originally inspired by https://gist.github.com/irsdl/5fc80ebad0d6fa211d3efdec288250a6
#examples:
#cdw C:\Use[tab]
#cdw C:\Program\ [double tab]
#cdw "C:\Program Files\[double tab]
#
#lsw should also work, eg lsw -lh C:\Use[tab]
#
/*
The vulnerable function takes as input an array of bytes and outputs their hex representation in unicode. The hex encoded bytes are separated by space (0x20)
For example:
user input : 0 129
output buffer (vulnerable_chunk): 30 00 30 00 20 00 38 00 31 00 20 00
With regards to the vulnerability itself, the problem exists in the output buffer (vulnerable_chunk) size calculation:
vulnerable_chunk_size = (user_controlled_size*6)%65536;
vulnerable_chunk = AllocateMemory(vulnerable_chunk_size);
#!/bin/bash
#not sure how useful If-Modified-Since/If-Unmodified-Since would be if the Last-Modified header is not available:)
resource=${1?Missing the URL of the resource}
accuracy=${2:-2} #by default, tries to identify the first 2 most significant metrics, the year and month
function replacer {
local result i pattern replacement
result=$1
#!/bin/bash
: '
examples:
./ip_range_check.sh <(echo 1.1.1.1) <(echo 1.1.1.2)
#no results
./ip_range_check.sh <(echo -e '127.0/8\n1.1.1.1/31') <(echo -e '7f000001.7f000002.rbndr.us\n1.1.256\n1.1.1.2\n2.2.2.36')
#7f000001.7f000002.rbndr.us 127.0.0.1
#1.1.256 1.1.256
'
/*
babeljs plugin that unravels a number of common obfuscation patterns (originally found in the F5 JS obfuscation library).
tip: for better results you can feed the output of the below plugin to minify
usage: set the plugins in your .babelrc to the path of this script
What it does: it takes as input the following obfuscated code:
function toBeGone(s, u, m){
'''
A poc for a device having the ScriptExecute buffer overflow originally reported by:
https://www.redteam-pentesting.de/en/advisories/rt-sa-2015-001/-avm-fritz-box-remote-code-execution-via-buffer-overflow
As suggested in the above advisory, parts of the source code of the vulnerable application can be found at:
https://github.com/mirror/dd-wrt/tree/master/src/router/dsl_cpe_control
Nevertheless, in the above repository there is an imposed maximum length on the user input, which mitigates the
vulnerability in the unsafe sscanf call.
This poc targets the variation without the user input length limitations.
#!/bin/bash
frontable_domain=${1:-www.amazon.co.uk}
fronted_domain=${2:-your.cloudfront.net}
cert_path="ssl cert path"
cdn_port=443
local_port=443
echo "Frontable domain: $frontable_domain, Fronted: $fronted_domain"
'Note: this "issue" was reported to checkpoint back in June/2018.
'This is mostly a reverse_https payload generated through msfvenom.
'It's modified at execution time to embed information (in base64 form) about the running environment in the domain used for the reverse
'connection.
'When the document is analysed, we should get back a report showing the "malicious" url that the document attempted to connect to, which
'includes our encoded data. Some other potential avenues for data exfiltration are file and registry modifications, which are normally
'included in the document analysis report.
'Note: Even though simple dns queries/http requests are detected, the domain is not displayed in the report. I haven't spent any
'more time on this but I guess the payload has to be properly dressed/execute specific actions before getting back the full details
'of its behavior from the report
'Originally posted at: https://stackoverflow.com/questions/1026483/is-there-a-way-to-crack-the-password-on-an-excel-vba-project/53358962#53358962
'This version should work for both x86 and amd64 versions of Microsoft Office
Option Explicit
Private Const PAGE_EXECUTE_READWRITE = &H40
Private Declare PtrSafe Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
(Destination As LongPtr, Source As LongPtr, ByVal Length As LongPtr)