Keybase proof
I hereby claim:
- I am monoxgas on github.
- I am monoxgas (https://keybase.io/monoxgas) on keybase.
- I have a public key whose fingerprint is 8138 ABBC 8C08 62A4 1E16 A697 5856 495B 4691 8AB1
To claim this, I am signing this object:
Nick Landers monoxgas
monoxgas
/ urbandoor.cs
Created
April 10, 2023 22:58
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
View urbandoor.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using NtApiDotNet; | |
| using NtApiDotNet.Ndr.Marshal; | |
| using NtApiDotNet.Win32; | |
| using NtApiDotNet.Win32.Rpc.Transport; | |
| using NtApiDotNet.Win32.Security.Authentication; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server; | |
| using NtApiDotNet.Win32.Security.Authentication.Logon; | |
| using System; |
monoxgas
/ EraseTextBoxes.bas
Last active
March 14, 2023 16:23
— forked from githubyouser/EraseTextBoxes.bas
Word VBA: Convert text boxes to plain text
View EraseTextBoxes.bas
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 'https://answers.microsoft.com/en-us/msoffice/forum/all/removing-text-box-from-word-document-without/a4d02b2f-d168-48dc-960b-4a45cbe79d86 | |
| Sub ReplaceTextBoxes() | |
| Dim RngDoc As Range, RngShp As Range, i As Long, boundary As String | |
| With ActiveDocument | |
| For i = .Shapes.Count To 1 Step -1 | |
| With .Shapes(i) | |
| 'If .Type = msoTextBox Then | |
| 'https://eileenslounge.com/viewtopic.php?p=28255#p28255 | |
| If .TextFrame.HasText = True Then | |
monoxgas
/ keybase.md
Created
September 6, 2022 19:41
View keybase.md
View syscall.pl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use DynaLoader; | |
| use Devel::Peek; | |
| use Fcntl; | |
| use 5.008001; # because 5.6 doesn't have B::PV::object_2svref | |
| use Config; | |
| use B (); # for B::PV | |
| sub mmap { | |
| my ($addr, $size, $protect, $flags) = @_; | |
| syscall(197, $addr, $size, $protect, $flags, -1, 0); |
View extract.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ref: https://opensource.apple.com/source/dyld/[VERSION]/launch-cache/dsc_extractor.cpp.auto.html | |
| // > SDKROOT=`xcrun --sdk macosx --show-sdk-path` | |
| // > clang++ -o extract extract.cpp | |
| // > mkdir libraries | |
| // > ./extract /System/Library/dyld/dyld_shared_cache_x86_64 `pwd`/libraries/ | |
| #include <stdio.h> | |
| #include <stddef.h> | |
| #include <dlfcn.h> |
View vc_decrypt.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import struct | |
| import binascii | |
| from itertools import cycle, zip_longest | |
| from operator import itemgetter, xor | |
| from collections import Counter | |
| import re | |
| # Some root key constants from the binary |
monoxgas
/ keybase.md
Created
August 11, 2020 19:03
View keybase.md
Keybase proof
I hereby claim:
- I am monoxgas on github.
- I am monoxgas (https://keybase.io/monoxgas) on keybase.
- I have a public key ASCY7hWSUiJvdx6-976NCpVJx_ePWPOc6E3cuJz5PA8dygo
To claim this, I am signing this object:
View main.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| BOOL PatchTheRet(HMODULE realModule) { | |
| // Get primary module info |
View main.cpp
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| DWORD WINAPI Thread(LPVOID lpParam) { | |
| // Insert evil stuff | |
| ExitProcess(0); |
monoxgas
/ mscorlib_load_assembly.vba
Last active
May 18, 2023 13:30
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
View mscorlib_load_assembly.vba
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb | |
| Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long | |
| Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr) | |
| Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr | |
| #If Win64 Then | |
| Const LS As LongPtr = 8& | |
| #Else | |
| Const LS As LongPtr = 4& |
NewerOlder