Skip to content

Instantly share code, notes, and snippets.

View mgeeky's full-sized avatar
💭
Wanna sip a sencha?

Mariusz Banach mgeeky

💭
Wanna sip a sencha?
2.3k followers · 95 following
  • Binary-Offensive.com
  • Poland
  • X @mariuszbit
View GitHub Profile
@mgeeky
mgeeky / adodb_stream_for_hta.js
Created March 6, 2023 19:05 — forked from rndomhack/adodb_stream_for_hta.js
Create ADODB.Stream object for HTA (mode IE9, IE10)
var fso = new ActiveXObject("Scripting.FileSystemObject");
var ado = (function() {
if (typeof window === "undefined") {
return new ActiveXObject("ADODB.Stream");
} else {
var _GetObject = (typeof GetObject === "function") ? GetObject : (function() {
var script = window.document.createElement("script");
script.setAttribute("language", "VBScript");
script.innerHTML = "Function GetObjectHelper(name)\nSet GetObjectHelper = GetObject(name)\nEnd Function";
window.document.body.appendChild(script);
@mgeeky
mgeeky / loadlibrary_system.c
Created March 2, 2023 17:57 — forked from rossy/loadlibrary_system.c
Safe LoadLibrary for DLLs that are expected to be in system32
#include <windows.h>
#include <wchar.h>
#define LOAD_LIBRARY_SEARCH_SYSTEM32 (0x00000800)
HMODULE loadlibrary_system(const wchar_t* name)
{
/* If running on Windows 8 or a system with KB2533623, LoadLibraryEx with
LOAD_LIBRARY_SEARCH_SYSTEM32 does the right thing */
if (GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "AddDllDirectory"))
@mgeeky
mgeeky / msteams-token.js
Created January 12, 2023 00:47 — forked from X-C3LL/msteams-token.js
// Obtain teams token - you can reuse it for GoMapEnum for example
// Author: Juan Manuel Fernandez (@TheXC3LL)
const puppeteer = require('puppeteer');
(async () => {
console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n");
const username = process.argv[2];
const password = process.argv[3];
console.log("[*] Using credentials: %s:%s", username, password);
@mgeeky
mgeeky / FreshyCalls-VBA.vba
Created January 12, 2023 00:44 — forked from X-C3LL/FreshyCalls-VBA.vba
Retrieving SSN for syscalling in VBA following FreshyCalls technique
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)
'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/
Private Type LARGE_INTEGER
@mgeeky
mgeeky / PEB.cs
Created October 24, 2022 14:28 — forked from TetteDev/PEB.cs
Unlinking Module from PEB with c# (64bit tested only)
public unsafe static bool UnlinkModuleFromPeb(IntPtr hModule)
{
if (hModule == IntPtr.Zero) return false;
PEB* peb = Get_PEB();
if (peb == null) return false;
LIST_ENTRY* CurrentEntry = peb->Ldr->InLoadOrderModuleList.Flink;
Debug.Assert(CurrentEntry != null);
@mgeeky
mgeeky / gist:a7dd62dd86205ad19c7365037508bb76
Created October 10, 2022 11:15 — forked from ThunderGunExpress/gist:d221b316c94c4b7403f3179292c23ccb
//All credit goes to Ysoserial.net and the great @tiraniddo
//Snippets copied from ysoserial.net
//https://thewover.github.io/Mixed-Assemblies/ - Great read!
//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read
using System;
using System.Collections.Generic;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Reflection;
@mgeeky
mgeeky / fork.c
Created September 25, 2022 12:06 — forked from Cr4sh/fork.c
fork() for Windows
/*
* fork.c
* Experimental fork() on Windows. Requires NT 6 subsystem or
* newer.
*
* Copyright (c) 2012 William Pitcock <nenolod@dereferenced.org>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
@mgeeky
mgeeky / Workstation-Takeover.md
Created September 15, 2022 20:26 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@mgeeky
mgeeky / AMSITools.psm1
Created August 5, 2022 13:05 — forked from mgraeber-rc/AMSITools.psm1
Get-AMSIEvent and Send-AmsiContent are helper functions used to validate AMSI ETW events. Note: because this script contains the word AMSI, it will flag most AV engines. Add an exception on a test system accordingly in order to get this to work.
filter Send-AmsiContent {
<#
.SYNOPSIS
Supplies the AmsiScanBuffer function with a buffer to be scanned by an AMSI provider.
Author: Matt Graeber
Company: Red Canary
.DESCRIPTION
@mgeeky
mgeeky / Caddyfile
Created August 1, 2022 19:16 — forked from byt3bl33d3r/Caddyfile
Caddyfile reverse proxy example for C2 platforms
{
# This instructs Caddy to hit the LetsEncrypt staging endpoint, in production you should remove this.
acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}
(proxy_upstream) {
# Enable access logging to STDOUT
log
# This is our list of naughty client User Agents that we don't want accessing our C2