Team Cipher CS564 Capstone Project

Presentation: https://docs.google.com/presentation/d/1wZEYjZx_0QHwhiwaYdVVf7jkP-cUIb2kz7qhborW6UM/edit?usp=sharing

What we did

  • Exploited CVE-2017-5638 in Apache Struts2
  • Delivered a custom C implant to victim via RCE
  • Used Base64+bash trick to launch the payload
  • Built a Python-based TCP C2 server for remote tasking and data exfiltration

Protocol: TCP Listener (Command & Control)

  • Standard TCP communication over socket (3-way handshake)
  • Persistent connection: Listener waits for implant to connect back
  • Tasking: Attacker sends commands (e.g., shell commands, file retrieval)
  • Exfiltration: Implant sends outputs and stolen files via TCP
  • Encrypted or obfuscated payloads (e.g., AES-256, or the XOR-encoded data chunks used in this project; note that XOR with a fixed key is obfuscation rather than encryption)

Vulnerable Setup

Docker Setup:

Attacker Environment:

  • Windows Host with WSL and PowerShell
  • PowerShell: runs c2_server.py, http.server
  • WSL: compiles and hosts implant_client.c

Config File:

  • .env used for IP, port, and obfuscation key

Implant Development

Script: implant_client.c. The implant behaves like malware: it connects to the C2 server, waits for commands, executes them on the victim machine, and sends the results back.

Behaviors:

  • Reads the C2 server's IP and port from a .env file.
  • Opens a TCP socket to the server.
  • Listens for incoming command strings.
  • Uses popen() to execute the commands on the system.
  • Captures the output and sends it back over the socket.

Compiled in WSL: gcc -o implant -O3 -fno-stack-protector -z execstack -static implant_client.c

Obfuscation Techniques

  • Implant precompiled in C with optimizations to make reversing difficult
  • Implant hidden in /usr/bin/ directory to avoid detection
  • .env file used to keep IP and port hidden
  • Named implant syslogd to be inconspicuous
  • Scripts clean themselves up after execution
  • C2 Commands hidden with XOR obfuscation
  • Exfiltration data and files also hidden with XOR obfuscation
  • Self-destruct command to delete all files related to the implant, including the implant, and end the connection
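The behaviours listed above (a shell launched through a Base64 decode, a binary named after a system daemon but living in /usr/bin/, and a shell spawned directly by the exploited Java web application) are all visible to host telemetry. The following is an added detection example written from the defender's side; it is not part of the capstone project's code. The process-record format, the sample records, the expected daemon paths and the list of web-application parent process names are all assumptions made for this illustration and should be adjusted to the monitored system.

```python
"""Flag process records that match the implant behaviours described in this README.

Added example, not project code. Record format, sample data, daemon paths and
parent-process names are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Assumed on-disk locations of genuine logger daemons; adjust per distribution.
EXPECTED_DAEMON_PATHS = {
    "syslogd": {"/usr/sbin/syslogd", "/sbin/syslogd"},
    "rsyslogd": {"/usr/sbin/rsyslogd"},
}

# Assumed names of web-application server processes that should not spawn shells.
WEB_PARENTS = {"java", "tomcat", "catalina"}
SHELLS = {"sh", "bash", "dash", "zsh"}

# A base64 decode whose output is piped into a shell interpreter.
B64_TO_SHELL = re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba|z|da)?sh\b")


@dataclass
class ProcRecord:
    """One process observation, e.g. as reconstructed from auditd or EDR data."""
    pid: int
    ppid: int
    comm: str          # process name as reported by the kernel
    exe: str           # resolved executable path
    cmdline: str
    parent_comm: str


def findings_for(rec: ProcRecord) -> list:
    """Return the list of suspicious traits found on a single record."""
    hits = []
    if B64_TO_SHELL.search(rec.cmdline):
        hits.append("base64-decode piped to shell")
    expected = EXPECTED_DAEMON_PATHS.get(rec.comm)
    if expected is not None and rec.exe not in expected:
        hits.append(f"daemon name {rec.comm!r} running from unexpected path {rec.exe}")
    if rec.parent_comm in WEB_PARENTS and rec.comm in SHELLS:
        hits.append(f"shell spawned by web application server process {rec.parent_comm!r}")
    return hits


def scan(records) -> dict:
    """Map pid -> findings for every record that has at least one finding."""
    result = {}
    for rec in records:
        hits = findings_for(rec)
        if hits:
            result[rec.pid] = hits
    return result


# Constructed sample records: two suspicious, two benign.
SAMPLE_RECORDS = [
    ProcRecord(4321, 1200, "sh", "/bin/sh",
               "sh -c echo ZWNobyBoaQ== | base64 -d | bash", "java"),
    ProcRecord(4400, 1, "syslogd", "/usr/bin/syslogd", "syslogd", "init"),
    ProcRecord(800, 1, "rsyslogd", "/usr/sbin/rsyslogd",
               "/usr/sbin/rsyslogd -n", "systemd"),
    ProcRecord(5100, 5000, "sh", "/bin/sh", "sh -c ls", "bash"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_RECORDS).items():
        print(pid, "->", "; ".join(hits))
```

The path check is deliberately an allowlist rather than a denylist: a daemon name is only trusted when its executable sits where the package manager installs it, so renaming an implant to syslogd and dropping it in /usr/bin/ is exactly what the rule catches. The parent-process check is the generic signal for the initial RCE, independent of how the payload was encoded.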
