Solomon Sklash SolomonSklash

## log4j_rce_check.py
#! /usr/bin/env python3

'''
    Needs Requests (pip3 install requests)

    Author: Marcello Salvati, Twitter: @byt3bl33d3r
    License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)


    This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.

## hash_djb2.py
#!/usr/bin/env python
# encoding: utf-8

def hash_djb2(s):
    hash = 5381
    for x in s:
        hash = (( hash << 5) + hash) + ord(x)
    return hash & 0xFFFFFFFF


## rpc_dump_rs5.txt
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64

Interfaces :
Endpoints :

## SysCall.cpp
#define _CRT_SECURE_NO_WARNINGS

#include <iostream>
#include <windows.h>
#include <psapi.h>

typedef struct _PS_ATTRIBUTE {
    ULONG Attribute;
    SIZE_T Size;
    union {

## memBruteforce.cpp
// memBruteforce.cpp by aaaddress1@chroot.org
// brute search loaded moudules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)

bool isMemExist(size_t addr) {
    int retv;
    __asm {

## mainc.c
#include <Windows.h>

LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();

LPBYTE ShellcodeBuffer;
ULONG_PTR PreviousOffset;
ULONG_PTR CurrentOffset;
ULONGLONG InstructionCount;
DWORD dwOld;

## disable-defender.ps1
# Disable Windows Defender
# From https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1

<#
Options :

-Delete : delete the defender related files (services, drivers, executables, ....)

Source :  https://bidouillesecurity.com/disable-windows-defender-in-powershell

## apisetlookup.c
#include <windows.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <sal.h>
#include <assert.h>

#ifdef _X86_
#error "This snippet only build in 64-bit due to heavy use of uintptr arithmetics."
#endif

## TestAssembly.cs
/*

================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

*/

using System.Windows.Forms;

namespace TestNamespace

## create-resource.sh
#!/bin/bash

# This script needs mingw installed

# Convert a .rc resource script input file to a .res binary resource output file
x86_64-w64-mingw32-windres -J rc -i Resource.rc -O res -o Resource.res

# Convert a .res binary resource input file to a COFF object output file
x86_64-w64-mingw32-windres -J res -i Resource.res -O coff -o Resource.o
	#! /usr/bin/env python3

	'''
	Needs Requests (pip3 install requests)

	Author: Marcello Salvati, Twitter: @byt3bl33d3r
	License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License)


	This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021.
	#!/usr/bin/env python
	# encoding: utf-8

	def hash_djb2(s):
	hash = 5381
	for x in s:
	hash = (( hash << 5) + hash) + ord(x)
	return hash & 0xFFFFFFFF
	--------------------------------------------------------------------------------
	<WinProcess "smss.exe" pid 368 at 0x5306908L>
	64
	[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
	--------------------------------------------------------------------------------
	<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
	64

	Interfaces :
	Endpoints :
	#define _CRT_SECURE_NO_WARNINGS

	#include <iostream>
	#include <windows.h>
	#include <psapi.h>

	typedef struct _PS_ATTRIBUTE {
	ULONG Attribute;
	SIZE_T Size;
	union {
	// memBruteforce.cpp by aaaddress1@chroot.org
	// brute search loaded moudules in memory
	// rewrite from https://www.exploit-db.com/exploits/45293
	#include <Windows.h>
	#include <iostream>
	#pragma warning(disable:4996)

	bool isMemExist(size_t addr) {
	int retv;
	__asm {
	#include <Windows.h>

	LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
	typedef VOID(__stdcall* Shellcode)();

	LPBYTE ShellcodeBuffer;
	ULONG_PTR PreviousOffset;
	ULONG_PTR CurrentOffset;
	ULONGLONG InstructionCount;
	DWORD dwOld;
	# Disable Windows Defender
	# From https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1

	<#
	Options :

	-Delete : delete the defender related files (services, drivers, executables, ....)

	Source : https://bidouillesecurity.com/disable-windows-defender-in-powershell
	#include <windows.h>
	#include <stdint.h>
	#include <stdbool.h>
	#include <stdio.h>
	#include <sal.h>
	#include <assert.h>

	#ifdef _X86_
	#error "This snippet only build in 64-bit due to heavy use of uintptr arithmetics."
	#endif
	/*

	================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

	*/

	using System.Windows.Forms;

	namespace TestNamespace
	#!/bin/bash

	# This script needs mingw installed

	# Convert a .rc resource script input file to a .res binary resource output file
	x86_64-w64-mingw32-windres -J rc -i Resource.rc -O res -o Resource.res

	# Convert a .res binary resource input file to a COFF object output file
	x86_64-w64-mingw32-windres -J res -i Resource.res -O coff -o Resource.o