superuser5

## Entry.c
/*!
 *
 * RPROXICMP
 *
 * GuidePoint Security LLC
 *
 * Threat and Attack Simulation Team
 *
!*/

## Program.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
    // CCOB IS THE GOAT

## DynamicAssemblyLoader.cs
// DynamicAssemblyLoader: A DotNet Assembly Loader using a Dynamic Method and Emitted MSIL Instructions
// Author: @bohops
//
// "Normal" Implementation:
/*
 Assembly assembly = Assembly.Load(assemblyBytes);
 assembly.EntryPoint.Invoke(obj, objArr);
*/

using System;

## grant_full_disk_access.m
@import Darwin;
@import Foundation;
@import MachO;

#import <mach-o/fixup-chains.h>
// you'll need helpers.m from Ian Beer's write_no_write and vm_unaligned_copy_switch_race.m from
// WDBFontOverwrite
// Also, set an NSAppleMusicUsageDescription in Info.plist (can be anything)
#import "helpers.h"
#import "vm_unaligned_copy_switch_race.h"

## foundation.go
// How to build: "CC=clang go build"

package main

import (
	"fmt"
	"net/url"
	"strconv"
	"unsafe"
)

## macos-keylogger.m
// Info:
// Universal macOS keylogger that tracks input locations. It's injected per app as it doesn't require having global keyboard capturing permission

// Compilation:
// gcc -dynamiclib /tmp/keylogger.m -o /tmp/keylogger.dylib -framework Foundation -framework Appkit -arch x86_64 -arch arm64

// Usage:
// DYLD_INSERT_LIBRARIES=/tmp/keylogger.dylib /path/to/app/Contents/MacOS/App

#import <Foundation/Foundation.h>

## ms-msdt.MD

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                superuser5
                / ms-msdt.MD
            
            
              Created
              May 31, 2022 19:05
                — forked from tothi/ms-msdt.MD
            
              
                The MS-MSDT 0-day Office RCE Proof-of-Concept Payload Building Process
              
          
    MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx:

Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.


## wmi_event_consumer_stacking.txt
// run against results from Windows.Persistence.PermanentWMIEvents
// https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml

SELECT ConsumerDetails.Name AS ConsumerName, ConsumerDetails.CommandLineTemplate AS CommandLineTemplate, FilterDetails.Name AS FilterName, FilterDetails.Query AS FilterQuery, count() AS Count FROM source()
// filter common FPs
WHERE ConsumerName != "BVTConsumer"
AND ConsumerName != "SCM Event Log Consumer"
AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer"
AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer"
AND ConsumerName != "CmdLineConsumer_WSCEAA"

## defenderwatch.ps1
$WMI = @{
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
    Action = {
	      #$Global:Data = $Event
        Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
    }
	Namespace = 'root\microsoft\windows\defender'
    SourceIdentifier = "Defender.DisableRealtimeMonitoring"
}
$Null = Register-WMIEvent @WMI

## DynWin32-ReverseShell.ps1
<#

DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls.
The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess.
Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions
from ws2_32.dll.

This script should be used for educational purposes only (and maybe while playing CTF :D).
It was only tested on Windows 10 (x64) and is probably not stable or portable. It's only
purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as
	/*!
	*
	* RPROXICMP
	*
	* GuidePoint Security LLC
	*
	* Threat and Attack Simulation Team
	*
	!*/
	using System;
	using System.Collections.Generic;
	using System.Linq;
	using System.Runtime.CompilerServices;
	using System.Net;
	using System.Reflection;
	using System.Runtime.InteropServices;
	namespace Test
	{
	// CCOB IS THE GOAT
	// DynamicAssemblyLoader: A DotNet Assembly Loader using a Dynamic Method and Emitted MSIL Instructions
	// Author: @bohops
	//
	// "Normal" Implementation:
	/*
	Assembly assembly = Assembly.Load(assemblyBytes);
	assembly.EntryPoint.Invoke(obj, objArr);
	*/

	using System;
	@import Darwin;
	@import Foundation;
	@import MachO;

	#import <mach-o/fixup-chains.h>
	// you'll need helpers.m from Ian Beer's write_no_write and vm_unaligned_copy_switch_race.m from
	// WDBFontOverwrite
	// Also, set an NSAppleMusicUsageDescription in Info.plist (can be anything)
	#import "helpers.h"
	#import "vm_unaligned_copy_switch_race.h"
	// How to build: "CC=clang go build"

	package main

	import (
	"fmt"
	"net/url"
	"strconv"
	"unsafe"
	)
	// Info:
	// Universal macOS keylogger that tracks input locations. It's injected per app as it doesn't require having global keyboard capturing permission

	// Compilation:
	// gcc -dynamiclib /tmp/keylogger.m -o /tmp/keylogger.dylib -framework Foundation -framework Appkit -arch x86_64 -arch arm64

	// Usage:
	// DYLD_INSERT_LIBRARIES=/tmp/keylogger.dylib /path/to/app/Contents/MacOS/App

	#import <Foundation/Foundation.h>
	// run against results from Windows.Persistence.PermanentWMIEvents
	// https://github.com/Velocidex/velociraptor/blob/master/artifacts/definitions/Windows/Persistence/PermanentWMIEvents.yaml

	SELECT ConsumerDetails.Name AS ConsumerName, ConsumerDetails.CommandLineTemplate AS CommandLineTemplate, FilterDetails.Name AS FilterName, FilterDetails.Query AS FilterQuery, count() AS Count FROM source()
	// filter common FPs
	WHERE ConsumerName != "BVTConsumer"
	AND ConsumerName != "SCM Event Log Consumer"
	AND ConsumerName != "DellCommandPowerManagerAlertEventConsumer"
	AND ConsumerName != "DellCommandPowerManagerPolicyChangeEventConsumer"
	AND ConsumerName != "CmdLineConsumer_WSCEAA"
	$WMI = @{
	Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True"
	Action = {
	#$Global:Data = $Event
	Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")"
	}
	Namespace = 'root\microsoft\windows\defender'
	SourceIdentifier = "Defender.DisableRealtimeMonitoring"
	}
	$Null = Register-WMIEvent @WMI
	<#

	DynWin32-ReverseShell.ps1 is a reverse shell based on dynamically looked up Win32 API calls.
	The script uses reflection to obtain access to GetModuleHandle, GetProcAddress and CreateProcess.
	Afterwards it uses GetModuleHandle and GetProcAddress to resolve the required WSA functions
	from ws2_32.dll.

	This script should be used for educational purposes only (and maybe while playing CTF :D).
	It was only tested on Windows 10 (x64) and is probably not stable or portable. It's only
	purpose is to demonstrate the usage of reflective lookups of Win32 API calls. See it as