lucam luca-m
@luca-m
luca-m / office2john.py
Created October 18, 2018 10:18
office2john.py
#!/usr/bin/env python
# This software is Copyright (c) 2012-2013 Dhiru Kholia <dhiru at openwall.com>
# and is licensed under the same license as used by the OleFileIO_PL library,
# which is included below.
# olefile (formerly OleFileIO_PL) version 0.41 2014-11-25
#
# Module to read/write Microsoft OLE2 files (also called Structured Storage or
# Microsoft Compound Document File Format), such as Microsoft Office 97-2003
@luca-m
luca-m / windbg_dump_all_modules.txt
Last active October 16, 2018 16:01
windbg snippets
# https://blogs.msdn.microsoft.com/benjaminperkins/2017/04/03/dumping-modules-from-a-memory-dump-for-decompilation/
.load C:\Program Files\dotnet\shared\Microsoft.NETCore.App\2.0.5\sos.dll
!for_each_module .if ($spat ("${@#ImageName}","*.exe")) { !SaveModule ${@#Base} D:\MemoryDumps\anything\exes\${@#ModuleName}.exe } .else { !SaveModule ${@#Base} D:\MemoryDumps\anything\dlls\${@#ModuleName}.dll }
@luca-m
luca-m / lazy_batch_deobfuscator.py
Created September 22, 2018 09:14
Lazy batch deobfuscator by @Fumik0_
# @Fumik0_
# Lazy batch deobfuscator
# https://twitter.com/fumik0_/status/1043407064188506112
import re
def show_me(value, alph):
    command = ''
    # raw string: '\d' is not a valid escape in a plain Python 3 string literal
    tokens = re.findall(r'\d+,\d+', value)
    for i in tokens:

# sort/count helpers: 'stats' strips the leading whitespace that 'uniq -c' pads with
# (sed BRE has no '+' quantifier, so '\s*' is used); 'histo' draws one '=' bar per n/3
alias stats='sort | uniq -c | sort -n | sed "s/^\s*//"'
alias histo='while read n d; do (printf "%s\t%$((n/3))s\n" "$d" = | tr " " "="); done'
@luca-m
luca-m / checkIPrange
Created April 19, 2018 08:18
checkIPrange
function checkIPrange(){
    # sipcalc prints "Usable range - <first> - <last>"; split on "-" to pull both ends
    START_IP=$(sipcalc "$1" | grep "Usable range" | cut -f3 | tr "-" "\t" | cut -f2)
    END_IP=$(sipcalc "$1" | grep "Usable range" | cut -f3 | tr "-" "\t" | cut -f3)
    echo "[+] Start: " $START_IP
    echo "[+] End: " $END_IP
}

# verify that traffic through proxychains actually exits via Tor before continuing
sudo systemctl start tor
proxychains -q curl -s https://check.torproject.org/ | grep "Congratulations. This browser is configured to use Tor" >/dev/null
if [ $? -ne 0 ]; then
    echo "No Tor!"
    return 1
fi
@luca-m
luca-m / CVE-2018-4878_poc.py
Created April 5, 2018 12:26
CVE-2018-4878 flash versions 28.0.0.137 and below remote code execution proof of concept exploit
#!/usr/bin/env python
# coding: UTF-8
# Adobe Flash versions 28.0.0.137 and below remote code execution proof of concept exploit.
# https://packetstormsecurity.com/files/147041/Adobe-Flash-28.0.0.137-Remote-Code-Execution.html
import BaseHTTPServer
import sys
from SimpleHTTPServer import SimpleHTTPRequestHandler
print "@Syfi2k"
print "[+] https://cxsecurity.com/issue/WLB-2018040041 "
# Author: Matt Graeber, SpecterOps
# Lists every .exe/.dll under C:\ whose referenced assemblies include System.Management.Automation
ls C:\* -Recurse -Include '*.exe', '*.dll' -ErrorAction SilentlyContinue | % {
    try {
        $Assembly = [Reflection.Assembly]::ReflectionOnlyLoadFrom($_.FullName)
        if ($Assembly.GetReferencedAssemblies().Name -contains 'System.Management.Automation') {
            $_.FullName
        }
    } catch {}
}
#!/bin/bash
## Credits: https://github.com/4shadoww
# Dump every writable (rw-p) mapping of process $1 with gdb, then concatenate the pieces.
mkdir -p dump-cache
rm -f dump-cache/*.dump
grep rw-p "/proc/$1/maps" | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | while read start stop; do
    gdb --batch --pid "$1" -ex "dump memory dump-cache/$1-$start-$stop.dump 0x$start 0x$stop"
done
cat dump-cache/*.dump > "$1-dump"
@luca-m
luca-m / vim_highlight_nonascii
Created July 21, 2015 15:51
vim highlight non ascii
syntax match nonascii "[^\x00-\x7F]"
" 'termbg' is not a valid :highlight argument; guibg/ctermbg cover GUI and colour terminals
highlight nonascii guibg=Red ctermbg=2
@luca-m
luca-m / gen_macro_doc.ps1
Created January 24, 2015 10:16
Generate a malicious Microsoft Office document with a specified payload and persistence method (https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1)
#Coded by Matt Nelson (@enigma0x3)
<#
.SYNOPSIS
Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method
.DESCRIPTION
This script will generate malicious Microsoft Excel Documents that contain VBA macros. This script will prompt you for your attacking IP
(the one you will receive your shell at), the port you want your shell at, and the name of the document. From there, the script will then
display a menu of different attacks, all with different persistence methods. Once an attack is chosen, it will then prompt you for your payload type
(Only HTTP and HTTPS are supported).