Links describing the leaked EQ Group tools for Windows
Repositories and ports
-
Lost in Translation - A repository of the leaked tools
-
MS17-010 - Port of some of the exploits to Windows 10
from __future__ import print_function | |
import pickle | |
import os.path | |
from googleapiclient.discovery import build | |
from google_auth_oauthlib.flow import InstalledAppFlow | |
from google.auth.transport.requests import Request | |
from apiclient import errors | |
import re | |
from bs4 import BeautifulSoup as Soup |
#!/usr/bin/env python | |
''' | |
It has been tested with either py2 or py3. | |
Beware of ancient Linux kernel versions that may not support SOCK_NONBLOCK | |
or the memory-mapped ring buffer. | |
The BPF filter listed below is the compiled form of "not port 22"; | |
if you want to change it, do something like |
import { Hono } from "hono"; | |
const app = new Hono() | |
app.get('/', async (c) => { | |
const bad_user_agent_array = ['curl', 'httpie'] | |
const user_agent = c.req.header('User-Agent') | |
const ip = c.req.header("CF-Connecting-IP") |
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
using System; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
namespace SCCMDecryptPOC | |
{ | |
internal class Program |
from logger import capturer | |
from typing import Optional | |
from fastapi import FastAPI | |
app = FastAPI() | |
@app.get("/logs") | |
async def get_logs(event_name: Optional[str] = None): | |
if not event_name: |
#! /usr/bin/env python3 | |
''' | |
Needs Requests (pip3 install requests) | |
Author: Marcello Salvati, Twitter: @byt3bl33d3r | |
License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License) | |
This should allow you to detect whether something is potentially vulnerable to the log4j 0-day dropped on December 9th 2021. |
# !! Remember to replace <LIGHTHOUSE_IP> below with the actual external IP address of your Nebula lighthouse | |
# See the example config file to know what all of these options do https://github.com/slackhq/nebula/blob/master/examples/config.yml | |
pki: | |
ca: /etc/nebula/ca.crt | |
cert: /etc/nebula/host.crt | |
key: /etc/nebula/host.key | |
static_host_map: | |
"192.168.100.1": ["<LIGHTHOUSE_IP>:4242"] |
Lost in Translation - A repository of the leaked tools
MS17-010 - Port of some of the exploits to Windows 10
#include <Windows.h> | |
/* Forward declaration of the exception handler; its body is not part of this
   excerpt. NOTE(review): the name suggests it runs on single-step exceptions
   and encrypts/decrypts the buffer around each step -- confirm against the
   definition before relying on that. */
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo); | |
/* Function-pointer type used to call the buffer as code (__stdcall, no args). */
typedef VOID(__stdcall* Shellcode)(); | |
/* Globals shared between the entry point and the exception handler.
   Where they are initialised is not visible here. */
LPBYTE ShellcodeBuffer; | |
ULONG_PTR PreviousOffset; | |
ULONG_PTR CurrentOffset; | |
ULONGLONG InstructionCount; | |
/* presumably the old page protection returned by VirtualProtect -- verify */
DWORD dwOld; | |
{ | |
# This instructs Caddy to use the Let's Encrypt staging endpoint; remove it in production. | |
acme_ca https://acme-staging-v02.api.letsencrypt.org/directory | |
} | |
(proxy_upstream) { | |
# Enable access logging to STDOUT | |
log | |
# This is our list of naughty client User Agents that we don't want accessing our C2 |