Mark C. unprovable

View Wannacrypt0r-FACTSHEET.md

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@hasherezade
hasherezade / syscall_extractor.cpp
Last active May 26, 2020
Extracts syscalls list from NTDLL.DLL
View syscall_extractor.cpp
#include <stdio.h>
#include <Windows.h>
// based on: https://www.evilsocket.net/2014/02/11/on-windows-syscall-mechanism-and-syscall-numbers-extraction-methods/
// author: @evilsocket
// modified by: @hasherezade
#define IS_ADDRESS_BETWEEN( left, right, address ) ( (address) >= (left) && (address) < (right) )
PIMAGE_SECTION_HEADER SectionByRVA( PIMAGE_SECTION_HEADER pSections, DWORD dwSections, DWORD rva )
{
View UACBypass.ps1
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@shuffle2
shuffle2 / dbg.py
Created Jul 8, 2015
powersaves-amiibo-frida stuffs
View dbg.py
'''
Input MD5 : BB4E83D7A77AADD7F62728314EF09461
File Name : C:\Program Files (x86)\Powersaves For AMIIBO\Powersaves For AMIIBO.exe
0x108fd0 : schannel_recv -> log buffer on end
0x1090d0 : schannel_recv end
0x108d10 : schannel_send -> log buffer on start
0xce61 : deals with https "Token"
0xceab : deals with https "Vuid"
@pklaus
pklaus / ddnsserver.py Simple DNS server (UDP and TCP) in Python using dnslib.py
View ddnsserver.py
#!/usr/bin/env python
# coding=utf-8
import argparse
import datetime
import sys
import time
import threading
import traceback
import socketserver
@rmmh
rmmh / gist:8515577
Created Jan 20, 2014
MSP430 Alphanumeric Instructions
View gist:8515577
[0-9a-zA-Z]{2}
30-39,41-5a,61-7a
a:61 z:7a A:41 Z:5a 0:30 9:39
MSP430 alphanumeric shellcode is hard. There's no way to write to memory,
no word-sized reg-reg operations, and all we have is add/sub/mov and a few conditional jumps.
View FIN_scan.py
# !/usr/python
# The FIN scan utilizes the FIN flag inside the TCP packet,
# along with the port number to connect to on the server.
# If there is no response from the server, then the port is open.
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
@wookiecooking
wookiecooking / txt.txt
Created Jul 8, 2013
haha google dork searches
View txt.txt
intitle:index.of .bash_history
intitle:index.of .sh_history
intitle:”Index of” index.html.bak
intitle:”Index of” index.php.bak
intitle:”Index of” index.jsp.bak
intitle:”Index of” “.htpasswd” htpasswd.bak
inurl:backup intitle:index.of inurl:admin
“Index of /backup”
intitle:”Index of” index.html~
intitle:”Index of” index.php~
@earthgecko
earthgecko / bash.generate.random.alphanumeric.string.sh
Last active May 26, 2020
shell/bash generate random alphanumeric string
View bash.generate.random.alphanumeric.string.sh
#!/bin/bash
# bash generate random alphanumeric string
#
# bash generate random 32 character alphanumeric string (upper and lowercase) and
NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
# bash generate random 32 character alphanumeric string (lowercase only)
cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1