| #!/usr/bin/env python | |
| """Simple HTTP Server With Upload. | |
| This module builds on BaseHTTPServer by implementing the standard GET | |
| and HEAD requests in a fairly straightforward manner. | |
| """ |
The table below contains the default/most probable observed behaviour depending on Windows version. Be sure to read the notes regarding Windows 7 and Windows 10.
Always verify the value of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate during triage.
| NTFS Last Access Update | |
|---|---|
| XP | ✔️ |
| If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
| Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
| Break | |
| } | |
| $outfile = "acltestfile" | |
| set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
| Foreach ($path in $paths) { | |
| # This prints a table of ACLs | |
| # get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
| { | |
| "type": "bundle", | |
| "id": "bundle--9f0725cb-4bc3-47c3-aba6-99cb97ba4f52", | |
| "spec_version": "2.0", | |
| "objects": [ | |
| { | |
| "type": "marking-definition", | |
| "id": "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f", | |
| "created": "2017-07-18T22:00:30.404Z", | |
| "definition_type": "statement", |
| ' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled | |
| ' by @_xpn_ | |
| ' | |
| ' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro | |
| Const EXTENDED_STARTUPINFO_PRESENT = &H80000 | |
| Const HEAP_ZERO_MEMORY = &H8& | |
| Const SW_HIDE = &H0& | |
| Const MAX_PATH = 260 | |
| Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007 |
This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.
All of the below examples had been generated for using as a remote address: 192.168.56.101.
List:
This document details how I setup LE on my server. Firstly, install the client as described on http://letsencrypt.readthedocs.org/en/latest/using.html and make sure you can execute it. I put it in /root/letsencrypt.
As it is not possible to change the ports used for the standalone authenticator and I already have a nginx running on port 80/443, I opted to use the webroot method for each of my domains (note that LE does not issue wildcard certificates by design, so you probably want to get a cert for www.example.com and example.com).
For this, I placed config files into etc/letsencrypt/configs, named after <domain>.conf. The files are simple:
| param($global:RestartRequired=0, | |
| $global:MoreUpdates=0, | |
| $global:MaxCycles=10) | |
| function Check-ContinueRestartOrEnd() { | |
| $RegistryKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | |
| $RegistryEntry = "InstallWindowsUpdates" | |
| switch ($global:RestartRequired) { | |
| 0 { | |
| $prop = (Get-ItemProperty $RegistryKey).$RegistryEntry |
| /* | |
| * CVE-2016-5195 dirtypoc | |
| * | |
| * This PoC is memory only and doesn't write anything on the filesystem. | |
| * /!\ Beware, it triggers a kernel crash a few minutes. | |
| * | |
| * gcc -Wall -o dirtycow-mem dirtycow-mem.c -ldl -lpthread | |
| */ | |
| #define _GNU_SOURCE |
| #!/usr/bin/python | |
| # -*- coding: utf8 -*- | |
| import sys | |
| import os | |
| import time | |
| import select | |
| import socket | |
| import pycares |