CaledoniaProject
CaledoniaProject / check_hashes.py
Created July 6, 2018 03:08 — forked from bandrel/check_hashes.py
To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#!/usr/bin/env python3
#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>
import sys
hashes = {}  # NT hash -> users whose stored NT hash it is
with open(sys.argv[1]) as infile:
    for line in filter(str.strip, infile):  # skip blank lines
        user, _sid, _lm, nthash = line.strip().split(':')[:4]
        hashes.setdefault(nthash.lower(), []).append(user)
for nthash, users in hashes.items():
    if len(users) > 1:  # same NT hash on more than one account means the same password
        print(nthash, 'is shared by', ', '.join(users))
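A fuller audit over the same user:rid:LMHASH:NTHASH::: format, added here as an example rather than the gist's own code: besides grouping accounts by NT hash to surface shared passwords, it reports accounts whose LM field is not the blank value aad3b435b51404eeaad3b435b51404ee (meaning LM hashes are still being stored for them) and accounts whose NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0 (the NT hash of the empty password), and it skips machine accounts by default since their random passwords never collide. The dump lines are constructed for the example; 8846f7eaee8fb117ad06bdd830b7586c is the NT hash of "password", the other hash values are arbitrary.

```python
import re
from collections import defaultdict

# secretsdump/pwdump line format: user:rid:LMHASH:NTHASH:::  (anything else is ignored)
LINE_RE = re.compile(
    r'^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::'
)

BLANK_LM = 'aad3b435b51404eeaad3b435b51404ee'   # LM field when no LM hash is stored
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password

# Constructed sample dump (example data, not from any real domain).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyapp:1108:e52cac67419a9a224a3b108f3fa6cb6d:0cb6948805f797bf2a82807973b89537:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:4a3c3d7f0c9e1b2a5d6e7f8091a2b3c4:::
not a hash line
"""


def parse_dump(text):
    """Yield (user, lm, nt) for every well-formed line, hashes lower-cased."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m['user'], m['lm'].lower(), m['nt'].lower()


def audit(text, skip_machine_accounts=True):
    """Return shared-password groups, accounts with an LM hash stored, and empty-password accounts."""
    by_nt = defaultdict(list)
    lm_present, empty_password = [], []
    for user, lm, nt in parse_dump(text):
        if skip_machine_accounts and user.endswith('$'):
            continue
        by_nt[nt].append(user)
        if lm != BLANK_LM:
            lm_present.append(user)
        if nt == EMPTY_NT:
            empty_password.append(user)
    return {
        'shared': {nt: users for nt, users in by_nt.items() if len(users) > 1},
        'lm_present': lm_present,
        'empty_password': empty_password,
    }


if __name__ == '__main__':
    import json
    import sys
    # Usage: python3 audit_hashes.py <secretsdump output>; with no argument the sample dump is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(json.dumps(audit(text), indent=2))
```

Shared groups are keyed by NT hash rather than by password, so the report is useful without cracking anything; crack one member of a group and every account in it is known.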
CaledoniaProject / wldp_interesting_rundll32_invocations.txt
Created June 3, 2018 14:31 — forked from mattifestation/wldp_interesting_rundll32_invocations.txt
DLLs and export functions that wldp.dll finds interesting when invoked with rundll32
StorageUsage.dll,GetStorageUsageInfo
acmigration.dll,ApplyMigrationShims
acproxy.DLL,PerformAutochkOperations
ppioobe.dll,setupcalendaraccountforuser
edgehtml.dll,#125
edgehtml.dll,#133
davclnt.dll,davsetcookie
appxdeploymentextensions.onecore.dll,shellrefresh
pla.dll,plahost
aeinv.dll,updatesoftwareinventory
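To act on the list, a detection has to normalise what actually appears in a process-creation log (full path, quoting, mixed case, #ordinal entry points) into the same (dll, export) form. The following is an added example, not part of the gist, that parses rundll32 command lines and reports which ones name an entry on the list above; the command lines it runs over are constructed, and the loader.dll path is made up.

```python
import ntpath
import re

# The entries from the list above, lower-cased as (dll basename, export name or #ordinal).
WLDP_RUNDLL32_ENTRIES = {
    ('storageusage.dll', 'getstorageusageinfo'),
    ('acmigration.dll', 'applymigrationshims'),
    ('acproxy.dll', 'performautochkoperations'),
    ('ppioobe.dll', 'setupcalendaraccountforuser'),
    ('edgehtml.dll', '#125'),
    ('edgehtml.dll', '#133'),
    ('davclnt.dll', 'davsetcookie'),
    ('appxdeploymentextensions.onecore.dll', 'shellrefresh'),
    ('pla.dll', 'plahost'),
    ('aeinv.dll', 'updatesoftwareinventory'),
}

# Matches the rundll32 image token: bare, with .exe, with a full path, quoted or not.
RUNDLL32_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+', re.IGNORECASE)

# Constructed process-creation command lines (example data).
SAMPLE_CMDLINES = [
    r'rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie http://example.invalid/',
    r'"C:\Windows\System32\rundll32.exe" edgehtml.dll,#133',
    r'rundll32.exe "C:\Users\Public\loader.dll",DllRegisterServer',
    r'rundll32 pla.dll,PlaHost',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'powershell.exe -nop -w hidden',
]


def parse_rundll32(cmdline):
    """Return (dll basename, entry point) for a rundll32 command line, or None.

    rundll32 takes '<dll>,<entry> [args]': the DLL runs up to the first comma (it may be a
    quoted path containing spaces), the entry point runs up to the next whitespace and may be
    an '#ordinal'. Both parts are lower-cased so they compare against the list.
    """
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():]
    if rest.startswith('"'):
        close = rest.find('"', 1)
        if close < 0:
            return None
        dll, rest = rest[1:close], rest[close + 1:]
    else:
        comma = rest.find(',')
        if comma < 0:
            return None
        dll, rest = rest[:comma], rest[comma:]
    if not rest.startswith(','):
        return None
    tail = rest[1:].strip()
    entry = tail.split(None, 1)[0] if tail else ''
    return ntpath.basename(dll).lower(), entry.lower()


def on_list(cmdline):
    """True/False for a rundll32 command line, None when the command line is not rundll32 at all."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    return parsed in WLDP_RUNDLL32_ENTRIES


def scan(cmdlines):
    """Label every command line: 'on-list', 'not-on-list' or 'not-rundll32'."""
    labels = {True: 'on-list', False: 'not-on-list', None: 'not-rundll32'}
    return [(c, labels[on_list(c)]) for c in cmdlines]


if __name__ == '__main__':
    for cmd, verdict in scan(SAMPLE_CMDLINES):
        print(f'{verdict:13} {cmd}')
```

Matching on the basename deliberately ignores where the DLL was loaded from; a second check on the full path (System32 versus a user-writable directory) is the natural next filter when the export name matches.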
CaledoniaProject / yolo.c
Created May 18, 2018 05:16 — forked from saelo/yolo.c
Exploit for IPWnKit: a macOS IOKit exploit challenge from Defcon Qualifier CTF 2018
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <pthread.h>
#include <sys/mman.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CFPropertyList.h>
const char* kMyDriversIOKitClassName = "io_oooverflow_IPwnKit";
CaledoniaProject / UEFISecDatabaseParser.ps1
Created May 9, 2018 00:54 — forked from mattifestation/UEFISecDatabaseParser.ps1
Parses signature data from the db and dbx UEFI variables.
function Get-UEFIDatabaseSigner {
<#
.SYNOPSIS
Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders.
.DESCRIPTION
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
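The db and dbx variables are a concatenation of EFI_SIGNATURE_LIST structures: a 28-byte header (SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize), an optional signature header, then an array of EFI_SIGNATURE_DATA entries, each a SignatureOwner GUID followed by the hash or certificate. The parser below is an added Python example, not the gist's PowerShell, that walks that layout with a bounds check on every size field (a malformed or truncated blob raises instead of reading past the buffer) and answers the question dbx exists for, whether a given Authenticode SHA-256 hash is revoked. The sample variable contents are constructed with the build helper; the owner GUID and the X.509 entry bytes are placeholders, not a real certificate.

```python
import hashlib
import struct
import uuid

# SignatureType GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID('c1c41626-504c-4092-aca9-41f936934328')
EFI_CERT_X509_GUID = uuid.UUID('a5c059a1-94e4-4aa7-87b5-ab155c2bf072')
SIGNATURE_TYPES = {
    EFI_CERT_SHA256_GUID: 'EFI_CERT_SHA256_GUID',
    EFI_CERT_X509_GUID: 'EFI_CERT_X509_GUID',
}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize.
HEADER = struct.Struct('<16sIII')


def parse_signature_lists(blob):
    """Return one dict per EFI_SIGNATURE_DATA entry across all lists in a db/dbx blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f'truncated EFI_SIGNATURE_LIST header at offset {off}')
        type_bytes, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        end = off + list_size
        if list_size < HEADER.size or end > len(blob):
            raise ValueError(f'bad SignatureListSize {list_size} at offset {off}')
        data_off = off + HEADER.size + hdr_size
        # SignatureSize covers the 16-byte owner GUID; the data area must hold whole entries.
        if sig_size <= 16 or data_off > end or (end - data_off) % sig_size:
            raise ValueError(f'inconsistent sizes in list at offset {off}')
        sig_type = uuid.UUID(bytes_le=type_bytes)
        type_name = SIGNATURE_TYPES.get(sig_type, str(sig_type))
        while data_off < end:
            owner = uuid.UUID(bytes_le=blob[data_off:data_off + 16])
            data = blob[data_off + 16:data_off + sig_size]
            entries.append({'type': type_name, 'owner': str(owner), 'data': data})
            data_off += sig_size
        off = end
    return entries


def is_revoked(dbx_blob, authenticode_sha256):
    """True if the PE Authenticode SHA-256 hash appears in an EFI_CERT_SHA256 list of dbx."""
    return any(e['type'] == 'EFI_CERT_SHA256_GUID' and e['data'] == authenticode_sha256
               for e in parse_signature_lists(dbx_blob))


def build_signature_list(sig_type, owner, signatures):
    """Serialise one EFI_SIGNATURE_LIST with no signature header (used here to construct samples)."""
    sig_size = 16 + len(signatures[0])
    if any(16 + len(s) != sig_size for s in signatures):
        raise ValueError('all signatures in a list must have the same size')
    body = b''.join(owner.bytes_le + s for s in signatures)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, sig_size) + body


# Constructed sample: a placeholder owner GUID, two made-up bootloader hashes and a dummy
# X.509 entry (not a real DER certificate).
SAMPLE_OWNER = uuid.UUID('11111111-2222-3333-4444-555555555555')
SAMPLE_HASHES = [hashlib.sha256(b'revoked-bootloader-1').digest(),
                 hashlib.sha256(b'revoked-bootloader-2').digest()]
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES)
              + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b'\x30\x82' + b'\x00' * 30]))


if __name__ == '__main__':
    import sys
    # Usage: python3 uefi_db.py <file with raw db/dbx bytes>; with no argument the sample is used.
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_DBX
    for e in parse_signature_lists(blob):
        print(e['type'], e['owner'], e['data'][:32].hex())
```

On Windows the raw bytes come from (Get-SecureBootUEFI -Name dbx).Bytes, which [IO.File]::WriteAllBytes can save for the script to read; on Linux the same data sits in /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f behind a 4-byte attributes prefix that must be stripped first.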
RDP Eavesdropping and Hijacking
*******************************
I spent some time this evening looking at ways to eavesdrop on and hijack RDP sessions. Here is a gist of (semi-)interesting findings
that are not very new...
===========
Inspiration
===========
As you may already know...
CaledoniaProject / GetSecureBootPolicy.ps1
Created April 21, 2018 15:29 — forked from mattifestation/GetSecureBootPolicy.ps1
Partially-completed Secure Boot policy parser. I need help with parsing out the BCD element values.
function Get-SecureBootPolicy {
<#
.SYNOPSIS
Parses a Secure Boot policy.
.DESCRIPTION
Get-SecureBootPolicy parses either the default, system Secure Boot policy or a policy passed as a byte array. The byte array must be a raw, unsigned policy.
CaledoniaProject / InstallUtilMouseKeyLogger.cs
Created March 16, 2018 07:08
Input Capture - InstallUtil Hosted MouseClick / KeyLogger -
using System;
using System.IO;
using System.Diagnostics;
using System.Windows.Forms;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//KeyStroke Mouse Clicks Code
/*
* https://code.google.com/p/klog-sharp/
*/
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/
<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
ResourceID = "[Script]ScriptExample";
GetScript = "\"$(Get-Date): I am being GET\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
CaledoniaProject / WMI_attack_detection.ps1
Created March 2, 2018 06:27 — forked from mattifestation/WMI_attack_detection.ps1
BlueHat 2016 - WMI attack detection demo
#region Scriptblocks that will execute upon alert trigger
$LateralMovementDetected = {
    $Event = $EventArgs.NewEvent
    $EventTime = [DateTime]::FromFileTime($Event.TIME_CREATED)
    $MethodName = $Event.MethodName
    $Namespace = $Event.Namespace
    $Object = $Event.ObjectPath
    $User = $Event.User
    # Report the WMI method invocation that fired the alert
    Write-Host "[$EventTime] $User invoked $MethodName on $Object in $Namespace"
}

TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.

The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow varies between the binary and source due to compiler optimizations. This results in a situation where only a few IOCTL codes in the assembly are represented as a constant with the remaining being computed at runtime.

The code in hevd_ioctl.py is a approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex
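As an added cross-check for the recovered values (example code, not the gist's hevd_ioctl.py), the block below encodes and decodes Windows IOCTL codes with the CTL_CODE layout, filters candidates to the shape HEVD uses (FILE_DEVICE_UNKNOWN, METHOD_NEITHER, FILE_ANY_ACCESS and function numbers from 0x800 upward, so the stack overflow handler is 0x222003), and rebuilds the constants hidden by one common form of the optimisation described above, where the compiler keeps a single base constant and compares the running difference against a sequence of small deltas. That subtract-chain form is an assumed illustration; the actual arithmetic in the compiled handler is what the symbolic execution recovers.

```python
FILE_DEVICE_UNKNOWN = 0x22
METHOD_NAMES = {0: 'METHOD_BUFFERED', 1: 'METHOD_IN_DIRECT', 2: 'METHOD_OUT_DIRECT', 3: 'METHOD_NEITHER'}
ACCESS_NAMES = {0: 'FILE_ANY_ACCESS', 1: 'FILE_READ_ACCESS', 2: 'FILE_WRITE_ACCESS',
                3: 'FILE_READ_ACCESS | FILE_WRITE_ACCESS'}


def ctl_code(device_type, function, method, access=0):
    """CTL_CODE from the WDK: DeviceType << 16 | Access << 14 | Function << 2 | Method."""
    if not (0 <= device_type < 0x10000 and 0 <= function < 0x1000 and 0 <= method < 4 and 0 <= access < 4):
        raise ValueError('CTL_CODE field out of range')
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit IOCTL into its four fields."""
    return {
        'device_type': (code >> 16) & 0xFFFF,
        'access': (code >> 14) & 3,
        'function': (code >> 2) & 0xFFF,
        'method': code & 3,
    }


def describe(code):
    d = decode_ioctl(code)
    return (f'0x{code:08X}: device 0x{d["device_type"]:X} function 0x{d["function"]:X} '
            f'{METHOD_NAMES[d["method"]]} {ACCESS_NAMES[d["access"]]}')


def hevd_style(code):
    """Plausibility filter for candidates pulled out of the binary.

    HEVD defines every IOCTL as CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800 + n, METHOD_NEITHER,
    FILE_ANY_ACCESS), so a genuine code has device type 0x22, method 3, access 0 and a
    function number in the vendor range (>= 0x800). Anything else is noise from the solver.
    """
    d = decode_ioctl(code)
    return (d['device_type'] == FILE_DEVICE_UNKNOWN and d['method'] == 3
            and d['access'] == 0 and d['function'] >= 0x800)


def codes_from_subtract_chain(base, deltas):
    """Rebuild IOCTLs from the one constant and the deltas visible in an optimised switch.

    Assumed shape (illustration only): tmp = code - base; then for each case the handler tests
    tmp == 0 and subtracts the next delta. Only `base` and the deltas survive in the assembly;
    the n-th case matches base + sum(deltas[:n]).
    """
    codes, current = [base], base
    for delta in deltas:
        current += delta
        codes.append(current)
    return codes


if __name__ == '__main__':
    # Consecutive HEVD function numbers differ by 4 in the encoded code (Function sits at bit 2).
    for code in codes_from_subtract_chain(ctl_code(FILE_DEVICE_UNKNOWN, 0x800, 3), [4] * 3):
        print(describe(code), 'plausible' if hevd_style(code) else 'rejected')
```

Running every candidate the solver produces through hevd_style before trying it against the driver saves a lot of time in the debugger: a value with the wrong method or device type will never reach the handler's dispatch table.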