The MSIL JIT execution approach demonstrated by Matt Graeber back
in 2013 provides a shellcode injection vector without explicit use
of unmanaged memory or even marshalling the associated primitives.
Port the Util::EXE version from local fork, reduce size, implement
template-based approach with the RandomIdentifier::Generator. Use
conditional evaluation to determine if the address of the target
method is expressed as UInt32 or Int64 since UInt64 (as used in
prior work) does not cast to IntPtr in native 64-bit execution.
Testing:
x86 & x64 payloads against 2008r2 and 2016 x64
Notes:
Migration away from sessions created with this payload crashes
the session, likely due to an incorrect return opcode being thrown
into the interpreter. Need to investigate and stabilize.
Original post @ Exploit Monday:
PowerShell Empire full-fledged ps1: