Mathias R. Jessen IISResetMe

## Scan-LOLDrivers.ps1
function Scan-LOLDrivers {
    param(
        [Parameter(Mandatory = $true)]
        [string]$path
    )

    Add-Type -TypeDefinition @"
    using System;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;

## Set-ADPrincipalRedirection.ps1
function Set-ADPrincipalRedirection {
    param(
        [Parameter(Mandatory)]
        $Domain,

        [string]
        $ComputersOU,

        [string]
        $UsersOU

## ConvertFrom-WildcardPattern.ps1
function ConvertFrom-WildcardPattern {
  param(
    [Parameter(Mandatory, ValueFromPipeline)]
    [WildcardPattern]$InputObject
  )

  begin {
    $pctrProp = [WildcardPattern].
                  GetMember('PatternConvertedToRegex', [Reflection.BindingFlags]'NonPublic, Instance')
  }

## Get-ADCertificateAuthority.ps1
$ConfigurationDN = $([ADSI]"LDAP://RootDSE").ConfigurationNamingContext;
$SearchRoot = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigurationDN"
$SearchFilter = "(objectCategory=pkiEnrollmentService)"

foreach($CAEnrollService in (New-Object adsiSearcher([ADSI]$SearchRoot,$SearchFilter)).FindAll()){
  $serviceProperties = [ordered]@{}
  foreach($propName in 'Name CN DnsHostName'.Split()){
    $serviceProperties[$propName] = $CAEnrollService.Properties[$propName] |Select -First 1
  }

## Get-PSRStaticInvocationHistory.ps1

Get-PSReadLineOption |Get-Content -LiteralPath { $_.HistorySavePath } |ForEach-Object {
  if($_.EndsWith('`')){
    $last += "{0}`r`n" -f $_.Remove($_.Length - 1)
  }else{
    "${last}${_}"
    $last = $null
  }
} |Where-Object {$_ -like '*::*'} |ForEach-Object {
  # parse history entry as powershell script

## half_a_record_typer.ps1
using namespace System.Reflection
using namespace System.Reflection.Emit
using namespace System.Runtime.CompilerServices

# We'll attempt to construct a subset of the functionality of:
#  public record TestRecord(int M1, string M2);
#
# Namely, we'll generate:
#  - property getters (`get_M1()`, `get_M2()`),
#  - a public constructor (`TestRecord(int, int);`),

## MeasureCallstackPenalty.ps1
function target {
  param($Caller = $((Get-PSCallStack)[0].Command))

  "'$Caller' called!"
}

function volunteerID {
  target -Caller $MyInvocation.MyCommand
}

## Find-VulnerableSchemas.ps1
# Dictionary to hold superclass names
$superClass = @{}

# List to hold class names that inherit from container and are allowed to live under computer object
$vulnerableSchemas = [System.Collections.Generic.List[string]]::new()

# Resolve schema naming context
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Enumerate all class schemas

## flatten.ps1
using namespace System.Collections

function flatten
{
    param(
        [IDictionary]$Dictionary,
        [string]$KeyDelimiter = ':'
    )

    $newDict = @{}

## stackoverflow-font-hack.css
body *:not(code) { font-family: arial !important; }
code {font-family: monospace !important;}
	function Scan-LOLDrivers {
	param(
	[Parameter(Mandatory = $true)]
	[string]$path
	)

	Add-Type -TypeDefinition @"
	using System;
	using System.Security.Cryptography;
	using System.Security.Cryptography.X509Certificates;
	function Set-ADPrincipalRedirection {
	param(
	[Parameter(Mandatory)]
	$Domain,

	[string]
	$ComputersOU,

	[string]
	$UsersOU
	function ConvertFrom-WildcardPattern {
	param(
	[Parameter(Mandatory, ValueFromPipeline)]
	[WildcardPattern]$InputObject
	)

	begin {
	$pctrProp = [WildcardPattern].
	GetMember('PatternConvertedToRegex', [Reflection.BindingFlags]'NonPublic, Instance')
	}
	$ConfigurationDN = $([ADSI]"LDAP://RootDSE").ConfigurationNamingContext;
	$SearchRoot = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigurationDN"
	$SearchFilter = "(objectCategory=pkiEnrollmentService)"

	foreach($CAEnrollService in (New-Object adsiSearcher([ADSI]$SearchRoot,$SearchFilter)).FindAll()){
	$serviceProperties = [ordered]@{}
	foreach($propName in 'Name CN DnsHostName'.Split()){
	$serviceProperties[$propName] = $CAEnrollService.Properties[$propName] \|Select -First 1
	}

	Get-PSReadLineOption \|Get-Content -LiteralPath { $_.HistorySavePath } \|ForEach-Object {
	if($_.EndsWith('`')){
	$last += "{0}`r`n" -f $_.Remove($_.Length - 1)
	}else{
	"${last}${_}"
	$last = $null
	}
	} \|Where-Object {$_ -like '::'} \|ForEach-Object {
	# parse history entry as powershell script
	using namespace System.Reflection
	using namespace System.Reflection.Emit
	using namespace System.Runtime.CompilerServices

	# We'll attempt to construct a subset of the functionality of:
	# public record TestRecord(int M1, string M2);
	#
	# Namely, we'll generate:
	# - property getters (`get_M1()`, `get_M2()`),
	# - a public constructor (`TestRecord(int, int);`),
	function target {
	param($Caller = $((Get-PSCallStack)[0].Command))

	"'$Caller' called!"
	}

	function volunteerID {
	target -Caller $MyInvocation.MyCommand
	}
	# Dictionary to hold superclass names
	$superClass = @{}

	# List to hold class names that inherit from container and are allowed to live under computer object
	$vulnerableSchemas = [System.Collections.Generic.List[string]]::new()

	# Resolve schema naming context
	$schemaNC = (Get-ADRootDSE).schemaNamingContext

	# Enumerate all class schemas
	using namespace System.Collections

	function flatten
	{
	param(
	[IDictionary]$Dictionary,
	[string]$KeyDelimiter = ':'
	)

	$newDict = @{}
	body *:not(code) { font-family: arial !important; }
	code {font-family: monospace !important;}