The following assumes you are using an AArch64 host.
Set up the SDK and emulator:
# https://developer.android.com/studio/index.html#command-line-tools-only
sudo apt-get install unzip openjdk-17-jdk gradle -y

CVE-2025-43520 - DarkSword
1. cluster_read_ext and cluster_write_ext call cluster_io_type to determine what IO operation to perform
2. cluster_io_type calls vm_map_get_upl with UPL_QUERY_OBJECT_TYPE to query the type of the vm_object that backs the user-supplied virtual address range
3. If this object is physically contiguous it returns IO_CONTIG, otherwise it returns IO_DIRECT or IO_COPY
4. If cluster_io_type returns IO_CONTIG, cluster_[read|write]_ext will call the "contig" variant, cluster_[read|write]_contig
5. cluster_[read|write]_contig then calls vm_map_get_upl a second time to get the UPL from the uio
6. It then grabs the first physical page from the UPL using upl_phys_page and performs a physical copy
7. This is a TOCTOU. An attacker can remap the virtual address range so that the region is no longer physically contiguous after the first call to vm_map_get_upl, causing an OOBR/OOBW to physmem
using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;
$elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
function Show-Menu {
    Clear-Host
    Write-Host "======================================================"
    Write-Host "================ Give Back Control ================"
    Write-Host "======================================================"
    if($elevated -eq $true){
        Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green
        Write-Host "We have superpowers. Ready to continue."
#include "banzi.h"
/*
 * socket page occupation (page spraying via sockets)
 * https://www.willsroot.io/2022/08/reviving-exploits-against-cred-struct.html
 * Requires CONFIG_USER_NS=y in the kernel; it is enabled by default
 */
void unshare_setup(uid_t uid, gid_t gid) {
    int temp;
Let's pwn the box Scrambled from HackTheBox using only NetExec! For context, I was reading the Scrambled writeup from 0xdf_ when I read this:
smbclient won't work, and I wasn't able to get crackmapexec to work either.
To be fair, at the time of his writeup that was true, but it isn't anymore, and it's pretty simple with NXC: 5 minutes and you get root :)
Note: I will skip the web part, where we get one username: ksimpson
#!/bin/bash
# Decompress a .cpio.gz packed file system
rm -rf ./initramfs && mkdir initramfs
pushd . && pushd initramfs
cp ../initramfs.cpio.gz .
gzip -dc initramfs.cpio.gz | cpio -idm &>/dev/null && rm initramfs.cpio.gz
popd
<#
.SYNOPSIS
   List common security processes running!
   Author: @r00t-3xp10it (ssa redteam)
   Tested Under: Windows 10 (19043) x64 bits
   Required Dependencies: Get-WmiObject, Get-Process {native}
   Optional Dependencies: Get-MpPreference, Get-ChildItem {native}
   PS cmdlet Dev version: v2.3.18
The binaries were obtained from the Discord server. The download link: https://drive.google.com/file/d/1xPP9R2VKmJ9jwNY_1xf1sVVHlxZIsLcg
Basic information about the binaries. There are two main versions of the program in question:
aimful-kucoin.exe and aimful-binance.exe. Both are Windows executables. From the FAQ section of the Discord server, the following information is available:
In what language was this bot written?
- Python.