def display_payload_options(self, selected_pload, showTitle=True):
# show the title if specified
if showTitle:
evasion_helpers.title_screen()
self.payload_info(selected_pload)
return
def payload_selection_menu(self, showTitle=True):
"""
Menu to prompt the user for a custom shellcode string.
Returns None if nothing is specified.
"""
# print out the main title to reset the interface
if showTitle:
evasion_helpers.title_screen()
print(' [?] Generate or supply custom shellcode?\n')
print(' %s - Ordnance %s' %
(helpers.color('1'), helpers.color('(default)', yellow=True)))
print(' %s - MSFVenom' % (helpers.color('2')))
print(' %s - custom shellcode string' % (helpers.color('3')))
print(' %s - file with shellcode (raw)\n' % (helpers.color('4')))
try:
choice = self.required_options['SHELLCODE'][0].lower().strip()
print(" [>] Please enter the number of your choice: %s" % (choice))
except:
choice = input(
" [>] Please enter the number of your choice: ").strip()
if choice == '4':
# instantiate our completer object for path completion
comp = completer.PathCompleter()
# we want to treat '/' as part of a word, so override the delimiters
readline.set_completer_delims(' \t\n;')
readline.parse_and_bind("tab: complete")
readline.set_completer(comp.complete)
# if the shellcode is specicified as a raw file
filePath = input(
" [>] Please enter the path to your raw shellcode file: ")
try:
with open(filePath, 'rb') as shellcode_file:
file_shellcode = shellcode_file.read()
except:
print(
helpers.color(
" [!] WARNING: path not found, defaulting to msfvenom!",
warning=True))
return None
if len(file_shellcode) == 0:
print(
helpers.color(
" [!] WARNING: no custom shellcode restrieved, defaulting to msfvenom!",
warning=True))
return None
# check if the shellcode was passed in as string-escaped form
if file_shellcode[0:2] == "\\x" and file_shellcode[4:6] == "\\x":
return file_shellcode
else:
# otherwise encode the raw data as a hex string
hexString = binascii.hexlify(file_shellcode)
file_shellcode = "\\x" + "\\x".join(
[hexString[i:i + 2] for i in range(0, len(hexString), 2)])
return file_shellcode
# remove the completer
readline.set_completer(None)
elif choice == '3' or choice == 'string':
# if the shellcode is specified as a string
cust_sc = input(
" [>] Please enter custom shellcode (one line, no quotes, \\x00.. format): "
)
if len(cust_sc) == 0:
print(
helpers.color(
" [!] WARNING: no shellcode specified, defaulting to msfvenom!",
warning=True))
return cust_sc
elif choice == '' or choice == '1' or choice.lower(
) == 'veil-ordnance' or choice.lower() == 'ordnance':
return 'ordnance'
elif choice == '2' or choice.lower() == 'msf' or choice.lower(
) == 'metasploit' or choice.lower() == 'msfvenom':
return None
else:
print(
helpers.color(
" [!] WARNING: Invalid option chosen, defaulting to Ordnance!",
warning=True))
return 'ordnance'
def compiler(payload_object, invoked=False, cli_object=None):
# Check the source code to ensure it is present
if payload_object.payload_source_code == '':
print(
helpers.color("\n [!] ERROR: No payload source code provided.\n",
warning=True))
return False
else:
# print title bar
evasion_helpers.title_screen()
if not invoked:
# Determine the file name to use for output
file_name = input(
'Please enter the base name for output files (default is payload): '
).strip()
else:
file_name = cli_object.o
# Basic checks on input
while file_name != '' and ("\\" in file_name or "/" in file_name):
print(
helpers.color(
"\nPlease provide a base name, not a path, for the output base\n",
warning=True))
file_name = input(
'Please enter the base name for output files (default is payload): '
).strip()
# If no base name, set it to be payload
if file_name == '':
file_name = 'payload'
# run check to make sure file doesn't exist, if it does
# provide a new filename
file_name = find_file_name(file_name, payload_object)
source_code_filepath = settings.PAYLOAD_SOURCE_PATH + file_name + "." + payload_object.extension
# Used when outputting exe files, go figure
executable_filepath = settings.PAYLOAD_COMPILED_PATH + file_name + ".exe"
if payload_object.language is not "native" and payload_object.extension is not "war":
with open(source_code_filepath, 'w') as source_file:
source_file.write(payload_object.payload_source_code)
if payload_object.language == 'python':
if not invoked:
compile_method = ''
else:
compile_method = cli_object.compiler
# Check extension for war or normal python file
if payload_object.extension == 'py':
if settings.OPERATING_SYSTEM == "Windows":
compile_method = 'py2exe'
else:
if payload_object.required_options['COMPILE_TO_EXE'][
0].lower() == 'y' and not invoked:
evasion_helpers.title_screen()
# if we have a linux distro, continue...
# Determine if the user wants Pyinstaller, Pwnstaller, or Py2Exe.
print(
'\n [?] How would you like to create your payload executable?\n'
)
print(' %s - Pyinstaller %s' %
(helpers.color('1'),
helpers.color('(default)', yellow=True)))
print(' %s - Py2Exe\n' % (helpers.color('2')))
user_compile_choice = input(
" [>] Please enter the number of your choice: ")
if user_compile_choice == "1" or user_compile_choice == "":
compile_method = "pyinstaller"
elif user_compile_choice == "2":
compile_method = "py2exe"
else:
compile_method = "pyinstaller"
if compile_method == 'py2exe' and payload_object.required_options[
'COMPILE_TO_EXE'][0].lower() == 'y':
# Generate setup.py File for Py2Exe
with open(settings.PAYLOAD_SOURCE_PATH + '/setup.py',
'w') as setup_file:
setup_file.write("from distutils.core import setup\n")
setup_file.write("import py2exe, sys, os\n\n")
setup_file.write("setup(\n")
setup_file.write(
"\toptions = {'py2exe': {'bundle_files': 1}},\n")
setup_file.write("\tzipfile = None,\n")
setup_file.write("\twindows=['" + file_name +
".py']\n")
setup_file.write(")")
# Generate Batch script for Compiling on Windows Using Py2Exe
with open(settings.PAYLOAD_SOURCE_PATH + '/runme.bat',
'w') as runme_file:
runme_file.write(
'rem Batch Script for compiling python code into an executable\n'
)
runme_file.write('rem on windows with py2exe\n')
runme_file.write(
'rem Usage: Drop into your Python folder and click, or anywhere if Python is in your system path\n\n'
)
runme_file.write("python setup.py py2exe\n")
runme_file.write('cd dist\n')
runme_file.write('move ' + file_name + '.exe ../\n')
runme_file.write('cd ..\n')
runme_file.write('rmdir /S /Q build\n')
runme_file.write('rmdir /S /Q dist\n')
evasion_helpers.title_screen()
print_payload_information(payload_object)
print(
helpers.color(
"\npy2exe files 'setup.py' and 'runme.bat' written to:\n"
+ settings.PAYLOAD_SOURCE_PATH + "\n"))
else:
if payload_object.required_options['COMPILE_TO_EXE'][
0].lower() == 'y':
# Used for PyInstaller standard
# copy the pyinstaller runw to maintain its integrity in the event
# pwnstaller is added in for python3 - this will future proof it
runw_path = settings.VEIL_EVASION_PATH + 'Tools/Evasion/evasion_common/tools/runw.orig.exe'
os.system(
"cp " + runw_path + " " +
settings.PYINSTALLER_PATH +
"/PyInstaller/bootloader/Windows-32bit/runw.exe")
# Validate python is installed in wine
if not os.path.isfile(settings.WINEPREFIX +
'drive_c/Python34/python.exe'):
print(
helpers.color(
"\n [!] ERROR: Can't find python.exe in " +
os.path.expanduser(settings.WINEPREFIX +
'drive_c/Python34/'),
warning=True))
print(
helpers.color(
" [!] ERROR: Make sure the python.exe binary exists before using PyInstaller.",
warning=True))
sys.exit(1)
random_key = evasion_helpers.randomString()
os.system(
'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' +
settings.WINEPREFIX +
'/drive_c/Python34/python.exe' + ' ' +
os.path.expanduser(settings.PYINSTALLER_PATH +
'/pyinstaller.py') +
' --onefile --noconsole --key ' + random_key +
' ' + source_code_filepath)
evasion_helpers.title_screen()
if os.path.isfile('dist/' + file_name + ".exe"):
os.system('mv dist/' + file_name + ".exe " +
settings.PAYLOAD_COMPILED_PATH)
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(
" [*] Executable written to: " +
helpers.color(settings.PAYLOAD_COMPILED_PATH +
file_name + ".exe"))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
os.system('rm -rf dist')
os.system('rm -rf build')
os.system('rm -f *.spec')
os.system('rm -f logdict*.*')
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.extension == 'war':
path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
with open(path_here, 'wb') as source_file:
source_file.write(payload_object.payload_source_code)
# Ensure that war file was written to disk
if os.path.isfile(path_here):
hash_executable(path_here, file_name)
print_payload_information(payload_object)
print(" [*] WAR file written to: " +
helpers.color(source_code_filepath))
else:
print(
helpers.color(" [!] ERROR: Unable to create WAR file.",
warning=True))
else:
print(
helpers.color(
" [!] ERROR: Invalid python extension in payload module.\n",
warning=True))
elif payload_object.language == 'ruby':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
os.system(
'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' +
settings.WINEPREFIX + '/drive_c/Ruby187/bin/ruby.exe ' +
settings.WINEPREFIX +
'/drive_c/Ruby187/bin/ocra --windows ' +
source_code_filepath + ' --output ' + executable_filepath +
' ' + settings.WINEPREFIX +
'/drive_c/Ruby187/lib/ruby/gems/1.8/gems/win32-api-1.4.8-x86-mingw32/lib/win32/*'
)
evasion_helpers.title_screen()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'powershell':
evasion_helpers.title_screen()
print_payload_information(payload_object)
print(" [*] PowerShell doesn't compile, so you just get text :)")
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'perl':
print_payload_information(payload_object)
print(
"\nPerl can't currently be compiled in Linux. Install on Windows:"
)
print(
"https://www.veil-framework.com/perl-of-no-hope-january-v-day-2016/"
)
print("Command: pp -gui -o <executablename> <sourcecodefile.pl>")
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'native':
# set path for native payload executable output
path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
with open(path_here, 'wb') as source_file:
source_file.write(payload_object.payload_source_code)
# Ensure executables was written to disk
if os.path.isfile(path_here):
hash_executable(path_here, file_name)
print_payload_information(payload_object)
print(" [*] Exe file written to: " + helpers.color(path_here))
else:
print(
helpers.color(" [!] ERROR: Unable to create Exe file.",
warning=True))
elif payload_object.language == 'lua':
print_payload_information(payload_object)
print(
" [*] Lua currently doesn't compile in linux, so you just get text :)"
)
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'go':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
# Compile go payload
os.system(
'env GOROOT=/usr/local/go GOOS=windows GOARCH=386 /usr/bin/go build -ldflags "-s -w -H=windowsgui" -v -o '
+ executable_filepath + ' ' + source_code_filepath)
evasion_helpers.title_screen()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'cs':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
# Compile our CS code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
os.system('mcs -platform:x86 -target:winexe ' +
source_code_filepath + ' -out:' +
executable_filepath)
evasion_helpers.title_screen()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'c':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
# Compile our C code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
os.system('i686-w64-mingw32-gcc -Wl,-subsystem,windows ' +
source_code_filepath + ' -o ' + executable_filepath +
" -lwsock32")
evasion_helpers.title_screen()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'autoit':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
# Compile autoit code
os.system(
'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' +
settings.WINEPREFIX +
'drive_c/Program\ Files/AutoIt3/Aut2Exe/Aut2exe.exe /in ' +
source_code_filepath + ' /out ' + executable_filepath +
' /comp 2 /nopack')
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
else:
print(
helpers.color(
"\n [!] ERROR: Invalid payload language in payload module.\n",
warning=True))
return False
if invoked:
handler_code_generator(payload_object,
file_name,
invoked=True,
cli_obj=cli_object)
else:
handler_code_generator(payload_object, file_name)
if os.path.isfile(settings.HANDLER_PATH + file_name + '.rc'):
print(" [*] Metasploit RC file written to: " +
helpers.color(settings.HANDLER_PATH + file_name + '.rc'))
if not invoked:
dummy = input('\nPlease press enter to continue >: ')
# End of if statement checking to make sure payload_source_code is
# not empty
return True
def tool_main_menu(self):
# This is the main function where everything is called from
# Iterate over payloads and find the user selected payload module
evasion_main_command = ''
show_evasion_menu = True
while evasion_main_command == '':
# set out tab completion for the appropriate modules on each run
# as other modules sometimes reset this
comp = completer.MainMenuCompleter(self.evasion_main_menu_commands, self.active_payloads)
readline.set_completer_delims(' \t\n;')
readline.parse_and_bind("tab: complete")
readline.set_completer(comp.complete)
if show_evasion_menu:
evasion_helpers.title_screen()
print("Veil-Evasion Menu")
print("\n\t" + helpers.color(len(self.active_payloads)) + " payloads loaded\n")
print("Available Commands:\n")
for command in sorted(self.evasion_main_menu_commands.keys()):
print("\t" + helpers.color(command) + '\t\t\t' + self.evasion_main_menu_commands[command])
print()
show_evasion_menu = True
evasion_main_command = input('Veil-Evasion command: ').strip()
if evasion_main_command.lower() == "back":
evasion_main_command = ''
break
elif evasion_main_command.lower() == "checkvt":
self.check_vt()
evasion_main_command = ''
elif evasion_main_command.lower() == "clean":
self.clean_artifacts()
evasion_main_command = ''
elif evasion_main_command.lower() == "exit":
sys.exit(0)
elif evasion_main_command.lower().startswith('info'):
if len(evasion_main_command.split()) == 2:
payload_selected = evasion_main_command.split()[1]
selected_payload_module = self.return_payload_object(payload_selected)
if not selected_payload_module:
print()
print(helpers.color("[*] Error: You did not provide a valid payload selection!", warning=True))
print(helpers.color("[*] Ex: info 2 or info lua/shellcode_inject/flat.py", warning=True))
print()
evasion_main_command = ''
show_evasion_menu = False
else:
self.print_options_screen(selected_payload_module)
evasion_main_command = ''
show_evasion_menu = False
else:
print()
print(helpers.color("[*] Error: You did not provide a valid payload selection!", warning=True))
print(helpers.color("[*] Ex: info 2 or info lua/shellcode_inject/flat.py", warning=True))
print()
evasion_main_command = ''
show_evasion_menu = False
elif evasion_main_command.lower().startswith('list'):
evasion_helpers.title_screen()
self.list_loaded_payloads()
show_evasion_menu = False
print()
evasion_main_command = ''
elif evasion_main_command.lower().startswith('use'):
if len(evasion_main_command.split()) == 2:
payload_selected = evasion_main_command.split()[1]
selected_payload_module = self.return_payload_object(payload_selected)
if not selected_payload_module:
print()
print(helpers.color("[*] Error: You did not provide a valid payload selection!", warning=True))
print(helpers.color("[*] Ex: info 2 or info lua/shellcode_inject/flat.py", warning=True))
print()
evasion_main_command = ''
show_evasion_menu = False
else:
self.use_payload(selected_payload_module)
evasion_main_command = ''
show_evasion_menu = True
else:
print()
print(helpers.color("[*] Error: You did not provide a valid payload selection!", warning=True))
print(helpers.color("[*] Ex: use 2 or use lua/shellcode_inject/flat.py", warning=True))
print()
evasion_main_command = ''
show_evasion_menu = False
else:
evasion_main_command = ''
return