
failed parsing server prepend section in the profile #29

Open
superuser5 opened this issue Dec 6, 2023 · 1 comment

Comments

@superuser5

Thanks for the great tool!

I have created a profile with the following server prepend header, and RedWarden fails to parse it. The profile works with the latest CS.
If I remove this section, RedWarden starts.

Section that causes the crash:

server {
    header "Content-Type" "text/html; charset=utf-8";
    header "Connection" "close";
    header "Server" "Apache";
    header "X-XSS-Protection" "0";
    header "Strict-Transport-Security" "max-age=26458309; includeSubDomains; preload";
    header "Referrer-Policy" "no-referrer";
    header "X-Slack-Backend" "h";
    header "Pragma" "no-cache";
    header "Cache-Control" "private, no-cache, no-store, must-revalidate";
    header "X-Frame-Options" "SAMEORIGIN";
    header "Vary" "Accept-Encoding";
    header "X-Via" "haproxy-www-w6k7";

    output {
        netbios;
        prepend "<!DOCTYPE html>
<html lang=\"en-US\" class=\"supports_custom_scrollbar\">

<head>

Error from RedWarden:

[DEBUG] 2023-12-06/13:46:02: Extracted complex variable: [header] = [['X-Via', 'haproxy-www-w6k7']]
[DEBUG] 2023-12-06/13:46:02: [key: [('http-get', 'default'), ('server', '')], line: 383, pos: 11598]    output {
[DEBUG] 2023-12-06/13:46:02: Extracted section: [output] (variant: )
[DEBUG] 2023-12-06/13:46:02: [key: [('http-get', 'default'), ('server', ''), ('output', '')], line: 385, pos: 11607]            netbios;
[DEBUG] 2023-12-06/13:46:02: Extracted complex variable: [netbios] = []
[DEBUG] 2023-12-06/13:46:02: [key: [('http-get', 'default'), ('server', ''), ('output', '')], line: 387, pos: 11617]    prepend "<!DOCTYPE html>
[DEBUG] 2023-12-06/13:46:02: Found beginning of prepend/append instruction (line: 387):         prepend "<!DOCTYPE html>
[DEBUG] 2023-12-06/13:46:02: Found end of prepend/append instruction at line: 400
[DEBUG] 2023-12-06/13:46:02: Extracted prepend/append instruction IS NOT valid!
[DEBUG] 2023-12-06/13:46:02:
---------------------
        prepend "<!DOCTYPE html><html lang=\"en-US\" class=\"supports_custom_scrollbar\"><head><meta charset=\"utf-8\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"><meta name=\"referrer\" content=\"no-referrer\"><meta name=\"superfish\" content=\"nofish\"> <title>Microsoft Developer Chat Slack</title><meta name=\"author\" content=\"Slack\"> <link rel=\"dns-prefetch\" href=\"https://a.slack-edge.com?id=";
---------------------
[ERROR] 2023-12-06/13:46:02: Unexpected statement:
                prepend "<!DOCTYPE html>

----- Context -----


        output {

                netbios;

        prepend "<!DOCTYPE html>
<html lang=\"en-US\" class=\"supports_custom_scrollbar\">

<head>

<meta charset=\"utf-8\">

[ERROR] 2023-12-06/13:46:02:
Parsing failed.
[ERROR] 2023-12-06/13:46:02: Could not parse specified Malleable C2 profile!
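Editor's note, added to this thread (this is not the reporter's code and not RedWarden's or Cobalt Strike's): in both logs posted in this issue the collapsed instruction that RedWarden prints stops at a `";` sequence inside the string body. In the log above the cut falls at `...?id=";`; in the second report further down it falls right after `\"@babel/helpers - typeof\";`, an escaped quote followed by a semicolon, while the earlier multi-line prepend in the same block, which contains `\"full-build\"` but never `\";`, is extracted fine. My reading of that, an inference from the logs rather than anything the issue states, is that the end-of-string search does not honour backslash escapes. The scanner below is a constructed, stand-alone example of reading a Malleable C2 `output { ... }` block with escape-aware string handling. `SAMPLE_BLOCK` is modelled on the second report and is not taken from the page; the set of escapes it decodes (`\n`, `\t`, `\"`, `\\`, `\xHH`) is an assumption about the profile grammar; and `naive_string_end` models the guessed failure mode, not RedWarden's actual implementation.

```python
"""Escape-aware reading of Malleable C2 multi-line prepend/append strings.

Added example by the editor of this page, not code from RedWarden or Cobalt
Strike. SAMPLE_BLOCK is constructed, modelled on the Socket.IO append in the
second report of this issue."""

import re
from typing import List, Tuple

# Constructed sample: a trimmed "server { output { ... } }" body. The line
#     \"@babel/helpers - typeof\";
# is the interesting one: an escaped quote followed by a semicolon, inside
# the string. The prepend contains an escaped quote too, but never '\";'.
SAMPLE_BLOCK = r'''output {
    prepend "
'use strict';
// This entry is the \"full-build\" that includes the runtime
";
    append "
/*!
 * Socket.IO v4.5.4
 */
  function _typeof(obj) {
    \"@babel/helpers - typeof\";
    return typeof obj;
  }
";
    print;   # trailing statements must still be reachable
}
'''

# Escapes decoded inside a string (assumption about the profile grammar:
# \n, \t, \", \\ and \xHH; anything else is kept verbatim).
_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}
_WORD = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*")


def naive_string_end(text: str, open_quote: int) -> int:
    """Offset where a scan that merely searches for '";' would stop.

    Models the failure mode the logs suggest (my reading, not the project's
    statement): backslashes are ignored, so '\";' inside the body ends the
    string early and the remainder surfaces as an 'Unexpected statement'."""
    return text.find('";', open_quote + 1)


def scan_string(text: str, open_quote: int) -> Tuple[str, int]:
    """Decode one double-quoted string starting at text[open_quote].

    Returns (decoded value, offset just past the closing quote). Escapes are
    consumed as pairs, so an escaped quote never terminates the string, and
    raw newlines in the body are kept (that is what a multi-line prepend is)."""
    if text[open_quote] != '"':
        raise ValueError(f"expected a double quote at offset {open_quote}")
    out: List[str] = []
    i = open_quote + 1
    while i < len(text):
        c = text[i]
        if c == '"':
            return "".join(out), i + 1
        if c == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash at end of input")
            nxt = text[i + 1]
            if nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt])
                i += 2
            elif nxt == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", text[i + 2:i + 4]):
                out.append(chr(int(text[i + 2:i + 4], 16)))
                i += 4
            else:
                out.append(c + nxt)  # unknown escape: keep verbatim
                i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated string")


def _skip_blanks(text: str, i: int) -> int:
    """Skip whitespace and '#' comments between tokens (never inside strings)."""
    while i < len(text):
        if text[i].isspace():
            i += 1
        elif text[i] == "#":
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl + 1
        else:
            break
    return i


def parse_output_block(text: str) -> List[Tuple[str, List[str]]]:
    """Parse 'output { keyword "arg"... ; ... }' into (keyword, args) tuples."""
    i = text.index("{") + 1
    statements: List[Tuple[str, List[str]]] = []
    while True:
        i = _skip_blanks(text, i)
        if i >= len(text):
            raise ValueError("unterminated block")
        if text[i] == "}":
            return statements
        m = _WORD.match(text, i)
        if not m:
            raise ValueError(f"unexpected statement at offset {i}: {text[i:i + 24]!r}")
        keyword, i, args = m.group(0), m.end(), []
        while True:
            i = _skip_blanks(text, i)
            if i >= len(text):
                raise ValueError(f"unterminated '{keyword}' statement")
            if text[i] == ";":
                i += 1
                break
            if text[i] == '"':
                value, i = scan_string(text, i)
                args.append(value)
            else:
                raise ValueError(f"unexpected token at offset {i}: {text[i:i + 24]!r}")
        statements.append((keyword, args))


def naive_cut_is_correct(text: str, keyword: str) -> bool:
    """Does the '";' search agree with the escape-aware scanner for the
    first string argument of `keyword`? (prepend: yes; append: no)"""
    open_quote = text.index(f'{keyword} "') + len(keyword) + 1
    _, end = scan_string(text, open_quote)
    return naive_string_end(text, open_quote) == end - 1


def naive_append_body(text: str = SAMPLE_BLOCK) -> str:
    """Raw append body as the non-escape-aware scan would cut it."""
    open_quote = text.index('append "') + len("append ")
    return text[open_quote + 1:naive_string_end(text, open_quote)]


def parsed_append_body(text: str = SAMPLE_BLOCK) -> str:
    """Decoded append body from the escape-aware parser."""
    return dict(parse_output_block(text))["append"][0]
```

Run against `SAMPLE_BLOCK`, `naive_cut_is_correct` is true for the prepend and false for the append, which mirrors the second log (multi-line prepend extracted, append "IS NOT valid"); `naive_append_body()` ends with `typeof\` and has lost the `return typeof obj;` line, while `parsed_append_body()` keeps it and decodes `\"` to a plain quote. The same scanner, fed the first report's profile, would not stop at an escaped quote inside the HTML either.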

@superuser5
Author

Hi mgeeky,
Just wanted to publish another example of the parsing error:

Checking the profile with c2lint:

[+] POST 3x check passed
[+] .http-get.server.output size is good
[+] .http-get.client size is good
[+] .http-post.client size is good
[+] .http-get.client.metadata transform+mangle+recover passed (1 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (100 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (128 byte[s])
[+] .http-get.client.metadata transform+mangle+recover passed (256 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (0 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (1 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (48248 byte[s])
[+] .http-get.server.output transform+mangle+recover passed (1048576 byte[s])
[+] .http-post.client.id transform+mangle+recover passed (4 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (0 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (1 byte[s])
[+] .http-post.client.output chunks results
[+] .http-post.client.output transform+mangle+recover passed (33 byte[s])
[+] .http-post.client.output transform+mangle+recover passed (128 byte[s])
[!] Profile uses HTTP Host header for C&C. Will ignore Host header specified in payload config.
[!] .host_stage is FALSE. This will break staging over HTTP, HTTPS, and DNS!
[!] .code-signer.keystore is missing. Will not sign executables and DLLs
[+] SSL certificate generation OK
[*] Checking beacon WININET dlls...
[*] Checking beacon WINHTTP dlls...
[!] Detected 3 warnings.

Parsing error:

[DEBUG] 2023-12-08/20:44:46: [key: [('http-stager', 'default'), ('server', '')], line: 115, pos: 5427]         output {
[DEBUG] 2023-12-08/20:44:46: Extracted section: [output] (variant: )
[DEBUG] 2023-12-08/20:44:46: [key: [('http-stager', 'default'), ('server', ''), ('output', '')], line: 116, pos: 5443]             prepend "
[DEBUG] 2023-12-08/20:44:46: Found beginning of prepend/append instruction (line: 116):             prepend "
[DEBUG] 2023-12-08/20:44:46: Found end of prepend/append instruction at line: 199
[DEBUG] 2023-12-08/20:44:46: Extracted multi-line prepend/append instruction.
[DEBUG] 2023-12-08/20:44:46: [key: [('http-stager', 'default'), ('server', ''), ('output', '')], line: 200, pos: 8229]             append "
[DEBUG] 2023-12-08/20:44:46: Found beginning of prepend/append instruction (line: 200):             append "
[DEBUG] 2023-12-08/20:44:46: Found end of prepend/append instruction at line: 213
[DEBUG] 2023-12-08/20:44:46: Extracted prepend/append instruction IS NOT valid!
[DEBUG] 2023-12-08/20:44:46: 
---------------------
            append "/*! * Socket.IO v4.5.4 * (c) 2014-2022 Guillermo Rauch * Released under the MIT License. */(function (global, factory) {  typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :  typeof define === 'function' && define.amd ? define(factory) :  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, global.io = factory());})(this, (function () { 'use strict';  function _typeof(obj) {    \"@babel/helpers - typeof\";
---------------------
[ERROR] 2023-12-08/20:44:46: Unexpected statement:
                    append "

----- Context -----

Object.keys(runtimeDom).forEach(function (k) {
  if (k !== 'default') exports[k] = runtimeDom[k];
});
exports.compile = compileToFunction;
";
            append "
/*!
 * Socket.IO v4.5.4
 * (c) 2014-2022 Guillermo Rauch
 * Released under the MIT License.
 */

[ERROR] 2023-12-08/20:44:46: 
Parsing failed.
[ERROR] 2023-12-08/20:44:46: Could not parse specified Malleable C2 profile!

C2 profile, randomly generated using https://github.com/threatexpress/random_c2_profile:

################################################
# Cobalt Strike Malleable C2 Profile
# Version: Cobalt Strike 4.7
# Date   : 20231208_1936

################################################
## Profile Name
################################################
set sample_name "random";

################################################
## Sleep Times
################################################
set sleeptime "81822";         
set jitter    "48";           

################################################
##  Server Response Size jitter
################################################
set data_jitter "281"; # Append random-length string (up to data_jitter value) to http-get and http-post server output.        

################################################
##  HTTP Client Header Removal
################################################
# set headers_remove "Strict-Transport-Security"; # Comma-separated list of HTTP client headers to remove from Beacon C2.

################################################
## Beacon User-Agent
################################################
set useragent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36";

################################################
## SSL CERTIFICATE
################################################
https-certificate { # Simple self signed certificate data
    
    set C   "BR";
    set CN  "reseller.com";
    set O   "style_images";
    set OU  "v2.83 operations";
    set validity "365";
}

################################################
## Task and Proxy Max Size
################################################
set tasks_max_size "1048576";
set tasks_proxy_max_size "921600";
set tasks_dns_proxy_max_size "71680";  

################################################
## Access Token controls
## Added in 4.7
## Allows control over how access tokens are permissioned
# https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/post-exploitation_trust-relationships.htm
set steal_token_access_mask "11";
################################################

################################################
## TCP Beacon
################################################
set tcp_port "27214"; # TCP Beacon listen port
set tcp_frame_header "\x7c\xb7\xb7\x9a\x9f\x65\xaa\x7d\xe4\x5d\x8c\xde\xad\x8e\xdd\xcc\xcd\xc1\x6f\xd9\x5c\xd6\xb8\x56\xb1\xc7\x99\xc0\xdb\x8d"; # Prepend header to TCP Beacon messages

################################################
## SMB beacons
################################################
set pipename         "Winsock2\\CatalogChangeListener-DDPN###-1"; # Name of pipe for SMB Beacon's peer-to-peer communication. Each # is replaced with a random hex value.
set pipename_stager  "Spool\\pipe_OLBR_##"; # Name of pipe to use for SMB Beacon's named pipe stager. Each # is replaced with a random hex value.
set smb_frame_header "\xba\x7f\xf6\xf8\xc6\x54\xfe\xee\xe0\xcc\x60\x9f\x8d\x70\xaf\xa5\x89\x9c\xcf\xd8\xd1\xf3"; # Prepend header to SMB Beacon messages

################################################
## DNS beacons
################################################
dns-beacon {
    # Options moved into "dns-beacon" group in version 4.3
    set dns_idle           "40.84.169.176"; # IP address used to indicate no tasks are available to DNS Beacon; Mask for other DNS C2 values
    set dns_max_txt        "252"; # Maximum length of DNS TXT responses for tasks
    set dns_sleep          "48"; # Force a sleep prior to each individual DNS request. (in milliseconds) 
    set dns_ttl            "1"; # TTL for DNS replies
    set maxdns             "241"; # Maximum length of hostname when uploading data over DNS (0-255)
    set dns_stager_prepend ".c."; # Prepend text to payload stage delivered to DNS TXT record stager
    set dns_stager_subhost ".a0n1."; # Subdomain used by DNS TXT record stager.
    set beacon             "zwxn3q."; # 8 Char max recommended. DNS subhost prefix
    set get_A              "qs."; # 8 Char max recommended. DNS subhost prefix
    set get_AAAA           "15f."; # 8 Char max recommended. DNS subhost prefix
    set get_TXT            "6."; # 8 Char max recommended. DNS subhost prefix
    set put_metadata       "67."; # 8 Char max recommended. DNS subhost prefix
    set put_output         "s."; # 8 Char max recommended. DNS subhost prefix
    set ns_response        "zero"; # How to process NS Record requests. "drop" does not respond to the request (default), "idle" responds with A record for IP address from "dns_idle", "zero" responds with A record for 0.0.0.0

}

################################################
## SSH beacons
################################################
set ssh_banner        "SSH-2.0-OpenSSH_8.2p1 Debian"; # SSH client banner
set ssh_pipename      "AuthPipeVHYR_##"; # Name of pipe for SSH sessions. Each # is replaced with a random hex value.


################################################
## Staging process
################################################
set host_stage "false"; 

http-stager { # Reference: https://www.cobaltstrike.com/help-malleable-c2
    set uri_x86 "/Put/change/I1RRRVZR"; # URI for x86 staging
    set uri_x64 "/Add/v4.7/PUGV14V6NV6"; # URI for x64 staging

    server {
        header "Server" "Microsoft-IIS/10.0";
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "application/javascript; charset=utf-8";
        output {
            prepend "
'use strict';

Object.defineProperty(exports, '__esModule', { value: true });

var compilerDom = require('@vue/compiler-dom');
var runtimeDom = require('@vue/runtime-dom');
var shared = require('@vue/shared');

function _interopNamespace(e) {
  if (e && e.__esModule) return e;
  var n = Object.create(null);
  if (e) {
    Object.keys(e).forEach(function (k) {
      n[k] = e[k];
    });
  }
  n['default'] = e;
  return Object.freeze(n);
}

var runtimeDom__namespace = /*#__PURE__*/_interopNamespace(runtimeDom);

// This entry is the \"full-build\" that includes both the runtime
const compileCache = Object.create(null);
function compileToFunction(template, options) {
    if (!shared.isString(template)) {
        if (template.nodeType) {
            template = template.innerHTML;
        }
        else {
            runtimeDom.warn(`invalid template option: `, template);
            return shared.NOOP;
        }
    }
    const key = template;
    const cached = compileCache[key];
    if (cached) {
        return cached;
    }
    if (template[0] === '#') {
        const el = document.querySelector(template);
        if (!el) {
            runtimeDom.warn(`Template element not found or is empty: ${template}`);
        }
        // __UNSAFE__
        // Reason: potential execution of JS expressions in in-DOM template.
        // The user must make sure the in-DOM template is trusted. If it's rendered
        // by the server, the template should not contain any user data.
        template = el ? el.innerHTML : ``;
    }
    const opts = shared.extend({
        hoistStatic: true,
        onError: onError ,
        onWarn: e => onError(e, true) 
    }, options);
    if (!opts.isCustomElement && typeof customElements !== 'undefined') {
        opts.isCustomElement = tag => !!customElements.get(tag);
    }
    const { code } = compilerDom.compile(template, opts);
    function onError(err, asWarning = false) {
        const message = asWarning
            ? err.message
            : `Template compilation error: ${err.message}`;
        const codeFrame = err.loc &&
            shared.generateCodeFrame(template, err.loc.start.offset, err.loc.end.offset);
        runtimeDom.warn(codeFrame ? `${message}
${codeFrame}` : message);
    }
    // The wildcard import results in a huge object with every export
    // with keys that cannot be mangled, and can be quite heavy size-wise.
    // In the global build we know `Vue` is available globally so we can avoid
    // the wildcard object.
    const render = (new Function('Vue', code)(runtimeDom__namespace));
    render._rc = true;
    return (compileCache[key] = render);
}
runtimeDom.registerRuntimeCompiler(compileToFunction);

Object.keys(runtimeDom).forEach(function (k) {
  if (k !== 'default') exports[k] = runtimeDom[k];
});
exports.compile = compileToFunction;
";
            append "
/*!
 * Socket.IO v4.5.4
 * (c) 2014-2022 Guillermo Rauch
 * Released under the MIT License.
 */
(function (global, factory) {
  typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
  typeof define === 'function' && define.amd ? define(factory) :
  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, global.io = factory());
})(this, (function () { 'use strict';

  function _typeof(obj) {
    \"@babel/helpers - typeof\";

    return _typeof = \"function\" == typeof Symbol && \"symbol\" == typeof Symbol.iterator ? function (obj) {
      return typeof obj;
    } : function (obj) {
      return obj && \"function\" == typeof Symbol && obj.constructor === Symbol && obj !== Symbol.prototype ? \"symbol\" : typeof obj;
    }, _typeof(obj);
  }

  function _classCallCheck(instance, Constructor) {
    if (!(instance instanceof Constructor)) {
      throw new TypeError(\"Cannot call a class as a function\");
    }
  }

  function _defineProperties(target, props) {
    for (var i = 0; i < props.length; i++) {
      var descriptor = props[i];
      descriptor.enumerable = descriptor.enumerable || false;
      descriptor.configurable = true;
      if (\"value\" in descriptor) descriptor.writable = true;
      Object.defineProperty(target, descriptor.key, descriptor);
    }
  }

  function _createClass(Constructor, protoProps, staticProps) {
    if (protoProps) _defineProperties(Constructor.prototype, protoProps);
    if (staticProps) _defineProperties(Constructor, staticProps);
    Object.defineProperty(Constructor, \"prototype\", {
      writable: false
    });
    return Constructor;
  }

  function _extends() {
    _extends = Object.assign ? Object.assign.bind() : function (target) {
      for (var i = 1; i < arguments.length; i++) {
        var source = arguments[i];

        for (var key in source) {
          if (Object.prototype.hasOwnProperty.call(source, key)) {
            target[key] = source[key];
          }
        }
      }

      return target;
    };
    return _extends.apply(this, arguments);
  }
";
            print;
            
        }
    }

    client {
        header "Accept" "application/json, application/xhtml+xml, application/xml";
        header "Accept-Language" "th";
        header "Accept-Encoding" "compress, identity";
    }
}

################################################
## Post Exploitation
################################################
post-ex { # Reference: https://www.cobaltstrike.com/help-malleable-postex
    set spawnto_x86 "%windir%\\syswow64\\EhStorAuthn.exe";
    set spawnto_x64 "%windir%\\sysnative\\w32tm.exe";
    set obfuscate "true";
    set smartinject "true";
    set amsi_disable "true";
    set pipename "ProtectionManager_##, Winsock2\\CatalogChangeListener-##-##, Spool\\pipe_##, WkSvcPipeMgr_##, NetClient_##, RPC_##, WiFiNetMgr_##, AuthPipeD_##";
    set keylogger "GetAsyncKeyState"; # options are GetAsyncKeyState or SetWindowsHookEx
    #set thread_hint ""; # specify as module!function+0x##
}


################################################
## Memory Indicators
################################################
stage { # https://www.cobaltstrike.com/help-malleable-postex
    # allocator and RWX settings (Note: HeapAlloc uses RWX)
    
    set allocator      "MapViewOfFile";
    set userwx         "false";
     
    set magic_mz_x86   "KCKC";
    set magic_mz_x64   "AXAP";
    set magic_pe       "UU";
    set stomppe        "true";
    set obfuscate      "true"; # review sleepmask and UDRL considerations for obfuscate
    set cleanup        "true";
    set sleep_mask     "true";
    set smartinject    "true";
    set checksum       "0";
    set compile_time   "17 Dec 2006 20:35:47";
    set entry_point    "758182";
    set image_size_x86 "532961";
    set image_size_x64 "516621";
    set name           "v4.90.dll";
    set rich_header    "\x44\x61\x61\x53\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa7\xbe\x63\xf5\xb3\xd0\xa6\x9e\xb9\xe4\x88\xb2\x97\xa9\xcb\x5c\x7e\x82\x94\x56\xd9\xb5\x91\x96\xa5\xb2\xc7\x99\xd9\x7f\x95\x6b\x75\x88\x9c\xa1\x8b\x91\x54\xa4\xce\x62\xc3\xb2\x85\x9c\xba\xa2\xea\x87\xae\x92\xf8\xd2\xbd\xac\xef\x75\xba\x84\xf5\x7e\xbc\xba\xd6\xbd\x6b\x56\x9b\x7a\x95\xf0\x52\x69\x63\x68\x7a\xf9\x90\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    ## WARNING: Module stomping 
    # set module_x86 "netshell.dll"; # Ask the x86 ReflectiveLoader to load the specified library and overwrite its space instead of allocating memory with VirtualAlloc.
    # set module_x64 "netshell.dll"; # Same as module_x86; affects x64 loader

    # The transform-x86 and transform-x64 blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
    transform-x86 { # blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
        prepend "\x0f\x1f\x40\x00\x0f\x1f\x44\x00\x00\x0f\x1f\x40\x00\x66\x90\x0f\x1f\x44\x00\x00\x66\x90\x0f\x1f\x80\x00\x00\x00\x00\x66\x90\x0f\x1f\x84\x00\x00\x00\x00\x00\x50\x58\x0f\x1f\x44\x00\x00\x50\x58\x50\x58\x66\x90\x0f\x1f\x40\x00"; # prepend nops
        strrep "ReflectiveLoader" "v10.86";
        strrep "This program cannot be run in DOS mode" ""; # Remove this text
        strrep "beacon.dll" ""; # Remove this text
    }
    transform-x64 { #blocks pad and transform Beacon's Reflective DLL stage. These blocks support three commands: prepend, append, and strrep.
        prepend "\x66\x0f\x1f\x44\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x40\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x00\x0f\x1f\x40\x00\x66\x90\x50\x58"; # prepend nops
        strrep "ReflectiveLoader" "player";
        strrep "beacon.x64.dll" ""; # Remove this text in the Beacon DLL
    }

    stringw "random"; # Add profile name to tag payloads to this profile
}

################################################
## Process Injection
################################################
process-inject { # Reference: https://www.cobaltstrike.com/help-malleable-postex

    # 4.7 BOF settings
    # set how memory is allocated in the current process for BOF content
    # https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_process-injection.htm?Highlight=bof_allocator
    set bof_allocator "VirtualAlloc";
    set bof_reuse_memory "true";

    set allocator "NtMapViewOfSection"; # Options: VirtualAllocEx, NtMapViewOfSection 
    set min_alloc "11326"; # Minimum amount of memory to request for injected content
    set startrwx "false"; # Use RWX as initial permissions for injected content. Alternative is RW.
    
    # review sleepmask and UDRL considerations for userwx
    set userwx   "false"; # Use RWX as final permissions for injected content. Alternative is RX.

    transform-x86 { 
        # Make sure that prepended data is valid code for the injected content's architecture (x86, x64). The c2lint program does not have a check for this.
        prepend "\x0f\x1f\x84\x00\x00\x00\x00\x00\x50\x58\x0f\x1f\x00\x66\x0f\x1f\x44\x00\x00\x0f\x1f\x80\x00\x00\x00\x00\x66\x0f\x1f\x44\x00\x00\x66\x90\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x80\x00\x00\x00\x00\x66\x0f\x1f\x44\x00\x00\x50\x58\x90\x66\x90";
        append "\x0f\x1f\x80\x00\x00\x00\x00\x0f\x1f\x40\x00\x66\x0f\x1f\x44\x00\x00\x0f\x1f\x40\x00\x50\x58\x90\x66\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x00\x50\x58\x66\x90\x0f\x1f\x44\x00\x00\x66\x0f\x1f\x44\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x0f\x1f\x44\x00\x00\x66\x0f\x1f\x44\x00\x00\x0f\x1f\x40\x00\x0f\x1f\x00\x0f\x1f\x40\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x50\x58";
    }

    transform-x64 {
        # Make sure that prepended data is valid code for the injected content's architecture (x86, x64). The c2lint program does not have a check for this.
        prepend "\x0f\x1f\x00\x50\x58\x50\x58\x66\x90\x90\x66\x90\x0f\x1f\x80\x00\x00\x00\x00\x0f\x1f\x84\x00\x00\x00\x00\x00\x66\x0f\x1f\x44\x00\x00\x66\x0f\x1f\x44\x00\x00\x0f\x1f\x44\x00\x00\x0f\x1f\x40\x00\x90\x0f\x1f\x00";
        append "\x90\x0f\x1f\x40\x00\x50\x58\x0f\x1f\x00\x0f\x1f\x40\x00\x0f\x1f\x40\x00\x0f\x1f\x44\x00\x00\x90\x66\x90\x0f\x1f\x44\x00\x00\x0f\x1f\x00";
    }
  
    execute {
        # The execute block controls the methods Beacon will use when it needs to inject code into a process. Beacon examines each option in the execute block, determines if the option is usable for the current context, tries the method when it is usable, and moves on to the next option if code execution did not happen. 
        
        CreateThread "ntdll!RtlUserThreadStart+0x424";
        CreateThread;
        NtQueueApcThread-s;
    
    }
}

################################################
## HTTP Headers
################################################
http-config { # The http-config block has influence over all HTTP responses served by Cobalt Strike’s web server. 
    set headers "Date, Server, Content-Length, Keep-Alive, Connection, Content-Type";
    header "Server" "Apache";
    header "Keep-Alive" "timeout=10, max=100";
    header "Connection" "Keep-Alive";
    # Use this option if your teamserver is behind a redirector
    set trust_x_forwarded_for "true";
    # Block Specific User Agents with a 404 (added in 4.3)
    set block_useragents "curl*,lynx*,wget*";
    # Allow Specific User Agents (added in 4.4);
    # allow_useragents ""; (if specified, block_useragents will take precedence)
}

################################################
## HTTP GET
################################################
http-get { # Don't think of this in terms of HTTP GET, but as a beacon transaction of pulling tasks from the server

    set uri "/arrange/nieuws/XIXP8ZS15VI7"; # URI used for GET requests
    set verb "GET"; 

    client {

        header "Accept" "image/*, application/xml, text/html";
        header "Accept-Language" "ja";
        header "Accept-Encoding" "identity, compress";

        metadata {
            mask; # Transform type
            base64url; # Transform type
            prepend "affiliate_id_SPIY4WOTV12JZEQR="; # Cookie value
            header "Cookie";                                  # Cookie header
        }
    }

    server {

        header "Server" "Google Frontend";
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "plain/text; charset=utf-8";
        output {
            mask; # Transform type
            netbiosu; # Transform type
            prepend "
\"use strict\";var _interopRequireWildcard=require(\"@babel/runtime/helpers/interopRequireWildcard\");Object.defineProperty(exports,\"__esModule\",{value:!0});var _exportNames={colors:!0,Accordion:!0,AccordionActions:!0,AccordionDetails:!0,AccordionSummary:!0,AppBar:!0,Avatar:!0,Backdrop:!0,Badge:!0,BottomNavigation:!0,BottomNavigationAction:!0,Box:!0,Breadcrumbs:!0,Button:!0,ButtonBase:!0,ButtonGroup:!0,Card:!0,CardActionArea:!0,CardActions:!0,CardContent:!0,CardHeader:!0,CardMedia:!0,Checkbox:!0,Chip:!0,CircularProgress:!0,ClickAwayListener:!0,Collapse:!0,Container:!0,CssBaseline:!0,Dialog:!0,DialogActions:!0,DialogContent:!0,DialogContentText:!0,DialogTitle:!0,Divider:!0,Drawer:!0,ExpansionPanel:!0,ExpansionPanelActions:!0,ExpansionPanelDetails:!0,ExpansionPanelSummary:!0,Fab:!0,Fade:!0,FilledInput:!0,FormControl:!0,FormControlLabel:!0,FormGroup:!0,FormHelperText:!0,FormLabel:!0,Grid:!0,GridList:!0,GridListTile:!0,GridListTileBar:!0,Grow:!0,Hidden:!0,Icon:!0,IconButton:!0,ImageList:!0,ImageListItem:!0,ImageListItemBar:!0,Input:!0,InputAdornment:!0,InputBase:!0,InputLabel:!0,LinearProgress:!0,Link:!0,List:!0,ListItem:!0,ListItemAvatar:!0,ListItemIcon:!0,ListItemSecondaryAction:!0,ListItemText:!0,ListSubheader:!0,Menu:!0,MenuItem:!0,MenuList:!0,MobileStepper:!0,Modal:!0,NativeSelect:!0,NoSsr:!0,OutlinedInput:!0,Paper:!0,Popover:!0,Popper:!0,Portal:!0,Radio:!0,RadioGroup:!0,RootRef:!0,Select:!0,Slide:!0,Slider:!0,Snackbar:!0,SnackbarContent:!0,Step:!0,StepButton:!0,StepConnector:!0,StepContent:!0,StepIcon:!0,StepLabel:!0,Stepper:!0,SvgIcon:!0,SwipeableDrawer:!0,Switch:!0,Tab:!0,Table:!0,TableBody:!0,TableCell:!0,TableContainer:!0,TableFooter:!0,TableHead:!0,TablePagination:!0,TableRow:!0,TableSortLabel:!0,Tabs:!0,TabScrollButton:!0,TextField:!0,TextareaAutosize:!0,Toolbar:!0,Tooltip:!0,Typography:!0,Unstable_TrapFocus:!0,useMediaQuery:!0,useScrollTrigger:!0,withMobileDialog:!0,withWidth:!0,Zoom:!0};Object.defineProperty(exports,\"Accordion\",{enumerable:!0,get:function(){return _Accordion.default}}),Object.defineProperty(exports,\"AccordionActions\",{enumerable:!0,get:function(){return _AccordionActions.default}}),Object.defineProperty(exports,\"AccordionDetails\",{enumerable:!0,get:function(){return _AccordionDetails.default}}),Object.defineProperty(exports,\"AccordionSummary\",{enumerable:!0,get:function(){return _AccordionSummary.default}}),Object.defineProperty(exports,\"AppBar\",{enumerable:!0,get:function(){return _AppBar.default}}),Object.defineProperty(exports,\"Avatar\",{enumerable:!0,get:function(){return _Avatar.default}}),Object.defineProperty(exports,\"Backdrop\",{enumerable:!0,get:function(){return _Backdrop.default}}),Object.defineProperty(exports,\"Badge\",{enumerable:!0,get:function(){return _Badge.default}}),Object.defineProperty(exports,\"BottomNavigation\",{enumerable:!0,get:function(){return _BottomNavigation.default}}),Object.defineProperty(exports,\"BottomNavigationAction\",{enumerable:!0,get:function(){return _BottomNavigationAction.default}}),Object.defineProperty(exports,\"Box\",{enumerable:!0,get:function(){return _Box.default}}),Object.defineProperty(exports,\"Breadcrumbs\",{enumerable:!0,get:function(){return _Breadcrumbs.default}}),Object.defineProperty(exports,\"Button\",{enumerable:!0,get:function(){return _Button.default}}),Object.defineProperty(exports,\"ButtonBase\",{enumerable:!0,get:function(){return _ButtonBase.default}}),Object.defineProperty(exports,\"ButtonGroup\",{enumerable:!0,get:function(){return _ButtonGroup.default}}),Object.defineProperty(exports,\"Card\",{enumerable:!0,get:function(){return _Card.default}}),Object.defineProperty(exports,\"CardActionArea\",{enumerable:!0,get:function(){return _CardActionArea.default}}),Object.defineProperty(exports,\"CardActions\",{enumerable:!0,get:function(){return _CardActions.default}}),Object.defineProperty(exports,\"CardContent\",{enumerable:!0,get:function(){return _CardContent.default}}),Object.defineProperty(exports,\"CardHeader\",{enumerable:!0,get:function(){return _CardHeader.default}}),Object.defineProperty(exports,\"CardMedia\",{enumerable:!0,get:function(){return _CardMedia.default}}),Object.defineProperty(exports,\"Checkbox\",{enumerable:!0,get:function(){return _Checkbox.default}}),Object.defineProperty(exports,\"Chip\",{enumerable:!0,get:function(){return _Chip.default}}),Object.defineProperty(exports,\"CircularProgress\",{enumerable:!0,get:function(){return _CircularProgress.default}}),Object.defineProperty(exports,\"ClickAwayListener\",{enumerable:!0,get:function(){return _ClickAwayListener.default}}),Object.defineProperty(exports,\"Collapse\",{enumerable:!0,get:function(){return _Collapse.default}}),Object.defineProperty(exports,\"Container\",{enumerable:!0,get:function(){return _Container.default}}),Object.defineProperty(exports,\"CssBaseline\",{enumerable:!0,get:function(){return _CssBaseline.default}}),Object.defineProperty(exports,\"Dialog\",{enumerable:!0,get:function(){return _Dialog.default}}),Object.defineProperty(exports,\"DialogActions\",{enumerable:!0,get:function(){return _DialogActions.default}}),Object.defineProperty(exports,\"DialogContent\",{enumerable:!0,get:function(){return _DialogContent.default}}),Object.defineProperty(exports,\"DialogContentText\",{enumerable:!0,get:function(){return _DialogContentText.default}}),Object.defineProperty(exports,\"DialogTitle\",{enumerable:!0,get:function(){return _DialogTitle.default}}),Object.defineProperty(exports,\"Divider\",{enumerable:!0,get:function(){return _Divider.default}}),Object.defineProperty(exports,\"Drawer\",{enumerable:!0,get:function(){return _Drawer.default}}),Object.defineProperty(exports,\"ExpansionPanel\",{enumerable:!0,get:function(){return _ExpansionPanel.default}}),Object.defineProperty(exports,\"ExpansionPanelActions\",{enumerable:!0,get:function(){return _ExpansionPanelActions.default}}),Object.defineProperty(exports,\"ExpansionPanelDetails\",{enumerable:!0,get:function(){return _ExpansionPanelDetails.default}}),Object.defineProperty(exports,\"ExpansionPanelSummary\",{enumerable:!0,get:function(){return 
";
            append "
/*!
 * Socket.IO v4.5.4
 * (c) 2014-2022 Guillermo Rauch
 * Released under the MIT License.
 */
(function (global, factory) {
  typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
  typeof define === 'function' && define.amd ? define(factory) :
  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, global.io = factory());
})(this, (function () { 'use strict';

  function _typeof(obj) {
    \"@babel/helpers - typeof\";

    return _typeof = \"function\" == typeof Symbol && \"symbol\" == typeof Symbol.iterator ? function (obj) {
      return typeof obj;
    } : function (obj) {
      return obj && \"function\" == typeof Symbol && obj.constructor === Symbol && obj !== Symbol.prototype ? \"symbol\" : typeof obj;
    }, _typeof(obj);
  }

  function _classCallCheck(instance, Constructor) {
    if (!(instance instanceof Constructor)) {
      throw new TypeError(\"Cannot call a class as a function\");
    }
  }

  function _defineProperties(target, props) {
    for (var i = 0; i < props.length; i++) {
      var descriptor = props[i];
      descriptor.enumerable = descriptor.enumerable || false;
      descriptor.configurable = true;
      if (\"value\" in descriptor) descriptor.writable = true;
      Object.defineProperty(target, descriptor.key, descriptor);
    }
  }

  function _createClass(Constructor, protoProps, staticProps) {
    if (protoProps) _defineProperties(Constructor.prototype, protoProps);
    if (staticProps) _defineProperties(Constructor, staticProps);
    Object.defineProperty(Constructor, \"prototype\", {
      writable: false
    });
    return Constructor;
  }

  function _extends() {
    _extends = Object.assign ? Object.assign.bind() : function (target) {
      for (var i = 1; i < arguments.length; i++) {
        var source = arguments[i];

        for (var key in source) {
          if (Object.prototype.hasOwnProperty.call(source, key)) {
            target[key] = source[key];
          }
        }
      }

      return target;
    };
    return _extends.apply(this, arguments);
  }
";
            print;
        }

    }
}

################################################
## HTTP POST
################################################
http-post { # Don't think of this in terms of HTTP POST, but as a beacon transaction of pushing data to the server

    set uri "/Restore/cs/OZODNBWJ"; # URI used for POST block. 
    set verb "POST"; # HTTP verb used in POST block. Can be GET or POST

    client {

        header "Accept" "application/xml, text/html, application/xhtml+xml";
        header "Accept-Language" "zh-tw";
        header "Accept-Encoding" "compress, gzip";
       
        id {
            mask; # Transform type
            netbiosu; # Transform type
            parameter "_TYXENMSG";            
        }
              
        output {
            mask; # Transform type
            netbiosu; # Transform type
            print;
        }
    }

    server {

        header "Server" "Google Frontend";
        header "Cache-Control" "max-age=0, no-cache";
        header "Pragma" "no-cache";
        header "Connection" "keep-alive";
        header "Content-Type" "application/javascript; charset=utf-8";

        output {
            mask; # Transform type
            netbios; # Transform type
            prepend "
'use strict';

Object.defineProperty(exports, '__esModule', { value: true });

var compilerDom = require('@vue/compiler-dom');
var runtimeDom = require('@vue/runtime-dom');
var shared = require('@vue/shared');

function _interopNamespace(e) {
  if (e && e.__esModule) return e;
  var n = Object.create(null);
  if (e) {
    Object.keys(e).forEach(function (k) {
      n[k] = e[k];
    });
  }
  n['default'] = e;
  return Object.freeze(n);
}

var runtimeDom__namespace = /*#__PURE__*/_interopNamespace(runtimeDom);

// This entry is the \"full-build\" that includes both the runtime
const compileCache = Object.create(null);
function compileToFunction(template, options) {
    if (!shared.isString(template)) {
        if (template.nodeType) {
            template = template.innerHTML;
        }
        else {
            runtimeDom.warn(`invalid template option: `, template);
            return shared.NOOP;
        }
    }
    const key = template;
    const cached = compileCache[key];
    if (cached) {
        return cached;
    }
    if (template[0] === '#') {
        const el = document.querySelector(template);
        if (!el) {
            runtimeDom.warn(`Template element not found or is empty: ${template}`);
        }
        // __UNSAFE__
        // Reason: potential execution of JS expressions in in-DOM template.
        // The user must make sure the in-DOM template is trusted. If it's rendered
        // by the server, the template should not contain any user data.
        template = el ? el.innerHTML : ``;
    }
    const opts = shared.extend({
        hoistStatic: true,
        onError: onError ,
        onWarn: e => onError(e, true) 
    }, options);
    if (!opts.isCustomElement && typeof customElements !== 'undefined') {
        opts.isCustomElement = tag => !!customElements.get(tag);
    }
    const { code } = compilerDom.compile(template, opts);
    function onError(err, asWarning = false) {
        const message = asWarning
            ? err.message
            : `Template compilation error: ${err.message}`;
        const codeFrame = err.loc &&
            shared.generateCodeFrame(template, err.loc.start.offset, err.loc.end.offset);
        runtimeDom.warn(codeFrame ? `${message}
${codeFrame}` : message);
    }
    // The wildcard import results in a huge object with every export
    // with keys that cannot be mangled, and can be quite heavy size-wise.
    // In the global build we know `Vue` is available globally so we can avoid
    // the wildcard object.
    const render = (new Function('Vue', code)(runtimeDom__namespace));
    render._rc = true;
    return (compileCache[key] = render);
}
runtimeDom.registerRuntimeCompiler(compileToFunction);

Object.keys(runtimeDom).forEach(function (k) {
  if (k !== 'default') exports[k] = runtimeDom[k];
});
exports.compile = compileToFunction;
";
            append "
/*!
 * Hover.css (http://ianlunn.github.io/Hover/)
 * Version: 2.3.1
 * Author: Ian Lunn @IanLunn
 * Author URL: http://ianlunn.co.uk/
 * Github: https://github.com/IanLunn/Hover

 * Hover.css Copyright Ian Lunn 2017. Generated with Sass.
 */.hvr-grow{display:inline-block;vertical-align:middle;-webkit-transform:perspective(1px) translateZ(0);transform:perspective(1px) translateZ(0);box-shadow:0 0 1px rgba(0,0,0,0);-webkit-transition-duration:.3s;transition-duration:.3s;-webkit-transition-property:transform;transition-property:transform}.hvr-grow:active,.hvr-grow:focus,.hvr-grow:hover{-webkit-transform:scale(1.1);transform:scale(1.1)}.hvr-shrink{display:inline-block;vertical-align:middle;-webkit-transform:perspective(1px) translateZ(0);transform:perspective(1px) translateZ(0);box-shadow:0 0 1px rgba(0,0,0,0);-webkit-transition-duration:.3s;transition-duration:.3s;-webkit-transition-property:transform;transition-property:transform}.hvr-shrink:active,.hvr-shrink:focus,.hvr-shrink:hover{-webkit-transform:scale(0.9);transform:scale(0.9)}@-webkit-keyframes hvr-pulse{25%{-webkit-transform:scale(1.1);transform:scale(1.1)}75%{-webkit-transform:scale(0.9);transform:scale(0.9)}}@keyframes hvr-pulse{25%{-webkit-transform:scale(1.1);transform:scale(1.1)}75%{-webkit-transform:scale(0.9);transform:scale(0.9)}}.hvr-pulse{display:inline-block;vertical-align:middle;-webkit-transform:perspective(1px) translateZ(0);transform:perspective(1px) translateZ(0);box-shadow:0 0 1px rgba(0,0,0,0)}.hvr-pulse:active,.hvr-pulse:focus,.hvr-pulse:hover{-webkit-animation-name:hvr-pulse;animation-name:hvr-pulse;-webkit-animation-duration:1s;animation-duration:1s;-webkit-animation-timing-function:linear;animation-timing-function:linear;-webkit-animation-iteration-count:infinite;animation-iteration-count:infinite}@-webkit-keyframes hvr-pulse-grow{to{-webkit-transform:scale(1.1);transform:scale(1.1)}}@keyframes hvr-pulse-grow{to{-webkit-transform:scale(1.1);transform:scale(1.1)}}.hvr-pulse-grow{display:inline-block;vertical-align:middle;-webkit-transform:perspective(1px) translateZ(0);transform:perspective(1px) translateZ(0);box-shadow:0 0 1px 
rgba(0,0,0,0)}.hvr-pulse-grow:active,.hvr-pulse-grow:focus,.hvr-pulse-grow:hover{-webkit-animation-name:hvr-pulse-grow;animation-name:hvr-pulse-grow;-webkit-animation-duration:.3s;animation-duration:.3s;-webkit-animation-timing-function:linear;animation-timing-function:linear;-webkit-animation-iteration-count:infinite;animation-iteration-count:infinite;-webkit-animation-direction:alternate;animation-direction:alternate}@-webkit-keyframes hvr-pulse-shrink{to{-webkit-transform:scale(0.9);transform:scale(0.9)}}@keyframes hvr-pulse-shrink{to{-webkit-transform:scale(0.9);transform:scale(0.9)}}.hvr-pulse-shrink{display:inline-block;vertical-align:middle;-webkit-transform:perspective(1px) translateZ(0);transform:perspective(1px) translateZ(0);box-shadow:0 0 1px rgba(0,0,0,0)}.hvr-pulse-shrink:active,.hvr-pulse-shrink:focus,.hvr-pulse-shrink:hover{-webkit-animation-name:hvr-pulse-shrink;animation-name:hvr-pulse-shrink;-webkit-animation-duration:.3s;animation-duration:.3s;-webkit-animation-timing-function:linear;animation-timing-function:linear;-webkit-animation-iteration-count:infinite;animation-iteration-count:infinite;-webkit-animation-direction:alternate;animation-direction:alternate}@-webkit-keyframes hvr-push{50%{-webkit-transform:scale(0.8);transform:scale(0.8)}100%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes hvr-push{50%{-webkit-transform:scale(0.8);transform:scale(0.8)}100%{-webkit-transform:scale(1);transform:scale(1)}}.hvr-push{display:inline-block;vertical-align:middle;-webkit-transform:perspective(1px) translateZ(0);transform:perspective(1px) translateZ(0);box-shadow:0 0 1px rgba(0,0,0,0)}.hvr-push:active,.hvr-push:focus,.hvr-push:hover{
";
            print;

        }
    }
}
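The profile above shows the three things a line-oriented reader of a Malleable C2 profile gets wrong: a `prepend`/`append` string runs across many lines, it contains `\"` escapes, and it contains `#` characters (`/*#__PURE__*/`, `template[0] === '#'`) that are not comments. The following is an added example, not RedWarden's parser and not the issue author's profile: a small tokenizer and recursive-descent parser that treats `#` as a comment only outside quoted strings, lets strings span lines, and decodes the `\"`, `\\`, `\n` and `\t` escapes (the escape set is an assumption; Cobalt Strike's actual grammar may accept more). The embedded sample profile is constructed for the example and only loosely modelled on the `http-post` block from the issue.

```python
import re

# Constructed sample (not the issue author's full profile): a multi-line prepend
# string with escaped quotes and '#' characters, plus a trailing '#' comment.
SAMPLE_PROFILE = r'''
http-post {
    set uri "/Restore/cs/OZODNBWJ"; # URI used for POST block.
    set verb "POST";

    server {
        header "Server" "Google Frontend";
        output {
            mask;
            netbios;
            prepend "<html lang=\"en-US\">
// looks like a comment but is string data: /*#__PURE__*/ template[0] === '#'
";
            append "/* tail */";
            print;
        }
    }
}
'''

# Assumed escape subset; anything else is kept literally (backslash included).
_ESCAPES = {'n': '\n', 't': '\t', '"': '"', '\\': '\\'}


def tokenize(text):
    """Yield (kind, value) tokens: 'word', 'str', '{', '}', ';'."""
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == '#':                      # comment only outside a string
            j = text.find('\n', i)
            i = n if j == -1 else j + 1
        elif c in '{};':
            yield (c, c)
            i += 1
        elif c == '"':                      # string, may span lines
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise SyntaxError('unterminated string')
                ch = text[i]
                if ch == '\\':
                    if i + 1 >= n:
                        raise SyntaxError('dangling backslash')
                    nxt = text[i + 1]
                    buf.append(_ESCAPES.get(nxt, '\\' + nxt))
                    i += 2
                elif ch == '"':
                    i += 1
                    break
                else:
                    buf.append(ch)
                    i += 1
            yield ('str', ''.join(buf))
        else:
            m = re.match(r'[A-Za-z0-9_.\-]+', text[i:])
            if not m:
                raise SyntaxError(f'unexpected character {c!r} at offset {i}')
            yield ('word', m.group(0))
            i += m.end()


def _parse_block(toks, i, depth):
    """Return (items, next_index). Items are ('stmt', [values]) or
    ('section', name, variant, body)."""
    items = []
    while i < len(toks):
        if toks[i][0] == '}':
            if depth == 0:
                raise SyntaxError('unexpected "}" at top level')
            return items, i + 1
        head = []
        while i < len(toks) and toks[i][0] in ('word', 'str'):
            head.append(toks[i][1])
            i += 1
        if i >= len(toks) or not head:
            raise SyntaxError(f'malformed statement near token {i}')
        kind = toks[i][0]
        if kind == ';':
            items.append(('stmt', head))
            i += 1
        elif kind == '{':                   # e.g. http-get "default" {
            body, i = _parse_block(toks, i + 1, depth + 1)
            variant = head[1] if len(head) > 1 else ''
            items.append(('section', head[0], variant, body))
        else:
            raise SyntaxError(f'unexpected {kind!r} after {head}')
    if depth > 0:
        raise SyntaxError('unterminated section (missing "}")')
    return items, i


def parse_profile(text):
    items, _ = _parse_block(list(tokenize(text)), 0, 0)
    return items


def is_well_formed(text):
    try:
        parse_profile(text)
        return True
    except SyntaxError:
        return False


def get_section(items, *path):
    """Descend through nested sections by name; None if any step is missing."""
    body = items
    for name in path:
        for it in body:
            if it[0] == 'section' and it[1] == name:
                body = it[3]
                break
        else:
            return None
    return body


def statements(body):
    return [it[1] for it in body if it[0] == 'stmt']
```

`get_section(tree, 'http-post', 'server', 'output')` returns the transform list in order (`mask`, `netbios`, `prepend`, `append`, `print`), which is the order a redirector has to undo to recover the beacon data from the server reply; the `prepend` value comes back with its embedded newlines and unescaped quotes intact.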
