```python
# this is used for custom shellcode generation
def custom_shellcode():
    print("""
[*******************************************************************************************************]

-----Custom Shellcode Generation Method----

This method will allow you to insert your own shellcode into the Unicorn attack. The PowerShell code
will increase the stack size of the powershell.exe (through VirtualAlloc) and inject it into memory.

Note that in order for this to work, your txt file that you point Unicorn to must be formatted in the
following format or it will not work:

0x00,0x00,0x00 and so on.

Also note that there are size restrictions. The total length of the PowerShell command cannot exceed
8191 characters. This is the max command line argument size limit in Windows.

Usage:

python unicorn.py shellcode_formatted_properly.txt shellcode

Next simply copy the powershell command to something you have the ability for remote command execution.

NOTE: THE FILE MUST PROPERLY BE FORMATTED IN A 0x00,0x00,0x00 TYPE FORMAT WITH NOTHING ELSE OTHER THAN
YOUR SHELLCODE IN THE TXT FILE.

There are some caveats with this attack. Note that if your payload size is large in nature it will not
fit in cmd.exe. That means that from a command line argument perspective, if you copy and paste you will
hit the 8191 character size restriction (hardcoded into cmd.exe). If you are launching directly from
cmd.exe this is an issue; however, if you are launching directly from PowerShell or other normal
applications this is a non-problem.

A couple of examples here: wscript.shell and powershell use a USHORT - 65535 / 2 = 32767 size limit:

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING;

For this attack, if you are launching directly from powershell or VBScript (WSCRIPT.SHELL), there are no
issues.


[*******************************************************************************************************]
""")

# this is used for custom shellcode generation
def settings_ms():
    pass  # function body not included in this excerpt
```
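The help text above gives a defender two concrete things to look for in process-creation telemetry: a PowerShell command line carrying a comma-separated `0xNN` byte array and a `VirtualAlloc` reference, and command lines pushed toward the 8191 (cmd.exe) and 32767 (UNICODE_STRING) limits. The triage routine below is an added example, not part of Unicorn; the sample command lines are constructed, and the thresholds (eight or more byte literals) are my own assumption.

```python
import re

# Limits quoted in the Unicorn help text: cmd.exe's 8191-character argument
# limit and the USHORT-bounded UNICODE_STRING (32767 WCHARs).
CMD_EXE_LIMIT = 8191
UNICODE_STRING_LIMIT = 32767

# A run of at least eight comma-separated 0xNN literals, i.e. the shellcode
# file format the help text requires once it lands inside a command line.
HEX_BYTE_ARRAY = re.compile(r"(?:0x[0-9a-fA-F]{2}\s*,\s*){7,}0x[0-9a-fA-F]{2}")
HEX_BYTE = re.compile(r"0x[0-9a-fA-F]{2}")


def count_hex_bytes(text):
    """Return the number of 0xNN literals in the longest qualifying run (0 if none)."""
    return max((len(HEX_BYTE.findall(m.group(0))) for m in HEX_BYTE_ARRAY.finditer(text)),
               default=0)


def triage_command_line(cmdline):
    """Score one process-creation command line (e.g. from Sysmon event 1 or
    Security event 4688) for the in-memory injection pattern described above."""
    lower = cmdline.lower()
    result = {
        "powershell": "powershell" in lower,
        "virtualalloc": "virtualalloc" in lower,
        "hex_byte_array": count_hex_bytes(cmdline),
        "length": len(cmdline),
        # A line over 8191 chars could not have been typed into cmd.exe, so it
        # was launched some other way (PowerShell, WScript.Shell, a script host).
        "exceeds_cmd_exe_limit": len(cmdline) > CMD_EXE_LIMIT,
        "exceeds_unicode_string_limit": len(cmdline) > UNICODE_STRING_LIMIT,
    }
    # Assumed heuristic: PowerShell plus either indicator is worth an analyst's look.
    result["suspicious"] = result["powershell"] and (
        result["virtualalloc"] or result["hex_byte_array"] >= 8)
    return result


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    'powershell.exe -w hidden -c "$b = 0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xcc; '
    'VirtualAlloc(0, $b.Length, 0x3000, 0x40)"',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage_command_line(line))
```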