Skip to content

Instantly share code, notes, and snippets.

View bohops's full-sized avatar

bohops

357 followers · 10 following
View GitHub Profile
@ChoiSG
ChoiSG / dinvokeSyscall.cs
Created May 7, 2021 18:37
dinvoke with syscall - created for blog post
using System;
using DInvoke;
using System.Diagnostics;
using System.Runtime.InteropServices;
using DynamicInvoke = DInvoke.DynamicInvoke;
using Data = DInvoke.Data;
namespace dinvokeSyscall
{
class Program
@milo2012
milo2012 / Get-System.ps1
Last active November 22, 2021 18:50
Get-System.ps1
function Get-System {
<#
.SYNOPSIS
GetSystem functionality inspired by Meterpreter's getsystem.
Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: PSReflect
@med0x2e
med0x2e / steps.txt
Last active September 18, 2021 19:58
Steps to run GadgetToJScript on linux (wine)
Steps:
1- apt-get install mono-complete
2- apt-get install wine winetricks -y
3- winetricks dotnet35
4- winetricks dotnet48
5- dpkg --add-architecture i386 && apt-get update && apt-get install wine32
6- rm -Rf ~/.wine
7- WINEPREFIX=~/.wine32 WINEARCH=win32 wineboot
8- wine GadgetToJScript.NET3.5.exe -r -c helloworld.cs -d System.Windows.Forms.dll -w hta -o hello
@rvrsh3ll
rvrsh3ll / DInjectQueuerAPC.cs
Created November 20, 2020 15:10 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@Frycos
Frycos / CSM_pocs.md
Created November 16, 2020 18:55

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently-from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, security advisories were not published. All payload are processed in the context of NT AUTHORITY\SYSTEM.

@byt3bl33d3r
byt3bl33d3r / README.md
Last active May 3, 2024 15:52
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
@Arno0x
Arno0x / NetLoader.cs
Last active October 12, 2023 23:19
Partial rewrite of @Flangvik NetLoader. Supports proxy with authentication, XOR encrypted binaries, multiple arguments passing to binary.
/*
Author: Arno0x0x, Twitter: @Arno0x0x
Completely based on @Flangvik netloader
This partial rewrite of @Flangvik Netloader includes the following changes:
- Allow loading of an XOR encrypted binary to bypass antiviruses
To encrypt the initial binary you can use my Python transformFile.py script.
Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor
@xpn
xpn / env_var_spoofing_poc.cpp
Created June 6, 2020 21:25
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43
@Cyb3rWard0g
Cyb3rWard0g / COMPlus_ETWEnabled_detection_notes.md
Last active November 23, 2023 20:05

Initial Notes:

  • The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
  • CLRConfig will look for configurations in the following places in the following order:
    • Look at environment variables (prepending COMPlus_ to the name)
    • Look at the framework registry keys (HKCU\Software\Microsoft\.NETFramework
    • Look at the framework registry keys HKLM\Software\Microsoft\.NETFramework)
  • These can be set in the following ways:
    • Setting the environment variable COMPlus_:
  • Windows
@rvrsh3ll
rvrsh3ll / gadget2jscriptQueueAPCInject.cs
Last active July 21, 2023 13:07
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Net;
using System.IO.Compression;
public class Payload
{