Updated stopsocks for sharpsocks in C#

nettitude · Oct 13, 2020 · 00faa23 · 00faa23
1 parent c4bfed9
commit 00faa23
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 2 deletions.
diff --git a/poshc2/client/Alias.py b/poshc2/client/Alias.py
@@ -42,5 +42,6 @@
     ["stopinveigh", "run-dll Inveigh.Program Inveigh StopAll"],
     ["lockless", "run-exe LockLess.Program LockLess"],
     ["sharpapplocker", "run-exe SharpApplocker.Program SharpApplocker"],
-    ["sharpedrchecker", "run-exe SharpEDRChecker.Program SharpEDRChecker"]
+    ["sharpedrchecker", "run-exe SharpEDRChecker.Program SharpEDRChecker"],
+    ["stopsocks", "run-dll SharpSocksImplantTestApp.Program SharpSocks StopSocks"]
 ]
diff --git a/poshc2/client/Help.py b/poshc2/client/Help.py
@@ -225,6 +225,7 @@
 * Socks:
 =========
 sharpsocks
+stopsocks
 run-exe SharpSocksImplantTestApp.Program SharpSocks -url1 /Barbara-Anne/Julissa/Moll/Jolie/Tiphany/Jessa/Letitia -url2 /Barbara-Anne/Julissa/Moll/Jolie/Tiphany/Jessa/Letitia -c raFAdgVujTHBwcvMuRFYgKHqp -k fFaKiMspoTWHPbu3PvUNvpzTkuq+VKDp+h1X79q3gXQ= -s https://10.10.10.1 -b 5000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken
 
 * Bloodhound:
@@ -477,6 +478,7 @@
 get-eventlog -newest 10000 -instanceid 4624 -logname security | select message -expandproperty message | select-string -pattern "user1|user2|user3"
 send-mailmessage -to "[email protected]" -from "user01 <[email protected]>" -subject <> -smtpserver <> -attachment <>
 sharpsocks -uri http://www.c2.com:9090 -beacon 2000 -insecure
+stopsocks
 netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow program="C:\\windows\\system32\\svchost.exe" protocol=TCP localport=80 profile=Domain
 reversedns 10.0.0.1
 invoke-edrchecker

diff --git a/poshc2/client/command_handlers/SharpHandler.py b/poshc2/client/command_handlers/SharpHandler.py
@@ -251,7 +251,7 @@ def do_sharpsocks(user, command, randomuri):
             new_task("run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 1000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken -df %s" % (sharpurl, channel, sharpkey, sharpurls[0].replace("\"", ""), sharpurls[1].replace("\"", ""), dfheader), user, randomuri)
         else:
             new_task("run-exe SharpSocksImplantTestApp.Program SharpSocks -s %s -c %s -k %s -url1 %s -url2 %s -b 1000 --session-cookie ASP.NET_SessionId --payload-cookie __RequestVerificationToken" % (sharpurl, channel, sharpkey, sharpurls[0].replace("\"", ""), sharpurls[1].replace("\"", "")), user, randomuri)
-    print("SharpSocks task issued, note that at present the C# implant has no stopsocks command, so to stop SharpSocks you will have to kill the implant process.")
+    print("SharpSocks task issued, to stop SharpSocks run stopsocks")
 
 
 def do_stop_keystrokes(user, command, randomuri):

diff --git a/resources/modules/SharpSocks.exe b/resources/modules/SharpSocks.exe