New upstream version 3.0.6
Sophie Brun
4 years ago
0 | 1/31/2020 | |
1 | ------------ | |
2 | - Version 3.0.6 Master Release | |
3 | - Fixed osx stager generation byte/str errors - #84 (@hypnoticpattern) | |
4 | - Fixed osx appbundle generation which was stripping the wrong string - #84 (@hypnoticpattern) | |
5 | - Removed future imports from python3 launcher, so it works without any extra libraries - #81 (@Cx01N) | |
6 | - Staging key no longer needs to be exactly 32 characters - #85 (@Cx01N) | |
7 | - Add "stale" property to agents endpoint - #90 (@Vinnybod) | |
8 | - Agents endpoint now returns agents without failing due to session_key encoding - #90 (@Vinnybod) | |
9 | - Fixed an indentation bug in aes.py (@Cx01N) | |
10 | ||
0 | 11 | 1/21/2020 |
1 | 12 | ------------ |
2 | 13 | - Version 3.0.5 Master Release |
3 | - Fixed setup_database.py python3 issue - #75 (@linxon) | |
4 | - Added loaded listener types to API - #78 (@Vinnybod) | |
5 | - Fixed python launcherBase (@Cx01N) | |
6 | - Updated Python 3.8 compatibility in stager - #72 (@complana) | |
7 | - Fixed Powerup Invoke-allchecks issue - #64 (@SkiddieTech) | |
8 | - Fixed shellcode stager - #76 (@Hubbl3) | |
9 | - Fixed binary upload error - #55 (@Hubbl3) | |
10 | - Fixed multi/bash error (@Cx01N) | |
14 | - Fixed setup_database.py python3 issue - #75 (@linxon) | |
15 | - Added loaded listener types to API - #78 (@Vinnybod) | |
16 | - Fixed python launcherBase (@Cx01N) | |
17 | - Updated Python 3.8 compatibility in stager - #72 (@complana) | |
18 | - Fixed Powerup Invoke-allchecks issue - #64 (@SkiddieTech) | |
19 | - Fixed shellcode stager - #76 (@Hubbl3) | |
20 | - Fixed binary upload error - #55 (@Hubbl3) | |
21 | - Fixed multi/bash error (@Cx01N) | |
11 | 22 | |
12 | 23 | 1/14/2020 |
13 | 24 | ------------ |
0 | from __future__ import division | |
1 | from future import standard_library | |
2 | standard_library.install_aliases() | |
3 | from builtins import str | |
4 | from builtins import range | |
5 | from builtins import object | |
6 | from past.utils import old_div | |
7 | import __future__ | |
8 | 0 | import struct |
9 | import time | |
10 | 1 | import base64 |
11 | 2 | import subprocess |
12 | 3 | import random |
14 | 5 | import datetime |
15 | 6 | import os |
16 | 7 | import sys |
17 | import trace | |
18 | import shlex | |
19 | 8 | import zlib |
20 | 9 | import threading |
21 | 10 | import http.server |
22 | 11 | import zipfile |
23 | 12 | import io |
24 | 13 | import imp |
25 | import marshal | |
26 | 14 | import re |
27 | 15 | import shutil |
28 | 16 | import pwd |
30 | 18 | import math |
31 | 19 | import stat |
32 | 20 | import grp |
33 | from stat import S_ISREG, ST_CTIME, ST_MODE | |
21 | import numbers | |
34 | 22 | from os.path import expanduser |
35 | 23 | from io import StringIO |
36 | 24 | from threading import Thread |
530 | 518 | else: |
531 | 519 | send_message(build_response_packet(0, "invalid tasking ID: %s" %(taskingID), resultID)) |
532 | 520 | |
521 | def old_div(a, b): | |
522 | """ | |
523 | Equivalent to ``a / b`` on Python 2 without ``from __future__ import | |
524 | division``. | |
525 | """ | |
526 | if isinstance(a, numbers.Integral) and isinstance(b, numbers.Integral): | |
527 | return a // b | |
528 | else: | |
529 | return a / b | |
533 | 530 | |
534 | 531 | ################################################ |
535 | 532 | # |
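Review bot: The `old_div` helper added below the tasking dispatcher reproduces Python 2 `/` semantics, which its docstring names but does not spell out: integral operands floor-divide, so `old_div(-7, 2)` returns -4 and `old_div(7, 2)` returns 3, while any float operand takes true division. Spelling that out in the docstring tells a reader of the launcher why call sites use the helper instead of `/`; `bool` is a `numbers.Integral` too, so `True`/`False` operands also take the floor path. The helper relies on the `import numbers` added in the import hunk above, and there is no longer an import that needs the `future` package, so this should be noted near the helper if anyone later reintroduces `past.utils`.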
234 | 234 | else: |
235 | 235 | if isinstance(iv, str): |
236 | 236 | self._last_cipherblock = _string_to_bytes(iv) |
237 | self._last_cipherblock = iv | |
237 | else: | |
238 | self._last_cipherblock = iv | |
238 | 239 | |
239 | 240 | AESBlockModeOfOperation.__init__(self, key) |
240 | 241 |
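Review bot: The new `else:` branch stores `iv` unconverted while the `str` branch runs it through `_string_to_bytes`, so `_last_cipherblock` is the converted form for a `str` IV and whatever object the caller passed otherwise; if the 16-byte length check lives on the lines above this hunk it covers both, but if it does not, a wrong-length bytes IV is only noticed when the first block is processed. A short comment on the `else`, such as `# bytes-like IV is used as-is; only a str needs converting`, would document why the two branches differ. The enclosing `__init__` starts outside the hunk.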
9 | 9 | stage_1 |
10 | 10 | stage_2 |
11 | 11 | """ |
12 | from __future__ import print_function | |
13 | 12 | |
14 | import copy | |
15 | 13 | import random |
16 | 14 | import string |
17 | 15 | import urllib.request as urllib |
774 | 774 | for activeAgent in activeAgentsRaw: |
775 | 775 | [ID, session_id, listener, name, language, language_version, delay, jitter, external_ip, internal_ip, username, high_integrity, process_name, process_id, hostname, os_details, session_key, nonce, checkin_time, lastseen_time, parent, children, servers, profile, functions, kill_date, working_hours, lost_limit, taskings, results] = activeAgent |
776 | 776 | |
777 | agents.append({"ID":ID, "session_id":session_id, "listener":listener, "name":name, "language":language, "language_version":language_version, "delay":delay, "jitter":jitter, "external_ip":external_ip, "internal_ip":internal_ip, "username":username, "high_integrity":high_integrity, "process_name":process_name, "process_id":process_id, "hostname":hostname, "os_details":os_details, "session_key":session_key, "nonce":nonce, "checkin_time":checkin_time, "lastseen_time":lastseen_time, "parent":parent, "children":children, "servers":servers, "profile":profile,"functions":functions, "kill_date":kill_date, "working_hours":working_hours, "lost_limit":lost_limit, "taskings":taskings, "results":results}) | |
777 | intervalMax = (delay + delay * jitter)+30 | |
778 | ||
779 | # get the agent last check in time | |
780 | agentTime = time.mktime(time.strptime(lastseen_time, "%Y-%m-%d %H:%M:%S")) | |
781 | ||
782 | stale = agentTime < time.mktime(time.localtime()) - intervalMax | |
783 | ||
784 | agents.append({"ID":ID, "session_id":session_id, "listener":listener, "name":name, "language":language, "language_version":language_version, "delay":delay, "jitter":jitter, "external_ip":external_ip, "internal_ip":internal_ip, "username":username, "high_integrity":high_integrity, "process_name":process_name, "process_id":process_id, "hostname":hostname, "os_details":os_details, "session_key":session_key.decode('latin-1').encode('utf-8'), "nonce":nonce, "checkin_time":checkin_time, "lastseen_time":lastseen_time, "parent":parent, "children":children, "servers":servers, "profile":profile,"functions":functions, "kill_date":kill_date, "working_hours":working_hours, "lost_limit":lost_limit, "taskings":taskings, "results":results, "stale":stale}) | |
778 | 785 | |
779 | 786 | return jsonify({'agents' : agents}) |
787 | ||
780 | 788 | |
781 | 789 | |
782 | 790 | @app.route('/api/agents/stale', methods=['GET']) |
800 | 808 | |
801 | 809 | if agentTime < time.mktime(time.localtime()) - intervalMax: |
802 | 810 | |
803 | staleAgents.append({"ID":ID, "session_id":session_id, "listener":listener, "name":name, "language":language, "language_version":language_version, "delay":delay, "jitter":jitter, "external_ip":external_ip, "internal_ip":internal_ip, "username":username, "high_integrity":high_integrity, "process_name":process_name, "process_id":process_id, "hostname":hostname, "os_details":os_details, "session_key":session_key, "nonce":nonce, "checkin_time":checkin_time, "lastseen_time":lastseen_time, "parent":parent, "children":children, "servers":servers, "profile":profile,"functions":functions, "kill_date":kill_date, "working_hours":working_hours, "lost_limit":lost_limit, "taskings":taskings, "results":results}) | |
811 | staleAgents.append({"ID":ID, "session_id":session_id, "listener":listener, "name":name, "language":language, "language_version":language_version, "delay":delay, "jitter":jitter, "external_ip":external_ip, "internal_ip":internal_ip, "username":username, "high_integrity":high_integrity, "process_name":process_name, "process_id":process_id, "hostname":hostname, "os_details":os_details, "session_key":session_key.decode('latin-1').encode('utf-8'), "nonce":nonce, "checkin_time":checkin_time, "lastseen_time":lastseen_time, "parent":parent, "children":children, "servers":servers, "profile":profile,"functions":functions, "kill_date":kill_date, "working_hours":working_hours, "lost_limit":lost_limit, "taskings":taskings, "results":results}) | |
804 | 812 | |
805 | 813 | return jsonify({'agents' : staleAgents}) |
806 | 814 |
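Review bot: The stale computation added at the end of the agents loop (`intervalMax`, `agentTime`, `stale`) duplicates the check the `/api/agents/stale` route performs below (`if agentTime < time.mktime(time.localtime()) - intervalMax:`), so the two endpoints can drift apart; one module-level helper used by both keeps them in step. `time.strptime` raises ValueError when `lastseen_time` is empty or in another format, which now fails the whole `/api/agents` response rather than a single agent, and the helper is the place to decide that. `session_key.decode('latin-1').encode('utf-8')` yields bytes again; whether jsonify accepts bytes depends on the app's JSON encoder, which is outside this hunk, so it is worth confirming — and since every response carries each agent's session key, callers that do not need it should not receive it. The enclosing route functions start outside the hunk.
```python
def _agent_is_stale(delay, jitter, lastseen_time):
    """Return True when the agent's last check-in is older than its maximum interval plus a 30s grace period."""
    interval_max = (delay + delay * jitter) + 30
    # lastseen_time is stored as "%Y-%m-%d %H:%M:%S"; a malformed value raises ValueError here
    agent_time = time.mktime(time.strptime(lastseen_time, "%Y-%m-%d %H:%M:%S"))
    return agent_time < time.mktime(time.localtime()) - interval_max

# … unchanged: activeAgentsRaw loop and field unpacking …
        stale = _agent_is_stale(delay, jitter, lastseen_time)
# … unchanged: agents.append(...) and jsonify …
```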
14 | 14 | from builtins import str |
15 | 15 | from builtins import range |
16 | 16 | |
17 | VERSION = "3.0.5 BC-Security Fork" | |
17 | VERSION = "3.0.6 BC-Security Fork" | |
18 | 18 | |
19 | 19 | from pydispatch import dispatcher |
20 | 20 |
154 | 154 | # if the staging key isn't 32 characters, assume we're md5 hashing it |
155 | 155 | value = str(value).strip() |
156 | 156 | if len(value) != 32: |
157 | stagingKeyHash = hashlib.md5(value).hexdigest() | |
157 | stagingKeyHash = hashlib.md5(value.encode('UTF-8')).hexdigest() | |
158 | 158 | print(helpers.color('[!] Warning: staging key not 32 characters, using hash of staging key instead: %s' % (stagingKeyHash))) |
159 | 159 | listenerObject.options[option]['Value'] = stagingKeyHash |
160 | 160 | else: |
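Review bot: `hashlib.md5(value.encode('UTF-8'))` is right for a str, but the preceding `value = str(value).strip()` turns a bytes value into its repr (`"b'...'"`) on Python 3, so a bytes staging key would be hashed as that repr rather than its contents; if bytes can reach this option from the API or a config file, decode first with `if isinstance(value, bytes): value = value.decode('UTF-8')` ahead of the `str(value)` line. The warning also prints the derived key, `stagingKeyHash`, to the console, where it lands in any captured session output; printing only that a hash was derived avoids that. The enclosing validation function starts and ends outside the hunk.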
273 | 273 | |
274 | 274 | if Arch == 'x64': |
275 | 275 | |
276 | f = open(self.mainMenu.installPath + "/data/misc/apptemplateResources/x64/launcher.app/Contents/MacOS/launcher") | |
276 | f = open(self.mainMenu.installPath + "/data/misc/apptemplateResources/x64/launcher.app/Contents/MacOS/launcher", "rb") | |
277 | 277 | directory = self.mainMenu.installPath + "/data/misc/apptemplateResources/x64/launcher.app/" |
278 | 278 | else: |
279 | f = open(self.mainMenu.installPath + "/data/misc/apptemplateResources/x86/launcher.app/Contents/MacOS/launcher") | |
279 | f = open(self.mainMenu.installPath + "/data/misc/apptemplateResources/x86/launcher.app/Contents/MacOS/launcher", "rb") | |
280 | 280 | directory = self.mainMenu.installPath + "/data/misc/apptemplateResources/x86/launcher.app/" |
281 | 281 | |
282 | 282 | macho = macholib.MachO.MachO(f.name) |
291 | 291 | count = 0 |
292 | 292 | if int(cmd[count].cmd) == macholib.MachO.LC_SEGMENT_64 or int(cmd[count].cmd) == macholib.MachO.LC_SEGMENT: |
293 | 293 | count += 1 |
294 | if cmd[count].segname.strip('\x00') == '__TEXT' and cmd[count].nsects > 0: | |
294 | if cmd[count].segname.strip(b'\x00') == b'__TEXT' and cmd[count].nsects > 0: | |
295 | 295 | count += 1 |
296 | 296 | for section in cmd[count]: |
297 | if section.sectname.strip('\x00') == '__cstring': | |
297 | if section.sectname.strip(b'\x00') == b'__cstring': | |
298 | 298 | offset = int(section.offset) |
299 | 299 | placeHolderSz = int(section.size) - 52 |
300 | 300 | |
303 | 303 | |
304 | 304 | if placeHolderSz and offset: |
305 | 305 | |
306 | launcher = launcherCode + "\x00" * (placeHolderSz - len(launcherCode)) | |
306 | launcher = launcherCode.encode('utf8') + b'\x00' * (placeHolderSz - len(launcherCode)) | |
307 | 307 | patchedBinary = template[:offset]+launcher+template[(offset+len(launcher)):] |
308 | 308 | if AppName == "": |
309 | 309 | AppName = "launcher" |
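Review bot: The padding on the new `launcher = launcherCode.encode('utf8') + b'\x00' * (placeHolderSz - len(launcherCode))` line uses the character count of `launcherCode`, not the length of its UTF-8 encoding, so any non-ASCII character makes `launcher` longer than `placeHolderSz`; and when the launcher exceeds the placeholder the negative multiplier silently yields no padding and the splice on the next line overwrites bytes past the `__cstring` section. Compute the padding from the encoded form and refuse an oversized launcher: `encoded = launcherCode.encode('utf8')`, `if len(encoded) > placeHolderSz: raise ValueError('launcher does not fit the template placeholder')`, `launcher = encoded + b'\x00' * (placeHolderSz - len(encoded))`. The handle `f` opened in the `rb` branches is only used for `f.name` here; whether it is closed is outside the hunk, as are the start and end of the enclosing method.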
96 | 96 | |
97 | 97 | else: |
98 | 98 | disarm = False |
99 | launcher = launcher.strip('echo').strip(' | /usr/bin/python &').strip("\"") | |
99 | launcher = launcher.strip('echo').strip(' | /usr/bin/python3 &').strip("\"") | |
100 | 100 | ApplicationZip = self.mainMenu.stagers.generate_appbundle(launcherCode=launcher,Arch=arch,icon=icnsPath,AppName=AppName, disarm=disarm) |
101 | 101 | return ApplicationZip |
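Review bot: `launcher.strip('echo').strip(' | /usr/bin/python3 &').strip("\"")` treats each argument as a set of characters rather than a substring, so it removes any run of `e`, `c`, `h`, `o` and then any run of the characters in `' | /usr/bin/python3 &'` from both ends; changing `python` to `python3` only adds `3` to that set. This works as long as the payload is protected by the quotes the final `.strip("\"")` expects, but the first or last character of an unquoted launcher that falls in those sets would be eaten. Peeling the known prefix and suffix explicitly makes the intent clear and is safe on 3.8: `launcher = launcher[len('echo '):] if launcher.startswith('echo ') else launcher`, then the same with `endswith` for the `' | /usr/bin/python3 &'` suffix, before stripping the quotes. The enclosing method starts outside the hunk.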