def display_payload_options(self, selected_pload, showTitle=True): # show the title if specified if showTitle: evasion_helpers.title_screen() self.payload_info(selected_pload) return
def payload_selection_menu(self, showTitle=True): """ Menu to prompt the user for a custom shellcode string. Returns None if nothing is specified. """ # print out the main title to reset the interface if showTitle: evasion_helpers.title_screen() print(' [?] Generate or supply custom shellcode?\n') print(' %s - Ordnance %s' % (helpers.color('1'), helpers.color('(default)', yellow=True))) print(' %s - MSFVenom' % (helpers.color('2'))) print(' %s - custom shellcode string' % (helpers.color('3'))) print(' %s - file with shellcode (raw)\n' % (helpers.color('4'))) try: choice = self.required_options['SHELLCODE'][0].lower().strip() print(" [>] Please enter the number of your choice: %s" % (choice)) except: choice = input( " [>] Please enter the number of your choice: ").strip() if choice == '4': # instantiate our completer object for path completion comp = completer.PathCompleter() # we want to treat '/' as part of a word, so override the delimiters readline.set_completer_delims(' \t\n;') readline.parse_and_bind("tab: complete") readline.set_completer(comp.complete) # if the shellcode is specicified as a raw file filePath = input( " [>] Please enter the path to your raw shellcode file: ") try: with open(filePath, 'rb') as shellcode_file: file_shellcode = shellcode_file.read() except: print( helpers.color( " [!] WARNING: path not found, defaulting to msfvenom!", warning=True)) return None if len(file_shellcode) == 0: print( helpers.color( " [!] WARNING: no custom shellcode restrieved, defaulting to msfvenom!", warning=True)) return None # check if the shellcode was passed in as string-escaped form if file_shellcode[0:2] == "\\x" and file_shellcode[4:6] == "\\x": return file_shellcode else: # otherwise encode the raw data as a hex string hexString = binascii.hexlify(file_shellcode) file_shellcode = "\\x" + "\\x".join( [hexString[i:i + 2] for i in range(0, len(hexString), 2)]) return file_shellcode # remove the completer readline.set_completer(None) elif choice == '3' or choice == 'string': # if the shellcode is specified as a string cust_sc = input( " [>] Please enter custom shellcode (one line, no quotes, \\x00.. format): " ) if len(cust_sc) == 0: print( helpers.color( " [!] WARNING: no shellcode specified, defaulting to msfvenom!", warning=True)) return cust_sc elif choice == '' or choice == '1' or choice.lower( ) == 'veil-ordnance' or choice.lower() == 'ordnance': return 'ordnance' elif choice == '2' or choice.lower() == 'msf' or choice.lower( ) == 'metasploit' or choice.lower() == 'msfvenom': return None else: print( helpers.color( " [!] WARNING: Invalid option chosen, defaulting to Ordnance!", warning=True)) return 'ordnance'
def compiler(payload_object, invoked=False, cli_object=None): # Check the source code to ensure it is present if payload_object.payload_source_code == '': print( helpers.color("\n [!] ERROR: No payload source code provided.\n", warning=True)) return False else: # print title bar evasion_helpers.title_screen() if not invoked: # Determine the file name to use for output file_name = input( 'Please enter the base name for output files (default is payload): ' ).strip() else: file_name = cli_object.o # Basic checks on input while file_name != '' and ("\\" in file_name or "/" in file_name): print( helpers.color( "\nPlease provide a base name, not a path, for the output base\n", warning=True)) file_name = input( 'Please enter the base name for output files (default is payload): ' ).strip() # If no base name, set it to be payload if file_name == '': file_name = 'payload' # run check to make sure file doesn't exist, if it does # provide a new filename file_name = find_file_name(file_name, payload_object) source_code_filepath = settings.PAYLOAD_SOURCE_PATH + file_name + "." + payload_object.extension # Used when outputting exe files, go figure executable_filepath = settings.PAYLOAD_COMPILED_PATH + file_name + ".exe" if payload_object.language is not "native" and payload_object.extension is not "war": with open(source_code_filepath, 'w') as source_file: source_file.write(payload_object.payload_source_code) if payload_object.language == 'python': if not invoked: compile_method = '' else: compile_method = cli_object.compiler # Check extension for war or normal python file if payload_object.extension == 'py': if settings.OPERATING_SYSTEM == "Windows": compile_method = 'py2exe' else: if payload_object.required_options['COMPILE_TO_EXE'][ 0].lower() == 'y' and not invoked: evasion_helpers.title_screen() # if we have a linux distro, continue... # Determine if the user wants Pyinstaller, Pwnstaller, or Py2Exe. print( '\n [?] How would you like to create your payload executable?\n' ) print(' %s - Pyinstaller %s' % (helpers.color('1'), helpers.color('(default)', yellow=True))) print(' %s - Py2Exe\n' % (helpers.color('2'))) user_compile_choice = input( " [>] Please enter the number of your choice: ") if user_compile_choice == "1" or user_compile_choice == "": compile_method = "pyinstaller" elif user_compile_choice == "2": compile_method = "py2exe" else: compile_method = "pyinstaller" if compile_method == 'py2exe' and payload_object.required_options[ 'COMPILE_TO_EXE'][0].lower() == 'y': # Generate setup.py File for Py2Exe with open(settings.PAYLOAD_SOURCE_PATH + '/setup.py', 'w') as setup_file: setup_file.write("from distutils.core import setup\n") setup_file.write("import py2exe, sys, os\n\n") setup_file.write("setup(\n") setup_file.write( "\toptions = {'py2exe': {'bundle_files': 1}},\n") setup_file.write("\tzipfile = None,\n") setup_file.write("\twindows=['" + file_name + ".py']\n") setup_file.write(")") # Generate Batch script for Compiling on Windows Using Py2Exe with open(settings.PAYLOAD_SOURCE_PATH + '/runme.bat', 'w') as runme_file: runme_file.write( 'rem Batch Script for compiling python code into an executable\n' ) runme_file.write('rem on windows with py2exe\n') runme_file.write( 'rem Usage: Drop into your Python folder and click, or anywhere if Python is in your system path\n\n' ) runme_file.write("python setup.py py2exe\n") runme_file.write('cd dist\n') runme_file.write('move ' + file_name + '.exe ../\n') runme_file.write('cd ..\n') runme_file.write('rmdir /S /Q build\n') runme_file.write('rmdir /S /Q dist\n') evasion_helpers.title_screen() print_payload_information(payload_object) print( helpers.color( "\npy2exe files 'setup.py' and 'runme.bat' written to:\n" + settings.PAYLOAD_SOURCE_PATH + "\n")) else: if payload_object.required_options['COMPILE_TO_EXE'][ 0].lower() == 'y': # Used for PyInstaller standard # copy the pyinstaller runw to maintain its integrity in the event # pwnstaller is added in for python3 - this will future proof it runw_path = settings.VEIL_EVASION_PATH + 'Tools/Evasion/evasion_common/tools/runw.orig.exe' os.system( "cp " + runw_path + " " + settings.PYINSTALLER_PATH + "/PyInstaller/bootloader/Windows-32bit/runw.exe") # Validate python is installed in wine if not os.path.isfile(settings.WINEPREFIX + 'drive_c/Python34/python.exe'): print( helpers.color( "\n [!] ERROR: Can't find python.exe in " + os.path.expanduser(settings.WINEPREFIX + 'drive_c/Python34/'), warning=True)) print( helpers.color( " [!] ERROR: Make sure the python.exe binary exists before using PyInstaller.", warning=True)) sys.exit(1) random_key = evasion_helpers.randomString() os.system( 'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + '/drive_c/Python34/python.exe' + ' ' + os.path.expanduser(settings.PYINSTALLER_PATH + '/pyinstaller.py') + ' --onefile --noconsole --key ' + random_key + ' ' + source_code_filepath) evasion_helpers.title_screen() if os.path.isfile('dist/' + file_name + ".exe"): os.system('mv dist/' + file_name + ".exe " + settings.PAYLOAD_COMPILED_PATH) hash_executable(executable_filepath, file_name) print_payload_information(payload_object) print( " [*] Executable written to: " + helpers.color(settings.PAYLOAD_COMPILED_PATH + file_name + ".exe")) else: print( helpers.color( " [!] ERROR: Unable to create output file.", warning=True)) os.system('rm -rf dist') os.system('rm -rf build') os.system('rm -f *.spec') os.system('rm -f logdict*.*') print(" [*] Source code written to: " + helpers.color(source_code_filepath)) elif payload_object.extension == 'war': path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension with open(path_here, 'wb') as source_file: source_file.write(payload_object.payload_source_code) # Ensure that war file was written to disk if os.path.isfile(path_here): hash_executable(path_here, file_name) print_payload_information(payload_object) print(" [*] WAR file written to: " + helpers.color(source_code_filepath)) else: print( helpers.color(" [!] ERROR: Unable to create WAR file.", warning=True)) else: print( helpers.color( " [!] ERROR: Invalid python extension in payload module.\n", warning=True)) elif payload_object.language == 'ruby': if payload_object.required_options['COMPILE_TO_EXE'][0].lower( ) == 'y': os.system( 'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + '/drive_c/Ruby187/bin/ruby.exe ' + settings.WINEPREFIX + '/drive_c/Ruby187/bin/ocra --windows ' + source_code_filepath + ' --output ' + executable_filepath + ' ' + settings.WINEPREFIX + '/drive_c/Ruby187/lib/ruby/gems/1.8/gems/win32-api-1.4.8-x86-mingw32/lib/win32/*' ) evasion_helpers.title_screen() if os.path.isfile(executable_filepath): hash_executable(executable_filepath, file_name) print_payload_information(payload_object) print(" [*] Executable written to: " + helpers.color(executable_filepath)) else: print( helpers.color( " [!] ERROR: Unable to create output file.", warning=True)) print(" [*] Source code written to: " + helpers.color(source_code_filepath)) elif payload_object.language == 'powershell': evasion_helpers.title_screen() print_payload_information(payload_object) print(" [*] PowerShell doesn't compile, so you just get text :)") print(" [*] Source code written to: " + helpers.color(source_code_filepath)) elif payload_object.language == 'perl': print_payload_information(payload_object) print( "\nPerl can't currently be compiled in Linux. Install on Windows:" ) print( "https://www.veil-framework.com/perl-of-no-hope-january-v-day-2016/" ) print("Command: pp -gui -o <executablename> <sourcecodefile.pl>") print(" [*] Source code written to: " + helpers.color(source_code_filepath)) elif payload_object.language == 'native': # set path for native payload executable output path_here = settings.PAYLOAD_COMPILED_PATH + file_name + "." + payload_object.extension with open(path_here, 'wb') as source_file: source_file.write(payload_object.payload_source_code) # Ensure executables was written to disk if os.path.isfile(path_here): hash_executable(path_here, file_name) print_payload_information(payload_object) print(" [*] Exe file written to: " + helpers.color(path_here)) else: print( helpers.color(" [!] ERROR: Unable to create Exe file.", warning=True)) elif payload_object.language == 'lua': print_payload_information(payload_object) print( " [*] Lua currently doesn't compile in linux, so you just get text :)" ) print(" [*] Source code written to: " + helpers.color(source_code_filepath)) elif payload_object.language == 'go': if payload_object.required_options['COMPILE_TO_EXE'][0].lower( ) == 'y': # Compile go payload os.system( 'env GOROOT=/usr/local/go GOOS=windows GOARCH=386 /usr/bin/go build -ldflags "-s -w -H=windowsgui" -v -o ' + executable_filepath + ' ' + source_code_filepath) evasion_helpers.title_screen() if os.path.isfile(executable_filepath): hash_executable(executable_filepath, file_name) print_payload_information(payload_object) print(" [*] Executable written to: " + helpers.color(executable_filepath)) else: print( helpers.color( " [!] ERROR: Unable to create output file.", warning=True)) print(" [*] Source code written to: " + helpers.color(source_code_filepath)) elif payload_object.language == 'cs': if payload_object.required_options['COMPILE_TO_EXE'][0].lower( ) == 'y': # Compile our CS code into an executable and pass a compiler flag to prevent it from opening a command prompt when run os.system('mcs -platform:x86 -target:winexe ' + source_code_filepath + ' -out:' + executable_filepath) evasion_helpers.title_screen() if os.path.isfile(executable_filepath): hash_executable(executable_filepath, file_name) print_payload_information(payload_object) print(" [*] Executable written to: " + helpers.color(executable_filepath)) else: print( helpers.color( " [!] ERROR: Unable to create output file.", warning=True)) print(" [*] Source code written to: " + helpers.color(source_code_filepath)) elif payload_object.language == 'c': if payload_object.required_options['COMPILE_TO_EXE'][0].lower( ) == 'y': # Compile our C code into an executable and pass a compiler flag to prevent it from opening a command prompt when run os.system('i686-w64-mingw32-gcc -Wl,-subsystem,windows ' + source_code_filepath + ' -o ' + executable_filepath + " -lwsock32") evasion_helpers.title_screen() if os.path.isfile(executable_filepath): hash_executable(executable_filepath, file_name) print_payload_information(payload_object) print(" [*] Executable written to: " + helpers.color(executable_filepath)) else: print( helpers.color( " [!] ERROR: Unable to create output file.", warning=True)) print(" [*] Source code written to: " + helpers.color(source_code_filepath)) elif payload_object.language == 'autoit': if payload_object.required_options['COMPILE_TO_EXE'][0].lower( ) == 'y': # Compile autoit code os.system( 'WINEPREFIX=' + settings.WINEPREFIX + ' wine ' + settings.WINEPREFIX + 'drive_c/Program\ Files/AutoIt3/Aut2Exe/Aut2exe.exe /in ' + source_code_filepath + ' /out ' + executable_filepath + ' /comp 2 /nopack') if os.path.isfile(executable_filepath): hash_executable(executable_filepath, file_name) print_payload_information(payload_object) print(" [*] Executable written to: " + helpers.color(executable_filepath)) else: print( helpers.color( " [!] ERROR: Unable to create output file.", warning=True)) print(" [*] Source code written to: " + helpers.color(source_code_filepath)) else: print( helpers.color( "\n [!] ERROR: Invalid payload language in payload module.\n", warning=True)) return False if invoked: handler_code_generator(payload_object, file_name, invoked=True, cli_obj=cli_object) else: handler_code_generator(payload_object, file_name) if os.path.isfile(settings.HANDLER_PATH + file_name + '.rc'): print(" [*] Metasploit RC file written to: " + helpers.color(settings.HANDLER_PATH + file_name + '.rc')) if not invoked: dummy = input('\nPlease press enter to continue >: ') # End of if statement checking to make sure payload_source_code is # not empty return True
def tool_main_menu(self): # This is the main function where everything is called from # Iterate over payloads and find the user selected payload module evasion_main_command = '' show_evasion_menu = True while evasion_main_command == '': # set out tab completion for the appropriate modules on each run # as other modules sometimes reset this comp = completer.MainMenuCompleter(self.evasion_main_menu_commands, self.active_payloads) readline.set_completer_delims(' \t\n;') readline.parse_and_bind("tab: complete") readline.set_completer(comp.complete) if show_evasion_menu: evasion_helpers.title_screen() print("Veil-Evasion Menu") print("\n\t" + helpers.color(len(self.active_payloads)) + " payloads loaded\n") print("Available Commands:\n") for command in sorted(self.evasion_main_menu_commands.keys()): print("\t" + helpers.color(command) + '\t\t\t' + self.evasion_main_menu_commands[command]) print() show_evasion_menu = True evasion_main_command = input('Veil-Evasion command: ').strip() if evasion_main_command.lower() == "back": evasion_main_command = '' break elif evasion_main_command.lower() == "checkvt": self.check_vt() evasion_main_command = '' elif evasion_main_command.lower() == "clean": self.clean_artifacts() evasion_main_command = '' elif evasion_main_command.lower() == "exit": sys.exit(0) elif evasion_main_command.lower().startswith('info'): if len(evasion_main_command.split()) == 2: payload_selected = evasion_main_command.split()[1] selected_payload_module = self.return_payload_object(payload_selected) if not selected_payload_module: print() print(helpers.color("[*] Error: You did not provide a valid payload selection!", warning=True)) print(helpers.color("[*] Ex: info 2 or info lua/shellcode_inject/flat.py", warning=True)) print() evasion_main_command = '' show_evasion_menu = False else: self.print_options_screen(selected_payload_module) evasion_main_command = '' show_evasion_menu = False else: print() print(helpers.color("[*] Error: You did not provide a valid payload selection!", warning=True)) print(helpers.color("[*] Ex: info 2 or info lua/shellcode_inject/flat.py", warning=True)) print() evasion_main_command = '' show_evasion_menu = False elif evasion_main_command.lower().startswith('list'): evasion_helpers.title_screen() self.list_loaded_payloads() show_evasion_menu = False print() evasion_main_command = '' elif evasion_main_command.lower().startswith('use'): if len(evasion_main_command.split()) == 2: payload_selected = evasion_main_command.split()[1] selected_payload_module = self.return_payload_object(payload_selected) if not selected_payload_module: print() print(helpers.color("[*] Error: You did not provide a valid payload selection!", warning=True)) print(helpers.color("[*] Ex: info 2 or info lua/shellcode_inject/flat.py", warning=True)) print() evasion_main_command = '' show_evasion_menu = False else: self.use_payload(selected_payload_module) evasion_main_command = '' show_evasion_menu = True else: print() print(helpers.color("[*] Error: You did not provide a valid payload selection!", warning=True)) print(helpers.color("[*] Ex: use 2 or use lua/shellcode_inject/flat.py", warning=True)) print() evasion_main_command = '' show_evasion_menu = False else: evasion_main_command = '' return