Skip to content

Instantly share code, notes, and snippets.

View rkornmeyer's full-sized avatar

rkornmeyer

12 followers · 48 following
View GitHub Profile
@rkornmeyer
rkornmeyer / ShellcodeTest.cs
Created October 13, 2021 10:29 — forked from TheWover/ShellcodeTest.cs
Dirty but working C# remote shell code injector. Injects into explorer using the architecture of the platform. Modified from several random sources and cleaned up a bit.
/* Author: TheWover
Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls.
Last Modified: 11/1/2018
*/
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace ShellcodeTest
@rkornmeyer
rkornmeyer / clr_via_native.c
Created April 13, 2018 14:33 — forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@rkornmeyer
rkornmeyer / ExcelXLL.md
Created March 22, 2018 17:22 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@rkornmeyer
rkornmeyer / bash_cheatsheet.md
Created January 18, 2018 17:04 — forked from tmichel/bash_cheatsheet.md
Bash cheat sheet

Shell cheat sheet

Setting up iTerm

  • Use option as meta key:

Go to Preferences->Profiles tab. Select your profile on the left, and then open the Keyboard tab. At the bottom is a set of buttons that lets you select the behavior of the Option key. For most users, Esc+ will be the best choice.

  • Setting up word-by-word movement with Option+:
@rkornmeyer
rkornmeyer / google-dorks
Last active January 16, 2018 21:13 — forked from stevenswafford/google-dorks
Listing of a number of useful Google dorks.
" _ _ "
" _ /|| . . ||\ _ "
" ( } \||D ' ' ' C||/ { % "
" | /\__,=_[_] ' . . ' [_]_=,__/\ |"
" |_\_ |----| |----| _/_|"
" | |/ | | | | \| |"
" | /_ | | | | _\ |"
It is all fun and games until someone gets hacked!
@rkornmeyer
rkornmeyer / README.md
Created January 12, 2018 19:30 — forked from stormpython/README.md
Angular D3 Directives with Elasticsearch
@rkornmeyer
rkornmeyer / gist:ca980cfb23d57e3f9f6e50ee74aa98cf
Created September 14, 2017 16:25 — forked from hfiref0x/gist:59c689a14f1fc2302d858ae0aa3f6b86
CIA Stinger UAC bypass (likely)
DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
@rkornmeyer
rkornmeyer / FileReadPrimitive.ps1
Created August 21, 2017 23:53 — forked from mattifestation/FileReadPrimitive.ps1
A WMI file content read primitive - ROOT/Microsoft/Windows/Powershellv3/PS_ModuleFile
$CimSession = New-CimSession -ComputerName 10.0.0.2
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
@rkornmeyer
rkornmeyer / customers.xml
Created August 18, 2017 13:51
msxsl.exe Proof Of Concept
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="script.xsl" ?>
<customers>
<customer>
<name>John Smith</name>
<address>123 Elm St.</address>
<phone>(123) 456-7890</phone>
</customer>
<customer>
<name>Mary Jones</name>
@rkornmeyer
rkornmeyer / main.py
Created July 7, 2017 12:01 — forked from redteam-cyberark/main.py
DF_GAE
import logging
import urllib
import webapp2
import urllib2
# v1.0.1 - updated to support POST request
# change to your IP
redirector = "(insert you C2 domain here)"