Skip to content

Instantly share code, notes, and snippets.

View unprovable's full-sized avatar
💭
Rubber ducked...

Mark C. unprovable

💭
Rubber ducked...
View GitHub Profile

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

@hasherezade
hasherezade / syscall_extractor.cpp
Last active August 30, 2023 21:47
Extracts syscalls list from NTDLL.DLL
#include <stdio.h>
#include <Windows.h>
// based on: https://www.evilsocket.net/2014/02/11/on-windows-syscall-mechanism-and-syscall-numbers-extraction-methods/
// author: @evilsocket
// modified by: @hasherezade
#define IS_ADDRESS_BETWEEN( left, right, address ) ( (address) >= (left) && (address) < (right) )
PIMAGE_SECTION_HEADER SectionByRVA( PIMAGE_SECTION_HEADER pSections, DWORD dwSections, DWORD rva )
{
function Invoke-UACBypass {
<#
.SYNOPSIS
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@shuffle2
shuffle2 / dbg.py
Created July 8, 2015 08:23
powersaves-amiibo-frida stuffs
'''
Input MD5 : BB4E83D7A77AADD7F62728314EF09461
File Name : C:\Program Files (x86)\Powersaves For AMIIBO\Powersaves For AMIIBO.exe
0x108fd0 : schannel_recv -> log buffer on end
0x1090d0 : schannel_recv end
0x108d10 : schannel_send -> log buffer on start
0xce61 : deals with https "Token"
0xceab : deals with https "Vuid"
@pklaus
pklaus / ddnsserver.py
Last active October 30, 2024 03:53 — forked from andreif/Simple DNS server (UDP and TCP) in Python using dnslib.py
Simple DNS server (UDP and TCP) in Python using dnslib.py
#!/usr/bin/env python
"""
LICENSE http://www.apache.org/licenses/LICENSE-2.0
"""
import argparse
import datetime
import sys
import time
import threading
@rmmh
rmmh / gist:8515577
Created January 20, 2014 05:53
MSP430 Alphanumeric Instructions
[0-9a-zA-Z]{2}
30-39,41-5a,61-7a
a:61 z:7a A:41 Z:5a 0:30 9:39
MSP430 alphanumeric shellcode is hard. There's no way to write to memory,
no word-sized reg-reg operations, and all we have is add/sub/mov and a few conditional jumps.
# !/usr/python
# The FIN scan utilizes the FIN flag inside the TCP packet,
# along with the port number to connect to on the server.
# If there is no response from the server, then the port is open.
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
@wookiecooking
wookiecooking / txt.txt
Created July 8, 2013 16:27
haha google dork searches
intitle:index.of .bash_history
intitle:index.of .sh_history
intitle:”Index of” index.html.bak
intitle:”Index of” index.php.bak
intitle:”Index of” index.jsp.bak
intitle:”Index of” “.htpasswd” htpasswd.bak
inurl:backup intitle:index.of inurl:admin
“Index of /backup”
intitle:”Index of” index.html~
intitle:”Index of” index.php~
@earthgecko
earthgecko / bash.generate.random.alphanumeric.string.sh
Last active October 16, 2024 20:10
shell/bash generate random alphanumeric string
#!/bin/bash
# bash generate random alphanumeric string
#
# bash generate random 32 character alphanumeric string (upper and lowercase) and
NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
# bash generate random 32 character alphanumeric string (lowercase only)
cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1
@endolith
endolith / frequency_estimator.py
Last active October 26, 2024 20:10
Frequency estimation methods in Python
from __future__ import division
from numpy.fft import rfft
from numpy import argmax, mean, diff, log, nonzero
from scipy.signal import blackmanharris, correlate
from time import time
import sys
try:
import soundfile as sf
except ImportError:
from scikits.audiolab import flacread