Update GetWebDavStatus BOF

GetWebDAVStatus_BOF/GetWebDAVStatus.cna

@@ -0,0 +1,29 @@
+#GetWebDAVStatus
+#CNA author @nickvourd
+
+beacon_command_register("GetWebDAVStatus", "Determine if the WebClient Service (WebDAV) is running on a remote system.", "Synopsis: GetWebDAVStatus <target server ip or hostname>\n\n");
+
+alias GetWebDAVStatus {
+    $bid = $1;
+
+    $input = substr($0, 16);
+    @args = split(' ', $input);
+
+    $target = @args[0];
+
+    if ($target eq "") {
+	    berror($bid, "Specify an ip or hostname");
+	    return;
+    }
+
+    # Read in the right BOF file
+    $handle = openf(script_resource("GetWebDAVStatus." . barch($bid) . ".o"));
+    $data   = readb($handle, -1);
+    closef($handle);
+
+    # Pack our arguments
+    $arg_data  = bof_pack($bid, "Z", $target);
+    btask($bid, "GetWebDAVStatus BOF by @G0ldenGunSec && @nickvourd");
+
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}

GetWebDAVStatus_BOF/GetWebDavStatus-Checksum.txt

@@ -0,0 +1,2 @@
+GetWebDAVStatus.x64.o       B8ED7B5C95EC7511D4CE307550BA0305
+GetWebDAVStatus.x86.o       49C859A3FF0D7E18E01576075A934899

GetWebDAVStatus_BOF/Source/GetWebDAVStatus.c

@@ -0,0 +1,39 @@
+#include <windows.h>
+#include <stdio.h>
+#include "beacon.h"
+
+WINBASEAPI BOOL WINAPI KERNEL32$WaitNamedPipeW(LPCWSTR lpNamedPipeName, DWORD nTimeOut);
+WINBASEAPI void* WINAPI MSVCRT$malloc(size_t);
+WINBASEAPI size_t WINAPI MSVCRT$wcslen(const wchar_t* str);
+WINBASEAPI wchar_t* WINAPI MSVCRT$wcscpy(wchar_t* dest, const wchar_t* source);
+WINBASEAPI wchar_t* WINAPI MSVCRT$wcscat(wchar_t* dest, const wchar_t* source);
+WINBASEAPI void WINAPI MSVCRT$free(void*);
+
+void go(char* args, int length) 
+{
+    wchar_t* host;
+    datap parser;
+    BeaconDataParse(&parser, args, length);
+    host = (wchar_t*)BeaconDataExtract(&parser, NULL);
+    //BeaconPrintf(CALLBACK_OUTPUT, "Value of host: %S", host);
+
+    wchar_t* pipeNameHead = L"\\\\";
+    wchar_t* pipeNameTail = L"\\pipe\\DAV RPC SERVICE";
+    BOOL pipeStatus = 0;
+
+    wchar_t* fullPipeName = (wchar_t*)MSVCRT$malloc((MSVCRT$wcslen(host) + MSVCRT$wcslen(pipeNameHead) + MSVCRT$wcslen(pipeNameTail) + 1) * sizeof(wchar_t));
+    MSVCRT$wcscpy(fullPipeName, pipeNameHead);
+    MSVCRT$wcscat(fullPipeName, host);
+    MSVCRT$wcscat(fullPipeName, pipeNameTail);
+
+    pipeStatus = KERNEL32$WaitNamedPipeW(fullPipeName, 3000);
+    if (pipeStatus == 0)
+    {
+        BeaconPrintf(CALLBACK_ERROR, "[x] Unable to hit DAV pipe on %S, system is either unreachable or does not have WebClient service running", host);
+    }
+    else
+    {
+        BeaconPrintf(CALLBACK_OUTPUT, "[+] WebClient service is active on %S", host);
+    }
+    MSVCRT$free((void*)fullPipeName);
+}

GetWebDAVStatus_BOF/Source/Makefile

@@ -0,0 +1,19 @@
+SRC = $(wildcard *.c)
+OBJS = $(patsubst %.c, %.o, $(SRC))
+CC_x86 := i686-w64-mingw32-gcc
+CC_x64 := x86_64-w64-mingw32-gcc
+STRIP_x86 := i686-w64-mingw32-strip
+STRIP_x64 := x86_64-w64-mingw32-strip
+CFLAGS := -masm=intel
+
+all: $(OBJS)
+
+%.o: %.c
+	$(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $<
+	$(STRIP_x64) --strip-unneeded ../$*.x64.o
+
+	$(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $<
+	$(STRIP_x86) --strip-unneeded ../$*.x86.o
+
+clean:
+	rm ../*.o

README.md

@@ -2,18 +2,24 @@
 Small project to determine if the Web Client service (WebDAV) is running on a remote system by checking for the presence of the DAV RPC SERVICE named pipe. Does not require admin privileges on the remote system, but does require some form of valid credentials (no anonymous access). Both a BOF and C# version of the project are included, the C# version is multi-threaded so would be better suited for scanning a large number of systems.
 
 ## Usage
-Both the BOF and C# versions take a comma-seperated list of systems to scan.  The C# version also has an optional arg of "--tc" that allows the operator to control the max amount of threads to be used (default: 5).
+The C# versions take a comma-seperated list of systems to scan.  The C# version also has an optional arg of "--tc" that allows the operator to control the max amount of threads to be used (default: 5). The BOF vesrion take only one argument.
 
-BOF: `inline-execute C:\scripts\GetWebDAVStatus_x64.o server01,server02`
+BOF: `GetWebDAVStatus server01`
 
 C#: `execute-assembly C:\assemblies\GetWebDAVStatus.exe server01,server02 --tc 1`
 
 ## Building
-The C# project should be a pretty standard build, x64 + Release is the recommended build configuration.  BOF can be built with the following command from the Developer Command Prompt for VS:
+The C# project should be a pretty standard build, x64 + Release is the recommended build configuration.  BOF can be built with the following command from the Makefile:
 
-`cl.exe /c /GS- Source.c /Fo./GetWebDAVStatus_x64.o`
+`make`
+
+Prerequisites for compiling the BOF:
+- i686-w64-mingw32-gcc
+- x86_64-w64-mingw32-gcc
 
 ## Credits
 [@tifkin_](https://twitter.com/tifkin_) originally posted about this method of remotely identifying WebDAV [here](https://twitter.com/tifkin_/status/1419806476353298442).
 
+Special thanks to [@nickvourd](https://twitter.com/nickvourd) for his contributions.
+
 Originally heard about the above tweet on [@flangvik](https://twitter.com/Flangvik)'s [twitch stream](https://www.twitch.tv/flangvik). Would definitely recommend checking out.