Skip to content

Instantly share code, notes, and snippets.

View EspressoCake's full-sized avatar

EspressoCake

287 followers · 14 following
View GitHub Profile
@EspressoCake
EspressoCake / peerseek.cna
Created September 19, 2023 19:07
# Author: Justin Lucas
# Date: September 19, 2023
# Info: A script to colleagues' files starting at the current directory it is running
# Where found, it will attempt to receive the file as a redirected byte stream
beacon_command_register("peerseek", "Seek a file from your peers to grab instantly.", "peerseek FILENAME");
alias peerseek
{
@EspressoCake
EspressoCake / BOF_With_Variadic_Arguments.cna
Created January 5, 2023 23:31
# Author: Justin Lucas
# Date: January 5, 2023
sub packVariadicArguments
{
local('$result');
local('$index');
local('$currentArgument');
# Shift and iterate a list with the Beacon ID popped
@EspressoCake
EspressoCake / resolve_hostname_over_SOCKS.py
Last active July 1, 2022 16:26
#!/usr/bin/env python3
import logging
import socket
import sys
from argparse import ArgumentParser, Namespace
from dns.resolver import Resolver
from os.path import exists
# Example Usage: proxychains -q python3 resolve_hostname_over_SOCKS.py --nameserver 10.10.10.10 --items SOMEWORKSTATION1.CONTOSO.LOCAL SOMEWORKSTATION2.CONTOSO.LOCAL
# Example Usage: proxychains -q python3 resolve_hostname_over_SOCKS.py --nameserver 10.10.10.10 --fileinput --items file_with_hostnames.txt
@EspressoCake
EspressoCake / DumpHex.c
Created January 30, 2022 17:57 — forked from ccbrown/DumpHex.c
Compact C Hex Dump Function w/ASCII
#include <stdio.h>
void DumpHex(const void* data, size_t size) {
char ascii[17];
size_t i, j;
ascii[16] = '\0';
for (i = 0; i < size; ++i) {
printf("%02X ", ((unsigned char*)data)[i]);
if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') {
ascii[i % 16] = ((unsigned char*)data)[i];
@EspressoCake
EspressoCake / rsrcDecryptAssembly.nim
Created December 15, 2021 22:59 — forked from ChoiSG/rsrcDecryptAssembly.nim
embed .net, decrypt, load and execute in nim poc
import nimcrypto
import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy
#[
All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t
nimble install winim nimcrypto zippy
nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim
slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.
@EspressoCake
EspressoCake / log4shell_regexes.py
Created December 14, 2021 02:53 — forked from karanlyons/log4shell_regexes.py
log4shell Regexes
import re
from urllib.parse import unquote
FLAGS = re.IGNORECASE | re.DOTALL
ESC_DOLLAR = r'(?:\$|\\u0024||\\x24|\\0?44|%24)'
ESC_LCURLY = r'(?:\{|\\u007B|\\x7B|\\173|%7B)'
ESC_RCURLY = r'(?:\}|\\u007D|\\x7D|\\175|%7D)'
_BACKSLASH_ESCAPE_RE = re.compile(r'\\(?:u[0-9af]{4}|x[0-9af]{2}|[0-7]{,3})')
_PERCENT_ESCAPE_RE = re.compile(r'%[0-9af]{2}')
@EspressoCake
EspressoCake / conti.cna
Created August 9, 2021 21:07 — forked from MHaggis/conti.cna
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!
#Long ass one-liner :)
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)
@EspressoCake
EspressoCake / Win7x86-CVE-2020-17087.c
Created August 5, 2021 22:03 — forked from vp777/Win7x86-CVE-2020-17087.c
/*
The vulnerable function takes as input an array of bytes and outputs their hex representation in unicode. The hex encoded bytes are separated by space (0x20)
For example:
user input : 0 129
output buffer (vulnerable_chunk): 30 00 30 00 20 00 38 00 31 00 20 00
With regards to the vulnerability itself, the problem exists in the output buffer (vulnerable_chunk) size calculation:
vulnerable_chunk_size = (user_controlled_size*6)%65536;
vulnerable_chunk = AllocateMemory(vulnerable_chunk_size);
@EspressoCake
EspressoCake / NtMonitor.py
Created May 11, 2021 20:55 — forked from matterpreter/NtMonitor.py
Frida script to spawn a process and monitor Native API calls
import frida
import sys
def on_message(message, data):
if message['type'] == 'send':
print(message['payload'])
elif message['type'] == 'error':
print(message['stack'])
else:
print(message)
@EspressoCake
EspressoCake / ioctl_translator.py
Created March 26, 2021 14:19 — forked from uf0o/ioctl_translator.py
import argparse
import sys
def auto_int(x):
return int(x, 0)
# Modded by Matteo 'uf0' Malvica - 2021
# The following code is taken from
# https://github.com/mwrlabs/win_driver_plugin/blob/master/win_driver_plugin/ioctl_decoder.py