killvxk

## gist:385cc93cf6cf336eb7285a1ebf1e8711
Steps to install Metasploit on Windows 10 using the Windows Subsystem for Linux

1.) Enable Developer Mode
    C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"

2.) Enable Windows Subsystem for Linux
    C:\> DISM /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux

3.) Reboot

## smbloris.c
/* SMBLoris attack proof-of-concept
 *
 * Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
 *
 * Licensed under the terms of the 2-clause BSD license.
 *
 * This is a proof of concept of a publicly disclosed vulnerability.
 * Please do not go around randomly DoSing people with it.
 *
 * Tips: do not use your local IP as source, or if you do, use iptables to block

## hyperdetect.c
//this requires being able to run at kernel mode and assumes you're using MSVC
//this also uses an unnamed structure for cr0_t, which is a nonstandard extension of the C language


//data structure for cr0
typedef union _cr0_t
{
	struct
	{
		uint64_t protection_enable : 1;

## abandonedInprocServer32.cs
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;

namespace ComAbandonment
{
    public class ComAbandonment
    {

## checksvc.py
import os
import subprocess
import ctypes

# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')

## checkaslr.py
'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE,
but do not have a relocation table to allow ASLR to function.

usage: checkaslr.py <dir>
ex: checkaslr.py "C:\Program Files\"

requires: pefile <https://github.com/erocarrera/pefile>, which should be
installable via: pip install pefile
'''

## SystemCMD.cpp
#include "stdafx.h"
#include <windows.h>
#include <Winbase.h>
#include <Wtsapi32.h>
#include <Userenv.h>
#include <malloc.h>

#pragma comment(lib, "Wtsapi32.lib")
#pragma comment(lib, "Userenv.lib")

## launch_wsl.py
import sys
import windows
import windows.winproxy
import windows.generated_def as gdef

# List distro: wslconfig /l

class WSLAPIProxy(windows.winproxy.ApiProxy):
    APIDLL = "wslapi"
    default_error_check = staticmethod(windows.winproxy.no_error_check)

## clr_via_native.c
#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;

## PSProcmon.psm1
# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
[Flags()]
enum RegistryOptions {
    CloseKey              = 0x00000001
    QuerySecurityKey      = 0x00000002
    SetSecurityKey        = 0x00000004
    EnumerateValueKey     = 0x00000010
    QueryMultipleValueKey = 0x00000020
    SetInformationKey     = 0x00000040
    FlushKey              = 0x00000080
	Steps to install Metasploit on Windows 10 using the Windows Subsystem for Linux

	1.) Enable Developer Mode
	C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"

	2.) Enable Windows Subsystem for Linux
	C:\> DISM /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux

	3.) Reboot
	/* SMBLoris attack proof-of-concept
	*
	* Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
	*
	* Licensed under the terms of the 2-clause BSD license.
	*
	* This is a proof of concept of a publicly disclosed vulnerability.
	* Please do not go around randomly DoSing people with it.
	*
	* Tips: do not use your local IP as source, or if you do, use iptables to block
	//this requires being able to run at kernel mode and assumes you're using MSVC
	//this also uses an unnamed structure for cr0_t, which is a nonstandard extension of the C language


	//data structure for cr0
	typedef union _cr0_t
	{
	struct
	{
	uint64_t protection_enable : 1;
	using System;
	using System.Collections.Generic;
	using System.IO;
	using System.Linq;
	using System.Management;

	namespace ComAbandonment
	{
	public class ComAbandonment
	{
	import os
	import subprocess
	import ctypes

	# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

	svcinfo = {}
	nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
	FNULL = open(os.devnull, 'w')
	'''checkaslr.py: Check for files that opt into ASLR with /DYNAMICBASE,
	but do not have a relocation table to allow ASLR to function.

	usage: checkaslr.py <dir>
	ex: checkaslr.py "C:\Program Files\"

	requires: pefile <https://github.com/erocarrera/pefile>, which should be
	installable via: pip install pefile
	'''
	#include "stdafx.h"
	#include <windows.h>
	#include <Winbase.h>
	#include <Wtsapi32.h>
	#include <Userenv.h>
	#include <malloc.h>

	#pragma comment(lib, "Wtsapi32.lib")
	#pragma comment(lib, "Userenv.lib")
	import sys
	import windows
	import windows.winproxy
	import windows.generated_def as gdef

	# List distro: wslconfig /l

	class WSLAPIProxy(windows.winproxy.ApiProxy):
	APIDLL = "wslapi"
	default_error_check = staticmethod(windows.winproxy.no_error_check)
	#include "stdafx.h"

	int main()
	{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;
	# These keyword values can be obtained with: logman query providers Microsoft-Windows-Kernel-Registry
	[Flags()]
	enum RegistryOptions {
	CloseKey = 0x00000001
	QuerySecurityKey = 0x00000002
	SetSecurityKey = 0x00000004
	EnumerateValueKey = 0x00000010
	QueryMultipleValueKey = 0x00000020
	SetInformationKey = 0x00000040
	FlushKey = 0x00000080