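def customAction(self, packet):
    """Sniffer callback: reassemble file content carried in ICMP payloads.

    Only packets with both an ICMP layer and a Raw payload are considered.
    The payload is expected to be base64 text; once decoded it is either
    ``<file name>.:::-989-:::.<file data>`` (the name travels with the
    data) or bare data that is appended to ``self.file_name``.  A payload
    identical to the previous one (``self.last_packet``) is skipped so a
    retransmitted packet does not duplicate file content.

    Args:
        packet: a scapy packet (``haslayer`` and ``[Raw]`` are used).

    Side effects: appends to files inside ``self.loot_path`` and calls
    ``helpers.received_file`` for each write.  Packets that are not in
    the expected format are ignored without raising.
    """
    import os

    if not (packet.haslayer(ICMP) and packet.haslayer(Raw)):
        return
    icmp_strings = repr(packet[Raw])
    try:
        # The Raw repr is of the form <Raw  load='...'>; the base64 text is
        # the first single-quoted field.
        incoming_data = base64.b64decode(icmp_strings.split('\'')[1])
        # Under Python 3 b64decode returns bytes, but the delimiter test
        # and the text-mode write below need str.  On Python 2 bytes is
        # str, so this branch is a no-op there.
        if not isinstance(incoming_data, str):
            incoming_data = incoming_data.decode('utf-8')
        if incoming_data == self.last_packet:
            return
        if ".:::-989-:::." in incoming_data:
            file_name, _, file_data = incoming_data.partition(".:::-989-:::.")
        else:
            file_name, file_data = self.file_name, incoming_data
        # The name is sender-controlled: keep only its last path component
        # so a name such as "../x" cannot write outside self.loot_path.
        file_name = os.path.basename(file_name)
        if file_name in ('', '.', '..'):
            return
        helpers.received_file(file_name)
        with open(os.path.join(self.loot_path, file_name), 'a') as icmp_out:
            icmp_out.write(file_data)
        self.last_packet = incoming_data
    except (TypeError, ValueError, IndexError):
        # Ordinary ICMP traffic (pings etc.) carries payloads that are not
        # base64 or not in our format; those are skipped quietly so the
        # sniffer keeps running.  ValueError also covers binascii.Error
        # from bad base64 padding and UnicodeDecodeError from the decode.
        pass
    return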
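def process_message(self, peer, mailfrom, rcpttos, data):
    """SMTP server hook: store an incoming message and its attachments.

    Every MIME part is passed to ``self.email_parse_attachment``.  Parts it
    reports as a dict containing ``filedata`` are base64-decoded and
    written under ``<ea_path>/data`` using the reported ``filename``.  For
    every other part the raw message, prefixed with the peer address, is
    appended to a timestamped ``*email_data.txt`` file.

    Args:
        peer: (host, port) of the connecting client.
        mailfrom: envelope sender.
        rcpttos: list of envelope recipients.
        data: the raw message text.

    Returns:
        None, which tells smtpd the message was accepted.
    """
    import os

    print('Receiving message from: {}'.format(peer))
    print('Message addressed from: {}'.format(mailfrom))
    print('Message addressed to : {}'.format(rcpttos))
    print('Message length : {}'.format(len(data)))
    loot_directory = os.path.join(helpers.ea_path(), 'data')
    msgobj = Parser().parsestr(data)
    for part in msgobj.walk():
        attachment = self.email_parse_attachment(part)
        if isinstance(attachment, dict) and 'filedata' in attachment:
            decoded_file_data = base64.b64decode(attachment['filedata'])
            # The name comes from the message headers, i.e. from the
            # sender: reduce it to its last path component so the write
            # cannot leave loot_directory.
            attach_file_name = os.path.basename(attachment['filename'])
            if attach_file_name in ('', '.', '..'):
                continue
            with open(os.path.join(loot_directory, attach_file_name),
                      'wb') as attached_file:
                helpers.received_file(attach_file_name)
                attached_file.write(decoded_file_data)
        else:
            # NOTE(review): this branch runs once per non-attachment part,
            # so a multipart message appends the full raw message several
            # times.  Kept as-is; confirm whether a single write was meant.
            # One strftime call so the date and time cannot straddle a
            # second boundary; the format matches the old
            # MMDDYYYY_HHMMSS naming.
            stamp = time.strftime("%m%d%Y_%H%M%S")
            file_name = stamp + "email_data.txt"
            with open(os.path.join(loot_directory, file_name),
                      'a') as email_file:
                email_file.write('METADATA: File from - ' + str(peer) + '\n\n')
                email_file.write(data)
    return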
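def write_file(self, file_name, write_mode='w', data=None):
    """Write received content to ``LOOT_PATH + file_name``.

    Two modes:
      * ``data`` given: it is written directly using ``write_mode``.
      * ``data`` absent: the file is reassembled from the module-level
        ``FILE_DICT`` (chunks keyed by their 1-based sequence number as a
        string) up to chunk number ``FILE_STATUS``; chunk numbers that were
        never received are reported, and ``self.clear_globals`` resets the
        module state.  With fewer than two entries in ``FILE_DICT`` there
        is nothing to assemble and the call returns without writing.

    Args:
        file_name: output file name, appended verbatim to ``LOOT_PATH``.
        write_mode: mode passed to ``open``.
        data: complete content, or None to assemble from FILE_DICT.
    """
    global LOOT_PATH, FILE_DICT, FILE_STATUS
    # NOTE(review): file_name is concatenated verbatim.  If a caller takes
    # it from the network, it should be reduced to a bare name with
    # os.path.basename first so the write cannot leave LOOT_PATH.
    if data:
        with open(LOOT_PATH + file_name, write_mode) as f:
            f.write(data)
        return
    helpers.received_file(file_name)
    write_dict = FILE_DICT
    if len(write_dict) < 2:
        return
    missing_keys = []
    with open(LOOT_PATH + file_name, write_mode) as f:
        for chunk_no in range(1, int(FILE_STATUS) + 1):
            # Only a missing chunk counts as "missing"; a failing write
            # now propagates instead of being reported as a lost key.
            try:
                content = write_dict[str(chunk_no)]
            except KeyError:
                missing_keys.append(chunk_no)
            else:
                f.write(content)
    if missing_keys:
        # join() needs strings; passing the int keys raised TypeError
        # instead of printing the report.
        print('[-] ERROR: The following keys were missing from FILE_DICT!\n{}'
              .format(', '.join(str(k) for k in missing_keys)))
    self.clear_globals()
    return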
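def do_POST(self):
    """Handle POST uploads from the test agents and from simulated callbacks.

    Routing on ``self.path``:
      * ``/post_data.php`` - body appended to a timestamped ``*web_data.txt``.
      * ``/post_file.php`` - body is ``<name>.:::-989-:::.<bytes>``; the bytes
        are written to ``<name>``.
      * ``/posh_file.php`` - body written to the name given in the
        ``Filename`` header.
      * a URI from ``malware_callbacks`` (exact match in ``malware_uris`` or
        prefix match in ``other_apt_uris``) - body appended to a timestamped
        ``*actor_data.txt``.
      * anything else - 404.

    All files land in ``<ea_path>/transfer/``; file names received from the
    client are reduced to their last path component so an upload cannot
    write outside that directory.
    """
    # current directory
    exfil_directory = os.path.join(helpers.ea_path(), 'transfer')
    loot_path = exfil_directory + '/'
    # Info for this from -
    # http://stackoverflow.com/questions/13146064/simple-
    # python-webserver-to-save-file
    if self.path == "/post_data.php":
        self._accept_upload()
        self._ensure_loot_dir(loot_path)
        self._append_dump(loot_path, "web_data.txt", self._read_body())
    elif self.path == "/post_file.php":
        self._accept_upload()
        self._ensure_loot_dir(loot_path)
        body = self._read_body()
        # The client sends "<file name>.:::-989-:::.<file bytes>".
        raw_name, _, file_data = body.partition(b".:::-989-:::.")
        file_name = self._safe_name(raw_name.decode('utf-8'))
        if file_name:
            with open(loot_path + file_name, 'wb') as cc_data_file:
                helpers.received_file(file_name)
                # Written exactly as received; decoding to str and
                # re-encoding as UTF-8 corrupted non-text uploads.
                cc_data_file.write(file_data)
    elif self.path == "/posh_file.php":
        self._accept_upload()
        self._ensure_loot_dir(loot_path)
        file_name = self._safe_name(self.headers.get('Filename') or '')
        data = self._read_body()
        if file_name:
            with open(loot_path + file_name, 'wb') as cc_data_file:
                cc_data_file.write(data)
    elif self._is_actor_uri(self.path):
        self._accept_upload()
        self._ensure_loot_dir(loot_path)
        self._append_dump(loot_path, "actor_data.txt", self._read_body())
    # All other Post requests
    else:
        self.send_response(404)
        self.end_headers()
        print('Odd... someone else is trying to access this web server...')
        print('Might want to check that out...')

def _accept_upload(self):
    """Send the 200 response every recognised upload path returns."""
    self.send_response(200)
    self.end_headers()

@staticmethod
def _ensure_loot_dir(loot_path):
    """Create the loot directory on first use."""
    # Check to make sure the agent directory exists, and a loot
    # directory for the agent. If not, make them
    if not os.path.isdir(loot_path):
        os.makedirs(loot_path)

def _read_body(self):
    """Read the request body; a missing Content-Length reads nothing."""
    length = self.headers.get('content-length') or 0
    return self.rfile.read(int(length))

@staticmethod
def _safe_name(name):
    """Reduce a client-supplied file name to a bare name inside the loot dir.

    Returns '' for names with no usable final component ('', '.', '..'),
    which callers treat as "do not write".
    """
    # Dropping the directory part (and with it any '..') confines the
    # write to the loot directory regardless of what the client sent.
    base = os.path.basename(name)
    return '' if base in ('', '.', '..') else base

def _append_dump(self, loot_path, suffix, body):
    """Append *body*, prefixed with the client address, to a timestamped file.

    The file is ``<loot_path>MMDDYYYY_HHMMSS<suffix>``, the same naming
    the separate date/time strftime calls produced.
    """
    # Get the date info
    stamp = time.strftime("%m%d%Y_%H%M%S")
    # Write out the file
    with open(loot_path + stamp + suffix, 'a') as cc_data_file:
        # address_string() is a method; str(self.address_string) wrote the
        # bound-method repr instead of the client host.
        cc_data_file.write('METADATA: From: ' + str(self.client_address) + ' ' +
                           self.address_string() + '\n\n')
        # str(bytes) would write the b'...' repr; decode the body instead.
        cc_data_file.write(body.decode('utf-8', 'replace'))

def _is_actor_uri(self, path):
    """True when *path* matches a simulated-malware callback URI."""
    # The previous test used a bare generator expression as the second
    # operand of `or`, which is always truthy: every unknown POST was
    # treated as a callback and the 404 branch was unreachable.
    return (path in malware_callbacks.malware_uris
            or any(path.startswith(other_uri)
                   for other_uri in malware_callbacks.other_apt_uris))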