I hereby claim:
- I am e3prom on github.
- I am e3prom (https://keybase.io/e3prom) on keybase.
- I have a public key ASDeEdU2gxUTwAsyTjq3s_tyPQH5T3ZZYWGLudhT241hpQo
To claim this, I am signing this object:
## Snort/Suricata Rules
## Provides additional detection of potential post-exploitation attacks, lateral-movements and C2 communication/beaconing.
alert http $EXTERNAL_NET any -> $HOME_NET 5985 (msg:"[EP] Windows Remote Management (WinRM)"; flow:established,to_server; content:"POST"; http_method; content:"/wsman"; nocase; pcre:"/\/wsman/"; classtype:policy-violation; sid:9001002; rev:1; metadata:created_at 2022_11_09, updated_at 2022_11_09;)
alert http $EXTERNAL_NET any -> $HOME_NET 5985 (msg:"[EP] WinRM Evil Client"; flow:established,to_server; content:"POST"; http_method; content:"Ruby WinRM Client"; nocase; http_user_agent; classtype:misc-attack; sid:9001003; rev:1; metadata:created_at 2022_11_09, updated_at 2022_11_09;)
alert tls $EXTERNAL_NET any -> $HOME_NET 5986 (msg:"[EP] Windows Remote Management (WinRM) over TLS"; flow:established,to_server; content:"|1603 01|"; fast_pattern; stream_size: client, >,0; stream_size: server, >,0; classtype:policy-violation; sid:9001004; rev:1; metadata:created_at 2022_
# CentOS 8 Hardening Script (CIS Benchmark Partial)
#!/bin/sh
### FILESYSTEMS
/bin/echo -n '[*] Disabling unneeded filesystems... '
/bin/echo 'install cramfs /bin/true' > /etc/modprobe.d/cramfs.conf
/bin/echo 'install squashfs /bin/true' > /etc/modprobe.d/squashfs.conf
/bin/echo 'install udf /bin/true' > /etc/modprobe.d/udf.conf
/bin/echo 'install usb-storage /bin/true' > /etc/modprobe.d/usb-storage.conf
/bin/echo 'install iscsi_tcp /bin/true' > /etc/modprobe.d/iscsi_tcp.conf
#/bin/echo 'install libiscsi /bin/true' >> /etc/modprobe.d/iscsi_tcp.conf
#!/usr/bin/env python
# Automation skeleton for IOS-XE (RESTCONF) with YANG
# Nicolas Chabbey <e3prom>
#
# conf/devices.conf:
# devices:
#   - hostname: 10.240.0.180
#     type: cisco-ios-xe
#     port: 443
#     verify: False
fn main() {
    // simple memory tests with integers (usually stored on the stack).
    // integer types implement the Copy trait, therefore the old variable is still
    // available and can be referenced after the assignment.
    let x = 1;
    let y = x;
    println!("x stored at {:p} is {}, y stored at {:p} is {}", &x, x, &y, y);
    // tests with immutable strings.
    let s1 = "immutable";
'''
This script allows you to load a DLL using the Windows API 'LoadLibrary()' function
and returns its load address and the relative virtual address of its text section.
You can specify multiple DLL files at once using the wildcard (globbing) character.
Note to self: next time use argparse instead of the *limited* getopt.
Coded with some love by e3prom <github.com/e3prom>
'''
from ctypes import windll
# generic-stack-overflow-file-exploit.py
# Sample exploit code for the generic-stack-overflow-file.c, available at:
# https://github.com/e3prom/shellcode/blob/master/dev/generic-stack-overflow.c
#
# Exploitability:
# There is no direct RP overwrite, however we can control the SE handler pointer at offset 808.
# The SE handler pointer points to a stack pivot.
# This exploit is a little bit messy, I do apologize.
import struct
file = 'crash.txt'