@Dliv3
Dliv3 / qemu-2.7.0-aslr_heap_pie_nx_wxorx_mmap.patch
Created March 20, 2019 07:52 — forked from grimmlin/qemu-2.7.0-aslr_heap_pie_nx_wxorx_mmap.patch
Qemu aslr, heapaslr, pie, NX and W^X implementation (NX only for arm and mips atm)
diff -Naur qemu-2.7.0.orig/cpu-exec.c qemu-2.7.0/cpu-exec.c
--- qemu-2.7.0.orig/cpu-exec.c 2016-09-02 17:34:17.000000000 +0200
+++ qemu-2.7.0/cpu-exec.c 2017-01-19 09:34:00.817088525 +0100
@@ -33,6 +33,9 @@
#include "hw/i386/apic.h"
#endif
#include "sysemu/replay.h"
+#include "syscall_defs.h"
+
+extern int do_nx;
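Review bot: the `extern int do_nx;` declaration added to cpu-exec.c belongs in a shared header rather than in a .c file; the hunk already adds `#include "syscall_defs.h"` directly above it, so declaring `do_nx` there would give every translation unit a single declaration and keep the type from drifting from the definition.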
@Dliv3
Dliv3 / dementor.py
Created June 20, 2019 01:56 — forked from 3xocyte/dementor.py
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
@Dliv3
Dliv3 / pwn.js
Created July 1, 2019 03:27 — forked from stek29/pwn.js
// a bit more annotated stage2 (from fakeobj/addrof to rw)
// source: https://github.com/phoenhex/files/blob/master/exploits/ios-11.3.1/pwn_i8.js
// useful resources:
// webkit sources, lol
// http://phrack.org/papers/attacking_javascript_engines.html -- bit outdated -- info about spectre mitigations/gigacage is missing
// https://labs.mwrinfosecurity.com/blog/some-brief-notes-on-webkit-heap-hardening/ -- tldr on gigacage
// thx _niklasb
@Dliv3
Dliv3 / Get-MachineAccountQuotaUsers.ps1
Created April 27, 2020 03:38 — forked from dstreefkerk/Get-MachineAccountQuotaUsers.ps1
Gets a list of AD computers that were created by regular users exercising their default right to create up to 10 computer accounts in an AD domain
$machineAccountQuotaComputers = Get-ADComputer -filter {ms-DS-CreatorSID -ne "$null"} -Properties ms-DS-CreatorSID,Created
foreach ($machine in $machineAccountQuotaComputers) {
    $creator = $null
    try {
        $creator = [System.Security.Principal.SecurityIdentifier]::new($machine.'ms-DS-CreatorSID').Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        $creator = $machine.'ms-DS-CreatorSID'
    }
var details = {
    displayItems: [
        {
            label: "Original donation amount",
            amount: { currency: "USD", value: "65.00" },
        },
        {
            label: "Friends and family discount",
            amount: { currency: "USD", value: "-10.00" },
            pending: true
---
layout: post
title: Thoughts about automated malware unpacking
date: 2020-05-08 17:00:00 -0700
categories: reverse-engineering malware-analysis
permalink: /posts/automated-malware-unpacking
---

Most malware out there probably uses some sort of packer to evade detection and classification, or to make post-analysis more difficult. In this blog post I will talk about one of the most widely used packing techniques and how to defeat it with the power of binary emulation. I'll also drop a PoC of the new project I'm working on.

Background

# coding=utf-8
"""
LICENSE http://www.apache.org/licenses/LICENSE-2.0
"""
import datetime
import sys
import time
import threading
import traceback
import SocketServer
@Dliv3
Dliv3 / main.go
Created May 22, 2021 03:23 — forked from walm/main.go
Simple Golang DNS Server
package main

import (
    "fmt"
    "log"
    "strconv"

    "github.com/miekg/dns"
)
@Dliv3
Dliv3 / machineKeyFinder.aspx
Created June 21, 2022 12:18 — forked from irsdl/machineKeyFinder.aspx
To find validation and decryption keys when AutoGenerate has been used in Machine Key settings
<%@ Page Language="C#" %>
<%
    // Read https://soroush.secproject.com/blog/2019/05/danger-of-stealing-auto-generated-net-machine-keys/
    Response.Write("<br/><hr/>");
    byte[] autoGenKeyV4 = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\", "AutoGenKeyV4", new byte[]{});
    if (autoGenKeyV4 != null)
        Response.Write("HKCU\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\AutoGenKeyV4: " + BitConverter.ToString(autoGenKeyV4).Replace("-", string.Empty));
    Response.Write("<br/>");
    byte[] autoGenKey = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\2.0.50727.0\\", "AutoGenKey", new byte[]{});
    if (autoGenKey != null)
@Dliv3
Dliv3 / decryptKerbTicket.py
Created September 1, 2022 06:18 — forked from xan7r/decryptKerbTicket.py
Decrypt kerberos tickets and parse out authorization data
#!/usr/bin/env python2
# NOTE: this script was created for educational purposes to assist learning about kerberos tickets.
# Likely to have a few bugs that cause it to fail to decrypt some TGT or Service tickets.
#
# Recommended Instructions:
# Obtain valid kerberos tickets using Rubeus or mimikatz "sekurlsa::tickets /export"
# Optionally convert tickets to ccache format using kekeo "misc::convert ccache <ticketName.kirbi>"
# Obtain appropriate aes256 key using dcsync (krbtgt for TGT or usually target computer account for Service Ticket)
# Run this script to decrypt:
# ./decryptKerbTicket.py -k 5c7ee0b8f0ffeedbeefdeadbeeff1eefc7d313620feedbeefdeadbeefafd601e -t ./[email protected][email protected]