DavidBuchanan314/pwn-mbr

Stars
172
Rank 221,201 (Top 5 %)
Language
C
License
MIT License
Created about 8 years ago
Updated about 2 years ago

DavidBuchanan314/pwn-mbr

DavidBuchanan314

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

A simple MBR hijack demonstration

pwn-mbr

A simple MBR hijack demonstration

Principles of operation:

Phase 1: Injection

A malicious binary is run with root privileges.
The original MBR is copied to the next "free" location (first sector found containing only zeroes) on the disk, before the first partition. A magic number is appended, so that it can be found later.
The boot sector is overwritten with "malicious" code.

Phase 2: Execution

Next time the machine is rebooted, the BIOS starts execution of the payload.
In this example, the text "MBR PWNED!" is written to the screen a few hundred times.
The payload locates the backup of the original boot sector (via the magic number) and copies it over to where it would normally reside in memory (0x7C00). However, this is where the payload is initially running from, so it copies itself elsewhere first.
Finally, the payload jumps back to 0x7C00, resuming normal boot operations.

Notes:

Only works on BIOS/legacy boot systems.
Although this demo doesn't do anything malicious, it is very possible that it corrupts your filesystem, so only run it on a dedicated VM unless you're very brave.

Demo:

tweetable-polyglot-png

Pack up to 3MB of data into a tweetable PNG polyglot file.

ambiguous-png-packer

Craft PNG files that appear completely different in Apple software [NOW PATCHED]

monomorph

MD5-Monomorphic Shellcode Packer - all payloads have the same MD5 hash

dlinject

Inject a shared library (i.e. arbitrary code) into a live linux process, without ptrace

NXLoader

My first Android app: Launch Fusée Gelée payloads from stock Android (CVE-2018-6242)

libleakmydata

A simple LD_PRELOAD library to disable SSL certificate verification. Inspired by libeatmydata.

TARDIS

Trace And Rewrite Delays In Syscalls: Hooking time-related Linux syscalls to warp a process's perspective of time, using ptrace.

TwitterHD

A userscript that forces twitter to always load images and videos in full resolution

unsafe-python

A library to assist writing memory-unsafe code in "pure" python, without any imports (i.e. no ctypes etc.)

Turbo-Recadmiumator

A remake of truedread/netflix-1080p which auto-patches cadmium-playercore at runtime to enable enhanced playback features. (NOTE: still working in 2023 despite no code updates for 2 years 😎)

parallel-png-proposal

stelf-loader

A stealthy ELF loader - no files, no execve, no RWX

fusee-nano

A minimalist re-implementation of the Fusée Gelée exploit, designed to run on embedded Linux devices. (Zero dependencies)

fusee-lede

Instructions/files for building a custom LEDE image to turn cheap routers into a Nintendo Switch "modchip"/"dongle". Powered by https://github.com/DavidBuchanan314/fusee-nano

RootMyTV

Placeholder repo 👀

WAMpage

WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)

6502-emu

A simple 6502 emulator, with I/O via a 6850 UART.

cowroot

Universal Android root tool based on CVE-2016-5195. Watch this space.

picopds

A minimum viable atproto PDS for protocol experimentation purposes

boiga

A Python library enabling ergonomic Scratch 3.0 code generation.

webos-vncserver

An extremely hacky VNC server for WebOS - Works by reading directly from the GPU's framebuffer.

wifi-sdcf

Reverse Engineering notes on the Dxingtek/Keytech(?) WiFi@SDCF card

trumpogram

The World, according to Donald Trump

aes-playground

My experiments in understanding AES, Whitebox AES, and related attacks

p65a

Pythonic 6502 Assembler: An experimental alternative to traditional assemblers.

rc4

A python3 RC4 implementation that doesn't suck. (i.e. it's actually binary-safe...)

bitmap-font-css

Trying to make bitmap web fonts look better.

scratch-cryptography-library

Modern cryptography primitives implemented in Scratch, via Boiga

scratch-vscode

Preview Scratch projects inside vscode, with live reload.

ScapyGuard

An extremely bare-bones Python3 WireGuard client.

rsyscall-lkm

rsyscall is a dirty hack that allows you to execute syscalls in the context of another Linux process. M̶a̶y̶ Will explode your kernel.

hello_png

Example code from my blog post of the same title

beatstar-tools

Scripts for datamining the Beatstar mobile game

shellinject

Spawn a reverse TCP shell in the context of another Linux process

python-bitsliced-aes

An experimental implementation of bitsliced aes in pure python. Quite possibly the fastest pure-python AES implementation on the planet.

classic-ipod-tools

Tools for manipulating classic ipod firmware images etc.

bagel

[WIP] bagel is a Binary age aLternative - mostly the same as age but with a binary header format.

python-ssh-server

A very incomplete, incompatible, and insecure implementation of RFC4253

cursed-code

A repo to keep track of all the useful/hacky/cursed scripts and one-liners I write

dag-cbrrr

A reasonably fast DAG-CBOR parser for Python

chip8

A simple CHIP-8 Emulator with a GTK+ frontend

merkle-search-tree

An abstract implementation of a Merkle Search Tree, structurally compatible with ATProto's instantiation

fakeIoT

Yet another telnet honeypot.

dram_emfi

playing with DDR DRAM bus fault injection

imgur-anti-anti-hotlink

A very simple WebExtension to prevent imgur from preventing you from viewing images directly.

reveilid

gif-enc

A rather inefficient GIF encoder, in python.

magic-helloworld

A program that prints "Hello World!" by magic, with a single memcpy.

ipod-toslink-mod

Adding optical digital audio output to classic iPods

shellcode

My personal shellcode collection.

iPodWizard-mirror

A git mirror of iPodWizard: https://sourceforge.net/projects/ipodwizard/

picofeedgen

A minimum-viable atproto feed genedator

irradiate.py

a simple script to simulate random "cosmic ray" memory errors against a linux process

falling-block-game

resemblance to any other game is purely coincidental

AnonymOS

Yet another unnamed operating system project.

6502-sbc

Documentation and code for my 6502 SBC

distrust

A very very WIP type-2 hypervisor in Rust, which uses the Linux KVM API.

ROLL13

an (unfinished) TLSv1.3 client in pure python, hand-rolled from first principles.

CVE-2017-13672

POCs for CVE-2017-13672 (OOB read in VGA Cirrus QEMU driver, causing DoS)

branflakes

Yet another x86_64 optimising Brainf*ck JIT compiler.

pda-hax

zoom-enhance

CSI style "Zoom and Enhance" with Google Maps

fizzbuzz-ng

The fastest fizzbuzz in the universe.

duino-coin-fork

english-letter-freqs

Useful generation scripts and precomputed LUTs useful for performing frequency analysis on English text.

CHIP8-ROP

A chip8 emulator that translates programs into a giant ROP payload. Not my best idea...

branflakes-ng

An improved version of my older project "branflakes", an optimising brainfuck compiler.

css-gradient-fixer

CSS Gradient Fixer

coursework

Random Cardiff uni CompSci coursework solutions, of varying quality.

pcb-pattern

Renders a random PCB pattern using HTML5 canvas.