Sākums Izpētīt Palīdzība
Pierakstīties
zhensolid
/
OperatorsKit
1
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: b8dc52f6b0
Atzari Tagi
OperatorsKit
/
KIT
/
FindWebClient
/
findwebclient.c

findwebclient.c 4.3 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159 
  1. #include <windows.h>
    2. 

  2. #include <stdio.h>
    3. 

  3. #include "findwebclient.h"
    4. 

  4. #include "beacon.h"
    5. 

  5. 

  6. 

  7. 

  8. 

  9. 

  10. //https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
    11. 

  11. HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
    12. 

  12. 	HRESULT hr = S_FALSE;
    13. 

  13. 	va_list argList;
    14. 

  14. 	DWORD dwWritten = 0;
    15. 

  15. 

  16. 	if (g_lpStream <= (LPSTREAM)1) {
    17. 

  17. 		hr = OLE32$CreateStreamOnHGlobal(NULL, TRUE, &g_lpStream);
    18. 

  18. 		if (FAILED(hr)) {
    19. 

  19. 			return hr;
    20. 

  20. 		}
    21. 

  21. 	}
    22. 

  22. 

  23. 	if (g_lpwPrintBuffer <= (LPWSTR)1) { 
    24. 

  24. 		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
    25. 

  25. 		if (g_lpwPrintBuffer == NULL) {
    26. 

  26. 			hr = E_FAIL;
    27. 

  27. 			goto CleanUp;
    28. 

  28. 		}
    29. 

  29. 	}
    30. 

  30. 

  31. 	va_start(argList, lpwFormat);
    32. 

  32. 	if (!MSVCRT$_vsnwprintf_s(g_lpwPrintBuffer, MAX_STRING, MAX_STRING -1, lpwFormat, argList)) {
    33. 

  33. 		hr = E_FAIL;
    34. 

  34. 		goto CleanUp;
    35. 

  35. 	}
    36. 

  36. 

  37. 	if (g_lpStream != NULL) {
    38. 

  38. 		if (FAILED(hr = g_lpStream->lpVtbl->Write(g_lpStream, g_lpwPrintBuffer, (ULONG)MSVCRT$wcslen(g_lpwPrintBuffer) * sizeof(WCHAR), &dwWritten))) {
    39. 

  39. 			goto CleanUp;
    40. 

  40. 		}
    41. 

  41. 	}
    42. 

  42. 

  43. 	hr = S_OK;
    44. 

  44. 

  45. CleanUp:
    46. 

  46. 

  47. 	if (g_lpwPrintBuffer != NULL) {
    48. 

  48. 		MSVCRT$memset(g_lpwPrintBuffer, 0, MAX_STRING * sizeof(WCHAR)); 
    49. 

  49. 	}
    50. 

  50. 

  51. 	va_end(argList);
    52. 

  52. 	return hr;
    53. 

  53. }
    54. 

  54. 

  55. //https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
    56. 

  56. VOID BeaconOutputStreamW() {
    57. 

  57. 	STATSTG ssStreamData = { 0 };
    58. 

  58. 	SIZE_T cbSize = 0;
    59. 

  59. 	ULONG cbRead = 0;
    60. 

  60. 	LARGE_INTEGER pos;
    61. 

  61. 	LPWSTR lpwOutput = NULL;
    62. 

  62. 

  63. 	if (FAILED(g_lpStream->lpVtbl->Stat(g_lpStream, &ssStreamData, STATFLAG_NONAME))) {
    64. 

  64. 		return;
    65. 

  65. 	}
    66. 

  66. 

  67. 	cbSize = ssStreamData.cbSize.LowPart;
    68. 

  68. 	lpwOutput = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, cbSize + 1);
    69. 

  69. 	if (lpwOutput != NULL) {
    70. 

  70. 		pos.QuadPart = 0;
    71. 

  71. 		if (FAILED(g_lpStream->lpVtbl->Seek(g_lpStream, pos, STREAM_SEEK_SET, NULL))) {
    72. 

  72. 			goto CleanUp;
    73. 

  73. 		}
    74. 

  74. 

  75. 		if (FAILED(g_lpStream->lpVtbl->Read(g_lpStream, lpwOutput, (ULONG)cbSize, &cbRead))) {		
    76. 

  76. 			goto CleanUp;
    77. 

  77. 		}
    78. 

  78. 

  79. 		BeaconPrintf(CALLBACK_OUTPUT, "%ls", lpwOutput);
    80. 

  80. 	}
    81. 

  81. 

  82. CleanUp:
    83. 

  83. 	if (g_lpStream != NULL) {
    84. 

  84. 		g_lpStream->lpVtbl->Release(g_lpStream);
    85. 

  85. 		g_lpStream = NULL;
    86. 

  86. 	}
    87. 

  87. 

  88. 	if (g_lpwPrintBuffer != NULL) {
    89. 

  89. 		MSVCRT$free(g_lpwPrintBuffer); 
    90. 

  90. 		g_lpwPrintBuffer = NULL;
    91. 

  91. 	}
    92. 

  92. 

  93. 	if (lpwOutput != NULL) {
    94. 

  94. 		KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, lpwOutput);
    95. 

  95. 	}
    96. 

  96. 	return;
    97. 

  97. }
    98. 

  98. 

  99. 

  100. 

  101. 

  102. int go(char *args, int len) {
    103. 

  103.     char* pipeNameHead = "\\\\";
    104. 

  104.     char* pipeNameTail = "\\pipe\\DAV RPC SERVICE";
    105. 

  105.     BOOL pipeStatus = 0;
    106. 

  106.     char* hostname;
    107. 

  107. 	char* nextHostname;
    108. 

  108. 	char* debug;
    109. 

  109.     int iBytesLen = 0;
    110. 

  110.     CHAR *hostFileBytes;
    111. 

  111. 	WCHAR wHostname[256];
    112. 

  112.     datap parser;
    113. 

  113. 

  114.     BeaconDataParse(&parser, args, len);
    115. 

  115.     hostFileBytes = BeaconDataExtract(&parser, &iBytesLen);
    116. 

  116. 	debug = BeaconDataExtract(&parser, NULL);
    117. 

  117. 	
    118. 

  118.     if(iBytesLen != 0) {
    119. 

  119.         BeaconPrintf(CALLBACK_OUTPUT, "[+] Loaded file in memory with a size of %d bytes\n[*] Start WebClient enumeration..\n", iBytesLen); 
    120. 

  120. 		
    121. 

  121. 		BeaconPrintToStreamW(L"\nEnumeration results:\n");
    122. 

  122. 		BeaconPrintToStreamW(L"==============================================\n");
    123. 

  123. 	
    124. 

  124.         hostname = MSVCRT$strtok(hostFileBytes, "\r\n");
    125. 

  125.         while (hostname != NULL) {
    126. 

  126. 			nextHostname = MSVCRT$strtok(NULL, "\r\n");
    127. 

  127.             if (nextHostname == NULL) {
    128. 

  128.                 break;
    129. 

  129.             }
    130. 

  130. 

  131.             size_t len = MSVCRT$strlen(hostname);
    132. 

  132.             char* fullPipeName = (char*) MSVCRT$malloc(len + MSVCRT$strlen(pipeNameHead) + MSVCRT$strlen(pipeNameTail) + 1);
    133. 

  133.             MSVCRT$strcpy(fullPipeName, pipeNameHead);
    134. 

  134.             MSVCRT$strcat(fullPipeName, hostname);
    135. 

  135.             MSVCRT$strcat(fullPipeName, pipeNameTail);
    136. 

  136. 		
    137. 

  137.             pipeStatus = KERNEL32$WaitNamedPipeA(fullPipeName, 3000);
    138. 

  138. 

  139. 			if (pipeStatus == 0 && (MSVCRT$strcmp(debug, "debug") == 0)) {
    140. 

  140. 				KERNEL32$MultiByteToWideChar(CP_ACP, 0, hostname, -1, wHostname, 256);
    141. 

  141. 				BeaconPrintToStreamW(L"[-] WebClient service not found on %s\n", wHostname);
    142. 

  142. 			} else if (pipeStatus == 0) {
    143. 

  143.             } else {
    144. 

  144. 				KERNEL32$MultiByteToWideChar(CP_ACP, 0, hostname, -1, wHostname, 256);
    145. 

  145. 				BeaconPrintToStreamW(L"[+] WebClient running on %s\n", wHostname);
    146. 

  146.             }
    147. 

  147.             MSVCRT$free(fullPipeName);
    148. 

  148.             hostname = nextHostname;
    149. 

  149.         }
    150. 

  150. 		BeaconOutputStreamW();
    151. 

  151. 

  152.     } else {
    153. 

  153.         BeaconPrintf(CALLBACK_ERROR, "Couldn't load the host file from disk.\n");
    154. 

  154.     }
    155. 

  155. 	
    156. 

  156. 	
    157. 

  157.     return 0;
    158. 

  158. }
    159. 

  159.