Cатсн²² (in)sесuяitу / ChrisJohnRiley

Back at the beginning of 2012 I played around with some Python ctypes as part of a project I was working on in the background. At the time I released a few code snippets that used ctypes to do a few fun things, but never really got around to releasing the main project I was working on.

Python ctypes posts from 2012:

• https://blog.c22.cc/2012/02/17/quick-post-fun-with-python-ctypes-simpleicmp/
• https://blog.c22.cc/2012/02/21/quick-post-more-fun-with-python-ctypes-internetconnectedstate/
• https://blog.c22.cc/2012/02/24/quick-post-yet-more-fun-with-python-ctypes-sspi/
• https://blog.c22.cc/2012/03/05/what-more-python-ctypes-dns-txt-records/

The main project I was working on was a simple Python script that injects shellcode into a running process using CreateRemoteThread (nothing brand new here). The interesting part of the project (for me anyway) was the ability for the Python script to request the shellcode to inject using DNS TXT requests, ICMP request/responses or simple HTTP(S) request (using SSPI if required). I demo’d the code at the BSides London conference in 2012 at the underground / lightning talks an had some positive feedback, however the time just hasn’t been there to finish things off since then.

As a result of the lack of time to finish things off, I’ve put up the latest modular version of PySC (version 0.8) on Github for people to use, tear apart , and generally laugh at as you see fit. As the project is still in prototype your mileage may vary.

PySC was designed to be configured using the config.py file present in /config directory, and run headless on a Windows system after being packed into an executable using something like PyInstaller. However you can run it using command line options as well by running it with -h to see the various options.

The /optional directory also includes some example server-side implementations for Metasploit and a Python Scapy ICMP listener for delivering Shellcode to the PySC client.

Check the source-code for details…

https://github.com/ChrisJohnRiley/PySC

PySC 0.8 (prototype release – 26 December 2013)

PySC expands on the numerous available tools and scripts to inject into a process on a
running system.

Aims of this project:

– Remove shellcode from the script to help avoid detection by AV and HIPS systems
– Offer a flexible command line based script
– Also provide the ability to run fully automated, as an EXE (by using pyinstaller)

To this end this prototype script offers the ability to download shellcode from a
remote DNS server (using TXT records) or through Internet Explorer (using SSPI to
utilize system-wide proxy settings and authorization tokens) and injects it into a
specified process. If injection into the specified process is not possible, the script
falls back to injecting into the current process.

Module dependancies: none

Notes:

PySC will by default run silent (no user feedback) to enable user
feedback (error/status messages) please use debug mode (-d/–debug
at command-line, or set debug = True in the script itself)

Any command-line options passed to PySC at runtime override the
hard-coded values within the script.

To use PySC as a stand-alone executable, set the desired parameters
in the script itself, and use pyinstaller to create an .exe