Added IP obfuscation option. Idea and code from @vysec

gugafer · Jul 14, 2018 · a9ebd5c · a9ebd5c
1 parent 93e2ed2
commit a9ebd5c
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 0 deletions.
diff --git a/bin/shellpop b/bin/shellpop
@@ -598,6 +598,12 @@ def main():
     encoders.add_argument("--urlencode", action="store_true", required=False,
                           help="Encode the command in URL encoding.")
 
+    # Obfuscation options
+    obfuscation = parser.add_argument_group("Obfuscation Options")
+    obfuscation.add_argument("--ipfuscate", action="store_true", required=False, help="Obfuscate IP address.")
+    obfuscation.add_argument("--obfuscate-small", action="store_true", default=False, required=False, help="Obfuscated \
+    command will be as small as possible.")
+
     # Use handler if possible.
     parser.add_argument("--handler", action="store_true", help="Use handler, if possible.", default=False,
                         required=False)
@@ -664,6 +670,9 @@ def main():
     if args.host in [str(x) for x in netifaces.interfaces()]:
         args.host = str(netifaces.ifaddresses(args.host)[2][0]["addr"])  # translate iface name to ipv4
 
+    if args.ipfuscate:
+        args.host = ipfuscate(args.host, args.obfuscate_small)
+
     if args.xor is True:
         args.xor = randint(0, 255)
     else:

diff --git a/src/__init__.py b/src/__init__.py
@@ -1,6 +1,7 @@
 from bind import *
 from reverse import *
 from encoders import *
+from obfuscators import *
 from classes import *
 from handlers import *
 from stagers import *

diff --git a/src/obfuscators.py b/src/obfuscators.py
@@ -0,0 +1,63 @@
+import os
+
+def ipfuscate(ip, smallIP):
+    """
+    Obfuscate an IP address by converting it to decimal, hex, 
+    octal, or a combination of the three.
+    Code borrowed from @vysecurity (https://github.com/vysec/IPFuscator)
+    Implemented by @capnspacehook
+    """
+    parts = ip.split('.')
+
+    if not smallIP:
+        ip = randomBaseIPgen(parts, smallIP)
+
+    else:
+        type = ord(os.urandom(1)) % 4
+        decimal = int(parts[0]) * 16777216 + int(parts[1]) * 65536 + int(parts[2]) * 256 + int(parts[3])
+
+        if type == 0:
+            ip = decimal
+        elif type == 1:
+            ip = hex(decimal)
+        elif type == 2:
+            ip = oct(decimal)
+        else:
+            ip = randomBaseIPgen(parts, smallIP)
+
+    return str(ip)
+
+def randomBaseIPgen(parts, smallIP):
+    """
+    Used by ipfuscate(), returns an obfuscated IP with random bases.
+    Code borrowed from @vysecurity (https://github.com/vysec/IPFuscator)
+    Implemented by @capnspacehook
+    """
+
+    hexParts = []
+    octParts = []
+
+    for i in parts:
+		hexParts.append(hex(int(i)))
+		octParts.append(oct(int(i)))
+
+    randBaseIP = ""
+    for i in range(0,4):
+        val = ord(os.urandom(1)) % 3
+        if val == 0:
+            # dec
+            randBaseIP += parts[i] + '.'
+        elif val == 1:
+            # hex
+            if not smallIP:
+                randBaseIP += hexParts[i].replace('0x', '0x' + '0' * (ord(os.urandom(1)) % 31)) + '.'
+            else:
+                randBaseIP += hexParts[i] + '.'
+        else:
+            # oct
+            if not smallIP:
+                randBaseIP += '0' * (ord(os.urandom(1)) % 31) + octParts[i] + '.'
+            else:
+                randBaseIP += octParts[i] + '.'
+
+    return randBaseIP[:-1]