EspressoCake

## peerseek.cna
# Author: Justin Lucas
# Date:   September 19, 2023
# Info:   A script to colleagues' files starting at the current directory it is running
#         Where found, it will attempt to receive the file as a redirected byte stream

beacon_command_register("peerseek", "Seek a file from your peers to grab instantly.", "peerseek FILENAME");


alias peerseek
{

## BOF_With_Variadic_Arguments.cna
# Author:   Justin Lucas
# Date:     January 5, 2023

sub packVariadicArguments
{
    local('$result');
    local('$index');
    local('$currentArgument');

    # Shift and iterate a list with the Beacon ID popped

## wmic_cmds.txt
Host Enumeration:

--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

wmic computersystem LIST full

--- Anti-Virus ---

wmic /namespace:\\root\securitycenter2 path antivirusproduct

## resolve_hostname_over_SOCKS.py
#!/usr/bin/env python3
import logging
import socket
import sys
from argparse import ArgumentParser, Namespace
from dns.resolver import Resolver
from os.path import exists

# Example Usage: proxychains -q python3 resolve_hostname_over_SOCKS.py --nameserver 10.10.10.10 --items SOMEWORKSTATION1.CONTOSO.LOCAL SOMEWORKSTATION2.CONTOSO.LOCAL
# Example Usage: proxychains -q python3 resolve_hostname_over_SOCKS.py --nameserver 10.10.10.10 --fileinput --items file_with_hostnames.txt

## conti.cna
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!

#Long ass one-liner :)
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)

## DumpHex.c
#include <stdio.h>

void DumpHex(const void* data, size_t size) {
	char ascii[17];
	size_t i, j;
	ascii[16] = '\0';
	for (i = 0; i < size; ++i) {
		printf("%02X ", ((unsigned char*)data)[i]);
		if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') {
			ascii[i % 16] = ((unsigned char*)data)[i];

## dllmain.go
package main

//#include "dllmain.h"
import "C"

## rsrcDecryptAssembly.nim
import nimcrypto
import winim/clr except `[]`  # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/  <-- thank you so much, 2 hours googling I almost went crazy

#[
    All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t

    nimble install winim nimcrypto zippy
    nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim

    slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.

## log4shell_regexes.py
import re
from urllib.parse import unquote


FLAGS = re.IGNORECASE | re.DOTALL
ESC_DOLLAR = r'(?:\$|\\u0024||\\x24|\\0?44|%24)'
ESC_LCURLY = r'(?:\{|\\u007B|\\x7B|\\173|%7B)'
ESC_RCURLY = r'(?:\}|\\u007D|\\x7D|\\175|%7D)'
_BACKSLASH_ESCAPE_RE = re.compile(r'\\(?:u[0-9af]{4}|x[0-9af]{2}|[0-7]{,3})')
_PERCENT_ESCAPE_RE = re.compile(r'%[0-9af]{2}')

## Win7x86-CVE-2020-17087.c
/*

The vulnerable function takes as input an array of bytes and outputs their hex representation in unicode. The hex encoded bytes are separated by space (0x20)
For example:
user input                      : 0                 129
output buffer (vulnerable_chunk): 30 00 30 00 20 00 38 00 31 00 20 00

With regards to the vulnerability itself, the problem exists in the output buffer (vulnerable_chunk) size calculation:
vulnerable_chunk_size = (user_controlled_size*6)%65536;
vulnerable_chunk = AllocateMemory(vulnerable_chunk_size);
	# Author: Justin Lucas
	# Date: September 19, 2023
	# Info: A script to colleagues' files starting at the current directory it is running
	# Where found, it will attempt to receive the file as a redirected byte stream

	beacon_command_register("peerseek", "Seek a file from your peers to grab instantly.", "peerseek FILENAME");


	alias peerseek
	{
	# Author: Justin Lucas
	# Date: January 5, 2023

	sub packVariadicArguments
	{
	local('$result');
	local('$index');
	local('$currentArgument');

	# Shift and iterate a list with the Beacon ID popped
	Host Enumeration:

	--- OS Specifics ---
	wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

	wmic computersystem LIST full

	--- Anti-Virus ---

	wmic /namespace:\\root\securitycenter2 path antivirusproduct
	#!/usr/bin/env python3
	import logging
	import socket
	import sys
	from argparse import ArgumentParser, Namespace
	from dns.resolver import Resolver
	from os.path import exists

	# Example Usage: proxychains -q python3 resolve_hostname_over_SOCKS.py --nameserver 10.10.10.10 --items SOMEWORKSTATION1.CONTOSO.LOCAL SOMEWORKSTATION2.CONTOSO.LOCAL
	# Example Usage: proxychains -q python3 resolve_hostname_over_SOCKS.py --nameserver 10.10.10.10 --fileinput --items file_with_hostnames.txt
	#AntiVirus Query
	#Author: @r3dQu1nn
	#Queries the Registry for AV installed
	#Thanks to @i_am_excite and @merrillmatt011 for the help
	#Props to @zerosum0x0 for the wmic find!

	#Long ass one-liner :)
	$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}\|{1}\|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)
	#include <stdio.h>

	void DumpHex(const void* data, size_t size) {
	char ascii[17];
	size_t i, j;
	ascii[16] = '\0';
	for (i = 0; i < size; ++i) {
	printf("%02X ", ((unsigned char*)data)[i]);
	if (((unsigned char)data)[i] >= ' ' && ((unsigned char)data)[i] <= '~') {
	ascii[i % 16] = ((unsigned char*)data)[i];
	import nimcrypto
	import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy

	#[
	All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t

	nimble install winim nimcrypto zippy
	nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim

	slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time.
	import re
	from urllib.parse import unquote


	FLAGS = re.IGNORECASE \| re.DOTALL
	ESC_DOLLAR = r'(?:\$\|\\u0024\|\|\\x24\|\\0?44\|%24)'
	ESC_LCURLY = r'(?:\{\|\\u007B\|\\x7B\|\\173\|%7B)'
	ESC_RCURLY = r'(?:\}\|\\u007D\|\\x7D\|\\175\|%7D)'
	_BACKSLASH_ESCAPE_RE = re.compile(r'\\(?:u[0-9af]{4}\|x[0-9af]{2}\|[0-7]{,3})')
	_PERCENT_ESCAPE_RE = re.compile(r'%[0-9af]{2}')
	/*

	The vulnerable function takes as input an array of bytes and outputs their hex representation in unicode. The hex encoded bytes are separated by space (0x20)
	For example:
	user input : 0 129
	output buffer (vulnerable_chunk): 30 00 30 00 20 00 38 00 31 00 20 00

	With regards to the vulnerability itself, the problem exists in the output buffer (vulnerable_chunk) size calculation:
	vulnerable_chunk_size = (user_controlled_size*6)%65536;
	vulnerable_chunk = AllocateMemory(vulnerable_chunk_size);