Raphael rsmudge

## gist:6717127
#
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
#

sub exploitPorts {
  local('$exploit %exploits $options $port');

	foreach $exploit (modules("exploits")) {
		$options = options("exploit", $exploit);
		if ('RPORT' in $options) {

## gist:6717164
#
# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
#

popup attacks {
        item "&Find Attacks" {
                spawn(&runFindAttacks);
        }

        item "&Hail Mary" {

## irc.cna
#
# Quick/Dirty IRC Library for use with Aggressor Script
# https://www.cobaltstrike.com/aggressor-script/index.html
#

# irc_close($handle);
sub irc_close {
	println($1, "QUIT :Good bye!");
	closef($1);
}

## bot.cna
# demonstrate an example of inversion-of-control with Aggressor Script
#

# co-routine,
sub bot {
	# run pwd and get the output.
	bpwd($bid);
	when("beacon_output_alt", $this);
	yield;

## getpidany.cna
# getexplorerpid($bid, &callback);
sub getanypid {
  bps($1, lambda({
    local('$pid $name $entry');
    foreach $entry (split("\n", $2)) {
      ($name, $pid) = split("\\s+", $entry);
      if ($name eq $proc) {
        # $1 is our Beacon ID, $pid is the PID of $proc
        [$callback: $1, $proc, $pid];
      }

## getexplorer.cna
# getexplorerpid($bid, &callback);
sub getexplorerpid {
  bps($1, lambda({
    local('$pid $name $entry');
    foreach $entry (split("\n", $2)) {
      ($name, $pid) = split("\\s+", $entry);
      if ($name eq "explorer.exe") {
        # $1 is our Beacon ID, $pid is the PID of explorer.exe
        [$callback: $1, $pid];
      }

## tokenToEmail.cna
#
# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
# resolve the id var (token) to an email
#
# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
#

# method, uri, addr, ua, response, size, handler, when
set WEB_HIT {
	local('$out $now $method $uri $addr $ua $response $size $handler $when $params');

## getenv.cna
#
# Aggressor Script means to parse/use environment vars in a Beacon session.
#

global('%bvars');

# request environment variables for every new Beacon that comes in.
on beacon_initial {
	# ideally, we'd have a bshell that could take callbacks. We don't have
	# this yet. Eventually though, we will.

## safedelete.cna
#
# safe delete in file browser right-click menu
#
popup_clear("filebrowser");

popup filebrowser {
	item "&Download" {
		local('$file');
		foreach $file ($3) {
			bdownload($1, "$2 $+ \\ $+ $file");

## oneliner.cna
# host a PowerShell script on a one-off web server via Beacon.
#
# Why? Generate one-liners for length constrained command execution opportunities
#
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
#       if there's interest in this capability, I can build an official API for it.

import common.*;
import beacon.*;
	#
	# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
	#

	sub exploitPorts {
	local('$exploit %exploits $options $port');

	foreach $exploit (modules("exploits")) {
	$options = options("exploit", $exploit);
	if ('RPORT' in $options) {
	#
	# This code is related to the Attacks -> Find Attacks and Attacks -> Hail Mary features
	#

	popup attacks {
	item "&Find Attacks" {
	spawn(&runFindAttacks);
	}

	item "&Hail Mary" {
	#
	# Quick/Dirty IRC Library for use with Aggressor Script
	# https://www.cobaltstrike.com/aggressor-script/index.html
	#

	# irc_close($handle);
	sub irc_close {
	println($1, "QUIT :Good bye!");
	closef($1);
	}
	# demonstrate an example of inversion-of-control with Aggressor Script
	#

	# co-routine,
	sub bot {
	# run pwd and get the output.
	bpwd($bid);
	when("beacon_output_alt", $this);
	yield;
	# getexplorerpid($bid, &callback);
	sub getanypid {
	bps($1, lambda({
	local('$pid $name $entry');
	foreach $entry (split("\n", $2)) {
	($name, $pid) = split("\\s+", $entry);
	if ($name eq $proc) {
	# $1 is our Beacon ID, $pid is the PID of $proc
	[$callback: $1, $proc, $pid];
	}
	# getexplorerpid($bid, &callback);
	sub getexplorerpid {
	bps($1, lambda({
	local('$pid $name $entry');
	foreach $entry (split("\n", $2)) {
	($name, $pid) = split("\\s+", $entry);
	if ($name eq "explorer.exe") {
	# $1 is our Beacon ID, $pid is the PID of explorer.exe
	[$callback: $1, $pid];
	}
	#
	# This script overrides WEB_HIT and PROFILER_HIT from default.cna to
	# resolve the id var (token) to an email
	#
	# https://www.cobaltstrike.com/aggressor-script/cobaltstrike.html
	#

	# method, uri, addr, ua, response, size, handler, when
	set WEB_HIT {
	local('$out $now $method $uri $addr $ua $response $size $handler $when $params');
	#
	# Aggressor Script means to parse/use environment vars in a Beacon session.
	#

	global('%bvars');

	# request environment variables for every new Beacon that comes in.
	on beacon_initial {
	# ideally, we'd have a bshell that could take callbacks. We don't have
	# this yet. Eventually though, we will.
	#
	# safe delete in file browser right-click menu
	#
	popup_clear("filebrowser");

	popup filebrowser {
	item "&Download" {
	local('$file');
	foreach $file ($3) {
	bdownload($1, "$2 $+ \\ $+ $file");
	# host a PowerShell script on a one-off web server via Beacon.
	#
	# Why? Generate one-liners for length constrained command execution opportunities
	#
	# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
	# if there's interest in this capability, I can build an official API for it.

	import common.*;
	import beacon.*;