예제 #1
파일: tool.py 프로젝트: zorroroot/Veil
    def display_payload_options(self, selected_pload, showTitle=True):
        """Print the information screen for ``selected_pload``.

        The title banner is drawn first unless ``showTitle`` is false; the
        payload details themselves are printed by ``self.payload_info``.
        """
        if showTitle:
            evasion_helpers.title_screen()
        self.payload_info(selected_pload)
예제 #2
파일: tool.py 프로젝트: Veil-Framework/Veil
    def display_payload_options(self, selected_pload, showTitle=True):
        """Print the information screen for ``selected_pload``.

        The title banner is drawn first unless ``showTitle`` is false; the
        payload details themselves are printed by ``self.payload_info``.
        """
        if showTitle:
            evasion_helpers.title_screen()
        self.payload_info(selected_pload)
예제 #3
파일: tool.py 프로젝트: zorroroot/Veil
    def tool_main_menu(self):
        """Run the interactive menu loop until the user leaves it.

        Every pass re-installs tab completion, redraws the menu when needed,
        reads one command line and dispatches on its prefix.  ``back``,
        ``main`` and ``menu`` return to the caller; ``exit`` and ``quit``
        terminate the process with status 0.
        """

        def report_bad_selection(example_line):
            # Shared error output for the ``info`` and ``use`` commands.
            print()
            print(helpers.color(" [!] ERROR: You did not provide a valid payload selection!", warning=True))
            print(helpers.color(example_line, warning=True))
            print()

        redraw_menu = True
        while True:
            # Other modules sometimes replace the completer, so ours is
            # installed again before every prompt.
            menu_completer = completer.MainMenuCompleter(self.evasion_main_menu_commands, self.active_payloads)
            readline.set_completer_delims(' \t\n;')
            readline.parse_and_bind("tab: complete")
            readline.set_completer(menu_completer.complete)

            if redraw_menu:
                evasion_helpers.title_screen()
                print("Veil-Evasion Menu")
                print("\n\t" + helpers.color(len(self.active_payloads)) + " payloads loaded\n")
                print("Available Commands:\n")
                for name in sorted(self.evasion_main_menu_commands.keys()):
                    print("\t" + helpers.color(name) + '\t\t\t' + self.evasion_main_menu_commands[name])
                print()
                redraw_menu = False

            command_line = input('Veil/Evasion>: ').strip().lower()
            words = command_line.split()

            # Commands are matched by prefix, in this fixed order.
            if command_line.startswith(("back", "main", "menu")):
                break

            if command_line.startswith("checkvt"):
                self.check_vt()
                continue

            if command_line.startswith("clean"):
                self.clean_artifacts()
                continue

            if command_line.startswith(("exit", "quit")):
                sys.exit(0)

            if command_line.startswith('info'):
                # Exactly one argument is accepted: a payload number or path.
                module = self.return_payload_object(words[1]) if len(words) == 2 else None
                if module:
                    self.print_options_screen(module)
                else:
                    report_bad_selection(" [*] Ex: info 2 OR info lua/shellcode_inject/flat.py")
                continue

            if command_line.startswith('list'):
                evasion_helpers.title_screen()
                self.list_loaded_payloads()
                continue

            if command_line.startswith('use'):
                module = self.return_payload_object(words[1].lower()) if len(words) == 2 else None
                if module:
                    self.use_payload(module)
                    # The payload screen replaced the menu, so show it again.
                    redraw_menu = True
                else:
                    report_bad_selection(" [*] Ex: use 2 OR use lua/shellcode_inject/flat.py")
        return
예제 #4
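    def payload_selection_menu(self, showTitle=True):
        """
        Ask where the shellcode for this payload should come from.

        The choice is taken from ``self.required_options['SHELLCODE'][0]`` when
        that lookup succeeds; otherwise the user is prompted for it.

        Returns:
            ``'ordnance'`` for option 1, an empty answer or an unrecognised
            answer; ``None`` for option 2 (msfvenom) and whenever the file for
            option 4 or 5 cannot be read or is empty; otherwise a string of
            backslash-x hex escapes (options 4 and 5) or the text the user
            typed for option 3, returned as entered (it may be empty).
        """

        def _prompt_for_path(prompt):
            # Path completion is only wanted while this one prompt is active.
            path_completer = completer.PathCompleter()

            # we want to treat '/' as part of a word, so override the delimiters
            readline.set_completer_delims(' \t\n;')
            readline.parse_and_bind("tab: complete")
            readline.set_completer(path_completer.complete)
            try:
                return input(prompt)
            finally:
                # The original cleanup sat after the return statements and was
                # never reached; remove the completer as soon as the prompt ends.
                readline.set_completer(None)

        # print out the main title to reset the interface
        if showTitle:
            evasion_helpers.title_screen()

        print(' [?] Generate or supply custom shellcode?\n')
        print('     %s - Ordnance %s' % (helpers.color('1'), helpers.color('(default)', yellow=True)))
        print('     %s - MSFVenom' % (helpers.color('2')))
        print('     %s - custom shellcode string' % (helpers.color('3')))
        print('     %s - file with shellcode (\\x41\\x42..)' % (helpers.color('4')))
        print('     %s - binary file with shellcode\n' % helpers.color('5'))

        try:
            choice = self.required_options['SHELLCODE'][0].lower().strip()
            print(" [>] Please enter the number of your choice: %s" % (choice))
        except Exception:
            # No usable preset: fall back to asking.  ``Exception`` rather than
            # a bare ``except`` so Ctrl-C and SystemExit are not swallowed.
            choice = input(" [>] Please enter the number of your choice: ").strip()

        if choice == '4':
            filePath = _prompt_for_path(" [>] Please enter the path to your shellcode file: ")

            try:
                with open(filePath, 'r') as shellcode_file:
                    file_shellcode = shellcode_file.read().strip()
            except (OSError, ValueError):
                # OSError: missing/unreadable path; ValueError: undecodable
                # text or an invalid path string.
                print(helpers.color(" [!] WARNING: path not found, defaulting to msfvenom!", warning=True))
                return None

            if len(file_shellcode) == 0:
                print(helpers.color(" [!] WARNING: no custom shellcode restrieved, defaulting to msfvenom!", warning=True))
                return None

            # check if the shellcode was passed in as string-escaped form
            if file_shellcode[0:2] == "\\x" and file_shellcode[4:6] == "\\x":
                return file_shellcode

            # Otherwise hex-encode the content.  hexlify() takes and returns
            # bytes, so convert on the way in and out (passing the str straight
            # through raised TypeError).
            # NOTE(review): the file was decoded as text when read, so bytes
            # that are not valid text do not survive this path; option 5 reads
            # the file in binary mode.
            hexString = binascii.hexlify(file_shellcode.encode('utf-8')).decode('ascii')
            return "\\x" + "\\x".join(hexString[i:i + 2] for i in range(0, len(hexString), 2))

        elif choice == '5':
            filePath = _prompt_for_path(" [>] Please enter the path to your binary file: ")

            try:
                with open(filePath, 'rb') as shellcode_file:
                    file_shellcode = shellcode_file.read()
            except (OSError, ValueError):
                print(helpers.color(" [!] WARNING: path not found, defaulting to msfvenom!", warning=True))
                return None

            if len(file_shellcode) == 0:
                print(helpers.color(" [!] WARNING: no custom shellcode restrieved, defaulting to msfvenom!", warning=True))
                return None

            # Iterating bytes yields ints; render each as a two-digit hex escape.
            return "".join("\\x%02x" % byte for byte in file_shellcode)

        elif choice == '3' or choice == 'string':
            # if the shellcode is specified as a string
            cust_sc = input(" [>] Please enter custom shellcode (one line, no quotes, \\x00.. format): ")
            if len(cust_sc) == 0:
                print(helpers.color(" [!] WARNING: no shellcode specified, defaulting to msfvenom!", warning=True))
            return cust_sc

        elif choice == '' or choice == '1' or choice.lower() == 'veil-ordnance' or choice.lower() == 'ordnance':
            return 'ordnance'

        elif choice == '2' or choice.lower() == 'msf' or choice.lower() == 'metasploit' or choice.lower() == 'msfvenom':
            return None

        else:
            print(helpers.color(" [!] WARNING: Invalid option chosen, defaulting to Ordnance!", warning=True))
            return 'ordnance'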
예제 #5
파일: outfile.py 프로젝트: boogie77/Veil
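def compiler(payload_object, invoked=False, cli_object=None):
    """Write the generated source to disk and build it where a toolchain exists.

    Args:
        payload_object: payload module instance; this function reads its
            ``payload_source_code``, ``language``, ``extension`` and
            ``required_options`` attributes.
        invoked: True when driven from the command line.  The output base
            name is then first taken from ``cli_object.o`` and the Python
            compile method from ``cli_object.compiler``, and the closing
            "Hit enter" pause is skipped.
        cli_object: parsed command-line options; only consulted when
            ``invoked`` is true.

    Returns:
        False when there is no source code or the language is not recognised,
        True otherwise (including when an external build produced no file).
    """
    # Function-scope import: only needed to quote paths for os.system().
    import shlex

    # Check the source code to ensure it is present
    if payload_object.payload_source_code == '':
        print(helpers.color("\n [!] ERROR: No payload source code provided.\n", warning=True))
        return False

    # print title bar
    evasion_helpers.title_screen()

    name_prompt = ' [>] Please enter the base name for output files (default is payload): '
    if not invoked:
        # Determine the file name to use for output
        file_name = input(name_prompt).strip()
    else:
        file_name = cli_object.o

    # Basic checks on input: only path separators are rejected here.
    while file_name != '' and ("\\" in file_name or "/" in file_name):
        print(helpers.color("\nPlease provide a base name, not a path, for the output base\n", warning=True))
        file_name = input(name_prompt).strip()

    # If no base name, set it to be payload
    if file_name == '':
        file_name = 'payload'

    # run check to make sure file doesn't exist, if it does
    # provide a new filename
    file_name = find_file_name(file_name, payload_object)
    source_code_filepath = settings.PAYLOAD_SOURCE_PATH + file_name + "." + payload_object.extension
    # Used when outputting exe files, go figure
    executable_filepath = settings.PAYLOAD_COMPILED_PATH + file_name + ".exe"

    # file_name is operator-supplied and only screened for path separators
    # above, so every path derived from it is shell-quoted before it is placed
    # on an os.system() command line.  shlex.quote() returns ordinary names
    # unchanged.  Both paths are also handed to open()/os.path.isfile() as-is,
    # so they cannot be relying on shell expansion.
    quoted_source = shlex.quote(source_code_filepath)
    quoted_executable = shlex.quote(executable_filepath)

    def _wants_exe():
        # Looked up lazily: only some payload languages are asked for it.
        return payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y'

    def _report_executable():
        # Shared post-build check for the toolchains that write executable_filepath.
        if os.path.isfile(executable_filepath):
            hash_executable(executable_filepath, file_name)
            print_payload_information(payload_object)
            print(" [*] Executable written to: " + helpers.color(executable_filepath))
        else:
            print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))

    # Compare by value; "is not" on string literals tests object identity and
    # only worked when both strings happened to be interned.
    if payload_object.language != "native" and payload_object.extension != "war":
        with open(source_code_filepath, 'w') as source_file:
            source_file.write(payload_object.payload_source_code)

    if payload_object.language == 'python':
        if not invoked:
            compile_method = ""
        else:
            compile_method = cli_object.compiler
        # Check extension for war or normal python file
        if payload_object.extension == 'py':
            if settings.OPERATING_SYSTEM == "Windows":
                compile_method = 'py2exe'
            elif _wants_exe() and not invoked:
                print()
                evasion_helpers.title_screen()
                print()
                # if we have a linux distro, continue...
                # Determine if the user wants Pyinstaller or Py2Exe.
                print(' [?] How would you like to create your payload executable?\n')
                print('     %s - Pyinstaller %s' % (helpers.color('1'), helpers.color('(default)', yellow=True)))
                print('     %s - Py2Exe\n' % (helpers.color('2')))

                user_compile_choice = input(" [>] Please enter the number of your choice: ")
                # Anything other than "2" (including an empty answer) means PyInstaller.
                compile_method = "py2exe" if user_compile_choice == "2" else "pyinstaller"

            if compile_method == 'py2exe' and _wants_exe():
                # Generate setup.py File for Py2Exe
                with open(settings.PAYLOAD_SOURCE_PATH + '/setup.py', 'w') as setup_file:
                    setup_file.write("from distutils.core import setup\n")
                    setup_file.write("import py2exe, sys, os\n\n")
                    setup_file.write("setup(\n")
                    setup_file.write("\toptions = {'py2exe': {'bundle_files': 1}},\n")
                    setup_file.write("\tzipfile = None,\n")
                    # repr() emits a correctly escaped Python string literal, so a
                    # quote character in the name cannot break out of the list.
                    setup_file.write("\twindows=[" + repr(file_name + ".py") + "]\n")
                    setup_file.write(")")

                # Generate Batch script for Compiling on Windows Using Py2Exe
                with open(settings.PAYLOAD_SOURCE_PATH + '/runme.bat', 'w') as runme_file:
                    runme_file.write('rem Batch Script for compiling python code into an executable\n')
                    runme_file.write('rem on windows with py2exe\n')
                    runme_file.write('rem Usage: Drop into your Python folder and click, or anywhere if Python is in your system path\n\n')
                    runme_file.write("python setup.py py2exe\n")
                    runme_file.write('cd dist\n')
                    # NOTE(review): file_name goes into the batch file unquoted;
                    # cmd.exe metacharacters in the name would be interpreted
                    # when the script is later run.
                    runme_file.write('move ' + file_name + '.exe ../\n')
                    runme_file.write('cd ..\n')
                    runme_file.write('rmdir /S /Q build\n')
                    runme_file.write('rmdir /S /Q dist\n')

                print()
                evasion_helpers.title_screen()
                print()
                print_payload_information(payload_object)
                print(helpers.color("\npy2exe files 'setup.py' and 'runme.bat' written to:\n" + settings.PAYLOAD_SOURCE_PATH + "\n"))

            else:
                if _wants_exe():
                    # Used for PyInstaller standard
                    # copy the pyinstaller runw to maintain its integrity in the event
                    # pwnstaller is added in for python3 - this will future proof it
                    runw_path = settings.VEIL_PATH + '/tools/evasion/evasion_common/tools/runw.orig.exe'
                    os.system("cp " + runw_path + " " + settings.PYINSTALLER_PATH + "/PyInstaller/bootloader/Windows-32bit/runw.exe")

                    # Validate python is installed in wine
                    if not os.path.isfile(settings.WINEPREFIX + 'drive_c/Python34/python.exe'):
                        print(helpers.color("\n [!] ERROR: Can't find python.exe in " + os.path.expanduser(settings.WINEPREFIX + 'drive_c/Python34/'), warning=True))
                        print(helpers.color(" [!] ERROR: Make sure the python.exe binary exists before using PyInstaller.", warning=True))
                        sys.exit(1)

                    random_key = evasion_helpers.randomString()
                    os.system(
                        'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' +
                        settings.WINEPREFIX + '/drive_c/Python34/python.exe' + ' ' +
                        os.path.expanduser(settings.PYINSTALLER_PATH + '/pyinstaller.py') +
                        ' --onefile --noconsole --key ' + random_key +
                        ' ' + quoted_source)

                    print()
                    evasion_helpers.title_screen()
                    print()

                    # PyInstaller writes into ./dist; move the result into place.
                    built_path = 'dist/' + file_name + ".exe"
                    if os.path.isfile(built_path):
                        os.system('mv ' + shlex.quote(built_path) + ' ' + settings.PAYLOAD_COMPILED_PATH)
                        hash_executable(executable_filepath, file_name)
                        print_payload_information(payload_object)
                        print(" [*] Executable written to: " + helpers.color(settings.PAYLOAD_COMPILED_PATH + file_name + ".exe"))
                    else:
                        print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))

                    # Remove PyInstaller's working files from the current directory.
                    os.system('rm -rf dist')
                    os.system('rm -rf build')
                    os.system('rm -f *.spec')
                    os.system('rm -f logdict*.*')
                print(" [*] Source code written to: " + helpers.color(source_code_filepath))

        elif payload_object.extension == 'war':
            path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
            with open(path_here, 'wb') as source_file:
                source_file.write(payload_object.payload_source_code)
            # Ensure that war file was written to disk
            if os.path.isfile(path_here):
                hash_executable(path_here, file_name)
                print_payload_information(payload_object)
                # Report the path that was actually written; the source path
                # is never created for WAR output.
                print(" [*] WAR file written to: " + helpers.color(path_here))
            else:
                print(helpers.color(" [!] ERROR: Unable to create WAR file.", warning=True))

        else:
            print(helpers.color(" [!] ERROR: Invalid python extension in payload module.\n", warning=True))

    elif payload_object.language == 'ruby':
        if _wants_exe():
            os.system(
                'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' +
                settings.WINEPREFIX + '/drive_c/Ruby187/bin/ruby.exe ' +
                settings.WINEPREFIX + '/drive_c/Ruby187/bin/ocra --windows ' +
                quoted_source + ' --output ' + quoted_executable +
                ' ' + settings.WINEPREFIX +
                '/drive_c/Ruby187/lib/ruby/gems/1.8/gems/win32-api-1.4.8-x86-mingw32/lib/win32/*')

            print()
            evasion_helpers.title_screen()
            print()

            _report_executable()
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'powershell':
        print()
        evasion_helpers.title_screen()
        print()
        print_payload_information(payload_object)
        print(" [*] PowerShell doesn't compile, so you just get text :)")
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'perl':
        print_payload_information(payload_object)
        print("\nPerl can't currently be compiled in Linux. Install on Windows:")
        print("https://www.veil-framework.com/perl-of-no-hope-january-v-day-2016/")
        print("Command: pp -gui -o <executablename> <sourcecodefile.pl>")
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'native':
        # set path for native payload executable output
        path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
        with open(path_here, 'wb') as source_file:
            source_file.write(payload_object.payload_source_code)
        # Ensure executables was written to disk
        if os.path.isfile(path_here):
            hash_executable(path_here, file_name)
            print_payload_information(payload_object)
            print(" [*] Executable written to: " + helpers.color(path_here))
        else:
            print(helpers.color(" [!] ERROR: Unable to create Exe file.", warning=True))

    elif payload_object.language == 'lua':
        print_payload_information(payload_object)
        print(" [*] Lua currently doesn't compile in linux, so you just get text :)")
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'go':
        if _wants_exe():
            # Compile go payload
            os.system(
                'env GOROOT={0} GOOS=windows GOARCH=386 {0}/bin/go build -ldflags "-s -w -H=windowsgui" -v -o {1} {2}'
                .format(settings.GOLANG_PATH, quoted_executable, quoted_source))

            print()
            evasion_helpers.title_screen()
            print()

            _report_executable()
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'cs':
        if _wants_exe():
            # Compile our CS code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
            os.system('mcs -platform:x86 -target:winexe ' + quoted_source + ' -out:' + quoted_executable)

            print()
            evasion_helpers.title_screen()
            print()

            _report_executable()
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'c':
        if _wants_exe():
            # Compile our C code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
            os.system('i686-w64-mingw32-gcc -Wl,-subsystem,windows ' + quoted_source + ' -o ' + quoted_executable + " -lwsock32")

            print()
            evasion_helpers.title_screen()
            print()

            _report_executable()
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'autoit':
        if _wants_exe():
            # Compile autoit code.  The backslash is doubled so the literal no
            # longer relies on an invalid escape sequence; the value is unchanged.
            os.system(
                'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' +
                settings.WINEPREFIX +
                'drive_c/Program\\ Files/AutoIt3/Aut2Exe/Aut2exe.exe /in ' +
                quoted_source + ' /out ' + quoted_executable +
                ' /comp 2 /nopack')

            _report_executable()
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    else:
        print(helpers.color("\n [!] ERROR: Invalid payload language in payload module.\n", warning=True))
        return False

    if invoked:
        handler_code_generator(payload_object, file_name, invoked=True, cli_obj=cli_object)
    else:
        handler_code_generator(payload_object, file_name)

    if os.path.isfile(settings.HANDLER_PATH + file_name + '.rc'):
        print(" [*] Metasploit Resource file written to: " + helpers.color(settings.HANDLER_PATH + file_name + '.rc'))

    if not invoked:
        # Pause so the interactive user can read the summary.
        input('\nHit enter to continue...\n')

    return True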
예제 #6
파일: tool.py 프로젝트: boogie77/Veil
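    def cli_menu(self, invoked=False):
        """Generate a payload from ``self.command_options`` without prompting.

        Validates the command-line selection, copies host, port, shellcode and
        ``-c KEY=VALUE`` settings into the chosen payload, generates it and
        hands it to ``outfile.compiler``.  Validation failures print an error
        and call ``sys.exit()``; a missing ``-p`` only prints an error and
        returns.  ``invoked`` is accepted but not used in this body.
        """
        evasion_helpers.title_screen()

        # --list-payloads
        if self.command_options.list_payloads:
            self.list_loaded_payloads()
            sys.exit()

        # Missing -p ?
        if not self.command_options.p:
            print(helpers.color(" [!] ERROR: Missing --payload selection (-p <payload>).    Try: -t Evasion --list-payloads", warning=True))
            return

        user_cli_payload = self.return_payload_object(self.command_options.p)
        if not user_cli_payload:
            print(helpers.color(" [!] ERROR: You did not provide a valid payload selection!", warning=True))
            print(helpers.color(" [*] Ex: info 2 OR info lua/shellcode_inject/flat.py", warning=True))
            sys.exit()

        # The payload's module path decides which options are mandatory.
        uses_meterpreter = "meterpreter" in user_cli_payload.path
        uses_shellcode = "shellcode_inject" in user_cli_payload.path

        if self.command_options.ip is None and (uses_meterpreter or uses_shellcode):
            print(helpers.color(" [!] ERROR: You did not provide an IP/domain to connect to/bind on", warning=True))
            sys.exit()

        # Make sure IP is valid
        # --ip
        if self.command_options.ip is not None:
            valid_ip = helpers.validate_ip(self.command_options.ip)
            valid_hostname = helpers.validate_hostname(self.command_options.ip)

            if not valid_ip and not valid_hostname:
                print(helpers.color(" [!] ERROR: You did not provide a valid ip/domain!", warning=True))
                print(helpers.color("[*] Please specify the correct value", warning=True))
                sys.exit()

        # Determine if using Ordnance or MSFVenom for shellcode generation
        if self.command_options.ordnance_payload is None and self.command_options.msfvenom is None and not uses_meterpreter:
            print(helpers.color(" [!] ERROR: You did not provide a shellcode option to use!", warning=True))
            sys.exit()

        if uses_meterpreter:
            # Check for where the IP is being stored
            if "LHOST" in user_cli_payload.required_options:
                user_cli_payload.required_options["LHOST"][0] = self.command_options.ip
            elif "RHOST" in user_cli_payload.required_options:
                user_cli_payload.required_options["RHOST"][0] = self.command_options.ip
            # Store the LPORT value in the payload
            if "LPORT" in user_cli_payload.required_options:
                user_cli_payload.required_options["LPORT"][0] = self.command_options.port
        elif uses_shellcode:
            # The check above guarantees one of the two generators was chosen.
            if self.command_options.ordnance_payload is not None:
                Ordnance_object = ordnance_import.Tools(self.command_options)
                Ordnance_object.cli_menu(invoked=True)
                cli_shellcode = Ordnance_object.final_shellcode
            elif self.command_options.msfvenom is not None:
                cli_shellcode = shellcode_help.cli_msf_shellcode_gen(self.command_options)

            # Set the shellcode in the Evasion payload
            user_cli_payload.cli_shellcode = cli_shellcode

        # Loop over setting required options
        # -c
        if self.command_options.c is not None:
            for payload_option in self.command_options.c:
                # Compare by value: "is not ''" tested object identity.
                if payload_option == '':
                    continue
                if "=" not in payload_option:
                    print(helpers.color(" [!] Payload option not entered in correct syntax.\n", warning=True))
                    sys.exit()
                # Split on the first '=' only, so a value that itself contains
                # '=' is kept whole instead of being cut at the second one.
                key, _, value = payload_option.partition('=')
                key = key.upper()
                if key not in user_cli_payload.required_options:
                    print(helpers.color(" [!] The option " + key + " does not exist for the selected payload!.\n", warning=True))
                    sys.exit()
                user_cli_payload.required_options[key][0] = value

        # Generate the payload code
        user_cli_payload.generate()

        # figure out how to compile the code
        outfile.compiler(user_cli_payload, invoked=True, cli_object=self.command_options)
        return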
예제 #7
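def _report_compiled_executable(payload_object, executable_filepath, file_name):
    """Hash and announce a built executable, or warn when the build left no file."""
    if os.path.isfile(executable_filepath):
        hash_executable(executable_filepath, file_name)
        print_payload_information(payload_object)
        print(" [*] Executable written to: " + helpers.color(executable_filepath))
    else:
        print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))


def compiler(payload_object, invoked=False, cli_object=None):
    """Write a generated payload's source to disk and build it where a toolchain applies.

    Args:
        payload_object: payload module instance. This function reads its
            ``payload_source_code``, ``language``, ``extension`` and
            ``required_options['COMPILE_TO_EXE']``.
        invoked: True when driven from the command line; the output name and
            the Python compile method are then taken from ``cli_object``
            instead of interactive prompts.
        cli_object: parsed command-line options; ``o`` and ``compiler`` are
            read when ``invoked`` is set.

    Returns:
        False when no source code is present or the payload language is not
        recognised. True otherwise, including when a build step fails and
        only a warning is printed.

    Exits the process with status 1 if the PyInstaller path is taken and
    python.exe is missing from the Wine prefix.
    """
    # Function-scope import so the block carries its own dependency.
    import shlex

    # Check the source code to ensure it is present
    if payload_object.payload_source_code == '':
        print(helpers.color("\n [!] ERROR: No payload source code provided.\n", warning=True))
        return False

    # print title bar
    evasion_helpers.title_screen()

    if not invoked:
        # Determine the file name to use for output
        file_name = input(' [>] Please enter the base name for output files (default is payload): ').strip()
    else:
        file_name = cli_object.o

    # Only a bare name is accepted: anything containing a path separator is
    # rejected, since the name is appended to the configured output paths.
    # NOTE(review): a bad name passed with invoked=True also lands in this
    # interactive prompt, which blocks a non-interactive run.
    while file_name != '' and ("\\" in file_name or "/" in file_name):
        print(helpers.color("\nPlease provide a base name, not a path, for the output base\n", warning=True))
        file_name = input(' [>] Please enter the base name for output files (default is payload): ').strip()

    # If no base name, set it to be payload
    if file_name == '':
        file_name = 'payload'

    # run check to make sure file doesn't exist, if it does
    # provide a new filename
    file_name = find_file_name(file_name, payload_object)
    source_code_filepath = settings.PAYLOAD_SOURCE_PATH + file_name + "." + payload_object.extension
    # Used when outputting exe files, go figure
    executable_filepath = settings.PAYLOAD_COMPILED_PATH + file_name + ".exe"

    # Every build command below goes through os.system (a shell), so the
    # paths derived from the user-supplied name are quoted before being
    # spliced into a command line. Names made of ordinary characters come
    # out of shlex.quote unchanged.
    quoted_source = shlex.quote(source_code_filepath)
    quoted_executable = shlex.quote(executable_filepath)

    # Compare by value: `is not` against a string literal tests object
    # identity and only works when the interpreter happens to intern both.
    if payload_object.language != "native" and payload_object.extension != "war":
        with open(source_code_filepath, 'w') as source_file:
            source_file.write(payload_object.payload_source_code)

    if payload_object.language == 'python':
        if not invoked:
            compile_method = ""
        else:
            compile_method = cli_object.compiler
        # Check extension for war or normal python file
        if payload_object.extension == 'py':
            compile_to_exe = payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y'

            if settings.OPERATING_SYSTEM == "Windows":
                compile_method = 'py2exe'
            elif compile_to_exe and not invoked:
                evasion_helpers.title_screen()
                # if we have a linux distro, continue...
                # Determine if the user wants PyInstaller or Py2Exe.
                print(' [?] How would you like to create your payload executable?\n')
                print('     %s - PyInstaller %s' % (helpers.color('1'), helpers.color('(default)', yellow=True)))
                print('     %s - Py2Exe\n' % (helpers.color('2')))

                user_compile_choice = input(" [>] Please enter the number of your choice: ")
                # Anything other than "2" (including an empty answer) means PyInstaller
                compile_method = "py2exe" if user_compile_choice == "2" else "pyinstaller"

            if compile_method == 'py2exe' and compile_to_exe:
                # Generate setup.py File for Py2Exe
                with open(settings.PAYLOAD_SOURCE_PATH + '/setup.py', 'w') as setup_file:
                    setup_file.write("from distutils.core import setup\n")
                    setup_file.write("import py2exe, sys, os\n\n")
                    setup_file.write("setup(\n")
                    setup_file.write("\toptions = {'py2exe': {'bundle_files': 1}},\n")
                    setup_file.write("\tzipfile = None,\n")
                    # repr() emits a valid Python string literal even when
                    # the name contains a quote character
                    setup_file.write("\twindows=[" + repr(file_name + ".py") + "]\n")
                    setup_file.write(")")

                # Generate Batch script for Compiling on Windows Using Py2Exe
                # NOTE(review): file_name is written into the batch file
                # unquoted; names with spaces or cmd metacharacters will not
                # behave as a single argument there.
                with open(settings.PAYLOAD_SOURCE_PATH + '/runme.bat', 'w') as runme_file:
                    runme_file.write('rem Batch Script for compiling python code into an executable\n')
                    runme_file.write('rem on windows with py2exe\n')
                    runme_file.write('rem Usage: Drop into your Python folder and click, or anywhere if Python is in your system path\n\n')
                    runme_file.write("python setup.py py2exe\n")
                    runme_file.write('cd dist\n')
                    runme_file.write('move ' + file_name + '.exe ../\n')
                    runme_file.write('cd ..\n')
                    runme_file.write('rmdir /S /Q build\n')
                    runme_file.write('rmdir /S /Q dist\n')

                evasion_helpers.title_screen()
                print_payload_information(payload_object)
                print(helpers.color("\npy2exe files 'setup.py' and 'runme.bat' written to:\n" + settings.PAYLOAD_SOURCE_PATH + "\n"))

            else:
                if compile_to_exe:
                    # Used for PyInstaller standard
                    # copy the pyinstaller runw to maintain its integrity in the event
                    # pwnstaller is added in for python3 - this will future proof it
                    runw_path = settings.VEIL_PATH + '/tools/evasion/evasion_common/tools/runw.orig.exe'
                    os.system('cp ' + runw_path + ' ' + settings.PYINSTALLER_PATH + 'PyInstaller/bootloader/Windows-32bit/runw.exe')

                    # Validate python is installed in wine
                    if not os.path.isfile(settings.WINEPREFIX + 'drive_c/Python34/python.exe'):
                        print(helpers.color("\n [!] ERROR: Can't find python.exe in " + os.path.expanduser(settings.WINEPREFIX + 'drive_c/Python34/'), warning=True))
                        print(helpers.color(" [!] ERROR: Make sure the python.exe binary exists before using PyInstaller.", warning=True))
                        sys.exit(1)

                    random_key = evasion_helpers.randomString()
                    os.system('WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + '/drive_c/Python34/python.exe' + ' ' + os.path.expanduser(settings.PYINSTALLER_PATH + '/pyinstaller.py') + ' --onefile --noconsole --key ' + random_key + ' ' + quoted_source)

                    evasion_helpers.title_screen()

                    # PyInstaller leaves its result in ./dist relative to the
                    # current working directory
                    built_executable = 'dist/' + file_name + ".exe"
                    if os.path.isfile(built_executable):
                        os.system('mv ' + shlex.quote(built_executable) + ' ' + settings.PAYLOAD_COMPILED_PATH)
                        hash_executable(executable_filepath, file_name)
                        print_payload_information(payload_object)
                        print(" [*] Executable written to: " + helpers.color(settings.PAYLOAD_COMPILED_PATH + file_name + ".exe"))
                    else:
                        print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))

                    # Remove the build artefacts from the working directory
                    os.system('rm -rf dist')
                    os.system('rm -rf build')
                    os.system('rm -f *.spec')
                    os.system('rm -f logdict*.*')
                print(" [*] Source code written to: " + helpers.color(source_code_filepath))

        elif payload_object.extension == 'war':
            path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
            with open(path_here, 'wb') as source_file:
                source_file.write(payload_object.payload_source_code)
            # Ensure that war file was written to disk
            if os.path.isfile(path_here):
                hash_executable(path_here, file_name)
                print_payload_information(payload_object)
                # Report the path that was actually written; no file is
                # created at source_code_filepath for a WAR payload.
                print(" [*] WAR file written to: " + helpers.color(path_here))
            else:
                print(helpers.color(" [!] ERROR: Unable to create WAR file.", warning=True))

        else:
            print(helpers.color(" [!] ERROR: Invalid python extension in payload module.\n", warning=True))

    elif payload_object.language == 'ruby':
        if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
            # The trailing win32/* glob is left unquoted on purpose so the shell expands it
            os.system('WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + '/drive_c/Ruby187/bin/ruby.exe ' + settings.WINEPREFIX + '/drive_c/Ruby187/bin/ocra --windows ' + quoted_source + ' --output ' + quoted_executable + ' ' + settings.WINEPREFIX + '/drive_c/Ruby187/lib/ruby/gems/1.8/gems/win32-api-1.4.8-x86-mingw32/lib/win32/*')

            evasion_helpers.title_screen()
            _report_compiled_executable(payload_object, executable_filepath, file_name)
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'powershell':
        evasion_helpers.title_screen()
        print_payload_information(payload_object)
        print(" [*] PowerShell doesn't compile, so you just get text :)")
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'perl':
        print_payload_information(payload_object)
        print("\nPerl can't currently be compiled in Linux. Install on Windows:")
        print("https://www.veil-framework.com/perl-of-no-hope-january-v-day-2016/")
        print("Command: pp -gui -o <executablename> <sourcecodefile.pl>")
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'native':
        # set path for native payload executable output
        path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
        with open(path_here, 'wb') as source_file:
            source_file.write(payload_object.payload_source_code)
        # Ensure executables was written to disk
        if os.path.isfile(path_here):
            hash_executable(path_here, file_name)
            print_payload_information(payload_object)
            print(" [*] Executable written to: " + helpers.color(path_here))
        else:
            print(helpers.color(" [!] ERROR: Unable to create Exe file.", warning=True))

    elif payload_object.language == 'lua':
        print_payload_information(payload_object)
        print(" [*] Lua currently doesn't compile in linux, so you just get text :)")
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'go':
        if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
            # Compile go payload
            os.system('env GOROOT={0} GOOS=windows GOARCH=386 {0}/bin/go build -ldflags "-s -w -H=windowsgui" -v -o {1} {2}'.format(settings.GOLANG_PATH, quoted_executable, quoted_source))

            evasion_helpers.title_screen()
            _report_compiled_executable(payload_object, executable_filepath, file_name)
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'cs':
        if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
            # Compile our CS code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
            os.system('mcs -platform:x86 -target:winexe ' + quoted_source + ' -out:' + quoted_executable)

            evasion_helpers.title_screen()
            _report_compiled_executable(payload_object, executable_filepath, file_name)
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'c':
        if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
            # Compile our C code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
            os.system('i686-w64-mingw32-gcc -Wl,-subsystem,windows ' + quoted_source + ' -o ' + quoted_executable + " -lwsock32")

            evasion_helpers.title_screen()
            _report_compiled_executable(payload_object, executable_filepath, file_name)
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    elif payload_object.language == 'autoit':
        if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
            # Compile autoit code. The backslash before the space is doubled
            # so Python emits it literally for the shell instead of relying
            # on an unrecognised "\ " escape.
            os.system('WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + 'drive_c/Program\\ Files/AutoIt3/Aut2Exe/Aut2exe.exe /in ' + quoted_source + ' /out ' + quoted_executable + ' /comp 2 /nopack')

            # Unlike the other compiled languages, no title screen is drawn here
            _report_compiled_executable(payload_object, executable_filepath, file_name)
        print(" [*] Source code written to: " + helpers.color(source_code_filepath))

    else:
        print(helpers.color("\n [!] ERROR: Invalid payload language in payload module.\n", warning=True))
        return False

    if invoked:
        handler_code_generator(payload_object, file_name, invoked=True, cli_obj=cli_object)
    else:
        handler_code_generator(payload_object, file_name)

    if os.path.isfile(settings.HANDLER_PATH + file_name + '.rc'):
        print(" [*] Metasploit Resource file written to: " + helpers.color(settings.HANDLER_PATH + file_name + '.rc'))

    if not invoked:
        # Pause so the interactive user can read the summary
        input('\nHit enter to continue...\n')

    return True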
예제 #8
파일: tool.py 프로젝트: Veil-Framework/Veil
    def tool_main_menu(self):
        """Run the interactive Veil-Evasion menu loop until the user leaves it.

        Each pass re-registers tab completion, redraws the menu when needed,
        reads one command and dispatches on its prefix. "back", "main" and
        "menu" return to the caller; "exit" and "quit" end the process.
        """

        def _bad_selection(example_line):
            # Shared error output for a missing or unknown payload selection
            print()
            print(helpers.color(" [!] ERROR: You did not provide a valid payload selection!", warning=True))
            print(helpers.color(example_line, warning=True))
            print()

        redraw_menu = True
        while True:
            # Tab completion is set up again on every pass because other
            # modules sometimes reset it
            menu_completer = completer.MainMenuCompleter(self.evasion_main_menu_commands, self.active_payloads)
            readline.set_completer_delims(' \t\n;')
            readline.parse_and_bind("tab: complete")
            readline.set_completer(menu_completer.complete)

            if redraw_menu:
                evasion_helpers.title_screen()
                print("Veil-Evasion Menu")
                print("\n\t" + helpers.color(len(self.active_payloads)) + " payloads loaded\n")
                print("Available Commands:\n")
                for name in sorted(self.evasion_main_menu_commands.keys()):
                    description = self.evasion_main_menu_commands[name]
                    print("\t" + helpers.color(name) + '\t\t\t' + description)
                print()
                redraw_menu = False

            user_command = input('Veil/Evasion>: ').strip().lower()

            # Leave this menu and hand control back to the caller
            if user_command.startswith(("back", "main", "menu")):
                break

            if user_command.startswith("checkvt"):
                self.check_vt()
                continue

            if user_command.startswith("clean"):
                self.clean_artifacts()
                continue

            if user_command.startswith(("exit", "quit")):
                sys.exit(0)

            if user_command.startswith('info'):
                tokens = user_command.split()
                # Only look the payload up when exactly one argument was given
                module = self.return_payload_object(tokens[1]) if len(tokens) == 2 else None
                if module:
                    self.print_options_screen(module)
                else:
                    _bad_selection(" [*] Ex: info 2 OR info lua/shellcode_inject/flat.py")
                continue

            if user_command.startswith('list'):
                evasion_helpers.title_screen()
                self.list_loaded_payloads()
                continue

            if user_command.startswith('use'):
                tokens = user_command.split()
                module = self.return_payload_object(tokens[1].lower()) if len(tokens) == 2 else None
                if module:
                    self.use_payload(module)
                    # Redraw the menu once the payload screen has been left
                    redraw_menu = True
                else:
                    _bad_selection(" [*] Ex: use 2 OR use lua/shellcode_inject/flat.py")
        return
예제 #9
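    def payload_selection_menu(self, showTitle=True):
        """
        Menu asking where the shellcode should come from.

        The choice is taken from ``self.required_options['SHELLCODE'][0]``
        when that value can be read, otherwise from an interactive prompt.

        Args:
            showTitle: draw the title screen first when True, otherwise
                print a blank line.

        Returns:
            'ordnance' for option 1, an empty answer or an unrecognised
            answer. None for option 2 (msfvenom) and whenever a shellcode
            file cannot be read or is empty. A string of ``\\x..`` escaped
            bytes for options 4 and 5, or the text the user typed for
            option 3.
        """

        def _escape_bytes(data):
            # Render every byte as a literal \xNN pair (lower-case hex)
            return "".join("\\x%02x" % value for value in data)

        def _prompt_for_path(prompt_text):
            # instantiate our completer object for path completion
            comp = completer.PathCompleter()

            # we want to treat '/' as part of a word, so override the delimiters
            readline.set_completer_delims(' \t\n;')
            readline.parse_and_bind("tab: complete")
            readline.set_completer(comp.complete)
            try:
                return input(prompt_text)
            finally:
                # remove the completer; the original reset sat after the
                # return statements and never ran
                readline.set_completer(None)

        # print out the main title to reset the interface
        if showTitle:
            evasion_helpers.title_screen()
        else:
            print()

        print(helpers.color(" [?] Generate or supply custom shellcode?\n"))
        print('     %s - Ordnance %s' % (helpers.color('1'), helpers.color('(default)', yellow=True)))
        print('     %s - MSFVenom' % (helpers.color('2')))
        print('     %s - Custom shellcode string' % (helpers.color('3')))
        print('     %s - File with shellcode (\\x41\\x42..)' % (helpers.color('4')))
        print('     %s - Binary file with shellcode\n' % helpers.color('5'))

        try:
            choice = self.required_options['SHELLCODE'][0].lower().strip()
            print(" [>] Please enter the number of your choice: %s" % (choice))
        except (AttributeError, KeyError, IndexError, TypeError):
            # No usable preset: ask instead. The named exceptions replace a
            # bare except so Ctrl-C at this point is no longer swallowed.
            choice = input(" [>] Please enter the number of your choice: ").strip()

        if choice == '4':
            filePath = _prompt_for_path(" [>] Please enter the path to your shellcode file: ")

            # Read as bytes: a text-mode read fails to decode arbitrary
            # data, which used to be reported as "path not found".
            try:
                with open(filePath, 'rb') as shellcode_file:
                    file_shellcode = shellcode_file.read().strip()
            except (OSError, ValueError):
                print(helpers.color(" [!] WARNING: path not found, defaulting to msfvenom!", warning=True))
                return None

            if len(file_shellcode) == 0:
                print(helpers.color(" [!] WARNING: no custom shellcode restrieved, defaulting to msfvenom!", warning=True))
                return None

            # check if the shellcode was passed in as string-escaped form
            if file_shellcode[0:2] == b"\\x" and file_shellcode[4:6] == b"\\x":
                # latin-1 maps each byte to one character and cannot fail
                return file_shellcode.decode('latin-1')

            # otherwise encode the raw data as a hex string; hexlify() on
            # the text-mode str raised TypeError under Python 3
            return _escape_bytes(file_shellcode)

        elif choice == '5':
            filePath = _prompt_for_path(" [>] Please enter the path to your binary file: ")

            try:
                with open(filePath, 'rb') as shellcode_file:
                    file_shellcode = shellcode_file.read()
            except (OSError, ValueError):
                print(helpers.color(" [!] WARNING: path not found, defaulting to msfvenom!", warning=True))
                return None

            if len(file_shellcode) == 0:
                print(helpers.color(" [!] WARNING: no custom shellcode restrieved, defaulting to msfvenom!", warning=True))
                return None

            # Convert from binary to shellcode
            return _escape_bytes(file_shellcode)

        elif choice == '3' or choice == 'string':
            # if the shellcode is specified as a string
            cust_sc = input(" [>] Please enter custom shellcode (one line, no quotes, \\x00.. format): ")
            if len(cust_sc) == 0:
                print(helpers.color(" [!] WARNING: no shellcode specified, defaulting to msfvenom!", warning=True))
            # NOTE(review): an empty answer is returned as '' rather than
            # None even though the warning announces the msfvenom default;
            # confirm the caller treats both the same.
            return cust_sc

        normalized_choice = choice.lower()

        if choice == '' or choice == '1' or normalized_choice in ('veil-ordnance', 'ordnance'):
            return 'ordnance'

        if choice == '2' or normalized_choice in ('msf', 'metasploit', 'msfvenom'):
            return None

        print(helpers.color(" [!] WARNING: Invalid option chosen, defaulting to Ordnance!", warning=True))
        return 'ordnance'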