From 34dbb87ac9eb4ee81a93ab47dafef59166e3917b Mon Sep 17 00:00:00 2001
From: eversinc33
Date: Wed, 6 Mar 2024 21:21:26 +0000
Subject: [PATCH] remove bof

---
 auxiliary/LoadDriverBOF/LICENSE | 21 -------
 auxiliary/LoadDriverBOF/beacon.h | 69 ---------------------
 auxiliary/LoadDriverBOF/bofcompile.bat | 5 --
 auxiliary/LoadDriverBOF/loaddriver.c | 75 -----------------------
 auxiliary/LoadDriverBOF/loaddriver.cna | 30 ---------
 auxiliary/LoadDriverBOF/loaddriver.h | 55 -----------------
 auxiliary/LoadDriverBOF/loaddriver.o | Bin 2950 -> 0 bytes
 auxiliary/LoadDriverBOF/loaddriver.x64.o | Bin 2950 -> 0 bytes
 8 files changed, 255 deletions(-)
 delete mode 100644 auxiliary/LoadDriverBOF/LICENSE
 delete mode 100644 auxiliary/LoadDriverBOF/beacon.h
 delete mode 100644 auxiliary/LoadDriverBOF/bofcompile.bat
 delete mode 100644 auxiliary/LoadDriverBOF/loaddriver.c
 delete mode 100644 auxiliary/LoadDriverBOF/loaddriver.cna
 delete mode 100644 auxiliary/LoadDriverBOF/loaddriver.h
 delete mode 100644 auxiliary/LoadDriverBOF/loaddriver.o
 delete mode 100644 auxiliary/LoadDriverBOF/loaddriver.x64.o

diff --git a/auxiliary/LoadDriverBOF/LICENSE b/auxiliary/LoadDriverBOF/LICENSE
deleted file mode 100644
index b5a8fc6..0000000
--- a/auxiliary/LoadDriverBOF/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2023 REDMED-X
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff --git a/auxiliary/LoadDriverBOF/beacon.h b/auxiliary/LoadDriverBOF/beacon.h
deleted file mode 100644
index 54befa9..0000000
--- a/auxiliary/LoadDriverBOF/beacon.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Beacon Object Files (BOF)
- * -------------------------
- * A Beacon Object File is a light-weight post exploitation tool that runs
- * with Beacon's inline-execute command.
- *
- * Additional BOF resources are available here:
- * - https://github.com/Cobalt-Strike/bof_template
- *
- * Cobalt Strike 4.x
- * ChangeLog:
- * 1/25/2022: updated for 4.5
- */
-
-/* data API */
-typedef struct {
- char * original; /* the original buffer [so we can free it] */
- char * buffer; /* current pointer into our buffer */
- int length; /* remaining length of data */
- int size; /* total size of this buffer */
-} datap;
-
-DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size);
-DECLSPEC_IMPORT char * BeaconDataPtr(datap * parser, int size);
-DECLSPEC_IMPORT int BeaconDataInt(datap * parser);
-DECLSPEC_IMPORT short BeaconDataShort(datap * parser);
-DECLSPEC_IMPORT int BeaconDataLength(datap * parser);
-DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size);
-
-/* format API */
-typedef struct {
- char * original; /* the original buffer [so we can free it] */
- char * buffer; /* current pointer into our buffer */
- int length; /* remaining length of data */
- int size; /* total size of this buffer */
-} formatp;
-
-DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz);
-DECLSPEC_IMPORT void BeaconFormatReset(formatp * format);
-DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, char * text, int len);
-DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, char * fmt, ...);
-DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size);
-DECLSPEC_IMPORT void BeaconFormatFree(formatp * format);
-DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value);
-
-/* Output Functions */
-#define CALLBACK_OUTPUT 0x0
-#define CALLBACK_OUTPUT_OEM 0x1e
-#define CALLBACK_OUTPUT_UTF8 0x20
-#define CALLBACK_ERROR 0x0d
-
-DECLSPEC_IMPORT void BeaconOutput(int type, char * data, int len);
-DECLSPEC_IMPORT void BeaconPrintf(int type, char * fmt, ...);
-
-
-/* Token Functions */
-DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token);
-DECLSPEC_IMPORT void BeaconRevertToken();
-DECLSPEC_IMPORT BOOL BeaconIsAdmin();
-
-/* Spawn+Inject Functions */
-DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
-DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
-DECLSPEC_IMPORT BOOL BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
-DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
-
-/* Utility Functions */
-DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max);
\ No newline at end of file
diff --git a/auxiliary/LoadDriverBOF/bofcompile.bat b/auxiliary/LoadDriverBOF/bofcompile.bat
deleted file mode 100644
index 77264af..0000000
--- a/auxiliary/LoadDriverBOF/bofcompile.bat
+++ /dev/null
@@ -1,5 +0,0 @@
-@ECHO OFF
-
-cl.exe /nologo /c /Od /MT /W0 /GS- /Tc loaddriver.c
-move /y loaddriver.obj loaddriver.o
-
diff --git a/auxiliary/LoadDriverBOF/loaddriver.c b/auxiliary/LoadDriverBOF/loaddriver.c
deleted file mode 100644
index da17761..0000000
--- a/auxiliary/LoadDriverBOF/loaddriver.c
+++ /dev/null
@@ -1,75 +0,0 @@
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include "loaddriver.h"
-#include "beacon.h"
-
-BOOL LoadDriver(LPCWSTR name, LPCWSTR description, LPCWSTR path)
-{
- BeaconPrintf(CALLBACK_OUTPUT, "[*] Opening service manager\n");
- SC_HANDLE hSCManager = ADVAPI32$OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
- if (!hSCManager)
- {
- BeaconPrintf(CALLBACK_OUTPUT, "[!] Failed to open service manager: %i\n", KERNEL32$GetLastError());
- return FALSE;
- }
-
- BeaconPrintf(CALLBACK_OUTPUT, "[*] Creating service: %s, %s, %s\n", name, description, path);
- SC_HANDLE hService = ADVAPI32$CreateServiceA(
- hSCManager,
- name,
- description,
- SERVICE_START | DELETE | SERVICE_STOP,
- SERVICE_KERNEL_DRIVER,
- SERVICE_SYSTEM_START, // start automatically on system start
- SERVICE_ERROR_IGNORE,
- path,
- NULL, NULL, NULL, NULL, NULL
- );
-
- if (!hService)
- {
- if (KERNEL32$GetLastError() == 1073)
- {
- BeaconPrintf(CALLBACK_OUTPUT, "[!] Service already exists: %i\n", KERNEL32$GetLastError());
- return FALSE;
- }
- BeaconPrintf(CALLBACK_OUTPUT, "[!] Error creating service: %i\n", KERNEL32$GetLastError());
- return FALSE;
- }
-
- if (!ADVAPI32$StartServiceA(hService, 0, NULL))
- {
- BeaconPrintf(CALLBACK_OUTPUT, "[!] Error starting service: %i\n", KERNEL32$GetLastError());
- return FALSE;
- }
-
- BeaconPrintf(CALLBACK_OUTPUT, "[*] Done\n");
- return TRUE;
-}
-
-int go(char *args, int len)
-{
- BOOL res = NULL;
- datap parser;
- LPCSTR name = L"";
- LPCSTR description = L"";
- LPCSTR path = L"";
-
- BeaconDataParse(&parser, args, len);
- name = BeaconDataExtract(&parser, NULL);
- description = BeaconDataExtract(&parser, NULL);
- path = BeaconDataExtract(&parser, NULL);
-
- res = LoadDriver(name, description, path);
- if(!res)
- {
- return 1;
- }
-
- return 0;
-}
diff --git a/auxiliary/LoadDriverBOF/loaddriver.cna b/auxiliary/LoadDriverBOF/loaddriver.cna
deleted file mode 100644
index 6441999..0000000
--- a/auxiliary/LoadDriverBOF/loaddriver.cna
+++ /dev/null
@@ -1,30 +0,0 @@
-# author eversinc33
-
-beacon_command_register(
- "loaddriver", "Load a driver through the service manager api.",
- "INFO:\nLoad a driver through the service manager api.\n\nOPTIONS:\n[name]: Servicename.\n[description]: Service description.\n[path] Path to the driver file\n\n" .
- "USAGE:\nloaddriver \n\n");
-
-alias loaddriver {
- $name = $1;
- $description = $2;
- $path = $3
-
- if ($name eq "" || $description eq "" || $path eq "") {
- berror($bid, "Specify values for all arguments\n");
- return;
- }
-
- # Read in the right BOF file
- $handle = openf(script_resource("loaddriver.o"));
- $data = readb($handle, -1);
- closef($handle);
-
- # Pack our arguments
- $arg_data = bof_pack($bid, "ZZZ", $name, $description, $path);
-
- blog($bid, "Tasked to load driver..");
- beacon_inline_execute($bid, $data, "go", $arg_data);
-}
-
-
diff --git a/auxiliary/LoadDriverBOF/loaddriver.h b/auxiliary/LoadDriverBOF/loaddriver.h
deleted file mode 100644
index 0294609..0000000
--- a/auxiliary/LoadDriverBOF/loaddriver.h
+++ /dev/null
@@ -1,55 +0,0 @@
-#include
-
-#pragma comment(lib, "Advapi32.lib")
-
-#define HRESULT_FROM_WIN32(x) (x ? ((HRESULT) (((x) & 0x0000FFFF) | (FACILITY_WIN32 << 16) | 0x80000000)) : 0)
-#define MAX_GUID_SIZE 39
-#define MAX_DATA_LENGTH 65000
-#define true 1
-
-//loaddriver
-DECLSPEC_IMPORT SC_HANDLE WINAPI ADVAPI32$OpenSCManagerA(
- _In_opt_ LPCSTR lpMachineName,
- _In_opt_ LPCSTR lpDatabaseName,
- _In_ DWORD dwDesiredAccess
-);
-
-DECLSPEC_IMPORT SC_HANDLE WINAPI ADVAPI32$CreateServiceA(
- _In_ SC_HANDLE hSCManager,
- _In_ LPCSTR lpServiceName,
- _In_opt_ LPCSTR lpDisplayName,
- _In_ DWORD dwDesiredAccess,
- _In_ DWORD dwServiceType,
- _In_ DWORD dwStartType,
- _In_ DWORD dwErrorControl,
- _In_opt_ LPCSTR lpBinaryPathName,
- _In_opt_ LPCSTR lpLoadOrderGroup,
- _Out_opt_ LPDWORD lpdwTagId,
- _In_opt_ LPCSTR lpDependencies,
- _In_opt_ LPCSTR lpServiceStartName,
- _In_opt_ LPCSTR lpPassword
-);
-
-DECLSPEC_IMPORT BOOL WINAPI ADVAPI32$StartServiceA(
- _In_ SC_HANDLE hService,
- _In_ DWORD dwNumServiceArgs,
- _In_opt_ LPCSTR* lpServiceArgVectors
-);
-
-
-//main
-WINBASEAPI int __cdecl MSVCRT$printf(const char* _Format, ...);
-WINBASEAPI int __cdecl MSVCRT$strcmp(const char* str1, const char* str2);
-WINBASEAPI int __cdecl MSVCRT$getchar(void);
-WINBASEAPI DWORD WINAPI KERNEL32$GetLastError();
-
-
-//bofstart + internal_printf + printoutput
-WINBASEAPI void* __cdecl MSVCRT$calloc(size_t number, size_t size);
-WINBASEAPI int WINAPI MSVCRT$vsnprintf(char* buffer, size_t count, const char* format, va_list arg);
-WINBASEAPI void __cdecl MSVCRT$memset(void* dest, int c, size_t count);
-WINBASEAPI void* WINAPI MSVCRT$memcpy(void* dest, const void* src, size_t count);
-WINBASEAPI HANDLE WINAPI KERNEL32$GetProcessHeap();
-WINBASEAPI LPVOID WINAPI KERNEL32$HeapAlloc(HANDLE hHeap, DWORD dwFlags, SIZE_T dwBytes);
-WINBASEAPI void __cdecl MSVCRT$free(void* memblock);
-WINBASEAPI BOOL WINAPI KERNEL32$HeapFree(HANDLE, DWORD, PVOID);
\ No newline at end of file
diff --git a/auxiliary/LoadDriverBOF/loaddriver.o b/auxiliary/LoadDriverBOF/loaddriver.o deleted file mode 100644 index 1d5278d17c1b9ee22709123c30b1268f64458e0a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2950 zcma)8U2GIp6h70f{8Vd;{G=EnLmgp3T((_-?ndM8b`}PimP!j^SS-_>X*=5PtTVH9 zAwEzF#=17};Dd>Y5@X_nA;Bk+#AG87HDW@D55^}+h!G(%X#9yk!E^4N+0O1N@g#Ha zcfND(x&LRb{_-Mts`X>TS_rTaxI}c@$hlL7r$PzAkl<@x-O>&b-54p3NrS%S4Fs3! z{F2a~j<`n2l_vAPpVkDR<9D%{GY?=T!oa~uN!MJ>_X21~c22)+%U4LrRlP5qE~v? zw(JCII@2Q7$a9c@$Cf}E;4&w&hr(t{C3EUffl1%}MjHnI98-t;vEp zVc0a5Sy}2(W{0G9Wmc6IDbqJ!K~|YtP6Ld6ew)>)vrj-9#IE?df{hBw%u7-MimSPc zT&~nLidC*}#sjC6k4dK}B(@RN@@o>EL>0-CMAr7Bd@4%^kp=?$d@$ex#Ro|S0)czb zKT0Il;U->-*g2#=ih{tpqi&V*>%7~tDi!#+X;>wiN(qV?PCed*n^j!(-}Ab0@D4UP z6RX6oDA+@ZdmXRbG1juWH8@MdR;Dk|Hk`lIAoDvlb8{SLE20}NBfE(-m!1HQ25?v| z(?rWdxN&o;l;mT>fzB(ec>@z|V8SYf3R9>kO|$2F8UpPuuA&IVg=_{lnqn1Y=EC^- zm1v|S(hO^`Y-6Yk%f$@ISl+`>KbET*+KVOkn?@uuZnnz(g@}?sGqmAK@wTg~Xf2{O z%o;(&qx4j*X+)jO`efDmETX#^H(vF#5k1Jb!&SfIh$P0%Rk_a)tz+C*h{6ngi)cMV ze;{gQXdxcSdl_0;MGsezjEK@{GYBi1UvXmi;%F!}J_cLz)h69)ij6CH5Og>X)&JZWHyf$XoEVu4ob3ojtVRq0(*AgxC ztanR@51B1Mae8e-a|40U;%xLj77Tl&c!OR)+5|Sx4~a&}bX>=agZ7MVTeg^Mj7I%b z?T)M2b-j7xkgdGY0*Ob$?_53g<(o^tyY_qH*!AT<{;YkmF0@3Fubqx}tvY=!adgA` z&gkFaj;jOv-hO)VQ5;;2By*S+Bc^UmHw(9K)9NNiaek3#^dtyJJZ8$8h)n8$TLzp7 z{*Y;_LPDt~Dk;IAF|`Z{l#Oa7_#+OXDJ0OZm~PJOiFbdS_oW^8g<|m&UCShW6>IKu zpn*Bmz?^7c-fLjac}xgIj67y>^$bp&Gm_fB)o(^tp;a;&n99+LK4eb!K(nn!{%gRI3@2*4eW?@ zOO!wcd;56WNYz_eS}?pz-(Vf2Yg}jCnc3Z+Q8Dm#!&NoMWeLFxn>MtZm6!4LIiT5& r(ZFU(uC3+V8h*ew^X@3jznefR=3g}Px)h|?Q?-WiobX&r+=%EOAB!i; 
diff --git a/auxiliary/LoadDriverBOF/loaddriver.x64.o b/auxiliary/LoadDriverBOF/loaddriver.x64.o deleted file mode 100644 index 1a3888160e93ca3284263bd4a42adfbc032c5764..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2950 zcma)8U2GIp6h70f0!3_*pAk1C)|uI| z5FaQ7V_k?m_+T_q;)@T41Rsn@VzLTEO)wJTgYiicVnj#`CK}>T@SJ;RwzIoRJjvYq zo$s7`?*EyqzcL?gFZ|T7<^ik+E)m@}^6r%3sZd5RB>0+Fw{<{7H%3ZhQr5S;iQrO$ zUlKaf5!WcY(qzH+(^>#@{4Ta~<{_*^7~CHz>zb?iUH}~kZ{0Je6G}of87bELbs{g^ z3$Ow|5~`SAy&HUw{4URj{790JtVTv0hiklS3o0Hy4AE*NKmMY#>4};(iD(0^Tb*EI zQ4}}GnJuYZ>X5oEo#-l+Og%DTj&%JmI;Br(MKjj(FD)=yU;j`;m>sG-km}E5yF^;f zTll?(p9;ca8dqN;x63hXCudAyX%_OaSkAFZcHYR@M$vL|X|3Rl8%9pGG+nk$^h)p8 zlAAzHXIjJ>c>xmeD@&cq?2y!<%&O9SW%}l;$SNn6(Ewv#-C=d=?9z-V%6&#@xUpSqtYn~iETu+a$KU5s3Lii$ohViFJx&y(m-I34+edp_#nwZAaF1G zM~TEb?A0Q64yjL~Ah7PJTcz>_@3x{!MLupCR+*+!hEj%8Pj%yFl~(@uyl(8ji%rhN zshwiHSBbVHHD#DO8lE+4~a>fp!;HQH0VwHiH{2v8pn2Vf_3G zG*S|2h1FQLGt`ac0)}KP?_+2H%T)~R#*+I@BN7=mTjTyhL`k3(+Hs|L+m$u62GMF} zjUeJtdTZ7+qAq5Are=K}(L%Rsi&F>f@iE$@t+?R+RW!$%j=-{=&4~W(> z^ar9v49#l+xSydFHS|~w$%rVOwt}#{1(suO5Ecor=yRk{-oYroeCPwLAHXk!ZG1Ez z(Q?Monk-?6qH?qp(SwZJyKWz*0;52A0F%#@nK#5qt)Pt=Hp{JhSML+IXqX*z(X~Vi zJsaH;;v;4oP@F#7(A+>Ev^eX%j|IaXDPGp=N1MO~`a#hsn~v*vanPQzZOaz(&C#fz zn%!|VyP-F49I{m~+92_G_`R#AzJ7bjkJoM|j$U8((a2i|)L*WDBVRim?_PQOT;j;O z51i4z!<|D+@aM?j^g|x(dbDK4tva$H4&NA0k;e| z6Z|35R)vIeT~tznKVxbc5-1zhOYlb=LQ_bfUoqXB?5)p^&-v1h`$Dn!iLPgozKS*X z+1JDzY+_z-V%~3J&Us7-M2tLUarF#NoHLR-u-R`!v$z+KVSi=rLrm}~L9+=7bWTZT zw#P4WM5Paz4+I|;lNou8mT;d);3-1! zLIOQTNS^!k&yP8hvRgODyL)4#F(2@ljbbCSNoi!_#RevhC#pV9yyr|K6T4hvf{!42 z(}V>7cA?@48&6M^tv>VNBkYOx(!A@KIIRX}g3l&mLqZbEdcmsz!^7reaX2OKP7Q90 z^+=RJvVHwLZKN8lEG-z`rEjuk=^8f}w`X<^WK;~i)o@kKaals}!ln%^Zxv*GeGY22 sV>GduvTJL3w~imQ&4N1$bMGdQN`(VvL6?FQd#ctko)eyHi5n6910}*K`Tzg`