Merge pull request #1950 from stephenbradshaw/v1.5x/stager-rc4-support

Add RC4 support to shellcode stager - 1.5x backport

Author: moloch--

client/command/commands.go

@@ -484,6 +484,7 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.Bool("e", "lets-encrypt", false, "attempt to provision a let's encrypt certificate (HTTPS only)")
 			f.StringL("aes-encrypt-key", "", "encrypt stage with AES encryption key")
 			f.StringL("aes-encrypt-iv", "", "encrypt stage with AES encryption iv")
+			f.StringL("rc4-encrypt-key", "", "encrypt stage with RC4 encryption key")
 			f.String("C", "compress", "none", "compress the stage before encrypting (zlib, gzip, deflate9, none)")
 			f.Bool("P", "prepend-size", false, "prepend the size of the stage to the payload (to use with MSF stagers)")
 		},

client/command/jobs/stage.go

@@ -44,6 +44,7 @@ func StageListenerCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	listenerURL := ctx.Flags.String("url")
 	aesEncryptKey := ctx.Flags.String("aes-encrypt-key")
 	aesEncryptIv := ctx.Flags.String("aes-encrypt-iv")
+	rc4EncryptKey := ctx.Flags.String("rc4-encrypt-key")
 	prependSize := ctx.Flags.Bool("prepend-size")
 	compress := strings.ToLower(ctx.Flags.String("compress"))
 
@@ -70,6 +71,21 @@ func StageListenerCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		return
 	}
 
+	if rc4EncryptKey != "" && aesEncryptKey != "" {
+		con.PrintErrorf("Cannot use both RC4 and AES encryption\n")
+		return
+	}
+
+	rc4Encrypt := false
+	if rc4EncryptKey != "" {
+		// RC4 keysize can be between 1 to 256 bytes
+		if len(rc4EncryptKey) < 1 || len(rc4EncryptKey) > 256 {
+			con.PrintErrorf("Incorrect length of RC4 Key\n")
+			return
+		}
+		rc4Encrypt = true
+	}
+
 	aesEncrypt := false
 	if aesEncryptKey != "" {
 		// check if aes encryption key is correct length
@@ -121,6 +137,10 @@ func StageListenerCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		stage2 = util.PreludeEncrypt(stage2, []byte(aesEncryptKey), []byte(aesEncryptIv))
 	}
 
+	if rc4Encrypt {
+		stage2 = util.RC4EncryptUnsafe(stage2, []byte(rc4EncryptKey))
+	}
+
 	switch stagingURL.Scheme {
 	case "http":
 		if prependSize {
@@ -203,6 +223,10 @@ func StageListenerCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		con.PrintInfof("AES KEY: %v\n", aesEncryptKey)
 		con.PrintInfof("AES IV: %v\n", aesEncryptIv)
 	}
+
+	if rc4Encrypt {
+		con.PrintInfof("RC4 KEY: %v\n", rc4EncryptKey)
+	}
 }
 
 func prependPayloadSize(payload []byte) []byte {

util/cryptography.go

@@ -22,10 +22,24 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
+	"crypto/rc4"
 	"errors"
 	"io"
 )
 
+// RC4 encryption - Cryptographically insecure!
+// Added for stage-listener shellcode obfuscation
+// Dont use for anything else!
+func RC4EncryptUnsafe(data []byte, key []byte) []byte {
+	cipher, err := rc4.NewCipher(key)
+	if err != nil {
+		return make([]byte, 0)
+	}
+	cipherText := make([]byte, len(data))
+	cipher.XORKeyStream(cipherText, data)
+	return cipherText
+}
+
 // PreludeEncrypt the results
 func PreludeEncrypt(data []byte, key []byte, iv []byte) []byte {
 	plainText, err := pad(data, aes.BlockSize)