Brad Antoniewicz brad-anton

brad-anton / Simple Chrome Manifest Discovery and Parsing

Last active June 14, 2016 18:22

	def __process_manifest_json(self, fullpath):
	"""The manifest.json files contain less information
	then the Preferences files, so we'll use this menthod
	on if the preferences file is unavaible"""
	extension = fullpath.split(self.os.SLASH)[-3]

	if path.isfile(fullpath):
	with open(fullpath, 'rb') as f:
	manifest = json.load(f)

brad-anton / Parse Chrome Preferences

Created June 14, 2016 18:25

	def __check_preferences_json(self, preferences):
	"""Pulls Extension information out of the preferences file
	"""
	extensions = []
	with open(preferences, 'rb') as f:
	prefs_json = json.load(f)

	extensions_json = prefs_json['extensions']['settings']
	for extension in extensions_json.iterkeys():
	name = None

brad-anton / Query IE11 Extensions with PowerShell

Created June 14, 2016 19:14

	function Make-Extension
	{
	Param([string]$clsid, [string]$name, [string]$dll)

	$extension = New-Object PSObject -Prop (@{'CLSID' = $clsid;
	'Name' = $name;
	'DLL' = $dll })

	$extension
	}

brad-anton / Lookup CLSID in PowerShell

Created June 14, 2016 19:33

	function Lookup-Clsid
	{
	Param([string]$clsid)
	$CLSID_KEY = 'HKLM:\SOFTWARE\Classes\CLSID'

	If ( Test-Path $CLSID_KEY\$clsid) {
	$name = (Get-ItemProperty -Path $CLSID_KEY\$clsid).'(default)'
	$dll = (Get-ItemProperty -Path $CLSID_KEY\$clsid\InProcServer32).'(default)'
	}
	$name, $dll

brad-anton / gist:0ed1079969dad86079ad35a91122af52

Last active June 27, 2016 18:48

Investigate api query pattern

	inv = investigate.Investigate('12345678-1234-1234-1234-1234567890ab')
	inv.search('searchregex', start=datetime.timedelta(days=1), limit=100, include_category=False)

brad-anton / gist:f5c190d8d54445d1eecb1f6e2e2ae44d

Created June 27, 2016 18:46

Example lookup table implementation for regex generator

	# Create mappings for every character, for instance:
	s=['s','5','z','es','2']
	alphabet={ 's':s }

	def get_permutations(self, letter):
	try:
	permutations = alphabet[letter]
	except KeyError: # The letter is not in alphabet
	permutations = letter
	regex = '['

brad-anton / WildFire XOR

Created July 13, 2016 01:39

Deobfuscate the WildFire Stage something payload :)

	"""
	Quick binary xor for WildFire
	@brad_anton

	Bigrmkwhrr.png 645e7f63886d74c5edd149caac1b41cd
	Bigrmkwhrr.png.exe (output) ec5921b64581a7c6414680c36d50805c

	"""
	from itertools import cycle

brad-anton / gist:bfcbfc9419c0f20a32fb898a87fe7695

Created August 1, 2016 13:57

User input can overwrite variables

	while(list($key, $val) = each($_POST)) {
	$GLOBALS[$key] = $val;

brad-anton / gist:eafc52da26732f4ae99dc0a093298d49

Created August 1, 2016 14:25

Simplified version of web-to-email vulnerability

	$DestinationAddress = "[email protected]";
	$Subject = "Contact Form Inquiry";

	while(list($key, $val) = each($_POST)) {
	$GLOBALS[$key] = $val;
	}
	$Header = "From: $name <$email>\r\n";
	$Header .= "Reply-To: $name <$email>\r\n";

	mail($DestinationAddress, $Subject, $Message, $Header);

brad-anton / gist:f3311d60bffff4a4bfec0533d6f6283e

Created August 2, 2016 11:51

Simplified version of web-to-email vulnerability Raw

	$DestinationAddress = "[email protected]";
	$Subject = "Contact Form Inquiry";

	while(list($key, $val) = each($_POST)) {
	$GLOBALS[$key] = $val;
	}
	$Header = "From: $name <$email>\r\n";
	$Header .= "Reply-To: $name <$email>\r\n";

	mail($DestinationAddress, $Subject, $Message, $Header);