IntenseWiggling

View GitHub Profile
@IntenseWiggling
IntenseWiggling / reset-usb.sh
Last active February 25, 2026 13:12
Reset all USB controllers
#!/bin/sh
# Reset every PCI USB host controller bound to xhci_hcd by unbinding and
# re-binding it through sysfs (the sysfs writes need root, hence sudo).
for dev in $(lspci -D | grep "USB controller" | awk '{print $1}'); do
    # Skip controllers driven by something other than xhci_hcd (e.g. ehci_hcd):
    # writing them to xhci_hcd/unbind fails with "No such device".
    [ -e "/sys/bus/pci/drivers/xhci_hcd/$dev" ] || continue
    echo "[#] $dev"
    echo "$dev" | sudo tee /sys/bus/pci/drivers/xhci_hcd/unbind
    echo "$dev" | sudo tee /sys/bus/pci/drivers/xhci_hcd/bind
done
IntenseWiggling / gist:e9eafb5e4eea5018d82d878376c13957
Last active December 5, 2019 02:32
Splunk DNS query exclusions, based on the DNS excludes in swiftonsecurity's Sysmon config
IntenseWiggling / msfvenom-reverse-tcp-WaitForSingleObject.md
Created March 2, 2018 03:12 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for the WaitForSingleObject call within a modern msfvenom-generated payload.


Abstract

This document explains how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching on issues like stack alignment and locating and patching WaitForSingleObject. It was written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching on the problem of finding this particular Windows API. Since RE is one of my stronger FU's, I decided to write down my explanation of the subject.

Contents: