This Python script automates the process of generating and inserting a shellcode into a C# file (ASPX-Helper.cs), then compiling it into an executable (ASPX-Helper.exe), which is subsequently run to produce an encoded version of the shellcode. This encoded shellcode is then inserted into an ASP.NET web shell template (webshell_template.aspx). Finally, a Metasploit resource file is created for quickly setting up a multi/handler to receive the reverse HTTPS Meterpreter shell.
This is a script I have made and used for OSEP Challenges and to save time in the Exam.
The script performs the following steps:
- Accepts user-provided LHOST and LPORT values via command line arguments.
- Generates shellcode using msfvenom with the provided LHOST and LPORT values.
- Embeds the generated shellcode into a template ASPX webshell.
- Compiles a helper C# program that aids in the utilization of the shellcode.
- Modifies the helper program to include the shellcode.
- Runs the modified helper program to generate encoded shellcode.
- Embeds the encoded shellcode into a webshell template and saves it as
WebShellFinal.aspx
. - Generates a Metasploit resource file
met64.rc
for handling incoming connections using the generated shellcode.
This script relies on the following software:
- Python 3
- Metasploit Framework
- Mono (for executing .NET applications)
- mcs (Mono C# compiler)
Run the script using Python, providing the LHOST and LPORT values as command line arguments:
python3 aspx_shellcode_generator.py --LHOST your_ip --LPORT your_port
Replace your_ip
and your_port
with your local IP and desired port number respectively.
After the script completes, the generated shellcode, modified helper program, encoded shellcode, final webshell, and Metasploit resource file will be located in the output
directory.
Please note that this tool is for educational purposes and authorized testing only. Always obtain proper permission before performing any kind of penetration testing.
This project is licensed under the MIT License.
xbz0n
This script was inspired by various resources in the penetration testing community.
The use of this script for illegal purposes is strictly prohibited. The author is not responsible for any misuse or damage caused by this script.