https://gist.github.com/jhalon/5cbaab99dccadbf8e783921358020159
- MSVC v140 - VS 2015 C++ build tools (v14.00)
- MSVC v141 - VS 2017 C++ x64/x86 build tools (v14.16)
- Windows 10 SDK (10.0.17134.0)
- Visual Studio 2017 Community
from pykd import * | |
import sys | |
# .load pykd. | |
# !py c:\users\uf0\desktop\dump_iat.py target_module_name|all [dep] | |
def usage():
    """Print the one-line invocation help for this pykd script.

    The script is meant to be run from inside WinDbg after ``.load pykd``,
    so the help text shows the ``!py`` form rather than a shell command.
    """
    banner = "USAGE: !py c:\\users\\uf0\\desktop\\dump_iat.py target_module_name|all [dep]"
    print(banner)
def fetch_iat(module,cmd,dep): |
#include <windows.h> | |
#include <tlhelp32.h> | |
#include <stdio.h> | |
#include <string.h> | |
#include <iostream> | |
#include <stdarg.h> | |
void _dbg_printf(const char *fmt, ...) | |
{ | |
char msg[2048] = {}; |
import argparse | |
import sys | |
def auto_int(x):
    """Parse *x* as an integer, honouring a 0x/0o/0b radix prefix.

    Intended as an argparse ``type=`` callable: base 0 lets ``int()`` infer
    the radix from the literal, so both ``"16"`` and ``"0x10"`` are accepted.
    """
    infer_radix = 0
    return int(x, infer_radix)
# Modded by Matteo 'uf0' Malvica - 2021 | |
# The following code is taken from | |
# https://github.com/mwrlabs/win_driver_plugin/blob/master/win_driver_plugin/ioctl_decoder.py |
#include <Windows.h> | |
#include <stdio.h> | |
#include <winternl.h> | |
#pragma comment(lib, "ntdll") | |
/* Control code for the beep device: CTL_CODE(device type, function index 0,
 * METHOD_BUFFERED transfer, FILE_ANY_ACCESS required access). */
#define IOCTL_BEEP CTL_CODE(FILE_DEVICE_BEEP, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef struct _BEEP_SETTINGS { | |
ULONG ulFrequency; |
import random | |
import sys | |
import io | |
from ctypes import windll, POINTER, byref | |
from ctypes.wintypes import LPVOID, DWORD, LPCSTR, LPSTR, BOOL, HANDLE | |
DeviceIoControl = windll.kernel32.DeviceIoControl | |
CreateFileA = windll.kernel32.CreateFileA | |
CloseHandle = windll.kernel32.CloseHandle |
""" | |
Author: Matteo 'uf0' Malvica @matteomalvica | |
Tested with IDA 7.5 and Py3 | |
Original plugin: https://github.com/FSecureLABS/win_driver_plugin | |
""" | |
def getopvalue(addr):
    """Return the second operand of the instruction at `addr`, truncated to 32 bits.

    `idc.get_operand_value` may hand back a wider value on 64-bit databases;
    masking keeps the result comparable with 32-bit IOCTL constants.
    """
    mask32 = 0xffffffff
    raw = idc.get_operand_value(addr, 1)
    return raw & mask32
#!/usr/bin/env python3
""" | |
POP-POP-RET finder ported in py3 and IDA Pro 7.5 | |
Author: Matteo 'uf0' Malvica | |
""" | |
import idc | |
import ida_bytes |
# Exploit Title: Druva inSync Windows Client 6.6.3 - Local Privilege Escalation via path traversal | |
# Date: 2020-05-21 | |
# Exploit Author: Matteo Malvica | |
# Credits: Chris Lyne for previous version's exploit | |
# Vendor Homepage: druva.com | |
# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.6.3/inSync6.6.3r102156.msi | |
# Version: 6.6.3 | |
# Tested on: Windows 10 1909-18363.778 | |
# Command injection in inSyncCPHwnet64 RPC service |
#!/usr/bin/python
# Original Author == @avicoder | |
# Remixed by == @uf0 | |
# | |
# This script aims to automate the burden of masscanning connected hosts on a local network via a virtual interface like tun/tap.
# The tool performs a masscan on the provided port or port range after ARP-scanning all hosts on the LAN.
import sys,getopt,subprocess |