Update.txt
#######################################################################
The Official Release of Rmutate 5/3/2017
#######################################################################
-----------------------------------------------------------------------
Update: 5/12/2017 > 1.1.X
-----------------------------------------------------------------------
You now have the option to generate write-to-memory shellcode using
the -f6 option. That makes three types: the push-arg exploit type for
OSX/Linux, write-to-hdd for OSX/Linux, and now write-to-memory.
The PowerShell option now has an obfuscation switch, -o. Its purpose
is to lower your byte count: it removes unneeded whitespace and
semicolons and renames all variables to a couple of letters. Combine it
with the -d option (in the same argument) to debug, so -od or -do. For
more info:
Rmutate -h -f6
=======================================================================
Update: 5/15/2017 > Version 2
=======================================================================
After you convert a PowerShell script to base64 you can use the w
option to see your output (helps with debugging).
example: Rmutate -f6 .\something.ps1 -ps -ow
That shows the Windows mode for an executable Rmutate script that is
also obfuscated.
Resolved an issue where -o'' and -b'' would not work if -jcp was not
used on Unix, the second and later variables started with a /, and the
bit width of that register was under 64 bits. Originally -b'' and -o''
only worked in PowerShell; now they work in both cmd and PowerShell.
Various other hotfixes were also made.
-----------------------------------------------------------------------
Update: 5/27/2017 > 2.1.X
-----------------------------------------------------------------------
Changed the ASCII decoding from UTF-8 to ISO-8859-1 so more hex values
would be converted (every byte 0x00-0xff maps to a character in
ISO-8859-1, whereas byte sequences that are not valid UTF-8 fail to
decode). I removed the single quotes around the Metasploit architecture
(fix). support_esc.rb has been updated to support jcp. Also fixed the
ASCII conversion when a pointer was used. The final addition was that
the jcp code is now placed at the bottom of the conversion. To check
whether jcp code was used, run "objdump -d <file>" and you should see a
block of 16 bytes; if not, jcp code was not used.
I used exception handling to take care of the clipboard content being
too long. If you get OSError: [Errno 7] Argument list too long you will
be given the option to write the contents to a file. This does not
include the esc tool; for that, just redirect to a file. I added the
regex \s*\.\.\. to esc to account for null bytes. As a shellcoder you
will want null bytes if you have multiple JCPs; if used correctly, no
encoder will be needed. I added shorthand, so for example -ath can be
written as ah: remove the "-" and the "t" when using a conversion. Also
-hti and -ith (aka hi and ih) convert hex to int and int to hex. I added
a new shellcode execution method (write and execute from hex); use -fx
to learn more. This writes to the filesystem, unlike -f6 which writes
to memory.
I made the -fx and the -f6 jcp db block formatted. That way, making
changes won't crash your gedit if your string is too long. You can also
use the n in -sb and -nb to get block formats as well; Rmutate -h -fx to
learn more. New universal options: -cb (clipboard) and -pp (pipe)
example: echo hello | Rmutate ha -pp
would give you the hex for hello
New conversion options: -ch and -c6. If you have a script that you want
to use that is in hex, just use -ch (convert hex), so:
Rmutate -s <hex string> -linux -ex -ch
You can combine this with the above; say you have a whole command
written in hex in a file:
cat hex_file.txt | Rmutate -s -pp -linux -ex -ch
-----------------------------------------------------------------------
Update: 6/03/2017 > 2.2.X
-----------------------------------------------------------------------
I added an hth function. This is good when you want to convert one
style of hex to a different style of hex, for example from "\x41\x42"
to 0x4142. It combines -hta and -ath: first -hta (because it must
normalize the different hex input styles) and then -ath to give the
different hex output.
Rmutate -hh -cb -nb (where -cb is a shellcode block in the clipboard)
would output nasm block code syntax.
Rasm2 is now included with the -Rasm2 option. Rasm2 works like gdb
except with the help of Rmutate. You can pipe C files with shellcode
into Rmutate and get the assembly equivalent as output; you can even
output as a Unix/Windows file and exec.
Added -mul and -div to -bit (-bit used to be a part of hta). I also
added shorthand, so you can type m for mul, a for add, etc. (not and
and are the only ones left unchanged).
-----------------------------------------------------------------------
Update: 8/13/2017 > 2.3.X
-----------------------------------------------------------------------
bit and hta are now separated. You can use bit for your bitwise
functions since it is probably easier to remember for that than -hta. I
fixed the hex to ASCII conversion to translate one byte at a time. That
way, if you get something like \x09, that byte is simply skipped
instead of the whole conversion giving no output. Piping into Rmutate
with a newline now works properly in hta. The clipboard will now insert
a "\n" or a "`n" (OS dependent) where you have a newline, instead of
removing all newlines. Just echo -e the clipboard to view it naturally.
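The hth translation described in 2.2.X and the byte-at-a-time hex-to-ASCII fix above, as an added example. This is not Rmutate's code; it is a stand-alone Python illustration written for this changelog. The set of accepted input styles ("\x41\x42", 0x4142, %41%42, "41 42", bare "4142", and nasm "db 0x41, 0x42" lines) and the output style names are assumptions for the example, since the page does not list exactly which styles Rmutate handles.

```python
import re

# Hex styles this example accepts (an assumption for the example; the page
# does not list exactly which styles Rmutate's hth handles):
#   "\x41\x42"   0x4142   %41%42   "41 42"   "4142"   db 0x41, 0x42
_NASM_DB = re.compile(r'^\s*db\s+', re.IGNORECASE | re.MULTILINE)
_NOISE = re.compile(r'\\x|0x|[%,;\s"\'\[\]]', re.IGNORECASE)
_HEX = re.compile(r'[0-9A-Fa-f]+')


def parse_hex(text: str) -> bytes:
    """Normalise any accepted hex style to raw bytes (the -hta half of hth)."""
    cleaned = _NOISE.sub('', _NASM_DB.sub('', text))
    if not cleaned:
        return b''
    if len(cleaned) % 2 or not _HEX.fullmatch(cleaned):
        raise ValueError(f'not a hex byte string: {text!r}')
    return bytes.fromhex(cleaned)


def to_style(data: bytes, style: str, width: int = 16) -> str:
    """Render bytes in one output style (the -ath half of hth).

    'x'    -> \\x41\\x42            'url'  -> %41%42
    '0x'   -> 0x4142                'nasm' -> db 0x41, 0x42, ... in rows of `width`
    'c'    -> "\\x41\\x42" per row, the block format that keeps editors happy
    """
    rows = [data[i:i + width] for i in range(0, len(data), width)]
    if style == 'x':
        return ''.join(f'\\x{b:02x}' for b in data)
    if style == '0x':
        return '0x' + data.hex()
    if style == 'url':
        return ''.join(f'%{b:02X}' for b in data)
    if style == 'nasm':
        return '\n'.join('db ' + ', '.join(f'0x{b:02x}' for b in row) for row in rows)
    if style == 'c':
        return '\n'.join('"' + ''.join(f'\\x{b:02x}' for b in row) + '"' for row in rows)
    raise ValueError(f'unknown style: {style}')


def translate(text: str, style: str, width: int = 16) -> str:
    """hth: any accepted input style -> the requested output style."""
    return to_style(parse_hex(text), style, width)


def hex_to_ascii(text: str, keep_newlines: bool = True) -> str:
    """Decode one byte at a time. ISO-8859-1 maps every byte 0x00-0xff to a
    character, so decoding never raises; bytes that are not printable (for
    example \\x09) are skipped instead of aborting the whole conversion."""
    out = []
    for b in parse_hex(text):
        ch = bytes([b]).decode('iso-8859-1')
        if ch.isprintable() or (keep_newlines and ch == '\n'):
            out.append(ch)
    return ''.join(out)


if __name__ == '__main__':
    print(translate(r'\x41\x42', '0x'))        # 0x4142
    print(translate('db 0x41, 0x42', 'url'))   # %41%42
    print(hex_to_ascii(r'\x48\x69\x09\x21'))   # Hi!  (the tab byte is dropped)
```

Piping a 20-byte blob through to_style(..., 'nasm') gives a 16-byte row followed by a 4-byte row, which is the block format the -nb option is described as producing.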
-----------------------------------------------------------------------
Update: 9/05/2017 > 2.4.X
-----------------------------------------------------------------------
Rmutate -h -trans is now available. It is a much better conversion
tool than the legacy versions, because you can convert between up to
100 different combinations. Rmutate -h -rq has been updated: it now
allows you to strip quotes from cmd as well as PowerShell input. Use it
with the new hex output mod for URL encoding if you find a Shellshock
vulnerability. zip/gzip compressors are now available. Combine the
PowerShell obfuscator with gzip to save even more bytes!
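The PowerShell byte-count reduction described in 1.1.X (strip comments, unneeded whitespace and semicolons, rename variables to short names), the base64 form mentioned in Version 2, and the gzip step above, as one added example. This is not Rmutate's obfuscator; it is a Python illustration written for this changelog. The sample script is constructed, the list of automatic variable names that must keep their names is an assumed partial list, and the scanner only understands plain '...' and "..." strings (here-strings, backtick-escaped quotes and ${braced} names are not handled). Renaming is applied everywhere, including inside single-quoted strings where $name is literal text, so check the output before relying on it.

```python
import base64
import gzip
import itertools
import re
import string

# Constructed PowerShell sample for this example; it is not a payload.
SAMPLE_PS = '''# leading comment
<# block
   comment #>
$targetHost = "example.invalid"   # trailing comment
$portNumber = 8443;
$msg        = "connecting to $targetHost on port $portNumber";
Write-Output $msg;
if ($env:USERNAME -ne $null) { Write-Output "user: $env:USERNAME" }
'''

# Automatic variables whose names must survive (assumed, not exhaustive).
_RESERVED = {'_', 'args', 'error', 'false', 'home', 'host', 'input', 'lastexitcode',
             'matches', 'null', 'pid', 'profile', 'psitem', 'pwd', 'this', 'true'}
# $name, but not scope/provider-qualified forms such as $env:NAME or $script:name
_VAR = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)\b(?!:)')


def _segments(line):
    """Split a line into (text, quoted) pieces and stop at an unquoted '#'.
    Only plain '...' and "..." strings are tracked."""
    segs, buf, quote = [], [], None
    for ch in line:
        if quote:
            buf.append(ch)
            if ch == quote:
                segs.append((''.join(buf), True))
                buf, quote = [], None
        elif ch in '"\'':
            if buf:
                segs.append((''.join(buf), False))
            buf, quote = [ch], ch
        elif ch == '#':
            break                                    # rest of the line is a comment
        else:
            buf.append(ch)
    if buf:
        segs.append((''.join(buf), quote is not None))
    return segs


def _minify_line(line):
    out = []
    for text, quoted in _segments(line):
        if not quoted:                               # never touch string contents
            text = re.sub(r'\s+', ' ', text)         # collapse runs of whitespace
            text = re.sub(r'\s*=\s*', '=', text)     # $a = 1  ->  $a=1
        out.append(text)
    return ''.join(out).strip().rstrip(';').strip()  # newline already separates statements


def rename_variables(script):
    """Consistently map every user variable to a, b, ..., z, aa, ab, ..."""
    names = (''.join(t) for n in itertools.count(1)
             for t in itertools.product(string.ascii_lowercase, repeat=n))
    mapping = {}

    def repl(m):
        key = m.group(1).lower()                     # PowerShell names are case-insensitive
        if key in _RESERVED:
            return m.group(0)
        if key not in mapping:
            mapping[key] = next(n for n in names if n not in _RESERVED)
        return '$' + mapping[key]
    return _VAR.sub(repl, script)


def minify(script):
    script = re.sub(r'<#.*?#>', '', script, flags=re.S)   # block comments
    lines = [_minify_line(l) for l in script.splitlines()]
    return rename_variables('\n'.join(l for l in lines if l))


def gzip_b64(text):
    return base64.b64encode(gzip.compress(text.encode('utf-8'), mtime=0)).decode('ascii')


def inflate_b64(b64):
    return gzip.decompress(base64.b64decode(b64)).decode('utf-8')


def encode_for_powershell(text):
    """powershell.exe -EncodedCommand expects base64 over UTF-16LE text."""
    return base64.b64encode(text.encode('utf-16-le')).decode('ascii')


def decode_encoded_command(b64):
    return base64.b64decode(b64).decode('utf-16-le')


if __name__ == '__main__':
    small = minify(SAMPLE_PS)
    print(small)
    print(len(SAMPLE_PS), '->', len(small), 'bytes after minifying;',
          len(gzip_b64(small)), 'bytes as gzip+base64')
```

gzip only pays off once the script is larger than the gzip header and base64 expansion cost, so compare the two lengths the main block prints before choosing the compressed form for a short script.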
-----------------------------------------------------------------------
Update: 9/09/2017 > 2.5.X
-----------------------------------------------------------------------
I moved from xsel to xclip (sudo apt install xclip), because xsel was
quite bad at capturing output of any size bigger than about 4000 bytes.
I added two global vars: -k (keep your clipboard) and -o + file to send
any clipboard content to the filename you specify (a good time to use
that is if your clipboard were to fail and you still want its contents).
I added 'Rmutate -h -im', which will automatically give you the
reversed hex of your copied line from Immunity Debugger (so you don't
need to edit the clipped content down to just the address hex).
I added 'Rmutate -h -main', which will give you all the actual
addresses and their corresponding functions. If you use objdump on
Ubuntu, for example, you will get relative, not exact, addresses, so in
that case use "Rmutate -main".
I added 'Rmutate r', which will allow you to pipe content into your
clipboard or print it out.
I added JavaScript "js" as a hex mod; you can also convert from
JavaScript now as well.
"Rmutate -h -trans" for more
-----------------------------------------------------------------------
Update: 9/14/2017 > 2.6.X
-----------------------------------------------------------------------
Added the ability to make Linux and Mac malware (Rmutate -h -f6) run
as a daemon.
With OSX I had to use "killall Terminal"; osascripts aren't
processed the same in a shellcode environment.
Also with -f6, both Ruby and Python get comment lines and blank
lines stripped; Ruby is also set to single-line execution with the
-o option.
-----------------------------------------------------------------------
Update: 9/18/2017 > 2.7.X
-----------------------------------------------------------------------
I added another ability, "Rmutate -h -rt".
-rt is for making a script victim-ready for a "r"emote "t"erminal.
-rq is for "r"emoving "q"uotes so code can be run natively.
With -rt you don't need to upload a script to make it run, or be
frustrated with making sure you get all of your literals just right;
just "rt" it from any shell and paste it into your victim's terminal.
-esc now has a new feature, /a or -a, which will convert all hex to
ASCII. This is nice because if there is some base64 inside, you can
quickly convert it to its text form with "Rmutate -h -trans".
-----------------------------------------------------------------------
Update: 9/25/2017 > 2.8.X
-----------------------------------------------------------------------
I added the ability to use the option '-s sk', sk being short for
skeleton; you could also do -s ''.
That way you can easily add in your own shellcode, say from
exploit-db or similar.
The default is to have two voided pointers that help scramble the
hashing of the shellcode when it is placed into binaries.
You can remove that option by adding -nah (no anti-hash).
You can now add a SUID/SGID header by using the -id parameter for
both Linux and OSX.
-----------------------------------------------------------------------
Update: 10/08/2017 - 10/28/2017 > 2.9.X
-----------------------------------------------------------------------
"Rmutate -h -f6" usage now has the added ability -p. This will give
you a PHP wrapper instead of an Rmutate wrapper. A great use of this
would be to make Python/Ruby/PowerShell reverse shells, use the new -p
option, and send the payload to a vulnerable web server.
"Rmutate -h -rt" has a new -bash method. This allows you to write
or execute using only bash without needing Ruby/Python. However, if
your script is designed for Ruby/Python, it is better to use those.
"Rmutate -h -f6" now has a bash variation of the
Ruby/Python/bat/PowerShell write-and-execute scripts.
When you combine this with the new PHP method, you can easily
create multi-port bash-style backdoors on your victim's host. I was on
a victim's machine that had Python version 2.3 and found that my
Python reverse shell wouldn't work, but this new method would.
"Rmutate r" can be run as root now.
The -jcp standard for Linux/OSX is now /bin/bash instead of
/bin/sh, because you get more functionality that way. For instance, it
is required when you want to use the new -f6 bash option or if you
want to convert a script like this:
-----------------------
cat bash_test.sh
for i in {0..5}; do
    echo $i
done
-----------------------
cat bash_test.sh | Rmutate -s -pp -ex -linux -jcp
Note that you can't have nested file descriptors; that means, for
example, a multi-layered bash reverse shell will not work, nor will a
reverse shell that is inside an eval command. Also, I suggest always
using Ruby/Python over bash on Unix unless they have a legacy version.
Since PHP always executes as /bin/sh instead of /bin/bash, I had to
send a randomly named file to the tmp folder to execute your request.
In shellcode that is not necessary, since I changed the execution from
/bin/sh to /bin/bash. Lastly, the 'h' mod for -f6 was changed to 't'
for top line so I could use 'h' for hex mode, to keep it in unison with
the -rt mod.
Global var "-z" was introduced (even though it technically already
existed, by not being implemented) to be a null variable holder. That
way you can skip certain args you would rather not be concerned with
to get to the global var placeholders; example below, and described
more in depth in "Rmutate -h -globals":
echo "hello world" | Rmutate -a -h -pp -z -x hi.txt -k
New mods 'r' and 'm' were added to the -f6 action:
'r' will make PHP executions run for legacy Red Hat systems
'm' will make a file on the OS before executing for PHP executions
"Rmutate -h -trans" no longer requires you to start mods with a
shellcode type.
You can now use int for bitwise functions instead of just hex
(Rmutate -h -bit).
Clicking on Rmutate.exe now opens in PowerShell instead of cmd.
-----------------------------------------------------------------------
Update: 11/04/2017 > 12/30/2017 3.0.X
-----------------------------------------------------------------------
"Rmutate -h -raw" was added, which means you can now convert raw
assembly code straight to shellcode. This is better than r2's version
because r2's version uses pre-computed shellcode output. My version
assembles the code and extracts the bytecode via objdump, so the bytes
are always exactly what the assembler emitted.
You can now use "Rmutate -h -bit" in an encoding loop with the new
-e mod; also, the first and second inputs can each be hex or int (they
no longer need to be the same).
The "-tn" option adds a terminating null to the end of your
shellcode. This is required when using my Radicalware MSF encoders;
otherwise you will get garbage at the end of your decoded code that
will interfere with your payload.
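The three steps above (pull bytecode out of objdump output, run the bytes through an encoding loop, append a terminating null so the decoder knows where to stop), as one added example. This is not Rmutate's code and not the Radicalware encoders; it is a Python illustration written for this changelog that uses a single-byte XOR as the stand-in encoder. The objdump listing is constructed for the example (x86-64, AT&T syntax, including a movabs that objdump splits over two lines and a final instruction that deliberately contains nulls), and the key selection rule is the example's own: the key is rejected if it, or any encoded byte, lands in the bad-character set, because an encoded 0x00 would be read as the terminator.

```python
import re

# Constructed `objdump -d` output for this example (x86-64, AT&T syntax). The
# movabs is split across two lines the way GNU objdump prints instructions
# longer than 7 bytes, and the last instruction deliberately contains nulls.
OBJDUMP_SAMPLE = (
    "sample.o:     file format elf64-x86-64\n"
    "\n"
    "Disassembly of section .text:\n"
    "\n"
    "0000000000000000 <_start>:\n"
    "   0:\t48 31 c0             \txor    %rax,%rax\n"
    "   3:\t48 31 ff             \txor    %rdi,%rdi\n"
    "   6:\tb0 3c                \tmov    $0x3c,%al\n"
    "   8:\t0f 05                \tsyscall\n"
    "   a:\t48 b8 2f 62 69 6e 2f 2f \tmovabs $0x68732f2f6e69622f,%rax\n"
    "  11:\t73 68 \n"
    "  14:\tb8 01 00 00 00       \tmov    $0x1,%eax\n"
)

# address, colon, whitespace, then one or more "xx " byte groups; the mnemonic
# (if any) is ignored, so continuation lines that carry bytes only are kept too
_OBJDUMP_LINE = re.compile(r'^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2} )+)')


def extract_bytes(objdump_text: str) -> bytes:
    """Pull the raw opcode bytes out of `objdump -d` output, in order."""
    code = bytearray()
    for line in objdump_text.splitlines():
        m = _OBJDUMP_LINE.match(line)
        if m:
            code += bytes.fromhex(m.group(1).replace(' ', ''))
    return bytes(code)


def find_bad_bytes(code: bytes, bad: bytes = b'\x00') -> list:
    """(offset, value) of every byte the target would mangle; nulls by default."""
    return [(i, b) for i, b in enumerate(code) if b in bad]


def pick_xor_key(code: bytes, bad: bytes = b'\x00') -> int:
    """Smallest single-byte key such that neither the key itself nor any
    encoded byte is in `bad`. A plaintext byte equal to the key would encode
    to 0x00, which a null-terminated decoder would mistake for the end."""
    for key in range(1, 256):
        if key not in bad and all((b ^ key) not in bad for b in code):
            return key
    raise ValueError('no single-byte XOR key avoids the bad characters')


def xor_encode(code: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in code)


def with_terminator(encoded: bytes) -> bytes:
    """The -tn idea: append 0x00 so a decoder stub knows where the data ends."""
    return encoded + b'\x00'


def xor_decode_until_null(blob: bytes, key: int) -> bytes:
    """What a null-terminated XOR decoder stub does: decode up to the first
    0x00 and stop. Without the terminator it would keep going into whatever
    follows the payload in memory, which is the garbage the text describes."""
    end = blob.find(b'\x00')
    return xor_encode(blob[:end if end >= 0 else len(blob)], key)


def build(objdump_text: str, bad: bytes = b'\x00') -> dict:
    """objdump text -> raw shellcode -> bad-byte report -> encoded, null-terminated blob."""
    code = extract_bytes(objdump_text)
    key = pick_xor_key(code, bad)
    blob = with_terminator(xor_encode(code, key))
    return {'code': code, 'bad': find_bad_bytes(code, bad), 'key': key, 'blob': blob}


if __name__ == '__main__':
    result = build(OBJDUMP_SAMPLE)
    print('raw  :', result['code'].hex(' '))
    print('bad  :', result['bad'])          # the three nulls in mov $0x1,%eax
    print('key  :', hex(result['key']))
    print('blob :', ''.join(f'\\x{b:02x}' for b in result['blob']))
```

Passing a wider bad-character set (for example b'\x00\x0a\x0d' for a payload that travels through a text protocol) changes which key is chosen; the report from find_bad_bytes is what tells you whether an encoder is needed at all.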
A new mod has been given to "Rmutate -h -general": -bc "bytecode",
where you can pipe in hex code and skip the assembly/opcode portion of
Rmutate.
A fix was made for a bug that prevented rasm2 grepping for bytes. So
if you copied gdb output which has dwords (addresses) and bytes (data),
rasm2 would by default only grab the data in that case. You can force
it to grab only dwords by saying -32d, just like you would in the
translations ("Rmutate -h -trans").
I added a global var -xx to append to a file, as opposed to -x which
overwrites the file that you want output to go to.
This is different from redirecting stdout with > because not all the
Rmutate output is needed; some of it is informational content or style.
-----------------------------------------------------------------------
Update: 01/03/2018 > 01/07/2018 3.1.X
-----------------------------------------------------------------------
Python will now fully obfuscate, as was already done with
PowerShell.
Use the 'o' hex mode with the -f6 action; "Rmutate -h -f6" for
help.
Combined the anti-hash with the name of the execution variable.
-----------------------------------------------------------------------
Update: 01/09/2018 > 01/25/2018 3.2.X
-----------------------------------------------------------------------
Rmutate -h -stty was developed so you can get total control of
your reverse shells.
This means yes to vim, tmux and more. Rmutate supports this for
Linux & OSX. Support for Windows will be coming soon.
I added an option to the "Rmutate -h -rt" ability with which you can
split the commands up based on your splitter. You will be given the
split section you ask for, the command will pause while you paste into
your victim terminal, and then you can come back and press return to
gather more data.
I added the "-br" argument (for bashrc) to -stty, with which you will
use the ability above with your local bashrc/bash_profile commands.
That way your victim machine will feel as native as possible.
=======================================================================
Current Rmutate Version 3.2.3
Rmutate v(Update Cluster or New Shellcode Type).(update).(hotfix)
Hotfixes shown in current version (not update info)
Rmutate is a product of http://Radicalware.net
https://www.youtube.com/playlist?list=PLtgToKXTPsKoLHCeswgUwN_2uD7Oc6RgR
git clone https://github.com/Radicalware/Malware_Tools.git mal
=======================================================================