@EspressoCake
EspressoCake / DumpHex.c
Created January 30, 2022 17:57 — forked from ccbrown/DumpHex.c
Compact C Hex Dump Function w/ASCII
#include <stdio.h>
void DumpHex(const void* data, size_t size) {
    char ascii[17];
    size_t i, j;
    ascii[16] = '\0';
    for (i = 0; i < size; ++i) {
        printf("%02X ", ((unsigned char*)data)[i]);
        if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') {
            ascii[i % 16] = ((unsigned char*)data)[i];
@EspressoCake
EspressoCake / rsrcDecryptAssembly.nim
Created December 15, 2021 22:59 — forked from ChoiSG/rsrcDecryptAssembly.nim
embed .net, decrypt, load and execute in nim poc
import nimcrypto
import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy
#[
All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t
nimble install winim nimcrypto zippy
nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim
slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.
@EspressoCake
EspressoCake / log4shell_regexes.py
Created December 14, 2021 02:53 — forked from karanlyons/log4shell_regexes.py
log4shell Regexes
import re
from urllib.parse import unquote
FLAGS = re.IGNORECASE | re.DOTALL
ESC_DOLLAR = r'(?:\$|\\u0024|\\x24|\\0?44|%24)'
ESC_LCURLY = r'(?:\{|\\u007B|\\x7B|\\173|%7B)'
ESC_RCURLY = r'(?:\}|\\u007D|\\x7D|\\175|%7D)'
_BACKSLASH_ESCAPE_RE = re.compile(r'\\(?:u[0-9a-f]{4}|x[0-9a-f]{2}|[0-7]{,3})')
_PERCENT_ESCAPE_RE = re.compile(r'%[0-9a-f]{2}')
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!
#Long ass one-liner :)
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)
/*
The vulnerable function takes as input an array of bytes and outputs their hex representation in unicode. The hex encoded bytes are separated by space (0x20)
For example:
user input : 0 129
output buffer (vulnerable_chunk): 30 00 30 00 20 00 38 00 31 00 20 00
With regards to the vulnerability itself, the problem exists in the output buffer (vulnerable_chunk) size calculation:
vulnerable_chunk_size = (user_controlled_size*6)%65536;
vulnerable_chunk = AllocateMemory(vulnerable_chunk_size);
@EspressoCake
EspressoCake / NtMonitor.py
Created May 11, 2021 20:55 — forked from matterpreter/NtMonitor.py
Frida script to spawn a process and monitor Native API calls
import frida
import sys
def on_message(message, data):
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])
    else:
        print(message)
import argparse
import sys
def auto_int(x):
    return int(x, 0)
# Modded by Matteo 'uf0' Malvica - 2021
# The following code is taken from
# https://github.com/mwrlabs/win_driver_plugin/blob/master/win_driver_plugin/ioctl_decoder.py
@EspressoCake
EspressoCake / EnumCLR.c
Created March 15, 2021 01:43 — forked from G0ldenGunSec/EnumCLR.c
Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
@EspressoCake
EspressoCake / ngnix.conf
Created February 2, 2021 22:56 — forked from WhisperingChaos/ngnix.conf
NGINX SSL/TLS Reverse Proxy to Upstream SSL servers.
events {
# nginx requires this section even when applying all default values
}
http {
# The upstream keyword is followed by a URL (domain name/IP). This reference encapsulates
# the list of backend servers defined for a virtual proxy. When authenticating
# a certificate from a backend server, the upstream URL is supplied to the
# certificate authentication process instead of the backend server name. See
# the comments associated with proxy_pass below for a detailed discussion.
package main
/*
*
* This is just a Go implementation of https://github.com/monoxgas/sRDI/
* Useful if you're trying to generate shellcode for reflective DLL
* injection in Go, otherwise probably not much use :)
*
* The project, shellcode, most comments within this project
* are all from the original project by @SilentBreakSec's Nick Landers (@monoxgas)