Cobalt Strike 4.1 released on 25 June 2020, introduced a novel (for that time) capability of running so called Beacon Object Files - small post-ex capabilities that execute in Beacon, parse arguments, call a few Win32 APIs, report output, and exit. Since that time BOFs became very popular and the demand to launch/execute them in other environments than Cobalt Strike's Beacon has emerged.
We at Z-Labs saw a big potential in BOFs and decided to extend its capabilities, versatility and usefulness even further. That's how the following projects came to live.
The repository provides:
- bof-launcher - programming library for BOFs in-memory management (loading, keeping track of loaded BOFs, execution, masking).
- z-beac0n - a custom-written stage-1 (aka pre-C2) solution featuring bof-launcher. Engineered with a small footprint, stealth and modularity in mind.
- Z-Labs BOFs collection - growing collection of OS-specific and cross-platform BOFs handy to use during red team engagements.
See here for bulding instructions.
BOF launcher library is the engine behind the z-beac0n adversary simulation toolkit.
It is a standalone programming library implemented in Zig and C that can be used to execute BOFs. On Windows it support x86 and x86_64 architectures, on Linux x86, x86_64, ARMv6+ and AArch64 architectures are supported. The library exposes either C API and Zig API.
Library features:
- Capable of running BOFs that adhere to Windows BOF template and Linux BOF template.
- Fully integrable with programs written in C/C++/Zig/Go or Rust. See examples for sample integrations.
- Adds capability to write BOFs in Zig programming language - which is a low-level langauge with a goal of being a "better C".
- Access to rich std library during BOF development: lists, hash maps, cross-platform OS layer, http, networking, threading, crypto and compression.
- Capability to implement cross-platform BOFs (see: udpScanner, tcpScanner, grep and various other BOFs).
- Provides modern sleepmasking functionality.
- Capability to run asynchronous or long-running BOFs in a separate thread.
- Pattern for launching more risky BOFs (i.e. privilege escalation exploits) inside of a sacrificial process.
- Seamless support for either Windows COFF and UNIX/Linux ELF formats.
- ARM and AARCH64 support on Linux.
- Flexible API allowing for BOF chaining (works like
Bashpipes but purely in-memory) both on Linux and Windows.
bof-launcher C API:
int bofLauncherInit(void);
void bofLauncherRelease(void);
int bofMemoryMaskKey(const unsigned char* key, int key_len);
int bofMemoryMaskWin32ApiCall(const char* win32_api_name, int masking_enabled);
int bofObjectInitFromMemory(const unsigned char* file_data_ptr, int file_data_len, BofObjectHandle* out_bof_handle);
void bofObjectRelease(BofObjectHandle bof_handle);
int bofObjectIsValid(BofObjectHandle bof_handle);
void* bofObjectGetProcAddress(BofObjectHandle bof_handle, const char* name);
int bofRun(const unsigned char* file_data_ptr, int file_data_len);
int bofObjectRun(BofObjectHandle bof_handle,
unsigned char* arg_data_ptr,
int arg_data_len,
BofContext** out_context);
int bofObjectRunAsyncThread(BofObjectHandle bof_handle,
unsigned char* arg_data_ptr,
int arg_data_len,
BofCompletionCallback completion_cb,
void* completion_cb_context,
BofContext** out_context);
int bofObjectRunAsyncProcess(BofObjectHandle bof_handle,
unsigned char* arg_data_ptr,
int arg_data_len,
BofCompletionCallback completion_cb,
void* completion_cb_context,
BofContext** out_context);
void bofContextRelease(BofContext* context);
int bofContextIsRunning(BofContext* context);
void bofContextWait(BofContext* context);
unsigned char bofContextGetExitCode(BofContext* context);
const char* bofContextGetOutput(BofContext* context, int* out_output_len);
BofObjectHandle bofContextGetObjectHandle(BofContext* context);
int bofArgsInit(BofArgs** out_args);
int bofArgsInit(BofArgs** out_args);
void bofArgsRelease(BofArgs* args);
int bofArgsAdd(BofArgs* args, unsigned char* arg, int arg_len);
void bofArgsBegin(BofArgs* args);
void bofArgsEnd(BofArgs* args);
const char* bofArgsGetBuffer(BofArgs* args);
int bofArgsGetBufferSize(BofArgs* args);
For details see here: z-beac0n - Open Adversary Simulation Toolkit
This is an open source project meant to be used with authorization to assess the security posture and for research purposes.
| BOF name | Description | Supported platforms | Example |
|---|---|---|---|
| z-beac0n core | So called BOF zero (BOF0), BOF that operates as standalone implant, manages other loaded BOFs; capable of executing other BOFs | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
z-beac0n |
| tcpScanner | TCP connect() port scanner | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
tcpScanner 4.3.2.1-255:22,80 |
| udpScanner | UDP port sweeper | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
udpScanner 4.3.2.1-255:5000-5010 |
| whoami | On Linux: print effective user name; On Windows: output the current UserName and domain | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
whoami |
| pwd | print name of current/working directory | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
pwd |
| cd | change working directory | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
cd / |
| cat | print content of a file | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
cat /etc/passwd |
| zcat | print content of a gzip compressed file | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
cat /boot/config.gz |
| ls | list directory content | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
ls /etc |
| whereami | print hypervisor vendor signature from CPUID | Linux x86/x86_64; Windows x86/x86_64 |
whereami |
| grep | Print lines that match patterns | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
grep root /etc/passwd |
| find | Search for files in a directory hierarchy | Linux x86/x86_64/ARMv6+/AArch64; Windows x86/x86_64 |
find /dev -type b |
| BOF name | Description | Supported platforms | Example |
|---|---|---|---|
| dirtypipe | Exploit for 'dirtypipe' vulnerability (CVE-2022-0847) implemented as a BOF | Linux x86/x86_64/ARMv6+/AArch64 |
dirtypipe /etc/shadow 913 "backdoor:xxx:10123::::::" |
| kmodLoader | API-style BOF; load/unload kernel module directly from memory (root privileges required) | Linux x86/x86_64/ARMv6+/AArch64 |
see docs |
| lskmod | list currently loaded kernel modules | Linux x86/x86_64/ARMv6+/AArch64 |
lskmod |
| hostname | show the system's host name | Linux x86/x86_64/ARMv6+/AArch64 |
hostname |
| hostid | print the numeric identifier for the current host | Linux x86/x86_64/ARMv6+/AArch64 |
hostid |
| id | print real and effective user and group IDs | Linux x86/x86_64/ARMv6+/AArch64 |
id www-data |
| uname | print system information | Linux x86/x86_64/ARMv6+/AArch64 |
uname -a |
| uptime | show how long the system has been running | Linux x86/x86_64/ARMv6+/AArch64 |
uptime |
| who | print currently logged in users | Linux x86/x86_64/ARMv6+/AArch64 |
who |
| ifconfig | Display the status of the currently active network interfaces. With root privileges: also manipulate current state of the device | Linux x86/x86_64/ARMv6+/AArch64 |
ifconfig eth0 promisc |
| BOF name | Description | Supported platforms | Example |
|---|---|---|---|
| winver | show the edition, version, and system type of Windows operating system | Windows x86/x86_64 |
winver |
| processInjectionSrdi | This BOF can inject any other BOF to any running process | Windows x86/x86_64 |
cli4bofs inject file:abs_path_to_bof -i:<pid> |
Being a zero-dependency, drop-in C/C++ compiler that supports cross-compilation out-of-the-box, Zig can be used to build this project. To do so Zig's tarball (0.15.2) needs to be downloaded and dropped in the directory of choice. After adding that directory to the PATH environment variable, buliding the whole project is as easy as running:
zig build
Above command will build all included BOFs, example programs and bof-launcher library for all supported platforms. To build BOFs as a debuggable, standalone executables run:
zig build -Doptimize=Debug
Build artifacts will show up in zig-out/bin and zig-out/lib folders.
To build and run test BOFs do:
zig build test
To run tests on foreign CPU architectures, you can use QEMU which is nicely integrated in Zig:
zig build test -fqemu --glibc-runtimes /usr