Skip to content

Instantly share code, notes, and snippets.

View unprovable's full-sized avatar
Rubber ducked...

Mark C. unprovable

Rubber ducked...
View GitHub Profile

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

hasherezade / syscall_extractor.cpp
Last active August 30, 2023 21:47
Extracts syscalls list from NTDLL.DLL
View syscall_extractor.cpp
#include <stdio.h>
#include <Windows.h>
// based on:
// author: @evilsocket
// modified by: @hasherezade
#define IS_ADDRESS_BETWEEN( left, right, address ) ( (address) >= (left) && (address) < (right) )
View UACBypass.ps1
function Invoke-UACBypass {
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
shuffle2 /
Created July 8, 2015 08:23
powersaves-amiibo-frida stuffs
Input MD5 : BB4E83D7A77AADD7F62728314EF09461
File Name : C:\Program Files (x86)\Powersaves For AMIIBO\Powersaves For AMIIBO.exe
0x108fd0 : schannel_recv -> log buffer on end
0x1090d0 : schannel_recv end
0x108d10 : schannel_send -> log buffer on start
0xce61 : deals with https "Token"
0xceab : deals with https "Vuid"
pklaus /
Last active November 1, 2023 10:20 — forked from andreif/Simple DNS server (UDP and TCP) in Python using
Simple DNS server (UDP and TCP) in Python using
#!/usr/bin/env python
import argparse
import datetime
import sys
import time
import threading
rmmh / gist:8515577
Created January 20, 2014 05:53
MSP430 Alphanumeric Instructions
View gist:8515577
a:61 z:7a A:41 Z:5a 0:30 9:39
MSP430 alphanumeric shellcode is hard. There's no way to write to memory,
no word-sized reg-reg operations, and all we have is add/sub/mov and a few conditional jumps.
# !/usr/python
# The FIN scan utilizes the FIN flag inside the TCP packet,
# along with the port number to connect to on the server.
# If there is no response from the server, then the port is open.
import logging
from scapy.all import *
wookiecooking / txt.txt
Created July 8, 2013 16:27
haha google dork searches
View txt.txt
intitle:index.of .bash_history
intitle:index.of .sh_history
intitle:”Index of” index.html.bak
intitle:”Index of” index.php.bak
intitle:”Index of” index.jsp.bak
intitle:”Index of” “.htpasswd” htpasswd.bak
inurl:backup intitle:index.of inurl:admin
“Index of /backup”
intitle:”Index of” index.html~
intitle:”Index of” index.php~
earthgecko /
Last active November 6, 2023 14:21
shell/bash generate random alphanumeric string
# bash generate random alphanumeric string
# bash generate random 32 character alphanumeric string (upper and lowercase) and
NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)
# bash generate random 32 character alphanumeric string (lowercase only)
cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1
endolith /
Last active October 30, 2023 18:08
Frequency estimation methods in Python
from __future__ import division
from numpy.fft import rfft
from numpy import argmax, mean, diff, log, nonzero
from scipy.signal import blackmanharris, correlate
from time import time
import sys
import soundfile as sf
except ImportError:
from scikits.audiolab import flacread