EspressoCake
EspressoCake
/ peerseek.cna
Created
September 19, 2023 19:07
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Justin Lucas | |
| # Date: September 19, 2023 | |
| # Info: A script to colleagues' files starting at the current directory it is running | |
| # Where found, it will attempt to receive the file as a redirected byte stream | |
| beacon_command_register("peerseek", "Seek a file from your peers to grab instantly.", "peerseek FILENAME"); | |
| alias peerseek | |
| { |
EspressoCake
/ BOF_With_Variadic_Arguments.cna
Created
January 5, 2023 23:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Justin Lucas | |
| # Date: January 5, 2023 | |
| sub packVariadicArguments | |
| { | |
| local('$result'); | |
| local('$index'); | |
| local('$currentArgument'); | |
| # Shift and iterate a list with the Beacon ID popped |
EspressoCake
/ resolve_hostname_over_SOCKS.py
Last active
July 1, 2022 16:26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import logging | |
| import socket | |
| import sys | |
| from argparse import ArgumentParser, Namespace | |
| from dns.resolver import Resolver | |
| from os.path import exists | |
| # Example Usage: proxychains -q python3 resolve_hostname_over_SOCKS.py --nameserver 10.10.10.10 --items SOMEWORKSTATION1.CONTOSO.LOCAL SOMEWORKSTATION2.CONTOSO.LOCAL | |
| # Example Usage: proxychains -q python3 resolve_hostname_over_SOCKS.py --nameserver 10.10.10.10 --fileinput --items file_with_hostnames.txt |
EspressoCake
/ DumpHex.c
Created
January 30, 2022 17:57
— forked from ccbrown/DumpHex.c
Compact C Hex Dump Function w/ASCII
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| void DumpHex(const void* data, size_t size) { | |
| char ascii[17]; | |
| size_t i, j; | |
| ascii[16] = '\0'; | |
| for (i = 0; i < size; ++i) { | |
| printf("%02X ", ((unsigned char*)data)[i]); | |
| if (((unsigned char*)data)[i] >= ' ' && ((unsigned char*)data)[i] <= '~') { | |
| ascii[i % 16] = ((unsigned char*)data)[i]; |
EspressoCake
/ rsrcDecryptAssembly.nim
Created
December 15, 2021 22:59
— forked from ChoiSG/rsrcDecryptAssembly.nim
embed .net, decrypt, load and execute in nim poc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import nimcrypto | |
| import winim/clr except `[]` # https://s3cur3th1ssh1t.github.io/Playing-with-OffensiveNim/ <-- thank you so much, 2 hours googling I almost went crazy | |
| #[ | |
| All credit goes to @byt3bl33d3r (OffensiveNim) and @s3cur3th1ssh1t | |
| nimble install winim nimcrypto zippy | |
| nim c -d:danger -d:strip --opt:size rsrcDecryptAssembly.nim | |
| slurp = "staticRead" will read the file and store it in the variable (.rdata) on compile time. |
EspressoCake
/ log4shell_regexes.py
Created
December 14, 2021 02:53
— forked from karanlyons/log4shell_regexes.py
log4shell Regexes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| from urllib.parse import unquote | |
| FLAGS = re.IGNORECASE | re.DOTALL | |
| ESC_DOLLAR = r'(?:\$|\\u0024||\\x24|\\0?44|%24)' | |
| ESC_LCURLY = r'(?:\{|\\u007B|\\x7B|\\173|%7B)' | |
| ESC_RCURLY = r'(?:\}|\\u007D|\\x7D|\\175|%7D)' | |
| _BACKSLASH_ESCAPE_RE = re.compile(r'\\(?:u[0-9af]{4}|x[0-9af]{2}|[0-7]{,3})') | |
| _PERCENT_ESCAPE_RE = re.compile(r'%[0-9af]{2}') |
EspressoCake
/ conti.cna
Created
August 9, 2021 21:07
— forked from MHaggis/conti.cna
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #AntiVirus Query | |
| #Author: @r3dQu1nn | |
| #Queries the Registry for AV installed | |
| #Thanks to @i_am_excite and @merrillmatt011 for the help | |
| #Props to @zerosum0x0 for the wmic find! | |
| #Long ass one-liner :) | |
| $powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE) |
EspressoCake
/ Win7x86-CVE-2020-17087.c
Created
August 5, 2021 22:03
— forked from vp777/Win7x86-CVE-2020-17087.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| The vulnerable function takes as input an array of bytes and outputs their hex representation in unicode. The hex encoded bytes are separated by space (0x20) | |
| For example: | |
| user input : 0 129 | |
| output buffer (vulnerable_chunk): 30 00 30 00 20 00 38 00 31 00 20 00 | |
| With regards to the vulnerability itself, the problem exists in the output buffer (vulnerable_chunk) size calculation: | |
| vulnerable_chunk_size = (user_controlled_size*6)%65536; | |
| vulnerable_chunk = AllocateMemory(vulnerable_chunk_size); |
EspressoCake
/ NtMonitor.py
Created
May 11, 2021 20:55
— forked from matterpreter/NtMonitor.py
Frida script to spawn a process and monitor Native API calls
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import frida | |
| import sys | |
| def on_message(message, data): | |
| if message['type'] == 'send': | |
| print(message['payload']) | |
| elif message['type'] == 'error': | |
| print(message['stack']) | |
| else: | |
| print(message) |
EspressoCake
/ ioctl_translator.py
Created
March 26, 2021 14:19
— forked from uf0o/ioctl_translator.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import argparse | |
| import sys | |
| def auto_int(x): | |
| return int(x, 0) | |
| # Modded by Matteo 'uf0' Malvica - 2021 | |
| # The following code is taken from | |
| # https://github.com/mwrlabs/win_driver_plugin/blob/master/win_driver_plugin/ioctl_decoder.py |
NewerOlder