c3's People

Contributors

adm1npanda, alexkornitzer, felixm-pw, grzryc, jaszmigi, mgeeky, rgmz, sunnyneo

c3's Issues

Network Error

I am using C3 with dotnet core on a Debian 9 distro.

I launch both the WebController with custom URI and port and the Gateway executable with wine64 without any problem. But when I browse to the WebController web UI it keeps giving a Network Error message and I am not able to figure out why. I cannot change and save the WebController configuration from the web UI.

Thanks.

Mike

Early function return in LoadPe() fails to release memory in error branch

		//
		// STEP 8.1: Add Exception handling
		//
#if defined _M_X64
		auto pImageEntryException = &ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXCEPTION];

		if (pImageEntryException->Size > 0)
		{
			auto functionTable = Rva2Va<PRUNTIME_FUNCTION>(baseAddress, pImageEntryException->VirtualAddress);
			DWORD count = pImageEntryException->Size / sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY);
			if (!RtlAddFunctionTable(functionTable, count, (DWORD64)baseAddress))
			{
+				VirtualFree((void*)baseAddress, 0, MEM_RELEASE);
				return 1;
			}
		}

#elif defined _M_IX86
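
Review bot: The VirtualFree added before return 1 in the RtlAddFunctionTable failure branch is hand-placed cleanup whose own result is ignored, and nothing in this hunk covers the _M_IX86 path that follows or any other early return in LoadPe(). Consider letting a single scope guard (for example a std::unique_ptr with a deleter that calls VirtualFree(p, 0, MEM_RELEASE)) own baseAddress so every error return releases the mapping without repeating the call. A distinct return code here, rather than the bare 1, would also let the caller tell that exception-table registration was the step that failed.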

https://github.com/FSecureLABS/C3/blob/d01c3a42d2ecb525a368c10d5b5f82c22457715e/Src/CebuLoader/LoadPe.cpp#L330

Network Error

I started Startwebcontroller.cmd and then I visited my localhost:52935, but it kept prompting Network error, and I couldn't create a new GATEWAY button. It doesn't seem to work.

Controller error: Gateway <ID> already connected

Occasionally on gateways when I try to relaunch a gateway that was closed previously I'll receive the following error:
image

C3 Host: Docker container based on the mcr.microsoft.com/dotnet/core/aspnet:2.1-bionic image
Gateway Host: Separate Windows 10 1909 connected to the C3 instance
Channels: So far I've gotten the error with both OneDriveRest and Slack channels.

I've run process listings confirming that the gateway process is no longer running, and the C3 UI gateway indicator is yellow.
image

In response, I usually have to create a new gateway and start from scratch.

Update dependency 'vis'

You are still using a very outdated version 4.21 of vis.
This version is not supported anymore!

Please update to the new libraries:
https://github.com/visjs

Feel free to contact us if you need any support during the transition :-)

Failed to open Session Handle (Windows 7 / Server 2008)

Multiple Channels fail to create a session on Windows 7 / Server 2008. This appears to be an error in WinHTTP.

image

Tracing this through the Visual Studio debugger, I found that the exception was being thrown on the HTTPClient constructor.

image

An exception is thrown that gets caught here:

image

I also tried the Dropbox channel and received the error in the same part of the Dropbox channel.

image

My debugger doesn't enter the constructor when a breakpoint is set on it (for some reason I am not sure of), so I cannot quite tell what is wrong. But running net helpmsg 87 to get the error type, I can see that the exception is due to an invalid parameter. Googling "Failed to open Session", I find a couple references to the WinHTTP API.

O365 Outlook/OneDrive missing header and Base64 error for O365 Task

Hello,

I don't know if it was something related to how I set up the Azure applications, but I had to add the header (client_secret) to the RefreshAccessToken function and update the GetCapabilities to ask for the client_secret. Also, I had to update the OutlookTask OnReceiveFromChannel function due to an error Base64 decoding the task contents.

Compiling

Can the program be compiled using vs 15?

GetLdrpHandleTlsOffsetData for 21H1?

I cannot seem to find a new pattern for the recent Windows version 21H1; that's what I've tried:

std::pair<std::string, size_t> GetLdrpHandleTlsOffsetData()
{
	return { "\x74\x33\x44\x8d\x43\x09", 0x2C };
}
DWORD LdrpHandleTlsData(void* baseAddress)
{
	auto ldrpHandleTlsData = GetLdrpHandleTlsData();
	printf("ldrpHandleTlsData : %p \r\n", ldrpHandleTlsData);
	LDR_DATA_TABLE_ENTRY ldrDataTableEntry{};
	ldrDataTableEntry.DllBase = baseAddress;
	return ((LdrpHandleTlsData_t)ldrpHandleTlsData)(&ldrDataTableEntry);
}
auto TlsData = FSecure::Loader::UnexportedWinApi::LdrpHandleTlsData((void*)baseAddress);
printf("TlsData : %d \r\n", TlsData);

Results in this on 21H1 Windows OS:

ldrpHandleTlsData : 00007FFDF0137C14
TlsData : -1073741819

Thanks

Exception caught

Gateway|debug> Caught exception while parsing action, throwing exception: unable to create channel

No longer works with Covenant after update

It seems like Covenant changed their API. It no longer has the /listener/createbridge. This results in a 400 error.

Gateway|Error> Caught an exception while parsing Action. [Covenant] Error setting up BridgeListener, HTTP resp: 400

question

Will the C3 project be updated? I need some channel configuration documents very much.

Throwing exception: unable to create channel

1. Select (double-click) the gateway or relay on which to create the channel.
2. Open the command centre screen by selecting the “Command Centre” button.
3. In the “Select Command” dropdown, select a command such as “AddNegotiationChannelSlack”.
4. Fill out the required information, such as any credentials and application specifics.
5. Click the “Send Command” button.

image

IP ADDRESS AND PORT TO BIND TO

I would like the app to bind to my external IP and as such configured my external IP within the code. Yet it seems it only wants to detect my internal IP and for that reason gives an error as address not in context.

Custom Payload

Hey,

First of all let me thank you for bringing this amazing tool to the community, it is truly a work of art.
That being said, I've been trying to tinker around with it and customize the injection procedure (Common\FSecure\WinTools\InjectionBuffer.cpp and Common\FSecure\C3\Interfaces\Peripherals\Beacon.cpp) to not use the stager provided by the team server.
I reached the point where the beacon and the Relay are communicating on the same named pipe and the beacon successfully appears on the Team Server, but for some reason after a single command the Gateway seems to stop reporting the beacon is alive to the team server, even though the process is still running on the victim machine with the Beacon still being located in memory correctly, and the SMB named pipe still active.

My question is basically what would be the best practice for customizing the used payload, as I've seen the ByteView class being used to call for the payload, but was hoping maybe I missed a really simple solution demonstrated somewhere else?

Thanks anyways,
Yigal

Issues with SendHttpRequest function in SlackApi.h

As it works with the Slack channel, this is for reference if the same function is to be used in the development of other channels. You mention in the code comments that the default request method is GET, but it appears to actually send a POST request with a 0 body due to weird handling of the NULL value passed into the data parameter. This works fine with Slack's API as they don't seem to care about the difference, but does raise issues when other APIs (Microsoft for example) require it to be a GET request.

Thanks for the awesome project!
