From a9ebd5c1e228b1a4d5be1744d7bf8cde15b93b46 Mon Sep 17 00:00:00 2001 From: Andrew LeFevre Date: Fri, 13 Jul 2018 23:08:45 -0400 Subject: [PATCH] Added IP obfuscation option. Idea and code from @vysec --- bin/shellpop | 9 +++++++ src/__init__.py | 1 + src/obfuscators.py | 63 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 73 insertions(+) create mode 100644 src/obfuscators.py diff --git a/bin/shellpop b/bin/shellpop index 19d4553..11b02ff 100644 --- a/bin/shellpop +++ b/bin/shellpop @@ -598,6 +598,12 @@ def main(): encoders.add_argument("--urlencode", action="store_true", required=False, help="Encode the command in URL encoding.") + # Obfuscation options + obfuscation = parser.add_argument_group("Obfuscation Options") + obfuscation.add_argument("--ipfuscate", action="store_true", required=False, help="Obfuscate IP address.") + obfuscation.add_argument("--obfuscate-small", action="store_true", default=False, required=False, help="Obfuscated \ + command will be as small as possible.") + # Use handler if possible. parser.add_argument("--handler", action="store_true", help="Use handler, if possible.", default=False, required=False) @@ -664,6 +670,9 @@ def main(): if args.host in [str(x) for x in netifaces.interfaces()]: args.host = str(netifaces.ifaddresses(args.host)[2][0]["addr"]) # translate iface name to ipv4 + if args.ipfuscate: + args.host = ipfuscate(args.host, args.obfuscate_small) + if args.xor is True: args.xor = randint(0, 255) else: diff --git a/src/__init__.py b/src/__init__.py index 70efc4d..46c3fbe 100644 --- a/src/__init__.py +++ b/src/__init__.py @@ -1,6 +1,7 @@ from bind import * from reverse import * from encoders import * +from obfuscators import * from classes import * from handlers import * from stagers import * diff --git a/src/obfuscators.py b/src/obfuscators.py new file mode 100644 index 0000000..0a4ac7c --- /dev/null +++ b/src/obfuscators.py 
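Review bot: `--obfuscate-small` does nothing unless `--ipfuscate` is also passed, because the second bin/shellpop hunk only reads `args.obfuscate_small` inside `if args.ipfuscate:`, and neither the help text nor the parser says so. I would state the dependency in the help, e.g. `help="With --ipfuscate, keep the obfuscated address as short as possible."`. Writing it on one line also removes the backslash continuation inside the string literal, which pulls the continuation line's leading whitespace into the string. `default=False` and `required=False` are already implied by `action="store_true"` on an optional flag. main() starts and ends outside the hunk.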
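Review bot: `ipfuscate(args.host, args.obfuscate_small)` runs on whatever `args.host` holds after the interface-name translation, and the new `ipfuscate()` in src/obfuscators.py does `ip.split('.')` then `int(parts[0])` … `int(parts[3])` with no checks, so a hostname, an IPv6 literal or a short address ends in a bare ValueError/IndexError traceback. Validate before converting, for example at the top of `ipfuscate()`: `if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts): raise ValueError("ipfuscate() needs a dotted-quad IPv4 address, got %r" % ip)`. The same gap applies to `randomBaseIPgen()`, which indexes `parts[i]` for `i` in `range(0,4)`. Because `args.host` itself is overwritten, any later code in main() that uses it for something other than the generated command (not visible in this hunk) would presumably receive the rewritten string; a separate variable for the obfuscated form would avoid that.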
@@ -0,0 +1,63 @@
+import os
+
+def ipfuscate(ip, smallIP):
+ """
+ Obfuscate an IP address by converting it to decimal, hex,
+ octal, or a combination of the three.
+ Code borrowed from @vysecurity (https://github.com/vysec/IPFuscator)
+ Implemented by @capnspacehook
+ """
+ parts = ip.split('.')
+
+ if not smallIP:
+ ip = randomBaseIPgen(parts, smallIP)
+
+ else:
+ type = ord(os.urandom(1)) % 4
+ decimal = int(parts[0]) * 16777216 + int(parts[1]) * 65536 + int(parts[2]) * 256 + int(parts[3])
+
+ if type == 0:
+ ip = decimal
+ elif type == 1:
+ ip = hex(decimal)
+ elif type == 2:
+ ip = oct(decimal)
+ else:
+ ip = randomBaseIPgen(parts, smallIP)
+
+ return str(ip)
+
+def randomBaseIPgen(parts, smallIP):
+ """
+ Used by ipfuscate(), returns an obfuscated IP with random bases.
+ Code borrowed from @vysecurity (https://github.com/vysec/IPFuscator)
+ Implemented by @capnspacehook
+ """
+
+ hexParts = []
+ octParts = []
+
+ for i in parts:
+ hexParts.append(hex(int(i)))
+ octParts.append(oct(int(i)))
+
+ randBaseIP = ""
+ for i in range(0,4):
+ val = ord(os.urandom(1)) % 3
+ if val == 0:
+ # dec
+ randBaseIP += parts[i] + '.'
+ elif val == 1:
+ # hex
+ if not smallIP:
+ randBaseIP += hexParts[i].replace('0x', '0x' + '0' * (ord(os.urandom(1)) % 31)) + '.'
+ else:
+ randBaseIP += hexParts[i] + '.'
+ else:
+ # oct
+ if not smallIP:
+ randBaseIP += '0' * (ord(os.urandom(1)) % 31) + octParts[i] + '.'
+ else:
+ randBaseIP += octParts[i] + '.'
+
+ return randBaseIP[:-1]
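Review bot: In `ipfuscate()` the local `type` shadows the builtin, and `ip` is rebound to an int, a hex/oct string or the helper's result before the final `str(ip)`, which makes the branches harder to follow than necessary; `choice = ord(os.urandom(1)) % 4` with a return in each branch would read more clearly. The `if not smallIP:` arm and the inner `else:` both call `randomBaseIPgen(parts, smallIP)`, so `decimal` could be computed only in the branches that use it. The docstrings give credits but not the contract: I would add that `ip` must be a dotted-quad IPv4 string, that `smallIP` suppresses the zero padding, and that every returned form is just another spelling of the same 32-bit address. That last fact is what a reader needs when auditing generated commands or writing a detection that canonicalises IP literals before matching.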